AEM 7.0.0.0 User Guide

Arbor Enterprise Manager

User Guide

Version 7.0.0.0
Legal Notice
The information contained within this document is subject to change without notice. NETSCOUT SYSTEMS, INC.
makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. NETSCOUT SYSTEMS, INC. shall not be liable for errors
contained herein or for any direct or indirect, incidental, special, or consequential damages in connection with the
furnishings, performance, or use of this material.
Use of this product is subject to the End User License Agreement available at
http://www.NetScout.com/legal/terms-and-conditions or which accompanies the product at the time of shipment
or, if applicable, the legal agreement executed by and between NetScout Systems, Inc. or one of its wholly-owned
subsidiaries (“NETSCOUT”) and the purchaser of this product (“Agreement”).
Government Use and Notice of Restricted Rights: In U.S. government (“Government”) contracts or subcontracts,
Customer will provide that the Products and Documentation, including any technical data (collectively “Materials”),
sold or delivered pursuant to this Agreement for Government use are commercial as defined in Federal
Acquisition Regulation (“FAR”) 2.101 and any supplement and further are provided with RESTRICTED RIGHTS. All
Materials were fully developed at private expense. Use, duplication, release, modification, transfer, or disclosure
(“Use”) of the Materials is restricted by the terms of this Agreement and further restricted in accordance with FAR
52.227-14 for civilian Government agency purposes and 252.227-7015 of the Defense Federal Acquisition
Regulations Supplement (“DFARS”) for military Government agency purposes, or the similar acquisition
regulations of other applicable Government organizations, as applicable and amended. The Use of Materials is
restricted by the terms of this Agreement, and, in accordance with DFARS Section 227.7202 and FAR Section
12.212, is further restricted in accordance with the terms of NETSCOUT’S commercial End User License
Agreement. All other Use is prohibited, except as described herein.
This Product may contain third-party technology. NETSCOUT may license such third-party technology and
documentation (“Third-Party Materials”) for use with the Product only. In the event the Product contains Third-
Party Materials, or in the event you have the option to use the Product in conjunction with Third-Party Materials
(as identified by NETSCOUT in the Documentation provided with this Product), then such third-party materials are
provided or accessible subject to the applicable third-party terms and conditions contained either in the “Read
Me” or “About” file located in the Software or on an Application CD provided with this Product, or in an appendix
located in the documentation provided with this Product. To the extent the Product includes Third-Party Materials
licensed to NETSCOUT by third parties, those third parties are third-party beneficiaries of, and may enforce, the
applicable provisions of such third-party terms and conditions.
Open-Source Software Acknowledgement: This product may incorporate open-source components that are
governed by the GNU General Public License (“GPL”) or licenses that are compatible with the GPL license (“GPL
Compatible License”). In accordance with the terms of the GNU GPL, NETSCOUT will make available a complete,
machine-readable copy of the source code components of this product covered by the GPL or applicable GPL
Compatible License, if any, upon receipt of a written request. Please identify the product and send a request to:
NetScout Systems, Inc.
GNU GPL Source Code Request
310 Littleton Road
Westford, MA 01886
Attn: Legal Department
No portion of this document may be copied, photocopied, reproduced, translated, or reduced to any electronic
medium or machine form without prior consent in writing from NETSCOUT. The information in this document is
subject to change without notice and does not represent a commitment on the part of NETSCOUT.
The products and specifications, configurations, and other technical information regarding the products
described or referenced in this document are subject to change without notice and NETSCOUT reserves the right,
at its sole discretion, to make changes at any time in its technical information, specifications, service, and support
programs. All statements, technical information, and recommendations contained in this document are believed
to be accurate and reliable but are presented “as is” without warranty of any kind, express or implied. You must
take full responsibility for their application of any products specified in this document. NETSCOUT makes no
implied warranties of merchantability or fitness for a purpose as a result of this document or the information
described or referenced within, and all other warranties, express or implied, are excluded.
Except where otherwise indicated, the information contained in this document represents the planned
capabilities and intended functionality offered by the product and version number identified on the front of this
document. Screen images depicted in this document are representative and intended to serve as example images
only.

© 2014-2023 NETSCOUT All rights reserved. Confidential and Proprietary.


www.netscout.com
Document Number: AEM-UG-7000-2023/05
01 May, 2023
Contents

Preface
About the AEM Documentation 9
Command Syntax 10
Contacting the Arbor Technical Assistance Center 11

Part I: AEM Overview


Section 1: Introduction to AEM 13
About Managing Devices from AEM 13
About the AEM User Interfaces 15
Section 2: Getting Started with AEM 16
Before You Begin to Use AEM 16
Logging in to and out of the AEM UI 17
Editing Your User Account 17
Navigation and Common Page Functions 20
Saving, Emailing, and Printing Pages from the UI 22
Viewing Graphs in the UI 23

Part II: AEM Implementation


Section 3: Configuring User Groups and Authentication 27
About User Authentication 28
About User Groups 29
About User Accounts 30
Adding and Deleting User Groups 32
Assigning Authorization Keys to User Groups 33
User Group Authorization Keys 33
Configuring the User Accounting Level 37
Configuring Password Requirements for Local User Accounts 38
Adding and Editing Local User Accounts 42
Locking and Unlocking Local User Accounts 46
Adding Users to User Groups 47
Setting the Authentication Method for RADIUS and TACACS+ 48
Setting the AEM User Group for RADIUS Users 50
Setting the AEM User Group for TACACS+ Users 50
Changing the Default User Group for RADIUS and TACACS+ 51
Configuring RADIUS Integration 51
Configuring TACACS+ Integration 53
About HTTP Header-Based Authentication 54
Configuring HTTP Header-Based Authentication for Single Sign-on 55
Section 4: Configuring AEM 57
Configuring General Settings 57
Configuring SNMP Polling 58
Configuring the Audit Trail Settings 60

© NETSCOUT Confidential and Proprietary 3


AEM User Guide, Version 7.0.0.0

Configuring the Syslog Destination for the Audit Trail 61


Configuring System Alerts 61
Configuring Remote Backup Settings 63
Using a Custom SSL Certificate for User Authentication 65
Adding a Custom Logo to the UI 66
Section 5: Managing the ATLAS Intelligence Feed 68
About the ATLAS Intelligence Feed 68
About the ATLAS Threat Policies 69
About the ATLAS Confidence Index 70
About Web Crawler Support 73
Configuring the ATLAS Intelligence Feed 74
Viewing the Status of ATLAS Intelligence Feed Updates 75
Viewing the AIF Traffic Statistics for a Protection Group 76
Section 6: Configuring Notifications 78
About Notifications 78
Configuring Notifications 80
Viewing Notifications 83

Part III: Device Management


Section 7: Introduction to Device Management 86
Configuring a Device for AEM Management 86
Accessing Managed Devices from AEM 88
About Single Sign-on to Managed Devices 89
About Configuration Data Synchronization with AEM 90
How Restoring Backups Affects the AEM - Device Synchronization 93
Setting the Protection Mode (Active or Inactive) 95
About the Protection Levels 96
Deleting Offline Devices 99
Section 8: Managing Shared Server Types 101
About the Server Types 101
Viewing Server Types 105
Adding and Deleting Custom Server Types 106
Changing the Protection Settings for Server Types 108
About Traffic Profiling for Protection Configuration 110
Starting Traffic Profiles from AEM 112
Using Traffic Profile Data to Configure Protection Settings 114
Restoring the Default Protection Settings 115
Section 9: Configuring the Protection Settings 117
About the Protection Settings Configuration 118
About the Outbound Threat Filter 119
Configuring the Outbound Threat Filter 121
Validating the Outbound Threat Filter Configuration 122
Application Misbehavior Settings 125
ATLAS Intelligence Feed Settings 125
Block Malformed DNS Traffic Settings 128
Block Malformed SIP Traffic Settings 129
Botnet Prevention Settings 129
CDN and Proxy Support Settings 131
DNS Authentication Settings 131
DNS NXDomain Rate Limiting Settings 132
DNS Rate Limiting Settings 133


DNS Regular Expression Settings 134


Flexible Rate-based Blocking Settings 134
Fragment Detection Settings 136
HTTP Header Regular Expressions Settings 137
HTTP Rate Limiting Settings 137
HTTP Reporting Settings 138
ICMP Flood Detection Settings 139
Malformed HTTP Filtering Settings 140
Multicast Blocking Settings 140
Payload Regular Expression Settings 141
Private Address Blocking Settings 143
Rate-based Blocking Settings 144
SIP Request Limiting Settings 145
Spoofed SYN Flood Prevention Settings 146
STIX Feeds Settings 149
TCP Connection Limiting Settings 149
TCP Connection Reset Settings 150
TCP SYN Flood Detection Settings 151
TLS Attack Prevention Settings 153
Traffic Shaping Settings 154
UDP Flood Detection Settings 155
Section 10: Detecting and Mitigating Attacks with Attack Analysis 156
How Attack Analysis Detects Attacks and Generates Protection Recommendations 156
Enabling Attack Analysis 158
Viewing Protection Recommendations for Mitigating Attacks 159
Section 11: Configuring Filter Lists to Drop and Pass Traffic 161
About Filter Lists 161
Configuring Master Filter Lists 163
Passing and Dropping Inbound Traffic and Outbound Traffic 164
Section 12: Managing the Deny List and Allow List 167
About the Deny List and Allow List 167
About the Capacity of the Deny List and Allow List 170
Adding Inbound Traffic to the Deny List 172
Viewing and Searching the Inbound Deny List 174
Adding Outbound Traffic to the Deny List 177
Viewing and Searching the Outbound Deny List 178
Adding Inbound Traffic to the Allow List 180
Viewing and Searching the Inbound Allow List 181
Adding Outbound Traffic to the Allow List 183
Viewing and Searching the Outbound Allow List 185
Section 13: Viewing AED and APS Traffic 187
Viewing the Traffic Activity for a Protection Group 187
Viewing the Traffic Overview for a Protection Group 190
Filtering the Traffic Data by Device 191
Viewing the Attack Categories for a Protection Group 192
Viewing the Top URLs for a Protection Group 198
Viewing the Top Domains for a Protection Group 199
Viewing the Top IP Locations for a Protection Group 201
Viewing the Top Protocols for a Protection Group 203
Viewing the Top Services for a Protection Group 204


Section 14: Managing Protection Groups 207


About Protection Groups 207
About Bandwidth Alerts 212
Viewing the Status of Protection Groups 214
Adding, Editing, and Deleting Protection Groups 220
Assigning Managed Devices to Protection Groups 226
Overriding a Protection Group’s Settings on a Managed Device 228
Section 15: Mitigating Attacks 230
About Attack Mitigation 230
Workflow for Routine System Monitoring 232
Indicators of Attacks and Mitigations 234
Mitigating an Attack by Raising the Protection Level 236
Changing the Protection Level 238
Identifying and Blocking an Attack 239
Section 16: Traffic Forensics 242
About the Blocked Hosts Log 242
Viewing the Blocked Hosts Log 244
Information on the Blocked Hosts Log Page 246
Taking Action on a Blocked Host 250
Viewing the ATLAS Threat Categories on the Summary Page 252
Viewing the ATLAS Threat Categories that Block Traffic 253
About Capturing Packets 258
Capturing Packet Information 259
Alternative Ways to Start a Packet Capture 262
Information on the Packet Capture Page 263
Configuring Regular Expressions from Captured Packets 267
Section 17: Managing Centralized Reports 269
About Centralized Reports 269
About the Centralized Executive Summary Report 270
Configuring On-Demand Centralized Reports 274
Viewing and Deleting Centralized Reports 276

Part IV: Network Management


Section 18: Viewing Network Activity on the Dashboard 281
Viewing a Dashboard of Network Activity 281
Viewing AED and APS Traffic on the Dashboard 282
Viewing Active Alerts on the Dashboard 285
Section 19: Monitoring Alerts 288
About Alerts 288
About the Security Alerts Page 291
Viewing Security Alerts 293
Filtering the Security Alerts Page 296
About the Alert Impact Value 297
Viewing a Summary of System Alerts 298
Filtering the Alerts on the System Alerts Page 300
Ignoring Alerts 302
Section 20: Viewing and Analyzing Threats 304
About Threats 304
About the MITRE ATT&CK Data 306
Viewing and Analyzing Threats 307


Filtering the Threat Analysis Page 309


Viewing Threat Details 310
Section 21: Monitoring the Status of the Network and Devices 313
Viewing a Summary of System Activity 313
Viewing System Information on the Summary Page 314
Viewing Audit Trail Information on the Summary Page 316
Section 22: Monitoring System Changes in the Audit Trail 318
About the Audit Trail 318
Including Change Messages in the Audit Trail 319
Viewing the Audit Trail Log 320

Part V: Command Line Interface


Section 23: Using the Command Line Interface 323
About the Command Line Interface 323
About the Connections to the Command Line Interface 323
Logging in to and out of the AEM Command Line Interface 324
Getting Help in the Command Line Interface 325
About the CLI Command Components 327
Entering CLI Commands 328
Navigating the CLI Command Hierarchy 329
Editing Command Lines 330
Viewing Statuses in the CLI 331

Part VI: AEM Maintenance and Management


Section 24: Managing AEM Files 334
About the Files Page 334
Managing the Files on AEM and Managed Devices 336
Managing Diagnostics Packages 337
Section 25: Backing Up AEM 339
About AEM Backups 339
Running a Local Backup Manually 340
Restoring AEM from a Backup 341
Section 26: Installing, Upgrading, and Reinstalling AEM 344
Installing AEM 344
Installing the License Keys for AEM 348
Upgrading the AEM Software 348
Reinstalling AEM 351

Appendixes
Appendix A: AEM Communication Ports 355
AEM Communication Ports 355
Appendix B: Using FCAP Expressions 357
Available FCAP Expressions 357
FCAP Expression Reference 358
Logical Operators for Compound FCAP Expressions 363
FCAP Expressions that Indicate Direction 364
Examples of FCAP Expressions 365


Appendix C: Notification Formats 367


Email Notification Examples 367
Syslog Notification Examples 368

Glossary 369

Index 379

End User License Agreement 390



Preface

This guide describes how to configure and use the NETSCOUT® Arbor Enterprise
Manager (AEM) to manage Arbor Edge Defense (AED) devices and Arbor APS (APS)
devices, to protect critical service availability.

This guide also describes how to configure advanced settings for your AEM deployment.

Audience
This guide is intended for the following personnel:
• The network operators who use AEM to secure their network. These users should have
a working knowledge of their network security policies and network configuration.
• The network security system administrators (or network operators) who are
responsible for configuring and managing AEM on their networks. These
administrators should have a fundamental knowledge of their network security
policies and network configuration.

In this section
This section contains the following topics:

About the AEM Documentation 9
Command Syntax 10
Contacting the Arbor Technical Assistance Center 11

About the AEM Documentation

This guide contains information and instructions for configuring and using AEM.

The instructions assume that you have completed the installation steps in the
appropriate Installation Guide.


AEM documentation set


See the following guides for information about AEM and its deployment:

Document: Arbor Enterprise Manager Release Notes
Contents: Release information about AEM, including new features, system requirements,
fixed issues, and known issues.

Document: Arbor Enterprise Manager User Guide
Contents: Information about how to configure and use AEM. You can access the User Guide
by clicking the Help button in the AEM UI. It also is available as a PDF file. The User
Guide includes all of the information that previously was included in the Arbor
Enterprise Manager Advanced Configuration Guide.

Document: Installation Guides and Configuration Guides for AEM appliances
Contents: Information about how to install, connect, and configure AEM on a physical
appliance. Each AEM appliance has its own installation guide.

Document: Virtual Arbor Enterprise Manager Installation Guide
Contents: Information about how to install and configure the AEM virtual machine (vAEM).
Follow the instructions in this guide if you will run AEM in a VM instead of on hardware.

Document: Arbor Edge Defense, Arbor APS, and Arbor Enterprise Manager Compatibility Guide
Contents: The requirements for managing AED devices and APS devices that have different
software versions on AEM.

Command Syntax
This guide uses typographic conventions to make the information in commands and
procedures easier to recognize.

The following table shows the syntax of commands and other types of user input. Do not
type the brackets, braces, or vertical bars that indicate options and variables.

Conventions for commands and user input

Convention: Monospaced bold
Description: Information that you must type exactly as shown.

Convention: Monospaced italics
Description: A variable for which you must supply a value.

Convention: { } (braces)
Description: A set of choices for options or variables, one of which is required.
For example: {option1 | option2}.

Convention: [ ] (square brackets)
Description: A set of choices for options or variables, all of which are optional.
For example: [variable1 | variable2].

Convention: | (vertical bar)
Description: Separates the mutually exclusive options or variables.


Contacting the Arbor Technical Assistance Center


The Arbor Technical Assistance Center is your primary point of contact for all service and
technical assistance issues that involve Arbor products.

Contact methods
You can contact the Arbor Technical Assistance Center as follows:
• Phone US toll free — +1 877 272 6721
• Phone worldwide — +1 781 362 4301
• Support portal — https://my.netscout.com

Submitting documentation comments


If you have comments about the documentation, you can forward them to the Arbor
Technical Assistance Center. Please include the following information:
• Title of the guide
• Document number (listed on the reverse side of the title page)
• Page number

Example
AEM User Guide
AEM-UG-7000-2023/05
Page 9



Part I:
AEM Overview
Section 1:
Introduction to AEM

This section describes AEM and how to use it to manage AED and APS devices.

In this section
This section contains the following topics:

About Managing Devices from AEM 13
About the AEM User Interfaces 15

About Managing Devices from AEM


Large organizations might have multiple devices (AED and APS) installed across data
centers or geographic areas. Arbor Enterprise Manager (AEM) provides security
administrators with a single console for the central management of multiple devices. AEM
manages up to 50 devices in any combination, including virtual machines. This
management allows you to monitor and respond to attacks across your network from a
single user interface.

Note
AEM can support multiple versions of AED and APS software simultaneously. For more
information about multi-version support, see the Arbor Edge Defense, Arbor APS, and
Arbor Enterprise Manager Compatibility Guide.

AEM features
The ability to manage multiple devices from a single user interface allows you to more
effectively perform the following network management tasks:
• View the critical alerts and events in your network and outside your network that may
put your business at risk.
• Manage the security policies that protect your network from potential threats and
attacks.
• Centralize the server types, protection groups, outbound threat filter, deny list, and
allow list to provide consistent protection across your network and a streamlined
workflow.
• Quickly respond to attacks by adjusting the protections on multiple devices or an
individual device.


Device management tasks


AEM allows you to perform the following tasks for managing the configuration and daily
operations on the devices that are under management:
• Create, configure, and manage the server types, protection groups, outbound threat
filter, filter list, deny list, and allow list in AEM. AEM propagates the configurations to
each managed device as appropriate.
• Share common protection groups and server types across multiple devices.
• View the traffic and statistics from each device as well as an aggregate of the data from
all of the devices. For example, you can view an aggregated blocked host log.
• View security alerts and system alerts for all of the devices.
• View and respond to the threats that are identified by the ATLAS threat policies.
• Respond to availability attacks by changing the protection level, adding hosts to the
deny list, or modifying the protection settings globally or per device.
• Navigate to a specific device to view more detailed information about its configuration
or traffic.

When you first connect a device to AEM, the applicable configurations on AEM are copied
to the device. Any existing configurations on the device are copied to AEM. Thereafter,
you make changes in AEM only. Periodically, the device checks AEM and obtains any
configuration changes that apply to that device. See “About Configuration Data
Synchronization with AEM” on page 90.
Important
On a device that is managed by AEM, the ability to edit certain configurations is disabled.
These configurations include the server types, protection groups, filter lists, outbound
threat filter, deny list, allow list, and others. This restriction helps to avoid
synchronization issues between AEM and the managed device.

About connecting a device to AEM


To manage a device from AEM, you use a CLI command to connect the device to AEM and
perform several other configurations. You do this configuration on each device that you
want AEM to manage. See “Configuring a Device for AEM Management” on page 86.

Communication between AEM and the managed devices


After the initial connection of a device to AEM, the systems communicate with each other
as follows:
• Every minute, each managed device checks AEM for configuration changes and obtains
the changes that apply to that device. See “About Configuration Data Synchronization
with AEM” on page 90.
• AEM sends requests to each managed device for information such as traffic data.
• Every hour, AEM sends requests to each managed device for all of its active alerts and
the expired alerts from the past two weeks.
• Each managed device sends blocked host notifications to AEM at the notification
interval that is defined on the device. The default interval is one hour.

In AEM, you can view the connection and synchronization status for a specific device in
the System Information section on the Summary page. See “Viewing the synchronization
status” on page 91.


Single sign-on to managed devices from AEM


AEM uses single sign-on to log you in to managed devices automatically. When you access
a managed device from AEM, you are logged in as aem_admin or aem_user, according to
your assigned user group on AEM.

The aem_admin account and aem_user account are created on a managed device when
you connect it to AEM. For details, see “About Single Sign-on to Managed Devices” on
page 89.

For more information about logging in to managed devices from AEM, see “Accessing
Managed Devices from AEM” on page 88.

About the AEM User Interfaces


You can view data and configure settings using the user interface (UI) and the command
line interface (CLI).

About the UI
On AEM, you use the UI to configure system settings and view and analyze network traffic
on managed AED and APS devices.

The AEM UI uses the HTTPS protocol for secure sessions. By default, AEM uses a self-
signed SSL certificate for connections to the UI. If necessary, you can upload a custom
certificate and its certificate authority (CA) file to comply with your company’s security
policies and prevent browser errors. See “Using a Custom SSL Certificate for User
Authentication” on page 65.

See “Logging in to and out of the AEM UI” on page 17 and “Navigation and Common Page
Functions” on page 20.

About the CLI


The command line interface (CLI) allows you to enter commands and navigate through
the directories on AEM.

Typically, the CLI is used for installing and upgrading the software and completing the
initial configuration. However, some advanced functions can be configured only by using
the CLI.

See “About the Command Line Interface” on page 323.



Section 2:
Getting Started with AEM

This section describes how to log in to and navigate the AEM user interface (UI). You use
the UI to configure system settings, manage network security rules, and view and analyze
network traffic.

In this section
This section contains the following topics:

Before You Begin to Use AEM 16
Logging in to and out of the AEM UI 17
Editing Your User Account 17
Navigation and Common Page Functions 20
Saving, Emailing, and Printing Pages from the UI 22
Viewing Graphs in the UI 23

Before You Begin to Use AEM


Before you can access the AEM UI, you must perform the tasks described in this topic.

Initial requirements
You must complete all of the initial configuration procedures listed in the Installation
Guides for your appliances. Verify that you have done the following:
• connected and configured your AEM
• connected and configured your AED and APS devices

Supported web browsers


See the Release Notes for a list of supported browsers.

Logging in as a new user


If you are a new user, then verify that your administrator has created an account for you
with a user name and initial password.

Important
Change this password for security purposes after you log in for the first time.

For information about changing your password, see “Editing Your User Account” on the
next page.


Logging in to and out of the AEM UI


You use the UI to configure system settings, manage network security rules, and view and
analyze the network traffic.

Logging in as a new user


If you are a new user, then verify that your administrator has created an account for you
with a user name and initial password.

Important
For security purposes, change the password after you log in for the first time.

For information about changing your password, see “When to change your password” on
the next page.

About the SSL certificate for secure sessions


The AEM UI uses the HTTPS protocol for secure sessions. The first time you start AEM
services, the system generates a default SSL certificate if one is not found in known
locations.

When you access the UI for the first time, accept the SSL certificate to complete the
connection.

Logging in to the AEM UI


Important
You must use a secure connection to access AEM.

To log in to the AEM UI:


1. Open your browser.
2. Enter https://system_ipAddress
system_ipAddress = the IP address of your AEM
3. If applicable, select the appropriate option for accepting the site’s certificate, and
then click OK.
4. In the Welcome window, type your user name and password.
5. Click Log in.

Logging out of the AEM UI


To log out of the AEM UI, click Logout in the upper-right corner of any page in the UI.

Troubleshooting
If you cannot access the UI, then verify that you are logged in to your computer with a
local administrator account. Then try to log in to AEM again.

Editing Your User Account


You can edit the information in your AEM user account. Typically, you edit your account to
change your password.


If you are not an administrative user, then you only can view and edit your own account.
An administrative user can edit any account.

When you create or edit the accounts of other users, the entry screen is somewhat
different. See “Adding and Editing Local User Accounts” on page 42.

When to change your password


For security purposes, you should change your password in the following situations:
• After you log in to AEM for the first time.
• At intervals that your system administrator recommends.
• Before your password expires, if password expiration is configured.
• Whenever you think that someone else might have gained access to your password.

Passwords must meet certain criteria. See “Criteria for secure and acceptable passwords”
on page 31.

Editing your account


To edit your user account:
1. Select Administration > User Accounts.
2. If you are an administrator, then click your user name link to display the Edit Existing
Account window.
If you are a non-administrative user, then your own account appears on the Edit
Existing Account page.
3. Edit your account settings.
See “User account settings” below.
4. When you finish editing, click Save.
5. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

User account settings


Settings for editing user accounts

Setting: Username box
Description: Displays the user name that was originally assigned. You cannot edit the
user name.

Setting: Real Name box
Description: Type your full name.

Setting: Email box
Description: Type your valid email address. If the administrator who created your user
account entered your email address, then AEM created a notification for that email
address. If you change or delete your email address, then edit or delete any related
notifications on the Configure Notifications page (Administration > Notifications). See
“Configuring Notifications” on page 80.

Setting: Password box, Confirm box
Description: Type a password and then type the same password in the Verify box. See
“Password requirements” below. To clear the passwords in both boxes, click (remove).

Important
For security purposes, do not use arbor, which is the default administrator password.

Password requirements
Password requirements for local user accounts

Requirement: Password length
Description: By default, the minimum length is 10 characters while the maximum length
cannot be more than 72 characters. However, an administrator can change the password
length requirements. See “Changing the required password length” on page 40.

Requirement: Number of character types
Description: The password must contain from two to four of the following character types:
• uppercase letters
• lowercase letters
• numbers
• symbols
The required number of character types depends on whether the complexity mode is
standard or advanced. The standard complexity mode requires at least two character
types. The advanced complexity mode requires all four character types.

Requirement: Character mix
Description: In the advanced complexity mode, passwords are rejected if they do not meet
the following character mix requirements:
• Uppercase letters cannot be at the start of the password only.
• Numbers cannot be at the end of the password only.
• Symbols cannot be at the end of the password only.
In the standard complexity mode, passwords are rejected if they contain only two
character types and violate any of the character mix requirements. However, the
character mix requirements do not apply to passwords in standard mode if the passwords
contain more than two character types.

Note
By default, the complexity mode is set to standard. However, an administrator can
change the complexity mode. See “Changing the complexity mode” on page 41.
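The following Python function is an added example, not code from the NETSCOUT guide or from AEM itself. It applies the length, character type, and character mix rules above so that an administrator can pre-check a candidate password against either complexity mode before setting it. The default minimum of 10 and maximum of 72 characters are the defaults stated in the table; treating every character that is not a letter or a digit (including a space) as a symbol is an assumption of this example.

```python
"""Check a candidate password against the local-account rules in the table above.

Added example for this guide; it is not AEM's own validator.  Assumption: any
character that is not a letter or a digit (a space included) counts as a symbol.
"""


def character_types(password: str) -> set:
    """Return the set of character types present: upper, lower, digit, symbol."""
    types = set()
    for ch in password:
        if ch.isupper():
            types.add("upper")
        elif ch.islower():
            types.add("lower")
        elif ch.isdigit():
            types.add("digit")
        else:
            types.add("symbol")  # assumption: everything else is a symbol
    return types


def _positions(password: str, kind: str) -> list:
    """Indexes of the characters of the given type."""
    checks = {
        "upper": str.isupper,
        "digit": str.isdigit,
        "symbol": lambda c: not c.isalnum(),
    }
    return [i for i, ch in enumerate(password) if checks[kind](ch)]


def _only_at_start(password: str, kind: str) -> bool:
    """True when every character of this type sits in a single run at the start."""
    pos = _positions(password, kind)
    return bool(pos) and pos == list(range(len(pos)))


def _only_at_end(password: str, kind: str) -> bool:
    """True when every character of this type sits in a single run at the end."""
    pos = _positions(password, kind)
    n = len(password)
    return bool(pos) and pos == list(range(n - len(pos), n))


def character_mix_violations(password: str) -> list:
    """The three character mix rules from the table; returns the rules violated."""
    reasons = []
    if _only_at_start(password, "upper"):
        reasons.append("uppercase letters only at the start")
    if _only_at_end(password, "digit"):
        reasons.append("numbers only at the end")
    if _only_at_end(password, "symbol"):
        reasons.append("symbols only at the end")
    return reasons


def check_password(password: str, mode: str = "standard",
                   min_length: int = 10, max_length: int = 72) -> list:
    """Return the list of rule violations; an empty list means the password is accepted."""
    if mode not in ("standard", "advanced"):
        raise ValueError("mode must be 'standard' or 'advanced'")
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(password) > max_length:
        reasons.append(f"longer than {max_length} characters")

    types = character_types(password)
    if mode == "advanced":
        if len(types) < 4:
            reasons.append("advanced mode requires all four character types")
        # Advanced mode always applies the character mix rules.
        reasons.extend(character_mix_violations(password))
    else:
        if len(types) < 2:
            reasons.append("standard mode requires at least two character types")
        elif len(types) == 2:
            # Standard mode applies the mix rules only to two-type passwords.
            reasons.extend(character_mix_violations(password))
    return reasons


if __name__ == "__main__":
    for candidate in ("Password1!", "ABcdefghij", "paSsword1!x"):
        for mode in ("standard", "advanced"):
            print(mode, repr(candidate), check_password(candidate, mode) or "accepted")
```

Note how "Password1!" passes in standard mode (four character types, so the mix rules are skipped) but fails in advanced mode on two mix rules: its only uppercase letter is the first character and its only symbol is the last one.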

Navigation and Common Page Functions


You can navigate through the AEM UI menus and pages by using a variety of navigation
controls.

About the UI menu bar


At the top of every page in the UI, the menu bar indicates which menu is active and allows
you to navigate to the UI menus and pages. The menus that are available depend on the
user group to which you are assigned.

Navigation menu bar in AEM


The menu bar contains the following menus:

Menu items

Item Description

Dashboard View an overview of the security status of your network.

Summary View a summary of the status for AEM.

Explore Use the options on the menus as follows:
n View the ATLAS threat categories that block inbound traffic
and outbound traffic on all of the AED and APS devices that
AEM manages.
n View information about the traffic that is blocked by the
managed devices.
n View and analyze security alerts.
n View AEM system alerts.

Protect Configure server types, protection groups, and other ways to
filter traffic for mitigation.

Reports Configure and manage centralized reports.

Administration View and change the AEM system settings.

Toolbar icons
To the right of and below the menu bar is a series of tool icons that allow you to perform
the following page-related functions.
Note
The email and PDF options are not available on the Threat Analysis page and the Security
Alerts page. However, you might click (Print this page) and print to PDF, if your
computer can do so.

Tool icons

Icon Description

(Create a PDF of this page) Create a PDF of the current page and save it to your local
computer.

(Email this page) Email the current page and an optional message to recipients. See
“Emailing a page as a PDF file” on page 23.

(Print this page) Open your browser’s print window and print the current page. See
“Printing a page” on page 23.

(Refresh this page) Refresh the data on the current page. See “Saving a page as a PDF
file” on the next page.

(Toggle auto-refresh) Refreshes a page in the UI every 120 seconds. A teal-colored icon
indicates that the auto-refresh is on. Click to stop the automatic refresh (for example,
to preserve interesting data).
This option is available for certain pages only.

(Help) Open the Help window for the current page.

Using Help
When you click the (Help) button on any UI page, a window appears that contains
information about that page.


In the Help window, you can perform any of the following tasks:
n Read about the functions that are available on the current page.
n View related topics.
n Scroll through the table of contents for the User Guide.
n Search for topics in the User Guide.

Finding licensing and copyright information


The AEM About window displays information about the installed software and hardware,
including the version number, build numbers, and the NETSCOUT End User License
Agreement.

To view licensing and copyright information:


1. In the lower-right corner of any page in the UI, click the copyright notice link.
2. In the About window, you can view the following license information:
n Information about the installed software and hardware.
n NETSCOUT License — Use the scrollbar to view the entire license.
n Associated licenses — Click the copyright notice and the associated licensing link.
n GPL-based software licenses — Click the arbor-support@netscout.com link to send
an email request for copies of additional licenses that are based on the General
Public License (GPL).

About the error page


The system displays an error page when unexpected errors or internal errors occur. This
page includes a link that you can click to send a report to the Arbor Technical Assistance
Center. If you click this link and you do not have an SMTP server configured, then AEM
displays an error message that advises you to configure the SMTP server. Click the link
that appears in the error message to navigate to the Configure General Settings page,
where you configure the SMTP server.

Saving, Emailing, and Printing Pages from the UI


The AEM menu bar contains icons that allow you to save pages as PDF files and email the
PDF files.
Note
Before you can send email from AEM, you must configure an SMTP Server and a Default
URL Hostname. See “Configuring General Settings” on page 57.

Saving a page as a PDF file


Note
The PDF option is not available on the Threat Analysis page or the Security Alerts page.
However, you might click (Print this page) and print to PDF, if your computer can do
so.

To save a UI page as a PDF file:


1. Navigate to the page that you want to save.
2. On the toolbar, click (Create a PDF).


3. Open or save the file according to your browser options.

Emailing a page as a PDF file


When you send an email message that contains a PDF of a UI page, the subject line
contains “AEM:” followed by the name of the page. The “from” address uses the Default
URL Hostname. For example, if the hostname is 123.example.com, then the “from”
address is root@123.example.com.

Note
The email option is not available on the Threat Analysis page or the Security Alerts page.
However, you might click (Print this page) and print to PDF, if your computer can do
so. Then you can email the PDF.

To email a UI page as a PDF file:


1. Navigate to the page that you want to email.
2. On the toolbar, click (Email this page).
3. In the Email Page window, enter the following information:

Setting Description
Email to box Enter one or more valid email addresses. Separate multiple
email addresses with commas.

Comment box Enter a message to include in the body of the email.

4. Click Send Email.

Printing a page
For best results when you print a UI page, adjust the print options as described below.

To print a UI page:
1. Navigate to the page, and then minimize or maximize your browser window so that
you can see all of the data on the page.
2. Click (Print this page).
3. In the Print options, change the Orientation setting to Landscape, which has
proportions that are similar to browser windows.
4. If you do not see all of the data on the print preview or on the printed page, then
adjust the Scale percentage. The optimal scale percentage varies for different pages;
experiment until you are satisfied with the results.
5. Click Print.

Viewing Graphs in the UI


AEM uses graphs to represent your organization’s traffic in real time.

For most of the graphs that appear in AEM, you can change the timeframe and unit of
measure in which those graphs are displayed. The time increments provide a level of
visibility that allows you to inspect the traffic on a much deeper scale.


About stacked graphs


Stacked graphs allow you to see specific types of data more clearly. Each data type in a
stacked graph has its own color-coded segment. The height of the stack segment
represents that segment’s data as a percentage of the total data.

Examples of the pages that contain stacked graphs are the Dashboard page and the View
Protection Group page.

About minigraphs
Minigraphs allow you to see a small representation of graph data. In some areas, when
you hover your mouse pointer over a minigraph, a larger version of the graph appears in
a pop-up window. For examples of minigraphs, see the View Protection Groups page.

Changing the display


On certain pages in the UI, you can change the time frame for which the traffic data is
displayed. The style of the time frame selector varies by page, but all of the selectors
allow you to select the time frame as follows:
n Select a predefined time frame. Typically, the predefined ranges are the last 5 minutes,
the last hour, the last day, and the last 7 days.
n Select a start date and end date and, if necessary, select a start time and end time.
n On certain pages, you can click and drag across a traffic graph to focus on a time frame
within the displayed range. Some pages also contain zoom controls that allow you to
zoom in and zoom out on a traffic graph.
These actions change the time frame for the entire page. For example, you can
examine the traffic for a certain peak or valley within the graph.

The display change might take a few seconds.

Changing the display unit of measure


On certain traffic-related pages in the UI, you can display the traffic data in terms of bytes
or packets.
To change the display unit of measure, click the Bytes button or Packets button.
Typically, these buttons appear on the page to the right of the time frame selector.
Note
The bits per second (bps) values in the displayed traffic statistics are based on the layer
3 packet size.



Part II: AEM Implementation


Section 3: Configuring User Groups and Authentication

You can create custom user groups to organize AEM users by the different levels of
system access. You also can configure the authentication method that AEM uses to log in
users. These methods include local user accounts, RADIUS, and TACACS+.

This section also describes how to configure the password requirements for local user
accounts.

User access
Administrators who have the srv_aaa authorization key can complete all of the actions
that are described in this section.

In this section
This section contains the following topics:

About User Authentication 28


About User Groups 29
About User Accounts 30
Adding and Deleting User Groups 32
Assigning Authorization Keys to User Groups 33
User Group Authorization Keys 33
Configuring the User Accounting Level 37
Configuring Password Requirements for Local User Accounts 38
Adding and Editing Local User Accounts 42
Locking and Unlocking Local User Accounts 46
Adding Users to User Groups 47
Setting the Authentication Method for RADIUS and TACACS+ 48
Setting the AEM User Group for RADIUS Users 50
Setting the AEM User Group for TACACS+ Users 50
Changing the Default User Group for RADIUS and TACACS+ 51
Configuring RADIUS Integration 51
Configuring TACACS+ Integration 53
About HTTP Header-Based Authentication 54
Configuring HTTP Header-Based Authentication for Single Sign-on 55

Section 3: Configuring User Groups and Authentication
AEM User Guide, Version 7.0.0.0

About User Authentication


User accounts represent the login credentials for the people who use AEM. Each unique
user account contains the user’s login credentials and determines the levels of access that
the user is allowed.

AEM supports the following user authentication methods:


n Local — AEM authenticates users based on user accounts that you configure.
n RADIUS — AEM performs static password authentication with an existing
implementation of RADIUS (Remote Authentication Dial In User Service).
n TACACS+ — AEM performs static password authentication with an existing
implementation of TACACS+ (Terminal Access Controller Access-Control System Plus).

All of the authentication methods provide access to the CLI through SSH and to the user
interface (UI) through HTTPS.

About local user accounts


You add, edit, and delete the local user accounts in the UI or the CLI. See “Adding and
Editing Local User Accounts” on page 42.

The AEM installation creates a user account named “admin”, which is a member of the
system_admin group. You cannot delete the admin account or change its group
membership.

Important
For security reasons, we strongly recommend that you change the admin account
password during the AEM installation.

Administrators also can configure password requirements that apply to all local user
accounts. See “Configuring Password Requirements for Local User Accounts” on page 38.

About access to local user accounts


Administrators can perform all of the user account management tasks, including the
creation, modification, and deletion of user accounts and groups. Non-administrative
users only have access to a view of the user accounts.

For more information about the different levels of access, see “About User Groups” on the
next page.

How authentication works with RADIUS and TACACS+


AEM can integrate with the RADIUS service or TACACS+ service for centralized user
authentication. You add, edit, and delete domain user accounts on the authentication
server only. However, you can view the RADIUS users and TACACS+ users in the AEM CLI.

When a RADIUS user or TACACS+ user logs in to AEM, AEM connects to the primary
authentication server that you designated. If the server can authenticate the user, then it
sends the AEM user group that you defined for that user in RADIUS or TACACS+. AEM logs
in the user with the access permissions that are associated with the user group.

If the primary authentication server does not respond within the defined timeout period,
then AEM tries to connect to the backup server, if any. If AEM cannot reach either of the
designated servers, then AEM tries to authenticate the user locally.
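The login flow just described (primary server, backup server on timeout, then local accounts, with the server-supplied group or the default group applied) is modelled in the following Python code. It is an added example for this guide, not AEM's own implementation, and it does not speak RADIUS or TACACS+ on the wire: each server is a stand-in callable, `ServerTimeout` represents a server that does not respond within the timeout, and the rule that a reachable server which rejects the user ends the attempt is an assumption of the example. The local account store and its PBKDF2 hashing are likewise constructed for illustration.

```python
"""Model of the AEM login flow: primary server, backup server, then local fallback.

Added example for this guide, not AEM's own code.  Assumptions: a server is any
callable server(username, password) -> (accepted, group_or_None); it raises
ServerTimeout when it does not answer within the timeout; a reachable server that
rejects the user ends the attempt without trying the next option.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

DEFAULT_EXTERNAL_GROUP = "system_user"  # AEM default for users with no group on the server


class ServerTimeout(Exception):
    """Raised when a RADIUS/TACACS+ stand-in does not respond within the timeout."""


@dataclass
class AuthResult:
    accepted: bool
    source: str                      # "primary", "backup" or "local"
    group: Optional[str] = None


# --- local accounts: username -> (salt, PBKDF2 hash, group).  Constructed sample data.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_local_account(password: str, group: str) -> Tuple[bytes, bytes, str]:
    salt = os.urandom(16)
    return salt, _hash(password, salt), group


LOCAL_ACCOUNTS = {
    "admin": make_local_account("example-admin-passphrase", "system_admin"),  # sample only
}


def authenticate_locally(username: str, password: str) -> AuthResult:
    """Local fallback: verify against the store with a constant-time comparison."""
    record = LOCAL_ACCOUNTS.get(username)
    if record is None:
        return AuthResult(False, "local")
    salt, stored, group = record
    if hmac.compare_digest(stored, _hash(password, salt)):
        return AuthResult(True, "local", group)
    return AuthResult(False, "local")


Server = Callable[[str, str], Tuple[bool, Optional[str]]]


def authenticate(username: str, password: str,
                 primary: Optional[Server], backup: Optional[Server],
                 default_group: str = DEFAULT_EXTERNAL_GROUP) -> AuthResult:
    """Try the primary server, then the backup, then the local accounts."""
    for source, server in (("primary", primary), ("backup", backup)):
        if server is None:
            continue
        try:
            accepted, group = server(username, password)
        except ServerTimeout:
            continue                 # unreachable: fall through to the next option
        if not accepted:
            return AuthResult(False, source)
        # A user with no group assignment on the server lands in the default group.
        return AuthResult(True, source, group or default_group)
    return authenticate_locally(username, password)


# --- constructed stand-ins for the RADIUS/TACACS+ servers
def make_server(users: dict, reachable: bool = True) -> Server:
    """users maps username -> (password, group_or_None); reachable=False simulates a timeout."""
    def server(username: str, password: str):
        if not reachable:
            raise ServerTimeout()
        record = users.get(username)
        if record is None or record[0] != password:
            return False, None
        return True, record[1]
    return server


if __name__ == "__main__":
    primary = make_server({"alice": ("pw", "system_admin"), "bob": ("pw", None)})
    down = make_server({}, reachable=False)
    print(authenticate("alice", "pw", primary, None))       # primary, system_admin
    print(authenticate("bob", "pw", down, primary))         # backup, default group
    print(authenticate("admin", "example-admin-passphrase", down, down))  # local
```

The point to take from the model is the fallback order: only a timeout moves the attempt along the chain, and the local account store is consulted only when neither designated server can be reached. The default group is applied on the AEM side, which is why the choice of default (see "About the AEM user groups in RADIUS or TACACS+") matters for every server account that has no group assignment.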


About the AEM user groups in RADIUS or TACACS+


For the RADIUS users or TACACS+ users who log in to AEM, you define an AEM user group
on the appropriate authentication server.

Some RADIUS users or TACACS+ users might not have any group assignment on the
authentication server. By default, any user who is not assigned to a user group on the
authentication server is assigned to the predefined system_user group in AEM.

If the system_user group is inappropriate for your RADIUS users or TACACS+ users, then
you can change the default group to which they are assigned. See “Changing the Default
User Group for RADIUS and TACACS+” on page 51.

Integrating AEM with RADIUS or TACACS+


Process for integrating AEM with RADIUS or TACACS+

Step Description

1 On the RADIUS server or TACACS+ server, set the user group for the AEM
users.
See “Setting the AEM User Group for RADIUS Users” on page 50 or “Setting the
AEM User Group for TACACS+ Users” on page 50.

2 If necessary, change the default AEM user group for RADIUS users or TACACS+
users. Any user who is not assigned to a user group on the RADIUS server or
TACACS+ server is assigned to the default user group that you specify.
See “Changing the Default User Group for RADIUS and TACACS+” on page 51.

3 Configure AEM to access the authentication server and an optional backup
server for RADIUS or TACACS+.
See “Configuring RADIUS Integration” on page 51 or “Configuring TACACS+
Integration” on page 53.

4 Set the authentication method. By default, AEM uses local user authentication.
To use RADIUS authentication or TACACS+ authentication, you specify one of
those services as the primary authentication method.
See “Setting the Authentication Method for RADIUS and TACACS+” on page 48.

5 (Optional) Configure the user accounting level, which determines whether
AEM logs user activities in the local syslog.
See “Configuring the User Accounting Level” on page 37.

About User Groups


User groups allow you to organize AEM users by the different levels of system access that
the users are allowed. When you create a user account, you assign it to a user group. The
owner of the account inherits the access levels that are assigned to the user group.

You can assign users to user groups on the User Accounts page in the user interface (UI),
or in the command line interface (CLI). See “Adding Users to User Groups” on page 47.


About authorization keys


An administrator assigns authorization keys to a user group, which determines the level
of system access that is granted to the users in the group. See “Assigning Authorization
Keys to User Groups” on page 33.

About the predefined user groups


AEM contains the following predefined user groups:

Predefined user groups

Group Access

system_admin Allows full administrative access to view and configure AEM
settings. Users in this group have read and write access to the UI,
the API, and the command line interface (CLI).
Users also can add and delete system_admin, system_user, and
system_none user accounts.

system_user Allows read access to most of the UI pages and limited access to
CLI commands.
Users in this group cannot add user accounts, but they can change
the real name, email, time zone, and password for their own
account.

system_none Denies AEM access to unwanted users who have an account on a
TACACS+ or RADIUS server.
When your organization uses RADIUS or TACACS+ authentication, it
is possible for all users who have an account on the authentication
server to access AEM. Use this group as the default to lock out the
unwanted users, and then assign other groups to the users who
need AEM access.
See “Changing the Default User Group for RADIUS and TACACS+”
on page 51.

For a complete list of the permissions for each user group, see “User Group Authorization
Keys” on page 33.

About custom user groups


For additional flexibility in assigning user permissions, administrators can define custom
user groups in the CLI. These custom user groups appear as options on the User Accounts
page in the UI. See “Adding and Deleting User Groups” on page 32.

About User Accounts


Each person who uses AEM requires a unique user account that contains their login
information and determines the levels of system access that they are allowed.


About configuring user accounts


You configure the user account settings on the Configure User Accounts page
(Administration > User Accounts). See “Adding and Editing Local User Accounts” on
page 42.

For information about editing your own user account, see “Editing Your User Account” on
page 17.

About access to user accounts


Administrators can view all of the user accounts, edit and delete accounts, and create
new accounts. Non-administrators can view and edit their own user accounts only. For
example, they can reset their passwords or update their email addresses.

For information about the different levels of system access, see “Editing Your User
Account” on page 17.

Criteria for secure and acceptable passwords


A user’s account contains a password, which allows the user to access AEM.
Passwords must meet the following criteria:
n must be between 7 and 72 characters long
Administrators can configure a different minimum length and maximum length for
passwords.
n can include special characters, spaces, and quotation marks
n cannot be all digits
n cannot be all lowercase letters or all uppercase letters
n cannot be only letters followed by only digits (for example, abcd123)
n cannot be only digits followed by only letters (for example, 123abcd)
n cannot consist of alternating letter-digit combinations (for example, 1a3A4c1 or
a2B4c1d)

See “Changing the required password length” on page 40.
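The acceptance criteria listed above are mostly structural (which character classes appear and in what order), so they are easy to get subtly wrong by hand. The following Python check is an added example for this guide, not AEM's own code: it classifies each character as a letter, a digit or something else and then tests the list's patterns directly. The default minimum of 7 and maximum of 72 characters are the values given in the list; classifying letters and digits with `str.isalpha()` and `str.isdigit()` is an assumption of the example.

```python
"""Apply the password acceptance criteria listed above.

Added example for this guide; not AEM's own code.  Letters and digits are
classified with str.isalpha() and str.isdigit() (assumption); the default
minimum of 7 and maximum of 72 characters come from the list above.
"""
import re


def _classes(password: str) -> str:
    """Map each character to L (letter), D (digit) or O (anything else)."""
    return "".join(
        "L" if ch.isalpha() else "D" if ch.isdigit() else "O" for ch in password
    )


def is_alternating(password: str) -> bool:
    """True for passwords built only from letters and digits that alternate on
    every position, such as 1a3A4c1 or a2B4c1d."""
    classes = _classes(password)
    if "O" in classes or len(classes) < 2:
        return False
    return all(a != b for a, b in zip(classes, classes[1:]))


def check_criteria(password: str, min_length: int = 7, max_length: int = 72) -> list:
    """Return the criteria the password violates; an empty list means it is acceptable.
    Special characters, spaces and quotation marks are allowed, so nothing rejects them."""
    reasons = []
    if not min_length <= len(password) <= max_length:
        reasons.append(f"must be between {min_length} and {max_length} characters long")
    classes = _classes(password)
    if re.fullmatch(r"D+", classes):
        reasons.append("cannot be all digits")
    if re.fullmatch(r"L+", classes) and (password.islower() or password.isupper()):
        reasons.append("cannot be all lowercase letters or all uppercase letters")
    if re.fullmatch(r"L+D+", classes):
        reasons.append("cannot be only letters followed by only digits")
    if re.fullmatch(r"D+L+", classes):
        reasons.append("cannot be only digits followed by only letters")
    if is_alternating(password):
        reasons.append("cannot consist of alternating letter-digit combinations")
    return reasons


if __name__ == "__main__":
    for candidate in ("1234567", "abcd123", "1a3A4c1", "Tr0ub4dor&3", "correct horse"):
        print(repr(candidate), check_criteria(candidate) or "acceptable")
```

Working on the class string rather than the raw password keeps each rule a one-line pattern, and it makes the space in "correct horse" count as a third class, which is exactly why the list's "cannot be all lowercase letters" rule does not reject it.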

Information on the Configure User Accounts page


For administrative users, the Configure User Accounts page displays the following
information for each user:

User account details

Information Description

Username Displays the user name as a link to the Edit Existing Account
window.

Real Name Displays the user’s real name.

Group Displays the user group to which the user belongs.

Email Displays the user’s email address.

Location Displays the IP address from which the user last connected to
AEM.

Time Displays the last time the user logged in to AEM.

Failures Indicates the number of times that the user tried to log in but was
unsuccessful. This number is cleared when the user successfully
logs in to the system.

Selection check box Allows you to select the user account for deletion.

Adding and Deleting User Groups


User groups allow you to organize AEM users by the different levels of system access that
they are allowed. AEM has several predefined user groups, and administrators can define
custom user groups. Defining a custom user group consists of adding the group and
assigning authorization keys for that group. See “About User Groups” on page 29.

Adding a user group


When you use the add command to add a new group, AEM creates the new group without
any authorization keys. See “Assigning Authorization Keys to User Groups” on the next
page.

To add a user group:


1. Log in to the CLI with your administrator user name and password.
2. Enter / services aaa groups add group_name
3. To confirm that the group was added, enter / services aaa groups show group_name
4. To save the configuration, enter / config write

Copying a user group


To save time when you create a group that is similar to an existing group, you can copy an
existing group and then edit the copy. The new group inherits the authorization keys
from the original group.

To copy a user group:


1. In the CLI, enter / services aaa groups copy existing_group new_group
existing_group = the name of the group to copy
new_group = the name of the new group that is a copy of the existing group
2. To save the configuration, enter / config write

Deleting a user group


When you delete a user group, the members of that group become members of the
default group.


To delete a user group:


1. In the CLI, enter / services aaa groups delete group_name
2. At the confirmation prompt, enter y.
3. To save the configuration, enter / config write

Assigning Authorization Keys to User Groups


The authorization keys that are assigned to a user group determine the level of access
that is granted to the users in that group. Only users in the system_admin user group can
add and delete authorization keys, and assign authorization keys for any new groups that
are created. See “About User Groups” on page 29.

Adding and deleting authorization keys


If you change or add keys, any user whose account is affected by those keys must log off
of the system and restart their browser for the change to take effect.

To add or delete an authorization key:


1. Log in to the CLI with your administrator user name and password.
2. Enter / services aaa groups key {add | delete} name key
{add | delete} = Type add to assign an authorization key or delete to remove
one.
name = the group name
key = the authorization key to assign
For a list of the authorization keys that are available, see “User Group
Authorization Keys” below.
3. Repeat this procedure for each additional authorization key that you want to add or
delete.
4. To save the configuration, enter / config write

Viewing the group authorization keys


To view the group authorization keys:
n In the CLI, enter / services aaa groups show name
name = The user group name. If you do not include the name, then AEM displays
the authorization keys for all the user groups.
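The group commands in this section (groups add, groups copy, groups delete, groups key add | delete, and groups show) and the access decision that the keys drive are modelled by the following Python class. It is an added example for this guide, not AEM's CLI or its code. The key sets are a constructed subset of the authorization keys listed in "User Group Authorization Keys" below, the move of a deleted group's members to the default group follows "Deleting a user group" above, and the refusal to delete the default group itself is an assumption of the example.

```python
"""In-memory model of the AEM group and authorization-key commands.

Added example for this guide, not AEM's own code.  KNOWN_KEYS and
PREDEFINED_GROUPS are a constructed subset of the authorization keys table in
this section; refusing to delete the default group is an assumption.
"""

KNOWN_KEYS = {
    "login_cli", "login_ui", "conf_show", "conf_write", "srv_aaa",
    "web_edit_accounts", "web_explore", "web_reports", "web_reports_delete_all",
}

PREDEFINED_GROUPS = {
    "system_admin": {"login_cli", "login_ui", "conf_show", "conf_write", "srv_aaa",
                     "web_edit_accounts", "web_explore", "web_reports",
                     "web_reports_delete_all"},
    "system_user": {"login_cli", "login_ui", "conf_show", "web_explore", "web_reports"},
    "system_none": set(),          # holds no keys: the lock-out group
}


class AaaGroups:
    def __init__(self, default_group: str = "system_user"):
        self.groups = {name: set(keys) for name, keys in PREDEFINED_GROUPS.items()}
        self.members = {}                      # username -> group name
        self.default_group = default_group

    def add(self, name: str) -> None:
        """groups add: a new group starts without any authorization keys."""
        if name in self.groups:
            raise ValueError(f"group {name!r} already exists")
        self.groups[name] = set()

    def copy(self, existing: str, new: str) -> None:
        """groups copy: the new group inherits the keys of the existing group."""
        inherited = set(self.groups[existing])
        self.add(new)
        self.groups[new] = inherited

    def delete(self, name: str) -> None:
        """groups delete: members of the deleted group move to the default group."""
        if name == self.default_group:
            raise ValueError("cannot delete the default group")   # assumption
        del self.groups[name]
        for user in [u for u, g in self.members.items() if g == name]:
            self.members[user] = self.default_group

    def key(self, action: str, name: str, key: str) -> None:
        """groups key {add | delete} name key; the key must be typed exactly as listed."""
        if key not in KNOWN_KEYS:
            raise ValueError(f"unknown authorization key {key!r}")
        if action == "add":
            self.groups[name].add(key)
        elif action == "delete":
            self.groups[name].discard(key)
        else:
            raise ValueError("action must be 'add' or 'delete'")

    def show(self, name: str = None) -> dict:
        """groups show [name]: the keys of one group, or of every group."""
        if name is None:
            return {g: sorted(k) for g, k in self.groups.items()}
        return {name: sorted(self.groups[name])}

    def assign(self, user: str, group: str) -> None:
        """Put a user account into a group (the User Accounts page or CLI step)."""
        if group not in self.groups:
            raise ValueError(f"no such group {group!r}")
        self.members[user] = group

    def authorized(self, user: str, key: str) -> bool:
        """Access check: the user's group must hold the key."""
        group = self.members.get(user)
        return group is not None and key in self.groups[group]


if __name__ == "__main__":
    aaa = AaaGroups()
    aaa.copy("system_user", "soc_analyst")          # start from the read-only group
    aaa.key("add", "soc_analyst", "web_reports_delete_all")
    aaa.assign("carol", "soc_analyst")
    print(aaa.show("soc_analyst"))
    print(aaa.authorized("carol", "web_reports_delete_all"), aaa.authorized("carol", "srv_aaa"))
```

The copy-then-add pattern is the least-privilege way to build a custom group: start from the predefined group with the fewest keys that still fits the role and add only the keys the role needs, rather than copying system_admin and removing keys.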

User Group Authorization Keys


The authorization keys that are assigned to a group determine the level of system access
that is granted to members of that group. You assign authorization keys in the command
line interface (CLI). See “Assigning Authorization Keys to User Groups” above.


Available authorization keys

The following table shows the authorization keys that you can assign to user groups and
the predefined groups to which they are assigned. When you assign an authorization key
to a user group, type the key exactly as it is shown.

User group authorization keys

Key: Description [Predefined group assignment]

apses_view: View the managed devices. [system_admin]
clock: Set the system clock. [system_admin]
conf_imp: Import a configuration from disk. [system_admin]
conf_show: Show the running or saved configuration. [system_admin, system_user]
conf_write: Save the running configuration or export it to a disk. [system_admin]
diag_admin: Create a diagnostics package. [system_admin]
general-settings_view: View the general settings. [system_admin, system_user]
ip_access: Edit and apply the IP access rules. [system_admin]
ip_arp: Modify the Address Resolution Protocol (ARP) information. [system_admin]
ip_int: Edit the IP interface configuration. [system_admin]
ip_route: Edit the routing configuration. [system_admin]
ip_snoop: Snoop network interface traffic. [system_admin]
ip_tee: Edit the IP tee configuration. [system_admin]
login_cli: Access the command line interface (CLI). [system_admin, system_user]
login_ui: Access the Web user interface and the pages in the UI that are not controlled by another authorization key. [system_admin, system_user]
nsi_admin: Start and stop AEM services and complete other administrative tasks in the CLI. [system_admin]
protection-groups_view: View protection groups. [system_admin]
reload: Reload AEM. [system_admin]
reports_edit: Edit Central Reports. [system_admin]
reports_view: View Central Reports. [system_admin, system_user]
shutdown: Shut down AEM. [system_admin]
srv_aaa: Edit the local user and authentication, authorization, and accounting (AAA) configuration. [system_admin]
srv_backup: Manage and restore from system backups. [system_admin]
srv_dns: Edit the DNS cache configuration. [system_admin]
srv_http: Edit the HTTP configuration. [system_admin]
srv_log: Edit the logging configuration and view the logs. [system_admin]
srv_nfs: Edit the NFS configuration. [system_admin]
srv_ntp: Edit the NTP configuration. [system_admin]
srv_snmp: Edit the SNMP configuration. [system_admin]
srv_ssh: Edit the SSH configuration. [system_admin]
srv_ssh_key: Manage the SSH keys. [system_admin]
sys: Edit system information. [system_admin]
sys_att: Edit the system attributes. [system_admin]
sys_cdrom: Lock and unlock the CD-ROM drive. [system_admin]
sys_disk: Manage the system disks. [system_admin]
sys_file: Manage files. [system_admin]
sys_file_admin: Install and uninstall software packages. [system_admin]
sys_hard: Show hardware information. [system_admin]
sys_hsm: Access the HSM card. [system_admin]
web_approve_alerts: Approve alerts for a rule on the System Alerts page. [system_admin]
web_audit_hide: Show and hide the audit trail. [system_admin]
web_audit_view: View the Audit Trail page. [system_admin]
web_clear_alerts: Clear alerts on the System Alerts page. [system_admin]
web_edit_accounts: Edit user accounts in the UI, including adding users and changing passwords. [system_admin]
web_edit_alert_summary: Edit the alert summary. [system_admin]
web_edit_atf: Edit the AIF settings. (The AIF was formerly known as “ATF”.) [system_admin]
web_edit_atlas: Edit ATLAS settings. [system_admin]
web_edit_backups: Edit the backup settings. [system_admin]
web_edit_deny_allow: Edit the deny list and allow list. [system_admin]
web_edit_files: Manage files. [system_admin]
web_edit_filter: Edit the master filter list. [system_admin]
web_edit_general: Edit the settings on the General Settings page. [system_admin]
web_edit_itracking: Edit the identity tracking settings. [system_admin]
web_edit_notifications: Add, edit, and delete notification objects. [system_admin]
web_edit_protection_group: Edit protection groups and the Outbound Threat Filter. [system_admin]
web_edit_protection_level: Edit the AED and APS protection levels. [system_admin]
web_edit_server_types: Configure and manage server types. [system_admin]
web_explore: Access (read-only) the traffic data on the Explore page and Detail pages. [system_admin, system_user]
web_explore_blocked_hosts: View the Blocked Hosts, Threat Analysis, and Packet Capture pages. [system_admin]
web_reports: Create and view traffic reports and delete your own reports. [system_admin, system_user]
web_reports_delete_all: Delete the reports that other users created. [system_admin]
web_ssh_device_console: SSH to a managed device through the Device Console. [system_admin]
web_view_aif_threat_catego: View the ATLAS Threat Categories page. [system_admin, system_user]
web_view_alert_summary: View the System Alerts page. [system_admin, system_user]
web_view_app_web: View application-level web data. [system_admin, system_user]
web_view_atlas: View ATLAS global feed data. [system_admin, system_user]
web_view_attack_analysis: View the Attack Analysis page. [system_admin]
web_view_dashboard: View the Dashboard page. [system_admin, system_user]
web_view_deny_allow: View the deny list and allow list. [system_admin, system_user]
web_view_filter: View the master filter list. [system_admin, system_user]
web_view_protection_group: View protection groups and the Outbound Threat Filter. [system_admin, system_user]
web_view_server_types: View server types. [system_admin]

Configuring the User Accounting Level


The user accounting level determines whether AEM logs the following user activities to
the local syslog:
n software logins
n configuration changes
n interactive commands

This logging applies to activities in the AEM CLI only.

Important
AEM obfuscates the user passwords in the syslog.

You can set one accounting level for each authentication method that you use (local,
RADIUS, and TACACS+).

For information about the authentication methods, see “About User Authentication” on
page 28.


Configuring the accounting level


To configure the accounting level:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aaa {local | radius | tacacs} accounting set level
{none | login | change | commands}
{local | radius | tacacs} = the authentication method for which to
configure the accounting level
{none | login | change | commands} = the accounting level; specify one of
the following levels per authentication method
none — (default) disables account logging
login — tracks logins to AEM
change — (TACACS+ only) tracks configuration changes
commands — (TACACS+ only) tracks the use of CLI commands
3. Repeat the step above for each additional authentication method that you want to
set.
4. To save the configuration, enter / config write

Configuring Password Requirements for Local User Accounts
As a system administrator, you can view and change certain password requirements for
local user accounts. The password requirements that you can change are as follows:
n password expiration
n whether users receive warning messages before password expiration and if so, when
the warnings begin
n password length
n password complexity mode

You also can view these settings. See “Viewing the password requirement settings” on
page 42.

Important
These password requirements apply to local user accounts only. They do not apply to
external logins that use TACACS+ and RADIUS and they do not apply to API tokens.

Before you enable password expiration


By default, the passwords for user accounts do not expire. However, you can configure a
password expiration timeframe in the CLI. Password expiration is tied to the last time that
a password was set.

When you enable password expiration, the timeframe applies to existing passwords as
well as new passwords. Therefore, if you enable password expiration, it is possible for an
existing password to be expired the next time that a user tries to log into AEM.

To avoid this situation, we recommend that the passwords for all user accounts be reset
before you enable password expiration.


Important
Only a user assigned to the predefined system_admin user group or a custom user
group with the srv_aaa authorization key can reset an expired password. For
information about user groups, see “About User Groups” on page 29.

Enabling or disabling password expiration


Important
Be sure to configure a password expiration timeframe that does not interfere with your
AEM backup schedule. For example, if you configure full backups weekly and
incremental backups daily, then you should not set the password expiration to seven
days or less. See “About AEM Backups” on page 339.

To enable password expiration:


1. Log in to the CLI with your administrator user name and password.
2. (Optional) To view the current password expiration setting, enter / services aaa
local policy expiration


3. To change the password expiration setting, enter / services aaa local policy
expiration set days
days = A number from 1 to 365, which indicates the number of days after which
passwords expire.
4. To save the configuration, enter / config write

To disable password expiration:

1. In the CLI, enter one of the following commands:


n / services aaa local policy expiration clear
n / services aaa local policy expiration set 0
2. To save the configuration, enter / config write

Enabling or disabling the password expiration warning message


You can configure AEM to display a warning message before a password expires. After
the specified number of days before expiration pass, a warning message appears every
time the user logs into the UI and the CLI. The warning message is shown on login until
the password is changed or expires.

To enable the password expiration warning:


1. Log in to the CLI with your administrator user name and password.
2. (Optional) To view the current setting for the warning message, enter / services
aaa local policy expiration warning
3. To set the timeframe, enter / services aaa local policy expiration warning
set days
days = A number from 1 to 30, which indicates the number of days before the
password expires that the warning message starts to appear.
4. To save the configuration, enter / config write

To disable the warning message:

1. In the CLI, enter one of the following commands:


n / services aaa local policy expiration warning clear
n / services aaa local policy expiration warning set 0
2. To save the configuration, enter / config write

Changing the required password length


By default, the minimum length for a local user account password is 10 characters and
the maximum length is 72 characters. However, you can change the required length to
meet the security needs of your company.

Important
When you change the password length requirements, the changes only apply to new
passwords. The new requirements do not affect existing passwords.

To change the required password length:


1. Log in to the CLI with your administrator user name and password.
2. (Optional) To view the current setting for the password length, enter / services aaa
password_length


3. To specify the password length, enter / services aaa password_length {min
minValue | max maxValue}
minValue = A number from 7 to 72 that indicates the minimum number of
characters that a password must include.
maxValue = A number from 7 to 72 that indicates the maximum number of
characters that a password can include.
4. To save the configuration, enter / config write

To reset the password to the default minimum length or default maximum length:
1. Enter the following command in the CLI:
/ services aaa password_length {min | max} reset_default
min = Sets the minimum password length to 10.
max = Sets the maximum password length to 72.

About the complexity mode for passwords


By default, the password complexity mode is standard, which requires that passwords
include only two character types. To make passwords more complex, you can change the
complexity mode to advanced, which requires that passwords contain four character
types.
The character types are as follows:
n uppercase letters
n lowercase letters
n numbers
n symbols

In advanced mode, the passwords also must meet character mix requirements. In
standard mode, these character mix requirements also apply to passwords that only
contain two character types. The character mix requirements are as follows:
n Uppercase letters cannot be at the start of the password only.
n Numbers cannot be at the end of the password only.
n Symbols cannot be at the end of the password only.

Important
In standard mode, the character mix requirements do not apply to passwords that
contain more than two character types.

Changing the complexity mode


To change the password complexity mode:
1. Log in to the CLI with your administrator user name and password.
2. (Optional) To view the current password complexity mode, enter / services aaa
local policy complexity
3. To change the complexity mode, enter / services aaa local policy complexity
{standard | advanced}
standard = Passwords must contain at least two character types.
advanced = Passwords must contain all four character types.
4. To save the configuration, enter / config write


Viewing the password requirement settings


To view all the authentication, authorization, and accounting settings, including the
password requirement settings for local user accounts, enter the following command in
the CLI:
/ services aaa show

To view the settings for local user accounts, enter the following command in the CLI:
/ services aaa local show

Adding and Editing Local User Accounts


Each person who uses AEM requires a unique local user account that contains their login
information. Each user is assigned to a user group, which determines the user’s level of
access.

Administrators can add new local user accounts, edit some of the settings for existing
accounts, and delete accounts. Non-administrative users can view and edit some of the
settings for their own local user accounts.

Important
Administrators are users who are assigned to the predefined system_admin user group
or a custom user group with the srv_aaa privileges. See “About User Groups” on page 29.

If you want AEM to log user activities in the local syslog, then configure the user
accounting level. See “Configuring the User Accounting Level” on page 37.

Adding local user accounts


Users that are assigned to a group with srv_aaa privileges can add local user accounts.

To add a local user account:


1. Select Administration > User Accounts.
2. On the Configure User Accounts page, click Add Account.
3. In the Add New Account window, configure the settings.
See “Local user account settings” on page 44.
4. Click Create Account.
Important
After you add new users, advise them to change their passwords to maintain
security. See “When to change your password” on page 45.
5. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.


Editing local user accounts


Users who are assigned to a group with srv_aaa privileges can edit any local user account
while non-administrative users can edit their own accounts.

To edit a local user account:


1. Select Administration > User Accounts.
If you are a non-administrative user, then the Edit Account page for your account
appears by default.
2. For administrators, when the Configure User Accounts page appears, click a link in the
Username column to open the Edit Account window.
3. Change any of the editable settings. See “Local user account settings” on the next
page.
4. Click Save.
Important
If you change the password for a user’s account, then advise the user to change the
password to maintain security. See “When to change your password” on page 45.
5. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Deleting local user accounts


You cannot delete your own account. To delete the accounts of other users, you must be
assigned to a user group with srv_aaa privileges.
To delete a local user account:
1. Select Administration > User Accounts.
2. On the Configure User Accounts page, complete one of the following steps:
n To delete individual user accounts, select the check boxes that correspond to the
user accounts that you want to delete.
n To delete all of the user accounts, select the check box in the table heading row.
3. Click Delete.
4. In the confirmation message that appears, click OK.
5. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.


Local user account settings


When administrators add local user accounts, they can configure any of the account
settings in the following table. When administrators edit user accounts, they can change
all of the settings except the username. When users edit their own accounts, they can
change all of the settings except the username and the user group.

Settings for configuring user accounts

Setting           Description

Username box      Type a unique name for this user. Usernames should meet the
                  following requirements:
                  n must contain 1 to 32 characters
                  n can contain any combination of letters (A-Z, a-z), numbers, or both
                  n cannot begin with a hyphen or underscore but can include them
                  n cannot include a period (.)
                  After a user account is created, you cannot edit the username. To
                  change the username, delete the account and then re-create it.

Real Name box     Type the user’s full name.
                  Administrators can edit this name for any local user account.
                  Non-administrative users can edit the name for their own account.

Group list        Select the user group to assign to the user. The user group
                  determines the user’s level of system access.
                  Only administrators can change the group to which users are
                  assigned. You also cannot change the group for the default “admin”
                  user.
                  See “About User Groups” on page 29.


Email box         Type a valid email address for the user.
                  Administrators can edit the email address for any local user
                  account. Non-administrative users can edit the email address for
                  their own accounts.
                  When you enter an email address for a user account, AEM creates a
                  notification for that email address. If you change or delete a
                  user’s email address, then edit or delete any related notification
                  on the Configure Notifications page (Administration > Notifications).
                  See “Configuring Notifications” on page 80.

Password box,     Type a password and then type the same password in the Verify box.
Confirm box       See “Password requirements” on the next page.
                  Important
                  For security purposes, do not use arbor, which is the default
                  administrator password.
                  Administrators can edit the password for any local user account.
                  Non-administrative users can edit the password for their own
                  account.

When to change your password


For security purposes, you should change your password in the following situations:
n After you log in to AEM for the first time.
n At intervals that your system administrator recommends.
n Before your password expires, if password expiration is configured.
n Whenever you think that someone else might have gained access to your password.


Password requirements
The password requirements for local user accounts are as follows:

Requirement                 Description

Password length             By default, the minimum length is 10 characters while the maximum
                            length cannot be more than 72 characters. However, an administrator
                            can change the password length requirements. See “Changing the
                            required password length” on page 40.

Number of character types   The password must contain from two to four of the following
                            character types:
                            n uppercase letters
                            n lowercase letters
                            n numbers
                            n symbols
                            The required number of character types depends on whether the
                            complexity mode is standard or advanced. The standard mode requires
                            at least two character types. The advanced mode requires all four
                            character types.

Character mix               In the advanced complexity mode, AEM rejects passwords that do not
                            meet the following character mix requirements:
                            n Uppercase letters cannot be at the start of the password only.
                            n Numbers cannot be at the end of the password only.
                            n Symbols cannot be at the end of the password only.
                            In the standard mode, AEM rejects passwords if they contain only two
                            character types and violate any of the character mix requirements.
                            However, the character mix requirements do not apply to passwords in
                            standard mode if the passwords contain more than two character types.

Note
By default, the complexity mode is set to standard. However, you can change the
complexity mode. See “Changing the complexity mode” on page 41.
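The following checker, added here as an example and not AEM's own implementation, applies the length, character-type and character-mix rules described under "About the complexity mode for passwords" and in the table above, in both standard and advanced mode. It assumes that "at the start only" and "at the end only" mean that every character of that type sits in one run at the very start or end of the password, and that any character that is not a letter or digit counts as a symbol.

```python
# Added example modelled on the AEM local-account password rules in this section.
# Not AEM code; the interpretation of the character-mix rules is an assumption.

STANDARD, ADVANCED = "standard", "advanced"


def _kind(ch):
    """Classify one character into the four AEM character types."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "symbol"  # assumption: anything that is not a letter or digit is a symbol


def _only_at_start(kinds, kind):
    """True if every character of this kind sits in one run at the very start."""
    idx = [i for i, k in enumerate(kinds) if k == kind]
    return bool(idx) and idx == list(range(len(idx)))


def _only_at_end(kinds, kind):
    """True if every character of this kind sits in one run at the very end."""
    idx = [i for i, k in enumerate(kinds) if k == kind]
    return bool(idx) and idx == list(range(len(kinds) - len(idx), len(kinds)))


def check_password(pw, mode=STANDARD, min_len=10, max_len=72):
    """Return a list of policy violations; an empty list means the password is accepted.

    min_len and max_len default to the AEM defaults (10 and 72) and can be
    changed the way the password_length CLI command changes them.
    """
    if mode not in (STANDARD, ADVANCED):
        raise ValueError("mode must be 'standard' or 'advanced'")
    problems = []
    if not min_len <= len(pw) <= max_len:
        problems.append(f"length must be between {min_len} and {max_len} characters")

    kinds = [_kind(ch) for ch in pw]
    present = set(kinds)
    required = 4 if mode == ADVANCED else 2
    if len(present) < required:
        problems.append(f"{mode} mode requires {required} character types, found {len(present)}")

    # Character-mix rules apply always in advanced mode, and in standard mode
    # only when the password contains exactly two character types.
    if mode == ADVANCED or len(present) == 2:
        if _only_at_start(kinds, "upper"):
            problems.append("uppercase letters appear only at the start of the password")
        if _only_at_end(kinds, "digit"):
            problems.append("numbers appear only at the end of the password")
        if _only_at_end(kinds, "symbol"):
            problems.append("symbols appear only at the end of the password")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw, mode in [("password12", STANDARD), ("pass12word", STANDARD),
                     ("Passw0rd!x", STANDARD), ("Passw0rd!x", ADVANCED),
                     ("pAssw0rd!x", ADVANCED)]:
        print(f"{mode:8} {pw!r:14} -> {check_password(pw, mode) or 'accepted'}")
```

Note that "Passw0rd!x" passes in standard mode (four character types, so the mix rules are skipped) but fails in advanced mode because its only uppercase letter is the first character.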

Locking and Unlocking Local User Accounts


Administrators in the system_admin group can lock a user account manually. System
administrators also can specify the number of login attempts that a user can make before
the account gets locked automatically.

System administrators can unlock accounts that were disabled manually or automatically.

Note
The administrator account cannot be disabled manually.

If an account is locked manually, then the user cannot log into the AEM until a user with
system_admin privileges, or assigned to a group that includes the srv_aaa authorization
key, unlocks the account.


If an account is locked automatically, then the user cannot log in with a password.
However, if SSH key authentication was enabled previously on the AEM, then the user can
log in with an SSH key.

You lock and unlock user accounts from the command line interface (CLI).

Changing the number of login attempts before AEM locks a user account
You can change the number of times that users can attempt to log in before they are
locked out of their AEM account. The default value is 5.

To change the number of login attempts that are allowed:


n In the CLI, enter / services aaa max_login_failures set {unlimited | number}
unlimited = There is no limit on the number of login attempts.
number = The number of times a user can attempt to log in before AEM locks them
out of the account.

Determining the status of a user account


You can review the status of a user account from the CLI.

To determine the status of a user account:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aaa user_hist
If disabled appears in the history for an account, then the account is locked. If ok
appears in the history, then the account is unlocked.

Manually locking a user account


In addition to configuring AEM to automatically lock a user account after a specified
number of login attempts, an administrator can lock a user account manually. If you
manually lock a user account, then the user cannot log in with SSH key authentication or
password authentication until you re-enable the account.

To lock a user account manually:


n In the CLI, enter / services aaa disable_account username
username = The username of the account to lock.

Unlocking a user account


After a user is locked out of AEM, an administrator must unlock the account.
To unlock a user account:
n In the CLI, enter / services aaa enable_account username
username = The username of the account to unlock.

Note
In this case, they must reset their password to unlock their account. See “Enabling or
disabling password expiration” on page 39.

Adding Users to User Groups


After you create a new user group, you can add users to it.


You can also add local users to existing user groups on the User Accounts page in the AEM
user interface. See “Adding and Editing Local User Accounts” on page 42.

For information about user groups, see “About User Groups” on page 29.

Viewing the list of configured users


Before you add a new user, you might want to view the list of current users.

To view a list of users:


1. Log in to the CLI with your administrator user name and password.
2. Enter / services aaa local show

Adding a user to a user group


To add a local user to a user group:
n In the CLI, enter / services aaa local add user_name group_name
user_name = the name of the user to add
group_name = the name of the group to assign the user to

Changing an existing user’s group


To change the user group to which a local user belongs:
n In the CLI, enter / services aaa local privilege user_name group_name
user_name = the name of the user
group_name = the new group to add the user to

Setting the Authentication Method for RADIUS and TACACS+
If you authenticate your users with the RADIUS or TACACS+ authentication service, then
you must specify which authentication method you use. If you use multiple methods, you
also specify the order in which AEM should try each method. AEM tries each method
according to the order in which you list them, until one method succeeds or until they all
fail.

If you do not set any authentication method, then the system uses local authentication.

After you set the authentication method, you configure the integration between AEM and
the authentication server. See “Configuring TACACS+ Integration” on page 53 or
“Configuring RADIUS Integration” on page 51.

About the default user group


By default, any user who is not assigned to a user group on the RADIUS or TACACS+
server is assigned to the predefined system_user group in AEM. If the system_user
group’s authorizations are inappropriate for your RADIUS or TACACS+ users, then you can
change the default group to which they are assigned.

See “Changing the Default User Group for RADIUS and TACACS+” on page 51.


Setting the authentication method


To set the authentication method:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aaa method set {local | radius | tacacs}
{local | radius | tacacs} = Type one or more of these methods in the order in
which AEM should use them to authenticate. Type a space between each
method.
Important
If you want the system to perform both RADIUS authentication and local
authentication, then you must explicitly set both methods.

Setting an exclusive authentication method


If you set multiple authentication methods, but you want a user to be able to log in with
one method only, then you enable the exclusive method. With the exclusive method, after
a user logs in successfully with one method, AEM does not try to authenticate using any
of the other specified methods.

Also, if AEM connects to an authentication server, but the user cannot log in, then the
user cannot log in with any method. AEM tries to authenticate with the next listed method
only if the server is unreachable on the network.

To set the method as exclusive:


n In the CLI, enter / services aaa method exclusive enable
If the method is “tacacs local” and you make it exclusive, then at least one user with
administrative privileges must be defined both locally and on TACACS+. Otherwise,
local administrative users cannot log in to AEM.
For example, if the only privileged user on example.com is “admin”, but an “admin”
user is not defined in TACACS+, then “admin” cannot log in to example.com. The only
way “admin” can log into example.com is by making the TACACS+ server unavailable
(for example, by unplugging the network).
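The method order and the exclusive setting described above, as an added model (not AEM code): each backend is a constructed stub that is either reachable or not and holds made-up users, and the "tacacs local" lock-out case from the text is reproduced so the two outcomes (TACACS+ reachable versus unreachable) can be compared.

```python
# Added example: a model of AEM's ordered authentication methods and the
# exclusive setting, as described in this section. Not AEM code; the backends
# and their user tables are constructed for illustration.
from dataclasses import dataclass, field

OK, REJECT, UNREACHABLE = "ok", "reject", "unreachable"


@dataclass
class Backend:
    """A stand-in for one authentication method (local, radius or tacacs)."""
    name: str
    reachable: bool = True
    users: dict = field(default_factory=dict)  # username -> password (constructed)

    def authenticate(self, user, password):
        if not self.reachable:
            return UNREACHABLE
        return OK if self.users.get(user) == password else REJECT


def login(methods, user, password, exclusive=False):
    """Try each configured method in order.

    Returns (success, deciding_method, trace). Without exclusive, a rejection
    falls through to the next method until one succeeds or all fail. With
    exclusive, a reachable server that rejects the user ends the attempt; only
    an unreachable server falls through to the next method.
    """
    trace = []
    for backend in methods:
        outcome = backend.authenticate(user, password)
        trace.append((backend.name, outcome))
        if outcome == OK:
            return True, backend.name, trace
        if outcome == REJECT and exclusive:
            return False, backend.name, trace
    return False, None, trace


def tacacs_local_scenario(tacacs_reachable, exclusive=True):
    """The 'tacacs local' case from the text: 'admin' is defined locally only."""
    tacacs = Backend("tacacs", reachable=tacacs_reachable, users={"alice": "tacacs-pw"})
    local = Backend("local", users={"admin": "local-pw", "alice": "old-local-pw"})
    return login([tacacs, local], "admin", "local-pw", exclusive=exclusive)


if __name__ == "__main__":
    for reachable in (True, False):
        ok, method, trace = tacacs_local_scenario(reachable)
        print(f"TACACS+ reachable={reachable}: success={ok} via {method}, trace={trace}")
```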

Configuring the accounting levels


You can configure the accounting settings for each authentication method. Use local and
TACACS+ accounting to track and log software logins, configuration changes, and
interactive commands. Use RADIUS accounting to track software logins. This logging
applies to activities in the command line interface (CLI) only.

To configure the accounting level:


1. In the CLI, enter / services aaa {local | radius | tacacs} accounting set
level {none | login | change | commands}
{local | radius | tacacs} = the authentication method for which to
configure the accounting level
{none | login | change | commands} = the accounting level; specify one level
per authentication method
none — (default) disables account tracking
login — tracks logins to AEM
change — (TACACS+ only) tracks configuration changes
commands — (TACACS+ only) tracks the use of CLI commands


2. Repeat the step above for each additional authentication method that you want to
set.

Setting the AEM User Group for RADIUS Users


When a RADIUS user logs in to AEM, AEM connects to the RADIUS authentication server. If
the server can authenticate the user, then it sends the AEM user group that you defined
for that user. AEM logs in the user with the access authorizations that are associated with
the group.

You set the AEM user group for RADIUS users on the RADIUS server. To do so:

1. Set an Arbor-Privilege-Level attribute that has the user group name as its value.
You can specify any of the predefined AEM user groups or a custom user group. See
“About User Groups” on page 29.
For example, you can set the AEM user group on the RADIUS server to one of the
following values:
n Arbor-Privilege-Level = system_user

n Arbor-Privilege-Level = system_none
2. For the RADIUS server to interpret the Arbor-Privilege-Level attribute, add the
following lines to the RADIUS dictionary file:
VENDOR Arbor 9694
ATTRIBUTE Arbor-Privilege-Level 1 string Arbor

Any user who is not assigned to a user group on the authentication server is assigned to
the default user group in AEM. Initially, the default user group is the predefined group
system_user. If the system_user group is inappropriate for those users, then you can
change the default group to which they are assigned. See “Changing the Default User
Group for RADIUS and TACACS+” on the next page.

Additional tasks are required for completing the integration with RADIUS. See “Integrating
AEM with RADIUS or TACACS+” on page 29.

Setting the AEM User Group for TACACS+ Users


When a TACACS+ user logs in to AEM, AEM connects to the TACACS+ authentication
server. If the server can authenticate the user, then it sends the AEM user group that you
defined for that user. AEM logs in the user with the access authorizations that are
associated with the group.

You set the AEM user group for TACACS+ users on the TACACS+ server. To do so:
n Set an arbor service with an arbor_group attribute that has the user group name as its
value. You can specify any of the predefined AEM user groups or a custom user group.
See “About User Groups” on page 29.
For example, you can set the AEM user group on the TACACS+ server as follows:
service = arbor { arbor_group = system_user }
or
service = arbor { arbor_group = system_none }

Any user who is not assigned to a user group on the authentication server is assigned to
the default user group in AEM. Initially, the default user group is the predefined group
system_user. If the system_user group is inappropriate for those users, then you can
change the default group to which they are assigned. See “Changing the Default User
Group for RADIUS and TACACS+” below.

Additional tasks are required for completing the integration with TACACS+. See
“Integrating AEM with RADIUS or TACACS+” on page 29.

Changing the Default User Group for RADIUS and TACACS+


If you use RADIUS or TACACS+ to authenticate AEM users, then you must specify the user
group for the AEM users on the respective RADIUS server or TACACS+ server. Any user
who is not assigned to a user group on the RADIUS server or TACACS+ server is assigned
to the default user group in AEM.

Initially, the default user group is the predefined group system_user.


n If you want the RADIUS users or TACACS+ users with no group assignment to have
access to AEM, then either accept the default user group or change it. You can specify
any group for these users, including a custom group.
n If you want to deny AEM access to RADIUS users or TACACS+ users with no group
assignment, then change the default group to system_none.

For information about the predefined AEM user groups, see “About User Groups” on
page 29.

Additional tasks are required for completing the integration with RADIUS or TACACS+. See
“Integrating AEM with RADIUS or TACACS+” on page 29.

Changing the default user group


To change the default user group for RADIUS or TACACS+:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aaa groups default set group_name
group_name = the name of the group to set as the default
3. To save the configuration, enter / config write

Configuring RADIUS Integration


AEM can perform static password authentication with RADIUS. This optional feature
integrates AEM with your existing RADIUS implementation. RADIUS authentication is
available for CLI connections through SSH, and web interface access through HTTPS.

Important
To use RADIUS for authentication, you must specify RADIUS as the authentication
method. Otherwise, the system uses local authentication. See “Setting the
Authentication Method for RADIUS and TACACS+” on page 48.

About the authentication servers


You can integrate AEM with a primary server and a backup server. When AEM connects, it
tries to connect to the primary server, and then to the backup server. If both of the
servers are unreachable, then AEM tries the next configured authentication method, if
any.

Adding a RADIUS server


You can add a RADIUS server for authentication or accounting.

To add a RADIUS server:


1. Log in to the CLI with your administrator user name and password.
2. Enter the following command:
/ services aaa radius {server | accounting} set {primary | backup} IP_address
{encrypted | unencrypted} secret [port]
{server | accounting} = the type of server to configure; for an authentication
server, enter server
{primary | backup} = the server to configure
IP_address = the IP address or hostname of the primary server or backup server
{encrypted | unencrypted} = indicates whether the secret that you enter is
encrypted or unencrypted
secret = The secret that AEM uses to communicate with the authentication
server. For security purposes, use a secret that contains a variety of characters.
[port] = (Optional) If you do not want to use the default RADIUS port, then
specify the port on which AEM communicates with the RADIUS server. For a list of
the default ports, see “AEM Communication Ports” on page 355.
3. Repeat step 2 for any additional server that you want to configure.

Setting the number of retries and the timeout period


The retries setting specifies the number of times that AEM tries to authenticate after the
first attempt fails. The timeout period specifies the length of time AEM waits for a
connection before AEM tries to connect to the specified backup server.

You only need to configure these settings if you want to change the default values. The
default number of retry attempts is 2 and the default timeout period is 2 seconds.

To change the number of retries and the timeout period:


1. In the CLI, enter / services aaa radius retries set number
number = the number of times (1 - 60) that AEM tries to authenticate after the first
attempt fails
2. Enter / services aaa radius timeout set number
number = the number of seconds (1 - 60) that AEM waits for a connection before it
tries the backup server

To revert to the default settings for the number of retries and the timeout period:
1. In the CLI, enter / services aaa radius {retries | timeout} clear
{retries | timeout} = specifies the setting to clear
You can specify only one of these settings per command.
2. (Optional) Repeat the first step to clear the other setting.

Configuring a Network Access Server identifier


The Network Access Server (NAS) identifier is a string that identifies the NAS that
originates an access request.


To configure a NAS identifier:


n In the CLI, enter / services aaa radius nas_identifier set string
string = an ASCII string of up to 253 characters

Clearing the NAS identifier


To clear the NAS identifier:
n In the CLI, enter / services aaa radius nas_identifier clear

Viewing the current RADIUS configuration


To view the current RADIUS configuration:
n In the CLI, enter / services aaa radius show

Configuring TACACS+ Integration


AEM can perform static password authentication with an existing TACACS+
implementation. TACACS+ authentication is available for CLI connections through SSH,
and web interface access through HTTPS.

Important
To use TACACS+ for authentication, you must specify TACACS+ as the authentication
method. Otherwise, the system uses local authentication. For information, see “Setting
the Authentication Method for RADIUS and TACACS+” on page 48.

About the authentication servers


You can integrate AEM with a primary server and a backup server. When AEM connects, it
tries to connect to the primary server, and then to the backup server. If both of the
servers are unreachable, then AEM tries the next configured authentication method, if
any.

Adding a TACACS+ server


To configure a TACACS+ server:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aaa tacacs server set {primary | backup} IP_address
port {encrypted | unencrypted} secret
{primary | backup} = the authentication server to configure
IP_address = the IP address or hostname of the primary server or backup server
port = the port on which AEM should communicate with the TACACS+ server
You must specify a TCP port.
{encrypted | unencrypted} = indicates whether the secret that you enter is
encrypted or unencrypted
secret = The secret that AEM uses to communicate with the authentication
server. For security purposes, use a secret that contains a variety of characters.


Setting the timeout period


The timeout period specifies the length of time AEM waits for a connection before it tries
to connect to the specified backup server.
You only need to configure this setting if you want to change the default value. The
default timeout is 2 seconds.
To set the timeout period:
n In the CLI, enter / services aaa tacacs timeout set number
number = the number of seconds (1 - 60) that AEM waits for a connection before it
tries the backup server

Reverting to the default timeout period


To revert to the default timeout:
n In the CLI, enter / services aaa tacacs timeout clear

Configuring password expiration notifications


You can configure AEM to display a warning message in the UI when a user’s TACACS+
password is about to expire. Users with expired passwords cannot log in to AEM.
To configure notifications for passwords that are expiring:
n In the CLI, enter / services aaa tacacs tacpass_expiry_notify {enable |
disable}
{enable | disable} = specifies whether to enable or disable the notifications

Viewing the current TACACS+ configuration


To view the current TACACS+ configuration:
n In the CLI, enter / services aaa tacacs show

About HTTP Header-Based Authentication


You can configure AEM to allow single sign-on using HTTP header authentication. HTTP
header authentication is an authorization mechanism that uses an HTTP header value to
specify an AEM user name.

To allow HTTP header-based authentication, you use the command line interface (CLI). In
the CLI, you define an HTTP header and add the remote access rules to limit the IP
addresses that can connect through single sign-on. You also can define a URL for the
redirection of invalid users. See “Configuring HTTP Header-Based Authentication for
Single Sign-on” on the next page.

Note
This single sign-on is not related to the single sign-on that allows automatic logins to
managed devices from AEM.

About the web proxy


When you use HTTP header authorization, the users who log in to AEM are authenticated
by a web proxy. The web proxy inserts a header that contains the user name into the
request that the user’s browser sends to AEM. On receipt of the request, AEM accepts the
header-specified user as authenticated. After the initial login with their AEM credentials,
the authorized users can access AEM without re-entering those credentials.

About access limitation and web proxy security


To limit the IP addresses that can connect to AEM through HTTP header authentication,
you enable and configure remote access rules for one or more web proxy servers. The
remote access rules provide additional security by limiting header spoofing: because
AEM accepts the header value as proof of identity, any client that can reach AEM directly
could otherwise insert the header itself and log in as any existing AEM user. Enable the
rules, list only the proxy addresses, and make sure that users cannot reach the AEM UI
except through the proxy.

When an authorized user accesses the AEM UI, the system verifies that the web proxy IP
address is on the remote address list. If the IP address is not on this list, then the single
sign-on does not work.

If you configure a redirection URL, then the system redirects users to that URL when the
single sign-on fails. Otherwise, the system prompts for a user name and password.

How the single sign-on works


The first time that a user logs in to the AEM UI with single sign-on, the web proxy
performs the following actions:
1. Intercepts the HTTPS communication that is sent to AEM.
2. Displays an HTML page that prompts the user to enter an AEM user name and
password for authentication.
3. Sets the HTTP header value according to the information that the user entered.
4. Logs the user in to the AEM UI.

After the initial login, whenever an authorized user requests web access to AEM, the web
proxy server passes the HTTP header value with the user name. AEM verifies that the
HTTP header value is the value that the user originally entered.

If the HTTP header value changes, then the user is redirected to another URL, if a URL is
configured. If a redirection URL is not configured, then AEM prompts for a user name and
password.

Configuring HTTP Header-Based Authentication for Single Sign-on
You can configure AEM to use HTTP header authentication to allow single sign-on. With
HTTP header authentication, authorized users do not have to re-enter their credentials to
log in to the AEM UI.

To allow HTTP header-based authentication, you use the command line interface (CLI). In
the CLI, you define an HTTP header and add the remote access rules to limit the IP
addresses that can connect through single sign-on. You also can define a URL for the
redirection of invalid users.

See “About HTTP Header-Based Authentication” on the previous page.

Requirement
Each user who will access AEM through HTTP header authorization must have an AEM
user account. See “Adding and Editing Local User Accounts” on page 42.

Configuring HTTP header-based authentication


To configure HTTP header-based authentication:

1. On the AEM, log in to the CLI with your administrator user name and password.
2. So that you do not have to type long commands in the following steps, enter /
services aem sso
3. To enable the HTTP header-based authentication, enter enable
4. Enter http_header header set http_header
http_header = a valid HTTP header name
5. To configure access limiting, enable and add the remote access rules for a web proxy
server as follows:
a. To enable the remote access rules, enter http_header remote_address enable
b. To add the remote access rules, enter http_header remote_address add
proxy_address
proxy_address = the IP address or the CIDR block for the web proxy server
that is allowed to communicate with AEM
c. To add remote access rules for additional web proxy servers, repeat the
http_header remote_address add proxy_address command for each proxy server.
Important
If you enable the remote access rules, then the single sign-on is allowed only for
addresses that are specified in this access list.
6. (Optional) To redirect invalid users, enter http_header header invalid_user set
URL
URL = the URL to which invalid users are redirected
If a URL contains a question mark (?), then wrap the URL in quotation marks (" ").
The use of quotation marks prevents the system from interpreting the ?
character as a request to access the CLI help.
Note
If you do not configure a URL and an invalid user tries to use single sign-on, then
AEM prompts for a user name and password.
7. To verify the configuration, enter show
8. To save the configuration, enter / config write

Deleting remote access rules


For the access limiting to work, it must be enabled and one or more web proxies must be
defined.

If necessary, you can delete the remote access rule for a web proxy server. To do so:
n Enter / services aem sso http_header remote_address delete proxy_address
proxy_address = the IP address or the CIDR block for the web proxy server that is
allowed to communicate with AEM
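
The following Python script is an added illustration, not part of the AEM guide or the
NetScout product. It models the decision that the single sign-on description and the
configuration steps above imply: a request carries the configured header, the source
address is checked against the remote address list, and a failed single sign-on either
redirects or falls back to the password prompt. The header name X-Remote-User, the
local account names, the proxy and client addresses, and the redirect URL are
constructed assumptions. The last case in demo() shows why the remote access rules
matter: with the list disabled, a header forged by a client that reaches AEM directly is
accepted.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed local AEM accounts; the guide requires every SSO user to have one.
LOCAL_USERS = frozenset({"alice", "bob"})


@dataclass
class SsoConfig:
    """One field per setting made under / services aem sso (field names are assumptions)."""
    enabled: bool = True                                       # enable
    header_name: str = "X-Remote-User"                         # http_header header set <name>
    remote_address_enabled: bool = False                       # http_header remote_address enable
    remote_addresses: List[str] = field(default_factory=list)  # http_header remote_address add <CIDR>
    invalid_user_url: Optional[str] = None                     # http_header invalid_user set <URL>


def source_allowed(cfg: SsoConfig, source_ip: str) -> bool:
    """True if the connection comes from a listed proxy, or if the list is disabled."""
    if not cfg.remote_address_enabled:
        return True
    addr = ipaddress.ip_address(source_ip)
    # An IPv4 address never matches an IPv6 network and vice versa.
    return any(addr in ipaddress.ip_network(cidr, strict=False)
               for cidr in cfg.remote_addresses)


def decide(cfg: SsoConfig, source_ip: str, headers: Dict[str, str],
           local_users=LOCAL_USERS) -> Tuple[str, Optional[str]]:
    """Outcome for one request: ("sso", user), ("redirect", url) or ("prompt", None)."""
    # HTTP header names are case-insensitive, so normalize before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    user = lowered.get(cfg.header_name.lower())

    # No header (or SSO disabled): an ordinary login, so show the password prompt.
    if not cfg.enabled or user is None:
        return ("prompt", None)

    # A failed single sign-on redirects when a URL is configured, otherwise prompts.
    failure = (("redirect", cfg.invalid_user_url) if cfg.invalid_user_url
               else ("prompt", None))

    # The header is trusted only when a listed web proxy inserted it.
    if not source_allowed(cfg, source_ip):
        return failure
    # The named user must exist as an AEM account.
    if user not in local_users:
        return failure
    return ("sso", user)


def demo() -> List[Tuple[str, Optional[str]]]:
    """Cases to verify after configuring SSO (addresses and URL are constructed)."""
    locked = SsoConfig(remote_address_enabled=True,
                       remote_addresses=["10.0.0.0/24", "2001:db8:1::/64"],
                       invalid_user_url="https://sso.example.net/denied")
    unlocked = SsoConfig()  # remote_address never enabled
    proxy_header = {"X-Remote-User": "alice"}
    return [
        decide(locked, "10.0.0.5", proxy_header),                       # listed proxy: SSO
        decide(locked, "192.0.2.10", proxy_header),                     # forged header: redirect
        decide(locked, "2001:db8:1::7", {"x-remote-user": "mallory"}),  # no AEM account
        decide(locked, "10.0.0.5", {}),                                 # no header: prompt
        decide(unlocked, "192.0.2.10", proxy_header),                   # list off: forgery accepted
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The model deliberately treats "no header" as an ordinary login rather than a failure,
matching the note in step 6 that an invalid user without a configured URL is simply
prompted for credentials; what it cannot model is the network path, so the check that
users cannot bypass the proxy has to be made in your firewall rules, not here.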

Section 4:
Configuring AEM

This section describes how to set up the basic components of AEM.

In this section
This section contains the following topics:

Configuring General Settings 57
Configuring SNMP Polling 58
Configuring the Audit Trail Settings 60
Configuring the Syslog Destination for the Audit Trail 61
Configuring System Alerts 61
Configuring Remote Backup Settings 63
Using a Custom SSL Certificate for User Authentication 65
Adding a Custom Logo to the UI 66

Configuring General Settings


The general settings define the servers that AEM interacts with as well as other system
preferences, such as the system date format.

Configuring General Settings


To configure the general settings:
1. Select Administration > General.
2. On the Configure General Settings page, configure the settings. See “General Settings”
on the next page.
3. Click Save.
4. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.


General Settings
Details about General Settings

DNS box: Type the IP addresses of your DNS servers, to map IP addresses to
hostnames in AEM. Type multiple servers as a comma-separated list of IP addresses.
AEM tries to connect to the first IP address in the list as the primary name server.
If that address fails, then AEM tries the subsequent addresses in the list as backup
name servers.

SMTP Server box: Type the IP address or domain name for the SMTP server that AEM
uses to send email notifications. You can specify one SMTP server.

SNMP Agent Community box: Type the community string (password) to authenticate the
external sources that poll AEM through SNMP. The maximum length of this string is 32
characters. You can use any characters except the following:
n quotation mark (")
n apostrophe (‘)
n backslash (\)
n pipe (|)
n tab
See “Configuring SNMP Polling” below.

Default URL Hostname box: Type a hostname or a fully qualified domain name that
appears as a link in the notifications and emails that originate from AEM. For
example, system.example.com. AEM also uses this URL as the “from” address when you
send an email message that contains a PDF of a UI page.

Date Format list: Select the format in which to display dates throughout the
system:
n mm/dd/yy (month/day/year)
n dd/mm/yy (day/month/year)
n yy/mm/dd (year/month/day)

Configuring SNMP Polling


AEM supports polling by third-party SNMP monitoring systems, which allows you to fit
your AEM workflow into existing network monitoring tools. These monitoring tools can
poll AEM for management information such as the system status and configurations.

The SNMP agent runs only when the AEM services run. When you stop the services, SNMP
is not available.


Configuring AEM for SNMP polling


AEM supports SNMPv1 and SNMPv2c for remote SNMP polling. To enable SNMP polling,
configure the following settings:

Process for configuring SNMP

Step 1: Set a community string to authenticate the external sources that poll AEM.
In the UI, on the Configure General Settings page, type a string in the SNMP Agent
Community box. See “About the SNMP Agent Community string” below.

Step 2: Create an IP access rule to allow SNMP access to AEM.
To create an IP access rule:
1. Log in to the CLI with your administrator user name and password.
2. To create an IP access rule to allow SNMP access, enter / ip access add snmp
{mgt0 | mgt1 | all} CIDR
{mgt0 | mgt1 | all} = the name of the management interface on which to apply the
rule exclusively, or all to apply the rule to all of the interfaces
CIDR = the address range from which you want to allow communications to the
service
Caution
We strongly recommend that you do not use 0.0.0.0/0 or ::/0, because these address
ranges allow unrestricted access to a service. To restrict access, specify the
narrowest address range that you can.
3. Type ip access commit, and then press ENTER.
4. To save the configuration, enter / config write

About the SNMP traps that AEM sends


AEM can send notifications to a network management system as SNMP traps. See “About
Notifications” on page 78.

SNMP MIB files can help you decode the SNMP traps that AEM sends for notifications. The
MIB files can also help you understand the OIDs (object identifiers) that can be queried on
AEM. You can download and view the MIB files from the Files page (Administration >
Files). See “Managing the Files on AEM and Managed Devices” on page 336.

About the SNMP Agent Community string


External sources can poll AEM through SNMP for the following system status and
configuration information:
n Disk Space Free/Used
n AEM configuration

If you want to limit the external sources that can use SNMP to poll AEM, then configure a
unique SNMP Agent Community string. This string is used to authenticate external
sources. See “Configuring General Settings” on page 57.

Because AEM supports only SNMPv1 and SNMPv2c, the community string crosses the
network in cleartext and is the only credential that a poller presents. Treat it as a
shared secret (never public or private), and rely on the SNMP IP access rule rather
than the string alone to restrict which systems can poll AEM.

Configuring the Audit Trail Settings


When you make a change in the AEM UI, the Audit Trail window appears and prompts you
to describe the change. By default, the Audit Trail window appears for all changes and
does not include a default change message. On the Audit Trail page, you can specify a
default change message and enable or disable the Audit Trail window for certain changes
or all changes.

The Audit Trail page also allows you to view the audit trail log. See “Viewing the Audit Trail
Log” on page 320.

For general information about the audit trail, see “About the Audit Trail” on page 318.

Changing the Audit Trail default settings


To change the default settings for the audit trail:
1. Select Administration > Audit Trail.
2. On the Audit Trail page, select the Audit Settings tab.
3. (Optional) In the Change Message box, type a default change message that appears
in the Audit Trail window whenever a user makes a change.
When the Audit Trail window appears to users, they can accept this default message,
add to it, or override it by typing new text.
4. In the list of settings, choose one of the following options:
n To enable or disable the Audit Trail window for all changes, for the Globally
enable or disable the audit trail dialogs setting, select Enable or Disable.
n To enable or disable the Audit Trail window for individual changes, for each
setting, select Show or Don’t Show.

5. Click Save.
6. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Disabling the Audit Trail window


If you disable the Audit Trail window for a specific change, then the window does not
appear when users make that type of change. The system still logs the changes but it
does not include any change messages.

Additional audit trail configuration


In the command line interface (CLI), you can configure a syslog destination, to which you
can export audit trail entries.
See “Configuring the Syslog Destination for the Audit Trail” on the next page.


Configuring the Syslog Destination for the Audit Trail


The audit trail records all of the changes that are made in AEM. You can export the audit
trail entries as syslog messages to an external system by defining a syslog destination.
You configure the syslog destination in the command line interface (CLI).

You configure the audit trail settings and view the audit trail in the UI. See “About the
Audit Trail” on page 318.

Configuring the syslog destination for audit trail entries


To configure the syslog destination to which your audit trail entries are sent:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aem audit syslog set destination_IP_address severity
facility_code
destination_IP_address = the syslog host IP address
severity = one of the following severity levels, which will be associated with the
audit trail entries that are sent to the syslog:
emerg = (emergency) The system is unusable.
alert = Requires immediate action.
crit = Critical condition.
err = Error condition.
warning = Warning condition.
notice = Normal but significant condition.
info = Informational message. This option is the one that is most likely to be
used for audit trail entries.
debug = Debug-level message.
facility_code = (Optional) Specify a syslog facility value to indicate the source
of the message as defined in the syslog protocol RFC 3164. To view a list of the
facility codes, type ? at the end of the command, after severity.
RFC 3164 syslog provides no authentication, integrity protection, or encryption, so
send audit entries only across a management network that you control, and keep the
audit trail in the AEM UI as the record of reference.
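
As an added illustration (not from the AEM guide; AEM’s actual audit message format is
not documented on this page), the following Python script shows how the severity and
facility_code that you choose combine into the RFC 3164 PRI value that a receiving
syslog server uses to route the entry, and how a collector decodes that value again. The
message body, the aem-audit tag, the hostname, and UDP port 514 are assumptions made
for the example.

```python
import socket
from datetime import datetime
from typing import Dict, Optional

# Severity keywords accepted by the CLI command, in RFC 3164 numeric order (0-7).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 facility codes 0-23, with the names most syslog daemons use for them.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(value: int):
    """Inverse of pri(): recover the facility and severity names from a PRI value."""
    if not 0 <= value <= 191:
        raise ValueError(f"PRI out of range: {value}")
    return FACILITIES[value // 8], SEVERITIES[value % 8]


def build_audit_message(user: str, change_message: str, severity: str = "info",
                        facility: str = "local0", hostname: str = "aem",
                        ts: Optional[datetime] = None) -> str:
    """Format one audit entry as an RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG.

    The TAG and body layout are assumptions for this example, not AEM's own format.
    """
    ts = ts or datetime.now()
    # The RFC 3164 timestamp is "Mmm dd hh:mm:ss" with a space-padded day.
    timestamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return (f"<{pri(facility, severity)}>{timestamp} {hostname} "
            f"aem-audit: user={user} msg={change_message}")


def parse_syslog(line: str) -> Dict[str, str]:
    """Split a received RFC 3164 line the way a collector does before filtering."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI field")
    close = line.index(">")
    facility, severity = decode_pri(int(line[1:close]))
    rest = line[close + 1:]
    timestamp, remainder = rest[:15], rest[16:]   # 15-character timestamp, one space
    hostname, _, msg = remainder.partition(" ")
    return {"facility": facility, "severity": severity, "timestamp": timestamp,
            "hostname": hostname, "msg": msg}


def send_udp(line: str, destination: str, port: int = 514) -> None:
    """Deliver one line over UDP (514 is the conventional syslog port; assumed here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (destination, port))


def sample_message() -> str:
    """A constructed audit entry with a fixed timestamp so the output is reproducible."""
    return build_audit_message("alice", "Enabled SNMP polling", hostname="aem01",
                               ts=datetime(2024, 1, 5, 9, 3, 7))


if __name__ == "__main__":
    line = sample_message()
    print(line)
    print(parse_syslog(line))
```

Choosing info with local0 yields PRI 134, which is why a collector rule that matches
local0.info is the usual way to separate AEM audit entries from everything else the
same host sends; choosing a facility that your servers already use for another source
makes that separation harder, not easier.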

Clearing the audit trail syslog destination


To clear the syslog destination for the audit trail:
n In the CLI, enter / services aem audit syslog clear

Configuring System Alerts


AEM monitors certain system events and creates alerts when those events occur. AEM
events are predefined and you cannot add or delete them. However, you can enable or
disable them, change their severity levels, and configure their notification settings. You
edit the alert settings for system events on the Configure System Alerts page
(Administration > System Alerts).

Note
The alert settings that you configure apply to future alerts only. They do not apply to
alerts that AEM has already generated.


Types of system events


AEM monitors the following system events:

Types of system events

Device Deny List/Allow List Table Full: A managed device reaches the capacity for a
deny list or allow list. See “About the Capacity of the Deny List and Allow List” on
page 170.

Device Up/Down: A managed device changes state.

Misc. System: AEM detects health-related system behaviors. These events may
represent normal behaviors or abnormal behaviors; for example, a managed device
synchronization or an SMTP failure on AEM.

Before you configure alerting for system events


If you want to send notifications when these system events occur, then you first must
configure at least one notification. A notification defines the users and the systems to
notify when these system alerts occur.

For example, if you want to send notifications as syslog messages to an external system,
then configure a syslog notification. When you configure the alert settings, you select the
syslog notification as its destination.

See “Configuring Notifications” on page 80.

Configuring system alerts


To configure system alerts:
1. Select Administration > System Alerts from the menu.
2. On the Configure System Alerts page, select the event to configure in one of the
following ways:
n Click the Edit button for the alert.
n Click the name of the alert.
3. In the Configure window, configure the following settings:


Notification Enabled options: Select Yes to enable notifications for this alert.
Select No to disable the notifications. By default, notifications are disabled for
all of the system alerts.
Note
The notifications for Device Up/Down events may be delayed by up to five minutes.
This delay occurs because AEM waits to make sure that a managed device is down and
not experiencing a temporary connection issue.
If you do not enable notifications, then you do not have to configure the remaining
settings.

Severity level: Select the severity level to assign to this system alert, where 1 is
the least severe and 10 is the most severe. See “About system alert severity levels”
on page 290.

Notification Destinations list: This section displays all of the notification
destinations that are defined in AEM. To indicate which destinations should be
notified when this alert occurs, select the check boxes for one or more of the
destinations. If there are no notification destinations, then you need to define at
least one notification. See “Configuring Notifications” on page 80.

4. Click Save.
5. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Configuring Remote Backup Settings


You can manage remote backups for AEM configuration settings and data on the Backup
Settings page.
Note
You also can run local backups. See “Running a Local Backup Manually” on page 340.

Types of backups
AEM supports the following types of backups:
n remote backups that you run on a recurring backup schedule or that you run manually
n local backups that run automatically every night at midnight or that you run manually

For more information about these types of backups, see “About AEM Backups” on
page 339.

About restoring backup data


To restore AEM from a backup, you must use the command line interface (CLI).

See “Restoring AEM from a Backup” on page 341.


Specifying a remote backup schedule


To specify a remote backup schedule:
1. Select Administration > Backup.
2. On the left side of the Backup Settings page, select Arbor Enterprise Manager
Configuration and Data. The amount of disk space that the data requires appears in
parentheses.
3. Configure the remote backup settings. See “Remote backup settings” below.
4. Click one of the following buttons:
n Test Connection — To test the connection settings for the copy method without
saving the settings. See “Testing the connection to the backup server” on the next
page.
n Save and Run — To test the connection, save the settings, and then begin the
backup.
n Save — To save the connection settings without testing them or beginning the
backup.
5. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Running a remote backup manually


To run a remote backup manually:
1. Select Administration > Backup.
2. On the left side of the Backup Settings page, select AEM Configuration and Data.
The amount of disk space that the data requires appears in parentheses.
3. Configure the appropriate remote backup settings. See “Remote backup settings”
below.
4. Click Save and Run.
5. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Remote backup settings


You configure the settings for a remote backup as follows:

Settings for scheduling a recurring remote backup

Schedule remote backups to occur section: Select the backup frequency (Daily or
Weekly), and then select the time of day at which the backup should begin.

Host box: Type the hostname or IP address of the server on which to store the
backups.

Port box: Type the port on the backup server to which AEM connects. The default
port is 22.

Directory box: Type the path to the target directory on the backup server. The
following guidelines apply:
n Use an absolute path. The path must start with a forward slash (/) and use / as a
directory separator.
n The path may include alphabetic and numeric characters.
n The path may include the following special characters only: forward slash (/),
hyphen (-), period (.), and underscore (_).

Username box: Type the user name with which to authenticate on the backup server.

Authentication list: For an SCP backup, select the authentication method: Password
or RSA Key. Prefer RSA Key: the private key never leaves AEM, and the backup account
needs no password that AEM must store. Give that account write access to the target
directory only, because the backups contain the AEM configuration.

Password box and Confirm box: If you select Password authentication, then type the
password and then re-type the password to confirm it.

Generate Key button and Download Public Key button: If you select RSA Key
authentication and a key has not been generated, then click Generate Key to
generate one. If an RSA key has been generated, then click Download Public Key to
download a copy of the public key, which you install for the backup user on the
backup server.

Testing the connection to the backup server


When you test the connection to the backup server, AEM tries to copy a file to the location
that you configured on the backup server. Then AEM tries to remove the file from the
backup server. When the test is finished, a message reports the results.
To test the connection to the backup server:
1. Select Administration > Backup.
2. On the Backup Settings page, click Test Connection.

Using a Custom SSL Certificate for User Authentication


By default, AEM uses a self-signed SSL certificate for connections to the UI. If necessary,
you can upload a custom certificate and its certificate authority (CA) file to comply with
your company’s security policies and prevent browser errors. You do so on the Manage
Files page.

See “About the Files Page” on page 334.


Custom SSL certificate requirements


If you want to use a custom SSL certificate to connect to the UI, then the certificate
files must meet the following requirements:
n The SSL file and CA file must be PEM-encoded (Privacy Enhanced Mail).
n The SSL file must contain the certificate and the private key that was used to
create the certificate.
n The SSL file and CA file cannot be password protected.
Because the SSL file carries the unencrypted private key, transfer it to the upload
location over a protected channel and delete the working copy after the upload
succeeds.
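
The following Python pre-flight check is an added example, not part of the AEM guide,
that tests an SSL file and a CA file against the three requirements above before you
upload them: PEM encoding, a certificate plus exactly one private key in the SSL file,
and no password-protected key. It uses only the standard library and inspects PEM
labels and headers rather than parsing the key material; the embedded sample files are
constructed placeholders, not real keys or certificates.

```python
import re
from typing import List, Tuple

# A PEM block: the label, then everything up to the matching END line. The body may
# begin with RFC 1421 headers (Proc-Type, DEK-Info) when a legacy key is encrypted.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, body) for every PEM block in the file, in order."""
    return PEM_BLOCK.findall(text)


def is_encrypted(label: str, body: str) -> bool:
    """PKCS#8 encrypted keys use their own label; legacy keys carry a Proc-Type header."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def check_ssl_file(text: str) -> List[str]:
    """Problems that would make the SSL file unacceptable for the Upload SSL Cert step."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["not PEM-encoded: no -----BEGIN/END----- blocks found (DER or PKCS#12?)"]
    problems = []
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    if not certs:
        problems.append("no CERTIFICATE block in the SSL file")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if any(is_encrypted(label, body) for label, body in keys):
        problems.append("private key is password protected; re-export it unencrypted")
    return problems


def check_ca_file(text: str) -> List[str]:
    """Problems for the CA file: it must hold certificates only."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["not PEM-encoded: no -----BEGIN/END----- blocks found (DER or PKCS#12?)"]
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block in the CA file")
    if any(label in KEY_LABELS for label, _ in blocks):
        problems.append("CA file must not contain a private key")
    return problems


# Constructed placeholders: the base64 bodies are dummy text, not real key material.
_CERT = ("-----BEGIN CERTIFICATE-----\n"
         "MIIBconstructedCertificateBody==\n"
         "-----END CERTIFICATE-----\n")
_KEY = ("-----BEGIN PRIVATE KEY-----\n"
        "MIIEconstructedKeyBody==\n"
        "-----END PRIVATE KEY-----\n")
_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                  "Proc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
                  "\n"
                  "MIIEconstructedEncryptedBody==\n"
                  "-----END RSA PRIVATE KEY-----\n")

SAMPLE_SSL_OK = _CERT + _KEY             # certificate plus its unencrypted key
SAMPLE_SSL_ENCRYPTED = _CERT + _ENCRYPTED_KEY
SAMPLE_SSL_CERT_ONLY = _CERT             # key missing
SAMPLE_CA_OK = _CERT + _CERT             # intermediate plus root (constructed)


if __name__ == "__main__":
    for name, text in [("ssl ok", SAMPLE_SSL_OK), ("ssl encrypted", SAMPLE_SSL_ENCRYPTED),
                       ("ssl cert only", SAMPLE_SSL_CERT_ONLY)]:
        print(name, check_ssl_file(text) or "OK")
    print("ca ok", check_ca_file(SAMPLE_CA_OK) or "OK")
```

This catches the file-format mistakes that produce an upload error, but not a key that
belongs to a different certificate or a chain that does not verify. For those, follow it
with openssl on the real files: for an RSA key, compare the output of
openssl x509 -noout -modulus -in ssl.pem with openssl rsa -noout -modulus -in ssl.pem,
and run openssl verify -CAfile ca.pem ssl.pem before you upload.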

Uploading a custom SSL certificate


To upload a custom SSL certificate:
1. Place the files in a location that the AEM system can access.
2. Select Administration > Files.
3. On the Manage Files page, under SSL Certificate, click Upload SSL Cert.
4. In the Upload Certificate window, follow these steps:
a. Click Browse to locate a custom SSL certificate file.
b. Click Browse to locate the custom CA certificate file.
c. Click Upload.
5. In the confirmation window, click OK.
Note
Because you changed the SSL certificate during a session, most browsers display an
error message.
6. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
7. Log out of AEM, close your browser, and then restart your browser.

Reverting to the default AEM SSL certificate


This option is available only if someone previously uploaded a custom SSL certificate.
To revert to the AEM default SSL certificate:
1. Select Administration > Files.
2. On the Manage Files page, under SSL Certificate, click Use Default.
3. In the confirmation window, click OK.
4. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
5. Log out of AEM, close your browser, and then restart your browser.

Adding a Custom Logo to the UI


You can customize the appearance of the AEM UI by replacing the default AEM logo with
your custom logo. To do so, you upload the logo file on the Files page. When you upload a
custom logo, it appears in the UI.

The custom logo image must be in SVG format and the file must be smaller than 500 KB.


Note
For information about the other uses for the Files page, see “About the Files Page” on
page 334.

Uploading a custom logo


To upload a custom logo:
1. Select Administration > Files.
2. On the Manage Files page, in the Logo section, click Use Custom.
3. In the Upload Logo window, click Browse to locate and select the logo file.
4. Click Upload.
5. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
6. If the custom logo does not appear on the page, then refresh your browser.

To change to a different custom logo, you first must revert to the default logo, and then
perform these steps again.

Reverting to the default logo


This option is available only if someone previously uploaded a custom logo.

To revert to the default logo:


1. Select Administration > Files.
2. On the Manage Files page, in the Logo section, click Use Default.
3. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
4. If the default logo does not appear on the page, then refresh your browser.

Section 5:
Managing the ATLAS Intelligence Feed

This section describes how to use the ATLAS Intelligence Feed (AIF) to detect and stop
emerging botnet and application-layer attacks.

In this section
This section contains the following topics:

About the ATLAS Intelligence Feed 68
About the ATLAS Threat Policies 69
About the ATLAS Confidence Index 70
About Web Crawler Support 73
Configuring the ATLAS Intelligence Feed 74
Viewing the Status of ATLAS Intelligence Feed Updates 75
Viewing the AIF Traffic Statistics for a Protection Group 76

About the ATLAS Intelligence Feed


AEM, AED, and APS can leverage our global threat intelligence to protect your network
against the latest threats by using the ATLAS Intelligence Feed (AIF).

The AIF is a global service of the ATLAS Security Engineering and Response Team (ASERT).
The ASERT security researchers discover and analyze emerging threats and develop
targeted defenses, based on the data from the Active Threat Level Analysis System
(ATLAS). For more information about ASERT and ATLAS, visit
https://www.netscout.com/global-threat-intelligence.

The AIF profiles emerging threats to facilitate the detection and mitigation of DDoS
attacks, malware, and other security hazards to help ensure service availability and data
integrity.

About the AIF updates


ASERT frequently updates the feed to account for rapidly changing attacker behavior and
to provide more effective and accurate threat detection. The updates occur without
requiring any software upgrades, system downtime, or restarts.

When automatic AIF updates are enabled, AEM uses HTTPS to download the latest AIF
information at regular intervals.

You can change the frequency of the updates and you can force an update at any time.

About the AIF components


On AEM, the following components are provided with your AIF subscription:
n AIF Botnet Signatures
n Web crawler support
n Command and Control threat category
n DDoS Reputation threat category
n Email Threats threat category
n IP location data
n Location-based Threats threat category
n Malware threat category
n Mobile threat category
n Targeted Attacks threat category

Under certain conditions, the AIF contains a component that defines certain MITRE
ATT&CK® categories and the associated tactics and techniques. AEM can add MITRE
information to the Threat Analysis page to help you understand why certain threats are
important. See “About the MITRE ATT&CK Data” on page 306.

Important
These components are subject to change as ASERT updates the feed.

Where to configure the AIF settings


Use the Configure AIF Settings page (Administration > ATLAS Intelligence Feed) to
configure AIF settings such as configuring a proxy server or disabling automatic updates.

See “Configuring the ATLAS Intelligence Feed” on page 74.

You configure the other AIF-related settings in the ATLAS Intelligence Feed section on the
following pages:
n Configure Server Type page (Protect > Inbound Protection > Server Type
Configuration), for inbound traffic
n Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat
Filter), for outbound traffic

See “ATLAS Intelligence Feed Settings” on page 125.

About the ATLAS Threat Policies


One of the components of the ATLAS Intelligence Feed (AIF) is the threat information,
which consists of the policies that identify threats by their traffic patterns. AED and APS
use this information to protect your network against the latest threats by blocking any
traffic that matches the policies.

You enable the threat protection on managed devices when you configure the server
types or the outbound threat filter (OTF). See “ATLAS Intelligence Feed Settings” on
page 125.

For general information about AIF, see “About the ATLAS Intelligence Feed” on the
previous page.

About the ATLAS threat policies


A threat policy is a collection of the rules and actions that the ATLAS Security Engineering
and Response Team (ASERT) develops to define a given threat. A rule can consist of one
or more IP addresses, HTTP regular expressions, or DNS names.

ASERT organizes related threat policies into threat categories. Each threat category is
further subdivided into threat subcategories, which are limited collections of related
threat policies. For example, the Malware threat category might contain subcategories
such as RAT (remote access Trojan), Fake Antivirus, and other malware threats. Each of
these subcategories consists of the policies that define the specific threats.

The AIF is updated frequently as the ASERT researchers identify new threats. Although the
threat categories remain relatively static, they are subject to change.

On a managed device, you can enable threat blocking and view traffic statistics by threat
category. When you do so, you can also configure custom confidence values for specific
threat categories. The confidence value is a relative value on the ATLAS confidence index,
which represents ASERT’s confidence that the rules in a threat policy will identify
malicious traffic. The managed device uses the confidence value to determine whether to
apply the corresponding rule to block traffic.

About matching domain policies


The ATLAS threat categories contain policies that define domains that host threats. When
traffic matches a domain threat policy, the managed device does not block all of the
traffic to the DNS server and it does not block the host. Instead, the managed device
handles the traffic as follows:
n For outbound traffic — The managed device blocks the DNS request for a fully
qualified domain name (FQDN) that is known to be bad.
The managed device sees only the request to the DNS server, not the resolution of the
FQDN to an IP address. Therefore, the managed device reports the DNS server as a
blocked destination IP address on the Blocked Hosts Log page.
For example, assume that an infected internal asset sends a request to a DNS server
(192.0.2.1) to resolve the IP address of a certain FQDN. The request matches a domain
threat policy, so the managed device blocks that request. In this example, 192.0.2.1
appears in the Destination column on the Blocked Hosts Log page, even though the DNS
server itself is not malicious and other traffic to it is not blocked.
n For inbound traffic — The managed device blocks the response from the DNS server
for a fully qualified domain name that is known to be bad.

You can use a packet capture to determine the hostname that is being requested and
blocked. See “Investigate why a DNS server appears to be blocked” on page 250.

A DNS server can be blocked for some other reason, for example, if it is on the deny list or
it matches a DNS regular expression. In such cases, all of the traffic to the DNS server is
blocked.

Note
For managed devices to block outbound DNS requests, you must enable the outbound
threat filter and the ATLAS threat categories there. See “Configuring the Outbound
Threat Filter” on page 121.

About the ATLAS Confidence Index


The ATLAS confidence index is a numeric scale from 1 to 100, which represents ASERT’s
confidence that the rules in a threat policy will identify malicious traffic. ATLAS assigns a
relative numeric value, or confidence value, to every rule in a threat policy for each
protection level. As AED or APS inspects traffic, it applies the rules whose confidence
values match or exceed the confidence value that is configured for the active protection
level.

Configuring confidence values


In the ATLAS Intelligence Feed protection settings, the ATLAS confidence values become the
default confidence values for the threat categories. You can accept the default confidence
values or configure custom confidence values. You configure these settings when you
configure the server types or the outbound threat filter. See “ATLAS Intelligence Feed
Settings” on page 125.

For general information about AIF and the threat policies, see “About the ATLAS
Intelligence Feed” on page 68 and “About the ATLAS Threat Policies” on page 69.

How the ATLAS confidence index affects traffic


In general, a high confidence value indicates that there is more evidence to support the
classification of the traffic that matches the rule as malicious. A lower confidence value
can indicate that there is less supporting evidence for classifying the traffic as malicious.
Alternatively, a lower confidence value can represent the aging and associated reduction
of a formerly high confidence value.

AED and APS apply the threat rules based on the ATLAS confidence values, the configured
confidence values for the associated threat categories, and the active protection level, as
follows:
n When the ATLAS confidence value for a rule is less than the threat category’s configured
confidence value for the active protection level, AED and APS pass the matching traffic.
n When the ATLAS confidence value for a rule is greater than or equal to the threat
category’s configured confidence value for the active protection level, AED and APS block
the matching traffic.

Higher protection levels use lower configured confidence values, so AED and APS enforce
more rules and block more traffic at those levels. Because rules with less supporting
evidence are then enforced, some clean traffic might be blocked.

See “How the threat rules are applied” on the next page.

How the ATLAS confidence values can change over time


The confidence values for rules are relative values that change over time, based on
several factors. An example of a factor that affects the adjustment of the confidence value
is whether ATLAS continues to observe the threat behavior that a rule defines. For
example, when ATLAS observes a threat from a particular IP address, it creates a rule for
that threat and IP address, and assigns a confidence value of 100. If ATLAS continues to
observe traffic that matches the rule, then the rule confidence value remains at 100.

When ATLAS no longer observes traffic that matches the rule, the rule confidence value
decreases. The rule confidence value continues to decrease as time passes without
further attack traffic from that IP address.

Example
The following figure shows how the ATLAS confidence values for a rule can change over
time, given the following scenario:
n On Day 1, Day 2, and Day 3, ATLAS observes a malware threat from 192.0.2.1. ATLAS
creates a rule under the Malware threat category and assigns a confidence value of 100
to the new rule.
n Because no malware is observed from 192.0.2.1 after Day 3, the confidence value
decreases over time.
n On Day 29 and Day 30, ATLAS again detects a malware threat from 192.0.2.1, and
resets the confidence value to 100.

The confidence value changes do not adhere to a fixed timeframe. The date span in this
simplified example is for illustration purposes and does not necessarily represent an
actual timeframe for confidence value changes.

Example: How the ATLAS confidence values can change over time

How the threat rules are applied


The following example shows how AED and APS apply the threat rules based on the
changing confidence values. For this example, assume the following conditions:
n During a certain month, the AIF updates contain a rule for malware from 192.0.2.1, and
the rule confidence value changes over time as shown in the figure above.
n You receive traffic from 192.0.2.1 on the dates in the following table.
n In the ATLAS Intelligence Feed settings in AED and APS, the confidence values for the
Malware threat category are configured as shown in the following table.

Given those conditions, the following table shows how AED and APS would apply these
threat rules to the traffic:

Example: How AED and APS apply the threat rules

Each of the Low, Medium, and High columns shows the verdict for traffic from 192.0.2.1
when that protection level is active, given the confidence values that are configured for
the Malware threat category.

                                      Confidence values configured in AED and APS
Date      ATLAS confidence value      Low = 75     Medium = 50     High = 25
          for the rule
Day 2     100                         block        block           block
Day 8     80                          block        block           block
Day 15    60                          pass         block           block
Day 22    45                          pass         pass            block
Day 29    100                         block        block           block
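The following added example is the editor’s model of the behaviour described above, not NETSCOUT code. It encodes the two decision rules, reproduces the verdict table from the confidence values and thresholds in the example, checks that custom confidence values keep the Low ≥ Medium ≥ High order (otherwise a higher protection level would enforce fewer rules than a lower one), and models the reset-and-decay timeline. The linear decay function is an assumption for illustration only; the guide states that confidence values decrease over time and reset to 100 on a new sighting but gives no fixed schedule.

```python
"""Model of how AED/APS apply ATLAS threat rules (editor's illustration)."""

LEVELS = ("low", "medium", "high")

# Constructed thresholds for one threat category, matching the example table
# (Low = 75, Medium = 50, High = 25).
MALWARE_THRESHOLDS = {"low": 75, "medium": 50, "high": 25}

# ATLAS confidence values for the example rule on the dates in the table.
EXAMPLE_RULE_CONFIDENCE = {2: 100, 8: 80, 15: 60, 22: 45, 29: 100}


def verdict(atlas_confidence, thresholds, active_level):
    """'block' when the rule's ATLAS confidence meets or exceeds the value that is
    configured for the active protection level, otherwise 'pass'."""
    return "block" if atlas_confidence >= thresholds[active_level] else "pass"


def verdict_matrix(rule_confidence_by_day, thresholds):
    """Verdict for every (day, protection level) pair, i.e. the example table."""
    return {
        day: {level: verdict(conf, thresholds, level) for level in LEVELS}
        for day, conf in rule_confidence_by_day.items()
    }


def thresholds_are_ordered(thresholds):
    """Custom confidence values should keep Low >= Medium >= High so that each
    higher protection level enforces at least the rules of the level below it."""
    return thresholds["low"] >= thresholds["medium"] >= thresholds["high"]


def rule_confidence_timeline(sighting_days, last_day, decay):
    """Reset-and-decay behaviour: 100 on any day the threat is observed, then
    decay(days_since_last_sighting) until it is seen again. `decay` is an
    ASSUMED function; the guide gives no schedule. Days before the first
    sighting have no rule and are omitted from the result."""
    timeline, last_seen = {}, None
    for day in range(1, last_day + 1):
        if day in sighting_days:
            last_seen = day
            timeline[day] = 100
        elif last_seen is not None:
            timeline[day] = max(0, decay(day - last_seen))
    return timeline


if __name__ == "__main__":
    table = verdict_matrix(EXAMPLE_RULE_CONFIDENCE, MALWARE_THRESHOLDS)
    for day, row in table.items():
        print(f"Day {day:>2} (ATLAS {EXAMPLE_RULE_CONFIDENCE[day]:>3}): "
              + "  ".join(f"{lvl}={row[lvl]}" for lvl in LEVELS))
    # Assumed decay of 4 points per day, sightings on days 1-3 and 29-30.
    conf = rule_confidence_timeline({1, 2, 3, 29, 30}, 30, lambda d: 100 - 4 * d)
    print("Day 8:", conf[8], " Day 15:", conf[15], " Day 29:", conf[29])
```

Run it to print the verdict table; the `thresholds_are_ordered` check is the one to apply before saving custom confidence values on a server type or the outbound threat filter.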


About Web Crawler Support


When protecting your HTTP servers from DDoS attacks, AED and APS might prevent
search engine web crawlers from accessing your site. You can configure AED and APS to
pass traffic from certain search engines with limited inspection, so that legitimate web
crawlers can crawl your web site more freely. As a result, you can maximize search engine
page ranking while maintaining protection from threats that are designed to imitate
legitimate web crawlers.

How the web crawler support works


The web crawler support consists of the following features:
n In AED and APS, the ATLAS Intelligence Feed (AIF) updates include a list of the IP
address ranges that are considered to be legitimate search engine web crawlers. Each
IP address range is associated with the low, medium, or high protection level.
n Settings on the Configure AIF Settings page in AED and APS allow you to enable the
search engines that can crawl your web site.
n On the Configure Server Type page, the Web Crawler Support setting allows you to
enable web crawler support by protection level. See “ATLAS Intelligence Feed Settings”
on page 125.
n Sections on the Summary page and the View Protection Group page in AED and APS
display information about the web crawler traffic that AED and APS detect and pass.

How AED and APS pass web crawler traffic


AED and APS pass search engine traffic in a manner that is similar to adding items to the
allow list, except that not all search engine traffic is passed globally. The following criteria
determine which search engine traffic is passed:
n the search engines that are enabled on the Configure AIF Settings page (Administration
> ATLAS Intelligence Feed) in AED and APS
n the protection level that is associated with each search engine’s IP address range in the
AIF updates
n the global protection level or protection group protection level

The protection levels determine which search engine traffic is inspected and which
protection categories are used, as follows:

Protection level   Effect on search engine traffic

Low                Traffic from all of the enabled search engines is passed without
                   further inspection.

Medium             Traffic from a smaller set of enabled search engines is passed
                   with limited inspection.

High               Traffic from an even smaller set of enabled search engines is
                   inspected by a majority of protection categories.


Configuring the ATLAS Intelligence Feed


You can download updates to the ATLAS® Intelligence Feed (AIF) at any time and you can
configure AEM to download the updates at specified intervals. To request and configure
AIF updates, use the Configure AIF Settings page (Administration > ATLAS Intelligence
Feed). If necessary, you also can configure AEM to connect to the AIF server through a
proxy server.

To authorize the feed download, the AIF server authenticates the TLS (SSL) session by
using the client certificate that AEM presents.

For general information about AIF, see “About the ATLAS Intelligence Feed” on page 68.

Requirement
For name resolution, you must configure a valid DNS server on AEM. You can configure
this information on the Configure General Settings page. See “Configuring General Settings”
on page 57.

Viewing the AIF status


The Status section on the Configure AIF Settings page indicates the date and time of the
most recent AIF update. It also indicates when the system last checked for an update.

Requesting an AIF update


You can request an AIF update at any time. For example, you might want to perform an
AIF update outside of the schedule or test the connection to the AIF servers.

To request an AIF update:

1. Select Administration > ATLAS Intelligence Feed.


2. On the Configure AIF Settings page, select the Enable Automatic Connection to AIF
check box.
3. (Optional) To use a proxy server to connect to the AIF server, configure the proxy
server settings that are described in “Proxy settings for AIF updates” on the next
page.
4. Click Update Now.
5. To save the configuration, including the automatic update setting, click Save.
Otherwise, exit the Configure AIF Settings page without saving it.
6. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Enabling automatic AIF updates


To enable automatic connections to the AIF server:
1. Select Administration > ATLAS Intelligence Feed.
2. On the Configure AIF Settings page, select the Enable Automatic Connection to AIF
check box.
3. In the Check for AIF updates every list, specify how often AEM should download the
feed data from the AIF server. You can select an interval from 15 minutes up to 2
days. The default interval is 1 hour.


4. (Optional) To use a proxy server to connect to the AIF server, configure the proxy
settings that are described in “Proxy settings for AIF updates” below.
5. Click Save to save the settings and connect to the AIF server at the next interval.
6. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
7. (Optional) Click Update Now to test the connection.

Proxy settings for AIF updates


To connect to the AIF server through a proxy server, configure the following settings.

Settings for an AIF proxy server

Setting                              Description

Use proxy to connect to AIF server   Select this check box to allow AEM to connect to the AIF
check box                            server through a proxy server.

Host box                             Type the IP address or the host name for the proxy server.

Port box                             Type the port number for the proxy server.

Username box                         If necessary, type the user name that is required to access
                                     the proxy server.

Password box                         If necessary, type the password that is required to access
                                     the proxy server.

Authentication mode list             Select the authentication method that AEM uses when it
                                     connects to the proxy server:
                                     n basic
                                     n NTLM
                                     n digest
                                     Basic transmits the proxy credentials base64-encoded rather
                                     than encrypted; NTLM and Digest use challenge-response
                                     exchanges that do not send the password itself.

Changing the default AIF HTTPS server


You can change the default AIF HTTPS server from aif.arbor.net to a different host.

For example, NETSCOUT might change the default AIF server endpoints between product
releases, when there would be no update program to make the change for you. In such
cases, a support representative would inform you of the change.

To change the default AIF server:


1. Log in to the CLI with your administrator user name and password.
2. Enter / services aem atf set server aif_host_name
aif_host_name = the host name of the AIF server

Viewing the Status of ATLAS Intelligence Feed Updates


You can view the status of the ATLAS Intelligence Feed (AIF) updates on the Configure AIF
Settings page and the Audit Trail Log.


On either page, you can refresh your browser window to update the status information.

Checking the status of AIF updates


To check the status of the last automatic update or update request (from the Update
Now button):
n Select Administration > ATLAS Intelligence Feed to display the Configure AIF Settings
page, and view the Last Check information.

Viewing AIF updates in the Audit Trail Log


All of the automatic AIF updates are recorded and displayed in the Audit Trail Log
(Administration > Audit Trail). The AIF log entries contain information about which files
are updated.

You can search for “ATLAS” to filter the display for AIF entries. See “Viewing the Audit Trail
Log” on page 320.

About the AIF traffic statistics


You can use the View Protection Group page to view information about the attack traffic
that the AIF signatures detected and blocked. See “Viewing the AIF Traffic Statistics for a
Protection Group” below.

Viewing the AIF Traffic Statistics for a Protection Group


You can use the View Protection Group page to view information about the attack traffic
that the AIF botnet signatures detected and blocked. This information is displayed at the
protection group level.

For general information about ATLAS Intelligence Feed, see “About the ATLAS Intelligence
Feed” on page 68.

Viewing the AIF traffic statistics for a protection group


To view the AIF traffic statistics for a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click the name link of the protection group whose
data you want to view.
3. On the View Protection Group page, under the Attack Categories section, scroll to the
Botnet Prevention line and click Details.
4. In the subsection that opens, scroll to the AIF Botnet Signatures line and click Details.
This line appears only if traffic matched the AIF signatures and was blocked.
This subsection might also display information, under Basic Botnet Prevention, about
the traffic that is blocked as a result of the Botnet Prevention settings. That traffic is
not associated with the AIF botnet signatures.
5. When you finish viewing the detailed information, click Details to hide it.


AIF Botnet Signatures information


The AIF Botnet Signatures line displays the following information:
n a minigraph of the total traffic that was blocked by the AIF botnet signatures
You can hover your mouse pointer over the minigraph to view a larger version of the
graph.
n the total amount of traffic that was blocked, in bytes, bits per second (bps), packets,
and packets per second (pps)

AIF traffic details


When you click the Details button on the AIF Botnet Signatures line, the following
information appears for each protection level:
n a minigraph of the traffic that was detected or blocked by all of the AIF protection
settings at that level
n the status of each protection level
For example, if the protection level is set to medium, both the low level and medium
level of AIF traffic are marked as Active. The AIF signatures at both levels are used to
block traffic.
n the amount of traffic that was detected or blocked, in bytes, bits per second (bps),
packets, and packets per second (pps)
n the average number of hosts that were blocked

This information reflects the global protection level or the protection group’s protection
level, for those groups that have their own protection level configured.

For the active protection level and for any lower protection levels, the traffic statistics
represent the attacks that were blocked. For any protection level that is higher than the
active level, the traffic statistics represent the attacks that would be blocked if that level
were active.

A large graph represents the traffic that was detected and blocked at all of the levels.



Section 6:
Configuring Notifications

This section describes how to define destinations for sending alert notifications. You can
create notifications for any combination of email addresses, SNMP traps, and syslog
messages.

You can group similar recipients so that they all receive the same types of event
notifications. For example, you can create a notification that includes all of your network
security engineers.

User access
Users at all authorization levels can view the notification configurations. Only
administrators can perform the configuration tasks that are described in this section.

In this section
This section contains the following topics:

About Notifications 78
Configuring Notifications 80
Viewing Notifications 83

About Notifications
When AEM detects events, conditions, or errors in the system, it creates alerts to inform
users. You can configure AEM to send notification messages to specified destinations to
communicate certain alerts. You do so by associating the alert with one or more
notifications.

A notification defines its destination and the means by which the notification is sent. You
can create notifications for different groups of users, mailing lists, and remote systems.

You also can create notifications when you add user accounts. When you enter an email
address for a user account, AEM creates a notification for that email address. If necessary,
you can edit or delete these user-specific notifications on the Configure Notifications page.

Viewing notifications
The Configure Notification page displays all of the notifications that are configured for
AEM, and allows you to add, edit, and delete notifications. See “Viewing Notifications” on
page 83 and “Configuring Notifications” on page 80.

How AEM uses the notifications


When you create a notification, it appears as a selection in the alert configuration for
system events. You can select one or more notifications for each alert configuration.


When an alert is triggered for the associated event, the notifications are sent to the
destinations that are defined in the alert’s notification.

You configure alerts for system events on the Configure System Alerts page
(Administration > System Alert Notifications). See “Configuring System Alerts” on
page 61.

Note
The notifications for Device Up/Down events may be delayed by up to five minutes. This
delay occurs because AEM waits to make sure that a managed device is down and not
experiencing a temporary connection issue.

Notification contents
A typical notification contains the alert type and a description. It also includes the default
URL hostname, if one is configured on the Configure General Settings page
(Administration > General). The recipient can copy and paste the URL into a browser to
navigate directly to the event.

Depending on the alert type, the notification can contain additional information, such as
the associated rule, severity, client, server, service, and other messages.

See “Email Notification Examples” on page 367 or “Syslog Notification Examples” on
page 368.

Notification types
The notification type defines how AEM sends notifications. You can create notifications
for any combination of email addresses, SNMP traps, and syslog messages.

Types of notifications

Notification type   Description

email               AEM sends email notifications to the destination addresses that
                    you specify, and the notifications appear to come from the sender
                    address that you specify. AEM queues email messages for one
                    minute, and then sends them in a batch. When an email
                    notification contains multiple alerts, AEM sends one summary
                    email.
                    The system sends the email notifications through the SMTP server
                    that you configure on the Configure General Settings page.

SNMP                AEM sends notifications to a network management system as
                    SNMP traps.
                    The Arbor SMI MIB and the AEM MIB define the SNMP notification
                    format. See “Configuring SNMP Polling” on page 58.
                    AEM supports SNMP versions 1, 2, and 3 for notifications.
                    You can send test SNMP notification messages to verify that the
                    system is working properly before it generates an actual alert.

syslog              AEM sends notifications to a security event management system
                    as syslog messages.


Configuring Notifications
The Configure Notifications page allows you to configure the notifications that AEM sends
to specified destinations when certain system alerts and events occur.

See “About Notifications” on page 78.

Setting a default From address


You can set a default From address that is used in every new email notification that you
create, unless you specify otherwise.

To set a default From address:


1. Select Administration > Notifications.
2. At the bottom of the Configure Notifications page, in the Default ‘From’ Address box,
type a valid email address.
3. Click Save.
4. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Configuring a notification
To add or edit a notification:
1. Select Administration > Notifications.
2. On the Configure Notifications page, complete one of the following steps:
n To add a new notification, click Add Notification.
n To edit an existing notification, click the notification name.
3. Configure the following settings:

Setting       Description

Name box      Type a unique name to identify the notification throughout
              the UI. Use a name that helps users recognize the
              destinations that it represents. You can use any
              combination of letters and numbers.

Comment box   (Optional) Provide descriptive information to further
              identify the notification. The comment appears in the list of
              notifications on the Configure Notifications page.

4. Configure the settings for one of the following destination types, and then click Save.
n Email — See “Email destination settings” on the next page.
n SNMP — See “SNMP destination settings” on the next page.
Tip
After you add an SNMP notification, you can click Test to send test SNMP
notification messages. This test allows you to verify that the system is working
properly before it generates an actual alert.
n Syslog — See “Syslog destination settings” on page 82.


5. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Email destination settings


When you create or edit an email destination, configure the following settings:

Email destination settings

Setting    Description

From box   Type the email address that should appear as the sender. You
           can use the AEM name as the sender to easily identify any AEM
           notifications.
           If you specified a default From address, then the address
           appears here. See “Setting a default From address” on the
           previous page.

To box     Type the recipient’s valid email address. Enter multiple email
           addresses as a comma-separated list.

SNMP destination settings


Note
The SNMP settings on this page do not affect the SNMP settings on the Configure General
Settings page.

When you create or edit an SNMP destination, configure the following settings:

SNMP destination settings

Setting                     Description

Destination IP box          Type the IP address for each SNMP trap receiver. You can add
                            up to four IP addresses. Use commas to separate multiple IP
                            addresses.

Version list                Select the SNMP version that you use.

Community box               (Versions 1 and 2 only) Type the community string (password)
                            to use for authenticating the SNMP trap. Otherwise, the
                            system defaults to the standard public setting.
                            The community string travels in cleartext, so do not keep the
                            default, and prefer version 3 where the trap receiver supports it.

Agent IP box                (Version 1 only) Type the IP address for the SNMP agent.

User Name box               (Version 3 only) Type an SNMP user name.
                            This setting is required and must match one of the names that
                            is configured on your trap receiver.

Security Engine ID box      (Version 3 only) Type an SNMP security engine ID.
                            This setting is required and must be an even-length string of
                            hex digits (0-9, A-F). It must match one of the security engine
                            IDs that are configured on your trap receiver.

Passphrase box              (Version 3 only) Type the passphrase for the SNMP user name
                            that you specified above if the Security Level setting is set to
                            something other than No Authentication.

Authentication Protocol     (Version 3 only) Select an authentication protocol (MD5 or
list                        SHA).
                            If you set Security Level to something other than No
                            Authentication, then this value must match the value that is
                            expected by your trap receiver. Use SHA where the receiver
                            supports it; MD5 is a legacy choice.

Security Level list         (Version 3 only) Select one of the following security levels:
                            n No Authentication — No passphrase authentication is
                              performed.
                            n Authentication/No Privacy — Passphrase authentication is
                              performed, but the data in the trap messages is not
                              encrypted.
                            n Authentication w/ Privacy — Passphrase authentication is
                              performed and the data in the trap messages is encrypted.
                            Only Authentication w/ Privacy protects the content of the
                            traps on the network.

Context Name box            (Version 3 only, optional) Type the SNMP application context.
                            Because there is only one SNMP context on AEM, this setting
                            typically is not required. However, if your trap receiver expects
                            a specific context name, then provide it.

Privacy Protocol list       (Version 3 only) If you select Authentication w/ Privacy from
                            the Security Level list, then select the privacy protocol (DES or
                            AES) that your trap receiver expects. Use AES where the receiver
                            supports it; DES is a legacy choice.

Privacy Passphrase box      (Version 3 only) If you select Authentication w/ Privacy from
                            the Security Level list, then type the privacy passphrase that
                            is expected by your trap receiver.
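The following added example is the editor’s own pre-flight check for an SNMP trap destination, not an AEM feature. It validates a destination against the constraints in the table above: at most four comma-separated receivers, a user name and an even-length hexadecimal engine ID for version 3, and the passphrase and protocol settings that each security level requires. The `cfg` key names and the two constructed configurations are assumptions for this example; the warnings about version 1/2 community strings, No Authentication, MD5, and DES are hardening advice, not checks that AEM performs.

```python
"""Pre-flight validation of an SNMP trap destination (editor's example)."""
import ipaddress
import re

SECURITY_LEVELS = ("No Authentication", "Authentication/No Privacy",
                   "Authentication w/ Privacy")
AUTH_PROTOCOLS = ("MD5", "SHA")
PRIV_PROTOCOLS = ("DES", "AES")
ENGINE_ID_RE = re.compile(r"[0-9A-Fa-f]+")


def validate_snmp_destination(cfg):
    """Return (errors, warnings) for one SNMP trap destination.

    Errors are violations of the constraints in the settings table; warnings
    are accepted-but-weak choices (editor's advice, not AEM behaviour).
    The cfg key names are assumed for this example.
    """
    errors, warnings = [], []

    receivers = [r.strip() for r in cfg.get("destination_ip", "").split(",") if r.strip()]
    if not receivers:
        errors.append("Destination IP: at least one trap receiver is required")
    elif len(receivers) > 4:
        errors.append("Destination IP: at most four receivers are allowed")
    for r in receivers:
        try:
            ipaddress.ip_address(r)
        except ValueError:
            errors.append(f"Destination IP: {r!r} is not an IP address")

    version = str(cfg.get("version", ""))
    if version in ("1", "2"):
        community = cfg.get("community") or "public"  # documented default
        if community == "public":
            warnings.append("Community: the default 'public' is widely known; set a unique string")
        warnings.append(f"Version {version}: the community string travels in cleartext; prefer version 3")
        if version == "1" and not cfg.get("agent_ip"):
            errors.append("Agent IP: required for version 1")
    elif version == "3":
        if not cfg.get("user_name"):
            errors.append("User Name: required for version 3")
        engine_id = cfg.get("security_engine_id", "")
        if not ENGINE_ID_RE.fullmatch(engine_id) or len(engine_id) % 2:
            errors.append("Security Engine ID: must be an even-length string of hex digits")
        level = cfg.get("security_level")
        if level not in SECURITY_LEVELS:
            errors.append(f"Security Level: must be one of {SECURITY_LEVELS}")
        elif level == "No Authentication":
            warnings.append("Security Level: traps are neither authenticated nor encrypted")
        else:
            if not cfg.get("passphrase"):
                errors.append("Passphrase: required when authentication is enabled")
            auth = cfg.get("authentication_protocol")
            if auth not in AUTH_PROTOCOLS:
                errors.append(f"Authentication Protocol: must be one of {AUTH_PROTOCOLS}")
            elif auth == "MD5":
                warnings.append("Authentication Protocol: MD5 is legacy; use SHA if the receiver supports it")
            if level == "Authentication w/ Privacy":
                priv = cfg.get("privacy_protocol")
                if priv not in PRIV_PROTOCOLS:
                    errors.append(f"Privacy Protocol: must be one of {PRIV_PROTOCOLS}")
                elif priv == "DES":
                    warnings.append("Privacy Protocol: DES is legacy; use AES if the receiver supports it")
                if not cfg.get("privacy_passphrase"):
                    errors.append("Privacy Passphrase: required for Authentication w/ Privacy")
    else:
        errors.append("Version: must be 1, 2, or 3")
    return errors, warnings


# Constructed configurations for illustration (assumed field names).
WEAK_V2 = {"destination_ip": "192.0.2.10", "version": "2", "community": ""}
HARDENED_V3 = {
    "destination_ip": "192.0.2.10, 192.0.2.11",
    "version": "3",
    "user_name": "aem-traps",
    "security_engine_id": "8000000001020304",
    "security_level": "Authentication w/ Privacy",
    "passphrase": "example-auth-passphrase",
    "authentication_protocol": "SHA",
    "privacy_protocol": "AES",
    "privacy_passphrase": "example-priv-passphrase",
}

if __name__ == "__main__":
    for name, cfg in (("WEAK_V2", WEAK_V2), ("HARDENED_V3", HARDENED_V3)):
        errors, warnings = validate_snmp_destination(cfg)
        print(name, "errors:", errors, "warnings:", warnings)
```

`WEAK_V2` passes the documented constraints but draws two warnings (an empty community falls back to `public`, and version 2 sends it in cleartext); `HARDENED_V3` produces neither errors nor warnings.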

Syslog destination settings


When you create or edit a syslog notification, configure the following settings:

Syslog destination settings

Setting           Description

Destination box   Type the syslog host IP address.

Port box          (Optional) The default setting is port 514. If you do not want to
                  use the default port, then type a new port number.

Facility list     Select a syslog facility value to indicate the source of the
                  message, as defined in the syslog protocol (RFC 3164).
                  The default facility is Daemon.

Severity list     Select one of the following syslog severity values (the RFC 3164
                  numeric code is shown in parentheses):
                  n emerg (0) — emergency, system is unusable
                  n alert (1) — action must be taken immediately
                  n crit (2) — critical condition
                  n err (3) — error condition
                  n warning (4) — warning condition
                  n notice (5) — normal but significant condition
                  n info (6) — informational message
                  n debug (7) — debug-level message
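The following added example is the editor’s, not part of AEM, and shows how the facility and severity configured above reach a receiver: RFC 3164 encodes both in the PRI field at the start of each message as facility * 8 + severity, so a SIEM or collector can filter AEM notifications on that value. The sample line is constructed and does not reproduce AEM’s actual message format; for that, see the syslog notification examples that the guide references.

```python
"""RFC 3164 PRI handling for syslog notifications (editor's example)."""
import re

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")


def pri(facility, severity):
    """PRI value that a message with this facility and severity carries."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def split_pri(value):
    """Inverse of pri(): (facility name, severity name) for a PRI value."""
    if not 0 <= value <= 191:
        raise ValueError(f"PRI out of range: {value}")
    facility, severity = divmod(value, 8)
    return FACILITY_NAMES.get(facility, f"facility{facility}"), SEVERITY_NAMES[severity]


def parse_syslog(line):
    """Split one RFC 3164 line into its fields; raises ValueError if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    facility, severity = split_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "message": m.group(5)}


def matches_notification(line, facility, severity):
    """True when the line carries exactly the facility and severity that are
    configured for a syslog notification (a receiver-side sanity check)."""
    parsed = parse_syslog(line)
    return parsed["facility"] == facility and parsed["severity"] == severity


# Constructed sample line (not AEM's real message format): PRI 28 is
# daemon (3 * 8) + warning (4), i.e. the default facility with severity warning.
SAMPLE_LINE = "<28>Mar 14 12:00:00 aem-01 aem: Device Down: managed device aed-edge-1 is unreachable"

if __name__ == "__main__":
    print(parse_syslog(SAMPLE_LINE))
    print("expected PRI for daemon/warning:", pri("daemon", "warning"))
```

When a notification does not show up in the SIEM, comparing `pri(facility, severity)` for the configured values with the PRI of what actually arrives on port 514 is the quickest way to tell a facility or severity mismatch from a delivery problem.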

Deleting notifications
You cannot delete a notification that is referenced by a system alert.
To delete a notification:
1. Select Administration > Notifications.
2. On the Configure Notifications page, complete one of the following steps:
n To delete individual notifications, select the check boxes to the right of the
notifications.
n To delete all of the notifications on the current page, select the Select All check
box in the table heading row.
3. Click Delete.
4. In the confirmation message that appears, click OK.
5. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Viewing Notifications
The Configure Notifications page displays all of the notifications in the system and allows
you to add, edit, and delete the notifications. See “Configuring Notifications” on page 80.

For general information about notifications, see “About Notifications” on page 78.

Viewing the notifications


To view the existing notifications:
1. Select Administration > Notifications.
2. (Optional) On the Configure Notifications page, to find specific notifications, type a
string in the Search Notifications box, and then click Search.


Information on the Configure Notifications page


The Configure Notifications page displays the following information for each notification:

Notification details

Information Description

Name Displays the name of the notification as a link that opens the Edit
Notification Settings page for that notification.

Email For email notifications, displays the email addresses that notifications are sent
to, and the email address that the notifications appear to be sent from.

SNMP For SNMP notifications, displays the SNMP destination, community, and version for
the notification.

Syslog For Syslog notifications, displays the destination, facility, and severity for the
notification.

Comment Displays descriptive information that was entered when the notification was
configured.

Log Message Displays the most recent message that was logged for the
notification.

Creator Displays the name of the user who configured the notification.

Last Modified Indicates the last time that the notification was changed by a
user or by the system.

Used By Alert Configurations Displays the system alerts that reference the notification
as links to the corresponding alert Configuration window.

Selection check box Allows you to select the notification for deletion.



Part III: Device Management

Section 7: Introduction to Device Management

This section describes how to use AEM as a system to manage multiple AED and APS
devices.

User access
Users at all authorization levels can view the device information. Only administrators and
analysts can perform the configuration tasks that are described in this section.

In this section
This section contains the following topics:

Configuring a Device for AEM Management 86
Accessing Managed Devices from AEM 88
About Single Sign-on to Managed Devices 89
About Configuration Data Synchronization with AEM 90
How Restoring Backups Affects the AEM - Device Synchronization 93
Setting the Protection Mode (Active or Inactive) 95
About the Protection Levels 96
Deleting Offline Devices 99

Configuring a Device for AEM Management


To manage multiple devices (AED and APS) from Arbor Enterprise Manager (AEM), you
connect each device to AEM.

The connection process, which is also called binding, performs the following tasks on the
device to be managed:
n Configures the connection between the device and AEM.
n Adds a syslog notification with the AEM device as the destination.
The syslog data is stored in an AEM database and supports the threat analysis feature
in AEM.
n Adds special user accounts that allow single sign-on access from AEM to the device.
See “About Single Sign-on to Managed Devices” on page 89.

For more information about device management, see “About Managing Devices from
AEM” on page 13.


About the commands for connecting devices


You connect a device to AEM and perform the required configurations by using the
following / services {aed | aps} manager commands in the device’s CLI:
n test — Allows you to test the connection to AEM before you spend the time and
system resources that the binding process requires.
n bind — Configures the connection between the devices and adds the syslog
notification and user accounts. After you connect a device to AEM, the initial data
synchronization occurs. See “About Configuration Data Synchronization with AEM” on
page 90.
n show — Displays the status of the current configuration.
n unbind — Disconnects a device from AEM management and deletes the associated
configurations. For details, see “Disconnecting a managed device” on the next page.

Before you begin


Before you connect a device to AEM, verify that the following requirements are met:
n The device is installed and configured as described in the appropriate Installation Guide
and in this document.
n The software version for the device is supported by AEM, as shown in the compatibility
matrix that is included in the Arbor Enterprise Manager Release Notes.

Also, obtain the IP address or system name of the AEM and the shared secret that was
configured on the AEM. The shared secret authenticates communication between AEM
and the managed device. You configure the same secret on all of the devices that AEM
manages.

Connecting a device for AEM management


In the following commands, host and secret are placeholders for the following values:
n host = The AEM device to connect to, entered as an IP address or system name.
n secret = The shared secret that is configured in AEM.

To connect a device to AEM:


1. On the device to be managed, log in to the CLI with your administrator user name
and password.
2. To test the connection between the device and AEM before you complete the binding,
enter the following command:
/ services {aed | aps} manager test host interactive
After you enter this command, enter the shared secret at the Secret prompt that
appears.
If the test is successful, then continue with the next step.
3. To connect the device, enter the following command:
/ services {aed | aps} manager bind host interactive
After you enter this command, enter the shared secret at the Secret prompt that
appears.
4. To verify the connection, enter / services {aed | aps} manager show
5. To log out of the CLI, enter exit


Note
As an alternative to the interactive argument, you can use the secret argument to
allow the entry of the secret without the prompt. For example:
/ services {aed | aps} manager test host secret secret
This command is intended for use in automation. You might not want to use this
command in the CLI because the secret remains visible on the screen.

Disconnecting a managed device


In certain situations, you might need to disconnect (unbind) a device from AEM. For
example, you might want to connect the device to a different AEM, or you might want to
move a physical appliance or return it for repair.

The unbind command removes the following configurations from the managed device:
n The connection to AEM
n The syslog notification with the AEM device as the destination
n The special user accounts and SSH key that allow single sign-on access from AEM

The unbind command does not affect any data on the connected AEM.

To disconnect a managed device from AEM:


1. On the managed device, log in to the CLI with your administrator user name and
password.
2. Enter / services {aed | aps} manager unbind
3. To log out of the CLI, enter exit

Note
If you intend to remove the device from management by this AEM permanently, then
you might want to remove the device and its data from the AEM. First, unbind the
device. Then use the Delete button on the AEM Summary page. This deletion is not
required, but it can free storage space and remove unneeded data from AEM. For
details, see Deleting Offline Devices.

Accessing Managed Devices from AEM


To examine specific data more closely or perform tasks on a managed device, you can log
in to the device from AEM. For your convenience, you can use the Device Console in AEM
to log in to the CLI of managed devices.

Administrators can access a managed device’s UI or CLI. Non-administrative users can
access a managed device’s UI only.

For more information about managing devices from AEM, see the following topics:
n “About Managing Devices from AEM” on page 13
n “Connecting a device for AEM management” on the previous page

About single sign-on


AEM uses single sign-on to log you in to managed devices automatically. When you access
a managed device from AEM, you are logged in as aem-admin or aem-user, according to
your assigned user group on AEM.


The aem-admin account and aem-user account are created on a managed device when
you connect it to AEM. For details, see “About Single Sign-on to Managed Devices” below.

Accessing the CLI of a managed device


(System administrators only.)

To access the CLI of a managed device:

1. In AEM, select Summary from the menu to open the Summary page.
2. In the System Information section, click (Launch device console) to the left of the
serial number for the managed device.
The Device Console opens in a browser window and you are logged in to the device
automatically as aem-admin. The system name for the device appears as
aem-admin@deviceName in the Device Console.
3. Enter the CLI commands for the managed device as you typically do.
For example, you would enter / services aed attack-analysis enable to enable
Attack Analysis on the managed AED.
4. To disconnect the managed device from the Device Console, enter / exit
If you do not close the Device Console after you disconnect, then you can press ENTER
to reconnect to the managed device.
5. To close the Device Console, close the browser window.

Accessing the UI of a managed device


To access the UI of a managed device:
1. In AEM, select Summary from the menu to open the Summary page.
2. In the System Information section, click the name link for a device in the Hostname
column.
The managed device opens in a browser window and you are logged in to the device
automatically as either aem-admin or aem-user.
3. Use the managed device as you typically do.
The ability to edit certain configurations is disabled on the device. These
configurations include server types, protection groups, filter lists, deny lists, allow
lists, and others. This restriction helps to avoid synchronization issues between AEM
and the managed device.
4. To log out of the device, click Logout in the upper-right corner of any page in the UI.
5. To close the managed device, close the browser window.

About Single Sign-on to Managed Devices


To examine specific data more closely or perform tasks on a managed device, you can log
in to the device from AEM. AEM uses single sign-on to log you in to managed devices
automatically.

For your convenience, you can use the Device Console in AEM to log in to managed
devices. Currently, the single sign-on is available only when you access managed devices
from the AEM Summary page or Blocked Hosts Log page.

You also can access managed devices from device links elsewhere in AEM. However,
access to a managed device from those other links in AEM still requires a login.


See “Accessing Managed Devices from AEM” on page 88.

This single sign-on is different from the HTTP header-based authentication that provides
single sign-on when users log in to the AEM UI. See “About HTTP Header-Based
Authentication” on page 54.

Note
The use of single sign-on requires that the managed device has a valid reverse DNS
lookup. If the device does not have a valid reverse DNS lookup, then AEM links to the IP
address of the device instead of its hostname. In that case, an SSL certificate error will
occur.
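As a pre-flight check for the note above, the following Python script is an added example (not part of this guide or of AEM) that predicts, for each managed device IP address, whether AEM will link by hostname or fall back to the IP address. It adds one check that the note does not mention: that the PTR name also resolves forward to the same address, because the device's certificate is issued for that name. The IP addresses, hostnames and fake resolver data are constructed so that the demo runs offline; calling check_fleet() without keyword arguments uses the real system resolver.

```python
import socket


def check_sso_link_target(ip, ptr_lookup=socket.gethostbyaddr,
                          forward_lookup=socket.gethostbyname):
    """Predict how AEM will link to one managed device.

    With a valid reverse lookup AEM links by hostname, which is the name the
    device certificate is issued for. Without one it links by IP address and the
    browser reports a certificate error. The forward-confirmation step is an
    extra sanity check added by this example, not a requirement stated by AEM.
    """
    try:
        name, _aliases, _addresses = ptr_lookup(ip)
    except OSError as exc:
        return {"device": ip, "link_target": ip, "by_hostname": False,
                "reason": f"no PTR record ({exc})"}
    try:
        forward = forward_lookup(name)
    except OSError:
        return {"device": ip, "link_target": ip, "by_hostname": False,
                "reason": f"PTR name {name} has no A record"}
    if forward != ip:
        return {"device": ip, "link_target": ip, "by_hostname": False,
                "reason": f"{name} resolves to {forward}, not {ip}"}
    return {"device": ip, "link_target": name, "by_hostname": True,
            "reason": "PTR and forward lookups agree"}


def check_fleet(ips, **lookups):
    """Check every managed device; return (all results, those that will link by IP)."""
    results = [check_sso_link_target(ip, **lookups) for ip in ips]
    return results, [r for r in results if not r["by_hostname"]]


# Constructed DNS data standing in for the resolver so the demo runs offline.
_FAKE_PTR = {"192.0.2.10": "aed-01.example.net", "192.0.2.12": "aps-old.example.net"}
_FAKE_A = {"aed-01.example.net": "192.0.2.10", "aps-old.example.net": "192.0.2.99"}


def _fake_ptr(ip):
    if ip not in _FAKE_PTR:
        raise OSError(f"Unknown host {ip}")
    return _FAKE_PTR[ip], [], [ip]


def _fake_a(name):
    if name not in _FAKE_A:
        raise OSError(f"Name not known: {name}")
    return _FAKE_A[name]


def demo():
    """Three constructed devices: one correct, one with no PTR, one with a stale PTR."""
    return check_fleet(["192.0.2.10", "192.0.2.11", "192.0.2.12"],
                       ptr_lookup=_fake_ptr, forward_lookup=_fake_a)


if __name__ == "__main__":
    results, failing = demo()
    for r in results:
        status = "hostname" if r["by_hostname"] else "IP ADDRESS (certificate error expected)"
        print(f"{r['device']:>12} -> {r['link_target']:<22} links by {status}: {r['reason']}")
    print(f"{len(failing)} device(s) need a reverse DNS fix before single sign-on")
```

Running this against the real resolver before you bind devices tells you which PTR records to create, rather than finding out from a certificate warning on the Summary page.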

User accounts and SSH keys for single sign-on


When you connect a device to AEM, the bind command adds two new user accounts to
the managed device. The single sign-on process uses these accounts as follows:
n aem-admin — Users who belong to the system_admin group in AEM are logged in to
the managed device as aem-admin, with the same authorizations as the device’s
system_admin group. Administrators can access a managed device’s UI or CLI.
n aem-user — Users who belong to the system_user group in AEM are logged in to the
managed device as aem-user, with the same authorizations as the device’s system_user
group. System users can access a managed device’s UI only.

Administrators can view the aem-user account and aem-admin account in the managed
device’s UI or CLI.

The single sign-on also requires SSH keys for password-free access to the managed
device. The first time someone accesses the Device Console for a managed device, AEM
generates an SSH key pair and uploads the public key to the managed device. The SSH
keys are unique to each managed device.

About Configuration Data Synchronization with AEM


When you use AEM as a central management console, you create and manage the
configurations for multiple devices on AEM. When you configure server types, protection
groups, the outbound threat filter, filter lists, deny list, and allow list on AEM, AEM copies
those configurations to each managed device.

When you first connect a device to AEM, the applicable configurations on AEM are copied
to the device. Any existing configurations on the device are copied to AEM. Thereafter,
you make changes in AEM only. Periodically, the device checks AEM and obtains any
configuration changes that apply to that device. See “Configuring a Device for AEM
Management” on page 86.

For general information about device management, see “About Managing Devices from
AEM” on page 13.

Important
On a device that is managed by AEM, the ability to edit certain configurations is disabled.
These configurations include the server types, protection groups, filter lists, outbound
threat filter, deny list, allow list, and others. This restriction helps to avoid
synchronization issues between AEM and the managed device.


Viewing the synchronization status


In AEM, you can view the synchronization status for a specific device in the System
Information section on the Summary page. The possible statuses are as follows:
n Initial synchronization — A device is connected for the first time, and the initial
synchronization is in progress.
n Preparing configuration — The system is in the process of updating the current
configurations.
n Good — The configurations on the device match the configurations on AEM that apply
to the device.
n Out of sync — One or more of the configurations on AEM changed, and the device has
not yet received those changes.

Initial synchronization
When you first connect a device to AEM, the following items are copied from AEM to the
device:
n server types, both standard and custom
n protection groups, including the default protection group
n outbound threat filter
n global items in the inbound deny list and inbound allow list
n items in the outbound deny list and outbound allow list
n active alerts and expired alerts from the past two weeks

If the device contains local configurations, then the local configurations are copied to AEM
as follows:
n The local configurations are merged with the configurations on AEM.
See “Configuration merges during the initial synchronization” on the next page.
n If certain local configurations conflict with any of the configurations that were copied
from AEM, then those local configurations are duplicated on the device.
See “Initial synchronization of duplicate configurations” below.

Initial synchronization of duplicate configurations


During the initial synchronization of a device that has local configurations, a server type
or protection group on the device might conflict with one on AEM. These conflicts are
treated as follows:
n If the device and AEM contain a server type (standard or custom) with the same name,
then a copy of that server type is created on the device. The device name is appended
to the name of the server type copy. The original server type on the device is updated
with the configuration from AEM. Any protection groups that were associated with the
original server type are updated to be associated with the new server type.
n If the device and AEM contain a protection group with the same name, then a copy of
that protection group is created on the device. The copy of the protection group has
the same name as the original protection group, with the name of the device
appended to it. The original protection group on the device is updated with the
configuration from AEM.


Configuration merges during the initial synchronization


During the initial synchronization of a device that has local configurations, the local items
are merged with the items on AEM as described below.

Server type merges


Any local server types on the device are copied to AEM. These server types include any
duplicate server types that the device might have created to resolve conflicts with the
server types that it received from AEM. See “Initial synchronization of duplicate
configurations” on the previous page.

Important
After the initial data synchronization between the device and AEM, any custom server
type settings that do not have values are set to their default values.

Protection group merges


n The default protection group on AEM replaces the one on the device.
n Any local protection groups on the device are copied to AEM. These protection groups
include any duplicate protection groups that the device might have created to resolve
conflicts with the protection groups that it received from AEM. See “Initial
synchronization of duplicate configurations” on the previous page.

Outbound threat filter merge


The outbound threat filter on AEM replaces the one on the device.

Deny list merges and allow list merges


n The global items and protection group-specific items on the device that do not match
any items on AEM are copied to AEM.
n A global item on the device that matches a protection group-specific item on AEM
replaces the AEM item.
n A protection group-specific item on the device that matches a global item on AEM is
deleted.
n If an item from the device causes AEM to exceed its capacity, then the item is added to
AEM but disabled. The item appears on the deny list or allow list in the AEM UI, but it is
dimmed to indicate that it is disabled.
See “About the Capacity of the Deny List and Allow List” on page 170.
n Any CIDRs on the deny list or allow list on the device that overlap existing items on
AEM are copied to AEM but are not merged.
For example, assume that 192.0.2.0/16 is added to the deny list on the device and
192.0.2.0/24 is added to the deny list on AEM. Although the denied address on the
device includes the subnet of the denied address on AEM, the AEM deny list will
contain both items.
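The following Python script is an added example, not code from this guide or from AEM, that models the deny list and allow list merge rules listed above so that you can predict the resulting AEM list before you connect a device. The sample list items, protection group names and the capacity value are constructed. Treating capacity as a count of enabled items is an assumption of the model, as is the handling of a group-specific item on the device that matches a group-specific item for a different group on AEM (the model copies it, because the rules above do not cover that case).

```python
from ipaddress import ip_network

# Constructed sample lists (not taken from a real deployment). "scope" is either
# "global" or the name of the protection group the item is specific to.
AEM_ITEMS = [
    {"cidr": "192.0.2.0/24", "scope": "global"},
    {"cidr": "198.51.100.7/32", "scope": "web-servers"},
    {"cidr": "203.0.113.0/28", "scope": "global"},
]
DEVICE_ITEMS = [
    {"cidr": "192.0.2.0/16", "scope": "global"},         # overlaps 192.0.2.0/24 on AEM
    {"cidr": "198.51.100.7/32", "scope": "global"},      # global on device, group-specific on AEM
    {"cidr": "203.0.113.0/28", "scope": "dns-servers"},  # group-specific on device, global on AEM
    {"cidr": "203.0.113.64/32", "scope": "dns-servers"}, # new item
    {"cidr": "203.0.113.65/32", "scope": "dns-servers"}, # new item that exceeds capacity
]


def _net(cidr):
    # strict=False masks host bits instead of rejecting them, so 192.0.2.0/16
    # (the form used in the example above) is accepted and normalized to 192.0.0.0/16.
    return ip_network(cidr, strict=False)


def merge_device_list(aem_items, device_items, capacity):
    """Model of the merge rules. Returns (merged AEM list, notes).

    Each merged entry has cidr, scope and enabled. The capacity check counts
    enabled entries (an assumption of this model).
    """
    merged = [dict(item, enabled=True) for item in aem_items]
    notes = []
    for dev in device_items:
        dev_net = _net(dev["cidr"])
        same = [m for m in merged if _net(m["cidr"]) == dev_net]

        if dev["scope"] == "global" and any(m["scope"] != "global" for m in same):
            # A device global item that matches a group-specific AEM item replaces it.
            has_global = any(m["scope"] == "global" for m in same)
            for m in same:
                if m["scope"] != "global":
                    if has_global:
                        merged.remove(m)
                    else:
                        m["scope"] = "global"
                        has_global = True
            notes.append(f"{dev['cidr']}: device global item replaced group-specific AEM item")
            continue

        if dev["scope"] != "global" and any(m["scope"] == "global" for m in same):
            # A device group-specific item that matches a global AEM item is deleted.
            notes.append(f"{dev['cidr']} ({dev['scope']}): dropped, global AEM item covers it")
            continue

        if any(m["scope"] == dev["scope"] for m in same):
            continue  # identical item already on AEM

        # Overlapping (but not identical) CIDRs are copied, not merged: both stay.
        for m in merged:
            if _net(m["cidr"]).overlaps(dev_net):
                notes.append(f"{dev_net} overlaps {m['cidr']} on AEM; both kept, not merged")

        enabled = sum(1 for m in merged if m["enabled"]) < capacity
        if not enabled:
            notes.append(f"{dev_net}: added but disabled, AEM is at capacity ({capacity})")
        merged.append({"cidr": str(dev_net), "scope": dev["scope"], "enabled": enabled})
    return merged, notes


if __name__ == "__main__":
    merged, notes = merge_device_list(AEM_ITEMS, DEVICE_ITEMS, capacity=5)
    for m in merged:
        print(f"{m['cidr']:<18} {m['scope']:<12} {'enabled' if m['enabled'] else 'DISABLED'}")
    print("\n".join(notes))
```

The overlap notes are the ones to act on: an overlapping pair such as 192.0.0.0/16 and 192.0.2.0/24 is not wrong, but it consumes two capacity slots and is easy to leave behind when you consolidate configurations later.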

Consolidating the new configurations


After you connect each device, you might review AEM for configurations that you can
consolidate.

For example, if a device contains a protection group that is assigned to that device only,
then determine whether an existing protection group on AEM would serve the same
purpose. If so, then on AEM, unassign the device from the local protection group and
assign it to the protection group on AEM. Then delete the device-specific protection
group.

Subsequent synchronizations
Every minute, each managed device checks AEM for configuration changes and obtains
the changes that apply to that device. As in the initial synchronization, each device
obtains only the standard items, the global items, and the items that are specific to the
device. No configurations are copied from the device to AEM.

When you back up and restore AEM and a device, you must follow certain guidelines to
maintain the synchronization. See “How Restoring Backups Affects the AEM - Device
Synchronization” below.

Synchronization after a device is disconnected from AEM


If you disconnect a device from AEM and then reconnect it, the synchronization process
depends on the state of the device when you reconnect it:

Synchronization after a device is disconnected from AEM

Situation: A device that contains configuration data is reconnected to the same AEM.
This situation typically occurs when the communication between the device and AEM is
interrupted, either because you disconnect the device or because of some other
connection issue.
Synchronization process: The synchronization is the same as those that occur after the
initial synchronization. See “Subsequent synchronizations” above.

Situation: A device that contains no configuration data is reconnected to the same AEM.
This situation might occur when you return the device for a repair, during which the
configuration data is erased.
Synchronization process: The synchronization is the same as when you connect a device
for the first time. See “Initial synchronization” on page 91.

Situation: A device with or without configuration data is reconnected to a different AEM.
This situation might occur when you move the device to a different location in your
network or replace the original AEM.
Synchronization process: The synchronization is the same as when you connect a device
for the first time. Any configurations that the device obtained from the original AEM are
merged with the data from the new AEM. See “Initial synchronization” on page 91.

How Restoring Backups Affects the AEM - Device Synchronization
When you use AEM to manage devices (AED and APS), AEM periodically copies its
configuration data for a managed device to the managed device itself. When you back up
and restore AEM and a device, you must follow certain guidelines to maintain the data
synchronization.


Guidelines for restoring an AEM backup


Important
Restore an AEM backup only when all of the managed devices are disconnected. If you
restore AEM while the devices are connected, then during the next synchronization, AEM
sends the old data to the device.

Before you restore an AEM backup, follow these steps:


1. Disconnect each device that is connected to AEM as follows:
a. Log in to the UI of the device.
b. Select Administration > General.
c. On the Configure General Settings page, clear the Arbor Enterprise Manager box
and the Shared Secret box, and then click Save.
2. Restore the AEM backup. See “Restoring AEM from a Backup” on page 341.
Now the data on AEM is older than the data on the device.
3. Reconnect each device. The data is synchronized as follows:
n If AEM was backed up before the device was connected, then the synchronization
is the same as for a newly-connected device. AEM copies any configurations from
the device that postdate the backup. See “Initial synchronization” on page 91.
n If AEM was backed up after the device was connected, then the synchronization is
the same as for any periodic synchronization. The configurations are copied from
AEM to the device as appropriate. See “Subsequent synchronizations” on the
previous page.

Guidelines for restoring a device backup


When you run a device backup, the state of the connection between AEM and the device
determines how you must restore that backup.

Guidelines for restoring device backups

Backup scenario: You back up the device while it is connected to AEM.
How to restore the device: Restore the device backup as usual. During the next
synchronization, AEM updates the device.

Backup scenario: You back up the device before it is connected to AEM. Later, after the
device is connected to AEM, you need to restore the device backup.
How to restore the device:
1. Restore the device backup.
Now the device is no longer connected to AEM, because the backup does not include
the connection configuration. However, AEM still knows about the device.
2. Connect the device to AEM.
During the next synchronization, AEM updates the device.

Backup scenario: You back up the device while it is connected to AEM. Later, you
disconnect the device. For example, you might need to move the device or return it for
repair.
How to restore the device:
1. Restore the device backup.
2. Connect the device to AEM.
During the next synchronization, AEM updates the device.


Additional information about backups and data synchronization


For additional information, see the following topics:
n Backing up and restoring AEM — see “About AEM Backups” on page 339. Also see
“Restoring AEM from a Backup” on page 341.
n Connecting a device to AEM — see “Configuring a Device for AEM Management” on
page 86.
n The data synchronization — see “About Configuration Data Synchronization with AEM”
on page 90.

Setting the Protection Mode (Active or Inactive)


When an AED or APS device is installed in the inline deployment mode, you can run it in
one of the following protection modes:
n active — In addition to monitoring traffic and detecting attacks, the device mitigates
attacks.
n inactive — The device analyzes traffic and detects attacks without performing
mitigations. You can use the resulting information to set your policies for attack
detection and mitigation.
The inactive mode is most commonly used in trial implementations.

You can set the protection mode for an individual protection group or the outbound
threat filter without affecting any other traffic. For example, you can set a new protection
group to inactive mode for testing while keeping the device in active mode. See “Adding,
Editing, and Deleting Protection Groups” on page 220 and “Configuring the Outbound
Threat Filter” on page 121.

About changing the protection mode for multiple devices


When you use AEM to manage a device, you can set the protection mode for multiple
devices, as follows:
n By default, every device to which a protection group is assigned uses the protection
mode that you configure for that protection group. However, for a specific device, you
can override the protection group’s protection mode.
n For outbound traffic, all of the managed devices use the protection mode that is set for
the AEM outbound threat filter.


Viewing the current protection mode


You can view the current protection mode in the following places in the UI:

Protection mode type: Protection group
Where to view the protection mode: You can view the protection mode for a protection
group on the following pages:
n List Protection Groups (Protect > Inbound Protection > Protection Groups)
n View Protection Group

Protection mode type: Outbound threat filter
Where to view the protection mode: You can view the protection mode for the outbound
threat filter on the Outbound Threat Filter page (Protect > Outbound Protection >
Outbound Threat Filter).

Changing the protection mode for a protection group


A device mitigates traffic for an active protection group only when the system’s protection
mode is active.
To change the protection mode for a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click the name link of the protection group to edit.
3. On the View Protection Group page, in the header section, click Edit.
4. In Protection Group Mode, select Active or Inactive.
5. Click Save.

Changing the protection mode for the outbound threat filter


To change the protection mode for the outbound threat filter:
1. Select Protect > Outbound Protection > Outbound Threat Filter.
2. For Protection Mode, select Active or Inactive.
3. Click Save.

About the Protection Levels


The protection level defines the strength of protection that the device (AED or APS)
provides and the associated intrusiveness and risk of blocking clean traffic. The
protection levels are low, medium, and high.

The protection levels are associated with different protection settings. These settings
include those that are not user-defined, such as the invalid packets protection category.
When the protection level is set, the protection settings that are associated with that level
are enabled.

User access
Only administrators can change the protection level. Non-administrative users can view
the current protection level but cannot make changes.


About the different protection levels


The protection level determines which protection settings are in use at any given time.
For example, if the protection level is low, then the low protection settings are used to
inspect the current traffic. You can change the protection level as needed to mitigate
attacks. See “Changing the Protection Level” on page 238.

Initially, a device uses a global protection level, which applies to the entire device. You can
continue to use the global protection level, but you also can configure individual
protection levels for specific protection groups and the outbound threat filter. These
individual protection levels take precedence over the global protection level.

About the protection levels for protection groups and the outbound threat
filter
The protection level determines which protection settings are in use for a specific
protection group or the outbound threat filter. You might change the protection level for
a protection group or the outbound threat filter in the following situations:
n To respond to attacks and traffic spikes against one protection group without affecting
the traffic to the other protection groups.
n To respond to outbound threats without affecting the inbound traffic.
n To determine how different protection levels affect the traffic when you create a new
protection group or change the settings for an existing protection group.

You also can automate the protection level for a protection group. See “About protection
level automation” on page 225.

About the protection levels for the protection settings


For each of the protection settings, you can specify different values for the low, medium,
and high protection levels. The current protection level determines which of the settings
are used at any given time. For example, you might set conservative thresholds for the
low protection level and more aggressive thresholds for the medium and high protection
levels.

You also can leave the protection settings empty or disable one or more of the protection
levels. For example, you might disable a setting for the low protection level and then
enable it for the medium and high protection levels.

You configure the protection settings for multiple devices on the following pages:
n For inbound traffic — Configure Server Type page. Select Protect > Inbound Protection
> Server Type Configuration, and then click a server type name on the Server Type
page. See “Changing the Protection Settings for Server Types” on page 108.
n For outbound traffic — Outbound Threat Filter page. Select Protect > Outbound
Protection > Outbound Threat Filter. See “Configuring the Outbound Threat Filter” on
page 121.

Viewing the current protection level


Throughout the UI, the following icons represent the protection levels: global, low,
medium, and high. The current protection level is indicated by a check mark in the
corresponding icon.


You also can automate a protection group’s protection level. The following icons
represent the low automated protection level and the high automated protection level
(there is no medium automated protection level):

You can view the current protection level on the following pages:

Where you can view the protection level

Protection group, on the List Protection Groups page
    To the far right of the protection group name, a single icon indicates the protection
    group’s protection level. If the protection group uses the global protection level,
    then no icon appears.

Protection group, on the View Protection Group page
    The header area contains text that indicates the protection group’s protection level.
    When you edit a protection group, all of the protection level icons appear. The
    protection group’s current protection level is checked, and you can click an icon to
    change the protection level.

Outbound threat filter, on the Outbound Threat Filter page
    The header area contains text that indicates the outbound threat filter’s protection
    level. When you edit the outbound threat filter, all the protection level icons appear.
    The outbound threat filter’s current protection level is checked, and you can click an
    icon to change the protection level.

Balancing protection and risk


The risk of blocking clean traffic increases with the level of protection. Generally, you
should set the protection level to low. Reserve the medium and high levels for use during
attack conditions.
The following table describes when to use the different protection levels and the levels of
protection and risk that are associated with each one:

Levels of protection and risk

Low (use under normal conditions)
    This level is the safest but it offers the least protection.
    • Only low-risk traffic is blocked.
    • There is no tolerance for false positives.

Medium (use during a significant attack that is unusual)
    The protection settings are stricter. Clean traffic might be blocked.

High (use during a heavy attack)
    This level provides the most aggressive protection but it carries risks. Blocking some
    clean traffic is acceptable as long as most of the hosts are protected.

For protection groups, you can automate the protection level. When you automate the
protection level, AED and APS use a total traffic threshold to determine when to change
the protection level from low to high. See “About protection level automation” on
page 225.

Recommended protection levels for protection settings


Your protection settings at the low level should protect your network against the majority
of attacks without blocking any clean traffic. If a large number of attacks are passed
through, then you might need to configure more aggressive thresholds at the low level.
Conversely, if too much clean traffic is blocked, then you might need to configure more
conservative thresholds at the low level. As you use the device and review the traffic
information that it provides, you can refine the settings to provide an acceptable balance
between protection and risk.

Deleting Offline Devices


You can delete a managed device from AEM by using the Delete button on the Summary
page. A device becomes eligible for deletion when it goes down or when someone
disconnects (unbinds) it from AEM. In either case, “Offline” appears in the Uptime column
for that device on the Summary page. If the device remains offline for several minutes,
then a Delete button appears at the far right of that device’s row.

Caution
When you delete a device, the device is removed from AEM and all of its alerts and
protection groups are deleted from AEM.

The deletion does not affect the managed device itself or any of the alerts or protection
groups on that device.

To completely disconnect a managed device from AEM, use the unbind command. See
“Disconnecting a managed device” on page 88.

Deleting an offline device from AEM


To delete a device:
1. Select the Summary menu.
2. On the Summary page, in the System Information section, click the Delete button that
appears next to the offline device.
3. In the confirmation message that appears, click OK.
4. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Section 8:
Managing Shared Server Types

This section describes how to configure and manage the server types that determine
which protection settings are available for each protection group. On AEM, you can
manage the server types for multiple AED devices or APS devices. You also can add and
delete server types on AEM.

In this section
This section contains the following topics:

About the Server Types 101
Viewing Server Types 105
Adding and Deleting Custom Server Types 106
Changing the Protection Settings for Server Types 108
About Traffic Profiling for Protection Configuration 110
Starting Traffic Profiles from AEM 112
Using Traffic Profile Data to Configure Protection Settings 114
Restoring the Default Protection Settings 115

About the Server Types


The server type determines which protection settings are available for a protection group
and which application-specific data AED or APS collects and displays for that group. Each
protection group is associated with a server type; multiple protection groups can be
associated with the same server type.

AED and APS provide multiple predefined, standard server types for IPv4 hosts and one
standard server type for IPv6 hosts. These standard server types offer protection settings
that cover most situations. You can create multiple custom server types based on the
standard server types.

You can add a maximum of 200 custom server types on an AED or APS device.

Navigating to the server types page


You add, edit, and delete the server types on the Configure Server Type page. Select
Protect > Inbound Protection > Server Type Configuration, and then click a server type
name on the Server Type page. See “Adding and Deleting Custom Server Types” on
page 106 and “Changing the Protection Settings for Server Types” on page 108.

About managing the server types from AEM


When you first connect a device to AEM, the server types on AEM are copied to the device.
Any existing server types on the device are copied to AEM. Thereafter, you make changes
in AEM only. Periodically, the device checks AEM and obtains any server type changes that
apply to that device.

For a server type to be copied to a managed device, that server type must be associated
with a protection group that is assigned to that device.
See “About Configuration Data Synchronization with AEM” on page 90.

About the standard server types


The standard server types on which the custom server types are based are as follows:
• Generic Server
  The generic server type contains all of the protection settings and is associated with
  the default protection group.
• Web Server
• DNS Server
• Mail Server
• VoIP Server
• VPN Server
• RLogin Server (remote login)
• File Server
• Generic IPv6 Server

About the custom server types


You create custom server types on the Server Types page. The custom server types allow
you to configure different protection settings for similar types of servers. For example,
you can add a custom server type to protect specific DNS servers with settings that differ
from the standard DNS Server settings.

You can associate a custom server type with any custom protection group. See “Adding,
Editing, and Deleting Protection Groups” on page 220.

Examples of how you can use custom server types are as follows:
• Different content
  Your organization might have one HTTP server that serves standard web pages,
  another that serves video, and another with a heavy AJAX interaction. Some of the
  HTTP-related protection categories, such as HTTP Rate Limiting, might not apply to all of
  those servers. You can create a custom server type with the appropriate protection
  settings for each of these HTTP servers.
• Different traffic rates
  An excessive amount of inbound traffic and connections for one server might be
  normal for another server. In such cases, setting appropriate thresholds for the rate-
  based protection categories can be difficult. You can create custom server types that
  are configured for different traffic rates.
• Separate server ownership
  In some organizations, different web servers can fall under completely separate
  ownership structures, in which different people are responsible for the availability of
  the web service. You can create custom server types with separate protection settings
  for separately owned servers.

Available protection settings for IPv4 standard server types


Certain protection settings are available for all of the IPv4 standard server types. Other
settings include application-specific behavior and are available only for the server type
that is associated with the application. For example, the HTTP Rate Limiting settings are
available for a Web Server but not for a DNS Server.

The categories of protection settings that are available for the IPv4 standard server types
are as follows:
Note
An * (asterisk) indicates that the protection category is also available for the Generic
IPv6 Server type.

Available protection settings for the IPv4 standard server types

The eight IPv4 standard server types are Generic Server, DNS Server, File Server, Mail
Server, RLogin Server, VoIP Server, VPN Server, and Web Server.

ATLAS Intelligence Feed: all eight server types
Application Misbehavior: six of the eight server types
Block Malformed DNS Traffic*: Generic Server and DNS Server
Block Malformed SIP Traffic: Generic Server and VoIP Server
Botnet Prevention: three of the eight server types
CDN and Proxy Support: two of the eight server types
DNS Authentication*: Generic Server and DNS Server
DNS NXDomain Rate Limiting*: Generic Server and DNS Server
DNS Rate Limiting*: Generic Server and DNS Server
DNS Regular Expression*: Generic Server and DNS Server
Filter List*: all eight server types
Flexible Rate-based Blocking*: all eight server types
Fragment Detection: all eight server types
HTTP Header Regular Expressions: four of the eight server types
HTTP Rate Limiting: four of the eight server types
HTTP Reporting: three of the eight server types
ICMP Flood Detection: all eight server types
IP Location Policing (1): all eight server types
Malformed HTTP Filtering: three of the eight server types
Multicast Blocking: all eight server types
Payload Regular Expression*: all eight server types
Private Address Blocking: all eight server types
Rate-based Blocking*: all eight server types
SIP Request Limiting: Generic Server and VoIP Server
Spoofed SYN Flood Prevention*: all eight server types
STIX Feeds: all eight server types
TCP Connection Limiting*: four of the eight server types
TCP Connection Reset*: all eight server types
TCP SYN Flood Detection: all eight server types
TLS Attack Prevention: five of the eight server types
Traffic Shaping*: all eight server types
UDP Flood Detection: all eight server types

1. The IP Location Policing settings must be configured on a managed device instead of on AEM.

Viewing Server Types


The Server Types page displays the server types that are shared by the AED and APS
devices that are under AEM management. Use the Server Types page to view information
about the server types, edit and manage existing server types, and create new custom
server types.

For general information about the server types, see “About the Server Types” on
page 101.

For information about editing the server types, see “Adding and Deleting Custom Server
Types” on the next page and “Changing the Protection Settings for Server Types” on
page 108. On a device that is managed by AEM, these functions are disabled.

Viewing the server types


To view the server types:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. (Optional) On the Server Types page, filter the list of servers. In the search box, type a
search string in any of the following ways, and then click Search.
   • Type all or part of a server type name, base type name, or protection group name.
   • Type multiple search strings in any combination, using commas to separate
     multiple entries.
   • Include a wildcard character: an underscore (_) matches any one character, and a
     percent symbol (%) matches any number of characters. For example, to find “DNS
     Server”, you could type dns, _ns, or d%.
3. To view or edit the protection settings for a particular server type, click the server
type’s name link.
For information about the specific protection settings, see the topics under
“Configuring the Protection Settings” on page 117.

Information on the Server Types page


The Server Types page contains the following information for each server type:

Information on the Server Types page

Name
    Displays the server type’s name as a link that allows you to open the Configure Server
    Type page. There, you can view and edit the server type information. See “Changing the
    Protection Settings for Server Types” on page 108.

(context menu)
    Appears when you hover your mouse pointer over a server type name. Click to display
    the following options:
    • Restore Defaults — Restores the selected server type’s protection settings to their
      default values.
      When you restore the protection settings for a server type, it affects all of the
      protection groups that are associated with that server type. See “Restoring the
      Default Protection Settings” on page 115.
    • Duplicate — Creates a custom server type that inherits the protection settings from
      the selected server type. See “Duplicating an existing server type” on the next page.
    • Delete — (Custom server types only) Deletes the selected server type for all of the
      managed devices with which it is associated.
      Caution
      When you delete a server type, all of the protection groups that are associated with
      that server type are deleted. See “Deleting a custom server type” on page 108.
    • Profile Capture — Allows you to start or stop a traffic profile on any of the managed
      devices that are associated with the server type. See “Starting Traffic Profiles from
      AEM” on page 112.

Base Type
    Indicates the standard server type on which a custom server type is based. The base
    server type name appears as a link to the Configure Server Type page, where you can
    view and edit the base server type.

Last Modified
    Indicates the last time the server type was edited, which allows you to identify recent
    configuration changes.

In Use By
    Displays the protection groups that use this server type.
    If multiple protection groups are associated with the server type, then this column
    displays the number of groups. You can display a list of those protection groups by
    hovering your mouse pointer over the displayed number. You can click a protection
    group’s name link to display the View Protection Group page for that protection group.

Adding and Deleting Custom Server Types


Custom server types allow you to configure different protection settings for similar types
of servers. For example, you can add a custom server type to protect specific DNS servers
with settings that differ from the standard DNS Server settings. When you create a new
server type, it inherits the protection settings from the existing server type on which it is
based. You can edit the settings as necessary for the new server type.

For general information about the server types, see “About the Server Types” on
page 101.

About managing protection settings from AEM


When you manage AED and APS devices with AEM, you configure the server types in AEM
and those configurations are copied to the appropriate managed devices. The exception
is IP location policing, which must be configured on the managed device (AED only).

Adding a custom server type


Use this procedure to create a custom server type that inherits the protection settings
from one of the standard server types.
You can add a maximum of 200 custom server types on an AED or APS device.

To add a custom server type:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Server Types page, under Add A New Server Type, define the server type as
   follows:
   Server Type Name box
       Type a name to identify the server type throughout the UI.
   Base Server Type list
       Select the server type on which to base the new server type.
3. Click Add Server Type.
4. (Optional) To edit the protection settings, follow these steps:
a. Go to the Configure Server Type page by clicking the Edit settings link in the
confirmation message that appears at the top of the page. You also can click the
name link for the new server type in the list on the Server Types page.
b. Edit the protection settings.
For information about the specific protection settings, see the topics under
“Configuring the Protection Settings” on page 117.
c. Click Save.

Duplicating an existing server type


Use this procedure to create a custom server type that inherits the protection settings
from any standard server type or custom server type.
To duplicate a server type:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Server Types page, click (context menu) next to the server type to duplicate,
and then select Duplicate.
3. In the Server Type Name box, type a name to identify the server type throughout the
   UI.
4. (Optional) To edit the protection settings, follow these steps:
a. Go to the Configure Server Type page by clicking the Edit settings link in the
confirmation message that appears at the top of the page. You also can click the
name link for the new server type in the list on the Server Types page.
b. Edit the protection settings.
For information about the specific protection settings, see the topics under
“Configuring the Protection Settings” on page 117.
c. Click Save.

Deleting a custom server type


You can delete custom server types. You cannot delete standard server types.

Caution
When you delete a server type, all of the protection groups that are associated with that
server type are deleted. Any IPv4 prefixes that the deleted protection group protected
are assigned to the default protection group unless they are included in another
protection group.

To delete a custom server type:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Server Types page, click (context menu) next to the server type to delete,
   and then select Delete.
3. In the confirmation message that appears, select Delete.

Changing the Protection Settings for Server Types


The protection settings are the criteria by which AED and APS define clean traffic and
attack traffic. The default protection settings provide protection from the most common
types of DDoS attacks. These attacks include TCP stack attacks, host or pipe flooding,
fragmentation attacks, resource exhaustion, connection state attacks, botnet attacks, and
vulnerability exploits.

You can customize these settings to provide more directed protection for specific server
types, both standard and custom. If necessary, you can restore a particular server type’s
protection settings to their default values. See “Restoring the Default Protection Settings”
on page 115.

For information about the protection categories and suggestions for when to change the
protection settings, see “About the Protection Settings Configuration” on page 118. For
general information about the server types, see “About the Server Types” on page 101.

About managing protection settings from AEM


When you manage AED and APS devices with AEM, you configure the server types in AEM
and those configurations are copied to the appropriate managed devices. The exception
is IP location policing, which must be configured on the managed device (AED only).

Navigating to the protection settings


The Configure Server Type page allows you to change the protection settings for each of
the protected server types.

To access the Server Types page, select Protect > Inbound Protection > Server Type
Configuration.

How changes affect the protection groups


When you add a protection group, you associate it with a server type. The protection
group inherits the protection settings for that server type. If you change the protection
settings for a server type, then the change applies to all of the protection groups that
have the same server type. For example, if you change the Web Server settings, then
those settings apply to all of the Web Server protection groups.

About traffic profiling for more accurate settings


AED and APS can simplify the configuration of certain rate-based protection settings by
suggesting values that are appropriate for your network. To determine these values, AED
and APS profile your network by capturing statistical data about its traffic.

See “About Traffic Profiling for Protection Configuration” on the next page.

About traffic profiling on multiple devices


You can profile your network traffic on managed devices to capture statistical data about
certain types of traffic. This profile data can help to configure protection settings that are
optimized for your server types. If a managed device contains profile data, then you can
use this data as a guide when you configure the protection settings on AEM. See “Using
Traffic Profile Data to Configure Protection Settings” on page 114.

Configuring the protection settings


For information about the specific protection settings, see “About the Protection Settings
Configuration” on page 118.

To configure the protection settings for a server type:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. (Optional) On the Server Types page, filter the list of servers. In the search box, type a
   search string in any of the following ways, and then click Search.
   • Type all or part of a server type name, base type name, or protection group name.
   • Type multiple search strings in any combination, using commas to separate
     multiple entries.
   • Include a wildcard character: an underscore (_) matches any one character, and a
     percent sign (%) matches any number of characters. For example, to find “DNS
     Server”, you could type dns, _ns, or d%.
3. In the Server Type list, click the name link of the server type to edit.
4. Edit the protection settings as follows:
a. From the list on the left side of the page, select a protection category to display
the settings in that category.
b. Edit the settings as needed.
If (View profile) appears next to a setting, then you can use profile data to help you
configure the appropriate values for that setting. See “Viewing and Tuning Individual
Protection Settings” or “Viewing and Tuning Protection Settings by Server Type” in the
AED or APS User Guide.
5. Click Save.
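The Server Types page filter described in step 2 here and in “Viewing the server types” (comma-separated search strings, underscore and percent wildcards, matching against server type, base type, and protection group names) can be emulated as follows. This is an added example, not AEM code: the inventory and protection group names are constructed, and case-insensitive substring matching is an assumption consistent with the page’s example of dns finding “DNS Server”.

```python
import re
from dataclasses import dataclass, field
from typing import List, Pattern


@dataclass
class ServerType:
    """One row of the Server Types page (constructed, not product data)."""
    name: str
    base_type: str
    protection_groups: List[str] = field(default_factory=list)


def wildcard_to_regex(term: str) -> Pattern[str]:
    """Translate one search term into a compiled regular expression.

    As the Server Types page documents, '_' matches exactly one character and
    '%' matches any number of characters. Every other character is escaped so
    that regex metacharacters a user types are matched literally rather than
    interpreted. Matching is case-insensitive and unanchored (substring), an
    assumption consistent with 'dns' finding 'DNS Server'.
    """
    parts = []
    for ch in term:
        if ch == "_":
            parts.append(".")
        elif ch == "%":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def parse_search_terms(search: str) -> List[str]:
    """Split a comma-separated search string into non-empty, trimmed terms."""
    return [t.strip() for t in search.split(",") if t.strip()]


def server_type_matches(st: ServerType, pattern: Pattern[str]) -> bool:
    """A term may match the name, the base type name, or any protection group name."""
    candidates = [st.name, st.base_type, *st.protection_groups]
    return any(pattern.search(c) for c in candidates)


def filter_server_types(server_types: List[ServerType], search: str) -> List[ServerType]:
    """Return the server types matching any of the terms (terms are OR-ed).

    An empty search leaves the list unfiltered, since the filter step is optional.
    """
    patterns = [wildcard_to_regex(t) for t in parse_search_terms(search)]
    if not patterns:
        return list(server_types)
    return [st for st in server_types
            if any(server_type_matches(st, p) for p in patterns)]


# Constructed inventory: standard types plus two custom types, with the
# hypothetical protection groups that use them.
INVENTORY = [
    ServerType("Generic Server", "Generic Server", ["Default Protection Group"]),
    ServerType("DNS Server", "DNS Server", ["Authoritative DNS"]),
    ServerType("Web Server", "Web Server", []),
    ServerType("Video HTTP", "Web Server", ["Streaming Front Ends"]),
    ServerType("Internal Resolvers", "DNS Server", ["Corp Resolvers"]),
]


def matching_names(search: str) -> List[str]:
    """Convenience wrapper returning only the matching server type names."""
    return [st.name for st in filter_server_types(INVENTORY, search)]


if __name__ == "__main__":
    for query in ("dns", "_ns", "d%", "video, streaming", "(", ""):
        print(f"{query!r:20} -> {matching_names(query)}")
```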

About Traffic Profiling for Protection Configuration


AED and APS can simplify the configuration of certain rate-based protection settings by
suggesting values that are appropriate for your network. To determine these values, AED
and APS profile your network by capturing statistical data about its traffic.

You can use the profile data in the following ways:
• To estimate how much traffic would be passed at different thresholds and protection
  levels.
• To configure protection settings that are optimized for your server types.
• To configure the protection settings on AEM, based on the guidance provided by the
  traffic profiles on your managed devices.

You can start a profile capture from AED, APS, or AEM. However, the profile capture
always runs on the managed device, even when you start the capture from AEM.

Important
On a device that is managed by AEM, you can capture profiles and tune the protection
settings. However, the ability to save the tuning settings or configure any protection
settings on a managed device is disabled. You configure the protection settings in AEM
only. See “Using Traffic Profile Data to Configure Protection Settings” on page 114.

What type of traffic is profiled?


The profile capture examines the traffic for selected server types and protection groups,
and then captures statistical data about that traffic. (See “Which protection settings are
profiled?” on the next page.)

The device and page from which you start the profile capture determine what type of
traffic is profiled, as follows:

Types of profiled traffic

List Protection Groups page on an unmanaged device
    Traffic for the hosts in one or more of the selected protection groups.

Configure Server Type page on an AED or APS, either managed or unmanaged
    Traffic for the hosts in a protection group that is associated with the selected server
    type. If you run a profile capture on a single managed device, then only the traffic on
    that device is profiled. However, when you update the protection settings on AEM, AEM
    copies them to any managed devices that are assigned to the profiled protection group.

Server Types page on AEM (for managed devices)
    Traffic for the hosts in a protection group that is associated with the selected server
    type. The capture runs on all of the managed devices that are assigned to the protection
    group.

Workflow for capturing traffic profiles


The following table lists the general steps for capturing and viewing the traffic profiles
from AEM.

Capturing traffic profiles from AEM

1. In AEM, on the Server Types page, start the profile capture for a specific server type.
   See “Starting Traffic Profiles from AEM” on the next page.

2. After the capture ends, log in to a managed device and review the results on the
   Configure Server Type page. See the following topics in the AED or APS User Guide:
   • “Viewing and Tuning Protection Settings by Server Type”
   • “Viewing and Tuning Individual Protection Settings”

3. Return to AEM and update the rate-based protection settings based on the values that
   are recommended by the profile. You perform this task in AEM because the ability to
   edit the settings on a managed device is disabled. See “Using Traffic Profile Data to
   Configure Protection Settings” on page 114.

What is tuning?
Tuning the protection settings consists of the following actions:
• Viewing the profile results to see the recommended protection settings and learning
  how they might affect the passed traffic.
• (Optional) Trying different values in the settings to see their effect on passed traffic
  without committing those changes.

When you finish the tuning for one or more protection settings, you save the new values
to optimize those settings for your network.
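The tuning workflow just described, and the earlier point that profile data lets you estimate how much traffic would be passed at different thresholds and protection levels, can be illustrated with a small model. This is an added example, not AED, APS or AEM code: the per-source peak pps profile is constructed, the rule that each protection level takes its suggested Packets per Second Threshold from a percentile of the profile is a hypothetical stand-in for the product’s recommendation logic, and the preview step shows a trial value being evaluated without being committed to the settings.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed profile data (not real capture output): peak packets per second
# observed from each source host during a hypothetical Web Server profile
# capture. Rate-based Blocking compares each source against the Packets per
# Second Threshold, so one sample stands for one source host.
PROFILE_PEAK_PPS: List[int] = [
    120, 135, 140, 150, 155, 160, 170, 180, 190, 200,
    210, 220, 240, 260, 300, 350, 420, 600, 900, 1500,
]

# Assumption for this illustration, not the product's algorithm: each protection
# level takes its suggested threshold from a percentile of the profile, so the
# low level tolerates the most traffic and the high level blocks the most.
LEVEL_PERCENTILES: Dict[str, float] = {"low": 99.0, "medium": 95.0, "high": 90.0}


@dataclass(frozen=True)
class TuningEstimate:
    """Effect of one candidate threshold on the profiled sources."""
    level: str
    threshold_pps: int
    passed_sources: int
    blocked_sources: int

    @property
    def passed_fraction(self) -> float:
        total = self.passed_sources + self.blocked_sources
        return self.passed_sources / total if total else 0.0


def percentile_nearest_rank(samples: List[int], pct: float) -> int:
    """Nearest-rank percentile: the smallest sample at or above pct % of the data."""
    if not samples:
        raise ValueError("profile contains no samples")
    if not 0 < pct <= 100:
        raise ValueError("percentile must be in (0, 100]")
    ordered = sorted(samples)
    rank = math.ceil(pct * len(ordered) / 100)  # 1-based rank
    return ordered[rank - 1]


def suggested_threshold(samples: List[int], level: str) -> int:
    """Threshold the profile would recommend for a protection level (hypothetical rule)."""
    return percentile_nearest_rank(samples, LEVEL_PERCENTILES[level])


def estimate_at_threshold(samples: List[int], level: str, threshold: int) -> TuningEstimate:
    """How many profiled sources would pass (at or below threshold) versus be blocked."""
    passed = sum(1 for s in samples if s <= threshold)
    return TuningEstimate(level, threshold, passed, len(samples) - passed)


@dataclass
class RateBasedSettings:
    """The committed Packets per Second Threshold for each protection level."""
    pps_threshold: Dict[str, Optional[int]] = field(
        default_factory=lambda: {"low": None, "medium": None, "high": None})

    def preview(self, samples: List[int], level: str, candidate: int) -> TuningEstimate:
        """Try a value without committing it: the settings object is left unchanged."""
        return estimate_at_threshold(samples, level, candidate)

    def commit(self, level: str, value: int) -> None:
        """Save the tuned value; per the page this step is done in AEM, not on the device."""
        if value <= 0:
            raise ValueError("threshold must be positive")
        self.pps_threshold[level] = value


def tune_all_levels(samples: List[int]) -> Dict[str, TuningEstimate]:
    """Estimate passed/blocked sources at the suggested threshold of every level."""
    return {lvl: estimate_at_threshold(samples, lvl, suggested_threshold(samples, lvl))
            for lvl in LEVEL_PERCENTILES}


if __name__ == "__main__":
    for est in tune_all_levels(PROFILE_PEAK_PPS).values():
        print(f"{est.level:6} threshold={est.threshold_pps:5} pps "
              f"passed={est.passed_sources:2} blocked={est.blocked_sources:2} "
              f"({est.passed_fraction:.0%} of sources pass)")
    settings = RateBasedSettings()
    trial = settings.preview(PROFILE_PEAK_PPS, "medium", 400)
    print(f"trial medium=400 pps would block {trial.blocked_sources} sources")
    settings.commit("medium", trial.threshold_pps)
```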

Which protection settings are profiled?


AED and APS capture profile data for a server type’s rate-based protection settings. When
you start a profile capture, the managed device temporarily applies the appropriate
maximum values for these rate-based protection settings to obtain accurate results.
However, the values that the managed device applies do not appear in the fields on the
Configure Server Type page. Those fields still contain the values that were set previously.

Profiled rate-based protection settings

DNS NXDomain Rate Limiting
    DNS NXDomain Rate Limit
    See “DNS NXDomain Rate Limiting Settings” on page 132.

DNS Rate Limiting
    DNS Query Rate Limit
    See “DNS Rate Limiting Settings” on page 133.

Flexible Rate-based Blocking
    Bits per Second Threshold
    Packets per Second Threshold
    Filters
    See “Flexible Rate-based Blocking Settings” on page 134.

Fragment Detection
    Maximum bps
    Maximum pps
    See “Fragment Detection Settings” on page 136.

HTTP Rate Limiting
    HTTP Request Limit
    HTTP URL Limit
    See “HTTP Rate Limiting Settings” on page 137.

ICMP Flood Detection
    Maximum bps
    Maximum pps
    See “ICMP Flood Detection Settings” on page 139.

Rate-based Blocking
    Bits per Second Threshold
    Packets per Second Threshold
    See “Rate-based Blocking Settings” on page 144.

SIP Request Limiting
    SIP Source Limit
    See “SIP Request Limiting Settings” on page 145.

UDP Flood Detection
    Maximum bps
    Maximum pps
    See “UDP Flood Detection Settings” on page 155.

Starting Traffic Profiles from AEM


You can profile your network on managed devices to capture statistical data about your
network traffic. This profile data can help to configure protection settings that are
optimized for your server types. For details, see “About Traffic Profiling for Protection
Configuration” on page 110.

On AEM, you start profile captures from the Server Types page. However, the profile
captures always run on the managed device. Because you cannot configure protection
settings on a managed device, you return to AEM to configure the settings.

Caution
While a profile capture is in progress, the managed device does not block any traffic for
the profiled server type’s rate-based protection settings.

Caution
In AEM, avoid editing the settings for a server type that is being profiled on a managed
device. Otherwise, during the next synchronization with AEM after the capture ends, the
managed device will receive the updated settings, which can make your profile data
obsolete.

Capturing traffic profiles


To start a profile capture from AEM:
1. Select Protect > Inbound Protection > Server Types.
2. On the Server Types page, hover your mouse pointer over the name of a server type,
and then click (context menu).
3. In the context menu, select Profile Capture.
The Profile Capture option is available only if a server type is associated with a
protection group that has at least one device assignment.
4. In the Profile Capture window, select the check boxes for one or more managed
devices to profile.
5. To specify the duration of the capture, move the Length of capture slider. You can
specify from 1 day to 14 days.
If a profile capture is in progress, then the status of the capture is shown next to the
selected device names in the Stop Capture section.
6. Click Start.
7. To close the Profile Capture window, click Close.

The profile capture runs in the background on the selected managed devices for the
specified duration.

Stopping a profile capture


You can stop a profile capture at any time. To determine whether a capture is running for
a specific server type, you can view the capture status.

Caution
If you stop a profile capture prior to its completion, then the partial data that was
captured might provide inaccurate results.

To stop a profile capture from AEM:
1. Select Protect > Inbound Protection > Server Types.
2. On the Server Types page, hover your mouse pointer over the name of a server type,
and then click (context menu).
3. In the context menu, select Profile Capture.
The Profile Capture option is available only if a server type is associated with a
protection group that has at least one device assignment.
4. In the Profile Capture window, select the managed devices on which to stop the
capture, and then click Stop.
5. To close the Profile Capture window, click Close.


Viewing the status of profile captures in AEM


To view the status of the profile captures:
1. In AEM, select Protect > Inbound Protection > Server Types.
2. On the Configure Server Type page, hover your mouse pointer over the name of a
server type, and then click (context menu).
3. In the context menu, select Profile Capture.
The Profile Capture option is available only if a server type is associated with a
protection group that has at least one device assignment.
4. The Profile Capture window indicates whether a profile capture is running on any of
the devices that are assigned to the profiled protection group and server type.

You also can view the profile status on the managed devices. See “Viewing the status of
profile captures” in the AED or APS User Guide.

Using Traffic Profile Data to Configure Protection Settings


After you run a profile capture on a managed device, you can view the profile data on the
Configure Server Type page on that device. For each of the protection settings that the
device profiles, you can view the data that was measured during the most recent profile
capture. The data represents the profiled server type and the protection groups that are
associated with that server type.

You can use the profile data in the following ways:


• To estimate how much traffic would be passed at different thresholds and protection
levels.
• To configure protection settings that are optimized for your server types.
• To configure the protection settings on AEM, based on the guidance provided by the
traffic profiles on your managed devices.

See the following topics:


“Starting Traffic Profiles from AEM” on page 112

“Which protection settings are profiled?” on page 111

Important
On a device that is managed by AEM, you can capture profiles and tune the protection
settings. However, the ability to save the tuning settings or configure any protection
settings on a managed device is disabled. You configure the protection settings in AEM
only.

About the recommended settings for managed devices


The profile captures always run on the managed device, even when you initiate a capture
from AEM. However, the device from which you start the profile capture determines the
settings that the profile recommends, as follows:
• A profile that you capture from a managed device recommends settings that are
unique to that device.
• A profile that you capture from AEM recommends settings for one or more managed
devices that are assigned to the profiled protection group and its associated server
type.

Underblocking or overblocking can occur in the following situation:

• You apply the recommended settings for a server type on a managed device to the
same server type on AEM, and
• on AEM, that server type is associated with a protection group that is assigned to
multiple managed devices.

Viewing and using the traffic profile data


The profile data is visible on the managed devices only. However, you can open the
Configure Server Type page on the managed device from AEM.

To view the profile data and use it to configure protection settings:


1. On AEM, select Protect > Inbound Protection > Protection Groups.
2. To view the managed devices that are assigned to a protection group, click
(expand) to the left of a protection group name.
3. Click the name of the device on which you want to view the profile data.
4. Log in to the device.
5. On the managed device, select Protect > Inbound Protection > Server Type
Configuration.
6. Follow the procedure in either of the following topics in the AED or APS User Guide:
• To tune all of the settings for the server type on one screen, see “Viewing and
Tuning Protection Settings by Server Type”.
• To tune each of the settings in its own profile window, see “Viewing and Tuning
Individual Protection Settings”.
7. Review the suggested protection settings that appear in the profile window to
configure the corresponding settings in AEM. You might want to leave the AED or APS
window open or otherwise record the settings.
8. Go back to AEM and select Protect > Inbound Protection > Server Types.
9. On the Server Types page, click the name link for the server type that you want to
configure. Then edit the protection settings as recommended in the profile on the
managed device.

Restoring the Default Protection Settings


You can change the protection settings for any standard server type or custom server
type. You also can restore a particular server type’s protection settings to its default
values.

Important
On a device that is managed by AEM, these functions are disabled.

When you restore the protection settings for a server type, it affects each protection
group that is associated with that server type. If a protection group in AEM is assigned to
one or more managed devices, then the server type changes affect each assigned device.


Restoring the protection settings affects the standard server types and custom server
types as follows:
• When you restore the protection settings for a standard server type, the settings for
any related custom server types are not affected.
• When you restore the protection settings for a custom server type, the settings are
returned to the default settings of the base server type. Any changes that might have
been made to the base server type’s settings are not applied to the custom server type.

Caution
You cannot undo the restoration.

To restore the default protection settings:


1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Server Type page, click (context menu) next to the server type for which you
want to restore settings, and then select Restore Defaults.
3. In the confirmation window, click OK.
4. To view the restored protection settings, click the server type’s name link to open the
Configure Server Type page.

For general information about the server types, see “About the Server Types” on page 101
and “Adding and Deleting Custom Server Types” on page 106.


Section 9:
Configuring the Protection Settings

The protection settings are the criteria by which AED and APS define clean traffic and
attack traffic. You configure the protection settings to define how AED and APS identify
and block malicious traffic at each protection level.

In AEM, you can configure the protection settings for multiple AED and APS devices.

In this section
This section contains the following topics:

About the Protection Settings Configuration 118


About the Outbound Threat Filter 119
Configuring the Outbound Threat Filter 121
Validating the Outbound Threat Filter Configuration 122
Application Misbehavior Settings 125
ATLAS Intelligence Feed Settings 125
Block Malformed DNS Traffic Settings 128
Block Malformed SIP Traffic Settings 129
Botnet Prevention Settings 129
CDN and Proxy Support Settings 131
DNS Authentication Settings 131
DNS NXDomain Rate Limiting Settings 132
DNS Rate Limiting Settings 133
DNS Regular Expression Settings 134
Flexible Rate-based Blocking Settings 134
Fragment Detection Settings 136
HTTP Header Regular Expressions Settings 137
HTTP Rate Limiting Settings 137
HTTP Reporting Settings 138
ICMP Flood Detection Settings 139
Malformed HTTP Filtering Settings 140
Multicast Blocking Settings 140
Payload Regular Expression Settings 141
Private Address Blocking Settings 143
Rate-based Blocking Settings 144
SIP Request Limiting Settings 145
Spoofed SYN Flood Prevention Settings 146
STIX Feeds Settings 149


TCP Connection Limiting Settings 149


TCP Connection Reset Settings 150
TCP SYN Flood Detection Settings 151
TLS Attack Prevention Settings 153
Traffic Shaping Settings 154
UDP Flood Detection Settings 155

About the Protection Settings Configuration


The protection settings are the criteria by which AED and APS define clean traffic and
attack traffic. For example, if a setting specifies a threshold based on the number of
requests per second, then traffic that exceeds the threshold is considered to be an attack.

The default protection settings in AED and APS provide protection from the most
common types of DDoS attacks. You can customize these settings to provide more
directed protection for specific types of servers and for your outbound traffic. In AEM, you
can customize the protection settings for multiple managed devices.

Important
On a device that is managed by AEM, the ability to edit certain configurations is disabled.
These configurations include the server types, protection groups, filter lists, outbound
threat filter, deny list, allow list, and others. This restriction helps to avoid
synchronization issues between AEM and the managed device.

For information about types of DDoS attacks, see “DDoS Attacks and AED or APS
Protections” in the AED or APS User Guide.

Navigating to the protection settings


For inbound traffic, you configure these settings on the Configure Server Type page. Select
Protect > Inbound Protection > Server Type Configuration, and then click on a server
type name.

For outbound traffic, you configure these settings on the Outbound Threat Filter (Protect >
Outbound Protection > Outbound Threat Filter). See “Configuring the Outbound Threat
Filter” on page 121.

About the protection categories


The protection settings are organized into categories, each of which detects a different
type of attack traffic.

For inbound traffic, each server type contains the categories of protection settings that
are most appropriate for that server type. Each protection group is associated with a
server type and one or more host servers of that type. For example, a Web Server
protection group contains the HTTP categories of settings, which detect HTTP-based
attacks.

The outbound threat filter contains the categories of protection settings that are most
appropriate for outbound traffic.


About temporary blocking


Temporary blocking occurs dynamically as a result of the protection settings that are
configured for the protection groups. When AED and APS encounter certain types of
malicious inbound traffic, they block the offending traffic.

Some of the protection categories temporarily block a host, which effectively blocks all of
the traffic from that host, including its clean traffic. The top 10 sources that are blocked in
this way appear in the Temporarily Blocked Sources section on the View Protection Group
page. AED and APS do not temporarily block the sources for outbound traffic.

Other protection categories temporarily block a host’s offending traffic but not its clean
traffic or the host itself. Such hosts do not appear in the Temporarily Blocked Sources
section on the View Protection Group page, but they do appear in the blocked hosts log.

Typically, the sources are blocked for several minutes. The protection category that
detects the malicious traffic determines the length of time the sources are blocked, and
this time period cannot be changed.

About the protection levels for the protection settings


For each of the protection settings, you can specify different values for the low, medium,
and high protection levels. The current protection level determines which of the settings
are used at any given time. For example, you might set conservative thresholds for the
low protection level and more aggressive thresholds for the medium and high protection
levels.

You also can leave the protection settings empty or disable one or more of the protection
levels. For example, you might disable a setting for the low protection level and then
enable it for the medium and high protection levels.

See “About the Protection Levels” on page 96.

When to change the protection settings


Because you configure different settings for each protection level, you can vary the threat
detection criteria at any time by changing the protection level. You can change the
protection level globally or for one or more specific protection groups.

Typically, you use the default settings when you first install AED or APS. As you use AED or
APS and analyze its actions, you can customize as many settings as needed to secure your
data center from threats against availability. If you have historical traffic information and
statistics from an AED or APS trial or monitor-only implementation, then use that
information as a guide for refining the protection settings.

AED and APS can simplify the configuration of certain rate-based protection settings by
learning typical network behaviors and suggesting protection settings that are
appropriate for your network. See “About Traffic Profiling for Protection Configuration” on
page 110.

About the Outbound Threat Filter


The outbound threat filter prevents malicious traffic from leaving your network. Unlike
the protection groups, which protect specific hosts, the single outbound threat filter
protects all of the outbound IPv4 traffic that passes through AED and APS.


When you install or upgrade AED or APS, the outbound threat filter and all of its ATLAS
Intelligence Feed (AIF) threat categories are enabled by default on AEM. You can disable
the outbound threat filter and the AIF threat categories on the Outbound Threat Filter page
(Protect > Outbound Protection > Outbound Threat Filter). See “Configuring the
Outbound Threat Filter” on the next page.

Important
For the outbound deny list and outbound allow list to work, you must leave the
outbound threat filter enabled. See "Adding Outbound Traffic to the Deny List" on
page 177 and "Adding Outbound Traffic to the Allow List" on page 183.

About the protection settings


The outbound threat filter contains the categories of protection settings that are the most
appropriate for outbound traffic, to protect state-dependent devices such as load
balancers and next-generation firewalls. It also uses the ATLAS Intelligence Feed (AIF)
threat categories. These settings are the criteria by which AED and APS define clean traffic
and attack traffic.

You configure these protection settings on the Outbound Threat Filter page. You also can
configure the protection mode (active or inactive) and protection level (global, low,
medium, or high) for the outbound threat filter. See “Configuring the Outbound Threat
Filter” on the next page.

For information about the protection categories and suggestions for when to change the
protection settings, see “About the Protection Settings Configuration” on page 118.

Note
If you turn on DNS NXDomain Rate Limiting for a protection group, then outbound traffic
may match the protection group instead of the outbound threat filter. By default, DNS
NXDomain Rate Limiting is enabled for the default IPv4 protection group and any
protection groups that use the generic IPv6 server type or the DNS server type. Custom
protection groups also might have this protection turned on. See “DNS NXDomain Rate
Limiting Settings” on page 132.

About the outbound threat filter’s protection mode and protection level
The outbound threat filter’s protection mode determines whether AED and APS block
malicious outbound traffic. In the active mode, AED and APS monitor traffic and mitigate
attacks. In the inactive mode, AED and APS detect attacks but do not mitigate them. To
test the outbound threat filter, set the protection mode for the outbound threat filter to
inactive.

The outbound threat filter’s protection level determines which protection settings are in
use for the outbound traffic. The outbound threat filter can use the global protection level
or a protection level that you configure for the outbound threat filter. The outbound
threat filter’s protection level takes precedence over the global protection level.

In AEM, you can change the outbound threat filter’s protection mode or protection level
for all of the managed AED and APS devices.

About managing the outbound threat filter from AEM


When you use AEM to manage AED and APS, you configure the outbound threat filter in
AEM and propagate the configurations to each managed device.


When you first connect an AED or APS device to AEM, the outbound threat filter on the
managed device is replaced with the one from AEM. Thereafter, any changes to the
outbound threat filter on AEM are periodically copied to each managed device. See
“About Configuration Data Synchronization with AEM” on page 90.

Important
On a device that is managed by AEM, the editing functions on the Outbound Threat Filter
page are disabled.

Configuring the Outbound Threat Filter


You configure the protection settings for the outbound threat filter, to prevent malicious
traffic from leaving your network. You also configure the ATLAS Intelligence Feed (AIF)
threat categories, the protection mode, and the protection level for the outbound threat
filter.

You can enable and disable the outbound threat filter, but you cannot delete it.

Important
If you deploy an AED or APS device in the monitor mode, then the outbound traffic does
not go through that device. Therefore, the traffic is not analyzed.

For more details about the outbound threat filter, see “About the Outbound Threat Filter”
on page 119.

Configuring the outbound threat filter


To configure the outbound threat filter:
1. Select Protect > Outbound Protection > Outbound Threat Filter.
2. Select the Enable Outbound Threat Filter check box.
3. Configure the following settings:

Setting: Protection Mode options
Description: Select Active or Inactive to configure the protection mode. For more
information about the protection mode, see “Setting the Protection Mode (Active or
Inactive)” on page 95.

Setting: (Protection Level) icons
Description: Select an icon to set the protection level (global, low, medium, or high)
for the outbound threats. The global protection level is the default. A check mark in
the corresponding icon shows which level is currently active. For information about
the global protection level, see “About the Protection Levels” on page 96. Also see
“Changing the Protection Level” on page 238.

4. For each protection level, configure the protection settings.
For information about the specific settings, see the following topics:
• “ATLAS Intelligence Feed Settings” on page 125
• “STIX Feeds Settings” on page 149
• “Passing and Dropping Inbound Traffic and Outbound Traffic” on page 164
• “Payload Regular Expression Settings” on page 141
• “DNS Rate Limiting Settings” on page 133
• “Malformed HTTP Filtering Settings” on page 140
5. Click Save.

After you configure the outbound threat filter, you can verify that you configured it
correctly. See “Validating the Outbound Threat Filter Configuration” below.

Validating the Outbound Threat Filter Configuration


After you configure the outbound threat filter, we recommend that you validate its
configuration to ensure that the relevant traffic passes through the managed AED or APS
device.
Several issues might prevent the outbound threat filter from functioning as expected, for
example:
• misconfiguration of the device
• a deployment that prevents traffic mitigation (for example, you deploy a device in an
out-of-band mode or inactive mode)
• routing configurations that do not allow the device to see the relevant traffic

For more information, see “About the Outbound Threat Filter” on page 119.

Testing guidelines
Required configuration settings
You must configure the following settings before testing the outbound threat filter:
• Enable the outbound threat filter.
• Set the protection mode to Active.
• Enable all of the AIF threat categories.

See “Configuring the Outbound Threat Filter” on the previous page.

IP address and domain name for testing


To test the outbound threat filter configuration, use the following IP address and domain
name:
• 52.26.163.109
• arbor-aif-test.com

The AIF includes this IP address and domain name.

IP address testing
You can use the ping command on the operating system command line to test the
outbound threat filter configuration. This command is available for all of the standard
operating systems.


To use the ping command to test the outbound threat filter:


1. From a host inside a protection group, access the operating system’s command line.
2. On the command line, enter ping 52.26.163.109

Results of a successful ping test


If you configure the outbound threat filter correctly, then the ping command is
unsuccessful and times out, as shown in the following image:

On the Summary Page for a device, you should see a spike in the blocked traffic, as shown
in the following image:

On the Outbound Blocked Threats graph, you should see an increase in the number of
source hosts that the devices blocked, as shown in the following image:

Results of an unsuccessful ping test


If the host receives a response to the ping command, as shown in the following image,
then you should review the outbound threat filter configuration settings.


DNS query testing


You can use the nslookup command on the operating system command line to test the
outbound threat filter configuration. This command attempts to perform a DNS query.

The nslookup command is available for all of the standard operating systems.

To use the nslookup command to test the outbound threat filter:


1. From a host in a protection group, open up the operating system command line.
2. On the command line, enter nslookup arbor-aif-test.com

Results of a successful nslookup test


If you configure the outbound threat filter correctly, then the nslookup command is
unsuccessful and times out, as shown in the following image:

On the Summary Page for a device, you should see a spike in the blocked traffic, as shown
in the following image:

On the Outbound Blocked Threats graph, you should see an increase in the number of
source hosts that AED and APS blocked, as shown in the following image:


Results of an unsuccessful nslookup test


If the host receives a response to the nslookup command, as shown in the following
image, then you should review the outbound threat filter configuration settings.
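The ping test and the nslookup test above, combined into one script that reports the expected outcome for each probe. This is an added example and not part of the NetScout guide; it assumes a Linux-style ping (-c, -W) and a BIND-style nslookup that accepts -timeout, and it is run from a host inside a protection group as `sh validate_otf.sh run`.

```shell
#!/bin/sh
# Added example, not from the AEM User Guide: run the guide's outbound threat
# filter validation probes against the AIF test IP address and domain name.
# A working filter drops both probes, so the commands get no reply.
AIF_TEST_IP="52.26.163.109"
AIF_TEST_DOMAIN="arbor-aif-test.com"

# classify_result NAME STATUS
# A non-zero exit status means the probe got no reply, which is what a
# correctly configured filter produces. A zero status means the probe reached
# its target, which is the case the guide tells you to investigate.
classify_result() {
    name=$1
    status=$2
    if [ "$status" -ne 0 ]; then
        echo "OK      $name got no reply: the outbound threat filter blocked it"
        return 0
    fi
    echo "REVIEW  $name got a reply: check that the filter is enabled, the" \
         "protection mode is Active, and all AIF threat categories are enabled"
    return 1
}

# probe_ip ADDRESS: one ICMP echo request with a 3 second wait (Linux ping flags).
probe_ip() {
    ping -c 1 -W 3 "$1" >/dev/null 2>&1
}

# probe_dns NAME: one DNS query with a 3 second timeout (BIND nslookup flag,
# assumed to be available on the test host).
probe_dns() {
    nslookup -timeout=3 "$1" >/dev/null 2>&1
}

# run_validation: run both probes; returns the number of probes that got through.
run_validation() {
    failures=0
    probe_ip "$AIF_TEST_IP"
    classify_result "ping $AIF_TEST_IP" $? || failures=$((failures + 1))
    probe_dns "$AIF_TEST_DOMAIN"
    classify_result "nslookup $AIF_TEST_DOMAIN" $? || failures=$((failures + 1))
    if [ "$failures" -eq 0 ]; then
        echo "Result: both probes were blocked; now confirm the spike on the device" \
             "Summary page and on the Outbound Blocked Threats graph"
    else
        echo "Result: $failures probe(s) reached the AIF test target; review the" \
             "outbound threat filter configuration"
    fi
    return "$failures"
}

# The probes send real traffic, so they run only when invoked with "run".
if [ "${1:-}" = "run" ]; then
    run_validation
fi
```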

Application Misbehavior Settings


Use the Application Misbehavior settings to detect application misbehavior patterns that
might not be specific to any protocol. You configure these settings on the Configure Server
Type page. Select Protect > Inbound Protection > Server Types, and then click a server
type name. The server must be associated with a managed device.

About these settings


These settings allow AED and APS to detect request headers that are interrupted by a TCP
FIN from the client. AED and APS count a host’s interrupts until either of the following
conditions is met:
• The number of interruptions exceeds the configured limit. In this case, AED or APS
temporarily blocks the source host.
• The host completes a request without interruption.

In either case, the interrupt counter is reset to zero.

For example, some botnet attacks send multiple, small HTTP requests that cause a series
of bad request errors and overwhelm the victim server. The bot terminates each
connection before the request is complete.

Application Misbehavior settings


The Application Misbehavior category contains the following setting for each protection
level:

Application Misbehavior settings

Setting: Interrupt Count box
Description: Type the number of TCP FIN interruptions that AED and APS allow from a
single client before that client is temporarily blocked.
To disable this setting, leave this box empty.

ATLAS Intelligence Feed Settings


The ATLAS Intelligence Feed (AIF) contains information about the latest advanced threats,
botnets, and web crawlers that our Active Threat Level Analysis System (ATLAS) has
identified. AED and APS can use this information to detect threats, block attacks, and
allow legitimate search engine web crawlers to access your network.


When AED or APS detects traffic that matches any of the HTTP header signatures or
threat policies that are enabled, it blocks the traffic. If the traffic is inbound, then AED or
APS temporarily blocks the source host.

You configure these protection settings on the following pages:


• Configure Server Type page — Select Protect > Inbound Protection > Server Types, and
then click a server type name. The server must be associated with a managed device.
• Outbound Threat Filter page — Select Protect > Outbound Protection > Outbound
Threat Filter.

For general information about ATLAS Intelligence Feed, see “About the ATLAS Intelligence
Feed” on page 68.

Important
These protection settings depend on the presence of an AIF update file. Before you
enable any of the ATLAS Intelligence Feed settings, either verify that the automatic AIF
updates are enabled or request an update. Some of these settings, such as the default
confidence values, do not appear if an AIF update file is not present.

About these settings


The ATLAS Intelligence Feed settings allow AED and APS to use the information in the
ATLAS Intelligence Feed to block traffic as follows:

How AED and APS use the ATLAS Intelligence Feed settings

AED or APS action: Block attack traffic
Basis for action: The AIF updates include the policies that identify categories of
known threats by their traffic patterns, which are defined by IP addresses, HTTP regular
expressions, or DNS names. When you enable the Threat Categories settings, AED and APS
block any inbound traffic or outbound traffic that matches the threat policies. See
“About the ATLAS Threat Policies” on page 69.

AED or APS action: Block botnet traffic
Basis for action: (Inbound traffic only) Many botnets are known by their traffic
patterns or profiles that suggest an attack. The AIF updates include the policies
(signatures) that identify known botnets. When you enable the AIF Botnet Signatures
settings, AED and APS compare each policy to the HTTP headers and HTTP requests. AED and
APS block any traffic that matches any of the policies and temporarily block the source
host.

AED or APS action: Pass web crawler traffic
Basis for action: (Inbound traffic only) In the process of protecting your servers from
DDoS attacks, AED and APS might prevent search engine web crawlers from accessing your
site. The AIF updates include a list of the IP address ranges that are considered to be
legitimate search engine web crawlers. When you enable the Web Crawler Support settings,
AED and APS pass the traffic from the search engine IP addresses.
For more information, see “About Web Crawler Support” on page 73.

ATLAS Intelligence Feed Settings


The ATLAS Intelligence Feed protection category contains the following settings for each
protection level:

ATLAS Intelligence Feed settings

Setting: Web Crawler Support buttons
Description: (Inbound traffic only) Click one of these buttons to enable or disable the
inspection of traffic for legitimate web crawler search engines.
For AED and APS to pass the traffic from specific web crawlers, those web crawlers must
be enabled on the Configure AIF Settings page (Administration > ATLAS Intelligence Feed).
Initially, all of the web crawlers are enabled by default, but you can choose which web
crawlers to enable or disable.
This option is available for the following server types only: Generic, DNS, and web.

Setting: AIF Botnet Signatures buttons
Description: (Inbound traffic only) Click one of these buttons to enable or disable the
inspection of traffic based on the traffic patterns or profiles by which the AIF
identifies known botnets.
This option is available for the following server types only: Generic, VOIP, and Web.

Setting: Threat Categories buttons
Description: Click one of these buttons to enable or disable advanced threat detection
based on the ATLAS threat policies, which are grouped by threat category. See “About the
ATLAS Threat Policies” on page 69.
When you select the Threat Categories check box, the following ATLAS confidence index
settings become available. For more information about the ATLAS confidence index and the
confidence values, see “About the ATLAS Confidence Index” on page 70.

Setting: ATLAS Confidence Index options
Description: The default confidence value is applied to all of the rules in all of the
enabled threat categories, except those for which you define a category-specific
confidence value. To specify the default confidence value, select one of the following
options:
• Use Default — Use the confidence value that the ATLAS Security Engineering and
Response Team (ASERT) recommends, which appears in parentheses after this option. This
option is selected by default.
• Custom — Configure a custom confidence value to use as the default. When you select
this option, type a number from 1 to 100 in the box to represent the confidence value.
When AED or APS inspects traffic, it applies the threat policy rules whose confidence
values match or exceed the default confidence value.

Setting: Threat category check boxes and confidence value boxes
Description: For each of the threat categories, you can configure the following settings:
• To enable or disable a threat category, select its check box. By default, all of the
threat categories are enabled.
• To configure a confidence value for an enabled threat category, click to the right of
the category’s check box to display the confidence value box. Type a number from 1 to
100 to represent the confidence value.
The threat category confidence value overrides the default confidence value for the
specific category.

Block Malformed DNS Traffic Settings


Enable the Block Malformed DNS Traffic protection settings to prevent attacks that send
invalid or blank DNS requests to a server. These attacks are intended to exhaust
resources or to exploit vulnerabilities. You can enable settings for each of the protection
levels.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

When a DNS request arrives at port 53 (source or destination), AED and APS perform the following tests:
• Verify that the packet contains a payload that could be part of a valid DNS message. If the payload is missing, then AED and APS block the packet. In this case, AED and APS do not block the source host.
• Evaluate valid DNS requests for compliance with RFC standards. AED and APS block any requests that do not conform to the standards.
Important
AED and APS do not validate that the Z flag is set to 0. While this is an exception to RFC 1035, it is not uncommon for DNS implementations to allow the flag to be non-zero.

These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 101.
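The following validator is an added example, not NETSCOUT code, that mirrors the two tests above on constructed DNS packets: an empty payload is dropped without blocking the host, a request that fails basic RFC 1035 header and question checks is dropped, and the Z bits are deliberately left unchecked. Which field checks stand in for “RFC compliance” (the set of accepted opcodes, a zero RCODE in a query, and the rejection of compression pointers in the question) are this example’s assumptions, as are the sample packets.

```python
"""Added example (not NETSCOUT code): a DNS request validator modelled on the
Block Malformed DNS Traffic tests. Field checks below are this example's
assumptions about what the guide calls RFC compliance."""
import struct

HEADER_LEN = 12
ASSIGNED_OPCODES = {0, 1, 2, 4, 5}   # QUERY, IQUERY, STATUS, NOTIFY, UPDATE (assumption)
VALID_QCLASS = {1, 3, 4, 255}        # IN, CH, HS, ANY


def build_query(name, qtype=1, qclass=1, flags=0, truncate_to=None):
    """Build a constructed single-question DNS query (sample data, not captured)."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".") if lbl)
    pkt = header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)
    return pkt if truncate_to is None else pkt[:truncate_to]


def _parse_qname(buf, off):
    """Return the offset after the name, or None if the encoding is not RFC 1035 clean."""
    total = 0
    while True:
        if off >= len(buf):
            return None                      # ran off the end in the middle of the name
        length = buf[off]
        off += 1
        if length == 0:
            return off
        if length & 0xC0:                    # 0x40/0x80 are reserved; 0xC0 is a compression
            return None                      # pointer, not expected in a question (assumption)
        total += length + 1
        if total > 255 or off + length > len(buf):
            return None                      # name longer than 255 octets, or truncated label
        off += length


def validate_dns_request(payload):
    """Return (verdict, block_host): 'pass', 'drop-empty' or 'drop-malformed'.
    Neither drop verdict blocks the source host, matching the guide."""
    if not payload:
        return "drop-empty", False
    if len(payload) < HEADER_LEN:
        return "drop-malformed", False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:HEADER_LEN])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    # flags & 0x0070 are the Z bits: intentionally ignored, as the Important note says.
    if qr != 0 or opcode not in ASSIGNED_OPCODES or rcode != 0 or qdcount < 1:
        return "drop-malformed", False
    off = HEADER_LEN
    for _ in range(qdcount):
        off = _parse_qname(payload, off)
        if off is None or off + 4 > len(payload):
            return "drop-malformed", False
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        if qtype == 0 or qclass not in VALID_QCLASS:
            return "drop-malformed", False
        off += 4
    return "pass", False


if __name__ == "__main__":
    samples = [
        ("well-formed query", build_query("example.com")),
        ("empty payload", b""),
        ("Z bits set", build_query("example.com", flags=0x0070)),
        ("response seen as request", build_query("example.com", flags=0x8000)),
        ("truncated mid-name", build_query("example.com", truncate_to=20)),
        ("64-octet label", build_query("a" * 64 + ".com")),
    ]
    for label, pkt in samples:
        print(f"{label:26s} -> {validate_dns_request(pkt)}")
```

Run the block directly to see each sample classified. A query with non-zero Z bits passes, as the Important note requires; a truncated question and an over-long label are dropped without the source host being blocked.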

Block Malformed SIP Traffic Settings


Enable the Block Malformed SIP Traffic settings to prevent attacks that disrupt VoIP service
by sending invalid or blank SIP requests. You can enable settings for each of the
protection levels.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

When a UDP packet arrives at a SIP destination port (usually port 5060), AED and APS perform the following tests:
• Verify that the packet contains a payload that could be part of a valid SIP request. If the payload is missing, then AED and APS block the packet and temporarily block the source host.
• Evaluate valid SIP requests to verify that all of the headers that are specified in RFC 3261 section 8.1 are properly formatted and have reasonable values. AED and APS block any requests that do not conform to the standard and temporarily block the source host.
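The following checker is an added example, not NETSCOUT code, that applies the two SIP tests above to a constructed request: a blank UDP payload is dropped and the host blocked, and a request whose RFC 3261 section 8.1.1 mandatory headers (To, From, CSeq, Call-ID, Max-Forwards, Via) are missing or unreasonable is dropped and the host blocked. The specific “reasonable value” rules (CSeq method echoing the request line, Max-Forwards within 0 to 255, a SIP/2.0 transport in Via) and the accepted method list are this example’s assumptions, as is the sample INVITE.

```python
"""Added example (not NETSCOUT code): SIP request checks modelled on the
Block Malformed SIP Traffic tests. Value checks are this example's choice."""
import re

MANDATORY_HEADERS = ("To", "From", "CSeq", "Call-ID", "Max-Forwards", "Via")  # RFC 3261 8.1.1
CORE_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}     # RFC 3261 only (assumption)
COMPACT_FORMS = {"f": "from", "t": "to", "i": "call-id", "v": "via"}         # RFC 3261 7.3.3
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
CSEQ = re.compile(r"^(\d+) ([A-Z]+)$")
VIA = re.compile(r"^SIP/2\.0/(UDP|TCP|TLS|SCTP) \S+")


def check_sip_request(payload):
    """Return (verdict, block_host) for one UDP payload on a SIP port: 'pass',
    'drop-empty' (blank payload) or 'drop-malformed' (fails the header checks).
    Both drop verdicts block the source host, as the guide describes."""
    if not payload.strip():
        return "drop-empty", True
    text = payload.decode("ascii", errors="replace")
    head = text.split("\r\n\r\n", 1)[0].rstrip("\r\n")
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match or match.group(1) not in CORE_METHODS:
        return "drop-malformed", True
    method = match.group(1)
    headers = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:            # folded continuation line
            headers[last] += " " + line.strip()
            continue
        if ":" not in line:
            return "drop-malformed", True               # not a header line at all
        name, value = line.split(":", 1)
        last = name.strip().lower()                     # header names are case-insensitive
        last = COMPACT_FORMS.get(last, last)
        headers[last] = value.strip()
    for name in MANDATORY_HEADERS:
        if not headers.get(name.lower()):
            return "drop-malformed", True               # missing or empty mandatory header
    # "Reasonable values" (this example's choice): CSeq must echo the request method,
    # Max-Forwards is an integer 0-255 (RFC 3261 20.22), Via must carry a SIP/2.0 transport.
    cseq = CSEQ.match(headers["cseq"])
    if not cseq or cseq.group(2) != method:
        return "drop-malformed", True
    max_fwd = headers["max-forwards"]
    if not max_fwd.isdigit() or int(max_fwd) > 255:
        return "drop-malformed", True
    if not VIA.match(headers["via"]):
        return "drop-malformed", True
    return "pass", False


# Constructed sample request (not captured traffic); 192.0.2.0/24 is a documentation range.
GOOD_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
               b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
               b"Max-Forwards: 70\r\n"
               b"To: Bob <sip:bob@example.com>\r\n"
               b"From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
               b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
               b"CSeq: 314159 INVITE\r\n"
               b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print("good invite     ", check_sip_request(GOOD_INVITE))
    print("blank payload   ", check_sip_request(b"\r\n\r\n"))
    print("no Call-ID      ", check_sip_request(GOOD_INVITE.replace(b"Call-ID: a84b4c76e66710@192.0.2.10\r\n", b"")))
    print("CSeq method off ", check_sip_request(GOOD_INVITE.replace(b"CSeq: 314159 INVITE", b"CSeq: 314159 BYE")))
```

Note the difference from the DNS check: here the source host is blocked on either failure, so a buggy but legitimate SIP client that omits Max-Forwards will be blocked, not just have its packets dropped.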

Botnet Prevention Settings


Use the Botnet Prevention settings to prevent botnet attacks, in which a large set of compromised computers generates a high volume of traffic that targets a victim server. The Botnet Prevention settings allow AED and APS to detect and block botnet attacks based on known botnet behaviors.

You also can prevent botnet attacks based on the traffic patterns or profiles by which the
AIF identifies known botnets. See “ATLAS Intelligence Feed Settings” on page 125.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.


About botnets
The following patterns of behavior are common to many botnets:
• Sending requests with incomplete header fields.
• Sending slow request attacks, which usually contain artificially truncated request segments. For example, some botnets send multiple, small HTTP requests, and then terminate each connection before the request is complete. This attack causes a series of bad request errors and overwhelms the victim server.

About these settings


To prevent botnet attacks, AED and APS perform the following tests:
• Enable Basic Botnet Prevention
Checks the packet headers for incomplete fields. AED and APS block any packets whose headers are incomplete and temporarily block the source host. The fields that are checked vary by protection level, as follows:
Low, Medium: Analyzes the Host field in HTTP 1.1 requests.
High: Analyzes the Host, User-Agent, and Connection fields in all requests.
• Prevent Slow Request Attacks
Checks for HTTP requests that contain less than 500 bytes of data and do not end with \n. Requests that match these criteria are likely to be part of a slow HTTP attack. AED and APS pass the first three packets that match these criteria and then drop the subsequent packets and temporarily block the source host.
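The two tests above, run over constructed HTTP requests, as an added example that is not NETSCOUT code. The per-level header lists, the 500-byte limit, the trailing \n rule and the three-packet grace period come from the description above; the per-source bookkeeping, the permanent (rather than temporary) block in the simulation, and the sample requests are this example’s assumptions.

```python
"""Added example (not NETSCOUT code): the Basic Botnet Prevention and Prevent
Slow Request Attacks tests applied to constructed HTTP requests."""
from collections import defaultdict

# Header fields the guide lists per protection level (lowercased for lookup).
REQUIRED_HEADERS = {
    "low": ("host",),
    "medium": ("host",),
    "high": ("host", "user-agent", "connection"),
}
SLOW_MAX_BYTES = 500        # requests shorter than this ...
SLOW_GRACE_PACKETS = 3      # ... and not ending in \n: first three pass, then drop and block


def parse_request(raw):
    """Split an HTTP request, or a truncated segment of one, into its request
    line and a dict of lowercased header names (a segment with no blank line still parses)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def basic_botnet_check(raw, level):
    """Return the required header fields missing at this level.
    Low and Medium inspect only HTTP/1.1 requests; High inspects all requests."""
    request_line, headers = parse_request(raw)
    if level != "high" and not request_line.endswith("HTTP/1.1"):
        return []
    return [h for h in REQUIRED_HEADERS[level] if h not in headers]


class SlowRequestTracker:
    """Per-source count of short, unterminated requests (Prevent Slow Request Attacks)."""

    def __init__(self):
        self.short_seen = defaultdict(int)
        self.blocked = set()            # assumption: modelled as permanent; the device's block is temporary

    @staticmethod
    def is_suspicious(raw):
        return len(raw) < SLOW_MAX_BYTES and not raw.endswith(b"\n")

    def handle(self, src, raw):
        """Return 'pass', 'drop' or 'drop+block-host' for one request from src."""
        if src in self.blocked:
            return "drop"
        if not self.is_suspicious(raw):
            return "pass"
        self.short_seen[src] += 1
        if self.short_seen[src] <= SLOW_GRACE_PACKETS:
            return "pass"               # the first three matching packets are passed
        self.blocked.add(src)
        return "drop+block-host"


def run_botnet_checks(packets, level):
    """Apply both tests in order to (src, raw) pairs; returns (src, verdict, reason) per packet."""
    tracker = SlowRequestTracker()
    verdicts = []
    for src, raw in packets:
        missing = basic_botnet_check(raw, level)
        if missing:
            tracker.blocked.add(src)
            verdicts.append((src, "drop+block-host", "missing " + ",".join(missing)))
            continue
        verdicts.append((src, tracker.handle(src, raw), "slow-request check"))
    return verdicts


# Constructed sample requests (not captured traffic); 198.51.100.0/24 is a documentation range.
NORMAL = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: curl/8.0\r\nConnection: close\r\n\r\n")
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: bot/1.0\r\n\r\n"
NO_UA = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n"
HTTP10_NO_HOST = b"GET / HTTP/1.0\r\n\r\n"
SLOW_SEGMENT = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-a: b"   # never terminated

if __name__ == "__main__":
    for verdict in run_botnet_checks([("198.51.100.7", SLOW_SEGMENT)] * 5, "medium"):
        print(verdict)
    print("HTTP/1.0 without Host at low :", basic_botnet_check(HTTP10_NO_HOST, "low"))
    print("HTTP/1.0 without Host at high:", basic_botnet_check(HTTP10_NO_HOST, "high"))
```

The HTTP/1.0 case is the one to notice when tuning: at Low and Medium a request without a Host header passes as long as it is not HTTP/1.1, while at High it is blocked, so older clients and health checkers that still speak HTTP/1.0 without a Host header are affected only by the High level.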

Botnet Prevention settings


Important
The Botnet Prevention settings work only when Malformed HTTP Filtering is enabled. If you disable Malformed HTTP Filtering, then the Botnet Prevention settings for the corresponding protection levels also are disabled. If you enable one of the Botnet Prevention settings, then Malformed HTTP Filtering is enabled for the corresponding protection levels. See “Malformed HTTP Filtering Settings” on page 140.


The Botnet Prevention category contains the following settings for each protection level:

Botnet Prevention settings

Enable Basic Botnet Prevention buttons: Click one of these buttons to enable or disable the inspection of traffic for missing HTTP header fields, which are a common indicator of botnet attacks.

Prevent Slow Request Attacks buttons: Click one of these buttons to enable or disable the inspection of traffic for requests that are characteristic of slow HTTP attacks.

CDN and Proxy Support Settings


Enable the CDN and Proxy Support settings to prevent the global blocking of all traffic from
a content delivery network (CDN) or proxy. You can enable settings for each of the
protection levels.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

The protection categories in AED and APS block malicious traffic, temporarily block
malicious hosts, or both. When traffic is routed through a CDN or proxy, the source IP
address is that of the last CDN or proxy device. That source IP address is shared by all of
the users whose traffic passes that device. Therefore, the protection settings that block
an attacker’s IP address might block all traffic from the CDN or proxy. To prevent AED and
APS from blocking all of the traffic from a CDN or proxy, you enable CDN and Proxy
Support.

After you enable CDN and Proxy Support, AED and APS rely on the protection categories
that block malicious traffic but do not block the attacker’s IP address. AED and APS pass
the clean traffic from the CDN or proxy.

DNS Authentication Settings


Enable the DNS Authentication category to protect against DNS attacks that originate from
a source that is not a valid host. These settings can protect any type of DNS server. You
can enable settings for each of the protection levels.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

AED and APS force any clients that send DNS requests to change to TCP before the queries reach the DNS server. This change validates that the original request came from a legitimate client, because a client with a spoofed UDP source address cannot complete the TCP exchange. AED and APS block any requests that are not verified, but do not block the source hosts. A client that cannot retry its query over TCP (for example, one behind a firewall that permits only UDP port 53) is therefore never verified, and its queries are blocked.

Before you enable these settings for active mitigation, test them thoroughly in a lab environment. Because these settings require two-way communications, they must be tested in an inline deployment mode (Inline Routed or Inline Bridged) and the active protection mode. See “Setting the Deployment Mode” in the AED or APS User Guide and “Setting the Protection Mode (Active or Inactive)” on page 95.

Important
When cleaned traffic is forwarded through a GRE tunnel, AED and APS do not use the settings for Spoofed SYN Flood Prevention or DNS Authentication to inspect the traffic. In this case, AED and APS ignore the settings for these protection categories because the device would have to send packets back through the GRE tunnel. See “Inspecting GRE tunnel traffic” in the AED or APS User Guide.

These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 101.

DNS NXDomain Rate Limiting Settings


Use the DNS NXDomain Rate Limiting category to monitor response packets for hosts that
send requests that might cause the generation of a non-existent domain (NXDomain)
response. These settings protect against DNS cache poisoning and dictionary attacks.

AED and APS temporarily block any host that generates more consecutive failed DNS
requests than the configured limit.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 101.

Network requirement
If you plan to use these settings, then you must configure your network so that AED and
APS can see the DNS response traffic from the DNS server.

DNS NXDomain Rate Limiting settings


The DNS NXDomain Rate Limiting category contains the following setting for each
protection level.
Note
If (View profile) appears next to a setting, then you can use profile data to help you
configure the appropriate values for that setting. See “Viewing and Tuning Individual
Protection Settings” or “Viewing and Tuning Protection Settings by Server Type” in the
AED or APS User Guide.

DNS NXDomain Rate Limiting settings

DNS NXDomain Rate Limit box: Type the number of failed queries to allow per second. To disable this setting, leave this box empty.


Effects on traffic if DNS NXDomain Rate Limiting settings are not configured
If you do not configure the DNS NXDomain Rate Limiting settings, then the processing of
outbound traffic is affected as follows:
• The following response-based protection categories do not block outbound traffic (these protection categories are configured in the server types):
  ◦ Filter List. See “Passing and Dropping Inbound Traffic and Outbound Traffic” on page 164.
  ◦ Multicast Blocking. See “Multicast Blocking Settings” on page 140.
  ◦ Private Address Blocking. See “Private Address Blocking Settings” on page 143.
• The deny list does not block outbound traffic.
• You cannot perform a packet capture on any “int” interfaces in AED or APS.

To address these issues, you must enable the Outbound Threat Filter and add FCAP
expressions to the filter list to block outbound traffic. See “Configuring the Outbound
Threat Filter” on page 121.

DNS Rate Limiting Settings


Use the DNS Rate Limiting settings to prevent attacks from legitimate hosts that misuse
DNS requests to flood DNS servers.

AED and APS inspect all of the DNS traffic that originates from a single source and record the number of queries per second. AED and APS block any traffic that exceeds the configured rate limit. If the traffic is inbound, then AED and APS temporarily block the source host.

You configure these protection settings on the following pages:
• Configure Server Type page: Select Protect > Inbound Protection > Server Types, and then click a server type name. The server must be associated with a managed device.
• Outbound Threat Filter page: Select Protect > Outbound Protection > Outbound Threat Filter.

These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 101.

DNS Rate Limiting Settings


The DNS Rate Limiting category contains the following setting for each protection level.
Note
If (View profile) appears next to a setting, then you can use profile data to help you
configure the appropriate values for that setting. See “Viewing and Tuning Individual
Protection Settings” or “Viewing and Tuning Protection Settings by Server Type” in the
AED or APS User Guide.


DNS Rate Limiting settings

DNS Query Rate Limit box: Type the maximum number of DNS queries per second that a source can send before AED or APS blocks it. This rate limit represents what you consider to be a reasonable maximum amount of DNS traffic. To disable this setting, leave this box empty.

DNS Regular Expression Settings


The DNS Regular Expression settings allow you to target specific DNS traffic. AED and APS
inspect all of the DNS traffic and apply each regular expression separately to each line of
the DNS requests. If traffic matches an expression, then AED and APS drop that traffic.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

The DNS Regular Expression category contains the following setting for each protection
level:

DNS Regular Expression settings

DNS Regular Expressions lines: Type a regular expression to filter and drop the DNS traffic whose requests or headers match it. Use the PCRE format. You can type multiple regular expressions; AED and APS combine them with the OR operator, so traffic that matches any one expression is dropped.

These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 101.

Flexible Rate-based Blocking Settings


The Flexible Rate-based Blocking settings use threshold values and FCAP fingerprint
expressions to identify source hosts that send excessive amounts of traffic to protected
hosts. After AED or APS identifies these source hosts, it blocks traffic from the hosts.

You can configure these settings to help prevent numerous types of attacks, such as
flood, TCP SYN, protocol, connection table, and request table exhaustion. You also can
configure settings to prevent some user-initiated actions such as bulk content downloads
and peer-to-peer file hosting.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.


Note
These protection settings are available for all of the server types. See “About the Server
Types” on page 101.

About these settings


To detect specific types of attacks, you create rate-based matching filters (Filter 1 and Filter 2) by using FCAP expressions. AED and APS evaluate only the packets that match a filter and then determine the traffic that they block based on the current protection level:
• For the medium and high protection levels: If the traffic matches a filter and exceeds a configured threshold, then AED and APS temporarily block all of the traffic from the source host.
• For the low protection level: If the traffic matches a filter and exceeds a configured threshold, then AED and APS block only the traffic that exceeds the threshold.

Typically, you should set the thresholds to rates that are higher than you expect any
legitimate host to send on a sustained basis. These rates vary based on the services that
the hosts offer. For example, if the protected hosts are content servers and the source
hosts are clients that send only requests and acknowledgments, then low traffic rates are
expected.

About traffic profiling for more accurate settings


AED and APS can simplify the configuration of certain rate-based protection settings by
suggesting values that are appropriate for your network. To determine these values, AED
and APS profile your network by capturing statistical data about its traffic. See “Using
Traffic Profile Data to Configure Protection Settings” on page 114.

Flexible Rate-based Blocking settings


The Flexible Rate-based Blocking category consists of the following settings. To enable
these settings, you must configure a filter and at least one of the threshold values.
Note
If (View profile) appears next to a setting, then you can use profile data to help you
configure the appropriate values for that setting. See “Viewing and Tuning Individual
Protection Settings” or “Viewing and Tuning Protection Settings by Server Type” in the
AED or APS User Guide.

Flexible Rate-based Blocking settings

Description: (Optional) Type a description for this filter. AED and APS do not display this description anywhere else in the UI.

Filter FCAP Expressions: Type an FCAP expression that corresponds to the data that you want to match. This expression applies to all of the protection levels. For more information about FCAP expressions, see “Using FCAP Expressions” on page 357.

Bits per Second Threshold box: For each protection level, type the maximum rate of traffic in bits per second that a source can send.

Packets per Second Threshold box: For each protection level, type the maximum rate of traffic in packets per second that a source can send.

Fragment Detection Settings


Use the Fragment Detection settings to protect against attacks that send an excessive
number of IP packet fragments to a server to exhaust its resources.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

About fragmentation attacks


A fragmentation attack is a flood of unwanted IP packet fragments. IP standards require a
receiving host to store packet fragments until the other fragments of that packet arrive
and the packet can be reassembled. If the other fragments never arrive, then the original
fragments remain in the victim server’s buffers until a timeout marks them as too old. A
large number of fragments can fill the server buffer space and prevent the receipt of
clean traffic.

AED or APS inspects the packet fragments that originate from a single source and records
the bits per second and packets per second. It blocks any traffic that exceeds the
configured rate limits. If the protection level is medium or high, then it temporarily blocks
the source host.

Fragment Detection settings


The Fragment Detection category contains the following settings for each protection level.
Note
If (View profile) appears next to a setting, then you can use profile data to help you
configure the appropriate values for that setting. See “Viewing and Tuning Individual
Protection Settings” or “Viewing and Tuning Protection Settings by Server Type” in the
AED or APS User Guide.

Fragment Detection settings

Enable Fragment Detection buttons: Click one of these buttons to enable or disable this category.

Maximum bps box: Type the maximum amount of traffic in bits per second to allow from a single source.

Maximum pps box: Type the maximum amount of traffic in packets per second to allow from a single source.

HTTP Header Regular Expressions Settings


When you use the HTTP Header Regular Expressions settings, the managed devices inspect HTTP traffic and apply each regular expression to each line of the HTTP headers and HTTP requests. If a regular expression matches the first HTTP request or HTTP header in a connection, then the devices block that request and temporarily block the source host.

If the regular expressions do not match the first HTTP request or HTTP header in a connection, then the devices add all of the HTTP requests for that connection to the allow list. Later requests on that same connection are therefore not inspected against these expressions, so a persistent connection whose first request is clean carries any subsequent requests through.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

The HTTP Header Regular Expressions category contains the following setting for each
protection level:

HTTP Header Regular Expressions settings

Header Regular Expressions lines: Type a regular expression to match HTTP requests or HTTP headers. Use PCRE format. You can type multiple regular expressions. The devices use the OR operator for multiple regular expressions.
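The per-connection semantics described above, as an added example that is not NETSCOUT code: several expressions are ORed together and tested line by line against the first request of a connection only; a match drops that request and blocks the source host, a miss allow-lists the whole connection. Python’s re module stands in for PCRE, the block duration is not modelled, and the sample expressions, requests and connection identifiers are constructed for this example.

```python
"""Added example (not NETSCOUT code): HTTP Header Regular Expressions
evaluated on the first request of each connection only."""
import re


class HeaderRegexFilter:
    """Several expressions ORed together, applied line by line to the first
    request seen on a connection; later requests on that connection are not inspected."""

    def __init__(self, patterns):
        self.patterns = [re.compile(p) for p in patterns]
        self.allowed_conns = set()      # connections whose first request was clean
        self.blocked_hosts = set()      # blocked sources (the temporary duration is not modelled)

    def first_match(self, raw):
        """Return the pattern text that matches any request or header line, or None."""
        head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        for line in head.split("\r\n"):
            for pattern in self.patterns:
                if pattern.search(line):
                    return pattern.pattern
        return None

    def handle(self, src, conn_id, raw):
        """Return (verdict, matched_pattern) for one request on connection conn_id."""
        if src in self.blocked_hosts:
            return "drop", None
        if conn_id in self.allowed_conns:
            return "pass", None         # not inspected: the connection is already allow-listed
        hit = self.first_match(raw)
        if hit is not None:
            self.blocked_hosts.add(src)
            return "drop+block-host", hit
        self.allowed_conns.add(conn_id)
        return "pass", None


# Constructed sample expressions and requests (not captured traffic).
PATTERNS = [
    r"^User-Agent: (python-requests|masscan|Go-http-client)",   # scripted-client User-Agents
    r"^User-Agent:\s*$",                                         # empty User-Agent header
]
CLEAN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
         b"User-Agent: Mozilla/5.0\r\n\r\n")
BAD = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
       b"User-Agent: python-requests/2.31\r\n\r\n")


def scenario():
    """Verdicts for: a matching first request; a clean first request followed by a
    matching second request on the same connection; a new connection from the blocked host."""
    f = HeaderRegexFilter(PATTERNS)
    return [
        f.handle("203.0.113.10", "conn-A", BAD)[0],
        f.handle("198.51.100.20", "conn-B", CLEAN)[0],
        f.handle("198.51.100.20", "conn-B", BAD)[0],
        f.handle("203.0.113.10", "conn-C", CLEAN)[0],
    ]


if __name__ == "__main__":
    for label, verdict in zip(("first request matches", "clean first request",
                               "same connection, matching request", "blocked host, new connection"),
                              scenario()):
        print(f"{label:36s} -> {verdict}")
```

The third verdict is the practical caveat: once a connection is allow-listed, a later request on it is passed even though it would have matched, so these expressions are a first-request check, not a per-request one.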

HTTP Rate Limiting Settings


Use the HTTP Rate Limiting settings to limit the rates at which a source host can send HTTP requests. These settings prevent a host from overwhelming the resources of a web server by sending too many requests in total or by sending too many requests for the same HTTP object. (An HTTP object is the specific resource, identified by its URL, that a request asks for.)

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.


About these settings


AED and APS monitor the HTTP requests from each host and perform the following tests:
• Compare the number of requests per second to the configured rate limit. If the request rate is too high, then AED and APS block the requests and temporarily block the source host.
• Compare the number of requests per second for a single HTTP object (URL) to the configured URL limit. If the per-URL request rate is too high, then AED and APS block the requests and temporarily block the source host.

The default limits are usually acceptable for typical users. Because a web server can be
heavily loaded by a small number of HTTP requests, do not raise the limits by large
amounts without careful consideration. If you need to make an exception for a content
mirror server, then you can add it to a pass rule in the Filter List settings. See “Passing and
Dropping Inbound Traffic and Outbound Traffic” on page 164.

HTTP Rate Limiting settings


The HTTP Rate Limiting category contains the following settings for each protection level.
Note
If (View profile) appears next to a setting, then you can use profile data to help you
configure the appropriate values for that setting. See “Viewing and Tuning Individual
Protection Settings” or “Viewing and Tuning Protection Settings by Server Type” in the
AED or APS User Guide.

HTTP Rate Limiting settings

HTTP Request Limit box: Type the number of HTTP requests to allow per second. An HTTP request is any type of request such as GET, POST, HEAD, or OPTIONS. To disable this setting, leave this box empty.

HTTP URL Limit box: Type the number of requests for a unique HTTP object (specific URL) to allow per second. For example, the medium level defaults are 500 for the HTTP Request Limit and 15 for the HTTP URL Limit. If AED or APS receives 100 requests for the same URL within one second, then the requests are blocked because they exceed the URL limit, even though 100 requests are well under the request limit. To disable this setting, leave this box empty.
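Flexible Rate-based Blocking, Fragment Detection, ICMP Flood Detection, DNS Rate Limiting and HTTP Rate Limiting all apply the same mechanism: a per-source, per-second threshold, with the action depending on the protection level (Low drops only the traffic above the threshold; Medium and High drop it and temporarily block the source host). The following is an added example, not NETSCOUT code, that implements that mechanism once and runs it through the HTTP example above (Medium defaults, 100 requests for one URL in a second) and through a Flexible Rate-based packets-per-second burst at Low and at Medium. Fixed one-second buckets, the 60-second block duration, and the sample sources and URL are this example’s assumptions.

```python
"""Added example (not NETSCOUT code): the per-source, per-second threshold
behind the rate-based protection categories, with level-dependent action."""
from collections import defaultdict


class RateThreshold:
    """One rate-based category: a per-second limit and the action the guide gives per level."""

    def __init__(self, limit, level, blocked_until=None, block_seconds=60):
        self.limit = limit                  # per-second limit; None models an empty (disabled) box
        self.level = level                  # "low", "medium" or "high"
        self.block_seconds = block_seconds  # assumed duration of the temporary host block
        self.buckets = defaultdict(int)     # (src, key, whole second) -> amount seen so far
        # Host block list. Share one dict between categories so that a block by any
        # category is honoured by all of them, as on the device.
        self.blocked_until = {} if blocked_until is None else blocked_until

    def check(self, src, ts, key=None, size=1):
        """Return "pass", "drop" or "drop+block-host" for one packet or request.
        size is 1 for pps and request limits; pass the packet length in bits for a bps limit."""
        if self.limit is None:
            return "pass"
        if self.blocked_until.get(src, 0) > ts:
            return "drop"                   # host is temporarily blocked
        bucket = (src, key, int(ts))
        self.buckets[bucket] += size
        if self.buckets[bucket] <= self.limit:
            return "pass"
        if self.level == "low":
            return "drop"                   # Low: only the excess is dropped
        self.blocked_until[src] = ts + self.block_seconds
        return "drop+block-host"            # Medium/High: the source host is blocked


def http_scenario(src="203.0.113.5"):
    """The guide's HTTP Rate Limiting example at Medium: Request Limit 500,
    URL Limit 15, and 100 requests for one URL inside a single second."""
    shared_blocks = {}
    request_limit = RateThreshold(500, "medium", shared_blocks)
    url_limit = RateThreshold(15, "medium", shared_blocks)
    verdicts = []
    for i in range(100):
        ts = 10.0 + i / 1000                # all inside second 10
        verdict = request_limit.check(src, ts)
        if verdict == "pass":
            verdict = url_limit.check(src, ts, key="/login")
        verdicts.append(verdict)
    return verdicts


def flexible_scenario(level, pps_limit=1000, burst=1500, src="198.51.100.9"):
    """A burst of filter-matching packets in one second against a Packets per Second
    Threshold, as in Flexible Rate-based Blocking (the same shape as Fragment Detection,
    ICMP Flood Detection and DNS Rate Limiting). Returns (passed, dropped, dropped_with_block)."""
    threshold = RateThreshold(pps_limit, level)
    verdicts = [threshold.check(src, 20.0 + i / 10000) for i in range(burst)]
    return (verdicts.count("pass"), verdicts.count("drop"), verdicts.count("drop+block-host"))


if __name__ == "__main__":
    v = http_scenario()
    print("HTTP at Medium:", v.count("pass"), "passed,", v.count("drop+block-host"),
          "blocked the host,", v.count("drop"), "dropped after the block")
    for lvl in ("low", "medium"):
        print(f"Flexible Rate-based at {lvl}: (pass, drop, drop+block-host) =",
              flexible_scenario(lvl))
```

In the HTTP run the request limit never trips (100 is under 500) but the sixteenth request for /login exceeds the URL limit, and from then on every request from that host is dropped by whichever category sees it first. The Flexible Rate-based run shows the level difference the text describes: at Low the host keeps its first 1000 packets per second and loses only the 500 above the threshold, while at Medium the 1001st packet blocks the host for the rest of the window.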

HTTP Reporting Settings


Enable the HTTP Reporting settings to display the top URLs and top domains on the View Protection Group page. This information appears in the Web Traffic By URL section and the Web Traffic By Domain section, respectively. HTTP Reporting is enabled by default. By disabling HTTP Reporting, you can improve the performance of the AED and APS devices that AEM manages.


You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

See the following topics for more information about viewing this information:
• “Viewing the Top URLs for a Protection Group” on page 198
• “Viewing the Top Domains for a Protection Group” on page 199

ICMP Flood Detection Settings


Use the ICMP Flood Detection settings to detect ICMP flood attacks.

An ICMP flood exploits the ping utility, which allows a user to verify that a particular IP
address exists and can accept requests. The attacker sends a large number of ICMP echo
requests to the victim web server. The server tries to respond to all of the requests until it
exhausts its resources and cannot respond to clean traffic.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

About these settings


Typically, a legitimate client does not send a large number of ICMP echo requests to a single server. The managed AED and APS inspect the ICMP traffic that originates from a single source and record the number of ICMP packets per second and bits per second. If the protection level is low, then the managed devices allow traffic up to the configured rate limit and drop only the excess. If the protection level is medium or high, then the devices block the host’s traffic and temporarily block the source host.

ICMP Flood Detection settings


The ICMP Flood Detection category contains the following settings for each protection
level.
Note
If (View profile) appears next to a setting, then you can use profile data to help you
configure the appropriate values for that setting. See “Viewing and Tuning Individual
Protection Settings” or “Viewing and Tuning Protection Settings by Server Type” in the
AED or APS User Guide.

ICMP Flood Detection settings

Enable ICMP Flood Detection buttons: Click one of these buttons to enable or disable this category.

Maximum Request Rate box: Type the maximum number of ICMP echo requests per second that a source can send before it is blocked. This rate limit represents what you consider to be a reasonable amount of ICMP traffic.

Maximum bps box: Type the maximum amount of traffic (in bps) to allow from a single source.

Malformed HTTP Filtering Settings


Enable the Malformed HTTP Filtering settings to protect against attacks that exhaust
resources by sending invalid or blank HTTP requests to a server.

The bots in a botnet sometimes manufacture the HTTP requests that they use to flood
victim servers, and these requests can be malformed. For example, the request header
might not conform to RFC 2616.

Important
The Botnet Prevention settings work only if you enable Malformed HTTP Filtering. If you disable Malformed HTTP Filtering, then the Botnet Prevention settings for the corresponding protection levels are also disabled. If you enable one of the Botnet Prevention settings, then Malformed HTTP Filtering is enabled for the corresponding protection levels. See “Botnet Prevention Settings” on page 129.

You configure these protection settings on the following pages:
• Configure Server Type page: Select Protect > Inbound Protection > Server Types, and then click a server type name. The server must be associated with a managed device.
• Outbound Threat Filter page: Select Protect > Outbound Protection > Outbound Threat Filter.

Testing the HTTP requests


AED and APS perform the following tests on HTTP requests:
• Verify that the HTTP header conforms to RFC 2616 Section 2.2 "Basic Rules". Exceptions to the RFC constraints on the space character are allowed.
• Verify that the entire request is in a legal and consistent format.

If either of these evaluations fails, then AED and APS block the request. If the traffic is inbound, then AED and APS temporarily block the source host or destination host.

Multicast Blocking Settings


Enable the Multicast Blocking settings to protect against attacks that misuse multicast
routing to overwhelm a server’s resources. You can enable settings for each of the
protection levels.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

Many attackers use multicasting to reflect and amplify attack traffic. For example, one type of attack sends echo requests to a multicast address, spoofing the request source with the victim’s IP address. The amplified request can result in an excessive number of responses that overwhelm the victim server and prevent it from accepting clean traffic.

To protect against this kind of attack, AED and APS block any inbound traffic whose source is a designated multicast address.

Note
These settings do not block outbound traffic. To block outbound traffic whose source or
destination is a designated multicast address:
1. Enable the outbound threat filter. See “Configuring the Outbound Threat Filter” on
page 121.
2. Add the designated multicast addresses to the Filter List protection category or to
the Outbound Deny Lists page.
For more information, see “Passing and Dropping Inbound Traffic and Outbound
Traffic” on page 164, and “Managing the Outbound Deny List” in the AED User Guide
or APS User Guide.

Payload Regular Expression Settings


Use the Payload Regular Expression settings to drop malicious TCP traffic and UDP traffic
or to temporarily add the hosts that sent the malicious traffic to the deny list. Payload
regular expressions help you to identify attacks by packets that contain unique data
patterns in their payloads. You also can configure these protection settings to inspect
packet headers.

Many application layer DDoS attacks and packet repetition attacks can be identified by
their payloads. The payload of a TCP packet or UDP packet consists of the data that
appears after the header.

The Payload Regular Expression protection settings are available for all of the IPv4 server
types and for the Generic IPv6 Server type. See “About the Server Types” on page 101.
Note
You can use the information in captured packets to help you write the regular
expressions. See “Configuring Regular Expressions from Captured Packets” on page 267.

You configure these protection settings on the following pages:
• Configure Server Type page: Select Protect > Inbound Protection > Server Types, and then click a server type name. The server must be associated with a managed device.
• Outbound Threat Filter page: Select Protect > Outbound Protection > Outbound Threat Filter.

About these settings


A managed device inspects all TCP traffic and UDP traffic sent from or sent to the specified ports, and matches each regular expression against each packet’s payload. If you enable the Apply Regular Expression to Packet Headers setting, then the managed device also matches each regular expression against each packet’s header.

You can select source or destination as the direction of the specified ports.

For inbound traffic, if the payload or header matches a regular expression, then the managed device drops the packet or temporarily blocks all traffic from the host. For outbound traffic, if the payload or header matches a regular expression, then the device drops the packet.

Note
If you enter a regular expression, but you do not specify any ports or port ranges, then
the managed device passes all of the TCP and UDP traffic.

Payload Regular Expression settings

You can configure the following Payload Regular Expression settings for each protection
level:

Enable Payload Regular Expression buttons
    Click one of these buttons to enable or disable this category for each protection
    level.

Port Direction buttons
    To inspect traffic that is sent from TCP ports and UDP ports on source hosts, click
    Source. To inspect traffic that is sent to TCP ports and UDP ports on destination
    hosts, click Destination.

Payload Regular Expression TCP Ports box
    Type the port numbers to define the TCP traffic to inspect. You can enter port
    numbers and port ranges (for example, 10-22). To inspect all TCP traffic, enter all.
    Use spaces or commas to separate multiple port numbers.
    If you set Port Direction to Source, then the managed device matches the regular
    expressions against TCP packets that are sent from the specified ports. If you set
    Port Direction to Destination, then the device matches the regular expressions
    against TCP packets that are sent to the specified ports.
    Note
    If you specify a regular expression, but you do not specify any ports or port
    ranges, then the managed device passes all TCP traffic.

Payload Regular Expression UDP Ports box
    Type the port numbers to define the UDP traffic to inspect. You can enter single
    port numbers and port ranges (for example, 10-22). To inspect all UDP traffic,
    enter all.
    Use spaces or commas to separate multiple port numbers and port ranges.
    If you set Port Direction to Source, then AED and APS match the regular
    expressions against UDP packets that are sent from the specified ports. If you set
    Port Direction to Destination, then AED and APS match the regular expressions
    against UDP packets that are sent to the specified ports.
    Note
    If you specify a regular expression, but you do not specify any ports or port
    ranges, then AED and APS pass all UDP traffic.

Payload Regular Expression box
    Type the regular expressions to match against packets sent from or sent to the
    specified ports. Use PCRE format. If you add multiple regular expressions, then
    press ENTER after each one. The managed device uses the OR operator for multiple
    regular expressions.
    Note
    If you enter a regular expression, but you do not specify any ports or port ranges,
    then the managed device passes all of the TCP and UDP traffic.
    If you enable the Apply Regular Expression to Packet Headers option, then the
    managed device also matches these expressions against the packet headers.

Apply Regular Expression to Packet Headers buttons
    Click Enabled to match the regular expressions against packet headers in addition
    to packet payloads. If you enable this option, then the managed device blocks
    attacks based on specific patterns in packet headers.
    To match the regular expressions against packet payloads only, click Disabled.

Action to Apply buttons
    Click Drop Packets to drop the packets that match regular expressions. Click Block
    Hosts to temporarily block all traffic from the hosts of the packets that match the
    regular expressions.
    Note
    This option only applies to inbound traffic. For outbound traffic, the managed
    device always drops the packets that match the regular expressions.
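The following added example (not AEM or AED code) models how the settings above combine: the port list parsing (single ports, ranges, "all", space or comma separators), the Port Direction choice, OR'd expressions, the optional header match, the inbound-only Block Hosts action, and the rule that an expression with no ports configured passes all traffic. Python's re module stands in for the PCRE engine the guide names; the packets and patterns are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed model of the Payload Regular Expression settings described above;
# this is example code, not AEM or AED code. Python's re module stands in for
# the PCRE engine the guide names.

def parse_ports(spec: str) -> Optional[Set[int]]:
    """'all' -> None (inspect everything); '' -> empty set; else the listed ports.
    Accepts single ports and ranges such as 10-22, separated by spaces or commas."""
    spec = spec.strip()
    if spec.lower() == "all":
        return None
    ports: Set[int] = set()
    for token in re.split(r"[\s,]+", spec):
        if not token:
            continue
        if "-" in token:
            lo, hi = (int(p) for p in token.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(token))
    return ports

@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    header: bytes
    payload: bytes

@dataclass
class PayloadRegexSettings:
    tcp_ports: str
    udp_ports: str
    regexes: List[str]                   # multiple expressions are OR'd together
    port_direction: str = "destination"  # or "source"
    apply_to_headers: bool = False       # Apply Regular Expression to Packet Headers
    action: str = "drop"                 # "drop" or "block_host" (inbound only)

def evaluate(settings: PayloadRegexSettings, pkt: Packet, inbound: bool = True) -> str:
    """Return 'pass', 'drop' or 'block_host' for one packet."""
    spec = settings.tcp_ports if pkt.proto == "tcp" else settings.udp_ports
    ports = parse_ports(spec)
    # Guide: a regular expression with no ports configured passes all traffic.
    if ports is not None and not ports:
        return "pass"
    port = pkt.src_port if settings.port_direction == "source" else pkt.dst_port
    if ports is not None and port not in ports:
        return "pass"
    targets = [pkt.payload]
    if settings.apply_to_headers:
        targets.append(pkt.header)
    compiled = [re.compile(p.encode()) for p in settings.regexes]
    if any(rx.search(t) for rx in compiled for t in targets):
        # Block Hosts applies to inbound traffic only; outbound matches are dropped.
        if inbound and settings.action == "block_host":
            return "block_host"
        return "drop"
    return "pass"

# Constructed sample settings: a packet-repetition signature and a constructed
# User-Agent string, inspected on destination ports 80 and 8080-8081.
SAMPLE_SETTINGS = PayloadRegexSettings(
    tcp_ports="80, 8080-8081",
    udp_ports="",
    regexes=[r"(?:ABCD){8}", r"User-Agent: FloodTool"],
)
```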

Private Address Blocking Settings


Enable the Private Address Blocking settings to protect against attacks that spoof private IP
addresses.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

Specific blocks of IP addresses are reserved for use on private networks and their traffic is
not intended to be routed to the internet. Typically, traffic from outside your network
should not originate from a private address. Such traffic is likely to be an attack in which
the private address is spoofed.

To protect against this kind of attack, AED and APS inspect the inbound traffic and block
any traffic whose source is a designated private address.


Note
These settings do not block outbound traffic. To block outbound traffic whose source or
destination is a private address:
1. Enable the outbound threat filter.
2. Add the private IP addresses to the Filter List protection category or to the Outbound
Deny Lists page.
For more information, see "Passing and Dropping Inbound Traffic and Outbound
Traffic" on page 164, and “Managing the Outbound Deny List” in the AED or APS User
Guide.

Rate-based Blocking Settings


The Rate-based Blocking settings use configured threshold values to identify and block
hosts that send excessive amounts of traffic to protected hosts or networks.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

These protection settings are available for all of the IPv4 server types and for the Generic
IPv6 Server type. See “About the Server Types” on page 101.

About these settings


You can configure these settings to help prevent flood, TCP SYN, and protocol attacks, as
well as connection table and request table exhaustion attacks. You also can configure
settings to prevent some user-initiated actions such as bulk content downloads and
peer-to-peer file hosting.

AED and APS use these settings to limit the rate at which any source host can send traffic.
AED and APS constantly examine the bit rate and packet rate of traffic from each source
host. If the traffic exceeds either of the configured thresholds, then AED and APS
temporarily block the source host.

Typically, you should set the thresholds to rates that are higher than any legitimate host
would be expected to send on a sustained basis. These rates can vary depending on the
services that the hosts offer. For example, if the protected hosts are content servers and
the source hosts are clients that send only requests and acknowledgments, low traffic
rates are expected.

AED and APS also use rate-based blocking settings for capturing traffic profiles. See
“Which protection settings are profiled?” on page 111.

Note
AED and APS use a speed measurement algorithm that applies a smoothing function to
reduce the possibility that short-term, high-traffic spikes are treated as attacks.


Rate-based Blocking settings


The Rate-based Blocking category contains the following settings for each protection level.
Note
If (View profile) appears next to a setting, then you can use profile data to help you
configure the appropriate values for that setting. See “Viewing and Tuning Individual
Protection Settings” or “Viewing and Tuning Protection Settings by Server Type” in the
AED or APS User Guide.

Bits per Second Threshold box
    Type the maximum rate of traffic in bits that a source can send before it is
    blocked.

Packets per Second Threshold box
    Type the maximum rate of traffic in packets that a source can send before it is
    blocked.

SIP Request Limiting Settings


Use the SIP Request Limiting settings to limit the number of SIP requests that a host can
send per second. These settings prevent attacks that disrupt VoIP service by flooding the
VoIP network with too many SIP requests.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

About these settings


AED and APS monitor the SIP requests from the source IP. They block any traffic that
exceeds the configured rate limit, and temporarily block the source host.

Because SIP servers can send a large amount of data in a single request, communications
between SIP servers may greatly exceed the rate limit. You can protect those servers by
adding them to a pass rule in the Filter List settings or adding them to the allow list.

See “Passing and Dropping Inbound Traffic and Outbound Traffic” on page 164 or “Adding
Inbound Traffic to the Allow List” on page 180.

SIP Request Limiting settings


The SIP Request Limiting category contains the following setting for each protection level.
Note
If (View profile) appears next to a setting, then you can use profile data to help you
configure the appropriate values for that setting. See “Viewing and Tuning Individual
Protection Settings” or “Viewing and Tuning Protection Settings by Server Type” in the
AED or APS User Guide.


SIP Source Limit box
    Type the maximum number of SIP requests to allow per second.
    To disable this setting, leave this box empty.

Spoofed SYN Flood Prevention Settings


Use the Spoofed SYN Flood Prevention settings to detect certain SYN flood attacks. A SYN
flood consists of a large number of uncompleted connection requests, which fill the
victim’s connection queues and consume its resources.

Important
When cleaned traffic is forwarded through a GRE tunnel, AED and APS do not use the
settings for Spoofed SYN Flood Prevention or DNS Authentication to inspect the traffic. In
this case, AED and APS ignore the settings for these protection categories because the
device would have to send packets back through the GRE tunnel. See “Inspecting GRE
tunnel traffic” in the AED or APS User Guide.

The Spoofed SYN Flood Prevention protection settings are available for all of the IPv4 server
types and for the Generic IPv6 Server type. See “About the Server Types” on page 101.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

About SYN flood attacks


A SYN flood attack exploits the TCP three-way handshake, which establishes a connection
between a client and a server. During a SYN flood attack, the attacker sends a large
number of SYN packets. However, because the SYN packets contain spoofed source IP
addresses, the handshake is never completed.

Both Spoofed SYN Flood Prevention and TCP SYN Flood Detection protect against SYN
flood attacks. By forcing all TCP clients to authenticate that they are valid, Spoofed SYN
Flood Prevention can protect against highly distributed attacks.

If a managed device cannot authenticate a TCP connection, then it drops the traffic on
that connection but does not block the host.

About TCP authentication


The managed device authenticates TCP traffic in one of the following ways:
• The managed device replies to the client’s initial SYN packet with an ACK that has a
  special sequence number. If the client responds with the correct ACK, then the device
  authenticates the client, resets the connection, and passes its traffic without
  additional authentication.
• If TCP Out of Sequence Authentication is enabled, then the managed device replies to
  the client’s initial SYN with an ACK that imitates an existing, half-open TCP
  connection. If the client sends a reset, then the managed device authenticates the
  client, and the client opens a new TCP connection to the protected host.
  This authentication method targets non-HTTP protocols, such as HTTPS and SMTP, that
  do not support session redirects or retries. This method allows clients to connect to
  protected hosts without having to manually refresh their web browsers.

About HTTP authentication


If you enable HTTP authentication, then the AED and APS devices ensure that the source
host is a valid HTTP client in one of the following ways:
• HTTP redirect — The managed device replies to the client’s initial request with a 302
  redirect. If the client sends a redirected request, then the device authenticates the
  client and redirects it to the original URL.
  This authentication method causes the web browser to retry the request without a
  connection reset.
• HTTP soft reset — In this simplified version of the HTTP redirect authentication, the
  managed device replies to the client, asking it to resend its request. If the client
  resends the request, then the device authenticates the client.
• HTTP JavaScript — In response to a request, the managed device sends a small amount
  of JavaScript to the client. If the client responds with a redirect, then the device
  authenticates the client.

Automating Spoofed SYN Flood Prevention


You can automate Spoofed SYN Flood Prevention. To do this, you enable the Spoofed
SYN Flood Prevention Automation setting and then specify an automation threshold. If
the rate of SYN packets sent to any protected host in a protection group exceeds this
threshold, then the managed device performs TCP authentication or HTTP authentication
as configured. Otherwise, if all protected hosts in a protection group are receiving SYN
packets at a rate below the threshold, then the device does not perform the configured
authentication.

Testing the settings


Before you enable these settings for active mitigation, test them thoroughly in a lab
environment. Because these settings require two-way communications, they must be
tested in an inline deployment mode (Inline Routed or Inline Bridged) and the active
protection mode. See “Setting the Deployment Mode” in the AED or APS User Guide and
“Setting the Protection Mode (Active or Inactive)” on page 95.


Spoofed SYN Flood Prevention settings


The Spoofed SYN Flood Prevention protection category contains the following settings for
each protection level.

Prevent Spoofed SYN Floods buttons
    Click one of the following buttons to select the authentication method that the
    managed device uses to detect spoofed SYN flood attacks:
    • Off — Disables spoofed SYN flood attack detection.
    • TCP — Enables TCP authentication. The device inspects TCP traffic to
      authenticate the connections.
    • TCP+HTTP — Enables HTTP authentication in addition to TCP authentication. The
      managed device authenticates TCP connections and ensures that the source host
      is a valid HTTP client.
    The option that you select determines which protection settings are available for
    this protection category.

Except on ports box
    For applications that have difficulty with spoofed SYN flood authentication, type
    the affected application ports. If the traffic’s destination ports match any of
    these ports, then the managed device skips the TCP authentication.

TCP Out of Sequence Authentication buttons
    Click one of these buttons to enable or disable this authentication method. If you
    enable this setting, then the managed device uses this method to authenticate a TCP
    connection instead of attempting to complete the TCP 3-way handshake. See “About
    TCP authentication” on page 146.

Spoofed SYN Flood Prevention Automation buttons
    Click one of these buttons to enable or disable automating this protection
    category. If you automate this protection category, then you must specify an
    automation threshold.

Automation Threshold box
    Enter a value in pps. The managed device performs TCP authentication or HTTP
    authentication as configured only if the rate of SYN packets sent to any protected
    host in a protection group exceeds this threshold. If the rate of SYN packets falls
    below this threshold, then the device stops performing the configured
    authentication.

HTTP Authentication Method buttons
    Click one of the following buttons to select the method that the managed device
    uses to authenticate HTTP traffic on ports 80 and 8080:
    • Redirect — Sends a 302 redirect to the client.
    • Soft Reset — Asks the client to resend its request.
    • JavaScript — Sends a JavaScript response to the client.
    Note
    If you select the JavaScript option, then legitimate clients that do not have
    JavaScript enabled cannot connect to protected hosts.

STIX Feeds Settings


Enable the STIX Feeds settings to identify and block any traffic that matches the STIX IoCs
in the TAXII collections. The STIX feeds are supported in AED only. However, you can
enable and disable the use of STIX feeds in AEM.

When you enable these settings, AED identifies and blocks traffic that matches any STIX
IoCs in the TAXII collections. When you disable the settings, AED does not identify or block
traffic that matches the STIX IoCs. By default, STIX threats are enabled for outbound
traffic and disabled for inbound traffic.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

For information about how to configure AED to accept STIX IoCs, see “Configuring TAXII
Clients to Push STIX IoCs to AED” in the AED User Guide.

TCP Connection Limiting Settings


Enable the TCP Connection Limiting settings to limit the number of concurrent TCP
connections that can originate from a single host. You can enable settings for each of the
protection levels.

These settings prevent attacks that overwhelm the victim's connection resources with an
excessive number of TCP connections. For example, some botnets open hundreds of
active or inactive TCP connections. A sufficiently large number of connections can
consume all of the server's resources and prevent the server from accepting clean traffic.


You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

About these settings


AED and APS monitor the TCP requests from the source IP and count the number of SYN
messages that are followed by an ACK message. When the number of concurrent
connections from a single host exceeds a preconfigured rate limit, the managed device
blocks that traffic. The managed device does not block the source host.

These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 101.

TCP Connection Reset Settings


Use the TCP Connection Reset settings to track established TCP connections and drop the
traffic when a connection remains idle for too long. This category can protect against the
following types of TCP state exhaustion attacks:
• flood
• TCP SYN
• slow HTTP post
• protocol

The TCP Connection Reset settings also can protect against the exhaustion of TCP
connection resources that occurs when server connection tables are filled. These
problems can be caused by idle TCP connections or user-initiated actions such as bulk
content downloads and peer-to-peer file hosting.

These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 101.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

About these settings


When AED or APS monitors a TCP connection, the managed device verifies that the source
host sends the request header within a certain amount of time. The device also verifies
that the host maintains a specified rate of transmission for the entire request.

If a TCP connection does not meet these requirements, then the device resets the
connection. Also, if any source host exceeds the configured number of consecutive
violations, then the device temporarily blocks the host.

About the protected ports


The managed devices apply the TCP Connection Reset settings to the following ports:
• 80 — HTTP traffic (web traffic)
• 443 — HTTPS traffic (web traffic)
• 25 — SMTP traffic (email)

You cannot manually configure the ports for the TCP Connection Reset settings.


TCP Connection Reset settings


The TCP Connection Reset category contains the following settings for each protection
level.

Enable TCP Connection Reset buttons
    Click one of these buttons to enable or disable this category.

Minimum Request Bit Rate box
    Type the minimum rate of bits per second that a host must maintain when sending an
    individual request. The managed device checks several times per minute to verify
    that the transmitted data does not fall below this limit.
    If the data rate falls below this limit for a minimum of 60 seconds, then the
    managed device resets the connection or blocks the host.

TCP Connection Idle Timeout box
    Type the number of seconds that must elapse before an idle connection is reset or
    blocked. For the medium and high protection levels, the default value is 120
    seconds. There is no default value for the low protection level.

Track Connections After Initial State check box
    Click Enabled to track a connection after it leaves the initial state.

TCP Connection Initial Timeout box
    Type the number of seconds that a connection can be idle after it is first
    established before it is blocked.

Initial Timeout Required Data box
    Type the number of bytes that a host must send within the initial timeout period
    for the timeout to be canceled.
    For example, the default TCP Connection Initial Timeout is 10 seconds and the
    default Initial Timeout Required Data is 1 byte. In this case, the connection has
    10 seconds in which to send 1 byte of data. If the specified amount of data is not
    sent within 10 seconds, then the connection is reset.

Consecutive Violations before Blocking Source box
    Type the number of consecutive idle connections to allow before a host is blocked.
    You can enter a larger number for applications with multiple TCP control
    connections that might be idle simultaneously due to a single lack of user action.
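The added example below (not AEM or AED code) models how the TCP Connection Reset settings interact on one periodic check: the initial timeout with its required data, the idle timeout, the minimum request bit rate that must stay below the limit for 60 seconds before it counts, and the per-source violation streak that ends in a temporary block. The 10 s / 1 byte and 120 s defaults and the 60 s period come from the guide; the bit rate, the violation count, the 15 s check interval and the rule that a normal close clears a source's streak are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the TCP Connection Reset checks described above; this is
# example code, not AEM or AED code. The 10 s / 1 byte initial timeout, 120 s
# idle timeout and 60 s low-rate period come from the guide; the bit rate,
# violation count and the rule that a normal close clears a source's streak
# are assumptions made for the example.

@dataclass
class ResetSettings:
    min_request_bps: float = 8000.0     # Minimum Request Bit Rate (assumed value)
    idle_timeout: float = 120.0         # TCP Connection Idle Timeout
    track_after_initial: bool = True    # Track Connections After Initial State
    initial_timeout: float = 10.0       # TCP Connection Initial Timeout
    initial_required_bytes: int = 1     # Initial Timeout Required Data
    violations_before_block: int = 3    # Consecutive Violations before Blocking Source
    low_rate_grace: float = 60.0        # rate must stay below the limit this long

@dataclass
class Conn:
    src: str
    opened_at: float
    last_check: float
    total_bytes: int = 0
    bytes_since_check: int = 0
    last_data_at: Optional[float] = None
    low_rate_since: Optional[float] = None

class ConnectionResetTracker:
    def __init__(self, settings: ResetSettings):
        self.s = settings
        self.conns: Dict[str, Conn] = {}
        self.violations: Dict[str, int] = {}   # consecutive violations per source
        self.blocked: set = set()

    def open(self, cid: str, src: str, t: float) -> None:
        self.conns[cid] = Conn(src=src, opened_at=t, last_check=t)

    def data(self, cid: str, t: float, nbytes: int) -> None:
        c = self.conns[cid]
        c.total_bytes += nbytes
        c.bytes_since_check += nbytes
        c.last_data_at = t

    def close(self, cid: str) -> None:
        # Assumption: a connection that completes normally clears the streak.
        c = self.conns.pop(cid)
        self.violations[c.src] = 0

    def _violation(self, c: Conn, t: float) -> Optional[str]:
        """Return the reason this connection violates the settings, if any."""
        if c.total_bytes < self.s.initial_required_bytes:      # still in initial state
            return "initial-timeout" if t - c.opened_at >= self.s.initial_timeout else None
        if not self.s.track_after_initial:
            return None
        last = c.last_data_at if c.last_data_at is not None else c.opened_at
        if t - last >= self.s.idle_timeout:
            return "idle-timeout"
        interval = t - c.last_check
        bps = c.bytes_since_check * 8 / interval if interval > 0 else self.s.min_request_bps
        if bps >= self.s.min_request_bps:
            c.low_rate_since = None
            return None
        if c.low_rate_since is None:
            c.low_rate_since = t
        return "min-bit-rate" if t - c.low_rate_since >= self.s.low_rate_grace else None

    def check(self, t: float) -> List[Tuple[str, str]]:
        """Periodic check ('several times per minute'); returns reset/block actions."""
        actions: List[Tuple[str, str]] = []
        for cid, c in list(self.conns.items()):
            reason = self._violation(c, t)
            c.last_check = t
            c.bytes_since_check = 0
            if reason is None:
                continue
            actions.append(("reset", cid))        # the device resets the connection
            del self.conns[cid]
            n = self.violations.get(c.src, 0) + 1
            self.violations[c.src] = n
            if n == self.s.violations_before_block:
                self.blocked.add(c.src)           # then temporarily blocks the host
                actions.append(("block", c.src))
        return actions
```

A slow-sending client that trickles 100 bytes and then stalls is reset on the fifth 15 s check (60 s below the limit), while three never-used connections from one source are all reset at the 10 s initial timeout and trip the three-violation block together.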

TCP SYN Flood Detection Settings


Use the TCP SYN Flood Detection settings to detect TCP SYN flood attacks, which are also
known as SYN floods. A SYN flood consists of a large number of connection requests that
cannot be completed. These requests fill the victim’s connection queues and consume its
resources.


You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

About SYN flood attacks


The SYN flood attack exploits the TCP three-way handshake that establishes a connection
between a client and a server. During a SYN flood attack, the attacker sends a large
number of SYN packets. However, it does not return the final ACK responses and the
handshake is never completed.

The server waits for the ACK responses until it times out. A sufficiently large number of
half-open connections can consume all of the server’s resources and prevent the server
from accepting clean traffic.

Both Spoofed SYN Flood Prevention and TCP SYN Flood Detection protect against SYN
flood attacks. However, while Spoofed SYN Flood Prevention can protect against highly
distributed attacks, TCP SYN Flood Detection uses rate thresholds to detect high rate,
undistributed SYN flood attacks.

About these settings


The managed device intercepts all TCP traffic that originates from a single source and
then completes the following tests:
• Compares the number of SYN packets per second to the configured SYN Rate.
• Subtracts the number of ACK packets from the number of SYN packets and compares
  the result to the configured SYN ACK Delta Rate.

The managed device blocks any traffic that exceeds either of these rate limits and
temporarily blocks the source host.

TCP SYN Flood Detection settings


The TCP SYN Flood Detection category contains the following settings for each protection
level:

Enable SYN Flood Detection buttons
    Click one of these buttons to enable or disable this category.

SYN ACK Delta Rate box
    Type the allowable difference between the number of ACK packets and the number of
    SYN packets (SYN - ACK = delta). This rate should be lower than the SYN Rate.
    In clean traffic, the number of ACK packets from a specific source should exceed or
    be slightly less than the number of SYN packets from that source.
    This threshold represents the allowable difference between the two types of packets
    and allows the managed device to detect attackers that send only SYN packets.
    To disable this setting, leave this box empty.

SYN Rate box
    Type the number of packets per second that a source can send before it is blocked.
    In a data center environment, a client typically does not establish a large number
    of connections per second. This threshold allows the managed device to detect
    blatant SYN floods based on the number of connection requests from a single
    source.
    To disable this setting, leave this box empty.
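The added example below (not AEM or AED code) runs the two TCP SYN Flood Detection tests over constructed per-source traffic: SYN packets per second against the SYN Rate, and SYN minus ACK against the SYN ACK Delta Rate. The thresholds, addresses and packet mix are constructed; it shows why the guide advises keeping the delta rate below the SYN Rate, since a SYN-only source under the SYN Rate is caught only by the delta test.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed model of the TCP SYN Flood Detection tests described above; this is
# example code, not AEM or AED code. Packets are (timestamp, source, tcp_flags)
# tuples constructed for the example; the thresholds are constructed values.

SYN, ACK = 0x02, 0x10

@dataclass
class SynFloodSettings:
    syn_rate: Optional[float] = 500.0            # SYN Rate (pps); None disables
    syn_ack_delta_rate: Optional[float] = 200.0  # SYN ACK Delta Rate (pps); None disables

def per_second_counts(packets):
    """Count SYN-only packets and ACK-bearing packets per (source, whole second)."""
    counts = defaultdict(lambda: {"syn": 0, "ack": 0})
    for ts, src, flags in packets:
        bucket = counts[(src, int(ts))]
        if flags & SYN and not flags & ACK:
            bucket["syn"] += 1   # connection request
        elif flags & ACK:
            bucket["ack"] += 1   # handshake completion or data ACK
    return counts

def detect(settings: SynFloodSettings, packets) -> Dict[str, str]:
    """Return {source: reason} for every source that exceeds either rate limit
    in any one-second interval; an empty setting disables that test."""
    flagged: Dict[str, str] = {}
    for (src, _sec), c in per_second_counts(packets).items():
        if src in flagged:
            continue
        if settings.syn_rate is not None and c["syn"] > settings.syn_rate:
            flagged[src] = "syn-rate"
        elif (settings.syn_ack_delta_rate is not None
              and c["syn"] - c["ack"] > settings.syn_ack_delta_rate):
            flagged[src] = "syn-ack-delta"
    return flagged

def constructed_traffic():
    """One second of constructed traffic from three sources."""
    pkts = []
    # Ordinary client: 50 connections/s, every SYN followed by an ACK.
    for i in range(50):
        pkts.append((100 + i / 50, "10.1.1.10", SYN))
        pkts.append((100 + i / 50 + 0.01, "10.1.1.10", ACK))
    # High-rate source: 600 SYNs/s that all complete (delta 0, above SYN Rate).
    for i in range(600):
        pkts.append((100 + i / 600, "10.1.1.20", SYN))
        pkts.append((100 + i / 600 + 0.001, "10.1.1.20", ACK))
    # SYN-only source: 300 SYNs/s and no ACKs (under SYN Rate, over delta).
    for i in range(300):
        pkts.append((100 + i / 300, "203.0.113.7", SYN))
    return pkts
```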

TLS Attack Prevention Settings


Enable the TLS Attack Prevention settings to protect against attacks that exploit SSL or TLS
on application servers such as Web, Mail, or secure VPN servers. You can enable settings
for each of the protection levels.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

About these settings


The SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption protocols
underlie secure services on the internet. Because these protocols are resource intensive,
the services that rely on them are particularly vulnerable to resource exhaustion attacks.
During these attacks, clients send small requests that force the server to perform a
disproportionately large amount of work to set up a secure session.

The TLS Attack Prevention settings enforce correct protocol usage and block malformed
SSL requests and TLS requests. These settings also block clients that attempt to exploit
the protocols to exhaust server resources.

When the managed device receives an SSL request or a TLS request, it performs the
following tests:
• Validates the request according to the following criteria:
  - The negotiation messages are well-formed.
  - The protocol options are used properly.
  - The message length and fragmentation are reasonable.
  - The protocol version is acceptable.
• Verifies that acceptable SSL or TLS handshake behaviors occur as follows:
  - The messages are sent in the correct sequence.
  - Renegotiation requests do not occur outside of an established session.
• Verifies that the following items do not exceed the preconfigured limits:
  - The number of cipher suites that are advertised.
  - The number of extensions that are sent.
  - The number of compression algorithms that are advertised.
  - The number of connections that are closed before a handshake is completed.

If any of these evaluations fails, then the managed device blocks the request and
temporarily blocks the source host.
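The added example below (not AEM or AED code) shows the part of these tests that can be evaluated on a single ClientHello: it parses one TLS handshake record, rejects length mismatches and truncation as malformed, checks the protocol version, and counts the advertised cipher suites, extensions and compression methods against limits. The limits and the test ClientHello builder are constructed for the example; sequence and renegotiation checks need connection state and are not modelled.

```python
import struct
from dataclasses import dataclass

# Constructed example of the ClientHello validation and limit checks described
# above; this is example code, not AEM or AED code. Limits are constructed.

@dataclass
class TlsLimits:
    max_cipher_suites: int = 64
    max_extensions: int = 32
    max_compression_methods: int = 2
    min_version: int = 0x0301   # TLS 1.0 as carried in the ClientHello version field
    max_version: int = 0x0303   # TLS 1.2 (TLS 1.3 also carries 0x0303 here)

class TlsParseError(ValueError):
    pass

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello; raise TlsParseError if malformed."""
    if len(record) < 5 or record[0] != 0x16:           # 0x16 = handshake content type
        raise TlsParseError("not a handshake record")
    rec_ver, rec_len = struct.unpack(">HH", record[1:5])
    body = record[5:]
    if len(body) != rec_len:
        raise TlsParseError("record length mismatch")
    if len(body) < 4 or body[0] != 0x01:               # 0x01 = ClientHello
        raise TlsParseError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:]
    if len(hello) != hs_len:
        raise TlsParseError("handshake length mismatch")
    pos = 0
    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(hello):
            raise TlsParseError("truncated ClientHello")
        chunk = hello[pos:pos + n]
        pos += n
        return chunk
    version = struct.unpack(">H", take(2))[0]
    take(32)                                           # client random
    take(take(1)[0])                                   # legacy session id
    cs_len = struct.unpack(">H", take(2))[0]
    if cs_len % 2:
        raise TlsParseError("odd cipher suite length")
    take(cs_len)
    n_compression = take(1)[0]
    take(n_compression)
    extensions = 0
    if pos < len(hello):                               # extensions block is optional
        ext_len = struct.unpack(">H", take(2))[0]
        end = pos + ext_len
        if end != len(hello):
            raise TlsParseError("extension block length mismatch")
        while pos < end:
            take(2)                                    # extension type
            extensions += 1
            take(struct.unpack(">H", take(2))[0])      # extension data
        if pos != end:
            raise TlsParseError("extension length overrun")
    return {"record_version": rec_ver, "version": version,
            "cipher_suites": cs_len // 2, "compression_methods": n_compression,
            "extensions": extensions}

def evaluate_client_hello(record: bytes, limits: TlsLimits) -> str:
    """Return 'pass' or the reason the request would be blocked."""
    try:
        info = parse_client_hello(record)
    except TlsParseError as e:
        return f"malformed: {e}"
    if not limits.min_version <= info["version"] <= limits.max_version:
        return "unacceptable version"
    if info["cipher_suites"] > limits.max_cipher_suites:
        return "too many cipher suites"
    if info["extensions"] > limits.max_extensions:
        return "too many extensions"
    if info["compression_methods"] > limits.max_compression_methods:
        return "too many compression methods"
    return "pass"

def build_client_hello(n_suites: int, n_exts: int, n_comp: int = 1,
                       version: int = 0x0303) -> bytes:
    """Construct a minimal ClientHello record for the example (not a real client)."""
    suites = b"".join(struct.pack(">H", 0x1300 + i) for i in range(n_suites))
    exts = b"".join(struct.pack(">HH", 0xFF00 + i, 0) for i in range(n_exts))
    hello = (struct.pack(">H", version) + bytes(32) + b"\x00"
             + struct.pack(">H", len(suites)) + suites
             + bytes([n_comp]) + bytes(n_comp)
             + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```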

Traffic Shaping Settings


Use the Traffic Shaping settings to limit the forwarding rate of the traffic that matches a
specific filter. These settings limit attack traffic to a level that allows protected hosts to
function and allows some clean traffic to reach those hosts.

The Traffic Shaping protection settings are available for all of the IPv4 server types and for
the Generic IPv6 Server type. See “About the Server Types” on page 101.

Note
Traffic shaping is also known as rate limiting.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

About these settings


The managed device inspects each packet to determine if the packet matches the filter
that you define. If the packet matches or if no filter is defined, then the managed device
compares the packet forwarding rate to the maximum rate settings. If the packet would
cause the forwarding rate to exceed either of the maximum rates, then it blocks the
packet. It does not block the source host.

Caution
Traffic shaping restricts clean traffic and attack traffic equally.

Use traffic shaping in the following situations only:
• when other settings fail to mitigate an attack and you cannot mitigate it in another way
• when other settings succeed only partially and the traffic levels remain high enough to
  be a continued threat

If you enable this category, then you must set at least one of the maximum rate settings.

Traffic Shaping settings


The Traffic Shaping category contains the following settings for each protection level:

Enable Traffic Shaping buttons
    Click one of these buttons to enable or disable this category.

Maximum bps box
    Type the maximum amount of traffic (in bps) to allow.

Maximum pps box
    Type the maximum amount of traffic (in pps) to allow.

Filter box
    (Optional) Type an FCAP expression that corresponds to the data that you want to
    match. For example, you can match IP addresses, CIDRs, and other traffic
    attributes.
    Type one expression per line. To include a comment, type a number sign (#) at the
    beginning of each comment line.

UDP Flood Detection Settings


Use the UDP Flood Detection settings to protect against attacks that send an excessive
number of UDP packets to a server to exhaust its resources.

You configure these settings on the Configure Server Type page. Select Protect > Inbound
Protection > Server Types, and then click a server type name. The server must be
associated with a managed device.

About UDP floods


A UDP flood occurs when an attacker sends a large number of UDP packets to random
ports on a server, often from a spoofed IP address. The server tries to determine the
applications that are listening on those ports. Because no applications are listening, the
server is forced to reply with many ICMP Destination Unreachable packets. If the number
of ICMP packets is great enough, then the server becomes unavailable to other clients.

The managed device inspects the UDP traffic that originates from a single source and
records the bits per second and packets per second. It blocks any traffic that exceeds the
configured rate limits. If the protection level is medium or high, then the managed device
temporarily blocks the source host.

UDP Flood Detection settings


The UDP Flood Detection category contains the following settings for each protection level.
Note
If (View profile) appears next to a setting, then you can use profile data to help you
configure the appropriate values for that setting. See “Viewing and Tuning Individual
Protection Settings” or “Viewing and Tuning Protection Settings by Server Type” in the
AED or APS User Guide.

UDP Flood Detection settings

Enable UDP Flood Detection buttons: Click one of these buttons to enable or disable this
category.

Maximum bps box: Type the maximum amount of traffic (in bps) to allow from a single
source.

UDP Flood Detection settings (continued)

Maximum pps box: Type the maximum amount of traffic (in pps) to allow from a single
source.

Section 10: Detecting and Mitigating Attacks with Attack Analysis

This section describes how to use Attack Analysis on AED 8100 appliances that AEM
manages. Attack Analysis examines the traffic that AED forwards to the protected
network for possible attacks. When Attack Analysis detects possible attack traffic, it
provides the recommended protection settings to configure for the identified server type,
to mitigate the attack.

In this section
This section contains the following topics:

How Attack Analysis Detects Attacks and Generates Protection Recommendations 156
Enabling Attack Analysis 158
Viewing Protection Recommendations for Mitigating Attacks 159

How Attack Analysis Detects Attacks and Generates Protection Recommendations
When an AED is in active mode, it blocks malicious traffic according to the configuration
of its protection settings. However, if the AED protection settings are not configured to
effectively stop an attack, then attack traffic may pass through AED to the protected
network.

To address this issue, you can enable Attack Analysis on AED 8100 appliances that AEM
manages. Attack Analysis detects possible attack traffic that AED forwards to the
protected network, and provides recommendations for mitigating the attacks it detects.

You enable Attack Analysis on an AED from the Device Console, which you access from
AEM. See “Enabling Attack Analysis” on page 158.

Important
Attack Analysis is supported only on AED 8100 appliances that AEM manages.

Note
When Attack Analysis is enabled, the TLS proxy is not supported.


How Attack Analysis works


Attack Analysis examines IPv4 traffic that AED inspects and forwards to the protected
network, to detect traffic patterns that match potential DDoS attack vectors that ASERT
defines. When Attack Analysis detects possible attack traffic, it displays alerts about the
attack and generates recommendations for mitigating the attacks it detects.

On AEM, the alerts appear on the Dashboard page and the Security Alerts page. On AED,
the alerts appear on the Summary page and the System Alerts page.

About notifications for Attack Analysis alerts


You configure notifications for the Attack Analysis alerts on the managed AED. To
configure notifications for the alerts, see “Configuring Notifications” in the Arbor Edge
Defense User Guide.

Note
When you configure notifications for the Attack Analysis alerts, always select Protection
as the alert type.


About the Attack Analysis protection recommendations


Important
On a device that AEM manages, the ability to configure protection settings is disabled.
You configure the recommended protection settings on AEM only.

The Attack Analysis page in AEM lists the recommended protection settings to configure
for a server type. The settings apply to a protection category and protection level for the
identified server type.

Note
The protection recommendations that Attack Analysis generates are shown only in AEM.
You cannot view them in AED.

You configure the recommended settings on the AEM Server Types page. To mitigate the
attack, you must configure all of the recommended protection settings for the server
type.

See “Changing the Protection Settings for Server Types” on page 108.

Expiration of attack alerts and removal of protection recommendations


Approximately every 60 seconds, Attack Analysis examines the traffic that a managed AED
forwards to the protected network. If Attack Analysis detects an attack that it previously
detected, then the current alerts and recommendations for that attack remain active. AED
does not generate new alerts or recommendations for attacks that Attack Analysis has
identified previously.

When Attack Analysis no longer detects an attack, the alerts expire for that attack. AEM
also removes the protection recommendation for the attack from the Attack Analysis page.

Enabling Attack Analysis


You can enable Attack Analysis on AED 8100 appliances that AEM manages. Attack
Analysis detects possible attack traffic that AED forwards to the protected network, and
provides recommendations for mitigating any attacks that it detects.

You view the protection recommendations on the Attack Analysis page. See “Viewing the
Attack Analysis protection recommendations” on the next page.

To learn more about Attack Analysis, see “How Attack Analysis Detects Attacks and
Generates Protection Recommendations” on page 156.

Important
Attack Analysis is supported only on AED 8100 appliances that AEM manages.

Viewing the state of Attack Analysis


To view whether Attack Analysis is enabled or disabled on an AED 8100 that AEM
manages:
1. On AEM, select Summary from the menu to open the Summary page.
2. In the System Information section, click (Launch device console) to the left of the
serial number for the managed AED whose Attack Analysis state you want to view.


3. When the Device Console opens, log in to the command line interface (CLI) with your
administrator user name and password for that AED.
4. Enter / services aed attack-analysis show

Changing the state of Attack Analysis


To enable or disable Attack Analysis on an AED 8100 that AEM manages:
1. On AEM, select Summary from the menu to open the Summary page.
2. In the System Information section, click (Launch device console) to the left of the
serial number for the managed AED on which you want to enable or disable Attack Analysis.
3. When the Device Console opens, log in to the command line interface (CLI) with your
administrator user name and password for that AED.
4. Enter / services aed attack-analysis {enable | disable}
{enable | disable} = To change the state of Attack Analysis, enter enable or
disable.

Viewing Protection Recommendations for Mitigating Attacks
If Attack Analysis detects possible attack traffic, it provides the recommendations for
mitigating the attack. You view the recommended protection settings on the Attack
Analysis page.

You configure the recommended settings on the Configure Server Type page for the server
type that the protection recommendation identifies. See “Configuring the recommended
protection settings” on the next page.

Important
Attack Analysis is supported only on AED 8100 appliances that AEM manages.

To enable Attack Analysis, see “Changing the state of Attack Analysis” on the previous page.

To learn more about Attack Analysis, see “How Attack Analysis Detects Attacks and
Generates Protection Recommendations” on page 156.

Viewing the Attack Analysis protection recommendations


To view the protection recommendations:
1. Select Protect > Inbound Protection > Attack Analysis.
2. (Optional) To change the information that is shown on the Attack Analysis page and
the order in which the information appears, perform any of the following actions:
• To filter the information, click (Add a filter) and select one or more types of
information to view. Then select one or more items for each filter type.
To delete a single item from a filter, click its (clear) icon. To delete an entire
filter, click (Clear) in its filter box.
• To change the sort order of the information, click the up arrow or down arrow to
the right of the column header that contains the information to sort by.
• To change which columns appear, click (Show or hide columns). Then click
(toggle button) to select the columns to show or hide.


3. On the Attack Analysis page, view the following information about an attack:

Attack information

First Identified: The time at which Attack Analysis first identified the attack.

Attack Vector: The type of attack. For example, TCP Reflection.

Target: The CIDR on the protected network that is the target of the attack.

Protection Group: The name of the protection group that protects the CIDR that is the
target of the attack.

Server Type: The name of the server type whose protection settings you need to
configure to mitigate the attack.

Device: The name of the managed AED on which Attack Analysis detects the attack.

Recommended Protection Settings: The protection settings to configure for the server
type on the Configure Server Type page.

Important
To mitigate an attack, you must configure all of the recommended protection
settings for the server type.
Note
In rare cases, Attack Analysis may detect two simultaneous attacks but provide
different protection recommendations for the same setting. In this situation, you
must decide which attack to mitigate.

Configuring the recommended protection settings


To configure the recommended protection settings:

1. Select Protect > Inbound Protection > Server Types.


2. On the Server Types page, click the name of the server type that the protection
recommendation identifies.
3. On the Configure Server Type page, configure the settings for the server type’s
protection category and protection level as identified in the protection
recommendation.
Important
To mitigate the attack, you must configure all of the recommended protection
settings for the server type.

For instructions, see “Changing the Protection Settings for Server Types” on page 108.



Section 11: Configuring Filter Lists to Drop and Pass Traffic

Filter lists allow you to configure fingerprint expression (FCAP) filters (rules) that drop and
pass traffic without further inspection. You can configure two types of filter lists.

Master filter lists compare the FCAP expressions to all protection group traffic across all
protection levels.

Filter lists compare FCAP expressions only to traffic for specific server types or the
outbound threat filter. These filter lists also allow you to configure different expressions
for each protection level.

In AEM, you can configure both types of filter lists for multiple AED and APS devices.

In this section
This section contains the following topics:

About Filter Lists 161


Configuring Master Filter Lists 163
Passing and Dropping Inbound Traffic and Outbound Traffic 164

About Filter Lists


Filter lists allow you to configure flow capture (FCAP) fingerprint expression rules that
drop and pass traffic without further inspection. You can configure two types of filter lists:
• Master filter lists for all protection groups across all protection levels. See “Master filter
lists” below.
• Filter lists for specific server types or the outbound threat filter. See “Filter lists for
server types or the outbound threat filter” on the next page.

If a drop FCAP expression matches inbound traffic, then AED and APS drop the matching
traffic for active protection groups only. See “Setting the Protection Mode (Active or
Inactive)” on page 95.

If a drop FCAP expression matches outbound traffic, then AED and APS drop the
matching traffic only when the outbound threat filter is enabled. See “Configuring the
Outbound Threat Filter” on page 121.

Master filter lists


Master filter lists contain drop and pass FCAP expressions that AED and APS compare to
all inbound traffic. If an FCAP expression matches inbound traffic for an active protection
group, then AED and APS drop or pass the matching traffic without further inspection.


See “Setting the Protection Mode (Active or Inactive)” on page 95.

Use master filter lists if you have a common list of FCAP expressions to apply to all
protection groups across all protection levels. When you use master filter lists, you do not
have to create filter lists for each server type at each protection level.

There are two master filter lists: a list for IPv4 protection groups and a list for IPv6
protection groups. Each time you edit a master filter list, AED and APS apply the updated
list to all IPv4 protection groups or all IPv6 protection groups. AED and APS also
automatically apply the master filter lists to new protection groups that you add.

See “Configuring Master Filter Lists” on the next page.

Filter lists for server types or the outbound threat filter


You can configure filter lists for specific server types. This type of filter list compares drop
and pass FCAP expressions to inbound traffic for protection groups that are associated
with the server type. You can configure different expressions for each protection level.
See “About the Protection Levels” on page 96.

You also can configure filter lists that compare FCAP expressions to outbound traffic. See
“Configuring the Outbound Threat Filter” on page 121.

Use filter lists to protect against threats based on specific situations. For example, if the
mitigation protects a server group that obtains content from other sources, then add the
connections to those other sources to a pass rule. You can exempt these connections
from further inspection because you know that they are legitimate.

See “Passing and Dropping Inbound Traffic and Outbound Traffic” on page 164.

How AED and APS evaluate and process packets


AED and APS use master filter lists and filter lists to evaluate and process packets as
follows:
• They immediately drop any packet that matches a drop rule. AED and APS do not
evaluate any additional rules or apply further settings for that packet.
• They immediately pass any packet that matches a pass rule. AED and APS do not
evaluate any additional rules or apply further settings for that packet.
• They pass a packet that matches neither a drop rule nor a pass rule to the next
protection category for further evaluation.

Alternative methods for passing and dropping traffic


If you prefer not to use FCAP expressions, then you can add hosts to the deny list and
allow list to drop and pass traffic without further inspection. However, FCAP expressions
are more flexible and powerful in their ability to find specific traffic. See “About the Deny
List and Allow List” on page 167.

Order of evaluation
AED and APS evaluate the items on master filter lists, filter lists, the deny list, and the
allow list in the following order:
1. the hosts on the deny list and the allow list
2. the master filter list
3. server-type filter lists
4. the deny list for countries, URLs, and domains

For example, consider the following rules:
• 192.0.2.0/24 on the allow list
• drop 192.0.2.11 in the master filter list

AED and APS apply the rules as follows:
1. Passes all of the traffic from the addresses within the 192.0.2.0/24 range.
2. Passes the traffic from 192.0.2.11, because the address falls within the 192.0.2.0/24
range, and hosts on the allow list take precedence over entries on the master filter
list. Therefore, the traffic from this address cannot be dropped by the master filter list.

Configuring Master Filter Lists


Use a master filter list to configure drop and pass flow capture (FCAP) fingerprint
expression rules to compare to inbound traffic for all protection groups (IPv4 and IPv6).
AED and APS apply the FCAP expressions in the master filter lists across all protection levels.

Master filter lists drop and pass inbound traffic only.

Important
If a drop FCAP expression matches inbound traffic, then AED and APS drop the matching
traffic for active protection groups only. See “Setting the Protection Mode (Active or
Inactive)” on page 95.

You also can configure filter lists that apply to a specific server type only or to the
outbound threat filter. See “Passing and Dropping Inbound Traffic and Outbound Traffic”
on the next page.

Configuring and editing master filter lists


To configure or edit a master filter list:
1. Select Protect > Inbound Protection > Master Filter Lists.
2. On the View Master Filter Lists page, click Edit.
3. In the IPv4 FCAP Expressions box or the IPv6 FCAP Expressions box, enter FCAP
expressions that correspond to the data to match. Enter expressions to match IP
addresses, CIDRs, and other traffic attributes.
Include a drop or pass keyword to specify the action AED and APS take on the
matched data. If you do not specify a keyword, then AED and APS consider it a drop
action.
Type one expression per line. To include a comment, type a number sign (#) at the
beginning of each comment line.
See “FCAP Expression Reference” on page 358.
4. To edit the lists, enter new expressions or delete the existing expressions in the FCAP
Expressions boxes.
5. Click Save.
6. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.


Order of evaluation within the master filter lists


AED and APS evaluate the FCAP expressions in the order in which they appear in the lists.
For example, consider the following rules:
pass src 192.0.2.11
drop proto udp

AED and APS apply these rules as follows:


1. Passes all of the traffic from 192.0.2.11, regardless of the protocol
2. Drops all of the UDP traffic whose source is not 192.0.2.11

Example: Master filter list settings


To have AED or APS pass TCP/22 SSH traffic from a block of addresses and block all other
TCP/22 SSH traffic, enter the following FCAP expressions:
pass port 22 and src 192.0.2.0/24
drop port 22

AED and APS pass the traffic on port 22 that is sent from 192.0.2.0/24 and block all other
traffic on port 22.
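The following Python evaluator is added here to make the first-match rule concrete; it is not NETSCOUT code and parses only the small FCAP subset that appears in the examples above: an optional leading pass or drop keyword, then the terms src, dst, port and proto joined by and, with comment lines beginning with a number sign. Two points about the syntax are assumptions made for the example: port matches either the source or the destination port, and a rule without a keyword is treated as a drop, as the text states. Real FCAP has many more primitives and operators; see “FCAP Expression Reference”. The packet values are constructed.

```python
"""First-match evaluation of a filter list (added example, not NETSCOUT code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def parse_filter_list(text):
    """Turn one expression per line into (action, terms, original_line) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # blank line or comment
        tokens = line.split()
        action = "drop"                      # no keyword: the device treats it as a drop
        if tokens[0] in ("pass", "drop"):
            action = tokens.pop(0)
        terms = []
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "and":
                i += 1
            elif tok in ("src", "dst"):
                terms.append((tok, ipaddress.ip_network(tokens[i + 1], strict=False)))
                i += 2
            elif tok == "port":
                terms.append(("port", int(tokens[i + 1])))
                i += 2
            elif tok == "proto":
                terms.append(("proto", tokens[i + 1].lower()))
                i += 2
            else:
                raise ValueError(f"unsupported token {tok!r} in rule {line!r}")
        if not terms:
            raise ValueError(f"rule {line!r} has no match terms")
        rules.append((action, tuple(terms), line))
    return rules


def _term_matches(term, pkt):
    kind, value = term
    if kind == "src":
        return ipaddress.ip_address(pkt.src) in value
    if kind == "dst":
        return ipaddress.ip_address(pkt.dst) in value
    if kind == "port":
        return value in (pkt.sport, pkt.dport)   # assumption: either direction
    if kind == "proto":
        return pkt.proto.lower() == value
    return False


def evaluate(rules, pkt):
    """Return (action, matching_rule). (None, None) means no rule matched and the
    packet continues to the next protection category."""
    for action, terms, line in rules:
        if all(_term_matches(t, pkt) for t in terms):
            return action, line              # first match wins; later rules are not read
    return None, None


# Constructed filter lists reproducing the two examples from the text.
SSH_LIST = """
# allow SSH only from the management block
pass port 22 and src 192.0.2.0/24
drop port 22
"""

UDP_LIST = """
pass src 192.0.2.11
drop proto udp
"""

if __name__ == "__main__":
    ssh = parse_filter_list(SSH_LIST)
    print(evaluate(ssh, Packet("192.0.2.5", "198.51.100.1", "tcp", 51000, 22)))
    print(evaluate(ssh, Packet("203.0.113.7", "198.51.100.1", "tcp", 51000, 22)))
    udp = parse_filter_list(UDP_LIST)
    print(evaluate(udp, Packet("192.0.2.11", "198.51.100.1", "udp", 40000, 53)))
```

Swapping the two lines of the UDP list changes the outcome: with drop proto udp first, the UDP traffic from 192.0.2.11 is dropped before the pass rule is ever reached, which is the practical reason to keep pass exceptions above the broad drop rules they qualify.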

Passing and Dropping Inbound Traffic and Outbound Traffic
Use the Filter List protection settings to configure a list of flow capture (FCAP) fingerprint
expression rules to drop and pass traffic without further inspection. You can configure
FCAP expressions to drop and pass inbound traffic and outbound traffic.

The Filter List settings for inbound traffic are available for all of the IPv4 server types and
for the Generic IPv6 Server type. The Filter List settings for outbound traffic only apply to
IPv4 traffic.

You configure these protection settings on the following pages:


• Configure Server Type page: Select Protect > Inbound Protection > Server Types, and
then click a server type name. The server must be associated with a managed device.
• Outbound Threat Filter page: Select Protect > Outbound Protection > Outbound
Threat Filter.

Configuring filter lists to drop and pass inbound traffic


For inbound traffic, you configure a filter list at the server-type level. As such, the filter list
only applies to protection groups that use the server type.

If a drop FCAP expression matches inbound traffic, then AED and APS drop the matching
traffic for active protection groups only.

Note
To compare drop and pass FCAP expressions to inbound traffic for all protection groups,
use the master filter lists. See “Configuring Master Filter Lists” on the previous page.

To configure a filter list for inbound traffic:


1. Select Protect > Inbound Protection > Server Types.
2. In the Server Types list, click the name link of the server type to edit.


3. In the left navigation menu, click Filtering.


4. In the Filter FCAP Expressions boxes in the Filter List section, enter the FCAP
expressions that correspond to the data to match. Enter expressions to match IP
addresses, CIDRs, and other traffic attributes. You can enter expressions for each
protection level.
Include a drop or pass keyword to specify the action to take on the matched data. If
you do not include a keyword, then AED and APS consider it a drop action.
Type one expression per line. To include a comment, type a number sign (#) at the
beginning of each comment line.
See “FCAP Expression Reference” on page 358.
Important
You can use IPv6 addresses in FCAP expressions only for the standard Generic IPv6
Server type and custom server types that are based on Generic IPv6 Server type.
5. To edit the filter list, enter new expressions or delete the existing expressions in the
Filter FCAP Expressions boxes.
6. Click Save.
7. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Configuring filter lists to drop and pass outbound traffic


For outbound traffic, you can drop and pass traffic by configuring Filter List settings for
the outbound threat filter. If the outbound threat filter is enabled and a drop FCAP
expression matches outbound traffic, then AED and APS drop the matching traffic. See
“Configuring the Outbound Threat Filter” on page 121.

To configure a filter list for the outbound threat filter:


1. Select Protect > Outbound Protection > Outbound Threat Filter.
2. On the Outbound Threat Filter page, click Filtering.
3. Select the Enable Outbound Threat Filter check box.
4. In the Filter FCAP Expressions boxes, enter the FCAP expressions that correspond to
the data to match. Enter expressions to match IPv4 IP addresses, IPv4 CIDRs, and
other traffic attributes. You can enter expressions for each protection level.
Include a drop or pass keyword to specify the action to take on the matched data. If
you do not include a keyword, then AED and APS consider it a drop action.
Type one expression per line. To include a comment, type a number sign (#) at the
beginning of each comment line.
See “FCAP Expression Reference” on page 358.
5. To edit the filter list, enter new expressions or delete the existing expressions in the
Filter FCAP Expressions boxes.
6. Click Save.
7. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.


Order of evaluation within filter lists


AED and APS evaluate the FCAP expressions in the order in which they appear in the lists.
For example, consider the following rules:
pass src 192.0.2.11
drop proto udp

AED and APS apply these rules as follows:


1. Passes all of the traffic from 192.0.2.11, regardless of the protocol
2. Drops all of the UDP traffic whose source is not 192.0.2.11

Example of filter list settings


To have AED or APS pass TCP/22 SSH traffic from a block of addresses and block all other
TCP/22 SSH traffic, enter the following FCAP expressions:
pass port 22 and src 192.0.2.0/24
drop port 22

AED and APS pass the traffic on port 22 that is sent from 192.0.2.0/24 and block all other
traffic on port 22.



Section 12:
Managing the Deny List and Allow List

AED and APS use the deny list to protect your network from malicious traffic, and they
use the allow list to allow trusted traffic.

In this section
This section contains the following topics:

About the Deny List and Allow List 167


About the Capacity of the Deny List and Allow List 170
Adding Inbound Traffic to the Deny List 172
Viewing and Searching the Inbound Deny List 174
Adding Outbound Traffic to the Deny List 177
Viewing and Searching the Outbound Deny List 178
Adding Inbound Traffic to the Allow List 180
Viewing and Searching the Inbound Allow List 181
Adding Outbound Traffic to the Allow List 183
Viewing and Searching the Outbound Allow List 185

About the Deny List and Allow List


AED and APS use the deny list to protect your network from malicious traffic, and use the
allow list to allow trusted traffic. AED and APS use the deny list and allow list as filters to
block traffic or pass traffic without further inspection, regardless of the current protection
level.

Note
As an alternative method to adding hosts to the deny list, you can use the Filter List
settings to block traffic without further inspection. The filter list uses FCAP expressions
to define the hosts. The FCAP expressions are more flexible and powerful in their ability
to find specific traffic. See “Passing and Dropping Inbound Traffic and Outbound Traffic”
on page 164.

Important
On a device that is managed by AEM, the ability to configure the deny lists and allow lists
is disabled. You edit the deny lists and allow lists in AEM only. Exception: you can
configure countries in the outbound deny list on a managed device.
For more information, see “About managing the deny list and allow list on AEM” on
page 170.


About the deny list and allow list


You configure the deny list and the allow list; AED and APS devices do not add items to
the deny list or allow list automatically.

You can create and manage the following types of deny lists and allow lists:

Types of deny lists and allow lists

Inbound deny list
Purpose: Blocks the inbound traffic that originates from specific hosts or countries, or
from the clients that access specific domains or URLs in your network.
Items you can add: Hosts (IPv4 and IPv6), countries, domains, and URLs

Inbound allow list
Purpose: Passes the inbound traffic that originates from specific hosts.
Items you can add: Hosts (IPv4 and IPv6)

Outbound deny list
Purpose: Blocks the traffic that is sent from specific internal hosts or to specific external
hosts. Also blocks the traffic that originates from your network and is sent to specific
countries.
Items you can add: Hosts and countries (IPv4 only)

Outbound allow list
Purpose: Passes the traffic that originates from your network and is sent from specific
hosts or to specific hosts.
Items you can add: IPv4 hosts only

Managed devices combine the items on the deny list and allow list and store them until
specific limits are met. On a managed device, any items that are added to the deny list or
allow list on AEM also are counted toward the total allowed items. See “About the
Capacity of the Deny List and Allow List” on page 170.

About denying and allowing inbound traffic by protection group


For inbound traffic, you can add hosts to the deny list and allow list for all protection
groups and for specific protection groups.
Typically, you can add items to the deny list and allow list for specific IPv4 protection
groups on the pages that contain information about the protection group. For example,
when you click a Deny List button on the View Protection Group page, the following
options appear: All PGs and For this PG.

You also can add items to the deny list and allow list for specific IPv4 protection groups by
using the API or the .csv files on a managed device. For IPv6 protection groups, the API
and .csv files are the only ways in which you can add items to the deny list and allow list
for specific protection groups.

When the items from the deny list or allow list appear throughout the UI, the associated
protection group information is displayed.
Note
Outbound traffic is not associated with protection groups.


About precedence
Before you add hosts to the deny list or allow list, consider the following information
about precedence:
• To avoid conflicts, AED and APS devices handle the precedence for duplicate hosts as
follows:
  - If you add the same host to a list for all protection groups and then add the same
    host to the other list for a specific protection group, then the entry on the list for all
    protection groups takes precedence. In this case, the managed device removes the
    entry from the list for the specific protection group.
  - If you add the same host to the deny list and the allow list for all protection groups,
    then the most recent entry takes precedence. In this case, the managed device
    removes the older entry.
  - If you add a host to the deny list and allow list for the same protection group, then
    the most recent entry takes precedence. In this case, the managed device removes
    the older entry.
  - If you add a host to the deny list or allow list for more than one protection group,
    then the managed device allows it because there are no conflicts.
• If a CIDR on the deny list or allow list overlaps an IP address on the other list, then the
most specific address takes precedence. For example, if 10.2.3.141 is on the allow list
and you add 10.2.3.0/24 to the deny list, then 10.2.3.141 remains on the allow list.
• The Invalid Packets category takes precedence over the deny list and allow list. As a
result, the managed device blocks invalid packets from allowed hosts. Also, in the
Attack Categories graphs, any traffic from allowed hosts that matches invalid packets is
attributed to invalid packets. See “Viewing the Attack Categories for a Protection
Group” on page 192.
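The following Python model is added here to show how the precedence rules above play out over a sequence of list changes; it is not NETSCOUT code. The add method applies the duplicate-host rules on insertion and the decision method applies the most-specific-address rule at lookup time. The protection group names and the addresses other than the 10.2.3.x example are invented. One case the text does not cover is handled by assumption: if a host is already on a list for a specific protection group and is then added to the other list for all protection groups, the all-PG entry is kept and the specific one is removed.

```python
"""Model of deny/allow list precedence (added example, not NETSCOUT code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    host: str            # normalised IP or CIDR, e.g. "10.2.3.141/32"
    action: str          # "deny" or "allow"
    pg: Optional[str]    # None means "All PGs"
    seq: int             # insertion order; higher is more recent


class InboundHostLists:
    def __init__(self):
        self.entries = []
        self._seq = 0

    def add(self, host, action, pg=None):
        """Add an entry; returns it, or None when an all-PG entry on the other list wins."""
        if action not in ("deny", "allow"):
            raise ValueError("action must be deny or allow")
        key = str(ipaddress.ip_network(host, strict=False))
        same_host = [e for e in self.entries if e.host == key]
        # Rule 1: an existing all-PG entry on the other list takes precedence over
        # a new entry for a specific PG; the device does not keep the new entry.
        if pg is not None and any(e.pg is None and e.action != action for e in same_host):
            return None
        self._seq += 1
        new = Entry(key, action, pg, self._seq)

        def superseded(e):
            if e.host != key:
                return False              # overlapping CIDRs are resolved at lookup time
            if e.action == action:
                return e.pg == pg         # exact duplicate is replaced; other PGs coexist
            if pg is None and e.pg is None:
                return True               # Rule 2: most recent entry wins
            if e.pg == pg:
                return True               # Rule 3: most recent entry wins within a PG
            return pg is None             # assumption: all-PG entry wins over a specific one

        self.entries = [e for e in self.entries if not superseded(e)] + [new]
        return new

    def entries_for(self, host):
        key = str(ipaddress.ip_network(host, strict=False))
        return [e for e in self.entries if e.host == key]

    def decision(self, ip, pg=None):
        """Return 'deny', 'allow' or None for a source, considering all-PG entries and,
        when pg is given, the entries for that protection group. The most specific
        matching address or CIDR wins."""
        addr = ipaddress.ip_address(ip)
        best = None
        for e in self.entries:
            if e.pg is not None and e.pg != pg:
                continue
            net = ipaddress.ip_network(e.host)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (e.action, net.prefixlen)
        return best[0] if best else None


def sample_walkthrough():
    """Constructed sequence of list changes; returns the resulting decisions."""
    lists = InboundHostLists()
    lists.add("10.2.3.141", "allow")             # example from the text
    lists.add("10.2.3.0/24", "deny")             # 10.2.3.141 stays allowed (more specific)
    lists.add("198.51.100.9", "deny")            # all PGs
    rejected = lists.add("198.51.100.9", "allow", pg="web")   # all-PG deny wins
    lists.add("203.0.113.4", "deny", pg="web")
    lists.add("203.0.113.4", "deny", pg="dns")   # same list, other PG: no conflict
    lists.add("203.0.113.4", "allow", pg="web")  # replaces the web deny entry only
    return {
        "allow_inside_denied_cidr": lists.decision("10.2.3.141"),
        "rest_of_cidr": lists.decision("10.2.3.7"),
        "specific_pg_rejected": rejected is None,
        "web": lists.decision("203.0.113.4", pg="web"),
        "dns": lists.decision("203.0.113.4", pg="dns"),
        "entries_for_203": len(lists.entries_for("203.0.113.4")),
    }


if __name__ == "__main__":
    print(sample_walkthrough())
```

The distinction worth noticing is that an exact duplicate host on the opposite list is resolved by removing an entry, whereas an overlapping CIDR is not: both entries stay on the lists and the longer prefix wins only when a packet is evaluated.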

Locations from which you can add items to the deny list and allow list
You can add items to the deny list and allow list from the following areas in the UI.

Locations for adding items to the deny list and allow list

Inbound Deny Lists page: See “Adding Inbound Traffic to the Deny List” on page 172.

Inbound Allow Lists page: See “Adding Inbound Traffic to the Allow List” on page 180.

Outbound Deny Lists page: See “Adding Outbound Traffic to the Deny List” on page 177.

Outbound Allow Lists page: See “Adding Outbound Traffic to the Allow List” on page 183.

View Protection Group page: See the following topics:
• “Viewing the Top IP Locations for a Protection Group” on page 201
• “Viewing the Top URLs for a Protection Group” on page 198
• “Viewing the Top Domains for a Protection Group” on page 199

Blocked Hosts Log page: See “Taking Action on a Blocked Host” on page 250.


Note
You also can add items to the deny list and allow list by using the API or .csv files.

About removing items from the deny list


Certain areas of the UI that display blocked traffic allow you to remove an item from the
deny list, which is also referred to as unblocking. For example, in the Top Countries section
of the Summary page, you can unblock a country on the deny list.
Unblocking an item removes it from the deny list but does not add it to the allow list.

How quickly do denying, allowing, and unblocking affect the traffic?


When you deny, allow, or unblock a host, country, domain, or URL, its traffic is affected as
follows:
• When you deny or allow an item, AED and APS begin to block or pass its traffic
immediately.
• When you unblock an item, AED and APS can take several minutes to remove it from
the deny list and pass its traffic.
• When you remove a temporarily blocked host from the deny list or add it to the allow
list, it is removed from the Temporarily Blocked Sources list immediately. When you do
the same for a CIDR or country that contains temporarily blocked hosts, those hosts
are removed from the Temporarily Blocked Sources list within five minutes.
To unblock an individual IP address immediately, add the IP address to the allow list.

After you deny, allow, or unblock an item in AEM, the change is applied to the managed
devices during the next synchronization. See “About Configuration Data Synchronization
with AEM” on page 90.

About managing the deny list and allow list on AEM


On a device that is managed by AEM, you configure the deny lists and allow lists on AEM
only. Exception: you can configure countries in the outbound deny list on a managed
device.

When you first connect a device to AEM, the deny lists and allow lists on AEM are copied
to the device. If a managed device already contains a deny list or allow list, then those lists
are merged with the items from AEM. Thereafter, you make changes in AEM only.
Periodically, the device checks AEM and obtains any changes to the deny lists and allow
lists. See “About Configuration Data Synchronization with AEM” on page 90.

About the Capacity of the Deny List and Allow List


The maximum number of items that the deny list and allow list can support on AED or
APS depends on the type of item and the device on which you add the item.

Note
Items that you add to the deny list and allow list on AEM are added to the combined
total for the lists on a managed device.

The following table describes the items that you can add to each type of deny list and
allow list:

List                   Items that you can add

Inbound deny list      IPv4 and IPv6 hosts, countries, domains, and URLs

Inbound allow list     IPv4 and IPv6 hosts

Outbound deny list     IPv4 hosts and countries

Outbound allow list    IPv4 hosts

For more information, see “About the Deny List and Allow List” on page 167.

Host limits by managed device


If AEM manages an APS or AED device, then the host limits for the device are as follows:

Device                               IPv4 host limit    IPv6 host limit

HD1000                               10,000             6,364

8100                                 16,000             5,091

2800                                 16,000             5,091

2600                                 6,400              2,036

vAPS_vAED, high-end configuration    400                254

vAPS_vAED, low-end configuration     2,000              1,272

The IPv4 limits include the hosts on the deny list and allow list for inbound traffic and
outbound traffic. The IPv6 limits include the hosts on the deny list and allow list for
inbound traffic only.

Limits for domains, URLs, and countries


For domains and URLs, a total of 5,000 items can be added for each protection group.
There is no limit for countries.

Note
AEM does not have a deny list for domains or URLs.

What happens when the limits are exceeded


On a managed device, you cannot enter an item that would exceed the limits for the
deny list and allow list on that device. However, AEM accepts excess items, whether you
add the items in the AEM UI or the items are added during the initial synchronization of
the device.

When the addition of an item causes AEM to exceed the limits, AEM treats the excess item
as follows:
• The excess item is added to the appropriate list on AEM, but the item is marked as
  disabled and does not affect any traffic.
• The disabled item appears on the deny list page or the allow list page in the AEM UI,
  but the entry is dimmed. However, you are able to delete the item.

• If you delete an enabled item, then space might become available for a disabled item.
  In this case, AEM identifies the oldest disabled item and enables that item. A global
  inbound item is enabled for all of the protection groups; an item for an individual
  protection group is enabled for that protection group only.
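The way the host limits are counted (IPv4 hosts across all four lists, IPv6 hosts across the inbound lists only) and the way AEM handles excess items (accepted but disabled, with the oldest disabled item re-enabled when an enabled item is deleted) are modelled in the following added example. It is not AEM's own code; the device limits are copied from the table above, and the class and function names, the list contents, and the fixed capacity used in the demo are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Host limits per managed device, copied from the table in this section:
# device -> (IPv4 host limit, IPv6 host limit)
HOST_LIMITS = {
    "HD1000": (10_000, 6_364),
    "8100": (16_000, 5_091),
    "2800": (16_000, 5_091),
    "2600": (6_400, 2_036),
    "vAPS_vAED high-end": (400, 254),
    "vAPS_vAED low-end": (2_000, 1_272),
}


def host_usage(inbound_deny, inbound_allow, outbound_deny, outbound_allow):
    """Count hosts the way the guide says the limits apply: IPv4 entries on all
    four lists count against the IPv4 limit, IPv6 entries count on the inbound
    lists only (the outbound lists cannot hold IPv6 at all)."""
    v4 = v6 = 0
    for entries, inbound in ((inbound_deny, True), (inbound_allow, True),
                             (outbound_deny, False), (outbound_allow, False)):
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=False)
            if net.version == 4:
                v4 += 1
            elif inbound:
                v6 += 1
            else:
                raise ValueError(f"IPv6 entry {entry!r} is not valid on an outbound list")
    return v4, v6


def fits_on_device(device, usage):
    """True if a (v4, v6) usage pair is within the device's limits."""
    v4_limit, v6_limit = HOST_LIMITS[device]
    v4, v6 = usage
    return v4 <= v4_limit and v6 <= v6_limit


@dataclass
class Entry:
    item: str
    seq: int                # insertion order; a lower value is an older entry
    enabled: bool = True


class AemHostList:
    """Hypothetical model of one AEM deny or allow list with a fixed capacity.
    Items beyond the capacity are accepted but marked disabled; deleting an
    enabled item frees a slot, which goes to the oldest disabled item."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = []
        self._seq = 0

    def enabled_count(self):
        return sum(1 for e in self.entries if e.enabled)

    def add(self, item):
        """Add an item; returns True if it is enabled, False if it is disabled."""
        entry = Entry(item, self._seq, enabled=self.enabled_count() < self.capacity)
        self._seq += 1
        self.entries.append(entry)
        return entry.enabled

    def delete(self, item):
        """Delete an item; if it was enabled, enable the oldest disabled item."""
        entry = next(e for e in self.entries if e.item == item)
        self.entries.remove(entry)
        if entry.enabled:
            disabled = [e for e in self.entries if not e.enabled]
            if disabled:
                min(disabled, key=lambda e: e.seq).enabled = True

    def state(self):
        """Map of item -> enabled flag, as the dimmed/normal rows in the UI would show."""
        return {e.item: e.enabled for e in self.entries}


if __name__ == "__main__":
    # Constructed sample lists: three IPv4 hosts/CIDRs and one IPv6 host.
    usage = host_usage(["198.51.100.7", "2001:db8::1"], ["203.0.113.0/24"],
                       ["192.0.2.9"], [])
    print("usage (v4, v6):", usage, "fits vAPS high-end:",
          fits_on_device("vAPS_vAED high-end", usage))
    lst = AemHostList(capacity=2)
    for host in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        print(host, "enabled" if lst.add(host) else "disabled")
    lst.delete("198.51.100.1")
    print("after deleting an enabled item:", lst.state())
```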

How synchronization between AEM and managed devices affects the capacity

During the synchronization of a deny list or allow list between AEM and its managed
devices, AEM or a managed device can exceed the limits for the deny list and allow list.
For example, a global item on AEM could cause a device to exceed its limit. In this case,
the new item is not added to the device.

During initial synchronization between AEM and a managed device, the following events
occur when the addition of existing items from the managed device to AEM causes AEM
to exceed its capacity:
• The item is added to AEM, but the item is marked as disabled.
• On an AED or APS, the item that caused AEM to exceed its capacity is deleted.
• Other managed devices do not obtain the disabled item during synchronization, even if
  the devices have the capacity to accept the item.
  For example, a disabled inbound item might apply to a specific protection group. Even
  if the protection group is assigned to a managed device that is below its capacity, that
  device does not obtain the disabled item.
• When AEM enables an item that was disabled, the item is applied to all of the
  appropriate managed devices.

See “About Configuration Data Synchronization with AEM” on page 90.

Adding Inbound Traffic to the Deny List


Use the inbound deny list to block the traffic to your network that originates from specific
hosts or countries, or from the clients that access specific domains in your network. AED
and APS always block the traffic from the hosts on the deny list without further
inspection, regardless of the current protection level.

Important
On a device that is managed by AEM, the ability to configure the deny lists and allow lists
is disabled. You edit the deny lists and allow lists in AEM only. Exception: you can
configure countries in the outbound deny list on a managed device.

For additional information about the deny list, see the following topics:
• “About the Deny List and Allow List” on page 167
• “Viewing and Searching the Inbound Deny List” on page 174

About the deny list settings


On the Inbound Deny Lists page, you can add the traffic’s source in the following ways:
• by the IP address or CIDR
• by the country
• by the domain or URL that is specified in the HTTP request header

If the deny list and allow list contain an IP address and a CIDR that overlaps that IP
address, the most specific address always takes precedence. For example, if the IP
address 10.2.3.141 is on the allow list, and you add the CIDR 10.2.3.0/24 to the deny list,
the IP address remains on the allow list.

If you add a host to the allow list or remove a host from the deny list, and that host is
temporarily blocked, it is removed from the Temporarily Blocked Sources list
immediately. When you do the same for a CIDR that contains temporarily blocked hosts,
those hosts are removed from the Temporarily Blocked Sources list within five minutes.
You can unblock an individual IP address immediately by adding that IP address to the
allow list.

Adding items to the inbound deny list


To add items to the inbound deny list:
1. Select Protect > Inbound Protection > Deny Lists.
2. On the Inbound Deny Lists page, select one of the following tabs:
• Source IP Address tab — to add an IP address or country
• Domains and URLs tab — to add a domain or URL
3. In the Add box, type any combination of the following items separated by commas,
and then click Add:

Selected tab             What you can add

Source IP Address tab    • IPv4 or IPv6 address
                         • CIDR
                         • Country name
                           As you type the name, the system displays the countries that
                           match your entry, and you can select a country from the list.

Domains and URLs tab     • Domain, for example, example.com
                         • URL, for example, www.example.com/doc1/?search=text
                           When you add a domain or URL to the deny list, AED or APS
                           blocks the traffic by matching the domain or URL that is
                           specified in the HTTP request header.

4. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
This audit trail information will be visible from the Inbound Deny Lists page.

Deleting items from the inbound deny list


Deleting an item from the deny list does not add it to the allow list. If you want to add a
host to the allow list from the Inbound Deny Lists page, see “Moving hosts from the deny
list to the allow list” on the next page.

To delete an item from the inbound deny list:


1. Select Protect > Inbound Protection > Deny Lists.
2. On the Inbound Deny Lists page, select the tab for the item that you want to delete.

3. Delete the item as follows:


• To delete the item for all the protection groups, click (Remove) to the far right of
  the item.
• To delete the item for a specific protection group, hover your mouse pointer over
  the protection group in the PGs Affected column. Click the (Remove) icon that
  appears.
4. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Moving hosts from the deny list to the allow list


Because only IP addresses and CIDRs can be added to the allow list, this option is
available in the Denied Hosts section only.

When you move a denied host to the allow list, it is removed from the deny list and added
to the allow list. If the host was added to the deny list for specific protection groups only,
then it is added to the allow list for those protection groups.

To move a denied host to the allow list:


1. Select Protect > Inbound Protection > Deny Lists.
2. On the Inbound Deny Lists page, select the Source IP Address tab.
3. Click the Allow List button to the far right of the IP address or CIDR.
4. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
This audit trail information will be visible from the Inbound Allow Lists page.

Viewing and Searching the Inbound Deny List


The Inbound Deny Lists page in AEM allows you to view the entire deny list for all of the
AED and APS devices that are managed by AEM. You can search this deny list for specific
hosts, CIDRs, countries, domains, or URLs. You can enter only one item per search, but the
search can return multiple results.

You also can use the Inbound Deny Lists page to add inbound traffic for all of the managed
devices to the deny list. See “Adding Inbound Traffic to the Deny List” on page 172.

Viewing the inbound deny list


To view the inbound deny list:
1. Select Protect > Inbound Protection > Deny Lists.
2. On the Inbound Deny Lists page, select the Source IP Address tab or the Domains and
URLs tab.
3. (Optional) You can collapse or expand the sections on the page at any time by clicking
(collapse) or (expand), respectively.
By default, all of the sections appear.
If the list of denied items continues on multiple pages, then you can use the paging
icons at the upper-right of each section to view additional items for that section.
4. To filter the list to display items of interest, you can search for specific items. See
“Searching the inbound deny list” on the next page.

Searching the inbound deny list


When you view the inbound deny list, you can filter the list to display items of interest by
searching for one or more items.

A search for any of the items on the Source IP Address tab returns any IP addresses,
CIDRs, or countries on the deny list that are associated with that address.
To search the inbound deny list:
1. Select Protect > Inbound Protection > Deny Lists.
2. On the Inbound Deny Lists page, select the Source IP Address tab or the Domains and
URLs tab.
3. In the Search box, type a search string as follows:

Selected tab             Search strings

Source IP Address tab    Type one of the following search strings:
                         • An IPv4 or IPv6 address.
                         • An IPv4 or IPv6 address range, with a hyphen to separate
                           the beginning IP address and ending IP address. For
                           example: 192.0.2.1-192.0.2.10
                         • A CIDR.
                         • A country name. As you type, the system displays the
                           countries that match your entry. You can continue to type
                           the country name or select a country from the list.

Domains and URLs tab     Type one of the following search strings:
                         • A full domain name or partial domain name.
                         • A full URL or partial URL.

4. Click Search.
5. If an item that you searched for is not on the inbound deny list, a message appears.
The following options might be available:
• You can click (add) in the message to add that item to the deny list.
  On a device that is managed by AEM, this function is disabled.
• (Source IP Address tab only) If the host is on the inbound allow list, you can click
  the link in the message to open the Inbound Allow Lists page and display that host.
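The three address forms that the Source IP Address tab accepts, and the fact that one search can return several entries, are shown by the following added example, which is not AEM's code: it parses a single address, a hyphenated range, or a CIDR into an address span and returns the entries of a constructed deny list that overlap it. Country-name search is left out because it needs a country database the example does not have; the list contents and function names are assumptions.

```python
import ipaddress
import re

# Constructed sample inbound deny list (Source IP Address tab), hosts and CIDRs only.
SAMPLE_DENY_LIST = [
    "192.0.2.5",
    "192.0.2.0/24",
    "198.51.100.0/25",
    "203.0.113.77",
    "2001:db8:1::/48",
]

# "first-last" form; IPv6 addresses never contain a hyphen, so the split is safe.
_RANGE = re.compile(r"^\s*([^\s-]+)\s*-\s*([^\s-]+)\s*$")


def parse_search(query):
    """Turn a search string (single address, 'first-last' range, or CIDR)
    into an inclusive (first, last) pair of ip_address objects."""
    m = _RANGE.match(query)
    if m:
        first, last = (ipaddress.ip_address(p) for p in m.groups())
        if first.version != last.version or first > last:
            raise ValueError(f"invalid address range: {query!r}")
        return first, last
    # A bare address parses as a /32 or /128 network, so one path covers both.
    net = ipaddress.ip_network(query.strip(), strict=False)
    return net[0], net[-1]


def search_deny_list(query, entries=SAMPLE_DENY_LIST):
    """Return every host or CIDR entry whose address space overlaps the query,
    in list order. One query may match several entries."""
    first, last = parse_search(query)
    hits = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != first.version:
            continue
        # Two inclusive spans overlap when neither lies entirely after the other.
        if net[0] <= last and net[-1] >= first:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for q in ("192.0.2.1-192.0.2.10", "192.0.2.200", "198.51.100.0/24", "2001:db8:1::beef"):
        print(f"{q:>24} -> {search_deny_list(q)}")
```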

Information on the Inbound Deny Lists page


By default, the inbound deny list is sorted by the Since column, beginning with the most
recent items. You also can sort the inbound deny list by the Hostname, Country, Domain
Name, or URLs columns on their respective tabs.

For each item on the list, the Inbound Deny Lists page displays the following information:

Inbound Deny Lists page details

Information          Description

Hosts                (Source IP Address tab only) Displays the host’s IP address or CIDR. If
                     the system can identify the host’s country, this column also includes a
                     flag icon that represents the country.
                     If the system can resolve the host name, you can see the host name by
                     hovering your mouse pointer over the IP address or CIDR. For IPv4 hosts
                     that are not private networks, you can see the country name by hovering
                     your mouse pointer over the flag icon.
                     Note
                     Country mappings do not exist for IPv6 addresses. If the source is an
                     IPv6 address, then this column includes an IPv6 flag icon instead of a
                     country flag icon. Also, for private networks, this column includes a
                     10 icon or a 192 icon.

Country              (Source IP Address tab only) Displays the country. If the system can
                     identify the country’s flag, this column also displays a flag icon.

Domain Name          (Domains and URLs tab only) Displays the domain.

URLs                 (Domains and URLs tab only) Displays the URL.

Since                Indicates the amount of time that the item has been on the inbound
                     deny list.

(information)        Displays the audit trail entry, if any, that was created when this item
                     was added to the list. Click next to the time period in the Since
                     column.

PGs Affected         Displays the protection groups for which the item is denied. When
                     multiple protection groups are listed, you can hover your mouse pointer
                     over a protection group to display (Remove). Click to remove the item
                     from the deny list for that protection group only.
                     On a device that is managed by AEM, this function is disabled.

Allow List button    Adds the item to the inbound allow list. Because you only can add hosts
                     to the allow list, this option is available in the Denied Hosts section
                     only.

(Remove)             Removes the item from the inbound deny list for all of the protection
                     groups without adding the item to the allow list.
                     On a device that is managed by AEM, this function is disabled.

If you add a host to the allow list or remove a host from the deny list, and that host is
temporarily blocked, it is removed from the Temporarily Blocked Sources list
immediately. When you do the same for a CIDR that contains temporarily blocked hosts,
those hosts are removed from the Temporarily Blocked Sources list within five minutes.
You can unblock an individual IP address immediately by adding that IP address to the
allow list.

Adding Outbound Traffic to the Deny List


Use the outbound deny list to block the IPv4 traffic that originates from your network and
is sent from specific internal hosts or to specific external hosts. AED and APS always block
the traffic from the hosts on the deny list without further inspection, regardless of the
current protection level.

For the outbound deny list to take effect, you must enable the outbound threat filter. See
“Configuring the Outbound Threat Filter” on page 121.

Note
You cannot add IPv6 traffic to the outbound deny list.

Important
On a device that is managed by AEM, the ability to configure the deny lists and allow lists
is disabled. You edit the deny lists and allow lists in AEM only. Exception: you can
configure countries in the outbound deny list on a managed device.

For additional information about the deny list, see the following topics:
• “About the Deny List and Allow List” on page 167
• “Viewing and Searching the Inbound Deny List” on page 174

About the outbound deny list settings


On the Outbound Deny Lists page, you can add the traffic’s source or destination to the
deny list by specifying an IPv4 address or CIDR.
If the deny list and allow list contain an IP address and a CIDR that overlaps that IP
address, the most specific address always takes precedence. For example, if the IP
address 10.2.3.141 is on the allow list, and you add the CIDR 10.2.3.0/24 to the deny list,
the IP address remains on the allow list.

If you add a host to the allow list or remove a host from the deny list, and that host is
temporarily blocked, it is removed from the Temporarily Blocked Sources list
immediately. When you do the same for a CIDR that contains temporarily blocked hosts,
those hosts are removed from the Temporarily Blocked Sources list within five minutes.
You can unblock an individual IP address immediately by adding that IP address to the
allow list.

Adding items to the outbound deny list


To add items to the outbound deny list:
1. Select Protect > Outbound Protection > Deny Lists.
2. In the Add box, type one or more IPv4 addresses or CIDRs separated by commas.
3. Click Add.
4. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
This audit trail information will be visible from the Outbound Deny Lists page.

Deleting items from the outbound deny list


Deleting an item from the outbound deny list does not add it to the outbound allow list. If
you want to move a host from the outbound deny list to the outbound allow list, see
“Moving hosts from the deny list to the allow list” below.

To delete an item from the outbound deny list:


1. Select Protect > Outbound Protection > Deny Lists.
2. On the Outbound Deny Lists page, click (Remove) to the far right of the item.
3. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Moving hosts from the deny list to the allow list


When you add a host to the allow list from the deny list, the host is removed from the
outbound deny list and added to the outbound allow list.

To move a host from the deny list to the allow list:


1. Select Protect > Outbound Protection > Deny Lists.
2. On the Outbound Deny Lists page, click the Allow List button to the far right of the
item.
3. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
This audit trail information will be visible from the Outbound Allow Lists page.

Viewing and Searching the Outbound Deny List


The Outbound Deny Lists page in AEM allows you to view the entire outbound deny list for
all the AED and APS devices that are managed by AEM. You can search this deny list for
specific IPv4 addresses or CIDRs, or for IPv4 addresses and CIDRs that match a specific
country.

Note
The outbound deny list does not include IPv6 addresses.

You also use the Outbound Deny Lists page to add outbound IPv4 traffic to the deny list on
any device that is managed by AEM. See “Adding Outbound Traffic to the Deny List” on
the previous page.

Important
You must enable the outbound threat filter for the outbound deny list to take effect. See
“Configuring the Outbound Threat Filter” on page 121.

Viewing the outbound deny list


To view the outbound deny list:
1. Select Protect > Outbound Protection > Deny Lists.
2. If the denied items continue on multiple pages, you can use the paging icons at the
upper-right of the page to view the additional items.
3. To filter the list to display items of interest, you can search for specific items. See
“Searching the outbound deny list” on the next page.

Searching the outbound deny list


When you view the outbound deny list, you can filter the list to display items of interest by
searching for one or more items.
To search the outbound deny list:
1. Select Protect > Outbound Protection > Deny Lists.
2. In the Search box on the Outbound Deny Lists page, type one of the following search
strings:
• An IPv4 address
• An IPv4 address range, with a hyphen to separate the beginning IP address and
  ending IP address. For example: 192.0.2.1-192.0.2.10
• A CIDR
• A country name. As you type, the system displays the countries that match your
  entry. You can continue to type the country name or select a country from the list.
3. Click Search.
4. If you search for a host that is not on the outbound deny list, a message appears. The
following options might be available:
• You can click (add) in the message to add the host to the outbound deny list.
  On a device that is managed by AEM, this function is disabled.
• If the host is on the outbound allow list, you can click the link in the message to
  open the Outbound Allow Lists page and display that host.

Information on the Outbound Deny Lists page


By default, the outbound deny list is sorted by the Since column, beginning with the most
recent items. You also can sort the outbound deny list by the Hosts column.

For each item, the Outbound Deny Lists page displays the following information:

Outbound Deny Lists page details

Information          Description

Hosts                Displays the host’s IP address or CIDR. If the system can identify the
                     host’s country, this column also includes a flag icon that represents
                     the country.
                     If the system can resolve the host name, you can see the host name by
                     hovering your mouse pointer over the IP address or CIDR. For IPv4 hosts
                     that are not private networks, you can see the country name by hovering
                     your mouse pointer over the flag icon.

Since                Indicates the amount of time that the item has been on the outbound
                     deny list.

(information)        Displays the audit trail entry, if any, that was created when this item
                     was added to the list. Click next to the time period in the Since
                     column.

Allow List button    Moves the item to the outbound allow list.
                     On a device that is managed by AEM, this function is disabled.

(Remove)             Removes the item from the outbound deny list without adding it to the
                     outbound allow list.
                     On a device that is managed by AEM, this function is disabled.

If you add a host to the allow list or remove a host from the deny list, and that host is
temporarily blocked, it is removed from the Temporarily Blocked Sources list
immediately. When you do the same for a CIDR that contains temporarily blocked hosts,
those hosts are removed from the Temporarily Blocked Sources list within five minutes.
You can unblock an individual IP address immediately by adding that IP address to the
allow list.

Adding Inbound Traffic to the Allow List


Use the inbound allow list to pass the inbound traffic that originates from specific
external hosts. AED and APS always pass the traffic from the allowed hosts without
further inspection, regardless of the current protection level.

Important
On a device that is managed by AEM, the ability to configure the deny lists and allow lists
is disabled. You edit the deny lists and allow lists in AEM only. Exception: you can
configure countries in the outbound deny list on a managed device.

For additional information about the deny list, see the following topics:
• “About the Deny List and Allow List” on page 167
• “Viewing and Searching the Inbound Deny List” on page 174

Allow list exception


An exception to the allowed behavior is when a managed device detects invalid packets.
Because the Invalid Packets protection takes precedence over the allow list, that device
blocks invalid packets even if the source host is on the allow list. See “Invalid Packets” on
page 194.

About the allow list settings


On the Inbound Allow Lists page, you can add the traffic’s source by specifying an IP
address, hostname, or CIDR.
If the deny list and allow list contain an IP address and a CIDR that overlaps that IP
address, the most specific address always takes precedence. For example, if the IP
address 10.2.3.141 is on the allow list, and you add the CIDR 10.2.3.0/24 to the deny list,
the IP address remains on the allow list.

When you add a host that is temporarily blocked to the allow list, the host is removed
from the Temporarily Blocked Sources list immediately. When you do the same for a CIDR
that contains temporarily blocked hosts, those hosts are removed from the Temporarily
Blocked Sources list within five minutes. You can unblock an individual IP address
immediately by adding that IP address to the allow list.

Adding hosts to the inbound allow list


To add hosts to the inbound allow list:
1. Select Protect > Inbound Protection > Allow Lists.
2. In the Add box, type one or more IPv4 or IPv6 addresses or CIDRs separated by
commas, and then click Add.
3. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
This audit trail information will be visible from the Inbound Allow Lists page.

Deleting items from the inbound allow list


Deleting an item from the allow list does not add it to the deny list. If you want to add an
item to the deny list from the Inbound Allow Lists page, see “Moving allowed hosts to the
deny list” below.

To delete an item from the inbound allow list:


1. Select Protect > Inbound Protection > Allow Lists.
2. On the Inbound Allow Lists page, delete the item as follows:
• To delete the item for all of the protection groups, click (Remove) to the far right
  of the item.
• To delete the item for a specific protection group, hover your mouse pointer over
  the protection group in the PGs Affected column. Click the (Remove) icon that
  appears.
3. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Moving allowed hosts to the deny list


You can move a host from the allow list to the deny list. If the host was added to the allow
list for specific protection groups only, then it is added to the deny list for those
protection groups.

To move an allowed host to the deny list:


1. Select Protect > Inbound Protection > Allow Lists.
2. On the Inbound Allow Lists page, click the Deny List button to the far right of the item.
3. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
This audit trail information will be visible from the Inbound Deny Lists page.

Viewing and Searching the Inbound Allow List


The Inbound Allow Lists page in AEM allows you to view the entire allow list for all of the
AED and APS devices that are managed by AEM. You can search this allow list for specific
IP addresses or CIDRs, or for IP addresses and CIDRs that match a specific country. You
can enter only one item per search but the search can return multiple results.

You also use the Inbound Allow Lists page to add inbound traffic to the allow list for all of
the managed devices. See “Adding Inbound Traffic to the Allow List” on page 180.

Viewing the inbound allow list


To view the inbound allow list:
1. Select Protect > Inbound Protection > Allow Lists.
2. If the items on the allow list continue on multiple pages, you can use the paging icons
at the upper-right of the section to view additional items.
3. To filter the list to display items of interest, you can search for specific items. See
“Searching the inbound allow list” below.

Searching the inbound allow list


When you view the inbound allow list, you can filter the list to display items of interest by
searching for one or more items.
To search the inbound allow list:
1. Select Protect > Inbound Protection > Allow Lists.
2. On the Inbound Allow Lists page, in the Search box, type one of the following search
strings:
• An IPv4 or IPv6 address.
• An IPv4 or IPv6 address range, with a hyphen to separate the beginning IP address
  and ending IP address. For example: 192.0.2.1-192.0.2.10
• A CIDR.
• A country name. As you type, the system displays the countries that match your
  entry. You can continue to type the country name or select a country from the list.
3. Click Search.
4. If you search for a host that is not on the inbound allow list, a message appears. The
following options might be available:
• You can click (add) in the message to add that host to the allow list.
• If the host is on the inbound deny list, you can click the link in the message to open
  the Inbound Deny Lists page and display that host.

Information on the Inbound Allow Lists page


By default, the inbound allow list is sorted by the Since column, beginning with the most
recent items. You also can sort the inbound allow list by the Hostname column.

For each item, the Inbound Allow Lists page displays the following information:

Information about the inbound allow list

Information          Description

Hosts                Displays the host’s IP address or CIDR. If the system can identify the
                     host’s country, this column also includes a flag icon that represents
                     the country.
                     If the system can resolve the host name, you can see the host name by
                     hovering your mouse pointer over the IP address or CIDR. For IPv4 hosts
                     that are not private networks, you can see the country name by hovering
                     your mouse pointer over the flag icon.
                     Note
                     Country mappings do not exist for IPv6 addresses. If the source is an
                     IPv6 address, then this column includes an IPv6 flag icon instead of a
                     country flag icon. Also, for private networks, this column includes a
                     10 icon or a 192 icon.

Since                Indicates the amount of time that the item has been on the inbound
                     allow list.

(information)        Displays the audit trail entry, if any, that was created when this item
                     was added to the list. Click next to the time period in the Since
                     column.

PGs Affected         Displays the protection groups that the item is associated with. When
                     multiple protection groups are listed, you can hover your mouse pointer
                     over a protection group to display (Remove). Click to remove the item
                     from the allow list for that protection group only.

Deny List button     Moves the item to the inbound deny list.

(Remove)             Removes the item from the inbound allow list for all the protection
                     groups without adding it to the deny list.

Adding Outbound Traffic to the Allow List


Use the outbound allow list to pass the IPv4 traffic that originates from your network and
is sent from specific internal hosts or to specific external hosts. AED and APS always pass
the traffic from or to the allowed hosts without further inspection, regardless of the
current protection level.

For the outbound allow list to take effect, you must enable the outbound threat filter. See
“Configuring the Outbound Threat Filter” on page 121.

Important
On a device that is managed by AEM, the ability to configure the deny lists and allow lists
is disabled. You edit the deny lists and allow lists in AEM only. Exception: you can
configure countries in the outbound deny list on a managed device.


For additional information about the deny list and allow list, see the following topics:
n “About the Deny List and Allow List” on page 167
n “Viewing and Searching the Inbound Deny List” on page 174

Allow list exception


An exception to this behavior is when a managed device detects invalid packets.
Because the Invalid Packets protection takes precedence over the allow list, the device
blocks invalid packets even if the source host is on the allow list. See “Invalid Packets” on
page 194.

About the outbound allow list settings


On the Outbound Allow Lists page, you can add the traffic’s source to the allow list by
specifying an IPv4 address or CIDR.
Note
You cannot add IPv6 traffic to the outbound allow list.

If the deny list and allow list contain an IP address and a CIDR that overlaps that IP
address, the most specific address always takes precedence. For example, if the IP
address 10.2.3.141 is on the allow list, and you add the CIDR 10.2.3.0/24 to the deny list,
the IP address remains on the allow list.
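The two precedence rules that govern these lists (the most specific entry wins across the allow list and deny list, and the Invalid Packets protection is evaluated before either list) are easy to misjudge when entries overlap. The following Python function is an added example and is not AEM, AED or APS code; it applies exactly those two rules to a host address. The list contents, the verdict strings, and the fail-closed handling of an identical prefix on both lists (a case the guide does not define) are assumptions of this example.

```python
"""Added example: allow/deny precedence as described in the AEM guide.

Not AEM/AED/APS code. Assumptions: entries are IPv4 addresses or CIDRs,
the longest matching prefix wins across the two lists, and the Invalid
Packets protection is checked before either list is consulted.
"""
import ipaddress
from typing import Iterable, Optional


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Accept a bare address ("10.2.3.141") or a CIDR ("10.2.3.0/24").

    A bare address becomes a /32 so that every entry has a prefix length.
    """
    net = ipaddress.ip_network(entry.strip(), strict=False)
    if net.version != 4:
        raise ValueError(f"only IPv4 entries are accepted: {entry}")
    return net


def most_specific_match(host: str,
                        entries: Iterable[str]) -> Optional[ipaddress.IPv4Network]:
    """Return the longest-prefix entry that contains host, or None."""
    addr = ipaddress.ip_address(host)
    best = None
    for entry in entries:
        net = parse_entry(entry)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def verdict(host: str, allow_list: Iterable[str], deny_list: Iterable[str],
            invalid_packet: bool = False) -> str:
    """Decide what happens to a packet from host.

    Returns "blocked:invalid-packets", "allowed", "blocked:denied-hosts",
    or "inspect" (no list entry matched; the normal protections apply).
    """
    # Rule 2: the Invalid Packets protection takes precedence over both lists.
    if invalid_packet:
        return "blocked:invalid-packets"

    allow = most_specific_match(host, allow_list)
    deny = most_specific_match(host, deny_list)

    if allow is None and deny is None:
        return "inspect"
    if deny is None:
        return "allowed"
    if allow is None:
        return "blocked:denied-hosts"

    # Rule 1: the more specific entry wins. The guide does not define the
    # case where the same prefix is on both lists (the UI moves entries
    # between lists rather than duplicating them); this example fails closed.
    if allow.prefixlen > deny.prefixlen:
        return "allowed"
    return "blocked:denied-hosts"


if __name__ == "__main__":
    # The guide's own example: the /32 on the allow list beats the /24 on the deny list.
    print(verdict("10.2.3.141", ["10.2.3.141"], ["10.2.3.0/24"]))  # allowed
    print(verdict("10.2.3.7", ["10.2.3.141"], ["10.2.3.0/24"]))    # blocked:denied-hosts
```

The check worth keeping from this example is the longest-prefix comparison: a broad deny CIDR never silently overrides a narrower allow entry, and a broad allow CIDR never overrides a narrower deny entry, so a reviewer auditing the two lists has to look at prefix lengths, not at list membership alone.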

When you add a host that is temporarily blocked to the allow list, the host is removed
from the Temporarily Blocked Sources list immediately. When you do the same for a CIDR
that contains temporarily blocked hosts, those hosts are removed from the Temporarily
Blocked Sources list within five minutes. You can unblock an individual IP address
immediately by adding that IP address to the allow list.

Important
When you deploy a managed device in monitor mode, the outbound traffic does not go
through that device and is not analyzed.

Adding hosts to the outbound allow list


To add IPv4 hosts to the outbound allow list:
1. Select Protect > Outbound Protection > Allow Lists.
2. In the Add box, type one or more IPv4 addresses or CIDRs separated by commas.
3. Click Add.
4. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
This audit trail information will be visible from the Outbound Allow Lists page.

Deleting items from the outbound allow list


Deleting an item from the outbound allow list does not add it to the outbound deny list. If
you want to move a host from the outbound allow list to the outbound deny list, see
“Adding allowed hosts to the deny list” on the next page.
To delete an item from the outbound allow list:
1. Select Protect > Outbound Protection > Allow Lists.
2. On the Outbound Allow Lists page, click (Remove) to the far right of the item.


3. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Adding allowed hosts to the deny list


When you move an allowed host to the deny list, it is removed from the outbound allow
list and added to the outbound deny list.

To move an allowed host to the deny list:
1. Select Protect > Outbound Protection > Allow Lists.
2. On the Outbound Allow Lists page, click the Deny List button to the far right of the
item.
3. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
This audit trail information will be visible from the Outbound Deny Lists page.

Viewing and Searching the Outbound Allow List


The Outbound Allow Lists page in AEM allows you to view the entire outbound allow list for
all the AED and APS devices that are managed by AEM. You can search this allow list for
specific IPv4 addresses and CIDRs, or for IPv4 addresses and CIDRs that match a specific
country.

You also use the Outbound Allow Lists page to add outbound IPv4 traffic to the allow list on
any device that is managed by AEM. See “Adding Outbound Traffic to the Allow List” on
page 183.

You must enable the outbound threat filter for the outbound allow list to take effect. See
“Configuring the Outbound Threat Filter” on page 121.

Note
The outbound allow list does not include IPv6 addresses.

Viewing the outbound allow list


To view the outbound allow list:
1. Select Protect > Outbound Protection > Allow Lists.
2. If the items on the allow list continue on multiple pages, you can use the paging icons
at the upper-right of the page to view additional items.
3. To filter the list to display items of interest, you can search for specific items. See
“Searching the outbound allow list” below.

Searching the outbound allow list


When you view the outbound allow list, you can filter the list to display items of interest
by searching for one or more items.
To search the outbound allow list:
1. Select Protect > Outbound Protection > Allow Lists.
2. In the Search box on the Outbound Allow Lists page, type one of the following search
strings:


n An IPv4 address
n An IPv4 address range, with a hyphen to separate the beginning IP address and
ending IP address. For example: 192.0.2.1-192.0.2.10
n A CIDR
n A country name. As you type, the system displays the countries that match your
entry. You can continue to type the country name or select a country from the list.
3. Click Search.
4. If a host that you searched for is not on the outbound allow list, a message appears.
The following options might be available:
n You can click (add) in the message to add the host to the outbound allow list. On a
device that is managed by AEM, this function is disabled.
n If the host is on the outbound deny list, you can click the link in the message to
open the Outbound Deny Lists page and display that host.
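The four search forms listed above (an address, a hyphenated range, a CIDR, and a country name with type-ahead) are worth handling the same way when you audit an exported allow list offline. The following Python code is an added example, not AEM code: it classifies a search string into one of those four forms and returns the list entries it matches. The guide does not define what counts as a match for a CIDR or range query, so this example treats any overlap between the query's address space and the entry's address space as a match; the entry layout (host, country) and the country table are constructed assumptions.

```python
"""Added example: parsing the outbound allow-list search strings from the guide.

Not AEM code. Assumptions: list entries are (host, country) pairs, a query
matches an entry when the query's address space overlaps the entry's, and
COUNTRIES is a constructed subset of the product's country list.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed subset of country names; the real list comes from the product.
COUNTRIES = ["Germany", "Georgia", "United States", "Brazil"]


def country_suggestions(prefix: str) -> List[str]:
    """Mimic the type-ahead: countries whose name starts with what was typed."""
    p = prefix.strip().lower()
    return [c for c in COUNTRIES if c.lower().startswith(p)] if p else []


def _resolve_country(text: str) -> str:
    """Exact name wins; otherwise a unique type-ahead match is accepted."""
    matches = country_suggestions(text)
    exact = [c for c in matches if c.lower() == text.strip().lower()]
    if exact:
        return exact[0]
    if len(matches) == 1:
        return matches[0]
    raise ValueError(f"not a unique country name: {text!r}")


def _ipv4(text: str) -> ipaddress.IPv4Address:
    """The outbound lists are IPv4 only, so IPv6 input is rejected."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version != 4:
        raise ValueError("outbound lists hold IPv4 only")
    return addr


def parse_search(text: str) -> Tuple[str, object]:
    """Classify a search string as one of the four forms the guide lists.

    Returns ("country", name), ("range", (lo, hi)), ("cidr", IPv4Network)
    or ("address", IPv4Address).
    """
    s = text.strip()
    if not s:
        raise ValueError("empty search string")
    if not any(ch.isdigit() for ch in s):
        # No digits at all: a (possibly partial) country name.
        return "country", _resolve_country(s)
    if "-" in s:
        lo, hi = (_ipv4(p) for p in s.split("-", 1))
        if lo > hi:
            raise ValueError("range start must not exceed range end")
        return "range", (lo, hi)
    if "/" in s:
        net = ipaddress.ip_network(s, strict=False)
        if net.version != 4:
            raise ValueError("outbound lists hold IPv4 only")
        return "cidr", net
    return "address", _ipv4(s)


def search_allow_list(text: str,
                      entries: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Return the hosts of the entries that match the search string."""
    kind, value = parse_search(text)
    hits = []
    for host, country in entries:
        if kind == "country":
            if country == value:
                hits.append(host)
            continue
        net = ipaddress.ip_network(host, strict=False)
        if kind == "address":
            matched = value in net
        elif kind == "cidr":
            matched = net.overlaps(value)
        else:  # range: the entry overlaps [lo, hi]
            lo, hi = value
            matched = net.network_address <= hi and net.broadcast_address >= lo
        if matched:
            hits.append(host)
    return hits
```

An empty result corresponds to the "not on the outbound allow list" message described in step 4; a practitioner reconciling the list against a change ticket would follow that up by searching the outbound deny list for the same string.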

Information on the Outbound Allow Lists page


By default, the outbound allow list is sorted by the Since column, beginning with the most
recent items. You also can sort the outbound allow list by the Hosts column.

For each item, the Outbound Allow Lists page displays the following information:

Outbound Allow Lists page details

Information Description

Hosts Displays the host’s IP address or CIDR. If the system can identify
the host’s country, this column also includes a flag icon that
represents the country.
If the system can resolve the host name, you can see the host
name by hovering your mouse pointer over the IP address or
CIDR. For IPv4 hosts that are not private networks, you can see
the country name by hovering your mouse pointer over the flag
icon.

Since Indicates the amount of time that the item has been on the
outbound allow list.

(information) Displays the audit trail entry, if any, that was created when this
item was added to the list. Click the (information) icon next to the time period in
the Since column.

Deny List button Allows you to move the item to the outbound deny list.
On a device that is managed by AEM, this function is disabled.

(Remove) Allows you to remove the item from the outbound allow list
without adding it to the outbound deny list.
On a device that is managed by AEM, this function is disabled.


Section 13: Viewing AED and APS Traffic

This section describes the many ways in which you can view the traffic that AED and APS
inspect.

In this section
This section contains the following topics:

Viewing the Traffic Activity for a Protection Group 187
Viewing the Traffic Overview for a Protection Group 190
Filtering the Traffic Data by Device 191
Viewing the Attack Categories for a Protection Group 192
Viewing the Top URLs for a Protection Group 198
Viewing the Top Domains for a Protection Group 199
Viewing the Top IP Locations for a Protection Group 201
Viewing the Top Protocols for a Protection Group 203
Viewing the Top Services for a Protection Group 204

Viewing the Traffic Activity for a Protection Group


The View Protection Group page allows you to view information in real time about the
traffic that is destined for the prefixes that are defined in a protection group. The traffic
information that appears on this page is for incoming traffic only. The information does
not include server response traffic.

Use the information on this page to monitor how effectively the managed AED and APS
devices mitigate attacks and to decide whether you need to take action to block the
traffic.

The View Protection Group page displays aggregated traffic data for all of the managed
devices that are assigned to the protection group. You can filter the data on the View
Protection Group page to view information for a single managed device. See “Filtering the
traffic data for a single device” on page 192.

The View Protection Group page also allows you to add certain hosts to the deny list and
to remove hosts from it (removing a host from the deny list is also referred to as
unblocking). See “About the Deny List and Allow List” on page 167. On a device that is
managed by AEM, these functions are disabled: for example, you cannot edit protection
groups, and you cannot add hosts and countries to the deny list. However, you can use the
Cloud Signaling widget on the managed device.


Navigating to the View Protection Group page


To navigate to the View Protection Group page:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. Click the protection group name.

Sections on the View Protection Group page


The View Protection Group page contains the following sections:

Information about the protection group

Section Description and reference

Time selector Allows you to filter the information that appears on the View
Protection Group page by a specific increment or by a time range.
See “Changing the display” on page 24.

bps and pps buttons Click bps or pps to change the display unit of measure on the View
Protection Group page.

Protection Group Overview Displays summary data about all of the protection group’s
traffic during the selected timeframe.
See “Viewing the Traffic Overview for a Protection Group” on
page 190.

Total Protection Group Traffic graph Shows a stacked graph that represents the total
passed traffic in green and the total blocked traffic in red. Below the graph, you
can click (Passed) or (Blocked) to show and hide the different
types of traffic.

Traffic Views Lists the different types of inbound traffic that are destined for
the prefixes that are defined in the protection group. You can click
a link in the list to view the data for that type of traffic.
See “Viewing the inbound traffic by type” on the next page.
Select Display All to display the data for all of the traffic views, in
the order in which they appear in the list. To include all of the
traffic view data when you create a PDF of the View Protection
Group page, select this option.
See “Saving, Emailing, and Printing Pages from the UI” on page 22
for PDF instructions.

Attack Categories Displays a graph of the attack categories, including the AIF threat
categories and TAXII collections, that are responsible for blocking
the current traffic.
See “Viewing the Attack Categories for a Protection Group” on
page 192.


Viewing the inbound traffic by type


In the Traffic Views section, you can view the data for the inbound traffic that is destined
for the prefixes that are defined in the protection group.
To select the type of traffic to view:
n Click (expand), and then click a link in the list of traffic views. The graph and table
display the data for the selected type of traffic.

You can click (collapse) to hide the list of traffic views. When the list is hidden, the graph
and table continue to display the data for the selected type of traffic.

The types of traffic that are available in the list depend on the server type for the
protection group. For example, when you display this page for a Web Server protection
group, only the sections that are relevant for Web servers appear.
The list of traffic views can include the following types of traffic:

Types of Traffic in the Traffic Views section

Type Description and reference

Attack Categories Displays a graph of the attack categories that are responsible for
blocking current traffic.
See “Viewing the Attack Categories for a Protection Group” on
page 192.

Web Traffic by URL Displays the 10 URLs that have the highest amounts of inbound
IPv4 traffic.
See “Viewing the Top URLs for a Protection Group” on page 198.
Note
This traffic data is not available for IPv6 protection groups.

Web Traffic by Domain Displays the 10 domains that have the highest amounts of inbound
IPv4 traffic.
See “Viewing the Top Domains for a Protection Group” on page 199.
Note
This traffic data is not available for IPv6 protection groups.

IP Location Displays the 10 identifiable countries that send the most IPv4
traffic.
See “Viewing the Top IP Locations for a Protection Group” on
page 201.
Note
This traffic data is not available for IPv6 protection groups.


Protocols Displays the 10 protocols that have the highest amounts of
inbound traffic.
See “Viewing the Top Protocols for a Protection Group” on
page 203.

Services Displays the 10 services that have the highest amounts of inbound
traffic.
See “Viewing the Top Services for a Protection Group” on page 204.

Viewing the Traffic Overview for a Protection Group


On the View Protection Group page, the Protection Group Overview section displays
summary data about the protection group’s traffic during the selected timeframe.

Use the information in this section to quickly view the protection group’s activity, assess
its performance, and look for problems. For example, a significant increase or a large
spike in the passed traffic might indicate an attack.

To view information in real time about the traffic that is destined to a protection group,
see “Viewing the Traffic Activity for a Protection Group” on page 187.

Filtering traffic data


AEM aggregates the traffic data for all of the managed AED and APS devices that are
assigned to the protection group. To filter the page to view the traffic data for a single
managed device, click the All Devices link under Device Assignments.

See “Filtering the Traffic Data by Device” on the next page.

Navigating to the View Protection Group page


To navigate to the View Protection Group page:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. Click the protection group name.


Information in the Protection Group Overview section


The Protection Group Overview section contains the following information:

Overview Information about the protection group

Section Description

Total Traffic Displays a minigraph that represents the total traffic, and displays
the following values:
n Total summarizes the total amount of traffic during the specified
timeframe.
n Rate summarizes the average rate of this traffic during the
specified timeframe.

Passed Traffic Displays a minigraph that represents the passed traffic, and
displays the following values:
n Total summarizes the total amount of passed traffic during the
specified timeframe.
n Rate summarizes the average rate of the passed traffic during
the specified timeframe.

Blocked Traffic Displays a minigraph that represents the blocked traffic, and
displays the following values:
n Total summarizes the total amount of blocked traffic during the
specified timeframe.
n Rate summarizes the average rate of the blocked traffic during
the specified timeframe.

Blocked Hosts Displays a minigraph that represents the blocked hosts. The
Average value indicates the average number of blocked hosts
during the specified timeframe.

Total Traffic graph Shows the percentage of the total traffic that is passed in green
and the percentage that is blocked in red.

Filtering the Traffic Data by Device


The View Protection Group page displays aggregated traffic data for all of the devices that
are assigned to the protection group. You can filter the data on the View Protection Group
page to view only the traffic data for a single device.

After you filter the page, the device remains selected even if you navigate away from the
View Protection Group page. You must clear the selection manually to revert to viewing the
traffic data for all the device assignments. See “Viewing the traffic data for all the device
assignments” on the next page.

About device assignments


At the top of the page, under AED Assignments, AEM indicates whether it displays the
traffic for all assigned devices or for a single device. The AED Assignments section also
displays the total number of device assignments for the protection group.


Filtering the traffic data for a single device


To filter the traffic data on the View Protection Group page for a single device:
1. Navigate to the View Protection Group page as follows:
a. Select Protect > Inbound Protection > Protection Groups.
b. (Optional) On the List Protection Groups page, filter the list to find a specific
protection group. See “Searching for protection groups” on page 216.
c. Click the protection group name.
2. At the top of the View Protection Group page, click the All AEDs link to open the Filter
by AED window.
The Filter by AED window displays the following information for each device:
n a graph that shows the percentage of blocked traffic
n the number of active alerts, if any
3. (Optional) In the Filter by AED name box, type all or part of a name to locate a
specific device. As you type, the list displays only the device names that match the
string.
4. If there is only one match, the device name is selected automatically. If there are
multiple matches, select a device.
AEM updates the sections for Total Protection Group Traffic, Mode, Traffic Overview, and
Recent Alerts to display data for the selected device.
5. Click Apply.
After you apply the filter, the name of the selected device replaces the All AEDs link
on the View Protection Group page.

Viewing the traffic data for all the device assignments


You can clear the selected device to display data for all of the device assignments on the
View Protection Group page:
n Click (clear). The All AEDs link appears when the View Protection Group page is no
longer filtered for a specific device.

Viewing the Attack Categories for a Protection Group


The Attack Categories section on the View Protection Group page displays the categories of
protections that are responsible for blocking current traffic.

The data display for the attack categories refreshes approximately every 60 seconds.

Use this information to determine why a managed device blocked the traffic. For
example, if blocked traffic is shown for the Invalid Packets category for a device, you can
display the details for that category to view the reasons why that traffic was considered to
be invalid.

For general information about the protection settings, see “About the Protection Settings
Configuration” on page 118.


Navigating to the Attack Categories section


To navigate to the Attack Categories section on the View Protection Group page:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. Click the protection group name.
4. If the Traffic Views section is not visible on the View Protection Group page, then click
(expand) to the left of the Attack Categories section.
5. In the list of traffic views, select Attack Categories.
6. (Optional) Filter the information that appears on the page as follows:
n To change the timeframe for which the data is displayed, click one of the time
increments or click From and select a time range.
n To select the unit of measure for displaying traffic, click bps or pps.

Information in the Attack Categories section


The Attack Categories section contains the following information:

Information in the Attack Categories section

Information Description

Attack Categories graph AEM updates the data display once per minute.

Key Shows the color that represents each attack category in the Attack
Categories graph and allows you to filter the graph display. Click the key for
an attack category to hide or show that category on the graph.
AEM retains your selections until you navigate away from the View
Protection Group page.

Graph Represents the traffic that the category blocks. You can hover
your mouse pointer over the minigraph to view a larger version of
the graph.

Category Displays the attack category that is blocking the traffic.
Several of the categories do not correspond to specific protection
settings. See “About the non-configurable categories” below.

(context menu) Appears when you hover your mouse pointer over an attack
category name. Click the (context menu) icon, and then select Blocked Hosts to
display the Blocked Hosts Log page for this protection group and
attack category.
See “About the Blocked Hosts Log” on page 242.

Bytes blocked / Packets blocked Shows the amount of blocked traffic for the attack
category in bytes and packets.


bps blocked / pps blocked Shows the rate of blocked traffic for the attack category in
bits per second and packets per second.

Details button Allows you to view additional information about the blocked
traffic. The information that AED and APS display varies for each
attack category. Detailed information is not available for all of the
attack categories.
You can hide the details by clicking Details again.

About the non-configurable categories


The Attack Categories section might include the following categories. These attack
categories are not configurable on the Configure Server Type page or Outbound Threat Filter
page.

Non-configurable categories

Category Description

Denied Hosts The Denied Hosts category represents the hosts that are blocked
because they are on the deny list.
Note
Invalid packets from hosts on the deny list are attributed to the Invalid Packets
category, not to Denied Hosts. See the note on the Invalid Packets category below.

HTTP Blocked Locations The HTTP Blocked Locations category represents the following
hosts and domains:
n The domains that were blocked because they are on the
inbound deny list
n The blocked hosts that appear in the Web Traffic By URL section
on the View Protection Group page
n The blocked domains that appear in the Web Traffic By Domain
section on the View Protection Group page

Invalid Packets The Invalid Packets category blocks invalid TCP/IP packets. Click
Details for this category to view the reasons that AED or APS
blocked the packets.
Note
The Invalid Packets category takes precedence over the deny list
and allow list. As a result, AED and APS block invalid packets from
hosts on the allow list. Also, any traffic from hosts on the deny list
or allow list that matches invalid packets is attributed to invalid
packets in the Attack Categories graphs.


Detailed information in the Attack Categories section for protection groups


Detailed information about blocked traffic is available for the protection group attack
categories.

Detailed Attack Categories information for protection groups

Category Details

ATLAS Threat Categories Lists the ATLAS threat categories that blocked traffic, and
shows the amount of blocked traffic for each category. AED and APS
display a traffic minigraph for each category.

Application Misbehavior Shows the average number of blocked hosts.

Block Malformed SIP Traffic Shows statistics about the blocked hosts, including the
total number of hosts that were blocked. See “About the total hosts
blocked” on page 197.

Botnet Prevention Displays blocking information for the following subcategories:
n Basic Botnet Prevention
These details show a graph and summary statistics of the
botnet traffic that would have been blocked under a higher
protection level.
They also show the average number of hosts that were blocked
and the number of requests that were examined.
n AIF Botnet Signatures
These details show the botnet traffic that was blocked or that
would be blocked by the AIF signatures that are associated
with each protection level. For example, if the active global
protection level is medium, the blocking details for the medium
protection level and low protection level represent traffic that
was blocked. The blocking details for the high protection level
represent traffic that would be blocked if you change to the
high protection level.
n Slow Request Attacks
These details show the average number of hosts that were
blocked and the number of requests that were examined.

DNS Authentication Shows the number of hosts that were tested and the number of
hosts that were validated.

DNS NXDomain Rate Limiting Shows the average number of hosts and the total number
of hosts that were blocked. See “About the total hosts blocked” on
page 197.

DNS Rate Limiting Shows statistics about the hosts that were blocked, including the
total number of hosts that were blocked. See “About the total
hosts blocked” on page 197.

Fragment Detection Shows the average number of hosts that were blocked.

HTTP Header Regular Expressions Shows the average number of hosts that were blocked.

HTTP Rate Limiting Shows statistics about the hosts that were blocked and whether
they were blocked for exceeding the request limit or the URL limit.
This section also shows the total number of hosts that were
blocked. See “About the total hosts blocked” on page 197.

ICMP Flood Detection Shows the average number of hosts that were blocked.

Invalid Packets Lists the reasons why traffic was considered to be invalid and
shows the amount of traffic that was blocked for each reason. A
traffic minigraph is displayed for each reason, and a stacked
graph summarizes the blocked traffic with one row for each
reason.

IP Location Policing Shows statistics about the countries whose traffic was blocked
because you chose to deny their traffic or their traffic exceeded
the configured rate limits. This section also includes statistics for
other countries that are not configured specifically, but whose
traffic is blocked based on the default settings.

Malformed HTTP Filtering Shows the average number of hosts that were blocked and
the number of requests that were examined.

Rate-based Blocking Shows the average number of hosts that were blocked.

SIP Request Limiting Shows the average number of hosts and the total number of
hosts that were blocked. See “About the total hosts blocked” on
page 197.

Spoofed SYN Flood Prevention Shows statistics about the number of hosts that were
allowed to form connections, the total number of connections, and the total
number of HTTP requests on those connections.

TCP Connection Limiting Lists the top 10 hosts whose concurrent TCP connections
exceeded the rate limit, and shows the amount of traffic that was
blocked for each host. Connection statistics are displayed for each
host.
Important
This section includes traffic for all of the categories that affect
each host, not just the TCP Connection Limiting category.

TCP Connection Reset Shows statistics for the connections and hosts that were
blocked, including the total number of hosts that were blocked. See “About
the total hosts blocked” on page 197.

TCP SYN Flood Detection Shows the average number of hosts that were blocked.

TLS Attack Prevention Lists the reasons why the SSL or TLS traffic was considered to
be invalid and shows statistics about the traffic that was blocked for
each reason. You can click Details next to each reason to view the
average number of hosts that were blocked for that reason.
Note
If AED or APS drops malformed TLS traffic when the TLS proxy is
enabled, then the device identifies TLS Attack Prevention as the
reason, even if TLS Attack Prevention is disabled for the protection
group.

Traffic Shaping Shows statistics about the traffic that exceeded the configured
thresholds and the traffic that was passed.

UDP Flood Detection Shows the average number of hosts that were blocked.

Detailed information in the Attack Categories section for the Outbound Threat Filter

Detailed information about blocked traffic is available for the outbound threat filter attack
categories.

Detailed Attack Categories information for the Outbound Threat Filter

Category Details

ATLAS Threat Categories Lists the ATLAS threat categories that blocked traffic, and
shows the amount of blocked traffic for each category. AED and APS
display a traffic minigraph for each category.

DNS Rate Limiting Shows statistics about the hosts that were blocked, including the
total number of hosts that were blocked. See “About the total
hosts blocked” below.

Malformed HTTP Filtering Shows the average number of hosts that were blocked and
the number of requests that were examined.

About the total hosts blocked


The detail information for several of the attack categories shows the total hosts blocked.
This number represents the total number of times that any and all hosts were blocked,
and might contain hosts that were blocked multiple times. For example, if one host is
blocked 15 times, then the total is 15.
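Because the total counts block events rather than distinct hosts, it cannot be read as the number of attacking sources, and it is not the same figure as the "average number of hosts that were blocked" that other categories report. The following Python code is an added example, not AEM code, that computes the three figures side by side from block events. The log line format is constructed for this example (AED and APS do not log in this format), and the average is computed here as the mean number of distinct hosts blocked per minute over the minutes that contain events, which is this example's assumption about that metric.

```python
"""Added example: what "total hosts blocked" does and does not tell you.

Not AEM code. The log format below is constructed for this example; AED/APS
logs are not in this format. Assumptions: each line is one block event, and
"avg_blocked_hosts" is the mean count of distinct hosts blocked per minute
over the minutes that contain events.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: one host blocked three times, another twice, plus one
# event from a different category to show the per-category filter.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z block host=198.51.100.7 category=DNS Rate Limiting
2024-05-01T10:00:40Z block host=198.51.100.7 category=DNS Rate Limiting
2024-05-01T10:01:02Z block host=203.0.113.9 category=DNS Rate Limiting
2024-05-01T10:01:30Z block host=198.51.100.7 category=DNS Rate Limiting
2024-05-01T10:02:15Z block host=203.0.113.9 category=DNS Rate Limiting
2024-05-01T10:02:50Z block host=192.0.2.77 category=HTTP Rate Limiting
this line is malformed and must be skipped
"""

# The "ts" group keeps only the minute so that events bucket per minute.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2}Z block "
    r"host=(?P<host>\S+) category=(?P<cat>.+)$"
)


def parse_events(text: str) -> List[Tuple[str, str, str]]:
    """Return (minute, host, category) for each well-formed line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("ts"), m.group("host"), m.group("cat")))
    return events


def summarize(events: List[Tuple[str, str, str]],
              category: Optional[str] = None) -> Dict[str, float]:
    """Compute the guide's "total hosts blocked" next to the figures it is not.

    total_hosts_blocked: number of block events (a host blocked 15 times counts 15)
    unique_hosts:        number of distinct hosts behind those events
    avg_blocked_hosts:   mean distinct hosts per minute (0.0 when there are none)
    """
    selected = [e for e in events if category is None or e[2] == category]
    per_minute = defaultdict(set)
    for minute, host, _ in selected:
        per_minute[minute].add(host)
    total = len(selected)
    unique = len({host for _, host, _ in selected})
    avg = (sum(len(h) for h in per_minute.values()) / len(per_minute)
           if per_minute else 0.0)
    return {"total_hosts_blocked": total,
            "unique_hosts": unique,
            "avg_blocked_hosts": avg}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(summarize(events, "DNS Rate Limiting"))
    print(summarize(events))
```

In the sample, DNS Rate Limiting reports a total of 5 although only 2 distinct hosts were involved; when a total looks alarming, the Blocked Hosts Log for that category is the place to see whether it is many sources or one source blocked repeatedly.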


Viewing the Top URLs for a Protection Group


The Web Traffic By URL section of the View Protection Group page identifies the top URLs
for all of the AED and APS devices that are assigned to the protection group. If you filter
the page to view the data for one device, the Web Traffic By URL section displays the top
URLs for that device only. See “Filtering the Traffic Data by Device” on page 191.

Use this information to identify problems or determine the target of an attack. For
example, a URL whose traffic is significantly higher than normal might be under attack.
Also, a URL that has a high percentage of the total HTTP traffic is often an attack target.

Note
This traffic data is not available for IPv6 protection groups.

Navigating to the Web Traffic By URL section


To navigate to the Web Traffic By URL section on the View Protection Group page:
1. Select Protect > Inbound > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. Click the protection group name.
4. If the Traffic Views section is not visible on the View Protection Group page, then click
(expand) to the left of the Attack Categories section.

5. In the Traffic Views list, select Web Traffic By URL.


6. (Optional) Filter the information that appears on the page as follows:
- To change the timeframe for which the data is displayed, click one of the time
increments or click From and select a time range.
- To select the unit of measure for displaying traffic, click bps or pps.

Information in the Web Traffic By URL section


The Web Traffic By URL section contains the following information:

Information about web traffic by URL

Information: Description

Web Traffic By URL graph: Displays a stacked graph of the traffic for the top URLs in
requests per minute.

Key: Shows the color that represents the specific URL in the Web Traffic By URL graph and
allows you to filter the graph display.
To hide or show a URL on the graph, click the key for the URL.
AEM retains your selections until you navigate away from the View Protection Group page.

Graph: Represents the number of requests per minute that are sent to the URL. To view a
larger version of a minigraph, hover your mouse pointer over it.


URL: Displays the URL for which the traffic is destined.
If “Other” appears in this list, then it represents the aggregated traffic data for URLs
that are not listed here.
Note
If a URL is truncated, then hover your mouse pointer over it to view the entire URL. When
you copy a truncated URL, the entire URL is copied.

Requests: Displays the number of requests that are sent to the URL.

Percent: Displays the percentage of the total HTTP traffic that the traffic for that URL
represents, shown as a figure and as a proportion bar. The bar for the top URL is the full
column width and the remaining bars are in proportion to it.

Request bps: Shows the average rate of the requests that are sent to the URL.

Deny List button: Adds the URL to the inbound deny list for this protection group or for
all IPv4 protection groups.
When you add a URL to the deny list, the managed devices block all of the traffic from the
clients that access the URL in your network.
See “About the Deny List and Allow List” on page 167.

Unblock button: Removes the URL from the inbound deny list. This button appears only when
a URL has been added to the deny list.

Viewing the Top Domains for a Protection Group


The Web Traffic By Domain section on the View Protection Group page identifies the top
domains for all of the AED and APS devices that are assigned to the protection group. If
you filter the page to view the data for one device, the Web Traffic By Domain section
displays the top domains for that device only. See “Filtering the Traffic Data by Device” on
page 191.

Use this information to identify problems or determine the target of an attack. For
example, a domain whose traffic is significantly higher than normal might be under
attack. Also, a domain that has a high percentage of the total HTTP traffic is often an
attack target.

Note
This traffic data is not available for IPv6 protection groups.

Disabling the HTTP Reporting settings


The Web Traffic By Domain section does not appear for protection groups with server
types on which HTTP Reporting is disabled. Disabling the display of this information can
improve the performance of managed devices.

See “HTTP Reporting Settings” on page 138.


Navigating to the Web Traffic By Domain section


To navigate to the Web Traffic By Domain section on the View Protection Group page:
1. Select Protect > Inbound > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. Click the protection group name.
4. If the Traffic Views section is not visible on the View Protection Group page, then click
(expand) to the left of the Attack Categories section.

5. In the list of traffic views, select Web Traffic By Domain.


6. (Optional) Filter the information that appears on the page as follows:
- To change the timeframe for which the data is displayed, click one of the time
increments or click From and select a time range.
- To select the unit of measure for displaying traffic, click bps or pps.

Information in the Web Traffic By Domain section


The Web Traffic By Domain section contains the following information:

Information about web traffic by domain

Information: Description

Web Traffic By Domain graph: Displays a stacked graph of the traffic for the top domains
in requests per minute.

Key: Shows the color that represents the specific domain in the Web Traffic By Domain
graph and allows you to filter the graph display.
You can click a domain’s key to hide or show that domain on the graph. Your selections are
retained until you navigate away from the View Protection Group page.

Graph: Represents the number of requests per minute that are sent to the domain. To view
a larger version of a minigraph, hover your mouse pointer over it.

Domain Name: Displays the domain for which the traffic is destined.
If “Other” appears in this list, then it represents the aggregated traffic data for
domains that are not listed here.

Requests: Shows the number of requests that are sent to the domain.

Percent: Displays the percentage of the total HTTP traffic that the domain’s traffic
represents, shown as a figure and as a proportion bar. The bar for the top domain is the
full column width and the remaining bars are in proportion to it.

Request bps: Shows the average rate of the requests that are sent to the domain.


Deny List button: Adds the domain to the inbound deny list for this protection group or
for all IPv4 protection groups.
When you add a domain to the deny list, the managed devices block all of the IPv4 traffic
from the clients that access the domain.
See “About the Deny List and Allow List” on page 167.

Unblock button: Removes the domain from the inbound deny list. This button appears only
when a domain has been added to the deny list.

Viewing the Top IP Locations for a Protection Group


The IP Location section on the View Protection Group page identifies the top countries for
all of the AED and APS devices that are assigned to the protection group. If you filter the
page to view the data for one device, then the IP Location section displays the countries
for that device only. See “Filtering the Traffic Data by Device” on page 191.

Use this section to identify problems or to determine the source of an attack. For
example, traffic that is significantly higher than normal or a spike in the passed traffic
might indicate an attack.

The data display for the top IP locations refreshes approximately every 60 seconds.

Note
This traffic data is not available for IPv6 protection groups.

Navigating to the IP Location section


To navigate to the IP Location section on the View Protection Group page:
1. Select Protect > Inbound > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. Click the protection group name.
4. If the Traffic Views section is not visible on the View Protection Group page, then click
(expand) to the left of the Attack Categories section.

5. In the list of traffic views, select IP Location.


6. (Optional) Filter the information that appears on the page as follows:
- To change the timeframe for which the data is displayed, click one of the time
increments or click From and select a time range.
- To select the unit of measure for displaying traffic, click bps or pps.


Information in the IP Location section


The IP Location section contains the following information:

Information about IP locations

Information: Description

IP Location graph: Displays a stacked graph of the total traffic from the top countries.
The graph displays the traffic in bytes per second or packets per second, depending on the
unit of measure that is selected.

Key: Shows the color that represents the country in the IP Location graph and allows you
to filter the graph display.
You can click a country’s key to hide or show the data for that country on the graph. Your
selections are retained until you navigate away from the View Protection Group page.

Country: Displays the name of the country from which the traffic was sent.
The ATLAS Intelligence Feed (AIF) supplies the information that identifies the country.
See “About the ATLAS Intelligence Feed” on page 68.

(context menu): Appears when you hover your mouse pointer over a country name if the data
on the page is for a single device. You can select the Packet Capture option on this menu
to capture packets for the protection group and the country.
When you select Packet Capture, it opens the Packet Capture page on the selected device.
The protection group and the country are selected as filter criteria on this page. You can
start the packet capture or you can specify additional filter criteria.
See “About Capturing Packets” on page 258.

Graph: Represents the country’s passed traffic (green) and blocked traffic (red). You can
hover your mouse pointer over the minigraph to view a larger version of the graph.

Passed Traffic, Blocked Traffic: Shows the average rate of the passed and blocked traffic
for the country.

Percent Bytes: Displays the percentage of the total traffic that the country’s traffic
represents, shown as a figure and as a proportion bar. The bar for the top country is the
full column width and the remaining bars are in proportion to it.

Deny List button: Adds the country to the inbound deny list for this protection group or
for all IPv4 protection groups. See “About the Deny List and Allow List” on page 167.

Unblock button: Removes the country from the inbound deny list. This button appears only
when a country has been added to the deny list.


Viewing the Top Protocols for a Protection Group


The Protocols section on the View Protection Group page identifies the top protocols for all
of the AED and APS devices that are assigned to the protection group. If you filter the
page to view the data for one device, the Protocols section displays the top protocols for
that device only. See “Filtering the Traffic Data by Device” on page 191.

This data is provided primarily for informational purposes. However, any traffic on your
network that is unexpected could represent an attack. For example, if you expect only
TCP traffic, but traffic is displayed for the UDP protocol, you should investigate this traffic.

The data display for the top protocols refreshes approximately every 60 seconds.

Navigating to the Protocols section


To navigate to the Protocols section on the View Protection Group page:
1. Select Protect > Inbound > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. Click the protection group name.
4. If the Traffic Views section is not visible on the View Protection Group page, then click
(expand) to the left of the Attack Categories section.

5. In the list of traffic views, select Protocols.


6. (Optional) Filter the information that appears on the page as follows:
- To change the timeframe for which the data is displayed, click one of the time
increments or click From and select a time range.
- To select the unit of measure for displaying traffic, click bps or pps.

Information in the Protocols section


The Protocols section contains the following information:

Information about protocols

Information: Description

Protocols graph: Displays a stacked graph of the total traffic for the top protocols. The
graph displays the traffic in bytes per second or packets per second, depending on the
unit of measure that is selected.

Key: Shows the color that represents the specific protocol in the Protocols graph and
allows you to filter the graph display.
You can click a protocol’s key to hide or show that protocol on the graph. Your selections
are retained until you navigate away from the View Protection Group page.

Graph: Represents the total traffic for a specific protocol. To view a larger version of a
minigraph, hover your mouse pointer over it.


Protocol: Displays the destination port number of the specific protocol and the name of
the protocol, if it is known. AEM sorts the list of protocols by bytes, in descending order.
If “Other” appears in this list, then it represents the totals for all of the other
protocols that are not listed here.

Bytes, Packets: Shows the amount of traffic for the specific protocol in bytes and packets.

bps, pps: Shows the rate of traffic for the specific protocol in bits per second and
packets per second.

Viewing the Top Services for a Protection Group


The Services section on the View Protection Group page identifies the top services for all of
the AED and APS devices that are assigned to the protection group. If you filter the page
to view the data for one device, the Services section displays the top services for that
device only. See “Filtering the Traffic Data by Device” on page 191.

The data display for the top services refreshes approximately every 60 seconds.

This information is provided primarily for informational purposes. However, any traffic on
your network that is unexpected could represent an attack. For example, if you expect
only web traffic, but traffic is displayed for SMTP, you should investigate the traffic
further.

About service data for ephemeral ports


The AED and APS devices store service data for individual ephemeral ports for one week,
after which the devices combine and store the data in groups of 200 ephemeral ports.

An ephemeral port is a temporary port, numbered 1024 or greater, that the TCP/IP stack
allocates when a client does not specifically request a port number. When the
communication session terminates, the ephemeral port is available for reuse.

When the display timeframe on the View Protection Group page is more than one week,
the service data for ephemeral ports is displayed by port range. For example, when the
UDP service on port 5000 has a high amount of traffic and the display timeframe is one
hour, that traffic appears as UDP/5000. When the display timeframe is two weeks, that
traffic is included in the entry for UDP/5000-5199.

In the Services graph, the data for ephemeral ports is always displayed by port range,
regardless of the display timeframe.
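The following Python is an added illustration of the display rule described above; it is not code from the guide or from NETSCOUT. It labels a constructed set of service samples per port for a timeframe of one week or less, by 200-port range for a longer timeframe or for the graph, and then totals and sorts the rows by bytes as the Services table does. Aligning the ranges at multiples of 200 is an assumption chosen to reproduce the UDP/5000 to UDP/5000-5199 example; the function names are invented here.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

EPHEMERAL_START = 1024   # the guide: ephemeral ports are numbered 1024 or greater
RANGE_SIZE = 200         # the guide: ephemeral port data is grouped 200 ports at a time
ONE_WEEK_HOURS = 7 * 24  # the guide: per-port data is kept for one week


@dataclass(frozen=True)
class ServiceSample:
    """One stored measurement for a service (constructed for this example)."""
    protocol: str  # "TCP" or "UDP"
    port: int
    byte_count: int
    packet_count: int


# Constructed samples, not real device data.
SAMPLES: List[ServiceSample] = [
    ServiceSample("UDP", 5000, 600_000, 600),
    ServiceSample("UDP", 5000, 400_000, 400),
    ServiceSample("UDP", 5017, 250_000, 250),
    ServiceSample("TCP", 443, 900_000, 900),
    ServiceSample("TCP", 5100, 100_000, 100),
    ServiceSample("UDP", 53, 50_000, 50),
]


def service_label(protocol: str, port: int, timeframe_hours: float,
                  in_graph: bool = False) -> str:
    """Label a service the way the Services section displays it.

    Well-known ports (below 1024) are always shown individually. An ephemeral
    port is shown individually in the table when the display timeframe is one
    week or less, and by 200-port range otherwise; the graph always uses the
    range. Assumption: ranges start at multiples of 200 (5000 -> 5000-5199),
    which matches the guide's example but is not stated by it.
    """
    if port >= EPHEMERAL_START and (in_graph or timeframe_hours > ONE_WEEK_HOURS):
        low = port - port % RANGE_SIZE
        return f"{protocol}/{low}-{low + RANGE_SIZE - 1}"
    return f"{protocol}/{port}"


def aggregate_services(samples: List[ServiceSample], timeframe_hours: float,
                       in_graph: bool = False) -> List[Tuple[str, int, int]]:
    """Total bytes and packets per displayed label, sorted by bytes in
    descending order (the order AEM uses for the Services list)."""
    totals: Dict[str, List[int]] = {}
    for s in samples:
        label = service_label(s.protocol, s.port, timeframe_hours, in_graph)
        entry = totals.setdefault(label, [0, 0])
        entry[0] += s.byte_count
        entry[1] += s.packet_count
    rows = [(label, b, p) for label, (b, p) in totals.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    # A one-hour view keeps UDP/5000 and UDP/5017 apart; a two-week view
    # folds both (and TCP/5100) into their 5000-5199 ranges.
    for hours in (1, 14 * 24):
        print(f"timeframe {hours} h:")
        for label, b, p in aggregate_services(SAMPLES, hours):
            print(f"  {label:16} {b:>10} bytes {p:>6} packets")
```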


Navigating to the Services section


To navigate to the Services section on the View Protection Group page:
1. Select Protect > Inbound > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. Click the protection group name.
4. If the Traffic Views section is not visible on the View Protection Group page, then click
(expand) to the left of the Attack Categories section.

5. In the list of traffic views, select Services.


6. (Optional) Filter the information that appears on the page as follows:
- To change the timeframe for which the data is displayed, click one of the time
increments or click From and select a time range.
- To select the unit of measure for displaying traffic, click bps or pps.

Information in the Services section


The Services section contains the following information:

Information about services

Information: Description

Services graph: Displays a stacked graph of the total traffic for the top services. The
graph displays the traffic in bytes per second or packets per second, depending on the
unit of measure that is selected.
The keys below the graph show the colors that represent the specific services in the
graph. You can click a service’s key to hide or show that service on the graph. If you hide
a service, then AEM also dims any rows in the table that are associated with that service.
Your selections are retained until you navigate away from the View Protection Group page.

Graph: Represents the total traffic for a specific service. If the service is on an
ephemeral port, then the data displays by port range. See “About service data for
ephemeral ports” on the previous page.
To view a larger version of a minigraph, hover your mouse pointer over it.

Service: Displays the name of the protocol, the port or the range of ports, and the name
of the service in parentheses, if known.
AEM sorts the list of services by bytes, in descending order.
If “Other” appears in this list, then it represents the totals for all of the other
services that are not listed here.


(context menu): Appears when you hover your mouse pointer over a service if the data on
the page is for a single device. You can select the Packet Capture option on this menu to
capture packets for the protection group and the service on the selected device.
When you select Packet Capture, it opens the Packet Capture page on the selected device.
The protection group and the country are selected as filter criteria on this page. You can
start the packet capture or you can specify additional filter criteria. See “About
Capturing Packets” on page 258.

bps, pps: Shows the rate of traffic for the specific service in bits per second and
packets per second.



Section 14: Managing Protection Groups

This section describes how to manage protection groups on AEM. It also describes how to
add new protection groups and how to assign AED and APS devices to the protection
groups.

User access
Users at all authorization levels can view the protection groups. Only administrators can
perform the configuration tasks that are described in this section. See “About User
Accounts” on page 30.

In this section
This section contains the following topics:

About Protection Groups 207
About Bandwidth Alerts 212
Viewing the Status of Protection Groups 214
Adding, Editing, and Deleting Protection Groups 220
Assigning Managed Devices to Protection Groups 226
Overriding a Protection Group’s Settings on a Managed Device 228

About Protection Groups


AED and APS monitor your network traffic and mitigate attacks by using the protection
settings that are defined for one or more protection groups.

A protection group represents either the IPv4 hosts or the IPv6 hosts that you need to
protect on your network. Each protection group is associated with a server type and one
or more host servers of that type. For example, a protection group can represent a single
web server or a specific group of DNS servers.

About the default protection group


The default protection group provides protection for all of the IPv4 hosts in your
enterprise as soon as you put AED or AEM into an active protection mode. The default
protection group is preconfigured to protect all IPv4 hosts and is associated with the
generic server type, which contains nearly all of the protection settings categories.

You can edit the default protection group, but only to configure its protection mode,
protection level, and bandwidth alert thresholds. You cannot delete the default protection
group.



Section 14: Managing Protection Groups
AEM User Guide, Version 7.0.0.0

Note
The default protection group only protects IPv4 hosts. It does not protect IPv6 hosts.
You can add an IPv6 protection group to serve as the default IPv6 protection group. For
an example that illustrates how to create a default protection group for all of the
unprotected IPv6 hosts, see the “IPv6 prefix matching example” on page 211.

About adding protection groups


A protection group protects a specific host or group of hosts and allows you to configure
the most appropriate protection settings for those hosts. You can add protection groups
to protect either IPv4 hosts or IPv6 hosts.

Important
On a device that is managed by AEM, the ability to configure protection groups is
disabled. You configure protection groups in AEM only.

Important
On a device that is managed by AEM, the ability to configure bandwidth alerts for
individual protection groups is disabled. You configure bandwidth alerts for protection
groups in AEM only. However, you can set global bandwidth alerts on the managed
device.

Throughout AED, APS, and AEM, you can monitor traffic and mitigate attacks by
protection group, so that you can focus your attention on your most critical hosts.

We recommend that you add a protection group for each of the services that you want to
protect. See “Adding, Editing, and Deleting Protection Groups” on page 220.

Supported number of protection groups


AEM supports a limited number of protection groups, which differs depending on where
AEM is installed. If you try to add a protection group beyond the supported limit, then
AEM does not allow the entry.

Number of protection groups that AEM and vAEM support

Type of managed device: Supported protection groups per managed device

Per managed AED or APS appliance: Up to 100 protection groups (99 custom protection
groups plus the default protection group)

Per managed vAED or vAPS:
- High-end configuration — Up to 50 protection groups (49 custom protection groups plus
the default protection group)
- Low-end configuration — Up to 10 protection groups (9 custom protection groups plus
the default protection group)


Protection group concepts


A protection group is associated with the following items:

Protection group concepts

Concept: Description

Protection protocol: You can create protection groups to protect IPv4 hosts or IPv6 hosts.

Protected hosts: Protection groups monitor and mitigate the traffic that is destined for
one or more host servers. You define the protected hosts by their prefixes or a set of
prefixes.
A protection group can protect either IPv4 hosts or IPv6 hosts. You cannot add IPv4 hosts
and IPv6 hosts to a single protection group.
See “Prefix matching in protection groups” on page 211.

Server type: The server type represents a class of servers that AED or APS protects. The
server type determines which protection settings are available for a protection group and
the application-specific data that AED or APS collects and displays for the group.
When you create an IPv4 protection group, you can select a standard IPv4 server type or a
custom IPv4 server type, if any. When you create an IPv6 protection group, you can select
the Generic IPv6 Server standard server type or a custom IPv6 server type, if any.
See “About the Server Types” on page 101.

Protection settings: The protection settings are the criteria by which the devices define
clean traffic and attack traffic. For example, if a setting specifies a threshold based on
the number of requests per second, then traffic that exceeds the threshold is considered
to be an attack.

Protection categories: The protection settings are organized into categories, each of
which detects a different type of attack traffic. A protection group contains the
categories of settings that are most appropriate for its server type. For example, a Web
Server protection group contains the HTTP categories of settings, which detect HTTP-based
attacks.


Protection levels: For each of the protection settings, you can specify different values
for the low, medium, and high protection levels. The current protection level determines
which protection settings are in use at any given time.
By default, all of the protection groups use a global protection level. You can continue
to use the global protection level or you can configure individual protection levels for
specific protection groups. These individual protection levels take precedence over the
global protection level.
You also can use the total traffic threshold or the global total traffic threshold to
automate the protection level for a protection group. See “About protection level
automation” on page 225.

Protection mode: The protection mode determines whether the managed device mitigates
traffic. In active mode, the device mitigates attacks in addition to monitoring traffic.
In inactive mode, the device detects attacks but does not mitigate them.
You can set the protection mode for an individual protection group without affecting any
other traffic. For example, you can set a protection group to inactive mode for testing
while keeping the rest of the system in active mode. See “Setting the Protection Mode
(Active or Inactive)” on page 95.

About managing the protection groups from Arbor Enterprise Manager


When you first connect a device to AEM, the protection groups on AEM are copied to the
assigned managed devices. Thereafter, you make changes in AEM only. Periodically, the
device checks AEM and obtains any changes to the protection groups that the device is
assigned to. See “Adding, Editing, and Deleting Protection Groups” on page 220.

When you add a protection group in AEM, you assign one or more managed devices to
that protection group.

See “About Configuration Data Synchronization with AEM” on page 90.

If a device is assigned to the maximum number of protection groups, then AEM does not
allow you to assign that device to another protection group. Before AEM allows you to
assign the device to another protection group, you must unassign the device from at least
one protection group.

For the number of protection groups that AEM supports, see “Supported number of
protection groups” in the AEM Release Notes.


Prefix matching in protection groups


When different length prefixes of the same network are protected by one protection
group or separate protection groups, the device matches the traffic to the most specific
(longest) prefix.

IPv4 prefix matching examples


In the first IPv4 prefix matching example, the protection groups protect the following IPv4
hosts:
- Protection Group 1 — 198.51.100.0/24
- Protection Group 2 — 198.51.100.5/32

When traffic is destined to the IP address 198.51.100.5, AED or APS matches it to
Protection Group 2, which is the most specific match.

In the second IPv4 prefix matching example, the protection groups protect the following
IPv4 hosts:

IPv4 prefix matching

Protection group name, Protected Hosts setting: Matched traffic

Protection Group 3, 192.0.2.2/32: All the traffic that is destined to 192.0.2.2

Protection Group 4, 192.0.2.0/24: All the traffic that is destined to 192.0.2.0/24, except
for the traffic that is destined to 192.0.2.2

IPv4 default protection group, 0.0.0.0/0: All IPv4 traffic, except for the traffic that is
destined to 192.0.2.0/24

IPv6 prefix matching example


In the following IPv6 prefix matching example, the protection groups protect the following
IPv6 hosts:

IPv6 prefix matching

Protection group name, Protected Hosts setting: Matched traffic

Protection Group 5, fe80:22:ab00::3bf:159a:1/128: All the traffic that is destined to
fe80:22:ab00::3bf:159a:1

Protection Group 6, fe80:22:ab00::/40: All the traffic that is destined to
fe80:22:ab00::/40 except for the traffic that is destined to fe80:22:ab00::3bf:159a:1

Protection Group 7 (serves as a default protection group for IPv6 hosts), ::/0: All IPv6
traffic, except for the traffic that is destined to fe80:22:ab00::/40
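The longest-prefix rule and the “except for” column of the two tables, worked through in Python as an added example that is not part of the guide. The group names and prefixes are the ones used in the examples above; the helper names are invented here, and a group is allowed to list several prefixes as the Protected hosts concept permits.

```python
import ipaddress
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed protection groups, using the prefixes from the guide's IPv4 and
# IPv6 prefix matching examples. A group may list more than one prefix.
PROTECTION_GROUPS: Dict[str, List[str]] = {
    "Protection Group 1": ["198.51.100.0/24"],
    "Protection Group 2": ["198.51.100.5/32"],
    "Protection Group 3": ["192.0.2.2/32"],
    "Protection Group 4": ["192.0.2.0/24"],
    "IPv4 default protection group": ["0.0.0.0/0"],
    "Protection Group 5": ["fe80:22:ab00::3bf:159a:1/128"],
    "Protection Group 6": ["fe80:22:ab00::/40"],
    "Protection Group 7": ["::/0"],  # serves as the default IPv6 group
}

Net = ipaddress._BaseNetwork


def _networks(groups: Dict[str, List[str]]) -> Iterator[Tuple[str, Net]]:
    """Yield (group name, parsed network) for every configured prefix."""
    for name, prefixes in groups.items():
        for prefix in prefixes:
            yield name, ipaddress.ip_network(prefix, strict=False)


def match_protection_group(dest_ip: str,
                           groups: Dict[str, List[str]] = PROTECTION_GROUPS
                           ) -> Optional[str]:
    """Return the group whose prefix is the most specific (longest) match for
    the destination address, or None when no group of that IP version
    contains it (for example an IPv6 address with no IPv6 group defined)."""
    addr = ipaddress.ip_address(dest_ip)
    best_name, best_len = None, -1
    for name, net in _networks(groups):
        # An IPv4 group never matches IPv6 traffic and vice versa.
        if net.version != addr.version or addr not in net:
            continue
        if net.prefixlen > best_len:
            best_name, best_len = name, net.prefixlen
    return best_name


def carved_out(group_name: str,
               groups: Dict[str, List[str]] = PROTECTION_GROUPS) -> List[str]:
    """List the prefixes of other groups that take traffic away from the named
    group: the "except for" part of the guide's Matched traffic column.

    Only the next level of nesting is reported. A /32 that already sits inside
    a reported /24 is not listed again, because that /24 already removes it.
    """
    parents = [net for name, net in _networks(groups) if name == group_name]
    nested: List[Net] = []
    for name, net in _networks(groups):
        if name == group_name:
            continue
        for parent in parents:
            if (net.version == parent.version and net != parent
                    and net.subnet_of(parent)):
                nested.append(net)
    direct = [n for n in nested
              if not any(o != n and n.subnet_of(o) for o in nested)]
    return sorted(str(n) for n in direct)


if __name__ == "__main__":
    for ip in ("198.51.100.5", "198.51.100.77", "192.0.2.2", "203.0.113.1",
               "fe80:22:ab00::3bf:159a:1", "fe80:22:ab00::1", "2001:db8::1"):
        print(f"{ip:28} -> {match_protection_group(ip)}")
    for name in PROTECTION_GROUPS:
        print(f"{name}: except for {carved_out(name) or 'nothing'}")
```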

About Bandwidth Alerts


AED and APS use bandwidth alerts to inform you about attacks and other traffic
anomalies that require your attention. To implement bandwidth alerts, you define traffic
thresholds based on traffic baselines and specific traffic rate limits for specific types of
traffic. When the traffic for a protection group exceeds a threshold, AED or APS creates a
bandwidth alert. The alert includes the protection group name and the level of traffic that
triggered the alert.

You can configure thresholds for bandwidth alerts globally or for individual protection
groups. The global thresholds are enabled by default. AED and APS use the global
thresholds for any protection group that does not have its own thresholds configured.
The threshold settings for a specific protection group override the global threshold
settings.

You can view bandwidth alerts in several areas of the AEM UI. See “Viewing a Summary of
System Alerts” on page 298.

Important
On a device that is managed by AEM, the ability to configure bandwidth alerts for
individual protection groups is disabled. You configure bandwidth alerts for protection
groups in AEM only. However, you can set global bandwidth alerts on the managed
device.


About the types of bandwidth alerts


You can configure baseline thresholds and specify rate limits to generate bandwidth
alerts for the following types of traffic:

Types of bandwidth alerts

Alert: Description

Total traffic alert: Occurs when a protection group’s total traffic exceeds the threshold.
Total traffic alerts inform you of spikes in the traffic to protected services so that you
can investigate the cause and take action if necessary.

Blocked host alert, blocked traffic alert: Occurs when a protection group’s blocked
traffic exceeds the threshold. A spike in blocked traffic typically indicates that an
attack is underway and is blocked.
Blocked traffic alerts inform you of the system’s response to an attack so that you can
respond with further actions. For example, if you determine that the traffic is
legitimate, you can add the source to the allow list.

Botnet alert: Occurs when a protection group’s unblocked botnet traffic exceeds the
threshold.
Botnet alerts indicate that a botnet attack might be underway and suggest the protection
level that would block the botnet traffic.

License limit alert: Occurs when your system’s traffic exceeds 90 percent of its licensed
throughput limit. Your licensed throughput limit is the threshold for the license limit
alerts; this threshold is not user-configurable.

About traffic baselines

Before AED or APS can evaluate traffic against the baseline thresholds, it must calculate
the baselines based on a protection group’s traffic for the past week. Therefore, the alerts
may not begin to appear until a week after you create a protection group.

AED and APS generate bandwidth alerts when a protection group’s total traffic, blocked
traffic, or botnet traffic exceeds a specified baseline threshold for the corresponding
traffic type.
After the AED or APS calculates the initial baselines, it recalculates them every hour.

Configuring global bandwidth alerts


You configure the thresholds for global bandwidth alerts on the System Alerts page in AED
and APS. The global thresholds are enabled by default, but you can change the default
settings or turn off some or all of the global bandwidth alerts.

A global threshold for bandwidth alerts consists of a baseline threshold, and, optionally, a
minimum threshold. The baseline threshold is a percentage of the traffic above the
baseline for the corresponding traffic type. The minimum threshold is a traffic rate that
you specify in bps or pps.

If you specify a minimum threshold, then a protection group’s traffic must exceed both
the baseline threshold and the minimum threshold before AED or APS generates an alert.
For example, a specific protection group’s baseline might be a low level of traffic. If that
group’s traffic suddenly increases by the global percentage but the traffic level is still
below the minimum threshold, then no alerts are created.

For more information, see “Configuring Global Thresholds for Bandwidth Alerts” in the
AED or APS User Guide.
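
The two-part global rule above (a percentage above the baseline plus an optional minimum rate) and the per-protection-group override that the following subsection describes determine which bandwidth alerts actually fire. The following is an added example that models both rules in plain Python; it is not AED, APS or AEM code. The class and function names are assumptions, bps and pps are assumed to be evaluated independently, and the baseline and traffic rates are constructed.

```python
"""Model of the bandwidth-alert threshold rules described in this section.

Added example, not AED/APS or AEM code: the class and function names are
assumptions used to illustrate the documented rules, and the sample rates and
baselines are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rate:
    """A traffic rate in bits per second and packets per second."""
    bps: float
    pps: float


@dataclass(frozen=True)
class GlobalThreshold:
    """Global threshold for one alert type (total, blocked, or botnet traffic)."""
    baseline_pct: float              # percentage of traffic above the baseline
    min_bps: Optional[float] = None  # optional minimum threshold in bps
    min_pps: Optional[float] = None  # optional minimum threshold in pps
    enabled: bool = True             # each global alert type can be turned off


@dataclass(frozen=True)
class GroupThreshold:
    """Per-protection-group setting, which overrides the global threshold.

    limit_bps / limit_pps model "Alert when traffic exceeds"; leaving both None
    with enabled=True models "Alert using global ... threshold setting".
    """
    limit_bps: Optional[float] = None
    limit_pps: Optional[float] = None
    enabled: bool = True


def global_rule_fires(current: float, baseline: Optional[float],
                      baseline_pct: float, minimum: Optional[float]) -> bool:
    """Global rule for one dimension (bps or pps).

    No baseline yet (the first week after the group is created): no alert.
    Otherwise traffic must exceed baseline * (1 + pct/100) and, when a minimum
    threshold is configured, the minimum as well.
    """
    if baseline is None:
        return False
    if current <= baseline * (1 + baseline_pct / 100.0):
        return False
    if minimum is not None and current <= minimum:
        return False
    return True


def alert_fires(group: Optional[GroupThreshold], glob: GlobalThreshold,
                current: Rate, baseline: Optional[Rate]) -> bool:
    """Decide whether one alert type fires for a protection group.

    Assumption: bps and pps are evaluated independently and either can fire.
    """
    if group is not None and not group.enabled:
        return False  # this alert type is disabled for the group
    if group is not None and (group.limit_bps is not None or group.limit_pps is not None):
        # Explicit group thresholds replace the baseline rule entirely.
        return ((group.limit_bps is not None and current.bps > group.limit_bps) or
                (group.limit_pps is not None and current.pps > group.limit_pps))
    if not glob.enabled:
        return False
    base_bps = baseline.bps if baseline is not None else None
    base_pps = baseline.pps if baseline is not None else None
    return (global_rule_fires(current.bps, base_bps, glob.baseline_pct, glob.min_bps) or
            global_rule_fires(current.pps, base_pps, glob.baseline_pct, glob.min_pps))


# Constructed sample: a low-traffic group with a 10 Mbps / 1,000 pps baseline, a global
# total-traffic threshold of 50 percent above baseline and a 20 Mbps minimum threshold.
BASELINE = Rate(bps=10_000_000, pps=1_000)
GLOBAL_TOTAL = GlobalThreshold(baseline_pct=50, min_bps=20_000_000)

if __name__ == "__main__":
    # 60 percent above baseline but still below the 20 Mbps minimum: no alert.
    print(alert_fires(None, GLOBAL_TOTAL, Rate(16_000_000, 1_200), BASELINE))
    # Above both the baseline threshold and the minimum threshold: alert.
    print(alert_fires(None, GLOBAL_TOTAL, Rate(25_000_000, 1_200), BASELINE))
    # Group override of 30 Mbps: the same 25 Mbps no longer alerts.
    print(alert_fires(GroupThreshold(limit_bps=30_000_000), GLOBAL_TOTAL,
                      Rate(25_000_000, 1_200), BASELINE))
```

The minimum threshold is what keeps a quiet protection group from alerting on every small fluctuation: a 60 percent rise above a 10 Mbps baseline is still only 16 Mbps, which the 20 Mbps minimum suppresses, while a group-level limit silently replaces the baseline rule rather than adding to it.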

Configuring bandwidth alerts for individual protection groups


You configure thresholds for protection group alerts when you create a protection group
in AEM. You can use the global thresholds that are configured on AED or APS, or specify
traffic thresholds for the protection group in bps or pps. You also can disable one or
more bandwidth alert types for a protection group.

See “Adding, Editing, and Deleting Protection Groups” on page 220.

Bandwidth alert expiration


Initially, a bandwidth alert remains active for one hour after it is created. The longer that a
bandwidth alert condition continues, the more the alert’s expiration time is extended. The
expiration time is never more than 24 hours after the alert condition disappears.
In addition, an alert expires instantly in the following situations:
• when you disable that type of alert in the configuration
• when you change the type of threshold (global threshold or specified traffic threshold)
for a protection group
• when you configure a protection group’s alert threshold to a level that is higher than
the level that triggered the alert
• (botnet alerts only) when the protection level is changed to be greater than or equal to
the level that triggered the alert

Configuring notifications for bandwidth alerts


In AED and APS, you can configure notifications that send messages when a bandwidth
alert occurs. See “Configuring Notifications” in the AED or APS User Guide.

Viewing the Status of Protection Groups


The List Protection Groups page displays the protection groups that are configured for the
AED and APS devices that AEM manages. This page allows you to view which protection
groups and which of the managed devices have active threshold alerts.

You can also add, edit, and delete protection groups on this page. See “Adding, Editing,
and Deleting Protection Groups” on page 220.

Viewing information for each protection group and its assigned devices
You can view the following information about each protection group in the list:
• the AED and APS devices that are assigned to that protection group
• the server type and a list of the protected hosts
• the protection level and whether the protection level automation is enabled
• the protection mode
• the traffic that was passed and blocked during the past hour
• the configuration status for the bandwidth threshold alerts
• a description of the protection group, and information about when the protection
group was last modified

If you expand a protection group, then you can view the following information about each
device that is assigned to the protection group:
• the protection level and whether the protection level automation is enabled
• the protection mode
• the traffic that was passed and blocked for the protection group on the managed
device during the past hour
• the configuration status for the bandwidth threshold alerts

Viewing the protection groups list


To view the list of protection groups:
1. Select Protect > Inbound Protection > Protection Groups.
By default, all of the protection groups appear on the List Protection Groups page. At
the top of the page, the number to the right of the Protection Group Configuration
subheading indicates the total number of protection groups in the list.
When the list contains more than 10 protection groups, use the paging controls in the
upper right of the page to view the additional protection groups.
2. (Optional) To filter the list, search for specific protection groups. See “Searching for
protection groups” on the next page.
3. View additional information about the protection groups in the following ways:
• To view traffic activity for a single protection group, click the protection group
name link. See “Viewing the Traffic Activity for a Protection Group” on page 187.
• To view all of the managed devices that are assigned to all of the protection
groups, if any, click Expand All. To hide all of the device assignments, click
Collapse All.
• To view the managed devices that are assigned to a single protection group, click
the expand icon next to the protection group name. To hide the device assignments
for a protection group, click the collapse icon.

Searching for protection groups


By default, all of the protection groups appear on the List Protection Groups page, which
can span multiple pages. The number to the right of the Protection Group Configuration
section heading indicates the total number of protection groups in the list.
You can filter the list to view only specific protection groups.
To search for specific protection groups:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, in the Search box, type a search string in any of
the following ways:
• As the partial name or full name of a protection group, AED, APS, or server type.
• As any portion of a protection group’s description.
• As a partial prefix or full prefix. The search returns only the protection groups that
contain an exact match to the partial prefix or full prefix. It does not return any
matches to the prefixes that are within a subnet mask.
3. Click Search.
4. To clear the results of a search and view the entire list of protection groups, click the
x in the Search box.

Information on the List Protection Groups page


By default, the protection groups are sorted by the Protection Group Name column in
ascending order. You also can sort the list by the following columns:
• Server Type
• Protection Mode
• Protection Level
• Alerts
• Last Modified

The List Protection Groups page contains the following information:

Information about the protection groups

Search box
    Allows you to filter the list of protection groups that appear on the List Protection
    Groups page.

Add IPv4 Protection Group, Add IPv6 Protection Group buttons
    Allow you to add an IPv4 protection group or an IPv6 protection group.
    See “Adding, Editing, and Deleting Protection Groups” on page 220.

Expand All, Collapse All buttons
    Allow you to view or hide the managed devices that are assigned to the protection
    groups, if any.

Protection Group Name column
    Displays the protection group name in the form of a link. You can click the link to
    view the traffic activity for the protection group. See “Viewing the Traffic Activity
    for a Protection Group” on page 187.
    This column also displays a list of the protected hosts.
    To view the managed devices that are assigned to a protection group, click the right
    arrow to the left of the protection group name. You can click the device’s name link
    to open the device in a new window. The device also has its own context menu, which
    contains the following options:
    • Edit — Allows you to edit the protection group configuration on the device.
    • Blocked Hosts — Opens the Blocked Hosts Log page with the device and protection
      group as filters.
    • Unassign from Protection Group — Deletes the protection group assignment for the
      device.
    • Packet Capture — Opens the Packet Capture page on the device with the protection
      group selected as a filter.

(protection group context menu)
    Appears when you hover your mouse pointer over a protection group name.
    You can use the options on the protection group context menu to perform the
    following actions:
    • Edit or delete the protection group. See “Adding, Editing, and Deleting Protection
      Groups” on page 220.
    • Manage the AED and APS devices that are assigned to the protection group. See
      “Assigning Managed Devices to Protection Groups” on page 226.
    • Delete the protection group.
    • View the blocked hosts that are related to the protection group on the Blocked
      Hosts Log page. See “Viewing the Blocked Hosts Log” on page 244.

(AED or APS context menu)
    Appears when you hover your mouse pointer over the name of an AED or APS.
    You can use the options on the AED or APS context menu to perform the following
    actions:
    • Change the protection group settings for protection level, protection mode, and
      threshold alerts for the managed device. See “Overriding a Protection Group’s
      Settings on a Managed Device” on page 228.
    • View the blocked hosts that are related to the protection group on the managed
      device. See “Viewing the Blocked Hosts Log” on page 244.
    • Remove the managed device from the protection group. See “Assigning Managed
      Devices to Protection Groups” on page 226.
    • Capture information about packets destined for a protection group’s prefixes on
      the managed device. See “About Capturing Packets” on page 258.

bps and pps columns
    Display minigraphs that represent the traffic flow during the last hour for the
    protection group or the managed device, in bits per second and packets per second.
    Passed and Blocked show the average rate of traffic that was passed and blocked by
    the protection group or the device during that time.
    The y-axis scale for protection group minigraphs can vary. However, for analysis
    purposes, the AED and APS minigraphs for a protection group use the same y-axis
    scale as the protection group.
    Every 60 seconds, AEM refreshes the data display for the minigraphs and the Passed
    and Blocked statistics.

(cannot retrieve data)
    Indicates that AEM cannot retrieve the data for a protection group minigraph from at
    least one AED or APS.
    To identify the problem, expand the protection group and locate each device that
    has this icon and a No Data message instead of a minigraph.
    You can hover your mouse pointer over the icon to view a warning message.

Server Type column
    Lists the type of server that the protection group protects, in the form of a link.
    You can click the link to view or edit the protection settings.
    See “Changing the Protection Settings for Server Types” on page 108.

(protection group setting override)
    Indicates an override of the original protection group setting for a managed device.
    See “Overriding a Protection Group’s Settings on a Managed Device” on page 228.
    This icon next to the setting in a protection group row indicates an override for at
    least one managed device. This icon next to the setting in a device’s row indicates
    an override for that device.

Protection Mode column
    Indicates whether the protection mode for the protection group or the managed device
    is Active or Inactive.
    See “Setting the Protection Mode (Active or Inactive)” on page 95.

Protection Level column
    Displays the protection level that is set for the protection group or the managed
    device. The protection level determines which protection settings the protection
    group uses.
    The protection level icons are defined as follows:
    • Global, which indicates that the protection group inherits the protection level of
      each managed device to which it is assigned.
    • Low
    • Medium
    • High
    • Low automated
    • High automated
    To view the protection level for the managed devices that are assigned to a
    protection group, click the expand icon next to the protection group name.
    See “About the Protection Levels” on page 96. For information about protection level
    automation, see “About protection level automation” on page 225.

(alerts configured)
    Indicates that one or more of the bandwidth threshold alerts are configured for the
    protection group.
    You can click this icon to view the threshold alert settings in the Alerts popup
    window.
    See “About Bandwidth Alerts” on page 212.

(alerts not configured)
    Indicates that bandwidth threshold alerts are not configured for the protection group
    or that the alerts are disabled for a managed device assignment.

(active alerts)
    Displays the total number of active bandwidth threshold alerts for the protection
    group in the red circle (5 in this example). You can click this icon to open the
    Alerts popup window and view additional information about the active threshold
    alerts.
    See “About the active threshold alerts” on the next page.

Last Modified column
    Indicates the last time that the protection group or the managed device was changed
    by a user or by the system.

(information)
    Appears in the Last Modified column if there is an audit trail entry for the last
    change to the protection group or the managed device. You can click this icon to
    view the audit trail entry.
    To close the information window, click the x icon.

About the active threshold alerts


To learn what traffic thresholds triggered alerts for a protection group, click the (active
alerts) icon in that protection group’s Alerts column. The Alerts window displays
information about the thresholds and alerts that are associated with that protection group.

For each alert type (Total Traffic, Blocked Traffic, and Botnet Traffic), the Alerts popup
window displays the following information:
• the threshold alert settings for the protection group
• the total number of active alerts by type for the protection group

When you finish viewing the alert information, take one of the following steps:
• To close the Alerts window, click the x icon.
• To open the Security Alerts page for the protection group, click the View Alerts link in
the Alerts popup window. The Security Alerts page is filtered for that protection group.
See “Viewing Security Alerts” on page 293.

Adding, Editing, and Deleting Protection Groups


In AEM, you can create protection groups to protect hosts on one or more AED or APS
devices, with the most appropriate protection settings for those hosts. We recommend
that you create a custom protection group for each of the services that you want to
protect.
See “About Protection Groups” on page 207.

After you add a protection group in AEM, you can assign one or more managed devices to
it. See “Assigning Managed Devices to Protection Groups” on page 226.
Important
On a device that is managed by AEM, the ability to configure protection groups is
disabled. You configure protection groups in AEM only.

Adding a protection group


To add a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click Add IPv4 Protection Group or Add IPv6
Protection Group.
Tip
If you add both IPv4 protection groups and IPv6 protection groups, then we
recommend that you prepend “IPv4” or “IPv6” to the protection group name. This
prefix helps you to quickly identify the protection group’s protocol when you see the
name.
3. In the Add Protection Group window, configure the protection group settings.
See “Protection group settings” on page 223.
4. Click Save.
5. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
6. On the List Protection Groups page, you can assign one or more managed devices to
the protection group in the following ways:
• In the status message at the top of the List Protection Groups page, click Assign it
to a device.
• In the protection groups list, click the (context menu) icon to the right of the
protection group name, and then select Manage Device Assignments.
You can assign a managed device to a maximum of 50 protection groups. See
“Assigning Managed Devices to Protection Groups” on page 226.

About editing a protection group


You can make the following changes to protection groups in AEM:
• When you first create and test a new protection group, you can set its protection mode
to inactive so that it does not affect traffic. After you assign managed devices to the
protection group and test the protection group on those devices, you can change the
protection mode to active.
• You can change a protection group’s protection level to mitigate attacks against the
protected hosts on the managed devices that are assigned to the protection group.
• You can change the bandwidth thresholds that determine the amount of traffic that
automates the protection level or triggers an alert for a protection group.
• You can add or remove protected hosts. The default protection group protects any
IPv4 hosts that are not assigned to a custom protection group.
• You can rename a protection group, and change its description.

Note
You can override a protection group’s settings for protection mode, protection level,
threshold alerts, and protection level automation on an individual managed device. See
“Overriding a Protection Group’s Settings on a Managed Device” on page 228.

Editing a protection group


To edit a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. Hover your mouse pointer over the protection group name, and then click the
(context menu) icon.
4. In the context menu, select Edit.
5. In the Edit Protection Group window, change the protection group settings.
See “Protection group settings” on the next page.
6. Click Save.
7. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

About deleting a protection group


You can delete protection groups on the List Protection Groups page in Arbor Enterprise
Manager (AEM). However, you cannot delete the default protection group.

When you delete a protection group, AEM makes the following changes on all of the
managed devices that are assigned to the protection group:
• removes the protection group, and the default protection group protects any of the
IPv4 prefixes that are not assigned to another protection group
Note
The default protection group does not protect IPv6 prefixes.
• removes the items that were added to the deny list or allow list for that protection
group
• removes the protection group from any scheduled reports in which the protection
group is included
Note
AEM never removes data from existing reports.

Deleting a protection group


To delete a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. Hover your mouse pointer over the protection group name, and then click the
(context menu) icon.
4. In the context menu, select Delete.
5. In the confirmation message window, click Delete.
6. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Protection group settings


The following table describes the protection group settings in the Add Protection Group
window and Edit Protection Group window.

Protection group settings

Name box
    Type a name to identify the protection group throughout the UI.

Protected Hosts box
    You can specify IPv4 hosts and IPv6 hosts in any of the following forms:
    • A host IP address, such as 192.0.2.1 or 2001:DB8::2.
    • A valid hostname, such as myserver.mycompany.net. The hostname resolves to its
      corresponding IP address and prefix.
    • An IP address and routing prefix in CIDR form, such as 192.0.2.0/24 or
      2001:DB8::/32.
    To protect a large number of hosts — for example, thousands of hosts — we recommend
    that you use a CIDR prefix instead of specifying individual prefixes.
    Note
    You can add the same prefix to multiple protection groups. However, you cannot
    assign a managed device to multiple protection groups that contain the same prefix.

Server Type list
    Select the type of server that the protection group protects. The server type
    determines the protection settings that are available for the protection group.
    When you create an IPv4 protection group, you can select a standard IPv4 server
    type.
    When you create an IPv6 protection group, the Generic IPv6 Server server type is
    selected by default. This server type is the only standard server type that is
    available for IPv6 protection groups.

Protection Mode options
    Select Active or Inactive to configure the protection mode.
    The managed devices mitigate traffic for a protection group only when the protection
    mode is active for both the protection group and the devices.
    To change the protection mode for all of the managed devices that are assigned to
    the protection group, see “About editing a protection group” on page 221. To change
    the protection mode for a specific device, see “Overriding a Protection Group’s
    Settings on a Managed Device” on page 228.
    See “Setting the Protection Mode (Active or Inactive)” on page 95.

Protection Level options
    Select an icon to set the protection level for the protection group (global, low,
    medium, or high). A check mark in the icon indicates which level is selected.
    The protection level icons are defined as follows:
    • Global
    • Low
    • Medium
    • High
    If you select the global icon, then the protection group uses the protection level of
    the managed device. For information about the global protection level, see “About
    the Protection Levels” on page 96. Also, see “Changing the Protection Level” on
    page 238.
    Note
    To change the protection level for a protection group on a specific managed device,
    see “Overriding a Protection Group’s Settings on a Managed Device” on page 228.

Description box
    Type a description that can help to identify the protection group.

Detection and Automation Policy section
    Use the settings in this section to configure alerting that is based on a
    user-specified traffic threshold or a global traffic threshold. You also can
    automate the protection level for a protection group, based on the total traffic
    threshold. See “About protection level automation” on the next page.

Total Traffic options
    Select an option to configure the level of total traffic that causes the managed
    device to automate the protection level or trigger total traffic alerts for the
    protection group:
    • Automatically change the protection level using the global total traffic
      threshold setting on the managed device
      The managed devices use the global total traffic threshold setting to determine
      when to automate the protection level and trigger this type of alert.
    • Automatically change the protection level when traffic exceeds
      Specify a total traffic threshold in bps, pps, or both bps and pps.
    • Alert using global total traffic threshold setting on the managed device
      The managed devices use the global total traffic threshold setting to determine
      when to trigger this type of alert.
    • Alert when traffic exceeds
      Specify a traffic threshold in bps, pps, or both bps and pps.
    • Do not alert based on the total traffic threshold
      Disables the protection level automation and total traffic alerts for the
      protection group.

Blocked Traffic options
    Select an option to configure the level of blocked traffic that causes the managed
    devices to trigger blocked traffic alerts for the protection group:
    • Alert using global blocked traffic threshold setting on the managed device
      The managed devices use the global blocked traffic threshold setting to determine
      when to trigger this type of alert.
    • Alert when traffic exceeds
      Specify a traffic threshold in bps, pps, or both bps and pps.
    • Do not alert based on the blocked traffic threshold
      Disables the blocked traffic alerts for the protection group.

Botnet Traffic options
    (IPv4 protection groups only) Select an option to configure the level of botnet
    traffic that causes the managed devices to trigger botnet traffic alerts for the
    protection group:
    • Alert using global botnet traffic threshold setting on the managed device
      The managed devices use the global botnet traffic threshold setting to determine
      when to trigger this type of alert.
    • Alert when traffic exceeds
      Specify a traffic threshold in bps, pps, or both bps and pps.
    • Do not alert based on botnet traffic threshold
      Disables the botnet traffic alerts for the protection group.

About protection level automation


To automate the protection level for a protection group, you select a Detection and
Automation Policy for total traffic to change the protection level automatically. After you
select a policy that changes the protection level, AED or APS sets the protection group’s
protection level to low. If traffic to the protection group exceeds the total traffic threshold,
then, within one minute, AED or APS changes the protection level to high and triggers an
alert.

The protection level remains high for at least five minutes. At any time after that, if the
traffic level falls below the threshold, the protection level returns to low.

After AEM synchronizes with the managed devices, the protection group's protection level
is set to low on each device that is assigned to the protection group. However, after the
synchronization, AEM no longer controls the protection group’s protection level on the
managed devices.

Instead, on the List Protection Groups page, the Protection Level column for each managed
device displays the current state of the protection level on that device.

See “Viewing the Status of Protection Groups” on page 214.

If you change a protection group’s protection level when automation is enabled, then
AEM disables automation and changes the protection level on the assigned managed
devices.

You also can disable the automation by changing the total traffic setting to an alerting
option or by turning off the automation and alerting. In this case, the protection level is
set to low on all of the managed devices, even AED and APS devices that are at the high
protection level.

To disable the protection level automation on a single AED or APS, see “Overriding a
Protection Group’s Settings on a Managed Device” on page 228.
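
The automation behaviour described in this section (start at low, go to high and alert within a minute of the total traffic threshold being exceeded, hold high for at least five minutes, return to low once traffic is below the threshold, and drop out of automation on a manual change) is easiest to reason about as a small state machine. The following is an added example, not AED, APS or AEM code; the class and method names are assumptions, the one-sample-per-minute timing is an assumption that stands in for the "within one minute" behaviour, and the traffic samples are constructed.

```python
"""State machine for the protection level automation described above.

Added example, not AED/APS or AEM code. Class and method names are assumptions;
the traffic samples in run_scenario() are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LOW, HIGH = "low", "high"
MIN_HIGH_SECONDS = 5 * 60  # the level stays high for at least five minutes


@dataclass
class AutomatedProtectionLevel:
    """Protection level of one protection group on one managed device."""
    threshold_bps: float                   # total traffic threshold of the automation policy
    automated: bool = True                 # False once a user changes the level by hand
    level: str = LOW                       # selecting an automation policy starts at low
    raised_at: Optional[float] = None      # time the level last went to high
    alerts: List[float] = field(default_factory=list)  # times a total traffic alert fired

    def observe(self, now: float, total_bps: float) -> str:
        """Feed one traffic sample (assumption: samples arrive at least once a minute,
        so reacting to a sample models the 'within one minute' behaviour)."""
        if not self.automated:
            return self.level
        if total_bps > self.threshold_bps:
            if self.level == LOW:
                self.level = HIGH          # raise the level and trigger an alert
                self.raised_at = now
                self.alerts.append(now)
        elif self.level == HIGH and now - self.raised_at >= MIN_HIGH_SECONDS:
            self.level = LOW               # traffic fell below the threshold after the hold
            self.raised_at = None
        return self.level

    def set_level_manually(self, level: str) -> str:
        """A manual level change while automation is enabled disables the automation."""
        self.automated = False
        self.level = level
        self.raised_at = None
        return self.level

    def disable_automation(self) -> str:
        """Switching the policy to alert-only or off sets the level to low, even on a
        device that is currently at high."""
        self.automated = False
        self.level = LOW
        self.raised_at = None
        return self.level


def run_scenario() -> Tuple[List[str], List[float]]:
    """Replay a constructed minute-by-minute sequence; return the level after each
    sample and the times at which alerts fired."""
    group = AutomatedProtectionLevel(threshold_bps=10_000_000)
    samples = [  # (seconds since start, total traffic in bps)
        (0, 5_000_000),     # below threshold: stays low
        (60, 15_000_000),   # exceeds threshold: goes high and alerts
        (120, 2_000_000),   # below threshold but inside the five-minute hold: stays high
        (300, 2_000_000),   # four minutes since raised: still inside the hold
        (360, 2_000_000),   # five minutes since raised and traffic is low: back to low
        (420, 12_000_000),  # exceeds again: high, second alert
    ]
    levels = [group.observe(t, bps) for t, bps in samples]
    return levels, list(group.alerts)


if __name__ == "__main__":
    print(run_scenario())
```

Note that the hold timer is measured from the moment the level was raised, not from the last sample above the threshold, so a short burst followed by quiet traffic still keeps the device at high for the full five minutes.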

Assigning Managed Devices to Protection Groups


After you add a protection group in AEM, you can assign one or more AED or APS devices
to that protection group. After you assign a device to a protection group, the next time
AEM synchronizes with its managed devices, it copies the protection group to the
assigned device.

Important
On a device that is managed by AEM, the ability to configure protection groups is
disabled. You configure protection groups in AEM only.

The maximum number of custom protection groups to which you can assign devices
depends on the device, as shown in the following table.

Maximum number of device assignments for custom protection groups

Managed device                                   Maximum number of assignments
2800                                             99
2600                                             99
vAED or vAPS                                     49
vAED or vAPS with a minimum configuration        9

Note
For information about the minimum configuration for vAED or vAPS, see the respective
Installation Guide.

All of the devices that AEM manages are assigned to the default protection group
automatically. However, the default protection group only protects IPv4 prefixes. The
default protection group does not protect IPv6 prefixes.

After you assign at least one device to a protection group, you can view the protection
group traffic on the View Protection Group page. See “Viewing the Traffic Activity for a
Protection Group” on page 187.

User access
Only administrators can assign devices to, or remove devices from, protection groups.
See “About User Groups” on page 29.

Assigning managed devices to a protection group


To assign managed devices to a protection group:
1. Navigate to the Manage Device Assignments window in one of the following ways:

From the status message that appears at the top of the List Protection Groups page after
adding a protection group
    Click the Assign it to a Device link.

From the menu
    1. Select Protect > Inbound Protection > Protection Groups.
    2. (Optional) On the List Protection Groups page, filter the list to find a specific
       protection group. See “Searching for protection groups” on page 216.
    3. Hover your mouse pointer over the name of a specific protection group, and then
       click the (context menu) icon.
    4. In the context menu, select Manage Device Assignments.

2. (Optional) In the Manage Device Assignments window, type a string in the Filter List
box to filter the device names in the Available list.
The Available and Assigned lists display up to 25 characters of a device’s name. If a
device name exceeds 25 characters, hover your mouse pointer over it to view the
entire name.
3. Assign managed devices to the protection group in one of the following ways:

   To assign all of the available managed devices: Click Assign All.

   To assign individual devices:
   1. Select the device names in the Available list.
   2. Click Assign.

   To assign a single device: Double-click the name in the Available list.

4. Click Save.
If a prefix in the protection group is included in a protection group that is already
assigned to a selected device, you cannot save the assignments. You also cannot save
the assignments if a selected device is assigned to its maximum number of
protection groups. To proceed, unassign any devices that cannot be assigned or click
Cancel.
5. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
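The two checks that the Save in step 4 applies, as an added example that is not part of this guide or of AEM: a small Python validator that applies the assignment limits from the table at the start of this topic and refuses a device when a prefix of the new group overlaps a group already assigned to it. The model labels, device names and prefixes are constructed, and treating an overlap in either direction as "included" is an assumption of the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Limits from the "Maximum number of device assignments for custom protection
# groups" table in this guide, keyed by constructed model labels.
MAX_ASSIGNMENTS = {
    "2800": 99,
    "2600": 99,
    "vAED/vAPS": 49,
    "vAED/vAPS-minimum": 9,    # vAED or vAPS with a minimum configuration
}


@dataclass
class ProtectionGroup:
    name: str
    prefixes: list                  # CIDR strings such as "203.0.113.0/24"


@dataclass
class ManagedDevice:
    name: str
    model: str                      # one of the MAX_ASSIGNMENTS keys
    assigned: list = field(default_factory=list)   # ProtectionGroup objects


def _networks(pg):
    return [ipaddress.ip_network(p, strict=False) for p in pg.prefixes]


def assignment_problems(device, pg):
    """Reasons the Save would be refused for this device; an empty list means OK.

    The procedure names two conditions: the device is already assigned to its
    maximum number of protection groups, or a prefix in the new group is
    included in a group that is already assigned to the device. Assumption for
    this example: overlap in either direction counts as "included".
    """
    if any(existing.name == pg.name for existing in device.assigned):
        return [f"{device.name}: already assigned to {pg.name}"]
    problems = []
    limit = MAX_ASSIGNMENTS[device.model]
    if len(device.assigned) >= limit:
        problems.append(f"{device.name}: at the maximum of {limit} protection "
                        f"groups for model {device.model}")
    for new_net in _networks(pg):
        for existing in device.assigned:
            for old_net in _networks(existing):
                if new_net.version == old_net.version and new_net.overlaps(old_net):
                    problems.append(f"{device.name}: {new_net} in {pg.name} "
                                    f"overlaps {old_net} in {existing.name}")
    return problems


def save_assignments(devices, pg):
    """Mirror the all-or-nothing Save: assign `pg` to every selected device only
    when none of them is rejected. Returns {device name: problems} for the
    devices that must be unassigned first, or {} when the save went through."""
    rejected = {}
    for device in devices:
        problems = assignment_problems(device, pg)
        if problems:
            rejected[device.name] = problems
    if rejected:
        return rejected
    for device in devices:
        device.assigned.append(pg)
    return {}


# Constructed inventory for the example; the prefixes are documentation ranges.
web = ProtectionGroup("web", ["203.0.113.0/24"])
api = ProtectionGroup("api", ["203.0.113.128/25", "2001:db8:10::/48"])
dns = ProtectionGroup("dns", ["198.51.100.0/24"])

edge_a = ManagedDevice("edge-a", "2800", assigned=[web])
edge_b = ManagedDevice("edge-b", "vAED/vAPS-minimum",
                       assigned=[ProtectionGroup(f"pg{i}", [f"10.{i}.0.0/16"])
                                 for i in range(9)])
edge_c = ManagedDevice("edge-c", "2600")

if __name__ == "__main__":
    # edge-a overlaps web and edge-b is at its limit of 9: nothing is saved.
    print(save_assignments([edge_a, edge_b, edge_c], api))
    # edge-c alone is clean: {} is returned and dns is now assigned to it.
    print(save_assignments([edge_c], dns))
```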


Removing managed assignments from a protection group


To unassign managed devices that are assigned to a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. Hover your mouse pointer over the protection group name, and then click (context
menu).
4. In the context menu, select Manage Device Assignments.
5. (Optional) In the Manage Device Assignments window, type a string in the Filter List
box to filter the names in the Assigned list.
The Available and Assigned lists display up to 25 characters of a device’s name. If a
device name exceeds 25 characters, hover your mouse pointer over it to view the
entire name.
6. Remove a device from the protection group in one of the following ways:

   To unassign a single device: Double-click the device name in the Assigned list.

   To unassign individual devices:
   1. Select the device names in the Assigned list.
   2. Click Unassign.

   To unassign all of the devices: Click Unassign All.

7. Click Save.
8. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Removing a single device assignment from a protection group


To unassign a single device:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. To view the managed devices that are assigned to a protection group, click the right
arrow ( ) to the left of a protection group name.
4. Hover your mouse pointer over the name of a specific device, and then click
(context menu).
5. In the context menu, select Unassign from Protection Group.
6. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Overriding a Protection Group’s Settings on a Managed Device
By default, every AED and APS device that is assigned to a protection group uses the
settings that you configure for that protection group. However, for a specific device, you
can override the protection group’s settings for protection level, protection mode, and
bandwidth alert thresholds.

Indicator of an override
To indicate the override of a protection group setting, AEM displays the (protection group
override) icon next to the setting on the List Protection Groups page.

The override icon in a protection group row indicates that there is an override for the
setting on at least one managed device. The override icon in the row for a managed device
indicates that there is an override for the setting on that device.

Overriding a protection group’s settings for a managed device


To override a protection group’s settings for a specific device:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. Click (expand) next to the name of a protection group to view its device
assignments.
4. Next to the name of a managed device, click (context menu), and then select Edit.
5. In the Configure Protection Group on Device window, for each setting that you want to
change, click Configure the Protection Group setting for this device. You can
change the following settings:
• Protection level. You also can choose to automate the protection level by using a
total traffic threshold. See “About protection level automation” on page 225.
• Protection mode
• Threshold alerts for total traffic, blocked traffic, and botnet traffic
6. Configure the protection group settings that you selected to override on this device.
See “Protection group settings” on page 223 for the descriptions of these settings.
7. Click Save.
8. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Reverting to the original protection group settings


To revert to the original protection group settings for a specific AED or APS:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 216.
3. Next to the name of a protection group, click (expand) to view its device
assignments.
4. Next to the name of a managed device, click (context menu), and then select Edit.
5. In the Configure Protection Group on Device window, click Use the Protection Group
setting for this device for each setting that you want to revert.
6. Click Save.
7. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.



Section 15: Mitigating Attacks

AED and APS block attacks automatically based on the protection settings that define
malicious traffic. However, certain attacks may require that you take action to block them.
This section describes how to respond to attacks that are not blocked automatically.

In this section
This section contains the following topics:

About Attack Mitigation 230
Workflow for Routine System Monitoring 232
Indicators of Attacks and Mitigations 234
Mitigating an Attack by Raising the Protection Level 236
Changing the Protection Level 238
Identifying and Blocking an Attack 239

About Attack Mitigation


The focus of AED and APS is on the detection and mitigation of DDoS attacks. When AED
or APS is in active mode, it continually blocks any malicious traffic according to its
configuration.

When to actively mitigate an attack


You might need to take steps to block an attack under the following conditions:
• The protection settings and thresholds for the active protection level do not block the
attack.
For example, if the ICMP Flood Detection settings are disabled for the low protection
level, then the AED or APS does not detect ICMP floods at that protection level.
• The threshold for automatic Cloud Signaling is disabled or no threshold is configured.
• An AED or APS cannot mitigate the attack for reasons beyond its control.
For example, if an attack overloads routers that are deployed upstream of AED or APS,
then the AED or APS cannot detect or mitigate that attack.

About attack mitigation from AEM


When you use AEM to manage AED and APS devices, you should perform any mitigation
tasks in AEM.


Caution
Because the configurations from AEM can overwrite the configurations on AED and APS,
any local changes that you make on AED and APS might be lost. Generally, you should
not make local changes on a managed device, although you might occasionally need to
do so. For example, you might lose the connection between AEM and a managed device
during a high-volume DDoS attack. In that case, you can make local changes on the
device to mitigate the attack.

Options for mitigating inbound attacks


The following table describes your options to block an attack that is not mitigated. The
options that you use depend on the type of attack, your knowledge of network security,
and your organization’s policies.

Options for mitigating inbound attacks

Option: Follow your organization’s standard procedures.
Description: If your organization has an attack policy or a playbook, then follow the procedures that are outlined in the policy or playbook. If your organization does not have a policy or playbook, then continue with the following steps.

Option: Raise the protection level.
Description: You can try to mitigate an attack by raising the global protection level or the protection group protection level. Use this option when you have little time or knowledge of network security and you need to stop an attack as quickly as possible. Alternatively, you might raise the protection level only after other attempts to mitigate an attack are unsuccessful. See “Mitigating an Attack by Raising the Protection Level” on page 236.
Remember that the risk of blocking clean traffic increases with the level of protection. For information about the protection levels and the protection and risk that are associated with each one, see “About the Protection Levels” on page 96.

Option: Identify and block specific attack traffic.
Description: If you can identify the source of an attack, then you can block its traffic in the following ways:
• Add the traffic source to the deny list.
• Create a regular expression to match the traffic and enter it in the appropriate protection setting.
• Create an FCAP expression to match the traffic and enter it in the appropriate protection setting.
See “Identifying and Blocking an Attack” on page 239.

Option: Edit the protection settings.
Description: If you can identify the type of attack, then you can try to block it by changing the protection settings that typically block that type of attack. See “Changing the Protection Settings for Server Types” on page 108.
For example, your network experiences an ICMP flood but the AED or APS does not detect it. If you can block the attack by changing the Maximum Request Rate for the target protection group, then you can avoid changing the protection level.

Option: Enable Attack Analysis.
Description: On AED devices that AEM manages, you can enable Attack Analysis, which identifies possible attacks and generates protection recommendations to mitigate the attacks. See “How Attack Analysis Detects Attacks and Generates Protection Recommendations” on page 156.

Workflow for Routine System Monitoring


Because AED and APS can detect and mitigate most attacks automatically, the majority of
your interaction with the system should be to monitor its operations. By developing a
routine system monitoring workflow, you can ensure that AED and APS always provide
optimum protection from attacks.

Regular monitoring can help you to learn about your network’s normal traffic levels so
that you can more easily recognize anomalies. Regular monitoring also can help you to
detect the attacks that are not mitigated automatically. As you learn more about those
types of attacks, you can refine the protection settings so that AED and APS can detect
and mitigate them according to your preferences.

When you use AEM to manage AED and APS, you can perform these tasks for multiple
managed devices or multiple protection groups.


Workflow
Your monitoring workflow should allow you to answer the following questions:

Questions to answer during routine system monitoring

Question: Do any system problems need attention?
Task: On the Dashboard page, view the System Alerts section. See “Viewing Active Alerts on the Dashboard” on page 285. To investigate further, view the System Alerts page. See “Viewing a Summary of System Alerts” on page 298.

Question: If you use AEM to manage AED or APS, is the managed device connected and synchronized?
Task: In AEM, view the connection status and synchronization status for each managed device in the System Information section on the Summary page.

Question: Is AED or APS monitoring traffic?
Task: On the device’s Summary page, view the Overview tab to verify that traffic is being processed. Ideally, the majority of the network traffic should be passed. See “Viewing the System Overview” in the AED or APS User Guide.

Question: Is the ATLAS Intelligence Feed (AIF) update working?
Task: On the Configure AIF Settings page, view the status of the AIF update. On the Change Log page, view the update information. See “Viewing the Status of ATLAS Intelligence Feed Updates” on page 75.

Question: Is the network under an attack that AED or APS is not blocking?
Task: AED and APS can proactively inform you of attacks and other traffic anomalies that require your attention. If you enable thresholds for total traffic alerts or botnet alerts, then an alert occurs when a protection group’s traffic exceeds one of the thresholds. These alerts appear on the Security Alerts page as well as on other pages in the UI. See “Viewing Security Alerts” on page 293.
In the absence of alerts, you can view specific pages in the UI for information that can help you to detect an attack. See “Indicators of Attacks and Mitigations” on the next page.

Question: Is AED or APS blocking the appropriate traffic?
Task:
• Display and review the Blocked Hosts Log page. See “Viewing the Blocked Hosts Log” on page 244.
• For each protection group, display and review the View Protection Group page. See “Viewing the Traffic Activity for a Protection Group” on page 187.

Question: What hosts are currently blocked, and should they be unblocked or added to the allow list?
Task:
• Display and review the Blocked Hosts Log page. See “Viewing the Blocked Hosts Log” on page 244.
• Investigate false positives by capturing the packet or packets that caused a host’s traffic to be blocked. See “Capturing Packet Information” on page 259.


Indicators of Attacks and Mitigations


AED and APS provide several ways for you to determine whether your network is under
attack and whether an AED or APS is blocking the attack traffic.

If you have enabled alert thresholds, then an alert can be the first sign that you are under
attack, in addition to any external indications. See “Alerts that indicate attacks” below and
“External attack symptoms” on page 236.

Whether or not you receive an alert, you can view the extensive traffic statistics that
appear in AEM. In particular, you can view the traffic graphs that provide a quick visual
indication of the state of your network traffic. Additional statistics provide more details
about the data that is provided in the graphs. See “Graphic indicators of an attack” on the
next page.

For general information about mitigation, see “About Attack Mitigation” on page 230.

How to verify that a mitigation is working


After you take steps to block an attack, confirm that the attack is blocked.
• View the protected service from a customer’s perspective. For example, open a web
browser and try to open the web site that was reported as unavailable.
• If you received a bandwidth alert, then use the information in the alert to find where to
view the behavior that triggered the alert. You might also note whether the alert
expired.
• View the graphs and statistics that indicated the attack.

Alerts that indicate attacks


If you have enabled thresholds for total traffic alerts or botnet alerts, then an alert occurs
when a protection group’s traffic exceeds one of the thresholds. Collectively these alerts
are called bandwidth alerts.
• Total traffic alerts inform you of spikes in the traffic to protected services so that you
can investigate the cause and take action if necessary.
• Botnet alerts indicate that a botnet attack might be underway and suggest the
protection level that would block the botnet traffic.
• Blocked host alerts inform you of spikes in the amount of blocked traffic, which might
indicate that an attack is underway. You might want to determine if blocking the traffic
restored a sufficient level of service or if you need to take action to block additional
traffic.

Each alert includes information that can help you to investigate the alerting behavior
further. The information varies by the type of alert. For example, an alert might include
the protection group name, the blocked host IP address, or a URL to the page where you
can view further information.

When you use AEM to manage AED and APS devices, you can view the alerts for multiple
devices. To do so, view the following pages in AEM:
• Dashboard
• Security Alerts (Explore > Security Alerts)
• System Alerts (Explore > System Alerts)


Graphic indicators of an attack


In the absence of alerts, you can view specific pages in the UI for information that can
help you to detect an attack. In particular, look for a significant increase in traffic or an
unexpected traffic spike in any of the following graphs.
In AEM, these graphs typically represent an aggregate of the inbound traffic for multiple
protection groups or multiple AED and APS devices.

Total traffic graphs


This type of graph can represent the amount of traffic flow, the traffic rate, or the request
rate.
Depending on where the graph appears, the traffic might appear in a color other than
blue, and the graph might display stacked data.

Indicators of attacks and mitigations in the total traffic graphs

• Unblocked attack — A significant increase in the level of total traffic usually indicates
an attack that is not sufficiently blocked.
• Partially blocked attack — The graph shows only a minor drop in the level of traffic.
Additional mitigation steps might be necessary.
• Blocked attack — The graph shows a significant drop in the level of traffic. The level of
traffic appears to be normal.

Blocked-passed traffic graph


This type of graph shows the level of passed traffic in green and the level of blocked
traffic in red, and appears in the following locations:
• On the Dashboard page, in the Total Traffic graph
• On the List Protection Groups page, in the minigraphs for the protection groups and
appliances
• On the View Protection Group page, in the following sections: Total Protection Group
Traffic and IP Location

Indicators of attacks and mitigations in the blocked-passed traffic graphs

• Unblocked attack — A significant increase in the level of passed traffic (green) and a
low level of blocked traffic (red) usually indicates an attack that is not sufficiently
blocked.
• Partially blocked attack — The graph shows only a minor drop in the level of passed
traffic (green). Additional mitigation steps might be necessary.
• Blocked attack — The graph shows a significant drop in the level of passed traffic
(green). The level of passed traffic appears to be normal.
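As an added example that is not from this guide or from AED and APS, the three blocked-passed indicators above written as detection logic over constructed passed/blocked rate samples. The spike, "appears normal" and low-blocked thresholds are assumed values chosen for the example, not AED or APS settings.

```python
from statistics import mean

# Thresholds are constructed assumptions for this example; AED and APS use their
# own protection settings and alert thresholds, not these numbers.
SPIKE_FACTOR = 2.0       # passed >= 2x baseline is a "significant increase"
NORMAL_TOLERANCE = 1.25  # passed within 25% of baseline "appears to be normal"
LOW_BLOCK_RATIO = 0.10   # blocked < 10% of passed is a "low level of blocked traffic"


def baseline_passed(quiet_samples):
    """Average passed rate over a window known to be free of attacks."""
    return mean(passed for passed, _blocked in quiet_samples)


def classify(baseline, samples):
    """Map a blocked-passed window to one of the table's three indicators.

    samples: (passed, blocked) pairs in the same units as baseline, oldest
    first; the last pair is the current state of the graph.
    """
    peak_passed = max(passed for passed, _blocked in samples)
    passed, blocked = samples[-1]
    if peak_passed < baseline * SPIKE_FACTOR:
        return "normal"                       # no spike anywhere in the window
    back_to_normal = passed <= baseline * NORMAL_TOLERANCE
    low_blocked = blocked < passed * LOW_BLOCK_RATIO
    if back_to_normal:
        # Significant drop in passed (green) with blocked (red) carrying the
        # attack: the "Blocked attack" row. If nothing is being blocked, the
        # spike simply ended on its own (constructed assumption).
        return "normal" if low_blocked else "blocked attack"
    if low_blocked:
        # Passed traffic still high and little blocked: "Unblocked attack".
        return "unblocked attack"
    # Blocked traffic present but passed dropped only a little from its peak:
    # "Partially blocked attack"; additional mitigation steps might be necessary.
    return "partially blocked attack"


# Constructed sample rates (Mbps) for one protection group; not real data.
QUIET = [(100, 2), (98, 1), (103, 2), (99, 3), (101, 2)]
BASELINE = baseline_passed(QUIET)

SCENARIOS = {
    "unblocked": [(250, 5), (400, 8), (420, 10)],
    "partial":   [(400, 8), (300, 120), (280, 140)],
    "blocked":   [(400, 8), (150, 260), (105, 310)],
    "quiet":     [(110, 3), (95, 2), (104, 2)],
}


def classify_scenarios():
    """Verdict for each constructed window, keyed by scenario name."""
    return {name: classify(BASELINE, window) for name, window in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in classify_scenarios().items():
        print(f"{name:10s} -> {verdict}")
```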

External attack symptoms


The initial signs of an attack might occur external to the AEM UI. The United States
Computer Emergency Readiness Team (US-CERT) states that the following symptoms
could indicate a DoS attack or DDoS attack:
• unusually slow network performance (opening files or accessing web sites)
• unavailability of a particular web site
• inability to access any web site
• dramatic increase in the amount of spam you receive in your account

If you experience any of these symptoms, then use the AEM UI to investigate.

Mitigating an Attack by Raising the Protection Level


Typically, AED and APS can block most attacks automatically. However, when an attack is
not blocked automatically, you must take some action to block the attack traffic.

You can try to mitigate an attack by raising the global protection level or the protection
group protection level. Use this option when you have little time or knowledge of network
security and you need to stop an attack as quickly as possible. Alternatively, you might
raise the protection level only after other attempts to mitigate an attack are unsuccessful.
For additional mitigation options, see “About Attack Mitigation” on page 230.

The more finely tuned your protection settings are, the more successful this method of
blocking traffic will be.

On AEM, you can change the protection level for a protection group. The new protection
level setting is then synchronized on all of the AED and APS devices that are assigned to
that protection group.

Protection level icons


Throughout the UI, the following icons represent the protection levels: global, low,
medium, and high. The current protection level is indicated by a check mark in the
corresponding icon.

To change the protection level, you click the appropriate icon.


Mitigating an attack by raising the protection level


This workflow assumes that you are already aware of an attack on your network. It also
assumes that you can identify the protection group that is under attack. See “Indicators of
Attacks and Mitigations” on page 234 for information about how to recognize an attack.

Workflow for mitigating an attack by raising the protection level

Step 1: Does the attack affect all of the AED and APS devices that are assigned to the protection group?
• Yes — In the following steps, change the protection level for the protection group. This setting is synchronized on all of the AED and APS devices that are assigned to the protection group. See “About Configuration Data Synchronization with AEM” on page 90.
• No — If the protection group is under attack on a specific AED or APS device, then in the following steps, change the protection level for that device. (See the next steps.)

Step 2: Change the protection level to Medium in one of the following ways:
• For a protection group — On the View Protection Group page, edit the protection group and select Medium. This setting is synchronized on all of the AED and APS devices that are assigned to the protection group. See “About Configuration Data Synchronization with AEM” on page 90.
• For an AED or APS device — On the List Protection Groups page, view the protection group’s device assignments and edit the affected device to change its level to Medium.
If the attack is not blocked sufficiently, then change the protection level to High.

Step 3: At the higher protection levels, AED or APS might block valid hosts and services, such as email servers, DNS servers, database servers, or VPNs. When you raise the protection level, view the Blocked Hosts Log page. If you identify a valid host, add it to the allow list by clicking its Details button, and then clicking Allow List in the Blocked Host Detail window. See “Viewing the Blocked Hosts Log” on page 244.

Step 4: Is the attack blocked now?
• Yes — Go to Step 6.
• No — Go to Step 5.

Step 5: Follow your organization’s procedure for escalating the attack mitigation. This procedure might include requesting cloud mitigation.

Step 6: When the level of traffic returns to normal, it indicates that the attack stopped, and you can reset the protection level to Low. To remain protected in case the attack recurs, you might wait a few hours before you reset the protection level.


Changing the Protection Level


The protection level determines which protection settings are in use at any given time.
For example, if the protection level is low, then the low protection settings are used to
inspect the current traffic. You can change the protection level as needed to mitigate
attacks.

Generally, you should set the protection level to low, which offers the least protection but
reduces the risk of blocking clean traffic. Reserve the medium and high levels for
mitigating attacks. See “Balancing protection and risk” on page 99.

About the different protection levels


The global protection level in an AED or APS device affects all of the protection groups on
that device except those that have their own protection level configured. The protection
group protection level determines which protection settings are in use for a specific
protection group. The outbound threat filter can use the global protection level or it can
have its own protection level. The protection group protection levels and the outbound
threat filter’s protection level override the global protection level.

See “About the Protection Levels” on page 96.

Changing the protection level for multiple devices


When you use AEM to manage AED or APS devices, you can change the protection level
for multiple devices in AEM as follows:
• By default, every device to which a protection group is assigned uses the protection
level that you configure for that protection group. However, for a specific device, you
can override the protection group’s protection level.
• All of the managed devices use the protection level that is set in the AEM outbound
threat filter for outbound traffic.

For example, when an attack targets the servers that are protected by several protection
groups, you can raise the protection level for all of those protection groups.
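An added example, not AEM code, that resolves the level actually in use for a protection group on a device from the precedence described here and under “Overriding a Protection Group’s Settings on a Managed Device” in Section 14, and shows the consequence of a device-level override when you raise several groups at once: the synchronized group setting does not reach a device that overrides it. The data classes, device names and group names are constructed.

```python
from dataclasses import dataclass, field

LEVELS = ("Low", "Medium", "High")      # protection levels, lowest to highest


@dataclass
class ProtectionGroup:
    name: str
    level: str = "Global"   # Global, Low, Medium or High (Edit Protection Group window)


@dataclass
class ManagedDevice:
    name: str
    global_level: str = "Low"           # the device's global protection level
    # Per-device overrides set in the Configure Protection Group on Device window:
    # protection group name -> level configured for this device only.
    overrides: dict = field(default_factory=dict)


def effective_level(device, pg):
    """Level that inspects this protection group's traffic on this device.

    Precedence from the guide: a device override beats the protection group's
    own level, which beats the device's global level. "Global" at either of
    the first two stages falls through to the device's global level.
    """
    level = device.overrides.get(pg.name, pg.level)
    if level == "Global":
        level = device.global_level
    return level


def outbound_level(device, aem_outbound_level):
    """Every managed device uses the level set in the AEM outbound threat
    filter; "Global" there means the device's own global level."""
    return device.global_level if aem_outbound_level == "Global" else aem_outbound_level


def raise_protection_groups(pgs, devices, new_level):
    """Raise several protection groups at once (the multi-group case above).

    Returns {pg name: {device name: effective level}} so that devices whose
    override pins them below `new_level` stand out after the change.
    """
    if new_level not in LEVELS:
        raise ValueError(f"unknown protection level {new_level!r}")
    report = {}
    for pg in pgs:
        pg.level = new_level
        report[pg.name] = {d.name: effective_level(d, pg) for d in devices}
    return report


def devices_not_raised(report, new_level):
    """(pg name, device name) pairs still inspected below new_level."""
    target = LEVELS.index(new_level)
    return [(pg, dev) for pg, per_device in report.items()
            for dev, lvl in per_device.items() if LEVELS.index(lvl) < target]


# Constructed sample state, not a real deployment.
web = ProtectionGroup("web")                    # Global: follows each device
api = ProtectionGroup("api", level="Medium")
edge_a = ManagedDevice("edge-a", global_level="Low")
edge_b = ManagedDevice("edge-b", global_level="Low", overrides={"web": "Low"})

if __name__ == "__main__":
    print(effective_level(edge_a, web), effective_level(edge_b, api))
    report = raise_protection_groups([web, api], [edge_a, edge_b], "High")
    print(report)
    # edge-b keeps inspecting "web" at Low because of its override.
    print(devices_not_raised(report, "High"))
```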

Protection level icons


Throughout the UI, the following icons represent the protection levels: global, low,
medium, and high. The current protection level is indicated by a check mark in the
corresponding icon.

Changing the protection level for a protection group


To change the protection level for a specific protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, hover your mouse pointer over the protection
group name, and then click (context menu).
3. In the context menu, select Edit.
4. In the Edit Protection Group window, under Protection Level, select Global, Low,
Medium, or High.
5. Click Save.

Changing the protection level for the outbound threat filter


To change the protection level for the outbound threat filter:
1. Select Protect > Outbound Protection > Outbound Threat Filter.
2. On the Outbound Threat Filter page, click (configure).
3. Under Protection Level, select Global, Low, Medium, or High.
4. Click Save.

Identifying and Blocking an Attack


Typically, AED and APS can block most attacks automatically. However, when an attack is
not blocked automatically, you must take some action to block the attack traffic.

This process assumes that you are already aware of an attack on your network and that
AED or APS is not blocking the attack. See “Indicators of Attacks and Mitigations” on
page 234 for information about how to recognize an attack.

If you do not want to spend time investigating, then you can try to mitigate the attack by
raising the protection level or by some other method. For additional mitigation options,
see “About Attack Mitigation” on page 230.

Identifying and blocking the source of an attack


We recommend the following process for identifying and blocking the source of an attack.
However, you can perform any of the steps in any order.
• Did you see a security alert, or did you receive a notification that contained a security
alert? Follow the link in the alert to view the View Protection Group page.
If AED or APS does not block the traffic that caused the alert, then follow the next steps
to investigate.
• View the Dashboard page and look for critical traffic alerts or traffic behavior that is
unusual or unexpected. See “Using the Dashboard page to identify an attack” below.
• Look for the ATLAS threat categories that are blocking attack traffic.
• If you can identify the protection group that is under attack, then use the View
Protection Group page to try to determine the source of the attack. See “Identifying an
attack against a protection group” on the next page.
• Run and review a packet capture and try to determine the nature of the attack. See
“Identifying an attack by examining captured packets” on page 241.

After any attempt to block the attack traffic, check the attack indicators to determine
whether your actions mitigated the attack. See “Indicators of Attacks and Mitigations” on
page 234.

Using the Dashboard page to identify an attack


View the active alerts, graphs, and data on the Dashboard page and look for traffic
behavior that is unusual or unexpected. In particular, look for unexplained traffic spikes
or a sudden, significant increase in the traffic level or traffic rate, or blocked threats.


If you see any suspicious traffic, you can take steps to investigate further.

Options for investigation or mitigation on the Dashboard page

Dashboard section: Security Alerts
Options for investigation or mitigation:
• Go to the View Protection Group page for the alerting protection group.
• Go to the Security Alerts page to view additional details about a security alert or find additional security alerts.

Dashboard section: ATLAS Threat Categories
Options for investigation or mitigation:
• Go to the Blocked Hosts Log page for a specific category and view the associated blocked hosts.
• Go to the Explore ATLAS Threat Categories page to examine the threats that are blocked from your network as a result of the ATLAS Intelligence Feed settings.

Identifying an attack against a protection group


If you can identify the protection group that is under attack, then use the View Protection
Group page to try to determine the source of the attack. You can view and take action on
the protection group information for an individual AED or APS or for all of the managed
devices.

Look for traffic behavior that is unusual or unexpected. In particular, look for unexplained
traffic spikes, a sudden, significant increase in the traffic level or traffic rate, or traffic
from an unknown or unexpected source. Also, a URL or domain that has a high
percentage of the total traffic is often an attack target.

Options for investigation or mitigation on the View Protection Group page

Section: Attack Categories
Options for investigation or mitigation: Is one category blocking much more traffic than the others? If so, it is possible that even more of that type of traffic is not blocked. If the category is one that can be edited, then edit its protection settings so that more traffic is blocked at the lower protection levels.

Section: Web Traffic By URL and Web Traffic By Domain
Options for investigation or mitigation: Add the URL or domain to the deny list.

Section: IP Location
Options for investigation or mitigation:
• Capture the packets for a country.
• Add the country to the deny list for the protection group or all protection groups.

Section: Protocols
Options for investigation or mitigation: Create an FCAP expression to match a protocol and enter it in the Filter List settings for the appropriate server type.

Section: Services
Options for investigation or mitigation:
• Capture the packets for a service.
• Create an FCAP expression to match a service and enter it in the Filter List settings for the appropriate server type.

Identifying an attack by examining captured packets


On the Packet Capture page, run and review a packet capture for a specific AED or APS. By
examining the packet payloads, you might be able to determine the nature of the attack.
For example, you might see HTTP packets that are destined for a web page that does not
exist.

When you identify a pattern in the attack traffic, you can create a payload regular
expression to block that type of traffic. See “Configuring Regular Expressions from
Captured Packets” in the AED or APS User Guide.

Investigating and blocking an attack from the Blocked Hosts Log page
After you identify the host IP address that is responsible for the attack, view information
about that host on the Blocked Hosts Log page. From there, you can add the host to the
deny list to prevent future attacks from that host.

If you determine that the host is no longer a threat, then you can remove that host from
the deny list. If you determine that a legitimate host is blocked, then you can add that
host to the allow list.



Section 16: Traffic Forensics

AED and APS provide reporting and packet capture features that enable you to gather
forensic information about traffic and attacks. In AEM, you can view traffic information
and run packet captures for all of the instances of AED and APS that are under
management.

In this section
This section contains the following topics:

About the Blocked Hosts Log 242
Viewing the Blocked Hosts Log 244
Information on the Blocked Hosts Log Page 246
Taking Action on a Blocked Host 250
Viewing the ATLAS Threat Categories on the Summary Page 252
Viewing the ATLAS Threat Categories that Block Traffic 253
About Capturing Packets 258
Capturing Packet Information 259
Alternative Ways to Start a Packet Capture 262
Information on the Packet Capture Page 263
Configuring Regular Expressions from Captured Packets 267

About the Blocked Hosts Log


The Blocked Hosts Log page (Explore > Blocked Hosts) provides a single view of all the
DDoS attacks and threats that were blocked from your network. The Blocked Hosts Log
page displays the hosts that were blocked by all of the AED and APS devices that are
under AEM management. The blocked hosts data in AEM is an aggregation of the data
from all of the managed devices.

You can specify search criteria to limit the scope of the list and you can export the
resulting list. For information about searching and viewing the Blocked Hosts Log page, see
“Viewing the Blocked Hosts Log” on page 244.

The Blocked Hosts Log page allows you to navigate to other areas of the UI, where you can
take action on specific blocked hosts. See “Taking Action on a Blocked Host” on page 250.


Why a host appears in the blocked hosts log


A source host can appear in the blocked hosts log for any of the following reasons:
• It is on the inbound deny list and all of its traffic is blocked.
• A protection category blocked its traffic and temporarily blocked the host.
• A protection category blocked some of its traffic but did not block the host.
  For example, the TCP Connection Limiting category blocks the traffic that exceeds a
  certain threshold but it does not block the host. In such cases, the host appears in the
  blocked hosts log but not in the Temporarily Blocked Sources list.
The traffic that is blocked by the Traffic Shaping settings is an exception. Its source does
not appear in the blocked hosts log.

Because the outbound deny list in AED or APS and certain protection categories can block
outbound traffic, the blocked hosts log can contain hosts whose outbound traffic was
blocked.

On a managed device, you can configure notifications that send messages when a host is
blocked.

How you can use the blocked hosts log


The following scenarios are examples of how you can use the blocked hosts log:

See a global view of all blocked traffic


When the AED Traffic or APS Traffic section on the Dashboard page shows a large amount
of blocked traffic, you can view the Blocked Hosts Log page to investigate. On the Blocked
Hosts Log page, you can view an aggregate of the traffic that is blocked for each host
across all of the managed devices. If you need to examine a specific host further, you can
navigate to the Blocked Hosts Log page on the managed device that blocked the host.

Support forensic reporting


After an attack on a specific server, you can search the blocked hosts log for that server’s
destination IP address. The resulting list shows the hosts that were involved in the attack.
You can export the list to a file and include it in a report on the attack.

Gather more information about the blocked host by initiating a packet capture from the
Blocked Hosts Log page. After inspecting the packets, you can save the packet information
to a packet capture (PCAP) file for reporting purposes.

Verify and refine protection settings


After you configure a new protection group or change protection settings, you can search
the blocked hosts log for that group or attack category. Inspect the log to determine the
level of traffic that the protection group or attack category blocks, and use that
information to further refine the settings.

Debug unexpected blocking


When a customer reports that a legitimate host cannot access the server, you can search
the blocked hosts log for that source host. After you determine why the host was blocked,
you can edit your protection settings, add that host to the allow list, or relay the
information to the customer for corrective action.


Investigate threats
During or after an attack or another event, the traffic graphs and statistics might indicate
that certain traffic is blocked. The traffic may be blocked by an ATLAS threat category or
by the STIX IoCs in a TAXII collection. View the blocked hosts log to identify the specific
threat and the IP address (external or internal) from which the threat originated.

You can add the IP address to the deny list to block its traffic in the future. If the attack
traffic originated from within your network, then you can notify your security operations
center of the possible threats that are in the network.

Viewing the Blocked Hosts Log


The Blocked Hosts Log page displays the hosts that are blocked now or that were blocked
in the past. You can specify search criteria to limit the scope of the list and you can export
the resulting list.

For general information about the Blocked Hosts Log page and how you can use it, see
“About the Blocked Hosts Log” on page 242. For details about the information on the
Blocked Hosts Log page, see “Information on the Blocked Hosts Log Page” on page 246.

Viewing blocked hosts


To view blocked hosts:
1. Select Explore > Blocked Hosts.
2. On the Blocked Hosts Log page, in the Filter section, specify the search criteria.
See “Blocked hosts search criteria” below.
3. Click Search.
4. If you do not see the results you expect, then adjust the search criteria and click
Search again.

From the Blocked Hosts Log page, you can navigate to other areas of the UI, where you can
take action on a specific blocked host. See “Taking Action on a Blocked Host” on page 250.

Opening the Blocked Hosts Log page from other UI pages


For your convenience, certain pages in the UI allow you to open the Blocked Hosts Log
page and focus on a specific item. The item that you are viewing, such as a protection
group or a source IP address, becomes the filter criteria for the page. You can search the
Blocked Hosts Log page with that filter or specify additional filter criteria. Typically, the
option to open the Blocked Hosts Log page is available from a context menu.

Blocked hosts search criteria


The search criteria that you specify determine the blocked hosts that appear on the
Blocked Hosts Log page. For more information, see “Information on the Blocked Hosts Log
Page” on page 246.

Note
To search for IPv6 hosts, you can specify IPv6 addresses that are compressed or
expanded. For example, AED and APS search for the same host whether you specify
2001:DB8:0:0:0:0:0:0/32 or 2001:DB8::/32.


You can search for blocked hosts by completing any of the following options:

Blocked hosts search criteria

  Traffic Direction options
    Select one of the following options:
    • Inbound — Displays the source hosts that are responsible for the inbound blocked
      traffic. The Blocked Hosts Log page initially defaults to the inbound blocked traffic.
    • Outbound — Displays the source hosts or destination hosts that are responsible for
      the outbound blocked traffic.

  Time selector
    Select one of the predefined time increments or click From to change the timeframe for
    which the data is displayed. Only the hosts that were blocked within this timeframe
    appear in the search results. See “Changing the display” on page 24.

  Filter box
    To find the hosts that were blocked for specific devices or protection groups, click the
    Filter box and then select a device from the list. If you are searching for inbound
    blocked hosts, you also can select from a list of protection groups. If you are searching
    for outbound blocked hosts, then the Outbound Threat Filter option appears instead of the
    protection groups. You can select additional devices and protection groups in any
    combination.

  Traffic Rate slider
    To find only the hosts that exceeded a certain traffic threshold, move the slider to the
    threshold value. The threshold is measured in bytes or packets, depending on the display
    unit of measure that is selected.

  Source Hosts box
    Type one or more hostnames, IP addresses, or CIDR blocks to specify the source hosts to
    find. Type commas or press ENTER to separate multiple hosts.


  Threats list
    If you select one or more threat categories under ATLAS Threat Categories, you can select
    a specific threat within the selected categories. Select a threat from the list or type
    all or part of a threat name. As you type, the system displays a list of matching threats
    from which to select.

  Attack Categories check boxes
    To find the hosts that were blocked by one or more specific attack categories, select the
    appropriate check boxes. You can select individual categories or groups of categories:
    • To search all of the AIF threat categories, select the ATLAS Threat Categories check
      box.
    • To search all of the TAXII collections, select the STIX Threats check box.
    • To search all of the categories in the list, select the Attack Categories check box.
    Note
    Denied Hosts is considered a category. This category displays the blocked traffic for
    hosts on the deny list.

Information on the Blocked Hosts Log Page


The Blocked Hosts Log page (Explore > Blocked Hosts) provides a record of all of the hosts
that AED and APS blocked, including the current temporarily blocked hosts.

The Blocked Hosts Log page contains several options that allow you to take action on a
specific blocked host. For example, you can view the protection group that blocked the
host, capture packets for the host, and add the host to the deny list or allow list. See
“Taking Action on a Blocked Host” on page 250.

For information about viewing and using the blocked hosts log, see “Viewing the Blocked
Hosts Log” on page 244.

For general information about the Blocked Hosts Log page and how you can use it, see
“About the Blocked Hosts Log” on page 242.

About the search results on the Blocked Hosts Log page


The search criteria that you specify determine the blocked hosts that appear on the
Blocked Hosts Log page. The display includes all of the available information about each
host as follows:
• If you search for a specific attack category, then the display includes all of the
  categories or the TAXII collections that blocked each host within the selected
  timeframe.
• The first and last times that the host was blocked and the duration of the blockage can
  fall outside the specified timeframe. For example, if you select a timeframe of 5
  minutes, but a host was blocked continually for 25 minutes, then the displayed
  duration is 25 minutes.

The information about the hosts that are blocked by multiple instances of AED or APS can
represent a large amount of data. For efficiency’s sake, when you open the Blocked Hosts
Log page, no data appears until you specify the search criteria. For more information
about searching on the Blocked Hosts Log page, see “Blocked hosts search criteria” on
page 244.

When the search is complete, the resulting information remains on the Blocked Hosts Log
page for an hour, or until you perform another search or cancel a search. After an hour,
the system deletes the search results and resets the Blocked Hosts Log page to an empty
state.
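The search behaviour described in this topic and in “Blocked hosts search criteria” (entries in the Source Hosts box separated by commas or newlines, compressed and expanded IPv6 notation selecting the same host, a category filter that still shows every category that blocked a matching host, and first/last block times that can extend beyond the selected timeframe) can be modelled in a short script. The following Python is an added example written for this guide, not AEM, AED or APS code: `BlockRecord`, `search_blocked_hosts` and the other names are this example's own, the device names, protection group names and traffic figures are constructed sample data, and the overlap rule and the rate calculation are assumptions about one way the page's behaviour could be implemented. Hostname entries are not modelled because matching them would need the resolved names.

```python
"""Model of an AEM-style Blocked Hosts Log search over per-device block
records. Added example with constructed data, not AEM, AED or APS code."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BlockRecord:
    """One host block as one managed device (AED or APS) reported it; byte
    and packet counts are the traffic blocked inside the query window."""
    device: str
    direction: str          # "inbound" or "outbound"
    source: str             # source IP in whatever notation the device used
    protection_group: str   # empty for outbound traffic
    category: str
    first_blocked: datetime
    last_blocked: datetime
    bytes_blocked: int
    packets_blocked: int


def normalize_ip(text):
    """Canonical form, so 2001:DB8:0:0:0:0:0:1 and 2001:db8::1 are one host."""
    return str(ipaddress.ip_address(text))


def parse_source_hosts(text):
    """Parse the Source Hosts box: commas or newlines separate entries, and each
    IP address or CIDR block becomes an ip_network, so compressed and expanded
    IPv6 notation compare equal. Hostnames are skipped (not modelled here)."""
    specs = []
    for raw in text.replace("\n", ",").split(","):
        entry = raw.strip()
        try:
            if entry:
                specs.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass
    return specs


def _source_matches(specs, source):
    addr = ipaddress.ip_address(source)
    return not specs or any(addr.version == s.version and addr in s for s in specs)


def search_blocked_hosts(records, direction, window_start, window_end,
                         source_hosts="", devices=None, categories=None):
    """Return {source_ip: aggregate} for the hosts blocked in the window."""
    specs = parse_source_hosts(source_hosts)
    # A block is in scope if any part of it overlaps the window, so the first
    # and last times and the duration reported below may extend beyond the
    # window itself (a 5-minute window can show a 25-minute block).
    in_scope = [r for r in records
                if r.direction == direction
                and r.last_blocked >= window_start and r.first_blocked <= window_end
                and (not devices or r.device in devices)
                and _source_matches(specs, r.source)]
    # A category filter selects hosts, not rows: a matching host still lists
    # every category that blocked it in the window.
    if categories:
        hosts = {normalize_ip(r.source) for r in in_scope if r.category in categories}
        in_scope = [r for r in in_scope if normalize_ip(r.source) in hosts]

    results = {}
    for r in in_scope:
        agg = results.setdefault(normalize_ip(r.source), {
            "devices": set(), "protection_groups": set(), "categories": set(),
            "first_blocked": r.first_blocked, "last_blocked": r.last_blocked,
            "bytes": 0, "packets": 0})
        agg["devices"].add(r.device)
        if r.protection_group:
            agg["protection_groups"].add(r.protection_group)
        agg["categories"].add(r.category)
        agg["first_blocked"] = min(agg["first_blocked"], r.first_blocked)
        agg["last_blocked"] = max(agg["last_blocked"], r.last_blocked)
        agg["bytes"] += r.bytes_blocked
        agg["packets"] += r.packets_blocked
    window_seconds = (window_end - window_start).total_seconds()
    for agg in results.values():
        agg["duration_seconds"] = (agg["last_blocked"] - agg["first_blocked"]).total_seconds()
        agg["rate_bps"] = agg["bytes"] * 8 / window_seconds   # rate over the window
    return results


T0 = datetime(2024, 1, 1, 12, 0)
WINDOW = (T0, T0 + timedelta(minutes=5))          # a 5-minute search window
WIDE_WINDOW = (T0 - timedelta(hours=3), T0)

# Constructed records from two managed devices. The category names appear in
# the guide; device names, protection group names and figures are made up.
SAMPLE_RECORDS = [
    BlockRecord("aed-1", "inbound", "2001:db8::1", "Web Servers", "Denied Hosts",
                T0 - timedelta(minutes=20), T0 + timedelta(minutes=5), 4_000_000, 5_000),
    BlockRecord("aps-2", "inbound", "2001:0db8:0000:0000:0000:0000:0000:0001",
                "Web Servers", "TCP Connection Limiting",
                T0 - timedelta(minutes=10), T0 + timedelta(minutes=2), 1_000_000, 1_200),
    BlockRecord("aed-1", "inbound", "198.51.100.7", "DNS Servers", "ATLAS Threat Categories",
                T0 - timedelta(hours=2), T0 - timedelta(hours=1), 500_000, 600),
    BlockRecord("aed-1", "outbound", "192.0.2.9", "", "ATLAS Threat Categories",
                T0, T0 + timedelta(minutes=1), 20_000, 40),
]

if __name__ == "__main__":
    for host, agg in search_blocked_hosts(SAMPLE_RECORDS, "inbound", *WINDOW).items():
        print(host, sorted(agg["devices"]), agg["duration_seconds"] / 60, "min blocked")
```

Searching the 5-minute window with either `2001:DB8:0:0:0:0:0:0/32` or `2001:DB8::/32` in the Source Hosts box returns the one IPv6 host, merged across both devices, with a reported duration of 25 minutes; the IPv4 host whose block ended an hour earlier only appears when the timeframe is widened.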

Information on the Blocked Hosts Log page


After you complete the search, a summary of the search appears at the top of the Results
section. The Results section contains the following information:

Information on the Blocked Hosts Log page

  Source
    Displays the IP address of the source host. If AED or APS can identify the country for an
    IPv4 host, then this column also includes a flag icon that represents the country.
    Country flags are not available for IPv6 hosts.
    For inbound traffic, this column represents the host that was blocked. However, if
    outbound traffic was blocked because the destination host is on the outbound deny list,
    then this column does not represent the blocked host. (A host that is on the outbound
    deny list is blocked when it is either the source or the destination of traffic that
    originates from your network.)

  (context menu)
    Appears when you hover your mouse pointer over a source IP address or destination IP
    address.
    When you click the context menu icon for a source host or destination host, you can
    select Capture Packets to open the Packet Capture page for that host. The context menu
    for a source host also contains options to add that source host to a deny list or allow
    list. See “Capturing Packet Information” on page 259.
    The Capture Packets option is unavailable for a range of IP addresses.


  Devices
    Displays the name of the AED or APS that blocked the host and the protection group for
    which the host is blocked.
    If multiple managed devices blocked the host, or if multiple protection groups are
    associated with the blocked host, then this column displays the number of devices or
    protection groups. You can view a list of those devices and protection groups by
    hovering your mouse pointer over the device name.
    You can click the device name or protection group name to navigate to the Blocked Hosts
    Log page in the AED or APS that blocked the host. The Blocked Hosts Log page displays
    the protection groups for which the host is blocked.

  Destination
    Lists the range of destination IP addresses that the blocked host targeted. However, if
    outbound traffic was blocked because the destination host is on the outbound deny list,
    then this column represents the blocked host. (A host that is on the outbound deny list
    is blocked when it is either the source or the destination of traffic that originates
    from your network.)
    The ATLAS threat categories contain policies that define domains that host threats. When
    traffic matches a domain threat policy, the managed device only blocks the DNS request
    for a known bad host. The DNS server appears as the blocked destination IP address, and
    an icon appears next to it. Click the icon to display information about why the host
    was blocked. To investigate further, capture packets for that host. See “About matching
    domain policies” on page 70 and “Investigate why a DNS server appears to be blocked” on
    page 250.

  Port
    Displays the destination port or destination port range on which the traffic was
    blocked.

  Attack Category
    Displays the protection categories that blocked the traffic. If multiple protection
    categories are associated with the blocked host, this column displays the number of
    categories. You can hover your mouse pointer over the number of protection categories
    to view a list of the specific categories.
    If the list includes the ATLAS Threat Categories, then the specific threat categories are
    listed.
    Note
    Denied Hosts is considered a category. This category displays the blocked traffic for
    hosts on the deny list.

  Threats
    Displays any threats that were blocked by the ATLAS threat categories. Click the icon
    next to a threat to view a description of that threat.


  Last Activity
    Displays the amount of time since the last time that the host’s traffic was blocked. If
    multiple devices blocked the host, you can view a list of those devices by hovering your
    mouse pointer over the Last Activity entry. You can click a device name to navigate to
    the Blocked Hosts Log page in the AED or APS that blocked the host. The Blocked Hosts Log
    page is filtered for that particular host.

  Total Traffic
    Displays the amount of the host’s traffic that was blocked during the specified time
    period. The traffic is displayed in bytes and packets.

  Traffic Rate
    Displays the rate of the host’s traffic that was blocked during the specified time
    period. The traffic rate is displayed in bits per second or packets per second.

  Details button
    To view additional information about a blocked host and link to additional workflows,
    click the host’s Details button. See “About the Blocked Host Detail window” below.

Note
For some IP addresses, the managed device displays additional information when you
hover your mouse pointer over the address. For example, if you hover over a truncated
IPv6 address, then you can view the entire address. If you hover over an IP address
whose domain name has been resolved, then you can view its fully qualified domain
name.
To copy the displayed information, click the IP address, select the text, and then copy the
selection.

About the Blocked Host Detail window


To view additional information about a host that appears on the Blocked Hosts Log page,
click the Details button. If the host was blocked on multiple managed devices, then select
the device. The Blocked Host Detail window opens and displays the following additional
information about the blocked host:
• A traffic graph, on which you can display the traffic in either bytes or packets.
• An icon, which appears next to a destination IP address that matched a domain threat
  policy in the AIF. Click the icon to display information about why the host was blocked.
  See “About matching domain policies” on page 70.
• The length of time that the host was blocked.
• The protocol and port.
• The amount and rate of blocked traffic.
• Links to the blocking protection groups or the outbound threat filter.
• The attack categories that blocked the host.
• The device that blocked the host.
• Buttons that allow you to add the host to the deny list or allow list, or remove the host
  from the deny list or allow list. See “Taking Action on a Blocked Host” below.

Although a managed device blocks all the threats that it detects, it only stores and reports
information about the first n threats that it blocks for each host. The managed device lists
up to the first 4 blocked threats for inbound traffic, and up to the first 10 blocked threats
for outbound traffic. To view all of the blocked threats, see “Viewing and Analyzing
Threats” on page 307.

Taking Action on a Blocked Host


As you review the information on the Blocked Hosts Log page, you can take action on a
specific blocked host. For example, after an attack, you can review the blocked hosts log
to determine the hosts that were involved in the attack. See “Viewing the Blocked Hosts
Log” on page 244.

You can export the blocked hosts information to a file for forensic reporting, and then
decide which of those hosts to add to the deny list to prevent future attacks.

The following actions are available from the Blocked Hosts Log page.

View the blocking protection group


(Inbound traffic only) You can view information about the protection group that blocked a
host’s traffic by opening the View Protection Group page for that protection group.

On the Blocked Hosts Log page or in the Blocked Host Detail window, click the protection
group name link. See “Viewing the Traffic Activity for a Protection Group” on page 187.

View the outbound threat filter


If a host’s outbound traffic was blocked, then you can view the outbound threat filter to
analyze the current protection settings.

In the Blocked Host Detail window, click the Outbound Threat Filter link to open the
Outbound Threat Filter page. See “Viewing the Outbound Threat Activity” in the AED or APS
User Guide.

Investigate why a DNS server appears to be blocked


The ATLAS threat categories contain policies that define domains that host threats. When
traffic matches a domain threat policy, the managed device does not block all of the
traffic to the DNS server and it does not block the host. Instead, the managed device
blocks the DNS request for a known bad host only. See “About matching domain policies”
on page 70.
• For outbound traffic, the managed device blocks the DNS request for a fully qualified
  domain name that is known to be bad.
  The managed device sees only the request to the DNS server, not the resolution of the
  IP address for the fully qualified domain name. Therefore, the managed device reports
  the DNS server as a blocked destination IP address on the Blocked Hosts Log page.
• For inbound traffic, the managed device blocks the response from the DNS server for a
  fully qualified domain name that is known to be bad.


When a host is blocked by a domain-related threat policy, an icon appears next to the
destination IP address on the Blocked Hosts Log page. Click the icon to display information
about why the host was blocked.

To determine the hostname that is blocked:
1. On the Blocked Hosts Log page in AEM, click the context menu icon for the destination
IP address, and then select Capture Packets for Device.
2. On the Packet Capture page on the managed device, the filter is set for the destination
IP address that you selected. Run a packet capture to display the dropped packets.
See “Capturing Packet Information” on page 259.
If the DNS requests are intermittent, then you might have to wait until the next
occurrence.
3. Select a dropped packet to view the packet details and see the hostname that is
being requested and blocked.

If you think that the blocked traffic is legitimate, then contact the Arbor Technical
Assistance Center (ATAC) at https://my.netscout.com. Your feedback helps us to
continually improve the AIF content.
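What step 3 shows in the packet details is the question name (QNAME) carried in the dropped DNS query: the blocked destination is the resolver, but the name being asked for is what matched the domain policy. The following Python is an added example, not AED, APS or AEM code. It builds a constructed IPv4/UDP/DNS query from an internal client to a resolver (made-up RFC 5737 addresses and a reserved `.example` name) and then parses the DNS question back out of the raw packet, guarding against a malformed name whose compression pointer loops on itself. The function names `build_dns_query_packet`, `parse_dns_name` and `extract_dns_question` are this example's own.

```python
"""Recover the hostname that a dropped DNS query asked for, as an analyst
reads it from the packet details. Added example with a constructed packet;
not AED, APS or AEM code."""
import ipaddress
import struct

QTYPE_NAMES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def build_dns_query_packet(src, dst, qname, txid=0x1234, sport=40000):
    """Build a raw IPv4/UDP packet carrying a standard A query. Constructed
    input only: IP and UDP checksums are left at zero because nothing here
    verifies them."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    dns = (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
           + labels + b"\x00" + struct.pack("!HH", 1, 1))     # QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", sport, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0xABCD, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp


def parse_dns_name(data, offset):
    """Decode a DNS name at offset; returns (name, offset_after_name).
    Compression pointers are followed with a hop limit, so a pointer that
    loops back on itself raises ValueError instead of hanging the parser."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                       # compression pointer
            if offset + 1 >= len(data):
                raise ValueError("truncated pointer")
            if end is None:
                end = offset + 2                        # name ends after first pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        if length > 63 or offset + 1 + length > len(data):
            raise ValueError("bad label")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels), (offset if end is None else end)


def extract_dns_question(packet):
    """Return the DNS question in a raw IPv4 packet as a dict, or None when
    the packet is not well-formed UDP port 53 DNS."""
    try:
        if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
            return None                                 # not IPv4 over UDP
        udp = packet[(packet[0] & 0x0F) * 4:]
        if len(udp) < 8:
            return None
        sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
        if 53 not in (sport, dport):
            return None
        dns = udp[8:ulen]
        if len(dns) < 12:
            return None
        _txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
        if qdcount < 1:
            return None
        qname, off = parse_dns_name(dns, 12)
        qtype, = struct.unpack("!H", dns[off:off + 2])
    except (ValueError, struct.error):
        return None
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "qname": qname,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "response": bool(flags & 0x8000),               # QR bit: query or response
    }


# Constructed scenario from the procedure above: an internal client asks the
# site's resolver for a name that a domain policy lists, so the Blocked Hosts
# Log shows the resolver 198.51.100.53 as the blocked destination.
SAMPLE_PACKET = build_dns_query_packet("192.0.2.50", "198.51.100.53", "bad-host.example")
SAMPLE_DNS = SAMPLE_PACKET[28:]                          # DNS message inside the packet

# Malformed payload whose question name is a pointer to itself: a naive parser
# would loop forever; extract_dns_question() returns None for it instead.
LOOPING_PACKET = SAMPLE_PACKET[:28] + struct.pack("!HHHHHH", 1, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c"

if __name__ == "__main__":
    print(extract_dns_question(SAMPLE_PACKET))
```

Run on the constructed packet, the parser reports the client and resolver addresses, `bad-host.example` as the queried name and an A-record query rather than a response; the same parser can be pointed at the UDP payload of any dropped query exported from a capture.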

Save the blocked hosts information


To save a record of the current blocked hosts view for forensic reporting, you can export
the blocked hosts information as a PDF file. To do so, click the Create a PDF icon on the
toolbar. The PDF file contains the hosts that appear on the current page.

Capture packets for a blocked host


You can navigate to the Packet Capture page and view the packet-level information about
the traffic on a specific blocked host.

On the Blocked Hosts Log page, hover your mouse pointer over a source IP address or
destination IP address. Click the context menu icon, and then select Packet Capture. When
the Packet Capture page opens, the host’s IP address is entered in the Filter section. From
there, you can start the packet capture. See “Capturing Packet Information” on page 259.

Add a blocked host to the deny list or allow list


After you analyze a blocked host’s traffic, you can add the host to the deny list or allow
list, unblock the host, or remove the host from the allow list. Unblocking a host removes it
from the deny list.

The host’s current status determines which options are available. The direction of the
blocked traffic (inbound or outbound) determines whether the action affects the deny list
or allow list for inbound traffic or outbound traffic. If the host’s inbound traffic was
blocked, then these actions apply to all of the protection groups. (Outbound traffic is not
associated with the protection groups.)

To add a blocked host to the deny list or allow list:
• Click the Details button in the blocked host’s row, and then click one of the following
  buttons in the Blocked Host Detail window:
  - Deny List
  - Allow List
  - Unblock
  - Remove from Allow List
• On the Blocked Hosts Log page, hover your mouse pointer over a source IP address or
  destination IP address. Click the context menu icon, and then select one of the following
  actions:
  The following options block or allow the host for all protection groups:
  - Add to Inbound Global Deny List
  - Add to Inbound Global Allow List
  The following options block or allow the host for the affected protection group only.
  These options are not available when multiple protection groups are associated with
  the blocked host:
  - Add to Inbound Deny List for PG
  - Add to Inbound Allow List for PG

See “About the Deny List and Allow List” on page 167.

Viewing the ATLAS Threat Categories on the Summary Page


On the Summary page, the ATLAS Threat Categories section displays the five ATLAS threat
categories that blocked the most inbound traffic and outbound traffic during the last
hour. Use this information to examine the threats that are blocked from your network as
a result of the ATLAS Intelligence Feed settings.

For information about configuring the ATLAS threat categories, see “ATLAS Intelligence
Feed Settings” on page 125.

Information in the ATLAS Threat Categories section


The ATLAS Threat Categories section contains the following information for each threat
category:

ATLAS Threat Categories information on the Summary page

  Inbound Blocked Threats graph
    Represents the average rate of the inbound traffic that was blocked for the top five
    threat categories.

  Outbound Blocked Threats graph
    For outbound traffic, represents the number of source hosts that were blocked per minute
    for the top five threat categories.

  Key
    Shows the color that represents the specific threat category in the blocked threat
    graphs and allows you to filter the graph displays. You can click a threat category’s key
    to hide or show that category on the graph, so that you can focus on the traffic for
    specific categories.

  Category
    Displays the name of the threat category that blocked the traffic.


  (context menu)
    Appears when you hover your mouse pointer over a threat category name. Click the icon to
    display the following options:
    • Blocked Hosts — Displays the Blocked Hosts Log page, filtered to display the hosts
      whose traffic was blocked by this threat category. If you select this option for an
      inbound threat category, then the Blocked Hosts Log page is filtered for inbound
      traffic. If you select this option for an outbound threat category, then the Blocked
      Hosts Log page is filtered for outbound traffic.
    • Learn more — Displays the description of the threat category that ATLAS provides.
    See “About the Blocked Hosts Log” on page 242.

  Bytes Blocked
    (Inbound Blocked Threats graph only) Shows the amount of inbound traffic that the threat
    category blocked.

  Source Hosts Blocked
    (Outbound Blocked Threats graph only) Shows the aggregate sum of the hosts that the
    threat category blocked for each minute of the last hour.

Viewing the ATLAS Threat Categories that Block Traffic


The Explore ATLAS Threat Categories page displays the ATLAS threat categories that block
inbound traffic and outbound traffic on all of the devices that AEM manages. Use this
information to examine the threats that are blocked from your network as a result of the
ATLAS Intelligence Feed settings.

From this page, you can display the Threat Category Details page to view the specific
threats that each threat category blocked.

For general information about the threat categories, see “About the ATLAS Threat
Policies” on page 69.

Viewing the blocking ATLAS threat categories


To view the blocking ATLAS threat categories:
1. Select Explore > ATLAS Threat Categories.
2. (Optional) On the Explore ATLAS Threat Categories page, filter the information that
appears on the page as follows:
• To change the timeframe for which the data is displayed, click one of the time
  increments or click From, select a time range, and then click Update.
• To limit the display to specific managed devices, click the Showing All Devices link
  that appears to the right of the time selector. In the Select Devices window, select
  each device whose traffic and threat categories you want to view, and then click
  Apply. If you remove one or more devices from view, then the link changes to
  indicate the number of devices that are shown. Example: Showing 5 of 6 devices.
• To select the unit of measure for displaying traffic, click bps or pps in the
  upper-right corner of the page.
3. Select one of the following tabs:
• Inbound — To display the threat categories that are blocking inbound traffic.
• Outbound — To display the threat categories that are blocking outbound traffic.
4. On the Explore ATLAS Threat Categories page, you can view additional information
about the threat categories as follows:
• To hide or show the graph data for one or more threat categories, click the
  category’s Key column.
• To view information about the threats that were blocked at a given time, hover
  your mouse pointer over a section of a graph until a popup window appears.
5. To view the top 10 threats that a threat category blocked, click the category’s name
link or click in the area of the graph that represents the category.
When the Threat Category Details page appears, it is filtered by the same criteria as the
Explore ATLAS Threat Categories page. You can change the filter criteria as needed.
6. On the Threat Category Details page, you can view additional information about the
threats as follows:
• To hide or show the graph data for one or more threats, click the threat’s Key
  column.
• To view information about the threats that were blocked at a given time, hover
  your mouse pointer over a section of a graph until a popup window appears.


Information on the Explore ATLAS Threat Categories page


The Explore ATLAS Threat Categories page displays the following information for the threat
categories that blocked traffic within the display timeframe. The selected tab (Inbound or
Outbound) determines which columns appear.

Information on the Explore ATLAS Threat Categories page

  Inbound Blocked Threats graph
    (Inbound tab only) Represents the average rate of the inbound traffic that was blocked
    for all of the blocking threat categories.
    You can hover your mouse pointer over a section of the graph until a popup window
    appears. The popup window displays the threat category name, amount of blocked traffic,
    and time that are associated with the nearest data point on the graph. The pointer on
    the popup window indicates the data point.

  Outbound Blocked Threats graphs
    (Outbound tab only) Displays the blocked outbound traffic for all of the blocking threat
    categories on the following graphs:
    • The stacked graph represents the average rate of the outbound traffic that was
      blocked, in bytes per second or packets per second.
    • The line graph represents the number of source hosts that were blocked per minute.
    You can hover your mouse pointer over a section of either graph until a popup window
    appears. The popup window displays the threat category name, amount of blocked traffic
    or blocked hosts, and time that are associated with the nearest data point on the graph.
    The pointer on the popup window indicates the data point.

  Key
    Shows the color that represents the specific threat category in the blocked threat
    graphs and allows you to filter the graph displays. You can click a threat category’s key
    to hide or show that category on the graph, so that you can focus on the traffic for
    specific categories.

  Category
    Displays the name of the threat category that blocked the traffic. You can click the
    threat category’s name link to open the Threat Category Details page for that category.
    See “Information on the Threat Category Details page” on page 257.

© NETSCOUT Confidential and Proprietary 255


Section 16: Traffic Forensics
AEM User Guide, Version 7.0.0.0

Information on the Explore ATLAS Threat Categories page (continued)

Information Description

(context menu) Appears when you hover your mouse pointer over a threat
category. Click , and then select one of the following options:
n Blocked Hosts — Displays the Blocked Hosts Log page with
the search criteria selected. You can start the search or
specify additional search criteria. See “Viewing the Blocked
Hosts Log” on page 244.
n (Learn more) — Displays a description of the threat
category.

Source Hosts Blocked (Outbound tab only) Shows the aggregate sum of the hosts that
the threat category blocked for each minute of the display
timeframe. For example, if the timeframe is 1 hour, then this
column represents the sum of the hosts that were blocked for
each of the last 60 minutes.

Source Hosts Blocked (Outbound tab only) Shows the average number of source hosts
Rate per minute (pm) that the threat category blocked.

Total Bytes Blocked, Shows the amount of traffic and the average rate of traffic that
Bytes Blocked Rate or the threat category blocked.
Total Packets Blocked, The traffic is displayed in bytes or packets, depending on the
Packets Blocked Rate unit of measure that is selected for this page.


Information on the Threat Category Details page


The Threat Category Details page displays the following information for the top 10 threats
that the selected threat category blocked. The selected tab (Inbound or Outbound)
determines which columns appear.

Inbound Blocked Threats graph: (Inbound tab only) Represents the average rate of the inbound traffic that was blocked for the top 10 threats.
You can hover your mouse pointer over a section of the graph until a popup window appears. The popup window displays the threat name, amount of blocked traffic, and time that are associated with the nearest data point on the graph. The pointer on the popup window indicates the data point.

Outbound Blocked Threats graphs: (Outbound tab only) Displays the blocked outbound traffic for the top 10 threats on the following graphs:
• The stacked graph represents the average rate of outbound traffic that was blocked, in bytes per second or packets per second.
• The line graph represents the number of source hosts that were blocked per minute.
You can hover your mouse pointer over a section of either graph until a popup window appears. The popup window displays the threat name, amount of blocked traffic or blocked hosts, and time that are associated with the nearest data point on the graph. The pointer on the popup window indicates the data point.

Key: Shows the color that represents the specific threat in the blocked threat graphs and allows you to filter the graph displays.
You can click a threat’s key to hide or show that threat on the graphs, so that you can focus on the traffic for specific threats.

Threat: Displays the name of the threat that the selected category blocked.

Context menu icon: Appears when you hover your mouse pointer over a threat. Click the icon, and then select one of the following options:
• Blocked Hosts — Displays the Blocked Hosts Log page with the search criteria selected. You can start the search or specify additional search criteria. See “Viewing the Blocked Hosts Log” on page 244.
• Learn more — Displays a description of the threat.

Severity: Indicates the severity level that ASERT assigned to this threat.

Source Hosts Blocked: (Outbound tab only) Shows the aggregate sum of the hosts that were blocked for this threat for each minute of the display timeframe. For example, if the timeframe is 1 hour, then this column represents the sum of the hosts that were blocked for each of the last 60 minutes.

Source Hosts Blocked Rate per minute (pm): (Outbound tab only) Shows the average number of source hosts that were blocked for this threat.

Total Bytes Blocked, Bytes Blocked Rate or Total Packets Blocked, Packets Blocked Rate: Shows the amount of traffic and the average rate of traffic that was blocked for this threat. The traffic is displayed in bytes or packets, depending on the unit of measure that is selected for this page.

About Capturing Packets


On the Packet Capture page, you capture in real time the packets that AED or APS inspects.
You can save the packet information for further examination. After your analysis of the
packet data, you might want to update protection settings to provide more targeted
protection.

The packet capture provides a sample of the traffic data. It is not intended to capture
complete information about any given stream or application session.

You can open the Packet Capture page from the menu (Explore > Packet Capture) and
select the filters for running the capture. However, for your convenience, certain pages in
the UI allow you to open the Packet Capture page and focus on a specific item. See
“Alternative Ways to Start a Packet Capture” on page 262.

See the following topics for more information about capturing packets:
• “Capturing Packet Information” on the next page
• “Information on the Packet Capture Page” on page 263
• “Configuring Regular Expressions from Captured Packets” on page 267


How you can use captured packets


The following scenarios are examples of how you can use the captured packet information:

Create protection settings for unique attacks: Your network is under an attack that is outside the scope of the current protection settings, for example, a custom URL attack. You identify the targeted protection group and service, but you cannot determine the targeted URL. You can capture and inspect the packets that target the protection group and service. When you identify the targeted URL, you can add it to the deny list from within the Packet Capture page to block all future traffic to that URL.

Forensic reporting: During an attack on a specific service, you capture the packets that contain headers for that service. After inspecting the packets, you save the packet information to a packet capture (PCAP) file. You can use the PCAP file in a packet analysis program, save it for reporting purposes, or send it to NETSCOUT for technical assistance. See “Saving packet information” on the next page.

Investigate false positives: Clean traffic is blocked and you need to determine the cause so that you can change your protection settings or add the host to the allow list. You can investigate false positives by capturing the packet or packets that caused a specific host’s traffic to be blocked.

Capturing Packet Information


You run a packet capture to sample the packets that AED or APS inspects. Then you can save the packets to a packet capture (PCAP) file for review and analysis. See “Saving packet information” on the next page.

As you analyze the packet data, you might want to update protection settings to provide more targeted protection. The Packet Capture page allows you to take immediate action in the following ways:
• Add a packet’s source address, target domain, or target URL to the global deny list.
• Use the payload data from a captured packet to update the settings in the Payload Regular Expression protection category. See “Configuring Regular Expressions from Captured Packets” on page 267.

Also see “Information on the Packet Capture Page” on page 263.


Capturing packet information


Note
If multiple users capture packets on the same AEM, AED, or APS device simultaneously,
then the device returns different packets for each user. No two users receive the same
packet.

To capture packet information:


1. Select Explore > Packet Capture.
You also can open the Packet Capture page from other places in the product. See “Alternative Ways to Start a Packet Capture” on page 262.
2. (Optional) On the Packet Capture page, in the Filter section, specify the criteria for capturing packets. See “Packet filter criteria” on the next page.
Note
Some of the filter categories require you to press ENTER or click the add icon to add your selection. If you neglect to do so for your last selection, that selection is added when you click Start.
3. In the Capture section, click Start.
4. To limit the display of the capture results, either during the capture or after the capture, click Passed, Dropped, or All.
The managed device always captures all of the packets that match the criteria in the Filter section, regardless of how you choose to display the packets.
5. (Optional) To stop the packet capture, click Pause.
The packet capture stops automatically after it captures 5,000 packets.
6. To view detailed information about a packet, click the packet, and then scroll down to the Packet Details section.
7. As you inspect the packet details, you can take action to block future traffic from the source of the packet, as follows:
• To add the source address, domain, or URL to the deny list, click the associated Global Deny List Source button. This action adds the item to the deny list for all of the IPv4 protection groups or all of the IPv6 protection groups.
• To add packet information to the Payload Regular Expression protection category, click the Add to Payload Regex button. See “Configuring Regular Expressions from Captured Packets” on page 267.
8. To clear the packet list and start over, click Reset in the Capture section, and then click OK in the confirmation window.

Saving packet information


When you save the packet information to a packet capture (PCAP) file, the file contains all
of the packets that you select. If you do not select any packets, then the entire packet
capture is saved.

To save packet information to a PCAP file:


1. Capture packets as described in “Capturing packet information” above.
2. (Optional) On the Packet Capture page, in the Capture section, select the packets to
save.
To save multiple packets, press SHIFT or CTRL as you select the packets.


3. In the Capture section, click Export.
4. Save the file according to your browser options.
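The following Python is added here as an illustration and is not code from this guide or from the product. It writes a classic PCAP file that follows the export rule above (the selected packets, or the whole capture when nothing is selected) and reads the file back so the result can be checked offline. The capture contents are constructed sample frames.

```python
import struct
from typing import List, Optional, Sequence, Tuple


def _frame(payload: bytes) -> bytes:
    """Build a constructed Ethernet frame: broadcast dst, locally administered src,
    IPv4 ethertype, then an arbitrary payload. Not real traffic."""
    dst_mac = bytes.fromhex("ffffffffffff")
    src_mac = bytes.fromhex("020000000001")
    ethertype = b"\x08\x00"
    return dst_mac + src_mac + ethertype + payload


# Constructed sample capture: (timestamp in seconds, raw frame bytes).
SAMPLE_CAPTURE: List[Tuple[float, bytes]] = [
    (1700000000.000100, _frame(b"packet-0")),
    (1700000000.250000, _frame(b"packet-1-longer-payload")),
    (1700000001.000000, _frame(b"packet-2")),
]

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap with microsecond timestamps
PCAP_VERSION = (2, 4)
SNAPLEN = 65535
LINKTYPE_ETHERNET = 1


def pcap_global_header() -> bytes:
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype; little-endian
    return struct.pack("<IHHiIII", PCAP_MAGIC, *PCAP_VERSION, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)


def pcap_record(ts: float, frame: bytes) -> bytes:
    """One packet record: ts_sec, ts_usec, captured length, original length, data."""
    ts_sec = int(ts)
    ts_usec = int(round((ts - ts_sec) * 1_000_000))
    incl_len = min(len(frame), SNAPLEN)
    return struct.pack("<IIII", ts_sec, ts_usec, incl_len, len(frame)) + frame[:incl_len]


def export_pcap(capture: Sequence[Tuple[float, bytes]],
                selected: Optional[Sequence[int]] = None) -> bytes:
    """Export rule from the guide: the file holds the packets you selected;
    with no selection, the entire capture is saved. Selected packets are
    written in capture order regardless of the order they were clicked."""
    indices = sorted(set(selected)) if selected else range(len(capture))
    out = bytearray(pcap_global_header())
    for i in indices:
        ts, frame = capture[i]
        out += pcap_record(ts, frame)
    return bytes(out)


def read_pcap(data: bytes) -> List[Tuple[float, bytes]]:
    """Minimal reader used to verify an exported file without external tools."""
    magic, _major, _minor, _tz, _sig, _snap, _link = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    offset = 24
    packets: List[Tuple[float, bytes]] = []
    while offset < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        offset += incl_len
        packets.append((ts_sec + ts_usec / 1_000_000, frame))
    return packets
```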

Packet filter criteria


Filter the packet capture by selecting any of the following options.
Note
Some of the filter categories require you to press ENTER or click the add icon to add your selection. If you neglect to do so for your last selection, that selection is added when you click Start.

Packet capture filter criteria

Device list: Select the device on which to run the packet capture.

Source Host box: Type a source IP address or a CIDR block, and then press ENTER or click the add icon. You can enter multiple sources. The capture is limited to the packets that match that source. See “Filtering the packet capture by hosts” on the next page.

Blocked host triggers check box: Select this check box to display only the packets that caused a host’s traffic to be blocked. If you do not see this check box, then expand the Source Host section.

Destination Host box: Type a destination IP address or a CIDR block, and then press ENTER or click the add icon. You can enter multiple destinations. The capture is limited to the packets that match that destination. See “Filtering the packet capture by hosts” on the next page.

Protection Group list: To limit the packet capture by protection group or outbound threat filter, click any of the following options:
• Outbound Threat Filter — Captures all of the outbound packets.
• One or more protection groups — Captures the packets that are destined for a host that matches a prefix in any of the selected protection groups.
To deselect an item, click it again.

Service list: Select one or more services to limit the capture to the packets that contain headers for those services. To deselect a service, click it again.

Interface list: Select one or more interfaces from which to capture packets. To deselect an interface, click it again. The capture is limited to the packets that flow into the specified interfaces.

Country list: Select one or more countries, and then press ENTER or click the add icon after each one. The capture is limited to the packets that match the sources from the specified countries.

Regular Expression box: Type a regular expression to limit the capture to the packets that match the expression. Use PCRE format. You can type multiple regular expressions; press ENTER after each expression. The OR operator is used for multiple regular expressions. For information about entering regular expressions, see “About Regular Expressions” in the AED or APS User Guide.

Filtering the packet capture by hosts


You can filter the packet capture by specifying either IPv4 hosts or IPv6 hosts for Source
Host or Destination Host. You cannot filter by both IPv4 hosts and IPv6 hosts at the same
time.

If you filter the capture by IPv6 hosts, then you can specify IPv6 addresses that are
compressed or expanded. For example, the list displays the same packets whether you
filter by 2001:DB8:0:0:0:0:0:0/32 or 2001:DB8::/32.
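The following Python, added here as an illustration and not part of the product, models the Source Host and Destination Host criteria described above: each entry may be a single address or a CIDR block, compressed and expanded IPv6 spellings canonicalise to the same entry, and mixing IPv4 and IPv6 entries is rejected. The packet list is constructed sample data, and the strict=False parsing choice is an assumption.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample capture as (source, destination) address pairs; not real traffic.
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("2001:db8:1::10", "2001:db8:2::1"),
    ("2001:DB8:0:0:0:0:0:0", "fd00::1"),   # expanded spelling of 2001:db8::
    ("fd00::7", "2001:db8:2::1"),
    ("198.51.100.9", "203.0.113.5"),
]


class HostFilter:
    """Source Host and Destination Host criteria of the packet capture filter."""

    def __init__(self) -> None:
        self.sources: List[Network] = []
        self.destinations: List[Network] = []
        self.version: Optional[int] = None   # 4 or 6 once the first entry is added

    def _parse(self, text: str) -> Network:
        # ip_network accepts a bare address (host route) or a CIDR block and
        # canonicalises IPv6 spelling, so 2001:DB8:0:0:0:0:0:0/32 and
        # 2001:DB8::/32 parse to the same network. strict=False is an
        # assumption: host bits inside a block are cleared rather than rejected.
        net = ipaddress.ip_network(text.strip(), strict=False)
        if self.version is None:
            self.version = net.version
        elif net.version != self.version:
            # the guide: you cannot filter by IPv4 and IPv6 hosts at the same time
            raise ValueError(f"cannot mix IPv{self.version} and IPv{net.version} host filters")
        return net

    def _add(self, bucket: List[Network], text: str) -> None:
        net = self._parse(text)
        if net not in bucket:          # duplicate spellings collapse to one entry
            bucket.append(net)

    def add_source(self, text: str) -> None:
        self._add(self.sources, text)

    def add_destination(self, text: str) -> None:
        self._add(self.destinations, text)

    @staticmethod
    def _hit(addr: str, nets: Sequence[Network]) -> bool:
        if not nets:                   # no entries for this side means no restriction
            return True
        ip = ipaddress.ip_address(addr)
        # membership across address families is False in ipaddress, so an
        # IPv4 packet never matches an IPv6 entry and vice versa
        return any(ip in net for net in nets)

    def matches(self, src: str, dst: str) -> bool:
        return self._hit(src, self.sources) and self._hit(dst, self.destinations)


def run_capture_filter(packets: Sequence[Tuple[str, str]], flt: HostFilter) -> List[Tuple[str, str]]:
    """Return the packets the capture would list for the given host criteria."""
    return [pkt for pkt in packets if flt.matches(*pkt)]
```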

Alternative Ways to Start a Packet Capture


To open the Packet Capture page in AEM and enter the filters for running the capture, you
select Explore > Packet Capture from the menu. However, for your convenience, certain
pages in the UI allow you to open the Packet Capture page and focus on a specific item.
The item that you are viewing, such as a protection group or a source address, becomes
the filter criteria for the capture. You can start the packet capture with that filter or
specify additional filter criteria. See “Capturing packet information” on page 260.

Example: As you investigate a blocked host on the Blocked Host Log page, you can open
the Packet Capture page and quickly capture packets for that host.


Ways to access the Packet Capture page


Typically, to open the Packet Capture page from a different page in the UI, you select an option from a context menu.

Ways to access the Packet Capture page

Traffic for a device that is assigned to a protection group (starting page: List Protection Groups): Click the right arrow to the left of a protection group name. In the list of assigned devices that appears, click the context menu icon for a device. The Packet Capture page opens in the managed device and the capture runs on that device.

Traffic for a country or service that is associated with a protection group (starting page: View Protection Group): Click the context menu icon for an IP location (country) or for a service. The Packet Capture page opens in the managed device and the capture runs on that device.

Traffic for a blocked host on a specific managed device (starting page: Blocked Hosts Log): Click the context menu icon for a source IP address or a destination IP address. If the blocked host is present on multiple managed devices, then select the device. The Packet Capture page opens in AEM and the capture runs on AEM.

Traffic for a blocked host on a specific managed device (starting page: Threat Analysis): On the Threat Analysis page, in the Threats List, click the name of a source IP address or a destination IP address. The Packet Capture page opens in AEM and the capture runs on AEM.

Information on the Packet Capture Page


The Packet Capture page displays information about the packets that you sample from
your network. See “About Capturing Packets” on page 258 and “Capturing Packet Information” on page 259.

As you view the packet details, you can take action to block future traffic from the source
of the packet. For example, you can add the source of the packet to the deny list. The
options are described in “Information in the Packet Details section” on page 265.

Note
If multiple users capture packets on the same AEM, AED, or APS device simultaneously,
then the device returns different packets for each user. No two users receive the same
packet.


Information in the Capture section


In the Capture section of the Packet Capture page, the captured packets are displayed one per line. The background color of a packet line provides the following information:
• Red — The packet was blocked.
• Blue — The packet is selected.
• Purple — A blocked packet is selected.

The Capture section contains the following information for each packet:

Time: Shows the time in seconds since the packet was captured, relative to the current time.

Source, Port and Destination, Port: Displays the IP address and port of the source host and the IP address and port of the destination host. If an IPv6 address is truncated, then you can hover your mouse pointer over it to view the entire address.
Note
You cannot copy the IP address in this section of the Packet Capture page. To copy the IP address, select a packet, and then copy the IP address that appears in the Packet Details section.

Service: Displays the name of the targeted service.

Bytes: Displays the size of the packet.

Information: Displays summary information about the packet. The content depends on the protocol and the types of headers that the packet contains.


Information in the Packet Details section


When you select a single packet in the Capture section, information about the packet
appears in the Packet Details section. The amount of information that appears depends
on the types of headers that the packet contains.

The Packet Details section contains the following information for each packet:

This packet was blocked: If a packet was blocked, then this section indicates the reason. This information appears at the top of the Packet Details section.

Source, Port and Destination, Port: Displays the IP address and port of the source host and the IP address and port of the destination host.
Note
For some IP addresses, the managed device displays additional information when you hover your mouse pointer over the address. For example, if you hover over a truncated IPv6 address, then you can view the entire address. If you hover over an IP address whose domain name has been resolved, then you can view its fully qualified domain name.
To copy the displayed information, click the IP address, select the text, and then copy the selection.
The Global Deny List Source button allows you to add the source IP address to the inbound deny list for all protection groups or to the outbound deny list.

Service: Displays the name of the targeted service.

Bytes: Displays the size of the packet.

IP section: Displays the following information for IP packets:
• Total Length
• Header Length
• Type of Service
• Time to Live
• Flags
• Fragment Offset
• Sequence Number
• Protocol
• Checksum

TCP section: Displays the following information for TCP packets:
• Source Port
• Destination Port
• Sequence Number
• ACK number
• Header Length
• Flags
• Window
• URG (urgent)
• Checksum

UDP section: Displays the following information for UDP packets:
• Source Port
• Destination Port
• Data Length
• Checksum

DNS section: Displays the following information for DNS packets:
• Operation — for example, Query
• Response
• Name — first name in the query
The Deny List Domain button in this section allows you to add this domain to the inbound deny list for all IPv4 protection groups.

HTTP section: Displays the following information for HTTP packets:
• Operation — for example, GET
• URL, including the host, if known
The Deny List URL button in this section allows you to add this URL to the inbound deny list for all IPv4 protection groups.
• Registered Domain Name, if known
The Deny List Domain button in this section allows you to add this domain to the inbound deny list for all IPv4 protection groups.

ICMP section: Displays the following information for ICMP packets:
• Type
• Code
• ID
• Sequence Number
• Gateway
• Checksum

SSL section: Displays the following information for SSL packets:
• Content type
• Operation
• Protocol Version
• Client Version
• Session ID

Data section: Contains a hex dump of the packet, with the hexadecimal view on the left and the corresponding ASCII text translation on the right.
The Add to Payload Regex button in this section allows you to add packet information to the Payload Regular Expression protection category. You can update the settings for either a specific server type or the outbound threat filter.
See “Configuring Regular Expressions from Captured Packets” below.

Configuring Regular Expressions from Captured Packets


You can use information from captured packets to update the settings in the Payload
Regular Expression protection category, for either a specific server type or the outbound
threat filter. When you update the settings for a server type, the change applies to all of
the protection groups that are associated with that server type.

For example, suppose your network is under an attack that is outside the scope of the
current protection settings. You use the Packet Capture page to capture packets and
examine the packets in the attack flow. When you identify a pattern in the attack traffic,
you can update your regular expression settings to protect against that type of traffic in
the future.

Updating the Payload Regular Expression settings


To update the Payload Regular Expression settings:
1. Capture packets as described in “Capturing Packet Information” on page 259.
2. On the Packet Capture page, in the Capture section, select the packet on which to base
the regular expression.
3. Scroll down the Packet Details section to find the Data subsection.
4. In the hexadecimal column or the ASCII column, select the information to add to the
regular expression, and then click Add to Payload Regex.
5. In the Add to Payload Regular Expression window, identify the protection setting to
update as follows:
a. In the Server Type list, select a server type or the Outbound Threat Filter.
b. Click the icon of the Protection Level for which you want to update the setting.
6. Review any settings that appear in the Add to Payload Regular Expression window and,
if necessary, edit them as follows:

TCP Ports box, UDP Ports box: Specify the ports for TCP, UDP, or both. Type one or more port numbers in the appropriate box to define the TCP traffic or UDP traffic to inspect. You can enter port numbers and port ranges (for example, 10-22). To inspect all traffic of the protocol type, enter all. Use spaces or commas to separate multiple port numbers. The managed device matches the regular expressions against the packets that are sent from or sent to the specified ports.

Regular Expression box: The packet information that you selected is appended to the end of any existing regular expression, separated by an OR sign (|), and highlighted. Edit the regular expression as needed. For information about entering regular expressions, see “About Regular Expressions” in the AED or APS User Guide.
7. Click Save.
8. To add more packet information to the regular expression settings, repeat this
procedure.
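Added here as an illustration, not as the product's code: the Python below parses the TCP Ports and UDP Ports boxes as the procedure describes them (port numbers, ranges such as 10-22, the word all, space or comma separators), appends a selected payload to an existing expression after an OR sign, and applies the resulting setting to constructed sample packets. Treating an empty ports box as "do not inspect that protocol" is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Union

PortSpec = Union[str, FrozenSet[int]]   # "all", or an explicit set of port numbers

# Constructed sample packets (not real traffic): protocol, ports and payload bytes.
SAMPLE_PACKETS: List[Dict] = [
    {"proto": "tcp", "sport": 40001, "dport": 80,   "payload": b"POST /api/ping?x=1\r\nHost: app\r\n"},
    {"proto": "tcp", "sport": 40002, "dport": 80,   "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "sport": 40003, "dport": 8443, "payload": b"POST /api/ping?x=1\r\n"},
    {"proto": "udp", "sport": 5353,  "dport": 53,   "payload": b"/api/ping?x=1\r\n"},
]


def parse_port_spec(text: str) -> PortSpec:
    """Parse the TCP Ports or UDP Ports box: port numbers and ranges such as
    10-22, separated by spaces or commas; the word all selects every port.
    An empty box is read as "do not inspect this protocol" (assumption)."""
    text = text.strip()
    if not text:
        return frozenset()
    if text.lower() == "all":
        return "all"
    ports = set()
    for token in re.split(r"[\s,]+", text):
        if not token:
            continue
        lo, _, hi = token.partition("-")
        lo_port = int(lo)
        hi_port = int(hi) if hi else lo_port
        if not 0 <= lo_port <= hi_port <= 65535:
            raise ValueError(f"invalid port entry: {token!r}")
        ports.update(range(lo_port, hi_port + 1))
    return frozenset(ports)


def append_with_or(existing: str, selection: bytes) -> str:
    """Mirror the Add to Payload Regular Expression window: the bytes selected
    in the Data subsection are appended to the existing expression after an
    OR sign (|). Printable bytes are regex-escaped; other bytes become \\xHH
    escapes so the literal stays valid in PCRE-style syntax."""
    literal = "".join(
        re.escape(chr(b)) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in selection
    )
    return f"{existing}|{literal}" if existing else literal


@dataclass
class PayloadRegexSetting:
    tcp_ports: PortSpec
    udp_ports: PortSpec
    pattern: "re.Pattern[bytes]"

    @classmethod
    def build(cls, tcp_box: str, udp_box: str, regex: str) -> "PayloadRegexSetting":
        # the expression is compiled as a bytes pattern because it runs over raw payload
        return cls(parse_port_spec(tcp_box), parse_port_spec(udp_box), re.compile(regex.encode()))

    @staticmethod
    def _port_hit(spec: PortSpec, sport: int, dport: int) -> bool:
        # the guide: expressions are matched against packets sent from OR sent to the listed ports
        return spec == "all" or sport in spec or dport in spec

    def matches(self, packet: Dict) -> bool:
        """True when the packet's protocol ports are in scope and the payload matches."""
        spec = self.tcp_ports if packet["proto"] == "tcp" else self.udp_ports
        if not self._port_hit(spec, packet["sport"], packet["dport"]):
            return False
        return self.pattern.search(packet["payload"]) is not None
```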



Section 17:
Managing Centralized Reports

This section provides information about how to configure and manage centralized
reports on the AEM. A centralized report aggregates the data for multiple AED and APS
devices that the AEM manages.

In this section
This section contains the following topics:

About Centralized Reports 269
About the Centralized Executive Summary Report 270
Configuring On-Demand Centralized Reports 274
Viewing and Deleting Centralized Reports 276

About Centralized Reports


On AEM, you create and manage reports on the Centralized Reports page. A centralized
report aggregates the data for multiple AED and APS devices that the AEM manages.

The report provides information about the attacks that one or more managed devices
detected and blocked on your network over time. The report also provides information
about high-level traffic trends on your network over time.

For details about how to configure a centralized report, see “Configuring On-Demand
Centralized Reports” on page 274.

Selecting the managed devices to include in a report


When you configure a centralized report, you select the managed devices to include in
the report. To further refine the report, you select the protection groups on the managed
devices whose data you want to include in the report.

Selecting the date range for a centralized report


When you configure a report, you select a timeframe for that report. You can select a
predefined timeframe for days, weeks, or months. You also can specify a custom
timeframe, to include data from a specific time period.

Generating a centralized report


After you configure and submit a centralized report, the AEM generates the report. The
report runs on each of the selected managed devices and then AEM aggregates the data
in the centralized report.


About the report data


A centralized report may include the following types of data if the data is available for the
selected protection groups:
• inbound traffic statistics
• top inbound sources
• top inbound destinations
• top inbound countries
• outbound traffic statistics
• top blocked threat categories

For more details about the information included in a centralized report, see “About the
Centralized Executive Summary Report” below.

About the Centralized Executive Summary Report


The centralized Executive Summary report provides information about the attacks that
one or more AED or APS devices detected and blocked on your network over time. This
report also provides information about high-level traffic trends on your network over
time.

You configure these reports on the Centralized Reports page. See “Configuring On-
Demand Centralized Reports” on page 274.

About the top hosts data


To include data about the top hosts in a report, you first must enable Top Sources and
Destinations tracking on the managed devices. See “Configuring General Settings” on
page 57.

Important
Some of the data in the Executive Summary report is based on the traffic for the
selected protection groups. However, the data for the top hosts is based on all of the
traffic for all of the selected AED and APS devices.

About the outbound traffic data


To include data about the outbound traffic in a report, you must enable the outbound
threat filter on the managed devices. See “Viewing the Outbound Threat Activity” in the
User Guide for AED or APS.

The outbound information includes IPv4 traffic data only.


Information in the Executive Summary report


Report header and footer
The report header contains descriptive information about the report. Some of this
information is configurable when you create the report.

Information in the report header

Report name: The user-configurable name of the report, which appears at the top left of the page.

AEM name: The system name of the AEM on which the report is run, which appears below the report name.

Description: The optional user-configurable description for the report, which appears below the AEM name.

Summary: A summary of the number of protection groups and managed devices whose data is aggregated in the report. This information appears below the description.

Logo: The NETSCOUT logo.

Date range: The user-selected date range for the data in the report, which appears below the logo.

The report footer contains the following information:
• The user name of the person who requested the report
• The date and time when the report was generated on AEM
• Explanations about the data that was not included in the report, if applicable

Cloud Signaling
Important
Some of the data in the Executive Summary report is based on the traffic for the
selected protection groups. However, the data for Cloud Signaling is based on all of the
traffic for all of the selected AED and APS devices.

If cloud-based mitigation occurred during the specified date range, the report includes
Cloud Signaling data. Events Mitigated shows the number of unique DDoS attacks that
were mitigated. Targeted IPs Protected shows the number of hosts in your network that
the selected managed devices protected from DDoS attacks by using cloud-based
mitigation.

See “About Cloud Signaling for DDoS Protection” in the User Guide for AED or APS.

DDoS Protection
If data about the inbound traffic is available, the report includes the following information
for the selected protection groups:


• The amount of blocked inbound traffic, in bytes
• The percentage of inbound traffic that was blocked versus the total amount of inbound traffic
• The number of unique hosts that were blocked
Note
If the number of blocked hosts exceeds 100,000, the report displays 100000+ as the blocked hosts statistic.
• A stacked graph that displays the amount of blocked inbound traffic versus the amount of passed inbound traffic
• The average daily amount, in bytes, of the total inbound traffic, blocked inbound traffic, and passed inbound traffic during the specified date range
To calculate the average daily inbound traffic, the total amount of inbound traffic for the selected devices is divided by the number of days in the specified date range.
• The average rate, in bps, for the total inbound traffic, the blocked inbound traffic, and the passed inbound traffic during the specified date range

If data about the outbound traffic is available, the report includes the following information for the selected protection groups:
• The amount of blocked outbound traffic, in bytes
• The percentage of outbound traffic that was blocked versus the total amount of outbound traffic
• The number of unique hosts that were blocked
• A stacked graph that displays the amount of blocked outbound traffic versus the amount of passed outbound traffic
• The average daily amount, in bytes, of the total outbound traffic, blocked outbound traffic, and passed outbound traffic during the specified date range
To calculate the average daily outbound traffic, the total amount of outbound traffic for the selected devices is divided by the number of days in the specified date range.
• The average rate, in bps, for the total outbound traffic, blocked outbound traffic, and passed outbound traffic during the specified date range

If no outbound traffic is available during the specified date range, the report omits the
outbound traffic section.

The outbound information includes IPv4 traffic data only.

Top Inbound Countries


If the data is available, the report includes the following information about the five countries that sent the most traffic:
• A flag icon that represents the country
Note
In AED and APS, country mappings do not exist for IPv6 addresses. As a result, the report displays an IPv6 flag instead of a country flag when the source is an IPv6 address.
• A stacked graph that represents each country’s total passed traffic in green and its total blocked traffic in red
• The amount of traffic from each country that was passed and blocked, in bps and pps
• The percentage of the total traffic that each country’s traffic represents, shown as a number and as a proportion bar. The bar for the top country is the full column width and the remaining bars are in proportion to it.
In this case, total traffic refers to the total traffic for the countries that are included in this report.

Top Blocked Threat Categories


If the data is available, the report includes the following information about the five threat categories in the ATLAS Intelligence Feed that blocked the most traffic:
• A stacked graph that represents the amount of inbound traffic that was blocked
• A stacked graph that represents the amount of outbound traffic that was blocked
• A key for each graph that shows the color that represents a specific threat category in the graph
• The name of the threat category that blocked the traffic
• The amount of inbound traffic and the amount of outbound traffic that was blocked

The outbound information includes IPv4 traffic data only.

Top Inbound Sources


Important
Some of the data in the Executive Summary report is based on the traffic for the
selected protection groups. However, the data for Top Inbound Sources is based on all of
the traffic for the selected AED and APS devices.

If the data is available, the report includes the following information about the five external IP addresses that sent the most traffic:
• The IP address for the source host. If AED or APS can identify the host’s country, this column also includes a flag icon that represents the country.
Note
In AED and APS, country mappings do not exist for IPv6 addresses. As a result, the report displays an IPv6 flag instead of a country flag when the source is an IPv6 address.
• A graph that represents the total traffic from the source
• The total amount of traffic from the source, in bytes and packets
• The average rate of traffic from the source, in bps and pps

Top Inbound Destinations


Important
Some of the data in the Executive Summary report is based on the traffic for the
selected protection groups. However, the data for Top Inbound Destinations is based on
all of the traffic for the selected AED and APS devices.

If the data is available, the report includes information about the five internal IP addresses that received the most traffic:
• The IP address to which the traffic is destined
• A graph that represents the total traffic to the destination
• The total amount of traffic to the destination, in bytes and packets
• The average rate of traffic to the destination, in bps and pps

AED and APS Devices


This section lists the AED and APS devices whose data is included in the report. You select
the AED and APS devices when you configure the report, although some devices may be
unavailable when the report runs. See “Configuring On-Demand Centralized Reports”
below.

Note
If some of the selected devices are unavailable when the report runs, then AEM
generates the centralized report using data from the available devices. In this situation,
a warning message identifies the devices that were unavailable. The warning message
appears in the Report Status column on the Centralized Reports page in AEM and on the
first page of the report.

Protection Groups
This section lists the protection groups whose data is included in the report. You select
the protection groups when you configure the report. See “Configuring On-Demand
Centralized Reports” below.

Configuring On-Demand Centralized Reports


You can configure centralized reports on the AEM. Centralized reports aggregate the data
for multiple AED and APS devices that the AEM manages. The AEM runs the report once,
immediately after you create the report.

Note
The time zone that appears on the report results is the time zone for the AEM.

For an overview of centralized reports, see “About Centralized Reports” on page 269. For a
description of the information that the AEM includes in the report, see “About the
Centralized Executive Summary Report” on page 270.

Configuring an on-demand centralized report


To configure an on-demand centralized report:

1. Select the Reports menu.


2. On the Centralized Reports page, click Configure New Report.
3. On the Step 1 page, select a date range for the data to include in the report in one of
the following ways:
4. To select a predefined timeframe, select Quick Date Range, type a number in the
Last box, and select Days, Weeks, or Months.
Note
The report includes data for complete days, weeks, or months only. (A complete
week is Sunday through Saturday.) For example, if you specify a 2-month timeframe
and the AEM generates the report on April 10, the report includes the data for
February and March only.
5. To specify a custom timeframe, select Custom Date Range. Select a start date in the
From calendar and select an end date in the To calendar.
For guidelines on how to specify a custom date range, see “Setting a custom date
range” on page 276.
6. Click Next.

7. On the Step 2 page, all of the AED and APS devices that the AEM manages are selected by default. If you do not want to include all of the managed devices in the report, then complete one of the following steps:
• To deselect all of the AED and APS devices, select the check box next to the AED or APS column header. Then select the check box next to each device to include.
• To exclude an AED or APS device, clear the check box next to the device in the Name column.
You must select at least one device before you can continue to the next step.
Tip
To filter a large list of AED and APS devices, search by a device name or an IP address in the Search box. To search by name, enter the full name or a partial name of one or more devices. To search by IP address, enter the full IP address or a partial IP address.
8. Click Next.
9. On the Step 3 page, all of the protection groups are selected by default. The list includes all of the protection groups to which the selected devices are assigned. If you do not want to include all of the protection groups in the report, then complete one of the following steps:
• To deselect all of the protection groups, select the check box next to the Protection Groups column header. Then select the check box next to each protection group to include.
• To exclude a protection group, clear the check box next to the protection group name.
You must select at least one protection group before you can continue to the next step.
Tip
To filter a large list of protection groups, enter the name of a protection group or a server type in the Search box. You can enter the full name or the partial name of one or more protection groups or server types.
10. Click Next.
11. On the Step 4 page, in the Reporting on section, review the settings that you selected on the previous pages. To change any of these settings, click Previous to return to the appropriate page.
12. In the Name box, type a name for the report. The name may contain up to 56 characters.
13. (Optional) In the Description box, type a description for the report. The description may contain up to 132 characters.
14. (Optional) In the Audit Trail Change Message box, type a message that describes the change. This message will appear in the audit trail. See “Viewing the Audit Trail Log” on page 320.
15. (Optional) To email the report as a PDF file after AEM generates it, type one or more valid email addresses in the Email Addresses box. Enter multiple email addresses as a comma-separated list.
Important
To send emails from AEM, you must configure an SMTP server on the Configure General Settings page (Administration > General). See “Configuring General Settings” on page 57.

16. Click Submit.

After you submit the report, AEM adds the report to the list on the Centralized Reports
page. The location of the report in the list is based on the selected sort order. However, if
you sort the reports by Run Date (ascending or descending), any requested reports or
running reports appear at the top of the list. After AEM generates the report, it adds the
report to the list in the selected Run Date order.

For information about sort order, see “Sorting the list of reports” on page 278. For
information about how to view the report results, see “Viewing the results for a
centralized report” on the next page.

Setting a custom date range


When you specify a custom date range on the Step 1 page of the Configure New Centralized
Report wizard, the following guidelines apply:
• To change the month that appears in a calendar, click (previous) or (next).
• After you select a start date in the From calendar, you cannot select any dates prior to that date in the To calendar.
• If you select start and end dates that are in the same month, then you cannot select a new start date in any month that follows the selected month. You have to pick a new date in the To calendar first.
• In the To calendar, you cannot select an end date that falls after the current date.
• The timeframe for the report starts at 12:00 A.M. on the selected start date and ends at 11:59:59 P.M. on the selected end date.
Note
If you select the current day as the end date in the To calendar, then the end time for the report is the time at which you submit the report.
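The following Python is an added illustration, not code from the NETSCOUT guide or the AEM product, that models the two date-range rules described in this section and in the Quick Date Range step above: a Quick Date Range counts only complete days, weeks (Sunday through Saturday) or months before the day the report runs, and a Custom Date Range spans 12:00 A.M. on the start date through 11:59:59 P.M. on the end date, or through the submission time when the end date is the current day. The function names, the 2024 sample dates and the error messages are assumptions of this example; the guide's own case of a 2-month range generated on April 10 is reproduced in the main block.

```python
"""Model of the AEM centralized-report date-range rules.

Added example, not NETSCOUT code. Function names, the 2024 sample dates
and the error messages are constructed for illustration.
"""
from __future__ import annotations

import calendar
from datetime import date, datetime, time, timedelta
from typing import Optional, Tuple


def _previous_month(year: int, month: int) -> Tuple[int, int]:
    """Return (year, month) of the month before the given one."""
    return (year, month - 1) if month > 1 else (year - 1, 12)


def quick_date_range(last: int, unit: str, today: date) -> Tuple[date, date]:
    """Resolve a Quick Date Range ("Last <n> Days/Weeks/Months") to an
    inclusive (start, end) pair of calendar dates.

    Only complete periods count: the current day is never included, a
    complete week runs Sunday through Saturday, and the current month is
    skipped entirely (2 months generated on April 10 -> Feb 1 .. Mar 31).
    """
    if last < 1:
        raise ValueError("Last must be a positive number")
    if unit == "Days":
        end = today - timedelta(days=1)             # yesterday is the last complete day
        start = end - timedelta(days=last - 1)
    elif unit == "Weeks":
        # date.weekday(): Monday=0 ... Saturday=5, Sunday=6.
        # The last complete week ends on the most recent Saturday before today;
        # if today is Saturday the day is not over, so use the Saturday a week ago.
        back = (today.weekday() - 5) % 7 or 7
        end = today - timedelta(days=back)
        start = end - timedelta(days=7 * last - 1)  # the Sunday opening the first week
    elif unit == "Months":
        y, m = _previous_month(today.year, today.month)
        end = date(y, m, calendar.monthrange(y, m)[1])  # last day of the previous month
        for _ in range(last - 1):
            y, m = _previous_month(y, m)
        start = date(y, m, 1)
    else:
        raise ValueError("unit must be Days, Weeks, or Months")
    return start, end


def custom_range_problem(start: date, end: date, today: date) -> Optional[str]:
    """Mirror the calendar constraints of the Custom Date Range picker.

    Returns None when the pair is selectable, otherwise the reason it is not.
    """
    if end < start:
        return "the To date cannot precede the From date"
    if end > today:
        return "the To date cannot fall after the current date"
    return None


def custom_range_window(start: date, end: date, now: datetime) -> Tuple[datetime, datetime]:
    """Resolve a Custom Date Range to the exact reporting window.

    The window opens at 12:00:00 A.M. on the start date and closes at
    11:59:59 P.M. on the end date, except that when the end date is the
    current day it closes at the moment the report is submitted (`now`).
    """
    problem = custom_range_problem(start, end, now.date())
    if problem is not None:
        raise ValueError(problem)
    window_start = datetime.combine(start, time.min)
    if end == now.date():
        window_end = now
    else:
        window_end = datetime.combine(end, time(23, 59, 59))
    return window_start, window_end


def days_in_range(start: date, end: date) -> int:
    """Number of days the report averages over (both ends inclusive): the
    divisor behind the report's 'average daily' traffic figures."""
    return (end - start).days + 1


if __name__ == "__main__":
    # The guide's own example: Last 2 Months, report generated on April 10.
    s, e = quick_date_range(2, "Months", date(2024, 4, 10))
    print(f"Last 2 Months on 2024-04-10 -> {s} .. {e} ({days_in_range(s, e)} days)")

    s, e = quick_date_range(1, "Weeks", date(2024, 4, 10))   # a Wednesday
    print(f"Last 1 Week on 2024-04-10   -> {s} (Sun) .. {e} (Sat)")

    submitted = datetime(2024, 4, 10, 9, 30, 0)
    ws, we = custom_range_window(date(2024, 4, 1), date(2024, 4, 10), submitted)
    print(f"Custom 04-01 .. today       -> {ws} .. {we}")
```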

Viewing the results


After the AEM generates a centralized report, you can view the results online with your
default browser. You also can export the results as a PDF file. See “Viewing and Deleting
Centralized Reports” below.

Viewing and Deleting Centralized Reports


On the Centralized Reports page, you can view the centralized reports that you configure
and run on AEM. Centralized reports aggregate the data from multiple AED and APS
devices that AEM manages.

You also can delete centralized reports on this page. See “Deleting centralized reports” on
page 279.

For instructions on how to configure centralized reports, see “Configuring On-Demand


Centralized Reports” on page 274.

For a description of the information that the AEM includes in these reports, see “About
the Centralized Executive Summary Report” on page 270.

Viewing the results for a centralized report


To view the report results:
1. Select the Reports menu.
2. (Optional) On the Centralized Reports page, change the sort order of the reports in the
list. See “Sorting the list of reports” on the next page.
3. (Optional) To limit the number of reports in the list, filter the list. See “Filtering the list
of reports” on the next page.
4. Complete one of the following steps:
• Click the report name link to view the report in your default browser.
• Click (context menu) to the right of the report name and select Export as PDF to generate a PDF file of the report.

Information on the Centralized Reports page


The Centralized Reports page provides the following information:

Information about centralized reports

Search box: Allows you to filter the list of reports by the information in the following columns:
• Name
• Requested by

Configure New Report button: Allows you to configure an on-demand report that aggregates data from multiple AED and APS devices that the AEM manages. See “Configuring On-Demand Centralized Reports” on page 274.

Selection check boxes: Allow you to select one or more of the reports to delete. You cannot delete reports with a status of Requested or Running.

Name column: Displays the name of the report. After the AEM generates the report, the report name appears in the form of a link. Click the link to open the report in your default browser.
Note
If the report fails, then the report name appears, but the name is not linked to report results. Instead, the Report Status column indicates that the report failed.

(context menu): Appears in the Name column. Click the icon and select Export as PDF to generate a PDF file of the report.

Run Date column: Indicates the date and time on which the AEM generated the report. The run date is based on the time zone for the AEM.

Report Status column: Indicates the state of the report. The possible states are as follows:
• Requested — Appears after the report has been configured, but before AEM starts generating the report.
• Running — Appears while AEM is generating the report.
• Completed — Appears after the report is complete, and you can view the results.
• Completed with Errors — Appears after the report is completed and one or more of the selected devices were unavailable.
• Failed — Appears if the AEM cannot complete the report. If the report fails, then click (error) to view the reason for the failure.

Date Range column: Indicates the start date and the end date for the data in the report.

Requested by column: Indicates the name of the person who configured the report.

Delete button: Deletes the selected reports.

Filtering the list of reports


To filter the list of reports on the Centralized Reports page, you can search for one or more
reports. You can search by report name or by the name of the person who requested the
report.

To filter the reports:


1. Select the Reports menu.
2. On the Centralized Reports page, in the Search box at the top of the page, enter any of the following text strings:
• the full name or partial name of one or more reports
• the full name or partial name of a person who requested a report
The AEM filters the list of reports as you type.
Note
If you search for a report that is not in the list, AEM hides all of the scheduled reports.
3. To clear the filtered list and view all of the reports, click (clear).

Sorting the list of reports


On the Centralized Reports page, you can sort the reports by the information in the following columns, in ascending or descending order:
• Name
• Run Date
• Report Status
• Requested By

The selected sort applies to all of the reports in the list, including reports that AEM is
generating or reports that have the Requested status. However, if you sort the reports by
Run Date (ascending or descending), any requested reports or running reports always
appear at the top of the list. After the reports are complete, the AEM adds them to the list
in the selected Run Date order.

To change the sort order of the reports on the Centralized Reports page:
1. Select the Reports menu.
2. On the Centralized Reports page, change the order of the reports in one of the
following ways:
• To change the direction of the sort in the currently selected column, click (ascending) or (descending) to the right of the column name.
• To change the column to sort the reports by, click (ascending) or (descending) to the right of a different column name.

Deleting centralized reports


Caution
You cannot undo the deletion of reports.

To delete one or more of the centralized reports:
1. Select the Reports menu.
2. On the Centralized Reports page, complete one of the following steps:
• Select the check box for each report to delete, and then click Delete.
• Select the check box to the left of the Name column header to select all of the reports, and then click Delete.
3. (Optional) In the Confirmation Needed window, type a message in the Audit Trail Change Message box that describes the change. This message will appear in the audit trail. See “Viewing the Audit Trail Log” on page 320.
4. Click Delete.

Part IV:
Network Management
Section 18:
Viewing Network Activity on the
Dashboard

This section describes how to use the Dashboard page to view the security status of your
network.

In this section
This section contains the following topics:

Viewing a Dashboard of Network Activity 281


Viewing AED and APS Traffic on the Dashboard 282
Viewing Active Alerts on the Dashboard 285

Viewing a Dashboard of Network Activity


The Dashboard page provides an overview of the security status of your network. On the
Dashboard page, you can view an aggregation of the critical events, traffic, and threats
that are identified, blocked, and monitored by AED or APS.

The Dashboard page appears by default when you log in to AEM.

Note
The filters for the timeframe and the unit of measure do not affect the alerts-related
sections of the page.

Viewing the Dashboard page


To view the Dashboard page:
1. Select the Dashboard menu.
2. (Optional) On the Dashboard page, filter the information that appears on the page as
follows:
• To change the timeframe for which the data is displayed, click one of the time increments or click From, select a time range, and then click Update.
• To limit the display to specific managed devices, click the Showing All Devices link that appears to the right of the time selector. In the Select Devices window, select each device whose traffic and threat categories you want to view, and then click Apply. If you remove one or more devices from view, then the link changes to indicate the number of devices that are shown. Example: Showing 5 of 6 devices.
• To select the unit of measure for displaying traffic, click bps or pps in the upper-right corner of the page.

Section 18: Viewing Network Activity on the Dashboard
AEM User Guide, Version 7.0.0.0

Information on the Dashboard page


The Dashboard page contains the following sections:

Sections on the Dashboard page

Active Alerts: Displays the numbers of total alerts, security alerts, and system alerts. Click the number of security alerts to open the Security Alerts page. Click the number of system alerts to open the System Alerts page.

Security Alerts: Displays the 10 most recent security alerts that were generated by all of the managed devices. A secondary sort by impact value is applied to multiple alerts that occurred at the same time. Use this information to determine which security issues require immediate attention.
Examples of security alerts are traffic threshold violations and traffic from hosts that are on a deny list or filter list.
See “Viewing Security Alerts” on page 293.

System Alerts: Displays the five most recent system alerts that were generated by AEM and the managed devices. A secondary sort by severity level is applied to multiple alerts that occurred at the same time. Use this information to determine which system alerts require immediate attention.
Examples of system alerts are hardware errors, connection errors, stopped services on a managed device, and license issues.
See “Viewing a Summary of System Alerts” on page 298.

Device Traffic: Displays the following information about traffic:
• Total Traffic section — Displays a real-time aggregate of the traffic that is blocked and passed by all of the managed devices across the network over time.
Use this information to gain visibility into the combined performance of the managed devices.
• ATLAS Threat Categories section — Displays the five threat categories that were responsible for blocking the most inbound traffic and outbound traffic across all the managed devices.
Use this information to determine the amount of traffic that was blocked across all of the managed devices as a result of the ATLAS Intelligence Feed settings.
See “Viewing AED and APS Traffic on the Dashboard” below.

Viewing AED and APS Traffic on the Dashboard


On the Dashboard page, the Total Traffic section displays information about the traffic for
all the managed AED and APS devices.
If no devices are under AEM management, then a “No Data” message appears.

For general information about the Dashboard page, see “Viewing a Dashboard of Network
Activity” on page 281.

Viewing the Dashboard page


To view the Dashboard page:
1. Select the Dashboard menu.
2. (Optional) On the Dashboard page, filter the information that appears on the page as
follows:
• To change the timeframe for which the data is displayed, click one of the time increments or click From, select a time range, and then click Update.
• To limit the display to specific managed devices, click the Showing All Devices link that appears to the right of the time selector. In the Select Devices window, select each device whose traffic and threat categories you want to view, and then click Apply. If you remove one or more devices from view, then the link changes to indicate the number of devices that are shown. Example: Showing 5 of 6 devices.
• To select the unit of measure for displaying traffic, click bps or pps in the upper-right corner of the page.

Information in the Total Traffic section


This section displays a real-time aggregate of the traffic that is blocked and passed across
all of the managed devices over time.

Total Traffic details

Traffic graph: Displays a stacked graph that represents the total passed traffic in green and the total blocked traffic in red.

Passed and Blocked selectors: Below the traffic graph, you can click Passed or Blocked to show and hide the different types of traffic. Your selections are retained until you navigate away from the Dashboard page.

Showing All Devices or Showing n of nn devices link: Displays the number of managed devices that are reporting traffic compared to the total number of devices that are under management. This information can indicate any communication errors that might affect the data in the graph.

Information in the ATLAS Threat Categories section


This section shows how the ATLAS Intelligence Feed (AIF) helps AED and APS to block
threats automatically. This section displays the five ATLAS threat categories that blocked
the most inbound traffic and outbound traffic on all of the managed devices. Use this
information to examine the threats that are blocked from your network as a result of the
ATLAS Intelligence Feed settings.

This section contains two graphs and their accompanying data tables; one for inbound
traffic and one for outbound traffic.

ATLAS Threat Categories details

Inbound Blocked Threats graph: Represents the average rate of the inbound traffic that was blocked for the top five threat categories.
For more information, hover your mouse pointer over a section of the graph. A pop-up window displays the threat category name, amount of blocked traffic, and time that are associated with the nearest data point on the graph. The pointer on the pop-up window indicates the data point.

Outbound Blocked Threats graph: For outbound traffic, represents the number of source hosts that were blocked per minute for the top five threat categories.
For more information, hover your mouse pointer over a section of the graph. A pop-up window displays the threat category name, number of blocked hosts, and time that are associated with the nearest data point on the graph. The pointer on the pop-up window indicates the data point.

Key: Shows the color that represents the specific threat category in the blocked threat graphs and allows you to filter the graph displays. You can click a category’s key to hide or show that threat category on the graphs, so that you can focus on the traffic for specific categories.

Category: Displays the category’s name as a link that allows you to open the Threat Category Details page for the category. See “Information on the Threat Category Details page” on page 257.

(context menu): Appears when you hover your mouse pointer over a threat category. Click the icon, and then select one of the following options:
• Blocked Hosts — Displays the Blocked Hosts Log page with the search criteria selected. You can start the search or specify additional search criteria. See “Viewing the Blocked Hosts Log” on page 244.
• (Learn more) — Displays a description of the threat category.

Bytes Blocked or Packets Blocked: (Inbound only) Shows the amount of inbound traffic that the threat category blocked. The traffic is displayed in bytes or packets, depending on the unit of measure that is selected for this page.

Source Hosts Blocked: (Outbound only) Shows the aggregate sum of the hosts that the threat category blocked for each minute of the display timeframe. For example, if the timeframe is 1 hour, then this column represents the sum of the hosts that were blocked for each of the last 60 minutes.

Explore ATLAS Threat Categories link: Displays the Explore ATLAS Threat Categories page, on which you can view the threat categories that are blocking traffic on all of the managed devices. See “Viewing the ATLAS Threat Categories that Block Traffic” on page 253.

Viewing Active Alerts on the Dashboard


The Dashboard page displays the most recent active alerts in AEM and in any managed AED and APS devices. The Security Alerts section displays the 10 most recent security alerts and the System Alerts section displays the five most recent system alerts. Use these sections to determine which alerts require immediate attention.

For general information about the Dashboard page, see “Viewing a Dashboard of Network
Activity” on page 281.

For general information about alerts, see “About Alerts” on page 288.

Viewing the Dashboard page


The Dashboard page appears by default when you log in to AEM.
To navigate to the Dashboard page from another page in the UI:
• Select the Dashboard menu.

Information in the Security Alerts and System Alerts sections


In the Security Alerts and System Alerts sections, you can view the most recent alerts.

The alerts in each section are sorted by start time, with the newest alerts first. If multiple
alerts occurred at the same time, then a secondary sort is applied: impact value for
security alerts and severity level for system alerts.

Information about active alerts

Alert description: Displays a description of the alert and the system name of the device¹ that generated the alert.
Click any alert to open a window that contains additional information about that alert and links to other alert-related pages. See “Additional alert details and links” below.

Date and time: Indicates when the alert started.

Impact (security alerts only): Indicates an alert’s importance. The impact value is a comparison of inbound traffic rates to the traffic thresholds and traffic baseline value for a protection group. The impact is expressed as a percentage. See “About the Alert Impact Value” on page 297.

Severity indicator box (system alerts only): Indicates the severity of the alert as follows:
• Low (1-3)
• Medium (4-7)
• High (8-10)
You can hover your mouse pointer over the severity box to view the numerical severity value.
See “About system alert severity levels” on page 290.

All Security Alerts link: Opens the Security Alerts page, where you can view a summary of the inbound security alerts that were triggered across your AED and APS deployment during a selected time period. You also can open the Security Alerts page by clicking the Security number link under the Active Alerts heading.
Examples of security alerts are traffic threshold violations and traffic from hosts that are on a deny list or filter list.
See “Viewing Security Alerts” on page 293.

All System Alerts link: Opens the System Alerts page, where you can view all of the system alerts that were generated by AEM and the managed devices. You also can open the System Alerts page by clicking the System number link under the Active Alerts heading.
Examples of system alerts are hardware errors, connection errors, stopped services on a managed device, and license issues.
See “Viewing a Summary of System Alerts” on page 298.

1. The Dashboard page contains links and labels whose names contain “APS” or “APS device”. These instances are generic references to any AED device or APS device. The actual device type appears in parentheses to the right of the device name.

Additional alert details and links

When you click an alert, the information window that appears contains additional details about the alert, including the device, impact, duration, and category. For security alerts, the protection group can also appear. The information window also contains links to other pages and an Ignore button, as described below:

Links
The information window contains the following links to other pages, where you can explore specific aspects of the alert. The type of alert that you select determines the links that appear.
• Device — (Available for any type of alert.) Opens the Summary page on the device that generated the alert, where you can view information about the traffic or system condition that caused the alert. See “Viewing the Traffic Summary” in the AED or APS User Guide.
• Protection Group — (Available for security alerts that are associated with a protection group.) Opens the View Protection Group page on the device that generated the alert, where you can view detailed information in real time about the protection group’s traffic. See “Viewing the Traffic Activity for a Protection Group” in the AED or APS User Guide.

Note
The links in the information window open AED or APS. If your AED or APS user account
has the same username as your AEM user account, then the AED or APS opens without
prompting you to log in.

Ignore button
As you review system alerts in AEM, you might decide that an alert with a low or medium
severity level does not need to appear on the Dashboard page. To prevent a non-critical
system alert from appearing on the Dashboard page, you set it to be ignored.

Ignore a system alert by clicking the Ignore button in its information window.


Section 19: Monitoring Alerts

This section describes how to view all of the alerts in AEM and any managed AED and APS
devices to determine which alerts are the most critical.

In this section
This section contains the following topics:

About Alerts 288
About the Security Alerts Page 291
Viewing Security Alerts 293
Filtering the Security Alerts Page 296
About the Alert Impact Value 297
Viewing a Summary of System Alerts 298
Filtering the Alerts on the System Alerts Page 300
Ignoring Alerts 302

About Alerts
Alerts are indicators of certain system events and security events that occur in AEM or in
managed AED and APS devices. To organize and provide additional information about the
alerts, AEM groups the alerts into categories. For example, you can filter the display of the
Security Alerts page and the System Alerts page by category.

About security alerts


Security alerts indicate potential problems that AED and APS detect in the traffic on your
network. Security alerts inform you about attacks and other traffic anomalies that require
your attention. The following types of alerts are security alerts:


Types of security alerts

DDoS automation: A device’s settings and behavior are changed automatically based on certain settings. For example, in the protection group settings, you can configure the levels of traffic that cause the managed device to automate the protection level changes. Automation alerts also include the alerts that are triggered when Attack Analysis detects possible attack traffic.

Botnet traffic: A protection group’s unblocked botnet traffic exceeds the threshold. Botnet alerts indicate that a botnet attack might be underway.

Blocked host, blocked traffic: A host’s traffic is blocked from entering or leaving your network for any of the following reasons:
• The host is on the inbound deny list.
• The host is on the outbound deny list.
• The host is on a filter list.
• A protection category blocked some or all of the host’s traffic.
A spike in blocked traffic typically indicates that an attack is underway and is blocked. Blocked traffic alerts inform you of the system’s response to an attack so that you can respond with further actions. For example, if you determine that the traffic is legitimate, you can add the source to the allow list.

Total traffic: A protection group’s total traffic exceeds the threshold.

AEM stores the alert data and the associated protection group data for up to two years,
based on the available disk capacity on the AEM device. When the older data reaches the
retention limit, AEM deletes it.

About system alerts


AEM creates system alerts when it detects certain events, conditions, or errors. The alerts
inform you about the system’s health and allow you to take action when necessary to
resolve issues. For example, if an alert indicates that an interface is down, then you can
restart the interface.


The categories of system alerts are as follows:

System alert categories

Internal resource: An event affects a resource that is internal to the device. For example: An interface is down, disk space is low, or a power supply fails.

Infrastructure: An event affects a resource that is external to the device. For example: A managed device is down, a GRE tunnel is down, Cloud Signaling fails, or a backup fails.

License: The AEM license is about to expire or the traffic on a managed device exceeds a certain percentage of its licensed throughput limit.

About system alert severity levels


The severity of a system alert determines the level of attention that it should receive. AEM
uses the severity level to rank alerts. The severity level also determines which alerts
appear on the Dashboard page.

You can use the severity level to search for alerts and to filter the display on the System
Alerts page.

The severity levels are expressed as either numbers or icons. Typically, when the icons
are displayed, you can hover your mouse over an icon to view the numerical value.

Severity levels for system alerts

Low (1-3): Traffic is being monitored but does not require investigation. For example, a hardware device failure might mean that a secondary power source is down, which does not require immediate attention.

Medium (4-7): The problem is not severe but warrants investigation.

High (8-10): The situation requires immediate attention. For example, if a physical interface is down, then the device is not forwarding traffic.

The default severity level for system alerts is predefined. However, you can change the
default severity level for system alerts. See “Configuring System Alerts” on page 61.


Where you can view alerts


You can view alerts on the following pages in AEM:

Where to view alerts

Dashboard page: Displays the 10 most critical security alerts and the 5 most critical system alerts. See “Viewing Active Alerts on the Dashboard” on page 285.

System Alerts page (Explore > System Alerts): Provides a single view of all the system alerts that are generated by AEM and any devices that it manages. See “Viewing a Summary of System Alerts” on page 298.

Security Alerts page (Explore > Security Alerts): Provides a single view of all the security alerts that are generated by AEM and any devices that it manages. See “Viewing Security Alerts” on page 293.

About alert expiration


When a security alert expires, it no longer appears in the UI. When a system alert expires,
it still appears on the System Alerts page, with an Expired status.

System alerts and AED and APS alerts expire automatically when the behavior that
triggered the alert stops. For example: A device that was down is restarted or the traffic
on a managed device drops below a configured threshold.

About ignoring system alerts


As you review system alerts in AEM, you might decide that an alert with a low or medium
severity level does not need to appear on the Dashboard page. To prevent a non-critical
system alert from appearing on the Dashboard page, you set it to be ignored.

See “Ignoring Alerts” on page 302.

About the Security Alerts Page


AEM summarizes the security alerts from your managed devices to provide a
comprehensive view of the suspicious behaviors in your network. You view the security
alerts on the Security Alerts page. The Security Alerts page provides many ways for you to
focus on areas of interest in your network.

For information about using the Security Alerts page, see “Viewing Security Alerts” on
page 293.

Which alerts are displayed?


The Security Alerts page displays the security alerts that the managed devices generate
when the inbound traffic exceeds a configured threshold. These alerts are also known as
bandwidth alerts. The traffic thresholds are configured for the total traffic, blocked traffic,
or botnet traffic, either globally for a managed device or for a protection group. See
“About Alerts” on page 288 and “About Bandwidth Alerts” on page 212.


The Security Alerts page also displays automation alerts, which are triggered when a
device’s settings and behavior are changed automatically based on certain settings. In
AEM, automation alerts include the alerts that are triggered when Attack Analysis detects
possible attack traffic in AED.

The Security Alerts page displays the alerts that were seen during the time range that you
select. The list includes any alerts, active or expired, that were active during the selected
time range.

AEM stores the alert data and the associated protection group data for up to two years,
based on the available disk capacity on the AEM device. When the older data reaches the
retention limit, AEM deletes it.

How the Security Alerts page can help


The information on the Security Alerts page can help you to answer the following questions. The suggested workflows that answer each question are examples of what you can do on the Security Alerts page.
• What suspicious behaviors occurred in the network?
View the Top Alert Types chart to see which alert types triggered the most alerts. Filter the page by the most important alert types. For information about the kinds of attacks that those alerts indicate, see "Alerts that indicate attacks" on page 234. Check the Impact column in the Alerts list to see the most critical alerts. View the Alerts graph to see when the associated attacks occurred.
• When did the suspicious behaviors occur and how long did they last?
View the Alerts graph to see trends in the number of attacks and their duration. Change the page’s time range to find any peaks in certain alert activity. Are your managed devices handling these attacks as expected? Are the devices under repeated attacks? You might need to reconsider your expected normal network capacity and tune the alert thresholds.
• How significant was the amount of traffic that caused the alerts?
For blocked traffic alerts and total traffic alerts, check the values in the Impact column of the Alerts list. The alert impact measures the importance of the blocked traffic alerts and total traffic alerts and helps you to decide which alerts to examine first. The impact value is a comparison of inbound traffic rates to the traffic thresholds and traffic baseline value for a protection group. The impact is expressed as a percentage.
• What areas of the network are seeing the most attack traffic?
View the Most Impacted Protection Groups bar chart to see the five most critical protection groups, as determined by their impact values. When you find a protection group of interest, filter the Security Alerts page for that protection group. In the Top Devices chart or the Alerts list, view the devices that are affected. Open the View Protection Group page for a specific protection group. This investigation can help you to determine which network resources are affected more than others. You might need to tune the protection settings for certain protection groups, or split your protected hosts across different protection groups, which would allow more targeted mitigations.

How the protection group state affects alerts


Alerts are triggered regardless of a protection group’s protection mode (active or inactive). When a protection group is in inactive mode, its alerts are displayed in the AEM UI, but the managed devices do not mitigate the associated traffic.

If a protection group is deleted from a managed device, then any active alerts that are
associated with that protection group are removed from the page.

Viewing Security Alerts


The Security Alerts page provides a comprehensive view of the inbound security alerts that
were triggered across your AED and APS deployment during a selected time period. AEM
summarizes the security alerts from your managed devices to provide a high-level view of
the suspicious behaviors in your network.

For more information about the Security Alerts page, see "About the Security Alerts Page"
on page 291.

Viewing security alerts


To view security alerts:
1. Navigate to the Security Alerts page in one of the following ways:
   • From the menu — Select Explore > Security Alerts.
   • From the Dashboard page — Click the All Security Alerts link in the Security Alerts section, or click one of the Security number links under the Active Alerts heading.
2. In the Filters section, specify the time range for the data to display on the page.
3. Explore and analyze the alerts in any of the following ways:
   • To focus on specific groups of alerts, use the page filters. See “Filtering the Security Alerts Page” on page 296.
   • To see the most important alerts from different perspectives, view the charts that appear below the filter area. See “Identifying the most important alerts” below.
   • To see trends in the number of alerts that are triggered, view the Alerts graph. See “Viewing alert trends” on the next page.
   • To see more information about individual alerts, view the Alerts list. See “Viewing alert details” on the next page.
   • To focus on the alerts for a shorter time range, click and drag your mouse pointer across the Alerts graph. For example, you can examine the traffic for a certain peak or valley within the graph.

Identifying the most important alerts


As you explore the alert data, you can view graphical representations of the most
important alerts. This information can help you to identify the areas of your network that
see the most suspicious traffic.

The following charts display the most important alerts from different perspectives:
• Most Impacted Protection Groups bar chart — The five most critical protection groups, as determined by the alert of each type with the highest impact value. The pop-up window displays the protection group’s impact value. See “About the Alert Impact Value” on page 297. Because the impact value does not apply to automation alerts or botnet alerts, those alerts are not represented on the Most Impacted Protection Groups chart.
• Top Devices pie chart — The five devices with the most alerts. If data exists for more than five devices, then the additional data is aggregated.
• Top Alert Types pie chart — The number of alerts for each alert type. The color coding for this pie chart matches the colors in the Alerts graph.

For more information, hover your mouse pointer over a segment of a chart or an item in
the chart’s legend. A pop-up window displays information about the alerts that the
segment represents. On the Most Impacted Protection Groups chart, the pop-up shows the
protection group’s impact value. On the pie charts, the pop-up displays the number of
alerts for each alert type.

To filter the page from a chart, click a segment of a chart or an item in the chart’s legend.
To undo or remove the filters that you select from the pie chart, edit the filters in the
Filters section.

Viewing alert trends


The Alerts graph displays the number of alerts that were triggered over the selected time
range. Use this stacked graph to examine alert trends over time. The alerts are color
coded by alert type: total traffic, blocked traffic, botnet traffic, and automation.

Examining alert trends in the Alerts graph

View details about the alerts at a given data point: Move your mouse pointer across the graph. As you do so, a pop-up displays the following information:
• The date and time of the data point.
• The granularity or data point increments. The selected time range determines the increments for the data points (the granularity). For example, for a time range of one hour, the granularity is one minute.
• The number of alerts that the graph represents at that data point.

View the alerts from different perspectives: Filter the page to focus on certain alerts. See “Filtering the Alerts on the System Alerts Page” on page 300.

Focus on specific types of alerts: Below the graph, click an alert type to show the alerts for that specific type. If you select an alert type that has no data, then delete the Type filter in the Filters section to view the Alerts graph again.

Viewing alert details


On the Security Alerts page, the Alerts list displays information for each alert that was seen
during the selected time period. This information covers the entire duration of each alert,
even if the alert began or ended outside of the selected time period.

For blocked traffic alerts, this information represents the blocked traffic only. For total
traffic alerts, this information represents both the blocked traffic and the passed traffic.


Focusing on data in the Alerts list


To focus on specific data, you can show or hide columns in the list. Click (Show or hide
columns), and then click (toggle button) to select the columns to show or hide.

By default, the list is sorted by the Start column, with the newest alerts first. You can sort
by any column in either ascending order or descending order, but only one column at a
time.

Information in the Alerts list

Start, End: The time when the alert was triggered and the time when the behavior that triggered the alert ended.

Duration: How long the behavior that triggered the alert continued.

Status: An indication of whether the alert is Active or Expired. For information about alert expiration, see “Bandwidth alert expiration” on page 214.

Impact: The measurement of an alert’s importance, which allows you to determine which alerts are the most critical. The impact value is a comparison of inbound traffic rates to the traffic thresholds and traffic baseline value for a protection group. The impact is expressed as a percentage. To view details about the impact for a protection group, hover your mouse pointer over the percentage in the Impact column. See “About the Alert Impact Value” on page 297.

Type: The type of alert, which can be Automation, Blocked Traffic, Total Traffic, or Botnet Traffic. For information about the alert types and what they represent, see “About security alerts” on page 288.

Description: A summary of why the alert was triggered. For all alerts except automation alerts, the description includes the traffic level that is associated with each alert. This column contains additional information for the following alert types:
• Blocked traffic alerts show the amount of traffic over the threshold level.
• Botnet alerts show the amount of botnet traffic and a recommendation for the protection level.
• Automation alerts show the action that was taken and what was affected. For example, automation alerts that are triggered by Attack Analysis show details about the attack and a suggestion to view the Attack Analysis page. See “How Attack Analysis Detects Attacks and Generates Protection Recommendations” on page 156.

Protection Group: The protection group on the managed device that contains the targeted hosts. To open the View Protection Group page for a protection group, click the protection group’s name link.

Device: The managed device on which the alert was triggered.

About the protection groups that are associated with alerts


The alerts from your managed devices appear on the Security Alerts page even if the
associated protection group is inactive.

If a protection group is deleted from a managed device, then any active alerts that are
associated with that protection group are removed from the list.

Filtering the Security Alerts Page


You can filter the Security Alerts page to view a subset of the alerts and to search for
specific types of alerts. For example, you can view the managed devices with active alerts
that were triggered for a specific protection group.

The following filters are available on the Security Alerts page:
• Devices
• Protection groups
• Alert status — Active or Expired. The default status is Active.
• Alert type — Automation, Blocked Traffic, Botnet Traffic, and Total Traffic

The filters that you select affect the data on the entire page.

To filter the page, you add a filter in the Filters section or click areas of the pie charts. As
you filter the page, the charts, graph, and Alerts list change dynamically to represent only
the alerts that match the selected filters.

Accessing the Security Alerts page


To access the Security Alerts page, select Explore > Security Alerts from the menu. For
more information, see “Viewing Security Alerts” on page 293.

Filtering by a time range


To select a time range for viewing alerts:
1. In the Filters section, in the Time Range box, select a predefined time range or specify
a custom date range and an optional time range.
2. Click Apply.


Adding a filter in the Filters section


To add a filter:
1. Click (Add a filter) to display a list of the available filters for the page.
2. In the list, select a filter.
A new filter box appears to the right of the first one and is labeled with the name of
the filter that you selected.
3. In the new filter box, select one or more filter options from the new list. When you
finish your selections, click (Close) or click away from the filter box.
4. (Optional) Repeat these steps to add more filters.

To remove a single value in a filter box, click its (clear) icon. To remove a filter, which
clears all of its values, hover your mouse pointer over the filter box and click the to the
far right in the box.

Filtering from the charts and graph


To filter the information on the Security Alerts page, click a segment in a chart or graph or
click an item in the legend for a chart or graph. Your selection appears in the Filters
section.

To remove the selected filters, edit the filters in the Filters section.

About the Alert Impact Value


The alert impact measures the importance of your blocked traffic alerts and total traffic
alerts and helps you to decide which alerts to examine first. The impact value is a
comparison of inbound traffic rates to the traffic thresholds and traffic baseline value for
a protection group. The impact is expressed as a percentage.

Because the impact value is based on traffic thresholds, it applies to blocked host alerts
and total traffic alerts only.

Where to view the alert impact


You can view the impact percentage on the following pages in AEM:
n The Security Alerts section on the Dashboard page — The impact value appears to the
right of the alert.
n The Most Impacted Protection Groups chart on the Security Alerts page — Hover your
mouse pointer over a bar on the graph. A pop-up window displays the impact value.
n The Alerts list on the Security Alerts page — Hover your mouse pointer over the
percentage number in the Impact column. A pop-up window shows details about the
impact.

Information in the impact pop-up


The impact pop-up on the Security Alerts page shows an alert’s impact value based on its
peak traffic. The pop-up also displays a brief summary of why the alert was triggered.
The impact pop-up displays data only for the thresholds that are configured for the
protection group. For example, if a given protection group has no packet-based
thresholds that are configured, then AEM does not calculate a packet-based impact value.


When a protection group’s traffic exceeds both bit rate thresholds and packet rate
thresholds, AEM displays the higher impact value of the two.

The following example represents a pop-up for an alert that was triggered because the
protection group’s total traffic exceeded one or more traffic rate thresholds.

How the alert impact is calculated


The impact value calculations are based on the comparison of a protection group’s traffic to one of the following thresholds:
• Configured threshold — A threshold setting that is configured for a protection group. A threshold setting can be specific to the protection group or can use the corresponding global threshold. A threshold setting also can be null.
• Baseline value — The traffic baselines that are calculated based on a protection group’s traffic for the past week. After the managed device calculates the initial baselines, it recalculates them every hour. See the sections about baselines and global bandwidth alerts in “About Bandwidth Alerts” on page 212.

The impact value is calculated as follows and is refreshed every minute thereafter:

Impact calculations

Total traffic alert, triggered by the baseline (global) threshold:
  ((total blocked + total passed) / baseline value) * 100
Total traffic alert, triggered by a configured threshold:
  ((total blocked + total passed) / configured threshold) * 100
Blocked traffic alert, triggered by the baseline (global) threshold:
  (total blocked / baseline value) * 100
Blocked traffic alert, triggered by a configured threshold:
  (total blocked / configured threshold) * 100

For example, a total traffic rate of 60.7 Mbps compared to a configured threshold of 17.8 Mbps results in an impact value of 341 percent.
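To make the calculation concrete, the following Python is an added example written for this edit; it is not NETSCOUT code and not an AEM API. It implements the four formulas above together with two rules stated in this section: a threshold that is not configured (null) produces no impact value, and when both bit-rate and packet-rate thresholds are exceeded the higher impact value is the one displayed. The alert type names, the RateSample class, the rounding to a whole percent and the function names are assumptions made for the example; the 60.7 Mbps against 17.8 Mbps figures are the guide's own worked example.

```python
from dataclasses import dataclass
from typing import Optional

# Alert types to which the impact value applies (names are assumptions for this example)
TOTAL_TRAFFIC = "total_traffic"
BLOCKED_TRAFFIC = "blocked_traffic"


@dataclass
class RateSample:
    """Inbound rates for one unit (bps or pps) of a protection group, plus the
    threshold the alert was compared against (configured threshold or baseline)."""
    blocked: float                       # total blocked rate
    passed: float                        # total passed rate
    threshold: Optional[float]           # None = no threshold configured for this unit
    threshold_kind: str = "configured"   # "configured" or "baseline"; informational only


def impact_value(alert_type: str, sample: RateSample) -> Optional[int]:
    """Impact percentage for one unit, or None when no impact applies.

    total traffic:   ((total blocked + total passed) / threshold) * 100
    blocked traffic: (total blocked / threshold) * 100
    Automation and botnet alerts have no impact value; a null threshold yields none either.
    """
    if alert_type == TOTAL_TRAFFIC:
        rate = sample.blocked + sample.passed
    elif alert_type == BLOCKED_TRAFFIC:
        rate = sample.blocked
    else:
        return None
    if sample.threshold is None or sample.threshold <= 0:
        return None
    return round(rate / sample.threshold * 100)


def displayed_impact(alert_type: str,
                     bps: Optional[RateSample],
                     pps: Optional[RateSample]) -> Optional[int]:
    """The value shown in the pop-up: the higher of the bit-rate and packet-rate
    impacts. A unit without a configured threshold contributes nothing."""
    candidates = [impact_value(alert_type, s) for s in (bps, pps) if s is not None]
    values = [v for v in candidates if v is not None]
    return max(values) if values else None


if __name__ == "__main__":
    # Constructed sample: 12.2 + 48.5 = 60.7 Mbps total traffic vs. a 17.8 Mbps configured threshold
    mbps = RateSample(blocked=12.2e6, passed=48.5e6, threshold=17.8e6)
    print(impact_value(TOTAL_TRAFFIC, mbps))                                    # 341
    # No packet-rate threshold configured: only the bit-rate impact is shown
    print(displayed_impact(TOTAL_TRAFFIC, mbps, RateSample(9e3, 40e3, None)))  # 341
```

The rates are given in bits or packets per second so that the threshold and the measured rate share a unit; the ratio itself is unit-free, which is why the guide's Mbps example yields the same 341 percent.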

Viewing a Summary of System Alerts


The System Alerts page (Explore > System Alerts) displays the alerts that are triggered by
AEM and by managed AED and APS devices. Use the System Alerts page to identify the
most critical alerts. This page also serves as a starting point to explore additional details
about specific alerts on managed devices.

The System Alerts page includes active alerts and expired alerts. An alert continues to
appear on the System Alerts page until you clear it or delete it.

For general information about alerts, see “About Alerts” on page 288.


Viewing all system alerts


To view a summary of alerts, navigate to the System Alerts page in one of the following ways:
• From the menu — Click Explore > System Alerts.
• From the Dashboard page — Click the View System Alerts link in the System Alerts section.

If a protection group has any active alerts, then you also can access the System Alerts page
from the Protection Group page and the View Protection Group page. See “Viewing the
Status of Protection Groups” on page 214 and “Viewing the Traffic Activity for a Protection
Group” on page 187.

For each alert, the System Alerts page displays the following information. By default, the
alerts are sorted by start time, with the newest alerts first. You can sort by any of the
columns on the System Alerts page.

Alert details

Selection check box: Allows you to select the alert to be ignored. See “Ignoring Alerts” on page 302. The check box does not appear for the alerts that cannot be ignored.

Severity: Indicates the severity of the alert as follows:
• Low (1-3)
• Medium (4-7)
• High (8-10)
To view the numerical severity value, hover your mouse pointer over the severity box. See “About system alert severity levels” on page 290.

Description: Displays information about the nature of the alert.

Category: Displays the threat category to which the alert belongs.

Appliance: Displays the system name of the appliance that generated the alert.

Status: Indicates whether the alert is Active, Expired, or Active (Ignored). A status of Active (Ignored) means that the alert has been ignored, or removed from the Dashboard page, but it has not expired. See “Ignoring Alerts” on page 302.

Time: Indicates when the alert began and displays the alert’s duration.

(context menu): Appears when you hover your mouse pointer over an active alert’s name. The options that appear on the context menu allow you to view additional information about the alert. The options that are available depend on the type of alert. The context menu is available for certain types of active alerts only.

Filtering the alerts


You can filter the display of alerts on the System Alerts page to view a subset of the alerts.
For example, you can view all of the active alerts that have a high severity level. The list of
alerts on the System Alerts page changes as you select the filter criteria. See “Filtering the
Alerts on the System Alerts Page” below.

Alerts associated with protection groups


If a protection group is deleted from a managed device, then any active alerts that are
associated with that protection group are expired. Those alerts continue to appear on the
System Alerts page, but their context menus are disabled.

Note
AED and APS alerts appear on the System Alerts page even if the associated protection
group is inactive.

About ignoring alerts


As you review system alerts in AEM, you might decide that an alert with a low or medium
severity level does not need to appear on the Dashboard page. To prevent a non-critical
system alert from appearing on the Dashboard page, you set it to be ignored.

See “Ignoring Alerts” on page 302.

Filtering the Alerts on the System Alerts Page


You can filter the display of alerts on the System Alerts page to view a subset of the alerts.
For example, you can view all of the active alerts that have a high severity level. The list of
alerts on the System Alerts page changes as you select the filter criteria.

Note
To sort the alerts by a specific column, click the column’s heading.

Options on the Alerts context menu


The options on the context menu allow you to view additional information about the alert
and edit the alert’s configuration. To access the context menu, if available, hover your
mouse pointer over the name of an alert.


For certain types of active alerts, the context menu also provides links to other pages,
some of which may be on a managed device. The type of alert that you select determines
the options that appear on the context menu.

Filtering alerts
To filter alerts:
• On the System Alerts page, specify one or more criteria to filter the alerts display. See “Filter criteria for alerts” below.

Note
The System Alerts page is already filtered when you access the page from the List
Protection Groups page or the View Protection Group page.

Filter criteria for alerts


You can filter the alerts on the System Alerts page using the following criteria:

Filter criteria for alerts

Option Description

Status buttons Select Active or Expired. By default, the page show both statuses.

Type buttons Select one of the following options:


n All
n Security — Alerts that provide information about advanced
network threats. The security alerts also provide information
about the availability threats that AED or APS identified, blocked,
and monitored. These alerts occur when the traffic that flows
into AED or APS exceeds a configured threshold.
n System — Alerts that provide information about the equipment
that AEM manages.

Start box, End Define the timeframe for which to display the alerts, based on
box when the alerts were active. In the calendar that appears, select
the date and time or click Now to select the current date and time.
Click Done to close the calendar window.


Severity buttons Select any combination of the following options to display only the
alerts that have specific severity levels. For example, you can view
only the alerts with a high severity level, or all of the alerts with a
medium or high severity level.
n Low (1-3)
n Medium (4-7)
n High (8-10)
To view all of the alerts, select all of the severity level options,
which is the default setting.
See “About system alert severity levels” on page 290.

Filter box Type all or part of a category name, appliance name, protection
group name, or a custom term by which to filter the alerts list. As
you type, the Filter box displays a list of the matching categories,
appliances, and protection groups. Your options are as follows:
n Select a name in the list of Categories, Appliances, or Protection
Groups to filter by that selection.
n Type a custom term, and then press ENTER. A custom term filters
by the alert descriptions, hostnames, categories, appliances, and
protection groups that contain the string.
You can select multiple categories, appliances, protection groups,
and custom terms in any combination. See “How AEM combines
multiple filter criteria” below.

How AEM combines multiple filter criteria


When you specify multiple items in the Filter box, AEM combines the items as follows:
n The same types of items (category, appliance, protection group, or custom term) are
joined with ORs.
n The different types of items are joined with ANDs.

For example, if you enter category1, category2, appliance5, and appliance6, the system
filters the display as follows:

(category1 OR category2) AND (appliance5 OR appliance6)

Tip
You can use custom terms to filter different items with ORs. For example, to display the
alerts that belong to either category1 or appliance5, type each item as a separate
custom term.
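Example
The combination rules above, modeled in Python. This is an added example and is not
part of AEM or of this guide: the alert fields, the filter item kinds, and the sample
alerts are constructed to match the description of the Filter box, and the actual AEM
implementation is not shown. The first function reproduces the (category1 OR
category2) AND (appliance5 OR appliance6) case; the second reproduces the Tip, where
the same two names are typed as custom terms and are therefore ORed.

```python
"""Added example (not NETSCOUT code): models how AEM combines Filter box items.

Same-type items are joined with OR, different types with AND, and a custom
term matches as a substring of the description, hostname, category,
appliance, or protection group. All alert records here are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    description: str
    hostname: str
    category: str
    appliance: str
    protection_group: str


@dataclass(frozen=True)
class FilterItem:
    # kind is one of: "category", "appliance", "protection_group", "custom"
    kind: str
    value: str


def _custom_matches(alert: Alert, term: str) -> bool:
    """A custom term matches when the string appears in any searchable field."""
    fields = (alert.description, alert.hostname, alert.category,
              alert.appliance, alert.protection_group)
    return any(term.lower() in f.lower() for f in fields)


def _item_matches(alert: Alert, item: FilterItem) -> bool:
    if item.kind == "custom":
        return _custom_matches(alert, item.value)
    # A name picked from the Categories/Appliances/Protection Groups list
    # filters on that exact field.
    return getattr(alert, item.kind) == item.value


def apply_filters(alerts, items):
    """Return the alerts that satisfy (OR within each kind) AND (across kinds)."""
    by_kind = {}
    for item in items:
        by_kind.setdefault(item.kind, []).append(item)

    def keep(alert):
        return all(any(_item_matches(alert, it) for it in same_kind)
                   for same_kind in by_kind.values())

    return [a for a in alerts if keep(a)]


# Constructed sample alerts (not real AEM output).
SAMPLE_ALERTS = [
    Alert("Interface link flap", "aed-01", "category1", "appliance5", "pg-web"),
    Alert("Disk usage above 90%", "aps-02", "category2", "appliance6", "pg-dns"),
    Alert("Fan speed out of range", "aed-03", "category1", "appliance7", "pg-web"),
    Alert("AIF update failed", "aed-04", "category3", "appliance5", "pg-mail"),
]


def guide_example():
    """category1, category2, appliance5, appliance6 selected from the lists:
    (category1 OR category2) AND (appliance5 OR appliance6)."""
    items = [FilterItem("category", "category1"), FilterItem("category", "category2"),
             FilterItem("appliance", "appliance5"), FilterItem("appliance", "appliance6")]
    return [a.hostname for a in apply_filters(SAMPLE_ALERTS, items)]


def tip_example():
    """The same two names typed as custom terms are ORed with each other:
    category1 OR appliance5."""
    items = [FilterItem("custom", "category1"), FilterItem("custom", "appliance5")]
    return [a.hostname for a in apply_filters(SAMPLE_ALERTS, items)]


if __name__ == "__main__":
    print("list selections:", guide_example())   # ['aed-01', 'aps-02']
    print("custom terms:   ", tip_example())     # ['aed-01', 'aed-03', 'aed-04']
```

With no filter items the model returns every alert, which matches the unfiltered page; the
substring match for custom terms is why a term such as "category1" also catches an alert
whose hostname or description happens to contain that text.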

Ignoring Alerts
As you review system alerts in AEM, you might decide that an alert with a low or medium
severity level does not need to appear on the Dashboard page. To prevent a non-critical
system alert from appearing on the Dashboard page, you set it to be ignored.


Options to ignore alerts appear on the Dashboard page and the System Alerts page. Only
active alerts can be ignored.

When you ignore an alert, it is removed from the Dashboard page, but it is not removed
from the system. The alert still appears on the System Alerts page, where its status is
marked as Active (Ignored). The ignored alert’s traffic is included in the traffic statistics on
the UI pages that show alerts.

The alert remains ignored until it expires or until you unignore it. If the associated event
recurs after the initial alert expires, then a new alert is created.

How to ignore alerts

UI page Steps

Dashboard page 1. Select Dashboard from the menu.


2. In the Security Alerts section or the System Alerts section, click
an alert to ignore.
3. In the information popup window, click Ignore.

System Alerts page Select Explore > System Alerts.
n To ignore a single alert, click (context menu) for the alert,
and then select Ignore.
n To ignore one or more alerts, select the check box for each
alert to ignore, and then click Ignore Alerts.
n To ignore all alerts, click the check box in the list heading area,
and then click Ignore Alerts.


When you unignore an alert, it reappears on the Dashboard page.



Section 20:
Viewing and Analyzing Threats

In this section
This section contains the following topics:

About Threats 304


About the MITRE ATT&CK Data 306
Viewing and Analyzing Threats 307
Filtering the Threat Analysis Page 309
Viewing Threat Details 310

About Threats
To provide in-depth information about the threats that target your network, AEM obtains
and stores detailed data about the hosts that your managed devices block. AEM receives
the blocked hosts data from your managed devices through syslog notifications of
blocked hosts.

The blocked host notifications represent the connections that match the protection
settings, policies, and thresholds on each managed device. AEM displays the threats that
are detected in both inbound traffic and outbound traffic.

AEM stores the blocked hosts data in a granular format to retain relevant information,
improve filtering, and support faster queries. The detailed blocked hosts data allows AEM
to display individual threats instead of aggregations, which provides access to the
complete blocked host data.

About the Threat Analysis page


The Threat Analysis page focuses on the hosts that are blocked and the threats that are
identified when traffic matches an ATLAS policy. The ATLAS policies are defined in the
ATLAS Intelligence Feed (AIF). The AIF also contains definitions of the tactics and
techniques in the MITRE ATT&CK database.

Each row in the Threats list represents a single instance of a threat.

The Threat Analysis page provides the following information about the threats that AED
and APS detected in both inbound traffic and outbound traffic:
n High-level, graphical views of the threat activity in your network traffic, which can
provide a starting point for your threat investigations.
n Detailed information about the connections that triggered blocked host notifications
on your managed devices, to help you understand why those connections represent
threats.

See “Viewing and Analyzing Threats” on page 307.


How to investigate threats


The Threat Analysis page supports workflows that allow you to see more complete threat
details and analyze the blocked hosts quickly and effectively. You can gather supporting
data for forensics reporting and take actions to prevent further attacks.

The following workflow example shows how you might use the Threat Analysis page to
investigate the threats in your network:
n Select values for the time range and page filters, to filter the information on the page.
As you explore the threat data, you can select more filters to refine the page contents.
n View the pie charts for a graphical representation of the most critical threats. Select
different pie charts for other perspectives into threat severity.
n Click through the pie charts to answer the following questions:
l What threats are the most critical?
l From what locations do the most threats originate?
l Which types of threats are the most prevalent in the network?
l Which areas of the network are most affected and which IP addresses are targeted
the most?
l What IP addresses are associated with the most threats?
l What are the threat counts for each segment of the pie charts?
n Select segments of the pie charts to filter the page further.
n Examine the Threats list to answer the following questions:
l What threats are the most critical?
l Why was a host blocked? Which policies did the blocked traffic match and where can
I find more information about those policies?
l On which protocols and ports are the most threats seen?
n Initiate further exploration and actions from the Threats list in the following ways:
l Open the Packet Capture page in AEM to capture packets for certain destinations or
blocked sources. See “Capturing packets from threats” on page 309.
l Open the View Protection Group page for the protection group that is associated with
the threat traffic. View details about the protection group, its threshold levels, and
its protection level. Examine the protection group’s traffic. Add countries and hosts
to the deny list. Capture packets for countries and services. Change the protection
group’s threshold levels or protection level.

How the syslog records blocked hosts


The process of connecting an AED or APS device to AEM adds a syslog notification on the
managed device, with AEM as the destination. This syslog notification allows the
managed device to send blocked hosts data to AEM.

When traffic matches a protection setting, threshold, or policy, the syslog reports the
associated host as blocked regardless of whether the managed device actually blocks the
host. A host that appears as blocked on the Threat Analysis page might therefore only
have matched a policy on the device, without its traffic having been dropped.

See “Syslog destination settings on managed devices” under “Configuring Notifications” in
the AED or APS User Guide.


Effects of the notification interval


The number of notifications that a managed device sends for a given blocked host
depends on its Notification Interval setting. This setting specifies how much time the
device waits between blocked host notifications for a specific host. The default interval is
60 minutes, but you can change it. You change the interval on the managed device, on the
Settings tab of the Configure Notifications page.

A managed device reports only the first blocked connection for a unique source host
within each interval, even if the host is blocked again within that time. This setting
provides control over the granularity of the threat notifications that you receive. A longer
interval minimizes the number of notifications per blocked host and a shorter interval
provides a more precise record of how often a host is blocked.

Limitations of the syslog


It is possible for AEM to display fewer blocked hosts than the managed devices recorded.
This discrepancy is the result of the following factors:
n The syslog can record only 1,000 entries per minute, which is fewer entries per minute
than a managed device can record.
n When the connection between AEM and a managed device is down, AEM does not
receive the blocked host notifications that the device generates during that time.
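Example
The two effects described above, simulated in Python. This is an added example and is
not part of AEM or of this guide: the block events are constructed, and the simulation
assumes that the Notification Interval is measured from the last notification that was
sent for a host. The 60-minute default interval and the limit of 1,000 syslog entries per
minute are the figures stated above.

```python
"""Added example (not NETSCOUT code): simulates two effects described above.

1. A managed device's Notification Interval: only the first blocked
   connection for a source host within each interval is reported.
2. The syslog's 1,000-entries-per-minute limit: notifications beyond that
   in any one minute never reach AEM.
The block events are constructed; the 60-minute default interval and the
1,000/minute limit are the figures stated in the guide.
"""
from collections import defaultdict

DEFAULT_INTERVAL_MIN = 60
SYSLOG_CAP_PER_MIN = 1000


def notifications_for(block_events, interval_min=DEFAULT_INTERVAL_MIN):
    """block_events: iterable of (minute, source_ip) in any order.

    Returns the (minute, source_ip) notifications the device would emit:
    a host is reported again only once interval_min has elapsed since its
    last notification, even if it was blocked repeatedly in between.
    """
    last_sent = {}
    emitted = []
    for minute, src in sorted(block_events):
        prev = last_sent.get(src)
        if prev is None or minute - prev >= interval_min:
            last_sent[src] = minute
            emitted.append((minute, src))
    return emitted


def apply_syslog_cap(notifications, cap=SYSLOG_CAP_PER_MIN):
    """Keep at most `cap` notifications per minute; return (delivered, dropped)."""
    per_minute = defaultdict(int)
    delivered, dropped = [], 0
    for minute, src in notifications:
        if per_minute[minute] < cap:
            per_minute[minute] += 1
            delivered.append((minute, src))
        else:
            dropped += 1
    return delivered, dropped


# One host blocked five times over about two hours (constructed).
REPEAT_OFFENDER = [(0, "203.0.113.9"), (10, "203.0.113.9"), (45, "203.0.113.9"),
                   (70, "203.0.113.9"), (130, "203.0.113.9")]

# 1,200 distinct sources blocked within the same minute (constructed burst).
BURST = [(3, f"10.{i // 256}.{i % 256}.1") for i in range(1200)]


def interval_comparison():
    """Notifications the repeat offender produces for each interval length."""
    return {m: len(notifications_for(REPEAT_OFFENDER, m)) for m in (60, 15, 5)}


def burst_loss():
    """Hosts the device reported versus hosts AEM actually receives for the burst."""
    reported = notifications_for(BURST)
    delivered, dropped = apply_syslog_cap(reported)
    return {"reported": len(reported), "received": len(delivered), "lost": dropped}


if __name__ == "__main__":
    print(interval_comparison())  # {60: 3, 15: 4, 5: 5}
    print(burst_loss())           # {'reported': 1200, 'received': 1000, 'lost': 200}
```

The burst case is the one to keep in mind when you compare counts between AEM and a
device: 1,200 distinct hosts blocked within one minute produce 1,200 notifications on the
device, but only 1,000 of them are recorded by the syslog, so AEM shows 200 fewer blocked
hosts than the device for that minute.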

About the MITRE ATT&CK Data


The Threat Analysis page can display information about certain MITRE ATT&CK® tactics
and techniques that match threats. MITRE ATT&CK is a globally-accessible knowledge
base of adversary tactics and techniques based on real-world observations.

The ATT&CK matrix categorizes this data as follows:


n Tactics — Represent the adversary’s goal or the reason for an attack. For example:
Credential Access or Impact. The tactics are similar to the ATLAS categories.
n Techniques and sub-techniques — Represent the actions an adversary takes to achieve
the goal, for example, Brute Force or Network Denial of Service. The techniques are
similar to the ATLAS classifications.

For information about specific MITRE threat categories, visit https://attack.mitre.org/.

This information can help you understand why a threat is important. See “Viewing Threat
Details” on page 310.

How AEM obtains the MITRE data


A component of the ATLAS Intelligence feed (AIF) defines certain MITRE ATT&CK
categories and the associated tactics and techniques. For the MITRE component to be
available, your AEM device and managed AED devices must meet the following
requirements:
n At least one of the AED devices that are connected to AEM is an AED 8100 device.
When you remove the last AED 8100 device from AEM, the MITRE component of AIF
becomes unavailable and the MITRE information is removed from the Threat Analysis
page.


n Both AEM and the managed AED 8100 are at version 7.0.0.0 or later.
n The automated update of AIF is enabled on AEM and the managed AED.

How the MITRE component is enabled


The MITRE component in the AIF is enabled the first time you connect an AED 8100 device
to AEM. The connection affects AEM and the managed devices as follows:
n AEM requests an AIF update that includes the MITRE component. Thereafter, AEM
requests AIF updates at its configured interval.
n The MITRE functionality becomes available on all of the managed AED devices and APS
devices, regardless of how they were installed.
n The Threat Analysis page contains filters for MITRE ATT&CK tactics and MITRE ATT&CK
techniques.

How AEM displays the MITRE data


When one or more ATT&CK categories match a threat’s indicator value, the Threats list on
the Threat Analysis page displays the following information:
n The label MITRE® ATTACK to the right of the threat name.
n Lists of the ATT&CK Tactics and ATT&CK Techniques that match the threat’s indicator
value.
n The (View threat details) icon, which you can click to display the information about
the threat that is provided by ATLAS or MITRE.

On a managed device, the MITRE information is available only for the threats that were
triggered after the device was connected to AEM.

Note
If an indicator value is not available for a threat, then AEM uses the threat ID.

Viewing and Analyzing Threats


The Threat Analysis page provides detailed information about the hosts that are blocked
and the threats that are identified when traffic matches an ATLAS policy. The Threat
Analysis page provides a comprehensive view of the threats that were seen across your
AED and APS deployment during a selected time period. In the list of threats, you can
view details about the traffic so that you can understand why your managed devices
identified them as threats.

The ATLAS policies are defined in the ATLAS Intelligence Feed (AIF). The AIF also can
provide information about the threats that match the tactics and techniques in the MITRE
ATT&CK database. (See “About the MITRE ATT&CK Data” on the previous page.)
The Threat Analysis page supports workflows that allow you to see more complete threat
details and analyze the blocked hosts quickly and effectively. You can gather supporting
data for forensics reporting and take actions to prevent further attacks.
See “About Threats” on page 304.


Viewing the Threat Analysis page


To view the Threat Analysis page:
1. Select Explore > Threat Analysis.
2. In the Filters section, specify the time range for the data to display on the page.
3. Explore and analyze the threats in any of the following ways:
n To focus on specific groups of threats, use the page filters. See “Filtering the Threat
Analysis Page” on the next page.
n To see the most critical threats from different perspectives, view the charts at the
top of the page. See “Identifying the most critical threats” below.
n To view detailed information about the threats, view the Threats list. See “Viewing
the threat details” on page 310.
4. (Optional) Explore a threat further by opening other pages that are related to the
threat, as follows:
n View details about a protection group that is associated with a threat. In the
Threats list, click the protection group name link to open its View Protection Group
page.
n Capture packets from the traffic on the managed device that is associated with a
threat. See “Capturing packets from threats” on the next page.

Identifying the most critical threats


For a high-level view of the threats that were identified in your network traffic, view the
threat pie charts near the top of the Threat Analysis page. This information can provide a
starting point for your threat investigations and help you to decide which threats to
examine first.

As you explore interesting aspects of the threat data, you can view the charts that
represent the most critical threats from different perspectives. Five charts are available;
you can view any three charts at one time. By default, the Threat Analysis page displays
the following charts: Top Threats, Top Countries, and Top Protection Groups.

To display a different chart, click the icon to the right of a current chart’s title and select
a chart from the list. You can select from the following charts:
n Top Countries — The five countries that are associated with the most threats.
n Top Destination IPs — The five most targeted destination addresses.
n Top Protection Groups — The five most targeted protection groups, which are the ones
that received the most threats. Each segment of the chart represents the number of
threats for the associated protection group.
n Top Source IPs — The five source IP addresses that triggered the most threats.
n Top Threats — The five threats that matched the most threat policies. If no policy-based
threats were triggered within the selected time period, then this chart is empty.

If data exists for more than five of any of these items, then the additional data is
aggregated.

Exploring the pie chart data


For more information, hover your mouse pointer over a segment of a pie chart or an item
in a chart’s legend. A pop-up window displays the number of threats for the selected item.


To filter the information on the Threat Analysis page from a pie chart, click a segment of a
chart or an item in the legend for a chart.

To remove the filters that you selected from the pie chart, edit the filters in the Filters
section.

Capturing packets from threats


When you click the IP address for a blocked source or destination, the Packet Capture
page opens in AEM. The Packet Capture page is filtered for the IP address that you clicked.

You can start the packet capture or you can specify additional filter criteria. See “About
Capturing Packets” on page 258.

Filtering the Threat Analysis Page


You can filter the Threat Analysis page to explore different facets of the threats that
appear there and to search for specific types of threats. For example, you can view
malware threats with a high severity level that originated in the United States. The
available filters represent most of the columns in the Threats list. The filters that you
select affect the data on the entire page.

To filter the page, you add a filter in the Filters section or click the pie charts at the top of
the page. As you filter the page, the charts and the Threats list change dynamically to
represent only the threats that match the filters.

If you copy and share the page URL, the selected filters persist when someone opens the
page from that URL.

Accessing the Threat Analysis page


To access the Threat Analysis page, select Explore > Threat Analysis from the menu. For
more information, see “Viewing and Analyzing Threats” on page 307.

Filtering by a time range


To select a time range for viewing threats:
1. In the Filters section, in the Time Range box, select a predefined time range or specify
a custom date range and an optional time range.
2. Click Apply.

Adding a filter in the Filters section


To add a filter:
1. Click (Add a filter) to display a list of the available filters for the page.
2. In the list, select a filter.
A new filter box appears to the right of the first one and is labeled with the name of
the filter that you selected.
3. In the new filter box, select one or more filter options from the new list. When you
finish your selections, click (Close) or click away from the filter box.
4. (Optional) Repeat these steps to add more filters.


To remove a single value in a filter box, click its (clear) icon. To remove a filter, which
clears all of its values, hover your mouse pointer over the filter box and click the icon at
the far right of the box.

Note
If you select the Port filter, you must specify a port number in the filter box.

Filtering from the pie charts


To filter the information on the Threat Analysis page from a pie chart, click a segment of a
chart or an item in the legend for a chart.

To remove the filters that you selected from the pie chart, edit the filters in the Filters
section.

Viewing Threat Details


View the Threats list on the Threat Analysis page to see the traffic that triggered blocked
host notifications on your managed devices. This list shows details about the traffic to
help you understand why AED or APS identified that traffic as a threat.

To access the Threat Analysis page, select Explore > Threat Analysis from the menu. For
more information, see “Viewing and Analyzing Threats” on page 307. As you filter the
page, the Threats list changes dynamically to represent only the threats that match the
filters.

For performance reasons, the list displays a maximum of 2,000 threats, even when the
data set for the selected time period and filters exceeds 2,000 threats. However, when
you sort the table, the sort is applied to all of the data that matches the time period and
filter criteria, not only to the rows that are currently displayed.
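Example
The two display rules described on this page, modeled in Python: the "Top ..." pie charts
that show five items and aggregate the rest, and the Threats list that sorts the whole
matching data set before it applies the 2,000-row display cap. This is an added example
and is not part of AEM or of this guide; the threat rows, the country values, and the
"Other" label for the aggregated remainder are constructed.

```python
"""Added example (not NETSCOUT code): the two display rules described above.

top_chart() builds the data behind a "Top ..." pie chart: the five largest
buckets, with everything else aggregated. display_rows() applies the Threats
list rule that sorting covers the whole matching data set before the
2,000-row display cap; truncate_then_sort() shows what would be hidden if
the order were reversed. All threat records are constructed.
"""
from collections import Counter

TOP_N = 5
LIST_CAP = 2000


def top_chart(values, n=TOP_N, other_label="Other"):
    """Return [(label, count), ...]: the n most common values, followed by
    the aggregated remainder (if any) as a final bucket."""
    counts = Counter(values)
    top = counts.most_common(n)
    remainder = sum(counts.values()) - sum(c for _, c in top)
    if remainder:
        top.append((other_label, remainder))
    return top


def display_rows(threats, key, cap=LIST_CAP, reverse=True):
    """Sort the full matching data set, then keep the first `cap` rows."""
    return sorted(threats, key=key, reverse=reverse)[:cap]


def truncate_then_sort(threats, key, cap=LIST_CAP, reverse=True):
    """The wrong order: only rows that happened to be in the first `cap`
    take part in the sort, so a critical row further down is never shown."""
    return sorted(threats[:cap], key=key, reverse=reverse)


def by_severity(threat):
    return threat["severity"]


# Constructed sample data: threat source countries and 2,500 threat rows.
COUNTRIES = (["US"] * 40 + ["CN"] * 30 + ["RU"] * 20 + ["BR"] * 10
             + ["DE"] * 8 + ["FR"] * 5 + ["IN"] * 3)

THREATS = [{"id": i, "severity": 1} for i in range(2500)]
THREATS[2400]["severity"] = 10   # the only high-severity row sits past row 2,000


if __name__ == "__main__":
    print(top_chart(COUNTRIES))
    # [('US', 40), ('CN', 30), ('RU', 20), ('BR', 10), ('DE', 8), ('Other', 8)]
    print(display_rows(THREATS, by_severity)[0]["id"])                      # 2400
    print(any(t["id"] == 2400 for t in truncate_then_sort(THREATS, by_severity)))  # False
```

The second half is the point to remember when you sort a large result set by Severity: the
one high-severity row at position 2,400 is shown first because the sort runs over all 2,500
matching rows; a tool that truncated to 2,000 rows before sorting would never show it.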

Viewing the threat details


To focus on specific data, you can show or hide columns in the list. Click (Show or hide
columns), and then click (toggle button) to select the columns to show or hide.

By default, the list is sorted by the Time column, with the newest threats first. You can sort
by any column in either ascending order or descending order, but only one column at a
time.

Each row in the Threats list represents a single instance of a threat.

Information in the Threats list

Column Description

Time The time at which the threat was triggered on the managed device.

(Country) The country that is associated with the threat. Hover your mouse pointer over
the flag icon to view the country name.
The Countries filter includes options for known private IP spaces and
Unknown countries.


Threat The type of threat that matched the policy. Additional information that is
related to this threat appears below the threat name, as follows:
n Categories — The group of related ATLAS policies that contains the policies
that the traffic matched. The categories also include ATT&CK tactics.
n Classifications — The top-level classification of threats that ATLAS defines
and the associated components of the ATLAS Intelligence Feed (AIF). Some
examples of threat classifications are: Command and Control, DDoS
Reputation, Location Based Threats, Malware, and Targeted Attacks.
When a threat matches certain MITRE ATT&CK categories (see “About the MITRE
ATT&CK Data” on page 306), a label appears next to the threat name. The
following information is available:
n ATT&CK Tactics — The group of related MITRE ATT&CK policies that
represent the reason for an attack. The tactics are similar to the ATLAS
categories.
n ATT&CK Techniques — The group of related techniques and sub-techniques
that define how the attack is achieved. The techniques and sub-techniques
are similar to the ATLAS classifications.
To view information that can help you to understand why this threat, category,
or classification is important, click (View threat details). A pop-up window
displays the ATLAS and MITRE descriptions of the threat. You can copy or print
this description.

Severity The relative risk of a threat, based on the severity level of the policy that was
matched: low, medium, or high.

Confidence The value that represents the ASERT team’s confidence that the rules in a
threat policy will identify malicious traffic. The scale is 1 to 100.
The confidence values are as follows:
n 1 to 59 = low
n 60 to 79 = medium
n 80 to 100 = high

See “About the ATLAS Confidence Index” on page 70.

Indicator The domain, IP address, or URI that matched an ATLAS policy.
An indicator identifies behavior or data that is observed on a network and is
associated with potentially malicious activity.

Protocol The packet’s transport layer protocol.

Blocked Source The IP address and port of the packet source. The service is displayed if it is
known.
Click the IP address link to open the Packet Capture page in AEM. The Packet
Capture page is filtered for this IP address.


Destination The IP address and port of the packet destination. The service is displayed if it
is known.
Click the IP address link to open the Packet Capture page in AEM. The Packet
Capture page is filtered for this IP address.

Protection Group The protection group that contains the host that is associated with the policy
match.
Click the protection group’s name to open it on the View Protection Group page.

Device The managed device that detected the threat.



Section 21:
Monitoring the Status of the Network
and Devices

The Summary page provides an overview of the current state of your AEM deployment,
including the historical traffic across your configured devices.

User access
System analysts and system users can search and view the summary information, but
they cannot access all the pages that are described in this section. Only administrators
can access all the pages and perform all the tasks that are available from the Summary
page.

In this section
This section contains the following topics:

Viewing a Summary of System Activity 313


Viewing System Information on the Summary Page 314
Viewing Audit Trail Information on the Summary Page 316

Viewing a Summary of System Activity


The Summary page provides a snapshot of your system and includes links to additional
information. The system displays important status messages at the top of the page to
alert you to any problems that require immediate attention.

For more details, see “Viewing System Information on the Summary Page” on the next
page.

Viewing the Summary page


To access the Summary page, select Summary from the menu.


Sections on the Summary page


The Summary page shows different aspects of the system status in the following sections:

Sections on the Summary page

Section Description

System response This section is located directly below the menu bar. It displays
area any critical messages.

System Status Displays the statistics for your AEM. This section also lists the
total number of devices that are under AEM management.

System Information Displays detailed information about your AEM and the devices
that are under AEM management.

Audit Trail Displays the most recent Audit Trail entries. See “Viewing Audit
Trail Information on the Summary Page” on page 316.

Auto-refresh option on the Summary page


When the Summary page is displayed, (Toggle auto-refresh) appears on the toolbar at
the top of the page.
n Click to refresh the Summary page every 120 seconds. A teal icon ( ) indicates that
the automatic refresh is active.
n To stop the automatic refresh (for example, to preserve interesting data), click .

Viewing System Information on the Summary Page


On the Summary page, the System Information section displays detailed information about
AEM and the devices that it manages. Use the information in this section to determine
how the device is performing.

If a device experiences connectivity problems, then AEM displays that device’s status at
the top of the Summary page to alert you immediately.
For general information about the Summary page, see “Viewing a Summary of System
Activity” on the previous page.

Viewing the Summary page


To access the Summary page, select Summary from the menu.

Information in the System Status section


This section displays the following status information about AEM:

Information in the System Status section

Information Description
Last AIF Update Check Indicates the last time that AEM polled the AIF server for new
information. You can update the AIF interval time and poll the
server on the Configure AIF Settings page.
If you do not enable automatic AIF updates, then this area
displays Autoupdate Disabled instead of Last AIF Update Check.
See “Configuring the ATLAS Intelligence Feed” on page 74.

Last Backup Indicates the time at which the system backed up AEM data. The
AEM data is backed up automatically every 24 hours. You can
download a copy of the last backup file or upload an older saved
version.
For a description and instructions, see “Configuring Remote
Backup Settings” on page 63.

Total Devices Displays the number of AED and APS devices under AEM
management.

Information in the System Information section


This section displays the following information for each device:

System Information section

Column Description

Severity The relative severity of the alerts that are on the device. See “About
system alert severity levels” on page 290.

Device Type Indicates whether the device is an AEM, an AED, or an APS.

Hostname Displays the user-assigned system name for the managed device.
When you click the name link, the Summary page on the managed
device opens in a new browser tab.

(Launch the Opens the Device Console for the managed device. The Device
device console) Console allows an administrative level user to access the CLI and
UI for a managed device from the AEM UI. Non-administrative
users can access Any actions a user can take with a serial console
or SSH connection can be accomplished using this interface.
For example, you can use it to upgrade managed devices.

Serial Number Displays the serial number for the device.

Uptime Displays the time that has elapsed since the device was last
restarted, in days, hours, and minutes.
If the device is down, then Offline appears in this column. If the
device remains down, then you can delete it. See “Deleting Offline
Devices” on page 99.


Last Seen Indicates the last time that the device reported to AEM.

Status Describes the overall status of a device. The status can be one of
the following messages:
n High memory usage: <usage percentage>
n High disk usage: <amount of MB remaining>
n Communication error, last heartbeat received: <time last
received>
n Synchronize times: skew is <amount of time>
n Device is down: last seen <time last seen>
n Multiple Problems: <the list of problems>
n Good
n RAID error: <error message>
n Preparing configuration
n Initial synchronization
n Out of sync
n Unsupported device version. The configurations cannot be
synchronized.

Version Displays the current software version that the appliance is running.

Delete button When a device goes down or someone disconnects it from AEM,
the Delete button appears within a few minutes. For details and
cautions, see “Deleting Offline Devices” on page 99.

Viewing Audit Trail Information on the Summary Page


On the Summary page, the Audit Trail section displays the 10 most recent Audit Trail
entries. The Audit Trail section contains the same columns as the table on the Audit Trail
page (Administration > Audit Trail).

For more information about the Audit Trail, see “Information in the audit trail” on
page 321 and “Including Change Messages in the Audit Trail” on page 319.

For general information about the Summary page, see “Viewing a Summary of System
Activity” on page 313.

Viewing a complete Audit Trail entry


To view a detailed audit trail entry, including the long description, in the Audit Trail Entry
Viewer:
1. Select the Summary menu.
2. On the Summary page, in the Audit Trail section, click a More link that appears in the
Description column.
3. When you finish viewing the audit trail information, click Done.


Viewing all Audit Trail entries

To view all audit trail entries on the Audit Trail page:
• On the Summary page, in the lower right corner of the Audit Trail section, click the View
Full Audit Trail link.

Section 22: Monitoring System Changes in the Audit Trail

This section describes how to use the audit trail, which records all of the changes that are
made in AEM.

User access
Users at all authorization levels can include change messages in the audit trail. Only
administrators can view the audit trail and configure the audit trail settings.

In this section
This section contains the following topics:

About the Audit Trail 318
Including Change Messages in the Audit Trail 319
Viewing the Audit Trail Log 320

About the Audit Trail


The audit trail records all of the changes that are made in AEM, which allows you to view
and track the changes. You can view the audit trail entries on the Audit Trail page. See
“Viewing the Audit Trail Log” on page 320.
On the Audit Trail page, you can specify a default change message and configure the kinds
of changes that trigger the appearance of the Audit Trail window. See “Configuring the
Audit Trail Settings” on page 60.

About the Audit Trail window


By default, when a user makes a change in the AEM UI, the Audit Trail window appears
and prompts the user to describe the change. See “Including Change Messages in the
Audit Trail” on the next page.

If you disable the Audit Trail window for certain changes, then the window does not
appear when users make those types of changes. AEM logs the changes, but does not
include any messages.

When AEM adds audit trail entries


AEM adds audit trail entries in the following situations:
• System changes occur, such as an ATLAS update.
• Users make changes in the AEM UI.
• Users export data from the system by sending email, creating PDF files, or exporting
CSV files.
• Users enter commands in the command line interface (CLI).

How CLI commands are logged in the audit trail

AEM transfers entries from the command log to the audit trail at one-minute intervals.
The command information that is included in the audit trail depends on the type of CLI
command, as follows:

How CLI commands are logged in the audit trail

Command type                                 What is included in the audit trail
All commands                                 The following information is included in the audit trail for
                                             all types of CLI commands:
                                             • the time and date on which the change occurred
                                             • the user who entered the command
                                             • the component that was changed
                                             • the command that was typed
Commands that include a password or secret   The sensitive data is replaced with “*****”.
Commands that include abbreviations          The absolute path is included and any abbreviations are
                                             expanded to full words. For example, the command
                                             / serv aem inter is logged as / services aem interface.
Command help                                 These commands are not included in the audit trail.
Directory help                               These commands are included in the audit trail.
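The following Python example is added here to illustrate the sanitization step that the table above describes; it is not code from AEM or from this guide. It turns command-log lines into audit entries that carry the time, the user, the component and the command, drops command-level help, and replaces secret values with “*****”. The command-log line format, the SECRET_RULES patterns (the guide shows only the interactive password form, which puts no secret on the line), the is_command_help rule and the way the component is derived are assumptions made for the example; the sample log lines, user names and secret values are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime

MASK = "*****"

# Constructed rules describing where secret material sits on a command line. Each
# pattern's first group is the text to keep and the second group is the secret.
# This guide shows only the interactive password form ("... password admin
# interactive"), which puts no secret on the line; the positional form in the first
# rule and the generic "secret"/"key" rule are assumptions for the example.
SECRET_RULES = [
    re.compile(r"(\bservices aaa local password \S+ )(?!interactive\b)(\S+)"),
    re.compile(r"(\b(?:secret|key) )(\S+)"),
]


@dataclass(frozen=True)
class AuditEntry:
    """The four fields the guide says are recorded for every CLI command."""
    time: datetime
    user: str
    component: str
    command: str


def redact_command(command):
    """Replace secret values with "*****" while keeping the rest of the line intact."""
    for rule in SECRET_RULES:
        command = rule.sub(lambda m: m.group(1) + MASK, command)
    return command


def is_command_help(command):
    """True for command-level help such as "clock ?", which the guide says is not
    written to the audit trail. Directory help ("help", "?") is kept. Assumption:
    a trailing "?" after at least one other token is command-level help."""
    tokens = command.split()
    return len(tokens) >= 2 and tokens[-1] == "?"


def parse_command_log(text):
    """Turn constructed command-log lines ("<ISO time> <user> <command...>") into
    audit entries: command-level help lines are dropped and secrets are masked.
    The component is taken as the first command name after the leading "/",
    which is an assumption about how AEM derives it."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, command = line.split(" ", 2)
        if is_command_help(command):
            continue
        names = [t for t in command.split() if t != "/"]
        entries.append(AuditEntry(
            time=datetime.fromisoformat(stamp.replace("Z", "+00:00")),
            user=user,
            component=names[0] if names else "",
            command=redact_command(command),
        ))
    return entries


# Constructed command log; the commands are modelled on the ones shown in this
# guide, with made-up user names, a made-up "example-backend" command and secrets.
SAMPLE_COMMAND_LOG = """\
2024-05-01T10:15:00Z admin / services aaa local password admin interactive
2024-05-01T10:15:20Z admin / services aaa local password operator Hunter2!
2024-05-01T10:15:31Z admin / services aaa example-backend shared-secret s3cr3t-value
2024-05-01T10:16:02Z admin clock ?
2024-05-01T10:16:05Z admin clock set 05011016
2024-05-01T10:16:09Z operator help
"""

if __name__ == "__main__":
    for entry in parse_command_log(SAMPLE_COMMAND_LOG):
        print(entry.time.isoformat(), entry.user, entry.component, entry.command)
```

The masking is applied before the entry is stored, so a secret never reaches the audit trail, the CSV export, or a syslog destination; when you adapt the rules, test the interactive form explicitly, because a rule that masks the token after “password” would otherwise hide the user name rather than a secret.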

About exporting the audit trail


You can export the audit trail in the following ways:
• As a comma-separated values (CSV) file.
See “Exporting the audit trail as a CSV file” on page 321.
• To a syslog destination that you configure in the CLI.
See “Configuring the Syslog Destination for the Audit Trail” on page 61.

Including Change Messages in the Audit Trail


When you make a change in the AEM UI, the system records the change in the audit trail.

By default, when you make a change, the Audit Trail window appears and prompts you to
enter a change message. The best practice is to add a message that provides some
insight into what you did and why you made the change. However, you also have the
following options:
• Do not enter a change message.
• Enter a default message for all of the future changes that you make.
• Disable the Audit Trail window for all of the future changes of that type that you make.

Settings on the Audit Trail page determine the default change message (if any) and the
kinds of changes that trigger the appearance of the Audit Trail window. See “Configuring
the Audit Trail Settings” on page 60.

Administrators can view the audit trail log in the Audit Trail page (Administration > Audit
Trail). See “Viewing the Audit Trail Log” below.

For general information about the audit trail, see “About the Audit Trail” on page 318.

Entering a change message in the Audit Trail window


To enter a change message in the Audit Trail window:
1. In the Audit Trail window, type a description of the change in the change message
box.
You can enter a maximum of 1024 characters.
2. (Optional) Select Set as my default audit trail message to use this change message
for all of the future changes that you make.
3. (Optional) Select Do not show this dialog again... to disable the Audit Trail window
for all of the future changes of this type that you make.
AEM logs the changes even if the Audit Trail window is disabled.
4. Click Save.

Viewing the Audit Trail Log


The audit trail records all of the changes that are made in AEM, which allows you to view
and track the changes. See “About the Audit Trail” on page 318.

For information about recording changes to AEM, see “Including Change Messages in the
Audit Trail” on the previous page.

For information about editing the default settings for audit trail changes, see “Configuring
the Audit Trail Settings” on page 60.

Viewing the audit trail


To view the audit trail:
1. Select Administration > Audit Trail.
2. On the Audit Trail page, select the Audit Trail Log tab.
3. (Optional) To find specific entries, use the Search All Audit Trail Entries box.
4. (Optional) To view additional information about an entry, click the More link to the
right of the entry’s description.


Information in the audit trail


The Audit Trail page displays the following information for each entry:

Audit trail details

Information   Description
Time          Displays the time and date on which the change occurred.
User          Displays the user who made the change, or “system” if it is a
              system-generated change.
Appliance     Displays the AEM name.
Action        Indicates the type of change, such as Add, Edit, Delete, Update, and so on.
Component     Indicates the type of object that was changed.
Name          Displays the name of the changed object, if it has one.
Message       Displays the text from the change message that a user typed, or a
              system message for system-generated entries.
Description   Describes the change.
More link     Allows you to view additional information about an entry by opening the
              Audit Trail Entry Viewer window.

Note
You also can view the entries in the audit trail on the Summary page. See “Viewing Audit
Trail Information on the Summary Page” on page 316.

Exporting the audit trail as a CSV file


You can save a copy of the audit trail by exporting it to a comma-separated values (CSV)
file.
To export the audit trail as a CSV file:
1. Select Administration > Audit Trail.
2. On the Audit Trail page, display the entries that you want to export, as described in
“Viewing the audit trail” on the previous page.
3. Select one of the following options:
• Export — Exports only the entries that appear on the current page.
If you use a search to filter the audit trail list, then the exported file contains the
search results only.
• Export All — Exports all of the audit trail entries.
4. Open or save the file according to your browser options.
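As an added example, not code from this guide or from NETSCOUT, the following Python reads an export with the column set described under “Information in the audit trail” and flags the entries that an administrator reviewing the export would want to look at: user-made changes that were saved without a change message, and users with more Delete actions than expected. The sample export, the appliance and user names, the object names and the “Export” action value are constructed for the example; the column names and the “system” user come from this guide.

```python
import csv
import io
from collections import Counter

# Columns of the Audit Trail page and of its CSV export, as listed in this guide.
REQUIRED_COLUMNS = ["Time", "User", "Appliance", "Action", "Component", "Name",
                    "Message", "Description"]

# Constructed sample export. The appliance name, user names, object names and the
# "Export" action value are made up for this example; only the column set and the
# "system" user come from the guide.
SAMPLE_EXPORT = """\
Time,User,Appliance,Action,Component,Name,Message,Description
2024-05-01 10:15:00,admin,aem-lab,Edit,User,operator,Reset after lockout,Changed password for user operator
2024-05-01 10:20:00,system,aem-lab,Update,ATLAS,,ATLAS feed updated,Applied ATLAS update
2024-05-01 10:25:00,admin,aem-lab,Delete,Device,aed-edge-2,,Deleted offline device aed-edge-2
2024-05-01 10:26:00,admin,aem-lab,Delete,Device,aed-edge-3,,Deleted offline device aed-edge-3
2024-05-01 10:30:00,jdoe,aem-lab,Export,Audit Trail,,Quarterly review,Exported the audit trail as CSV
"""


def load_audit_export(text):
    """Parse an exported audit trail and refuse a file whose columns do not match."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {', '.join(missing)}")
    return list(reader)


def review_audit_rows(rows, max_deletes_per_user=1):
    """Return review findings as (kind, user, detail) tuples: user-made changes that
    were saved without a change message, and users whose Delete count in this export
    exceeds `max_deletes_per_user` (a threshold chosen for the example)."""
    findings = []
    deletes = Counter()
    for row in rows:
        if row["User"] != "system" and not row["Message"].strip():
            what = f"{row['Action']} {row['Component']} {row['Name']}".strip()
            findings.append(("missing-change-message", row["User"], f"{row['Time']} {what}"))
        if row["Action"] == "Delete":
            deletes[row["User"]] += 1
    for user, count in sorted(deletes.items()):
        if count > max_deletes_per_user:
            findings.append(("delete-burst", user, f"{count} Delete actions"))
    return findings


def actions_by_user(rows):
    """Count (user, action) pairs, a quick way to see who did what in the export."""
    return Counter((row["User"], row["Action"]) for row in rows)


if __name__ == "__main__":
    rows = load_audit_export(SAMPLE_EXPORT)
    for finding in review_audit_rows(rows):
        print(*finding)
```

Run the review against the Export All file rather than a single page's Export, because a Delete burst that spans two pages is invisible in either page on its own; the column check at the top catches an export produced by a different product version before the rules run over the wrong fields.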

Part V: Command Line Interface

Section 23: Using the Command Line Interface

This section provides the instructions for connecting to and using the Command Line
Interface (CLI).

In this section
This section contains the following topics:

About the Command Line Interface 323
About the Connections to the Command Line Interface 323
Logging in to and out of the AEM Command Line Interface 324
Getting Help in the Command Line Interface 325
About the CLI Command Components 327
Entering CLI Commands 328
Navigating the CLI Command Hierarchy 329
Editing Command Lines 330
Viewing Statuses in the CLI 331

About the Command Line Interface


The command line interface (CLI) allows you to enter commands and navigate through
the directories on the AEM.

Typically, the CLI is used to install and upgrade the software and to complete the initial
configuration. In addition, some advanced and support functions can only be configured
by using the CLI.

To access the AEM command line interface (CLI), you can connect to the appliance directly
or remotely. See “About the Connections to the Command Line Interface” below and
“Logging in to and out of the AEM Command Line Interface” on the next page.

Prerequisite
Before you can log in to and access the CLI, complete the initial installation and
configuration procedures that are listed in the AEM Installation Guide.

About the Connections to the Command Line Interface


To access the AEM command line interface (CLI), you can connect to the AEM appliance or
you can connect to AEM remotely.


Serial port connection


You can connect a computer directly to the serial port on the AEM appliance.
Alternatively, you can connect a serial console to the serial port on the AEM appliance,
and then use a terminal emulator to access the CLI. An example of a terminal emulation
program is HyperTerminal. See “Terminal emulation settings” below.

The boot commands are available when you connect through the serial port.

To use the serial port, connect it to the serial console with a null modem (RJ45) cable. This
type of cable is not included in your appliance package.

Instructions for connecting the serial cable are in the AEM Installation Guide.

Terminal emulation settings


Use the following settings to configure your terminal emulation program to connect to
the CLI:

Typical terminal emulation settings

Setting Value

Baud rate 9600

Data bits 8

Stop bits 1

Parity None

Flow control None

Direct monitor and keyboard connection


You can access the appliance directly by connecting a monitor and keyboard to the VGA
and USB ports respectively. When you connect directly, you can access the CLI without
having to enter an IP address.

This connection method is typically used during the initial configuration and emergencies.
The boot commands are available when you connect directly.

SSH connection
You can access the AEM appliance by using a network protocol such as SSH. The boot
commands are not available when you connect through SSH.

The SSH service is enabled by default.

Logging in to and out of the AEM Command Line Interface


AEM has a command line interface (CLI) that you can use to perform advanced
configurations and other tasks.

The method that you use to connect to AEM determines your login procedure. You can
log in directly (through a terminal emulator on the serial port, or through a keyboard and
monitor that are connected to the appliance) or remotely through an SSH session. See
“About the Connections to the Command Line Interface” on the previous page.


Using the CLI


For information about using the CLI, see “About the CLI Command Components” on
page 327 and “Entering CLI Commands” on page 328.

Default username and password


When you log in to the CLI for the first time, you can use the default username and
password. The default username is admin. The default password is arbor. Typically, the
first login occurs during the installation.
Important
For security purposes, change this password after you log in for the first time. See
“Changing the administrator password” below.

Logging in to the serial port through terminal emulation


To log in to the serial port through terminal emulation:
1. Start your terminal emulator and establish a connection to the AEM serial port.
2. If you are prompted to press any key, do so. If you do not press a key within five
seconds, AEM tries to boot automatically.
3. If the boot menu appears, select disk, and then press ENTER.
4. At the CLI login prompts, enter your administrator user name and password.

Logging in through SSH


To log in through SSH:
1. Start your SSH client and establish a connection by typing the IP address or DNS
hostname for AEM as needed.
2. At the CLI login prompts, enter your administrator user name and password.

Logging out of the CLI


To log out of the CLI, enter exit

Changing the administrator password


To change your administrator password:
1. Enter / services aaa local password admin interactive
2. Enter the new password.
3. Re-enter the new password.

Getting Help in the Command Line Interface


Throughout the command line interface (CLI), you can get help for the commands and
command arguments that are available.

For information about using the CLI, see “About the CLI Command Components” on
page 327 and “Entering CLI Commands” on page 328.


Types of Help commands

The CLI provides the following Help commands:

CLI Help commands

Command       Description
help          Lists the commands that are available within a directory.
help global   Lists the commands that are available from all directories.
?             Lists the commands that are available within a directory or the
              arguments that are available within a command.
              Note
              You do not have to press ENTER after you type the question mark.

Example: Help commands

The following examples show the types of Help commands that are available in the CLI:

Directory-level Help
admin@example.com:/# help
Subcommands:
  ip/          IP and network configuration
  services/    System services
  system/      System configuration
admin@valium:/# help global
Global commands:
  ..           Return to previous menu
  /            Return to root menu
  ?            Show command information
  clock        Show or set the system clock
  config       Show or save the system configuration
  edit         Enter configuration mode
  help         Show command information
  help/?       Show available commands
  ping         Ping a network host
  ping6        Ping a network host (IPv6)
  quit/exit    Exit the command shell
  reload       Reload the system
  shutdown     Shutdown the system
  traceroute   Trace route to a network host
  traceroute6  Trace route to a network host (IPv6)
  users        Show user login summary

Command-level Help
admin@example.com:/# clock ?
  set          Set the system clock
  <cr>
admin@example.com:/# clock set ?
  [MMDDhhmm[[CC]YY][.ss]]


About the CLI Command Components


The CLI commands follow a specific syntax and consist of several components. These
components are represented in a specific way in this guide and the CLI Help.

Components of CLI commands


The CLI command syntax is command keyword argument parameter.

The components of a CLI command are as follows:

Components of CLI commands

Component   Description
command     The actual command or action to be taken, which might take other arguments.
            For example, the help command takes no keywords or arguments; the mode
            command takes keywords (for example, set) and arguments (for example, mem).
keyword     A specific action that the command must take.
argument    An entity to be acted upon by the keyword.
parameter   A user-defined parameter (variable) that is required for some arguments.
            For example, IP_address requires that you type a specific host IP address.
            Where possible, this guide provides valid parameters or parameter
            guidelines in a command’s description.

Conventions for commands and expressions

The following conventions show the syntax of commands and expressions. Do not type
the brackets, braces, or vertical bar in commands or expressions.

Typographic conventions for commands and expressions

Convention             Description
Monospaced bold        Information that you must type exactly as shown.
Monospaced italics     A variable for which you must supply a value.
{ } (braces)           A set of choices for options or variables, one of which is
                       required. For example: {option1 | option2}.
[ ] (square brackets)  A set of choices for options or variables, any of which is optional.
                       For example: [variable1 | variable2].
| (vertical bar)       Separates the mutually exclusive options or variables.


Entering CLI Commands


The command line interface (CLI) uses a standard hierarchical command structure that
allows you to enter commands and navigate through the directories.

For information about using the CLI, see “About the CLI Command Components” on the
previous page and “Editing Command Lines” on page 330.

Command types
The types of CLI commands are as follows:

CLI command types

Command type   Description
Subcommand     The command is specific to the current directory.
Global         The command is available anywhere in the command hierarchy.

Entering a command
To enter a command in the CLI:
• At the command prompt, type the command, and then press ENTER.

Guidelines for typing commands


When you type a CLI command, follow these guidelines:
• Because the commands are case sensitive, type them exactly as they are shown in this
guide or in the CLI Help.
• You are only required to type the minimal number of characters that form a unique
abbreviation of a command. For example, you can type sy instead of system.
• Alternatively, if you cannot remember a complete command name, type the first few
letters and press TAB. The system completes the command.
• You can group multiple commands into one compound command. See “Examples of
singular and compound commands” on the next page.
Typically, the procedures in this guide present an entire compound command in each
step.
• After you type a command, press ENTER or RETURN to execute it.
• When you type a string that contains one or more spaces, enclose the string within
double quotation marks.
The CLI parses literal text that contains spaces only if the string is within quotation
marks. All of the text that is within quotation marks is parsed as case sensitive. See
“Examples of literal text parsing” on the next page.


Examples of singular and compound commands


The following examples show how to enter singular commands or compound commands
to show the system time zone:

Singular commands
admin@example.com:/# system
admin@example.com:/system# timezone
System timezone: GMT

Compound command
admin@example.com:/# system timezone
System timezone: GMT

Examples of literal text parsing

• services aaa groups show My Group generates an error.
• services aaa groups show "My Group" displays the desired output.

Saving the configuration


It is important to save the configuration whenever you make changes. Saving the
configuration ensures that the current changes take effect immediately and preserves the
configuration if AEM is rebooted.

Typically, you do not need to save the configuration after every command that you enter.
It is usually sufficient to save the configuration at the end of every session.

To save the configuration:
• From anywhere within the CLI, enter config write

Navigating the CLI Command Hierarchy


The command line interface (CLI) commands are arranged in a hierarchical manner,
similar to a file system. When you log in to the CLI, you are in the root directory, which is
represented in the command prompt by a / (slash). For example: admin@example.com:/#

As you enter commands in the CLI, the command prompt displays your location in the
command hierarchy.

Navigating the CLI hierarchy


The commands for navigating the CLI are as follows:

Commands for navigating the CLI hierarchy

Action                         Command
Move down the hierarchy.       Enter one or more directory commands. For example:
                               system files
Back up one level.             Enter .. (two periods).
Return to the root directory.  Enter / (slash).


As with all of the CLI commands except the ? (question mark), press ENTER after each
command.

Example: Navigating the hierarchy


The following example shows how to navigate the CLI hierarchy:
admin@example.com:/# system files
admin@example.com:/system/files# ..
admin@example.com:/system# ..
admin@example.com:/# ip
admin@example.com:/ip# interfaces
admin@example.com:/ip/interfaces# /
admin@example.com:/#
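The following Python model is added here as an example and is not part of AEM or of this guide. It illustrates the command-entry rules from “Entering CLI Commands” (unique-prefix abbreviations, compound commands, and double-quoted literals) together with the navigation commands shown above, and returns the fully expanded absolute form of each line, which is the shape in which the audit trail records an abbreviated command. The COMMAND_TREE is constructed from the directories and commands that appear in this guide's examples and is not the real AEM command set; the rule that a leaf command leaves the current directory unchanged, and the wording of the error messages for ambiguous or unknown abbreviations, are assumptions made for the example.

```python
import shlex


class CommandError(ValueError):
    """Raised for an unknown or ambiguous command name or an unbalanced quotation mark."""


# Constructed command tree, modelled on the directories and commands that appear in
# this guide's examples; it is NOT the real AEM command set. A dict is a directory,
# None is a leaf command whose remaining tokens are passed through as arguments.
COMMAND_TREE = {
    "ip": {"interfaces": {}},
    "services": {
        "aaa": {"groups": None, "local": None},
        "aem": {"interface": None},
    },
    "system": {"files": {}, "timezone": None},
}


def resolve_name(prefix, names):
    """Return the one name that `prefix` abbreviates. Matching is case sensitive, an
    exact name always wins, and a prefix shared by several names is rejected."""
    if prefix in names:
        return prefix
    matches = sorted(n for n in names if n.startswith(prefix))
    if not matches:
        raise CommandError(f"unknown command: {prefix!r}")
    if len(matches) > 1:
        raise CommandError(f"ambiguous abbreviation {prefix!r}: {', '.join(matches)}")
    return matches[0]


def tokenize(line):
    """Split a command line into tokens. Text inside double quotation marks stays one
    token, so "My Group" is a single argument while My Group is two."""
    try:
        return shlex.split(line)
    except ValueError as exc:  # e.g. a quotation mark that is never closed
        raise CommandError(f"cannot parse command line: {exc}") from exc


def quote(arg):
    """Re-quote an argument that contains spaces when rendering the expanded line."""
    return f'"{arg}"' if " " in arg else arg


class CliSession:
    """Tracks the current directory and expands abbreviated or compound commands."""

    def __init__(self, tree=COMMAND_TREE, user="admin", host="example.com"):
        self.tree = tree
        self.user, self.host = user, host
        self.cwd = []  # directory path from the root, e.g. ["system", "files"]

    @property
    def prompt(self):
        return f"{self.user}@{self.host}:/{'/'.join(self.cwd)}# "

    def _node(self, path):
        node = self.tree
        for name in path:
            node = node[name]
        return node

    def expand(self, line):
        """Resolve each token relative to the current directory. Returns the absolute
        path as full command names and the tokens left over as arguments."""
        tokens = tokenize(line)
        path = list(self.cwd)
        node = self._node(path)
        i = 0
        while i < len(tokens) and node is not None:  # None: we are past a leaf command
            tok = tokens[i]
            if tok == "/":
                path = []
            elif tok == "..":
                if path:
                    path.pop()
            else:
                path.append(resolve_name(tok, node))
            node = self._node(path)
            i += 1
        return path, tokens[i:]

    def run(self, line):
        """Process one command line. A path that ends in a directory changes the
        prompt; a leaf command leaves the current directory alone (an assumption,
        the guide does not say). Returns the fully expanded absolute form."""
        path, args = self.expand(line)
        if isinstance(self._node(path), dict):
            self.cwd = path
        return " ".join(["/", *path, *map(quote, args)])


if __name__ == "__main__":
    session = CliSession()
    for line in ("sy", "files", "..", "..", "serv aem inter",
                 'services aaa groups show "My Group"'):
        print(f"{session.prompt}{line}")
        print("  logged as:", session.run(line))
```

In the real CLI the unquoted services aaa groups show My Group generates an error; in this model it shows up as the group name arriving as two separate arguments ("My" and "Group"), which is what a command that expects one name would then reject. The case-sensitivity rule is visible too: System is unknown where system and sy are accepted.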

Editing Command Lines


The command line interface (CLI) contains a command line editor that provides entry
shortcuts and editing capabilities. This command line editor is similar to the Emacs real-
time text editor.

For information about using the CLI, see “About the CLI Command Components” on
page 327 and “Entering CLI Commands” on page 328.

Moving the cursor around the command line


To move the cursor around the command line and make corrections or changes, use the
following keystrokes:

Keystrokes for moving the cursor around the command line

Keystrokes                       Description
CTRL + B or the Left Arrow key   Moves the cursor back (left) one character.
CTRL + F or the Right Arrow key  Moves the cursor forward (right) one character.
CTRL + A                         Moves the cursor to the beginning of the command line.
CTRL + E                         Moves the cursor to the end of the command line.
ESC + B                          Moves the cursor back one word.
ESC + F                          Moves the cursor forward one word.

Recalling commands
The CLI contains a command buffer that stores the last 30 commands that you entered.
You can recall these commands and paste them into the command line. This feature is
particularly useful for recalling long or complex commands or entries.


To recall commands from the buffer, use the following keystrokes:

Keystrokes for recalling commands

Keystrokes                      Description
CTRL + P or the Up Arrow key    Recalls commands in the buffer, beginning with the most recent
                                command. Repeat the key sequence to recall successively older
                                commands.
                                Note
                                If you press CTRL + P more than 30 times, you loop back to the
                                first entry.
CTRL + N or the Down Arrow key  Returns to more recent commands in the buffer after you have
                                recalled commands. Repeat the key sequence to recall successively
                                more recent commands.

Deleting entries
To delete command entries if you make a mistake or change your mind, use the following
keystrokes:

Keystrokes for deleting entries

Keystrokes   Description
BACKSPACE    Deletes the character to the left of the cursor.
CTRL + D     Deletes the character at the cursor.
CTRL + K     Deletes all of the characters from the cursor to the end of the command line.
CTRL + U     Deletes all of the characters from the cursor to the beginning of the
             command line.
ESC + D      Deletes from the cursor to the end of the word.

Transposing mistyped characters


To transpose a mistyped command entry, press CTRL + T. The character to the left of the
cursor and the character to the right of the cursor exchange positions.

Breaking out of long outputs


Some commands result in outputs that run for multiple screens. To interrupt these long
outputs, press CTRL + C. After you press this key sequence, the CLI prompt re-appears
immediately.

Viewing Statuses in the CLI


You can view system status information in the command line interface (CLI).

For information about using the CLI, see “About the CLI Command Components” on
page 327 and “Entering CLI Commands” on page 328.


Viewing the status of the current directory


In the CLI, you can view the status of any directory that contains configuration-level
information. The results represent the state of the configurations that you can set within
that directory. For example, when you show the status of the services/aaa directory, the
authentication and user information appears.

To view the status of the current CLI directory:
• Enter show

Viewing the current configuration


To view the current configuration:
• From anywhere within the CLI, enter config show

Part VI: AEM Maintenance and Management

Section 24: Managing AEM Files

This section describes how to use the Manage Files page (Administration > Files) to
manage the files that are on AEM. You can also manage files that are on the AED and APS
devices that AEM manages.

User access
Only administrators can perform the tasks that are described in this section. System
users cannot view the Files page.

In this section
This section contains the following topics:

About the Files Page 334
Managing the Files on AEM and Managed Devices 336
Managing Diagnostics Packages 337

About the Files Page


The Manage Files page (Administration > Files) is the central location from which you can
manage the files that are on AEM. You also can use this page to manage the files on the
AED and APS devices that AEM manages.

The Files page is divided into sections that allow you to perform the following file
management tasks:
• Upload, download, and delete the files on AEM and managed devices.
• View the amount of free space on the selected device.

See “Managing the Files on AEM and Managed Devices” on page 336.

About the Files section

The Files section of the Manage Files page contains the following information:
• A Show files on list, from which you can select the device whose files you want to view.
• A disk space pie chart that displays the amount of used disk space and free disk space
on the selected device.
• A table that includes detailed information about the files on the selected device.


The table displays the following information for each file that is on the selected device:

File listing details

Information           Description
Name                  The name of the file.
Size                  The size of the file.
Date                  The time and date when the file was uploaded.
Type                  The type of file. A file can be one of the following types:
                      • Text file
                      • Directory
                      • Gzip compressed
                      • Signed package
                      • SSH host keys
                      • Unknown
Status                Indicates whether the file has been installed on the selected
                      device. This status applies to installation packages only.
Selection check box   Allows you to select the file for deletion.

About the Diagnostics Packages section


Diagnostics packages are helpful if you need the Arbor Technical Assistance Center (ATAC)
to troubleshoot AEM system problems. For information about creating the diagnostics
packages, see “Managing Diagnostics Packages” on page 337.
The table in the Diagnostics Packages section contains the following information for each
package:

Diagnostics package details

Information                        Description
Name                               The name of the diagnostics package. You can download the
                                   package by clicking the name link.
Size                               The size of the diagnostics package.
Date                               The time and date on which a diagnostics package was created.
Email button                       Allows you to email the diagnostics package.
Create Diagnostics Package button  Allows you to create a new diagnostics package.

About the SSL Certificate section


You can upload a custom SSL certificate to authenticate users in the AEM UI. See “Using a
Custom SSL Certificate for User Authentication” on page 65.


About the Logo section


You can upload a custom logo to replace the default AEM logo. See “Adding a Custom
Logo to the UI” on page 66.

About the System Files section


The System Files section allows you to download the MIB files from AEM. The MIB files can
help you decode the SNMP traps that AEM sends for notifications. The MIB files can also
help you understand the OIDs (object identifiers) that can be queried on AEM.
See “Configuring SNMP Polling” on page 58.
For information about downloading the files, see “Managing the Files on AEM and
Managed Devices” below.

Managing the Files on AEM and Managed Devices


You can use the Manage Files page (Administration > Files) to manage the various files
that are on AEM and managed AED and APS devices.

When you manage files on the Manage Files page, the changes apply only to the device
that is selected in the Show files on list.

See “About the Files Page” on page 334.

Viewing the files on a managed device


By default, the Manage Files page lists the files that are on AEM. You also can view the files
that are on the devices that AEM manages.

To view the files on a managed device:
1. Select Administration > Files.
2. On the Manage Files page, in the Show files on list, select the device whose files you
want to view.

Uploading files to AEM


To upload a file to AEM using SCP or HTTP:
1. Select Administration > Files.
2. On the Manage Files page, in the Show files on list, select the AEM.
3. Click Upload.
4. In the Upload File window, click Browse to locate the file.
5. In the File Upload window, select the file, and then click Open.
6. In the Upload File window, click Upload.
7. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Deleting files from a managed device


Caution
You cannot undo the deletion of files.


To delete a file from a managed device:
1. Select Administration > Files.
2. On the Manage Files page, in the Show files on list, select the managed device on
which you want to delete a file.
3. In the list of files, complete one of the following tasks:
• Select the check box for each file that you want to delete.
• Select the Select All check box to delete all of the files.
4. Click Delete.
5. In the confirmation message that appears, click OK.
6. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.

Downloading files from AEM


You can download diagnostics packages and MIB files from the Manage Files page on
AEM.
To download a file from AEM:
1. Select Administration > Files.
2. On the Manage Files page, in the Show files on list, select the AEM.
3. Select the file to download in any of the following ways:
• In the System Files section, click the AEM MIB link or the SMI MIB link.
• In the Diagnostics Packages section, click the file name link.
4. Save the file according to your browser options.

Managing Diagnostics Packages


A diagnostics package contains debugging information for AEM. The diagnostics package
helps the Arbor Technical Assistance Center (ATAC) to diagnose and correct any potential
issues that are related to your system.

You can create new diagnostics packages and download, email, and delete the packages.

Viewing diagnostics packages


The Files page displays the existing diagnostics packages and their creation dates, file
names, and file sizes.

For general information about the Files page, see “About the Files Page” on page 334.

Creating a diagnostics package


To create a diagnostics package:
1. Select Administration > Files.
2. In the Diagnostics Packages section, click Create Diagnostics Package.
3. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
The package creation might take several minutes. A message at the top of the page
indicates that the package creation is in progress.


Tip
If the diagnostics package does not appear within a few minutes, then click the Refresh
this page icon on the toolbar.

Emailing a diagnostics package to the Arbor Technical Assistance Center


To email a diagnostics package to the Arbor Technical Assistance Center (ATAC):
1. Select Administration > Files.
2. In the Diagnostics Packages section, to the right of the package that you want to send,
click Email.
3. In the Email Diagnostics window, type the following information:

Setting       Description
From box      Type your email address.
Subject box   Type a subject for the email message.
Message box   Type a message that explains how you want ATAC to process the diagnostics package.

4. Click Email.

Downloading a diagnostics package


If you cannot email from AEM, then you can download the diagnostics package. See
“Downloading files from AEM” on the previous page.



Section 25:
Backing Up AEM

This section describes how to back up AEM data.

User access
Users at all authorization levels can view the backup configurations. Only administrators
can perform the backup tasks that are described in this section.

In this section
This section contains the following topics:

About AEM Backups 339


Running a Local Backup Manually 340
Restoring AEM from a Backup 341

About AEM Backups


AEM supports remote backups and local backups. Both remote backups and local
backups copy the same AEM configuration settings and data.

About remote backups


For remote backups, you configure a recurring backup schedule.

About remote backups

Typical use            To recover data after a hardware failure or other outage.
How they are created   AEM runs remote backups automatically, based on a user-defined schedule. You also can run a remote backup manually at any time. See “Configuring Remote Backup Settings” on page 63.
Where they are stored  On a remote backup server.
How many are stored    1


About local backups


Local backups run automatically every night at midnight; you also can run them manually.

About local backups

Typical use            To restore a known configuration state. For example, you might want to restore AEM to a known configuration state after you perform benchmark tests or try new configurations.
How they are created   AEM runs local backups automatically, every night at midnight. You also can run a local backup manually at any time. See “Running a Local Backup Manually” below.
Where they are stored  On AEM.
How many are stored    5

About backing up and restoring in a central management environment


AEM synchronizes configuration data with the AED and APS devices that it manages by
copying the data that is specific to a managed device to that device. When you back up
and restore AEM and its managed devices, you must follow certain guidelines to maintain
the data synchronization. See “How Restoring Backups Affects the AEM - Device
Synchronization” on page 93.

About restoring backup data


To restore AEM from a backup, you must use the command line interface (CLI).
See “Restoring AEM from a Backup” on the next page.

Running a Local Backup Manually


AEM generates a local backup automatically every night at midnight. The Configure Backup
Settings page also allows you to run local backups manually.

You might back up AEM locally in the following situations:


n To save the initial system configuration after you finish configuring settings.
n To save a known configuration state before you perform benchmark tests or try new
configurations. When you finish your tests, use the backup to restore AEM to the last
known configuration.
n To save any configuration changes immediately instead of waiting for the next
scheduled backup.

For general information about backups, see “About AEM Backups” on the previous page.
For information on configuring remote backups, see “Configuring Remote Backup
Settings” on page 63.


Running a local backup manually


To run a local backup manually:
1. Select Administration > Backup.
2. On the Configure Backup Settings page, in the Local Backups of Arbor Enterprise
Manager Configuration and Data section, click Back Up Now.

About the Backups list


A list of the last five local backups appears in the Local Backups of Arbor Enterprise Manager
Configuration and Data section on the Configure Backup Settings page. The list includes the
following information for each backup:

Backup details

Information  Description
Date         The date and time on which the backup was created.
Age          The length of time since the backup was run.
Size         The size of the backup file.
Username     Displays AEM for an automatic backup. For a manual backup, this column displays the user name of the person who requested the backup.
Download     Downloads the backup file to a user-specified location. See “Downloading a local backup file” below.

Downloading a local backup file


You can download a local backup file at any time.
To download a local backup file:
1. Select Administration > Backup.
2. On the Configure Backup Settings page, in the Local Backups of Arbor Enterprise
Manager Configuration and Data section, click the Download button for the file to
download.
3. Save the file according to your browser options.

Restoring AEM from a Backup


You typically can restore AEM from a backup in the following situations:
n To recover data after a hardware failure or other outage.
n To restore AEM to a known configuration state.

You can restore from a local backup or from a remote backup.

Caution
Restore AEM from AEM backups only. Do not try to restore an NSI backup on AEM. Also,
when you restore from a backup, any existing data is overwritten.


About backups
For information about the types of backups that AEM supports, see “About AEM Backups”
on page 339.

For information about the remote backup configuration, see “Configuring Remote Backup
Settings” on page 63.

AEM synchronizes configuration data with the AED and APS devices that it manages by
copying the data that is specific to a managed device to that device. When you back up
and restore AEM and its managed devices, you must follow certain guidelines to maintain
the data synchronization. See “How Restoring Backups Affects the AEM - Device
Synchronization” on page 93.

About session termination after a restart


At the end of the restoration process, AEM restarts. If you use SSH to access the CLI, then
your session terminates during the restart. If you want to view the entire restart session,
then you must access the CLI from a serial console.

About the RSA key


If you use RSA authentication to access the remote backup server, an RSA key is required.
Typically, you generate the RSA key when you configure the backup server settings on the
Backup Settings page (Settings > Backup).

The Backup Settings page contains options to generate the RSA key and download the
public RSA key. See “Configuring Remote Backup Settings” on page 63.

You can view the RSA key in the CLI: / services aem restore rsa

Restoring AEM from a remote backup


To use SCP to restore your system from a remote backup:
1. Log in to the CLI with your administrator user name and password.
2. To stop the AEM services, enter / services aem stop
3. Enter / services aem restore remote host_name port_number absolute_path
user_name {password password | rsa}
host_name = the host name of the remote backup server
port_number = the port number on the remote backup server (typically, 22)
absolute_path = the absolute path to the directory that contains the backup files
user_name = the user name with which to authenticate on the backup server
{password password | rsa} = To authenticate with a password, enter password,
followed by the password. To authenticate with an RSA key, enter rsa
4. Enter the number that corresponds to the action that you want to perform. Select
one of the following options:
n 1 — View the configuration that is stored in the backup.

n 2 — Restore the configuration and data.


n 3 — Restore the configuration and data, but keep the current IP settings.
5. To confirm your choice, enter y
6. To restart the system, enter y


The system restarts with the configuration restored and AEM running.
If you used SSH to access the CLI, then your session terminates.

Restoring from a local backup


To restore your system from a local backup:
1. To stop the AEM services, enter / services aem stop
2. Enter / services aem restore local
3. Enter the number that corresponds to the backup that you want to restore.
4. Enter the number that corresponds to the action that you want to perform. Select
one of the following options:
n 1 — View the configuration that is stored in the backup.

n 2 — Restore the configuration and data.


n 3 — Restore the configuration and data, but keep the current IP settings.
5. To confirm your choice, enter y
6. To restart the system, enter y
The system restarts with the configuration restored and AEM running.
If you used SSH to access the CLI, then your session terminates.



Section 26:
Installing, Upgrading, and Reinstalling
AEM

This section describes how to install, upgrade, and reinstall the AEM appliance and
software.

In this section
This section contains the following topics:

Installing AEM 344


Installing the License Keys for AEM 348
Upgrading the AEM Software 348
Reinstalling AEM 351

Installing AEM
Typically, you install AEM by following a quick installation script that prompts you to enter
the information that is required. The installation script instructions are in the AEM
Installation Guide.

If the installation script prompts, such as System hostname? [arbos], do not appear,
you can install AEM by typing a series of commands in the command line interface (CLI).
You can also use the CLI to configure options that are not in the script or to redo any of
the original configurations.

You can install AEM as a virtual machine on a VMware hypervisor. See the Virtual AEM
Installation Guide.


Installation task sequence


Perform the following tasks in sequence to install AEM by using the CLI without
installation script prompts.

Installing the AEM software

Task Description

1 Start the CLI.


Connect the serial console, turn on the appliance, and log in. See “Starting the
CLI” below.

2 Configure interfaces and services.


Specify IP address information for the management port, optional flow ports,
and the default gateway. Next, add services, such as HTTPS, PING, and SSH.
For each service, set the allowed address range for communications.
See “Configuring the interfaces and services” below.

3 Configure the system clock.


Specify IP address information for an optional Network Time Protocol (NTP)
server, and then set the system date and time.
See “Configuring the system clock” on the next page.

4 Configure the password and license.


Change the administrator password, enter the system name for the AEM
appliance, and then configure any optional DNS servers in your deployment.
Next, specify the AEM model and software license key.
See “Configure the password and licenses” on page 347.

5 Initialize the AEM database and start services.


Perform this task, and then commit configuration changes.
See “Initializing the AEM database and starting services” on page 347.

Starting the CLI


1. If you are using a serial console server, connect it to the serial port on the appliance.
2. Turn on the appliance. If an installation script starts, you can follow its prompts to
enter the information that is in this procedure.
3. At the login prompt, enter admin
4. At the password prompt, enter arbor
The CLI starts and the command prompt appears.

Configuring the interfaces and services


1. To configure the management port, enter ip interfaces ifconfig port
mgtPortAddr up
port = the management port to configure; in this case, mgt0
mgtPortAddr = the address of the management port


Tip
For information about the format for specifying the port address, use the CLI help.
Type the beginning of the command, and then type a question mark at that place in
the command. For example, type / ip interfaces mgt0 ?
2. Enter / ip route add default IP_address
IP_address = the IP address of the default gateway, for example, 192.0.2.1
3. To configure access to services, enter the following command for each of the services
that are listed below: / ip access add service { mgt0 | all} CIDR
service = one of the following services:
https = required for access to the AEM UI and for communication between AEM and
managed AED and APS devices
ping = optional for checking the communications between the appliances in
the deployment
ssh = optional but strongly recommended for administrative access to the
CLI
snmp = allows SNMP access to AEM
{mgt0 | all} = the name of the management interface on which to apply a service
exclusively, or to apply the rule to all of the interfaces
CIDR = the address range from which you want to allow communications to a
service, for example, 192.0.2.0/24
Caution
We strongly recommend that you do not use 0.0.0.0/0 or ::/0, because these address
ranges allow unrestricted access to a service. To restrict access, specify the
narrowest address range that you can.
4. Repeat the preceding step for each service that you want to add.
5. To save the configuration, enter / config write
Important
Do not skip this step.
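The caution above is easy to violate when you type a series of / ip access add commands by hand. The following Python script is an added example, not part of this guide or of the AEM software: it checks a planned set of (service, interface, CIDR) rules before you enter them, refuses the unrestricted ranges 0.0.0.0/0 and ::/0, and emits the exact CLI lines from step 3 followed by / config write. The service names and interface names are the ones listed in this step; the additional "widest acceptable prefix" ceiling (/16 for IPv4, /48 for IPv6) and the sample plan at the bottom are assumptions of this example, not rules from the guide, and you should set the ceiling to match your own network.

```python
import ipaddress

# Services the guide lists for "/ ip access add".
KNOWN_SERVICES = {"https", "ping", "ssh", "snmp"}

# The unrestricted ranges the guide warns against.
UNRESTRICTED = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

# Assumed local policy, not from the guide: the widest prefix this example accepts per
# address family (anything shorter than /16 for IPv4 or /48 for IPv6 is rejected).
MIN_PREFIXLEN = {4: 16, 6: 48}


def check_access_rule(service, iface, cidr):
    """Validate one (service, interface, CIDR) triple. Returns (ok, reason)."""
    if service not in KNOWN_SERVICES:
        return False, f"unknown service {service!r}"
    if iface not in ("mgt0", "all"):
        return False, f"interface must be mgt0 or all, not {iface!r}"
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError as exc:
        return False, f"bad CIDR {cidr!r}: {exc}"
    if net in UNRESTRICTED:
        return False, f"{cidr} allows unrestricted access to {service}"
    if net.prefixlen < MIN_PREFIXLEN[net.version]:
        return False, f"{cidr} is broader than local policy allows for {service}"
    return True, ""


def build_access_commands(rules):
    """Turn (service, iface, cidr) triples into the CLI lines from step 3.

    Returns (commands, rejected). Accepted rules become "/ ip access add ..." lines,
    followed by "/ config write" because the guide says never to skip that step.
    """
    commands, rejected = [], []
    for service, iface, cidr in rules:
        ok, reason = check_access_rule(service, iface, cidr)
        if ok:
            commands.append(f"/ ip access add {service} {iface} {cidr}")
        else:
            rejected.append((service, iface, cidr, reason))
    if commands:
        commands.append("/ config write")
    return commands, rejected


if __name__ == "__main__":
    # Constructed plan (assumption): a sensible HTTPS rule, a narrow SSH rule and two mistakes.
    plan = [
        ("https", "mgt0", "192.0.2.0/24"),
        ("ssh", "mgt0", "192.0.2.16/28"),
        ("ssh", "all", "0.0.0.0/0"),
        ("snmp", "mgt0", "10.0.0.0/8"),
    ]
    cmds, bad = build_access_commands(plan)
    print("\n".join(cmds))
    for item in bad:
        print("rejected:", *item)
```

Run it against your own plan and paste only the printed commands into the CLI; a rejected rule is reported with the reason so that you can narrow the range instead of opening the service to everyone.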

Configuring the system clock


1. (Optional) To configure an NTP server, enter / services ntp server add IP_address
IP_address = the IP address of your NTP server
2. To set the system clock, enter / clock set MMDDhhmmCCYY.ss
MM = the month of the year as a two-digit integer between 01 and 12
DD = the day of the month as a two-digit integer between 01 and 31
hh = the hour of the day as a two-digit integer from 00 to 23
mm = the minute of the hour as a two-digit integer from 00 to 59
CC = (Optional) the century as a two-digit integer
YY = (Optional) the year as a two-digit integer
ss = (Optional) the seconds as a two-digit integer between 00 and 59


Configure the password and licenses


1. (Optional) At this point, you can log in to AEM over SSH to complete the configuration,
if you configured the SSH service above.
2. To change the administrator password, follow these steps:
a. Enter / services aaa local password admin interactive
b. At the prompts, enter the new password.
After the installation, you can add more users from the UI.
3. To identify the AEM, enter / system name set system_name
system_name = The unique name that identifies this AEM appliance on the
network. The system name must meet the following requirements:
n It starts with a letter and ends with a letter or number.
n It contains any combination of letters, numbers, and hyphens.
n It does not contain underscores or spaces.
n If it is a simple host name, then it contains no more than 63 characters
and does not contain a period.
n If it is an FQDN, then it contains periods with no more than 63 characters
between each period, and no more than 253 characters in total.
n The case matches all instances in which the system name appears. We
recommend lowercase letters.
4. (Optional but strongly recommended for full functionality in the UI) To configure a
DNS server, enter / services dns server add IP_address
IP_address = the IP address of the DNS server
5. (Optional) Repeat the preceding step to specify additional DNS servers.
6. Configure the SSH host keys in one of the following ways:
n To have AEM generate the SSH host key files, enter / services ssh key generate
n To import a file that contains the SSH host keys, enter / services ssh key host set disk:fileName
fileName = the name of the file that contains the SSH host keys
7. Enter / services ssh start
8. Enter / system license set Pravail "APS-CONSOLE" license_key
license_key = your AEM license key
Important
This command is case sensitive. Type the model and license key exactly as they
appear on the product label or in your license key email, including any spaces and
punctuation.
9. To set the shared secret, enter / services aem secret set string
string = A word or phrase to authenticate internal communication. The same
secret must be configured on every device that AEM manages.
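The system name rules in step 3 are the kind of thing that is easy to get wrong at a serial console and tedious to correct afterwards. The following Python function is an added example, not part of this guide or of the AEM software: it checks a candidate value for / system name set against every rule listed in step 3 (leading letter, trailing letter or digit, only letters, digits and hyphens, no underscores or spaces, 63-character limit for a simple host name and per label, 253-character limit for an FQDN) and reports uppercase letters as a warning rather than an error, because the guide only recommends lowercase. Treating an empty label (two consecutive periods or a trailing period) as invalid is an assumption of this example that goes slightly beyond the text.

```python
import re

# Characters the guide permits inside a name or label: letters, digits and hyphens.
ALLOWED = re.compile(r"^[A-Za-z0-9-]+$")


def validate_system_name(name):
    """Check a candidate value for "/ system name set" against the guide's rules.

    Returns (ok, problems, warnings). problems is empty when the name is acceptable;
    warnings carries advice (uppercase letters) that does not make the name invalid.
    """
    problems, warnings = [], []
    if not name:
        return False, ["name is empty"], warnings
    if "_" in name or any(c.isspace() for c in name):
        problems.append("underscores and spaces are not allowed")
    if not name[0].isalpha():
        problems.append("must start with a letter")
    if not name[-1].isalnum():
        problems.append("must end with a letter or number")
    if "." in name:                                   # FQDN form
        if len(name) > 253:
            problems.append("FQDN is longer than 253 characters")
        for label in name.split("."):
            if not label:
                # Assumption: an empty label ("..", or a trailing period) is invalid.
                problems.append("empty label between periods")
            elif len(label) > 63:
                problems.append(f"label starting {label[:10]!r} is longer than 63 characters")
            elif not ALLOWED.match(label):
                problems.append(f"label {label!r} contains characters other than "
                                "letters, digits and hyphens")
    else:                                             # simple host name form
        if len(name) > 63:
            problems.append("simple host name is longer than 63 characters")
        if not ALLOWED.match(name):
            problems.append("contains characters other than letters, digits and hyphens")
    if name != name.lower():
        warnings.append("uppercase letters are allowed, but lowercase is recommended; "
                        "use the same case everywhere the system name appears")
    return not problems, problems, warnings


if __name__ == "__main__":
    # Constructed candidates (assumption): one good name, one FQDN, three mistakes.
    for candidate in ["aem-01", "aem-01.example.com", "1aem", "aem_01", "AEM-01"]:
        ok, problems, warnings = validate_system_name(candidate)
        print(candidate, "OK" if ok else "REJECTED", problems, warnings)
```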

Initializing the AEM database and starting services


1. To initialize the AEM database, enter / services aem database initialize
2. To start the AEM services, enter / services aem start


3. To save the configuration and log out of the CLI, enter the following commands, one
at a time:
/ config write
/ exit

Installing the License Keys for AEM


You install the license key for the AEM software during the initial AEM installation and
configuration. You also must install or replace the license keys if you upgrade your AEM
license to a different model.

You install the AEM license key through the command line interface (CLI).

Installing the license keys during a new AEM installation or reinstallation


The license key installation is part of the procedures for installing and reinstalling the
AEM software.
n The procedure for a new AEM installation is in the AEM Installation Guide and in
“Installing AEM” on page 344.
n The procedure for an AEM reinstallation is in “Reinstalling AEM” on page 351.

If you do not have your original Installation Guide, you can download one from the Arbor
Technical Assistance Center (ATAC) or contact your reseller.

Replacing an existing AEM license key with a new AEM license key
When you replace an existing AEM license key with a new AEM license key, you do not
need to remove the original license key.
To install a new license key on an existing AEM installation:
1. Log in to the CLI with your administrator user name and password.
2. To stop the AEM services, enter / services aem stop
3. Enter / system license set Pravail "APS-CONSOLE" license_key
license_key = your AEM license key
Important
This command is case sensitive. Type the model and license key exactly as they
appear on the product label or in your license key email, including any spaces and
punctuation.
4. To verify that you installed the license key successfully, view the current model and
license by entering / system license show
5. To start the AEM services, enter / services aem start

Upgrading the AEM Software


Use this procedure to upgrade the AEM software on an appliance or virtual machine. You
perform an AEM upgrade from the CLI.


Important
Do not use the procedures below to upgrade an AEM that runs as a virtual machine on a
single appliance (AEM models 7000 and 8000). That configuration was used in AEM
versions 6.6.0 through 6.9.0.0. In such cases, see the Arbor Enterprise Manager Upgrade
Guide for version 7.0.0.0.

Before you begin an AEM upgrade, review the current release notes for any additional
preparations or steps that might be required for that upgrade. For example, before you
upgrade vAEM, you might need to upgrade the virtual machine configuration.

Downloading the upgrade package files


If you cannot access the files as described below, then contact your account
representative.

To download the upgrade packages for AEM:


1. Go to https://my.netscout.com and log in with your user name and password.
2. On the my.NETSCOUT home page, click LICENSING & DOWNLOADS on the top menu.
3. On the LICENSING & DOWNLOADS page, in the Security list, click Arbor Enterprise
Manager.
4. At the top of the Arbor Enterprise Manager page, select the AEM version.
5. Scroll down the page, select Software Downloads, and then click Arbor Enterprise
Manager.
6. On the Product Information page, on the General Availability tab, click the link for the
appropriate AEM version.
7. In the list of files on the Product Download page, click the links to download the
following files:
n The ArbOS upgrade package (arbos-x.x.x.x-XXXX-x86_64). ArbOS is the
operating system for AEM.
n The AEM upgrade package (Arbor-Enterprise-Manager-x.x.x.x-XXXX-x86_64).

x.x.x.x = the product version number

XXXX = the product build number


8. Copy the files to a location that the AEM device can access.

9. Make a note of the upgrade file names because you will need them during the
upgrade procedure.

Uploading the upgrade package files to the device


To upload the upgrade package files to the AEM device:
1. Log in to the AEM UI with your administrator user name and password.
2. Select Settings > Files.
3. On the Files page, in the Show files on list, select the name of the device to upgrade.
(Typically, the list shows the device that you are logged in to.)
The table in the File Listings section shows the files that are stored on the selected
device.
4. On the right side of the Files page, under the storage capacity pie chart, check the Free
space value before you continue. The free space must be greater than the sum of the
upgrade package file sizes.
If the device does not have enough free space, clear off any unnecessary data until
there is enough free space for the files, and then continue.
5. Upload the upgrade package files to the AEM. For each package file, complete the
following steps:
a. In the lower right corner of the table, click Upload.
b. In the Upload File window, click Choose File.
c. In the Open window, choose the upgrade package file to upload and then click
Open.
d. In the Upload File window, click Upload.
e. If the Audit Trail window appears, then type a message for the audit trail or accept
your default message, if any.
6. Verify that the new upgrade package files appear in the list of files.
7. Log out of the UI.

Installing the AEM upgrade


To install the upgrade on the AEM device:
1. Log in to the CLI with your administrator user name and password.
2. To stop the AEM services, enter one of the following commands:
/ services aem stop — On AEM version 6.9.0.0 or later
/ services aps-console stop — On an AEM version that is earlier than 6.9.0.0
3. To save the configuration, enter / config write
4. To view the AEM package that is currently installed on the device, enter / system files show
Make a note of the AEM package name.
Note
Be sure to copy the AEM package name because it differs from the file name. The
file name typically contains the version number and the build number.
5. To uninstall the existing AEM software, enter / system files uninstall old_package_name
old_package_name = the name of the AEM software package to uninstall, which
you noted above
6. To show the installed packages again, enter / system files show
Verify that the AEM software package that you uninstalled does not appear.
7. To install the operating system upgrade, enter / system files install disk:arbos_file_name
arbos_file_name = The name of the ArbOS upgrade file that you uploaded to
AEM
The following message appears:
Extracting package...done.
Changes to ArbOS will take effect after the next reload.
8. Restart AEM as follows:
a. Enter reload, and then enter y at the confirmation prompt.
b. After AEM restarts, log in again with your administrator user name and password.


9. To verify that the ArbOS upgrade was installed, enter / system files show
The new version of the ArbOS package should appear.
10. To install the AEM upgrade, enter
/ system files install disk:aem_file_name
aem_file_name = the name of the AEM upgrade file that you uploaded to AEM
11. To verify that the AEM upgrade was installed, enter / system files show
The new versions of the ArbOS package and the AEM package should appear.
12. Restart AEM as follows:
a. Enter reload, and then enter y at the confirmation prompt.
b. After AEM restarts, log in again with your administrator user name and password.
13. To start the AEM services, enter / services aem start
14. To save the configuration, enter / config write
15. To log out of the CLI, enter exit
16. After the upgrade is finished, restart your browser and clear the cache.

Reinstalling AEM
Use the following procedure to reinstall the AEM software.

Caution
Reinstalling the AEM software erases all data from the system and returns it to its
factory state. Reinstall the software only in an emergency situation and under the
direction of the Arbor Technical Assistance Center. See “Contacting the Arbor Technical
Assistance Center” on page 11.

Note
If you subscribe to the ATLAS Intelligence Feed (AIF), you must reinstall the AIF license
key during the AEM reinstallation.

Before you begin


Before you reinstall the software, see the checklists on your appliance’s Installation Guide
to verify that you have all of the information that you need.

What you need


To reinstall AEM, you need the following items:
n a computer to use as your configuration interface
n the most recent backup, which should be on your remote backup server
n the Installation Guide that came with your appliance
Note
You can download the Installation Guide for your appliance from the Arbor Technical
Assistance Center (https://my.netscout.com) or contact your reseller.


Reinstallation task sequence


Perform the following tasks in sequence to reinstall the AEM software.

Reinstalling on an appliance

Task  Description
1     If you do not have a current backup, create a full backup. You can create backups from the UI. See “About AEM Backups” on page 339.
2     Reinstall the software. See “Reinstalling the AEM software from on-board flash” below.
3     Configure the appliance settings. (These instructions are included in the Installation Guide that came with your appliance.)
4     Restore the backup data. See “Restoring AEM from a Backup” on page 341.

Reinstalling the AEM software from on-board flash


To reinstall the AEM software from on-board flash memory:
1. Choose one of the following methods to connect the appliance to initiate recovery:
n Connect a VGA monitor and keyboard to the appropriate ports on the back of the
appliance.
n Connect a serial cable from the serial console to the appliance.
2. Restart the appliance as follows:
Note
If AEM is unresponsive, restart it by turning the power off and then turning it on.
a. Log in to the CLI with your administrator user name and password.
b. To stop the AEM services, enter / services aem stop
c. Enter reload
d. At the prompt You are about to reboot the system. Do you wish to
proceed? enter y
3. When the Press any key to continue prompt appears, press a key within five
seconds.
Important
If the system continues before you can press a key, turn off the appliance and start
over.
4. At the GRUB menu, press the up arrow key or down arrow key to stop the 10-second
countdown.
Important
If the system continues before you can stop the countdown, turn off the appliance
and start over.
5. Depending on how you connected to the appliance, select one of the following
options on the GRUB menu:


n (re)install from on-board flash (serial console)


n (re)install from on-board flash (VGA)
6. Enter y in response to the following prompt:
Do you want to begin the install process?
This will remove all current data and configuration
The installation initializes the system, installs the software, and builds the databases.
These processes take some time.
7. After the appliance restarts, continue the configuration by following the procedure in
the AEM Installation Guide or in “Installing AEM” on page 344.



Appendixes
Appendix A:
AEM Communication Ports

This section describes the ports that AEM uses to forward and receive data.

In this section
This section contains the following topics:

AEM Communication Ports 355

AEM Communication Ports


AEM uses specific ports for each of the services that it allows.

Note
If you have firewalls between your appliances, you must open the ports used by AEM on
the firewall to ensure that your appliances can forward and receive data.

The following table shows the ports that you can enable for AEM. In the table, “managed
device” refers to both AED and APS.

AEM communication ports

Service                 Port/Protocol  Direction                                  Feature or function
HTTPS                   443/TCP        browser to AEM                             Operation/administration
                                       managed device to AEM                      Configuration transfer
                                       AEM to AIF server                          ATLAS Intelligence Feed (AIF)
HTTP                    80/TCP         AEM to file server                         sys file https:// ...
NTP                     123/UDP        AEM to NTP server                          Timestamps
RADIUS authentication   1812/UDP       AEM to RADIUS server                       Administration of user authentication
RADIUS accounting       1813/UDP       AEM to RADIUS server                       Administration of user accounting
SMTP                    25/TCP         AEM to SMTP server                         System error reports, security reports, security notifications
SNMP traps              162/UDP        AEM to network management service          Security notifications
SNMP polls              161/UDP        network management service to AEM          AEM status
                                       network management service to AED or APS   Device status of APS or AED
SSH                     22/TCP         administrator to AEM, AED or APS           Configuration and advanced administration
SSH/SCP                 22/TCP         AEM to file server                         sys file copy scp://... and remote backups using SCP
TACACS                  49/TCP         AEM to TACACS server                       Administration of user authentication and accounting
SYSLOG                  514/UDP        AEM to syslog server                       Syslog messages



Appendix B:
Using FCAP Expressions

This section describes the FCAP (Flow Capture) fingerprint expression language that you
can use to match layer 3 traffic information. This expression language is an extended
version of the standard fingerprint expression language that is used by programs such as
tcpdump.

In this section
This section contains the following topics:

Available FCAP Expressions 357


FCAP Expression Reference 358
Logical Operators for Compound FCAP Expressions 363
FCAP Expressions that Indicate Direction 364
Examples of FCAP Expressions 365

Available FCAP Expressions


This topic lists the basic FCAP expressions that AEM supports, as well as the syntax
conventions that this documentation uses for these expressions.

Conventions for commands and expressions


The following table shows the syntax of commands and other types of user input. Do not
type the brackets, braces, or vertical bars that indicate options and variables.

Conventions for commands and user input

Convention             Description
Monospaced bold        Information that you must type exactly as shown.
Monospaced italics     A variable for which you must supply a value.
{ } (braces)           A set of choices for options or variables, one of which is required.
                       For example: {option1 | option2}.
[ ] (square brackets)  A set of choices for options or variables, all of which are optional.
                       For example: [variable1 | variable2].
| (vertical bar)       Separates the mutually exclusive options or variables.


Basic FCAP expressions


These expressions are case insensitive. For example, both src and SRC are valid.

Available FCAP expressions

Expression                                                         Reference
[src | dst] [net | host] addr                                      "Matching networks and hosts" on the next page
[protocol | proto] protocol-name                                   "Matching protocols" on page 360
{protocol | proto} number
{tflags | tcpflags} flags/flag-mask                                "Matching TCP flags" on page 360
[src | dst] port {port-name | number} [..{port-name | number}]     "Matching ports" on page 361
bytes number [..number]                                            "Matching IP length" on page 361
icmptype {icmptype | number}                                       "Matching ICMP messages" on page 361
icmpcode code
tos number                                                         "Matching the Type of Service" on page 363
                                                                   Note: this expression is for IPv4 traffic only.
ttl number                                                         "Matching the Time to Live" on page 363
                                                                   Note: this expression is for IPv4 traffic only.
frag                                                               "Matching fragments" on page 363
                                                                   Note: this expression is for IPv4 traffic only.

FCAP Expression Reference


This topic describes how to use the FCAP expressions. For additional information, see the
following topics.
- basic expressions — See "Basic FCAP expressions" above.
- the operators AND, OR, NOT, and () — See "Logical Operators for Compound FCAP
Expressions" on page 363.
- expressions that indicate direction — See "FCAP Expressions that Indicate Direction" on
page 364.
- examples — See "Examples of FCAP Expressions" on page 365.

Note
Unless otherwise noted, FCAP expressions are supported for IPv4 traffic and IPv6 traffic.


Comments in FCAP expressions


To add a comment to an FCAP expression, type the number sign (#) at the beginning of
the line of text.

Any line that begins with # is considered a comment and is not evaluated as part of the
FCAP expression.

Numbers in FCAP expressions


In expressions that contain a number, you can type the number in decimal notation or
hexadecimal notation. For example, the following expressions are equivalent:
tos 255

tos 0XFF

Action expressions that drop or pass traffic


Use the FCAP action expressions to either drop traffic or pass traffic without further
inspection. To specify which action to perform, precede the FCAP expressions with one of
the following expressions:
pass

drop

The action expression is optional. If you do not specify one, then a drop action is used.

Matching networks and hosts


Use the following expression to match a network or a host:
[src | dst] [net | host] addr

To match a network or host, specify its IP address. You can use CIDR notation (IP/number)
to specify a network. For example:
net 192.0.2.0/24

host 192.0.2.1

If you specify an address without a netmask or without the expression net or host, then
the address is assumed to be a host.

If you do not specify a direction, then both the source and the destination are evaluated.
See “FCAP Expressions that Indicate Direction” on page 364.

Additional examples of expressions for matching hosts or networks

Item to match                                                        Expression
any source or destination that is part of the network 192.0.2.0/24   Either of the following expressions:
                                                                     net 192.0.2.0/24
                                                                     src net 192.0.2.0/24 or dst net 192.0.2.0/24
any source that is part of the network 198.51.100.0/24               src net 198.51.100.0/24


Matching protocols
Use the following expressions to match a protocol:
[protocol | proto] protocol-name

{protocol | proto} number

To match a protocol, specify its name or number. If you specify the protocol by name,
then you can omit the expression protocol. For example:
protocol tcp

tcp

proto 6

Matching TCP flags


Use the following expression to match a packet’s TCP flags:
{tflags | tcpflags} flags/flag-mask
flags = the flag or flags that must be set for the expression to match
flag-mask = the flag or flags to examine

For example, tflags FSA/FSA matches all of the traffic whose SYN, ACK, and FIN flags are
set.

For the flag fields, you can specify any combination of the following TCP flags:
- F — FIN
- S — SYN
- R — RST (reset)
- P — PSH (push)
- A — ACK
- U — URG (urgent)
- E — ECE (ECN-Echo)
- W — CWR (Congestion Window Reduced)

Do not separate multiple flags with any characters, including spaces or commas.

Additional examples of expressions for matching TCP flags

Item to match                                              Expression
packets that contain the SYN flag                          Either of the following expressions:
                                                           tflags S/S
                                                           proto tcp and (tflags S/S)
all of the TCP SYN traffic that is not SYN-ACK             Either of the following expressions:
                                                           proto tcp and (tflags S/SA)
                                                           proto tcp and (tflags S/S) and !(tflags SA/SA)
all of the traffic for which the A bit is set,             tflags A/FA
but the F bit is not set


Matching ports
Use the following expression to match ports:
[src | dst] port {port-name | number} [ .. {port-name | number} ]

To match a port, specify its name or number. For example:


port http

port 22

To match a range of port numbers, separate the first number and the last number with
two periods. For example:
port 0..1024

If you do not specify the source or the destination, then both the source and the
destination are evaluated. See “FCAP Expressions that Indicate Direction” on page 364.

Additional examples of expressions for matching ports

Item to match                                              Expression
IP address 192.0.2.1, port 22                              host 192.0.2.1 port 22
any traffic with a destination IP address of 192.0.2.1     dst host 192.0.2.1 and (dst port 22 or dst port http)
and a destination port of either 22 or 80

Matching IP length
Use the following expression to match a packet’s IP length: bytes number [..number]
Specify the IP length as a number of bytes. For example: bytes 100

To match a range of bytes, separate the first number and the last number with two
periods. For example: bytes 100..102

Matching ICMP messages


Use the following expressions to match an ICMP message by specifying its type:
icmptype {name | number}
icmpcode code

For example, to match ICMPv4 echo request traffic by type, you can use either of the
following expressions:
icmptype icmp-echo

icmptype 8

Note
ICMPv4 and ICMPv6 message types are supported. However, for ICMPv6, you can specify
message type numbers only. You cannot use message type names for ICMPv6.


The ICMP code is a subtype of a given type. For example, the following expressions match
the ICMP control message type "Destination Unreachable", and the subtype of "Host
Unreachable" (ICMPv4) or "address unreachable" (ICMPv6):
- ICMPv4: icmptype icmp-unreach and icmpcode 1
- ICMPv6: icmptype 1 and icmpcode 3

The table below lists some common ICMPv4 message types.

ICMPv4 message types

ICMP type number   ICMP type name        Description
0                  icmp-echoreply        Echo Reply
3                  icmp-unreach          Destination Unreachable
4                  icmp-sourcequench     Source Quench
5                  icmp-redirect         Redirect
8                  icmp-echo             Echo Request
9                  icmp-routeradvert     Router Advertisement
10                 icmp-routersolicit    Router Solicitation
11                 icmp-timxceed         Time Exceeded
12                 icmp-paramprob        Parameter Problem
13                 icmp-tstamp           Timestamp
14                 icmp-tstampreply      Timestamp Reply
15                 icmp-ireq             Information Request
16                 icmp-ireqreply        Information Reply
17                 icmp-maskreq          Address Mask Request
18                 icmp-maskreply        Address Mask Reply

For a complete list of the ICMPv4 message types and codes, refer to an IPv4 reference or
go to the following URL: http://www.iana.org/assignments/icmp-parameters/icmp-
parameters.xhtml

For a complete list of the ICMPv6 message types and codes, refer to an IPv6 reference or
go to the following URL: http://www.iana.org/assignments/icmpv6-parameters/icmpv6-
parameters.xhtml


Matching the Type of Service

Note
This expression is for IPv4 traffic only. You cannot filter by the IPv6 header field Traffic
Class.

Use the following expression to match the Type of Service (TOS):
tos number

Specify the eight-bit TOS field as a number from 0 to 255. For example:
tos 255

tos 0XFF

Matching the Time to Live

Note
This expression is for IPv4 traffic only. You cannot filter by the IPv6 header field Hop
Limit.

Use the following expression to match the Time to Live (TTL) value:
ttl number

Specify the eight-bit TTL field as a number from 0 to 255. For example:
ttl 6

Matching fragments

Note
This expression is for IPv4 traffic only.

Use the following expression to match IP fragments:
frag

Logical Operators for Compound FCAP Expressions


You can create compound FCAP expressions by using logical operators to join
expressions.

For more information about using FCAP expressions, see the following topics:
- "FCAP Expression Reference" on page 358
- "FCAP Expressions that Indicate Direction" on the next page
- "Available FCAP Expressions" on page 357
- "Examples of FCAP Expressions" on page 365

Operators for joining expressions


To join FCAP expressions, use the following operators:
- parentheses ( ) — establishes precedence for complex expressions
- NOT — negates an expression (negation)
For example, not port 33 matches all of the ports except port 33. You also can use an
exclamation mark (!) instead of not.


- OR — joins expressions where any can be true (alternation)
For example, dst port 22 or dst port 25 or dst port 80 matches all of the
traffic that is destined for any one of these three ports.
- AND — joins expressions where both are true (concatenation)
For example, dst host 192.0.2.1 and dst port 22 matches all of the traffic that is
destined for port 22 on the host 192.0.2.1.

Order of evaluation for compound expressions


AEM evaluates expressions in the following order:
1. Expressions in parentheses. If you use a combination of adjacent objects with AND
and OR operators, then use parentheses to indicate the explicit order.
2. NOT expressions.
3. OR and AND expressions, which have equal precedence and are evaluated from left to
right.

For example, the following expressions are equivalent:


not tcp port 3128 and tcp port 23
(not tcp port 3128) and tcp port 23

Omitting the operators and parentheses can produce unexpected results. For example, to
block all TCP traffic on port 80 or port 443, you might type the following expression:
tcp port 80 or tcp port 443

However, this expression does not do what you intend because the order of operations
interprets it as follows:
tcp and (port 80 or tcp) and (port 443)

Because (port 80 or tcp) is true for every TCP packet, this reduces to tcp and port 443:
TCP traffic on port 443 is matched and dropped, but TCP traffic on port 80 is not matched
at all.

Instead, you should use one of the following expressions:
tcp (port 80 or port 443)
(tcp port 80) or (tcp port 443)

FCAP Expressions that Indicate Direction


The direction expressions indicate whether a network, host, or port represents the source
or the destination.

In an FCAP expression, the direction refers to the source or destination section of the
packets that are evaluated.

For information about how to use FCAP expressions, see “FCAP Expression Reference” on
page 358.

Indicating direction
The following expressions indicate direction:

src — source

dst — destination

For example:
src host 192.0.2.1


dst port 33

Default direction
If you do not specify a direction, then both the source and the destination are evaluated.
For example, the following expressions are equivalent:
host 192.0.2.1

(src host 192.0.2.1) or (dst host 192.0.2.1)

Examples of FCAP Expressions


To help further your understanding of FCAP expressions, this topic provides examples of
expressions and shows how AEM interprets them.

In particular, observe how AEM interprets expressions when you omit certain
components. For example, you can omit the direction and the drop or pass action. You
can also omit the logical operators, although doing so can produce unexpected results.

For more information about FCAP expressions, see “FCAP Expression Reference” on
page 358.

Examples
The following examples show how AEM interprets FCAP expressions and how it makes
assumptions about any information that is omitted from the typed expressions.

Note
AEM interprets FCAP expressions that use IPv6 addresses in the same way that it
interprets FCAP expressions that use IPv4 addresses.

FCAP expressions and how they are interpreted

Expression                          Interpretation
host 192.0.2.1 203.0.113.1          drop src host 192.0.2.1 or dst host 203.0.113.1

protocol tcp                        drop proto 6
tcp

tflags saf/saf                      drop tflags FSA/FSA
                                    You do not have to type the flags in any particular order; the
                                    system orders them for you.

port 33                             drop src port 33 or dst port 33

not port 33                         drop (src port 0..32 or src port 34..65535) and
                                    (dst port 0..32 or dst port 34..65535)

dst host 192.0.2.1 and port 22      drop dst host 192.0.2.1 and (src port 22 or dst port 22)

src 192.0.2.1 src 192.0.2.9         drop (src net 0.0.0.0/0)
                                    The system assumes that the two addresses are joined by an AND
                                    operator. However, because no packet can ever have two sources,
                                    the expression is interpreted as "drop everything."

src 192.0.2.4 or src 192.0.2.9      drop src host 192.0.2.4 or src host 192.0.2.9

src 192.0.2.1 dst 203.0.113.1       drop src host 192.0.2.1 and dst host 203.0.113.1
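The evaluator below is an added example and is not NETSCOUT code or the FCAP implementation inside AEM. It models the grammar and evaluation order this appendix documents (default drop action, an omitted src or dst meaning either direction, an address without net or host treated as a host, NOT binding tightest, explicit AND and OR at equal precedence from left to right, and terms written next to each other ANDed together at the lowest level) so that you can check what an expression matches against a constructed packet before you deploy it. Everything in it is assumed for illustration: the names FcapParser, decide and packet, the packet dictionary layout, and the small port, protocol and ICMP name tables; bytes and frag are left out. It also does not reproduce the two rows in the table above whose rendering the guide attributes to the product itself (the juxtaposed host pair, and two src hosts rendering as "drop everything"): under a literal AND, two different source hosts simply never match, which is equally not what the author meant.

```python
"""Evaluator for the FCAP grammar in Appendix B: an added example, not NETSCOUT code. It models the
documented rules: default drop, omitted src/dst means either direction, NOT binds tightest,
explicit AND/OR have equal precedence left to right, juxtaposed terms are ANDed at the lowest level."""
import ipaddress
import re

PORT_NAMES = {"http": 80, "https": 443, "ssh": 22, "smtp": 25}        # assumed subset
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "ipv6-icmp": 58}       # assumed subset
ICMP_NAMES = {"icmp-echoreply": 0, "icmp-unreach": 3, "icmp-echo": 8}  # from the guide's table
TCP_FLAGS = {"F": 1, "S": 2, "R": 4, "P": 8, "A": 16, "U": 32, "E": 64, "W": 128}
TOKEN = re.compile(r"\(|\)|!|[^\s()!]+")

def _flags(text):                     # "saf" and "FSA" name the same flag set
    return sum(TCP_FLAGS[c] for c in set(text.upper()))

def _value(text, names):              # table name, else decimal or 0x/0X hex number
    return names[text.lower()] if text.lower() in names else int(text, 0)

def _either(d, test, skey, dkey):     # no direction given: source OR destination
    keys = {"src": (skey,), "dst": (dkey,)}.get(d, (skey, dkey))
    return lambda p: any(test(p[k]) for k in keys)

class FcapParser:
    def __init__(self, text):
        self.toks, self.i = TOKEN.findall(text), 0

    def peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        action = self.take().lower() if self.peek() in ("pass", "drop") else "drop"
        fn = self.sequence()
        if self.peek() is not None:
            raise ValueError("unexpected token " + self.take())
        return action, fn

    def sequence(self):               # juxtaposed terms: implicit AND, lowest precedence
        items = []
        while self.peek() not in (None, ")"):
            items.append(self.chain())
        return lambda p: all(f(p) for f in items)

    def chain(self):                  # explicit and/or: equal precedence, left to right
        left = self.unary()
        while self.peek() in ("and", "or"):
            op, l, r = self.take().lower(), left, self.unary()
            left = (lambda p, l=l, r=r: l(p) and r(p)) if op == "and" else (lambda p, l=l, r=r: l(p) or r(p))
        return left

    def unary(self):
        if self.peek() in ("not", "!"):
            self.take()
            f = self.unary()
            return lambda p: not f(p)
        if self.peek() == "(":
            self.take()
            f = self.sequence()
            if self.take() != ")":
                raise ValueError("missing )")
            return f
        return self.primitive()

    def primitive(self):
        t, d = self.take().lower(), None
        if t in ("src", "dst"):
            d, t = t, self.take().lower()
        if t in ("net", "host"):
            t = self.take().lower()   # a bare address is treated as a host anyway
        if t in ("protocol", "proto"):
            n = _value(self.take(), PROTO_NAMES)
            return lambda p: p["proto"] == n
        if t in PROTO_NAMES:
            return lambda p: p["proto"] == PROTO_NAMES[t]
        if t in ("tflags", "tcpflags"):
            want, mask = (_flags(x) for x in self.take().split("/"))
            return lambda p: p["proto"] == 6 and (p["tflags"] & mask) == want
        if t == "port":               # "22", "http" or a range such as "0..1024"
            lo, _, hi = self.take().partition("..")
            lo, hi = _value(lo, PORT_NAMES), _value(hi or lo, PORT_NAMES)
            return _either(d, lambda v: lo <= v <= hi, "sport", "dport")
        if t in ("icmptype", "icmpcode", "tos", "ttl"):
            n = _value(self.take(), ICMP_NAMES if t == "icmptype" else {})
            return lambda p: p.get(t) == n
        net = ipaddress.ip_network(t, strict=False)   # "192.0.2.1" becomes a /32 host
        return _either(d, lambda a: ipaddress.ip_address(a) in net, "src", "dst")

def decide(expr, pkt):                # action ("drop"/"pass") applied to pkt, or None if no match
    text = " ".join(l for l in expr.splitlines() if not l.lstrip().startswith("#"))
    action, match = FcapParser(text).parse()
    return action if match(pkt) else None

def packet(src, dst, proto, sport=0, dport=0, tflags="", **fields):   # constructed sample packet
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "tflags": _flags(tflags), "tos": 0, "ttl": 64, **fields}
```

Calling decide("tcp port 80 or tcp port 443", packet("198.51.100.7", "192.0.2.1", 6, 40000, 80, "S")) returns None while the same call with destination port 443 returns "drop", which is the precedence trap from the previous topic made visible; decide("tcp (port 80 or port 443)", ...) returns "drop" for both packets. A ValueError on an unbalanced parenthesis is deliberate: an expression that does not parse should never be deployed as a filter.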



Appendix C: Notification Formats

This section provides examples of the notifications that AEM sends to the configured
destinations when it detects system alerts.

In this section
This section contains the following topics:

Email Notification Examples 367


Syslog Notification Examples 368

Email Notification Examples


The following examples show the different types of email notifications that AEM sends
when it detects system alerts.

Device down alert


The following example shows a device down alert:
Type: APS Device Down
URL: https://example01.com/summary/
APS Device: example01
Last seen: 22:05 23/03/15

Device up alert
The following example shows a device up alert:
Type: APS Device Up
URL: https://example01.com/summary/
APS Device: example01
Down since: 22:05 23/03/15
Downtime: 0h11m

Infrastructure alert
The following example shows an infrastructure alert:
Type: Infrastructure
URL: https://example-01/summary/
Message: Hardware device failure. Power Supply PS2: Presence detected,
Power Supply AC lost


Syslog Notification Examples


The following examples show the different types of syslog notifications that AEM sends
when it detects system alerts.

APS down alert

The following example shows a device down alert:
APS Down: my_device,URL: https://example01.com/summary/,Last seen: 22:05 23/03/15

APS up alert
The following example shows a device up alert:
APS Up: my_device,URL: https://example01.com/summary/,Last seen: 22:05 23/03/15,Downtime: 0h18m

Infrastructure alert
The following example shows an infrastructure alert:
Infrastructure: Your cert will expire in 1 day,URL: https://example01.com/summary/
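The parser below is an added example, not NETSCOUT code, for anyone feeding these lines into a SIEM. It turns the three syslog notification shapes above into dictionaries, normalizing the "Last seen" and "Down since" timestamps (HH:MM DD/MM/YY in the examples) to ISO 8601 and the "Downtime" value to minutes, and it keeps a running set of devices that are down. The split happens only at commas that precede a known label, so a comma inside a message (as in the infrastructure email example) survives. The sample lines are this appendix's own examples rejoined onto one line each; the function and field names are this example's own. Because AEM sends these over 514/UDP (Appendix A), nothing authenticates the sender, so treat a lone "APS Up" or "APS Down" line as a prompt to poll the device (SNMP, also in Appendix A) rather than as proof of its state.

```python
"""Parser for the AEM syslog notification lines shown above: an added example, not NETSCOUT code.
Each line is "<Kind>: <subject>" followed by comma-separated "Label: value" pairs; the split
happens only at commas that precede a known label, so commas inside a message survive."""
import re
from datetime import datetime

LABELS = ("URL", "Last seen", "Down since", "Downtime", "Message")
KINDS = ("APS Down", "APS Up", "Infrastructure")
SPLIT = re.compile(r",(?=(?:%s): )" % "|".join(LABELS))
TIME_FORMAT = "%H:%M %d/%m/%y"          # matches "22:05 23/03/15" in the examples above

SAMPLE_LINES = [                        # the three examples from this appendix, one per line
    "APS Down: my_device,URL: https://example01.com/summary/,Last seen: 22:05 23/03/15",
    "APS Up: my_device,URL: https://example01.com/summary/,Last seen: 22:05 23/03/15,Downtime: 0h18m",
    "Infrastructure: Your cert will expire in 1 day,URL: https://example01.com/summary/",
]


def parse_notification(line):
    """Return a dict with kind, subject, url and normalized timestamp/downtime fields."""
    head, *pairs = SPLIT.split(line.strip())
    kind, sep, subject = head.partition(": ")
    if kind not in KINDS or not sep:
        raise ValueError("not an AEM notification: " + line)
    event = {"kind": kind, "subject": subject}
    for pair in pairs:
        label, _, value = pair.partition(": ")
        event[label.lower().replace(" ", "_")] = value
    for key in ("last_seen", "down_since"):          # "22:05 23/03/15" -> "2015-03-23T22:05:00"
        if key in event:
            event[key] = datetime.strptime(event[key], TIME_FORMAT).isoformat()
    if "downtime" in event:                          # "0h18m" -> 18
        hours, minutes = re.fullmatch(r"(\d+)h(\d+)m", event["downtime"]).groups()
        event["downtime_minutes"] = int(hours) * 60 + int(minutes)
    return event


def devices_down(lines):
    """Devices whose latest APS Down line has not yet been followed by an APS Up line."""
    down = set()
    for line in lines:
        event = parse_notification(line)
        if event["kind"] == "APS Down":
            down.add(event["subject"])
        elif event["kind"] == "APS Up":
            down.discard(event["subject"])
    return down


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_notification(line))
    print("still down:", devices_down(SAMPLE_LINES[:1]))
```

parse_notification raises on anything that is not one of the three kinds, so unrelated syslog traffic arriving on the same collector is rejected rather than silently mis-parsed.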



Glossary

A
AAA (Authentication, Authorization, & Accounting) — An acronym that describes the process of
authenticating the identity of users, authorizing their access to a system, and logging their behaviors.

ACL (Access Control List) — A list composed of rules and filters stored in a router to allow, deny, or
otherwise regulate network traffic based on network parameters such as IP addresses, protocol
types, and port numbers.

active mode — A state within the inline deployment modes, in which AED and APS mitigate attacks in
addition to monitoring traffic and detecting attacks.

address — A coded representation that uniquely identifies a particular network identity.

AIF (ATLAS Intelligence Feed) — A service that downloads real-time threat information from our Active
Threat Level Analysis System (ATLAS). This information is used to detect and block emerging
botnet attacks and application-layer attacks.

alert — A message informing the user that certain events, conditions, or errors in the system have
occurred.

allow list — A list of hosts whose traffic is passed without further inspection.

anomaly — An event or condition in the network that is identified as an abnormality when compared to a
predefined illegal traffic pattern.

API (Application Programming Interface) — A well-defined set of function calls providing high-level
controls for underlying services.

AED — A protection system that focuses on securing the internet data center edge from threats against
availability by analyzing and blocking malicious traffic.

AEM — A single user interface that allows for the central management of multiple AED devices and APS
devices, to more effectively monitor and respond to attacks across your network.

APS — A protection system that focuses on securing the internet data center edge from threats against
availability by analyzing and blocking malicious traffic.

Arbor Cloud DDoS Protection — A cloud-based DDoS mitigation service that scrubs the high-bandwidth,
volumetric attacks that are too large to mitigate at the data center’s premises.

ArbOS — NETSCOUT’s proprietary, embedded operating system.


ARP (Address Resolution Protocol) — A protocol for mapping an IP address to a physical machine
address.

ASCII (American Standard Code for Information Interchange) — A coded representation for standard
alphabetic, numeric, and punctuation characters, also referred to as “plain text”.

ATLAS (Active Threat Level Analysis System) — A globally scoped threat analysis network that analyzes
data from darknets and the core backbone of the internet to provide information to participating
customers about malware, exploits, phishing, and botnets.

authentication — An identity verification process.

B
black hole routing — A technique to route traffic to null interfaces that can never forward the traffic.

block — To prevent traffic from passing to the network, or to prevent a host from sending traffic. In AED
and APS, blocking occurs for a specific length of time, after which the traffic is allowed to pass
again.

bot — A program that runs automated tasks over the internet.

botnet — A set of compromised computers (bots) that respond to a controlling server to generate attack
traffic against a victim server.

bps — Bits per second.

Bps — Bytes per second.

C
CA (Certificate Authority) — A third party that issues digital certificates for use by other parties. CAs are
characteristic of many public key infrastructure (PKI) schemes.

CAR (Committed Access Rate) — A tool for managing bandwidth that provides the same control as ACL
with the additional property that traffic can be regulated based on bandwidth usage rates in bits
per second.

CDN (Content Delivery Network) — A collection of web servers that contain duplicated content and are
distributed across multiple locations to deliver content to users based on proximity.

cflowd — Developed to collect and analyze the information available from NetFlow. It allows the user to
store the information and enables several views of the data. It produces port matrices, AS
matrices, network matrices, and pure flow structures.

CIDR (Classless Inter-Domain Routing) — Method for classifying and grouping internet addresses.

CLI (command line interface) — A user interface that uses a command line, such as a terminal or
console (as opposed to a graphical user interface).

client — The component of client/server computing that uses a service offered by a server.

cloud — A metaphor for the internet.


Cloud Signaling — Cloud Signaling is the process of requesting and receiving cloud-based mitigation of
volumetric attacks in real time from an upstream service provider.

Cloud Signaling widget — A graphical element in the UI that allows the user to monitor the status of the
Cloud Signaling connection and mitigations in real time. It also allows the user to enable, activate,
and deactivate Cloud Signaling.

Common Event Format (CEF) — An open log management standard, which AED and APS can use to
format syslog notifications.

CSV (comma-separated values) file — A file that stores spreadsheet or database information in plain
text, with one record on each line, and each field within the record separated by a comma.

customer — An ISP, ASP, or enterprise user of AED, AEM, or APS.

customer edge — The location at the customer premises of the router that connects to the provider edge
of one or more service provider networks.

customer edge router — A router within a customer's network that is connected to an ISP's customer
peering edge.

D
Dark IP — Regions of the IP address space that are reserved or known to be unused.

data center — A centralized facility that houses computer systems and associated components, such as
telecommunications and storage systems, and is used for processing or transmitting data.

DDoS (Distributed Denial of Service) — An interruption of network availability typically caused by
many, distributed malicious sources.

deployment mode — Indicates how AED or APS is installed in the network: inline bridged, inline routed
(layer 3 traffic), or out-of-line through a span port or network tap (monitor).

deny list — A list of hosts whose traffic is blocked without further inspection.

DNS (Domain Name System) — A system that translates numeric IP addresses into meaningful, human-
consumable names and vice-versa.

DNS server — A server that uses the Domain Name System (DNS) to translate or resolve human-readable
domain names and hostnames into the machine-readable IP addresses.

DoS (Denial of Service) — An interruption of network availability typically caused by malicious sources.

E
edge — The outer perimeter of a network.

encryption — The process by which plain text is scrambled in such a way as to hide its content.

Ethernet — A series of technologies used for communication on local area networks.

exploit — Tools intended to take advantage of security holes or inherent flaws in the design of network
applications, devices, or infrastructures.


F
fail closed — The hardware bypass mode in which AED or APS disconnects the protection interfaces and
does not allow traffic to pass after a system failure occurs. The hardware bypass mode is set from
the CLI.

fail open — The hardware bypass mode in which AED or APS allows unmonitored network traffic to
bypass the protection interfaces after a system failure occurs. The hardware bypass mode is set
from CLI.

failover — A configuration of two devices so that if one device fails, the second device takes over the
duties of the first, ensuring continued service.

FCAP — A fingerprint expression language that describes and matches traffic information.

Fibre Channel — Gigabit-speed network technology primarily used for storage networking.

fidelity period — The maximum amount of time for which AED or APS saves data in the connection
database.

fingerprint — A pattern or profile of traffic that suggests or represents an attack. Also known as a
signature.

firewall — A security measure that monitors and controls the types of packets allowed in and out of a
network, based on a set of configured rules and filters.

FQDN (Fully Qualified Domain Name) — A complete domain name, including both the registered
domain name and any preceding node information.

FTP (File Transfer Protocol) — A TCP/IP protocol for transferring files across a network.

G
Gb — Gigabit.

GB — Gigabyte.

Gbps — Gigabits per second.

global protection level — Determines which protection settings are in use for an AED or APS.

GMT (Greenwich Mean Time) — A world time standard that is deprecated and replaced by UTC.

GRE (Generic Routing Encapsulation) — A protocol that is used to transport packets from one network
through another network.

GRE tunnel — A logical interface whose endpoints are the tunnel source address and tunnel destination
address.

H
handshake — The process or action that establishes communication between two telecommunications
devices.


header — The data that appears at the beginning of a packet to provide information about the file or the
transmission.

heartbeat — A periodic signal generated by hardware or software to indicate that it is still running.

host — A networked computer (client or server); in contrast to a router or switch.

HTTP (HyperText Transfer Protocol) — A protocol used to transfer or convey information on the World
Wide Web. Its original purpose was to provide a way to publish and retrieve HTML pages.

HTTPS (HyperText Transfer Protocol over SSL) — The combination of a normal HTTP interaction over
an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) transport mechanism.

I
ICMP (Internet Control Message Protocol) — An IP protocol that delivers error and control messages
between TCP/IP enabled network devices, for example, ping packets.

IMAP (Internet Message Access Protocol) — An application layer internet protocol that allows a local
client to access email on a remote server. (Also known as Internet Mail Access Protocol,
Interactive Mail Access Protocol, and Interim Mail Access Protocol.)

inactive mode — A state within an inline deployment mode, in which AED or APS analyzes traffic and
detects attacks without performing mitigations.

inline mode — A deployment mode in which AED or APS acts as a physical connection between two end
points. All of the traffic that traverses the network flows through AED or APS.

interface — An interconnection between routers, switches, or hosts.

IP (Internet Protocol) — A connectionless network layer protocol used for packet delivery between hosts
and devices on a TCP/IP network.

IP address — A unique identifier for a host or device on a TCP/IP network.

IPS (Intrusion Prevention System) — A computer security device that exercises access control to
protect computers from exploitation.

ISP (Internet Service Provider) — A business or organization that provides to consumers access to the
internet and related services.

K
Kbps — Kilobits per second.

L
LAN (Local Area Network) — A typically small network that is confined to a small geographic space.

Log Event Extended Format (LEEF) — An event format that AED or APS can use to format syslog
notifications.


M
MAC (Media Access Control) Address — A unique hardware number associated with a networking
device.

malformed — Refers to requests or packets that do not conform to the RFC standards for internet
protocol. Such requests or packets are often used in DoS attacks.

Mbps — Megabits per second.

MBps — Megabytes per second.

MIB (Management Information Base) — A database used by the SNMP protocol to manage devices in
a network. Your SNMP polling device uses this database to understand AED and APS SNMP traps.

mitigation — The process of using recommendations to apply policies to the network to reduce the
effects of an attack.

monitor mode — A deployment mode in which AED or APS is deployed out-of-line through a span port or
network tap. AED or APS monitors traffic and detects attacks but does not mitigate the attacks.

MPLS (Multiprotocol Label Switching) — A packet-switching protocol developed by the Internet
Engineering Task Force (IETF) initially to improve switching speeds, but other benefits are now
seen as being more important.

MSSP (Managed Security Service Provider) — An internet service provider (ISP) that provides an
organization with network security management.

multicast — Protocols that address multiple IP addresses with a single packet (as opposed to unicast and
broadcast protocols).

N
NetFlow — A technology that Cisco Systems, Inc. developed to allow routers and other network devices to
periodically export information about current network conditions and traffic volumes.

netmask — A dotted quad notation number that routers use to determine which part of the address is
the network address and which part is the host address.

network tap — A hardware device that sends a copy of network traffic to another attached device for
passive monitoring.

NIC (Network Interface Card) — A hardware component that maintains a network interface
connection.

notification — An email message, SNMP trap, or syslog message that is sent to specified destinations to
communicate certain alerts.

NTP (Network Time Protocol) — A protocol that synchronizes clock times in a network of computers.

NXDomain — A response that results when DNS cannot resolve a domain name.


O
outbound threat filter — A group of protection settings that block malicious outbound traffic.

out-of-band — Communication signals that occur outside of the channels that are normally used for
data.

P
packet — A unit of data transmitted across the network that includes control information along with
actual content.

password — A secret code used to gain access to a computer system.

payload — The data in a packet that follows the TCP and UDP header data.

PCAP (packet capture) file — A file that consists of data packets that have been sent over a network.

Perfect Forward Secrecy (PFS) — A property of a TLS key exchange that derives a fresh, ephemeral key
for each session, so that compromise of the server's long-term private key does not expose the traffic
of past sessions.

ping — An ICMP request to determine if a host is responsive.

policy — The set of rules that network operators determine to be acceptable or unacceptable for their
network.

POP (Post Office Protocol) — A TCP/IP email protocol for retrieving messages from a remote server.

PoP (Point of Presence) — A physical connection between telecommunications networks.

port — A field in TCP and UDP packet headers that corresponds to an application level service (for
example TCP port 80 corresponds to HTTP).

pps — Packets per second.

prefix — The initial part of a network address, which is used in address delegation and routing.

protection category — A group of related protection settings that detect a specific type of attack traffic.

protection group — A collection of one or more protected hosts that are associated with a specific type
of server.

protection level — Defines the strength of protection against a network attack and the associated
intrusiveness and risk of blocking clean traffic. The protection level can be set globally or for
specific protection groups.

protection mode — A state within an inline deployment mode, in which the mitigations are either active
or inactive.

protection settings — The criteria by which AED and APS define clean traffic and attack traffic.

protocol — A well-defined language used by networking entities to communicate with one another.


R
RADIUS (Remote Authentication Dial In User Service) — A client/server protocol that enables remote
access servers to communicate with a central server to authenticate dial-in users and authorize
their access to the requested system or service.

rate limit — The number of requests, packets, bits, or other measurement of data that a host is allowed
to send within a specified amount of time.

RDN (Registered Domain Name) — A domain name as registered, without any preceding node
information (for example, “example.net” instead of www.example.net).

real time — When systems respond or data is supplied as events happen.

redundancy — The duplication of devices, services, or connections so that, in the event of a failure, the
duplicate item can perform the work of the item that failed.

refinement — The process of continually gathering information about anomalous activity that is
observed on a network.

regular expression — A standard set of rules for matching a specified pattern in text. Often abbreviated
as regex or regexp.

report — An informational page that presents data about a traffic type or event.

route — A path that a packet takes through a network.

router — A device that connects one network to another. Packets are forwarded from one router to
another until they reach their ultimate destination.

S
secret key — A secret that is shared only between a sender and receiver of data.

server type — A class of servers that AED or APS protects and that is associated with one or more
protection groups.

shared secret — A word or phrase that AEM uses to authenticate the internal communication between
itself and the devices that it manages.

signature — A pattern or profile of traffic that suggests or represents an attack. Also known as a
fingerprint.

SIP (Session Initiation Protocol) — An IP network protocol that is used for VoIP (Voice Over IP)
telephony.

SMTP (Simple Mail Transfer Protocol) — The de facto standard protocol for email transmissions across
the internet.

SNMP (Simple Network Management Protocol) — A standard protocol that allows routers and other
network devices to export information about their routing tables and other state information.

span port — A designated port on a network switch onto which traffic from other ports is mirrored.


spoofing — A situation in which one person or program successfully masquerades as another by
falsifying data (usually an IP address) and thereby gains an illegitimate advantage.

SSH (Secure Shell) — A command line interface and protocol for securely accessing a remote computer.
SSH is also known as Secure Socket Shell.

SSL (Secure Sockets Layer) — A protocol for secure communications on the internet for such things as
web browsing, email, instant messaging, and other data transfers.

SSL certificate — A file that is installed on a secure web server to identify a web site and verify that the
web site is secure and reliable.

stacked graph — A graph in the product that displays multiple types of data in a color-coded stack.

STIX™ (Structured Threat Information eXpression) — A language that describes cyber threat
information in a standardized and structured manner.

syslog — A file that records certain events or all of the events that occur in a particular system. Also, a
service for logging data.

T
TACACS+ (Terminal Access Controller Access Control System +) — An authentication protocol
common to UNIX networks that allows a remote access server to forward a user’s login password
to an authentication server to determine whether that user is allowed to access a given system.

target — A victim host or network of a malicious denial of service (DoS) attack.

TAXII™ (Trusted Automated Exchange of Intelligence Information) — An application layer protocol
for the communication of cyber threat information in a simple and scalable manner.

TCP (Transmission Control Protocol) — A connection-based, transport protocol that provides reliable
delivery of packets across the internet.

TCP/IP — A suite of protocols that controls the delivery of messages across the internet.

throughput — The data transfer rate of a network or device.

TLS (Transport Layer Security) — An encryption protocol for the secure transmission of data over the
internet. TLS is based on, and has succeeded, SSL.

U
UDP (User Datagram Protocol) — An unreliable, connectionless communication protocol.

unblock — To remove a source or destination from the temporarily blocked list without adding it to the
allow list.

UNC (Universal Naming Convention) — A standard which originated from UNIX for identifying servers,
printers, and other resources in a network.

URI (Uniform Resource Identifier) — A protocol, login, host, port, path, etc. in a standard format used
to reference a network resource (for example, http://example.net/).


URL (Uniform Resource Locator) — Usually a synonym for URI.

UTC (Universal Time Coordinated) — The time zone at zero degrees longitude, which replaces GMT as
the world time standard.

V
vAED, vAPS — The virtual versions of AED and APS that are hardware-independent. vAED and vAPS
contain all of the software packages and configurations but do not require a physical appliance.

vAEM — The virtual version of AEM that is hardware-independent. vAEM contains all of the AEM software
packages and configurations but does not require a physical appliance.

VLAN (Virtual Local Area Network) — Hosts connected in an infrastructure that simulates a local area
network, when the hosts are remotely located, or to segment a physical local network into
smaller, virtual pieces.

VoIP (Voice over Internet Protocol) — Routing voice communications (such as phone calls) through an
IP network.

volumetric attack — A type of DDoS attack that is generally high bandwidth and that originates from a
large number of geographically distributed bots.

VPN (Virtual Private Network) — A private communications network that is often used within a
company, or by several companies or organizations, to communicate confidentially over a public
network using encrypted tunnels.

vulnerability — A security weakness that could potentially be exploited.

W
WAN (Wide Area Network) — A computer network that covers a broad area. (Also Wireless Area
Network, meaning a wireless network.)

UI (User Interface) — A web-based interface for using the product.

widget — A graphical element in a user interface that displays information about an application and
allows the user to interact with the application.

X
XML (eXtensible Markup Language) — A metalanguage written in Standard Generalized Markup
Language (SGML) that allows one to design a markup language for easy interchange of
documents on the World Wide Web.



Index

A
About window 22
active protection mode
    about 95
    for a protection group 96, 223
    for the outbound threat filter 96
Active Threat Level Analysis System
    See ATLAS 68
AEM
    build number 22
    data synchronization with managed devices 90
    initial requirements 16
    installing 344
    license 22, 348
    reinstalling 351
    upgrading software 348
aem-admin account for single sign-on 90
aem-user account for single sign-on 90
AEM - device synchronization
    effect of restoring backups 93
AIF (ATLAS Intelligence Feed)
    about 68
    components 68
    enabling updates 74
    proxy 75
    status 75
    threat policies 69
    traffic statistics 76
AIF updates
    configuring 74
    proxy server configuration 75
alert impact 297
alert notifications
    about 78
    email 79
    SNMP 79
    syslog 79
alerts
    about 288
    automation 289
    bandwidth 212
    blocked host, blocked traffic 289, 304
    botnet traffic alert 289
    category 288
    for system events 61
    ignoring 302
    impact 297
    removing from the Dashboard 302
    security 288, 293
    summary 298
    system 289, 298
    types 288-289
    viewing on the Dashboard 285
allow list
    about 167
    by protection group 168
    capacity 170
    global 168
allow list, inbound
    creating 180
    searching 181
    settings 180
    viewing 181
allow list, outbound
    creating 183
    searching 185
    settings 183
    viewing 185
Application Misbehavior settings 125
Arbor Technical Assistance Center, contacting 11
Arbor Threat Feed
    See ATLAS Intelligence Feed 68, 74
ArbOS, upgrading 348
ATAC, contacting 11
ATF
    See ATLAS Intelligence Feed 68
ATLAS confidence index
    about 70
    confidence value 70
ATLAS Intelligence Feed (AIF)
    about 68
    Also see AIF 68
    components 68
    proxy 75
    settings 125
    status 75
    threat categories 253
    threat policies 69
    traffic statistics 76


ATLAS threat categories
    about 69
    summary 252
ATLAS threat category
    viewing 253
Attack Analysis
    about 156
    detecting attacks with 158
    enable 159
    enabling or disabling 158
    protection recommendations, configuring 160
    protection recommendations, viewing 159
attack categories
    blocked traffic 192
    protection groups 192
    viewing 192
attack detection
    attack indicators 234
    source identification 239
attack mitigation 156, 230
Attacking Analysis
    view current state 158
attacks
    detecting with Attack Analysis 156
audit trail
    about 318
    configuring settings 60
    default change message 60
    enabling change messages 60
    entering change messages 319
    exporting to CSV 321
    exporting to syslog 61
    log 320
    recent entries 316
    summary 316
    syslog destination settings 61
    viewing 320
audit trail log
    viewing AIF updates 76
authentication
    about 28
    custom SSL certificate 65
    DNS 131
    method, setting 48
    RADIUS 51
    TACACS+ 53
authorization keys
    assigning 33
    by group 33
auto-refresh pages 21, 314
automation alerts 289

B
backup
    about 339
    configuration data 340
    configuring 63
    manual 340
    policy data 340
    recurring remote 63, 339
    restoring 93, 341
    scheduling 63
    settings 63
bandwidth alerts
    about 212
    baselines 213
    blocked host, blocked traffic 213
    botnet 213
    configuration 213
    expiration 214
    thresholds, about 213
    total traffic 213
baseline calculation 213
bind devices to AEM 86
Block Malformed DNS Traffic settings 128
Block Malformed SIP Traffic settings 129
blocked host
    alert 213, 289, 304
    in blocked hosts log 243
    total number 197
blocked hosts log
    about 242
    contents 246
    details 249
    page 242
    searching 244
    viewing 244
blocked traffic
    alert 213, 289, 304
    by URL 198
blocking traffic
    about 167
    by protection level 236
    over blocking, under blocking 115
botnet alert 213, 289
botnet attack
    preventing 129
Botnet Prevention settings 129
build number, AEM 22

C
capacity, deny list and allow list 170
capture packets 258
    alternative capture points 262


    capturing 259
    opening from other pages 262
    regular expressions 267
    saving PCAP 260
capture traffic profile
    about 110
    capturing data 112
    protection categories profiled 111
    results 114
    status 114
    stopping 113
    viewing data 114
    workflow 111
categories, protection 118
category, alerts 288
category, threat
    about 69
    summary 252
CDN and Proxy Support settings 131
central management from AEM
    configuring 86
    data synchronization 90
    disconnecting 88
centralized report
    description of 270
centralized reports
    about 269
    configuring 274
    deleting 279
    filtering the list of 278
    managing 276
    sorting the list of 278
    viewing results for 277
change messages in audit trail 319
CLI
    about 323
    accessing on managed device 88
    accessing on managed devices from AEM 315
    command hierarchy 329
    components 327
    compound commands 329
    connections 323
    editing commands 330
    entering commands 328
    help 325
    log in and log out 324
    saving configuration 329
    viewing status 331
command line interface
    about 323
    command hierarchy 329
    components 327
    compound commands 329
    connections 323
    editing 330
    entering commands 328
    help 325
    log in and log out 324
    saving configuration 329
    viewing status 331
command syntax 10, 357
comment in FCAP 359
components of AIF 68
confidence
    about 70
    confidence value 70
    configuring 127
    value 311
configuration and policy backup
    about 340
    creating 340
Configure Notifications page 83
connection limit, TCP 149
connection status
    ATLAS Intelligence Feed 75
context menu
    on System Alerts page 300
context menu icon
    opening the Blocked Hosts Log 244
    opening the Packet Capture page 262
conventions, typographic
    commands 10, 357
    in commands and expressions 327
countries traffic
    adding to the deny list 202
    unblocking 202
    viewing by protection group 201
custom logo 66
custom server type
    adding 106
    deleting 106
    duplicating 107
    maximum allowed 101, 107
    settings, configuring 108
customer support, contacting 11

D
dashboard
    active alerts 285
    device traffic 282
    ignoring alerts 302
    viewing network activity on 281
data recovery 341
data synchronization with AEM 90
debugging information 337
default
    logo 67


    protection group 207
deny list
    about 167
    by protection group 168
    capacity 170
    country 202
    domain 201, 266
    global 168
    IP address 265
    URL 199, 266
deny list, inbound
    creating 172, 177
    searching 174
    settings 172
    viewing 174
deny list, outbound
    searching 178
    settings 177
    viewing 178
destinations for notifications
    configuring 80
destinations for syslog notifications
    on managed devices 86
details
    attack categories 195, 197
    blocked hosts log 249
    captured packet 263
Device Console
    accessing managed device CLI 88, 315
devices
    binding to AEM 86
    configuring for AEM management 86
    disconnecting from AEM 88
    unbinding from AEM 88
devices, managed
    about AEM management 13
    accessing using Device Console 88
    aggregated data 274
    assigning to protection groups 227
    communications with AEM 14
    data synchronization with AEM 90
    local protection group settings 228
    log in from AEM 15
    total traffic 282
    traffic status 282
    unassigning a protection group from 228
    viewing traffic activity for 191
diagnostics package 337
DNS Authentication settings 131
DNS malformed 128
DNS NXDomain Rate Limiting settings 132
DNS Rate Limiting settings 133
DNS Regular Expression settings 134
documentation 9
domains
    adding to the deny list 201, 266
    unblocking 201
    viewing traffic for 199
download
    files 337
DSA key for backup restore 342

E
email notifications
    about 79
    configuring 81
    examples 367
ephemeral ports in Services view 204
error page 22
examples
    email notifications 367
    syslog notifications 368
expired password, TACACS+ 54
export UI page to PDF 21-22
export web UI page
    to PCAP file 260

F
FCAP expressions
    about 357
    comment line 359
    direction 364
    examples 365
    filter lists 161, 164
    joining 363
    master filter lists 163
    operators 363
    reference 358
    specifying direction 364
files
    deleting from an appliance 336
    downloading from an appliance 337
    Files page 334
    packet capture 260
    uploading to an appliance 336
    viewing 336
filter lists 164
    about 161
Flexible Rate-based Blocking Filter settings 134
flood attack
    ICMP 139
    spoofed SYN flood 146-147
    SYN flood detection 151
    TCP SYN flood detection 151
    UDP flood detection 155
Fragment Detection settings 136
fragmentation attack 136


G
general settings
    configuring 57
global allow list 168
global deny list 168
global protection level
    about 97
    changing 238
graph data
    about 23
    changing timeframe 24
    minigraph 24
    stacked 24
    unit of measure 24

H
help
    using 21
Help, CLI 325
histograms, traffic profile 114
hosts
    total number blocked 197
HTTP attack
    malformed 140
    slow 131
HTTP Blocked Locations category 194
HTTP header authentication
    about 54
    configuring 55
HTTP Header Regular Expressions settings 137
HTTP malformed attack
    protection settings 140
HTTP Rate Limiting settings 137
HTTP Reporting settings 138

I
ICMP Flood Detection settings 139
icons, tool bar 21
idle TCP attack 150
ignoring alerts 302
impact value, alerts 297
inactive protection mode
    about 95
    for a protection group 96, 223
    for the outbound threat filter 96
inbound allow list
    creating 180
    searching 181
    settings 180
    viewing 181
Inbound Allow Lists page 180
inbound deny list
    creating 172
    searching 174, 178
    settings 172
    viewing 174
Inbound Deny Lists page 172
inbound traffic
    viewing by type 189
installation, AEM 344
installed hardware information 22
installed software information 22
Invalid Packets category 194
IOCs
    enable STIX feeds 149
IP addresses
    denied 265
IP fragmentation attack 136
IP locations
    viewing traffic by protection group 201
IPv4 prefix matching in protection groups 211

L
license agreements 22
license key
    installing 348
limits
    custom protection groups 208
    custom server types 101
List Protection Groups page
    viewing 216
locking a user account 46
log
    audit trail 320
log in
    CLI 324
    from AEM 15
    UI 17
log out
    CLI 324
    UI 17
login attempts, configuring 46
logo
    default 67
logo, adding to UI 66

M
malformed DNS 128
Malformed HTTP Filtering settings 140
malformed SIP 129
managed devices
    about AEM management 13
    accessing using Device Console 88, 315
    aggregated data 274


    assigning to protection groups 227
    communications with AEM 14
    data synchronization with AEM 90
    deleting offline devices 99
    local protection group settings 228
    log in from AEM 15
    total traffic 282
    traffic status 282
    unassigning a protection group from 228
    viewing traffic activity for 191
manual backup
    about 340
    creating 340
master filter lists
    about 161
    configuring 163
menu bar 20
messages, password expiration 40
minigraph 24
mitigation
    about 230
    Attack Analysis 156
    by blocking source 239
    manual 236
    options 231
    when to mitigate manually 230
    workflow 236, 239
MITRE ATT&CK
    about 306
    in AIF 306
    in the Threats list 311
mode
    protection, see protection mode 95
monitoring traffic 232
Multicast Blocking settings 140

N
NAS identifier, configuring 52
navigation
    UI 20
network activity
    viewing on dashboard 281
notification
    SNMP 79
    syslog 79
notifications
    about 78
    configuring 80
    email 79, 81
    email examples 367
    SNMP 81
    syslog 82
    syslog examples 368
    viewing 83
notifications, blocked hosts
    about 304

O
offline device, deleting 99
operating system
    upgrading 348
outbound allow list
    creating 183
    searching 185
    settings 183
    viewing 185
Outbound Allow List page 183
outbound deny list
    creating 177
    settings 177
    viewing 178
Outbound Deny Lists page 177
outbound threat filter
    attack categories, viewing 192
    configuring 119, 121
    protection level 238
    protection mode 95-96

P
packet capture
    about 258
    adding domain, IP address, or URL to deny list 266
    alternative access points 262
    capturing packets 259
    clearing 260
    contents 263
    details 263
    file, exporting 260
    opening from other pages 262
    regular expressions 267
    saving PCAP 260
    uses 258
    viewing 263
Packet Capture page 263
packets
    evaluating and processing 162
page, UI
    emailing as PDF 21, 23
    export to PDF file 21-22
    printing 21, 23
password
    admin, changing 325
    changing 17
    changing in CLI 325
    choosing 31
    criteria 31


    expired, TACACS+ 54
    length, changing 40
    requirements 31
password requirements 38
    complexity 41
    expiration 39
    expiration warning messages 40
    length 40
    viewing 42
passwords
    complexity settings 41
    expiration settings 39
    expiration warning messages 40
    length settings 40
    requirements for 38
payload inspection, UDP 141
Payload Regular Expression settings
    about 141
    configuring from captured packets 267
PCAP export 260
PDF file
    emailing UI page 21, 23
    export UI page as 21-22
    exporting centralized report as 277
permanent allow list 167
permanent deny list 167
permissions
    assigning 33
    authorization keys 33
ping exploitation 139
policy and configuration backup 340
ports
    ephemeral 204
    used by AEM 355
prefix matching
    IPv4 211
    IPv6 211
prefix matching in protection groups 211
print a page 21, 23
Private Address Blocking settings 143
private IP address 143
profiling traffic
    about 110
    capturing data 112
    protection categories profiled 111
    results 114
    status 114
    stopping 113
    viewing data 114
    workflow 111
protected host
    about 209
protection categories
    about 118
    configuring from traffic profiles 114
protection group
    about 207-208
    add to allow list 168
    add to deny list 168
    adding 208, 221
    assigning devices to 227
    default 207
    deleting 222
    domain traffic 199
    editing 221
    prefix matching 211
    protection mode 95
    removing from a device 228
    searching for 216
    settings 223
    settings, configuring from traffic profiles 114
    settings, restoring 115
    top countries 201
    top protocols 203
    top services 204
    top URLs 198
    traffic summary 190
    viewing 215
    viewing traffic for 187
protection group protection level
    about 97
    changing 238
    changing from AEM 238
protection group protection mode
    setting 223
protection group settings
    original 229
    overriding 228
    revert to original 229
protection groups
    limits 208
protection level
    about 96
    changing 238
    changing from AEM 238
    for protection settings 97, 119
    global 97
    protection group level 97
    recommendations 99
    viewing 97
protection mode
    about 95
    active and inactive 95
    changing by protection group 96, 223
    changing for outbound threat filter 96
    changing from AEM 95
    outbound threat filter, about 95
    setting by protection group 223


protection recommendations
    configuring 160
    generated by Attack Analysis 156
    viewing 159
protection settings
    about 118
    AIF 125
    Application Misbehavior 125
    Block Malformed DNS 128
    Block Malformed SIP 129
    Botnet Prevention 129
    categories 118
    CDN and Proxy Support 131
    configuring 108
    configuring from traffic profiles 114
    DNS authentication 131
    DNS NXDomain Rate Limiting 132
    DNS Rate Limiting 133
    DNS Regular Expression 134
    Flexible Rate-based Blocking Filters 134
    Fragment Detection 136
    HTTP Header Regular Expressions 137
    HTTP Rate Limiting 137
    HTTP Reporting 138
    ICMP Flood Detection 139
    Malformed HTTP Filtering 140
    Payload Regular Expression 141
    protection level 97, 119
    Rate-based Blocking 144
    restoring defaults 115
    SIP Request Limiting 145
    Spoofed SYN Flood Prevention 146
    TCP Connection Limiting 149
    TCP Connection Reset 150
    TCP SYN Flood Detection 151
    TLS Attack Prevention 153
    Traffic Shaping 154
    UDP Flood Detection 155
    when to change 119
protocols, top 10 203
proxy server
    for AIF 75
proxy support settings 131
publications 9

R
RADIUS integration
    authentication method 48
    configuring 51
    default user group 51
    timeout period 52
    user group assignment 50
Rate-based Blocking settings 144
rate-based protection categories for profiling 111
rate limit
    any source host 144
    DNS 133
    DNS NXDomain 132
    HTTP 137
    SIP 145
    traffic shaping 154
recurring remote backups
    about 339
    creating 63
refresh a page 21
refresh a page automatically 21
regular expression
    configuring from captured packets 267
    DNS 134
    HTTP header 137
    payload 141
reinstallation
    AEM 351
    requirements 351
reports
    aggregated 276
    aggregated device data 274
    custom date range 276
reports, centralized
    about 269
    configuring 274
    deleting 279
    description of 270
    exporting as PDF file 277
    filtering the list of 278
    managing 276
    sorting the list of 278
    viewing results for 277
requirements
    AEM 16
    passwords 38
restore from backup 341
    affect on synchronization 93
routine monitoring 232

S
scheduled backups
    about 339
    configuring 63
search engine
    web crawler support 73
secret, shared in AEM 347
security alerts
    about 288
    filtering 296
    impact 297


    viewing 293
Security Alerts page 291, 293
    filtering 296
server types
    about 101
    adding 106
    custom server types 106
    deleting 106
    duplicating 107
    filter lists for 162
    limits 101
    restoring default settings 115
    settings, configuring 108
    standard server types 102
    viewing 105
Server Types page 108
services traffic 204
shared secret, setting 347
sign-on
    from AEM 15
single sign-on
    about 89
    from AEM to managed devices 88-89
    HTTP header, about 54
    HTTP header, configuring 55
SIP malformed 129
SIP Request Limiting settings 145
slow HTTP attack
    preventing 131
SNMP notifications
    about 79
    configuring 81
SNMP polling
    about 58
    agent community 58-59
    enabling 58
source of attack 239
Spoofed SYN Flood Prevention settings
    about 146
    automating 147
SSH keys for single sign-on 90
SSL
    attack, prevention 153
    certificate, custom 65
stacked graph 24
standard server types 102
status
    ATLAS Intelligence Feed 75
STIX
    settings 149
Summary page
    ATLAS Threat Categories 252
    audit trail information 316
    opening in APS_AED from AEM 315
    System Information 314
    viewing 313
support, contacting 11
SYN flood
    spoofed 146-147
    TCP 151
syntax
    FCAP expressions 358
syntax, commands 10, 357
syslog
    destination settings 61
syslog notifications
    about 79, 304
    configuring 82
    examples 368
    for AEM 86
system alerts
    about 289
    configuring 61
    ignoring 302
System Alerts page
    contents 300
    viewing 298
System Information summary 314

T
TACACS+ integration
    authentication method 48
    configuring 53
    default user group 51
    password expiration 54
    timeout period 54
    user group assignment 50
tactics, MITRE 306
TCP
    idle connections 150
    payload inspection 141
TCP Connection Limiting settings 149
TCP Connection Reset settings 150
TCP SYN Flood Detection settings 151
techniques, MITRE 306
temporarily blocked hosts
    in blocked hosts log 243
temporary ports in Services view 204
Threat Analysis page
    details 310
    filtering 309
    identifying critical threats 308
    threats list 310
    viewing 307
    workflow 305
threat categories, ATLAS
    about 69


    summary 252
threat category
    viewing 253
threat policy, ATLAS
    about 69
    categories 69
    confidence index 70
    confidence value 70
threats
    about 304
    analysis workflow 305
    blocked 253
    critical threats 308
    filtering 309
    list 310
    viewing 307
threshold, bandwidth alerts
    about 213
timeframe, display
    blocked hosts log 245
    changing 24
    View Protection Group page 188
timeout period
    RADIUS 52
    TACACS+ 54
TLS Attack Prevention settings 153
    to AEM 54-55
tool icons 21
toolbar 21
top domains per protection group 199
top IP locations per protection group 201
top protocols per protection group 203
top services per protection group 204
top URLs per protection group 198
total traffic alert 213
traffic
    blocking, see blocking traffic 167
    monitoring 232
    statistics, ATLAS Intelligence Feed 76
    viewing for protection group 187
traffic alert 213
traffic data
    filtering by device 191
traffic profile capture
    about 110
    capturing data 112
    protection categories profiled 111
    results 114
    status 114
    stopping 113
    viewing data 114
    workflow 111
Traffic Shaping settings 154
traffic status, viewing 282
traffic summary for protection group 190
traffic, using filter lists to drop and pass 164
transient ports in Services view 204
typographic conventions
    commands 10, 357
    commands and expressions 327

U
UDP Flood Detection settings 155
UDP payload inspection 141
UI
    about 15
    accessing on managed device 88
    accessing on managed devices from AEM 315
    log in and log out 17
    navigating 20
unbind devices from AEM 88
unblock
    country 202
    domain 201
    URL 199
unit of measure, graphs 24
unlocking a user account 46
upgrade, AEM 348
upload
    files 336
URLs
    adding to the deny list 199, 266
    unblocking 199
    viewing traffic for 198
user account
    about 30
    adding 42
    adding to user group 47
    configuring 42
    deleting 43
    disabling 46
    editing your account 17
    enabling 46
    locking manually 46
    number of login attempts before lockout 46
    password 31
    password requirements 38
    settings 44
    unlocking 46
user group
    adding 32
    adding users 47
    assigning in RADIUS 50
    assigning in TACACS+ 50
    authorization assignment 33
    authorization keys 33
    configuring 32


    customizing 32
    default for RADIUS or TACACS+ 51
    deleting 32
    permissions, assigning 33
    permissions, authorization keys 33
user group, about 29
user input, syntax 10, 357
username
    entering 44
    requirements 44

V
vAEM 348
version number, AEM 22
View Protection Group page 187
    deny list, adding items to 202
    unblocking countries 202
    unblocking domains 201
    unblocking URLs 199
viewing AIF updates 76
VoIP attack, preventing 145

W
web crawler support, about 73
Web Traffic By Domain
    disabling 138
    viewing 199
Web Traffic By URL
    disabling 138
    viewing 198
web UI
    custom logo 66
workflow
    manual mitigation 236
    mitigation 239
    routine system monitoring 232
workflow for traffic profile captures 111



End User License Agreement


The end user license agreement (EULA) contains updated terms and conditions with
respect to your license of NETSCOUT product and services and is deemed to replace any
previous license terms provided with respect thereto; provided, however, if you and
NETSCOUT have executed a direct agreement, such direct agreement shall govern your
license of NETSCOUT product and services.

You can read the complete end user license agreement online at
https://www.netscout.com/sites/default/files/2018-06/NetScout-Systems-End-User-Product-License-Agreement.pdf.
