Check Point DDoS Protector
6 March 2013
Software Version - 6.07
User Guide
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=12676
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Revision History
Date Description
4 March 2013 Converted from WBM OLH and edited for print documentation.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments
(mailto:[email protected]?subject=Feedback on Check Point Lights Out Management Administration Guide).
Contents
Important Information ...3
DDoS Protector Overview ...1
Network Flood Protection ... 1
Server Flood Protection ... 1
Application Layer Protection ... 1
Configuring File Parameters ...3
Software Update ... 3
Support ... 3
Configuration ... 4
Send Configuration File to Device ... 4
Receive from Device ... 4
Log File ... 4
Software List ... 5
Configuring Device Parameters ...7
Reboot Device ... 7
Device Shutdown ... 7
Global Parameters ... 7
Device Information ... 8
Utilization ... 9
SME Utilization... 9
Device Resource Utilization ... 9
License Upgrade ... 9
Port Mirroring ... 10
Port Mirroring and Traffic Rate Port Mirroring ... 10
Forwarding Table ... 12
Interface Grouping ... 13
Physical Interface ... 13
L2 Interface ... 13
Link Aggregation ... 14
Link Aggregation: Trunk Table ... 14
Link Aggregation: Port Table ... 14
Jumbo Frames Settings ... 15
Traffic Exclusion ... 16
Session Table ... 16
Session Table Global Parameters ... 16
Advanced Session Table Global Parameters ... 18
Session Table Entries ... 19
IP Fragmentation ... 20
Device Overload Mechanism ... 20
High Availability ... 21
High Availability Global Parameters ... 21
High Availability Advanced Configuration ... 22
Pair Definition ... 24
Switch Over ... 25
Activate Baseline Sync with Peer Device ... 25
Reset Secondary ... 25
Tunneling ... 25
IP Version Mode ... 26
Dynamic Protocols ... 26
Dynamic Protocols: General ... 26
Dynamic Protocols: FTP ... 27
Dynamic Protocols: TFTP ... 27
Dynamic Protocols: Rshell ... 28
Dynamic Protocols: Rexec ... 28
Dynamic Protocols: H.225 ... 29
Dynamic Protocols: SIP ... 29
Configuring Router Parameters ... 31
IP Router ... 31
Operating Parameters ... 31
Interface Parameters... 31
Routing Table ... 33
ARP Table ... 34
Configuring DDoS Protector Parameters ... 35
DoS Signatures ... 35
Application Security ... 35
DoS Shield ... 36
Filters ... 36
Attacks ... 42
Exclude Attacks ... 48
Denial of Service ... 49
Behavioral DoS ... 49
DNS Protection ... 58
SYN Protection ... 71
Out-of-State ... 76
Connection Limit ... 78
HTTP Mitigator ... 81
Authentication tables ... 87
DNS Authentication Table ... 87
TCP Authentication table ... 88
HTTP Authentication table ... 88
Server Protection ... 89
Protected Servers ... 89
White List ... 91
Black List ... 93
Network Protection Policies... 96
Policies Resources Utilization ... 98
Global ... 99
Suspend Table ... 99
Reporting ... 101
Reporting Global Parameters ... 101
Top Ten Attacks ... 103
Data Report ... 103
Security Log ... 104
Packet Trace ... 105
Attack Database Version ... 106
Attack Database Send to Device ... 107
Activate Latest Changes ... 107
Packet Anomalies ... 107
Packet Anomalies Attacks ... 107
Service Discovery ... 110
Service Discovery Global Parameters ... 110
Service Discovery Profiles ... 111
Restore Default Configuration ... 112
Configuring Services Parameters ... 115
Tuning ... 115
Security ... 115
Device Tuning ... 118
Memory Check ... 119
Classifier Tuning ... 120
SYN Protection Tuning ... 121
Diagnostics Tuning ... 122
Diagnostics ... 122
Capture ... 122
Trace ... 123
Trace Files ... 126
Diagnostics Policies ... 127
Syslog Reporting ... 128
Daylight Saving ... 130
Management Interfaces ... 131
Telnet ... 131
Web Server ... 132
SSL ... 133
SSH ... 133
Event Log ... 134
Network Time Protocol (NTP) ... 134
RADIUS ... 135
SMTP ... 136
DNS Client Parameters ... 137
Configuration Auditing ... 138
Event Scheduler ... 138
Configuring Security Parameters ... 141
Management Ports ... 141
Ports Access ... 141
SNMP ... 142
SNMP Global Parameters ... 142
SNMP: User Table ... 142
SNMP: Community Table ... 143
SNMP: Groups Table ... 144
SNMP: Access Table ... 144
SNMP: View Table ... 145
SNMP Notify Table ... 145
SNMP Target Parameters ... 146
SNMP: Target Address ... 147
Ping Physical Ports Table ... 148
Users ... 148
Certificates Table ... 150
Exporting PKI Components ... 151
Importing a PKI Component ... 151
Certificate Default Values ... 152
Configuring Classes Parameters ... 153
View Active Networks ... 153
Modify ... 153
Modify Networks ... 153
Modify Services ... 154
Modify Application Port Groups ... 161
Modify Physical Port Groups ... 161
Modify VLAN Tag Groups ... 162
Modify MAC Groups ... 163
View Active ... 163
View Active Networks ... 163
View Active Services ... 163
Viewing Application Port Groups ... 164
View Active Physical Port Groups ... 164
View Active VLAN Tag Groups ... 164
View Active MAC Groups ... 164
Activate Latest Changes ... 164
Configuring Performance Parameters ... 165
Element Statistics ... 165
IP Packet Statistics ... 165
SNMP ... 165
IP Router ... 166
DDoS Protector Web Based Management User Guide | 1
Chapter 1
DDoS Protector Overview
Check Point DDoS Protector™ appliances block denial-of-service (DoS) attacks within seconds with multi-layered protection and up to 12-Gbps performance.
Modern distributed DoS (DDoS) attacks use new techniques to exploit areas that traditional security solutions are not equipped to protect. These attacks can cause serious network downtime to businesses that rely on networks and Web services to operate. DDoS Protector extends the company security perimeter to block destructive DDoS attacks before they cause damage.
Network Flood Protection
DDoS Protector uses behavioral analysis to provide network-flood-attack protection. After baselining normal daily and weekly patterns for network traffic, DDoS Protector identifies abnormal traffic, especially the spikes caused by network floods.
Server Flood Protection
DDoS Protector protects against misuse of application resources. With its automatic signature-generation capability, DDoS Protector automatically generates new signatures to mitigate suspected attacks, and uses predefined signatures to prevent known bad behavior. DDoS Protector also prevents misuse of TCP/IP stack by fending off SYN-flood attacks using SYN cookies.
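The SYN-cookie defence mentioned above works by encoding the handshake state into the server's initial sequence number instead of storing it, so a flood of spoofed SYNs allocates nothing. The following Python is an added illustration of that mechanism, not Check Point code and not a description of how DDoS Protector implements it internally. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed MAC), the MSS table, the secret key and the sample addresses are all assumptions constructed for the demo.

```python
import hashlib
import hmac

# Constructed for the demo: MSS values that the 3-bit field can encode.
MSS_TABLE = (536, 1220, 1440, 1460, 4312, 8960, 9000, 16384)
# Assumed secret; a real implementation rotates it and never sends it on the wire.
SECRET = b"demo-secret-not-for-production"
# Cookies minted up to this many counter ticks ago are still accepted.
COOKIE_WINDOW = 2


def _mss_index(client_mss):
    """Index of the largest table entry that does not exceed the client's MSS."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def _mac24(saddr, daddr, sport, dport, counter, mss_idx):
    """24-bit keyed MAC over the connection tuple, the counter and the MSS index."""
    msg = "|".join(map(str, (saddr, daddr, sport, dport, counter, mss_idx))).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_mss, counter):
    """Initial sequence number for the SYN-ACK; no per-connection state is kept."""
    mss_idx = _mss_index(client_mss)
    mac = _mac24(saddr, daddr, sport, dport, counter, mss_idx)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(saddr, daddr, sport, dport, ack, now_counter):
    """Validate the final ACK of the handshake. Returns the recovered MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF          # client acknowledges our ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    for age in range(COOKIE_WINDOW + 1):
        counter = now_counter - age
        if counter < 0 or (counter & 0x1F) != t:
            continue
        expected = _mac24(saddr, daddr, sport, dport, counter, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]        # only a completed handshake creates state
    return None


def flood_demo():
    """Spoofed SYN flood plus one real client. Returns (established, rejected)."""
    server = ("192.0.2.10", 80)
    established = rejected = 0
    # 10,000 SYNs from spoofed sources: each is answered, nothing is stored.
    for i in range(10_000):
        make_cookie(f"203.0.113.{i % 254 + 1}", server[0], 1024 + i, server[1], 1460, 7)
    # A real client completes the handshake with the cookie it was given.
    isn = make_cookie("198.51.100.7", server[0], 40000, server[1], 1460, 7)
    if check_cookie("198.51.100.7", server[0], 40000, server[1], isn + 1, 8) is not None:
        established += 1
    # An attacker guessing an ACK for a handshake it never saw is rejected.
    if check_cookie("203.0.113.5", server[0], 5555, server[1], 0x12345678, 8) is None:
        rejected += 1
    return established, rejected
```

The point to take from the demo is the asymmetry: the flood costs the responder one MAC per SYN and zero memory, while a forged ACK has at best a 2^-24 chance per attempt of passing the MAC check, so the half-open connection queue that a classic SYN flood exhausts never exists.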
Application Layer Protection
DDoS Protector blocks automated tools and fake users with challenge/response techniques, while transparently redirecting legitimate users to the desired destinations.
Chapter 2
Configuring File Parameters
Software Update
Check Point may release updated versions of the device software. Upload these updated versions to benefit from enhanced functionality and performance. The password is provided with the new software documentation.
Note: If the upload fails, the current device software is unchanged. If the upload succeeds, reboot the device to run the new version.
To upload software
1. Select File > Software Update.
2. In the Password field, enter the password received with the new software version. Note: The password is case-sensitive.
3. In the Software version field, type the software version number as specified in the new software documentation.
4. In the File field, enter the file path. Alternatively, click Browse to navigate to the file.
5. Select the Enable New Version check box.
6. Click Set.
7. Select Device > Reboot Device.
8. Click Set.
Support
When a problem requires debugging, DDoS Protector can generate a support file. The file is delivered in text format and aggregates the output of all the CLI commands that the Check Point Support Center needs, such as a printout of the Client table, the ARP table and others.
You download this file using the Support command and then send it to the Check Point Support Center.
To download the support file
1. Select File > Support.
2. Click Download.
Configuration
Send Configuration File to Device
Use the Send to Device pane to send a configuration file to the device.
To send the configuration file to a device
1. Select File > Configuration > Send to Device.
2. Select the upload mode: Replace configuration file, Append commands to configuration file, or Append commands to configuration file with reboot.
3. Enter the name of the configuration file, or click Browse to navigate to the file.
4. Click Set.
5. Select Device > Reboot Device and then Set to apply the changes in the configuration.
Receive from Device
The Receive from Device window enables you to download the configuration file.
To download the configuration file
1. Select File > Configuration > Receive from Device.
2. Select whether to include private keys.
3. Click Set.
Note: A configuration file downloaded with private keys contains the device's private key material; protect it as you would any other credential. A configuration file downloaded using WBM cannot be uploaded to a device that is configured to use SNMPv3 only.
Log File
Log File: Show
The Configuration Error Log window enables you to view the configuration errors. The report of configuration errors presented in this log file is automatically generated by the device.
To view the log file
Select File > Configuration > Logfile > Show.
Log File: Clear
The Clear Error Log window enables you to clear the information contained in the Show Log file.
To clear the error log
1. Select File > Configuration > Logfile > Clear.
2. Click Set.
Log File: Download
The Download Error Log window enables you to download the latest log file that contains configuration errors. Once the file is downloaded, you can view it.
To download the error log
1. Select File > Configuration > Logfile > Download.
2. Click Set.
Software List
The device can hold two different software versions at the same time, together with their respective configuration files. You can set which of the existing versions is active, and you can delete the inactive version.
To manage the software list
1. Select File > Software List.
2. To filter the software list, enter or select a parameter and click Reset Filter.
3. Select the version that you want to delete and click Delete.
4. Select Device > Reboot Device and click Set.
Parameter Description
Name The name of the version that you have selected.
Index The index of the version in the Software List.
Valid The version validity.
Active The status of the version.
Version The version number.
Chapter 3
Configuring Device Parameters
Reboot Device
This feature resets (restarts) the device. This may be necessary after completing the configuration of some features, such as Device Tuning. The changes are updated and reflected in the device only after the reset.
To reboot the device
1. Select Device > Reboot Device.
2. Click Set.
Device Shutdown
To shut down a device
1. Select Device > Device Shutdown.
2. Click Shutdown.
Global Parameters
To set the global device parameters
1. Select Device > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Description The general description of the device.
Name The user-assigned name of the device, which is displayed in the windows describing the device.
Location The geographic location of the device.
Contact Person The person or people responsible for the device.
System Up Time The time elapsed since the last reset.
System Time The current user-defined device time, in hh:mm:ss format.
System Date The current user-defined device date, in dd/mm/yyyy format.
BootP Server Address The IP address of the BootP server. The device forwards BootP requests to the BootP server and acts as a BootP relay.
BootP Threshold How many seconds the device waits before relaying requests to the BootP server. This delay allows local BootP servers to answer first.
Device Information
Use the Device Information pane to view information about the device.
To access the device information pane
Select Device > Device Information. The following parameters are displayed:
Parameter Description
Type The device type.
Platform The hardware platform type, for example On-Demand Switch.
Device The device name.
Ports The number of ports on the device.
Ports Config The port configurations.
HW Version The hardware version.
SW Version The software version.
Build The software build date, time, and version number.
Throughput License The throughput license (limit).
Version State The version state, for example "Final".
APSolute OS The APSolute OS build date, time, and version number.
Network Driver The network driver version.
RAM Size The amount of RAM, in GB.
Flash Size The size of the flash (permanent) memory, in MB.
Hard Disk(s) The number of hard disks installed.
Registered Whether the device is registered or not.
Date The date of the version.
Time The time of the version.
Base MAC The MAC address of the first port on the device.
Active Boot The active boot version.
Secondary Boot The secondary boot version.
Power Supply The power supply status.
DoS Mitigator The DoS Mitigator type.
SME The SME type.
Utilization
SME Utilization
The Engines utilization pane displays values relating to the utilization of internal hardware
components. The information is intended only for advanced tuning and debugging by the Check Point Support Center.
Device Resource Utilization
To view device resource utilization statistics
Select Device > Utilization > General. The following parameters are displayed:
Parameter Description
Resource Utilization The percentage of the device’s CPU currently utilized.
RS Resource Utilization The percentage of the device’s routing services (RS) resource currently utilized.
RE Resource Utilization The percentage of the device’s routing engine (RE) resource currently utilized.
Last 5 sec. Average Utilization The average utilization of resources in the last 5 seconds.
Last 60 sec. Average Utilization The average utilization of resources in the last 60 seconds.
License Upgrade
The License Upgrade window enables you to upgrade the software license.
To upgrade the software license
1. Select Device > License Upgrade.
2. Enter your throughput license key. (The earlier throughput license key is displayed.) Note: The license code is case-sensitive.
3. Click Set.
4. In the Reset the Device window, click Set to perform the reset. The reset may take a few minutes.
Port Mirroring
Port Mirroring and Traffic Rate Port Mirroring
Port Mirroring enables the device to mirror traffic from one physical port on the device to another physical port on the device. This is useful when a monitoring device is connected to one of the ports on the device. You can choose to mirror either received and transmitted traffic, received traffic only, or transmitted traffic only. You can also decide whether received broadcast packets should be mirrored or not.
To capture evidence of high-bandwidth DoS and DDoS attacks, you can use traffic-rate port mirroring to mirror the traffic arriving at DDoS Protector to a dedicated sniffer port. This allows you to collect packet data during an attack. The mirroring is performed only when the device is under attack, based on a predefined traffic threshold.
To set the device to operate in port mirroring mode
1. Select Device > Port Mirroring > Table.
2. Click Create.
3. Configure the parameters, and click Set.
Parameter Description
Input Port The port from which the traffic is mirrored.
Output Port The port to which traffic is mirrored.
Receive\Transmit The direction of traffic to be mirrored.
Promiscuous Mode Whether to copy all traffic from the input port to the output port, or only the traffic that is destined to the input port. Values:
Enabled—All traffic is copied to the Output Port.
Disabled—Only traffic destined to the Input Port is copied.
Default: Enabled.
Backup Port A backup port for the output.
Mode The relevant mode, either:
Enabled—Port Mirroring is continuously enabled.
Traffic Rate—Port Mirroring is activated according to the traffic rate over the network (PPS or kbps); in this mode the Threshold must be defined.
Threshold The threshold value.
Global Parameters
To set the Port Mirroring Global Parameters
1. Select Device > Port Mirroring > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Traffic Threshold Units The units of the traffic threshold according to which attacks are detected. Values:
PPS—The number of packets per second being sent over the network.
kbps—The number of kbps that can pass through the Input port before the mirroring process begins. If the rate on the input port is higher than the threshold value, the device treats it as an attack and mirrors the traffic to the output port for the period configured by Threshold Interval.
Threshold Interval The number of seconds during which the mirroring process takes place. Default: 30 sec.
Reset Traffic Rate Threshold
The Port Mirroring Reset Traffic Rate Threshold window enables you to set the device to record the traffic that exceeds the predefined limit within a new threshold interval.
To reset the Traffic Rate Threshold
1. Select Device > Port Mirroring > Reset Traffic Rate.
2. Click Set.
Forwarding Table
You can configure scanning ports using the Static Forwarding mode. In the Static Forwarding mode, DDoS Protector functions as in promiscuous mode in the network, which means that the device acts as completely transparent network element.
Scanning ports have a one-to-one forwarding ratio, where the traffic that comes from the receiving port is always sent out from its corresponding transmitting port. The ports are paired, meaning one port receives traffic while another transmits traffic. The ports are defined in the Forwarding Table.
Note: When using the SYN Flood Protection filters, you must set the inbound and the outbound traffic to operate in the Process mode.
You can assign the same Destination Port to more than one Source Port. For example, you can define that Source Port 1 is associated with Destination Port 3, and also Source Port 2 is associated with Destination Port 3.
To configure promiscuous ports
1. Select Device > Forwarding Table.
2. Click Create.
3. Configure the parameters, and click Set.
Parameter Description
Source The user-defined source port for received traffic.
Destination The user-defined destination port for transmitted traffic.
Operation The operation mode that can be assigned to a pair of ports: Process or Switch.
Failure Mode The failure mode. Values: Fail-Open, Fail-Close. Fail-Open keeps traffic flowing through the port pair, uninspected, if the device fails; Fail-Close stops it.
Port Type The port type. Values: Source, Destination
Note: When you assign the same Destination Port to more than one Source Port, you must set the Destination Port of the traffic in the opposite direction, otherwise the traffic transmitted in that direction is ignored. For example, Source Port 1 is associated with Destination Port 3, and also Source Port 2 is associated with Destination Port 3. In that case, for the traffic in the opposite direction, the Source Port is 3 and the Destination Port must be defined (typically it is 1 or 2).
Interface Grouping
When installing DDoS Protector between two L2 switches operating with multiple links (with Link Aggregation, for example), a link failure of one L2 switch would not be detected by the remote L2 switch, as DDoS Protector would continue to keep the link up. Interface Grouping shuts both endpoints of a link once a failure is detected on one of the endpoints. The endpoints of the links are set by the Static Forwarding table. Interface Grouping is configured globally per device.
To enable interface grouping
1. Select Device > Forwarding Table.
2. From the Interface Grouping drop-down list, select Enable.
Physical Interface
The Physical Interface window enables you to change the physical attributes of each port individually.
To update the physical attributes of the ports
1. Select Device > Physical Interface.
2. Configure the parameters, and click Set.
Parameter Description
Port Index The index number of the port.
Speed The traffic speed of the port. Values: Ethernet, Fast Ethernet, Giga Ethernet
Duplex Whether the port can transmit and receive at the same time (Full Duplex) or only in one direction at a time (Half Duplex).
Auto Negotiate Automatically detects and configures the speed and duplex required for the interface.
L2 Interface
The L2 Interface window enables you to configure the administrative status and view settings for each interface.
To configure the administrative status of an interface
1. Select Device > L2 Interface.
2. Select the relevant interface.
3. From the Interface Admin Status drop-down list, select the required status of the interface. Values: up, down.
Link Aggregation
Link Aggregation: Trunk Table
The Port Trunking feature allows you to define up to seven trunks. Up to eight (8) physical links can be aggregated into one trunk. All trunk configurations are static.
The Trunk Table, which is read-only, enables you to view the Trunk Index settings that were defined in the Port Table.
To view the link aggregation trunk table
Select Device > Link Aggregation>Trunk Table. The following parameters are displayed:
Parameter Description
Trunk Index Displays the trunk index.
Trunk MAC Address Displays the MAC address assigned to the trunk.
Trunk Status Values:
Individual—(False) No ports are attached to this trunk.
Aggregated—(True) Ports are attached to this trunk.
Link Aggregation: Port Table
The Port Table enables you to attach ports to a trunk.
Note: Only ports that are connected (Link Up) and operating in full duplex mode can be attached to a trunk.
To set the link aggregation port table parameters
1. Select Device > Link Aggregation > Port Table.
2. Select the port index to edit.
3. Configure the parameters, and click Set.
Parameter Description
Port Index (Read-only) The physical port index.
Port MAC (Read-only) The MAC address assigned to the port.
Trunk Index Values: the trunk to which the port is attached, or Unattached.
Port Status (Read-only) Values:
Individual—The port is not attached to any trunk.
Aggregate—The port is attached to a trunk.
Jumbo Frames Settings
You can specify whether jumbo frames bypass the device or are discarded. This setting is available only on x412 platforms. Because bypassed frames are not inspected, enable the bypass only where the protected network must carry jumbo frames, and accept that attack traffic carried in jumbo frames is then not mitigated.
To configure the jumbo-frame settings
1. Select Device > Jumbo Frames.
2. Configure the parameters, and click Set.
Parameter Description
Jumbo Frames Mechanism Status Values:
enable—The device inspects frames up to 9216 bytes.
disable—The device discards frames that are larger than 1550 bytes.
Default: disable
Notes:
Changing the configuration of this option takes effect only after a device reset.
When this option is enabled, all DDoS Protector monitoring and protection modules support monitoring, inspection, detection, and mitigation of traffic and attacks on packets up to 9216 bytes. For example, when this option is enabled, TCP Authentication using Transparent Proxy supports an additional maximum segment size (MSS) value to improve performance of the protected networks.
Jumbo Frames Bypass Values:
enable—Frames of 1550 – 9216 bytes bypass the device without any inspection or monitoring.
disable—The device discards frames that are larger than 1550 bytes.
Default: disable
Notes:
Changing the configuration of this option takes effect only after a device reset.
When the option is enabled on an x412 platform, there may be some negative effect on the following features: Packet Anomalies, Black and White Lists, and BDoS real-time signatures.
When the option is enabled on an x06 platform, there may be some negative effect on Black and White Lists.
When the option is enabled, TCP SYN Protection may not behave as expected, because the third packet of the TCP three-way handshake can carry data and be a jumbo frame in itself.
When the option is enabled, some protections that rely on the DDoS Protector session table might produce false-negatives and drop traffic when all the session traffic bypasses the device in both directions for longer than the Session Aging Time.
Traffic Exclusion
This feature is available only on x412 platforms.
You can specify whether the device passes through all traffic that matches no network policy configured on the device — regardless of any other protection configured.
If Traffic Exclusion is enabled, to inspect traffic that matches a Server Protection policy, you must configure the Server Protection policy as a subset of the Network Protection policy.
To configure traffic exclusion
1. Select Device > Traffic Exclusion.
2. From the Traffic Exclusion Status drop-down list, select Enable or Disable, and click Set. Default: Enable.
Session Table
Session Table Global Parameters
DDoS Protector includes a Session table, which tracks sessions bridged and forwarded by the device.
To set the parameters for the session table
1. Select Device > Session Table > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Session Table Status Specifies whether the device uses the Session table. Default: Enabled
Idle TCP-Session Aging Time The time, in seconds, that the Session table keeps idle TCP sessions. Values: 1 – 7200 Default: 100
Idle UDP-Session Aging Time The time, in seconds, that the Session table keeps idle UDP sessions. Values: 1 – 7200 Default: 100
Idle SCTP-Session Aging Time The time, in seconds, that the Session table keeps idle SCTP sessions. Values: 1 – 7200 Default: 100
Idle ICMP-Session Aging Time The time, in seconds, that the Session table keeps idle ICMP sessions. Values: 1 – 7200 Default: 100
Idle GRE-Session Aging Time The time, in seconds, that the Session table keeps idle GRE sessions. Values: 1 – 7200 Default: 100
Idle Other-Protocol-Session Aging Time The time, in seconds, that the Session table keeps idle sessions of protocols other than TCP, UDP, SCTP, ICMP, or GRE. Values: 1 – 7200 Default: 100
Session Table No Aging Mode Enables or disables session table aging. If enabled, the Session Table and Flow Table are not aged. This parameter can only be configured if Session Table Lookup Mode is L4 Destination Port.
Session Table Lookup Mode The layer of address information that is used to categorize packets in the Session table. Values:
Full L4—An entry exists in the Session table for each source IP, source port, destination IP, and destination port combination of packets passing through the device.
L4 Destination Port—Traffic is recorded based only on the TCP/UDP destination port. This mode uses minimal Session table resources (only one entry for each port that is secured).
Default: Full L4
Caution: Check Point recommends that you always use the Full L4 option. When Session Table Lookup Mode is L4 Destination Port, the following protections do not work: Connection Rate Limit, HTTP Mitigator, HTTP Replies Signatures, Out-of-State protection.
Remove Session Table Entry at Session End Specifies whether the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session within the Remove Session Entry at Session End Time period. Default: Enabled
Remove Session Entry at Session End Time (This option is supported only if Remove Session Table Entry at Session End is enabled.) The time, in seconds, after which the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session. Values: 1 – 60 Default: 5
Send Reset To Server Status Specifies whether the DDoS Protector device sends a RST packet to the destination of aged TCP sessions. Values:
Enabled—DDoS Protector sends a RST packet to the destination and removes the entry from the DDoS Protector Session table.
Disabled—DDoS Protector ages the session normally (using the short SYN timeout), but the destination might hold the session for quite some time.
Default: Disabled
Advanced Session Table Global Parameters
To set the session table advanced configuration parameters
1. Select Device > Session Table > Advanced Configuration.
2. Configure the parameters, and click Set.
Parameter Description
Session-Table-Full Action The action that the device takes when the Session table is at full capacity. Values:
Bypass New Sessions—The device bypasses new sessions until the Session table has room for new entries.
Block New Sessions—The device blocks new sessions until the Session table has room for new entries.
Default: Bypass New Sessions
Note: Bypass New Sessions is fail-open: while the table is full, new sessions pass without session-based inspection. Block New Sessions is fail-closed and can deny legitimate new connections while the table is full.
Incomplete TCP-Handshake Timeout How long, in seconds, the device waits for the three-way handshake to be completed for a new TCP session. When the timeout elapses, the device deletes the session and, if the Send Reset To Server option is enabled, sends a reset packet to the server. Values:
0—The device uses the specified Session Aging Time.
1 – 10—The TCP handshake timeout in seconds.
Default: 10
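The interaction between the Session Table Global Parameters and the Advanced parameters above is easier to see in a running model than in two tables. The following Python is an added toy model, not Check Point code and not a description of the device's internal data structures. The packet representation, the tiny table capacity, the decision names (forward, out_of_state, bypass, block) and the sample addresses are constructed for the demo; only the parameter semantics (lookup mode, idle aging, incomplete-handshake timeout, end-of-session removal, table-full action, reset to server) follow the guide.

```python
from collections import namedtuple

# Constructed packet representation; flags is a set of TCP flag names.
Packet = namedtuple("Packet", "proto src sport dst dport flags")


class SessionTable:
    """Toy session table; parameter names follow the guide, values are assumptions."""

    def __init__(self, lookup_mode="full_l4", capacity=4, full_action="bypass",
                 idle_aging=None, handshake_timeout=10, remove_at_end=True,
                 end_timeout=5, send_reset=False):
        self.mode = lookup_mode                     # "full_l4" or "l4_dest_port"
        self.capacity = capacity                    # assumed tiny capacity for the demo
        self.full_action = full_action              # "bypass" or "block"
        self.idle_aging = idle_aging or {"tcp": 100, "udp": 100, "other": 100}
        self.handshake_timeout = handshake_timeout  # 0 means fall back to idle aging
        self.remove_at_end = remove_at_end
        self.end_timeout = end_timeout
        self.send_reset = send_reset                # Send Reset To Server Status
        self.table = {}                             # key -> entry dict
        self.resets = []                            # RSTs the device would emit

    def key(self, p):
        if self.mode == "l4_dest_port":
            return (p.proto, p.dport)               # one entry per protected port
        a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, a, b)                      # Full L4: one entry per 5-tuple

    def expire(self, now):
        for k, e in list(self.table.items()):
            if e["proto"] == "tcp" and not e["established"] and self.handshake_timeout:
                limit = self.handshake_timeout      # Incomplete TCP-Handshake Timeout
            elif e["closing"] and self.remove_at_end:
                limit = self.end_timeout            # Remove Session Entry at Session End
            else:
                limit = self.idle_aging.get(e["proto"], self.idle_aging["other"])
            if now - e["last_seen"] > limit:
                del self.table[k]
                if self.send_reset and e["proto"] == "tcp":
                    self.resets.append(k)           # tell the server to drop its state too

    def handle(self, p, now):
        """Decision for one packet: forward, out_of_state, bypass or block."""
        self.expire(now)
        k = self.key(p)
        e = self.table.get(k)
        if e is None:
            if len(self.table) >= self.capacity:
                return self.full_action             # Session-Table-Full Action
            if p.proto == "tcp" and "SYN" not in p.flags and self.mode == "full_l4":
                return "out_of_state"               # mid-stream packet, no handshake seen
            self.table[k] = {"proto": p.proto, "established": p.proto != "tcp",
                             "closing": False, "last_seen": now}
            return "forward"
        e["last_seen"] = now
        if p.proto == "tcp":
            if "ACK" in p.flags and "SYN" not in p.flags:
                e["established"] = True
            if p.flags & {"FIN", "RST"}:
                e["closing"] = True
        return "forward"


def lookup_mode_demo(mode):
    """Pending SYN, then a stray ACK from another host. Returns (decisions, resets sent)."""
    t = SessionTable(lookup_mode=mode, send_reset=True)
    syn = Packet("tcp", "198.51.100.7", 40000, "192.0.2.10", 80, {"SYN"})
    stray = Packet("tcp", "203.0.113.9", 5555, "192.0.2.10", 80, {"ACK"})
    decisions = [t.handle(syn, 0), t.handle(stray, 1), t.handle(stray, 12)]
    return decisions, len(t.resets)


def table_full_demo(full_action):
    """Three new UDP flows into a two-entry table. Returns the three decisions."""
    t = SessionTable(capacity=2, full_action=full_action)
    return [t.handle(Packet("udp", f"10.0.0.{i}", 1000 + i, "192.0.2.53", 53, set()), 0)
            for i in range(3)]
```

Running lookup_mode_demo in Full L4 mode shows why the guide's caution matters: the stray ACK has no 5-tuple entry and is flagged out-of-state, and the half-open SYN is aged out after the 10-second handshake timeout with a RST sent to the server. In L4 Destination Port mode the stray ACK lands on the single port-80 entry, marks it established and is forwarded, so Out-of-State protection has nothing to work with. table_full_demo shows the default Bypass New Sessions passing the third flow uninspected once the table is full.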
Session Table Entries
To set the number of Session Table entries to be shown
1. Select Device > Session Table > View Table Query Results.
2. In the Maximum Displayed Entries text box, enter the number of Session table entries to be shown.
To set the session table query filters
1. Select Device > Session Table > View Table Query Results.
2. Click Create.
3. Configure the parameters, and click Set.
Parameter Description
Name A unique name of the filter.
Source IP The source IP within the defined subnet.
Source IP mask The source IP mask used to define the subnet that you want to present in the Session Table.
Dest IP The destination IP within the defined subnet.
Dest IP mask The destination IP mask used to define the subnet that you want to present in the Session Table.
Source Port The session source port.
Dest Port The session destination port.
IP Fragmentation
In some cases, when an IP packet is too long to be transmitted, the originator of the packet or one of the routers forwarding it has to fragment the packet into multiple shorter packets.
IP Fragmentation allows the device to forward fragmented IP packets. The device identifies that all the fragments belong to the same datagram and treats them accordingly in terms of classification, load balancing, and forwarding. The device does not reassemble the original IP packet; it forwards the fragments to their destination, even if they arrive at the device out of order.
Note: In case of asymmetric routing, when the device does not see all fragments of a datagram, the device drops the incomplete fragments.
To set the IP fragmentation parameters
1. Select Device > IP Fragmentation.
2. Configure the parameters, and click Set.
Parameter Description
Status: Allows you to enable or disable IP Fragmentation.
Note: Enabling IP Fragmentation requires a reboot.
Queueing-limit: The percentage of IP packets that the device allocates for out-of-order fragmented IP datagrams.
Values: 0 – 100
Default: 25
Aging: The amount of time, in seconds, that the device keeps the fragmented datagrams in the queue.
Values: 1 – 255
Default: 1
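The fragment handling described above, as an added Python model (not code from the device or from Check Point): fragments are grouped by the IP identification tuple, only the first fragment carries the transport header and so decides the verdict for the whole datagram, fragments that arrive before their first fragment wait in a queue, and a datagram whose first fragment never shows up (asymmetric routing) is discarded once the Aging time has passed. The sample policy, the per-datagram queue limit standing in for the percentage-based Queueing-limit, and the sample fragments are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Fragment:
    src: str
    dst: str
    ident: int                         # IP Identification, shared by all fragments of one datagram
    proto: int                         # IP protocol number
    offset: int                        # fragment offset, in bytes
    more: bool                         # More Fragments flag
    length: int                        # payload bytes carried by this fragment
    l4_dst_port: Optional[int] = None  # only the first fragment carries the L4 header

@dataclass
class DatagramState:
    first_seen: float
    verdict: Optional[str] = None      # decided once, from the first fragment
    queued: List[Fragment] = field(default_factory=list)  # out-of-order fragments awaiting it
    received: int = 0
    total_len: Optional[int] = None    # known once the last fragment (More Fragments = 0) is seen

Key = Tuple[str, str, int, int]

class FragmentTracker:
    """Constructed model: classify a datagram once and forward its fragments unreassembled."""

    def __init__(self, classify: Callable[[Fragment], str], aging: int = 1, queue_limit: int = 8):
        self.classify = classify        # policy applied to the first fragment
        self.aging = aging              # seconds a datagram may wait in the queue (page default: 1)
        self.queue_limit = queue_limit  # assumed stand-in for the percentage-based Queueing-limit
        self.table: Dict[Key, DatagramState] = {}
        self.stats = {"forwarded": 0, "dropped": 0, "queued": 0}

    def handle(self, frag: Fragment, now: float) -> List[Tuple[Fragment, str]]:
        """Process one fragment; return the (fragment, verdict) pairs released by this arrival."""
        key: Key = (frag.src, frag.dst, frag.ident, frag.proto)
        dg = self.table.setdefault(key, DatagramState(first_seen=now))
        released: List[Tuple[Fragment, str]] = []
        if frag.offset == 0:
            # First fragment: the only one with L4 ports, so the only one that can be classified.
            dg.verdict = self.classify(frag)
            released.append((frag, dg.verdict))
            released.extend((q, dg.verdict) for q in dg.queued)   # release what arrived early
            dg.queued = []
        elif dg.verdict is not None:
            released.append((frag, dg.verdict))                   # in order: inherit the verdict
        elif len(dg.queued) < self.queue_limit:
            dg.queued.append(frag)                                # out of order: hold it
            self.stats["queued"] += 1
        else:
            released.append((frag, "drop"))                       # queue exhausted
        dg.received += frag.length
        if not frag.more:
            dg.total_len = frag.offset + frag.length
        if dg.total_len is not None and dg.received >= dg.total_len:
            del self.table[key]                                   # all fragments seen: forget it
        for _, verdict in released:
            self.stats["forwarded" if verdict == "forward" else "dropped"] += 1
        return released

    def sweep(self, now: float) -> int:
        """Age out stale entries; fragments still queued (first fragment never came) are dropped."""
        stale = [k for k, d in self.table.items() if now - d.first_seen >= self.aging]
        dropped = sum(len(self.table[k].queued) for k in stale)
        for k in stale:
            del self.table[k]
        self.stats["dropped"] += dropped
        return dropped

def sample_policy(first: Fragment) -> str:
    """Constructed policy: forward datagrams to a small set of expected services, drop the rest."""
    return "forward" if first.l4_dst_port in (53, 443) else "drop"

def demo():
    tracker = FragmentTracker(sample_policy, aging=1)
    # Constructed sample: one 1500-byte UDP datagram (proto 17) split in two, arriving tail first.
    tail = Fragment("198.51.100.10", "203.0.113.5", 0x1A2B, 17, offset=1480, more=False, length=20)
    head = Fragment("198.51.100.10", "203.0.113.5", 0x1A2B, 17, offset=0, more=True, length=1480,
                    l4_dst_port=53)
    early = tracker.handle(tail, now=0.0)     # nothing released: the tail waits for its head
    later = tracker.handle(head, now=0.1)     # head classified, tail released with the same verdict
    # Asymmetric routing: only a non-first fragment of a second datagram ever reaches the device.
    orphan = Fragment("198.51.100.11", "203.0.113.5", 0x0042, 17, offset=1480, more=False, length=40)
    tracker.handle(orphan, now=0.2)
    aged = tracker.sweep(now=1.5)             # past Aging: the incomplete datagram is discarded
    return len(early), [v for _, v in later], aged, dict(tracker.stats)
```

The point the model makes is the security one behind the feature: a non-first fragment carries no ports, so a device that classified each fragment on its own would either guess or let fragments through unexamined; tying every fragment to the verdict of its first fragment keeps the policy consistent, and ageing out orphaned fragments keeps the queue from filling up with datagrams that can never complete.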
Device Overload Mechanism
When the traffic load exceeds the processing capacity of the device, you can enable the Overload mechanism. This mechanism maintains a high level of availability and hardware/software stability, reducing traffic delays or packet loss.
The Overload mechanism identifies overload conditions, notifies about them, and automatically takes actions that aim to reduce the operations that consume resources.
Note: When the device operations are reduced, some of the security functionalities are compromised.
To enable the overload mechanism
1. Select Device > Overload Mechanism.
2. Select one of the following:
Enable to start the Overload mechanism.
Disable to stop the Overload mechanism.
3. Click Set.
High Availability
High Availability Global Parameters
To support high availability (HA), you can configure two compatible DDoS Protector devices to operate in a two-node cluster.
To be compatible, both cluster members must be of the same platform, software version, software license, throughput license, and Check Point signature file.
One member of the cluster is the primary; the other member of the cluster is the secondary. The primary device is the device on which you configure the High Availability Pair Definition.
When you configure a cluster and submit the configuration, the newly designated primary device configures the required parameters on the designated secondary device.
The members of a cluster work in an active-passive architecture. When a cluster is created:
The primary and secondary devices negotiate the active/passive status according to the specified triggers and thresholds. If both device environments are nominal, the primary device becomes the active member.
The primary device transfers the relevant configuration objects to the secondary device. A secondary device maintains its own configuration for the device users, IP interfaces, routing, and the port-pair Failure Mode (see Forwarding Table).
A primary device immediately transfers each relevant change to its secondary device. For example, after you make a change to a Network Protection policy, the primary device immediately transfers the change to the secondary device. However, if you change the list of device users on the primary device, the primary device transfers nothing (because the secondary device maintains its own list of device users).
The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections. If a passive device does not detect the active device according to the specified Heartbeat Timeout, the device switches to the active state (even though the peer might actually be in a nominal situation). The following situations trigger the active device and the passive device to switch states (active to passive and passive to active):
All links are identified as down on the active device according to the specified Link Down Timeout and the peer device has at least one link up.
Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the specified Idle Line Timeout.
You issue the Switch Over command.
If the Enable Failback option is enabled (default: disabled), the secondary device switches from active to passive after the secondary device detects that the primary-device situation is nominal. You cannot perform many actions on a secondary device.
You can perform only the following actions on a secondary device:
Switch the device state (that is, switch over active to passive and passive to active)
Break the cluster if the primary device is unavailable
Configure management IP addresses and routing
Configure the port-pair Failure Mode
Manage device users
Download a device configuration
Upload a signature file
Download the device log file
Download the support log file
Reboot
Shut down
Change the device name
Change the device time
Initiate a baseline synchronization if the device is passive, using CLI or Web Based Management
Notes:
By design, an active device does not fail over during a user-initiated reboot. Before you reboot an active device, you can manually switch to the other device in the cluster.
You can initiate a baseline synchronization if a cluster member is passive.
When you upgrade the device software, you need to break the cluster (that is, ungroup the two devices). Then, you can upgrade the software and reconfigure the cluster, as you require.
In an existing cluster, you cannot change the role of a device (primary to secondary or vice versa). To change the role of a device, you need to break the cluster (that is, ungroup the two devices), and then, reconfigure the cluster as you require.
When a passive device becomes active, any grace time resets to 0 (for example, the time of the Graceful Startup Mode Startup Timer).
To configure the global setting for high availability
1. Select Device > High Availability > Global Parameters.
2. Configure the parameter, and click Set.
Parameter Description
Mechanism Status Specifies whether the device is a member of a two-node cluster for high availability.
High Availability Advanced Configuration
Note: For more information on high availability, see Global Parameters.
To configure the advanced settings for high availability
1. Select Device > High Availability > Advanced Configuration.
2. Configure the parameters, and click Set.
Parameter Description
Baseline Sync Interval: The interval, in seconds, at which the active device synchronizes the BDoS and HTTP Mitigator baselines.
Values: 3600 – 86,400
Default: 3600
Heartbeat Timeout: The time, in seconds, that the passive device detects no heartbeat from the active device before the passive device becomes active.
Values: 1 – 10
Default: 5
Link Down Timeout: The time, in seconds, after all links to the active device are identified as being down before the devices switch states.
Values: 1 – 65,535
Default: 1
Note: If a dead link or idle line is detected on both cluster members, there is no switchover.
Switchover Sustain Timeout: The time, in seconds, after a manual switchover during which the cluster members do not change states.
Values: 30 – 3600
Default: 180
Idle Line Detection Status: Specifies whether the devices switch states due to an idle line detected on the active device.
Default: disable
Note: If an idle line is detected on both cluster members, there is no switchover.
Total BW Threshold: The bandwidth, in Kbit/s, below which the line is considered idle and a switchover is triggered when Idle Line Detection Status is enable.
Values: 512 – 4,294,967,296
Default: 512
Note: If Idle Line Detection Status is disable, this parameter is ignored.
Idle Line Timeout: The time, in seconds, with line bandwidth below the Total BW Threshold that triggers a switchover when Idle Line Detection Status is enable.
Values: 3 – 65,535
Default: 10
Note: If Idle Line Detection Status is disable, this parameter is ignored.
Enable Failback: Specifies whether the secondary device can automatically fail back to the primary.
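The switchover triggers described under Global Parameters, driven by the timers and thresholds in this table, as an added Python model (not code from the device or from Check Point). The member status fields, the trigger priority order and the sample timeline are constructed for the example; it also assumes that the Switchover Sustain Timeout blocks every automatic trigger, including heartbeat loss, which the page does not state.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class HAConfig:
    # Defaults follow the Advanced Configuration table above.
    heartbeat_timeout: int = 5
    link_down_timeout: int = 1
    switchover_sustain_timeout: int = 180
    idle_line_detection: bool = False
    total_bw_threshold_kbps: int = 512
    idle_line_timeout: int = 10
    enable_failback: bool = False

@dataclass
class MemberStatus:
    links_up: int          # data links currently up on this member (constructed field)
    bw_kbps: int           # line bandwidth currently seen by this member
    last_heartbeat: float  # when the peer last received a heartbeat from this member

class ClusterModel:
    """Constructed model of the active/passive decisions described above (not device code)."""

    def __init__(self, cfg: HAConfig):
        self.cfg = cfg
        self.active = "primary"                          # nominal start: the primary is active
        self.since: Dict[Tuple[str, str], float] = {}    # (condition, member) -> when it began
        self.sustain_until = float("-inf")
        self.log: List[Tuple[float, str, str]] = []

    def passive(self) -> str:
        return "secondary" if self.active == "primary" else "primary"

    def _switch(self, now: float, reason: str) -> None:
        self.log.append((now, f"{self.active}->{self.passive()}", reason))
        self.active = self.passive()

    def _track(self, cond: str, member: str, holds: bool, now: float) -> None:
        if holds:
            self.since.setdefault((cond, member), now)
        else:
            self.since.pop((cond, member), None)

    def _held_for(self, cond: str, member: str, now: float, timeout: float) -> bool:
        start = self.since.get((cond, member))
        return start is not None and now - start >= timeout

    def _nominal(self, member: str, status: Dict[str, MemberStatus], now: float) -> bool:
        st = status[member]
        return (st.links_up > 0 and ("idle", member) not in self.since
                and now - st.last_heartbeat <= self.cfg.heartbeat_timeout)

    def manual_switchover(self, now: float) -> str:
        """Switch Over command: states flip and stay put for the Switchover Sustain Timeout."""
        self._switch(now, "manual switchover")
        self.sustain_until = now + self.cfg.switchover_sustain_timeout
        return self.active

    def evaluate(self, now: float, status: Dict[str, MemberStatus]) -> str:
        """Apply the triggers in (assumed) priority order; return which member is active afterwards."""
        cfg, act, pas = self.cfg, self.active, self.passive()
        for name, st in status.items():
            self._track("links_down", name, st.links_up == 0, now)
            self._track("idle", name, cfg.idle_line_detection and st.bw_kbps < cfg.total_bw_threshold_kbps, now)
        if now < self.sustain_until:
            return self.active   # assumption: the sustain window blocks every automatic trigger
        if now - status[act].last_heartbeat > cfg.heartbeat_timeout:
            self._switch(now, "heartbeat timeout")          # fires even if the peer is really fine
        elif self._held_for("links_down", act, now, cfg.link_down_timeout) and status[pas].links_up > 0:
            self._switch(now, "all links down on active")   # no switch when both sides are down
        elif self._held_for("idle", act, now, cfg.idle_line_timeout) and ("idle", pas) not in self.since:
            self._switch(now, "idle line on active")        # no switch when both lines are idle
        elif cfg.enable_failback and act == "secondary" and self._nominal("primary", status, now):
            self._switch(now, "failback to primary")
        return self.active

def demo():
    """Constructed timeline: link failure, failback, manual switchover, then heartbeat loss."""
    cfg = HAConfig(idle_line_detection=True, enable_failback=True, switchover_sustain_timeout=30)
    cluster = ClusterModel(cfg)
    nominal = lambda now: MemberStatus(links_up=2, bw_kbps=50_000, last_heartbeat=now)
    all_down = lambda now: MemberStatus(links_up=0, bw_kbps=0, last_heartbeat=now)
    for t in (0, 1, 2):                                                    # both healthy: no change
        cluster.evaluate(t, {"primary": nominal(t), "secondary": nominal(t)})
    cluster.evaluate(3, {"primary": all_down(3), "secondary": nominal(3)})  # link-down timer starts
    cluster.evaluate(4, {"primary": all_down(4), "secondary": nominal(4)})  # held 1 s: switch
    cluster.evaluate(5, {"primary": nominal(5), "secondary": nominal(5)})   # primary nominal: failback
    cluster.manual_switchover(6)                                           # operator switch, 30 s sustain
    during = cluster.evaluate(20, {"primary": nominal(20),
                                   "secondary": MemberStatus(2, 50_000, last_heartbeat=10)})
    after = cluster.evaluate(40, {"primary": nominal(40),
                                  "secondary": MemberStatus(2, 50_000, last_heartbeat=30)})
    return [reason for _, _, reason in cluster.log], during, after
```

Two behaviours from the page are worth noticing in the run: at t=20 the secondary's heartbeat is already stale, but the cluster holds state because the sustain window after the manual switchover is still open; at t=40 the same condition flips the cluster back, and the model does so without checking whether the peer is actually healthy, exactly the false-positive the Heartbeat Timeout note warns about.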
Pair Definition
High Availability Pair Definition
Note: For more information on high availability, see Global Parameters.
To define a high-availability pair
1. Select Device > High Availability > Pair Definition > Pair Parameters.
2. Configure the parameters, and click Set.
Parameter Description
MNG-1 Peer IP Address: The IP address of the MNG-1 port on the peer device.
MNG-2 Peer IP Address: The IP address of the MNG-2 port on the peer device.
Secondary User Name: The user name for the secondary device.
Secondary Password: The password for the secondary device.
Update High Availability Pair Definition
Note: For more information on high availability, see Global Parameters.
To update a definition of a high-availability pair
1. Select Device > High Availability > Pair Definition > Update Pair.
2. Click Set.
High Availability Monitoring
You can monitor high-availability parameters.
Note: For more information on high availability, see Global Parameters.
To monitor high availability
Select Device > High Availability > Monitoring. The following information is displayed:
High-Availability Priority
High-Availability State
High-Availability Protection State
Last Successful Baseline Sync
Incompatibility Status (primary only)
Synchronization IP Interface
Peer IP
Switch Over
Note: For more information on high availability, see Global Parameters.
To switch over to the peer device
1. Select Device > High Availability > Switch Over.
2. Click Set.
Activate Baseline Sync with Peer Device
Note: For more information on high availability, see Global Parameters.
To activate a baseline sync with the peer device
1. Select Device > High Availability > Baseline Sync.
2. Click Set.
Reset Secondary
You can reset the secondary device when the device role is primary.
Note: For more information on high availability, see Global Parameters.
To reset the secondary device
1. Select Device > High Availability > Reset Secondary.
2. Click Set.
Tunneling
Carriers, service providers, and large organizations use various tunneling protocols to transmit data from one location to another. This is done using the IP network so that network elements are unaware of the data encapsulated in the tunnel.
Tunneling implies that traffic routing is based on source and destination IP addresses. When tunneling is used, IPS devices and load balancers cannot locate the relevant information because their decisions are based on information located inside the IP packet in a known offset, and the original IP packet is encapsulated in the tunnel.
To provide a carrier-grade IPS/DoS solution, DDoS Protector inspects traffic in tunnels, positioning DDoS Protector in peering points and carrier network access points.
You can install DDoS Protector in different environments, which might include encapsulated traffic using different tunneling protocols. In general, wireline operators deploy MPLS and L2TP for their tunneling, and mobile operators deploy GRE and GTP.
DDoS Protector can inspect traffic that may use various encapsulation protocols. In some cases, the external header (tunnel data) is the data that DDoS Protector needs to inspect. In other cases, DDoS Protector needs to inspect the internal data (IP header and even the payload). You can configure DDoS Protector to meet your specific inspection requirements.
Note: Changing the configuration of this feature takes effect only after a device reset.
To configure tunneling
1. Select Device > Tunneling.
2. Configure the parameters, and click Set.
Parameter Description
Apply Black and White List Rules to the Encapsulated Headers: Specifies whether the device applies Black List and White List rules to the encapsulated headers.
Default: Disabled
Inspect Encapsulated GRE Traffic: Specifies whether the device inspects this type of traffic.
Default: Disabled
Inspect Encapsulated GTP Traffic: Specifies whether the device inspects this type of traffic.
Default: Disabled
Inspect Encapsulated L2TP Traffic: Specifies whether the device inspects this type of traffic.
Default: Disabled
Inspect VLAN (802.1Q) and MPLS Traffic: Specifies whether the device inspects this type of traffic.
Default: Disabled
Note: You can configure the device to inspect the traffic using the common Layer 2 tunneling protocols, VLAN (802.1Q) and MPLS. Inspecting these types of L2 tunnels, as part of the protection criteria, is essential in environments such as Managed Security Service Providers (MSSP).
Inspect Encapsulated IP-in-IP Traffic: Specifies whether the device inspects this type of traffic.
Default: Disabled
Bypass IPsec Traffic: Specifies whether the device bypasses IPsec traffic (that is, whether the device passes IPsec traffic through without inspection).
Default: Enabled
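Why a fixed-offset inspector misses tunneled traffic, and how an inspector that follows the encapsulation chain finds the inner header, as an added Python example (not code from the device or from Check Point). It walks 802.1Q, MPLS, IP-in-IP and GRE encapsulations under a policy dict whose keys stand in for the table parameters above (GTP and L2TP are left out), and builds its own sample frame; the policy names, the frame and the addresses are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 4, 17, 47, 50, 51

@dataclass
class InnerHeader:
    layers: List[str]   # encapsulation chain that was walked to reach this header
    src: str
    dst: str
    proto: int
    l4_offset: int      # where the transport header of this IP packet starts

def inspection_policy(**overrides) -> Dict[str, bool]:
    """Constructed policy dict standing in for the Tunneling parameters (page defaults)."""
    policy = {"inspect_gre": False, "inspect_ipip": False, "inspect_l2": False, "bypass_ipsec": True}
    policy.update(overrides)
    return policy

def _addr(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def walk_ipv4(buf: bytes, off: int, layers: List[str], policy: Dict[str, bool]) -> Optional[InnerHeader]:
    """Follow IP-in-IP and GRE encapsulations as far as the policy allows."""
    while True:
        if buf[off] >> 4 != 4:
            raise ValueError("not IPv4")
        ihl = (buf[off] & 0x0F) * 4
        proto = buf[off + 9]
        src, dst = _addr(buf[off + 12:off + 16]), _addr(buf[off + 16:off + 20])
        layers.append("ipv4")
        if proto in (IPPROTO_ESP, IPPROTO_AH) and policy["bypass_ipsec"]:
            return None                                    # passed through uninspected
        if proto == IPPROTO_IPIP and policy["inspect_ipip"]:
            layers.append("ip-in-ip")
            off += ihl
            continue
        if proto == IPPROTO_GRE and policy["inspect_gre"]:
            flags, gre_proto = struct.unpack_from("!HH", buf, off + ihl)
            if gre_proto != ETH_IPV4:
                return InnerHeader(layers, src, dst, proto, off + ihl)
            # C/R (bits 15/14), K (bit 13) and S (bit 12) each add one 4-byte optional field.
            opt = 4 * (bool(flags & 0xC000) + bool(flags & 0x2000) + bool(flags & 0x1000))
            layers.append("gre")
            off += ihl + 4 + opt
            continue
        return InnerHeader(layers, src, dst, proto, off + ihl)

def inspect_packet(buf: bytes, policy: Dict[str, bool]) -> Optional[InnerHeader]:
    """Return the innermost IPv4 header the policy lets us reach, or None for pass-through."""
    layers = ["ethernet"]
    etype = struct.unpack_from("!H", buf, 12)[0]
    off = 14
    while etype == ETH_VLAN:
        if not policy["inspect_l2"]:
            return None
        layers.append("802.1q")
        etype = struct.unpack_from("!H", buf, off + 2)[0]   # tag = 2-byte TCI + 2-byte next type
        off += 4
    if etype == ETH_MPLS:
        if not policy["inspect_l2"]:
            return None
        bottom = False
        while not bottom:                                    # pop the label stack
            entry = struct.unpack_from("!I", buf, off)[0]
            bottom = bool(entry & 0x100)                     # S bit: bottom of stack
            layers.append(f"mpls:{entry >> 12}")
            off += 4
        etype = ETH_IPV4 if buf[off] >> 4 == 4 else 0       # MPLS carries no type: infer from version
    if etype != ETH_IPV4:
        return None                                          # non-IPv4 payloads are outside this example
    return walk_ipv4(buf, off, layers, policy)

def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (IHL 5; checksum left zero because nothing here verifies it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def build_sample() -> bytes:
    """Constructed frame: Ethernet / 802.1Q / MPLS / IPv4 / GRE / IPv4 / UDP to port 53."""
    udp = struct.pack("!HHHH", 5353, 53, 12, 0) + b"ping"
    inner = _ipv4("10.0.0.2", "10.0.0.1", IPPROTO_UDP, udp)
    gre = struct.pack("!HH", 0, ETH_IPV4) + inner
    outer = _ipv4("192.0.2.1", "198.51.100.1", IPPROTO_GRE, gre)
    mpls = struct.pack("!I", (1234 << 12) | (1 << 8) | 64)   # label 1234, bottom of stack, TTL 64
    vlan = struct.pack("!HH", 100, ETH_MPLS)                  # VLAN ID 100, next protocol MPLS
    return b"\x00" * 12 + struct.pack("!H", ETH_VLAN) + vlan + mpls + outer
```

With every inspection option enabled, the walk ends at the inner 10.0.0.2 to 10.0.0.1 UDP packet and reports the transport header at byte 66; with GRE inspection left at its default, the same frame is classified on the outer tunnel endpoints and protocol 47, so any rule written against the inner ports never matches; with L2 inspection disabled, the frame is not inspected at all.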
IP Version Mode
Use the IP Version Mode pane to set the IP version to IPv4 and IPv6, or to IPv4 only.
To set the IP version mode
1. Select Device > IP Version Mode.
2. From the drop-down list, select ipv4and6 or ipv4.
3. Click Set.
Dynamic Protocols
Dynamic Protocols: General
Check Point's Classification Engine classifies both static applications and dynamic applications. A dynamic application is an application that has multiple connections belonging to the same session. For example, FTP has a Control Session and a Data Session, and SIP has Signaling sessions, Data sessions (RTP), and Control sessions (RTCP).
In some scenarios, the dynamic sessions should stay in the Session Table longer than regular sessions. In VoIP, SIP, and H.225, for example, there may be a period with no traffic while the call is still active, so the session should not age.
You can configure different aging times for various dynamic applications and configure different policies for different connections of the same session. In FTP, for example, you can set one policy for the FTP data and another policy for the FTP control.
Note: The default status for all Dynamic Protocols, other than SIP, is enabled.
You can set the aging time for the following Dynamic Protocols:
FTP
TFTP
Rshell
Rexec
H.225
SIP
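How per-class aging plays out in a session table, covering both the TCP Handshake Timeout from the Session Table section and the dynamic-protocol aging described here, as an added Python model (not code from the device or from Check Point). The general Session Aging Time value of 60 seconds, the session keys and the timeline are constructed; the model also assumes that a dynamic aging value of 0 (the page default for FTP, TFTP, Rshell, Rexec, H.225 and RTCP) falls back to the general Session Aging Time, which the page states only for the handshake timeout.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int, str, int, str]   # (src ip, src port, dst ip, dst port, "tcp"/"udp")

@dataclass
class AgingConfig:
    session_aging_time: int = 60        # assumed general aging value; the page gives none here
    tcp_handshake_timeout: int = 10     # page default; 0 means "use session_aging_time"
    dynamic: Dict[str, int] = field(default_factory=lambda: {
        "ftp-control": 0, "ftp-data": 0, "sip-signaling": 20, "rtcp": 0})  # page defaults

@dataclass
class Session:
    app: Optional[str]        # dynamic application class, or None for a regular session
    established: bool         # TCP three-way handshake completed (always True for UDP)
    created: float
    last_seen: float

class SessionTable:
    """Constructed model: one timer class per entry, chosen from its state and application."""

    def __init__(self, cfg: AgingConfig):
        self.cfg = cfg
        self.sessions: Dict[Key, Session] = {}

    def open(self, key: Key, now: float, app: Optional[str] = None) -> None:
        self.sessions[key] = Session(app=app, established=(key[4] != "tcp"), created=now, last_seen=now)

    def handshake_done(self, key: Key, now: float) -> None:
        s = self.sessions[key]
        s.established, s.last_seen = True, now

    def touch(self, key: Key, now: float) -> None:
        self.sessions[key].last_seen = now       # any packet of the session refreshes it

    def timeout_for(self, s: Session) -> Tuple[str, int, float]:
        """Return (reason, timeout in seconds, reference time) that governs this entry."""
        cfg = self.cfg
        if not s.established:   # embryonic TCP session: handshake timer, measured from creation
            return ("handshake-timeout", cfg.tcp_handshake_timeout or cfg.session_aging_time, s.created)
        # assumption: a dynamic aging value of 0 falls back to the general Session Aging Time
        if s.app in cfg.dynamic and cfg.dynamic[s.app] > 0:
            return ("dynamic-aging:" + s.app, cfg.dynamic[s.app], s.last_seen)
        return ("session-aging", cfg.session_aging_time, s.last_seen)

    def sweep(self, now: float) -> List[Tuple[Key, str]]:
        """Remove expired entries; return what was removed and why."""
        expired = []
        for key, s in list(self.sessions.items()):
            reason, timeout, since = self.timeout_for(s)
            if now - since >= timeout:
                expired.append((key, reason))
                del self.sessions[key]
        return expired

def demo() -> Dict[int, List[Tuple[int, str]]]:
    """Constructed timeline: a SYN that never completes, an FTP control+data pair, a SIP call."""
    table = SessionTable(AgingConfig())
    syn_only = ("198.51.100.7", 40001, "203.0.113.10", 443, "tcp")
    ftp_ctl = ("198.51.100.8", 40002, "203.0.113.20", 21, "tcp")
    sip = ("198.51.100.9", 5060, "203.0.113.30", 5060, "udp")
    ftp_data = ("203.0.113.20", 20, "198.51.100.8", 40003, "tcp")
    table.open(syn_only, 0)
    table.open(ftp_ctl, 0, app="ftp-control")
    table.handshake_done(ftp_ctl, 0)
    table.open(sip, 0, app="sip-signaling")
    events = {5: table.sweep(5), 12: table.sweep(12)}    # t=12: handshake timeout (10 s) has passed
    table.touch(ftp_ctl, 15)                             # control session carries a command ...
    table.open(ftp_data, 15, app="ftp-data")             # ... and spawns the data session
    table.handshake_done(ftp_data, 15)
    events[30] = table.sweep(30)                         # SIP idle 30 s >= its 20 s aging
    events[80] = table.sweep(80)                         # FTP pair idle 65 s >= general 60 s aging
    return {t: [(k[3], r) for k, r in ev] for t, ev in events.items()}
```

The handshake timer is the one to watch from a DoS standpoint: an embryonic TCP entry is held for at most the TCP Handshake Timeout, not the much longer general aging time, which bounds how much table space half-open connections can occupy; setting it to 0 removes that bound, as the fallback in `timeout_for` shows.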
Dynamic Protocols: FTP
The FTP Configuration window enables you to configure the control session and data session Aging Time for FTP Dynamic Protocol.
Note: When Dynamic Protocol Support is enabled for FTP, it is not possible to limit the bandwidth of a specific file download (using a filter for the RETR command and the file name).
To set the FTP dynamic protocol parameters
1. Select Device > Dynamic Protocols > FTP.
2. Configure the parameters, and click Set.
Parameter Description
Status: Specifies whether to enable FTP Dynamic Protocol.
Control Session Aging Time: The Control Session Aging Time, in seconds.
Default: 0
Data Session Aging Time: The Data Session Aging Time, in seconds.
Default: 0
Dynamic Protocols: TFTP
The TFTP Configuration window enables you to configure the data session Aging Time for TFTP Dynamic Protocol.
To set the TFTP dynamic protocol parameters
1. Select Device > Dynamic Protocols > TFTP.
2. Configure the parameters, and click Set.
Parameter Description
Status: Specifies whether to enable TFTP Dynamic Protocol.
Data Session Aging Time: The Data Session Aging Time, in seconds.
Default: 0
Dynamic Protocols: Rshell
The Rshell Configuration window enables you to configure the control session and Error session Aging Time for Rshell.
To set the Rshell configuration parameters
1. Select Device > Dynamic Protocols > Rshell.
2. Configure the parameters, and click Set.
Parameter Description
Status: Specifies whether to enable Rshell Dynamic Protocol.
Control Session Aging Time: The Control Session Aging Time, in seconds.
Default: 0
Error Session Aging Time: The Error Session Aging Time, in seconds.
Default: 0
Dynamic Protocols: Rexec
The Rexec Configuration window enables you to configure the control session and Error session Aging Time for Rexec.
To set the Rexec dynamic protocol parameters
1. Select Device > Dynamic Protocols > Rexec.
2. Configure the parameters, and click Set.
Parameter Description
Status: Specifies whether to enable Rexec Dynamic Protocol.
Control Session Aging Time (sec): The Control Session Aging Time, in seconds.
Default: 0
Error Session Aging Time (sec): The Error Session Aging Time, in seconds.
Default: 0
Dynamic Protocols: H.225
The H.225 Configuration window enables you to configure the control session and H.245 session Aging Time for H.225.
To set the H.225 configuration parameters
1. Select Device > Dynamic Protocols > H.225.
2. Configure the parameters, and click Set.
Parameter Description
Status: Specifies whether to enable H.225 Dynamic Protocol.
Control Session Aging Time: The Control Session Aging Time, in seconds.
Default: 0
H.245 Session Aging Time: The H.245 Session Aging Time, in seconds.
Default: 0
Dynamic Protocols: SIP
The SIP Configuration window enables you to configure the Signaling session, RTCP session, and SIP TCP Segments Aging Time for SIP.
Note: Enabling or disabling Dynamic Protocol Support for SIP requires a reboot.
To set the SIP dynamic protocol parameters
1. Select Device > Dynamic Protocols > SIP.
2. Configure the parameters, and click Set.
Parameter Description
Status: Specifies whether to enable SIP Dynamic Protocol.
Signaling Session Aging Time: The Signaling Session Aging Time, in seconds.
Default: 20
RTCP Session Aging Time: The RTCP Session Aging Time, in seconds.
Default: 0
SIP TCP Segments Aging Time: When SIP runs over TCP and packets are segmented, this parameter indicates how long the device keeps the segments.
Default: 5
Chapter 4
Configuring Router Parameters
IP Router
Operating Parameters
The IP Router Parameters window enables you to monitor, add, and edit router settings.
To set the IP router parameters
1. Select Router > IP Router > Operating Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Inactive ARP Timeout: The time, in seconds, that inactive ARP cache entries can remain in the ARP table before the device deletes them. If an ARP cache entry is not refreshed within the specified period, it is assumed that there is a problem with that address.
Default: 60,000
ARP Proxy: Specifies whether the device responds to ARP requests for nodes located on a different direct subnet. (The device responds with its own MAC address.)
Values:
Enabled—The device responds to all ARP requests.
Disabled—The device responds only to ARP requests for its own IP addresses.
Default: Disabled
ICMP Error Messages: Specifies whether ICMP error messages are generated.
Interface Parameters
To configure an interface
1. Select Router > IP Router > Interface Parameters.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
IP Address: The IP address of the interface.
Network Mask: The associated subnet mask.
If Number: The interface identifier. If the interface is a VLAN, the included interfaces are listed in the box in the Edit window.
Fwd Broadcast: Specifies whether the device forwards incoming broadcasts to this interface.
Broadcast Addr: Specifies whether to fill the host ID in the broadcast address with ones or zeros.
VlanTag: The VLAN tag to be associated with this IP interface.
When multiple VLANs are associated with the same switch port, the switch needs to identify to which VLAN to direct incoming traffic from that specific port. VLAN tagging provides an indication in the Layer 2 header, which enables the switch to make the correct decision.
Peer Address: The address of the peer.
To update the ICMP interface parameters
1. Select Router > IP Router > Interface Parameters.
2. Click the IP address of the ICMP interface that you want to update.
3. Configure the parameters, and click Set.
Parameter Description
IP Address: The IP address of the interface.
Advert. Address: The IP destination address for multicast Router Advertisements sent from the interface. Possible values are the all-systems multicast address, 224.0.0.1, or the limited-broadcast address, 255.255.255.255.
Max Advert. Interval: The maximum time, in seconds, between multicast Router Advertisements from the interface. Possible values are between the Min Advert. Interval defined below and 1800 seconds.
Min Advert. Interval: The minimum time, in seconds, between sending unsolicited multicast Router Advertisements from the interface. Possible values are between 3 seconds and the Max Advert. Interval defined above. The default value is 0.75 of the Max Advert. Interval.
Advert. Lifetime: The maximum time, in seconds, that the advertised addresses are considered valid. Must be no less than the Max Advert. Interval defined above, and no greater than 9000 seconds. The default value is three times the Max Advert. Interval.
Advertise: Enables advertising the device IP address using ICMP Router Advertisements.
Preference Level: The preference level of the address as a default router address, relative to other router addresses on the same subnet.
Reset to Defaults: Resets the ICMP interface parameters to the default values.
Routing Table
DDoS Protector supports IP routing compliant with RFC1812 router requirements. Dynamic addition and deletion of IP interfaces is supported. This ensures that extremely low latency is maintained. IP router supports RIP I, RIP II and OSPF routing protocols. OSPF is an intra-domain IP routing protocol, intended to replace RIP in bigger or more complex networks. OSPF and its MIB are supported as specified in RFC 1583 and RFC 1850, with some limitations.
To configure a route
1. Select Router > Routing Table.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Destination Address: The destination IP address of this route.
Network Mask: The destination network mask of this route.
Next Hop: The address of the next system of this route, local to the interface.
Interface Index: The IF Index of the local interface through which the next hop of this route is reached.
Type: How remote routing is handled.
Values:
remote—Forwards packets.
reject—Discards packets.
Metric: The number of hops to the destination network.
ARP Table
The ARP (Address Resolution Protocol) Table window allows you to update and create ARP entries on the local route.
To update an existing ARP entry
1. Select Router > ARP Table.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Interface Index: The interface number on which the station resides.
IP Address: The station's IP address.
MAC Address: The station's MAC address.
Type: The entry type.
Values:
Other
Invalid
Dynamic—The entry is learned from the ARP protocol. If the entry is not active for a predetermined time, the entry is deleted from the table.
Static—The entry has been configured by the network management station and is permanent.
Chapter 5
Configuring DDoS Protector
Parameters
DoS Signatures
Application Security
Application Security Global Parameters
Application Security is a mechanism that delivers advanced attack detection and prevention capabilities. This mechanism is used by several security modules to provide maximum protection for network elements, hosts, and applications.
To set the application security global parameters
1. Select DDoS Protector > DoS Signatures > Application Security > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Protection Status: Select enable to start protection.
Default: enable
MAX URI Length: The maximum URI length permitted. If a URI is longer than the configured value, the URI is considered illegitimate and is dropped.
Default: 500
MIN fragmented URI packet Size: The minimum permitted size, in bytes, of an incomplete URI in an HTTP request. A shorter packet length is treated as a URI protocol anomaly and is dropped.
Default: 50
Security Tracking Tables Free-Up Frequency [ms]: How often, in milliseconds, the device clears unnecessary entries from the table and stores information about newly detected security events.
Default: 1250
Unicode Encoding: The language encoding (the language and character set) to use for detecting security events.
Tcp Reassembly Mechanism Status: Specifies whether the device tries to reassemble fragmented TCP packets.
Default: enable
Session-Drop Mechanism Status: When enabled, the device terminates the whole session when a single malicious packet is recognized.
Default: enable
DoS Shield
DoS Shield Global Parameters
The DoS Shield Global Parameters window enables you to enable the DoS Shield module and set its global parameters.
The DoS Shield mechanism implements a sampling algorithm and handles traffic flooding aimed at creating a denial of network services. Before using DoS Shield, you need to enable the DoS Shield module.
To configure DoS Shield global parameters
1. Select DDoS Protector > DoS Signatures > DoS Shield > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Protection Status: Specifies whether the DoS Shield module is enabled.
Sampling Rate: The rate at which packets are sampled and compared to the Dormant Attacks. You configure a number that indicates per how many packets one sample is taken.
Default: 100—that is, 1 out of 100 packets is checked.
Sampling Frequency: How often, in seconds, DoS Shield compares the predefined thresholds for each Dormant Attack to the current value of the counters of packets matching the attack.
Default: 5
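The interplay of Sampling Rate and Sampling Frequency, as an added Python model (not code from the device or from Check Point): one packet in every `sampling_rate` is compared against each Dormant Attack signature, the per-attack match counters are compared with their thresholds every `sampling_frequency` seconds, and an attack is activated or deactivated on that comparison. The signature predicate, its threshold, the activation/deactivation rule and the synthetic traffic stream are constructed for the example; the page does not describe how a Dormant Attack's threshold is expressed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Tuple

Packet = Dict[str, object]

@dataclass
class DormantAttack:
    name: str
    signature: Callable[[Packet], bool]   # predicate a sampled packet is compared against
    threshold: int                        # sampled matches per interval that activate the attack

class DosShield:
    """Constructed model of sampled detection with periodic threshold comparison."""

    def __init__(self, attacks: List[DormantAttack], sampling_rate: int = 100, sampling_frequency: int = 5):
        self.attacks = attacks
        self.sampling_rate = sampling_rate            # page default: 1 out of 100 packets
        self.sampling_frequency = sampling_frequency  # page default: compare every 5 seconds
        self.seen = 0
        self.sampled = 0
        self.counters: Counter = Counter()
        self.next_eval = float(sampling_frequency)
        self.active: set = set()
        self.events: List[Tuple[float, str, int, str]] = []

    def on_packet(self, now: float, pkt: Packet) -> None:
        if now >= self.next_eval:                     # interval elapsed: compare before counting on
            self.evaluate(now)
        self.seen += 1
        if self.seen % self.sampling_rate:            # not a sampled packet: forward without a look
            return
        self.sampled += 1
        for attack in self.attacks:
            if attack.signature(pkt):
                self.counters[attack.name] += 1

    def evaluate(self, now: float) -> None:
        """Compare each counter with its threshold, record transitions, start a new interval."""
        for attack in self.attacks:
            n = self.counters[attack.name]
            if n >= attack.threshold and attack.name not in self.active:
                self.active.add(attack.name)
                self.events.append((now, attack.name, n, "activated"))
            elif n < attack.threshold and attack.name in self.active:
                self.active.discard(attack.name)
                self.events.append((now, attack.name, n, "deactivated"))
        self.counters.clear()
        self.next_eval = now + self.sampling_frequency

def synthetic_stream() -> Iterator[Tuple[float, Packet]]:
    """Constructed traffic: 500 pps of established-connection packets for 10 s, plus a
    2000 pps burst of bare SYNs during seconds 2 to 5 (the kind of flood a Dormant Attack covers)."""
    for sec in range(10):
        for i in range(500):
            yield sec + i / 500, {"proto": "tcp", "flags": "PA", "dst_port": 443}
        if 2 <= sec <= 5:
            for i in range(2000):
                yield sec + i / 2000, {"proto": "tcp", "flags": "S", "dst_port": 443}

def run_demo() -> Tuple[List[Tuple[float, str, int, str]], int, int]:
    # Threshold 30 sampled SYNs per 5 s interval, i.e. roughly 3000 bare SYNs at a 1:100 sample rate.
    attacks = [DormantAttack("syn-flood", lambda p: p["proto"] == "tcp" and p["flags"] == "S", threshold=30)]
    shield = DosShield(attacks)
    for now, pkt in synthetic_stream():
        shield.on_packet(now, pkt)
    shield.evaluate(10.0)                             # close the last interval explicitly
    return shield.events, shield.seen, shield.sampled
```

Sampling is what keeps this cheap: of 13,000 packets only 130 are matched against signatures. The cost is resolution, which the two parameters trade against each other: a flood shorter than one Sampling Frequency interval, or too thin to put `threshold` of its packets into the sample, is not seen, and a lower Sampling Rate divisor raises sensitivity at the price of per-packet work.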
Filters
Basic Filters
Basic Static Filters
The Basic Static Filters window enables you to view the Basic Filter, which constitutes protection against a specific attack, meaning that each Basic Filter has a specific attack signature and protection parameters.
The Advanced Filter represents a logical AND between two or more Basic Filters. Some attacks have a complex signature comprised of several patterns and content strings. These attacks require more than one basic filter to protect against them.
To view the basic static filters
1. Select DDoS Protector > DoS Signatures > Filters > Basic Filters > Static.
2. Select the basic static filter for which you want to view the details.
Basic User Filters
Note: If you edit the parameters of a filter that is bound to an existing policy, you need to activate the latest changes.
To create a basic filter
1. Select DDoS Protector > DoS Signatures > Filters > Basic Filters > User.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Name: The name of the filter.
Protocol: The protocol used.
Values: IP, UDP, TCP, ICMP
Source App. Port: The source application ports.
Destination App. Port: The destination application ports.
Values: 0 - 65535
Default: 0
OMPC Offset: The location in the packet from which the checking of data starts in order to find specific bits in the IP/TCP header.
Values: 0 - 1513
Default: 0
OMPC Offset Relative to: Specifies the point in the packet to which the selected offset is relative.
Values:
None
IP Header
IP Data
L4 Data
Ethernet
L4 Header
IPV6 Header
Default: None