0% found this document useful (0 votes)

10 views326 pages

Arrayos Asf 3.0.3 User Guide

The ArrayOS ASF 3.0.3 User Guide provides comprehensive information about the Array Networks product, including copyright statements, compliance declarations, and company contact information. It covers various deployment modes, initial configurations, network defense, application defense, and advanced security options. The document is structured into chapters that detail system setup, configuration, and monitoring, ensuring users can effectively utilize the Array Networks solutions.

Uploaded by

bienth89

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

10 views326 pages

Arrayos Asf 3.0.3 User Guide

Uploaded by

bienth89

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 326

ArrayOS ASF 3.0.

3
User Guide
Copyright Statement

Copyright Statement
Copyright©2022 Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, California
95035, USA. All rights reserved.

This document is protected by copyright and distributed under licenses restricting its
use, copying, distribution, and compilation. No part of this document may be
reproduced in any form by any means without prior written authorization of Array
Networks. Documentation is provided “as is” without warranty of any kind, either
express or implied, including any kind of implied or express warranty of
non-infringement or the implied warranties of merchantability or fitness for a
particular purpose.

Array Networks reserves the right to change any products described herein at any
time, and without notice. Array Networks assumes no responsibility or liability
arising from the use of products described herein, except as expressly agreed to in
writing by Array Networks. The use and purchase of this product does not convey a
license to any patent copyright, or trademark rights, or any other intellectual property
rights of Array Networks.

Warning: Modifications made to the Array Networks unit, unless expressly approved by
Array Networks, could void the user’s authority to operate the equipment.

Declaration of Conformity
We, Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, CA 95035,
1-866-692-7729; declare under our sole responsibility that the product(s) Array
Networks, Array Appliance complies with Part 15 of FCC Rules. Operation is subject
to the following two conditions: (1) this device may not cause harmful interference,
and (2) this device must accept any interference received, including interference that
may cause undesired operation.

Warning: This is a Class A digital device, pursuant to Part 15 of the FCC rules. These
limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. This equipment generates, uses, and
can radiate radio frequency energy, and if not installed and used in accordance with the
instruction manual, may cause harmful interference to radio communications. In a
residential area, operation of this equipment is likely to cause harmful interference in
which case the user may be required to take adequate measures. In a domestic
environment this product may cause radio interference in which case the user may be
required to take adequate measures.

2022 Array Networks, Inc.

About Array Networks

Array Networks is a global leader in networking solutions for connecting users and
applications while ensuring performance, availability and security. Using Array,
companies can provide access for any user, anywhere, on any device to applications,
desktops and services running in either the cloud or the enterprise data center. From
Web sites to e-commerce to enterprise applications to cloud services, Array solutions
deliver a premium end-user experience and demonstrable security while ensuring that
revenue and productivity gains always outweigh CAPEX and OPEX.

Engineered for the modern data center, Array Networks application, desktop and
cloud service delivery solutions support the scalability, price-performance, software
agility and leading-edge feature innovation essential for successfully transforming
today's challenges in mobile and cloud computing into opportunities for mobilizing
and accelerating business.

Contacting Array Networks

Please use the following information to contact us at Array Networks:

 Website:

https://www.arraynetworks.com/

 Telephone:

Phone: (408)240-8700

Toll Free: 1-866-692-7729 (1-866-MY-ARRAY)

Support: 1-877-992-7729 (1-877-99-ARRAY)

Fax: (408)240-8754

Telephone access to Array Networks is available Monday through Friday, 9 A.M. to 5

P.M. PST.

 E-mail:

[email protected]

 Address:

1371 McCarthy Boulevard

Milpitas, California 95035, USA

2022 Array Networks, Inc.

Revision History
Date Description
September, 2021 Initial release.

2022 Array Networks, Inc.

Table of Contents
Copyright Statement ...................................................................................................... I

Declaration of Conformity............................................................................................. I

About Array Networks .................................................................................................. II

Contacting Array Networks .......................................................................................... II

Revision History .......................................................................................................... III

Table of Contents .........................................................................................................IV

Chapter 1 Introduction to ASF Product ......................................................................... 1

1.1 Product Overview ............................................................................................ 1

1.2 Major Product Concepts .................................................................................. 1

Chapter 2 ASF Appliance Deployment ......................................................................... 6

2.1 Working Mode ................................................................................................. 6

2.1.1 Transparent Working Mode.................................................................. 6

2.1.2 Proxy Working Mode ........................................................................... 6

2.2 Deployment Mode ........................................................................................... 7

2.2.1 Bridge Deployment Mode..................................................................... 7

2.2.2 Routing Deployment Mode................................................................... 9

2.2.3 TAP Deployment Mode ...................................................................... 14

2.2.4 Defense Options Supported by Different Deployment Modes ........... 16

Chapter 3 Appliance Access and Initial Configurations .............................................. 21

3.1 Connecting ASF Appliance ........................................................................... 21

3.1.1 Console Connection ............................................................................ 21

3.1.2 SSH Connection .................................................................................. 21

3.1.3 WebUI Connection ............................................................................. 22

3.1.4 WebUI SSL Configuration ................................................................. 23

3.2 Reading the LED............................................................................................ 24

3.2.1 LEDs in the Front Panel ...................................................................... 24

3.2.2 LEDs in the Rear Panel ....................................................................... 25

2022 Array Networks, Inc.
All Rights Reserved. IV
Table of Contents

3.3 CLI Overview ................................................................................................ 25

3.3.1 Command Usage Breakdown ............................................................. 25

3.3.2 Access Control Levels ........................................................................ 26

3.4 Initial System Setup and Configuration ......................................................... 27

3.4.1 Configure management port ............................................................... 28

3.4.2 Set the default gateway IP address...................................................... 28

3.4.3 Check the configuration of the IP address. ......................................... 28

3.4.4 Set the system date, time and time zone ............................................. 29

3.4.5 Setting the Listening IP Address for the SSH Service ........................ 30

3.4.6 Start the WebUI .................................................................................. 30

3.4.7 Save the configuration ........................................................................ 30

3.4.8 Import CA Certificate for ASF WebUI .............................................. 30

Chapter 4 General System and Network Configuration .............................................. 32

4.1 Basic System Configuration .......................................................................... 32

4.1.1 System Time ....................................................................................... 32

4.1.2 Host Name .......................................................................................... 33

4.1.3 System Email ...................................................................................... 34

4.2 Network Configuration .................................................................................. 35

4.2.1 Interfaces ............................................................................................. 35

4.2.2 Bridge .................................................................................................. 45

4.2.3 ARP/NDP............................................................................................ 46

4.2.4 DNS..................................................................................................... 48

4.2.5 Route Configuration............................................................................ 48

4.2.6 Proxy IP Pool ...................................................................................... 49

4.2.7 GeoIP .................................................................................................. 51

4.2.8 Geolocation Map ................................................................................. 52

4.2.9 TAP Mode........................................................................................... 53

Chapter 5 Network Defense ......................................................................................... 55

2022 Array Networks, Inc.

5.1 Security Zone ................................................................................................. 55

5.2 Network DDoS Defense ................................................................................ 56

5.2.1 Relations Between Network DDoS Profiles, Rules and Policies ....... 56

5.2.2 Network DDoS Profile........................................................................ 57

5.2.3 TCP DDoS Attack Defense ................................................................ 59

5.2.4 UDP DDoS Attack Defense ................................................................ 61

5.2.5 ICMP DDoS Attack Defense .............................................................. 63

5.3 Global Network DDoS Defense..................................................................... 63

5.3.1 Global Network DDoS Profile ............................................................ 63

5.3.2 Common DoS Attack Defense ............................................................ 64

5.3.3 Malformed Single-packet Attack Defense .......................................... 67

Chapter 6 Application Defense .................................................................................... 72

6.1 Security Service ............................................................................................. 72

6.1.1 Overview ............................................................................................. 72

6.1.2 Configuration Example ....................................................................... 73

6.1.3 Load Balancing ................................................................................... 76

6.2 WAF............................................................................................................... 79

6.2.1 Negative WAF and Positive WAF Security Models .......................... 79

6.2.2 Relationship Between the WAF Profile, Rule and Policy .................. 79

6.2.3 WAF Profile ........................................................................................ 80

6.2.4 WAF Policy ........................................................................................ 92

6.2.5 WAF Automatic Decoding ................................................................. 92

6.2.6 Array Signature Library (ASL) ........................................................... 93

6.3 Application DDoS Defense............................................................................ 97

6.3.1 Relationship Between Application DDoS Profile, Rule and Policy ... 97

6.3.2 Application DDoS Profile ................................................................... 98

6.3.3 HTTP DDoS Defense ....................................................................... 102

6.3.4 SSL DDoS Defense........................................................................... 105

2022 Array Networks, Inc.

6.3.5 DNS DDoS Profile............................................................................ 106

6.4 HTTP Profile................................................................................................ 110

6.4.1 General Settings of HTTP Profile ..................................................... 110

6.4.2 HTTP Filter ....................................................................................... 112

6.4.3 Brute Force Defense ......................................................................... 118

6.4.4 HTTP Pattern Validation .................................................................. 120

6.4.5 HTTP File Control ............................................................................ 121

6.4.6 Cookie Tampering Defense .............................................................. 121

6.4.7 Redirecting HTTP Requests to HTTPS ............................................ 122

6.4.8 HTTP Cookie Security Hardening .................................................... 122

6.4.9 HTTP Via Header Masking .............................................................. 123

6.4.10 Header String Insert for HTTP Request/Response ......................... 123

6.4.11 HTTP Response Header Removal .................................................. 124

6.4.12 HTTP Response Rewrite................................................................. 124

6.4.13 HTTP Header X-Forwarded-For Field Insertion ............................ 125

6.5 Advanced HTTP Defense Options............................................................... 125

6.5.1 HTTP Access Logging ...................................................................... 125

6.5.2 Allowed Hostname............................................................................ 126

6.5.3 HTTP URL Monitoring .................................................................... 126

6.5.4 HTTP URL Detection ....................................................................... 127

6.5.5 HTTP Error Page Customization ...................................................... 128

6.5.6 HTTP Real Source IP Detection ....................................................... 128

6.5.7 HTTP Compression Forbidding........................................................ 129

6.5.8 Client Certificate Information Forwarding ....................................... 129

6.5.9 HTTP Request and Response Detection Tuning .............................. 132

6.5.10 Connection Reuse ........................................................................... 134

6.6 DNS Domain Security ................................................................................. 134

6.6.1 DNS Domain Management ............................................................... 135

2022 Array Networks, Inc.

6.6.2 DNS Domain Query Filter ................................................................ 135

6.6.3 DNS Domain Query Rate Limiting .................................................. 136

6.6.4 DNS Domain Monitoring ................................................................. 137

Chapter 7 Secure Sockets Layer (SSL) ...................................................................... 139

7.1 Overview ...................................................................................................... 139

7.2 Understanding SSL ...................................................................................... 139

7.2.1 Cryptography .................................................................................... 139

7.2.2 Digital Signatures.............................................................................. 140

7.2.3 Digital Certificates ............................................................................ 141

7.3 SSL Acceleration Configuration .................................................................. 149

7.3.1 Configuration Guidelines .................................................................. 149

7.3.2 Configuration Example ..................................................................... 151

Chapter 8 Global and Advanced Security Options .................................................... 164

8.1 Enabling WAF and DDoS Mitigation Functions ......................................... 164

8.2 Traffic Baseline Learning ............................................................................ 164

8.2.1 Traffic Baseline-learning Period ....................................................... 165

8.2.2 Traffic Baseline-learning Content..................................................... 165

8.2.3 Refreshing Automatic DDoS Profile ................................................ 166

8.2.4 Saving Traffic Baseline-learning Result ........................................... 168

8.2.5 Viewing Traffic Baseline-learning Result ........................................ 169

8.2.6 Configuration Example ..................................................................... 169

8.3 Business Model Learning ............................................................................ 173

Chapter 9 IP Reputation ............................................................................................. 175

9.1 Overview ...................................................................................................... 175

9.2 IP Reputation Library Auto-update ............................................................. 176

9.3 IP Reputation Data Filtering ........................................................................ 177

9.4 IP Reputation Profile and Defense Rule ...................................................... 177

Chapter 10 Advanced ACL........................................................................................ 179

2022 Array Networks, Inc.

10.1 TCP ACL Rule ........................................................................................... 179

10.2 UDP ACL Rules ........................................................................................ 181

10.3 ICMP ACL Rules ....................................................................................... 182

10.4 HTTP ACL Rule ........................................................................................ 183

10.4.1 RPS Control .................................................................................... 183

10.4.2 Control Download Speed ................................................................ 185

10.5 DNS ACL Rule .......................................................................................... 186

10.6 IP Whitelist ................................................................................................ 187

10.6.1 Manual IP Whitelist ........................................................................ 187

10.6.2 Automatic IP Whitelist ................................................................... 188

10.7 IP Blacklist ................................................................................................. 188

10.7.1 Manual IP Blacklist......................................................................... 188

10.7.2 Automatic IP Blacklist .................................................................... 189

10.8 URL Whitelist ............................................................................................ 189

Chapter 11 Security Logs........................................................................................... 191

11.1 HTTP Access Logs .................................................................................... 191

11.2 HTTP Violation Logs ................................................................................ 191

11.2.1 Violation Logs for HTTP Filter ...................................................... 191

11.2.2 Violation Logs for Brute Force Defense ......................................... 194

11.2.3 Violation Logs for HTTP Pattern Validation.................................. 195

11.2.4 Violation Logs for HTTP File Control ........................................... 195

11.3 DDoS Attack Logs ..................................................................................... 196

11.4 DDoS Warning Logs.................................................................................. 197

11.5 Web Attack Log ......................................................................................... 198

11.6 WAF Audit Logging .................................................................................. 199

11.7 IP Reputation Logs .................................................................................... 200

Chapter 12 Monitoring Center ................................................................................... 201

12.1 System Status Graphs ................................................................................ 201

2022 Array Networks, Inc.

12.2 Attack Statistics Graphs ............................................................................. 201

12.2.1 Global Attack Statistics................................................................... 201

12.2.2 Network Attack Statistics ............................................................... 203

12.2.3 Application Attack Statistics........................................................... 204

12.3 Traffic Statistics Graphs ............................................................................ 208

12.3.1 Global Traffic Statistics .................................................................. 208

12.3.2 Secuirty Zone’s Traffic Statistics.................................................... 210

12.3.3 Security Service’s Traffic Statistics ................................................ 212

12.4 Packet Drop Statistics Graphs .................................................................... 214

12.4.1 Global Packet Drop Statistics ......................................................... 215

12.4.2 Security Zone’s Packet Drop Statistics ........................................... 215

12.4.3 Security Service’s Packet Drop Statistics ....................................... 216

12.5 Access Statistics Graphs ............................................................................ 217

12.5.1 HTTP Service Access Statistics ...................................................... 217

12.5.2 HTTPS Service Access Statistics.................................................... 218

12.6 Custom Statistics Graph Pane .................................................................... 218

Chapter 13 Report System ......................................................................................... 221

13.1 Overview .................................................................................................... 221

13.2 Creating Report Tasks................................................................................ 221

13.2.1 Creating a Monitoring Report Task ................................................ 221

13.2.2 Creating a System Status Report Task ............................................ 222

13.2.3 Creating a Security Service Status Report Task ............................. 223

13.2.4 Creating a Security Zone Status Report Task ................................. 224

13.2.5 Creating a PCI DSS Compliance Report Task ............................... 225

13.3 Managing Report Tasks ............................................................................. 226

13.3.1 Executing a Report Task ................................................................. 226

13.3.2 Pausing or Resuming a Report Task ............................................... 227

13.3.3 Editing a Report Task ..................................................................... 227

2022 Array Networks, Inc.

13.3.4 Deleting a Report Task ................................................................... 228

13.3.5 Clearing All Report Tasks .............................................................. 228

13.4 Viewing and Downloading Generated Reports ......................................... 228

13.5 Customizing Reports .................................................................................. 230

Chapter 14 High Availability ..................................................................................... 231

14.1 Clustering ................................................................................................... 231

14.1.1 Overview ......................................................................................... 231

14.1.2 Clustering Working Principle ......................................................... 231

14.1.3 Clustering Configuration Example ................................................. 233

14.2 Bypass Function ......................................................................................... 240

14.2.1 Hardware Bypass ............................................................................ 241

14.2.2 Software Bypass.............................................................................. 241

14.3 Emergency Mode ....................................................................................... 242

Chapter 15 System ..................................................................................................... 244

15.1 User Management ...................................................................................... 244

15.1.1 Administrator .................................................................................. 244

15.1.2 Administrator AAA ........................................................................ 244

15.1.3 Role-based Privilege Management ................................................. 245

15.1.4 Pre-defined Roles and Users ........................................................... 247

15.1.5 Administrator Audit Logging ......................................................... 248

15.2 Access Control Management ..................................................................... 251

15.2.1 WebUI Access ................................................................................ 251

15.2.2 WebUI SSL Settings ....................................................................... 252

15.2.3 RESTful API Access....................................................................... 255

15.2.4 Enable Mode Settings ..................................................................... 256

15.2.5 Config Mode Settings ..................................................................... 256

15.2.6 USB Access Control ....................................................................... 256

15.3 System Management .................................................................................. 257

2022 Array Networks, Inc.

15.3.1 System Software Version................................................................ 257

15.3.2 ASF License .................................................................................... 258

15.3.3 System Upgrade .............................................................................. 259

15.3.4 System Reboot and Shutdown ........................................................ 260

15.3.5 System Email .................................................................................. 261

15.3.6 System Disk Space Extension......................................................... 261

15.4 System Alert............................................................................................... 263

15.4.1 Alert Triggering .............................................................................. 263

15.4.2 WebUI Alert Notification ............................................................... 263

15.4.3 Viewing Alerts ................................................................................ 265

15.4.4 Disk Space Insufficiency Alert ....................................................... 266

15.4.5 Security Alert .................................................................................. 268

15.4.6 ASL Event Alert ............................................................................. 271

15.4.7 IRL-update Event Alert................................................................... 272

15.5 Configuration Management ....................................................................... 273

15.5.1 Startup Configuration and Running Configuration......................... 273

15.5.2 Backing Up and Restoring Running Configuration ........................ 274

15.5.3 Backing Up and Restoring Entire Configuration ............................ 275

15.5.4 Clearing Configuration ................................................................... 276

15.5.5 Configuration Synchronization ....................................................... 277

15.6 Database Management ............................................................................... 277

15.6.1 Database Backup ............................................................................. 279

15.6.2 Database Export .............................................................................. 280

15.6.3 Database Import .............................................................................. 280

15.6.4 Database Restore ............................................................................. 281

15.6.5 Database Reset ................................................................................ 281

15.6.6 Database Retention ......................................................................... 281

Chapter 16 Admin Tools ............................................................................................ 282

2022 Array Networks, Inc.

16.1 Logging ...................................................................................................... 282

16.1.1 Overview ......................................................................................... 282

16.1.2 Understanding Logging .................................................................. 282

16.1.3 Logging Configuration.................................................................... 283

16.2 SNMP......................................................................................................... 285

16.2.1 SNMP Request ................................................................................ 286

16.2.2 SNMP Trap ..................................................................................... 286

16.2.3 Configuration Example ................................................................... 287

16.2.4 Configuring SNMP Traps ............................................................... 288

16.3 Troubleshooting ......................................................................................... 288

16.3.1 Debug .............................................................................................. 288

16.3.2 Tools ............................................................................................... 288

16.3.3 Managing Remote Devices ............................................................. 289

Chapter 17 Packet Filtering ....................................................................................... 291

17.1 Overview .................................................................................................... 291

17.2 Packet Filtering Configuration ................................................................... 291

17.2.1 Configuration Scenario ................................................................... 291

17.2.2 Configuration Steps ........................................................................ 292

Appendix I SNMP OID List ...................................................................................... 296

Appendix II Abbreviations and Acronyms ................................................................ 310

2022 Array Networks, Inc.

Chapter 1 Introduction to ASF Product

1.1 Product Overview

Array ASF application security firewall, provides the enterprise-grade Web
Application Firewall and Distributed Denial of Service (DDoS) mitigation solution,
helping protect the critical services of the enterprise data center against the OWASP
Top 10 Web attacks, information leakage, Denial of Service (DoS) attacks, DDoS
attacks and other security threats.

1.2 Major Product Concepts

 WAF

WAF refers to the network security product that performs HTTP protocol and content
inspection on HTTP requests accessing Web servers and server responses based on
predefined filter rules and defense rules so as to provide security defense for Web
servers and Web applications.

 DDoS Mitigation

DDoS attacks employ the client/server technologies to combine multiple computers as

attack platform to initiate distributed DoS attacks against one or more targets,
multiplying the impact of the DoS attacks. DDoS mitigation function can recognize
and block DoS and DDoS attacks and thus mitigate the impact of such attacks.

 Working Mode

The working mode refers to the way that the system process packets when providing
defense for applications. The system supports transparent and proxy defense modes.
Under the transparent working mode, the system will not change the source IP, and
source port, destination IP and destination port of packets. Under the proxy working
mode, the virtual service will provide external services instead of the real service.
When the client request passes the appliance, the system will change at least one of
the destination IP and destination port.

 Deployment Mode

The deployment mode refers to how the ASF appliance is connected to the customer
network. The ASF appliance supports three deployment modes: bridge mode, routing
mode and Terminal Access Point (TAP) mode. In the bridge deployment mode, the
ASF appliance is connected to the network topology in path as a Layer 2 bridge. In
the routing deployment mode, the ASF appliance is connected to the network as a
Layer 3 device. Upstream and downstream devices route the traffic (requests and
responses) to the appliance, and the appliance forwards the traffic out based on

2022 Array Networks, Inc.

routing rules after processing packets. In the TAP deployment mode, the ASF
appliance is used as an out-of-path sniffing device connected to the network and
receives mirrored traffic copied from an external switch.

 Bridge

Bridge is a Layer 2 forwarding device. It works on the data link layer, connects two
Local Area Networks (LANs), and forwards frames based on MAC addresses. When
the ASF appliance is deployed in bridge mode, the administrator needs to create a
bridge, and add the uplink and downlink interfaces to the bridge.

 Security Service

Security service defines a defense object for which the defense against attacks of the
DNS, HTTP, or HTTPS protocol is provided. The defense scope of the security
service is determined by the IP+port pairs and IP subnet+port pairs added to it. The
system provides application DDoS mitigation and WAF (for HTTP-type and
HTTPS-type security services) for traffic only when its destination IP and port
matches an IP+port pair or IP subnet+port pair added to the security service.

 Security zone

The security zone defines the defense object for which defense against network-layer
DoS and DDoS attack is provided and determines the network scope to be protected
by adding the network subnets to the security zone. The system provides the L3 and
L4 DDoS defense services for the traffic only when the destination IP in the traffic
hits the address in the security zone.

 Negative WAF Security Model

The negative WAF security model identifies and blocks abnormal traffic and permits
normal traffic. This model will match client requests and server responses against
built-in signature library and other attack defense rules in order to determine whether
sessions are valid. If they match one or more signatures, client accesses will be
recognized as illegal accesses and the system will block client accesses or record
attack logs according to the configuration made by the administrator.

 Positive WAF Security Model

The positive WAF security model identifies normal traffic and blocks other abnormal
traffic. This model identifies the characteristics of normal application traffic by
automatic traffic learning. This model can generate positive whitelists, which allows
only traffic matching these whitelists to pass. The positive WAF function supports
generating positive whitelists manually or automatically based on the automatic traffic
learning results. If a request does not match any positive whitelist, it will be regarded
as illegal and the system will block the client access or record the attack log according
to the configuration made by the administrator.

2022 Array Networks, Inc.

 WAF Profile

The WAF profile is a set of Web application defense rules integrating both the
negative and positive WAF security models.

 WAF Defense Mode

The WAF defense mode defines that the action will be taken against Web attacks and
is one attribute of the WAF profile. The system supports two WAF defense modes:

 detect: detects and records Web attacks.

 defend: detects, records and prevents Web attacks.

 Signature Rule

Signature rule is a kind of Web attack inspection that recognizes attack behaviors
based on the signatures of known attacks. It is a type of defense rule under the
negative WAF security model and is part of the WAF profile. The system has built in
the Array Signature Library (ASL) released by Array Security Center (ASC), which
contains the signatures of the latest known attacks. ASC will release new ASL
versions regularly. The system that has purchased the subscription license with ASL
update can update the ASL version to obtain the defense capability of latest attacks. In
addition, the system allows the administrator to create custom signatures for attack
inspection.

 DLP Rule

Data Leak Protection (DLP) rules are a type of defense rules that are used to prevent
the user’s private or sensitive information, such as identity information, mobile phone
number, email address, credit card number, from being exposed. They are under the
negative WAF security model and are part of the WAF profile. If the response
returned by the server contains private information, the system will hide sensitive
information or record logs according to the actions configured by the administrator.

 Content Filter Function

The content filter function is used to detect whether the server response contains
sensitive words in order to avoid the exposure of users’sensitive information or to
meet security compliance requirements. It is a type of defense function under the
negative WAF security model and is part of the WAF profile. If the server response
contains any sensitive keyword, the system will perform the configured action, either
to deny the client access, mask the sensitive word or record logs.

 Virtual Patch

The virtual patch function converts external Web vulnerability scanner’s scanning
results (XML-format report) into virtual patches of Web servers, helping shorten the

2022 Array Networks, Inc.

window time that Web server vulnerabilities are exploited by attackers. It is suitable
for hardening the security of Web applications before security events.

 WAF Policy

The WAF policy is used to apply the WAF profile to the specific HTTP-type or
HTTPS-type security service, so as to provide attack detection and blocking for traffic
accessing this service.

 HTTP Filter

The system provides the HTTP filter function to support the HTTP protocol
compliance checks for HTTP-type and HTTPS-type security services. The HTTP
filter function can filter traffic based on HTTP protocol characteristics such as request
method, header length, header count, cookie count, cookie length, URL keyword,
URL length, URL query parameter count, request file MIME type, and HTTP status
code.

 Application DDoS Profile

The application DDoS profile provides the defense function to detect and mitigate
DoS or DDoS attacks specific to certain application protocol, and it protects security
services by providing application-layer DoS and DDoS defense after being applied to
them. According to the application protocol type, the application DDoS profiles can
be classified into HTTP-type DDoS profiles, HTTPS-type DDoS profiles, and
DNS-type DDoS profiles, which provide DDoS defense for HTTP, HTTPS and DNS
applications respectively.

 Network DDoS Profile

The network DDoS profile provides defense functions to detect and mitigate Layer 3
and Layer 4 DoS and DDoS attacks, and it protects security zones by providing Layer
3 and Layer 4 DoS and DDoS defense after being applied to them.

 Global DDoS Profile

The system has built-in global DDoS profile, providing defense against common DoS
attacks and malformed packet attacks. After security zones are added, the global
DDoS profile automatically provides corresponding network-layer defense for them.

 DDoS Defense Mode

The DDoS defense mode is a DDoS profile attribute, which defines what action will
be taken when the DDoS profile detects DDoS attacks. The system supports two
DDoS defense modes:

 detect: detects and records DoS and DDoS attacks.

 block: detects, records and blocks DoS and DDoS attacks.

2022 Array Networks, Inc.

 DDoS Defense Rule

A DDoS defense rule defines one or a set of DDoS attack inspection actions and is
part of the DDoS profile.

 DDoS Policy

The DDoS policy is used to apply the DDoS profile to the DDoS defense object. The
network DDoS policy is used to apply the network DDoS profile to the security zone;
the application DDoS policy is used to apply the application DDoS profile to the
security service.

 Automatic IP Blacklist and Whitelist

The system can automatically generate IP blacklists and whitelists (also called
automatic IP blacklists and whitelists) based on traffic learning to control the client
access.

 Manual IP Blacklist and Whitelist

The system allows the administrator to manually configure IP blacklists and whitelists
(also called manual IP blacklists and whitelists) to control the client access.

 Advanced ACL

The advanced ACL function provides advanced access control on traffic of the
network protocols and application protocols so as to prevent malicious attacks of large
traffic and improve the availability of intranet resources.

 High Availability

High availability is a series of solutions that network appliances provide to avoid

service interruption. For ASF appliance in bridge deployment mode, the administrator
can achieve the high availability of services by using the hardware and software
bypass functions or taking advantage of the upstream and downstream HA devices or
load balancers. For ASF appliances in routing deployment mode, the administrator
can achieve the high availability of services by using the Clustering function provided
by the ASF appliance; the ASF appliances can work in active-standby or active-active
mode.

2022 Array Networks, Inc.

Chapter 2 ASF Appliance Deployment

2.1 Working Mode

The working mode refers to the way that the system process packets when providing
defense for applications. The system supports two working modes: transparent
working mode and proxy working mode.

2.1.1 Transparent Working Mode

Under the transparent working mode, the system will not change the source IP, and
source port, destination IP and destination port of packets. The packets pass the
appliance transparently.

Note: The transparent working mode cannot provide defense for HTTPS-type
applications.

2.1.2 Proxy Working Mode

Under the proxy working mode, the virtual service will provide services externally
instead of the real service. When the client request passes the appliance, the system
will change at least one of the destination IP and destination port. The proxy working
mode supports the Keep Source IP and Port Unchanged option. If this option is
enabled, the appliance will still use the client source IP and port when establishing
connections with real service. If this option is disabled, the appliance will change the
source IP and port to the interface IP and the port assigned by the system when
establishing connections with the real service.

Note: If any system proxy IP pool is configured, the appliance will choose IP addresses
from the pool to establish connections instead of real service. For details, refer to section
4.2.6 Proxy IP Pooll.

According to the binding of the virtual IP (IP address of the virtual service) to the
interface, the proxy working mode can be further divided into arp proxy working
mode and noarp proxy working mode.

Under the arp proxy working mode, the system binds the VIP to the interface and
replies to ARP requests for the VIP.

Under the noarp proxy working mode, the system does not bind the VIP to any
interface. The administrator needs to change the network topology or configuration to
point the traffic accessing the VIP to the appliance. For example, the administrator

2022 Array Networks, Inc.

can point the traffic accessing the VIP to the interface IP by changing the routing
configuration.

2.2 Deployment Mode

2.2.1 Bridge Deployment Mode

In the bridge deployment mode, the appliance is connected to the network topology in
path as a Layer 2 bridge.

The bridge deployment mode supports the transparent working mode (recommended)
and proxy working mode. For deployment suggestionss and configuration example
for the bridge proxy scenario, please refer to the ASF Bridge Proxy Configuration
Guide.

2.2.1.1 Bridge Transparent Scenario

In this deployment scenario, the administrator just needs to connect the appliance to
the network topology in path and do not need to change the existing network
configuration or data flow.

Figure 2–1 Bridge Transparent Scenario

The system receives traffic from an interface of the bridge and sends out at another
interface of the bridge. If the traffic hits any security zone or security service, the
system will forward traffic to corresponding modules for inspection. The system
directly sends out the traffic at another interface of the bridge after inspection.

This scenario supports the hardware bypass function. When the system becomes down,
it can directly bypass the traffic through the bypass unit.

2.2.1.1.1 Deployment Suggestions

To complete the deployment:

2022 Array Networks, Inc.

1. Create a bridge and add two system interfaces to the bridge. It is recommended to
use the pair of interfaces with the bypass unit.

2. Set the two system interface as uplink and downlink interfaces respectively.

3. Connect the uplink interface to the upstream device, and the downlink interface to
the downstream device.

4. Verify that the traffic can transparently pass the appliance normally.

5. Add defense configurations such as security services, profiles, and policies after
verification.

6. Verify that the traffic can pass the appliance normally again.

2.2.1.1.2 Configuration Example

1. Create a bridge, and add system interfaces Port1 and Port2 to the bridge.

AN(config)#bridge name br1

AN(config)#bridge member br1 port1
AN(config)#bridge member br1 port2

2. Set system interfaces port1 and port2 as uplink and downlink interfaces
respectively.

AN(config)#interface uplink port1

AN(config)#interface downlink port2

3. Connect port1 to the upstream device, and port2 to the downstream device, and
verify that the traffic can transparently pass the appliance normally.

4. Define a security service, such as an HTTP-type security service named s1.

AN(config)#security service name s1 http

5. Configure the IP+port pair for the security service.

AN(config)#security service address s1 192.168.100.11 80

6. Define a security zone to provide network DoS/DDoS defense.

AN(config)#security zone name g1

7. Add the IP subnet to which the IP address of the security service belongs to the
security zone.

AN(config)#security zone address g1 192.168.100.0 255.255.255.0

To configure network defense for the defense objects, refer to Chapter 5 Network
Defense. To configure application defense for the defense objects, refer to Chapter 6
Application Defense.

2022 Array Networks, Inc.

2.2.2 Routing Deployment Mode

In the routing deployment mode, the appliance is connected to the network as a Layer
3 device. Upstream and downstream devices route the traffic (requests and responses)
to the appliance, and the appliance forwards the traffic out based on routing rules after
processing packets.

The routing deployment mode supports the transparent working mode and proxy
working mode.

2.2.2.1 Routing Transparent Scenario

In this scenario, the administrator needs to connect the appliance to the network as a
Layer 3 device and set the next-hop of the traffic to the appliance’s interface IP on the
upstream and downstream devices. After the traffic is inspected by the appliance, the
source IP, source port, destination IP, and destination port of packets will not change.

Figure 2–2 Routing Transparent Scenario

In the preceding example, the administrator has set the next-hop of the traffic destined
for the backend server to the IP address of the uplink interface on the upstream
gateway, and set the gateway to the IP address of the downlink interface on the
backend server.

For traffic hitting any security zone or security service, the appliance will forward
them based on routing rules after inspection. For traffic not hitting any security zone
or security service, the appliance directly forwards them based on routing rules.

2.2.2.1.1 Deployment Suggestions

To complete the deployment:

2022 Array Networks, Inc.

1. Set the two system interface as uplink and downlink interfaces respectively and
configure IP addresses for them.

2. Change the network configuration so that request traffic accessing security zones
or security services and the response traffic from the backend server will be
routed to the appliance.

3. Connect the uplink interface to the upstream device, and the downlink interface to
the downstream device.

4. Verify that the appliance can receive and forward traffic from upstream and
downstream devices normally.

5. After verifying that the traffic can pass the appliance normally, add defense
configurations such as security zones, security services, profiles, and policies.

6. Verify that the appliance can receive and forward traffic accessing security zones
or security services normally again.
2.2.2.1.2 Configuration Example

1. Set system interfaces port1 and port2 as uplink and downlink interfaces
respectively.

AN(config)#interface uplink port1

AN(config)#interface downlink port2

2. Configure IP addresses for port1 and port2.

AN(config)#ip address port1 192.168.10.2 255.255.255.0

AN(config)#ip address port2 192.168.100.2 255.255.255.0

3. Connect port1 to the upstream device, and port2 to the downstream device, and
verify that the appliance receives and forwards traffic normally.

4. Define a security service, such as an HTTP-type security service named s1.

AN(config)#security service name s1 http

5. Configure the IP+port pair for the security service.

AN(config)#security service address s1 192.168.100.11 80

6. Define a security zone to provide network DoS/DDoS defense.

AN(config)#security zone name g1

7. Add the IP subnet to which the IP address of the security service belongs to the
security zone.

AN(config)#security zone address g1 192.168.100.0 255.255.255.0

2022 Array Networks, Inc.

To configure network defense for the defense objects, refer to Chapter 5 Network
Defense. To configure application defense for the defense objects, refer to Chapter 6
Application Defense.

2.2.2.2 Routing Proxy Scenario

In this scenario, the appliance functions as the proxy server for the real service. When
users access the real server, they need to access the virtual service on the appliance
first. After the traffic passes the appliance, its destination IP will be changed to the IP
address of the real service. If the administrator has enabled the Keep Source IP and
Port Unchanged option, the source IP and port of request packets will keep unchanged.
Otherwise, the source IP and port of the request packets will be changed to the
interface IP and the port assigned by the system.

According to whether the IP address of the virtual service is bound to the appliance’s
interface, the routing proxy scenario can be further divided into:

 Routing arp proxy: The system binds the IP address of the virtual service (VIP) to
the appliance and replies to ARP requests. The administrator must point the
service traffic that need to be inspected to the VIP on the appliance, as shown
in Figure 2–4.

 Routing noarp proxy: The system does not bind the IP address of the virtual
service (VIP) to the appliance or reply to ARP requests. The administrator must
point the service traffic that need to be inspected to the interface IP on the
appliance, as shown in Figure 2–5.

2022 Array Networks, Inc.

Figure 2–3 ARP Proxy Defense Scenario in Routing Deployment Mode

Figure 2–4 Non-ARP Proxy Defense Scenario in Routing Deployment Mode

Note:

 The routing proxy scenario supports only HTTP-type and HTTPS-type security
services and does not support DNS-type security services.
 If the Keep Source IP and Port Unchanged option is enabled, the administrator also
needs to set gateway of the server to the IP address of the appliance’s downlink
interface.
 Usually, the administrator can point the service traffic that needs to be inspected to

2022 Array Networks, Inc.

the VIP or interface IP on the appliance in two ways: (1) Configure NAT rules on the
upstream gateway or router to change the destination IP and port of the service traffic
to the IP address and port of the appliance; (2) Change the resolved IP address for the
domain name to the appliance’s IP address on the DNS server.

2.2.2.2.1 Deployment Suggestions

To complete the deployment:

1. Set the two system interface as uplink and downlink interfaces respectively and
configure IP addresses for them.

2. Add defense configurations such as security zones, security services, profiles, and
policies.

3. Add DNAT rules on the gateway or modify the DNS resource records on the
DNS server so that the traffic that need to be inspected is pointed to the VIP (in
the routing arp proxy scenario) or the uplink interface IP (in the routing noarp
proxy scenario)) of the appliance.

4. Connect the uplink interface to the upstream device, and the downlink interface to
the downstream device.

5. Verify that the appliance can receive and forward traffic accessing security zones
or security services normally.

2.2.2.2.2 Configuration Example

1. Set system interfaces port1 and port2 as uplink and downlink interfaces
respectively.

AN(config)#interface uplink port1

AN(config)#interface downlink port2

2. Configure IP addresses for port1 and port2.

AN(config)#ip address port1 192.168.10.2 255.255.255.0

AN(config)#ip address port2 192.168.100.2 255.255.255.0

3. Connect port1 to the upstream device, and port2 to the downstream device, and
verify that the appliance receives and forwards traffic normally.

4. Define a virtual service, such as an HTTP-type security service named s1.

AN(config)#security service name s1 http virtual

Note: If you want to keep the client source IP and port unchanged, the administrator can
enable the Keep Source IP and Port Unchanged option, that is “security service name s1
http virtual keepsource”. In addition, the administrator also needs to change the default

2022 Array Networks, Inc.

gateway of the server to the IP address of the appliance’s downlink interface.

5. Configure the IP+port pair for the security service.

AN(config)#security service address s1 192.168.10.3 80 arp

Note: In the routing arp proxy scenario, the arp keyword should be set for the IP address
of the virtual service, while in the routing noarp proxy scenario, the noarp keyword should
be set.

6. Define a real service and associate it with the virtual service.

AN(config)#security real service rs1 http 192.168.100.11 80

AN(config)#security service policy static s1 rs1

7. Define a security zone.

AN(config)#security zone name g1

8. Add the IP address of the virtual service to the security zone as an IP subnet.

AN(config)#security zone address g1 192.168.10.3 255.255.255.255

To configure network defense for the defense objects, refer to Chapter 5 Network
Defense. To configure application defense for the defense objects, refer to Chapter 6
Application Defense.

2.2.3 TAP Deployment Mode

In the Terminal Access Point (TAP) deployment mode, the appliance is used as an
out-of-path sniffing device connected to the network and receives mirrored traffic
copied from an external switch. This deployment mode is simple because it does not
need to change the network topology, nor affect the flow of the current service traffic.
The administrator just needs to configure port mirroring policies on the switch to copy
the traffic that needs to be inspected to the sniffing (TAP) interface of the appliance,
as shown in the following figure.

2022 Array Networks, Inc.

Figure 2–5 TAP Deployment Mode

This deployment mode supports only the transparent working mode. The TAP mode
supports detecting the traffic. The system can record or block detected attacks based
on the settings of the administrator. To block attacks, the administrator needs to use a
system interface as the blocking interface and configure an IP address to ensure that
this interface can communicate with both the client- and server-side networks. In TAP
mode, the system supports resetting the TCP connection by sending TCP RST packets
to the client and server through the blocking interface to block the detected attacks. In
TAP mode, some functions supports only detection and other functions support
detection and blocking. For more details, refer to 2.2.4.

Note: In the TAP mode, since the receiving interface does not have an IP address, it
cannot be found when the system reversely checks the routing table of packets. As a
result, the system does not support IP Spoofing in the TAP mode.

2.2.3.1.1 Deployment Suggestions

To complete the deployment:

1. Enable the TAP mode for the device, specify the sniffing (TAP) interface and
enable the promiscuous mode for the interface.

2. Add defense configurations such as security services, profiles and policies.

3. Configure port mirroring policies on the switch to copy the traffic that needs to be
inspected to the switch port connecting the appliance.

2022 Array Networks, Inc.

4. Verify that the appliance can receive the mirrored traffic normally.

2.2.3.1.2 Configuration Example

1. Enable the TAP Mode

AN(config)#tap on

2. Set port2 as the TAP interface and enable the promiscuous mode for it.

AN(config)#interface promisc port2 enable

3. Define a security service, such as an HTTP-type security service named s1.

AN(config)#security service name s1 http

4. Configure the IP+port pair for the security service.

AN(config)#security service address s1 192.168.100.11 80

5. Define a security zone.

AN(config)#security zone name g1

6. Add the IP address of the security service to the security zone as an IP subnet.

AN(config)#security zone address g1 192.168.100.11 255.255.255.255

To configure network defense for the defense objects, refer to Chapter 5 Network
Defense. To configure application defense for the defense objects, refer to Chapter 6
Application Defense.

2.2.4 Defense Options Supported by Different Deployment

Modes

Bridge Mode Routing Mode TAP Mode

Deployment
Mode Proxy Proxy Proxy
Transparent Transparent Transparent
(noarp) (arp) (noarp)
HTTP-type
security Yes Yes Yes Yes Yes Yes
service
HTTPS-type
security No Yes No Yes Yes No
service
DNS-type
Yes No Yes No No Yes
security

2022 Array Networks, Inc.

Deployment Bridge Mode Routing Mode TAP Mode

Mode
service
Security
Yes Yes Yes Yes Yes Yes
group
Hardware
Yes Yes Yes Yes Yes No
Bypass
Software
Yes Yes Yes Yes Yes No
Bypass
Clustering Yes Yes Yes Yes Yes No
Source
Yes Yes Yes Yes Yes No
Verification
Service
Model Yes Yes Yes Yes Yes Yes
Learning
Traffic
Baseline-lear Yes Yes Yes Yes Yes Yes
ning
Real Source
Yes Yes Yes Yes Yes Yes
Detection
URL
Yes Yes Yes Yes Yes Yes
Detection
URL
Yes Yes Yes Yes Yes Yes
Monitoring
Request
Yes Yes Yes Yes Yes Yes
parsing
Response
Yes Yes Yes Yes Yes No
parsing
Error Page
Customizatio Yes Yes Yes Yes Yes No
n
Attack
detection and Yes Yes Yes Yes Yes Yes
recording
Attack
Yes Yes Yes Yes Yes Yes[a]
blocking
Manual IP
blacklist and Yes Yes Yes Yes Yes No
whitelist
Automatic IP
blacklist and Yes Yes Yes Yes Yes No
whitelist

2022 Array Networks, Inc.

Deployment Bridge Mode Routing Mode TAP Mode

Mode
URL whitelist Yes Yes Yes Yes Yes No
Global DDoS
Yes Yes Yes Yes Yes Yes[b]
defense
Network
DDoS Yes Yes Yes Yes Yes Yes[b]
defense
HTTP
GET/POST Yes Yes Yes Yes Yes No
Flood defense
HTTP
Slowloris/Slo
Yes Yes Yes Yes Yes Yes[c]
w POST
defense
HTTP CC
Attack Yes Yes Yes Yes Yes No
defense
HTTP packet
anomaly Yes Yes Yes Yes Yes Yes[c]
detection
SSL
Handshake
No Yes No Yes Yes No
Attack
defense
SSL
renegotiation No Yes No Yes Yes No
attack defense
SSL Packet
anomaly No Yes No Yes Yes No
detection
DNS DDoS
Yes No Yes No No Yes[d]
defense
Brute Force
Yes Yes Yes Yes Yes No
Defense
Cookie
Tampering/Se
Yes Yes Yes Yes Yes No
ssion
hijacking
HTTP filter
(Request/Res Yes Yes Yes Yes Yes No
ponse)

2022 Array Networks, Inc.

Deployment Bridge Mode Routing Mode TAP Mode

Mode
HTTP Proxy
(Insert/Mask/
Yes Yes Yes Yes Yes No
Redirect/Rem
ove/Rewrite)
Signature-bas
ed defense Yes Yes Yes Yes Yes Yes
(request)
Signature-bas
ed defense Yes Yes Yes Yes Yes No
(response)
DLP Yes Yes Yes Yes Yes No
Virtual patch Yes Yes Yes Yes Yes Yes
Positive WAF Yes Yes Yes Yes Yes Yes
Content Filter Yes Yes Yes Yes Yes No
CSRF
Yes Yes Yes Yes Yes No
Defense
Anti-leech Yes Yes Yes Yes Yes Yes
Web
Anti-Defacem Yes Yes Yes Yes Yes No
ent (WAD)
Anti-crawling Yes Yes Yes Yes Yes No
ICMP/UDP/T
CP/HTTP/DN
Yes Yes Yes Yes Yes No
S/DNS
Domain ACL
IP reputation Yes Yes Yes Yes Yes No

Note:

 The transparent working mode does not support HTTPS-type security services.
 The proxy working mode does not support DNS-type security services.
 Keep in mind the following notes for the TAP mode:
- Attack blocking supports only RST.
- Global DDoS defense and network DDoS defense supports only detecting but
not blocking attacks.
- HTTP Slowloris defense rule, HTTP Slow Post defense rule and HTTP packet
anomaly detection supports only detecting but not blocking attacks.
- DNS DDoS defense (Cache Poisoning, Cache Snooping, NXDomain Flood,
Query Flood, Respone Flood, Packet Length Check, TTL check and packet
anomaly detection) supports only detecting but not blocking attacks.

2022 Array Networks, Inc.

Chapter 3 Appliance Access and Initial

Configurations

3.1 Connecting ASF Appliance

The section explains how to access the ASF appliance using console, SSH and WebUI
management ways to so as to configure and manage it.

3.1.1 Console Connection

If the administrator wants to connect to the ASF appliance using the console, first
connect the management host to the Console interface of the ASF appliance using the
Console cable and install the terminal simulation program software supporting the
VT100 terminal on the management host (for example, PuTTY), and then open the
terminal simulation program software, create a new serial console connection and set
the following parameters:

 The Baud bit is 9600

 The Number of Bits is 8.

 Do not set the Parity bit.

 The Stop Bits is 1

 No Flow Control

After entering the username and password (the default username and password is
“array” and “admin”), the administrator can establish a console connection with the
ASF appliance and enter the command line mode to configure and manage the
appliance.

3.1.2 SSH Connection

The ASF appliance has built-in SSH service. After the SSH service is enabled, the
ASF appliance can work as an SSH server to support the user remote access. If the
administrator needs to establish an SSH connection with the ASF appliance, first
connect the ASF appliance and the management host to the network using the
network cable, install the SSH client on the management host and establish the SSH
connection with the appliance using the SSH client. The administrator needs to input
the IP address of the SSH server when establishing SSH connection with the ASF
appliance. The IP address of the SSH server is the IP address that the administrator

2022 Array Networks, Inc.

configures for the system interface. The default port used to access the appliance
through SSH is 22, and the port value can be modified by the “ssh port” command.

To enhance the system security, the administrator can configure SSH source IP
address and/or source MAC address restriction rules to control the sources that are
allowed to access the SSH service.

Note: If you require the SSH software for Windows, MacOS or UNIX, it is available
on-line at http://www.openssh.com

Assume that the SSH service has been enabled, and the IP address “10.3.55.251” is
configured for a system interface. An example of establishing an SSH connection
with the ASF appliance using the SSH client is as follows:

Run the SSH client program on the management host and execute the following
command:

>> #ssh [email protected]

After the connection is established, the administrator is prompted to enter the

password: The default username is array and the default password is admin.

>> #ssh [email protected]

>> #[email protected]'s password:

Note: Make sure the configurations of IP addresses and general network are correct so that
you can connect to the appliance by using SSH.

3.1.3 WebUI Connection

WebUI provides graphical user interface for configuring and managing the ASF
appliance in a visual and friendly way, which greatly simplifies the configuration
operation but achieves the same configuration effects as the CLI.

Advantages of ASF WebUI:

 Improve user experience with fast response time.

 Maximize the functionality and performance of the ASF appliance.

 Simplify system configuration and management.

Note: WebUI is disabled by default. To configure and manage the ASF appliance using the
WebUI, refer to section 3.4.6 Start the WebUI

2022 Array Networks, Inc.

The ASF appliance provides the WebUI interface, which can be accessed by entering
the IP address and port number of the WebUI in the address bar of the browser. For
example, 8888 is the default port number of the WebUI.

https://192.168.1.200:8888

Press Enter and the welcome page appears in the browser, prompting for the username
and password. The default username is array and the default password is admin. After
the correct username and password are entered, you can access WebUI.

WebUI supports Chrome, Firefox, Edge and Safari. In addition, the browser
resolution should be set to 1024*768 or higher.

3.1.4 WebUI SSL Configuration

3.1.4.1 SSL Client Authentication Settings

In SSL communication, the SSL negotiation process usually only authenticates the
identity of the server, that is, performs one-way SSL authentication. In some scenarios
that have strict requirements on the client identity, the SSL negotiation process needs
to authenticate both the client identity and the server identity, that is, two-way SSL
authentication needs to be performed.

The ASF appliance supports the WebUI SSL client authentication function to meet
the two-way SSL authentication requirements in specific scenarios. At the same time,
ASF also supports mandatory mode for the WebUI SSL client authentication function.
When the mandatory mode is enabled, the WebUI client must pass the client
authentication before establishing an SSL connection with the ASF WebUI.
Otherwise, the WebUI access will fail. If SSL client authentication is enabled but the
mandatory mode is not enabled, the administrator can still access the WebUI, but the
SSL client will not provide the client certificate.

 Configuration Example via CLI

To enable the WebUI SSL client authentication function, perform the following steps:

1. Import certificate chain file for WebUI.

AN(config)#webui ssl import certificate ftp://10.8.6.20/cert/chain.pem

2. Import client CA certificate.

AN(config)#webui ssl import clientca ftp://10.8.6.20/cert/webui.pem

3. Enable the SSL client authentication function for the WebUI.

AN(config)#webui ssl settings clientauth enable

2022 Array Networks, Inc.

4. Enable the mandatory mode of the SSL client authentication function for the
WebUI.

AN(config)# webui ssl settings authmandatory enable

3.1.4.2 SSL Protocol Versions and Cipher Suites Settings

The system also supports modifying the SSL protocol versions and cipher suites
supported by the WebUI (SSL server).

 Configuration Example via CLI

Use the following command to modify the SSL protocol versions supported by the
WebUI:

AN(config)#webui ssl settings protocol TLSv11:TLSv12

Use the following command to modify the cipher suites supported by the WebUI:

AN(config)#webui ssl settings ciphersuites

“ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384”

3.2 Reading the LED

3.2.1 LEDs in the Front Panel

The ASF appliance has three LEDs in the front panel: one yellow, one green and one
blue. The following table describes the usage of each LED in the front panel:

Table 3–1 LEDs in the Front Panel

LED Color Meaning Description

Indicates the status of the power supply and the startup state of the
Blue Power
ASF appliance (shutdown/started)
This light is on when the ArrayOS system is booting up. It
Green Run indicates the CPU usage. The higher the CPU utilization, the
faster the CPU flashes.
This light is always off when the system is running properly.
When it turns on, it indicates that one or several of the following
problems may occur on the ASF appliance:
 The CPU fan stops working.
Yellow Fault  The CPU is overheated. (over 85℃ )
 The system is overheated. (over 75°C on 1U appliances, or
85℃ on 2U appliances)
 One of the dual power supply modules breaks down. (If dual
power supply is supported)

2022 Array Networks, Inc.

LED Color Meaning Description

Note: When the Yellow LED light is on, contact the Array Customer support. You can also
check for the issues by viewing the logs.

3.2.2 LEDs in the Rear Panel

There are two LEDs in the rear panel of ASF appliance for each Ethernet interface:

 Link LED: indicates the speed mode of the link, which can be 1Gbps, 10Mbps
and 100Mbps.

 Activity LED: indicates the active status of the Ethernet interface.

The LED’s meaning of onboard network card and extended network card of the ASF
appliance is introduced respectively below.

Table 3–2 Descriptions for LEDs of Ethernet interface

Network LED Name

Description
Card Type
The Link LED has the following colors:
 Amber: indicates the speed mode is 1 Gbps.
Link LED
Onboard  Green: indicates the speed mode is 100 Mbps.
Network  Off: indicates no connection or the speed mode is 10 Mbps.
Card The Activity LED has the following colors:
Activity
 Blinking Yellow: Active
LED
 Off: Inactive
If the link LED is yellow, it indicates the speed mode of the link is
Link LED
Extended 1 Gbps, 10 Mbps or 100 Mbps.
Network The Activity LED has the following colors:
Activity
Card  Blinking Green: Active
LED
 Off: Inactive

3.3 CLI Overview

The ASF CLI allows you to configure and control major functions of the ASF
appliance using the CLI commands via the Console or SSH connection.

3.3.1 Command Usage Breakdown

The ASF appliance’s software has been designed with specific enhancements to make
interaction with the ASF appliance more user friendly, such as Shorthand. Shorthand
is the intuitive method by which the ASF appliance completes CLI commands based

2022 Array Networks, Inc.

on the first letters entered. The following table lists the user shortcuts supported by
ASF CLI:

Table 3–3 List of Shortcuts

CLI Shortcuts Description

Ctrl+a Move the cursor to the beginning of a line.
Ctrl+e Move the cursor to the end of a line.
Ctrl+f Move the cursor forward one character.
Ctrl+b Move the cursor backward one character.
Esc+f Move the cursor forward one word.
Esc+b Move the cursor backward one word.
Ctrl+d Delete the character under the cursor.
Ctrl+k Delete from the cursor to the end of the line.
Ctrl+u Delete the entered line.

The ASF CLI commands will generally adhere to the following style conventions:

Table 3–4 CLI Style Conventions

Style Meaning
Bold typeface The body of a CLI command is in Boldface.
Italic CLI parameters are in Italic.
<> Parameters enclosed in angle brackets “< >” are mandatory.
Parameters enclosed in square brackets “[ ]” are optional.
[]
Indicates the sub commands like “no”, “show” and “clear”.
Alternative parameters are grouped in braces and separated by
{x|y|…}
vertical bars. One should be selected.
Optional alternative parameters are grouped in square brackets
[x|y|…]
and separated by vertical bars. One or none is selected.

Note: It is recommended to enclose the string-type parameter value by double quotes to

make sure that the ASF appliance can execute the command correctly.

A CLI example is as follows:

ip address {system_ifname|mnet_ifname|vlan_ifname|bond_ifname} <ip_address>

3.3.2 Access Control Levels

The ASF appliance offers three levels or modes for global configuration and access to
the ArrayOS. Each mode is designated by a unique cursor prompt. The CLI prompt
consists of the hostname of the ASF appliance followed by either “>”, “#” or
“(config)#”.

2022 Array Networks, Inc.

 User mode

The lowest access level is User mode. Users in this mode are only authorized to
execute some very basic operations and non-critical functions. The User mode prompt
“AN>” appears in the CLI.

 Enable mode

Users in this mode have access to a majority of view-only commands such as the
“show version” command. Commands from both the User and Enable modes can be
executed. To enter the Enable mode, you need to execute the “enable” command in
User mode and enter the correct Enable mode password. The default enable password
is null.

Once you access the Enable mode successfully, the CLI prompt changes from “AN>”
to “AN#”.

 Config mode

The highest level is Config mode. Users in this mode can make changes to any part of
the ASF appliance configuration. To access the Config mode, you should execute the
“config terminal” command in Enable mode. Once you access the Config mode
successfully, the CLI prompt changes from “AN#” to “AN(config)#”.

Only one administrator can be in Config mode at one time. To forcibly access the
Config mode when another administrator is already in Config mode, you can execute
the “config terminal force” command.

Note:

 In the ArrayOS, administrator accounts can be created and assigned the Enable or
Config access privilege. Only the administrator accounts with the Config access
privilege can be used to access the Config mode. For details, refer to section 15.1
User Management.
 In any mode, you can enter “?” to view the currently available CLI commands.
 All the configuration examples via CLI in this document are based on the assumption
that you have logged into the ASF CLI and entered the required access mode
successfully.

3.4 Initial System Setup and Configuration

The following is a list of commands required for the system initialization
configuration. For more details, refer to the Array ASF CLI Handbook.

2022 Array Networks, Inc.

Table 3–5 Initial System Setup and Configuration Command

Operation Command
Configure an IP
ip address {system_ifname|mnet_ifname|vlan_ifname|bond_ifname}
Address for the
<ip_address> <netmask>
management port.
Configure
interface management <interface_id> <gateway_ip>
management port
Set the default
ip route default <gateway_ip>
gateway IP address.
Check the ping {ip|hostname}
configuration of the show ip address
IP address. show ip route
Set the system date,
system date <year> <month> <date>
time and time zone
system time <hour> <minute> <second>
for the ASF
system timezone
appliance.
webui on
Start the WebUI. webui port <port>
webui ip <ip_address>
Save the
write memory
configuration.

3.4.1 Configure management port

To isolate the management traffic and business traffic, you need to configure a
management interface for the appliance, for example:

AN(config)#interface management port1 10.10.0.1

3.4.2 Set the default gateway IP address.

Set the default gateway IP address for the ASF appliance. For example:

AN(config)#ip route default 10.10.0.1

3.4.3 Check the configuration of the IP address.

To verify whether the connection between ASF appliance and the network is correct,
you can use the “ping” command to verify the gateway can correctly connect to the
backend server.

Verify the connectivity to the gateway using the “ping” command:

2022 Array Networks, Inc.

AN(config)#ping 10.10.0.1
PING 10.10.0.1(10.10.0.1): 56 data bytes
64 bytes from 10.10.0.1: icmp_seq=0 ttl=128 time=0.671 ms
64 bytes from 10.10.0.1: icmp_seq=1 ttl=128 time=0.580 ms
64 bytes from 10.10.0.1: icmp_seq=2 ttl=128 time=0.529 ms
64 bytes from 10.10.0.1: icmp_seq=3 ttl=128 time=0.486 ms
64 bytes from 10.10.0.1: icmp_seq=4 ttl=128 time=0.638 ms

--- 10.10.0.1 ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.486/0.581/0.671/0.068 ms

Verify the connectivity to the backend server using the “ping” command:

AN(config)#ping 192.168.10.1
PING 192.168.10.1(192.168.10.156 data bytes
64 bytes from 192.168.10.1: icmp_seq=0 ttl=128 time=0.661 ms
64 bytes from 192.168.10.1: icmp_seq=1 ttl=128 time=0.581 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=128 time=0.552 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=128 time=0.484 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=128 time=0.632 ms

--- 192.168.10.1 ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.486/0.581/0.671/0.068 ms

To confirm or view the configuration of the IP address and route, execute the
following commands:

AN(config)#show ip address
ip address "port1" 10.10.0.2 255.255.255.0
ip address "port2" 192.168.10.1 255.255.255.0

AN(config)#show ip route
Destination Netmask Gateway
default 10.10.0.1

3.4.4 Set the system date, time and time zone

1. Set the system date to October 20, 2018.

AN(config)#system date 18 10 20

2. Set the system time to 11:33:51 AM.

2022 Array Networks, Inc.

AN(config)#system time 11 33 51

3. Set the time zone using the “system timezone” command.

a. Select the continent.

b. Select the country.

c. Select the time zone.

3.4.5 Setting the Listening IP Address for the SSH Service

By default, the SSH service is enabled. For system security, please set the listening IP
address for the SSH service. After the listening IP address is set for the SSH service,
you can access the SSH service only via the specified IP address.

Execute the following command to set the listening IP address for the SSH service:

AN(config)#ssh ip 10.10.0.2

3.4.6 Start the WebUI

To manage and configure the ASF appliance using the WebUI, the administrator
needs to enable the WebUI.

Execute the following command to enable WebUI:

AN(config)#webui on

Note:

 To customize the IP address used by WebUI, use the “webui ip” command.
 To customize the port number used by WebUI, use the “webui port” command.

3.4.7 Save the configuration

To save the configuration, execute the following command:

AN(config)#write memory

3.4.8 Import CA Certificate for ASF WebUI

By default, the ASF WebUI uses a test SSL certificate issued by Array Networks. So
upon the initial log onto the WebUI, a warning message will be prompted in the
browser as shown below, and users need to bypass the warning to log onto the ASF
WebUI during the first login.

2022 Array Networks, Inc.

 In Chrome, the “Your connection is not private” warning will be prompted.

Please click on the “Advanced” link to expand the warning and then click on the
“Proceed to <website address> (unsafe)” link. After the first login, this warning
will not appear again.

 In Firefox, the “Your Connection is Not Secure” warning will be prompted.

Please click on the “Advanced” link to expand the warning and then click “Add
Exception” button. In the prompted “Add Security Exception” window, paste
the ASF WebUI URL and click the “Confirm Security Exception” button. After
the first login, this warning will not appear again.

 In Internet Explorer, the “There is a problem with this website’s security

certificate” warning will be prompted. Please click the “Continue to this
website (not recommended)” link to continue. Administrators need to repeat this
operation every time they log onto the WebUI until the test SSL certificate is
replaced by CA certificates.

However, the self-signed certificate is inadequate for high-security scenarios, and will
also cause the browser to prompt the above-mentioned warnings. To avoid the
security risk and enhance WebUI access experience, administrators need to use SSL
certificates issued by a trusted Certificate Authority (CA), namely CA certificates, to
replace the self-signed certificate. Currently, the ASF WebUI allows administrators to
import a PEM-format certificate and an intermediate certificate to replace the
self-signed SSL certificate.

For detailed information on how to import SSL certificates, please refer to section
15.2.2 WebUI SSL Settings.

2022 Array Networks, Inc.

Chapter 4 General System and Network

Configuration

4.1 Basic System Configuration

You can configure the system and the network as per your requirement.

4.1.1 System Time

The system allows the administrator to set the system date, time and time zone for the
ASF appliance.

4.1.1.1 Manual System Time Setting

Manual settings of time applies to the situation where there is no Network Time
Protocol (NTP) server available.

 Configuration Example via CLI

1. Set the system date to October 20, 2018.

AN(config)#system date 18 10 20

2. Set the system time to 11:33:51 AM.

AN(config)#system time 11 33 51

3. Set the time zone using the “system timezone” command.

a. Select the continent.

b. Select the country.

c. Select the time zone.

4. View the system time zone.

AN#show system timezone

system timezone "CST"

4.1.1.2 NTP
The NTP function enables the ASF appliance to synchronize its system time with the
configured NTP server.

To enable the NTP function, you need to configure at least one NTP server first.
When the NTP function is enabled, the ASF appliance will act as an NTP client,

2022 Array Networks, Inc.

automatically synchronizing its system time with the configured NTP server at the
interval of about 15 minutes. Both IPv4 and IPv6 NTP servers are supported.

If multiple NTP servers are configured, the ASF appliance will calculate the
round-trip delays according to the time information in the response packet from each
NTP server and synchronize its system time with the NTP server with the minimum
delay.

 Configuration Example via CLI

1. Configure an NTP server.

AN(config)#ntp server 192.168.1.100

2. Enable the NTP function.

AN(config)#ntp on

You can also view the current NTP configurations and the time dispersion and
association with the configured NTP server by executing the “show ntp” command.

AN#show ntp
ntp on
ntp server 10.3.0.1

synchronised to NTP server (10.3.0.1) at stratum 3

time correct to within 7987 ms
polling server every 64 s

remote refid st t when poll reach delay offset jitter

======================================================================
========
*10.3.0.1 10.137.38.86 2 u 106 64 376 55.234 -2.290 1.147

4.1.2 Host Name

By default, the host name of the ASF appliance is AN. The system allows you to
change the host name of the ASF appliance.

 Configuration Example via CLI

Change the host name of the ASF appliance by executing the “hostname” command.

AN(config)#hostname my_asf
my_asf(config)#

2022 Array Networks, Inc.

4.1.3 System Email

The system supports sending alert emails via built-in local email server or a
configured external email server.

4.1.3.1 Local Email Server

The system has a built-in local email server. By default, the system uses the local
email server to send alert emails.

The administrator can modify the hostname and the email account of the sender used
to send the alert mail via the local email server.

 Configuration Example via CLI

1. Modify the email account of the sender used to send the alert mail via the local
email server by executing the “system mail from” command.

AN(config)#system mail from "[email protected]"

2. Modify the host name of the alert mail sent via the local mail server by executing
the “system mail hostname” command.

AN(config)#system mail hostname "asf01"

4.1.3.2 External Email Server

The system supports the external email server function. When this function is enabled,
the system will act as the email client and log into the external email server using the
configured sender’s email account to send alert emails. Currently, the system supports
only the external SMTP email server. Only one external SMTP email server can be
configured in the system. By default, this function is disabled. When this function is
disabled, the system will use the built-in local email server to send the alert mail.

 Configuration Example via CLI

1. Configure the external SMTP email server using the “system mail external
server” command.

AN(config)#system mail external server "192.168.1.12" 465 1

2. Configure the email account of the sender used to send the alert mail via the
external SMTP email server by executing the “system mail external user”
command.

AN(config)#system mail external user test testpasswd1

3. Enable the external email server function using the “system mail external on”
command.

2022 Array Networks, Inc.

AN(config)#system mail external on

4.1.3.3 Email Replay

The system supports the email relay function. After this function is enabled, alert
emails sent to email addresses of the specified domain will be sent to the email relay
server for forwarding. By default, this function is disabled. A maximum of 10 email
replay servers can be configured.

 Configuration Example via CLI

1. Configure an email relay server for email servers of the specified domain using
the “system mail relay server” command.

AN(config)#system mail relay server arraynertworks.com.cn relay.com

2. Enable the email relay function using the “system mail relay on” command.

AN(config)#system mail relay on

4.2 Network Configuration

Note: Basic network configurations such as IP address and default route, and advanced
network configurations are usually be associated or referenced by other configurations.
After these configured are completed, do not modify or delete them randomly; otherwise,
unpredictable issues may occur. If administrators need to modify network configuration,
they should execute commands “write memory/file”, “clear config all”, and “config
memory/file” in sequence after modification of network configuration.

4.2.1 Interfaces

4.2.1.1 System Interfaces

System interfaces are the logical names of the physical ports provided by the ASF
appliance. You can view the information and statistics of system interfaces by
executing the “show interface” command.

AN(config)#show interface
port1(port1): flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::20c:29ff:fe0e:610 prefixlen 64 scopeid 0x1
inet 192.168.0.131 netmask 0xffffff00 broadcast 192.168.0.255
inet 192.168.0.132 netmask 0xffffffff broadcast 192.168.0.132
ether 00:0c:29:0e:06:10
media: autoselect (10Gbase-T <full-duplex>)
status: active

2022 Array Networks, Inc.

deploy direction: UPLINK

Hardware is VMXNET3 Ethernet Controller
Input total: 50964 packets, 12629255 bytes
multicasts: 30229, Input errors: 0
drops: 0
Output total: 24298 packets, 26908037 bytes
multicasts: 0, Output errors: 0
Collosions: 0
packet drop (not permit): 0
tcp 0 udp 0 icmp 0 ah 0 esp 0
packet drop (deny): 0
tcp 0 udp 0 icmp 0 ah 0 esp 0
5 minute input rate 1776 bits/sec, 0 packets/sec
5 minute output rate 8 bits/sec, 0 packets/sec
port2(port2):
flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC>
mtu 1500
inet6 fe80::20c:29ff:fe0e:61a prefixlen 64 scopeid 0x2
ether 00:0c:29:0e:06:1a
media: autoselect (10Gbase-T <full-duplex>)
status: active
deploy direction: UPLINK
Hardware is VMXNET3 Ethernet Controller
Input total: 0 packets, 0 bytes
multicasts: 0, Input errors: 0
drops: 0
Output total: 14 packets, 1212 bytes
multicasts: 0, Output errors: 0
Collosions: 0
packet drop (not permit): 0
tcp 0 udp 0 icmp 0 ah 0 esp 0
packet drop (deny): 0
tcp 0 udp 0 icmp 0 ah 0 esp 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
port3(port3):
flags=10028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC
> mtu 1500
inet6 fe80::20c:29ff:fe0e:624 prefixlen 64 scopeid 0x3
ether 00:0c:29:0e:06:24
media: autoselect (10Gbase-T <full-duplex>)
status: active

2022 Array Networks, Inc.

deploy direction: UPLINK

Hardware is VMXNET3 Ethernet Controller
Input total: 0 packets, 0 bytes
multicasts: 0, Input errors: 0
drops: 0
Output total: 14 packets, 1212 bytes
multicasts: 0, Output errors: 0
Collosions: 0
packet drop (not permit): 0
tcp 0 udp 0 icmp 0 ah 0 esp 0
packet drop (deny): 0
tcp 0 udp 0 icmp 0 ah 0 esp 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
port4(port4): flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::20c:29ff:fe0e:62e prefixlen 64 scopeid 0x4
ether 00:0c:29:0e:06:2e
media: autoselect (10Gbase-T <full-duplex>)
status: active
deploy direction: UPLINK
Hardware is VMXNET3 Ethernet Controller
Input total: 0 packets, 0 bytes
multicasts: 0, Input errors: 0
drops: 0
Output total: 21 packets, 1806 bytes
multicasts: 0, Output errors: 0
Collosions: 0
packet drop (not permit): 0
tcp 0 udp 0 icmp 0 ah 0 esp 0
packet drop (deny): 0
tcp 0 udp 0 icmp 0 ah 0 esp 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec

4.2.1.1.1 Interface Attributes

A system interface has the following basic attributes:

 Interface name: The default system interface name is the same as the system
interface ID, for example, port1, port2 and port3. The administrator can
customize the name of the system interface.

 MAC address: is the physical MAC address of the system interface. The
administrator can modify the MAC address of the system interface.

2022 Array Networks, Inc.

 MTU: is Maximum Transmission Unit (MTU) of the system interface. The

administrator can modify the MTU of the system interface.

 Speed: indicates the speed and working mode of the system interface. If the
interface is connected to a device (such as a router or switch with a specific speed
and duplex mode), the administrator needs to configure the interface speed and
working mode to match those requirements.

 Configuration Example via CLI

1. Modify the name of the system interface by executing the “interface name”
command:

AN(config)#interface name port1 uplink1

2. Modify the MAC address of the system interface by executing the “interface
mac” command:

AN(config)#interface mac port1 00:0c:29:0e:06:2e

3. Modify the MTU of the system interface by executing the “interface mtu”
command:

AN(config)#interface mtu port1 1440

4. Modify the speed and working mode of the system interface by executing the
“interface speed” command:

AN(config)#interface speed port1 auto

4.2.1.1.2 Promiscuous Mode

The promiscuous mode enables a system interface to process the packets whose
destination MAC address is not a local MAC address. The promiscuous mode is
disabled for the system interface by default.

 Configuration Example via CLI

Enable the promiscuous mode for a system interface by executing the “interface
promisc” command:

AN(config)#interface promisc port1 enable

4.2.1.1.3 Deployment Direction

According to the location that the system interface is deployed in the data flow,
system interfaces can be classified into:

 Uplink interfaces: connect to upstream network devices.

 Downlink interfaces: connect to downstream network devices.

2022 Array Networks, Inc.

By default, all system interfaces are set as uplink interfaces. Administrators need to
change the deployment direction of system interfaces according to the actual
deployment situation.

 Configuration Example via CLI

Modify the system interface as an uplink interface by executing the “interface

uplink” command:

AN(config)#interface uplink port1

View all uplink interfaces by executing the “show uplink” command:

AN(config)#show uplink
up-link interfaces:
port1 port2 port3 bond1 bond2 bond3
bond4 bond5 bond6 bond7 bond8 VLAN1

Modify the system interface as a downlink interface by executing the “interface

downlink” command:

AN(config)#interface downlink port4

View all downlink interfaces by executing the “show downlink” command:

AN(config)#show downlink
down-link interfaces:
port4

4.2.1.2 Bond Interface

4.2.1.2.1 Overview

This section will introduce the link aggregation function. Link aggregation, also
called trunking, enhances the network performance and stability greatly.

4.2.1.2.2 Principle of Link Aggregation

Link aggregation combines (bonding) two or more data channels into one single
high-bandwidth logical link. All bond interfaces are regarded as a “high-bandwidth”
interface. If every bonding link is a different physical link, the bond interface can
multiply the network bandwidth, increase interfaces’ reliability, and provide link
redundancy and tolerance capability. However, link aggregation cannot be used
together with the interface redundancy function.

It should be configured before MNET and VLAN interfaces are configured. If

configurations such as MNET or VLAN are added for the bond interface, the
administrator must save these configurations and reboot the system when these
configurations of this bond interface are changed.

2022 Array Networks, Inc.

The ASF appliance supports a maximum of eight bond interfaces, and a maximum of
12 system interface can be bond to one bond interface. The bond interface will check
whether every system interface works normally. If a system interface becomes down,
the traffic processed by this interface will be directed to other working system
interfaces in the bond interface.

When adding a system interface into a bond interface, the administrator can further set
the interface as the primary or backup interface in the bond interface. Multiple
primary or backup interfaces can be set in the bond interface. When all the primary
interfaces in the bond interface fail, the backup interfaces will take the place of
primary interfaces to work.

Note: When binding a system interface with a bond interface, the system interface should
be configured with no IP address. If there is IP configuration on the system interface, the
administrator needs to remove the IP configuration first. Otherwise, the system will refuse
to add the system interface into the bond interface.

In addition, the ASF appliance also supports configuring MNET or VLAN on bond
interface. The bond interface configuration must be performed before configuring
MNET or VLAN on it.

4.2.1.2.3 Link Aggregation Health Check

The link aggregation health check is used to determine the health status (“up” or
“down”) of the bond interface. It allows the ASF appliance to check every
sub-interface of the bond interface and mark the sub-interface as “up” or “down”.
With this function, administrators can use the sub-interfaces which are marked as
“up” to transmit traffic.

Note: When the health status of all the bond sub-interfaces are marked “down” with the
transmission of ARP and IPv6 NS packets still behaving normally, the bond interface will
still be in a usable state, and service traffic will continue to be sent to every sub-interface.
Meanwhile, verify the destination IP of the health check is configured properly.

4.2.1.2.4 Link Aggregation Configuration

 Configuration Guidelines

In order to maximize the performance of the ASF appliance through configuration,

draw the network topology that can guide the configuration according to actual
conditions of your network. All link aggregation configuration examples in this
section are based on the following figure.

2022 Array Networks, Inc.

Figure 4–1 Link Aggregation Configuration

The following table lists all commands required for configuring the link aggregation
function. For details of these commands, refer to the Array ASF CLI Handbook.

Table 4–1 ASF Commands for Configuring Link Aggregation

Operation Command
Bind a system
interface with the bond interface <bond_name> <interface_name> [1|0]
bond interface
Assign a name of
bond name <bond_id> <bond_name>
the bond interface
Configure an IP
ip address {system_ifname|mnet_ifname|vlan_ifname|bond_ifname}
address for the bond
<ip_address> {netmask|prefix}
interface
Configure the
ip route default <gateway_ip>
default gateway
Configure the health bond health <bond_name> <destination_ip> [interval] [timeout]
check [up_check_times] [down_check_times] [gateway_ip]

 Configuration Example

1. Bind a system interface with the bond interface.

In this example, the “port1” interface and the “port4” interface are bond with bond
interface bond1 and they are set as the primary and the backup interfaces in the bond
interface respectively.

AN(config)#bond interface bond1 port1 1

AN(config)#bond interface bond1 port4 0

2. Assign a name of the bond interface.

You can set the bond name for the configured bond interface by using the “bond
name” command.

AN(config)#bond name bond1 link1

2022 Array Networks, Inc.

3. Configure an IP address for the bond interface

AN(config)#ip address link1 10.10.0.2 255.255.255.0

4. Configure the gateway IP.

AN(config)#ip route default 10.10.0.1

To verify that the ASF appliance has successfully completed the basic network
configuration, test the connectivity to the gateway to the backend servers by using the
“ping” command. If the preceding configurations are correct, the following
information will be returned by using the “ping” command.

--- 10.10.0.1 ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.486/0.581/0.671/0.068 ms

5. Configure and enable the link aggregation health check. (Optional)

AN(config)#bond health link1 172.16.77.81 5 3 3 3 172.16.77.1

4.2.1.3 VLAN
VLAN (Virtual Local Area Network) is used to logically segment a network into
smaller networks by application, or function, without regard to the physical location
of the users. Each VLAN is considered a separate logical network. There are two
types of VLAN specifications for Ethernet network.

 Port-based VLAN

Define VLAN based on port number of the switch. Port-based VLAN is easy to
configure but often limited to one single switch.

 Tag-based VLAN

Tag-based VLAN allows a group of devices on different physical LAN segments to

communicate with each other as if they were all on the same physical LAN segment.
In tag based VLAN, an identifying number, called a “VLAN ID” or a “tag”, is written
into the Ethernet frame itself, so that switches and routers can use this information to
make switching decisions. A tagged frame is four bytes longer than an untagged

2022 Array Networks, Inc.

frame and contains two bytes of Tag Protocol Identifier (TPID) and two bytes of Tag
Control Information (TCI).

The ASF appliance supports Tag-based VLAN on system interfaces and bond
interfaces. The ASF appliance’s VLAN can work in both the IPv4 and IPv6 network
environments. Administrator can view all the IPv4 and IPv6-based VLAN
configurations by executing the “show interface” command. For example:

AN(config)#show interface
……
V1(vlan1): flags=8843<UP,BROADCAST,RUNNING,SIMPLEX> mtu 1500
inet6 fe80::230:48ff:fe93:a73e prefixlen 64 scopeid 0xb
ether 00:30:48:93:a7:41
media: autoselect
status: no carrier
vlan : 10 parent interface: port2
webwall status: OFF
packet drop (not permit): 0
tcp 0 udp 0 icmp 0 ah 0 esp 0
packet drop (deny): 0
tcp 0 udp 0 icmp 0 ah 0 esp 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec

V2(vlan2): flags=8843<UP,BROADCAST,RUNNING,SIMPLEX> mtu 1500

inet6 fe80::230:48ff:fe93:a73e prefixlen 64 scopeid 0xc
ether 00:30:48:93:a7:41
media: autoselect
status: no carrier
vlan : 20 parent interface: port2
webwall status: OFF
packet drop (not permit): 0
tcp 0 udp 0 icmp 0 ah 0 esp 0
packet drop (deny): 0
tcp 0 udp 0 icmp 0 ah 0 esp 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec

 VLAN Configuration Example

In this example, you will create two VLANs, “inside-vlan1” and “inside-vlan2”. The
“inside-vlan1” has a tag of 500 and “inside-vlan2” has a tag of 3001. These tags are
inserted into the Ethernet frame.

1. Create a VLAN interface by using the “vlan” command.

2022 Array Networks, Inc.

AN(config)#vlan port2 inside-vlan1 500

AN(config)#vlan port2 inside-vlan2 3001

2. Assign an IP address to each VLAN interface by using the “ip address”

command

AN(config)#ip address inside-vlan1 192.168.1.1 255.255.255.0

AN(config)#ip address inside-vlan2 192.168.2.1 255.255.255.0

For the interface with VLAN configuration, it needs to be connected to a switch or

router with Tag VLAN or Trunking turned on.

4.2.1.4 MNET
MNET (Multi-Netting) is used to assign more than one IP address on a physical
interface. When assigning IP addresses, the network administrator can choose the
following way: assign an IP address to the server and assign new IP addresses to new
servers.

Also, another way of assigning addresses can be used. The administrator can assign
four IP addresses to the server. Each IP address will match the IP address to be used
in the future on the new servers. The network administrator now knows what
addresses will be used and can create DNS entries for the new devices with the
correct addresses. This process of providing more than one IP address on an interface
is often called MNET.

The ASF appliance’s MNET can work in both the IPv4 and IPv6 network
environments.

4.2.1.4.1 MNET Configuration

MNET configuration on the interface is very similar to VLAN configuration. In this

example, you will configure two IP address for port2 192.168.1.1/24 and
192.168.2.1/24.

1. Create MNET interfaces on the interface by using the “mnet” command.

AN(config)#mnet port2 mnet1

AN(config)#mnet port2 mnet2

2. Assign an IP address to each MNET interface by using the “ip address”

command

AN(config)#ip address mnet1 192.168.1.1 255.255.255.0

AN(config)#ip address mnet2 192.168.2.1 255.255.255.0

Refer to the documentation of your switch/router connecting to port2 on how to set up

their interface to work with MNET.

2022 Array Networks, Inc.

4.2.1.5 Management Interface

The system supports the configuration of management interface, so that the
management traffic (SSH, SNMP, WebUI, RESTful API traffic) of the appliance and
the business traffic are isolated from each other. When the management traffic
reaches the management interface, the traffic will flow in and out through the
management interface connected to the management route.

 Configuration Example via CLI

Use the “interface management” command to configure the management interface:

AN(config)#interface management port1 10.3.0.1

Use the “no interface management” command to delete the specified management
interface:

AN(config)#no interface management port1 4

Use the “show management” command to display the management interface

configuration:

AN(config)#show management

Use the “clear interface management” command to clear the management interface
configuration:

AN(config)#clear interface management

4.2.2 Bridge

In bridge deployment mode, the ASF appliance is connected to the network topology
in path as a Layer 2 bridge. Multiple bridge instances can be created on the ASF
appliance, different physical ports can be added to different bridges. In VLAN
environment, the ASF appliance support the access and trunk modes of VLAN.

Note: On the ASF appliance, bridge supports only layer 2 forwarding and does not bear
services of layer 3 or higher.

 Configuration Example via CLI

1. Add a bridge instance, named br1.

AN(config)#bridge name br1

2. Add two system interfaces to the bridge instance, such as port2 and port3.

AN(config)#bridge member br1 port2

AN(config)#bridge member br1 port3

2022 Array Networks, Inc.

3. Configure VLAN for system interfaces in the bridge, such as VID=10.

AN(config)#bridge vlan br1 port2 10

AN(config)#bridge vlan br1 port3 10

4. View the MAC learning results of the bridge.

AN(config)#show bridge mactable br1

bridge name: br1
Index Destination MAC VLAN Interface Bridge Expire
1 00:50:56:9f:3c:66 0 port2 br1 0h19m56s

5. View the forwarding statistics of the bridge.

AN(config)#show statistics bridge br1

bridge name: br1(bridge0)

statistics:
receive packets: 132
receive bcast/mcast: 0
receive unicast: 132
upload packets: 132
reject packets: 0
drop packets: 0
forward flood: 0
forward unicast: 0
forward bpdu packets: 0

4.2.3 ARP/NDP

4.2.3.1 ARP
ARP (Address Resolution Protocol) is a TCP/IP protocol used to obtain the physical
address based on the IP address. When sending information, the host broadcasts the
ARP request including the destination IP to all hosts on the network and receives their
responses to determine the physical address of the target host; after receiving the ARP
response, it will save the mapping between the IP address and the physical address
into the local ARP cache for a period of time. In next request, the host can directly
query the ARP cache, which saves resources.

The administrator can add static ARP entries to the system. A maximum of 128 static
ARP entries can be added to the system.

 Configuration Example via CLI

1. Add a static ARP entry by using the “ip arp” command.

2022 Array Networks, Inc.

AN(config)#ip arp 192.168.100.10 00:21:9C:45:80:9F

2. View static and dynamic ARP entries in the system by using the “show ip arp”
command.

AN(config)#show ip arp
(192.0.0.1) at 76:f0:74:e9:dc:22 permanent [ethernet]
(192.168.0.105) at 70:8b:cd:7b:e3:a5 [ethernet]
(192.168.0.1) at 3c:46:d8:8d:08:d8 [ethernet]
(192.168.0.131) at 00:0c:29:0e:06:10 permanent [ethernet]
(192.168.0.132) at 00:0c:29:0e:06:10 permanent [ethernet]
(192.168.0.103) at 78:45:61:14:8a:e0 [ethernet]
(192.168.0.102) at b0:89:00:fd:58:1d [ethernet]
(192.168.0.100) at (incomplete) [ethernet]

4.2.3.2 NDP
NDP (Neighbor Discovery Protocol), a key protocol of the IPv6 stack, can be used for
obtaining the link address information of other neighbor nodes connected with the
local nodes.

Similar to the ARP of the IPv4 stack, NDP can perform address transformation
between the network layer and the link layer. The difference is that NDP uses
ICMPv6 (Internet Control Message Protocol version 6) and multicast to manage the
information exchanged among the neighbored nodes (within the same link) and keeps
the address mapping between the network layer and the link layer in the same subnet.

The administrator can add static NDP entries to the system. A maximum of 128 static
NDP entries can be added to the system.

 Configuration Example via CLI

1. Add a static NDP entry by using the “ipv6 ndp” command.

AN(config)#ipv6 ndp 1030::C9B4:FF12:48AA:1A2B 00:21:9C:45:80:9F

2. View static and dynamic NDP entries in the system by using the “show ipv6
ndp” command.

AN(config)#show ipv6 ndp

Neighbor Linklayer Address S Flags
fe80::74f0:74ff:fee9:dc22%veth0 76:f0:74:e9:dc:22 R
fe80::20c:29ff:fe0e:62e%port4 0:c:29:e:6:2e R
fe80::20c:29ff:fe0e:624%port3 0:c:29:e:6:24 R
fe80::20c:29ff:fe0e:61a%port2 0:c:29:e:6:1a R
fe80::20c:29ff:fe0e:610%port1 0:c:29:e:6:10 R

2022 Array Networks, Inc.

4.2.4 DNS

4.2.4.1 External DNS Server

The ASF appliance supports external DNS servers. When the system cannot resolve
DNS queries itself, it will forward the DNS queries to the configured external DNS
server. A maximum of three external DNS servers can be configured on the ASF
appliance. Both IPv4 and IPv6 external DNS servers are supported.

 Configuration Example via CLI

Execute the “ip nameserver” command to add an external DNS server.

AN(config)#ip nameserver 10.3.0.10

4.2.4.2 Local DNS Resource Record

The ASF appliance supports local DNS resource records for fast DNS resolution. A
maximum of 64 DNS resource records can be configured on the ASF appliance. Both
A and AAAA resource records are supported on the ASF appliance.

 Configuration Example via CLI

Add a DNS resource record by using the “ip host” command for DNS resolution.

AN(config)#ip host www.example.com 192.168.100.10

AN(config)#ip host www.example.com 1030::C9B4:FF12:48AA:1A2B

4.2.5 Route Configuration

4.2.5.1 Static Route

The administrator can configure static routes for the ASF appliance.

 Configuration Example via CLI

Add a static route by executing the “ip route static” command.

AN(config)#ip route static 192.168.100.0 255.255.255.0 10.8.6.1

4.2.5.2 Dynamic Route

Dynamic route is a process in which routers automatically adjust to changes in
network topology or traffic. It is more robust than static route. Now, there are several
protocols used to support dynamic route including RIPv1 (Routing Information
Protocol version 1), RIPv2 (Routing Information Protocol version 2), OSPFv2 (Open
Shortest Path First version 2) and OSPFv3 (Open Shortest Path First version 3), and
BGP (Border Gateway Protocol, including multi-protocol extensions).

2022 Array Networks, Inc.

Dynamic Route is especially suitable for today’s large, ever-changing networks. It

adapts to changes in network topology through automatic convergence. And it
distributes routing information between routers and chooses the best path for the
network.

4.2.5.3 Dynamic Route Configuration

Figure 4–2 Dynamic Route Configuration

1. Configure the RIP protocol.

AN(config)#rip on
AN(config)#rip version 2
AN(config)#rip network 172.16.31.0 255.255.255.0
AN(config)#rip network 172.16.32.0 255.255.255.0

2. Configure the OSPF protocol.

AN(config)#ospf on
AN(config)#ospf network 172.16.32.0 255.255.255.0 0
AN(config)#ospf network 172.16.31.0 255.255.255.0 0

After the configuration is completed, view the dynamic route configuration by using
the “show ip route” command.

AN(config)#show ip route
Destination Netmask Gateway
RIP routes:
Destination Netmask Gateway
172.16.39.0 255.255.255.0 172.16.31.67
OSPF routes:
Destination Netmask Gateway
172.16.41.0 255.255.255.0 172.16.32.2

4.2.6 Proxy IP Pool

An IP pool contains multiple IP address from the same subnet.

Under the proxy working mode, the appliance uses the interface IP to establish
connections with real services by default. The administrator can configure an IP pool

2022 Array Networks, Inc.

as the system proxy IP pool, whose IP addresses will be used to establish connections
with real services instead of the interface IP. In this way, the appliance can select IP
addresses from a large number of IP addresses in the proxy IP pool to establish
connections with real services. This enhances the appliance’s concurrent connections
capability.

The maximum number of IP pools supported by different models is determined by

their memory amount. For details, see the following table:

Table 4–2 Maximum Number of IP Pools

System Memory Maximum Number of IP Pools

4GB 32
8GB 64
16GB 128
32GB 256

When configuring the IP pool, note that:

 Each IP pool should be assigned with a unique name in the system.

 IP addresses can be added to the IP pool by adding single IP addresses or IP

segments. An IP segment is consisted of continuous IP addresses.

 Multiple IP segments or single IP addresses can be added to one IP pool.

 Every IP pool contains a maximum of 256 IP addresses.

 All IP addresses in one IP pool must be either IPv4 or IPv6.

 IP addresses in one IP pool must belong to the same subnet of an interface IP.

 IP segments in different IP pools can overlap.

 An IP address can be added to multiple IP pools.

 IP addresses in the IP pool must be legal:

– IP addresses beyond the subnets of interface IPs are illegal.

– Broadcast IP address is illegal.

– IP address with host part being 0 is illegal.

 Configuration Example

1. Create an IP pool. For example:

AN(config)#ip pool "pool1" 2.2.2.100 2.2.2.150

AN(config)#ip pool "pool1" 2.2.2.151 2.2.2.180

2022 Array Networks, Inc.

Note: The administrator can add single IP addresses to the IP pool, for example “ip pool
pool1 2.2.2.181”.

2. Set the created IP pool as the system proxy IP pool.

AN(config)#security proxyip "pool1"

4.2.7 GeoIP

GeoIP database is used to locate the geographic locations of IP addresses, such as

their longitude and latitude, countries/regions, and states/provinces. In ASF, GeoIP is
mainly used for two purposes:

 Access control based on GeoIP regions: The administrator can generate IP

blacklist based on the IP region table to achieve the region-based access control.

 The WebUI can generate and display region-based statistics graphs.

4.2.7.1 Configuration Example

 (Optional) GeoIP Database

The ASF appliance has pre-installed default GeoIP databases. The administrator can
import a new GeoIP database by using the “ipregion geoip import” command.

AN(config)#ipregion geoip import country

ftp://10.6.1.1.62/GeoLite2-Country-CSV_20180605.zip

 Access Control Based on GeoIP Region

1. Generate IP region tables by using the “ipregion geoip convert” command.

AN(config)#ipregion geoip convert country china

2. View the generated IP region tables by using the “show ipregion name”
command.

AN(config)#show ipregion name

countryipv4_China
countryipv6_China

3. Generate an IP blacklist file based on an IP region table by using the “acl

blacklist ipregion” command.

AN(config)#acl blacklist ipregion countryipv4_China

4. Apply the blacklist file to the system blacklist by using the “acl blacklist ipfile
apply” command.

2022 Array Networks, Inc.

AN(config)#acl blacklist ipfile apply countryipv4_China

4.2.8 Geolocation Map

Geolocation map displays the attack source areas by coutry on the WebUI interface.
The WebUI has a built-in default geolocation map. Besides, WebUI supports
importing customized the geolocation map. The customized the geolocation map
needs to conform to the GeoJSON specification (RFC 7946).

For GeoJSON specification (RFC 7946), refer to https://geojson.org/

4.2.8.1 Configuration Example

 View the Geolocation Map

Select Platform>Network> Geolocation Map. In the Geolocation Map area, select

one map name and click it, as shown in Figure 4–3.

Figure 4–3 View the Geolocation Map

 Upload the Geolocation Map

Click the Upload New Map ( ) button to upload a customized geolocation map, as
shown in Figure 4–4.

Figure 4–4 Upload the Geolocation Map

If you hover your mouse over a specific country, the geolocation of the specific
country will be highlighted, as shown in Figure 4–5.

2022 Array Networks, Inc.

Figure 4–5 Display the Geolocation Map of a Specific Country

 Reset the Geolocation Map

Click the Reset ( ) button to reset the map to the default geolocation map.

4.2.9 TAP Mode

TAP mode, as one deployment mode of the ASF appliance, is used to meter the
mirrored traffic (in both the unlink and downlink directions) and detect threats or
attacks. It does not block or provide defense against attacks. View whether the ASF
appliance is in TAP mode by executing the “show tap” command.

Figure 4–6 TAP Deployment Mode

In TAP mode, the ASF appliance does not support:

 HTTPS-type security service

 Source authentication

 Rate limit and advanced ACL

2022 Array Networks, Inc.

 Traffic learning

 Configuration Example via CLI

1. Enable the TAP mode by executing the “tap on” command and reboot the
system.

AN(config)#tap on
AN(config)#system reboot

2. To use the TAP mode, you also need to enable the promiscuous mode for the
sniffing port used to receive mirrored traffic from upstream devices by executing
the “interface promisc” command.

AN(config)#interface promisc port1 enable

3. To disable the TAP mode, execute the “tap off” command and reboot the system.

AN(config)#tap off
AN(config)#system reboot

4. View the current status of the TAP mode by executing the “show tap” command.

AN(config)#show tap
TAP mode on

Note: Enabling and disabling the TAP mode takes effect only after system reboot.

2022 Array Networks, Inc.

Chapter 5 Network Defense

5.1 Security Zone

The security zone defines the defense object for which defense against the L3/L4
DDoS attack is provided and determines the network scope to be protected by adding
the network subnets to the security zone. The appliance provides the L3 and L4 DDoS
defense services for the traffic only when the destination IP in the traffic hits the
address in the security zone.

 Configuration Example via CLI

1. Execute the “security zone name” command to create a security zone.

AN(config)#security zone name g1

2. Execute the “security zone address” command to add a subnet to the security
zone.

AN(config)#security zone address "g1" 192.168.1.0 255.255.255.0

3. Execute the “show security zone summary” command to view the configuration
summary of the security zone.

AN#show security zone summary

---------------------------------
security zone name "g1"
type : ipv4
subnet: 1
172.16.83.0 255.255.255.0
ddos_profile: "auto_profile_g1"
defense mode: detect
auto blacklist: on
auto whitelist: on
traffic topn : off
rule information:
icmp.flood :pps_alert 10, pps
_limit 20
tcp.synflood :pps_alert 500
tcp.sackflood :pps_alert 500
tcp.ackflood :pps_alert 500
tcp.finflood :pps_alert 500
tcp.resetflood:pps_alert 500
tcp.fragflood :pps_alert 500
tcp.connflood :cc_alert 10000, cps_alert 500, src_cc_check 500, src_new_conn_alert 200,
src_new_conn_cycle 5

2022 Array Networks, Inc.

tcp.slowconn :check_cycle 5, check_times:5

tcp.abnconn :win_min 10, retrans_max 200, pkt_min 1, pkt_cycle 30, abnconn_alert 30,
abnconn_cycle 15
udp.flood :pps_alert 5000, pps
_limit 10000
udp.fragflood :pps_alert 5000, pps_limit 10000
udp.fingerprint :fingerprint_offset 20, fingerprint_len 8
Active destination ip count: 0

5.2 Network DDoS Defense

The network DDoS defense provides the defense against IP, TCP, UDP and ICMP
attacks, respectively.

5.2.1 Relations Between Network DDoS Profiles, Rules

and Policies

The following figure displays the relations between network DDoS profiles, rules and
policies.

Figure 5–1 Relations Between Network DDoS Profiles, Rules and Policies

The network DDoS profile is a set of rules which can provide a series of network
DDoS defense for the security zone. The maximum number of network DDoS profiles
supported by the system varies with the appliance memory. For more details, refer to
Appendix II System Specifications in the ASF CLI Handbook.

Network DDoS defense rules are the DDoS attack mitigation rules provided for the
security zones using specific defense methods. According to the protocol type, they

2022 Array Networks, Inc.

can be divided into TCP DDoS defense rules, UDP DDoS defense rules and ICMP
DDoS defense rules.

The network DDoS policy is used to apply the network DDoS profile to the security
zone.

5.2.2 Network DDoS Profile

5.2.2.1 Automatic Network DDoS Profile

When a security zone is created, for example “g1”, an automatic network DDoS
profile “auto_profile_g1” is created by default. The control switches and defense rules
in the profile are initialized to the system default values. When the traffic
baseline-learning task is enabled for the security zone “g1”, the system automatically
refresh rules in the “auto_profile_g1” based on the traffic baseline-learning result, so
that the appliance can dynamically adjust the defense rules based on the actual
situation of the customer network environment. Refer to section 8.2 Traffic Baseline
Learning for details. You can manually set the defense rules in the “auto_profile_g1”.
Once you manually adjust a defense rule, this rule cannot be dynamically refreshed by
the traffic baseline-learning result. The automatic network DDoS profile is
automatically created and deleted with the creation/deletion of the security zone. You
cannot create or delete the automatic profile and can only modify the control switches
and defense rules in the profile.

5.2.2.2 Manual Network DDoS Defense

When a security zone is created, for example “g1”, an automatic network DDoS
profile is created by default. The administrator can still create the custom manual
network DDoS profile, such as “manual_profile_g1”, and manually set the control
switches and defense rules in the profile. When the administrator associates the
profile manually created with the the specified security zone “g1”, the manual profile
will completely replace the automatic profile to provide the network DDoS defense
function. One manual profile can be associated with multiple different security zones.

 Configuration Example via CLI

1. Execute the “ddos profile zone name” command to create a manual network
DDoS profile.

AN(config)#ddos profile zone name manual_profile_g1

2. Execute the “ddos policy zone” command to associate the manual network DDoS
profile with the specified security zone.

AN(config)#ddos policy zone g1 manual_profile_g1

2022 Array Networks, Inc.

3. Execute the “show ddos profile zone summary” command to view the
association between the manual network DDoS profile and the security zone and
the configuration summary.

AN(config)#show ddos profile zone summary manual_profile_g1

---------------------------------
DDoS profile name "manual_profile_g1"
defense mode: detect
auto blacklist: on
auto whitelist: on
traffic topn : on
apply: 1
"g1"
rule information:
icmp.flood :pps_alert 100000,pps_limit 100000
tcp.synflood :pps_alert 10000
tcp.sackflood :pps_alert 10000
tcp.ackflood :pps_alert 10000
tcp.finflood :pps_alert 10000
tcp.resetflood :pps_alert 10000
tcp.fragflood :pps_alert 10000
tcp.connflood :cc_alert 10000, cps_alert 10000, src_cc_check 500, src_new_conn_alert
200, src_new_conn_cycle 5
tcp.slowconn :check_cycle 5, check_times:5
tcp.abnconn :win_min 10, retrans_max 200, pkt_min 1, pkt_cycle 30, abnconn_alert 30,
abnconn_cycle 15
udp.flood :pps_alert 10000, ps_limit 10000
udp.fragflood :pps_alert 10000,pps_limit 10000
udp.fingerprint :fingerprint_offset 20, fingerprint_len 8

5.2.2.3 Profile Attribute Settings

5.2.2.3.1 Packet Anomaly Logging

Network DDoS profile supports the packet anomaly logging function. After this
function is configured, the system will record the packet anomaly logs when abnormal
packets are detected for the security zone.

 Configuration Example via CLI

Configure the packet anomaly logging function for the network DDoS profile by
executing the “ddos profile zone anomalylog” command.

AN(config)# ddos profile zone anomalylog profile1 summary

2022 Array Networks, Inc.

5.2.2.3.2 TopN Statistics

Network DDoS profile supports the TopN traffic statistics function. Currently, the
system can perform TopN statistics for only the TCP, UDP and ICMP traffic. The IP
address of the TopN attack source can be IPv4 or IPv6. By default, this function is
disabled.

 Configuration Example via CLI

Enable the TopN traffic statistics function for the network DDoS profile by executing
the “ddos profile zone topn on” command.

AN(config)#ddos profile zone topn on profile_icmp 3

5.2.3 TCP DDoS Attack Defense

The administrator can add TCP DDoS attack defense capabilities to the network
DDoS profile by setting TCP DDoS defense rules.

5.2.3.1 Defense Against SYN Flood Attack

 Attack Description:

The attacker sends a large number of SYN packets to the destination, which leads to
lots of TCP semi-connections in the target server and therefore the server resources
are exhausted.

 Defense Principle:

The system performs source authentication and adds the source IPs that have passed
the authentication to the whitelist.

Execute the “ddos profile zone rule tcp synflood” command to set the SYN Flood
defense rule in the network DDoS profile.

AN(config)#ddos profile zone rule tcp synflood grp_pf1 100000

5.2.3.2 Defense Against SYN-ACK Flood Attack

 Attack Description:

The attacker sends a large number of SYN-ACK packets to the destination, which
leads to the server resource exhaustion because the target server needs to reply to
multiple packets.

 Defense Principle:

The system will perform session check.

Execute the “ddos profile zone rule tcp synackflood” command to set the SYN
-ACK Flood defense rule in the network DDoS profile.

2022 Array Networks, Inc.

2022 Array Networks, Inc.

AN(config)#ddos profile zone rule tcp connflood grp_pf1 10000 500 500 200 5

When detecting the connection flood attack, the system enables the slow and
abnormal connection detection for TCP connections based on the configuration of the
commands “ddos profile zone rule tcp slowconn” and “ddos profile zone rule tcp
abnconn”.

2. Execute the “ddos profile zone rule tcp slowconn” command to set the slow
connection defense rule in the network DDoS profile.

AN(config)#ddos profile zone rule tcp slowconn grp_pf1 5 5

3. Execute the “ddos profile zone rule tcp abnconn” command to set the abnormal
connection defense rule in the network DDoS profile.

AN(config)#ddos profile zone rule tcp abnconn grp_pf1 10 200 1 30 30 15

5.2.3.6 Defense Against TCP Fragment Flood Attack

 Attack Description:

TCP fragmentation is rare in the normal network traffic. If lots of TCP fragments
exist in the network, there may be a DDoS attack. The attacker sends lots of TCP
fragments to the target, usually causing the following hazards:

 Lots of TCP fragments occupy bandwidth resources. As a result, the victim is

slow in response or even fail to respond.

 The network appliance or server receives a large number of TCP fragments and
performs fragment reassembly, which might cause the network device or server
to degrade the performance or even unable to work properly.

 Defense Principle:

The system will reassemble TCP fragments.

Execute the “ddos profile zone rule tcp fragflood” command to set the TCP
fragment Flood defense rule in the network DDoS profile.

AN(config)#ddos profile zone rule tcp fragflood grp_pf1 100000

5.2.4 UDP DDoS Attack Defense

The administrator can add UDP DDoS attack defense capabilities to the network
DDoS profile by setting UDP DDoS defense rules.

5.2.4.1 Defense Against UDP Flood Attack

 Attack Description:

2022 Array Networks, Inc.

The attacker sends a large number of UDP packets to the destination, which leads to
the server resource exhaustion because the target server needs to reply to lots of this
type of packets.

 Defense Principle:

The system will perform the fingerprint identification and limit the rate.

Execute the “ddos profile zone rule udp flood” command to set the UDP Flood
defense rules in the network DDoS profile.

AN(config)#ddos profile zone rule udp flood grp_pf1 5000 100000

Execute the “ddos profile zone rule udp fingerprint” command to set the UDP
fingerprint identification defense rule in the network DDoS profile.

AN(config)#ddos profile zone rule udp fingerprint grp_pf1 20 8

5.2.4.2 Defense Against UDP Fragment Flood Attack

 Attack Description:

The attacker sends lots of UDP fragments to the target, usually causing the following
hazards:

 Attacks usually consume a large amount of bandwidth resources, which results in

serious network congestion.

 Large amounts of UDP fragments significantly degrade the performance of

network devices during session reorganization.

 Large amounts of UDP interface packets changes the performance of network

devices that forward traffic based on sessions and causes session exhaustion,
resulting in network crash.

If attack packets reach the open UDP ports of the server, the server will consume
computing resources to check the validity of packets. As a result, the server is slow in
response or even fail to respond.

 Defense Principle:

The system will reassemble the UDP fragment packets.

Execute the “ddos profile zone rule udp fragflood” command to set the UDP
fragment flood defense rule in the network DDoS profile.

AN(config)#ddos profile zone rule udp fragflood grp_pf1 100000 100000

2022 Array Networks, Inc.

5.2.5 ICMP DDoS Attack Defense

The administrator can add ICMP DDoS attack defense capabilities to the network
DDoS profile by setting ICMP DDoS defense rules.

5.2.5.1 Defend ICMP Flood Attack

 Attack Description:

The attacker sends a large number of ICMP packets to the destination, which leads to
the server resource exhaustion because the target server needs to reply to multiple
type of packets.

 Defense Principle:

The system will limit the rate.

Execute the “ddos profile zone rule icmp flood” command to set the ICMP Flood
defense rule in the network DDoS profile.

AN(config)#ddos profile zone rule icmp flood grp_pf1 5000 100000

5.3 Global Network DDoS Defense

The system has built-in global network profiles, providing defense against common
DoS attack and malformed packet attack.

After security zones are added, the global network DDoS profile automatically
provides corresponding network defense for them.

5.3.1 Global Network DDoS Profile

5.3.1.1 Profile Attribute Settings

5.3.1.1.1 Packet Anomaly Logging

Global network DDoS profile supports the abnormal packet logging function. The
system supports configuring the packet anomaly logging mode for all common DoS
defense rules for the global network DDoS profile. After this function is configured,
the system will record the abnormal packet logs when abnormal packets are detected
for the global network DDoS profile.

 Configuration Example via CLI

Configure the packet anomaly logging function for the global network DDoS profile
by executing the “ddos profile global anomalylog” command.

AN(config)# ddos profile global anomalylog summary

2022 Array Networks, Inc.

AN(config)# ddos profile global defend teardrop on

5.3.2.6 UDP Fraggle

 Attack Principle:

UDP Fraggle is a variant of the Smurf attack. The attacker sends UDP packets to the
network of the victim. The source address of the packet is the address of the victim
host. The destination address is the broadcast address or the network address of the
subnet to which the victim host belongs and the destination port is 7 or 19. In this case,
hosts with ports 7 (ECHO) and 19 (Chargen) enabled in the subnet will send
responses to the victim host, which generates a large amount of traffic and occupies
the bandwidth, resulting in blocked network or system crash.

Even hosts with ports 7 (ECHO) and 19 (Chargen) disabled will generate an ICMP
unreachable message, which also consumes the bandwidth. If the attacker changes the
source port of the UDP packet to 19 and the destination port to 7, it will keep
generating a large number of responses, which is more harmful.

 Defense method:

The system detects the UDP packets and discards them if the destination port is 7 or
19.

 Configuration Example via CLI

Execute the “ddos profile global defend fraggle” command to enable the Fraggle
attack defense function for the global network DDoS profile.

AN(config)# ddos profile global defend fraggle on

5.3.2.7 ICMP Tracert

 Attack Principle:

TraceRT attack means that the attacker spies on the structure of the network by the
routing path through which the packet reaches the destination by using the ICMP
timeout packet. The ICMP timeout packet is returned when TTL is 0 and the ICMP
port unreachable packet is returned when the destination address is reached.

 Defense method:

The system discards the detected ICMP timeout packet or port unreachable packet.

 Configuration Example via CLI

Execute the “ddos profile global defend tracert” command to enable the TraceRT
attack defense function for the global network DDoS profile.

2022 Array Networks, Inc.

AN(config)# ddos profile global defend tracert on

5.3.2.8 TCP Winnuke

 Attack Principle:

TCP WinNuke is also known as “Out-of-band transmission attack”. It aims at the

target port. The target port to be attacked is generally 139 and the URG bit is set to 1,
which is the emergency mode. The WinNuke attack uses the vulnerability of the
Windows system to send some TCP OOB data packets to the port. But unlike normal
OOB data packets, these attack packets have pointer fields that do not match the
actual location of the data, that is, they overlap with each other. As a result, the
Windows system crashes when it processes the data.

 Defense method:

If the target port of the TCP packet is 139, the URG bit is 1 and the URG pointer is
not empty, the system will discard this packet.

 Configuration Example via CLI

Execute the “ddos profile global defend winnuke” command to enable the Winnuke
attack defense function for the global network DDoS profile.

AN(config)# ddos profile global defend winnuke on

5.3.3 Malformed Single-packet Attack Defense

The malformed single-packet attack defense defends against all kinds of malformed
single-packet attacks.

5.3.3.1 IP Packet Attack with Routing Record Option

 Attack Principle:

In IP routing technology, the routing record option is used to record the path through
which the IP packet passes from the source address to the destination address, that is,
it records a list of routers that have processed this packet. The IP routing record option
is often used to troubleshoot network paths but can also be used by malicious
attackers to spy on network structures.

 Defense method:

The system detects whether the IP routing record option is set in the packet and if so,
discard the packet.

 Configuration Example via CLI

2022 Array Networks, Inc.

Execute the “ddos profile global drop ipoption routerecord” command to enable
the function of discarding the IP packets with routing record option for the global
network DDoS profile.

AN(config)# ddos profile global drop ipoption routerecord

5.3.3.2 IP Packet Attack with Source Routing Option

 Attack Principle:

In IP routing technology, the routing of the IP packets is determined by the router in

the network based on the destination address of the packet. In the meantime, it also
provides a way for the sender of the packet to determine the packet path, that is the
source routing option. The source routing option allows the source to explicitly
specify a route to the destination and override the routing options of the intermediate
routers. The source routing option is often used for troubleshooting network paths and
temporary transmissions of a particular service. Since the IP source routing option
ignores the intermediate forwarding process and the working state of the forwarding
interface of each device in the packet transmission path, it may be used by malicious
attackers to spy on the network structure.

 Defense method:

The system detects whether the IP source routing option (Loose/Strict) is set in the
packet. If this option is set, the packet is discarded.

 Configuration Example via CLI

Execute the “ddos profile global drop ipoption sourceroute” command to enable
the function of discarding the IP packets with (Loose/Strict) source routing option for
the global network DDoS profile.

AN(config)# ddos profile global drop ipoption sourceroute

5.3.3.3 IP Packet Attack with Timestamp Option

 Attack Principle:

In IP routing technology, the timestamp option is used to record the path and time of
the IP packet from the source address to the destination address, that is, it records a
list of routers that have processed this packet. The timestamp option is often used to
troubleshoot network paths but can also be used by malicious attackers to spy on
network structures.

 Defense method:

The system detects whether the timestamp option is set in the packet. If this option is
set, the packet is discarded.

 Configuration Example via CLI

2022 Array Networks, Inc.

Execute the “ddos profile global drop ipoption timestamp” command to enable the
function of discarding the IP packets with timestamp option for the global network
DDoS profile.

AN(config)# ddos profile global drop ipoption timestamp

5.3.3.4 TCP Packet Flag Attack

 Attack Principle:

The attacker makes damage to the hosts by sending packets with illegal TCP flag
combinations.

 Defense method:

The system checks each flag bit of the TCP packet and discards it if one of the
following cases occurs:

 All of the 6 flag bits are 1.

 All of the 6 flag bits are 0.

 Both the SYN and FIN bit are 1.

 Both the SYN and RST bit are 1.

 The FIN bit is 1 and the ACK bit is 0.

 Both the FIN and RST bit are 1.

 The FIN, PUSH and URG bit are all 1.

 Only the FIN bit is 1.

 Only the PUSH bit is 1.

 Only the URG bit is 1.

 The fragment packet with SYN bit set to 1.

 The fragment packet with RST bit set to 1.

 The fragment packet with FIN bit set to 1 and no payload.

 Configuration Example via CLI

Execute the “ddos profile global drop tcp errflag” command to enable the function
of discarding the packets with illegal TCP flag combinations for the global network
DDoS profile.

AN(config)# ddos profile global drop tcp errflag

2022 Array Networks, Inc.

5.3.3.5 Large UDP Packet Attack

 Attack Principle:

The attacker initiates the attack against the target system by using the large UDP
packets. For this type of attack, if the system does not handle it properly, a system
crash or reboot will occur.

 Defense method:

Users can configure the maximum length of UDP packets allowed to pass through the
system based on the actual network requirement. When the length of the actual UDP
packet exceeds the value, the system determines it as the large UDP packet attack and
discards the packet.

 Configuration Example via CLI

Execute the “ddos profile global drop udp largepkt” command to enable the
function of discarding the large UDP packets for the global network DDoS profile.

AN(config)# ddos profile global drop udp largepkt on 5000

5.3.3.6 ICMP Redirecting Packet Attack

 Attack Principle:

In general, the network device sends ICMP redirecting packets to hosts in the same
subnet, requesting the hosts to change routes, and it only sends ICMP redirecting
packets to the host but not to other devices. However, some malicious attacks may
send fake redirecting packets to hosts in another network across the network segment,
so as to change the routing table of the target host and interfere with the normal IP
packet forwarding of the target host.

 Defense method:

The system discards the ICMP redirecting packets.

 Configuration Example via CLI

Execute the “ddos profile global drop icmp redirect” command to enable the
function of discarding ICMP redirecting packets for the global network DDoS profile.

AN(config)# ddos profile global drop icmp redirect on

5.3.3.7 ICMP Unreachable Packet Attack

 Attack Principle:

Different hosts have different ways to process ICMP unreachable packets. When
receiving network or host unreachable ICMP packets, some hosts determines the
subsequent packets to this destination address as unreachable, which cuts off the

2022 Array Networks, Inc.

connection between the destination address and the host. Attackers exploit this
vulnerability by constructing unreachable ICMP packets to cut off the connection
between the victim and the destination and therefore causing an attack.

 Defense method:

The system discards the ICMP unreachable packets.

 Configuration Example via CLI

Execute the “ddos profile global drop icmp unreachable” command to enable the
function of discarding the ICMP unreachable packets for the global network DDoS
profile.

AN(config)# ddos profile global drop icmp unreachable on

5.3.3.8 Large ICMP Packet Attack

 Attack Principle:

The attacker initiates the attack against the target system by using the large ICMP
packet attack. In some cases, if the system fails to process large ICMP packets, it will
cause system crash or reboot.

 Defense method:

Users can configure the maximum length of ICMP packets allowed to pass through
the system based on the actual network requirement. When the length of the actual
ICMP packet exceeds the value, the system determines it as the large ICMP packet
attack and discards the packet.

 Configuration Example via CLI

Execute the “ddos profile global drop icmp largepkt” command to enable the
function of discarding the large ICMP packets for the global network DDoS profile.

AN(config)# ddos profile global drop icmp largepkt on 4000

2022 Array Networks, Inc.

Chapter 6 Application Defense

6.1 Security Service

6.1.1 Overview

Security service defines a defense object for which the defense against attacks of the
DNS, HTTP, or HTTPS protocol is provided. The defense scope of the security
service is determined by the IP+port pairs and IP subnet+port pairs added to it. The
system provides application DDoS mitigation and WAF security services (for
HTTP-type and HTTPS-type security services) for traffic only when its destination IP
and port matches an IP+port pair or IP subnet+port pair added to the security service.

According to the application protocol, security services can be divided into

HTTP-type security services, HTTPS-type security services, and DNS-type security
services. For HTTP-type and HTTPS-type security services, the system can provide
WAF and application DDoS defense services; for DNS-type security services, the
system can provide application DDoS defense services. For the description and
configuration of WAF defense, refer to section 6.2 WAF. For the description and
configuration of application DDoS defense, refer to section 6.3 Application DDoS
Defense.

According to the working mode, security services can be divided into virtual services
and non-virtual services. In “transparent” working mode, the IP+port pairs or IP
subnet+port pairs added to the security service are the IP addresses and ports of the
services to be defensed in the internal network. Therefore, the security services to be
configured are non-virtual services. While in “proxy” working mode, the security
service will proxy the real services to provide external services. Therefore, the
security services to be configured must be virtual services (set the “virtual” keyword
for the security services). In addition, real services need to be configured to represent
services to be defensed in the internal network and be associated with virtual services.

Note:

 HTTP-type security services support both “transparent” and “proxy” working modes.
 HTTPS-type security services support only the “proxy” working mode.
 DNS-type security services support only the “transparent” working mode.
 Only one IP+port pair can be added to one virtual service.
 In “proxy” working mode, one virtual service can only be associated with one real
service, while one real service can be associated with multiple virtual services.

2022 Array Networks, Inc.

6.1.2 Configuration Example

6.1.2.1 Security Service in “Transparent” Working Mode

 Configuration Example via CLI

1. Create a security service by executing the “security service name” command.

Take an HTTP-type security service as an example:

AN(config)#security service name http_srv1 http

2. Add an IP+port pair to the security service by executing the “security service
address” command. The maximum number of IP+port pairs that can be added to
every security service varies with system memories. For details, refer to
Appendix II System Specifications in the ASF CLI Handbook.

AN(config)#security service address "http_srv1" 192.168.1.2 80

You can also add an IP subnet+port pair to the security service by executing the
“security service netaddress” command. The maximum number of IP subnet+port
pairs that can be added to every security service varies with system memories. For
details, refer to Appendix II System Specifications in the ASF CLI Handbook.

AN(config)#security service netaddress "http_srv1" 192.168.1.0 255.255.255.0 80

3. View the configuration summary of the security service by executing the “show
security service summary” command.

AN(config)#show security service summary http http_srv1

---------------------------------
Security service name "http_srv1"
Type: http
Option: -
Address: ipv4
ipport: 1
192.168.1.2(80)
netport: 1
192.168.1.0/255.255.255.0(80)
Host allow: "-"
Policy static: "-"
Policy default: "-"
DDoS profile: "auto_profile_http_srv1"
Defense mode : detect
Auto blacklist: on
Anomaly check : off
Anomaly log : off

2022 Array Networks, Inc.

http.getflood : rps_alert 5000, rps_ratio 30%

http.postflood : rps_alert 1000, rps_ratio 30%
http.slowloris : cc_alert 100000, inter_time 500, timeout 5000, abcnt 10, check_cycle 30
http.slowpost : cc_alert 100000, inter_time 500, timeout 10000, abcnt 10, check_cycle
30
http.urlmonitor: rps_alert 100, rps_ratio 30%
http_accesslog: off
http_compression:
forbid: on
Http profile: -
Http errpage: 0
http request:
body_limit: 13107200
inspect_mode: buffer
http response:
body_limit: 65536
inspect_mode: buffer
body_mimetype: text/plain:text/html:text/xml:application/xml

6.1.2.2 Security Service in “Proxy” Working Mode

 Configuration Example via CLI

1. Create a security service to function as a virtual service by executing the

“security service name” command. Currently, HTTP-type and HTTPS-type
security services can be configured as virtual services. Take the HTTP-type
security service as an example.

AN(config)#security service name "http_srv2_v" http virtual

Note: To keep the client source IP and port unchanged, the administrator can enable the
Keep Source IP and Port Unchanged option, that is “security service name http_srv2_v
http virtual keepsource”. In addition, the administrator also needs to change the default
gateway of the server to the IP address of the appliance’s downlink interface.

2. Add an IP+port pair to the security service by executing the “security service
address” command. For a virtual service, only one IP+port pair can be added. If
the added IP address needs to respond to ARP requests, the administrator also
needs to set the “arp” keyword option.

AN(config)#security service address "http_srv2_v" 119.75.217.109 80 arp

3. Configure the real service that actually needs to be defensed by executing the
“security real service” command. Currently, HTTP-type and HTTPS-type real
services are supported.

2022 Array Networks, Inc.

AN(config)#security real service "http_real1" "http" 192.168.1.3 80

4. Associate the virtual service with the real service by executing the “security
service policy static” command. Currently, the HTTP-type and HTTPS-type
virtual services can be associated with the HTTP-type and HTTPS-type real
services.

AN(config)#security service policy static "http_srv2_v" "http_real1"

5. View the configuration summary of the security service by executing the “show
security service summary” command.

AN(config)#show security service summary "http" "http_srv2_v"

---------------------------------
Security service name "http_srv2_v"
Type: http
Option: virtual
Address: ipv4
ipport: 1
119.75.217.109(80) arp
netport: 0
Host allow: "-"
Policy static: "http_real1"
type: http
ipport: 192.168.1.3(80)
health: tcp 3 3
connreuse: on 0 300(s)
Policy default: "-"
DDoS profile: "auto_profile_http_srv2_v"
Defense mode : detect
Auto blacklist: on
Anomaly check : off
Anomaly log : off
http.getflood : rps_alert 5000, rps_ratio 30%
http.postflood : rps_alert 1000, rps_ratio 30%
http.slowloris : cc_alert 100000, inter_time 500, timeout 5000, abcnt 10, check_cycle 30
http.slowpost : cc_alert 100000, inter_time 500, timeout 10000, abcnt 10, check_cycle
30
http.urlmonitor: rps_alert 100, rps_ratio 30%
http_accesslog: off
http_compression:
forbid: on
Http profile: -
Http errpage: 0

2022 Array Networks, Inc.

http request:
body_limit: 13107200
inspect_mode: buffer
http response:
body_limit: 65536
inspect_mode: buffer
body_mimetype: text/plain:text/html:text/xml:application/xml

6.1.3 Load Balancing

The system supports providing the load balancing function for protected virtual
services, and evenly distributes service traffic to multiple real services in the backend.

To use the load balancing function, the administrator needs to add the real service to a
real service group (load balancing group), and then bind the group with the virtual
service.

6.1.3.1 Load Balancing Working Principle

In a typical network environment, the working mechanism of the load balancing
function is as follows:

1. The client visits the virtual service.

2. ASF forwards the traffic to the associated real service group.

3. The real service group forwards requests to the real services in the group
according to the load balancing methods.

6.1.3.2 Load Balancing Methods

Load balancing methods determine how to distribute requests among different real
services in the real service group. The following table lists the load balancing methods
supported by ASF.

Table 6–1 Load Balancing Methods Supported by ASF

Methods Description
If we have three servers in Group 1with two in Group 2, and chose round
Round Robin
robin as our metric, each request would follow the real services in order
(rr)
[1,2,3, 1, 2, 3…] for Group 1 and [4,5, 4, 5…] for Group 2.
Least The lc method tells SLB to select the real service with the fewest number of
Connections (lc) active connections.
The chi method forwards the client request hitting this real service group for
Consistent Hash the first time to one real service selected based on the hash value of the source
IP (chi) IP address and forwards the subsequent client requests whose source IP
addresses have the same hash value to the same real service persistently.

2022 Array Networks, Inc.

6.1.3.3 Health Check

The Health Check function allows the ASF appliance to collect real service
information and make a health status diagnosis (Down or Up) based on this
information. The results of these diagnoses will assist ASF to understand the real
services and decide which real service to forward the request to for processing.

ASF supports the following types of health check methods:

 ICMP Health Check

It is a limited health check method that simply sends an ICMP echo (ping) to the
server. If the server responds with an ICMP reply then the server is marked as “up”.
The server is marked as “down” otherwise. This does NOT check for the running
service or the quality of the service.

 TCP Health Check

TCP health check simply opens a TCP connection to a specific port of the real service.
If that connection fails, the server will be marked as “down”. The server will be
marked as “up” if the TCP connection succeeds. This health check does not indicate if
the service is actually functioning. A more effective health check is achieved through
HTTP requests.

The administrator can also use the “health interval” command to set the interval and
timeout of the health check function. Health check statistics can be viewed using the
“show statistics health” command.

6.1.3.4 Configuration Example

 Configuration Example via CLI

1. Define real services

Define real services by using the “security real service” command:

AN(config)#security real service service1http http 192.168.10.10 80 tcp 3 3

AN(config)#security real service service2http http 192.168.10.11 80
AN(config)#security real service service3http http 192.168.10.12 80

When you define an HTTP real service with just the real service name, IP address and
port, it will use the following default values:

 Health check type: TCP

 Consecutive up health check results before server is marked up: 3

 Consecutive down health check results before server is marked down: 3

2. Define a real service group and SLB method.

2022 Array Networks, Inc.

Configure for a real service group using the lc method by using the “security group
method” command.

AN(config)#security group method lcgroup lc

3. Add the real services into the defined group.

Add the created real services into the real service group by using the “security group
member” command.

AN(config)#security group member lcgroup service1http

AN(config)#security group member lcgroup service2http
AN(config)#security group member lcgroup service3http

4. Define a virtual service and add IP address and port to it.

Define an HTTP-type virtual service by using the “security service name” command
and add an IP address and port to it by using the “security service address”
command.

AN(config)#security service name virtual1http http virtual

AN(config)#security service address virtual1http 10.10.0.10 80

Note: The VIP address cannot be the same IP as any management IP address. The VIP
address configured must be within the same subnet as any system interface on the
appliance (except the 0.0.0.0 and noarp cases). For the VIP address that does not match
the subnet of any interface, the system will not allow it to be configured. If a VIP address
is not associated with a real service or service group, the client will get a 503 Service
Unavailable response from the ASF appliance. 503 will also be returned when all real
services are down in a group.

5. Assoiciate the real service group with the virtual service.

Assoiciate the real service group with the virtual service by using the “security
service policy default” command.

AN(config)#security service policy default virtual1http lcgroup

6. Enable the Health Check function.

Configure the interval and timeout value of the health check by using the “health
interval” command, and enable the function by using the “health on” command.

AN(config)#health interval 10 5
AN(config)#health on

2022 Array Networks, Inc.

6.2 WAF
If WAF defense needs to be provided for a security service, the administrator can
configure a WAF profile, add defense rules to the WAF profile, and apply the WAF
profile to the security service through a WAF policy.

The WAF defense provided by the system integrates the negative WAF security
model and positive WAF security model. You can add defense rules under the two
security models into the same WAF profile. The defense rules under the negative
WAF security model take precedence over those under the positive WAF security
model.

6.2.1 Negative WAF and Positive WAF Security Models

The negative WAF security model recognizes and blocks abnormal traffic and permits
normal traffic. This model will match client requests and server responses against
built-in signature library and other attack defense rules in order to determine whether
sessions are valid. If they match one or more signatures, client accesses will be
recognized as illegal accesses and the system will block client accesses or record
attack logs according to the configuration made by the administrator.

The positive WAF security model recognizes normal traffic and blocks other
abnormal traffic. This model recognizes the characteristics of normal application
traffic by automatic traffic learning. This model can generate positive whitelists,
which allows only traffic matching these whitelists to pass. The positive WAF
function supports generating positive whitelists manually or automatically based on
the automatic traffic learning results. If a request does not match any positive whitelist,
it will be considered as illegal and the system will block the client access or record the
attack log according to the configuration made by the administrator.

In the system, requests first go through the processing of the negative WAF security
model, and then through the positive WAF security model.

6.2.2 Relationship Between the WAF Profile, Rule and

Policy

The following figure displays the relationship between the WAF profile, rule, and
policy.

2022 Array Networks, Inc.

Figure 6–1 Relationship Between the WAF Profile, Rule and Policy

The WAF profile is a set of rules that provide WAF defense for the security services.
The maximum number of WAF profiles that the system supports varies with system
memories. For details, refer to Appendix II System Specifications in the ASF CLI
Handbook.

WAF defense rules are attack defense rules that are provided to the security service by
using specific defense methods, such as signature rules, Data Leak Protection (DLP)
rules, content filter rules, virtual patch rules, and positive whitelist rules.

The WAF policy is used to apply the WAF profile to the security service. One WAF
profile can be used to provide WAF defense for multiple security services, while one
security service can have only one applied WAF profile.

6.2.3 WAF Profile

6.2.3.1 Profile Definition and Attribute Settings

6.2.3.1.1 Creating a WAF Profile

When a WAF profile is created, the system will automatically add default WAF rules
and attribute settings to it. The administrator can modify the defense rules and
attribute settings of the WAF profile as required. The maximum number of WAF
profiles that the system supports varies with system memories. For details, refer to
Appendix II System Specifications in the ASF CLI Handbook.

 Configuration Example

To create a WAF profile, execute the following command:

AN(config)#waf profile name p1

2022 Array Networks, Inc.

To view the defense rules and attribute settings of the WAF profile, execute the
following command:

AN(config)#show waf profile config p1

waf profile auditlog off "p1"
waf profile auditlog requestbody off "p1"
waf profile auditlog response off "p1"
waf profile negative defensemode "p1" detect
waf profile negative defenselevel "p1" 1
waf profile negative patch on "p1"
waf profile negative signature on "p1"
waf profile negative signature predefine "p1" "multi" "multi" "multi"
waf profile negative signature pending on "p1"
waf profile negative signature pending period "p1" 168
waf profile negative dlp off "p1"
waf profile negative dlp action "p1" mask
waf profile negative contentfilter off "p1"
waf profile negative contentfilter action "p1" deny
waf profile negative csrf off "p1"
waf profile negative csrf reqtoken "p1" "waf_csrf_token"
waf profile negative csrf cookietoken "p1" "waf_csrf_token"
waf profile negative leech off "p1"
waf profile negative antics off "p1"
waf profile negative antics action "p1" block
waf profile negative antics trapurl "p1" /acs_traplink
waf profile negative leech action "p1" deny
waf profile positive off "p1"
waf profile positive learning on "p1"
waf profile positive defensemode "p1" detect
waf profile positive whitelist auto off "p1"
waf profile positive whitelist auto allowtime "p1" 0 24
waf profile wad off "p1"
waf profile wad action "p1" deny

6.2.3.1.2 Defense Mode

The WAF defense mode is a WAF profile attribute, which defines what action will be
taken when the WAF profile detects suspicious traffic. The system supports two WAF
defense modes:

 detect: detects and records Web attacks.

 defend: detects, records and prevents Web attacks.

2022 Array Networks, Inc.

The administrator can set the defense mode for the negative WAF and positive WAF
respectively. The default defense modes of the negative WAF and positive WAF are
both “detect”.

 Configuration Example

To set the defense mode for the negative WAF, execute the following command:

AN(config)#waf profile negative defensemode p1 defend

To set the defense mode for the positive WAF, execute the following command:

AN(config)#waf profile positive defensemode p1 defend

6.2.3.1.3 WAF Audit Log

The system supports recoding detailed audit logs for attacks detected by the WAF
profile, which facilitate the audit of client accesses by the administrator. By default,
WAF audit logging is disabled for the WAF profile. For the description of the WAF
audit logs’ format, refer to section 11.6 WAF Audit Logging.

 Configuration Example

To enable WAF audit logging for the WAF profile, execute the following command:

AN(config)#waf profile auditlog on p1

6.2.3.2 Signature Rule Configuration

By default, signature-based defense is enabled for the WAF profile. You need to filter
predefined signature rules to be enabled for the WAF profile, or associate custom
signature rules with it.

6.2.3.2.1 Defense Levels of Predefined Signatures

Every predefined signature rule has a defense level, which ranges from 0 to 4.

A defense level ranging from 0 to 4 can be set for the WAF profile. The smaller the
defense level, the smaller the defense scope, but the higher defense accuracy and less
false positives; the larger the defense level, the larger the defense scope, but the lower
defense accuracy and more false positives.

 0: indicates that the WAF profile contains a core subnet of predefined signature
rules whose defense level is 1.

 1: indicates that the WAF profile contains predefined signature rules whose
defense level is 1.

 2: indicates that the WAF profile contains predefined signature rules whose
defense level is 1 and 2.

2022 Array Networks, Inc.

 3: indicates that the WAF profile contains predefined signature rules whose
defense level is 1, 2 and 3.

 4: indicates that the WAF profile contains predefined signature rules whose
defense level is 1, 2, 3 and 4.

The default defense level of the WAF profile is 1.

 Configuration Example via CLI

To set the defense level for the WAF profile, execute the following command:

AN(config)#waf profile negative defenselevel p1 2

6.2.3.2.2 Filtering Predefined Signatures by Application Characteristics

The ASL contains all predefined signatures supported by the system. These
predefined signatures take effect only when being added to the WAF profile. You can
select an optimal set of predefined signatures by the characteristics of the application
to be defended (platform on which the application runs, application type, and the
programming languages used by the application), and add them to the WAF profile.

By default, common predefined signatures have been added to the WAF profile. You
can filter predefined signatures according to actual application characteristics and add
them to the WAF profile.

 Configuration Example via CLI

To filter the predefined signatures to be enabled for the WAF profile by application
characteristics, execute the following command:

AN(config)#waf profile negative signature predefine p1 "multi:WordPress" "multi:iis"

"multi"

6.2.3.2.3 Adding Custom Signatures to the WAF Profile

In addition to predefined signatures, you can create custom signatures. You need to
add the created custom signatures to the WAF profile for them to take effect.

 Configuration Example via CLI

1. Create a custom signature by executing the “waf negative signature custom

name <custom_signature_name> <effect_phase>” command.

AN(config)#waf negative signature custom name cs 1

In this example, 1 stands for the phase in which this signature takes effect. Custom
signatures support the following effect phases:

– 1: takes effect before all signatures.

2022 Array Networks, Inc.

– 2: takes effect in the phase in which request signatures are used.

– 3: takes effect in the phase in which response signatures are used.

– 4: takes effect after all signatures.

2. (Optional) Import the external data file on which preceding custom signature
depends by executing the “waf negative signature custom data <url>”
command.

AN(config)#waf negative signature custom data http://192.168.1.200/rule.data

3. Import the external signature rule file by executing the “waf negative signature
custom rule <custom_signature_name> <url>” command.

AN(config)#waf negative signature custom rule cs http://192.168.1.200/rule.conf

4. Associate the custom signature with the WAF profile by executing the “waf
profile negative signature custom <waf_profile_name>
<custom_signature_name>” command.

AN(config)#waf profile negative signature custom p1 cs

6.2.3.2.4 Configuring Whitelist URLs for Signature-based Defense

To save system resources and enhance the defense efficiency, administrators can
configure whitelist URLs for the signature-based defense function. A maximum of
255 whitelist URLs can be configured for the signature-based defense function of
every WAF profile.

If the request URL matches any configured whitelist URL, the system skips the
checks of signature-based defense for such requests.

 Configuration Example via CLI

To configure a whitelist URL for the signature-based defense function of a specified

WAF profile, execute the “waf profile negative signature whitelist
<waf_profile_name> <index> <url> [query_parameter]” command. For example:

AN(config)#waf profile negative signature whitelist p1 1 /legacy/ "abc"

6.2.3.2.5 Excluding Signature Rules

Predefined signature rules may cause false positives in different production

environment. In this case, you can exclude some signatures to avoid false positives.

You can exclude a specific signature by its signature ID.

AN(config)#waf profile negative signature excludeid p1 800920350

2022 Array Networks, Inc.

6.2.3.2.6 Excluding URL for a Signature

You can also exclude a specific URL for a specified signature rule.

AN(config)#waf profile negative signature excludeurl p1 "/dashboard/upload.php"

800920350

6.2.3.3 CSRF Defense Rule Configuration

As one type of defense rules in the negative WAF security model, the Cross-Site
Request Forgery (CSRF) defense rule can prevent an attacker from using a trusted
user to send an unexpected request to the server, for example, sending an email,
purchasing goods, transferring money, or modifying data. The CSRF defense rule is
part of the WAF profile.

After the CSRF defense function is enabled in the WAF profile, the system will use
the token value to determine whether the request is a CSRF attack. Requests that are
determined to be CSRF attacks will be intercepted by the system. The system also
allows the administrator to customize the token name for the token value in the
request to access the site.

The CSRF defense function provides defense only for configured protected URL path.
If certain URLs or URL paths under the protected URL path do not require CSRF
defesne, you can configure them as the whitelist URL paths in order to save system
resources. The CSRF defense function also supports the configuration of script
injection exceptions to skip script injection for specified URL paths, which avoids
service interruption caused by abnormal script insertion.

Note:

 The CSRF defense function supports checking only clients’ HTTP/HTTPS requests
with request method being GET or POST.
 The CSRF defense function has the following limitations:
- It does not support checking clients’ HTTP/HTTPS POST requests with
Content-type header being “application/json” or “text/xml”.
- It does not support checking clients’ HTTP/HTTPS requests with Content-type
header being “application/xhtml+xml”.
- It does not support checking clients’ HTTP/HTTPS requests whose request URLs
are obtained via JavaScript. Currently, only the clients’ HTTP/HTTPS requests
whose request URLs are defined in HTML tag attributes can be checked by this
function.

 Configuration Example via CLI

1. Add a protected URL path for the CSRF defense function of a specified WAF
profile.

2022 Array Networks, Inc.

AN(config)#waf profile negative csrf urlpath protect p1 1 "/file"

2. (Optional) Add a whitelist URL path that does not need the CSRF defense for the
CSRF defense function of a specified WAF profile.

AN(config)#waf profile negative csrf urlpath whitelist p1 1 "/file/picture"

3. (Optional) Add a script injection exception to the CSRF defense function of a

specified WAF profile.

AN(config)#waf profile negative csrf urlpath scriptexcept p1 1 "/file/vedio"

4. (Optional) Configure the token name and Cookie token name for the token value
and Cookie token value in the request to access the site for the CSRF function of
a specified WAF profile.

AN(config)#waf profile negative csrf reqtoken p1 "p1reqtoken"

AN(config)#waf profile negative csrf cookietoken p1 "p1cookietoken"

5. Enable the CSRF defense function for the WAF profile.

AN(config)#waf profile negative csrf on p1

6.2.3.4 Anti-crawling/scanning Defense Rule Configuration

As one type of defense rules in the negative WAF security model, the
anti-crawling/scanning defense rule can prevent web crawlers and scanners from
crawling back-end server information or scanning for potential vulnerabilities in the
backend server.

After the anti-crawling/scanning function is enabled in the WAF profile, the system
will automatically recognize web crawlers and scanners, and conduct the configured
action against crawling/scanning attacks. This function supports the following two
actions against crawling/scanning attacks:

 block: blocks the client from accessing sercurity services for a period of time and
records attack logs. The system will add the client’s source IP address to the
automatic IP blacklist as an entry. The requests from the blacklisted clients will
be blocked before the automatic IP blacklist entry times out.

 log: only records attack logs but does not block attacks.

The default action is “block”.

 Configuration Example via CLI

1. Enable the anti-crawling/scanning function for a specified WAF profile.

AN(config)#waf profile negative antics on p1

2022 Array Networks, Inc.

2. Set the action that the system conducts against crawling/scanning attacks for the
anti-crawling/scanning function.

AN(config)#waf profile negative antics action p1 block

3. (Optional) Set the trap URL path for the anti-crawling/scanning function.

AN(config)#waf profile negative antics trapurl p1 "/homepage_trap"

6.2.3.5 DLP Rule Configuration

Data Leak Protection (DLP) rules are a type of rules under the negative WAF security
model and are used to prevent the user’s private or sensitive information, such as
identity information, mobile phone number, email address, credit card number, from
being exposed. DLP rules are a part of the WAF profile.

When the DLP function is enabled for the WAF profile, the system will detect
whether server responses contain above-mentioned information. If the response
returned by the server contains private information, the system will process it
according to the configured action. The DLP function supports the following actions:

 mask: masks the private keyword contained in the response.

 log: only records the logs.

The default action is “mask”.

The system masks the private information by the following rules. For the email
address, the system will mask the username before the “@” character; for the identity
card information and bank card number, the system will mask the part other than the
first six and the last four digits; for the mobile phone number, the system will mask
the part other than the first three and last four digits.

 Configuration Example via CLI

1. Configure the action for the DLP function.

AN(config)#waf profile negative dlp action p1 mask

2. Enable the DLP function in the WAF profile.

AN(config)#waf profile negative dlp on p1

3. Configure DLP rules as required.

AN(config)#waf profile negative dlp bankcard p1

For every type of DLP rule, the system provides a default regular expression. You can
also configure a custom regular expression to match special sensitive information.

AN(config)#waf profile negative dlp bankcard p1 "\b([1-9]{1})(\d{15}|\d{18})\b"

2022 Array Networks, Inc.

6.2.3.6 Content Filter Rule Configuration

The content filter function can prevent server response from containing sensitive
words, in order to avoid the exposure of the user’s sensitive information or to meet
security compliance requirements. You can customize a sensitive keyword dictionary
and import it to the system. The sensitive keyword dictionary has a sensitive keyword
in each line and supports UTF-8 and ASCII encoding.

If the server response contains any sensitive keyword, the system will perform the
configured action. The content filter function supports the following actions:

 mask: masks the sensitive keyword contained in the response.

 deny: blocks the client access.

 log: only records logs.

The default action is “deny”.

 Configuration Example via CLI

1. Import the sensitive keyword dictionary from an external server:

AN(config)#waf profile negative contentfilter dictionary import p1

"http://192.168.1.200/dict.txt"

2. Configure the action for the content filter function.

AN(config)#waf profile negative contentfilter action p1 deny

3. Enable the content filter function for the WAF profile

AN(config)#waf profile negative contentfilter on p1

6.2.3.7 WAD Function Configuration

The Web Anti-Defacement (WAD) function can detect and prevent the defaced web
pages from being returned to the client. The WAD defense rule is part of the WAF
profile.

With this function enabled, the system will cache the protected web resources and
detect whether the web resources returned subsequently by the web server have been
defaced. If the web returned by the web server is defaced, the system will perform the
anti-defacement action. Two types of anti-defacement actions are supported:

 returns the cached original web page to make the anti-defacement effects
unnoticeable.

 (default) returns a 503 error page to the client to end the service.

To add anti-defacement function to a web page, administrators only need to configure

the web page as a protected web resource.

2022 Array Networks, Inc.

Note:

 This function does not support refreshing the cached web pages manually. To update
the protected web resource and its cache, you need to disable the WAD function first,
then clear the cache of its web pages using the “waf profile wad evict” command, and
enable the WAD function at last.
 This function does not support processing HTTP responses with a
“Transfer-Encoding: chunked” response header.
 The WAF function can cache only web pages less than 64MB. Each WAF profile can
protect a maximum of 4096 web pages.

 CLI Configuration Example

To enable WAD function for a specified web resource, perform the following steps:

1. Add a web resource to the WAD function of the specified WAF profile.

AN(config)#waf profile wad resource p1 "abc_protect" "/path/homepage"

2. Specify the anti-defacement action for the WAD function of a specified WAF
profile.

AN(config)#waf profile wad action p1 recover

3. Enable the WAD function for a specified WAF profile.

AN(config)#waf profile wad on p1

6.2.3.8 Anti-leech Rule Configuration

As one type of defense rules under the negative WAF security model, the anti-leech
rule can prevent the attacker from using technical means to bypass other commercial
end-user windows (such as advertisement) and providing services belonging to other
service providers to end users on their own website, thus defrauding the end-user
browsing and clicking rate. The anti-leech rule is part of the WAF profile.

When the anti-leech function is enabled for the WAF profile, the system determines
the request is a leech attack if any of the following case occurs:

 The host part of the Referer header in the client request is not the same as the
Host header and they do not contain each other.

 The host part of the Referer header in the client request does not match any
Referer whitelist.

After a request is determined as a leech attack, the system takes action configured by
the “waf profile negative leech action” command. By default, this function is
disabled.

 Configuration Example via CLI

2022 Array Networks, Inc.

1. Add a protected URL path for the anti-leech function of a specified WAF profile.

AN(config)#waf profile negative leech urlpath protect p1 1 "/file"

2. Configure the action the system takes when a leech attack is detected for this
WAF profile.

AN(config)#waf profile negative leech action p1 deny

3. Add a whitelist Referer to the anti-leech function of the WAF profile.

AN(config)#waf profile negative leech referer whitelist p1 1 "www.baidu.com"

4. Enable the anti-leech function for the WAF profile.

AN(config)#waf profile negative leech on p1

6.2.3.9 Virtual Patch Rule Configuration

The virtual patch function converts external Web vulnerability scanner’s scanning
results (XML-format report) into virtual patches of Web servers, helping shorten the
window time that Web server vulnerabilities are exploited by attackers. It is suitable
for hardening the security of Web applications before security events. Currently, the
virtual patch function supports the IBM Rational AppScan Web vulnerability scanner.

To use the virtual patch function, you need to first import the scanning results of the
Web vulnerability scanner into the system as the virtual patch source, and then
generate the virtual patch based on the virtual patch source. A virtual patch is a set of
custom signatures generated and converted based on the scanning results. Finally, you
need to apply the virtual patch to the WAF profile and enable the virtual patch
function for it. The virtual patch function is enabled for the WAF profile by default.

 Configuration Example via CLI

1. Import the external scanning results of the Web vulnerability scanner as the
virtual patch source.

AN(config)#waf negative patch source source1 "http://192.168.1.200/result.xml"

2. Generate the virtual patch based on the virtual patch source.

AN(config)#waf negative patch name patch1 source1

3. Apply the virtual patch to the WAF profile.

AN(config)# waf profile negative patch apply p1 patch1

4. Enable the virtual patch function for the WAF profile.

AN(config)#waf profile negative patch on p1

2022 Array Networks, Inc.

6.2.3.10 Positive WAF Configuration

The positive WAF security model recognizes the characteristics of normal application
traffic by automatic traffic learning in order to form the positive security model
(whitelist model), which allows only traffic matching these whitelists to pass. The
positive WAF function supports generating positive whitelists manually or
automatically based on the automatic traffic learning results. If a request does not
match any positive whitelist, it will be considered as illegal request and the system
will block the client access or record the attack log according to the configuration
made by the administrator.

To use the positive WAF function, you need to enable positive WAF for the WAF
profile and enable the learning mode. After a period of learning, you can generate
positive whitelists based on learning logs of positive WAF. The system supports
generating positive whitelists manually or automatically.

After the learning mode of positive WAF is disabled, positive WAF enters into the
configured defense mode.

6.2.3.10.1 Positive Whitelist

With the function of automatically generating positive WAF whitelist enabled, the
system will automatically generate the positive WAF whitelist if the triggering
condition for auto generation (configured using the command “waf profile positive
whitelist auto count” or “waf profile positive whitelist auto period”) is met within
the time range that is allowed to automatically generate positive WAF whitelist
(configured using the “waf profile positive whitelist auto allowtime” command). By
default, this function is disabled.

6.2.3.10.2 Trusted Source

The system supports configuring the trusted source for positive WAF of the WAF
profile. If the learning mode is enabled for positive WAF (using the “waf profile
positive learning on” command), positive WAF will learn the characteristics of the
trusted sources' traffic. If the learning mode is disabled for positive WAF, positive
WAF allows the traffic of trusted sources to pass, but the system will still record
attack and audit logs when their traffic does not match the postive whitelist.

6.2.3.10.3 Configuration Example

 Configuration Example via CLI

1. Enable positive WAF for the WAF profile.

AN(config)#waf profile positive on p1

2. Enable the learning mode of positive WAF for the WAF profile.

AN(config)#waf profile positive learning on p1

2022 Array Networks, Inc.

3. (Optional) Configure the trusted source for positive WAF.

AN(config)#waf profile positive trustsource p1 1 1.1.0.0 255.255.0.0

4. After the learning mode is enabled for a period of time, manually generate
positive whitelists.

AN(config)#waf profile positive whitelist generate p1

Note: You can also configure the system to automatically generate positive whitelists. For
details, refer to the ASF CLI Handbook.

5. After you confirm that positive whitelists have been generated successfully,
disable the learning mode of positive WAF.

AN(config)#waf profile positive learning off p1

6. Set the defense mode of positive WAF.

AN(config)#waf profile positive defensemode p1 defend

6.2.4 WAF Policy

The WAF policy is used to apply the WAF profile to the security service. A WAF
profile can be used to provide WAF defense for multiple security services, while a
security service can have only one applied WAF profile.

 Configuration Example

To configure a WAF profile, execute the following command:

AN(config)#waf policy default s1 p1

6.2.5 WAF Automatic Decoding

Encoding tricks are common ways to bypass attack detection. WAF supports the
automatic decoding function, which allows the WAF engine to decode user inputs to
prevent attackers from bypassing attack detection using encoding tricks.

This function can decode Base64, Unicode and hexadecimal data, such as request
URL, cookie, query parameters and body.

 Configuration Example via WebUI

Select Application Defense > WAF Defense > Global > General Settings, in the
Basic Settings area, set the Automatic Decoding slider to ON, and click Apply
Changes.

2022 Array Networks, Inc.

Figure 6–2 Enabling Automatic Encoding

 Configuration Example via CLI

Enable the automatic decoding function for the WAF engine:

AN(config)#waf decode auto on

6.2.6 Array Signature Library (ASL)

ASL contains the signatures of latest attacks, including predefined signatures of

negative WAF and signatures of positive WAF.

Array Security Center (ASC) will regularly release ASL versions in the form of ASL
images. If customers have purchased the subscription license of security update
services, they can manually download or configure the system to automatically
download ASL images to update the ASL version of the appliance. The ASL update is
independent from the system update.

6.2.6.1 ASL Automatic Update

After the ASL automatic update function is enabled, the appliance will check whether
the ASC site has a new version of ASL image in the permitted automatic update
period. After fetching a new version of ASL image, the appliance will determine the
update mode based on the configured automatic update option:

 If the automatic update option is “effect”, the appliance will immediately

download and apply the new version of ASL image.

 If the automatic update option is “notify”, the appliance will notify the
administrator to manually apply the new version of ASL image.

 Configuration Example via WebUI

Select Application Defense > WAF Signature > Signature Library > ASL Update,
in the Automatic Update page, set Automatic Update option as “On - Notify
(Notify admin of new ASL update if any)” or “On - Effect (Apply new ASL update if
any)”, and configure Automatic Update URL, Automatic Update Period, and
(optional) Automatic Update Proxy settings, and then click Apply Changes.

2022 Array Networks, Inc.

Figure 6–3 ASL Automatic Update

 Configuration Example via CLI

1. Configure the ASC URL address of the new version of ASL image by executing
the “waf asl update auto address” command.

AN(config)#waf asl update auto address

https://asc.arraynetworks.com.cn/zh_Hans_CN/component/ASL

2. Configure the automatic update period by executing the “waf asl update auto
period” command.

AN(config)#waf asl update auto period 5 8

3. (Optional) Configure the proxy for Internet connectivity by executing the “waf
asl update auto proxy” command. This command needs to be configured only
when the appliance needs to access the Internet through a proxy.

AN(config)#waf asl update auto proxy 10.3.0.73:443 admin 123456

4. Enable the ASL automatic update function and specify the automatic update
option by executing the “waf asl update auto on” command.

AN(config)#waf asl update auto on effect

Note: If the specified automatic update option is “notify”, you need to apply the new version
of ASL image downloaded by the ASL automatic update function by executing the “waf asl
version apply” command.

6.2.6.2 ASL Manual Update

To update the ASL manually, contact Array Networks Customer Support to obtain the
latest version of ASL image, place the image on an FTP or HTTP/HTTPS server, and

2022 Array Networks, Inc.

manually update the ASL from this URL. In addition, WebUI also supports manually
updating the ASL by selecting a local ASL image.

 Configuration Example via WebUI

Select Application Defense > WAF Signature > Signature Library > ASL Update,
in the Manual Update page, specify the URL address of the new version of ASL
image or select a local ASL image, and then click Update Now.

Figure 6–4 ASL Manual Update

 Configuration Example via CLI

Manually update the ASL image by executing the “waf asl update manual”
command.

AN(config)#waf asl update manual

http://192.168.1.200/Array_Signature_Library_1.1.0_2019-04-10.array

6.2.6.3 ASL Image Management

The system provides operations to facilitate the ASL image management. The system
allows you to view images, delete images, and switch the effective image.

 Configuration Example via WebUI

Select Application Defense > WAF Signature > Signature Library > Basic
Settings, and in the ASL Image List area, view all ASL images available on the
appliance. If you want to delete an ASL image or switch the effective image, in the
Actioncolumn of the ASL image, click the Delete ( ) button and the Apply ( )
button.

In the Description column, “Effective” indicates the ASL image is currently effective;
“Latest” indicates that the ASL image is the latest image; “Built-in” indicates the ASL
image is system built-in. Effective image and built-in image cannot be deleted.

2022 Array Networks, Inc.

Figure 6–5 ASL Image Management

 Configuration Example via CLI

View all ASL images on the appliance by executing the “show waf asl version
status” command. “#” indicates the latest version; “*” indicates the effective version;
“&” indicates the system built-in version.

AN(config)#show waf asl version status

#Array_Signature_Library_1.1.0_2019-04-10.array(latest image)
*Array_Signature_Library_1.0.2_2019-03-12.array(effective image)
&Array_Signature_Library_1.0.1_2018-11-30.array(built-in image)

Switch the effective ASL image by executing the “waf asl version apply” command.

AN(config)#waf asl version apply Array_Signature_Library_1.1.0_2019-04-10.array

Delete a specified ASL image by executing the “no waf asl image” command.

AN(config)#no waf asl image Array_Signature_Library_1.1.0_2019-04-10.array

Clear all ASL images except the system built-in image and the effective image by
executing the “clear waf asl image” command.

AN(config)#clear waf asl image

6.2.6.4 Predefined Signatures of Negative WAF

The predefined signatures of negative WAF in the ASL can be divided into two types:

 Common signatures: can be used to counter against known vulnerabilities of Web

applications and protect Web applications that are implemented using third-party
software or developed by customers.

 Signatures specific to a Web application, platform, or programing language: for

example, signatures specific to the WordPress application.

2022 Array Networks, Inc.

6.2.6.5 Signatures of Positive WAF (Blacklist)

Signatures of positive WAF include only simple known signatures, which can be
viewed by executing the following command:

AN(config)#show waf positive signature

6.2.6.6 Signature Pending

To avoid negative impact on customer services during ASL upgrade, the system
supports configuring signature pending function for a WAF profile. After this
function is enabled, the system will set the state of the specified signature to
“Pending” within the specified period. If the client traffic hits a signature that is in
pending state, it will not be intercepted. By default, this function is enabled.

 Configuration Example via CLI

1. Apply the signature pending function to a signature by executing the “waf profile
negative signature pending id” command.

AN(config)#waf profile negative signature pending id p1 800920350

2. Configure the signature pending period by executing the “waf profile negative
signature pending period” command.

AN(config)#waf profile negative signature pending period p1 100

3. Enable the signature pending function by executing the “waf profile negative
signature pending on” command.

AN(config)#waf profile negative signature pending on

4. Display the signature pending status by executing the “show waf profile
negative signature pending status” command.

AN(config)#show waf profile negative signature pending status p1

6.3 Application DDoS Defense

Application DDoS defense is used to provide application-layer DDoS protection for
traffic of specific application-layer protocols.

6.3.1 Relationship Between Application DDoS Profile, Rule

and Policy

The following figure shows the relationship between application DDoS profile, rule
and policy.

2022 Array Networks, Inc.

Figure 6–6 Relationship between Application DDoS Profile, Rule and Policy

Application DDoS profile is a set of rules that provide a range of application-layer

DDoS protections for security services. The maximum number of application DDoS
profiles supported by the system varies with device memory. For details, refer to
Appendix II System Specifications in the ASF CLI Handbook.

Application DDoS defense rule is a rule used to provide DDoS attack defense rule the
security service by employing specific defense techniques, such as the HTTP Flood
defense rules and the DNS Flood defense rules.

Application DDoS policy is used to apply the application DDoS profile to the security
service.

6.3.2 Application DDoS Profile

Various DDoS defense rules and function switches for the application DDoS attack
defense are defined in the application DDoS profile. According to the creation
methods, the application DDoS profiles can be classified into automatic application
DDoS profiles and manual application DDoS profiles. According to the protocol type
of the protected traffic, the application DDoS profiles can be classified into
HTTP-type DDoS profiles, HTTPS-type DDoS profiles, and DNS-type DDoS profiles.
The DDoS defense rules supported by the automatic application DDoS profile are the
same as those of the manual application DDoS profile. The DDoS defense rules
supported by DDoS profiles of different protocol types are different because different
DDoS attacks are defended.

6.3.2.1 Automatic Application DDoS profile

When a security service is created, such as “srv1”, the system will create an automatic
application DDoS profile (such as “auto_profile_srv1”) by default, and the control

2022 Array Networks, Inc.

switches and defense rules in the profile will use default values. After the system
starts the traffic baseline learning task for the security service (refer to section 8.2.6.2
Traffic Baseline Learning of Security Service), the system can refresh the rules in the
automatic application DDoS profile based on the traffic learning result, so that the
appliance can dynamically adjust the defense rules according to the actual situation of
the customer network environment. The administrator can also manually configure
the defense rules in the automatic application DDoS profile. Once the specified rules
are manually configured by the administrator, these rules will not be dynamically
refreshed by the traffic learning result. Automatic application DDoS profile is
automatically created and deleted with the creation and deletion of the security service.
The administrator cannot manually create or delete the automatic profiles and can
only modify the control switches and defense rules in the profile.

6.3.2.2 Manual Application DDoS Profile

When a security service is created, such as “srv1”, the system will create an automatic
application DDoS profile by default, but the administrator can still create a manual
application DDoS profile and manually configure the control switches and defense
rules in the profile. Once an administrator binds a manually created profile to a
specified security service, the manual profile replaces the automatic profile to provide
application DDoS defense for the security service. A manually created profile can be
bound to multiple different security services at the same time.

 Configuration Example via CLI

1. Create a manual application DDoS profile (take DNS-type application DDoS

profile as an example) by executing the “ddos profile service name” command.

AN(config)#ddos profile service name manual_profile_dns dns

2. Bind the manual application DDoS profile to the specified security service by
executing the “ddos policy service” command.

AN(config)#ddos policy service srv_dns manual_profile_dns

3. View the binding relationship between the application DDoS profile and the
security service and the configuration summary by executing the “show ddos
profile service summary” command.

AN(config)#show ddos profile service summary dns manual_profile_dns

---------------------------------
DDoS profile name "manual_profile_dns"
type: dns
defense mode : detect
auto blacklist: on
auto whitelist: on
traffic topn : off

2022 Array Networks, Inc.

anomaly check : off

anomaly log : off
rule information:
dns.queryflood : pps_alert 500
dns.nxdomain : pps_alert 500 pps_ratio 30%
dns.replyflood : pps_alert 500
dns.cachepoison: 1
dns.verify : passive
dns.lengthcheck:
query, msg_len 512
reply, msg_len 512
dns.ttlcheck :

6.3.2.3 Profile Attribute Settings

6.3.2.3.1 Defense Mode

Application DDoS profile supports two defense modes:

 detect: indicates the detecting mode. The system only detects traffic anomalies
and attacks, but not blocks the traffic.

 block: indicates the blocking mode. The system has full defense ability, which
means that it not only detects traffic anomalies and attacks, but also blocks the
attack traffic.

The default value is “detect”.

 Configuration Example via CLI

Configure the defense mode for the application DDoS profile by executing the “ddos
profile service defensemode” command.

AN(config)#ddos profile service defensemode manual_profile_dns detect

6.3.2.3.2 Dynamically Generating Automatic IP Blacklists

Application DDoS profile supports dynamically generating automatic IP blacklists.

After this function is enabled, when detecting and identifying the source IP address of
the attack, the system automatically puts this IP address on the automatic IP blacklist
and thereby blocks the attack traffic and improves the defense performance. After this
function is disabled, the system defends the service traffic using only DDoS defense
rules. By default, this function is enabled.

 Configuration Example via CLI

Enable the function of dynamically generating automatic IP blacklists for the

application DDoS profile by executing the “ddos profile service bl_auto” command.

2022 Array Networks, Inc.

AN(config)#ddos profile service bl_auto on manual_profile_srv1

6.3.2.3.3 Dynamically Generating Automatic IP Whitelists

Application DDoS profile supports dynamically generating automatic IP whitelists.

After this function is enabled, when detecting and identifying the legal source IP
address, the system automatically puts this IP address on the automatic IP whitelist.
The system skips part of the defense process and quickly forward traffic if its source
IP matches the automatic IP whitelist, and thereby the defense performance is
improved. After this function is disabled, the system inspects the traffic only based on
the defense rules and forwards traffic that passes the inspection. By default, this
function is enabled.

Currently, only the DNS-type DDoS profile supports the function of dynamically
generating automatic IP whitelists.

 Configuration Example via CLI

Enable the function of dynamically generating automatic IP blacklists for DNS-type

DDoS profile by executing the “ddos profile service wl_auto” command.

AN(config)#ddos profile service wl_auto on manual_profile_dns

6.3.2.3.4 Packet anomaly detection

Application DDoS profile supports the packet anomaly detection function. After this
function is enabled, the system will perform the packet anomaly detection for the
security service and the detected abnormal packets will be discarded directly. By
default, this function is disabled.

Application DDoS profile also supports the packet anomaly logging function. After
this function is enabled, the system will perform the packet anomaly detection for the
security service and record the packet anomaly logs when abnormal packets are
detected. By default, this function is disabled.

 Configuration Example via CLI

Enable the packet anomaly detection function for the application DDoS profile by
executing the “ddos profile service anomalycheck” command.

AN(config)#ddos profile service anomalycheck on manual_profile_dns

Enable the packet anomaly logging function for the application DDoS profile by
executing the “ddos profile service anomalylog” command.

AN(config)#ddos profile service anomalylog on manual_profile_dns

2022 Array Networks, Inc.

6.3.2.3.5 TopN Statistics

Application DDoS profile supports the TopN traffic statistics function. Only the
DNS-type DDoS profile supports TopN traffic statistics. The IP address of the TopN
attack source can be IPv4 or IPv6. By default, this function is disabled.

 Configuration Example via CLI

Enable the TopN traffic statistics function for the DNS-type DDoS profile by
executing the “ddos profile service topn on” command.

AN(config)#ddos profile service topn on manual_profile_dns 20

6.3.2.4 Modify Configurations of Automatic/Manual

Application DDoS Profiles
The configurations of both automatic and manual application DDoS profiles can be
modified by changing related defense rule and attribute settings.

 Configuration Example via CLI

Modify the DNS Query Flood defense rule for the DNS-type application DDoS
profile by executing the “ddos profile service rule dns queryflood” command.

AN(config)#ddos profile service rule dns queryflood auto_profile_srv_dns 10000

6.3.3 HTTP DDoS Defense

HTTP and HTTPS DDoS profiles support HTTP DDoS defense. The administrator
can configure HTTP DDoS defense rules for the profiles to defend against HTTP
flood attacks.

6.3.3.1 Defense Against HTTP Flood Attack

 Attack Description:

The attacker sends a large number of HTTP requests to the target server, causing the
server to exhaust the resources and unable to respond to normal requests.

 Defense Principle:

When the HTTP GET/POST RPS of the security service reaches the threshold, the
system initiates source authentication for the client. The administrator configures the
threshold through the HTTP GET Flood attack defense rule and the HTTP POST
Flood attack defense rule.

The system supports two source authentication methods:

 Basic Mode (Redirection)

2022 Array Networks, Inc.

The system determines whether it is a normal user access or machine access by

redirecting the client request.

If the client is successfully redirected, the source authentication succeeds, and the
system releases the client request; otherwise, the source IP address of the client is
distributed to the automatic IP blacklist.

 Enhanced Mode (Verification Code)

If the basic mode source authentication succeeds and the HTTP GET/POST request
RPS of the security service still exceeds the threshold, the system will send a
verification code page to the client to determine whether it is a normal user access or a
machine access.

If the client returns the correct authentication code, the source authentication will
succeed, and the system will release the client request; otherwise, the source IP
address of the client will be distributed to the automatic IP blacklist.

 Configuration Example via CLI

Modify the HTTP GET Flood defense rule for HTTP/HTTPS-type application DDoS
profile by executing the “ddos profile service rule http getflood” command.

AN(config)#ddos profile service rule http getflood manual_profile_http 100000 30

Modify the HTTP POST Flood defense rule for HTTP/HTTPS-type application DDoS
profile by executing the “ddos profile service rule http postflood” command.

AN(config)#ddos profile service rule http postflood manual_profile_http 100000 30

6.3.3.2 Defense Against HTTP Slowloris Attack

 Attack Description:

The attacker establishes a large number of connections with the server and sends the
request header or body slowly through GET or POST requests, so that each
connection is maintained for a long time, and the server cannot provide services to
legitimate users.

 Defense Principle:

Slowloris attack defense is enabled when the number of concurrent connections of the
specified HTTP/HTTPS-type security service reaches the configured threshold. The
administrator can configure thresholds through HTTP Slowloris attack defense rules
and HTTP Slow POST attack defense rules.

If the HTTP request header or body is not completely received within the configured
timeout period, the request is determined as a Slowloris attack. If the interval of each
received request header fragment or body fragment exceeds the maximum interval

2022 Array Networks, Inc.

threshold, it is regarded as an exception; if three exceptions occur in one request, the

request is determined as a Slowloris attack.

If the request is determined as a Slowloris attack, the system will block the request. If
the dynamically distributing automatic IP blacklist function is enabled, the system
will send the client’s source IP address to the automatic IP blacklist. As long as it is
blacklisted, requests from the client will be blocked.

 Configuration Example via CLI

Configure the HTTP Slowloris defense rule for the HTTP/HTTPS-type application
DDoS profile by executing the “ddos profile service rule http slowloris” command.

AN(config)#ddos profile service rule http slowloris manual_profile_http 10000 500 5000 10
30

Configure the HTTP Slow Post defense rule for the HTTP/HTTPS-type application
DDoS profile by executing the “ddos profile service rule http slowpost” command.

AN(config)#ddos profile service rule http slowpost manual_profile_http 10000 500 10000 10
30

6.3.3.3 Defense Against CC Attack

 Attack Description:

The Challenge Collapsar (CC) attack is sending a large number of GET or POST
requests to the Web service to obtain information. If the requested URL involves
database operations or consumes other system resources, the large number of requests
will exhaust the server resources and cause the server unable to respond to the normal
requests.

 Defense Principle:

Configure URL monitoring rules for the specified HTTP/HTTPS-type security service.
The system will detect the RPS of the monitored URL and the ratio of requests to all
requests in real time. If both of the monitoring data exceed the configured thresholds,
the system will initiate source authentication for the client accessing the URL. If the
client fails the source authentication, the system adds the client IP to the dynamic IP
blacklist.

 Configuration Example via CLI

1. Configure the HTTP URL Monitoring rule for the specified HTTP/HTTPS-type
application DDoS profile by executing the “ddos profile service rule http
urlmonitor” command.

AN(config)#ddos profile service rule http urlmonitor manual_profile_http 10000 30

2022 Array Networks, Inc.

2. Associate the HTTP/HTTPS DDoS profile with the specified HTTP/HTTPS-type

security service by executing the “ddos policy service” command.

AN(config)#ddos policy service srv1 manual_profile_http

3. Configure a URL monitor object for the specified HTTP/HTTPS-type security

service by executing the “http urlmonitor” command.

AN(config)#http urlmonitor srv1 1 "<regex>.js"

For more information about HTTP URL Monitoring, refer to the “6.5.3 HTTP URL
Monitoring” section.

6.3.4 SSL DDoS Defense

HTTPS DDoS profile supports SSL DDoS defense. Administrators can defend against
the SSL attack by configuring SSL DDoS defense rules for profiles.

The HTTPS DDoS profile also supports HTTP DDoS defense, which supports the
same HTTP DDoS defense rules as those supported by the HTTP DDoS profile. For
more information, refer to the “6.3.3 HTTP DDoS Defense” section.

6.3.4.1 Defense Against SSL Handshake Attack

 Attack Description:

The SSL handshake attack consumes the server’s SSL connection resources, causing
the server unable to respond to normal requests.

 Defense Principle:

If the SSL handshake time exceeds the configured threshold, the session is marked as
an abnormal session. If the number of abnormal sessions of a source IP exceeds the
threshold during the abnormal session check period, the system will block the request.
If the dynamically distributing automatic IP blacklist function is enabled, the system
will send the client’s source IP address to the automatic IP blacklist. As long as it is
blacklisted, requests from the client will be blocked.

 Configuration Example via CLI

Configure the defense rule of the SSL handshake attack for the HTTPS-type
application DDoS profile by executing the “ddos profile service rule ssl handshake”
command.

AN(config)#ddos profile service rule ssl handshake manual_profile_https 5000 5 30

6.3.4.2 Defense Against SSL Renegotiation Attack

 Attack Description:

2022 Array Networks, Inc.

The resource consumption of the client and the server is asymmetric when the SSL
handshake is performed, and the resource overhead on the server side is about 15
times of that on the client. The attacker exploits this (asymmetry) characteristic
through SSL renegotiation to consume server resources, causing the server unable to
respond to normal requests.

 Defense Principle:

When the check period is configured and the number of renegotiations exceeds the
configured threshold during the check period, the SSL session is determined as an
attack and the system will block the session. If the dynamically distributing automatic
IP blacklist function is enabled, the system will send the client’s source IP address to
the automatic IP blacklist.

 Configuration Example via CLI

Configure the defense rule of the SSL renegotiation attack for the HTTPS-type
application DDoS profile by executing the “ddos profile service rule ssl
renegotiation” command.

AN(config)#ddos profile service rule ssl renegotiation manual_profile_https 5 30 3 180

6.3.5 DNS DDoS Profile

6.3.5.1 Defense Against DNS Query Flood

 Attack Description:

The attacker sends a large number of DNS queries to the target server, causing the
server to exhaust the resources and unable to respond to normal DNS queries.

 Defense Principle:

When the query PPS of DNS-type security service reaches the configured PPS alarm
threshold, the source authentication is enabled for the DNS query.

The system supports three source authentication methods:

 “passive”: the first packet is discarded. If the client resends the DNS query in a
certain period of time, it will pass the source authentication; otherwise, the source
authentication fails.

 “basic”: the client should resend the DNS query through TCP and the system
performs client source authentication based on TCP.

 “redirect”: the client should resend the CNAME qurey. If the client sends the
CNAME query, it will pass the source authentication; otherwise, it fails to pass
the source authentication.

2022 Array Networks, Inc.

The administrator can set the mode of source authentication as required. The default
value is “passive”.

If the client passes the source authentication, the system will bypass client’s DNS
query packet. If the dynamically distributing automatic IP whitelist function is
enabled, the system will send client’s source IP address to the automatic IP whitelist.

If the client fails to pass the source authentication, the system will block the client’s
DNS query. If the dynamically distributing automatic IP blacklist function is enabled,
the system will send client’s source IP address to the automatic IP blacklist.

 Configuration Example via CLI

1. Configure the defense rule of DNS Query Flood attack for the DNS-type
application DDoS profile by executing the “ddos profile service rule dns
queryflood” command.

AN(config)#ddos profile service rule dns queryflood dns_pf1 100000

2. Configure the source authentication method for the DNS-type application DDoS
profile by executing the “ddos profile service rule dns verify” command.

AN(config)#ddos profile service rule dns verify dns_pf1 basic

6.3.5.2 Defense Against DNS Respond Flood

 Attack Description:

The attacker sends a large number of DNS response packets to the target server,
causing the server to be overloaded and resources to be exhausted.

 Defense Principle:

When the response PPS of the DNS-type security service reaches the configured PPS
alarm threshold, the system performs a session check.

 Configuration Example via CLI

Configure the defense rule of DNS Reply Flood attack for the DNS-type application
DDoS profile by executing the “ddos profile service rule dns replyflood” command.

AN(config)#ddos profile service rule dns replyflood dns_pf1 100000

6.3.5.3 Defense Against DNS NXDomain Flood

 Attack Description:

The attacker selects a primary domain name and then sends a large number of
non-existing subdomains to the attacked DNS server, causing the server to crash.

 Defense Principle:

2022 Array Networks, Inc.

When the NXDomain query message PPS of the DNS-type security service reaches
the configured PPS alarm threshold and the NXDomain message ratio exceeds the
threshold, the system enables source authentication for the DNS Nxdomain query
message.

If the client passes the source authentication, the system will bypass the DNS
NXDomain query of the client. If the dynamically distributing automatic IP whitelist
function is enabled, the system will send client’s source IP address to the automatic IP
whitelist.

If the client fails to pass the source authentication, the system will block the DNS
NXDomain query of the client. If the dynamically distributing automatic IP blacklist
function is enabled, the system will send client’s source IP address to the automatic IP
blacklist.

 Configuration Example via CLI

1. Configure the defense rule of DNS NXDomain Flood attack for the DNS-type
application DDoS profile by executing the “ddos profile service rule dns
nxdomain” command.

AN(config)#ddos profile service rule dns nxdomain dns_pf1 100000 60

2. Configure the source authentication method for the DNS-type application DDoS
profile by executing the “ddos profile service rule dns verify” command.

AN(config)#ddos profile service rule dns verify dns_pf1 basic

6.3.5.4 Defense Against DNS Cache Poisoning Attack

 Attack Description:

The attacker selects a primary domain name and then sends a non-existing subdomain
to the attacked DNS cache server. The DNS cache server sends a query request to the
authorization server. Before receiving the response message from the authorization
server, the attacker forges a large number of DNS response messages and sends them
to the cache server to hit the correct response message. After the hit, the attacker’s
forged response message contains the fake resolution address of the primary domain
name, and the poisoning is successful.

 Defense Principle:

Session Check.

 Configuration Example via CLI

Enable the function of DNS cache poisoning attack defense for the DNS-type
application DDoS profile by executing the “ddos profile service rule dns
cachepoison” command. By default, this function is disabled.

2022 Array Networks, Inc.

AN(config)#ddos profile service rule dns cachepoison on dns_pf1

6.3.5.5 Defense Against DNS Cache Snooping Attack

 Attack Description:

DNS cache snooping is an attack that the attacker determines whether a specified
resource record exists in the cache of a DNS server. During the attack, the DNS server
receives DNS queries without the recursive flag and the attacker can determine which
sites have been visited recently by users using the DNS cache server.

 Defense Principle:

The system rejects non-recurive DNS queries.

 Configuration Example via CLI

Enable DNS cache snooping defense for the DNS-type application DDoS profile by
executing the “ddos profile service rule dns cachesnoop” command. By default, this
function is disabled.

AN(config)#ddos profile service rule dns cachesnoop on dns_pf1

6.3.5.6 Defense Against DNS Domain Hijacking Attack

 Attack Description:

DNS domain hijacking attack is a type of attack that redirects users to malicous sites
by modifying the replies to DNS queries.

 Defense Principle:

Session check. The system will check whether the Query ID and domain name of the
DNS reply match those of the DNS query.

 Configuration Example via CLI

Enable DNS domain hijacking defense for the DNS DDoS profile by executing the
“ddos profile service rule dns domainhijack” command. By default, this function is
disabled.

AN(config)#ddos profile service rule dns domainhijack on dns_pf1

6.3.5.7 DNS Packet Length Check Rule

This rule checks the length of the DNS query and response packets and discards
packets whose length exceeds the threshold.

1. Configure the DNS query packet length check rule for the specified DNS-type
application DDoS profile by executing the “ddos profile service rule dns
lengthcheck” command.

2022 Array Networks, Inc.

AN(config)#ddos profile service rule dns lengthcheck dns_pf1 query 512

2. Configure the DNS respond packet length check rule for the specified DNS-type
application DDoS profile by executing the “ddos profile service rule dns
lengthcheck” command.

AN(config)#ddos profile service rule dns lengthcheck dns_pf1 reply 512

6.3.5.8 DNS TTL Check Rule

This rule checks the IP TTL of DNS query and response packets, and discard packets
whose TTL exceeds the configured threshold.

1. Configure the DNS query packet TTL check rule for the DNS-type application
DDoS profile by executing the “ddos profile service rule dns ttlcheck”
command.

AN(config)#ddos profile service rule dns ttlcheck dns_pf1 query 64 128

2. Configure the DNS response packet TTL check rule for the DNS-type application
DDoS profile by executing the “ddos profile service rule dns ttlcheck”
command.

AN(config)#ddos profile service rule dns ttlcheck dns_pf1 reply 64 128

6.4 HTTP Profile

The HTTP profile provides a series of protection mechanisms specific to the HTTP
protocol for HTTP-type and HTTPS-type security services, such as HTTP filter and
brute force defense. The HTTP profile will take effect only when being applied to a
security service. One HTTP profile can be applied to multiple security services, but
one security service can have only one applied HTTP profile.

6.4.1 General Settings of HTTP Profile

The maximum number of HTTP profiles that the system supports varies with system
memories. For details, refer to Appendix II System Specifications in the ASF CLI
Handbook.

 Configuration Example via CLI

1. Execute the “http profile name” command to create an HTTP profile.

AN(config)#http profile name hp1

2. Execute the “http policy default” command to apply the HTTP profile to a
specified security service.

2022 Array Networks, Inc.

AN(config)#http profile policy default s1 hp1

3. Execute the “show http profile summary” command to view the security service
and configuration summary of the HTTP profile.

AN(config)#show http profile summary

---------------------------------
http profile name "hp1"
service : "ss1" "s1"
insert :
response.cookie.httponly : off
response.cookie.secure : on
response.header :-
request.xforwardedfor : on
Mode:"header"
Customized Name:"X-Forwarded-For"
Ipport:"ipport"
Chain:"chain"
request.header :
"afa" "af"
remove :
response.header : off
response.header.name :
"Server"
"X-AspNetMvc-Version"
"X-AspNet-Version"
"X-Powered-By"
mask :
header.via : on
filter : off
log : off
request.headerlength : 1024
request.cookielength : 1024
request.cookienumber :-
request.urllength :-
request.version : 0.9:2.0
request.urlquerynumber :-
request.method :-
request.mimetype :-
request.urlkeyword :-
response.headerlength : 1024
response.cookielength : 1024
response.errcode :

2022 Array Networks, Inc.

402 403 405 406 408 409 410 411 412 413
414 415 416 500 501 502 504 505 506 507
508 509 510 511
bruteforce : off
log : off
cookietamper: -
rewrite :-
redirect :
https : off
upload : off
log : off
download : off
log : off
pattern : off
name :-
action : log
log : off

6.4.2 HTTP Filter

The HTTP profile supports the HTTP filter function, which can be used for HTTP
protocol compliance check to prevent system cache overflow. After this function is
enabled, if the client request or server response matches any HTTP filter rule applied
to the security service, the device will return the 403 error page to the client. If the
administrator customizes the error page for the 403 error code, the system will return
the customized error page. By default, this function is disabled.

Currently, the system supports the following types of HTTP filter rules:

 HTTP request filter rules

– Request method filter rule

– HTTP version filter rule

– Request header length filter rule

– Request cookie length filter rule

– Request cookie count filter rule

– Request URL keyword filter rule

– Request URL length filter rule

– Request URL query parameter count filter rule

– Request file MIME type filter rule

2022 Array Networks, Inc.

 HTTP response filter rules

– Response error code filter rule

– Response header length filter rule

– Response cookie length filter rule

6.4.2.1 General Configurations

 Configuration Example via CLI

1. Execute the “http profile filter on” command to enable the HTTP filter function
for the specified HTTP profile.

AN(config)#http profile filter on hp1

2. Execute the “http profile log filter on” command to enable the HTTP violation
logging function for the HTTP filter function of the specified HTTP profile.

AN(config)#http profile filter log on hp1

3. Execute the “show http profile filter request all” command to view the
configurations of the HTTP request filter rules of the specified HTTP profile.

AN(config)#show http profile filter request all "hp1"

http profile filter request method hp1 deny DELETE
http profile filter request headerlength hp1 deny 1024
http profile filter request cookielength hp1 deny 1024
http profile filter request urlkeyword hp1 deny 1 "<regex>.js"
http profile filter request mimetype hp1 deny .js
http profile filter request mimetype hp1 deny .abcde

4. Execute the “show http profile filter request all” command view the
configurations of the HTTP response filter rules of the specified HTTP profile .

AN(config)#show http profile filter response all "hp1"

http profile filter response headerlength hp1 deny 1024
http profile filter response cookielength hp1 deny 1024
http profile filter response errcode hp1 deny 402
http profile filter response errcode hp1 deny 403
http profile filter response errcode hp1 deny 405
http profile filter response errcode hp1 deny 406
http profile filter response errcode hp1 deny 408
http profile filter response errcode hp1 deny 409
http profile filter response errcode hp1 deny 410
http profile filter response errcode hp1 deny 411
http profile filter response errcode hp1 deny 412

2022 Array Networks, Inc.

http profile filter response errcode hp1 deny 413

http profile filter response errcode hp1 deny 414
http profile filter response errcode hp1 deny 415
http profile filter response errcode hp1 deny 416
http profile filter response errcode hp1 deny 500
http profile filter response errcode hp1 deny 501
http profile filter response errcode hp1 deny 502
http profile filter response errcode hp1 deny 504
http profile filter response errcode hp1 deny 505
http profile filter response errcode hp1 deny 506
http profile filter response errcode hp1 deny 507
http profile filter response errcode hp1 deny 508
http profile filter response errcode hp1 deny 509
http profile filter response errcode hp1 deny 510
http profile filter response errcode hp1 deny 511

6.4.2.2 HTTP Request Method Filter Rule

The HTTP profile supports the request method filter rule. If the client request method
matches the restricted request method in the filter rule, the system will deny the client
request and return the 403 error page.

 Configuration Example via CLI

Execute the “http profile filter request method” command to configure the request
filter rule for the specified HTTP profile .

AN(config)#http profile filter request method hp1 deny DELETE

6.4.2.3 HTTP Version Filter Rule

The HTTP profile supports the HTTP version filter rule to prevent the clients from
accessing the services using prohibited HTTP versions. The ASF appliance will reject
the client access and return a 403 error page if the client request’s HTTP version hits
an HTTP version filter rule.

 CLI Configuration Example

To configure an HTTP version filter rule for a specified HTTP profile, execute the
“http profile filter request version” command.

AN(config)#http profile filter request version p1 deny "0.9:2.0"

6.4.2.4 HTTP Request Header Length Filter Rule

The HTTP profile supports the HTTP request header (not Cookie header) length filter
rule. If the request header length is greater than the maximum header length set in this
rule, the system will reject the client request and return the 403 error page.

2022 Array Networks, Inc.

 Configuration Example via CLI

Execute the “http profile filter request headerlength” command to configure the
HTTP request header length filter rule for the specified HTTP profile.

AN(config)#http profile filter request headerlength hp1 deny 1024

6.4.2.5 HTTP Request Cookie Length Filter Rule

The HTTP profile supports the request Cookie length filter rule. If the request Cookie
length is greater than the maximum Cookie length set in this rule, the system will
reject the client request and return the 403 error page.

 Configuration Example via CLI

Execute the “http profile filter request cookielength” command to configure the
request Cookie length filter rule for the specified HTTP profile.

AN(config)#http profile filter request cookielength hp1 deny 1024

6.4.2.6 HTTP Request Cookie Count Filter Rule

The HTTP profile supports the HTTP request cookie count filter rule. If the request
Cookie count is greater than the maximum Cookie length set in this rule, the system
will reject the client request and return the 403 error page.

 Configuration Example via CLI

Execute the “http profile filter request cookienumber” command to configure the
HTTP request Cookie count filter rule for the specified HTTP profile.

AN(config)#http profile filter request cookienumber hp1 deny 5

6.4.2.7 HTTP Request URL Keyword Filter Rule

The HTTP profile supports the URL keyword filter rule. If the request URL in the
client request matches the rule, the system will reject the client request and return the
403 error page. A maximum of 100 URL keyword filter rules can be configured for
every HTTP profile.

The filter keyword supports both quick and full regular expressions. When the value
is set to a regular expression, it must be enclosed by double quotes. The string of the
full regular expression must begin with “<regex>” to differentiate from the quick
regular expression. To ensure the correctness of the configured regular expression, the
administrator can use the “regextest <regex> <target_string>” command to test
whether a target string can match the configured regular expression.

 Configuration Example via CLI

Execute the “http profile filter request urlkeyword” command to configure the
HTTP request URL keyword filter rule for the specified HTTP profile.

2022 Array Networks, Inc.

AN(config)#http profile filter request cookietamper hp1 deny "cookie1" hijack

6.4.2.8 HTTP Request URL Length Filter Rule

The HTTP profile supports the request URL length filter rule. If the length of request
URL in the client request exceeds the maximum length specified by the rule, the
system will reject the client request and return the 403 error page.

 Configuration Example via CLI

Execute the “http profile filter request urllength” command to configure the request
URL length filter rule for the specified HTTP profile.

AN(config)#http profile filter request urlkeyword hp1 deny 1 "<regex>.js"

6.4.2.9 HTTP Request URL Query Parameter Count Filter Rule

The HTTP profile supports the request URL query parameter count filter rule. If the
URL query parameter count in the request is greater than the maximum URL query
parameter count set in this rule, the system will reject the client request and return the
403 error page.

 Configuration Example via CLI

Execute the “http profile filter request urlquerynumber” command to configure

request URL query parameter count filter rule for the specified HTTP profile.

AN(config)#http profile filter request urllength hp1 deny 2048

6.4.2.10 HTTP Request File MIME Type Filter Rule

The HTTP profile supports the MIME (Multipurpose Internet Mail Extensions) type
filter rule. If the suffix of the Web resource file in the request URL matches the rule,
the system will reject the client request and return the 403 error page.

6.4.2.10.1 System Predefined MIMEs

Execute the “show http mimetype predefine” command to view the predefined
MIME types.

AN(config)#show http mimetype predefine

INDEX SUFFIX DESCRIPTION
0 .323 text/h323
1 .3gp video/3gpp
2 .aab application/x-authoware-bin
3 .aam application/x-authoware-map
4 .aas application/x-authoware-seg
5 .acx application/internet-property-stream
6 .ai application/postscript

2022 Array Networks, Inc.

7 .aif audio/x-aiff
8 .aifc audio/x-aiff
9 .aiff audio/x-aiff
10 .als audio/X-Alpha5
11 .amc application/x-mpeg
12 .ani application/octet-stream
13 .apk application/vnd.android.package-archive
14 .asc text/plain
15 .asd application/astound
16 .asf video/x-ms-asf
17 .asn application/astound
…
482 .json application/json

6.4.2.10.2 User-Defined MIMEs

Execute the “http mimetype customize” command to create a user-defined MIME

type.

AN(config)#http mimetype customize .abcde selftype

AN(config)#show http mimetype customize
http mimetype customize ".abcde" "selftype"

6.4.2.10.3 Configuration Example

The administrator can configure filter rules for the system predefined and
user-defined MIME types.

 Configuration Example via CLI

Execute the “http profile filter request mimetype” command to configure the
request file MIME type filter rule.

AN(config)#http profile filter request mimetype hp1 deny ".js"

AN(config)#http profile filter request mimetype hp1 deny ".abcde"

6.4.2.11 HTTP Response Error Code Filter Rule

The HTTP profile supports the response error code filter rule. If the error code
returned by the server matches any error code disallowed by the rule, the system will
reject the client request and return the 403 error page. By default, the system disallow
the server to return the following error codes: 402, 403, 405, 406, 408, 409, 410, 411,
412, 413, 414, 415, 416, 500, 501, 502, 504, 505, 506, 507, 508, 509, 510 and 511.

 Configuration Example via CLI

Execute the “http profile filter response errcode” command to configure the
response error code filter rule for the specified HTTP profile.

2022 Array Networks, Inc.

AN(config)#http profile filter response errcode hp1 deny 520

6.4.2.12 HTTP Response Header Length Filter Rule

The HTTP profile supports the response header (not Set-Cookie header) length filter
rule. If the length of the header in the response is greater than the maximum header
length set in this rule, the system will reject the client request and return the 403 error
page.

 Configuration Example via CLI

Execute the “http profile filter response headerlength” command to configure the
response header length filter rule for the specified HTTP profile.

AN(config)#http profile filter response headerlength hp1 deny 1024

6.4.2.13 HTTP Response Cookie Length Filter Rule

The HTTP profile supports the response Cookie (Set-Cookie header) length filter rule.
If the length of the Set-Cookie header returned by the server is greater than the
maximum Cookie length set in this rule, the system will reject the client request and
return the 403 error page.

 Configuration Example via CLI

Execute the “http profile filter response cookielength” command to configure the
response Cookie length filter rule for the specified HTTP profile.

AN(config)#http profile filter response cookielength hp1 deny 1024

6.4.3 Brute Force Defense

Brute force is a type of attack that the attacker tries all possible login credentials until
finding the correct one. By employing brute force attacks, attackers can gain the
access privileges of the site, and thus steal digital assets, maliciously jeopardize the
site, and distribute malicious malware. Even if a brute force does not succeed, it will
consume the server resources and bandwidth, which degrades the site’s performance
or even causes the site to fail to provide external services.

The brute force defense function is a security mechanism provided by the HTTP
profile and can effectively protect customers’ sites from brute force attacks. Every
HTTP profile can provide brute force defense for a maximum of five login pages. The
brute force defense function supports the source IP login verification rule and the
global login rate limit rule. If the number of the times that a client fails to log in a
specified login page within a check period exceeds the threshold set in the source IP
verification rule, the system will block the client from login for a period of time. If the
number of login attempts on a specified login page in one minute exceeds the

2022 Array Networks, Inc.

threshold set in the global login rate limit rule, the system will deny subsequent login
attempt requests.

Note: If both the source IP login verification rule and the global login rate limit rule are
configured for the same login page, the source IP login verification rule has a higher
priority.

The administrator can customize multiple login success signs and login failure signs
for every login page. The system supports using HTTP response status code, response
header and response cookie name as the login success signs and using HTTP response
status code and response header as the login failure signs. If a login request does not
match all login success signs or matches any login failure sign, the system determines
this login as failure.

 Configuration Example via CLI

1. Execute the “http profile bruteforce on” command to enable the brute force
defense function of the specified HTTP profile.

AN(config)#http profile bruteforce on hp1

2. Execute the “http profile bruteforce loginurl” command to configure a

protected login page for the brute force defense function of the specified HTTP
profile.

AN(config)#http profile bruteforce loginurl "hp1" 1 "/dvwa/login.php"

3. Execute the “http profile bruteforce success” and “http profile bruteforce
failure” commands to configure login success signs and login failure signs for a
specific login page of the specific HTTP profile. For example, response status
code 200 is set as a login success sign and 403 as a login failure sign.

AN(config)#http profile bruteforce success statuscode "hp1" 1 200

AN(config)#http profile bruteforce failure statuscode "hp1" 1 403

4. Execute the “http profile bruteforce verifyip” command to configure a source

IP login verification rule for a specific login page of the specified HTTP profile.

AN(config)#http profile bruteforce verifyip "hp1" 1 10 1 block 5

5. Execute the “http profile bruteforce ratelimit global” command to configure a

global login rate limit rule for a specific login page of the specified HTTP profile.

AN(config)#http profile bruteforce ratelimit global "hp1" 1 100 deny

6. Execute the “http profile bruteforce log on” command to enable the HTTP
violation logging function for the HTTP bruteforce defense function of the
specified HTTP profile.

2022 Array Networks, Inc.

AN(config)#http profile bruteforce log on hp1 detail

6.4.4 HTTP Pattern Validation

The system supports HTTP pattern validation function.

A user's API site is often developed based on a specific OpenAPI specification, such
as Swagger. The Swagger (OpenAPI) specifictation file defines the request and
privilege control for site API access. The system supports importing the Swagger
specification of the API site as an HTTP pattern. The system validates client requests
against the HTTP pattern, thus realizing fine-grained access control of API and
improving the security of the API site.

When receiving API HTTP requests, the system matches the requests with the
Swagger (OpenAPI) specifications of the HTTP pattern. Only the requests matched
with the HTTP pattern can pass through the appliance; otherwise they will be
regarded as violations.

 CLI Configuration Example

1. Executed the “http pattern name” command to define an HTTP pattern.

AN(config)#http pattern name pattern1

2. Execute the “http pattern import” command to import an Swagger standard file
as the content of the HTTP pattern.

AN(config)#http pattern import pattern1 "ftp://10.3.109.1/test.json"

3. Execute the “http profile pattern apply” command to associate the HTTP
pattern with an HTTP profile.

AN(config)#http profile pattern apply profile1 pattern1

4. Execute the “http profile pattern action” command to configure the action that
the system will take when the client request fails the HTTP pattern validation.

AN(config)#http profile pattern action profile1 deny

5. Execute the “http profile pattern on” command to enable the HTTP pattern
validation function.

AN(config)#http profile pattern on

6. Execute the “http profile pattern log on” command to enable HTTP violation
logging.

AN(config)#http profile pattern log on profile1 summary

2022 Array Networks, Inc.

6.4.5 HTTP File Control

The system supports configuring file upload control function for the HTTP profile,
which limits the type and size of the file allowed to be uploaded. With this function
enabled, the system matches the file to be uploaded with the file upload allowing rule
(configured using the “http profile upload allow” command). If the type of the file to
be uploaded matches the file type specified by the rule, but the size exceeds the
threshold, the system will take the corresponding action. If the file to be uploaded
does not matches any rule, the system will refuse the file uploading.

The system supports configuring file download control function for the HTTP profile,
which controls the type and size of the file allowed to be downloaded. With this
function enabled, the system matches the file to be downloaded with the file
download forbidding rule (configured via the “http profile download forbid”
command). If the type of the file to be downloaded matches the type of the file
download forbidding rule, but the size exceeds the threshold, the system will takc the
corresponding action. If the file to be downloaded does not match any rule, the system
will allow the user to download the file.

 Configuration Example via CLI

Configure the file upload control function.

AN(config)#http profile upload allow profile1 deny ".asp" 400

AN(config)#http profile upload log on profile1 summary
AN(config)#http profile upload on profile1

Configure the file download control function.

AN(config)#http profile download forbid profile1 deny "text/html" 300

AN(config)#http profile download log on profile1 summary
AN(config)#http profile download on profile1

6.4.6 Cookie Tampering Defense

The HTTP profile supports the HTTP request cookie tampering defense rule to defend
against cookie tampering and session hijacking attacks. When the cookie name carried
in a server response is the same as that specified by any rule, the ASF appliance will
add a cookie signature to its cookie value. If a client request carrying this cookie
accesses the security service again, the ASF appliance will perform cookie tampering
defense checks for the cookie. If the cookie value has not been tampered, the ASF
appliance will allow the client to access the resources. Otherwise, the ASF appliance
will deny the client request and return the 403 error page.

 Configuration Example via CLI

2022 Array Networks, Inc.

Execute the “http profile cookietamper” command to configure the HTTP request
cookie tampering defense rule for a specified HTTP profile.

AN(config)#http profile cookietamper hp1 deny "cookie1" hijack

6.4.7 Redirecting HTTP Requests to HTTPS

The system supports redirecting HTTP requests to HTTPS for the HTTP profile.
Upon receiving an HTTP request, the appliance will reply with an HTTP redirect
response in which the Protocol value of the Location header is changed to “HTTPS”.

This function can solve the protocol compatibility issue that will occur when the
system receives client requests after an HTTP-type real service is upgraded to an
HTTPS-type real service.

 Configuration Example via CLI

Execute the “http profile redirect https” command to to enable the function of
redirecting HTTP requests to HTTPS for the specified HTTP profile.

AN(config)#http profile redirect https on "httpsecure"

6.4.8 HTTP Cookie Security Hardening

6.4.8.1 Inserting Httponly Attribute to HTTP Response Cookie

The HTTP profile supports the function of inserting the httponly attribute to the
HTTP response cookie. After this function is enabled, if the HTTP response cookie
does not contain the httponly attribute, the appliance will insert the httponly attribute
to the response cookie. By default, this function is disabled.

 Configuration Example via CLI

Execute the “http profile insert response cookie httponlyattr on” command to
enable the function of inserting the httponly attribute to the HTTP response cookie for
a specified HTTP profile.

AN(config)#http profile insert response cookie httponlyattr on "hp1"

6.4.8.2 Inserting Secure Attribute to HTTP Response Cookie

The HTTP profile supports the function of inserting the secure attribute to the HTTP
response cookie. With this function enabled, if the HTTP response cookie does not
contain the secure attribute, the appliance will insert the secure attribute to the
response cookie. By default, this function is enabled.

This function takes effect only when the HTTP profile is applied to an HTTP-type
security service.

2022 Array Networks, Inc.

 Configuration Example via CLI

Execute the “http profile insert response cookie secureattr on” command to enable
the function of inserting the secure attribute to the HTTP response cookie for a
specified HTTP profile.

AN(config)#http profile insert response cookie secureattr on "hp1"

6.4.9 HTTP Via Header Masking

The HTTP profiles support the HTTP via header masking function. After this function
is enabled, the system clears the via header in the response returned to the client,
preventing the client from obtaining proxies through which the responses pass. This
function is enabled by default.

 Configuration Example via CLI

Execute the “http filter mask via on” command to enable the HTTP via header
masking function for a specified HTTP profile.

AN(config)#http filter mask via on "hp1"

6.4.10 Header String Insert for HTTP Request/Response

The system supports adding a header string to be inserted into an HTTP

request/response for the specified HTTP profile. After the HTTP profile is applied to
a specific security service, the system will insert the configured header string into the
HTTP request that hits the security service. The system supports adding a maximum
of 10 header strings to be inserted into HTTP requests for an HTTP profile.

 CLI Configuration Example

The following is an example of inserting a header string into an HTTP request.

1. Add header strings to be inserted into HTTP requests for the specified HTTP
profile using the “http profile insert request header” command.

AN(config)#http profile insert request header "httpsecure" "diyheader" "123456"

AN(config)#http profile insert request header "httpsecure" "diyheader02" "abcdef"

2. Display all the header strings to be inserted into HTTP requests for the specified
HTTP profile using the “show http profile insert request header” command.

AN(config)#show http profile insert request header " httpsecure"

http profile insert request header httpsecure diyheader02 abcdef
http profile insert request header httpsecure diyheader 123456

2022 Array Networks, Inc.

6.4.11 HTTP Response Header Removal

The HTTP profile supports removing the response header which includes the backend
server information to avoid the disclosure of security information. By default, the
system will remove response headers Server, X-Powered-By, X-AspNet-Version and
X-AspNetMvc-Version.

 Configuration Example via CLI

Execute the “http profile remove response header on” command to enable the
HTTP response header removal function for a HTTP profile.

AN(config)#http profile remove response header on "hp1"

Execute the “http profile remove response header on” command to add the
response header to be removed for the specified HTTP profile.

AN(config)#http profile remove response header name hp1 Public

Execute the “show http profile remove response header config” command to view
the configurations of the HTTP response header removal function for the specified
HTTP profile.

AN(config)#show http profile remove response header config "hp1"

http profile remove response header off "hp1"
http profile remove response header name "hp1" "Server"
http profile remove response header name "hp1" "X-AspNetMvc-Version"
http profile remove response header name "hp1" "X-AspNet-Version"
http profile remove response header name "hp1" "X-Powered-By"

6.4.12 HTTP Response Rewrite

The system supports adding an HTTP response rewrite rule for the specified HTTP
profile. The HTTP response rewrite rule is used to rewrite the Location header
protocol and port value in the HTTP response returned by the real service. The
administrator can rewrite HTTP response protocol as “https” or “http” and specify a
new port value.

This function can solve the problem that the redirection URL returned by the real
service to an HTTPS-type virtual service is an HTTP-type URL.

 CLI Configuration Example

The following is an example of rewriting the HTTP response protocol to “https”.

1. Add an HTTP response rewrite rule for the specified HTTP profile using the
“http profile rewrite response header location” command.

2022 Array Networks, Inc.

AN(config)#http profile rewrite response header location "httpsecure" https 0

2. View the HTTP response rewrite rule for the specified HTTP profile using the
“show http profile rewrite response header location” command.

AN(config)#show http profile rewrite response header location

http profile rewrite response header location httpsecure https

6.4.13 HTTP Header X-Forwarded-For Field Insertion

The system supports the function of inserting the client IP address into HTTP requests
for the specified HTTP profile. After this function is enabled for an HTTP profile that
is applied to a security service, client IP addresses that hit the security service will be
forwarded to real services associated with the security service. By default, this
function is disabled.

 CLI Configuration Example

The following uses the HTTP header to forward the client IP address as an example.

1. Use the “http profile insert request xforwardedfor on” command to enable the
function of inserting the client IP address into HTTP requests for the specified
HTTP profile.

AN(config)#http profile insert request header h1 header "X-Forwarded-For" ipport chain

2. Use the “show http profile insert request xforwardedfor” command to display
the configuration of this function.

AN(config)# show http profile insert request xforwardedfor "h1"

http profile insert request xforwardedfor on "h1" header "X-Forwarded-For" ipport chain

6.5 Advanced HTTP Defense Options

6.5.1 HTTP Access Logging

The HTTP-type and HTTPS-type security services support the HTTP access logging
function. After this function is enabled, the system records client access logs for the
security service. By default, this function is disabled.

 Configuration Example via CLI

Execute the “http accesslog on” command to enable the HTTP access logging
function for a HTTP-type or HTTPS-type security service.

AN(config)#http accesslog on "srv1"

2022 Array Networks, Inc.

6.5.2 Allowed Hostname

The system supports configuring the hostnames that are allowed to access for the
HTTP-type or HTTPS-type security service.

When any allowed hostname is configured for a security service, the system allows
users to access only allowed hostnames. When no allowed hostname is configured for
a security service, the system allows users to access all hostnames of the security
service.

 Configuration Example via CLI

Execute the “http host allow” command to configure an allowed hostname for an
HTTP-type or HTTPS-type security service

AN(config)#http host allow s1 example.com

Execute the “no http host allow” command to delete an allowed hostname configured
for an HTTP-type or HTTPS-type security service

AN(config)#no http host allow s1 example.com

6.5.3 HTTP URL Monitoring

The administrator should configure a URL monitor object for a specified HTTP-type
or HTTPS-type security service. A maximum of 100 URL monitor objects can be
configured for a security service. The URL monitor object supports both quick and
full regular expressions. When the value is set to a regular expression, it must be
enclosed by double quotes. The string of the full regular expression must begin with
“<regex>” to differentiate from the quick regular expression. When the value is not
using regular expression, it must begin with “/”. To ensure the correctness of the
configured regular expression, the administrator can use the “regextest <regex>
<target_string>” command to test whether a target string can match the configured
regular expression. It can defend the secutiy services against CC attacks against by
using together with the “ddos profile service rule http urlmonitor” command.

 Configuration Example via CLI

1. Execute the “http urlmonitor” command to add a URL monitor object for a
HTTP-type or HTTPS-type security service.

AN(config)#http urlmonitor srv1 1 "<regex>.js"

2. Execute the “ddos profile service rule http urlmonitor” command to configure
a URL monitoring rule for a HTTP-type or HTTPS-type security service.

AN(config)#ddos profile service rule http urlmonitor srv1 10000 30

2022 Array Networks, Inc.

When the RPS of the URL monitor object exceeds the set threshold 10000, and the
access rate of this URL monitor object in all URL monitor objects exceeds the set
threshold 30%, it triggers the system to perform source authentication against the
client that accesses this URL. The source IP addresses of the clients who failed to pass
authentication will be distributed to the system dynamic blacklist.

3. Execute the “show http urlmonitor rule” and “show http urlmonitor status”
commands to display all the URL monitor objects and the running status of the
URL monitoring function of a security service.

AN(config)#show http urlmonitor rule

http urlmonitor srv1 1 "<regex>.js"

AN(config)#show http urlmonitor status

--------------------------------------------------------------------------------------------------------
#security service name “srv1” http
alert rps: 100/s ratio: 30%
0/s 0% 1 <regex>.js

6.5.4 HTTP URL Detection

The HTTP-type or HTTPS-type security service support URL detection function,

allowing the system to resolve the request URL received by the security service and
collect RPS statistics in real time. The RPS statistics recorded by the URL detection
function can be used by the URL monitoring function.

 Configuration Example via CLI

1. Execute the “http urldetect start [service_name] [duration_time]” command to

start a URL detection task and configure the duration time of the URL detection
task for a HTTP-type or HTTPS-type security service. The system saves the
automatic learning result to the database every 5 minutes during the learning
process.

AN(config)#http urldetect start "srv1" 168

2. Execute the “show http urldetect summary [service_name]” command to view

the summary of the URL detection task.

AN(config)#show http urldetect summary srv1

---------------------------------
Service: srv1(http)
Status : start
Duration : 10079(min)
url count :0

2022 Array Networks, Inc.

3. Execute the “show http urldetect running” command to view the real-time
detection result of the URL detection of the specified HTTP-type or HTTPS-type
security service.

AN(config)#show http urldetect running "srv1"

service: srv1(http)
url count: 1
[10/s]: /index.html

4. Execute the “show http urldetect savefile” command to view the URL detection
result of the latest week saved for the specified HTTP-type or HTTPS-type
security service.

6.5.5 HTTP Error Page Customization

The system provides the error page customization function. This function allows the
administrator to customize the error page returned by the system and the backend
server. Both HTTP-type and HTTPS-type security service support this function.

To use this function, the administrator should import a customized error page and set
this page as the error page for the specific error code of the security service.

 Configuration Example via CLI

1. Executes the “http errpage import” command to import a customized error

page.

AN(config)#http errpage import ftp://10.8.3.28/403.html error_403

2. Executes the “http errpage apply” command to configure the customized error
page for the specified HTTP-type or HTTPS-type security service.

AN(config)#http errpage apply sr1 403 error_403

6.5.6 HTTP Real Source IP Detection

The system provides the HTTP real source IP detection function. After this function is
enabled, the system can retrieve the real source IP by resolving specific request
headers (configured using the “http realsource request” command), such as
X-Forwarded-For and X-Real-IP. When a proxy device is deployed upstream, the
administrator can use this function to improve the attack traceability and attack
blocking accuracy.

2022 Array Networks, Inc.

 Configuration Example via CLI

1. Executes the “http realsource request” command to configure the request

header that contains the real source IP address for the real source detection
function.

AN(config)#http realsource request X-Forwarded-For

AN(config)#http realsource request X-Real-IP

2. Executes the “http realsource on” command to enable the real source detection
function.

AN(config)# http realsource on

6.5.7 HTTP Compression Forbidding

The system supports the HTTP compression forbidding function. After this function is
enabled, if the Accept-Encoding header value of the client request contains any
compression value (such as compress and gzip), the system will change the header
value to a non-compression value (identity). For every HTTP/HTTPS-type security
service, this function is enabled by default.

Some defense rules, such as CSRF, DLP and content filter, require deep parsing of the
response body, and the response body must be uncompressed. Therefore, if the
security service needs to use these defense rules, you must enable this function for it.

 CLI Configuration Example

To enable the HTTP compression forbidding function for an HTTP/HTTPS-type

security service, execute the “http compression forbid on” command:

AN(config)#http compression forbid on s1

To disable the HTTP compression forbidding function for an HTTP/HTTPS-type

security service, execute the “http compression forbid off” command:

AN(config)#http compression forbid off s1

6.5.8 Client Certificate Information Forwarding

The system supports forwarding the complete client certificate or the client certificate
field to the backend server for a security service of the HTTPS protocol type to
implement the business logic, such as access control, auditing, credential binding or
user authentication. Before using this function, the administrator should enable the
client authentication function (using the “ssl settings clientauth” command) for the
SSL virtual host associated with the security service.

2022 Array Networks, Inc.

6.5.8.1 Forwarding Client Certificate to Backend Server

The system supports forwarding the client certificate to the backend server by
inserting the complete client certificate in ciphertext as the request header or cookie.
Besides, the system supports the following custom settings:

 Set the name of the inserted request header. The default value is “X-Client-Cert:”.

 Set the format of the inserted certificate, which can be a complete PEM-format
certificate or body of the PEM-format certificate (not including the begin line, the
end line or the seperator).

 Set the separator used to separate the PEM-format certificate. The default value is
“;”.

 CLI Configuration Example

1. Execute the “http xclientcert ciphertext” command to enable the function of

inserting the client certificate into HTTP requests for a security service of the
HTTPS protocol type.

AN(config)#http xclientcert ciphertext service1 header body

2. Execute the “http xclientcert header” command to configure a customized name

of the HTTP request header used to insert the client certificate.

AN(config)#http xclientcert header service1 X-Client-Cert

3. Execute the “http xclientcert pemsep” command to to set the separator used to
separate PEM certificates when inserting a PEM certificate in the HTTP request.

AN(config)#http xclientcert pemsep service1 ";"

6.5.8.2 Forwarding Client Certificate Field to Backend Server

The system supports forwarding the specific field or the custom Relative
Distinguished Name (RDN) of the client certificate to the backend server in plain text
in any of the following ways:

 Inserting the request header

 Inserting the request cookie

 Inserting the URL query string

 All the preceding three methods

The system supports forwarding the following standard certificate fields to the
backend server:

 Subject

2022 Array Networks, Inc.

 Issuer

 Validity

 Serial

 NotBefore

 NotAfter

 CommonName

 Publickey

The system also supports forwarding the content specified by the custom Relative
Distinguished Name to the backend server. The format of the Relative Distinguished
Name is “<scope>.<symbol or OID>” or “<OID expression>”.

The value of “scope” is shown in the following table:

Scope Description
The value of the symbol or specific OID will be searched in the client certificate’s
Subject
subject DN.
The value of the symbol or specific OID will be searched in the client certificate’s
Issuer
issuer DN.
The value of the symbol or specific OID will be searched in the client certificate’s
Ext
external field. The client certificate must be in the SSL v2.0 or SSL v3.0 version.
The value of the specific OID will be searched in the client certificate’s TBS (To
OID or <null>
Be Signed).

The value of “symbol” and the corresponding OID are shown in the following table:

Symbol OID Standard Name

C 2.5.4.6 Country Name
ST 2.5.4.8 State or Province Name
L 2.5.4.7 Locality Name
O 2.5.4.10 Organization Name
OU 2.5.4.11 Organizational Unit
CN 2.5.4.3 Common Name
serialNumber 2.5.4.5 Serial Number
dnQualifier 2.5.4.46 DN Qualifier
pseudonym 2.5.4.65 Pseudonym
title 2.5.4.12 Title
generationQualifer 2.5.4.44 Generation Qualifier
initials 2.5.4.43 Initials
name 2.5.4.41 Name
givenName 2.5.4.42 Given Name

2022 Array Networks, Inc.

Symbol OID Standard Name

surname 2.5.4.4 Surname
0.9.2342.19200300.100.1.
UID User ID
1
0.9.2342.19200300.100.1.
DC Domain Component
25
emailAddress 1.2.840.113549.1.9.1 Email Address
{OID expression} OID information, for example: 1.2.3.4

 CLI Configuration Example

1. Execute the “http xclientcert plaintext” command to insert a specific certificate

field into HTTP requests for a security service of the HTTPS protocol type.

AN(config)#http xclientcert plaintext cookie Subject.OU service1 OU positive

2. Execute the “http xclientcert rdnsep” command to set the RDN separator.

AN(config)#http xclientcert rdnsep service1 "," post

3. Execute the “http xclientcert dnencoding” command to specify the encoding

format for transferring the client certificate DN.

AN(config)#http xclientcert dnencoding service1 "UTF-8"

4. Execute the “http xclientcert oidname” command to configure a customized

name for the OID of the client certificate field.

AN(config)#http xclientcert oidname service1. "2.5.4.6" oid1

6.5.9 HTTP Request and Response Detection Tuning

6.5.9.1 Request Detection Tuning Settings

For the security service of the HTTP/HTTPS type, the system supports adjusting the
mode and the length threshold of the request body detection.

The security service supports the following two request body detection modes:

 “stream”: indicates that the system will not buffer request bodies, but directly
forward them to the server.

 “buffer”: indicates that the system will buffer request bodies and will forward
them to the server until complete request bodies are received.

The default request body detection mode of the security service of HTTP/HTTPS type
is “buffer”.

2022 Array Networks, Inc.

You can set the length threshold for the request body detection of the security service
of HTTP/HTTPS type. The default length threshold is 13,107,200 bytes.

 CLI Configuration Example

To set the request body detection mode for the security service of HTTP/HTTPS type,
execute the following command:

AN(config)#http request inspectmode service1 buffer

To set the length threshold for the request body detection of the security service of
HTTP/HTTPS type, execute the following command:

AN(config)#http request bodylimit service1 13107200

6.5.9.2 Response Detection Tuning Settings

For the security service of the HTTP/HTTPS type, the system supports adjusting the
mode, the length threshold and the MIME types of the response body detection.

The security service of HTTP/HTTPS type supports the following two response body
detection modes:

 “stream”: indicates that the system will not buffer response bodies, but directly
forward them to the client.

 “buffer”: indicates that the system will buffer response bodies and will forward
them to the client until complete response bodies are received.

The default response body detection mode of the security service of HTTP/HTTPS
type is “buffer”.

You can set the length threshold of the response body detection for the security
service of HTTP/HTTPS type. The default length threshold is 65,536 bytes.

You can set the MIME types supported by the response body detection for the
security service of HTTP/HTTPS type. The default MIME types supported are
“text/plain:text/html:text/xml:application/xml”.

 CLI Configuration Example

To set the response body detection mode for the security service of HTTP/HTTPS
type, execute the following command:

AN(config)#http response inspectmode service1 buffer

To set the length threshold of the response body detection for the security service of
HTTP/HTTPS type, execute the following command:

AN(config)#http response bodylimit service1 13107200

2022 Array Networks, Inc.

To set the MIME types supported by the response body detection for the security
service of HTTP/HTTPS type, execute the following command:

AN(config)#http response bodymimetype service1 "text/plain"

6.5.10 Connection Reuse

The system now supports enabling the connection reuse function for real services, that
is, reusing server connections for multiple transactions. After this function is enabled,
each server connection can deal with multiple transactions. This function takes effect
only after the connection persistence function is enabled (by the “http serverpersist
on” command). By default, this function is enabled.

The system now supports enabling the conneciton persistence function for real
services, that is, keeping persistent connections to the real service. After this function
is enabled, the appliance will insert the Keep-Alive header into HTTP requests before
forwarding them to the real service. Then the connections to the real service will
persist. By default, this function is enabled.

 CLI Configuration Example

To enable the connection reuse function for a real service, execute the following
command:

AN(config)#http serverconnreuse on rs 3000 500

To disable the connection reuse function for a real service, execute the following
command:

AN(config)#http serverconnreuse off rs

To enable the connection persistence function for a real service, execute the following
command:

AN(config)#http serverpersist on rs

To disable the connection persistence function for a real service, execute the
following command:

AN(config)#http serverpersist off rs

6.6 DNS Domain Security

The system supports the following security functions for DNS domain names:

 Domain query filter

 Domain query rate limiting

2022 Array Networks, Inc.

 Domain monitoring

6.6.1 DNS Domain Management

The DNS domain is the defense object of DNS Application Firewall (DAF). The
system allows the administrators to create DNS domain names or to import DNS
domain files, which contain a list of DNS domain names. A maximum of 1000 DNS
domain names can be created and a maximum of 10 DNS domain files can be
imported. Every DNS domain file can contain a maximum of 5000 domain names and
should not be greater than 10 MB.

Note: The created DNS domain names and the domain names in the DNS domain
files should not duplicate.

 Configuration Example via CLI

Create a DNS domain name.

AN(config)#dns domain name 1 www.xyz.com

Import a DNS domain file.

AN(config)#dns domain file import ftp://192.168.100.1/dnslist.txt dnsfile1

Export a DNS domain name.

AN(config)#dns domain file export dnsfile1 ftp://192.168.100.1/dnsfile1

Delete a DNS domain name.

AN(config)#no dns domain name 1

Delete an imported DNS domain file.

AN(config)#clear dns domain file dns dnsfile1

6.6.2 DNS Domain Query Filter

The system supports the DNS domain filter function, which controls the clients’ query
on domain names. With this function enabled, if the client DNS query matches a DNS
domain filter rule, the system will perform the action defined in the rule. If not
matching any DNS domain filter rule, the system will perform the default action. By
default, this function is disabled.

The administrators can configure the DNS domain filter rule for a specified DNS
domain name or DNS domain file. The priority of the DNS domain filter rule’s action
is higher than the default action.

2022 Array Networks, Inc.

In addition, the system supports violation logging for the DNS domain filter function.
With this function enabled, if a client DNS query violates the DNS domain filter
function, the system will record a domain filter violation log.

 Configuration Example via CLI

Create a DNS domain filter rule for a DNS domain name.

Configure a DNS domain rate limiting rule for the global.

AN(config)#acl dns domain global 10000

Delete a DNS domain rate limiting rule configured for a DNS domain name.

AN(config)#no acl dns domain name 1

Delete a DNS domain rate limiting rule configured for a DNS domain file.

AN(config)#no acl dns domain file dnsfile1

Delete the DNS domain rate limiting rule configured for the global.

AN(config)#no acl dns domain global

Enable the DNS domain rate limiting function.

AN(config)#acl dns domain on

6.6.4 DNS Domain Monitoring

The system supports the DNS domain monitoring function, which monitors the status
of key domain names. The system will record the domain monitoring results to the
database every 30 seconds. By default, this function is disabled.

 Configuration Example via CLI

Enable the DNS domain monitoring function.

AN(config)#dns domain monitor on

Enable the DNS domain monitoring function for a DNS domain name.

AN(config)#dns domain monitor name 1

Enable the DNS domain monitoring function for a DNS domain file.

AN(config)#dns domain monitor file dnsfile1

Disable the DNS domain monitoring function for a DNS domain name.

AN(config)#no dns domain monitor name 1

Disable the DNS domain monitoring function for a DNS domain file.

2022 Array Networks, Inc.

AN(config)#no dns domain monitor file dnsfile1

2022 Array Networks, Inc.

Chapter 7 Secure Sockets Layer (SSL)

7.1 Overview
The system supports setting up the SSL (Secure Sockets Layer) acceleration
functionality to provide secure transactions with your clients. The SSL acceleration
working mode is to decrypt the security data and pass the decrypted information to the
backend server. In an alternative mode the SSL accelerator can be used to decrypt the
secure traffic, apply traffic management processing on decrypted traffic and then
encrypt it back before passing it to SSL enabled origin server.

7.2 Understanding SSL

The main role of SSL is to provide security for Web traffic. Security includes
confidentiality, message integrity, and authentication. SSL achieves these elements of
security through the use of cryptography, digital signatures, and certificates.

7.2.1 Cryptography

SSL protects confidential information through the use of cryptography. Sensitive data
is encrypted when passing cross public networks to achieve a level of confidentiality.
There are two types of cryptographic algorithms, symmetric and asymmetric
algorithms.

 For the symmetric algorithm, encryption and decryption use the same secret key.
The secret key is determined by both parties of the communication, but it might
be intercepted by a third party. Therefore, in actual applications, the secret key is
always encrypted by an asymmetric algorithm and then delivered. Commonly
used symmetric algorithms include DES and AES.

 Asymmetric algorithm is also known as public key algorithm. It employs a pair of

keys, which are the public key and the private key. The public key is public
known, while the private key is privately owned. Data encrypted by the public
key can only be decrypted by the private key. Asymmetric algorithms supported
by the system include RSA, ECC and SM2.

 RSA algorithm

RSA is the most commonly used asymmetric cryptography. Its security increases with
the key length’s increase. Gradual increases in the RSA key length has slowed down
the algorithm’s computation speed.

 ECC algorithm

2022 Array Networks, Inc.

Compared with the RSA algorithm, the ECC algorithm provides the same level of
confidentiality with shorter key lengths.

 SM2 algorithm

SM2 is a public key algorithm based on elliptic curves, published by the Office of
State Commercial Cryptography Administration (OSCCA) of China. Beginning with
SM2v1.1, SM2 employs the dual-certification system. An SSL server needs two
certificates, a signature certificate and an encryption certificate. The corresponding
key pairs are the signature key pair and the encryption key pair.

 Signature key pair and signature certificate

The signature certificate is used for identity verification during SSL handshakes.

In the process of server certificate verification, the server will send the two SM2
certificates via the Server Certificate message, and use the private key of its signature
key pair to do signature in the Server Key Exchange message. The client will confirm
the server’s identity by using the public key of the server’s signature key pair to verify
the signature.

If the server needs to verify the client’s certificate, the client will send the two SM2
certificates via the Client Certificate message and use the private key of its signature
key pair to do signature in the follow-up Client Certificate Verify message. The server
will confirm the client’s identity by using the public key of the client’s signature key
pair to verify the signature.

 Encryption key pair and encryption certificate

The encryption certificate is used to generate the premaster secret key.

In the ECC key exchange mode, the client will generate the premaster secret key,
encrypt it using the public key of the server’s encryption key pair, and then send it to
the server via the Client Key Exchange message. The server will use the private key
of its encryption key pair to obtain the plaintext of the premaster secret key.

In the ECDHE key exchange mode, after the client sends the Client Key Exchange
message to the server, each of the communicating parties will generate the premaster
secret key by themselves.

7.2.2 Digital Signatures

Digital signature is calculated using irreversible signature algorithms. Validating a

digital signature helps confirm the identity of the information sender or signer and
whether the information was distorted during transmission. In SSL handshake process,
SSL virtual host and real host support negotiation of RSA and ECC signature

2022 Array Networks, Inc.

algorithms and the validation of RSA-signed and ECDSA-signed digital certificates in

SSL handshake process.

In Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key exchange section, the

server will send the ephemeral public key via the Server Key Exchange message
which carries a digital signature. The client will validate the digital signature to
confirm the reliability and integrity of the public key.

In client certificate authentication section, the client will send a digital signature to the
server via the Certificate Verify message. This digital signature is to enable the server
to confirm the identity of client. The server will use the public key in the client
certificate to validate the digital signature.

The following table lists the signature algorithms supported by SSL virtual hosts.

Type SSL Virtual Host SSL Real Host

SHA256RSA SHA1RSA
SHA384RSA SHA224RSA SHA256RSA
RSA Signature
SHA512RSA SHA384RSA
Algorithm
SHA1RSA SHA512RSA
SHA224RSA MD5RSA
SHA256ECDSA SHA1ECDSA
SHA384ECDSA SHA224ECDSA
ECDSA Signature
SHA512ECDSA SHA256ECDSA
Algorithm
SHA1ECDSA SHA384ECDSA
SHA224ECDSA SHA512ECDSA

7.2.3 Digital Certificates

Certificates contain information identifying the user or device. They are digital
documents that will attest to the binding of a public key to an individual or other
entity. They allow verification of the claim that a specific public key does, in fact,
belong to the specified entity. Certificates help prevent someone from impersonating
the server with a false key. SSL uses X.509 standard certificates to validate identities.
X.509 standard certificates contain information about the entity, including public key
and name. A certificate authority then validates this certificate. The following table
lists the contents of the X.509 certificate:

Table 7–1 Contents in X.509 Certificate

Name Meaning
Indicates the certificate version number. Certificate format varies by
Version
versions.
Indicates the certificate serial number, which is unique among all
Serial Number
certificates issued by an authority. If a certificate is revoked, its serial

2022 Array Networks, Inc.

Name Meaning
number will be added to the Certificate Revocation List (CRL).

Indicates the authority that issues the certificate. Generally, a certificate

Issuer
is issued by a Certificate Authority (CA).
Valid from Indicates the valid start date of the certificate.

Valid to Indicates the valid expiration date of the certificate.

Subject Indicates the person or enterprise identified by the certificate.

Public key Indicates the public key of the certificate holder.

Signature algorithm Indicates the signature algorithm used to generate the signature.
Indicates the thumbprint and thumbprint algorithm. Thumbprint is a
Thumbprint,
hashed value of the entire certificate calculated by the thumbprint
Thumbprint algorithm
algorithm and then encrypted by the private key of the CA.

The system supports three types of digital certificates: RSA, ECC and SM2
certificates.

Digital certificates are issued by CA. To obtain a certificate from CA, individuals or
enterprises need to send Certificate Signing Request (CSR) to CA, and then import
and activate the certificate. The system supports generation of RSA, ECC and SM2
CSRs for a virtual host.

 Generating a CSR

 To apply for an RSA certificate, execute the “ssl csr” command to generate an
RSA CSR.

 To apply for an ECC certificate, execute the “ssl ecc csr” command to generate
an ECC CSR.

 To apply for an SM2 certificate, execute the “ssl sm2 csr” command to generate
an SM2 CSR.

CA will send back the desired certificate via Email. After receiving the certificate,
administrators need to import it by using CLI commands.

 Importing a certificate

– RSA and ECC certificates are imported using the “ssl import certificate”
command.

– For an SM2 certificate application, CA will issue a signature certificate, an

encryption certificate and an encryption key. The encryption key may be
plaintext or encrypted (digital envelop). The signature certificate is imported
by using the “ssl sm2 import signcertificate” command; the encryption

2022 Array Networks, Inc.

certificate is imported by using the “ssl sm2 import enccertificate”

command; the plaintext encryption key is imported by using the “ssl sm2
import enckey” command; and the digital envelope is imported by using the
“ssl sm2 import encevp” command. Before the digital envelop is imported,
the signature key must be imported.

 Activating a certificate

All RSA, ECC and SM2 certificates are activated by using the “ssl activate
certificate” command. It allows you to activate both types of certificates at a time or
only the specific type of certificate.

The number of certificates that can be imported and activated for a virtual host or a
real host is different.

For a virtual host:

 If it is associated with one or more domain names, you can import three RSA
certificates, three ECC certificates for each domain of the virtual host. Each
domain of it can have one active RSA certificate and one active ECC certificate.

 For a virtual host not associating with a domain name, you can import three RSA
certificates, three ECC certificates and three SM2 certificates. Besides, it can
have one active RSA certificate, one active ECC certificate and one SM2
certificate.

For a real host, you can import three RSA certificates and three ECC certificates. It
can have one active RSA certificate and one active ECC certificate.

The following is an example for importing and activate an RSA certificate and an
ECC certificate with index 2 for real host “rhost”.

1. Import the RSA certificate.

AN(config)#ssl import certificate rhost 2

You may overwrite an existing certificate.
Type YES to continue, NO to abort: YES
Enter the certificate file in PEM format,
use "..." on a single line, without quotes
to terminate import
-----BEGIN CERTIFICATE-----
MIIDPDCCAqWgAwIBAgIFAK+57hMwDQYJKoZIhvcNAQELBQAwgaoxCzAJBgNVBAYTA
lVTMQswCQYDVQQIEwJDQTERMA8GA1UEBxMITWlscGl0YXMxGzAZBgNVBAoTEkFy
cmF5TmV0d29ya3MgSW5jLjEUMBIGA1UECxMLQVBWIFByb2R1Y3QxHjAcBgNVBAMTF
Xd3dy5hcnJheW5ldHdvcmtzLm5ldDEoMCYGCSqGSIb3DQEJARYZc3VwcG9ydEBhcnJheW5
ldHdvcmtzLm5ldDAeFw0xNjA3MTEwOTMwMzhaFw0yNDA5MjcwOTMwMzhaMIGUMQsw
CQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTEQMA4GA1UEBwwHRmxvcmlkY

2022 Array Networks, Inc.

TEOMAwGA1UECgwFQXJyYXkxCzAJBgNVBAsMAlBPMQswCQYDVQQLDAJQTzELMA
kGA1UECwwCUE8xDjAMBgNVBAMMBXZob3N0MRowGAYJKoZIhvcNAQkBFgthYmNA
MTI2LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMlV4+6s/0zYho
akPUNNwGdh1HCtOyKWpXl7vw6YLxQlKIvlEel69HsfIL1hKV+YmZOuY1istLPqBdxPqLniy
VIcttX9QpPJJYiRnaU/OjylWLKQt61yLGPrsTzrDKnv2KE9RTpe8MWEwgzy42pmW3Wptl6Y3
Xoox1k521gYVoDSfU+mqzwEFftclx0CD35v8TFbS0AP6js3iikZIddcZiMmtm87oSgQ0Q9Tn8jv
jNYXpLJ/BcEnGHFsAP1S5MFC8Wj7jNJ5wHNSPPpdePDnQ49j+E7Ah9XFY502svxbgUjEt1z
wu2CAVt4jvKTEU3tbWE+tGIjJpFtkFa4f3urUXvkCAwEAATANBgkqhkiG9w0BAQsFAAOBg
QB/CD9eCsXPllVqmCasL0XpeOF/pAgon6pgC4BVf1quZEb7C78IATQWrQJfHdYSZVQwXws
bg6YLHnpI+SdpoNwjsrd25K6AvCmBMANtqFighIwjcbNJqINGWWxZUIquHVmyD+L/53x2Ni
h4qJ5zjMfWzPbR7KbwF0cDJs1/YfMEwg==
-----END CERTIFICATE-----
...
PEM format.
Certificate import successful !!!

2. Import the ECC certificate.

AN(config)#ssl import certificate rhost 2

You may overwrite an existing certificate.
Type YES to continue, NO to abort: YES
Enter the certificate file in PEM format,
use "..." on a single line, without quotes
to terminate import
-----BEGIN CERTIFICATE-----
MIICIzCCAcqgAwIBAgIFAI88UzkwCgYIKoZIzj0EAwIwgaoxCzAJBgNVBAYTAlVTMQswC
QYDVQQIDAJDQTERMA8GA1UEBwwITWlscGl0YXMxGzAZBgNVBAoMEkFycmF5TmV
0d29ya3MgSW5jLjEUMBIGA1UECwwLQVBWIFByb2R1Y3QxHjAcBgNVBAMMFXd3dy5h
cnJheW5ldHdvcmtzLm5ldDEoMCYGCSqGSIb3DQEJARYZc3VwcG9ydEBhcnJheW5ldHdvcm
tzLm5ldDAeFw0xNjA3MTEwOTMxMjdaFw0yNDA5MjcwOTMxMjdaMIGHMQswCQYDVQ
QGEwJDTjELMAkGA1UECAwCQ04xCzAJBgNVBAcMAkNOMQswCQYDVQQKDAJDTjE
LMAkGA1UECwwCQ04xCzAJBgNVBAsMAkNOMQswCQYDVQQLDAJDTjEOMAwGA1U
EAwwFdmhvc3QxGjAYBgkqhkiG9w0BCQEWC2FiY0AxNjIuY29tMFkwEwYHKoZIzj0CAQY
IKoZIzj0DAQcDQgAECXCDImdSY1/eq400+rReCE5qLfL9VeIHygJR8lAOzFTG58stV9kBjKR
BTBL5p5tdZqFX1DbxZ0bT7+mCuBvS7jAKBggqhkjOPQQDAgNHADBEAiAfDVKFeeeyEq9
HvOmXEGEueaYDCMoVg1zm2T396BOBVQIgKZUTOqn+Kb0Nh64b9mS0Fr8mtTqps5Fl7Q/
v2YO4MqQ=
-----END CERTIFICATE-----
...
PEM format.
Certificate import successful !!!

3. Activate the imported RSA and ECC certificates.

2022 Array Networks, Inc.

AN(config)#ssl activate certificate rhost 2 "" all

Do you want to activate all Certificates #2? [YES/(NO)]: YES

Warning: RSA certificate chain is incomplete for rhost. Please add interca or rootca certificate.
RSA Certificate #2 is activated successfully!

Warning: ECC certificate chain is incomplete for rhost. Please add interca or rootca certificate.
ECC Certificate #2 is activated successfully!

7.2.3.2 Client Certificate Authentication

In client certificate authentication, a client sends its certificate to a server for
authentication upon receiving a Client Certificiate Request message from the server.
The system supports using the Array Certificate Parser (Array Networks patent) to
verify the X.509 certificate in a fast way.

 When the system functions as an SSL proxy client (SSL real host), if client
certificate authentication is enabled for the SSL real host, it will send its
certificate to the real service. In this scenario, if the SSL real host has both RSA
and ECC certificates activated, it will select the certificate to be sent according to
the following principles:

– If RSA certificate type is specified in the Client Certificate Request message,

the RSA certificate will be sent to the real service.

– If only ECC certificate type is specified in the Client Certificate Request

message, and the negotiated cipher suite is of the “ECDHE…” type, the ECC
certificate wil be sent to the real service.

– If only ECC certificate type is specified in the Client Certificate Request

message, but the negotiated cipher suite is not an “ECDHE…” one, the SSL
real host will reset the connection.

 When the system functions as a proxy server (SSL virtual host), the SSL virtual
host with client certificate authentication enabled will request the SSL client to
provide a certificate for authentication.

7.2.3.3 Server Name Indication (SNI)

SNI provides the SSL authentication for each website running on an SSL server. The
SNI function provide the SSL authentication for multiple websites on an SSL server
by associating multiple domain names with a virtual host instead of assigning an IP
address for each website and associating a unique virtual service, which simplifies
virtual service configurations and lessens IP address exhaustion.

Configuration Example

 Prerequisites:

2022 Array Networks, Inc.

 Two websites www.a.com and www.b.com run on an SSL server.

 A private key and the corresponding certificate have been imported for the
specified SSL virtual host, and the certificate has been activated.

Figure 7–1 SNI Architecture

 Configuration Example via CLI

1. Configure an HTTPS-type virtual service.

Add HTTPS-type virtual services “vs_service1” and “vs_service2”, real services

“rs_service1” and “rs_service2” and binds them one by one.

AN(config)#security service name "vs_service1" https virtual

AN(config)#security service address "vs_service1" 192.168.2.100 443 arp
AN(config)#security real service "rs_service1" http 192.168.1.50 80
AN(config)#security service policy static "vs_service1" "rs_service1"
AN(config)#security service name "vs_service2" https virtual
AN(config)#security service address "vs_service2" 192.168.2.101 443 arp
AN(config)#security real service "rs_service2" http 192.168.1.51 80
AN(config)#security service policy static "vs_service2" "rs_service2"

2. Add the SSL virtual hosts “vshost1” and “vshost2” and associate them with the
virtual service “vs_service1” and “vs_service2” respectively.

AN(config)#ssl host virtual vshost1 vs_service1

AN(config)#ssl host virtual vshost2 vs_service2

Associate the domain “www.a.com” and “www.b.com” with the SSL virtual host
“vshost1” and “vshost2”.

AN(config)#ssl sni vshost1 www.a.com

AN(config)#ssl sni vshost2 www.b.com

3. Import a private key for the domain “www.a.com”.

For how to get the private key and certificate and other ways to import the private key
and certificate, refer to section 7.3.2 Configuration Example.

AN(config)#ssl import key vshost1 1 www.a.com

You may overwrite an existing key file. This may require you

2022 Array Networks, Inc.

to purchase a new certificate. Type YES to continue: YES

Enter key, use "..." on a single line, without quotes
to terminate import
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7B26776D2C14EB1F

WwU2hyREMjGi+6k5nq5gecnTSJSTk8q3ori+1jooOfgvRV72x/e3hGRFIysKb15J
1xeyUHFjtNJIHlEVjNg2XURXIRDO+qatI0cnvW1sYbuQodat0jGzpP/oOxGVcRsg
kTuP8xObpUou0RevvZVbfYHWsdWZnY5qhLjje1UGKUu8HwaMp3Q7OJ7pper7TOAXCkiVn
1zHgeFkB4p2lGwCHxbdNJg7ee5U2HFiSoC/8P8G64kIkEfxuMFwzkaVlia+Anf40WlBcvixZaN
ZqHkZdcfJGlqKnqnpcJWiyLd8oPr3npYu6+c1PyHiyEua67nEzK5G4KVFacW0POPLHfj/Q1yM
qYcWySyecJvtq0jxYLujGH6qckLhMMltdptCfFvZ6gfncRanNWEU+2v+nc509XKv9zJeR58Ws
Ah81AN7aChuEBj69cjL4HwOtk3nttVmpr5+cluF6mpbk2rJuZ14l+Hwc63XRAaHXV0bIQfo+rQ
BIWHkItvN4S2a0G23IC9N32Y1qTqQgoj9qxSXvw1oKmV+UcVjtt78GyT3m7pYPtNc/wdehUP
rR4Lc8hSiV3m29ZGIoNpdhVgCGw/MM65tr3dRZfYcG8cPJ4pk/3WKq9OfznlugAxo4KWebea5
1CaT4YBMO5nETHT9WesX9viiKtbhPaAIKQOd4Rwcs5FK0ETHSfBBpW0tsXw562s6QnNSm
nWuoksvqqXqCbnuNSz611z3dOhiLwHdqCqLEDNEhv231ielOk1qoUo+ad0eiM0ETrP6Zyw+j6i
9K71sSe28Zm4gVQMnSHxGyp0K+zK3cYs=
-----END RSA PRIVATE KEY-----
...
PEM format.
Enter passphrase for the private key:

Key import successful !!!

4. Import the corresponding certificate for the domain “www.a.com”.

AN(config)#ssl import certificate vshost1 1 www.a.com

You may overwrite an existing certificate.
Type YES to continue, NO to abort: YES
Enter the certificate file in PEM format,
use "..." on a single line, without quotes
to terminate import
-----BEGIN CERTIFICATE-----
MIIDPDCCAqWgAwIBAgIFAK+57hMwDQYJKoZIhvcNAQELBQAwgaoxCzAJBgNVBAYTA
lVTMQswCQYDVQQIEwJDQTERMA8GA1UEBxMITWlscGl0YXMxGzAZBgNVBAoTEkFy
cmF5TmV0d29ya3MgSW5jLjEUMBIGA1UECxMLQVBWIFByb2R1Y3QxHjAcBgNVBAMTF
Xd3dy5hcnJheW5ldHdvcmtzLm5ldDEoMCYGCSqGSIb3DQEJARYZc3VwcG9ydEBhcnJheW5
ldHdvcmtzLm5ldDAeFw0xNjA3MTEwOTMwMzhaFw0yNDA5MjcwOTMwMzhaMIGUMQsw
CQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTEQMA4GA1UEBwwHRmxvcmlkY
TEOMAwGA1UECgwFQXJyYXkxCzAJBgNVBAsMAlBPMQswCQYDVQQLDAJQTzELMA

2022 Array Networks, Inc.

kGA1UECwwCUE8xDjAMBgNVBAMMBXZob3N0MRowGAYJKoZIhvcNAQkBFgthYmNA
MTI2LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMlV4+6s/0zY
hoakPUNNwGdh1HCtOyKWpXl7vw6YLxQlKIvlEel69HsfIL1hKV+YmZOuY1istLPqBdxPqLn
iyVIcttX9QpPJJYiRnaU/OjylWLKQt61yLGPrsTzrDKnv2KE9RTpe8MWEwgzy42pmW3Wptl6
Y3Xoox1k521gYVoDSfU+mqzwEFftclx0CD35v8TFbS0AP6js3iikZIddcZiMmtm87oSgQ0Q9Tn
8jvjNYXpLJ/BcEnGHFsAP1S5MFC8Wj7jNJ5wHNSPPpdePDnQ49j+E7Ah9XFY502svxbgUjEt
1zwu2CAVt4jvKTEU3tbWE+tGIjJpFtkFa4f3urUXvkCAwEAATANBgkqhkiG9w0BAQsFAAOB
gQB/CD9eCsXPllVqmCasL0XpeOF/pAgon6pgC4BVf1quZEb7C78IATQWrQJfHdYSZVQwXw
sbg6YLHnpI+SdpoNwjsrd25K6AvCmBMANtqFighIwjcbNJqINGWWxZUIquHVmyD+L/53x2
Nih4qJ5zjMfWzPbR7KbwF0cDJs1/YfMEwg==
-----END CERTIFICATE-----
...
PEM format.
Certificate import successful !!!

5. Import a private key for the domain “www.b.com”.

AN(config)#ssl import keyvshost2 www.b.com

You may overwrite an existing key file. This may require you
to purchase a new certificate. Type YES to continue: YES
Enter key, use "..." on a single line, without quotes
to terminate import
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7B26776D2C14EB1F

2022 Array Networks, Inc.

Key import successful !!!

6. Import the corresponding certificate for the domain “www.b.com”.

AN(config)#ssl import certificate vshost2 1 www.b.com

You may overwrite an existing certificate.
Type YES to continue, NO to abort: YES
Enter the certificate file in PEM format,
use "..." on a single line, without quotes
to terminate import
-----BEGIN CERTIFICATE-----
MIICIzCCAcqgAwIBAgIFAI88UzkwCgYIKoZIzj0EAwIwgaoxCzAJBgNVBAYTAlVTMQswC
QYDVQQIDAJDQTERMA8GA1UEBwwITWlscGl0YXMxGzAZBgNVBAoMEkFycmF5TmV
0d29ya3MgSW5jLjEUMBIGA1UECwwLQVBWIFByb2R1Y3QxHjAcBgNVBAMMFXd3dy5h
cnJheW5ldHdvcmtzLm5ldDEoMCYGCSqGSIb3DQEJARYZc3VwcG9ydEBhcnJheW5ldHdvcm
tzLm5ldDAeFw0xNjA3MTEwOTMxMjdaFw0yNDA5MjcwOTMxMjdaMIGHMQswCQYDVQ
QGEwJDTjELMAkGA1UECAwCQ04xCzAJBgNVBAcMAkNOMQswCQYDVQQKDAJDTjE
LMAkGA1UECwwCQ04xCzAJBgNVBAsMAkNOMQswCQYDVQQLDAJDTjEOMAwGA1U
EAwwFdmhvc3QxGjAYBgkqhkiG9w0BCQEWC2FiY0AxNjIuY29tMFkwEwYHKoZIzj0CAQY
IKoZIzj0DAQcDQgAECXCDImdSY1/eq400+rReCE5qLfL9VeIHygJR8lAOzFTG58stV9kBjKR
BTBL5p5tdZqFX1DbxZ0bT7+mCuBvS7jAKBggqhkjOPQQDAgNHADBEAiAfDVKFeeeyEq9
HvOmXEGEueaYDCMoVg1zm2T396BOBVQIgKZUTOqn+Kb0Nh64b9mS0Fr8mtTqps5Fl7Q/
v2YO4MqQ=
-----END CERTIFICATE-----
...
PEM format.
Certificate import successful !!!

7. Activate the certificate for the domain “www.a.com” and “www.b.com”.

AN(config)#ssl activate certificate vshost1 1 www.a.com

AN(config)#ssl activate certificate vshost2 1 www.b.com

8. Enable the SSL virtual host “vshost1” and “vshost2”.

AN(config)#ssl start vshost1

AN(config)#ssl start vshost2

7.3 SSL Acceleration Configuration

7.3.1 Configuration Guidelines

The following terminologies are used extensively throughout this chapter:

2022 Array Networks, Inc.

Table 7–2 SSL Acceleration Terminologies

Name Meaning
An SSL virtual host is associated with virtual services. An SSL virtual host
Virtual Host acts as an SSL server and is used to communicate by using SSL between
browser and ASF appliance.
An SSL host associated with an SLB real. An SSL real host acts as an SSL
Real Host client and is used to communicate by using SSL between ASF Advanced
SSL Configuration for SSL Real Host.
Original Server A backend server that will accept clear-text or encrypted requests.
Clear-text Any traffic that is not encrypted.
Virtual Host Port The port that SSL virtual host will listen on. Typically port 443 is used.
A private key that is stored on the ASF appliance for PKI (Public Key
Key (private) Infrastructure) authentication purposes. The maximum length of the key
supported by the system is 4096 bits.
This is used for authentication purpose and to help set up secure
Certificate
communications between the appliance and the browser.
Certificate A certificate authority is an entity that will create a certificate from a CSR
Authority (CA) (Certificate Signing Request).
Current Web Browsers have a list of known CA’s public keys that are used
Trusted Certificate to verify certificates authenticity. If the browser cannot identify the CA it
Authority will inform the user. In a similar manner the ASF appliance also maintains a
list of Trusted Certificate Authorities to verify certificates.

In this example, for our SSL purposes “www.example.com” is the SSL virtual host.
This SSL virtual host is associated with a virtual service using IP 10.10.0.10 and port
443.

SSL virtual Host: www.example.com

ASF virtual service address: 10.10.0.10:443

There are two methods for setting up SSL acceleration.

 The first method applies if you have never set up SSL, and you will need to walk
through the whole process of setting up the SSL virtual host and generation of a
CSR to send to the CA of your choice. The CA will send you a signed certificate
that you will then import it.

 The second method applies if you already have a key and certificate, and you can
skip the CSR step and import your key and certificate.

Table 7–3 General Settings of SSL

Operation Command
Create an SSL ssl host virtual <virtual_host_name> [virtual_service_name]

2022 Array Networks, Inc.

Operation Command
virtual host and ssl host real <real_host_name> [virtual_service_name]
real host
ssl csr <virtual_host_name> [key_length] [certificate_index]
[signature_algorithm_index] [domain_name]
ssl ecc csr <virtual_host_name> [curve_name] [certificate_index]
[signature_algorithm_index] [domain_name]
Import certificate
ssl import certificate <host_name> [certificate_index] [domain_name]
and key for SSL
[tftp_ip] [file_name]
virtual host
ssl import key <host_name> [certificate_index] [domain_name] [tftp_ip]
[file_name]
ssl activate certificate <host_name> [certificate_index] [domain_name]
[certificate_type]
ssl stop <host_name>
ssl settings ciphersuite <host_name> <cipher_string>
ssl settings protocol <host_name> <version>
ssl settings reuse < host_name>
ssl settings clientauth <host_name>
ssl settings certfilter <virtual_host_name> <condition_1> [condition_2]
ssl import rootca [host_name] [domain_name] [tftp_ip] [file_name]
Advanced
ssl settings crl offline <host_name> <cdp_name> <cdp_url>
configuration for
[domain_name] [time_interval] [delay_time]
an SSL virtual host
ssl settings crl online <virtual_host_name>
ssl settings ocsp <virtual_host_name> <ocsp_server_url>
ssl settings minimum <virtual_host_name> <cipher_strength>
<redirect_url>
ssl start <host_name>
ssl import error <error_code> <url> [virtual_host_name]
ssl load error <error_code> [virtual_host_name]
ssl settings ciphersuite <host_name> <cipher_string>
ssl settings protocol <host_name> <version>
Advanced
ssl settings reuse <host_name>
configuration for
ssl settings clientauth <host_name>
an SSL real host
ssl import rootca [host_name] [domain_name] [tftp_ip] [file_name]
ssl settings servername <real_host_name> <common_name>

7.3.2 Configuration Example

 Create an ASF virtual service.

Firstly, execute the “security service…” command to create an HTTPS-type virtual

service. Secondly, run the “ssl host” command to create an SSL virtual host and
associate it with the virtual service.

2022 Array Networks, Inc.

AN(config)#security service name "virtual1https" https virtual

AN(config)#security service address "virtual1https" 192.168.2.100 443 arp
AN(config)#security real service "rhost1" http 192.168.1.50 80
AN(config)#security service policy static "virtual1https" "rhost1"
AN(config)#ssl host virtual www.example.com virtual1https

In this example, “vitrual1https” is the created ASF virtual service, and

“www.example.com” is the created SSL virtual host.

 Import certificate and key for the new SSL virtual host

The following configuration illustrates an example for applying for, importing and
activating an RSA key and certificate for virtual host “www.example.com”.

1. Execute the “ssl csr” command to generate an RSA CSR for

“www.example.com”. (To apply for an ECC certificate, execute the “ssl ecc csr”
command to generate an ECC CSR. To apply for an SM2 certificate, run the “ssl
sm2 csr” command.)

AN(config)#ssl csr www.example.com

Generating keys for "www.example.com"....please wait
We will now gather some required information about your SSL virtual host.
This information will be encoded into your certificate.
TWO-character country code for your organization (eg. US) :US
State or province []:CA
location or local city []:San Jose
Organization Name :Example.com
Organizational Unit :Example.com
Organizational Unit []:
Organizational Unit []:
Do you want to use the virtual host name "www.example.com"
as the Common Name? (recommended) [Y/N]: Y
email address of administrator []:[email protected]
Do you want to add Subject Alternative Names? (recommended) [Y/N] N
-----BEGIN CERTIFICATE REQUEST-----
MIIC6jCCAdICAQAwgZUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTERMA8GA1U
EBwwIU2FuIEpvc2UxFDASBgNVBAoMC0V4YW1wbGUuY29tMRQwEgYDVQQLDAtFeGF
tcGxlLmNvbTEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMSAwHgYJKoZIhvcNAQkB
FhFhZG1pbkBleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggE
BAKfPzHgGQA2DKh7kkzSKczUO9RkMRvrMX+MssKiVwGUpwUZ3B0YlW5gqUQ0ieYqNQ
bYr4s7G+d+zHe7NtsyUADMJwgDKK4pQaiBuxVWzQtqQqIGEZc4NqIaltJzOpzZSMqY0SvbQ
3MJqrvVgZpdObeedW5SRVjn8zyebr2j/re4tTIJpm+lj9FiFf/yVHsJdXjJrOONYfsAcaI9c8a5BLqe
PavZEvzh3p+eiCwjGflv8n48O8ub+PIGU1W230gkfRdG5D6e1yWlXFdceveunuOlfuoL2yBgHu
yxxgu+RkQd6ZqV6eACLbv47OTMr9MUGuW6TuQ0TI+T24lY8DBn/TxcCAwEAAaAPMA0G
CSqGSIb3DQEJDjEAMA0GCSqGSIb3DQEBCwUAA4IBAQCRl4Mao7hBqsqH/+kU8IQK7aq

2022 Array Networks, Inc.

wdujSDj5KxO5rKkSutslaqfsIbpr85nGKFqxrBxpy0lFs6NegztSV0dCc/Dt3iVaAqLEgeVmdFA9Z
bcpwHecQmeg1D200GmpsU3T2xiqM0mDc7jmRywWenCJkRWmO3EWeO9N5mbbeoOUs4Kel
KvVayMe2k9YvArSmOa3NHzyTQ1Zhqc80Q6Jg7mSw6B9et0JpKIim+3Hw12ULOdhIDijLOa8
GiDdhuL4J5FBDW0wY8Jl+YKeW7r8GDldENP1bdvWDdDkI0zHhVuwPDOuAcwWj23gT7jLo
wcNYRNIVW5RGrXHjlfb9UXKqMboJmpp+
-----END CERTIFICATE REQUEST-----

Do you want the private key to be exportable [Yes/(No)]:Yes

Enter passphrase for the private key:

Confirm passphrase for the private key:

Warning: RSA certificate chain is incomplete for www.example.com. Please add interca or rootca
certificate.

Besides the RSA CSR, this command also generates an RSA key pair and a testing
certificate for virtual host “www.example.com”. The testing certificate is used for
testing purpose only. To use it for testing or demonstration, you can directly start the
SSL virtual host.

AN(config)#ssl start www.example.com

Now, you can connect to the website securely via a web browser.

2. Forward the CSR to a CA.

Copy the content from “----BEGIN CERTIFICATE REQUEST-----” to “-----END

CERTIFICATE REQUEST-----” in the output of the “ssl csr” command and forward
it to CA. CA will return an email including the digital certificate. The following is an
example certificate.

2022 Array Networks, Inc.

pQc+5KLydK1ZYcTkbxJq41K4RHM11OClXVjm3xRhqKQnjzNboExIvkZsKIBbfLkBrM1eBnE
aiYWXmsYGfxPkwdhKlQCLQgN+G3IKu2cRQLU=
-----END CERTIFICATE-----

Note: Be cautious when configuring SSL. It is imperative that you do not delete the SSL
virtual host before importing the certificate received from CA. Otherwise, you will have to
send another CSR to CA to re-apply for a certificate. Fortunately, most CAs provide a
30-day trial period for getting another certificate in case that something goes wrong. If the
trial period elapses, you have to pay for another certificate.

3. Execute the “ssl import certificate” command to import the received certificate
for the SSL virtual host.

AN(config)#ssl import certificate www.example.com 1

You may overwrite an existing certificate.
Type YES to continue, NO to abort: YES
Enter the certificate file in PEM format,
use "..." on a single line, without quotes
to terminate import
-----BEGIN CERTIFICATE-----
MIICnjCANgcANgEUMA0GCSqGSIb3DQEBBAUAMIG5MQswCQYDVQQGEwJVUzETMB
EGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxHDAaBgNVBAoTE0
NsaWNrQXJyYXkgTmV0d29ya3MxFDASBgNVBAsTC0RldmVsb3BtZW50MSMwIQYDVQ
QDExpkZXZlbG9wbWVudC5jbGlja2FycmF5LmNvbTEpMCcGCSqGSIb3DQEJARYaZGV2Z
WxvcG1lbnRAY2xpY2thcnJheS5jb20wHhcNMDIwMjEzMTgwMTI5WhcNMDMwMjA4MTgw
MTI5WjB0MQswCQYDVQQGEwJVUzEMMAoGA1UECBMDRE9EMQwwCgYDVQQHEw
NET08xCzAJBgNVBAoTAkRPMQswCQYDVQQLEwJETzETMBEGA1UEAxMKMTAuMTIu
MC4xNDEaMBgGCSqGSIb3DQEJARYLbWhAZGtkay5jb20wgZ8wDQYJKoZIhvcNAQEBBQ
ADgY0AMIGJAoGBAMx4r+ae4kTZggtyU047OsKUyqCt+V1MHgTPTpVxdtxYhSTSOZwYIX
gRqBEdJvs2/ua1XZRzLOCTa58VI/8I3derAPqz79WpBRsxD25rCT1rzmalfkTea3V8jHJYP6Yin
DTWKFKztxeUclkzukzPUZO6M0fI5ToXNuLEe+IwvOkfAgMBAAEwDQYJKoZIhvcNAQEEB
QADgYEAodV5O0LKUr/O0BbxOnwmyP/DkLj4bpe9XxQO6B4psDey/+xBHs6tgGKuy8spbcJ4
pQc+5KLydK1ZYcTkbxJq41K4RHM11OClXVjm3xRhqKQnjzNboExIvkZsKIBbfLkBrM1eBnE
aiYWXmsYGfxPkwdhKlQCLQgN+G3IKu2cRQLU=
-----END CERTIFICATE-----
…

You can also import the certificate from a remote TFTP server, which needs the TFTP
server’s IP address and certificate file name (“example.crt” in this case).

AN(config)#ssl import certificate www.example.com 1 10.10.13.82 example.crt

You may overwrite an existing certificate.
Type YES to continue, NO to abort: YES

2022 Array Networks, Inc.

Note:

Available key and certificate files can be directly imported into an SSL virtual host using
the “ssl import key” and “ssl import certificate” commands (without applying for a
certificate using CSR). These commands support copy and paste of the key or certificate
content into the command prompt or import of the files from a remote TFTP server.
Whichever method is used, note following principles:

 The key file must be imported first and then the certificate file.
 Keys and certificates in non-PEM format can only be imported using the TFTP
method.

4. Execute the “ssl activate certificate” command to activate the certificate.

AN(config)#ssl activate certificate www.example.com 1

Note: The system will check the certificate chain when the certificate is activated. A
warning message, stating that the certificate chain is incomplete, will be printed if its root
CA certificate or intermediate CA certificate cannot be found in the virtual host’s global
trusted CA file or intermediate CA file. These certificates can be imported by using the
“ssl import rootca” and “ssl import interca” commands.

5. Start the SSL virtual host.

AN(config)#ssl start www.example.com

Till now, SSL acceleration configuration for “www.example.com” is completed. A

client can access the virtual host via HTTPS.

 Import Certificate and Key from IIS and NS iPlanet Web Servers

IIS

If you are using the Microsoft IIS server, the ASF appliance will allow you to import
the certificate from IIS versions 4 and 5 through TFTP mechanism. IIS stores the SSL
key and certificate in the same file. This file is in .PFX format. You need to put this
file onto a TFTP server in its root directory and rename it as <host_name>.crt. This
file then can be imported into ASF appliance through the “ssl import certificate”
command. This command takes TFTP server IP address as an extra argument.

AN(config)#ssl import certificate www.example.com 1 10.10.0.3

This command will download a file that is named “<host_name>.crt”. In our case it is
“www.example.com.crt” from the TFTP server (10.10.0.3).

After importing the certificate successfully, you can activate the certificate via the
command “ssl activate certificate”.

2022 Array Networks, Inc.

SJ-Box1(config)#ssl activate certificate www.example.com 1

Once the certificate and key import is successful through TFTP server, you need to
start the SSL subsystem with the “ssl start” command.

AN(config)#ssl start www.example.com

Netscape/iPlanet:

If you are using the Netscape or iPlanet servers, the ASF appliance will also allow
you to import the certificate and key. The iPlanet server stores the key/cert pair in the
directory /<serverroot>/alias/ where <serverroot> is the directory where the server is
installed. In that directory there will be two files of the form
<serverid-hostname>-key3.db and <serverid-hostname>-cert7.db. You will need to
copy the first file to your TFTP server's root directory and rename it as
“<vhostname>.key”. For the cert file, rename it as “<vhostname>.crt”. Ensure that the
renaming is correct, or the SSL subsystem will not load them correctly.

Now we can import the certificate and key.

SJ-Box1(config)#ssl import certificate www.example.com 1 10.10.0.3 www.example.com.key

Import the certificate file “www.example.com.crt” from 10.10.0.3.

SJ-Box1(config)#ssl import key www.example.com 1 10.10.0.3 www.example.com.crt

Import the key file “www.example.com.key” from 10.10.0.3 .

Note: You must first import the certificate and then import the key when importing an SSL
cert/key pair from iPlanet.

After importing the certificate successfully, you can activate the certificate via the
command “ssl activate certificate”.

SJ-Box1(config)#ssl activate certificate www.example.com 1

Then we can start the SSL subsystem:

AN(config)#ssl start www.example.com

 Creating an SSL Real Host

The system allows you to use the SSL subsystem to talk to SSL enabled real servers.
This allows an encrypted transaction between the ArrayOS and the backend servers.

Configuration of SSL real host is very simple and can be explained as follows:

1. Use the “security service name” command to add an HTTPS-type virtual service
“vshost1”, use the “security real service” command to add a real service

2022 Array Networks, Inc.

“rhost1” and use the “security service policy static” command to associate
them.

2. Use the “ssl host real” comamnd to define an SSL real host and associate it with
the real service.

For example:

AN(config)#security service name "vshost1" https virtual

AN(config)#security service address "vshost1" 192.168.2.100 443 arp
AN(config)#security real service "rhost1" https 192.168.1.50 443
AN(config)#security service policy static "vshost1" "rhost1"
AN(config)#ssl host real www.myreal.com rshost1

In the above example, please note that “rhost1” is our newly created real service,
which represents a backend server running on IP 192.168.1.50 and port 443 and is
capable of handling SSL requests. As a final step, we can start the SSL subsystem:

AN(config)#ssl start www.myreal.com

Now the system is configured to take full advantage of the SSL functionality while
communicating with the backend server.

7.3.2.1 Advanced configuration for SSL virtual host

1. Disable SSL virtual host.

AN(config)#ssl stop www.example.com

SSL virtual host must be disabled before you change its configurations.

2. Configure cipher suites for the SSL virtual host.

AN(config)#ssl settings ciphersuite "www.example.com" "DES-CBC3-SHA"

The following table lists the RSA, ECC (ECDHE-ECDSA...) and SM2 cipher suites
allowed for an SSL virtual host with different protocol versions. “Y” indicates that the
cipher suite is supported. “N” indicates that the cipher suite is not supported.

SSL Protocols – Virtual Hosts

Cipher Suites Bits SSLv3 TLS TLSv1 TLSv1 SM2v1
.0 v1 .1 .2 .1
AES256-GCM-SHA384 256 N N N Y N
AES128-GCM-SHA256 128 N N N Y N
AES256-SHA256 256 N N N Y N
AES256-SHA 256 Y Y Y Y N
AES128-SHA256 128 N N N Y N
AES128-SHA 128 Y Y Y Y N
DES-CBC3-SHA 192 Y Y Y Y N

2022 Array Networks, Inc.

Cipher Suites Bits SSL Protocols – Virtual Hosts

DES-CBC-SHA 64 Y Y Y N N
RC4-SHA 128 Y Y Y Y N
RC4-MD5 128 Y Y Y Y N
EXP-DES-CBC-SHA 40 Y N N N N
EXP-RC4-MD5 40 Y N N N N
ECDHE-RSA-AES256-GCM-SHA384 256 N N N Y N
ECDHE-RSA-AES128-GCM-SHA256 128 N N N Y N
ECDHE-RSA-AES256-SHA384 256 N N N Y N
ECDHE-RSA-AES256-SHA 256 Y Y Y Y N
ECDHE-RSA-AES128-SHA256 128 N N N Y N
ECDHE-RSA-AES128-SHA 128 Y Y Y Y N
ECDHE-ECDSA-AES256-GCM-SHA384 256 N N N Y N
ECDHE-ECDSA-AES128-GCM-SHA256 128 N N N Y N
ECDHE-ECDSA-AES256-SHA384 256 N N N Y N
ECDHE-ECDSA-AES256-SHA 256 Y Y Y Y N
ECDHE-ECDSA-AES128-SHA256 128 N N N Y N
ECDHE-ECDSA-AES128-SHA 128 Y Y Y Y N
ECDHE-SM4-SM3 128 N N N N Y
ECC-SM4-SM3 128 N N N N Y

To enable multiple ciphers for a single SSL virtual host, you will need to separate
each cipher with colon (:).

3. Configure the protocol version for the SSL virtual host.

AN(config)#ssl settings protocol "www.example.com" "SSLv3:TLSv1:TLSv12"

SSL protocols can be set to SSLv3, TLSv1, TLSv11, TLSv12 or SM2v11, or a few of
them or all of them.

Note: Parameter value “TLSv11” stands for the TLSv1.1 protocol. TLSv12” stands for the
TLSv1.2 protocol , and “SM2v11” stands for the SM2v1.1 protocol.

4. Configure session reuse for SSL virtual host.

AN(config)#ssl settings reuse "www.example.com"

This feature is enabled by default. You can disable it by using the “no ssl settings
reuse” command.

5. Configure client authentication for SSL virtual host.

The ASF appliance supports the SSL based client authentication. If enabled, the ASF
appliance will require each client to present an SSL certificate for authorization,
before the client can access the SSL virtual host.

2022 Array Networks, Inc.

AN(config)#ssl settings clientauth "www.example.com"

Note: If you enable SSL client authentication for an SSL virtual host, you must provide a
trusted CA certificate. This will be used by the ASF appliance to verify client certificates.

AN(config)#ssl import rootca "www.example.com"

This command will prompt you to copy and paste the trusted CA certificate in PEM
format. You may configure multiple trusted CAs for one SSL virtual host.

Furthermore, the SSL virtual host will check the client certificate based on the
configured certificate filters (by using the command “ssl settings certfilter”). If the
client certificate fails the certificate verification, the SSL host will reject the client’s
access. At most three pieces of “certfilter” configuration (by using the “ssl settings
certfilter” command) can be configured for an SSL virtual host. The logical
relationship among the three pieces of “certfilter” configuration is “OR”. If the client
certificate does not match any piece of “certfilter” configuration, the SSL virtual host
will reject the client’s access.

The filters can be configured with any of the supported RDNs on the ASF appliances.
Table 1–1 Supported RDN on ASF

RDN Standard Name

C Country Name
ST State or Province Name
L Locality Name
O Organization Name
OU Organizational Unit Name
CN Common Name
SN Serial Number
dnQualifier DN Qualifier
Pseudonym Pseudonym
Title Title
GQ Generation Qualifier
Initials Initials
Name Name
givenName Given Name
Surname Surname
DC Domain Component
emailAddress Email Address
{OID expression} OID information, for example: 1.2.3.4

For example:

2022 Array Networks, Inc.

AN(config)#ssl settings certfilter vhost

"subject:/C=US/O=Array/OU=QA/[email protected]"
"issuer:/C=US/"

In this example, client certificates can pass the certificate verification only when the
following conditions are both met:

 In the “subject” field, “C” is “US”, “O” is “Array”, “OU” is “QA” and
“emailAddress” is “[email protected]”.

 In the “issuer” field, “C” is “US”.

Otherwise, the client will fail the authentication.

Two kinds of client authentication modes are supported: mandatory and

non-mandatory. Client authentication mode defaults to mandatory. In non-mandatory
client authentication mode, when the server sends a certificate request to the client, if
the client has no matched certificate or cancels the authentication by clicking the
Cancel button, the server will permit the client to finish the SSL handshake process
instead of dropping the SSL connection.

6. Configure CRL for SSL virtual host.

ASF supports the CRL (Certificate Revocation List) function. You can configure the
ASF appliance to fetch the C+RL file periodically from a CRL Distribution Point
(CDP) by using HTTP, FTP or LDAP. The ASF appliance supports a maximum of 10
CDPs.

For our example, let’s consider a case when you have put your CRL file (Array.crl)
on an HTTP Web server (www.crldp.com) and you want to fetch it every one minute.
You can configure the ASF appliance as follows:

AN(config)#ssl settings crl offline www.example.com cdp1 "http://www.crldp.com/Array.crl"

This will enable the ASF appliance to fetch the CRL file at the regular interval of one
minute from the “www.crldp.com” site.

You can also specify an FTP URL to download the CRL file.

AN(config)#ssl settings crl offline www.example.com cdp1 "ftp://ftp.crldp.com/Array.crl" 1

You may also specify an LDAP URL to download the CRL file.

AN(config)#ssl settings crl offline www.example.com cdp1

"ldap://ldap.crldp.com/cn=array,dc=arraynetworks,dc=com" 1
Start and view SSL settings.

7. Configure OCSP for SSL virtual host to check the certificate validation online.

2022 Array Networks, Inc.

The system supports the OCSP (Online Certificate Status Protocol) protocol. You
may configure the system to validate the certificate on an OCSP server online.

For our example, configure an OCSP server (ocsp.crldp.com:8888) and to validate the
certificate online, you may configure the system as follows:

AN(config)#ssl settings ocsp www.example.com "http:// ocsp.crldp.com:8888"

Note: The OCSP has top priority. When configured, the OCSP will validate the
certification by only checking the OCSP server.

8. Configure redirect for clients without strong encryption support.

The system provides you with a facility to redirect the weak clients (clients who are
not using strong ciphers) to another URL. You can specify the minimum strength of
the cipher as acceptance criteria. Any client that uses a cipher weaker than this will be
redirected to the configured URL.

For example, consider a scenario where you want to redirect all clients that does not
support cipher suites with at least 168 bits key length to a different site
“www.example2.com”.

This can be configured by using the following command:

AN(config)#ssl settings minimum www.example.com 168 "http://www.example2.com"

9. Start the SSL virtual host:

AN(config)#ssl start www.example.com

View the current SSL settings.

AN(config)#show ssl settings www.example.com

7.3.2.2 Advanced SSL Configuration for SSL Real Host

1. Dsiable SSL real host.

AN(config)#ssl stop www.myreal.com

SSL real host must be disabled before you change its configurations.

2. Configure cipher suites for the SSL real host.

AN(config)#ssl settings ciphersuite "www.myreal.com" "DES-CBC3-SHA"

The following table lists the RSA and ECC (ECDHE-ECDSA…) cipher suites
allowed for an SSL real host with different SSL protocol versions. “Y” indicates that
the cipher suite is supported. “N” indicates that the cipher suite is not supported.

2022 Array Networks, Inc.

SSL Protocols – Virtual Hosts

Cipher Suites Bits TLSv1 TLSv1
SSLv3.0 TLSv1.0
.1 .2
AES256-GCM-SHA384 256 N N N Y
AES128-GCM-SHA256 128 N N N Y
AES256-SHA256 256 N N N Y
AES256-SHA 256 Y Y Y Y
AES128-SHA256 128 N N N Y
AES128-SHA 128 Y Y Y Y
DES-CBC3-SHA 192 Y Y Y Y
RC4-SHA 128 Y Y Y Y
RC4-MD5 128 Y Y Y Y
ECDHE-RSA-AES256-GCM-SHA384 256 N N N Y
ECDHE-RSA-AES128-GCM-SHA256 128 N N N Y
ECDHE-RSA-AES256-SHA384 256 N N N Y
ECDHE-RSA-AES256-SHA 256 Y Y Y Y
ECDHE-RSA-AES128-SHA256 128 N N N Y
ECDHE-RSA-AES128-SHA 128 Y Y Y Y
ECDHE-ECDSA-AES256-GCM-SHA384 256 N N N Y
ECDHE-ECDSA-AES128-GCM-SHA256 128 N N N Y
ECDHE-ECDSA-AES256-SHA384 256 N N N Y
ECDHE-ECDSA-AES256-SHA 256 Y Y Y Y
ECDHE-ECDSA-AES128-SHA256 128 N N N Y
ECDHE-ECDSA-AES128-SHA 128 Y Y Y Y

3. Configure protocol version for SSL real host.

AN(config)#ssl settings protocol "www.myreal.com" "SSLv3:TLSv1"

SSL protocols allowed to be set include SSLv3, TLSv1, TLSv11 and TLSv12. To set
multiple protocols, separate them with colons (:).

4. Configure session reuse for SSL real host.

This allows you to enable SSL session reuses between the ASF appliance and
backend servers. This feature is enabled by default.

AN(config)#ssl settings reuse www.myreal.com

5. Configure client authentication for SSL real host.

The ASF appliance can use SSL client authentication while communicating with the
backend server. If this setting is enabled, the ASF appliance will submit the client
certificate to the backend sever for authentication during SSL handshake.

AN(config)#ssl settings clientauth www.myreal.com

2022 Array Networks, Inc.

Note: If you want to enable client authentication for an SSL real host, you will need to
import a certificate and key pair for the SSL real host. The SSL real host will present this
certificate to the backend server for authentication. This may be accomplished by using
the “ssl import certificate” and “ssl import key” commands for an SSL real host. These
two commands work exactly the same for an SSL virtual host and an SSL real host. For
detailed instruction on using these commands, please refer to the SSL virtual host
configuration described earlier.

6. Configure checking common name of real server certificate.

If you want to verify the certificate of the real backend server, you will need to turn
on global settings for verifying the server certificate. In addition, make certain the
common name of the server certificate matches a specific name by running the
command “ssl settings servername”.

For example, if the certificate common name of the real server associated with the
real host “www.myreal.com” is “Myreal Inc.”, you can use the following command:

AN(config)#ssl settings servername www.myreal.com "Myreal Inc."

7. Import trusted CA certificate for SSL real host.

Since the SSL subsystem acts like a client to the real server, it has several root CA
certificates just like a common Web browser. If you are using a self-signed certificate,
or a certificate issued by your own local CA on your origin servers, then you need to
use the “ssl import rootca” command to import the self-signed certificate that is on
the real server or the local CA certificate.

The certificate must be in PEM format and is imported the same way you import a
PEM certificate. The ASF appliance will prompt you to cut and paste the text to the
terminal and enter “...” to accept the certificate.

AN(config)#ssl import rootca

8. Apply modified SSL settings.

You will need to activate the SSL real host to take advantage of all the configuration
steps taken to this point.

AN(config)#ssl start www.myreal.com

2022 Array Networks, Inc.

Chapter 8 Global and Advanced Security

Options

8.1 Enabling WAF and DDoS Mitigation Functions

The WAF function and the DDoS mitigation function can be globally enabled or
disabled in the system. The security zones and security services defined by
administrators can be protected by DDoS profiles only when the DDoS mitigation
function is enabled. The HTTP/HTTPS-type security services can be protected by the
WAF profiles only when the WAF function is enabled. The WAF and DDoS
mitigation functions are enabled by default.

Enable the WAF function by the following command:

AN(config)#waf on

Enable the DDoS mitigation function by the following command:

AN(config)#ddos on

8.2 Traffic Baseline Learning

Networks can be deployed in different ways, and traffic in different network
environments has different characteristics. In this case, a fixed DDoS profile cannot
adapt to the traffic with different characteristics, and it is unrealistic to rely on the
administrator to modify the DDoS profile in real time. The system provides a traffic
baseline-learning mechanism to help administrators learn the traffic baseline
characteristics of the network and applications and help timely refresh DDoS profiles
to provide the most accurate targeted protection.

The system supports enabling the traffic baseline-learning function for security zones
and security services and supports dynamically refreshing the automatic DDoS profile
of the defense objects based on the learning result. For the HTTPS-type security
service, only the HTTP traffic can be learned after the traffic baseline-learning
function is enabled, and the SSL traffic learning is not supported.

Note that before enabling the traffic baseline learning, ensure that there is at least 10
minutes for the current hour to be used for traffic baseline learning. Otherwise, traffic
baseline learning will be enabled from the next hour. In addition, the system writes
the learning result of each hour to the historical database after completing the hourly
traffic baseline learning.

2022 Array Networks, Inc.

8.2.1 Traffic Baseline-learning Period

The minimum learning period for traffic baseline learning is 24 hours, and the
recommended complete learning period is 7*24 hours.

Each hour is a time node, so 24 hourly time nodes are maintained every day, and the
system maintains the traffic baseline-learning result with 7*24 hourly time nodes in
memory.

 Time Node Status

There are two types of status for each time node: basic status and extended status.

The basic time node status is as follows:

 Init: indicates the initial status when no traffic baseline learning is in progress.

 Learn: indicates that the traffic baseline learning is in progress.

 Ready: After each hourly learning task is completed, the learning result for that
hour will be marked as “Ready”.

The extended time node status is as follows:

 _ap: indicates that the traffic baseline-learning result of this time node is used to
refresh the current profile.

 _db: indicates that the learning result of this time node has been stored in the
historical database. The system automatically stores the learning result (time
nodes already marked as “Ready”) into the historical database every hour.

 _bk: indicates that a learning result backup operation has been performed at this
time.

 _up: indicates that the statistics of the current network traffic have refreshed the
learning result of this time node. This status takes effect only when the traffic
baseline learning is enabled.

8.2.2 Traffic Baseline-learning Content

Traffic baseline learning builds the traffic model for a defense object by learning its
important data indicators, thus constructing the behavioral pattern of the defense
object. The traffic model of the current period provides predictive guidance for attack
detection in the next period.

For different defense objects, the traffic baseline learning can learn different data
indicators, as shown in the following table in detail.

2022 Array Networks, Inc.

Defense Object Data Indicator Meaning

http.rps_get HTTP GET request RPS
HTTP/HTTPS-type
Secu http.rps_post HTTP POST request RPS
security service
rity http.cc HTTP concurrent connections
servi dns.pps_query DNS query PPS
DNS-type security
ce dns.pps_nxdomain DNS NxDomian reply PPS
service
dns.pps_reply DNS reply PPS
tcp.pps_syn TCP SYN PPS
tcp.pps_synack TCP SYN-ACK PPS
tcp.pps_ack TCP ACK PPS
tcp.pps_finrst TCP FIN/RST PPS
tcp.pps_frag TCP fragment PPS
security zone
tcp.cc TCP concurrent connections
tcp.cps TCP connections per second
udp.pps UDP PPS
udp.pps_frag UDP fragment PPS
icmp.pps ICMP PPS

8.2.3 Refreshing Automatic DDoS Profile

The traffic baseline-learning result can be used to refresh the defense rules in the
automatic DDoS profile for the security zone and security services. The traffic
baseline-learning result is the peak value of the data indicator for the specified traffic
during the hour period. When the traffic exceeds this peak value, the system will
check and protect according to the rules refreshed automatically. Note that only the
traffic baseline-learning result whose status is “Ready” is used to refresh the defense
rules in the automatic DDoS profile. If the traffic baseline-learning result status is
Ready, but the learning result value is 0, the rules in the DDoS profile will be
refreshed to the system default value; if the traffic baseline-learning result status is not
Ready, the rules in the DDoS profile will remain unchanged.

Based on the traffic baseline-learning result, the automatic DDoS profiles of the
security zone and the security service can be dynamically refreshed every 1, 3, 6, 12,
or 24 hour(s). For example, if the system time is not modified and the time frequency
is 1 hour, the automatic DDoS profiles will be refreshed at 0, 1...23 o’clock. If the
time frequency is 3, it is refreshed at 3, 6, 9, 12, 15, 18, 21, and 0 o’clock.

8.2.3.1 Refresh Priority

The traffic baseline learning adopts the “learning first and refreshing second” model.
According to the time period of the current traffic baseline learning, the priority of the
refreshing result is as follows:

2022 Array Networks, Inc.

 If 7*24 hours of traffic learning has been completed, the system will check
whether the status of the learning result at the same time (hour) on the same date
is “Ready”. If yes, the traffic baseline-learning result of this time period will be
selected to refresh the defense rules in the automatic DDoS profile, otherwise
proceed to the next step.

 If the system has learned for more than 24 hours but has not completed 7*24
hours, the system will check whether the status of the learning result in the same
period of the previous day is “Ready”. If there is a learning result with the status
“Ready”, the result will be used to refresh the defense rules in the automatic
DDoS profile, otherwise proceed to the next step.

 If the system has not learned for 24 hours, the system will check whether the
status of the learning result in the previous period of the day is “Ready”. If there
is a learning result with the status “Ready”, the result will be used to refresh the
defense rules in the automatic DDoS profile, otherwise proceed to the next step.

 The defense rules in the automatic DDoS profile are not refreshed.

8.2.3.2 Refresh Method

The specific formula for using the traffic baseline-learning result to refresh the
defense rules in the automatic DDoS profile is as follows:
Defense rule threshold of the automatic profile = Traffic baseline-learning result * Tuning value

For example, the HTTP GET Flood defense rule is as follows:

rps_alert (alert threshold of HTTP GET RPS) = http.rps_get * get_weight.

If the learning result for refreshing the defense rules in the automatic DDoS profile is
already marked as “Ready”, but the value of a data indicator in the traffic
baseline-learning result is 0, the system then refreshes the threshold of the
corresponding defense rule in the automatic DDoS profile to the system default value.
In the above example, if the value of http.rps_get is 0, rps_alert will be reset to system
default value.

For security services, the function of the traffic baseline-learning result is as follows:

 http.rps_get: used to refresh the rps_alert (alert threshold of HTTP GET RPS) of
the HTTP GET flood defense rule.

 http.rps_post: used to refresh the rps_alert (alert threshold of HTTP POST RPS)
of the HTTP POST flood defense rule.

 http.cc: used to refresh the cc_alert (alarm threshold of the concurrent connection
number) of the HTTP Slowloris and Slow Post defense rules.

2022 Array Networks, Inc.

 dns.pps_query: used to refresh the pps_alert (packet rate threshold of DNS query)
of the DNS Query Flood defense rule.

 dns.pps_nxdomain: used to refresh the pps_alert (packet rate threshold of DNS

NXDomain) of the DNS NXDomain defense rule.

 dns.pps_reply: used to refresh the pps_alert (packet rate threshold of DNS reply)
of the DNS Reply Flood defense rule.

For the security zone, the function of the traffic baseline-learning result is as follows:

 icmp.pps: used to refresh the pps_alert (Packet rate threshold of ICMP packet) of
the ICMP Flood defense rule.

 tcp.pps_syn: used to refresh the pps_alert of the TCP SYN flood defense rule.
(Packet rate threshold of TCP SYN packet)

 tcp.pps_synack: used to refresh the pps_alert of the TCP SYN-ACK flood

defense rule. (Packet rate threshold of TCP SYN-ACK packet)

 tcp.pps_ack: used to refresh the pps_alert of the TCP ACK flood defense rule.
(Packet rate threshold of TCP ACK packet)

 tcp.pps_finrst: used to refresh the pps_alert of the TCP FIN/RST flood defense
rule. (Packet rate threshold of TCP FIN/RST packet)

 tcp.pps_frag: used to refresh the pps_alert of the TCP fragment flood defense rule.
(Packet rate threshold of TCP fragment packet)

 tcp.cc: used to refresh the cc_alert of the TCP connection flood defense rule.
(Concurrent TCP connection threshold)

 tcp.cps: used to refresh the cps_alert of the TCP connection flood defense rule.
(New TCP connection rate threshold)

 udp.pps: used to refresh the pps_alert of the UDP flood defense rule. (Packet rate
threshold of UDP packet)

 udp.pps_frag: used to refresh the pps_alert of the UDP fragment flood defense
rule. (Packet rate threshold of UDP fragment)

8.2.4 Saving Traffic Baseline-learning Result

When a 7*24 hour traffic baseline-learning result can reasonably reflect the actual
traffic model, the current 7*24 hour traffic baseline-learning result can be backed up
to the disk configuration file and the traffic baseline learning can be stopped. In this
way, when the device is rebooted or the system is upgraded, the previous traffic
baseline-learning result can still be used without having to re-trigger the learning task.
Note that the backup operation will overwrite the previously saved backup file.

2022 Array Networks, Inc.

Administrators can manually back up or configure periodic automatic backups.

8.2.5 Viewing Traffic Baseline-learning Result

The administrator can view the configuration summary of the traffic baseline learning
of the security zone and the security service by “show ddos traffic learning zone
summary” command and “show ddos traffic learning service summary” command.

8.2.6 Configuration Example

8.2.6.1 Traffic Baseline Learning of Security Zone

1. Enable traffic baseline-learning tasks.

AN(config)# ddos traffic learning zone start g1 168

2. Enable the function of dynamically refreshing the automatic profile generated

when the specified security zone is created based on the traffic baseline-learning
result for the security zone and set refresh frequency.

AN(config)#ddos traffic learning zone apply g1 24

3. Configure the tuning value used to periodically refresh the defense rule in the
automatic profile of the security zone based on the traffic baseline-learning result.

AN(config)#ddos traffic learning zone tune icmp g1 5

AN(config)#ddos traffic learning zone tune tcp g1 5 5 5 5 5 5 5
AN(config)#ddos traffic learning zone tune udp g1 5 5

4. Create a task for the security zone to back up the latest 7*24h traffic
baseline-learning result whose status is “Ready” from memory to a disk
configuration file.

AN(config)#ddos traffic learning zone running backup g1

5. Restore the backup traffic baseline-learning result whose status is “Ready” in the
disk to the memory for the specified security zone.

AN(config)#ddos traffic learning zone running restore g1

6. View the latest 7*24h traffic baseline-learning result of the security zone and the
7*24h traffic baseline-learning result backed up in the disk file.

AN(config)#show ddos traffic learning zone running g1

----------------------------------------------------------------------------------------------------------------------
-
zone: g1
current time: Tuesday 2(h)

2022 Array Networks, Inc.

Sunday:
status hour icmp.pps tcp.pps_syn tcp.pps_synack
tcp.pps_ack tcp.pps_finrst tcp.pps_frag tcp.cc tcp.cps udp.pps
udp.pps_frag
init 0 0 0 0
0 0 0 0 0
0 0
init 1 0 0 0
0 0 0 0 0
0 0
init 2 0 0 0
0 0 0 0 0
0 0
--More--

AN(config)#show ddos traffic learning zone backup g1

----------------------------------------------------------------------------------------------------------------------
-
zone: g1
Sunday:
status hour icmp.pps tcp.pps_syn tcp.pps_synack
tcp.pps_ack tcp.pps_finrst tcp.pps_frag tcp.cc tcp.cps udp.pps
udp.pps_frag
init 0 0 0 0
0 0 0 0 0
0 0
init 1 0 0 0
0 0 0 0 0
0 0
init 2 0 0 0
0 0 0 0 0
--More--

7. View the summary of the current configurations of the traffic baseline learning
for the specified security zone.

AN(config)#show ddos traffic learning zone summary g1

---------------------------------
Zone: "g1"
Current time: Tuesday 2(h)
Status : start at 2019-4-2 2:46:9
Duration : 10080 min, lasts 0 min, remain 10080 min

2022 Array Networks, Inc.

Auto profile refresh: unapply

Runfile save refresh: manual
Tune paramater:
icmp: pps_w 5
tcp : syn_w 5, sack_w 5, ack_w 5, finrst_w 5, frag_w 5, cc_w 5, cps_w 5
udp : pps_w 5, frag_w 5

8.2.6.2 Traffic Baseline Learning of Security Service

1. Enable the task of traffic baseline learning and configure the duration of the
traffic baseline learning for the security service. The default duration is 7*24
hours. After the timeout, the traffic baseline-learning task will stop automatically.

AN(config)#ddos traffic learning service start http srv1 168

2. Enable the function of dynamically refreshing the automatic profile generated

when the security service of the specified application protocol type is created
based on the traffic baseline-learning result and set the refresh frequency.

AN(config)#ddos traffic learning service apply http srv1 24

3. Set the tuning value used to periodically refresh the defense rules in the automatic
profile of the security service based on the traffic baseline-learning result.

AN(config)#ddos traffic learning service tune http srv1 5 5 5 5 5

AN(config)#ddos traffic learning service tune dns dns1 5 5 5

4. Back up the latest 7*24h traffic baseline-learning result in memory to the disk
configuration file for the security service.

AN(config)#ddos traffic learning service running backup http srv1

5. Restore the backup traffic baseline-learning result whose status is “Ready” in the
disk to the memory for the security service.

AN(config)#ddos traffic learning service running restore http srv1

6. View the latest 7*24h traffic baseline-learning result in the security service
memory and the 7*24h traffic baseline-learning result configuration backed up in
the disk file.

AN(config)#show ddos traffic learning service running http srv1

----------------------------------------------------------------------------------------------------------------------
-
service: srv1(http)
current time: Tuesday 2(h)
Sunday:

2022 Array Networks, Inc.

status hour http.rps_get http.rps_post http.cnt_cookie

http.cnt_query http.cc
init 0 0 0 0
0 0
init 1 0 0 0
0 0
init 2 0 0 0
0 0
init 3 0 0 0
0 0
init 4 0 0 0
0 0
init 5 0 0 0
0 0
init 6 0 0 0
0 0
init 7 0 0 0
0 0
--More--

AN(config)#show ddos traffic learning service backup http srv1

----------------------------------------------------------------------------------------------------------------------
-
service: srv1
Sunday:
status hour http.rps_get http.rps_post http.cnt_cookie
http.cnt_query http.cc
init 0 0 0 0
0 0
init 1 0 0 0
0 0
init 2 0 0 0
0 0
init 3 0 0 0
0 0
init 4 0 0 0
0 0
init 5 0 0 0
0 0
init 6 0 0 0
0 0

2022 Array Networks, Inc.

init 7 0 0 0
0 0
init 8 0 0 0
--More--

7. View the summary of the current configurations of the traffic baseline learning
for the security service.

AN(config)#show ddos traffic learning service summary http srv1

---------------------------------
Service: srv1(http)
Current time: Thursday 7(h)
Status : start at 2019-4-11 7:40:27
Duration : 10080 min, lasts 0 min, remain 10080 min
Auto profile refresh: apply, frequency 24(hour)
Runfile save refresh: manual
Tune paramater:
http: get_w 5, post_w 5, cookie_w 5, query_w 5, cc_w 5

8.3 Business Model Learning

The system can analyze the application layer protocol in the user access traffic and
provide reference for the user to configure the application layer defense object and
security service. Currently, the system identifies protocol types only based on
well-known port numbers. The supported port numbers are
HTTP(80)/HTTPS(443)/DNS(53).

 Configuration Example via CLI

1. Enable the service model learning task and configure the duration of the service
model learning by executing the “security service learning start
[duration_time]” command. When the traffic comes from the uplink port of the
system and is forwarded by the system, it will be learned by the service model.

AN(config)#security service learning start 100

2. View the learning result of the service model by executing the “show security
service learning” command.

AN(config)#show security service learning

Service model learning status: start, timeout: 99(min)

Service type: http(80) v4: 1 v6: 0

Address: 192.168.4.61
Input total : 9 packets, 448bytes

2022 Array Networks, Inc.

Input rate : 688 bits/sec, 2 pa

ckets/sec
Input rate max : 1184 bits/sec, 3 packets/sec
Output total : 0 packets, 0 bytes
Output rate : 0 bits/sec, 0 packets/sec
Output rate max : 0 bits/sec, 0 packets/sec

2022 Array Networks, Inc.

Chapter 9 IP Reputation

9.1 Overview
IP reputation data is a kind of information used to describe the network behavior
characteristics of an IP address. It mainly records the negative network behavior
characteristics of the IP addresses, such as offensive characteristics (malware and
spam, etc.) and unhealthy network behavior characteristics (gambling, pornography,
and network deception, etc.). IP reputation data is collected and released by
professional threat intelligence venders to help security devices identify and filter
network threat traffic.

Array’s IP reputation function will keep updated with the latest IP Reputation Library
(IRL) synchronized from the Array Security Center.Therefore, the IP reputation
function can help users quickly detect, respond to and prevent various network and
application attack threats by using threat intelligence to improve rapid response
capability for security incidents.

Currently, Array’s IP reputation function has the following features:

 Supports real-time update of IRL from Array Security Center.

 Supports detection and interception of malicious IP addresses with multiple

categories.

 Supports detection of malicious IP and recording IP reputation logs.

 Supports filtering IP reputation data based on IP reputation score.

 Supports configuring alerts for IRL update events. For details, please refer to
15.4.7 IRL-update Event Alert section.

The following figure shows the working mechanism of the ASF appliance based on
the IP reputation function.

2022 Array Networks, Inc.

Figure 9–1 IP Reputation Mechanism

1. The client request hits ASF security service.

2. ASF obtains the source IP and destination IP of the message.

3. (Optional) ASF checks whether the source IP matches the IP whitelist function. If
it matches, the traffic will be released directly to access the real service.

4. ASF checks whether the source IP matches the IRL data. If it matches, it will be
processed according to the configured action (reject or log).

5. Client requests that have not been rejected access the real service.

 CLI Configuration Example

1. Enable the IP reputation function.

AN(config)#ipreputation on

2. Enable the logging function for the IP reputation profile.

AN(config)#ipreputation log on

9.2 IP Reputation Library Auto-update

Array Networks cooperates with 3rd-party threat intelligence vendors to develop and
maintain its own IP reputation data, and release it regularly in Array Security Center
in the form of an IP Reputation Library (IRL).

If the appliance imports a subscription license that includes the “IRLupdae” function,
it can automatically update the IRL from the Array Security Center in real time.

 CLI Configuration Example

2022 Array Networks, Inc.

1. Configure the URL address where to update the IRL.

AN(config)#ipreputation update auto address http://...

2. Configure the interval for the IRL auto-update function.

AN(config)#ipreputation update auto interval 120

3. (Optional) Configure an Internet proxy for the IRL auto-update function. It is

only required when the appliance cannot directly access the Internet.

AN(config)#ipreputation update auto proxy 10.3.0.73:443 admin 123456

4. Enable the IRL auto-update function.

AN(config)#ipreputation update auto on

5. Check the auto-update record of IRL.

AN(config)#show ipreputation update record

6. (Optional) Check and update the IRL immediately.

AN(config)#ipreputation update immediate

9.3 IP Reputation Data Filtering

The quality and credibility of the IP reputation data is measured by the IP reputation
score. Each IP reputation data has a corresponding IP reputation score. IP reputation
data with too low score can easily lead to misjudgment and should not be adopted.

For the imported IP reputation data, the administrator can filter out low-score data
based on the reputation score to improve the overall IRL data quality for a specified
IP reputation profile.

 CLI Configuration Example

Filter out the data in IRL whose reputation score is lower than 70 for a specified IP
reputation profile by the following command.

AN(config)#ipreputation profile trustscore p1 70

9.4 IP Reputation Profile and Defense Rule

ASF supports using IP reputation profile to provide IP reputation-based network
traffic protection for the specified security service. IP reputation defense rule needs to
be defined in the IP reputation profile.

2022 Array Networks, Inc.

After enabling this function, the system will filter the source IP addresses accessing
the security service based on the IRL data. If client’s source IP matches the IRL data,
the system will perform the defense actions.

Currently, ASF supports the detection of IP reputation data with various categories
(botnet/cybercrime/gambling/malware/phishing/porn/scanner/spam/tor). And the
following two types of defense actions are supported:

 drop (default): rejects the request and records IP reputation logs.

 log: only records IP reputation logs but not reject the request.

 CLI Configuration Example

To configure IP reputation profile and defense rules, perform the following steps:

1. Create an IP reputation profile.

AN(config)# ipreputation profile name iprep1

2. Configure an IP reputation defense rule for a specific IP category in a specified IP

reputation profile.

AN(config)#ipreputation profile rule iprep1 spam drop warning

3. Apply the specified IP reputation profile to a specific HTTP/HTTPS-type security

service.

AN(config)#ipreputation profile apply s1 iprep1

Note: Administrators can also use the “ ipreputation globalapply” command to apply the
IP reputation profile to all HTTP/HTTPS-type security services.

2022 Array Networks, Inc.

Chapter 10 Advanced ACL

The system supports configuring Access Control List (ACL) to limit the network
traffic and control the client’s access behavior, so as to prevent malicious attacks of
large traffic and improve the availability of Intranet resources. This function is
implemented through the access control rule. It can check the source IP, protocol and
domain name of the packet, and determine whether to allow the packet to pass or
adopt other processing methods based on whether the packet matches the conditions
specified in the access control list. The ACL function supports the following types of
access control rules: TCP ACL rule, UDP ACl rule, ICMP ACL rule, HTTP ACL rule
and DNS ACL rule. These rules apply to both IPv4 and IPv6 environments.

10.1 TCP ACL Rule

The TCP ACL rule limits the Connections Per Second (CPS) and Connections Per
Second (CC) that allowed on the security zone. It can be applied to all the TCP-type
security zones.

The TCP ACL rule supports two control modes and two control types.

 Control Mode

– “total”: indicates that all the clients in the subnet will be controlled as a
whole by the ACL rule.

– “per-ip”: indicates that every client in the subnet is controlled individually by

the ACL rule.

 Control Type

– Cps Type: indicates that the TCP ACL rule will limit the CPS.

– Type: indicates that the TCP ACL rule will limit the CC.

When configuring the ACL rule, the administrator can combine the control mode and
control type as required. For the same subnet, four ACL rules can be combined, as
shown in the following table:

Table 10–1 Four TCP ACL Rules in the Same Subnet

Mode
cps concurrent
Type
The total number of CPSs on all clients The total number of CCs on all
total in the subnet cannot exceed the clients in the subnet cannot exceed
maximum setting. the maximum setting.
The number of CPS of each client in The number of CC of each client
per-ip
the subnet cannot exceed the maximum in the subnet cannot exceed the

2022 Array Networks, Inc.

Mode
cps concurrent
Type
set. maximum set.

The system supports configuring one or more of the above combinations for the same
subnet. If multiple combinations are configured for a subnet, all these rules will take
effect.

 Subnet Nesting

The ACL rule supports subnet nesting. If the IP address of the client hits multiple
subnets, the client will be limited by all rules of the minimum hit subnet and the
“total” rules of all the parent subnets of the minimum subnet. A maximum of 3
subnets can be configured for the system.

Example:

10.8.0.0/16: Both “total” and “per-ip” rules are configured.

10.8.1.0/24: Both “total” and “per-ip” rules are configured.

The rules to limit the clients in the 10.8.1.0/24 subnet are as follows:

10.8.1.0/24: “total” and “per-ip” rules

10.8.1.0/16: “total” rules

 Configuration Example via CLI

When configuring TCP ACL rules, add TCP ACL rules and then apply the rules to a
single security zone and all security zones.

1. Execute the following commands to add ACL rules:

acl tcp rule <rule_name> <client_ip> {netmask|prefix} <control_mode> <control_type>

<max_limit>

Example:

AN(config)#acl tcp rule rule1 61.130.10.0 255.255.255.0 total cps 1000000

AN(config)#acl tcp rule rule2 61.130.10.0 255.255.255.0 total concurrent 50000
AN(config)#acl tcp rule rule3 61.130.10.0 255.255.255.0 per-ip cps 10000
AN(config)#acl tcp rule rule4 61.130.10.0 255.255.255.0 per-ip concurrent 500

2. Execute the following commands to apply ACL rules to security zones:

acl tcp apply rule zone <rule_name> <zone_name>

Example:

AN(config)#acl tcp apply rule zone rule1 g1

2022 Array Networks, Inc.

AN(config)#acl tcp apply rule zone rule2 global

10.2 UDP ACL Rules

The UDP ACL rule limits the Packets Per Second (PPS) that are allowed on the
security zone. It can be applied to the UDP-type security zones.

The UDP ACL rule supports two control modes and one control type.

 Control Mode

– “total”: indicates that all the clients in the subnet will be controlled as a
whole by the ACL rule.

– “per-ip”: indicates that every client in the subnet is controlled individually by

the ACL rule.

 Control Type

– pps type: indicates that the number of packets per second will be controlled.

 Subnet Nesting

The ICMP ACL rule limits the Packets Per Second (PPS) that are allowed on the
security zone. It can be applied to all the ICMP-type security zones.

The ICMP ACL rule supports two control modes and one control type.

 Control Mode

– “total”: indicates that all the clients in the subnet will be controlled as a
whole by the ACL rule.

– “per-ip”: indicates that every client in the subnet is controlled individually by

the ACL rule.

 Control Type

– pps type: indicates that the number of packets per second will be controlled.

 Subnet Nesting

Example:

10.8.0.0/16: Both “total” and “per-ip” rules are configured.

10.8.1.0/24: Both “total” and “per-ip” rules are configured.

The rules to limit the clients in the 10.8.1.0/24 subnet are as follows:

10.8.1.0/24: “total” and “per-ip” rules

10.8.1.0/16: “total” rules

 Configuration Example via CLI

2022 Array Networks, Inc.

When configuring ICMP ACL rules, add ICMP ACL rules and then apply the rules to
a single security zone and all security zones.

1. Execute the following commands to add ACL rules:

acl icmp rule <rule_name> <client_ip> {netmask|prefix} <control_mode> <control_type>

<max_limit>

Example:

AN(config)#acl icmp rule rule1 61.130.10.0 255.255.255.0 total pps 1000000

AN(config)#acl icmp rule rule3 61.130.10.0 255.255.255.0 per-ip pps 10000

2. Executes the following commands to apply ACL rules to security zones:

acl icmp apply rule zone <rule_name> <zone_name>

Example:

AN(config)#acl icmp apply rule zone rule1 g1

AN(config)#acl icmp apply rule zone rule2 global

10.4 HTTP ACL Rule

The HTTP ACL rule supports controlling the RPS (Request Per Second) and the
downloading speed of the client that accesses the HTTP-type or HTTPS-type security
services. When the HTTP ACL rule of the RPS control type is triggered, the system
will control the access behavior of the client or take the corresponding action
according to the rules. The HTTP ACL rule of the download speed control type is
used to keep the download speed of the client within a specific range.

The HTTP ACL rule allows the administrator to customize the HTTP traffic control
rule. The administrator can execute the “acl http rule” command to configure the
static HTTP ACL rule and apply the “acl http apply rule service” command to a
HTTP-type or HTTPS-type security service.

acl http rule <rule_name> <client_ip> {netmask|prefix} <control_type> <max_limit>

<effect_condition>
acl http apply rule service <rule_name> <service_name>

The HTTP ACL rule supports two control types: RPS control type and download
speed control type.

10.4.1 RPS Control

The HTTP ACL rule of the RPS control type conducts statistics on the HTTP RPS
number of a client or all clients in the subnet. When the number of HTTP requests

2022 Array Networks, Inc.

reach the specified threshold, the system takes the action specified in the rule for the
subsequent HTTP requests received, so as to prevent a large number of HTTP
requests from causing server overload and improve the availability of the server.

 Matching Condition

The statistics of RPS is counted according to the matching condition set in the HTTP
ACL rule. When the HTTP request meets the following conditions, it will be counted
in the RPS count of the HTTP ACL rule.

 The client IP address is in the subnet of the HTTP ACL rule.

 The URL in the request matches the URL regular expression of the HTTP ACL
rule.

 The HTTP request method matches the HTTP method setting of the HTTP ACL
rule.

The appliance supports HTTP requests using the following methods:

 all: indicates all HTTP request methods, that is, all HTTP requests are included in
the RPS.

 GET, POST, HEAD, DELETE or PUT: The HTTP request using the specific
method is included in the RPS.

 Processing Methods:

If the RPS count of the HTTP ACL rule reach the specified threshold, the system will
take measures for subsequent client requests received that match the rules. The system
supports two types of processing methods:

 Returns the error page. By default, the appliance returns the build-in 480 error
page the system. The administrator can customize the format and content of the
error page by error page import or error page redirect. If a customized error page
is imported by using the “http errpage import” command, the appliance will
return the customized error page.

 Sends the RST packet to reset connection.

Configuration Example:

AN(config)#acl http rule rule1 10.8.6.0 24 rps 1000 “url=<regex>abc* method=GET

action=errorpage”

In this example, when the clients in the 10.8.6.0/24 subnet try to match the URL
address including “abc*”, a maximum of 1000 HTTP GET requests are allowed by
the system per second. For subsequent client requests that exceed this limit, the
system will return the built in 480 error page.

2022 Array Networks, Inc.

10.4.2 Control Download Speed

The HTTP ACL rule of the control download speed type detects the download speed
of a client or each client in the subnet and limits the download speed of each client
within the threshold configured in the HTTP ACL rule.

 Matching Condition

The system detects the download speed of the client according to the matching
condition set in the HTTP ACL rule. When the HTTP request meets the following
conditions, the download speed will be controlled by the HTTP ACL rule:

 The client’s IP address is in the subnet of the HTTP ACL rule.

 The URL in the request matches the URL regular expression of the HTTP ACL
rule.

Configuration Example:

AN(config)#acl http rule rule1 10.8.6.0 24 throughput 1000 “url=<regex>abc*”

In this example, when the clients in the 10.8.6.0/24 subnet access the URL address
that matches “abc*”, the download speed cannot exceed 1000 Kbps.

 Subnet Nesting

The HTTP ACL rule supports a maximum of 3 levels of subnet nesting. Each
HTTP-type or HTTPS-type security service can be associated with a maximum of 5
HTTP ACL rules corresponding to a subnet.

If the IP address of a client hits multiple subnets and the HTTP request matches
HTTP ACL rules corresponding to multiple subnets at the same time, the client will
be limited only by the HTTP ACL rule of the minimum subnet.

For example, the client IP address is 10.8.6.11, and the request matches following
rules:

The HTTP ACL rule corresponding to the subnet 10.0.0.0/8

The HTTP ACL rule corresponding to the subnet 10.8.0.0/16

The HTTP ACL rule corresponding to the subnet 10.8.6.0/24

The system will be limited by the HTTP ACL rule corresponding to the subnet
10.8.6.0/24.

If the request does not match any HTTP ACL rule corresponding to the subnet
10.8.6.0/24, the system will follow the HTTP ACL rule corresponding to the subnet
10.8.0.0/16.

2022 Array Networks, Inc.

10.5 DNS ACL Rule

The DNS ACL rule is used to control the RPS of the DNS query and can be applied to
the DNS load balancing and SDNS balancing. The DNS ACL rule specifies the RPS
threshold. When the number of DNS query requests reaches the threshold, the
subsequent DNS query requests will be discarded.

In the DNS scenario, the DNS ACL rule controls the number of DNS query request of
the security service through the RPS threshold.

The DNS ACL rule allows the administrator to customize the control rule of the DNS
traffic, and the administrator can execute the “acl dns rule” command to configure
the static DNS ACL rule, and apply the “acl dns apply rule service” command to a
DNS-type security service.

acl dns rule <rule_name> <client_ip> {netmask|prefix} <control_mode> <dns_type>

<max_limit>
acl dns apply rule service <rule_name> <service_name>

 Control Mode

The control mode indicates the effective range of the DNS ACL rule in the specific
subnet. There are “total” and “per-ip” modes.

– “total”: indicates that all the clients in the subnet will be controlled as a
whole by the DNS ACL rule.

– “per-ip”: indicates that each client in the subnet is controlled individually by

the DNS ACL rule.

 Matching Condition

The statistics of RPS is counted according to the matching condition set in the DNS
ACL rule. When the DNS query request meets the following conditions, it will be
counted in the RPS of the DNS ACL rule.

 The client’s IP address is in the subnet of the DNS ACL rule.

 The DNS query request matches the types of the DNS resource records set in the
DNS ACL rule.

The appliance supports the DNS resource records of the following types:

 all: indicates DNS query requests of all resource types.

 A, NS, MD, MF, CNAME, SOA, MB, MG, MR, NULL, WKS, PTR, HINFO,
MINFO, MX, TXT, AAAA, ANY: Only the DNS query request of the specified
type will be included in the RPS.

2022 Array Networks, Inc.

Configuration Example:

acl dns rule dnsrule1 192.168.0.0 16 per-ip AAAA 100

In this example, for any client in the 192.168.0.0/16 subnet, if the number of DNS
query requests of the AAAA type initiated by the client per second reaches 100, the
system will discard the subsequent DNS query requests of the AAAA type received
from this client.

10.6 IP Whitelist
The IP whitelist records all IP addresses that are granted the access. The system
supports the manual and automatic IP whitelists.

After this function is enabled, the system will check the source IP addresses of all
packets. If a source IP address matches any manual or automatic IP whitelist entry,
the packet will be fast forwarded by the system and stay free from the limitation
imposed by the defense function afterwards. The manual IP whitelist has a higher
priority than the automatic IP blacklist. By default, this function is disabled.

The manual and automatic IP whitelists can take effect only when the IP whitelist
function is enabled.

Enable the IP whitelist function.

AN(config)#acl whitelist on

10.6.1 Manual IP Whitelist

The administrator can manually add IP addresses or subnets to the manual IP whitelist,
or import an IP whitelist file from the external URL address, apply it to the manual IP
whitelist and set the timeout.

 Configuration Example:

Add the “192.168.0.0/24” subnet to the manual IP whitelist and set the timeout to 10
minutes.

AN(config)#acl whitelist rule 192.168.0.0 24 10

Import the customized IP whitelist file from “ftp://10.8.3.28/iplist”, apply it to the

manual IP whitelist and set the timeout to 10 minutes.

AN(config)#acl whitelist import “ftp://10.8.3.28/iplist”

AN(config)#acl whitelist ipfile apply iplist 10

2022 Array Networks, Inc.

10.6.2 Automatic IP Whitelist

The system will enable the function of dynamically generating automatic IP whitelists
for the security service and security zone by using the “ddos profile service wl_auto
on <application_profile_name>” and “ddos profile zone wl_auto on
<network_profile_name>” commands.

When this function is enabled, the client IP address is added to the automatic IP
Whitelist after it is confirmed as a legitimate client IP address by the system security
module. In 10 minutes, the system skips some of the defense process for the access
traffic from this client and forwards it quickly. By default, this function is disabled.
When this function is disabled, the legitimate client IP detected will not be added to
the automatic IP whitelist.

Note: The automatic IP whitelist generated for one type of security service is also
effective for other security services of the same protocol type. The automatic IP whitelist
generated for the security zone takes effect for the upper protocols based on this protocol.

10.7 IP Blacklist
The IP blacklist records all IP addresses that are forbidden to be access. The system
supports the manual and automatic IP blacklists.

After this function is enabled, the system will check the source IP addresses of all
packets. If a source IP address matches any manual or automatic IP blacklist entry, the
system will drop the packet. By default, this function is disabled.

The manual and automatic IP blacklists can take effect only when the IP blacklist
function is enabled.

Enable the IP blacklist function.

AN(config)#acl blacklist on

10.7.1 Manual IP Blacklist

The administrator can manually add IP addresses or subnets to the manual IP blacklist,
or import an IP blacklist file from the external URL address, apply it to the manual IP
blacklist and set the timeout.

 Configuration Example:

Add the “192.168.0.0/24” subnet to the manual IP blacklist and set the timeout to 10
minutes.

2022 Array Networks, Inc.

AN(config)#acl blacklist rule 192.168.0.0 24 10

Import the customized IP blacklist file from “ftp://10.8.3.28/iplist”, apply it to the

manual IP blacklist and set the timeout to 10 minutes.

AN(config)#acl blacklist import “ftp://10.8.3.28/iplist”

AN(config)#acl blacklist ipfile apply iplist 10

10.7.2 Automatic IP Blacklist

Automatic IP blacklists are IP blacklists generated by security modules dynamically.

Automatic IP blacklists have a validity period of 10 minutes, and will be be deleted
automatically after they time out. Before an automatic IP blacklist times out, the
access traffic hitting it will be discarded.

Currently, the system allows the WAF and DDoS mitigation security modules to
dynamically generate automatic IP blacklists.

When the action of specific defense rule under the WAF profile is set to “block”, the
system will add the client IP address into the automatic IP blacklist if the WAF
security module detects an attack.

When the function of dynamically generating automatic IP blacklists is enabled for a

DDoS profile (using the “ddos profile service bl_auto on
<application_profile_name>” or “ddos profile service bl_auto on
<network_profile_name>” commands), the system will add the client IP address to
the automatic IP blacklist after the DDoS mitigation security module detects an attack
and confirms the client as an attacker. When this function is disabled, the detected
attacker will not be added to the automatic IP blacklist.

Note: The automatic IP blacklist generated for one type of security service is also effective
for other security services of the same protocol type. The automatic IP blacklist generated
for the security zone takes effect for the upper protocols based on this protocol.

10.8 URL Whitelist

The URL whitelist controls all URLs that are allowed to be accessed. With this
function enabled, the system will check the URLs accessed by all clients. If an
accessed URL matches the URL whitelist, the system will permit the client access;
otherwise, the system will reject the client access. By default, this function is
disabled.

When using this function, the administrator can add the URL address to the URL
whitelist in two ways:

2022 Array Networks, Inc.

 Method 1: Add a single URL address by adding a URL whitelist rule.

 Method 2: Import the custom URL whitelist files containing a batch of URL
addresses, and bulk add these addresses in bulk by applying the imported URL
whitelist file as the URL whitelist.

A maximum of 5000 URL whitelist rules can be configured. A maximum of 10 URL

whitelist files can be imported into the system and applied to the URL whitelist.

 Configuration Example

1. Add a single URL address to the URL whitelist by adding the URL whitelist rule.
For example:

AN(config)#acl urlwhitelist rule "http://www.example.com/test"

2. Import the custom URL whitelist file containing a batch of URL addresses. For
example:

AN(config)#acl urlwhitelist import "ftp://10.8.3.28/urllist.csv" urllist1

3. Add these URL addresses in bulk by applying the imported URL whitelist file to
the URL whitelist.

AN(config)#acl urlwhitelist urlfile apply urllist1

4. Enable the URL whitelist function.

AN(config)#acl urlwhitelist on

5. Query whether a specified URL address matches the URL whitelist, For example:

AN(config)#show acl urlwhitelist match "http://10.3.0.20/commandtree"

"http://10.3.0.20/commandtree" does not match URL whitelist

2022 Array Networks, Inc.

Chapter 11 Security Logs

11.1 HTTP Access Logs

The HTTP access logging function can be enabled for each security service of the
HTTP or HTTPS type. After this function is enabled, the system generates the HTTP
access logs for the security service, which include:

 Date

 Time

 Source IP

 Source port

 Destination IP

 Destination port

 Hit service

 HTTP Host name

 HTTP method

 HTTP status code

 URL

 Log Example

AN(config)#show http accesslog record s1

Date Time SrcIP SrcPort DstIP DstPort Service
HOST Method Status Code URL
----------------------------------------------------------------------------------------------------------------------
2019-03-07 09:44:29 192.168.2.103 2425 192.168.2.111 80 s1
192.168.2.111 GET 302 /
2019-03-07 09:44:17 192.168.2.103 2432 192.168.2.111 80 s1
192.168.2.111 GET 302 /

11.2 HTTP Violation Logs

11.2.1 Violation Logs for HTTP Filter

The HTTP filter logging function can be enabled for each security service of the
HTTP or HTTPS type. After this function is enabled, if the request or response

2022 Array Networks, Inc.

matches any HTTP filter rule associated with the security service, the system will
record the HTTP filter log, which includes:

When the HTTP violation logging function is enabled for the HTTP filter function of
the HTTP profile, the system will record HTTP violation logs for events that violate
the HTTP filter rules.

HTTP filter violation logs contain the following contents:

 Date and time when the violation occurs

 Source IP, destination IP and destination port of the violation

 Name of the hit security service and name of the hit HTTP profile

 Action conducted by the system

 Violation type

 Details of the violation

In some filter types, if there are no information in some fileds, “-” will be displayed.

 Log Example

AN#show http profile record filter

Time SrcIP DstIP DstPort
Service Profile Action Direction Type
SubType Count Detail
2021-03-05 23:08:04 183.172.1.11 183.172.1.114 443
ser_vhttps2 pro_http1 deny response cookielength
set-cookie 1 name=a; Secure
2021-03-05 22:57:39 183.172.1.11 183.172.1.114 443
ser_vhttps2 pro_http1 deny response headerlength Date
1 Fri, 05 M
ar 202106:53:36 GMT
2021-03-05 22:56:43 183.172.1.11 183.172.1.114 443
ser_vhttps2 pro_http1 deny response errcode 404
1 /adafafsafa.txt
2021-03-05 22:54:59 183.172.1.11 183.172.1.114 443
ser_vhttps2 pro_http1 deny request mimetype .txt
1 /a.txt
2021-03-05 22:53:58 183.172.1.11 183.172.1.114 443
ser_vhttps2 pro_http1 deny request method
GET 1 -
2021-03-05 22:51:37 183.172.1.11 183.172.1.114 443
ser_vhttps2 pro_http1 deny request method
PUT 1 -

2022 Array Networks, Inc.

2021-03-05 22:51:31 183.172.1.11 183.172.1.114 443

ser_vhttps2 pro_http1 deny request method
HEAD 1 -
2021-03-05 22:51:27 183.172.1.11 183.172.1.114 443
ser_vhttps2 pro_http1 deny request method
POST 1 -
2021-03-05 22:51:12 183.172.1.11 183.172.1.114 443
ser_vhttps2 pro_http1 deny request method
GET 1 -
2021-03-05 22:49:59 183.172.1.11 183.172.1.114 443
ser_vhttps2 pro_http1 deny request headerlength Host
1 183.172.1.114
2021-03-05 22:49:01 183.172.1.11 183.172.1.114 443
ser_vhttps2 pro_http1 deny request cookielength
cookie 1 name=https
2021-03-05 22:48:43 183.172.1.11 183.172.1.114 443
ser_vhttps2 pro_http1 deny request urlkeyword /a
1 /a.txt
2021-03-05 22:46:10 183.172.1.11 183.172.1.114 443
ser_vhttps2 pro_http1 deny request urlkeyword /a
1 /a.txt
2021-02-25 19:33:47 183.172.1.11 183.179.1.11 8080
ser_http1 pro_http1 deny response cookielength
set-cookie 1 name=a
2021-02-25 18:58:17 183.172.1.11 183.179.1.11 80
ser_http1 pro_http1 deny response errcode 404
1 /aadasdasad.txt
2021-02-25 18:57:39 183.172.1.11 183.179.1.11 80
ser_http1 pro_http1 deny response headerlength Date
1 Thu, 25 Feb 2021 02:
53:53 GMT
2021-02-25 18:55:53 183.172.1.11 183.179.1.11 80
ser_http1 pro_http1 deny request cookielength
cookie 1 name=test
2021-02-25 18:54:44 183.172.1.11 183.179.1.11 80
ser_http1 pro_http1 deny request headerlength Host
1 183.179.1.11
2021-02-25 18:53:23 183.172.1.11 183.179.1.11 80
ser_http1 pro_http1 deny request mimetype .txt
1 /a.txt
2021-02-25 18:52:16 183.172.1.11 183.179.1.11 80
ser_http1 pro_http1 deny request method
PUT 1 -

2022 Array Networks, Inc.

2021-02-25 18:52:06 183.172.1.11 183.179.1.11 80

ser_http1 pro_http1 deny request method
HEAD 1 -
2021-02-25 18:51:59 183.172.1.11 183.179.1.11 80
ser_http1 pro_http1 deny request method
POST 1 -
2021-02-25 18:51:07 183.172.1.11 183.179.1.11 80
ser_http1 pro_http1 deny request method
GET 1 -
2021-02-25 18:46:39 183.172.1.11 183.179.1.11 80
ser_http1 pro_http1 deny request urlkeyword /a
1 /a.txt

11.2.2 Violation Logs for Brute Force Defense

When the HTTP violation logging function is enabled for the the brute force defense
function of the HTTP profile, the system will record HTTP violation logs for events
that violate the HTTP profile.

HTTP violation logs contain the following contents:

 Date and time when the violation occurs

 Severity of the violation

 Source IP, source port, destination IP and destination port of the violation

 Name of the hit security service and name of the hit HTTP profile

 Attack or violation type

 Action conducted by the system

 Host name, HTTP method and URL of the violation request

 Description of the violation

For some attack or violation types, some fields will be displayed as “-” if no
information is recorded.

 Log Example:

AN(config)#show http profile record bruteforce

Time Severity SrcIP SrcPort DstIP DstPort
Service Profile Attack Action Host
Method URL Count Description

2022 Array Networks, Inc.

2020-10-12 05:30:19 critical - - - - s1

h1 bruteforce deny - -
/DVWA/vulnerabilities/brute/ 1 Global login attempt rate exceeding threshold

11.2.3 Violation Logs for HTTP Pattern Validation

When the HTTP violation logging function is enabled for the HTTP Pattern
Validation function of the HTTP profile, the system will record HTTP violation logs
for events that violate the HTTP profile.

HTTP pattern violation logs contain the following contents:

 Date and time when the violation occurs

 Source IP, destination IP and destination port of the violation

 Name of the hit security service and name of the hit HTTP profile

 Action conducted by the system

 Violation type

 Details of the violation

 Log Example:

AN(config)#show http profile record pattern

Time SrcIP DstIP DstPort
Service Profile Action Type
Count Detail
2020-11-23 16:29:20 192.168.30.100 192.168.31.12 8888 vs1
p1 deny parameter 1 hello
monday

11.2.4 Violation Logs for HTTP File Control

When the HTTP violation logging function is enabled for of the HTTP upload and
download control functions of the HTTP profile, the system will record HTTP
violation logs for events that violate the HTTP profile.

HTTP upload and download violation logs contain the following contents:

 Date and time when the violation occurs

 Source IP, destination IP and destination port of the violation

 Name of the hit security service and name of the hit HTTP profile

 Action conducted by the system

2022 Array Networks, Inc.

 Violation type

 Details of the violation

For some violation types, some fields will be displayed as “-” if no information is
recorded.

 Log Example:

AN(config)#show http profile record filecontrol

Time SrcIP DstIP DstPort
Service Profile Action Type
Count Detail
2021-02-25 20:01:51 183.172.1.11 183.179.1.11 80
ser_http1 pro_http1 deny Upload Violation 1
-
2021-02-25 20:00:56 183.172.1.11 183.179.1.11 80
ser_http1 pro_http1 deny Upload Violation 1
-
2021-02-25 20:00:44 183.172.1.11 183.179.1.11 8080
ser_http1 pro_http1 deny Upload Violation 1
-
2021-02-25 19:44:50 183.172.1.11 183.179.1.11 8080
ser_http1 pro_http1 deny Upload Violation 1
-

11.3 DDoS Attack Logs

The system supports displaying DDoS attack logs of the specified attack type in the
specific time period, which includes:

 Time

 Severity

 Source IP

 Destination IP

 Destination port

 Hit security zone

 Hit security service

 Protocol

 Attack type

2022 Array Networks, Inc.

 Action

 Anomaly Counts

 Details

In some attack types, if there are no information in some fileds, “-” will be displayed.

 Log Example

AN#show ddos record

Time Severity SrcIP DstIP DstPort Zone
Service Protocol AttackType Action AnomalyCounts Detail
--
--------------------------------------------------------------------------------------------------------------------
2019-03-27 06:31:27 ERROR - - - g1
- TCP TCP_ANOMALY detect 221523 SYN with payload
2019-03-27 06:31:27 ERROR - - - g1
- IP LAND detect 867

11.4 DDoS Warning Logs

The system supports displaying DDoS warning logs that matches the specified filter
string in the description field within the specific time period, which includes:

 Time

 Severity

 Source IP

 Destination IP

 Destination port

 Hit security zone

 Hit security service

 Protocol

 Description

In some attack types, if there are no information in some fileds, “-” will be displayed.

 Log Example

AN#show ddos warning

Time Severity SrcIP DstIP DstPort Zone
Service Protocol Description
----------------------------------------------------------------------------------------------------------------------

2022 Array Networks, Inc.

2018-12-19 07:06:41 NOTICE - 192.168.201.49 - g1

- TCP TCP RST Flood recovery
2018-12-19 07:06:39 NOTICE - 192.168.201.49 - g1
- TCP TCP FIN Flood recovery
2018-12-19 07:03:39 WARNING - 192.168.201.49 - g1
- TCP TCP RST Flood warning value:823 att_times:1

11.5 Web Attack Log

Web attack logs will be recorded for the following events:

 The request hits a negative WAF attack signature.

 The request hits a positive WAF attack signature but does not match the whitelist
of the positive WAF when the learning mode of the positive WAF is disabled.

 The server response hits the DLP rule.

 The server response hits the content filter rule

Web attack logs include:

 The date and time that the attack occurs

 The severity of the event

 The source IP and port and destination IP and port of the attack

 The name of the security service of the attack and the name of the WAF profile

 Attack type

 ID of the hit attack signature

 The response action of the system

 The domain name, HTTP method and URL of the attack request

Example:

2022 Array Networks, Inc.

11.6 WAF Audit Logging

To help trace web attack events, the system supports the WAF audit logging function.
After this function is enabled for the WAF profile, the system will record a piece of
audit log for every HTTP transaction (one HTTP request and its corresponding
response) that violates any defense rule.

 Transaction ID: identifies the HTTP transaction violates any defense rule. The
administrator can quickly locate the corresponding audit log using the transaction
ID.

 Attack detail: describes the attack(s) in detail, such as attack type(s), action(s),
and connection information.

 Request header: is recorded by default.

 Request body: can be recorded when request body recording is enabled.

 Response header: can be recorded when response header recording is enabled.

 Response body: can be recorded when response body recording is enabled.

The system stores audit logs in the WAF audit log databases permanently, and also
prints them as syslogs. The administrator can export the syslogs of WAF audit logs to
an external SIEM (Security Information and Event Management) platform or
monitoring and management platform. For details on how to export syslogs to an
external syslog host, refer to section 16.1.3 “Logging Configuration”.

If an HTTP transaction violates multiple defense rules simultaneously, the system will
combine the attack types and record only the action with the highest priority in the
syslog of the WAF audit log.

 Configuration Example via CLI

2022 Array Networks, Inc.

1. Enable the audit logging function for a specified WAF profile:

AN(config)#waf profile auditlog on p1

2. Enable request body recording for audit logs:

AN(config)#waf profile auditlog requestbody on p1

Note: If you want to also record the files contained in the request body, execute the
“waf profile auditlog requestbody on p1 file” command.

3. Enable response header recording and response body recording for audit logs:

AN(config)#waf profile auditlog response on p1 body

Note: If you want to record only the response header, execute the “waf profile auditlog
response on p1” command.

11.7 IP Reputation Logs

The IP reputation logging function supports displaying IP reputation logs of a specific
category within a specified time period, and supports backing up IP reputation logs
within a specified time period.

 CLI Configuration Example

1. Display the IP reputation logs of a specific category within a specified time

period by the following command.

AN(config)#show ipreputation record malware 2020-11-11 2020-11-30

2. Back up the IP reputation logs within a specified time period by the following
command.

AN(config)#database backup ipreputation 2020-09-11 2020-10-11

2022 Array Networks, Inc.

Chapter 12 Monitoring Center

The Monitoring Center allows administrators to view system status graphs, attack
statistics graphs, traffic statistics graphs, packet drop statistics graphs, access statistics
graphs, and custom statistics graphs.

Click Save icon in the upper left corner of the page to save page options (such as time
range settings). Click Export PDF in the upper left corner of the page to generate a
monitoring report in PDF format on the Reports > Report Browse page.

12.1 System Status Graphs

To view the system status graphs, select Monitoring Center > System Status to
view network throughput, overall CPU usage, overall memory usage, and disk usage.

Figure 12–1 System Status Graphs

12.2 Attack Statistics Graphs

To view the attack statistics graph, select Monitoring Center > Attack Statistics to
view global attack statistics, network attack statistics, and application attack statistics.

12.2.1 Global Attack Statistics

To view global attack statistics, select Monitoring Center > Attack Statistics >
Global Attack to view global DDoS attacks, global WAF attacks, and global HTTP
filter.

2022 Array Networks, Inc.

Figure 12–2 Global DDoS Attack Statistics Graphs

Figure 12–3 Global WAF Attack Statistics Graphs

To view global DDoS/WAF attack graphs concerning total attacks, attack severity
distribution, attack type distribution, attack source region distribution, Top5 attack
source IPs, and Top5 attack targets, click Global DDoS Attack tab and Global WAF
Attack tab.

2022 Array Networks, Inc.

Figure 12–4 Global HTTP Filter Graphs

To view total HTTP filter, HTTP filter type distribution, HTTP filter source region
distribution, Top5 HTTP filter source IPs, and Top5 HTTP filter targets, click Global
HTTP Filter tab.

12.2.2 Network Attack Statistics

To view network attack statistics, select Monitoring Center > Attack Statistics >
Network Attack.

Figure 12–5 Network Attack Statistics Graphs

To view the security zone’s network attack graphs concerning total attacks, attack
severity distribution, attack type distribution, attack source region distribution, Top5
attack source IPs, and Top5 attack targets, select Security Zone Name.

2022 Array Networks, Inc.

12.2.3 Application Attack Statistics

To view the application attack statistics, select Monitoring Center > Attack
Statistics > Application Attack to view HTTP attacks, HTTPS attacks, and DNS
attacks.

Figure 12–6 HTTP DDoS Attack Statistics Graphs

To view the selected service’s HTTP DDoS attack graphs concerning total attacks,
attack severity distribution, attack type distribution, attack source region distribution,
Top5 attack source IPs, and Top5 attack targets, specify the HTTP Service Name
parameter and clicking the HTTP DDoS Attack tab.

2022 Array Networks, Inc.

Figure 12–7 HTTP WAF Attack Statistics Graphs

To view the selected service’s HTTP WAF attack graphs concerning total attacks,
attack severity distribution, attack type distribution, attack source region distribution,
Top5 attack source IPs, Top5 attack target hosts, and Top5 attack target URLs,
specify the HTTP Service Name parameter and clicking the HTTP WAF Attack
tab.

Figure 12–8 HTTP Filter Statistics Graphs

To view the selected service’s HTTP filter graphs concerning total HTTP filter, HTTP
filter type distribution, HTTP filter source region distribution, Top5 HTTP filter
source IPs, and Top5 HTTP filter targets, specify selecting the HTTP Service Name
parameter and clicking the HTTP Filter tab.

2022 Array Networks, Inc.

Figure 12–9 HTTPS DDoS Attack Statistics Graphs

To view the selected service’s HTTPS DDoS attack graphs concerning total attacks,
attack severity distribution, attack type distribution, attack source region distribution,
Top5 attack source IPs, and Top5 attack targets, specify the HTTPS Service Name
parameter and clicking the HTTPS DDoS Attack tab.

Figure 12–10 HTTPS WAF Attack Statistics Graphs

To view the selected service’s HTTPS WAF attack graphs concerning total attacks,
attack severity distribution, attack type distribution, attack source region distribution,
Top5 attack source IPs, Top5 attack target hosts, and Top5 attack target URLs,

2022 Array Networks, Inc.

specify the HTTPS Service Name parameters and clicking the HTTPS WAF Attack
tab.

Figure 12–11 HTTPS Filter Statistics Graphs

To view the selected service’s HTTPS filter graphs concerning total HTTP filter,
HTTP filter type distribution, HTTP filter source region distribution, Top5 HTTP
filter source IPs, and Top5 HTTP filter targets, specify the HTTPS Service Name
parameter and clicking the HTTPS Filter tab.

2022 Array Networks, Inc.

Figure 12–12 DNS Attack Statistics Graphs

To view the selected service’s DNS attack graphs concerning total attacks, attack
severity distribution, attack type distribution, attack source region distribution, Top5
attack source IPs, and Top5 attack targets, specify the DNS Service Name parameter.

12.3 Traffic Statistics Graphs

To view the traffic statistics graphs, select Monitoring Center > Traffic Statistics to
view global network traffic statistics, global application traffic statistics, security
zone’s traffic statistics, and security service’s traffic statistics.

12.3.1 Global Traffic Statistics

Figure 12–13 Global Network Traffic Statistics Graphs (1)

2022 Array Networks, Inc.

Figure 12–14 Global Network Traffic Statistics Graphs (2)

Figure 12–15 Global Network Traffic Statistics Graphs (3)

Figure 12–16 Global Network Traffic Statistics Graphs (4)

To view global network traffic statistics, select Monitoring Center > Traffic
Statistics > Global Network Traffic to view total traffic inbound, total traffic
outbound, TCP traffic inbound, TCP traffic outbound, UDP traffic inbound, UDP
traffic outbound, ICMP traffic inbound, ICMP traffic outbound, other traffic inbound
and other traffic outbound. Click Kbps and packets/s to switch the traffic statistics
unit.

2022 Array Networks, Inc.

Figure 12–17 Global Application Traffic Statistics Graphs (1)

Figure 12–18 Global Application Traffic Statistics Graphs (2)

To view global application traffic statistics, select Monitoring Center > Traffic
Statistics > Global Application Traffic to view HTTP traffic inbound, HTTP traffic
outbound, SSL traffic inbound, SSL traffic outbound, DNS traffic inbound and DNS
traffic outbound. Click Kbps and packets/s to switch the traffic statistics unit.

12.3.2 Secuirty Zone’s Traffic Statistics

To view the security zone’s traffic statistics, select Monitoring Center > Traffic
Statistics > Zone Traffic.

2022 Array Networks, Inc.

Figure 12–19 Security Zone’s Traffic Statistics Graphs (1)

Figure 12–20 Security Zone’s Traffic Statistics Graphs (2)

2022 Array Networks, Inc.

Figure 12–21 Security Zone’s Traffic Statistics Graphs (3)

Figure 12–22 Security Zone’s Traffic Statistics Graphs (4)

To view the security zone’s total traffic inbound, total traffic outbound, TCP traffic
inbound, TCP traffic outbound, UDP traffic inbound, UDP traffic outbound, ICMP
traffic inbound, ICMP traffic outbound, other traffic inbound and other traffic
outbound, specify the Security Zone Name parameter. Click kbps and packets/s to
switch the traffic statistics unit.

12.3.3 Security Service’s Traffic Statistics

To view security service’s traffic statistics, select Monitoring Center > Traffic
Statistics > Service Traffic to view HTTP service traffic, HTTPS service traffic, and
DNS service traffic.

2022 Array Networks, Inc.

Figure 12–23 HTTP Traffic Statistics Graphs (1)

Figure 12–24 HTTP Traffic Statistics Graphs (2)

To view the selected service’s total HTTP traffic inbound and total HTTP traffic
outbound, specify the HTTP Service Name parameter. Click Kbps and packets/s to
switch the traffic statistics unit.

Figure 12–25 HTTPS Traffic Statistics Graphs (1)

2022 Array Networks, Inc.

Figure 12–26 HTTPS Traffic Statistics Graphs (2)

To view the selected service’s total SSL traffic inbound, total SSL traffic outbound,
total HTTP traffic inbound and total HTTP traffic outbound, specify the HTTPS
Service Name parameter. Click Kbps and packets/s to switch the traffic statistics
unit.

Figure 12–27 DNS Traffic Statistics Graphs (1)

Figure 12–28 DNS Traffic Statistics Graphs (2)

To view the selected service’s total DNS traffic inbound and total DNS traffic
outbound, specify the DNS Service Name parameter. Click Kbps and packets/s/s to
switch the traffic statistics unit.

12.4 Packet Drop Statistics Graphs

To view the packet drop statistics, select Monitoring Center > Drop Statistics to
view global packet drop statistics, security zone’s packet drop statistics, and security
service’s packet drop statistics.

Figure 12–34 HTTP Service Access Statistics Graphs

To view HTTP service access statistics, select Monitoring Center > Access
Statistics > HTTP Service Access to view service total accesses, per-method access

2022 Array Networks, Inc.

distribution, per-host access distribution, source IP region distribution, Top10 request

URLs and Top10 source IPs.

12.5.2 HTTPS Service Access Statistics

Figure 12–35 HTTPS Service Access Statistics Graphs

To view HTTPS service access statistics, select Monitoring Center > Access
Statistics > HTTPS Service Access to view service total accesses, per-method access
distribution, per-host access distribution, source IP region distribution, Top10 request
URLs and Top10 source IPs.

12.6 Custom Statistics Graph Pane

Select the Monitoring Center menu and click + in the lower left corner of the page.
In the Add Pane window, specify the related parameters and click Confirm to add a
custom graph.

2022 Array Networks, Inc.

Figure 12–36 Creating a Custom Statistics Graph Pane

To view the created custom statistics graph, select Monitoring Center > Custom
Statistics, and then click newly created graph name to open it.

Figure 12–37 Custom Statistics Graph Pane

To add a new graph to the custom graph pane, click Add Widget, and in the Add
Widget window, specify related parameters and click Confirm.

Figure 12–38 Adding a New Graph to the Custom Statistics Graph Pane

Click Edit Pane to enter the edit mode of the custom graph pane. In the edit mode,
you can modify the pane name, or delete/edit each widget graph.

2022 Array Networks, Inc.

Figure 12–39 Edit Mode of the Custom Statistics Graph Pane

Click Delete Pane to delete a custom statistics graph pane.

2022 Array Networks, Inc.

Chapter 13 Report System

13.1 Overview
The report system helps administrators to get an overview of the system running
status, service running status, service security status, and so on.

The report system supports the following types of reports:

 Monitoring reports: converts specific monitoring pages in the Monitoring Center

into reports.

 Advanced reports: predefined report types, including:

– System status: evaluates the system running status.

– Security service status: evaluates the running status and security status of a
specified security service or all services as a whole.

– Security zone status: evaluates the running status and security status of a
specified security zone.

– PCI DSS (Payment Card Industry Data Security Standard) compliance:

evaluates the compliance status of a specified security service based on the
PCI DSS security standard.

The preceding types of reports support both the PDF and CSV formats. In addition,
the report system supports generating reports periodically at the daily, weekly or
monthly basis and sending the generated reports to administrators’ email addresses
automatically. To use the function of automatically sending the generated reports, you
should configure the external SMTP server correctly first.

The general workflow of report is as follows:

1. Create a one-time or periodic report task.

2. Execute the report task (skip it for periodic report task).

3. View and download the report.

13.2 Creating Report Tasks

13.2.1 Creating a Monitoring Report Task

1. Select a monitoring page in the monitoring center, click Export as Report.

2022 Array Networks, Inc.

2. In Add Report Task window, set Task Type to onetime or crontab, specify the
relevant parameters and click Confirm to create the monitoring report task. To
configure the system to automatically send the generated report to the
administrator’s email address, you just need to specify the Send to parameter.

Figure 13–1 Creating a One-time Monitoring Report Task

Figure 13–2 Creating a Periodic Monitoring Report Task

13.2.2 Creating a System Status Report Task

1. Select Reports > Report Tasks and click the Add button.

2. In the Add Report Task window, set the Report Type to System Status, set
Task Type to onetime or crontab, specify the related parameters and click the
Confirm button to generate an advanced report task. To configure the system to
automatically send the generated report to the administrator’s email address, you
just need to specify the Send to parameter.

2022 Array Networks, Inc.

Figure 13–3 Creating a One-time System Status Report Task

Figure 13–4 Creating a Periodic System Status Report Task

13.2.3 Creating a Security Service Status Report Task

1. Select Reports > Report Tasks and click the Add button.

2. In the Add Report Task window, set the Report Type to Security Service
Status, set Task Type to onetime or crontab, specify other related parameters
and click the Confirm button. To configure the system to automatically send the
generated report to the administrator’s email address, you just need to specify the
Send to parameter.

2022 Array Networks, Inc.

Figure 13–5 Creating a One-time Security Service Status Report Task

Figure 13–6 Creating a Periodic Security Service Status Report Task

13.2.4 Creating a Security Zone Status Report Task

1. Select Reports > Report Tasks and click the Add button.

2. In the Add Report Task window, set the Report Type to Security Zone Status,
set Task Type to onetime or crontab, specify other related parameters and click
the Confirm button. To configure the system to automatically send the generated
report to the administrator’s email address, you just need to specify the Send to
parameter.

2022 Array Networks, Inc.

Figure 13–7 Generating a One-time Security Zone Status Report

Figure 13–8 Generating a Periodic Security Zone Status Report

13.2.5 Creating a PCI DSS Compliance Report Task

1. Select Reports > Report Tasks and click the Add button.

2. In the Add Report Task window, set the Report Type to PCI DSS Compliance,
set Task Type to onetime or crontab, specify other related parameters and click
the Confirm button. To configure the system to automatically send the generated
report to the administrator’s email address, you just need to specify the Send to
parameter.

2022 Array Networks, Inc.

Figure 13–9 Generating a One-time PCI DSS Compliance Report Task

Figure 13–10 Generating a Periodic PCI DSS Compliance Report Task

13.3 Managing Report Tasks

13.3.1 Executing a Report Task

This operation applies to one-time report tasks.

To execute a report task, select Reports > Report Task, find the desired report task,
and click the Executing button in the Action column.

2022 Array Networks, Inc.

Figure 13–11 Executing a One-time Report Task

13.3.2 Pausing or Resuming a Report Task

These operations apply to periodic report tasks.

To pause a periodic report task that is running, select Reports > Report Task, find
the desired report task, and click the Pausing button in the Action column, as shown
in Figure 13–11.

To resume a periodic report task that is running, select Reports > Report Task, find
the desired report task, and click the Continuing button in the Action column, as
shown in Figure 13–11.

13.3.3 Editing a Report Task

This operation applies to both one-time and periodic report tasks.

To edit a report task:

1. Select Reports > Report Task, find the desired report task, and click the Edit
button in the Action column, as shown in Figure 13–11.

2. In the prompted Edit Report Task window, modify the parameter settings as
required, and click the Confirm button.

2022 Array Networks, Inc.

Figure 13–12 Editing a Report Task

13.3.4 Deleting a Report Task

This operation applies to both one-time and periodic report tasks.

To delete a report task, select Reports > Report Task, find the desired report task,
and click the Delete button in the Action column, as shown in Figure 13–11.

13.3.5 Clearing All Report Tasks

This operation will clear all one-time and periodic report tasks.

To clear all report tasks, select Reports > Report Task, find click the Clear button,
as shown in Figure 13–11.

13.4 Viewing and Downloading Generated Reports

Reports will be generated when a one-time report task is executed successfully or a
periodic report task is automatically executed at a scheduled time.

To view and download the generated report, select Reports > Report Browse, select
the report and click Download in the Action button.

2022 Array Networks, Inc.

Figure 13–13 Downloading a Generated Report

Figure 13–14 Report Sample

In addition, if you have specified the Send to parameter of the report task, the
generated report will also be send to the administrator’s email address. You can view
and download the report from the administrator’s email box.

2022 Array Networks, Inc.

13.5 Customizing Reports

To customize the logo of the reports, select Reports > Report Customization. Click
the Update Logo button to modify the logo in the reports.

Figure 13–15 Customizing the Report Logo

2022 Array Networks, Inc.

Chapter 14 High Availability

ASF products offer a variety of High Availability (HA) options that maximize
application online time and ensure high availability of application services.

 The cluster function needs two or more ASF devices deployed in route
transparent or proxy mode. The ASF device can work in active/standby mode or
Active/Active mode.

 In a redundant network environment, the external HA mechanism can provide

service high availability for ASF devices deployed in transparent bridge mode or
proxy mode.

 The software and hardware bypass function can help avoid service interruption
caused by a failure of a single ASF device deployed in transparent bridge mode.

14.1 Clustering

14.1.1 Overview

With the continuous deepening and development of network applications, users have
higher requirements for the reliability of network and network devices. In order to
improve the reliability of the network during network planning and design, it is
generally necessary to perform redundant backup of network devices of key nodes.
The ASF clustering function solves the Single Point Of Failure (SPOF) problem
through the Virtual Router Redundancy Protocol (VRRP) technology and can provide
reliability guarantee for the ASF-protected website.

The clustering function can work only in route deployment mode.

14.1.2 Clustering Working Principle

The ASF clustering function allows two or more ASF devices to be interconnected to
form a single logical device to provide high reliability and high availability for local
websites, as shown in the following figure.

2022 Array Networks, Inc.

Figure 14–1 ASF Clustering Technology

The ASF clustering function supports two modes: Active-Standby mode and
Active-Active mode.

 Active-Standby Mode

In Active-Standby mode, all VIPs on one ASF device in the cluster are in Active
status, while the VIPs are on the other devices in the cluster are in standby status.

 Active-Active Mode

In Active-Active mode, each ASF device in the cluster has a different VIP or
cluster ID in the active status.

14.1.2.2 IPv6 Support of Clustering

Currently, the ASF clustering function supports IPv6 VIP switching. In this way, the
ASF device supports both IPv4 and IPv6 VRRP packets.

When both IPv4 and IPv6 addresses are configured on the corresponding interfaces
for the clustering function, or only IPv4 addresses are configured, the clustering
function uses IPv4 VRRP packets to communicate between ASF devices. When only
IPv6 addresses are configured on the corresponding interfaces for the clustering
function, the clustering function uses IPv6 VRRP packets to communicate between
ASF devices.

2022 Array Networks, Inc.

Note: VRRP packets are not compatible with different OS versions of ASF devices,
ensure the same OS version is used in the cluster.

14.1.3 Clustering Configuration Example

14.1.3.1 Clustering Configuration for SLB VIP

When using ASF cluster, we first need to define the VIP address of the security
service. The VIP address to be used is defined in the following paragraphs.

For information about the VIP address of the security service, refer to section 6.1
Security Service.

14.1.3.1.1 Active-Standby Mode (Two Units)

In Active-Standby mode, only one unit can become the owner of the VIP and the
other unit becomes the backup unit. Once the master unit fails, the backup unit
becomes the owner of the VIP address. If the preemption mode is enabled on the
master unit and after the master unit becomes up again, it will preempt the master
status. In addition, the VIP address will always be used by the new master unit until it
fails.

The typical Active-Standby mode network architecture is shown in the following

figure.

Figure 14–2 Two-node Active-Standby Mode Network Architecture

As shown in the figure above, ASF1 is the master unit which handles the traffic of the
VIP address. ASF2 is the backup unit that listens for broadcast messages from the
master unit. If ASF1 fails (due to a failure for example) and stops sending broadcast
messages, ASF2 will switch from the backup status to the master status.

2022 Array Networks, Inc.

To configure the Active-Standby cluster mode for ASF1 and ASF2.

1. Configure the ASF function for ASF1 and ASF2.

ASF1(config)#security service name "vip1" http virtual

ASF1(config)#security service address "vip1" 192.168.2.100 80 arp
ASF1(config)#security real service "server1" http 192.168.1.50 80
ASF1(config)#security service policy static "vip1" "server1"

ASF2(config)#security service name "vip1" http virtual

ASF2(config)#security service address "vip1" 192.168.2.100 80 arp
ASF2(config)#security real service "server1" http 192.168.1.50 80
ASF2(config)#security service policy static "vip1" "server1"

2. Configure the virtual cluster interface name.

ASF1(config)#cluster virtual ifname "port1" 100

ASF2(config)#cluster virtual ifname "port1" 100

3. Configure virtual cluster authentication function.

ASF1(config)#cluster virtual auth port1 100 0

ASF2(config)#cluster virtual auth port1 100 0

4. Configure the virtual cluster preemption mode.

Enable the preemption mode on ASF1, and do not enable the preemption mode on
ASF2.

ASF1(config)#cluster virtual preempt port1 100 1

ASF2(config)#cluster virtual preempt port1 100 0

5. Configure the VIP address for a virtual cluster using the “cluster virtual vip”
command.

ASF1(config)#cluster virtual vip "port1" 100 192.168.2.100

ASF2(config)#cluster virtual vip "port1" 100 192.168.2.100

6. Configure the priority.

The priority determines which unit will become the master unit, and the unit with the
highest priority becomes the master unit. Since we want the VIP on the ASF1
appliance to be in the master status, configure the VIP priority on the ASF1 to 255.
For the ASF2 appliance, configure a lower VIP priority, such as 100. In the

2022 Array Networks, Inc.

deployment of a two-unit cluster, the above configuration is allowed. When a cluster

contains multiple units, you need to configure different priorities for the VIPs on each
unit to ensure that the communication and failover between units works normally.
Configure the priority by the following commands:

ASF1(config)#cluster virtual priority port1 100 255

ASF2(config)#cluster virtual priority port1 100 100

Note: With the above configurations, ASF2 will become the backup appliance because it
has a lower priority than that of ASF1.

7. Enable the clustering function.

ASF1(config)#cluster virtual on

ASF2(config)#cluster virtual on

14.1.3.1.2 Active-Active Mode (Two Units)

In Active-Active mode, ASF1 will become the master unit of the VIP address 1 and
will also become the backup unit of VIP address 2. ASF2 will become the master unit
of VIP address 2 and will become the backup unit of VIP address 1. This
configuration can improve the website performance.

The following example demonstrates this design. Two Virtual Cluster IDs (VCIDs)
need to be configured, each of which contains at least one VIP address, as shown in
the following figure.

2022 Array Networks, Inc.

Figure 14–3 Two-node Active-Active Mode Network Architecture

The VCID1 contains the VIP address 192.168.2.100, and the VCID2 contains the VIP
address 192.168.2.101.

It is assumed that ASF1 is configured as a master unit of VIP address 1 and a backup
unit of VIP address 2, and ASF2 is configured as a backup unit of VIP address 1 and a
master unit of VIP address 2.

To configure the appliances:

1. Configure ASF virtual services for ASF1 and ASF2.

ASF1(config)#security service name "vip1" http virtual

ASF1(config)#security service address "vip1" 192.168.2.100 80 arp
ASF1(config)#security real service "server1" http 192.168.1.50 80
ASF1(config)#security service policy static "vip1" "server1"
ASF1(config)#security service name "vip2" http virtual
ASF1(config)#security service address "vip2" 192.168.2.101 80 arp
ASF1(config)#security real service "server2" http 192.168.1.51 80
ASF1(config)#security service policy static "vip2" "server2"

ASF2(config)#security service name "vip1" http virtual

ASF2(config)#security service address "vip1" 192.168.2.100 80 arp
ASF2(config)#security real service "server1" http 192.168.1.50 80
ASF2(config)#security service policy static "vip1" "server1"
ASF2(config)#security service name "vip2" http virtual
ASF2(config)#security service address "vip2" 192.168.2.101 80 arp
ASF2(config)#security real service "server2" http 192.168.1.51 80
ASF2(config)#security service policy static "vip2" "server2"

2. Configure the virtual cluster interface name.

ASF1(config)#cluster virtual ifname "port1" 100

ASF1(config)#cluster virtual ifname "port1" 101

ASF2(config)#cluster virtual ifname "port1" 100

ASF2(config)#cluster virtual ifname "port1" 101

3. Configure the virtual cluster authentication function.

We recommend that you use a cluster with an authentication mechanism to prevent

unauthorized appliances from joining the cluster.

ASF1(config)#cluster virtual auth port1 100 0

ASF1(config)#cluster virtual auth port1 101 0

2022 Array Networks, Inc.

ASF2(config)#cluster virtual auth port1 100 0

ASF2(config)#cluster virtual auth port1 101 0

4. Configure the cluster preemption mode.

ASF1(config)#cluster virtual preempt port1 100 1

ASF1(config)#cluster virtual preempt port1 101 0

ASF2(config)#cluster virtual preempt port1 100 0

ASF2(config)#cluster virtual preempt port1 101 1

5. Configure the VIP address using the “cluster virtual vip” command.

ASF1(config)#cluster virtual vip "port1" 100 192.168.2.100

ASF1(config)#cluster virtual vip "port1" 101 192.168.2.101

ASF2(config)#cluster virtual vip "port1" 100 192.168.2.100

ASF2(config)#cluster virtual vip "port1" 101 192.168.2.101

6. Configure the priority.

The cluster priority determines which unit will become the master unit, and the unit
with the highest priority becomes the master unit.

ASF1(config)#cluster virtual priority port1 100 255

ASF1(config)#cluster virtual priority port1 101 100

ASF2(config)#cluster virtual priority port1 100 100

ASF2(config)#cluster virtual priority port1 101 255

7. Enable the clustering function.

ASF1(config)#cluster virtual on

ASF2(config)#cluster virtual on

14.1.3.1.3 Active-Active Mode (Three Units)

This section describes how to configure a cluster on multiple units. This mechanism
can be better explained by using the matrix concept: configure the priority of multiple
units respectively, so that the network load can be correctly distributed onto other
working units after one unit fails. Of course, in extreme cases, when two of the three
units in the cluster fail, the remaining unit will handle all the traffic load on the
website. The following figure is a typical example.

ASF2(config)#cluster virtual vip port1 3 10.10.0.30
ASF2(config)#cluster virtual priority port1 3 50
ASF2(config)#cluster virtual on

3. Configure ASF3.

ASF3(config)#security service name "vip1" http virtual

ASF3(config)#security service address "vip1" 10.10.0.10 80 arp
ASF3(config)#security real service "server1" http 192.168.1.50 80
ASF3(config)#security service policy static "vip1" "server1"
ASF3(config)#security service name "vip2" http virtual
ASF3(config)#security service address "vip2" 10.10.0.20 80 arp
ASF3(config)#security real service "server2" http 192.168.1.51 80
ASF3(config)#security service policy static "vip2" "server2"
ASF3(config)#security service name "vip3" http virtual
ASF3(config)#security service address "vip3" 10.10.0.30 80 arp
ASF3(config)#security real service "server3" http 192.168.1.52 80
ASF3(config)#security service policy static "vip3" "server3"
ASF3(config)#cluster virtual ifname port1 1
ASF3(config)#cluster virtual auth port1 1 0
ASF3(config)#cluster virtual preempt port1 1 0
ASF3(config)#cluster virtual vip port1 1 10.10.0.10
ASF3(config)#cluster virtual priority port1 1 50
ASF3(config)#cluster virtual ifname port1 2
ASF3(config)#cluster virtual auth port1 2 0
ASF3(config)#cluster virtual preempt port1 2 0
ASF3(config)#cluster virtual vip port1 2 10.10.0.20
ASF3(config)#cluster virtual priority port1 2 75
ASF3(config)#cluster virtual ifname port1 3
ASF3(config)#cluster virtual auth port1 3 0
ASF3(config)#cluster virtual preempt port1 3 1
ASF3(config)#cluster virtual vip port1 3 10.10.0.30
ASF3(config)#cluster virtual priority port1 3 100
ASF3(config)#cluster virtual on

14.2 Bypass Function

The Bypass function prevents the stand-alone device deployed in transparent bridge
transparent mode from being interrupted due to a fault, thus ensuring the service high
availability. The system provides two kinds of bypass functions: hardware bypass
function and software bypass function.

2022 Array Networks, Inc.

The hardware bypass function is implemented with a dedicated bypass hardware card.
The software bypass function does not require a dedicated hardware bypass card. The
scenarios for the two bypass functions are different. The hardware bypass function is
used for scenarios where hardware appliances are used, and a dedicated bypass card is
used to implement hardware-level bypass function. The appliance’s hardware bypass
card monitors the health of the system. When a system failure occurs, it automatically
switches to the bypass state and transmits all traffic in transparent mode. When the
system resumes, the bypass state is automatically turned off.

The software bypass function is mainly used for virtual appliances. The system
utilizes the software-simulated bypass function to achieve transparent transmission of
the traffic and monitoring of the software system. The specific function is similar to
that of the dedicated bypass card.

14.2.1 Hardware Bypass

 Configuration Example via WebUI

Figure 14–5 Enabling the Hardware Bypass Function

 Configuration Example via CLI

1. Enable the hardware bypass function.

AN(config)#bypass hardware on

2. View the status of the hardware bypass card.

AN(config)#show bypass hardware

14.2.2 Software Bypass

 Configuration Example via WebUI

2022 Array Networks, Inc.

Figure 14–6 Enabling the Software Bypass Function

Figure 14–7 Configuring the Port Pair of the Software Bypass Card

 Configuration Example via CLI

1. Enable the software bypass function.

AN(config)#bypass software on

2. Configure the port pair of the software bypass card.

AN(config)#bypass software port port1 port2

3. After saving the configuration and rebooting the device, the administrator should
view the status of the software bypass function.

AN(config)#show bypass software

14.3 Emergency Mode

The system supports the emergency mode. After the emergency mode is enabled, the
system will enter the emergency mode if the number of the cocurrent connections
exceeds the cocurrent connections threshold (set by the “emergency cc” command).
In emergency mode, the processing is as follows:

 For all existing connections, the system continues the normal-mode process.

2022 Array Networks, Inc.

 For new connections:

– If they hit the HTTP/HTTPS security services, the system skips WAF
defense and directly performs transparent transmission.

– If they do not hit the HTTP/HTTPS security services, the system follows the
normal-mode process.

When the number of the cocurrent connections remains below the cocurrent
connections threshold set by the “emergency cc” command for 3 seconds or more, the
system automatically exits the emergency mode and returns to the normal mode. After
returning to the normal mode, the system will follow the normal-mode process and
perform WAF checks on connections hitting the HTTP/HTTPS security services.

 CLI Configuration Example

1. Executes the “emergency cc” command to set the cocurrent connections

threshold to trigger the emergency mode.

AN(config)#emergency cc 3000

2. Executes the “emergency on” command to enable the emergency mode.

AN(config)#emergency on

2022 Array Networks, Inc.

Chapter 15 System

15.1 User Management

The system allows the creation of a system administrator and allows the administrator
to specify the access control level (Enable level and Config level) for the appliance. If
you need more precise control over the administrator’s appliance configuration and
operation privilege, you can use role-based privilege management to control the CLI
commands that administrators can execute.

15.1.1 Administrator

The system allows the creation of three types of administrators: the Enable-level, the
Config-level and the API-level administrator. The Enable-level administrator can only
execute all commands allowed at the Enable and User levels. The Config-level
administrator can execute all commands allowed at the Config, Enable, and User
levels. The API-level administrator can access the RESTful API Web service.

Note: To enhance the security of the administrator account password, you can use the
“passwd forcemode on” command to enable the Secure Password mode. For details, refer
to the CLI Handbook.

 Configuration Example via CLI

Add an administrator and configure its access control level by executing the following
command:

user <user_name> [password] [level]

For example:

AN(config)#user admin1 abcabc config

15.1.2 Administrator AAA

The administrator AAA supports using an external AAA server for the administrator
authentication, authorization and billing .

If you have an external authentication server (RADIUS/TACACS+), you can use

these servers for SSH/WebUI login verification. When the username you entered does
not exist in the Array system and the “admin aaa” command is set to On, external
authentication will be enabled. Execute the following commands:

AN(config)#admin aaa on

2022 Array Networks, Inc.

AN(config)#admin aaa method RADIUS

AN(config)#admin aaa server es01 "10.1.1.1" 1812 radiussecret
AN(config)#admin aaa server es02 radius_host 1812 radiussecret

15.1.3 Role-based Privilege Management

The role-based privilege management function enables more flexible administrator

privilege control by assigning roles to administrators to control CLI commands that
administrators can execute.

One or more roles can be assigned to the administrator. The relationship between
multiple roles is a logical “OR”. If any role assigned to the administrator is allowed to
execute a specific CLI command, the administrator is allowed to execute this
command as well; if none of the role is allowed to execute a specific CLI command,
the administrator is not allowed to execute this command. If no role is assigned to the
administrator, the administrator can execute all commands allowed by the configured
access level.

Role is a set of privilege rules. A privilege rule consists of rule strings and operation
privilege.

 Rule String

A rule string defines one or a set of command line configurations. In the actual
configuration, the following three forms are supported:

 Full form: security service name r1 http virtual

 Incomplete form with some parameters: security service name r1

 Incomplete form with a part of the command body: security service name

When configuring a rule string, you should notice the following limitations:

 Abbreviations are not allowed in the main part of the command line.

 The command line parameters are case sensitive.

 The entire rule string needs to be enclosed by double quotes. If double quotes are
needed inside the rule string, use single quotes instead.

 If there are multiple consecutive spaces in the command line, it will be treated as
a single space.

The system will check the command entered by the administrator against the rule
strings from the first letter. If the command is identical with or comprises a rule string,
the command is regarded as matching the rule string and will follow the rule.

 Operation Privilege

2022 Array Networks, Inc.

Operation privilege includes two types: “permit” and “deny”. Depending on the
operation privilege, the privilege rules can be divided into “permit” rule and “deny”
rule, which are respectively used to control whether a role is allowed or not allowed to
execute one or a group of commands. If no “permit” rule is configured for a role, the
system does not allow the role to execute any CLI commands allowed at all access
levels.

When the CLI command matches both the “permit” and “deny” rules, the “deny” rule
takes higher priority in the system.

For example:

role1:

 “permit” rule: “no security”

 “deny” rule: “no security service”

The system will not allow role1 to execute all commands starting with “no security
service” but will allow other CLI commands starting with “no security”.

role2:

 “permit” rule: “no security service”

 “deny” rule: “no security”

Because the “deny” rule takes precedence, the system will not allow role2 to execute
any CLI commands beginning with “no security”, although the “permit” rule allows
the execution of commands starting with “no security service”.

If you want to prevent a role from performing configure, display, and delete
operations related to a feature such as WAF, you should configure the following
privilege rules for the role:

 “deny” rule: “waf”

 “deny” rule: “no waf”

 “deny” rule: “show waf”

 “deny” rule: “clear waf”

Note: The view operation of the WebUI depends on the “show” command in the CLI.
Ensure that the administrator who needs to perform the WebUI view operation is assigned
the privilege to execute the “show” command of the corresponding module.

 Configuration Example via CLI

1. Add a role by executing the following command:

2022 Array Networks, Inc.

role name <role_name>

For example:

AN(config)#role name role1

2. Execute the following commands to configure the privilege rules for the role:

role deny <role_name> <filter_string>

role permit <role_name> <filter_string>

For example:

AN(config)#role deny role1 "clear config"

AN(config)#role permit role1 "show run config"

3. Assign a role to the administrator account by executing the following command:

role user <user_name> <role_name>

For example:

AN(config)#role user admin1 role1

15.1.4 Pre-defined Roles and Users

For the purpose of different scenarios, the system creates three pre-defined users:
administrator, operator and auditor. The system assigns corresponding pre-defined
roles to pre-defined users, namely “role_administrator”, “role_operator” and
“role_auditor”.

The functions of the pre-defined users are described as follows:

 Administrator: has execution rights for all commands except logging operations.

 Operator: has execution rights for all commands except logging, role,and user
operations.

 Auditor: only has the execution authority for “show” commands and some
logging operations.

Note: Administrator users have the right to modify the passwords of all users
except other administrator users, while operator user and auditor user can only
modify their own passwords.

 Operation rules for pre-defined roles and users

2022 Array Networks, Inc.

To ensure the stability of pre-defined users, the pre-defined user itself and the
associated pre-defined roles and associated role rules cannot be deleted. The binding
relationship between pre-defined users and predefined roles cannot be deleted.

Administrators can add/delete self-defined rules for pre-defined roles, and can assign
pre-defined roles to self-defined users.

 Pre-defined User Permissions

The pre-defined role rules corresponding to different pre-defined users are shown in
the following table:

Pre-defined Users Permission Rules for Predefined Roles

Cannot perform logging Cannot use “log” and “admin auditlog”
and auditing operations related CLIs
Administrator
Cannot delete logs of DDoS, DNS, WAF,
Cannot delete logs
HTTP, IP reputation and etc.
Cannot perform logging Cannot use “log” and “admin auditlog”
and auditing operations related CLIs
Cannot create/delete
Cannot use “user” and “role” related CLIs
users and roles
Operator
Allowed to modify its Can use “passwd changing” and “passwd
own password user” CLIs
cannot delete logs of DDoS, DNS, WAF,
Cannot delete logs
HTTP, IP reputation and etc.
Allowed to perform Can use “show” CLIs
“show” CLI
Allowed to perform Can use “log” and “admin auditlog” related
logging and auditing CLIs
Auditor operations
Allowed to modify its Can use “passwd changing” and “passwd
own password user” CLIs
Allowed to delete logs Can delete logs of DDoS, DNS, WAF, HTTP,
IP reputation and etc.

15.1.5 Administrator Audit Logging

After the administrator audit logging function is enabled, the system will record the
administrator’s login record and operation record, which will be retained after
appliance reboot. It can be filtered based on keywords, start date and end date.

15.1.5.1 Function Switch

The administrator audit logging function is disabled by default. Enable or disable the
administrator audit logging function by executing the following commands:

2022 Array Networks, Inc.

Enable the administrator audit logging function by executing the following command:

AN(config)#admin auditlog on

Disable the administrator audit logging function by executing the following

command:

AN(config)# admin auditlog off

15.1.5.2 Login Record

Display the administrator login record by executing the “show admin auditlog sign”
command.

Clear the administrator login record by executing the “clear admin auditlog sign”
command.

The administrator login record includes the following information:

 Time

 User name

 Source IP

 Source port

 Destination IP

 Destination port

 Login information

For example:

AN#show admin auditlog sign

Time User SrcIP SrcPort
DstIP DstPort SignInfo
----------------------------------------------------------------------------------------------------------------------
2018-12-20 06:49:07 array 10.8.6.50 14519
10.8.6.51 22 SSH login successfully
2018-12-19 10:18:42 array 10.8.6.50 14518
10.8.6.51 22 SSH logout
2018-12-19 08:41:32 "array" 10.8.6.50 2212
10.8.6.51 8888 "login successful"
2018-12-19 07:53:08 "array" 10.8.6.50 1904
10.8.6.51 8888 "login successful"
2018-12-19 03:25:03 "array" 10.8.6.50 14525
10.8.6.51 8888 "login successful"

2022 Array Networks, Inc.

2018-12-19 03:24:47 array 10.8.6.50 14518

10.8.6.51 22 SSH login successfully
2018-12-19 03:03:34 array 10.8.6.50 14422
10.8.6.51 22 SSH login successfully
2018-12-17 10:15:36 array 10.8.6.50 6659
10.8.6.51 22 SSH logout
2018-12-17 05:48:02 array 10.8.6.50 6659
10.8.6.51 22 SSH login successfully
2018-12-14 06:52:42 "array" 10.8.18.134 4559
10.8.18.238 8888 "login successful"
2018-12-14 06:05:21 "array" 10.8.18.134 4206
10.8.18.238 8888 "login successful"

15.1.5.3 Operation Record

Display the administrator operation record by executing the “show admin auditlog
operation” command.

Clear the administrator operation record by executing the “clear admin auditlog
operation” command.

The administrator operation record includes the following information:

 Time

 User performing the operation

 Operation

 Result

 Description

For example:

AN#show admin auditlog operation

Time User Action
Result Dscription
----------------------------------------------------------------------------------------------------------------------
2018-12-20 06:58:48 array failed to execute cmd "show show admin
auditlog operation" Faild Faild by unknown reason
2018-12-20 06:58:37 array execute cmd "en"
Success
2018-12-20 06:58:28 webui_agent execute cmd "show interface"
Success
2018-12-20 06:58:28 webui_agent execute cmd "show cluster virtual
status" Success

2022 Array Networks, Inc.

2018-12-20 06:58:28 webui_agent execute cmd "show stati eroute"

Success
2018-12-20 06:58:28 webui_agent execute cmd "show stati droute"
Success
2018-12-20 06:58:28 webui_agent execute cmd "show statistics eroute"
Success
2018-12-20 06:58:28 webui_agent execute cmd "show statistics droute"
Success

15.2 Access Control Management

This section describes the access to WebUI, Restful API, and so on. It also describes
settings of Enable mode and Config mode.

15.2.1 WebUI Access

The WebUI service allows the administrator to connect to the ASF appliance for
management and configuration via a Web-based graphical user interface. The WebUI
service is disabled by default. You need to enable the WebUI service before using it.

The WebUI access is secured using the HTTPS protocol. To establish a WebUI
connection to the ASF appliance, open the URL of the WebUI in a Web browser. The
URL of the WebUI is in the format of “https://<management_IP>:<WebUI_port>”.
The default WebUI port is 8888 and you can change it if required.

To enhance the system security, the administrator can configure WebUI source IP
address and/or source MAC address restriction rules to control the sources that are
allowed to access the WebUI service.

 Configuration Example via CLI

To set the WebUI listening port, execute the following command:

AN(config)#webui port 8888

To set the WebUI listening IP address, execute the following command:

AN(config)#webui ip 192.168.1.100

To configure a WebUI source IP restriction rule, execute the following command:

AN(config)#webui source 192.168.0.0 255.255.0.0

To configure a WebUI source MAC address restriction rule, execute the following
command:

AN(config)#webui srcmac 00:0c:29:0e:06:2e

2022 Array Networks, Inc.

To enable the WebUI service, execute the following command:

AN(config)#webui on

15.2.2 WebUI SSL Settings

By default, the ASF WebUI only uses a test SSL certificate issued by Array Networks.
The system allows administrators to import and use certificates issued by a Certificate
Authority (CA) to enhance ASF WebUI access experience. Currently, administrators
can import a PEM-format end-user certificate and an intermediate CA certificate for
the ASF WebUI.

15.2.2.1 Importing End-user SSL Certificate for WebUI

 Configuration Example via WebUI

Select Platform >System > System Access Control > WebUI SSL Settings, click
Import in the Certificate area. In the prompted Import WebUI SSL Certificate
window, specify the Import Way parameter (Local File/URL/Manual Input) to
import the certificate according to actual need, and then click the Import button.

Figure 15–1 Importing a PEM-format Certificate for ASF WebUI

 Configuration Example via CLI

Execute the “webui ssl import pem” command to import a PEM-format end-user
certificate. With this command, administrators can either import a certificate from a
TFTP/FTP/HTTP server or by copy-n-paste in the CLI.

Example01: import a PEM-format certificate from an FTP server

AN(config)#webui ssl import pem ftp://10.8.6.20/cert/webui.pem

Example02: import a PEM-format certificate by copying and pasting the certificate

into the CLI.

The input of the certificate can be ended by the entering of “…” in the bottom line.

AN(config)#webui ssl import pem

2022 Array Networks, Inc.

-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIJAIgypSLjq/+oMA0GCSqGSIb3DQEBDQUAMIGMMQswCQY
D
VQQGEwJVUzELMAkGA1UECBMCQ0ExETAPBgNVBAcTCENhbXBiZWxsMRwwGgY
DVQQK
ExNBcnJheSBOZXR3b3JrcywgSW5jMRcwFQYDVQQDEw5BcnJheSBOZXR3b3JrczEm
MCQGCSqGSIb3DQEJARYXd2VidWlAYXJyYXluZXR3b3Jrcy5uZXQwHhcNMTQwMj
Ez
......
MDkxNTEzWhcNMjIwNTAyMDkxNTEzWjCBjDELMAkGA1UEBhMCVVMxCzAJBgNV
BAgT
AkNBMREwDwYDVQQHEwhDYW1wYmVsbDEcMBoGA1UEChMTQXJyYXkgTmV0d2
9ya3Ms
IEluYzEXMBUGA1UEAxMOQXJyYXkgTmV0d29ya3MxJjAkBgkqhkiG9w0BCQEWF3dl
YnVpQGFycmF5bmV0d29ya3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA6nHWYTlAkIm3O7OhRjjBBWR6H/h8viP8o/Hqc2JVcm1eA0ATtaxO0rel
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA6nHWYTlAkIm3O7OhRjjBBWR6H/h8viP8o/Hqc2JVcm1eA0AT
taxO0relxmSfdr8V5ffC5zRcCrIgcOHm2WP0T6qOPKB+Fxdj2uhYTmFHJjk4Cx9y
MFDyF4s0i+VlWqxqT/6Sqoae49aWwq6mvF6BSHXMQzXN4wdQlsGrpwFnGWxIbn4c
wKHrC/Jq/6W+H2bOeLL8fCRVWCnE1Lkz7WB/drDUyTaClVsMDpSRn2rHw8TMk3pw
TzjsB4NyMxy0xHb7cw+FxvMLk7lLNNS4jvSxCUjUZBhAOTfkN+V6G+8Y1QVyBUDo
......
b8ml72WoiNAp82feVPkss31bvlUZBVgipR9PYUIk9vSQ++p3HV9/wBglwB2XLrpo
yT1goc+j/hrGBY7gAr258yV//Ho9wlaCsuHZSLEwTwQ3wH6uyyTcnqk1Xreeb2cE
Udj/HwKBgAchOvooG/z9RXplUIQqW1jRXRF6KXoiUNugZWMYQGQMN2qe+dEiM/O9
mBsnpTpgXCogKA45jdr+NoE3oJ6nSAjnYKzT1nOf57OwoaKOiYvbaYCt3hdRXCeQ
8r1M0Ijn0ylrEUoC13YxFsjVQCt69Yf7RL8kmDQR7FqJr8CmWZbN
-----END RSA PRIVATE KEY-----
…

15.2.2.2 Importing Intermediate CA Certificate for WebUI

 Configuration Example via WebUI

Select Platform >System > System Access Control > WebUI SSL Settings, click
Import in the Intermediate Certificates area. In the prompted Import WebUI SSL
Intermediate Certificates window, specify the Import Way parameter (Local
File/URL/Manual Input) to import the certificate according to actual need, and then
click the Import button.

2022 Array Networks, Inc.

Figure 15–2 Importing an Intermediate Certificate for ASF WebUI

 Configuration Example via CLI

Execute the “webui ssl import interca” command to import an intermediate CA

certificate. With this command, administrators can either import an intermediate
certificate from a TFTP/FTP/HTTP server or by copy-n-paste in the CLI.

Example01: import an intermediate CA certificate from an FTP server

AN(config)#webui ssl import interca ftp://10.8.6.20/cert/webui-intermediate.pem

Example02: import an intermediate CA certificate by copying and pasting the

certificate into the CLI.

The input of the certificate can be ended by the entering of “…” in the bottom line.

AN(config)#webui ssl import interca

2022 Array Networks, Inc.

To view the imported certificate and intermediate certificate for the ASF WebUI,
execute the following commands:

AN(config)#show webui ssl certificate

AN(config)#show webui ssl interca

15.2.3 RESTful API Access

ASF RESTful Application Programming Interface (API) is an alternative

management method in addition to CLI and WebUI.

With the RESTful API, the administrator can send RESTful API requests to the ASF
appliance via the HTTP or HTTPS protocol to perform Create, Read, Update, and
Delete operations on system resources. The ASF appliance will execute these
operations and return the results in RESTful API responses. For the safety of ASF
RESTful API invocation, the administrator needs to include a valid credential in the
RESTful API requests. Otherwise, the ASF appliance will reject RESTful API
requests.

Every manageable system resource is identified by a URL, in the format of “http(s)://

management_ip:port/path[?query_name=value]”. For all RESTful APIs supported by
the appliance, refer to the ASF RESTful API Reference Guide.

The administrator can send RESTful API requests either using a RESTful API client
installed on the Web browser or using a programming tool such as Java, Python, or
Perl. For details, refer to the ASF RESTful API User Guide.

Before using the ASF RESTful API, you must enable the RESTful API service first.
To enhance the system security, the administrator can configure RESTful API source
IP address and/or source MAC address restriction rules to control the sources that are
allowed to access the RESTful API service.

 Configuration Example via CLI

To set the RESTful API listening IP, execute the following command:

AN(config)#restapi ip 192.168.1.100

To configure a RESTful API source IP restriction rule, execute the following

command:

AN(config)#restapi source 192.168.0.0 255.255.0.0

To configure a RESTful API source MAC address restriction rule, execute the
following command:

AN(config)#restapi srcmac 00:0c:29:0e:06:2e

2022 Array Networks, Inc.

To enable the RESTful API service, execute the following command:

AN(config)#restapi on https 9997

After the preceding configuration, the RESTful API service is enabled using the
HTTPS protocol and listening on IP 192.168.1.100 and port 9997.

To create an administrator account with the API access privilege, execute the
following command:

AN(config)#user rest password api

15.2.4 Enable Mode Settings

The system allows the administrator to set or change the password for accessing the
Enable mode.

 Configuration Example via CLI

Execute the following command to set or change the password for accessing the
Enable mode:

AN(config)#passwd enable 33

15.2.5 Config Mode Settings

The system allows the administrator to forcibly enter the Config mode when another
administrator is already in Config mode and set the command execution timeout when
the system loads the configurations.

 Configuration Example via CLI

Execute the following command to forcibly enter the Config mode when another
administrator is already in Config mode.

AN(config)#config terminal force

Execute the following command to set the command execution timeout when the
system loads the configurations.

AN(config)#system command timeout 200

15.2.6 USB Access Control

The system allows administrators to set access rights to USB devices.

 Configuration Example via CLI

Use the following command to disable the access rights to the USB device:

2022 Array Networks, Inc.

AN(config)#system usbaccess off

15.3 System Management

This section describes the system software version, ASF License, system upgrade,
system reboot and shutdown, email and alert.

15.3.1 System Software Version

To check the current version of ArrayOS software that is running, perform the
following operation:

Execute the “show version” command:

AN(config)#show version

ArrayOS Beta.ASF.1.0.3.30 build on Mon May 11 20:10:45 2020

Host name : AN
System CPU : Intel(R) Xeon(R) CPU
System RAM : 65765304 kbytes.
System boot time : Sun Jun 07 01:45:20 CST (+0800) 2020
Current time : Thu Jun 11 14:34:28 CST (+0800) 2020
System up time : 15 hrs, 20 mins
Platform Bld Date : Thu Jun 11 14:34:28 CST (+0800) 2020
Operation Mode Normal
ASL Version 1.1.3 released on July 24 2019
SSL HW : HW ( 1X56E+ ) Initialized
Power Supply : 2U, AC, 2-cords, Redundancy
Network Interface : 4 x Gigabit Ethernet copper 4 x 10Gigabit Ethernet fiber
Model : Array ASF 5800
Serial Number : 1630M0243953601406154315033541
Licensed Features : Clustering SSL SwCompression MultiLang DynRoute
IPv6 SWMaintenance WAF L7DDoS
License Key : 746d0e44-00b2866c-a7174f8d-5d75f608-293ab5da-ff000000-
0455d8ab-20180912-99999999
Subscribed Services : ASLupdate
Subscription License Key : 37bf8559-b619041a-05674f16-705c8c93-0c7865df-00000000
-00000001-20200426-20201218
Expiration Date Permanent

Array Networks Customer Support

Telephone : 1-877-992-7729 (1-877-99-ARRAY)

2022 Array Networks, Inc.

Email : [email protected]
Update : please contact support for instructions
Website : http://www.arraynetworks.com

Other Root Version

Alpha.ASF.1.0.0.293 build on Fri May 8 14:13:25 2020

15.3.2 ASF License

15.3.2.1 System License

The ASF system license authorizes users to use certain features. Before using an ASF
device, you need to import a valid system license to it.

 Configuration Example via CLI

1. Log into the CLI of the ASF appliance and collect the output of the “show
version” command.

2. Send the output of the “show version” command to Array Networks Customer
Support, Sales, or resellers to obtain a valid system license.

3. In the Config mode of the CLI, import the system license by executing the
“system license <key>” command.

AN(config)#system license
"33a7f79e-59ac3c08-8a564284-ad45f5e4-e7c83e00-00000000-1455d8ab-20170731-99999999"

15.3.2.2 Subscription License

The subscription license is used to authorize users to use security services provided by
Array Security Center (ASC), for example, ASL update. Currently, the subscription
license is required for automatic ASL update (“waf asl update auto on”), manual
ASL update (“waf asl update manual”) and switching the effective ASL version
(“waf asl version apply”).

 Configuration Example via CLI

1. Log into the CLI of the ASF appliance and collect the output of the “show
version” command.

2. Send the output of the “show version” command to Array Networks Customer
Support, Sales, or resellers to obtain a valid subscription license.

3. In the Config mode of the CLI, import the subscription license by executing the
“system sublicense <key>” command.

AN(config)#system sublicense
"37bf8559-b619041a-05674f16-705c8c93-0c7865df-00000000-00000001-20200426-20201218"

2022 Array Networks, Inc.

15.3.3 System Upgrade

Before upgrading the system to a new version, follow these preparation steps:

1. Contact Array Networks Customer Support to gain access to the software and
documentation repository. Contact your customer support representative or send
email to: [email protected].

2. Once you have received a password and confirmed with a customer support
engineer that the system needs an upgrade, you can download the new software
package using the Array Networks Website. You should download the new
software package to either a local Web server or an anonymous FTP server,
which is accessible from the ASF appliance. You just need to download the new
software package to your local host when using the ASF WebUI for upgrade.

Note: If a new ASL version is available in the new system version, the system
will not automatically upgrade the ASL after you perform a system update by
executing the “system update” command. To switch the current ASL to the
new version, you need to manually apply the new ASL version by executing
the the “waf asl version apply” command.

To upgrade the system to a new version, follow these steps:

 Configuration Example via CLI

1. Establish a Console or SSH connection and upgrade the system from an HTTP or
FTP URL of the software package by using the “system update” command.

2. When this command is executed, the system will import the new software
package from the specified HTTP or FTP URL and install the software package.
The new software version will take effect after a system reboot. You can choose
to let the new software version take effect immediately by an automatic system
reboot (immediate option) or take effect on the next system reboot (deferred
option).

For example, use the command to upgrade the system through an HTTP URL with the
immediate option:

AN(config)#system update http://10.3.0.20/build/ArrayOS-Beta_ASF_1_0_3_95.array

Before system upgrade, it is recommended to backup the system database.
Backup system database may take several minutes.
Type "YES" to confirm backup system database :NO
Backup was skipped by user.

2022 Array Networks, Inc.

This will upgrade your system from

http://10.3.0.20/asf/build/ArrayOS-Beta_ASF_1_0_3_95.array
Power outages or other systems failures may corrupt the system.
It is highly recommended that you save your configuration on an
external system prior to upgrading or downgrading.
Any configuration changes that have not been "saved" will be lost.
After a successful patch the system will be rebooted.

Array Networks, Inc.,

Type "YES" to confirm upgrade :

For example, use the command to upgrade the system through an HTTP URL and let
the new software version to take effect on the next system reboot:

AN(config)#system update http://10.3.0.20/build/ArrayOS-Beta_ASF_1_0_3_95.array

deferred
Before system upgrade, it is recommended to backup the system database.
Backup system database may take several minutes.
Type "YES" to confirm backup system database :NO
Backup was skipped by user.

This will upgrade your system from

http://10.3.0.20/asf/build/ArrayOS-Beta_ASF_1_0_3_95.array
After a successful patch, the new software version
will take effect on the next reboot.
Any configuration changes after this command, could
be synchronized to the new software version using
"write all deferred".

Array Networks, Inc.,

Type "YES" to confirm upgrade :

3. (Conditional) Manually reboot the system for the upgrade to take effect using the
“system reboot” command at a convenient time if you use the deferred option.

4. After the new software version takes effect, execute the “show version”
command to verify that the upgrade is successful.

15.3.4 System Reboot and Shutdown

15.3.4.1 System Reboot

 Configuration Example via CLI

2022 Array Networks, Inc.

To reboot the system, execute the following command:

AN(config)#system reboot

Note: When this command is executed, the system will record the status of the
VA instances. After the system reboot, the system will restore the VA
instances to previous status.

15.3.4.2 System Shutdown

The ASF appliance provides two options for system shutdown:

 poweroff (default value): indicates that the system is stopped, and the power is
turned off.

 halt: indicates that the system is stopped but the power is not turned off.

 Configuration Example via CLI

To shut down the system, execute either of the following commands:

AN(config)#system shutdown poweroff

AN(config)#system shutdown halt

15.3.5 System Email

For certain configured events (for example system alerts), the system will send alert
emails to the administrator. The system email function allows the administrator to set
the sender’s email address for the system email. Then the system can use the
configured email address as the sender when sending emails to the administrator.

 Configuration Example via CLI

To set the sender’s email address for the system email, execute the following
command:

AN(config)#system mail from "[email protected]"

15.3.6 System Disk Space Extension

To meet the disk space requirements for log storage, the system supports disk space
extension for the vASF instances deployed on AVX/VMWare/KVM platform. To
extend the disk space of the log partition extension, the administrator can first add an
extra disk to the vASF instance through the AVX/VMWare/KVM platform, and the
extra disk will be automatically added to the Disk Pool of the vASF instance. Then,
the administrator needs to allocate the free space of the Disk Pool to the log disk

2022 Array Networks, Inc.

partition for disk space expansion. The administrator can check the current system
disk usage status of the Disk Pool and log disk partition at any time.

Note:

 Only the vASF instance deployed with an image running ArrayOS ASF 1.0.3.6 or
above system supports this function.
 After the disk space extension is performed, the system cannot be rolled back to a
version that does not support the disk space extension function.

 CLI Configuration Example

To expand the disk space of the vASF instance deployed on AVX, perform the
following operations:

1. In vASF, confirm that the instance is using a version of ArrayOS ASF 1.0.3.6 or
above.

2. In AVX, use the following commands to add an extra disk to vASF.

AN(config)#va shutdown vASF01

AN(config)#va exdisk vASF01 exdisk1 10

3. In AVX, reboot the vASF instance. The extra disk will be automatically added to
the Disk Pool of vASF.

4. In vASF, use the “system disk extend” command to allocate the free space of the
Disk Pool to the log disk partition.

AN(config)#system disk extend

5. In vASF, use the “show system disk usage” command to view the current system
disk space usage.

AN(config)#show system disk usage

pool:
Total Size: 37.80 GiB
Alloc Size: 37.79 GiB
Free Size: 12.00 MiB
partition-log:
Size Used Avail Use%
23G 924M 22G 4%

2022 Array Networks, Inc.

15.4 System Alert

15.4.1 Alert Triggering

The system supports the security log aggregation-based alert triggering function. With
this function enabled, the system will aggregate security logs of a specified type at the
specified aggregation duration and trigger a security alert. By default, this function is
enabled.

 Configuration Example via WebUI

To enable the security log aggregation-based alert triggering function select System >
System Alert > Alert Triggering, set the Log Aggregation-based Alert Triggering
slider to ON, specify the Max Aggregation Duration parameter, and click Apply
Changes.

Figure 15–3 Enabling Security Log Aggregation-based Alert Triggering

 Configuration Example via CLI

To enable the security log aggregation-based alert triggering function, execute the
following command:

AN(config)#system alert aggregation security on 5

15.4.2 WebUI Alert Notification

The system supports the WebUI alert notification function. With this function enabled,
the WebUI will check whether any system alert is generated in the current notification
cycle. If any alert is generated and matches the notification filter, a WebUI alert
notification box will pop up to notify administrators. If no notification filter is
configured, the WebUI will notify administrators of all alerts. By default, this
function is enabled.

2022 Array Networks, Inc.

Figure 15–4 WebUI Alert Notification Box

 Configuration Example via WebUI

To enable the WebUI alert notification function, select System > System Alert >
Alert Notification, set the WebUI Alert Notification slider to ON, specify the
Notification Cycle parameter, and click Apply Changes.

Figure 15–5 Enabling WebUI Alert Notification

To filter the contents of WebUI alert notification, in the WebUI Notificaiton Filter
area, click the Add button. In the prompted Add a WebUI Notification Filter dialog
box, specify the parameters Category and Severity, and click the Confirm button.

Figure 15–6 Adding a WebUI Notificaiton Filter

 Configuration Example via CLI

2022 Array Networks, Inc.

1. To enable the WebUI alert notification function, execute the following command:

AN(config)#system alert notification webui on 1

2. To configure a WebUI notification filter, execute the following command:

AN(config)# system alert notification webui filter waf medium

15.4.3 Viewing Alerts

 WebUI Example

To view historical alert records, select Alert > Alert.

Figure 15–7 Viewing Historical Alerts

To view the details of an alert, click the alert ID, view the alert details and aggregated
security violation events in the Alert Details page. In the Violation table, click the
violation ID to switch to the page of the violation or attack log.

Figure 15–8 Viewing Alert Details

 CLI Example

To view historical alert records, execute the following command:

2022 Array Networks, Inc.

AN#show log alert

StartTime EndTime ObjectType ObjectName Category
AlertType Severity Count Description
SourceUid
2021-03-17 12:01:43 2021-03-17 12:06:42 security service vs1 waf
protocol medium 10 Detected protocol violations
0.1.2021.3.0.2.0000000015;0.1.2021.3.0.2.0000000016;0.1.2021.3.0.2.0000000017;0.1.2021.3.0.
2.0000000018;0.1.2021.3.0.2.0000000019;0.1.2021.3.0.2.0000000020;0.1.2021.3.0.2.000000002
1;0.1.2021.3.0.2.0000000022;0.1.2021.3.0.2.0000000023;0.1.2021.3.0.3.0000000016;
2021-03-10 11:43:00 2021-03-10 11:44:59 security service vs1 waf
protocol medium 6 -
0.1.2021.3.0.2.0000000000;0.1.2021.3.0.2.0000000001;0.1.2021.3.0.2.0000000002;0.1.2021.3.0.
2.0000000003;0.1.2021.3.0.2.0000000004;0.1.2021.3.0.3.0000000000;

The meanings of the fields in the alert records are described in the following table:

Field Meaning
StartTime Start time of the event associated with the alert.
EndTime End time of the event associated with the alert.
ObjectType Type of the object triggering the alert.
ObjectName Name of the object triggering the alert.
Category Category of the object triggering the alert.
AlertType Type of the alert
Severity Severity of the alert
Count Count of event logs aggregated for the alert
Description Description of the alert
Event IDs of attacks or violations aggregated for the alert (if more than
SourceUid 10 attacks or violations have been aggregated for the alert, only the IDs
of the latest 10 events are recorded.)

15.4.4 Disk Space Insufficiency Alert

When the disk space is insufficient, the system will send alerts to administrators via
Email or SNMP Traps.

15.4.4.1 Disk Space Insufficiency Alert via Email

After the disk space insufficiency alert via Email function is enabled, the appliance
will periodically detect the disk space usage of the system. If the disk usage exceeds
the configured threshold, an alert Email will be sent to the configured Email address.

 Configuration Example via WebUI

2022 Array Networks, Inc.

To enable the disk space insufficiency alert via Email function, select System >
System Alert > Disk Space Related System Alert, and set the Alert via Email
slider to ON, specify required parameters, and click Apply Changes.

Figure 15–9 Configure Disk Space Insufficiency Alert via Email

 Configuration Example via CLI

Configure the disk space insufficiency alert via Email function by executing the
following command:

AN(config)#system alert diskspace email on [email protected] 80 60

After this command is executed, the appliance will detect the usage of disk space
every 60 minutes. If the usage exceeds 80%, an alert Email will be sent to the
[email protected] address.

15.4.4.2 Disk Space Insufficiency Alert via SNMP Traps

After the disk space insufficiency alert via SNMP traps function is enabled, the
appliance will periodically detect the disk space usage of the system. If the usage
exceeds the configured threshold, an SNMP traps alert will be sent to the configured
SNMP traps host.

 Configuration Example via WebUI

To enable the disk space insufficiency alert via SNMP traps function, select System >
System Alert > Disk Space Related System Alert, and set the Alert via SNMP
slider to ON, specify required parameters, and click Apply Changes.

2022 Array Networks, Inc.

Figure 15–10 Configure Disk Space Insufficiency Alert via SNMP Traps Function

 Configuration Example via CLI

1. Enable disk space insufficiency alert via SNMP traps function.

AN(config)#snmp enable traps

2. Configure an SNMP traps host.

AN(config)#snmp host 192.168.1.100

3. Configure and enable the disk space insufficiency alert via SNMP traps function.

AN(config)#system alert diskspace snmp on 80 60

After this command is executed, the appliance will detect the usage of disk space
every 60 minutes. If the usage exceeds 80%, an SNMP traps alert will be sent to the
SNMP traps host “192.168.1.100”.

15.4.5 Security Alert

When the attacks suffered by the system meet certain conditions, the system will send
an alert to the administrator through Email or SNMP traps.

15.4.5.1 Security Alert via Email

After the security alert via Email function is enabled, the appliance will periodically
detect the number of attacks whose severity level is equal or greater than the
configured value. If the number exceeds the threshold, an alert Email will be sent to
the configured Email address.

 Configuration Example via WebUI

2022 Array Networks, Inc.

To enable the security alert via Email function, select System > System Alert >
Security Alert > Email Alert, in the Email Alert Filter section, click +. In the
prompted Add an Email Alert Filter window, specify the related parameters and
click Confirm. In the Email Alert section, set the Email Security Alert slider to ON,
specify required parameters, and click Apply Changes.

Figure 15–11 Configure Filter Conditions of the Security Alert via Email Function

Figure 15–12 Enable the Security Alert via Email Function

 Configuration Example via CLI

Configure and enable the security alert via Email function by executing the following
commands:

AN(config)#system alert security email filter [email protected] 60 5 100

AN(config)#system alert security email on

2022 Array Networks, Inc.

After this command is executed, the appliance will detect the number of attacks
whose severity level is equal or greater than the configured value every 60 minutes. If
the attack number exceeds 100, an alert Email will be sent to the [email protected]
address.

15.4.5.2 Security Alert via SNMP Traps

After the security alert via SNMP Traps function is enabled, the appliance will
periodically detect the number of attacks whose severity level is equal or greater than
the configured value. If the number exceeds the threshold, an SNMP traps alert will
be sent to the configured SNMP traps host.

 Configuration Example via WebUI

To enable the security alert via SNMP Traps function, select System > System
Alert > Security Alert > SNMP Alert, in the SNMP Alert section, set the SNMP
Security Alert slider to ON, specify required parameters, and click Apply Changes.

Figure 15–13 Configure and Enable the Security Alert via SNMP Traps Function

 Configuration Example via CLI

Configure and enable the security alert via SNMP Traps function by executing the
following commands:

AN(config)#system alert security snmp filter 60 5 1000

AN(config)#system alert security snmp on

After this command is executed, the appliance will detect the number of attacks
whose severity level is equal or greater than the configured value every 60 minutes. If
the attack number exceeds 1000, an SNMP traps alert will be sent to the configured
SNMP traps host.

2022 Array Networks, Inc.

15.4.6 ASL Event Alert

When specific ASL events occur, the system will send alerts to administrators via
Email or SNMP Traps. Currently, the system supports sending alerts when the
following ASL events occur:

 Failure to automatically apply the new ASL image

 Failure to automatically download the new ASL image

 A new version ASL image being available

15.4.6.1 ASL Event Alert via Email

When the ASL event alert via Email function is enabled, the appliance will
periodically detect the ASL events, and if any ASL event meets triggering conditions,
an alert email will be sent to the configured email address.

 Configuration Example via WebUI

To enable the ASL event alert via Email function, select System > System Alert >
ASL Alert, and set the Alert via Email slider to ON, specify required parameters,
and click Apply Changes.

Figure 15–14 Enabling ASL Event Alert via Email

 Configuration Example via CLI

Use the following CLI command to configure and enable the ASL event alert via
Email function.

AN(config)#system alert asl email on [email protected] A 60

When the preceding command is executed, the appliance will detect the ASL events
every 60 minutes. When any ASL event meets the triggering condition A (failure to
automatically apply the new ASL image), an alert email will be sent to the Email
address “[email protected]”.

2022 Array Networks, Inc.

15.4.6.2 ASL Event Alert via SNMP Traps

When the ASL event alert via SNMP traps function, the appliance will periodically
detect the ASL events, and if any ASL event meets triggering conditions, SNMP traps
alert will be sent to the configured SNMP traps host.

 Configuration Example via WebUI

To enable the ASL event alert via SNMP traps function, select System > System
Alert > ASL Alert, and set the Alert via SNMP slider to ON, specify required
parameters, and click Apply Changes.

Figure 15–15 Enabling ASL Event Alert via SNMP Traps

 Configuration Example via CLI

Use the following CLI command to configure and enable the ASL event alert via
SNMP traps function.

AN(config)#system alert asl snmp on D 60

When the above command is executed, the appliance will detect the ASL events every
60 minutes. When any ASL event meets the triggering condition D (failure to
automatically download the new ASL image), an SNMP traps alert will be sent to the
host configure via the “snmp host” command.

15.4.7 IRL-update Event Alert

The appliance supports setting alerts for IRL-update events, so that the administrator
can timely track the IRL update status. The alert function supports sending alerts via
Email or SNMP traps.

When this function is enabled, the appliance will periodically detect IRL-update
events. If any IRL-update event meets triggering conditions, an alert email will be
sent to the configured “email” address, or an SNMP traps alert will be sent to the
configured SNMP traps host.

2022 Array Networks, Inc.

15.4.7.1 IRL Event Alert via Email

 CLI Configuration Example

Enable and configure the IRL-update event Email alert function.

AN(config)#system alert ipreputation email on [email protected] all 60

After the above command is executed, the appliance will detect the IRL-update events
every 60 minutes. If the system fails to automatically download the IRL image or
apply the new IRL-update image, an alert email will be sent to the Email address
“[email protected]”.

15.4.7.2 IRL Event Alert via SNMP Traps

When this function is enabled, the appliance will periodically detect IRL-update
events. If any IRL-update event meets triggering conditions, an SNMP traps alert will
be sent to the configured SNMP traps host.

 CLI Configuration Example

4. Enable the SNMP traps function.

AN(config)#snmp enable traps

5. Configure SNMP traps host.

AN(config)#snmp host 192.168.1.100

6. Enable and configure the IRL-update event SNMP traps alert function.

AN(config)#system alert ipreputation snmp on [email protected] all 60

After the above command is executed, the appliance will detect IRL-update events
every 60 minutes. If the system fails to automatically download the IRL image or
apply the new IRL-update image, an SNMP traps alert will be sent to the SNMP trap
host “192.168.1.100”.

15.5 Configuration Management

15.5.1 Startup Configuration and Running Configuration

Startup configuration, also called saved configuration, refers to the configurations that
the system will load from the memory when the system starts up. Running
configuration refers to the configurations that the system is currently running. When

2022 Array Networks, Inc.

the system starts up, startup configuration equals to running configuration. After
adding, deleting and modifying configurations, you need to save the running
configuration as startup configuration. Otherwise, unsaved running configurations
will be lost at next system reboot.

15.5.1.1 Saving Running Configuration as Startup

Configuration
 Configuration Example via CLI

To save the running configuration as startup configuration, execute the following

command:

AN(config)#write memory

15.5.1.2 Restoring the Last Saved Configuration

You can cancel the configuration changes made since last save configuration
operation to restore the last saved configuration.

 Configuration Example via CLI

To restore the last saved configuration, execute the following command:

AN(config)#config memory

15.5.2 Backing Up and Restoring Running Configuration

You can back up the running configuration to a configuration backup file on the
system disk and restore the running configuration from the configuration backup file.

 Configuration Example via CLI

To back up the running configuration to a configuration file on the system disk, such
as “config_20180604”, execute the following command:

AN(config)#write file config_20180604

To restore the running configuration from the configuration backup file on the system
disk, execute the following command:

AN(config)#config file config_20180604

You can view all the configuration backup files by executing the “show config file”
command.

For example:

AN#show config file

Running configuration backup files:

2022 Array Networks, Inc.

length date/time name

488 June 04 2018 17:34:01 config_20180604

All configuration backup packages:

length date/time name
488 June 04 2018 17:34:01 config_20180604

15.5.3 Backing Up and Restoring Entire Configuration

You can back up the entire system configuration onto the system disk, or to a remote
Secure Copy (SCP) or Trivial File Transfer Protocol (TFTP) host. The configurations
will be saved as a compressed file, which contains three files: show_version,
backup.conf, and running.conf. The backup.conf file is a tarball package that contains
the following files:

 ca.conf

 System configuration files

 Private keys of SSL virtual hosts

 Certificates of SSL virtual hosts

 CSRs of SSL virtual hosts

 Intermediate certificates of SSL virtual hosts

 Root certificates of SSL virtual hosts

 SSL configuration files

 IP region files

 Crontab configuration

 WAF custom rule files

 Positive WAF whitelist files

 WAF content filtering configuration files

Also, you can restore the entire configuration from the configuration backup file
saved on the system disk or the SCP/TFTP host. For more information, refer to the
ASF CLI Handbook.

 Configuration Example via CLI

To back up the entire configuration to a configuration file on the system disk, such as
“config_20150323” (password:array), execute the following command:

AN(config)#write all file config_20150323 array

2022 Array Networks, Inc.

To back up the entire configuration to a remote SCP host, execute the following
command:

AN(config)#write all scp “10.8.2.115” test “/home/user/config_201600608.tgz” password1

To back up the entire configuration to a remote TFTP host, execute the following
command:

AN(config)#write all tftp “10.8.2.116” “config_20160608.tgz” password1

To restore the running configuration from the configuration backup file on the system
disk, execute the following command:

AN(config)#config all file config_20150323 array

To restore the entire configuration from the configuration backup file saved on the
remote SCP host, execute the following command:

AN(config)#config all scp “10.8.2.115” test “/home/user/config_201600608.tgz” password1

To restore the entire configuration from the configuration backup file saved on the
remote TFTP host, execute the following command:

AN(config)#config all tftp “10.8.2.115” test “config_20160608.tgz” password1

15.5.4 Clearing Configuration

The system provides three options for configuration clearance:

 All: clears the entire configuration on the ASF appliance.

 Primary: clears the primary network configuration on the ASF appliance,

inclduing the IP address, access lists, access groups, WebUI, SSH IP address,
Enable mode password, “array” account password, and etc. At the same time, all
the administrator accounts except “array” will be removed.

 Secondary: clears the entire configuration on the ASF appliance except the
primary network configuration.

 Configuration Example via CLI

1. To clear the entire configuration on the ASF appliance, execute the “clear config
all” command.

AN(config)#clear config all

2. To clear the primary network configuration on the ASF appliance, execute the
“clear config primary” command.

AN(config)#clear config primary

2022 Array Networks, Inc.

3. To clear the entire configuration on the ASF appliance except the primary
network configuration, execute the “clear config secondary” command.

AN(config)#clear config secondary

15.5.5 Configuration Synchronization

The configuration synchronization function of the ASF appliance allows

administrators to transfer configuration between multiple appliances on the same
network. You can use a series of commands of the configuration synchronization
function to manage and configure multiple appliances on the same network. You can
transfer configuration from one appliance to another appliance on the same network.
With the configuration synchronization function, you can quickly set up an
Active-Standby configuration. The following section will demonstrate how to use this
function.

Assume that the IP addresses of the two appliances are 192.168.1.1 and 192.168.1.2
respectively. If you need to synchronize the configuration of device 1 to device 2, you
need to perform the following configurations:

1. Enable configuration synchronization on device 1.

AN1(config)#synconfig challenge synpassword

AN1(config)#synconfig peer machine1 192.168.1.1
AN1(config)#synconfig peer machine2 192.168.1.2

2. Enable configuration synchronization on device2.

AN2(config)#synconfig challenge synpassword

AN2(config)#synconfig peer machine1 192.168.1.1
AN2(config)#synconfig peer machine2 192.168.1.2

3. Synchronize the configuration from device 1 to device 2.

AN1(config)#synconfig to machine2

Note: If packet filter is enabled for the interface that uses the “synconfig” command for
synchronization, you may need to add corresponding packet filtering rules so that packets
can be sent over the service port 65519 on the ASF appliance (ASF appliance and sync
node)

15.6 Database Management

System databases are used to store critical data of the attack, access, traffic statistics,
DDoS traffic learning result and other traffic. Based on the content saved in databases,
system databases can be divided into:

2022 Array Networks, Inc.

 WAF Attack Log databases: Store the Web attack logs.

 WAF Audit Log databases: Store the WAF audit logs.

 DDoS Attack Log databases: Store. the DDoS attack logs and alert logs.

 DDoS Traffic Baseline-Learning History databases: Store the history records of

the DDoS Traffic Baseline Learning.

 HTTP Access Log databases: Store the HTTP access logs.

 HTTP Filter Log databases: Store the HTTP filter logs.

 HTTP Brute Force Log databases: Store the HTTP brute force logs.

 HTTP File Control Violation Log databases: Store the HTTP file upload and
download violation logs.

 HTTP Pattern Violation databases: Store the HTTP pattern violation logs.

 HTTP URL Detection Result databases: Store the HTTP URL detection result.

 DNS Domain Filter Violation Log databases: Store DNS domain filter violation
logs.

 DNS Domain Rate Limiting Violation Log databases: Store DNS domain rate
limiting violation logs.

 DNS Domain Pollution Log databases: Store DNS domain pollution logs.

 DNS Domain Monitoring Record databases: Store DNS domain monitoring

records.

 IP Reputation Log databases: Store IP reputation logs.

 Traffic Statistics databases: Store the system traffic statistics.

 Packet Drop Statistics databases: Store the statistics of system missed packets.

 System Management databases: Store the logs of administrator login, logout and
management operations.

 GeoIP database: Stores the GeoIP data.

 Database Management database: Stores the database management logs.

The system supports backup, export, import and restore of the above types of database
files.

2022 Array Networks, Inc.

15.6.1 Database Backup

To avoid the loss of critical data, the administrator needs to back up the database
periodically and export the backup database to external storage.

The system supports the database automatic backup and manual backup.

The administrator can manually back up the database files when the system is not
busy. Database manual backup can back up all types of databases.

Besides, the system provides the automatic database backup function. The automatic
database backup function can back up all types of databases except the HTTP URL
Detection Result databases, System Management databases, GeoIP database and
Database Management database.

The implementation of automatic database backup function is divided into two steps:
generating automatic backup task and executing automatic backup task. Under the
following circumstances, the system will generate automatic backup tasks:

 When a single database file exceeds 100 MB, the system creates a new database
folder and generates an automatic backup task for the old database.

 When entering a new month, the system creates a new database folder and
generates an automatic backup task for the old database.

After the automatic backup task is generated, the system performs the automatic
backup tasks at the automatic backup time when the administrator sets the automatic
database backup. In addition, when the disk usage reaches the configured automatic
backup threshold, the system performs the automatic backup even if the specified
automatic backup time has not been reached.

 CLI Configuration Example

1. (Optional) Configure the encryption password.

AN(config)#database backup password "testadmin"

2. Back up the DDoS Attack Log databases of a specified period. For example:

AN(config)#database backup ddos attack "2018-10" "2018-11"

3. Display the details of the specified database backup file.

AN(config)#show database backup package "waf_audit.20191201000039"

Host name : AN
System CPU : Intel(R) Xeon(R) CPU
System RAM : 3879192 kbytes
Model : Array vASF
DiskUsage : 28% (file system)

2022 Array Networks, Inc.

Backup time : Sun Dec 01 00:00:39 GMT (+0000) 2019

Backup Passwd : j6Ylc2LM7Fi7k3sc3Rd+UQ==
Module : waf/audit
waf/audit/2019-11

4. Delete the specified database backup files.

AN(config)#no database backup package "waf_audit.20191201000039"

5. (Optional) Enable the automatic database backup function.

AN(config)#database backup auto on 10 30 70

15.6.2 Database Export

The system supports exporting the database backup files to the external storage,
which not only avoids the loss of critical database files, but also saves the disk space
by removing the original backed-up database files. The system supports manual
database export and daily database automatic export.

The administrator can manually export the database backup files when the system is
not busy. The administrator can delete the original database backup files after they are
successfully exported.

In addition, the administrator can configure the daily database automatic export to
achieve the purpose of automatic export of the database backup files.

 CLI Configuration Example

1. Configure the FTP URL address to which the database backup files are exported.
For example:

AN(config)#database export address 1 ftp://10.8.3.28/

2. Manually export the database backup files. For example:

AN(config)#database export manual package "ddos_attack.20191112065124" 1

3. Enable daily database automatic export. For example:

AN(config)#database export auto time "00:10"

15.6.3 Database Import

When the system disk failure results in data loss or incorrect deletion of database files,
the administrator can import the database backup file from the external storage to the
appliance and restore them. The system supports importing the database backup files
of the external storage back to the appliance.

2022 Array Networks, Inc.

 CLI Configuration Example

Import the database backup file to the appliance. For example:

AN(config)#database import package "ftp://10.8.3.28/waf_audit.20190710005313.db"

15.6.4 Database Restore

The system supports restoring the database backup files (including the local and
imported ones). If the database file to be restored already exists in the system, the
current database file will be overwritten when it is restored.

 CLI Configuration Example

1. Restore a local database backup file. For example:

AN(config)#database restore package backup "ddos_attack.20191112065124" admin 1

2. Restore an imported database backup file. For example:

AN(config)#database restore package import "ddos_attack.20191112065124" admin 1

15.6.5 Database Reset

The system supports resetting the database. After the database is reset, the data stored
in the database will be cleared and the database will be initialized.

 CLI Configuration Example

To reset the database, execute the following command:

AN(config)#database reset

15.6.6 Database Retention

The system supports configuring the databases retention policy to control the
retention period of historical databases. By default, the system automatically
determines the database retention period according to the remaining free disk space.

 Configuration Example via CLI

Assume that the current month is March. To reteain the databased of February and
March, execute the following command:

AN(config)#database preserve 1

2022 Array Networks, Inc.

Chapter 16 Admin Tools

16.1 Logging

16.1.1 Overview

This section introduces the logging function of the ASF appliance.

The logging mechanism used by the ASF appliance is Syslog compliant. The logging
subsystem is responsible for recording system errors and HTTP access information
during proxy application. Syslog is a standard program for Unix and there are also
Syslog implementations for Windows. On the Unix platform, syslog is started by the
syslogd daemon. The syslogd daemon listens at UDP 514 port and takes charge of
receiving and storing log messages from local machine or remote machine. The ASF
appliance supports sending log messages to three remote log servers.

16.1.2 Understanding Logging

16.1.2.1 Syslog Mechanism

Syslog is a protocol that is used for the transmission of alerts and event notifications
across networks.

Syslog logging has eight valid levels of log message severity: emerg, alert, crit, err,
warning, notice, info and debug. And the supported facilities are LOCAL0 to
LOCAL7. Administrators can view logs in the internal log buffer, select the transport
protocol, configure syslog source and destination ports, and set the severity of the
alerts on log message string match.

16.1.2.2 RFC 5424 Syslog

RFC5424 defines the standard format of syslog. The ASF appliance supports the RFC
5424 syslog function. When this function is enabled, the system will generate system
logs in the standard format defined by RFC 5424. The standard RFC 5424 format is
“<PRI>VER TIMESTAMP HOSTNAME APPNAME PROCID MSGID
STRUCTURED-DATA MSG-CONTENT”. (The PROCID and
STRUCTURED-DATA fields are not supported temporarily and are displayed as “-”.)
By default, the RFC 5424 syslog function is disabled. The RFC 5424 syslog function
takes effect only after the “log on” and “log rfc5424 on” commands are executed.

16.1.2.3 HTTP Access Logging

The HTTP access logging function records information about every HTTP request
and its response in a specific predefined format.

2022 Array Networks, Inc.

The HTTP access logging function supports four standard formats: Combined, WELF
(WebTrends Enhanced Log), Common and Squid. Administrators can define their
own logging format by using the “log http custom” command.

Note: The ASF appliance will record an HTTP access log only after the HTTP
communication between the client and the Web server is completed successfully.

16.1.2.4 Log Filtering

Log filtering is designed to filter logs to be sent to different log servers by matching
filter strings, which are configured using the “log filter” command.

Log filtering in ArrayOS allows administrators to collect only the logs that they are
interested in instead of having to collect all the logs. For example, the administrator of
“www.site1.com” may want to collect only the HTTP access logs for
“www.site1.com”. If knowing that these logs contain a keyword “site1.com”, the
administrator can create a filter for a log definition that captures only the logs that
match the keyword. The administrator will now have a log file that contains only the
desired logs.

If multiple log filters are set for a syslog host, the logs matching any one of the filter
strings will be sent to the syslog host.

16.1.2.5 Remote Syslog Host

Remote syslog hosts are the remote systems that log system log messages based the
syslog protocol. A maximum of six IPv4 or IPv6 remote syslog hosts can be
configured. When the system generates log messages, it will send them to the
configured remote syslog hosts.

You can configure a remote syslog host to receive all log messages by setting its ID to
0. Also, you can configure a remote syslog host to receive only a part of log messages
by not setting its ID to 0 and configure log filters for it. A maximum of 20 log filters
can be configured for a remote syslog host.

Note: Before configuring a remote syslog host, please make sure that the remote syslog
host is ready to receive log messages.

16.1.3 Logging Configuration

1. Enable the logging function.

By default, this function is disabled.

AN(config)#log on

2022 Array Networks, Inc.

2. Enable the RFC 5424 syslog function.

AN(config)#log rfc5424 on

3. Set the remote syslog host (log server) to which log messages will be sent.

The “log host” command is used to configure the log server to receive log messages
generated by ArrayOS. The log server IP address must be specified in dotted IP
format. The remote port is optional, and the default value is 514. The transport
protocol for the syslog messages can be either UDP or TCP and the default is UDP.

AN(config)#log host 10.2.37.1 514 udp 1

4. Configure log filters for the syslog host.

A maximum of three log filters can be configured one syslog host. Log filters cannot
be configured for the syslog host whose ID is 0. After the following command is
executed, only the logs matching the filter string are sent to the syslog host.

AN(config)#log filter 1 1 "index"

5. Change the minimum log level at which messages will be logged.

Once a log level is set, messages with level below the configured level will be ignored.
The default level is info.

AN(config)#log level err

6. Set the log facility that the ASF appliance used to record logs.

The “log facility” command is used to modify the facility used to record log messages.
The system reserves eight facilities for use: LOCAL0 to LOCAL7. The default
facility is LOCAL0.

AN(config)#log facility LOCAL0

7. Configure the HTTP access logging format.

AN(config)#log http squid

The administrator can configure the system to record HTTP access logs either in one
of the standard formats (Squid, WELF, Common or Combined) or in the customized
format.

8. Generate a test log.

The administrator can generate an emerg-level test log using the “log test” command.

AN(config)#log test

9. View and clear logs.

2022 Array Networks, Inc.

The administrator can view logs in the log buffer by using the “show log buff
{forward|backward} [match_str]” command. The parameters “backward” and
“forward” are used to display the logs that are generated latest and earliest
respectively.

AN(config)#show log buffer backward

start of buffer
<128>1 2012-07-17T06:35:26Z AN - - 100021002 - Array Networks test message

The administrator can clear logs from the log buffer by using the “clear log buff”
command.

AN(config)#clear log buffer

16.2 SNMP
The Simple Network Management Protocol (SNMP) framework consists of three
parts:

 Network Management System (NMS): is the system used to control and monitor
the activities of network hosts using SNMP.

 SNMP agent: The SNMP agent is the software component within the managed
device that maintains the data for the device and reports these data, as needed, to
managing systems.

 Management Information Base (MIB): The MIB is a virtual information storage

area for management information, which consists of managed objects for the
SNMP agent.

The system supports the Simple Network Management Protocol (SNMP) function.
When the SNMP function is enabled, an SNMP agent will be enabled in the system.
Array Networks provides a proprietary MIB file containing the managed objects of
the ASF appliance. Every managed object is assigned a unique Object ID (OID). For
more information about the SNMP OIDs supported by the ASF appliance, refer
to Appendix I SNMP OID List.

The SNMP agent supports SNMP versions v1, v2c and v3. The SNMP agent currently
can provide the following functions:

 Respond to the SNMP GET requests from the NMS

 Send SNMP Traps to the NMS

Both IPv4 and IPv6 NMSs are supported.

2022 Array Networks, Inc.

16.2.1 SNMP Request

The following figure shows the process of SNMP GET request.

Figure 16–1 SNMP GET Request

After importing the MIB file of the ASF appliance to an NMS and setting SNMP
parameters correctly, NMS users can initiate SNMP GET requests to obtain the values
of the OIDs in the MIB files. Then, the SNMP agent on the ASF appliance will return
the value of the queried OIDs by sending the SNMP GET responses.

When using SNMP v3, the SNMP agent can support the User-Based Security Model
(USM), which provides user authentication and privacy for the SNMP messages, and
the View-Based Access Control Model (VACM), which provides IP-based SNMP
access control. Both security models can be used when the SNMP v3 is used.

 When the USM is used, the SNMP agent responds only to the SNMP GET
requests sent from the NMS using a valid SNMP v3 user account. Therefore, to
use the USM, you need to create SNMP v3 user accounts for NMSs in the system.
A maximum of 16 SNMP v3 user accounts can be created.

 When the VACM is used, the SNMP agent responds only to the SNMP GET
requests whose source IPs match any of the configured “permit” SNMP access
control rules. Therefore, to use the USM, you need to enable the IP-based SNMP
access control function and configure “permit” SNMP access control rules.

16.2.2 SNMP Trap

The following figure shows the process of SNMP Trap.

2022 Array Networks, Inc.

Figure 16–2 SNMP Trap

The SNMP agent will send an SNMP Trap to the NMS when any of the following
conditions is met:

 Interface down or up

 Generation of a system log at the error or above level

 License expiration within 15 days

 System startup

 System shutdown

To allow an NMS to receive SNMP Traps from the SNMP agent, you should
configure the NMS as an SNMP Trap host on the ASF appliance. A maximum of 10
SNMP Trap hosts can be configured.

Note: The NMS does not resend responses to the SNMP agent and the
SNMP agent will not resend the SNMP Traps. Therefore, make sure the
SNMP Trap host configured using the “snmp host” command is reachable.

16.2.3 Configuration Example

16.2.3.1 Configuring the SNMP Agent

 Configuration Example via CLI

1. Set the SNMP community, for example:

AN(config)#snmp community privatepassword

2. (Optional) Set the contact information of the SNMP agent.

AN(config)#snmp contact admin

3. (Optional) Set the location information of the SNMP agent.

AN(config)#snmp location Beijing

4. (Optional) Configure SNMP access control, for example:

AN(config)#snmp ipcontrol on
AN(config)#snmp ippermit 192.168.0.0 255.255.0.0

5. Enable the SNMP agent on the ASF appliance, for example enabling the SNMP
agent supporting SNMP v3:

AN(config)#snmp on v3

2022 Array Networks, Inc.

To enable the SNMP agent supporting SNMP v1 and SNMP v2c, execute the “snmp
on default” command.

6. Configure an SNMP v3 user.

AN(config)#snmp v3user test test authNopriv

16.2.4 Configuring SNMP Traps

 Configuration Example via CLI

1. (Optional) Configure an SNMP trap host, for example:

AN(config)#snmp host 11.1.1.20 3 "ryan" "14" "1234567855" authNopriv

2. (Optional) Enable the SNMP Trap service, for example:

AN(config)#snmp enable traps

16.3 Troubleshooting

16.3.1 Debug

The system allows the administrator to collect debug data by executing the “debug
snapshot system” command. This command will take a snapshot for the system
activities and generate the sys_snap.tar.gz.gpg file.

The debug file can be exported to an external FTP server or SCP host.

 Configuration Example via CLI

To take a snapshot of the system activities, execute the following command:

AN(config)#debug snapshot system

To export the debug file to the external FTP server, execute the following command:

AN(config)#debug ftp admin 192.168.10.50 sys_snap

To export the debug file to the external SCP host, execute the following command:

AN(config)#debug scp "[email protected]:temp" sys_snap

16.3.2 Tools

The ASF appliance provides you with the following troubleshooting tools:

 Ping: checks the network connectivity to the specified IPv4 network host by
sending Internet Control Message Protocol (ICMP) echo requests.

2022 Array Networks, Inc.

 Ping6: checks the network connectivity to the specified IPv6 network host by
sending Internet Control Message Protocol Version 6 (ICMPv6) echo requests.

 Traceroute: traces the route to the specified IPv4 network host by sending three
packets to each intermediate node on this route.

 Traceroute6: traces the route to the specified IPv6 network host by sending three
packets to each intermediate node on this route.

 nslookup: domain name resolution.

 Configuration Example via CLI

To check the network connectivity to an IPv4 network host, execute the following
command:

AN>ping 10.8.6.50
AN>ping example.com

To check the network connectivity to an IPv6 network host, execute the following
command:

AN>ping6 2012::c
AN>ping6 ipv6.example.com

To trace the route to an IPv4 network host, execute the following command:

AN>traceroute 10.8.6.50
AN>traceroute ipv6.example.com

To trace the route to an IPv6 network host, execute the following command:

AN>traceroute6 2012::c
AN>traceroute6 ipv6.example.com

To resolve a domain name, execute the following command:

AN>nslookup example.com

16.3.3 Managing Remote Devices

The ASF appliance allows administrators to access remote devices via Telnet and
SSH to perform remote management tasks or assist owners of the remote devices for
troubleshooting issues.

To use the Telnet function on the ASF appliance, execute the “telnet "host port"”
command as follows:

AN#telnet “‘172.16.2.182 -4’”

Trying 172.16.2.182...

2022 Array Networks, Inc.

Connected to 172.16.2.182 -4.

Escape character is '^]'.
Trying SRA secure login:
User (root): array
Password:
[ SRA accepts you ].................succeed

To use the SSH function on the ASF appliance, execute the “ssh remote
"user@hostname"” command as follows:

AN#ssh remote "[email protected]"

[email protected]'s password:
Linux libh-server1 2.6.32-22-generic #33-Ubuntu SMP Wed Apr 28 13:27:30 UTC 2010 i686
GNU/Linux

Welcome to Ylmf_OS!
* Information: http://www.ylmf.com/

0 packages can be updated.

0 updates are security updates.

Last login: Wed Apr 20 00:39:35 2011 from 10.3.46.1

root@libh-server1:~#

2022 Array Networks, Inc.

Chapter 17 Packet Filtering

17.1 Overview
The packet filtering functionality of the ASF appliance allows you to create
permit/deny rules to filter packets passing through your network infrastructure. The
system supports the filtering of TCP, UDP and ICMP packets that are using the IPv4
or IPv6 address. By default, the packet filtering function is disabled on every
interface.

A application scenario of ASF packet filtering is as follows:

Figure 17–1 Application Scenario for Packet Filtering

Packet filtering provides tight control over who may and may not enter the network
by utilizing ASF’s ultra-fast rules engine. This function ensures virtually no
performance loss with up to 1,000 ACL rules, while never consuming more than one
percent of ArrayOS capability.

To use packet filtering, the administrator should create permit and deny packet
filtering rules, associate them with interfaces and then enable the packet filtering
function for the interface.

17.2 Packet Filtering Configuration

17.2.1 Configuration Scenario

Configure packet filtering on the ASF appliance to make sure it processes

management traffic and service traffic based on the following rules:

2022 Array Networks, Inc.

 Permit the IP address 10.10.10.30 to configure and manage the ASF appliance
through port 22 (for SSH access).

 Permit the IP address 10.10.10.30 to configure and manage the ASF appliance
through port 8888 (for New WebUI access).

 Permit all IP addresses except 10.10.10.30 to access the virtual IP address

10.10.0.10.

 Permit all clients on the internal network to ping the IP address of port2 interface
(192.168.10.1).

This configuration example is based on the network topology in the following figure.

Figure 17–2 Packet Filtering Configuration

17.2.2 Configuration Steps

 Configuring packet filtering rules

1. Permit the IP address 10.10.10.30 to configure and manage the ASF appliance by
using SSH at port 22

AN(config)#accesslist permit tcp 10.10.10.30 255.255.255.255 0 192.168.10.1 255.255.255.255

22 100

2. Permit the IP address 10.10.10.30 to configure and manage the ASF appliance by
using the new WebUI at port 8888.

AN(config)#accesslist permit tcp 10.10.10.30 255.255.255.255 0 192.168.10.1 255.255.255.255

8888 100

3. Permit all IP addresses except 10.10.10.30 to access the virtual IP address

10.10.0.10 through port 80.

2022 Array Networks, Inc.

AN(config)#accesslist permit tcp 0.0.0.0 0.0.0.0 0 10.10. 0.10 255.255.255.255 80 150

AN(config)#accesslist deny tcp 10.10.10.30 255.255.255.255 0 10.10. 0.10 255.255.255.255 0
150

4. Permit all IP address on the internal network to ping 192.168.10.1, IP address of

the port2 interface.

AN(config)#accesslist permit icmp echorequest 192.168.10.0 255.255.255.255 192.168.10.1

255.255.255.255 50
AN(config)#accesslist permit icmp echoreply 192.168.10.1 255.255.255.255 192.168.10.0
255.255.255.0 50

 Associating packet filtering rule with interfaces

1. Associates different types of packet filtering rules (with the packet filtering rule
ID 50) with a specified interface.

AN(config)#accessgroup 50 port2

2. Associates packet filtering rules (with the packet filtering rule ID 100) used for
management IP access with a specified interface.

AN(config)#accessgroup 100 port2

3. Associates packet filtering rules (with the packet filtering rule ID 150) related to
virtual IP addresses with a specified interface.

AN(config)#accessgroup 150 port1

 Enabling the Packet Filtering function

Execute the following command to enable the packet filtering function.

AN(config)#webwall port2 on
AN(config)#webwall port1 on

Before enabling the the packet filtering function, please note that:

 If you have configured a DNS server and need to enable packet filtering on the
interface through which DNS traffic will pass, you need to add corresponding
packet filtering rules to permit traffic on port 53.

 If you need to enable packet filtering on the interface where the “synconfig to” or
“synconfig from” command is applied, you need to manually add packet filtering
rules to permit traffic on port 65,519; otherwise, configuration synchronization
will fail.

After the packet filtering function is enabled, if you need to adjust configurations,
please note that the SSH or WebUI session in use might be terminated due to
misconfigurations.

2022 Array Networks, Inc.

 Verification and Troubleshooting

After finishing configurations, you can use the “show accesslist” and “show
accessgroup” commands to check the configurations.

AN(config)#show accesslist
accesslist permit tcp 10.10.10.30 255.255.255.255 0 192.168.10.1 255.255.255.255 22 100
accesslist permit tcp 10.10.10.30 255.255.255.255 0 192.168.10.1 255.255.255.255 8888 100
accesslist permit tcp 0.0.0.0 0.0.0.0 0 10.10. 0.10 255.255.255.255 80 150
accesslist deny tcp 10.10.10.30 255.255.255.255 0 10.10. 0.10 255.255.255.255 0 150
accesslist permit icmp echorequest 192.168.10.0 255.255.255.255 192.168.10.1 255.255.255.255
50
accesslist permit icmp echoreply 192.168.10.1 255.255.255.255 192.168.10.0 255.255.255.0 50
AN(config)#show accessgroup
accessgroup 50 port2
accessgroup 100 port2
accessgroup 150 port1

If packet filtering rules are complicated, keep your configurations simple. With
multiple packet filtering rules, you can apply them once at a time to check which
packet filtering rule is causing problems. You can disable the packet filtering function
to determine if the function itself is indeed causing the problem.

To view the interfaces on which packet filtering is enabled, run the “show interface”
command. For example:

AN(config)#show webwall
webwall "port2" on 0
webwall "port3" on 0

SNMP OID List

The total number of packets that higher-level protocols requested
be transmitted, and which were addressed to a multicast or
.1.3.6.1.4.1.7564.23.4.1.13
broadcast address at this sub-layer, including those that were
discarded or not sent.
For packet-oriented interfaces, the number of outbound packets
that could not be transmitted because of errors. For
.1.3.6.1.4.1.7564.23.4.1.14 character-oriented or fixed-length interfaces, the number of
outbound transmission units that could not be transmitted
because of errors.
.1.3.6.1.4.1.7564.23.4.1.15 The IP address type of infIpv4Address(should always ipv4).
.1.3.6.1.4.1.7564.23.4.1.16 The interface's IPv4 address.
.1.3.6.1.4.1.7564.23.4.1.17 The IP address type of infIpv6Address(should always ipv6).
.1.3.6.1.4.1.7564.23.4.1.18 The interface's IPv6 address.
The inbound throughput (bits/second) of the interfaces in the last
.1.3.6.1.4.1.7564.23.4.1.19
five minutes.
The outbound throughput (bits/second) of the interfaces in the
.1.3.6.1.4.1.7564.23.4.1.20
last five minutes.
The number of packets delivered from this sub-layer to a higher
.1.3.6.1.4.1.7564.23.4.1.21
sub-layer by using a multicast address at this sub-layer.

The total number of packets that higher-level protocols requested

.1.3.6.1.4.1.7564.23.4.1.22 to be transmitted by using a multicast address at this sub-layer,
including those were discarded or not sent.

The number of packets delivered from this sub-layer to a higher

.1.3.6.1.4.1.7564.23.4.1.23
sub-layer by using a broadcast address at this sub-layer.
The total number of packets that higher-level protocols requested
.1.3.6.1.4.1.7564.23.4.1.24 to be transmitted using a broadcast address at this sub-layer,
including those were discarded or not sent.
An estimate of the interface's current bandwidth in 1,000,000 bits
per second. For interfaces which do not vary in bandwidth or for
.1.3.6.1.4.1.7564.23.4.1.25 those where no accurate estimation can be made, this object
should contain the nominal bandwidth. For a sub-layer which has
no concept of bandwidth, this OID should be zero.

The operating mode of the interface - unknown (0), half-duplex

.1.3.6.1.4.1.7564.23.4.1.26
(1), full-duplex (2).

The number of syslog notifications that have been sent. This

number may include notifications that were prevented from being
transmitted due to reasons such as resource limitations and/or
.1.3.6.1.4.1.7564.24.1.1
non-connectivity. If one is receiving notifications, one can
periodically poll this object to determine if any notifications were
missed. If so, a poll of the logHistoryTable might be appropriate.

2022 Array Networks, Inc.

SNMP OID List

Indicates whether logMessageGenerated notifications will or will
not be sent when a syslog message is generated by the device.
.1.3.6.1.4.1.7564.24.1.2
Disabling notifications does not prevent syslog messages from
being added to the logHistoryTable.
Indicates which syslog severity levels will be processed. Any
syslog message with a severity value greater than this value will
.1.3.6.1.4.1.7564.24.1.3 be ignored by the agent. note: severity numeric values increase as
their severity decreases, e.g. error(3) is more severe than
debug(7).
The upper limit on the number of entries that the logHistoryTable
may contain. A value of 0 will prevent any history from being
.1.3.6.1.4.1.7564.24.2.1
retained. When this table is full, the oldest entry will be deleted
and a new one will be created.
A table of syslog messages generated by this device. All
.1.3.6.1.4.1.7564.24.2.2 'interesting' syslog messages (i.e. severity <= logMaxSeverity)
are entered into this table.

A syslog message that was previously generated by this device.

.1.3.6.1.4.1.7564.24.2.2.1
Each entry is indexed by a message index.

A monotonically increasing integer for the sole purpose of

.1.3.6.1.4.1.7564.24.2.2.1.1 indexing messages. When it reaches the maximum value the
agent flushes the table and wraps the value back to 1.
.1.3.6.1.4.1.7564.24.2.2.1.2 The severity of the message.
The text of the message. If the text of the message exceeds 255
bytes, the message will be truncated to 254 bytes and a '*'
.1.3.6.1.4.1.7564.24.2.2.1.3
character will be appended, indicating that the message has been
truncated.

When a syslogTrap message is generated by the device a

2022 Array Networks, Inc.

Abbreviation/Acronym Full Spelling

RFC Request For Comments
RIPv1 Routing Information Protocol version 1
RIPv2 Routing Information Protocol version 2
RPC Remote Procedure Call
RPS Requests per Second
RTSP Real Time Streaming Protocol
RTT Round Trip Time
SCP Session Control Protocol
SIEM Security Information and Event Management
SMTP Simple Mail Transfer Protocol
SNI Server Name Indication
SNMP Simple Network Management Protocol
SQL Structured Query Language
SSH Secure Shell Protocol
SSL Secure Sockets Layer
SSLv3 Secure Sockets Layer version 3
TACACS Terminal Access Controller Access Control System
TCI Tag Control Information
TCL Tools Command Language
TCP Transmission Control Protocol
TELNET Terminal Emulation Protocol in a TCP/IP Environment
TFTP Trivial File Transfer Protocol
TLS Transport Layer Security Protocol
TSO TCP Segmentation Offload
TTL Time to Live
UDP User Datagram Protocol
URI Uniform Resource Identifier
URL Uniform Resource Locator
USM User-Based Security Model
VACM View-Based Access Control Model
VCI VLAN Control Information
VCID Virtual Cluster ID
VIP Virtual IP
VPID VLAN Protocol Identifier
VLAN Virtual Local Area Network
VRRP Virtual Router Redundancy Protocol
WAF Web Application Firewall
WebUI Web User Interface
WELF WebTrends Enhanced Log Format
XSS Cross Site Scripting

2022 Array Networks, Inc.

Basic Configuration AFS
0% (1)
Basic Configuration AFS
180 pages
Sample Assessment Questions
No ratings yet
Sample Assessment Questions
31 pages
Lesson4 Peripheral Devices
75% (4)
Lesson4 Peripheral Devices
4 pages
APV App WebUI
No ratings yet
APV App WebUI
317 pages
Array Networks
No ratings yet
Array Networks
511 pages
Array Network - Webui
No ratings yet
Array Network - Webui
68 pages
Array User Guide PDF
No ratings yet
Array User Guide PDF
305 pages
Array Network - App User Guide PDF
No ratings yet
Array Network - App User Guide PDF
313 pages
Impinj XArray XSpan Installation and Operations Guide 6.4
No ratings yet
Impinj XArray XSpan Installation and Operations Guide 6.4
59 pages
Cisco Aironet 350 340 AP350higp
No ratings yet
Cisco Aironet 350 340 AP350higp
70 pages
Catalogo 3COM
No ratings yet
Catalogo 3COM
91 pages
Apple Pro Training Series Xsan
No ratings yet
Apple Pro Training Series Xsan
175 pages
Cisco Aironet Access Point Hardware Installation Guide: 340 Series and 350 Series
No ratings yet
Cisco Aironet Access Point Hardware Installation Guide: 340 Series and 350 Series
68 pages
Cisco Catalyst 9136 Series Access Point Hardware Installation Guide
No ratings yet
Cisco Catalyst 9136 Series Access Point Hardware Installation Guide
84 pages
20100601-004151-Array Quick Install Guide XN8-16 RevA
No ratings yet
20100601-004151-Array Quick Install Guide XN8-16 RevA
12 pages
0926231818M1353 Inv#6101812
No ratings yet
0926231818M1353 Inv#6101812
1 page
Cisco Application Centric Infrastructure Fabric Hardware Installation Guide
No ratings yet
Cisco Application Centric Infrastructure Fabric Hardware Installation Guide
28 pages
Arbor APS STT Unit 01 Design Basics 25 Jan2018
No ratings yet
Arbor APS STT Unit 01 Design Basics 25 Jan2018
31 pages
Sophos Operating Instructions XG 86 86w Rev1 Oina
No ratings yet
Sophos Operating Instructions XG 86 86w Rev1 Oina
6 pages
Solarwinds Network Management Guide: Revision: H2Cy10
No ratings yet
Solarwinds Network Management Guide: Revision: H2Cy10
17 pages
IEC61850 IBS Startup A3 EN
No ratings yet
IEC61850 IBS Startup A3 EN
98 pages
Network Warrior 1st Ed Edition Gary A. Donahue Full Access
100% (1)
Network Warrior 1st Ed Edition Gary A. Donahue Full Access
152 pages
TEW-410APB Wireless 802.11g AP: User's Manual
No ratings yet
TEW-410APB Wireless 802.11g AP: User's Manual
24 pages
Asr920 Hig
No ratings yet
Asr920 Hig
100 pages
ERS CLI Commands Ref
No ratings yet
ERS CLI Commands Ref
488 pages
Asr 920
No ratings yet
Asr 920
100 pages
Guide c07 744925 - Sensor
No ratings yet
Guide c07 744925 - Sensor
88 pages
AP-0622 Access Point: Installation Guide
No ratings yet
AP-0622 Access Point: Installation Guide
40 pages
Net App Diag
No ratings yet
Net App Diag
481 pages
Cisco Aironet 1130AG Series Access Point Hardware Installation Guide
No ratings yet
Cisco Aironet 1130AG Series Access Point Hardware Installation Guide
132 pages
CyberCity - Deployment Manual - V1.3.0
No ratings yet
CyberCity - Deployment Manual - V1.3.0
104 pages
Ug Tew-510apb
No ratings yet
Ug Tew-510apb
29 pages
Day 59 Slides - Network Automation
No ratings yet
Day 59 Slides - Network Automation
28 pages
AXIS 213 PTZ User Guide - Textmark
No ratings yet
AXIS 213 PTZ User Guide - Textmark
54 pages
99-Book 1718674 294551 0
No ratings yet
99-Book 1718674 294551 0
9 pages
Hardware CISCO
No ratings yet
Hardware CISCO
52 pages
Awesome Cisco IOS Commands and Tricks - Helpful Cisco IOS Commands To Make Your Life A Breeze
100% (2)
Awesome Cisco IOS Commands and Tricks - Helpful Cisco IOS Commands To Make Your Life A Breeze
119 pages
Apple Pro Training Series Xsan Quick Reference Guide 2nd Edition Adam Green
No ratings yet
Apple Pro Training Series Xsan Quick Reference Guide 2nd Edition Adam Green
28 pages
SA-250 Server Installation Guide 7 2 U1 PDF
No ratings yet
SA-250 Server Installation Guide 7 2 U1 PDF
51 pages
Cisco Press - Datacenter Design and Implementation
No ratings yet
Cisco Press - Datacenter Design and Implementation
85 pages
Unifi AP Ac M Pro QSG
No ratings yet
Unifi AP Ac M Pro QSG
28 pages
Mico MC 212 User Guide
No ratings yet
Mico MC 212 User Guide
68 pages
ExtremeWireless WiNG AP7662i - AP7662 Access Point Installation Guide
No ratings yet
ExtremeWireless WiNG AP7662i - AP7662 Access Point Installation Guide
41 pages
XAV2001 UM 1mar11
No ratings yet
XAV2001 UM 1mar11
27 pages
Configuring CISCO C-SM-16P4M2X EtherSwitch Service Module.
No ratings yet
Configuring CISCO C-SM-16P4M2X EtherSwitch Service Module.
124 pages
B Catalyst 8300 Series Edge Platforms Hig
No ratings yet
B Catalyst 8300 Series Edge Platforms Hig
126 pages
Maxserver Getting Started
No ratings yet
Maxserver Getting Started
164 pages
AIRNET 54Mb Indoor High Power AP Quick Configuration Guide
No ratings yet
AIRNET 54Mb Indoor High Power AP Quick Configuration Guide
15 pages
Cisco ONS 15216 EDFA2/EDFA2-A Operations Guide: Product and Software Release 2.4 July 2004
No ratings yet
Cisco ONS 15216 EDFA2/EDFA2-A Operations Guide: Product and Software Release 2.4 July 2004
252 pages
9ARD000015-510 - en AC 800M 5.1 Ethernet IP DeviceNet Installation PDF
No ratings yet
9ARD000015-510 - en AC 800M 5.1 Ethernet IP DeviceNet Installation PDF
80 pages
Switch ABB F60
No ratings yet
Switch ABB F60
148 pages
Xsan 2 Admin Guide
No ratings yet
Xsan 2 Admin Guide
140 pages
Nexus 9348gcfxp
No ratings yet
Nexus 9348gcfxp
66 pages
FortiAP U43xF Deployment Guide PDF
No ratings yet
FortiAP U43xF Deployment Guide PDF
32 pages
Mega Guide CCNA 640-802
No ratings yet
Mega Guide CCNA 640-802
182 pages
BRKRST 2377
No ratings yet
BRKRST 2377
98 pages
Cyberint Takedown Services Datasheet Mar 24 1713268675336001slsN - Cleaned
No ratings yet
Cyberint Takedown Services Datasheet Mar 24 1713268675336001slsN - Cleaned
4 pages
Radware DefensePro Integration and Mitigation Process Guide - Cleaned
No ratings yet
Radware DefensePro Integration and Mitigation Process Guide - Cleaned
20 pages
Cybersecurity Tools: SIEM vs. XDR
No ratings yet
Cybersecurity Tools: SIEM vs. XDR
10 pages
Brksec 3004
No ratings yet
Brksec 3004
126 pages
Partner's Guide to UTD Workshops
No ratings yet
Partner's Guide to UTD Workshops
1 page
ESG Showcase Stellar Cyber Solutions Mar 2020
No ratings yet
ESG Showcase Stellar Cyber Solutions Mar 2020
5 pages
Boost Cybersecurity with SLR
No ratings yet
Boost Cybersecurity with SLR
2 pages
Cisco Product Icons: Hub Router/Hub
No ratings yet
Cisco Product Icons: Hub Router/Hub
8 pages
URL Rewrite and Responder With Citrix NetScaler
No ratings yet
URL Rewrite and Responder With Citrix NetScaler
36 pages
Open Source MGMT Options
100% (1)
Open Source MGMT Options
151 pages
FortiGate - 400D Datasheet
No ratings yet
FortiGate - 400D Datasheet
4 pages
Configurar Camara LPR
No ratings yet
Configurar Camara LPR
11 pages
Ram Concept
100% (1)
Ram Concept
558 pages
Ganttproject Manual
No ratings yet
Ganttproject Manual
24 pages
Catálogo 2021 - Redfil 1
No ratings yet
Catálogo 2021 - Redfil 1
48 pages
Smart Classroom Tech for Educators
No ratings yet
Smart Classroom Tech for Educators
4 pages
CSL QB
No ratings yet
CSL QB
8 pages
Programming & Algorithms Guide
No ratings yet
Programming & Algorithms Guide
122 pages
Revised Energy Account Notice
No ratings yet
Revised Energy Account Notice
17 pages
A 219
No ratings yet
A 219
1 page
Inventory and Procurement List
No ratings yet
Inventory and Procurement List
6 pages
TM CVT Nissan Note
100% (1)
TM CVT Nissan Note
257 pages
2021-01 HK Engineer
100% (1)
2021-01 HK Engineer
52 pages
Biotechnology Book
No ratings yet
Biotechnology Book
1 page
Chapter 7 - Fault Code
No ratings yet
Chapter 7 - Fault Code
34 pages
Import Duty and Tax Structure For Buses
No ratings yet
Import Duty and Tax Structure For Buses
4 pages
Mikrotik Transparent Traffic Shaper Guide
No ratings yet
Mikrotik Transparent Traffic Shaper Guide
9 pages
12P6523F
100% (1)
12P6523F
5 pages
MX Datasheet
No ratings yet
MX Datasheet
12 pages
The Productization Effect-White Paper
No ratings yet
The Productization Effect-White Paper
21 pages
CleverAds: Global Ad Network & Services
No ratings yet
CleverAds: Global Ad Network & Services
59 pages
EWSD Overview
No ratings yet
EWSD Overview
39 pages
AI Tools For Software Developers Part One
No ratings yet
AI Tools For Software Developers Part One
19 pages
LAB Digital Assignment I: Faculty: Prof. Jayakumar Sadhasivam
100% (1)
LAB Digital Assignment I: Faculty: Prof. Jayakumar Sadhasivam
2 pages
Account Certification User Guide
No ratings yet
Account Certification User Guide
16 pages
580CT10324-REV03 B
No ratings yet
580CT10324-REV03 B
20 pages
2024 Mid Sem Question Paper
No ratings yet
2024 Mid Sem Question Paper
14 pages
GSM Training Manual PDF
100% (1)
GSM Training Manual PDF
96 pages
Service DEH-4000UB, 3050UB
No ratings yet
Service DEH-4000UB, 3050UB
77 pages