You can use FastNetMon Advanced as a DDoS sensor for Radware DefenseFlow. In this setup FastNetMon detects the attack and triggers mitigation through the Radware DefenseFlow and APSVision API.
Capabilities
The integration tool supports two notification modes:
- Per host attack alerts
- Per hostgroup attack alerts
It also provides:
- Full IPv6 support
- Baseline information (enabled with the pass_baseline option in the configuration file)
For per-host attack alerts FastNetMon passes the following information:
- Hostgroup, used as the Protected Object name on the DefenseFlow side
- Attack performance (traffic rate)
- Attack protocol: UDP, TCP, ICMP or OTHER
- Attack source port
- Attack destination port
- Up to 50 source hosts (/32)
- The host affected by the attack (/32)
For per-hostgroup attacks less information is available, because FastNetMon does not capture a traffic sample for this alert type:
- Hostgroup, used as the Protected Object name on the DefenseFlow side
- Attack performance (traffic rate)
- List of all networks which belong to the hostgroup
Configure DefenseFlow
As a first step, create a Protected Object in DefenseFlow and make sure its protected networks are specified. FastNetMon passes the hostgroup as the protected object, so the Protected Object should correspond to the hostgroup you will configure in FastNetMon.
Configure integration
The configuration uses JSON format. Create the file /etc/fastnetmon_radware.json with the following content:
{
  "log_path": "/tmp/fastnetmon_radware_go_notify_script.log",
  "vision_ip": "192.168.1.38",
  "vision_username": "radware",
  "vision_password": "radware",
  "skip_ssl_verification": true,
  "skip_source_networks": true,
  "pass_baseline": false,
  "clickhouse_host": "127.0.0.1",
  "clickhouse_port": 9000,
  "clickhouse_database": "fastnetmon",
  "clickhouse_user": "default",
  "clickhouse_password": ""
}
Two points to check before using this file in production. The file stores the Vision credentials in clear text, so restrict its permissions to the user FastNetMon runs as. Setting skip_ssl_verification to true disables certificate validation for the Vision API, which means the credentials are sent to whatever host answers at vision_ip; use it only for testing with a self-signed certificate and set it to false once Vision has a certificate your system trusts.
HA (a secondary Vision instance) is supported for this integration. Enable it by adding the following keys to the same file:
  "secondary_vision": true,
  "secondary_vision_ip": "11.11.11.11",
  "secondary_vision_username": "radware",
  "secondary_vision_password": "secret_password",
You can also manage the plugin configuration with fcli:
sudo fcli set plugin radware_defense_flow vision_ip 192.168.1.38
sudo fcli set plugin radware_defense_flow vision_username admin
sudo fcli set plugin radware_defense_flow vision_password radware
sudo fcli set plugin radware_defense_flow log_path /tmp/fastnetmon_radware_go_notify_script.log
sudo fcli set plugin radware_defense_flow skip_source_networks enable
sudo fcli set plugin radware_defense_flow skip_ssl_verification enable
Configure FastNetMon for per-host callbacks
Before enabling this integration, make sure you have configured hostgroups according to the official hostgroup guide.
To enable per-host callbacks, point FastNetMon at the integration tool as its notify script:
sudo fcli set main notify_script_enabled enable
sudo fcli set main notify_script_format json
sudo fcli set main notify_script_path /opt/fastnetmon/libraries/radware_plugin/radware_notify_script
sudo fcli commit
To confirm the integration works, run a test ban:
sudo fcli set blackhole 11.22.33.44
To unban the host, first list the current blackholes:
sudo fcli show blackhole
Then use the UUID shown next to the blocked host to remove the block:
sudo fcli delete blackhole 777f81c4-e352-4c69-a193-7a82ee429562
(replace this UUID with the real one from the previous command)
Configure FastNetMon for per-hostgroup callbacks
In this mode FastNetMon alerts DefenseFlow when the total traffic to a hostgroup (protected object) exceeds the threshold configured for that hostgroup.
sudo fcli set main notify_script_hostgroup_enabled enable
sudo fcli set main notify_script_hostgroup_path /opt/fastnetmon/libraries/radware_plugin/radware_notify_script
sudo fcli commit
Run test block:
sudo fcli set hostgroup_block test_total_group
To unblock, list all blocks:
sudo fcli show hostgroup_block
And unblock it using the UUID from the previous command:
sudo fcli delete hostgroup_block {uuid}
Known issues
In the current version of the integration DefenseFlow cannot withdraw the mitigation when the source network list in the unblock callback does not match the source network list in the block callback. Until this is fixed, keep source networks out of the callbacks by leaving this option enabled:
"skip_source_networks": true
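The configuration file from the "Configure integration" section and the known issue above both come down to a handful of settings that are easy to get wrong before the first real attack hits. The following linter is an added example, not part of FastNetMon or the Radware plugin: it loads /etc/fastnetmon_radware.json, checks the keys shown on this page, warns about skip_ssl_verification, the vendor default password and a skip_source_networks value other than true, verifies the HA and baseline keys are complete when those features are enabled, and checks that the file is not readable by other users. The 0600 permission check and the severity labels are this example's own choices, not plugin requirements.

```python
"""Lint /etc/fastnetmon_radware.json before enabling the Radware plugin.

Added example; not code from FastNetMon or the Radware plugin. It only knows the
keys shown on this page. The permission check and severity labels are assumptions
of this example.
"""
import json
import os
import stat
import sys

REQUIRED = ("vision_ip", "vision_username", "vision_password", "log_path")
HA_KEYS = ("secondary_vision_ip", "secondary_vision_username",
           "secondary_vision_password")
BASELINE_KEYS = ("clickhouse_host", "clickhouse_port", "clickhouse_database")


def lint_config(cfg):
    """Return a list of (severity, message) findings for a parsed config dict."""
    findings = []
    for key in REQUIRED:
        if not cfg.get(key):
            findings.append(("error", "missing or empty required key: %s" % key))
    # Credentials are stored in clear text; an empty password or the vendor
    # default from the documentation example should not reach production.
    if cfg.get("vision_password") in ("", "radware"):
        findings.append(("warning", "vision_password is empty or the vendor default"))
    # Disabling certificate validation means the Vision credentials go to
    # whatever host answers at vision_ip.
    if cfg.get("skip_ssl_verification") is True:
        findings.append(("warning", "skip_ssl_verification is enabled; "
                                    "Vision API calls are not authenticated by certificate"))
    # Known issue on this page: DefenseFlow cannot withdraw the mitigation when
    # the source network list differs between block and unblock callbacks.
    if cfg.get("skip_source_networks") is not True:
        findings.append(("warning", "skip_source_networks should be true (see Known issues)"))
    # HA needs all three secondary_* keys once secondary_vision is switched on.
    if cfg.get("secondary_vision") is True:
        for key in HA_KEYS:
            if not cfg.get(key):
                findings.append(("error", "secondary_vision enabled but %s is missing" % key))
    # Baseline information is read from ClickHouse, so those keys must exist.
    if cfg.get("pass_baseline") is True:
        for key in BASELINE_KEYS:
            if key not in cfg:
                findings.append(("error", "pass_baseline enabled but %s is missing" % key))
    return findings


def lint_json_text(text):
    """Parse a JSON document and lint it; malformed JSON is itself an error."""
    try:
        cfg = json.loads(text)
    except ValueError as exc:
        return [("error", "invalid JSON: %s" % exc)]
    if not isinstance(cfg, dict):
        return [("error", "top-level JSON value must be an object")]
    return lint_config(cfg)


def lint_file(path):
    """Lint a config file on disk, including its permission bits (0600 assumed)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("warning", "%s is readable by group/other (mode %04o); "
                                    "it holds the Vision password" % (path, mode)))
    with open(path) as fh:
        return findings + lint_json_text(fh.read())


# Constructed sample: the configuration shown on this page, kept inline so the
# example runs without the real /etc/fastnetmon_radware.json.
SAMPLE_CONFIG = """{
  "log_path": "/tmp/fastnetmon_radware_go_notify_script.log",
  "vision_ip": "192.168.1.38", "vision_username": "radware",
  "vision_password": "radware", "skip_ssl_verification": true,
  "skip_source_networks": true, "pass_baseline": false,
  "clickhouse_host": "127.0.0.1", "clickhouse_port": 9000,
  "clickhouse_database": "fastnetmon", "clickhouse_user": "default",
  "clickhouse_password": ""
}"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    results = lint_file(path) if path else lint_json_text(SAMPLE_CONFIG)
    for severity, message in results:
        print("%s: %s" % (severity.upper(), message))
    sys.exit(1 if any(s == "error" for s, _ in results) else 0)
```

Run it as `python3 lint_radware_config.py /etc/fastnetmon_radware.json` after writing the file and before `fcli commit`; with no argument it lints the inline sample, which yields the two warnings (default password, certificate validation off) you would expect from the documentation example. A non-zero exit code makes it usable as a pre-check in whatever deploys the file.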