FastNetMon Radware Second Generation Integration

This guide is a third generation of Radware integration with FastNetMon Adavanced. It offers best experience and includes all features available in previous version.

To use this integration, you have to use FastNetMon 2.0.189 or newer.

You can use FastNetMon Advanced with Radware Defense Flow as DDoS sensor. In this case, FastNetMon can detect an attack and enable mitigation using Radware DefenseFlow and Apsolute Vision over API.


Integration tool support two major notification modes:

  • Per host attack alerts
  • Per hostgroup attack alerts
  • Full IPv6 support
  • Baseline information

For per-host attack alerts FastNetMon can pass following information:

  • Hostgroup – will be used as protected object on Defense Flow side
  • Attack’s performance
  • Attack’s protocol – UDP,TCP, ICMP or OTHER
  • Attack’s source port
  • Attack’s destination port
  • Up to 50 source hosts (/32)
  • Host affected by attack (/32)

For per-hostgroup attacks we provide less information as FastNetMon does not capture sample of attack:

  • Hostgroup – will be used as protected object on Defense Flow side
  • Attack’s performance
  • List of all networks which belong to hostgroup

Configure DefenseFlow

As first step, please create protected object in DefenseFlow. Make sure to specify the protected networks in the Protected Object.

Install integration

sudo wget https://fastnetmon.com/wp-content/uploads/2019/09/radware_notify_script \
sudo chmod +x /usr/local/bin/radware_notify_script

We ship integration in binary format. It works on any x86_64 compatible platform. It does not need any third party dependencies.

Configure integration

For configuration we use JSON format, please create configuration file in /etc/fastnetmon_radware.json with following content:

    "vision_ip": "",
    "vision_username": "radware",
    "vision_password": "radware",
    "skip_ssl_verification": true,
    "skip_source_networks": true,
    "pass_baseline": false,
    "clickhouse_host": "",
    "clickhouse_port": 9000,
    "clickhouse_database": "fastnetmon",
    "clickhouse_user": "default",
    "clickhouse_password": ""

Since version 2.0.187 you can use fcli to manage plugin’s configuration this way:

sudo fcli set plugin radware_defense_flow vision_ip
sudo fcli set plugin radware_defense_flow vision_username admin
sudo fcli set plugin radware_defense_flow vision_password radware
sudo fcli set plugin radware_defense_flow log_path /tmp/fastnetmon_radware_go_notify_script.log
sudo fcli set plugin radware_defense_flow skip_source_networks enable 
sudo fcli set plugin radware_defense_flow skip_ssl_verification enable 

Configure FastNetMon for per-host callbacks

Before enabling this integration, please be sure that you configured hostgroups using our official guide.

To enable per-host callbacks please specify integration tool for FastNetMon:

sudo fcli set main notify_script_enabled enable
sudo fcli set main notify_script_format json
sudo fcli set main notify_script_path /usr/local/bin/radware_notify_script
sudo fcli commit

To confirm proper integration, please run example ban:

sudo fcli set blackhole

To unban host, please follow this process:

sudo fcli show blackhole

Then, please use UUID near blocked host and and unblock it:

sudo fcli delete blackhole 777f81c4-e352-4c69-a193-7a82ee429562 (please replace this UUID by real one)

Configure FastNetMon for per-hostgroup callbacks

In this mode FastNetMon will alert to DefenseFlow when total traffic to specified hostgroup (protected object) exceed specified amount of traffic.

sudo fcli set main notify_script_hostgroup_enabled enable
sudo fcli set main notify_script_hostgroup_path /usr/local/bin/radware_notify_script
sudo fcli commit

Run test block:

sudo fcli set hostgroup_block test_total_group

To unblock, list all blocks:

sudo fcli show hostgroup_block

And unblock it using UUID from previous command:

sudo fcli delete hostgroup_block {uuid}

Known issues

In current version of integration DefenseFlow cannot withdraw announce when source networks list in unblock callback does not match to source networks in block callback. We suggest disabling this options for now:

"skip_source_networks": true