Deprecation notice
Please use the next generation of the integration tool.
You can use FastNetMon Advanced with Radware Defense Flow as a DDoS sensor. In this case, FastNetMon detects an attack and enables mitigation on Radware equipment over the API.
Configure DefenseFlow
As a first step, please create a protected object in DefenseFlow. Make sure to specify the protected networks in the Protected Object.
Enable integration with FastNetMon
This integration was well tested on Ubuntu 16.04. Older versions may have issues with the SSL library.
This script requires some additional libraries. Please install them:
sudo apt-get install -y libjson-perl libwww-perl
Please save this script to the file /etc/fastnetmon_radware_notify_script.pl:
sudo wget https://fastnetmon.com/wp-content/uploads/2019/09/radware_defense_flow_notify.pl -O /etc/fastnetmon_radware_notify_script.pl
sudo chmod +x /etc/fastnetmon_radware_notify_script.pl
This script assumes that you use hostgroups with names that match the protected object names. If you do not use protected objects, please remove the two following lines from the script completely:
"protectedObjectName" => $protected_object_name_param,
Set the executable bit for it:
sudo chmod +x /etc/fastnetmon_radware_notify_script.pl
Please set the credentials for the Vision API directly inside the script:
my $vision_ip = '192.168.1.2';
my $vision_username = 'admin';
my $vision_password = 'example';
You can also enable the option pass_port_and_protocol_information, which exposes much more information to DefenseFlow (source and destination ports, protocol and source hosts). You can enable it this way:
my $pass_port_and_protocol_information = '1';
Then, please enable this script for FastNetMon:
sudo fcli set main notify_script_enabled enable
sudo fcli set main notify_script_format json
sudo fcli set main notify_script_path /etc/fastnetmon_radware_notify_script.pl
sudo fcli commit
To confirm proper integration, please run an example ban:
sudo fcli set blackhole 11.22.33.44
Then test the unban operation. First, list the blocked hosts:
sudo fcli show blackhole
Then, please use the UUID next to the blocked host to unblock it:
sudo fcli delete blackhole 777f81c4-e352-4c69-a193-7a82ee429562
(Please replace this UUID with the real one.)
This script writes log messages to /tmp/fastnetmon_radware_notify_script.log. Please check it in case of any issues.
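The steps above place the Vision password inside a script that is made executable with chmod +x, and the script logs to a fixed path in /tmp. The following check is an added example, not part of FastNetMon or of the original page, that flags a notify script accessible to other users and a log path that is a symlink. It assumes GNU stat (as on Ubuntu) and that the FastNetMon daemon runs as the script's owner; the function name audit_notify_script is hypothetical.

```shell
#!/bin/sh
# Added example, not FastNetMon's own code.
# Assumptions: GNU stat (Ubuntu); the FastNetMon daemon runs as the script's
# owner, so group and other permission bits are not needed.

# audit_notify_script SCRIPT LOG
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_notify_script() {
    script=$1
    log=$2
    rc=0

    # The script must be a real file, not a symlink that could be retargeted.
    if [ -L "$script" ] || [ ! -f "$script" ]; then
        echo "FAIL: $script is missing or not a regular file"
        return 1
    fi

    mode=$(stat -c '%a' "$script")        # octal mode, e.g. 755
    other=$((mode % 10))
    group=$(( (mode / 10) % 10 ))
    owner=$(( (mode / 100) % 10 ))

    # The file holds $vision_password, so only the owner should have access.
    if [ "$group" -ne 0 ] || [ "$other" -ne 0 ]; then
        echo "FAIL: $script mode $mode grants group/other access to the credentials"
        rc=1
    fi
    # FastNetMon executes the script directly, so the owner needs the x bit.
    if [ $((owner & 1)) -eq 0 ]; then
        echo "FAIL: $script mode $mode is not executable by its owner"
        rc=1
    fi
    # The log lives at a fixed name in a shared directory.
    if [ -L "$log" ]; then
        echo "FAIL: $log is a symlink; log writes would follow it"
        rc=1
    fi
    return $rc
}

# Run against the paths used on this page when the script is installed.
if [ -e /etc/fastnetmon_radware_notify_script.pl ]; then
    audit_notify_script /etc/fastnetmon_radware_notify_script.pl \
        /tmp/fastnetmon_radware_notify_script.log || true
fi
```

A finding on the mode can be cleared with sudo chmod 700 on the script, provided the daemon runs as the file's owner.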