29.01.2019 FastNetMon

Radware Defense Flow integration with FastNetMon Advanced

Deprecation notice

Please use next generation of integration tool.

You can use FastNetMon Advanced with Radware Defense Flow as DDoS sensor. In this case, FastNetMon can detect an attack and enable mitigation using Radware equipment over API.

Configure DefenseFlow

As first step, please create protected object in DefenseFlow. Make sure to specify the protected networks in the Protected Object.

Enable integration with FastNetMon

This integration was tested very well with Ubuntu 16.04. Older versions may have issues with SSL library.

This script requires some additional libraries, please install them:

sudo apt-get install -y libjson-perl libwww-perl

Please this content to file in /etc/fastnetmon_radware_notify_script.pl:

sudo wget https://fastnetmon.com/wp-content/uploads/2019/09/radware_defense_flow_notify.pl -O /etc/fastnetmon_radware_notify_script.pl
sudo chmod +x /etc/fastnetmon_radware_notify_script.pl

This script assumes that you use hostgroups with names which match to protected object names. If you do not use protected object, please remove two following lines from script completely:

"protectedObjectName" => $protected_object_name_param,

Set executable bit for it:

sudo chmod +x /etc/fastnetmon_radware_notify_script.pl

Please set credentials for Vision API right inside script.

my $vision_ip = '192.168.1.2';
my $vision_username = 'admin';
my $vision_password = 'example';

Also, you can enable option pass_port_and_protocol_information which will expose much more information to DefenseFlow (source, destination ports, protocol and source hosts). You can enable it this way:

my $pass_port_and_protocol_information = '1';

Then, please enable this script for FastNetMon:

sudo fcli set main notify_script_enabled enable
sudo fcli set main notify_script_format json
sudo fcli set main notify_script_path /etc/fastnetmon_radware_notify_script.pl
sudo fcli commit

To confirm proper integration, please run example ban:

sudo fcli set blackhole 11.22.33.44

And unban operations:

sudo fcli show blackhole

Then, please use UUID near blocked host and and unblock it:

sudo fcli delete blackhole 777f81c4-e352-4c69-a193-7a82ee429562 (please replace this UUID by real one)

This script writes log messages to /tmp/fastnetmon_radware_notify_script.log, please check it in case of any issues.