03.10.2019

FastNetMon Radware Second Generation Integration

This guide is a third generation of Radware integration with FastNetMon Advanced. It offers the best experience and includes all features available in the previous version.

To use this integration, you have to use FastNetMon 2.0.162 or newer.

You can use FastNetMon Advanced with Radware DefenseFlow as a DDoS sensor. In this case, FastNetMon can detect an attack and enable mitigation using Radware DefenseFlow and APSolute Vision over the API.

Capabilities

The integration tool supports two major notification modes:

  • per host attack alerts
  • per hostgroup attack alerts

For per-host attack alerts FastNetMon can pass the following information:

  • Hostgroup – will be used as protected object on Defense Flow side
  • Attack’s performance
  • Attack’s protocol – UDP, TCP, ICMP or OTHER
  • Attack’s source port
  • Attack’s destination port
  • Up to 50 source hosts (/32)
  • Host affected by attack (/32)

For per-hostgroup attacks we provide less information, as FastNetMon does not capture a sample of the attack:

  • Hostgroup – will be used as protected object on Defense Flow side
  • Attack’s performance
  • List of all networks which belong to hostgroup
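Added example, not code from FastNetMon or Radware: a small Python model of the two alert shapes described above that enforces the stated limits (protocol collapses to UDP/TCP/ICMP/OTHER, hosts must be /32, at most 50 source hosts). Field names are assumptions for illustration, not the DefenseFlow API schema.

```python
# Added example, not FastNetMon's or Radware's code. It models the two alert
# shapes described above and enforces the limits the guide states: protocol
# collapses to UDP/TCP/ICMP/OTHER, hosts must be /32, at most 50 sources.
# Field names are illustrative assumptions, not the DefenseFlow API schema.
import ipaddress

PROTOCOLS = {"UDP", "TCP", "ICMP"}
MAX_SOURCES = 50


def host32(addr: str) -> str:
    """Normalise addr to a single IPv4 host (/32); reject prefixes and IPv6."""
    net = ipaddress.ip_network(addr, strict=True)
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError(f"expected a single IPv4 host (/32), got {addr!r}")
    return str(net)


def per_host_alert(hostgroup, target, performance, protocol, src_port, dst_port, sources):
    """Per-host alert: the hostgroup maps to the protected object on the DefenseFlow side."""
    proto = protocol.upper()
    if proto not in PROTOCOLS:
        proto = "OTHER"  # anything that is not UDP/TCP/ICMP is reported as OTHER
    seen, srcs = set(), []
    for s in sources:  # deduplicate, keeping first-seen order
        h = host32(s)
        if h not in seen:
            seen.add(h)
            srcs.append(h)
    return {
        "mode": "per-host",
        "protected_object": hostgroup,
        "target": host32(target),
        "performance": performance,
        "protocol": proto,
        "src_port": int(src_port),
        "dst_port": int(dst_port),
        "sources": srcs[:MAX_SOURCES],  # cap at 50 source hosts
        "sources_truncated": len(srcs) > MAX_SOURCES,
    }


def per_hostgroup_alert(hostgroup, performance, networks):
    """Per-hostgroup alert: no attack sample, so only the group's networks are sent."""
    nets = [str(ipaddress.ip_network(n, strict=True)) for n in networks]
    return {"mode": "per-hostgroup", "protected_object": hostgroup,
            "performance": performance, "networks": nets}
```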

Configure DefenseFlow

As a first step, please create a protected object in DefenseFlow. Make sure to specify the protected networks in the Protected Object.

Install integration

We ship the integration in binary format. It works on any x86_64 compatible platform and does not need any third-party dependencies.

Configure integration

For configuration we use the JSON format. Please create a configuration file at /etc/fastnetmon_radware.json with the following content:

Configure FastNetMon for per-host callbacks

To enable per-host callbacks, please specify the integration tool as the notify script for FastNetMon:

To confirm that the integration works, please run an example ban:

To unban the host, please follow this process:

Then, please use the UUID shown next to the blocked host and unblock it:

Configure FastNetMon for per-hostgroup callbacks

In this mode FastNetMon will alert DefenseFlow when the total traffic to the specified hostgroup (protected object) exceeds the specified amount of traffic.

Run a test block:

To unblock, list all blocks:

And unblock it using the UUID from the previous command: