SPCIFICATIONS隐士ddos

9July2012GettingStartedGuideCheckPointDDoSProtector6.
052012CheckPointSoftwareTechnologiesLtd.
Allrightsreserved.
Thisproductandrelateddocumentationareprotectedbycopyrightanddistributedunderlicensingrestrictingtheiruse,copying,distribution,anddecompilation.
NopartofthisproductorrelateddocumentationmaybereproducedinanyformorbyanymeanswithoutpriorwrittenauthorizationofCheckPoint.
Whileeveryprecautionhasbeentakeninthepreparationofthisbook,CheckPointassumesnoresponsibilityforerrorsoromissions.
Thispublicationandfeaturesdescribedhereinaresubjecttochangewithoutnotice.
RESTRICTEDRIGHTSLEGEND:Use,duplication,ordisclosurebythegovernmentissubjecttorestrictionsassetforthinsubparagraph(c)(1)(ii)oftheRightsinTechnicalDataandComputerSoftwareclauseatDFARS252.
227-7013andFAR52.
227-19.
TRADEMARKS:RefertotheCopyrightpage(http://www.
checkpoint.
com/copyright.
html)foralistofourtrademarks.
RefertotheThirdPartycopyrightnotices(http://www.
checkpoint.
com/3rd_party_copyright.
html)foralistofrelevantcopyrightsandthird-partylicenses.
ImportantInformationLatestSoftwareWerecommendthatyouinstallthemostrecentsoftwarereleasetostayup-to-datewiththelatestfunctionalimprovements,stabilityfixes,securityenhancementsandprotectionagainstnewandevolvingattacks.
Foradditionaltechnicalinformation,visittheCheckPointSupportCenter(http://supportcenter.
checkpoint.
com).
RevisionHistoryDateDescription7June2012FirstreleaseofthisdocumentContentsImportantInformation.
3CheckPointDDoSProtectorOverview5SupportedAppliances5SafetyInstructions.
6Pre-Installation.
17CheckingtheContents17ConnectionsandGrounding.
17PortCables17MountingthePlatform18VerifyingAccessibilityofManagementCommunicationPorts.
18ConnectingCablestoPlatforms18ConnectingCablestotheDPx06SeriesPlatform18ConnectingCablestoDPx412SeriesPlatforms.
19InstallingCheckPointDDoSProtector20DPx06Series20DPx412Series.
21LCDModuleforDPx412Series23CheckPointDDoSProtectorBootCommands26ConnectingandInstallingCheckPointDDoSProtector.
26ConnectingtheManagementPortandInspectionPortCables26ConsiderationsWhenConnectingInspectionPortswithInternalBypass26ConfiguringManagementPorts.
27ConfiguringtheManagementPortfortheFirstTime.
27ModifyingtheRoutetotheManagementPort28EnablingHTTP/HTTPSandWebManagementAccessviatheSerialInterface.
.
28ConfiguringRoutes29ConfiguringHTTP,HTTPS,andSSHAccess.
30ConfiguringaNetworkProtectionPolicyandNetworkProtectionProfiles32ConfiguringaNetworkProtectionPolicy.
32ConfiguringBehavioralDoSProfiles.
33ConfiguringaDNSProtectionProfile.
34ConfiguringDoSShieldProtection36ConfiguringPacketAnomaliesProtection.
36ConfiguringaConnectionLimitProfile.
37ConfiguringaSYNProtectionProfile.
39ConfiguringanOut-of-StateProtectionProfile.
42ConfiguringanHTTPMitigatorProfile43ViewingandConfiguringNetworkClasses.
45ViewingandConfiguringApplication-Port-GroupClasses46ConfiguringServices.
47ConfiguringSyslogReporting47ConfiguringBlackLists.
47ConfiguringWhiteLists.
50CheckPointDDoSProtectorGettingStartedGuide|5Chapter1CheckPointDDoSProtectorOverviewCheckPointDDoSProtectorisareal-timeDoSprotectiondevice,whichmaintainsbusinesscontinuitybyprotectingtheapplicationinfrastructureagainstexistingandemergingnetwork-basedthreats.
Unlikemarketalternativesthatrelyonstaticsignatures,CheckPointDDoSProtectorprovidesuniquebehavioral-based,automaticallygenerated,real-timesignatures,mitigatingattacksthatarenotvulnerabilitybasedandzero-minuteattackssuchas:networkandapplicationfloods,HTTPpagefloods,malwarepropagation,Webapplicationbruteforceattacksaimingtodefeatauthenticationschemes,andmore-allwithoutblockinglegitimateusers'trafficandwithnoneedforhumanintervention.
SupportedAppliancesTheseappliancessupportCheckPointDDoSProtector:x06Series:DP506DP1006DP2006DP3006X412series:DP4412DP8412DP12412CheckPointDDoSProtectorGettingStartedGuide|6Chapter2SafetyInstructionsThefollowingsafetyinstructionsarepresentedinEnglish,French,andGerman.
SafetyInstructionsCAUTIONAreadilyaccessibledisconnectdeviceshallbeincorporatedinthebuildinginstallationwiring.
Duetotherisksofelectricalshock,andenergy,mechanical,andfirehazards,anyproceduresthatinvolveopeningpanelsorchangingcomponentsmustbeperformedbyqualifiedservicepersonnelonly.
Toreducetheriskoffireandelectricalshock,disconnectthedevicefromthepowerlinebeforeremovingcoverorpanels.
ThefollowingfigureshowsthecautionlabelthatisattachedtoCheckPointDDoSProtectorplatformswithdualpowersupplies.
ElectricalShockHazardLabelDUAL-POWER-SUPPLY-SYSTEMSAFETYWARNINGINCHINESEThefollowingfigureisthewarningforCheckPointDDoSProtectorplatformswithdualpowersupplies.
Dual-Power-Supply-SystemSafetyWarninginChineseTranslationofDual-Power-Supply-SystemSafetyWarninginChinese:Thisunithasmorethanonepowersupply.
Disconnectallpowersuppliesbeforemaintenancetoavoidelectricshock.
SERVICINGDonotperformanyservicingotherthanthatcontainedintheoperatinginstructionsunlessyouarequalifiedtodoso.
Therearenoserviceablepartsinsidetheunit.
HIGHVOLTAGEAnyadjustment,maintenance,andrepairoftheopenedinstrumentundervoltagemustbeavoidedasmuchaspossibleand,wheninevitable,mustbecarriedoutonlybyaskilledpersonwhoisawareofthehazardinvolved.
Capacitorsinsidetheinstrumentmaystillbechargedeveniftheinstrumenthasbeendisconnectedfromitssourceofsupply.
SafetyInstructionsCheckPointDDoSProtectorGettingStartedGuide|7GROUNDINGBeforeconnectingthisdevicetothepowerline,theprotectiveearthterminalscrewsofthisdevicemustbeconnectedtotheprotectiveearthinthebuildinginstallation.
LASERThisequipmentisaClass1LaserProductinaccordancewithIEC60825-1:1993+A1:1997+A2:2001Standard.
FUSESMakesurethatonlyfuseswiththerequiredratedcurrentandofthespecifiedtypeareusedforreplacement.
Theuseofrepairedfusesandtheshort-circuitingoffuseholdersmustbeavoided.
Wheneveritislikelythattheprotectionofferedbyfuseshasbeenimpaired,theinstrumentmustbemadeinoperativeandbesecuredagainstanyunintendedoperation.
LINEVOLTAGEBeforeconnectingthisinstrumenttothepowerline,makesurethevoltageofthepowersourcematchestherequirementsoftheinstrument.
RefertotheSpecificationsforinformationaboutthecorrectpowerratingforthedevice.
48VDC-poweredplatformshaveaninputtoleranceof36-72VDC.
SPECIFICATIONCHANGESSpecificationsaresubjecttochangewithoutnotice.
Note-ThisequipmenthasbeentestedandfoundtocomplywiththelimitsforaClassAdigitaldevicepursuanttoPart15BoftheFCCRulesandEN55022ClassA,EN55024;EN61000-3-2;EN61000-3-3;IEC610004-2to4-6,IEC610004-8andIEC61000-4-11ForCEMARKCompliance.
Theselimitsaredesignedtoprovidereasonableprotectionagainstharmfulinterferencewhentheequipmentisoperatedinacommercialenvironment.
Thisequipmentgenerates,uses,andcanradiateradiofrequencyenergyand,ifnotinstalledandusedinaccordancewiththeinstructionmanual,maycauseharmfulinterferencetoradiocommunications.
Operationofthisequipmentinaresidentialareaislikelytocauseharmfulinterferenceinwhichcasetheuserisrequiredtocorrecttheinterferenceathisownexpense.
VCCIELECTROMAGNETIC-INTERFERENCESTATEMENTSStatementforClassAVCCI-certifiedEquipmentTranslationofStatementforClassAVCCI-certifiedEquipment:ThisisaClassAproductbasedonthestandardoftheVoluntaryControlCouncilforInterferencebyInformationTechnologyEquipment(VCCI).
Ifthisequipmentisusedinadomesticenvironment,radiodisturbancemayoccur,inwhichcase,theusermayberequiredtotakecorrectiveaction.
StatementforClassBVCCI-certifiedEquipmentTranslationofStatementforClassBVCCI-certifiedEquipment:ThisisaClassBproductbasedonthestandardoftheVoluntaryControlCouncilforInterferencebyInformationTechnologyEquipment(VCCI).
Ifthisisusedneararadioortelevisionreceiverinadomesticenvironment,itmaycauseradiointerference.
SafetyInstructionsCheckPointDDoSProtectorGettingStartedGuide|8Installandusetheequipmentaccordingtotheinstructionmanual.
KCCKOREAKCC—KoreaCommunicationsCommissionCertificateofBroadcastingandCommunicationEquipmentStatementforClassAKCC-certifiedEquipmentinKoreanTranslationofStatementForClassAKCC-certifiedEquipmentinKorean:ThisequipmentisIndustrial(ClassA)electromagneticwavesuitabilityequipmentandsellerorusershouldtakenoticeofit,andthisequipmentistobeusedintheplacesexceptforhome.
SPECIALNOTICEFORNORTHAMERICANUSERSForNorthAmericanpowerconnection,selectapowersupplycordthatisULListedandCSACertified3-conductor,[18AWG],terminatedinamoldedonplugcaprated125V,[5A],withaminimumlengthof1.
5m[sixfeet]butnolongerthan4.
5m.
.
.
ForEuropeanconnection,selectapowersupplycordthatisinternationallyharmonizedandmarked"",3-conductor,0,75mm2minimummm2wire,rated300V,withaPVCinsulatedjacket.
Thecordmusthaveamoldedonplugcaprated250V,3A.
RESTRICTAREAACCESSTheDCpoweredequipmentshouldonlybeinstalledinaRestrictedAccessArea.
INSTALLATIONCODESThisdevicemustbeinstalledaccordingtocountrynationalelectricalcodes.
ForNorthAmerica,equipmentmustbeinstalledinaccordancewiththeUSNationalElectricalCode,Articles110-16,110-17,and110-18andtheCanadianElectricalCode,Section12.
INTERCONNECTIONOFUNITSCablesforconnectingtotheunitRS232andEthernetInterfacesmustbeULcertifiedtypeDP-1orDP-2.
(Note-whenresidinginnonLPScircuit)OVERCURRENTPROTECTIONAreadilyaccessiblelistedbranch-circuitovercurrentprotectivedevicerated15Amustbeincorporatedinthebuildingwiringforeachpowerinput.
REPLACEABLEBATTERIESIfequipmentisprovidedwithareplaceablebattery,andisreplacedbyanincorrectbatterytype,thenanexplosionmayoccur.
ThisisthecaseforsomeLithiumbatteriesandthefollowingisapplicable:IfthebatteryisplacedinanOperatorAccessArea,thereisamarkingclosetothebatteryorastatementinboththeoperatingandserviceinstructions.
Ifthebatteryisplacedelsewhereintheequipment,thereisamarkingclosetothebatteryorastatementintheserviceinstructions.
Thismarkingorstatementincludesthefollowingtextwarning:CAUTIONRISKOFEXPLOSIONIFBATTERYISREPLACEDBYANINCORRECTBATTERYTYPE.
DISPOSEOFUSEDBATTERIESACCORDINGTOTHEINSTRUCTIONS.
Caution-ToReducetheRiskofElectricalShockandFire1.
ThisequipmentisdesignedtopermitconnectionbetweentheearthedconductoroftheDCsupplycircuitandtheearthingconductorequipment.
SeeInstallationInstructions.
2.
Allservicingmustbeundertakenonlybyqualifiedservicepersonnel.
Therearenotuserserviceablepartsinsidetheunit.
3.
DONOTplugin,turnonorattempttooperateanobviouslydamagedunit.
SafetyInstructionsCheckPointDDoSProtectorGettingStartedGuide|94.
EnsurethatthechassisventilationopeningsintheunitareNOTBLOCKED.
5.
ReplaceablownfuseONLYwiththesametypeandratingasismarkedonthesafetylabeladjacenttothepowerinlet,housingthefuse.
6.
Donotoperatethedeviceinalocationwherethemaximumambienttemperatureexceeds40°C/104°F.
7.
BesuretounplugthepowersupplycordfromthewallsocketBEFOREattemptingtoremoveand/orcheckthemainpowerfuse.
CLASS1LASERPRODUCTANDREFERENCETOTHEMOSTRECENTLASERSTANDARDSIEC60825-1:1993+A1:1997+A2:2001ANDEN60825-1:1994+A1:1996+A2:2001ACunitsforDenmark,Finland,Norway,Sweden(markedonproduct):Denmark-"UnitisclassI-unittobeusedwithanACcordsetsuitablewithDenmarkdeviations.
Thecordincludesanearthingconductor.
TheUnitistobepluggedintoawallsocketoutletwhichisconnectedtoaprotectiveearth.
Socketoutletswhicharenotconnectedtoeartharenottobeused!
"Finland-(Markinglabelandinmanual)-"Laiteonliitettvsuojamaadoituskoskettimillavarustettuunpistorasiaan"Norway(Markinglabelandinmanual)-"Apparatetmtilkoplesjordetstikkontakt"UnitisintendedforconnectiontoITpowersystemsforNorwayonly.
Sweden(Markinglabelandinmanual)-"Apparatenskallanslutastilljordatuttag.
"Toconnectthepowerconnection:1.
Connectthepowercabletothemainsocket,locatedontherearpanelofthedevice.
2.
ConnectthepowercabletothegroundedACoutlet.
CAUTIONRiskofelectricshockandenergyhazard.
Disconnectingonepowersupplydisconnectsonlyonepowersupplymodule.
Toisolatetheunitcompletely,disconnectallpowersupplies.
InstructionsdesécuritéAVERTISSEMENTUndispositifdedéconnexionfacilementaccessibleseraincorporéaucblagedubtiment.
Enraisondesrisquesdechocsélectriquesetdesdangersénergétiques,mécaniquesetd'incendie,chaqueprocédureimpliquantl'ouverturedespanneauxouleremplacementdecomposantsseraexécutéepardupersonnelqualifié.
Pourréduirelesrisquesd'incendieetdechocsélectriques,déconnectezledispositifdublocd'alimentationavantderetirerlecouvercleoulespanneaux.
Lafiguresuivantemontrel'étiquetted'avertissementapposéesurlesplateformesCheckPointDDoSProtectordotéesdeplusd'unesourced'alimentationélectrique.
tiquetted'avertissementdedangerdechocsélectriquesAVERTISSEMENTDESCURITPOURLESSYSTMESDOTSDEDEUXSOURCESD'ALIMENTATIONLECTRIQUE(ENCHINOIS)Lafiguresuivantereprésentel'étiquetted'avertissementpourlesplateformesCheckPointDDoSProtectordotéesdedeuxsourcesd'alimentationélectrique.
SafetyInstructionsCheckPointDDoSProtectorGettingStartedGuide|10Avertissementdesécuritépourlessystèmesdotesdedeuxsourcesd'alimentationélectrique(enchinois)TraductiondelaAvertissementdesécuritépourlessystèmesdotesdedeuxsourcesd'alimentationélectrique(enchinois):Cetteunitéestdotéedeplusd'unesourced'alimentationélectrique.
Déconnecteztouteslessourcesd'alimentationélectriqueavantd'entretenirl'appareilcecipourévitertoutchocélectrique.
ENTRETIENN'effectuezaucunentretienautrequeceuxrépertoriésdanslemanueld'instructions,àmoinsd'êtrequalifiéenlamatière.
Aucunepièceàl'intérieurdel'uniténepeutêtreremplacéeouréparée.
HAUTETENSIONToutréglage,opérationd'entretienetréparationdel'instrumentouvertsoustensiondoitêtreévité.
Sicelas'avèreindispensable,confiezcetteopérationàunepersonnequalifiéeetconscientedesdangersimpliqués.
Lescondensateursauseindel'unitérisquentd'êtrechargésmêmesil'unitéaétédéconnectéedelasourced'alimentationélectrique.
MISEALATERREAvantdeconnectercedispositifàlaligneélectrique,lesvisdeprotectiondelabornedeterredecetteunitédoiventêtrereliéesausystèmedemiseàlaterredubtiment.
LASERCetéquipementestunproduitlaserdeclasse1,conformeàlanormeIEC60825-1:1993+A1:1997+A2:2001.
FUSIBLESAssurez-vousque,seulslesfusiblesàcourantnominalrequisetdetypespécifiésontutilisésenremplacement.
L'usagedefusiblesréparésetlecourt-circuitagedesporte-fusiblesdoiventêtreévités.
Lorsqu'ilestpratiquementcertainquelaprotectionofferteparlesfusiblesaétédétériorée,l'instrumentdoitêtredésactivéetsécurisécontretouteopérationinvolontaire.
TENSIONDELIGNEAvantdeconnectercetinstrumentàlaligneélectrique,vérifiezquelatensiondelasourced'alimentationcorrespondauxexigencesdel'instrument.
Consultezlesspécificationspropresàl'alimentationnominalecorrectedudispositif.
Lesplateformesalimentéesen48CContunetoléranced'entréecompriseentre36et72VCC.
MODIFICATIONSDESSPCIFICATIONSLesspécificationssontsujettesàchangementsansnoticepréalable.
Remarque:CetéquipementaététestéetdéclaréconformeauxlimitesdéfiniespourunappareilnumériquedeclasseA,conformémentauparagraphe15BdelaréglementationFCCetEN55022ClasseA,EN55024,EN61000-3-2;EN61000-3-3;IEC610004-2to4-6,IEC610004-8,etIEC61000-4-11,pourlamarquedeconformitédelaCE.
Ceslimitessontfixéespourfourniruneprotectionraisonnablecontrelesinterférencesnuisibles,lorsquel'équipementestutilisédansunenvironnementcommercial.
Cetéquipementgénère,utiliseetpeutémettredesfréquencesradioet,s'iln'estpasinstalléetutiliséconformémentaumanueld'instructions,peutentranerdesinterférencesnuisiblesauxcommunicationsradio.
Lefonctionnementdecetéquipementdansunezonerésidentielleestsusceptibledeprovoquerdesinterférencesnuisibles,auquelcasl'utilisateurdevracorrigerleproblèmeàsespropresfrais.
SafetyInstructionsCheckPointDDoSProtectorGettingStartedGuide|11DCLARATIONSSURLESINTERFRENCESLECTROMAGNTIQUESVCCIDéclarationpourl'équipementdeclasseAcertifiéVCCITraductiondelaDéclarationpourl'équipementdeclasseAcertifiéVCCI:Ils'agitd'unproduitdeclasseA,basésurlanormeduVoluntaryControlCouncilforInterferencebyInformationTechnologyEquipment(VCCI).
Sicetéquipementestutilisédansunenvironnementdomestique,desperturbationsradioélectriquessontsusceptiblesd'apparatre.
Sitelestlecas,l'utilisateurseratenudeprendredesmesurescorrectives.
Déclarationpourl'équipementdeclasseBcertifiéVCCITraductiondelaDéclarationpourl'équipementdeclasseBcertifiéVCCI:Ils'agitd'unproduitdeclasseB,basésurlanormeduVoluntaryControlCouncilforInterferencebyInformationTechnologyEquipment(VCCI).
S'ilestutiliséàproximitéd'unpostederadiooud'unetélévisiondansunenvironnementdomestique,ilpeutentranerdesinterférencesradio.
Installezetutilisezl'équipementselonlemanueld'instructions.
KCCCoréeKCC—CertificatdelacommissiondescommunicationsdeCoréepourlesequipementsderadiodiffusionetcommunication.
Déclarationpourl'équipementdeclasseAcertifiéKCCenlanguecoréenneTranslationdelaDéclarationpourl'équipementdeclasseAcertifiéKCCenlanguecoréenne:Cetéquipementestunmatériel(classeA)enadéquationauxondesélectromagnétiquesetlevendeuroul'utilisateurdoitprendrecelaencompte.
Cematérielestdoncfaitpourêtreutiliséailleursqu'álamaison.
NOTICESPCIALEPOURLESUTILISATEURSNORD-AMRICAINSPourunraccordementélectriqueenAmériqueduNord,sélectionnezuncordond'alimentationhomologuéULetcertifiéCSA3-conducteur,[18AWG],munid'uneprisemouléeàsonextrémité,de125V,[5A],d'unelongueurminimalede1,5m[sixpieds]etmaximalede4,5m.
.
.
Pourlaconnexioneuropéenne,choisissezuncordond'alimentationmondialementhomologuéetmarqué"",3-conducteur,cblede0,75mm2minimum,de300V,avecunegaineenPVCisolée.
Lapriseàl'extrémitéducordon,seradotéed'unsceaumouléindiquant:250V,3A.
ZONEAACCSRESTREINTL'équipementalimentéenCCnepourraêtreinstalléquedansunezoneàaccèsrestreint.
SafetyInstructionsCheckPointDDoSProtectorGettingStartedGuide|12CODESD'INSTALLATIONCedispositifdoitêtreinstalléenconformitéaveclescodesélectriquesnationaux.
EnAmériqueduNord,l'équipementserainstalléenconformitéaveclecodeélectriquenationalaméricain,articles110-16,110-17,et110-18etlecodeélectriquecanadien,Section12.
INTERCONNEXIONDESUNTES.
Lescblesdeconnexionàl'unitéRS232etauxinterfacesEthernetserontcertifiésUL,typeDP-1ouDP-2.
(Remarque-s'ilsnerésidentpasdansuncircuitLPS)PROTECTIONCONTRELESSURCHARGES.
Uncircuitdedérivation,facilementaccessible,surledispositifdeprotectionducourantde15Adoitêtreintégréaucblagedubtimentpourchaquepuissanceconsommée.
BATTERIESREMPLAABLESSil'équipementestfourniavecunebatterie,etqu'elleestremplacéeparuntypedebatterieincorrect,elleestsusceptibled'exploser.
C'estlecaspourcertainesbatteriesaulithium,lesélémentssuivantssontdoncapplicables:Silabatterieestplacéedansunezoned'accèsopérateur,unemarqueestindiquéesurlabatterieouuneremarqueestinsérée,aussibiendanslesinstructionsd'exploitationqued'entretien.
Silabatterieestplacéeailleursdansl'équipement,unemarqueestindiquéesurlabatterieouuneremarqueestinséréedanslesinstructionsd'entretien.
Cettemarqueouremarqueinclutl'avertissementtextuelsuivant:AVERTISSEMENTRISQUED'EXPLOSIONSILABATTERIEESTREMPLACEPARUNMODLEINCORRECT.
METTREAUREBUTLESBATTERIESCONFORMMENTAUXINSTRUCTIONS.
Attention-Pourréduirelesrisquesdechocsélectriquesetd'incendie1.
CetéquipementestconupourpermettrelaconnexionentreleconducteurdemiseàlaterreducircuitélectriqueCCetl'équipementdemiseàlaterre.
Voirlesinstructionsd'installation.
2.
Toutentretienseraentreprispardupersonnelqualifié.
Aucunepièceàl'intérieurdel'uniténepeutêtreremplacéeouréparée.
3.
NEbranchezpas,n'allumezpasoun'essayezpasd'utiliseruneunitémanifestementendommagée.
4.
Vérifiezquel'orificedeventilationduchssisdansl'unitén'estPASOBSTRUE.
5.
Remplacezlefusibleendommagéparunmodèlesimilairedemêmepuissance,telqu'indiquésurl'étiquettedesécuritéadjacenteàl'arrivéeélectriquehébergeantlefusible.
6.
Nefaitespasfonctionnerl'appareildansunendroit,oùlatempératureambiantedépasselavaleurmaximaleautorisée.
40°C/104°F.
7.
DébranchezlecordonélectriquedelaprisemuraleAVANTd'essayerderetireret/oudevérifierlefusibled'alimentationprincipal.
PRODUITLASERDECLASSE1ETRFRENCEAUXNORMESLASERLESPLUSRCENTES:IEC60825-1:1993+A1:1997+A2:2001ETEN60825-1:1994+A1:1996+A2:2001UnitésàCApourleDanemark,laFinlande,laNorvège,laSuède(indiquésurleproduit):Danemark-Unitédeclasse1-quidoitêtreutiliséeavecuncordonCAcompatibleaveclesdéviationsduDanemark.
Lecordoninclutunconducteurdemiseàlaterre.
L'unitéserabranchéeàuneprisemurale,miseàlaterre.
Lesprisesnon-misesàlaterreneserontpasutilisées!
Finlande(tiquetteetinscriptiondanslemanuel)-LaiteonliitettvsuojamaadoituskoskettimillavarustettuunpistorasiaanNorvège(tiquetteetinscriptiondanslemanuel)-ApparatetmtilkoplesjordetstikkontaktL'unitépeutêtreconnectéeàunsystèmeélectriqueIT(enNorvègeuniquement).
Suède(tiquetteetinscriptiondanslemanuel)-Apparatenskallanslutastilljordatuttag.
Pourbrancheràl'alimentationélectrique:1.
Branchezlecbled'alimentationàlapriseprincipale,situéesurlepanneauarrièredel'unité.
2.
Connectezlecbled'alimentationàlapriseCAmiseàlaterre.
SafetyInstructionsCheckPointDDoSProtectorGettingStartedGuide|13AVERTISSEMENTRisquedechocélectriqueetdangerénergétique.
Ladéconnexiond'unesourced'alimentationélectriquenedébranchequ'unseulmoduleélectrique.
Pourisolercomplètementl'unité,débrancheztouteslessourcesd'alimentationélectrique.
ATTENTIONRisquedechocetdedangerélectriques.
Ledébranchementd'uneseulealimentationstabiliséenedébranchequ'unmodule"AlimentationStabilisée".
PourIsolercomplètementlemoduleencause,ilfautdébranchertouteslesalimentationsstabilisées.
Attention:PourRéduireLesRisquesd'lectrocutionetd'Incendie1.
Touteslesopérationsd'entretienseronteffectuéesUNIQUEMENTpardupersonneld'entretienqualifié.
Aucuncomposantnepeutêtreentretenuouremplacéeparl'utilisateur.
2.
NEPASconnecter,mettresoustensionouessayerd'utiliseruneunitévisiblementdéfectueuse.
3.
Assurez-vousquelesouverturesdeventilationduchssisNESONTPASOBSTRUES.
4.
RemplacezunfusiblequiasautéSEULEMENTparunfusibledumêmetypeetdemêmecapacité,commeindiquésurl'étiquettedesécuritéprochedel'entréedel'alimentationquicontientlefusible.
5.
NEPASUTILISERl'équipementdansdeslocauxdontlatempératuremaximaledépasse40degrésCentigrades.
6.
Assurezvousquelecordond'alimentationaétédéconnectéAVANTd'essayerdel'enleveret/ouvérifierlefusibledel'alimentationgénérale.
SicherheitsanweisungenVORSICHTDieElektroinstallationdesGebudesmusseinunverzüglichzugnglichesStromunterbrechungsgertintegrieren.
AufgrunddesStromschlagrisikosundderEnergie-,mechanischeundFeuergefahrdürfenVorgnge,inderenVerlaufAbdeckungenentferntoderElementeausgetauschtwerden,ausschlielichvonqualifiziertemServicepersonaldurchgeführtwerden.
ZurReduzierungderFeuer-undStromschlaggefahrmussdasGertvorderEntfernungderAbdeckungoderderPaneelevonderStromversorgunggetrenntwerden.
FolgendeAbbildungzeigtdasVORSICHT-Etikett,dasaufdieCheckPointDDoSProtector-PlattformenmitDoppelspeisungangebrachtist.
WarnetikettStromschlaggefahrSICHERHEITSHINWEISINCHINESISCHERSPRACHEFRSYSTEMEMITDOPPELSPEISUNGDiefolgendeAbbildungistdieWarnungfürCheckPointDDoSProtector-PlattformenmitDoppelspeisung.
SicherheitshinweisinchinesischerSprachefürSystememitDoppelspeisungSafetyInstructionsCheckPointDDoSProtectorGettingStartedGuide|14bersetzungvonSicherheitshinweisinchinesischerSprachefürSystememitDoppelspeisung:DieEinheitverfügtübermehralseineStromversorgungsquelle.
ZiehenSiezurVerhinderungvonStromschlagvorWartungsarbeitensmtlicheStromversorgungsleitungenab.
WARTUNGFührenSiekeinerleiWartungsarbeitenaus,dienichtinderBetriebsanleitungangeführtsind,esseidenn,Siesinddafürqualifiziert.
EsgibtinnerhalbdesGerteskeinewartungsfhigenTeile.
HOCHSPANNUNGJeglicheEinstellungs-,Instandhaltungs-undReparaturarbeitenamgeffnetenGertunterSpannungmüssensoweitwiemglichvermiedenwerden.
Sindsienichtvermeidbar,dürfensieausschlielichvonqualifiziertenPersonenausgeführtwerden,diesichderGefahrbewusstsind.
InnerhalbdesGertesbefindlicheKondensatorenknnenauchdannnochLadungenthalten,wenndasGertvonderStromversorgungabgeschnittenwurde.
ERDUNGBevordasGertandieStromversorgungangeschlossenwird,müssendieSchraubenderErdungsleitungdesGertesandieErdungderGebudeverkabelungangeschlossenwerden.
LASERDiesesGertisteinLaser-ProduktderKlasse1inbereinstimmungmitIEC60825-1:1993+A1:1997+A2:2001Standard.
SICHERUNGENVergewissernSiesich,dassnurSicherungenmitdererforderlichenStromstrkeundderangeführtenArtverwendetwerden.
DieVerwendungreparierterSicherungensowiedieKurzschlieungvonSicherungsfassungenmussvermiedenwerden.
InFllen,indenenwahrscheinlichist,dassdervondenSicherungengeboteneSchutzbeeintrchtigtist,mussdasGertabgeschaltetundgegenunbeabsichtigtenBetriebgesichertwerden.
LEITUNGSSPANNUNGVorAnschlussdiesesGertesandieStromversorgungistzugewhrleisten,dassdieSpannungderStromquelledenAnforderungendesGertesentspricht.
BeachtenSiedietechnischenAngabenbezüglichderkorrektenelektrischenWertedesGertes.
Plattformenmit48VDCverfügenübereineEingangstoleranzvon36-72VDC.
NDERUNGENDERTECHNISCHENANGABENnderungendertechnischenSpezifikationenbleibenvorbehalten.
Hinweis:DiesesGertwurdegeprüftundentsprichtdenBeschrnkungenvondigitalenGertenderKlasse1gemTeil15BFCC-VorschriftenundEN55022KlasseA,EN55024;EN61000-3-2;EN;IEC610004-2to4-6,IEC610004-8undIEC61000-4-11fürKonformittmitderCE-Bezeichnung.
DieseBeschrnkungendienendemangemessenenSchutzvorschdlichenInterferenzenbeiBetriebdesGertesinkommerziellemUmfeld.
DiesesGerterzeugt,verwendetundstrahltelektromagnetischeHochfrequenzstrahlungaus.
WirdesnichtentsprechenddenAnweisungenimHandbuchmontiertundbenutzt,knnteesmitdemFunkverkehrinterferierenundihnbeeintrchtigen.
DerBetriebdiesesGertesinWohnbereichenwirdhchstwahrscheinlichzuschdlichenInterferenzenführen.
IneinemsolchenFallwrederBenutzerverpflichtet,dieseInterferenzenaufeigeneKostenzukorrigieren.
ERKLRUNGDERVCCIZUELEKTROMAGNETISCHERINTERFERENZErklrungzuVCCI-zertifiziertenGertenderKlasseAbersetzungvonErklrungzuVCCI-zertifiziertenGertenderKlasseA:DiesisteinProduktderKlasseAgemdenNormendesVoluntaryControlCouncilforInterferencebyInformationTechnologyEquipment(VCCI).
WirddiesesGertineinemWohnbereichbenutzt,knnenelektromagnetischeStrungenauftreten.
IneinemsolchenFallwrederBenutzerverpflichtet,korrigierendeinzugreifen.
SafetyInstructionsCheckPointDDoSProtectorGettingStartedGuide|15ErklrungzuVCCI-zertifiziertenGertenderKlasseBbersetzungvonErklrungzuVCCI-zertifiziertenGertenderKlasseB:DiesisteinProduktderKlasseBgemdenNormendesVoluntaryControlCouncilforInterferencebyInformationTechnologyEquipment(VCCI).
WirddiesesGertineinemWohnbereichbenutzt,knnenelektromagnetischeStrungenauftreten.
MontierenundbenutzenSiedasGertlautAnweisungenimBenutzerhandbuch.
KCCKOREAKCC—KoreaCommunicationsCommissionZertifikatfürRundfunk-undNachrichtentechnikErklrungzuKCC-zertifiziertenGertenderKlasseAbersetzungvonErklrungzuKCC-zertifiziertenGertenderKlasseA:VerkuferoderNutzersolltendavonKenntnisnehmen,dadiesesGertderKlasseAfürindustriellelektromagnetischeWellengeeigneteGertenangehrtunddassdieseGertenichtfürdenheimischenGebrauchbestimmtsind.
BESONDERERHINWEISFRBENUTZERINNORDAMERIKAWhlenSiefürdenNetzstromanschlussinNordamerikaeinStromkabel,dasinderULaufgeführtundCSA-zertifiziertist3Leiter,[18AWG],endendineinemgegossenenStecker,für125V,[5A],miteinerMindestlngevon1,5m[sechsFu],dochnichtlngerals4,5m.
FüreuropischeAnschlüsseverwendenSieeininternationalharmonisiertes,mit""markiertesStromkabel,mit3Leiternvonmindestens0,75mm2,für300V,mitPVC-Umkleidung.
DasKabelmussineinemgegossenenSteckerfür250V,3Aenden.
BEREICHMITEINGESCHRNKTEMZUGANGDasmitGleichstrombetriebeneGertdarfnurineinemBereichmiteingeschrnktemZugangmontiertwerden.
INSTALLATIONSCODESDiesesGertmussgemderlandesspezifischenelektrischenCodesmontiertwerden.
InNordamerikamüssenGerteentsprechenddemUSNationalElectricalCode,Artikel110-16,110-17und110-18,sowiedemCanadianElectricalCode,Abschnitt12,montiertwerden.
VERKOPPLUNGVONGERTENKabelfürdieVerbindungdesGertesmitRS232-undEthernet-müssenUL-zertifiziertundvomTypDP-1oderDP-2sein.
(Anmerkung:beiAufenthaltineinemnicht-LPS-Stromkreis)BERSTROMSCHUTZEingutzugnglicheraufgeführterberstromschutzmitAbzweigstromkreisund15AStrkemussfürjedeStromeingabeinderGebudeverkabelungintegriertsein.
SafetyInstructionsCheckPointDDoSProtectorGettingStartedGuide|16AUSTAUSCHBAREBATTERIENWirdeinGertmiteineraustauschbarenBatteriegeliefertundfürdieseBatteriedurcheinenfalschenBatterietypersetzt,knntedieszueinerExplosionführen.
DiestrifftzufürmancheArtenvonLithiumsbatterienzu,unddasfolgendegilteszubeachten:WirddieBatterieineinemBereichfürBedienereingesetzt,findetsichinderNhederBatterieeineMarkierungoderErklrungsowohlimBetriebshandbuchalsauchinderWartungsanleitung.
IstdieBatterieaneineranderenStelleimGerteingesetzt,findetsichinderNhederBatterieeineMarkierungodereinerErklrunginderWartungsanleitung.
DieseMarkierungoderErklrungenthltdenfolgendenWarntext:VORSICHTEXPLOSIONSGEFAHR,FALLSBATTERIEDURCHEINENFALSCHENBATTERIETYPERSETZTWIRD.
GEBRAUCHTEBATTERIENDENANWEISUNGENENTSPRECHENDENTSORGEN.
Denmark-"UnitisclassI-mitWechselstromkabelbenutzen,dassfürdieAbweichungeninDnemarkeingestelltist.
DasKabelistmiteinemErdungsdrahtversehen.
DasKabelwirdineinegeerdeteWandsteckdoseangeschlossen.
KeineSteckdosenohneErdungsleitungverwenden!
"Finland-(MarkierungsetikettundimHandbuch)-LaiteonliitettvsuojamaadoituskoskettimillavarustettuunpistorasiaanNorway-(MarkierungsetikettundimHandbuch)-ApparatetmtilkoplesjordetstikkontaktAusschlielichfürAnschlussanIT-NetzstromsystemeinNorwegenvorgesehenSweden-(MarkierungsetikettundimHandbuch)-Apparatenskallanslutastilljordatuttag.
AnschlussdesStromkabels:1.
SchlieenSiedasStromkabelandenHauptanschlussaufderRückseitedesGertesan.
2.
SchlieenSiedasStromkabelandengeerdetenWechselstromanschlussan.
VORSICHTStromschlag-undEnergiegefahrDieTrennungeinerStromquelletrenntnureinStromversorgungsmodulvonderStromversorgung.
UmdasGertkomplettzuisolieren,mussesvondergesamtenStromversorgunggetrenntwerden.
Vorsicht-ZurReduzierungderStromschlag-undFeuergefahr1.
DiesesGertistdazuausgelegt,dieVerbindungzwischendergeerdetenLeitungdesGleichstromkreisesunddemErdungsleiterdesGerteszuermglichen.
SieheMontageanleitung.
2.
WartungsarbeitenjeglicherArtdürfennurvonqualifiziertemServicepersonalausgeführtwerden.
EsgibtinnerhalbdesGerteskeinevomBenutzerzuwartendenTeile.
3.
VersuchenSienicht,einoffensichtlichbeschdigtesGertandenStromkreisanzuschlieen,einzuschaltenoderzubetreiben.
4.
VergewissernSiesich,dasssieLüftungsffnungenimGehusedesGertesNICHTBLOCKIERTSIND.
5.
ErsetzenSieeinedurchgebrannteSicherungausschlielichmitdemselbenTypundvonderselbenStrke,dieaufdemSicherheitsetikettangeführtsind,dassichnebendemStromkabelanschluss,amSicherungsgehuse.
6.
BetreibenSiedasGertnichtaneinemStandort,andemdieHchsttemperaturderUmgebung40°Cüberschreitet.
7.
VergewissernSiesich,dasStromkabelausdemWandsteckerzuziehen,BEVORSiedieHauptsicherungentfernenund/oderprüfen.
CheckPointDDoSProtectorGettingStartedGuide|17Chapter3Pre-InstallationCheckingtheContentsBeforebeginningtheinstallation,verifythatallcomponentsareincludedaslistedinthepackinglistdocumentattachedtothedevicebox.
Ifyouaremissinganyofthecomponents,contactCheckPointTechnicalSupport.
ConnectionsandGroundingCaution-Theintra-buildingport(s)oftheequipmentorsubassemblyissuitableforconnectiontointra-buildingorunexposedwiringorcablingonly.
Theintra-buildingport(s)oftheequipmentorsubassemblyMUSTNOTbemetallicallyconnectedtointerfacesthatconnecttotheOSPoritswiring.
Theseinterfacesaredesignedforuseasintra-buildinginterfacesonly(Type2orType4portsasdescribedinGR-1089-CORE,Issue4)andrequireisolationfromtheexposedOSPcabling.
TheadditionofPrimaryProtectorsisnotsufficientprotectioninordertoconnecttheseinterfacesmetallicallytoOSPwiring.
Onlycoppercables,18AWGorlarger,mustbeusedforgroundingpurposes.
WhenmountingaCheckPointDDoSProtectorplatformwithaDCpowersupply,batteryreturnterminalsmustbeintheconfigurationofanIsolatedDCReturn(DC-I)orCommonDCReturn(DC-C).
ThefollowingdiagramshowsthepropergroundingconnectiontoaCheckPointDDoSProtectorplatform.
ProperGroundingTheCheckPointDDoSProtectorplatformmustbeconnectedtothegroundingwirebymeansofthegroundingscrewusingthelistedlug.
Bareconductorsmustbecoatedwithantioxidantbeforemakingcrimpconnections.
Astarwasher(toothwasher)mustbeusednexttooppositesidesofthegroundinglugorterminal.
Thisprovidestheproperlockingmechanism.
Theinternaltoothwasherremovespaintfromthechassistoestablishametal-to-metalcontacttotheun-platedsurface.
PortCablesEthernetportcablesshouldbeshieldedandgroundedatbothends.
Pre-InstallationCheckPointDDoSProtectorGettingStartedGuide|18MountingthePlatformTheplatformcanbeeitherrack-mountedormountedonatabletop.
Thepackageincludesbracketstoenablerack-mountingofthedevice.
Rubberfeetareattachedtothebottomofthedevicetoenabletabletopmounting.
Caution-Afteryoumounttheplatform,ensurethatthereisadequateairflowsurroundingit.
Torack-mounttheplatform:1.
Attachonebrackettoeachsideofthedevice,usingthescrewsprovided.
2.
Attachtheplatformtotherackwiththemountingscrews.
3.
Connectatleastonegroundwirefromtheplatformchassistotherack.
Typically,theplatformhasoneortwo,special,groundscrewsonthebackpanelnearthescrewsthatsecurethepowersupply.
Caution-Reliablegroundingofrack-mountedequipmentshouldbemaintained.
Particularattentionshouldbegiventosupplyconnectionsotherthandirectconnectionstothebranchcircuit(forexample,useofpowerstrips).
Therackmustbeproperlygrounded.
Caution-Installationoftheequipmentinarackshouldbesuchthattheamountofairflowrequiredforsafeoperationoftheequipmentisnotcompromised.
Caution-Mountingoftheequipmentintherackshouldbesuchthatahazardousconditionisnotachievedduetounevenmechanicalloading.
Caution-Considerationshouldbegiventotheconnectionoftheequipmenttothesupplycircuitandtheeffectthatoverloadingofthecircuitsmighthaveonovercurrentprotectionandsupplywiring.
Appropriateconsiderationofequipmentnameplateratingsshouldbeusedwhenaddressingthisconcern.
Caution-Ifinstalledinaclosedormulti-unitrackassembly,theoperatingambienttemperatureoftherackenvironmentmaybegreaterthanroomambient.
Therefore,considerationshouldbegiventoinstallingtheequipmentinanenvironmentcompatiblewiththemaximumambienttemperature(Tma).
Caution-IftheplatformisequippedwithanACpowersupply,connectingagroundwireisnotrequired,butisrecommended.
VerifyingAccessibilityofManagementCommunicationPortsCheckPointDDoSProtectormanagementinterfacescommunicatewithvariousUDP/TCPportsusingHTTPS,HTTP,Telnet,andSSH.
Ifyouintendtousetheseinterfaces,ensuretheyareaccessibleandnotblockedbyyourfirewall.
ConnectingCablestoPlatformsConnectingCablestotheDPx06SeriesPlatformTheinformationinthissectioniscorrectforthebasic,platformmodelandthesub-models.
Note-CheckPointsuppliesaRJ-45–to–DE-9adaptercabletoconnecttheconsoleportoftheplatformtoaconsolePC.
Pre-InstallationCheckPointDDoSProtectorGettingStartedGuide|19ConnectthecablestoaDPx06seriesplatforminthefollowingorder:1.
Insertthe8P8CconnectoroftheRJ-45–to–DE-9adaptercabletotheportlabeledCONSOLE.
2.
InserttheDE-9connectoroftheRJ-45–to–DE-9adaptercabletotheconsolePC.
3.
IfyouaregoingtouseportMNG1forout-of-bandmanagement,connectacabletotheportlabeledMNG1.
4.
Connectthetraffic-portcablestotheplatform.
5.
Connectthepowercabletothepowersocketlocatedontherearpaneloftheplatform.
6.
Connectthepowercabletothepoweroutlet.
ConnectingCablestoDPx412SeriesPlatformsTheinformationinthissectionappliestothebasicplatformmodelsandthesub-models.
ConnectthecablestoaDPx412Seriesplatforminthefollowingorder:1.
Insertthe8P8CconnectoroftheRJ-45–to–DE-9adaptercabletotheportlabeledCONSOLE.
2.
Insertthe8P8CconnectoroftheRJ-45–to–DE-9adaptercabletotheportlabeledCONSOLE.
3.
Connectthecablesinthefollowingorder:a)Powercableb)Serial(RS-232)cablec)Managementportcable(Ethernet10/100/1000)totherelevantport,MNG1orMNG2.
d)Traffic-portcables4.
Connectthepowercable/stothepowersocket/slocatedontherearpanelofthedevice.
5.
Connectthepowercable/stothepoweroutlet/s.
6.
Connecttheserialcabletotheplatform.
7.
Connecttheserialcabletoyourconsole.
CheckPointDDoSProtectorGettingStartedGuide|20Chapter4InstallingCheckPointDDoSProtectorThischapterexplainshowtoinstallaCheckPointDDoSProtectordevice.
ThetermdevicereferstothephysicalplatformandtheCheckPointDDoSProtectorproductsoftware.
DPx06SeriesDP506,1006,and2006,runontheDPx06seriesplatform.
DPx06SeriesFrontPanelFeatureLabel/DescriptionPowerbutton.
Turnspoweronandoff.
Pressingthebuttonfor1to4secondscausesagracefulshutdownofthesystem,thuspreservingsystemintegrity.
Pressingthebuttonformorethanfour(4)secondscausesthehardwaretopowerdown.
Resetbutton.
Resetsthedevice.
SerialRJ-45portforout-of-bandmanagement.
Note:CheckPointsuppliesaRJ-45–to–DE-9adaptercabletoconnecttheconsoleportoftheplatformtoaconsolePC.
USBportforrecoveryandfiletransfer.
RJ-45GbEportsfortrafficandin-bandmanagement.
TheplatformsupportsfourRJ-45GbEportsfortrafficandtwoportsformanagement.
LEDs:ACT-Flashingindicatesactivity.
LINK-Greenindicates1000Mbit/s.
Yellowindicates10or100Mbit/s.
SFPGbEportsfortraffic.
TheplatformsupportstwoSFPGbEportsfortrafficportsfortraffic.
LEDs:ACT-Flashingindicatesactivity.
LINK-Greenindicates1000Mbit/s.
StatusLEDs:PWROK-Greenindicatesnominaloperation.
WhentheLEDisred,aqualifiedservicepersonshouldimmediatelycheckthepowersourceandthepowersupply.
SYSOK-Greenindicatesnominaloperation.
Redindicatesthatthedeviceisbooting.
Redoralternatingredandgreenindicatesawarning(forexample,thetemperatureishigh,butstillintheallowedrange).
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|21DPx06SeriesBackPanelFeatureLabel/DescriptionGroundscrewsScrewstogroundtheplatformchassistotherack.
1Uunitshaveonegroundscrew.
Typically,2Uunitshavetwogroundscrews.
Powersupplysocket(s)Thesockettowhichthepowercableisconnected.
Note-Ifthepowerisdisconnectedandreconnected(forexample,afterthepowercordisremovedandreplaced,orafterapowerfailure),theplatformreturnstoitspreviousstate.
Forexample,iftheplatformwasrunning,andthenyoudisconnectthepowercord,whenyoureconnectthepowercord,theplatformautomaticallyswitcheson.
Likewise,iftheplatformisnotrunning,ifyoudisconnectthepowercordandreconnectit,theplatformstayspoweredoffuntilyoupressthepowerbutton.
DPx412SeriesDP4412,8412,and12412runonDPx412Series.
DPx412SeriesFrontPanelFeatureLabel/Description10GigabitEthernet(10GbE)portsfortrafficormanagement.
TheplatformsupportsfourXFPports.
LEDs:ACT-Flashingindicatesactivity.
LINK-Greenindicates10GbE.
SFPGbEportsfortrafficormanagement.
TheplatformsupportsfourSFPports.
LEDs:ACT-Flashingindicatesactivity.
LINK-Greenindicates1000Mbit/s.
RJ-45GbEportsfortrafficormanagement.
TheplatformsupportseightGbEports.
LEDs:ACT-Flashingindicatesactivity.
LINK-Greenindicates1000Mbit/s.
Yellowindicates10or100Mbit/s.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|22FeatureLabel/DescriptionPowerbutton.
Turnspoweronandoff.
Pressingthebuttonfor1to4secondscausesagracefulshutdownofthesystem,thuspreservingsystemintegrity.
Pressingthebuttonformorethanfour(4)secondscausesthehardwaretopowerdown.
Resetbutton.
Resetsthedevice.
USBportforrecoveryandfiletransfer.
Managementports.
TheplatformsupportstwoRJ-4510/100/1000Ethernetports,whichareformanagementonly.
LEDs:ACT-Flashingindicatesactivity.
LINK-Greenindicates1000Mbit/s.
Yellowindicates10or100Mbit/s.
RS-232DE-9portforout-of-bandmanagement.
StatusLEDs:PWR-Greenindicatesnominaloperation.
Whentheplatformcarriesadualpowersupply,redindicatesthatoneofthetwopowercablesisnotsupplyingpowerorthatoneofthepowersuppliesismalfunctioning.
WhentheLEDisred,aqualifiedservicepersonshouldimmediatelycheckthepowersourceandthepowersupply.
FAN-Greenindicatesnominaloperation.
Redindicatesthatoneormorefansisnotoperating.
SYSOK-Greenindicatesnominaloperation.
Redindicatesthatthedeviceisbooting.
Redoralternatingredandgreenindicatesawarning(forexample,thetemperatureishigh,butstillintheallowedrange).
DPx412SeriesBackPanelFeatureLabel/DescriptionPowersupplysocket(s)Thesockettowhichthepowercableisconnected.
CompactFlashInsertionpointforCompactFlashcard.
GroundscrewsScrewstogroundtheplatformchassistotherack.
1Uunitshaveonegroundscrew.
Typically,2Uunitshavetwogroundscrews.
Note-Ifthepowerisdisconnectedandreconnected(forexample,afterthepowercordisremovedandreplaced,orafterapowerfailure),theplatformreturnstoitspreviousstate.
Forexample,iftheplatformwasrunning,andthenyoudisconnectthepowercord,whenyoureconnectthepowercord,theplatformautomaticallyswitcheson.
Likewise,iftheplatformisnotrunning,ifyoudisconnectthepowercordandreconnectit,theplatformstayspoweredoffuntilyoupressthepowerbutton.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|23LCDModuleforDPx412SeriesDPx412seriesplatformssupportanLCDmodule,whichconsistsoftheLCDitselfandLCDmenubuttons.
DPx412SeriesLCDYoucanusetheLCDmodulefordetaileddevicemonitoringandfortheinitialconfigurationofthemanagementport.
LCDMenuButtonsTherearesixfunctionalLCDmenubuttons:uparrow,downarrow,leftarrow,rightarrow,Enter(),andEscape(*).
Presstheupordownbuttonstoselectdifferentmenuswithinthemenuhierarchies.
Presstherightbuttontochoosetheselectedmenu.
Presstheleftbuttontoreturntothepreviouslevelinthehierarchy.
IfyouareconfiguringtheDPx412seriesplatformforthefirsttime,thebuttonshaveadditionalfunctionality(see"InitialConfigurationoftheManagementPortUsingtheLCDModule").
NominalDisplayWhenyouturnonanOnDemandSwitch,theLCDdisplays:ODSLoadingDuringthebootprocess,thethirdline,Loading…,changestoLoadedBoot.
Aftertheinitialconfiguration,whenthedevicecompletesbooting—orafter30minuteswithoutanyactivity,theLCDdisplays:Time:InitialConfigurationoftheManagementPortUsingtheLCDModuleWhenyouturnontheDPx412seriesplatformforthefirsttime,thereisnodefinedIPaddress,subnetmask,orphysicalportforthemanagementportofthedevice.
YoucandefinetheseparametersusingtheLCDmoduleaftertheplatformbootsanddisplaysSetupConfig.
Caution-WhentheLCDdisplaysSetupConfig,youhave30secondstoenterthesetupconfiguration.
Afterthese30secondselapse,theplatformusesthedefaults,192.
168.
1.
1,255.
255.
255.
0,andG-1respectively.
However,later,usingtheCLI,youcanchangethevaluesasrequired.
WhenyouconfigurethemanagementIPaddressandIPsubnetmaskusingtheLCDmodule,thebuttonshavethefollowingadditionalfunctionality:Theupanddownarrowbuttonsincreaseordecreasenumbers.
Theleftandrightarrowbuttonsmovethecursortothenextdigitorreturnsthecursortothepreviousnumber.
AttheendofthemanagementIPaddressorsubnetmask,therightarrowbuttonmovesthecursortothenextfieldinthismenu.
Toreturntothepreviousfield,presstheleftarrowbutton.
Enter()tosetthevalues.
Escape(*)leavesthevalueunchanged.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|24ToconfigurethemanagementportusingtheLCDmodule:1.
TurnontheDPx412seriesplatform.
Thebootprocessstarts.
2.
Within30secondsaftertheLCDdisplaysSetupConfig,presstherightarrow.
TheLCDdisplaysIPaddresswiththevalue000.
000.
000.
000,andthecursoronthefirstnumber.
3.
EntertheIPaddressofthemanagementportfortheCheckPointDDoSProtector.
4.
Presstherightarrowbutton.
TheLCDdisplaysIPsubnetmaskwiththevalue255.
000.
000.
000.
5.
EntertheIPsubnetmaskofthemanagementportfortheCheckPointDDoSProtector.
6.
Presstherightarrowbutton.
TheLCDdisplaystheselectedmanagementport.
7.
Scrolldowntothephysicalportthatyouwanttouseasthemanagementport(forexample,MNG-1).
8.
Presstherightarrowbutton.
TheLCDdisplaysEnablewebanditsvalue,YesorNo.
9.
PresstheuparrowforYes.
PressthedownarrowforNo.
10.
Presstherightarrowbutton.
TheLCDdisplaysEnabletelnetanditsvalue,YesorNo.
11.
PresstheuparrowforYes.
PressthedownarrowforNo.
12.
Presstherightarrowbutton.
TheLCDdisplaysEnableSSHanditsvalue,YesorNo.
13.
PresstheuparrowforYes.
PressthedownarrowforNo.
14.
Presstosaveandexitthestartupconfiguration.
TheCheckPointDDoSProtectorrebootswithyourconfiguration.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|25LCDMenusAftertheCheckPointDDoSProtectorboots,pressanyoftheLCDbuttonstoaccesstheLCDmenus.
MenuSubmenuSubsubmenuRemarkDeviceInformationPlatformPlatformtypeandversion.
ProductProduct.
VersionVersionofproduct.
MACMACaddressoftheplatform.
SerialTheserialnumberofthedevice.
PowersupplySinglepowersupplyordualpowersupply.
NumberofCPUsNumberofCPUs.
NumberofcoresNumberofCPUcores.
CPUutilCPUutilizationinpercent.
CPUtempCPUtemperatureinCentigrade.
MemoryRAMinmegabytes.
Statistics(seetheNotebelow)PortstatisticsPortPortidentifier,forexampleG-1.
PortstatusEitherupordown.
Pkt:in/outKNumberofinputandoutputpacketsinthousandspersecond.
DisplayedonlywhenPortstatusisup.
Byt:in/OutMBAmountofinputandoutputmegabytespersecond.
DisplayedonlywhenPortstatusisup.
SettingsLCDContrastContrastIncreaseordecreaseLCDcontrastusingtherightandleftarrowbuttons.
LCDBacklightBacklightIncreaseordecreaseLCDbacklightintensityusingtherightandleftarrowbuttons.
SerialBaudRateSerialbaudrateTheselectedrateisenclosedinasterisks,forexample*19200*.
Pressthedownanduparrowbuttonstoscrollbetweenthevalues.
ShutdownShutdownShutdownEnter=YesEscape=NoRebootRebootEnter=YesEscape=NoNote-TheLCDdisplaysstatisticsperportandrefreshesthemeverysecond.
Thus,thepackets-in,packets-out,megabytes-in,andmegabytes-outvaluesarepersecond.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|26CheckPointDDoSProtectorBootCommandsThefollowingtableliststhebootcommandsthattheCheckPointDDoSProtectorplatformssupportandwhichyoumayuse.
FeatureLabel/DescriptionPrintthislist.
@Boot(loadandgo).
aPrintinstalledapplicationslist.
ePrintfatalexception.
Caution-SomebootcommandsareintendedonlyforusebyCheckPointTechnicalSupport.
ConnectingandInstallingCheckPointDDoSProtectorToconnectandinstallCheckPointDDoSProtector:1.
Connectthecablesinthefollowingorder:a)Powercable/sb)Serial(RS-232)cablec)Managementportcable(Ethernet10/100/1000)d)Inspectionportscables(twocablespersegment,copper-10/100/1000,orfiber)2.
Connectthepowercabletothepowersocketlocatedontherearpanelofthedevice.
3.
Connectthepowercabletothepoweroutlet.
4.
Connecttheserialcabletotheplatform.
5.
Connecttheserialcabletoyourconsole.
ConnectingtheManagementPortandInspectionPortCablesCheckPointDDoSProtectorplatformshaveportsforexclusivelyfortrafficinspectionandseparateportsforout-ofbandmanagement.
ConsiderationsWhenConnectingInspectionPortswithInternalBypassCheckPointDDoSProtectorisinstalledbetweentwoendpoints-forexample,betweenaswitchandarouter,betweentwoswitches,orbetweenaswitchandaserver.
TheRJ-45trafficportsonCheckPointDDoSProtectordevicesincludeaconfigurableinternalbypassmechanism.
WhensettoFailOpen,theinternalbypassisactivatedwhentheapplicationdoesnotcontrolthedevice,suchaspowerofforreboot.
Considerthefollowingwhenconnectingtocopper(RJ-45)portsfortrafficinspection:Whenturnedoff,thedeviceportsaresetasswitchports(MDIX).
Connectthedevicewiththepoweroffasyouwouldconnectaswitch.
Useastraight-throughcabletoconnectaserverorarouter.
Useacrossovercabletoconnectaswitch.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|27Makesureyourlinkisactive(internalbypassisworking).
Turnonthedeviceandmakesureyourlinkisactive.
Note-Cablesmaybepurchasedfromthird-partysuppliers.
ConfiguringManagementPortsTomanageCheckPointDDoSProtector,youneedtoconfigureamanagementportusinganIPaddress.
YoucanthenmanagethedevicewithanSSHClient,WebBasedManagement(WBM),orTelnet.
ConfiguringtheManagementPortfortheFirstTimeToconfigurethemanagementportforthefirsttime:1.
EnsurethatanASCIIconsoleisconnectedtothedevicethroughtheserialcableandthatconsolecomputeristurnedon.
ThefollowingprocedureusesHyperTerminalastheconsoleapplication.
2.
FromtheHyperTerminalopenwindow,selectFile>Properties,orclickthePropertiesiconinthetoolbar.
TheNewConnectionPropertiesdialogboxisdisplayed.
3.
IntheNewConnectionPropertiesdialogbox,selectConfigure.
ThePropertieswindowisdisplayedwiththePortSettingspane.
4.
InthePortSettingspane,setthefollowingparameters:Bitspersecond:19200Databits:8Parity:NoneStopbits:1Flowcontrol:None5.
Poweronthedevice.
ThePWRandSYSorSYSOKLEDindicatorsonthefrontpanellightup.
Thedevicestartsup.
Afterapproximatelyaminute,theStartupConfigurationwindowisdisplayed.
6.
IntheStartupConfigurationwindow,providetherequestedinformationfortheIPaddress,IPsubnetmask,portnumber,forthemanagementport,anddefaultrouterIPaddressparameters;andpressEnterforeachoftheremainingsettings.
Thedevicerebootsafterthelastparameterisdefined.
PressEntertoacceptdefaultvalues.
Ifnoconfigurationisenteredwithin30seconds,thedeviceappliesthefollowingdefaultconfiguration:IPAddress:192.
168.
1.
1IPsubnetmask:255.
255.
255.
0Portnumberformanagement.
ThedefaultisMNG-1.
Usernameandpassword:admin7.
Ifthestart-upconfigurationscreendoesnotappear,dothefollowing:a.
WaitforthepromptDefensePro#.
b.
TypeloginandpressEnter.
c.
Entertheusernameandpassword:User:adminPassword:admind.
ToviewthecurrentIPinterfacesettingofthedevice,enter:netip-interfacegete.
Toadd/modify/deletetheexistingIPInterface,enter:netip-interfacehelpInstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|28ModifyingtheRoutetotheManagementPortTomodifytheroutetothemanagementport:1.
ConnecttotheCheckPointDDoSProtectordeviceviatheserialport.
(Forinstructions,seesteps1through5inthepreviousprocedure,"Toconfigurethemanagementportforthefirsttime.
")2.
AttheCheckPointDDoSProtectorprompt(DefensePro#),dooneofthefollowing:ForDPx06Seriesdevices,selectingtheMNG-1managementport,enterthefollowingcommand:netroutetablecreate0.
0.
0.
0-i5ForDPx06Seriesdevices,selectingtheMNG-2managementport,enterthefollowingcommand:netroutetablecreate0.
0.
0.
0-i6ForDPx412Seriesdevices,selectingtheMNG-1managementport,enterthefollowingcommand:netroutetablecreate0.
0.
0.
0-i17ForDPx412Seriesdevices,selectingtheMNG-2managementport,enterthefollowingcommand:netroutetablecreate0.
0.
0.
0-i18Example:netroutetablecreate0.
0.
0.
00.
0.
0.
010.
202.
142.
42-i17EnablingHTTP/HTTPSandWebManagementAccessviatheSerialInterfaceTheproceduresinthefollowingchaptersusetheCheckPointDDoSProtectorWebinterface.
PerformthefollowingproceduretoenableHTTP/HTTPSandWebaccess.
ToenableHTTP/HTTPSaccessforWebBasedManagement:1.
ConnecttotheCheckPointDDoSProtectordeviceviatheserialport.
(Forinstructions,seesteps1through5intheprevioussection"ConfiguringManagementPorts"onpage27.
)2.
AttheCheckPointDDoSProtectorprompt(DefensePro#),toenableaccesstotheCheckPointDDoSProtectorWebinterface,enterthefollowingcommand:managemanagement-port-w3.
ToenableHTTPaccess,enterthefollowingcommand:managewebstatusset14.
ToenableHTTPSaccess,enterthefollowingcommand:managesecure-webstatusset1InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|29Chapter5ConfiguringRoutesCheckPointDDoSProtectorsupportsIProutingcompliantwithRFC1812routerrequirements.
DynamicadditionanddeletionofIPinterfacesissupported.
Thisensuresthatextremelylowlatencyismaintained.
IProutersupportsRIPI,RIPIIandOSPFroutingprotocols.
OSPFisanintra-domainIProutingprotocol,intendedtoreplaceRIPinbiggerormorecomplexnetworks.
OSPFanditsMIBaresupportedasspecifiedinRFC1583andRFC1850,withsomelimitations.
Note-TheprocedureinthischapterusestheCheckPointDDoSProtectorWebinterface.
TheCheckPointDDoSProtectorWebinterfaceissupportedbythefollowingInternetbrowsers:MicrosoftInternetExplorerversion6whenusingWindowsoperatingsystemsMicrosoftInternetExplorerversion7and8MozillawhenusingLinuxoperatingsystemsFirefoxToopentheCheckPointDDoSProtectorWebinterface:EntertheIPaddressoftheCheckPointDDoSProtectordeviceintheaddressbarofyourbrowser.
Toconfigureanentryintheroutingtable:1.
FromtheRoutermenu,selectRoutingTable>Create.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionDestinationAddressSpecifiesthedestinationIPaddressofthisrouter.
NetworkMaskSpecifiesthedestinationnetworkmaskofthisroute.
NextHopSpecifiestheaddressofthenextsystemofthisroute,localtotheinterface.
InterfaceIndexSpecifiestheIFIndexofthelocalinterfacethroughwhichthenexthopofthisrouteisreached.
TypeSpecifieshowCheckPointDDoSProtectorhandlesremoterouting.
Values:Remote-Forwardspackets.
Reject-Discardspackets.
MetricSpecifiesthenumberofhopstothedestinationnetwork.
CheckPointDDoSProtectorGettingStartedGuide|30Chapter6ConfiguringHTTP,HTTPS,andSSHAccessNote-TheprocedureinthischapterusestheCheckPointDDoSProtectorWebinterface.
TheCheckPointDDoSProtectorWebinterfaceissupportedbythefollowingInternetbrowsers:MicrosoftInternetExplorerversion6whenusingWindowsoperatingsystemsMicrosoftInternetExplorerversion7and8MozillawhenusingLinuxoperatingsystemsFirefoxToopentheCheckPointDDoSProtectorWebinterface:EntertheIPaddressoftheCheckPointDDoSProtectordeviceintheaddressbarofyourbrowser.
Toconfigurewhichprotocolsthemanagementportallows:1.
FromtheSecuritymenu,selectManagementPorts.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionSNMPSpecifieswhetherthemanagementportallowsSNMPaccess.
TELNETSpecifieswhetherthemanagementportallowsTelnetaccess.
SSHSpecifieswhetherthemanagementportallowsSSHaccess.
WEBSpecifieswhetherthemanagementportallowsWebaccess.
SSLSpecifieswhetherthemanagementportallowsSSLaccess.
ToconfigureHTTP(Web)access:1.
FromtheServicesmenu,selectManagementInterfaces>WebServer>Web.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionWebServerPortSpecifiestheporttowhichtheWebBasedManagementisassigned.
WebServerStatusEnablesordisablesthestatusoftheWebserver.
WebHelpLocationSpecifiesthelocation(path)oftheWebhelpfiles.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|31FieldNameDescriptionWebAccessLevelValues:readWrite,readOnlyToconfigureHTTPS(SecureWeb)access:1.
FromtheServicesmenu,selectManagementInterfaces>WebServer>SecureWeb.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionSecuredWebPortSpecifiestheportthroughwhichHTTPSgetsrequests.
SecuredWebStatusEnablesordisablesthestatusoftheWebserver.
SecuredWebCertificateFileSpecifiesthecertificatefilethatisusedbysecureWebforencryption.
ToconfigureSSHaccess:1.
FromtheServicesmenu,selectManagementInterfaces>SSH>Server.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionSSHPortSpecifiesthesourceportfortheSSHserverconnection.
SSHStatusEnablesordisablestheSSHfeature.
Whendisabled,SSHconnectionisnotpossible.
SSHSessionTimeoutSpecifiesthetimeout,inminutes,forthedevicetomaintainconnectionduringperiodsofinactivityforTelnetandSSH.
Values:0-Specifiesunlimited.
1-120SSHAuthenticationTimeoutSpecifiesthetimeout,inseconds,forthedevicetocontinuetryingtoauthorizetheconnectionforTelnetandSSH.
Values:0-Specifiesunlimited.
1-120CheckPointDDoSProtectorGettingStartedGuide|32Chapter7ConfiguringaNetworkProtectionPolicyandNetworkProtectionProfilesConfigureaNetworkProtectionpolicyafteryouhaveconfiguredalltheprotectionprofilesthatyouwanttoincludeinthepolicy.
Note-TheproceduresinthischapterusetheCheckPointDDoSProtectorWebinterface.
TheCheckPointDDoSProtectorWebinterfaceissupportedbythefollowingInternetbrowsers:MicrosoftInternetExplorerversion6whenusingWindowsoperatingsystemsMicrosoftInternetExplorerversion7and8MozillawhenusingLinuxoperatingsystemsFirefoxToopentheCheckPointDDoSProtectorWebinterface:EntertheIPaddressoftheCheckPointDDoSProtectordeviceintheaddressbarofyourbrowser.
ConfiguringaNetworkProtectionPolicyToconfigureaNetworkPolicy:1.
FromtheDDoSProtectormenu,selectPolicies>Table>Create.
2.
Configurethefields.
Note–Usetheuppermenubartojumptotheconfigurationpanefortheprotectionprofiles.
3.
ClickSet.
4.
FromtheDefensePromenu,selectUpdatePolicies.
5.
ClickSet.
FieldNameDescriptionorRecommendedValueNameTypealabeltonamethenetworkpolicy.
DirectionSelecttwoway.
SourceAddressCheckPointrecommendsthevalueany.
Specifiesthesourceaddressoutsidenetworkclassification.
DestinationAddressSpecifiestheprotectednetworkclassification.
YoucandefinethisasCIDRorusingaNetworkClassvalue.
StateSelectactive.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|33FieldNameDescriptionorRecommendedValueActionSelectBlockandReportorReportOnly.
BehavioralDosProfileSelecttherequiredprofile.
SignaturesProfileSelectDoS-All.
Note:TheDoSShieldfeaturemustbeenabled.
Formoreinformation,see"ConfiguringDoSShield.
"ConnectionLimitSelecttherequiredprofile.
DNSprotectionProfileSelecttherequiredprofile.
SYNProtectionProfileSelecttherequiredprofile.
ConfiguringBehavioralDoSProfilesEachBehavioralDoSprofilemustbeconfiguredforaparticularNetworkProtectionpolicy.
ThetrafficthattheprofiledescribesneedstoreflecttheactualtrafficmeasurementsoftheNetworkProtectionpolicy.
BeforeyoucanconfigureaBehavioralDoSprofile,youneedtoenabletheBehavioralDoSfeature.
ToenabletheBehavioralDoSfeature:1.
FromtheDDoSProtectormenu,selectDenialofService>BehavioralDoS>GlobalParameters.
2.
FromtheBehavioralDoSStatusdrop-downlist,selectenable.
3.
ClickSet.
ToconfigureaBehavioralDoSprofile:1.
FromtheDefensePromenu,selectDenialofService>BehavioralDoS>BehavioralDoSProfiles>Create.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionorRecommendedValueProfileNameTheuser-definednamefortheprofile.
SYNFloodstatusSpecifieswhetherthisprofileprotectsagainstSYNFloodattacks.
Default:InactiveTCPResetFloodstatusSpecifieswhetherthisprofileprotectsagainstTCPResetFloodattacks.
Default:InactiveTCPFIN+ACKFloodstatusSpecifieswhetherthisprofileprotectsagainstTCPFIN+ACKFloodattacks.
Default:InactiveTCPSYN+ACKFloodstatusSpecifieswhetherthisprofileprotectsagainstTCPSYN+ACKFloodattacks.
Default:InactiveTCPFragmentedFloodstatusSpecifieswhetherthisprofileprotectsagainstTCPFragmentedFloodattacks.
Default:InactiveUDPFloodstatusSpecifieswhetherthisprofileprotectsagainstUDPFloodattacks.
Default:InactiveInstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|34FieldNameDescriptionorRecommendedValueIGMPFloodstatusSpecifieswhetherthisprofileprotectsagainstIGMPFloodattacks.
Default:InactiveICMPFloodstatusSpecifieswhetherthisprofileprotectsagainstICMPFloodattacks.
Default:InactiveConfigurationoftheinboundtrafficin[Kbit/Sec]Specifiesthehighestexpectedvolume,inKbit/s,ofinboundtrafficinKbit/s,ontherelevantnetworksegment.
Configurationoftheoutboundtrafficin[Kbit/Sec]Specifiesthehighestexpectedvolume,inKbit/s,ofoutboundtraffic,ontherelevantnetworksegment.
PacketReportStatusSelectdisable.
PacketTraceStatusSelectdisable.
ConfiguringaDNSProtectionProfileEachDNSProtectionprofilemustbeconfiguredforaparticularNetworkProtectionpolicy.
ThetrafficthattheprofiledescribesneedstoreflecttheactualtrafficmeasurementsoftheNetworkProtectionpolicy.
BeforeyoucanconfigureaDNSProtectionprofile,youneedtoenabletheDNSProtectionfeature.
ToenabletheDNSProtectionfeature:1.
FromtheDefensePromenu,selectDenialofService>DNSProtection>GlobalParameters.
2.
FromtheDNSProtectionStatusdrop-downlist,selectenable.
3.
ClickSet.
ToconfigureaDNSProtectionprofile:1.
FromtheDefensePromenu,selectDenialofService>DNSProtection>DNSProtectionProfiles>Create.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionorRecommendedValueProfileNameSpecifiestheuser-definednamefortheprofile.
ExpectedQPSSpecifiestheexpectedQPS.
DNSAFloodstatusSpecifieswhetherthisprofileprotectsagainsttheseattacks.
Default:InactiveDNSAQuota[%]Setavalueorusethedefault.
Thedevicedisplaysthevalue0untilyouclickSetandresetthedevice.
Then,theactualdefaultvalueisdisplayed.
DNSMXFloodstatusSpecifieswhetherthisprofileprotectsagainsttheseattacks.
Default:InactiveDNSMXQuota[%]Setavalueorusethedefault.
Thedevicedisplaysthevalue0untilyouclickSetandresetthedevice.
Then,theactualdefaultvalueisdisplayed.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|35FieldNameDescriptionorRecommendedValueDNSPTRFloodstatusSpecifieswhetherthisprofileprotectsagainsttheseattacks.
Default:InactiveDNSPTRQuota[%]Setavalueorusethedefault.
Thedevicedisplaysthevalue0untilyouclickSetandresetthedevice.
Then,theactualdefaultvalueisdisplayed.
DNSAAAAFloodstatusSpecifieswhetherthisprofileprotectsagainsttheseattacks.
Default:InactiveDNSAAAAQuota[%]Setavalueorusethedefault.
Thedevicedisplaysthevalue0untilyouclickSetandresetthedevice.
Then,theactualdefaultvalueisdisplayed.
DNSTEXTFloodstatusSpecifieswhetherthisprofileprotectsagainsttheseattacks.
Default:InactiveDNSTEXTQuota[%]Setavalueorusethedefault.
Thedevicedisplaysthevalue0untilyouclickSetandresetthedevice.
Then,theactualdefaultvalueisdisplayed.
DNSSOAFloodstatusSpecifieswhetherthisprofileprotectsagainsttheseattacks.
Default:InactiveDNSSOAQuota[%]Setavalueorusethedefault.
Thedevicedisplaysthevalue0untilyouclickSetandresetthedevice.
Then,theactualdefaultvalueisdisplayed.
DNSNAPTRFloodstatusSpecifieswhetherthisprofileprotectsagainsttheseattacks.
Default:InactiveDNSNAPTRQuota[%]Setavalueorusethedefault.
Thedevicedisplaysthevalue0untilyouclickSetandresetthedevice.
Then,theactualdefaultvalueisdisplayed.
DNSSRVFloodstatusSpecifieswhetherthisprofileprotectsagainsttheseattacks.
Default:InactiveDNSSRVQuota[%]Setavalueorusethedefault.
Thedevicedisplaysthevalue0untilyouclickSetandresetthedevice.
Then,theactualdefaultvalueisdisplayed.
DNSOTHERFloodstatusSpecifieswhetherthisprofileprotectsagainsttheseattacks.
Default:InactiveDNSOTHERQuota[%]Setavalueorusethedefault.
Thedevicedisplaysthevalue0untilyouclickSetandresetthedevice.
Then,theactualdefaultvalueisdisplayed.
MaxAllowedQPSSpecifiesthemaximumallowedQPS.
SignatureRateLimitTargetSettherequiredvalue.
PacketReportStatusSelectdisable.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|36FieldNameDescriptionorRecommendedValuePacketTraceStatusSelectdisable.
ActionSelectBlockandReport.
ConfiguringDoSShieldProtectionTheDoSShieldmechanismimplementsasamplingalgorithm,anddetectstrafficflooding.
TheDoSShieldprotectionisexposedastheDoS-AlloptionfortheSignaturesProfileparameterinaNetworkProtectionpolicy.
ToconfigureDoSShieldglobalparameters:1.
FromtheDefensePromenu,selectIntrusionProtection>SignatureProtection>DoSShield>GlobalParameters.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionorRecommendedValueProtectionStatusSelectenable.
SamplingRateTherateatwhichtheDoSShieldmechanismsamplesapackettocheckforanattack.
Forexample,ifthespecifiedvalueis5001,theDoSShieldmechanismchecks1outof5001packets.
Default:5001SamplingFrequencyHowoften,inseconds,theDoSShieldmechanismcomparesthepredefinedthresholdsforeachdormantattacktothecurrentvalueofpacketcountersmatchingtheattack.
Default:5Note:Ifthesamplingtimeisveryshort,therearefrequentcomparisonsofcounterstothresholds,soregulartrafficburstsmightbeconsideredattacks.
Ifthesamplingtimeistoolong,theDoSShieldmechanismcannotdetectrealattacksquicklyenough.
ConfiguringPacketAnomaliesProtectionPacketAnomaliesisaglobalprotection,whichisnotrelatedtoaNetworkProtectionpolicyorServerProtectionpolicy.
Generally,wheneverapacketmatchingoneofthepredefinedchecksarrives,itisautomaticallyblocked,discarded,andreported.
However,ifyourequire,youcanallowcertainanomaloustraffictoflowthroughthedevicewithoutinspection.
ToconfigurethePacketAnomaliesparameters:1.
FromtheDefensePromenu,selectPacketAnomalies>Table.
2.
FromthePacketTraceStatusdrop-downlist,selectdisable.
3.
Tomodifytheconfigurationofapacketanomaly:a.
SelecttherelevantIDfromthetable.
b.
Configurethefields.
c.
ClickSet.
4.
ClickSet.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|37FieldNameDescriptionorRecommendedValueID(Read-only)TheIDnumberoftheanomaly.
Name(Read-only)Thenameoftheanomaly.
RiskSpecifiestheriskvalueforreporting.
Values:InfoLowMediumHighActionValues:no-reportreportblockReportAction(Read-only)TheactionthatthedevicedoeswhentheActionisreportorno-report.
Values:Bypass-Theanomalouspacketisforwardedtothedestinationwithnofurtherinspection.
Process-Theanomalouspacketcontinuestobeinspectedbytheprotectionmodules.
ConfiguringaConnectionLimitProfileToconfigureaConnectionLimitprofile,firstconfiguretheAttackdefinitionsfortheprofile.
MultipleConnectionLimitprofilescanusethesameAttackdefinitions.
ChangestoanAttackdefinitionapplytoalltheConnectionLimitprofilesthatuseit.
ToconfigurethedefinitionofanAttackforaConnectionLimitprofile:1.
FromtheDefensePromenu,selectDenialofService>ConnectionLimit>Attacks>Create.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionorRecommendedValueIDEnter0.
Thesystemgeneratesanidentifier,beginningwith450000,whenyouclickSet.
Afterwards,theIDisread-only.
AttackNameAuser-definednameforeasyidentificationoftheattack.
DestinationApp.
PortSpecifiestheapplicationportorportsofthedestination.
Values:ALayer4portthatrepresentstheapplicationyouwanttoprotect.
AnApplication-Port-Groupclass,stringobject,forexampleh.
Ablankfieldspecifiesanyport.
Note:YoucanmodifyandconfigureApplicationPortGroupclasses.
Formoreinformation,see"ViewingandConfiguringApplication-Port-GroupClasses.
"InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|38ProtocolSpecifiestheLayer4protocoloftheapplicationyouwanttoprotect.
Values:tcp,udpThresholdSpecifiesthemaximumnumberofnewTCPconnections,ornewUDPsessions,persecond,allowedforeachsource,destinationorsource-and-destinationpair.
Alladditionalsessionsaredropped.
Whenthethresholdisreached,attacksareidentifiedandasecurityeventgenerated.
TrackingTypeSpecifiestheLayer3parametersaccordingtowhichyouwanttotracksessions.
Values:SourceCount-SessionsarecountedpersourceIPaddress.
TargetCount-SessionsarecountedperdestinationIPaddress.
SourceandTargetCount-Sessionsarecountedpersource-anddestination-IP-addresscombination.
Note:WhentheTrackingTypeisTargetCount,theSuspendActioncanonlybeNone.
ActionModeSpecifiestheactionthatthedevicetakesforsessionsthatareoverthethreshold.
Values:ReportOnly,Drop,ResetSourcePacketReportSelectdisable.
RiskSpecifiestheriskassignedtothisAttack.
Values:Low,Medium,HighSuspendActionSpecifieswhetherthesourceIPaddressesthatwereidentifiedasthesourceofthefloodingattackaresuspended.
Values:None-Thesuspendactionisdisabledforthisattack.
SrcIP-AlltrafficfromtheIPaddressidentifiedassourceofthisattackissuspended.
SrcIP\,DestIP-TrafficfromtheIPaddressidentifiedassourceofthisattacktothedestinationIPunderattackissuspended.
SrcIP\,DestPort-TrafficfromtheIPaddressidentifiedassourceofthisattacktotheapplication(destinationport)underattackissuspended.
SrcIP\,DestIP\,DestPort-TrafficfromtheIPaddressidentifiedassourceofthisattacktothedestinationIPandportunderattackissuspended.
SrcIP\,DestIP\,SrcPort,DestPort-TrafficfromtheIPaddressandportidentifiedassourceofthisattacktothedestinationIPandportunderattackissuspendedPacketTraceSelectdisable.
TocreateaConnectionLimitprofile:1.
FromtheDefensePromenu,selectDenialofService>ConnectionLimit>Profiles>Create.
2.
Configurethefields.
3.
ClickSet.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|39FieldNameDescriptionorRecommendedValueConnectionLimitingProfileSpecifiesanamefortheprofile.
ThenamebelongstothelistintheconfigurationoftheNetworkProtectionpolicy.
ConnectionLimitingAttackSpecifiesthenameofanAttackfromtheConnectionLimitingAttacksthatyouconfigured.
ToaddanAttackdefinitiontoanexistingConnectionLimitprofile:1.
FromtheDefensePromenu,selectDenialofService>ConnectionLimit>Profiles.
2.
FortheProfilesTable,clicktheConnectionLimitprofile.
3.
ClickCreate.
4.
FromtheConnectionLimitingAttackdrop-downlist,selecttheAttackdefinitiontoaddtotheprofile.
5.
ClickSet.
TodeleteanAttackdefinitionfromanexistingConnectionLimitprofile:1.
FromtheDefensePromenu,selectDenialofService>ConnectionLimit>Profiles.
2.
FortheProfilesTable,clicktheConnectionLimitprofile.
3.
SelectthecheckboxintherowwiththeAttackyouwanttodelete.
4.
ClickDelete.
ConfiguringaSYNProtectionProfileToconfigureaSYNProtectionprofile,firstconfiguretheAttackdefinitionsfortheprofile.
MultipleSYNProtectionprofilescanusethesameAttackdefinitions.
ChangestoanAttackdefinitionapplytoalltheSYNProtectionprofilesthatuseit.
CheckPointDDoSProtectorprovidesasetofpredefineddefinitionsofSYNattacks.
ApredefineddefinitionofaSYNattackislabeledStaticintheGUI.
YoucanmodifysomeoftheparametersinStaticAttacks.
Inaddition,youcancreateyourowndefinitionsofSYNattacks,whicharelabeledUser.
BeforeyoucanconfigureaSYNProtectionprofile,youneedtoenabletheSYNProtectionfeature.
ToenabletheSYNProtectionfeature:1.
FromtheDefensePromenu,selectDenialofService>SYNProtection>GlobalParameters.
2.
FromtheSYNProtectionStatusdrop-downlist,selectenable.
3.
ClickSet.
ToconfigurethedefinitionofapredefinedAttack:1.
FromtheDefensePromenu,selectDenialofService>SYNProtection>Attacks>Static.
2.
SelecttheIDofthepredefinedAttack.
3.
Configurethefields.
4.
ClickSet.
FieldNameDescriptionorRecommendedValueAttackNameAnameforeasyidentificationoftheAttack.
ActivationThresholdIftheaveragerateofSYNpacketsreceivedatacertainDestinationishigherthanthisthreshold,theprotectionisactivated.
Values:1-150,000Default:2500TerminationThresholdIftheaveragerateofSYNpacketsreceivedatacertainDestinationforthedurationofthetrackingperioddropsbelowthisthreshold,theprotectionisstopped.
Values:1–150,000InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|40FieldNameDescriptionorRecommendedValueRiskSpecifiestheriskassignedtothisAttackforreportingpurposes.
Values:Low,Medium,HighToconfigurethedefinitionofauser-definedAttack:1.
FromtheDefensePromenu,selectDenialofService>SYNProtection>Attacks>User>Create.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionorRecommendedValueIDEnter0.
Thesystemgeneratesanidentifier,beginningwith500000,whenyouclickSet.
Afterwards,theIDisread-only.
AttackNameAuser-definednameforeasyidentificationoftheAttack.
ApplicationPortGroupThegroupofTCPportsthatrepresenttheapplicationthatyouwanttoprotect.
Values:ALayer4portthatrepresentstheapplicationyouwanttoprotect.
AnApplication-Port-Groupclass,stringobject,forexamplehttp.
Ablankfieldspecifiesanyport.
Note:YoucanmodifyandconfigureApplicationPortGroupclasses.
Formoreinformation,see"ViewingandConfiguringApplication-Port-GroupClasses.
"ActivationThresholdIftheaveragerateofSYNpacketsreceivedatacertainDestinationishigherthanthisthreshold,theprotectionisactivated.
Values:1-150,000Default:2500TerminationThresholdIftheaveragerateofSYNpacketsreceivedatacertainDestinationforthedurationofthetrackingperioddropsbelowthisthreshold,theprotectionisstopped.
Values:1–150,000RiskSpecifiestheriskassignedtothisAttackforreportingpurposes.
Values:Low,Medium,HighToconfigureaSYNProtectionprofile:1.
FromtheDefensePromenu,selectDenialofService>SYNProtection>Profiles>ProfilesAttacks>Create.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionorRecommendedValueSYNProfileTheuser-definednamefortheprofile.
SYNAttackSpecifiestheAttackdefinition.
Thelistcontainsthepredefinedanduser-definedAttacks.
ToaddanAttackdefinitiontoanexistingSYNProtectionprofile:1.
FromtheDefensePromenu,selectDenialofService>SYNProtection>Profiles>ProfilesAttacks.
2.
FortheProfilesTable,clicktheSYNProtectionprofile.
3.
ClickCreate.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|414.
FromtheSYNAttackdrop-downlist,selecttheAttackdefinitiontoaddtotheprofile.
5.
ClickSet.
TodeleteanAttackdefinitionfromanexistingSYNProtectionprofile:1.
FromtheDefensePromenu,selectDenialofService>SYNProtection>ProfilesAttacks.
2.
FortheProfilesTable,clicktheSYNProtectionprofile.
3.
SelectthecheckboxintherowwiththeAttackyouwanttodelete.
4.
ClickDelete.
ToviewandmodifyparametersofexistingSYNProtectionprofiles:1.
FromtheDefensePromenu,selectDenialofService>SYNProtection>Profiles>ProfilesParameters.
2.
Clicktheprofile.
3.
Configurethefields.
4.
ClickSet.
FieldNameDescriptionorRecommendedValueProfileName(Read-only)Theuser-definednamefortheprofile.
AuthenticationMethodSpecifiestheAuthenticationMethodthatthedeviceusesatthetransportlayer.
Whenthedeviceisinstalledinandingress-onlytopology,selectthesafe-resetmethod.
Values:transparent-proxy-WhenthedevicereceivesaSYNpacket,thedevicereplieswithaSYNACKpacketwithacookieintheSequenceNumberfield.
IftheresponseisanACKthatcontainsthecookie,thedeviceconsidersthesessiontobelegitimate.
Then,thedeviceopensaconnectionwiththedestinationandactsastransparentproxybetweenthesourceandthedestination.
safe-reset-WhenthedevicereceivesaSYNpacket,thedevicerespondswithanACKpacketwithaninvalidSequenceNumberfieldasacookie.
IftheclientrespondswithRSTandthecookie,thedevicediscardsthepacket,addsthesourceIPaddresstotheTCPAuthenticationTable.
ThenextSYNpacketfromthesamesourcepassesthroughthedevice,andthesessionisapprovedfortheserver.
ThedevicesavesthesourceIPaddressforaspecifiedtime.
Typically,youspecifythismethodwhenthenetworkpolicyrulehandlesonlyingresstraffic.
Default:transparent-proxyHTTPAuthenticationSelectenable.
SpecifieswhetherthedeviceauthenticatesthetransportlayerofHTTPtrafficusingSYNcookiesandthenauthenticatestheHTTPapplicationlayerusingthespecifiedHTTPAuthenticationMethod.
Values:Enabled-ThedeviceauthenticatestheTransportLayerofHTTPtrafficusingSYNcookiesandthenauthenticatestheHTTPApplicationLayerusingthespecifiedHTTPAuthenticationMethod.
Disabled-ThedevicehandlesHTTPtrafficusingthespecifiedTCPAuthenticationMethod.
Default:DisabledInstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|42FieldNameDescriptionorRecommendedValueHTTPAuthenticationmethodSpecifiesthemethodthattheprofileusestoauthenticatesHTTPtrafficattheapplicationlayer.
Values:Redirect-ThedeviceauthenticatesHTTPtrafficusinga302-Redirectresponsecode.
JavaScript-ThedeviceauthenticatesHTTPtrafficusingaJavaScriptobjectgeneratedbythedevice.
Default:RedirectConfiguringanOut-of-StateProtectionProfileYoucancreateanOut-of-StateProtectionprofileanduseitinNetworkProtectionpolicies.
BeforeyoucanconfigureanOut-of-StateProtectionprofile,youneedtoenabletheOut-of-StateProtectionfeature.
ToenabletheOut-of-StateProtectionfeature:1.
FromtheDefensePromenu,selectIntrusionPrevention>Out-of-State>GlobalParameters.
2.
FromtheProtectionStatusdrop-downlist,selectenable.
3.
FromtheOperationalStatedrop-downlist,selectenable.
4.
ClickSet.
ToconfigureanOut-of-StateProtectionprofile:1.
FromtheDefensePromenu,selectIntrusionPrevention>Out-of-State>Profiles>Create.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionorRecommendedValueProfileNameTheuser-definednamefortheprofile.
ActivationThresholdTherate,inPPS,ofout-of-statepacketsabovewhichtheprofileconsidersthepacketstobepartofafloodattack.
Whenthedevicedetectsanattack,itissuesanappropriatealertanddropstheout-of-statepacketsthatexceedthethreshold.
PacketsthatdonotexceedthethresholdbypasstheCheckPointDDoSProtectordevice.
Values:1–250,000Default:5000TerminationThresholdTherate,inPPS,ofout-of-statepacketsbelowwhichtheprofileconsidersthefloodattacktohavestopped;andthedeviceresumesnormaloperation.
Values:1–250,000Default:4000SYN-ACKAllowstatusSpecifieswhetheraSYN-ACKpacketbypassestheCheckPointDDoSProtectordeviceevenwhenthedevicehasnotinspectedSYNpacketforthesession.
Default:enablePacketTracestatusSelectdisable.
PacketReportstatusSelectdisable.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|43ProfileRiskTherisk-forreportingpurposes-assignedtotheattackthattheprofiledetects.
Values:info,low,medium,highDefault:lowProfileActionTheactionthattheprofiletakeswhenitencountersout-of-statepackets.
Values:BlockandReport,ReportOnlyDefault:BlockandReportConfiguringanHTTPMitigatorProfileTheHTTPMitigatordetectsandmitigatesHTTPrequestfloodattackstoprotectWebservers.
TheHTTPMitigatorcollectsandbuildsastatisticalmodeloftheprotectedservertraffic,andthen,usingfuzzylogicinferencesystemsandstatisticalthresholds,detectstrafficanomaliesandidentifiesthemalicioussources.
YouspecifyanHTTPMitigatorprofileinaServerProtectionpolicy.
BeforeyoucanconfigureanHTTPMitigatorprofile,youneedtoenabletheHTTPMitigatorfeature.
ToenabletheHTTPMitigatorfeature:1.
FromtheDefensePromenu,selectDenialofService>HTTPMitigator>GlobalParameters.
2.
FromtheProtectionStatusdrop-downlist,selectenable.
3.
ClickSet.
ToconfigureanHTTPMitigatorprofile:1.
FromtheDefensePromenu,selectDenialofService>HTTPMitigator>Profiles>Create.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionorRecommendedValueProfileNameTheuser-definednamefortheprofile.
SensitivityLevelCheckPointrecommendsthedefaultvaluemedium.
Specifieshowsensitivetheprofileistodeviationsfromthebaseline.
HighspecifiesthatCheckPointDDoSProtectoridentifiesanattackwhenthedevicedetectsonlyasmalldeviationfromthebaselines.
Values:minorlowmediumhighDefault:mediumActionCheckPointrecommendsthedefaultvalueBlockandReport.
Theactionthatthedevicetakeswhentheprofiledetectssuspicioustraffic.
Values:BlockandReport-Blocksandreportsonthesuspicioustraffic.
ReportOnly-Reportsthesuspicioustraffic.
Default:BlockandReportPacketReportSelectdisable.
InstallingCheckPointDDoSProtectorCheckPointDDoSProtectorGettingStartedGuide|44FieldNameDescriptionorRecommendedValuePacketTraceSelectdisable.
ViewingandConfiguringNetworkClassesCheckPointDDoSProtectorGettingStartedGuide|45ViewingandConfiguringNetworkClassesNetworkclassesclassifytrafficinaNetworkProtectionpolicy.
Youcanviewandconfigurenetworkclasses,asyourequire.
Note-TheproceduresinthischapterusetheCheckPointDDoSProtectorWebinterface.
TheCheckPointDDoSProtectorWebinterfaceissupportedbythefollowingInternetbrowsers:MicrosoftInternetExplorerversion6whenusingWindowsoperatingsystemsMicrosoftInternetExplorerversion7and8MozillawhenusingLinuxoperatingsystemsFirefoxToopentheCheckPointDDoSProtectorWebinterface:EntertheIPaddressoftheCheckPointDDoSProtectordeviceintheaddressbarofyourbrowser.
Toviewtheconfigurationofanetworkclass:FromtheClassesmenu,selectViewActive>Networks.
Toconfigureanetworkclass:1.
FromtheClassesmenu,selectModify>Networks>Create.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionorRecommendedValueNameTheuser-definednetworkname.
SubIndexTheuniqueindexnumberofthesubnet.
Eachnetworkcanhaveseveralsubnets.
TheSubIndexesforthesubnetswithinthesamenetworkmustbeunique.
ModeValues:IPMask,IPRangeAddressTheIPaddressofthesubnet.
MaskThemaskaddressofthesubnet.
FromIPThefirstIPaddressintherangeofaddresses.
ToIPThelastIPaddressintherangeofaddresses.
ViewingandConfiguringApplication-Port-GroupClassesCheckPointDDoSProtectorGettingStartedGuide|46ViewingandConfiguringApplication-Port-GroupClassesApplication-port-groupclassesdefineapplicationsbasedonLayer4destinationports.
YoucanviewtheconfigurationofStaticApplication-Port-Groupclasses.
YoucanviewandconfigureyourownApplication-Port-Groupclasses,asyourequire.
Note-TheproceduresinthischapterusetheCheckPointDDoSProtectorWebinterface.
TheCheckPointDDoSProtectorWebinterfaceissupportedbythefollowingInternetbrowsers:MicrosoftInternetExplorerversion6whenusingWindowsoperatingsystemsMicrosoftInternetExplorerversion7and8MozillawhenusingLinuxoperatingsystemsFirefoxToopentheCheckPointDDoSProtectorWebinterface:EntertheIPaddressoftheCheckPointDDoSProtectordeviceintheaddressbarofyourbrowser.
Toviewtheconfigurationofanapplication-port-groupclass:FromtheClassesmenu,selectViewActive>Appl.
PortGroups.
Toconfigureanapplication-port-groupclass:1.
FromtheClassesmenu,selectModify>Appl.
PortGroups>Create.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionorRecommendedValueNameThenameofthegroup.
FromPortThefirstportintherange.
Todefineagroupwithasingleport,setthesamevaluefortheFromPortandToPortparameters.
Toassociateanumberofrangeswiththesameportgroup,usethesamegroupnameforalltherangesthatyouwanttoincludeinonegroup.
ToPortThelastportintherange.
ConfiguringServicesCheckPointDDoSProtectorGettingStartedGuide|47ConfiguringServicesNote-TheproceduresinthischapterusetheCheckPointDDoSProtectorWebinterface.
TheCheckPointDDoSProtectorWebinterfaceissupportedbythefollowingInternetbrowsers:MicrosoftInternetExplorerversion6whenusingWindowsoperatingsystemsMicrosoftInternetExplorerversion7and8MozillawhenusingLinuxoperatingsystemsFirefoxToopentheCheckPointDDoSProtectorWebinterface:EntertheIPaddressoftheCheckPointDDoSProtectordeviceintheaddressbarofyourbrowser.
ConfiguringSyslogReportingYoucangetreportofthesystemperformanceintheSyslogReportingwindow.
Thedeviceissuessyslogmessagesduringthesystemoperation.
Toenablesyslogmessages:1.
FromtheServicesmenu,selectSyslogReporting.
2.
Configurethefields.
3.
ClickSet.
FieldNameDescriptionorRecommendedValueProfileNameTheuser-definednamefortheprofile.
SyslogOperationEnablesordisablesSyslogreporting.
SyslogStationAddressTheIPaddressofthedevicerunningthesyslogservice(syslogd).
SyslogStationFacilityThetypeofthedeviceofthesender.
ThisissentwithSyslogmessages.
Default:LocalUse6SyslogDestinationPortSpecifiestheaddressfortheSyslogDestinationport.
SyslogSourcePortSetstheUDPportthatisusedbySyslogmessages.
Values:1025-65535Default:514ConfiguringBlackListsCheckPointDDoSProtectordropspacketsthatmatchanactiveBlackListpolicy.
Thedeviceblacklistspacketsifallthecriteriaforthepolicyevaluatetotrue.
YoucanuseBlackListpoliciestoblocktrafficthatyouknowtobemalicious.
ConfiguringBlackListsCheckPointDDoSProtectorGettingStartedGuide|48Note-TheproceduresinthischapterusetheCheckPointDDoSProtectorWebinterface.
TheCheckPointDDoSProtectorWebinterfaceissupportedbythefollowingInternetbrowsers:MicrosoftInternetExplorerversion6whenusingWindowsoperatingsystemsMicrosoftInternetExplorerversion7and8MozillawhenusingLinuxoperatingsystemsFirefoxToopentheCheckPointDDoSProtectorWebinterface:EntertheIPaddressoftheCheckPointDDoSProtectordeviceintheaddressbarofyourbrowser.
ToconfigureaBlackListpolicy:1.
FromtheDefensePromenu,selectBlackList>Create.
2.
Configurethefields.
3.
ClickSet.
4.
FromtheDefensePromenu,selectUpdatePolicies.
5.
ClickSet.
FieldNameDescriptionorRecommendedValueNameTheuser-definednameforthepolicy.
StateSpecifieswhetherthepolicyisactive.
Youcanselectinactivetodeactivatethepolicywithoutremovingitfromthelist.
Values:active,inactiveDefault:activeSrcNetworkThesourcenetworkorIPaddressforthepolicy.
Thenetworkmustbeconfiguredonthedevice.
Default:any-Thatis,trafficfromanysource.
DstNetworkThedestinationnetworkorIPaddressforthepolicy.
Thenetworkmustbeconfiguredonthedevice.
Default:any-any-Thatis,traffictoanydestinationnetwork.
SrcPortGroupThesource,portgroupforthepolicy.
TheportgroupmustbeconfiguredonthedeviceintheApplicationPortGrouptable.
ThisparameterisrelevantonlyforUDP,TCP,andSCTPtraffic.
YoucannotuseaportgroupforICMP,IGMP,orGRE.
DstPortGroupThedestination,portgroupforthepolicy.
TheportgroupmustbeconfiguredonthedeviceintheApplicationPortGrouptable.
ThisparameterisrelevantonlyforUDP,TCP,andSCTPtraffic.
YoucannotuseaportgroupforICMP,IGMP,orGRE.
PhysicalPortGroupThephysicalportgroupforthepolicy.
VLANTagTheVLANtaggroupthatyouwantforthepolicy.
ConfiguringBlackListsCheckPointDDoSProtectorGettingStartedGuide|49FieldNameDescriptionorRecommendedValueProtocolTheprotocolforthepolicy.
Values:AnyGREICMPICMPv6IGMPSCTPTCPUDPL2TPGTPIPinIPDefault:AnyDirectionThedirectionofpacketsforthepolicy.
ThisparameterrelatestoL4sessionsonly.
Values:One-direct-Theprotectionappliestosessionsoriginatingfromsourcestodestinationsthatmatchthenetworkdefinitionsofthepolicy.
Bi-direct-Theprotectionappliestosessionsthatmatchthenetworkdefinitionsofthepolicyregardlessoftheirdirection.
Default:one-directReportActionThereportactionthatthedevicetakeswhenitencountersapacketthatmatchesthepolicy.
Value:report-Thedeviceissuesatrapwhenitencountersablack-listedpacket.
no-report-Thedeviceissuesnotrapwhenitencountersablack-listedpacket.
Default:reportDescriptionTheuser-defineddescriptionforthepolicyupto19characters.
EntryExpirationTimer(Hours)TheExpirationTimercanbeusedonlywithdynamicBlackListrules.
TheExpirationTimerforastaticBlackListrulemustbesetto0(zerohoursandzerominutes).
Whentheruleexpires(thatis,whentheEntryExpirationTimerelapses),theruledisappearsfromtheBlackListPolicytablewhenthetablerefreshes.
ThemaximumExpirationTimeristwohours.
EntryExpirationTimer(Minutes)Specifiesthehoursremainingfortherule.
TheExpirationTimercanbeusedonlywithdynamicBlackListrules.
TheExpirationTimerforastaticBlackListrulemustbesetto0(zerohoursandConfiguringWhiteListsCheckPointDDoSProtectorGettingStartedGuide|50FieldNameDescriptionorRecommendedValuezerominutes).
Whentheruleexpires(thatis,whentheEntryExpirationTimerelapses),theruledisappearsfromtheBlackListPolicytablewhenthetablerefreshes.
DetectorAnIPaddressthatcanidentifytherootcauseoftheblacklistruleidentify.
ThisparameterhasnoaffectonCheckPointDDoSProtectoroperation.
DetectorSecurityModuleADDoSProtectorsecuritymodulethatcanidentifytherootcauseoftheblacklistrule.
ThisparameterhasnoaffectonCheckPointDDoSProtectoroperation.
DynamicSpecifieswhethertheruleimplementstheExpirationTimer.
Values:Yes,NoDefault:NoNote:Changingtheconfigurationofthisoptiontakeseffectonlyafteryouupdatepolicies.
BlackListPacketReportSelectdisable.
ConfiguringWhiteListsCheckPointDDoSProtectorexemptspacketsthatmatchanactiveWhiteListpolicyfromspecifiedinspectionprocesses.
Thedevicewhite-listspacketsifallthecriteriaforthepolicyevaluatetotrue.
Foreachprotection,youcansetthedirectionofthebypass.
Forinstance,sessionsinitiatedfromthewhitelistIPaddressarebypassed,whilesessionsinitiatedtowardtheIPaddressareinspectedasusual.
Caution-CheckPointDDoSProtectorcontinuestoblockpacketsfromasourceordestinationthatispartofanactiveattackevenafteryouaddthesourceordestinationtotheWhiteListperprotection.
Note-SinceIPaddressesbelongingtotheWhiteListarenotinspected,certainprotectionsarenotappliedfortheoppositedirection.
Forexample,withSYNProtection,thiscancauseserversnottobeaddedtoknowndestinationsduetoACKpacketsnotbeinginspected.
Note-TheproceduresinthischapterusetheCheckPointDDoSProtectorWebinterface.
TheCheckPointDDoSProtectorWebinterfaceissupportedbythefollowingInternetbrowsers:MicrosoftInternetExplorerversion6whenusingWindowsoperatingsystemsMicrosoftInternetExplorerversion7and8MozillawhenusingLinuxoperatingsystemsFirefoxToopentheCheckPointDDoSProtectorWebinterface:EntertheIPaddressoftheCheckPointDDoSProtectordeviceintheaddressbarofyourbrowser.
ToconfigureaWhiteListpolicy:1.
FromtheDefensePromenu,selectWhiteList.
2.
Configurethefields.
ConfiguringWhiteListsCheckPointDDoSProtectorGettingStartedGuide|513.
ClickSet.
4.
FromtheDefensePromenu,selectUpdatePolicies.
5.
ClickSet.
FieldNameDescriptionorRecommendedValueNameTheuser-definednameforthepolicy.
StateSpecifieswhetherthepolicyisactive.
Youcanselectinactivetodeactivatethepolicywithoutremovingitfromthelist.
Values:active,inactiveDefault:activeSrcNetworkThesourcenetworkorIPaddressforthepolicy.
Thenetworkmustbeconfiguredonthedevice.
Default:any-Thatis,trafficfromanysource.
DstNetworkThedestinationnetworkorIPaddressforthepolicy.
Thenetworkmustbeconfiguredonthedevice.
Default:any-Thatis,traffictoanydestinationnetworkSrcPortGroupThesource,portgroupforthepolicy.
TheportgroupmustbeconfiguredonthedeviceintheApplicationPortGrouptable.
ThisparameterisrelevantonlyforUDP,TCP,andSCTPtraffic.
YoucannotuseaportgroupforICMP,IGMP,orGRE.
DstPortGroupThedestination,portgroupforthepolicy.
TheportgroupmustbeconfiguredonthedeviceintheApplicationPortGrouptable.
ThisparameterisrelevantonlyforUDP,TCP,andSCTPtraffic.
YoucannotuseaportgroupforICMP,IGMP,orGRE.
PhysicalPortGroupThephysicalportgroupforthepolicy.
VLANTagTheVLANtaggroupthatyouwantforthepolicy.
ProtocolTheprotocolforthepolicy.
Values:AnyGREICMPICMPv6IGMPSCTPTCPUDPL2TPGTPIPinIPDefault:AnyConfiguringWhiteListsCheckPointDDoSProtectorGettingStartedGuide|52FieldNameDescriptionorRecommendedValueDirectionThedirectionofpacketsforthepolicy.
ThisparameterrelatestoL4sessionsonly.
Values:bi-direct,src,destDefault:srcReportActionThereportactionthatthedevicetakeswhenitencountersapacketthatmatchesthepolicy.
Value:no-report-Thedeviceissuesnotrapwhenitencountersawhite-listedpacket.
DescriptionTheuser-defineddescriptionforthepolicyupto19characters.
AllModulesBypassSpecifieswhetherthepacketsthatmatchthecriteriaforthepolicybypassallprotectionmodules(SYNProtection,StatefulInspection,Anti-Scanning,SignatureProtection,andHTTPMitigator).
Values:active,inactiveDefault:activeSignatureProtectionBypassSpecifieswhetherthepacketsthatmatchthecriteriaforthepolicybypasstheSignatureProtectionmodule.
Values:active,inactiveDefault:activeAnti-ScanningBypassSpecifieswhetherthepacketsthatmatchthecriteriaforthepolicybypasstheAnti-Scanningmodule.
Values:active,inactiveDefault:activeStatefulInspectionBypassSpecifieswhetherthepacketsthatmatchthecriteriaforthepolicybypasstheStatefulInspectionmodule.
Values:active,inactiveDefault:activeSYNProtectionBypassSpecifieswhetherthepacketsthatmatchthecriteriaforthepolicybypasstheStatefulInspectionmodule.
Values:active,inactiveDefault:activeHTTPMitigatorBypassSpecifieswhetherthepacketsthatmatchthecriteriaforthepolicybypasstheHTTPMitigatormodule.
Values:active,inactiveDefault:active