centurylink sd-wan security user guide · 2020-02-13 · provide great shortcuts, hints, and...

CenturyLink® Versa SD-WAN Security User Guide

v16.1R2

of 178

Services not available everywhere. CenturyLink may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2020 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product names are the property of CenturyLink. All other marks are the property of their respective owners.

General Disclaimer

Although CenturyLink has attempted to provide accurate information in this guide, CenturyLink does not warrant or guarantee the accuracy of the information provided herein. CenturyLink may change the programs or products mentioned at any time without prior notice. Mention of non-CenturyLink products or services is for information purposes only and constitutes neither an endorsement nor a recommendation of such products or services or of any company that develops or sells such products or services.

ALL INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED “AS IS,” WITH ALL FAULTS, AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED OR STATUTORY. CENTURYLINK AND ITS SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES RELATED TO THIS GUIDE AND THE INFORMATION CONTAINED HEREIN, WHETHER EXPRESSED OR IMPLIED OR STATUTORY INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

CENTURYLINK AND ITS SUPPLIERS SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR REVENUES, COSTS OF REPLACEMENT GOODS OR SERVICES, LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OF THE GUIDE OR ANY CENTURYLINK PRODUCT OR SERVICE, OR DAMAGES RESULTING FROM USE OF OR RELIANCE ON THE INFORMATION PROVIDED IN THIS GUIDE, EVEN IF CENTURYLINK OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and other information used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Many of the CenturyLink products and services identified in this guide are provided with, and subject to, written software licenses and limited warranties. Those licenses and warranties provide the purchasers of those products with certain rights. Nothing in this guide shall be deemed to expand, alter, or modify any warranty or license or any other agreement provided by CenturyLink with any CenturyLink product, or to create any new or additional warranties or licenses.

of 178


Table of Contents

General Disclaimer ................................................................................................................................................... 2

Preface ....................................................................................................................................................................... 4

Overview of Versa SD Security ............................................................................................................................... 7

Basic Configuration for Firewall Deployment Modes ........................................................................................... 9

Security Zones ........................................................................................................................................................ 45

Address Objects ..................................................................................................................................................... 52

Service Objects ....................................................................................................................................................... 55

Schedule Objects ................................................................................................................................................... 59

Stateful Firewall ...................................................................................................................................................... 61

Layer 7 Objects ....................................................................................................................................................... 67

NextGen Firewall .................................................................................................................................................... 77

URL Filtering ........................................................................................................................................................... 84

IP Filtering ............................................................................................................................................................. 102

SSL Inspection/Decryption and HTTP/HTTPS Proxy ........................................................................................ 111

User and Group Policy ......................................................................................................................................... 132

Unified Threat Management ................................................................................................................................ 147

Security Analytics ................................................................................................................................................ 161

of 178


Preface

Introduction

This guide explains the network and system configuration for Versa FlexVNF using Versa Director.

Audience

This document is for experienced network and system administrators who are responsible for configuring and managing public and private cloud infrastructure. It is presumed that admins are aware of virtualization concepts, technologies, and setup of network devices.

Document Conventions

Convention Description

Bold Represents UI elements.

Italics Values to enter in the text fields or values in drop down menus.

Monospace CLI or system code.

Notes contain incidental information about the subject and call attention to exceptions.

Caution indicates actions that can cause loss of data.

Tips provide great shortcuts, hints, and recommended settings/configurable values.

Glossary

Term Description/Full Form

Address Pool Address pool is the IP address list from which IP addresses are

dynamically allocated by the DHCP server to clients requesting an

IP address.

Aggregate interface An aggregate interface is a bundle of Ethernet interfaces.

ARP Address Resolution Protocol.

CFM CFM (Connectivity Fault Management) is a protocol to monitor the

health of network links. Depending on network events (blocked port,

blocked interface), an action is configured. This is done in an action

of 178



profile.

DHCP Dynamic Host Configuration Pool.

Dot IP Address A dot IP address (also known as a dotted quad address) refers

to the notation to write four-byte IP address as a sequence of

four decimal numbers separated by dots.

DSCP Differentiated Services Code Point (DSCP) refers to the value or

cost of the policy.

LEF Log Export Functionality (LEF) is used to generate logs on an

external device.

MPLS Multiprotocol Label Switching.

MTU Maximum transmission unit. The size in bytes of largest protocol

data unit that the port can receive or transmit.

RED Random Early Detection.

Router A router is a device that forwards data packets along networks. A router is connected to at least two networks and is located at gateways, the places where two or more networks connect.

Service Node Group A service node group is a logical grouping of network services, which include individual network services (for example, NAT, DHCP, and NTP). Additionally, various policies and quotas can be applied for the service node group (for example, elastic policy, traffic policing and shaping).

TTL Time to Live (TTL) Condition is the number of hops that a packet can travel before being discarded by a router. It indicates the lifespan of a data packet.

VNI Virtual Network Interface.

Versa Director VNF Manager for all controllers, SD-WAN hubs, and branch nodes. Versa Director is provisioned at one or more data centers with connectivity to management and control networks for the SD-WAN.

Versa Analytics The Versa Analytics node provides a pre-integrated solution to a full operational visibility into the SD-WAN topology. The Analytics node gathers IPFIX data from the controller, hub, and branch sites and archives and displays this data in readily accessible formats.

of 178



VRRP Virtual Router Redundancy Protocol.

of 178


Overview of Versa SD Security

Introduction

Versa Software Defined Security (SD-Security) solution provides a rich set of security capabilities at network level to defend threats ranging from basic to advanced. All Versa supported virtual network functions (VNFs), including the SD-Security features, are available in a single software image. You can use the SD-Security configuration to enable/disable features like the Next Generation Firewall, URL Filtering, Anti-Malware, and IDS/IPS on per tenant/per branch.

Versa SD-Security solution comprises of these components:

Versa Director—This is the configuration, management, and orchestration system to provision, configure, and manage the physical/virtual FlexVNF appliances, using Graphical User Interfaces (GUI) and/or Restful APIs.

Versa FlexVNF—This is the physical or virtual network appliance performing the SD-Security functions for the traffic traversing the Versa FlexVNF.

Versa Analytics—This is a big-data system that collects network/security logs from the various FlexVNF appliances in a deployment and displays advanced analytics, dashboards, and reports.

NOTE: Versa Analytics is an optional component and Versa recommends that is included in Versa SD-Security solution to provide additional value to your installation.

Versa’s Security Solution Tiers

Versa SD-Security uses one of these solution tiers:

Stateful Firewall (SFW)—This includes:

o Zone Protection.

o DDoS (Distributed Denial of Service).

o Stateful Firewall.

o Application Visibility.

o CGNAT (Carrier Grade Network Address Translation).

o Routing.

of 178


o QoS.

o IPSec VPN.

Next Generation Firewall (NGFW)

o Includes all SFW features.

o Application Control.

o URL Reputation and Filtering.

o User/Group Control.

o SSL Inspection.

Unified Threat Management (UTM).

o Includes all NGFW features.

o Anti-Virus.

o IP Reputation and Filtering.

o Intrusion Detection and Prevention System.

of 178


Basic Configuration for Firewall Deployment Modes

Overview of Firewall Deployment

An interface facilitates the entry and exit of traffic in any network. Versa Firewall provides a mechanism to implement security policies on traffic that enters and exits the firewall using the interface.

This chapter explains the various interface configurations and the Versa firewall deployment modes. You can deploy the Versa Firewall in these modes:

• Virtual-wire Deployment—Versa FlexVNF supports virtual wire, which is also referred to as bump in the

wire. A virtual wire on Versa FlexVNF is composed of two interfaces that are configured as an inline pair.

If traffic flows through a physical wire and the wire is snipped; two ends are created on the wire, where

the cut is made. You must plug these two ends of the physical wire into the two virtual interfaces

configured on the FlexVNF. In this case, Versa FlexVNF emulates a virtual wire that connects both ends

of the physical wire, where the traffic received on either end of the physical wire is forwarded to the other

interface of the virtual wire.

NOTE: The virtual wire interfaces are not assigned any IP addresses.

You can apply the Versa Firewall policies to virtual wire interfaces to enforce the security policies on all

the traffic received at both the ends of the physical wire that terminates on the virtual wire interface. The

traffic is forwarded on the physical wire only if the security policy allows the traffic to be forwarded.

Refer to Configuring Virtual Wire to deploy a VNF device in virtual-wire mode.

Layer2 Deployment—Versa FlexVNF supports VLAN based sub-interface. An interface that has its

name start with vni is a VLAN tagged traffic interface (for example, vni-0, vni-1, etc.).

Create a single sub-interface and set the VLAN tag value as 0 when the interface does not

require VLAN support.

Create multiple sub-interfaces, where each sub-interface maps to a specific VLAN ID when the

interface requires VLAN support.

For each tenant hosted on the FlexVNF the traffic is identified using one or more sub-interfaces. These

sub-interfaces map to the corresponding VLAN IDs.

Refer to Configuring VLAN-Based Sub-Interface to deploy a VNF device in layer 2 mode.

Layer3 Deployment—Versa FlexVNF supports routed or Layer 3 interfaces. Each PNIC/VNIC is

configured with an IP address. See Configuring Physical/Virtual NICs for more information to create a

Physical/Virtual NIC.

Based on the routing configuration the traffic from the tenant is forwarded to the interfaces on Versa

FlexVNF. Versa FlexVNF supports several routing instances or virtual routing functions (VRFs). Each

VRF is associated with one or more interfaces on Versa FlexVNF, which supports static routing, BGP

(Border Gateway Protocol), and OSPF (Open Shortest Path First).

The traffic of a tenant enters Versa FlexVNF because the IP address of the routed interface is the

next hop address for the tenant traffic’s final destination. You can apply Versa Firewall policies on

of 178


such traffic entering Versa FlexVNF and the traffic is routed to the next hop (based on routing

configuration), only if the security policy allows the traffic to be forwarded.

You can install Versa Firewall as a bare metal or a virtual machine (VM). The security policies are

applied to the traffic that enters Versa Firewall using either the physical network interface (PNICs) or the

virtual network interfaces (VNICs).

Versa Firewall is capable of natively recognizing VLAN tags for incoming traffic and also adding

appropriate VLAN tags to the outbound traffic.

Refer to Configuring Virtual Routers to deploy a VNF device in layer 3 mode.

The security policies are applied to the traffic that enters Versa Firewall using either the physical network interface (PNICs) or the virtual network interfaces (VNICs).

Select the Director Context > Config Templates > Networking > Interfaces

Physical NICs—You can deploy Versa Firewall on a bare metal to get traffic directly from a PNIC. You

will likely face one of these scenarios when configuring traffic on a PNIC:

Non-VLAN Traffic—Traffic that is not tagged with VLAN and enters the firewall using PNIC is

mapped to a single tenant.

VLAN Traffic—Traffic tagged with VLAN is mapped to one or more tenant. Versa FlexVNF

creates a unique sub-interface for each VLAN.

Use one or more VLAN to configure the traffic identification for each tenant hosted on the Versa FlexVNF.

Virtual NICs—You can deploy Versa Firewall on a virtual machine to get traffic directly from a

VNIC. Use a hypervisor like VMware ESXi or KVM to create a VNIC and map it to either:

- the PNIC on which the hypervisor is running, or

- to a specific VLAN for traffic tagged with VLAN that enter the network using PNIC. You

will likely face one of these scenarios when configuring traffic on a VNIC:

VLAN-Mapped VNIC— If the VNIC is mapped by the hypervisor to a specific VLAN of the traffic

that enters through the PNIC, then when the traffic enters the firewall through the VNIC, the

VLAN is already stripped by the hypervisor. Therefore, all the traffic that enters through the VNIC

is mapped to a single tenant. In this scenario, the traffic from multiple tenants cannot be

of 178


supported using a single VNIC.

PNIC-Mapped VNIC with Non-VLAN Traffic—When the hypervisor directly maps the VNIC with

the PNIC without any VLAN stripping and if the traffic that enters the firewall through the VNIC is

not VLAN tagged then all the traffic that enters through the VNIC us mapped to a single tenant.

PNIC-Mapped VNIC with VLAN Traffic—When the hypervisor directly maps the VNIC with the

PNIC without any VLAN stripping and if the traffic that enters the firewall through the VNIC is

VLAN tagged then the traffic that belongs to different VLANs gets mapped to one or more

tenants.

Create a unique sub-interface for each VLAN. You can configure the traffic identification

using one or more VLANs for each tenant hosted on the FlexVNF.

Configuring Physical/Virtual NICs

The Versa firewall allows you to configure single or multiple Layer 3 interfaces for untagged routed traffic. Connect the firewall to an adjacent device using a trunk to define a layer 3 subinterface for traffic with specific VLAN tag.

For every Ethernet port that you configure as a Layer 3 interface, you can define an additional logical Layer 3 interface (subinterface) for each VLAN tag. The subinterface is used on the traffic received by the port. Untagged layer 3 subinterfaces is used in multi-tenant environments where each tenant’s traffic leaves the firewall without VLAN tags.

Follow these steps to configure a physical network interface (PNIC) or a virtual network interface (VNIC):

1. In Director Context, select Config Templates > Networking.

2. Select a Staging Template from the list box that is just below the Director Context list box.

3. Select the Interfaces from the left panel. The dashboard on the right displays the Ethernet tab by default.

The other tabs in this dashboard are:

a. Tunnel

b. Loopback

c. Fabric

d. Management

4. Click to add an Ethernet interface. This opens the Add Ethernet Interface

window. This window has these tabs:

of 178


a. Ethernet

b. Aggregate Ethernet

5. Enter these details in the Ethernet tab:

Use this field… to …

Interface Enter the slot and port number of the PNIC.

Description Enter a brief description of the interface and its purpose.

Tags Specify a keyword or phrase that allows you to filter the

captive portal action. This is useful when you have many

policies and want to view those that are tagged with a

keyword. MTU Enter the maximum transmission unit size of a packet.

Virtual Wire Enable this to allow this interface to become part of the virtual

wire. See Configuring Virtual Wire for more information to

configure a Virtual Wire.

Promiscuous Select this to convert the interface as promiscuous.

NOTE: This is required only is certain virtual environments.

Configure only when recommended by the Versa support.

Bandwidth

Uplink (Kbps) Enter the data uplink limit in Kbps. The default differs based

on the type of Ethernet used. For example, a 1GB Ethernet

will support a max of 1GB data.

NOTE: Click to parameterize the value across all the devices

using this template.

Downlink (Kbps) Enter the data downlink limit in Kbps. The default differs

based on the type of Ethernet used. For example, a 1GB

Ethernet will support a max of 1GB data.

of 178


Uplink Threshold (Kbps) Enter the maximum camping uplink interface in Kbps.

NOTE: An alarm is raised when the bandwidth exceeds this limit.

Versa FlexVNF does not restrict the bandwidth that exceeds

this configuration.

Downlink Threshold (Kbps) Enter the lowest camping of downlink interface in Kbps.

Auto Configuration Select this to auto-configure the uplink/downlink threshold.

URI Enter the Uniform Resource Identifier (URI). This is a string

of characters used to identify a resource. Such identification

enables interaction with representations of the resource over

a network, typically the World Wide Web, using specific

protocols. Sub-interfaces Select this option to create VLAN based sub-interface.

See Configuring VLAN-Based Sub-Interfaces for information to

create a VLAN based sub-interface. Aggregate Member Select this option to add an Aggregate Member for this

interface.

Interface—Select an Interface from this list box to add it

as an aggregate member.

LACP Priority—Select the LACP Port Priority assigned

to each interface to determine which interfaces are

initially active and to determine the order in which

standby interfaces become active upon failover.

6. Click Aggregate Ethernet tab and enter details to create an aggregate ethernet. See Configuring

Aggregate Interfaces for information on creating an Aggregate Ethernet.

7. Click OK to add the interface to the PNIC/VNIC.

Configuring VLAN-Based Sub-Interface

The VLAN interfaces provide Layer 3 routing of VLAN traffic to non-VLAN destinations. You can define a VLAN interface for every ethernet port configured as layer 2 interface to allow routing of the VLAN traffic to Layer 3 destinations outside the VLAN.

Follow these steps to create a VLAN-based sub-interface:



3. Select the Interfaces from the left panel. The dashboard on the right displays the Ethernet tab by

default. The other tabs in this dashboard are:

a. Tunnel

b. Loopback

c. Fabric

d. Management

4. Click to add an Ethernet interface. This opens the Add Ethernet Interface window.

of 178


a. Select the Sub-interface option in the Ethernet tab and click .

b. This opens the Add Sub-Interface window.

5. Enter these details in the Add Sub-Interface window:

Use this field… to…

Unit Unit number of the sub-interface.

of 178


VLAN ID VLAN ID is the virtual LAN ID with a value of 0-4094.


data unit that the port can receive or transmit.

Description Explanation for this interface- a string of a maximum of 255 characters. FQDN Fully qualified domain name (FQDN) is the complete domain

name for the sub-interface

DHCPv4 Dynamic Host Configuration Protocol (DHCP-version 4) is a

standardized network protocol used on Internet Protocol (IP)

networks. Static Address IP address and subnet mask of the sub-interface.

Delegated Prefix Pool Indicates the name and IP address of the delegated prefix pool.

Disable Indicates whether to not activate this sub-interface after configuring it. IPv6 Interface Mode Select Router or Host as the IPv6 interface mode.

DHCPv6 Dynamic Host Configuration Protocol (DHCP-version 6) is a

standardized network protocol used on Internet Protocol (IP)

networks.

Client IA Type— Sets the DHCPv6 client identity association type.

Delegated Prefix Pool—Indicates the name and IP address of

the delegated prefix pool. DHCP management uses the pool

to assign IPv6 prefixes for DHCP clients.

a. Click Static ARP (Address Resolution Protocol) tab to configure static MAC address for a particular

IP address. Enter these details:


Subnet Address/Mask Provide static address.

Host IP Address Enter a value of this address. The host must be within the given subnet. MAC Address MAC address of the device.

b. Click VRRP tab and click . This opens the Add Sub-Interface > Add VRRP Group window.

This configure a VRRP master and VRRP slave device in the redundancy mode. This is the hidden HA (high availability) mode where the VRRP slave device takes over as the VRRP master device when the master device is down. This ensures an uninterrupted traffic flow.

Enter these details in the General tab of this window:


Group ID Enter the ID of the VRRP group.

Address Enter IP address of the VRRP group.

Priority Assign priority to the group. A higher priority indicates that the

VRRP device is a master device.

Inherit Configuration Select this to inherit the properties of another sub-interface

configuration. Enter these details:

Interface Name—Select an interface to inherit its properties.

VRRP Group Id—Select the VRRP Group ID for the

interface. All the other fields are disabled on selecting

Inherit Configuration.

of 178


Preempt Mode Select the preempt mode. These are the options:

Preempt—Indicates that the slave takes over when the

master device is down. The original master device will

takeover when it recovers from the failure.

No Preempt—Indicates that the slave takes over when the

master device is down. The original master will continue to

function as slave post if recovery from the failure.

Advertisements

Threshold The number of keep alive messages that are exchanged

between two VRRP devices (master and slave). Warmup Interval (Secs) Duration for which the sub-interface must wait to determine

which of the two VRRP devices is the master and slave,

respectively. Virtual Address The virtual address(es) to be assigned to the VRRP device. Fast Interval (msec) Frequency at which the keep alive messages are exchanged

between the master and slave VRRP devices. This is used in

VRRP version 3.

Accept Data Indicates whether this sub-interface accepts data when

received. Otherwise, the data is routed to another

interface. Enter these details in the Track tab of this window:


HA Slave Priority Cost Specify the Slave priority of the VRRP instance. The slave priority

must always be less than the cost configured for the master

device. Priority Hold Time Specify the hold time between the devices. The Slave device will

take over on expiry of the time configured for this field.

Interface tab

Name Select an interface that you want to add to the VRRP.

Priority Cost Specify the priority cost for the interface. 6. Click OK to save the changes and create a new VLAN based sub-interface for the PNIC/VNIC.

Configuring Aggregate Interfaces

On Versa FlexVNF, you can combine multiple interfaces to create a single logical aggregate ethernet. This aggregate ethernet interface comprises all the traffic of the mapped interfaces. You can apply the Versa Firewall policies to the aggregate interfaces to enforce security policies on traffic that belongs to any interface that is mapped to the aggregate interface.

Follow these steps to create a VLAN-based sub-interface:



3. Select the Interfaces from the left panel. The dashboard on the right displays the Ethernet tab by default.

The other tabs in this dashboard are:

a. Tunnel

of 178


b. Loopback

c. Fabric

d. Management

4. Click to add an aggregate interface. This opens the Add Ethernet Interface window.

a. Select the Aggregate Ethernet tab and enter these details:


Interface Enter the slot and port number of the PNIC.

System ID/MAC MAC address of the device.

Disable Disable (deactivate) this interface post its configuration.


Tags Specify a keyword or phrase that allows you to filter the captive

portal action. This is useful when you have many policies and want

to view those that are tagged with a keyword.

MTU Enter the maximum transmission unit size of a packet. It indicates

of 178


the size of largest protocol data unit the post can receive or

transmit in bytes.

Virtual Wire Enable this to allow this interface to become part of the virtual wire.

See Configuring Virtual Wire for more information to configure a

Virtual Wire.

Promiscuous Select this to convert the interface as promiscuous.

NOTE: This is required only is certain virtual environments. Configure only when recommended by the Versa support.

Sub Interface tab Select this option to create add sub interfaces.

LACP tab A LACP system priority is configured on each router running LACP. LACP uses the system priority with the router MAC address to form the system ID and also during negotiation with other systems. The LACP system ID is the combination of the LACP system priority value and the MAC address of the router.

5. Click OK to add the sub-interface as part of the aggregate ethernet. Repeat Step 3 to add multiple sub-

interfaces to the aggregate ethernet.

6. Click on the Ethernet tab in the Add Ethernet Interface window and select the Aggregate Member

option to specify the parent name and add the ethernet interface as part of the aggregate interface. Enter

these details:


Interface Select the name of the aggregate interface.

LACP Priority Enter the interfaces LACP priority number.

A LACP system priority is configured on each router running

LACP. LACP uses the system priority with the router MAC address

to form the system ID and also during negotiation with other

systems. The LACP system ID is the combination of the LACP

system priority value and the MAC address of the router.

7. Click OK to save the changes and create a new aggregate ethernet for the PNIC/VNIC.

Configuring Tunnel Interfaces

Versa FlexVNF supports tunnel interfaces for traffic that corresponds to VPN termination. It configures an IPSec tunnel and HA (High Availability) between two Versa FlexVNF devices. It supports either site-to-site VPN or SD-WAN.

In SD-WAN there are multiple tunnel interfaces to connect a branch with a controller. A tunnel interfaces name always starts with tvi thereby making it easy for all the other interfaces to identify it. For example, tvi-0, tvi-1 and so on.

You can apply the Versa Firewall policies to the tunnel interfaces to enforce security policies on traffic that is extracted/decrypted from the tunnel after VPN termination.

of 178


Follow these steps to configure a physical network interface (PNIC) or a virtual network interface (VNIC):

1. Select the Director Context > Config Templates > Networking to configure the PNIC/VNIC.


3. Select the Interfaces from the left panel. The Tunnel tab is displayed in the right panel.

4. Click to add a Tunnel interface. This opens the Add Tunnel Interface


a. Tunnel

b. Pseudo Tunnel

5. Enter these details in the Tunnel tab:


Interface Enter the slot and port number of the tunnel

interface. NOTE: A tunnel interface always has a

tvi prefix.

Disable Disable (deactivate) this interface post its configuration.

Description Enter a brief description of the tunnel interface and its purpose.


data that the port can receive or transmit.

Mode Select the mode of configuring the tunnel interface:

IPSec—For IPSec configuration.

Redundancy—For HA configuration.

Tunnel Type Select the type of tunnel for this interface from the list:

of 178


Point -to-multi-point GRE tunnel.

Point-to-multi-point IPsec tunnel.

Point -to-multi-point VXLAN tunnel.

Point -to-point IPsec tunnel.

Point -to-point GRE tunnel.

Point -to-point V6 GRE tunnel.

Ethernet Over GRE.

Paired.

Paired Interface The tvi address as a paired address. Traffic directed to a paired

interface is switched to the parent interface and vice-versa.

Sub-Interface Select the existing sub-interface and enter these parameters:

Unit—Unit number of the sub-interface. If the unit value is

0, VLAN ID is disabled. Else, enter the VLAN ID, which is

the virtual LAN ID of the sub-interface.

IP Address/Mask—IP address and subnet mask of the

sub-interface.

6. Click OK to save the configuration and create a tunnel interface.

Configuring Pseudo Tunnel Interface

Follow these steps to configure a pseudo tunnel interface:



3. Select the Interfaces from the left panel. The Tunnel tab is displayed in the right panel.

4. Click to add a Tunnel interface. This opens the Add Tunnel Interface


a. Tunnel

b. Pseudo Tunnel

5. Enter these details in the Pseudo Tunnel tab:


of 178


Name Enter a name for this pseudo tunnel interface.

NOTE: A pseudo tunnel interface always has a ptvi prefix.

Parent Interface Name of the parent interface.

Remote IP Address Remote address of the controller.

6. Click OK to save the configuration and create a pseudo interface.

Configuring Virtual Wire

A virtual wire binds two ethernet ports together allowing transparent installation of firewall in the network with minimum configuration. A virtual wire accepts all traffic or traffic with selected VLAN tags. It does not provide switching or routing services.

NOTE: A virtual wire does not require any changes to the neighboring network devices.

NOTE: It is important for the sub-interface in both the vni’s to have identical sub-interfaces.

Follow these steps to create a virtual wire:

1. Select Director Context > Config Templates > Networking.


3. Select the Interfaces from the left panel. The dashboard on the right displays the Ethernet tab by

default. The other tabs in this dashboard are:

a. Tunnel

b. Loopback

c. Fabric

d. Management

4. Click to add an Ethernet interface. This opens the Add Ethernet Interface


a. Ethernet

b. Aggregate Ethernet

5. Enter these details in the Ethernet tab to create a vni and configure it as a virtual wire:


Interface Enter the slot and port number of the VNIC.



captive portal action. This is useful when you have many

policies and want to view those that are tagged with a

particular keyword.

Virtual Wire Enable this to use this interface as part of the virtual wire.

of 178


Sub-interfaces Select this option to create VLAN based sub-interface.

See Configuring VLAN-Based Sub-Interfaces for information to

create a VLAN based sub-interface.

6. Click OK to create a virtual wire vni interface.

7. Follow the procedure mentioned in Step 5 to create another vni as a virtual wire.

8. Select Director Context > Config Templates > Networking > Virtual Wires to create a virtual wire.

9. Click to open the Add Virtual Wire window. Enter these details to create a virtual wire:


Name Enter a unique name for the virtual wire.

Interface 1 Select the vni virtual interface created in step 5.

Interface 2 Select the vni virtual interface created in step 6.

10. Click OK to create a virtual wire connecting the two vni interfaces.

Configuring Virtual Routers

The Versa FlexVNF firewall allows you to configure single or multiple Layer 3 interfaces for untagged routed traffic. The Versa FlexVNF firewall allows you to configure multiple routing instances which is analogous to VRF for untagged routed traffic. You can then specify Layer 3 subinterfaces for traffic with VLAN tags.

Follow these steps to configure a routed interface:



3. Select the Networking > Virtual Routers from the left panel.

of 178


4. Click to configure a virtual router. This opens the Configure Virtual Router window.

5. Enter these details in the Virtual Router Details section:


Instance Name Enter a unique name for the virtual router.


Instance Type Select an instance type for this virtual router. These are the two types:

Virtual Routing Instance—Configures a simple VPN. This

is the basic instance type.

Virtual Routing Forwarding Instance—Configures a router

for layer 3 VPN.

Usage Type Select the default management for the virtual router.

MPLS VPN Core This appears only when you select Virtual Routing Instance.

MPLS

Address

Local Router

This appears only when you select Virtual Routing Instance. This is

the router’s IP Address or ID.

Create

Tunnels

Dynamic

GRE Create a GRE Tunnel protocol for the virtual router.

Global VRF ID Assign a virtual router forward ID.

MPLS Transport Routing

Instance

This appears only when you select Virtual Routing Forwarding

Instance. It indicates that the virtual router is the core routing

instance. This is applicable in a MPLS protocol.

Router Distinguisher This appears only when you select Virtual Routing Forwarding Instance.

VRF Import Target Configure a routing instance as the core network.

of 178


VRF Export Target Configure a community string attached for importing routes

matched with this string.

VRF Both Target Configure a community string for exporting routes matched with

this string

Global VRF ID Assign a virtual router forward ID.

Interface/Networks Assign an Interface to the routing instance. There can be

multiple interfaces or networks assigned to a routing

instance.

6. Select the Static Routing section in the Configure Virtual Router window and click to open the

Add Static Route window.

Static routing occurs when a router uses a manually-configured routing. Static routes do

not change unlike dynamic routes. Enter these details:


Destination Assign the destination address or network.

Action

Nexthop Interface Select the Interface for the destination network.

Nexthop IP Address Select the IP address of the next network.

Next Routing Instance Select the next routing instance.

Discard Discard the static route in the routing table.

Reject Configure the static route and take no action.

No Install Indicate not to install the route in routing table.

Enable ICMP To enable the Internet Control Message Protocol (ICMP)

protocol. Enter these details:

Interval—Indicates the time interval between packets for ICMP.

Threshold—Indicates the threshold for ICMP. Metric Specify the cost to reach the destination network.

Preference Specify the preference of the static route. You can assign a preference for each route.

Tag specify the tag for the static route.

Enable BFD Indicate the link as down when the static route goes down.

Minimum Receive Interval—Specify the minimum time

interval to receive routes.

Multiplier—Specify the values used to calculate the final

minimum receive interval and minimum transmit interval.

Minimum Transmit Interval—Specify the time to retransmit the routers.

7. Select the OSPF section in the Configure Virtual Router window and click to open the Add

OSPF Instance window.

Open Shortest Path First (OSPF) is a routing protocol for Internet Protocol (IP) networks. It

of 178


uses a link state routing (LSR) algorithm and falls into the group of interior routing

protocols, operating within a single autonomous system (AS). Enter these details:


Interface ID Specify the instance ID assigned to OSPF.

Router ID Enter the Router IP address related to the OSPF.

Internal Admin Distance Enter the distance of internal routes learnt within the routing domain.

External Admin Distance Enter the distance of external routes learnt from another routing

domain.

Domain VPN Tag Enter the MPLS VPN tag attached to OSPF routes in this domain.

Area Assign an area ID for the OSPF.

An OSPF network is divided into sub-domains called

areas. An area is a collection of OSPF networks, routers,

and links that have the same area ID.

Each area is assigned an ID. An area with zero as its

ID is a backbone or normal area. Areas with non-zero

IDs are

non-backbone areas. Each area must be connected to

the backbone area known as area 0.

Areas communicate with other areas through the

backbone area.

Type

Area ID Assign an ID to the area. A backbone area has an area ID of

0.0.0.0. Areas with non-zero IDs are non-backbone areas.

Type Select the area type:

Normal—For non-backbone area.

Backbone—Backbone area is normal area.

STUB—External routes are not advertised.

NSSA—NSSAs are more flexible than stub areas. It can

import external routes into the OSPF routing domain

and provide transit service to small routing domains that

are not part of the OSPF routing domain.

No Summaries Specify the router at the border of an area advertise the area

routers t allow exchange of traffic.

of 178


Selecting this restricts the traffic to the said area.

NOTE: This option is not applicable to the Normal area.

Network

Network IP Enter the IP address or name of the network.

Network Name Enter the name of the network.

Network Type Select one of these network types:

Broadcast Type

Loopback Type

Point to Point Type

Priority Specify the Router with a higher priority to propagate routes,

before other routers.

Helper Mode Policy Help a neighbor undergoing hitless restart on this interface

for a specified reason.

Maximum Grace Period Configure the maximum grace period for a neighbor.

Metric Select a route from the other configured routes.

It can be the path length, bandwidth, hop count, load, path cost,

MTU, and communication cost.

Passive Indicate whether the router is a passive listener or actively

propagates messages.

A passive router does not advertise itself.

Timer

Hello Interval Specify the interval after which router advertises itself by sending

messages.

Dead Interval Specify the time to wait before declaring a router dead. This

happens when the router does not advertise itself for the

specified number of seconds.

Re-transmit Interval Specify the time after which the router can transmit a message.

Transit Delay Specify the delay in retransmitting a message.

of 178


Authentication

Type Select a mode to authenticate the router traffic. Select from these:

Password—Password based authentication.

MD5—Encrypted authentication.

Key ID Specify the Key ID for MD5 type of authentication.

MD5 Auth Key Specify the authorization key for MD5 type of authentication.

Auth Key Specify the password for the password type authentication.

Enable BFD Mark the router down when the OSPF goes down.

Minimum Receive Interval Specify the time interval to receive messages.

Multiplier Compute the final minimum receive interval and minimum

transmit interval by multiplying their base values with the

multiplier.

Minimum Transmit Interval Specify the time interval to start message transmission.

Virtual Link

Neighbor ID Specify the IP address of the neighboring area.

Transit Area Specify the ID or IP address of the backbone area.

Passive Indicate whether the router is a passive listener or actively

propagates messages.

A passive router does not advertise itself.

Admin Up Indicates that the administrative status of the link is up.

Hello Interval Specify the interval after which router advertises itself by sending

messages.

Dead Interval Specify the time to wait before declaring a router dead. This

happens when the router does not advertise itself for the

specified number of seconds.

Retransmit Specifies the time after which the router can transmit a message.

Transmit Delay Specify the delay in retransmitting a message.

Authentication Type Select a mode to authenticate the router traffic. Select from these:

of 178


Password—Password based authentication.

MD5—Encrypted authentication.

Auth Key Specify the password for the password type authentication.

Key ID Specify the Key ID for MD5 type of authentication.

MD5 Auth key Specify the authorization key for MD5 type of authentication.

NOTE: When you merge networks, the non-backbone areas communicate with each

other through a virtual link.

8. Select the BGP section in the Configure Virtual Router window and click to open the Add BGP

Instance window.

BGP (Border Gateway Protocol) is a protocol for exchanging routing information between gateway

hosts in a network. BGP is often the protocol used between gateway hosts on the Internet.

a. Select the General tab and enter these details:



Instance ID Assign an ID for the BGP Instance. A router can have multiple

instances of BGP.

Router ID Specify the IP address of the router.

Local AS Specify the local Autonomous System number for the BGP.

Peer AS Specify the peer Autonomous System number for the BGP.

Local Address Specify the IP address of the BGP instance.

Hold Time Specify the hold time to negotiate with a peer.

TTL Specify the time to live. This configures the number of hops a

packet travel in a network.

Password Specify the password to authenticate the BGP instance.

Local Network Name Select the local area network to which the BGP instance

belongs. This field lists the names of user-defined networks.

IBGP Preference Specify the preference value given to the IBGP learnt routes.

EBGP Preference Specify the preference value given to the EGP learnt routes.

of 178


Passive Select this to enable the BGP to only accepts traffic and

not to transmit routes.

Remove All Private AS# Select this to advertise all the private autonomous system

numbers before transmitting routes.

Route Reflector Client Select this to enable the BGP router to functions as a route

reflector and broadcasts the routes of all the other routers in

the network, instead of each router broadcasting its own route.

NOTE: This parameter applies to an IBGP setup.

Family Select the type of protocol. These are the options:

Family—Select the type of protocol. These are the options:

IPv4 Unicast—Applicable to BGP.

IPv4 Versa Private—Applicable to SD-WAN.

IPv4 Layer 3 VPN Unicast—Applicable to Layer

3 VPN.


IPv6 VPN Unicast—Applicable to BGP.

Loop—This family is considered a loop if the number of

neighboring AS is more than this loop value.

Prefix Limit—Specifies the maximum number of prefixes

that a BGP instance can receive per session from its

peer. Click OK to save the General configuration.

b. Select the Advanced tab and enter these details:


Cluster ID Specify the cluster ID of the reflector clients.

Path Selection

Always Compare MED Select this to enable the router to send routes to another

router. A route with a lower MED (Multi Exit Discriminator) is

given priority.

Cisco-Nondeterministic Select this enable the routing of table path selection.

The active path is always first. All non-active, but eligible paths

follow the active path and are maintained in the order in which

they are received, with the most recent path first. Ineligible

paths remain at the end of the list.

of 178


When a new path is added to the routing table, path

comparisons are made without removing from consideration

those paths that should not be selected because those paths

lose the MED

tie-breaking rule.

Enable BFD Select this to mark the link as down whenever the BFD is down.

Minimum Receive Interval Specify the time interval, in milliseconds, to mark the link as

down if the routing updates are not received.

Multiplier Specify the value to compute the final minimum receive interval.

Minimum receive interval is multiplied with this value to get the

time interval.

Minimum Transmit Interval Specify the Time interval at which BGP instances

communicate with each other.

Route Flap Option

Free Max Time Specify the maximum time to remember an assigned penalty to

the router. A penalty is assigned to a router when its routes go

up and down.

Reuse Max Time Specify the time corresponding to the last reuse list.

Reuse Size Specify the number of reuse lists.

Reuse Array Size Specify the size of the reuse index arrays.

Enable Graceful Restart—Select this to allow the BGP to restart when it goes down.

Maximum Restart Time Specify the maximum time limit, in seconds, the BGP requires

to restart and come up.

Stalepath Time Specify the maximum time, in seconds, the BGP waits before

removing the stale routes from a neighbor after a restart of the

neighbor’s session.

Recovery Time Specify the estimated recovery time after a restart.

Defer Time Specify the maximum time, in seconds, for a BGP process to

wait performing a route session after a local restart.

Dynamic Peer Restart Time Specify a minimum time, in seconds, for the dynamic peers to

reconnect after the restart of the BGP process.

of 178


Family Enter these values:

Family—Select the type of protocol. These are the options:


IPv4 Versa Private—Applicable to SD-WAN.

IPv4 Layer 3 VPN Unicast—Applicable to Layer

3 VPN.


IPv6 VPN Unicast—Applicable to BGP.

Forwarding State Bit—Enable forwarding of routes. Click OK to save the Advanced configuration.

c. Select the Prefix List tab and click to open the Add BGP Instance > Add Prefix List window.

Enter these details:


Prefix List Name Specify the prefix list name.

Prefix lists are used in the peer group policy to change the

attributes of routes and allow or deny advertising routes to the

peer routers.

Click to open the Add BGP Instance > Add Prefix List > Add Sequence window. Enter these details:

Sequence Number Specify the order or sequence number of the prefix list.

Action Select one of these action on the routes:

Permit—Select this to allow routes on this prefix list.

Deny—Select this to deny routes on this prefix list.

Address Family Select the broadcast family protocol of the route. Select one

of these:

IPv4

IPv6

SAFI Select the sub-address family indicator.

IP Address Specify an IP address to group the routes used for with this prefix list.

IP Address/Mask—Specify the IP address of the route.

Min Prefix Length—Specify the minimum prefix length

to match; acceptable range is <25-32>.

of 178


Max Prefix Length—Specify the maximum prefix length

to match; acceptable range is <25-32>.

Click OK to configure Prefix List.

d. Select the Peer/Group Policy tab.

A peer/group policy is defined to manipulate routes defined in the prefix list. You can change

the route attributes and allow or deny advertising these routes to the peers.

Click to open the Add BGP Instance > Add Peer/Group Policy window and

enter these details.


Name Specify the peer/group policy name.

Click to open the Add BGP Instance > Add Peer/Group Policy > Add Term window and

enter these details.

Term Name Specify the policy term name. Term entities are executed in the

order they are listed in the Term Name table.

Match tab

Family Select the routes protocol family. Select one from these protocols:

IPv4 Family

IPv4 VPN Family

IPv6 Family

IPv6 VPN Family

Versa-Private Family

AS Path Specify the autonomous system (AS) path action.

Metric

NLRI Select the Network Layer Reachability Information (NLRI) of the

prefix list to be matched. It displays the user-defined prefix lists.

Source Address Select the source address of the prefix list to be matched. It

displays the user-defined prefix lists.

Next Hop Select the IP address of the prefix list to be used as the next hop.

It displays the user-defined prefix lists

Community Applicable to BGP protocol.

of 178


This identifies and segregates BGP routes to enable a smooth

traffic flow.

A BGP community is a group of destinations with a common

property. This is a path attribute in BGP update messages.

The attribute identifies community members and performs

actions at a group level, instead of an individual level.

Extended Community Applicable to BGP protocol.

This identifies label for BGP routes. You can group a larger

number of destinations as an extended community than in a

community.

Origin Select the source of the route. The options are:

Remote IGP

Local EGP

Unknown Heritage

Action tab

Accept/Reject Select to either accept or reject the route.

Origin Select the source of the route. These are the options:

Remote IGP

Local EGP

Unknown Heritage

Next Hop Specify the IP address of the next hop.

Local Preference Specify the BGP attribute used to choose the outbound external

BGP path.

AS Path Select a regular expression to match the AS-path for the route.

Select one of these:

No AS path action.

Prepend the local AS path the number of times

specified by local as prepend count.

Remove All AS numbers matched by match as-path.

Remove All AS numbers matched by match-as

path and prepend the local AS the number of times

specified by local-as-prepend-count.

of 178


Local AS Prepend Count Specify the number of times a local AS number is prepended to

the AS path.

AS Path Prepend Specify the AS number to an AS path.

Damping Specify the BGP routeflap damping parameter configuration.

Community Action Select the regular expression to use when matching the

community list for a route. These are the options:

Remove all communities from the route.

Remove all communities with the value of set community.

Remove all communities with the value of set

extended community.

Append the value of set community into the communities list.

Community Specify a value to help identify and segregate BGP routes,

enabling a smooth traffic flow.

A BGP community is a group of destinations with a

common property. This is a path attribute in BGP update

messages. The

attribute identifies community members and performs actions

at a group level, instead of an individual level.

Extended Community Action Select an expression to use when matching the extended

community list for a route:

Community field is ignored.

Remove all communities from the route.

Remove all communities with the value of set community.

Remove all communities with the value of set

extended community.

Append the value of set community into the communities list.

Extended Community Specify a value that acts like an identification label for BGP

routes. A larger number of destinations can be grouped as

an extended community than in a community.

of 178


Metric Action Select an action on the metric value. These are the options:

Set Value.

IGP.

Add.

Subtract.

Metric Specify the metric value for the route.

Slave Action tab—This is applicable in a high availability setup.

Slave AS Path Select the AS path action when the appliance is an inter-chassis

HA slave. These are the options:

No AS path action.

Prepend the local AS path the number of times

specified by local as prepend count.

Remove All AS numbers matched by match as-path.

Remove All AS numbers matched by match-as

path and prepend the local AS the number of times

specified by local-as-prepend-count.

Slave

Count

Local AS Prepend Specify the number of times a local AS number is prepended

to the AS path while the appliance is an inter-chassis HA

slave.

Slave AS Path Prepend Prepend the AS number to an AS path.

Slave Metric Action Select a metric action to perform. These are the options:

Set Value

IGP

Add

Subtract

Slave Metric Specify the metric value while the appliance is an inter-chassis

HA slave.

Slave Local Preference Specify the local preference associated with a route.

Click OK to configure Peer/Group Policy.

e. Select the Peer Group tab and click to open the Add BGP Instance > Add Peer Group

window to configure BGP peer groups.

There can be multiple BGP instances and these can be grouped. Enter these details to define the

peer instance attributes:

of 178



Name Specify the name of the peer group.


Type Select the peer group type. These are the options:

IBGP

EBGP

Peer AS Specify the peer autonomous system number in number format.

Local Address Specify the local end address of the BGP session.

Hold Time Specify the hold time used when negotiating with a peer.

TTL Specify the number of hops a packet can travel in a network.

Password Specify the MD5 password for this peer group.

Local Network Name Select the network to which the peer group belong. Specify the

network name or the local address of the peer group.

Local AS Specify the local autonomous system number.

General

Family Select the protocol family of the peer group. These are the options:

IPV4 Unicast. Applicable to BGP.

IPV4 Versa Private. Applicable to SDWAN.

IPV4 VPN Unicast. Applicable to Layer 3 VPN.

Loop Specify the number of times the local AS is allowed in the

received AS path.

For example, if loop is set to a value 5 then Versa FlexVNF

allows local AS in received AS path 5 times.

Prefix Limit Specify the maximum number of prefixes that a BGP instance

can receive per session from its peer.

Neighbors—Click to open the Add BGP Instance > Add Peer Group > Add Neighbor

window. Enter these details:

Neighbor IP Specify the neighbor peer group ID.

of 178


Peer AS Specify the autonomous system (AS) number in a number format.

Local Address Specify the local end address of the BGP session.

Hold Time Specify the hold time used when negotiating with a peer.

TTL Specify the number of hops a packet can travel in a network.

Password Specify the MD5 password for this neighbor.

Local Network Name Select the network to which the neighbor peer group belong.

Specify the network name or the local address of the peer group.

Local AS Specify the local autonomous system number.


Neighbors > General tab

Family Select the protocol family of the neighbor peer group. These are

the options:


IPv4 Versa Private— Applicable to SDWAN.

IPv4 VPN Unicast— Applicable to Layer 3 VPN.

Loop Specify the number of times the local AS is allowed in the

received AS path.

Prefix Limit Specify the maximum number of prefixes that a BGP instance

can receive per session from its peer.

Neighbor > Advanced tab.

Passive Enable BGP to accept traffic only and not to transmit any routes.

Remove All Private AS# Enable the AS to advertise all the private AS numbers before

transmitting routes.

Route Reflector Client Enable the router functions as a route reflector by broadcasting

the routes of all the other routers in the network.

The other routers are connected to the router, which broadcasts

the routes of all the routers, instead of each router broadcasting

its own route. This is applicable in an IBGP setup.

As Override Specify the AS numbers to be replaced in the AS Path to be sent

to neighbors.

of 178


Policy Import—The peer group policy applies updates to outgoing routes.

Export—The peer group policy applies updates to incoming routes.

Enable BFD Indicate the link as down when the peer group goes down.





Minimum Transmit Interval—Specify the time to at which

the BGP instance communicates with each other.

Allow—Use this tab to define the acceptable peer group routes.

All Select all the IP addresses as acceptable peer group routes.

IP Address/Mask Click to add IP address of the route that you want to allow.

Advanced

Passive Enable BGP to accept traffic only and not to transmit any routes.

Remove All Private AS# Enable the AS to advertise all the private AS numbers before

transmitting routes.

Route Reflector Client Enable the router functions as a route reflector by broadcasting

the routes of all the other routers in the network.

The other routers are connected to the router, which broadcasts

the routes of all the routers, instead of each router broadcasting

its own route. This is applicable in an IBGP setup.

Next Hop Self Enable the IP address of the prefix list as the next hop. It

displays the user-defined prefix list.

As Override Specify the AS numbers to be replaced in the AS Path to be sent

to neighbors.

Policy Import—The peer group policy applies updates to outgoing routes.

Export—The peer group policy applies updates to incoming routes.

Enable BFD Indicate the link as down when the peer group goes down.


of 178





Minimum Transmit Interval—Specify the time to at which

the BGP instance communicates with each other.

Click OK to configure the BGP Peer Group.

f. Select the Policy Options tab and click to open the Add BGP Instance > Add Damping

window to configure dampening policy. Enter these details:


Dampening Name Specify the name of the dampening policy.

Suppress Specify the cutoff threshold limit. Routes beyond this level are

suppressed.

Maximum Suppress Time (min)

Specify the maximum suppression time of a route.

Reuse Specify the reuse threshold of a suppressed route.

Half Life Ok (min) Specify the decay half life time, in minutes, to define the

stability of the route while it is still reachable.

Half Life Ng (min) Specify the decay half life time, in minutes, to define the

stability of the route while it is unreachable.

Maximum Time Ok (min) Specify the maximum time, in minutes, any memory of a

previous instability is retained for a reachable route.

Maximum TIme ng (min) Specify the maximum time, in minutes, any memory of a

previous instability is retained for an unreachable route.

Click OK to configure the dampening policy.

9. Select the Router Advertisement section in the Configure Virtual Router window and click to open

the Add Router Advertisement window. Enter these details:


Interface Name Specify the interface that was configured as mode router.

Life Time Specify the router lifetime in seconds.

Link MTU

of 178


Max

Advertisement

Interval

Specify the maximum time within which next RA must be advertised.

Min

Advertisement

Interval

Specify the minimum time within which next RA must be advertised.

Reachable Time Specify the reachable time to be used by the nodes on the LAN

which will use SLAAC.

Retransmit Timer Specify the retransmit time to be used by the nodes on the LAN

which will use SLAAC.

Managed Address

Configuration

Configures the host's request for DHC.

Other

Stateful

Configuration

Configures the host's request for other stateless information from

DHCP server other than IP address.

Prefix List tab—Click to open the Add Router Advertisement > Add Prefix List window.


Prefix Specify the prefix list name.

Prefix lists are used in the peer group policy to change the

attributes of routes and allow or deny advertising routes to the

peer routers.

Autonomous Flag This is set to true by default. If set to false, will make hosts on LAN not to perform SLAAC.

Preferred Lifetime Specify the preferred lifetime of the prefix used by hosts.

Valid Lifetime Specify the valid lifetime of the prefix used by hosts.

On Link Flag This is set to online as a default. If unset, this will configure an off link prefix.

NOTE: This is not supported for 16.1R1.

Delegated Prefix Pool tab—Click to open the Add Router Advertisement > Add Prefix List

window. Enter these details:

Delegated Prefix Pool Send the delegated prefix pool to be delegated to the

downstream neighbors.

of 178


NOTE: Relay is not supported yet for 16.1R1.

10. Select the Redistribution Policies section in the Configure Virtual Router window to configure a

redistribution policy.

Versa FlexVNF supports different types of routes like Static, OSPF, or BGP. Configure a

redistribution policy to send the route of a protocol from one network to another network that

uses different protocol.

For example, sending a static route to an OSPF route.

NOTE: Two networks using similar protocol do not require a redistribution policy.



Redistribution to OSPF Applicable policy to routes for redistribution to OSPF. It

redistributes based on policy applied to OSPF protocol.

Redistribution to OSPF 3 Applicable policy to routes for redistribution to OSPF 3. It

redistributes based on policy applied to OSPF3 protocol.

Redistribute to BGP Applicable policy to routes for redistribution to BGP. It

redistributes based on policy applied to BGP protocol.

Redistribute to BGP 6 Applicable policy to routes for redistribution to BGP 6. It

redistributes based on policy applied to BGP4++ protocol.

b. Click to open the Add Redistribution Policy window.


Name Specify the redistribution policy name.

Click to open the Add Redistribution Policy > Add Term window. Enter these details:

Term Name Specify the redistribution policy’s term name. The policy rule

always evaluates the instance based on its creation. For example,

the first instance is evaluated first.

Match tab.

Protocol Select the protocol for redistribution. These are the options:

BGP

DHCP

Direct

OSPF

of 178


SDWAN

STATIC

Address Specify the IP address of the route.

Next Hop Specify the IP address of the routes next hop.

Area This is applicable only for OSPF. It matches the area.

Address This is applicable only for OSPF. It matches the address.

This is not only applicable for OSPF.

It is applicable for static/direct/OSPF/BGP.

OSPF Tag This is applicable only for OSPF. It appends matching OSPF

domain vpn tags with this string.

Static Tag This is applicable only for OSPF. It matches the tags set to static

routes. Not for OSPF.

Community Applicable to BGP protocol.

This identifies and segregates BGP routes to enable a smooth

traffic flow.


property. This is a path attribute in BGP update messages. The

attribute identifies community members and performs actions at a

group level, instead of an individual level.

Extended Community Applicable to BGP protocol.

This identifies label for BGP routes. You can group a larger

number of destinations as an extended community than in a

community.

Action tab

Accept/Reject Select to either accept or reject the route.

Set

Community This is applicable for the BGP community only.

Specify a value to help identify and segregate BGP routes, enabling a

smooth traffic flow.


of 178


property. This is a path attribute in BGP update messages. The

attribute identifies community members and performs actions at

a group level, instead of an individual level.

Extended Community This is applicable for the BGP community only.

Specify a value that acts like an identification label for BGP

routes. A larger number of destinations can be grouped as

an extended community than in a community.

Local Preference Specify a BGP attribute to choose the outbound external BGP path.

MED Specify the multi exit discriminator (MED).

Origin Select the source of the BGP route. These are the options:

Local EGP

Remote IGP

Unknown heritage

OSPF Tag Specify the OSPF tag that is applicable to the OSPF protocol.

Metric Select a route to determine if whether you can use it over another route.

Metric Conversion Select the conversion factor for the metric value. These are the options:

Inverse

Scale Down

Scale Up

Set

Truncate

OSPF External Type Select and external OSPF.

Slave

Metric Specify the metric value to set while the appliance is an inter-

chassis HA slave.

Metric Conversion Select the conversion for metric value from a route during

redistribution. This is applicable when the appliance is an inter-

chassis HA slave (only applicable if inter-chassis redundancy is

enabled on the FlexVNF). These are the options:

Inverse

Scale Down

of 178


Scale Up

Set

Truncate

Click OK to configure the redistribution policies.

11. Select the Instance Import Policies section in the Configure Virtual Router window and click to

open the Add Import Policies window. Enter these details:


From Instance Specify fetching routes from other routing instance, usually from

a paired interface routing instance.

Family Select the family to which the instance belongs to.

Policy Name Select the policy name that the instance belongs to.

of 178


Security Zones

Overview

An interface facilitates the entry and exit of traffic in any network. In a network, many interfaces can share the same security requirement and at the same time many interfaces can also have different security requirements for inbound and outbound traffic. Versa SD-Security allows you to group together all the interfaces with identical security requirement into a single security zone.

The security zone provides a simple mechanism to define and associate the security policies. During security policy enforcement, the traffic is mapped from the security zone to the network interfaces that are associated with the zone automatically.

As the traffic enters each security zone via the network interfaces that are associated with the security zone, a basic level of defense mechanism is required to protect the zone against certain type of malicious traffic from entering the network. The Zone Protection Profile provides a mechanism to define the criteria to match malicious/unintended traffic and prevent the matching traffic from entering the network. Each security zone can be associated with one Zone protection profile.

The Zone Protection Profile provides a mechanism to detect and prevent these types of traffic:

Traffic flood of various protocols like TCP, UDP, ICMP, etc.

Reconnaissance. For example, port scan, host sweep, etc.

Malicious/Spoofed packets.

A security zone is a high-level abstraction of an area that is either the source or destination of the traffic that Versa FlexVNF processes. For example, security zones include:

Floors or parts of the floor that represent a logical group of network access points provided to end-users,

or

Certain Wi-Fi hotspots, etc.

The traffic associated with a security zone enters Versa FlexVNF through one or more interfaces. Versa FlexVNF configures each security zone to map the association between the traffic and one or more interfaces. You can associate each interface with a single security zone.

of 178


To define a security zone, you must:

1. Define a zone.

2. Associate logical interfaces and networks with the security zone.

3. Define permitted services and protocols destined to the device.

NOTE: Security zones are logical entities to which one or more interfaces are bound

and are the building blocks for access policies.

Configuring Security Zones

Use the Versa Director to configure a security zone on Versa FlexVNF. You can configure a security zone on a per-tenant basis. For a given tenant, each security zone must have a unique name.

NOTE: Different tenants hosted on the Versa FlexVNF can have security zones with the same name. Versa FlexVNF is designed to handle tenant level isolation.

Follow these steps to add a security zone in Versa FlexVNF:

Select Configuration > Templates > Service Templates to choose the firewall service template.

of 178


1. In Director context, select Configuration > Networking > Zones from the left panel.

2. Select an Appliance from the list box and click to configure a security zone for this appliance. This

opens the Add Zone window.

3. Enter these details in the Add Zone window:


Name Specify the name of the security zone.

Description Specify a brief description of the interface and its purpose.

Tags Specify a keyword or phrase that allows you to filter the Security Zone.

Zone Protection Profile Select a profile to protect the zones from spoof or junk data.

Log Profile Select the log profile for use with this protection profile. By default, the

of 178


alarms are logged in syslog. You can configure to add the alarms on an

external device too.

Interface and Networks Select this to add an interface and a network with the security zone.

In the Interface pane, click and select an interface from the

list.

In the Networks pane, click and select a network from the

list.

Routing Instance Select this to add a routing instance with the security zone.

In the Routing Instance pane, click and select an interface

from the list.

Organization Select this to add an organization with the security zone.

In the Organizations pane, click and select an interface from

the list.

4. Click OK to create a new zone for the appliance.

Associating an Interface/Network with a Security Zone

After configuring a security zone, you can configure one or more interface to it. Traffic entering Versa FlexVNF appliance through a specific interface is a part of the security zone that the interface is associated with.

If the interfaces are associated with network objects earlier in the configuration process, then add the network objects to the security zone. When a network object is added to the security zone all the interfaces that belong to the network object are added to the security zone.

Zone Protection

Versa SD-Security provides zone protection as one of the basic network functions on the Versa FlexVNF. You can configure a zone protection profile and associate it with a security zone to protect the security zone from malicious traffic.

The zone protection profile provides basic traffic profiling and reconnaissance detection when the traffic enters NICs if a tenant. Zone protection is applied only for the new flows (the first packet of the new flow).

Use Versa Director to configure multiple zone protection profiles for a given tenant. Each zone protection profile has a unique name and specifies the protection information.

Configuring Zone Protection Profile

Configure a zone protection profile to protect a security zone from malicious traffic and associate it with the security zone.

Follow these steps to configure a zone protection profile:

1. Select Configuration > Templates > Service Templates to choose the firewall service template.

of 178


2. In Director context, select Configuration > Networking > Zones Protection Profiles from the left

panel.

3. Click to configure a security zone protection profile for this appliance. This opens the Add Zone

Protection Profile window. This window has these tabs:

a. General

b. Flood

c. Scan

d. Packet Based Attack Protection

4. Select the General tab and enter these details:


Name Specify the name of the zone protection profile.

Description Specify a brief description of the interface and its purpose.

Tag Specify a keyword or phrase that allows you to filter the Zone Protection

Profile.

5. Select the Flood tab to configure the flood thresholds supported for this protection profile. Enter these

details:


of 178


Protocol This column displays various profiles available. These are the available

profiles:

TCP

UDP

ICMP

Other IP

SCTP

ICMPv6

Enable Select to enable the profile to which this checkbox is associated. This

enables an action (the last field in the row) for the profile.

Alarm Rate Packets/Sec Specify the packet rate to generate an alarm when the number of packets

received per second matches the value defined in this field.

Active Rate Packets/Sec Specify the packet rate to activate the RED (Random Early Drop).

Packets are randomly dropped when the number of packets received per

second matches the value defined in this field.

Maximum Rate

Packets/Sec

Specify the packet rate at which all the packets are dropped. This

happens when the number of packets received per second matches the

value defined in this field.

Drop Period Sec Specify the duration of the packet dropping.

Actions Select the action for data packet spoofing. The options are:

Random Early Detect.

Cookies.

6. Select the Scan tab to configure the scan protection this protection profile. Enter these details:


Scan This column displays various types of scans available. These are the

available profiles:

TCP

UDP

HostSweep

Enable Select to enable the scan type to which this checkbox is associated.

Actions Select the action to perform when an abnormal network scan is detected.

These are the options:

Allow—Allows to run the scan.

Alert—Generates an alert.

of 178


Interval (Sec) Specify the time interval at which the scan occurs.

Threshold(Events) Specify the threshold level, crossing which generates an alarm.

7. Select the Packet Based Attack Protection tab to protect the network from invalid data packets. Enter

these details:


UDP/TCP/IP/Discard Select the type of packet:

IP Frag—Select this to drop packets with a fragmented IP address.

IP Snoop—Select this to drop packets that are received on one

interface but has a different outgoing interface.

Reject Non-SYN TCP—Select this to drop packets in a session, if

the first packet has a Non-SYN flag.

UDP Malformed—Select this to drop packets in case of a checksum

error.

Select from these IP Options:

Security

Stream

Unknown

Malformed

Loose-source Routing

Strict-source Routing

Timestamp

Record Route

ICMP Select from these:

Ping Zero ID—Select to drop packets with Zero ID.

Fragment—Select this to drop packets received as fragments.

Large Packet (length > 1024 bytes) Malformed—Select this to drop

packets with a size larger than 1024.

Error Message—Select this to drop packets if error messages are

generated on a ping request.

Malformed Packet—Select this to drop malformed packets.

8. Click OK to save the configuration and create a zone protection profile for the security zone.

Associating Security Zone with a Zone Protection Profile

After configuring one or more protection profiles you can associate any zone protection profile with a given security zone. The flood protection, scan protection and traffic anomaly protection information that is specified in the zone protection profile is applied to all the traffic that enters the Security Zone through the interfaces associated with the security zone.

of 178


Address Objects

Overview

Traffic that enters Versa FlexVNF through the PNICs and/or VNICs is associated with a corresponding security zones. At the security zone an appropriate zone protection is applied and only clean traffic enters Versa FlexVNF. Versa SD-Security allows you to apply various types of security policies and profiles to the traffic, depending on multiple granular match criteria, after it crosses the security zone.

Versa FlexVNF supports these security policies—Stateful Firewall Policy, DDoS Policy, SD-WAN Policy, etc.

All types of security policies within Versa FlexVNF support match criteria based on source zone, destination zone, source address, destination address, geo-location, IP headers, service, and schedule.

Configure one or more of these objects to define a security policy:

Addresses

Addresses Group

Services

Schedules

Logging Profiles

NOTE: You can reuse these objects in multiple security policies.

Versa SD-Security allows you to define a security policy using:

1. Address Objects.

2. Address Group Objects.

Address Objects

An address object allows you to reuse the same object as a source or destination address across all the policy rule bases without having to add it manually each time. You can specify a match criteria based on the source IP address, destination address or a combination of both to define a rule in any policy that the Versa FlexVNF supports.

Select the address objects, address group objects, and/or address regions (based on geo-location) to specify the IP address match criteria.

NOTE: As a prerequisite, configure the address objects to define a policy rule that includes source and/or destination IP address match criteria.

Configuring Address Objects

Follow these steps to configure address objects in the Director context of Versa Director:


2. In Director context, select Configuration > Objects & Connectors > Objects > Address to

configure the address object.

of 178


3. Click to add an address. This opens the Add Address window.

4. Enter these details in the Add Address window:


Name Specify the name of the address object.

Description Specify a brief description of the address object and its purpose.

Tags Specify a keyword or phrase that allows you to filter the Address Object.

Type Select an IP address match criteria for this address from these:

IPv4—The address match is evaluated using any IP address within

the specified IPv4 prefix.

IPv4 Range—The address match is evaluated using any IP address

within the specified IPv4 address range.

IPv6 Address/Prefix—The address match is evaluated using any of

the IP addresses within the specified IPv6 address range.

Fully Qualified Domain Name (FQDN)—The address match is

evaluated using any IP address returned in the DNS query for

resolving the FQDN into IP address.

Dynamic Address—The dynamic address is a placeholder that

Versa Director dynamically reconfigures. The dynamic address

match type is useful when the IP address of the endpoint changes

dynamically. Use the Rest API to update the dynamic address

of 178


object when the changed/new IP address of the end point is

discovered.

5. Click OK to create a new address for the appliance.

Address Group Objects

Use address groups objects to specify the policy rule match criteria. An address group object groups addresses that require the same security settings. This simplifies the creation of security policies.

Use the address group object to include a set of address with many policy rules and to avoid enumerating individual address objects repeatedly. This assumes that the corresponding address objects are configured as members of the address group referenced.

Configuring Address Group Objects

Follow these steps to configure address group objects in the Director context of Versa Director:


2. In Director context, select Configuration > Objects & Connectors > Objects Address Groups

to configure the address object.

3. Click to add an address. This opens the Add Address Group window.

4. Enter these details in the Add Address Group window:


Name Specify the address group object with a unique name.

Description Specify a brief description of the address group object and its purpose.

Tags Specify a keyword or phrase that allows you to filter the captive portal

action. This is useful when you have many policies and want to view

those that are tagged with a particular keyword.

Address Configure the address group objects member IP address.

5. Click OK to create a new address group for the appliance.

of 178


Service Objects

Overview

A service object in Versa SD-Security represents a match criteria based on the IP protocol and/or port numbers. To define a security policy for specific applications you have to select one or more services in Versa FlexVNF to limit the number of ports the application can use. For example:

Define a FTP service as IP protocol TCP on port number 21.

Define a DNS service as IP protocol TCP or UDP and port number 53.

The Internet Assigned Numbers Authority (IANA) has defined well known services on reserved ports and protocols and has reserved port numbers in the 1 to 1024 range for these services. Versa SD-Security maps all the services defined by the IANA and these are included as predefined services in the Versa FlexVNF.

You can define security policy rules based on well-known services running on standard port numbers to avoid creating custom service objects.

You must create a custom service object when a well-known service runs on a non-standard port or if the port/protocol combination is missing in the Versa predefined services.

NOTE: The custom service objects are defined for a tenant and can be used only by that tenant.

The custom service objects are not visible to any other tenant hosted on Versa Director/Versa FlexVNF.

You can also combine services that are often assigned together to create a service group. This simplifies the creation of security policies.

Viewing Predefined Services

All the predefined services/object definitions are defined by Versa Security Research team. These predefined entities are like factory defaults. Use the Security package to update these predefined objects at any time, without any impact to the Versa Director or the Versa appliances.

Follow these steps to check the predefined services on the Versa FlexVNF:


2. In Director context, select Configuration > Objects & Connectors > Objects >Pre-defined >

Services to view the list of predefined service objects.

of 178


2. Click in the dashboard to restrict the columns that you want to see in the dashboard.

3. Click in the dashboard to filter the display by the protocol name, protocol value, source port or

destination port.

Configuring Custom Service Objects

Create a custom service object when a well-known service runs on a non-standard port or if the port/protocol combination is missing in the Versa predefined services.

Follow these steps to create a custom service object:


2. In Director context, select Configuration > Objects & Connectors > Objects > Custom Objects

> Services .

3. Click in the dashboard to add a new custom service. This opens the Add Service window.

of 178


4. Enter these details in the Add Service window:


Name Specify the name of the custom service object.

Description Specify a brief description of the custom service object and its purpose.

Tags

Protocol Select this option to define a protocol based custom service object.

Selecting this option enables the Protocol field below. Select one of

these protocol types to create your custom service object:

TCP

UDP

ICMP

ESP

AH

TCP_or_UDP

Protocol Value Select this option to define a protocol value based custom service

object.

Selecting this option enables the Protocol Value field below. Enter a value

that you want to assign for your custom defined protocol.

Port Select this to assign your custom service object to specific port. Selecting

this option enables the Port field below.

Enter the specific port number on which you want to assign your custom

service object.

Source/Destination Select this to assign your custom service object to specific source port

and/or destination port.

of 178


Selecting this option enables the Source Port and Destination Port

fields below.

Enter the specific source port number and destination port number on

which you want to assign your custom service object.

5. Click OK to create a custom service object.

of 178


Schedule Objects

Overview

Effectively the security policy rules work at all dates and times. You can define a schedule to limit a security policy to specific times and then apply them to the appropriate policies.

Versa FlexVNF policy objects support match criteria based on time of day. For example, you can define a policy rule that is effective only during certain times of the day such as lunch hours, after hours, etc.

Configure a schedule object to define a policy match criteria. The schedule object defined for one tenant is applicable for that tenant only and is not visible to other tenant in the system.

A schedule object configuration involves specifying a fixed date and time range or a recurring daily or weekly schedule.

Configuring Schedule Objects

Follow these steps to create a custom service object:


2. In Director context, select Configuration > Objects & Connectors > Objects > Schedules .

3. Click in the dashboard to add a new schedule. This opens the Add Schedule window.

of 178


4. Enter these details in the Add Schedule window:


Name Specify the name of the custom schedule object.

Description Specify a brief description of the custom schedule object and its purpose.

Tags Specify a keyword or phrase that allows you to filter the captive portal

action. This is useful when you have many policies and want to view

those that are tagged with a particular keyword.

Recurrence Select the type of schedule. These are the values:

Non-Recurring—Specify a start and end date and time. Click

Add to add another row.

Daily—Specify a start and end time in 24‐hour format

(HH:MM). Click Add another row.

Weekly—Select a day of the week, and specify the start and

end time in 24‐hour format (HH:MM). Click Add to add another row.

5. Click OK to create a custom schedule object.

of 178


Stateful Firewall

Overview

The stateful firewall provides a mechanism to enable full visibility of the traffic that traverses through the firewall and enforces very fine grain access control on the traffic.

To classify the traffic, the stateful firewall verifies its destination port and then tracks the state of the traffic and monitors every interaction of each connection until it is closed.

The stateful firewall grants or rejects access based not only on port and protocol but also on the packets history in the state table. When stateful firewall receives a packet it checks the state table for an established connection or for a request for the incoming packet from an internal host. If nothing is found then the packets access is subject to the access policy rule.

Configure a security access policies to classify traffic using a security access policy. A security access policy is required for the stateful firewall feature to work. A security access policy includes the stateful firewall rule that collates the defined objects and assigns an action to be taken based on the match conditions.

NOTE: Stateful firewall is limited to layer 2 through layer 4 only. This option is not visible in the Web UI if you have subscribed to the Next Generation Firewall.

The stateful firewall spends most of its cycles examining packet information in Layer 4 (transport) and lower. For more advanced inspection capabilities, it targets vital packets for Layer 7 (application) examination, such as the packet that initializes a connection. If the inspected packet matches an existing firewall rule that permits it, the packet is passed and an entry is added to the state table. From this point forward, because the packets in that particular communication session match an existing state table entry, they are allowed access without call for further application layer inspection. See Next Generation Firewall for more information on layer 7 based Next Generation Firewall.

These packets only need to have their Layer 3 and 4 information (IP address and TCP/UDP port number) verified against the information stored in the state table to confirm that they are indeed part of the current exchange. This method increases overall firewall performance because only initiating packets need to be unencapsulated the whole way to the application layer.

Each security access policy comprises of one or more rules and each rule consists of match criteria and

of 178


the enforcement action. Use one or more of these traffic attributes to specify the match criteria:

Source Zone

Destination Zone

Source Address

Destination Address

Domain Names

Source Geo-Location

Destination Geo-Location

IP Headers

Services (based on port/protocol)

Time of Day

A rule is considered a match when all match criteria defined in the rule matches. All rules in the security access policy are evaluated in a top-down order. The first rule that matches is selected and the corresponding security actions are enforced.

CenturyLink recommends you configure more specific rules before the generic rules in the security policy. The stateful firewall policy has these enforcement actions:

Logging

Start

End

Both

Never

Action

Allow—Allows the sessions matching the configured rule to pass.

Deny—Drops the sessions matching the rule.

Reject—Drops the session and sends the RST packet for a TCP session and ICMP port

unreachable packet for a UDP session.

NOTE: Versa FlexVNF also supports Application Layer Gateway (ALG). ALG is a communication protocol to connect Versa FlexVNF appliance with various services. For example, to send files through FTP and to establish calls with Versa using SIP, ALG is configured for a branch or a controller of a given tenant or organization. You can use ALG with CGNAT and without CGNAT (Stateful Firewall only. It is enabled by default when Versa Firewall or CGNAT service is active. Refer to Configuring ALG (Application Layer Gateway) in the Versa FlexVNF Network and System Guide for more information.

Configuring Security Access Policy

Enable Stateful Firewall in the configuration and create an access policy. You can define multiple security policies and isolate them on a per-tenant basis. Each security policy must have a unique name for a tenant. The security access policy comprises an ordered set of one or more policy rules.

When multiple security policies are defined then all rules of all the security access policies are evaluated in the order in which the security policies are configured.

of 178


Follow these steps to define and configure a security access policy:

1. Select Configuration > Templates > Service Templates to choose the firewall service

template.

2. In Director context, select Configuration > Services > Stateful Firewall > Security and

Access Policies tab in the dashboard.

3. Click in the dashboard to add a new security access policy. This opens the Add Access Policy window.

4. Enter these details in the Add Access Policy window:


Name Specify the access policy name.

Description Specify a brief description of the access policy and its purpose.

Tags Specify a keyword or phrase that allows you to filter the access

policy. This is useful when you have many policies and want to

view those that are tagged with a particular keyword.

5. Click OK to create a security access policy.

Configuring Security Access Policy Rules

The security access policy comprises of an ordered set of one or more policy rules. Each policy rule comprises a set of match criteria and the enforcement actions. The security access policy rules within the stateful firewall policy are matched based on Layer3/Layer4 information and/or time of day. These enforcement actions are supported—Allow, Deny, Reject, and Log Generation.

Follow these steps to define and configure a security access policy rule:


template.

2. In Director context, select Configuration > Services > Stateful Firewall > Security > Rule tab

of 178


in the dashboard.

3. Click in the dashboard to add a rule for the new security access policy. This opens the Add

Rule window.

4. Select the General tab and configure the name and description for the DoS protection policy rule.



Name Specify the access policy rule name.

Description Specify a brief description of the access policy rule and its

purpose.




5. Select the Source/Destination tab to define the source zone and the source address, and destination

zone and destination address of the incoming (source) and outgoing (destination) traffic to which the DoS

protection policy rule applies. Enter these details:


Source Zone Select the source zone to apply the rule to traffic coming from any

interface in the specified zone.

Click to add more source zones.

Destination Zone Select the destination zone to apply the DoS policy to traffic

coming from all interfaces into a given zone.

Click to add more destination zones.

Source Address Select and specify one or more source address to which the DoS

Protection policy rule applies.

Click to add more source addresses.

Destination Address Select and specify one or more destination address to apply the

DoS Protection policy rule to the traffic marked to specific

destination.

Source Address Negate Enable this to select any address except the configured

of 178


addresses.

Destination Address Negate Enable this to specify any address except the configured

addresses.

Routing Instance Select the routing instance of the incoming traffic.

Egress Routing Instance Select the destination routing instance of the traffic.

6. Select Header/Schedule tab to define the IP header, services and schedule to which the security access

rule applies. Enter these details:


IP

IP Version Specify the IP header to which the security access rule applies.

IP Flags For IPv4, select one of these IP flags:

Don’t Fragment.

More Fragment.

DSCP Specify a Differentiated Service Code Point (DSCP) value to

classify the way the IP packet is queued to get forward.

TTL

Condition Select the TTL condition of the IP packet that the security access

policy rule verifies. These are the options:

Greater than or equal to—The TTL value must be

greater than or equal to the specified value for the

security access rule to trigger.

Less than or equal to—The TTL value must be less

than or equal to the specified value for the security

access rule to trigger.

Equal to—The TTL value must be equal to the specified

value for the security access rule to trigger.

Value Specify the TTL value that is matched by the security access rule

with the TTL condition.

Others

Schedules Select a schedule to specify when the security access rule is in

effect.

Services

Service List Click to select one or more services to apply the security access

rule to the configured services.

7. Select Enforce tab to select the applications and URLs to which the security access rule applies. Enter

these details:


of 178


Log—Select the type of log that you want to archive. You can select Start to initiate a log at the start

of the session, select End to send a log at the end of a session, select Both to send log at the start

and end of the session, and select Never if you do not want to send a log.

Log Select the type of log that you want to archive. These are the

options:

Start—Sends a log at the start of the session.

End— Sends a log at the end of a session.

Both— Sends a log at the start and end of the session.

Never—Does not send a log.

LEF Profile Select the LEF profile that you want to associate with the policy

Action Specify the action that you want to impose on the traffic. The following are the options:

Allow—Allows the sessions matching the configured

rule to pass.


Reject—Drops the session and sends the RST packet

for a TCP session and ICMP port unreachable packet

for a UDP session.


of 178


Layer 7 Objects

Overview

Firewalls use IP address and port numbers for enforcing policies. This is based on the assumption that users connect to the network from fixed location and access particular resource using specific port numbers.

This assumption has changed with the advent of wireless networking and mobile devices. Today, a user connects to the network using multiple devices simultaneously and it is no more practical to identify a user, application or a device with a static IP address and port number.

Application identification provides an effective detection capability for evasive applications like Skype, WhatsApp, torrent, Facebook and similar applications. It identifies applications and protocols at different network layers using characteristics other that the IP address and port number. Applications are identified using the protocol bundle that contains application signatures and parsing information. You can use an application, predefined or custom, and attach it to the security policy.

Versa FlexVNF uses the application object to secure the applications on the network. It also uses URL filtering (see the URL Filtering chapter for Versas URL filtering solution). The application object has a broad spectrum of predefined application categories with risk and productivity scales.

Versa FlexVNF identifies the applications that are in its network. It verifies the traffic against the security policy and only then allows it on the network. Application signature is applied on the traffic that is allowed on the network to identify the application based on the unique application property and its transaction characteristic.

Versa FlexVNF supports security policies like the Next Generation Firewall Policy, SD_WAN policy, etc. that support match criteria based on Layer 7 information like the application and URL categories. To define these security policies you must first create configuration for one or more of the following objects to enable reuse in the Layer 7 security policies:

Custom Application Objects

Custom Application Group Objects

Custom Application Filter Objects

Predefined Application Objects with Customized Attributes

Custom URL Category Objects

NOTE: NGFW is limited to using layer 2 through layer 7 only.

Configuring Application Objects

You can either use the Versa FlexVNF predefined applications signature or create and configure your own custom defined application signature.

Predefined Applications

Versa FlexVNF currently supports more than 2600 applications. These applications are continuously updated through the Versa security package updates. You can define your own custom defined application signature if none of the predefined applications meet your requirements.

of 178


Select Configuration > Objects & Connectors > Objects > Predefined Objects > Applications

to view the application dashboard.

The application dashboard lists various attributes of each application definition, like the applications relative security risk and productivity rating, the tags that you can apply for each of the application by assigning a security type, SDWAN attribute and general attribute.

Refer to Configuring Security Access Policy Rules for more information on configuring a predefined/custom defined application signature.

Custom Applications

Versa FlexVNF supports creation and isolation of custom application signatures on a per-tenant basis. For example, multiple tenants can define an application object with the same application name, but with different signatures and vice versa.

You can reuse the custom application objects in the configuration. For example, when defining Application Group objects, Next Generation Firewall policy rules, etc.

When an application filter object is configured based on application attribute match information, the application filter matches both predefined and user-defined applications, based on the application attributes. Refer to Configuring Security Access Policy Rules for more information on configuring a predefined/custom defined application signature.

Creating a Custom Defined Application

Follow these steps to define your own custom defined application signature when none of the predefined applications meet your requirements:

1. Select Configuration > Objects & Connectors > Objects > Custom Objects > Applications.

2. Click in the dashboard to add a new Application. This opens the Add Application window.

3. Enter these details in the Add Application window:

of 178



Name Specify the application name.

Description Specify a brief description of the application and its purpose.

Precedence Specify a unique priority number when multiple applications match

the traffic.

A higher precedence value is matched first.

Application Timeout (sec) Specify the period of time (in seconds) for the application to

timeout because of inactivity.

App match IPs Select to enable the application match using IPS signature.

4. Select the Attributes tab and enter these application attribute details:


Family Select from the list of predefined family type of the application.

Sub-Family Select a sub-family in which the application is classified. Different

families have different sub-families associated with them.

Risk Select to assign a risk level to the application type selected using

Family and Sub-Family.

Productivity Select and assign a productivity value to the application type

selected using Family and Sub-Family.

of 178


Application Tags Select and assign a tag to the application for classification

purpose. You can select from these options:

Security

SD_WAN

General

5. Select the Match Information tab and click to specify the match criteria information for the application.

This opens the Add Match Information window. Enter these details:


Name Specify the match rule name for the custom application.

Host Pattern Specify the host pattern to detect.

Protocol Value Specify the applications protocol value to detect.

Source Address Specify the source IP address of the application on which the rule

is applicable.

Destination Address Specify the destination IP address of the application on which

the application rule is applicable.

Source Port Select this to enable and assign your custom source port

specific for the application.

Select Value to enable the Source Port Value field and

specify the application port on which the security policy

is applicable.

Select Range to enable the Low and High fields and

specify the low port number and high port number on

which the security policy is applicable.

Destination Port Select this to enable and assign your custom source port

specific for the application.

Select Value to enable the Destination Port Value field

and specify the application port on which the security

policy is applicable.

Select Range to enable the Low and High fields and

specify the low port number and high port number on

which the security policy is applicable.

6. Click OK to create a custom match information for the application signature.

Creating IPS Signature to Identify Custom Defined Application

Ensure these checklist rules are followed in the IPS signature to identify the custom defined application:

of 178


1. The signature must have an <classtype:aapid;>

2. The signature must have <pktnum:[<|>]<number>;> where:

a. pktnum argument has a format that is similar to the dsize keyword.

a. Use pktnum to restrict IPS to detect application in first few packets of the session.

1. The signature must have <appid:app_name;> keyword and the app_name must match the custom

application’s name.

For example: If the custom application name is enterprise-internal-1 then appid in configured as

appid:enterpriseinternal1.

Configuring Custom Application Group Objects

You can club applications that require the same security settings into an application group. This simplifies the creation of security policy.

Versa FlexVNF supports creation of custom application group objects on a per-tenant basis. You can associate the custom application group with one or more predefined/custom defined applications. After creating the custom application group, you can use it in the Next Generation Firewall policy rules to specify match criteria for Layer 7 based application matches.

Configuring a Custom Application Group

Follow these steps to create a custom defined application group:


template.

2. In Director context, select Configuration > Objects & Connectors > Objects > Custom Objects >

Application Group .

3. Click in the dashboard to add a new application group. This opens the Add Application Group window.

4. Enter these details in the Add Application Group window:


Name Specify the application group name. This name appears in the

application list when you define the security policy.

Description Specify a brief description of the application group and its purpose.

Tags Specify a keyword or phrase that allows you to filter the application

group.

Applications Click and select from the predefined/custom applications.

5. Click OK to create and configure an application group.

of 178


Configuring Custom Application Filter

Versa FlexVNF supports creating custom application filter objects on a per-tenant basis. The custom application filter can be associated with one or more filter conditions that match information based on the attributes of a predefined/user-defined application. After the custom application filter is created, you can use it in the Next Generation Firewall policy rules to specify match criteria for Layer 7 application matches.

Configuring Application Filter

Follow these steps to create a custom defined application filter:

1. Select Configuration > Objects & Connectors > Objects > Custom Objects > Application Filters

.

2. Click in the dashboard to add a new application filter. This opens the Add Application Filter window.

3. Enter these details in the Add Application Group window:

of 178



Name Specify the application filter name. This name appears in the

application list when you define the security policy.

Description Specify a brief description of the application filter and its purpose.

Family/Sub Family/Risks/Application

Tags

Select from the options provided

4. Click OK to create and configure an application filter.

Configuring Attributes of Predefined Application Objects

Versa security research team is responsible for creating predefined applications and associating attribute information to the predefined applications, such as Family, Subfamily, Risk, Productivity, and Tags. To customize the predefined attribute information in the deployment, Versa FlexVNF provides the flexibility to override the attribute information on a per-tenant basis. For example, on a given Versa FlexVNF appliance, the Skype application can be tagged as Business traffic for one tenant, and Non-Business traffic for another tenant.

Follow these steps to configure the attributes of a pre-defined application object:

1. Select Configuration > Objects & Connectors > Objects > Predefined Objects >

Applications to view the application dashboard.

2. Click on an application in the lower half of the dashboard to edit its configuration.

3. You can edit the Risk value, Productivity value, Application Tags and Timeout value to reconfigure

the application.

NOTE: The timeout configuration is applicable only for TCP session.

of 178


4. Click OK to configure the attributes of a predefined application object.

Configuring URL Category Objects

You can either use the Versa FlexVNF predefined URL categories or create and configure your own custom defined URL category.

Predefined URL Categories

Versa FlexVNF currently supports 83 predefined URL categories, which are continuously updated via Versa security package updates. You can create a configuration to define your own custom URL category, based on URL strings or pattern match, if none of the predefined URL categories meet your requirements.

Select Configuration > Objects & Connectors > Objects > Predefined Objects > URL

Categories to view the URL category dashboard.

Refer to Configuring Security Access Policy Rules for more information on configuring a predefined/custom defined URL category.

Custom Defined URL Categories

Versa FlexVNF supports creating custom URL category objects on a per-tenant basis. Each custom URL category is created with a unique URL category name and can include information on the URLs to be matched. For example, string match or pattern match. The category is associated with a URL reputation value.

Once the Custom URL Category is created, you can use it in the Next Generation Firewall policy rules to specify match criteria for Layer 7 based URL category. You can also specify custom URL categories in the category based action rules and reputation based action rules of a URL filtering profile.

Refer to Configuring Security Access Policy Rules for more information on configuring a predefined/custom defined URL category.

of 178


Configuring Custom Defined URL Category

You can define a custom URL category and use it with a URL filtering profile or as a match criteria in a policy rule. Follow these steps to configure a custom defined URL category:

1. Select Configuration > Objects & Connectors > Objects > Custom Objects > URL

Categories to view the URL category dashboard.

2. Click in the dashboard to add a new category. This opens the Add URL Category window.

3. Enter these details in the Add URL Category window:


Name Specify the URL Category name. This name is displayed in the

category list when defining the URL filtering policies and in the

match criteria for URL categories in policy rules.

Description Specify a brief description of the URL category and its purpose.




Confidence Specify a confidence value for each user-defined URL category.

The confidence values can range between 1 to 100 where 1 is

the lowest value and 100 the highest value. The confidence

value is used to break the tie when multiple URL category

matches a single URL. Higher confidence values get precedence

if a URL matches multiple URL categories.

URL FIle Select an URL files to add/upload multiple strings/patterns. Each

line in the file contains either a string or a regex pattern that is

used for the URL match and the URL reputation associated with

URLs that match the string or pattern.

The CSV file follows this pattern:

<string/pattern>,<URL>,<reputation>. For

example:

Using a string—

string,www.versanetworks.com/,high_risk

Using a regex—

pattern,.*versanetworks*,high_risk

4. Select the URL Patterns tab enter these details:


Pattern Specify a URL pattern. This is used to match and group the URLs.

For example, use the ww.news.com pattern or use a wildcard

of 178


like *.news.com.

NOTE: Versa FlexVNF supports regex pattern.

Reputation Select a predefined reputation from the list and assign it to the

URL match pattern.

Click to repeat the step and add multiple patterns.

5. Select the URL Strings tab enter these details:


String Specify a URL string that you want to group.

Reputation Select a predefined reputation from the list and assign it to the URL string.

6. Click OK to configure your own custom defined URL category.

of 178


NextGen Firewall

Overview

Versa FlexVNF supports the Next Generation Firewall (NGFW) feature. Enable NGFW in the configuration and create a security access policy. You can define multiple security policies and isolate them on a per-tenant basis. Each security policy needs a unique name per tenant. The security access policy comprises of an ordered set of one or more policy rules.

When multiple security policies are defined then all rules of all the security access policies are evaluated in the order they are configured.

The Next Generation Firewall (NGFW) policy includes all the match criteria of a Stateful Firewall policy in addition to Layer 7 match criteria like application and URL category and assign an action on them based on the match condition. The application for a session is automatically determined based on various identification methods like applying signatures, heuristics, statistical identification, etc.

Versa NGFW supports more than 2600 predefined applications and 83 predefined URL categories, as well as custom applications and custom URL categories. You can specify the NGFW policy rules based on predefined and/or custom application/URL categories.

Configuring Security Access Policy

Follow these steps to define and configure a security access policy:


template.

2. In Director context, select Configuration > Services > Next Gen Firewall > Security >

Policies and select Access Policies tab.

3. Click in the dashboard to add a new security access policy. This opens the Add Access Policy window.

4. Enter these details in the Add Access Policy window:


Name Specify the access policy name.

of 178


Description Specify a brief description of the access policy and its purpose.





Configuring Access Policy Rules

The security access policy comprises of an ordered set of one or more policy rules. Each policy rule comprises a set of match criteria and the enforcement actions. The policy rules within the Next Generation Firewall policy are capable of matching based on Layer3/Layer4/Layer7 information and/or time of day.

NGFW supports these actions:

Allow, Deny, Reject, Apply Security Profiles, Log generation, and Packet Capture. It filters the traffic based on:

Source Zone

Destination Zone

Source Address

Destination Address

IP Headers

It supports these TCP/UDP Services:

Applications, Application Groups and/or Application Filters.

URL Categories.

Schedule objects based on time of day. It enforces these:

Logging profile based on-Start, End, Both or Never.

Actions are Allow, Deny or Reject.

Applying security profiles- IP Filtering, URL Filtering, Anti-Virus, Vulnerability and IP Reputation.

Follow these steps to define and configure a security access policy rule:


template.


Policies and select Rules tab in the dashboard.

of 178


3. Click in the dashboard to add a new security access policy. This opens the Add Rule window.

3. Select the General tab and configure the name and description for the DoS protection policy rule.



Name Specify the access policy rule name.

Description Specify a brief description of the access policy rule and its

purpose.




4. Select the Source/Destination tab to define the source zone and the source address, and destination

zone and destination address of the incoming (source) and outgoing (destination) traffic to which the DoS

protection policy rule applies. Enter these details:


Source Zone Select the source zone to apply the rule to traffic coming from any

interface in the specified zone.

Click to add more source zones.

Destination Zone Select the destination zone to apply the DoS policy to traffic


Click to add more destination zones.

Source Site ID Select the unique source site ID to apply the rule to traffic

coming from any interface in the specified zone.

Click to add more source site based on its ID.

Use the CLI mode to manually access the source site ID.

Destination Site ID Select the unique destination site ID to apply the DoS policy to

traffic coming from all interfaces into a given zone.

Click to add more destination site based on its ID.

Use the CLI mode to manually access the destination site ID.

Source Address Select and specify one or more source address to which the DoS

Protection policy rule applies.

of 178





destination.


addresses.


addresses.

Routing Instance Select the routing instance of the incoming traffic.

Egress Routing Instance Select the destination routing instance of the traffic.

5. Select Header/Schedule tab to define the IP header, services and schedule to which the security access

rule applies. Enter these details:




Don’t Fragment.

More Fragment.



TTL













Others


effect.

You can also create and add a new schedule. Refer Schedule

Object for more information.

Services

of 178




6. Select Applications/URL tab to select the applications and URLs to which the security access rule

applies. This specifies the match criteria for the access rule. Enter these details:


Applications Click to select one or more predefined/custom application

signature and apply the security access rule to the application.

Refer Configuring Application Objects for more information on

predefined and custom applications.

URL Categories Click to select one or more predefined/custom URL categories

and apply the security access rule to the URL.

Refer to Configuring URL Category Objects for more information

on predefined and custom applications.

7. Select Users/Groups tab to select the applications and URLs to which the security access rule applies.

This specifies the match criteria for the access rule. Enter these details:


Match Users Select a user/group that you want to bind with the security policy.


Any

Known

Unknown

Selected

User Group Profile Select the user group profile associated with the matched user.

8. Select Enforce tab to select the applications and URLs to which the security access rule applies. Enter

these details:


Actions Specify the action that you want to impose on the traffic. The following are the options:

Allow—Allows the sessions matching the configured

rule to pass.


Reject—Drops the session and sends the RST packet

for a TCP session and ICMP port unreachable packet

for a UDP session.

Apply Security Profile— Applies security profile based on IP Filtering, IP Reputation, URL Filtering, Antivirus and vulnerability.

Profiles—This section is enabled when you select Apply Security Profile (as mentioned in Actions).

of 178


The security access policy is enforced to take the action selected.

IP Filtering Enable this and select from the predefined IP based filtering

profiles. These are the options:

Block DoS.

Block Bad Traffic.

Block Bots.

Block Scanners.

Block Spam.

Block Windows Exploits.

Web Protection.

URL Filtering Enable this and select from the predefined URL based filtering

profiles. these are the options:

allow_all.

block_all.

block_all_adult.

block_all_adult_and_ads.

block_all_adult_games_and_ads.

block_all_commuication.

block_all_mail.

block_mail_and_communication.

corporate.

Anti-Virus Enable this and select from the predefined anti-virus profile. These

are the options:

Scan Email traffic.

Scan Web traffic.

NOTE: Anti-Virus is a future CenturyLink feature to be

certified in late 2019.

Vulnerability Enable this and select from the predefined vulnerability of the

traffic. These are the options:

All Anomaly Rule.

All Attack Rules.

CAUTION: Do not enable the “ALL ATTACK RULE” if

you are using an appliance with 8GB RAM. An

appliance with 8GB RAM may end up consuming most

of the memory a thereby leaving very little memory for

sessions and other operations.

Client Protection.

Database Profile.

of 178


ICS Profile.

Linux OS Profile.

MAC OS Profile.

Malware Profile.

Server Protection.

Versa Recommended Profile.

Windows OS Profile.

User-Defined Profiles.

Predefined Vulnerability Profile Override

Enable this and select a override for the predefined vulnerability

profile.

NOTE: CenturyLink provides predefined vulnerability profiles via

security package updates.

Log

Events Select an option to log the data. These are the options:

Start—Logs data at the start of each session.

End—Logs data at the end of each session.

Both—Logs data at the start and end of each session.

Never—Never logs data.

LEF Profile—Select the LEF profile that you want to associate with the policy.

Packet Capture Enable this to select the application type to impose the security

profile. You can select from these broad categories:

All

Application List

User Defined Application List

Unknown Application

Each of these categories provide you with an option to select from

these options:

Predefined Applications—Click to select a Versa

predefined application.

User Defined Applications—Click to select a custom

defined application.

Per Session Specify the number of sessions allowed per log. The default is set

to 8 sessions per log.


of 178


URL Filtering

Overview

Versa URL filtering provides control over web-browsing activity based on the user who spends considerable time on the web surfing websites and checking emails or use web based applications for personal and business requirements. This uncontrolled use of internet exposes an organization to many security risks like propagation of threats, data loss, and lack of compliance.

URL filtering prevents the user from accessing unproductive sites, enable secure web access, and provide protection from sophisticated threats including malwares and phishing sites.

Versa URL filtering compliments the Application object and enables you to configure the NGFW to identify and control access to the web traffic (HTTP and HTTPS). Implement the URL filtering profile in security policies and use URL categories as a match criteria in access policies (captive portal, decryption, security and QoS) to gain visibility and control of the traffic that traverses the NGFW.

Versa URL filtering provides rich and flexible filtering solutions for web traffic. Versa FlexVNF categorizes more than 450 million URLs, which are continuously updated. Each URL is looked up in the local database, which results in associating the URL with a URL category and URL reputation.

You can restrict access to various websites based on the URL category and/or URL reputation of the URL. The URL filtering feature provides a mechanism to enforce policy actions for websites based on blacklists and whitelists of URLs.

Versa FlexVNF supports URL categorization based on either the Host or the Referrer field of HTTP request. Use the URL filtering setting to configure the basis for URL categorization (for example, Host or Referrer). For HTTPS traffic, the URL categorization is based on certain certificate attributes like common name, server name, and subject alternate name.

URL filtering performs real time cloud lookup of the URL to determine the URL category and URL reputation. The security policy action is enforced based on the URL lookup result returned by the cloud. The cloud lookup can have granular settings. However, when granular cloud settings are unavailable, the per-tenant URL filtering settings are used.

To enhance the end user experience, Versa URL filtering offers various types of captive portal pages that the user is redirected to as part of the policy enforcement (instead of the normal packet or session based actions).

Configuring URL Filtering Global Setting

Configure URL filtering settings globally to support URL categorization based on host or referrer. The cloud lookup configured here is applicable globally if it is not configured for a particular URL as mentioned in Configuring URL Filtering Profile.

Follow these steps to configure the global URL filter setting:


template.

2. In Director context, select Configuration > Services > Next Gen Firewall > Security Settings

> URL Filtering . The dashboard displays the URL Filtering settings.

of 178


3. Click in the dashboard to edit the URL filtering settings. This opens the Edit URL Filtering window.

4. Enter these details:


Cloud Lookup Mode Select the cloud lookup mode for searching the URL filter

classification over cloud. You can select from these options:

No predefined matches—Cloud lookup is performed

only when the URL does not match any predefined

URL category.

No user defined matches—Cloud lookup is performed

only when the URL does not match any user-defined

URL category.

No pre user defined matches—Cloud lookup is done


URL category.

Always—Perform a cloud lookup for this profile.

Never—Never perform a cloud lookup for this profile.

Match Type Select the URL categorization based on the HTTP request. These

are the options:

HTTP Host URI—URL categorization based on the

HTTP host.

HTTP Referer—URL categorization based on the HTTP

referer.

of 178


URL Length Specify the maximum URL length. The default is set to 256.

URL Parameter Select to enable URL query parameter logging in Versa

Analytics.

5. Click OK to configure the global URL filtering setting.

URL Category

Apart from the rules defined in the stateful firewall, the NGFW policy allows you to configure rules based on:

Predefined URL Categories.

User Defined URL Categories.

The URL filtering database assigns one of the 83 URL predefined category to each of the websites in its repository. A URL with a category assigned to it can filter an URL to apply a filter action on it. You can also use the URL category with NGFW as a match criteria in the security policy.

Looking up for a Predefined URL Category

Versa FlexVNF provides rich set of predefined URL categories that you can apply on different types of security policies and can also perform a URL category lookup in the predefined URL database. The predefined URL database lookup results in both the URL category and the URL reputation associated with the URL. The predefined URL database is updated (either daily or on a real time basis) via security-package updates.

Follow these steps to view the predefined URL categories:


template.

2. In Director context, select Configuration > Objects & Connectors > Objects > Predefined

Objects > URL Categories to view the URL category dashboard.

3. Click in the dashboard to lookup for the predefined URL category. This opens the Look Up URL

window.

of 178


4. Enter these details in the Look Up URL window:


Organization Select the Organization for which you want to define the URL

category.

URL Specify a URL that you want to look up its URL category. For

example, enter www.google.com.

5. Click Test to initiate a URL Category look up. The look up shows similar looking data.

6. Click Cancel to close the lookup URL window.

Configuring User-Defined URL Category

Versa FlexVNF provides support to create user-defined URL categories based on string matches and/or regex patterns. You can create user-defined URL category objects for certain URLs and override predefined URL categorization values. You must provide a confidence value for each user-defined URL category.

The confidence values can range between 1 to 100 where 1 is the lowest value and 100 the highest value. The confidence value is used to break the tie when multiple URL category matches a single URL. Higher confidence values get precedence if a URL matches multiple URL categories.

You can also upload URL files to add multiple strings/patterns. Each line in the file contains either a string or a regex pattern that is used for the URL match and the URL reputation associated with URLs that match the string or pattern.

Refer to Layer 7 Objects for more information for configuring custom defined category and reputation.

URL Reputation

URLs are assigned a reputation indicator. This helps in identifying and grouping applications based on their reputation. The lower the value, the higher the reputation of the URL.

Versa provides support for:

Predefined URL Reputation.

User Defined URL Reputation.

http://www.google.com/

of 178


Viewing Predefined URL Reputation

Versa supports five types of predefined URL reputation. You can use the URL reputation values as a basis for enforcing policy actions. The URL reputation lookup is performed in the database of the predefined URL reputations. The predefined URL database lookup results in both the URL category and the URL reputation getting associated with the URL. The predefined URL database is updated (either on a daily or real-time basis) via security-package updates.

Versa FlexVNF supports these predefined URL reputation types:

Trustworthy

Low Risk

Moderate Risk

Suspicious

High Risk

Undefined

Follow these steps to view the predefined URL categories:


template.

2. In Director context, select Configuration > Objects & Connectors > Objects > Predefined

Objects > URL Reputation to view the URL reputation dashboard.

3. Click in the dashboard to lookup for the predefined URL reputation. This opens the Look Up URL

window.

4. Enter these details in the Look Up URL window:


Organization Select the Organization for which you want to define the URL

category.

URL Specify a URL that you want to look up its URL category. For

example, enter www.google.com.

http://www.google.com/

of 178


5. Click Test to initiate an URL reputation look up. The look up shows a similar looking data.

6. Click Cancel to close the lookup URL window.

Configuring User-defined URL Reputation

To override the predefined URL reputation, map the predefined URLs to user defined URL reputation values and specify the URLs based on a string /pattern match to create the user defined URL category. The default URL reputation value is set as Undefined.

Refer to Layer 7 Objects for more information on configuring custom defined category and reputation.

URL Filtering Actions

Versa FlexVNF provides a set of predefined URL filtering actions that you can apply in URL-filtering profiles. A URL filtering profile consist of a collection of URL filtering controls that is applied to the security policy rule to enforce the security access policy. You can create custom defined URL filtering actions too.

Versa FlexVNF supports these action types:

Session/Packet Actions

Predefined Captive Portal Actions

User Defined Captive Portal Actions

Session/Packet Actions

When a user visits a webpage using a URL, you can enforce a policy action based on the URL category or URL reputation that is associated with the URL. Versa FlexVNF supports these session/packet actions:

Allow—Allows the URL without generating an entry log.

Drop-packet—The browser waits for a response from the server and drops the packets. There is no way

to differentiate if this is due to the delayed response from the server takes or if the firewall blocks access

to the website.

Drop-session—The browser waits for a response from the server and drops the session. There is no way

to differentiate if this is due to the delayed response from the server takes or if the firewall blocks access

of 178


to the website.

Alert—Allows the URL and generates a log entry in the URL filtering log.

Reject—The browser displays an alert and resets the connection to the server. There is no way to

differentiate if this is due to the delayed response from the server takes or if the firewall reset the access

to the website.

Block—Blocks the URL. You will not see a response page and cannot continue with the website. This

also generates a log in the URL filtering log.

Ask—The browser presents an information page that allows you to either cancel the operation by clicking

Cancel or continue with the operation after clicking OK for http/https.

Inform—The browser presents an information page that allows you to continue after clicking OK for

http/https.

Justify—The browser presents an information page that allows you to either cancel the operation by

clicking Cancel or continue with the operation after entering a justification message and clicking OK for

http/https.

Override—Specifies that a password is required to allow access to the website in the given category.

This generates a log in the URL filtering log.

Captive Portal

Versa captive portal runs as service on configured port. Versa FlexVNF sends captive portal pages for HTTP requests when it matches a captive portal actions of URL-filtering profiles. By default, it uses “Versa Default Pages”. You can upload your own set of pages for different actions.

NOTE: With the 16.1R1 releases, Versa FlexVNF supports captive portal over SSL connection too. Enable SSL decryption using decryption policies to enable SSL captive portal. You must create one decryption rule to decrypt captive portal traffic with evaluate-policy parameter set as false.

NOTE: If the SSL traffic is not decrypted then all the traffic that matches “action = inform“ is converted into “action = allow” and the other captive portal actions like block, ask, justify, override and custom redirection are converted into “action=Reset Client and Server”.

Follow this sequence to set up captive portal:

1. Enabling Captive Portal Actions

2. Configuring URL Filtering Profile

3. Configuring Security Access Policy Rules

Captive Portal Actions

Versa FlexVNF provides captive portal web pages which provides the user a better end user experience vis-a-vis the session/packet actions. As part of the security policy enforcement, you can redirect users to the captive portal pages when accessing certain web pages. On the captive portal web pages, customized message is displayed to the user, giving information about the web page and the policy enforcement.

By default, Versa-branded captive portal pages are displayed. However, you can upload your own set of captive portal pages for different actions, with your own branding. If there are no custom pages configured for a tenant, Versa FlexVNF checks the (Managed Security) provider for custom captive

of 178


portal pages. If the provider branded captive portal pages exist, then the user is shown the same. Otherwise, Versa branded pages are displayed to the user. Configure the provider tenant in the Captive Portal settings to enable provider branded pages.

When enforcing captive portal actions, if there are too many redirects when a user browses the web, it does not provide a good user experience. Hence, Versa FlexVNF caches the information that a user has already seen in the captive portal web page and uses that cached information to prevent repetitive redirects for the same web pages. As an administrator you can configure the caching behavior of the captive portal.

These configuration parameters are supported:

Expiration Time—The cache expiration time determines how often a user is redirected to the captive portal. The cache entry is created, the first time that the user is shown a captive portal page, and auto-expires after the cache expiration time. The captive portal action is not enforced if a cache entry is found. Using this mechanism, an administrator can enforce captive portal actions with various frequencies. For example, once a day, once every two days, etc. If not configured, the default expiration period is 30 minutes.

Track By Host—By default, the captive portal creates cached entries using the URL category, in addition to other criteria. So the cache expiration time applies to all URLs within the URL category. In some cases, an administrator might want to enforce the captive portal pages based on individual host/domain names within the URL category instead of the whole URL category. Here, an administrator can enable the Track By Host configuration setting.

Captive Portal Port Number— When redirecting to captive portal pages, as part of policy enforcement, the user is redirected to a URL with the same hostname, but a unique captive portal port number. The captive portal port number can be configured. However, the default value is 44990.

Routing Instance—The captive portal pages can be enabled on the configured captive portal port number for a specific routing instance (VRF). If not specified, the captive portal pages are only enabled on the global routing instance (VRF).

Provider Tenant—To enable provider branded pages, the provider tenant needs to be configured in the captive portal settings.

These captive portal actions are supported:

Block—Access to the web page is blocked.

Ask—Users are prompted to confirm if they want to visit the web page that they are browsing. If users confirm, they are redirected to the web page they are visiting -- else, the operation is canceled.

Inform—Users are redirected to an Information message, where a message is displayed. After reading the message, users are redirected to the actual web page.

Justify—Users are prompted to enter a justification message and click continue before they are allowed to go to the actual website. The justification message entered by the user is logged to Versa Analytics.

Override—Users are prompted to enter a 4- to 6-digit PIN. Users can access the actual web pages, only if a valid PIN is entered. Logs are sent to Versa Analytics when users attempt to enter the PIN and continue to the website.

Captive portal pages are not supported for SSL connections because SSL decryption capability is required to redirect to captive portal pages for SSL connections. Reset the SSL connection if the

of 178


configured captive portal action is set to Block, Ask, Justify, or Override. If the configured captive portal action is set to Inform, then the SSL connection is allowed.

Predefined Captive Portal Actions

Some of the captive portal actions are supported without any custom configuration from the user. However, other actions like Override or Inform do not support the action without customization. For example, override action with a default PIN causes security issues, as the default PIN is comprised easily. Therefore, only the following captive portal actions are supported as predefined captive portal actions:

Block

Ask

Justify

The default expiration time for the predefined captive portal actions is 30 minutes. When the user is redirected to a captive portal page that corresponds to a predefined captive portal action, the default message is displayed. If a different message needs to be displayed, an administrator needs to create a user-defined captive portal action of the appropriate type with the custom message.

Enabling Captive Portal Actions

Follow these steps to modify the captive portal settings:


template.

2. In Director context, select Configuration > Services > Next Gen Firewall > Security Settings

> Captive Portal . The dashboard displays the Captive Portal Settings.

3. Click in the dashboard to edit the captive portal settings. This opens the Edit Captive Portal

Settings window.

4. Enter these details in the Edit Captive Portal Settings window:


Redirect Post Specify the port that is used to redirect captive portal pages over

HTTP.

of 178


Expiration Time (min) Determine how often a user is redirected to the captive portal.

For example, once a day, once every two days, etc. If not

configured, the default expiration period is 30 minutes.

Track By Host Enable this to enforce the captive portal pages based on

individual host/domain names within the URL category instead of

the whole URL category.

By default, the captive portal creates cached entries using the

URL category, in addition to other criteria. The cache expiration

time applies to all URLs within the URL category.

Provider Organization Enable provider branded pages, the provider tenant needs to be

configured in the captive portal settings.

SSL Port Specify the port that is used to redirect captive portal pages over

SSL.

Authentication Profile Select the authentication profile used for authenticating with the

central auth server.

Virtual URL Specify the virtual URL used for authenticating transparent proxy

traffic with Kerberos.

PAC URL Specify the URL to download the proxy auto-config (PAC) files.

Cookie Auth URL Specify a URL that refers to the central auth server.

Routing Instance Enables the configured captive portal port number for a specific

routing instance (VRF). If not specified, the captive portal pages

are only enabled on the global routing instance (VRF).

SSL CA Certificate Select the CA certificate used for captive server portal over SSL.

Custom Redirect Parameters

Time Specifies the timestamp of the request.

Source IP Specifies the source IP address.

Action Specify the name of the action object used for redirection.

URL Specifies the original URL (host + URI) used for redirection.

URL Category Specifies the URL category used for the URL redirection.

URL Reputation Specifies the URL reputation used for the URL redirection.

URLF Profile Specifies the URL filtering profile used for the URL redirection.

Security Policy Rule Specifies the security profile rule name applied on the URL.

of 178


NOTE: You can redirect the request to different location based on different URL categories or URL reputation or URL whitelist/blacklist match criteria.

5. Click OK to complete the modification of the captive portal settings.

Viewing Predefined Captive Portal Actions

See Configuring URL Filtering Profile for more information on the predefined captive portal actions.

Creating Captive Portal Actions

Follow these steps to create captive portal actions that is used with the captive portal page redirection:


template.

2. In Director context, select Configuration > Objects & Connectors > Custom Objects >

User Defined Actions .

3. Click in the dashboard to add a new captive portal action. This opens the Add Action window.

4. Enter these details in the Add Action window:


Name Specify the captive portal action name.

Description Specify a brief description of the captive portal action and its

purpose.

Tags Specify a keyword or phrase that allows you to filter the captive

portal action. This is useful when you have many policies and

want to view those that are tagged with a particular keyword.

Action Type Select the type of action to impose when the page is redirected.

of 178


You can select from these options:

All

Decrypt

IPS

URLF

Action Select the action that you want to impose when the user is

redirected to a captive portal. Select from these options:

Allow

Drop Packet

Drop Session

Reset Client

Reset Server

Reset Client and Server

Block

Inform

Ask

Justify

Override

Custom Redirect

Log Select this to enable logging of the captive portal action logs.

Expiration Time (min) Determines how often a user is redirected to the captive portal.

Override PIN Specify a PIN that is used to override the default pin.

Redirection URL Specify the custom redirect URL. This is enabled only when you

select Custom Redirect action.

Decrypt-bypass Enables decryption bypass for this action.

Message Specify a custom message that you want to display to the user in

the captive portal page.

5. Click OK to create the captive portal action.

Enabling Captive Portal Custom Pages (Optional)

After enabling captive portal actions and creating captive portal actions, you must enable the captive portal custom page (if you prefer not to use Versa’s default captive page and use a customized captive portal page).

NOTE: This is an optional step.

of 178


Follow these steps to enable the captive custom pages:


template.

In Director context, select Configuration > Objects & Connectors > Objects > Custom Objects

> Captive Portal Custom Pages .

2. Select the Director tab in the dashboard and click to opens the Upload Custom Pages to Director

and upload the customized captive portal page.

a. Click Browse to select the custom captive portal page (in zipped format). NOTE: Ensure the main index file in the zip file (that contains the custom block page html files, CSS files and image files) is named—index.htm. You can replace the values of these variables in the index.htm file:

$message—Displays the message of the action.

$user—Displays the name of the end user.

$host—Displays the IP address of the client machine.

$url—Displays the URL to access.

$category—Displays the URL category.

$reputation—Displays the URL reputation.

a. Click OK to close the window.

2. Select the Appliance tab to associate the captive portal page and the action type for an appliance.

a. click to opens the Upload Custom Pages to Appliance and upload the customized captive

portal page.

a. Select an Action Type that you want to ask the user to access a URL. Select from these options:

i. Ask

ii. Block

iii. Cancel

iv. Inform

of 178


v. Justify

vi. Overdie

1. Select the Enable Custom Pages tab to enable the action types for the captive portal.

a. Click in the dashboard to enable the action types on the custom captive portal page. This

opens the Enable Custom Page window.

a. Select the checkbox associated with each action type to associate it with the custom captive

portal page.


1. You will see a message indicating the successful creation of the custom captive portal page.

User-defined Captive Portal Actions

An administrator can also create their own set of user-defined actions. The following fields of the captive portal action are customizable:

Message—The message that gets displayed on the page.

Expiration Time—Cache expiration time for captive portal pages already shown.

Override PIN—In case of override action, a 4- to 6-digit PIN can be provided.

Each user-defined captive portal action belongs to one of the supported captive portal types—Block, Inform, Ask, Justify, or Override. You can create multiple user-defined captive portal actions of any type with different messages, expiration times, etc. You can select any one action from the available predefined or user-defined captive portal actions to configure the security policy action for certain URLs based on URL category or URL reputation.

URL Filtering Profiles

Use the URL filtering profiles to control the web browsing activity efficiently. You can enforce various actions on HTTP flows based on the URL category, the URL reputation, whitelists and blacklists of URLs.

Versa FlexVNF supports both predefined and user-defined URL filtering. You can create a URL filtering profile and use it with several security policy rules. Traffic that matches a specific security policy rule that is configured with a URL filtering profile is processed by the URL filtering module. Any log generated is sent to the logging profile that is associated with the URL filtering profile.

Configure the URL filtering profile to enable or disable real-time cloud lookups for security policy enforcement. Use the default tenant setting for cloud lookup mode if it is not configured.

The URL filtering profile processes the enforceable actions for a session in this order:

Blacklisted URLs.

Whitelisted URLS.

Reputation Action Map.

Category Action Map.

If the action is not determined based on the above evaluation, then the default action that is configured for the URL filtering profile is enforced.

of 178


NOTE: For SSL traffic, admin can disable decryption for matching traffic by enabling 'decrypt-bypass' option. This will be helpful for enabling captive portal actions for SSL traffic without enabling decryption.

Blacklisted URLs

You can specify either fixed strings or regex patterns to match the blacklist URL. Specify the blacklist action that you want to enforce for all the matching HTTP flows. If the blacklist action is not configured, the default drop session action is enforced.

Whitelisted URLs

For whitelist URLs, you can specify either fix strings or PCRE patterns to match the whitelist URLs. The URLs that match the whitelist configuration are allowed without enforcing any security actions. Optionally, you can enable logging in the whitelist configuration to receive whitelisted URLs access log.

Reputation Action Map

The reputation action map is a set of rules that specify the URL filtering action that is enforced for each URL reputation that is associated with the URL. Within each rule, one or more URL reputation values can be specified. For all the URL reputation values specified in the rule, the action to be enforced can be chosen from the packet/session actions, predefined captive portal actions, or user-defined captive portal actions.

Category Action Map

The category action map is a set of rules that specify the URL filtering action to be enforced for each URL category that is associated with the URL. Within each rule, one or more URL categories can be specified. The URL categories can be predefined or user-defined. For all the URL categories specified in the rule, the action to be enforced can be chosen from the packet/session actions, predefined captive portal actions, or user-defined captive portal actions.

Configuring URL Filtering Profile

Follow these steps to configure a filter profile to control the web browsing activity efficiently:


template.

2. In Director context, select Configuration > Services > Next Gen Firewall > Security > Profiles

> URL Filtering and select an entity from the Organization list.

of 178


3. Click in the dashboard to add a new URL Filter. This opens the Add URL Filter window.

4. Enter these details in the Add URL Filter window:


Name Specify the URL filter name.

Description Specify a brief description of the URL filter and its purpose.

Tags Specify a keyword or phrase that allows you to filter the URL

filter. This is useful when you have many policies and want to

view those that are tagged with a keyword.

Default Action Select a default action that you want to impose on the URL filter.

Select from these options:

Alert

Allow

Drop Packet

Drop Session

Reject

Ask

Block

Justify

User-Defined Actions (if any)

Refer to Session/Packet Actions for detailed information of the

default action options.

Decrypt Bypass Select this to disable SSL decryption of the traffic that matches

the predefined action from this URL filtering profile.

of 178


Select a user defined action (Default action) and select Decrypt

Bypass to disable the decryption for the traffic for traffic matching

the user defined action.

Cloud Lookup Mode Select the cloud lookup mode for searching the URL filter

classification over cloud. You can select from these options:

No predefined matches—Cloud lookup is performed


URL category.

Always—Perform a cloud lookup for this profile.

Never—Never perform a cloud lookup for this profile.

LEF Profile Select a LEF-profile to register logs of this URL filter.

5. Select the Blacklist tab and enter these details:


Action Select an URL action when you encounter a blacklisted URL.



Pattern Click to block specific URLs. You can specify a fixed string or a

regex pattern to match the blacklist URL.

Strings Click to specify the complete URL string that you want to block.

Click OK to save the configuration.

6. Select the Whitelist tab and enter these details:


Enable Logging Select this to enable logging the whitelist configuration to receive

whitelisted URLs access log.

Pattern Click to allow specific URLs. You can specify a fixed string or a

regex pattern to match the whitelist URL.

Strings Click to specify the complete URL string that you want to allow.


7. Select the Category Based Action tab and click to add category based actions. This opens the Add

Category Based Action window. Enter these details:


Name Specify the name for the category based action that you want to

of 178


impose with the URL filter.




Predefined Categories Click to select from the list of predefined categories.

User-defined Categories Click to select from the list of user-defined categories.


8. Select the Reputation Based Action tab and click to add category based actions. This opens the Add

Reputation Based Action window. Enter these details:


Name Specify the name for the reputation based action that you want to

impose with the URL filter.




Predefined Reputations Click to select from the list of predefined reputation.

9. Click OK to create a URL filtering profile.

10. Enable URL filtering in the security access policy rule to enforce URL filtering. See Stateful Firewall and

refer to Security Access Policy Rule to enable URL filtering with the security policy.

of 178


IP Filtering

Overview

When traffic passes through the network there is a huge possibility of certain IP addresses are associated with bad reputation and may cause security risk to your network. Versa Firewall provides IP filtering to control IP traffic based on its attributes like IP reputation and geo-location. This ensures that the traffic that passes through the Versa Security gateway blocks all such bad reputation IP addresses as part of the IP filtering inspection and policy enforcement.

Versa provides a list of predefined IP reputation based on which you can block predetermined bad reputed IP traffic. For example, you can configure IP filtering profile to allow traffic originating from United States of America and drop all the other traffic. You must now associate this profile with the security policy to enforce the IP filtering rule.

Versa provides these options to filter and/or control traffic based on IP Addresses.

Security access policy enforcement based on Address objects of fully qualified domain name (FQDN).

The Versa FlexVNF provides capability to define Address Object, based on Fully Qualified Domain Name

(FQDN). Use this Address Objects as part of the match criteria for security policy rules, based on Source

and/or Destination IP addresses. The Versa FlexVNF queries the DNS server for the domain

names and keeps a cache of the resolved IP Addresses. When processing traffic, the matching

of IP addresses is performed using the resolved IP Addresses that are in the cache. This option

minimizes the performance/latency impact of the round-trip time associated with real time DNS

lookups while processing data traffic.

Refer to the Source Destination tab section in Configuring Security Access Policy Rules for more

information.

Security access policy enforcement based on Address objects of type dynamic address.

The Versa FlexVNF provides capability to define Address Object, based on Dynamic

Addresses. Use this Dynamic Address Objects as part of the match criteria for security policy

rules, based on Source and/or Destination IP addresses. The Versa FlexVNF does not perform

any operations on its own to resolve the Dynamic Address Objects to IP Addresses. Instead,

Versa FlexVNF depends on an external mechanism that pushes the most accurate IP Address

list that corresponds to the Dynamic Object to the Versa FlexVNF. The external mechanism to

update the IP Addresses of a Dynamic Address object makes a Rest API call to the Versa

Director, which in turn pushes the updates to the Versa FlexVNF. When processing traffic, the

matching of IP addresses is performed using the translated IP Addresses that are part of the

Dynamic Address object. This option minimizes the performance/latency impact of the round-

trip time associated with real time IP Address translation, while processing data traffic.

Refer to the Source Destination tab section in Configuring Security Access Policy Rules for

more information.

IP filtering based on reputation associated with IP address and its geolocation.

The Versa FlexVNF software provides capability to enforce filtering of traffic based on IP

Address metadata (Geo-Location) and IP Reputation. Versa provides IP Reputation feed

of 178


that is updated both daily, and real time. You can also additionally populate the IP Filtering

Profile with blacklists and/or whitelists of IP Addresses by the user, or by an automated

script that invokes Rest APIs on the Versa Director.

IP Attributes

Versa uses the IP filters based on these IP attributes:

IP Reputation—You can create IP filter profile using these predefined IP reputations:

BotNets

Denial of Service

Phishing

Proxy

Reputation

Scanners

Spam Sources

Web Attacks

Windows Exploits

Geo Location—Versa has a list of predefined regions that you can use create IP filter profile based on

geolocation.

Select

Director context > Configuration > Objects and Connectors > Objects > Pre-defined >

Regions to view the list of predefined regions.

IP Filtering Based on Reputation and Geolocation

Versa uses IP filtering profile to filter traffic based on the IP address attributes. Each IP filtering profile object comprises of these:

Blacklisted IP addresses.

Whitelisted IP addresses.

Rules for Geolocation based actions.

of 178


Rules for IP Reputation based actions.

You can match the IP address based on these match criteria:

Source IP address

Destination IP address

Source or Destination IP address

Source and Destination IP address

You can enforce any of these actions when an IP addresses of a session matches any of the criteria specified in the IP Filtering profile:

Allow

Alert

Drop Packet

Drop Session

Reset Connection

Viewing Predefined IP Reputation

Follow these steps to view the list of Versa’s predefined IP reputations.


template.

2. In Director context, select Configuration > Objects and Connectors > Objects > Pre-defined

> IP Reputations to view the list of predefined regions.

3. Refer to this table for the IP reputation description:


BotNets This category includes Botnet C&C channels, and infected zombie

machines controlled by Bot master.

Denial of Service This category includes DOS, DDOS, anomalous sync flood, and

anomalous traffic detection.

of 178


Network (DEPRECATED) This is now deprecated and is visible only for

backward compatibility.

Phishing This category includes IP addresses hosting phishing sites and other

kinds of fraud activities such as ad click fraud or gaming fraud.

Proxy This category includes IP addresses providing proxy services.

Reputation This category denies access from IP addresses currently known to be

infected with malware. This category also includes IPs with average

low Webroot Reputation Index score. Enabling this category will

prevent access from sources identified to contact malware distribution

points.

Scanners This category includes all reconnaissance such as probes, host scan,

domain scan, and password brute force attack.

Spam Sources This category includes tunneling spam messages through a proxy,

anomalous SMTP activities, and forum spam activities.

Web Attacks This category includes cross site scripting, iFrame injection, SQL

injection, cross domain injection, or domain password brute force

attack.

Windows Exploits This category includes active IP addresses offering or distributing

malware, shell code, rootkits, worms or viruses.

Viewing Predefined IP Filters

Follow these steps to view the list of Versa’ predefined IP filtering profiles:


template.

2. In Director context, select Configuration > Objects and Connectors > Objects > Pre-defined

> IP Filtering Profile to view the list of predefined regions.

3. Refer to this table for the predefined IP filtering profile description:

of 178



Block DoS Apply reputation based action for BotNets, Denial of Service,

Network, Reputation, and Scanners.

Block Bad Traffic Apply reputation based action for BotNets, Denial of Service, Network,

Phishing, Proxy, Reputation, Scanners, Spam Sources, Web Attacks,

and Windows Exploits.

Block Bots Apply reputation based action BotNets, Denial of Service, Network,

Reputation, and Scanners.

Block Scanners Apply reputation based action for Scanners.

Block Spam Apply reputation based action for Spam Sources.

Block Window Exploits Apply reputation based action for Windows Exploits.

Web Protection Apply reputation based action for BotNets, Denial of Service,

Phishing, Reputation, Spam Sources, and Web Attacks.

Creating User Defined IP Filtering Profile

Versa lets you to create user defined IP filtering profiles to address scenarios that cannot be addressed using the predefined IP filtering profiles. Follow these steps to create a user defined IP filtering profile:


template.

2. In Director context, select Configuration > Services >Next Gen Firewall > Security >

Profiles > IP Filtering and click in the dashboard to add a new user defined IP filter.

3. Enter these details in the Add IP Filter window.


Name Specify the IP filter profile name.

Description Specify a brief description of the IP filter profile and its purpose.

of 178


Tags Specify a keyword or phrase that allows you to filter the Kerberos

Default Action Select the default action for this profile. This action is enforced when

you do not configure any blacklist, whitelist, geo IP based action, or

reputation-based action.


Allow

Alert

Drop Packet

Drop Session

Reset Connection

LEF Profile Select a LEF-profile to register ssllogs of this IP filtering profile.

3. Select Blacklist tab and enter these details:


Blacklist Actions Select the action that you want to enforce when the IP filter

profile encounters an IP address/IP address group that is with

bad reputation.


Allow

Alert

Drop Packet

Drop Session

Reject

Match Type Select the match criteria for the IP address. You can match the IP

address based on these:

Source IP address




IP Address Select this to enforce this action on an individual IP address.

Click to add an IP address.

IP Address Group Select this to enforce this action on a group of IP addresses.

Click to add a group of IP addresses.


4. Select Whitelist tab and enter these details:

of 178



Enable Logging Select this to enable LEF logging of the whitelisted IP addresses.



Source IP address




IP Address Select this to enforce this action on an individual IP address.

Click to add an IP address.

IP Address Group Select this to enforce this action on a group of IP addresses.

Click to add a group of IP addresses.


5. Select Geo IP based Actions tab and click to add actions for IP reputation based IP filter. This opens

the Add Reputation Based Action window and enter these details:


Name Specify the IP reputation based IP filter profile name.

Action Select the action that you want to enforce when the IP filter


bad reputation.


Allow

Alert

Drop Packet

Drop Session

Reject



Source IP address




of 178


Reputations Click to select and add a reputation. These are the options:

BotNets

Denial of Service

Phishing

Proxy

Reputation

Scanners

Spam Sources

Web Attacks

Windows Exploits


6. Select Reputation Based Actions tab and click in this tab to add actions for IP reputation based IP

filter. This opens the Add Reputation Based Action window.


Name Specify the IP reputation based IP filter profile name.

Action Select the action that you want to enforce when the IP filter


bad reputation.


Allow

Alert

Drop Packet

Drop Session

Reject



Source IP address




Reputations Click to select and add a reputation. These are the options:

BotNets

Denial of Service

Phishing

Proxy

of 178


Reputation

Scanners

Spam Sources

Web Attacks

Windows Exploits


7. Click OK to create an IP filtering profile.

8. Enable IP filtering in the security access policy rule to enforce URL filtering. See Stateful Firewall and

refer to Security Access Policy Rule to enable URL filtering with the security policy.

of 178


SSL Inspection/Decryption and HTTP/HTTPS Proxy

Overview

Versa FlexVNF inspects the HTTPS traffic without decrypting the connections. Even though the HTTP content of an HTTPS session is encrypted, the SSL certificate is transmitted without encryption. Versa FlexVNF provides the ability to inspect the various attributes of the SSL certificate and enforce policy based on the inspection.

Follow these to configure an SSL Inspection/Decryption:

1. Creating CA Certificate Key

2. Creating a Certificate on Appliance

3. Configuring SSL Decryption Profile

4. Configuring SSL Decryption Policy

5. Configuring SSL Decryption Policy Rule

6. Configuring SSL Inspection

7. Uploading a Trusted CA DB

8. Uploading a CA Certificate

SSL Inspection

For SSL inspection, you must have a decryption policy and at least one decryption profile configured. The decryption policy is like the Next Generation Firewall Policy and can be configured with one or more decryption policy rules.

For example, you can enforce a decryption profile with decrypt/ no-decrypt action in decryption policy. This requires a certificate.

For each decryption policy, a decryption profile can be specified. The decryption profile is applied to the traffic that matches a decryption policy rule. One or more decryption profiles can be configured for each tenant. The decryption profile can be configured with the SSL Inspection and policy enforcement information.

The policy action can be configured for SSL certificates based on the following:

Sites with Expired SSL Certificates

Sites with Untrusted Issuers

Restrict Certificate Extensions

of 178


Unsupported Ciphers

Unsupported Key Lengths

Unsupported Versions

Any of the following policy actions can be specified for any of the above inspection results:

Alert

Allow

Drop Packet

Drop Session

Reject

SSL Decryption

Versa FLexVNF uses decryption policy to specify traffic decryption for security policies. The decryption policy specifies the URL categories for the traffic that you want to decrypt. Currently Versa FlexVNF supports only HTTPS.

An encrypted traffic is generally not blocked and shaped accordingly to the security settings. Decryption enforces security policies on encrypted traffic. It prevents malicious content from entering the network and also protects sensitive data from leaving your network disguised as an encrypted traffic.

Creating CA Certificate Key

A key is required to access secured traffic at the appliance using a certificate. You can either use a self-signed CA certificate on the appliance or use a trusted CA certificate to secure the traffic on the appliance. Versa FlexVNF supports both self signed and Trusted CA certificates.

Follow these steps to create a key for CA certificate:


template.

2. In Director context, select Configuration > Others > System > Key and select an entity from

the Organization list.

3. Select the Appliance tab and click in the dashboard to generate a certificate key on the appliance.

This opens the Generate Key On Appliance window.

of 178


4. Enter these details in the Generate Key On Appliance window:


Name Specify a name for the certificate key.

Type Select the encryption type used for encoding and decoding the

information securely. The options is—RSA.

Size Specify the RSA key size.

Pass Phrase Specify the passphrase key used to encrypt the file that

contains the RSA key.

4. Click OK to generate a key for CA certificate.

Creating a Certificate on Appliance

Create a certificate on the appliance and associate the key to it for encoding/decoding the information. Follow these steps to create a certificate:


template.

2. In Director context, select Configuration > Others > System > Certificates and select

an entity from the Organization list.

3. Select the Appliance tab and click in the dashboard to generate a certificate on the appliance.

This opens the Generate Certificate On Appliance window.

of 178


4. Enter these details in the Generate Certificate On Appliance window:


Certificate Name Specify the certificate name.

Validity (days) Specify the validity period of this certificate.

Certificate Attributes

CA Certificate Select true to make this certificate as a trusted CA certificate.

Serial # Specify a serial number for this certificate.

Signature Algorithm Select the signature algorithm used with this certificate. The

options are:

SHA1

SHA256

SHA384

MD5

Common Name Specify a common name for this certificate.

Email ID Specify email ID to which the certificate is send.

Country Name Specify the country where the appliance is located

State or Province Specify the state/province where the appliance is located.

Locality Specify the locality where this appliance is located.

Organization Specify the organization/entity to which the appliance belongs.

of 178


Organization Unit Specify the organization unit to which the appliance belongs.

Private Key Name Select the key for this certificate.

5. Click OK to generate a key for CA certificate. Use this certificate to Uploading a CA Certificate.

Configuring SSL Decryption Profile

Create a SSL decryption profile and associate it to the decryption policy rule to decrypt or inspect some traffic parameters. The decryption profile is enforced on traffic that matches the configured decryption rule. Follow these steps to configure a decryption profile:


template.

In

Director context, select Configuration > Services > Next Gen Firewall > Decryption >

Profiles and select an entity from the Organization list.

2. Click in the dashboard to add a new decryption profile. This opens the Add Decryption Profile window.

3. Enter these details in the Add Decryption Profile window:

of 178



Name Specify the decryption profile name.

Description Specify a brief description of the decryption profile and its purpose.


decryption profile. This is useful when you have many profiles

and want to view those that are tagged with a particular keyword.

LEF Profile Select a LEF-profile to register ssllogs of this decryption profile.

CA Certificate Select the Certificate Authority (CA) that issues server certificate

for decryption.

CA is an entity that issues digital certificates to verify the

ownership of a public key. This allows the relying parties to trust

the signature that is made by a private key that corresponds to

the certified public key.

Decryption Type Select the decryption type used with this profile. These are the

options:

SSL Forward Proxy—This is a transparent proxy that

can decrypt and encrypt the SSL/TLS traffic between

the client and the server. This is a transparent proxy

and neither the client nor the server would know about

the proxy’s presence. The Proxy acts as server towards

the client and as a client towards the server.

Whether to decrypt or not can be controlled through the

decryption policy. When the client initiates a SSL/TLS

handshake towards the server, proxy applies the

decryption policy to determine if the traffic needs to be

decrypted, if the policy action is to decrypt, it uses the

matching SSL profile to initiate the SSL Handshake

towards the server, it inspects the server certificate and

the other SSL attributes from the SSL handshake

stream, if the inspection is successful it completes the

SSL handshake with server and generates a server

certificate signed with the public key available in the

SSL proxy profile and resumes the SSL handshake

towards the client. Once the SSL handshake is

complete between the client and the proxy, the proxy

will be able to decrypt the application traffic that the

client sends, which then can be examined by the rest of

the services in the firewall service chain before

encrypting it and sending it to the server.

SSL Full Proxy—This proxy works in two modes:

Explicit—This processes the SSL/TLS traffic

destined to a particular IP address and a port.

You must configure the clients with the proxy IP

of 178


and the port.

- The Client connects to the configured

proxy IP and port and sends HTTP

CONNECT request.

The SSL full proxy parses the received HTTP CONNECT and extracts the domain that the client wants to connect to. It uses that along with relevant L3/L4 parameters to find a decryption policy, if it finds a decryption policy, based on the action set in that policy the SSL connection will either be decrypted or bypassed. If there is no policy configured then, the decryption will be bypassed.

- The SSL full proxy responds with 200

OK to the CONNECT and waits to the

Client Hello. Upon receiving the Client

Hello, if the policy decision was to

decrypt, the SSL proxy will respond

with Server Hello and the rest of the

handshake message get exchanged

between the client and the proxy.

- After the handshake is complete, the

client does a GET or a POST on that

connection.

- The proxy parses the HTTP request

and extracts the domain name and port

from the URL and does DNS resolution

of that domain and opens a connection

towards the resolved IP, it uses the

source IP and port from the configured

SNAT pool from the HTTPs proxy

profile.

- Once the connection is successful, the

proxy initiates the SSL handshake with

the server, after that it forwards the

HTTP request to the server.

- All the other services in the service

chain like IPS/IDS, AV get to examine

the decrypted stream for any threats

and may drop the packet based on the

outcome of their examination.

See Configuring Explicit Proxy to

configure an explicit proxy using GUI.

Transparent—This processes the SSL/TLS

traffic designated to any IP but to a particular

port. The DNS resolution happens at the client

and the client opens the connection to the

of 178


actual server IP. The same steps as explained

above for the explicit proxy are applicable to

transparent proxy as well, except for the DNS

resolution. Since the destination IP is that of the

actual server, the proxy skips the DNS

resolution. It just does the source NAT using the

configured SNAT pool in the HTTPS proxy

profile.

- See Configuring Transparent Proxy to

configure a transparent proxy using

GUI.

Trusted Certificate Database Select the trusted certificate database that verifies and confirms

authority of the server certificate.

Transparent Select this to imply the decryption is applied transparently on the

entire traffic.

Explicit Select this to imply the decryption originating from a particular IP

address. This enables the IP address field (explained below) for

explicit decryption.

IP Address Specify the IP address for Explicit decryption.

Port Specify the port number for explicit or transparent decryption of

traffic originating from a particular port.

Routing Instance Specify the port number for explicit or transparent decryption of

traffic originating from a particular routing instance.

Min Supported Key Length Specify the minimum RSA key length. The default is set to 1024

bits.

This value is used for unsupported key length field in the

Unsupported Mode Checks section.

Evaluate Policy Select this to apply decryption without policy evaluation.

Support Session Ticket Select this to enable a session that was created in earlier.

SSL Inspection

Server Certificate Checks

Action for Expired Certificate Select the action to imply when the Server certificate expires.


alert

allow

drop- packet

drop-session

of 178


reject

Action for Untrusted Issuers Select the action to imply when the certificate is from an untrusted

issuer. These are the options:

alert

allow

drop- packet

drop-session

reject

Restrict Certificate Extension Select this to restrict certificate extension. Use one of these

certificate key use extensions:

- Digital Signature or Key Encipherment

Unsupported Mode Checks

Action for Unsupported Cipher Select the action to imply when the decryption encounters

unsupported cipher.

Action for Unsupported Key Length Select the action to imply when the decryption encounters

unsupported key length.

Action for Unsupported Version Select the action to imply when the decryption encounters

unsupported CA version.

6. Click OK to configure and create a decryption profile.

Configuring SSL Decryption Policy

Follow these steps to configure a SSL decryption policy to specify traffic that you want to decrypt:


template.

2. In Director context, select Configuration > Services > Next Gen Firewall > Decryption >

Policies and select an entity from the Organization list.

3. Select Decryption Policies tab and click in the dashboard to add a new decryption policy. This

opens the Add Decryption Policy window.

of 178


4. Enter these details in the Add Decryption Policy window:


Name Specify the decryption policy name.

Description Specify a brief description of the decryption rule and its purpose.




5. Click OK to create a decryption policy.

Configuring SSL Decryption Policy Rule

Create a decryption policy rule to manage traffic that you want the policy to decrypt, or decrypt and inspect, or to only inspect.

Follow these steps to configure a SSL decryption policy to specify traffic that you want to decrypt:


template.

2. In Director context, select Configuration > Services > Next Gen Firewall > Decryption

> Policies and select an entity from the Organization list.

3. Select the Rules tab and click in the dashboard to add a new decryption policy. This opens the

Add Decryption Rule window.

of 178


4. Select the General tab and configure the name and description for the decryption policy rule. Enter

these details:


Name Specify the access decryption policy rule name.

Description Specify a brief description of the decryption policy rule and its

purpose.


decryption policy. This is useful when you have many policies


4. Select the Source/Destination tab to define the source zone and the source address, and

destination zone and destination address of the incoming (source) and outgoing (destination) traffic

to which the decryption policy rule applies. Enter these details:


Source Zone Select the source zone to apply the rule to traffic coming from

any interface in the specified zone.

Click to add more security zones.

Destination Zone Select the destination zone to apply the decryption policy to traffic



Source Address Select and specify one or more source address to which the

DoS Protection policy rule applies.




destination.

Click to add more destination addresses.

NOTE: In case of explicit proxy, the destination address is

the address on which the explicit proxy is configured. Configuring

this option with explicit proxy is not effective.


addresses.


addresses.

NOTE: In case of explicit proxy, the destination address is

the address on which the explicit proxy is configured. Configuring

this option with explicit proxy is not effective.

5. Select the Header/Schedule tab to define the IP header, services and schedule to which the

decryption rule applies. Enter these details:

of 178



IP Version Specify the IP header to which the decryption rule applies.

IP Flag For IPv4, select one of these IP flags:

Don’t Fragment.

More Fragment.



TTL

Condition Select the TTL condition of the IP packet that the decryption policy

rule verifies. These are the options:









Value Specify the TTL value that is matched by the decryption

rule with the TTL condition.

Others

Schedules Select a schedule to specify when the decryption rule is in

effect.

Services

Service List Click to select one or more services to apply the

decryption rule to the configured services.

6. Select the URL tab and enter these details:


URL Category Click to select one or more predefined/custom URL

categories and apply the security access rule to the URL.

Refer to Configuring URL Category Objects for more information

on predefined and custom applications.

7. Select the Users/Groups tab and enter these details:


Match Users Select a user/group that you want to bind with the decryption

policy. These are the options:

Any

of 178


Known

Unknown

Selected

User Group Profile Select the user group profile associated with the matched user.

Users Click to select one or more users to apply the decryption

rule.

Groups Click to select one or more groups to apply the decryption

rule.

8. Select the Enforce tab to select the applications and URIs to which the decryption rule applies.



Action Select the action that you want to impose on the traffic. These are

the options:

decrypt

no-decrypt

Decryption Profile Select the decryption profile. See Configuring SSL Decryption

Profile for more information.

9. Click OK to create the decryption policy rule for the security policy.

Configuring SSL Inspection

Versa FlexVNF allows you to enforce the action configured in the decryption profile in the decryption rule. Refer enforce tab related step in Configuring SSL Decryption Policy Rule for information of decryption actions. SSL inspection is configured while creating the decryption profile. Refer SSL Inspection section in Configuring SSL Decryption Profile for more information.

Uploading a Trusted CA DB

Upload a trusted CA DB that verifies and confirms authority of the server certificate. This is mapped in the decryption profile. Follow these steps to upload a CA DB:


template.

2. In Director context, select Configuration > Objects & Connectors > Connectors > CA Chains .

3. Select the Director tab in the dashboard and click to opens the Upload Trusted CA DB to Director

of 178


and upload the certificate authority database.

a. Click Browse to select the certificate authority database.


1. Select the Appliance tab to associate the certificate authority database for an appliance.

a. click to opens the Upload Trusted CA DB to Appliance and upload the certificate authority

database.


Uploading a CA Certificate

The server (CA) issues a certificate on request from Versa FlexVNF. This certificate is then uploaded in the CA DB for verification. CA is an entity that issues digital certificates to verify the ownership of a public key. This allows the relying parties to trust the signature that is made by a private key that corresponds to the certified public key.

NOTE: You can upload the CA Certificate either as a bundle (zipped certificate and key), upload an existing CA file directly on the appliance or generate a new CA certificate on the appliance.

Follow these steps to upload a CA certificate:


template.

2. In Director context, select Configuration > Objects & Connectors > Connectors > CA

Certificate .

3. Select the Director tab in the dashboard and click to opens the Upload CA Certificate to Director

and upload the certificate.

a. Click Browse to select the certificate authority database.


1. Select the Appliance tab to associate the certificate for an appliance.

a. click to opens the Upload CA Certificate to Appliance and upload the certificate authority

database.


Exporting CA Certificate to a File

Follow these steps to export a CA certificate to a file:


of 178


template.

2. In Director context, select Configuration > Objects & Connectors > Connectors > CA

Certificate .

3. Select the Appliance tab and:

a. Select a Certificate from the list displayed.

a. Click to export the CA file to the appliance.

1. Click OK to close the window.

Secure Web Proxy

You can configure the Versa FlexVNF as a HTTP and/or HTTPS proxy. Depending on the configuration, either all or only the matching HTTP/HTTPS request are subjected to the proxy. This section provides information to configure HTTP/HTTPS proxy for the request it receives.

Configuring Explicit Proxy

An explicit proxy is used to process the SSL/TLS traffic destined to a particular IP Address and a port. You much configure the client (browser) with the proxy IP and port details. Follow these steps to configure an explicit HTTPS proxy:


template.


> Profiles to create an explicit full proxy configuration.

a. Click in the dashboard to add a new decryption profile and select explicit full proxy in the

Add Decryption Profile window.

of 178


a. Select SSL Full Proxy from the Decryption Type list box.

b. Select the Explicit option.

c. Specify an IP Address.

d. Specify the port for full proxy. For example, specify 3128 as the Port for full proxy.

See Configuring SSL Decryption Profile for more information on other configurable

parameters in the decryption profile window.


> Policies > Rules tab to associate the decryption profile with a decryption rule.

See Configuring SSL Decryption Policy Rule to get more information on configuring a decryption rule.

3. In Director context, select Configuration > Services > Next Gen Firewall > Secure Web

Proxy and select an entity from the Organization list.

a. Click in the dashboard to add a new HTTP/HTTPs Proxy. This opens the Add

HTTP/HTTPS Proxy window.

of 178


b. Enter these details in the Add HTTP/HTTPS Proxy window:


Name Specify the HTTP or HTTP proxy name.

Description Specify a brief description of the HTTP/HTTPS Proxy and its

purpose.

Mode Select explicit as the HTTP/HTTPS proxy mode.

Refer to Decryption Type in the Configuring SSL Decryption

Profile section for complete understanding of the explicit

decryption mode.

IP Address Specify an IP address for explicit HTTP/HTTPS proxy.

Port Specify 3128 as the port for the explicit HTTP/HTTPS proxy.

NOTE: 3128 is the most commonly used port to configure both

HTTP and HTTPS proxy. You can change this as per your

requirement too.

Routing Instance Select the routing instance for the incoming traffic.

Source NAT Pool Select the NAT Pool that the explicit HTTP/HTTPS proxy will use.

LEF Profile Select a LEF-profile to register ssllogs of this explicit

HTTP/HTTPS proxy.

Provider Organization Select the organization to which the explicit HTTP/HTTPS proxy

belongs.

Parse Response Enables/Disables HTTP/HTTPS parsing response. This is also

of 178


available as a counter in the VFP profile statistics (Refer Step 3c)

c. In Director context, select Monitor > Provider ORG in the left hand menu > Services tab and

click NGFW to view the HTTP/HTTPS Proxy settings statistics.

4. Configure your browser and set the HTTP/HTTPS proxy port as configured in the decryption profile

(Step 1).

Configuring Transparent Proxy

A transparent proxy is used to process the SSL/TLS traffic destined to any particular IP Address but to a particular port. The DNS resolution happens at the client (browser) and the client (browser) opens the connection to the actual server IP address.

Follow these steps to configure a transparent explicit HTTPS proxy:


template.


> Profiles to create an explicit full proxy configuration.

a. Click in the dashboard to add a new decryption profile and select explicit full proxy in the

Add Decryption Profile window.

of 178


a. Select SSL Full Proxy from the Decryption Type list box.

a. Select the Transparent option.

a. Specify an IP Address.

a. Specify the port and HTTP proxy. For example, specify 80 as the Port for HTTP proxy or 443

for HTTPS proxy

See Configuring SSL Decryption Profile for more information on other configurable

parameters in the decryption profile window.


> Policies > Rules tab to associate the decryption profile with a decryption rule.

See Configuring SSL Decryption Policy Rule to get more information on configuring a decryption rule.

2. In Director context, select Configuration > Services > Next Gen Firewall > Secure Web

Proxy and select an entity from the Organization list.

a. Click in the dashboard to add a new HTTP/HTTPs Proxy. This opens the Add

HTTP/HTTPS Proxy window.

of 178


b. Enter these details in the Add HTTP/HTTPS Proxy window:


Name Specify the HTTP or HTTP proxy name.

Description Specify a brief description of the HTTP/HTTPS Proxy and its

purpose.

Mode Select transparent as the HTTP/HTTPS proxy mode.

Refer to Decryption Type in the Configuring SSL Decryption

Profile section for complete understanding of the transparent

decryption mode.

IP Address Specify an IP address for explicit HTTP/HTTPS proxy.

Port Specify the port number for transparent proxy.

For example, specify 80 as the port for the transparent

HTTP proxy.

For example, specify 443 as the port for transparent

HTTPS proxy.

Routing Instance Select the routing instance that the transparent HTTP/HTTPS

proxy will use for routing the traffic.

Source NAT Pool Select the NAT Pool that the transparent HTTP/HTTPS proxy will

use.

LEF Profile Select a LEF-profile to register ssllogs of this

transparent HTTP/HTTPS proxy.

Provider Organization Select the organization to which the transparent HTTP/HTTPS

proxy belongs.

of 178


Parse Response Enables/Disables HTTP/HTTPS parsing response.

3. Configure your browser and set the HTTP/HTTPS proxy port as configured in the decryption profile

(Step 1).

of 178


User and Group Policy

Overview

The user and group security policy is created to detect users who are using application on your network. This helps in identifying all the users on your network who may have transmitted a threat or is transferring a file.

User/Group policy helps in identifying a user with his name/role rather than using his IP address and only helps in improving the effectiveness of the Versa NGFW.

The user group policy provides an improved information of the users and their application usage in the network. Whenever a strange or suspect application is found in the network, the user group policy helps in identifying the user and the source and destination of this strange/suspect application and any threats it carries along. You can also enforce security policies on a certain set of users/groups to prevent threats on the network.

Creating a user and group policy simplifies firewall administration and you do not have to update the rules whenever a group membership changes.

Configuring LDAP Server Profile

Configure a LDAP server profile to define how the Versa NGFW connects and authenticates to the active directory server and how it searches the active directory and retrieves the group list and associated list members.

NOTE: You might need to consult the LDAP administrator to get the information needed to connect to the LDAP server.

Follow these steps to configure LDAP Server for active directory authentication:


template.

2. In Director context, select Configuration > Objects and Connectors > Connectors

> Users/Groups > LDAP to configure the LDAP active directory for

authentication.

3. Select the LDAP Server Profile tab and click in the dashboard to add a new LDAP server profile.

This opens the Add LDAP Server Profile window.

of 178


4. Enter these details in the Add LDAP Server Profile window:


Name Specify the LDAP server profile name. This enables the Versa

NGFW to connect to the LDAP directory and retrieve group

mapping information and select the usernames and group names

for the policy.

Description Specify a brief description of the LDAP server profile and its

purpose.

Tags Specify a keyword or phrase that allows you to filter the LDAP

server profile. This is useful when you have many profiles and


Server Type Select Active Directory as the location of the LDAP Server. This

allows the Versa NGFW to populate the LDAP attributes in the

group mapping settings.

State Select the state of the LDAP Server profile. The options are

either enable or disable.

Use SSL Select to enable or disable the usage of SSL on the group

mapping information.

Bind DN Specify the administrator provided Bind Distinguished Name (DN)

authentication credentials for binding to the LDAP tree.

of 178


Bind Password Specify the administrator provided Bind password.

Bind Timeout Specify the bind timeout period in seconds.

Domain Name Specify the administrator provided MS Windows domain name

(for Active Directory).

Base DN Specify the Base DN of the LDAP tree location for the Versa

NGFW initiate a search for user and group information.

Search Timeout Specify the search timeout period in seconds.

SSL Mode Select the SSL mode used for the LDAP server profile. These are

the options:

LDAPS

START TLS

This field is operational only when you enable the Use SSL field.

Servers—Click to add LDAP servers

Name Specify the hostname of the machine hosting the LDAP directory

service.

IP Address Specify the IP address of the LDAP Server.

Port Specify the listening port number for the LDAP Server. This is the

port number to communicate with the LDAP directory service.

Routing Instance Select the routing instance for the LDAP Server. These are the

options:

Customer1-Control-VR

Customer1-LAN-VR

Customer 2-Control-VR

Customer 3-Control-VR

Provider-Control-VR

Broadband-Transport-VR

4. Click OK to add a new LDAP server.

5. Click OK to complete the LDAP server profile.

Configuring User/Group Mapping Profile

Follow these steps to configure user/group mapping profile for Active Directory authentication:


template.

of 178


2. In Director context, select Configuration > Objects and Connectors > Connectors >

Users/Groups > LDAP and select User/Group Profile tab to configure the User/Group profile

active directory for authentication.

3. Click in the dashboard to add a new User/Group profile. This opens the Add User/Group

Profile window.

4. Enter these details in the Add User/Group Profile window:


Name Specify the User/Group profile name.

Description Specify a brief description of the user/group profile and its

purpose.


user/group profile. This is useful when you have many profiles


Group Object Class Specify the administrator provided group object class.

Group Name Specify the administrator provided group name.

Group Member specify the administrator provided group member.

User Object Class Specify the administrator provided user object class.

User Name Specify the format of the user name. For example, User Principal

Name.

Refresh Interval Specify the time period in seconds to refresh the profile details.

State Select to either enable or disable the user/group profile.

of 178


4. Click OK to add a new user/group profile. .

Defining Kerberos for User/Group Authentication

Versa NGFW uses Kerberos or LDAP for user/group authentication. Kerberos provides a strong authentication and uses secret key cryptography. It never transmits the actuals user credentials over the network.

The client authenticates itself to the Authentication Server which forwards the username to the Key Distribution Center (KDC). The KDC issues a ticket-granting ticket (TGT) with a timestamp and encrypts it using the ticket granting service (TGS) secret key and returns the encrypted result to the user. After verifying the validity of the TGT, the user is granted access to the requested service. The TGS issues a service ticket and a session key to the client. The client then sends the ticket to the Service server along with its service request.

Uploading Kerberos Keytab

The Kerberos keytab file contains pairs of Kerberos principals and encrypted keys. These are derived from the Kerberos password. Use the Kerberos keytab file to authenticate various systems that use Kerberos without entering the password.

NOTE: You must recreate all your keytabs when you change your Kerberos password.

Follow these steps to upload a kerberos keytab:


template.


> Users/Groups > Kerberos Keytab.

of 178


3. Select the Director tab and click to upload the Kerberos keytab file. This opens the Upload

Kerberos Keytab Files to Director window.

4. Click Browse button and select the keytab file.

5. Click OK to upload the keytab file to the Versa Director.

6. Select the Appliance tab and click map the Kerberos keytab file with the appliance. This opens

the Upload Kerberos Keytab Files to Appliance window.

a. Select the Kerberos keytab file from the File Name listbox.

a. The Appliance field is populated by default.

a. Click OK to map the Kerberos keytab file with the appliance.

Creating Kerberos Profile

Follow these steps to define a Kerberos profile for authenticating the user/group.


template.


> Users/Groups > Kerberos Profile.

of 178


3. Click in the dashboard to add a new kerberos profile. This opens the Add Kerberos Profile window.

4. Enter these details in the Add Kerberos Profile window:


Name Specify the kerberos profile name.

Description Specify a brief description of the LDAP server profile and its

purpose.

Tags Specify a keyword or phrase that allows you to filter the kerberos

profile. This is useful when you have many profiles and want to


Keytab File Select the keytab file uploaded in the earlier section (Uploading

Kerberos Keytab).

SPN Specify the Service Principal Name value.

4. Click OK to add a kerberos profile.

Configuring Local Database

Versa NGFW allows you to store the user/group details locally on the appliance. The appliance uses this local database to authenticate, search and retrieve the group membership.

NOTE: Use the Local Database only on small set of users/groups of size 50 to 100. For a larger set, CenturyLink recommends you use the third party user authentication solution like LDAP/Kerberos.

of 178


Configuring Local Database Users

Follow these steps to create local database users:


template.


> Users/Groups > Local Database to configure the local database on the

appliance for authentication.

3. Select Users tab and click in the dashboard to add a new database for users. This opens the Add

User window.

4. Enter these details in the Add User window:


Name Specify the local users name.

Description Specify a brief description of the user and its purpose.

Password Specify a password to authenticate this user.

Group Name Select the group to which this user belongs.

4. Click OK to add the user to the local database.

Configuring Local Database Group

Follow these steps to create local database users:


template.


of 178


> Users/Groups > Local Database to configure the local database on the

appliance for authentication.

3. Select Groups tab and click in the dashboard to add a new database for users. This opens the

Add User window.

4. Enter these details in the Add User window:


Name Specify the local group name.

Description Specify a brief description of the group and its purpose.

5. Click OK to add the group to the local database.

Configuring Authentication Profile

Follow these steps to define an authentication profile that is used in the authentication policy of the user/group.


template.

2. In Director context, select Configurations > Services > Next Gen Firewall > Authentication

> Profiles.

3. Click in the dashboard to add a new kerberos profile. This opens the Add Authentication

Profile window.

of 178


4. Enter these details in the Add Authentication Profile window:


Name Specify the authentication profile name.

Description Specify a brief description of the authentication profile and its

purpose.


authentication profile. This is useful when you have many profiles


Local Database Select this to use local database for storing the user/group

authentication information in the local server.

Kerberos Profile Select the Kerberos profile created earlier. Refer to Creating

Kerberos Profile for more information.

NOTE: Versa recommends using Local Database for a user/group of size 50 to 100 only.

LDAP Profile Select the LDAP profile created earlier. Refer to Configuring

LDAP Server Profile for more information.

Caching Mode Select the caching mode. These are the options:

IP Based—This maps the users with their IP address as

the key.

Cookie Based—This sets the cookie in the users

browser and does not store the user information in the

appliance.

Caching Expiration (mins) Specify the time period in minutes when the caching mode

expires.

of 178


LEF Profile Select a LEF-profile to register logs of this vulnerability profile.

5. Click OK to add an authentication profile.

Configuring Authentication Policies

Follow these steps to create an authentication policy for authenticating the user/group.


template.


> Policies.

3. Select Authentication Policies tab and click in the dashboard to add a new authentication policy.

This opens the Add Policies window.

4. Enter these details in the Add Policies window:


Name Specify the authentication policy name.

Description Specify a brief description of the authentication policy and its

purpose.


authentication policy. This is useful when you have many profiles


4. Click OK to add an authentication policy.

Configuring Rules for Authentication Policies

Follow these steps to create an authentication policy for authenticating the user/group.


template.


> Policies.

3. Select Rules tab and click in the dashboard to add a new authentication policy. This opens the

Add Rules window.

of 178


4. Select the General tab and configure the name and description for the authentication policy rule.


Use this field… to…

Name Specify the authentication policy rule name.

Description Specify a brief description of the authentication policy rule and its

purpose.


authentication policy. This is useful when you have many policies


4. Select the Source/Destination tab to define the source zone and the source address, and

destination zone and destination address of the incoming (source) and outgoing (destination) traffic

to which the authentication policy rule applies. Enter these details:


Source Zone Select the source zone to apply the rule to traffic coming from

any interface in the specified zone.


Destination Zone Select the destination zone to apply the decryption policy to traffic



Source Address Select and specify one or more source address to which the

DoS Protection policy rule applies.




destination.

Click to add more destination addresses.

NOTE: In case of explicit proxy, the destination address is the

address on which the explicit proxy is configured. Configuring this

option with explicit proxy is not effective.


of 178


addresses.


addresses.

NOTE: In case of explicit proxy, the destination address is the

address on which the explicit proxy is configured. Configuring this

option with explicit proxy is not effective.

5. Select Application/URL tab to select the applications and URLs to which the security access rule

applies. This specifies the match criteria for the access rule. Enter these details:


Applications Click to select one or more predefined/custom application

signature and apply the authentication policy rule to the

application.

Refer Configuring Application Objects for more information on


URL Categories Click to select one or more predefined/custom URL categories

and apply the authentication policy rule to the URL. Refer to

Configuring URL Category Objects for more information on


6. Select Header/Schedule tab to define the IP header, services and schedule to which the authentication

policy rule applies. Enter these details:




Don’t Fragment.

More Fragment.



TTL












of 178



Others


effect.

You can also create and add a new schedule. Refer Schedule

Object for more information.

Services



7. Select Enforce tab to select the applications and URLs to which the authentication policy rule applies.



Actions Specify the action that you want to impose on the traffic. Following are the options:

Do Not Authenticate—Select this if you do not want to

authenticate the profile.

Authenticate using Profile—Select this option and

then select an authentication profile from the list box.

Log Select an option to log the data. These are the options:

Do not log—Select this to avoid logging the

authentication profile details.

Log using Profile—Select this option and then select an

LEF profile from the list box.

8. Click OK to create an authentication policy rule.

Matching User/Group with Access Policy

Follow these steps to match the users and groups to access the network in the security policy.


template.

2. In Director context, select Configuration > Services > NextGen Firewall > Security >

Policies .

of 178


3. Select the Rules tab and click on the relevant security rule to make changes to it. This opens the Edit

Rule window.

4. Select the User/Group tab in the Edit Rule window to and enter these details:


Match Users Select the user to match with the access policy. These are the

options:

Any

Known

Unknown

Selected

User Group Profile Select the user group profile to access the network in the security

policy.

NOTE: This option is available on when you match using Selected

users.

Local Database Select this to use local database for storing the user/group

authentication information in the local server.

NOTE: Versa recommends using Local Database for a user/group

of size 50 to 100 only.

9. Click OK to match the users/groups with the access policy.

of 178


Unified Threat Management

Overview

Versa FlexVNF includes unified threat management capabilities, which can be turned on by configuring the threat profiles in the Next Generation Firewall (NGFW) policy rules. FlexVNF supports the following threat profiles:

Vulnerability (IDS/IPS)

Vulnerability (IDS/IPS)

The pace at which new technology is getting developed and deployed leads to the unintended side effect of having a number of software and hardware products with vulnerabilities that can be exploited for malicious purposes. Each year there are over 10000 vulnerabilities that are either disclosed by the product vendors or by the community of ethical hackers, who discover the vulnerabilities using various methods. Versa FlexVNF provides the IDS/IPS feature to defend against these vulnerabilities.

Vulnerability Profile

Configure one or more vulnerability profiles to enable the IDS/IPS. Each vulnerability profile specifies the list of vulnerabilities for which the IDS/IPS scans the network traffic for vulnerabilities. The IDS/IPS enforces the security action specified by the vulnerability profile when a vulnerability is detected.

Versa FlexVNF supports multiple vulnerability profiles based on a per-tenant basis. The vulnerability profiles that is configured for a particular tenant can only be used by that tenant and is not available to other tenants on the system. The Versa security research team provides predefined vulnerability profiles via security package updates. The predefined vulnerability profiles are available for all tenants to configure and use.

Even though a vulnerability profile is configured on the system, it is not activated unless it is configured in a NGFW policy rule. If a vulnerability profile is configured for a NGFW policy rule, then that vulnerability profile is enforced only for the traffic that matches that rule. The scope of the vulnerability profile is confined to the rule(s) in which it is enabled. See Configuring Custom IPS Signatures for more information to activate a vulnerability profile.

Vulnerability Rule

You can configure multiple vulnerability rules for every vulnerability profile. Similarly, you can also configure multiple criteria and actions for each vulnerability rule.

For a given vulnerability profile, select the vulnerabilities based on these criteria:

Year

Rule Set

Severity

Reference

Confidence

Classification Type

Rule Type

of 178


Rule Default Action

Direction

CVSS Score

OS

OS Version

Product

Product Version

Application

These enforcement actions are supported for a vulnerability profile:

Rule default action

Allow

Alert

Drop Packet

Drop Session

Reject

Reset Client

Reset Server

Packet Capture

Predefined Vulnerability Profile

As on date, Versa FlexVNF supports these predefined vulnerability profiles:

All Anomaly Rules—This profile loads all the anomaly signatures.

All Attack Rules— This profile loads all attack signatures.

Client Protection— This profile loads all client-side attack detections.

Database Profile—This profile loads the oracle database server vulnerability signatures.

ICS Profile—This profile loads the Industrial Control System (ICS) vulnerability signatures.

Linux OS Profile—This profile detects all attacks specific to Linux OS.

MAC OS Profile—This profile detects all attacks specific to MAC OS.

Malware Profile—This profile detects all antivirus attacks.

Server Protection—This profile detects server side attack detections.

Windows OS Profile—This profile detects attacks specific to all windows OS.

Versa Recommended Profile

NOTE: Versa recommends you use the Versa Recommended Profile if the predefined list does not meet your requirement.

Refer to Viewing Predefined/User Defined Vulnerability Profiles for information to access the predefined/user defined vulnerability profiles.

Add this vulnerability profile to the security access policy to include it as part of the firewall apparatus.

of 178


Refer Applying Predefined Vulnerability Profile on Access Policy Rule for more information.

Follow this sequence to configure a vulnerability profile:

1. Applying Predefined Vulnerability Profile on Access Policy Rule

2. Overriding the Predefined Vulnerability Profile

3. Applying Configured Override Profile

Applying Predefined Vulnerability Profile on Access Policy Rule

Follow these steps to apply the predefined vulnerability profile on the security access policy:


template.


Policies and select an entity from the Organization list.

3. Select the Rules tab to view the security policies access rules.

4. Select and click on an access policy rule from the dashboard on which you wish to apply the

vulnerability profile. This opens the Edit Rule window.

5. Select Enforce tab:

of 178


a. Select Apply Security Profile in the Actions section. This enables the Profiles section under it.

a. Enable the Vulnerability checkbox and select the vulnerability profile for this security

access policy rule.

1. Click OK to configure and close the security access policy rule window.

Overriding the Predefined Vulnerability Profile

Versa FlexVNF provides you an option to make changes to the predefined vulnerability profile parameters. Follow these steps to override the predefined vulnerability profile configuration:


template.

2. In Director context, select Configuration > Services > Next Gen Firewall > Security

> Predefined Vulnerability Profile Override and select an entity from the Organization list.

3. Select and click on a predefined IPS profile override from the dashboard for which you want to make

the changes. This opens the Edit Predefined Vulnerability Profile Override window.

4. Enter these details in the Edit Predefined Vulnerability Profile Override window.


of 178


Name Specify the antivirus profile name.

Description Specify a brief description of the URL filter and its purpose.


predefined vulnerability override action. This is useful when you

have many policies and want to view those that are tagged with a

keyword.


Rule tab

Action Select either the default or one of the predefined actions to

override/change the predefined action.

Packet Capture Select Packet Capture to change the pre-window and pot

window packet capture configuration.

Exceptions tab—Click to edit the exceptions. This opens the Add Exception window.

a. Enter these details in the Add Exception window:


Threat ID Specify the threat ID.

Description Specify a brief description of the threat ID and its purpose.

of 178


Tags Specify a keyword or phrase that allows you to filter the threat

exception action. This is useful when you have many policies and



Signatures tab—Enable the vulnerability signatures that you wish to have in the vulnerability profiles

exception rule.

Exception Details tab

Exempt IP Address Click to Specify IP addresses that you want to exempt from

the vulnerability rule.

Threshold Select the threshold application on the exempted IP

address. The options are:

Track By—Select the threshold tracking based on

either Source, Destination, or Source and

Destination.

Interval—Specify an interval (seconds)

Threshold—Specify the number of hits per interval

based on direction of traffic.

Packet Capture Select this to enable packet capture. Specify the pre-window

and post-window packet capture sessions.

Pre-window—Specify the number of packets

immediately preceding the attacked packet for which

that needs to be captured.

Post-window—Specify the number of packets

immediately after the attacked packet for which that

needs to be captured.

5. Click OK to override a predefined vulnerability profile and close the window.

Applying Configured Override Profile

Re-apply the vulnerability profile to the security access policy rule after you have overwritten the predefined vulnerability profile. Follow the procedure mentioned in Applying Predefined Vulnerability Profile on Access Policy Rule to apply the reconfigured IPS override profile.

Viewing Predefined/User Defined Vulnerability Profiles

Select Configuration > Objects & Connectors > Objects > Predefined Objects > Vulnerability

to view the list of predefined vulnerability profile dashboard.

of 178


Creating a User Defined Vulnerability Profiles

Follow these steps to configure a user defined vulnerability profile:


template.


Profiles > Vulnerability and select an entity from the Organization list.

3. Click in the dashboard to add a new vulnerability profile. This opens the Add Vulnerability

Profile window.

4. Enter these details in the Add Vulnerability Profile window:


Name Specify the vulnerability profile name.

Description Specify a brief description of the vulnerability profile and its

purpose.


vulnerability profile. This is useful when you have many profiles

and want to view those that are tagged with a keyword.

of 178


LEF Profile Select a lef-profile to register logs of this vulnerability profile.

Rules Use this tab to configure the vulnerability rules. See Configuring

Vulnerability Profile Rule for more information.

Exception Use this tab to configure the vulnerability rules. See Configuring

Vulnerability Profile Exceptions for more information.

Configuring Vulnerability Profile Rule

Follow these steps to configure a user defined rule for vulnerability profile:


template.


> Vulnerability and select an entity from the Organization list.

3. Click in the dashboard to add a new vulnerability profile. This opens the Add Vulnerability

Profile window. Enter the vulnerability profile details as mentioned in Vulnerability Profile.

of 178


4. Select the Rules tab to configure the vulnerability profile rule. Click and enter these details in the

Add Rule window:


Name Specify the vulnerability profile rule name.

Description Specify a brief description of the vulnerability profile and its

purpose.


vulnerability profile. This is useful when you have many profiles


CVE Year Click and select the Common Vulnerabilities and Exposures

year (CVE) from the list box. This matches the signature in the

database and identifies the attacks. For example, elect 2016 to

block attacks based on 2016.

Signature-set Click and select either predefined, user defined or both types of

signatures.

Enable Select this to enable or disable this vulnerability profile rule.

of 178


General

Confidence Click and select signature(s) whose confidence level are equal

to or above the selected level.

Class Type Click and select signatures that match a specific class-type.

Direction Click and select the traffic direction where the signatures for

this rule needs to be applied. The options are:

both

client

server

Rule Type Click and select the signature(s) that match a specific rule

type. The options are:

Signature rules.

Anomaly rules.

All rules.

Action Filter Click and select signature(s) whose action is equal to:

alert

drop-session

reject

CVSS Score Click and select signatures that match a specific CVSS score.

OS/Product

OS Name Click and select signature(s) that match a specific operating

system.

Product Name Click and select signature(s) that match a specific product.

Application

Applications Click and select signatures that match specific application

(protocol/port).

Reference/Severity

Reference Type Select and use signatures that match a specific reference type

and reference value as specified in the database. Click to

add more reference types to this rule.

Severity Select and limit signatures that match specific a severity type for

this reference. The options are:

Any

Critical

of 178


High

Medium

Unspecified

Enforce

Action Select an action for this rule.

Packet Capture Select this to enable packet capture. Specify the pre-window and

post-window packet capture sessions.







4. Click OK to create the vulnerability profile rule for the security policy.

Configuring Vulnerability Profile Exceptions

Follow these steps to configure a user defined vulnerability profile:


template.


> Vulnerability and select an entity from the Organization list.

3. Click in the dashboard to add a new vulnerability profile. Enter the vulnerability profile details

as mentioned in Vulnerability Profile.

4. Select the Exception tab and click to configure the vulnerability profiles exception rule. This opens

the Add Exception window:

of 178


4. Select the Signatures tab and enable the vulnerability signatures that you wish to have in the

vulnerability profiles exception rule.

5. Select Exception Details and enter these details:


Exempt IP Address Specify IP addresses that you want to exempt from the

vulnerability rule.

Threshold

Track By Select the threshold application on the exempted IP

address. The options are:

Source

Destination

Source and Destination

Interval Specify an interval (seconds).

Threshold Specify the number of hits per interval based on direction of

traffic.

Packet Capture Select this to enable packet capture. Specify the pre-window and

post-window packet capture sessions.


of 178







5. Click OK to create the vulnerability profile rule exemption for the security policy.

Custom IPS Signature

Versa FlexVNF consists of a predefined set of IPS signatures that are defined and updated by the Versa security research team through security package updates. You can also import your own custom IPS signatures into Versa FlexVNF. You can configure a vulnerability with both predefined and user-defined signatures. Versa FlexVNF scans the network traffic for both predefined and user-defined vulnerabilities and enforces the configured security action if a match is found.

NOTE: The custom signatures should be in the snort rule format. Refer to www.snort.org for more information about Snort IDS/IPS.

To use custom IPS signatures, upload the signatures to Versa Director to push the IDS signatures to any of Versa FlexVNF appliances managed by Versa Director. You can enable and configure the vulnerability profile with the custom IPS signature after applying them to FlexVNF.

Configuring Custom IPS Signature

Follow these steps to configure a custom IPS signature:


template.

2. In Director context, select Configuration > Objects & Connectors > Objects > Custom Objects

> Vulnerability Rules .

3. Select the Director tab in the dashboard and click to opens the Upload Custom Vulnerability Rules

File to Director and upload the custom IPS signature for user defined vulnerability.

a. Click Browse to select the custom captive portal page (in zipped format).


1. Select the Appliance tab to associate the custom vulnerability rule and the action type for an appliance.

http://www.snort.org/

of 178


a. click to opens the Upload Custom Vulnerability Rules File to Appliance and select a

Custom Rule for the custom IPS signature.

2. Select Enable Rules tab to enable the custom IPS signature for a user defined vulnerability on a tenant.

a. Click in the dashboard to enable the action types on the custom IPS signature. This opens

the Enable Rules window.

a. Select the checkbox to enable a rule for the custom IPS signature.


1. Click OK to complete the activation of custom IPS signature for user defined vulnerability.

Deactivating Custom IPS Signatures for User Defined Vulnerability

Follow these steps to deactivate a custom IPS signature for user defined vulnerability:

1. Select Configuration > Objects & Connectors > Objects > Custom Objects >

Vulnerability Rules .

2. Select Enable Rules tab to enable the custom IPS signature for a user defined vulnerability on a tenant.

a. Click in the dashboard to enable the action types on the custom IPS signature. This opens the

Enable Rules window.

b. Unselect the checkbox to deactivate a rule for the custom IPS signature.

c. Click OK to close the window.

3. Click OK to complete the deactivation of custom IPS signature for user defined vulnerability.

of 178


Security Analytics

Security Analytics Dashboard

Versa FlexVNF security solution uses Versa Analytics to provide visibility and analytics of the traffic. Policy rules are configured on Versa FlexVNF appliances to send traffic logs for specific traffic of interest to Versa Analytics.

Versa’s Security Analytics has built-in dashboards for:

• Application Visibility

• Web Visibility

• Firewall

• Threat filtering and detection

Select Analytics > Home > Security to view the security analytics dashboard. For releases before 16.1R2 you have to first select the Director Context and an appliance in the Versa Director Web UI and then select Analytics > Home > Security. The dashboard provides a summary of security features in a tiled format. It displays these tiles:

• Top Applications Top URL Categories

• Top Bandwidth Consuming Applications Top Rules

• Top Destination Addresses Top Source Addresses

• Top Zone Firewall actions Top Threat Types

These images show cases the Security Analytics Dashboard displaying the top data for each of the security parameters:

of 178


Application Visibility

An application is determined based on deep packet inspection (DPI). The firewall uses IP address and port numbers for enforcing policies. This assumes users connect to the network from a fixed location and access particular resource using specific port numbers.

Versa supports more than 2600 applications that are automatically recognized based on application signatures. Each application is associated with attributes, like Family, Subfamily and Tags. Additionally, Versa supports user-defined applications, application groups and dynamic application filters. The Versa Analytics shows the visibility of the applications based on predefined and user- defined applications, application groups and dynamic application filters.

Follow these steps to view the application analytics:

Select the Director Context and an appliance in the Versa Director Web UI and then select Analytics > Home > Security > Applications to view the dashboard.

The dashboard has these tabs:

Applications

Risk

Productivity

of 178


Families

Sub Families

Select the default Application tab to view analytical statistics for:

Top applications by session—Displays information of top applications by session.

Application usage over time by bandwidth—Displays information of application usage over different hours of the day by bandwidth.

Application—Displays the summary details of the application by session and bandwidth and other session related information like volume received (bytes) and volume transmitted (bytes) per session, average duration of each session (milliseconds), and bandwidth received and transmitted (bps) per session.

Select the Risk tab to view traffic usage per risk level. Drilldown for a risk will provide top applications with the risk value.

of 178


Select the Productivity tab to view traffic usage for a productivity level. Drilldown for a productivity will provide top applications with the productivity value.

Select the Families tab to view traffic usage per predefined application family. Drilldown on a specific family value will provide top applications for that family.

of 178


Select the Sub Families tab to view traffic usage per predefined sub family. Drilldown on a specific subfamily value will provide top applications for that subfamily.

Web Visibility

Follow these steps to view the Web traffic visibility:

Select the Director Context and an appliance in the Versa Director Web UI and then select Analytics > Home > Security > Web to view the dashboard.


URL Categories

URL Reputation

Select the URL Categories tab to view traffic usage per URL category.

URL Category Usage over time by bandwidth—Displays the bandwidth consumption of the traffic that matches the URL category configured in the security access policy rules. Click on each legend to view individual category specific data.

• URL Category Usage—Displays the detailed log for each URL category and its bandwidth consumption and other related details.

of 178


Select the URL Reputation tab to view traffic usage per URL reputation.

URL Reputation usage over time by bandwidth—Displays the bandwidth consumption of the traffic that matches the URL reputation configured in the security access policy rules.

• URL Reputation usage—Displays the detailed log for each URL reputation and its bandwidth consumption and other related details.

of 178


Firewall

To view the firewall reports:

Select Analytics > Home > Security > Firewall to view the dashboard.

For releases prior to 16.1R2 select the Director Context and an appliance in the Versa Director Web UI and then select Analytics > Home > Security > Firewall to view the dashboard.


Rules Tab

Source Tab

Destination Tab

Zone Tab

Forwarding Class Tab

Rule usage over time by bandwidth—Displays the bandwidth consumption of the traffic that matches the security access policy rules.

of 178


Source usage over time by bandwidth—Displays the bandwidth consumption of the traffic based on source location.

of 178


Destination usage over time by bandwidth—Displays the bandwidth consumption of the traffic based on destination.

of 178


Zone usage over time by bandwidth—Displays the bandwidth consumption of the traffic that matches the security access policy rules based on zones.

of 178


Select the Forwarding Class tab to view analytical statistics of the security policy rule based on the forwarding class. The data is displayed for:

FC usage over time by bandwidth—Displays the bandwidth consumption of the traffic that matches the security access policy rules based on forwarding class.

• FC usage—Displays the detailed log for each forwarding class and its bandwidth consumption and other related details.

of 178


Threat Monitoring

Versa’s threat monitoring solution offers these set of security capabilities, in addition to all the security features of a Next Generation Firewall (NGFW):

To view Threat Monitoring reports:

Select Analytics > Home > Security > Threats to view the dashboard.

For releases prior to 16.1R2 select the Director Context and an appliance in the Versa Director Web UI and then select Analytics > Home > Security > Threats to view the dashboard.


Web Filtering

IP Filtering

Malware

Vulnerabilities

DDoS

Summary

of 178


Select the default Web tab to view reports for URL Filtering using the NGFW and URL Filtering profiles. It displays these tiles: Top URL Categories. Top URL Reputation. Top URL Filtering Profiles. Top URL Filtering Source.

Drilldown provides detailed view of the URL filtering events matching the drill key.

Select the IP tab to view IP filtering report. It displays these tiles:

Top IP Filtering Action Top IP Filtering Profiles

Top Filtering Destination Reputation Top IP Filtering Source

of 178


Drilldown provides detailed view of the IP filtering events matching the drill key.

of 178


Select the Malware tab to view antivirus scan reports. It displays these tiles:

NOTE: CenturyLink Anti-Virus is not yet a supported feature. These charts will show “No data to display” if AV is not enabled. AV is on CenturyLink roadmap for support in late 2019.

Top Anti-Virus Malwares

Top infected Applications

Top Victims

Top Attackers

of 178


Select the Vulnerabilities tab to view IDP threat reports. It displays these tiles:

Top Threats

Top Signature ID

Top Source

Top Destination

of 178


Select the DDOS tab to view DOS threat reports. It displays the Top DDoS Threads information.

of 178


Select the Summary tab to view the threat reports. The tiles display the summary of:

Top Appliances with Threats

Top Threat Types

centurylink sd-wan security user guide · 2020-02-13 · provide great shortcuts, hints, and...

Documents