Example API Configuration
The following example shows a possible configuration of a TCP Template and DDoS Zone using the aXAPI. The workflow consists of the following steps:
- Configure TCP Template - configure a TCP Template for SYN authentication.
- Configure DDoS DST Zone - configure DDoS DST Zone and port.
- View Your Configuration - confirm the TCP Template and DDoS DST Zone configuration is correct.
- Edit Your Configuration - use the UUID to make configuration changes.
Note
For this example, the ACOS device will have an IP address of 10.10.10.10. To configure your own ACOS device, you must change the IP address in the following example cURL calls to the IP address or hostname configured on your ACOS device.
Configure TCP Template
The following aXAPI example configures a TCP template for SYN authentication with action to drop malicious TCP traffic:
curl -X POST https://10.10.10.10/axapi/v3/ddos/zone-template/tcp/ \
  -H "Authorization: A10 618c9ac5f73f8a8643bb750f8ff892" \
  -k -H "Content-type: application/json" --data @filename1
The file filename1 contains the request body:
{
  "tcp-list": [
    {
      "name":"tcp-template1",
      "syn-authentication": {
        "syn-auth-fail-action":"drop"
      }
    }
  ]
}
The HTTP response to the above request will contain the following payload:
{
"tcp": {
"name":"tcp-template1",
"age":2,
"syn-cookie":0,
"create-conn-on-syn-only":0,
"per-conn-rate-interval":"1sec",
"dst": {
"rate-limit": {
"syn-rate-limit": {
"dst-syn-rate-action":"drop"
}
}
},
"src": {
"rate-limit": {
"syn-rate-limit": {
"src-syn-rate-action":"drop"
}
}
},
"allow-syn-otherflags":0,
"allow-tcp-tfo":0,
"conn-rate-limit-on-syn-only":0,
"known-resp-src-port-cfg": {
"known-resp-src-port":0
},
"syn-authentication": {
"syn-auth-rto":0,
"syn-auth-fail-action":"drop"
},
"ack-authentication": {
"ack-auth-only":0,
"ack-auth-rto":0
},
"uuid":"53da8834-014b-11ea-b664-525400054d0e",
"a10-url":"/axapi/v3/ddos/zone-template/tcp/tcp-template1"
}
}
Take note of the UUID if you want to use it for subsequent calls regarding server1. See Edit Your Configuration for further details.
Configure DDoS DST Zone
The following aXAPI example configures a DDoS DST zone (z15) with an IP subnet address, TCP port 80 and UDP port 53, applies the TCP template (tcp-template1), and sets the TPS to monitor mode to mitigate traffic:
curl -X POST https://10.10.10.10/axapi/v3/ddos/dst/zone/ \
  -H "Authorization: A10 618050c80ddab905aa9b3b10ae555d" \
  -k -H "Content-type: application/json" --data @filename2
The file filename2 contains the request body:
{
  "zone": {
    "zone-name":"z15",
    "ip": [
      {
        "subnet-ip-addr":"10.10.15.0/24"
      }
    ],
    "port": {
      "zone-service-list": [
        {
          "port-num":53,
          "protocol":"udp"
        },
        {
          "port-num":80,
          "protocol":"tcp",
          "level-list": [
            {
              "level-num":"0",
              "zone-template": {
                "tcp":"tcp-template1"
              }
            }
          ]
        }
      ]
    }
  }
}
The body of the response will look like this:
{
"zone": {
"zone-name":"z15",
"operational-mode":"idle",
"force-operational-mode":0,
"ip": [
{
"subnet-ip-addr":"10.10.15.0/24"
}
],
"drop-frag-pkt":0,
"sflow-common":0,
"advertised-enable":0,
"telemetry-enable":0,
"reporting-disabled":0,
"log-enable":0,
"log-high-frequency":0,
"uuid":"7809c058-014b-11ea-b664-525400054d0e",
"port": {
"zone-service-list": [
{
"port-num":53,
"protocol":"udp",
"manual-mode-enable":0,
"deny":0,
"stateful":0,
"sflow-common":0,
"enable-class-list-overflow":0,
"enable-top-k":0,
"uuid":"780b805a-014b-11ea-b664-525400054d0e",
"ips": {
"uuid":"780bb39a-014b-11ea-b664-525400054d0e",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/53+udp/ips"
},
"port-ind": {
"uuid":"780ba670-014b-11ea-b664-525400054d0e",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/53+udp/port-ind"
},
"topk-sources": {
"uuid":"780bae36-014b-11ea-b664-525400054d0e",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/53+udp/topk-sources"
},
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/53+udp"
},
{
"port-num":80,
"protocol":"tcp",
"manual-mode-enable":0,
"deny":0,
"sflow-common":0,
"enable-class-list-overflow":0,
"enable-top-k":0,
"uuid":"780bb7aa-014b-11ea-b664-525400054d0e",
"level-list": [
{
"level-num":"0",
"zone-template": {
"tcp":"tcp-template1"
},
"start-pattern-recognition":0,
"apply-extracted-filters":0,
"uuid":"780c1844-014b-11ea-b664-525400054d0e",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/80+tcp/level/0"
}
],
"ips": {
"uuid":"780c159c-014b-11ea-b664-525400054d0e",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/80+tcp/ips"
},
"port-ind": {
"uuid":"780c0818-014b-11ea-b664-525400054d0e",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/80+tcp/port-ind"
},
"topk-sources": {
"uuid":"780c102e-014b-11ea-b664-525400054d0e",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/80+tcp/topk-sources"
},
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/80+tcp"
}
],
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port"
},
"web-gui": {
"status":"newly",
"activated-after-learning":0,
"sensitivity":"3",
"uuid":"780a5a0e-014b-11ea-b664-525400054d0e",
"learning": {
"duration":"6hour",
"uuid":"780a6b7a-014b-11ea-b664-525400054d0e",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/web-gui/learning"
},
"a10-url":"/axapi/v3/ddos/dst/zone/z15/web-gui"
},
"a10-url":"/axapi/v3/ddos/dst/zone/z15"
}
}
Confirm the TCP Template Configuration
To verify the configuration of zone z15, perform a GET request. The response also contains the UUID, or object key, which allows you to modify the configuration. Use the following aXAPI GET request to view DDoS DST zone z15. The UUID or object key for zone z15 is the zone-level "uuid" value in the output below:
curl -k https://10.10.10.10/axapi/v3/ddos/dst/zone/z15 \
-H "Content-Type:application/json" \
-H "Authorization: A10 613656af4369508b96bcff8855cb1c"
If everything has been configured correctly, this request will return the following response payload:
{
"zone": {
"zone-name":"z15",
"operational-mode":"monitor",
"force-operational-mode":0,
"ip": [
{
"subnet-ip-addr":"10.10.15.0/24"
}
],
"drop-frag-pkt":0,
"sflow-common":0,
"advertised-enable":0,
"telemetry-enable":0,
"reporting-disabled":0,
"log-enable":0,
"log-high-frequency":0,
"uuid":"6d6e167c-fc5e-11e9-9b53-000c290fd53a",
"port": {
"zone-service-list": [
{
"port-num":53,
"protocol":"udp",
"manual-mode-enable":0,
"deny":0,
"stateful":0,
"sflow-common":0,
"enable-class-list-overflow":0,
"enable-top-k":0,
"uuid":"6d6e4156-fc5e-11e9-9b53-000c290fd53a",
"ips": {
"uuid":"6d6e5ff6-fc5e-11e9-9b53-000c290fd53a",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/53+udp/ips"
},
"port-ind": {
"uuid":"6d6e5574-fc5e-11e9-9b53-000c290fd53a",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/53+udp/port-ind"
},
"topk-sources": {
"uuid":"6d6e5c7c-fc5e-11e9-9b53-000c290fd53a",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/53+udp/topk-sources"
},
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/53+udp"
},
{
"port-num":80,
"protocol":"tcp",
"manual-mode-enable":0,
"deny":0,
"sflow-common":0,
"enable-class-list-overflow":0,
"enable-top-k":0,
"uuid":"6d6e63a2-fc5e-11e9-9b53-000c290fd53a",
"level-list": [
{
"level-num":"0",
"zone-template": {
"tcp":"tcp-template"
},
"start-signature-extraction":0,
"apply-extracted-filters":0,
"uuid":"6d6e8224-fc5e-11e9-9b53-000c290fd53a",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/80+tcp/level/0"
}
],
"ips": {
"uuid":"6d6e7e96-fc5e-11e9-9b53-000c290fd53a",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/80+tcp/ips"
},
"port-ind": {
"uuid":"6d6e7338-fc5e-11e9-9b53-000c290fd53a",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/80+tcp/port-ind"
},
"topk-sources": {
"uuid":"6d6e79f0-fc5e-11e9-9b53-000c290fd53a",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/80+tcp/topk-sources"
},
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port/zone-service/80+tcp"
}
],
"a10-url":"/axapi/v3/ddos/dst/zone/z15/port"
},
"web-gui": {
"status":"newly",
"activated-after-learning":0,
"sensitivity":"3",
"uuid":"6d6e2f4a-fc5e-11e9-9b53-000c290fd53a",
"learning": {
"duration":"6hour",
"uuid":"6d6e3300-fc5e-11e9-9b53-000c290fd53a",
"a10-url":"/axapi/v3/ddos/dst/zone/z15/web-gui/learning"
},
"a10-url":"/axapi/v3/ddos/dst/zone/z15/web-gui"
},
"a10-url":"/axapi/v3/ddos/dst/zone/z15"
}
}
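An added example, not part of the original page or of A10's own tooling: a Python check that compares the GET response for zone z15 with the configuration that was intended and returns the zone UUID needed for the edit step. The trimmed sample response and the names audit_zone, zone_uuid and EXPECTED are assumptions for illustration; on the sample it reports that port 80 lists tcp-template rather than the tcp-template1 created earlier.

```python
import json

# Constructed sample: the GET response for zone z15 above, trimmed to the
# fields this check reads (values copied from the page).
SAMPLE = json.loads("""
{"zone": {"zone-name": "z15", "operational-mode": "monitor",
  "ip": [{"subnet-ip-addr": "10.10.15.0/24"}],
  "uuid": "6d6e167c-fc5e-11e9-9b53-000c290fd53a",
  "port": {"zone-service-list": [
    {"port-num": 53, "protocol": "udp"},
    {"port-num": 80, "protocol": "tcp", "level-list": [
      {"level-num": "0", "zone-template": {"tcp": "tcp-template"}}]}]}}}
""")

# Intended state, taken from the POST body in "Configure DDoS DST Zone":
# (port, protocol) -> TCP zone template that must be bound, or None.
EXPECTED = {"zone-name": "z15", "subnets": {"10.10.15.0/24"},
            "services": {(53, "udp"): None, (80, "tcp"): "tcp-template1"}}


def zone_uuid(response):
    """Zone-level UUID, the key used in /axapi/v3/uuid/<uuid> requests."""
    return response["zone"]["uuid"]


def audit_zone(response, expected):
    """Return a list of differences between the response and the intent."""
    zone = response.get("zone", {})
    findings = []
    if zone.get("zone-name") != expected["zone-name"]:
        findings.append(f"zone-name is {zone.get('zone-name')!r}")
    subnets = {e["subnet-ip-addr"] for e in zone.get("ip", [])}
    if subnets != expected["subnets"]:
        findings.append(f"subnets differ: {sorted(subnets)}")
    services = {(s["port-num"], s["protocol"]): s
                for s in zone.get("port", {}).get("zone-service-list", [])}
    for (port, proto), template in expected["services"].items():
        svc = services.get((port, proto))
        if svc is None:
            findings.append(f"service {port}/{proto} missing")
            continue
        bound = sorted(lvl["zone-template"]["tcp"]
                       for lvl in svc.get("level-list", [])
                       if "tcp" in lvl.get("zone-template", {}))
        if template is not None and template not in bound:
            findings.append(f"{port}/{proto}: {template} not bound, found {bound}")
    for port, proto in sorted(services.keys() - expected["services"].keys()):
        findings.append(f"unexpected service {port}/{proto}")
    return findings
```

An empty list from audit_zone means the SYN-authentication template is attached to the TCP service as intended; run it on the parsed body of the GET request before relying on the zone.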
Edit your Configuration
Delete a zone entry using the UUID for zone z15 from the previous GET request:
curl -k -i -X DELETE https://10.10.10.10/axapi/v3/uuid/6d6e167c-fc5e-11e9-9b53-000c290fd53a \
-H "Content-Type:application/json" \
-H "Authorization: A10 61eb9556a7a9d9a83bfce34aaa15a5"
This request will return the following response payload:
{
"response": {
"status": "OK"
}
}