fw ddos-protection¶

Configure FW DDoS Protection

ddos-protection Specification¶

Parameter Value

Type Configuration Resource

Element Name ddos-protection

Element URI /axapi/v3/fw/ddos-protection

Element Attributes ddos-protection_attributes

Partition Visibility shared

Statistics Data URI /axapi/v3/fw/ddos-protection/stats

Operational Data URI /axapi/v3/fw/ddos-protection/oper

Schema ddos-protection schema

Operations Allowed:

Operation	Method	URI	Payload
Create Object	POST	/axapi/v3/fw/ddos-protection	ddos-protection attributes
POST /axapi/v3/fw/ddos-protection Payload: { "ddos-protection": { "dynamic-blacklist": { "dynamic-blacklist-action": "enable", "dir": "inbound", "timeout": 1 } } }
Get Object	GET	/axapi/v3/fw/ddos-protection	ddos-protection attributes
GET /axapi/v3/fw/ddos-protection Reponse: { "ddos-protection": { "dynamic-blacklist": { "dynamic-blacklist-action": "enable", "dir": "inbound", "timeout": 1 }, "logging": { "logging-action": "enable", "enable-action": "local" }, "action": { "action-type": "drop", "expiration-route": 60 }, "uuid": "db25808a-6612-11d9-9a27-692335d4f00d", "a10-url": "/axapi/v3/fw/ddos-protection" } }
Modify Object	POST	/axapi/v3/fw/ddos-protection	ddos-protection attributes
Delete Object	DELETE	/axapi/v3/fw/ddos-protection	ddos-protection attributes
DELETE /axapi/v3/fw/ddos-protection Reponse: { "response": { "http-status": 200, "status": "OK", "msg": "Success" } }

ddos-protection attributes¶

action

Description: action is a JSON Block. Please see below for action

Type: Object

dynamic-blacklist

Description: dynamic-blacklist is a JSON Block. Please see below for dynamic-blacklist

Type: Object

logging

Description: logging is a JSON Block. Please see below for logging

Type: Object

sampling-enable

Type: List

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Maximum Length: 1 characters

action¶

Specification Value

Type object

action-type

Description ‘drop’: Log, and drop all packets (default); ‘redistribute-route’: Log, Drop, and Notify upstream router to reroute the packets;

Type: string

Supported Values: drop, redistribute-route

Default: drop

expiration

Description To specify time in minutes to revert the action (Expiration time, in minutes (default is 5 mins))

Type: number

Range: 2-144000

Default: 5

expiration-route

Description To specify time in minutes to revert the action (Expiration time, in minutes (default is 60 mins))

Type: number

Range: 2-144000

Default: 60

remove-wait-timer

Description Max time to wait before removing IP from blackhole (Max value in seconds (default 300))

Type: number

Range: 0-300

Default: 300

route-map

Description Route map name

Type: string

Maximum Length: 128 characters

Maximum Length: 1 characters

timer-multiply-max

Description To specify max value of timer multiplier for attacks lasted long time (Max value of timer multiplier (default is 6))

Type: number

Range: 1-100

Default: 6

logging¶

Specification Value

Type object

enable-action

Description ‘local’: Enable local logs only; ‘remote’: Enable logging to remote server & IPFIX; ‘both’: Enable both local & remote logs;

Type: string

Supported Values: local, remote, both

Default: local

logging-action

Description ‘enable’: enable FW DDoS protection logging; ‘disable’: Disable both local & remote FW DDoS protection logging;

Type: string

Supported Values: enable, disable

Default: enable

sampling-enable¶

Specification Value

Type list

Block object keys

counters1

Description ‘all’: all; ‘ddos_entries_too_many’: Too many DDOS entries; ‘ddos_entry_added’: DDOS entry added; ‘ddos_entry_removed’: DDOS entry removed; ‘ddos_entry_added_to_bgp’: DDoS Entry added to BGP; ‘ddos_entry_removed_from_bgp’: DDoS Entry Removed from BGP; ‘ddos_entry_add_to_bgp_failure’: DDoS Entry BGP add failures; ‘ddos_entry_remove_from_bgp_failure’: DDOS entry BGP remove failures; ‘ddos_packet_dropped’: DDOS Packet Drop;

Type: string

Supported Values: all, ddos_entries_too_many, ddos_entry_added, ddos_entry_removed, ddos_entry_added_to_bgp, ddos_entry_removed_from_bgp, ddos_entry_add_to_bgp_failure, ddos_entry_remove_from_bgp_failure, ddos_packet_dropped

dynamic-blacklist¶

Specification Value

Type object

cpu-threshold

Description Core-level CPU usage threshold for dynamic blacklist creation (Core-level CPU usage threshold for dynamic blacklist creation (default is 60))

Type: number

Range: 0-80

Default: 60

dir

Description ‘inbound’: enable in inbound direction; ‘outbound’: enable in outbound direction; ‘both’: enable in both directions;

Type: string

Supported Values: inbound, outbound, both

Default: both

dynamic-blacklist-action

Description ‘enable’: Enable protection against volumetric attacks using dynamic blacklist; ‘disable’: Disable protection against volumetric attacks using dynamic blacklist;

Type: string

Supported Values: enable, disable

Default: disable

timeout

Description Timeout value (in seconds) for dynamic blacklist (Timeout value (in seconds) for dynamic blacklist(default is 5 seconds))

Type: number

Range: 1-30

Default: 5