APSolute Vision Administrator Guide

APSolute Vision Administrator GuideSoftware Version 1.07February, 2011Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator Guide2 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideImportant NoticesThe following important notices are presented in English, French, and German.Important NoticesThis guide is delivered subject to the following conditions and restrictions:Copyright Radware Ltd. 2006–2011. All rights reserved.The copyright and all other intellectual property rights and trade secrets included in this guide areowned by Radware Ltd.The guide is provided to Radware customers for the sole purpose of obtaining information withrespect to the installation and use of the Radware products described in this document, and may notbe used for any other purpose.The information contained in this guide is proprietary to Radware and must be kept in strictconfidence.It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof withoutthe prior written consent of Radware.Notice importanteCe guide est sujet aux conditions et restrictions suivantes : Copyright Radware Ltd. 2006–2011.Tous droits réservés.Le copyright ainsi que tout autre droit lié à la propriété intellectuelle et aux secrets industrielscontenus dans ce guide sont la propriété de Radware Ltd.Ce guide d'informations est fourni à nos clients dans le cadre de l'installation et de l'usage desproduits de Radware décrits dans ce document et ne pourra être utilisé dans un but autre que celuipour lequel il a été conçu.Les informations répertoriées dans ce document restent la propriété de Radware et doivent êtreconservées de manière confidentielle.Il est strictement interdit de copier, reproduire ou divulguer des informations contenues dans cemanuel sans avoir obtenu le consentement préalable écrit de Radware.Wichtige AnmerkungDieses Handbuch wird vorbehaltlich folgender Bedingungen und Einschränkungen ausgeliefert:Copyright Radware Ltd. 2006–2011. Alle Rechte vorbehalten.Das Urheberrecht und alle anderen in diesem Handbuch enthaltenen Eigentumsrechte undGeschäftsgeheimnisse sind Eigentum von Radware Ltd.Dieses Handbuch wird Kunden von Radware mit dem ausschließlichen Zweck ausgehändigt,Informationen zu Montage und Benutzung der in diesem Dokument beschriebene Produkte vonRadware bereitzustellen. Es darf für keinen anderen Zweck verwendet werden.Die in diesem Handbuch enthaltenen Informationen sind Eigentum von Radware und müssen strengvertraulich behandelt werden.Es ist streng verboten, dieses Handbuch oder Teile daraus ohne vorherige schriftliche Zustimmungvon Radware zu kopieren, vervielfältigen, reproduzieren oder offen zu legen.Document ID: RDWR-APSV-V107_AG1101 3

APSolute Vision Administrator GuideCopyright NoticesThe following copyright notices are presented in English, French, and German.Copyright NoticesThis product contains code developed by the OpenSSL ProjectThis product includes software developed by the OpenSSL Project. For use in the OpenSSL Toolkit.(http://www.openssl.org/).Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.This product contains the Rijndael cipherThe Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the publicdomain and distributed with the following license:@version 3.0 (December 2000)Optimized ANSI C code for the Rijndael cipher (now AES)@author Vincent Rijmen @author Antoon Bosselaers @author Paulo Barreto The OnDemand Switch may use software components licensed under the GNU General PublicLicense Agreement Version 2 (GPL v.2) including LinuxBios and Filo open source projects. Thesource code of the LinuxBios and Filo is available from Radware upon request. A copy of the licensecan be viewed at:http://www.gnu.org/licenses/old-licenses/gpl-2.0.htmlThis code is hereby placed in the public domain.This product contains code developed by the OpenBSD ProjectCopyright (c) 1983, 1990, 1992, 1993, 1995The Regents of the University of California. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permittedprovided that the following conditions are met:1. Redistributions of source code must retain the above copyright notice, this list of conditions andthe following disclaimer.2. Redistributions in binary form must reproduce the above copyright notice, this list of conditionsand the following disclaimer in the documentation and/or other materials provided with thedistribution.3. Neither the name of the University nor the names of its contributors may be used to endorse orpromote products derived from this software without specific prior written permission.This product includes software developed by Markus FriedlThis product includes software developed by Theo de RaadtThis product includes software developed by Niels ProvosThis product includes software developed by Dug SongThis product includes software developed by Aaron CampbellThis product includes software developed by Damien MillerThis product includes software developed by Kevin StevesThis product includes software developed by Daniel KourilThis product includes software developed by Wesley GriffinThis product includes software developed by Per AllanssonThis product includes software developed by Nils NordmanThis product includes software developed by Simon Wilkinson4 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideRedistribution and use in source and binary forms, with or without modification, are permittedprovided that the following conditions are met:1. Redistributions of source code must retain the above copyright notice, this list of conditions andthe following disclaimer.2. Redistributions in binary form must reproduce the above copyright notice, this list of conditionsand the following disclaimer in the documentation and/or other materials provided with thedistribution.ALL THE SOFTWARE MENTIONED ABOVE IS PROVIDED BY THE AUTHOR “AS IS” AND ANY EXPRESSOR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENTOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESSINTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUTOF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.Notice traitant du copyrightCe produit renferme des codes développés dans le cadre du projet OpenSSL.Ce produit inclut un logiciel développé dans le cadre du projet OpenSSL. Pour un usage dans la boîteà outils OpenSSL (http://www.openssl.org/).Copyright (c) 1998-2005 Le projet OpenSSL. Tous droits réservés. Ce produit inclut la catégorie dechiffre Rijndael.L'implémentation de Rijindael par Vincent Rijmen, Antoon Bosselaers et Paulo Barreto est dudomaine public et distribuée sous les termes de la licence suivante :@version 3.0 (Décembre 2000)Code ANSI C code pour Rijndael (actuellement AES)@author Vincent Rijmen @author Antoon Bosselaers @author Paulo Barreto .Le commutateur OnDemand peut utiliser les composants logiciels sous licence, en vertu des termesde la licence GNU General Public License Agreement Version 2 (GPL v.2), y compris les projets àsource ouverte LinuxBios et Filo. Le code source de LinuxBios et Filo est disponible sur demandeauprès de Radware. Une copie de la licence est répertoriée sur:http://www.gnu.org/licenses/old-licenses/gpl-2.0.htmlCe code est également placé dans le domaine public.Ce produit renferme des codes développés dans le cadre du projet OpenSSL.Copyright (c) 1983, 1990, 1992, 1993, 1995Les membres du conseil de l'Université de Californie. Tous droits réservés.La distribution et l'usage sous une forme source et binaire, avec ou sans modifications, est autoriséepour autant que les conditions suivantes soient remplies :1. La distribution d'un code source doit inclure la notice de copyright mentionnée ci-dessus, cetteliste de conditions et l'avis de non-responsabilité suivant.2. La distribution, sous une forme binaire, doit reproduire dans la documentation et/ou dans toutautre matériel fourni la notice de copyright mentionnée ci-dessus, cette liste de conditions etl'avis de non-responsabilité suivant.3. Le nom de l'université, ainsi que le nom des contributeurs ne seront en aucun cas utilisés pourapprouver ou promouvoir un produit dérivé de ce programme sans l'obtention préalable d'uneautorisation écrite.Ce produit inclut un logiciel développé par Markus FriedlDocument ID: RDWR-APSV-V107_AG1101 5

APSolute Vision Administrator GuideCe produit inclut un logiciel développé par Theo de Raadt Ce produit inclut un logiciel développé parNiels ProvosCe produit inclut un logiciel développé par Dug SongCe produit inclut un logiciel développé par Aaron Campbell Ce produit inclut un logiciel développépar Damien MillerCe produit inclut un logiciel développé par Kevin StevesCe produit inclut un logiciel développé par Daniel KourilCe produit inclut un logiciel développé par Wesley GriffinCe produit inclut un logiciel développé par Per AllanssonCe produit inclut un logiciel développé par Nils NordmanCe produit inclut un logiciel développé par Simon Wilkinson.La distribution et l'usage sous une forme source et binaire, avec ou sans modifications, est autoriséepour autant que les conditions suivantes soient remplies :1. La distribution d'un code source doit inclure la notice de copyright mentionnée ci-dessus, cetteliste de conditions et l'avis de non-responsabilité suivant.2. La distribution, sous une forme binaire, doit reproduire dans la documentation et/ou dans toutautre matériel fourni la notice de copyright mentionnée ci-dessus, cette liste de conditions etl'avis de non-responsabilité suivant.LE LOGICIEL MENTIONNÉ CI-DESSUS EST FOURNI TEL QUEL PAR LE DÉVELOPPEUR ET TOUTEGARANTIE, EXPLICITE OU IMPLICITE, Y COMPRIS, MAIS SANS S'Y LIMITER, TOUTE GARANTIEIMPLICITE DE QUALITÉ MARCHANDE ET D'ADÉQUATION À UN USAGE PARTICULIER EST EXCLUE.EN AUCUN CAS L'AUTEUR NE POURRA ÊTRE TENU RESPONSABLE DES DOMMAGES DIRECTS,INDIRECTS, ACCESSOIRES, SPÉCIAUX, EXEMPLAIRES OU CONSÉCUTIFS (Y COMPRIS, MAIS SANSS'Y LIMITER, L'ACQUISITION DE BIENS OU DE SERVICES DE REMPLACEMENT, LA PERTE D'USAGE,DE DONNÉES OU DE PROFITS OU L'INTERRUPTION DES AFFAIRES), QUELLE QU'EN SOIT LA CAUSEET LA THÉORIE DE RESPONSABILITÉ, QU'IL S'AGISSE D'UN CONTRAT, DE RESPONSABILITÉSTRICTE OU D'UN ACTE DOMMAGEABLE (Y COMPRIS LA NÉGLIGENCE OU AUTRE), DÉCOULANT DEQUELLE QUE FAÇON QUE CE SOIT DE L'USAGE DE CE LOGICIEL, MÊME S'IL A ÉTÉ AVERTI DE LAPOSSIBILITÉ D'UN TEL DOMMAGE.CopyrightvermerkeDieses Produkt enthält einen vom OpenSSL-Projekt entwickelten CodeDieses Produkt enthält vom OpenSSL-Projekt entwickelte Software. Zur Verwendung im OpenSSLToolkit. (http://www.openssl.org/).Copyright (c) 1998-2005 The OpenSSL Project. Alle Rechte vorbehalten. Dieses Produkt enthält dieRijndael cipherDie Rijndael-Implementierung von Vincent Rijndael, Anton Bosselaers und Paulo Barreto istöffentlich zugänglich und wird unter folgender Lizenz vertrieben:@version 3.0 (December 2000)Optimierter ANSI C Code für den Rijndael cipher (jetzt AES)@author Vincent Rijmen @author Antoon Bosselaers @author Paulo Barreto Der OnDemand Switch verwendet möglicherweise Software, die im Rahmen der DNU AllgemeineÖffentliche Lizenzvereinbarung Version 2 (GPL v.2) lizensiert sind, einschließlich LinuxBios und FiloOpen Source-Projekte. Der Quellcode von LinuxBios und Filo ist bei Radware auf Anfrage erhältlich.Eine Kopie dieser Lizenz kann eingesehen werden unter:http://www.gnu.org/licenses/old-licenses/gpl-2.0.htmlDieser Code wird hiermit allgemein zugänglich gemacht.Dieses Produkt enthält einen vom OpenBSD-Projekt entwickelten Code6 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideCopyright (c) 1983, 1990, 1992, 1993, 1995The Regents of the University of California. Alle Rechte vorbehalten.Die Verbreitung und Verwendung in Quell- und binärem Format, mit oder ohne Veränderungen, sindunter folgenden Bedingungen erlaubt:1. Die Verbreitung von Quellcodes muss den voranstehenden Copyrightvermerk, diese Liste vonBedingungen und den folgenden Haftungsausschluss beibehalten.2. Die Verbreitung in binärem Format muss den voranstehenden Copyrightvermerk, diese Liste vonBedingungen und den folgenden Haftungsausschluss in der Dokumentation und/oder andereMaterialien, die mit verteilt werden, reproduzieren.3. Weder der Name der Universität noch die Namen der Beitragenden dürfen ohne ausdrücklichevorherige schriftliche Genehmigung verwendet werden, um von dieser Software abgeleiteteProdukte zu empfehlen oder zu bewerben.Dieses Produkt enthält von Markus Friedl entwickelte Software Dieses Produkt enthält von Theo deRaadt entwickelte Software Dieses Produkt enthält von Niels Provos entwickelte Software DiesesProdukt enthält von Dug Song entwickelte SoftwareDieses Produkt enthält von Aaron Campbell entwickelte Software Dieses Produkt enthält von DamienMiller entwickelte Software Dieses Produkt enthält von Kevin Steves entwickelte Software DiesesProdukt enthält von Daniel Kouril entwickelte Software Dieses Produkt enthält von Wesley Griffinentwickelte Software Dieses Produkt enthält von Per Allansson entwickelte Software Dieses Produktenthält von Nils Nordman entwickelte SoftwareDieses Produkt enthält von Simon Wilkinson entwickelte SoftwareDie Verbreitung und Verwendung in Quell- und binärem Format, mit oder ohne Veränderungen, sindunter folgenden Bedingungen erlaubt:1. Die Verbreitung von Quellcodes muss den voranstehenden Copyrightvermerk, diese Liste vonBedingungen und den folgenden Haftungsausschluss beibehalten.2. Die Verbreitung in binärem Format muss den voranstehenden Copyrightvermerk, diese Liste vonBedingungen und den folgenden Haftungsausschluss in der Dokumentation und/oder andereMaterialien, die mit verteilt werden, reproduzieren.SÄMTLICHE VORGENANNTE SOFTWARE WIRD VOM AUTOR IM IST-ZUSTAND ("AS IS")BEREITGESTELLT. JEGLICHE AUSDRÜCKLICHEN ODER IMPLIZITEN GARANTIEN, EINSCHLIESSLICH,DOCH NICHT BESCHRÄNKT AUF DIE IMPLIZIERTEN GARANTIEN DER MARKTGÄNGIGKEIT UND DERANWENDBARKEIT FÜR EINEN BESTIMMTEN ZWECK, SIND AUSGESCHLOSSEN.UNTER KEINEN UMSTÄNDEN HAFTET DER AUTOR FÜR DIREKTE ODER INDIREKTE SCHÄDEN, FÜRBEI VERTRAGSERFÜLLUNG ENTSTANDENE SCHÄDEN, FÜR BESONDERE SCHÄDEN, FÜRSCHADENSERSATZ MIT STRAFCHARAKTER, ODER FÜR FOLGESCHÄDEN EINSCHLIESSLICH, DOCHNICHT BESCHRÄNKT AUF, ERWERB VON ERSATZGÜTERN ODER ERSATZLEISTUNGEN; VERLUST ANNUTZUNG, DATEN ODER GEWINN; ODER GESCHÄFTSUNTERBRECHUNGEN) GLEICH, WIE SIEENTSTANDEN SIND, UND FÜR JEGLICHE ART VON HAFTUNG, SEI ES VERTRÄGE,GEFÄHRDUNGSHAFTUNG, ODER DELIKTISCHE HAFTUNG (EINSCHLIESSLICH FAHRLÄSSIGKEITODER ANDERE), DIE IN JEGLICHER FORM FOLGE DER BENUTZUNG DIESER SOFTWARE IST, SELBSTWENN AUF DIE MÖGLICHKEIT EINES SOLCHEN SCHADENS HINGEWIESEN WURDE.Safety InstructionsThe following safety instructions are presented in English, French, and German.Safety InstructionsCAUTIONA readily accessible disconnect device shall be incorporated in the building installation wiring.Document ID: RDWR-APSV-V107_AG1101 7

APSolute Vision Administrator GuideDue to the risks of electrical shock, and energy, mechanical, and fire hazards, any procedures thatinvolve opening panels or changing components must be performed by qualified service personnelonly.To reduce the risk of fire and electrical shock, disconnect the device from the power line beforeremoving cover or panels.The following figure shows the caution label that is attached to Radware platforms with dual powersupplies.Figure 1: Electrical Shock Hazard LabelDUAL-POWER-SUPPLY-SYSTEM SAFETY WARNING IN CHINESEThe following figure is the warning for Radware platforms with dual power supplies.Figure 2: Dual-Power-Supply-System Safety Warning in ChineseTranslation of Figure 2 - Dual-Power-Supply-System Safety Warning in Chinese, page 8:This unit has more than one power supply. Disconnect all power supplies before maintenance toavoid electric shock.SERVICINGDo not perform any servicing other than that contained in the operating instructions unless you arequalified to do so. There are no serviceable parts inside the unit.HIGH VOLTAGEAny adjustment, maintenance, and repair of the opened instrument under voltage must be avoidedas much as possible and, when inevitable, must be carried out only by a skilled person who is awareof the hazard involved.Capacitors inside the instrument may still be charged even if the instrument has been disconnectedfrom its source of supply.GROUNDINGBefore connecting this device to the power line, the protective earth terminal screws of this devicemust be connected to the protective earth in the building installation.LASERThis equipment is a Class 1 Laser Product in accordance with IEC60825 - 1: 1993 + A1:1997 +A2:2001 Standard.8 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideFUSESMake sure that only fuses with the required rated current and of the specified type are used forreplacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided.Whenever it is likely that the protection offered by fuses has been impaired, the instrument must bemade inoperative and be secured against any unintended operation.LINE VOLTAGEBefore connecting this instrument to the power line, make sure the voltage of the power sourcematches the requirements of the instrument. Refer to the Specifications for information about thecorrect power rating for the device.48V DC-powered platforms have an input tolerance of 36-72V DC.SPECIFICATION CHANGESSpecifications are subject to change without notice.Note:This equipment has been tested and found to comply with the limits for a Class A digitaldevice pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN 55024; EN61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11For CE MARK Compliance. These limits are designed to provide reasonable protectionagainst harmful interference when the equipment is operated in a commercialenvironment. This equipment generates, uses and can radiate radio frequency energyand, if not installed and used in accordance with the instruction manual, may causeharmful interference to radio communications. Operation of this equipment in aresidential area is likely to cause harmful interference in which case the user is requiredto correct the interference at his own expense.VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENTSFigure 3: Statment for Class A VCCI-certified EquipmentTranslation of Figure 3 - Statment for Class A VCCI-certified Equipment, page 9:This is a Class A product based on the standard of the Voluntary Control Council for Interference byInformation Technology Equipment (VCCI). If this equipment is used in a domestic environment,radio disturbance may occur, in which case, the user may be required to take corrective action.Figure 4: Statment for Class B VCCI-certified EquipmentDocument ID: RDWR-APSV-V107_AG1101 9

APSolute Vision Administrator GuideTranslation of Figure 4 - Statment for Class B VCCI-certified Equipment, page 9:This is a Class B product based on the standard of the Voluntary Control Council for Interference byInformation Technology Equipment (VCCI). If this is used near a radio or television receiver in adomestic environment, it may cause radio interference.Install and use the equipment according to the instruction manual.SPECIAL NOTICE FOR NORTH AMERICAN USERSFor North American power connection, select a power supply cord that is UL Listed and CSA Certified3 - conductor, [18 AWG], terminated in a molded on plug cap rated 125 V, [5 A], with a minimumlength of 1.5m [six feet] but no longer than 4.5m...For European connection, select a power supplycord that is internationally harmonized and marked “”, 3 - conductor, 0,75 mm2 minimummm2 wire, rated 300 V, with a PVC insulated jacket. The cord must have a molded on plug cap rated250 V, 3 A.”.RESTRICT AREA ACCESSThe DC powered equipment should only be installed in a Restricted Access Area.INSTALLATION CODESThis device must be installed according to country national electrical codes. For North America,equipment must be installed in accordance with the US National Electrical Code, Articles 110 - 16,110 -17, and 110 -18 and the Canadian Electrical Code, Section 12.INTERCONNECTION OF UNITSCables for connecting to the unit RS232 and Ethernet Interfaces must be UL certified type DP-1 orDP-2. (Note- when residing in non LPS circuit)OVERCURRENT PROTECTIONA readily accessible listed branch-circuit over current protective device rated 15 A must beincorporated in the building wiring for each power input.REPLACEABLE BATTERIESIf equipment is provided with a replaceable battery, and is replaced by an incorrect battery type,then an explosion may occur. This is the case for some Lithium batteries and the following isapplicable:• If the battery is placed in an Operator Access Area, there is a marking close to the battery ora statement in both the operating and service instructions.• If the battery is placed elsewhere in the equipment, there is a marking close to the battery or astatement in the service instructions.This marking or statement includes the following text warning:CAUTIONRISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE.DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.Caution – To Reduce the Risk of Electrical Shock and Fire1. This equipment is designed to permit connection between the earthed conductor of the DCsupply circuit and the earthing conductor equipment. See Installation Instructions.2. All servicing must be undertaken only by qualified service personnel. There are not userserviceable parts inside the unit.3. DO NOT plug in, turn on or attempt to operate an obviously damaged unit.4. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED.5. Replace a blown fuse ONLY with the same type and rating as is marked on the safety labeladjacent to the power inlet, housing the fuse.6. Do not operate the device in a location where the maximum ambient temperature exceeds40°C/104°F.10 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator Guide7. Be sure to unplug the power supply cord from the wall socket BEFORE attempting to removeand/or check the main power fuse.CLASS 1 LASER PRODUCT AND REFERENCE TO THE MOST RECENT LASER STANDARDS IEC 60825-1:1993 + A1:1997 + A2:2001 AND EN 60825-1:1994+A1:1996+ A2:2001AC units for Denmark, Finland, Norway, Sweden (marked on product):• Denmark - “Unit is class I - unit to be used with an AC cord set suitable with Denmarkdeviations. The cord includes an earthing conductor. The Unit is to be plugged into a wall socketoutlet which is connected to a protective earth. Socket outlets which are not connected to earthare not to be used!”• Finland - (Marking label and in manual) - “Laite on liitettävä suojamaadoituskoskettimillavarustettuun pistorasiaan”• Norway (Marking label and in manual) - “Apparatet må tilkoples jordet stikkontakt”• Unit is intended for connection to IT power systems for Norway only.• Sweden (Marking label and in manual) - “Apparaten skall anslutas till jordat uttag.”To connect the power connection:1. Connect the power cable to the main socket, located on the rear panel of the device.2. Connect the power cable to the grounded AC outlet.CAUTIONRisk of electric shock and energy hazard. Disconnecting one power supply disconnects only onepower supply module. To isolate the unit completely, disconnect all power supplies.Instructions de sécuritéAVERTISSEMENTUn dispositif de déconnexion facilement accessible sera incorporé au câblage du bâtiment.En raison des risques de chocs électriques et des dangers énergétiques, mécaniques et d'incendie,chaque procédure impliquant l'ouverture des panneaux ou le remplacement de composants seraexécutée par du personnel qualifié.Pour réduire les risques d'incendie et de chocs électriques, déconnectez le dispositif du blocd'alimentation avant de retirer le couvercle ou les panneaux.La figure suivante montre l'étiquette d'avertissement apposée sur les plateformes Radware dotéesde plus d'une source d'alimentation électrique.Figure 1 : Étiquette d'avertissement de danger de chocs électriquesFigure 5: Étiquette d'avertissement de danger de chocs électriquesAVERTISSEMENT DE SÉCURITÉ POUR LES SYSTÈMES DOTÉS DE DEUX SOURCES D'ALIMENTATIONÉLECTRIQUE (EN CHINOIS)La figure suivante représente l'étiquette d'avertissement pour les plateformes Radware dotées dedeux sources d'alimentation électrique.Document ID: RDWR-APSV-V107_AG1101 11

APSolute Vision Administrator GuideFigure 6: Avertissement de sécurité pour les systèmes dotes de deux sources d'alimentationélectrique (en chinois)Traduction de la Figure 6 - Avertissement de sécurité pour les systèmes dotes de deux sourcesd'alimentation électrique (en chinois), page 12:Cette unité est dotée de plus d'une source d'alimentation électrique. Déconnectez toutes les sourcesd'alimentation électrique avant d'entretenir l'appareil ceci pour éviter tout choc électrique.ENTRETIENN'effectuez aucun entretien autre que ceux répertoriés dans le manuel d'instructions, à moins d'êtrequalifié en la matière. Aucune pièce à l'intérieur de l'unité ne peut être remplacée ou réparée.HAUTE TENSIONTout réglage, opération d'entretien et réparation de l'instrument ouvert sous tension doit être évité.Si cela s'avère indispensable, confiez cette opération à une personne qualifiée et consciente desdangers impliqués.Les condensateurs au sein de l'unité risquent d'être chargés même si l'unité a été déconnectée de lasource d'alimentation électrique.MISE A LA TERREAvant de connecter ce dispositif à la ligne électrique, les vis de protection de la borne de terre decette unité doivent être reliées au système de mise à la terre du bâtiment.LASERCet équipement est un produit laser de classe 1, conforme à la norme IEC60825 - 1 : 1993 + A1:1997 + A2 :2001.FUSIBLESAssurez-vous que, seuls les fusibles à courant nominal requis et de type spécifié sont utilisés enremplacement. L'usage de fusibles réparés et le court-circuitage des porte-fusibles doivent êtreévités. Lorsqu'il est pratiquement certain que la protection offerte par les fusibles a été détériorée,l'instrument doit être désactivé et sécurisé contre toute opération involontaire.TENSION DE LIGNEAvant de connecter cet instrument à la ligne électrique, vérifiez que la tension de la sourced'alimentation correspond aux exigences de l'instrument. Consultez les spécifications propres àl'alimentation nominale correcte du dispositif.Les plateformes alimentées en 48 CC ont une tolérance d'entrée comprise entre 36 et 72 V CC.MODIFICATIONS DES SPÉCIFICATIONSLes spécifications sont sujettes à changement sans notice préalable.Remarque: Cet équipement a été testé et déclaré conforme aux limites définies pour un appareilnumérique de classe A, conformément au paragraphe 15B de la réglementation FCC et EN55022Classe A, EN 55024, EN 61000-3-2 ; EN 61000-3-3 ; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC61000-4-11, pour la marque de conformité de la CE. Ces limites sont fixées pour fournir uneprotection raisonnable contre les interférences nuisibles, lorsque l'équipement est utilisé dans unenvironnement commercial. Cet équipement génère, utilise et peut émettre des fréquences radio et,s'il n'est pas installé et utilisé conformément au manuel d'instructions, peut entraîner desinterférences nuisibles aux communications radio. Le fonctionnement de cet équipement dans unezone résidentielle est susceptible de provoquer des interférences nuisibles, auquel cas l'utilisateurdevra corriger le problème à ses propres frais.DÉCLARATIONS SUR LES INTERFÉRENCES ÉLECTROMAGNÉTIQUES VCCI12 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideFigure 7: Déclaration pour l'équipement de classe A certifié VCCITraduction de la Figure 7 - Déclaration pour l'équipement de classe A certifié VCCI, page 13:Il s'agit d'un produit de classe A, basé sur la norme du Voluntary Control Council for Interference byInformation Technology Equipment (VCCI). Si cet équipement est utilisé dans un environnementdomestique, des perturbations radioélectriques sont susceptibles d'apparaître. Si tel est le cas,l'utilisateur sera tenu de prendre des mesures correctives.Figure 8: Déclaration pour l'équipement de classe B certifié VCCITraduction de la Figure 8 - Déclaration pour l'équipement de classe B certifié VCCI, page 13:Il s'agit d'un produit de classe B, basé sur la norme du Voluntary Control Council for Interference byInformation Technology Equipment (VCCI). S'il est utilisé à proximité d'un poste de radio ou d'unetélévision dans un environnement domestique, il peut entraîner des interférences radio.Installez et utilisez l'équipement selon le manuel d'instructions.NOTICE SPÉCIALE POUR LES UTILISATEURS NORD-AMÉRICAINSPour un raccordement électrique en Amérique du Nord, sélectionnez un cordon d'alimentationhomologué UL et certifié CSA 3 - conducteur, [18 AWG], muni d'une prise moulée à son extrémité,de 125 V, [5 A], d'une longueur minimale de 1,5 m [six pieds] et maximale de 4,5m...Pour laconnexion européenne, choisissez un cordon d'alimentation mondialement homologué et marqué"", 3 - conducteur, câble de 0,75 mm2 minimum, de 300 V, avec une gaine en PVC isolée. Laprise à l'extrémité du cordon, sera dotée d'un sceau moulé indiquant: 250 V, 3 A.".ZONE A ACCÈS RESTREINTL'équipement alimenté en CC ne pourra être installé que dans une zone à accès restreint. CODESD'INSTALLATIONCe dispositif doit être installé en conformité avec les codes électriques nationaux. En Amérique duNord, l'équipement sera installé en conformité avec le code électrique national américain, articles110-16, 110 -17, et 110 -18 et le code électrique canadien, Section 12. INTERCONNEXION DESUNÎTES.Les câbles de connexion à l'unité RS232 et aux interfaces Ethernet seront certifiés UL, type DP-1 ouDP-2. (Remarque- s'ils ne résident pas dans un circuit LPS) PROTECTION CONTRE LESSURCHARGES.Un circuit de dérivation, facilement accessible, sur le dispositif de protection du courant de 15 A doitêtre intégré au câblage du bâtiment pour chaque puissance consommée.BATTERIES REMPLAÇABLESDocument ID: RDWR-APSV-V107_AG1101 13

APSolute Vision Administrator GuideSi l'équipement est fourni avec une batterie, et qu'elle est remplacée par un type de batterieincorrect, elle est susceptible d'exploser. C'est le cas pour certaines batteries au lithium, leséléments suivants sont donc applicables :• Si la batterie est placée dans une zone d'accès opérateur, une marque est indiquée sur labatterie ou une remarque est insérée, aussi bien dans les instructions d'exploitation qued'entretien.• Si la batterie est placée ailleurs dans l'équipement, une marque est indiquée sur la batterie ouune remarque est insérée dans les instructions d'entretien.Cette marque ou remarque inclut l'avertissement textuel suivant : AVERTISSEMENTRISQUE D'EXPLOSION SI LA BATTERIE EST REMPLACÉE PAR UN MODÈLE INCORRECT. METTRE AUREBUT LES BATTERIES CONFORMÉMENT AUX INSTRUCTIONS.Attention - Pour réduire les risques de chocs électriques et d'incendie1. Cet équipement est conçu pour permettre la connexion entre le conducteur de mise à la terre ducircuit électrique CC et l'équipement de mise à la terre. Voir les instructions d'installation.2. Tout entretien sera entrepris par du personnel qualifié. Aucune pièce à l'intérieur de l'unité nepeut être remplacée ou réparée.3. NE branchez pas, n'allumez pas ou n'essayez pas d'utiliser une unité manifestementendommagée.4. Vérifiez que l'orifice de ventilation du châssis dans l'unité n'est PAS OBSTRUE.5. Remplacez le fusible endommagé par un modèle similaire de même puissance, tel qu'indiqué surl'étiquette de sécurité adjacente à l'arrivée électrique hébergeant le fusible.6. Ne faites pas fonctionner l'appareil dans un endroit, où la température ambiante dépasse lavaleur maximale autorisée. 40°C/104°F.7. Débranchez le cordon électrique de la prise murale AVANT d'essayer de retirer et/ou de vérifierle fusible d'alimentation principal.PRODUIT LASER DE CLASSE 1 ET RÉFÉRENCE AUX NORMES LASER LES PLUS RÉCENTES : IEC 60825-1:1993 + A1 :1997 + A2 :2001 ET EN 60825-1:1994+A1 :1996+ A2 :2001Unités à CA pour le Danemark, la Finlande, la Norvège, la Suède (indiqué sur le produit) :• Danemark - Unité de classe 1 - qui doit être utilisée avec un cordon CA compatible avec lesdéviations du Danemark. Le cordon inclut un conducteur de mise à la terre. L'unité serabranchée à une prise murale, mise à la terre. Les prises non-mises à la terre ne seront pasutilisées !• Finlande - (Étiquette et inscription dans le manuel) - Laite on liitettäväsuojamaadoituskoskettimilla varustettuun pistorasiaan"• Norvège (Étiquette et inscription dans le manuel) - "Apparatet må tilkoples jordet stikkontakt"• L'unité peut être connectée à un système électrique IT (en Norvège uniquement).• Suède (Étiquette et inscription dans le manuel) - "Apparaten skall anslutas till jordat uttag."Pour brancher à l'alimentation électrique :1. Branchez le câble d'alimentation à la prise principale, située sur le panneau arrière de l'unité.2. Connectez le câble d'alimentation à la prise CA mise à la terre. AVERTISSEMENTRisque de choc électrique et danger énergétique. La déconnexion d'une source d'alimentationélectrique ne débranche qu'un seul module électrique. Pour isoler complètement l'unité, débrancheztoutes les sources d'alimentation électrique.ATTENTIONRisque de choc et de danger électriques. Le débranchement d'une seule alimentation stabilisée nedébranche qu'un module "Alimentation Stabilisée". Pour Isoler complètement le module en cause, ilfaut débrancher toutes les alimentations stabilisées.14 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideAttention: Pour Réduire Les Risques d'Électrocution et d'Incendie1. Toutes les opérations d'entretien seront effectuées UNIQUEMENT par du personnel d'entretienqualifié. Aucun composant ne peut être entretenu ou remplacée par l'utilisateur.2. NE PAS connecter, mettre sous tension ou essayer d'utiliser une unité visiblement défectueuse.3. Assurez-vous que les ouvertures de ventilation du châssis NE SONT PAS OBSTRUÉES.4. Remplacez un fusible qui a sauté SEULEMENT par un fusible du même type et de mêmecapacité, comme indiqué sur l'étiquette de sécurité proche de l'entrée de l'alimentation quicontient le fusible.5. NE PAS UTILISER l'équipement dans des locaux dont la température maximale dépasse 40degrés Centigrades.6. Assurez vous que le cordon d'alimentation a été déconnecté AVANT d'essayer de l'enlever et/ouvérifier le fusible de l'alimentation générale.SicherheitsanweisungenVORSICHTDie Elektroinstallation des Gebäudes muss ein unverzüglich zugängliches Stromunterbrechungsgerätintegrieren.Aufgrund des Stromschlagrisikos und der Energie-, mechanische und Feuergefahr dürfen Vorgänge,in deren Verlauf Abdeckungen entfernt oder Elemente ausgetauscht werden, ausschließlich vonqualifiziertem Servicepersonal durchgeführt werden.Zur Reduzierung der Feuer- und Stromschlaggefahr muss das Gerät vor der Entfernung derAbdeckung oder der Paneele von der Stromversorgung getrennt werden.Folgende Abbildung zeigt das VORSICHT-Etikett, das auf die Radware-Plattformen mitDoppelspeisung angebracht ist.Figure 9: Warnetikett StromschlaggefahrSICHERHEITSHINWEIS IN CHINESISCHER SPRACHE FÜR SYSTEME MIT DOPPELSPEISUNGDie folgende Abbildung ist die Warnung für Radware-Plattformen mit Doppelspeisung.Figure 10: Sicherheitshinweis in chinesischer Sprache für Systeme mit DoppelspeisungÜbersetzung von Figure 10 - Sicherheitshinweis in chinesischer Sprache für Systeme mitDoppelspeisung, page 15:Document ID: RDWR-APSV-V107_AG1101 15

APSolute Vision Administrator GuideDie Einheit verfügt über mehr als eine Stromversorgungsquelle. Ziehen Sie zur Verhinderung vonStromschlag vor Wartungsarbeiten sämtliche Stromversorgungsleitungen ab.WARTUNGFühren Sie keinerlei Wartungsarbeiten aus, die nicht in der Betriebsanleitung angeführt sind, es seidenn, Sie sind dafür qualifiziert. Es gibt innerhalb des Gerätes keine wartungsfähigen Teile.HOCHSPANNUNGJegliche Einstellungs-, Instandhaltungs- und Reparaturarbeiten am geöffneten Gerät unterSpannung müssen so weit wie möglich vermieden werden. Sind sie nicht vermeidbar, dürfen sieausschließlich von qualifizierten Personen ausgeführt werden, die sich der Gefahr bewusst sind.Innerhalb des Gerätes befindliche Kondensatoren können auch dann noch Ladung enthalten, wenndas Gerät von der Stromversorgung abgeschnitten wurde.ERDUNGBevor das Gerät an die Stromversorgung angeschlossen wird, müssen die Schrauben derErdungsleitung des Gerätes an die Erdung der Gebäudeverkabelung angeschlossen werden.LASERDieses Gerät ist ein Laser-Produkt der Klasse 1 in Übereinstimmung mit IEC60825 - 1: 1993 +A1:1997 + A2:2001 Standard.SICHERUNGENVergewissern Sie sich, dass nur Sicherungen mit der erforderlichen Stromstärke und derangeführten Art verwendet werden. Die Verwendung reparierter Sicherungen sowie dieKurzschließung von Sicherungsfassungen muss vermieden werden. In Fällen, in denenwahrscheinlich ist, dass der von den Sicherungen gebotene Schutz beeinträchtigt ist, muss dasGerät abgeschaltet und gegen unbeabsichtigten Betrieb gesichert werden.LEITUNGSSPANNUNGVor Anschluss dieses Gerätes an die Stromversorgung ist zu gewährleisten, dass die Spannung derStromquelle den Anforderungen des Gerätes entspricht. Beachten Sie die technischen Angabenbezüglich der korrekten elektrischen Werte des Gerätes.Plattformen mit 48 V DC verfügen über eine Eingangstoleranz von 36-72 V DC. ÄNDERUNGEN DERTECHNISCHEN ANGABENÄnderungen der technischen Spezifikationen bleiben vorbehalten.Hinweis: Dieses Gerät wurde geprüft und entspricht den Beschränkungen von digitalen Geräten derKlasse 1 gemäß Teil 15B FCC-Vorschriften und EN55022 Klasse A, EN55024; EN 61000-3-2; EN; IEC61000 4-2 to 4-6, IEC 61000 4-8 und IEC 61000-4- 11 für Konformität mit der CE-Bezeichnung.Diese Beschränkungen dienen dem angemessenen Schutz vor schädlichen Interferenzen bei Betriebdes Gerätes in kommerziellem Umfeld. Dieses Gerät erzeugt, verwendet und strahltelektromagnetische Hochfrequenzstrahlung aus. Wird es nicht entsprechend den Anweisungen imHandbuch montiert und benutzt, könnte es mit dem Funkverkehr interferieren und ihnbeeinträchtigen. Der Betrieb dieses Gerätes in Wohnbereichen wird höchstwahrscheinlich zuschädlichen Interferenzen führen. In einem solchen Fall wäre der Benutzer verpflichtet, dieseInterferenzen auf eigene Kosten zu korrigieren.ERKLÄRUNG DER VCCI ZU ELEKTROMAGNETISCHER INTERFERENZFigure 11: Erklärung zu VCCI-zertifizierten Geräten der Klasse A16 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideÜbersetzung von Figure 11 - Erklärung zu VCCI-zertifizierten Geräten der Klasse A, page 16:Dies ist ein Produkt der Klasse A gemäß den Normen des Voluntary Control Council for Interferenceby Information Technology Equipment (VCCI). Wird dieses Gerät in einem Wohnbereich benutzt,können elektromagnetische Störungen auftreten. In einem solchen Fall wäre der Benutzerverpflichtet, korrigierend einzugreifen.Figure 12: Erklärung zu VCCI-zertifizierte Geräte der Klasse BÜbersetzung von Figure 12 - Erklärung zu VCCI-zertifizierte Geräte der Klasse B, page 17:Dies ist ein Produkt der Klasse B gemäß den Normen des Voluntary Control Council for Interferenceby Information Technology Equipment (VCCI). Wird dieses Gerät in einem Wohnbereich benutzt,können elektromagnetische Störungen auftreten.Montieren und benutzen Sie das Gerät laut Anweisungen im Benutzerhandbuch.BESONDERER HINWEIS FÜR BENUTZER IN NORDAMERIKAWählen Sie für den Netzstromanschluss in Nordamerika ein Stromkabel, das in der UL aufgeführtund CSA-zertifiziert ist 3 Leiter, [18 AWG], endend in einem gegossenen Stecker, für 125 V, [5 A],mit einer Mindestlänge von 1,5 m [sechs Fuß], doch nicht länger als 4,5 m. Für europäischeAnschlüsse verwenden Sie ein international harmonisiertes, mit "" markiertes Stromkabel,mit 3 Leitern von mindestens 0,75 mm2, für 300 V, mit PVC-Umkleidung. Das Kabel muss in einemgegossenen Stecker für 250 V, 3 A enden.BEREICH MIT EINGESCHRÄNKTEM ZUGANGDas mit Gleichstrom betriebene Gerät darf nur in einem Bereich mit eingeschränktem Zugangmontiert werden.INSTALLATIONSCODESDieses Gerät muss gemäß der landesspezifischen elektrischen Codes montiert werden. InNordamerika müssen Geräte entsprechend dem US National Electrical Code, Artikel 110 - 16, 110 -17 und 110 - 18, sowie dem Canadian Electrical Code, Abschnitt 12, montiert werden.VERKOPPLUNG VON GERÄTEN Kabel für die Verbindung des Gerätes mit RS232- und EthernetmüssenUL-zertifiziert und vom Typ DP-1 oder DP-2 sein. (Anmerkung: bei Aufenthalt in einemnicht-LPS-Stromkreis)ÜBERSTROMSCHUTZEin gut zugänglicher aufgeführter Überstromschutz mit Abzweigstromkreis und 15 A Stärke muss fürjede Stromeingabe in der Gebäudeverkabelung integriert sein.AUSTAUSCHBARE BATTERIENWird ein Gerät mit einer austauschbaren Batterie geliefert und für diese Batterie durch einenfalschen Batterietyp ersetzt, könnte dies zu einer Explosion führen. Dies trifft zu für manche Artenvon Lithiumsbatterien zu, und das folgende gilt es zu beachten:• Wird die Batterie in einem Bereich für Bediener eingesetzt, findet sich in der Nähe der Batterieeine Markierung oder Erklärung sowohl im Betriebshandbuch als auch in der Wartungsanleitung.• Ist die Batterie an einer anderen Stelle im Gerät eingesetzt, findet sich in der Nähe der Batterieeine Markierung oder einer Erklärung in der Wartungsanleitung.Diese Markierung oder Erklärung enthält den folgenden Warntext: VORSICHTDocument ID: RDWR-APSV-V107_AG1101 17

APSolute Vision Administrator GuideEXPLOSIONSGEFAHR, FALLS BATTERIE DURCH EINEN FALSCHEN BATTERIETYP ERSETZT WIRD.GEBRAUCHTE BATTERIEN DEN ANWEISUNGEN ENTSPRECHEND ENTSORGEN.• Denmark - "Unit is class I - mit Wechselstromkabel benutzen, dass für die Abweichungen inDänemark eingestellt ist. Das Kabel ist mit einem Erdungsdraht versehen. Das Kabel wird in einegeerdete Wandsteckdose angeschlossen. Keine Steckdosen ohne Erdungsleitung verwenden!"• Finland - (Markierungsetikett und im Handbuch) - "Laite on liitettäväsuojamaadoituskoskettimilla varustettuun pistorasiaan• Norway - (Markierungsetikett und im Handbuch) - "Apparatet må tilkoples jordet stikkontaktAusschließlich für Anschluss an IT-Netzstromsysteme in Norwegen vorgesehen• Sweden - (Markierungsetikett und im Handbuch) - "Apparaten skall anslutas till jordat uttag."Anschluss des Stromkabels:1. Schließen Sie das Stromkabel an den Hauptanschluss auf der Rückseite des Gerätes an.2. Schließen Sie das Stromkabel an den geerdeten Wechselstromanschluss an.VORSICHTStromschlag- und Energiegefahr Die Trennung einer Stromquelle trennt nur einStromversorgungsmodul von der Stromversorgung. Um das Gerät komplett zu isolieren, muss esvon der gesamten Stromversorgung getrennt werden.Vorsicht - Zur Reduzierung der Stromschlag- und Feuergefahr1. Dieses Gerät ist dazu ausgelegt, die Verbindung zwischen der geerdeten Leitung desGleichstromkreises und dem Erdungsleiter des Gerätes zu ermöglichen. SieheMontageanleitung.2. Wartungsarbeiten jeglicher Art dürfen nur von qualifiziertem Servicepersonal ausgeführtwerden. Es gibt innerhalb des Gerätes keine vom Benutzer zu wartenden Teile.3. Versuchen Sie nicht, ein offensichtlich beschädigtes Gerät an den Stromkreis anzuschließen,einzuschalten oder zu betreiben.4. Vergewissern Sie sich, dass sie Lüftungsöffnungen im Gehäuse des Gerätes NICHT BLOCKIERTSIND.5. Ersetzen Sie eine durchgebrannte Sicherung ausschließlich mit dem selben Typ und von derselben Stärke, die auf dem Sicherheitsetikett angeführt sind, das sich neben demStromkabelanschluss, am Sicherungsgehäuse.6. Betreiben Sie das Gerät nicht an einem Standort, an dem die Höchsttemperatur der Umgebung40 °C überschreitet.7. Vergewissern Sie sich, das Stromkabel aus dem Wandstecker zu ziehen, BEVOR Sie dieHauptsicherung entfernen und/oder prüfen.18 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideDocument ConventionsThe following describes the conventions and symbols that this guide uses:Item Description Description (French) Beschreibung (German)An example scenario Un scénario d'exemple Ein BeispielszenariumExampleCaution:Possible damage toequipment, software, ordataAdditional informationEndommagementpossible de l'équipement,des données ou dulogicielInformationscomplémentairesMögliche Schäden anGerät, Software oderDatenZusätzlicheInformationenNote:A statement andinstructionsRéférences etinstructionsEine Erklärung undAnweisungenToTip:A suggestion orworkaroundPossible physical harm tothe operatorUne suggestion ousolutionBlessure possible del'opérateurEin Vorschlag oder eineUmgehungVerletzungsgefahr desBedienersWarning:Document ID: RDWR-APSV-V107_AG1101 19

APSolute Vision Administrator Guide20 Document ID: RDWR-APSV-V107_AG1101

Table of ContentsAPSolute Vision Administrator GuideTable of ContentsImportant Notices .......................................................................................................... 3Copyright Notices .......................................................................................................... 4Safety Instructions ......................................................................................................... 7Document Conventions ............................................................................................... 19Chapter 1 – Introduction to APSolute Vision ....................................................... 25What is APSolute Vision? ............................................................................................ 25APSolute Vision Three-Tier Architecture ..................................................................... 26Overview of APSolute Vision Features ........................................................................ 27Online Device Configuration ................................................................................................ 27Monitoring of Managed Devices and Services .................................................................... 28Operation Control and Maintenance .................................................................................... 28Scheduling ........................................................................................................................... 28Auditing and Alerts ............................................................................................................... 28User Management and Role-based Access Control (RBAC) .............................................. 29APSolute Vision Platform Security ....................................................................................... 29APSolute Vision Platform Management ............................................................................... 29Real-time Security Reporting for DefensePro ...................................................................... 29Historical Security Reporting—APSolute Vision Reporter for DefensePro ......................... 29APSolute Vision Interface Navigation .......................................................................... 30Configuration Perspective .................................................................................................... 30Monitoring & Control Perspective ........................................................................................ 33User Management Perspective ........................................................................................... 36Real-Time Monitoring Perspective ....................................................................................... 37APSolute Vision Sites .......................................................................................................... 38Chapter 2 – Getting Started with APSolute Vision............................................... 39Logging into APSolute Vision ...................................................................................... 39Changing Password for Local Users ........................................................................... 40Configuring the APSolute Vision Server ...................................................................... 41Configuring Server Connections .......................................................................................... 41Configuring Settings for the Alerts Pane .............................................................................. 43Configuring Monitoring Settings ........................................................................................... 44Configuring Database Settings ............................................................................................ 46Configuring Warning Thresholds ......................................................................................... 46Configuring Security Reporter Server Settings .................................................................... 47Configuring RADIUS Server Connections ........................................................................... 48Configuring APSolute Vision Server Advanced Parameters ............................................... 51Document ID: RDWR-APSV-V107_AG1101 21

APSolute Vision Administrator GuideTable of ContentsConfiguring Client Preferences ................................................................................... 52Configuring the Default Perspective .................................................................................... 52Configuring Default Client Settings for the Alerts Pane ....................................................... 53Configuring Default Display Settings for Monitoring and Reports ....................................... 53Updating the Attack Description File .......................................................................... 54After Initial Configuration ............................................................................................ 55Chapter 3 – Managing APSolute Vision Users..................................................... 57Logging In as the Default Administrator User—radware User ................................... 57Role-Based Access Control (RBAC) .......................................................................... 58Configuring User Roles for RBAC .............................................................................. 60Configuring Local Users ............................................................................................. 60Adding and Editing Users .................................................................................................... 61Deleting Users ..................................................................................................................... 63Releasing User Lockout ...................................................................................................... 63Resetting User Passwords to the Default ............................................................................ 63Resetting the radware Administrator Password .................................................................. 64Revoking and Enabling Users ............................................................................................. 64Exporting User Information .................................................................................................. 65Viewing User Statistics ............................................................................................... 65Configuring Global User Management Settings ......................................................... 66APSolute Vision Password Requirements .................................................................. 67Chapter 4 – Setting Up Your Network................................................................... 69Introducing APSolute Vision Sites .............................................................................. 69System Tree Structure ........................................................................................................ 69System Tree Organization ................................................................................................... 70Default Site and Device Names .......................................................................................... 70Configuring Sites ........................................................................................................ 71Adding and Removing Devices .................................................................................. 71Locking and Unlocking a Device ................................................................................ 74Creating AppDirector Clusters for High Availability .................................................... 74Creating DefensePro Clusters for High Availability .................................................... 75Finding Site Nodes ..................................................................................................... 77Next Steps .................................................................................................................. 77Chapter 5 – APSolute Vision CLI Commands ...................................................... 79Command Syntax Conventions .................................................................................. 79Accessing APSolute Vision CLI .................................................................................. 80Main CLI Menu ........................................................................................................... 80General CLI Commands ............................................................................................. 8122 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideTable of ContentsNetwork Configuration Commands .............................................................................. 83DNS Commands .................................................................................................................. 84Network Interface Commands ............................................................................................. 85Physical Interface Commands ............................................................................................. 86Routing Commands ............................................................................................................. 86System Commands ..................................................................................................... 88Backup and Restore Commands ......................................................................................... 89Database Commands .......................................................................................................... 89Date Commands .................................................................................................................. 90Network Time Protocol Commands ..................................................................................... 90TCP Capture Commands .................................................................................................... 91Time Zone Commands ........................................................................................................ 92APSolute Vision Server Commands .................................................................................... 92Additional System Commands ............................................................................................. 93Document ID: RDWR-APSV-V107_AG1101 23

APSolute Vision Administrator GuideTable of Contents24 Document ID: RDWR-APSV-V107_AG1101

Chapter 1 – Introduction to APSolute VisionThis guide is intended for administrators of APSolute Vision. The guide describes the relevantaspects of APSolute Vision and how to use it.Notes:>> For information about installing the APSolute Vision server and client, initial settings onthe APSolute Vision platform, and connecting the client to the server, see the RadwareInstallation and Maintenance Guide.>> For information about general-user operations, see the APSolute Vision User Guide.>> For information about the required workflows for configuring application delivery withAppDirector, see the AppDirector User Guide.>> For information about the required workflows for configuring network security withDefensePro, see the DefensePro User Guide.>> For information about APSolute Vision Reporter and how to use it, see its online help andthe APSolute Vision Reporter User Guide.The following topics introduce APSolute Vision:• What is APSolute Vision?, page 25• APSolute Vision Three-Tier Architecture, page 26• Overview of APSolute Vision Features, page 27• APSolute Vision Interface Navigation, page 30What is APSolute Vision?APSolute Vision is Radware’s next-generation management system. APSolute Vision simplifies andstandardizes the management of Radware application delivery control (ADC) and security solutions.Use APSolute Vision to manage and track Radware hardware devices and software components inIP-based enterprise networks.APSolute Vision provides:• Online configuration per device.• Monitoring and control of multiple devices, including enabling and disabling entities within adevice. APSolute Vision can monitor multiple devices in a single view.• Reporting and statistics at the device level, and on logical entities within a device. For real-timeand historical security reporting, APSolute Vision can also provide site and network-level reportsfor immediate problem isolation, convenient attack and status visibility and information drilldown.• A highly customized Role-Based Access Control system that allows granular control andmonitoring of various security aspects for different users.• Management capabilities, including:— Scheduling device control and maintenance tasks, such as, backup and restore, and so on.— Auditing— Alert browser (Alerts pane)— Device software managementDocument ID: RDWR-APSV-V107_AG1101 25

APSolute Vision Administrator GuideIntroduction to APSolute VisionAPSolute Vision includes a database for administrative, operational, and security events to facilitatethe creation of long and short-term reports.APSolute Vision provides stability, capacity, and usability, due to its:• Scalable, three-tier architecture• Optimized device access• Reduced client-to-server traffic• Operational use cases focusFigure 13: APSolute Vision Solution ModelAPSolute Vision clientsEmail/CRM/NMSManagement planeLAN/WANNorthboundSSLFirewallAPSolute Vision ServerCustomer Management NetworkSNMP V1/V2c/V3IRP – real-time statisticsHTTP(S)/TFTPDefensePro devicesAppDirector devicesAPSolute Vision Three-Tier ArchitectureAPSolute Vision is a three-tier management system with client, server and device tiers.The client tier does not connect to devices directly.The client tier does the following:• Runs as a Windows application on a PC and provides a Windows-based graphical user interfacewith separate perspectives for configuration, monitoring and control, and reports.• Transmits user requests to the server tier and displays the results in the APSolute Visioninterface in an intuitive and easy-to-read format.26 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideIntroduction to APSolute VisionThe server tier does the following:• Runs on the APSolute Vision platform• Processes user commands• Transmits and stores data from other tiers• Makes logical decisions and performs calculations• Performs user authentication and authorization• Collects statistics and generates reports• Collects alerts from the devices• Communicates with the managed devicesThe network physical device tier enables management of the collection of network elementsconnected to APSolute Vision. This includes AppDirector and DefensePro devices, which provideserver load-balancing, security, intrusion prevention and denial-of-service (DoS) protection.Overview of APSolute Vision FeaturesThis section provides an overview of APSolute Vision’s main features:• Online Device Configuration, page 27• Monitoring of Managed Devices and Services, page 28• Operation Control and Maintenance, page 28• Scheduling, page 28• Auditing and Alerts, page 28• User Management and Role-based Access Control (RBAC), page 29• APSolute Vision Platform Security, page 29• APSolute Vision Platform Management, page 29• Real-time Security Reporting for DefensePro, page 29• Historical Security Reporting—APSolute Vision Reporter for DefensePro, page 29Online Device ConfigurationOnline device configuration supports the following:• Easy access for all device configuration topics• Hierarchical logical element grouping• Cross-reference data entry• Graphical change notation• Drill-down configuration topics• Inline filteringDocument ID: RDWR-APSV-V107_AG1101 27

APSolute Vision Administrator GuideIntroduction to APSolute VisionMonitoring of Managed Devices and ServicesMonitoring of managed devices and services in APSolute Vision supports the following:• Easy access for all device monitoring topics• Logical-element grouping• Hierarchical browsing• Properties—status, management IP address, software version, hardware platform, licenseinformation, and the time of the last configuration change• Routing table• IP Statistics—received and discarded• Information on ports, VLANs, and trunks, such as:— General status— Statistics— Presents device statistics tables for device level and logical levelOperation Control and MaintenanceControl and maintenance operations include:• Enabling and disabling all relevant entities on a device.• Performing file transfers• Configuration backups• Device reboot• Configuring AppDirector pair clusters in APSolute Vision and synchronizing their configurations.SchedulingScheduling in APSolute Vision supports various operations for the APSolute Vision server andmanaged devices, which enable you to automate the tasks and to run repeated tasks.Scheduled tasks run according to the time as configured on the APSolute Vision client.Auditing and AlertsAuditing and alerts in APSolute Vision logs all alerts and actions for APSolute Vision and, optionally,for the managed devices. You can view auditing information and other alerts in the APSolute VisionAlerts pane.APSolute Vision’s Alerts pane provides fault management by supporting the following system andaudit alarms:• APSolute Vision server alarms• General device alarms (fan, CPU, and so on)• Audit trail messagesAlerts are created with the time at which the APSolute Vision server processed them, but the timedisplayed in the Alerts pane is the time of the APSolute Vision client with the proper time offset.APSolute Vision provides the audit trail for system messages and modifications to the configurationof managed devices.APSolute Vision can forward alarms and notifications. System Alarms can be forwarded via APSoluteVision. Security service alarms can be forwarded via APSolute Vision Reporter. E-mail notificationscan be sent via SMTP. Notifications can be sent to a syslog server.28 Document ID: RDWR-APSV-V107_AG1101

User Management and Role-based Access Control (RBAC)APSolute Vision Administrator GuideIntroduction to APSolute VisionThe APSolute Vision server enables multi-user access and provides role-based access control(RBAC).RBAC supports the following:• Predefined basic roles and permissions• Customized roles per user and permissions per role and device• Access-control configuration and management in a local user table or using an external RADIUSserver (using RADIUS vendor attributes)APSolute Vision Platform SecurityAPSolute Vision supports user security with user-account options for the following parameters:• Password expiration—specified in days• Inactivity timeout—auto logout• Forbidding use of old passwords• Password challenge configuration• Password constraints• Administrative actions to create users, reset user passwords, and locking out users.• Tracking user statistics for successful logins, failed logins, account locks, and so on.APSolute Vision Platform ManagementThe APSolute Vision Server supports the following management interfaces:• CLI shell commands for installation, first-time configuration, and special maintenance activities.• APSolute Vision client—for APSolute Vision server options, such as, timeouts, connectivity,event forwarding, and so on, and for server monitoring.Real-time Security Reporting for DefenseProAPSolute Vision provides real-time attack views and security service alarms for DefensePro devices.Historical Security Reporting—APSolute Vision Reporter for DefenseProAPSolute Vision supports the APSolute Vision Reporter for DefensePro.APSolute Vision Reporter is a historical security reporting engine, which provides the following:• Customizable dashboards, reports, and notifications• Advanced incident handling for security operating centers (SOCs) and network operating centers(NOCs)• Standard security reports• In-depth forensics capabilities• Ticket workflow managementDocument ID: RDWR-APSV-V107_AG1101 29

APSolute Vision Administrator GuideIntroduction to APSolute VisionAPSolute Vision Interface NavigationThe APSolute Vision interface follows a consistent hierarchical structure, organized functionally toenable easy access to options. You start at a high functional level and drill down to a specificmodule, function, or object.Each high-level function, such as device configuration, monitoring and control, viewing real-time orhistorical reports, is accessible from a separate perspective.APSolute Vision supports the following perspectives:• Configuration Perspective, page 30• Monitoring & Control Perspective, page 33• User Management Perspective, page 36• Real-Time Monitoring Perspective, page 37By default, all perspectives, except the Real-Time Monitoring perspective, include the Alerts Browserpane. This pane displays alerts raised by APSolute Vision and/or the managed devices.Note:You can configure which perspective is displayed by default when you start an APSoluteVision client session.Configuration PerspectiveUse the Configuration perspective to configure Radware devices and the APSolute Vision server. Youchoose the device to configure in the Configuration perspective navigation pane System tab. You canview and modify device settings in the content pane tabs, which have their own navigation panes foreasier navigation through configuration tasks.The Configuration perspective also includes a Properties pane, which displays information about thecurrently selected device.30 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideIntroduction to APSolute VisionFigure 14: Configuration Perspective—AppDirectorNavigation pane System tab—includes Vision Server node,site tree, configured sites, andconfigured devicesNavigation pane for the tabConfiguration button—opensthe Configuration perspectiveContent areaAlerts pane—alert browserProperties paneDocument ID: RDWR-APSV-V107_AG1101 31

APSolute Vision Administrator GuideIntroduction to APSolute VisionFigure 15: Configuration Perspective—DefenseProNavigation pane System tab—includes Vision Server node,site tree, configured sites, andconfigured devicesButton that opensthe APSoluteVision Reporter forDefense ProContent areaConfiguration button—opensthe Configuration perspectiveNavigation pane for the tabAlerts pane—alert browserProperties pane32 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideIntroduction to APSolute VisionThe following points apply to all configuration tasks in the Configuration perspective:• To configure a device, you must lock it. For more information, see Locking and Unlocking aDevice, page 74.• When you change a field value, the field label is displayed in italics.• Mandatory fields are displayed in red. You must enter data, or select an option in these fields.After setting a mandatory field, the field label changes to black.• By default, tables display up to 20 rows per table page. You can change the number of rows pertable up to a maximum of 100 rows.• You can perform one or more of the following operations on table entries:— Add a new entry to the table, and define its parameters.— Edit one or more parameters of an existing table entry.— Delete a table entry.• Device configuration information is saved only on the managed device, not in the APSoluteVision database. To commit information to the device, you must do the following:— Click OK when you modify settings in a configuration dialog box.— Click (Commit) when you modify settings in a configuration page.— Some configuration changes require an immediate device reboot. When you commit theconfiguration change the device will automatically reboot immediately.— Some configuration changes require a device reboot to take effect, but you can save thechange without an immediate reboot. When you commit a change without a reboot, theProperties pane displays a “Reboot Required” notification until you reboot the device.— Click Update Policies to implement policy-configuration changes. Policy-configurationchanges for a device are saved on the managed device, but are not applied until youperform a device configuration update.Example Device selection in Configuration perspectiveThe following example shows the selections you would make to view or change configurationparameters for a Radware device:1. Open the Configuration perspective by clicking at the top of the window.2. Select the required device in the System pane by drilling down through the sites and subsites.3. Right-click the device name, and select Lock Device.4. Select the required configuration tab in the content pane.Each tab displays a tab navigation pane and configuration options.5. Select an option in the navigation pane.6. You can now view and change configuration parameters.Monitoring & Control PerspectiveIn the Monitoring & Control perspective, you can monitor physical devices and interfaces, and logicalobjects, such as farms and servers. The Monitoring & Control perspective navigation pane containstwo navigation tabs. The System tab contains the physical devices and interfaces. The ApplicationDelivery tab contains the logical entities for AppDirector. The content pane for each type of entitycontains tabs in which you can view different types of information. Some tabs contain a navigationpane.Document ID: RDWR-APSV-V107_AG1101 33

APSolute Vision Administrator GuideIntroduction to APSolute VisionFigure 16: Monitoring & Control Perspective—AppDirectorNavigation pane System tab—includes Vision Server node, sitetree, configured sites, configureddevices, and device entitiesNavigation pane for tabContent areaMonitoring & Control button—opensMonitoring & Control perspectiveProperties paneAlerts pane—alert browser34 Document ID: RDWR-APSV-V107_AG1101

Figure 17: Monitoring & Control Perspective—DefenseProNavigation pane System tab—includes Vision Server node, sitetree, configured sites, configureddevices, and device entitiesNavigation pane for tabContent areaAPSolute Vision Administrator GuideIntroduction to APSolute VisionMonitoring & Control button—opensMonitoring & Control perspectiveProperties paneAlerts pane—alert browserDocument ID: RDWR-APSV-V107_AG1101 35

APSolute Vision Administrator GuideIntroduction to APSolute VisionUser Management PerspectiveIn the User Management perspective, you can manage and monitor multiple users who, in turn, canmanage multiple devices concurrently.Using APSolute Vision RBAC, you can allow the users various access control levels on devices. RBACprovides a set of pre-defined roles, which can be customized and assigned per user and per workingscope (device or group of devices). RBAC definition is supported both internally (in APSolute Vision)and through remote authentication (via RADIUS).Figure 18: User Management Perspective36 Document ID: RDWR-APSV-V107_AG1101

Real-Time Monitoring PerspectiveAPSolute Vision Administrator GuideIntroduction to APSolute VisionIn the Real-Time Monitoring perspective, you can access a collection of real-time monitoring toolsthat provide visibility regarding current attacks that DefensePro has detected.The Real-Time Monitoring perspective includes the following tabs:• Security Dashboard—A graphical summary view of all current active attacks in the network withcolor-coded attack-category identification, graphical threat-level indication, and instant drilldownto attack details.• Current Attacks—A view of the current attacks in a tabular format with graphical notations ofattack categories, threat-level indication, drill-down to attack details, and easy access to theprotecting rules for immediate fine-tuning.• Traffic Monitoring—A real-time graph and table displaying network information, with the attacktraffic and legitimate traffic filtered according to specified traffic direction and protocol.• Geo Map—A graphical map view that displays threats by origin with hierarchical drill-down to IPlevel.• BDoS Monitoring—Real-time graphs and tables with statistics on rules, protections according tospecified traffic direction and protocol, along with learned traffic baselines.• HTTP Reports—Real-time graphs and tables with statistics on rules, protections according tospecified traffic direction and protocol, along with learned traffic baselines.Figure 19: Real-Time Monitoring PerspectiveDocument ID: RDWR-APSV-V107_AG1101 37

APSolute Vision Administrator GuideIntroduction to APSolute VisionAPSolute Vision SitesThe site tree in the navigation pane System tab presents a logical representation of a physicalnetwork. You can organize the devices according to sites. A site is a group of devices. Devicesrepresent physical Radware devices. These devices have common properties, such as, physicallocation, services, device type, and so on. Sites can be nested, and each site can contain subsitesand devices. In the context of RBAC, sites enable administrators to define the scope of each user.38 Document ID: RDWR-APSV-V107_AG1101

Chapter 2 – Getting Started with APSoluteVisionThe following topics describe how to get started and set up APSolute Vision before configuring andmonitoring your Radware devices:• Logging into APSolute Vision, page 39• Changing Password for Local Users, page 40• Configuring the APSolute Vision Server, page 41• Configuring Client Preferences, page 52• Updating the Attack Description File, page 54• After Initial Configuration, page 55Note:For information about installing the APSolute Vision server and client, initial settings onthe APSolute Vision platform, and connecting the client to the server, see the RadwareInstallation and Maintenance Guide and APSolute Vision CLI Commands, page 79.Logging into APSolute VisionTo start working with APSolute Vision, the user logs into the APSolute Vision client.After successfully logging in with a username and authenticated password, the APSolute Vision clientapplication opens. The APSolute Vision client connects to the specified APSolute Vision server. Theuser always works online with APSolute Vision and its managed network elements.Up to 10 users can access the APSolute Vision server simultaneously.APSolute Vision supports role-based access control (RBAC) to manage user privileges. Usercredentials and privileges can be managed through RADIUS or through the local APSolute Visionuser database.For RBAC users, after successful authentication of username and password, the user’s role isdetermined together with the devices that the user is authorized to manage. The assigned roleremains fixed throughout the user session, and the user can access only the content panes, menus,and operations that the role allows.If a user enters the credentials incorrectly, the user is prompted to re-enter the information. After aglobally defined number of consecutive failures, the user is locked out of the system. If the useruses local user credentials, an administrator can release the lockout by resetting the password tothe global default password (see Releasing User Lockout, page 63). If the user uses RADIUScredentials, you must contact the RADIUS administrator.There are special properties and procedures for the user who first logs into the APSolute Visionserver. For more information, see Managing APSolute Vision Users, page 57.Document ID: RDWR-APSV-V107_AG1101 39

APSolute Vision Administrator GuideGetting Started with APSolute VisionTo log into APSolute Vision as an existing user1. Click the APSolute Vision Client program icon.2. In the login dialog box, specify the following:— User Name—The name of the user.— Password—The password for the user. Depending on the configuration of the server, youmay be required to change your password immediately. Default: radware.— Vision Server—The name or IP address of the APSolute Vision server. This parameter isdisplayed if you click Options. Otherwise, the login procedure automatically tries to connectto the APSolute Vision server that was specified previously.— Authentication—The method to authenticate the user: Local or RADIUS. That is, selectwhether to use the credential stored in the APSolute Vision server or the credentialsmanaged by the specified RADIUS Authentication server (see Configuring RADIUS ServerConnections, page 48). This parameter is displayed if you click Options. Otherwise, thelogin procedure automatically tries to connect to the APSolute Vision server using theauthentication method that was specified previously.3. Click OK.Changing Password for Local UsersIf your user credentials are managed through the local APSolute Vision Users table (not RADIUS),you can change your user password at the login. For information about password requirements, seeAPSolute Vision Password Requirements, page 67.To change a local user password1. Click the APSolute Vision Client program icon.2. Click Options.3. Click Change Password.4. In the Change Password dialog box, enter your username, old password, new password, andconfirm the new password.5. Click OK. Your new password is saved and the APSolute Vision dialog box is displayed.40 Document ID: RDWR-APSV-V107_AG1101

Configuring the APSolute Vision ServerAPSolute Vision Administrator GuideGetting Started with APSolute VisionBefore you start to configure Radware devices using APSolute Vision, you can change the APSoluteVision server configuration settings:• Configuring Server Connections, page 41• Configuring Settings for the Alerts Pane, page 43• Configuring Monitoring Settings, page 44• Configuring Database Settings, page 46• Configuring Warning Thresholds, page 46• Configuring Security Reporter Server Settings, page 47• Configuring RADIUS Server Connections, page 48• Configuring APSolute Vision Server Advanced Parameters, page 51Note:Mandatory settings are displayed in red.Configuring Server ConnectionsThese settings define how the APSolute Vision server communicates with the APSolute Vision client,external servers, and Radware devices.To configure the connections to and from the APSolute Vision server1. In the Configuration perspective navigation pane System tab, select Vision Server.2. Select the Connection tab in the content pane.3. Configure the parameters; and then, click (Commit) to commit the changes.Table 1: APSolute Vision Connection ParametersParameter DescriptionSNMP Parameters towards DevicesThese settings are for SNMP connections between APSolute Vision and other Radware devices. Allfields in this section are mandatory.Time OutNumber of RetriesThe time, in seconds, that APSolute Vision waits for a reply before retrying toconnect. If the device does not respond after the configured number ofretries, APSolute Vision notifies the user that the connection failed.Values: 1–180Default: 3The number of connection retries to the device, when the device does notrespond.Values: 1–100Default: 3Document ID: RDWR-APSV-V107_AG1101 41

APSolute Vision Administrator GuideGetting Started with APSolute VisionParameterPortThe port used to communicate with Radware devices.Values: 1–65,535Default: 161HTTP Parameters towards DevicesThese settings are for HTTP connections between APSolute Vision and other Radware devices.PortThe port used to communicate with Radware devices.Values: 1–65,535Default: 80HTTPS Parameters towards DevicesThese settings are for HTTPS connections between APSolute Vision and other Radware devices.PortThe port used to communicate with Radware devices.Values: 1–65,535Default: 443Proxy Server ParametersThese connection settings are for the proxy server that the APSolute Vision server uses todownload files from Radware.com. The Alerts pane displays a success or failure notification andwhether the operation was performed using a proxy server.Enable Proxy ServerIPPortUse AuthenticationUsernamePasswordVerify PasswordSpecifies whether the APSolute Vision server uses a proxy server todownload files from Radware.com.The IP address of the proxy server.The port of the proxy server.Specifies whether authentication is required for a successful connectionbetween the APSolute Vision server and the proxy server.The user name for the proxy server.The password for the proxy-server user.The password for the proxy-server user.APSolute Vision Client to ServerThese settings define when to close the connection between the server and client if there is noactivity on either side.Note: The client polls the server at regular intervals. If the server does not receive a poll fromthe client within 30 seconds, the server automatically closes the connection to the client.Enable SessionInactivity TimeoutSession InactivityTimeoutNo Server ReplyTimeoutTable 1: APSolute Vision Connection ParametersDescriptionThe default is selected, which means that the connection between the clientand user is closed after the specified timeout periods.The time, in minutes, of session inactivity after which the server logs theuser out. This field is available only when session inactivity timeout isenabled.Values: 1–60Default: 20The number of minutes the client waits for a server reply before closing theconnection to the server. Using this feature lets the user know when theserver has gone down.42 Document ID: RDWR-APSV-V107_AG1101

Configuring Settings for the Alerts PaneAPSolute Vision Administrator GuideGetting Started with APSolute VisionAPSolute Vision automatically displays alerts for APSolute Vision and all the managed Radwaredevices. The Alerts pane is available in all APSolute Vision perspectives. All alert information is savedin the APSolute Vision database. You can configure Alerts-pane settings to send alert reports to asyslog server and via e-mail to defined recipients. You can also configure default settings for theAlerts pane per client (see the procedure To change default Alerts-pane settings, page 53).For more information about the Alerts pane, see Managing Auditing and Alerts, page 47.To configure Alerts-pane settings1. In the Configuration perspective navigation pane System tab, select Vision Server.2. Select the Alert Browser tab in the content pane.3. Configure the parameters; and then, click (Commit) to commit the changes.Table 2: Alert Browser ParametersParameter DescriptionGeneral ParametersThese settings configure when to purge alerts information from the Alerts table in the APSoluteVision databasePurge Old RecordsEveryEnsure that atLeast % of Table isFreeThe time, in minutes, between purges of old records from the Alerts table inthe APSolute Vision database.Values: 5–1440Default: 10The percentage of the Alerts table that must always be free. If thepercentage falls below the defined value, old records will be purged.Values: 1–50 percentDefault: 10Syslog ReportingThese settings configure how APSolute Vision reports and logs events from the Alerts pane to asyslog server.EnableSelect to enable APSolute Vision to send reports and logs to a syslog server.Default: DisabledReportSelect whether to report all messages received by the Alerts pane or onlyaudit messages.Default: all messages.Syslog Server The IP address of the device running the syslog service.AddressL4 Source Port Values: 1–65,535Default: 514L4 Destination Port Values: 1–65,535Default: 514Syslog FacilityThe facility for all APSolute Vision syslog reporting. The list includes facilitiesas defined in the RFC 3164. The default is Log Audit. Change the default ifthe syslog server uses this facility for reports from another system.Document ID: RDWR-APSV-V107_AG1101 43

APSolute Vision Administrator GuideGetting Started with APSolute VisionParameterAlert Level to SyslogSeverity MappingMaps the APSolute Vision alert levels to syslog alert levels. For moreinformation, see Managing Auditing and Alerts, page 47.Note: The Minor alert level is used only by APSolute Vision, and not byother Radware devices.Email Reporting ConfigurationThese settings configure how APSolute Vision sends events from the Alerts pane via e-mail todefined recipients.EnableSMTP ServerAddressSMTP User NameSubject HeaderFrom HeaderRecipient EmailAddressEmail SendingIntervalNumber of Alerts PerEmailSelect to enable APSolute Vision to send reports and logs via e-mail.Default: DisabledThe name or IP address of the SMTP e-mail server.The account name used to send e-mail notifications; for example,Vision@MyCompany.com.The text that appears in the Subject header of the e-mail.Default: Alert Notification Message.The text that appears in the From header of the e-mail.Default: APSolute VisionThe e-mail addresses of the intended recipients. When there are multiple e-mail addresses, use comma (,) or semi-colon (;) separators.The interval, in seconds, between successive e-mail messages.Values: 1–60Default: 10The maximum number of alerts to include in an e-mail message. When thereare more than the maximum number of alerts, multiple e-mail messages aresent.Values: 1–100Default: 30Sending RuleThese settings configure which alerts to include in e-mail messages.Select DevicesSelect All DevicesSeverityModuleDescriptionTable 2: Alert Browser ParametersClick to select a subset of managed devices for which to send alerts.In the Select Devices dialog box, move the required devices from theAvailable list to the Selected list.When selected, alerts for all devices are sent.Alerts of the selected severities are sent.Alerts for the selected modules are sent.Configuring Monitoring SettingsAPSolute Vision can perform online monitoring of all the managed Radware devices. It also collectsinformation for online security reports for DefensePro. You can configure general global settingsabout how APSolute Vision obtains data for online monitoring and reports.For information about enabling and disabling APSolute Vision monitoring for a specific device, seeEnabling and Disabling APSolute Vision Monitoring, page 196.44 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideGetting Started with APSolute VisionTo configure APSolute Vision monitoring settings1. In the Configuration perspective navigation pane System tab, select Vision Server.2. Select the Monitoring tab in the content pane.3. Configure the parameters; and then, click (Commit) to commit the changes.Table 3: APSolute Vision Monitoring ParametersParameter DescriptionOn-line MonitoringThese settings configure APSolute Vision online monitoring for all managed devices.Monitoring Intervalfor On-lineMonitoringEnable On-lineMonitoring Pre-fetchInactivity Timer forPre-fetchPeriod to RefreshConfigurationDevice Status PollingIntervalNumber of seconds between data collections for monitoring. A shorterinterval provides more up-to-date data, but uses more network and deviceresources.Values: 5–3600Default: 15When selected, APSolute Vision starts to bring in data from a selected devicebefore a specific device element is selected in the Monitoring & Controlperspective. This option enables APSolute Vision to present data morequickly once the device element is selected, although it uses more networkresources to do so.Default: EnabledThe maximum time, in minutes, that APSolute Vision waits between deviceselection and device-element selection before it stops collecting deviceinformation.Default: 5The interval, in minutes, at which APSolute Vision refreshes the device treedisplay in the Monitoring & Control perspective navigation pane System tab.A smaller interval provides more up-to-date information at the expense ofnetwork resources.Default: 60Note: This synchronization is in addition to the periodic real-time updatesof the device tree display.The number of seconds between polls of the device to determine the Up orDown status of the device and its elements.Values: 10–3600Default: 30Document ID: RDWR-APSV-V107_AG1101 45

APSolute Vision Administrator GuideGetting Started with APSolute VisionParameterReportsThese settings configure APSolute Vision monitoring for real-time reports for DefensePro.Monitoring Intervalfor ReportsHistory Depth forReportsTable 3: APSolute Vision Monitoring ParametersDescriptionThe time, in seconds, between data collections for reports. A smaller intervalprovides more up-to-date information at the expense of network resources.Values: 15–3600Default: 15The time, in hours, that real-time reports are saved. For example, the value24 specifies that you can view real-time reports that were collected duringthe last 24 hours.Values: 1–168Default: 24Configuring Database SettingsYou can configure the maximum size of tables in the APSolute Vision database.To configure APSolute Vision server database settings1. In the Configuration perspective navigation pane System tab, select Vision Server.2. Select the Database tab in the content pane. The default maximum sizes displayed are thegreatest maximum allowed.3. For each type of database in the table, you can change the maximum number of records and themaximum history in days up to the greatest maximum allowed.4. Click (Commit) to commit the changes.Configuring Warning ThresholdsYou can configure the following warning thresholds for specific alarms:• Two threshold values for rising alarms to issue warning and error alerts respectively. The risingwarning threshold value must always be lower than the rising error threshold. When theparameter value exceeds the rising warning threshold value but is less than the error thresholdvalue, a warning alert is issued. When the parameter value exceeds the rising error threshold,an error alert is issued.• Two threshold values for falling alarms to clear warning and error alerts respectively. The fallingalarm values must be less than their respective rising alarm values.Note:For the CPU alert, since CPU measurements vary rapidly, APSolute Vision determinesthreshold limits based on a moving average calculation.For more information about alerts and alarms, see Managing Auditing and Alerts, page 47.46 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideGetting Started with APSolute VisionTo configure APSolute Vision server warning thresholds1. In the Configuration perspective navigation pane System tab, select Vision Server.2. Select the Warning Threshold tab in the content pane. The table displays warning thresholds forparameters.3. To edit the warning thresholds for a specific parameter, double-click the parameter name, orright-click and select Edit Warning Threshold Entry.4. Set warning threshold parameters and click OK to save changes.ParameterParameterEnabledDescriptionTable 4: Warning Threshold Parameters(Read-only) Parameter name.When enabled, the warning threshold parameter is used for thecorresponding alarm.Default: EnabledRisingConfigure rising alarms to issue warning and error alerts respectively.WarningThe rising warning threshold value must always be lower than the risingerror threshold. When the parameter value exceeds the rising warningthreshold value but is less than the error threshold value, a warning alert isissued.ErrorThe rising error threshold value must always be greater than the risingwarning threshold value. When the parameter value exceeds the rising errorthreshold, an error alert is issued.FallingConfigure falling alarms to clear warning and error alerts respectively.WarningThe falling warning alarm value must be less than the rising warning alarmvalue.ErrorThe falling error alarm value must be less than the rising error alarm value.Configuring Security Reporter Server SettingsYou can view historical security reports from DefensePro through the APSolute Vision Reporter. Bydefault, the interval for polling security attack data is 5 minutes. You can change the defaultconfiguration.To configure security reporting server settings1. In the Configuration perspective navigation pane System tab, select Vision Server.2. Select the Security Reporting Server tab in the content pane.3. Change the attack polling interval, if required.Document ID: RDWR-APSV-V107_AG1101 47

APSolute Vision Administrator GuideGetting Started with APSolute Vision4. You can upload a logo to display on security reports. Enter the name of the file to upload.5. Click (Commit) to commit the changes.Note:To open the Security Reporting window, click the Security Reporting icon in theAPSolute Vision toolbar.Configuring RADIUS Server ConnectionsWhen role-based access control (RBAC) is implemented for APSolute Vision users, you can useRemote Authentication Dial In User Service (RADIUS) for user authentication.Authentication Process with RADIUSIf the APSolute Vision server is configured to use RADIUS for authentication, the user-authenticationprocess is as follows:1. The user starts the APSolute Vision client, enters the username and password given by theRADIUS administrator, and chooses RADIUS (instead of Local) from the Authentication dropdownlist.2. The APSolute Vision server sends the authentication request to the specified port of the RADIUSserver.3. If the RADIUS server recognizes and authorizes the APSolute Vision server, the RADIUS serverprocesses the request for the user and password.Note:If a RADIUS server does not recognize a request source (in this case, the APSoluteVision server), the RADIUS server ignores the request.4. If the RADIUS server authenticates the user, the RADIUS server returns an Access-Acceptmessage with the user name and its associated IDM-string–scope combination to the APSoluteVision server. If the RADIUS server does not authenticate the user, the RADIUS server sends anAccess-Reject message.Note:The identity-management (IDM) string defines the role of user. For more informationon roles, IDM strings, and scopes, see Role-Based Access Control (RBAC), page 58and Configuring User Roles for RBAC, page 60.5. If the user is authenticated, the APSolute Vision server grants access according to the user’sIDM string and scope. If the user is rejected, the APSolute Vision server does not grant access.48 Document ID: RDWR-APSV-V107_AG1101

RADIUS Server RequirementsAPSolute Vision Administrator GuideGetting Started with APSolute VisionEach RADIUS server (primary and secondary) for APSolute Vision user authentication requires thefollowing:• The RADIUS server must use the port specified on the APSolute Vision server.• The RADIUS server must authorize the APSolute Vision server.• The RADIUS server must use the authentication type (for example, PAP) that is specified in theAPSolute Vision server.• The RADIUS server Access-Accept response must include an IDM-string–scope combination inthe following format::Example: ADMINISTRATOR:[ALL]Example: ADC_OPERATOR:MyADCSiteNotes:>> The identity-management (IDM) string defines the role of user. For more information onroles, IDM strings, and scopes, see Role-Based Access Control (RBAC), page 58 andConfiguring User Roles for RBAC, page 60.>> The list of the available RADIUS attribute IDs and corresponding attribute names isavailable athttp://www.iana.org/assignments/radius-types/radius-types.xhtml.Tip: To use the default settings, the configuration of your RADIUS server and/or RADIUSAuthentication system can use the following:• Attribute ID 26—to specify a Vendor-Specific Attribute (VSA).• Vendor ID 89—to specify Radware (as assigned by Internet Assigned NumbersAuthority, IANA). Vendor ID 89 will need to be configured on the RADIUS server.• Vendor Attribute ID 100—to specify the Radware-Role attribute. The RADIUS server canuse this attribute to return the IDM-string–scope combination to the APSolute Visionserer.• Vendor Attribute ID 100 will need to be configured on the RADIUS server.Configuring the RADIUS Server ConnectionsTo configure a RADIUS server connection1. In the Configuration perspective navigation pane System tab, select Vision Server.2. Select the RADIUS Configuration tab in the content pane.3. Configure the parameters; and then, click (Commit) to commit the changes.Document ID: RDWR-APSV-V107_AG1101 49

APSolute Vision Administrator GuideGetting Started with APSolute VisionParameterIPAuthenticate PortShared SecretVerify Shared SecretIPAuthenticate PortShared SecretVerify Shared SecretTimeoutRetriesAttribute IDVendor IDVendor Attribute IDTable 5: RADIUS Configuration ParametersDescriptionPrimary RADIUSThe IP address of the primary RADIUS server for authentication.The Layer 4 port on the primary RADIUS server.Values: 1812, 1645Default: 1812The RADIUS shared secret used for communication between the primaryRADIUS server and APSolute Vision. You can enter up to 64 characters.The RADIUS shared secret used for communication between the primaryRADIUS server and APSolute Vision. You can enter up to 64 characters.Secondary RADIUSThe IP address of the secondary RADIUS server for authentication.The Layer 4 port on the secondary RADIUS server.Values: 1812, 1645Default: 1812The shared secret used for communication between the secondaryRADIUS server and APSolute Vision. You can enter up to 64 characters.The shared secret used for communication between the secondaryRADIUS server and APSolute Vision. You can enter up to 64 characters.Shared ParametersThe time, in seconds, between retransmissions to the RADIUS servers.Values: 1–100Default: 5The number of authentication retries before a second RADIUS server (ifconfigured) is contacted.Values: 1–10Default: 3The RADIUS attribute used in the RADIUS profile.Values: 1–255Default: 26The vendor ID for the vendor-specific attribute (VSAs).Default: 89—Specifies Radware (as assigned by IANA)Note: This parameter is displayed only if the specified Attribute ID is26.The vendor-specific-attribute ID to hold the :values.Default: 100Note: This parameter is displayed only if the specified Attribute ID is26.50 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideGetting Started with APSolute VisionParameterAuthentication TypeTable 5: RADIUS Configuration ParametersDescriptionThe method of authentication to be used.Values:• PAP• CHAP• EAP-MD5• EAP-MSCHAP v1• MSCHAP v1• MSCHAP v2Default: PAPConfiguring APSolute Vision Server Advanced ParametersYou can configure additional advanced parameters for the APSolute Vision server.To configure advanced parameters for the APSolute Vision server1. In the Configuration perspective navigation pane System tab, select Vision Server.2. Select the Advanced Parameters tab in the content pane.3. Configure the parameters; and then, click (Commit) to commit the changes.ParameterMax. Number ofConfigurationFiles Per DeviceDescriptionTable 6: APSolute Vision Advanced ParametersThe maximum number of configuration files per managed device that you canstore on the APSolute Vision server for backup. When the limit is reached, youare prompted to delete the oldest file.For more information, see Managing Stored Device Configuration Files, page 45.Values: 1–10Default: 5Note: If you change the maximum value to less than the number of existingconfiguration files, none of the existing files will be deleted. Forexample, the configured maximum value is 10 and there are 8configuration files, if you then change the configured maximum value to4, no files are deleted.Document ID: RDWR-APSV-V107_AG1101 51

APSolute Vision Administrator GuideGetting Started with APSolute VisionParameterMinimal LogLevelDescriptionTable 6: APSolute Vision Advanced ParametersThe lowest level of messages that will be logged for debugging purposes.Values:• Errors—Critical and Fatal errors will be logged.• Warnings—Warnings, and Critical and Fatal errors will be logged.• Info—All messages will be logged including Trace, Debug, Info, Warnings,and Critical and Fatal errors.Default: WarningsDevice LockTimeoutCaution: Radware recommends that you contact Radware Technical Supportbefore you change the value for this parameter.The time, in minutes, that a device remains locked. If you have the appropriatepermissions to configure a device, you can lock the device so that other usercannot configure the device at the same time.Values: 5–180Default: 10Results per Page The number of rows that are displayed per table page.If you change this setting after retrieving information into a table in the currentsession, the table information will be lost and APSolute Vision will need to obtainthe device information again. Radware recommends changing this setting at thebeginning of a session before obtaining information from a managed device.Values: 10–100Default: 20Configuring Client PreferencesYou can configure the following preferences for an individual client installation:• Configuring Default Client Settings for the Alerts Pane, page 53• Configuring the Default Perspective, page 52• Configuring Default Display Settings for Monitoring and Reports, page 53Configuring the Default PerspectiveBy default, the Configuration perspective is displayed when you log in to the APSolute Vision client.You can change the default perspective.To change the default perspective1. In the main menu bar, choose Options > Preferences. The Preferences dialog box is displayed.2. In the left pane, select Perspectives. The predefined default is the Configuration perspective.52 Document ID: RDWR-APSV-V107_AG1101

3. Do one of the following:APSolute Vision Administrator GuideGetting Started with APSolute Vision— To change the default, select the perspective that you always want to appear when you loginto APSolute Vision; then click Apply or OK.— To restore the default settings, click Restore Defaults.Configuring Default Client Settings for the Alerts PaneThe default settings for the Alerts pane define how often the client polls the server for alertinformation, and the number of critical alerts that are displayed in the Alerts pane.To change default Alerts-pane settings1. In the main menu bar, choose Options > Preferences. The Preferences dialog box is displayed.2. In the left pane, select Alert Browser.3. To restore the default settings, click Restore Defaults.4. To change the settings, set the parameters and click Apply or OK.ParameterLatest Critical Alerts DisplayedTable Refresh RateTable 7: Default Alert Browser SettingsDescriptionThe number of critical alerts to display.Values: 0–20Default: 10The interval, in seconds, at which the client polls the server foralert information.Values: 2–2,147,483,647Default: 5Configuring Default Display Settings for Monitoring and ReportsThese default settings define how often the client polls the server for monitoring and reports andother display settings for real-time monitoring.To change default settings for monitoring and reports1. In the main menu bar, choose Options > Preferences. The Preferences dialog box is displayed.2. Select Statistics Settings in the left pane.3. To restore the default settings, click Restore Defaults.4. To change the settings, set the parameters and click Apply or OK.Document ID: RDWR-APSV-V107_AG1101 53

APSolute Vision Administrator GuideGetting Started with APSolute VisionParameterStatistics Refresh Interval for MonitoringControlStatistics Refresh Interval for Real TimeReportsNumber of Records for Top ReportsDuration to keep Attack in View (Min)Table 8: Default Display SettingsDescriptionThe interval, in seconds, at which the client polls theserver for monitoring and control information.Default: 15The interval, in seconds, at which the client polls theserver for real-time report information.Default: 15The number of reports included in a “Top N reports”category. For example, a value of 10 will yield thetop 10 items.Values: 1–100Default: 10The time, in minutes, to continue displaying anattack in real-time reports after the attack hasended or been terminated.Values: 1–30.Default: 10Note: The attack is displayed automatically allthe time that it continues.Updating the Attack Description FileThe Attack Description file contains descriptions of all the different attacks. You can view a specificdescription by entering the attack name. When you first configure APSolute Vision, you shoulddownload the latest Attack Description file to the APSolute Vision server. The file is used for realtimeand historical reports to show attack descriptions for attacks coming from DefensePro devices.The file versions on APSolute Vision and on the DefensePro devices should be identical; Radwarerecommends synchronizing regular updates of the file at regular intervals on APSolute Vision and onthe individual devices.When you update the Attack Description file, APSolute Vision downloads the file from directly fromRadware.com or from the enabled proxy file server.You can schedule Attack Description file updates in the APSolute Vision scheduler. For moreinformation, see Configuring Tasks in the Scheduler, page 207.To update the Attack Description file1. In the Monitoring & Control perspective navigation pane System tab, right-click Vision Server.2. Select Update Attack Description file.54 Document ID: RDWR-APSV-V107_AG1101

3. Do one of the following:APSolute Vision Administrator GuideGetting Started with APSolute Vision— To update the Attack Description file from Radware, select the Radware.com radio button.— To update the files from the APSolute Vision client host:a. Select the Client radio button.b. In the File Name text box, enter the file path of the Attack Description file or clickBrowse to navigate to and select the file.4. Click Send and OK.5. The Alerts pane displays a success or failure notification and whether the operation wasperformed using a proxy server.After Initial ConfigurationAfter initial configuration of the APSolute Vision server and APSolute Vision client preferences,continue with the following:• If required, configure local APSolute Vision users and global user settings in the UserManagement perspective. Only the Admin user can access this perspective. For moreinformation, see Managing APSolute Vision Users, page 57.• Set up your network in the Configuration perspective navigation pane System tab. Add theAppDirector and DefensePro devices that you want to manage using APSolute Vision. For moreinformation, see Setting Up Your Network, page 69.• Configure your managed Radware devices using APSolute Vision.For more information about configuring a device’s basic setup and security settings, see theAPSolute Vision User Guide.For information about configuring application delivery on AppDirector, and server and networksecurity on DefensePro, see the APSolute Vision online help.• Manage device operations and maintenance. For more information, see the APSolute Vision UserGuide.• Monitor the managed devices using APSolute Vision. For more information, see the APSoluteVision online help.For more information about AppDirector and DefensePro, see the relevant product user guides.Document ID: RDWR-APSV-V107_AG1101 55

APSolute Vision Administrator GuideGetting Started with APSolute Vision56 Document ID: RDWR-APSV-V107_AG1101

Chapter 3 – Managing APSolute Vision UsersAPSolute Vision supports concurrent access to up to 10 users. Each user has individual credentialsand privileges. APSolute Vision supports role-based access control (RBAC) to manage userprivileges. RBAC users can be defined and managed in the local APSolute Vision user database orthrough a RADIUS server.Note:RBAC does not apply to APSolute Vision CLI users.All user credentials for local users are encrypted and stored in the APSolute Vision database. Allactions and events on local users are stored in the Audit log.Users with the appropriate privileges can lock a device on an APSolute Vision server and modify itsconfiguration. Locking the device prevents other users from performing configuration tasks on thatdevice at the same time.The following topics describe role-based access control, and how to configure and monitor localAPSolute Vision users:• Logging In as the Default Administrator User—radware User, page 57• Role-Based Access Control (RBAC), page 58• Configuring User Roles for RBAC, page 60• Configuring Local Users, page 60• Viewing User Statistics, page 65• Configuring Global User Management Settings, page 66• APSolute Vision Password Requirements, page 67Logging In as the Default Administrator User—radwareUserA new APSolute Vision server (one that no one has yet logged into) contains a single predefinedAdministrator user, which is called radware. This user is defined with the role of Administrator role.The radware user can then create and manage additional local users and their individual and globaluser settings, except for personal, local-user passwords.You cannot delete the radware user.Caution: The password for the radware user never needs to change, but Radware recommendsdoing so.If you are the radware user and you forget the password for it, you must follow a special procedureto reset the password to the default. For more information, see Resetting the radware AdministratorPassword, page 64.Document ID: RDWR-APSV-V107_AG1101 57

APSolute Vision Administrator GuideManaging APSolute Vision UsersTo log into APSolute Vision for the first time as the default administrator user radware1. Click the APSolute Vision Client program icon.2. In the login dialog box, specify the following:— User Name—The name of the user, radware.— Password—The password for the user, radware.— Vision Server—The name or IP address of the APSolute Vision server.— Authentication—The method to authenticate the user: Local or RADIUS. That is, selectwhether to use the credential stored in the APSolute Vision server or the credentialsmanaged by the specified RADIUS Authentication server.Note:For information on using a RADIUS Authentication server, see Configuring RADIUSServer Connections, page 48.3. Click OK.Role-Based Access Control (RBAC)You can determine the functionality and managed devices available to each user in APSolute Visionby using RBAC to associate users with roles and scopes of devices.A user administrator with the Administrator or User Administrator role can create, edit, and managelocal APSolute Vision users. User management includes assigning scopes, which define the devicesthat the user can access, and roles, which define the set of permissions for the corresponding scope:• Scopes of devices correspond to the hierarchy in the navigation pane System tab. A scope cancontain an individual device or all the devices in a site (and its subsites). Scopes are namedaccording to the corresponding site or device name. In addition:— The Default scope contains all devices under the root site.— The All scope contains all devices and the APSolute Vision Server.• All roles, except the System Administrator and Users Administrator, must be assigned a scope.• APSolute Vision contains a set of predefined roles, each defining a set of privileges. The useradministrator can create additional roles based on combinations of up to three predefined roles.• Only unused, user-defined roles can be deleted.RBAC users can also be defined and managed through a RADIUS server.58 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideManaging APSolute Vision UsersAPSolute Vision provides the following predefined roles, which you cannot delete or modify:RoleADC AdministratorADC OperatorAdministratorDevice AdministratorDevice ConfiguratorDevice ViewerSecurity AdministratorSecurity MonitorUser AdministratorVision ReporterDescriptionTable 9: Predefined RolesHas full control over ADC configuration, can configure and managefarms, traffic redirection, and health checks.Can perform all Monitoring & Control pane right-click functions of thedevices for which the user has credentials.Has full control to disable farms and server, and switch the logicalserverstate from regular to backup, and so on. Has read-onlypermission on the configuration of ADC devices and general devicecontrol.Can perform all actions and access all functionality.Has full control over devices for which the user has credentials.Can access all Configuration-perspective panes and Monitoring &Control-perspective panes and has full control over the Setup,Networking, Device security and Advanced parameter tabs of theConfiguration pane of the devices for which the user has credentials.Can perform all Configuration and Monitoring & Control pane rightclickfunctions of the devices for which the user has credentials.Can access all devices for which the user has credentials.Can configure and manage network and server security, ACL policies,and so on.Has full control over Real-time Monitoring and APSolute VisionReporter.Can create and manage users and roles.Has full control over APSolute Vision Reporter.A user sees the APSolute Vision GUI displayed according to that user’s role:• When a user has full read and write permissions, all Add, Edit, and Delete buttons are displayed.• When a user has update permissions only, Add buttons are not displayed.• When a user does not have any configuration permissions, Add, Delete, and Commit buttons arenot displayed.• The User Management perspective is not accessible to users who do not have user administratorprivileges.• The tree in the main navigation pane System tab displays only those devices that belong toscope associated with the user.• The Real-Time Monitoring perspective displays visible attacks only of those devices that belongto scope associated with the user.All users can see the Alerts browser, but the alerts displayed are limited according to devicepermissions.Document ID: RDWR-APSV-V107_AG1101 59

APSolute Vision Administrator GuideManaging APSolute Vision UsersConfiguring User Roles for RBACAPSolute Vision contains a set of predefined roles and the Administrator can create customized rolesbased on combinations of up to three predefined roles. You associate a user with a single role todetermine the user’s permissions.For information about the predefined roles, see Role-Based Access Control (RBAC), page 58.To create a customized role1. In the User Management perspective, select the Roles tab.2. In the tab toolbar, click the (Add) button.3. In the Add New Role dialog box:a. In the Name field, enter a name for the new role.b. Move up to three roles from the Available Roles list to the Selected Roles list.c. Click OK.The new role, which is a combination of the selected predefined roles, is displayed in the Rolestable.You can now associate users with the new role.Table 10: Role ParametersParameterNameRole DefinitionDefined ByIDM StringDescriptionThe name of the roleA description of the role. For user-defined roles, the names of theindividual roles that are included are displayed.Whether the role is predefined by the system, or user-defined.When you create a custom role, the identity-management server (IDM)creates a unique string. When a user logs in, this string is transmitted tothe authenticator to assign the relevant roles and scopes to the user.Configuring Local UsersA user administrator can set and change the following individual local APSolute Vision userconfigurations:• Add, edit, and delete users• Revoke and enable users• Release user lockout and reset user passwordsFor information about setting global user configurations, see Configuring Global User ManagementSettings, page 66.60 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideManaging APSolute Vision UsersTo set individual user configurations1. In the User Management perspective, select the Local Users tab. The Users table displaysinformation for all currently defined users.2. From the Users table you can perform the following:— Adding and Editing Users, page 61— Deleting Users, page 63— Releasing User Lockout, page 63— Resetting User Passwords to the Default, page 63— Resetting the radware Administrator Password, page 64— Revoking and Enabling Users, page 64— Exporting User Information, page 65ParameterUser NameFull NameScopeRoleContact InformationPassword Expiration DateEnabled StateLockedCreated OnLast Password ChangeLast LockoutTable 11: User Table ParametersDescriptionThe username used for login.The user’s full name.Scopes of devices organized according to the site tree in the mainnavigation pane System tab. A scope can contain an individualdevice or all the devices in a site. The Default scope contains alldevices under the root site. The All scope contains all devices andthe APSolute Vision Server.The displayed scopes for each user represent the devices that theuser can access. Each scope in the list is associated with acorresponding role that defines the permissions for the user onthose devices.The roles with which the user is associated. Each role defines a setof actions the user can perform through APSolute Vision. Each rolein the list applies to its corresponding scope of devices.The user’s contact information—organization, address, and phonenumber.The date on which the current password expires.Whether the user is currently enabled. If the checkbox is cleared,the user is currently suspended and cannot log in.Whether the user is currently locked out.The date on which the user was created.The date on which the user password was last changed.The date on which the user was last locked out.Adding and Editing UsersWhen you add a user, you associate the user with role and scope pairs to define the user’s privilegesand the managed devices to which the privileges apply. Scopes represent the devices for which theuser has credentials. The corresponding role for each scope in the list defines the permissions forthe user on those devices.Document ID: RDWR-APSV-V107_AG1101 61

APSolute Vision Administrator GuideManaging APSolute Vision UsersWhen you modify the role and/or scope assignment for a user who is logged into APSolute Vision,the user must log out and log in again for the changes to take effect.By default, a new user is not associated with any scope or role.You can only add a scope once for each user. You cannot add a scope that contains devices that arealready in a scope associated with the user.To add or edit a user1. In the User Management perspective, select the Local Users tab.2. Do one of the following:— To add a user, click the (Add) button in the tab toolbar.— To edit a user, double-click the user name.3. Set the user parameters including the user’s role and scope assignments, and click OK.To add or modify a role-scope pair1. In the Permissions table, right-click and select Add New User Role Group Pair or Edit UserRole Group Pair.2. Do the following:— From the Scope list, select the scope containing the devices that the user can access.— From the Role list, select the role for the selected scope.3. Click OK.ParameterUser NameFull NameScopeRoleOrganizationAddressPone NumberDescriptionTable 4: User ParametersIdentificationThe username used for login. This field is mandatory.The user’s full name. This field is optional.PermissionsThe device or devices for which the user has credentials.The role for the user on those devices.Contact InformationThese fields are optional.The user’s organization.The user’s address.The user’s phone number.Note:The Administrator user does not define a personal password for a new user. At initiallogin, a new user enters the global default password and is then prompted to create anew password. Users can always change their own passwords at login. For moreinformation, see Changing Password for Local Users, page 40.62 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideManaging APSolute Vision UsersDeleting UsersDeleting a user removes the user from the Users table.Notes:>> The Administrator user cannot be deleted.>> You can suspend a user without removing the user from the table. For more information,see Revoking and Enabling Users, page 64.To delete a user1. In the User Management perspective, select the Local Users tab.2. In the Users table, select the user name and click the (Delete) button in the tab toolbar.3. Click Continue in the confirmation box.Releasing User LockoutWhen a user performs more than the permitted number of unsuccessful logins as defined in theGlobal User Settings page, the user is locked out and cannot log in again until the user administratorreleases the lock, and resets the password.Note:If the Administrator user is locked out for any reason, see Resetting the radwareAdministrator Password, page 64.To release a user lockout1. In the User Management perspective, select the Local Users tab.2. In the Users table, right-click the user name that you want to unlock, and select Unlock User.3. Reset the user password to the default, see Resetting User Passwords to the Default, page 63.Resetting User Passwords to the DefaultFollowing a user lockout, a user administrator can reset a local user’s password to the default userpassword. When the user next logs into APSolute Vision, that user will be prompted to change thedefault password according to APSolute Vision Password Requirements, page 67.Note:You cannot reset the default administrator password. If the Administrator user is lockedout for any reason, contact Radware Technical Support to release the lockout.Document ID: RDWR-APSV-V107_AG1101 63

APSolute Vision Administrator GuideManaging APSolute Vision UsersTo reset a user’s password to the default1. In the User Management perspective, select the Local Users tab.2. In the Users table, right-click the username whose password you want to reset, and selectReset User Password.Resetting the radware Administrator PasswordTo reset the password for the radware user1. Click the APSolute Vision Client program icon.2. Click Options.3. In the User Name text box, type radware.4. Click the (Reset Password) button.5. From the Vision Identifier text box, copy the value, which is the Vision identifier code.6. Send the Vision identifier code to Radware Technical Support and identify yourself using yourcompany name and Vision Identifier. After your credentials have been approved, RadwareTechnical Support will send you the necessary password-reset file.7. When you receive the password-reset file, save it to your local computer.8. In the Select Password Reset File text box, enter the path to the password-reset file or clickBrowse to navigate to the file and click Open. The password resets to the default; radware.9. In the Enter New Password dialog box, enter your new password in the New Password andConfirm New Password fields and click OK.10. In the initial login dialog box, enter your user name and new password.11. Click OK.Revoking and Enabling UsersRevoking a user suspends the user, but does not delete the user from the Users table. To delete auser from the Users table, see Deleting Users, page 63.To revoke and enable a user1. In the User Management perspective, select the Local Users tab.2. To revoke a user, in the Users table, right-click the user name, and select Revoke User. Thestate of the user in the Users table changes from Enabled to Disabled.3. To enable a revoked user, right-click the user name, and select Enable. The state of the user inthe Users table changes from Disabled to Enabled.64 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideManaging APSolute Vision UsersExporting User InformationYou can export the information in the Users table to a CSV file.Note:User passwords are not exposed or exported.To export the information in the Users table1. In the User Management perspective, select the Local Users tab.2. In the tab toolbar, click the (Export to CSV) button.3. Save the file in the desired location.Viewing User StatisticsYou can view and save the following user statistics broken down by user and date:• Number of successful logins• Number of failed login attempts• Number of password changes• Number of lockoutsTo display user statistics1. In the User Management perspective, select the User Statistics tab. By default, the UserStatistics table displays information for all users for the current day.2. To display statistics for a specific user, select a user name from the User Name list, and clickGo.3. To display statistics for a specific date range, set the Start Date and End Date, and click Go.To export the displayed user statistics1. In the User Statistics tab toolbar, click the (Export to CSV) button.2. Save the file in the desired location.Document ID: RDWR-APSV-V107_AG1101 65

APSolute Vision Administrator GuideManaging APSolute Vision UsersConfiguring Global User Management SettingsThe Administrator user can change global user management settings.Note:Radware recommends that the Administrator user changes the default Administratorpassword after initial login.To configure global user settings1. In the User Management perspective, select the Global Settings tab.2. Configure the parameters; and then, click (Commit) to commit the changes.ParameterNumber of Password ChallengesDefault Password for AdministratorVerify Default Password forAdministratorDefault Password for Other UsersVerify Default Password for OtherUsersDays to Password ExpirationDays to Statistics Records DeletionTable 5: Global User Management ParametersDescriptionThe number of consecutive unsuccessful password entriesbefore a user is locked out.Values: 0–100Default: 3The password that the Administrator user enters on initiallogin or after password reset. The Administrator user canchange it at any time or on expiration.When you change the default password, re-enter thepassword for verification.The password that new users enter on initial login or afterpassword reset. The Administrator user can change it at anytime or on expiration.When you change the default password, re-enter thepassword for verification.The number of days from password creation until thatpassword expires. When you change this value, the new valueis applied to any subsequently created passwords; currentpasswords are not affected by the change.Default: 30The number of days until the current user statisticsinformation is deleted.Default: 3066 Document ID: RDWR-APSV-V107_AG1101

ParameterNumber of Last Passwords SavedUser must change password on 1stloginTable 5: Global User Management ParametersDescriptionA user cannot reuse a saved password.Default: 3APSolute Vision Administrator GuideManaging APSolute Vision UsersSpecifies whether all users must change their password whenlogging in for the first time to the APSolute Vision server.Note: The value for this parameter applies to when theuser is created, and does not change. For example, ifthe value for this parameter is true when the user iscreated, and then the value changes to false—butthe user has not yet logged in, the user will berequired to change his/her password when he/shefirst logs in.APSolute Vision Password RequirementsAll personal and default passwords required by the Administrator user and other local users to loginto APSolute Vision must contain:• Between eight and 12 characters.• At least two non-alphabetic characters.For information about changing individual and default passwords, see:• Changing Password for Local Users, page 40• Configuring Global User Management Settings, page 66Document ID: RDWR-APSV-V107_AG1101 67

APSolute Vision Administrator GuideManaging APSolute Vision Users68 Document ID: RDWR-APSV-V107_AG1101

Chapter 4 – Setting Up Your NetworkBefore you can configure managed devices through APSolute Vision, you configure the sites andtheir devices to the APSolute Vision sever configuration. The sites and devices are displayed in theSystem tab.The following topics describe how to set up your network of managed Radware devices:• Introducing APSolute Vision Sites, page 69• Configuring Sites, page 71• Adding and Removing Devices, page 71• Locking and Unlocking a Device, page 74• Creating AppDirector Clusters for High Availability, page 74• Creating DefensePro Clusters for High Availability, page 75• Finding Site Nodes, page 77• Next Steps, page 77Introducing APSolute Vision SitesYou can define your network in APSolute Vision as a physical or logical representation of groups ofmanaged Radware devices. You can organize the devices to be managed in logical groups, referredto as sites. For example, a site can be based on a geographical location, an administrative function,device type, and so on. Each site can contain nested sites and devices. You can create clusters ofdevices for high availability. You can also display real-time reports for multiple devices according tosites.Note:You cannot perform configuration operations simultaneously on multiple devices in sites.These topics describe:• System Tree Structure, page 69• System Tree Organization, page 70• Default Site and Device Names, page 70System Tree StructureThe System tree can contain sites and devices:• A System tree node can represent a logical site or a device.• A site can contain nested sites, devices, or both.• Nodes are organized alphabetically in the System tree within each level. For example, a sitecalled AppDirectors will appear before a site at the same level called DefensePros. All nestedsites will appear before devices at the same level, regardless of their alphanumerical order.• All node names in the System tree must be unique. For example, you cannot give a site and adevice the same name, and you cannot give devices in different sites the same name. Nodenames are case-sensitive.Document ID: RDWR-APSV-V107_AG1101 69

APSolute Vision Administrator GuideSetting Up Your NetworkSystem Tree OrganizationThe following figure shows an example of the organization of a global system.Figure 20: Global System Tree OrganizationIn this example, the global site for the network has been organized primarily according togeographic location. Each network location contains nested sites, organized according to devicetype. In a large network, you might require a further set of location subsites, or you might want toorganize devices in a specific location according to administrative functions.You add sites, subsites, and devices in the Configuration perspective. After you add devices, you canconfigure and monitor each device through APSolute Vision.Default Site and Device NamesThe default name of a new node depends on the node type, Site, AppDirector, or DefensePro. Thefirst instance of a node type is given the default name node_type. If you do not change the defaultnames, subsequent new nodes will be given the default name node_type(n), where n is the firstavailable number for nodes of the same type.For example:• The first site that you create will be given the default name Site.• The next site will be given the default name Site(2).• If you rename the first site to MySite, the third site that you create will be given the defaultname Site.• The next site will be given the default name Site(3).70 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideSetting Up Your NetworkConfiguring SitesBy default, the root site is called Default. You can rename this site, and add nested sites anddevices.You can add, rename, and delete sites. When you delete a site, you must first remove all its subsitesand devices.Notes:>> To move a device between sites, you must first delete the device from the sites tree andthen add it in the required target site.>> A site cannot have the same name as a device, and sites nested under different parentsites cannot have the same name.>> You cannot delete the Default site.To add a new site1. In the Configuration perspective main navigation pane System tab, right-click the site name inwhich you want to create a new site, and choose New > Site. A new site is displayed in the treewith a default name.2. Rename the new site, if required, and press Enter.To rename a site1. In the Configuration perspective main navigation pane System tab, right-click the site name,and choose Rename “”.2. Rename the site, and press Enter.To delete a site1. In the Configuration perspective main navigation pane System tab, right-click the site name,and choose Delete “”.2. Click OK in the confirmation box.Adding and Removing DevicesBefore you can manage AppDirector and DefensePro devices in APSolute Vision, you must add thedevices to the site tree in the main navigation pane System tab. You can organize the devices inlogical sites. When you add a device, it is given a default name, which you can change. You providedevice connection information, including authentication parameters (credentials) for communicationbetween the device and the APSolute Vision server (the ports of communication are defined underAPSolute Vision server setup configuration).Document ID: RDWR-APSV-V107_AG1101 71

APSolute Vision Administrator GuideSetting Up Your NetworkAfter submitting device connection information, APSolute Vision verifies that it can connect to thedevice, and retrieves the device information, including licensing information, which is then stored onthe APSolute Vision server.You can modify the connection information and configure the device, after the connection has beenestablished.After adding AppDirector devices, you can create clusters of the main and backup devices, or theprimary and secondary devices (as appropriate to the type of managed device).Notes:>> A device cannot have the same name as a site.>> Devices in different sites cannot have the same name.>> To move a device between sites, you must first delete the device from the sites tree andthen add it in the required target site.>> If you replace a device with a new device to which you want to assign the samemanagement IP, you must delete the device from the site and then recreate it for thereplacement.>> When you delete a device, you can no longer view historical reports for that device.To add a new device1. In the Configuration perspective main navigation pane System tab, right-click the site name inwhich you want to add a device, and select New > AppDirector or New > DefensePro. A newdevice node is displayed with a default name.2. In the Edit Device Connection Information dialog box, set the device name and connectionparameters, and click OK.After APSolute Vision connects to the device, basic device information is displayed in the contentpane, and device properties information is displayed in the Properties pane below the mainnavigation pane.ParameterNameManagement IPSNMP VersionSNMP CommunityVerify SNMP CommunityTable 6: Device Connection ParametersDescriptionThe name of the device. You can change the default.SNMPThe management IP as it is defined on the managed device.The SNMP version used for the connection.SNMPv1 or SNMPv2The default is publicRe-enter the community string when defining the connection.SNMPv3User Name The user name for the SNMP connection. You can enter up to 18characters.Use AuthenticationWhen selected, the device authenticates the user for a successfulconnection. The default is not selected. The following authenticationfields are available only when this option is enabled.72 Document ID: RDWR-APSV-V107_AG1101

ParameterAuthentication Protocol(Use Authentication enabled)Authentication Password(Use Authentication enabled)Verify AuthenticationPassword(Use Authentication enabled)Use Privacy(Use Authentication enabled)Privacy Password(Use Privacy enabled)Verify Privacy Password(Use Privacy enabled)Table 6: Device Connection ParametersDescriptionAPSolute Vision Administrator GuideSetting Up Your NetworkThe protocol used for authentication,MD5 or SHA. The default isMD5.The password used for authentication.Re-enter the authentication password when defining the connection.When selected, SNMPv3 traffic is encrypted for additional security.The default is not selected. This option is available only when UserAuthentication is selected. The following options are available onlywhen this option is enabled.The password used for the Privacy facility.Re-enter the privacy password when defining the connection.HTTPHTTP Username The username for the HTTP connection. You can enter up to 18characters.HTTP PasswordThe password used for HTTP connectivity.Verify HTTP Password Re-enter the HTTP password when defining the connection.HTTPSHTTPS Username The username for the HTTPS connection. You can enter up to 18characters.HTTPS PasswordThe password used for HTTPS connectivity.Verify HTTPS Password Re-enter the HTTPS password when defining the connection.To edit device connection information1. In the Configuration perspective main navigation pane System tab, right-click the device name,and select Edit Device Connection Information.2. Modify connection parameters as described in Device Connection Parameters, page 72.To delete a device1. In the Configuration perspective main navigation pane System tab, right-click the device name,and select Delete “”.2. Click OK in the confirmation box. The device is deleted from the list of managed devices.Document ID: RDWR-APSV-V107_AG1101 73

APSolute Vision Administrator GuideSetting Up Your NetworkLocking and Unlocking a DeviceWhen you have permissions to perform device configuration on a specific device, you must lock thedevice before you can configure it. Locking the device ensures that other users cannot makeconfiguration changes at the same time. The device remains locked until you unlock the device, youdisconnect, until the Device Lock Timeout elapses, or an An Administrator unlocks it. Locking adevice applies only to the device on the specific Vision server. Locking a device does not apply to thesame device that is configured on another APSolute Vision server, using WBM, or using CLI.Note:Only one APSolute Vision server should manage any one Radware device.While the device is locked:• The device icon in the main navigation pane System tab includes a small lock symbol— forAppDirector, for DefensePro.• Configuration panes are displayed in read-only mode to other users with configurationpermissions for the device.• If applicable, the (Commit) button is displayed.• If applicable, the (Add) button is displayed.To lock a deviceIn the Configuration perspective main navigation pane System tab, right-click the device name,and select Lock Device.To unlock a deviceIn the Configuration perspective main navigation pane System tab, right-click the device name,and select Unlock Device.Creating AppDirector Clusters for High AvailabilityAfter you add AppDirector devices in the sites tree, you can create AppDirector device clusters togroup a main AppDirector with its backup devices. In each cluster, APSolute Vision automaticallyindicates which device is the main and which devices are the backup devices.When AppDirector devices are organized in a cluster, you can synchronize the active deviceconfiguration on the main device with backup devices in the cluster.Note:For successful synchronization, all the AppDirector devices in a cluster must be of thesame platform, version, and license.74 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideSetting Up Your NetworkTo create an AppDirector cluster1. In the Configuration perspective main navigation pane System tab, select an AppDirectordevice.2. To select additional AppDirector devices for the cluster, press Ctrl and click the required devices.3. Right-click a selected device and select Group to Cluster.4. Enter the cluster name and press Enter. A new cluster node is displayed containing the selecteddevices.To ungroup an AppDirector clusterIn the Configuration perspective main navigation pane System tab, right-click the cluster nameand select Ungroup Cluster.The cluster node is removed from the tree, and the AppDirector devices are displayed under thecluster’s parent node.To rename an AppDirector cluster1. In the Configuration perspective main navigation pane System tab, right-click the cluster name,and select Rename “”.2. Rename the cluster, and press Enter.To delete an empty cluster1. In the Configuration perspective main navigation pane System tab, right-click the cluster name,and select Delete “”.2. Click OK in the confirmation box. The cluster node is deleted from the tree.Creating DefensePro Clusters for High AvailabilityThis feature is available on DefensePro 5.10 and later.After you add DefensePro devices to the sites tree, you can create two-node clusters of compatibleDefensePro devices. To be compatible, both cluster members must be of the same platform,software version, and software license, bandwidth license, and Radware signature file.A cluster consists of a primary DefensePro device and a secondary device.You can configure only the basic parameters of a high-availability cluster in the System pane(Cluster Name, Primary Device, and Associated Management Ports).Document ID: RDWR-APSV-V107_AG1101 75

APSolute Vision Administrator GuideSetting Up Your NetworkTo configure the primary device of the cluster, the failover parameters, and the advancedparameters, use the High Availability pane (Configuration perspective > Setup > HighAvailability).Note:Before you can configure a cluster, the devices must be locked.To create a DefensePro high-availability cluster1. In the Configuration perspective main navigation pane System tab.2. Select a DefensePro device.3. Press Ctrl and click the other device for the cluster.4. Right-click one of the selected devices and select Create Cluster.5. Configure the parameters; and then click OK.Cluster Setup ParametersParameterCluster NamePrimary DeviceAssociated Management PortsDescriptionThe name for the cluster (up to 32 characters).Specifies which of the cluster members is the primary device.Specifies the management (MNG) port or ports through which theprimary and secondary devices communicate.Values: MNG1, MNG2, MNG1+2Note: You cannot change the value if the currently specifiedmanagement port is being used by the cluster. Forexample, if the cluster is configured with MNG1+2, andMNG1 is in use, you cannot change the value to MNG2.To break a DefensePro high-availability clusterIn the Configuration perspective main navigation pane System tab, right-click the cluster nodeand select Break Cluster.After your confirmation, the cluster node is removed from the tree, and the DefensePro devicesare displayed under the parent node.To rename an DefensePro high-availability cluster1. In the Configuration perspective main navigation pane System tab, right-click the cluster node,and select Rename “”.2. Rename the cluster (up to 32 characters); and then, click outside the cluster node.76 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideSetting Up Your NetworkTo change the associated management ports of a DefensePro high-availability cluster1. In the Configuration perspective main navigation pane System tab, select the cluster node andclick Edit Cluster.2. Configure the parameters; and then click OK.Note:You cannot change the value if the currently specified management port is beingused by the cluster. For example, if the cluster is configured with MNG1+2, andMNG1 is in use, you cannot change the value to MNG2.Finding Site NodesYou can perform simple searches for site nodes. All nodes that contain the search string will behighlighted. If the first match is within a collapsed node, the node opens to display the matchingnode name. Subsequent matches in collapsed nodes remain hidden; however when you open thenode, the matching node name will appear highlighted.To find a site node1. In the Configuration perspective main navigation pane System tab, in the Find field above thesite tree, enter the name or part of the name that you want to find.2. Click Go. All matching node names are highlighted.Next StepsAfter you set up your network of managed devices, and establish a connection to the devices,APSolute Vision obtains the network configuration and displays the settings in the deviceconfiguration tabs.You can then do the following:• Set and change the device configuration through APSolute Vision.For information about configuring a device’s basic setup and security settings, see Basic DeviceConfiguration, page 55.For information about configuring AppDirector’s and DefensePro’s associated services, see theAPSolute Vision online help.• Perform administration and maintenance tasks on managed devices; such as, scheduling tasks,making backups, and so on. For more information, see Managing Device Operations andMaintenance, page 195.• Monitor managed devices through APSolute Vision.For more information, see the APSolute Vision online help.Document ID: RDWR-APSV-V107_AG1101 77

APSolute Vision Administrator GuideSetting Up Your Network78 Document ID: RDWR-APSV-V107_AG1101

Chapter 5 – APSolute Vision CLI CommandsUse APSolute Vision CLI commands to manage the APSolute Vision server. APSolute Vision CLIincludes the following capabilities:• Consistent, logically structured and intuitive command syntax.• Command completion using the TAB key.• Paging and selection commands.• Command history.• Short and long help for every menu and command.Note:For the initial setup of the APSolute Vision server, see the Radware Installation andMaintenance Guide.All configuration changes that are made using CLI commands are sent to the APSolute Vision serveraudit log.This chapter contains the following sections:• Command Syntax Conventions, page 79• Accessing APSolute Vision CLI, page 80• Main CLI Menu, page 80• General CLI Commands, page 81• Network Configuration Commands, page 83• System Commands, page 88Command Syntax ConventionsThe following table describes the command syntax conventions used in this chapter.SyntaxConventionBoldAngleBrackets ()DescriptionBold text designates information that must be enteredon the command line exactly as shown. This applies tocommand names and non-variable options.The information enclosed in brackets () is variableand must be replaced by whatever it represents. In theexample shown, you must replace with thename of the specific file.Examplenet dns getDocument ID: RDWR-APSV-V107_AG1101 79

APSolute Vision Administrator GuideAPSolute Vision CLI CommandsSyntaxConventionBrackets ([ ]) The information enclosed in square brackets ([ ]) isoptional. Anything not enclosed in brackets must bespecified.Curly bracketscontainingvertical bar(s)({ | })DescriptionCurly brackets, also called braces ({ }) identify a set ofmutually exclusive options, which are separated by avertical bar ( | ). You can enter only one of the optionsin a single use of the command. Each option within thebraces can be optional or required, and variable ornon-variable.In the example shown, you can specify a value forvariable , or use the non-variable option,default.Example[-s ]{|default}Accessing APSolute Vision CLIAccess the APSolute Vision CLI using a serial cable and terminal emulation application, or from anSSH client.Terminal settings for the APSolute Vision server are as follows:• Bits per second: 19200 Alteon is• Data bits: 8• Parity: None• Stop bits: 1• Flow control: NoneNote:When connecting from an SSH client, APSolute Vision CLI has a default timeout of fiveminutes for idle connections. If an SSH connection is idle for five minutes, APSoluteVision automatically terminates the session.The default username/password for the APSolute Vision CLI is radware/radware. You can change thepassword using the change-password command. For more information, see system user changepassword,page 93.Main CLI MenuThe following table describes the main CLI menu commands:CommandexithelphistoryDescriptionLogs out of the APSolute Vision CLI session. For more information, see exit,page 81.Displays help for menus and commands. You can also use the ? key. For moreinformation, see help, page 81.Displays a history of previously run commands. For more information, seehistory, page 82.80 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideAPSolute Vision CLI CommandsCommandnetpingrebootshutdownsystem|grepDescriptionCommands to display and configure network interface settings and IP routing.For more information, see Network Configuration Commands, page 83.Pings a host on the network to test its availability. For more information, seeping, page 82.Stops all processes and then reboots the APSolute Vision server. For moreinformation, see reboot, page 82.Stops all processes and then shuts down the APSolute Vision server. For moreinformation, see shutdown, page 82.System commands for the APSolute Vision server. For more information, seeSystem Commands, page 88.Selects lines containing a match for the specified regular expression. For moreinformation, see grep, page 83.|more Paginates command output. For more information, see |more, page 83.General CLI CommandsThis section describes the following APSolute Vision CLI commands:• exit• help• history• ping• reboot• shutdown• grep• |moreexitLogs out of the APSolute Vision CLI session.SyntaxexithelpDisplays help for a command or menu. You can also use the ? key.ExamplesA net? displays help for the net menu.B net management-ip? displays help for the net management-ip command.Tip: To display the list of commands for a menu, enter the menu name and press Enter.Document ID: RDWR-APSV-V107_AG1101 81

APSolute Vision Administrator GuideAPSolute Vision CLI CommandshistoryDisplays a history of the previously run commands.Syntaxhistory [-]The number of previous commands to display, starting fromthe current command. The default is the last 50 commands.OptionalTip: To paginate results, use history | more.To view command history for specific commands or menus, use |grep.pingExamplehistory | grep sysdisplays the history of commands containing the string sys.Pings a host on the network to test its availability.Syntaxping IP address of the host to ping. RequiredNumber of packets to send.If N is 0, the device will ping indefinitely. Use Ctrl-C to stop.RequiredrebootStops all processes and then reboots the APSolute Vision server.SyntaxrebootshutdownStops all processes and then shuts down the APSolute Vision server.Syntaxshutdown82 Document ID: RDWR-APSV-V107_AG1101

grepAPSolute Vision Administrator GuideAPSolute Vision CLI CommandsSelects lines containing a match for the specified regular expression. You can use this commandonly concatenated to other commands that produce output.Syntax| grep The regular expression string to match. RequiredTip: Use this command with history and timezone list commands to filter output.|morePaginates command output. You can use this command only concatenated to other commandsthat produce output.Syntax| moreTip: Use this command with history and timezone list commands to paginate output.Network Configuration CommandsThe net menu includes the following commands to display and configure network interface settingsand IP routing:• net dns get• net dns set primary• net dns set secondary• net dns set tertiary• net dns delete primary• net dns delete secondary• net dns delete tertiary• net ip set• net ip delete• net ip get• net ip management set• net physical-interface get• net physical-interface set• net route set host• net route set net• net route set default• net route delete• net route getDocument ID: RDWR-APSV-V107_AG1101 83

APSolute Vision Administrator GuideAPSolute Vision CLI CommandsDNS CommandsUse net dns commands to display and configure DNS server settings.net dns getDisplays the IP address for each configured DNS server.Syntaxnet dns getnet dns set primaryAdds a primary DNS server to the DNS server table. If a primary DNS server already exists, thenew configuration overwrite the old one.Syntaxnet dns set primary The IP address of the primary DNS server. Requirednet dns set secondaryAdds a secondary DNS server to the DNS server table if there is an existing configuration of aprimary DNS server. If there is no primary DNS server, APSolute Vision defines the secondaryserver as the primary. If a secondary DNS server already exists, the new configuration overwritethe old one.Syntaxnet dns set secondary The IP address of the secondary DNS server. Requirednet dns set tertiaryAdds a tertiary DNS server to the DNS server table if there is an existing configuration of aprimary and secondary DNS server. If there is no primary and secondary DNS server, APSoluteVision defines the tertiary server as the next-higher-level server (primary or secondary). If atertiary DNS server already exists, the new configuration overwrite the old one.Syntaxnet dns set tertiary The IP address of the tertiary DNS server. Requirednet dns delete primaryDeletes the primary DNS server.Syntaxnet dns delete primarynet dns delete secondaryDeletes the secondary DNS server.Syntaxnet dns delete secondary84 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideAPSolute Vision CLI Commandsnet dns delete tertiaryDeletes the tertiary DNS server.Syntaxnet dns delete tertiaryNetwork Interface CommandsUse net ip commands to display and configure APSolute Vision server network-interface settingsand define the physical, management port (G1 or G2) on the APSolute Vision server. The physical,management port is not bound to the IP address.Note:After changing the configuration of a physical, management port (G1 or G2), you mustrestart the APSolute Vision server.net ip setConfigures an IP address for APSolute Vision server network interface on the physical port G1 orG2.Syntaxnet ip set {G1|G2} The IP address of the network interface. Required The subnet for the network interface. RequiredG1|G2 Specifies whether the interface is on G1 or G2. Requirednet ip deleteDeletes an IP address from a physical port on the APSolute Vision server.Syntaxnet ip delete {G1|G2}G1|G2 The physical port on the APSolute Vision server to delete. Requirednet ip getDisplays the MAC addresses for LAN1 and LAN2, and information about the configured networkinterfaces.Syntaxnet ip getnet ip management setSets the network interface to use for the management interface.Syntaxnet ip management set {G1|G2}G1|G2 The physical port on the APSolute Vision server. RequiredDocument ID: RDWR-APSV-V107_AG1101 85

APSolute Vision Administrator GuideAPSolute Vision CLI CommandsPhysical Interface CommandsUse net physical-interface commands to display and configure network physical interfacesettings on the APSolute Vision server.net physical-interface getDisplays speed and duplex mode for each accessible network physical interface on the APSoluteVision server. Displays whether a physical interface is down, and whether auto-negotiation modeis set.Syntaxnet physical-interface getnet physical-interface setConfigures speed and duplex mode for a network physical interface using manual settings or bysetting auto-negotiation. The speed and duplex arguments take precedence over theautonegotiation setting. That is, if you change the speed and/or duplex setting, APSolute Visionsets autonegotiation to OFF automatically.Syntaxnet physical-interface set {G1|G2} autoneg {on|off} speed {10|100|1000}duplex {half|full}G1|G2 The physical interface to configure, G1 or G2. Requiredautoneg {on|off}The autonegotiation mode. Enter autoneg on toset speed and duplex mode by auto-negotiation.Optionalspeed {10|100|1000} The speed setting (Mbps). Optionalduplex {half|full} The duplex-mode setting. OptionalExamplesA net physical-interface set G1 autoneg onB net physical-interface set G2 speed 1000 autoneg offC net physical-interface set G1 duplex half speed 10 autoneg offRouting CommandsUse net route commands to display and configure IP routing settings. APSolute Vision savesconfigured routes by retrieving them directly from the kernel’s active routing table. Routes are bedeleted when deleting an IP address from a specific device interface.net route set hostSets a route to a destination host.86 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideAPSolute Vision CLI CommandsSyntaxnet route set host [dev ]The IP address of the destination host to which the route isdefined.Required The IP address of the next hop towards the destination host. Required[dev ] The physical port on the APSolute Vision server. Optionalnet route set netSets a route to a destination network or subnet.Syntaxnet route set net [dev ]The IP address of the destination network to which the route isdefined.Required The destination subnet. RequiredThe IP address of the next hop towards the destinationnetwork.Required[dev ] The physical port on the APSolute Vision server. Optionalnet route set defaultSets a default gateway route.Syntaxnet route set default [dev ] The IP address of the default gateway (next hop). Required[dev ] The physical port on the APSolute Vision server. Optionalnet route deleteDeletes a route entry from the routing table.Syntaxnet route delete [dev ]To delete a network route, enter the IP address of thecorresponding destination network.Required The destination subnet. Required The IP address of the default gateway (next hop). Required[dev ] The physical port on the APSolute Vision server. OptionalDocument ID: RDWR-APSV-V107_AG1101 87

APSolute Vision Administrator GuideAPSolute Vision CLI Commandsnet route getDisplays routing information for active routes and statically-configured host routes, networkroutes, and default routes.Syntaxnet route getSystem CommandsThe system menu includes the following system commands for the APSolute Vision server:• system backup, page 89• system restore, page 89• system restore, page 89• system database clear, page 89• system database start, page 89• system database stop, page 89• system database status, page 89• system date get, page 90• system date set, page 90• system ntp add, page 90• system ntp delete, page 90• system ntp get, page 91• system ntp service, page 91• system ntp status, page 91• system tcpdump export, page 91• system tcpdump print, page 92• system timezone get, page 92• system timezone list, page 92• system vision-server start, page 92• system vision-server status, page 93• system vision-server stop, page 93• system hostname get, page 93• system statistics, page 93• system user change-password, page 93• system version, page 9388 Document ID: RDWR-APSV-V107_AG1101

APSolute Vision Administrator GuideAPSolute Vision CLI CommandsBackup and Restore CommandsUse the system backup and system restore commands to back up and restore the APSoluteVision database.system backupPerforms a backup of the APSolute Vision database to a file on the APSolute Vision server. Thebackup includes configuration tables, security reporting, and Alerts pane.The APSolute Vision server must be stopped to run the backup.Syntaxsystem backupsystem restoreRestores the APSolute Vision database from a backup file on the server that was created with asystem backup command.To see the backup file names, connect to the server via SFTP. The default user/password isradware/radware.Syntaxsystem restore The name of the backup file to restore. RequiredDatabase CommandsUse system database commands to manage the APSolute Vision database.system database clearClears and initializes the APSolute Vision database.Syntaxsystem database clearsystem database startRestarts the APSolute Vision database, making it available for access.Syntaxsystem database startsystem database stopStops the APSolute Vision database, making it unavailable for access.Syntaxsystem database stopsystem database statusShows the database status. For example, the output:MySQL running (2688) [OK]shows the database is up and running with process ID 2688.Syntaxsystem database statusDocument ID: RDWR-APSV-V107_AG1101 89

APSolute Vision Administrator GuideAPSolute Vision CLI CommandsDate CommandsUse system date commands to display and set date and time on the APSolute Vision server.system date getDisplays the APSolute Vision server date and time.Syntaxsystem date getsystem date setSets the date and time on the APSolute Vision server.Syntaxsystem date set The date and time in the format YYYY/MM/DD hh:mm:ss,where:YYYY represents the year, MM the month, DD the day, hh thehour, mm the minutes, ss the seconds.RequiredExamplesystem date set 2010/05/23 13:56:00 sets date and time to 23/05/2010 13:56.Network Time Protocol CommandsUse system ntp commands to manage Network Time Protocol (NTP) settings to synchronize timeand date across the network.system ntp addAdds the specified NTP server to the list of NTP servers.Syntaxsystem ntp add [] The IP address of the NTP server. RequiredThe interval, in seconds, between time query messages sentto the NTP server.Optionalsystem ntp deleteRemoves the specified NTP server from the list.Syntaxsystem ntp delete The IP address of the NTP server to remove. Required90 Document ID: RDWR-APSV-V107_AG1101

system ntp getDisplays the list of NTP servers used for time and date synchronization.Syntaxsystem ntp getsystem ntp serviceStarts and stops the NTP service (ntpd).Syntaxsystem ntp service {start | stop | status}APSolute Vision Administrator GuideAPSolute Vision CLI Commandsstart | stop |statusUse one of the following commands:• start: Starts the NTP service, which starts to send querymessages to the external NTP servers to synchronize timeand date.• stop: Stops the NTP service.• status: Displays the status of the NTP service, ntpd isrunning or ntpd is stopped.Requiredsystem ntp statusMonitors the operation of the NTP daemon (ntpdc command) and displays the output at theconsole. There is no output when the NTP daemon is not running.Syntaxsystem ntp statusTCP Capture CommandsUse system tcpdump commands to dump a TCP capture for debugging.system tcpdump exportExports the TCP capture file by SSH. The file, dump.cap, is initially created locally, on the server.After entering the system tcpdump export command, you are prompted to enter a filter. Youshould insert a valid tcpdump filter and press Enter or press Enter with an empty expression toget the entire dump.When the TCP capture ends, you are prompted to copy the dump.cap file using SFTP. Thedump.cap file is deleted from the server after the command ends.Syntaxsystem tcpdump export [-t ] [-c ] [-s ]-t The timeout in seconds. Enter 0 for no timeout.Default: 60 seconds-c The maximum number of packets. Enter 0 for no maximum.Default: 10000-s The size to truncate packets to.Default: 0—Specifies no truncationOptionalOptionalOptionalDocument ID: RDWR-APSV-V107_AG1101 91

APSolute Vision Administrator GuideAPSolute Vision CLI Commandssystem tcpdump printDumps a TCP capture directly to the console.After entering the system tcpdump print command, you are prompted to enter a filter. Youshould insert a valid tcpdump filter and press Enter or press Enter with an empty expression toget the entire dump.Syntaxsystem tcpdump print [-t ] [-c ] [-s ]-t The timeout in seconds. Enter 0 for no timeout.Default: 60-c The maximum number of packets. Enter 0 for no maximum.Default: 10000-s The size to truncate packets to.Default: 0—Specifies no truncationOptionalOptionalOptionalTime Zone CommandsUse system timezone commands to display the time zone, with or without daylight saving time,on the APSolute Vision server.system timezone getDisplays the time zone set on the APSolute Vision server.Syntaxsystem timezone getsystem timezone listLists the time zones that are supported on the APSolute Vision server.Syntaxsystem timezone listTip:— To paginate output, use system timezone list | more.— To find a specific time zone, use |grep. For example, to find the time zone for London, usesystem timezone list | grep Lon to display all time-zone names containing Lon.APSolute Vision Server CommandsUse system vision-server commands to manage the APSolute Vision server.system vision-server startStarts the APSolute Vision server.Syntaxsystem vision-server start92 Document ID: RDWR-APSV-V107_AG1101

system vision-server statusAPSolute Vision Administrator GuideAPSolute Vision CLI CommandsShows the status of the APSolute Vision server, Server running or Server stopped.Syntaxsystem vision-server statussystem vision-server stopStops the APSolute Vision server.Syntaxsystem vision-server stopAdditional System Commandssystem hostname getDisplays the hostname of the APSolute Vision server.Syntaxsystem hostname getsystem statisticsDisplays system resources statistics, including CPU utilization, uptime, system disk usage,database disk usage, RAM utilization, and network throughput.Syntaxsystem statisticssystem user change-passwordChanges the user password for access to the APSolute Vision CLI. (The default password forusername radware is radware.)When you use this command, you will be prompted to enter a new password at the New UNIXPassword prompt; then, retype the password for verification.Syntaxsystem user change-passwordsystem versionShows the version of the APSolute Vision server software.Syntaxsystem versionsystem vision-web-password setRuns a script to set a new password for Web access to the APSolute Vision server. The scriptprompts you for the new password. For security reasons, the characters of the password are notdisplayed. The default password is radware.Syntaxsystem vision-web-password setDocument ID: RDWR-APSV-V107_AG1101 93