Pravail APS 2.0 Certification Training
Unit 4
Configuration
Pravail
Objectives
At the conclusion of this unit you should be able to:
• Explain the purpose of each Web User Interface
page-top control
• Set the Pravail APS deployment mode and global
protection level
• Configure general settings
• Upload, download, and delete local files
• Load custom SSL certificates and a custom banner
logo
• Configure new user accounts
• Configure the ATLAS Intelligence Feed
• Configure notification delivery
Page 2 - Company Confidential
Configuration
• Web UI Overview
• Administration Menu
Summary View
First Page at Login
Arbor Smart Bar
Page-Top Controls
View deployment mode
Customizable logo
Protection choices
Navigation menu
Download PDF of page
Who am I?
Email page as attachment
Log out
Context sensitive documentation
Navigation Menus
Administration is done
via submenu navigation
Protection Group navigation
is embedded in page options,
so there are no submenus
Summary is a fixed page,
so there are no submenus
Global Protection Levels
Click to change
protection level
• Protection levels allow easy risk / benefit choices
– Low: Normal conditions. Low-risk protection and
blocking is done. No tolerance for false positives
– Medium: Significant attack. Stricter prevention settings.
Unusual good traffic may be dropped
– High: Heavy attack. Aggressive prevention. More
legitimate traffic may be blocked but most is passed
• Changing the Protection Level affects all Protection
Groups
• Protection Level can only be changed in Web UI
Deployment Modes
Shows deployment
sub-mode
Shows deployment mode
• Inline deployment mode forwards traffic
– All traffic is forwarded in both directions unless
blocked according to protection group settings
– Sub-mode selection box appears between
deployment mode and protection level selection
• Monitor deployment mode never forwards traffic
– No sub-mode box is displayed
Deployment Modes (Cont.)
Inline Mode
Click to change
deployment sub-mode
Inline deployment mode
• Inline deployment mode provides two sub-modes:
– Active → blocks malicious traffic according to
protection group settings for this protection level
• Blocking is done only for incoming traffic on protection
interfaces, not outgoing
– Inactive → forwards all traffic and reports the traffic
that it would block if in Active sub-mode
• A test mode for prevention settings
Deployment Modes (Cont.)
Monitor Mode
Monitor deployment mode
• Monitor deployment mode has no sub-modes
– Sub-mode selection is not shown
• Monitor deployment mode never forwards traffic
– Traffic blocking is reported the same as Inline mode
– Monitor mode and Inline Inactive sub-mode are the
same except that monitor mode does no forwarding
User Group Privilege Levels
• Administrators designated using system_admin
group …
– Can see all displayed information
– Can change anything
• Other users designated using system_user group …
– Can see all displayed operational information
– Can see only selected administration settings
– Cannot change anything
• Users in custom user groups are governed by
group’s authorization key configuration
User Group Privilege Levels (Cont.)
Menu Bar View
Menu bar for Pravail administrators
Click to change inline deployment sub-mode
Click to change protection level
Menu bar for other Pravail users
View Settings only
Configuration
• Web UI Overview
• Administration Menu
Administration Menu
• Administration menu is a good guide to what needs
configuration
– Most of the “set and forget” settings
Administration > General
General Settings
Administration > General
General Settings (Cont.)
Administration > General
Basic servers
To monitor Pravail
For alert notifications and emailed reports
Data Retention
Administration > General
• Organizations with policies against long term
storage of network data can set data lifetime here
– Data is culled daily
Time and Date Format
Administration > General
• Change Web UI display of date and time to local
preference
• Cannot set time or timezone here
– Must use CLI
Administration > Files
File Management
Administration > Files
Upload a File
Administration > Files
File Upload Popup
Administration > Files
File Download
Administration > Files
Click here to get browser download dialog
File Delete Selection
Administration > Files
File Delete Popup
Administration > Files
Custom Banner Logo
Administration > Files
Default Arbor banner logo
shown in upload section
Button for upload
of custom logo
• You may replace the Arbor Pravail logo above the
menu bar with your own logo image
Custom Banner Logo Upload Dialog
Administration > Files
Custom Banner Logo Upload Complete
Administration > Files
Current banner logo
shown in upload section
Upload another custom logo
over previous custom logo
Restore default logo
• Full page reload is required for new logo to appear
Upload PKI or Custom SSL Certificate
Administration > Files
Upload new UI
SSL certificate
• Customers can upload a Web UI SSL certificate
signed via PKI or their own Certificate Authority
– Client sessions such as AIF will continue to use
embedded Arbor certificate
Upload PKI or Custom SSL Certificate (Cont.)
Administration > Files
• SSL certificate must always be uploaded with a CA certificate
– Error results from upload attempt with only one certificate
Error after
“Upload” click
CA certificate
not specified
Upload PKI or Custom SSL Certificate (Cont.)
Administration > Files
• Certificates must be
concatenated in a text file
with Private Key
• Must be encoded in
Privacy Enhanced Mail
format (.pem file extension)
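A structural pre-upload check for the certificate files described above, as an added example (not Arbor's code). It assumes the upload dialog takes two PEM text files, one holding the server certificate concatenated with its private key and one holding the CA certificate; the function names and sample blocks are constructed for illustration.

```python
import base64
import re

# PEM block: BEGIN/END lines with matching labels around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # corrupted or non-base64 body: treat the block as absent
        blocks.append((label, der))
    return blocks


def lint_ui_bundle(server_pem, ca_pem):
    """Return a list of problems; an empty list means structurally ready."""
    problems = []
    server = parse_pem(server_pem)
    certs = [der for label, der in server if label == "CERTIFICATE"]
    keys = [der for label, der in server if label in KEY_LABELS]
    if not certs:
        problems.append("server file: no PEM certificate (DER or empty?)")
    if len(keys) != 1:
        problems.append(f"server file: expected 1 private key, found {len(keys)}")
    ca = [der for label, der in parse_pem(ca_pem) if label == "CERTIFICATE"]
    if not ca:
        problems.append("CA file: no PEM certificate")
    # An X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
    if any(not der.startswith(b"\x30") for der in certs + ca):
        problems.append("a CERTIFICATE block is not DER X.509")
    return problems


def _pem(label, der):
    """Wrap bytes in PEM armor (used to build the constructed samples)."""
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


# Constructed placeholder blocks: tiny DER SEQUENCEs, not real credentials.
SAMPLE_CERT = _pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
SAMPLE_KEY = _pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00")
```

This is a structural check only; it does not confirm that the key matches the certificate or that the CA actually signed it.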
PKI or Custom SSL Certificate Upload Dialog
Administration > Files
Both certificates
are specified
PKI or Custom SSL Certificate Upload Complete
Administration > Files
• Pravail warns after upload button click that change
of SSL certificate will disrupt UI session
– Full browser reload is often not needed, but may be
easiest to explain to customers
PKI or Custom SSL Certificate Upload Complete (Cont.)
Administration > Files
• Most browsers will immediately show an error due
to mid-session change in SSL certificate
– A reload attempt on a secure browser will bring up a
security warning exception dialog
• A page reload and browser acceptance of the new
certificate will restore access to the Web UI
– You might even not lose the login session
PKI or Custom SSL Certificate Upload Complete (Cont.)
Administration > Files
Restore default
certificate
Update certificate
directly
Download Client-Side Server Credentials
Administration > Files
Download Web UI
and CLI credentials
• Customers can download Pravail APS CA
certificate and SSH public key for use in client-side
identity authentication
Download SNMP MIB Files
Administration > Files
Download MIB files
• Customers can download Pravail MIB and Arbor
SMI MIB for use with SNMP queries and SNMP
notification traps
Administration > User Accounts
User Accounts
Administration > User Accounts
• User Accounts define users’ login credentials,
contact information, and level of system access
Delete user account
Edit user account
Add new user
User Groups
• Users are assigned to a user group
– User groups define user privileges
• Pravail APS has three predefined user groups:
system_admin → has full privileges
system_user → has read-only privileges to see most
anything but to change almost nothing
system_none → disables account login
• Custom user groups may be configured in the CLI
– Privileges assigned via authorization keys
– When adding a new user account in Web UI, Group
selection box will show both predefined and custom
user groups
Add a New User Account
Administration > User Accounts
Username is
not editable
• User accounts can be added only by a user in group
‘system_admin’ or another group with admin privileges
Account Edit Errors
Administration > User Accounts
Errors
appear here
• Pravail enforces basic password security
– Must be at least 7 characters but no more than 35 characters long
– Cannot be all digits or all lower-case letters
– Cannot include spaces
Non-privileged User Limitations
Administration > User Accounts
Username is not editable
User group is not shown
• A user in group “system_user” or other group with
no admin privileges can edit only their own account
User Authentication Methods
• Three user authentication methods are supported:
– Local
– TACACS+
– RADIUS
• Authentication method(s) are configured in CLI
– Use / services aaa commands
– Local method is default
– TACACS+ and RADIUS do not appear anywhere in
the Web UI
Administration > ATLAS Intelligence Feed
AIF Configuration
Administration > ATLAS Intelligence Feed
Manual AIF
updates
Automatic
AIF updates
Adjustable
update interval
• AIF update can be manual or automatic or both
– Interval for automatic updates defaults to 24 hours
from previous update
AIF Configuration (Cont.)
Administration > ATLAS Intelligence Feed
Status of most
recent update
HTTPS proxy
service
Proxy user and
password optional
• AIF server at Arbor is preconfigured and immutable
– Uses Arbor domain name: aif.arbor.net
• Proxy Server configuration is also used for Cloud
Signaling proxy
– Configuring either configures the other
AIF Operation
Administration > ATLAS Intelligence Feed
Update button
was clicked
AIF Update
In progress
• It’s good practice to test AIF with a manual update
before relying on automatic updates
AIF Operation (Cont.)
Administration > ATLAS Intelligence Feed
Status and time of
most recent update
Manual update was successful
so auto updates are enabled
• It’s good practice to test AIF with a manual update
before relying on automatic updates
AIF Operation (Cont.)
Administration > ATLAS Intelligence Feed
• If an AIF update fails, an error message appears at
top of the AIF page to explain the problem
Administration > Notifications
Administration > Notifications (Cont.)
• All of the following notification methods are
supported:
– SMTP email
– SNMP traps
– Syslog export
• Simultaneous notifications by multiple methods
• Multiple export destinations per method
• Four notification event classes
– Enabled or disabled separately for each destination
Notification Event Classes
• System
– System status changes and system errors
• Anything notified as a system event is also recorded
in the change log
• Cloud
– Cloud Signaling status change
• Both Pravail-initiated and SP-initiated status changes
• Protect
– Global protection level change
• Deploy
– Changes between active and inactive inline
deployment modes
Notification Settings
Administration > Notifications
• Notification settings page has separate sections
for each notification method
– Each destination is listed separately in its section
Adding Destinations
Administration > Notifications
• Click ‘Add Notification’ to create a new notification
destination entry
• Select the notification method from the dropdown menu for a
configuration window
Adding Email Destinations
Administration > Notifications
• Each mail notification destination is configured with
both a “To” address and a “From” address
– “From” is per destination, not a global setting
Adding SNMP Destinations
Administration > Notifications
SNMP traps notifications
• SNMP version choice
(v2c or v3) changes
authentication fields
shown
Adding Syslog Destinations
Administration > Notifications
• Syslog export messages are sent with the facility
and severity that is set in the notification settings
Selecting Notification Events
Administration > Notifications
• Notification event classes are enabled and disabled
for a destination directly from the destinations lists
Editing Destination Settings
Administration > Notifications
• Click on a destination to edit its settings
– Configuration window that was used to add the
destination originally will reappear