Central Management

As the infrastructure grows, it becomes increasingly difficult to keep the configuration up to date on distributed devices. Issues caused by out-of-sync devices are very difficult to troubleshoot, and the entire effort is a complete waste of time.

A10 Harmony™ Controller simplifies the process and allows Thunder device administrators to push changes from a central location to a selected group of devices using CLI configuration snippets or aFlex templates. In the case of Lightning ADC, administrators specify the per-app configuration policies and the controller automatically pushes them to the right set of devices.

This brings more than 80% efficiency to the entire process and eliminates any error.

A10 Lightning ADC

A10 Lightning ADC is the cloud-native ADC product line of A10 Networks. It is pure software and can be installed in any environment. A10 Lightning ADC instances are stateless and are fully managed by A10 Harmony™ Controller. It is purpose-built for web applications that implement a micro-services architecture and are deployed in cloud or containerized environments. However, it works equally well for traditional applications deployed in data centers.

A10 Lightning ADC instances are deployed in an active-active cluster, i.e. all the members of a cluster are always active and share the load. Because the instances are stateless, a cluster is elastic in nature: new instances can be added at any time, and existing instances can be shut down, without significantly impacting the running traffic.

Deploying A10 Lightning ADC Cluster

A10 Lightning ADC instances can either be deployed manually and associated with an A10 Lightning ADC cluster, or the A10 Harmony™ Controller can launch them automatically. Which of these is available depends on the cloud infrastructure the user selects; the configuration page provides the user with multiple options to deploy A10 Lightning ADC. At its most basic, deployment is about setting up a virtual machine with the A10 Lightning ADC software.

Deploying in AWS Cloud

A10 Networks releases a pre-built Amazon Machine Image (AMI) of A10 Lightning ADC for quick set-up. A10 Harmony™ Controller is capable of launching A10 Lightning ADC in the user's AWS account if the user is comfortable granting the system permission to do so. Otherwise, the user can launch A10 Lightning ADC manually using a Cloud Formation Template (CFT) or from the Amazon marketplace.

Automatic Launch of A10 Lightning ADC Cluster by System

To automatically launch an A10 Lightning ADC cluster, choose the Automatic cluster type option in the Create Cluster screen. For the auto launch of an A10 Lightning ADC cluster, the user must provide AWS credentials in the form of an ARN so that the system can access the various AWS resources of the user's AWS account.

See also

For more information on different user account authorization, please refer to the ARN Policy section in the Infracredential configuration page.

With the above set of information, the user also needs to provide the exact location (AWS region, network, and subnets) where the A10 Lightning ADC should be launched, and the scale up/down policy for the cluster in accordance with higher/lower CPU usage. When the required configuration is saved, the A10 Lightning ADC instances are launched and automatically registered with the system into the specified cluster. A list of all AWS resources created during the process, as well as their status, is shown on the cluster page.

Follow the steps below to auto launch A10 Lightning ADC cluster by the system:

  1. Click + to add a new cluster, provide the cluster name, and then select the cloud credentials if already created. By default, the cluster type is set to Auto.
  2. Once the above step is completed, select the Region and then the Subnet(s) in which to launch the cluster, and set the Min/Max Instances in the cluster. Then save the cluster and wait for it to launch.
  3. Wait for the status to change to Launch Successful.

Launching A10 Lightning ADC Cluster Manually using AWS CFT

The A10 Lightning ADC cluster is launched manually when the user is not comfortable authorising the system to access the user's AWS account to launch the instances and other resources. If the user decides to use a Cloud Formation Template (CFT), all the steps are completely automated.

Follow the steps below to auto launch A10 Lightning ADC cluster by using CFT (Cloud Formation Template):

  1. Click + to add a new cluster, provide the cluster name, and then select cluster type as Manual. Save the settings.
  2. Provide information about placement and scaling; the system does not save this information.
  3. Generate a CFT from the above information by clicking the Export CFT button, select the AWS platform, and then download the CFT and save it.
  4. Upload the CFT to an S3 bucket in AWS. Click Services > S3 > Create Bucket > Bucket Name > Region > Create > Double click CFT created > Upload > Add/Upload CFT > Double click CFT Properties > Copy the Link address > Go to Services > Cloud Formation > Launch CloudFormer > Paste the Link address in the field Specify an Amazon S3 template URL > Next > Provide Key and Value > Review > Create.

A10 Lightning ADC instances launched using a system-provided CFT are automatically registered with the system into the specified cluster.

Launching A10 Lightning ADC Cluster Manually from AWS Marketplace

To launch the A10 Lightning ADC cluster manually from AWS Marketplace, use the A10 Lightning ADC AMI available in the AWS Marketplace. Follow the same process to launch an A10 Lightning ADC cluster in EC2-Classic as well. By manually launching the A10 Lightning ADC instance, the user has the liberty to choose the placement of instances, but scaling and security must be configured manually by the user.

Follow the steps below to launch A10 Lightning ADC cluster in AWS Marketplace:

  1. Log in to the A10 Lightning ADS and click + to add a new cluster, provide the cluster name, and then select cluster type as Manual. Save the settings.
  2. Go to https://aws.amazon.com/marketplace/ to access AWS Marketplace, search for A10 Lightning ADC, and click A10 Lightning ADC.
  3. Click Continue on this screen.
  4. Click Manual Launch and select the region to launch A10 Lightning ADC close to your App server.
  5. Click Next: Configure details.
  6. On this screen, configure the instance details. After providing the basic configuration details, click Advanced Details, select the As text radio button, and provide the information such as Cluster ID, Edge IP, and API Server URL as shown in the example below. Copy the JSON code below into the User data field and change only the Cluster ID; everything else remains the same.

User data JSON:

{
  "cluster_id": "Cluster-ID_from_UI",
  "edge_ip": ["https://<harmony-controller-address>/api/v2"],
  "api_svr_url": ["https://<harmony-controller-address>:8443/api/v2"]
}
  7. Click Add Storage and provide the storage requirements, or leave the defaults.
  8. Click Add Tags and provide the Name and Value.
  9. Click Next: Configure Security Group > Select an existing security group > Review and Launch.
  10. Click Launch.
  11. Select a Key pair and click Launch Instance.
  12. Check the Launch Status.
  13. Verify the cluster association with A10 Harmony™ Controller in the cluster information page.

Launching A10 Lightning ADC cluster in ASG (Auto Scaling Group) from AWS Marketplace

  1. Follow steps 2 to 5 from “Launching A10 Lightning ADC Cluster Manually from AWS Marketplace” before proceeding to the next step.
  2. On this screen, click Launch into Auto Scaling Group.
  3. Click Create Launch Configuration and provide the Name, then click Advanced Details and copy the JSON code below into the User data field, copy the Cluster ID from the cluster creation page as shown in step 6 above, and then click Add Storage.

User data JSON:

{
"cluster_id": "Cluster-ID_from_UI",
"edge_ip": ["https://<harmony-controller-address>/api/v2"],
"api_svr_url": ["https://<harmony-controller-address>:8443/api/v2"]
}

  4. Click Next: Configure Security Group > Select an existing security group > Review > Create Launch Configuration.
  5. Choose an existing key pair and click Create Launch Configuration.
  6. Provide the scaling group details, and then click Next: Configure Scaling Policies.
  7. Choose the option Use scaling policies to adjust the capacity of this group, provide all the details, and then click Next: Configure Notifications.
  8. Click Add Notifications.
  9. Select a notification endpoint from the list if already created. Otherwise, select create topic and follow step 10 to create a new notification endpoint.
  10. Steps to create a new topic (notification endpoint).
  11. Select the new notification endpoint created, as described in step 9, and then click Next: Configure Tags. Provide the Key and Value and click Review.
  12. Review the configuration and click Create Auto Scaling group.
  13. A message is displayed on successful creation of the Auto Scaling group.
  14. Review the Auto Scaling group created.
  15. Verify the cluster association with A10 Harmony™ Controller in the cluster information screen.

Upgrading A10 Lightning ADC version in AWS Marketplace

The steps below are for existing A10 Harmony™ Controller customers who already have A10 Lightning ADC instance(s) running in their AWS account and want to upgrade to the new version. For that, the user needs the cluster ID of the existing A10 Lightning ADC instance(s) running in the AWS account, and then follows the steps below.

Upgrading A10 Lightning ADC Manually in AWS Marketplace

  1. Log in to A10 Harmony™ Controller and look for the A10 Lightning ADC Cluster which has the A10 Lightning ADC instance already running in the AWS account, then copy the Cluster ID.
  2. Go to the AWS console and click EC2 > Launch Instance > AWS Marketplace > search A10 Lightning ADC > Select.
  3. Click Configure Instance Details.
  4. Click Advanced Details and copy the JSON code as shown below, using the Cluster ID of the existing A10 Lightning ADC.

Note

The JSON code format has changed. Do not use the old format to input the User data; use the one below.

User data Snippet:

{
  "cluster_id": "Cluster-ID_from_UI",
  "edge_ip": ["https://<harmony-controller-address>/api/v2"],
  "api_svr_url": ["https://<harmony-controller-address>:8443/api/v2"]
}
  5. Click Add Storage > Add Tag.
  6. Click Next: Configure Security Group > Select an existing security group > Review and Launch.
  7. Click Launch.
  8. Select a Key pair and click Launch Instance.
  9. Check the Launch Status.
  10. Verify the cluster association with A10 Harmony™ Controller in the cluster Information screen. Delete the old A10 Lightning ADC instance once the new A10 Lightning ADC instance association is displayed on the screen.
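
A pre-launch check for the user data JSON used in the Marketplace, Auto Scaling Group and upgrade procedures above, as an added example that is not part of the A10 documentation. The key names and list shape are the ones shown on this page; rejecting extra keys, requiring https, and the sample host name are assumptions of this example. EC2 user data is stored unencrypted and is readable from the instance, so it should carry only these registration values.

```python
import json
from urllib.parse import urlsplit

# Keys taken from the user data JSON shown on this page.
REQUIRED_KEYS = ("cluster_id", "edge_ip", "api_svr_url")
# Placeholder strings from the page that must be replaced before launch.
PLACEHOLDERS = ("Cluster-ID_from_UI", "<harmony-controller-address>")


def _check_url(key, url):
    """Return a list of problems found in one controller URL."""
    if not isinstance(url, str):
        return [f"{key}: entry {url!r} is not a string"]
    if any(p in url for p in PLACEHOLDERS):
        return [f"{key}: placeholder not replaced in {url!r}"]
    try:
        parts = urlsplit(url)
    except ValueError:
        return [f"{key}: {url!r} is not a parseable URL"]
    problems = []
    if parts.scheme != "https":
        problems.append(f"{key}: {url!r} must use https")
    if not parts.hostname:
        problems.append(f"{key}: {url!r} has no host")
    if parts.username or parts.password:
        problems.append(f"{key}: {url!r} embeds credentials")
    return problems


def validate_user_data(text):
    """Validate user data text; return a list of problems (empty means OK)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(data, dict):
        return ["top level must be a JSON object"]

    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in data]

    # Assumption of this example: anything beyond the three documented
    # keys is a mistake, since user data is readable on the instance.
    extra = sorted(set(data) - set(REQUIRED_KEYS))
    if extra:
        problems.append(f"unexpected keys: {extra}")

    if "cluster_id" in data:
        cluster_id = data["cluster_id"]
        if not isinstance(cluster_id, str) or not cluster_id.strip():
            problems.append("cluster_id: must be a non-empty string")
        elif cluster_id in PLACEHOLDERS:
            problems.append("cluster_id: placeholder not replaced")

    for key in ("edge_ip", "api_svr_url"):
        if key not in data:
            continue
        value = data[key]
        if not isinstance(value, list) or not value:
            problems.append(f"{key}: must be a non-empty list of URLs")
            continue
        for url in value:
            problems.extend(_check_url(key, url))
    return problems


if __name__ == "__main__":
    import sys
    issues = validate_user_data(sys.stdin.read())
    for issue in issues:
        print("FAIL", issue)
    sys.exit(1 if issues else 0)
```

Pipe the text intended for the User data field into the script before pasting it into the console; a non-zero exit status means at least one check failed.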

Auto Upgrading A10 Lightning ADC in AWS Marketplace

To upgrade the A10 Lightning ADC version in an Auto Scaling Group (ASG) of the AWS account, follow the steps below.

  1. Log in to A10 Harmony™ Controller and search for the A10 Lightning ADC which is already in an ASG of AWS.
  2. Look for the launch configuration information in the Cluster information screen.
  3. Click Launch Configuration in the AWS screen and search for the launch configuration which you found in the Cluster screen.
  4. Select the A10 Lightning ADC and click Actions > Copy launch configuration.
  5. From the Copy launch configuration screen, click Edit AMI, then click AWS Marketplace, search for A10 Lightning ADC, and select the radio button Yes, I want to continue with this AMI.
  6. Click Next: Configure details.
  7. In the Configure details screen, click next.
  8. Select the existing security group for the running A10 Lightning ADC instance and click Review.
  9. Click Create launch configuration.
  10. Select the existing key pair or create a new key pair.
  11. Check the status.
  12. Click Auto Scaling Group, choose the existing A10 Lightning ADC instance, and in the Details increase the desired instance count (for example, if it is “1” change it to “2”), then wait for the new instance to launch.
  13. The cluster page now shows two A10 Lightning ADC instances, the old and the updated.
  14. Check the CPU stats for the new A10 Lightning ADC instance, for analytics.
  15. In AWS, both the old and the updated A10 Lightning ADC instances are running.
  16. To make the updated A10 Lightning ADC instance(s) active, delete the old instance(s) by reducing the desired instance count (for example, if it is “2” change it to “1”) in the “Auto Scaling Group” screen; the old instance is automatically deleted by AWS.
  17. The old instance is terminated.
  18. The cluster screen now shows only the updated A10 Lightning ADC instance.

Deploying in Google Cloud Platform (GCP)

Automatic Launch of A10 Lightning ADC Cluster by System in GCP

To automatically launch an A10 Lightning ADC cluster, choose the option Auto(Launched by System) in the Add New Cluster page. For the auto launch of an A10 Lightning ADC cluster, GCP credentials have to be provided so that the system can access the various GCP launch resources of the user's GCP account. The user is also required to select the appropriate Project to associate with the cluster.

See also

For more information on creating GCP Credentials, refer to the Onboarding an Application section in the document.

With the above set of information, the user also needs to provide the exact location (GCP region, network, and subnets) where the A10 Lightning ADC should be launched, and the scale up/down policy for the cluster in accordance with higher/lower CPU usage. When the required configuration is saved, the A10 Lightning ADC instances are launched and automatically registered with the system into the specified cluster. A list of all GCP resources created during the process, as well as their status, is shown on the cluster page.

Note

Please ensure that TCP port 5666 is open on your A10 Lightning ADC node. As part of A10 Lightning ADC image creation, we install the NRPE (Nagios Remote Plugin Executor) plugin, which allows the cloud team to monitor A10 Lightning ADCs remotely. Services using the NRPE daemon bind to port 5666 by default. This allows us to alert your team when any events occur. If you have monitoring in place, you can decide NOT to open TCP port 5666. This applies to both manual and auto launch of A10 Lightning ADC.

Follow the steps below to auto launch A10 Lightning ADC cluster by the system:

  1. Click + to add a new cluster, provide the cluster name, attach the cloud credential, and select the appropriate Project. By default, the cluster type is set to Auto.
  2. Once the above step is completed, select the Region and then the Subnet(s) in which to launch the cluster, and set the Min/Max Instances in the cluster. Then save the cluster and wait for it to launch.
  3. Wait for the status to change to Launch Successful.

Launching A10 Lightning ADC Cluster Manually in GCP

The A10 Lightning ADC cluster is launched manually when the user is not comfortable authorising the system to access the user's GCP account to launch the instances and other resources.

Follow the steps below to launch A10 Lightning ADC cluster manually in GCP:

  1. Click + to add a new cluster, provide the cluster name, and then select cluster type as Manual. Save the settings.
  2. The View/Edit Cluster screen provides the metadata information, such as Cluster ID and API server URL, which is used to associate the cluster with GCP.
  3. Log in to GCP using the Google account credentials.
  4. Click Product and Services in the top left corner, and from the drop-down select Compute Engine > Instance Templates > CREATE INSTANCE TEMPLATE.
  5. Input the instance name and keep the other fields as default, expand [Management, disk, networking, SSH keys], and then provide the metadata information (cluster ID and API server URL or Edge IP).
  6. Create an Instance group and associate the Instance template with the Instance group. Keep all the fields set as default. Select an existing instance or select an instance template, and then click Create.
  7. View the status of the A10 Lightning ADC cluster instance.

Deploying in Azure Infrastructure

To launch the A10 Lightning ADC cluster in an Azure account, use the Azure machine image provided by A10 Networks in Azure Marketplace. By manually launching the Lightning ADC instance, the user has the liberty to choose the placement of instances, but scaling and security must be configured manually by the user.

Steps to launch A10 Lightning ADC Cluster manually in Azure Marketplace

  1. Click + to add a new cluster, provide the cluster name, and then select cluster type as Manual. Save the settings.
  2. Log in to Azure Marketplace and search for A10 Lightning ADC. From the search results, select A10 Lightning ADC-BYOL to launch the VM.
  3. After the successful launch of A10 Lightning ADC, SSH to the A10 Lightning ADC instance with the user-defined username and password.
  4. Run the command below to gain the required privileges:

    sudo su

  5. Run the register-cli command to register A10 Lightning ADC to the cluster, and then follow the steps in the example below to launch A10 Lightning ADC successfully:

register-cli

Example:

Welcome to A10 LADC Shell
It is advised to change the default password
Do you want to change password([Y]es/No) : No
Password not changed.Continuing with registration
--------------------------------------------------
Do you want to register LADC([Y]es/No): Yes
Register your A10 Lightning ADC with the Controller using
Cluster ID and API Server URL. You can get them by logging into
A10 Lightning ADS and selecting the cluster name from the left
pane.
-------------------------------------------------------------
Input the API server URL and Cluster ID that is obtained from
the A10 Lightning ADS UI
Please enter API server URL: https://<harmony-controller-address>/api/v2
Please enter the cluster id: ofvrgvdj6i
API Server URL: https://<harmony-controller-address>/api/v2
Cluster ID: ofvrgvdj6i
Is this information correct([Y]es/No) : Yes
Applying changes
Waiting for the proxy to get registered.
Trying to connect to API server
Starting registration
Updated cluster id
Updated API Server
Restarting services
Services restarted
Congratulations!
LADC activation is completed successfully.!
  6. After successful registration of Lightning ADC in Azure Marketplace, go back to the A10 Lightning ADS Cluster page and refresh the page to view the association of A10 Lightning ADC with A10 Harmony Controller.

Upgrading A10 Lightning ADC Cluster in Azure Infrastructure

This section of the document provides the steps to upgrade the A10 Lightning ADC version in the Azure Infrastructure.

  1. Copy the cluster ID from the running A10 Lightning ADC cluster and keep it ready.
  2. Log in to Azure Marketplace and search for A10 Lightning ADC. From the search results, select A10 Lightning ADC-BYOL to launch the VM.
  3. After the successful launch of A10 Lightning ADC, SSH to the A10 Lightning ADC instance with the username and password.
  4. Run the command below to gain the required privileges:

    sudo su

  5. Run the register-cli command to register A10 Lightning ADC to the cluster:

register-cli

When the above command is executed, it prompts for the cluster ID; the user can provide the cluster ID of the running A10 Lightning ADC.

  6. After successful registration of Lightning ADC in Azure Marketplace, go back to the A10 Lightning ADS Cluster page and refresh the page to view the association of A10 Lightning ADC with A10 Harmony Controller.
  7. Once the upgraded A10 Lightning ADC is associated with the A10 Harmony Controller, the user can delete the old A10 Lightning ADC.
  8. On successful deletion of the old A10 Lightning ADC cluster, the cluster page displays only the upgraded A10 Lightning ADC cluster.

Deploying in Docker Environment

Docker containers are based on open standards, enabling containers to run on all major Linux distributions and on Microsoft Windows and on top of any infrastructure.

A10 Harmony™ Controller users can deploy A10 Lightning ADC instances in Docker containers. This makes the deployment independent of the underlying infrastructure, and Lightning ADC can be deployed near the application servers wherever the servers are deployed.

The user is expected to have the Docker engine installed before starting the A10 Lightning ADC deployment. Also, the user should have the Lightning ADC cluster configured in A10 Harmony™ Controller to obtain a cluster ID and API server URL.

Steps to configure a new cluster in A10 Harmony™ Controller to obtain the cluster ID and API server URL:

  1. Log in to A10 Harmony™ Controller, click Add New Cluster, provide the cluster name, select cluster type as Manual, and then click Save.
  2. Copy the cluster ID and API server URL from this page.

Command to launch Lightning ADC in Docker

Syntax

Single Port Mapping between host and container:

Command:

docker run -tdi -e ladc_api_svr_url="<api-server-url>" -e ladc_cluster_id="<cluster_id>" --net=host --restart=always a10networks/ladc

Example:

docker run -tdi -e ladc_api_svr_url="https://api.example.com:8443/api/v2" -e ladc_cluster_id=jsptxcvs --net=host --restart=always a10networks/ladc

Because of the --net=host switch, host networking is fully mapped to the container networking. Any port that is opened on the container because of application configuration is automatically opened and mapped on the host. Similarly, because of the --restart=always switch, the container is started automatically when the host machine starts.

In cases where host firewall rules (for example, firewalld) require an explicit ingress allow rule to access an open port, A10 Lightning ADC can be started as a privileged container (add the --privileged command line option to docker run) to create the required ingress allow rules.

Please refer to Docker Run Manual and Docker Run Reference for details.
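
An audit of `docker inspect` output for the options discussed above (--net=host, --privileged, -p port mappings), as an added example that is not part of the A10 documentation. It reports which containers run privileged or on the host network, which publish ports on all interfaces, whether the image is pinned by digest, and whether the controller URL uses https; the container names, digest and URLs in the sample are constructed.

```python
import json

# Constructed `docker inspect` output for two containers, reduced to the
# fields read below. Names, digest and URLs are sample values.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/ladc-hostnet",
        "Config": {
            "Image": "a10networks/ladc",
            "Env": ["ladc_api_svr_url=http://controller.example.com/api/v2",
                    "ladc_cluster_id=jsptxcvs"],
        },
        "HostConfig": {
            "Privileged": True,
            "NetworkMode": "host",
            "RestartPolicy": {"Name": "always"},
            "PortBindings": {},
        },
    },
    {
        "Name": "/ladc-mapped",
        "Config": {
            "Image": "a10networks/ladc@sha256:" + "0" * 64,
            "Env": ["ladc_api_svr_url=https://controller.example.com/api/v2",
                    "ladc_cluster_id=jsptxcvs"],
        },
        "HostConfig": {
            "Privileged": False,
            "NetworkMode": "bridge",
            "RestartPolicy": {"Name": "always"},
            "PortBindings": {"9001/tcp": [{"HostIp": "", "HostPort": "9001"}]},
        },
    },
])


def audit_container(entry):
    """Return sorted finding codes for one `docker inspect` entry."""
    host = entry.get("HostConfig") or {}
    config = entry.get("Config") or {}
    findings = set()

    # --privileged gives the container near-root control of the host.
    if host.get("Privileged"):
        findings.add("privileged")
    # --net=host: every port the container opens is reachable on the host.
    if host.get("NetworkMode") == "host":
        findings.add("host-network")
    # -p bindings with an empty or wildcard HostIp listen on all interfaces.
    for bindings in (host.get("PortBindings") or {}).values():
        for binding in bindings or []:
            if binding.get("HostIp", "") in ("", "0.0.0.0", "::"):
                findings.add("port-on-all-interfaces")
    # An image reference without a digest can change between pulls.
    if "@sha256:" not in config.get("Image", ""):
        findings.add("image-not-pinned")
    # The controller URL is passed to the container as an environment variable.
    for item in config.get("Env") or []:
        key, _, value = item.partition("=")
        if key == "ladc_api_svr_url" and not value.lower().startswith("https://"):
            findings.add("controller-url-not-https")
    return sorted(findings)


def audit(inspect_json):
    """Map container name to findings for `docker inspect` JSON text."""
    return {entry.get("Name", "?").lstrip("/"): audit_container(entry)
            for entry in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, findings or "no findings")
```

On a real host, feed it the output of `docker inspect` for the running Lightning ADC containers instead of the constructed sample.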

Below is the example output of docker run command:

a10networks@a10networks-Vostro-2520:~/Documents$ docker run -tdi -e ladc_api_svr_url=https://<harmony-controller-address>/api/v2 -e ladc_cluster_id=pn446dtg7r -p 9001:9001 a10networks/ladc
Unable to find image 'a10networks/ladc:latest' locally
latest: Pulling from a10networks/ladc

45a2e645736c: Pull complete
56be6eca40c3: Pull complete
d6c162c01b87: Pull complete
2540ad4ea6ad: Pull complete
f9b8f9143c3e: Pull complete
2b591b61a96b: Pull complete
7a2396516d24: Pull complete
c54b1d1b3aef: Pull complete
20878495513c: Pull complete
545071a7d8d2: Pull complete
f375f2caa368: Pull complete
18d8f7e70311: Pull complete
Digest: sha256:c73976c943b0a9389cd56b9fc4b56ca37c2f1625e6cbcf18bceb3257e372901f
Status: Downloaded newer image for a10networks/ladc:latest
ac240d887d4c1d7fca850acb5d0db93ff601ed5a1833da6d682c6fc0c29caf73

On-boarding an Application

An Application includes the configurations that are required for Application delivery and allows the user to add many more complex policies as needed. To save an application, provide at least the name of the application and the traffic endpoint for the application. A user can add more configuration once the application is created. To activate an Application, the user must provide details of the application servers which are serving application traffic and associate a valid A10 Lightning ADC cluster which has A10 Lightning ADCs launched and running.

To on-board a new Application, follow the sequence below in A10 Harmony™ Controller:

  1. Add Credentials or use the existing ones.
  2. Add A10 Lightning ADC Clusters or use the existing ones.
  3. Add a new Application.

Adding a New Credential

Creating an AWS credential

Perform the steps below to add a new AWS Credential in A10 Harmony™ Controller:

  1. Click + to add a new Credential.
  2. Select the Credential Type as Infrastructure Credentials.
  3. Enter the Name.
  4. Select the cloud type as AWS. Check the box Use same ARN for DNS (Route53) credential to provide the AWS account access for A10 Networks to manage Application configuration on the cloud.
  5. Input the ARN Role. Click View steps to get Role ARN, and follow the on-screen instructions to get the ARN role.


Creating a GCP credential

Perform the steps below to add a new GCP Credential in A10 Harmony™ Controller:

  1. Click + to add a new Credential.
  2. Select the Credential Type as Infrastructure Credentials.
  3. Enter the Name.
  4. Select the cloud type as GCP.
  5. Click View steps to get Service Account Credential, and follow the on-screen instructions to get the service account credentials.

Adding a New Cluster

Creating an AWS Cluster

Perform the steps below to create a new AWS Cluster in A10 Harmony™ Controller:

  1. Click + to add a new Cluster.
  2. Under Cluster Information, provide the Cluster name and select the Cluster Type as Auto.
  3. Under Infrastructure Information, select the Cloud type as AWS and select the Cloud Credential which is already created. If not created, click the Add Credential button to create one. Then save the configuration.


Creating a GCP Cluster

Perform the steps below to create a new GCP Cluster in A10 Harmony™ Controller:

  1. Click + to add a new Cluster.
  2. Under Cluster Information, provide the Cluster name and select the Cluster Type as either Auto.
  3. Under Infrastructure Information, select the Cloud type as GCP and select the existing GCP cloud credential. If not created, click the Add Credential button to create one. Then save the configuration.
  4. After selecting the GCP cloud credentials, select the appropriate project.
  5. Fill in all the fields under A10 Lightning ADC Launch Information and click Save and Launch.
  6. View the A10 Lightning ADC launch status on this screen.

Adding New Application

Perform the steps below to add a new Application in A10 Harmony™ Controller:

  1. Click + to add a new Application.
  2. Under Application Information, provide the Application Name and Application Endpoint (application URL), and then choose the product type as Basic or Pro.
  3. Under Application Server Information, choose the appropriate Discover App Server Using option from the list.
  4. Under A10 Lightning ADC Cluster Information, select the A10 Lightning ADC cluster which is already created. If not created, click the Add Cluster button to create one. Then save the configuration.


Discover Application Server Using ELB

The steps below add a new application in A10 Lightning ADS and discover the application server using AWS ELB.

Assume the customer is using the CNAME of the ELB to load balance the traffic and wants to switch to A10 Lightning ADC DNS. In this case, first run nslookup to see what the endpoint name resolves to:

nslookup ezelb.greatco.org

Non-authoritative answer:
ezelb.greatco.org canonical name = ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com.
Name:    ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com
Address: 34.202.89.44
Name:    ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com
Address: 52.206.237.86

In the above nslookup output, the application endpoint resolves to the CNAME of the ELB. The following steps show how to change the DNS from the CNAME of the ELB to A10 Lightning ADC DNS.

  1. Click + to add a new application and provide all the information such as application name, application endpoint and so on. Then, in the Application Server Information section, select AWS in the App Server Hosted With field, provide credentials, and select ELB in the Discover App Server Using field.
  2. On selecting ELB in the Discover App Server Using field, the ELB name and app server IP are discovered by A10 Harmony Controller.
  3. At this step, the DNS is not updated yet and the application is still using the CNAME of the ELB for load balancing the traffic.
  4. Update the DNS credentials: click Edit and update, select the DNS server, and then click Update DNS. Updating the DNS will start routing the traffic through A10 Lightning ADC.
  5. On updating the DNS credential, click Change DNS.
  6. On successful completion, a message is displayed.

Once the DNS is changed, run the nslookup again to confirm the changes as shown:

nslookup ezelb.greatco.org
Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
ezelb.greatco.org    canonical name = cafenode.10h4stkre2.stage.ladc.a10networks.com.
Name:    cafenode.10h4stkre2.stage.ladc.a10networks.com
Address: 52.206.216.180

Now the nslookup output resolves to the A10 Lightning ADC DNS, which confirms that the traffic is routed through the A10 Lightning ADC DNS.
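
A scripted form of the before/after nslookup comparison above, as an added example that is not part of the A10 documentation. It follows the CNAME chain for the endpoint and reports whether it still ends at the ELB or now ends under the Lightning ADC domain; the suffix `ladc.a10networks.com` is an assumption inferred from the output shown on this page, and the two samples are the page's outputs with wrapped lines rejoined.

```python
import re

# The two nslookup outputs shown above, with wrapped lines rejoined.
BEFORE = """\
Non-authoritative answer:
ezelb.greatco.org canonical name = ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com.
Name:    ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com
Address: 34.202.89.44
Name:    ez-elbdemo-1915081478.us-east-1.elb.amazonaws.com
Address: 52.206.237.86
"""
AFTER = """\
Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
ezelb.greatco.org    canonical name = cafenode.10h4stkre2.stage.ladc.a10networks.com.
Name:    cafenode.10h4stkre2.stage.ladc.a10networks.com
Address: 52.206.216.180
"""

CNAME_RE = re.compile(r"^(\S+)\s+canonical name\s*=\s*(\S+)$")


def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_nslookup(text):
    """Return ({alias: target}, [answer addresses]) from nslookup output."""
    cnames, addresses = {}, []
    in_answer = False  # stays False while reading the resolver's own Address line
    for raw in text.splitlines():
        line = raw.strip()
        match = CNAME_RE.match(line)
        if match:
            cnames[_norm(match.group(1))] = _norm(match.group(2))
            in_answer = True
        elif line.startswith("Name:"):
            in_answer = True
        elif line.startswith("Address:") and in_answer:
            addresses.append(line.split(":", 1)[1].strip())
    return cnames, addresses


def final_target(name, cnames, max_hops=8):
    """Follow the CNAME chain from name; stop on loops or long chains."""
    seen = set()
    current = _norm(name)
    while current in cnames and current not in seen and len(seen) < max_hops:
        seen.add(current)
        current = cnames[current]
    return current


def under(name, suffix):
    """True if name equals suffix or is a subdomain of it (label boundary)."""
    name, suffix = _norm(name), _norm(suffix)
    return name == suffix or name.endswith("." + suffix)


def cutover_status(text, endpoint, adc_suffix, old_suffix):
    """Return (state, final CNAME target, addresses); state is adc/old/unknown."""
    cnames, addresses = parse_nslookup(text)
    target = final_target(endpoint, cnames)
    if under(target, adc_suffix):
        state = "adc"
    elif under(target, old_suffix):
        state = "old"
    else:
        state = "unknown"
    return state, target, addresses


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, cutover_status(text, "ezelb.greatco.org",
                                    "ladc.a10networks.com", "elb.amazonaws.com"))
```

A result of "old" after the DNS change means clients are still being sent to the ELB directly, so their requests do not pass through the Lightning ADC policies.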

Reviewing Generated Configuration

Once the above steps are performed, verify the Application profile by reviewing the generated configuration from Configuration > Application


Traffic Management Configuration

A10 Harmony™ Controller offers comprehensive load balancing functionalities such as elastic, secure, and centralized management of cloud applications. However, its main advantage comes from its use of cloud infrastructure to dramatically improve application delivery in cloud and data centre environments. The figure below shows the deployment of the Application Delivery System (ADS) on a full scale.

[Figure: Application Delivery System (ADS) deployment]

A10 Harmony™ Controller uniquely enables the following load balancing capabilities for cloud applications:

  • Layer 4 to Layer 7 advanced load balancing with auto-scale

Extends the traditional load balancing services with content switching and session persistence.

  • Policy-based traffic management

Specifies policies to optimally fulfil user requests.

  • Close-loop application delivery

Offers real-time application analytics, also provides adjustments for loading balancing policies.

Whether your organization is migrating its legacy applications from the data center or building new container-based microservice applications in the cloud, the A10 HarmonyTM Controller load balancer deploys in minutes through an application-intimate proxy in your availability zone.

The A10 HarmonyTM Controller Elastic Load Balancing(ELB) service enhances the cloud application capacity, flexibility, and visibility without any changes to application code.

Application Domain

A10 HarmonyTM Controller accepts the client requests for the domain names configured as application domains. When you on-board A10 HarmonyTM Controller, it creates an application domain by default (based on your application endpoint).

Adding and Removing a Domain

Adding a Domain

Follow the steps below for configuring an application domain in A10 HarmonyTM Controller:

  1. In A10 HarmonyTM Controller, go to the Tenant > Tenant Name > Edit Configuration > Application > Settings screen.
_images/image1.0.png
  2. Select Add a Domain, enter the domain name (for example, www.example.com), and then click Save to add an application domain.
_images/image1.2.png

Adding Multiple Application Domains

You can add as many Fully Qualified Domain Names (FQDNs) as application domains, using the Add a Domain option. Wildcard (*) may be used for specifying all the sub domains of a domain.

Deleting a Domain

If you have multiple domains, you can delete a domain by simply clicking Delete button, and then clicking the Delete Domain button.

Application DNS

Application DNS refers to the DNS name of A10 Lightning ADC. If you use a third-party DNS provider (the option Other when adding your application), you need to change the DNS record of your Application Domain at the DNS provider so that it points to the Application DNS: manually replace the CNAME record in your DNS provider with the Application DNS URL in this field. If you choose Route 53 as your DNS provider, this step is automated.

_images/image1.5.png

Note

You need a public DNS entry (For example, www.example.com or app.example.com) with DNS service provider of your choice for enabling users to access your application. Typically, the DNS entry is a ‘CNAME’ record or an ‘A’ record in your application domain’s hosted zone file.

Changing DNS Entry for Enabling Traffic Flow

Once you have completed required configurations, select Change DNS on the Settings Page. A message pop-up is displayed asking if you want to update the DNS information.

When the Change DNS button is selected, the traffic from the application domain is routed through the A10 Lightning ADC. At this step, the deployed A10 Lightning ADCs are your application front end. Note that until you enable A10 HarmonyTM Controller, traffic does not pass through the A10 Lightning ADC.

_images/image1.6.png

The above steps complete the on-boarding process in A10 HarmonyTM Controller.

Ports

Adding a Port

A10 HarmonyTM Controller listens for application traffic on the listening ports. To add a port, click the ADD PORT/LISTNER option on the Settings screen. You can add multiple listening ports if required.

_images/image1.7.png

Note

Before adding any HTTP2 or SSL ports make sure SSL is enabled.

Removing a Port

If you have multiple ports, you can delete a port by simply clicking Delete button, and then clicking the Delete option.

Note

Disabling SSL will also disable HTTP2

SSL Termination

Configuring SSL for a Domain

Each Application Domain with Fully Qualified Domain Names (FQDNs) requires its SSL settings if SSL is enabled on A10 HarmonyTM Controller. When you add a new application domain and want to copy the SSL settings of an existing domain to the new one, use the Copy SSL Settings option.

SSL Certificates (also called digital certificates) are enabled to establish a secure encrypted connection between A10 HarmonyTM Controller and Application Servers. The SSL connection protects sensitive data exchanged during each session.

To enable SSL, you need to have a valid SSL Certificate that identifies you and install it on the application server. A padlock icon is used to indicate the usage of SSL certificate in a web browser. However, it can also be shown by a green address bar. Once SSL installation is complete, you can access A10 HarmonyTM Controller securely by changing the URL from Http:// to Https://. When an SSL certificate is installed on the application server, you can be sure that the information you enter is secure.

_images/image1.10.png

When you enable SSL in A10 HarmonyTM Controller, the below options are displayed. Click on the relevant help buttons to get more information on these options.

  • Validate Certificate using server certificate chain/server key
  • Option to choose SSL Versions
  • Option to choose Ciphers
  • Option to choose Client Authentication

Copying SSL Properties to Multiple Domains

If SSL is already configured in a domain, we can copy the same config to newly added domains. Click on the Copy SSL settings and select the domain to copy SSL settings from in the left section. Select the domain to copy SSL settings to in the right section and click on Copy as shown in the figure below.

_images/image1.29.png

Http2

HTTP/2 is the next-generation protocol for transferring information on the web, improving upon HTTP/1.1 with more features leading to better performance. It manipulates HTTP traffic, with the particular goals of reducing web page load latency and improving web security. This policy can only be enabled with SSL.

Services

A service is identified by a traffic condition and a set of servers that serve traffic for client requests that match the traffic condition.

Default Service

When we configure an application a default service is created with the servers discovered/specified while onboarding an application.

Creating a Service

A new service is created under the following conditions:

  • When the traffic is served from a different set of servers.
  • When the traffic is served from various ports of the same set of servers.

Ordering of Services

If there are multiple services, they can be reordered using the up/down arrow icons based on which service the traffic should pass through.

_images/image1.31.png

Service Condition

When you add a service, you can configure traffic conditions within the service, and when there are client requests that match these service conditions they are served by the application servers.

_images/image_ServiceCondition.png

You can configure logical conditions for a service, using the following options:

  • URL Path: Enter the URL path value.
  • Header: Enter the header parameter name and value.
  • Cookie: Enter the header parameter name and value.
  • Query Parameter: Enter the query parameter name and value to present in the query string in a GET request.
  • Scheme: Select the scheme as Http or Https.
  • Method: The Http method on which this request is made. There are 4 Http methods; they are GET, POST, PUT, and DELETE.
  • Port: Enter the port value.
  • POST Body Parameter: Enter the POST Body Parameter value in the POST Request.
  • Country: The country code for the client network. This code is a two letter or three letter code or full name of the country.
  • Network: Network IP Address of the client network.

Use the logical operators AND and OR to combine multiple conditions and form a single final service condition. Once you have created a service, you can edit the service configurations later if required, using the pencil icon.

Servers

The Application Servers configured within the service are displayed in the Servers section. These servers provide/serve traffic that matches the conditions specified in the service. You can edit the application server configuration using the adjacent pencil icon (View/Edit Server Group).

_images/image1.31.png

The Edit Servers window is displayed where you can modify the application server information.

_images/image1.12.png

Load Balancing

Load balancing distributes client requests across multiple servers to optimize resource utilization. In a scenario where a limited number of servers provide service to a large number of clients, a server can become overloaded degrading server performance. Load balancing is used to prevent bottlenecks by forwarding the client requests to the servers best suited to handle them, thus balancing the load.

Load balancing uses algorithms called load balancing methods, to determine how the load is distributed among the servers.

In A10 HarmonyTM Controller, you can select any of these load balancing methods:

  • Least Connections
  • Round Robin
  • IP Hash
  • IP Port Hashing

Least Connections

When a load balancer is configured to use the least connection method, it selects the server with the least number of active connections to ensure that the load of the active requests is balanced on the services. This method is the default load balancing method because it provides the best performance.

This method is used when you do not want to overload a busy server and distribute the load to other servers which are relatively less loaded.

Round-Robin

Round-robin load balancing is one of the simplest methods for distributing client requests across a group of servers. In this mode of load balancing, the load balancer passes each new connection request to the next server in line, eventually distributing connections evenly across the array of machines being load balanced. When it reaches the end of the list, the load balancer loops back and goes down the list again (sends the next request to the first listed server, the one after that to the second server, and so on).

When configuring a service in A10 HarmonyTM Controller, choose the round-robin load balancing method if there are enough client requests and they need to be processed almost equally and fast enough among the available servers. Also, note that the round-robin method should be used when application servers are stateless and sessions are managed centrally at the back-end.

IP Hash

In the IP Hash load balancing, the client’s IP address is used as a hashing key to select the server (from the server group) to which the client’s requests are directed. This load balancing method ensures that the requests from the same client are always directed to this server, except when the server is unavailable.

This mode is particularly useful when you want to direct requests from the same client to the same server always. The IP hash method is useful when your application servers are stateful.

IP Port Hashing

In the IP Port Hash load balancing, the client’s IP address and Port number are used to calculate the hashing key to select the application server (from the server group) to which the client’s request is directed. As long as the IP address and the port number remain the same, the client’s requests are directed to the same server. But if the port number changes (but the IP address remains the same), the client’s requests are directed to a different server. Also, when the port number varies on the same client machine, the client’s requests are redirected to a different server.

In A10 HarmonyTM Controller, load balancing is always enabled and defaults to ‘Least Connections’ even if the checkbox is unchecked. You can choose ‘Round Robin’ or ‘IP Hash’ by selecting the corresponding radio button.
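The four selection methods described above, side by side, as an added sketch that is not A10's implementation. The SHA-256 based hash, the modulo mapping, the class and function names, and the server addresses are assumptions made for illustration.

```python
import hashlib


def _bucket(key: str, n: int) -> int:
    """Map a key to one of n slots. SHA-256 is an assumption of this sketch."""
    digest = hashlib.sha256(key.encode("ascii")).digest()
    return int.from_bytes(digest[:8], "big") % n


class ServerGroup:
    """A service's server group with the four selection methods."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.active = {s: 0 for s in self.servers}  # open connections per server
        self.down = set()                           # servers failing health checks
        self._next = 0                              # round-robin cursor

    def _in_service(self):
        up = [s for s in self.servers if s not in self.down]
        if not up:
            raise RuntimeError("all servers down: the Service Down Condition applies")
        return up

    def least_connections(self):
        # Fewest active connections wins; ties go to the first listed server.
        return min(self._in_service(), key=lambda s: self.active[s])

    def round_robin(self):
        up = self._in_service()
        server = up[self._next % len(up)]
        self._next += 1
        return server

    def ip_hash(self, client_ip):
        # Same client IP -> same server, while that server stays in service.
        up = self._in_service()
        return up[_bucket(client_ip, len(up))]

    def ip_port_hash(self, client_ip, client_port):
        # A new source port (that is, a new connection) may land elsewhere.
        up = self._in_service()
        return up[_bucket(f"{client_ip}:{client_port}", len(up))]


def servers_seen(group, client_ip, ports, method):
    """Set of servers one client IP reaches as its source port varies."""
    if method == "ip_hash":
        return {group.ip_hash(client_ip) for _ in ports}
    return {group.ip_port_hash(client_ip, p) for p in ports}


if __name__ == "__main__":
    # Constructed addresses, for illustration only.
    group = ServerGroup(["10.0.1.11", "10.0.1.12", "10.0.1.13"])
    ports = range(40000, 40064)
    print("ip_hash     :", servers_seen(group, "198.51.100.7", ports, "ip_hash"))
    print("ip_port_hash:", servers_seen(group, "198.51.100.7", ports, "ip_port_hash"))
```

With IP Hash, every client behind one NAT gateway or forward proxy shares a source address and therefore lands on the same server, so a single busy address can load one backend disproportionately.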

Session Persistence

Session persistence refers to directing a client’s requests to the same back-end web or application server for the duration of a “session” or the time it takes to complete a task or transaction. Also, we can redirect the same client to the same server, using the session persistence.

Note

A session is defined as a series of transactions between a client and a server over some finite period of time, ranging from several minutes to hours.

When you enable Session Persistence in a service in A10 HarmonyTM Controller, the following options are displayed:

Query Parameter

The query parameter in the HTTP GET request. For example, in the HTTP request http://www.abc.com/w/index.php?title=Main_page&action=raw, the query parameter name is title.

Location Affinity

Location Affinity provides the capabilities to load balance the inter-zone traffic, distributing the traffic evenly across the application servers with location aware load balancing.

Location Affinity supports Affinity Only and Affinity Weight options which give the user the flexibility to load balance the traffic more precisely within the Zone.

Note

The Location Affinity is supported only in AWS.

Note

When Location Affinity is enabled, it is recommended to disable the Session Persistence to avoid any interoperability issues.

Affinity Only: When this option is enabled Lightning ADC will only use Application Servers with the same zone as itself. Other Application Servers will only be used in case all local Application Servers are out of service.

Note

When Affinity Only is enabled, Affinity Weight option is ignored.

Affinity Weight: When this option is enabled, the weight of the zone-local server is multiplied by the Affinity Weight specified in the field.

For example, assume these are the servers configured, along with their weights:

  • 190.168.128.31 - Weight 1
  • 190.168.128.32 - Weight 1

When Affinity Weight is set to 2 and assuming 190.168.128.31 is the zone local server, configuration will be written out as

  • 190.168.128.31 - Weight 2 (1 * 2)
  • 190.168.128.32 - Weight 1

For every 3 requests, A10 Lightning ADC will push 2 requests to 190.168.128.31 and 1 request to 190.168.128.32. By adjusting Affinity Weight, the user can keep more requests within the same zone as Lightning ADC.
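The Affinity Only and Affinity Weight rules above, worked through in code as an added example that is not A10's implementation. The zone names, the Server type and the smooth weighted round-robin scheduler are assumptions; the page itself only states the resulting 2:1 ratio.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    ip: str
    zone: str          # availability zone of the application server
    weight: int = 1    # configured weight
    up: bool = True    # result of server monitoring


def effective_weights(servers, adc_zone, affinity_only=False, affinity_weight=1):
    """Return {ip: weight} as the ADC instance in adc_zone would use it."""
    healthy = [s for s in servers if s.up]
    local = [s for s in healthy if s.zone == adc_zone]
    if affinity_only:
        # Affinity Only: use zone-local servers; other zones are used only
        # when every local server is out of service. Affinity Weight is ignored.
        chosen = local or healthy
        return {s.ip: s.weight for s in chosen}
    # Affinity Weight: multiply the weight of zone-local servers.
    return {
        s.ip: s.weight * (affinity_weight if s.zone == adc_zone else 1)
        for s in healthy
    }


def schedule(weights, n):
    """Pick n servers in proportion to their weights (smooth weighted round-robin)."""
    if not weights:
        raise RuntimeError("no server in service")
    total = sum(weights.values())
    current = {ip: 0 for ip in weights}
    picks = []
    for _ in range(n):
        for ip, w in weights.items():
            current[ip] += w
        best = max(current, key=current.get)
        current[best] -= total
        picks.append(best)
    return picks


if __name__ == "__main__":
    # The two servers from the text; the zone names are constructed.
    servers = [
        Server("190.168.128.31", "zone-a"),
        Server("190.168.128.32", "zone-b"),
    ]
    w = effective_weights(servers, adc_zone="zone-a", affinity_weight=2)
    print(w)               # weights after applying Affinity Weight 2
    print(schedule(w, 3))  # two of every three requests stay in zone-a
```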

Configuring Location Affinity

The Location Affinity is configurable both in the existing default service and also in the new service after on-boarding.

To configure Location Affinity in the default service, click View/Edit Server Group and enable the Location Affinity as shown. Note, by default the Location Affinity feature is disabled.

_images/image1.31.png
_images/image1.12.png

To configure Location Affinity for a new service in A10 Lightning ADC, go to Services > Add New Service > Server Information > Location Affinity.

Select the AWS in the server field.

When Affinity Only is enabled, Affinity Weight is disabled; Affinity Weight is enabled only when Affinity Only is disabled.

Server Monitoring

When adding a new service in A10 HarmonyTM Controller, you can configure out-of-band monitoring of application servers where A10 HarmonyTM Controller probes actively whether the application servers are active or not. You need to specify the monitoring protocol (TCP/HTTP, or secure TCP/HTTP connections), monitoring interval, and timeout.

Note

You can monitor the Application Server Health from the Dashboard.

Description of Fields

  • Monitor Protocol: You can set the protocol over which A10 HarmonyTM Controller provides application server monitoring. The protocol can be TCP or Http. For secure monitoring, use SSL over TCP or Http options.
  • Monitor URL: When you select the monitor protocol such as Http or Https, you must also specify the Monitor URL. In this case, A10 HarmonyTM Controller probes the monitor URL specified. Note that this field is visible only when you select Http or Https.
  • Monitor Interval: The time (in seconds) for which the application server is probed and monitored.
  • Monitor Timeout: The time (in seconds) after which the monitoring probe should timeout, within the monitoring interval.

Server Limits

When you configure a new service in A10 HarmonyTM Controller, you can specify the required timeouts when requesting information from the application server or when getting a response from the application server.

Description of Fields

  • Close connection to server if cannot read for(seconds):

Here you can specify the time within which you want to close the connection to the application server if you cannot read the required information from the server within this specified time.

For example, suppose you have set this timeout value to 300 seconds. If you want to download information from the server, and if the task takes more than 300 seconds (say 500 seconds), your connection to the server closes in 300 seconds as the timeout value is 300 seconds. So you may increase this timeout value to 500 seconds so that your download is complete.

  • Close connection to the server if cannot write for(seconds):

Here you can specify the time within which you want to close the connection to the application server if you cannot write the required information on the server within this specified time.

For example, suppose you have set this timeout value to 300 seconds. If you want to upload information to the server, and if the task takes more than 300 seconds (say 500 seconds), your connection to the server closes in 300 seconds as the timeout value is 300 seconds. So you may increase this timeout value to 500 seconds so that your upload is complete.

SSL between Proxy and Server

Secure Sockets Layer (SSL) Certificates (also called digital certificates) can be enabled to establish a secure encrypted connection between A10 Harmony Controller and Application Servers. The SSL connection protects sensitive data exchanged during each session.

To enable SSL, you need to get an SSL Certificate that identifies you and install it on the application server. The use of an SSL certificate is usually indicated by a padlock icon in web browsers, but it can also be shown by a green address bar. Once you have done the SSL installation, you can access A10 Harmony Controller securely by changing the URL from Http:// to Https://. When an SSL certificate is installed on the application server, you can be sure that the information you enter is secure.

When you enable SSL in A10 Harmony Controller, following options are displayed. Click on the relevant help buttons to get more information on these options.

  • Validate Certificate
  • Option to choose SSL Versions
  • Option to choose Ciphers

Service Down Condition

When all the servers configured in a service are down (not functioning), the service is said to be down. A10 HarmonyTM Controller provides you three different options to account for this downtime:

Select the option to configure fall-back if all servers go down. To enable the options, do the following.

  • Use this service

Choose an existing service to which you can redirect the traffic when your service is down.

  • Send static content

Provide the response code and URL to which you can re-direct the traffic when your service is down.

  • Redirect to

Provide the redirect URL to which you can redirect the traffic when your service is down.

Backend Server Surge Protection

The Backend Server Surge Protection policy prevents the backend server from getting overloaded with indefinite traffic, which may cause the server to perform inefficiently. With this policy, the user can limit the traffic flow to the server and limit the keepalive time for a connection based on the values set. The two fields, Connection Keepalive Timeout and Maximum Number of Request Per Connection, allow the user to set the connection keepalive time and the maximum number of requests allowed in a connection. It is recommended to set the connection keepalive timeout value to “4”, which means that if the connection is idle with no requests coming in for 4 seconds, the connection is closed. Similarly, the user can set the maximum number of requests allowed per connection.

Activating and Deactivating a Service

Once you create a service, you need to activate the service so that the ADS passes traffic through the application servers configured within the service.

The default service is activated once the cluster association is completed. New services, when created, have to be activated for the traffic to pass through. A service can be deactivated using the disable icon.

Activating a New Service

Follow the steps below to Add a New Service and Activate the Service:

  1. From the Services screen, click ADD NEW SERVICE and, in the next screen, configure a new service.
_images/image1.13.png
  2. Click the Activate button to enable the service.

Deactivating a Service

To deactivate a service, click on De-activate button and then select De-activate option.

Smart Flow

Default SmartFlow

When you create a new service, a default SmartFlow is created with the traffic condition(s) defined in the service.

Adding a SmartFlow

A new smart flow is created when policy configuration is required for a different smart flow condition. In this case, a request from the client will hit the smart flow if the condition matches. When multiple smart flows are created, they can be reordered as required.

SmartFlow Configuration

Follow the below steps to configure a SmartFlow:

  1. Click Tenant > Tenant Name > Edit Configuration > Application > Services
_images/image1.31.png
  2. Click Add a SmartFlow and provide the Smartflow Service details as below.
_images/image1.37.png
  3. Set the Smartflow conditions in the respective fields.

SmartFlow Conditions

List below describes the SmartFlow conditions:

  • URL Path: Enter the URL path value.
  • Header: Enter the header parameter name and value.
  • Cookie: Enter the header parameter name and value.
  • Query Parameter: Enter the query parameter name and value to present in the query string in a GET request.
  • Scheme: Select the scheme as Http or Https.
  • Method: The Http method on which this request is made. There are 4 Http methods; they are GET, POST, PUT, and DELETE.
  • Port: Enter the port value.
  • POST Body Parameter: Enter the POST Body Parameter value in the POST Request.
  • Country: The country code for the client network. This code is a two letter or three letter code or full name of the country.
  • Network: Network IP Address of the client network.
  • Allow Traffic - If the smart flow condition matches, the policies configured will be applied if this is enabled
  • Redirect Traffic to - If the smart flow condition matches, the traffic will be redirected [temporarily or permanently] to the URL specified
  • Deny all Traffic - If the smart flow condition matches, all the requests will be denied with no response or the desired message entered by the user
  • Device Type - User can select from the device types available in the drop-down as logical conditions and configure policies accordingly to create a new smart flow.
  • Client OS - User can select from the available OS in the drop-down as logical conditions and configure policies accordingly to create a new smart flow.
  • Browser - Users can select the browsers available in the drop-down and set policies to create a new smart flow.
  • Browser Version - User can enter the browser version as condition and set policies to create a new smart flow. Logical Operators AND OR can also be used to combine multiple conditions such as browser AND browser version and form a single final service condition.
  • Client Authentication -

SmartFlow Actions

Configuring Action Policy Rules

You can specify rules or action policies that return custom content to the user (for example, an alias response code) for the response codes coming from the application server. This enhances the user experience. For example, if you want to hide a particular response code from the user, you can specify an alias code in the action policy configured in the A10 Lightning ADC, so that the user sees the alias code instead of the response code that you want to hide. In the action policy rules, you can do these tasks:

  • Set up alias response codes or alias response URLs that the A10 Lightning Application Delivery Controller should provide the user, for the response codes coming from the Application server.
  • Redirect the user to a redirect URL

Activating and Deactivating a SmartFlow

Whenever a new smart flow is created, it needs to be activated [using the enable/disable button]. In the case of multiple smart flows, if one is deactivated the traffic will hit the one which is below in order.
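How ordered SmartFlows with AND/OR conditions decide a request, and what deactivating or reordering one changes, as an added sketch that is not A10's implementation. The condition encoding, the prefix match for URL Path, and all flow names and addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass


def matches(cond, req):
    """Evaluate a condition tree: ("and"|"or", c1, c2, ...) or a leaf condition."""
    kind = cond[0]
    if kind == "and":
        return all(matches(c, req) for c in cond[1:])
    if kind == "or":
        return any(matches(c, req) for c in cond[1:])
    if kind == "url_path":   # assumption: the value is matched as a prefix
        return req["path"].startswith(cond[1])
    if kind == "method":
        return req["method"].upper() == cond[1]
    if kind == "scheme":
        return req["scheme"] == cond[1]
    if kind == "header":     # request header names are stored lower-cased
        return req.get("headers", {}).get(cond[1].lower()) == cond[2]
    if kind == "network":
        return ipaddress.ip_address(req["client_ip"]) in ipaddress.ip_network(cond[1])
    raise ValueError(f"unknown condition type: {kind}")


@dataclass
class SmartFlow:
    name: str
    condition: tuple
    action: str              # "allow", "deny" or "redirect"
    enabled: bool = True


def route(req, flows):
    """First enabled flow whose condition matches decides the request."""
    for flow in flows:
        if flow.enabled and matches(flow.condition, req):
            return flow.name, flow.action
    return None, "no-match"


def sample_flows():
    """Constructed policy: /admin only from one network, everything else allowed."""
    return [
        SmartFlow("admin-from-office",
                  ("and", ("url_path", "/admin"), ("network", "203.0.113.0/24")),
                  "allow"),
        SmartFlow("admin-deny", ("url_path", "/admin"), "deny"),
        SmartFlow("default", ("url_path", "/"), "allow"),
    ]


if __name__ == "__main__":
    outside = {"path": "/admin/users", "method": "GET",
               "scheme": "https", "client_ip": "198.51.100.20"}
    flows = sample_flows()
    print(route(outside, flows))   # decided by admin-deny
    flows[1].enabled = False       # deactivate the deny flow
    print(route(outside, flows))   # now falls through to default
```

Because evaluation is first-match, deactivating a deny flow silently hands its traffic to the next matching flow, so review the flows below it before disabling one.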

Traffic Manipulation Policies

URL Rewrite

The URL Rewrite policy helps you to rewrite complex URLs into user-friendly and search-friendly URLs without changing the page structure.

Configuring URL Rewrite Policy

After rewriting the URL, do the following: choose an option from the After Rewrite drop-down box. These options are used to apply specific rules to rewritten URLs. Enable the policy using the Enable button. Finally, enable the Case Insensitive button, which allows the server to ignore case in rewritten URLs.

_images/image1.17.png

Response Body Rewrite

You can control the display of text, headers and error code to web page visitors by using Body Rewrites function.

Configuring Body Rewrites Policy

Enter the Regex or String value in the field named Match. Enter a new string value or Regex in the Replace With field, and click the Enable button. Optionally, enable the Case Insensitive button.

_images/image1.18.png

Header Rewrite

HTTP rewriting is the technique which allows the proxy to change content on the fly while . We can add, delete, or rewrite request and response headers. The following headers are configured by default in the smart flows:

  • X-Forwarded-For adds the server IP
  • X-Forwarded-Proto adds the scheme
  • X-Forwarded-Port adds the server port
_images/image1.19.png

Cross-Origin Resource Sharing(CORS)

In A10 HarmonyTM Controller, you can specify a Cross-Origin Resource Sharing (CORS) policy which includes Http headers to allow communication between pages from different origins. You may want to enable CORS policy only if you have such a use case.

_images/image1.20.png

Specifying Allowed Domains

Here, you need to define the domains allowed to share resources with your servers. Specify each one as a base URL, where the wildcard (*) denotes all subdomains. Only GET and POST methods are allowed. For example, specifying https://*.example.com in the policy allows any page from any subdomain of example.com to share a resource with your server over Https. You can specify more than one base URL by pressing the + Add More option.
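How a request's Origin header can be checked against allowed base URLs with a subdomain wildcard, as an added sketch that is not A10's implementation. The function names are hypothetical, and the choices that the wildcard covers subdomains at any depth but not the bare domain, and that scheme and port must match exactly, are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED_METHODS = {"GET", "POST"}   # the policy allows only these methods


def _parse(url):
    """Return (scheme, host, port) for a bare origin, or None if malformed."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An origin carries no path, query, fragment or credentials.
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    return parts.scheme, parts.hostname.rstrip("."), port or DEFAULT_PORTS[parts.scheme]


def origin_allowed(origin, allowed):
    """True if origin matches one of the allowed base URLs."""
    o = _parse(origin)
    if o is None:
        return False
    scheme, host, port = o
    for entry in allowed:
        p = _parse(entry)
        if p is None or (p[0], p[2]) != (scheme, port):
            continue
        pattern = p[1]
        if pattern.startswith("*."):
            suffix = pattern[1:]     # ".example.com", dot included
            # Matching on the dot-prefixed suffix keeps look-alike
            # registrations such as "evilexample.com" out.
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


def cors_headers(origin, method, allowed):
    """Response headers to add for this request; empty when CORS is refused."""
    if method.upper() not in ALLOWED_METHODS or not origin_allowed(origin, allowed):
        return {}
    # Echo the one matching origin and tell caches that the answer varies by it.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    allowed = ["https://*.example.com"]          # the entry from the text
    for candidate in ("https://app.example.com",     # constructed samples
                      "https://evilexample.com",
                      "http://app.example.com",
                      "null"):
        print(candidate, origin_allowed(candidate, allowed))
```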

Returning custom response

You can specify rules or action policies that return custom content to the user (for example, an alias response code) for the response codes coming from the application server. For instance, if you want to hide a particular response code from the user, you can specify an alias code in the action policy configured in the A10 Lightning ADC, so that the user sees the alias code instead of the response code that you want to hide. When the Allow merging of Rules option is enabled, the Return custom content security policies set at the Application level are merged with the Action policies settings. When the Allow merging of Rules option is disabled, the policies set under Action policies hold good for Smartflow traffic. If Action policies are disabled, the Return custom content settings hold good for application traffic by default.

_images/image1.21.png

Traffic Optimisation Policies

Compression

The compression policy is used to deliver content or data faster by reducing the amount of data that is transferred. The speed of data transfer increases with data compression. While defining the compression policy, you just need to provide the minimum size you want to compress and the type of content to be compressed. The minimum compression size is an integer value measured in bytes, and the type of content to be compressed can be plain text/HTML or just plain text.

Follow the steps below to configure a compression policy in A10 HarmonyTM Controller:

  1. In A10 HarmonyTM Controller window click Tenant > Tenant Name > Edit Configuration > Services > Add a Smart Flow.
  2. Select Performance under Policies and then select Compression. Enter a number in the Min Compressible Size (bytes) box. This number specifies the minimum file size for compression. Compress any text or application content by choosing any one of the options as listed in Content types.
  • text/html
  • text/plain
  • text/css
  • application/json
  • application/xml
  • application/javascript
_images/image1.23.png

Viewing the Compression Policy Metrics

You can use Analytics > Metrics menu to see the compression policy metrics for a selected service. Browse through the charts to see the Compression policy-related metrics.

_images/compression-policy.png

Caching

Caching reuses information stored earlier to respond to a client request, which reduces the data traversing the network and decreases response times.

Note

HTML pages are cached automatically, hence, activating this function will not impact transmission of such pages.

Viewing the Caching Policy Metrics

You can use Analytics > Metrics menu to see the Caching policy metrics for a selected service. Browse through the charts to see the Caching policy-related metrics.

_images/caching-metrics.png

PageSpeed

Page Speed policy accelerates delivery of both HTML and non-HTML pages.

Note

HTML pages are delivered faster even without Page Speed because of Caching.

The surge queue trend graph is viewed from Analytics > Metrics menu.

_images/image63.png

This chart shows the pending requests from clients (queued within the surge queue) plotted against the number of claims or request count.

Blue/Green Deployments

A popular DevOps use case for A10 HarmonyTM Controller is automating Blue/Green deployments to enable continuous delivery with zero downtime. Use A10 HarmonyTM Controller to set traffic steering policies for inbound traffic across old (blue) and new (green) deployments while both environments remain online. Monitor blue and green server behavior and health metrics to adjust traffic steering rules in real-time. A10 HarmonyTM Controller improves productivity by providing a unified view of the entire Blue/Green deployment process.

_images/image_Blue-GreenDeploymentDiagram_NEW.png

A10 HarmonyTM Controller supports Blue/Green deployments and precise traffic steering between the different releases. Blue/Green deployment is a powerful technique for directing traffic between old (blue) and new (green) deployments while both environments remain online.

A10 HarmonyTM Controller allows its customers to define and manage a split traffic rule for their Blue/Green deployments. That is, customers can specify the IP addresses for their blue and green versions and control what portion of the live production traffic should be directed to which deployment. You can choose a simple percentage split or create a split rule based on anything in HTTP request object, such as a geographic region.

Another advantage is that the A10 HarmonyTM Controller customers gain precisely targeted phased rollouts without any effort on the development side, using Blue/Green deployment. Set and change the traffic split rule from the A10 HarmonyTM Controller user interface, where you can also monitor health and success metrics for both deployments. Drive more traffic to the green implementation when the confidence in the green release increases. If problems arise, direct all the traffic back to the blue release.

Here is the workflow for a typical Blue/Green deployment:

_images/image52.png

Configuring Blue-Green deployment in A10 HarmonyTM Controller

Follow the below steps to configure Blue/Green deployment in A10 HarmonyTM Controller:

  1. From the A10 HarmonyTM Controller screen, select Tenant > Tenant Name > Edit Configuration > Blue/Green. The following settings screen is displayed; select Configure a Blue/Green Deployment.
_images/image1.24.png
  2. Choose an existing service; this is marked as the Blue service. At the same time, a clone is created, which is characterized as the Green service.
_images/image1.25.png
  3. Select Next configure Green Service. The screen to configure Green service deployment is displayed.

Enter the following details in the screen below:

  • Service name: Enter the blue-green service name with a maximum of 30 characters.
  • Description: Enter a description for the service.
  • Direct a set percentage traffic to Green Service: Enter the integer value of the percentage of traffic that you want to direct to Blue Service and Green Service.
  • Mirror Traffic (Only GET requests): All the requests that hit green will be mirrored to blue service.
  • Direct traffic to Green service based on condition: Enter a service condition, and based on this condition the traffic will be redirected to the Green service.
_images/image1.26.png
  1. Select Next select servers for Green. The Add Servers for Green Service screen is displayed.

You can add the servers manually by entering the IP Address and Port number.

_images/image1.27.png

(Or) choose the servers from Blue service.

Select Save Blue/Green deployment to save the deployment. The blue-green service is visible from the Tenant > Tenant Name > Edit Configuration > Services tab. You can also edit the service from this tab.

Security Configuration

Cloud security breaches are becoming an increasing threat with the unprecedented pace at which the Cloud Service Delivery Model is being adopted by businesses and governments. Although shifting to cloud technologies is affordable and fast, businesses are increasingly vulnerable to security breaches and are ill-equipped to counter the sophisticated security threats that can bring the infrastructure down and expose business-critical and sensitive data. Hence, it becomes increasingly important for organizations to have real-time insights into application traffic and have strong security policies and controls in place to counter these attacks.

This diagram shows the major concerns in cloud security: Data Privacy and Data Loss.

_images/image810.png

The Security Policies in A10 HarmonyTM Controller provide you with advanced techniques to control server response, prevent threats, and protect sensitive information. You can configure the application security policies and configurations in A10 HarmonyTM Controller from the Security tab in the Settings page, and the Security Policies tab in a SmartFlow.

Application Layer Data Theft Protection (WAF)

A10 HarmonyTM Controller Web Application Firewall (WAF) is an elastic service for application security with pre-configured rule sets and one-click provisioning. WAF helps defend against malicious activity, web attacks, and application attacks.

Inbound and Outbound Traffic Inspection by WAF

The figure below explains how WAF is deployed in the network traffic to perform inbound and outbound traffic inspection. Some attacks (for example, malware, web shells, backdoors, and so on) are detected in the response traffic, and the rest (for example, application attacks) are detected in the request traffic.

_images/WAF.png

The cloud-specific WAF configured in the Lightning Application Delivery Controller provides real-time protection against application vulnerability attacks on a per application basis.

The A10 HarmonyTM Controller architecture provides the added advantage that when new A10 Lightning ADCs come up in your application infrastructure, the A10 Lightning ADCs can share the same WAF configurations. The elastic WAF service scales to ensure that sufficient resources are available to process the incoming traffic. Hence you need not re-configure WAF for each new A10 Lightning ADC added to the deployment. The application security policies (including the WAF policy) scale up as the application infrastructure expands.

The single pass integrated execution for WAF, load balancing, and other application delivery directives minimizes latency across the data plane. In A10 HarmonyTM Controller, security policies can be quickly enabled in the Cloud Services Controller (CSC) and changes are propagated to all A10 Lightning ADCs in an A10 Lightning ADC cluster. This way, an attack can be quickly mitigated.

The figure below shows a typical WAF deployment scenario in the A10 Lightning ADCs. WAF inspects incoming traffic and lets legitimate traffic flow through it.

_images/image276.png

Note

When configured in the Active mode, WAF blocks all malicious traffic based on the generic or application protection configurations. In Passive mode, WAF provides a warning to the user and lets all traffic (including malicious traffic) pass through it. See Configuring Web Application Firewall for more information.

One-Click Provisioning

Web Application Firewall (WAF) provides simpler provisioning of application-specific rules for modern web applications and safeguards cloud applications with higher levels of security and compliance. Provisioning and updating security rules for the broad range of applications used by enterprises is incredibly complex and poses an ongoing challenge for IT teams. A10 HarmonyTM Controller significantly decreases the time required to provision by providing a one-click rule set which instantly deploys thousands of preconfigured rules to secure popular applications against known threats immediately.

A10 HarmonyTM Controller WAF includes preconfigured rule sets that protect against top common vulnerabilities (such as SQL injection and Cross-site scripting), and specific attack vectors in popular Web Applications like Microsoft SharePoint, Outlook Web Access, WordPress, Joomla, and others. This capability takes the guesswork out of determining what security controls are essential for each application, reduces false positives, and reduces the time for deploying application security to seconds.

Note

See Configuring Web Application Firewall and Configuring Application Security WAF Policy for more information on WAF configuration.

Additionally, the WAF provides daily automatic ruleset updates, reducing the risks from emerging attack vectors and minimizing the occurrence of false-positive vulnerability reports.

Inheriting WAF Security Policy

The WAF security policies can be applied at the Global/Application level as well as at the Smartflow level. Policies applied at the Application level can be inherited by Smartflow Application Security. At the Smartflow level, the user can choose from three application security policy settings: Inherited, Enable, and Disable. To inherit the same security policies as the Global level, choose the Inherited option. To customize the security policies at the Smartflow Application Security level, select the Enable option. Choose the Disable option to disable the policy.

The figure below shows the Security policy option available at Application level:

_images/image2.31.png

The figure below shows the Security policy options available at Smartflow level:

_images/image2.30.png

WAF Operation Modes

WAF has two exclusive modes of operation:

Active mode: In Active Mode, WAF prevents common threats from reaching the application server based on the configurations in this mode.

Passive mode: In Passive Mode, WAF allows malicious traffic to pass through but with a warning to the IT administrator. In other words, in this mode, WAF raises alerts when threats are detected but does not block the threats.

_images/image1231.png

You can create custom alerts using Harmony Controller alert functionality.

Configuring WAF Operation Modes

Follow the steps below to configure WAF policies in Generic Protection Mode in A10 HarmonyTM Controller:

  1. In the A10 HarmonyTM Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow
_images/image2.0.png
  2. In the edit SmartFlow screen, under policies click Security Tab > Application Security. Then select an option to Enable, Disable, or Inherit the policies at SmartFlow level.
  • Enable: Enables the Application Security at SmartFlow level.
  • Disable: Disables the Application Security at SmartFlow level.
  • Inherited: Inherits the default security policies set at the Application level for the SmartFlow traffic.
_images/image2.1.png
  3. Set the WAF policies for Generic Protection Mode.
_images/image2.2.png

WAF Protection Modes

There are two types of WAF protection modes.

  1. Generic Protection Mode

Most common forms of threats, such as SQL Injection and Cross-Site Scripting, are prevented in this protection mode.

  2. Application Protection Mode

Specific application types with known vulnerabilities are protected. There is also an option to disable the protection mode in WAF.

Generic Protection Mode

Perform the steps below to configure WAF policies in A10 HarmonyTM Controller in the Generic Protection Mode:

  1. In the A10 HarmonyTM Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow
  2. In the edit SmartFlow screen, under policies click Security Tab > Application Security. Enable Application Security policy by clicking the Enable button. Select Active WAF Mode by choosing Active radio button.
_images/image2.2.png

Select the Protection Mode as Generic. From the generic attack categories listed on the screen, select the ones that should be identified and blocked.

  • SQL Injection: Hackers inject SQL commands to access or delete database information.
  • Cross-Site Scripting (XSS): Attackers introduce client-side scripts in web pages to bypass access controls and bring down applications and websites.
  • Remote Command Execution: Attackers use a breached application to execute arbitrary commands on the host’s operating system.
  • Remote File Inclusion (RFI): This involves using remote files located on the server to launch an attack.
  • Local File Inclusion (LFI): This involves using local files located on the server to launch an attack, instead of remote files.
  • Broken Session Management

By default, Cross-Site Scripting and SQL Injection attacks are selected. You can select multiple categories using the Ctrl key or select all groups using the Ctrl + A key combination.

Application Protection Mode

Perform the steps below to configure WAF policies in A10 HarmonyTM Controller in the Application Protection Mode:

  1. In the A10 HarmonyTM Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow
  2. In the edit SmartFlow screen, under policies click Security Tab > Application Security. Enable Application Security policy by clicking the Enable button. Select Active WAF mode by choosing Active radio button.
_images/image2.3.png

Select the Protection Mode as Application. The Application Types are listed on the screen. Select the Application Types that should be protected from threats using WAF.

IP Reputation

IP Reputation-based Traffic Filtering

To prevent geographically distributed DoS attacks, which can span multiple networks, A10 HarmonyTM Controller WAF provides an IP Reputation-based filter that can be applied to applications in different geographic regions or collections of regions.

IP addresses can be filtered based on the following categories:

  • TOR Exit Nodes: The IP addresses that are identified as TOR nodes.
  • Malicious Attack Sources Identified from Web Honeypots: Filter IP addresses of malicious sources identified from web honeypots.

When malicious IP addresses are identified with the IP Reputation-based filter, WAF blocks these attacks and records attack-related information in the logs.

Configuring IP Reputation

Perform the steps below to configure IP Reputation-based traffic filtering in A10 HarmonyTM Controller:

  1. In the A10 HarmonyTM Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow (the Pencil icon)
  2. In the edit SmartFlow screen, under policies click Security Tab > Application Security. To enable IP Reputation, check the box next to it, as shown on the screen. And then, save the security policy.
_images/image2.4.png

Block Sensitive Data

When the Block Sensitive Data WAF policy is enabled, A10 HarmonyTM Controller blocks certain patterns from being captured by intruders who are trying to attack or capture such data. For now, this policy is designed to prevent sensitive data, such as credit card or debit card numbers, from being exposed to outsiders.
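
One way a response-side check for card numbers can work, shown as an added example (not A10's code): candidate numbers in an outbound body are confirmed with the Luhn checksum before being masked, so arbitrary 16-digit identifiers are left alone. The function names, the masking behaviour and the sample body are assumptions constructed for illustration; the page only states that the policy blocks such data.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run. This is only a candidate filter.
CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card_numbers(body: str):
    """Return (masked_body, hits).

    Only Luhn-valid candidates are masked (assumed behaviour); the last four
    digits are kept so a card can still be matched by support staff.
    """
    hits = 0

    def repl(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # e.g. an order id: leave untouched
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return CANDIDATE.sub(repl, body), hits


# Constructed response body. 4111 1111 1111 1111 is a widely used test number;
# the order id has the same length but fails the checksum.
SAMPLE_BODY = (
    '{"order":"1234567890123456","card":"4111 1111 1111 1111",'
    '"backup":"4111-1111-1111-1111","phone":"555-0100"}'
)

if __name__ == "__main__":
    masked, hits = mask_card_numbers(SAMPLE_BODY)
    print(hits, masked)
```

The checksum step is what keeps false positives down: without it, every long order or tracking number in a response would be treated as card data.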

Webshell/Backdoor Detection and Prevention

There are many methods attackers employ to upload Web shell backdoor code onto compromised web servers, including Remote File Inclusion (RFI), the WordPress TimThumb Plugin, and even non-web attack vectors such as stolen FTP credentials. Web shells can be written in any language that a server supports; some of the most common are PHP and .NET languages. These shells can be extremely small, needing only a single line of code, or can be fully featured with thousands of lines. Some are self-sufficient and contain all required functionality, while others require external actions or a “Command and Control” (C&C) client for interaction. When the shell is installed, it will have the same permissions and abilities as the user who put it on the server. A10 HarmonyTM Controller can identify if a client is accessing a web shell/backdoor resource on your website/application by inspecting outbound HTTP data.

The A10 HarmonyTM Controller implementation drew on thousands of captured web shells to develop custom detection rules, including detections for:

  • C99 Shell
  • R57 Shell
  • WSO
  • PHP Shell
  • Stun Shell
  • JCE File Upload Shell
  • Basic File Uploader

A10 HarmonyTM Controller can detect and block any web shells/backdoors in your application.

Configuring Web shell

Perform the steps below to configure Web shell/Backdoor Detection in A10 HarmonyTM Controller:

  1. In the A10 HarmonyTM Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow (the Pencil icon)
  2. In the edit SmartFlow screen, under policies click Security Tab > Application Security. To enable Web shell, check the box next to it, as shown in this screen. And then, save the security policy.
_images/image2.5.png

Botnet Attack Detection and Protection

Attackers build networks of infected computers, known as botnets, by spreading malicious software through emails, websites, and social media. Once infected, these machines can be controlled remotely, without their owner’s knowledge, and used as an army to launch an attack against any target. Botnet attacks attempt to execute botnet code on the server to spread infection.

Botnets can generate huge floods of traffic to overwhelm a target. These floods can be produced in multiple ways, such as sending more connection requests than a server can handle or having computers send the victim massive amounts of random data to use up the target’s bandwidth.

Enabling Botnet Protection at Layer 7 (Application Layer)

Perform the steps below to enable Botnet Protection in A10 HarmonyTM Controller:

  1. In the A10 HarmonyTM Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow (the Pencil icon)
  2. In the edit SmartFlow screen, under policies click Security Tab > Application Security. To enable Botnet, check the box next to it, as shown in this screen. And then, save the security policy.
_images/image2.6.png

BOT Protection

A bot attack is an unwanted request or set of requests originating from a bad BOT client to your network. Bad bots consume bandwidth, slow down your server, steal your content, and look for vulnerabilities to compromise your server.

An Internet Relay Chat (IRC) bot is a set of scripts or an independent program that connects to IRC as a client and so appears to other IRC users as another user. An IRC bot differs from a regular client in that instead of providing interactive access to IRC for a human user, it performs automated functions. A10 HarmonyTM Controller can detect and alert on standard attacks originating from IRC Bot clients.

A10 HarmonyTM Controller looks at the URL, parameters, user agent, and, in some cases, the request body to detect a botnet attack. In particular, it checks the following categories to detect a dangerous Bot attack:

  • Common IRC Botnet attack command string
  • Common types of Remote File Inclusion (RFI) attack methods
  • URL Contains an IP Address
  • The PHP “include()” Function
  • RFI Data Ends with Question Mark(s) (?)
  • PHP Injection attack
  • RPC PHP Injection attack
  • SQL Injection attack
  • Local File Inclusion ENV Attack in User-Agent
  • e107 PHP Injection attack
  • XML-RPC PHP Injection attack
  • OsCommerce File Upload attack
  • Oscommerce File Disclosure and Admin ByPass
  • Zen Cart local file disclosure vulnerability
  • Opencart Remote File Upload Vulnerability
  • e107 Plugin my_gallery Exploit
  • Local File Inclusion attack (https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)

Configuring protection against bad BOTs

A10 HarmonyTM Controller subscribes to the IP reputation list as well as the user-agent reputation list for identifying known bad BOTs. It eliminates the traffic from bad BOTs, enhancing the performance of your application servers.

Analytics on BOT Protection

You can use the dashboard (Analytics > Dashboard) to get more insights on BOT Protection.

For example, you can view the percentage of BOTs in the total number of threats detected in the Top Threats pie diagram in the Dashboard.

_images/image80.png

Note

See Application Security Analytics and Insights section for more information.

Malware Protection

Web-based Malware is a growing threat to today’s Internet security. Attacks of these types are very prevalent in a cloud and lead to serious security consequences. Millions of malicious URLs are used as distribution channels to propagate malware all over the Web. After being infected, victim systems fall in control of attackers, who can utilize them for various cyber crimes such as stealing credentials, spamming, and distributed denial-of-service attacks. Moreover, it has been observed that traditional security technologies such as firewalls and intrusion detection systems have only limited capability to mitigate this issue.

A10 HarmonyTM Controller provides Web-based Malware detection by inspecting HTTP response. The Malware Detection checks the response data for malicious code aimed at attacking clients.

Payloads are matched against:

  • Location Response Headers that redirect users to malware sites
  • Response Body Payloads that may contain off-site links (scripts and iframes) or full payloads

A10 HarmonyTM Controller identifies Web-based Malware in many categories including:

  • Drive-by-Download URLs
  • Malicious Redirect URLs
  • Malicious JS Payloads
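
The response inspection described above, as an added example (not A10's code): the Location header and the `src` of every script and iframe in the body are resolved against the site and checked against a reputation list. The function names, the finding labels, the list contents and the sample response are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class SourceCollector(HTMLParser):
    """Collects the src of every <script> and <iframe> in a response body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def is_listed(host, bad_hosts):
    """True if the host or any parent domain is on the reputation list."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in bad_hosts for i in range(len(labels) - 1))


def off_site_host(site_host, url):
    """Resolve url (relative, protocol-relative or absolute) against the site
    and return its host only when it points somewhere else."""
    host = urlsplit(urljoin("https://%s/" % site_host, url)).hostname
    return host if host and host != site_host else None


def inspect_response(site_host, headers, body, bad_hosts):
    """Return a list of (finding, host) tuples for one HTTP response."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location")
    if location:
        host = off_site_host(site_host, location)
        if host and is_listed(host, bad_hosts):
            findings.append(("malicious-redirect", host))
    collector = SourceCollector()
    collector.feed(body)
    collector.close()
    for tag, src in collector.sources:
        host = off_site_host(site_host, src)
        if host and is_listed(host, bad_hosts):
            findings.append(("off-site-" + tag, host))
    return findings


# Constructed reputation list and response; all hosts are placeholders.
BAD_HOSTS = {"malware-drop.example", "evil-redirect.example"}
SAMPLE_HEADERS = {"Location": "https://evil-redirect.example/go"}
SAMPLE_BODY = (
    '<html><script src="/static/app.js"></script>'
    '<script src="//cdn.malware-drop.example/x.js"></script>'
    '<iframe src="https://partner.example/widget"></iframe>'
    '<IFRAME SRC="http://MALWARE-DROP.example/landing" width=0 height=0></IFRAME>'
    "</html>"
)

if __name__ == "__main__":
    for finding in inspect_response("shop.example", SAMPLE_HEADERS, SAMPLE_BODY, BAD_HOSTS):
        print(finding)
```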

Configuring Web-based Malware Detection

Perform the steps below to enable Web-based Malware Detection in A10 HarmonyTM Controller:

  1. In the A10 HarmonyTM Controller screen click on Tenant > Tenant Name > Edit Configuration > Services > Edit SmartFlow (the Pencil icon)
  2. In the edit SmartFlow screen, under policies click Security Tab > Application Security. To enable Web-based Malware Detection, check the box next to it, as shown in this screen. And then, save the security policy.
_images/image2.7.png

Cross-Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) is one of the most common web application attacks. CSRF occurs when a malicious website, email, blog, or any other program causes the user’s browser to perform an undesired function on a trusted site for which the user is currently authenticated. The request from the browser includes any information associated with the browser session or website, such as a cookie, passwords, and so on. A Cross Site Request Forgery (CSRF) attack occurs when the user is authenticated to the site, or when the user clicks on a malicious link, button or any malicious HTML element.

To counter such attacks, A10 HarmonyTM Controller implements a defense mechanism against CSRF by including a hash element in the form submitted by a user. If an attacker wants to access the submitted form, they need to know the unique key used to create the hash. For added protection, the hash key generated is unique to each user session, which makes its value difficult for the attacker to predict and so prevents CSRF attacks. The CSRF security feature can be enabled either at the Application level or at the SmartFlow level, by inheriting the default security policies set at the Application level or by enabling Application Security at the SmartFlow only.

When enabling CSRF, the form action URLs that need to be protected are an input parameter. A10 Lightning ADC looks at the responses and adds a hash to all the forms for which the action URL matches the configured URL. It inspects the requests, and if the request URL matches the configured form action URL, it verifies the hash value in the request. If the value is not present or is incorrect, then the request is blocked.

Configuring Cross Site Request Forgery (CSRF)

Perform the steps below to enable CSRF in A10 HarmonyTM Controller at the Application level:

  1. In the A10 HarmonyTM Controller screen click on Tenant > Tenant Name > Edit Configuration > Application > Security > Application Security
  2. In the Application Security screen, enable CSRF by checking the box next to it, as shown in this screen. Then save the security policy.
_images/image2.28.png

Function Level Access Control

Function level access control attacks can result from the inadequate security of sensitive request handlers within an application. An application may only hide access to sensitive actions, fail to enforce sufficient authorization for certain activities, or inadvertently expose an action through a user-controlled request parameter. These attacks can be much more complex and be the result of subtle edge cases in the underlying application logic.

A10’s Function Level Access Control feature eliminates such attacks by adding a signature to all the links found in Href, Form action, Iframe source, Frame Source, and the Location Response Header. If a signature mismatch is identified, the request is not allowed to proceed, thus eliminating Function Level Access Control attacks.

When enabling Function Level Access Control, the form action URLs that need to be protected are an input parameter. A10 Lightning ADC looks at the responses and adds a hash to all the forms for which the action URL matches the configured URL. It inspects the requests, and if the request URL matches the configured form action URL, it verifies the hash value in the request. If the value is not present or is incorrect, then the request is blocked.
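
The hash scheme described for CSRF and repeated here for Function Level Access Control, sketched as an added example (not A10's implementation): the response path adds a per-session hash to protected forms and links, and the request path blocks a protected URL whose hash is missing or wrong. The parameter name `_adc_hash`, the use of HMAC-SHA256 over the URL path, and the regex-based rewriting of simple double-quoted attributes are assumptions.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlsplit

HASH_FIELD = "_adc_hash"  # hypothetical name; the page does not name the field

FORM_TAG = re.compile(r'<form\b[^>]*\baction="([^"]*)"[^>]*>', re.IGNORECASE)
# Same-site links without query string or fragment, to keep the sketch short.
A_HREF = re.compile(r'(<a\b[^>]*\bhref=")(/[^"?#]*)(")', re.IGNORECASE)


def new_session_key() -> bytes:
    """Key generated once per user session, so hashes differ between sessions."""
    return secrets.token_bytes(32)


def url_hash(session_key: bytes, path: str) -> str:
    """Hash bound to both the session key and the protected URL path."""
    return hmac.new(session_key, path.encode("utf-8"), hashlib.sha256).hexdigest()


def rewrite_response(html: str, session_key: bytes, protected: set) -> str:
    """Response path: add the hash to every form and link whose URL is configured."""

    def form_sub(m):
        path = urlsplit(m.group(1)).path
        if path not in protected:
            return m.group(0)
        hidden = '<input type="hidden" name="%s" value="%s">' % (
            HASH_FIELD, url_hash(session_key, path))
        return m.group(0) + hidden

    def href_sub(m):
        path = m.group(2)
        if path not in protected:
            return m.group(0)
        return "%s%s?%s=%s%s" % (
            m.group(1), path, HASH_FIELD, url_hash(session_key, path), m.group(3))

    return A_HREF.sub(href_sub, FORM_TAG.sub(form_sub, html))


def check_request(path: str, params: dict, session_key: bytes, protected: set) -> bool:
    """Request path: unprotected URLs pass; protected ones need a present,
    correct hash. Returns False when the request should be blocked."""
    if path not in protected:
        return True
    supplied = params.get(HASH_FIELD)
    if not supplied:
        return False
    expected = url_hash(session_key, path)
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


# Constructed page and configuration.
PROTECTED = {"/transfer", "/account/delete"}
PAGE = (
    '<a href="/account/delete">Delete</a>'
    '<form method="post" action="/transfer"><input name="amount"></form>'
    '<a href="/help">Help</a>'
)

if __name__ == "__main__":
    key = new_session_key()
    print(rewrite_response(PAGE, key, PROTECTED))
    print(check_request("/transfer", {"amount": "10"}, key, PROTECTED))  # no hash
```

Because the key is per session, a hash copied from one user's page does not validate in another user's session, and a hash issued for one URL does not validate for a different one.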

Configuring Function Level Access Control

Perform the steps below to enable Function Level Access Control in A10 HarmonyTM Controller at the Application level:

  1. In the A10 HarmonyTM Controller screen click on Tenant > Tenant Name > Edit Configuration > Application > Security > Application Security
  2. In the Application Security screen, enable Function Level Access Control by checking the box next to it, as shown in this screen. Then save the security policy.
_images/image2.29.png

Dealing with False Alarms

The A10 HarmonyTM Controller Application Security Exceptions feature allows a user to create an exception for application security rules to handle false positives (requests that application security detects as an attack but that are not one). These false positives are blocked based on the conditions defined in the rules and many other parameters. If the user wants such requests to be allowed even though they look like a threat or attack, exceptions can be created to override a few of the conditions defined in a rule and allow them. The Application Security and Application Security Exceptions are two different policies. However, the exception policies can take precedence over the security policies set in A10 HarmonyTM Controller.

Creating Exception Rules

Follow the steps below to create an Application Security Exception:

  1. Click on Tenant > Tenant Name > Edit Configuration > Security > Application Security Exception
_images/image2.8.png
  2. Click Add Rule > Select Rule Type > Select a URL condition from the list > Select a Parameter from the list > Select an Apply Rule On condition
_images/image2.9.png

These exceptions can also be set up from Analytics > Logs, or from the Analytics > App Dashboard > Blocked Request > Logs screen.

SSL Termination

Secure Sockets Layer (SSL) provides your visitors and businesses with an additional layer of security in deployment scenarios.

Elastic SSL refers to auto-scaling of SSL operations (handshake plus bulk encryption/decryption) based on SSL traffic. A10 HarmonyTM Controller provides elastic SSL that ensures autoscaling of SSL resources with the increase in the user traffic to the site.

A10 HarmonyTM Controller offloads resource-intensive SSL encryption and decryption tasks to autoscaling Cloud Services Proxy servers that are adjacent but separate from your dedicated application servers. This efficient architecture enables consistently high throughput at any traffic level providing processing efficiency and cost savings.

In a typical A10 HarmonyTM Controller deployment, the Lightning Application Delivery Controller is delivered as an elastic, highly available, resilient cluster. The cluster autoscales to support variable workloads.

Use A10 HarmonyTM Controller’s elastic infrastructure to extend SSL capacity without changing your application code or web servers. Gain visibility into SSL traffic, behavior and potential attacks with A10 HarmonyTM Controller’s comprehensive application delivery analytics dashboards.

SSL between Client and Proxy

SSL Settings for an Application Domain

A10 HarmonyTM Controller accepts client requests for the domain names configured as application domains. When you onboard an application in A10 HarmonyTM Controller, an application domain is created by default (based on your application endpoint).

Follow the steps below to configure the SSL settings for an Application Domain(s):

  1. Click Tenant > Tenant Name > Edit Configuration on the A10 HarmonyTM Controller screen, from the drop-down list click Application.
  2. Click SSL Settings from the application settings screen.
_images/image2.10.png
  3. For each Application Domain (FQDN) provide the SSL Settings inputs if SSL is enabled on the A10 HarmonyTM Controller.
_images/image2.11.png

When you enable SSL in A10 HarmonyTM Controller, the following options are displayed:

Server Certificate Chain

For an SSL certificate to be trusted, the certificate must be issued by a Certificate Authority (CA) that is included in the trusted store of the connecting device. If a trusted CA did not issue the certificate, the connecting device (for example, the web browser) displays an error. However, if the certificate is issued by a trusted source, the connecting device establishes a secure and reliable connection. The list of certificates from the root certificate to the end-user certificate represents the SSL server certificate chain.

When entering the server certificate chain in the SSL settings for your application domain, you must include the certificate chain of your CA to ensure that you are providing the complete server certificate chain.

Server key

The private key of the application server which is required to validate the SSL Certificate.

Choosing SSL Versions

A10 HarmonyTM Controller uses TLS (Transport Layer Security), and SSL (Secure Sockets Layer) protocols for secure transmission of data between the A10 HarmonyTM Controller and Application servers.

You can select one or more TLS/SSL versions from this list.

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers in scenarios where the data is sent across an insecure network.

Note

The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is, in fact, the predecessor of the other: SSL 3.0 served as the basis for TLS 1.0.

Choosing Ciphers

A cipher is an algorithm used to encrypt and decrypt data. When a client initiates an SSL connection with a server, the client and server must agree on a cipher to use to encrypt information. In any two-way encryption process, both parties must use the same cipher. The cipher used depends on the current order of the cipher list kept by the server. The server chooses the first cipher presented by the client that matches a cipher in its list.

You can choose the supported cipher algorithms from the list for secure SSL connection between A10 HarmonyTM Controller and the application server.

Configuring SSL while adding Listening Ports

A10 HarmonyTM Controller listens for application traffic on the listening port. Before adding any Http2 or SSL port as a listener port, make sure that SSL is enabled.

To enable the listener port, go to the Application Settings screen and click Add Port/Listener. Here, enter the listening port number, choose SSL or Http2, and then click the Save button.

_images/image2.12.png

SSL between Proxy and Server

Secure Sockets Layer (SSL) Certificates (also called digital certificates) allow a secure encrypted connection to be established between A10 Harmony Controller and application servers, protecting the sensitive data exchanged during each session.

The SSL certificate provided must be from a trusted source for an application server to install it and enable the SSL connection. The SSL certificate is indicated by a padlock icon in web browsers, and also by a green address bar. On completion of SSL installation, A10 Harmony Controller can be accessed securely by changing the URL from http:// to https://, ensuring that the information you enter is secure over this session.

Follow the steps below to add a Service in A10 HarmonyTM Controller:

  1. Click Tenant > Tenant Name > Edit Configuration on the A10 HarmonyTM Controller screen, from the drop-down list click Services.
  2. Click ADD NEW SERVICE from the Services settings screen.
_images/image2.10.png
  3. The Add New Service window displays the following SSL settings.
_images/image2.14.png

Click on the relevant help buttons to get more information on these options; these options are displayed in the Add Service window if SSL is enabled.

Validate Certificate

Mark the check-box, if you want to enable SSL certificate validation.

The value of SSL is protected by a standard two-point validation process:

  1. Verify that the applicant owns, or has the legal right to use, the domain name featured in the application.
  2. Verify that the applicant is a legitimate and legally accountable entity.

Exposure Reduction

Header Rewrite

HTTP header rewrite rewrites the HTTP request or response headers of the content exchanged between a client and a server. It is often used to keep compatibility between old and new URLs, to turn user-friendly URLs into CMS-friendly ones, and so on. It is also used to mask the information leaked by the application servers in the HTTP headers. Attackers may use this leaked information to identify potential vulnerabilities and launch an attack.

Configuring Header Rewrite Policy

Follow the steps below to configure a rewrite policy for an HTTP header rule in A10 HarmonyTM Controller: To edit the default Smart Flow:

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smart flow > Edit Smart Flow
_images/image2.10.png
  2. Click on Security > Header Rewrites
_images/image2.16.png
  3. Enable the access policy using the Enable button. By default, the screen displays three X-Forwarded header screens.
_images/image2.17.png

Enter the header name for the required X-Forwarded header screen. Enter the variable names for Header Value.

For example, for X-Forwarded For screen, enter these variables: $http_x_forwarded_for

Enter the variable corresponding to the client IP address here. $remote_addr

Enter the variable corresponding to the proxy through which the request passes. Select the header rewrite Action. Enable the rules and save the policy. Save the SmartFlow.

The Action tab displays the following actions:

_images/image74.png

Returning Custom Content

Action Policies (Alias Response code or Redirect URL)

Action policies allow you to configure rules that specify custom content to return to the user (for example, an alias response code) for the response codes coming from the application server(s). Action policies enhance the user experience. For example, if you want to hide a particular response code from the user, you can specify an alias code in the action policy configured in the A10 Lightning ADC so that the user sees the alias code instead of the response code that you want to hide.

Configuring Action Policy Rules

Follow the steps below to configure the Action policy in A10 HarmonyTM Controller:

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smart flow > Edit Smart Flow
_images/image2.10.png
  2. Under Policies > Traffic > Action > Enable to view the Action policy configuration screen.
_images/image2.18.png

In the action policy rules, you can do the following:

  • Set up alias response codes or alias response URLs that A10 Lightning ADC should provide the user for response codes coming from the Application server.
  • Redirect the user to a redirect URL.
  • Add more than one action policy rule.
  • Configure Action policy rules from the Security tab (Path: Configuration > Security) by enabling Allow merging of rules.

Mask Policy

Masking allows you to control how servers respond to a user, thereby, increasing application security.

Configuring Mask Policy

Follow the steps below to configure the Mask policy in A10 HarmonyTM Controller:

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > ADD SMARTFLOW > Edit SmartFlow
_images/image2.10.png
  2. Under Policies > Security > Mask > Enable to view the Mask policy configuration screen.
_images/image2.19.png

The Mask policy configuration has three options:

  • Remove Server Header from Response: Turn on this option to prevent users from knowing what type of web server is used in your operations.
  • Remove ETag Header from Response: Activate this option to prevent malicious users from learning that your website is hosted on multiple servers.
  • Return HTTP 404 if the server returns HTTP 5xx: Enable this option to ensure users receive friendlier error messages, rather than having to read complicated error messages.
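One way to check the three Mask options from the client side, as an added example that is not A10 code: it parses raw HTTP responses and reports which maskable details are still visible. All sample responses, header values and function names are constructed for illustration.

```python
"""Check responses seen through the ADC for what the Mask policy should hide."""

# Constructed responses. The first two are the same URL answered by two
# different back-end servers with masking off; the last is a masked error.
UNMASKED_A = (b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/2.4.1\r\n"
              b'ETag: "1a2b-5f2a-61c3"\r\nContent-Length: 2\r\n\r\nok')
UNMASKED_B = (b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/2.4.1\r\n"
              b'ETag: "9f0e-5f2a-61c3"\r\nContent-Length: 2\r\n\r\nok')
UNMASKED_ERR = (b"HTTP/1.1 503 Service Unavailable\r\n"
                b"Server: ExampleHTTPd/2.4.1\r\n\r\nupstream pool exhausted")
MASKED_ERR = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def parse_response(raw):
    """Return (status_code, {lowercased header name: value}) from raw bytes."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def mask_findings(raw):
    """List the Mask policy items still visible in one response."""
    status, headers = parse_response(raw)
    findings = []
    if "server" in headers:
        findings.append("Server header present: " + headers["server"])
    if "etag" in headers:
        findings.append("ETag header present: " + headers["etag"])
    if 500 <= status <= 599:
        findings.append("HTTP %d passed through to the client" % status)
    return findings


def distinct_etags(raw_responses):
    """ETag values seen across repeated requests for one unchanged resource.

    More than one value suggests per-server validators, which is the detail
    the 'Remove ETag Header from Response' option is meant to hide.
    """
    tags = set()
    for raw in raw_responses:
        _status, headers = parse_response(raw)
        if "etag" in headers:
            tags.add(headers["etag"])
    return sorted(tags)


if __name__ == "__main__":
    for name, raw in [("unmasked error", UNMASKED_ERR), ("masked error", MASKED_ERR)]:
        print(name, "->", mask_findings(raw) or "nothing exposed")
    print("ETags for one URL:", distinct_etags([UNMASKED_A, UNMASKED_B]))
```
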

Sensitive Data Exposure

Access Control

IP Access Policy

Access Policies (Whitelists and Blacklists)

Access policies let you specify allow or deny rules for traffic from IP addresses. Specify the IP address from which traffic should be allowed or denied. This provides the mechanism to build whitelists (allow rules) and blacklists (deny rules), which allow requests based on the IP address or deny unwanted traffic.

_images/image2.21.png

Whitelist helps in preventing DDoS by allowing traffic only from trusted sources. Blacklist helps in preventing DDoS attacks by restricting traffic from known attackers.

Order of rules

  • User can specify a network address instead of just an IP.
  • The importance of the keyword ‘all’.
  • An example displaying a combination of allow/deny rules using individual IP, network address, and ‘all’.

Configuring Allow Rule

Perform the steps below to configure an Allow rule in A10 HarmonyTM Controller.

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smartflow > Edit SmartFlow
  2. Under Policies > Security > Access > Enable to view the Allow Rule configuration screen.
  3. Add an Allow rule by entering the IP address and enabling the rule, or enter the value all in the allow rule. Note that all is the default value.
_images/image2.21.png

You can add multiple allow rules using the Add Rule button.

  • Save the Rule and policy.
  • Save the SmartFlow.
  • Send request to the Lightning Application Delivery Controller from the IP which is allowed.

Expected Results

When a request is made from the Application server specified by the IP address in the Allow rule in the Access Policy, a 200 OK response code is displayed along with the content in the reply. When you specify the option all in the Access policy, users receive an appropriate response whichever client IP address they send requests from.

Configuring Deny Rule

Perform the steps below to configure a deny rule in A10 HarmonyTM Controller:

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smartflow> Edit SmartFlow
  2. Under Policies> Security > Access > Deny > Enable to disable the Allow Rule configuration.

Add a Deny Rule

Enter the IP address (for example, 54.186.134.82). Disable the rule, save the rule and policy, and save the SmartFlow. Then send a request to the Application Delivery Controller from the IP which is denied.

Add multiple deny rules as required, using the Add Rule button.

  • Save the rules and policy.
  • Save the Smart Flow.
  • Send request to the Application Delivery Controller from the IP addresses specified in the Deny rules.

Expected Results

When requests are made from the IP addresses specified by Deny rules, a 403 Forbidden response is displayed.

Disable Rule Feature

Perform the step below to disable a rule in A10 HarmonyTM Controller:

Select Tenant > Tenant Name > Edit Configuration> Services> default-smartflow> Edit SmartFlow to edit the default Smart Flow. Choose Security > Access and then disable the Access policy using the Disable option.

Geographic Access Control

Controlling Access based on any information in HTTP request.

Protection against DDoS Attacks

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. A DDoS attack can cripple your network and take your servers offline, by flooding the network with malicious traffic leaving no room for legitimate traffic.

A10 HarmonyTM Controller monitors traffic patterns to identify and protect your business from application-layer Distributed Denial of Service (DDoS) attacks. Clean user traffic is allowed through while the system identifies and drops malicious traffic before it can impact app server resources and availability. A10 HarmonyTM Controller detects and mitigates application layer threats such as SlowLoris, Slow Post, HashDoS, and GET Floods.

_images/ddos1.png

Application availability is maximized using A10 HarmonyTM Controller DDoS protection even during attacks. The elastic infrastructure allows mitigation to keep pace with application traffic and keep latency to a minimum. The comprehensive traffic and security metrics in the A10 HarmonyTM Controller web interface helps you to learn about specific attacks and patterns in attack detection. A10 HarmonyTM Controller Blacklists and Whitelists and customized Web Application Firewall (WAF) rules help mitigate these attacks.

A10 HarmonyTM Controller Mitigation Mechanisms for DDoS Attacks

A10 HarmonyTM Controller provides different mitigation mechanisms to thwart Layer 4 network level attacks.

_images/image393.png

Types of Attacks and Mitigation Mechanisms

  • Volumetric/Flood Attacks: IP protection, Rate limiting, and Throttling
  • Session attacks: SSL termination and SSL re-negotiation validation, Elastic SSL with Auto-Scaling
  • Application Attacks: Blacklist and Whitelist support, Full proxy for HTTP, Anomaly detection, Web Application Firewall (WAF)

A10 HarmonyTM Controller mitigates different types of DDoS attacks with security policies and features, as explained here:

By default, the mitigation mechanisms in A10 HarmonyTM Controller include connection pooling, surge protection, request queueing, and auto-scaling capabilities. These can absorb small to medium intensity attacks. If the attack is planned to exploit HTTP 1.1 protocol limits and is made in the form of SlowLoris, SlowPost or other similar “low and slow” attacks, the aggressively configured restrictions in the Surge Protection policy help to mitigate the attack. Limiting the total number of user sessions and rate limiting traffic within a session using the Session Tracking policy prevents the attacker from creating junk connections and hogging server resources. If the attack is done using a tool or IP network that is known for bad BOT traffic, the attack is prevented by the configuration setting in A10 HarmonyTM Controller that prevents dangerous BOT attacks. Collecting the IP addresses of attackers and creating whitelists and blacklists (access/deny rules) or Access Policy rules prevents attacks from known IP addresses.

Connection Timeouts

Surge Protection Policy

Surge Protection policy is the security policy in A10 HarmonyTM Controller that protects your infrastructure from external network traffic surges caused by DDoS attacks which exploit conditions/parameters such as connection time, connection requests, or provisions of the HTTP protocol such as requests and responses. This policy allows you to specify the limits and timeouts for handling traffic surges present in the network or created by attacks, by aggressively closing the connections based on the policy configuration.

You can configure these functions in the Surge Protection policy screen in A10 HarmonyTM Controller:

  • Specify limits or timeouts for traffic surges by aggressively closing connections causing surges.
  • Prevent specific DDoS attacks such as SlowLoris and SlowPost by closing idle connections, or specifying limits for slow connections.
  • In attacks that exploit provisions of HTTP protocol, you can specify limits for the HTTP request body length or the maximum number of requests to process on a connection.

Configuring Surge Protection Policy

Perform the steps below to configure Surge Protection policy in A10 HarmonyTM Controller:

  1. Click on Tenant > Tenant Name > Edit Configuration> Security tab > Surge Protection menu. Enable Surge Protection policy by clicking on the Enable button.
  2. The Surge Protection policy screen displays with these fields:
_images/image2.25.png

**Surge Protection limits can be set on these parameters:**

  • Maximum allowed Request Body (bytes) Size: You can set a limit on the HTTP request body length that can be accepted by the HTTP Provider Service to protect your system from malicious Denial-of-Service (DoS) attacks. The system controls this limit by inspecting the Content-Length header of the request or monitoring the chunked request body (in case chunked encoding is applied to the message). If the value of the Content-Length header exceeds the maximum request body length, then the HTTP Provider Service rejects the request with a 413 “Request Entity Too Large” error response.
  • The maximum number of requests to process on a connection: You can limit the number of HTTP requests per source IP address, on a connection from the client to the application server. The limit can be an integer value between 0 and 65536.
  • Close idle connection after (seconds): Some attacks involve malicious clients that linger on with partial requests and responses, and indulge in minimum interaction to prevent server idle times from expiring. The attacks slow down applications by consuming system resources, leading eventually to an inability to handle server traffic. These are the “low and slow” attacks, as a relatively small number of clients can DoS the server stealthily and slowly, without consuming any significant bandwidth on the network.

In A10 HarmonyTM Controller, this field allows setting the time within which the system should close idle connections so that low and slow attacks are prevented.

Protection against SlowLoris

Slow Loris is an attack tool that holds HTTP connections open by sending partial HTTP requests. The headers are sent at regular intervals to occupy the application stack and keep connections from closing. This keeps the server threads and network resources from being released, eventually leading to collapse. The web server quickly reaches its maximum application stack capacity and becomes unavailable for new connections by legitimate users. From a protocol compliance perspective, this appears to be normal traffic which the signature or blacklist-based devices do not detect.

  1. Click on Tenant > Tenant Name > Edit Configuration > Services > default-smartflow> Edit SmartFlow
  2. Under Policies> Performance > Compressions
_images/image2.26.png

In A10 HarmonyTM Controller, this field allows you to protect against SlowLoris attacks by closing HTTP connections when the headers are not received within the specified time interval (in seconds). The default allowed time is 60 seconds.

Close connection if all headers are not received in (seconds)- Protection Against SlowLoris: Set the time (in seconds) to close connections if HTTP headers are not received within the specified period.

Protection against SlowPost

SlowPost is an attack tool which brings down a web server by creating long form field submissions. This is done by iteratively injecting one byte into a web application post field followed by a sleep period. The result is that application threads become stuck because they are occupied with these one-byte POST fragments.

_images/image63.png

In A10 HarmonyTM Controller, this field allows you to protect against SlowPost attacks by closing HTTP connections if the request body is not received within the specified time interval (in seconds). The default allowed time is 60 seconds.

Close connection if it goes idle while receiving request body for (seconds) - Protection against SlowPost: Set the time (in seconds) to close idle connections while receiving HTTP request body.

Terminate Connection after every request: When you enable this button, a new connection is opened for every new request. (That is, the session is terminated after a request.)
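The Surge Protection timers described above, replayed over constructed connection traces as an added example (a model for reasoning about the settings, not A10 code or configuration). The field names, the request-body limit and the idle timeout value are assumptions; only Content-Length bodies are modelled, not chunked encoding.

```python
"""Replay constructed connection traces against Surge Protection-style timers."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SurgePolicy:
    # Hypothetical field names mirroring the options described above.
    max_body_bytes: int = 1_048_576            # assumed value, not a product default
    idle_timeout_s: float = 60.0               # assumed value
    header_timeout_s: Optional[float] = 60.0   # default stated above; None disables it
    body_idle_timeout_s: float = 60.0          # default stated above


def content_length(head: bytes) -> int:
    """Content-Length from a raw header block, 0 when absent."""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip().decode("ascii"))
    return 0


def evaluate(events, policy, observed_until):
    """Return (verdict, time) for one connection accepted at t=0.

    events: time-ordered list of (seconds, bytes received from the client).
    """
    buf = b""
    last_rx = 0.0
    in_body = False
    body_needed = body_got = 0
    for t, data in list(events) + [(observed_until, b"")]:
        # Which timer would fire first while waiting for this event?
        if in_body:
            timers = [(last_rx + policy.body_idle_timeout_s, "closed: body idle timeout")]
        else:
            timers = [(last_rx + policy.idle_timeout_s, "closed: idle timeout")]
            if policy.header_timeout_s is not None:
                # Absolute deadline: trickled header lines do not extend it.
                timers.append((policy.header_timeout_s, "closed: header timeout"))
        when, why = min(timers)
        if t > when:
            return why, when
        if not data:
            continue  # end-of-observation marker, nothing received
        if in_body:
            body_got += len(data)
        else:
            buf += data
            head, sep, rest = buf.partition(b"\r\n\r\n")
            if sep:
                body_needed = content_length(head)
                if body_needed > policy.max_body_bytes:
                    return "rejected: 413", t
                in_body, body_got = True, len(rest)
        last_rx = t
        if in_body and body_got >= body_needed:
            return "complete", t
    return "open", observed_until


# Constructed traces: (seconds since accept, bytes received).
SLOWLORIS = [(0.0, b"GET / HTTP/1.1\r\nHost: app.example\r\n")] + [
    (float(t), b"X-a: b\r\n") for t in range(10, 130, 10)]
SLOWPOST = [(0.0, b"POST /form HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Length: 1000\r\n\r\n")] + [
    (float(t), b"a") for t in range(30, 150, 30)]
OVERSIZED = [(0.0, b"POST /up HTTP/1.1\r\nHost: app.example\r\n"
                   b"Content-Length: 5000000\r\n\r\n")]
NORMAL = [(0.2, b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n")]
```

With only the idle timeout, the header trickle stays open because no gap reaches 60 seconds, while the header deadline closes it at 60 seconds. The body trickle survives the default 60-second body idle timeout and is closed only when that timeout is set below the gap between bytes.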

Volumetric Traffic Limits

Session Tracking Policy

A session is a series of related browser requests that come from the same client during a period. Session tracking is a mechanism to track a customer session and enforce traffic management policies on sessions. During a session, a series of continuous web requests and responses from the same client to the server can cause traffic congestion and inadequate network bandwidth. This is because HTTP is a stateless protocol and the server does not store the incoming client information. Session tracking enables you to track a user’s progress over multiple servlets or HTML pages during a session. Session tracking mechanisms are required so that Volume-based DDoS attacks caused by large traffic generation from a single client, or a lot of connections created for a short duration from multiple clients can be detected and mitigated.

Session Timeout: You can specify an interval of time after which HTTP sessions expire. When a session expires, all data stored in the session is discarded. The session timeout is 30 minutes as per industry standards.

Session Tracking Policy in A10 HarmonyTM Controller

Session Tracking policy in A10 HarmonyTM Controller allows you to track user sessions and then limit usage of resources by those sessions. The A10 HarmonyTM Controller performs session tracking to apply rate limits on incoming web requests from clients to servers.

_images/image64.png

You can set these parameters in the session tracking policy in A10 HarmonyTM Controller:

  • Number of simultaneous user sessions for an application.
  • Number of simultaneous requests within a session.
  • The rate of request per session.
  • The rate of session creation per application.

Note

See Step 3 of Configuring Session Tracking Policy in A10 HarmonyTM Controller for more information.

Configuring Session Tracking Policy

Perform the step below to configure the session tracking policy in A10 HarmonyTM Controller:

Click on Tenant > Tenant Name > Edit Configuration > Security tab > Session Tracking to access the Session Tracking screen.

_images/image2.27.png

Configure the Session Tracking Mechanism. A10 HarmonyTM Controller provides these mechanisms for session tracking:

LADC cookie: This session tracking mechanism uses cookies to track sessions. A10 HarmonyTM Controller inserts its cookie to track a session. A unique cookie identifies each session. This should be used when the traffic is expected from web clients that support cookies; a typical example is a web browser.

Client IP: This session tracking mechanism is based on tracking the sessions originating from a customer IP address to the application server. A session is identified by the IP address of the web client. This should be used when clients do not support cookies (For example, mobile apps) but are expected to have different public IP addresses.

Configure the following parameters for session tracking:

Maximum concurrent sessions: The maximum number of concurrent users accessing the application. You can set any integer value in this field.

Session create rate: The rate at which users access the application. This parameter is measured as a per-second rate.

Maximum concurrent requests per session: The maximum number of concurrent requests in a user session. This field is particularly useful in browser sessions (when users access the application through browsers).

Request rate per session: The number of requests in a user session. This field is particularly useful in API-based sessions. This parameter is measured as a per-second rate.

Note

Session Tracking can also be configured at the Smart Flow level.

Session Tracking Trend Graphs

You can view trend graphs and analytics of your session tracking policy from Analytics> Dashboard > Blocked Requests menu.

_images/image2.32.png

Exporting and Importing Application Configuration from A10 Lightning Controller

This section discusses in detail the ways to import and export application configuration to and from A10 Lightning Controller.

The export function stores the logical configuration of an application from the A10 Lightning Controller to a user specified location. The import function uploads the logical configuration from local storage and creates a logical entity for the application on the A10 Lightning Controller. The export and import can be done in two ways - unencrypted export/import and encrypted export/import.

When the configuration is exported without a password, it is an unencrypted export and the returned content is plain text. When a password is specified during export, the returned configuration is encrypted with that password. When such an encrypted file is imported, the controller uses the password provided by the user to decrypt the configuration file and create the logical entity. Both the import and export operations are performed using the APIs.

APIs to Export/Import Application Configuration

The export API exports the configuration for a specific or all the applications for a tenant. The API generates a JSON file and returns it to user with or without encryption. The user can store this file as a configuration backup and use it if there is a need to restore the application.

Note: A tenant has two names, the display name and the tenant name. In the APIs below, use only the tenant name, not the display name.

To get the name of the tenant, invoke the following API:

API : GET /providers/{provider:.+}/tenants

@Header provider:<provider>

1. Export a specific application configuration for a tenant:

GET http://<edge-ip>/api/v2/systems/configuration/<app-id>/_exportconf

**Parameters**

- String password: Password, if provided then the returned configuration is encrypted.
- Boolean excludeServers: If true, back-end servers are excluded from the exported application configurations.
- App ID : Application Id of the application to be exported.
- Tenant: Tenant name to which this application belongs.
- Provider: Provider name to which the tenant belongs.

2. Export all the application configuration for a tenant:

 GET http://<edge-ip>/api/v2/systems/configuration/_exportconf

 **Parameters**

- String password: Password, if provided then the returned configuration is encrypted.
- Boolean excludeServers: If true, back-end servers are excluded from the exported application configurations.

3. Import the application configuration(s) for a tenant:

POST http://<edge-ip>/api/v2/systems/configuration/_importconf

**Parameters**

- @FormDataParam InputStream file: Encrypted or plain configuration file.
- @FormDataParam String clusters: Optional, comma separated list of clusters name corresponding to applications to be associated with.
- String password: Optional, password to be used for decryption, when provided input file is encrypted.
- String infraCredential: Infra-credential in the current tenant. If provided, then infra-credential available in the exported file is replaced by this.
- String dnsCredential: Dns-credential in the current tenant. If provided, then dns-credential available in the exported file is replaced by this.
- Boolean excludServers: If true, applications are imported excluding the back-end servers (even if exported configuration file has it).

**Note**:

  1. If a user tries to import an application that already exists, a conflict is returned; the user needs to delete the existing application and can then import the conflicted application.
  2. While importing multiple applications, if a failure happens for even a single application, no application is imported.

A10 Lightning ADC Use Case Scenarios

This section of the document briefly discusses the various configuration scenarios which a user can implement using the features offered by A10 HarmonyTM Controller. These use cases help users to understand the A10 HarmonyTM Controller features better, and how these features can be effectively used to address various scenarios. For example, if a user wants to block traffic to the network from a specific country, the user can use the SmartFlow feature in A10 HarmonyTM Controller to create a service condition that blocks traffic for that country. Similarly, there are many other use case scenarios discussed in this section of the document.

Traffic Management Use Cases

When you enter a URL (http://www.example.com) in your web browser, the browser sends an HTTP command to the web server to fetch and transfer the requested web page. Here, your web browser is the client and your website host is the server. Sometimes clients exchange private information with a server, and that exchange needs to be secured against interception. For this reason, we redirect the traffic from HTTP to HTTPS using the Smartflow feature in A10 HarmonyTM Controller. The ‘S’ at the end of HTTPS stands for ‘Secure’. It means all communications between your browser and the website are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.

To redirect the traffic from HTTP to HTTPS, the user can use the SmartFlow feature in A10 HarmonyTM Controller to create a smart flow condition for a particular service(s) so that any data exchange through A10 HarmonyTM Controller is secure. Rather than creating a smart flow condition for each URL request, the user can use https://$host$request_uri as the input in the Redirect URL field and set the condition as Redirect the traffic, which redirects all the URL requests.

In this case, a request from the client hits the smart flow and if the condition matches, then the traffic is redirected from HTTP:// to HTTPS:// [temporarily or permanently] for the requested URL.

Steps to configure a Smartflow policy to redirect traffic:

  1. Login to the A10 HarmonyTM Controller.
  2. Click Configuration > Services > Smartflow
  3. Click Add a new Smartflow and set the conditions and then save.
_images/image10.0.png

See also

Adding a Smartflow section under Traffic Management Configuration, for more information on Smartflow configuration.

The video below demonstrates the steps to configure the redirect traffic policy:

A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (For example, a botnet) flooding the targeted system with traffic. In this use case, we are discussing the Surge protection feature in A10 HarmonyTM Controller which is designed to prevent such attacks.

If the attack is made in the form of SlowLoris, SlowPost or other similar low and slow attacks, the aggressively configured restrictions in the Surge Protection policy help to mitigate such attacks. Limiting the total number of user sessions and rate limiting traffic within a session using the Session Tracking policy prevents the attacker from creating junk connections and consuming server resources.

See also

Protection against DDoS Attacks section under Security Configuration for more information on Surge Protection policies, and how to configure them.

The video below demonstrates the steps to configure Surge protection policy and Session tracking policy:

This video is about how to check for SlowPost attacks in the application.

This use case discusses the effort to estimate the Rate Limit configuration values considering the analytics of various other parameters.

By combining the session tracking values with the per-request analytics, the user can estimate the values for the Rate Limit configuration.

A session is defined as a single user agent such as a browser or an API client. Each session has an idle expiry time that defaults to 30 minutes (this cannot be changed currently). A session can be tracked in two ways.

  1. LADC Cookie- Cookies are maintained by LADCs and are returned with every response. Each user agent is uniquely identified by the combination of source IP and port.
  2. Client IP- Only the source IP of the client is used to identify a user agent uniquely.

Based on the values obtained from these four parameters as discussed below, the user can estimate the values to configure the Rate Limiting.

1. Number of Concurrent Sessions- The maximum number of sessions (or user agents) that can be accepted at any given point in time. Suppose it is set to a value of 100; then approximately a maximum of 100 user agents can be served at any point in time. Any more user agents will get a 403 forbidden response. This value can be retrieved from the “active sessions” value in the session tracking graphs (under App Dashboard > Blocked requests).

2. Number of Concurrent Requests per Session- The maximum number of open requests (for which a response has not been received yet) that can be accepted at any given point in time. This value can be derived from the total number of requests that can be served at any given point in time and the number of concurrent sessions. Number of concurrent requests per session = Total number of requests/Number of concurrent sessions. Suppose it is known from the app server infrastructure/health that it can support a maximum of 10000 outstanding requests at any point in time, and the maximum number of concurrent sessions (as seen from the graphs) is 1000. Therefore the number of concurrent requests per session can be set to 10.

3. Session Rate- The maximum number of sessions that can be accepted per second. In other words, this is the maximum number of user agents that can be served per second. This can be used to block too many new user agents being served by the App server infrastructure per second.

4. Request Rate per Session- The maximum number of requests per second that can be made over a session. This blocks user agents from sending too many requests per second over a session.
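A model of the four limits described above and in the Session Tracking Policy section, as an added example that is not the product's implementation: it applies the limits to constructed traffic under both tracking mechanisms. Class and field names are hypothetical, the cookie mechanism is assumed to key on the cookie value, and the session rate and request rate values are constructed; the concurrent-requests value is the 10000/1000 estimate from the text.

```python
"""Model of the four Session Tracking limits, keyed by LADC cookie or client IP."""
from dataclasses import dataclass

SESSION_IDLE_EXPIRY_S = 30 * 60      # idle expiry stated above


@dataclass
class Limits:
    # Hypothetical field names for the four parameters described above.
    concurrent_sessions: int
    session_rate: int                 # new sessions per second
    concurrent_requests: int          # open requests per session
    request_rate: int                 # requests per second per session


@dataclass
class Session:
    last_seen: float
    open_requests: int = 0
    window: int = -1                  # one-second bucket the counter belongs to
    count: int = 0


class SessionTracker:
    def __init__(self, limits, mechanism):
        if mechanism not in ("cookie", "client_ip"):
            raise ValueError("mechanism must be 'cookie' or 'client_ip'")
        self.limits, self.mechanism = limits, mechanism
        self.sessions = {}
        self.create_window, self.created = -1, 0

    def _key(self, client_ip, cookie):
        return client_ip if self.mechanism == "client_ip" else cookie

    def begin_request(self, now, client_ip, cookie):
        """Return 'allow' or the limit that blocked the request."""
        lim = self.limits
        # Expire sessions that have been idle longer than the expiry time.
        for key, s in list(self.sessions.items()):
            if s.open_requests == 0 and now - s.last_seen > SESSION_IDLE_EXPIRY_S:
                del self.sessions[key]
        key = self._key(client_ip, cookie)
        sess = self.sessions.get(key)
        if sess is None:
            if len(self.sessions) >= lim.concurrent_sessions:
                return "block: concurrent sessions"
            if int(now) != self.create_window:
                self.create_window, self.created = int(now), 0
            if self.created >= lim.session_rate:
                return "block: session rate"
            self.created += 1
            sess = self.sessions[key] = Session(last_seen=now)
        if int(now) != sess.window:
            sess.window, sess.count = int(now), 0
        if sess.count >= lim.request_rate:
            return "block: request rate per session"
        if sess.open_requests >= lim.concurrent_requests:
            return "block: concurrent requests per session"
        sess.count += 1
        sess.open_requests += 1
        sess.last_seen = now
        return "allow"

    def end_request(self, client_ip, cookie):
        sess = self.sessions.get(self._key(client_ip, cookie))
        if sess and sess.open_requests:
            sess.open_requests -= 1


def replay(mechanism, limits, requests):
    """Run (time, client_ip, cookie) requests that each complete immediately."""
    tracker = SessionTracker(limits, mechanism)
    verdicts = []
    for now, ip, cookie in requests:
        verdict = tracker.begin_request(now, ip, cookie)
        if verdict == "allow":
            tracker.end_request(ip, cookie)
        verdicts.append(verdict)
    return verdicts


# Worked estimate from the text: 10000 outstanding requests / 1000 sessions.
# session_rate and request_rate are constructed values for the demonstration.
LIMITS = Limits(concurrent_sessions=1000, session_rate=50,
                concurrent_requests=10000 // 1000, request_rate=2)

# Constructed traffic: three user agents behind one NAT address, two requests
# each, all within the same second.
NAT_TRAFFIC = [(0.1 * i, "203.0.113.7", "agent-%d" % (i % 3)) for i in range(6)]
```

Replaying `NAT_TRAFFIC` with the cookie mechanism allows all six requests, while the Client IP mechanism folds the three user agents into one session and blocks four of them on the per-session request rate.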

When a user needs to test a new version of the application with zero downtime, the user can use the Blue/Green feature in A10 HarmonyTM Controller to set the traffic steering policies for inbound traffic across old (blue) and new (green) deployments while both environments remain online. The user can monitor blue and green server behaviour and health metrics to adjust traffic steering rules in real-time.

The following use case helps the user to understand how to configure the Blue/Green deployment feature in A10 HarmonyTM Controller to steer traffic to a specific user domain, whenever there are any new additions to the application or to release a new version of the application.

In this use case, we are discussing four different Blue/Green deployment scenarios such as specific user, specific browser, specific country, and specific device. Basically, the Blue/Green policy steers the inbound traffic across old (blue) and new (green) deployments while both environments remain online based on the policy configured.

See also

Traffic Management Configuration for more information on Blue/Green deployment.

Configuring Blue/Green Policy

  1. Click Configuration > Blue/Green
  2. Click Configure a Blue/Green Deployment
_images/image9.8.png
  3. Select the Blue Service from the drop-down.
_images/image9.9.png
  4. Configure the condition(s) to direct the Green traffic based on requirement.
_images/image9.10.png

The first four steps remain the same for every policy configuration; only the conditions change, as shown below.

Specific User

To filter the User specific traffic, set the conditions as shown below. Here, the If condition can be Header, Cookie, or Query Parameter.

_images/image9.11.png

Specific Browser

To filter the Browser specific traffic set the conditions as shown below.

_images/image9.12.png

Specific Country

To filter the Country specific traffic set the conditions as shown below, and the value used should be the country code (For example, US).

_images/image9.13.png

Specific Device

To filter the Device specific traffic set the conditions as shown below.

_images/image9.14.png

Security Configuration Use Cases

The following use case addresses the user requirement for blocking the traffic from a specific country. For example, when the user is required to block traffic from a specific country in order to prevent malicious attacks on the network, the user can create a security policy in A10 HarmonyTM Controller and make the network more secure.

The security configuration policies in A10 HarmonyTM Controller allow a business to build a policy that blocks traffic for a specific country based on various parameters. This policy can be enabled for an existing service(s) or for a new service profile. In this example, we are creating a new service and then enabling a smart flow condition to block the traffic for a specific Country.

Configuration steps:

  1. Click Add New Service > Provide Name, Description, IP and Port Number as shown in the video.
  2. Set the Service conditions as shown and then Save. Here, US is the country code for the United States.
_images/image9.0.png
  3. Activate the Service.
  4. Click Add SmartFlow > Set SmartFlow conditions > Save, as shown in the video.
_images/image9.1.png

The video below explains how to configure the policy to block traffic for a specific Country:

Your network is always vulnerable to all kinds of threats and attacks. An attack may come from a known network or from an unknown network. To prevent such attacks, we need to block those networks. This use case demonstrates the steps to block traffic from such networks using the traffic blocking policy in A10 HarmonyTM Controller.

The security configuration policies in A10 HarmonyTM Controller allow a business to build a policy that blocks traffic from a specific network using the IP address of the client network. This policy can be enabled for existing services or for a new service profile. In this example, we create a new service and then enable a SmartFlow condition to block traffic from a specific network.

Configuration steps:

  1. Click Add New Service > Provide Name, Description, IP, and Port Number as shown in the video.
  2. Set the Service conditions as shown and then Save. Here, the value is the IP address of the network for which the traffic is blocked.
_images/image9.2.png
  3. Activate the Service.
  4. Click Add SmartFlow > Set SmartFlow conditions > Save, as shown in the video.
_images/image9.3.png

The video below explains how to configure the policy to block traffic for a specific Network:

Sometimes a user needs to block traffic from a specific browser, for example to stop requests from a browser that the application does not support, or for many other reasons. Suppose a request from Mozilla hits the server and the application is not compatible with Mozilla. In that case, the server may not respond to the request, and such requests may take up space unnecessarily and cause some downtime.

To overcome such issues, A10 HarmonyTM Controller allows a business to build a policy that blocks traffic from a specific browser based on conditions such as header type, match if, case, and value. This policy can be enabled for existing services or for a new service profile. In this example, we create a new service and then enable a SmartFlow condition to block traffic from a specific browser.

Configuration steps:

  1. Click Add New Service > Provide Name, Description, IP, and Port Number as shown in the video.
  2. Set the Service conditions as shown and then Save. Here, define Header name as User-Agent and value as the name of the Browser (For example, Mozilla in this case).
_images/image9.4.png
  3. Activate the Service.
  4. Click Add SmartFlow > Set SmartFlow conditions > Save, as shown in the video.
_images/image9.5.png

The video below explains how to configure the policy to block traffic for a specific Browser:

The following use case is very similar to the use case for blocking traffic from a specific browser; the difference is that here we are blocking traffic from a specific device.

The security configuration policies in A10 HarmonyTM Controller allow a business to build a policy that blocks traffic from a specific device based on service policy conditions. This policy can be enabled for existing services or for a new service profile. In this example, we create a new service and then enable a SmartFlow condition to block traffic from a specific device.

Configuration steps:

  1. Click Add New Service > Provide Name, Description, IP, and Port Number as shown in the video.
  2. Set the Service conditions as shown and then Save. Here, define Header name as User-Agent and value as the name of the Device (For example, Macintosh in this case).
_images/image9.6.png
  3. Activate the Service.
  4. Click Add SmartFlow > Set SmartFlow conditions > Save, as shown in the video.
_images/image9.7.png

The video below explains how to configure the policy to block traffic for a specific Device:
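Before saving a User-Agent condition for the browser or device use cases above, it helps to dry-run the value against the headers real clients send. The following is an added example, not A10 code: it assumes the condition is a substring match on the User-Agent header (the page does not state the match type), and the sample headers and function names are constructed for illustration.

```python
"""Dry-run a User-Agent block condition against sample headers before saving it.

Assumption: the condition is a substring ("contains") match on the User-Agent
header. The page names the fields (header type, match if, case, value) but
not the match type, so adjust matches() to the option you actually select.
"""

# Constructed sample headers in the shape common clients send (not captured traffic).
SAMPLE_USER_AGENTS = {
    "Firefox on Windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) "
                          "Gecko/20100101 Firefox/125.0",
    "Chrome on Windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                         "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    "Safari on macOS": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
                       "(KHTML, like Gecko) Version/17.4 Safari/605.1.15",
    "Chrome on macOS": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    "Safari on iPhone": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) "
                        "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 "
                        "Mobile/15E148 Safari/604.1",
    "curl": "curl/8.5.0",
    "header absent": None,
}


def matches(user_agent, value, case_sensitive=True):
    """True if the block condition would fire for this request."""
    if user_agent is None:  # header absent: nothing to match on
        return False
    if not case_sensitive:
        user_agent, value = user_agent.lower(), value.lower()
    return value in user_agent


def dry_run(value, case_sensitive=True, samples=SAMPLE_USER_AGENTS):
    """Return the sorted labels of the sample clients the condition blocks."""
    return sorted(label for label, ua in samples.items()
                  if matches(ua, value, case_sensitive))


def review(value, intended, case_sensitive=True, samples=SAMPLE_USER_AGENTS):
    """Compare the blocked set with the clients the rule was meant to block.

    Returns (collateral, missed): clients blocked unintentionally, and
    intended clients that still get through.
    """
    blocked = set(dry_run(value, case_sensitive, samples))
    intended = set(intended)
    return sorted(blocked - intended), sorted(intended - blocked)


if __name__ == "__main__":
    macs = ["Safari on macOS", "Chrome on macOS"]
    for value, intended in (("Mozilla", ["Firefox on Windows"]),
                            ("Macintosh", macs),
                            ("macintosh", macs)):
        collateral, missed = review(value, intended)
        print(f"{value!r}: collateral={collateral} missed={missed}")
```

The value Mozilla appears in the User-Agent of every mainstream browser, so under a substring match it blocks far more than one browser, while Macintosh is sensitive to the case setting. Because the header is supplied by the client, these conditions are a compatibility filter and not an access control.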

A10 Thunder ADC

Thunder ADC is a traditional ADC product from A10 Networks. It is available as a hardware appliance as well as a virtual appliance. It is built to support all types of applications deployed in data centres, and it also works well in various cloud environments.

Like all traditional ADCs, Thunder ADC has the management function within the box and can be accessed through the web user interface and the CLI. While it is great for ADC functionality, it typically lacks visibility and analytics for the traffic flowing through it.

Thunder ADC can be connected to A10 HarmonyTM Controller to extend its utility. Connecting to A10 HarmonyTM Controller adds capabilities like rich analytics, central management, self-service through the Provider-Tenant model, and so on.

Thunder Devices Cluster and Device

_images/cluster.png

The Thunder device connecting to the A10 HarmonyTM Controller may be a single device, part of an HA pair or part of a VCS cluster. On connecting, a Device Cluster is created within the Provider account in the Harmony Controller. When the next device of the cluster connects, it automatically joins the device cluster.

Partitions and Logical Clusters

Thunder devices typically have multiple partitions. The first one is the management partition and is used for device administration. Other partitions can only be used for running application services. When Thunder devices are in HA or VCS, the partition structure of the devices is exactly the same. The group of the same partition from all the devices makes a logical cluster that hosts application services for the servers. When Thunder devices connect to the Harmony Controller for the first time, a tenant account is created under the provider for each logical cluster, and the logical cluster is placed under this tenant. However, there is provision to add more than one logical cluster or Lightning ADC cluster to a tenant account.

_images/logical-cluster.png

Users

Users are synchronized from the devices to the A10 HarmonyTM Controller. Users on the shared partition are provider administrators and continue to have access to device management. Users on an individual partition are tenant administrators for the tenant created for that partition. Any user created on the device after the first connection of the device to A10 HarmonyTM Controller is also synchronized with A10 HarmonyTM Controller.

Connecting Thunder Device to A10 HarmonyTM Controller

The first step in connecting a Thunder device to A10 HarmonyTM Controller is to register the Thunder device with A10 HarmonyTM Controller. On registration, the configuration of the Thunder device is synchronized with A10 HarmonyTM Controller. This includes all partition information and the VIPs configured for the ADC service.

Thunder registration can be done in one of the following ways:

  1. Using Thunder CLI
  2. Using Thunder UI
  3. Using Thunder Device Manager

Registration occurs in the following sequence of steps:

Register using A10 HarmonyTM Controller information

  1. Authenticate the device using the provider’s credentials so that the device is registered for the provider.
  2. Configure the A10 HarmonyTM Controller profile in the Thunder device with the host and provider details.

A registration message contains a list of partitions, users, roles, privileges and the encrypted passwords. A10 HarmonyTM Controller creates the partitions and their associated users or roles and privileges in the database. As a part of registration, Thunder ADC configures the account ID map for each partition. A10 HarmonyTM Controller creates a different tenant for each partition that is registered. This helps in mapping the telemetry information to the correct partition and applications.

API call to A10 HarmonyTM Controller

The Thunder device sends API calls to A10 HarmonyTM Controller to register each object. After the objects are registered, A10 HarmonyTM Controller creates an object tree for each partition.

Registration using Thunder CLI

Pre-requisite:

You need to have the Thunder device upgraded to the appropriate firmware version.

  1. Login to the Thunder device using your username and password credentials.

  2. Enter the config prompt.

  3. Configure the A10 HarmonyTM Controller profile as shown in the video.

    A sample is shown below:

    harmony-controller profile
    host controller.example.com use-mgmt-port
    thunder-mgmt-ip 13.78.173.250
    provider root
    user-name user@a10networks.com
    password *****
    region India
    availability-zone Bangalore
    metrics-export-interval 60
    log-rate 10
    
  • host - Host name or IP address of Harmony Controller.
  • thunder-mgmt-ip - IP address of management port of the Thunder device as accessible from Harmony Controller.
  • provider - Name of the provider account in Harmony Controller.
  • user-name - User name of root provider admin of Harmony Controller.
  • password - Password for the user name provided of Harmony Controller.
  • region/availability-zone - Geographical location or data center where the Thunder device is deployed.
  • metrics-export-interval - Interval at which Thunder device sends aggregated metrics data to Harmony Controller.
  • log-rate - Maximum rate at which traffic logs are sent by the device per second to the Harmony Controller.
  4. Verify whether the A10 HarmonyTM Controller profile is created:

    show run
    
  5. Register the device:

    register
    

Note: Use the deregister command to de-register the Thunder device from the controller.

  6. Verify the status:

    show harmony-controller status
    
    heartbeat-status : ACTIVE
    registration-status : PASS
    registration-status-code : 200
    kafka-broker-state : Up
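The status check in the last step can be scripted so that a registration that did not complete is caught for every device. This is an added example, not part of the A10 documentation: it treats the four values in the sample output above as the healthy state (an assumption, since the page lists no other values), and the failure sample and function names are constructed.

```python
"""Check `show harmony-controller status` output against the healthy values.

Assumption: the healthy state is the one in the page's sample output; the
page does not list the other values a device can print, so any different
or missing field is reported rather than interpreted.
"""

HEALTHY = {
    "heartbeat-status": "ACTIVE",
    "registration-status": "PASS",
    "registration-status-code": "200",
    "kafka-broker-state": "Up",
}

# Output as shown on the page.
PAGE_SAMPLE = """\
heartbeat-status : ACTIVE
registration-status : PASS
registration-status-code : 200
kafka-broker-state : Up
"""

# Constructed failure output; the non-healthy values are placeholders.
CONSTRUCTED_FAILURE = """\
show harmony-controller status
heartbeat-status : ACTIVE
registration-status : FAIL
registration-status-code : 401
"""


def parse_status(text):
    """Parse `name : value` lines into a dict, skipping prompts and other lines."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip()
        if sep and name in HEALTHY:
            fields[name] = value.strip()
    return fields


def registration_problems(text):
    """Return one message per field that is missing or not at its healthy value."""
    fields = parse_status(text)
    problems = []
    for name, want in HEALTHY.items():
        got = fields.get(name)
        if got is None:
            problems.append(f"{name}: missing from output")
        elif got != want:
            problems.append(f"{name}: expected {want}, got {got}")
    return problems


def fleet_report(outputs):
    """Map device name -> problem list, keeping only devices with problems."""
    report = {}
    for device, text in outputs.items():
        problems = registration_problems(text)
        if problems:
            report[device] = problems
    return report


if __name__ == "__main__":
    # Device names are constructed labels.
    print(fleet_report({"thunder-a": PAGE_SAMPLE, "thunder-b": CONSTRUCTED_FAILURE}))
```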
    

To know more about device registration, you can check out the following video:

Registration using the Thunder UI

  1. Login to the Thunder device using your username and password credentials.
  2. From the System drop-down list, select Admin.
  3. Click the Controller tab to view the Harmony Controller Settings page.
  4. Enter the A10 HarmonyTM Controller information as shown in the video.
  5. Select Use Management Port.
  6. Click Register Device.

Registration using Thunder Device Manager

  1. Login to A10 HarmonyTM Controller using your credentials.

  2. On the Provider Admin Management page, click View in Device Manager.

  3. From the Devices drop-down menu, select Device List.

  4. Click +Add Devices.

  5. In the Add Device dialog box, enter the following:

    Device IP Address
    User Name
    Password
    
  6. Click Submit to add the device to the Device List.

  7. Select the device and click the HC button.

  8. Enter the A10 HarmonyTM Controller information as shown in the video.

  9. Select Use Management Port.

  10. Click Submit to register the device.

Single Sign-On and Authorization

When a user logs in to A10 HarmonyTM Controller, they assume the role of provider administrator or tenant administrator, and the content they can view depends on that role. When the user wants to access a device to edit its configuration, they do not need to log in to the device again because of the single sign-on feature. However, the user's permissions on that particular device are still honoured. In this way, the administrator of one device is not able to change the configuration of another device, despite being an administrator in A10 HarmonyTM Controller, until they are authorized on that device.

Configuration Synchronization

Any configuration change made on the device, whether through the device user interface, the device CLI or A10 HarmonyTM Controller, is automatically synchronized with A10 HarmonyTM Controller. If for any reason the connection between the Thunder device and A10 HarmonyTM Controller breaks, the application services on the Thunder device continue to work. During this time, users can log in to the device user interface or CLI directly to update the configuration. Such configuration changes are synchronized with A10 HarmonyTM Controller when the link is restored.

Devices

Thunder Device Manager is a micro-service of A10 Harmony Controller. As the name suggests, it allows users to centrally manage all the A10 Thunder devices from the Harmony Portal. As the number of devices increases, it becomes more and more difficult to maintain the inventory and keep the configuration on the devices up-to-date. Upgrading devices or pushing any small change in application configuration becomes a very time-consuming task.

Thunder Device Manager allows users to create logical groups of devices so that configuration can be pushed to a set of devices easily, without logging in to each device. It also allows users to schedule device upgrades and automatically aborts the upgrade chain if the upgrade fails on a device.

While the device manager displays basic information about each device as part of the inventory, detailed analytics for the device and applications are available in the Harmony Portal dashboard.

Device List

The Devices page displays a list of ACOS devices that are currently being managed by the Thunder Device Manager. From this page, you can add a device, delete a device, or create a backup configuration file for a device, as well as perform other tasks.

In the current release, Thunder Device Manager supports the ability to manage the following types of A10 Networks devices running on ACOS 4.1.x:

  • AX Series
  • Thunder Series
  • vThunder (formerly known as “SoftAX”)

To access the Thunder Device Manager’s Devices page, navigate as follows:

  1. Select Devices >> Device List.

    _images/device-list.png

Description of the column headings in the Device List:

  • Status - Indicates the status of the device:
    • (Green, arrow up) – Both ping and http/https are running.
    • (Orange, arrow up) – Ping is running.
    • (Red, arrow down) – Neither ping nor http/https are running.
  • Name - Name of the device. Click on name link to view Device Detail information.
  • IP Address - Displays the IPv4 or IPv6 address of the managed device.
  • Model - Shows the model of the device.
  • Partitions - Displays the number of partitions for each device.
  • SW Info - Shows the software version and build number.
  • Memory - Displays the memory usage percentage.
  • CPU - Shows the Control and Data usage. Hover over the field for more details.
  • Uptime - Displays the uptime for the device in days, hours and minutes.
  • Device Groups - Displays the Device Group associated with the device.
  • Actions - Click on the drop-down list in the Actions column:
    • Rescan - Updates all fields for device.
    • Save Config - Save the current configuration on device.
    • Reboot - Reboot the device.
    • Show User - Displays the Device User.

The following buttons appear at the top right of this window:

  • Refresh - Refreshes the current listing by retrieving a list of devices from database.
  • Delete - Delete one or more devices that have been selected, using check boxes in the Devices page.
  • Add Devices - Displays a dialog panel that can be used to discover one or more devices. Click this button to discover network devices to be managed. (The current Thunder Device Manager release does not support discovery of devices other than through the Thunder Device Manager management interface (eth0).)
  • Advanced Settings - Clicking on the Advanced button allows configuration of the sampling interval for both metrics and logs.
  • Backup Config - Shows a device configuration backup dialog panel that can be used to perform configuration backups on devices that have been selected, using check boxes in the Devices page.

Backing up a Configuration

  1. Select the check box for the device for which you want to perform a configuration backup.

  2. Click the Backup Config button to display a window similar to that shown below:

    _images/device-configuration-backup.png
  3. To create a Device Configuration Backup, configure the following options:

  • Schedule Type - Select whether you want to perform an immediate backup, or schedule a backup at a recurring time.

    If you select Schedule, the following additional fields are displayed: Start Datetime and Schedule Option.

  • Start Datetime - If scheduling the backup for a future time, then enter the desired time in the field to specify the date and time when the backup should begin. Enter the date/time in the following format:

    mm/dd/yyyy hh:mm AM/PM

  • Schedule Option - Click the drop-down menu and select the interval at which the backup configuration snapshots will be taken. Options include:

    • One Time – The backup config file will be created at the time entered in the ‘Start Datetime’ field.
    • Every 6 Hours – The backup will be done automatically, on a 6-hour basis, starting at the time entered in the ‘Start Datetime’ field.
    • Every 12 Hours – The backup will be done automatically, on a 12-hour basis, starting at the time entered in the ‘Start Datetime’ field.
    • Daily – The backup will be done automatically, on an hourly basis, starting at the time entered in the ‘Start Datetime’ field. The Interval time can range from 1-6 days.
    • Weekly – The backup will be automatically done every week, starting at the day of week entered in the ‘Start Datetime’ field.
    • Bi-weekly – The backup will be automatically done every other week, starting at the day of week entered in the ‘Start Datetime’ field.
    • Monthly – Select a number ranging from 1–12 in the Interval field. The backup will be done automatically, on a monthly basis, starting from the date entered in the ‘Start Datetime’ field.
  • Save Config Before Backup - Select Yes or No to save a device configuration prior to this backup operation.

  • Description - Text description for the backup job.

  • Remote - De-select this check box if you wish to save the backup config file on the Thunder Device Manager. Select this check box to specify a remote destination for the backup job.

NOTE: If this option is used, configuration backups will not be shown in the Thunder Device Manager Configuration Backup listing.

Selecting this check box reveals the following additional fields:

  • Backup Method - Select scp, ftp or tftp. If you select tftp, you are prompted only for the Host and File Name fields, which are required.
  • Username – User name used to log on to the remote device.
  • Password – Password needed to access the remote device.
  • Host – IP address of the remote device.
  • File Location – Absolute path to the directory where you want to store your backup.
  • File Name - Name of the Device Configuration Backup File.

Steps to Create a Report/Report Schedule

  1. Click the Report button at the upper right.

  2. From the Type drop-down list, select the type of report you wish to create.

    • Inventory Report
  3. For the Schedule Type options, select Immediate or Schedule.

  4. If Schedule is selected, enter the Start Datetime in the following format: mm/dd/yyyy HH:MM AM/PM

  5. Select a schedule option from the Schedule Option drop-down list.

  6. The PDF and CSV check boxes indicate the file format of the report. Select a check box to generate a report of your format preference.

  7. In the Email field, enter the email addresses to which the reports should be sent. Use a comma to separate email addresses.

  8. In the Description field, enter a description of the report being generated.

  9. Click OK when done.

Device List Summary Report fields:

  • Device Name - The name of the device.
  • Serial Number - The serial number of the device.
  • Model - The device model.
  • Management IP - The management IP address of the device.
  • Image - The version running on the device.
  • Date in service - The service date of the device.
  • License Renewal Date - The date for license renewal.
  • Location - The location information of the device.
  • Notes - Any notes made about a device are included in the report.

Harmony Controller - Register or de-register a device with the Harmony Controller. Enter the required information to add a device. Device information can also be edited, or the device can be removed from Harmony’s management.

Device Groups

The Device Groups page displays a list of device groups. From this page, you can create a new device group, delete a device group, or add devices to an existing device group. The benefit of adding managed devices to a device group is that you can streamline the configuration process. For example, you could push a config file to all devices in a group at once.

To access the device groups page, navigate as follows:

  1. Select Devices >> Device Groups.

    _images/device-group.png

Description of the Column Headings in the Device Groups:

  • Group Name - Displays the Group Name of the Device Group.
  • Devices - Lists the devices in the Device Group. Hover over the specific field to see the list of devices and the IP addresses associated with the group.
  • Description - Displays the text from the Device Group Description.
  • Actions - Click the Edit hyperlink to modify the membership of the devices in a group.

From this page, you can select one of the following buttons at the top right of this window:

  • Click Refresh to update the list of device groups.
  • Click Delete to delete one or more selected device groups from the list.
  • Click Create to create a new device group. Enter a Group Name, select one or more devices, enter the description, and click Submit.

Alternatively, you can select one of the following options under the Actions column of the table:

  • Click the Edit hyperlink. From here, you can modify the membership of the devices in a group.

Default Credentials

The Default Credentials page allows you to specify the default device credentials Thunder Device Manager can use when discovering devices. These default credentials should be used to try accessing devices if no other credentials have been provided for the managed devices. From this page, you can add or delete the default credentials Thunder Device Manager will use when attempting to discover a device via HTTPS or CLI.

To access the Default Credentials page, navigate as follows:

  1. Select Devices >> Default Credentials.

    _images/default-credentials.png

From this page, you can select one of the following buttons along the upper right-most corner of the page:

  • Click Refresh to update the list of default device credentials.

  • Click Delete to delete one or more selected default device credentials from the list.

  • Click Create to open a Default Credentials window. In Credentials For, HTTPS and CLI are available.

  • Select HTTPS in Default Credential Window to enter a new set of default device credentials to be used to access the device via HTTPS.

  • Click Submit.

    _images/create-https.png

From this modal window, configure the options:

  • Username - Enter the default administrative username needed to access the managed device.
  • Password - Enter the default password for the administrative user needed to access the managed device.
  • Confirm Password - Confirm the default password for the administrative user needed to access the managed device.
  • Timeout - Enter the timeout period. This is the number of minutes the CLI session can be idle before it times out and is terminated.
  • Retries - Enter the number of attempts Thunder Device Manager can repeatedly attempt to establish a connection if the first try fails.

Or

  • Select CLI in the Default Credential Window to enter a new set of default device credentials to be used to access the device via CLI.

  • Click Submit.

    _images/create-cli.png

From this modal window, configure the options:

  • Username - Enter the default administrative username needed to access the managed device.
  • Password - Enter the default password for the administrative user needed to access the managed device.
  • Confirm Password - Confirm the default password for the administrative user needed to access the managed device.
  • Enable User Name - Enter the default administrative username needed to access Privileged EXEC level for the managed device. This level is also called the “enable” level because the enable command is used to gain access. Privileged EXEC level can be password secured.
  • Enable Password - Enter the default password associated with the administrative username needed to access Privileged EXEC level for the managed device.
  • Confirm Enable Password - Confirm the default password associated with the administrative username needed to access Privileged EXEC level for the managed device.
  • Timeout - Enter the timeout period. This is the number of minutes the CLI session can be idle before it times out and is terminated.
  • Retries - Enter the number of attempts Thunder Device Manager can repeatedly attempt to establish a connection if the first try fails.

Default device credentials can be edited by clicking Edit in the Action column for the default device credentials.

Device Upgrade

The Device Upgrade feature allows you to transfer software release images from a remote server onto the Thunder Device Manager using SCP, and then perform a device image upgrade by deploying a device upgrade job against a device.

  1. Select Devices >> Device Upgrade from the main menu.

    A table appears, which lists the upgrade images that have been copied to Thunder Device Manager. These files can be used to upgrade the devices managed by Thunder Device Manager. If the table is empty, you must upload upgrade images from a remote server. In this release, you can upload an image into Thunder Device Manager by specifying the SCP information for the server from which the ACOS image can be downloaded.

  2. If no images are displayed in the table, you can copy an image from a server by selecting Load Image at the upper right-most corner of the page.

A pop-up modal window appears, prompting you to enter information about the server from which the image will be transferred to the Thunder Device Manager.

Enter values in the following fields:

  • SCP File Name – enter the name of the image you want to upload.
  • SCP File Path – enter the image store path. This has to be the exact path starting from the server root.
  • SCP Host Name – enter the IP address for the server from which the image will be uploaded.
  • SCP User Name – enter the username for the server from which the image will be uploaded.
  • SCP Password – enter the authenticated password associated with the username for the server from which the image will be uploaded. For protection purposes, this field is not displayed in plain text.
  • Description – enter a description for the image.
  3. After entering the image information, click Submit.
  4. Thunder Device Manager will attempt to access the image on the remote server using the information you provided.
    • If successful, a confirmation message appears at the top of the screen and the image is added to the table.
    • If unsuccessful, an error message appears at the top of the screen, and the image is not added to the table.

Description of columns in the Device Upgrade page:

  • File Name - Displays the name of the image file.

  • Created - Displays the date and time that the image file was created.

  • Description - Displays the description information entered when the image file was copied to Thunder Device Manager.

  • Size - Displays the size of the image file.

  • Actions - Displays the available actions that can be performed with the image file:

    • Edit – click the edit button to edit the information associated with this image.
    • Upgrade – To upgrade one or more of the managed devices using this image, click the upgrade link. A pop-up window appears, containing device upgrade information. Select the target device that you wish to upgrade from the drop-down menu.

Upgrading Your Devices

Once you have loaded upgrade images onto your Thunder Device Manager, you can push the upgrade images out to your managed devices.

  1. Click on the Upgrade link in the Actions column of the desired upgrade image. The Device Upgrade window will appear.
  2. Select the device or configured device group you wish to upgrade from the corresponding fields.
  3. Select your schedule type. You can choose to upgrade your device immediately or at a later date. If you wish to schedule the upgrade for a later date, select the Schedule option; the Start Datetime field will appear so that you can select the upgrade date from the drop-down calendar. You will also need to enter a specific time on your selected date for when the upgrade will take place.
  4. Select where the upgrade image will be stored using the Primary/Secondary radio buttons.
  5. Select whether to save the configuration prior to the upgrade.
  6. Indicate whether you wish to reboot your selected device/device group after the upgrade is successful.
  7. If you wish to add a description of the upgrade you can do so in the corresponding field.
  8. Click Submit. Click Confirm if the task is configured correctly.

Note: For device upgrade and backup configuration to work in Thunder Device Manager, you need to set the password authentication to Yes in Harmony Controller host’s /etc/ssh/sshd_config and restart the sshd service.
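After making the sshd_config change in the note above, it is worth confirming which value sshd will actually use, because sshd takes the first value it finds for a keyword and a later line is ignored. The following is an added example, not A10 code: it assumes the setting the note refers to is the OpenSSH keyword PasswordAuthentication, and the configuration text and function name are constructed.

```python
"""Report which PasswordAuthentication value sshd would actually use.

sshd takes the first value it finds for a keyword, so a later line is
ignored; lines after a Match apply only to connections that match.
"""

# Constructed sshd_config contents (not taken from a Harmony Controller host).
CONSTRUCTED_SSHD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PasswordAuthentication no
#PasswordAuthentication yes
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""


def effective_setting(config_text, keyword="PasswordAuthentication", default="yes"):
    """Resolve `keyword` the way sshd reads one file, top to bottom.

    `default` is the upstream OpenSSH default for PasswordAuthentication.
    Included files are not opened here; Include lines that come before the
    first global value are returned so they can be checked by hand.
    """
    keyword = keyword.lower()
    result = {"global": None, "line": None, "ignored_lines": [],
              "match_blocks": [], "includes_to_check": []}
    in_match = None  # criteria of the Match block being read, if any
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        argument = parts[1].strip() if len(parts) > 1 else ""
        if name == "match":
            in_match = argument
        elif name == "include":
            # An earlier Include can set the keyword before this file does.
            if in_match is None and result["global"] is None:
                result["includes_to_check"].append(argument)
        elif name == keyword:
            value = argument.split()[0].lower() if argument else ""
            if in_match is not None:
                result["match_blocks"].append((in_match, value))
            elif result["global"] is None:
                result["global"], result["line"] = value, number
            else:
                result["ignored_lines"].append(number)  # shadowed by the first value
    if result["global"] is None:
        result["global"] = default
    return result


if __name__ == "__main__":
    print(effective_setting(CONSTRUCTED_SSHD_CONFIG))
```

In the constructed file, the `yes` appended on line 5 has no effect because line 3 already set `no`. On the host itself, `sshd -T` prints the configuration sshd resolved, including any included files.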

Reports

The Reports feature consists of two tabs, Report Scheduler and Reports.

Reports Tab

The Reports page allows you to view existing inventory reports through the Reports tab. By clicking on Report on the Device List page, an inventory report can be created. The following buttons appear on this page:

Refresh - Refreshes the current listing.

Delete - Delete one or more reports that have been selected, using check boxes in the Reports page.

Email - Email a report to the email address(es).

Note: Select the report(s) to email prior to clicking on Email.

Available Reports:

  • Name - The filename of the report is displayed.
  • Type - The report type information is displayed.
  • Creation Time - The date and time the report was created is displayed.
  • Description - The description provided during report creation appears here.
  • Actions - Allows you to email or download an existing report.
    • Email - Email an existing report
    • Download - Download an existing report

Report Scheduler Tab

The Report Scheduler page allows you to view existing report schedule information and to create report schedules or a single report.

The following buttons appear on this page:

  • Refresh - Refreshes the current listing.
  • Unschedule - Delete one or more schedules that have been selected, using check boxes in the Report Scheduler page. This only works for active schedules.
  • Create - Create a schedule for report generation, or create a report.

Steps to Create a Report or Report Schedule

  1. Click the Create button at the upper right.
  2. From the Type drop-down list, select the type of report you wish to create.
    • Inventory Report
  3. For the Schedule Type options, select Immediate or Schedule.
  4. If Schedule is selected, enter the Start Datetime in the following format: mm/dd/yyyy HH:MM AM/PM.
  5. Select a schedule option from the Schedule Option drop-down list.
  6. The PDF and CSV check boxes indicate the file format of the report. Select a check box to generate a report of your format preference.
  7. In the Email field, enter the email addresses to which the reports should be sent. Use a comma to separate email addresses.
  8. In the Description field, enter a description of the report being generated.
  9. Click OK.

Report Scheduler:

  • Status - Displays if a schedule is still active or finished.

  • Schedule Name - Displays the name of the schedule.

  • Report Type - Displays the report generation type.

  • Creation Time - The date and time the report or schedule generation occurred is displayed.

  • Description - The description provided during report creation appears here.

  • Start Time - Displays the time when the first report generation will occur from a configured schedule.

  • Next Run Time - Displays the time when the next report generation will occur from a configured schedule.

  • Actions - Allows you to email or download an existing report.

    • Edit - Modify an existing active report schedule.
    • Reports - Move to the Reports page.

Settings

The Settings option offers the following features:

  • Connection
  • Device Rescan
  • Health Monitor
Connection

Connection allows you to enter the basic parameters that will define the sessions when Thunder Device Manager is attempting to discover managed devices. You can modify the properties for CLI, SNMP, or HTTPS sessions, and you can indicate which protocol port should be used, the duration of the idle timeout value, and the number of retry attempts.

  1. Select Devices >> Settings from the main menu.

  2. Select the Connection tab.

  3. To modify the Connection properties for the CLI, do as follows:

    1. Enter the port number Thunder Device Manager should use when attempting to establish a CLI session with a managed device. For example, to use SSH enter port 22.
    2. Type the value in the field to specify the idle Timeout period for the CLI session.
    3. Type the value in the field to specify the Retry Attempts for the CLI session. This specifies how many times Thunder Device Manager should attempt to establish a CLI session with a managed device before giving up.
    4. Click Save to store your changes.
  4. To modify the Discovery properties for SNMP, do as follows:
    1. Enter the port number Thunder Device Manager should use when attempting to use SNMP to communicate with a managed device. For example, to use the standard SNMP port, enter a value of 161.
    2. Type the value in the field to specify the idle Timeout period for the SNMP session.
    3. Type the value in the field to specify the number of Retry Attempts. This specifies how many times Thunder Device Manager should attempt to establish an SNMP session with a managed device before giving up.
    4. Click Save to store your changes.
  5. To modify the Discovery properties for HTTPS, do as follows:
    1. Enter the port number Thunder Device Manager should use when attempting to use HTTPS to communicate with a managed device. For example, to use the standard HTTPS port, enter a value of 443.
    2. Type the value in the field to specify the idle Timeout period for the HTTPS session.
    3. Type the value in the field to specify the number of Retry Attempts. This is the number of times Thunder Device Manager should attempt to establish an HTTPS session with a managed device before giving up.
    4. Click Save to store your changes.
Device Rescan

The Device Rescan page allows you to set up periodic rescans from Thunder Device Manager. When a device rescan job has been created, the job can be viewed from the Scheduler (System >> Scheduler), and past jobs can be viewed from the Job Execution Log.

  1. Navigate to Devices >> Settings and click on the Device Rescan tab.
  2. In the Start Datetime field, enter the scheduled time for the device rescan in the following format: mm/dd/yyyy hh:mm AM/PM
  3. In the Schedule Option drop-down list, select a time interval.
  4. In the Description field, enter any information you wish to include regarding this action.
  5. Click Save to finish.
Health Monitor

The Health Monitors page allows you to configure basic Thunder Device Manager health monitors, which Thunder Device Manager uses to poll for devices under its management. In the current release, the following health monitors are supported:

  • PING
  • HTTPS
  1. Select Devices >> Settings >> Health Monitor.

  2. To modify the properties for the PING health monitor, do as follows:

    1. In the Retry Attempts field, enter the number of times Thunder Device Manager should attempt to PING a managed device before determining that the device has failed the health check. The up and down arrows may be used to increase or decrease the value in this field by 1.
    2. In the Timeout (In seconds) field, enter the number of seconds Thunder Device Manager should wait after sending a PING to a managed device before determining that the device has failed the health check. The up and down arrows may be used to increase or decrease the value in this field by 1.
    3. Click Save to store your changes.
  3. To modify the properties for the HTTPS health monitor, do as follows:
    • Although HTTPS health checks are supported, their properties (such as Retry Attempts and Timeout value) cannot be modified in the current release.
  4. (Optional) You can modify the Interval, which is the period at which the health monitor will repeat the check. By default, the interval is set to 30 seconds.
  5. Click Save to store your changes.
Statistics Display

The Statistics Display page allows you to set up an automatic refresh for the index table and statistics that are displayed in the Thunder Device Manager GUI.

If desired, you can change the automatic refresh rate of index tables and stats by doing the following:

  1. Navigate to Devices >> Settings and click on the Statistics Display tab.

  2. To configure the Index Table automatic refresh rate interval, enter the interval rate in the Index Table field. The range is 5-30 seconds.

  3. To configure the Statistics automatic refresh rate interval, enter the interval rate in the Stats field. The range is 5-30 seconds.

  4. Click Save to save any changes.

Configurations

Config Backups

This section covers the process of creating a backup configuration file for a managed device, viewing previously saved backup config files, modifying the contents of a backup config file, restoring a Thunder Device Manager-managed device using a previously saved backup config file, or deleting all configurations.

Note: The backup and restore process applies to startup configurations, not running configurations.

Creating a Backup Configuration File for a Managed Device

You can create a backup configuration for your Thunder Device Manager-managed devices. The configuration file for the device can be saved on the Thunder Device Manager or on a remote server, and from there, it can be modified locally on Thunder Device Manager or pushed to other devices. To create a backup configuration file:

  1. Access the backup function from the Thunder Device Manager GUI by navigating to Configurations >> Config Backups.

Note: A similar function also exists from Devices >> Device List.

  2. Click the Backup Config button at the upper, right-most corner.

  3. After clicking the Backup Config button, the Device Configuration Backup page appears.

  4. From the Device Configuration Backup window, after selecting the devices and/or device groups, you can continue with the device configuration backup by filling out the rest of the fields.

  5. When finished configuring the options in the Device Configuration Backup page, click Submit to send the device configuration backup request.

If the backup is set to occur immediately, a confirmation message will appear, indicating whether the backup was successful.

Remote Restore

If you wish to remotely restore a configuration onto a device, perform the following steps:

  1. Click the Remote Restore button to display the Remote Restore Configuration window.
  2. To remotely restore a configuration, configure the following options:
  • Device - Select the device from the drop-down list.
  • Schedule Type - Select whether you want to perform an immediate remote restore backup, or schedule a remote restore backup at a recurring time.

If you select Schedule, the following additional fields are displayed:

  • Start Datetime
  • Schedule Option

The following fields are displayed for both immediate remote restore backup and schedule a remote restore backup:

  • Description
  • Restore Methods
  • Start Datetime - If scheduling the remote restore backup for a future time, then enter the desired time in the field to specify the date and time when the remote restore backup should begin. Enter the date/time in the following format:
    mm/dd/yyyy hh:mm AM/PM
  • Schedule Option - Click the drop-down menu and select the interval at which the remote restore backup configuration snapshots will be taken. Options are:
    • One Time – The remote restore will be done at the time entered in the ‘Start Datetime’ field.
  • Description - Text description for the remote restore job.
  • Restore Methods - Select from the available methods: scp, ftp or tftp. Enter the following information:
    • Username – User name on the remote server. (Appears for scp and ftp)
    • Password – Password for the account used to access the remote server. (Appears for scp and ftp)
    • Host – IP address where the remote server is running.
    • File Path – File path on the remote server where the backup file is located.
  3. Click Submit.
Deleting all Configurations

If you wish to delete all configurations, click on the “v” check box to expand and then click on “Delete all Configurations”.

Viewing Saved Configuration Backup Files

When you have finished saving backup configuration files for one or more managed devices, you can view the inventory of backup files from the Configuration Backups page.

To view the previously saved Backup Configuration files, navigate as follows:

  1. Select Configurations >> Config Backups.

    _images/config-backups.png

Description of the columns in the Configuration Backups:

  • Backup ID - Displays the auto-generated name of the backup config file. This identifier is a combination of the device model number and the timestamp associated with the backup config file.

  • Device - Displays the host name of the managed device.

  • Source IP - Displays the IP address of the managed device.

  • Description - Displays the description information entered when the image file was copied to Thunder Device Manager.

    Note: A default configuration backup file is automatically created when a managed device is first discovered by Thunder Device Manager. The Description field for this default file is, “Auto Config Backup”. An example appears in the figure above.

  • Created Time - Displays the date and time that the backup config file is created.

  • Actions - Displays the available actions that can be performed with the backup config file:

    • Contents – Click the Contents link to modify the contents of a backup config file.
    • Restore – Click the Restore link to restore a managed device using a saved config file.
Restoring a Device from a Backup Configuration File

You can use a previously-saved backup configuration file to restore a Thunder Device Manager-managed device to a previous state. This may be helpful if, for example, you need to roll back recent changes to a configuration file.

To restore a managed device using a previously-saved backup configuration file, navigate to the Thunder Device Manager GUI’s Configuration Backup page as follows:

  1. Select Configurations >> Config Backups.

    The inventory of backup configuration files appears in the Config Backups table.

  2. Click the Restore link in the far-right Actions column, for the config file you wish to use to restore the managed device.

  3. The devices field list is populated with the IP of the managed device for which you selected the Restore hyperlink.

  4. For the Schedule Type, select the Immediate radio button.

  5. Enter a description in the Description field.

  6. When finished configuring the options in the Restore Configuration window, click Submit to send the device restore request.

Navigate to System >> Job Execution Results to see if the restore operation has succeeded or failed. If it has succeeded, an ACOS device reboot without saving the configuration is needed to allow the restored configuration to take effect.

Additional Notes about the Configuration Backups table:

  • The most recent Backup Config files appear near the top of the Backups table.
  • Instead of creating a configuration backup from the Device List page, you can also create a configuration backup file from this page by clicking Backup Config at the upper, right-most corner of the page. A pop-up modal window appears, but you must choose the devices or device group you want to back up from the list of currently-available devices.

Device Configs

The Device Configs page has an inventory of the most recent backup configuration files. From this page, you can edit portions of a backup configuration file, then save it locally to Thunder Device Manager, and push it to a managed device.

Note: To see all available configuration backup files of a specific device, navigate to Configurations >> Config Backups, and click Contents for that device.

To edit portions or snippets of a backup configuration file, navigate as follows:

  1. Select Configurations >> Config Backups.

  2. Click the Contents hyperlink under the Actions column.


Columns in Configuration Backups Contents:

  • Name - Displays the name of this portion of the config file.

  • Partition - Displays the partition (shared or private) of this portion of the config file.

  • Size - Displays the size (in bytes) of this portion of the config file.

  • Actions - The Action column displays the available actions that can be performed with this portion of the config file.

    • Save As – Click the Save As link to modify this portion of the configuration backup file.
  3. Select one of the tabs under the menu bar to specify which portion of the config file to work on, for example: CLI Configs, aFleX Scripts, or Class-Lists.
    • To view a non-editable version of the “chunk” of the config file, click the hyperlinked name of the config file from the Name column of the table.

    • To view an editable version of the “chunk” of the config file, click the Save As link from the Actions column of the table.

    _images/CLI-config-startup.png

NOTE: When naming a file to be saved as a Local Config, do not enter special characters (such as ‘?’, ‘#’, ‘*’, and so on) in the File Name, as this can cause issues when attempting to push the file to other devices.

  4. (Optional) You can enter a modified name for the config portion in the File Name field.
  5. Edit the configuration that appears in the Content area.
  6. Click Save.

The modified section of the config file (such as the CLI sample shown above), is saved locally on the Thunder Device Manager.

To delete a device configuration file, navigate as follows:

  1. Select Configurations >> Device Configs.
  2. Select the aFleX Scripts, WAF Policies (ADC only), BW-Lists (ADC only) or Class-Lists tab and click Delete.

Local Configs

The Local Configs page has an inventory of the chunks or portions of the backup config files that you modified. These are saved locally on the Thunder Device Manager, and from this Local Configs page, you can push the chunks or snippets of the configuration file (that you just modified) to other managed devices.

Description of columns in Local Configs:

  • Name - Name of the system file.
  • Last Modified Time - Shows the date and time when the file was last modified.
  • Type - For Class-Lists, indicates the class list type: IPv4, IPv6, Aho-Corasick, DNS, String, String Caseinsensitive.
  • Actions:
    • Edit - Allows you to edit the content of the selected configuration file.
    • Push - Allows you to push the configuration to a managed device or device group.

To push portions or snippets of a backup configuration file, navigate as follows:

  1. Select Configurations >> Local Configs.

  2. (Optional) From the Local Configs page, you can further edit portions of the config file by clicking the Edit link under the Actions column. (For information about editing a CLI Config Snippet, or another portion of a config file.)

  3. When you are finished modifying the portion of the configuration backup file, you can push that portion of the config to another device by clicking the Push link, which appears in the right-most Actions column.

Note: The Push action for CLI Config Snippets applies when you wish to put a running configuration onto a device or device group.

CAUTION: When pushing a CLI config snippet, make sure your CLI snippet is not device specific! Some commands cannot be pushed as CLI config snippets. Refer to the “known issues” section of the Release Notes for a list of restricted CLI commands.

  4. Select one or more devices to choose where the CLI snippet (or other portion of the config file) will get pushed.
  5. Select one or more device groups from the Device Groups section of the page to choose the group(s) to push the CLI snippet.
  6. Click the Partitions drop-down menu and select Shared or the name of the private partition. This selection will determine where on the target device (i.e. which partition) the configuration snippet will be pushed. Note that the configuration snippet will be pushed to this same partition across all of the selected target devices (if multiple devices are selected).
  7. Configure the Schedule Type by selecting Immediate, if not already selected.
  8. Configure the Interval, and any other mandatory options in the Push Configuration window.
  9. When finished configuring the Push Device Configuration window, click Submit.

The process of pushing other portions of the config file (e.g., an aFleX script or Class-List) to managed devices is virtually the same as the procedure shown above. The difference is in how the target device is changed: a pushed CLI configuration snippet is merged with the running config on the target device, whereas a pushed aFleX script or Class-List is sent as a whole file and overwrites any existing file on the target device.

Creating a Configuration

Perform the following steps based on the configuration you wish to create:

  • CLI Config Snippet, aFleX Script, WAF Policies, BW-Lists, Class-Lists
  • Enter the name in the Name field.
  • Enter the Content in the Content field.
  • Click Submit.

SSL Management Local Config

The SSL Management Local Config page has an inventory of the SSL files that you have saved locally on Thunder Device Manager. From this page, you can push the files to other managed devices.

Description of columns in Local Configs:

  • Name - Name of the system file.

  • Last Modified Time - Shows the date and time when the file was last modified.

  • Expiration Date - Indicates the expiration date of the certificate or key.

  • Type - For SSL certs, indicates if certificate or key is selected.

  • Actions:
    • Edit - Allows you to edit the content of the selected SSL file.
    • Push - Allows you to push the file to a managed device or device group.
Editing an SSL file

From the Local Config tab, click the Edit link under the Actions column for the file you wish to edit.

Pushing an SSL file

From the Local Config tab, click the Push link under the Actions column for the file you wish to push.

  1. Select one or more devices to determine where the file will get pushed.
  2. Select the group from the Device Groups section of the page.
  3. Configure the Schedule Type by selecting Immediate, if not already selected.
  4. Configure the Interval, and any other mandatory options in the Push Configuration window.
  5. When finished configuring the Push Device Configuration window, click Submit.
Creating an SSL Cert
  1. Click on the SSL Cert type: Certificate, Key
  2. Enter the name in the Name field.
  3. Enter the Content in the Content field.
  4. Click Submit.
Import an SSL Cert
  1. Click on the SSL Cert type: Certificate, Key, CA-Certificate, CSR, CRL.
  2. Enter the name in the Name field.
  3. In File Upload, click Choose File and select the file to import.
  4. Click Submit.

SSL Management Device Config

The SSL Management Device Config page has an inventory of the most recent SSL files. From this page, you can edit an SSL file, then save it locally to Thunder Device Manager.

To edit an SSL file, navigate as follows:

  1. Select Configurations >> SSL Management >> Device SSL Certs.

  2. Click the Save As hyperlink under the Actions column, at far-right.

  3. Click Save.


To delete a device’s SSL certificate, key, or CRL file, navigate as follows:

  1. Select Configurations >> SSL Management.
  2. Click on the Device SSL Certs tab.

From here, select the checkbox next to the SSL related file you wish to delete from a device and click on Delete.

Columns in Configuration Backups Contents:

  • Name - Displays the name of this file.
  • Device - Displays the name of the device.
  • Partition - Displays the partition (shared or private) where the file is located.
  • Expiration Date - Displays the expiration date of an SSL certificate.
  • Size - Displays the size (in bytes) of this file.
  • Actions - The Action column displays the available actions that can be performed with this portion of the config file.
    • Save As – Click the Save As link to modify an SSL file.

System

Events

The Events page enables you to view activities that have transpired on the Thunder Device Manager as it operates. Each tracked activity includes the time, type, severity level of the specific action, and managed device involved. Most tracked events will be device management activities in addition to external device SNMP traps.

To access the Thunder Device Manager Events page, navigate as follows:

  1. Select System >> Events.
  • The “Unacknowledged Events” list is displayed by default. However, you can toggle back and forth between the “Unacknowledged Events” and “Acknowledged Events” pages by clicking the appropriate Events tab.
  • You can use filters to reduce this list of events such that only events containing a particular word or phrase are displayed. To do so, simply enter a string in the Search field at upper left and then click the drop-down menu and specify which field should be searched. Choices include the following:
    • Type
    • Device IP
    • Description

Action buttons appear across the right-most side of the Unacknowledged Events page:

  • Refresh – Refreshes the current events page by retrieving a list of events from the database.
  • Acknowledge/Unacknowledge – You can acknowledge an event so that it is moved to the “Acknowledged Events” to indicate that the event has been looked at, or “acknowledged.” An acknowledged event can similarly be “unacknowledged” to move it back to the “Unacknowledged Events” if you wish to flag it for later review. Click on the v icon next to Acknowledge, and click on Acknowledge All Events to acknowledge all events.

Description of the Column Headings in the Events page:

  • Created Time - Indicates the date and time when the event was created.

  • Type - Indicates the type of the event. This is an internal definition.

  • Severity - Indicates the severity of the event. This can include:

    • Critical – An event that threatens to take down numerous network devices. Requires immediate action.
    • Major – An event that has taken down at least one network device. Requires action.
    • Minor – An event associated with partial failure of a device. The device requires attention.
    • Warning – An event that may require action. Non-urgent.
    • Normal – An event that has occurred but does not warrant action. Used for information purposes only.
    • Cleared – An event which occurred but for which the underlying cause has been addressed.
    • Unknown – An event for which the severity level cannot be determined by Thunder Device Manager.
  • Source IP - Indicates the IP address of the internal or external machine that triggered the event.

  • Description - This is a free-form text field.

  • Event data - Hover over the View link to display a pop-up window containing additional details about an event. Click View to view in an expanded window.

Audit Logs

The Thunder Device Manager Audit Logs page displays actions that Thunder Device Manager has taken or noticed as it handles device management, providing information on the component involved, the severity of the action, and the user. For example, this page displays information on user logins and logouts, modifications to configurations, and actions such as deleting a backup device configuration.

Note that this page displays logs associated with events on the Thunder Device Manager, and this page does not display logs associated with the managed devices (to learn about logs associated with the managed devices.

To access the Thunder Device Manager Logs page, navigate as follows:

  1. Select System >> Audit Logs.

  2. Click the Component drop-down menu and select an item to filter.

  3. Click the Severity drop-down menu to filter which logs are displayed based on the severity of the associated event. Severity levels are standard for SYSLOG and include the following:

    • All Severity
    • DEBUG
    • INFO
    • NOTICE
    • WARNING
    • ERROR
    • CRITICAL
    • ALERT
    • EMERGENCY
  4. You can further filter the logs displayed by entering a date and time in the Start Time and End Time fields.

  5. Click the Search button to run the search and filter down the list, or click Reset Filters to start again.

Alerts

The Alerts page displays issues of high severity. Administrators can configure which alerts are shown, based on type and severity, through the Configure Alerts feature.

To access the Alerts page, navigate as follows:

  1. Select System >> Alerts.
  2. You can reduce the list of alerts displayed by entering a string in the Search field at upper left and/or use the additional drop-down menu for further filtering options.

Action buttons appear across the right-most side of this page:

  • Configure Alerts - Configure the notification severity of SNMP, syslog and internal Thunder Device Manager alerts.

    1. Click on Configure Alerts.

    2. Click on the SNMP check box to enable or disable SNMP alerts. Choose the severity of the alert from the drop-down menu.

    3. Click on the Syslog check box to enable or disable Syslog alerts. Choose the severity of the alert from the drop-down menu.

    4. Click on the Device Manager Internal check box to enable or disable Thunder Device Manager Internal alerts. Choose the severity of the alert from the drop-down menu.

    5. Click Submit.

NOTE: Alert severities greater than the one chosen from the drop-down menu will be shown as well. Severity from highest to lowest is as follows: EMERGENCY, ALERT, CRITICAL and ERROR. So if you select “ERROR”, then alerts would be displayed for ERROR, CRITICAL, ALERT and EMERGENCY.

  • Refresh – Refreshes the Alerts page by retrieving a list of alerts from the database.
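
The threshold rule in the NOTE above, as an added Python example (not A10 code and not part of the product): each alert source has an enable check box and a severity, and an event is shown when it is at least as severe as that setting. The source names, record layout and sample lines are constructed for illustration, and reading the severity from a syslog `<PRI>` field is standard syslog behavior assumed here, not something this guide documents for Thunder Device Manager.

```python
import re
from dataclasses import dataclass

# Syslog severity names, most severe first; list index = numeric code (RFC 5424).
SEVERITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
              "WARNING", "NOTICE", "INFO", "DEBUG"]
CODE = {name: code for code, name in enumerate(SEVERITIES)}

# The NOTE lists only these four levels as alert thresholds.
ALERT_THRESHOLDS = SEVERITIES[:4]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def severity_from_pri(line):
    """Decode the severity from a syslog line's leading <PRI> field.

    PRI = facility * 8 + severity, so severity = PRI % 8.
    Returns None when the field is missing or out of range (> 191).
    """
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:
        return None
    return SEVERITIES[pri % 8]


@dataclass
class SourceRule:
    """One row of the Configure Alerts dialog: check box plus severity."""
    enabled: bool
    threshold: str

    def __post_init__(self):
        if self.threshold not in ALERT_THRESHOLDS:
            raise ValueError(f"not an alert threshold: {self.threshold}")

    def shows(self, severity):
        # A lower numeric code means a more severe event.
        return self.enabled and CODE[severity] <= CODE[self.threshold]


def triage(rules, records):
    """Split records into (shown, unparsed).

    Each record is a dict with a "source" key and either a raw syslog
    line ("raw") or an already-classified "severity" (hypothetical layout).
    """
    shown, unparsed = [], []
    for rec in records:
        severity = rec.get("severity") or severity_from_pri(rec.get("raw", ""))
        if severity not in CODE:
            unparsed.append(rec)  # keep for review instead of dropping silently
            continue
        rule = rules.get(rec["source"])
        if rule is not None and rule.shows(severity):
            shown.append((rec["source"], severity))
    return shown, unparsed


# Constructed sample data (not taken from a real device or from the product).
SAMPLE_RULES = {
    "syslog": SourceRule(enabled=True, threshold="ERROR"),
    "snmp": SourceRule(enabled=True, threshold="CRITICAL"),
    "internal": SourceRule(enabled=False, threshold="ERROR"),
}
SAMPLE_RECORDS = [
    {"source": "syslog", "raw": "<11>Jan 12 10:00:01 adc-lab-1 link down on port 3"},
    {"source": "syslog", "raw": "<14>Jan 12 10:00:05 adc-lab-1 admin logged in"},
    {"source": "syslog", "raw": "<8>Jan 12 10:01:00 adc-lab-2 system halting"},
    {"source": "syslog", "raw": "Jan 12 10:02:00 adc-lab-2 line without PRI"},
    {"source": "snmp", "severity": "ERROR"},
    {"source": "snmp", "severity": "ALERT"},
    {"source": "internal", "severity": "CRITICAL"},
]

if __name__ == "__main__":
    shown, unparsed = triage(SAMPLE_RULES, SAMPLE_RECORDS)
    for source, severity in shown:
        print(f"shown: {source:8} {severity}")
    print(f"unparsed records: {len(unparsed)}")
```

Records whose severity cannot be determined are returned separately rather than discarded, so a malformed or truncated message does not vanish from review.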

Scheduler

The Scheduler page displays a list of all of the jobs that Thunder Device Manager has scheduled for its managed devices. For example, if you configured Thunder Device Manager to create a backup configuration for a particular ACOS device at a future time, then the task will appear in the schedule list.

From the Scheduler page, you can perform the following tasks:

  • Viewing scheduled tasks – For example, you can view details associated with scheduled tasks, such as the name of the task, when it is scheduled to run, and when the job was first created. In addition to displaying future tasks, the Schedule page also includes past tasks that have already been triggered.
  • Scheduling a task to be added to the scheduler – The Scheduler page appears anytime you begin a workflow to perform a task (such as creating a device configuration backup or performing a device upgrade) at a future time.
Viewing scheduled tasks

To access the Scheduler page and view the tasks that have been scheduled, navigate as follows:

  1. Select System >> Scheduler.

Note that this page just displays jobs you already scheduled elsewhere in the GUI, and you cannot initiate the process of scheduling a job or task from this window.

  2. (Optional) To remove a yet-to-be-fired job from the schedule, select the check box next to the job and then click the Unschedule button at the upper right corner of the page.

Column Headings in the Scheduler List:

  • Status - Indicates status of a scheduled job.
  • Name - Name of the scheduled task.
  • Created Time - Indicates the date and time when the scheduled task was originally created.
  • Executor - Process that scheduled the job.
  • Description - Optional user-configured description of scheduled job.
  • Details - Clicking and hovering over the View link will give you more details about the job, including the managed device ID and IP address.
  • Scheduled - Indicates the date and time when the task is scheduled to be fired.
  • Start Time - Indicates that the task is scheduled to run at a future time, but has not fired.
  • Next Run Time - Indicates the time and date that this task will run in the future.
Scheduling a Task
  1. Navigate to the relevant link for the task you would like to schedule.

  2. Configure the following options:

    • Schedule Type - Schedules a backup job to be taken immediately or at a later scheduled time and date.

      • Immediate - Schedules a backup job to be taken immediately.
      • Schedule - Schedules a backup job to be run in the future. The parameters for a Schedule type of backup are displayed.
    • Start Datetime - The starting date/time of the job.

    • Schedule Option - One Time, Every 6 Hours, Every 12 Hours, Daily, Weekly, Bi-weekly, or Monthly.

    • Description - A free-form textual description for the job.

    • Remote - If checked, allows user to specify an external destination for the backup job. Note that if this option is used, configuration backups will not be shown in Thunder Device Manager’s Device Configuration Backup listing.

Job Execution Results

The Job Execution Results page displays a listing of the job executions and their results.

A job is simply a common task performed by the Thunder Device Manager for one of its managed devices, such as creating a backup config file. The Job Execution Results page displays information about the status of that task, as well as whether it has completed, and whether or not it was successful.

Note that a job can be composed of multiple results. For example, if Thunder Device Manager is scheduled to perform a device backup job that includes two or more devices, the backup operation could succeed for one device while failing for the other.

To access the Job Execution Results page, navigate as follows:

  1. Select System >> Job Execution Results from the main menu.


Column Headings in the Job Execution Result list:

  • Name - Name of the scheduled job.
  • Created Time - Indicates the date and time when the job was originally created.
  • Trigger Time - Indicates the date and time when the job is scheduled to actually occur.
  • Results Summary - This column lists the total number of jobs scheduled in that selected log, and divides those jobs into Successes, Failures, Exceptions, and Pending executions.
  • Description - Free form text field that describes the job.
  • Task Executor - Specifies the page where the job was configured.

Click the “+” icon next to a Name of the job to expand it and show the following additional fields.

  • Data - Lists the administrator who set up the job, host IP, and encrypted password.

  • Finish Time - Indicates the date and time when the job was finished.

  • Result Status - Indicates the status of the job. A job result can be in one of the following states:

    • Job has started, but the results have not yet been recorded because the job has just started and is in progress.
    • Job has completed, with successful results (Result Status = 1).
    • Job has completed, with error results (Result Status = 2).
Tech Support

The Tech Support page allows you to quickly provide Tech Support with information to help assist with any issues that are encountered.

To compile log information that may assist in problem solving an issue, navigate as follows:

  1. Select System >> Tech Support from the main menu.

  2. Click on Create Download. A “Please Wait” message will momentarily appear.

  3. Click on Download Tech Support Archive in the Action column to download a tar file containing various log information that can be provided to technical support.
