Radware DefensePro VA, Installation And Maintenance Manual

Page 1: ...DefensePro VA INSTALLATION AND MAINTENANCE GUIDE Document ID RDWR DPVA_IG2005 May 2020...

Page 2: ...DefensePro VA Installation and Maintenance Guide 2 Document ID RDWR DPVA_IG2005...

Page 3: ...s guide or any part thereof without the prior written consent of Radware Notice importante Ce guide est sujet aux conditions et restrictions suivantes Les applications AppShape Script Files fournies p...

Page 4: ...uch enthaltenen Informationen sind Eigentum von Radware und m ssen streng vertraulich behandelt werden Es ist streng verboten dieses Handbuch oder Teile daraus ohne vorherige schriftliche Zustimmung v...

Page 5: ...h or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following...

Page 6: ...ogiciel d velopp par Dug Song Ce produit inclut un logiciel d velopp par Aaron Campbell Ce produit inclut un logiciel d velopp par Damien Miller Ce produit inclut un logiciel d velopp par Kevin Steves...

Page 7: ...lt einen vom OpenBSD Projekt entwickelten Code Copyright 1983 1990 1992 1993 1995 The Regents of the University of California Alle Rechte vorbehalten Die Verbreitung und Verwendung in Quell und bin re...

Page 8: ...ranted against defects in material and workmanship for a period of one year from date of shipment Radware software carries a standard warranty that provides bug fixes for up to 90 days after date of p...

Page 9: ...egen Material und Verarbeitungsfehler f r einen Zeitraum von einem Jahr ab Lieferdatum Radware Software verf gt ber eine Standard Garantie zur Fehlerbereinigung f r einen Zeitraum von bis zu 90 Tagen...

Page 10: ...EE COMME LIMITATIVE TOUS DOMMAGES DIRECTS INDIRECTS ACCIDENTELS SPECIAUX EXEMPLAIRES OU ACCESSOIRES INCLUANT MAIS SANS S Y RESTREINDRE LA FOURNITURE DE PRODUITS OU DE SERVICES DE REMPLACEMENT LA PERTE...

Page 11: ...1 Electrical Shock Hazard Label DUAL POWER SUPPLY SYSTEM SAFETY WARNING IN CHINESE The following figure is the warning for Radware platforms with dual power supplies Figure 2 Dual Power Supply System...

Page 12: ...nterference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruc...

Page 13: ...abel adjacent to the power inlet housing the fuse 6 Do not operate the device in a location where the maximum ambient temperature exceeds 40 C 104 F 7 Be sure to unplug the power supply cord from the...

Page 14: ...curit pour les syst mes dotes de deux sources d alimentation lectrique en chinois Traduction de la Avertissement de s curit pour les syst mes dotes de deux sources d alimentation lectrique en chinois...

Page 15: ...utilise et peut mettre des fr quences radio et s il n est pas install et utilis conform ment au manuel d instructions peut entra ner des interf rences nuisibles aux communications radio Le fonctionnem...

Page 16: ...d le similaire de m me puissance tel qu indiqu sur l tiquette de s curit adjacente l arriv e lectrique h bergeant le fusible 6 Ne faites pas fonctionner l appareil dans un endroit o la temp rature amb...

Page 17: ...pacit comme indiqu sur l tiquette de s curit proche de l entr e de l alimentation qui contient le fusible 5 NE PAS UTILISER l quipement dans des locaux dont la temp rature maximale d passe 40 degr s C...

Page 18: ...ICHERUNGEN Vergewissern Sie sich dass nur Sicherungen mit der erforderlichen Stromst rke und der angef hrten Art verwendet werden Die Verwendung reparierter Sicherungen sowie die Kurzschlie ung von Si...

Page 19: ...p ersetzt k nnte dies zu einer Explosion f hren Dies trifft zu f r manche Arten von Lithiumsbatterien zu und das folgende gilt es zu beachten Wird die Batterie in einem Bereich f r Bediener eingesetzt...

Page 20: ...tements are presented in English French and German Electromagnetic Interference Statements SPECIFICATION CHANGES Specifications are subject to change without notice Note This equipment has been tested...

Page 21: ...ke adequate measures D clarations sur les Interf rences lectromagn tiques MODIFICATIONS DES SP CIFICATIONS Les sp cifications sont sujettes changement sans notice pr alable Remarque Cet quipement a t...

Page 22: ...commission des communications de Cor e pour les equipements de radiodiffusion et communication Figure 13 D claration pour l quipement de classe A certifi KCC en langue cor enne Translation de la D cla...

Page 23: ...e Interferenzen auf eigene Kosten zu korrigieren ERKL RUNG DER VCCI ZU ELEKTROMAGNETISCHER INTERFERENZ Figure 15 Erkl rung zu VCCI zertifizierten Ger ten der Klasse A bersetzung von Erkl rung zu VCCI...

Page 24: ...u BSMI zertifizierten Ger ten der Klasse A Dies ist ein Class A Produkt bei Gebrauch in einer Wohnumgebung kann es zu Funkst rungen kommen in diesem Fall ist der Benutzer verpflichtet angemessene Ma n...

Page 25: ...n an Ger t Software oder Daten Note Additional information Informations compl mentaires Zus tzliche Informationen To A statement and instructions R f rences et instructions Eine Erkl rung und Anweisun...

Page 26: ...DefensePro VA Installation and Maintenance Guide 26 Document ID RDWR DPVA_IG2005...

Page 27: ...lation and Configuration 32 Prerequisites 32 DefensePro VA for KVM Deployment 32 Optimizing the VM for Best DefensePro VA Performance 37 Configuring DefensePro VA for KVM 37 DefensePro VA for VMware I...

Page 28: ...ation Files 69 Upgrading DefensePro VA 69 Downloading the Software Image File 70 CHAPTER 4 DEFENSEPRO VA RECOVERY AND LICENSE MIGRATION PROCEDURE 71 Recovery and License Migration Procedure over a KVM...

Page 29: ...tualization concepts and the process of network appliance installations How This Book Is Organized This book contains the following chapters and appendixes DefensePro VA Installation and Configuration...

Page 30: ...DefensePro VA Installation and Maintenance Guide Preface 30 Document ID RDWR DPVA_IG2005...

Page 31: ...tion and Configuration page 32 DefensePro VA for VMware Installation and Configuration for Passthrough Mode page 38 DefensePro VA for VMware Installation and Configuration for VirtIO Mode page 53 Obta...

Page 32: ...ePro VA for KVM Deployment page 32 Optimizing the VM for Best DefensePro VA Performance page 37 Configuring DefensePro VA for KVM page 37 Prerequisites DefensePro VA supports PCI passthrough mode only...

Page 33: ...ownload and extract the installation file for example DefensePro_VA_8_17_00 tgz into a local directory on the host where the hypervisor is located 2 Locate the folder to where the installation file wa...

Page 34: ..._IG2005 6 Select the directory to where DefensePro VA is to be installed default var lib libvirt images 7 Set the name or accept the default name of DefensePro VA 8 From the list shown select two prev...

Page 35: ...GbE or Intel Ethernet Controller XL710 40 GbE For the best performance if the vCPU fits into a single NUMA if the number of vCPUs are less than or equal to the number of cores in a single NUMA Radware...

Page 36: ...Note When DefensePro VA for KVM is installed through a libvirt virsh deployment a virtual serial line or virsh console to the serial line is used instead of the usual TTY Therefore you should switch t...

Page 37: ...itecture Radware recommends assigning all DefensePro VA vCPUs to cores hyperthreads on the same NUMA node You should also be aware of the of PCI slots to NUMA nodes mapping on such a host machine Use...

Page 38: ...age page 44 Configuring the DefensePro VA VM Settings page 48 Core Pinning page 52 Prerequisites For passthrough mode you should first associate the physical ports of the host server PCI addresses wit...

Page 39: ...intenance Guide DefensePro VA Installation and Configuration Document ID RDWR DPVA_IG2005 39 3 Select Virtual Machine and click Next 4 Select Create a vSphere standard switch and select one of the ava...

Page 40: ...DefensePro VA Installation and Maintenance Guide DefensePro VA Installation and Configuration 40 Document ID RDWR DPVA_IG2005 5 Add Network Label Name and click Next 6 Click Finish...

Page 41: ...dge on the vSwitch 7 Repeat the process to create a second bridge For the second bridge used internally by DefensePro VA create a vSphere switch step 4 without selecting a connection Selecting Network...

Page 42: ...R DPVA_IG2005 To set the NICs for passthrough 1 Open the vSphere client and select the node of the host machine 2 In the Configuration tab select Hardware Advanced Settings A list of all the available...

Page 43: ...r VMs and to prevent the hypervisor from moving them Memory over subscription is discouraged In a hyperthreaded environment it is best to configure an even number of DefensePro engines and allocate wh...

Page 44: ...the DefensePro VA OVA Package To deploy the DefensePro VA OVA 1 Log into the VMware vSphere client 2 Deploy the OVA package by selecting File Deploy OVF Template The Deployment OVF Template wizard di...

Page 45: ...nstallation and Maintenance Guide DefensePro VA Installation and Configuration Document ID RDWR DPVA_IG2005 45 4 In the End User Agreement dialog box click Accept to accept the end user license agreem...

Page 46: ...ment ID RDWR DPVA_IG2005 5 In the Name and Location dialog box provide a name and location for the deployed template The name can contain up to 80 characters and must be unique within the inventory fo...

Page 47: ...d and then click Finish Note Ensure that the option Power on after deployment is not selected Configuring the Network Adapters 1 From the Home Inventory drop down menu select Templates and VMs 2 In th...

Page 48: ...u have to resize the VM by setting the vCPUs disk and RAM size enable huge page assign the PCI passthrough NICs for data ports and add a serial connection for console To configure the VM settings 1 Ac...

Page 49: ...guration Document ID RDWR DPVA_IG2005 49 4 Press OK Assign the PCI passthrough NIC designated in the prerequisites stage to the DefensePro VA VM 5 From the navigation tree right click on the Virtual M...

Page 50: ...ation and Maintenance Guide DefensePro VA Installation and Configuration 50 Document ID RDWR DPVA_IG2005 8 Click Next and Finish Do this for the two interface ports 9 Select the PCI NIC to attach to t...

Page 51: ...llation and Maintenance Guide DefensePro VA Installation and Configuration Document ID RDWR DPVA_IG2005 51 10 Click Finish 11 Repeat steps 1 through 5 to attach all the NICs to the VM The VM settings...

Page 52: ...Telnet port 20XX for example setup 29 will be 2029 Core Pinning In order to optimize performance it is suggested to set core pinning in VMware To set core pinning 1 In the virtual machine go to the R...

Page 53: ...m Nodes and select 1 Core pining is now configured DefensePro VA for VMware Installation and Configuration for VirtIO Mode This procedure details the steps and prerequisite procedures required for ins...

Page 54: ...are infrastructure including A VMware ESX server versions 5 5 6 0 An installed vSphere client The DefensePro VA OVA package For console support VMware requires an Enterprise license Creating a vSwitch...

Page 55: ...intenance Guide DefensePro VA Installation and Configuration Document ID RDWR DPVA_IG2005 55 4 Select Create a vSphere standard switch and select one of the available connections and click Next 5 Add...

Page 56: ...ePro VA Installation and Maintenance Guide DefensePro VA Installation and Configuration 56 Document ID RDWR DPVA_IG2005 6 Click Finish This creates a vSwitch 7 Repeat the process to create a second vS...

Page 57: ...re switch step 4 without selecting a connection Note Make sure you set both data vSwitches to Promiscuous Mode Accept as shown below Deploying the DefensePro VA OVA Package DefensePro VA for ESXi OS c...

Page 58: ...5 3 In the Deploy OVF Template dialog box for Deploy from a file click Browse to select the DefensePro VA OVA file and click Next 4 In the Name and Location dialog box provide a name and location for...

Page 59: ...ment ID RDWR DPVA_IG2005 59 5 In the Host Cluster screen select a server to add the DefensePro VM to 6 Click Next until you get to the Network Mapping screen Two interfaces are shown one is for manage...

Page 60: ...fensePro VA from the list and then select Edit Settings Note If no virtual machines are displayed verify that Show VMs in Inventory is selected in the Vsphere client View menu option 3 Assign each net...

Page 61: ...t ID RDWR DPVA_IG2005 61 To configure the VM settings 1 Access the vSphere client 2 Right click on the DefensePro VA VM and select Edit Settings 3 Enter the number of virtual sockets as 1 and the numb...

Page 62: ...tenance Guide DefensePro VA Installation and Configuration 62 Document ID RDWR DPVA_IG2005 5 Select the relevant data vSwitch for the setup Do this step twice once for the client and once for the serv...

Page 63: ...igure an even number of DefensePro engines and allocate whole physical cores both hyperthreads on each physical core for DefensePro VA and not mix them with other VMs On a host with multiple CPUs usin...

Page 64: ...DefensePro VA Installation and Maintenance Guide DefensePro VA Installation and Configuration 64 Document ID RDWR DPVA_IG2005 e Select Advanced Memory f Select Use Memory from Nodes and select 1...

Page 65: ...Configuration Document ID RDWR DPVA_IG2005 65 6 At the end of the process the VM settings should look as follows 7 Power on the Virtual machine 8 Log in to the VM console Connect to the servers IP for...

Page 66: ...hroughput and 2 vCPUs After 60 days traffic will be bypassed and you are required to purchase permanent DefensePro VA throughput and vCPU licenses DefensePro VA throughput license options include 200M...

Page 67: ...new license 1 In the Radware portal in the Software License Generator screen https portals radware com Customer Home Tools LicenseGeneratorSW enter the MAC or IP address your name and product select...

Page 68: ...DefensePro VA Installation and Maintenance Guide DefensePro VA Installation and Configuration 68 Document ID RDWR DPVA_IG2005...

Page 69: ...Managing Configuration Files To ensure off device configuration backup you should always save existing configurations of each DefensePro VA instance You can save the configuration file using APSolute...

Page 70: ...hardware appliance For more information see the DefensePro Installation and Maintenance Guide An upgrade password is required when you upgrade to a major version For example an upgrade from version 8...

Page 71: ...e is started before the Linux UDEV sub system recognizes the new MAC addresses and creates a new rule file if you later change the MAC addresses and start the system again the UDEV will add the new MA...

Page 72: ...nt ID RDWR DPVA_IG2005 3 Enter the command virsh edit domain_name to open the KVM domain VM XML definition file 4 Find the MAC address in the XML definition file as shown in the example below and manu...

Page 73: ...ro VA Installation and Maintenance Guide DefensePro VA Recovery and License Migration Procedure Document ID RDWR DPVA_IG2005 73 5 Re install the original licenses by running the command oper swkey lic...

Page 74: ...DefensePro VA Installation and Maintenance Guide DefensePro VA Recovery and License Migration Procedure 74 Document ID RDWR DPVA_IG2005...

Page 75: ...ge 77 Validating the PCI Slots 1 When you insert the PCI NICs into the host server write down the slot number 2 For performance optimization when more than one NIC is used Radware recommends that you...

Page 76: ...ates a file PCImapping txt which includes the PCI mapping of the host see the example in Figure 20 PCImapping txt Example page 77 2 In the PCImapping txt file search for the string Physical Slot 5 for...

Page 77: ...Imapping txt Example Association of the NIC ports After you have all the PCI addresses written down continue with the installation detailed in DefensePro VA for KVM Installation and Configuration page...

Page 78: ...DefensePro VA Installation and Maintenance Guide Configuring DefensePro VA in PCI Passthrough Mode 78 Document ID RDWR DPVA_IG2005...

Page 79: ...E PACKAGE CONTAINING RADWARE S PRODUCT OR BEFORE DOWNLOADING INSTALLING COPYING OR OTHERWISE USING RADWARE S STANDALONE SOFTWARE AS APPLICABLE THE SOFTWARE IS LICENSED NOT SOLD BY OPENING THE PACKAGE...

Page 80: ...u agree to pay Radware any amounts due for any applicable license fees at Radware s then current list prices 3 Lab Development License Notwithstanding anything to the contrary in this License Agreemen...

Page 81: ...acknowledge and agree that the Software is a proprietary product of Radware and or its licensors and is protected under applicable copyright law 8 No Warranty The Software and any and all accompanyin...

Page 82: ...rmination This License Agreement is effective upon the first to occur of your opening the package of the Product purchasing downloading installing copying or using the Software or any portion thereof...

Page 83: ...e entitled to injunction relief This License Agreement constitutes the entire agreement between the parties hereto and supersedes all prior agreements between the parties hereto with respect to the su...