Version v25.02
The description of version v25.02 is still in development; it may change and be updated.
Follow the special instructions to update MITIGATOR to v25.02.
Version v25.02 adds: DNAT countermeasure, test drop via sFlow,
working with multiple LOGANs, support for ISN operation behind NAT, lightweight backup,
manual soft start in countermeasures, the ability to change the Web Challenger configuration,
support for domain names in named lists.
The functionality of the WL, WL6, BL, TBL, TBL6, ACL, ACL6 and FTLS countermeasures has been enhanced, as well as
Incidents, PCAP, PCAP6, Collector and the TAP interface.
JA3 countermeasure renamed to FTLS.
Changes in v25.02
Policy. Added new actions for bulk changes to protection policies.
Added actions:
- enable protection policies;
- disable protection policies;
- enable autodetection in policy countermeasures;
- disable autodetection in policy countermeasures;
- enable autodetection in protection policy;
- disable autodetection in protection policy.
Policy. Added information about group membership to the RAM usage dump.
The CSV file with information about RAM consumption, downloaded on the Policy Settings tab of the Protection Policy page and the Resources tab of the System State page, now contains information about the number and name of the group to which the policy belongs.
Detect. Removed default incident thresholds.
Previously, when creating a protection policy, the Incidents.Drop* thresholds were always set to zero.
This resulted in incidents being registered even if there was a single drop.
Now the Incidents.Drop* thresholds with zero values have been removed from all protection policies.
Detect. Added control over the shutdown factor for acceleration thresholds.
Now you can set the traffic rate factor that disables Diff thresholds using .Xxx.Diff.OffFactor.
For more details, see the built-in documentation on autodetection.
PCAP. Added filter for JA4 fingerprints.
You can now set a filter by JA4 fingerprint in packet capture for general protection and policy.
PCAP. Added indication of capture points.
PCAP now stores information about the points at which the capture was performed.
PCAP. Added hints for ACL filters in PCAP.
PCAP6. Added the ability to specify IP address ranges for src and dst in filtering rules.
PCAP6. Added indication of capture points.
PCAP6. Added hints for ACL filters in PCAP.
Softstart. Added manual Soft Start trigger.
Now, in all countermeasures that support Soft Start, the mode can be activated manually by pressing the “Start” button, if the countermeasure is enabled.
DNAT. Added new DNAT countermeasure.
To solve the problem of redirecting certain traffic to a third-party L7 filtering device, a new countermeasure, “Destination Network Address Translation”, has been added to the protection policy. The traffic that should be translated out of the policy is described using ACL-like rules.
WL. Added the ability to pass traffic from certain countries.
Now, if GeoIP databases for countries are loaded, in the WL of general protection and policies you can specify which countries’ traffic should be passed by the countermeasure without processing. Countermeasure-by-countermeasure bypass is supported, allowing you to pass traffic from specified countries bypassing the specified countermeasures.
Also added the ability to pass all traffic from unspecified countries without processing, both by all countermeasures and only by selected ones.
WL. Added support for Cyrillic domain names.
WL6. Added the ability to pass traffic from certain countries.
BL. Added support for Cyrillic domain names.
TBL. Added check for prefix inclusion in block lists.
Now you can export TBL contents with a prefix filter.
TBL6. Added check for prefix inclusion in block lists.
ACL. Added support for Cyrillic domain names.
ACL6. Added the ability to specify IP address ranges for src and dst in filtering rules.
FTLS. JA3 countermeasure renamed to FTLS.
Countermeasure JA3 “JA3 Fingerprint Filter” has been renamed to FTLS “TLS Fingerprint Filter”.
FTLS. Added support for JA4 fingerprints.
Now you can specify both JA3 and JA4 fingerprints in filtering rules.
GAME. Added use of the “Connection Monitoring” function.
Deploy. Added the ability to forcefully relinquish VRRP master status on an instance.
Now you can force the VRRP master status change. A new master is selected according to the specified priority values.
Deploy. TAP interface control has been moved to a separate sub-item of the settings.
Deploy. Added traffic mirroring mode to TAP interface.
Added an operating mode in which incoming traffic from external and internal networks can be mirrored to the TAP interface.
Deploy. Added limitation of traffic coming to the TAP interface.
TACACS+. Added selection of user verification mode when integrating with TACACS+.
In the “Authentication” mode, only user authentication is performed using TACACS+. Users who do not yet have accounts in MITIGATOR will not be able to log in, even if they have a TACACS+ account. A MITIGATOR account for them must be created manually by the system administrator, with subsequent transfer of the authentication function to the TACACS+ service.
If the “Authentication and Authorization” mode is selected, then on the first authentication attempt a user who has no account in MITIGATOR but does have a TACACS+ account will be created in MITIGATOR automatically, with the set of rights specified in the TACACS+ service settings.
Web challenger. Added Web challenger availability via mgmt check.
Added periodic polling of challengers to check their availability via mgmt. If the check fails, the HCA will not route traffic to that Web challenger.
Web challenger. Added the ability to make changes to the nginx configuration on Web challenger.
Now, using the http and server fields, you can make changes to the nginx configuration, which allows you to extend the functionality of Web challenger using standard nginx tools.
The information specified in the http field applies to all protected domains.
The information specified in the server field applies only to the specific domain.
Application examples:
- Sending logs from Web challenger, for example to Logan.
If you set the log format
log_format myformat '$remote_addr - $remote_user [$time_local] "$request" $request_time $status $body_bytes_sent "$http_referer" "$http_user_agent"';
and the sending parameters
access_log syslog:server=10.8.3.1:7201,tag=123456789abcdefg myformat;
then Web challenger will send logs in combined format to 10.8.3.1:7201 with the token 123456789abcdefg.
- Transferring the original client IP address when working through balancers and proxies.
The server field specifies the settings for the ngx_http_realip_module:
real_ip_header X-Forwarded-For;
set_real_ip_from 192.168.1.0/24;
real_ip_recursive on;
In this case, if a request is received from the 192.168.1.0/24 subnet, then Web challenger authenticates not the IP address specified in src_ip, but the one specified in the X-Forwarded-For HTTP header.
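To show how these three directives decide which address Web challenger will bind the challenge to, here is an added Python model of the realip resolution logic (example code, not part of MITIGATOR or nginx). The trusted subnet is the one from the configuration above; the client and proxy addresses are constructed sample values.

```python
import ipaddress


def parse_ip(text):
    """Return an ip_address object, or None if the text is not an address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_trusted(addr, trusted_nets):
    """True if addr falls inside any set_real_ip_from subnet."""
    return any(addr in net for net in trusted_nets)


def resolve_real_ip(src_ip, xff_header, trusted_cidrs, recursive=True):
    """Model of ngx_http_realip_module with real_ip_header X-Forwarded-For.

    src_ip        - address the TCP connection actually came from
    xff_header    - raw X-Forwarded-For value, or None if the header is absent
    trusted_cidrs - subnets listed in set_real_ip_from
    recursive     - value of real_ip_recursive
    Returns the address that will be used as the client address.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    peer = parse_ip(src_ip)
    # The header is honoured only when the peer itself is a trusted proxy;
    # any other peer can write whatever it likes into X-Forwarded-For.
    if peer is None or not xff_header or not is_trusted(peer, trusted):
        return src_ip
    chain = [parse_ip(p.strip()) for p in xff_header.split(",") if p.strip()]
    if not chain or any(hop is None for hop in chain):
        return src_ip  # malformed header: fall back to the real peer
    if not recursive:
        # real_ip_recursive off: the rightmost address is taken as is
        return str(chain[-1])
    # real_ip_recursive on: walk right to left, skipping our own proxies,
    # and stop at the first address that is not a trusted proxy.
    for hop in reversed(chain):
        if not is_trusted(hop, trusted):
            return str(hop)
    # Every hop was a trusted proxy: fall back to the leftmost one
    return str(chain[0])


TRUSTED = ["192.168.1.0/24"]  # set_real_ip_from from the configuration above

if __name__ == "__main__":
    # Constructed sample: balancer 192.168.1.10 forwards for client 203.0.113.5
    print(resolve_real_ip("192.168.1.10", "203.0.113.5", TRUSTED))
    # The same header arriving from an untrusted peer is ignored
    print(resolve_real_ip("198.51.100.7", "203.0.113.5", TRUSTED))
```

The set_real_ip_from list is what makes this safe: a peer outside 192.168.1.0/24 cannot move the challenge to another address by supplying its own X-Forwarded-For header.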
Web challenger. Added challenge mode selection for each protected resource.
Now, on the TLS Certificates tab, you can specify which challenge mode should be used for a specific protected domain.
Collector. The list of widgets in Flow Analysis has been expanded.
Collector. Added downloading of statistics in Flow Analysis by IP addresses of exporters.
Collector. Added statuses for receiving interface numbers via SNMP.
Now you can see which interfaces received from Flow have SNMP information.
LOGAN. Added the ability to use multiple LOGANs.
Now MITIGATOR can work with several LOGANs simultaneously. LOGAN settings have been moved to a separate item “Log Analyzers” in the settings.
In the protection policy, on the “Log Analysis” tab, you can now select which LOGAN to show statistics for. If the “All instances” option is selected, then statistics are displayed for each connected LOGAN instance in separate blocks, placed one under the other, and separated by a header with the instance name.
LOGAN. Added a graph of average request processing time.
A graph showing the average request processing time has been added to the Request Time policy graph tab in Log Analysis.
IPList. Added support for domain names in named IP address lists.
You can now specify domain names in named IP address lists.
IPList. Added support for Cyrillic domain names.
sFlow. Added sending of sFlow on test-mode drops.
The packet processor can now send sFlow records for drops made in test mode.
ISN agent. Added support for ISN operation behind NAT.
Previously, protection scenarios using ISN synchronization had problems when the protected server was behind NAT. In the “Session parameters synchronization” panel in the translation table, you can now match public and local IP addresses and ports of protected services.
Multi. Added load balancing for metrics databases in cluster installations.
To improve the responsiveness of the interface, requests for rendering graphs can now be distributed across servers storing metrics. To enable balancing, you need to make changes to the configuration files according to special instructions.
Incidents. Added incident counter.
The list of incidents now displays the number of incidents in the selected time interval.
Incidents. Added a method selection for receiving the exported report.
Now when you click the “Export” button to receive an incident report, you can select the method of receiving it:
- download report file;
- send a file with a report to the email specified in the user profile;
- send a file with a report to Telegram chat with the ID specified in the user profile;
- load to file server.
Incidents. Added a limit on the size of the exported report.
It is now not possible to export a report for more than 100 incidents to a file. To obtain a report for a larger number of incidents, the other delivery methods should be used.
Reports. Added statistics on maximum and average drop rates for each countermeasure.
A table of average and maximum traffic dropped by each countermeasure during the incident has been added to the exported incident report.
Reports. Added loading of regular report to file server.
Backup. Added the ability to create a lightweight backup.
Added the ability to create a lightweight backup of cluster data. A lightweight backup does not contain:
- Event log;
- Incidents and advanced statistics on Flow;
- Authenticated IP addresses logs;
- Host protection activation log (HPD);
- Blacklist change log (TBL);
- Target activation log (TCP);
- Target activation log (SPLI);
- IP address blocking log (ATLS);
- IP address blocking log (DTLS);
- IP address blocking log (logan);
- Scanners record log (SCAN);
- Trigger log (DLIM);
- Trigger log (PLIM);
- Trigger log (PLIM6);
- Trigger log (TLIM).
Backup instructions updated.
UX. Added automatic selection of the first token from the list in Log Analysis.
Now, on the Statistics tab in Log Analysis, the first token from the list is automatically selected.
UX. Added selection of IP protocol version to Top Policies.
Now on the “Top Policies” tab of the “Dashboard” page you can view the tops for IPv4 and IPv6 traffic independently. Display of graphs is controlled by the IPv4 and IPv6 buttons.
UX. The display of controls on the Flow Analysis page has been changed.
The buttons for selecting the IP protocol version have been brought to the same appearance as on the “Top Policies” tab of the “Dashboard” page. Headers have been added for groups of controls.
UX. Added filters reset on the protection policy list page.
Each filter field on the protection policy list page now has an icon for resetting applied filters.
UX. Added the ability to edit the interval when downloading a log in TBL.
Previously, when selecting a preset time interval in the log datepicker, the dialog box would close. Now the selected interval is applied only after confirmation, which makes it possible to adjust the interval boundaries.