Version v26.04

Now the Host Activation Log stores not only the fact of activation of the mechanism for a specific IP address, but also the reason for activation and the rule, if present.

instance_id,instance_name,created_at,action,dst_ip,reason,rule
1,Mitigator0,2022-09-02 10:44:31.53622 +0000 UTC,added,10.0.2.254,LimitBps,BITS 200 ACL udp
1,Mitigator0,2022-09-02 10:44:41.51245 +0000 UTC,added,10.0.2.254,UntrustedSource,

Automatic packet capture has been added to General Protection IPv4 and IPv6, similar to auto-capture in protection policies.

Now when checking SYN+ACK packets, you can select processing mode without taking Timestamp into account.

Since not all servers send Timestamp, the check can be disabled by setting the flag “No timestamp” in the session parameter synchronization settings for a specific server. The parameter applies to all servers listed in the line. If you need to apply it to only one server, you need to move it to a separate entry. If the synchronization agent is used in multiple protection policies, and in at least one of them the “No timestamp” parameter is set, it will be applied in all policies.

Now on protection policy graphs you can see curves for traffic from internal network, associated with this policy.

Enabling counting of traffic from internal network for display on graphs is done on the “Common Settings” page in system settings and affects all protection policies.

VLAN ID functions have been removed from the public API of BPF programs. If these functions were used in your BPF programs, when rebuilding them with the new mitigator_bpf.h header, you need to add these functions to the program source code:

#define VLAN_ID_MASK 0x0fff

/** @brief Get VLAN ID from 802.1q header. */
LOCAL uint16_t
vlan_get_id(const struct VlanHeader* vlan) {
    return bswap16(vlan->control) & VLAN_ID_MASK;
}

/**
 * @brief Set VLAN ID in 802.1q header.
 *
 * If you don't need to keep rarely used DEI and PRI, a faster alternative is:
 * @code
 * vlan->control = bswap16(id);
 * @endcode
 */
LOCAL void
vlan_set_id(struct VlanHeader* vlan, uint16_t id) {
    uint16_t bits = vlan->control & ~bswap16(VLAN_ID_MASK);
    vlan->control = bswap16(bswap16(bits) | id);
}

Now the countermeasure graphs display the number of sessions observed both inside and outside the recent session ignore depth window:

• USF Allowed sessions — number of tracked sessions that were observed outside the recent session ignore depth window;

• USF Ignored sessions — number of tracked sessions that were observed only inside the recent session ignore depth window.

Now you can set different sFlow sampling values for different traffic rates. When the set rate threshold is exceeded, the sampling value changes automatically. You can set up to four sampling values for different traffic rate ranges.

A “Flow/SNMP Ratio” tab has been added to the “Flow Exporters” page, displaying traffic statistics on all source interfaces obtained via Flow and SNMP.

The tab also sets the “Reliability threshold”, which determines the acceptable deviation in the ratio of average traffic rate obtained via Flow to that obtained via SNMP. For example, with a reliability threshold of 90%, a Flow/SNMP metric value ratio from 0.9 to 1.1 is considered normal.

If the ratio of average traffic rate values obtained via Flow to those obtained via SNMP does not match the reliability threshold, this may mean that the system is configured incorrectly, or data is not being received. For such interfaces, appropriate indication appears in the row.

Now in the “Status” column of the Flow source interfaces table, the interface displays one of three statuses based on SNMP data:

• interface status UP;
• interface status DOWN;
• interface status unknown.

When activating the “GRE Tunnel with External Service” function in instance settings, GRE traffic processing is by default performed on a single CPU core. If the flag is set, balancing across all cores will be performed. The setting is applicable only when using Mellanox network cards, for other network cards the setting is ignored.

Previously tabs were sorted alphabetically, now by clicking the “Change tab order” button, you can move tabs.

To improve convenience of setting thresholds and simplify perception of already set ones, the ability to change decimal prefixes when specifying values has been added.

As an experiment, currently the functionality has been added to HPD, BPF and TAP interface, we plan to extend this change to all other mechanisms and countermeasures in the future.