Version v26.06

Version v26.06 adds: a changed mechanism for determining the country affiliation of IP addresses, transfer of protection policy settings between clusters via the clipboard, graphs of traffic bypassed by the WL and TWL countermeasures, handling of host field values in Logan rules, PSG service connection settings, separate permissions for accessing monitoring object sections, MAX messenger support, and a widget category for building graphs of passed traffic in flow analysis.

The functionality of FRB and FTLS countermeasures has been expanded.

Changes in v26.06

Dashboard

Added graph areas for top policies by traffic bypassed by WL and TWL
On the “Top Policies” tab of the “Dashboard” page, the graph areas “WL + TWL Bypass Top IPv4, pps” and “WL + TWL Bypass Top IPv4, bps” have been added. They display the protection policies with the highest rate of traffic bypassed by the WL and TWL countermeasures.

"Flow Analysis" Page

Added widget category for building graphs on passed traffic

Added widget category “Pass”. Widgets in this category display sFlow data exported by MITIGATOR for passed traffic.

General Protection

Added graphs of traffic bypassed by WL and TWL countermeasures
  • General WL + TWL Bypass – rate of traffic bypassed to system output by WL and TWL countermeasures in General Protection;
  • All Policies WL + TWL Bypass – total rate of traffic bypassed to output of all protection policies by WL and TWL countermeasures.

Protection Policy

Added transfer of protection policy settings between clusters via clipboard

A button for copying policy settings via clipboard has been added to the “Settings” tab in the protection policy.

When copying, the scope is selected. You can copy:

  • countermeasure parameters;
  • countermeasure parameters and autodetection settings;
  • all policy parameters and settings.

Settings are saved to the clipboard in JSON format and can be applied to another protection policy, for example on another MITIGATOR cluster. Applying them completely replaces all current settings of the target protection policy with the new ones.

Note

Since different MITIGATOR versions may have different sets of settings, transfer of protection policy settings should be performed between clusters with the same version. Correctness of applying settings when transferring between clusters of different versions is not guaranteed.

Countermeasures

FRB. Added PASS action for rules

Added PASS action that allows excluding traffic matching the filter from countermeasure processing. For such rules, specifying a limit and period is not required.

Example:

# this set of rules will drop all traffic from an IP address if more than
# 10 packets arrive from it within 3 seconds via TCP on port 80
# matching the regular expression `\sLOGIN\s[^\n]{100}`, unless it's traffic from IP address 175.180.90.0.

PASS ACL src 175.180.90.0 dport 80
PACKETS 10 PERIOD 3 ACL tcp dport 80 REX \sLOGIN\s[^\n]{100}

FTLS. Added PASS action for rules

Added PASS action that allows excluding traffic matching the specified TLS fingerprint from countermeasure processing.

For example, if the following rule is set:

PASS JA3 771,4866-4867-4865-49191-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2

and the checkbox “Apply thresholds for other JA3/JA4” is set with a threshold of 10 packets per second, then when more than 10 ClientHello messages per second are received, the FTLS countermeasure will block every ClientHello except those matching the JA3 fingerprint from the PASS rule.
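The two examples above (FRB and FTLS) share one shape: traffic matching a PASS rule is taken out of the countermeasure entirely, and only the remaining traffic is counted against a limit per period. The following added example models that shape in Python; it is not MITIGATOR code. The `Threshold` class, the event dictionary layout, the assumption that an FRB source stays dropped once it exceeds the limit while the FTLS threshold is purely rate-based, the sample addresses and the second (constructed) JA3 string are all assumptions of this example; only the rule values are taken from the notes.

```python
import re
from collections import defaultdict, deque


class Threshold:
    """Sliding-window threshold with PASS exemptions (a model, not MITIGATOR code).

    pass_rules: predicates; an event matching any of them is exempt from processing.
    counted:    predicate selecting the events that are counted toward the limit.
    key:        groups counted events (source IP for FRB, one shared key for FTLS).
    sticky:     True drops every later event of a key that exceeded the limit
                (FRB: "drop all traffic from an IP address"); False drops only
                while the rate is above the limit (assumed for FTLS).
    """

    def __init__(self, pass_rules, counted, key, limit, period, sticky):
        self.pass_rules, self.counted, self.key = pass_rules, counted, key
        self.limit, self.period, self.sticky = limit, period, sticky
        self.windows = defaultdict(deque)    # key -> timestamps of counted events
        self.blocked = set()

    def verdict(self, ev):
        if any(rule(ev) for rule in self.pass_rules):
            return "pass"                    # PASS rule: excluded from the countermeasure
        k = self.key(ev)
        if k in self.blocked:
            return "drop"
        if not self.counted(ev):
            return "forward"
        w = self.windows[k]
        w.append(ev["ts"])
        while ev["ts"] - w[0] > self.period:  # expire timestamps outside the period
            w.popleft()
        if len(w) > self.limit:
            if self.sticky:
                self.blocked.add(k)
            return "drop"
        return "forward"


def frb_scenario():
    # Rules from the FRB example:
    #   PASS ACL src 175.180.90.0 dport 80
    #   PACKETS 10 PERIOD 3 ACL tcp dport 80 REX \sLOGIN\s[^\n]{100}
    rex = re.compile(r"\sLOGIN\s[^\n]{100}")
    eng = Threshold(
        pass_rules=[lambda e: e["src"] == "175.180.90.0" and e["dport"] == 80],
        counted=lambda e: e["proto"] == "tcp" and e["dport"] == 80
        and rex.search(e["payload"]) is not None,
        key=lambda e: e["src"], limit=10, period=3, sticky=True)
    hit = " LOGIN " + "A" * 100              # constructed payload matching the REX
    events = []
    for src in ("203.0.113.7", "175.180.90.0"):   # constructed: offender, exempt host
        events += [{"ts": i * 0.1, "src": src, "proto": "tcp", "dport": 80,
                    "payload": hit} for i in range(11)]
    events.append({"ts": 1.2, "src": "203.0.113.7", "proto": "tcp",   # unrelated later
                   "dport": 443, "payload": ""})                      # packet, still dropped
    events.append({"ts": 1.3, "src": "198.51.100.2", "proto": "tcp",
                   "dport": 80, "payload": hit})
    events.sort(key=lambda e: e["ts"])
    out = defaultdict(list)
    for e in events:
        out[e["src"]].append(eng.verdict(e))
    return dict(out)


ALLOWED_JA3 = "771,4866-4867-4865-49191-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2"


def ftls_scenario():
    # Rule from the FTLS example plus "Apply thresholds for other JA3/JA4" = 10 pps.
    eng = Threshold(pass_rules=[lambda e: e["ja3"] == ALLOWED_JA3],
                    counted=lambda e: True, key=lambda e: "clienthello",
                    limit=10, period=1, sticky=False)
    other = "771,4865-4866-4867,0-23-65281,29-23-24,0"   # constructed, not a real fingerprint
    events = [{"ts": i * 0.05, "ja3": other} for i in range(12)]            # 12 in 0.55 s
    events += [{"ts": 0.3 + i * 0.01, "ja3": ALLOWED_JA3} for i in range(3)]
    events.append({"ts": 2.0, "ja3": other})                                # rate has fallen
    events.sort(key=lambda e: e["ts"])
    out = {"allowed": [], "other": []}
    for e in events:
        out["allowed" if e["ja3"] == ALLOWED_JA3 else "other"].append(eng.verdict(e))
    return out
```

In `frb_scenario` the offender's first ten matching packets are forwarded, the eleventh trips the limit, and a later unrelated packet from the same address is dropped too, while the exempt address passes all eleven untouched. In `ftls_scenario` the eleventh and twelfth ClientHello within one second are dropped, the allowed fingerprint is never counted, and a ClientHello arriving after the window has emptied is forwarded again.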

Logan

Added handling of host field values in Logan rules

Now for rules with block and alert actions you can check the value of the $host field.

Regular expressions are supported, so a rule can describe a pattern that the value in the field must match (host) or must not match (not host).

The keyword host-ip has also been added; it matches requests whose $host field contains an IP address instead of a host name.

Examples:

# Block IP address for 300 seconds where the value in the $host field
# matches the pattern `^api\.example\.com$`:

block 300 host ^api\.example\.com$

# Block IP address for 120 seconds where the value in the $host field
# does not match the pattern `^internal\.example\.com$`:

block 120 not host ^internal\.example\.com$

# Create entry in event log when receiving from IP address
# two or more requests within 10 seconds containing an IP address in the $host field:

alert host-ip limit 2 period 10
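The three rule lines above, parsed and evaluated over a few constructed requests as an added example (not Logan's own implementation). The tokenised rule grammar, the treatment of a missing limit/period as "trigger on the first hit", first-matching-rule-wins evaluation order, the handling of a port suffix in the $host value, and all sample addresses are assumptions of this example; the rule text itself is the one given in the notes.

```python
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


def host_is_ip(host):
    """True when the $host value is an IP literal; :port and IPv6 brackets are ignored."""
    if host.startswith("["):                     # [IPv6] or [IPv6]:port
        h = host[1:host.find("]")] if "]" in host else host[1:]
    else:                                        # IPv4:port or a bare host name
        h = host.split(":")[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


@dataclass
class Rule:
    action: str                    # "block" or "alert"
    duration: int                  # block time in seconds (0 for alert)
    negate: bool                   # "not host"
    host_re: Optional[re.Pattern]  # None means the host-ip keyword
    limit: int                     # hits needed within period (assumed default 1)
    period: float                  # seconds (assumed default 0: each hit counts alone)

    def matches(self, host):
        hit = host_is_ip(host) if self.host_re is None else bool(self.host_re.search(host))
        return not hit if self.negate else hit


def parse_rule(line):
    """Parse one whitespace-tokenised rule line of the shape shown in the notes."""
    toks = line.split()
    action = toks.pop(0)
    if action not in ("block", "alert"):
        raise ValueError(f"unknown action {action!r}")
    duration = int(toks.pop(0)) if action == "block" else 0
    negate = toks[0] == "not"
    if negate:
        toks.pop(0)
    keyword = toks.pop(0)
    if keyword == "host":
        host_re = re.compile(toks.pop(0))
    elif keyword == "host-ip":
        host_re = None
    else:
        raise ValueError(f"unknown keyword {keyword!r}")
    limit, period = 1, 0.0
    while toks:                                  # optional "limit N period M"
        name, value = toks.pop(0), toks.pop(0)
        if name == "limit":
            limit = int(value)
        elif name == "period":
            period = float(value)
        else:
            raise ValueError(f"unknown option {name!r}")
    return Rule(action, duration, negate, host_re, limit, period)


class Logan:
    """Evaluates rules per source IP; the first rule that triggers wins (assumed order)."""

    def __init__(self, rules):
        self.rules = rules
        self.hits = defaultdict(deque)           # (rule index, src) -> timestamps
        self.blocked_until = {}                  # src -> time the block ends

    def process(self, ts, src, host):
        if self.blocked_until.get(src, 0) > ts:
            return "blocked"                     # already blocked, request not examined
        for i, rule in enumerate(self.rules):
            if not rule.matches(host):
                continue
            w = self.hits[(i, src)]
            w.append(ts)
            while ts - w[0] > rule.period:       # expire hits outside the period
                w.popleft()
            if len(w) < rule.limit:
                continue
            if rule.action == "block":
                self.blocked_until[src] = ts + rule.duration
            return rule.action
        return "ok"


def block_scenario():
    eng = Logan([parse_rule(r"block 300 host ^api\.example\.com$"),
                 parse_rule(r"block 120 not host ^internal\.example\.com$")])
    requests = [(0, "203.0.113.10", "api.example.com"),      # constructed (ts, src, $host)
                (1, "203.0.113.10", "internal.example.com"),
                (2, "198.51.100.5", "internal.example.com"),
                (3, "198.51.100.5", "www.example.com"),
                (130, "198.51.100.5", "www.example.com"),    # 120 s block has expired
                (200, "203.0.113.10", "api.example.com")]    # 300 s block still active
    return [eng.process(*r) for r in requests]


def alert_scenario():
    eng = Logan([parse_rule("alert host-ip limit 2 period 10")])
    requests = [(0, "192.0.2.9", "192.0.2.1"),
                (5, "192.0.2.9", "192.0.2.1:8080"),           # second IP host within 10 s
                (6, "192.0.2.9", "example.com"),
                (30, "192.0.2.9", "[2001:db8::1]:443"),       # earlier hits have expired
                (31, "203.0.113.4", "10.0.0.1")]
    return [eng.process(*r) for r in requests]
```

`block_scenario` shows a block taking effect on the first matching request, a later request from the blocked address being refused without evaluation, and the 120-second block expiring before the 300-second one. `alert_scenario` shows host-ip firing only once two IP-literal hosts arrive within the 10-second period, ignoring a regular host name, and starting over after the window has emptied.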

Roles and Permissions

Added separate permissions for accessing object monitoring sections

Delivery Channels

Added MAX messenger support

Added support for sending to MAX messenger:

  • system event notifications;
  • packet capture files;
  • incident reports;
  • regular reports.

PSG

Added PSG service connection settings

A new page “PSG Service” has been added to System Settings, where you can set connection parameters to the service and define access level to service functions for groups.

Core

Changed mechanism for determining country affiliation of IP addresses

The change optimizes resource consumption by the packet handler when there are many protection policies with activated geo-filtering.

Note

In the current implementation, this change affects filtering by autonomous system numbers in the GEO countermeasure. Specifying an autonomous system number in the GEO countermeasure may associate more IP addresses with that AS than the AS actually contains.

If you need to bypass traffic of certain autonomous systems around the GEO countermeasure, use countermeasure bypass in the WL countermeasure, specifying the autonomous system number.

To drop traffic of specified autonomous systems, use the BL countermeasure.

If filtering by autonomous system numbers directly in the GEO countermeasure is critically important for you, do not update to version v26.06. In future versions, correctness of filtering by AS numbers will be restored.