2019-6 Radware Ltd. Deploy Guide for Huawei Cloud

Deploy Guide for Huawei Cloud...Jul 09, 2019  · configuration of Huawei cloud. ... end acceleration and application performance monitoring services. Providing protection for web

2019-6

Radware Ltd.

Deploy Guide for Huawei Cloud

Version V1

Writer     Date    Version
Bill Chen  2019/6  Base Alteon 32.2

Includes the basic network, the opening of WAF business and the corresponding configuration of Huawei cloud.

Contents

1. Introduction
2. Deployment Topology
  2.1 VA Resource Requirements
  2.2 Standalone Deployment Topology
  2.3 Extended Deployment Topology (Recommendation)
3. Configuration guide
  3.1. Purchase ECS
  3.2. Alteon Basic Configuration
  3.3. Alteon Application Configuration
    3.3.1. Interface and gateway configuration
    3.3.2. Create VIP and connect to Web Server
    3.3.3. Enable WAF Service
    3.3.4. Connect VIP to Alteon VA

1. Introduction

Radware's Alteon Virtual Device (VA), a market-leading application delivery controller, ensures that applications are always available, responsive and secure. Alteon VA provides all standard ADC functions (advanced Layer 4-7 local server load balancing, global server load balancing, SSL offloading and compression) and advanced services such as WAF, web front-end acceleration and application performance monitoring.

Providing protection for web applications is the core of Radware security products. Through its ICSA Labs certified web application firewall, AppWall, and its enterprise cloud WAF service, Radware provides complete web security protection, including OWASP Top 10 coverage, advanced attack protection and zero-day attack protection, which can automatically adjust your protection to adapt to changing threats.

Agility: Customize the required application delivery service packages through Alteon VA's On Demand Architecture

Embedded Next Generation Services: Application Performance Monitoring, Web Application Firewall and Web Performance Acceleration

Automation: Advanced ADC services can be launched and maintained using the operator toolbox's personalized wizard by simply pressing the Next button

2. Deployment Topology

The Radware Alteon AppWall VA connects to the VPC in reverse proxy mode. By default the VA requires an out-of-band management interface and at least one business interface. Deployment requires at least the following IP addresses:

MAN IP         MAN Port  Physical IP    Proxy IP      Virtual IP/Port  Server IP/Port
192.168.1.100  443/22    192.168.2.100  192.168.2.80  192.168.2.80/80  192.168.2.10/80

Note:

1. The out-of-band management interface is completely isolated from the service interface; the two can be separated into different subnets carved from the same address segment.

2. The virtual IP is the WAF service address. It must be created on the VPC and bound to the network card of the business interface.

3. The proxy IP is the source address the VA uses to access the server, and it can be shared with the virtual IP.
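The three notes above can be checked mechanically before any address is requested in the VPC. The following is an added example, not part of the original guide: it validates the address plan from the table, and the /24 subnet sizes and the dictionary key names are assumptions, since the guide lists addresses only.

```python
import ipaddress

# Address plan from the deployment table above. The /24 prefix lengths are
# assumptions; the guide lists addresses only.
PLAN = {
    "man_ip": "192.168.1.100",
    "physical_ip": "192.168.2.100",
    "proxy_ip": "192.168.2.80",
    "virtual_ip": "192.168.2.80",
    "server_ip": "192.168.2.10",
}
MGMT_NET = "192.168.1.0/24"     # assumed out-of-band management subnet
SERVICE_NET = "192.168.2.0/24"  # assumed service (business) subnet


def check_plan(plan, mgmt_net, service_net):
    """Return a list of findings; an empty list means the plan is consistent."""
    mgmt = ipaddress.ip_network(mgmt_net)
    svc = ipaddress.ip_network(service_net)
    ip = {name: ipaddress.ip_address(addr) for name, addr in plan.items()}
    findings = []

    # Note 1: management and service interfaces sit in separate subnets.
    if mgmt.overlaps(svc):
        findings.append("management and service subnets overlap")
    if ip["man_ip"] not in mgmt:
        findings.append("man_ip is outside the management subnet")

    # Notes 2 and 3: the interface IP, VIP and proxy IP live on the service NIC.
    for name in ("physical_ip", "virtual_ip", "proxy_ip"):
        if ip[name] not in svc:
            findings.append(f"{name} is outside the service subnet")

    # Note 3 allows proxy_ip == virtual_ip; any other reuse is a conflict.
    seen = {}
    for name, addr in ip.items():
        other = seen.setdefault(addr, name)
        if other != name and {other, name} != {"proxy_ip", "virtual_ip"}:
            findings.append(f"{name} reuses the address of {other}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN, MGMT_NET, SERVICE_NET) or ["plan is consistent"]:
        print(finding)
```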

2.1 VA Resource Requirements

Configuration      vCPU  GB RAM  GB Disk Space  Notes
Alteon AppWall VA  4     8/16    40

2.2 Standalone Deployment Topology

In stand-alone deployment mode, EIP is directly bound to virtual IP addresses.

2.3 Extended Deployment Topology (Recommendation)

In extended deployment mode, WAF service performance can be scaled horizontally by deploying ELB, which also prevents the Alteon AppWall from being a single point of failure. In this mode the EIP is bound to the ELB's virtual IP.

3. Configuration guide

3.1. Purchase ECS

Select s3.xlarge.2 or s3.xlarge.4.

Add an extended network card and assign security groups. The security groups need to open ports 22 and 443 to provide out-of-band management access.

Allocate an EIP for the out-of-band management interface.

The password set here is not used, but one must be set because the form requires it.
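Because the management interface receives an EIP, the source range of the rules that open ports 22 and 443 decides who can reach the login page. The following is an added example, not part of the original guide or of any Radware or Huawei tool: it flags ingress rules that admit those ports from outside a list of administrator networks. The rule field names (OpenStack Neutron style) and the sample rules are assumptions, constructed for illustration.

```python
import ipaddress

MGMT_PORTS = (22, 443)  # out-of-band management ports named in the guide

# Constructed sample rules. Field names follow the OpenStack Neutron style
# (an assumption about the export format); adapt them to your own export.
SAMPLE_RULES = [
    {"id": "r1", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},
    {"id": "r2", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443, "remote_ip_prefix": "203.0.113.0/28"},
    {"id": "r3", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 1, "port_range_max": 1024, "remote_ip_prefix": "198.51.100.0/24"},
    {"id": "r4", "direction": "ingress", "protocol": None,
     "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
    {"id": "r5", "direction": "egress", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"},
]


def exposed_mgmt_rules(rules, admin_networks):
    """Return (rule id, exposed ports, source) for rules that admit management
    traffic from outside the administrator networks."""
    allowed = [ipaddress.ip_network(n) for n in admin_networks]
    findings = []
    for rule in rules:
        if rule.get("direction") != "ingress":
            continue
        if rule.get("protocol") not in (None, "tcp"):  # None means any protocol
            continue
        if rule.get("remote_group_id"):  # source is another security group
            continue
        low = rule.get("port_range_min") or 1
        high = rule.get("port_range_max") or 65535
        ports = [p for p in MGMT_PORTS if low <= p <= high]
        if not ports:
            continue
        # A missing prefix means any source address.
        source = ipaddress.ip_network(rule.get("remote_ip_prefix") or "0.0.0.0/0")
        if not any(source.version == net.version and source.subnet_of(net)
                   for net in allowed):
            findings.append((rule["id"], ports, str(source)))
    return findings
```

With the sample rules and `203.0.113.0/28` as the only administrator network, `r1`, `r3` and `r4` are reported; `r2` is scoped to the administrator network and `r5` is egress.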

3.2. Log In to Alteon AppWall

Log in to Alteon AppWall via the WebUI or SSH.

Default username: admin

Default password: admin

If you log in via SSH, Alteon asks you to change the default password at the first login.

From the menu Configuration-System-License, check the license MAC address. Provide Radware with the MAC address and apply for a license.

Enter the license and click Set License.

License example:

Throughput license: 100Mbps-w3IIKRy1

Feature license: aas-secure-cookie

3.3. Alteon Basic Configuration

The basic configuration includes time, time zone, log server, NTP server and so on. It is not covered here. Please contact a Radware engineer for configuration guidance.

Alteon configuration changes take effect only after you click "Apply Required".

Click "Save Required" to save the configuration; otherwise the configuration is lost when the VA restarts.

3.4. Alteon Application Configuration

3.4.1. Interface and gateway configuration

Click on the Alteon VA to see the IP address assigned to its other interface, as shown in the following figure.

From the menu Configuration-Network-Layer3-IP Interfaces, click "+" to create the interface IP address.

Note: Interface ID: 1~256

VLAN: If only one interface is allocated, the interface belongs to VLAN 1.

Confirm the VPC gateway address.

Create the Alteon VA default gateway.

From the menu Configuration-Network-Layer3-Gateways, click "+".

Note: Gateway ID must be set to 1.

3.4.2. Create VIP and connect to Web Server

❖ Apply for a VIP in the VPC

❖ Define the web server

Click Configuration-Application Delivery-Server Resources-Real Server, then click "+" to create the web server.

❖ Create a group and connect it to the web server

Click Configuration-Application Delivery-Server Resources-Server Group, then click "+" on the right.

❖ Create the VIP and connect it to the group

From the menu Configuration-Application Delivery-Virtual Services, click "+" on the right and configure the virtual IP applied for in the VPC as the Virtual Server.

Under Virtual Services, click "+" to create a virtual service and associate it with the protected server group.

Note: Application must be set to HTTP; otherwise the WAF service cannot be enabled. Real Server Port is the service port of the real server.

❖ Configure the proxy IP

Click the PIP menu and set NAT mode to Address/Subnet. The proxy IP can be shared with the VIP.

3.4.3. Enable WAF Service

❖ Configure WAF services for virtual services

❖ Under the virtual service menu, click HTTP, then click "+" next to Secured Web Application.

Create the WAF service name.

Note: Operation Mode can be Out-Of-Path or Inline.

Out-Of-Path: bypass deployment mode; monitoring and attack warning only

Inline: real-time protection and attack warning

❖ Enable WAF (license required)

From Configuration-Security-Web Security, click "Enable AppWall".

At this point the web server is protected by the basic WAF functions; advanced configuration can be opened from the screen shown in the figure above.

3.4.4. Connect VIP to Alteon VA

Enter the network console, click Virtual Private Cloud, find the virtual IP, and click the option to bind a server.

Bind the Alteon VA application port.

Click the option to bind an elastic public IP (EIP), and bind the EIP to the VIP. At this point, users on the external network can access the web server under the protection of Alteon AppWall.