
Performance by Design

AX Series Advanced Traffic Manager

Graphical User Interface


Reference
Document No.: D-030-01-00-0002
Ver. 2.4.3 6/21/2010

Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-408-325-8676 (support - worldwide)
Tel: +1-888-822-7210 (support - toll-free in USA)
Fax: +1-408-325-8666
www.a10networks.com

A10 Networks, Inc. 6/21/2010 - All Rights Reserved

Information in this document is subject to change without notice.


Trademarks:
A10 Networks, the A10 logo, ACOS, aFleX, aXAPI, IDaccess, IDsentrie, IP-to-ID,
SoftAX, Virtual Chassis, and VirtualN are trademarks or registered trademarks of
A10 Networks, Inc. All other trademarks are property of their respective owners.
Patents Protection:
A10 Networks products including all AX Series products are protected by one or
more of the following US patents and patents pending: 7716378, 7675854, 7647635,
7552126, 20090049537, 20080229418, 20080040789, 20070283429, 20070271598,
20070180101
A10 Networks Inc. software license and end users agreement
Software for all AX Series products contains trade secrets of A10 Networks and its
subsidiaries and Customer agrees to treat Software as confidential information.
Anyone who uses the Software does so only in compliance with the terms of this
Agreement. Customer shall not:
1) reverse engineer, reverse compile, reverse de-assemble or otherwise translate the
Software by any means
2) sublicense, rent or lease the Software.
Disclaimer
The information presented in this document describes the specific products noted
and does not imply nor grant a guarantee of any technical performance nor does it
provide cause for any eventual claims resulting from the use or misuse of the products described herein or errors and/or omissions. A10 Networks, Inc. reserves the
right to make technical and other changes to their products and documents at any
time and without prior notification.
No warranty is expressed or implied; including and not limited to warranties of noninfringement, regarding programs, circuitry, descriptions and illustrations herein.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of
electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and
pricing, contact your nearest A10 Networks, Inc. location which can be found by visiting www.a10networks.com.

AX Series - Graphical User Interface - Reference


About This Document

Obtaining Technical Assistance


For all customers, partners, resellers, and distributors who hold valid A10
Networks Regular and Technical Support service contracts, the A10 Networks Technical Assistance Center provides support services online and
over the phone.

Corporate Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support toll-free in USA)
Tel: +1-408-325-8676 (support direct dial)
Fax: +1-408-325-8666
www.a10networks.com

Collecting System Information


The AX device provides a simple method to collect configuration and status
information for Technical Support to use when diagnosing system issues.
To collect system information, use either of the following methods.

USING THE GUI (RECOMMENDED)


1. Log into the GUI.
2. Select Monitor > System > Logging.
3. On the menu bar, click Show Tech.
4. Click Export. The File Download dialog appears.
5. Click Save. The Save As dialog appears.
6. Navigate to the location where you want to save the file, and click Save.
7. Email the file as an attachment to support@A10Networks.com.

USING THE CLI


1. Log into the CLI.
2. Enable logging in your terminal emulation application, to capture output generated by the CLI.
3. Enter the enable command to access the Privileged EXEC mode of the
CLI. Enter your enable password at the Password prompt.
4. Enter the show techsupport command.
5. After the command output finishes, save the output in a file.
6. Email the file as an attachment to support@A10Networks.com.
Note:

As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using
the following command:
show techsupport export [use-mgmt-port] url
(For syntax information, see the AX Series CLI Reference.)


About This Document


This document describes the graphical user interface (GUI) of the A10 Networks AX Series Advanced Traffic Manager. All of the displays and configuration pages are described.
Note:

This document focuses on the GUI itself and does not provide extensive
descriptions of AX features. Use this document along with the AX Series
Configuration Guide when configuring the AX device.
Additional information is available for AX Series systems in the following
documents. These documents are included on the documentation CD
shipped with your AX Series system, and also are available on the A10 Networks support site:
AX Series Installation Guide
AX Series Configuration Guide
AX Series CLI Reference
AX Series aFleX Reference
AX Series MIB Reference
AX Series aXAPI Reference

System Description The AX Series


FIGURE 1   The AX Series Advanced Traffic Manager

The AX Series is the industry's best performing traffic manager that helps
organizations scale and maximize availability through the world's most
advanced delivery platform. The AX Series Advanced Core Operating System (ACOS) accelerates and secures critical business applications, provides
the highest performance and reliability, and establishes a new industry-leading price/performance


Contents

Obtaining Technical Assistance

Collecting System Information...............................................................................................................3

About This Document

System Description The AX Series .....................................................................................................5

Introduction ..... 13

Login.......................................................................................................................................................13
Redirection of HTTP To HTTPS ....................................................................................................16
GUI Features ..........................................................................................................................................16
Mode Tabs and Module Buttons ..................................................................................................16
Menus .............................................................................................................................................18
Main Display Area ..........................................................................................................................18
Global Buttons ...............................................................................................................................19
Save .............................................................................................................................................19
Logout ..........................................................................................................................................19
Help ..............................................................................................................................................19
HA ................................................................................................................................................19
Action Buttons ...............................................................................................................................20
Tabular Displays ............................................................................................................................20
Action Buttons ..............................................................................................................................21
Navigation Controls ......................................................................................................................21
Display Filters ...............................................................................................................................22
Configuration Pages ......................................................................................................................23
Graph Display Options ..................................................................................................................25
Data Refresh ................................................................................................................................25
Time Span ....................................................................................................................................26
Web Timeout ..........................................................................................................................................27
System Partitions ..................................................................................................................................27

Monitor Mode ..... 29

Monitor Modules ....................................................................................................................................29


Monitor Menu Tree.................................................................................................................................30
Monitor > Overview ...............................................................................................................................31
Monitor > Overview > Summary ...................................................................................................31
System Information ......................................................................................................................32
Device Information .......................................................................................................................32
Feature Configuration ...................................................................................................................33


CPU Usage Chart ........................................................................................................................ 34


Memory Usage Chart ................................................................................................................... 34
Monitor > Overview > Status ........................................................................................................ 35
Virtual Server Status .................................................................................................................... 35
System Log .................................................................................................................................. 37
Monitor > Overview > Statistics ................................................................................................... 37
Monitor > Overview > Performance ............................................................................................. 38
Monitor > Overview > Performance > Summary .......................................................................... 38
Monitor > Overview > Performance > Overview .......................................................................... 39
Monitor > Overview > Performance > Connection ....................................................................... 39
Monitor > Overview > Performance > Attack Prevention ............................................................. 39
Monitor > Service .................................................................................................................................. 40
Monitor > Service > SLB ............................................................................................................... 40
SLB Graphs ................................................................................................................................. 41
Monitor > Service > SLB > Virtual Server .................................................................................... 42
Monitor > Service > SLB > Service Group ................................................................................... 43
Monitor > Service > SLB > Server ............................................................................................... 44
Monitor > Service > Health Monitor ............................................................................................. 45
Monitor > Service > Firewall ......................................................................................................... 45
FWLB Graphs .............................................................................................................................. 45
Monitor > Service > Firewall > Firewall Group ............................................................................. 46
Monitor > Service > Firewall > Firewall Virtual Server ................................................................. 46
Monitor > Service > Firewall > Firewall Node .............................................................................. 47
Monitor > Service > PBSLB .......................................................................................................... 48
Monitor > Service > PBSLB > Statistics ....................................................................................... 48
Monitor > Service > PBSLB > Client Query ................................................................................. 49
Monitor > Service > PBSLB > Blacklist/Whitelist ......................................................................... 49
Monitor > Service > GSLB ............................................................................................................ 50
Monitor > Service > GSLB > Site ................................................................................................. 50
Monitor > Service > GSLB > Zone ............................................................................................... 50
Monitor > Service > GSLB > Protocol .......................................................................................... 51
Monitor > Service > aFleX ............................................................................................................. 51
Monitor > Service > IP Source NAT ............................................................................................. 52
Monitor > Service > IP Source NAT > Pool .................................................................................. 52
Monitor > Service > IP Source NAT > Static NAT ........................................................................ 52
Monitor > Service > Application ................................................................................................... 53
Monitor > Service > Application > Proxy > Fast-HTTP ................................................................ 53
Monitor > Service > Application > Proxy > HTTP ......................................................................... 54
Monitor > Service > Application > Proxy > SMTP ........................................................................ 55
Monitor > Service > Application > Proxy > SSL ........................................................................... 56
Monitor > Service > Application > Proxy > TCP ........................................................................... 57
Monitor > Service > Application > Proxy > DNS Cache ............................................................... 58
Monitor > Service > Application > Connection Reuse .................................................................. 59

Monitor > Service > Application > Persistent ................................................................................59


Monitor > Service > Application > SSL .........................................................................................60
Monitor > Service > Application > RAM Caching > Details ..........................................................61
Monitor > Service > Application > RAM Caching > Objects .........................................................63
Monitor > Service > Application > RAM Caching > Replacement ................................................64
Monitor > Service > Application > RAM Caching > Memory Usage .............................................64
Monitor > Service > Application > FTP .........................................................................................65
Monitor > Service > Application > Net ..........................................................................................65
Monitor > Service > Application > ICMP .......................................................................................67
Monitor > Service > Application > Switch .....................................................................................67
Monitor > Network .................................................................................................................................69
Monitor > Network > Interface > LAN ...........................................................................................69
Statistics Table .............................................................................................................................70
Statistics Graphs ..........................................................................................................................70
Changing the Date and Time Span of the Statistics .....................................................................71
Refreshing Statistics .....................................................................................................................71
Clearing Statistics .........................................................................................................................71
Monitor > Network > Trunk > Trunk .............................................................................................72
Monitor > Network > VLAN > VLAN .............................................................................................72
Monitor > Network > ACL > IPv4 ACL ..........................................................................................72
Monitor > Network > ACL > IPv6 ACL ..........................................................................................73
Monitor > Network > ARP > IPv4 ARP .........................................................................................73
Monitor > Network > ARP > IPv6 Neighbor .................................................................................74
Monitor > Network > Route > IPv4 Route Table ..........................................................................74
Monitor > Network > Route > IPv4 Forwarding ...........................................................................75
Monitor > Network > Route > IPv6 Forwarding ...........................................................................75
Monitor > System...................................................................................................................................76
Monitor > System > Admin ...........................................................................................................76
Monitor > System > Admin > Admin Session ...............................................................................76
Monitor > System > Admin > Admin Locked ................................................................................77
Monitor > System > Logging ........................................................................................................78
Monitor > System > Logging > Logging ........................................................................................78
Monitor > System > Logging > Show Tech ..................................................................................79
Monitor > HA ..........................................................................................................................................79
Monitor > HA > Group ...................................................................................................................79
Monitor > HA > Status ...................................................................................................................80

Config Mode ..... 83

Config Modules......................................................................................................................................83
Config Menu Tree...................................................................................................................................84


Config > Get Started.............................................................................................................................. 86


Config Mode > Get Started > Basic System ................................................................................ 86
Config > Service .................................................................................................................................... 87
Config > Service > SLB ................................................................................................................. 87
Config > Service > SLB > Virtual Server ...................................................................................... 87
Config > Service > SLB > Service Group ..................................................................................... 96
Config > Service > SLB > Server ............................................................................................... 100
Config > Service > SLB > Template ........................................................................................... 105
Config > Service > SLB > Class List .......................................................................................... 118
Config > Service > SLB > LID .................................................................................................... 122
Config > Service > SLB > Global ............................................................................................... 124
Config > Service > Template ...................................................................................................... 129
Config > Service > Template > Application > HTTP .................................................................. 129
Config > Service > Template > Application > PBSLB Policy ...................................................... 135
Config > Service > Template > Application > RAM Caching ...................................................... 138
Config > Service > Template > Application > SMTP .................................................................. 140
Config > Service > Template > Application > SIP ...................................................................... 142
Config > Service > Template > Application > RTSP .................................................................. 145
Config > Service > Template > Application > DNS .................................................................... 146
Config > Service > Template > Connection Reuse .................................................................... 147
Config > Service > Template > L4 > TCP .................................................................................. 148
Config > Service > Template > L4 > UDP .................................................................................. 149
Config > Service > Template > Persistent > Cookie Persistence .............................................. 150
Config > Service > Template > Persistent > Destination IP Persistence ................................... 152
Config > Service > Template > Persistent > Source IP Persistence .......................................... 155
Config > Service > Template > Persistent > SSL Session ID Persistence ................................ 157
Config > Service > Template > SSL > Client SSL ...................................................................... 157
Config > Service > Template > SSL > Server SSL .................................................................... 160
Config > Service > Template > TCP Proxy ................................................................................ 161
Config > Service > Health Monitor ............................................................................................. 162
Config > Service > Health Monitor > Health Monitor .................................................................. 163
Config > Service > Health Monitor > External Program ............................................................. 172
Config > Service > Health Monitor > Data File ........................................................................... 173
Config > Service > Health Monitor > Global ............................................................................... 173
Config > Service > PBSLB .......................................................................................................... 174
Config > Service > Firewall ......................................................................................................... 175
Config > Service > Firewall > Firewall Group ............................................................................. 175
Config > Service > Firewall > Firewall Virtual Server ................................................................. 177
Config > Service > Firewall > Firewall Node .............................................................................. 179
Config > Service > GSLB ............................................................................................................ 180
Config > Service > GSLB > DNS Proxy ..................................................................................... 180
Config > Service > GSLB > Geo-location .................................................................................. 182
Config > Service > GSLB > Policy ............................................................................................. 183

Config > Service > GSLB > Service IP .......................................................................................190


Config > Service > GSLB > Site .................................................................................................192
Config > Service > GSLB > Zone ...............................................................................................196
Config > Service > GSLB > Global .............................................................................................201
Config > Service > aFleX .............................................................................................................203
Config > Service > IP Source NAT .............................................................................................203
Config > Service > IP Source NAT > IPv4 Pool .........................................................................205
Config > Service > IP Source NAT > IPv6 Pool .........................................................................205
Config > Service > IP Source NAT > Group ...............................................................................206
Config > Service > IP Source NAT > Binding .............................................................................207
Config > Service > IP Source NAT > Interface ...........................................................................207
Config > Service > IP Source NAT > NAT Range ......................................................................207
Config > Service > IP Source NAT > Static NAT ........................................................................208
Config > Service > IP Source NAT > Global ..............................................................................208
Config > Service > SSL Management ........................................................................................210
Config > Service > SSL Management > Certificate ....................................................................210
Config > Service > SSL Management > Cert Revocation List ....................................................214
Config > Network
Config > Network > Interface
Config > Network > Interface > LAN
Config > Network > Interface > Management
Config > Network > Interface > Transparent
Config > Network > Interface > Virtual
Config > Network > Interface > Global
Config > Network > Trunk
Config > Network > VLAN
Config > Network > VLAN > VLAN
Config > Network > VLAN > MAC
Config > Network > VLAN > Global
Config > Network > ACL
Config > Service > ACL > Standard
Config > Service > ACL > Extended
Config > Service > ACL > IPv6
Config > Network > ARP
Config > Network > ARP > IPv4 ARP
Config > Network > ARP > IPv6 Neighbor
Config > Network > ARP > Global
Config > Network > Route
Config > Network > Route > IPv4 Static
Config > Network > Route > IPv6 Static
Config > Network > DNS
Config > Network > ICMP Rate Limiting
Config > Network > BPDU-Fwd-Group

Config > System
Config > System > Settings
Config > System > Settings > Web
Config > System > Settings > Terminal > CLI
Config > System > Settings > Terminal > Banner
Config > System > Settings > Log
Config > System > Settings > General
Config > System > Settings > Boot
Config > System > Settings > Action
Config > System > Admin
Config > System > Admin > Administrator
Config > System > Admin > Partition
Config > System > Admin > Lockout Policy
Config > System > Admin > External Authentication
Config > System > Admin > Change Password
Config > System > Access Control
Config > System > Time
Config > System > SNMP
Config > System > Maintenance
Config > System > Maintenance > Upgrade
Config > System > Maintenance > Backup
Config > System > Maintenance > Restore
Config > HA
Config > HA > Setting
Config > HA > Setting > HA Global
Config > HA > Setting > HA Inline Mode
Config > HA > Setting > HA Interface
Config > HA > Config Sync


Introduction
The AX Series GUI enables you to manage the device with a Web browser.
The GUI runs as a Web server on the AX device.
Table 1 lists the browser versions supported by the AX management GUI in
AX Release 2.4.
TABLE 1 GUI Browser Support

Platform   IE 6.0-8.0   Firefox 2.x-3.x   Safari 3.0      Chrome
Windows    Supported    Supported         Not Supported   Not Supported
Linux      N/A          Supported         N/A             N/A
MAC        N/A          N/A               Supported       N/A

The browser used to access the AX GUI must support encryption keys of
128 bits or longer. Beginning in AX Release 2.4.2, shorter encryption keys
(for example, 40 bits) are not supported. The browser also must support
SSLv3 or TLS 1.0. Browsers that support only SSLv2 are not supported.
A screen resolution of at least 1024x768 is recommended.
After upgrading an AX device from a previous release, clear your browser
cache to ensure proper display of the GUI.

Login
To access the GUI:
1. In a Web browser, enter https://ip-addr, where ip-addr is the IP address
of the AX device.
A login dialog appears, as shown in Figure 2.
2. Enter a valid user name and password and click OK.
Default user name: admin
Default password: a10

FIGURE 2 Login

Note: The AX device has a default admin user name and password. A10 Networks recommends that you change the admin name and password when you first deploy the switch.
After successful login, the Summary screen is displayed, as shown in
Figure 3. The Summary screen provides a high-level view of the AX configuration and status.

FIGURE 3 Monitor > Overview > Summary

The GUI consists of the following main components:
- Mode tabs: Monitor Mode and Config Mode
- Module buttons: use to select a feature area (module) on the AX device
- Menus: move the mouse over a menu to view its commands
- Main display area: where monitoring and configuration is performed and where management information is displayed
- Global buttons: Save, Logout and Help are always available

These components are described further in "GUI Features" on page 16.


Redirection of HTTP To HTTPS


By default, redirection of HTTP to HTTPS is enabled for access to the management GUI. As a result, even if both HTTP and HTTPS web access are
enabled on an AX interface, HTTP requests sent to the interface will be
redirected to HTTPS.
To disable redirection of HTTP to HTTPS, enter the following command at
the global configuration level of the CLI:
no web-service auto-redir
If you are already logged into the GUI and want to change the setting for the
next login, you can disable redirection from within the GUI:
1. Select Config > System > Settings.
2. In the Web section of the page, click on the Re-direct HTTP to HTTPS
checkbox to deselect the option.
3. Click OK.
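
The redirection setting described above and the encryption requirements listed in the Introduction (keys of 128 bits or longer, no SSLv2) can be verified from a management workstation. The following Python script is an added example, not part of the A10 documentation or software; the function names, ports 80 and 443, the constructed sample values, and the decision to skip certificate verification (the device is assumed to present a self-signed certificate) are assumptions.

```python
"""Check an AX management interface against the transport settings
described in this reference. Added example; not A10 code."""
import http.client
import socket
import ssl
import sys
from urllib.parse import urlsplit

MIN_SECRET_BITS = 128            # "encryption keys of 128 bits or longer"
REJECTED_PROTOCOLS = {"SSLv2"}   # SSLv2-only clients are not supported


def check_redirect(status, location):
    """Evaluate the reply to a plain-HTTP GET of "/".

    status is None when the HTTP port did not answer. Returns (ok, reason);
    ok is True when no page is served over cleartext HTTP.
    """
    if status is None:
        return True, "HTTP port closed; only HTTPS is reachable"
    if 300 <= status < 400 and location:
        if urlsplit(location).scheme.lower() == "https":
            return True, "HTTP redirected to HTTPS"
        return False, f"redirect target is not HTTPS: {location}"
    return False, f"HTTP served without redirect (status {status})"


def check_tls(version, cipher):
    """Evaluate ssl.SSLSocket.version() and ssl.SSLSocket.cipher().

    cipher is the (name, protocol that defines it, secret bits) tuple.
    """
    if version is None or cipher is None:
        return False, "no TLS session negotiated"
    name, _defined_in, bits = cipher
    if version in REJECTED_PROTOCOLS:
        return False, f"{version} negotiated"
    if bits is None or bits < MIN_SECRET_BITS:
        return False, f"{name}: {bits}-bit key is below {MIN_SECRET_BITS}"
    return True, f"{name} over {version}, {bits}-bit key"


def probe(host, timeout=5.0):
    """Connect to the device and return (redirect result, TLS result)."""
    status = location = None
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")          # inspect the reply, do not follow it
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        pass                              # port 80 closed or filtered
    finally:
        conn.close()

    # Assumption: self-signed management certificate, so verification is
    # off; only the negotiated parameters are inspected here.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    version = cipher = None
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                version, cipher = tls.version(), tls.cipher()
    except OSError:
        # ssl.SSLError is an OSError. A current client may refuse the
        # SSLv3/TLS 1.0 versions this release documents; that shows up
        # here as a failed handshake.
        pass
    return check_redirect(status, location), check_tls(version, cipher)


# Constructed observations (192.0.2.10 is a documentation address).
SAMPLES = {
    "redirection enabled (default)": (302, "https://192.0.2.10/"),
    "after 'no web-service auto-redir'": (200, None),
}

if __name__ == "__main__":
    if len(sys.argv) == 2:
        for ok, reason in probe(sys.argv[1]):
            print("PASS" if ok else "FAIL", reason)
    else:
        for label, (status, location) in SAMPLES.items():
            ok, reason = check_redirect(status, location)
            print(f"{label}: {'PASS' if ok else 'FAIL'} ({reason})")
```

Run it with the device's management IP address as the only argument to probe a live device, or with no argument to evaluate the constructed samples.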

GUI Features
This section describes the display and configuration controls of the GUI.

Mode Tabs and Module Buttons


The left panel of the GUI has two Mode tabs (Monitor and Config) and
large module buttons for selecting the functional modules, as shown in
Figure 4. Depending on the privilege level configured for the admin who
logs in, some modules may not be available.

FIGURE 4 Modes - Monitor (left) and Config (right)

Module buttons are available on the following two Mode tabs:
- Monitor Mode: described in detail in "Monitor Mode" on page 29
- Config Mode: described in detail in "Config Mode" on page 83

After you click a mode tab, it darkens to indicate it is active. The inactive mode is light. The available module buttons are listed on the left. The active module shows the down arrow and its available sub-modules in light blue beneath its down arrow.
Click sub-module hyperlinks to display information or input fields for that
sub-module. The hyperlink for the selected module is highlighted in red.
Selecting a module button does not automatically select a sub-module
available under the module. The display area continues to contain the
information for the previously selected sub-module until you select a new
sub-module.

Note: In this document and other AX documents, to indicate the path you use to
navigate to a specific module, sub-module, and menu option, the selection
sequences are shown as follows:
Mode > Module > Sub-Module > Menu

For example, to navigate to the SLB real server table as shown in Figure 5,
use the following path:
Config > Service > SLB > Server

FIGURE 5 Config Mode > Service > SLB > Server

Menus
The top panel contains the menu bar, to the right of the mode tabs. Menus
change depending on which module and sub-module are currently selected.
Some displays include tables or configuration pages. Others display drop-down menus of actions or of additional options. The active menu bar item is
highlighted in yellow.
Figure 5 on page 18 shows the menu bar for Config > Service > SLB. In this
example, the Server menu option is selected.

Main Display Area


This is where monitoring and configuration is performed and where management information is displayed.


Global Buttons
The banner at the top of the GUI displays the Save, Logout and Help buttons, which are always available from anywhere in the GUI.
FIGURE 6 Save, Logout, and Help Options

Save
The Save button saves configuration changes that are in the running configuration to the startup configuration file. When the running configuration
currently has unsaved changes, this button flashes red. Click it to save
changes that have been made since the last save.

Logout
Logout ends the current GUI session. Your login name is shown in parentheses. In this example, the login name is admin.

Help
Clicking the Help button displays context-sensitive online help.

HA
Indicates the current High Availability (HA) status of the AX device:
- Active
- Standby
- Not Configured

If HA is configured, the status of configuration synchronization between the AX devices is also shown:
- Sync
- Not-Sync

Clicking on the status provides a shortcut to display HA statistics, and is equivalent to selecting Monitor > HA > Group.

Action Buttons
Some lists of configuration items, such as the list of real servers, have the following buttons:
- Add: Displays a page containing configuration fields for creating a new item.
- Delete: Deletes the selected items. Select the checkbox next to each item to be deleted, then click Delete.
- Edit: In most cases, displays a page that allows you to change specific common parameters for all the selected items.
- Enable: Enables the selected items.
- Disable: Disables the selected items.

Note: Some pages have checkboxes to select individual items, as well as a checkbox to select all items. The checkbox for selecting all items selects a maximum of 500 items.

Most configuration pages have the following action buttons:
- OK: Adds the new item to the AX device's running configuration (running-config) and re-displays the table that lists the configured items.
  Note: This action does not save configuration changes. To save changes, you must write them to the startup configuration file. Select the Save option in the upper right corner of the AX GUI window. (See "Save" on page 19.)
- Cancel: Cancels configuration of the new item and re-displays the table that lists the configured items.

Tabular Displays
Data and configured items are displayed in tables such as the ones shown in
Figure 5 and Figure 7.

FIGURE 7 Example Tabular Display - Monitor > Service > SLB List

Generally, Monitor displays show statistics whereas Config displays show configuration information. Some Monitor displays also have a Statistics column, which contains icons you can click on to display graphs of the statistics. (See "Graph Display Options" on page 25.)
Each tabular display has columns that list the names of the configuration
items. In some of the Config tabular displays, the names of the configuration items are hyperlinks. You can click on the name of a configuration item
to display a configuration page for the item. You also can perform actions
on configuration items by selecting the checkboxes next to the item names,
then clicking an action button. (See Figure 5 on page 18.)

Action Buttons
Most tabular displays for configuration items have the following action buttons:
- Add: Displays a configuration page to add a new item. (Figure 11 on page 24 shows an example.)
- Delete: Deletes the selected configuration items. To perform this action, click on the checkboxes next to the items you want to delete, then click Delete.

These buttons are located under the table.
A few displays have other action buttons. These are described where applicable in the operational procedures in the AX Series Configuration Guide.

Navigation Controls
If a table has more items than can be displayed in a single page, the GUI
displays page navigation controls.

FIGURE 8 Page Navigation Controls

The summary buttons (the arrow buttons; start, left, right, and end) provide
browser-like navigation through the pages of table rows.
The numbers in brackets indicate the entry numbers displayed on the current page. The number following the forward slash indicates the total number of entries that match the display criteria (display filters).
The drop-down list specifies how many rows to display on a single page.
You can select one of the following: 50, 10, 20, 100, or Show All. The
default is 50.

Display Filters
Many tables also provide options to filter the display to show only the
entries you want to see. For example, the SLB real server table (shown in
Figure 5 on page 18) allows you to filter based on name, description, or
both. To filter the display:
1. Select the column by which to filter.
2. Enter a search string.
3. Click Find.
To find multiple, similar entries, you can enter the part of the name that is
common for all entries. For example, to display all servers that have "rs" in
the name, make the selections shown in Figure 9.

FIGURE 9 Display Filter Example


Configuration Pages
Configuration pages enable you to enter configuration information. In some
cases, a configuration page is displayed when you select a menu option. For
example, selecting Config > Network > DNS > DNS displays the configuration page shown in Figure 10.
FIGURE 10 Example Configuration page - Config > Network > DNS

In other cases, the menu option displays a list of configured items, such as
the list of configured real servers shown in Figure 5 on page 18. To configure a new server, click the Add button, located under the list of servers. The
server configuration page appears, as shown in Figure 11.

FIGURE 11 Example Configuration page - Config > Service > SLB > Server


Graph Display Options


Statistics are available in both tabular and graph displays.
You can modify the data refresh rate and the time span for statistics.
Caution: Setting a GUI window to automatically refresh its data will prevent the web session from timing out. If you set a GUI page to automatically refresh data, do not leave the session unattended if the PC is in an unsecure location.
You also can disable or re-enable display of individual graphs. To disable
display of a graph, click the check box next to the graph name to clear the
checkbox. For example, to disable display of the Bytes graph in Figure 7 on
page 21, click the Bytes checkbox to clear it.
The other display options are described in the following sections.

Data Refresh
Statistics counters start incrementing from 0 after the most recent reboot or
the most recent clear performed by an administrator.
To refresh the display with the latest counter values, click Refresh.
You also can enable automatic refresh.
- For system statistics (Monitor > Overview > Statistics), you can select to refresh at one of the following intervals:
  - 1 minute
  - 5 minutes
  - 10 minutes
  - 30 minutes
- For performance statistics (Monitor > Overview > Performance), you can enter a refresh rate from 5-120 seconds.

By default, automatic refresh is disabled.
To clear the counters, click Clear.


Time Span
The horizontal (x) axis of each graph shows the time span of the data in the
graph. The same time span is used for all four graphs.
To change the time span, do one of the following:
- Select a new span from the pull-down list to the left of the Start Time field. The spans you can select range from the most recent 30 minutes to the most recent 30 days.
- Use the calendars to select specific start and end dates and times.

To select a date and time using the calendars:

1. Click the calendar icon next to Start Time or End Time.
(They must be selected separately.)
2. Select the month and year.
To scroll through years, click double brackets (<< or >>).
To scroll through months, click a single bracket (< or >).
3. Select the day of the month.
To change the day of the week that starts each week, click the day (Mon,
Tue, and so on).
4. Select the time. Place the cursor over the hours or minutes counter and
do one of the following:
   - To select a later time, click on the hours or minutes counter to scroll forward.
   - To select an earlier time, hold Shift and click on the hours or minutes counter to scroll backward.
5. Click x in the upper right corner of the calendar to save the settings and
close the calendar.
The date and time you selected appear in the Start Time or End Time
field.
6. Click Go to redraw the graphs using the new time span.


Web Timeout
Web Timeout is used to prevent blockage of admin access caused by users
who do not log off. The timeout counter indicates the amount of time
remaining before the session is automatically closed.
Select Config > System > Settings > Web to view or set the Web Timeout
value in minutes.
Clicking any AX GUI button or menu option also resets the timer.
One minute before a session times out, a timer appears on the left side of the
GUI window, under the Monitor and Config links. You can click the Reset
button under the timer to reset the timer for your GUI session. If you do not
click Reset or another button or menu option before the timer reaches 0, the
session is terminated.
Caution: After the Web timer expires, the AX device ends the GUI session. No warning or confirmation message appears. If you are entering configuration information but have not yet clicked OK, the configuration information is lost.

System Partitions
Role-Based Administration (RBA) allows the AX device to be segmented
into multiple administrative domains called partitions. If RBA is configured, the resources accessible to you in the GUI depend on the privilege
level for the admin account you use to log in:
- If you are logged in with an admin account that has Root, Read-Write, or Read-Only privileges, the resources in the shared partition and all private partitions are displayed by default.
- If you are logged in with an admin account that has Partition Write Admin or Partition Read Admin privileges, the GUI presents only the resources in the device's shared partition and in your private partition. In this case, you can view the objects in the shared partition but you cannot configure them. Depending on your admin privilege level, you can view only or view and configure the resources in your shared partition. Resources in other partitions are not accessible.
- If you are logged in with an admin account that has Partition RS Operator privileges, you can view service port statistics for real servers in the partition, and disable or re-enable real servers and service ports in the partition. Admins with this access level can not view additional resources and can not change the view to another partition.
Admins with Root, Read-write, or Read-only privileges can select the partition to view. To change the view to another partition:
1. On the title bar, select the private partition from the Partition drop-down
list.
A dialog appears, asking you to confirm your partition selection.
2. Click Yes.
3. Click the Refresh button next to the Partition drop-down list. You must
refresh the page in order for the view change to take effect.
System administration tasks such as saving the configuration and HA configuration synchronization apply only to the currently selected partition.
Note: For more information about this feature, see the "Role-Based Administration" chapter in the AX Series Configuration Guide.


Monitor Mode
The Monitor Mode enables you to monitor systems and activities controlled
by the AX device.

Monitor Modules
The Monitor Mode offers the following sub-modules for observing
AX Series network and performance settings and operations.
- Overview
- Service
- Network
- System
- HA

FIGURE 12 Monitor Mode

Monitor Menu Tree


The Monitor module has the following sub-modules and menu options.
Monitor Mode > Overview
Summary
Status

Monitor Mode > Service


SLB

Interface

Virtual Server
Service Group

Statistics
Performance

Connection
Attack Prevention

LAN
Trunk

Server
VLAN
Health Monitor

Summary
Overview

Monitor Mode > Network

ACL
Firewall

IPv4 ACL

Firewall Group

IPv6 ACL

Firewall Virtual Server


Firewall Node

ARP
IPv4 ARP

PBSLB

IPv6 Neighbor

Statistics
Client Query
Blacklist/Whitelist

Route
IPv4 Route Table
IPv4 Forwarding

GSLB

IPv6 Forwarding

Site
Zone

Monitor > System

Protocol

Admin

aFleX

Admin Session

IP Source NAT

Admin Locked

Pool

Logging

Static NAT

Logging
Show Tech

Application
Proxy
Connection Reuse

Monitor > HA

Persistent

Group

SSL

Status

RAM Caching
FTP
Net
ICMP
Switch


Monitor > Overview


The Monitor sub-modules show basic status and configuration information
for the AX device.

Monitor > Overview > Summary


This page is the first page displayed when you log onto the GUI. The page
shows configuration and status information for the device.
The graphical representation of the AX device shows the following information:
- Link status of the Ethernet data interfaces:
  - 1-Gigabit interface is up.
  - 1-Gigabit interface is down.
  - 10-Gigabit copper interface is up.
  - 10-Gigabit copper interface is down.
  - 10-Gigabit fiber interface is up.
  - 10-Gigabit fiber interface is down.
- Status of the hard disk:
  - Green: The disk is active.
  - Red: The disk is inactive.

To display the interface type and IP address for a port, move the mouse
pointer over the port's icon.
Likewise, to display the status of a hard disk, move the mouse pointer over
the icon of the disk.


System Information
Table 2 describes the types of information shown in this section.
TABLE 2 Monitor > Overview > Summary - System Information

Field                   Description
Serial Number           Serial number of the AX device.
Current Time            Current system time when the page was displayed.
Startup Mode            Image area from which the system image and startup-config were loaded after the most recent reboot.
Software Version        System image version that is currently running.
Advanced Core OS        Labels the image location for the system images listed below.
On Hard Disk            Software image versions installed on the hard disk. The image listed on the left is in the primary image area of the hard disk. The image listed on the right is in the secondary image area.
On Compact Flash        Software image versions installed on the compact flash. The image listed on the left is in the primary image area of the compact flash. The image listed on the right is in the secondary image area.
Firmware Version        Firmware version running on the device.
aFleX Engine Version    Version of the aFleX processing engine running on the device.
Last Config Saved At    System time when the running-config was most recently saved to the startup-config.
Technical Support       Web link to access the A10 Networks support site.

Device Information
Table 3 describes the types of information shown in this section.
TABLE 3 Monitor > Overview > Summary - Device Information

Field                 Description
CPU Count / Status    Count shows the number of CPUs in the system. The count includes the Control CPU and the Data CPUs. Status shows the aggregate status of the CPUs.
CPU Temperature       Current temperature inside the chassis.
Disk Usage            Size of the dual hard disk and the amount that contains data.
Fan Status            Operational status of the system fans, and the rotations per minute (RPMs) of each fan.
Power Supply          Status of the power supplies.

Feature Configuration
Table 4 describes the types of information shown in this section.
TABLE 4 Monitor > Overview > Summary - Feature Configuration

Field                       Description
Service Groups              Number of Server Load Balancing (SLB) service groups configured on the device. A service group is a set of real servers and service ports.
Virtual Servers             Number of Server Load Balancing (SLB) virtual servers configured on the device. A virtual server is the server to which clients send requests. The AX device selects real servers from the service group bound to the virtual server to fulfill the client requests.
Servers                     Number of SLB real servers configured on the device.
Firewall Group              Number of Firewall Load Balancing (FWLB) groups configured on the device.
Firewall Virtual Servers    Number of Firewall Load Balancing (FWLB) virtual servers configured on the device. FWLB load balances traffic across multiple firewalls. Note: The configuration contains one firewall virtual server by default that cannot be deleted. However, this server has no effect unless you configure FWLB. The firewall virtual server is not itself a security feature. (It is not a firewall.) It is a configuration element for load balancing traffic through firewalls (other devices).
Firewall Nodes              Number of firewalls configured for FWLB.
GSLB Sites                  Number of Global Server Load Balancing (GSLB) sites configured on the device. GSLB extends SLB load balancing to global geographic scale, by modifying DNS query replies to clients so that clients are directed to the best site.
GSLB Zones                  Number of GSLB zones configured on the device. A GSLB zone is the domain managed by GSLB.
PBSLBs                      Number of black/white lists imported for use by Policy-Based SLB. PBSLB allows you to "black list" or "white list" individual clients or client subnets. For clients that you allow, you can specify the SLB service group to use. You also can specify the action to perform (drop or reset) on new connections that exceed the configured connection threshold for the client address.
aFleX                       Number of aFleX policies imported onto the AX device. aFleX policies are scripts written using an A10 Networks Tcl-like scripting language. You can configure aFleX policies to perform custom SLB tasks not supported by the AX standard features. For more information, see the AX Series aFleX Scripting Language Reference.
SSL Acceleration            State of the SSL Acceleration module on the AX device.
High Availability           State of the High Availability (HA) feature. HA provides system-level redundancy, using a pair of AX devices. If one AX device becomes unavailable, the other AX device takes over to continue servicing clients.
Connection Mirror           State of the connection mirroring feature (also called session synchronization). Connection mirroring is an optional part of HA configuration. When configured, this feature enables the AX devices to share information about active client sessions. If a failover occurs, client sessions continue uninterrupted.

CPU Usage Chart


The CPU Usage chart shows CPU usage statistics for the most recent 90
seconds. Click on a line in the chart for more information about the data
portrayed by the line.
For a larger graph showing a longer timespan, select Monitor > Overview >
Statistics.

Memory Usage Chart


The Memory Usage chart shows memory usage statistics for the most recent
90 seconds. Click on a line in the chart for more information about the data
portrayed by the line.

For a larger graph showing a longer timespan, select Monitor > Overview >
Statistics.

Monitor > Overview > Status


This page shows status information for all virtual servers configured on the
device. It also shows Syslog entries for all areas of the system.

Virtual Server Status


Virtual server status is displayed at the top of the page. The virtual server
names in the Name column are hyperlinks. You can click on a virtual server
name to display status information for the individual virtual service ports
configured on the virtual server.

Table 5 describes the columns in this display.
TABLE 5 Monitor > Service > SLB > Virtual Server
Field: Description
Name: Name of the virtual server. Click on a virtual server name to display statistics for the individual virtual service ports on the virtual server.
    The icon to the left of the virtual server or individual virtual port indicates its status. The icon shows the state of the virtual server:
    Running. All virtual ports on the virtual server are Running.
    Functional Running. Some of the virtual ports are Running or Functional Running, but at least one of them is not Running.
    Partial Running. At least one virtual port is Running or Functional Running, but at least one other virtual port is Down.
    Down. All the virtual ports are Down.
    Disabled. The virtual server has been administratively disabled.
    If you click on a virtual server name, the individual virtual ports are listed. The state of a virtual port is shown as follows:
    Running. All members (real servers and ports) in all service groups bound to the virtual port are up.
    Functional Running. At least one member in a service group bound to the virtual port is up, but not all members are up.
    Down. All members in all service groups bound to the virtual port are down.
    Disabled. The virtual port has been administratively disabled.
Current Connections: Current number of connections to the virtual server.
Total Connections: Total number of connections to the virtual server since the last time statistics were cleared.
Packets RX: Total number of packets received on the virtual server since the last time statistics were cleared.
Packets TX: Total number of packets sent to the firewall virtual server since the last time statistics were cleared.
Bytes RX: Total number of bytes received on the firewall virtual server since the last time statistics were cleared.
Bytes TX: Total number of bytes sent to the firewall virtual server since the last time statistics were cleared.
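
The state definitions in Table 5, worked as an added example (not A10 code): a Python roll-up from member health to virtual-port state to virtual-server state, the kind of check used when alerting on availability from polled data. The function names, the sample inventory and two readings are assumptions: Functional Running for a virtual server is taken to mean that no virtual port is Down, and administratively disabled ports are left out of the server roll-up.

```python
from enum import Enum


class State(Enum):
    RUNNING = "Running"
    FUNCTIONAL_RUNNING = "Functional Running"
    PARTIAL_RUNNING = "Partial Running"
    DOWN = "Down"
    DISABLED = "Disabled"


def virtual_port_state(members_up, enabled=True):
    """State of one virtual port.

    members_up holds one bool per member (real server and port) across
    all service groups bound to the virtual port.
    """
    if not enabled:
        return State.DISABLED
    if members_up and all(members_up):
        return State.RUNNING
    if any(members_up):
        return State.FUNCTIONAL_RUNNING
    # All members are down. Assumption: a port with no members is also Down.
    return State.DOWN


def virtual_server_state(port_states, enabled=True):
    """Roll the virtual-port states up into the virtual-server state."""
    if not enabled:
        return State.DISABLED
    # Assumption: administratively disabled ports are left out of the roll-up.
    active = [s for s in port_states if s is not State.DISABLED]
    if not active or all(s is State.DOWN for s in active):
        return State.DOWN
    if all(s is State.RUNNING for s in active):
        return State.RUNNING
    if any(s is State.DOWN for s in active):
        # Something is still serving, but at least one port is Down.
        return State.PARTIAL_RUNNING
    # No port is Down, but at least one is only Functional Running.
    return State.FUNCTIONAL_RUNNING


# Constructed inventory: virtual server -> {virtual port: member health}.
SAMPLE = {
    "vip-web": {80: [True, True], 443: [True, True]},
    "vip-api": {8443: [True, False]},
    "vip-mail": {25: [True, True], 587: [False, False]},
    "vip-old": {8080: [False]},
}


def degraded(inventory):
    """Return {name: State} for every virtual server that is not Running."""
    result = {}
    for name, ports in inventory.items():
        states = [virtual_port_state(members) for members in ports.values()]
        state = virtual_server_state(states)
        if state is not State.RUNNING:
            result[name] = state
    return result


if __name__ == "__main__":
    for name, state in degraded(SAMPLE).items():
        print(f"{name}: {state.value}")
```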

System Log
System log entries are displayed at the bottom of the page. By default, the
100 most recent messages can be viewed on this page. All message levels
are displayed by default and the list is refreshed every 10 seconds by
default. The messages are color-coded to indicate the message level.
To change any of these settings:
1. Select Configure > System > Settings.
2. Select Log on the menu bar.
3. Click Status.
4. Change settings, then click OK.

Monitor > Overview > Statistics


This page shows graphs for the following system statistics:
Memory Usage
Disk Usage
CPU Usage

By default, statistics for the last 30 minutes are shown.


To display statistics for a longer time span, select the time span from the
drop-down list located above the Dropped column of the statistics table.
To export a copy of the statistics as a tar.gz file:
1. Click Export.
2. Navigate to the save location.

3. Optionally, edit the filename too.
4. Click Save.

Monitor > Overview > Performance


The Monitor > Overview > Performance options display feature performance statistics.
Statistics Time Span
By default, statistics for the last 30 minutes are shown.
To display statistics for a longer time span, select the time span from the
drop-down list located next to the Go button.
To display statistics for a specific time span:
1. Select the Start Time:
a. Click the calendar icon at the end of the Start Time field. A calendar
is displayed.
b. Select the date or leave the date set to the current date.
c. Edit the time or use the time value shown (the current system time
when you open the calendar).
Note: To move the calendar popup, click on the bottom row of the calendar and drag it.
2. Select the End Time using the calendar at the end of the End Time field.
Note: Statistics are available for only the most recent 30 days.
3. Click Go.

Statistics Refresh
To automatically refresh statistics, select the refresh period from the drop-down list at the right of the drop-down list for the data period. By default, automatic refresh is disabled.

Monitor > Overview > Performance > Summary


This option displays summary performance statistics for Layer 4-7 features.
Graphs are available for some groups of statistics. To display graphs, click on the link at the top of the group of statistics or click on the icon.
CPU and memory usage are displayed at the top of the page.


Monitor > Overview > Performance > Overview


This option displays graphs for the following performance statistics:
Throughput
Current Connections
New Connections
L7 Requests

You also can display these graphs by clicking on Performance or the graphics link at the top of the group of performance statistics on the Summary page.

Monitor > Overview > Performance > Connection


This option displays graphs for the following connection-reuse statistics:
HTTP Proxy Connections
Connection Reuse

You also can display these graphs by clicking on Connection Reuse or the
graphics link at the top of the group of connection reuse statistics on the
Summary page.

Monitor > Overview > Performance > Attack Prevention


This option displays a graph of SYN cookie statistics.
You also can display this graph by clicking on Attack Prevention or the
graphics link at the top of the group of attack prevention statistics on the
Summary page.


Monitor > Service


The Monitor > Service options display status information and statistics for
Layer 4-7 features.

Monitor > Service > SLB


The pages in this sub-module display Server Load Balancing (SLB) statistics. Each page shows statistics counters for connections, packets, and
bytes.
Virtual Server: Displays a row of statistics for each virtual server. Click on a virtual server name to display statistics for the individual virtual service ports on the virtual server.
Service Group: Displays a row of statistics for each service group. Click on a service group name to display statistics for the individual real service ports in the service group.
Server: Displays a row of statistics for each real server. Click on a real server name to display statistics for the individual real service ports on the server.
Each page provides the following display control links, located under the
table and above the graph display area:
Select All: Selects all the rows in the table.
Unselect All: Deselects all the rows in the table.
Expand All: Expands each row to show its constituents. For example, clicking this link on the Virtual Server page expands the table to also show all of the virtual ports on each VIP.
Collapse All: Collapses all rows in the table to show only the top-level items (for example, VIPs).


The following checkboxes appear between the table and the graph display
area. Clicking one of these checkboxes toggles display of the corresponding
column in the table.
Connections
Packets
Bytes
Description
Request


SLB Graphs
If statistical data collection is enabled for an SLB resource, the following
graphs are available for that resource:
Throughput In Bits
Current Connections

To display the graphs, click on the icon in the rightmost column for the resource. The graphs appear below the table.
The icon is available only if statistical data collection is enabled for the
SLB resource. Statistical data collection is disabled by default. To enable
it, select Enabled next to Stats Data on the configuration page for the
resource.

Note:

To clear statistics, select the checkboxes next to the items for which you
want to clear the statistics, then click Clear.
Statistics Scope
By default, all configuration items within the selected item are averaged.
For example, if you click on the icon next to a virtual server name, graphs that are displayed show the statistics for all virtual service ports in the virtual server.
To display graphs for an individual configuration item, click on the icon next to that item.

Statistics Time Span


By default, statistics for the last 30 minutes are shown.
To display statistics for a longer time span, select the time span from the
drop-down list located next to the Go button.
To display statistics for a specific time span:
1. Select the Start Time:
a. Click the calendar icon at the end of the Start Time field. A calendar
is displayed.
b. Select the date or leave the date set to the current date.
c. Edit the time or use the time value shown (the current system time
when you open the calendar).

Note: To move the calendar popup, click on the bottom row of the calendar and drag it.
2. Select the End Time using the calendar at the end of the End Time field.
Note: Statistics are available for only the most recent 30 days.
3. Click Go.

Statistics Refresh
To automatically refresh statistics, select the refresh period from the drop-down list at the right of the drop-down list for the data period. By default, automatic refresh is disabled.

Monitor > Service > SLB > Virtual Server


The page shows SLB statistics for virtual servers.
Table 6 describes the columns in this display.
TABLE 6 Monitor > Service > SLB > Virtual Server
Field: Description
Name: Name of the virtual server. Click on this row to display statistics for individual service ports. The icon to the left of the server name or service port number indicates its status. (For descriptions, see Table 5 on page 36.)
Current Connections: Current number of connections to the virtual server or individual service.
Total Connections: Total number of connections to the virtual server or individual service since the last time statistics were cleared.
Packets Forward: Total number of packets that the virtual server or individual virtual service received from the client and forwarded to the server since the last time statistics were cleared.
Packets Reverse: Total number of packets that the virtual server or individual virtual service received from the server and reverse-forwarded to the client since the last time statistics were cleared.
Bytes Forward: Total number of bytes that the virtual server or individual virtual service received from the client and forwarded to the server since the last time statistics were cleared.
Bytes Reverse: Total number of bytes that the virtual server or individual virtual service received from the server and reverse-forwarded to the client since the last time statistics were cleared.
Statistics (unlabeled): Provides access to statistics. (See SLB Graphs on page 41.)

Monitor > Service > SLB > Service Group


The page shows SLB statistics for service groups.
Table 7 describes the columns in this display.
TABLE 7 Monitor > Service > SLB > Service Group
Field: Description
Name: Name of the service group. Click on this row to display statistics for individual service ports. The icon to the left of the service group name or service port number indicates its status: whether the service group or service is up or down.
Type: Layer 4 transport protocol used by services in the service group, TCP or UDP.
Current Connections: Current number of connections to the service group or individual service.
Total Connections: Total number of connections to the service group or individual service since the last time statistics were cleared.
Packets Forward: Total number of packets forwarded to the service group or individual service member since the last time statistics were cleared.
Packets Reverse: Total number of packets reverse-forwarded from the service group or individual service member since the last time statistics were cleared.
Bytes Forward: Total number of bytes forwarded to the service group or individual service member since the last time statistics were cleared.
Bytes Reverse: Total number of bytes reverse-forwarded from the service group or individual service member since the last time statistics were cleared.
Statistics (unlabeled): Provides access to statistics. (See SLB Graphs on page 41.)

Monitor > Service > SLB > Server


The page shows SLB statistics for real servers.
Table 8 describes the columns in this display.
TABLE 8 Monitor > Service > SLB > Server
Field: Description
Name: Name of the real server. Click on this row to display statistics for individual service ports. The icon to the left of the server name or service port number indicates its status: whether the server or service is up or down.
Current Connections: Current number of connections to the real server or individual service.
Total Connections: Total number of connections to the real server or individual service since the last time statistics were cleared.
Packets Forward: Total number of packets forwarded to the real server or individual server port since the last time statistics were cleared.
Packets Reverse: Total number of packets reverse-forwarded from the real server or individual server port since the last time statistics were cleared.
Bytes Forward: Total number of bytes forwarded to the real server or individual server port since the last time statistics were cleared.
Bytes Reverse: Total number of bytes reverse-forwarded from the real server or individual server port since the last time statistics were cleared.
Statistics (unlabeled): Provides access to statistics. (See SLB Graphs on page 41.)

Note: For dynamically created real servers, this page shows only the first dynamically created server. To display all dynamically created servers, use the show slb server command in the CLI.

Monitor > Service > Health Monitor


The page enables you to send on-demand health checks to servers and individual services. To perform an on-demand health check:
1. Enter the IP address of the server to be tested in the IP Address field.
2. Select the IP version, IPv4 or IPv6.
3. Select the health monitor to use from the Health Monitor drop-down list.
4. To test a specific service, enter the protocol port number for the service
in the Port field.
5. Click Start.
The status of the server or service appears in the Status message area.
Note: If an override IP address and protocol port are set in the health monitor configuration, the AX device will use the override address and port instead of the address and port you specify here.

Monitor > Service > Firewall


The pages in this sub-module display Firewall Load Balancing (FWLB) statistics. Each page shows statistics counters for connections, packets, and
bytes.
Firewall Group: Displays a row of statistics for each firewall group. Click on a firewall group name to display statistics for the individual firewalls in the group.
Firewall Virtual Server: Displays a row of statistics for the firewall virtual server. Click on the firewall virtual server name to display statistics for the individual virtual firewall ports on the firewall virtual server.
Firewall Node: Displays a row of statistics for each firewall. Click on a firewall name to display statistics for the individual service ports configured on the firewall, if this option was configured.

FWLB Graphs
The following graphs are available on each page:
Throughput In Bits
Current Connections
The graph controls and the types of information displayed by the graphs are
the same as those for SLB graphs. See SLB Graphs on page 41.

Monitor > Service > Firewall > Firewall Group


The page shows FWLB statistics for firewall groups.
Table 9 describes the columns in this display.
TABLE 9 Monitor > Service > Firewall > Firewall Group
Field: Description
Name: Name of the firewall group. Click on the firewall group name to display statistics for the individual firewalls or firewall service ports in the firewall group.
Current Connections: Current number of connections through the firewalls in the firewall group.
Total Connections: Total number of connections through firewalls in the firewall service group since the last time statistics were cleared.
Packets Forward: Total number of packets forwarded to the firewall service group or individual service member since the last time statistics were cleared.
Packets Reverse: Total number of packets reverse-forwarded from the firewall service group or individual service member since the last time statistics were cleared.
Bytes Forward: Total number of bytes forwarded to the firewall service group or individual service member since the last time statistics were cleared.
Bytes Reverse: Total number of bytes reverse-forwarded from the firewall service group or individual service member since the last time statistics were cleared.

Monitor > Service > Firewall > Firewall Virtual Server


The page shows FWLB statistics for the firewall virtual server.
Table 10 describes the columns in this display.

TABLE 10 Monitor > Service > Firewall > Firewall Virtual Server
Field: Description
Name: Name of the firewall virtual server. Click on the firewall virtual server name to display statistics for the individual virtual firewall ports on the firewall virtual server.
Current Connections: Current number of connections to the firewall virtual server.
Total Connections: Total number of connections to the firewall virtual server since the last time statistics were cleared.
Packets Forward: Total number of packets that the firewall virtual server or individual virtual service received from the client and forwarded to the server since the last time statistics were cleared.
Packets Reverse: Total number of packets that the firewall virtual server or individual virtual service received from the server and reverse-forwarded to the client since the last time statistics were cleared.
Bytes Forward: Total number of bytes that the firewall virtual server or individual virtual service received from the client and forwarded to the server since the last time statistics were cleared.
Bytes Reverse: Total number of bytes that the firewall virtual server or individual virtual service received from the server and reverse-forwarded to the client since the last time statistics were cleared.

Monitor > Service > Firewall > Firewall Node


The page shows FWLB statistics for individual firewalls (firewall nodes).
Table 11 describes the columns in this display.
TABLE 11 Monitor > Service > Firewall > Firewall Node
Field: Description
Name: Name of the firewall. Click on a firewall name to display statistics for the individual service ports on the firewall, if this option was configured.
Current Connections: Current number of connections to the firewall.
Total Connections: Total number of connections to the firewall since the last time statistics were cleared.
Packets Forward: Total number of packets forwarded to the firewall or individual port since the last time statistics were cleared.
Packets Reverse: Total number of packets reverse-forwarded from the firewall or individual port since the last time statistics were cleared.
Bytes Forward: Total number of bytes forwarded to the firewall or individual server since the last time statistics were cleared.
Bytes Reverse: Total number of bytes reverse-forwarded from the firewall or individual port since the last time statistics were cleared.

Monitor > Service > PBSLB


The pages in this sub-module display information for Policy-Based SLB
(PBSLB).

Monitor > Service > PBSLB > Statistics


The page shows statistics for Policy-Based SLB (PBSLB).
By default, statistics are shown for all virtual servers and black/white lists.
To filter the display for a specific virtual server or black/white list, select it
from the drop-down list.
Table 12 describes the columns in this display.
TABLE 12 Monitor > PBSLB > Statistics
Field: Description
GID: Group ID.
Established: Number of client connections established to the black/white-list group and protocol port.
Reset(A): Number of client connections reset due to the Reset action in a PBSLB policy.
Dropped(A): Number of client connections that were dropped due to the Drop action in a PBSLB policy.
Reset(COL): Number of client connections reset because they were over the connection limit specified in a PBSLB policy.
Dropped(COL): Number of client connections that were dropped because they were over the connection limit specified in a PBSLB policy.
Server Select Failures: Number of times selection of a real server failed.

Monitor > Service > PBSLB > Client Query


The page allows you to query PBSLB information. You can query based on
the following parameters:
Black/white-list name
Client IP address

Select the black/white list, specify the IP host or subnet address, and click
Find.
Table 13 describes the columns in this display.
TABLE 13 Monitor > PBSLB > Client Query
Field: Description
IP Address: Client IP address.
Service Group: Service group ID.
Connections Limit: Maximum number of new connections allowed.
Connections Current: Current number of active connections.

Monitor > Service > PBSLB > Blacklist/Whitelist


The page shows information for the black/white lists used by PBSLB.
Table 14 describes the columns in this display.
TABLE 14 Monitor > PBSLB > Blacklist/Whitelist
Field: Description
Name: Name of the black/white list.
URL: Location of the black/white list.
Size: Size of the black/white list.
Last Updated: System time when the black/white list was last updated on the AX device.
Download Times: Date and time when the black/white list was downloaded onto the AX device.

Monitor > Service > GSLB


The pages in this sub-module display information for Global Server Load
Balancing (GSLB).

Monitor > Service > GSLB > Site


This page shows information for GSLB sites.
Table 15 describes the columns in this display.
TABLE 15 Monitor > GSLB > Site
Field: Description
Site: GSLB site name.
SLB-Device: IP address of the SLB device that is managing the real servers at the site.
Server: IP address of the GSLB service.
Usage: Number of times the service IP was selected.
Service Status: GSLB service port state.

Monitor > Service > GSLB > Zone


This page shows information for GSLB zones.
Table 16 describes the columns in this display.
TABLE 16 Monitor > Service > GSLB > Zone
Field: Description
Zone: Zone name.
Service: Service type and service name.
Received Queries: Number of DNS queries received for the service.
Sent Responses: Number of DNS replies sent to clients for the service.
Proxy: Number of DNS replies sent to clients by the AX device as a DNS proxy for the service.
Cache: Number of cached DNS replies sent to clients by the AX device for the service. (This statistic applies only if the DNS cache option is enabled in the policy.)
Server: Number of DNS replies sent to clients by the AX device as a DNS server for the service. (This statistic applies only if the DNS server option is enabled in the policy.)
Sticky: Number of DNS replies sent to clients by the AX device to keep the clients on the same site. (This statistic applies only if the DNS sticky option is enabled in the policy.)

Monitor > Service > GSLB > Protocol


This page shows statistics for the GSLB protocol running on this AX
device.

Monitor > Service > aFleX


This page shows statistics for aFleX policies used on the AX device.
Table 17 describes the fields on this page.
TABLE 17 Monitor > Service > aFleX
Field: Description
Name: Name of the aFleX policy.
Event Type: Type of event used in the aFleX policy.
Total Executions: Total number of times the aFleX policy has been triggered by the event.
Failures: Total number of times the aFleX policy was triggered by the event but failed.
Aborts: Total number of times the aFleX policy was triggered by the event but was aborted.

An aFleX policy can appear in multiple rows in the table. Each row shows
counters for a different event type.
To clear counters for all events listed for an aFleX policy, select at least one
row for the aFleX policy, then click Clear.
To clear counters only for specific events, select the rows for those events,
then click Clear Event.


Monitor > Service > IP Source NAT


The pages in this sub-module display statistics for IP source NAT.

Monitor > Service > IP Source NAT > Pool


This page shows statistics for dynamic IP source NAT.
Table 18 describes the fields on this page.
TABLE 18 Monitor > Service > IP Source NAT > Pool
Field: Description
Pool: IP pool name.
Start IP Address: First IP address in the pool.
End IP Address: Last IP address in the pool.
ACL: ACLs bound to the pool, and the number of times traffic matched the ACLs. To display the ACL list, click on the plus sign.
Port Usage: Number of sessions currently being NATted for the address. Each session counted here uses a unique TCP or UDP protocol port. ICMP traffic does not cause this counter to increment.
Total Used: Total number of sessions that have been NATted for the source address.
Total Freed: Number of NATted sessions that have been terminated, thus freeing up a port for another session.
Failed: Number of dynamic NAT attempts that failed.

Monitor > Service > IP Source NAT > Static NAT


This page shows statistics for static IP source NAT.
Table 19 describes the fields on this page.
TABLE 19 Monitor > Service > IP Source NAT > Static NAT
Field: Description
Source Address: Source address bound to a NAT address.
Port Usage: Number of sessions currently being NATted for the address. Each session counted here uses a unique TCP or UDP protocol port. ICMP traffic does not cause this counter to increment.
Total Used: Total number of sessions that have been NATted for the source address.
Total Freed: Number of NATted sessions that have been terminated, thus freeing up a port for another session.

Monitor > Service > Application


The pages in this sub-module display detailed statistics for SLB services.

Monitor > Service > Application > Proxy > Fast-HTTP


This page shows SLB statistics for the Fast-HTTP service type. Statistics are listed separately for each of the AX device's CPUs.
Table 20 describes the fields on this page.
TABLE 20 Monitor > Service > Application > Proxy > Fast-HTTP
Field: Description
Curr Proxy Conns: Number of currently active connections using the fast-HTTP proxy.
Total Proxy Conns: Total number of connections that have used the fast-HTTP proxy.
HTTP Requests: Number of HTTP requests received by the fast-HTTP proxy.
HTTP Requests(succ): Number of HTTP requests successfully fulfilled (by establishing a connection to a real server).
No Proxy Error: Number of proxy errors.
Client RST: Number of times TCP connections with clients were reset.
Server RST: Number of times TCP connections with servers were reset.
No Tuple Error: Number of tuple errors.
Parse Req Fail: Number of times the HTTP parser failed to parse a received HTTP request.
Server Selection Fail: Number of times selection of a real server failed.
Fwd Req Fail: Number of forward request failures.
Fwd Req Data Fail: Number of forward request data failures.
Req Retransmit: Number of retransmitted requests.
Req Pkt Out-of-Order: Number of request packets received from clients out of sequence.
Server Reselection: Number of times initial selection of a real server for an HTTP request failed (for example, due to a TCP Reset sent by the server).
Server Premature Close: Number of times the connection with a server closed prematurely.
Server Conn Made: Number of connections made with servers.
Source NAT Failure: Number of source NAT failures.

Monitor > Service > Application > Proxy > HTTP


This page shows SLB statistics for the HTTP service type. Statistics are
listed separately for each of the AX device's CPUs.
Table 21 describes the fields on this page.
TABLE 21 Monitor > Service > Application > Proxy > HTTP
Field | Description
Curr Proxy Conns | Number of currently active HTTP connections using the AX Series device as an HTTP proxy.
Total Proxy Conns | Total number of HTTP connections that have used the AX Series device as an HTTP proxy.
HTTP Requests | Total number of HTTP requests received by the HTTP proxy.
HTTP Requests(succ) | Number of HTTP requests received by the HTTP proxy that were successfully fulfilled (by connection to a real server).
No Proxy Error | Number of proxy errors.
Client RST | Number of times TCP connections with clients were reset.
Server RST | Number of times TCP connections with servers were reset.
No Tuple Error | Number of tuple errors.
Parse Req Fail | Number of times the HTTP parser failed to parse a received HTTP request.
Server Selection Fail | Number of times selection of a real server failed.
Fwd Req Fail | Number of forward request failures.
Fwd Req Data Fail | Number of forward request data failures.
Req Retransmit | Number of retransmitted requests.
Req Pkt Out-of-Order | Number of request packets received from clients out of sequence.
Server Reselection | Number of times initial selection of a real server for an HTTP request failed (for example, due to a TCP Reset sent by the server).
Server Premature Close | Number of times the connection with a server closed prematurely.
Server Conn Made | Number of connections made with servers.
Source NAT Failure | Number of source NAT failures.
Data Before Compression / Data After Compression | These counters show statistics for HTTP compression, in bytes.

Monitor > Service > Application > Proxy > SMTP


This page shows SLB statistics for the SMTP service type. Statistics are
listed separately for each of the AX device's CPUs.
Table 22 describes the fields on this page.
TABLE 22 Monitor > Service > Application > Proxy > SMTP
Field | Description
Current Proxy Conns | Number of currently active SMTP connections using the AX Series device as an SMTP proxy.
Total Proxy Conns | Total number of SMTP connections that have used the AX Series device as an SMTP proxy.
SMTP Requests | Total number of SMTP requests received by the SMTP proxy.
SMTP Requests(succ) | Number of SMTP requests received by the AX Series device that were successfully fulfilled (by connection to a real server).
No Proxy Error | Number of proxy errors.
Client RST | Number of times TCP connections with clients were reset.
Server RST | Number of times TCP connections with servers were reset.
No Tuple Error | Number of tuple errors.
Parse Req Fail | Number of times parsing of an SMTP request failed.
Server Selection Fail | Number of times selection of a real server failed.
Fwd Req Fail | Number of forward request failures.
Fwd Req Data Fail | Number of forward request data failures.
Req Retransmit | Number of retransmitted requests.
Req Pkt Out-of-Order | Number of request packets received from clients out of sequence.
Server Reselection | Number of times a request was forwarded to another server because the current server was failing.
Server Premature Close | Number of times the connection with a server closed prematurely.
Server Conn Made | Number of connections made with servers.
Source NAT Failure | Number of source NAT failures.

Monitor > Service > Application > Proxy > SSL


This page shows SLB statistics for the SSL-Proxy service type.
Table 23 describes the fields on this page.
TABLE 23 Monitor > Service > Application > Proxy > SSL
Field | Description
Current Proxy Conns | Number of currently active connections using the AX device as an SSL proxy.
Total of Proxy Conns | Total number of connections that have used the AX device as an SSL proxy.
Client Error | Number of client errors.
Server Error | Number of server errors.
Session Not-Found | Number of times a session was not found.
No Route | Number of times no route was available.
Server Selection Fail | Number of times selection of a real server failed.
Source NAT Failure | Number of occurrences of source NAT failure.


Monitor > Service > Application > Proxy > TCP


This page shows SLB TCP-Proxy statistics. Statistics are listed separately
for each of the AX device's CPUs.
Table 24 describes the fields on this page.
TABLE 24 Monitor > Service > Application > Proxy > TCP
Field | Description
Currently EST Conns | Current number of established TCP connections being handled by the proxy.
Active Open Conns | Number of connections opened actively.
Passive Open Conns | Number of connections opened passively.
Connect Attempt Failures | Number of TCP connection attempts that failed.
Total in TCP Packets | Total number of TCP packets received by the TCP proxy.
Total out TCP Packets | Total number of TCP packets sent by the TCP proxy.
Retransmitted Packets | Number of TCP packets retransmitted by the TCP proxy.
Resets Rcvd on EST Conn | Number of TCP Resets received for established connections.
Reset Sent | Number of TCP Resets sent by the AX device.
Input Errors | Number of invalid TCP packets received by the AX device.
Sockets Allocated | Number of TCP sockets currently allocated.
Orphan Sockets | Current number of orphan sockets.
Memory Alloc | Total memory allocated for TCP.
Total Rx Buffer | Total RX buffers allocated for TCP.
Total Tx Buffer | Total TX buffers occupied by TCP.
TCP in SYN-SNT State | Current number of TCP connections in the SYN-SNT state.
TCP in SYN-RCV State | Current number of TCP connections in the SYN-RCV state.
TCP in FIN-W1 State | Current number of TCP connections in the Fin-Wait-1 state.
TCP FIN-W2 State | Current number of TCP connections in the Fin-Wait-2 state.
TCP TimeW State | Current number of TCP connections in the Time Wait state.
TCP in Close State | Current number of TCP connections in the Close state.
TCP in CloseW State | Current number of TCP connections in the Close-Wait state.
TCP in LastACK State | Current number of TCP connections in the Last-ACK state.
TCP in Listen State | Current number of TCP connections in the Listening state.
TCP in Closing State | Current number of TCP connections in the Closing state.

Monitor > Service > Application > Proxy > DNS Cache
This page shows proxy statistics for DNS caching.
Table 25 describes the fields on this page.
TABLE 25 Monitor > Service > Application > Proxy > DNS Cache
Field | Description
Total Query | Total number of DNS queries received by the AX device.
Total Server Response | Total number of responses from DNS servers received by the AX device.
Total Cache Hit | Total number of times the AX device was able to use a cached reply in response to a query.
Query Not Passed | Number of queries that did not pass a packet sanity check.
Response Not Passed | Number of responses that did not pass a packet sanity check. The AX device checks the DNS header and question in the packet, but does not parse the entire packet.
Query Encoded | Number of queries that were not cached because the domain name in the question was encoded in the DNS query packet.
Response Encoded | Number of queries that were not cached because the domain name in the question was encoded in the DNS response packet.
Query With Multiple Questions | Number of queries that were not cached because they contained multiple questions.
Response With Multiple Questions | Number of responses that were not cached because they contained answers for multiple questions.
Total Aged Out | Total number of DNS cache entries that have aged out of the cache.


Monitor > Service > Application > Connection Reuse


This page shows SLB connection reuse statistics. Statistics are listed separately for each of the AX device's CPUs.
Table 26 describes the fields on this page.
TABLE 26 Monitor > Service > Application > Connection Reuse
Field | Description
Open Persistent | Number of new client connections directed to the same server as previous connections by the persistence feature.
Active Persistent | Number of currently active connections that were sent to the same real server by the persistence feature.
Total Established | Total number of established connections.
Total Terminated | Total number of terminated connections.
Total Bound | Total number of bound connections.
Total Unbound | Total number of unbound connections.
Total Delayed Unbound | Number of connections whose unbinding was delayed.
Total Long Response | Number of responses that took too long.
Total Missed Response | Number of missed responses to HTTP requests.

Monitor > Service > Application > Persistent


This page shows SLB persistence statistics. Statistics are listed separately
for each of the AX device's CPUs.
Table 27 describes the fields on this page.
TABLE 27 Monitor > Service > Application > Persistent
Field | Description
URL Hash Persistent OK(primary) | Number of requests successfully sent to the primary server selected by URL hashing. The primary server is the one that was initially selected and then re-used based on the hash value.
URL Hash Persistent OK(secondary) | Number of requests that were sent to another server (a secondary server) because the primary server selected by URL hashing was unavailable.
URL Hash Persistent Fails | Number of requests that could not be fulfilled using URL hashing.
Source IP Persistent OK | Number of requests successfully sent to the same server as previous requests from the same client, based on source-IP persistence.
Source IP Persistent Fails | Number of requests that could not be fulfilled by the same server as previous requests from the same client, based on source-IP persistence.
SSL SID Persistent OK | Number of requests successfully sent to the same server as previous requests with the same SSL session ID.
SSL SID Persistent Fails | Number of requests that could not be fulfilled by the same server as previous requests with the same SSL session ID.
Cookie Persistent OK | Number of requests successfully sent to the same server as previous requests with the same persistence cookie.
Cookie Persistent Fails | Number of requests that could not be fulfilled by the same server as previous requests with the same persistence cookie.
Persistent Cookie Not Found | Number of requests in which a persistence cookie was not found.

Monitor > Service > Application > SSL


This page shows statistics for the AX device's SSL processing module.
Table 28 describes the fields on this page.
TABLE 28 Monitor > Service > Application > SSL
Field | Description
Number of SSL modules | Total number of SSL processing modules on the device.
Current SSL Connections | Number of currently active SSL sessions.
Total SSL Connections | Total number of SSL sessions since the last time statistics were cleared.
Failed SSL Handshakes | Number of SSL sessions in which the SSL security handshake failed.
Failed Crypto operations | Number of times an encryption/decryption failure occurred for an SSL record.
SSL Memory Usage | Amount of memory in use by the SSL processing module.
SSL fail CA verification | Number of times an SSL session was terminated due to a certificate verification failure.
No HW Context Memory | Number of times the encryption processor was unable to allocate memory.
HW ring full | Number of times the AX software was unable to enqueue an SSL record to the SSL processor for encryption/decryption. (Number of times the processor reached its performance limit.)
SSL module n | ID number of the SSL module to which the following statistics apply.
Number of Enabled Crypto Engines | Number of SSL encryption/decryption processing engines that are enabled.
Number of Available Crypto Engines | Number of SSL encryption/decryption processing engines that are available on the device.

Monitor > Service > Application > RAM Caching > Details
This page shows statistics for the RAM caching feature.
Table 29 describes the fields on this page.
TABLE 29 Monitor > Service > Application > RAM Caching > Details
Field | Description
Cache Hits | Number of times a requested page was found in the cache and served from the cache.
Cache Misses | Number of times a requested page was not found in the cache.
Memory Used | Amount of RAM currently used by cached content.
Bytes Served | Total number of bytes served from the cache.
Entries Cached | Number of objects currently in the cache.
Entries Replaced | Number of cached items that were removed to make room for newer entries, per the replacement policy.
Entries Aged Out | Number of entries that were removed because they are older than their expiration time.
Entries Cleaned | Number of cached objects that have aged out and therefore been removed from the cache.
Total Requests | Total number of requests received on all virtual server ports on which caching is configured.
Cacheable Requests | Number of requests that are potentially cacheable.
No-cache Requests | Number of requests with no-cache header directives.
No-cache Responses | Number of responses with no-cache header directives.
IMS Requests | Number of requests that contained an If-Modified-Since header.
304 Responses | Number of 304 Not Modified responses sent to clients.
Revalidation Successes | Number of entries that were successfully revalidated by the server.
Revalidation Failures | Number of times revalidation failed.
Policy URI nocache | Number of times requested content was not cached due to a URI policy.
Policy URI cache | Number of times a request was cached due to a URI policy.
Policy URI invalidate | Number of times a request was invalidated due to a URI policy.
Content Too Big | Number of cacheable items that were not cached because the file size was larger than the configured maximum content size.
Content Too Small | Number of cacheable items that were not cached because the file size was smaller than the configured minimum content size.
Srvr Resp - Cont Len | Number of responses that contained Content-Length headers.
Srvr Resp - Chnk Enc | Number of responses that were chunk encoded.
Srvr Resp - 304 Status | Number of responses that had status code 304.
Srvr Resp Other | Number of responses that were of other types.
Cache Resp - No Comp | Number of objects received from the content server that were uncompressed.
Cache Resp Gzip | Number of objects received from the content server that were compressed using gzip. Gzip is an encoding format produced by the file compression program gzip (GNU zip) as described in RFC 1952 (Lempel-Ziv coding [LZ77] with a 32 bit CRC).
Cache Resp Deflate | Number of objects received from the content server that were compressed using deflate. Deflate is the zlib format defined in RFC 1950 in combination with the deflate compression mechanism described in RFC 1951.
Cache Resp Other | Number of objects received from the content server that were compressed using compress. Compress is the encoding format produced by the common UNIX file compression program compress (adaptive Lempel-Ziv-Welch coding [LZW]).
Entry create failures | Counter used by A10 technical support for troubleshooting.

Monitor > Service > Application > RAM Caching > Objects
This page displays information about cached objects.
Table 30 describes the fields on this page.
TABLE 30 Monitor > Service > Application > RAM Caching > Objects
Field | Description
Host | Virtual port number on which RAM caching is enabled.
Object URL | URL from which the cached object was obtained by the AX device.
Bytes | Length of the cached object.
Type | Indicates whether the cached object has a Content-Length header, is compressed, or is chunk-encoded: CL - Content-Length header; CP - Compressed; CE - Chunk-encoded.
Status | Status of the entry: FR - Fresh; ST - Stale; IN - Incomplete; FA - Failed; UN - Unknown; R - The entry must be revalidated.
Expires in | Number of seconds the object can remain unused before it ages out.


Monitor > Service > Application > RAM Caching > Replacement
This page displays the distribution of requests for cached objects. Distribution is shown for only one RAM caching virtual port at a time. To display
request distribution for a different virtual port, select the virtual server and
port from the Virtual Server and Port drop-down lists.
Table 31 describes the fields on this page.
TABLE 31 Monitor > Service > Application > RAM Caching > Replacement
Field | Description
Frequency | Shows the frequency of requests. Entries listed for 1/256 (one in 256 requests) are the least requested, whereas entries listed for 128 are the most requested.
Total | Shows the total number of objects for the request frequency.

Monitor > Service > Application > RAM Caching > Memory Usage
This page shows memory-usage statistics for RAM caching.
Table 32 describes the fields on this page.
TABLE 32 Monitor > Service > Application > RAM Caching > Memory Usage
Field | Description
VIP | Virtual server name.
Port | Virtual port number.
Memory Configured | Size of the RAM cache as specified in the RAM caching template.
Memory Used | Amount of memory currently in use to store cached objects.
Percent Used | Percentage of the RAM cache that currently contains cached objects.


Monitor > Service > Application > FTP


This page shows SLB statistics for the FTP service type.
Table 33 describes the fields on this page.
TABLE 33 Monitor > Service > Application > FTP
Field | Description
Total Control Sessions | Total number of FTP control sessions load-balanced by the AX Series device.
Total ALG Packets | Total number of Application Layer Gateway (ALG) packets.
ALG Packets Rexmitted | Number of ALG packets that have been retransmitted.
Out of Connections | Number of times an FTP control session could not be established because none of the real servers had available connections.
Total Data Sessions | Total number of FTP data sessions load-balanced by the AX Series device.
Out of Connections | Number of times an FTP data session could not be established because none of the real servers had available connections.

Monitor > Service > Application > Net


This page shows Layer 4 SLB statistics. Statistics are listed separately for
each of the AX device's CPUs.
Table 34 describes the fields on this page.
TABLE 34 Monitor > Service > Application > Net
Field | Description
IP Out Noroute | Number of IP packets that could not be routed.
TCP Out RST | Number of TCP Resets sent.
TCP Out RST no SYN | Number of Resets sent for which there was no SYN.
TCP Out RST L4 proxy | Number of TCP Reset packets the AX device has sent as a Layer 4 proxy.
TCP Out RST ACK attack | Number of TCP Resets sent in response to a TCP ACK attack.
TCP Out RST aFleX | Number of TCP Reset packets the AX device has sent due to an aFleX.
TCP Out RST stale sess | Number of TCP Reset packets the AX device has sent due to stale TCP sessions.
TCP Out RST TCP proxy | Number of TCP Reset packets the AX device has sent as a TCP proxy.
TCP SYN Received | Number of TCP SYN packets received.
TCP SYN Cookie Sent | Number of TCP SYN cookies sent.
TCP SYN Cookie Failed | Number of TCP SYN cookie send attempts that failed.
TCP received | Number of TCP packets received.
UDP received | Number of UDP packets received.
Server sel failure | Number of times selection of a real server failed.
Source NAT Failure | Number of times a source NAT failure occurred.
TCP SYN cookie failed | Number of times a TCP SYN cookie failure occurred.
No vport drops | Number of times traffic was dropped because the requested virtual port was not available.
No SYN pkt drops | Number of SYN packets dropped.
No SYN pkt drops - FIN | Number of SYN packets dropped due to a TCP FIN.
No SYN pkt drops - RST | Number of SYN packets dropped due to a TCP Reset.
No SYN pkt drops - ACK | Number of SYN packets dropped due to an ACK.
Conn Limit drops | Number of packets dropped because the server connection limit has been reached.
Conn Limit resets | Number of connections reset because the server connection limit had been reached.
Proxy no sock drops | Number of packets dropped because the proxy did not have an available socket.
aFleX drops | Number of packets dropped due to an aFleX policy.
Sessions aged out | Number of sessions that have aged out.
TCP No SLB | Number of non-SLB TCP packets received by the AX device.
UDP No SLB | Number of non-SLB UDP packets received by the AX device.
SYN Throttle | Number of SYN packets that have been throttled.


Monitor > Service > Application > ICMP


This page shows ICMP rate-limiting statistics.
Table 35 describes the fields on this page.
TABLE 35 Monitor > Service > Application > ICMP
Field | Description
Global Rate Limit Drops | Number of packets dropped by global ICMP rate limiting.
Interfaces Rate Limit Drops | Number of packets dropped by ICMP rate limiting enabled on individual interfaces.
Virtual Server Rate Limit Drops | Number of packets dropped by ICMP rate limiting enabled on individual virtual servers.
Total Rate Limit Drops | Total number of packets dropped by ICMP rate limiting.

Monitor > Service > Application > Switch


This page shows SLB switching statistics. Statistics are listed separately for
each of the AX device's CPUs.
Table 36 describes the fields on this page.
TABLE 36 Monitor > Service > Application > Switch
Field | Description
L2 Forward | Number of packets that have been Layer 2 switched.
L3 IP Forward | Number of packets that have been Layer 3 routed.
IPv4 No Route Drop | Number of IPv4 packets that were dropped due to routing failures.
L3 IPv6 Forward | Number of IPv6 packets that have been Layer 3 routed.
IPv6 No Route Drop | Number of IPv6 packets that were dropped due to routing failures.
L4 Process | Number of packets that went to a VIP or NAT for processing.
Incorrect Length Drop | Number of packets dropped due to incorrect protocol length. Note: A high value for this counter can indicate a packet length attack.
Protocol Down Drop | Number of packets dropped because the corresponding protocol was disabled.
Unknown Protocol Drop | Number of packets dropped because the protocol was unknown.
TTL Exceeded Drop | Number of packets dropped due to TTL expiration.
Link Down Drop | Number of packets dropped because the outgoing link was down.
SRC Port Suppresion | Packet drops because of source port suppression.
VLAN Flood | Number of packets that have been broadcast to a VLAN.
IP Fragment Received | Number of IPv4 fragments that have been received.
ARP Request Received | Number of ARP requests that have been received.
ARP Response Received | Number of ARP responses that have been received.
Forward Kernel | Number of packets received by the kernel from data interfaces.
IP(TCP) Fragment Received | Number of IP TCP fragments received.
IP Fragment Overlap | Number of overlapping fragments received.
IP Fragment Overload Drops | Number of fragments dropped due to overload.
IP Fragment Reasm OKs | Number of successfully reassembled IP fragments.
IP Fragment Reasm Fails | Number of fragment reassembly failures.
Anomaly LAN Attack Drops | Number of packets dropped by an IP land attack filter. Note: This statistic and the other Anomaly statistics show how many packets were dropped by DDoS protection filters. For the AX device to drop these packets, the corresponding DDoS protection options must be enabled. (See Config > Service > SLB > Global > DDoS Protection on page 127.)
Anomaly IP Option Drops | Number of packets dropped by an IP option filter.
Anomaly Ping-of-Death Drops | Number of packets dropped by a ping-of-death filter.
Anomaly All Frag Drops | Number of packets dropped by a frag filter.
Anomaly TCP No Flag Drops | Number of packets dropped by a tcp-no-flag filter.
Anomaly SYN Frag Drops | Number of packets dropped by a tcp-syn-frag filter.
Anomaly TCP SYN Fin Drops | Number of packets dropped by a tcp-syn-fin filter.
Anomaly Any Drops | Number of packets dropped by any type of hardware-based DDoS protection filter.
BPDUs Received | Number of Bridge Protocol Data Units (BPDUs) received.
BPDUs Sent | Number of Bridge Protocol Data Units (BPDUs) sent.
ACL Denys | Number of times traffic was not forwarded due to a deny rule in an Access Control List (ACL). This counter also includes traffic dropped due to the l3-vlan-fwd-disable action in ACL rules.
SYN rate exceeded Drop | Number of packets dropped because the TCP SYN threshold had been exceeded.
Packet Error Drops | Number of packets dropped due to a packet error.
IPv6 Frag Reasm OKs | Number of successfully reassembled IPv6 fragments.
IPv6 Frag Reasm Fails | Number of IPv6 fragment reassembly failures.
IPv6 Frag Invalid Pkts | Number of IPv6 fragments that were invalid.
Bad Pkt Drop | Number of bad packets dropped.
IP Frag Exceed Drop | Number of fragmented IP packets that were dropped because they exceeded the allowed maximum.
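
Added example (not part of the A10 manual, and not A10 code): one way to turn the Table 36 counters into an alert by comparing two polls and flagging the counters the table ties to attack traffic or DDoS protection filters. The per-CPU snapshot layout, the sample values and the threshold of 10 drops per second are constructed, and the code assumes the counters are cumulative and that clearing statistics resets all of them together.

```python
"""Flag fast growth in the Table 36 drop counters between two polls."""

# Counters that Table 36 ties to a packet length attack or to DDoS protection filters.
WATCHED = (
    "Incorrect Length Drop",
    "Anomaly LAN Attack Drops",
    "Anomaly IP Option Drops",
    "Anomaly Ping-of-Death Drops",
    "Anomaly All Frag Drops",
    "Anomaly TCP No Flag Drops",
    "Anomaly SYN Frag Drops",
    "Anomaly TCP SYN Fin Drops",
)


def sum_cpus(snapshot):
    """Collapse {cpu: {field: count}} into {field: total}.

    The page lists these statistics separately per CPU, so an alert has to
    look at the device-wide total rather than a single CPU's share.
    """
    totals = {}
    for counters in snapshot.values():
        for field, value in counters.items():
            totals[field] = totals.get(field, 0) + value
    return totals


def was_cleared(prev_totals, curr_totals):
    """True if any cumulative counter went backwards between polls.

    Assumption: a clear zeroes every counter at once, so one counter moving
    backwards means the whole snapshot restarted from 0.
    """
    return any(curr_totals.get(f, 0) < v for f, v in prev_totals.items())


def flag_spikes(prev_snap, curr_snap, interval_s, max_rate):
    """Return [(field, increase, per_second_rate)] for watched counters that
    grew faster than max_rate drops per second, highest rate first."""
    if interval_s <= 0:
        raise ValueError("interval_s must be positive")
    prev, curr = sum_cpus(prev_snap), sum_cpus(curr_snap)
    cleared = was_cleared(prev, curr)
    hits = []
    for field in WATCHED:
        now = curr.get(field, 0)
        # After a clear, everything on the counter accumulated since the reset.
        increase = now if cleared else now - prev.get(field, 0)
        rate = increase / interval_s
        if rate > max_rate:
            hits.append((field, increase, rate))
    return sorted(hits, key=lambda h: h[2], reverse=True)


# Constructed sample polls taken 60 seconds apart on a two-CPU device.
POLL_1 = {
    "cpu1": {"Incorrect Length Drop": 120, "Anomaly TCP No Flag Drops": 10,
             "Anomaly All Frag Drops": 5000, "TTL Exceeded Drop": 40},
    "cpu2": {"Incorrect Length Drop": 80, "Anomaly TCP No Flag Drops": 14,
             "Anomaly All Frag Drops": 4000, "TTL Exceeded Drop": 25},
}
POLL_2 = {
    "cpu1": {"Incorrect Length Drop": 9120, "Anomaly TCP No Flag Drops": 12,
             "Anomaly All Frag Drops": 5010, "TTL Exceeded Drop": 41},
    "cpu2": {"Incorrect Length Drop": 6080, "Anomaly TCP No Flag Drops": 15,
             "Anomaly All Frag Drops": 4020, "TTL Exceeded Drop": 25},
}
# Statistics were cleared between POLL_2 and POLL_3.
POLL_3 = {
    "cpu1": {"Incorrect Length Drop": 30, "Anomaly TCP No Flag Drops": 900,
             "Anomaly All Frag Drops": 0, "TTL Exceeded Drop": 0},
    "cpu2": {"Incorrect Length Drop": 30, "Anomaly TCP No Flag Drops": 600,
             "Anomaly All Frag Drops": 0, "TTL Exceeded Drop": 1},
}

if __name__ == "__main__":
    for label, a, b in (("poll 1 -> 2", POLL_1, POLL_2), ("poll 2 -> 3", POLL_2, POLL_3)):
        for field, increase, rate in flag_spikes(a, b, interval_s=60, max_rate=10):
            print(f"{label}: {field} +{increase} ({rate:.1f}/s)")
```

The Anomaly counters only move when the corresponding DDoS protection options are enabled, so a flat Anomaly counter on a device with those options off says nothing about the traffic.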

Monitor > Network


The Monitor > Network options display status information and statistics for
Layer 2 and Layer 3 features.

Monitor > Network > Interface > LAN


This page shows configuration information and statistics for the AX
device's Ethernet interfaces. The upper half of the page shows statistics in a
table. The lower half shows graphs for the same statistics.
Note: Information is shown for the data interfaces only, not the out-of-band
management interface.

Statistics Table
Table 37 describes the columns in the table in the upper half of the page.
TABLE 37 Monitor > Network > Interface
Column | Description
IP Address | IP address configured on the interface. Note: If the AX device is deployed in transparent mode, the individual interface addresses are all 0.0.0.0/0.
Speed | Speed and mode (full-duplex or half-duplex) configured on the interface.
Packets | Number of packets received (RX) and transmitted (TX) on the interface.
Bytes | Number of bytes received (RX) and transmitted (TX) on the interface.
Errors | Number of receive (RX) or transmission (TX) errors on the interface.
Other Errors | Number of errors that were not counted in the Error column.

Statistics Graphs
By default, the following graphs are shown in the lower half of the page:
- Packet send and receive statistics
- Bits per second send and receive statistics
- RX and TX error statistics
- Other error statistics

The graphs are for the currently selected interface only (by default,
Ethernet 1). To display graphs for a different interface, click on the row of
information for that interface in the table.
You can hide one or more of the graphs by deselecting the checkbox for the
graph. As soon as you deselect or reselect a graph, the GUI refreshes the
page to hide or redisplay the graph.
These selection fields do not affect the display of statistics in the table.


Changing the Date and Time Span of the Statistics


By default, statistics for the last 30 minutes are shown.
To display statistics for a longer time span, select the time span from the
drop-down list located above the Dropped column of the statistics table.
To display statistics for a specific time span:
1. Select the Start Time:
a. Click the calendar icon at the end of the Start Time field. A calendar
is displayed.
b. Select the date or leave the date set to the current date.
c. Edit the time or use the time value shown (the current system time
when you open the calendar).
Note: To move the calendar popup, click on the bottom row of the calendar and
drag it.
2. Select the End Time using the calendar at the end of the End Time field.
Note: Statistics are available for only the most recent 30 days.
3. Click Go.

Refreshing Statistics
To manually refresh the statistics, click Refresh. To set them to be refreshed
automatically, select the refresh rate from the drop-down list next to the
Refresh button.

Clearing Statistics
To clear statistics, click Clear. The counters are returned to 0 and begin
incrementing again.


Monitor > Network > Trunk > Trunk


This page shows status information for the trunk interfaces configured on the
AX device.
Table 38 describes the columns in this display.
TABLE 38 Monitor > Network > Trunk
Column: Description
Trunk ID: ID assigned to the trunk by the admin who configured it.
Status: Operation status of the trunk, Up or Down.
Member List: Ethernet interfaces that are members of the trunk, and the status of each interface:
  - config: Configuration status, either enabled (green checkmark) or disabled (red X).
  - operation: Operational status, either up (green up arrow) or down (red down arrow).
Ports Threshold: Indicates the minimum number of ports that must be up in order for the trunk to remain up. If the number of up ports falls below the configured threshold, the AX automatically disables the trunk's member ports. The ports are disabled in the running-config. The AX device also generates a log message and an SNMP trap, if these services are enabled.
Ports Threshold Timer: Indicates how many seconds the AX device waits after a port goes down before marking the trunk down, if the ports threshold is exceeded.

Monitor > Network > VLAN > VLAN


This page lists the configured Virtual Local Area Networks (VLANs) on the
AX device.
Note: This page is not fully implemented in the current release.

Monitor > Network > ACL > IPv4 ACL


This page lists the configured IPv4 ACLs. For each ACL, the Hits column
indicates how many times traffic has matched the ACL.

Note: The ACL Hits counter is not applicable to ACLs applied to the management port.

Monitor > Network > ACL > IPv6 ACL


This page lists the configured IPv6 ACLs. For each ACL, the Hits column
indicates how many times traffic has matched the ACL.
Note: The ACL Hits counter is not applicable to ACLs applied to the management port.

Monitor > Network > ARP > IPv4 ARP


This page displays the entries in the AX device's IPv4 Address Resolution
Protocol (ARP) table.
Table 39 describes the columns in this display.
TABLE 39 Monitor > Network > ARP > IPv4 ARP
Column: Description
IP Address: IP address of the device.
MAC Address: MAC address of the device.
Type: Indicates whether the entry is static or dynamic.
Age: For dynamic entries, the number of seconds since the entry was last used.
State: State of the ARP entry. The state can be one of the following:
  - Incomplete
  - Reachable
  - Stale
  - Delay
  - Probe
  - Failed
  - No ARP
  - Permanent
  - None
Interface: AX interface through which the device that has the displayed MAC address and IP address can be reached.
VLAN ID: VLAN through which the device that has the MAC address can be reached.


Monitor > Network > ARP > IPv6 Neighbor


This page displays the entries in the IPv6 Neighbor table.
Table 40 describes the columns in this display.
TABLE 40 Monitor > Network > ARP > IPv6 Neighbor
Column: Description
IPv6 Address: IP address of the device.
MAC Address: MAC address of the device.
Type: Indicates whether the entry is static or dynamic.
Age: For dynamic entries, the number of seconds since the entry was last used.
State: State of the ARP entry. The state can be one of the following:
  - Incomplete
  - Reachable
  - Stale
  - Delay
  - Probe
  - Failed
  - No ARP
  - Permanent
  - None
Interface: AX interface through which the device that has the displayed MAC address and IP address can be reached.
VLAN ID: VLAN through which the device that has the MAC address can be reached.

Monitor > Network > Route > IPv4 Route Table


This page lists the routes in the IPv4 route table.
By default, IP routes of all types are displayed. To filter the display, select a
route type from the drop-down list above the Destination IP field.
Table 41 describes the columns in this display.
TABLE 41 Monitor > Network > Route > IPv4 Route Table
Column: Description
Destination IP: Subnet at the other end of the route.
Network Mask: Network mask for the subnet.
Next Hop: IP address of the router to which the AX device sends traffic to reach the destination subnet.
Interface: AX interface through which traffic is sent to the next hop.
Type: Origin of the route information:
  - Connected: The route is to a directly connected subnet.
  - OSPF: The route came from OSPF.
  - RIP: The route came from RIP.
  - Static: The route was manually configured by an AX admin.

Monitor > Network > Route > IPv4 Forwarding


Displays the IPv4 Forwarding Information Base (FIB).
Table 42 describes the columns in this display.
TABLE 42 Monitor > Network > Route > IPv4 Forwarding
Column: Description
Prefix: Subnet at the other end of the route.
Next Hop: IP address of the router to which the AX device sends traffic to reach the destination subnet.
Interface: AX interface through which traffic is sent to the next hop.
Metric: Cost of using this entry.
Index: Index number of this FIB entry.

Monitor > Network > Route > IPv6 Forwarding


Displays the IPv6 Forwarding Information Base (FIB).
Table 43 describes the columns in this display.
TABLE 43 Monitor > Network > Route > IPv6 Forwarding
Column: Description
Prefix: Subnet at the other end of the route.
Next Hop: IP address of the router to which the AX device sends traffic to reach the destination subnet.
Interface: AX interface through which traffic is sent to the next hop.
Metric: Cost of using this entry.
Index: Index number of this FIB entry.

Monitor > System


The pages in the System sub-module allow you to manage admin sessions
and display the system log.

Monitor > System > Admin


This option has pages for managing admin sessions.

Monitor > System > Admin > Admin Session


This page lists the admin sessions that are currently active. Your session is
indicated by a blue dot next to the Start Time column.
The session that currently has write access is indicated by Yes in the Config
Mode column.
To clear a session, select the checkbox next to the session, and click Delete.
Table 44 describes the columns in this display.
TABLE 44 Monitor > System > Admin > Admin Session
Column: Description
Start Time: System time when the management session started.
User Name: Name of the AX admin who opened this session.
IP Address: IP address from which the admin logged in.
Config Mode: Indicates whether the admin currently has write access. Only one admin can have write access at a time.
Type: Indicates the management type the session is using: CLI, Web (GUI), or aXAPI.
Partition: Partition to which the admin is assigned.
  - For admins with Partition Write, Partition Read, or Partition RS Operator privileges, the partition name is the name of the private partition to which the admin is assigned.
  - For admins with Root, Read Write, or Read Only privileges, the partition name is shared, unless the admin has changed partitions. (See System Partitions on page 27.)

Monitor > System > Admin > Admin Locked


This page lists the admin accounts that have been locked due to excessive
invalid login attempts.
To unlock an admin account, select the checkbox next to the admin name,
and click Unlock.
Table 45 describes the columns in this display.
TABLE 45 Monitor > System > Admin > Admin Locked
Column: Description
Name: Name of the AX admin.
Role: Privilege level for the account:
  - Root: Allows access to all levels of the system. This is the only account that can configure other admin accounts.
  - Super Admin: Allows access to all levels of the system. This account is not the Root account and can be deleted. This account cannot configure other admin accounts.
  - Read Only Admin: Allows monitoring access to the system but not configuration access. In the CLI, this account can only access the User EXEC and Privileged EXEC levels, not the configuration levels. In the GUI, this account cannot modify configuration information.
  - Partition Write Admin: The admin has read-write privileges within the private partition to which the admin is assigned. The admin has read-only privileges for the shared partition.
  - Partition Read Admin: The admin has read-only privileges within the private partition to which the admin is assigned, and read-only privileges for the shared partition.
  - Partition RS Operator: The admin is assigned to a private partition but has permission only to view service port statistics for real servers in the partition, and to disable or re-enable the real servers and their service ports.
  The Partition roles apply to Role-Based Administration (RBA). For information about this feature, see the Role-Based Administration chapter in the AX Series Configuration Guide.
Current Partition: System partition the admin is locked out of.
Trusted Host: IP host or subnet address from which the admin must log in.
Lockout Time: If the account is locked, indicates how long the account has been locked.
Scheduled Unlock: Indicates how long the account will continue to be locked.

Monitor > System > Logging


Monitor > System > Logging > Logging
This page displays the system log (syslog). Messages in the AX device's
local log buffer are displayed.
By default, messages of all log levels are displayed. To filter the display to
show messages of a specific level, select the message level from the drop-down list above the Date/Time field.

To export a copy of the log as a tar.gz file:
1. Click Export.
2. Navigate to the save location.
3. Optionally, edit the filename too.
4. Click Save.
To clear the entries from the log, click Clear.

Monitor > System > Logging > Show Tech


This page enables you to export system information into a file that can be
used by A10 technical support to help resolve system issues. To export the
system information, click Export.

Monitor > HA
The HA sub-module displays High Availability (HA) information for the
AX device.

Monitor > HA > Group


This page displays High Availability (HA) status information for the AX
device.
Table 46 describes the fields on this page.
TABLE 46 Monitor > HA > Virtual Group
Column: Description
HA Group ID: ID of the HA group.
Local Status: Indicates whether this AX device is in Active or Standby mode.
Local Priority: Priority value assigned to this HA group on this AX device.
Peer Status: Indicates whether the other AX device in the HA pair is in Active or Standby mode.
  Note: If the status is Incompatible Version, the AX devices are running different software versions and the HA feature is not compatible between the two versions. This message is normal during upgrade, after one of the AX devices has been upgraded and before the other device is upgraded. If the devices are not being upgraded, it is recommended to upgrade one of the devices so that they both are running the same software version.
Peer Priority: Priority value assigned to this HA group on the other AX device.

Monitor > HA > Status


This page displays High Availability (HA) statistics for the AX device.
Table 47 describes the fields on this page.
TABLE 47 Monitor > HA > Status
Column: Description
Connectivity Server Ports: Shows the number of HA interfaces designated as server interfaces that are currently up.
Connectivity Router Ports: Shows the number of HA interfaces designated as router interfaces that are currently up.
HA Packets Sent: Shows the number of HA hello (heartbeat) packets sent by this AX device.
HA Packets Received: Shows the number of HA hello packets received by this AX device.
HA Config Sync Sent: Shows the number of HA connection synchronization (session mirroring) packets sent by this AX device.
HA Config Sync Received: Shows the number of HA connection synchronization packets received by this AX device.
HA Errors: Shows HA error statistics:
  - In Duplicated HA ID: Number of incoming HA hello (heartbeat) packets that had the same HA ID as the HA ID of this AX device (the local AX device).
  - In Invalid Group: Number of incoming HA hello packets that had an invalid group ID.
  - Version Mismatch: Number of incoming HA hello packets that had a packet version mismatch.
  - HA Set ID Mismatch: Number of incoming HA hello packets that had an HA set ID mismatch.
  - Missed Heartbeat: Total number of heartbeat (hello) packets expected from the peer HA device that were not received.
  - Inaccurate Timer: Number of times HA internal timers detected a variance.
HA Ports: Shows statistics for each HA interface:
  - Sent: Number of hello (heartbeat) messages sent on the interface.
  - Received: Number of hello messages received on the interface.
  - Missed Heartbeat: Number of hello messages that were expected to be received on the interface but that did not arrive.
Layer 2 Inline mode: (Inline mode only) Shows the interface number used to communicate with the peer HA device.


Config Mode
The Config Mode is where you can view and change the configuration of
the AX device.

Config Modules
The Config Mode offers the following sub-modules for setting AX Series
network and performance parameters:
Get Started
Service
Network
System
HA

Each of these configuration sub-modules contains multiple menu-selectable
functions for defining system parameters. The following sections describe
each configuration sub-module and the functions it includes.
FIGURE 13 Config Mode

Config Menu Tree


The Config module has the following sub-modules and menu options.
Config Mode > Get Started
Basic System

Config Mode > Service


SLB

Template

Virtual Server

Firewall

Application

Firewall Group

Service Group

HTTP

Firewall Virtual Server

Server

PBSLB Policy

Firewall Node

Template

RAM Caching

Server

SMTP

Server Port

SIP

Virtual Server

RTSP

Virtual Server Port

DNS

DNS Proxy
Geo-location
Policy
Service IP

Class List

Connection Reuse

LID

L4

Global
Settings
DDoS Protection
Rate-Limit Log

GSLB

Site
Zone

TCP

Global

UDP
aFleX

Persistent
Cookie Persistence
Destination IP

Persistence
Source IP Persistence
SSL Session ID
Persistence
SSL
Client SSL
Server SSL
TCP Proxy

IP Source NAT
IPv4 Pool
IPv6 Pool
Group
Binding
Interface
NAT Range
Static NAT
Global
SSL Management

Health Monitor

Certificate

Health Monitor

Cert Revocation List

External Program
Data File
Global
PBSLB

Config Mode > Network

Config Mode > System

Config Mode > HA

Interface

Settings

Setting

LAN

Web

HA Global

Management

Terminal

HA Inline Mode

Transparent

Log

HA Interface

Virtual

General

Global

Boot

Config Sync
Sync Operation

Action

Trunk

Admin

VLAN

Administrator

VLAN

Partition

MAC

Lockout Policy

Global

External Authentication
ACL

Change Password

Standard
Access Control

Extended
IPv6

Time

ARP

SNMP

IPv4 ARP

Maintenance

IPv6 Neighbor

Upgrade

Global

Backup

Route

Restore

IPv4 Static
IPv6 Static
DNS
ICMP Rate Limiting
BPDU-Fwd-Group


Config > Get Started


This option provides access to the Basic System page.

Config Mode > Get Started > Basic System


This page provides easy access to basic system settings. To expand display
of a section or change settings, click on the link above the settings. To
change a password, click on the icon.

FIGURE 14 Config > Get Started > Basic System

For information about the system settings, see the following sections:
Management IP address and default gateway - See Config > Network > Interface > Management on page 220.
Admin and enable passwords - See Config > System > Admin > Administrator on page 249.
Time/Date settings - See Config > System > Time on page 258.
DNS hostname, suffix, and servers - See Config > Network > DNS on page 236.
SNMP state, community string, and trap state - See Config > System > SNMP on page 260.
External syslog server - See Config > System > Settings > Log on page 242.
Static route - See Config > Network > Route on page 235.


Config > Service


Config > Service > SLB
The SLB pages enable you to configure SLB parameters.

Config > Service > SLB > Virtual Server


This page displays the configured virtual servers.
The following configuration sections are displayed when you click Add or
click on a virtual server name.
General
Virtual Server Port

The Health column indicates the health of the virtual servers. Place the
mouse cursor over a health icon for more information.
You can view or edit the configuration of a virtual port directly from the list
of virtual servers. Click on the Edit icon next to the virtual server
name. Clicking on the icon displays a list of the virtual ports configured on
the virtual server. (See Figure 15.) To access the configuration page for a
virtual port, click on the port number.

FIGURE 15 Virtual Port Access from Virtual Server List

Disable and Enable


To disable virtual servers, select the checkbox next to each virtual server
you want to disable, then click Disable. Likewise, to re-enable virtual servers, select the checkbox next to each virtual server you want to enable, then
click Enable.

HA Group Edit
To add multiple virtual servers to an HA group, select the checkbox next to
each of the virtual servers, then click Edit. The Group Edit page appears.
Select the HA group from the HA Group drop-down list and click OK.
Virtual Server Parameters
Table 48 lists the parameters you can configure on virtual servers.
TABLE 48 Virtual Server Parameters

General Section

Parameter: Name
Description: Name to identify the virtual server on the AX device.
Supported Values: String of 1-31 characters
Default: None configured

Parameter: Wildcard
Description: If you are configuring a wildcard VIP, select this checkbox. The IP Address field is replaced by the Access List drop-down list.
Supported Values: Enabled or disabled
Default: Disabled

Parameter: IP address or CIDR Subnet or Access List
Description: Virtual IP address(es) that clients will request.
  - To configure a single VIP, select the IP version (IPv4 or IPv6), then enter the IP address. Leave the Wildcard checkbox unselected.
  - To configure a contiguous range of VIPs, enter the starting host address followed by the network mask length: ipaddr/mask-length
    Do not use a space before or after the forward slash.
    The ipaddr is the starting host address in the range and must be a valid host address. (For example, entering 192.168.1.0/24 is not valid.) Leave the Wildcard checkbox unselected.
  - To configure a wildcard VIP:
    1. Select the IP version (IPv4 or IPv6).
    2. Select the Wildcard checkbox.
    3. Select the ACL that specifies the VIP addresses that can use this VIP configuration.
Supported Values: IPv4 or IPv6 host address or subnet address, or an ACL
Default: None configured

Parameter: Status
Description: State of the virtual server.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: ARP Status
Description: When selected, disables or re-enables ARP replies from a virtual server.
Supported Values: Selected or deselected
Default: Deselected; ARP replies are enabled.

Parameter: Stats Data
Description: Enables collection of statistics data for the VIP.
  Note: Statistical data collection also must be enabled globally. See Config > Service > SLB > Global > Settings on page 124.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: When-All-Ports-Down
Description: Automatically disable the virtual server if all its service ports are down.
  If OSPF redistribution of the VIP is enabled, this option also withdraws the route to the VIP in addition to disabling the virtual server.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: HA Group
Description: High Availability (HA) group ID to use for session backup.
  Note: If the HA Group drop-down list does not have any group IDs, you still need to configure global HA parameters. See Config > HA > Setting > HA Global on page 268.
Supported Values: Number of a configured HA group
Default: Not set

Parameter: Virtual Server Template
Description: Binds a virtual server template to the virtual server. Settings in the template are used to configure the virtual server.
  Some of the parameters that can be set using a virtual server template can also be set on the individual virtual server. In this case, the setting in the template has lower priority than the setting on the virtual server.
Supported Values: Configured virtual server template.
Default: default virtual server template.

Parameter: PBSLB Policy Template
Description: Binds a PBSLB policy template to the virtual server. Settings in the template are used to configure IP limiting for the virtual server.
  Note: You also can bind a PBSLB policy template to individual virtual ports. IP limiting settings in both templates take effect. Clients must comply with all IP limiting rules.
Supported Values: Configured PBSLB policy template.
Default: None

Parameter: Description
Description: Description of the virtual server.
Supported Values: String
Default: None

Virtual Server Port Page

Note: The fields that are available depend on the service type you are configuring. All supported fields are listed below. However, the fields that are displayed and the order in which they are displayed depend on the service type you select.

Parameter: Type
Description: Service type of the port.
  Note: The AX device allocates processing resources to HTTPS virtual ports when you bind them to an SSL template. This results in increased CPU utilization, regardless of whether traffic is active on the virtual port.
Supported Values: One of the following:
  - Fast-HTTP: Streamlined Hypertext Transfer Protocol (HTTP) service
  - FTP: File Transfer Protocol
  - HTTP: HTTP
  - HTTPS: Secure HTTP (SSL)
  - MMS: Microsoft Media Server
  - RTSP: Real Time Streaming Protocol
  - SIP: Session Initiation Protocol over UDP
  - SIP-TCP: SIP over TCP
  - SIP-TLS: SIP over TCP/TLS
  - SMTP: Simple Mail Transfer Protocol
  - SSL-Proxy: SSL proxy service
  - TCP: Transmission Control Protocol
  - UDP: User Datagram Protocol
  - Others: Wildcard port used for IP protocol load balancing. (For more information, see the IP Protocol Load Balancing chapter of the AX Series Configuration Guide.)
Default: TCP

Parameter: Port
Description: Service port number.
Supported Values: 0-65535
Default: Depends on the service type
  Note: Port 0 applies only to TCP, UDP, and Others service types. (See the IP Protocol Load Balancing chapter of the AX Series Configuration Guide.)

Parameter: Service Group
Description: Service group to use for the virtual service port. The AX device uses real servers and ports in the service group to fulfill requests for the virtual service port.
  If the service group is not already configured, you can select create to configure it. In this case, when you click OK after configuring the service group, you are returned to this page.
Supported Values: Name of a configured service group
Default: Not set

Parameter: Connection Limit
Description: Number of concurrent connections allowed on the virtual service port.
  To specify the action to take for new connection requests after the limit has been reached, select one of the following:
  - Drop: The AX device silently drops the connection and does not send a reset to the client.
  - Reset: The AX device sends a connection reset to the client.
  Logging: Generates a log message when the connection limit is exceeded.
Supported Values: 0-8000000 (one million)
  0 means no limit.
Default: Not set

Parameter: Use default server selection when preferred method fails
Description: Continues checking for an available server in other service groups if all of the servers are down in the first service group selected by SLB.
  During SLB selection of the preferred server to use for a client request, SLB checks the following configuration areas, in the order listed:
  1. Layer 3-4 configuration items:
     a. aFleX policies triggered by Layer 4 events
     b. Policy-based SLB (black/white lists). PBSLB is a Layer 3 configuration item because it matches on IP addresses in black/white lists.
  2. Layer 7 configuration items:
     a. Cookie switching
     b. aFleX policies triggered by Layer 7 events
     c. URL switching
     d. Host switching
  3. Default service group. If none of the items above results in selection of a server, the default service group is used.
     - If the configuration uses only one service group, this is the default service group.
     - If the configuration uses multiple service groups, the default service group is the one that is used if none of the templates used by the configuration selects another service group instead.
  The first configuration area that matches the client or VIP (as applicable) is used, and the client request is sent to a server in the service group that is applicable to that configuration area. For example, if the client's IP address is in a black/white list, the service group specified by the list is used for the client request.
Supported Values: Selected or deselected
Default: Selected

Parameter: Use received hop for response
Description: Sends replies to clients back through the last hop on which the request for the virtual port's service was received.
Supported Values: Selected or deselected
Default: Deselected

Parameter: Send client reset when server selection fails
Description: Sends a TCP reset (RST) to clients if server selection fails. Server selection failure can occur as the result of any of the following conditions:
  - Server or port connection limit is reached
  - Server or port connection rate limit is reached
  - Client in a PBSLB black/white list reaches its connection
  - The def-selection-if-pref-failed option is disabled and SLB select a server for any reason
  - All servers are down
  Note: The TCP template Rest Receive option also can be used to send a RST to clients. In AX Release 2.2.1 and earlier, the Rest Receive option would send a RST in response to a server selection failure. In AX Release 2.2.2 and later, this is no longer true. This option (Send client reset when server selection fails) must be used instead.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Status
Description: State of the virtual service port.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: HA Connection Mirror
Description: Backs up session information on the Standby AX device in an HA configuration. When this option is enabled, sessions remain up even following a failover.
  Note: Session synchronization does not apply to DNS sessions. Since these sessions are typically very short lived, there is no benefit to synchronizing them. Likewise, session synchronization does not apply to static NAT sessions. Synchronization of these sessions is not needed since the newly Active AX device will create a new flow for the session following failover.
  Note: This option also requires configuration of system HA parameters. (See Config > HA > Setting on page 268.)
  Note: In HA deployments, HA session synchronization is required for persistent sessions (source-IP persistence, and so on), and is therefore automatically enabled for these sessions by the AX device. Persistent sessions are synchronized even if session synchronization is disabled in the configuration.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Direct Server Return
Description: Disables destination NAT, so that server responses go directly to clients.
  Note: In the current release, for IPv4 VIPs, DSR is supported on virtual port types (service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is supported on virtual port types TCP, UDP, and RTSP.
  Note: VIP redistribution is not supported for VIPs on which destination NAT has been disabled. For example, VIP redistribution is not supported for VIPs that are configured for Direct Server Return (DSR).
Supported Values: Enabled or Disabled
Default: Disabled; destination NAT is enabled.

Parameter: SYN Cookie
Description: Protects against TCP SYN floods.
  The SACK option enables clients to acknowledge receipt of individual TCP/IP packets. Using this information, a server does not need to resend an entire segment of packets and can instead resend only the missing packets. This option applies only to the following virtual port types: TCP, FTP, MMS, RTSP, and fast-HTTP.
  Note: If hardware-based SYN cookies are supported on the AX model you are configuring, use that version of the feature instead. (See the Traffic Security Features chapter of the AX Series Configuration Guide.)
Supported Values: Enabled or Disabled
Default: Disabled
  The SACK option is also disabled by default.

Parameter: Stats Data
Description: Enables collection of statistics data for the virtual port.
Note: Statistical data collection also must be enabled globally. See Config > Service > SLB > Global > Settings on page 124.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Source NAT traffic against VIP
Description: Enables IP NAT support for the virtual port. Source IP NAT can be configured on a virtual port in the following ways:
- ACL-SNAT Binding at the virtual port level
- VIP source NAT at the global configuration level
- aFleX policy bound to the virtual port
- Source NAT Pool at the virtual port level
These methods are used in the order shown above. For example, if IP source NAT is configured using an ACL on the virtual port, and VIP source NAT is also enabled globally, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that is not permitted by the ACL, the globally configured VIP source NAT can be used instead.
Note: The current release does not support source IP NAT on FTP or RTSP virtual ports.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Virtual Server Port Template
Description: Binds a virtual server port template to the virtual service port. Settings in the template are used to configure the port.
Some of the parameters that can be set using a virtual server port template can also be set on the individual virtual port. In this case, the setting in the template has lower priority than the setting on the virtual port.
If the same parameter is set in a virtual server template and a virtual server port template, both of them apply.
Supported Values: Configured virtual port template.
Default: "default" virtual port template.

Parameter: Access List
Description: Specifies an ACL to use for permitting or denying traffic on the virtual server port.
Note: Selecting an ACL here permits or denies traffic on the virtual port. If you are trying to configure source NAT on the port, use the ACL-SNAT binding fields instead. (See the end of this table.)
Supported Values: ID of a configured ACL
Default: Not set

Parameter: Source NAT Pool
Description: IP address pool to use for IP source NAT.
Note: This option uses a single NAT pool for all source addresses. To select a NAT pool based on real server subnet, use the ACL-SNAT binding fields instead. (See the end of this table.)
Supported Values: Name of a configured IP address pool
Default: Not set

Parameter: aFleX
Description: Name of an aFleX policy.
Supported Values: Name of an aFleX policy that has been imported onto the AX device
Default: Not set

Parameter: Template
Description: Template(s) to use.
The types of templates that are available depend on the service type. A separate drop-down list appears for each type of template that is applicable to the service type of the port.
If a template you want to use is not already configured, you can select "create" from the drop-down list for the template type to configure a new template of that type. In this case, when you click OK after configuring the template, you are returned to the Virtual Server Port page.
Supported Values:
- Template type: One of the types described in Config > Service > Template on page 129.
- Template name: Name of a configured template.
Default: The AX device has some default templates, which are applied automatically unless you apply a different template instead. (See the "SLB Parameters" chapter of the AX Series Configuration Guide.)

Parameter: ACL-SNAT Binding
Description: Enables source NAT on the virtual port.
1. Select the ACL from the Access List drop-down list.
2. Select the pool from the Source NAT Pool drop-down list.
3. Click Add.
Note: Use extended ACLs. In each ACL, the source IP address must match on the client address or subnet (or any). The destination IP address must match on the real server address or subnet. The action must be permit.
The NAT pool is used only for traffic that matches the ACL. This configuration allows the virtual port to have multiple pools, and to select a pool based on the traffic.
Default: Not configured
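
The ACL-SNAT binding note and the source NAT lookup order from Table 48, modelled as an added example (not A10 code and not AX configuration syntax). All class, function and pool names are hypothetical; first-match ACL evaluation and first-matching-binding selection are assumptions.

```python
# Added example: models the ACL-SNAT binding note and the source NAT lookup
# order from Table 48. Names are hypothetical; this is not AX configuration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

ANY = ip_network("0.0.0.0/0")


def to_net(value):
    """Parse "any" or an IPv4 address/subnet in CIDR form."""
    return ANY if value == "any" else ip_network(value, strict=False)


@dataclass(frozen=True)
class AclRule:
    action: str        # "permit" or "deny"
    source: str        # client address or subnet, or "any"
    destination: str   # real server address or subnet

    def matches(self, client, server):
        return (ip_address(client) in to_net(self.source)
                and ip_address(server) in to_net(self.destination))


@dataclass(frozen=True)
class ExtendedAcl:
    acl_id: int
    rules: Tuple[AclRule, ...]

    def permits(self, client, server):
        # Assumption: rules are checked top-down, the first match decides,
        # and traffic that matches no rule is not permitted.
        for rule in self.rules:
            if rule.matches(client, server):
                return rule.action == "permit"
        return False


def lint_binding_acl(acl):
    """Flag rules that break the note on ACLs used for ACL-SNAT binding."""
    findings = []
    for number, rule in enumerate(acl.rules, start=1):
        where = f"ACL {acl.acl_id} rule {number}"
        if rule.action != "permit":
            findings.append(f"{where}: action must be permit")
        if to_net(rule.destination) == ANY:
            findings.append(f"{where}: destination must be the real server address or subnet")
    return findings


def select_source_nat(client, server, bindings, global_vip_snat=False,
                      aflex_pool=None, port_pool=None):
    """Return (method, pool) using the order in which Table 48 lists the methods."""
    for acl, pool in bindings:                 # 1. ACL-SNAT binding on the virtual port
        if acl.permits(client, server):
            return ("acl-snat-binding", pool)
    if global_vip_snat:                        # 2. VIP source NAT, global level
        return ("vip-source-nat", None)        #    (the table names no pool here)
    if aflex_pool is not None:                 # 3. aFleX policy, modelled as a callable
        pool = aflex_pool(client, server)
        if pool:
            return ("aflex", pool)
    if port_pool:                              # 4. Source NAT Pool on the virtual port
        return ("source-nat-pool", port_pool)
    return ("no-source-nat", None)


# Constructed sample configuration (addresses and pool names are made up).
ACL_101 = ExtendedAcl(101, (AclRule("permit", "10.1.0.0/16", "192.168.10.0/24"),))
ACL_102 = ExtendedAcl(102, (AclRule("permit", "any", "192.168.20.0/24"),))
BINDINGS = [(ACL_101, "pool-dmz"), (ACL_102, "pool-app")]
BAD_ACL = ExtendedAcl(103, (AclRule("deny", "10.9.0.0/16", "192.168.10.0/24"),
                            AclRule("permit", "any", "any")))

if __name__ == "__main__":
    for client, server in [("10.1.5.9", "192.168.10.20"),
                           ("172.16.0.4", "192.168.20.7"),
                           ("172.16.0.4", "192.168.10.20")]:
        print(client, server, select_source_nat(client, server, BINDINGS,
                                                global_vip_snat=True,
                                                port_pool="pool-default"))
    print(lint_binding_acl(BAD_ACL))
```

Running the linter over every ACL that appears in a binding before it is deployed catches a deny rule or an "any" destination, both of which the note above rules out.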


Config > Service > SLB > Service Group


This option displays the configured service groups. To access the configuration page, click Add or click on a service group name.
Table 49 lists the parameters you can configure in service groups.
TABLE 49 Service Group Parameters

Service Group Section

Parameter: Name
Description: Name of the service group.
Supported Values: String of 1-31 characters
Default: None configured

Parameter: Type
Description: Transport protocol used by service ports in the group.
Supported Values: TCP or UDP
Default: TCP

Parameter: Algorithm
Description: Algorithm used to select a real server and service port to fulfil a client's request.
To use a weighted load-balancing method, assign different weights to servers or ports, so that higher weighted servers or ports are preferred over lower-weighted ones.
- To use Weighted Round Robin or Weighted Least Connection, assign weights on individual servers.
- To use Weighted Least Connection on Service Port, assign weights on individual ports.
Note: The Fastest Response Time algorithm takes effect only if the traffic rate on the servers is at least 5 connections per second (per server). If the traffic rate is lower, the first server in the service group usually is selected.
Supported Values: One of the following:
- Round Robin: Selects servers in rotation.
- Least Connection: Selects the server that currently has the fewest connections.
- Service Least Connection: Selects the server port that currently has the fewest connections. If there is a tie, the port (among those tied) that has the lowest number of request bytes plus response bytes is selected. If there is still a tie, a port is randomly selected from among the ones that are still tied.
- Weighted Round Robin: Selects servers in rotation, biased by the servers' administratively assigned weights. If the weight value is the same on each server, this load-balancing method simply selects the servers in rotation.
- Weighted Least Connection: Selects a server based on a combination of the server's administratively assigned weight and the number of connections on the server.
- Service Weighted Least Connection: Same as weighted-least-connection, but per service.
- Fastest Response Time: Selects the server with the fastest SYN-ACK response time.
- Least Request: Selects the real server port for which the AX device is currently processing the fewest HTTP requests. This method is applicable to HTTP load balancing.
- Round Robin Strict: Provides a more exact round-robin method. The standard, default round robin method is optimized for high performance. Over time, this optimization can result in a slight imbalance in server selection. Server selection is still basically round robin, but over time some servers may be selected slightly more often than others.
- Stateless Source IP+Port Hash: Balances server load based on a hash value calculated using the source IP address and source TCP or UDP port.
- Stateless Destination IP+Port Hash: Balances server load based on a hash value calculated using the destination IP address and destination TCP or UDP port.
- Stateless Src and Dst IP+Port Hash: Balances server load based on a hash value calculated using both the source and destination IP addresses and TCP or UDP ports.
- Stateless Source IP Only Hash: Balances server load based on a hash value calculated using the source IP address only.
- Stateless Per-Packet Round Robin: Balances server load by sending each packet to a different server, in rotation.
Note: The stateless load-balancing methods balance traffic without creating session entries on the AX device. Stateless SLB is suitable only for certain types of traffic. Before enabling a Stateless option, see the "Stateless SLB" chapter in the AX Series Configuration Guide.
Default: Standard round robin (not strict and not stateless)

Parameter: Health Monitor
Description: Assigns a health monitor to all members in the service group.
This option is useful in cases where the same server provides content for multiple, independent sites. When you use this feature, if a site is unavailable (for example, is taken down for maintenance), the server will fail the health check for that site, and clients will not be sent to the site. However, other sites on the same server will pass their health checks, and clients of those sites will be sent to the server.
Default: Not set

Parameter: Min Active Members
Description: Enables use of backup servers even if some primary servers are still up. A backup server is one that has a lower priority than other servers.
In the field that appears next to Min Active Members, enter the minimum number of primary servers that can still be active (available), before the backup servers are used. You can specify 1-63. There is no default.
Selecting the Min Active Members checkbox also displays the Skip Priority Set checkbox. By default, if a primary server becomes unavailable, any remaining primary servers continue to be used. If you enable the Skip Priority Set option, the AX device stops using all primary servers if any of them become unavailable.
Default: Disabled. Backup servers are used only if all primary servers are unavailable.

Parameter: Send client reset when server selection fails
Description: Sends a TCP reset (RST) to clients if server selection fails. Server selection failure can occur as the result of any of the following conditions:
- Server or port connection limit is reached
- Server or port connection rate limit is reached
- Client in a PBSLB black/white list reaches its connection
- The def-selection-if-pref-failed option is disabled and SLB select a server for any reason
- All servers are down
Note: The TCP template Rest Receive option also can be used to send a RST to clients. In AX Release 2.2.1 and earlier, the Rest Receive option would send a RST in response to a server selection failure. In AX Release 2.2.2 and later, this is no longer true. This option (Send client reset when server selection fails) must be used instead.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Stats Data
Description: Enables collection of statistics data for the service group.
Note: Statistical data collection also must be enabled globally. See Config > Service > SLB > Global > Settings on page 124.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Description
Description: Description of the service group.
Supported Values: String
Default: None

Server Section
In the Server section, you can add, change, and delete service group members (servers and service ports). You also can disable or re-enable service ports within the service group. Select the service ports, then click the button for the action you want to take. For example, to disable a service port, click the checkbox next to the service port to select the port, then click Disable.
Disabling or re-enabling a service port within a service group applies only to that service group and does not affect the port's state in other service groups.

Parameter: IPv4/IPv6
Description: Selects the address type of the server IP address you are planning to enter.
Supported Values: Depends on the selection made on the System > Settings > Web - Preference page. (See Config > System > Settings > Web on page 238.)

Parameter: Server
Description: Adds a real server to the service group.
You can select a configured server from the drop-down list or enter the server IP address to create a new one.
Configure the additional settings described below, and click Add.
Supported Values: Name of a configured real server, or a valid IP address.

Parameter: Port
Description: Specifies the service port on the server.
Note: The port number you enter here must match the service port number used in the real server configuration.
Supported Values: Valid protocol port number, 0-65534.
Note: If you are configuring IP protocol load balancing, specify 0 as the service port number. For more information, see the "IP Protocol Load Balancing" chapter of the AX Series Configuration Guide.

Parameter: Server Port Template
Description: Binds a server port template to the server, within this service group. Settings in the template are used to configure the server ports, but only when the ports are used as members of this service group.
Some of the parameters that can be set using a port template can also be set on the individual port. In this case, the setting in the template has lower priority than the setting on the port.
Note: You also can bind a port template to the port as part of the real server configuration. Binding the port template to the port within this service group instead allows finer control, since the template's settings apply to the port only when the port is used as a member of this service group.
Supported Values: Configured port template.
Default: "default" port template.

Parameter: Priority
Description: Preference for this server and port. The priority can be 1-16. During server selection, a server and port with a high priority are favored over a server and port with a low priority, and are therefore more often selected.
Supported Values: 1-16
Default: 1

Parameter: Stats Data
Description: Enables collection of statistics data for the service group member.
Note: Statistical data collection also must be enabled globally. See Config > Service > SLB > Global > Settings on page 124.
Supported Values: Enabled or Disabled
Default: Enabled

Config > Service > SLB > Server


This option displays the configured real servers.
The following configuration sections are displayed when you click Add or click on a real server name:
- General
- Port

The Status column indicates whether the server is enabled.

The Health column indicates the health of the server. Place the mouse cursor
over the health icon for more information.
Enable and Disable
To disable servers, select the checkbox next to each server you want to disable, then click Disable. Likewise, to re-enable servers, select the checkbox
next to each server you want to enable, then click Enable.
Group Port Enable / Disable
To disable or re-enable ports on multiple servers, select the checkbox next
to each of the servers, then click Edit. The Group Edit page appears. Select
the ports and click Disable or Enable, then click OK.
Real Server Parameters
Table 50 lists the parameters you can configure on real servers.
TABLE 50 Real Server Parameters

General Section

Parameter: Name
Description: Name to identify the real server on the AX device.
The name is not required to be the hostname configured on the real server.
Supported Values: String of 1-31 characters
Default: None configured

Parameter: IP Address/Host
Description: IP address or DNS hostname of the server.
- IP address: Specify the real IP address of the server, not the VIP address to which clients will send requests.
- DNS hostname: Specify the hostname known to DNS. In this case, the AX device periodically sends DNS queries for the IP address of the real server, and dynamically creates the server based on the reply. If the reply to a subsequent query has a different IP address, an additional server is dynamically created with the new address. (For more information about dynamic real server creation using DNS, see the "Dynamic Real Server Creation Using DNS" chapter in the AX Series Configuration Guide.)
Note: The Monitor > Service > SLB > Server page shows only the first dynamically created server. To display all dynamically created servers, use the show slb server command in the CLI.
Supported Values: IPv4 or IPv6 address, or hostname
Default: None configured

Parameter: GSLB External IP Address
Description: Assigns an external IP address to the server. The external IP address allows a service IP or server that has an internal IP address to be reached over the Internet.
Supported Values: IPv4 or IPv6 address
Default: None configured

Parameter: Weight
Description: Administrative weight of the server, used for weighted load balancing.
Supported Values: 1-100
Default: 1

Parameter: Health Monitor
Description: Specifies the Layer 3 health monitor to use for checking the server health.
If the monitor you want to use is not already configured, you can select "create" to configure it. In this case, when you click OK after configuring the monitor, you are returned to this section.
Supported Values: Name of a configured health monitor, or blank (disabled)
Default: Enabled; ping (ICMP)

Parameter: Status
Description: State of the real server.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Connection Limit
Description: Number of concurrent connections allowed on the real server.
The Logging option generates a log message when the connection limit is exceeded.
Supported Values: 1-1000000 (one million) connections
Default: 1000000 (one million)

Parameter: Connection Resume
Description: Maximum number of connections the server can have before the AX device resumes use of the server. Use does not resume until the number of connections reaches the configured maximum or less.
Supported Values: 1-1000000 (one million) connections
Default: not set. The AX device is allowed to start sending new connection requests to the server as soon as the number of connections on the server falls back below the connection limit.

Parameter: Slow Start
Description: Enables slow-start. Slow start allows time for the server to ramp up after the server is enabled or comes online, by temporarily limiting the number of new connections on the server.
The ramp-up parameters are the same as those for slow-start configurable in server templates, but are not configurable on individual servers. They have the same values as the default ramp-up parameters in server templates. (See "Slow Start" in Table 51 on page 106.)
Supported Values: Disabled

Parameter: Spoofing Cache
Description: For Transparent Cache Switching (TCS), enables support for a spoofing cache server. A spoofing cache server uses the client's IP address instead of its own as the source address when obtaining content requested by the client.
Note: This option applies only to the TCS feature. For more information, see the "Transparent Cache Switching" chapter in the AX Series Configuration Guide.
Supported Values: Selected or unselected
Default: unselected (disabled)

Parameter: Stats Data
Description: Enables collection of statistics data for the server.
Note: Statistical data collection also must be enabled globally. See Config > Service > SLB > Global > Settings on page 124.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Server Template
Description: Binds a server template to server. Settings in the template are used to configure the server.
Some of the parameters that can be set using a server template can also be set on the individual server. In this case, the setting in the template has lower priority than the setting on the server.
Supported Values: Configured server template.
Default: "default" server template.

Parameter: Description
Description: Description of the real server.
Supported Values: String
Default: None

Port Section
In the Port section, you can add, change, and delete service ports. Select the service ports, then click the button for the action you want to take. For example, to disable a service port, click the checkbox next to the service port to select the port, then click Disable.
Disabling or re-enabling a service port affects all virtual servers that are bound to service groups that use the port.

Parameter: Port
Description: Protocol port number.
Note: If you are configuring IP protocol load balancing, specify port 0, which is a wildcard port. For more information, see the "IP Protocol Load Balancing" chapter of the AX Series Configuration Guide.
Supported Values: 0-65534
Default: Not set

Parameter: Protocol
Description: Layer 4 transport protocol used by the port.
Supported Values: TCP or UDP
Default: TCP

Parameter: Weight
Description: Administrative weight assigned to the port.
The weight is used with the following load-balancing methods (algorithms):
- Weighted Round Robin
- Weighted Least Connection
- Weighted Least Connection on Service Port
Supported Values: 1-100
Default: 1

Parameter: No SSL
Description: Disables SSL for server-side connections. This option is useful if a server-SSL template is bound to the virtual port that uses this real port, and you want to disable encryption on this real port.
Encryption is disabled by default, but it is enabled for server-side connections when the real port is used by a virtual port that is bound to a server-SSL template.
Default: Disabled. SSL for server-side connections is enabled.

Parameter: Connection Limit
Description: Maximum number of connections allowed to the service port. If the connection limit is exceeded, the AX device stops sending new connections to the service port. The AX device does not resume sending connections to the service port until one of the following occurs:
- If Connection Resume is set (see below), the AX device is allowed to start sending new connection requests to the service port only after the number of connections on the port is at or below the Connection Resume threshold.
- If Connection Resume is not set (the default), the AX device is allowed to start sending new connection requests to the service port as soon as the number of connections on the port falls back below the Connection Limit.
The Logging option generates a log message when the connection limit is exceeded.
If the connection limit is set to 0, no connection limiting is performed.
Supported Values: 0-1000000 (0 means unlimited.)
Default: 1000000 (one million)

Parameter: Connection Resume
Description: If the Connection Limit is exceeded, Connection Resume specifies the maximum number of connections the server can have before the AX device can start sending new connections to the port.
Supported Values: 1-1000000
Default: 0

Parameter: Health Monitor
Description: Specifies the health monitor to use for checking the service port's health.
If the monitor you want to use is not already configured, you can select "create" to configure it. In this case, when you click OK after configuring the monitor, you are returned to this section.
Supported Values: Name of a configured health monitor, or blank (disabled)
Default:
- For TCP: Every 5 seconds, the AX device sends a connection request (TCP SYN) to the specified TCP port on the server. The port passes the health check if the server replies to the AX device by sending a TCP ACK.
- For UDP: Every 5 seconds, the AX device sends a packet with a valid UDP header and a garbage payload to the UDP port. The port passes the health check if the server either does not reply, or replies with any type of packet except an ICMP Error message.

Parameter: Follow Port
Description: Bases the port's health status on the health status of another port on the same server. The other port must be the same type, TCP or UDP.
Default: Not set

Parameter: Server Port Template
Description: Binds a server port template to the service port. Settings in the template are used to configure the port.
Some of the parameters that can be set using a server port template can also be set on the individual port. In this case, the setting in the template has lower priority than the setting on the port.
If the same parameter is set in a server template and a server port template, both of them apply.
Supported Values: Configured port template.
Default: "default" port template.

Parameter: Stats Data
Description: Enables collection of statistics data for the server port.
Note: Statistical data collection also must be enabled globally. See Config > Service > SLB > Global > Settings on page 124.
Supported Values: Enabled or Disabled
Default: Enabled
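
The Connection Limit and Connection Resume behaviour that Table 50 describes for a service port, modelled as an added example (not A10 code). The names are hypothetical, and the model assumes the port leaves server selection once its connection count reaches the limit; the event trace is constructed.

```python
# Added example: a model of the per-port Connection Limit / Connection Resume
# rules in Table 50. Names are hypothetical; this is not AX software.
from dataclasses import dataclass, field
from typing import List


@dataclass
class ServicePort:
    limit: int = 1_000_000      # Connection Limit; 0 means unlimited
    resume: int = 0             # Connection Resume; 0 means not set (the default)
    logging: bool = False       # the Logging option
    active: int = 0             # current connections on the port
    suspended: bool = False     # True while no new connections are sent
    log: List[str] = field(default_factory=list)

    def _update_state(self):
        if self.limit == 0:
            self.suspended = False          # no connection limiting at all
        elif not self.suspended:
            # Assumption: the port is taken out of selection once the number
            # of connections reaches the limit.
            if self.active >= self.limit:
                self.suspended = True
                if self.logging:
                    self.log.append(f"connection limit {self.limit} reached")
        elif self.resume:
            # Connection Resume set: wait until at or below the threshold.
            if self.active <= self.resume:
                self.suspended = False
        elif self.active < self.limit:
            # Connection Resume not set: resume as soon as below the limit.
            self.suspended = False

    def open(self):
        """Offer one new connection; return True if it is sent to the port."""
        if self.suspended:
            return False
        self.active += 1
        self._update_state()
        return True

    def close(self):
        """One existing connection on the port ends."""
        if self.active:
            self.active -= 1
        self._update_state()


def replay(port, events):
    """Apply 'o' (connection offered) and 'c' (connection closed) events.

    Returns one True/False decision per 'o' event.
    """
    decisions = []
    for event in events:
        if event == "o":
            decisions.append(port.open())
        else:
            port.close()
    return decisions


# Constructed trace: fill the port, offer one more, then drain in two stages.
TRACE = "oooooo" + "c" + "o" + "ccc" + "oo"

if __name__ == "__main__":
    for resume in (0, 2):
        port = ServicePort(limit=5, resume=resume, logging=True)
        print(f"resume={resume}", replay(port, TRACE), port.log)
```

With Connection Resume unset, the port flips in and out of selection each time one connection closes at the limit; with a resume threshold of 2 it stays out until load has dropped well below the limit, which shows up as one log entry instead of two.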

Config > Service > SLB > Template


The Template pages enable you to display and configure configuration templates for real servers, real ports, virtual servers, and virtual ports.
Some of the parameters that can be set using a template can also be set or changed on the individual server or port.
- If a parameter is set (or changed from its default) in both a template and on the individual server or port, the setting on the individual server or port takes precedence.
- If a parameter is set (or changed from its default) in a template but is not set or changed from its default on the individual server or port, the setting in the template takes precedence.

To view and configure server and port templates, select the following options:
- Template > Server
- Template > Server Port
- Template > Virtual Server
- Template > Virtual Server Port

Default Server and Service Port Templates
The AX device has a default template for each of these template types. The
default server and port templates are each named "default".
If you do not explicitly bind a server or service port template to a server or
service port, the default template is automatically applied. For example,
when you create a real server, the parameter settings in the default real
server template are automatically applied to the new server, unless you bind
a different real server template to the server.
The default settings in the templates are the same as the default settings for
the parameters that can be set in the templates.
If you are upgrading an AX device that has a configuration saved under a
previous release, the default server and port templates are automatically
bound (applied to) the servers and ports in the configuration. This does not
change the configuration or operation of the servers and ports themselves,
since the default server and port templates use the default settings for all
parameters, unless overridden by parameter settings on the individual servers and ports.
Config > Service > SLB > Template > Server
The Server Template page lists the configured server templates. This page is
displayed when you click Add or click on a server template name.
Table 51 lists the server template parameters you can configure.
TABLE 51 Server Template Parameters

Server Template Section

Parameter: Name
Description and Syntax: Name of the template.
Supported Values: String of 1-31 characters

Parameter: Health Monitor
Description and Syntax: Layer 3 health monitor to use for checking the health of servers that use this template.
Supported Values: Configured health monitor that uses the Ping method.
Default: The default ICMP health monitor is used: an ICMP ping (echo request) is sent every 3 seconds. If the ping fails 2 times consecutively, the AX device sets the server state to DOWN.

Parameter: Connection Limit Status
Description and Syntax: Limits the number of connections allowed on real servers that use this template. When a real server reaches its connection limit, the AX device stops selecting the server for client requests.
When you select the Connection Limit Status checkbox, the following configuration fields appear:
- Connection Limit: Maximum of new connections allowed on a server.
- Connection Resume: Maximum number of connections the server can have before the AX device resumes use of the server.
- Logging: Generates a log message when a server exceeds its connection limit.
Supported Values:
- State: Enabled or Disabled
- Connection Limit: 1-1048575 connections per second
- Connection Resume: 1-1048575 connections
Default: 8000000 (8 million) connections per second

Parameter: Connection Rate Limit
Description and Syntax: Limits the rate of new connections the AX device is allowed to send to servers that use this template. When a real server reaches its connection rate limit, the AX device stops selecting the server for client requests.
When you select the Connection Rate Limit checkbox, an entry field appears. Enter the maximum of new connections allowed on a server. You can specify 1-1048575 connections.
The Sampling Per option specifies the sampling rate:
- 100ms: The connection rate limit applies to 100ms intervals.
- 1 second: The connection rate limit applies to one-second intervals.
Logging: Generates a log message when a server exceeds its connection rate limit.
Supported Values:
- State: Enabled or Disabled
- Connection rate limit: 1-1048575 connections per second
- Sampling Per: 100ms or 1 second
Default: Disabled. When you enable the feature, the default for Sampling Per is 1 second.

Parameter: Slow Start
Description and Syntax: Provides time for real servers that use the template to ramp-up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the servers.
When you select the Slow Start checkbox, the following configuration fields appear:
- From: Maximum number of concurrent connections to allow on the server after it first comes up.
- By: Amount by which to increase the maximum number of concurrent connections allowed. You can use one of the following methods to specify the increment:
  - Multiplying: Number by which to multiply the starting connection limit. For example, if the scale factor is 2 and the starting connection limit is 128, the AX device increases the connection limit to 256 after the first ramp-up interval.
  - Adding: As an alternative to specifying a scale factor, you can instead specify how many more concurrent connections to allow.
- Every: Number of seconds between each increase of the number of concurrent connections allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds.
- Till: Maximum number of concurrent connections to allow during the final ramp-up interval. After the final ramp-up interval, the slow start is over and does not limit further connections to the server.
Note: If a normal runtime Connection Limit is also configured in the template or on the server, and the normal connection limit is smaller than the slow-start ending connection limit, the AX device limits slow-start connections to the maximum allowed by the normal connection limit.
Supported Values:
- State: Enabled or Disabled
- From: 1-4095 new connections
- By: One of the following:
  - Multiplying: 2-10
  - Adding: 1-4095 new connections
- Every: 1-60 seconds
- Till: 1-65535
Default: Disabled. When you enable the feature, it has the following defaults:
- From: 128 new connections
- By: Multiplying, 2
- Every: 10 seconds
- Till: 4096 concurrent connections

TABLE 51 Server Template Parameters (Continued)

Parameter: DNS Query Interval
Description and Syntax:
Specifies the interval at which the AX device sends DNS queries for the IP addresses of the dynamic real servers.
Note: This option and the remaining options (through Prefix of Dynamic Server) apply only to servers that are created dynamically using DNS. With this type of real server configuration, you enter a DNS hostname instead of an IP address when you configure the real server. (See the "Dynamic Real Server Creation Using DNS" chapter in the AX Series Configuration Guide.)
Supported Values:
1-1440 minutes (one day)
Default: 10 minutes

Parameter: Minimum TTL Ratio
Description and Syntax:
Specifies the minimum initial value for the TTL of dynamic real servers. This option prevents dynamic real servers from aging out too quickly due to a small TTL value from the DNS server.
To calculate the minimum TTL value for a dynamic real server, the AX device multiplies the DNS Query Interval by the Minimum TTL Ratio. For example, if the Minimum TTL Ratio is 2 and the DNS Query Interval is 10 minutes (600 seconds), then the minimum TTL for dynamic real servers is 1200.
Supported Values:
2-15
Default: 2

Parameter: Maximum Dynamic Server Number
Description and Syntax:
Specifies the maximum number of real servers that can be dynamically created for a given hostname. After the maximum number of servers is created, the AX device deletes the oldest servers, as determined by the time it was created, to make room for new ones.
Supported Values:
1-1023
Default: 255

Parameter: Prefix of Dynamic Server
Description and Syntax:
Specifies a short string to add to the front of the name for each dynamically created real server.
Dynamically created servers are named using the following format: prefix-ipaddr-hostname
The prefix is the string added by the AX device.
The ipaddr is the IP address returned in the DNS reply.
The hostname is the hostname you specify when you create the server configuration.
Note: The maximum total length of a dynamic server name is 32 bytes. If the name becomes longer than 32 characters, the AX device truncates the name to 32 bytes.
Supported Values:
The prefix can be a string of 1-3 characters.
Default: DRS, for Dynamic Real Servers.

Config > Service > SLB > Template > Server Port
The Server Port Template page lists the configured server port templates.
This page is displayed when you click Add or click on a server port template name.
Table 52 lists the server port template parameters you can configure.
TABLE 52 Server Port Template Parameters

Server Port Template Section

Parameter: Name
Description and Syntax:
Name of the template.
Supported Values:
String of 1-31 characters

Parameter: Health Monitor
Description and Syntax:
Health monitor to use for checking the health of service ports that use this template.
Supported Values:
Configured health monitor.
Default: the default TCP or UDP health monitor is used:
  TCP - Every 30 seconds, the AX device sends a connection request (TCP SYN) to the specified TCP port on the server. The port passes the health check if the server replies to the AX device by sending a TCP SYN ACK.
  UDP - Every 30 seconds, the AX device sends a packet with a valid UDP header and a garbage payload to the UDP port. The port passes the health check if the server either does not reply, or replies with any type of packet except an ICMP Error message.

Parameter: Weight
Description and Syntax:
Load-balancing preference for ports that use this template. A higher weight gives more favor to the server and port relative to the other servers and ports.
Note: This option applies only to the Weighted Round Robin, Weighted Least Connection, and Weighted Least Connection on Service Port load-balancing methods.
Supported Values:
1-100
Default: 1

TABLE 52 Server Port Template Parameters (Continued)

Parameter: Connection Limit Status
Description and Syntax:
Limits the number of connections allowed on real ports that use this template. When a real port reaches its connection limit, the AX device stops selecting the port for client requests.
When you select the Connection Limit Status checkbox, the following configuration fields appear:
Connection Limit - Maximum number of new connections allowed on a port.
Connection Resume - Maximum number of connections the port can have before the AX device resumes use of the port.
Logging - Generates a log message when a port exceeds its connection limit.
Supported Values:
State: Enabled or Disabled
Connection Limit: 1-1048575 connections per second
Connection Resume: 1-1048575 connections
Default: 8000000 (8 million) connections per second

Parameter: Connection Rate Limit
Description and Syntax:
Limits the rate of new connections the AX device is allowed to send to ports that use this template. When a port reaches its connection rate limit, the AX device stops selecting the port for client requests.
When you select the Connection Rate Limit checkbox, an entry field appears. Enter the maximum number of new connections allowed on a port. You can specify 1-1048575 connections.
The Sampling Per option specifies the sampling rate:
100ms - The connection rate limit applies to 100ms intervals.
1 second - The connection rate limit applies to one-second intervals.
Logging - Generates a log message when a server exceeds its connection rate limit.
Supported Values:
State: Enabled or Disabled
Connection rate limit: 1-1048575 connections per second
Sampling Per: 100ms or 1 second
Default: Disabled. When you enable the feature, the default for Sampling Per is 1 second.

TABLE 52 Server Port Template Parameters (Continued)

Parameter: Slow Start
Description and Syntax:
Provides time for real servers that use the template to ramp-up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the servers.
When you select the Slow Start checkbox, the following configuration fields appear:
From - Maximum number of concurrent connections to allow on the port after it first comes up.
By - Amount by which to increase the maximum number of concurrent connections allowed. You can use one of the following methods to specify the increment:
  Multiplying - Number by which to multiply the starting connection limit. For example, if the scale factor is 2 and the starting connection limit is 128, the AX device increases the connection limit to 256 after the first ramp-up interval.
  Adding - As an alternative to specifying a scale factor, you can instead specify how many more concurrent connections to allow.
Every - Number of seconds between each increase of the number of concurrent connections allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds.
Till - Maximum number of concurrent connections to allow during the final ramp-up interval. After the final ramp-up interval, the slow start is over and does not limit further connections to the server.
Note: If a normal runtime Connection Limit is also configured in the template or on the port, and the normal connection limit is smaller than the slow-start ending connection limit, the AX device limits slow-start connections to the maximum allowed by the normal connection limit.
Supported Values:
State: Enabled or Disabled
From: 1-4095 new connections
By: One of the following:
  Multiplying: 2-10
  Adding: 1-4095 new connections
Every: 1-60 seconds
Till: 1-65535
Default: Disabled. When you enable the feature, it has the following defaults:
  From: 128 new connections
  By: Multiplying, 2
  Every: 10 seconds
  Till: 4096 concurrent connections

Parameter: Source NAT Pool
Description and Syntax:
IP NAT pool to use for assigning source IP addresses to client traffic sent to ports that use this template. When the AX device performs NAT for a port that is bound to the template, the device selects an IP address from the pool.
Supported Values:
Configured IP source NAT pool.

TABLE 52 Server Port Template Parameters (Continued)

Parameter: Direct Server Return
Description and Syntax:
Enables destination Network Address Translation (NAT) on ports that use this template.
Destination NAT is enabled by default, but is automatically disabled in Direct Server Return (DSR) configurations. You can re-enable destination NAT on individual ports for deployment of mixed DSR configurations, which use backup servers across Layer 3 (in different subnets).
Note: DSR also requires configuration on the real servers. See the "Network Setup" chapter of the AX Series Configuration Guide.
Supported Values:
Enabled or Disabled
Default: Enabled

Parameter: DSCP
Description and Syntax:
Sets the differentiated services code point (DSCP) value in the IP header of a client request before sending the request to ports that use this template.
Supported Values:
1-63
Default: Not set

Parameter: Inband Health Check
Description and Syntax:
Enables in-band health checking. An in-band health check assesses service port health based on client-server traffic, and can very quickly send a client's traffic to another server and port if necessary. An in-band health check can also mark a port down.
In-band health monitoring for services on TCP watches client-server SYN handshake traffic, and increments the following counters if the server does not send a SYN ACK in reply to a SYN:
Retry counter - Each client-server session has its own retry counter. The AX device increments a session's retry counter each time a SYN ACK is late. If the retry counter exceeds the configured maximum number of retries allowed, the AX device sends the next SYN for the session to a different server. The AX device also resets the retry counter to 0.
Reassign counter - Each real port has its own reassign counter. Each time the retry counter for any session is exceeded, the AX device increments the reassign counter for the server port. If the reassign counter exceeds the configured maximum number of reassignments allowed, the AX device marks the port DOWN.
In this case, the port remains DOWN until the next time the port successfully passes a standard health check. Once the port passes a standard health check, the AX device starts using the port again and resets the reassign counter to 0.
For more information about this feature, see the "In-Band Health Monitoring" section of the "Health Monitoring" chapter in the AX Series Configuration Guide.
Supported Values:
Retry counter: 0-7
Reassignments: 0-255
Default: Disabled. When you enable it, the default number of retries is 2 and the default number of reassignments is 25.

Parameter: Dynamic Member Priority
Description and Syntax:
Sets the initial priority of dynamic service-group members, and specifies how much to decrement from the priority after each DNS query.
Within a service group, the priorities of the members determine which of those members can be used to service client requests. Normally, only the highest priority members can be used. Decrementing the priorities of dynamic members provides a way to ensure that the service group uses newer dynamically created members instead of older ones.
The priority value decrements only when the IP address is not refreshed after a DNS query. For example, assume a DNS query returns IP address 1.1.1.1, and the AX device creates a dynamic server with priority 16. However, the latest DNS query returns IP address 2.2.2.2 only. In this case, the priority of 1.1.1.1 is decremented by the delta value. If a later DNS query returns 1.1.1.1 again, the priority of server 1.1.1.1 is reset to 16.
If you leave the delta set to its default (0), service-group member priorities are not decremented.
Note: This option applies only to servers that are created dynamically using DNS. With this type of real server configuration, you enter a DNS hostname instead of an IP address when you configure the real server. (See the "Dynamic Real Server Creation Using DNS" chapter in the AX Series Configuration Guide.)
Supported Values:
Initial priority: 1-16
Delta: 0-8
Default:
  Initial priority: 16
  Delta: 0
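The retry and reassign counters described for the Inband Health Check parameter in Table 52 can be modelled as below. This is an added Python sketch, not A10 code or part of the manual; the class and function names are hypothetical, and it assumes "exceeds" means strictly greater than the configured maximum. It shows how many late SYN ACKs it takes before a port is marked DOWN, and that failures spread thinly across many sessions never trigger a reassignment.

```python
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class InbandPortMonitor:
    """Model of one real port's in-band counters (names are hypothetical)."""
    max_retries: int = 2       # manual's default; allowed range 0-7
    max_reassigns: int = 25    # manual's default; allowed range 0-255
    reassign_count: int = 0    # one reassign counter per real port
    up: bool = True
    retry_counts: Dict[str, int] = field(default_factory=dict)  # one per session

    def __post_init__(self):
        if not 0 <= self.max_retries <= 7 or not 0 <= self.max_reassigns <= 255:
            raise ValueError("retries must be 0-7 and reassignments 0-255")

    def syn_ack_late(self, session: str) -> str:
        """Record one SYN that got no timely SYN ACK; return the action taken."""
        if not self.up:
            return "port-down"
        self.retry_counts[session] = self.retry_counts.get(session, 0) + 1
        if self.retry_counts[session] <= self.max_retries:
            return "retry-same-port"
        # Retry counter exceeded: the session's next SYN goes to a different
        # server, the retry counter resets, and the port's reassign counter
        # goes up by one.
        self.retry_counts[session] = 0
        self.reassign_count += 1
        if self.reassign_count > self.max_reassigns:
            self.up = False
            return "reassign-and-mark-port-down"
        return "reassign-session"

    def standard_health_check_passed(self) -> None:
        """Only a passing standard health check brings the port back."""
        self.up = True
        self.reassign_count = 0


def late_syn_acks_until_down(max_retries: int = 2, max_reassigns: int = 25) -> int:
    """Fewest late SYN ACKs that mark a port DOWN (each session fails fully)."""
    mon = InbandPortMonitor(max_retries, max_reassigns)
    events = session = 0
    while mon.up:
        events += 1
        if mon.syn_ack_late(f"s{session}") != "retry-same-port":
            session += 1   # that session moved away; the next client arrives
    return events


if __name__ == "__main__":
    print("defaults (2 retries, 25 reassignments):", late_syn_acks_until_down())
    print("most tolerant (7, 255):", late_syn_acks_until_down(7, 255))
```

The model applies no decay to the reassign counter because the manual describes none: the counter returns to 0 only after a standard health check passes.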

Config > Service > SLB > Template > Virtual Server
The Virtual Server Template page lists the configured virtual server templates. This page is displayed when you click Add or click on a virtual
server template name.
Table 53 lists the virtual server template parameters you can configure.
TABLE 53 Virtual Server Template Parameters

Virtual Server Template Section

Parameter: Name
Description and Syntax:
Name of the template.
Supported Values:
String of 1-31 characters

Parameter: Connection Limit
Description and Syntax:
Limits the number of connections allowed on virtual servers that use this template. When a virtual server reaches its connection limit, the AX device stops selecting the virtual server for client requests.
When you select the Connection Limit Status checkbox, the following configuration fields appear:
Connection Limit - Maximum number of new connections allowed on a virtual server.
Drop or Reset - Specifies the action to take for connections that exceed the limit.
Logging - Generates a log message when a virtual server exceeds its connection limit.
Supported Values:
State: Enabled or Disabled
Connection Limit: 1-1048575 connections per second
Connection Resume: 1-1048575 connections
Default: 8000000 (8 million) connections per second

Parameter: Connection Rate Limit
Description and Syntax:
Limits the rate of new connections the AX device is allowed to send to servers that use this template. When a real server reaches its connection rate limit, the AX device stops selecting the server for client requests.
When you select the Connection Rate Limit checkbox, an entry field appears. Enter the maximum number of new connections allowed on a server. You can specify 1-1048575 connections.
The Sampling Per option specifies the sampling rate:
100ms - The connection rate limit applies to 100ms intervals.
1 second - The connection rate limit applies to one-second intervals.
The Drop or Reset option specifies the action to take for connections that exceed the limit.
The Logging option specifies whether to generate a log message when a virtual server exceeds its connection rate limit.
Supported Values:
State: Enabled or Disabled
Connection rate limit: 1-1048575 connections per second
Sampling Per: 100ms or 1 second
Default: Disabled. When you enable the feature, the default for Sampling Per is 1 second.

TABLE 53 Virtual Server Template Parameters (Continued)

Parameter: ICMP Rate Limit Status
Description and Syntax:
Configures ICMP rate limiting for the virtual server, to protect against denial-of-service (DoS) attacks.
When you select the ICMP Rate Limit Status checkbox, the following configuration fields appear:
Normal Rate - Maximum number of ICMP packets allowed per second before the AX device locks up ICMP traffic to the virtual server. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires.
Lockup Status checkbox - Selecting this checkbox displays the Lockup Rate and Lockup Period fields.
  Lockup Rate - Maximum number of ICMP packets allowed per second before the AX device locks up ICMP traffic. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires.
  Lockup Period - Number of seconds for which the AX device drops all ICMP traffic, after the maximum rate is exceeded.
Supported Values:
State: Enabled or Disabled
Normal Rate: 1-65535 packets per second
Lockup Period: 1-16383 seconds
Lockup Rate: 1-16383 seconds
Default: Disabled
Specifying a maximum rate (lockup rate) and lockup period is optional. If you do not specify them, lockup does not occur.

Parameter: Subnet Gratuitous ARP
Description and Syntax:
Enable gratuitous ARPs for all VIPs in a subnet VIP.
Note: This option applies only to VIPs that are created using a range of subnet IP addresses. The option has no effect on VIPs created with a single IP address.
Supported Values:
State: Enabled or Disabled
Default: Disabled. The AX device sends gratuitous ARPs for only the first IP address in a subnet VIP.

Config > Service > SLB > Template > Virtual Server Port
The Virtual Server Port Template page lists the configured virtual server
port templates. This page is displayed when you click Add or click on a virtual server port template name.
Table 54 lists the virtual server port template parameters you can configure.

TABLE 54 Virtual Server Port Template Parameters

Virtual Server Port Template Section

Parameter: Name
Description and Syntax:
Name of the template.
Supported Values:
String of 1-31 characters

Parameter: Connection Limit
Description and Syntax:
Limits the number of connections allowed on virtual ports that use this template. When a virtual port reaches its connection limit, the AX device stops selecting the virtual port for client requests.
When you select the Connection Limit Status checkbox, the following configuration fields appear:
Connection Limit - Maximum number of new connections allowed on a virtual port.
Drop or Reset - Specifies the action to take for connections that exceed the limit.
Logging - Generates a log message when a virtual port exceeds its connection limit.
Supported Values:
State: Enabled or Disabled
Connection Limit: 1-1048575 connections per second
Connection Resume: 1-1048575 connections
Default: Disabled

Parameter: Connection Rate Limit
Description and Syntax:
Limits the rate of new connections the AX device is allowed to send to virtual ports that use this template. When a virtual port reaches its connection rate limit, the AX device stops selecting the virtual port for client requests.
When you select the Connection Rate Limit checkbox, an entry field appears. Enter the maximum number of new connections allowed on a virtual port. You can specify 1-1048575 connections.
The Sampling Per option specifies the sampling rate:
100ms - The connection rate limit applies to 100ms intervals.
1 second - The connection rate limit applies to one-second intervals.
The Drop or Reset option specifies the action to take for connections that exceed the limit.
The Logging option specifies whether to generate a log message when a virtual port exceeds its connection rate limit.
Supported Values:
State: Enabled or Disabled
Connection rate limit: 1-1048575 connections per second
Sampling Per: 100ms or 1 second
Default: 8000000 (8 million) connections per second. The default for Sampling Per is 1 second.

TABLE 54 Virtual Server Port Template Parameters (Continued)

Parameter: Reset Unknown Connection
Description and Syntax:
Enables sending of a TCP Reset (RST) in response to a session mismatch. A session mismatch occurs when the AX device receives a TCP packet for a TCP session that does not exist on the AX device.
This option is useful in cases where a session ages out or is deleted on the AX device, but the client does not receive a RST or FIN for the session. In this case, without a RST, the session could remain open on the client until the session ages out.
TCP packet with any flag other than SYN or RST - Send RST to sender of packet only.
TCP packet with SYN or RST flag - Do not send RST.
Note: This option does not apply to sessions that are in the delete queue. If the AX device receives a packet for a session that has been moved to the delete queue, the AX device does not send a TCP RST. Instead, the AX device reactivates the session and allows it to age out normally.
Supported Values:
Enabled or disabled
Default: Disabled

Config > Service > SLB > Class List


Import or configure a class list for IP limiting. A class list is a set of IP host
or subnet addresses that are mapped to IP limiting rules.
IP limiting enables you to limit client traffic. Separate limits can be configured for each of the following:
Concurrent connections
Connection rate
Concurrent Layer 7 requests
Layer 7 request rate

Note: In the current release, Layer 7 request limiting applies only to the HTTP, HTTPS, and fast-HTTP virtual port types.
You can apply source IP limiting on a system-wide basis, on individual virtual servers, or on individual virtual ports.
Using class lists, you can configure different classes of clients, and apply a
separate set of IP limits to each class. You also can exempt specific clients
from being limited.

The AX device can support up to 255 class lists. Each class list can contain
up to 8 million host IP addresses and 64,000 subnets.
Class List Syntax
Each entry (row) in the class list defines a client class, and has the following
format:
ipaddr /network-mask [glid num | lid num] [; comment-string]
Each entry consists of the following:
ipaddr - Specifies the host or subnet address of the client. The network-mask specifies the network mask.
To configure a wildcard IP address, specify 0.0.0.0 /0. The wildcard address matches on all addresses that do not match any entry in the class list.
glid num | lid num - Specifies the ID of the IP limiting rule to use for matching clients. You can use a system-wide (global) IP limiting rule or an IP limiting rule configured in a PBSLB policy template.
  To use an IP limiting rule configured at the global configuration level, use the glid num option.
  To use an IP limiting rule configured at the same level (in the same PBSLB policy template) as the class list, use the lid num option.
To exclude a host or subnet from being limited, do not specify an IP limiting rule.
; comment-string - Contains a comment. Use a semi-colon ( ; ) in front of the comment string.
Note: The AX device discards the comment string when you save the class list.

IP Address Matching
By default, the AX device matches class-list entries based on the source IP address of client traffic. Optionally, you can match based on one of the following instead:
Destination IP address - Matches based on the destination IP address instead of the source IP address.
IP address in HTTP request - Matches based on the IP address in a header in the HTTP request. You can specify the header when you enable this option.

Example Class Lists
Here is an example of a very simple class list. This list matches on all clients and uses an IP limiting rule configured at the global configuration
level:
0.0.0.0/0 glid 1

Here is an example with more options:


1.1.1.1 /32 lid 1
2.2.2.0 /24 lid 2 ; LID 2 applies to every single IP of this subnet
0.0.0.0 /0 lid 10 ; LID 10 applied to every undefined single IP
3.3.3.3 /32 glid 3 ; Use global LID 3
4.4.4.4 /32 ; No LID is applied (exception list)

The rows in the list specify the following:
For individual host 1.1.1.1, use IP limiting rule 1, which is configured in a PBSLB policy template. (A PBSLB policy template can be applied globally for system-wide IP limiting, or to an individual virtual server or virtual port. This is described in more detail in a later section.)
For all hosts in subnet 2.2.2.0/24, use IP limiting rule 2, which is configured in a PBSLB policy template.
For all hosts that do not match another entry in the class list, use IP limiting rule 10, which is configured in a PBSLB policy template.
For individual host 3.3.3.3, use IP limiting rule 3, which is configured at the global configuration level.
For individual host 4.4.4.4, do not use an IP limiting rule.
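A class list file can be checked before import with a small parser for the entry format above. The following Python is an added example, not part of the manual or the AX software: function names are hypothetical, and choosing the most specific row when several overlap is an assumption (the manual states only that the wildcard row catches addresses no other row matches). It parses the manual's second example list, resolves which rule a client address gets, and reports rows that exempt clients from limiting.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_RULE_ID = 31  # the manual gives 1-31 as the rule-number range

# The manual's second example class list, copied from the section above.
PAGE_EXAMPLE = """\
1.1.1.1 /32 lid 1
2.2.2.0 /24 lid 2 ; LID 2 applies to every single IP of this subnet
0.0.0.0 /0 lid 10 ; LID 10 applied to every undefined single IP
3.3.3.3 /32 glid 3 ; Use global LID 3
4.4.4.4 /32 ; No LID is applied (exception list)
"""


@dataclass(frozen=True)
class ClassEntry:
    network: ipaddress.IPv4Network
    scope: Optional[str]     # "glid", "lid", or None when the row is exempt
    rule_id: Optional[int]
    comment: str


def parse_entry(line: str) -> ClassEntry:
    """Parse one row: ipaddr /network-mask [glid num | lid num] [; comment]."""
    body, _, comment = line.partition(";")
    tokens = body.replace("/", " / ").split()
    if len(tokens) < 3 or tokens[1] != "/":
        raise ValueError(f"expected 'ipaddr /network-mask': {line!r}")
    # strict=True rejects rows such as 2.2.2.5 /24 whose host bits are set.
    network = ipaddress.IPv4Network(f"{tokens[0]}/{tokens[2]}", strict=True)
    rest = tokens[3:]
    if not rest:
        return ClassEntry(network, None, None, comment.strip())
    if len(rest) != 2 or rest[0] not in ("glid", "lid") or not rest[1].isdigit():
        raise ValueError(f"expected 'glid num' or 'lid num': {line!r}")
    rule_id = int(rest[1])
    if not 1 <= rule_id <= MAX_RULE_ID:
        raise ValueError(f"rule number {rule_id} is outside 1-{MAX_RULE_ID}")
    return ClassEntry(network, rest[0], rule_id, comment.strip())


def parse_class_list(text: str) -> List[ClassEntry]:
    """Parse every non-blank row and reject duplicate host/subnet rows."""
    entries, seen = [], set()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = parse_entry(raw)
        if entry.network in seen:
            raise ValueError(f"duplicate row for {entry.network}")
        seen.add(entry.network)
        entries.append(entry)
    return entries


def lookup(entries: List[ClassEntry], client_ip: str) -> Optional[ClassEntry]:
    """Return the most specific matching row (assumed precedence), or None."""
    addr = ipaddress.IPv4Address(client_ip)
    matches = [e for e in entries if addr in e.network]
    return max(matches, key=lambda e: e.network.prefixlen, default=None)


def audit(entries: List[ClassEntry]) -> List[str]:
    """List the rows a reviewer should confirm before the list goes live."""
    findings = []
    if not any(e.network.prefixlen == 0 for e in entries):
        findings.append("no wildcard row: unlisted clients match no entry")
    for e in entries:
        if e.scope is None:
            who = "ALL clients" if e.network.prefixlen == 0 else str(e.network)
            findings.append(f"exempt from IP limiting: {who}")
    return findings


if __name__ == "__main__":
    rows = parse_class_list(PAGE_EXAMPLE)
    for ip in ("1.1.1.1", "2.2.2.77", "9.9.9.9", "4.4.4.4"):
        hit = lookup(rows, ip)
        print(ip, "->", hit.scope, hit.rule_id)
    print(audit(rows))
```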

Importing a Class List onto the AX Device


1. Select Config > Service > SLB.
2. On the menu bar, select Class List.
3. Click Import. The Import page appears.
4. In the Name field, enter the filename to use for the imported class list.
5. Select the location of the file to be imported:
Local - The file is on the PC you are using to run the GUI, or is on another PC or server in the local network. Go to step 2.
Remote - The file is on a remote server. Go to step 4.
6. Click Browse and navigate to the location of the class list.

7. Click Open. The path and filename appear in the Source field. Go to
step 9.
8. To use the management interface as the source interface for the connection to the remote device, select Use Management Port. Otherwise, the
AX device will attempt to reach the remote server through a data interface.
9. Select the file transfer protocol: FTP, TFTP, RCP, or SCP.
10. In the Host field, enter the directory path and filename.
11. If needed, change the protocol port number in the port field. By default,
the default port number for the selected file transfer protocol is used.
12. In the User and Password fields, enter the username and password
required for access to the remote server.
13. Click OK.
Configuring a Class List in the GUI
1. Select Config > Service > SLB.
2. On the menu bar, select Class List.
3. Click Create.
4. In the Name field, enter a name for the class list.
5. Select the system location in which to save the class list:
File The list is saved in a stand-alone file.
Config The list is saved in the startup-config.

Note: If the class list contains 100 or more entries, it is recommended to use the File option. A class list can be exported only if you use the File option.
6. Configure the class list entries:
a. Enter the IP address and subnet mask.
For a host entry, use mask 255.255.255.255.
For a wildcard entry, enter IP address 0.0.0.0 and network mask
0.0.0.0.

b. Specify the IP limiting rule to apply to the host or subnet address.
Select the system location of the IP limiting rule:
Local The IP limiting rule is configured in a PBSLB policy
template to be applied to a virtual server or virtual port.
Global The IP limiting rule is configured in a PBSLB policy
template to be applied at the system (global) level.
LSN The IP limiting rule is configured in a stand-alone, system level rule. (These are configured by navigating to Config > Service > SLB > LSN.)
Enter the rule number, 1-31.
Note: Make sure to use the same number when you configure the IP limiting rule.
c. Click Add.
d. Repeat for each entry.
7. Click OK.

Config > Service > SLB > LID


Configure global IP limiting rules. IP limiting rules specify connection and
request limits for clients.
Note: To configure IP limiting rules for individual virtual servers or virtual ports, use PBSLB policy templates instead. (See "Config > Service > Template > Application > PBSLB Policy" on page 135.)
Each IP limiting rule has the following parameters:
Limit ID - Number from 1-31 that identifies the rule.
Connection limit - Maximum number of concurrent connections allowed for a client. You can specify 1-1048575. There is no default.
Connection-rate limit - Maximum number of new connections allowed for a client within the limit period. You can specify 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms. There is no default.
Request limit - Maximum number of concurrent Layer 7 requests allowed for a client. You can specify 1-1048575. There is no default.
Request-rate limit - Maximum number of Layer 7 requests allowed for a client within the limit period. You can specify 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms. There is no default.

Over-limit action - Action to take when a client exceeds one or more of the limits. The action can be one of the following:
  Drop - The AX device drops that traffic. If logging is enabled, the AX device also generates a log message. This is the default action.
  Forward - The AX device forwards the traffic. If logging is enabled, the AX device also generates a log message.
  Reset - For TCP, the AX device sends a TCP RST to the client. If logging is enabled, the AX device also generates a log message.
Lockout period - Number of minutes during which to apply the over-limit action after the client exceeds a limit. The lockout period is activated when a client exceeds any limit. The lockout period can be 1-1023 minutes. There is no default.
Logging - Generates log messages when clients exceed a limit. Logging is disabled by default. When you enable logging, a separate message is generated for each over-limit occurrence, by default. You can specify a logging period, in which case the AX device holds onto the repeated messages for the specified period, then sends one message at the end of the period for all instances that occurred within the period. The logging period can be 0-255 minutes. The default is 0 (no wait period).

Match IP Address
By default, the AX device matches class-list entries based on the source IP address of client traffic. Optionally, you can match based on one of the following instead:
Destination IP address - matches based on the destination IP address in packets from clients.
IP address in client packet header - matches based on the IP address in the specified header in packets from clients. If you do not specify a header name, this option uses the IP address in the X-Forwarded-For header.
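To see how the connection-rate limit, limit period, over-limit action and lockout period interact, the added Python model below replays a constructed sequence of connection attempts against one IP limiting rule. It is not A10 code and not from the manual: the names are hypothetical, and it assumes a fixed counting window that opens at a client's first connection, since the manual does not say how the device aligns the limit period. The value ranges checked are the ones listed above.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ACTIONS = ("drop", "forward", "reset")   # over-limit actions from the manual


@dataclass(frozen=True)
class LimitRule:
    limit_id: int                       # 1-31
    conn_rate_limit: int                # new connections per limit period
    period_ms: int                      # 100-6553500, in increments of 100
    lockout_min: Optional[int] = None   # 1-1023 minutes; no default
    action: str = "drop"                # Drop is the default action

    def __post_init__(self):
        if not 1 <= self.limit_id <= 31:
            raise ValueError("Limit ID must be 1-31")
        if not 1 <= self.conn_rate_limit <= 4294967295:
            raise ValueError("connection-rate limit must be 1-4294967295")
        if not 100 <= self.period_ms <= 6553500 or self.period_ms % 100:
            raise ValueError("limit period must be 100-6553500 ms, step 100")
        if self.lockout_min is not None and not 1 <= self.lockout_min <= 1023:
            raise ValueError("lockout period must be 1-1023 minutes")
        if self.action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}")


def replay(rule: LimitRule, events: Iterable[Tuple[int, str]]) -> List[str]:
    """Decide each (time_ms, client_ip) attempt; events must be time-ordered."""
    window_start: Dict[str, int] = {}
    count: Dict[str, int] = {}
    locked_until: Dict[str, int] = {}
    decisions = []
    for now, client in events:
        if now < locked_until.get(client, 0):
            decisions.append(rule.action)      # still inside the lockout
            continue
        # Assumed fixed window: restart counting once the period has elapsed.
        if client not in window_start or now - window_start[client] >= rule.period_ms:
            window_start[client], count[client] = now, 0
        count[client] += 1
        if count[client] <= rule.conn_rate_limit:
            decisions.append("allow")
            continue
        if rule.lockout_min is not None:
            locked_until[client] = now + rule.lockout_min * 60_000
        decisions.append(rule.action)
    return decisions


# Constructed sample traffic (documentation address, not real data):
# 8 attempts in 0.8 s, then three isolated attempts much later.
CLIENT = "198.51.100.7"
BURST = [(t, CLIENT) for t in range(0, 800, 100)]
LATER = [(30_000, CLIENT), (60_499, CLIENT), (60_500, CLIENT)]

if __name__ == "__main__":
    with_lockout = LimitRule(1, conn_rate_limit=5, period_ms=1000, lockout_min=1)
    without = LimitRule(2, conn_rate_limit=5, period_ms=1000)
    print("lockout 1 min:", replay(with_lockout, BURST + LATER))
    print("no lockout   :", replay(without, BURST + LATER))
```

With the one-minute lockout, the client that burst at t=0.5 s is still refused at t=30 s even though its rate has dropped; without a lockout, the same client is accepted again as soon as a new limit period starts.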
Configuring IP Limiting Rules in a PBSLB Policy Template
1. Select Config > Service > Template.
2. On the menu bar, select Application > PBSLB Policy.
3. Click Add to create a new template (or click on the name of an existing
template). The PBSLB Policy section appears.
4. Enter a name for the template, if creating a new one.

5. In the IP Limiting section, configure IP limiting.
a. Select the class list from the Class List drop-down list.
b. Configure the limiting rules to apply to the selected class list.
6. Leave the Destination IP and Overlap options disabled.
7. Click OK.

Config > Service > SLB > Global


These pages display the configurable system-wide SLB parameters.
Select one of the following menu options:
Global > Settings
Global > DDoS Protection
Global > Rate-Limit Log

Config > Service > SLB > Global > Settings


Table 55 lists the SLB parameters you can configure globally.
TABLE 55 Global SLB Parameters

Settings Section

Parameter: DSR Health Check
Description and Syntax: Enables health checking of virtual IP addresses in Direct Server Return (DSR) configurations.
Note: You also must configure the Layer 3 health monitors with the transparent option and with the alias address set to the virtual IP address, and you must enable DSR on the virtual ports.
Supported Values: Enabled or Disabled. Default: Disabled

Parameter: Graceful Shutdown
Description and Syntax: Enables the AX device to wait for the specified grace period before moving active sessions on a deleted or disabled port or server to the delete queue.
Supported Values: 1-65535 seconds (about 18 hours). Default: Not set. When you delete a real or virtual service port, the AX device places all the port's sessions in the delete queue, and stops accepting new sessions on the port.

Parameter: Max Session Life
Description and Syntax: Maximum session life for client sessions. The maximum session life controls how long the AX device maintains a session table entry for a client-server session after the session ends.
The maximum session life allows time for retransmissions from clients or servers, which can occur if there is an error in a transmission.
Supported Values: 1-40 seconds. Default: 2 seconds

Parameter: SYN Cookie
Description and Syntax: Enables system-wide protection against TCP SYN flood attacks. SYN cookies enable the AX device to continue to serve legitimate clients during a TCP SYN flood attack, without allowing illegitimate traffic to consume system resources.
    On Threshold - Specifies the maximum number of concurrent half-open TCP connections allowed on the AX device, before SYN cookies are enabled. If the number of half-open TCP connections exceeds the on-threshold, the AX device enables SYN cookies. You can specify 0-2147483647 half-open connections.
    Off Threshold - Specifies the minimum number of concurrent half-open TCP connections for which to keep SYN cookies enabled. If the number of half-open TCP connections falls below this level, SYN cookies are disabled. You can specify 0-2147483647 half-open connections.
Note: This option is supported only on models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200.
Supported Values: Disabled or Enabled
    On Threshold - 0-2147483647 half-open connections
    Off Threshold - 0-2147483647 half-open connections
Default: Disabled
Note: If you leave the On Threshold and Off Threshold fields blank, SYN cookies are enabled and are always on regardless of the number of half-open TCP connections present on the AX device.

Parameter: Stats Data
Description and Syntax: Globally disables or re-enables periodic collection of statistical data for system resources, including the following:
    CPU
    Memory
    Disk
    Interfaces
Notes: You also can enable or disable statistical data collection for SLB and FWLB load-balancing resources, on an individual basis. Select Enabled or Disabled next to Stats Data on the configuration page for the resource.
Supported Values: Enabled or Disabled. Default: Enabled

Parameter: L7 Request Accounting
Description and Syntax: Globally enables Layer 7 request accounting.
Note: Layer 7 request accounting is automatically enabled for service groups that use the least-request load-balancing method.
Supported Values: Enabled or Disabled. Default: Disabled

Parameter: Fast Path Processing
Description and Syntax: Enables fast-path processing, wherein the AX device does not perform a deep inspection of every field within a packet.
Supported Values: Enabled or Disabled. Default: Disabled

Parameter: Compression Block Size
Description and Syntax: Changes the default compression block size used for SLB.
Supported Values: 6000-32000 Bytes. Default: 16000

Parameter: Maximum Size aFleX
Description and Syntax: Changes the maximum size for aFleX script files.
Supported Values: 16-256 KB. Default: 32

Parameter: DNS Cache
Description and Syntax: Enables local caching of replies to DNS queries. When DNS caching is enabled, the AX device sends the first request for a given name (hostname, fully-qualified domain name, URL, and so on) to the DNS server. The AX device caches the reply from the DNS server, and sends the cached reply in response to the next request for the same name.
The AX device continues to use the cached DNS reply until the reply times out. After the reply times out, the AX device sends the next request for the URL to the DNS server, and caches the reply, and so on.
Note: DNS caching applies only to DNS requests sent to a UDP virtual port in a DNS SLB configuration. DNS caching is not supported for DNS requests sent over TCP.
Supported Values: Enabled or disabled. Default: Disabled

Parameter: DNS Cache Age
Description and Syntax: Specifies how long DNS replies are locally cached.
Note: A DNS reply begins aging as soon as it is cached and continues aging even if the cached reply is used after aging starts. Use of a cached reply does not reset the age of that reply.
Supported Values: 1-1000000 seconds. Default: 300 seconds

Parameter: Source NAT traffic against VIP
Description and Syntax: Globally enables IP NAT support for VIPs.
Source IP NAT can be configured on a virtual port in the following ways:
    ACL-SNAT Binding at the virtual port level
    VIP source NAT at the global configuration level
    aFleX policy bound to the virtual port
    Source NAT Pool at the virtual port level
These methods are used in the order shown above. For example, if IP source NAT is configured using an ACL on the virtual port, and VIP source NAT is also enabled globally, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that is not permitted by the ACL, the globally configured VIP source NAT can be used instead.
Note: The current release does not support source IP NAT on FTP or RTSP virtual ports.
Supported Values: Disabled or Enabled. Default: Disabled

Parameter: Hardware Compression
Description and Syntax: Enables the HTTP compression module.
When enabled, the module provides hardware-based HTTP compression. Except for the compression level, the compression settings depend on the HTTP template bound to the virtual port for which compression is being provided. (See Config > Service > Template > Application > HTTP on page 129.) The compression level is set in hardware and can not be changed.
Note: This option is available only if the AX device you are managing contains a hardware compression module.
Supported Values: Disabled or Enabled. Default: Disabled

Application Buffer Threshold Section

Parameter: Application Buffer Threshold
Description and Syntax: Enables configuration fields for SLB buffer queue thresholds.
Supported Values: Selected or unselected. Default: unselected

Parameter: Hardware Buffer
Description and Syntax: IO buffer threshold. For each CPU, if the number of queued entries in the IO buffer reaches this threshold, fast aging is enabled and no more IO buffer entries are allowed to be queued on the CPU's IO buffer.
Supported Values: The supported values and defaults for each parameter may differ depending on the AX model.

Parameter: Relief Threshold
Description and Syntax: Threshold at which fast aging is disabled, to allow IO buffer entries to be queued again.

Parameter: System Buffer
Description and Syntax: Sets the following thresholds:
    From - Threshold of queued system buffer entries at which the AX begins refusing new incoming connections.
    To - Threshold of queued system buffer entries at which the AX device drops a connection whenever a packet is received for that connection.

Config > Service > SLB > Global > DDoS Protection

The options on this page enable protection against distributed denial-of-service (DDoS) attacks.
Table 56 lists the DDoS protection options.
All options are supported for IPv4. All options except IP Option are supported for IPv6.

TABLE 56 DDoS Protection Options

Parameter: Drop All
Description: Enables all the DDoS protection options listed below.

Parameter: IP Option
Description: Drops all packets that contain any IP options.

Parameter: Land Attack
Description: Drops spoofed SYN packets containing the same IP address as the source and destination, which can be used to launch an IP land attack.

Parameter: Ping-of-Death
Description: Drops all jumbo IP packets longer than the maximum valid IP packet size (65535 bytes), known as ping of death packets.
Note: On models AX 1000, AX 2000, AX 2100, AX 2500, AX 2600, and AX 3000, the Ping-of-Death option drops all IP packets longer than 32000 bytes. On models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200, the option drops IP packets longer than 65535 bytes.

Parameter: Frag
Description: Drops all IP fragments, which can be used to attack hosts running IP stacks that have known vulnerabilities in their fragment reassembly code.

Parameter: TCP No Flags
Description: Drops all TCP packets that do not have any TCP flags set.

Parameter: TCP SYN Fin
Description: Drops all TCP packets in which both the SYN and FIN flags are set.

Parameter: TCP SYN Frag
Description: Drops incomplete (fragmented) TCP Syn packets, which can be used to launch TCP Syn flood attacks.

Parameter: Out of Sequence
Description: Checks for out-of-sequence packets in new HTTP or HTTPS connection requests from clients.
Note: This option and the following options apply only to system-wide Policy-Based SLB. (See the Configuring System-Wide PBSLB section in the Traffic Security Features chapter of the AX Series Configuration Guide.)

Parameter: Zero Window
Description: Checks for a zero-length TCP window in new HTTP or HTTPS connection requests from clients.

Parameter: Bad Content
Description: Checks for invalid HTTP or SSL payloads in new HTTP or HTTPS connection requests from clients.
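
The packet-level options in Table 56 can be checked offline against captured traffic. The following Python sketch is an added example, not A10 code: it parses an IPv4/TCP header and reports which options would match. The function names, the sample packets (constructed, documentation addresses) and the reading of Ping-of-Death as "the reassembled size implied by this fragment exceeds the limit" are assumptions.

```python
import socket
import struct

SYN, FIN = 0x02, 0x01
# Parameter names from Table 56, in table order (used to sort the result).
TABLE_ORDER = ["IP Option", "Land Attack", "Ping-of-Death", "Frag",
               "TCP No Flags", "TCP SYN Fin", "TCP SYN Frag"]


def build_tcp(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header; checksum left at 0 (not checked here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def build_ipv4(src, dst, payload, proto=6, options=b"", mf=False, frag_offset=0):
    """Constructed IPv4 packet. frag_offset is in 8-byte units, as on the wire."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl_words = 5 + len(options) // 4
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                         ihl_words * 4 + len(payload), 0x1234, flags_frag,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def matched_options(packet, max_ip_len=65535):
    """Return the Table 56 options that would match this IPv4 packet.

    max_ip_len is the Ping-of-Death limit: 65535 or 32000 depending on model.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len, flags_frag = struct.unpack("!H2xH", packet[2:8])
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("truncated or malformed IPv4 header")
    more_fragments = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8          # fragment offset in bytes
    payload = packet[ihl:total_len]
    hits = set()
    if ihl > 20:                                # header longer than 20 bytes
        hits.add("IP Option")
    if more_fragments or offset:
        hits.add("Frag")
    # Size the datagram would have once this fragment is reassembled.
    if ihl + offset + len(payload) > max_ip_len:
        hits.add("Ping-of-Death")
    # Only an unfragmented packet or a first fragment carries the TCP header.
    if packet[9] == 6 and offset == 0 and len(payload) >= 14:
        flags = payload[13] & 0x3F
        if flags == 0:
            hits.add("TCP No Flags")
        if flags & SYN and flags & FIN:
            hits.add("TCP SYN Fin")
        if flags & SYN and more_fragments:
            hits.add("TCP SYN Frag")
        if flags & SYN and packet[12:16] == packet[16:20]:
            hits.add("Land Attack")
    return [name for name in TABLE_ORDER if name in hits]


# Constructed sample packets for offline testing; nothing is sent.
A, B = "192.0.2.10", "198.51.100.5"
SAMPLES = {
    "normal SYN": build_ipv4(A, B, build_tcp(SYN)),
    "same src/dst SYN": build_ipv4(B, B, build_tcp(SYN)),
    "IP options": build_ipv4(A, B, build_tcp(0x10), options=b"\x01\x01\x01\x00"),
    "no flags": build_ipv4(A, B, build_tcp(0)),
    "SYN+FIN": build_ipv4(A, B, build_tcp(SYN | FIN)),
    "fragmented SYN": build_ipv4(A, B, build_tcp(SYN), mf=True),
    "late fragment": build_ipv4(A, B, b"\x00" * 100, proto=1, frag_offset=8189),
    "mid fragment": build_ipv4(A, B, b"\x00" * 100, proto=1, frag_offset=4000),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:18} {matched_options(pkt)}")
```

Passing max_ip_len=32000 reproduces the lower Ping-of-Death limit that the note gives for models AX 1000 through AX 3000.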

Config > Service > SLB > Global > Rate-Limit Log
This page enables you to configure rate-limiting settings for logging.
Table 57 lists the parameters.
TABLE 57 Log Rate-Limiting Parameters

Rate-Limit Log Section

Parameter: Max Local Logging
Description and Syntax: Maximum number of messages per second that can be sent to the local log buffer.
Supported Values: 1-100. Default: 32

Parameter: Remote Local Logging
Description and Syntax: Maximum number of messages per second that can be sent to remote log servers.
Supported Values: 1-100000. Default: 15000

Parameter: Excluding
Description and Syntax: Excludes logging to the specified destination, Local or Remote.
Supported Values: Local or Remote. Default: logging to both destinations is enabled.

Config > Service > Template


The Template pages enable you to configure SLB templates. Select the template type from the menu bar. The configured templates of that type are
listed.
To create a new template, click Add.
To view or edit an existing template, click on the template name.
To delete a template, select it, then click Delete.

Config > Service > Template > Application > HTTP


This page displays the configured HTTP templates.
The following configuration sections are displayed when you click Add or
click on a template name.
HTTP
Header Erase
Header Insert
App Switching

Redirect Rewrite
Compression

Table 58 lists the parameters you can configure in HTTP templates.


TABLE 58 HTTP Template Parameters

HTTP Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters

Parameter: Failover URL
Description: Fallback URL to send in an HTTP 302 response when all real servers are down.
Supported Values: Valid URL. Default: Not set

Parameter: Strict Transaction Switching
Description: Forces the AX device to perform the server selection process anew for every HTTP request. Without this option, the AX device reselects the same server for subsequent requests (assuming the same server group is used), unless overridden by other template options.
Supported Values: Enabled or disabled. Default: Disabled

Parameter: Client IP header insert
Description: Inserts the client's source IP address into HTTP headers. If you specify an HTTP header name, the source address is inserted only into headers with that name.
Click the checkbox to activate the input field.
Supported Values: String of 1-63 characters. Default: Not set

Parameter: Retry HTTP Request
Description: Configures the AX device to retry sending a client's request to a service port that replies with an HTTP 5xx status code, and reassign the request to another server if the first server replies with a 5xx status code.
    on HTTP 5xx code - Stops sending client requests to a service port for 30 seconds following reassignment.
    on HTTP 5xx code for each - Does not stop sending client requests to a service port following reassignment.
Note: This option is supported only for virtual port types HTTP and HTTPS. The option is not supported for fast-HTTP or any other virtual port type.
Supported Values: 1-3 retries. Default: Disabled. The AX device sends the 5xx status code to the client. When you enable this feature, the default mode is on HTTP 5xx code, and the default number of retries is 3.

Parameter: Terminate HTTP 1.1 client when request has Connection: close
Description: Enables the AX device to terminate HTTP 1.1 client connections when the Connection: close header exists in the HTTP request. This option is applicable to connection-reuse deployments that have HTTP 1.1 clients that are not compliant with the HTTP 1.1 standard.
Supported Values: Enabled or disabled. Default: Disabled. Sessions for non-compliant HTTP 1.1 clients are not terminated.

Header Erase Section

Note: These options are not supported with the fast-http service type. The AX device does not allow an HTTP template with any of the header erase or header insert options to be bound to a fast-http virtual port. Likewise, the AX device does not allow header options to be added to an HTTP template that is already bound to a fast-http virtual port.

Parameter: Request
Description: Erases a header from HTTP requests. Enter the header name in the Name field and click Add.
Supported Values: Default: Not set

Parameter: Response
Description: Erases a header from HTTP responses. Enter the header name in the Name field and click Add.
Supported Values: Default: Not set

Header Insert Section

Note: These options are not supported with the fast-http service type. The AX device does not allow an HTTP template with any of the header erase or header insert options to be bound to a fast-http virtual port. Likewise, the AX device does not allow header options to be added to an HTTP template that is already bound to a fast-http virtual port.

Parameter: Request
Description: Inserts a header (field:value pair) into HTTP requests. Enter the header name and value in the Name field and click Add.
By default, if a request already contains one or more headers with the specified field name, the command replaces the first header. You can select one of the following options to change this behavior:
    Insert Always - Always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
    Insert if Not Exist - inserts the header only if the request does not already contain a header with the same field name.
Supported Values: Default: Not set

Parameter: Response
Description: Inserts a header (field:value pair) into HTTP responses. Enter the header name and value in the Name field and click Add.
By default, if a request already contains one or more headers with the specified field name, the command replaces the first header. You can select one of the following options to change this behavior:
    Insert Always - Always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
    Insert if Not Exist - inserts the header only if the request does not already contain a header with the same field name.
Supported Values: Default: Not set
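
The three Header Insert behaviors differ in what the real server receives when the client request already carries the header. The following Python model is an added example, not A10 code; the mode labels, the function names and the choices to append when no header exists and to place an Insert Always header after the last existing one are assumptions.

```python
MODES = ("replace-first", "insert-always", "insert-if-not-exist")


def insert_header(headers, name, value, mode="replace-first"):
    """Apply one Header Insert rule to a list of (name, value) pairs.

    mode labels are invented for this example:
      "replace-first"        the default behavior described in Table 58
      "insert-always"        the Insert Always option
      "insert-if-not-exist"  the Insert if Not Exist option
    Returns a new list; the input list is not modified.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    # HTTP field names are case-insensitive.
    matches = [i for i, (n, _) in enumerate(headers) if n.lower() == name.lower()]
    result = list(headers)
    if not matches:
        # No header with this name yet: every mode inserts it (assumed: at the end).
        result.append((name, value))
    elif mode == "replace-first":
        result[matches[0]] = (name, value)
    elif mode == "insert-always":
        # Assumed placement: directly after the last existing header of that name.
        result.insert(matches[-1] + 1, (name, value))
    # insert-if-not-exist with an existing header: message left untouched.
    return result


def values_of(headers, name):
    """All values of a header, in message order."""
    return [v for n, v in headers if n.lower() == name.lower()]


# Constructed request in which the client already supplied the header twice.
REQUEST = [
    ("Host", "www.example.com"),
    ("X-Forwarded-For", "198.51.100.77"),
    ("Accept", "*/*"),
    ("X-Forwarded-For", "198.51.100.78"),
]
DEVICE_VALUE = "203.0.113.9"   # constructed value the template inserts


def what_the_server_sees():
    """Header values that reach the server under each mode."""
    return {mode: values_of(insert_header(REQUEST, "X-Forwarded-For",
                                          DEVICE_VALUE, mode), "X-Forwarded-For")
            for mode in MODES}


if __name__ == "__main__":
    for mode, values in what_the_server_sees().items():
        print(f"{mode:20} {values}")
```

Only the default mode guarantees that the first instance of the header carries the value set by the template; with the other two modes the client-supplied values reach the server unchanged.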

App Switching Section

Parameter: By
Description: Selects the type of application switching to perform:
    URL - Activates URL switching configuration fields. (See below)
    Host - Activates Host switching configuration fields. (See below)
Supported Values: URL or Host

Parameter: URL switching
Description: Selects a service group based on the URL string requested by the client. The selection overrides the service group configured on the virtual port.
    URL - URL string to match on. If the URL-string does not match, the service group configured on the virtual port is used.
    Service group - Service group to use when there is a match.
    Match Type - Selection is performed using the following match filters:
        Starts With - matches only if the URL starts with the value in the URL field.
        Contains - matches if the value in the URL field appears anywhere within the URL.
        Ends With - matches only if the URL ends with the value in the URL field.
The match options are always applied in the order listed above, regardless of the order in which they appear in the configuration. The service group for the first match is used.
If a URL matches on more than one match filter of the same type, the most specific match is used.
If you use the Starts With option with URL switching, use a slash in front of the URL string. For example: /urlexample
Note: You can configure a maximum of 8 URL switching rules in a template. If you need to use more, use aFleX policies.
Note: If you plan to also use source IP persistence or cookie persistence, you must enable the service-group option in the source IP persistence or cookie persistence template.
Supported Values: Strings of 1-63 characters. Default: Not set

Parameter: Host switching
Description: Selects a service group based on the value in the Host field of the HTTP header. The selection overrides the service group configured on the virtual port.
    Host - Host string to match on. If the host-name does not match, the service group configured on the virtual port is used.
    Service group - Service group to use when there is a match.
    Match Type - Selection is performed using the following match filters:
        Starts With - matches only if the host name starts with the value in the Host field.
        Contains - matches if the value in the Host field appears anywhere within the hostname.
        Ends With - matches only if the hostname ends with the value in the Host field.
The match options are always applied in the order listed above, regardless of the order in which they appear in the configuration. The service group for the first match is used.
If a host name matches on more than one match filter of the same type, the most specific match is used.
Note: If you plan to also use source IP persistence or cookie persistence, you must enable the service-group option in the source IP persistence or cookie persistence template.
Supported Values: Each host string can be all or part of an IP address or host name. Default: Not set

Parameter: URL Hash
Description: Selects a service group based on the hash value of the first or last bytes of the URL string. The Bytes field specifies how many bytes to use to calculate the hash value.
Select the checkbox to activate the configuration options.
Optionally, you can use URL hashing with either URL switching or host switching. Without URL switching or host switching configured, URL hash switching uses the hash value to choose a server within the default service group. If URL switching or host switching is configured, for each HTTP request, the AX device first selects a service group based on the URL or host switching values, then calculates the hash value and uses it to choose a server within the selected service group.
Supported Values: First or Last. 4-128 bytes. Default: Not set

Parameter: Use Server Status
Description: Enables server load awareness.
Note: This option applies only to URL hash switching. This option requires custom configuration on the real servers. For information, see the AX Series 2.4.3 Release Notes.
Supported Values: Enabled or Disabled. Default: Disabled
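
Because URL switching and host switching apply Starts With, Contains and Ends With in a fixed order regardless of configuration order, a rule set is worth checking against sample URLs and host names before it is deployed. The following Python model is an added example, not A10 code; the rule tuples, service-group names and function names are hypothetical, and "most specific" is assumed to mean the longest matching string.

```python
MATCH_ORDER = ("starts-with", "contains", "ends-with")  # fixed evaluation order
MAX_URL_RULES = 8                                       # URL switching limit per template

_MATCHERS = {
    "starts-with": lambda text, pattern: text.startswith(pattern),
    "contains": lambda text, pattern: pattern in text,
    "ends-with": lambda text, pattern: text.endswith(pattern),
}


def winning_rule(text, rules, max_rules=MAX_URL_RULES):
    """Return the (match_type, pattern, service_group) rule that wins, or None.

    rules is a list in configuration order. Pass max_rules=None for host
    switching, for which the page states no rule limit.
    """
    if max_rules is not None and len(rules) > max_rules:
        raise ValueError(f"at most {max_rules} switching rules per template")
    for kind, _, _ in rules:
        if kind not in _MATCHERS:
            raise ValueError(f"unknown match type: {kind}")
    for match_type in MATCH_ORDER:
        candidates = [rule for rule in rules
                      if rule[0] == match_type and _MATCHERS[match_type](text, rule[1])]
        if candidates:
            # Same match type: the most specific (assumed: longest) pattern wins.
            return max(candidates, key=lambda rule: len(rule[1]))
    return None


def select_service_group(text, rules, default_group, max_rules=MAX_URL_RULES):
    """Service group for a URL or Host value; default_group is the virtual port's."""
    rule = winning_rule(text, rules, max_rules)
    return rule[2] if rule else default_group


# Constructed rule sets; configuration order deliberately differs from match order.
URL_RULES = [
    ("ends-with", ".jpg", "sg-images"),
    ("contains", "admin", "sg-admin"),
    ("starts-with", "/app", "sg-app"),
    ("starts-with", "/app/admin", "sg-app-admin"),
]
HOST_RULES = [
    ("ends-with", ".example.com", "sg-web"),
    ("contains", "api", "sg-api"),
]

if __name__ == "__main__":
    for url in ("/app/admin/logo.jpg", "/static/admin/logo.jpg",
                "/static/logo.jpg", "/index.html"):
        print(f"{url:26} -> {select_service_group(url, URL_RULES, 'sg-default')}")
    for host in ("api.example.com", "www.example.com", "therapist.example.com"):
        print(f"{host:26} -> {select_service_group(host, HOST_RULES, 'sg-default', None)}")
```

The last host shows how a short Contains string can capture names it was not written for, which matters when the service groups behind the rules have different exposure.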

Redirect Rewrite Section

Parameter: Redirect Rewrite
Description: Modifies redirects sent by servers by rewriting the matching URL string (Pattern) to the specified value (Redirect To) before sending the redirects to clients.
Supported Values: Strings of 1-256 characters. Default: Not set

Parameter: HTTPS Rewrite
Description: Changes HTTP redirects sent by servers into HTTPS redirects before sending the redirects to clients.
Supported Values: Enable or Disable. Protocol port number from 1-65535. Default: Disable; port 443

Compression Section

Note: Compression is supported only for HTTP and HTTPS virtual ports. Compression is not supported for fast-HTTP virtual ports.

Parameter: Compression
Description: Offloads Web servers from CPU-intensive HTTP compression operations.
Supported Values: Enabled or Disabled. Default: Disabled

Parameter: Keep Accept Decoding
Description: Allows the real server to perform the HTTP compression instead of the AX Series device.
Supported Values: Enabled or Disabled. Default: Disabled

Parameter: Level
Description: Specifies the compression level, 1-9. Each level provides a higher compression ratio, beginning with level 1, which provides the lowest compression ratio.
A higher compression ratio results in a smaller file size after compression. However, higher compression levels also require more CPU processing than lower compression levels, so performance can be affected.
Note: If you plan to use hardware-based compression, the compression module must be enabled. In this case, the compression level is set in hardware and can not be changed. Any level you select in the template is ignored. The other compression settings come from the HTTP template. (See Config > Service > SLB > Global on page 124.)
Supported Values: 1-9. Default: 1

Parameter: Min Content Length
Description: Specifies the minimum length (in bytes) a server response can be in order to be compressed. The length applies to the content only and does not include the headers.
Supported Values: 0-2147483647 bytes. Default: 120 bytes

Parameter: Content Type
Description: Specifies the type of content to compress, based on a string in the content-type header of the HTTP response.
Supported Values: The content type can be a string 1-63 characters long.

Parameter: Exclude Content Type
Description: Explicitly excludes the specified content type(s) from being compressed.
Supported Values: The content type can be a string 1-63 characters long.

Parameter: Exclude URI
Description: Explicitly excludes an individual URI from being compressed.
Supported Values: The URI string can be 1-31 characters. An HTTP template can exclude up to 10 URI strings.

Config > Service > Template > Application > PBSLB Policy
The PBSLB Policy page displays the configured Policy-Based Routing
(PBSLB) policy templates. This page is displayed when you click Add or
click on a template name.
Table 59 lists the parameters you can configure in RAM Caching templates.
TABLE 59 PBSLB Policy Template Parameters

PBSLB Policy Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters. Default: Not set

Parameter: PBSLB
Description: Specifies the black/white list to use, and the settings for groups within the list.
1. Select the black/white list from the drop-down list or select create to create or import a new one. (If you click create, see Config > Service > PBSLB on page 174.)
2. Enter settings for the groups in the black/white list:
    a. Select the group from the Group ID drop-down list.
    b. Select one of the following from the Action drop-down list.
        Drop - Drops connections for IP addresses that are in the specified group.
        Reset - Resets connections for IP addresses that are in the specified group.
        service group name - Sends clients to the SLB service group associated with this group ID on the AX device.
        create - This option displays the configuration page for creating a new service group.
    c. Optionally, enable logging. To change the logging interval, edit the number in the Period field. Logging generates messages to indicate that traffic matched the group ID.
    d. To generate log messages only when there is a failed attempt to reach a service group, select Log Failures only.
    e. Click Add. The group settings appear in the PBSLB list.
    f. Repeat the steps above for each group.
3. Select the action to take when traffic exceeds the limit: Drop or Reset.
Note: If the "Use default server selection when preferred method fails" option is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.
Supported Values: Name of a black/white list either created on or imported onto the AX device. Default: none
Parameters for each group:
    Group ID - No default
    Action - Drop, Reset, or a service group name. Default: Drop
    Logging - Default: disabled
    Period - 0-60 minutes. Default: 3
    Log Failures Only - Default: disabled
    Over Limit Action - Lockout or Reset. Default: drop
    Over Limit Lockup Duration - 1-127 minutes. Default: not set
    Over Limit Log Interval - 1-255 minutes. Default: not set
    Timeout - 1-127 minutes. Default: 5

Parameter: IP Limiting (Class List)
Description: Configures limits for client IP traffic. You can apply a PBSLB template for IP limiting on a global basis, to individual virtual servers, or to individual virtual ports.
To configure IP limiting, specify the following parameters:
    Class list - Class of clients to which to apply this IP limiting rule. (See Config > Service > SLB > Class List on page 118.)
    Limit ID (LID) - Number from 1-31 that identifies the rule.
    Connection limit - Maximum number of concurrent connections allowed for a client.
    Connection-rate limit - Maximum number of new connections allowed for a client within the limit period.
    Request limit - Maximum number of concurrent Layer 7 requests allowed for a client.
    Request-rate limit - Maximum number of Layer 7 requests allowed for a client within the limit period.
    Over-limit action - Action to take when a client exceeds one or more of the limits. The action can be one of the following:
        Drop - The AX device drops that traffic. If logging is enabled, the AX device also generates a log message.
        Forward - The AX device forwards the traffic. If logging is enabled, the AX device also generates a log message.
        Reset - For TCP, the AX device sends a TCP RST to the client. If logging is enabled, the AX device also generates a log message.
    Lockout period - Number of minutes during which to apply the over-limit action after the client exceeds a limit. The lockout period is activated when a client exceeds any limit.
    Logging - Generates log messages when clients exceed a limit. When you enable logging, a separate message is generated for each over-limit occurrence, by default. You can specify a logging period, in which case the AX device holds onto the repeated messages for the specified period, then sends one message at the end of the period for all instances that occurred within the period.
    Client IP - Specifies the IP address on which to match:
        L3 Source IP - Matches class-list entries based on the source IP address of client traffic.
        L3 Destination IP - Matches class-list entries based on the destination IP address of client traffic.
        L7 Header Name - Matches class-list entries based on the IP address in the specified client packet header.
Supported Values:
    Class list - Name of a configured class list.
    Limit ID (LID) - 1-31
    Connection limit - 1-1048575
    Connection-rate limit - 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.
    Request limit - 1-1048575
    Request-rate limit - 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.
    Over-limit action - Drop, Forward, or Reset
    Lockout period - 1-1023 minutes
    Logging - Enabled or disabled. The logging period can be 0-255 minutes.
    Client IP - L3 Source IP, L3 Destination IP, or L7 Header Name. For L7 Header Name, you can specify the header name or use the default. (See below.)
Defaults:
    Class list - None
    Limit ID (LID) - None
    Connection limit - None
    Connection-rate limit - None
    Request limit - None
    Request-rate limit - None
    Over-limit action - Drop
    Lockout period - None
    Logging - Disabled. When logging is enabled, the default logging period is 0 (no wait period).
    Client IP - L3 Source IP. If you select L7 Header Name, the default header name is X-Forwarded-For.

Parameter: Use Destination IP
Description: Matches destination traffic against the black/white list, instead of source traffic.
Generally, this option is applicable when wildcard VIPs are used.
Supported Values: Enabled or disabled. Default: Disabled. Source traffic is matched against the black/white list.

Parameter: Overlap
Description: Enables overlap matching mode. If there are overlapping addresses in the black/white-list, use this option to enable the AX device to find the most precise match.
Supported Values: Enabled or disabled. Default: Disabled
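
The interaction of the connection-rate limit, the over-limit action, the lockout period and the logging period (described in the IP limiting parameter list earlier in this chapter and in the IP Limiting row of Table 59) is easiest to follow on a timeline. The following Python simulation is an added example, not A10 code; the class and method names, the fixed counting window that starts at a client's first connection, and the sample client addresses are assumptions.

```python
class IpLimitRule:
    """One IP limiting rule (LID), reduced to its connection-rate limit."""

    ACTIONS = ("Drop", "Forward", "Reset")

    def __init__(self, conn_rate_limit, limit_period_ms, action="Drop",
                 lockout_min=None, logging=False, log_period_min=0):
        # Ranges are the Supported Values listed for IP Limiting.
        if not 1 <= conn_rate_limit <= 4294967295:
            raise ValueError("connection-rate limit must be 1-4294967295")
        if not 100 <= limit_period_ms <= 6553500 or limit_period_ms % 100:
            raise ValueError("limit period must be 100-6553500 ms in steps of 100 ms")
        if action not in self.ACTIONS:
            raise ValueError("over-limit action must be Drop, Forward or Reset")
        if lockout_min is not None and not 1 <= lockout_min <= 1023:
            raise ValueError("lockout period must be 1-1023 minutes")
        if not 0 <= log_period_min <= 255:
            raise ValueError("logging period must be 0-255 minutes")
        self.limit, self.period_ms, self.action = conn_rate_limit, limit_period_ms, action
        self.lockout_ms = (lockout_min or 0) * 60_000
        self.logging, self.log_period_ms = logging, log_period_min * 60_000
        self.windows = {}        # client -> (window start, new connections in window)
        self.locked_until = {}   # client -> time at which the lockout ends
        self.held = {}           # client -> (time of first held occurrence, count)
        self.log = []            # emitted messages: (time_ms, client, occurrences)

    def new_connection(self, client, now_ms):
        """Return "Permit" or the over-limit action for a new connection."""
        self.flush_logs(now_ms)
        if self.locked_until.get(client, 0) > now_ms:
            return self._over_limit(client, now_ms)      # still locked out
        start, count = self.windows.get(client, (now_ms, 0))
        if now_ms - start >= self.period_ms:             # limit period elapsed
            start, count = now_ms, 0
        count += 1
        self.windows[client] = (start, count)
        if count <= self.limit:
            return "Permit"
        if self.lockout_ms:                              # exceeding a limit starts the lockout
            self.locked_until[client] = now_ms + self.lockout_ms
        return self._over_limit(client, now_ms)

    def _over_limit(self, client, now_ms):
        if self.logging:
            if self.log_period_ms == 0:                  # one message per occurrence
                self.log.append((now_ms, client, 1))
            else:                                        # hold and count until the period ends
                first, n = self.held.get(client, (now_ms, 0))
                self.held[client] = (first, n + 1)
        return self.action

    def flush_logs(self, now_ms):
        """Emit one summary message for each logging period that has ended."""
        for client, (first, n) in list(self.held.items()):
            if now_ms - first >= self.log_period_ms:
                self.log.append((first + self.log_period_ms, client, n))
                del self.held[client]


def demo():
    """Constructed timeline: 3 new connections per second, Reset, 1-minute lockout."""
    rule = IpLimitRule(3, 1000, action="Reset", lockout_min=1,
                       logging=True, log_period_min=1)
    times = [0, 100, 200, 300, 5000, 30000, 60299, 60300]
    decisions = [rule.new_connection("203.0.113.7", t) for t in times]
    other = rule.new_connection("198.51.100.20", 60300)  # a second client is unaffected
    return decisions, other, rule.log


if __name__ == "__main__":
    decisions, other, log = demo()
    print(decisions, other, log, sep="\n")
```

In the constructed timeline the fourth connection trips the limit, every attempt during the next minute is reset, and the four over-limit occurrences appear as a single log message when the logging period ends.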

Config > Service > Template > Application > RAM Caching
This option displays the configured RAM caching templates.
The RAM Caching and Policy sections are displayed when you click Add or
click on a template name.
Table 60 lists the parameters you can configure in RAM Caching templates.
TABLE 60 RAM Caching Template Parameters

RAM Caching Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters. Default: Not set

Parameter: Age
Description: Specifies how long a cached object can remain in the AX RAM cache without being requested.
Supported Values: 1-999999 seconds (about 11-1/2 days). Default: 3600 seconds (1 hour)

Parameter: Max Cache Size
Description: Specifies the size of the AX RAM cache.
The total size of all RAM caches combined can be 512 MB on systems with 2 GB of memory and 1024 MB on systems with 4 GB of memory.
Note: To display the amount of memory your system has, select Monitor > Overview > Summary.
Supported Values: The configurable values depend on AX model:
    On models AX 1000, AX 2000, AX 2100, AX 2200, AX 3100, and AX 3200, you can specify 1-512 MB.
    On model AX 2500, you can specify 1-1024 MB.
    On models AX 2600 and AX 3000, you can specify 1-2048 MB.
    On models AX 5100 and AX 5200, you can specify 1-4096 MB.
Default: For all models, the default is 80 MB.

138 of 276

P e r f o r m a n c e

b y

D e s i g n

Document No.: D-030-01-00-0002 - Ver. 2.4.3 6/21/2010

AX Series - Graphical User Interface - Reference


Config Mode - Config > Service
TABLE 60 RAM Caching Template Parameters (Continued)
Parameter
Min Content
Size

Description
Specifies the minimum object size that can be
cached. The AX device will not cache objects
smaller than this size.

Max Content
Size

Specifies the maximum object size that can be


cached. The AX device will not cache objects larger
than this size.

Replacement
Policy

Specifies the policy used to make room for new


objects when the RAM cache is full.

Accept Reload
Request

The policy supported in the current release is Least


Frequently Used (LFU). When the RAM cache
becomes more than 90% full, the AX device discards the least-frequently used objects to ensure
there is sufficient room for new objects.
Enables support for the following Cache-Control
headers:

Supported Values
0-4194303 bytes (4 MB)
If you specify 0, all objects smaller
than or equal to the maximum content
size can be cached.
Default: 512 bytes
0-4194303 bytes (4 MB)
If you specify 0, no objects can be
cached.
Default: 81920 bytes (80 KB)
Least Frequently Used
Default: Least Frequently Used

Default: Disabled

Cache-Control: no-cache
Cache-Control: max-age=0

Verify Host

Default Policy
No-Cache

Insert Age
Insert Via

When support for these headers is enabled, either


header causes the AX device to reload the cached
object from the origin server.
Enables the AX device to cache the host name in
addition to the URI for cached content. Use this
option if a real server that contains cacheable content will host more than one host name (for example, www.abc.com and www.xyz.com).
Controls whether the default action is to cache
cacheable objects, or not cache them. If you change
the default action to nocache, the AX device can
cache only those objects that match a dynamic policy rule that has the cache action.
Disables insertion of Age headers into cached
responses.
Disables insertion of Via headers into cached
responses.

P e r f o r m a n c e

b y

D e s i g n
Document No.: D-030-01-00-0002 - Ver. 2.4.3 6/21/2010

Default: Disabled

Default: Disabled
(The default action is to cache cacheable objects.)

Default: Insertion of Age headers is


enabled by default.
Default: Insertion of Via headers is
enabled by default.

Policy Section
This section enables you to configure policies for dynamic RAM caching. Dynamic RAM caching policies override and augment standard HTTP behavior.

To configure a cache policy:
1. In the URI field, enter the portion of the URI string to match on.
2. Select Cache from the Action drop-down list. The Duration field appears.
3. By default, the content is cached for the number of seconds specified in the Age field of the RAM Caching section. To override the aging period, specify the number of seconds in the Duration field.
4. Click Add.

To configure a no-cache policy:
1. In the URI field, enter the portion of the URI string to match on.
2. Select No Cache from the Action drop-down list.
3. Click Add.

To configure an invalidate policy:
1. In the URI field, enter the portion of the URI string to match on.
2. Select Invalidate from the Action drop-down list. The Pattern field appears. Enter the portion of the URL string on which to match. For example, to invalidate "/list" objects when the URL contains "/add", enter "/add" (without the quotation marks).

Notes:
- If a URI matches the pattern in more than one policy rule, the rule with the most specific match is used.
- In the current release, matching is performed based on containment. All URIs that contain the pattern string match the rule. For example, the following policy matches all URIs that contain the string .jpg and sets the cache timeout for the matching objects to 7200 seconds:
  policy uri .jpg cache 7200
- Wildcard characters (for example: ? and *) are not supported in RAM Caching policies. For example, if the string pattern contains *, it is interpreted literally, as the * character.
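
The matching rules in the notes above can be checked against a rule set before it is entered in the GUI. The following model is an added example, not A10 code: it assumes "most specific" means the longest matching pattern, and the `PolicyRule`, `select_rule`, `decide` and `literal_wildcards` names and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

TEMPLATE_AGE = 3600  # default Age (seconds) from the RAM Caching section


@dataclass(frozen=True)
class PolicyRule:
    pattern: str                    # URI field: literal substring to match on
    action: str                     # "cache" or "nocache"
    duration: Optional[int] = None  # Duration field; None means "use template Age"


def select_rule(uri: str, rules: List[PolicyRule]) -> Optional[PolicyRule]:
    """Containment match; among several matches pick the longest pattern.

    Longest-pattern-wins is this example's reading of "most specific match".
    On a tie the rule listed first is kept.
    """
    matches = [r for r in rules if r.pattern in uri]
    if not matches:
        return None
    return max(matches, key=lambda r: len(r.pattern))


def decide(uri: str, rules: List[PolicyRule], default_nocache: bool = False,
           age: int = TEMPLATE_AGE) -> Tuple[str, Optional[int]]:
    """Return (action, lifetime in seconds) for a cacheable object."""
    rule = select_rule(uri, rules)
    if rule is None:
        # No dynamic rule matched: the Default Policy No-Cache setting decides.
        return ("nocache", None) if default_nocache else ("cache", age)
    if rule.action == "cache":
        return ("cache", rule.duration if rule.duration is not None else age)
    return ("nocache", None)


def literal_wildcards(rules: List[PolicyRule]) -> List[str]:
    """Patterns containing * or ?, which are matched as literal characters."""
    return [r.pattern for r in rules if any(c in r.pattern for c in "*?")]


# Constructed sample rule set.
RULES = [
    PolicyRule(".jpg", "cache", 7200),   # the example rule from the notes
    PolicyRule("/account", "nocache"),   # keep per-user pages out of the cache
    PolicyRule("*.css", "cache", 600),   # wildcard is NOT expanded
]

if __name__ == "__main__":
    for uri in ("/img/logo.jpg", "/account/avatar.jpg",
                "/static/site.css", "/odd/*.css"):
        print(f"{uri:22} -> {decide(uri, RULES)}")
    print("patterns with literal wildcards:", literal_wildcards(RULES))
```

Under these assumptions the `/account` no-cache rule wins over the broader `.jpg` cache rule for `/account/avatar.jpg`, and the `*.css` rule never applies to ordinary stylesheet URIs.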

Config > Service > Template > Application > SMTP


This option displays the configured SMTP templates.
The following configuration sections are displayed when you click Add or
click on a template name.
- SMTP
- Client Domain Switching

Table 61 lists the parameters you can configure in SMTP templates.
TABLE 61 SMTP Template Parameters

SMTP Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: STARTTLS
Description: Specifies whether use of STARTTLS by clients is required.
Supported Values: One of the following:
- Disabled - Clients cannot use STARTTLS. Use this option if you need to disable STARTTLS support but you do not want to remove the configuration.
- Optional - Clients can use STARTTLS but are not required to do so.
- Enforced - Before any mail transactions are allowed, the client must issue the STARTTLS command to establish a secured session. If the client does not issue the STARTTLS command, the AX sends the following message to the client: "530 - Must issue a STARTTLS command first"
Default: Disabled

Parameter: Command Disabled
Description: Disables support of certain SMTP commands. If a client tries to issue a disabled SMTP command, the AX sends the following message to the client: "502 - Command not implemented"
Supported Values: Any of the following: VRFY, EXPN, TURN
Default: VRFY, EXPN, and TURN are enabled

Parameter: Server Domain
Description: Email server domain. This is the domain for which the AX Series device provides SMTP load balancing.
Supported Values: String
Default: mail-server-domain

Parameter: Service Ready Message
Description: Text of the SMTP service-ready message sent to clients. The complete message sent to the client is constructed as follows:
  200 - smtp-domain service-ready-string
Supported Values: String
Default: ESMTP mail service ready

Client Domain Switching Section
This section enables you to select service groups based on the domain of the client. You can specify all or part of the client domain name.
This option is applicable when you have multiple SMTP service groups.
If the client domain does not match, the service group configured on the virtual port is used.
- Client Domain - Domain name to match on. If the domain name does not match, the service group configured on the virtual port is used.
- Service group - Service group to use when there is a match.
- Match Type - Selection is performed using the following match filters:
  - Starts With - matches only if the domain name starts with the value in the Client Domain field.
  - Contains - matches if the value in the Client Domain field appears anywhere within the domain name.
  - Ends With - matches only if the domain name ends with the value in the Client Domain field.
The match options are always applied in the order listed above, regardless of the order in which they appear in the configuration. The service group for the first match is used.
If a domain name matches on more than one match filter of the same type, the most specific match is used.
By default, client domain switching is not set. All client domains match, and any service group can be used.
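
To confirm that the STARTTLS "Enforced" setting and the Command Disabled list in Table 61 behave as described, a recorded SMTP session can be checked for the 530 and 502 replies. The following checker is an added example, not A10 code: the `C:`/`S:` transcript format, the function names and both sample sessions are constructed, and the 220 reply to STARTTLS comes from RFC 3207 rather than from this page.

```python
import re

MAIL_TRANSACTION_VERBS = {"MAIL", "RCPT", "DATA"}


def parse_transcript(text):
    """Return [(client command, first reply code)] from a C:/S: transcript.

    The greeting (a server line with no preceding command) is skipped, and
    only the first line of a multi-line reply is used.
    """
    exchanges = []
    pending = None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("C:"):
            pending = line[2:].strip()
        elif line.startswith("S:") and pending is not None:
            match = re.match(r"(\d{3})", line[2:].strip())
            if match:
                exchanges.append((pending, int(match.group(1))))
            pending = None
    return exchanges


def audit_session(text, disabled=("VRFY", "EXPN", "TURN")):
    """List deviations from an Enforced-STARTTLS template with `disabled` commands."""
    findings = []
    tls_active = False
    for command, code in parse_transcript(text):
        words = command.split()
        verb = words[0].upper() if words else ""
        if verb == "STARTTLS":
            tls_active = (code == 220)  # RFC 3207 success reply
            continue
        if verb in MAIL_TRANSACTION_VERBS and not tls_active and code != 530:
            findings.append(
                f"{verb} accepted before STARTTLS (reply {code}, expected 530)")
        if verb in disabled and code != 502:
            findings.append(f"{verb} not blocked (reply {code}, expected 502)")
    return findings


# Constructed session: behaves as the Enforced option and Command Disabled describe.
ENFORCED_SESSION = """
S: 200 - mail.example.com ESMTP mail service ready
C: EHLO client.example.net
S: 250-mail.example.com
S: 250 STARTTLS
C: MAIL FROM:<a@example.net>
S: 530 - Must issue a STARTTLS command first
C: VRFY postmaster
S: 502 - Command not implemented
C: STARTTLS
S: 220 Ready to start TLS
C: MAIL FROM:<a@example.net>
S: 250 OK
"""

# Constructed session: STARTTLS not enforced and EXPN still enabled.
PERMISSIVE_SESSION = """
S: 200 - mail.example.com ESMTP mail service ready
C: EHLO client.example.net
S: 250 mail.example.com
C: MAIL FROM:<a@example.net>
S: 250 OK
C: EXPN staff
S: 250 alice@example.com
"""

if __name__ == "__main__":
    for name, session in (("enforced", ENFORCED_SESSION),
                          ("permissive", PERMISSIVE_SESSION)):
        print(name, audit_session(session) or "no findings")
```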

Config > Service > Template > Application > SIP


This option displays the configured SIP templates.
The SIP configuration section is displayed when you click Add or click on a
template name.
Table 62 lists the parameters you can configure in SIP templates.
TABLE 62 SIP Template Parameters
SIP Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: Header Erase
Description: Erases the specified SIP header from the SIP request before sending it to a SIP Registrar.
Supported Values: String of 1-255 characters
Default: None

Parameter: Header Insert
Description: Inserts the specified SIP header into the SIP request before sending it to a SIP Registrar.
Supported Values: String of 1-255 characters
Default: None

Parameter: Header Replace
Description: Replaces the specified SIP header in the SIP request before sending it to a SIP Registrar.
Supported Values: String of 1-255 characters
Default: None
Parameter: Registrar Service Group
Description: Name of a configured service group of SIP Registrar servers.
Supported Values: Name of a configured service group

Parameter: Timeout
Description: Number of minutes a call can remain idle before the device terminates it.
Supported Values: 1-250 minutes
Default: 30 minutes

Parameter: Pass Real Server IP for ACL
Description: Disables reverse NAT for traffic from servers, based on IP address. This option is useful in cases where a SIP server needs to reach another server, and the traffic must pass through the AX device.
Configure an extended ACL that matches on the SIP server IP address or subnet as the source address, and matches on the destination server's IP address or subnet as the destination address. (See Config > Service > ACL > Extended on page 230.) Then select the ACL from this drop-down list.
Supported Values: ID of an extended ACL.
Default: not set

Note: The fields below apply only to SIP over TCP/TLS. Except for Name and Timeout, the fields above apply only to SIP over UDP.

Parameter: Client Keep-Alive
Description: Enables the AX device to respond to SIP pings from clients on behalf of SIP servers. When this option is enabled, the AX device responds to a SIP ping from a client with a pong.
Note: If connection reuse is configured, even if client keepalive is disabled, the AX device will respond to a client SIP ping with a pong.
Supported Values: Enabled or disabled
Default: Disabled

Parameter: Server Keep-Alive
Description: Specifies how often the AX device sends a SIP ping on each reusable connection with the SIP server. The AX device silently drops the server's pong reply.
Note: For configurations that use a connection-reuse template, if the server does not reply to a SIP ping within the timeout set in the connection-reuse template, the AX device closes the connection. (The connection-reuse timeout is configured by the Timeout option in the connection-reuse template.)
Supported Values: 5-300 seconds
Default: 30

Parameter: Insert Client IP
Description: Inserts an X-Forwarded-For: IP-address:port header into SIP packets from the client to the SIP server. The header contains the client IP address and source protocol port number. The AX device uses the header to identify the client when forwarding a server reply.
Supported Values: Name of an IP header that inserts a client IP address.
Default: Disabled
Parameter: Select Client Fail Action
Description: Specifies the AX response when selection of a SIP client fails. When you select the checkbox, the following checkboxes appear:
- Drop - Drops the traffic.
- Send Message - Sends a message string to the server. If the message string contains a blank, use double quotation marks around the string.
Supported Values: The action can be one of the following:
- Reset
- Drop
- Send message
Default: Reset

Parameter: Select Server Fail Action
Description: Specifies the AX response when selection of a SIP server fails. When you select the checkbox, the following checkboxes appear:
- Drop - Drops the traffic.
- Send Message - Sends a message string to the client. If the message string contains a blank, use double quotation marks around the string.
Supported Values: The action can be one of the following:
- Reset
- Drop
- Send message
Default: Reset

Parameter: Exclude Translation Body
Description: Disables translation of the virtual IP address and virtual port within the body of SIP messages.
Supported Values: Enabled or disabled
Default: Disabled. (The virtual IP address and port are not excluded from translation.)

Parameter: Exclude Translation Start Line
Description: Disables translation of the virtual IP address and virtual port within the start line of SIP messages.
Supported Values: Enabled or disabled
Default: Disabled. (The virtual IP address and port are not excluded from translation.)
Parameter: Exclude Translation Header
Description: Disables translation of the virtual IP address and virtual port within the header of SIP messages. When you select the checkbox, the Header Name field appears. Enter the name of the header to exclude from translation, then click Add.
Note: The AX device will not translate server addresses or protocol port numbers in the following headers:
- Call-ID header
- X-Forwarded-For header
- Via headers, except for the top Via header
Supported Values: Valid header name
Default: When a client sends a SIP request, the request is addressed to the virtual IP address (VIP) and protocol port number configured on the AX device for the SIP servers. The AX device translates the destination IP address and port of the request from the VIP to the real IP address and port of a SIP server. The AX device does not change the client IP address or source protocol port number.
Likewise, when the AX device receives a SIP packet from a SIP server, the AX device translates the source IP address and port from the server's real IP address and SIP port to the VIP address and port, then sends the packet to the client.
By default, the AX device also translates the client IP address and protocol port number where they are used in some other parts of the SIP packet.

Config > Service > Template > Application > RTSP


This option displays the configured RTSP templates.
The RTSP configuration section is displayed when you click Add or click
on a template name.
Table 63 lists the parameters you can configure in RTSP templates.
TABLE 63 RTSP Template Parameters
RTSP Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: URI
Description: Service group to which to send requests for a specific URI.
- URI - URI to match on.
- Service group - Service group to which to send client requests that match the URI
Note: This option is supported only for Windows Media Server.
Supported Values: URI and name of a configured service group
Default: Requests are sent to the service group that is bound to the virtual port.

Config > Service > Template > Application > DNS


This option displays the configured DNS templates.
The DNS configuration section is displayed when you click Add or click on
a template name.
Table 64 lists the parameters you can configure in DNS templates.
TABLE 64 DNS Template Parameters
DNS Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: Malformed Query
Description: Provides security for DNS VIPs. DNS security examines DNS queries addressed to a VIP to ensure that the queries are formed properly (not malformed). If a malformed DNS query is detected, the AX device takes one of the following actions:
- Drop - Drops the query
- Forward to Service Group - This option is useful if you want to quarantine and examine the malformed queries, while still keeping them away from the DNS server.
Default: Not set. When you enable the Malformed Query option, the default action is Drop.
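
The kind of structural check the Malformed Query option describes can be illustrated with a small validator. This is an added example, not A10 code: the page does not list which checks the AX device performs, so the RFC 1035 checks below, the function names and the test packets are this example's assumptions.

```python
import struct

HEADER_LEN = 12  # fixed DNS header size (RFC 1035)


def _read_qname(packet, offset):
    """Walk the QNAME labels; return (offset after the name, error or None)."""
    name_len = 0
    while True:
        if offset >= len(packet):
            return offset, "QNAME runs past the end of the packet"
        length = packet[offset]
        if length == 0:
            return offset + 1, None
        if length & 0xC0:
            # Top bits set: label longer than 63 octets or a compression
            # pointer. Treated as malformed in a question (assumption).
            return offset, "label length above 63 or pointer in QNAME"
        if offset + 1 + length > len(packet):
            return offset, "label runs past the end of the packet"
        name_len += length + 1
        if name_len + 1 > 255:
            return offset, "QNAME longer than 255 octets"
        offset += 1 + length


def check_dns_query(packet):
    """Return the reasons a query is malformed; an empty list means well formed."""
    if len(packet) < HEADER_LEN:
        return ["shorter than the 12-byte DNS header"]
    _id, flags, qdcount, ancount, nscount, arcount = struct.unpack(
        "!6H", packet[:HEADER_LEN])
    problems = []
    if flags & 0x8000:
        problems.append("QR bit set (response sent as a query)")
    if qdcount != 1:
        problems.append(f"QDCOUNT={qdcount}, expected exactly 1")
    if ancount or nscount:
        problems.append("answer or authority records present in a query")
    if qdcount == 0:
        return problems
    offset, error = _read_qname(packet, HEADER_LEN)
    if error:
        return problems + [error]
    if offset + 4 > len(packet):
        return problems + ["QTYPE/QCLASS missing after QNAME"]
    offset += 4
    if arcount == 0 and offset != len(packet):
        problems.append(f"{len(packet) - offset} unexpected trailing byte(s)")
    return problems


def handle(packet, malformed_action="drop"):
    """Model the template: well-formed queries go on, malformed ones are
    dropped (the default action) or sent to a named quarantine group."""
    return "forward" if not check_dns_query(packet) else malformed_action


def build_query(name, qtype=1, ident=0x1234):
    """Build a standard recursive query for constructed test input."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)


if __name__ == "__main__":
    good = build_query("www.example.com")
    for label, pkt in (("well formed", good), ("truncated", good[:20]),
                       ("trailing bytes", good + b"\x00\x00")):
        print(f"{label:15} {handle(pkt):8} {check_dns_query(pkt)}")
```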


Config > Service > Template > Connection Reuse


This option displays the configured connection-reuse templates.
The operation of connection reuse differs depending on whether it is used for HTTP or for SIP over TCP:
- HTTP - The AX device does not free a connection after sending a client's request. Instead, the AX device frees the connection only after receiving a response to the request.
- SIP over TCP - While the AX device is sending a client request on a connection, the connection is in use. However, as soon as the request has been sent, the AX device frees the connection to be used again. The connection can be used for the same client or another client. The AX device does not wait for a reply to the client's request before freeing the connection.
The Connection Reuse section is displayed when you click Add or click on
a template name.
Table 65 lists the parameters you can configure in connection reuse templates.
TABLE 65 Connection Reuse Template Parameters
Connection Reuse Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters

Parameter: Limit Per Server
Description: Maximum number of reusable connections per server port.
Supported Values: 0-65535. For unlimited connections, specify 0.
Default: 1000

Parameter: Smart Flow Control
Description: Enables surge protection for HTTP. This option queues HTTP packets from clients when a server port reaches a configured connection limit, instead of dropping them. The AX device then monitors the port, and begins forwarding the queued packets when connections become available again. To prevent flooding of the port, the AX device forwards the queued packets at a steady rate.
Supported Values: Enabled or disabled
Default: disabled

Parameter: Timeout
Description: Maximum number of seconds a connection can remain idle before it times out.
Supported Values: 1-3600 seconds
Default: 2400 seconds (40 minutes)

Parameter: Keep Alive Connections
Description: Specifies the number of new reusable connections to open before beginning to reuse existing connections.
Note: This option is applicable only for SIP-over-TCP sessions. The option is not applicable to other types of sessions, such as HTTP sessions.
Supported Values: 1-1024 connections
Default: 100

Note: Due to the way the connection-reuse feature operates, backend sessions with servers will not be reused in either of the following cases:
- The Limit Per Server option is set to a very low value, lower than the number of data CPUs on the AX device.
- The Keep Alive Connections option is set to a lower value than the limit-per-server option.

Config > Service > Template > L4 > TCP


This option displays the configured TCP templates.
The TCP section is displayed when you click Add or click on a template
name.
Table 66 lists the parameters you can configure in TCP templates.
TABLE 66 TCP Template Parameters
TCP Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: Idle Timeout
Description: Number of seconds a connection can remain idle before the AX device terminates it. Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the AX device rounds to the nearest multiple of 60. For example, if you enter 70, the actual timeout is 60 seconds.
Supported Values: 60-120000 seconds (about 33 hours)
Default: 120 seconds

Parameter: Initial Window Size
Description: Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK.
The initial TCP window size applies only to the SYN ACKs sent to the client. After the SYN ACK, the AX device does not modify the TCP window size for any other packets in the session.
Supported Values: You can set the initial TCP window size to 1-65535 bytes.
Default: By default, the AX device uses the TCP window size set by the client or server.
- If the virtual port is one of the service types that is proxied by the AX device, initial TCP window size applies to SYN ACKs generated by the AX device and sent to clients. By default, the AX device uses the TCP window size in the client's SYN. The following service types are proxied by the AX device: http, https, fast-http, ssl-proxy, and smtp
- If the virtual port is not one of the service types that is proxied by the AX device (for example, the tcp service type), initial TCP window size applies to SYN ACKs generated by servers and forwarded by the AX device to clients. By default, the AX device uses the TCP window size in the server's SYN ACK.

Parameter: Reset Forward
Description: Sends a TCP RST to the real server after a session times out.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Reset Receive
Description: Sends a TCP RST to the client after a session times out.
Note: If the server is Down, this option immediately sends the RST to the client and does not wait for the session to time out.
Supported Values: Enabled or Disabled
Default: Disabled

Config > Service > Template > L4 > UDP


This option displays the configured UDP templates.
The UDP section is displayed when you click Add or click on a template
name.
Table 67 lists the parameters you can configure in UDP templates.

TABLE 67 UDP Template Parameters

UDP Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: Idle Timeout
Description: Number of seconds a connection can remain idle before the AX device terminates it. Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the AX device rounds to the nearest multiple of 60. For example, if you enter 70, the actual timeout is 60 seconds.
Supported Values: 60-120000 seconds (about 33 hours)
Default: 120 seconds

Parameter: Aging
Description: Specifies how quickly sessions are terminated when the request is received.
Immediate aging:
- Response Received - Session is terminated within 1 second.
- No Response - Idle timeout value in UDP template is used.
Short aging:
- Response Received - Session is terminated within 1 second.
- No Response - Session is terminated after configured short aging period.
Note: If you are configuring DNS load balancing, A10 Networks recommends using the Immediate option.
Supported Values: One of the following:
- Immediate
- Short, with an aging period of 1-6 seconds
Default: Not set. The idle timeout value in the template is used instead. If you enable short aging, the default aging period is 3 seconds.

Parameter: Select another server if server is down
Description: Configures the AX device to select another real server if the server that is bound to an active connection goes down. Without this option, another server is not selected.
Supported Values: Enabled or disabled
Default: Disabled

Config > Service > Template > Persistent > Cookie Persistence
This option displays the configured cookie persistence templates.
The Cookie Persistence section is displayed when you click Add or click on
a template name.

Table 68 lists the parameters you can configure in cookie persistence templates.
TABLE 68 Cookie Persistence Template Parameters
Cookie Persistence Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: Expiration
Description: Number of seconds a cookie persists on a client's PC before being deleted by the client's browser. Click the checkbox to enable the configuration field.
Supported Values: 0 to 31,536,000 seconds (one year). If you specify 0, cookies persist only for the current session.

Parameter: Cookie Name
Description: Specifies the name of the persistence cookie.
Supported Values: String of 1-63 characters
Default: sto-id

Parameter: Domain
Description: Adds the specified domain name to the cookie.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: Path
Description: Adds path information to the cookie, 1-31 characters.
Supported Values: String of 1-31 characters
Default: /

Parameter: Match Type
Description: Specifies the granularity of persistence.
- Port - The cookie inserted into the HTTP header of the server reply to a client ensures that subsequent requests from the client will be sent to the same real port on the same real server.
- Server - The cookie inserted into the HTTP header of the server reply to a client ensures that subsequent requests from the client for the same VIP are sent to the same real server. (This assumes that all virtual ports of the VIP use the same cookie persistence template with match-type set to Server.)
If you select Server, the Scan All Members checkbox appears. You can select this option to scan all members bound to the template. This option is useful in configurations where match-type Server is used, and where some members have different priorities or are disabled. For example, without this option, if you occasionally lower the priority of members to perform maintenance on them, it is possible that fast-path member selection (enabled when you select Server) will select the members and send traffic to them anyway. (For more information about this option, see the "Scan-All-Members Option in Persistence Templates" chapter in the AX Series Configuration Guide.)
The Service Group checkbox enables support for URL switching or host switching along with cookie persistence. Without this option, URL switching or host switching can be used only for the initial request from the client. After the initial request, subsequent requests are always sent to the same service group.
To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option.
Supported Values: You can select one of the following:
- Port
- Server
With either of these options, the Service Group option can be selected. The Scan All Members option is valid only if you select the Server option.
Default: Port, with Service Group and Scan All Members options disabled

Parameter: Insert Always
Description: Specifies whether to insert a new persistence cookie in every reply, even if the request already had a persistence cookie previously inserted by the AX device.
Supported Values: Enabled or disabled
Default: Disabled. The AX device inserts a persistence cookie only if the client request does not already contain a persistence cookie inserted by the AX device, or if the server referenced by the cookie is unavailable.

Parameter: Don't Honor Conn Rules
Description: Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent cookie.
Supported Values: Enabled or disabled
Default: Disabled.

Config > Service > Template > Persistent > Destination IP Persistence
This option displays the configured destination-IP persistence templates.
The Destination IP Persistence section is displayed when you click Add or
click on a template name.

Table 69 lists the parameters you can configure in Destination-IP persistence templates.
TABLE 69 Destination-IP Persistence Template Parameters
Destination IP Persistence Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: Match Type
Description: Granularity of persistence.
- Port - Traffic to the same destination IP address and virtual port is always sent to the same real port. This is the most granular setting.
- Server - Traffic to a given destination IP address is always sent to the same real server, for any service port.
- Service Group - This option is applicable if you also plan to use URL switching or host switching. If you use the Service-group option, URL or host switching is used for every request to select a service group. The first time URL or host switching selects a given service group, the load-balancing method is used to select a real port within the service group. The next time URL or host switching selects the same service group, the same real port is used. Thus, service group selection is performed for every request, but once a service group is selected for a request, the request goes to the same real port that was selected the first time that service group was selected.
To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option.
If you select Server or Service Group, the Scan All Members checkbox appears. You can select this option to scan all members bound to the template. This option is useful in configurations where match-type Server or Service Group is used, and where some members have different priorities or are disabled. For example, without this option, if you occasionally lower the priority of members to perform maintenance on them, it is possible that fast-path member selection (enabled when you select Server or Service Group) will select the members and send traffic to them anyway. (For more information about this option, see the "Scan-All-Members Option in Persistence Templates" chapter in the AX Series Configuration Guide.)
Supported Values: You can select one of the following:
- Port
- Server
- Service Group
The Scan All Members checkbox can be selected with Server or Service Group.
Default: Port

Parameter: Timeout
Description: Number of seconds the mapping of a client source IP to a real server persists after the last time traffic from the client is sent to the server.
Supported Values: 1-2000 minutes (about 33 hours)
Default: 5 minutes

Parameter: Don't Honor Conn Rules
Description: Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent destination IP address.
Supported Values: Enabled or disabled
Default: Disabled.

Parameter: Netmask
Description: Specifies the granularity of IP address hashing for initial server port selection. You can specify an IPv4 network mask in dotted decimal notation.
- To configure initial server port selection to occur once per destination VIP subnet, configure the network mask to indicate the subnet length. For example, to select a server port once for all requested VIPs within a subnet such as 10.10.10.x, 192.168.1.x, and so on ("class C" subnets), use mask 255.255.255.0. SLB selects a server port for the first request to the given VIP subnet, then sends all other requests for the same VIP subnet to the same port.
- To configure initial server port selection to occur independently for each requested VIP, use mask 255.255.255.255. (This is the default.)
Supported Values: Valid IPv4 network mask
Default: 255.255.255.255


Config > Service > Template > Persistent > Source IP Persistence
This option displays the configured source-IP persistence templates.
The Source IP Persistence section is displayed when you click Add or click
on a template name.
Table 70 lists the parameters you can configure in Source-IP persistence
templates.
TABLE 70 Source-IP Persistence Template Parameters

Source IP Persistence Section

Name
  Description: Name of the template.
  Supported Values: String of 1-31 characters
  Default: Not set

Match Type
  Description: Granularity of persistence.
  - Port - Traffic from a given client to the same virtual port is always sent to the same real port. This is the most granular setting.
  - Server - Traffic from a given client to the same VIP is always sent to the same real server, for any service port requested by the client.
  - Service Group - This option is applicable if you also plan to use URL switching or host switching. If you use the Service-group option, URL or host switching is used for every request to select a service group. The first time URL or host switching selects a given service group, the load-balancing method is used to select a real port within the service group. The next time URL or host switching selects the same service group, the same real port is used. Thus, service group selection is performed for every request, but once a service group is selected for a request, the request goes to the same real port that was selected the first time that service group was selected. To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option.
  If you select Server or Service Group, the Scan All Members checkbox appears. You can select this option to scan all members bound to the template. This option is useful in configurations where match-type Server or Service Group is used, and where some members have different priorities or are disabled. For example, without this option, if you occasionally lower the priority of members to perform maintenance on them, it is possible that fast-path member selection (enabled when you select Server or Service Group) will select the members and send traffic to them anyway. (For more information about this option, see the "Scan-All-Members Option in Persistence Templates" chapter in the AX Series Configuration Guide.)
  Supported Values: You can select one of the following:
  - Port
  - Server
  - Service Group
  The Scan All Members checkbox can be selected with Server or Service Group.
  Default: Port

Timeout
  Description: Number of seconds the mapping of a client source IP to a real server persists after the last time traffic from the client is sent to the server.
  Note: The timeout for a source-IP persistent session will not be reset if the timeout in the source-IP persistence template is set to 1 minute. If the timeout is set to 1 minute, sessions will always age out after 1 minute, even if they are active.
  Supported Values: 1-2000 minutes (about 33 hours)
  Default: 5 minutes

Don't Honor Conn Rules
  Description: Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent client source IP address.
  Supported Values: Enabled or disabled
  Default: Disabled.

Netmask
  Description: Specifies the granularity of IP address hashing for server port selection. You can specify an IPv4 network mask in dotted decimal notation.
  - To configure server port selection to occur on a per subnet basis, configure the network mask to indicate the subnet length. For example, to send all clients within a subnet such as 10.10.10.x, 192.168.1.x, and so on (class C subnets) to the same server port, use mask 255.255.255.0. SLB selects a server port for the first client in a given subnet, then sends all other clients in the same subnet to the same port.
  - To configure server port selection to occur on a per client basis, use mask 255.255.255.255. SLB selects a server port for the first request from a given client, then sends all other requests from the same client to the same port. (This is the default.)
  Supported Values: Valid IPv4 network mask
  Default: 255.255.255.255
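The following added example (not A10 code) models how the Netmask and Timeout settings of a source-IP persistence template shape the persistence key and session ageing; the destination-IP template in Table 69 applies the same masking to the requested VIP instead of the client address. The class name, the round-robin port choice and the sample addresses are assumptions made for illustration.

```python
"""Toy model of source-IP persistence with a netmask (added example, not AX code)."""
import ipaddress
from itertools import cycle


class SourceIPPersistence:
    """Maps a masked client address to a real port, following Table 70."""

    def __init__(self, real_ports, netmask="255.255.255.255", timeout_minutes=5):
        # IPv4Network rejects non-contiguous masks such as 255.0.255.0.
        self.prefixlen = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen
        if not 1 <= timeout_minutes <= 2000:
            raise ValueError("timeout must be 1-2000 minutes")
        self.timeout_minutes = timeout_minutes
        # Assumption: round-robin stands in for the configured load-balancing method.
        self._next_port = cycle(real_ports)
        self.sessions = {}  # persistence key -> (real port, expiry time in seconds)

    def key(self, client_ip):
        """Persistence key: the client address with the template netmask applied."""
        net = ipaddress.IPv4Network(f"{client_ip}/{self.prefixlen}", strict=False)
        return str(net.network_address)

    def select(self, client_ip, now):
        """Return the real port for a request that arrives at time `now` (seconds)."""
        key = self.key(client_ip)
        session = self.sessions.get(key)
        if session and now < session[1]:
            port, expiry = session
            # Per the Timeout note: with a 1-minute timeout the session is never
            # refreshed by traffic, so it ages out even while it is active.
            if self.timeout_minutes != 1:
                expiry = now + self.timeout_minutes * 60
            self.sessions[key] = (port, expiry)
            return port
        # First request for this key, or the old mapping has aged out.
        port = next(self._next_port)
        self.sessions[key] = (port, now + self.timeout_minutes * 60)
        return port


def subnet_demo():
    """Constructed sample: three clients, two real ports, mask 255.255.255.0."""
    slb = SourceIPPersistence(["rs1:80", "rs2:80"], netmask="255.255.255.0")
    clients = ["10.10.10.5", "10.10.10.200", "192.168.1.7"]
    return [(ip, slb.key(ip), slb.select(ip, now=0)) for ip in clients]


if __name__ == "__main__":
    for ip, key, port in subnet_demo():
        print(f"{ip:>14} -> key {key:<12} -> {port}")
```

With mask 255.255.255.0, every client behind the same /24 (or behind one NAT address) lands on a single real port, so per-server connection counts follow subnet population rather than client count.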


Config > Service > Template > Persistent > SSL Session ID Persistence
This option displays the configured SSL session-ID persistence templates.
The SSL Session ID Persistence section is displayed when you click Add or
click on a template name.
Table 71 lists the parameters you can configure in SSL session-ID persistence templates.
TABLE 71 SSL Session-ID Persistence Template Parameters

SSL Session ID Persistence Section

Name
  Description: Name of the template.
  Supported Values: String of 1-31 characters
  Default: Not set

Timeout
  Description: Number of minutes the mapping remains persistent after the last time traffic with the SSL session ID is sent to the server.
  Supported Values: 1-250 minutes
  Default: 5 minutes

Don't Honor Conn Rules
  Description: Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent SSL session ID.
  Supported Values: Enabled or disabled
  Default: Disabled.

Config > Service > Template > SSL > Client SSL
This option displays the configured Client SSL templates.
The following configuration sections are displayed when you click Add or
click on a template name.
- Client SSL
- Client Certificate Check
- SSL Cipher

Table 72 lists the parameters you can configure in client SSL templates.

TABLE 72 Client SSL Template Parameters

Client SSL Section

Name
  Description: Name of the template.
  Supported Values: String of 1-31 characters
  Default: Not set

Certificate Name
  Description: Certificate to use for terminating or initiating SSL connections with clients.
  Note: To use the certificate, you must import it onto the AX device. (See Config > Service > SSL Management on page 210.)
  Supported Values: Name of a certificate imported onto the AX device

Chain Cert Name
  Description: Chain of certificates to use for terminating or initiating SSL connections with clients.
  Supported Values: String of 1-31 characters

Key Name
  Description: Key for the certificate, and the passphrase used to encrypt the key.
  Supported Values: Key name: string of 1-31 characters. Passphrase: string of 1-16 characters
  Default: None configured

Cache Size
  Description: Maximum number of cached sessions for SSL session ID reuse.
  Supported Values: 0-131072
  Default: 0 (session ID reuse is disabled)

Pass Phrase
  Description: Pass phrase for the certificate
  Supported Values: String

Confirm Pass Phrase

Client Certificate Check Section

Mode
  Description: Action that the AX device takes in response to a client's connection request.
  Note: If you plan to use a Certificate Revocation List (CRL), you must set the Mode to Require.
  Supported Values: One of the following:
  - Ignore - The AX device does not request the client to send its certificate.
  - Request - The AX device requests the client to send its certificate. With this action, the SSL handshake proceeds even if either of the following occurs:
    - The client sends a NULL certificate (one with zero length).
    - The certificate is invalid, causing client verification to fail.
    Use this option if you want the request to trigger an aFleX policy for further processing.
  - Require - The AX device requires the client certificate. This action requests the client to send its certificate. However, the SSL handshake does not proceed (it fails) if the client sends a NULL certificate or the certificate is invalid.
  Default: Ignore

Close Notify
  Description: Sends a close_notify message when an SSL transaction ends, before sending a FIN. This behavior is required by certain types of client applications, including PHP cgi. For this type of client, if the AX device does not send a close_notify, an error or warning appears on the client.
  Supported Values: Enabled or disabled
  Default: disabled

CA Cert Name
  Description: Name of the Certificate Authority (CA) certificate to use for validating client certificates.
  Note: To use the certificate, you must import it onto the AX device. (See Config > Service > SSL Management on page 210.)
  Supported Values: Name of a CA certificate imported onto the AX device

Cert-Revocation List
  Description: Certificate Revocation List (CRL) to use for verifying that client certificates have not been revoked.
  Note: If you plan to use a CRL, you must set the Mode to Require.
  Supported Values: Name of a CRL imported onto the AX device

SSL Cipher Section

This section enables you to select specific cipher suites to support for decrypting certificates from clients. You can select one or more of the following:
- SSL3_RSA_DES_192_CBC3_SHA
- SSL3_RSA_DES_40_CBC_SHA
- SSL3_RSA_DES_64_CBC_SHA
- SSL3_RSA_RC4_128_MD5
- SSL3_RSA_RC4_128_SHA
- SSL3_RSA_RC4_40_MD5
- TLS1_RSA_AES_128_SHA
- TLS1_RSA_AES_256_SHA
- TLS1_RSA_EXPORT1024_RC4_56_MD5
- TLS1_RSA_EXPORT1024_RC4_56_SHA
By default, all the above are enabled.
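Because every suite in the list is enabled by default, a template left at its defaults also offers export-grade, single-DES, RC4 and MD5-based suites. The following added example (not A10 code) parses the suite names exactly as listed above and flags the ones to deselect; the weakness criteria are general cryptographic guidance applied here as an assumption, not criteria taken from this manual.

```python
"""Flag weak entries among the suites in the SSL Cipher section (added example)."""

# The ten suite names exactly as the SSL Cipher section lists them.
AX_CIPHER_SUITES = [
    "SSL3_RSA_DES_192_CBC3_SHA",
    "SSL3_RSA_DES_40_CBC_SHA",
    "SSL3_RSA_DES_64_CBC_SHA",
    "SSL3_RSA_RC4_128_MD5",
    "SSL3_RSA_RC4_128_SHA",
    "SSL3_RSA_RC4_40_MD5",
    "TLS1_RSA_AES_128_SHA",
    "TLS1_RSA_AES_256_SHA",
    "TLS1_RSA_EXPORT1024_RC4_56_MD5",
    "TLS1_RSA_EXPORT1024_RC4_56_SHA",
]


def parse_suite(name):
    """Split a name such as TLS1_RSA_EXPORT1024_RC4_56_MD5 into its fields."""
    protocol, key_exchange, *rest = name.split("_")
    export = rest[0].startswith("EXPORT")
    if export:
        rest = rest[1:]
    # Remaining fields: cipher, key-size label, optional mode, MAC.
    cipher, bits, *mode, mac = rest
    return {
        "name": name,
        "protocol": protocol,
        "key_exchange": key_exchange,
        "export": export,
        "cipher": cipher,
        "bits": int(bits),
        "mode": mode[0] if mode else None,
        "mac": mac,
    }


def findings(name):
    """Return the reasons (possibly none) for deselecting a suite."""
    suite = parse_suite(name)
    issues = []
    if suite["export"] or suite["bits"] <= 64:
        issues.append(f"short or export-grade key ({suite['bits']} bits)")
    if suite["cipher"] == "RC4":
        issues.append("RC4 (prohibited in TLS by RFC 7465)")
    if suite["cipher"] == "DES":
        issues.append("DES/3DES 64-bit block cipher")
    if suite["mac"] == "MD5":
        issues.append("MD5-based MAC")
    return issues


def audit(suites=AX_CIPHER_SUITES):
    """Split the suites into those to keep selected and those to deselect."""
    report = {name: findings(name) for name in suites}
    keep = [name for name, issues in report.items() if not issues]
    disable = [name for name, issues in report.items() if issues]
    return keep, disable, report


if __name__ == "__main__":
    keep, disable, report = audit()
    for name in disable:
        print(f"deselect {name}: {'; '.join(report[name])}")
    for name in keep:
        print(f"keep     {name}")
```

The same check applies to the identical suite list in server SSL templates.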


Config > Service > Template > SSL > Server SSL
This option displays the configured Server SSL templates.
The following configuration sections are displayed when you click Add or
click on a template name.
- Server SSL
- SSL Cipher

Table 73 lists the parameters you can configure in Server SSL templates.
TABLE 73 Server SSL Template Parameters

Server SSL Section

Name
  Description: Name of the template.
  Supported Values: String of 1-31 characters
  Default: Not set

CA Cert Name
  Description: Name of the Certificate Authority (CA) certificate to use for validating server certificates.
  Note: To use the certificate, you must import it onto the AX device. (See Config > Service > SSL Management on page 210.)
  Supported Values: Name of a CA certificate imported onto the AX device

SSL Cipher Section

This section enables you to select specific cipher suites to support for decrypting certificates from servers. You can select one or more of the following:
- SSL3_RSA_DES_192_CBC3_SHA
- SSL3_RSA_DES_40_CBC_SHA
- SSL3_RSA_DES_64_CBC_SHA
- SSL3_RSA_RC4_128_MD5
- SSL3_RSA_RC4_128_SHA
- SSL3_RSA_RC4_40_MD5
- TLS1_RSA_AES_128_SHA
- TLS1_RSA_AES_256_SHA
- TLS1_RSA_EXPORT1024_RC4_56_MD5
- TLS1_RSA_EXPORT1024_RC4_56_SHA
By default, all the above are enabled.


Config > Service > Template > TCP Proxy


This option displays the configured TCP-proxy templates.
The TCP Proxy section is displayed when you click Add or click on a template name.
Table 74 lists the parameters you can configure in TCP-proxy templates.
TABLE 74 TCP-Proxy Template Parameters

TCP Proxy Section

Name
  Description: Name of the template.
  Supported Values: String of 1-31 characters
  Default: Not set

FIN Timeout
  Description: Number of seconds that a connection can be in the FIN-WAIT or CLOSING state before the AX Series terminates the connection.
  Supported Values: 1-60 seconds
  Default: 5 seconds

Idle Timeout
  Description: Number of seconds that a connection can be idle before the AX Series terminates the connection. Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the AX device rounds to the nearest multiple of 60. For example, if you enter 70, the actual timeout is 60 seconds.
  Supported Values: 60-120000 seconds (about 33 hours)
  Default: 600 seconds

Retransmit Retries
  Description: Number of times the AX Series can retransmit a data segment for which the AX Series does not receive an ACK.
  Supported Values: 1-20
  Default: 3

SYN Retries
  Description: Number of times the AX Series can retransmit a SYN for which the AX Series does not receive an ACK.
  Supported Values: 1-20
  Default: 5

Time Wait
  Description: Number of seconds that a connection can be in the TIME-WAIT state before the AX Series transitions it to the CLOSED state.
  Supported Values: 1-60 seconds
  Default: 5 seconds

Receive Buffer
  Description: Maximum number of bytes addressed to the port that the AX Series will buffer.
  Supported Values: 1-2147483647 bytes
  Default: 87380 bytes

Transmit Buffer
  Description: Number of bytes sent by the port that the AX Series will buffer.
  Supported Values: 1-2147483647 bytes
  Default: 16384 bytes

Initial Window Size
  Description: Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK. The initial TCP window size applies only to the SYN ACKs sent to the client. After the SYN ACK, the AX device does not modify the TCP window size for any other packets in the session.
  Supported Values: You can set the initial TCP window size to 1-65535 bytes.
  - If the virtual port is one of the service types that is proxied by the AX device, initial TCP window size applies to SYN ACKs generated by the AX device and sent to clients. By default, the AX device uses the TCP window size in the client's SYN. The following service types are proxied by the AX device: http, https, fast-http, ssl-proxy, and smtp.
  - If the virtual port is not one of the service types that is proxied by the AX device (for example, the tcp service type), initial TCP window size applies to SYN ACKs generated by servers and forwarded by the AX device to clients. By default, the AX device uses the TCP window size in the server's SYN ACK.
  Default: By default, the AX device uses the TCP window size set by the client or server.

Nagle
  Description: Enables Nagle congestion compression (described in RFC 896).
  Supported Values: Enabled or Disabled
  Default: Disabled

Config > Service > Health Monitor


The Health Monitor pages allow you to configure health methods.
You can configure health methods on the AX device by configuring settings
for the type of service you are monitoring. You also can configure health
monitors externally using Tcl scripts and import the monitors for use by the
AX device.


Config > Service > Health Monitor > Health Monitor


This option displays the configured health monitors.
The following configuration sections are displayed when you click Add or
click on a health monitor name.
- Health Monitor
- Method

Table 75 lists the health monitor parameters you can configure.

Note: In the Method section, you can select Internal or External. Leave the method set to Internal if you want to configure a method using method settings available on the AX device. In this case, select the service type from the Type drop-down list. To use an imported script as the method, click External.

TABLE 75 Health Monitor Parameters

Health Monitor Section

Name
  Description: Name of the health monitor.
  Supported Values: String of 1-31 characters
  Default: Not set

Retry
  Description: Specifies the maximum number of times the AX device will resend the same health check to an unresponsive server or service before marking that server or service as down.
  Supported Values: 1-5
  Default: 3

Consec Pass Reqd
  Description: Specifies the number of times the target device must consecutively pass the same periodic health check in order to pass the health check.
  Supported Values: 1-10 consecutive passes
  Default: 1

Interval
  Description: Specifies the number of seconds between each check using the monitor.
  Supported Values: 1-180 seconds
  Default: 5 seconds

Timeout
  Description: Specifies the number of seconds the AX device waits for a reply to a health check. If the AX device does not receive a reply by the end of the timeout, the AX device either sends the health check again (if there are retries left) or marks the server or service down.
  Supported Values: 1-12 seconds
  Default: 5 seconds

Strictly Retry
  Description: Force the AX device to wait until all retries are unsuccessful before marking a server or port Down. This option is applicable only to some types of health monitors, such as HTTP health monitors. For example, this command applies to HTTP health monitors that expect a string in the server reply. By default, if the server's HTTP port does not reply to the first health check attempt with the expected string, the AX device immediately marks the port Down.
  Supported Values: Selected (enabled) or unselected (disabled)
  Default: Disabled

Disable After Down
  Description: Disables the target of a health check if the target fails the health check.
  Supported Values: Selected (enabled) or unselected (disabled)
  Default: Disabled

Method Section - General Parameters

Override IPv4
  Description: Sends the health check to the specified IPv4 address, instead of sending the health check to the IP address of the real server or GSLB service IP with which the health monitor is associated.
  Supported Values: Valid IPv4 address
  Default: The health check is sent to the IPv4 address of the real server or GSLB service IP

Override IPv6
  Description: Sends the health check to the specified IPv6 address, instead of sending the health check to the IP address of the real server or GSLB service IP with which the health monitor is associated.
  Supported Values: Valid IPv6 address
  Default: The health check is sent to the IPv6 address of the real server or GSLB service IP

Override Port
  Description: Sends the health check to the specified protocol port number, instead of sending the health check to the protocol port number configured for the health method.
  Supported Values: 0-65534
  Default: The health check is sent to the protocol port number configured for the health method.

Method
  Description: Specifies the health method:
  - Internal - The method is configured using options on the AX device. See the following descriptions for information about individual internal methods.
  - External - The method is configured by using a script that is imported onto the AX device. See "Method Section - External" at the end of this table.
  Supported Values: Internal or External

TABLE 75 Health Monitor Parameters (Continued)

Type
  Description: Internal method used for the health monitor.
  Supported Values: One of the following:
  - ICMP
  - TCP
  - UDP
  - HTTP
  - HTTPS
  - FTP
  - SMTP
  - POP3
  - SNMP
  - DNS
  - RADIUS
  - LDAP
  - RTSP
  - SIP
  - NTP
  - Compound
  Default: ICMP

Method Section - ICMP

Mode
  Description: Specifies whether the monitor is Transparent.
  Supported Values: Not set or Transparent
  Default: Not set

Alias Address
  Description: Used with Transparent mode.
  - In DSR, the ipaddr specifies the virtual IP address.
  - In FWLB, the ipaddr specifies the IP address of the AX device on the other side of the firewall, or the floating IP address of the HA group on the other side of the firewall.
  Select the IP version of the address (IPv4 or IPv6).
  Supported Values: IPv4 or IPv6 address

Method Section - TCP

Port
  Description: Port to which the AX device sends a connection request (TCP SYN). The AX device expects a TCP SYN ACK in reply.
  Supported Values: 1-65534
  Default: 80

HalfOpen
  Description: Specifies whether to respond to the SYN ACK by sending an ACK, which completes the connection setup.
  Supported Values:
  - False - The AX device does respond to the SYN ACK by sending an ACK.
  - True - The AX device sends a RST (Reset).
  Default: False
TABLE 75 Health Monitor Parameters (Continued)

Method Section - UDP

Port
  Description: Port to which the AX device sends a UDP packet. The AX device sends a packet with a valid UDP header and a garbage payload to the specified UDP port on the server. The AX device expects either of the following:
  - Server reply from the specified UDP port, with any type of packet
  - Server does not reply at all
  The server fails the health check only if the server replies with an ICMP Error message.
  Supported Values: 1-65534
  Default: 61

Method Section - HTTP

Port
  Description: Port to which the AX device sends an HTTP request. The AX device expects OK message (200).
  Supported Values: 1-65534
  Default: 80

Host
  Description: Replaces the information in the Host field of the request sent to the real server.
  Supported Values: String
  Default: The real server's IP address

URL
  Description: Specifies the request type and the page to which to send the request. The request type can be GET, HEAD, or POST. If you select POST, the Post Data field appears.
  - To specify a string, select String. In the postdata string, use "=" between a field name and the value you are posting to it. If you post to multiple fields, use "&" between the fields. For example: fieldname1=value&fieldname1=value
  - To specify a POST data file, select File. Select the POST data file from the drop-down list. (The file must be imported onto the AX device first. To import a POST data file, see Config > Service > Health Monitor > Data File on page 173.)
  Supported Values: Request type can be GET, HEAD, or POST. Page name can be a string.
  Default: GET; default page is "/", the index.html page.

User
  Description: Username to log in.
  Supported Values: String
  Default: Not set

Password
  Description: Password to log in.
  Supported Values: String
  Default: Not set

Expect
  Description: Specifies a response code or string expected from the server, in which case this value is also expected. To specify a range of response codes, use a dash ( - ) between the low and high numbers of the range. Use commas to delimit individual code numbers or separate ranges. Select Code.
  Supported Values: String or response code(s)
  Default: The AX device expects response code 200 (OK).

TABLE 75 Health Monitor Parameters (Continued)

Maintenance Code
  Description: Specifies a response code that indicates the server status should be changed to Maintenance. When a server's health status is Maintenance, the server will accept new requests on existing cookie-persistent or source-IP persistent connections, but will not accept any other requests. The Maintenance health status applies to server ports and service-group members. When a port's status changes to Maintenance, this change applies to all service-group members that use the port.
  To leave maintenance mode, the server must do one of the following:
  - Successfully reply to a health check, but without including the maintenance code. In this case, the server's health status changes to Up.
  - Fail a health check. In this case, the server's status changes to Down.
  Note: This feature applies only to servers in cookie-persistence or source-IP persistence configurations, and can be used only for HTTP and HTTPS ports.
  Supported Values: String or response code(s)
  Default: Not set

Method Section - HTTPS

Port
  Description: Port to which the AX device sends an HTTPS request. The AX device expects OK message (200).
  Supported Values: 1-65534
  Default: 443

Host
  Description: Replaces the information in the Host field of the request sent to the real server.
  Supported Values: String
  Default: The real server's IP address

URL
  Description: Specifies the request type and the page to which to send the request. The request type can be GET, HEAD, or POST. If you select POST, the Post Data field appears.
  - To specify a string, select String. In the postdata string, use "=" between a field name and the value you are posting to it. If you post to multiple fields, use "&" between the fields. For example: fieldname1=value&fieldname1=value
  - To specify a POST data file, select File. Select the POST data file from the drop-down list. (The file must be imported onto the AX device first. To import a POST data file, see Config > Service > Health Monitor > Data File on page 173.)
  Supported Values: Request type can be GET, HEAD, or POST. Page name can be a string.
  Default: GET; default page is "/", the index.html page.

User
  Description: Username to log in.
  Supported Values: String
  Default: Not set

Password
  Description: Password to log in.
  Supported Values: String
  Default: Not set

TABLE 75 Health Monitor Parameters (Continued)

Expect
  Description: Specifies a response code or string expected from the server, in which case this value is also expected. To specify a range of response codes, use a dash ( - ) between the low and high numbers of the range. Use commas to delimit individual code numbers or separate ranges. Select Code.
  Supported Values: String or response code(s)
  Default: The AX device expects response code 200 (OK).

Maintenance Code
  Description: Specifies a response code that indicates the server status should be changed to Maintenance. When a server's health status is Maintenance, the server will accept new requests on existing cookie-persistent or source-IP persistent connections, but will not accept any other requests. The Maintenance health status applies to server ports and service-group members. When a port's status changes to Maintenance, this change applies to all service-group members that use the port.
  To leave maintenance mode, the server must do one of the following:
  - Successfully reply to a health check, but without including the maintenance code. In this case, the server's health status changes to Up.
  - Fail a health check. In this case, the server's status changes to Down.
  Note: This feature applies only to servers in cookie-persistence or source-IP persistence configurations, and can be used only for HTTP and HTTPS ports.
  Supported Values: String or response code(s)
  Default: Not set

Method Section - FTP

Port
  Description: Port to which an FTP login request is sent. The AX device expects an OK message, or Password message followed by an OK message. Unless you use anonymous login, the username and password must be specified.
  Supported Values: 1-65534
  Default: 21

User
  Description: Username to log in.
  Supported Values: String
  Default: Not set

Password
  Description: Password to log in.
  Supported Values: String
  Default: Not set

Method Section - SMTP

Port
  Description: Port to which the AX device sends an SMTP Hello message on the specified server in the specified domain. The AX device expects a reply with an OK message (reply code 250).
  Supported Values: 1-65534
  Default: 25

Domain
  Description: Domain to which the SMTP Hello message is sent.
  Supported Values: A10

TABLE 75 Health Monitor Parameters (Continued)

Method Section - POP3

Port
  Description: Port to which the AX device sends a POP3 user login request with the specified username and password. The AX device expects reply with OK message.
  Supported Values: 1-65534
  Default: 110

User
  Description: Username to log in.
  Supported Values: String
  Default: a10

Password
  Description: Password to log in.
  Supported Values: String
  Default: a10

Method Section - SNMP

Port
  Description: Port to which the AX device sends an SNMP Get or Get Next request for the specified OID, from the specified community. The AX device expects a reply with the value of the OID.
  Supported Values: 1-65534
  Default: 161

Operation
  Description: Type of request to send.
  Supported Values: Get or Get Next
  Default: Get

OID
  Description: OID requested.
  Supported Values: sysDescr, sysUpTime, sysName, or another name in ASN.1 style
  1.1.0

Community
  Description: SNMP community used for the request.

Method Section - DNS

Port
  Description: Port to which a DNS lookup request is sent. The AX device expects a reply with code 0.
  Supported Values: 1-65534
  Default: 53

Domain / IP Address radio button
  Description: Specifies whether to test based on a domain name, or to test a specific DNS server. To test a specific server, click IP Address and enter the address in the IP Address field. Otherwise, to test based on a domain name sent in the health check, leave Domain selected and enter the domain name in the Domain field.
  Supported Values: Domain or IP Address
  Default: Domain

Domain
  Description: Domain name requested from the DNS server.
  Supported Values: Validly formed domain name
  Default: www.a10networks.com

IP Address
  Description: Specifies the IP address of the DNS server, and the address type (IPv4 or IPv6).
  Supported Values: Valid IP address
  Default: Not set

TABLE 75 Health Monitor Parameters (Continued)

Type
  Description: For health checks sent to a domain name, specifies the record type the responding server is expected to send in reply to health checks.
  Supported Values: One of the following:
  - A - IPv4 address record
  - CNAME - Canonical name record for a DNS alias
  - SOA - Start of authority record
  - PTR - Pointer record for a domain name
  - MX - Mail Exchanger record
  - TXT - Text string
  - AAAA - IPv6 address record
  Default: A

Recursion
  Description: Specifies whether the tested DNS server is allowed to send the health check's request to another DNS server if the tested server cannot fulfill the request using its own database. Recursion is enabled by default.
  Supported Values: Enabled or disabled
  Default: Enabled

Expect
  Description: List of response codes, in the range 0-15, that are valid responses to a health check. If the tested DNS server responds with any of the expected response codes, the server passes the health check. To specify a range, use a dash. Separate the codes (and code ranges) with commas. For example: 0-3,5.
  Supported Values: 0-15
  Default: The expect list is empty, in which case the AX device expects status code 0 (No error condition).
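The Expect fields of the HTTP, HTTPS and DNS methods share one list syntax (dashes for ranges, commas between items), and the HTTP/HTTPS Maintenance Code adds a third health status. The following added example (not A10 code) parses that syntax and evaluates replies against it. The function names, the 100-599 bound on HTTP codes, and checking the maintenance code before the expect list are assumptions, and string matching in Expect is left out.

```python
"""Parser for health-monitor code lists such as 0-3,5 (added example, not AX code)."""


def parse_code_list(spec, low, high, default):
    """Expand a list like '200-204,301' into a set of integers.

    An empty spec returns `default`, mirroring the documented defaults
    (200 for HTTP/HTTPS Expect, 0 for DNS Expect, nothing for Maintenance Code).
    """
    if not spec.strip():
        return set(default)
    codes = set()
    for item in spec.split(","):
        first, dash, last = item.strip().partition("-")
        if not first.isdigit() or (dash and not last.isdigit()):
            raise ValueError(f"malformed item {item!r} in {spec!r}")
        start = int(first)
        end = int(last) if dash else start
        if start > end:
            raise ValueError(f"reversed range {item!r}")
        if start < low or end > high:
            raise ValueError(f"{item!r} is outside {low}-{high}")
        codes.update(range(start, end + 1))
    return codes


def dns_check_passes(rcode, expect_spec=""):
    """DNS method: the reply code must be in the expect list (range 0-15)."""
    return rcode in parse_code_list(expect_spec, 0, 15, {0})


def http_status_after_check(reply_code, expect_spec="", maintenance_spec=""):
    """HTTP/HTTPS method: health status after one check.

    reply_code is None when the server sent no reply. Assumptions: HTTP codes
    are bounded to 100-599, and the maintenance code is tested first.
    """
    expect = parse_code_list(expect_spec, 100, 599, {200})
    maintenance = parse_code_list(maintenance_spec, 100, 599, set())
    if reply_code is None:
        return "Down"
    if reply_code in maintenance:
        return "Maintenance"
    return "Up" if reply_code in expect else "Down"


def status_timeline(reply_codes, expect_spec="", maintenance_spec=""):
    """Health status after each reply in a constructed sequence of checks."""
    return [
        http_status_after_check(code, expect_spec, maintenance_spec)
        for code in reply_codes
    ]


if __name__ == "__main__":
    # Constructed sample: a server drained with 503, then returned to service.
    print(status_timeline([200, 503, 503, 200, None], "200-204", "503"))
    print(sorted(parse_code_list("0-3,5", 0, 15, {0})))
```

A server in Maintenance returns to Up only by answering with an expected code that is not the maintenance code; any failed check moves it to Down instead.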

Method Section - RADIUS

Port
  Description: Port to which the AX device sends a Password Authentication Protocol (PAP) request to authenticate the specified username. The AX device expects an Access Accepted message (reply code 2).
  Supported Values: 1-65534
  Default: 1812

User
  Description: Username for which authentication is requested.
  Supported Values: String
  Default: a10

Password
  Description: User password.
  Supported Values: String
  Default: a10

Secret
  Description: Shared secret required by the RADIUS server.
  Supported Values: String
  Default: a10

Method Section - LDAP

Port
  Description: Port to which the AX device sends an LDAP Bind request. The AX device expects a reply containing result code 0.
  Supported Values: 1-65534
  Default: 389

SSL
  Description: Uses SSL (TLS) for the health check.
  Supported Values: Selected or unselected
  Default: unselected

Parameter: Distinguished Name
Description: Specifies the Distinguished Name.
Supported Values: String

Parameter: Password
Description: Specifies the password for the Distinguished Name.
Supported Values: String

Method Section - RTSP

Parameter: Port
Description: Port to which the AX device sends a request for information about the specified file. The AX device expects a reply with information about the specified file.
Supported Values: 1-65534
Default: 554

Parameter: URL
Description: URL of the requested file.
Supported Values: URL of the requested file
Default: /sample.mpg

Method Section - SIP

Parameter: Port
Description: Port to which the AX device sends a SIP request. The AX device expects a 200 - OK message in response. The request is an OPTION request, unless you select the Register checkbox.
Supported Values: 1-65534
Default: 5060

Parameter: Register
Description: When selected, send a REGISTER request instead of a SIP request.
Supported Values: Selected or unselected
Default: unselected

Parameter: TCP
Description: When selected, uses TCP instead of UDP to send the health check. Select this option if the health method will be used in a SIP-over-TCP configuration.
Supported Values: Selected or unselected
Default: unselected

Method Section - NTP

Parameter: Port
Description: Port to which the AX device sends an NTP request. The AX device sends an NTP client message and expects a standard NTP 48-byte reply packet.
Supported Values: 1-65534
Default: 123

Method Section - External

Parameter: Program
Description: Name of an external program (for example, a Tcl script) to run. The AX device bases the health status of the server or service on the outcome of the program.
Note: To use the program, you must import it onto the AX device. (See Config > Service > Health Monitor > External Program on page 172.)
Supported Values: External monitor imported onto the AX device.

Parameter: Arguments
Description: Arguments to use with the program.
Supported Values: Strings
Default: Not set

Parameter: Server Port
Description: Port to which the AX device sends the health check.
Supported Values: 1-65534
Default: 0

Method Section - Compound

Parameter: Boolean Expression
Description: Compound health monitor consisting of a set of health monitors joined in a Boolean expression (AND / OR / NOT).
First, configure the individual health monitors, then construct a Boolean expression using those monitors.
To enter a health monitor:
1. Click the radio button next to the list of health monitors.
2. Select the monitor.
3. Click Add.
To enter an operator:
1. Click the radio button next to the list of operators.
2. Select the operator.
3. Click Add.
Note: Make sure to use Reverse Polish Notation. Otherwise, the GUI will display an error message when you click OK to complete the health monitor configuration.
(For more information, see the Compound Health Monitors section in the Health Monitoring chapter of the AX Series Configuration Guide.)
Supported Values: Configured health monitors
Boolean operators: AND, OR, NOT
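
The compound monitor above must be entered in Reverse Polish Notation. The following added example (not A10 code) checks a token sequence before it is entered in the GUI, shows the equivalent infix expression, and evaluates it against individual monitor results. The monitor names are hypothetical, and the example assumes NOT takes one operand and AND/OR take two.

```python
OPERATORS = {"AND": 2, "OR": 2, "NOT": 1}  # operator -> number of operands


class RpnError(ValueError):
    """Raised when a token sequence is not a valid RPN Boolean expression."""


def _reduce(tokens, operand, apply):
    """Walk the RPN tokens: push operands, pop and combine on operators."""
    stack = []
    for pos, tok in enumerate(tokens, start=1):
        arity = OPERATORS.get(tok)
        if arity is None:
            stack.append(operand(pos, tok))
            continue
        if len(stack) < arity:
            raise RpnError(
                f"token {pos} ({tok}): needs {arity} operand(s), found {len(stack)}"
            )
        args = [stack.pop() for _ in range(arity)][::-1]  # restore left-to-right
        stack.append(apply(tok, args))
    if len(stack) != 1:
        raise RpnError(f"expression leaves {len(stack)} values; expected exactly 1")
    return stack[0]


def to_infix(tokens, known_monitors):
    """Validate the expression and return a fully parenthesised infix form."""
    def operand(pos, tok):
        if tok not in known_monitors:
            raise RpnError(f"token {pos}: {tok!r} is not a configured health monitor")
        return tok

    def apply(op, args):
        if op == "NOT":
            return f"(NOT {args[0]})"
        return f"({args[0]} {op} {args[1]})"

    return _reduce(tokens, operand, apply)


def evaluate(tokens, results):
    """Evaluate the expression given {monitor name: passed?} results."""
    def operand(pos, tok):
        if tok not in results:
            raise RpnError(f"token {pos}: no result for health monitor {tok!r}")
        return bool(results[tok])

    def apply(op, args):
        if op == "NOT":
            return not args[0]
        if op == "AND":
            return args[0] and args[1]
        return args[0] or args[1]

    return _reduce(tokens, operand, apply)


if __name__ == "__main__":
    # Hypothetical monitor names; the token order is what would be added in the GUI.
    monitors = {"hm-icmp", "hm-http", "hm-dns"}
    expr = ["hm-icmp", "hm-http", "AND", "hm-dns", "NOT", "OR"]
    print(to_infix(expr, monitors))
    print(evaluate(expr, {"hm-icmp": True, "hm-http": False, "hm-dns": False}))
    try:
        to_infix(["hm-icmp", "AND", "hm-http"], monitors)  # infix order, not RPN
    except RpnError as err:
        print("rejected:", err)
```
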
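
For the Expect parameter of the DNS health method in Table 75, the following added example (not A10 code) parses an Expect list such as 0-3,5 and applies it to the response code carried in a DNS reply header. The sample replies are constructed 12-byte headers, and the function names are hypothetical.

```python
import struct


def parse_expect(spec: str) -> set:
    """Turn an Expect list such as "0-3,5" into the set of accepted codes."""
    if not spec.strip():
        return {0}  # empty list: only code 0 (No error condition) passes
    codes = set()
    for item in spec.split(","):
        low, dash, high = item.strip().partition("-")
        if not low.isdigit() or (dash and not high.isdigit()):
            raise ValueError(f"malformed Expect entry: {item!r}")
        start = int(low)
        end = int(high) if dash else start
        if start > end or end > 15:
            raise ValueError(f"Expect entry outside 0-15: {item!r}")
        codes.update(range(start, end + 1))
    return codes


def response_code(message: bytes) -> int:
    """Extract RCODE (low 4 bits of the flags word) from a DNS response."""
    if len(message) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    _ident, flags = struct.unpack("!HH", message[:4])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    return flags & 0x000F


def sample_response(rcode: int, recursion_available: bool = True) -> bytes:
    """Constructed 12-byte DNS response header used only for this demonstration."""
    flags = 0x8000 | 0x0100 | (0x0080 if recursion_available else 0) | rcode
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)


def passes_health_check(message: bytes, expect: str = "") -> bool:
    """True if the reply's response code is in the Expect list."""
    return response_code(message) in parse_expect(expect)


if __name__ == "__main__":
    for name, rcode in [("NOERROR", 0), ("SERVFAIL", 2), ("NXDOMAIN", 3), ("REFUSED", 5)]:
        msg = sample_response(rcode)
        print(f"{name:9} empty list: {passes_health_check(msg)!s:5} "
              f"0-3,5: {passes_health_check(msg, '0-3,5')}")
```

With the list 0-3,5, a server that answers SERVFAIL (2) or REFUSED (5) still passes the check, so keep the Expect list as narrow as the monitored service allows.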

Config > Service > Health Monitor > External Program


This page allows you to create an external program for use as a health monitor.
Enter a name and description for the monitor, then copy and paste the script
into the Definition field and click OK. The name must end with .tcl.
Note: To create an external program in a non-English language (for example, Japanese), save it in Unicode UTF-8 format. To set the language in the GUI to UTF-8, configure the browser so that you can view UTF-8 encoding. For example, in Internet Explorer, select View > Encoding > Unicode.


Config > Service > Health Monitor > Data File


This page allows you to import a file containing POST data to use with an
HTTP or HTTPS health check. Use this option if you need to use a POST
data payload longer than 255 bytes. An imported POST data file can contain
a payload of up to 2 Kbytes.
Importing a POST Data File
To import a POST data file:
1. Select the location of the file to be imported:
   Local - The file is on the PC you are using to run the GUI, or is on another PC or server in the local network. Go to step 2.
   Remote - The file is on a remote server. Go to step 4.
2. Click Browse and navigate to the location of the certificate.
3. Click Open. The path and filename appear in the Source field. Go to step 9.
4. To use the management interface as the source interface for the connection to the remote device, select Use Management Port. Otherwise, the AX device will attempt to reach the remote server through a data interface.
5. Select the file transfer protocol: FTP, TFTP, RCP, or SCP.
6. In the Host field, enter the directory path and filename.
7. If needed, change the protocol port number in the Port field. By default, the default port number for the selected file transfer protocol is used.
8. In the User and Password fields, enter the username and password required for access to the remote server.
9. Click OK.

Config > Service > Health Monitor > Global


This page enables you to globally change the default settings for health
monitor parameters.
Globally changing a health monitor parameter changes the default for that
parameter. For example, if you globally change the interval from 5 seconds
to 10 seconds, the default interval becomes 10 seconds.

If a parameter is explicitly set on a health monitor, globally changing the
parameter does not affect the health monitor. For example, if the interval on
health monitor hm1 is explicitly set to 20 seconds, the interval remains 20
seconds on hm1 regardless of the global setting.
Note: Global health monitor parameter changes automatically apply to all new health monitors configured after the change. To apply a global health monitor parameter change to health monitors that were configured before the change, you must reboot the AX device.
Table 76 lists the health monitor parameters you can globally change.

TABLE 76 Global Health Monitor Parameters

Parameter: Retry
Description: Specifies the maximum number of times the AX device will send the same health check to an unresponsive server before determining that the server is down.
Supported Values: 1-5
Default: 3

Parameter: Consec Pass Reqd
Description: Number of consecutive times the device must pass the same periodic health check, in order to be marked Up.
Supported Values: 1-10
Default: 1

Parameter: Interval
Description: Number of seconds between health check attempts. A health check attempt consists of the AX device sending a packet to the server. The packet type and payload depend on the health monitor type. For example, an HTTP health monitor might send an HTTP GET request packet.
Supported Values: 1-180 seconds
Default: 5 seconds

Parameter: Timeout
Description: Number of seconds the AX Series waits for a reply to a health check.
Note: This option is not applicable to external health monitors.
Supported Values: 1-12 seconds
Default: 5 seconds

Config > Service > PBSLB


This option allows you to import a black/white list for use with Policy-Based SLB (PBSLB).
The PBSLB section is displayed when you click Add or click on a
black/white list name.
Table 77 lists the PBSLB parameters you can configure.

TABLE 77 PBSLB Parameters

PBSLB Section

Parameter: Name
Description: Name and location of the black/white list. The location can be one of the following:
  Remote - You are importing the list from an external device.
  Local - You are importing the list by copying and pasting it into the Definition field.
Supported Values: Name can be 1-31 characters
Local or Remote

Parameter: Interval (Remote only)
Description: Specifies how often the AX device re-imports the list to ensure that changes to the list are automatically replicated on the AX.
Supported Values: 60-86400 seconds
Default: 300 seconds

Parameter: Use Management Port
Description: Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.
Note: For information about the data and management route tables, see the Using the Management Interface as the Source for Management Traffic chapter in the AX Series Configuration Guide.
Supported Values: Enabled or disabled
Default: Disabled

Parameter: Protocol (Remote only)
Description: File transfer protocol to use.
Supported Values: TFTP

Parameter: Host (Remote only)
Description: IP address or hostname of the device where the list is located.
Supported Values: Valid IP address or hostname
Default: Not set

Parameter: Location (Remote only)
Description: Path and filename of the list on the remote device.
Supported Values: Valid pathname and filename
Default: Not set

Parameter: Definition (Local only)
Description: Text entry field for a black/white list.
Supported Values: Black/white list
Default: None

Config > Service > Firewall


The Firewall pages enable you to configure SLB parameters.

Config > Service > Firewall > Firewall Group


This option displays the configured firewall groups.
The Firewall Group and Member sections are displayed when you click
Add or click on a firewall group name.

Table 78 lists the firewall group parameters.
TABLE 78 Firewall Group Parameters

Firewall Group Section

Parameter: Name
Description: Name of the firewall group.
Supported Values: 1-31 characters
Default: None configured

Parameter: Algorithm
Description: Load-balancing method used to select a firewall for a client request.
Supported Values: One of the following:
  Round Robin - Selects servers in rotation.
  Least Connection - Selects the server that currently has the fewest connections.
Default: Round Robin

Parameter: Health Monitor
Description: Selects a health monitor for a firewall when you add it to the service group.
Supported Values: Configured ICMP health monitor with the transparent mode enabled
Note: If you have not already configured one, you can do so from this field by selecting create. When you are finished configuring the monitor and you click OK, you are returned to this section.

Parameter: Stats Data
Description: Enables collection of statistics data for the firewall group.
Note: Statistical data collection also must be enabled globally. See Config > Service > SLB > Global > Settings on page 124.
Supported Values: Enabled or Disabled
Default: Enabled

Member Section
In the Member section, you can add, change, and delete firewall nodes. Select the firewall nodes, then click the button for the action you want to take. For example, to disable a firewall node, click the checkbox next to the firewall node to select it, then click Disable.

Parameter: Firewall
Description: Adds a firewall to the firewall service group.
1. Enter the firewall address in the Firewall field.
2. To change the priority, edit the number in the Priority field.
3. Click Add.
Supported Values: Configured firewall node
Default: None configured

Parameter: Priority
Supported Values: 1-10
Default: 1


Config > Service > Firewall > Firewall Virtual Server


This option displays the settings for the firewall virtual server.
The following configuration sections are displayed.
Default
Port

Table 79 lists the firewall virtual server parameters.


TABLE 79 Firewall Virtual Server Parameters

Firewall Virtual Server Section

Parameter: Status
Description: State of the firewall virtual server.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: HA Connection Mirror
Description: When enabled, synchronizes active sessions onto the standby AX in the HA pair, to prevent the sessions from being interrupted if an HA failover occurs.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: HA Group
Description: Specifies the HA group to use for the virtual firewall's traffic.
Supported Values: 1 or 2
Default: not set

Parameter: Firewall Group
Description: Specifies the firewall group to use. If the firewall group is not already configured, you can select create to configure it. In this case, when you click OK after configuring the firewall group, you are returned to this section.
You also can specify a firewall group on individual service ports. If you specify a firewall group at each level, the firewall group specified for the individual service port takes precedence.
Supported Values: Name of a configured firewall group
Default: not set

Parameter: TCP Idle Timeout
Description: Specifies the number of seconds a TCP session through a firewall can remain idle before the AX device terminates the session.
Note: The idle timeout applied to a session can come from the idle timeout configured here, the idle timeout configured on the virtual firewall port, or the idle time configured in SLB. (See the TCP and UDP Session Aging section in the "Firewall Load Balancing" chapter of the AX Series Configuration Guide.)
Supported Values: 60-15000 seconds
Default: 300 seconds

Parameter: UDP Idle Timeout
Description: Specifies the number of seconds a UDP session through a firewall can remain idle before the AX device terminates the session.
Note: The idle timeout applied to a session can come from the idle timeout configured here, the idle timeout configured on the virtual firewall port, or the idle time configured in SLB. (See the TCP and UDP Session Aging section in the "Firewall Load Balancing" chapter of the AX Series Configuration Guide.)
Supported Values: 60-15000 seconds
Default: 300 seconds

Parameter: Source IP Persistence Template
Description: Sends all traffic from a given source address to the same firewall.
You also can specify a source-IP persistence template on individual service ports. If you specify a template at each level, the template specified for the individual service port takes precedence.
Note: The match-type option of the template is not applicable to FWLB. The match type for FWLB is always server, which sets the granularity of source-IP persistence to individual firewalls, not firewall groups or individual service ports.
Supported Values: Name of a configured source-IP persistence template
Default: not set

Parameter: Stats Data
Description: Enables collection of statistics data for the firewall virtual server.
Note: Statistical data collection also must be enabled globally. See Config > Service > SLB > Global > Settings on page 124.
Supported Values: Enabled or Disabled
Default: Enabled

Port Section
To add a service port to the firewall virtual server, click Add. The Port section appears, where you can configure the following parameters.

Parameter: Port
Description: Service port number.
Supported Values: 1-65534
Default: 80

Parameter: Type
Description: Service type of the port.
Supported Values: One of the following:
  TCP
  UDP
Default: TCP

Parameter: Firewall Group
Description: Specifies the firewall group to use.
If you specify a firewall group at this level, the firewall group specified here takes precedence over the firewall group specified at the firewall level.
Supported Values: Name of a configured firewall group
Default: not set

Parameter: Status
Description: State of the firewall virtual port.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: HA Connection Mirror
Description: When enabled, synchronizes active sessions onto the standby AX in the HA pair, to prevent the sessions from being interrupted if an HA failover occurs.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Idle Timeout
Description: Specifies the number of seconds a session through a firewall on this service port can remain idle before the AX device terminates the session.
Note: The idle timeout applied to a session can come from the idle timeout configured here, the idle timeout configured on the virtual firewall, or the idle time configured in SLB. (See the TCP and UDP Session Aging section in the "Firewall Load Balancing" chapter of the AX Series Configuration Guide.)
Supported Values: 60-15000 seconds
Default: 300 seconds

Parameter: Source IP Persistence Template
Description: Sends all traffic from a given source address to the same firewall.
If you specify a source-IP persistence template at this level, the template specified here takes precedence over the template specified at the firewall level.
Supported Values: Name of a configured source-IP persistence template
Default: not set

Parameter: Stats Data
Description: Enables collection of statistics data for the firewall virtual port.
Note: Statistical data collection also must be enabled globally. See Config > Service > SLB > Global > Settings on page 124.
Supported Values: Enabled or Disabled
Default: Enabled

Config > Service > Firewall > Firewall Node


This option displays the configured firewalls.
The Firewall Node configuration section is displayed when you click Add
or click on a firewall name.
Table 80 lists the firewall node parameters.
TABLE 80 Firewall Node Parameters

Firewall Node Section

Parameter: Name
Description: Name of the firewall.
Default: None configured

Parameter: IP Address
Description: IP address of the firewall.
Default: None configured

Parameter: Health Monitor
Description: Applies a configured health monitor to the firewall.
The only type of health monitor supported for FWLB is Layer 3 ICMP with the transparent option enabled. The transparent option sends health check packets to the AX device or HA pair on the other side of the firewall.
Supported Values: Name of a configured health monitor
Default: The AX device attempts to use the default Layer 3 method (ping). However, this default method does not use the transparent option.

Parameter: Status
Description: State of the firewall.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Stats Data
Description: Enables collection of statistics data for the firewall node.
Note: Statistical data collection also must be enabled globally. See Config > Service > SLB > Global > Settings on page 124.
Supported Values: Enabled or Disabled
Default: Enabled

Config > Service > GSLB


The GSLB pages enable you to configure Global Server Load Balancing
(GSLB).
Note: If this AX device will be the GSLB controller, use all the configuration pages. If this AX device will be only a site AX device, go to Config > Service > GSLB > Global on page 201. Enable the Run GSLB as Site SLB Device option and click OK. Do not configure any other GSLB parameters.

Config > Service > GSLB > DNS Proxy


This option displays the configured DNS proxies.
The following configuration sections are displayed when you click Add or
click on a DNS proxy name.
Proxy
GSLB Port

Table 81 lists the DNS proxy parameters.

TABLE 81 GSLB DNS Proxy Parameters

Proxy Section

Parameter: Name
Description: Name of the DNS proxy.
Default: None configured

Parameter: IP Address
Description: IP address of the virtual server for the DNS proxy.
Default: None configured

Parameter: Status
Description: State of the DNS proxy.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: HA group
Description: Specifies the HA group to use for the DNS proxy.
Supported Values: 1 or 2
Default: not set

GSLB Port Section

Parameter: Port
Description: Service port number.
Supported Values: 0-65534
Default: Not set

Parameter: Service Group
Description: Service group to use for the DNS proxy.
If the service group is not already configured, you can select create to configure it. In this case, when you click OK after configuring the service group, you are returned to this section.
Supported Values: Name of a configured service group
Default: Not set

Parameter: Status
Description: State of the virtual server port.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: HA Connection Mirror
Description: Backs up session information on the Standby AX device in an HA configuration. When this option is enabled, sessions remain up even following a failover.
Note: This option also requires configuration of system HA parameters. (See Config > HA > Setting on page 268.)
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Connection Limit
Description: Number of concurrent connections allowed on the DNS proxy.
Supported Values: 0-1000000 (one million)
0 means no limit.
Default: 1000000 (one million)

Parameter: Source NAT Pool
Description: IP address pool to use for IP source Network Address Translation (NAT).
Supported Values: Name of a configured IP address pool
Default: Not set

Parameter: aFleX
Description: Name of an aFleX policy.
Supported Values: Name of an aFleX policy that has been imported onto the AX device.
Default: Not set

Parameter: UDP Template
Description: UDP template to use.
If the template you want to use is not already configured, you can select create to configure it. In this case, when you click OK after configuring the template, you are returned to this section.
Supported Values: Name of a configured template.
Default: The AX default UDP template is used. (See the SLB Parameters chapter in the AX Series Configuration Guide.)


Config > Service > GSLB > Geo-location


The geo-location options enable you to import and load (activate) geo-location databases and to find information in the currently loaded geo-location
database.
Config > Service > GSLB > Geo-location > Import
This option displays sections listed in Table 82.
TABLE 82 GSLB Geo-location Import Parameters

File Section
This section enables you to import a geo-location database from an external server. The table at the bottom of the section lists the geo-location databases that are already on the AX device. The Name column lists the database filename. The Type column indicates whether the database is automatically included with the software (Builtin) or is a custom database that was imported (Template), in which case the data must be extracted using a CSV template.
To import a geo-location database, select or enter values for the following fields, then click Add.

Parameter: Protocol
Description: File transfer protocol to use for importing the geo-location database. Some or all of the following fields appear, depending on your selection.
Supported Values: FTP, TFTP, RCP, or SCP

Parameter: Host
Description: Hostname or IP address of the remote server.
Default: Not set

Parameter: Port
Description: Protocol port on which the remote server listens for the file transfer protocol's traffic.
Supported Values: 0-65535
Configurable only for FTP, for which the default is 21.

Parameter: Location
Description: Filename and directory path on the remote server. Specify the directory path relative to the home directory for the file transfer protocol.
Default: Not set

Parameter: User
Description: Username required for access to the remote server.
Default: Not set

Parameter: Password
Description: Password required for access to the remote server.
Default: Not set

Template Section
This section enables you to configure a template for extracting the geo-location data from an imported geo-location database.

Parameter: Name
Description: Name of the template.
Supported Values: String
Default: Not set

Parameter: Delimiter
Description: Character used to delimit data fields in the CSV file.
Supported Values: ASCII character or its decimal ASCII code (0-255)
Default: comma

Parameters: IP-From, IP-To, Continent, Country, State, City
Description: These fields indicate the position of the field in the CSV file that provides the information required for the database. For example, if the source IP address or subnet is listed in the CSV file in data field 4, enter 4 in the IP-From field.
Supported Values: 1-64
Default: Not set

Load/Unload Section
This section loads or unloads a geo-location database. Loading a geo-location database makes it the active geo-location database to be used by GSLB. Only one geo-location database can be active.

Parameter: File
Description: Name of the CSV file.
Supported Values: Name of an imported CSV file
Default: Not set

Parameter: Template
Description: Name of the CSV template to use to extract data from the file.
Supported Values: Name of a configured CSV template
Default: Not set

Note: If you are loading the IANA database included with the AX device, enter iana in the File field and leave the Template field blank.
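
The Template section in Table 82 maps CSV field positions to geo-location attributes. The following added example (not A10 code) applies such a template to a constructed CSV sample and looks up a client address; it goes slightly beyond the table by accepting either an IP-From/IP-To pair or a subnet in the IP-From field. The class and function names are hypothetical, and the example assumes IPv4 entries with non-overlapping ranges.

```python
import bisect
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

LOCATION_FIELDS = ("continent", "country", "state", "city")


@dataclass
class GeoTemplate:
    """Field positions (1-64, counted from 1) and delimiter, as in Table 82."""
    ip_from: int
    ip_to: Optional[int] = None
    continent: Optional[int] = None
    country: Optional[int] = None
    state: Optional[int] = None
    city: Optional[int] = None
    delimiter: Union[str, int] = ","  # a character, or its decimal ASCII code

    def __post_init__(self):
        if isinstance(self.delimiter, int):
            if not 0 <= self.delimiter <= 255:
                raise ValueError("delimiter code must be 0-255")
            self.delimiter = chr(self.delimiter)
        if len(self.delimiter) != 1:
            raise ValueError("delimiter must be a single character")
        for name in ("ip_from", "ip_to") + LOCATION_FIELDS:
            pos = getattr(self, name)
            if pos is not None and not 1 <= pos <= 64:
                raise ValueError(f"{name} position must be 1-64")


def _field(row, pos):
    """Return the value at 1-based position pos, or None if unset or empty."""
    if pos is None or pos > len(row):
        return None
    return row[pos - 1].strip() or None


def load_database(text, template):
    """Extract (start, end, location) entries from CSV text, sorted by start."""
    entries = []
    reader = csv.reader(io.StringIO(text), delimiter=template.delimiter)
    for lineno, row in enumerate(reader, start=1):
        if not row:
            continue
        first = _field(row, template.ip_from)
        last = _field(row, template.ip_to)
        try:
            if first is None:
                raise ValueError("IP-From field is empty")
            if "/" in first:  # subnet form: derive the range from the prefix
                net = ipaddress.IPv4Network(first, strict=False)
                start, end = int(net.network_address), int(net.broadcast_address)
            else:
                start = int(ipaddress.IPv4Address(first))
                end = int(ipaddress.IPv4Address(last)) if last else start
            if end < start:
                raise ValueError("IP-To is lower than IP-From")
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
        location = {n: _field(row, getattr(template, n)) for n in LOCATION_FIELDS}
        entries.append((start, end, location))
    entries.sort(key=lambda entry: entry[0])
    return entries


def find(entries, client_ip):
    """Return the location for a full client IP address, or None if unmatched."""
    addr = int(ipaddress.IPv4Address(client_ip))
    starts = [entry[0] for entry in entries]
    idx = bisect.bisect_right(starts, addr) - 1
    if idx >= 0 and entries[idx][1] >= addr:
        return entries[idx][2]
    return None


# Constructed sample: semicolon-delimited, address data in fields 4 and 5.
SAMPLE_CSV = (
    "NA;US;California;192.0.2.0;192.0.2.255;San Jose\n"
    "EU;DE;Bavaria;198.51.100.0/25;;Munich\n"
    "AS;JP;Tokyo;203.0.113.0;203.0.113.127;Tokyo\n"
)
TEMPLATE = GeoTemplate(ip_from=4, ip_to=5, continent=1, country=2,
                       state=3, city=6, delimiter=59)  # 59 is ASCII ';'

if __name__ == "__main__":
    db = load_database(SAMPLE_CSV, TEMPLATE)
    for ip in ("192.0.2.10", "198.51.100.77", "198.51.100.200"):
        print(ip, "->", find(db, ip))
```

A template whose IP-From position points at the wrong column fails at load time with the offending line number instead of producing a database that silently matches nothing.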

Config > Service > GSLB > Geo-location > Find


This page lists the geo-location databases on the AX device. To display
entries within a database, click on the database name.
To find entries within the displayed geo-location database:
1. Select Geo-location or IP Address.
   If you select Geo-location, you can specify a range of geo-locations using the From and To fields. You also can select Statistics to display usage statistics for the geo-locations.
   If you select IP Address, enter the client IP address. (You must enter the entire address.)
2. Click Find.

Config > Service > GSLB > Policy


This option displays the configured GSLB policies.
The following configuration sections are displayed when you click Add or
click on a DNS proxy name.
General
Metric
DNS Options
Geo-location

Table 81 lists the GSLB policy parameters.

TABLE 83 GSLB Policy Parameters

General Section

Parameter: Name
Description: Name of the policy.
Supported Values: 1-31 characters

Metric Section
Metrics in the In Use column are enabled in this policy. Metrics in the Not In Use column are disabled in this policy.
To disable a metric, drag it from the In Use column to the Not In Use column.
To enable a metric, drag it from the Not In Use column to the In Use column.
The metrics in the In Use column are used in the order they are listed in the column, from the top down. To re-order metrics in either column, drag-and-drop them to the desired location.

Parameter: Health Check
Description: Service IP addresses that pass their health checks are preferred over addresses that do not pass their health checks.
An IP address that fails its health check is not automatically ineligible to be included in the DNS reply to a client.
Note: This metric requires the GSLB protocol to be enabled on the site AX devices, if the default health checks are used on the service IPs.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Geographic
Description: Service IP addresses for the geographic region where the client is located are preferred over addresses from other regions.
The GSLB AX Series selects the geographic region by matching the client's IP address with the GSLB address ranges configured using geo-location options.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Round Robin
Description: Each service IP address is used sequentially, in rotation. The first service IP address is selected for the first new connection, the second address is selected for the second new connection, and so on until all service IP addresses have been selected. Then selection starts over again with the first service IP address.
Note: If all the enabled metrics in the policy result in a tie (do not definitively select a single site as the best site), the AX device uses round-robin to select a site. This is true even if the round-robin metric is disabled in the GSLB policy.
Note: If the last metric is ordered-ip, and round-robin is disabled, the prioritized list of IP addresses is sent to the client. Round-robin is not used.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Weighted IP
Description: Service IP addresses with higher weight values are preferred over addresses with lower weight values.
As a simple example, assume that the weighted-ip metric is the only enabled metric, or at least always ends up being the tie breaker. IP address 10.10.10.1 has weight 4 and IP address 10.10.10.2 has weight 2. During a given session aging period, the first 4 requests go to 10.10.10.1, the next 2 requests go to 10.10.10.2, and so on, (4 to 10.10.10.1, then 2 to 10.10.10.2).
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Weighted Site
Description: Sites with higher weight values are preferred over sites with lower weight values.
As a simple example, assume that the weighted-site metric is the only enabled metric, or at least always ends up being the tie breaker. Site A has weight 4 and site B has weight 2. During a given session aging period, the first 4 requests go to site A, the next 2 requests go to site B, and so on, (4 to A, then 2 to B).
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Session Capacity
Description: Sites that have not exceeded their thresholds for their respective maximum TCP/UDP sessions are preferred over sites that have exceeded their thresholds.
Example:
Site A's maximum session capacity is 800,000 and Site B's maximum session capacity is 500,000. If the session-capacity threshold is set to 90, then for Site A the capacity threshold is 90% of 800,000, which is 720,000. Likewise, the capacity threshold for Site B is 90% of 500,000, which is 450,000.
Note: This metric requires the GSLB protocol to be enabled on both the GSLB controller and the site AX devices.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Active Servers
Description: Prefers the site that has the most active servers for the requested service.
Supported Values: Enabled or Disabled
Default: Disabled
Parameter: Passive RTT
Description: Sites with faster round-trip times (RTTs) between a client and the site are preferred over sites with slower times. The passive RTT is the time between when the site AX device receives a client's TCP connection (SYN) and the time when the site AX device receives acknowledgement (ACK) back from the client for the connection. Passive RTT measurements are taken for client addresses in each /24 subnet range.
Passive RTT tolerance is a percentage from 0 to 100. It specifies how much the RTT values of sites must differ in order for GSLB to prefer one site over the other based on RTT.
Example:
Site A's RTT value is 0.3 seconds and Site B's RTT value is 0.32 seconds. If the passive RTT tolerance is 10% then the two sites are treated as having the same passive RTT preference.
Note: This metric requires the GSLB protocol to be enabled on both the GSLB controller and the site AX devices.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Active RTT
Description: Selects the site with the fastest round-trip-time for a DNS query and reply between a site AX device and the GSLB local DNS.
The active RTT metric is disabled by default. You can enable it to take either a single sample (single shot) or multiple samples at regular intervals.
1. Click the plus sign to display the Active RTT configuration fields.
2. To use single-shot RTT, select the Single-shot checkbox. To collect multiple samples, do not select the Single-shot checkbox.
   To change settings for single-shot, edit the values in the Timeout and Skip fields.
   To change settings for multiple samples, edit the values in the Samples, Difference, and Tolerance fields.
Note: This metric requires the GSLB protocol to be enabled on both the GSLB controller and the site AX devices.
Supported Values: Enabled or Disabled
Default: Disabled. When you enable Active RTT, a site AX device sends 5 DNS requests to the GSLB domain's local DNS. The GSLB AX device averages the RTT times of the 5 samples.

Parameter: Connection Load
Description: Sites that are at or below their thresholds of average new connections per second are preferred over sites that are above their thresholds.
- Load limit - Specifies the maximum average number of new connections per second the site AX Series can have.
- Samples - Number of samples for the SLB device (the site AX device) to collect.
- Interval - Number of seconds between each sample.
Note: This metric requires the GSLB protocol to be enabled on both the GSLB controller and the site AX devices.
Supported Values: Enabled or Disabled
Default: Disabled
The load limit can be 1-999999999 (999,999,999).
The number of samples can be 1-8.
The sample interval can be 1-60 seconds.
Defaults:
- Load limit - not set
- Samples - 5
- Interval - 5 seconds

Parameter: Num Session
Description: Sites that are at or below their thresholds of current available sessions are preferred over sites that are above their thresholds.
The tolerance specifies the percentage by which the number of available sessions on site SLB devices can differ without causing the num-session metric to select one SLB device over another. Thus, minor differences among SLB devices do not cause frequent, unnecessary changes in site preference.
Example: Site A has 800,000 sessions available and Site B has 600,000 sessions available. The difference between the two sites is 200,000 available sessions. If num-session is set to 10, then Site A is preferred because 200,000 is larger than 10% of 800,000, which is 80,000.
Note: This metric requires the GSLB protocol to be enabled on both the GSLB controller and the site AX devices.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Admin Preference
Description: Selects the service with the highest administratively set preference.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Bandwidth Cost
Description: Selects sites based on bandwidth utilization on the site AX links.
This metric requires an SNMP template. To configure the template, you must use the CLI. See the "Config Commands: Global Server Load Balancing" chapter in the AX Series CLI Reference.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Least Response
Description: Service IP addresses with the fewest hits are preferred over addresses with more hits.
Note: This metric requires the GSLB protocol to be enabled on both the GSLB controller and the site AX devices.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Ordered IP
Description: Service IP addresses are re-ordered in DNS replies to match the order administratively configured for the service.
The prioritized list is sent to the next metric for further evaluation. If ordered-ip is the last metric, the prioritized list is sent to the client.
The ordered list of IP addresses must be configured for the service.
Supported Values: Enabled or Disabled
Default: Disabled

DNS Options Section

Parameter: Action
Description: Specifies the action to perform for DNS traffic. You can specify one of the following:
Note: To take effect, the action options must be configured on the GSLB service. In the current release, the actions can be configured using the CLI only. See the description of the action command (under zone configuration) in the "Config Commands: Global Server Load Balancing" chapter of the AX Series CLI Reference.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Active Only
Description: Removes IP addresses from DNS replies when those addresses fail a health check.
Note: If none of the IP addresses in the DNS reply pass the health check, the GSLB AX Series does not use this metric, since it would result in an empty IP address list.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Best Only
Description: Removes all IP addresses from DNS replies except for the address selected as the best address by the GSLB policy metrics.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Cache
Description: Caches DNS replies and uses them when replying to clients, instead of sending a new DNS request for every client query.
Supported Values: Enabled or Disabled
Default: Disabled
The aging time can be 1-1,000,000,000 seconds (nearly 32 years).
Default: TTL set by the DNS server in the reply
Note: If you change the value and later want to restore it to the default, use the TTL field.

Parameter: CName Detect
Description: Applies GSLB to CNAME records.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: External IP
Description: Returns the external IP address configured for a service IP. The external IP address must be configured on the service IP. This option is disabled by default.
Note: The external IP address must be configured on the service IP.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: IP Replace
Description: Replaces the IP addresses in the DNS reply with the service IP addresses configured for the service.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Geo-location Alias
Description: Returns the alias name configured for the client's geo-location.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Geo-location Action
Description: Performs the DNS traffic handling action specified for the client's geo-location. The action is specified as part of service configuration in a zone.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Geo-location Policy
Description: Uses the GSLB policy assigned to the client's geo-location.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: MX Additional
Description: Appends MX records in the Additional section in replies for A records, when the device is configured for DNS proxy or cache mode.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Server Mode
Description: Directly responds to Address queries for specific service IP addresses in the GSLB zone. (The AX device still forwards other types of queries to the DNS server.)
If you use this option, you do not need to use the CName Detect option. When a client requests a configured alias name, GSLB applies the policy to the CNAME records.
- The Authoritative Mode option makes the AX device the authoritative DNS server for the GSLB zone, for the service IPs in which you enable the Static option. If you omit the Authoritative Mode option, the AX device is a non-authoritative DNS server for the zone domain.
- The Full Server List option appends all A records in the Authoritative section of DNS replies.
- The MX option provides the MX record in the Answer section, and the A record for the mail server in the Additional section, when the device is configured for DNS server mode.
- The MX Additional option enables the GSLB AX device to provide the A record containing the mail server's IP address in the Additional section, when the device is configured for DNS server mode.
- The NS option provides the name server record.
- The Auto NS option provides A records for NS records automatically.
- The PTR option provides the pointer record.
- The Auto PTR option provides pointer records automatically.
Note: To place the Server Mode option into effect, you also must enable the Static option on the individual service IP. (To configure the service IP addresses, see "Config > Service > GSLB > Service IP" on page 190.)
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Sticky
Description: Sends the same service IP address to a client for all requests from that client for the service address.
- The DNS Client IP mask specifies the granularity of the feature.
- The Aging Time specifies how many minutes a DNS reply remains sticky.
Note: If you enable the Sticky option, the sticky time must be as long or longer than the zone TTL.
Supported Values: Enabled or Disabled
The aging time can be 1-65535 minutes.
Default: Disabled. The default aging time is 5 minutes.

Parameter: TTL
Description: Specifies the value to which the AX Series changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy.
Supported Values: 0-1000000 (1 million) seconds.
Default: 10 seconds

Geo-location Section

Parameter: Match First
Description: Specifies whether to match the requested IP address with the global geo-location table or with the geo-location table configured in the policy.
Supported Values: Global or Policy
Default: Global

Parameter: Overlap
Description: Specifies whether overlap matching is enabled.
Supported Values: Enabled or disabled
Default: Disabled

Config > Service > GSLB > Service IP


This option displays the configured GSLB services.
The Service IP and Port sections are displayed when you click Add or click
on a service name.
Table 84 lists the GSLB service parameters.

TABLE 84 GSLB Service IP Parameters
Service IP Section

Parameter: Name
Description: Name of the service.
Supported Values: Default: None configured

Parameter: IP Address
Description: IP address of the service.
Supported Values: Default: None configured

Parameter: External IP Address
Description: Assigns an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network.
Supported Values: Default: None configured

Parameter: Health Monitor
Description: Health monitor to use for checking the health of the service IP address. You can specify any health monitor (Layer 3, 4 or 7). If you do not specify a health monitor, the default Layer 3 health monitor (ICMP ping) is used.
If the monitor you want to use is not already configured, you can select create to configure it. In this case, when you click OK after configuring the monitor, you are returned to this section.
Note: If you leave the health monitor for a service at its default setting (the default ICMP ping health check), the health checks for the service IP and its ports are performed within the GSLB protocol.
If you use a custom health monitor, or you explicitly apply the default Layer 3 health monitor to the service, the GSLB protocol is not used for any of the health checks.
Supported Values: Name of a configured health monitor, or blank (disabled)
Default: Enabled; default and ping (ICMP)

Parameter: Status
Description: State of the service.
Supported Values: Enabled or Disabled
Default: Enabled

Port Section
Use this section to add the services to the service IP.

Parameter: Port
Description: Protocol port number.
Supported Values: 0-65535
Default: None

Parameter: Protocol
Description: Layer 4 transport protocol.
Supported Values: TCP or UDP
Default: TCP

Parameter: Health Monitor
Description: Health monitor to use to check the health of the service.
Note: If you use a custom health monitor for a service port, the port number specified in the service configuration is used instead of the port number specified in the health monitor configuration.
Supported Values: Configured health monitor
Default: (default). This is the default TCP or UDP health monitor.


Config > Service > GSLB > Site


This option displays the configured GSLB sites.
The following configuration sections are displayed when you click Add or
click on a GSLB site name.
General
SLB-Device
Template
IP-Server
Geo-location
Options

Table 85 lists the GSLB site parameters.


TABLE 85 GSLB Site Parameters
General Section

Parameter: Name
Description: Name of the site.
Supported Values: 1-31 alphanumeric characters
Default: None

Parameter: Weight
Description: Assigns a weight to the site. If the weighted-site metric is enabled in the policy and all metrics before weighted-site result in a tie, the site with the highest weight is preferred.
Supported Values: 1-100
Default: 1

Parameter: Template
Description: Binds a template to the site. To use the bw-cost metric, use this option to bind a GSLB SNMP template to the site.
Supported Values: Name of a configured GSLB template
Default: Not set

SLB Device Section
Clicking Add in this section displays the SLB-Device section, which contains the following fields. Click OK when finished to return to the Config > Service > GSLB > Site page.

Parameter: Device
Description: Name of an SLB device (an AX device configured to provide SLB) at the site.
Supported Values: 1-31 alphanumeric characters
Default: None

Parameter: IP Address
Description: IP address of the SLB device.
Supported Values: Default: None configured

Parameter: Admin Preference
Description: Assigns a preference value to the SLB device. If the admin-preference metric is enabled in the policy and all metrics before this one result in a tie, the SLB device with the highest admin-preference value is preferred.
Supported Values: 0-255
Default: 100

Parameter: Max Client
Description: Specifies the maximum number of GSLB clients for the device.
Supported Values: 1-2147483647
Default: 32768

Parameter: Gateway
Description: Specifies the gateway.
Supported Values: Valid IP address
Default: None

Parameter: Passive RTT Timer
Description: For passive RTT, specifies the number of seconds during which samples are collected during each sampling period.
Supported Values: 1-255
Default: 3

Parameter: VIP Server
Description: Maps GSLB services to the SLB device.
1. Select the service IP from the drop-down list. If the service IP you want to use is not already configured, you can select create to configure it. In this case, when you click OK after configuring the service, you are returned to this section.
2. Click Add.
Supported Values: Default: Not set

Template Section
This section configures a GSLB SNMP template for use with the bw-cost metric.
To configure a template, enter all of the information into the fields, then click Add.

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-63 characters

Parameter: User Name
Description: Specifies the SNMPv3 username required for access to the SNMP agent on the site AX device.
Supported Values: String

Parameter: Community
Description: For SNMPv1 or v2c, specifies the community string required for authentication.
Supported Values: String

Parameter: Host
Description: Specifies the IP address of the site AX device.
Supported Values: Valid IP address

Parameter: Port
Description: Specifies the protocol port on which the site AX devices listen for the SNMP requests from the GSLB AX device.
Supported Values: 0-65534
Default: 161

Parameter: Version
Description: Specifies the SNMP version running on the site AX device.
Supported Values: v1, v2c, or v3

Parameter: OID
Description: Specifies the interface MIB object to query on the site AX device.
Note: If the object is part of a table, make sure to append the table index to the end of the OID. Otherwise, the AX device will return an error.
Supported Values: Valid OID

Parameter: Interface
Description: Specifies the SNMP interface ID.
Supported Values: Valid SNMP interface ID

Parameter: Security-level
Description: Specifies the SNMPv3 security level:
- no-auth - Authentication is not used and encryption (privacy) is not used.
- auth-no-priv - Authentication is used but encryption is not used.
- auth-priv - Both authentication and encryption are used.
Supported Values: One of the following:
- no-auth
- auth-no-priv
- auth-priv
Default: no-auth

Parameter: Security-engineid
Description: Specifies the ID of the SNMPv3 security engine running on the site AX device.
Supported Values: String of 1-127 characters

Parameter: Auth-key
Description: Specifies the authentication key.
Note: This option is applicable only if the security level is auth-no-priv or auth-priv.
Supported Values: String of 1-127 characters

Parameter: Auth-proto
Description: Specifies the authentication protocol.
Note: This option is applicable only if the security level is auth-no-priv or auth-priv.
Supported Values: sha or md5

Parameter: Priv-key
Description: Specifies the encryption key.
Note: This option is applicable only if the security level is auth-priv.
Supported Values: String of 1-127 characters

Parameter: Priv-proto
Description: Specifies the privacy protocol used for encryption.
Note: This option is applicable only if the security level is auth-priv.
Supported Values: aes or des

Parameter: Context-engineid
Description: Specifies the ID of the SNMPv3 protocol engine running on the site AX device.
Supported Values: String

Parameter: Context-name
Description: Specifies an SNMPv3 collection of management information objects accessible by an SNMP entity.
Supported Values: String

Parameter: Interval
Description: Specifies the amount of time between each SNMP GET to the site AX devices.
Supported Values: 1-999 seconds
Default: 3

IP-Server Section
This section adds service IPs to the site. To add a service IP to the site, select the service IP from the drop-down list and click Add.

Parameter: Name
Description: Name of the service IP.
Supported Values: Name of a configured service IP

Parameter: IP Address
Description: IP Address of the service IP.
Supported Values: IP address of the configured service IP

Geo-location Section
This section adds a geo-location database or manually configured geo-locations.
To add a geo-location database, select it from the leftmost drop-down list next to Geo-location, and click Add.
To add a manually configured geo-location, select up to four nodes from the drop-down lists. Select them from left to right. After selecting the nodes for a geo-location, click Add.

Parameter: Name
Description: Geo-location name.
Supported Values: Name of a manually configured geo-location
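
The Template Section fields above default to Security-level no-auth and also accept md5, des and community-based v1/v2c access, so a template is worth checking before it is bound to a site. The audit below is an added example, not A10 code: the dictionary keys (the field labels in lowercase), the severity labels and the finding codes are assumptions, and the sample templates are constructed.

```python
# Added example: audit of GSLB SNMP template settings (not A10 code).
# Keys are the Template Section field labels in lowercase. The dict layout,
# severity labels and finding codes are assumptions made for this example.

# SNMPv3 options and the security levels they apply to, per the table notes.
APPLIES = {
    "auth-key": {"auth-no-priv", "auth-priv"},
    "auth-proto": {"auth-no-priv", "auth-priv"},
    "priv-key": {"auth-priv"},
    "priv-proto": {"auth-priv"},
}
LEVELS = {"no-auth", "auth-no-priv", "auth-priv"}


def audit_template(tpl):
    """Return a sorted list of (severity, code) findings for one template."""
    found = set()
    version = str(tpl.get("version", "")).lower()
    level = str(tpl.get("security-level", "no-auth")).lower()  # documented default

    port = tpl.get("port", 161)  # documented default
    if not isinstance(port, int) or not 0 <= port <= 65534:
        found.add(("error", "port-out-of-range"))

    if version in ("v1", "v2c"):
        # v1/v2c authenticate with a community string sent unencrypted.
        found.add(("high", "community-in-cleartext"))
        return sorted(found)
    if version != "v3":
        found.add(("error", "unknown-version"))
        return sorted(found)
    if level not in LEVELS:
        found.add(("error", "unknown-security-level"))
        return sorted(found)

    if level == "no-auth":
        found.add(("high", "v3-without-auth-or-privacy"))
    elif level == "auth-no-priv":
        found.add(("medium", "v3-without-privacy"))

    for field, levels in APPLIES.items():
        value = tpl.get(field)
        if value and level not in levels:
            # Set, but the table says it does not apply at this level.
            found.add(("medium", field + "-not-applicable"))
        elif field.endswith("-key") and level in levels:
            if not value or not 1 <= len(value) <= 127:
                found.add(("error", field + "-missing-or-bad-length"))

    if level in APPLIES["auth-proto"] and str(tpl.get("auth-proto", "")).lower() == "md5":
        found.add(("medium", "weak-auth-proto-md5"))
    if level in APPLIES["priv-proto"] and str(tpl.get("priv-proto", "")).lower() == "des":
        found.add(("medium", "weak-priv-proto-des"))
    return sorted(found)


# Constructed sample templates (names, users and keys are placeholders).
SAMPLES = {
    "default-v3": {"version": "v3", "user-name": "gslb-poll"},
    "v2c": {"version": "v2c", "community": "example-community"},
    "legacy-v3": {"version": "v3", "security-level": "auth-priv",
                  "auth-proto": "md5", "auth-key": "k" * 16,
                  "priv-proto": "des", "priv-key": "p" * 16},
    "mismatch": {"version": "v3", "security-level": "auth-no-priv",
                 "auth-proto": "sha", "auth-key": "k" * 16,
                 "priv-proto": "aes", "priv-key": "p" * 16},
    "hardened": {"version": "v3", "security-level": "auth-priv",
                 "auth-proto": "sha", "auth-key": "k" * 16,
                 "priv-proto": "aes", "priv-key": "p" * 16},
}

if __name__ == "__main__":
    for name, template in SAMPLES.items():
        print(name, audit_template(template) or "no findings")
```

The "mismatch" template is the case that is easy to miss in the GUI: a privacy key and protocol are filled in, but the level is auth-no-priv, so the polling traffic is still unencrypted.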

Options Section
This section configures site settings for the bw-cost (bandwidth cost), active RTT, and passive RTT metrics.

Parameter: Bandwidth Cost
Description: Configures options for the bandwidth-cost metric:
- Limit - Specifies the maximum amount the SNMP object queried by the GSLB AX device can increment since the previous query, in order for the site to remain eligible for selection as the best site.
- Threshold - For a site to regain eligibility when bw-cost is being compared, the SNMP object's incremental value must be below the threshold-percentage of the limit value.
For example, if the limit value is 80000 and the threshold is 90, the limit value must increment by 72000 or less, in order for the site to become eligible again based on bandwidth cost. Once a site again becomes eligible, the SNMP object's value is again allowed to increment by as much as the bandwidth limit value (80000, in this example).
Supported Values: The following settings are supported:
- Limit - 0-2147483647
- Threshold - 0-100
Defaults:
- Limit - Not set
- Threshold - Not set

Parameter: Active RTT
Description: Configures options for the active RTT metric:
- Aging Time - Specifies the maximum number of minutes during which a stored active-RTT result can be used.
- Bind Geoloc - Stores the active-RTT measurements on a per geo-location basis. Without this option, the measurements are stored on a per site-SLB device basis.
- Overlap - Allows overlap for the Bind option, to ensure the most precise match.
- Limit - Specifies the maximum RTT allowed for the site. If the RTT measurement for a site exceeds the configured limit, GSLB does not eliminate the site. Instead, GSLB moves to the next metric in the policy. You can specify 0-16383 milliseconds (ms).
- Mask - Specifies the IPv4 client subnet mask length.
- Range Factor - Specifies the maximum percentage a new active-RTT measurement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again.
  For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement cannot be used.
- Smooth Factor - Blends the new measurement with the previous one, to smoothen the measurements.
  For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of the new measurement is used, along with 50% of the previous measurement.
Supported Values: The following settings are supported:
- Aging Time - 1-60 minutes
- Bind Geoloc - Enabled or disabled
- Overlap - Enabled or disabled
- Limit - 1-1023
- Mask - 1-32
- Range Factor - 1-1000
- Smooth Factor - 1-100
Defaults:
- Aging Time - 10 minutes
- Bind Geoloc - Disabled
- Overlap - Disabled
- Limit - 16383 ms
- Mask - 32
- Range Factor - 25
- Smooth Factor - 10

Parameter: Passive RTT
Description: The Passive RTT options are the same as those available for Active RTT. (See above.)
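
The bw-cost Limit/Threshold rule and the RTT Range Factor and Smooth Factor rules from the Options Section, written out as an added example (not A10 code). Function names and sample readings are constructed, and applying the range check before smoothing is an assumption, since the table describes the two factors separately.

```python
# Added example (not A10 code): the Options Section rules as functions.
# Names and sample readings are constructed for illustration.


def bw_cost_eligibility(readings, limit, threshold_pct):
    """Return [(increment, eligible)] for successive SNMP object readings."""
    eligible = True
    results = []
    for previous, current in zip(readings, readings[1:]):
        increment = current - previous
        if eligible:
            # Stay eligible while the increment does not exceed the limit.
            eligible = increment <= limit
        else:
            # Regain eligibility only at or below threshold-percent of the
            # limit (the table's example: limit 80000, threshold 90 -> 72000).
            eligible = increment <= limit * threshold_pct / 100
        results.append((increment, eligible))
    return results


def filter_rtt(previous, new, range_factor=25, smooth_factor=10):
    """Return the RTT value kept after a new measurement arrives."""
    if previous is None:
        return float(new)  # first sample: nothing to compare against
    low = previous * (100 - range_factor) / 100
    high = previous * (100 + range_factor) / 100
    if not low <= new <= high:
        return previous  # out of range: discard, reuse the previous value
    # Blend smooth_factor percent of the new value with the rest of the old.
    return (smooth_factor * new + (100 - smooth_factor) * previous) / 100


def track_rtt(samples, range_factor=25, smooth_factor=10):
    """Run filter_rtt over a series and return the stored value after each."""
    stored, history = None, []
    for sample in samples:
        stored = filter_rtt(stored, sample, range_factor, smooth_factor)
        history.append(stored)
    return history


if __name__ == "__main__":
    # Constructed SNMP readings: one burst of 90000 exceeds the limit.
    readings = [0, 50000, 140000, 215000, 287000, 367000]
    for inc, ok in bw_cost_eligibility(readings, 80000, 90):
        print(inc, "eligible" if ok else "not eligible")
    # Constructed RTT samples in ms: the 400 ms spike is discarded.
    print(track_rtt([100, 110, 400, 90]))
```

With the default factors a single outlier cannot move the stored RTT at all, and an accepted sample moves it by at most a tenth of the difference, which limits how far one abnormal measurement can shift site selection.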

Config > Service > GSLB > Zone


This option displays the configured GSLB zones.
The Zone section is displayed when you click Add or click on a GSLB zone
name.
Table 86 lists the GSLB zone parameters.

TABLE 86 GSLB Zone Parameters
Zone Section

Parameter: Name
Description: Name of the zone.
Supported Values: 1-31 alphanumeric characters
Default: None
Note: You can use lower case characters and upper case characters. However, since Internet domain names are case-insensitive, the AX device internally converts all upper case characters in GSLB zone names to lower case.

Parameter: TTL
Description: Enables the TTL option and displays the TTL Time field.
Supported Values: Selected or not selected.
Default: not selected

Parameter: TTL Time
Description: Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy, for this zone.
Supported Values: 0-1000000 (1 million) seconds.
Default: 10 seconds

Parameter: Policy
Description: Applies a GSLB policy to the zone.
Supported Values: Name of a configured GSLB policy
Default: default


Service Section
This section adds services to the zone.
Note: The service IPs must already be configured. If you have not already configured them, see Config > Service
> GSLB > Service IP on page 190.
1. Click Add.
2. Enter a name for the service in the Service field.
3. Select the service type from the Port drop-down list.
If the service type is not in the list, select Other to display an input field with a port number in it. Edit the
port number to the number for the service.
4. To use a GSLB policy other than the zone's policy (the default setting), select the policy from the Policy drop-down list.
5. To specify the action to take for DNS requests or responses, select the action from the Action drop-down list.
(See Action Options on Service Section on page 199.)
6. To configure DNS Address (A) records for the service, use the DNS Address Record section. (See DNS
Address Record Section on page 199.)
7. To configure DNS Mail Exchange (MX) records for the service, use the DNS Address Record section. (See
DNS MX Record Section on page 200.)
8. To configure a Canonical Name (CNAME) record for the service, use the DNS CNAME Record section. (See
DNS CNAME Record Section on page 200.)
9. To configure a Name Server (NS) record for the service, use the DNS NS Record section. (See DNS NS Record
Section on page 200.)
10. To configure a Pointer (PTR) record for the service, use the DNS PTR Record section. (See DNS PTR Record
Section on page 200.)
11. To configure geo-location settings for the service, use the Geo-location section. (See Geo-location Section on
page 200.)
12. Click OK.
The port can be a well-known name recognized by the AX device or a port number from 1 to 65535.
The service name can be 1-31 alphanumeric characters. (For the same reason described for zone names, the AX
device converts all upper case characters in GSLB service names to lower case.)

DNS MX Record Section


Use this section if you need to add Mail Exchange (MX) records for the zone.
1. In the Name field, enter the fully-qualified domain name of the mail server for the zone.
2. If more than one MX record will be configured for the zone, enter the priority of this MX record in the Priority
field. The priorities of the MX records determine the order in which the mail server should attempt to deliver mail
to the MX hosts. The MX record with the lowest priority number has the highest priority and is tried first. The priority can be 0-65535. There is no default.
3. Click Add.

DNS NS Record Section


Use this section if you need to configure Name Server (NS) records for the zone. Enter the record name in the
Name field, then click Add.

Action Options on Service Section
Use this section to configure general settings for the service. The action can
be one of the following:
- Not set (default)
- Forward Response - Forwards responses to the local DNS server, but does not forward queries to the Authoritative DNS server.
- Forward Both - Forwards queries to the Authoritative DNS server, and forwards responses to the local DNS server.
- Forward Query - Forwards queries to the Authoritative DNS server, but does not forward responses to the local DNS server.
- Drop - Drops DNS queries from the local DNS server.
- Reject - Rejects DNS queries from the local DNS server and returns the Refused message in replies.


DNS Address Record Section
Use this section if you need to add Address (A) records for the service. The
A records are used with the DNS IP Replace option in the GSLB policy.
Note: The no-response option is not valid with the Static or as-replace option.

To add an A record:
1. Select the VIP from the VIP Order drop-down list.
2. Select the as-replace option to replace the IP address in DNS replies to
clients. To use this option, you also must enable the DNS IP Replace
option in the GSLB policy.
3. Optionally, select the no-response option to prevent the IP address for
this site from being included in DNS replies to clients.
4. If the GSLB AX device will act as the DNS server for this service IP
address, select Static. To use this option, you also must enable the Server
Mode option in the GSLB policy.
5. To assign a weight to the service, enter the value in the Weight field. If
the weighted-ip metric is enabled in the policy and all metrics before
weighted-ip result in a tie, the service on the site with the highest weight
is selected. The weight can be 1-100. By default, the weight is not set.
6. Click Add.
The VIP addresses are placed in the DNS reply in the order they appear in
this section, starting with the VIP at the top of the list. To re-order the VIP
addresses, select the row for one of the A records and click Move Up or
Move Down.
DNS MX Record Section
Use this section if you need to add Mail Exchange (MX) records for the service.
1. In the Name field, enter the fully-qualified domain name of the mail
server for the service.
2. If more than one MX record will be configured for the same service,
enter the priority of this MX record in the Priority field. The priorities of
the MX records determine the order in which the mail server should
attempt to deliver mail to the MX hosts. The MX record with the lowest
priority number has the highest priority and is tried first. The priority
can be 0-65535. There is no default.
3. Click Add.
DNS CNAME Record Section
Use this section if you need to configure CNAME (alias) records for the service.
To configure an alias, enter the alias in the Name field, then click Add.
DNS NS Record Section
Use this section if you need to configure Name Server (NS) records for the
service.
Enter the record name in the Name field, then click Add.
DNS PTR Record Section
Use this section if you need to configure Pointer (PTR) records for the service.
Enter the record name in the Name field, then click Add.
Geo-location Section
Use this section to configure geo-location parameters for the service.
1. In the Geo-location field, enter the geo-location name.
2. To configure an alias for the geo-location, enter the alias name in the
Alias field.
3. To set a DNS action for the geo-location, click Action and select the
action from the drop-down list:
   - Forward Response - Forwards responses to the local DNS server, but does not forward queries to the Authoritative DNS server.
   - Forward Both - Forwards queries to the Authoritative DNS server, and forwards responses to the local DNS server.
   - Forward Query - Forwards queries to the Authoritative DNS server, but does not forward responses to the local DNS server.
   - Drop - Drops DNS queries from the local DNS server.
   - Reject - Rejects DNS queries from the local DNS server and returns the Refused message in replies.
4. To use a GSLB policy other than the zone's policy (the default setting),
click Policy and select the policy from the drop-down list.
5. Click Add.

Config > Service > GSLB > Global


This page displays the global GSLB settings you can configure.
Table 87 lists the global GSLB parameters.
TABLE 87 GSLB Global Parameters
Global Section

Parameter: Run GSLB as Site SLB Device
Description: Select this option if the AX device will perform SLB at one of the GSLB sites.
Selecting this option displays the Enable Passive RTT option, which enables you to enable collection of passive RTT samples for the site. Enable this option if you plan to use the Passive RTT metric in the GSLB policy used by this site.
Note: To use the passive RTT metric, you also must enable the Passive RTT metric in the policy.
Note: If the AX device will also manage all the SLB sites in the GSLB deployment, also select Run GSLB as Controller.
Supported Values: Enabled or Disabled
Default: Disabled
Passive RTT is also disabled by default.

Parameter: Run GSLB as Controller
Description: Select this option if the AX device will manage all the SLB sites in the GSLB deployment.
Note: The A10 Networks GSLB protocol uses port 4149. The protocol is registered on this port for both TCP and UDP.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: GSLB Protocol Update Interval
Description: Specifies the number of seconds between GSLB status messages.
Supported Values: 1-300 seconds
Default: 30 seconds

Parameter: GSLB Protocol Limits
Description: Changes message limits for the GSLB protocol.
Note: Generally, these settings do not need to be changed.
Supported Values: For each of these, you can specify 0-1000000.
Defaults:
- Active RTT query - 200
- Active RTT Response - 1000
- Active RTT Session - 32768
- Passive RTT Response - 1000
- Connection Load Response - Unlimited
- Response - 3600
- Message - 10000

Parameter: GSLB Active RTT
Description: Configures global settings for the active RTT metric.
- Domain - Specifies the domain for active-RTT queries.
- Interval - Specifies the number of seconds between queries.
- Retry - Specifies the number of times GSLB will resend a query to which no reply has been received.
- Sleep - Specifies the number of seconds during which GSLB will stop sending queries, if the number of retries is used and no reply has been received.
- Timeout - Specifies the number of milliseconds GSLB will wait for a reply before resending the query.
- Track - Specifies the tracking time.
Supported Values: You can specify the following values:
- Domain - Valid domain name
- Interval - 1-120 seconds
- Retry - 0-16
- Sleep - 1-300 seconds
- Timeout - 1-1023 milliseconds (ms)
- Track - 15-3600 seconds
Defaults:
- Interval - 1 second
- Retry - 3
- Sleep - 3 seconds
- Timeout - 1000 ms
- Track - 60 seconds

Metrics That Require the GSLB Protocol on Site AX Devices


AX devices use the GSLB protocol for GSLB management traffic. The protocol is required to be enabled on the GSLB controller. The protocol is recommended on site AX devices but is not required. However, some GSLB
policy metrics require the protocol to be enabled on the site AX devices as
well as the GSLB controller:
- session-capacity
- active-rtt
- passive-rtt
- connection-load
- num-session
- least-response

The GSLB protocol is required in order to collect the site information provided for these metrics.

Note: The GSLB protocol is also required for the health-check metric, if the default health checks are used. If you modify the health checks, the GSLB protocol is not required.

Config > Service > aFleX


This page displays the aFleX policies that have been imported onto the AX
device.
The aFleX section is displayed when you click Add or click on an aFleX
policy name.
To import a new aFleX policy, enter a name for the policy, then copy and
paste the script into the Definition field and click OK.

Config > Service > IP Source NAT


The IP Source NAT pages enable you to configure IP source Network
Address Translation (NAT).
Layer 3 NAT translates internal host addresses into globally routable
addresses before sending the hosts' traffic to the Internet. When reply traffic
is received, the AX device then retranslates addresses back into internal
addresses before sending the reply to the client.
You can configure dynamic or static IP source NAT:
- Dynamic source IP NAT: Internal addresses are dynamically translated into global addresses from a pool.
- Static source IP NAT: Internal addresses are explicitly mapped to global addresses.

To configure dynamic IP Source NAT, you can use the IPv4, IPv6, Group,
Binding, and Interface options.
To configure static IP source NAT, you can use the NAT Range, Global, and
Interface options.
Configuration Elements for Dynamic NAT
Dynamic NAT uses the following configuration elements:
- ACL to identify the inside host addresses to be translated. (You must configure the ACL first. See Config > Network > ACL on page 228.)
- Pool to identify a contiguous range of global addresses into which to translate inside addresses. (Use the IPv4 and IPv6 pages.)
- Optionally, pool group to use non-contiguous address ranges. To use a non-contiguous range of addresses, you can configure separate pools, then combine them in a pool group and map the ACL to the pool group. The addresses within an individual pool still must be contiguous, but you can have gaps between the ending address in one pool and the starting address in another pool. You also can use pools that are in different subnets.
  A pool group can contain up to 5 pools. Pool group members must belong to the same protocol family (IPv4 or IPv6) and must use the same HA ID. A pool can be a member of multiple pool groups. Up to 50 NAT pool groups are supported.
  (To configure a pool group, use the Group page.)
- Inside NAT setting on the interface connected to the inside host.
- Outside NAT setting on the interface connected to the Internet. Inside host addresses are translated into global addresses from a pool before the host traffic is sent to the Internet.
  (To set the NAT interfaces, use the Interface page.)

Note: In addition, on some AX models, if Layer 2 IP NAT is required, you also must enable CPU processing on the NAT interfaces. This applies to models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200.
Configuration Elements for Static NAT
Static NAT uses the following configuration elements:
- Address range list or static translations: Contiguous ranges of inside addresses and global addresses to translate them into, or individual mappings of inside to global addresses.
  (To enable static NAT and configure the address mappings, use the Global and NAT Range pages.)
- Inside NAT setting on the interface connected to the inside host.
- Outside NAT setting on the interface connected to the Internet. Inside host addresses are translated into global addresses from a static mapping or a range list before the host traffic is sent to the Internet.
  (To set the NAT interfaces, use the Interface page.)

Config > Service > IP Source NAT > IPv4 Pool


This option lists the configured IPv4 pools.
The IPv4 Pool section is displayed when you click Add or click on an IPv4
pool name.
Table 88 lists the IPv4 pool parameters.
TABLE 88 IPv4 Pool Parameters

IPv4 Pool Section

Name
  Description: Name of the address pool.
  Supported values: String

Start IP Address
  Description: Beginning (lowest) IP address in the range.
  Supported values: Valid IPv4 address

End IP Address
  Description: Ending (highest) IP address in the range.
  Supported values: Valid IPv4 address

Netmask
  Description: Network mask for the IP addresses in the pool.
  Supported values: Valid IPv4 network mask

Gateway
  Description: Default gateway to use for NATted traffic.
  Supported values: IP address of the next-hop router to use as the default gateway for NATted traffic.

HA Group
  Description: HA group ID to use for session backup.
  Supported values: Number of a configured HA group. Default: Not set

Config > Service > IP Source NAT > IPv6 Pool


This option lists the configured IPv6 pools.
The IPv6 Pool section is displayed when you click Add or click on an IPv6
pool name.
Table 89 lists the IPv6 pool parameters.

TABLE 89 IPv6 Pool Parameters

IPv6 Pool Section

Name
  Description: Name of the address pool.
  Supported values: String

Start IP Address
  Description: Beginning (lowest) IP address in the range.
  Supported values: Valid IPv6 address

End IP Address
  Description: Ending (highest) IP address in the range.
  Supported values: Valid IPv6 address

Netmask Length
  Description: Number of bits in the network mask for the IP addresses in the pool.
  Supported values: 96-128

Gateway
  Description: Default gateway to use for NATted traffic.
  Supported values: IP address of the next-hop router to use as the default gateway for NATted traffic.

HA Group
  Description: HA group ID to use for session backup.
  Supported values: Number of a configured HA group. Default: Not set

Config > Service > IP Source NAT > Group


This option lists the configured pool groups.
The Group section is displayed when you click Add or click on a pool group
name.
Table 90 lists the pool group parameters.
TABLE 90 Pool Group Parameters

Group Section

Name
  Description: Name of the pool group.
  Supported values: String

IPv4/IPv6
  Description: Type of addresses to be used in the group.
  Supported values: IPv4 or IPv6

Group Member
  Description: The IP address pools in the group.
    1. Select a configured address pool from the Available Pool drop-down list.
    2. Click Add.
  Supported values: Names of configured pools.
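
The pool and pool-group rules stated in this section (start and end of a pool form one contiguous range, IPv6 netmask length 96-128, at most 5 pools per group, one protocol family and one HA ID per group, at most 50 groups) can be checked against a planned configuration before it is entered in the GUI. The following Python code is an added example, not A10 code; the Pool record, the function names and the sample pools are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_POOLS_PER_GROUP = 5                  # a pool group can contain up to 5 pools
MAX_POOL_GROUPS = 50                     # up to 50 NAT pool groups are supported
IPV6_MASK_MIN, IPV6_MASK_MAX = 96, 128   # Table 89, Netmask Length


@dataclass(frozen=True)
class Pool:
    """One planned NAT pool (hypothetical record, not an AX data structure)."""
    name: str
    start: str
    end: str
    mask_len: int                    # prefix length; only range-checked for IPv6
    ha_group: Optional[int] = None   # None means "Not set"

    @property
    def version(self) -> int:
        return ipaddress.ip_address(self.start).version

    @property
    def size(self) -> int:
        first, last = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)
        return int(last) - int(first) + 1


def check_pool(pool: Pool) -> List[str]:
    """Per-pool checks: one address family, start <= end, IPv6 mask length."""
    first, last = ipaddress.ip_address(pool.start), ipaddress.ip_address(pool.end)
    if first.version != last.version:
        return [f"{pool.name}: start and end addresses are in different families"]
    errors = []
    if int(first) > int(last):
        errors.append(f"{pool.name}: start address is higher than end address")
    if first.version == 6 and not IPV6_MASK_MIN <= pool.mask_len <= IPV6_MASK_MAX:
        errors.append(f"{pool.name}: netmask length {pool.mask_len} is outside 96-128")
    return errors


def check_config(pools: Dict[str, Pool], groups: Dict[str, List[str]]) -> List[str]:
    """Return every rule violation found in the planned pools and pool groups."""
    errors = [e for pool in pools.values() for e in check_pool(pool)]
    if len(groups) > MAX_POOL_GROUPS:
        errors.append(f"{len(groups)} pool groups, maximum is {MAX_POOL_GROUPS}")
    for group, members in groups.items():
        if len(members) > MAX_POOLS_PER_GROUP:
            errors.append(f"{group}: {len(members)} pools, maximum is {MAX_POOLS_PER_GROUP}")
        errors += [f"{group}: pool {m} is not configured" for m in members if m not in pools]
        known = [pools[m] for m in members if m in pools]
        if len({p.version for p in known}) > 1:
            errors.append(f"{group}: mixes IPv4 and IPv6 pools")
        if len({p.ha_group for p in known}) > 1:
            errors.append(f"{group}: members use different HA IDs")
    return errors


def group_capacity(pools: Dict[str, Pool], members: List[str]) -> int:
    """Number of global addresses a pool group offers for translation."""
    return sum(pools[m].size for m in members)


# Constructed sample plan (documentation address ranges).
POOLS = {
    "dmz-a": Pool("dmz-a", "192.0.2.10", "192.0.2.19", 24, ha_group=1),
    "dmz-b": Pool("dmz-b", "198.51.100.100", "198.51.100.149", 24, ha_group=1),
    "lab-v6": Pool("lab-v6", "2001:db8::10", "2001:db8::1f", 64, ha_group=2),
    "rev": Pool("rev", "203.0.113.50", "203.0.113.40", 24, ha_group=1),
}
GROUPS = {
    "internet": ["dmz-a", "dmz-b"],   # two non-contiguous pools in different subnets
    "mixed": ["dmz-a", "lab-v6"],     # different families and different HA IDs
}

if __name__ == "__main__":
    for problem in check_config(POOLS, GROUPS):
        print(problem)
    print("internet capacity:", group_capacity(POOLS, GROUPS["internet"]))
```
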


Config > Service > IP Source NAT > Binding


This page enables you to bind ACLs to IP address pools or pool groups for
dynamic NAT. To create a binding:
1. Select a configured ACL from the ACL drop-down list.
2. Select a configured pool or pool group from the NAT Pool drop-down
list.
3. Click Add.
4. Repeat if needed for additional bindings.
5. Click OK.
Note: The GUI supports binding IPv4 pools to ACLs but not IPv6 pools. To
bind an IPv6 pool to an ACL, use the CLI instead.

Config > Service > IP Source NAT > Interface


This page identifies the inside and outside NAT interfaces.
1. Select the inside interface from the Interface drop-down list.
2. Select Inside from the Direction drop-down list, if not already selected.
3. Click Add.
4. Repeat if needed for additional inside interfaces.
5. Select the outside interface from the Interface drop-down list.
6. Select Outside from the Direction drop-down list.
7. Click Add.
8. Click OK.

Config > Service > IP Source NAT > NAT Range


This option lists the configured static NAT range lists.
The NAT Range section is displayed when you click Add or click on a range
list name.
Table 91 lists the NAT range parameters.
TABLE 91 NAT Range Parameters

NAT Range Section

Name
  Description: Name of the NAT range list.
  Supported values: String

IPv4/IPv6
  Description: Type of addresses to be used in the range.
  Supported values: IPv4 or IPv6

Local
  Description: Beginning (lowest) IP address in the range of source addresses.
  Supported values: Valid IP address and network mask (IPv4) or mask length (IPv6)

Global
  Description: Beginning (lowest) IP address in the range of NAT addresses.
  Supported values: Valid IP address and network mask (IPv4) or mask length (IPv6)

Count
  Description: Specifies how many addresses to be translated. The range contains a contiguous block of the number of addresses you specify.
  Supported values: 1-200000. Default:

HA Group
  Description: HA group ID to use for session backup.
  Supported values: 1-32. Default: Not set

Config > Service > IP Source NAT > Static NAT


This option lists the configured static NAT translations.
The Static NAT Range section is displayed when you click Add or click on
a static translation name.
Table 92 lists the Static NAT parameters.
TABLE 92 Static NAT Parameters

Static NAT Section

Source Address
  Description: Inside address to be translated into a global address.
  Supported values: Valid IP address

Global Address
  Description: Global address to use for the inside address.
  Supported values: Valid IP address

HA Group
  Description: HA group ID to use for session backup.
  Supported values: Number of a configured HA group. Default: Not set

Config > Service > IP Source NAT > Global


This page enables you to set global NAT parameters.
Table 93 lists the global NAT parameters.

TABLE 93 Global NAT Parameters

Global Section

PPTP NAT ALG
  Description: Disables or re-enables NAT Application-Layer Gateway (ALG) support for the Point-to-Point Tunnelling Protocol (PPTP). This feature enables clients and servers to exchange Point-to-Point Protocol (PPP) traffic through the AX device over a Generic Routing Encapsulation (GRE) tunnel. PPTP is used to connect Microsoft Virtual Private Network (VPN) clients and VPN hosts.
  Supported values: Enabled or Disabled. Default: Enabled

IP Source NAT Allow Static Host
  Description: Enables or disables static NAT.
  Note: This option is required only to enable use of individually configured static mappings. If you configure a NAT range list instead, you do not need this option.
  If you prefer to configure individual mappings, use the CLI to configure the mappings. Configuration of individual static source NAT mappings is not supported in the GUI.
  Supported values: Enabled or Disabled. Default: Disabled

Source NAT Gateway for L3
  Description: Uses an IP pool's default gateway to forward traffic from a real server.
  When this feature is enabled, the AX device checks the server IP subnet against the IP NAT pool subnet. If they are on the same subnet, then the AX device uses the gateway as defined in the IP NAT pool for Layer 2 / Layer 3 forwarding.
  This feature is useful if the server does not have its own upstream router and the AX device can leverage the same upstream router for Layer 2 / Layer 3.
  Supported values: Enabled or Disabled. Default: Disabled

SYN Timeout
  Description: Sets the timeout after a SYN.
  Supported values: 60-300 seconds. The value you enter must be in intervals of 60 seconds. Default: 60 seconds

TCP Timeout
  Description: Sets the timeout for TCP sessions that are not ended normally by a FIN or RST.
  Supported values: 60-15000 seconds. The value you enter must be in intervals of 60 seconds. Default: 300 seconds

UDP Timeout
  Description: Sets the timeout for UDP sessions.
  Supported values: 60-300 seconds. The value you enter must be in intervals of 60 seconds. Default: 300 seconds

ICMP Timeout
  Description: Sets the timeout for ICMP sessions.
  The Fast option terminates the session as soon as a response is received.
  Supported values: 60-15000 seconds, or Fast. Default: 60 seconds

Service Timeout Section

This section enables you to specify how long NATted sessions on a specific protocol port can remain idle before
being terminated. The timeout set for an individual protocol port overrides the global TCP or UDP timeout for
NATted sessions.
You can specify 60-15000 seconds, or fast. The fast option terminates the session as soon as a response is received.
By default, the TCP or UDP timeout set for NAT translation is used.
To configure a service timeout:
1. Select TCP or UDP from the Protocol drop-down list.
2. Enter the port number in the Port field.
3. Enter the number of seconds in the Timeout field, or select Fast.
4. Click Add.

Config > Service > SSL Management


The SSL Management pages enable you to manage certificates, keys, and
Certificate Revocation Lists (CRLs).
Note: The AX device only supports certificates and CRLs that are in Privacy-Enhanced Mail (PEM) format. The maximum supported certificate size is
16 KB. You can specify the format when you import the certificate. The
AX device automatically converts the imported certificate into PEM format.

Config > Service > SSL Management > Certificate


The Certificate page enables you to manage certificates and keys.
Generating a Self-Signed Certificate
1. Select Config > Service > SSL Management, if not already selected.
2. On the menu bar, select Certificate.
3. Click Create.
4. Enter a name for the certificate.
5. In the Issuer drop-down list, select Self, if not already selected.

6. Enter the rest of the certificate information in the remaining fields of the
Certificate section.
Note: If you need to create a wildcard certificate, use an asterisk as the first part
of the common name. For example, to create a wildcard certificate for
domain example.com and its sub-domains, enter the following common
name: *.example.com

7. From the Key drop-down list, select the length (bits) for the key.
8. Click OK. The AX device generates the self-signed certificate and its
key. The new certificate and key appear in the certificate list. The certificate is ready to be used in client-SSL and server-SSL templates.
Generating a Key and CSR for a CA-Signed Certificate
1. Select Config > Service > SSL Management, if not already selected.
2. On the menu bar, select Certificate.
3. Click Create.
4. Enter a name for the certificate.
5. In the Issuer drop-down list, select Certificate Authority, if not already
selected.
This option displays the Pass Phrase and Confirm Pass Phrase fields.
6. Enter the rest of the certificate information in the remaining fields of the
Certificate section.
Note: If you need to create a request for a wildcard certificate, use an asterisk as
the first part of the common name. For example, to request a wildcard certificate for domain example.com and its sub-domains, enter the following
common name: *.example.com

7. Enter a passphrase.
8. From the Key drop-down list, select the length (bits) for the key.
9. Click OK. The AX device generates the certificate key and the certificate signing request (CSR), and displays the CSR. The CSR is displayed
in the Request Text field.

10. To save the CSR to your PC:
    a. Click Download.
       Note: If the browser security settings normally block downloads, you may need
       to override the setting. For example, in IE, hold the Ctrl key while clicking Download.
    b. Click Save.
    c. Navigate to the save location.
    d. Click Save again.

Note: If you prefer to copy-and-paste the CSR, make sure to include everything,
including -----BEGIN CERTIFICATE REQUEST----- and -----END
CERTIFICATE REQUEST-----.
11. When you receive the certificate from the CA, import it onto the AX
device. (See "Importing a Certificate and Key".)
Importing a Certificate and Key
You can import certificate and key files.

Note: If you are importing a CA-signed certificate for which you used the AX
device to generate the CSR, you do not need to import the key. The key is
automatically generated on the AX device when you generate the CSR.
1. Select Config > Service > SSL Management, if not already selected.
2. On the menu bar, select Certificate. (This option also applies to certificate chain files.)
3. Click Import.
4. In the Name field, enter a name for the certificate or key. This is the
name you will refer to when adding the certificate or key to a client-SSL
or server-SSL template.
5. Select the format of the certificate from the Certificate Format drop-down list.
6. Select the location of the file to be imported:
   - Local: The file is on the PC you are using to run the GUI, or is on a PC or server in the local network. Go to step 7.
   - Remote: The file is on a remote server. Go to step 9.
7. Click Browse and navigate to the location of the certificate.

8. Click Open. The path and filename appear in the Source field. Go to
step 14.
9. To use the management interface as the source interface for the connection to the remote device, select Use Management Port. Otherwise, the
AX device will attempt to reach the remote server through a data interface.
10. Select the file transfer protocol: HTTP, HTTPS, FTP, TFTP, RCP, or
SCP.
11. In the URL field, enter the directory path and filename.
12. If needed, change the protocol port number in the Port field. By default,
the default port number for the selected file transfer protocol is used.
13. In the User and Password fields, enter the username and password
required for access to the remote server.
14. Click OK.
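
Two of the notes above lend themselves to a check before a CSR is pasted to a CA or a certificate is imported: the PEM text must be complete (both armor lines present, body intact, at most 16 KB), and a wildcard common name must actually cover the host names that will use it. The following Python code is an added example, not part of the AX software; the function names and the sample data are constructed, the 16 KB limit is assumed to mean 16384 bytes, and the wildcard rule is the one standard TLS clients apply (the asterisk stands for exactly one left-most DNS label).

```python
import base64
import binascii
import re
from typing import List

MAX_CERT_BYTES = 16 * 1024   # assumption: "16 KB" means 16384 bytes
_ARMOR = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")


def check_pem(text: str, label: str) -> List[str]:
    """Return the problems found in one PEM object, e.g. a copied CSR."""
    problems = []
    if len(text.encode()) > MAX_CERT_BYTES:
        problems.append("larger than 16 KB")
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    first = _ARMOR.match(lines[0]) if lines else None
    last = _ARMOR.match(lines[-1]) if lines else None
    if not first or first.groups() != ("BEGIN", label):
        problems.append(f"missing -----BEGIN {label}----- line")
    if not last or last.groups() != ("END", label):
        problems.append(f"missing -----END {label}----- line")
    body = "".join(ln for ln in lines if not _ARMOR.match(ln))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        problems.append("body is not valid base64 (truncated or altered while copying)")
    else:
        # Certificates, CSRs and CRLs are DER SEQUENCEs, so the first byte is 0x30.
        if not der.startswith(b"\x30"):
            problems.append("decoded body does not start with a DER SEQUENCE")
    return problems


def wildcard_covers(common_name: str, host: str) -> bool:
    """True if the common name covers host under standard TLS client matching.

    *.example.com covers www.example.com, but neither example.com itself
    nor a.b.example.com, because the asterisk matches exactly one label.
    """
    cn = common_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if cn[0] != "*":
        return cn == labels
    return len(labels) == len(cn) and labels[0] != "" and labels[1:] == cn[1:]


def uncovered(common_name: str, hosts: List[str]) -> List[str]:
    """Host names that would fail name checking with this common name."""
    return [h for h in hosts if not wildcard_covers(common_name, h)]


# Constructed sample: placeholder DER-like bytes in PEM armor, not a real CSR.
_body = base64.b64encode(b"\x30\x82\x01\x00" + bytes(range(256))).decode()
SAMPLE_CSR = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + "\n".join(_body[i:i + 64] for i in range(0, len(_body), 64))
    + "\n-----END CERTIFICATE REQUEST-----\n"
)
# The same text with the last armor line lost during copy-and-paste.
TRUNCATED_CSR = SAMPLE_CSR.split("-----END")[0]

# Constructed list of host names planned for one virtual server.
PLANNED_HOSTS = ["www.example.com", "example.com", "a.b.example.com", "shop.example.com"]

if __name__ == "__main__":
    print(check_pem(SAMPLE_CSR, "CERTIFICATE REQUEST"))
    print(check_pem(TRUNCATED_CSR, "CERTIFICATE REQUEST"))
    print(uncovered("*.example.com", PLANNED_HOSTS))
```
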
Exporting a Certificate and Key
1. Select Config > Service > SSL Management, if not already selected.
2. On the menu bar, select Certificate.
3. Select the certificate. (Click the checkbox next to the certificate name.)
4. Click Export.
   Note: If the browser security settings normally block downloads, you may need
   to override the setting. For example, in IE, hold the Ctrl key while clicking Export.

5. Click Save.
6. Navigate to the save location.
7. Click Save again.


Config > Service > SSL Management > Cert Revocation List
The Cert Revocation List page enables you to manage Certificate Revocation Lists (CRLs).
Importing a CRL
You can locally import a CRL. Place it on the PC that is running the GUI or
CLI session, or onto a PC or file server that can be locally reached over the network.
1. Select Config > Service > SSL Management, if not already selected.
2. On the menu bar, select Cert Revocation List.
3. Click Import.
4. Select the location of the file to be imported:
   - Local: The file is on the PC you are using to run the GUI, or is on a PC or server in the local network. Go to step 5.
   - Remote: The file is on a remote server. Go to step 7.
5. Click Browse and navigate to the location of the certificate.
6. Click Open. The path and filename appear in the Source field. Go to
step 12.
7. To use the management interface as the source interface for the connection to the remote device, select Use Management Port. Otherwise, the
AX device will attempt to reach the remote server through a data interface.
8. Select the file transfer protocol: HTTP, HTTPS, or FTP.
9. In the URL field, enter the directory path and filename.
10. If needed, change the protocol port number in the Port field. By default,
the default port number for the selected file transfer protocol is used.
11. In the User and Password fields, enter the username and password
required for access to the remote server.
12. Click OK.

Exporting a CRL
1. Select Config > Service > SSL Management, if not already selected.
2. On the menu bar, select Cert Revocation List.
3. Select the CRL. (Click the checkbox next to the CRL name.)
4. Click Export.
   Note: If the browser security settings normally block downloads, you may need
   to override the setting. For example, in IE, hold the Ctrl key while clicking Export.

5. Click Save.
6. Navigate to the save location.
7. Click Save again.

Config > Network


The Network pages enable you to configure Layer 2 and Layer 3 network
settings for the AX device.

Config > Network > Interface


The Interface pages enable you to configure the AX device's management
interface and data interfaces.

Config > Network > Interface > LAN


The LAN page shows the configuration settings for the AX device's Ethernet data interfaces.
The Status column indicates whether the interface is enabled.
The HA Status column indicates whether High Availability (HA) is enabled
on the interface. To enable HA on an interface, use the HA section. (See
Table 94.)
To disable interfaces, select the checkbox next to each interface you want to
disable, then click Disable. Likewise, to re-enable interfaces, select the
checkbox next to each interface you want to enable, then click Enable.

The following configuration sections are displayed when you click on an
interface name:
- General
- IPv4
- IPv6
- VIP
- HA

Table 94 lists the parameters you can configure on Ethernet data interfaces.
TABLE 94 Ethernet Data Interface Parameters

General Section

Status
  Description: Administrative state of the interface.
  Supported values: Enabled or Disabled. Default: Disabled

Name
  Description: Name for the interface.
  Supported values: String up to 63 characters. Default: None

Speed
  Description: Maximum speed on the interface.
    10M: 10 Megabits per second (Mbs/sec)
    100M: 100 Megabits per second (Mbs/sec)
    1G: 1 Gigabit per second (Gb/sec)
    10G: 10 Gigabits per second (Gbs/sec)
    Auto: The interface speed is negotiated based on the speed of the other end of the link.
  Supported values: One of the following: 10M, 100M, 1G, 10G, Auto. Default: Auto
  Note: All possible options are listed above. The options that are listed for a particular interface depend on the interface type.

Duplex
  Description: Sets the duplex mode.
  Supported values: One of the following:
    Full: Full-duplex mode.
    Half: Half-duplex mode.
    Auto: The mode is negotiated based on the mode of the other end of the link.
  Default: Auto

Flow Control
  Description: State of 802.3x flow control.
  Supported values: Enabled or Disabled. Default: Disabled. The interface auto-negotiates flow control settings with the other end of the link.

CPU Process
  Description: Enables software-based switching or routing of Layer 2/Layer 3 traffic.
  Note: This command is applicable only to models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. The command does not appear in the CLI on other models.
  Supported values: Enabled or Disabled. Default: Disabled.

ICMP Rate Limiting
  Description: Configures ICMP rate limiting for the interface, to protect against denial-of-service (DoS) attacks.
  When you select the ICMP Rate Limit Status checkbox, the following configuration fields appear:
    Normal Rate: Maximum number of ICMP packets allowed per second on the interface. If the AX interface receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins.
    Lockup Rate: Maximum number of ICMP packets allowed per second before the AX device locks up ICMP traffic on the interface. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires.
    Lockup Period: Number of seconds for which the AX device drops all ICMP traffic on the interface, after the maximum rate is exceeded.
  Supported values:
    State: Enabled or Disabled
    Normal Rate: 1-65535 packets per second
    Lockup Rate: 1-65535 packets per second
    Lockup Period: 1-16383 seconds
  Default: Disabled
  Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur.

IPv4 Section

Note: This section is applicable only if the AX device is deployed in gateway (route) mode. If you are deploying in
transparent (Layer 2) mode, see Config > Network > Interface > Transparent on page 222.

IP Address
  Description: IPv4 address of the interface.
  Supported values: Valid IPv4 address

Mask
  Description: Network mask for the interface.
  Supported values: Valid IPv4 mask

Secondary IP List
  Description: Additional IP addresses configured on the interface.
  Note: The address in the IP Address field is the primary IP address.
  Supported values: None configured

Access List
  Description: Access Control List (ACL) to use to filter inbound traffic on the interface.
  The ACL must already be configured. To configure an ACL, see Config > Network > ACL on page 228.
  Supported values: Configured ACL

IPv6 Section

Note: This section is applicable only if the AX device is deployed in gateway (route) mode. If you are deploying in
transparent (Layer 2) mode, see Config > Network > Interface > Transparent on page 222.

IP Address
  Description: IPv6 address of the interface.
  Supported values: Valid IPv6 address

Prefix Length
  Description: Length of the network prefix.
  Supported values: 1-128.

Auto Link-Local
  Description: Automatically configures the link-local address.
  Supported values: Default: Not selected.
  Note: If Auto Link-Local and Link-Local are both unselected, the address is configured as a global address.

Link-Local
  Description: Configures the specified address as the link-local address for the interface. This option overrides the automatically generated link-local address for the interface.
  Supported values: Default: Not selected.
  Note: If Auto Link-Local and Link-Local are both unselected, the address is configured as a global address.

VIP Section

Allow Promiscuous VIP
  Description: Enables client traffic received on this interface and addressed to TCP port 80 to be load balanced for any VIP address.
  This feature also requires configuration of a virtual server that has IP address 0.0.0.0. For more information, see the Promiscuous VIP Load Balancing chapter in the AX Series Configuration Guide.
  Supported values: Enabled or disabled. Default: Disabled

TCP Syn Cookie
  Description: Enables Layer 2/3 SYN cookies on the interface.
  Note: Hardware-based SYN cookie support also must be enabled globally. See Config > Service > SLB > Global > Settings on page 124.
  Supported values: Enabled or disabled. Default: Disabled

HA Section

HA Enabled
  Description: Indicates whether this is an HA interface.
  Note: The maximum number of HA interfaces you can configure is the same as the number of Ethernet data ports on the AX device.
  Supported values: Yes or No. Default: No

Type
  Description: Indicates the type of device to which this HA interface is connected.
  Selecting an option other than None allows the AX device to base its HA status on the status of the links to the real servers and upstream routers.
  Supported values: One of the following:
    None: This option is not used.
    Router-Interface: An upstream router (and ultimately, clients) can be reached through the interface.
    Server-Interface: A real server can be reached through the interface.
    Both: Both a server and upstream router can be reached through the interface.
  Default: None

Heartbeat
  Description: Disables or enables sending of HA heartbeat messages on the interface.
  Supported values: Enabled or Disabled. Default: Enabled

VLAN
  Description: VLAN on which to send heartbeat messages, if this interface is a tagged member of a VLAN.
  Supported values: VLAN ID. Default: Not set
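
The ICMP Rate Limiting row of Table 94 describes two thresholds with different effects: excess over the Normal Rate is dropped only until the next one-second interval, while exceeding the Lockup Rate drops all ICMP for the whole Lockup Period. The following Python model is an added example, not AX code; it assumes one-second intervals aligned on whole seconds, that dropped packets still count toward the rates, that the lockup starts at the packet that exceeds the Lockup Rate, and that Lockup Rate and Lockup Period are set together. The class name and the arrival times are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IcmpRateLimit:
    """Model of the per-interface ICMP rate limit described in Table 94."""
    normal_rate: int                      # packets per second, 1-65535
    lockup_rate: Optional[int] = None     # packets per second, 1-65535
    lockup_period: Optional[int] = None   # seconds, 1-16383
    _window: int = field(default=-1, init=False)
    _count: int = field(default=0, init=False)
    _locked_until_ms: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        if not 1 <= self.normal_rate <= 65535:
            raise ValueError("Normal Rate must be 1-65535 packets per second")
        if (self.lockup_rate is None) != (self.lockup_period is None):
            raise ValueError("set Lockup Rate and Lockup Period together")
        if self.lockup_rate is not None:
            if not 1 <= self.lockup_rate <= 65535:
                raise ValueError("Lockup Rate must be 1-65535 packets per second")
            if not 1 <= self.lockup_period <= 16383:
                raise ValueError("Lockup Period must be 1-16383 seconds")

    def receive(self, t_ms: int) -> str:
        """Classify one ICMP packet arriving at t_ms (milliseconds)."""
        if t_ms < self._locked_until_ms:
            return "lockup-drop"              # all ICMP is dropped during lockup
        window = t_ms // 1000
        if window != self._window:            # a new one-second interval begins
            self._window, self._count = window, 0
        self._count += 1
        if self.lockup_rate is not None and self._count > self.lockup_rate:
            self._locked_until_ms = t_ms + self.lockup_period * 1000
            return "lockup-drop"
        if self._count > self.normal_rate:
            return "rate-drop"                # excess until the interval ends
        return "accept"


def replay(limit: IcmpRateLimit, arrivals_ms: List[int]) -> List[str]:
    """Run a list of arrival times through the limiter, in order."""
    return [limit.receive(t) for t in arrivals_ms]


# Constructed arrivals: ten packets inside the first second, then one packet
# at 2 s and one at 4 s.
BURST_MS = list(range(0, 1000, 100)) + [2000, 4000]

if __name__ == "__main__":
    print("normal rate only:", replay(IcmpRateLimit(5), BURST_MS))
    print("with lockup     :", replay(IcmpRateLimit(5, 8, 3), BURST_MS))
```

With only a Normal Rate of 5, the packet at 2 s is accepted again; with a Lockup Rate of 8 and a Lockup Period of 3 seconds, the ninth packet starts a lockup and the packet at 2 s is still dropped.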

Multiple IP Addresses on a Single Data Interface
You can configure multiple IP addresses on Ethernet and Virtual Ethernet
(VE) data interfaces and on loopback interfaces, on AX devices deployed in
gateway (route) mode.
Each IP address must be unique on the AX device. Addresses within a given
subnet can be configured on only one interface on the device. (The AX
device can have only one data interface in a given subnet.)
IP addresses are added to an interface in the order you configure them. The
addresses appear in show command output and in the configuration in the
same order.
The first IP address you add to an interface becomes the primary IP address
for the interface. If you remove the primary address, the next address in the
list (the second address to be added to the interface) becomes the primary
address.
In most cases, it does not matter which address is the primary address. However, this does matter if you plan to run RIP on the interface. In the current
release, RIP is supported only for the primary IP address. This limitation
does not apply to OSPF. OSPF can run on all subnets configured on a data
interface.
The AX device automatically generates a directly connected route to each
IP address. If you enable redistribution of directly connected routes by RIP
or OSPF, those protocols can advertise the routes to the IP addresses.
Multiple OSPF Networks on the Same Interface Not Supported
The AX device does not support multiple OSPF networks on a data interface. One OSPF network configuration can enable at most one network per
interface.
For example, assume a data port has 3 IP addresses configured that belong
to 3 separate subnets, S1, S2, and S3. If you configure network S4 with area
A.B.C.D, and S4 contains S1, S2, and S3, then only S1 will be running
OSPF. S2 and S3 will not be known to other OSPF routers.
To work around this limitation, enable OSPF redistribution of directly connected routes so that OSPF will redistribute S2 and S3 via the network running on S1.


Config > Network > Interface > Management


The Management page shows the configuration settings for the AX device's
out-of-band management port.
The following configuration sections are displayed when you click on the
Management menu option:
General
IPv4
IPv6

Table 95 lists the parameters you can configure on the Ethernet management port.
TABLE 95 Ethernet Management Port Parameters

General Section

Parameter: Status
Description: Administrative state of the port.
Supported Values: Enabled or Disabled
  Default: Disabled

Parameter: Speed
Description: Maximum speed on the interface.
Supported Values: One of the following:
  10M - 10 Megabits per second (Mbs/sec)
  100M - 100 Megabits per second (Mbs/sec)
  1G - 1 Gigabit per second (Gbs/sec)
  Auto - The interface speed is negotiated based on the speed of the other end of the link.
  Default: Auto
  Note: All possible options are listed above. The options that are listed for a particular interface depend on the interface type.

Parameter: Duplex
Description: Sets the duplex mode.
Supported Values: One of the following:
  Full - Full-duplex mode.
  Half - Half-duplex mode.
  Auto - The mode is negotiated based on the mode of the other end of the link.
  Default: Auto

Parameter: Flow Control
Description: Enables 802.3x flow control.
Supported Values: Enabled or Disabled
  Default: Disabled. The AX Ethernet interface auto-negotiates flow control settings with the other end of the link.

Parameter: Apps Use Mgmt
Description: Enables use of the management interface as the source interface for automated management traffic.
  This applies to management traffic using the following protocols:
  SYSLOG
  SNMPD
  NTP
  RADIUS
  TACACS+
  SMTP
  The AX device has two route tables:
  Management route table - Contains all static routes whose next hops are connected to the management interface. The management route table also contains the route to the device configured as the management default gateway.
  Main route table - Contains all routes whose next hop is connected to a data interface. These routes are sometimes referred to as data plane routes. Entries in this table are used for load balancing and for Layer 3 forwarding on data ports. This route table also contains copies of all static routes in the management route table, excluding the management default gateway route.
  For more information, see the "Using the Management Interface as the Source for Management Traffic" chapter in the AX Series Configuration Guide.
Supported Values: Enabled or Disabled
  Default: Disabled. The AX device attempts to use a route from the main route table for management connections originated on the AX device.

IPv4 Section

Parameter: IP Address
Description: IPv4 address of the interface.
Supported Values: Valid IPv4 address

Parameter: Mask
Description: Network mask for the interface.
Supported Values: Valid IPv4 mask

Parameter: Default Gateway
Description: IP address of the next-hop router to use for traffic outside the management interface's subnet.
Supported Values: Valid IPv4 address

IPv6 Section

Parameter: IP Address
Description: IPv6 address of the interface.
Supported Values: Valid IPv6 address

Parameter: Prefix Length
Description: Length of the network prefix.
Supported Values: 1-128

Parameter: Default Gateway
Description: IP address of the next-hop router to use for traffic outside the management interface's subnet.
Supported Values: Valid IPv6 address


Config > Network > Interface > Transparent


The Transparent page enables you to specify the global IP address of the
AX device, if deploying the device in transparent (Layer 2) mode.
Note: If you are deploying in gateway (Layer 3) mode, see Config >
Network > Interface > LAN on page 215.


The following configuration sections are displayed when you click on the
Transparent menu option:
IPv4
IPv6

Table 96 lists the global IP address parameters you can configure.


TABLE 96 Global IP Parameters (Transparent Mode only)

IPv4 Section

Parameter: IP Address
Description: IPv4 address of the interface.
Supported Values: Valid IPv4 address

Parameter: Mask
Description: Network mask for the interface.
Supported Values: Valid IPv4 mask

Parameter: Default Gateway
Description: IP address of the next-hop router to use for traffic outside the AX device's subnet.
Supported Values: Valid IPv4 address

IPv6 Section

Parameter: IP Address
Description: IPv6 address of the interface.
Supported Values: Valid IPv6 address

Parameter: Prefix Length
Description: Length of the network prefix.
Supported Values: 1-128

Parameter: Default Gateway
Description: IP address of the next-hop router to use for traffic outside the AX device's subnet.
Supported Values: Valid IPv6 address

Config > Network > Interface > Virtual


The Virtual page shows the configuration settings for the AX device's Virtual Ethernet (VE) data ports.
The following configuration sections are displayed when you click on a VE
name:
IPv4
IPv6

Note: You must create the VE before you can configure it here. To create a VE,
see Config > Network > VLAN on page 225.
Table 97 lists the parameters you can configure on VE data interfaces.

TABLE 97 Virtual Ethernet Data Interface Parameters

IPv4 Section

Parameter: Status
Description: Administrative state of the interface.
Supported Values: Enabled or Disabled
  Default: Disabled

Parameter: Name
Description: Name for the interface.
Supported Values: String up to 63 characters
  Default: None

Parameter: IP Address
Description: IPv4 address of the interface.
Supported Values: Valid IPv4 address

Parameter: Mask
Description: Network mask for the interface.
Supported Values: Valid IPv4 mask

Parameter: Secondary IP List
Description: Additional IP addresses configured on the interface.
  Note: The address in the IP Address field is the primary IP address.
Supported Values: None configured

Parameter: Access List
Description: Access Control List (ACL) to use to filter inbound traffic on the VE.
  The ACL must already be configured. To configure an ACL, see Config > Network > ACL on page 228.
Supported Values: Configured ACL

Parameter: ICMP Rate Limiting
Description: Configures ICMP rate limiting for the interface, to protect against denial-of-service (DoS) attacks.
  When you select the ICMP Rate Limit Status checkbox, the following configuration fields appear:
  Normal Rate - Maximum number of ICMP packets allowed per second on the interface. If the AX interface receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins.
  Lockup Rate - Maximum number of ICMP packets allowed per second before the AX device locks up ICMP traffic on the interface. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires.
  Lockup Period - Number of seconds for which the AX device drops all ICMP traffic on the interface, after the maximum rate is exceeded.
Supported Values: State: Enabled or Disabled
  Normal Rate - 1-65535 packets per second
  Lockup Rate - 1-65535 packets per second
  Lockup Period - 1-16383 seconds
  Default: Disabled
  Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur.

IPv6 Section

Parameter: IP Address
Description: IPv6 address of the interface.
Supported Values: Valid IPv6 address

Parameter: Prefix Length
Description: Length of the network prefix.
Supported Values: 1-128

Parameter: Auto Link-Local
Description: Automatically configures the link-local address.
Supported Values: Default: Not selected.
  Note: If Auto Link-Local and Link-Local are both unselected, the address is configured as a global address.

Parameter: Link-Local
Description: Configures the specified address as the link-local address for the interface. This option overrides the automatically generated link-local address for the interface.
Supported Values: Default: Not selected.
  Note: If Auto Link-Local and Link-Local are both unselected, the address is configured as a global address.

VIP Section

Parameter: Allow Promiscuous VIP
Description: Enables client traffic received on this interface and addressed to TCP port 80 to be load balanced for any VIP address.
  This feature also requires configuration of a virtual server that has IP address 0.0.0.0. For more information, see the "Promiscuous VIP Load Balancing" chapter in the AX Series Configuration Guide.
Supported Values: Enabled or disabled
  Default: Disabled

Parameter: TCP Syn Cookie
Description: Enables Layer 2/3 SYN cookies on the interface.
  Note: Hardware-based SYN cookie support also must be enabled globally. See Config > Service > SLB > Global > Settings on page 124.
Supported Values: Enabled or disabled
  Default: Disabled

Config > Network > Interface > Global


This page shows the TCP SYN cookie threshold. This parameter is the
threshold for TCP handshake completion, and is applicable when SYN
cookies are active.
If the handshake is not completed within the allowed time, the AX device
drops the session. You can specify 1-100 seconds. The default is 4 seconds.

Config > Network > Trunk


This option lists the configured trunks. A trunk is a set of Ethernet data ports
configured as a single logical link.
The Trunk section is displayed when you click Add or click on a trunk number.
Table 98 lists the trunk parameters you can configure.

TABLE 98 Trunk Parameters

Trunk Section

Parameter: Trunk ID
Description: ID number of the trunk.
Supported Values: 1-8
  Default: Not set

Parameter: Interface
Description: Specifies the Ethernet data ports in the trunk.
  To add a port to the trunk:
  1. Select the port in the Available list.
  2. Click >> to move the port to the Port list.
  3. Repeat for each port to add to the trunk.
  To disable a trunk port:
  1. Select the port in the Port list.
  2. Click >> to move the port to the Disabled Port list.
  When you finish configuring the trunk, click OK.
Supported Values: Ethernet data port names
  Default: None

Ports Threshold Section

Parameter: Threshold
Description: Specifies the minimum number of up ports required from the drop-down list.
Supported Values: 2-8
  Default: Not set

Parameter: Threshold Timer
Description: Specifies the trunk-threshold timer.
  The trunk-threshold timer is used in some situations to delay the ports-threshold action. The configured port threshold is not enforced until the timer expires. The ports-threshold timer for a trunk is used in the following situations:
  When a member of the trunk links up.
  A port is added to or removed from the trunk.
  The port threshold for the trunk is configured during runtime. (If the threshold is set in the startup-config, the timer is not used.)
Supported Values: 1-300 seconds
  Default: 10 seconds

Config > Network > VLAN


The VLAN option provides configuration pages for Layer 2 settings. The
following menu options are available:
VLAN
MAC
Global


Config > Network > VLAN > VLAN


This page lists the configured Virtual LANs (VLANs). A VLAN is a set of
Ethernet data ports configured as a separate Layer 2 collision domain.
The VLAN section is displayed when you click Add or click on a VLAN
number.
Table 99 lists the VLAN parameters you can configure.
TABLE 99 VLAN Parameters

VLAN Section

Parameter: VLAN ID
Description: ID number of the VLAN.
Supported Values: 1-4094
  Default: 1

Parameter: Interface
Description: Specifies the Ethernet data ports in the VLAN.
  To add a port to the VLAN:
  1. Select the port in the Available list.
  2. To add the port as untagged, click << to move the port to the Untagged list. Otherwise, click >> to move the port to the Tagged list.
  3. Repeat for each port to add to the VLAN.
Supported Values: Ethernet data port names
  Default: None

Parameter: Virtual Interface
Description: Specifies the VE number for the VLAN.
  If the AX device is deployed in gateway (Layer 3) mode, you can configure an IP interface on the VE. (See Config > Network > Interface > Virtual on page 222.)
Supported Values: 1-128
  Default: Not set
  Note: To simplify configuration, select the VE number that corresponds to the VLAN number.

Static MAC Section

This section enables you to add static MAC entries to the VLAN.
To add a static MAC entry:
1. Enter the MAC address in the MAC Address field. Use the following format: aabb.ccdd.eeff
2. Select the port from the Port drop-down list.
3. Click Add.


Config > Network > VLAN > MAC


This page displays the aging timer for dynamic (learned) MAC entries. An
entry that remains unused for the duration of the aging time is removed
from the MAC table.
You can specify 10-600 seconds. The default is 300 seconds.
On models AX 1000, AX 2000, AX 2100, and AX 3000, the actual MAC
aging time can be +/- 10 seconds from the configured value.

Note: On models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200, the
actual MAC aging time can be up to 2 times the configured value. For
example, if the aging time is set to 50 seconds, the actual aging time will
be between 50 and 100 seconds.

Config > Network > VLAN > Global


This page enables you to change the traffic limits for VLANs. You can set
global limits for all VLANs, as well as per-VLAN limits.
Table 100 lists the VLAN traffic limits you can configure.
TABLE 100 VLAN Traffic Limit Parameters

All VLAN Limitation Section

Parameter: Broadcast Packets
Description: Maximum number of broadcast packets allowed per second, on all VLANs combined.
Supported Values: 1-65535
  Default: Not set

Parameter: IP Multicast Packets
Description: Maximum number of IP multicast packets allowed per second, on all VLANs combined.
Supported Values: 1-65535
  Default: Not set

Parameter: Multicast Packets
Description: Maximum number of multicast packets allowed per second, on all VLANs combined.
Supported Values: 1-65535
  Default: Not set

Parameter: Unknown Unicast Packets
Description: Maximum number of unknown unicast packets allowed per second, on all VLANs combined.
Supported Values: 1-65535
  Default: Not set

Per VLAN Limitation Section

Parameter: Broadcast Packets
Description: Maximum number of broadcast packets allowed per second, on any individual VLAN.
Supported Values: 1-65535
  Default: Not set

Parameter: IP Multicast Packets
Description: Maximum number of IP multicast packets allowed per second, on any individual VLAN.
Supported Values: 1-65535
  Default: Not set

Parameter: Multicast Packets
Description: Maximum number of multicast packets allowed per second, on any individual VLAN.
Supported Values: 1-65535
  Default: Not set

Parameter: Unknown Unicast Packets
Description: Maximum number of unknown unicast packets allowed per second, on any individual VLAN.
Supported Values: 1-65535
  Default: Not set


Config > Network > ACL


The ACL pages enable you to configure and apply Access Control Lists
(ACLs).
You can use ACLs for the following tasks:
Permit or block through traffic.
Permit or block management access.
Specify the internal host or subnet addresses to which to provide Network Address Translation (NAT).


An ACL can contain multiple rules. Each rule contains a single permit or
deny statement. Rules are added to the ACL in the order you configure
them. The first rule you add appears at the top of the ACL.
Configuring an ACL Rule
1. Select Config > Service > Network > ACL.
2. On the menu bar, select Standard or Extended.
3. Click Add.
4. Configure the options for the rule. (See Table 101 on page 229 and
Table 102 on page 230.)
5. When finished configuring the rule, click OK. The rule list is redisplayed, containing the new rule.
6. To commit the ACL changes, click OK.

Re-Ordering ACL Rules


Each row in the Standard ACL and Extended ACL tables is a separate ACL
rule. You can configure multiple rules in the same ACL. In this case, they
still appear as separate rows, with the same ACL number.
The AX device applies the ACL rules in the order they are listed, starting at
the top of the table. The first rule that matches traffic is used to permit or
deny that traffic. After the first rule match, no additional rules are compared
against the traffic.
If you need to re-order the ACL rules, you can do so by clicking the up or
down arrows at the ends of the rows containing the ACL rules.
Click OK to commit the changes.

Applying (Binding) ACLs
Access lists do not take effect until you apply them.
To permit or block through traffic on an interface, apply the ACL to the
interface. (See Config > Network > Interface on page 215.)
To specify the internal host or subnet addresses to which to provide Network NAT,
select the ACL when configuring the pool. (See Config >
Service > IP Source NAT on page 203.)
To use the ACL to permit or block management access, see Config > System >
Access Control on page 256.

Config > Service > ACL > Standard


This option lists the configured standard ACLs. For configuration information, see the following topics:
Configuring an ACL Rule on page 228
Re-Ordering ACL Rules on page 228
Applying (Binding) ACLs on page 229

The Standard section is displayed when you click Add or click on an ACL
number.
Table 101 lists the Standard ACL parameters.
TABLE 101 Standard ACL Parameters

Standard Section

Parameter: ID
Description and Syntax: ACL number.
Supported Values: 1-99

Parameter: Remark / Entry
Description and Syntax: Specifies whether you are configuring an ACL rule or a remark for the ACL.
Supported Values: Remark or Entry

Parameter: Action
Description and Syntax: Specifies the action to perform on traffic that matches the ACL:
  Deny - Drops the traffic.
  Permit - Allows the traffic.
Supported Values: Default: Deny

Parameter: Log
Description and Syntax: Enables logging. When logging is enabled for the ACL, the AX device generates log messages when traffic matches the ACL.
Supported Values: Default: Disabled

Parameter: Source Address
Description and Syntax: Specifies the source address to match on:
  Any - The ACL matches on all source IP addresses.
  Host - The ACL matches only on the specified host IP address.
  Address - The ACL matches on any host in the specified subnet. The filter-mask specifies the portion of the address to filter:
    Use 0 to match.
    Use 255 to ignore.
  For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
Supported Values: Default: Any

Config > Service > ACL > Extended


This option lists the configured extended ACLs. For configuration information, see the following topics:
Configuring an ACL Rule on page 228
Re-Ordering ACL Rules on page 228
Applying (Binding) ACLs on page 229

The Extended section is displayed when you click Add or click on an ACL
number.
Table 102 lists the Extended ACL parameters.
TABLE 102 Extended ACL Parameters

Extended Section

Parameter: ID
Description and Syntax: ACL number.
Supported Values: 100-199

Parameter: Remark / Entry
Description and Syntax: Specifies whether you are configuring an ACL rule or a remark for the ACL.
Supported Values: Remark or Entry

Parameter: Action
Description and Syntax: Specifies the action to perform on traffic that matches the ACL:
  Deny - Drops the traffic.
  Permit - Allows the traffic.
Supported Values: Default: Deny

Parameter: Log
Description and Syntax: Enables logging. When logging is enabled for the ACL, the AX device generates log messages when traffic matches the ACL.
Supported Values: Default: Disabled

Parameter: Protocol
Description and Syntax: Specifies the IP protocol on which to match.
  To match on source or destination protocol ports, select TCP or UDP. The Source Port and Destination Port fields appear.
Supported Values: You can select one of the following:
  ICMP
  IP
  TCP
  UDP
  Default: ICMP

Parameter: Source Address
Description and Syntax: Specifies the source address on which to match:
  Any - The ACL matches on all source IP addresses.
  Host - The ACL matches only on the specified host IP address.
  Address - The ACL matches on any host in the specified subnet. The filter-mask specifies the portion of the address to filter:
    Use 0 to match.
    Use 255 to ignore.
  For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
Supported Values: Default: Any

Parameter: Source Port
Description and Syntax: Specifies the source protocol port(s) on which to match, and the match operator.
  Click the checkbox to activate the configuration fields.
  The operator can be one of the following:
  = (equal) - The ACL matches on traffic from the specified source port.
  > (greater than) - The ACL matches on traffic from any source port with a higher number than the specified port.
  < (less than) - The ACL matches on traffic from any source port with a lower number than the specified port.
  Range - The ACL matches on traffic from any source port within the specified range.
Supported Values: The port can be 1-65535.
  Default: Not set

Parameter: Destination Address
Description and Syntax: Specifies the destination address on which to match. The options are the same as those for Source Address.
Supported Values: Default: Any

Parameter: Destination Port
Description and Syntax: Specifies the destination protocol port(s) on which to match.
  The options are the same as those for Source Port.
Supported Values: The port can be 1-65535.
  Default: Not set
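The first-match rule order from "Re-Ordering ACL Rules" and the filter-mask and port operators from Tables 101 and 102, as an added Python model (not A10 code and not part of the original reference). Assumptions: the rule and packet dictionaries use hypothetical field names, the IP protocol choice matches every protocol, Range is inclusive, and traffic that matches no rule is denied.

```python
import ipaddress


def _ip(value):
    return int(ipaddress.IPv4Address(value))


def address_matches(spec, addr):
    """spec is ("any",), ("host", ip) or ("address", ip, filter_mask)."""
    kind = spec[0]
    if kind == "any":
        return True
    if kind == "host":
        return _ip(addr) == _ip(spec[1])
    if kind == "address":
        # Filter-mask: 0 bits must match, 255 (all ones) octets are ignored.
        care = ~_ip(spec[2]) & 0xFFFFFFFF
        return (_ip(addr) & care) == (_ip(spec[1]) & care)
    raise ValueError(f"unknown address type: {kind}")


def port_matches(spec, port):
    """spec is None (not set), ("=", p), (">", p), ("<", p) or ("range", lo, hi)."""
    if spec is None:
        return True
    if port is None:          # for example an ICMP packet against a port rule
        return False
    op = spec[0]
    if op == "=":
        return port == spec[1]
    if op == ">":
        return port > spec[1]
    if op == "<":
        return port < spec[1]
    if op == "range":
        return spec[1] <= port <= spec[2]   # assumption: inclusive bounds
    raise ValueError(f"unknown operator: {op}")


def rule_matches(rule, pkt):
    proto = rule.get("protocol", "ip")      # standard ACL rules carry no protocol
    if proto != "ip" and proto != pkt["protocol"]:
        return False
    return (address_matches(rule["src"], pkt["src"])
            and address_matches(rule.get("dst", ("any",)), pkt["dst"])
            and port_matches(rule.get("sport"), pkt.get("sport"))
            and port_matches(rule.get("dport"), pkt.get("dport")))


def evaluate(rules, pkt):
    """Return (action, rule_index, log) for the first matching rule."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule["action"], index, rule.get("log", False)
    return "deny", None, False              # assumption: no match means deny


# Constructed sample ACL, listed top to bottom as in the GUI table.
SAMPLE_ACL = [
    {"action": "deny", "protocol": "tcp", "src": ("host", "192.0.2.50"),
     "dport": ("=", 22), "log": True},
    {"action": "permit", "protocol": "tcp",
     "src": ("address", "192.0.2.0", "0.0.0.255"), "dport": ("=", 22)},
    {"action": "permit", "protocol": "udp", "src": ("any",),
     "dst": ("host", "198.51.100.53"), "dport": ("=", 53)},
    {"action": "deny", "protocol": "ip", "src": ("any",), "log": True},
]

# Constructed sample packet: SSH from the host that rule 0 is meant to block.
BLOCKED_HOST_SSH = {"protocol": "tcp", "src": "192.0.2.50", "sport": 40000,
                    "dst": "198.51.100.10", "dport": 22}

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, BLOCKED_HOST_SSH))
    # Moving the subnet permit above the host deny changes the verdict.
    reordered = [SAMPLE_ACL[1], SAMPLE_ACL[0]] + SAMPLE_ACL[2:]
    print(evaluate(reordered, BLOCKED_HOST_SSH))
```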


Config > Service > ACL > IPv6


This option lists the configured IPv6 ACLs. For configuration information,
see the following topics:
Configuring an ACL Rule on page 228
Re-Ordering ACL Rules on page 228
Applying (Binding) ACLs on page 229

The IPv6 section is displayed when you click Add or click on an ACL number.
Table 103 lists the IPv6 ACL parameters.
TABLE 103 IPv6 ACL Parameters

IPv6 Section

Parameter: Name
Description and Syntax: ACL name.
Supported Values: String

Parameter: Remark / Entry
Description and Syntax: Specifies whether you are configuring an ACL rule or a remark for the ACL.
Supported Values: Remark or Entry

Parameter: Action
Description and Syntax: Specifies the action to perform on traffic that matches the ACL:
  Deny - Drops the traffic.
  Permit - Allows the traffic.
Supported Values: Default: Deny

Parameter: Log
Description and Syntax: Enables logging. When logging is enabled for the ACL, the AX device generates log messages when traffic matches the ACL.
Supported Values: Default: Disabled

Parameter: Protocol
Description and Syntax: Specifies the IP protocol on which to match.
  To match on source or destination protocol ports, select TCP or UDP. The Source Port and Destination Port fields appear.
Supported Values: You can select one of the following:
  ICMP
  IPv6
  TCP
  UDP
  Default: ICMP

Parameter: Source Address
Description and Syntax: Specifies the source address on which to match:
  Any - The ACL matches on all source IP addresses.
  Host - The ACL matches only on the specified host IP address.
  Address - The ACL matches on any host in the specified subnet. The filter-mask specifies the portion of the address to filter:
    Use 0 to match.
    Use 255 to ignore.
  For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
Supported Values: Default: Any

Parameter: Source Port
Description and Syntax: Specifies the source protocol port(s) on which to match, and the match operator.
  Click the checkbox to activate the configuration fields.
  The operator can be one of the following:
  = (equal) - The ACL matches on traffic from the specified source port.
  > (greater than) - The ACL matches on traffic from any source port with a higher number than the specified port.
  < (less than) - The ACL matches on traffic from any source port with a lower number than the specified port.
  Range - The ACL matches on traffic from any source port within the specified range.
Supported Values: The port can be 1-65535.
  Default: Not set

Parameter: Destination Address
Description and Syntax: Specifies the destination address on which to match. The options are the same as those for Source Address.
Supported Values: Default: Any

Parameter: Destination Port
Description and Syntax: Specifies the destination protocol port(s) on which to match.
  The options are the same as those for Source Port.
Supported Values: The port can be 1-65535.
  Default: Not set


Config > Network > ARP


The ARP pages enable you to configure static Address Resolution Protocol
(ARP) entries.

Config > Network > ARP > IPv4 ARP


The IPv4 ARP configuration section is displayed when you click Add or
click on a static ARP entry.
Table 104 lists the IPv4 ARP parameters.
TABLE 104 IPv4 ARP Parameters

IPv4 ARP Section

Parameter: IP Address
Description: IPv4 address of the entry.
Supported Values: Valid IPv4 address

Parameter: MAC Address
Description: MAC address of the entry.
Supported Values: Valid MAC address

Parameter: Interface
Description: Ethernet data port through which the device with the IP address and MAC address specified above can be reached.
Supported Values: Ethernet data port names
  Default: None

Parameter: VLAN ID
Description: VLAN for which to add the ARP entry.
Supported Values: VLAN ID
  Default: The entry can be used for any VLAN.

Config > Network > ARP > IPv6 Neighbor


The IPv6 Neighbor configuration section is displayed when you click Add
or click on a static IPv6 neighbor entry.
Table 105 lists the IPv6 neighbor parameters.
TABLE 105 IPv6 Neighbor Parameters

IPv6 Neighbor Section

Parameter: IP Address
Description: IPv4 address of the entry.
Supported Values: Valid IPv6 address

Parameter: MAC Address
Description: MAC address of the entry.
Supported Values: Valid MAC address

Parameter: Interface
Description: Ethernet data port through which the device with the IP address and MAC address specified above can be reached.
Supported Values: Ethernet data port names
  Default: None

Parameter: VLAN
Description: VLAN for which to add the ARP entry.
Supported Values: VLAN ID
  Default: The entry can be used for any VLAN.

Config > Network > ARP > Global


The Global section enables you to change the ARP timeout, which is used to
age out dynamic ARP table entries. By default, dynamic ARP entries age
out after 300 seconds (5 minutes). You can change the global ARP timer to
60-86400 seconds.

Config > Network > Route


The Route pages enable you to configure IP routing parameters.

Config > Network > Route > IPv4 Static


This option displays the configured IPv4 static routes.
The Static Route section is displayed when you click Add or click on an
IPv4 static route.
Table 106 lists the parameters you can configure for IPv4 static routes.
TABLE 106 IPv4 Static Route Parameters

Static Route Section

Parameter: IP Address Prefix
Description: Destination network of the route.
Supported Values: Valid IPv4 address

Parameter: Netmask
Description: Network mask for the destination network.
Supported Values: Valid IPv4 mask

Parameter: Gateway
Description: IP address of the next-hop router to use to reach the destination network.
Supported Values: Valid IPv4 address


Config > Network > Route > IPv6 Static


This option displays the configured IPv6 static routes.
The Static Route section is displayed when you click Add or click on an
IPv6 static route.
Table 107 lists the parameters you can configure for IPv6 static routes.
TABLE 107 IPv6 Static Route Parameters

Static Route Section

Parameter: IP Address
Description: Destination network of the route.
Supported Values: Valid IPv6 address

Parameter: Prefix Length
Description: Length of the network prefix.
Supported Values: 1-128

Parameter: Forwarding Router Address
Description: IP address of the next-hop router to use to reach the destination network.
Supported Values: Valid IPv6 address

Config > Network > DNS


The DNS section enables you to configure the AX hostname and other DNS
settings.
Table 108 lists the DNS parameters you can configure.
TABLE 108 DNS Parameters

DNS Section

Parameter: Hostname
Description: Hostname of the AX device.
Supported Values: String

Parameter: DNS Suffix
Description: Default domain name (DNS suffix) for hostnames on the AX device.
Supported Values: String

Parameter: Primary DNS
Description: IP address of the DNS server to which the AX device should send DNS requests.
Supported Values: Valid IPv4 address

Parameter: Secondary DNS
Description: IP address of the DNS server to use as a backup if the primary DNS server does not respond.
Supported Values: Valid IPv4 address


Config > Network > ICMP Rate Limiting


The ICMP Rate Limiting option globally enables protection against denial-of-service (DoS) attacks.
Table 109 lists the ICMP Rate Limiting parameters you can configure.
TABLE 109 ICMP Rate Limiting Parameters

ICMP Rate Limiting Section

Parameter: ICMP Rate Limiting
Description: Enables the configuration fields for the feature.
Supported Values: Selected or not selected
  Default: Not selected

Parameter: Normal Rate
Description: Maximum number of ICMP packets allowed per second. If the AX interface receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins.
Supported Values: 1-65535 packets per second
  Default: Not set

Parameter: Lockup Rate
Description: Maximum number of ICMP packets allowed per second before the AX device locks up ICMP traffic. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires.
  Note: Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur.
Supported Values: 1-65535 packets per second
  Default: Not set

Parameter: Lockup Period
Description: Number of seconds for which the AX device drops all ICMP traffic, after the maximum rate is exceeded.
Supported Values: 1-16383 seconds
  Default: Not set
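The interaction of Normal Rate, Lockup Rate and Lockup Period described in Tables 97 and 109, as an added Python model for trying out thresholds against a traffic profile (not A10 code and not part of the original reference). Assumptions: one-second intervals are aligned to whole seconds, every received packet counts toward both rates, the lockup starts at the arrival of the packet that exceeds the lockup rate, and lockup is active only when both lockup fields are set.

```python
from collections import Counter

# Ranges taken from the Supported Values column.
RATE_RANGE = range(1, 65536)
PERIOD_RANGE = range(1, 16384)


def simulate(arrivals_ms, normal_rate, lockup_rate=None, lockup_period=None):
    """Return one verdict per ICMP packet: 'forward', 'drop-rate' or 'drop-lockup'.

    arrivals_ms   -- packet arrival times in milliseconds
    normal_rate   -- packets allowed per one-second interval
    lockup_rate   -- packets per second that trigger a lockup (optional)
    lockup_period -- seconds for which all ICMP is dropped after a trigger (optional)
    """
    if normal_rate not in RATE_RANGE:
        raise ValueError("normal rate must be 1-65535 packets per second")
    if lockup_rate is not None and lockup_rate not in RATE_RANGE:
        raise ValueError("lockup rate must be 1-65535 packets per second")
    if lockup_period is not None and lockup_period not in PERIOD_RANGE:
        raise ValueError("lockup period must be 1-16383 seconds")

    lockup_enabled = lockup_rate is not None and lockup_period is not None
    interval, count, locked_until = None, 0, -1
    verdicts = []
    for t in sorted(arrivals_ms):
        if t < locked_until:                    # lockup in force: drop everything
            verdicts.append("drop-lockup")
            continue
        second = t // 1000
        if second != interval:                  # a new one-second interval begins
            interval, count = second, 0
        count += 1
        if lockup_enabled and count > lockup_rate:
            locked_until = t + lockup_period * 1000
            verdicts.append("drop-lockup")
        elif count > normal_rate:               # excess over the normal rate
            verdicts.append("drop-rate")
        else:
            verdicts.append("forward")
    return verdicts


def summarize(verdicts):
    """Count the verdicts, e.g. {'forward': 13, 'drop-rate': 10, ...}."""
    return dict(Counter(verdicts))


# Constructed sample traffic: a 30-packet burst in second 0, five packets in
# second 1, then three packets at second 6.
SAMPLE_ARRIVALS_MS = ([i * 10 for i in range(30)]
                      + [1000 + i * 100 for i in range(5)]
                      + [6000, 6100, 6200])

if __name__ == "__main__":
    print("with lockup:   ", summarize(simulate(SAMPLE_ARRIVALS_MS, 10, 20, 5)))
    print("without lockup:", summarize(simulate(SAMPLE_ARRIVALS_MS, 10)))
```

With lockup configured, the packets in second 1 are dropped even though they are under the normal rate, which is the side effect to weigh when monitoring systems on the same interface rely on ICMP.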

Config > Network > BPDU-Fwd-Group


This option enables you to configure BPDU forwarding groups. BPDU forwarding groups enable you to use the AX device in a network that runs
Spanning Tree Protocol (STP).
A BPDU forwarding group is a set of tagged Ethernet interfaces that will
accept and broadcast STP BPDUs among themselves. When an interface in
a BPDU forwarding group receives an STP BPDU (a packet addressed to
MAC address 01-80-C2-00-00-00), the interface broadcasts the BPDU to all
the other interfaces in the group.
You can configure up to 8 BPDU forwarding groups.

Rules for trunk interfaces:
BPDUs are broadcast only to the lead interface in the trunk.
If a BPDU is received on an Ethernet interface that belongs to a trunk,
the BPDU is not broadcast to any other members of the same trunk.
To configure a BPDU forwarding group:
1. Select the group number from the BPDU-Fwd-Group drop-down list.
2. Select the interfaces to add to the group.
3. Click >> to add the interfaces to the group.

Config > System


The System pages enable you to configure system-level parameters.

Config > System > Settings


The Settings options configure system management settings.

Config > System > Settings > Web


This menu option displays the following configuration sections:
Web
aXAPI
Preference

Table 110 lists the Web parameters.


TABLE 110 Web Parameters

Web Section

Parameter: Language
Description: Language of the GUI.
Supported Values: One of the following:
  English
  Simple Chinese
  Japanese
  Traditional Chinese
  Korean
  Default: English

Parameter: Web Timeout
Description: Number of minutes a Web management session can remain idle before it times out and is terminated by the AX device.
Supported Values: 0-60 minutes
  Default: 10 minutes
  To disable the timeout, specify 0.

Parameter: HTTP Port
Description: HTTP protocol port number and port state.
Supported Values: Enabled or Disabled
  1-65535
  Default: Enabled; 80

Parameter: HTTPS Port
Description: HTTPS protocol port number and port state.
Supported Values: Enabled or Disabled
  1-65535
  Default: Enabled; 443

Parameter: Re-direct HTTP to HTTPS
Description: Automatically redirects requests for the unsecured port (HTTP) to the secure port (HTTPS).
Supported Values: Enabled or Disabled
  Default: Enabled

aXAPI Section

Parameter: aXAPI Timeout
Description: Number of minutes an aXAPI session can remain idle before being terminated. Once the aXAPI session is terminated, the session ID generated by the AX device for the session is no longer valid.
  Note: For information about aXAPI, see the AX Series aXAPI Reference.
Supported Values: 0-60 minutes.
  If you specify 0, sessions never time out.
  Default: 10 minutes

Preference Section

Parameter: Default IP Address
Description: Default IP address type for configuration fields in the GUI.
  Note: Changing the default address type does not change any addresses that are already configured. This option simply changes the default address type that is selected on configuration sections.
Supported Values: IPv4 or IPv6
  Default: IPv4

Config > System > Settings > Terminal > CLI


This menu option displays the CLI Terminal section.
Table 111 lists the parameters you can configure in this section.
To restore all CLI access settings to the default values, click the Reset To
Default button.
Caution: The Reset To Default option also resets the enable password to its default value (empty - no password).

TABLE 111 CLI Parameters

CLI Terminal Section

Parameter: CLI Timeout
Description: Specifies the number of minutes a CLI session can be idle before it times out and is terminated.
Supported Values: 0-60 minutes. Default: 10 minutes. To disable the timeout, enter 0.

Parameters: Current Enable Password; Enable Password; Confirm Password
Description: Allows you to change the enable password.
  1. Enter the current enable password in the Current Enable Password field.
  2. Enter the new enable password in the Enable Password and Confirm Enable Password fields.
  3. When finished configuring CLI settings, click OK.
Supported Values: String

Parameter: Auto Size
Description: Automatically adjusts the length and width of the terminal display. Disabling this option enables the Columns and Lines input fields.
Supported Values: Selected (enabled) or deselected (disabled). Default: Selected

Parameter: Columns
Description: Specifies the number of columns to display.
Supported Values: 0-512. Default: 80 columns. To use an unlimited number of columns, enter 0.

Parameter: Lines
Description: Specifies the number of lines to display per page.
Supported Values: 0-512. Default: 24 lines. To disable paging, enter 0.

Parameter: Enable Edit of Command Line
Description: Enables command editing.
Supported Values: Selected (enabled) or deselected (disabled). Default: Selected

Parameter: Enable Control of Command History
Description: Enables the command history.
Supported Values: Selected (enabled) or deselected (disabled). Default: Selected

Parameter: History Size
Description: Specifies the number of commands the command history can contain.
Supported Values: 0-1000. Default: 256 commands

Config > System > Settings > Terminal > Banner


The banner sections enable you to configure the banner messages displayed
in the CLI. By default, the messages shown in bold type in the following
example are displayed:
login as: admin
Welcome to AX
Using keyboard-interactive authentication.
Password:
Last login: Thu Feb 7 13:44:32 2008 from 192.168.1.144

[type ? for help]

You can format banner text as a single line or multiple lines.


If you configure a banner message that occupies multiple lines, you must
specify the end marker. The end marker is a simple string up to 2 characters
long, each of which must be an ASCII character from the following
range: 0x21-0x7e. Pressing Enter at the end of each line is not necessary.
The multi-line banner text starts from the first line and ends at the marker. If
the end marker is on a new line by itself, the last line of the banner text will
be empty. If you do not want the last line to be empty, put the end marker at
the end of the last non-empty line.
1. To configure a banner:
a. Select the banner type, single-line or multi-line.
b. If you selected multi-line, enter the end marker value in the End
Marker field.
c. Enter the message in the Login Banner or Exec Banner field.
If the message is a multi-line message, you can add line breaks by
pressing Enter / Return at the end of every line. Do not type the end
marker at the end of the message. The GUI automatically places the
end marker at the end of the message text in the configuration.
2. If you are configuring both messages, repeat step 1 for the other message.
3. Click OK.


Config > System > Settings > Log


This menu option displays the following log configuration sections:
Log - Configures log levels and output options
Status - Configures display of the log on the Monitor > Overview > Status page
Table 112 lists the system log parameters you can configure.
TABLE 112 Log Parameters

Log Section

Parameter: Disposition
Description: Output options for each message level. For each message level, you can select which of the following output options to enable:
  Console - Messages are displayed in Console sessions.
  Buffered - Messages are stored in the system log buffer. The GUI system log lists the messages in this buffer.
  Email - Messages are sent to the email addresses in the Email To list. (See below.)
  Syslog - Messages are sent to the external log servers specified in the Log Server fields. (See below.)
  Monitor - Messages are displayed in Telnet and SSH sessions.
Supported Values: The following message levels can be individually selected for each output option: Emergency, Alert, Critical, Error, Warning, Notification, Information, Debug.

Parameters: Logging Email Filter; Logging Email Buffer Number; Logging Email Buffer Time
Description: Settings for sending log messages by email.
Supported Values: Only Emergency, Alert, Critical, and Notification can be selected for Email. See "Log Email Filter Configuration" on page 244.

Parameter: Facility
Description: Standard Syslog facility to use.
Supported Values: Standard Syslog facilities listed in RFC 3164.

Parameter: Log Buffer Entries
Description: Maximum number of log entries the log buffer can store.
Supported Values: 10000 to 50000 entries. Default: 30000

Parameter: Log Server
Description: IP addresses or fully-qualified domain names of external log servers. Only the message levels for which Syslog is selected in the Disposition list are sent to log servers.
Supported Values: Any valid IP address or fully-qualified domain name. Default: None configured

Parameter: Log Server Port
Description: Protocol port to which log messages sent to external log servers are addressed.
Supported Values: Any valid protocol port number. Default: 514

Parameter: Email To
Description: Email addresses to which to send log messages. Only the message levels for which Email is selected in the Disposition list are sent to log servers. Use a single space between each address. Formatting commands are not supported. For example, do not enter any of the following: \n, \r, \t. Addresses are allowed to wrap. Do not press the Enter key to force an address to go to the next line.
Supported Values: List of up to 10 email addresses. Use commas to separate the addresses. Each email address can be a maximum of 63 characters long.

Parameter: SMTP Server
Description: IP address or fully-qualified domain name of an email server using Simple Mail Transfer Protocol (SMTP).
Supported Values: Any valid IP address or fully-qualified domain name. Default: None configured

Parameter: SMTP Server Port
Description: Protocol port to which email messages sent to the SMTP server are addressed.
Supported Values: Any valid protocol port number. Default: 25

Parameter: Mail From
Description: Specifies the email From address.
Supported Values: Valid email address. Default: Not set

Parameter: Need Authentication
Description: Specifies whether access to the SMTP server requires authentication.
Supported Values: Selected (enabled) or unselected (disabled). Default: disabled

Parameter: Username
Description: Username required for access to the SMTP server.
Supported Values: Valid username. Default: Not set

Parameter: Password
Description: Password required for access to the SMTP server.
Supported Values: Valid password. Default: Not set

Status Section

Parameter: Level
Description: Specifies the log levels that are displayed on the Monitor > Overview > Status page. You also can change the display color for each message level.
Supported Values: Any of the following: Emergency, Alert, Critical, Error, Warning, Notification, Information, Debug. Default: All are enabled. For default and available colors, display the drop-down lists next to the message levels.

Parameter: Refresh Interval
Description: Specifies how often the Status page is automatically refreshed.
Supported Values: 5-60 seconds. Default: 10 seconds

Parameter: Entry Number
Description: Specifies how many log entries can be viewed on the Status page.
Supported Values: 10-1000 messages. Default: the 100 most recent messages

Log Email Filter Configuration
1. Select Config > System > Settings.
2. On the menu bar, select Log.
3. In the Logging Email Filter section, click Add. A configuration page for
the filter appears.
4. In the ID field, enter the filter ID, 1-8.
5. To immediately send matching messages in an email instead of buffering them, select Trigger. Otherwise, matching messages are buffered
until the message buffer becomes full or the send timer for emailed log
messages expires.
6. Construct the rest of the filter by selecting the conditions.
Note: The conditions must be selected in the order described here. Otherwise,
the filter will be invalid. If you accidentally configure an invalid filter,
you can click Clear to remove the filter conditions and start again.
a. Select the message severity level from the first drop-down list, at the
upper left, and click Add. To add more severity levels, repeat this
step for each severity level.
b. Optionally, select a software module from the second drop-down
list, to the right of the first drop-down list. Then click Add. To add
more modules, repeat this step for each module.
c. Optionally, enter a regular expression to specify message text to
match on, in the lower left entry field. Then click Add.
d. Select the operator from the drop-down list in the lower right field,
and click Add.
7. Click OK. The new filter appears in the Logging Email Filter section on
the Log page.
8. Optionally, to change the maximum number of log messages to buffer
before sending them in email, edit the number in the Logging Email
Buffer Number field. You can specify 16-256 messages. The default is
50.
9. Optionally, to change the number of minutes the AX device waits before
sending all buffered messages, edit the number in the Logging Email
Buffer Time field. This option takes effect if the buffer does not reach
the maximum number of messages allowed. You can specify 10-1440
minutes. The default is 10.
10. When finished configuring log settings, click OK.

FIGURE 16 Config > System > Settings > Log - Add (Logging Email Filter section)

FIGURE 17 Config > System > Settings > Log (Logging Email Filter added)

Config > System > Settings > General


This menu option provides the following suboptions for configuring general
system parameters:
Threshold
TFTP
Resource Usage
Config > System > Settings > General > Threshold
This option enables you to specify event thresholds for utilization of system
resources. If utilization of a system resource crosses the configured threshold, a log message is generated. If applicable, an SNMP trap is also generated.
Table 113 lists the thresholds you can configure.
TABLE 113 Threshold Parameters

Threshold Section

Parameter: System Temperature
Description: CPU temperature.
Supported Values: 1-68 C (degrees Centigrade). Default: 68

Parameter: Control CPU Usage
Description: Control CPU utilization.
Supported Values: 1-100 percent. Default: 90 percent

Parameter: Data CPU Usage
Description: Data CPU utilization.
Supported Values: 1-100 percent. Default: 90 percent

Parameter: Memory Usage
Description: Memory utilization.
Supported Values: 1-100 percent. Default: 95 percent

Parameter: Disk Usage
Description: Hard disk utilization.
Supported Values: 1-100 percent. Default: 85 percent

Parameter: Buffer Drop
Description: Packet buffer drops.
Supported Values: 1-32767 buffers per 10-second monitoring interval. Default: 100

Parameter: Buffer Usage
Description: Packet control buffer utilization.
Supported Values: 60000-120000 buffers. Default: 90000 buffers

Config > System > Settings > General > TFTP


This option enables you to increase the TFTP block size.
The TFTP block size is the maximum packet length the AX TFTP client can
use when sending or receiving files to or from a TFTP server. You can specify from 512-32768 bytes. The default is 512 bytes.
Increasing the TFTP block size can provide the following benefits:
TFTP file transfers can occur more quickly, since fewer blocks are required to send a file.
File transfer errors due to the server reaching its maximum block size before a file is transferred can be eliminated.

To determine the maximum file size a block size will allow, use the following formula: 1K-blocksize = 64MB-filesize

Block Size    Maximum File Size
1024          64 MB
8192          512 MB
32768         2048 MB

Increasing the TFTP block size of the AX device only increases the maximum block size supported by the AX device. The TFTP server also must
support larger block sizes. If the block size is larger than the TFTP server
supports, the file transfer will fail and a communication error will be displayed on the CLI terminal.
If the TFTP block size is larger than the IP Maximum Transmission Unit
(MTU) on any device involved in the file transfer, the TFTP packets will be
fragmented to fit within the MTU. The fragmentation will not increase the
number of blocks; however, it can re-add some overhead to the overall file
transmission speed.
Config > System > Settings > General > Resource Usage
This page enables you to reconfigure the system capacity for certain system
resources.
Table 114 lists the resource capacities you can configure. The supported
values and defaults may differ depending on the AX model.
TABLE 114 Resource Usage Parameters

Network Usage Limitation Section

Parameter: L4 Session
Description: Total Layer 4 sessions.

Parameter: NAT Pool Address
Description: Total IP source-NAT pool addresses.

Template Usage Limitation Section

Parameter: Client SSL Template
Description: Total configurable client-SSL templates.

Parameter: Connection Reuse Template
Description: Total configurable connection reuse templates.

Parameter: Fast-TCP Template
Description: Total configurable TCP templates.

Parameter: Fast-UDP Template
Description: Total configurable UDP templates.

Parameter: HTTP Template
Description: Total configurable HTTP templates.

Parameter: Persistent Cookie Template
Description: Total configurable cookie persistence templates.

Parameter: Persistent Source IP Template
Description: Total configurable source-IP persistence templates.

Parameter: Proxy Template
Description: Total configurable TCP-proxy templates.

Parameter: RTSP Template
Description: Total configurable RTSP (streaming-media) templates.

Parameter: Server SSL Template
Description: Total configurable server-SSL templates.

Template Usage Limitation Section

Parameter: Server Port
Description: Total configurable server ports.

Parameter: Server
Description: Total configurable servers.

Parameter: Service Group
Description: Total configurable service groups.

Parameter: Virtual Server Port
Description: Total configurable virtual server ports.

Parameter: Virtual Server
Description: Total configurable virtual servers.

Config > System > Settings > Boot


This menu option displays the boot image location from which the system
image will be loaded the next time the AX device is rebooted.
The AX device always tries to boot using the Hard Disk first. The Compact
Flash is used only if the hard drive is unavailable. You can select the primary or secondary image area on each boot device.
To change the priority, select Primary or Secondary, then click OK.


Config > System > Settings > Action


This menu option has the following sub-options:
Reload - Restarts AX system processes and reloads the startup-config, without also reloading the system image. (This option also closes all sessions.)
Shutdown - Powers down the AX device.
Reboot - Reboots the AX device.
Save - Syncs the configuration file (startup-config) with the running-config (running configuration), so that the startup-config includes all the current changes made to the running-config. (This is equivalent to clicking Save on the top of the GUI window.)
Logout - Ends your admin session. (This is equivalent to clicking Logout on the top of the GUI window.)

Config > System > Admin


The Admin pages enable you to configure and manage AX administrator
accounts.

Config > System > Admin > Administrator


This page lists the configured admin accounts.
Table 115 lists the admin parameters displayed in the admin table.

TABLE 115 Admin Parameters

Parameter: Name
Description: Login name for the admin.

Parameter: Role
Description: Privilege level for the account:
  Super Admin - Allows access to all levels of the system. This account is not the Root account and can be deleted. This account cannot configure other admin accounts. (Only the admin account that has Root privileges can configure other admin accounts.)
  Read Only Admin - Allows monitoring access to the system but not configuration access. In the CLI, this account can only access the User EXEC and Privileged EXEC levels, not the configuration levels. In the GUI, this account cannot modify configuration information.
  Partition Write Admin - The admin has read-write privileges within the private partition to which the admin is assigned. The admin has read-only privileges for the shared partition.
  Partition Read Admin - The admin has read-only privileges within the private partition to which the admin is assigned, and read-only privileges for the shared partition.
  Partition RS Operator - The admin is assigned to a private partition but has permission only to view service port statistics for real servers in the partition, and to disable or re-enable the real servers and their service ports.
  The Partition roles apply to Role-Based Administration (RBA). For information about this feature, see the "Role-Based Administration" chapter in the AX Series Configuration Guide.

Parameter: Partition
Description: Partition to which the admin is assigned. Note: This field applies only to admins with the Partition Write Admin, Partition Read Admin, or Partition RS Operator role.

Parameter: Trusted Host
Description: Host or subnet address from which the admin is allowed to log onto the AX device.

Parameter: Lockout Time
Description: If the account is locked, indicates how long the account has been locked.

Parameter: Scheduled Unlock
Description: If the account is locked, indicates how long the account will continue to be locked.

Parameter: Status (unlabeled)
Description: Current state of the account:
  The account is enabled.
  The account is disabled.
Admin Account Configuration


The Admin section is displayed when you click Add or click on an admin
name.
Table 116 lists the parameters you can configure in this section.

TABLE 116 Admin Configuration Parameters

Admin Section

Parameter: Administrator Name
Description: Login name for the admin.
Supported Values: 1-31 characters

Parameter: Change Administrator Password
Description: Enables you to change the admin password. When this option is selected, the Password and Confirm Password fields are displayed. Enter the admin's password into these fields.
Supported Values: 1-63 characters

Parameter: Trusted Host IP Address
Description: Specifies the host or subnet address from which the admin is allowed to log onto the AX device.
Supported Values: Valid IP address. Default: 0.0.0.0 (any address allowed)

Parameter: Netmask for Trusted Host
Description: Specifies the network mask for the trusted IP address.
Supported Values: Valid network mask. Default: 0.0.0.0 (any subnet allowed)

Parameter: Privilege
Description: Sets the privilege level for the account. (For descriptions, see Table 115 on page 249.) The Partition roles apply to Role-Based Administration (RBA). For information about this feature, see the "Role-Based Administration" chapter in the AX Series Configuration Guide. Selecting either role enables the Partition field. (See below.) Note: This field does not appear for the "admin" admin account, which always has Super Admin privileges and can configure other admin accounts.
Supported Values: One of the following: Super Admin, Read Only Admin, Partition Write Admin, Partition Read Admin, Partition RS Operator. Default: Read Only Admin

Parameter: Partition
Description: Specifies the partition to which the admin is assigned. Note: This field applies only to admins with the Partition Write Admin, Partition Read Admin, or Partition RS Operator role.
Supported Values: Enabled or Disabled. Default: Enabled

Parameter: Status
Description: Enables or disables the account. Note: This field does not appear for the "admin" admin account, which cannot be disabled.
Supported Values: Enabled or Disabled. Default: Enabled

Config > System > Admin > Partition


This page enables you to configure a private partition for Role-Based
Administration (RBA).
Note: For information about RBA, see the "Role-Based Administration" chapter
of the AX Series Configuration Guide.

The Partition table lists the private partitions that are configured on the AX
device. The partition name and the logo file associated with the partition are
shown.
The Partition section is displayed when you click Add or click on a partition
name.
Table 117 lists the parameters you can configure in this section.
TABLE 117 Partition Configuration Parameters

Partition Section

Parameter: Partition Name
Description: Name for the partition.
Supported Values: 1-14 characters

Parameter: Max aFleX Files
Description: Maximum number of aFleX policies the partition can have.
Supported Values: 1-128. Default: 32

Parameter: Current Logo Picture
Description: Shows the logo currently associated with this partition. Each private partition has a logo file associated with it. The logo appears in the upper left corner of the Web GUI when the partition is selected as the current partition for the GUI session. (See "System Partitions" on page 27.)
Supported Values: Supported value: A graphic file 180x60 pixels. Default: The A10 Networks logo is used.

Parameter: Change Logo Picture
Description: Enables you to replace the logo.
  1. Copy the logo file onto the PC on which you are running the browser for the GUI session.
  2. In this field, click Browse.
  3. Navigate to the logo file and click Open.
  4. Click OK.
Supported Values: Supported value: A graphic file 180x60 pixels. Default: The A10 Networks logo is used.

Config > System > Admin > Lockout Policy


This page enables you to configure the admin lockout policy. Admin lockout is a feature that disables an admin account after a specified number of
invalid login attempts (login attempts using the wrong password).
To set the lockout policy, select the Lockout Policy menu option. The Lockout Policy section appears.
Table 118 lists the parameters you can configure in this section.

TABLE 118 Lockout Policy Parameters

Lockout Policy Section

Parameter: Administrator lockout Feature
Description: Enables the feature.
Supported Values: Selected (enabled) or unselected (Disabled). Default: Unselected

Parameter: Administrator Lockout after
Description: Number of consecutive failed login attempts allowed before an administrator is locked out.
Supported Values: 1-10. Default: 5

Parameter: Lockout Time in
Description: Number of minutes a lockout remains in effect. After the lockout times out, the admin can try again to log in.
Supported Values: 0-1440 minutes. Default: 10 minutes. To keep accounts locked until you or another authorized administrator unlocks them, specify 0.

Parameter: Reset Lockout after
Description: Number of minutes the AX device remembers failed login attempts.
Supported Values: 1-1440 minutes. Default: 10 minutes

Config > System > Admin > External Authentication


These options enable you to configure RADIUS or TACACS+ servers to
use for external authentication of admin access to the AX device.
(For information about the authentication process, see the "Configuring
AAA for Admin Access" section in the "Management Security Features"
chapter of the AX Series Configuration Guide.)
Config > System > Admin > External Authentication > General
Enables you to specify the authentication types to use, and the order in
which to use them.
By default, when someone attempts to log into the AX device, the device
checks its local admin database for the username and password entered by
the person attempting to gain access.
Without additional configuration, the authentication process stops at this
point. If the admin username and password are in the local database, the
person is granted access. Otherwise, they are denied.
You can configure the AX device to also use external RADIUS or
TACACS+ servers for authentication. Only one external authentication
method (TACACS+ or RADIUS) can be used.
The local database must be included as one of the authentication sources,
regardless of the order in which the sources are used. Authentication using
only a remote server is not supported.
You can select one of the following:
Local Only - Check the AX device's local admin database only. (This is the default.)
Local/RADIUS - Check the AX device's local admin database first. If the admin name is not in the local database, check RADIUS.
RADIUS/Local - Check RADIUS first. If RADIUS is unavailable, check the local admin database.
Local/TACACS+ - Check the AX device's local admin database first. If the admin name is not in the local database, check TACACS+.
TACACS+/Local - Check TACACS+ first. If TACACS+ is unavailable, check the local admin database.

Note: If the same username is configured in the local database and on the
remote server but the passwords do not match, the order in which the
authentication sources are used determines whether the admin is granted
access. (For information, see the "Configuring AAA for Admin Access"
section of the "Management Security Features" chapter in the AX Series
Configuration Guide.)

Note: Unlike other admin accounts, the username "admin" has Root privileges.
To ensure against accidental lockout from the AX device, "admin" is
always authenticated using the local database only, regardless of the
authentication order used for other admin usernames.
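
The following Python model is an added example (not A10 code) that applies the authentication orders above literally, to show which stored password opens an account under each order when the local and remote passwords differ. The RemoteServer class, the sample accounts and the reading that a reject from the first-consulted source is final are assumptions made for illustration; the device's actual behaviour is described in the AX Series Configuration Guide.

```python
import hmac
from dataclasses import dataclass, field

ORDERS = ("Local Only", "Local/RADIUS", "RADIUS/Local",
          "Local/TACACS+", "TACACS+/Local")


def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class RemoteServer:
    """Stand-in for a RADIUS or TACACS+ server (hypothetical, not an A10 API)."""
    users: dict = field(default_factory=dict)
    available: bool = True

    def check(self, username, password):
        """Return True (accept), False (reject) or None (server unreachable)."""
        if not self.available:
            return None
        stored = self.users.get(username)
        return stored is not None and _same(stored, password)


def check_local(local_db, username, password):
    """Check a username and password against the local admin database."""
    stored = local_db.get(username)
    return stored is not None and _same(stored, password)


def authenticate(order, local_db, remote, username, password):
    """Return (granted, source consulted) for one login attempt."""
    if order not in ORDERS:
        raise ValueError(f"unknown authentication order: {order}")
    # Per the note above, "admin" is always authenticated locally.
    if username == "admin" or order == "Local Only":
        return check_local(local_db, username, password), "local"
    first = order.split("/")[0]
    if first == "Local":
        # The remote server is consulted only if the name is not in the local database.
        if username in local_db:
            return check_local(local_db, username, password), "local"
        return bool(remote.check(username, password)), "remote"
    # Remote first: the local database is consulted only if the server is unavailable.
    verdict = remote.check(username, password)
    if verdict is None:
        return check_local(local_db, username, password), "local"
    return verdict, "remote"  # assumption: an explicit reject is final


def accepted_credentials(order, local_db, remote, username):
    """List which stored password ("local", "remote") currently grants access."""
    accepted = []
    for label, db in (("local", local_db), ("remote", remote.users)):
        password = db.get(username)
        if password is not None and authenticate(
                order, local_db, remote, username, password)[0]:
            accepted.append(label)
    return accepted


# Constructed sample accounts: alice exists in both places with different passwords.
LOCAL_DB = {"admin": "local-root-pass", "alice": "old-local-pass"}
REMOTE_USERS = {"admin": "remote-admin-pass", "alice": "new-remote-pass",
                "bob": "bob-pass"}

if __name__ == "__main__":
    for available in (True, False):
        server = RemoteServer(users=dict(REMOTE_USERS), available=available)
        state = "up" if available else "down"
        for order in ORDERS:
            result = accepted_credentials(order, LOCAL_DB, server, "alice")
            print(f"remote {state:4} {order:14} alice accepted with: {result}")
```

Under a remote-first order, the local password for a duplicated username is honoured only while the remote server is unavailable, so local passwords for such accounts need the same rotation as the remote ones.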

Config > System > Admin > External Authentication > RADIUS
Enables you to configure RADIUS servers.
Table 119 lists the RADIUS server parameters you can configure.
TABLE 119 RADIUS Authentication Parameters

RADIUS Authentication Section

Parameter: Server 1
Description: Displays the RADIUS server configuration fields:
  Hostname - Hostname or IP address of the RADIUS server.
  Secret and Confirm Secret - Password required by the RADIUS server for authentication requests.
  Authentication - Protocol port number on which the RADIUS server listens for authentication requests.
  Account - Protocol port number on which the RADIUS server listens for accounting traffic.
  Retransmit - Maximum number of times the AX device can resend an unanswered authentication request to the server. If the AX device does not receive a reply to the final request, the AX device tries the secondary server, if one is configured.
  Timeout - Maximum number of seconds the AX device will wait for a reply to an authentication request before resending the request.
Supported Values: Valid values:
  Hostname - Hostname or IP address of the RADIUS server.
  Secret and Confirm Secret - String
  Authentication - 1-65535
  Account - 1-65535
  Retransmit - 0-5 retries
  Timeout - 1-15 seconds
Defaults:
  Hostname - Hostname or IP address of the RADIUS server.
  Secret and Confirm Secret - Not set
  Authentication - 1812
  Account - 1813
  Retransmit - 3 retries
  Timeout - 3 seconds

Parameter: Server 2
Description: Enables you to configure a second RADIUS server to use only as a backup if server 1 is unavailable. For parameter descriptions, see above.
Supported Values: See above.

Config > System > Admin > External Authentication > TACACS+
Table 120 lists the TACACS+ server parameters you can configure.
TABLE 120 TACACS+ Authentication Parameters

TACACS+ Authentication Section

Parameter: TACACS+ Server 1
Description: Displays the TACACS+ server configuration fields:
  Hostname - Hostname or IP address of the TACACS+ server.
  Secret and Confirm Secret - Password required by the TACACS+ server for authentication requests.
  Port - Protocol port number on which the TACACS+ server listens for authentication requests.
  Timeout - Maximum number of seconds the AX device will wait for a reply to an authentication request before resending the request.
Supported Values: Valid values:
  Hostname - Hostname or IP address of the TACACS+ server.
  Secret and Confirm Secret - String
  Port - 1-65535
  Timeout - 1-12 seconds
Defaults:
  Hostname - Hostname or IP address of the TACACS+ server.
  Secret and Confirm Secret - Not set
  Port - 49
  Timeout - 12 seconds

Parameter: TACACS+ Server 2
Description: Enables you to configure a second TACACS+ server to use only as a backup if server 1 is unavailable. For parameter descriptions, see above.
Supported Values: See above.

Config > System > Admin > Change Password


Enables you to change the password for the admin account under which you
are currently logged in.
Note: This option takes effect only if there are no other open admin sessions
using the same admin name.

Config > System > Access Control


The Access Control page controls management access to the AX device's
Ethernet interfaces. The management access settings apply to access
through the management interface, physical Ethernet data interfaces, and
Virtual Ethernet (VE) interfaces.

By default, certain types of management access through the AX device's
Ethernet interfaces are blocked. Table 121 lists the default settings for each
management service.

TABLE 121 Default Management Access

| Management Service | Ethernet Management Interface | Ethernet and VE Data Interfaces |
|---|---|---|
| SSH | Enabled | Disabled |
| Telnet | Disabled | Disabled |
| HTTP | Enabled | Disabled |
| HTTPS | Enabled | Disabled |
| SNMP | Enabled | Disabled |
| Ping | Enabled | Enabled |

You can enable or disable management access, for individual access types
and interfaces. You also can use an ACL to permit or deny management
access through the interface by specific hosts or subnets.
To change management access settings for interfaces:
1. For each interface (each row), select or de-select the checkboxes for the
access types.
2. To use an ACL to control access, select the ACL from the ACL dropdown list in the row for the interface.
3. After selecting the settings for all the interfaces, click OK.
To reset the access settings to the defaults listed in Table 121, click Reset to
Default.
Notes Regarding Use of ACLs
If you use an ACL to secure management access, the action in the ACL rule
that matches the management traffic's source address is used to permit or
deny access, regardless of other management access settings.
For example, if you disable Telnet access to a data interface, but you also
enable access to the interface using an ACL with permit rules, the ACL permits Telnet (and all other) access to the interface, for traffic that matches the
permit rules in the ACL.
If you want certain types of management access to be disabled on an interface, do not use a permit ACL to control management access to the interface.

Each ACL has an implicit "deny any any" rule at the end. If the management
traffic's source address does not match a permit rule in the ACL, the
implicit "deny any any" rule is used to deny access.
On data interfaces, you can disable or enable access to specific services and
also use an ACL to control access. However, on the management interface,
you can disable or enable access to specific services or control access using
an ACL, but you cannot do both.
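
The interaction between the per-service checkboxes and an ACL can be modelled as follows. This is an added example, not A10 code and not part of the original reference. It assumes the ACL matches on source address only, as described above, and the names `AclRule`, `Interface`, `access_allowed`, and `overridden_disables` are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Defaults from Table 121 (True = enabled).
MGMT_DEFAULTS = {"ssh": True, "telnet": False, "http": True,
                 "https": True, "snmp": True, "ping": True}
DATA_DEFAULTS = {"ssh": False, "telnet": False, "http": False,
                 "https": False, "snmp": False, "ping": True}


@dataclass
class AclRule:
    action: str  # "permit" or "deny"
    source: str  # source host or subnet, e.g. "10.0.0.0/24"


@dataclass
class Interface:
    name: str
    services: Dict[str, bool]            # per-service checkbox state
    acl: Optional[List[AclRule]] = None  # None = no ACL selected


def new_interface(name: str, management: bool = False) -> Interface:
    """Interface with the Table 121 defaults and no ACL."""
    defaults = MGMT_DEFAULTS if management else DATA_DEFAULTS
    return Interface(name, dict(defaults))


def acl_action(acl: List[AclRule], src: str) -> str:
    """First rule matching the source address wins; otherwise the
    implicit 'deny any any' at the end of every ACL applies."""
    addr = ip_address(src)
    for rule in acl:
        if addr in ip_network(rule.source):
            return rule.action
    return "deny"


def access_allowed(iface: Interface, service: str, src: str) -> bool:
    """Effective decision for one management request."""
    if service not in iface.services:
        raise ValueError(f"unknown management service: {service}")
    if iface.acl is not None:
        # The ACL action is used regardless of the checkbox settings.
        return acl_action(iface.acl, src) == "permit"
    return iface.services[service]


def effective_permits(acl: List[AclRule]) -> List[str]:
    """Permit sources not fully covered by a single earlier deny rule.
    Conservative: several earlier denies that only jointly cover a
    permit are not detected, so that permit is still reported."""
    live = []
    for i, rule in enumerate(acl):
        if rule.action != "permit":
            continue
        net = ip_network(rule.source)
        shadowed = any(
            prev.action == "deny"
            and ip_network(prev.source).version == net.version
            and net.subnet_of(ip_network(prev.source))
            for prev in acl[:i]
        )
        if not shadowed:
            live.append(rule.source)
    return live


def overridden_disables(iface: Interface) -> Dict[str, List[str]]:
    """Services whose checkbox is disabled but which the bound ACL
    still opens to the listed permit sources."""
    if iface.acl is None:
        return {}
    permits = effective_permits(iface.acl)
    if not permits:
        return {}
    return {svc: permits for svc, on in iface.services.items() if not on}


if __name__ == "__main__":
    # Constructed sample: data interface with defaults plus a permit ACL.
    eth1 = new_interface("ethernet1")
    eth1.acl = [AclRule("permit", "10.0.0.0/24")]
    print(access_allowed(eth1, "telnet", "10.0.0.5"))
    print(overridden_disables(eth1))
```

Running `overridden_disables` over each interface's settings is a quick way to find services that are unchecked on the Access Control page but still reachable from the ACL's permit sources.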

Config > System > Time


The Time pages enable you to set the system time and date and select the
timezone.
Note: You do not need to configure Daylight Savings Time. The AX device automatically adjusts the time for Daylight Savings Time based on the timezone you select.

Note: If you use the GUI or CLI to change the AX timezone or system time, the statistical database is cleared. This database contains general system statistics (performance, and CPU, memory, and disk utilization) and SLB statistics. For example, in the GUI, the graphs displayed on the Monitor > Overview page are cleared.

Note: If the system clock is adjusted while OSPF or RIP is enabled, the routing protocols may stop working properly. To work around this issue, disable OSPF and RIP before adjusting the system clock.

Config > System > Time > Time > Date/Time

This page enables you to configure the system time and date. You can use
one of the following methods:
- Set the AX device to synchronize with a Network Time Protocol (NTP) server.
- Set the AX device to synchronize with the local system time on the PC you are using to access the GUI.
- Manually set the date and time.

Table 122 lists the configuration options on the Date/Time section.

TABLE 122 Date/Time Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| Date/Time Section | | |
| Date | Manually sets the date. Click the icon at the right of the field to open a calendar from which you can select the date. | Depends on when the device was first booted |
| Time | Manually sets the time, in hh:mm:ss format. | Depends on when the device was first booted |
| Sync Local Time | Synchronizes the AX date and time with the local system time on the PC you are using to access the GUI. | N/A |
| Automatically Synchronize with Internet Time Server (NTP) | Activates the NTP input fields and disables the Date and Time fields. If NTP servers are configured and at least one of them is enabled, the checkbox is selected. If NTP servers are configured but none of them are enabled, the checkbox is un-selected. Likewise, if no NTP servers are configured, the checkbox is un-selected. Select it to enable the NTP configuration fields. | Selected (enabled) or unselected (Disabled). Default: Unselected |
| NTP | Specifies the hostnames or IP addresses of the NTP servers and how often the AX device resynchronizes with them. 1. Enter the NTP server IP address in the NTP Server field. 2. Optionally, edit the synchronization interval in the Interval field. 3. Click Add. 4. Click OK. You can configure a maximum of 4 NTP servers. | 1-518400 minutes. Default: 1440 minutes |

Config > System > Time > Time > Time Zone
Use this section to select the timezone for the AX device. Select the timezone from the list, then click OK.
Daylight Savings Time (DST) is enabled by default, if applicable to the
selected timezone. To disable DST, select the Disable Daylight Saving Time
checkbox.


Config > System > SNMP


The SNMP sections enable you to configure the Simple Network Management
Protocol (SNMP) settings.
The following sections are available:
- General
- Community
- Trap
- Trap List
- SNMP MIB Download

Note: Some traps are triggered by a configurable threshold. The thresholds in the trap descriptions below are the default thresholds. To change an event threshold, use the monitor command at the global configuration level of the CLI.

Note: You can configure SNMPv1 and v2c settings using the GUI. To configure SNMPv3 settings, use the CLI.

Table 123 lists the configuration options on the SNMP sections.

TABLE 123 General SNMP Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| General Section | | |
| System SNMP Service | Specifies the state of the SNMP service on the AX device. | Enabled or Disabled. Default: Disabled |
| System Location | Specifies the AX location. | String. Default: Not set |
| System Contact | Specifies who to contact regarding the AX device. | String. Default: Not set |
| Community Section | | |
| SNMP Community | Name of a read-only SNMP community. Note: Only read-only strings are supported. | String |
| Hostname | Specifies the hosts or subnet that is allowed to access the community. Only the specified host or subnet can receive SNMP data from the AX device by sending a GET request to this community. | Valid subnet or host address. Default: Not set (any host or subnet is allowed) |
| Object Identifier | Restricts the objects that the AX device returns in response to GET requests. Values are returned only for the objects within or under the specified OID. Note: The OID for A10 Networks AX objects is 1.3.6.1.4.1.22610. | Valid OID. Default: Not set (all objects can be accessed) |
| Trap Section | | |
| Community | Specifies the community string for the traps. | Valid community string. Default: public |
| IP Address | Specifies the IP address of the trap receiver. | Valid IP address. Default: Not set |
| Port | Specifies the UDP port to which the AX device will send the traps. | 1-65535. Default: 162 |
| Version | Specifies the SNMP version. | V1 or V2c. Default: V1 |
| Trap List Section | | |
| All Traps | Enables all traps. | Selected (enabled) or unselected (disabled). Default: Unselected |
| SNMP Group | Enables all SNMP traps. Selecting this option disables the checkboxes for the individual traps in the group. To disable only certain traps in the group, leave SNMP Group unselected, and select the individual traps instead. The same applies to the other group options described below. The SNMP group contains the following traps: | Selected (enabled) or unselected (disabled). Default: Unselected |
| | Link Down - Indicates that an Ethernet interface has gone down. | |
| | Link Up - Indicates that an Ethernet interface has come up. | |
| SLB Group | Enables all Server Load Balancing (SLB) traps. The SLB group contains the following traps: | Selected (enabled) or unselected (disabled). Default: Unselected |
| | Service Down - Indicates that an SLB service has gone down. | |
| | Service Up - Indicates that an SLB service has come up. | |
| | Server Down - Indicates that an SLB server has gone down. | |
| | Server Up - Indicates that an SLB server has come up. | |
| | Service Connection Limit - Indicates that an SLB service has reached its configured connection limit. | |
| | Service Connection Resume - Indicates that an SLB service has reached its configured connection-resume value. | |
| | Service Conn-Rate-Limit - Indicates that an SLB service has reached its configured connection limit. | |
| | Server Connection Limit - Indicates that an SLB server has reached its configured connection limit. | |
| | Server Conn-Rate-Limit - Indicates that an SLB server has reached its configured connection rate limit. | |
| | Server Connection Resume - Indicates that an SLB server has reached its configured connection-resume value. | |
| | Virtual Port Down - Indicates that an SLB virtual service port has gone down. | |
| | Virtual Port Up - Indicates that an SLB virtual service port has come up. An SLB virtual server's service port is up when at least one member (real server and real port) in the service group bound to the virtual port is up. | |
| | Virtual Port Reach Conn-Limit - Indicates that the connection limit configured on a virtual port has been exceeded. | |
| | Virtual Port Reach Conn-Rate-Limit - Indicates that the connection rate limit configured on a virtual port has been exceeded. | |
| | Virtual Server Reach Conn-Limit - Indicates that the connection limit configured on a virtual server has been exceeded. | |
| | Virtual Server Reach Conn-Rate-Limit - Indicates that the connection rate limit configured on a virtual server has been exceeded. | |
| | App Buffer Reach Limit - Indicates that the configured SLB application buffer threshold has been exceeded. (See "Config > System > Settings > General > Threshold" on page 246.) | |
| HA Group | Enables all High Availability (HA) traps. The HA group contains the following traps: | Selected (enabled) or unselected (disabled). Default: Unselected |
| | Standby - Indicates that the AX device is going from HA Active mode to Standby mode. | |
| | Active - Indicates that the AX device is going from HA Standby mode to Active mode. | |
| | Active-Active - Indicates that an Active-Active configuration has been enabled. | |
| Network Group | Enables all Network traps. The Network group contains the following trap: | Selected (enabled) or unselected (disabled). Default: Unselected |
| | Trunk Port Threshold - Indicates that the trunk ports threshold feature has disabled trunk members because the number of up ports in the trunk has fallen below the configured threshold. (See "Config > Network > Trunk" on page 224.) | |
| System Group | Enables all system-level traps. The System group contains the following traps: | Selected (enabled) or unselected (disabled). Default: Unselected |
| | Start - Indicates that the AX device has started. | |
| | Shutdown - Indicates that the AX device has shut down. | |
| | Reload - Indicates that the AX device is going to reboot or reload. | |
| | High Temperature - Indicates that the temperature inside the AX chassis has exceeded the configured threshold. (See "Config > System > Settings > General > Threshold" on page 246.) | |
| | Fan - Indicates that a system fan has failed. Contact A10 Networks. | |
| | Primary Hard Disk - Indicates that the primary Hard Disk has failed or the RAID system has failed. In dual-disk models, the primary Hard Disk is the one on the left, as you are facing the front of the AX chassis. | |
| | Secondary Hard Disk - Indicates that the secondary Hard Disk has failed or the RAID system has failed. The secondary Hard Disk is the one on the right, as you are facing the front of the AX chassis. Note: This trap does not apply to the following models: AX 2500, AX 2600, AX 3000, AX 5100, or AX 5200. | |
| | High Memory Usage - Indicates that the memory usage has exceeded the configured threshold. (See "Config > System > Settings > General > Threshold" on page 246.) | |
| | High Control CPU Usage - Indicates that the control CPU utilization has exceeded the configured threshold. (See "Config > System > Settings > General > Threshold" on page 246.) | |
| | High Data CPU Usage - Indicates that data CPU utilization has exceeded the configured threshold. (See "Config > System > Settings > General > Threshold" on page 246.) | |
| | System High Disk Usage - Indicates that hard disk usage has exceeded the configured threshold. (See "Config > System > Settings > General > Threshold" on page 246.) | |
| | System Drop Packet - Indicates that the system has dropped more than the configured threshold. (See "Config > System > Settings > General > Threshold" on page 246.) | |
| | Power Supply - Indicates that an upper power supply has failed. Contact A10 Networks. | |
| AX SNMP MIB Download | Web link to download the AX Management Information Base (MIB) files. For information about the AX MIBs, see AX Series MIB Reference. | N/A |


Config > System > Maintenance


The following sections describe the maintenance options for the AX Series
system software and configuration files.
Note: System Reload - When performing an upgrade, allow up to five minutes for the reload procedure to complete, during which time the system performs a full reload and will be offline. The actual time may vary depending on system parameters.

Config > System > Maintenance > Upgrade

This menu option displays the Upgrade page, which you can use to upgrade
the system image on the AX device.

Note: For complete upgrade instructions, see the release notes for the AX release to which you plan to upgrade.

Table 124 lists the options on the Upgrade page.


TABLE 124 Upgrade Settings

| Parameter | Description | Supported Values |
|---|---|---|
| Upgrade Section | | |
| Media | Specifies the boot device onto which you want to install the upgrade. | One of the following: Hard Disk, Compact Flash, Both. Default: Hard Disk |
| Destination | Specifies the image area on the selected boot device(s). | One of the following: Primary, Secondary. Default: Primary |
| Reboot | Specifies whether the AX device will reboot automatically after installing the upgrade. | Yes or No. Default: No |
| Upgrade from | Specifies whether the image you are installing is located locally on the PC you are using to access the GUI, or is located on a remote file server. If Local is selected, the Filename field appears. If Remote is selected, the other fields listed below appear. | Local or Remote. Default: Local |
| Filename | Directory path and filename for the image, if locally stored on the PC you are using. 1. Click Browse. 2. Navigate to the image file. 3. Click Open. 4. Click OK. | Valid path and file name |
| The following fields are applicable only if you select Remote. | | |
| Use Management Port | Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface. Note: For information about the data and management route tables, see the "Using the Management Interface as the Source for Management Traffic" chapter in the AX Series Configuration Guide. | Enabled or disabled. Default: Disabled |
| Protocol | If you select to upgrade from a remote device, this field appears. You can use it to specify the file transfer protocol to use. | One of the following: FTP, TFTP, RCP, SCP. Default: FTP |
| Host | If you select to upgrade from a remote device, this field appears. You can use it to specify the IP address of the remote file server. | Valid IP address. Default: Not set |
| Port | If you select to upgrade from an FTP server, this field appears. You can use it to specify the protocol port on the server to which to send the file transfer request. | 1-65535. Default: Depends on the file transfer protocol selected |
| Location | Directory path and filename of the image file on the remote server. Enter the path relative to the root directory for the file transfer method. For example, if using FTP, enter a path relative to the FTP directory. | String. Default: Not set |
| User | Username for logging onto the remote server, if required. | String. Default: Not set |
| Password | Password for logging onto the remote server, if required. | String. Default: Not set |


Config > System > Maintenance > Backup


This menu option provides the following sub-options:
- System - Displays a page for selecting the location where to save a copy of the AX configuration. This option backs up the startup-config file, aFleX files, and SSL certificates and keys.
- Config - Displays a page for selecting the configuration to back up (startup-config or running-config) and the location where to save it.
- Syslog - Displays a page for selecting the location where to save a copy of the entries in the AX log buffer.

The Local and Remote location options work the same as described in
Table 124 on page 265.

Config > System > Maintenance > Restore


You can restore the AX Series to a saved backup configuration from a previously saved backup file on either a local or a remote host.
This menu option provides the following sub-options:
- System - Displays a page for selecting the location from where to restore the AX configuration. This option restores the startup-config file, aFleX files, and SSL certificates and keys saved in the system backup.
- Config - Displays a page for selecting the configuration to restore (startup-config or running-config) and the location from where to restore it.

The Local and Remote location options work the same as described in
Table 124 on page 265.

Note: System Reboot - When performing a restore, allow five minutes for the backup procedure to complete, during which time the system performs a full reset and will be offline. The actual time may vary depending on system parameters.


Config > HA
The HA pages enable you to configure options for High Availability.

Note: Before configuring any HA options, see the "High Availability" chapter in the AX Series Configuration Guide for detailed information about how HA works and how to configure it.

Config > HA > Setting


This option provides access to the following suboptions:
- HA Global - Displays a page for configuring global HA settings. This is the only page you need to configure Layer 3 HA.
- HA Inline Mode - Displays a page for configuring Layer 2 inline mode HA. You need to use both the Global and HA Inline Mode pages to configure Layer 2 HA.

Config > HA > Setting > HA Global


The menu option displays the following sections.
- General
- Group
- Floating IP Address
- Status Check

Table 125 lists the configuration options in the HA Global sections.


TABLE 125 Global HA Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| General Section | | |
| HA Status | State of the HA feature on this AX device. | Yes or No. Default: No |
| Identifier | HA ID of the AX device. The HA ID uniquely identifies the AX device within the HA pair. | 1 or 2. Select 1 on one of the AX devices and select 2 on the other AX device. |
| Set ID | Set ID of the HA pair this AX is in. The HA set ID specifies the HA set to which the AX device belongs. This parameter is applicable to configurations that use multiple AX pairs. To set this option if needed, use 1 or higher. Use the same set ID on both AX devices in this HA pair. If there is only one HA pair in the network, you do not need to use this option. | 1-7. Default: Not set |
| Preempt Status | Controls whether failovers can be caused by configuration changes to HA priority. | Yes or No. Default: No |
| Time Interval | Specifies the amount of time between sending each heartbeat message. | 1-255 units of 100 ms each. Default: 200 ms (0.2 seconds) |
| HA Mirroring IP Address | Specifies the IP address of the other AX device in the HA configuration. | Valid IP address. Default: Not set |
| Timeout Retries | Specifies the number of times the HA time interval can expire before the Standby AX device fails over to become the Active AX device. | 2-255. Default: 5 |
| ARP Retry | Specifies the number of additional gratuitous ARPs, in addition to the first one, an AX sends after transitioning from Standby to Active in an HA configuration. | 1-255. Default: 4 additional gratuitous ARPs, for a total of 5 |
| Group Section | | |
| Group | Adds the AX device to HA groups and sets the priorities for each group. In Active-Standby configurations, configure only one HA group. Use the same group ID on each AX device. In Layer 3 Active-Active configurations, to make one AX device active for some virtual servers and make the other AX device active for the other virtual servers, configure both HA groups (1 and 2) and give them different priorities. Use the same group IDs for the same virtual servers on each AX device. | Group ID can be 1-31. Priority can be 1 (low priority) to 255 (high priority). Default: Not set |
| Floating IP Address Section | | |
| Floating IP Address | Specifies the IP address that downstream devices should use as their default gateway. The same address is shared by both AX devices in the HA pair. Regardless of which device is Active, downstream devices can reach their default gateway at this IP address. | Default: not set |
| Status Check Section | | |
| IP Address | Checks the health of gateways and changes HA status if a gateway fails its health check. To configure gateway-based failover: 1. Configure a health monitor that uses the ICMP method. (See "Config > Service > Health Monitor > Health Monitor" on page 163.) 2. Configure the gateway as an SLB real server and apply the ICMP health monitor to the server. (See "Config > Service > SLB > Server" on page 100.) 3. Enable HA checking for the gateway. In the Status section, enter the gateway IP address in the Gateway field, and click Add. | Default: not set |
| VLAN | Checks the health of VLANs and changes HA status if a VLAN stops responding. To configure VLAN-based failover: 1. Enter the VLAN ID in the VLAN ID field. 2. In the Timeout field, enter the number of seconds a VLAN can be silent before triggering an HA status change. 3. Click Add. | Default: not set. The timeout can be 2-600 seconds. You must specify the timeout. Although there is no default, A10 recommends trying 30 seconds. |

Config > HA > Setting > HA Inline Mode


The menu option displays the HA Inline Mode section.
Table 126 lists the configuration options in the General section for HA
inline mode.
TABLE 126 HA Inline Mode Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| HA Inline Mode Section | | |
| Inline Mode Status | Enables inline mode. | Yes or No. Default: No |
| Preferred Port | Specifies the HA interface to use for session synchronization and for management traffic between the AX devices. | AX Ethernet interface enabled for HA. Default: The AX selects the Active AX device's preferred HA port as follows: 1. Is a preferred port specified with the inline configuration, and is the port up? If so, use the port. 2. If no preferred HA port is specified in the configuration or that port is down, the first HA interface that came up on the AX is used as the preferred HA port. If the preferred HA port selected by 1. or 2. above goes down, the HA interface with the lowest port number is used. If that port also goes down, the HA interface with the next-lowest port number is used, and so on. |
| Restart Time | Amount of time interfaces in the restart port list remain disabled following a failover. | 1-100 units of 100 milliseconds (ms). Default: 20 units of 100 ms (2 seconds) |
| Restart Port List | List of Ethernet interfaces on the previously Active AX device to toggle (shut down and restart) following HA failover. | AX Ethernet interfaces. Default: Not set |
| L3 Inline Mode | Enables blocking of traffic loops in a gateway (Layer 3) hot-standby HA configuration. | Enabled or Disabled. Default: Disabled |
| Link Event Delay | Amount of time the AX device waits before changing the HA state (Up, Partially Up, or Down) in response to link-state changes on the HA interfaces. | 100 - 10000 milliseconds (ms). The value you specify must be divisible by 100 ms. Default: 3000 ms (3 seconds) |

Config > HA > Setting > HA Interface


This option enables you to configure HA settings on Ethernet data interfaces.
To enable or disable HA on individual interfaces, select the interfaces, then
click Enable or Disable. The status change is shown in the HA status column.
When you click on an interface name, the VIP section is displayed.

Table 127 lists the configuration options in the VIP section.
TABLE 127 HA Interface Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| VIP Section | | |
| Status | Specifies whether the interface is an HA interface. | Enabled or Disabled. Default: Disabled |
| HA Status | Enables or disables configuration of HA interface parameters. | Enabled or Disabled. Default: Disabled |
| Type | Identifies the type of device connected to the HA interface: | One of the following: None, Router-Interface, Server-Interface, Both. Default: None |
| | None - The device type does not affect calculation of HA state. | |
| | Router-Interface - The interface is connected to an upstream router. | |
| | Server-Interface - The interface is connected to a real server. | |
| | Both - The interface is connected to an upstream router and a real server. | |
| Heartbeat | Enables or disables heartbeat messages on the interface. To restrict the heartbeat messages to a specific VLAN, enter the VLAN ID in the VLAN field. Note: If the interface is tagged and heartbeat messages are enabled, you must specify the VLAN. | Enabled or Disabled. Default: Disabled. When enabled, heartbeat messages are enabled for all VLANs. |
| VLAN | Specifies the VLAN on which heartbeat messages are enabled. | VLAN ID. Heartbeat messages are enabled for all VLANs. However, if the interface is tagged and heartbeat messages are enabled, you must specify the VLAN ID. |


Config > HA > Config Sync


This page enables you to synchronize the Layer 4-7 configuration information on the AX devices in an HA pair.

Requirements

Session synchronization (connection mirroring) is required for config sync.
Config sync uses the session synchronization link. To enable session synchronization, see "Config > HA > Setting > HA Global" on page 268.
SSH management access must be enabled on both ends of the link. (See
"Config > System > Access Control" on page 256.)

Note: Before performing a config-sync procedure, see the "Synchronizing HA Information" section in the "High Availability" chapter of the AX Series Configuration Guide.

Performing Config Sync

To synchronize the Layer 4-7 configuration information with the other AX
device in the HA pair:
1. In the User and Password fields, enter the admin username and password for logging onto the other AX device.
2. If Role-Based Administration (RBA) is configured on the AX device, select whether to synchronize all partitions or only the currently selected partition. (See "System Partitions" on page 27. Also see the "Synchronizing the Configuration" section in the "Role-Based Administration" chapter of the AX Series Configuration Guide.)
   Note: This option is applicable only if you are logged on with Root or Super Admin privileges.
3. Next to Operation, select the information to be copied to the other AX device:
   - All - Copies all the following to the other AX device:
     - Admin accounts and settings
     - Floating IP addresses
     - IP NAT configuration
     - Access control lists (ACLs)
     - Health monitors
     - Policy-based SLB (black/white lists)
     - SLB
     - FWLB
     - GSLB
     - Data files (see below)
     The items listed above that appear in the configuration file are copied to the other AX device's running-config.
   - Data Files - Copies only the SSL certificates and private-key files, aFleX files, External health check files, and black/white-list files to the other AX device
   - Running-config - Copies everything listed for the All option, except the data files, from this AX device's running-config
   - Startup-config - Copies everything listed for the All option, except the data files, from this AX device's startup-config
4. Next to Peer Option, select the target for the synchronization:
   - To Running-config - Copies the items selected in step 3 to the other AX device's running-config
   - To Startup-config - Copies the items selected in step 3 to the other AX device's startup-config
5. To reload the other AX device after synchronization, select With Reload. Otherwise, the other AX device is not reloaded following the synchronization.
   Note: In some cases, reload either is automatic or is not allowed. See the "Synchronizing HA Information" section in the "High Availability" chapter of the AX Series Configuration Guide.
6. Click OK.
