Management of FlowSpec with FNM Manager PRO
The use of FlowSpec in FNM Manager PRO allows network administrators to configure and manage traffic mitigation rules efficiently through an intuitive web interface. This functionality is designed to simplify the implementation of advanced configurations without the need for command-line usage.
FlowSpec Configuration in the Web Panel
Enabling FlowSpec
- Navigate to the BGP, FlowSpec & Scrubbing section in the main menu of the panel.
- Enable the Enable Flow spec Support option to activate the FlowSpec functionality across the configuration.
Configuring BGP Peers
- In the same section, configure the BGP peers by clicking on the Edit Peer BGP option.
- Enter the necessary information, such as Local Address, Local ASN, Remote Address, and Remote ASN.
- Enable the Enable ipv4_flowspec and Enable ipv6_flowspec options to support FlowSpec.
- Save the changes by clicking on Save BGP Peer.
Advanced FlowSpec Options
In the Flow Spec Settings section, several advanced options are available to customize the behavior of FlowSpec:
- Enable mitigations per each hostgroups: Allows applying specific mitigations at the hostgroup level.
- Threshold specific ban details: Activates advanced logic that applies rules based on traffic crossing defined thresholds.
- Options to exclude specific fields from FlowSpec rules, such as:
  - flow_spec_do_not_process_ip_fragmentation_flags_field
  - flow_spec_do_not_process_length_field
  - flow_spec_do_not_process_source_address_field
  - flow_spec_do_not_process_tcp_flags_field

These options are useful to adapt to limitations of different hardware vendors and optimize performance. Check your vendor's documentation for the specific configuration required for your device.
Actions and Traffic Limits
- In the panel configuration, you can define the default action for FlowSpec rules (e.g., discard, rate-limit, accept).
- If you select rate-limit, specify the speed limit in bytes per second in the corresponding field.
Activation by Hostgroups
- To enable FlowSpec for specific groups, navigate to the desired hostgroup configuration.
- Enable the Enable bgp_flow_spec for this hostgroup option.
- Save the changes to apply the configuration.
Custom FlowSpec Rules
FNM Manager PRO allows the creation of custom FlowSpec rules through its Custom FlowSpec Rules section. This functionality gives administrators the flexibility to configure specific rules according to network needs and apply them in various ways.
Creating and Publishing Rules
- In the web panel, navigate to Block Manager > Create Custom FlowSpec Rules (PRO).
- Fill in the required fields to define a custom rule:
  - Source Prefix and Destination Prefix: Enter prefixes with their CIDR mask.
  - Source Port and Destination Port: Define the source and destination ports.
  - Protocol: Select the relevant protocol (e.g., UDP, TCP).
  - Fragmented: Specify whether to include fragmented packets.
  - Packet Lengths and TCP Flags: Configure packet lengths and TCP flags as appropriate.
  - Action Type: Choose the action to take (e.g., discard, rate-limit).
- Optionally, you can:
  - Save the rule in the database for future activation.
  - Publish the rule directly through BGP.
Rule Validation
The flow_spec_execute_validation option validates the source and destination prefixes entered in the rules to ensure they comply with requirements, such as being declared in the networks list. This option can be disabled in scenarios where custom rules need to be created without validation restrictions, keeping in mind that this might increase the risk of configuration errors.
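The following is an added example, not code from FNM Manager PRO itself: a small Python model of the Custom FlowSpec Rules form fields described above, with a validator that mirrors what flow_spec_execute_validation does (prefixes must fall inside a declared network) plus the basic consistency checks a rule needs before it is published. The class, the function names and the sample networks list are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of the panel's networks list (documentation prefixes only).
NETWORKS_LIST = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("2001:db8::/32")]


@dataclass
class FlowSpecRule:  # field names mirror the form; the class itself is an assumption
    destination_prefix: str
    source_prefix: Optional[str] = None
    protocol: Optional[str] = None            # "tcp", "udp", ...
    source_port: Optional[int] = None
    destination_port: Optional[int] = None
    fragmented: bool = False
    packet_lengths: List[int] = field(default_factory=list)
    tcp_flags: List[str] = field(default_factory=list)
    action: str = "discard"                   # discard, rate-limit or accept
    rate_limit_bps: Optional[int] = None      # bytes per second, rate-limit only


def validate_rule(rule: FlowSpecRule, networks=NETWORKS_LIST,
                  execute_validation: bool = True) -> List[str]:
    """Return the problems found; an empty list means the rule is acceptable.
    execute_validation models flow_spec_execute_validation: when True, every
    prefix in the rule must lie inside a prefix declared in the networks list."""
    errors = []
    for label, prefix in (("Destination Prefix", rule.destination_prefix),
                          ("Source Prefix", rule.source_prefix)):
        if prefix is None:
            continue
        try:
            net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set
        except ValueError:
            errors.append(f"{label} {prefix!r} is not a valid CIDR prefix")
            continue
        if execute_validation and not any(
                net.subnet_of(n) for n in networks if n.version == net.version):
            errors.append(f"{label} {prefix} is not declared in the networks list")
    for label, port in (("Source Port", rule.source_port),
                        ("Destination Port", rule.destination_port)):
        if port is not None and not 0 <= port <= 65535:
            errors.append(f"{label} {port} is out of range")
    if rule.tcp_flags and rule.protocol != "tcp":
        errors.append("TCP Flags require Protocol tcp")
    if rule.action not in ("discard", "rate-limit", "accept"):
        errors.append(f"Action Type {rule.action!r} is not supported")
    if rule.action == "rate-limit" and not (rule.rate_limit_bps and rule.rate_limit_bps > 0):
        errors.append("rate-limit requires a positive speed limit in bytes per second")
    return errors
```

Running the validator with execute_validation=False reproduces the behaviour of disabling the option: a prefix outside the networks list is accepted, which is exactly the configuration-error risk the text warns about.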
Activating Saved Rules
From the Saved FlowSpec Rules section, previously saved rules can:
- Be published directly via the web panel by clicking the Resend All option.
- Be activated through integrations such as Telegram Bot Manager using the /flowspec command, enabling efficient and flexible remote control.
Considerations
- Verify that your routers support FlowSpec and configure the necessary AFI capabilities.
- The panel configurations are compatible with most router vendors, including Cisco, Juniper, and Huawei.
With these options, FNM Manager PRO offers complete and flexible control over FlowSpec rules, facilitating attack mitigation and the management of malicious traffic.