/cfg/security/eaaf
ERT Active Attackers Feed Menu
ERT Active Attackers Feed is a security feature that protects Alteon from known malicious IP addresses.
Using a dynamic list of IP addresses, the Alteon security administrator can easily and effectively stop network-based IP threats that are targeting the network.
The administrator can define whether to allow, block, or alert on malicious IP addresses based on region, category (Tor Exit Nodes or Malicious IPs), and risk severity level.
An ERT Active Attackers Feed license (Secure package + Secure subscription) is required for the ERT Active Attackers Feed functionality.
You can enable ERT Active Attackers Feed for each vADC from the ADC-VX interface.
Note: Applying ERT Active Attackers Feed to:
*A VA requires a VA reset to allocate the required memory for the feed.
*At least one vADC requires a VX reboot to allocate the required memory for the feed (which is downloaded to the VX level).
 
[ERT Active Attackers Feed Menu]
     action   - Set IP Reputation action
     country  - Block/Unblock countries menu
     wlist    - IP Allowlist menu
     eaaf     - Enable/disable ERT Active Attackers Feed service
     indirect - Feed download location
     endpoint - Set vision/Cyber controller endpoint for indirect feed download
     vision   - Vision Url
     cur      - Display current ERT Active Attackers Feed configuration
     trevpol  - Set Traffic Event Log Policy
     aggrgate - Set aggregation time of events
     evntrate - Set the maximum number of EAAF events to send per second for every single IP
 
ERT Active Attackers Feed Menu Options (/cfg/security/eaaf) 
Command Syntax and Usage
action <category|severity level>
 
Specifies whether to allow, block, or alert on malicious IP addresses based on category and risk severity level.
Values
*Category — spam, malware, all
*Severity level — low, medium, high, all
Default: allow (for all categories and risk levels)
country
 
Displays the Blocked Countries List menu which allows you to specify whether to allow or block traffic from listed countries.
Values:
*add — Blocks traffic from IP addresses in the specified country.
*rem — Allows traffic from IP addresses in the specified country.
*cur — Displays a list of countries from which traffic is blocked.
wlist
 
Displays the IP Allowlist menu which allows you to specify whether to allow or block traffic from listed IP addresses.
Values:
*addwhite — Allows traffic from IP addresses in the specified country.
*remwhite — Blocks traffic from IP addresses in the specified country.
*cur — Displays a list of IP addresses from which traffic is allowed.
eaaf disabled|enabled
 
Specifies whether to enable the ERT Active Attackers Feed feature.
You need a valid license to enable this functionality.
Note: Enabling EAAF requires a device reboot (VA or VX) to allocate the necessary memory for the feed.
Default: disabled
cur
 
Displays the current ERT Active Attackers Feed settings.
indirect disabled|enabled
 
Specifies whether to process the feed coming to Alteon from the Radware domain.
Note: If indirect is enabled, you have to configure the Cyber Controller/APSolute Vision endpoint.
Default: disabled
endpoint manual|active
 
Sets the Cyber Controller/APSolute Vision reporter parameters. 
*manual - Sets the Cyber Controller/APSolute Vision IP address from which to retrieve the ERT Active Attackers Feed (EAAF).
*active - Alteon retrieves the ERT Active Attackers Feed from the management interface of the active Cyber Controller instance.
Note: When Alteon is added to the Cyber Controller tree, it 'learns' the Cyber Controller high availability IP addresses and keeps monitoring their status. Make sure that the Cyber Controller table is not empty when setting the type to "active". This option is also applicable with Cyber Controller in standalone mode.
Values: manual, active    
vision disabled|enabled
 
Specifies whether to process the feed coming to Alteon from the Cyber Controller (or APSolute Vision 4.x) host name or IP address.
Default: disabled
trevpol
 
Displays the Traffic Event Log menu for configuring traffic event policies. To view this menu, see /cfg/slb/trevnt/trevpol Traffic Event Log Policy Menu.
aggrgate [15|30|60|300|900]
 
Specifies the aggregation period, which is a global parameter for each entire EAAF table. During this period, Alteon aggregates events by source IP. At the end of the period, Alteon sends the aggregated event to Cyber Controller (or APSolute Vision 4.x) or any other syslog server.
This parameter is required for generating EAAF events.
Default: 60 seconds
evntrate
 
Specifies the maximum number of EAAF events to send per second for every single SP.