This installation guide describes the integration of ThreatSTOP with A10 ADC / TPS devices.
Warning: This version has been superseded by the TSCM Based version. This documentation applies to devices created through 2018. New deployments must use the new release - TSCM Web Automation or TSCM CLI
Add a Device
- Go to the portal (https://www.a10networks.com/products/threat-intelligence/login) and add your device.
- Click on Devices.
- Click on + Add Device.
- The Add Device window will display.
- Fill out the required fields:
- Nickname: Internal device reference
- Manufacturer: A10 Networks.
- Model: Thunder TPS
- IP Address: External IP address that will query the service. This can be determined by visiting https://logs.threatstop.com/cgi-bin/validip.pl
- IP Type (Static or Dynamic) used by the device.
- Policy: A10-TPS
- Location: country of residence (optional)
- Postal Code: The ZIP code, or other postal designator for your location (optional)
- Click Next.
Note: You need to make certain you are always coming from the same IP address and not a NAT pool of IPs. This utility determines the external IP address of the device which is unlikely to rotate.
Prepare the Threat Intelligence Proxy
Create a Virtual Machine (VM) in your preferred Virtual Machine host. The VM must meet the following system requirements:
- OS: Ubuntu 14.04
- RAM: 10 GB
- Internet connectivity, for DNS requests
- Log into the VM, and update the distribution to the most recent version with the following command:
sudo su -c 'apt-get update && apt-get -y upgrade && apt-get install libwww-perl libcrypt-ssleay-perl'
- Access the ThreatSTOP FTP server from the VM using the following commands. When prompted for credentials, simply type anonymous:
ftp ftp.threatstop.com
cd /pub
get ts-a10_2.37-03_all.deb
- Download the .deb file from the ThreatSTOP FTP server (https://downloads.threatstop.com/pub/ts-a10_2.37-03_all.deb)
- Install the downloaded file with the following command:
sudo dpkg -i ts-a10_2.37-03_all.deb
Configure the ThreatSTOP System
- SSH into the VM with the following credentials:
- username: threatstop
- password: threatstop
- Issue the following command:
wget -qO - https://logs.threatstop.com/cgi-bin/validip.pl
- Record the IP address; this is your external IP address.
- Run the automated setup script using the following command:
/opt/threatstop/setup.sh
Provide the following information as displayed at the prompts:
DDOS zones : <accept the default>
Enable NTP (y/n) ? [y] ==> <accept the default>
Enable DNS Resolvers (y/n) ? [y] ==> <accept the default>
Enable SSDP (y/n) ? [y] ==> <accept the default>
Enable SNMP (y/n) ? [y] ==> <accept the default>
Enable Drones (y/n) ? [y] ==> <accept the default>
Please enter the block_list to use:
[] ==> A10-TPS-001-netb.ANetwork.threatstop.local
Please enter the allow_list to use:
[] ==> A10-TPS-001-neta.ANetwork.threatstop.local
Please enter the external IP address of the A10 device:
[] ==> <Enter the IP address from steps 2-3>
Please enter port to use for DNS queries :
[53] ==>
Please enter the internal IP address of the A10 device:
[] ==> <Device IP>
Please enter the directory to store the A10 class lists:
[/etc/threatstop/lists] ==>
This will download the ThreatSTOP block and allow lists to your Virtual Machine which will then upload the policies directly to your A10 device.
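The note under Add a Device requires one fixed egress address rather than a NAT pool, while the wget step above records that address only once. The following is an added example, not part of the ThreatSTOP package, that repeats the same lookup and fails if the address changes between samples. The function names, the sample count and the delay are assumptions, as is the reply containing the address as dotted-quad text.

```sh
#!/bin/sh
# Added example, not part of the ThreatSTOP package. Run on the proxy VM.
# Usage: check_egress_ip 5 60   (5 lookups, 60 s apart)

VALIDIP_URL="https://logs.threatstop.com/cgi-bin/validip.pl"  # from the guide

# Default fetcher: the same wget call the guide uses.
fetch_external_ip() {
    wget -qO - "$VALIDIP_URL"
}

# Read text on stdin and print the first valid dotted-quad found in it.
# Assumption: the reply contains the address as text somewhere in its body.
first_ipv4() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | while IFS=. read -r a b c d; do
        if [ "$a" -le 255 ] && [ "$b" -le 255 ] &&
           [ "$c" -le 255 ] && [ "$d" -le 255 ]; then
            echo "$a.$b.$c.$d"
            break
        fi
    done
}

# check_egress_ip [SAMPLES] [DELAY_SECONDS] [FETCHER]
# Prints the address and returns 0 when every sample matches.
# Returns 1 if a reply holds no IPv4 address, 2 if the address changes.
# The body is a subshell, so its variables do not leak into the caller.
check_egress_ip() (
    samples=${1:-5}; delay=${2:-60}; fetcher=${3:-fetch_external_ip}
    first=""; i=1
    while [ "$i" -le "$samples" ]; do
        current=$("$fetcher" | first_ipv4)
        if [ -z "$current" ]; then
            echo "sample $i: no IPv4 address in reply" >&2
            exit 1
        fi
        if [ -z "$first" ]; then
            first=$current
        elif [ "$current" != "$first" ]; then
            echo "sample $i: egress changed $first -> $current (NAT pool?)" >&2
            exit 2
        fi
        if [ "$i" -lt "$samples" ]; then sleep "$delay"; fi
        i=$((i + 1))
    done
    echo "$first"
)
```

A return code of 2 means the VM is leaving through more than one public address, so the address registered in the portal and entered in setup.sh would not match every query.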
Configure TPS using ACOS 3.2 or greater
- Import the class list with the following command:
import-periodic class-list a10-ddos-block use-mgmt-port scp://threatstop:threatstop@x.x.x.x/etc/threatstop/list/block-000-nsp.txt period 7200
- Create the source-based policy with the following command:
ddos src-based-policy A10-Threat-Intel policy-class-list a10-ddos-block
- Bind the policy to the zone config with the following commands:
ddos dst zone www.example.com
ip 10.10.10.10
operational-mode monitor
port 80 tcp
src-based-policy A10-Threat-Intel
policy-class-list a10-ddos-block
deny