R3303-HP HSR6800 Routers Security Configuration Guide

To apply an attack protection policy to an interface:

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A

Step 2. Enter interface view.
        Command: interface interface-type interface-number
        Remarks: N/A

Step 3. Apply an attack protection policy to the interface.
        Command: attack-defense apply policy policy-number
        Remarks: By default, no attack protection policy is applied to any interface.
                 The attack protection policy to be applied to an interface must already exist.
Configuring TCP proxy
TCP proxy is used on the interfaces of a device that connect to external networks, to protect internal servers from
SYN flood attacks. It takes effect only on packets arriving inbound on a TCP proxy-enabled interface. When the
device detects a SYN flood attack, it takes the protection actions configured with the defense syn-flood action
command. If the trigger-tcp-proxy keyword is specified for the defense syn-flood action command, the device adds
a protected IP address entry for the attacked server and starts TCP proxy in the configured mode to inspect and
process subsequent TCP connection requests destined for that server.
To configure the TCP proxy function:

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A

Step 2. Set the TCP proxy operating mode.
        Command: tcp-proxy mode unidirection   (unidirectional mode)
                 undo tcp-proxy mode           (bidirectional mode)
        Remarks: Optional. By default, TCP proxy works in bidirectional mode when enabled.

Step 3. Enter interface view.
        Command: interface interface-type interface-number
        Remarks: N/A

Step 4. Enable the TCP proxy function on the interface.
        Command: tcp-proxy enable
        Remarks: By default, TCP proxy is disabled on an interface.
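The following configuration, added here as a worked example and not taken from the HP guide, ties the two procedures above together: it applies an attack protection policy to the external-facing interface and enables TCP proxy on that same interface, so that a SYN flood detected by the policy can hand the server's connection requests to the proxy. The interface name GigabitEthernet 1/0/1, the protected server address 10.1.1.10, the policy number 1 and the threshold value are assumed. Only attack-defense apply policy, the trigger-tcp-proxy keyword of defense syn-flood action, tcp-proxy mode and tcp-proxy enable appear on this page; the commands that create the policy and enable SYN flood detection (attack-defense policy, defense syn-flood enable, defense syn-flood ip) are assumed from the same command family and should be checked against the device's command reference.

```text
# Added example, not from the HP guide. Assumed values: GigabitEthernet 1/0/1 faces the
# external network, 10.1.1.10 is the protected internal server, policy number is 1.
system-view
#
# The policy must exist before step 3 of the first procedure can reference it.
# The next three policy-view commands are assumed from the same command family; only the
# trigger-tcp-proxy keyword of defense syn-flood action is documented on this page.
attack-defense policy 1
 defense syn-flood enable
 defense syn-flood ip 10.1.1.10 threshold 500
 defense syn-flood action trigger-tcp-proxy
 quit
#
# TCP proxy mode is a global setting. Keep the default (bidirectional) when this device
# forwards both directions of the TCP handshake; "tcp-proxy mode unidirection" is for
# deployments where the server's replies do not pass back through this device.
undo tcp-proxy mode
#
# Apply the policy and enable TCP proxy on the external-facing interface. Both act only on
# incoming packets, so this must be the interface that receives SYNs from the outside.
interface GigabitEthernet 1/0/1
 attack-defense apply policy 1
 tcp-proxy enable
 quit
```

Two checks a practitioner would make after applying this: that the policy number used in attack-defense apply policy is the one that was actually created (applying a non-existent policy is rejected, per the remark in step 3), and that tcp-proxy enable is on the interface where external SYNs arrive rather than on the internal interface, since the proxy inspects inbound packets only.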
Configuring the blacklist function
The blacklist function filters packets from specified IP addresses.
The blacklist configuration includes enabling the blacklist function and adding blacklist entries. When
adding a blacklist entry, you can also configure an aging time for the entry. If you do not configure an aging
time, the entry never ages out and remains in effect until you delete it manually.
To configure the blacklist function: