F3215-HP Load Balancing Module Security Configuration Guide-6PW101
Step | Command | Remarks
3. Create an attack protection policy and enter attack protection policy view. | attack-defense policy policy-number [ zone zone-name ] | By default, no attack protection policy is created.
Enabling attack protection logging
After the attack protection policy is created, you can enable the device to log single-packet attacks, scanning attacks, and flood attacks, so that you can adjust your network management strategies based on the logged events.
To enable attack protection logging:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable attack protection logging. | attack-defense logging enable | Optional. By default, attack protection logging is disabled.
Configuring an attack protection policy
In an attack protection policy, you can specify the signatures for attack detection and the corresponding
protection measures according to the security requirements of your network.
Different types of attack protection policies have different configurations, which are described below in
terms of single-packet attacks, scanning attacks, and flood attacks.
Configuring a single-packet attack protection policy
The single-packet attack protection function determines whether a packet is an attack packet mainly by analyzing the characteristics of the packet itself. It is usually applied to security zones connecting external networks, and inspects only the inbound packets of those security zones. If it detects an attack packet, the device outputs an alarm log by default and, depending on your configuration, drops or forwards the packet.
To configure a policy for preventing single-packet attacks:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter VD system view. | switchto vd vd-name | Required for a non-default VD.
3. Enter attack protection policy view. | attack-defense policy policy-number | N/A
4. Enable signature detection for single-packet attacks. | signature-detect { fraggle | icmp-redirect | icmp-unreachable | land | large-icmp | route-record | smurf | source-route | tcp-flag | tracert | winnuke } enable | By default, signature detection is disabled for all kinds of single-packet attacks.
5. Configure the ICMP packet length threshold that triggers large ICMP attack protection. | signature-detect large-icmp max-length length | Optional. 4000 bytes by default.
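The table above lists the signatures a single-packet policy can enable, but not what each signature actually inspects. The following Python model, added here as an example and not code from H3C or from this guide, applies a policy with the same knobs (per-signature enable, all disabled by default; a large-icmp threshold defaulting to 4000 bytes; drop versus forward-and-alarm) to constructed packet summaries. The signature definitions (land: source equals destination; large-icmp: ICMP longer than the threshold; smurf/fraggle: ICMP echo or UDP echo/chargen to a broadcast address; winnuke: URG to TCP port 139; tcp-flag: null or SYN+FIN flag sets; tracert: TTL of 1) are the commonly used ones and are assumptions of this example, as are the `Packet`, `SinglePacketPolicy` and `inspect` names; the `drop` action is also assumed, since the guide only says the packet is dropped or forwarded depending on configuration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

# Added example, not H3C's code: a toy model of the single-packet attack
# protection policy applied to constructed packet summaries.


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the header fields the signatures look at."""
    src: str
    dst: str
    proto: str                                # "tcp", "udp" or "icmp"
    length: int = 64                          # IP total length in bytes
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: FrozenSet[str] = frozenset()   # e.g. frozenset({"SYN", "FIN"})
    icmp_type: Optional[int] = None
    ttl: int = 64
    ip_options: FrozenSet[str] = frozenset()  # "route-record", "source-route"
    dst_is_broadcast: bool = False


@dataclass
class SinglePacketPolicy:
    """Knobs from the guide: per-signature enable (all disabled by default),
    the large-icmp threshold (4000 bytes by default) and whether matches are dropped."""
    enabled: Set[str] = field(default_factory=set)
    large_icmp_max_length: int = 4000
    drop: bool = False   # False: forward and alarm; True: drop (assumed action)


# Signature checks. These are the common definitions of each attack and are an
# assumption of this example; the guide itself only lists the signature names.
SIGNATURES: Dict[str, Callable[[Packet, SinglePacketPolicy], bool]] = {
    "land": lambda p, _: p.src == p.dst,
    "large-icmp": lambda p, pol: p.proto == "icmp"
    and p.length > pol.large_icmp_max_length,
    "smurf": lambda p, _: p.proto == "icmp" and p.icmp_type == 8 and p.dst_is_broadcast,
    "fraggle": lambda p, _: p.proto == "udp" and p.dst_is_broadcast
    and p.dst_port in (7, 19),
    "winnuke": lambda p, _: p.proto == "tcp" and p.dst_port == 139
    and "URG" in p.tcp_flags,
    "tcp-flag": lambda p, _: p.proto == "tcp"
    and (not p.tcp_flags or {"SYN", "FIN"} <= p.tcp_flags),
    "icmp-redirect": lambda p, _: p.proto == "icmp" and p.icmp_type == 5,
    "icmp-unreachable": lambda p, _: p.proto == "icmp" and p.icmp_type == 3,
    "route-record": lambda p, _: "route-record" in p.ip_options,
    "source-route": lambda p, _: "source-route" in p.ip_options,
    "tracert": lambda p, _: p.ttl <= 1,   # assumed: tracert probes arrive with TTL 1
}


def inspect(packet: Packet, policy: SinglePacketPolicy) -> Tuple[List[str], str]:
    """Return the enabled signatures the packet matches and the resulting action.

    Only signatures switched on in the policy are evaluated, which mirrors the
    guide's default of no detection until `signature-detect ... enable` is run.
    """
    matches = [
        name for name, check in SIGNATURES.items()
        if name in policy.enabled and check(packet, policy)
    ]
    if not matches:
        return [], "forward"
    return matches, ("drop" if policy.drop else "forward+alarm")


if __name__ == "__main__":
    # Constructed packets: a land packet and an oversized ICMP echo request.
    land_pkt = Packet("10.0.0.1", "10.0.0.1", "tcp", tcp_flags=frozenset({"SYN"}))
    big_icmp = Packet("10.0.0.9", "10.0.0.1", "icmp", length=4001, icmp_type=8)

    # Policy with nothing enabled: everything is forwarded untouched.
    print(inspect(land_pkt, SinglePacketPolicy()))
    # Policy with land and large-icmp enabled and the drop action configured.
    pol = SinglePacketPolicy(enabled={"land", "large-icmp"}, drop=True)
    print(inspect(land_pkt, pol))
    print(inspect(big_icmp, pol))
    # Raising max-length above the packet size clears the large-icmp match.
    pol.large_icmp_max_length = 8000
    print(inspect(big_icmp, pol))
```

The model makes the two configuration facts from the table observable: with the default policy nothing is detected, and the large-icmp match depends on the configured threshold relative to the 4000-byte default.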