F3215-HP Load Balancing Module Security Configuration Guide-6PW101
Step                              Command                             Remarks
3. Enter VD system view.          switchto vd vd-name                 Required for a non-default VD.
4. Configure an IP address        tcp-proxy protected-ip              Optional.
   protected by TCP proxy.          destination-ip-address port       By default, no IP address is
                                    [ port-number | any ]             protected by TCP proxy.
5. Enter security zone view.      zone name zone-name id zone-id      N/A
6. Enable the TCP proxy           tcp-proxy enable                    By default, TCP proxy is disabled
   function for the security                                          for a security zone.
   zone.
Configuring the blacklist function
You can configure a device to filter packets from certain IP addresses by configuring the blacklist
function.
The blacklist configuration includes enabling the blacklist function and adding blacklist entries. When
adding a blacklist entry, you can also configure the entry aging time. If you do not configure the aging
time, the entry never ages out and remains until you delete it manually.
To configure the blacklist function:
Step                              Command                             Remarks
1. Enter system view.             system-view                         N/A
2. Enter VD system view.          switchto vd vd-name                 Required for a non-default VD.
3. Enable the blacklist function. blacklist enable                    Disabled by default.
4. Add a blacklist entry.         blacklist ip source-ip-address      Optional.
                                    [ timeout minutes ]               The scanning attack protection
                                                                      function can add blacklist entries
                                                                      automatically.
You can add blacklist entries manually, or configure the device to automatically add the IP addresses of
detected scanning attackers to the blacklist. For the latter, enable the blacklist function for the
device, the scanning attack protection function, and the blacklist function for scanning attack protection.
Blacklist entries added by the scanning attack protection function age out after the aging time,
which is configurable.
For the configuration of scanning attack protection, see "Configuring a scanning attack protection
policy."
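The following Python check is an added example, not part of the HP guide: it audits a list of blacklist commands written in the syntax of the table above, flagging entries with no timeout (which never age out) and entries present without blacklist enable (the function is disabled by default). The function name audit_blacklist, the one-command-per-line input format, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Syntax from the table: blacklist ip source-ip-address [ timeout minutes ]
ENTRY_RE = re.compile(r"^blacklist ip (\S+)(?: timeout (\d+))?$")

def audit_blacklist(config_text):
    """Return (entries, findings); assumes one command per line."""
    enabled = False
    entries, findings = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise whitespace
        if line == "blacklist enable":
            enabled = True
            continue
        m = ENTRY_RE.match(line)
        if not m:
            if line.startswith("blacklist ip"):
                findings.append(f"line {lineno}: malformed entry: {line!r}")
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            findings.append(f"line {lineno}: invalid address {m.group(1)!r}")
            continue
        timeout = int(m.group(2)) if m.group(2) else None
        entries.append((str(ip), timeout))
        if timeout is None:
            # No aging time: the entry stays until it is deleted manually.
            findings.append(f"line {lineno}: {ip} never ages out")
    if entries and not enabled:
        # The blacklist function is disabled by default and must be enabled.
        findings.append("entries present but 'blacklist enable' is missing")
    return entries, findings

# Constructed sample input (documentation addresses, not from the guide).
SAMPLE = """\
system-view
blacklist ip 192.0.2.10 timeout 30
blacklist ip 198.51.100.7
blacklist ip 203.0.113.999 timeout 5
"""

if __name__ == "__main__":
    for finding in audit_blacklist(SAMPLE)[1]:
        print(finding)
```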
Configuring connection limits
Connection limit configuration task list
Task                                      Remarks
Creating a connection limit policy        Required.
Configuring the connection limit policy   Required.