F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100

Choose the mode that matches your network scenario. For example, if packets from TCP clients to a server pass through the TCP proxy but packets from the server back to the clients do not, as shown in Figure 1, configure unidirectional proxy.
Figure 1 Network diagram for unidirectional proxy
If all packets between TCP clients and a server pass through the TCP proxy, as shown in Figure 2, you can configure either unidirectional proxy or bidirectional proxy as desired.
Figure 2 Network diagram for unidirectional/bidirectional proxy
Unidirectional proxy
Figure 3 Data exchange process in unidirectional proxy mode
When the TCP proxy receives a SYN message sent from a client to a protected server, it answers on behalf of the server with a SYN ACK that carries an invalid sequence number (the acknowledgment does not match what the client sent). A legitimate TCP client rejects such a SYN ACK with an RST message. When the TCP proxy receives that RST from the client, it considers the client legitimate and, for a period of time, forwards the SYN messages that the client sends so that the client can establish a TCP connection to the server. A source that spoofs its address never receives the SYN ACK, never sends an RST, and therefore never has its SYNs forwarded. Because only the client-to-server direction needs to be checked, the server's own SYN ACK need not pass through the proxy. After the TCP connection is established, the TCP proxy forwards the subsequent packets of the connection without further processing.
Message sequence in Figure 3 (between TCP client, TCP proxy, and TCP server):
1) Client -> proxy: SYN
2) Proxy -> client: SYN ACK (invalid sequence number, sent on behalf of the server)
3) Client -> proxy: RST
4) Client -> proxy: SYN (retransmitted)
5) Proxy -> server: SYN (forwarded)
6) Server -> client: SYN ACK
7) Client -> proxy: ACK
8) Proxy -> server: ACK (forwarded)
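The following simulation of the exchange above is an added example written for this page; it is not code from the HP configuration guide or from the device firmware. It models the proxy's decision logic as described (challenge with a bogus SYN ACK, admit on RST, forward SYNs for a window, then pass established flows untouched) together with a minimal RFC 793 client that answers an unacceptable ACK with RST. Addresses, the 10-second verify window, and the segment format are assumptions chosen for illustration.

```python
from dataclasses import dataclass
import random

SYN, ACK, RST = "SYN", "ACK", "RST"
MOD32 = 2 ** 32


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int = 0
    ack: int = 0


def seg(src, dst, *flags, seq=0, ack=0):
    return Segment(src, dst, frozenset(flags), seq % MOD32, ack % MOD32)


class UnidirectionalProxy:
    """Proxy in front of one protected server; it sees only client->server traffic."""

    def __init__(self, server, verify_window=10.0, rng=None):
        self.server = server
        self.verify_window = verify_window   # assumed: seconds a verified client's SYNs are forwarded
        self.rng = rng or random.Random()
        self.verified_until = {}             # client address -> expiry time of its verification
        self.established = set()             # (client, server) flows past the handshake

    def handle(self, s, now):
        """Return ("reply", Segment), ("forward", Segment) or ("drop", None)."""
        flow = (s.src, s.dst)
        if s.dst != self.server or flow in self.established:
            return ("forward", s)            # unprotected, or step 8 onward: no processing
        if s.flags == {SYN}:
            if now < self.verified_until.get(s.src, 0.0):
                return ("forward", s)        # step 5: retransmitted SYN goes to the real server
            # step 2: SYN ACK on the server's behalf whose ACK number can never equal ISN+1
            bogus_ack = s.seq + 1 + self.rng.randrange(1, 2 ** 31)
            return ("reply", seg(self.server, s.src, SYN, ACK,
                                 seq=self.rng.randrange(MOD32), ack=bogus_ack))
        if RST in s.flags:
            # step 3: an RST proves the source address received and rejected the bogus SYN ACK
            self.verified_until[s.src] = now + self.verify_window
            return ("drop", None)
        if s.flags == {ACK} and now < self.verified_until.get(s.src, 0.0):
            self.established.add(flow)       # step 8: the handshake ACK completes the connection
            return ("forward", s)
        return ("drop", None)                # unverified source: never reaches the server


class Client:
    """Minimal RFC 793 SYN-SENT behaviour of a legitimate TCP client."""

    def __init__(self, addr, rng=None):
        self.addr = addr
        self.isn = (rng or random.Random()).randrange(MOD32)

    def syn(self, server):
        return seg(self.addr, server, SYN, seq=self.isn)

    def on_segment(self, s):
        if s.flags == {SYN, ACK}:
            if s.ack != (self.isn + 1) % MOD32:
                return seg(self.addr, s.src, RST, seq=s.ack)      # unacceptable ACK -> RST
            return seg(self.addr, s.src, ACK, seq=self.isn + 1, ack=s.seq + 1)
        return None


def run_legitimate_client(seed=1):
    """Replay steps 1-8 of Figure 3; return the proxy's decision for each client segment."""
    rng = random.Random(seed)
    proxy, client, server = UnidirectionalProxy("server", rng=rng), Client("client", rng), "server"
    trace = []
    act, bogus = proxy.handle(client.syn(server), now=0.0)             # steps 1 -> 2
    trace.append(("SYN", act))
    act, _ = proxy.handle(client.on_segment(bogus), now=0.0)           # step 3
    trace.append(("RST", act))
    act, fwd_syn = proxy.handle(client.syn(server), now=1.0)           # steps 4 -> 5
    trace.append(("SYN", act))
    real_synack = seg(server, "client", SYN, ACK,                       # step 6, sent by the server
                      seq=rng.randrange(MOD32), ack=fwd_syn.seq + 1)
    act, _ = proxy.handle(client.on_segment(real_synack), now=1.0)     # steps 7 -> 8
    trace.append(("ACK", act))
    data = seg("client", server, ACK, seq=client.isn + 1, ack=real_synack.seq + 1)
    trace.append(("DATA", proxy.handle(data, now=2.0)[0]))             # established: passed through
    return trace


def run_spoofed_syn_flood(sources=3):
    """SYNs from spoofed (constructed) addresses: no RST ever returns, nothing is forwarded."""
    proxy = UnidirectionalProxy("server", rng=random.Random(2))
    return [proxy.handle(seg(f"198.51.100.{i}", "server", SYN, seq=i), now=float(i))[0]
            for i in range(sources)]


def run_window_expiry(verify_window=10.0):
    """A verified client's SYN after the window expires is challenged again."""
    proxy = UnidirectionalProxy("server", verify_window=verify_window, rng=random.Random(3))
    proxy.handle(seg("client", "server", RST), now=0.0)
    inside = proxy.handle(seg("client", "server", SYN, seq=5), now=verify_window - 1)[0]
    outside = proxy.handle(seg("client", "server", SYN, seq=5), now=verify_window + 1)[0]
    return inside, outside


if __name__ == "__main__":
    print(run_legitimate_client())
    print(run_spoofed_syn_flood())
    print(run_window_expiry())
```

The two attack-side runs show what the mode buys you: a flood from spoofed sources is answered by the proxy alone and never consumes a server-side half-open connection, while a source that is really listening at that address must spend a full round trip per SYN before anything reaches the server. The verify window bounds how long a once-verified address is trusted, so it is the knob to tune against the client's SYN retransmission timer on your network.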