F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100

Item: Description
Enable connection limit per dest IP: Select the option to set the maximum number of connections that can be present for a destination IP address.
Threshold
Configuring scanning detection
Scanning detection is intended to detect scanning behaviors and is usually configured for an external zone.
Scanning detection can be configured to add blacklist entries automatically.
To configure scanning detection:
1. From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection.
The scanning detection configuration page appears.
Figure 17 Scanning detection configuration page
2. Configure the scanning detection rule for the security zone, as described in Table 8.
3. Click Apply.
Table 8 Configuration items
Item: Description
Security Zone: Select a security zone to perform scanning detection configuration for it.
Enable Scanning Detection: Select this option to enable scanning detection for the security zone.
Scanning Threshold: Set the maximum connection rate for a source IP address.
Add a source IP to the blacklist: Select this option to allow the system to blacklist a suspicious source IP address. If this option is selected, you can then set the lifetime of the blacklisted source IP addresses.
IMPORTANT: Only when the blacklist feature is enabled can the scanning detection function blacklist a suspect and discard subsequent packets from the suspect.
Lifetime: Set the lifetime of the blacklist entry.
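The following model of the Table 8 rule is an added example, not code from the HP guide or the device firmware. It assumes a constructed connection log (timestamp, source IP, destination) and counts new connections per source IP in a sliding one-second window; a source that exceeds the scanning threshold is flagged, and, only when blacklisting is enabled, its later packets are dropped until the blacklist entry's lifetime expires.

```python
from collections import defaultdict, deque

# Constructed sample log: "<seconds> <source IP> <dest IP:port>".
# 203.0.113.7 opens seven connections in 0.6 s, then returns after 15 s.
SAMPLE_LOG = """\
0.0 203.0.113.7 10.0.0.5:21
0.1 203.0.113.7 10.0.0.5:22
0.2 203.0.113.7 10.0.0.5:23
0.3 203.0.113.7 10.0.0.5:24
0.4 203.0.113.7 10.0.0.5:25
0.5 203.0.113.7 10.0.0.5:26
0.6 203.0.113.7 10.0.0.5:27
0.7 198.51.100.4 10.0.0.5:80
15.0 203.0.113.7 10.0.0.5:28
"""

class ScanningDetector:
    def __init__(self, threshold, window=1.0, blacklist_enabled=True, lifetime=60.0):
        self.threshold = threshold          # max new connections per window per source IP
        self.window = window                # sliding window length in seconds (assumption)
        self.blacklist_enabled = blacklist_enabled
        self.lifetime = lifetime            # seconds a blacklist entry stays active
        self.recent = defaultdict(deque)    # src -> timestamps inside the window
        self.blacklist = {}                 # src -> expiry timestamp

    def handle(self, src, ts):
        """Classify one connection attempt as 'pass', 'suspect' or 'drop'."""
        expiry = self.blacklist.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop"               # packets from a blacklisted suspect are discarded
            del self.blacklist[src]         # lifetime elapsed, entry ages out
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] >= self.window:
            q.popleft()                     # keep only attempts within the window
        if len(q) > self.threshold:         # connection rate exceeds Scanning Threshold
            if self.blacklist_enabled:
                self.blacklist[src] = ts + self.lifetime
                return "drop"
            return "suspect"                # detected, but nothing is discarded
        return "pass"

def detect(log, threshold=5, window=1.0, blacklist_enabled=True, lifetime=10.0):
    """Run the detector over a log and return (ts, src, verdict) per line."""
    det = ScanningDetector(threshold, window, blacklist_enabled, lifetime)
    out = []
    for line in log.splitlines():
        ts, src, _dst = line.split()
        out.append((float(ts), src, det.handle(src, float(ts))))
    return out
```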
Traffic abnormality detection configuration example
Network requirements
As shown in Figure 18, the internal network is the trusted zone, the subnet where the internal servers are located is the DMZ, and the external network is the untrusted zone.