F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100
Configure the firewall to perform the following operations:
• Protect the internal network against scanning attacks from the external network.
• Limit the number of connections initiated by each internal host.
• Limit the number of connections to the internal server.
• Protect the internal server against SYN flood attacks from the external network.
Figure 18 Network diagram
Configuration considerations
To satisfy the requirements, perform the following configurations on the firewall:
• Configure scanning detection for the untrusted zone, enable adding detected scanners to the
blacklist, and set the scanning threshold to 4500 connections per second.
• Configure source IP address-based connection limit for the trusted zone, and set the number of
connections each host can initiate to 100.
• Configure destination IP address-based connection limit for the DMZ, and set the number of
connections the server can accommodate to 10000.
• Configure SYN flood detection for the DMZ, and set the action threshold for attacks targeting the
internal server (for example, to 5000 packets per second) and the silent threshold (for example, to
1000 packets per second). Protection starts when the SYN rate to the server exceeds the action
threshold and stops only when the rate falls below the silent threshold, so the silent threshold must
be lower than the action threshold. Set the attack protection action to blocking subsequent packets
destined for the server.
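The following simulation is an added illustration, not the firewall's own code: it models how the four settings above behave against constructed traffic, in particular the hysteresis between the SYN flood action threshold and silent threshold, so that the numbers chosen can be sanity-checked before they are entered in the web interface. Class and method names are assumptions made for the example.

```python
"""Added simulation of the attack protection settings from the example above.

Not the firewall's implementation: a small model (assumed names) that shows
how scanning detection with blacklisting, per-source and per-destination
connection limits, and SYN flood action/silent thresholds react to traffic.
"""
from collections import defaultdict

# Values taken from the configuration considerations above.
SCAN_THRESHOLD_CPS = 4500        # connections per second from one source
PER_SOURCE_LIMIT = 100           # trusted zone: connections each host may initiate
PER_DEST_LIMIT = 10000           # DMZ: connections the server may accommodate
SYN_ACTION_THRESHOLD_PPS = 5000  # SYN rate that triggers blocking
SYN_SILENT_THRESHOLD_PPS = 1000  # SYN rate at which blocking is lifted


class ScanDetector:
    """Scanning detection: a source exceeding the threshold in one second is blacklisted."""

    def __init__(self, threshold_cps=SCAN_THRESHOLD_CPS):
        self.threshold = threshold_cps
        self.blacklist = set()
        self._per_second = defaultdict(lambda: defaultdict(int))

    def new_connection(self, second, src):
        """Return True if the connection is allowed; blacklisted sources are dropped."""
        if src in self.blacklist:
            return False
        self._per_second[second][src] += 1
        if self._per_second[second][src] > self.threshold:
            self.blacklist.add(src)   # blacklist entry added on detection
            return False
        return True


class ConnectionLimiter:
    """Source-based limit (trusted zone hosts) and destination-based limit (DMZ server)."""

    def __init__(self, per_source=PER_SOURCE_LIMIT, per_dest=PER_DEST_LIMIT):
        self.per_source, self.per_dest = per_source, per_dest
        self.by_source = defaultdict(int)
        self.by_dest = defaultdict(int)

    def open(self, src, dst):
        """Admit a new connection only if neither the source nor the destination is at its limit."""
        if self.by_source[src] >= self.per_source or self.by_dest[dst] >= self.per_dest:
            return False
        self.by_source[src] += 1
        self.by_dest[dst] += 1
        return True

    def close(self, src, dst):
        """Release a finished connection so its slots can be reused."""
        self.by_source[src] -= 1
        self.by_dest[dst] -= 1


class SynFloodDetector:
    """Action/silent threshold hysteresis for SYN flood protection of one server."""

    def __init__(self, action=SYN_ACTION_THRESHOLD_PPS, silent=SYN_SILENT_THRESHOLD_PPS):
        if silent >= action:
            raise ValueError("silent threshold must be lower than action threshold")
        self.action, self.silent = action, silent
        self.blocking = False

    def observe(self, syn_pps):
        """Feed one second's SYN rate; return whether packets to the server are now blocked."""
        if not self.blocking and syn_pps > self.action:
            self.blocking = True          # rate exceeded the action threshold
        elif self.blocking and syn_pps < self.silent:
            self.blocking = False         # rate fell below the silent threshold
        return self.blocking


if __name__ == "__main__":
    # Constructed SYN rate trace (packets per second, one sample per second).
    trace = [500, 6000, 3000, 1500, 800, 2000]
    det = SynFloodDetector()
    print("blocking per second:", [det.observe(r) for r in trace])
```

Note how the third and fourth samples (3000 and 1500 pps) are below the action threshold yet blocking continues, because the rate has not yet dropped below the silent threshold; this is the behaviour the two separate thresholds are meant to produce, and it is why a silent threshold set too close to the action threshold causes protection to flap.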
Configuring the firewall
1. Assign IP addresses and security zones to interfaces. (Details not shown.)
2. Enable the blacklist feature:
a. From the navigation tree, select Intrusion Detection > Blacklist.
b. In the Global Configuration area, select Enable Blacklist as shown in Figure 19.
c. Click Apply.