F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100
e. In the SYN Flood Configuration area, click Add.
f. The SYN flood attack detection page appears, as shown in Figure 24.
g. Select Protected Host Configuration. Enter the IP address 10.1.1.2. Set the action threshold to
5000 packets per second and the silent threshold to 1000 packets per second.
h. Click Apply.
Figure 24 Configuring a SYN flood attack detection rule for the server
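How the two thresholds in step g interact, as an added example (not from the HP guide or the device firmware): a small Python model, assuming the firewall enters the protection state when the SYN rate toward the host reaches the action threshold and returns to detection once the rate falls below the silent threshold. The class, function and sample names are hypothetical, and the per-second SYN counts are constructed.

```python
from dataclasses import dataclass, field

ACTION_PPS = 5000  # action threshold from the rule configured above
SILENT_PPS = 1000  # silent threshold from the rule configured above


@dataclass
class SynFloodModel:
    """Hypothetical model of one protected host (10.1.1.2 on this page)."""
    action: int = ACTION_PPS
    silent: int = SILENT_PPS
    protecting: bool = False
    attacks: int = 0    # times the protection state was entered
    dropped: int = 0    # SYNs discarded while protecting (simplified)
    events: list = field(default_factory=list)

    def observe(self, second: int, syn_count: int) -> None:
        """Feed the number of SYNs seen toward the host in one second."""
        if not self.protecting:
            if syn_count >= self.action:      # rate reaches the action threshold
                self.protecting = True
                self.attacks += 1
                self.events.append((second, "enter-protection"))
        elif syn_count < self.silent:         # rate fell below the silent threshold
            self.protecting = False
            self.events.append((second, "back-to-detection"))
        else:
            # Assumption: the rule's action is to drop; count the whole second.
            self.dropped += syn_count


def run(samples, action=ACTION_PPS, silent=SILENT_PPS) -> SynFloodModel:
    """Replay a list of per-second SYN counts through a fresh model."""
    model = SynFloodModel(action=action, silent=silent)
    for second, syn_count in enumerate(samples):
        model.observe(second, syn_count)
    return model


# Constructed per-second SYN counts toward 10.1.1.2 (not captured traffic).
BURST = [200, 800, 5200, 9000, 3000, 1500, 999, 400]
OSCILLATING = [5100, 4900, 5100, 4900, 5100, 4900]

if __name__ == "__main__":
    for label, silent in (("silent=1000", SILENT_PPS), ("silent=5000", ACTION_PPS)):
        m = run(OSCILLATING, silent=silent)
        print(label, "attacks:", m.attacks, "dropped:", m.dropped, m.events)
    print("burst:", run(BURST).events)
```

With the silent threshold set equal to the action threshold, the oscillating sample re-triggers on every swing and nothing is dropped between triggers; the 1000 pps silent threshold keeps the host in the protection state for the whole burst.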
Verifying the configuration
• After a scanning attack packet is received from zone Untrust, the firewall outputs alarm logs and
adds the IP address of the attacker to the blacklist. You can select Intrusion Detection > Blacklist
from the navigation tree to view whether the attacker's IP address is on the blacklist.
• If a host in zone Trust initiates 100 or more connections, the firewall outputs alarm logs and discards
subsequent connection request packets from the host. You can select Intrusion Detection > Statistics
from the navigation tree to view how many times the connection limit per source IP address has
been exceeded and the number of packets dropped.
• If the number of connections to the server in the DMZ reaches or exceeds 10000, the firewall
outputs alarm logs and discards subsequent connection request packets. You can select Intrusion
Detection > Statistics from the navigation tree to view how many times the connection limit per
destination IP address has been exceeded and the number of packets dropped.
• If a SYN flood attack is initiated to the DMZ, the firewall outputs alarm logs and discards the attack
packets. You can select Intrusion Detection > Statistics from the navigation tree to view the number
of SYN flood attacks and the number of packets dropped.
Configuring TCP proxy
Recommended configuration procedure
Task | Remarks
1. Performing global TCP proxy setting | Optional. By default, bidirectional proxy is used.