F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100

Step / Command / Remarks

Step 4. Apply an attack protection policy to the security zone.
Command: attack-defense apply policy policy-number
Remarks: By default, no attack protection policy is applied to any security zone. The attack protection policy must already exist before it can be applied to a security zone.
Configuring TCP proxy
TCP proxy is usually enabled on the security zones that connect the device to external networks, to protect internal servers against SYN flood attacks. When the device detects a SYN flood attack, it takes the protection actions configured with the defense syn-flood action command. If the trigger-tcp-proxy keyword is specified for that command, the device starts TCP proxy in the configured operating mode and inspects and processes subsequent TCP connection requests destined for the protected IP address. A protected IP address can be configured manually or generated dynamically by SYN flood attack detection.
To configure the TCP proxy function:

Step / Command / Remarks

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Configure the TCP proxy operating mode.
Command: tcp-proxy mode unidirection (unidirectional mode) or undo tcp-proxy mode (bidirectional mode)
Remarks: Optional. By default, TCP proxy operates in bidirectional mode.

Step 3. Enter VD system view.
Command: switchto vd vd-name
Remarks: Required only for a non-default VD.

Step 4. Configure an IP address protected by TCP proxy.
Command: tcp-proxy protected-ip destination-ip-address [ port-number | port any ]
Remarks: Optional. By default, no IP address is protected by TCP proxy.

Step 5. Enter security zone view.
Command: zone name zone-name id zone-id
Remarks: N/A

Step 6. Enable the TCP proxy function for the security zone.
Command: tcp-proxy enable
Remarks: By default, TCP proxy is disabled for a security zone.
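The following is an added example, not taken from this guide, that runs the procedure above as a single configuration session and then applies an attack protection policy to the same zone (the last step of the preceding table). The system name, the prompt strings, the zone name Untrust and its ID, the VD name vd1, the server addresses 10.1.1.10 and 10.1.1.20, and the policy number 1 are all assumptions chosen for illustration; policy 1 is assumed to have been created beforehand with a SYN flood action that includes the trigger-tcp-proxy keyword, as the text above describes.

```text
# Added example, not from the original guide. Names, IDs, prompts and addresses are assumptions.
<Sysname> system-view
# Run TCP proxy in unidirectional mode (the default is bidirectional; "undo tcp-proxy mode" restores it).
[Sysname] tcp-proxy mode unidirection
# Only needed when the protected servers live in a non-default VD (assumed name vd1); skip it for the default VD.
# [Sysname] switchto vd vd1
# Protect the web server 10.1.1.10 (assumed address) on TCP port 80 only.
[Sysname] tcp-proxy protected-ip 10.1.1.10 80
# Protect every TCP port of a second server 10.1.1.20 (assumed address).
[Sysname] tcp-proxy protected-ip 10.1.1.20 port any
# Enter the Internet-facing zone (assumed name and ID) and enable TCP proxy for it.
[Sysname] zone name Untrust id 4
[Sysname-zone-Untrust] tcp-proxy enable
# Apply the attack protection policy (assumed number 1) whose SYN flood action triggers TCP proxy.
# The policy must already exist, or this command is rejected.
[Sysname-zone-Untrust] attack-defense apply policy 1
[Sysname-zone-Untrust] quit
```

Two points worth checking when reproducing this: the tcp-proxy enable command is what actually turns the proxy on for the zone, so a protected-ip entry or a mode setting alone does nothing until it is present; and the manual protected-ip entries are optional, because SYN flood detection can generate protected addresses dynamically when the policy's action triggers TCP proxy.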
Configuring the blacklist function
You can configure the blacklist function to make the device filter packets from specific IP addresses.

Configuring the blacklist function involves enabling it and adding blacklist entries. When you add a blacklist entry, you can also set an aging time for it. If you do not set an aging time, the entry never ages out and stays in effect until you delete it manually.
To configure the blacklist function:
Step / Command / Remarks

Step 1. Enter system view.
Command: system-view
Remarks: N/A