F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100

Task: Display the traffic statistics of a security zone.
Command: display flow-statistics statistics [ vd vd-name ] zone zone-name { inbound | outbound } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the security zone traffic statistics based on IP addresses.
Command: display flow-statistics statistics { destination-ip dest-ip-address | source-ip src-ip-address } [ vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display information about the IP addresses protected by the TCP proxy function.
Command: display tcp-proxy protected-ip [ vd vd-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Clear the attack protection statistics information about a security zone.
Command: reset attack-defense statistics [ vd vd-name ] zone zone-name
Remarks: Available in user view.
Attack protection functions on security zones configuration example
Network requirements
As shown in Figure 41, security zone Trust on Firewall is connected to the internal network, security zone Untrust is connected to the external network, and security zone DMZ is connected to an internal server.
Protect internal hosts against Smurf attacks and scanning attacks from the external network. Protect the internal server against SYN flood attacks from the external network. To meet the requirements, perform the following configurations:
In security zone Untrust, configure Smurf attack protection and scanning attack protection, enable the blacklist function for scanning attack protection, and set the connection rate threshold that triggers the scanning attack protection to 4500 connections per second.
In security zone DMZ, configure SYN flood attack protection, so that the device drops subsequent SYN packets when the SYN packet sending rate to a server constantly reaches or exceeds 5000 packets per second, and permits SYN packets to be sent to the server again when this rate drops below 1000 packets per second.
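The following CLI session is an added example written for this page in the Comware attack-defense policy syntax; it is not the configuration procedure from the original guide. The device name Firewall, the policy numbers 1 and 2, and the use of the default virtual device are assumptions. Verify each command against the command reference for the firmware actually running, since syntax differs between firmware branches.

```console
# Enter system view and enable the blacklist feature globally; scanning attack
# protection can only add sources to the blacklist if the feature is on.
<Firewall> system-view
[Firewall] blacklist enable

# Policy 1: Smurf and scanning protection for the Untrust zone.
# The scanning threshold is the connection rate (connections per second) from a
# single source that triggers protection; 4500 is the value from the requirements.
[Firewall] attack-defense policy 1
[Firewall-attack-defense-policy-1] defense smurf enable
[Firewall-attack-defense-policy-1] defense scan enable
[Firewall-attack-defense-policy-1] defense scan add-to-blacklist
[Firewall-attack-defense-policy-1] defense scan max-rate 4500
[Firewall-attack-defense-policy-1] quit

# Apply policy 1 to the Untrust zone (traffic from the external network).
[Firewall] zone name Untrust
[Firewall-zone-Untrust] attack-defense apply policy 1
[Firewall-zone-Untrust] quit

# Policy 2: SYN flood protection for the DMZ zone.
# high 5000 is the rate that starts dropping SYN packets; low 1000 is the rate
# below which dropping stops. The gap between the two prevents the protection
# from flapping on and off when the rate hovers around a single threshold.
[Firewall] attack-defense policy 2
[Firewall-attack-defense-policy-2] defense syn-flood enable
[Firewall-attack-defense-policy-2] defense syn-flood rate-threshold high 5000 low 1000
[Firewall-attack-defense-policy-2] defense syn-flood action drop-packet
[Firewall-attack-defense-policy-2] quit

# Apply policy 2 to the DMZ zone (the zone that holds the protected server).
[Firewall] zone name DMZ
[Firewall-zone-DMZ] attack-defense apply policy 2
[Firewall-zone-DMZ] quit

# Verification: per-zone attack protection counters and current blacklist entries.
[Firewall] display attack-defense statistics zone DMZ
[Firewall] display blacklist all
```

When checking the result, drive a controlled SYN rate at the server from the Untrust side and watch the DMZ statistics: drops should start only once the rate holds at or above 5000 packets per second and should continue until it falls below 1000, not 5000. If a scanning source appears in display blacklist all, remember that a blacklisted address is blocked for all traffic, not only scans, so confirm the entry's aging time before relying on it in production.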