F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100

Figure 41 Network diagram
Configuration procedure
# Specify IP address for interfaces and add them into security zones. (Details not shown.)
# Enable blacklist function.
<Firewall> system-view
[Firewall] blacklist enable
# Create attack protection policy 1.
[Firewall] attack-defense policy 1
# Enable Smurf attack protection.
[Firewall-attack-defense-policy-1] signature-detect smurf enable
# Enable scanning attack protection.
[Firewall-attack-defense-policy-1] defense scan enable
# Set the connection rate threshold that triggers scanning attack protection to 4500 connections per second.
[Firewall-attack-defense-policy-1] defense scan max-rate 4500
# Add source IP addresses detected by scanning attack protection to the blacklist.
[Firewall-attack-defense-policy-1] defense scan add-to-blacklist
[Firewall-attack-defense-policy-1] quit
# Apply attack protection policy 1 to the security zone untrust.
[Firewall] zone name untrust id 4
[Firewall-zone-untrust] attack-defense apply policy 1
[Firewall-zone-untrust] quit
# Create attack protection policy 2.
[Firewall] attack-defense policy 2
# Enable SYN flood attack protection.
[Firewall-attack-defense-policy-2] defense syn-flood enable
# Configure SYN flood attack protection for the internal server 10.1.1.2, and set the action threshold to 5000 and the silence threshold to 1000.
[Firewall-attack-defense-policy-2] defense syn-flood ip 10.1.1.2 rate-threshold high 5000 low 1000
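The two policies above use three numbers (scan max-rate 4500, SYN flood action threshold 5000, silence threshold 1000) whose interaction is easier to reason about with a small model. The following Python script is an added example written for this page; it is not HP code and does not reproduce Comware's internal logic. It assumes a simplified semantics: a source whose per-second connection count exceeds the scan max-rate is blacklisted, and SYN flood protection for 10.1.1.2 switches on once the per-second SYN rate exceeds the action threshold and switches off only after the rate falls below the silence threshold. The per-second counters it consumes are constructed sample data.

```python
from collections import defaultdict

# Values taken from the configuration procedure above.
SCAN_MAX_RATE = 4500        # defense scan max-rate 4500 (new connections/second per source)
SYN_HIGH = 5000             # rate-threshold high 5000 (action threshold)
SYN_LOW = 1000              # rate-threshold low 1000 (silence threshold)
PROTECTED_SERVER = "10.1.1.2"


def validate_syn_thresholds(high, low):
    """A practitioner's sanity check before pushing the policy: the silence
    threshold must sit below the action threshold, otherwise protection could
    never be released once triggered (or would never trigger)."""
    if not (0 < low < high):
        raise ValueError(f"silence threshold {low} must be > 0 and < action threshold {high}")
    return True


def scan_blacklist(conn_counts, max_rate=SCAN_MAX_RATE):
    """Return the source IPs to blacklist for one measurement second.

    conn_counts: {src_ip: connections initiated in that second}.
    Model assumption of this example: a source exceeding max_rate is treated
    as a scanner, mirroring the combination of 'defense scan max-rate' and
    'defense scan add-to-blacklist' in policy 1.
    """
    return {src for src, n in conn_counts.items() if n > max_rate}


def syn_flood_states(syn_rates, high=SYN_HIGH, low=SYN_LOW):
    """Walk per-second SYN rates toward the protected server and return the
    protection state (True = active) after each second.

    Hysteresis model (an assumption of this example): protection activates
    when the rate exceeds the action threshold and stays active until the
    rate drops below the silence threshold, so rates between the two
    thresholds do not flap the state on and off.
    """
    validate_syn_thresholds(high, low)
    active = False
    states = []
    for rate in syn_rates:
        if not active and rate > high:
            active = True
        elif active and rate < low:
            active = False
        states.append(active)
    return states


def count_connections(events):
    """Aggregate constructed connection events (src_ip per new connection in one
    second) into the per-source counts that scan_blacklist() expects."""
    counts = defaultdict(int)
    for src in events:
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample data: one second of connection attempts from the untrust zone.
    sample_counts = {"192.0.2.10": 4600, "192.0.2.11": 120, "192.0.2.12": 4500}
    print("blacklisted:", scan_blacklist(sample_counts))          # {'192.0.2.10'}

    # Constructed sample data: per-second SYN rates toward 10.1.1.2.
    sample_rates = [200, 5200, 3000, 900, 5001, 4999]
    print("syn flood protection per second:", syn_flood_states(sample_rates))
```

Note that 192.0.2.12 at exactly 4500 connections per second is not blacklisted in this model, and that a rate of 3000 SYN/s keeps protection active only because it was already triggered by the preceding 5200 SYN/s second; whether the real device compares with "greater than" or "greater than or equal" is not stated on this page, so confirm it against the command reference before relying on boundary values.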