F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100
# Configure the policy to drop the subsequent packets after a SYN flood attack is detected.
[Firewall-attack-defense-policy-2] defense syn-flood action drop-packet
[Firewall-attack-defense-policy-2] quit
# Apply attack protection policy 2 to security zone DMZ.
[Firewall] zone name dmz id 3
[Firewall-zone-dmz] attack-defense apply policy 2
[Firewall-zone-dmz] quit
Verifying the configuration
Use the display attack-defense policy command to display the contents of attack protection policies 1 and 2.
If security zone Untrust receives Smurf attack packets, the device should output alarm logs. If security
zone Untrust receives scanning attack packets, the device should output alarm logs and add the IP
addresses of the attackers to the blacklist. If SYN flood attack packets are received by security zone DMZ,
the device should output alarm logs and drop the subsequent attack packets.
After a period of time, use the display attack-defense statistics zone command to display the attack
protection statistics of each security zone. If scanning attacks occur, you can use the display blacklist
command to see the blacklist entries added automatically by scanning attack protection.
Blacklist configuration example
Network requirements
As shown in Figure 42, Host D is an attacker in the external network. Configure the firewall to filter packets from Host D permanently. Host C is in the internal network. Configure the firewall to drop packets from Host C for 50 minutes, so that Host C cannot access the external network during the specified period of time.
Figure 42 Network diagram
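The following Python model is an added example, not code from the HP firewall firmware or from this guide: it reproduces the behaviour the verification section expects from policies 1 and 2 (alarm on Smurf in Untrust, alarm plus automatic blacklisting on scanning in Untrust, alarm plus drop on SYN flood in DMZ) together with the two manual blacklist entries of this example (Host D with no aging time, Host C for 50 minutes), so the expected outcome of each check can be reasoned about before looking at the device. The aging time for entries added by scanning attack protection (SCAN_AGING_MINUTES) is a placeholder, since the page does not state it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SCAN_AGING_MINUTES = 10  # placeholder: the page does not give the timer for auto-added entries


@dataclass
class Entry:
    added_at: float                # seconds on the model's clock
    aging_minutes: Optional[int]   # None = no aging time (permanent entry)

    def expired(self, now: float) -> bool:
        return self.aging_minutes is not None and now >= self.added_at + 60 * self.aging_minutes


@dataclass
class Firewall:
    blacklist_enabled: bool = False             # 'blacklist enable'
    blacklist: Dict[str, Entry] = field(default_factory=dict)
    zone_policy: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)  # zone -> attack -> actions
    alarms: List[str] = field(default_factory=list)

    def blacklist_add(self, ip: str, now: float, aging_minutes: Optional[int] = None) -> None:
        self.blacklist[ip] = Entry(now, aging_minutes)

    def blacklisted(self, ip: str, now: float) -> bool:
        # Aged-out entries are removed before the lookup, so a 50-minute entry stops matching at 50 minutes.
        for stale in [k for k, e in self.blacklist.items() if e.expired(now)]:
            del self.blacklist[stale]
        return self.blacklist_enabled and ip in self.blacklist

    def on_attack(self, zone: str, attack: str, src_ip: str, now: float) -> bool:
        """Apply the policy bound to the zone; return True if subsequent packets from src_ip are dropped."""
        actions = self.zone_policy.get(zone, {}).get(attack, set())
        if "alarm" in actions:
            self.alarms.append(f"{zone} {attack} {src_ip}")
        if "blacklist" in actions:                     # scanning protection adds the attacker automatically
            self.blacklist_add(src_ip, now, SCAN_AGING_MINUTES)
        return "drop" in actions or self.blacklisted(src_ip, now)


def build_page_firewall() -> Firewall:
    """Policies 1 and 2 and the two manual blacklist entries from this page."""
    fw = Firewall(blacklist_enabled=True)
    fw.zone_policy["untrust"] = {"smurf": {"alarm"}, "scan": {"alarm", "blacklist"}}
    fw.zone_policy["dmz"] = {"syn-flood": {"alarm", "drop"}}
    fw.blacklist_add("5.5.5.5", now=0)              # Host D: filtered permanently
    fw.blacklist_add("192.168.1.4", now=0, aging_minutes=50)  # Host C: dropped for 50 minutes
    return fw
```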
Configuration procedure
# Specify IP addresses for interfaces and add them into security zones. (Details not shown.)
# Enable the blacklist function.
<Firewall> system-view
[Firewall] blacklist enable
# Add Host D's IP address 5.5.5.5 to the blacklist without configuring an aging time for it.
[Firewall] blacklist ip 5.5.5.5
# Add Host C's IP address 192.168.1.4 to the blacklist and configure the aging time as 50 minutes.