F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100

If the attack packets have different source addresses, enable the ARP black hole routing function on the
firewall.
Configuration procedure
# Enable ARP source suppression and set the threshold to 100.
<Firewall> system-view
[Firewall] arp source-suppression enable
[Firewall] arp source-suppression limit 100
# Enable ARP black hole routing.
<Firewall> system-view
[Firewall] arp resolving-route enable
Configuring source MAC based ARP attack detection
Source MAC based ARP attack detection can be configured only at the CLI.
The following matrix shows the feature and hardware compatibility:
Hardware                 Source MAC based ARP attack detection compatible
F1000-A-EI/F1000-S-EI    Yes
F1000-E                  No
F5000                    No
Firewall module          No
U200-A                   Yes
U200-S                   Yes
This feature checks the number of ARP packets received from the same MAC address within five seconds
against a specific threshold. If the threshold is exceeded, the device adds the MAC address to an ARP
attack entry.
Before the entry is aged out, the device handles the attack by using either of the following methods:
Monitor—Generates log messages.
Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.
After an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry can
be processed normally.
You can exclude the MAC addresses of some gateways and servers from detection. This feature does not
inspect ARP packets from those devices even if they are attackers.
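To make the detection logic above concrete, here is an added simulation (not the device's own code) of the per-source-MAC counter: a sliding five-second window, a threshold, an attack entry that ages out, the monitor and filter handling methods, and an exclusion list. The threshold, age time, MAC addresses and timestamps are constructed for the example and are not values from the guide.

```python
from collections import defaultdict, deque

WINDOW = 5.0  # seconds; the detection window described in the guide


class SourceMacArpDetector:
    """Counts ARP packets per source MAC in a sliding 5-second window.
    Exceeding `threshold` creates an attack entry for `age_time` seconds.
    'monitor' only logs; 'filter' also drops later ARP packets from that
    MAC while the entry exists. Excluded MACs are never inspected."""

    def __init__(self, threshold, mode="monitor", age_time=300.0, exclude=()):
        if mode not in ("monitor", "filter"):
            raise ValueError("mode must be 'monitor' or 'filter'")
        self.threshold, self.mode, self.age_time = threshold, mode, age_time
        self.exclude = {m.lower() for m in exclude}
        self.hits = defaultdict(deque)  # mac -> packet timestamps in window
        self.entries = {}               # mac -> expiry time of attack entry
        self.logs = []

    def process(self, mac, now):
        """Return True if the ARP packet is processed, False if filtered."""
        mac = mac.lower()
        if mac in self.exclude:
            return True
        if mac in self.entries and now >= self.entries[mac]:
            del self.entries[mac]      # entry aged out: back to normal handling
            self.hits[mac].clear()
        if mac in self.entries:
            return self.mode != "filter"
        q = self.hits[mac]
        q.append(now)
        while q and now - q[0] > WINDOW:
            q.popleft()                # drop packets older than the window
        if len(q) > self.threshold:
            self.entries[mac] = now + self.age_time
            self.logs.append(f"ARP attack from {mac}: {len(q)} packets in {WINDOW:.0f}s")
            return self.mode != "filter"
        return True


def run_constructed_sample():
    """Constructed traffic: six ARP packets from one MAC within one second,
    threshold 5, filter mode, 10-second entry lifetime, one excluded MAC."""
    det = SourceMacArpDetector(threshold=5, mode="filter", age_time=10.0,
                               exclude=["00:00:5e:00:01:01"])  # hypothetical gateway MAC
    burst = [det.process("aa:bb:cc:dd:ee:01", i * 0.2) for i in range(6)]
    during_entry = det.process("aa:bb:cc:dd:ee:01", 5.0)   # entry still active
    after_age_out = det.process("aa:bb:cc:dd:ee:01", 12.0)  # entry expired
    gateway = det.process("00:00:5E:00:01:01", 12.0)        # excluded
    return {"burst": burst, "during_entry": during_entry,
            "after_age_out": after_age_out, "gateway": gateway, "logs": det.logs}
```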
To configure source MAC address based ARP attack detection:
Step                     Command        Remarks
1. Enter system view.    system-view    N/A