R3166-R3206-HP High-End Firewalls Attack Protection Configuration Guide-6PW101

Connection limit
Connection limit limits the number of connections based on source IP address or destination IP address.
You can set a connection threshold for an IP address on your firewall. Once the number of connections
of that IP address exceeds the threshold, the firewall outputs an attack alarm log and, depending on your
configuration, blocks the subsequent connection requests from or to that IP address.
Scanning detection
A scanning attack explores the addresses and ports on a network to identify the hosts attached to the
network and the application ports available on the hosts.
To fence off scanning attacks, you can set a scanning rate threshold on your firewall. Once the rate of the
connections from an IP address exceeds the threshold, the firewall outputs an attack alarm log, blocks the
subsequent connections from the IP address, and blacklists the IP address, depending on your
configuration.
Configuring traffic abnormality detection
NOTE:
ICMP flood detection, UDP flood detection, and SYN flood detection are intended to protect servers and
are usually configured on an internal zone. They work by inspecting the relevant connection rate or
number of relevant connections.
Scanning detection is intended to detect scanning behaviors and is usually configured on an external
zone. It works by inspecting the connection rate.
Scanning detection can be configured to add blacklist entries automatically. If you remove such a
blacklist entry, the system will not add the entry back to the blacklist for a period of time. This is
because the system treats the subsequent packets as part of the same attack.
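The following Python model is an added example, not code from this guide or from the firewall. It shows the scanning detection behavior described above: a per-source connection-rate threshold, the alarm log, automatic blacklisting, and the period after a manual blacklist removal during which the entry is not added back. The class and method names, the threshold, window and hold-down values, and the handling of over-threshold connections during the hold-down are assumptions.

```python
from collections import defaultdict, deque

class ScanDetector:
    """Illustrative model of per-source scanning detection with auto-blacklisting."""

    def __init__(self, rate_threshold=5, window=1.0, holddown=60.0):
        self.rate_threshold = rate_threshold  # assumed: max new connections per window
        self.window = window                  # assumed: measurement window, seconds
        self.holddown = holddown              # assumed: "period of time" with no re-add
        self.recent = defaultdict(deque)      # source IP -> recent connection times
        self.blacklist = set()
        self.no_readd_until = {}              # source IP -> end of hold-down
        self.alarms = []                      # (time, source IP, connections in window)

    def remove_blacklist_entry(self, src, now):
        """Administrator deletes an automatically added entry."""
        self.blacklist.discard(src)
        self.no_readd_until[src] = now + self.holddown

    def on_connection(self, src, now):
        """Return 'permit' or 'drop' for a new connection from src at time now."""
        if src in self.blacklist:
            return "drop"
        times = self.recent[src]
        times.append(now)
        while now - times[0] >= self.window:   # forget connections outside the window
            times.popleft()
        if len(times) <= self.rate_threshold:
            return "permit"
        self.alarms.append((now, src, len(times)))      # attack alarm log
        # Assumption: during the hold-down the model still alarms and drops,
        # it only refrains from re-adding the blacklist entry.
        if now >= self.no_readd_until.get(src, 0.0):
            self.blacklist.add(src)
        return "drop"

def demo():
    """Replay constructed traffic: a burst, a manual removal, then two more bursts."""
    d, src = ScanDetector(), "198.51.100.7"   # constructed documentation address
    first = [d.on_connection(src, i / 10) for i in range(8)]
    d.remove_blacklist_entry(src, now=10.0)
    second = [d.on_connection(src, 10 + i / 10) for i in range(6)]
    listed_during_holddown = src in d.blacklist
    third = [d.on_connection(src, 80 + i / 10) for i in range(6)]
    return first, second, listed_during_holddown, third, src in d.blacklist

if __name__ == "__main__":
    print(demo())
```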
To configure traffic abnormality detection, complete the following tasks:
Configuring ICMP flood detection
Configuring UDP flood detection
Configuring SYN flood detection
Configuring connection limits
Configuring scanning detection
Configuring ICMP flood detection
From the navigation tree, select Intrusion Detection > Traffic Abnormality > ICMP Flood to enter the ICMP
flood detection configuration page, as shown in Figure 6. You can select a security zone and then view
and configure ICMP flood detection rules for the security zone.