R3166-R3206-HP High-End Firewalls Attack Protection Configuration Guide-6PW101
Item                              Description
Enable Scanning Detection
Scanning Threshold                Set the maximum connection rate for a source IP address.
Add a source IP to the blacklist  Select this option to allow the system to blacklist a suspicious source IP address. If this option is selected, you can then set the lifetime of the blacklisted source IP addresses.
Lifetime                          Set the lifetime of the blacklist entry.
Traffic abnormality detection configuration example
Network requirements
As shown in Figure 14, the intranet protected by the firewall is the trusted zone, the subnet where the
internal servers are located is the DMZ zone, and the extranet is the untrusted zone.
To protect a server in the DMZ zone against SYN flood attacks, limit the number of new connections to
the protected server to 5000 per second and the number of half-open connections to 6000, based on
the actual traffic volume of the server. Once either limit is exceeded, subsequent connections to the server
are blocked.
Figure 14 Network diagram for traffic abnormality detection configuration
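The following added example (not part of the HP guide and not the firewall's implementation) models the two limits from the network requirements to show why both are configured: a burst trips the 5000 per second rate limit, while a slower stream of unanswered SYNs stays under it and is caught only by the 6000 half-open limit. The class and function names, the one-second sliding window, the absence of half-open timeouts, and the traffic figures are assumptions made for illustration.

```python
from collections import Counter, deque

class SynFloodGuard:
    """Toy model of the two per-server limits; not the firewall's implementation."""

    def __init__(self, max_new_per_sec=5000, max_half_open=6000):
        self.max_new_per_sec = max_new_per_sec
        self.max_half_open = max_half_open
        self.recent = deque()    # timestamps of SYNs admitted in the last second
        self.half_open = set()   # clients that sent a SYN but no final ACK yet

    def on_syn(self, now, client):
        while self.recent and now - self.recent[0] >= 1.0:
            self.recent.popleft()             # slide the one-second window
        if len(self.recent) >= self.max_new_per_sec:
            return "blocked:rate"
        if len(self.half_open) >= self.max_half_open:
            return "blocked:half-open"
        self.recent.append(now)
        self.half_open.add(client)
        return "allowed"

    def on_ack(self, client):
        self.half_open.discard(client)        # handshake completed

def run(syn_per_sec, seconds, completes_handshake):
    """Feed constructed traffic at a steady rate and count the verdicts."""
    guard, verdicts = SynFloodGuard(), Counter()
    for i in range(syn_per_sec * seconds):
        client = ("198.51.100.%d" % (i % 250), i)   # constructed (ip, id) pair
        verdict = guard.on_syn(i / syn_per_sec, client)
        verdicts[verdict] += 1
        if verdict == "allowed" and completes_handshake:
            guard.on_ack(client)
    return dict(verdicts)

if __name__ == "__main__":
    print("normal 4000/s, handshakes complete:", run(4000, 3, True))
    print("burst 9000/s, never completes     :", run(9000, 1, False))
    print("steady 1000/s, never completes    :", run(1000, 8, False))
```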
Configuration procedure
# Assign IP addresses to interfaces.
1. From the navigation tree, select Device Management > Interface.
2. Assign IP address 192.168.1.2/24 to interface GigabitEthernet 0/0.
3. Assign IP address 10.110.1.2/24 to interface GigabitEthernet 0/1.
4. Assign IP address 202.1.0.1/24 to interface GigabitEthernet 0/2.
# Assign the interfaces to security zones.
1. In the navigation tree on the left of the web interface, select System > Zone.
2. Assign interface GigabitEthernet 0/0 to the trusted zone.
3. Assign interface GigabitEthernet 0/1 to the DMZ zone.