R3166-R3206-HP High-End Firewalls Attack Protection Configuration Guide-6PW101

Item | Description
Port Number | Destination port of the TCP connection. The option any specifies that TCP proxy services TCP connection requests to any port of the server at the destination IP address.
Type | The protected IP address entries can be static or dynamic.
Lifetime(min) | Lifetime for the IP address entry under protection. This item is displayed as for static IP address entries. When the time reaches 0, the protected IP address entry will be deleted.
Number of Rejected | Number of TCP connection requests that matched the protected IP address entry but were found to be illegitimate.
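The fields in the table above describe the state a protected IP address entry carries: a destination port (or any), a static or dynamic type, a lifetime in minutes that applies only to dynamic entries and deletes the entry when it reaches 0, and a counter of matched but rejected connection requests. The following Python model is an added illustration of those semantics and is not code from the HP firewall or its documentation; the class and method names, the "any" port marker and the sample addresses are all assumptions chosen for the example, and "passes the proxy check" stands in for whatever validation the real TCP proxy performs.

```python
"""Hypothetical model of a TCP proxy protected-IP table (added example,
not HP firewall code). Entries are static or dynamic; dynamic entries
carry a lifetime in minutes and are deleted when it reaches 0; each entry
counts TCP connection requests that matched it but failed the proxy check.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

ANY_PORT = "any"          # stands in for the guide's "any" port option
Port = Union[int, str]    # a concrete port number or ANY_PORT


@dataclass
class ProtectedEntry:
    ip: str
    port: Port
    entry_type: str                   # "static" or "dynamic"
    lifetime_min: Optional[int] = None  # None for static entries (no aging)
    rejected: int = 0                 # "Number of Rejected" counter


class ProtectedIPTable:
    """Keeps protected entries keyed by (ip, port)."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, Port], ProtectedEntry] = {}

    def add_static(self, ip: str, port: Port = ANY_PORT) -> None:
        # A manually added entry: never ages out.
        self.entries[(ip, port)] = ProtectedEntry(ip, port, "static")

    def add_dynamic(self, ip: str, port: Port, lifetime_min: int) -> None:
        # An entry added dynamically: ages out after lifetime_min minutes.
        self.entries[(ip, port)] = ProtectedEntry(ip, port, "dynamic", lifetime_min)

    def match(self, dst_ip: str, dst_port: int) -> Optional[ProtectedEntry]:
        # An exact port entry takes precedence over an "any" entry for the same IP.
        return (self.entries.get((dst_ip, dst_port))
                or self.entries.get((dst_ip, ANY_PORT)))

    def handle_syn(self, dst_ip: str, dst_port: int, passes_proxy_check: bool) -> str:
        """Decide what happens to a TCP connection request.

        'forward' if no entry protects the destination, 'accept' if the
        request passed the proxy check, otherwise 'reject' (and count it).
        """
        entry = self.match(dst_ip, dst_port)
        if entry is None:
            return "forward"
        if passes_proxy_check:
            return "accept"
        entry.rejected += 1
        return "reject"

    def tick(self, minutes: int = 1) -> None:
        """Age dynamic entries; delete those whose lifetime reaches 0."""
        for key in list(self.entries):
            entry = self.entries[key]
            if entry.entry_type == "dynamic" and entry.lifetime_min is not None:
                entry.lifetime_min = max(0, entry.lifetime_min - minutes)
                if entry.lifetime_min == 0:
                    del self.entries[key]


def demo() -> ProtectedIPTable:
    """Constructed scenario: one static entry (Server A) and one dynamic entry."""
    table = ProtectedIPTable()
    table.add_static("10.1.1.2")                  # Server A, any port, manual
    table.add_dynamic("10.1.1.3", 80, 2)          # dynamic, 2 minute lifetime
    table.handle_syn("10.1.1.2", 443, False)      # rejected: counted on Server A
    table.handle_syn("10.1.1.9", 80, False)       # unprotected host: forwarded
    table.tick()                                  # dynamic entry now at 1 minute
    return table


if __name__ == "__main__":
    t = demo()
    for (ip, port), e in t.entries.items():
        print(ip, port, e.entry_type, e.lifetime_min, e.rejected)
```

Running the block prints the two remaining entries after one minute; a second call to tick() would remove the dynamic entry because its lifetime reaches 0, which is the behaviour the Lifetime(min) row describes.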
TCP proxy configuration example
Network requirements
As shown in Figure 24, configure bidirectional TCP proxy on Firewall to protect Server A, Server B, and Server C against SYN flood attacks from the Internet. Add a protected IP address entry for Server A manually and configure dynamic TCP proxy for the other servers.
Figure 24 Network diagram for TCP proxy configuration
Configuration procedure
# Assign IP addresses to the interfaces, then add interface GigabitEthernet 1/1 to the security zone Untrust and GigabitEthernet 1/2 to the security zone Trust. (Omitted)
# Set the TCP proxy mode to bidirectional and enable TCP proxy for the security zone Untrust.
Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree.
Select Bidirection for the global setting.
Click Apply.
In the Zone Configuration area, click Enable for the Untrust zone.
# Add an IP address entry manually for protection.
Select Intrusion Detection > TCP Proxy > Protected IP Configuration from the navigation tree. Then, on the right pane, click Add.