R3166-R3206-HP High-End Firewalls System Management and Maintenance Configuration Guide-6PW101

To do...                              Use the command...                                Remarks
Enable protection against Naptha      tcp anti-naptha enable                            Required.
attacks                                                                                 Disabled by default.
Configure the maximum number of TCP   tcp state { closing | established | fin-wait-1 |  Optional.
connections in a state                fin-wait-2 | last-ack | syn-received }            5 by default.
                                      connection-number number                          If the maximum number of TCP connections
                                                                                        in a state is set to 0, the aging of TCP
                                                                                        connections in that state is not accelerated.
Configure the TCP state check         tcp timer check-state timer-value                 Optional.
interval                                                                                30 seconds by default.
NOTE:
With Naptha attack protection enabled, the device checks and records the number of TCP connections in
each state once per check interval (tcp timer check-state).
If the number of TCP connections in a state exceeds the maximum configured for that state, the device
treats this as a Naptha attack and accelerates the aging of the TCP connections in that state. Aging
stays accelerated until the number of connections in that state drops below 80% of the maximum; the
gap between the two thresholds keeps the device from toggling acceleration on and off around the limit.
The default of 5 per state is only a starting point: set each maximum above the legitimate peak count
for that state on your device, otherwise legitimate connections are aged early as soon as the count
passes it.
Configuring TCP optional parameters
The TCP optional parameters that can be configured are:
synwait timer: When TCP sends a SYN packet, it starts the synwait timer. If no response packet is
received before the timer expires, the connection attempt is abandoned and the TCP connection is not
created.
finwait timer: When a TCP connection enters the FIN_WAIT_2 state, the finwait timer is started. If no
FIN packet is received before the timer expires, the TCP connection is terminated. If a FIN packet is
received, the connection moves to the TIME_WAIT state. If a non-FIN packet is received, the timer is
restarted each time such a packet arrives, and the connection is torn down when the timer eventually
expires. A shorter finwait timer releases the resources held by half-closed connections sooner, which
also limits how long a peer can keep connections parked in FIN_WAIT_2.
Size of the TCP receive/send buffer, set with the tcp window command.
Follow these steps to configure TCP optional parameters:
To do...                              Use the command...                                Remarks
Enter system view                     system-view
Configure the TCP synwait timer       tcp timer syn-timeout time-value                  Optional.
                                                                                        75 seconds by default.
Configure the TCP finwait timer       tcp timer fin-timeout time-value                  Optional.
                                                                                        675 seconds by default.
Configure the size of the TCP         tcp window window-size                            Optional.
receive/send buffer                                                                     8 KB by default.
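The check-and-accelerate rule from the NOTE above and the commands from both tables, modelled in Python as an added example. This is not HP code and does not run on the firewall; it is a stand-alone model of the documented rules. The function names, the sample configuration and the per-interval connection counts are constructed for the illustration; the defaults (5 per state, 30 s, 75 s, 675 s, 8 KB) and the 80% release threshold come from the page.

```python
"""Model of the Naptha protection and TCP timer settings on this page.
Added illustration, not HP/Comware code: parses the commands from the two
tables into a settings dict seeded with the page's defaults, then models the
NOTE's rule (accelerate aging above the maximum, stop below 80% of it)."""
import re

# States accepted by the tcp state command (from the table above).
TCP_STATES = ("closing", "established", "fin-wait-1", "fin-wait-2",
              "last-ack", "syn-received")

def default_settings():
    """Settings before any command is entered (the page's defaults)."""
    return {"anti_naptha": False,                    # disabled by default
            "max_conn": {s: 5 for s in TCP_STATES},  # 5 per state
            "check_state": 30, "syn_timeout": 75,    # seconds
            "fin_timeout": 675,                      # seconds
            "window_kb": 8}                          # KB

def apply_command(settings, line):
    """Apply one system-view command in place. Raises ValueError for anything
    the page does not define (unknown state, non-numeric value, typo)."""
    line = " ".join(line.split())
    if line in ("", "system-view"):
        return settings
    if line == "tcp anti-naptha enable":
        settings["anti_naptha"] = True
        return settings
    m = re.fullmatch(r"tcp state (\S+) connection-number (\d+)", line)
    if m:
        if m.group(1) not in TCP_STATES:
            raise ValueError(f"unknown TCP state: {m.group(1)}")
        settings["max_conn"][m.group(1)] = int(m.group(2))
        return settings
    m = re.fullmatch(r"tcp timer (check-state|syn-timeout|fin-timeout) (\d+)", line)
    if m:
        settings[m.group(1).replace("-", "_")] = int(m.group(2))
        return settings
    m = re.fullmatch(r"tcp window (\d+)", line)
    if m:
        settings["window_kb"] = int(m.group(1))
        return settings
    raise ValueError(f"unrecognised command: {line}")

def apply_config(text):
    """Parse a block of CLI lines and return the resulting settings."""
    settings = default_settings()
    for line in text.splitlines():
        apply_command(settings, line)
    return settings

def naptha_check(settings, counts, accelerating):
    """One pass of the periodic check: counts maps state -> connections in that
    state, accelerating holds the states currently being aged faster.
    Returns the new set. A maximum of 0 exempts the state."""
    if not settings["anti_naptha"]:
        return set()
    result = set(accelerating)
    for state in TCP_STATES:
        limit, count = settings["max_conn"][state], counts.get(state, 0)
        if limit == 0:
            result.discard(state)
        elif count > limit:
            result.add(state)                     # above maximum: start
        elif state in result and count < 0.8 * limit:
            result.discard(state)                 # below 80%: stop
    return result

def run_checks(settings, samples):
    """Feed successive per-interval counts; return the sorted accelerated
    states after each check."""
    accelerating, history = set(), []
    for counts in samples:
        accelerating = naptha_check(settings, counts, accelerating)
        history.append(sorted(accelerating))
    return history

# Constructed configuration using only commands from the tables above.
SAMPLE_CONFIG = """system-view
tcp anti-naptha enable
tcp state syn-received connection-number 200
tcp state established connection-number 0
tcp timer check-state 20
tcp timer syn-timeout 30
tcp timer fin-timeout 300
tcp window 16
"""

# Constructed per-interval counts: a burst of half-open connections while a
# large ESTABLISHED count is exempt (maximum 0).
SAMPLE_COUNTS = [
    {"syn-received": 150, "established": 1000},
    {"syn-received": 250, "established": 1000},  # > 200: acceleration starts
    {"syn-received": 190, "established": 1000},  # still >= 160: continues
    {"syn-received": 159, "established": 1000},  # < 160: acceleration stops
    {"syn-received": 300, "established": 1000},  # exceeded again
]

if __name__ == "__main__":
    cfg = apply_config(SAMPLE_CONFIG)
    for i, states in enumerate(run_checks(cfg, SAMPLE_COUNTS)):
        print(f"t={i * cfg['check_state']:>3}s accelerating: {states or '-'}")
```

Run the block directly to print which states are in accelerated aging after each 20-second check. The step worth noticing is the third sample: at 190 the count is back under the maximum of 200, but acceleration continues, because it only stops once the count drops below 80% of the maximum (160). With the page's default maximum of 5, the same rule means a state stays accelerated at a count of 4 (4 is not below 4.0) and is released only at 3. Treat the model as a way to reason about where to set each maximum, not as a statement of how the firewall implements the check internally.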