R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101

Blacklist configuration
NOTE:
The LB module supports configuring the blacklist function only in the web interface.
Overview
The blacklist is an attack prevention mechanism that filters packets based on source IP address. Compared
with ACL-based packet filtering, the blacklist feature is easier to configure and fast at filtering packets
sourced from particular IP addresses.
The LB module can dynamically add and remove blacklist entries. This is implemented in cooperation
with the scanning detection feature. When the module detects that packets sourced from an IP address
have a behavior pattern that implies a potential scanning attack, it automatically blacklists the IP address
to filter subsequent packets sourced from that IP address. Blacklist entries added in this way will age out
after a period of time.
The module also supports adding and removing blacklist entries manually. Manually configured blacklist
entries fall into two categories: permanent and non-permanent. A permanent blacklist entry is always
present unless it is removed manually, while a non-permanent blacklist entry has a limited lifetime
that depends on your configuration. When the lifetime of a non-permanent entry expires, the module
removes the entry from the blacklist, allowing packets from the IP address defined by the entry to pass
through.
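A minimal Python model of the entry lifecycle described in this overview, together with the TIP in Table 5 about modified dynamic entries. It is an added illustration, not HP code or the module's implementation; the class and method names, the seconds-based clock, the sample addresses, and the rule that scanning detection does not overwrite a manual entry are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    origin: str                  # "dynamic" (scanning detection) or "manual"
    expires_at: Optional[float]  # None means a permanent entry

class Blacklist:
    """Toy model of blacklist entries; times are seconds on a caller-supplied clock."""

    def __init__(self, enabled=False):  # the guide: disabled by default
        self.enabled = enabled
        self.entries = {}

    def _live(self, key, now):
        """Return the unexpired entry for key, purging it once its lifetime is over."""
        entry = self.entries.get(key)
        if entry and entry.expires_at is not None and now >= entry.expires_at:
            del self.entries[key]  # aged out: packets from this source pass again
            return None
        return entry

    def add_dynamic(self, ip, now, aging_time):
        """Entry created by scanning detection; it always ages out."""
        key = ipaddress.ip_address(ip)
        existing = self._live(key, now)
        if existing and existing.origin == "manual":
            return  # model assumption: detection never overwrites a manual entry
        self.entries[key] = Entry("dynamic", now + aging_time)

    def add_manual(self, ip, now, lifetime=None):
        """lifetime=None gives a permanent entry, otherwise a non-permanent one."""
        expires = None if lifetime is None else now + lifetime
        self.entries[ipaddress.ip_address(ip)] = Entry("manual", expires)

    def modify(self, ip, now, lifetime=None):
        """Editing an existing entry, dynamic ones included, makes it manual."""
        if self._live(ipaddress.ip_address(ip), now) is None:
            raise KeyError(ip)
        self.add_manual(ip, now, lifetime)

    def permits(self, src_ip, now):
        """Return True if a packet from src_ip passes the blacklist at time now."""
        if not self.enabled:
            return True
        return self._live(ipaddress.ip_address(src_ip), now) is None
```
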
Configuring the blacklist
Configuration task list
Perform the tasks in Table 5 to configure the blacklist feature.
Table 5 Blacklist configuration task list
Task | Remarks
Enabling the blacklist function | Required. By default, the blacklist function is disabled.
Configuring the Scanning Detection Feature to Add Blacklist Entries Automatically; Adding a blacklist entry manually | Required. Complete either of the tasks. For more information about scanning detection configuration, see “Traffic abnormality detection configuration.” By default, no blacklist entries exist. TIP: If you modify a dynamic blacklist entry, the entry will turn into a manual one.