HP High-End Firewalls Attack Protection Command Reference
Part number: 5998-2660
Software version:
  F1000-A-EI&F1000-S-EI: R3721
  F5000: F3210
  F1000-E: F3171
  Firewall module: F3171
Document version: 6PW101-20120719
Legal and notice information
© Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
ARP attack protection configuration commands ... 1
  Gratuitous ARP configuration commands ... 1
    arp send-gratuitous-arp ... 1
    gratuitous-arp-sending e
ARP attack protection configuration commands

Gratuitous ARP configuration commands

arp send-gratuitous-arp
Syntax
arp send-gratuitous-arp [ interval milliseconds ]
undo arp send-gratuitous-arp
View
Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view, Layer 3 aggregate interface view, Layer 3 aggregate subinterface view
Default level
2: System level
Parameters
interval milliseconds: Sets the interval at which gratuitous ARP packets are sent, in the range of 200 to 200000 milliseconds.
gratuitous-arp-sending enable
Syntax
gratuitous-arp-sending enable
undo gratuitous-arp-sending enable
View
System view
Default level
2: System level
Parameters
None
Description
Use gratuitous-arp-sending enable to enable the firewall to send gratuitous ARP packets when it receives ARP requests from another network segment.
Use undo gratuitous-arp-sending enable to restore the default.
By default, the firewall does not send gratuitous ARP packets when it receives ARP requests from another network segment.
source IP address of the ARP packet exists. If a matching ARP entry is found in the cache, the firewall updates the ARP entry regardless of whether this function is enabled.
Examples
# Enable the gratuitous ARP packet learning function.
arp scan
Syntax
arp scan [ start-ip-address to end-ip-address ]
View
Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view, Layer 3 aggregate interface view, Layer 3 aggregate subinterface view
Default level
2: System level
Parameters
start-ip-address: Start IP address of the scanning range.
end-ip-address: End IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.
TCP attack protection configuration commands

display tcp status
Syntax
display tcp status [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
tcp anti-naptha enable
Syntax
tcp anti-naptha enable
undo tcp anti-naptha enable
View
System view
Default level
2: System level
Parameters
None
Description
Use tcp anti-naptha enable to enable the protection against Naptha attack.
Use undo tcp anti-naptha enable to disable the protection against Naptha attack.
By default, the protection against Naptha attack is disabled.
syn-received: SYN_RECEIVED state of a TCP connection.
connection-number number: Maximum number of TCP connections in a certain state. The argument number is in the range of 0 to 500.
Description
Use tcp state to configure the maximum number of TCP connections in a state. When this number is exceeded, the aging of TCP connections in this state is accelerated.
Use undo tcp state to restore the default.
By default, the maximum number of TCP connections in each state is 5.
tcp timer check-state
Syntax
tcp timer check-state time-value
undo tcp timer check-state
View
System view
Default level
2: System level
Parameters
time-value: TCP connection state check interval in seconds, in the range of 1 to 60.
Description
Use tcp timer check-state to configure the TCP connection state check interval.
Use undo tcp timer check-state to restore the default.
By default, the TCP connection state check interval is 30 seconds.
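The interplay of tcp state and tcp timer check-state, as an added illustrative model written for this reference (it is not the firewall's own code): connections are counted per TCP state once per check interval, and a state that is over its configured maximum has its connections aged out on a shorter timeout. The two idle timeouts, the flow key and the state names are assumptions made for the example.

```python
from collections import defaultdict

# Illustrative model, not the firewall's own code, of the Naptha protection that
# tcp state and tcp timer check-state configure: connections are tracked per TCP
# state, the table is examined once per check interval, and a state whose count
# exceeds its configured maximum has its connections aged out faster.
# The idle timeouts are assumptions; the manual gives only the limits and interval.
NORMAL_IDLE_TIMEOUT = 600.0       # seconds before an idle connection ages out normally (assumed)
ACCELERATED_IDLE_TIMEOUT = 10.0   # shorter timeout applied once a state is over its limit (assumed)


class TcpStateGuard:
    def __init__(self, check_interval=30, default_max=5):
        # Defaults follow the manual: check interval 30 seconds, 5 connections per state.
        self.check_interval = check_interval
        self.max_per_state = defaultdict(lambda: default_max)
        self.conns = {}          # flow (src_ip, src_port) -> {"state": str, "last_seen": float}
        self.last_check = None   # time of the previous check, None before the first one

    def tcp_state(self, state, connection_number):
        # Counterpart of: tcp state <state> connection-number <number>, number in 0..500
        if not 0 <= connection_number <= 500:
            raise ValueError("connection-number must be in the range 0 to 500")
        self.max_per_state[state] = connection_number

    def track(self, flow, state, now):
        # Record (or refresh) a connection seen in the given TCP state at time now.
        self.conns[flow] = {"state": state, "last_seen": now}

    def check(self, now):
        # Run the state check; returns the flows aged out, or [] if the interval has not elapsed.
        if self.last_check is not None and now - self.last_check < self.check_interval:
            return []
        self.last_check = now
        counts = defaultdict(int)
        for conn in self.conns.values():
            counts[conn["state"]] += 1
        aged = []
        for flow, conn in list(self.conns.items()):
            over_limit = counts[conn["state"]] > self.max_per_state[conn["state"]]
            timeout = ACCELERATED_IDLE_TIMEOUT if over_limit else NORMAL_IDLE_TIMEOUT
            if now - conn["last_seen"] >= timeout:
                aged.append(flow)
                del self.conns[flow]
        return aged
```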
Firewall configuration commands

display firewall ipv6 statistics
Syntax
display firewall ipv6 statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
all: Displays the packet filtering statistics of all interfaces of the IPv6 firewall.
interface interface-type interface-number: Displays the packet filtering statistics of the specified interface of the IPv6 firewall.
Table 2 Command output
Field                              Description
Interface                          Interface configured with the IPv6 packet filtering function
In-bound Policy                    An IPv6 ACL is configured in the inbound direction of the interface
Out-bound Policy                   An IPv6 ACL is configured in the outbound direction of the interface
acl6                               IPv6 ACL number
0 packets, 0 bytes, 0% permitted   Packets permitted by IPv6 ACL rules: the number of packets and bytes, and the percentage of permitted packets to the total
[Sysname] firewall ipv6 default deny

firewall ipv6 enable
Syntax
firewall ipv6 enable
undo firewall ipv6 enable
View
System view
Default level
2: System level
Parameters
None
Description
Use firewall ipv6 enable to enable the IPv6 firewall function.
Use undo firewall ipv6 enable to disable the IPv6 firewall function.
By default, the IPv6 firewall function is disabled.
Examples
# Enable the IPv6 firewall function.
Description
Use firewall packet-filter ipv6 to configure IPv6 packet filtering on the interface.
Use undo firewall packet-filter ipv6 to remove the IPv6 packet filtering setting on the interface.
By default, IPv6 packets are not filtered on the interface.
Examples
# Configure IPv6 packet filtering for GigabitEthernet 0/1 using IPv6 ACL 2500.
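How an interface packet filter, its default action and the Table 2 counters fit together, as an added illustrative model written for this reference (not the firewall's code): an ordered IPv6 ACL is applied per packet, the default action set with firewall ipv6 default (deny in the example above) decides unmatched packets, and the permitted packets, bytes and percentage are accumulated. The rule shape (action, source prefix, optional destination port) is an assumption for the example, not Comware ACL syntax.

```python
import ipaddress

# Illustrative model, not the firewall's own code, of IPv6 packet filtering on an
# interface: the first matching ACL rule decides, the interface default action
# decides packets no rule matches, and the counters follow the Table 2 field
# "packets, bytes, % permitted". Rule shape is an assumption made for this example.

class Ipv6PacketFilter:
    def __init__(self, default_action="permit"):
        self.default_action = default_action               # "permit" or "deny"
        self.rules = []                                    # (action, ip_network, dport or None)
        self.stats = {"permit": [0, 0], "deny": [0, 0]}    # action -> [packets, bytes]

    def add_rule(self, action, src_prefix, dport=None):
        # Append an ACL rule: matches packets from src_prefix (and dport, if given).
        self.rules.append((action, ipaddress.ip_network(src_prefix), dport))

    def filter(self, src, dport, length):
        # First matching rule wins; otherwise the interface default action applies.
        saddr = ipaddress.ip_address(src)
        action = self.default_action
        for rule_action, net, port in self.rules:
            if saddr in net and (port is None or port == dport):
                action = rule_action
                break
        self.stats[action][0] += 1
        self.stats[action][1] += length
        return action

    def permitted_summary(self):
        # Same shape as the Table 2 field: permitted packets, bytes and share of the total.
        permitted = self.stats["permit"][0]
        total = permitted + self.stats["deny"][0]
        percent = 100 * permitted // total if total else 0
        return "%d packets, %d bytes, %d%% permitted" % (permitted, self.stats["permit"][1], percent)
```

With default deny, only traffic an explicit rule permits gets through; with the default action left at permit, the same unmatched packets are forwarded and counted as permitted.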
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention       Description
Boldface         Bold text represents commands and keywords that you enter literally as shown.
Italic           Italic text represents arguments that you replace with actual values.
[ ]              Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }  Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
(Icon images are not reproduced; the descriptions follow.)
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents a firewall.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
Index
A
arp fixup, 3
arp scan, 4
arp send-gratuitous-arp, 1
D
display firewall ipv6 statistics, 9
display tcp status, 5
Documents, 13
F
firewall ipv6 default, 10
firewall ipv6 enable, 11
firewall packet-filter ipv6, 11
G
gratuitous-arp-learning enable, 2
gratuitous-arp-sending enable, 2
R
reset firewall ipv6 statistics, 12
S
Subscription service, 13
T
tcp anti-naptha enable, 6
tcp state, 6
tcp syn-cookie enable, 7
tcp timer check-state, 8
W
Websites, 13