R3721-F3210-F3171-HP High-End Firewalls Attack Protection Configuration Guide-6PW101

Item | Description
Add a source IP to the blacklist | Select this option to allow the system to blacklist a suspicious source IP address. If this option is selected, you can then set the lifetime of the blacklisted source IP addresses.
IMPORTANT: Only when the blacklist feature is enabled can the scanning detection function blacklist a suspect and discard subsequent packets from the suspect.
Lifetime | Set the lifetime of the blacklist entry.
Traffic abnormality detection configuration example
Network requirements
As shown in Figure 21, the internal network is the trusted zone, the subnet where the internal servers are
located is the demilitarized zone (DMZ), and the external network is the untrusted zone.
Configure Firewall to:
Protect the internal network against scanning attacks from the external network.
Limit the number of connections initiated by each internal host.
Limit the number of connections to the internal server.
Protect the internal server against SYN flood attacks from the external network.
Figure 21 Network diagram
Configuration considerations
To satisfy the requirements, perform the following configurations on the Firewall:
Configure scanning detection for the untrusted zone, enable the function to add entries to the
blacklist, and set the scanning threshold to, for example, 4500 connections per second.
Configure source IP address-based connection limit for the trusted zone, and set the number of
connections each host can initiate to, for example, 100.
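As an added illustration, not code from this guide or from the firewall itself, the following Python models the behaviour the settings above configure: scanning detection that blacklists a source once it exceeds the per-second threshold (only if the blacklist feature is enabled), a blacklist entry that expires after its lifetime, and a per-source connection limit. The 4500 connections/s threshold and the limit of 100 come from the text; the 60 s lifetime and the IP addresses are assumptions.

```python
# Added illustration, not code from the HP/H3C guide: a model of the scanning
# detection + blacklist behaviour and the per-source connection limit above,
# driven by constructed connection records. The 4500 conn/s threshold and the
# limit of 100 come from the text; the 60 s lifetime and IPs are assumptions.
from collections import defaultdict

class ScanBlacklist:
    def __init__(self, threshold_per_sec, lifetime_sec, blacklist_enabled=True):
        self.threshold = threshold_per_sec   # connections/s that marks a scanner
        self.lifetime = lifetime_sec         # how long a blacklist entry lives
        self.enabled = blacklist_enabled     # if False: detect, but never discard
        self.counts = defaultdict(int)       # (src, whole second) -> attempts
        self.blacklist = {}                  # src -> expiry timestamp

    def handle(self, ts, src):
        """Return 'drop' or 'forward' for a connection attempt at time ts."""
        # Age out expired entries first so the lifetime is honoured exactly.
        self.blacklist = {s: e for s, e in self.blacklist.items() if ts < e}
        if src in self.blacklist:
            return "drop"
        key = (src, int(ts))
        self.counts[key] += 1
        if self.counts[key] > self.threshold and self.enabled:
            self.blacklist[src] = ts + self.lifetime   # blacklist the suspect
            return "drop"
        return "forward"

class SourceConnectionLimit:
    """Caps the connections a single internal host may have open at once."""
    def __init__(self, max_per_source):
        self.limit = max_per_source
        self.active = defaultdict(int)       # src -> currently open connections

    def open(self, src):
        if self.active[src] >= self.limit:
            return "drop"
        self.active[src] += 1
        return "forward"

    def close(self, src):
        self.active[src] = max(0, self.active[src] - 1)

def run_scan_scenario(threshold=4500, lifetime=60.0):
    """Constructed: 203.0.113.7 scans at t=0; 198.51.100.20 is a normal host."""
    det = ScanBlacklist(threshold, lifetime)
    verdicts = [det.handle(0.0, "203.0.113.7") for _ in range(threshold + 1)]
    return (verdicts.index("drop"),                 # first dropped attempt
            det.handle(30.0, "203.0.113.7"),        # still blacklisted
            det.handle(30.0, "198.51.100.20"),      # unaffected host
            det.handle(61.0, "203.0.113.7"))        # entry has expired
```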