3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide

Configuring Zone-Based Statistics 159
Enabling/Disabling the System-Based Connection Count Monitoring
Using this command, you can configure the threshold value for the number of
connections in the system. The firewall outputs an alarm log when the number of
TCP or UDP connections exceeds the threshold value.
Perform the following configuration in system view.
By default, restriction on the number of system-based connections is enabled and
the default values apply. The default upper threshold for TCP and UDP connections
allowed in the system is 500000, and the default lower threshold is 1. When this
function is disabled, the firewall restricts the system-based connection count
using the default values.
Enabling/Disabling Alarm Detection for Abnormal System Packet Rate
Using this command, you can configure the normal percentage for each type of
packet and the permitted alteration percentage. At regular intervals, the system
measures the percentage of each packet type and compares it with the configured
values. If the percentage for one packet type (TCP, UDP, ICMP or others) exceeds
the configured upper threshold (the normal percentage with the alteration added),
the system outputs an alarm log; if the percentage for one packet type falls
below the lower threshold (the normal percentage with the alteration applied),
the system also outputs an alarm log.
Perform the following configuration in system view.
By default, the percentages for TCP, UDP, and ICMP packets are 75, 15, and 5; the
alteration percentage is 25; and the detection period is 60 minutes.
You must configure the percentages for all three packet types (TCP, UDP, and
ICMP) in the same command, and the sum of the three percentages cannot exceed
100; otherwise, the command does not take effect. You do not need to configure a
packet percentage for other packet types.
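The following Python is an added illustration, not code from the 3Com guide, modelling the two monitors described in the sections above: the validation rule for the flow-percent command and the alarm comparisons for packet shares and connection counts. It assumes the alteration value is an absolute band added to and subtracted from each configured share, and that shares are computed over a sampled window; the page does not define how the low connection threshold is used, so the example only checks the high one.

```python
# Added example (not 3Com code). Models the documented behaviour of the
# system-based connection count monitor and the packet-rate alarm detection.
DEFAULT_SHARES = {"tcp": 75, "udp": 15, "icmp": 5}  # page defaults (percent)
DEFAULT_ALTERATION = 25                              # page default (percent)
DEFAULT_HIGH_CONNECTIONS = 500000                    # page default upper threshold


def validate_flow_percent(shares, alteration):
    """Mirror the documented constraint: tcp, udp and icmp must all be given
    and their sum cannot exceed 100, otherwise the command is rejected."""
    if set(shares) != {"tcp", "udp", "icmp"}:
        return False
    if any(not 0 <= v <= 100 for v in shares.values()):
        return False
    return sum(shares.values()) <= 100 and 0 <= alteration <= 100


def packet_rate_alarms(counts, shares=DEFAULT_SHARES, alteration=DEFAULT_ALTERATION):
    """Compare the observed share of each packet type in a sample window
    against the configured band. ASSUMPTION: the band is share +/- alteration,
    clipped to [0, 100]. Returns one alarm string per out-of-band type."""
    total = sum(counts.values())
    if total == 0:
        return []  # nothing sampled in this window: no basis for an alarm
    alarms = []
    for proto, share in shares.items():
        observed = 100.0 * counts.get(proto, 0) / total
        upper = min(share + alteration, 100)
        lower = max(share - alteration, 0)
        if observed > upper:
            alarms.append(f"{proto}: {observed:.1f}% above upper threshold {upper}%")
        elif observed < lower:
            alarms.append(f"{proto}: {observed:.1f}% below lower threshold {lower}%")
    return alarms


def connection_count_alarm(count, high=DEFAULT_HIGH_CONNECTIONS):
    """System-based connection count check: alarm when the number of
    connections of one type (TCP or UDP) exceeds the high threshold."""
    return count > high


if __name__ == "__main__":
    # Constructed sample windows (packet counts per type), not captured data.
    normal = {"tcp": 750, "udp": 150, "icmp": 50, "other": 50}
    udp_flood = {"tcp": 100, "udp": 850, "icmp": 50}
    print(packet_rate_alarms(normal))      # []
    print(packet_rate_alarms(udp_flood))   # tcp below band, udp above band
    print(connection_count_alarm(500001))  # True
```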
Configuring Zone-Based Statistics
The zone-based statistics function configuration includes:
Enabling the zone-based statistics function
Enabling the zone-based connection count monitoring
Table 179 Enable/disable the system-based connection count monitoring function

Operation: Enable the system-based connection count monitoring function
Command: firewall statistics system connect-number { tcp | udp } { high high-value low low-value }

Operation: Disable the system-based connection count monitoring function
Command: undo statistics system connect-number { tcp | udp }

Table 180 Enable/disable alarm detection for abnormal system packet rate

Operation: Enable alarm detection for abnormal system packet rate
Command: firewall statistics system flow-percent { tcp tcp-percent udp udp-percent icmp icmp-percent alteration alteration-percent [ time time-value ] }

Operation: Disable alarm detection for abnormal system packet rate
Command: undo firewall statistics system flow-percent