3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
Configuring IP-Based Statistics 161
By default, the zone-based connection rate restriction function is disabled. The
default upper threshold value of the zone-based TCP/UDP connections is 10,000,
and the lower threshold value is 1.
CAUTION: The connection rate restriction function of a zone will not take effect
unless the corresponding statistics function is enabled.
Configuring IP-Based Statistics
The IP-based statistics function configuration includes:
■ Enabling the IP-based statistics function
■ Enabling the IP-based connection count monitoring
■ Enabling the IP-based connection rate monitoring
Enabling/Disabling the IP-Based Statistics Function
Once the IP-based statistics function is enabled, the firewall collects statistics
on the outbound/inbound packets of the current zone by IP address (the source
address in the outbound direction, the destination address in the inbound
direction).
A packet is inbound when its destination address belongs to the local zone and its
source address belongs to another zone; a packet is outbound in the opposite case.
Perform the following configuration in security zone view.
By default, the IP-based statistics function is disabled.
CAUTION: Once the IP-based statistics function is disabled, the IP-based traffic
monitoring function will be invalid accordingly.
Enabling/Disabling the IP-Based Connection Count Monitoring Function
This command sets the maximum number of TCP and UDP connections permitted in the
outbound/inbound direction for a local IP address. With it you can restrict both
the number of connections initiated from the current zone and the number of
connections initiated from external networks to the current zone. Once the
connection count exceeds the configured threshold, the system denies subsequent
connection requests silently; no alarm is generated.
Perform the following configuration in security zone view.
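As an added illustration (not the firewall module's own code), the following Python model shows how the connection-count limit described above interacts with the keying rule and the caution about statistics: the limit is keyed by source address outbound and by destination address inbound, and a limit configured while IP-based statistics are disabled is not enforced. The rule that a request is denied when admitting it would exceed the limit, and all addresses used, are constructed assumptions.

```python
from collections import defaultdict


class IpConnectionLimiter:
    """Model (not the firewall module's code) of IP-based statistics with a
    per-IP TCP/UDP connection-count limit as the guide describes it.
    Keying rule from the guide: outbound traffic is counted by source address,
    inbound traffic by destination address.  Assumption: a request is denied
    when admitting it would push that IP's open-connection count above the limit."""

    def __init__(self):
        # statistics enable ip { in | out }: disabled by default, per the guide
        self.stats_enabled = {"in": False, "out": False}
        self.max_conns = {}             # (direction, proto) -> maximum connections
        self.open = defaultdict(int)    # (direction, proto, ip) -> open connections
        self.denied = 0                 # denials raise no alarm; we only count them

    def statistics_enable_ip(self, direction, enabled=True):
        self.stats_enabled[direction] = enabled

    def set_connection_limit(self, direction, proto, maximum):
        self.max_conns[(direction, proto)] = maximum

    def request(self, direction, proto, src, dst):
        """Return True if the new connection is admitted, False if silently denied."""
        key = (direction, proto, src if direction == "out" else dst)
        limit = self.max_conns.get((direction, proto))
        # CAUTION from the guide: the limit is inert while IP-based statistics
        # for that direction are disabled, because nothing is being counted.
        if self.stats_enabled[direction] and limit is not None and self.open[key] + 1 > limit:
            self.denied += 1
            return False
        self.open[key] += 1
        return True


def demo():
    """Constructed scenario: local host 10.0.0.5 opens outbound TCP connections
    to three servers while the outbound TCP limit per local IP is 2."""
    targets = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
    unmonitored = IpConnectionLimiter()          # limit set, statistics left disabled
    unmonitored.set_connection_limit("out", "tcp", 2)
    ignored = [unmonitored.request("out", "tcp", "10.0.0.5", t) for t in targets]
    monitored = IpConnectionLimiter()            # statistics enabled before the limit
    monitored.statistics_enable_ip("out")
    monitored.set_connection_limit("out", "tcp", 2)
    enforced = [monitored.request("out", "tcp", "10.0.0.5", t) for t in targets]
    return ignored, enforced, monitored.denied
```

Running demo() shows the third outbound request admitted when statistics are off and denied when they are on; a second local host keeps its own counter.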
Table 183 Enable/disable the zone-based connection rate monitoring function
Operation                                    Command
Enable the zone-based connection rate        statistics connect-speed { zone | ip } { inzone | outzone } { tcp | udp } { high high-limit low low-limit }
monitoring function
Disable the zone-based connection rate       undo statistics connect-speed { zone | ip } { inzone | outzone } { tcp | udp }
monitoring function
Table 184 Enable/disable the IP-based statistics function
Operation                                    Command
Enable the IP-based statistics function      statistics enable ip { in | out }
Disable the IP-based statistics function     undo statistics enable ip { in | out }