3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide

162 CHAPTER 10: ATTACK PREVENTION AND PACKET STATISTICS
By default, the IP-based connection count monitoring function is disabled. The
default upper threshold value of the IP-based TCP/UDP connections is 500,000,
and the lower threshold value is 450,000.
CAUTION:
The IP-based connection count monitoring function will not take effect unless
the corresponding IP-based statistics function is enabled.
If you want to count the IP-based connections that match an ACL rule, the ACL
rule can be applied in only one direction at a time.
Enabling/Disabling the IP-Based Connection Rate Monitoring Function
Using this command, you can configure the maximum rate of TCP and UDP
connections in the inbound or outbound direction of a local IP address. This
restricts not only the rate of connections initiated from the current zone but
also the rate of connections initiated from external networks to the current
zone. Once the connection rate exceeds the configured upper threshold, the
system denies subsequent connection requests without raising any alarm.
Perform the following configuration in security zone view.
By default, the IP-based connection rate restriction function is disabled. The
default upper threshold value of the IP-based TCP/UDP connections is 10,000, and
the lower threshold value is 1.
CAUTION: If you want to count the IP-based connections that match an ACL rule,
the ACL rule can be applied in only one direction at a time.
Table 185 Enable/disable the IP-based connection count monitoring function

Operation: Enable the IP-based connection count monitoring function
Command:   statistics connect-number ip { inbound | outbound } { tcp | udp } { high high-limit low low-limit } [ acl acl-number ]

Operation: Disable the IP-based connection count monitoring function
Command:   undo statistics connect-number ip { inbound | outbound } { tcp | udp } [ acl acl-number ]
Table 186 Enable/disable monitor of the IP-based connection rate

Operation: Enable monitor of the IP-based connection rate
Command:   statistics connect-speed ip { inzone | outzone } { tcp | udp } { high high-limit low low-limit } [ acl acl-number ]

Operation: Disable monitor of the IP-based connection rate
Command:   undo statistics connect-speed ip { inzone | outzone } { tcp | udp } [ acl acl-number ]
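The following Python model illustrates the behaviour of the two functions documented above (connection count monitoring with its high/low thresholds, and connection rate monitoring with its high/low thresholds) so that the effect of the limits can be reasoned about before they are deployed. It is an added example, not 3Com firmware code. It assumes, because the page does not spell this out, that once the monitored value exceeds the upper threshold new connections are silently denied until the value falls back to the lower threshold (a high/low watermark), and that the rate is counted as new connections per one-second window; the ACL is modelled as a hypothetical predicate over the local IP address, and the `IpLimiter`, `ConnectionMonitor` and `simulate` names are this example's own.

```python
"""Per-IP connection count / rate thresholds with high/low hysteresis.

Added illustration of the behaviour described on this page; not 3Com
firmware code. Assumed (the page does not state it): once the upper
threshold (high) is exceeded, new connections are denied without alarm until
the monitored value falls to the lower threshold (low); the rate is measured
as new connections per one-second window.
"""
import math
from typing import Callable, Dict, List, Optional, Tuple


class Threshold:
    """High/low watermark: restrict above `high`, release at or below `low`."""

    def __init__(self, high: int, low: int) -> None:
        if low > high:
            raise ValueError("low threshold must not exceed high threshold")
        self.high, self.low = high, low
        self.restricting = False

    def update(self, value: int) -> bool:
        """Feed the current value; return True while restriction is active."""
        if not self.restricting and value > self.high:
            self.restricting = True
        elif self.restricting and value <= self.low:
            self.restricting = False
        return self.restricting


class IpLimiter:
    """State for one local IP address in one direction and protocol."""

    def __init__(self, count_high: int, count_low: int,
                 rate_high: int, rate_low: int) -> None:
        self.count = Threshold(count_high, count_low)   # connect-number
        self.rate = Threshold(rate_high, rate_low)      # connect-speed
        self.active = 0        # currently open connections
        self.window = -1       # start second of the current rate window
        self.in_window = 0     # connections admitted in that window
        self.denied = 0        # counter a defender would graph or alert on

    def open(self, now: float) -> bool:
        """Try to open a connection at time `now`; return True if admitted."""
        sec = math.floor(now)
        if sec != self.window:
            self.window, self.in_window = sec, 0
        # Evaluate the value the monitors would see if this one were admitted.
        rate_deny = self.rate.update(self.in_window + 1)
        count_deny = self.count.update(self.active + 1)
        if rate_deny or count_deny:
            self.denied += 1   # denied silently, as the page describes
            return False
        self.in_window += 1
        self.active += 1
        return True

    def close(self) -> None:
        """A connection closed; the count may now drop back to `low`."""
        self.active = max(0, self.active - 1)
        self.count.update(self.active)


class ConnectionMonitor:
    """Per-(ip, direction, protocol) limiters, optionally scoped by an ACL."""

    def __init__(self, count_high: int, count_low: int,
                 rate_high: int, rate_low: int,
                 acl: Optional[Callable[[str], bool]] = None) -> None:
        self.params = (count_high, count_low, rate_high, rate_low)
        self.acl = acl or (lambda ip: True)   # hypothetical ACL predicate
        self.limiters: Dict[Tuple[str, str, str], IpLimiter] = {}

    def _limiter(self, ip: str, direction: str, proto: str) -> IpLimiter:
        key = (ip, direction, proto)
        if key not in self.limiters:
            self.limiters[key] = IpLimiter(*self.params)
        return self.limiters[key]

    def open(self, ip: str, direction: str, proto: str, now: float) -> bool:
        if not self.acl(ip):
            return True        # outside the ACL: not monitored, always admitted
        return self._limiter(ip, direction, proto).open(now)

    def close(self, ip: str, direction: str, proto: str) -> None:
        self._limiter(ip, direction, proto).close()


# Default thresholds as stated on this page.
DEFAULT_PARAMS = dict(count_high=500_000, count_low=450_000,
                      rate_high=10_000, rate_low=1)


def simulate(events, **params) -> List[bool]:
    """Replay ('open', ip, t) / ('close', ip) events; return each open's result."""
    mon = ConnectionMonitor(**(params or DEFAULT_PARAMS))
    results = []
    for ev in events:
        if ev[0] == "open":
            results.append(mon.open(ev[1], "inbound", "tcp", ev[2]))
        else:
            mon.close(ev[1], "inbound", "tcp")
    return results
```

With small constructed thresholds (count high 3 / low 1, rate high 2 / low 1) the model shows why a low threshold well below the high one matters: after the count limit trips, connections stay denied until enough existing ones close to reach the low watermark, rather than flapping at the high limit.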