HP VPN Firewall Appliances Attack Protection Command Reference
Usage guidelines
When signature detection of large ICMP attacks is enabled, the device treats every ICMP packet longer
than the specified maximum length as a large ICMP attack packet.
This command takes effect only when signature detection of large ICMP attacks is enabled.
Examples
# Enable signature detection of large ICMP attacks, set the ICMP packet length threshold that triggers
large ICMP attack protection to 5000 bytes, and configure the device to drop ICMP packets longer than
the specified maximum length.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] signature-detect large-icmp enable
[Sysname-attack-defense-policy-1] signature-detect large-icmp max-length 5000
[Sysname-attack-defense-policy-1] signature-detect action drop-packet
Related commands
• display attack-defense policy
• signature-detect large-icmp enable
tcp-proxy enable
Use tcp-proxy enable to enable TCP proxy for a security zone.
Use undo tcp-proxy enable to disable the TCP proxy function on an interface.
Syntax
tcp-proxy enable
undo tcp-proxy enable
Default
TCP proxy is disabled for a security zone.
Views
Security zone view
Default command level
2: System view
Usage guidelines
Typically, the TCP proxy function is used in a device's security zone connected to external networks to
protect internal servers from SYN flood attacks. When detecting a SYN flood attack, the device can take
protection actions configured by using the defense syn-flood action command. If the trigger-tcp-proxy
keyword is specified for the defense syn-flood action command, the device adds a protected IP address
entry for the server and starts TCP proxy in the specified mode to inspect and process subsequent TCP
connection requests to the server.
The TCP proxy function can act on a detected SYN flood attack only if it is enabled.
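The following is an added example, not part of the HP reference: a Python audit of the two dependencies stated in the usage guidelines above (a large-icmp max-length setting needs signature-detect large-icmp enable, and trigger-tcp-proxy needs tcp-proxy enable). The configuration text is constructed, and its stanza layout, the zone name header, and the "at least one zone" rule are assumptions.

```python
import re

# Constructed sample in the style of a saved configuration. The indented
# stanza layout and the "zone name" header are assumptions, not from the page.
SAMPLE_CONFIG = """\
attack-defense policy 1
 signature-detect large-icmp max-length 5000
 signature-detect action drop-packet
 defense syn-flood action trigger-tcp-proxy
#
zone name untrust
#
zone name trust
"""

def parse_stanzas(text):
    """Group indented lines under the unindented header that precedes them."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None                      # separator ends the stanza
        elif raw[0] != " ":
            current = raw.strip()
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(raw.strip())
    return stanzas

def audit(text):
    """Return findings for the two dependencies the usage guidelines state."""
    stanzas = parse_stanzas(text)
    findings = []
    policies = {h: b for h, b in stanzas.items() if h.startswith("attack-defense policy ")}
    zones = {h: b for h, b in stanzas.items() if h.startswith("zone name ")}
    for header, body in policies.items():
        has_max = any(re.match(r"signature-detect large-icmp max-length \d+$", l) for l in body)
        if has_max and "signature-detect large-icmp enable" not in body:
            findings.append(f"{header}: large-icmp max-length set but detection not enabled")
    wants_proxy = [h for h, b in policies.items()
                   if any(l.startswith("defense syn-flood action") and "trigger-tcp-proxy" in l.split() for l in b)]
    # Exact match, so "undo tcp-proxy enable" does not count as enabled.
    if wants_proxy and not any("tcp-proxy enable" in b for b in zones.values()):
        findings.append(f"{', '.join(wants_proxy)}: trigger-tcp-proxy set but no zone has tcp-proxy enable")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports both gaps; a configuration that enables large-icmp detection and tcp-proxy in the untrust zone returns an empty list.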
Examples
# Enable TCP proxy in security zone untrust.
<Sysname> system-view