HP VPN Firewall Appliances Attack Protection Configuration Guide
18
1. From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection.
The scanning detection configuration page appears.
Figure 17 Scanning detection configuration page
2. Configure the scanning detection rule for the security zone, as described in Table 8.
3. Click Apply.
Table 8 Configuration items
Item Descri
p
tion
Security Zone
Select a security zone to perform scanning detection configuration for it.
Enable Scanning Detection Select this option to enable scanning detection for the security zone.
Scanning Threshold Set the maximum connection rate for a source IP address.
Add a source IP to the
blacklist
Select this option to allow the system to blacklist a suspicious source IP address.
If this option is selected, you can then set the lifetime of the blacklisted source IP
addresses.
IMPORTANT:
Only when the blacklist feature is enabled, can the scanning detection function
blacklist a suspect and discard subsequent packets from the suspect.
Lifetime Set the lifetime of the blacklist entry.
Traffic abnormality detection configuration example
Network requirements
As shown in Figure 18, the internal network is the trusted zone, the subnet where the internal servers are
located is the DMZ, and the external network is the untrusted zone.
Configure the firewall to perform the following operations:
• Protect the internal network against scanning attacks from the external network.
• Limit the number of connections initiated by each internal host.
• Limit the number of connections to the internal server.
• Protect the internal server against SYN flood attacks from the external network.