HP VPN Firewall Appliances Attack Protection Configuration Guide
Figure 24 Configuring a SYN flood attack detection rule for the server
Verifying the configuration
• After a scanning attack packet is received from zone Untrust, the firewall outputs alarm logs and
adds the IP address of the attacker to the blacklist. You can select Intrusion Detection > Blacklist
from the navigation tree to view whether the attacker's IP address is on the blacklist.
• If a host in zone Trust initiates 100 or more connections, the firewall outputs alarm logs and discards
subsequent connection request packets from the host. You can select Intrusion Detection > Statistics
from the navigation tree to view how many times the connection limit per source IP address has
been exceeded and the number of packets dropped.
• If the number of connections to the server in the DMZ reaches or exceeds 10000, the firewall
outputs alarm logs and discards subsequent connection request packets. You can select Intrusion
Detection > Statistics from the navigation tree to view how many times the connection limit per
destination IP address has been exceeded and the number of packets dropped.
• If a SYN flood attack is initiated to the DMZ, the firewall outputs alarm logs and discards the attack
packets. You can select Intrusion Detection > Statistics from the navigation tree to view the number
of SYN flood attacks and the number of packets dropped.
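The per-source and per-destination connection limits verified above can be modeled as follows. This is an added example, not HP firmware code or output: the class and function names, the sample addresses, and the way alarms and drops are counted are assumptions based on the wording of the bullets (the request that reaches the limit is admitted, later ones are discarded). Connection teardown is not modeled.

```python
# Added illustration of the connection-limit behaviour described in the bullets.
# Thresholds come from the page; all names and the counting rules are assumptions.
from collections import Counter

SRC_LIMIT = 100      # connections per source IP (host in zone Trust)
DST_LIMIT = 10000    # connections per destination IP (server in the DMZ)


class ConnectionLimiter:
    def __init__(self, src_limit=SRC_LIMIT, dst_limit=DST_LIMIT):
        self.src_limit, self.dst_limit = src_limit, dst_limit
        self.by_src, self.by_dst = Counter(), Counter()
        self.limit_hits = Counter()   # times a limit was reached, per kind
        self.dropped = 0              # connection requests discarded
        self.alarms = []              # (kind, ip) alarm records

    def request(self, src, dst):
        """Return True if the connection request is admitted, False if discarded."""
        # A counter already at its limit means this is a "subsequent" request.
        if self.by_src[src] >= self.src_limit or self.by_dst[dst] >= self.dst_limit:
            self.dropped += 1
            return False
        self.by_src[src] += 1
        self.by_dst[dst] += 1
        # The request that reaches a limit is admitted and raises the alarm.
        if self.by_src[src] == self.src_limit:
            self._alarm("source", src)
        if self.by_dst[dst] == self.dst_limit:
            self._alarm("destination", dst)
        return True

    def _alarm(self, kind, ip):
        self.limit_hits[kind] += 1
        self.alarms.append((kind, ip))


def run_sample():
    """Constructed traffic: one Trust host sends 105 requests to one DMZ server."""
    fw = ConnectionLimiter()
    results = [fw.request("192.0.2.10", "198.51.100.5") for _ in range(105)]
    return fw, results


if __name__ == "__main__":
    fw, results = run_sample()
    print("admitted:", results.count(True), "dropped:", fw.dropped, "alarms:", fw.alarms)
```
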
Configuring TCP proxy
Recommended configuration procedure
Task                                          Remarks
1. Performing global TCP proxy setting        Optional. By default, bidirectional proxy is used.
2. Enabling TCP Proxy for a security zone     Required. By default, the TCP proxy feature is disabled globally.
TIP:
The TCP proxy feature takes effect only for the incoming traffic of the
security zone.