HP VPN Firewall Appliances Attack Protection Configuration Guide
35
Ste
p
Command
Remarks
2. Enter VD system view.
switchto vd vd-name Required for a non-default VD.
3. Create an attack protection
policy and enter attack
protection policy view.
attack-defense policy
policy-number [ zone zone-name ]
By default, no attack protection
policy is created.
Enabling attack protection logging
After the attack protection policy is created, you can enable attack protection logging to record
single-packet attacks, scanning attacks, and flood attacks for adjusting network management strategies.
To enable attack protection logging:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable attack
protection logging.
attack-defense
logging enable
Optional.
By default, attack protection logging is disabled.
Configuring an attack protection policy
In an attack protection policy, you can specify the signatures for attack detection and the corresponding
protection measures according to the security requirements of your network.
Different types of attack protection policies have different configurations, which are described below in
terms of single-packet attacks, scanning attacks, and flood attacks.
Configuring a single-packet attack protection policy
The single-packet attack protection function determines whether a packet is an attack packet mainly by
analyzing the characteristics of the packet. It is typically applied to security zones connecting external
networks, and inspects only the inbound packets of the security zones. If detecting an attack packet, the
device outputs an alarm log by default and, depending on your configuration, drop or forward the
packet.
To configure a policy for preventing single-packet attacks:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter VD system view.
switchto vd vd-name Required for a non-default VD.
3. Enter attack protection policy
view.
attack-defense policy
policy-number
N/A
4. Enable signature detection for
single-packet attacks.
signature-detect { fraggle |
icmp-redirect | icmp-unreachable
| land | large-icmp |
route-record | smurf |
source-route | tcp-flag | tracert |
winnuke } enable
By default, signature detection is
disabled for all kinds of
single-packet attacks.