HP VPN Firewall Appliances Attack Protection Configuration Guide
Step 3. Enter VD system view.
    Command: switchto vd vd-name
    Remarks: Required for a non-default VD.

Step 4. Configure an IP address protected by TCP proxy.
    Command: tcp-proxy protected-ip destination-ip-address [ port-number | port any ]
    Remarks: Optional. By default, no IP address is protected by TCP proxy.

Step 5. Enter security zone view.
    Command: zone name zone-name id zone-id
    Remarks: N/A

Step 6. Enable the TCP proxy function for the security zone.
    Command: tcp-proxy enable
    Remarks: By default, TCP proxy is disabled for a security zone.
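The following is an added worked example of steps 3 through 6 above; it is not taken from the guide. It protects a web server on port 80 and a second host on all ports, then turns TCP proxy on for the zone that fronts them. Steps 1 and 2 of the procedure are not on this page and are omitted; the device name Sysname, the addresses 10.1.1.10 and 10.1.1.11, the zone name DMZ with ID 3, and the exact prompt strings are assumptions for illustration.

```text
<Sysname> system-view
[Sysname] tcp-proxy protected-ip 10.1.1.10 80
[Sysname] tcp-proxy protected-ip 10.1.1.11 port any
[Sysname] zone name DMZ id 3
[Sysname-zone-DMZ] tcp-proxy enable
```

Both parts are needed: the protected-ip entries in VD system view tell the proxy which destinations to protect, and tcp-proxy enable in zone view turns the proxy on for traffic in that zone. Protecting a destination with port any is broader than a single port and applies the proxy to every TCP service on that host, so scope it to the ports you actually expose where you can.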
Configuring the blacklist function
The blacklist function lets the device filter packets from specific source IP addresses.
The blacklist configuration consists of enabling the blacklist function and adding blacklist entries. When
adding a blacklist entry, you can also configure an aging time for the entry. If you do not configure an aging
time, the entry never ages out and remains in effect until you delete it manually.
To configure the blacklist function:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter VD system view.
    Command: switchto vd vd-name
    Remarks: Required for a non-default VD.

Step 3. Enable the blacklist function.
    Command: blacklist enable
    Remarks: Disabled by default.

Step 4. Add a blacklist entry.
    Command: blacklist ip source-ip-address [ timeout minutes ]
    Remarks: Optional. The scanning attack protection function can add blacklist entries automatically.
You can add blacklist entries manually, or configure the device to automatically add the IP addresses of
detected scanning attackers to the blacklist. For the latter, enable the blacklist function on the device,
enable the scanning attack protection function, and enable the blacklist function for scanning attack
protection. Blacklist entries added by the scanning attack protection function age out after a configurable
aging time. For the configuration of scanning attack protection, see "Configuring a scanning attack
protection policy."
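The following is an added worked example of the blacklist procedure on the default VD (so step 2 is skipped); it is not taken from the guide. It adds one entry that ages out after 60 minutes and one permanent entry with no timeout. The device name Sysname and the addresses 192.0.2.100 and 198.51.100.20 are assumptions for illustration. The commands for enabling scanning attack protection and its automatic blacklisting belong to the referenced section and are not shown here.

```text
<Sysname> system-view
[Sysname] blacklist enable
[Sysname] blacklist ip 192.0.2.100 timeout 60
[Sysname] blacklist ip 198.51.100.20
```

The first entry is removed automatically after 60 minutes; the second never ages out and stays in effect until it is deleted manually. Because a permanent entry keeps blocking an address long after an attacker may have moved on, and can later block a legitimate user who is assigned a dynamic address, prefer a timeout unless the address is known to be static and hostile. Note also that blacklist entries alone do nothing until blacklist enable has been issued.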
Enabling traffic statistics for a security zone
To collect traffic statistics on a security zone, you need to enable the traffic statistics function on the
security zone. The device supports traffic statistics in the following modes:
• By direction (inbound or outbound) of a security zone—Collect statistics on packets that enter or
leave a security zone.
• By source or destination IP address—Collect statistics on packets sent to a security zone, grouped by
source IP address, or on packets sent from a security zone, grouped by destination IP address.
To enable traffic statistics on a security zone: