HP VPN Firewall Appliances Attack Protection Configuration Guide

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter VD system view.
   Command: switchto vd vd-name
   Remarks: Required for a non-default VD.

3. Enter security zone view.
   Command: zone name zone-name id zone-id
   Remarks: N/A

4. Enable traffic statistics for the security zone.
   Command: flow-statistics enable { destination-ip | inbound | outbound | source-ip }
   Remarks: Disabled by default.

Displaying and maintaining attack detection and protection

Task: Display the attack protection statistics of a security zone.
Command: display attack-defense statistics [ vd vd-name ] zone zone-name [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the configuration information about one or all attack protection policies.
Command: display attack-defense policy [ policy-number ] [ vd vd-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display information about blacklist entries.
Command: display blacklist { all | ip sour-address } [ vd vd-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the traffic statistics of a security zone.
Command: display flow-statistics statistics [ vd vd-name ] zone zone-name { inbound | outbound } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the security zone traffic statistics based on IP addresses.
Command: display flow-statistics statistics { destination-ip dest-ip-address | source-ip src-ip-address } [ vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display information about the IP addresses protected by the TCP proxy function.
Command: display tcp-proxy protected-ip [ vd vd-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Clear the attack protection statistics information about a security zone.
Command: reset attack-defense statistics [ vd vd-name ] zone zone-name
Remarks: Available in user view.

Attack protection functions on security zones configuration example
Network requirements
As shown in Figure 41, security zone Trust on Firewall is connected to the internal network, security zone
Untrust is connected to the external network, and security zone DMZ is connected to an internal server.
Protect internal hosts against Smurf attacks and scanning attacks from the external network. Protect the
internal server against SYN flood attacks from the external network. To meet the requirements, perform
the following configurations: