05-Attack Protection Configuration Guide-Book

H3C SecPath Series Firewalls and UTM Devices
Attack Protection Configuration Guide
Hangzhou H3C Technologies Co., Ltd.

http://www.h3c.com
Software version: F100 series:
F1000-A-EI:
F1000-E-SI:
F1000-S-AI:
F5000-A5:
F5000-S/F5000-C:
F1000-E:
F1000-S-EI:
Firewall card:
Enhanced firewall card:
U200-A/M/CA:
U200-S/CM/CS:
Document version: 6PW100-20121210
ESS 5132
Feature 3722
Feature 3722
Feature 3722
Feature 3211
A3801
Feature 3174
Demo 5132P01
Feature 3174
ESS 3807
ESS 5132
ESS 5132
Copyright 2012, Hangzhou H3C Technologies Co., Ltd. and its licensors
All rights reserved

No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
, IRF, NetPilot, Netflow,
H3C,
, H3CS, H3CIE, H3CNE, Aolynk,
, H3Care,
SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of
Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C SecPath Series Firewalls and UTM Devices documentation set includes 10 configuration guides,
which describe the software features for the H3C SecPath Series Firewalls and UTM Devices and guide
you through the software configuration procedures. These configuration guides also provide
configuration examples to help you apply software features to different network scenarios.
The Attack Protection Configuration Guide describes how to configure attack detection and protection,
ARP attack protection, TCP attack protection, ND attack protection, firewall, content filtering, URPF, IDS
collaboration, and advanced security protection.
This preface includes:
Audience
Conventions
Obtaining documentation
Technical support
Documentation feedback
Audience
This documentation is intended for:
Network planners
Field technical support and servicing engineers
Network administrators working with the H3C SecPath Series Firewalls and UTM Devices
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention
Description
Boldface
Bold text represents commands and keywords that you enter literally as shown.
Italic
Italic text represents arguments that you replace with actual values.
[]
Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars, from which
you select one.
[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical bars, from
which you select one or none.
{ x | y | ... } *
Asterisk marked braces enclose a set of required syntax choices separated by vertical
bars, from which you select at least one.
[ x | y | ... ] *
Asterisk marked square brackets enclose optional syntax choices separated by vertical
bars, from which you select one choice, multiple choices, or none.
Convention
Description
&<1-n>
The argument or keyword and argument combination before the ampersand (&) sign can
be entered 1 to n times.
A line that starts with a pound (#) sign is comments.
GUI conventions
Convention
Description
Boldface
Window names, button names, field names, and menu items are in Boldface. For
example, the New User window appears; click OK.
>
Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Convention
Description
Symbols
WARNING
An alert that calls attention to important information that if not understood or followed can
result in personal injury.
CAUTION
An alert that calls attention to important information that if not understood or followed can
result in data loss, data corruption, or damage to hardware or software.
IMPORTANT
An alert that calls attention to essential information.

An alert that contains additional or supplementary information.
NOTE
TIP
An alert that provides helpful information.
Network topology icons

Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.
Represents a firewall
Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] Provides the documentation released with the
software version.
Technical support
service@h3c.com
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Contents
Configuring attack detection and protection 1
Overview 1
Types of network attacks the device can defend against 1
Connection limit 3
Blacklist function 3
Traffic statistics function 4
TCP proxy 4
Intrusion detection statistics 6
Configuring attack detection and protection in the Web interface 7
Configuring packet inspection 7
Packet inspection configuration example 8
Configuring traffic abnormality detection 9
Traffic abnormality detection configuration example 18
Configuring TCP proxy 22
TCP proxy configuration example 25
Configuring blacklist 27
Blacklist configuration example 29
Displaying intrusion detection statistics 32
Configuring the attack detection and protection at the CLI 34
Attack detection and protection configuration task list 34
Creating an attack protection policy 35
Enabling attack protection logging 35
Configuring an attack protection policy 35
Applying an attack protection policy to a security zone 39
Configuring TCP proxy 40
Configuring the blacklist function 40
Displaying and maintaining attack detection and protection 41
Attack protection functions on security zones configuration example 42
Blacklist configuration example 44
Traffic statistics configuration example 45
TCP proxy configuration example 47
Configuring ARP attack protection 49
Overview 49
ARP attack protection configuration task list 49
Configuring unresolvable IP attack protection 50
Configuring ARP source suppression 50
Enabling ARP black hole routing 50
Displaying and maintaining ARP source suppression 51
Unresolvable IP attack protection configuration example 51
Configuring source MAC based ARP attack detection 52
Displaying and maintaining source MAC based ARP attack detection 53
Source MAC based ARP attack detection configuration example 53
Configuring ARP packet source MAC consistency check 54
Configuring ARP active acknowledgement 55
Configuring periodic sending of gratuitous ARP packets 56
Configuration restrictions and guidelines 57
Configuring periodic sending of gratuitous ARP packets 57
Configuring ARP detection 58
i
Configuring user validity check 58

Configuring ARP packet validity check 59
Configuring ARP restricted forwarding 59
Displaying and maintaining ARP detection 60
Configuring ARP automatic scanning and fixed ARP 60
Configuring the ARP automatic scanning and fixed ARP in the Web interface 60
Configuring the ARP automatic scanning and fixed ARP at the CLI 63
Configuring TCP attack protection 64

Overview 64
Enabling the SYN Cookie feature 64
Enabling protection against Naptha attacks 65
Displaying and maintaining TCP attack protection 65
Configuring ND attack defense 66
Feature and hardware compatibility 66
Overview 66
Enabling source MAC consistency check for ND packets 67
Configuring firewall 68
Overview 68
ACL based packet filter 68
ASPF 69
Configuring an IPv6 packet-filter firewall 71
IPv6 packet-filter firewall configuration task list 71
Enabling the IPv6 firewall function 71
Configuring the default filtering action of the IPv6 firewall 71
Configuring packet filtering on an interface 72
Configuring an ASPF 73
ASPF configuration task list 73
Configuring port mapping 73
Enabling ASPF for an interzone instance 73
Displaying ASPF 74
ASPF configuration example 74
Configuring content filtering 76
Overview 76
HTTP packet content filtering 76
SMTP packet content filtering 77
POP3 packet content filtering 77
FTP packet content filtering 77
Telnet packet content filtering 78
Configuration guidelines 78
Configuring content filtering in the Web interface 79
Recommended configuration procedure 79
Configuring a keyword filtering policy 79
Configuring a content filtering policy 86
Configuring a content filtering policy template 93
Displaying content filtering statistics 95
Content filtering configuration example 95
Configuring content filtering at the CLI 106
Content filtering configuration task list 106
Displaying and maintaining content filtering 115
Interzone content filtering configuration example 115
Configuring URPF 119
Overview 119
ii
URPF check modes 119

URPF features 119
URPF work flow 120
Network application 121
Configuring the URPF in the Web interface 122
URPF configuration example 122
Configuring the URPF at the CLI 125
URPF configuration example 125
Configuring IDS collaboration 127

IDS collaboration overview 127
Enabling IDS collaboration 128
Configuring advanced security protection 129
Time tables 129
Creating a time table 130
Licenses 130
Viewing license information 131
Importing a license 131
Exporting a license 131
Signature upgrade 131
Upgrading the signature database 132
IPS 133
Configuring IPS log output parameters 133
Creating an IPS policy 134
Applying an IPS policy 135
Antivirus 137
Configuring antivirus log output parameters 137
Creating an antivirus policy 138
Applying an antivirus policy 139
Content monitoring 141
Configuring the content monitoring log output parameter 141
Creating a content monitoring policy 142
Applying a content monitoring policy 144
Bandwidth management 146
Configuring a protocol 147
Configuring a service 149
Configuring bandwidth management log output parameters 152
Creating a bandwidth management policy 152
Applying a bandwidth management policy 155
Protocol audit 156
Configuring protocol audit log output parameters 157
Creating a protocol audit policy 157
Applying a protocol audit policy 158
iii
Advanced security prevention configuration example 160
Index 172
iv
Configuring attack detection and protection

Overview
Attack detection and protection is an important network security feature. It determines whether received
packets are attack packets according to the packet contents and behaviors and, if detecting an attack,
take measures to deal with the attack, such as recording alarm logs, dropping packets, and blacklisting
the source IP address.
The attack protection function can detect three types of network attacks: single-packet attacks, scanning
attacks, and flood attacks. In addition, this function also supports traffic statistics for session analysis on
security zones.
Types of network attacks the device can defend against

The device can defend against three types of network attacks: single-packet attacks, scanning attacks,
and flood attacks, according to the attack characteristics.
Single-packet attack
Single-packet attack is also called malformed packet attack because many single-packet attacks use
defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags.
A single-packet attack occurs when:
An attacker sends defective IP packets to a target, causing the target system to malfunction or crash.
An attacker sends large quantities of junk packets to the network, using up the network bandwidth.
Table 1 lists the single-packet attacks that can be prevented by the device.
Table 1 Types of single-packet attacks
Description
Fraggle
An attacker sends large amounts of UDP echo requests with the UDP port number
being 7 or Chargen packets with the UDP port number being 19, resulting in a large
quantity of junk replies and eventually exhausting the bandwidth of the target
network.
ICMP Redirect
An attacker sends ICMP redirect messages to a user host to modify the host's routing
table, interfering with the normal forwarding of IP packets.
ICMP Unreachable
Upon receiving an ICMP unreachable response, some systems conclude that the
destination is unreachable and drop all subsequent packets destined for the
destination. By sending ICMP unreachable packets, an attacker can cut off the
connection between the target host and the network.
Land
An attacker sends a great number of TCP SYN packets using the target IP address as
both the source and destination IP addresses, exhausting the half-open connection
resources of the target and thereby making the target unable to provide services
normally.
Large ICMP
For some hosts and devices, large ICMP packets cause memory allocation error and
thus crash down the protocol stack. A large ICMP attacker sends large ICMP packets
to a target to make it crash down.
1
Description
Route Record
An attacker exploits the route record option in the IP header to probe the topology of
a network.
Smurf
An attacker sends an ICMP echo request to the broadcast address or the network
address of the target network. As a result, all hosts on the target network reply to the
request, causing the network congested and hosts on the target network unable to
provide services.
Source Route
An attacker exploits the source route option in the IP header to probe the topology of
a network.
TCP Flag
Some TCP flags are processed differently on different operating systems. A TCP flag
attacker sends TCP packets with such TCP flags to a target host to probe its operating
system. If the operating system cannot process such packets properly, the attacker
successfully makes the host crash down.
An attacker exploits the Tracert program to probe the network topology.
Tracert
WinNuke
The Tracert program sends batches of UDP packets with a large destination port
number and an increasing TTL (starting from 1). The TTL of a packet is decreased by
1 when the packet passes each router. Upon receiving a packet with a TTL of 0, a
router must send an ICMP time exceeded message back to the source IP address of the
packet. The Tracert program uses these returning packets to figure out the hosts that
the packets have traversed from the source to the destination.
An attacker sends Out-of-Band (OOB) data with the pointer field values overlapped to
the NetBIOS port (139) of a Windows system with an established connection to
introduce a NetBIOS fragment overlap, causing the system to crash.
Scanning attack
An attacker uses some scanning tools to scan host addresses and ports in a network, so as to find
possible targets and the services enabled on the targets and figure out the network topology, preparing
for further attacks to the target hosts.
Scanning detection detects scanning attempts by tracking the rates at which connections are initiated to
protected systems. Usually, it is deployed on the device for the external security zone and takes effect for
packets from the security zone.
If detecting that a connection rate of an IP address has reached or exceeded the threshold, the device
outputs an attack alarm log, blocks the subsequent connection requests from the IP address, and
blacklists the IP address, depending on your configuration.
Flood attack
An attacker sends a large number of forged requests to the targets in a short time, so that the target
systems are too busy to provide services for legal users, resulting in denial of services.
The device can effectively defend against the following types of flood attacks:
SYN flood attack

Because of the limited resources, the TCP/IP stack permits only a limited number of TCP
connections. An attacker sends a great quantity of SYN packets to a target server, using a forged
address as the source address. After receiving the SYN packets, the server replies with SYN ACK
packets. As the destination address of the SYN ACK packets is unreachable, the server can never
receive the expected ACK packets, and thus have to maintain large amounts of half-open
connections. In this way, the attacker exhausts the system resources of the server, making the
server unable to service normal clients.
2
ICMP flood attack

An attacker sends a large number of ICMP requests to the target in a short time by, for example,
using the ping program, causing the target too busy to process normal services.
UDP flood attack

An attacker sends a large number of UDP packets to the target in a short time, making the target
too busy to process normal services.
DNS flood attack

An attacker sends a large number of DNS request packets to the target in a short time, making the
target too busy to process normal services.
Flood detection mainly protects servers against flood attacks. It detects flood attacks by tracking the
connection rates at which certain types of connection establishment requests are initiated to a server.
Usually, flood detection is deployed on the device for an internal security zone, and takes effect for
packets entering the security zone when an attack detection policy is configured for the security zone.
After you configure flood detection for a device, the device enters the attack detection state, and starts to
track the sending rates of packets destined for certain servers. If the sending rate of a certain type of
packets destined for a server constantly reaches or exceeds the protection action threshold, the device
considers the server is under attack, transitions to the attack protection state, logs the event, and takes
attack protection actions as configured. Later, if the sending rate drops below the silent threshold, the
device considers the attack is over, returns to the attack detection state, and stops the attack protection
actions.
Connection limit
When an internal user initiates a large number of connections to a host on the external network in a short
period of time, system resources on the device are used up soon. This will make the device unable to
service other users. In addition, if an internal server receives large number of connection requests in a
short period of time, the server is not able to process normal connection requests from other hosts.
To protect internal network resources (including hosts and servers) and distribute resources of the device
reasonably, you can set connection limits based on source or destination IP addresses for security zones.
When a limit based on source or destination IP address is reached or exceeded, the device will output
an alarm log and discard subsequent connection requests from or to the IP address.
Blacklist function
The blacklist function is an attack protection measure that filters packets by source IP address. Compared
with ACL packet filtering, blacklist filtering is simpler in matching packets and therefore can filter packets
at a high speed. Blacklist filtering is very effective in filtering packets from certain IP addresses.
Working in conjunction with the scanning attack protection function or the user login authentication
function, the device can add blacklist entries automatically and can age such blacklist entries. More
specifically:
When the device detects a scanning attack from an IP address according to the packet behavior, it
adds the IP address to the blacklist. Thus, packets from the IP address are filtered.
When the device detects that an FTP, Telnet, SSH, SSL, or web user has failed to provide the correct
username, password, or verification code (for a web login user) after the maximum number of
attempts, it considers the user an attacker, adds the IP address of the user to the blacklist, and filters
subsequent login requests from the user. This mechanism can effectively prevent attackers from
cracking login passwords through repeated login attempts. The maximum number of login failures
is six, the blacklist entry aging time is 10 minutes, and they are not configurable.
The device also allows you to add and delete blacklist entries manually. Blacklist entries added manually
can be permanent blacklist entries or non-permanent blacklist entries. A permanent entry always exists in
the blacklist unless you delete it manually. You can configure the aging time of a non-permanent entry.
After the timer expires, the device automatically deletes the blacklist entry, allowing packets from the
corresponding IP address to pass.
Traffic statistics function

The traffic statistics function collects statistics on sessions between the internal network and external
network almost in real time. You can custom attack protection policies based on the statistics. For
example, by analyzing whether the total number of TCP or UDP session requests initiated from the
external network to the internal network exceeds the threshold, you can determine whether to limit new
sessions in the direction, or limit new sessions to a specific internal IP address.
The device supports collecting statistics on the following items:
Total number of sessions
Session establishment rate
Number of TCP sessions
Number of half-open TCP sessions
Number of half-close TCP sessions
TCP session establishment rate
Number of UDP sessions
UDP session establishment rate
Number of ICMP sessions
ICMP session establishment rate
Number of RAW IP sessions
RAW IP session establishment rate
The device collects statistics to calculate the session establishment rates at an interval of 5 seconds.
Therefore, the session establishment rates displayed on the device are based on the statistics collected
during the latest 5-second interval.
The traffic statistics function does not concern about the session status (except the TCP half-open and
half-close states). As long as a session is established, the count increases by 1. As long as a session is
deleted, the count decreases by 1.
TCP proxy
The TCP proxy function can protect servers from SYN flood attacks. A device enabled with the TCP proxy
function can function as a TCP proxy between TCP clients and servers. Upon detecting a SYN flood
attack, the device can add a protected IP address entry for the attacked server and use the TCP proxy
function to inspect and process all subsequent TCP requests destined to the server.
TCP proxy can operate in two modes:
Unidirectional proxyProcesses only packets from TCP clients.
Bidirectional proxyProcesses packets from both TCP clients and TCP servers.
4
You can choose a proper mode according to your network scenario. For example, if packets from TCP
clients to a server go through the TCP proxy but packets from the server to clients do not, as shown
in Figure 1, configure unidirectional proxy.
Figure 1 Network diagram for unidirectional proxy
If all packets between TCP clients and a server go through the TCP proxy, as shown in Figure 2, you can
configure unidirectional proxy or bidirectional proxy as desired.
Figure 2 Network diagram for unidirectional/bidirectional proxy
Unidirectional proxy
Figure 3 Data exchange process in unidirectional proxy mode

TCP client
TCP proxy
TCP server
1) SYN
2) SYN ACK (invalid sequence
number)
3) RST
4) SYN (retransmitting)
5) SYN (forwarding)
6) SYN ACK
7) ACK
8) ACK (forwarding)
When the TCP proxy receives a SYN message sent from a client to a protected server, it sends back a
SYN ACK message that uses a wrong sequence number on behalf of the server. The client, if legitimate,
responds with an RST message. If the TCP proxy receives an RST message from the client, it considers the
client legitimate, and forwards SYN messages that the client sends to the server during a period of time
so that the client can establish a TCP connection to the server. After the TCP connection is established, the
TCP proxy forwards the subsequent packets of the connection without any processing.
Unidirectional proxy mode can satisfy the requirements of most environments. Generally, servers do not
initiate attacks to clients, and packets from servers to clients do not need to be inspected by the TCP proxy.
In this case, you can configure a TCP proxy to inspect only packets that clients send to servers. To filter
packets destined to clients, you can deploy a firewall as required.
The unidirectional proxy mode requires that the clients use the standard TCP protocol suite. Legitimate
clients that use non-standard TCP protocol suites may be considered illegitimate by the TCP proxy. In
addition, when the TCP proxy function works, a client takes more time to establish a TCP connection to
a server because the client must send an RST message to the server to reinitiate a TCP connection request.
Bidirectional proxy
Figure 4 Data exchange process in bidirectional proxy mode
After receiving a SYN message from a client to a protected server, the TCP proxy sends back a SYN ACK
message with the window size of 0 on behalf of the server. If the client is legitimate, the TCP proxy
receives an ACK message. Upon receiving an ACK message from the client, the TCP proxy sets up a
connection between itself and the server through a three-way handshake on behalf of the client. Thus,
two TCP connections are established, and the two connections use different sequence numbers.
In bidirectional proxy mode, the TCP proxy plays two roles: a virtual server that communicates with
clients and a virtual client that communicates with servers. To use this mode, you must deploy the TCP
proxy on the key path that passes through the ingress and egress of the protected servers, and make sure
all packets that the clients send to the server and all packets that the servers send to the clients pass
through the TCP proxy device.
Intrusion detection statistics

Intrusion detection is an important network security feature. By analyzing the contents and behaviors of
packets passing by, it determines whether the packets are attack packets. If so, it takes actions
accordingly, as configured. Supported actions include outputting alarm logs, discarding packets, and
adding the attacker to the blacklist.
The intrusion detection statistics reflect the counts of attacks as per attack type, and the counts of attack
packets dropped. This helps you analyze the intrusion types and quantities present to generate better
network security policies.
For information about packet inspection, see "Configuring packet inspection." For information about
traffic abnormality detection, see "Types of network attacks the device can defend against."
Configuring attack detection and protection in the

Web interface
Configuring packet inspection
1.
From the navigation tree, select Intrusion Detection > Packet Inspection.
Figure 5 Packet inspection configuration page
2.
Configure packet inspection, as described in Table 2.
3.
Click Apply.
Table 2 Configuration items

Item
Description
Zone
Select a zone to detect attacks from the zone.
Discard Packets when the specified attack is detected
Select this option to discard detected attack packets.
Enable Fraggle Attack Detection
Enable or disable detection of Fraggle attacks.
Enable Land Attack Detection
Enable or disable detection of Land attacks.
Enable WinNuke Attack Detection
Enable or disable detection of WinNuke attacks.
Enable TCP Flag Attack Detection
Enable or disable detection of TCP flag attacks.
Enable ICMP Unreachable Packet Attack Detection
Enable or disable detection of ICMP unreachable

attacks.
Enable ICMP Redirect Packet Attack Detection
Enable or disable detection of ICMP redirect attacks.
Enable Tracert Packet Attack Detection
Enable or disable detection of Tracert attacks.
Enable Smurf Attack Detection
Enable or disable detection of Smurf attacks.

7
Item
Description
Enable IP Packet Carrying Source Route Attack

Detection
Enable or disable detection of source route attacks.
Enable Route Record Option Attack Detection
Enable or disable detection of route record attacks.
Enable Large ICMP Packet Attack Detection
Enable detection of large ICMP attacks and set the

packet length limit, or disable detection of such
attacks.
Max Packet Length
Packet inspection configuration example

Network requirements
As shown in Figure 6, the internal network is the trusted zone and the external network is the untrusted
zone.
Configure the firewall to protect the trusted zone against Land attacks and Smurf attacks from the
untrusted zone.
Figure 6 Network diagram
Configuring Firewall
1.
Assign IP addresses and security zones to interfaces. (Details not shown.)
2.
Enable Land attack detection and Smurf attack detection for the untrusted zone:
a. From the navigation tree, select Intrusion Detection > Packet Inspection.
b. The packet inspection configuration page appears, as shown in Figure 7.
c.
Select Untrust from the Zone list. Then select Discard Packets when the specified attack is
detected, Enable Land Attack Detection, and Enable Smurf Attack Detection.
d. Click Apply.
Figure 7 Enabling Land and Smurf attack detection for the untrusted zone
Verifying the configuration

Check that the firewall can detect Land and Smurf attacks from the untrusted zone, output alarm logs
accordingly, and drop the attack packets.
You can select Intrusion Detection > Statistics from the navigation tree to view the counts of Land and
Smurf attacks and the counts of dropped attack packets.
Configuring traffic abnormality detection

Configuring ICMP flood detection
ICMP flood detection is mainly intended to protect servers and is usually configured for an internal zone.
1.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > ICMP Flood.
The ICMP flood detection configuration page appears, as shown in Figure 8.
Figure 8 ICMP flood detection configuration page
2.
Select a security zone.
3.
In the Attack Prevention Policy area, select the Discard packets when the specified attack is
detected box. Click Apply.
If you do not select the box, the device only collects ICMP flood attack statistics.
4.
In the ICMP Flood Configuration area, click Add.
Figure 9 Adding an ICMP flood detection rule
5.
Configure an ICMP flood detection rule, as described in Table 3.
6.
Click Apply.
10

Item
Description
IP Address
Specify the IP address of the protected host.

Set the protection action threshold for ICMP
flood attacks that target the protected host.
Action
Threshold
Protected Host
Configuration
If the sending rate of ICMP packets destined

for the specified IP address constantly
reaches or exceeds this threshold, the device
enters the attack protection state and takes
attack protection actions as configured.
Set the silent threshold for actions that protect
against ICMP flood attacks targeting the
protected host.
Silent
Threshold
By default, the silent

threshold is three
quarters of the action
threshold that is 1000
packets per second.

for the specified IP address drops below this
threshold, the device returns to the attack
detection state and stops the protection
actions.
Set the protection action threshold for ICMP
flood attacks that target a host in the
protected security zone.
Action
Threshold
Global
Configuration of
Security Zone

for a host in the security zone constantly
reaches or exceeds this threshold, the device
enters the attack protection state and takes
attack protection actions as configured.
against ICMP flood attacks targeting a host
in the protected security zone.
Silent
Threshold

threshold is three
packets per second.

for a host in the security zone drops below
this threshold, the device returns to the attack
actions.
NOTE:
Host-specific settings take precedence over the global settings for security zones.
Configuring UDP flood detection

UDP flood detection is mainly intended to protect servers and is usually configured for an internal zone.
1.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > UDP Flood.
The UDP flood detection configuration page appears.
11
Figure 10 UDP flood detection configuration page
2.
3.
In the Attack Prevention Policy area, select the Discard packets when the specified attack is
detected box. Click Apply.
If you do not select the box, the device only collects UDP flood attack statistics.
4.
In the UDP Flood Configuration area, click Add.
Figure 11 Adding a UDP flood detection rule
5.
Configure a UDP flood detection rule, as described in Table 4.
6.
Click Apply.
12

Item
Description
IP Address

Set the protection action threshold for UDP
Action
Threshold
Protected Host
Configuration
If the sending rate of UDP packets destined for

the specified IP address constantly reaches or
exceeds this threshold, the device enters the
attack protection state and takes attack
protection actions as configured.
against UDP flood attacks targeting the
protected host.
Silent
Threshold

threshold is three
packets per second.

the specified IP address drops below this
actions.
Set the protection action threshold for UDP
flood attacks that target a host in the protected
security zone.
Action
Threshold
Global
Configuration of
Security Zone

a host in the security zone constantly reaches
or exceeds this threshold, the device enters the
attack protection state and takes attack
protection actions as configured.
against UDP flood attacks targeting a host in
the protected security zone.
Silent
Threshold

threshold is three
packets per second.

a host in the security zone drops below this
actions.
NOTE:
Configuring DNS flood detection

DNS flood detection is mainly intended to protect servers and is usually configured for an internal zone.
You cannot configure the DNS flooding detection silent threshold through Web. By default, the global
silent threshold for DNS flood detection in a security zone is 750 packets per second, which is three
quarters of the action threshold.
1.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > DNS Flood.
The DNS flood detection configuration page appears.
13
Figure 12 DNS flood detection configuration page
2.
3.
In the DNS Flood Attack Prevention Policy area, select Enable DNS Flood Attack Detection, and
then click Apply.
The device will collect DNS flood attack statistics of the specified security zone, and output logs
upon detecting DNS flood attacks.
4.
In the DNS Flood Configuration area, click Add.
Figure 13 Adding a DNS flood detection rule
5.
Configure a DNS flood detection rule, as described in Table 5.
6.
Click Apply.

Item
Description
IP Address
Protected Host
Configuration

Set the protection action threshold for DNS flood attacks that
target the protected host.
Action Threshold
If the sending rate of DNS query requests destined for the

specified IP address constantly reaches or exceeds this
threshold, the device drops all extra requests and logs the
event.
14
Item
Description
Global Configuration
of Security Zone
Set the protection action threshold for DNS flood attacks that
target a host in the protected security zone.
Action Threshold
If the sending rate of DNS query requests destined for a host in

the security zone constantly reaches or exceeds this threshold,
the device enters all extra requests and logs the event.
NOTE:
Configuring SYN flood detection

SYN flood detection is mainly intended to protect servers and is usually configured for an internal zone.
1.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood.
The SYN flood detection configuration page appears.
Figure 14 SYN flood detection configuration page
2.
3.
In the Attack Prevention Policy area, specify the protection actions to be taken upon detection of a
SYN flood attack for the specified security zone. Click Apply.
If you do not select any option, the device only collects SYN flood attack statistics depending on
your configuration. The available protection actions include:
{
4.
Discard packets when the specified attack is detected. If detecting that a protected object in the
security zone is under SYN flood attack, the device drops the TCP connection requests to the
protected host to block subsequent TCP connections.
Add protected IP entry to TCP Proxy. If detecting that a protected object in the security zone is
under SYN flood attack, the device adds the target IP address to the protected IP list on the TCP
proxy as a dynamic one, setting the port number as any. If TCP proxy is configured for the
security zone, all TCP connection requests to the IP address will be processes by the TCP proxy
until the protected IP entry gets aged out. If you select this option, configure the TCP proxy
feature on the page you can enter after selecting Intrusion Detection > TCP Proxy.
In the SYN Flood Configuration area, click Add.

15
Figure 15 Adding a SYN flood detection rule
5.
Configure a SYN flood detection rule, as described in Table 6.
6.
Click Apply.

Item
Description
IP Address

Set the protection action threshold for SYN
Action
Threshold
Protected Host
Configuration
If the sending rate of SYN packets destined

for the specified IP address constantly
reaches or exceeds this threshold, the
device enters the attack protection state
and takes attack protection actions as
configured.
Set the silent threshold for actions that
protect against SYN flood attacks targeting
the protected host.
Silent
Threshold

for the specified IP address drops below
this threshold, the device returns to the
attack detection state and stops the
protection actions.
Set the protection action threshold for SYN
flood attacks that target a host in the
protected security zone.
Global
Configuration of
Security Zone
Action
Threshold

threshold is three quarters
of the action threshold that
is 1000 packets per
second.

for a host in the security zone constantly
reaches or exceeds this threshold, the
device enters the attack protection state
and takes attack protection actions as
configured.
16

threshold is three quarters
of the action threshold that
is 1000 packets per
second.
Item
Description
Set the silent threshold for actions that
protect against SYN flood attacks targeting
a host in the protected security zone.
Silent
Threshold

for a host in the security zone drops below
this threshold, the device returns to the
attack detection state and stops the
protection actions.
NOTE:
Configuring connection limits

1.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > Connection Limit.
The connection limit configuration page appears.
Figure 16 Connection limit configuration page
2.
Configure the connection limits for the security zone, as described in Table 7.
3.
Click Apply.

Item
Description
Security Zone
Select a security zone to perform connection limit configuration

for it.
Discard packets when the specified attack

is detected
Select this option to discard subsequent packets destined for or

sourced from an IP address when the number of the connections
for that IP address has exceeded the limit.
Enable connection limit per source IP

Threshold
Enable connection limit per dest IP
Threshold
Select the option to set the maximum number of connections that

can be present for a source IP address.
Select the option to set the maximum number of connections that
can be present for a destination IP address.
Configuring scanning detection

Scanning detection is intended to detect scanning behaviors and is usually configured for an external
zone.
Scanning detection can be configured to add blacklist entries automatically.
To configure scanning detection:
17
1.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection.
The scanning detection configuration page appears.
Figure 17 Scanning detection configuration page
2.
Configure the scanning detection rule for the security zone, as described in Table 8.
3.
Click Apply.

Item
Description
Security Zone
Select a security zone to perform scanning detection configuration for it.
Enable Scanning Detection
Select this option to enable scanning detection for the security zone.
Scanning Threshold
Set the maximum connection rate for a source IP address.

Select this option to allow the system to blacklist a suspicious source IP address.
Add a source IP to the

blacklist
If this option is selected, you can then set the lifetime of the blacklisted source IP
addresses.
IMPORTANT:
Only when the blacklist feature is enabled, can the scanning detection function
blacklist a suspect and discard subsequent packets from the suspect.
Lifetime
Set the lifetime of the blacklist entry.
Traffic abnormality detection configuration example

As shown in Figure 18, the internal network is the trusted zone, the subnet where the internal servers are
located is the DMZ, and the external network is the untrusted zone.
Configure the firewall to perform the following operations:
Protect the internal network against scanning attacks from the external network.
Limit the number of connections initiated by each internal host.
Limit the number of connections to the internal server.
Protect the internal server against SYN flood attacks from the external network.
18
Configuration considerations
To satisfy the requirements, perform the following configurations on the firewall:
Configure scanning detection for the untrusted zone, enable the function to add entries to the
blacklist, and set the scanning threshold to 4500 connections per second.
Configure source IP address-based connection limit for the trusted zone, and set the number of
connections each host can initiate to 100.
Configure destination IP address-based connection limit for the DMZ, and set the number of
connections the server can accommodate to 10000.
Configure SYN flood detection for the DMZ, and set the action threshold for attacks targeting the
internal server (for example, to 5000 packets per second) and the silent threshold (for example, to
1000 packets per second). Set the attack protection action to blocking subsequent packets destined
for the server.
Configuring the firewall

1.
Assign IP addresses and security zones to interfaces. (Details not shown.)
2.
Enable the blacklist feature:

a. From the navigation tree, select Intrusion Detection > Blacklist.
b. In the Global Configuration area, select Enable Blacklist as shown in Figure 19.
c.
Click Apply.
19
Figure 19 Enabling the blacklist feature
3.
Configure scanning detection for the untrusted zone:

a. From the navigation tree, select Intrusion Detection > Traffic abnormality > Scanning Detection.
The scanning detection configuration page appears, as shown in Figure 20.

b. Select the security zone Untrust.
c.
Select Enable Scanning Detection.
d. Set the scanning threshold to 4500 connections per second.

e. Select Add the source IP to the blacklist.
f.
Click Apply.
Figure 20 Configuring scanning detection for the untrusted zone
4.
Configure connection limits for the trusted zone:

a. From the navigation tree, select Intrusion Detection > Traffic Abnormality > Connection Limit.
The connection limit configuration page appears, as shown in Figure 21.

b. Select the security zone Trust.
c.
Select Discard packets when the specified attack is detected.
d. Select Enable connection limit per source IP and set the threshold to 100.
e. Click Apply.
20
Figure 21 Configuring connection limit for the trusted zone
5.
Configure connection limits for the DMZ on the connection limit configuration page:
a. Select the security zone DMZ.
b. Select Discard packets when the specified attack is detected.
c.
Select Enable connection limit per dest IP and set the threshold to 10000.
d. Click Apply.
Figure 22 Configuring connection limit for the DMZ
6.
Configure SYN flood detection for the DMZ:

a. From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood.
The SYN flood detection confirmation page appears, as shown in Figure 23.
b. Select the security zone DMZ.
c.
In the Attack Prevention Policy area, select Discard packets when the specified attack is
detected.
d. Click Apply.
Figure 23 Configuring SYN flood detection for the DMZ
21
e. In the SYN Flood Configuration area, click Add.

f.
The SYN flood attack detection page appears, as shown in Figure 24.
g. Select Protected Host Configuration. Enter the IP address 10.1.1.2. Set the action threshold to
5000 packets per second and the silent threshold to 1000 packets per second.
h. Click Apply.
Figure 24 Configuring a SYN flood attack detection rule for the server
After a scanning attack packet is received from zone Untrust, the firewall outputs alarm logs and
adds the IP address of the attacker to the blacklist. You can select Intrusion Detection > Blacklist
from the navigation tree to view whether the attacker's IP address is on the blacklist.
If a host in zone Trust initiates 100 or more connections, the firewall outputs alarm logs and discards
subsequent connection request packets from the host. You can select Intrusion Detection > Statistics
from the navigation tree to view how many times that a connection limit per source IP address has
been exceeded and the number of packets dropped.
If the number of connections to the server in the DMZ reaches or exceeds 10000, the firewall
outputs alarm logs and discards subsequent connection request packets. You can select Intrusion
Detection > Statistics from the navigation tree to view how many times that a connection limit per
destination IP address has been exceeded and the number of packets dropped.
If a SYN flood attack is initiated to the DMZ, the firewall outputs alarm logs and discards the attack
packets. You can select Intrusion Detection > Statistics from the navigation tree to view the number
of SYN flood attacks and the number of packets dropped.
Configuring TCP proxy

Recommended configuration procedure
Task
1.
Remarks
Performing global TCP
proxy setting
Optional.
By default, bidirectional proxy is used.
22
Task
Remarks
Required.
2.
Enabling TCP Proxy for a

security
By default, the TCP proxy feature is disabled globally.

TIP:
The TCP proxy feature takes effect only for the incoming traffic of the security
zone.
At least one method is required.
3.
Adding a protected IP
address entry
You can add protected IP address entries by either of the methods:
StaticAdd entries manually. By default, no such entries are configured in

the system.
DynamicSelect Intrusion Detection > Traffic Abnormality > SYN Flood,

4.
5.
Configure to
automatically add a
protected IP address entry
Displaying information
about protected IP
address entries
and then select the Add protected IP entry to TCP Proxy check box. After
the configuration, the TCP proxy-enabled device automatically adds
protected IP address entries when detecting SYN flood attacks. For more
information, see "Configuring traffic abnormality detection."
You can configure a maximum of 250 protected IP addresses for each
security zone through Web.
Optional.
Performing global TCP proxy setting

1.
From the navigation tree, select Intrusion Detection > TCP Proxy > TCP Proxy Configuration to enter
the page shown in Table 8Figure 26.
2.
In the Global Configuration area, select Unidirection or Bidirection for TCP proxy.
3.
Click Apply.
Figure 26 TCP proxy configuration
Enabling TCP Proxy for a security zone

1.
From the navigation tree, select Intrusion Detection > TCP Proxy > TCP Proxy Configuration to enter
the page as shown in Table 8Figure 26.
23
2.
In the Zone Configuration area, click Enable to enable the TCP proxy feature for a target zone.
The icon in the Status column changes to , which indicates that the TCP proxy feature is enabled.
You can click Disable to disable the feature.
The
icon indicates that the TCP proxy feature is disabled.
Adding a protected IP address entry

1.
Select Intrusion Detection > TCP Proxy > Protected IP Configuration to enter the page shown
in Figure 27.
The page lists information about protected IP address entries and the relative statistics.
Figure 27 Protected IP address entries
2.
Click Add to enter the page for configuring a protected IP address entry.
Figure 28 Protected IP address entry configuration page
3.
Enter the destination IP address and select the port number of the TCP connection.
To protect all TCP connection requests to any port of the server at the destination IP address, select
Any from the Port Number list.
NOTE:
The Web performance is degraded if the IP address and port number of the administrator's host are set as
the protected IP entry.
Displaying information about protected IP address entries

Select Intrusion Detection > TCP Proxy > Protected IP Configuration to enter the page shown in Figure 27,
which lists information about protected IP address entries.
Table 9 Field description
Item
Description
Protected IP
IP addresses protected by the TCP proxy feature.

Destination port of the TCP connection.
Port Number
The option any specifies that TCP proxy services TCP connection requests to
any port of the server at the destination IP address.
24
Item
Description
Type
The protected IP address entries can be static or dynamic.
Lifetime(min)
Lifetime for the IP address entry under protection. This item is displayed as
for static IP address entries.
When the time reaches 0, the protected IP address entry is deleted.
Number of Rejected
Amount of requests for TCP connection requests matching the protected IP

address entry but were proved to be illegitimate.
TCP proxy configuration example

As shown in Figure 29, configure bidirectional TCP proxy on Firewall to protect Server A, Server B, and
Server C against SYN flood attacks.
Add a protected IP address entry for Server A manually and configure dynamic TCP proxy for the other
servers.
Configuring Firewall
1.
Assign IP addresses for the interfaces and then add interface GigabitEthernet 1/1 to zone Untrust,
and GigabitEthernet 1/2 to zone Trust. (Details not shown.)
2.
Set the TCP proxy mode to bidirectional and enable TCP proxy for zone Untrust:
a. From the navigation tree, select Intrusion Detection > TCP Proxy > TCP Proxy Configuration.
25
Figure 31 Select the bidirectional mode and enable TCP proxy for zone Untrust
b. Select Bidirection for the global setting, and click Apply.

c.
3.
In the Zone Configuration area, click Enable for the Untrust zone.
Add an IP address entry manually for protection:

a. From the navigation tree, select Intrusion Detection > TCP Proxy > Protected IP Configuration.
b. Click Add.
c.
Enter 20.0.0.10 in the Protected IP Address field.
d. Click Apply.
Figure 32 Add an IP address entry for protection
e. Configure the SYN flood detection feature, specifying to automatically add protected IP
address entries:
i
From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood.
ii
In the Attack Prevention Policy area, select Trust from the Security Zone list.
iii Select the Add protected IP entry to TCP Proxy box in the Attack Prevention Policy area.
iv Click Apply.
26
Figure 33 Configure the action to be taken upon detecting a SYN flood
In the SYN Flood Configuration area, click Add.
vi Select Global Configuration of Security Zone.

vii Click Apply.
Figure 34 Configure global settings
Configuring blacklist
Step
1.
2.
Remarks
Enabling the blacklist
function
Required.
Adding a blacklist entry

manually
Optional.
By default, the blacklist function is disabled.

By default, no blacklist entries exist.
27
Step
3.
4.
Remarks
Configuring the scanning
detection feature to add
blacklist entries
automatically
Viewing the blacklist
Optional.
For more information about scanning detection configuration, see
"Configuring traffic abnormality detection."
By default, the scanning detection feature is disabled.
Optional.
Enabling the blacklist function

1.
From the navigation tree, select Intrusion Detection > Blacklist.

The blacklist management page appears, as shown in Figure 35.
2.
Select Enable Blacklist.
3.
Click Apply.
Figure 35 Blacklist management page
Adding a blacklist entry manually

1.
From the navigation tree, select Intrusion Detection > Blacklist.
2.
Click Add to enter the blacklist entry configuration page as shown in Figure 36.
Figure 36 Adding a blacklist entry manually
3.
Configure a blacklist entry, as described in Table 9.
4.
Click Apply.
28

Item
Description
IP Address
Specify the IP address to be blacklisted.
Hold Time
Configure the entry to be a non-permanent one and specify a lifetime for it.
Permanence
Configure the entry to be a permanent one.
Viewing the blacklist

Select Intrusion Detection > Blacklist from the navigation tree to enter the blacklist management page,
where you can view the blacklist information. Table 10 describes the blacklist fields.
Table 11 Field description
field
Description
IP Address
Blacklisted IP address.
Add Method
AutoAdded by the scanning detection feature automatically.

ManualAdded manually or modified manually.
Type of the blacklist entry. Possible values include:
IMPORTANT:
Once modified manually, an auto entry becomes a manual one.
Start Time
Time when the blacklist entry is added.
Hold Time
Lifetime of the blacklist entry.
Dropped Count
Number of packets dropped based on the blacklist entry.
Blacklist configuration example

As shown in Figure 37, the internal network is the trusted zone and the external network is the untrusted
zone.
Configure the firewall to satisfy the following requirements:
Block packets from Host D forever (it is assumed that Host D is an attack source).
Block packets from Host C within 50 minutes, so as to control access of the host.
Perform scanning detection for traffic from the untrusted zone and, upon detecting a scanning
attack, blacklist the source. The scanning threshold is 4500 connections per second.
29

Host A
Host B
GE0/2
192.168.1.1/16
Trust
GE0/1
202.1.0.1/16
Internet
Untrust
Firewall
Host D
5.5.5.5/24
Host C
192.168.1.5/16

1.
Assign IP addresses and security zones to the interfaces. (Details not shown.)
2.
Enable the blacklist feature:

a. From the navigation tree, select Intrusion Detection > Blacklist.
b. The blacklist management page appears, as shown in Figure 39.
c.
In the Global Configuration area, select Enable Blacklist, and click Apply.
d. Click Apply.
Figure 39 Enabling the blacklist feature
3.
Add a blacklist entry for Host D:

a. In the Blacklist Configuration area, click Add.
b. On the page that appears (see Figure 40), enter the IP address 5.5.5.5, select Permanence.
c.
Click Apply.
30
Figure 40 Adding a blacklist entry for Host D
d. In the Blacklist Configuration area, click Add again.

e. On the page that appears (see Figure 41), enter the IP address 192.168.1.5, select Hold Time
and set the lifetime of the entry to 50 minutes.
f.
Click Apply.
Figure 41 Adding a blacklist entry for Host C
5.
Configure scanning detection for the untrusted zone, as shown in Figure 42:
a. From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning
Detection.
b. Select the security zone Untrust.
c.
Select Enable Scanning Detection.
d. Set the scanning threshold to 4500.

e. Select Add the source IP to the blacklist.
f.
Click Apply.
Figure 42 Configuring scanning detection for the untrusted zone

Select Intrusion Detection > Blacklist from the navigation tree to view the manually added blacklist
entries.
31
The firewall discards all packets from Host D before you remove the blacklist entry for the host. If the
firewall receives packets from Host C, the firewall discards all packets from Host C within 50 minutes.
After 50 minutes, the firewall forwards packets from Host C normally.
The firewall outputs an alarm log and adds the IP address to the blacklist when detecting a scanning
attack from the untrusted zone. You can select Intrusion Detection > Blacklist from the navigation tree to
view the blacklist entry automatically added by scanning attack protection.
Displaying intrusion detection statistics

1.
From the navigation tree, select Intrusion Detection > Statistics to enter the intrusion detection
statistics page, as shown in Figure 44.
2.
Select a zone to view the counts of attacks and the counts of dropped packets in the security zone.
Descriptions of attack types are shown in Table 12.
Figure 44 Intrusion detection statistics
Table 12 Attack types description

Attack type
Description
Fraggle
A Fraggle attack occurs when an attacker sends a large number of UDP echo requests
with the UDP port number of 7 or Chargen packets with the UDP port number of 19.
This results in a large quantity of junk replies, and finally exhausts the bandwidth of the
target network.
ICMP Redirect
An ICMP redirect attacker sends ICMP redirect messages to a target to modify its
routing table. This interferes with the normal forwarding of IP packets.
32
Attack type
Description
ICMP Unreachable
Upon receiving an ICMP unreachable response, some systems conclude that the
destination is unreachable and drop all subsequent packets destined for the
destination. By sending ICMP unreachable packets, an ICMP unreachable attacker
can cut off the connection between the target host and the network.
Land
A Land attack occurs when an attacker sends a great number of TCP SYN packets with
both the source and destination IP addresses specified as the IP address of the target.
This exhausts the half-open resources of the victim, and disables the target from
working properly.
Large ICMP
For some hosts and devices, large ICMP packets cause a memory allocation error and
crash down the protocol stack. A large ICMP attacker sends large ICMP packets to a
target to make it crash down.
Route Record
A route record attack exploits the route record option in the IP header to probe the
topology of a network.
Scan
A scanning attack probes the addresses and ports on a network to identify the hosts
attached to the network and the application ports available on the hosts. Then, it
figures out the topology of the network, enabling it to prepare for further attacks.
Source Route
A source route attack exploits the source route option in the IP header to probe the
topology of a network.
Smurf
A Smurf attacker sends large quantities of ICMP echo requests to the broadcast
address or the network address of the target network. As a result, all hosts on the target
network will reply to the requests. This causes network congestions, and hosts on the
target network cannot provide services.
TCP Flag
Some TCP flags are processed differently on different operating systems. A TCP flag
attacker sends TCP packets with such TCP flags to a target to probe its operating
system. If the operating system cannot process such packets properly, the attacker will
successfully make the host crash down.
Tracert
The Tracert program usually sends UDP packets with a large destination port number
and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 when the
packet passes each router. When a router gets a packet with a TTL of 0, the router must
send an ICMP time exceeded message back to the source IP address of the packet. A
Tracert attacker exploits the Tracert program to figure out the network topology.
WinNuke
A WinNuke attacker sends out-of-band data with the pointer field values overlapped to
the NetBIOS port (139) of a Windows system with an established connection to
introduce a NetBIOS fragment overlap. This causes the system to crash.
SYN Flood
A SYN flood attack exploits TCP SYN packets. Due to resource limitation, the number
of TCP connections that can be created on a device is limited. A SYN flood attacker
sends a barrage of spurious SYN packets to a victim to initiate TCP connections. As the
SYN_ACK packets that the victim sends in response can never get acknowledgments,
large amounts of half-open connections are created and retained on the victim. This
makes the victim inaccessible before the number of half-open connections drops to a
reasonable level due to timeout of half-open connections. In this way, a SYN flood
attack exhausts system resources such as memory on a system whose implementation
does not limit creation of connections.
ICMP Flood
An ICMP flood attack overwhelms the victim with an enormous number of ICMP echo
requests (such as ping packets) in a short period. This prevents the victim from
providing normal services.
UDP Flood
A UDP flood attack overwhelms the victim with an enormous number of UDP packets in
a short period. This disables the victim from providing normal services.
33
Attack type
Description
DNS Flood
A DNS flood attack overwhelms the victim with an enormous number of DNS query
requests in a short period. This disables the victim from providing normal services.
Number of
connections per
source IP exceeds the
threshold
When an internal user initiates a large number of connections to a host on the external
network in a short period of time, system resources on the device are used up soon.
This makes the device unable to service other users.
Number of
connections per dest
IP exceeds the
threshold
If an internal server receives large quantities of connection requests in a short period of

time, the server is not able to process normal connection requests from other hosts.
Configuring the attack detection and protection at

the CLI
Attack detection and protection configuration task list
The attack detection and protection configuration tasks fall into the following categories:
Configuring attack protection functions for a security zone. To do so, you need to create an attack
protection policy, configure the required attack protection functions (such as Smurf attack protection,
scanning attack protection, and flood attack protection) in the policy, and then apply the policy to
the security zone. There is no specific configuration order for the attack functions, and you can
configure them as needed.
Configuring a TCP proxy when the SYN flood attack protection policy specifies the processing
method for SYN flood attack packets as TCP proxy.
Configuring the blacklist function. This function can be used independently or used in conjunction
with the scanning attack protection function on a security zone.
Enabling the traffic statistics function. This function can be used independently.
Complete the following tasks to configure attack detection and protection:

Task
Configuring attack
protection functions for
a security zone
Remarks
Creating an attack protection policy
Required.
Enabling attack protection logging
Optional.
Configuring an attack protection policy:
Configuring a single-packet attack protection policy

Configuring a scanning attack protection policy
Configuring a flood attack protection policy
Applying an attack protection policy to a security zone
Required.
Configure one or more
policies as needed.
Required.
Optional.
Configuring the blacklist function
Optional.
Enabling traffic statistics for a security zone
Optional.
34
Creating an attack protection policy

Before configuring attack protection functions for a security zone, you need to create an attack protection
policy and enter its view. In attack protection policy view, you can define one or more signatures used for
attack detection and specify the corresponding protection measures.
When creating an attack protection policy, you can also specify a security zone so that the security zone
uses the policy exclusively.
To create an attack protection policy:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VD system view.
switchto vd vd-name
Required for a non-default VD.
3.
Create an attack protection

policy and enter attack
protection policy view.
attack-defense policy
policy-number [ zone zone-name ]
By default, no attack protection

policy is created.
Enabling attack protection logging

After the attack protection policy is created, you can enable attack protection logging to record
single-packet attacks, scanning attacks, and flood attacks for adjusting network management strategies.
To enable attack protection logging:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enable attack
protection logging.
attack-defense
logging enable
Optional.
By default, attack protection logging is disabled.
Configuring an attack protection policy

In an attack protection policy, you can specify the signatures for attack detection and the corresponding
protection measures according to the security requirements of your network.
Different types of attack protection policies have different configurations, which are described below in
terms of single-packet attacks, scanning attacks, and flood attacks.
Configuring a single-packet attack protection policy

The single-packet attack protection function determines whether a packet is an attack packet mainly by
analyzing the characteristics of the packet. It is usually applied to security zones connecting external
networks, and inspects only the inbound packets of the security zones. If detecting an attack packet, the
device outputs an alarm log by default and, depending on your configuration, drop or forward the
packet.
To configure a policy for preventing single-packet attacks:
Step
1.
Enter system view.
Command
Remarks
system-view
N/A
35
Step
Command
Remarks
2.
switchto vd vd-name
3.
Enter attack protection policy

view.
policy-number
N/A
4.
Enable signature detection for

single-packet attacks.
signature-detect { fraggle |
icmp-redirect | icmp-unreachable
| land | large-icmp |
route-record | smurf |
source-route | tcp-flag | tracert |
winnuke } enable
By default, signature detection is

disabled for all kinds of
single-packet attacks.
5.
Configure the ICMP packet

length threshold that triggers
large ICMP attack protection.
signature-detect large-icmp
max-length length
Optional.
4000 bytes by default.
Optional.
6.
Configure the device to drop

single-packet attack packets.
By default, the device only

outputs alarm logs if detecting a
single-packet attack.
signature-detect action
drop-packet
You can configure a maximum

of 250 protected IP addresses
for each security zone.
Configuring a scanning attack protection policy

The scanning attack protection function detects scanning attacks by monitoring the establishment rate of
connections to the target systems. It is usually applied to security zones connecting external networks and
inspects only the inbound packets of the security zones. If the device detects that the rate at which an IP
address initiates connections reaches or exceeds the pre-defined threshold, the device outputs alarm logs,
drop subsequent packets received from the IP address, and, depending on your configuration, add the
IP address to the blacklist.
To configure a policy for preventing scanning attacks:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
switchto vd vd-name
3.
Enter attack protection

policy view.
policy-number
N/A
4.
Enable scanning attack

protection.
defense scan enable
Disabled by default.
5.
Specify the connection rate

threshold that triggers
scanning attack protection.
defense scan max-rate

rate-number
Optional.
36
4000 connections per second by default.
Step
Command
Remarks
Enable the blacklist
6.
7.
8.
Configure the blacklist

function for scanning attack
protection.
Return to system view.
Enable the blacklist function.
function for scanning

attack protection:
defense scan
add-to-blacklist
Set the aging time for
entries blacklisted by the

scanning attack protection
function:
defense scan
blacklist-timeout minutes
Optional.
By default:
The blacklist function for scanning

attack protection is disabled.
The aging time for entries blacklisted

by the scanning attack protection
function is 10 minutes.
quit
N/A
blacklist enable
Required to make the blacklist entries

added by the scanning attack protection
function take effect.
By default, the blacklist function is
disabled.
Configuring a flood attack protection policy

The flood attack protection function is mainly used to protect servers. It detects various flood attacks by
monitoring the rate at which connection requests are sent to a server. The flood attack protection function
is usually applied to the security zones connecting the internal network and inspects only the outbound
packets of the security zones.
With flood attack protection enabled, the device is in attack detection state. When the device detects that
the rate of sending connection requests to a server constantly reaches or exceeds the specified action
threshold, the device considers the server is under attack and enters the attack protection state. Then, the
device takes protection actions as configured (by default, the device only outputs alarm logs, but can be
configured to drop the subsequent connection request packets or use the TCP proxy as well). When the
device detects that the packet sending rate to the server drops below the silence threshold, it considers
that the attack to the server is over, turns back to the attack detection state, and stops taking the protection
actions.
You can configure attack protection for specific IP addresses. For IP addresses for which you do not
configure attack protection specifically, the device uses the global attack protection settings.
To configure a SYN flood attack protection policy:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
switchto vd vd-name
3.

policy view.
policy-number
N/A
4.
Enable SYN flood attack

protection.
defense syn-flood enable
37
Step
Command
Remarks
Optional.
5.
Configure the global action

and silence thresholds for
SYN flood attack protection.
defense syn-flood rate-threshold

high rate-number [ low
rate-number ]
By default, the action threshold is

1000 packets per second and the
silence threshold is 750 packets per
second.
6.
Configure the action and

silence thresholds for SYN
flood attack protection of a
specific IP address.
defense syn-flood ip ip-address

rate-threshold high rate-number
[ low rate-number ]
Optional.

SYN flood attack packets or
use the TCP proxy.
defense syn-flood action

{ drop-packet | trigger-tcp-proxy }
7.
Not configured by default.

Optional.
By default, the device only outputs
alarm logs if detecting an attack.
To configure an ICMP flood attack protection policy:

Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
switchto vd vd-name
3.

policy view.
policy-number
N/A
4.
Enable ICMP flood attack

protection.
defense icmp-flood enable
5.

ICMP flood attack
protection.
defense icmp-flood rate-threshold

rate-number ]

second.
6.

silence thresholds for ICMP
defense icmp-flood ip ip-address

[ low rate-number ]
Optional.

ICMP flood attack packets.
defense icmp-flood action

drop-packet
7.
Optional.
Not specifically configured for an IP

address by default.
Optional.
To configure a UDP flood attack protection policy:

Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
switchto vd vd-name
3.

policy view.
policy-number
N/A
4.
Enable UDP flood attack

protection.
defense udp-flood enable
38
Step
Command
Remarks
Optional.
5.

UDP flood attack protection.
defense udp-flood rate-threshold

rate-number ]

second.
6.

silence thresholds for UDP
flood attack protection for a
defense udp-flood ip ip-address

[ low rate-number ]
Optional.

UDP flood attack packets.
defense udp-flood action

drop-packet
7.

Optional.
To configure a DNS flood attack protection policy:

Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
switchto vd vd-name
3.

policy view.
policy-number
N/A
4.
Enable DNS flood attack

protection.
defense dns-flood enable
5.

DNS flood attack protection.
defense dns-flood rate-threshold

rate-number ]

second.
6.

silence thresholds for DNS
defense dns-flood ip ip-address

[ low rate-number ]
Optional.
Optional.
Not specifically configured for an IP

address by default.
Applying an attack protection policy to a security zone

To make a configured attack protection policy take effect, you need to apply the policy to a specific
security zone.
To apply an attack protection policy to a security zone:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
switchto vd vd-name
3.
Enter security zone view.
zone name zone-name id zone-id
N/A
39
Step
4.
Command
Apply an attack protection

policy to the security zone.
Remarks
By default, no attack protection
policy is applied to any security
zone.
attack-defense apply policy

policy-number
The attack protection policy to be

applied to a security zone must
already exist.

Usually, TCP proxy is used on a device's security zones connected to external networks to protect internal
servers from SYN flood attacks. When detecting a SYN flood attack, the device can take protection
actions as configured by using the defense syn-flood action command. If the trigger-tcp-proxy keyword
is specified for the defense syn-flood action command, the device starts TCP proxy in the specified mode
to inspect and process subsequent TCP connection requests destined to the protected IP address. The
protected IP address can be configured manually or generated dynamically by SYN flood attack
detection.
To configure the TCP proxy function:
Step
1.
Enter system view.
Command
Remarks
system-view
N/A
Unidirectional mode:
2.
Configure TCP proxy

operating mode.
tcp-proxy mode unidirection
Optional.
Bidirectional mode:
By default, the TCP proxy operates in

bidirectional mode.
undo tcp-proxy mode
3.
switchto vd vd-name
4.
Configure an IP address
protected by TCP proxy.
tcp-proxy protected-ip
destination-ip-address [ port-number
| port any ]
Optional.
5.
N/A
6.
Enable the TCP proxy

function for the security
zone.
tcp-proxy enable
By default, TCP proxy is disabled for

a security zone.
By default, no IP address is protected

by TCP proxy.
Configuring the blacklist function

You can configure a device to filter packets from certain IP addresses by configuring the blacklist
function.
The blacklist configuration includes enabling the blacklist function and adding blacklist entries. When
adding a blacklist entry, you can also configure the entry aging time. If you do not configure the aging
time, the entry never ages out and thus always exist until you delete it manually.
To configure the blacklist function:
Step
1.
Enter system view.
Command
Remarks
system-view
N/A
40
Step
Command
Remarks
2.
switchto vd vd-name
3.
Enable the blacklist function.
blacklist enable
Add a blacklist entry.
blacklist ip
source-ip-address
[ timeout minutes ]
Optional.
4.
The scanning attack protection function can

add blacklist entries automatically.
You can add blacklist entries manually, or configure the device to automatically add the IP addresses of
detected scanning attackers to the blacklist. For the latter purpose, enable the blacklist function for the
device, the scanning attack protection function, and the blacklist function for scanning attack protection.
The blacklist entries added by the scanning attack protection function will be aged after the aging time,
which is configurable. For the configuration of scanning attack protection, see "Configuring a scanning
attack protection policy."
Enabling traffic statistics for a security zone

To collect traffic statistics on a security zone, you need to enable the traffic statistics function on the
security zone. The device supports traffic statistics in the following modes:
By direction, inbound, or outbound of a security zoneCollect statistics on packets that enter or

leave a security zone.
By source or destination IP addressCollect statistics on packets sent to a security zone by source

IP addresses or on packets sent from a security zone by destination IP addresses.
To enable traffic statistics on a security zone:

Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
switchto vd vd-name
3.
N/A
4.
Enable traffic statistics for the

security zone.
flow-statistics enable
{ destination-ip | inbound |
outbound | source-ip }
Displaying and maintaining attack detection and protection

Task
Command
Remarks
Display the attack protection

statistics of a security zone.
display attack-defense statistics [ vd

vd-name ] zone zone-name [ | { begin |
exclude | include } regular-expression ]
Available in any view.
Display the configuration

information about one or all attack
protection policies.
display attack-defense policy

[ policy-number ] [ vd vd-name ] [ | { begin |
Display information about blacklist

entries.
display blacklist { all | ip sour-address } [ vd

vd-name ] [ | { begin | exclude | include }
regular-expression ]
41
Task
Command
Remarks
Display the traffic statistics of a

security zone.
display flow-statistics statistics [ vd vd-name ]

zone zone-name { inbound | outbound } [ |
{ begin | exclude | include }
Display the security zone traffic

statistics based on IP addresses.
display flow-statistics statistics

{ destination-ip dest-ip-address | source-ip
src-ip-address } [ vpn-instance
vpn-instance-name ] [ | { begin | exclude |
include } regular-expression ]
Display information about the IP

addresses protected by the TCP
proxy function.
display tcp-proxy protected-ip [ vd vd-name ]

[ | { begin | exclude | include }
Clear the attack protection statistics

information about a security zone.
reset attack-defense statistics [ vd vd-name ]

zone zone-name
Available in user view.
Attack protection functions on security zones configuration

example
As shown in Figure 45, security zone Trust on Firewall is connected to the internal network, security zone
Untrust is connected to the external network, and security zone DMZ is connected to an internal server.
Protect internal hosts against Smurf attacks and scanning attacks from the external network. Protect the
internal server against SYN flood attacks from the external network. To meet the requirements, perform
the following configurations:
In security zone Untrust, configure Smurf attack protection and scanning attack protection, enable the
blacklist function for scanning attack protection, and set the connection rate threshold that triggers the
scanning attack protection to 4500 connections per second.
In security zone DMZ, configure SYN flood attack protection, so that the device drops subsequent SYN
packets when the SYN packet sending rate to a server constantly reaches or exceeds 5000 packets per
second, and permits SYN packets to be sent to the server again when this rate drops below 1000
packets per second.
42
Configuration procedure
# Specify IP address for interfaces and add them into security zones. (Details not shown.)
# Enable blacklist function.
<Firewall> system-view
[Firewall] blacklist enable
# Create attack protection policy 1.

[Firewall] attack-defense policy 1
# Enable Smurf attack protection.

[Firewall-attack-defense-policy-1] signature-detect smurf enable
# Enable scanning attack protection.

[Firewall-attack-defense-policy-1] defense scan enable
# Set the connection rate threshold that triggers scanning attack protection to 4500 connections per
second.
[Firewall-attack-defense-policy-1] defense scan max-rate 4500
# Add source IP addresses detected by scanning attack protection to the blacklist.

[Firewall-attack-defense-policy-1] defense scan add-to-blacklist
[Firewall-attack-defense-policy-1] quit
# Apply attack protection policy 1 to the security zone untrust.

[Firewall] zone name untrust id 4
[Firewall-zone-untrust] attack-defense apply policy 1
[Firewall-zone-untrust] quit

# Enable SYN flood attack protection.

[Firewall-attack-defense-policy-2] defense syn-flood enable
# Configure SYN flood attack protection for the internal server 10.1.1.2, and set the action threshold to
5000 and silence threshold to 1000.
[Firewall-attack-defense-policy-2] defense syn-flood ip 10.1.1.2 rate-threshold high 5000
low 1000
43
# Configure the policy to drop the subsequent packets after a SYN flood attack is detected.
[Firewall-attack-defense-policy-2] defense syn-flood action drop-packet
# Apply attack protection policy 2 to security zone DMZ.

[Firewall] zone name dmz id 3
[Firewall-zone-dmz] attack-defense apply policy 2
[Firewall-zone-dmz] quit

Use the display attack-defense policy command to display the contents of attack protection policy 1 and
2.
If security zone Untrust receives Smurf attack packets, the device should output alarm logs. If security
zone Untrust receives scanning attack packets, the device should output alarm logs and add the IP
addresses of the attackers to the blacklist. If SYN flood attack packets are received by security zone DMZ,
the device should output alarm logs and drop the subsequent attack packets.
After a period of time, use the display attack-defense statistics zone command to display the attack
protection statistics of each security zone. If scanning attacks occur, you can use the display blacklist
command to see the blacklist entries added automatically by scanning attack protection.
Blacklist configuration example

As shown in Figure 46, Host D is an attacker in the external network. Configure the firewall to filter
packets from Host D permanently. Host C is in the internal network. Configure the firewall to drop packets
from Host C for 50 minutes, so that Host C cannot access the external network during the specified
period of time.
# Specify IP addresses for interfaces and add them into security zones. (Details not shown.)
# Enable the blacklist function.
[Firewall] blacklist enable
# Add Host D's IP address 5.5.5.5 to the blacklist without configuring an aging time for it.
[Firewall] blacklist ip 5.5.5.5
# Add Host C's IP address 192.168.1.4 to the blacklist and configure the aging time as 50 minutes.
44
[Firewall] blacklist ip 192.168.1.4 timeout 50

Use the display blacklist all command to display the added blacklist entries.
[Firewall] display blacklist all
Blacklist information
------------------------------------------------------------------------Blacklist
: enabled
Blacklist items
: 2
-----------------------------------------------------------------------------IP
Type
Aging started
Aging finished
Dropped packets
YYYY/MM/DD hh:mm:ss YYYY/MM/DD hh:mm:ss

5.5.5.5
manual 2008/04/09 16:02:20 Never
192.168.1.4
manual 2008/04/09 16:02:26 2008/04/09 16:52:26 0
After the configuration takes effect, Firewall should:
Always drop packets from Host D unless you delete Host D's IP address from the blacklist by using
the undo blacklist ip 5.5.5.5 command.
Within 50 minutes, drop Host C's packets received.
After 50 minutes, normally forward Host C's packets received.
Traffic statistics configuration example

As shown in Figure 47, configure traffic statistics in security zone Trust, and configure UDP flood attack
protection to protect the internal server against UDP flood attacks.
# Specify IP addresses to interfaces and add them into security zones. (Details not shown.)
# Enable UDP flood attack protection.

45
[Firewall-attack-defense-policy-1] defense udp-flood enable
# Set the global action threshold that triggers UDP flood attack protection to 100 packets per second.
[Firewall-attack-defense-policy-1] defense udp-flood rate-threshold high 100
# Configure the policy to drop the subsequent packets after a UDP flood attack is detected.
[Firewall-attack-defense-policy-1] defense udp-flood action drop-packet
# Apply attack protection policy 1 to security zone trust.

[Firewall] zone name trust id 2
[Firewall-zone-trust] attack-defense apply policy 1
# Enable the traffic statistics function for packets sourced from security zone trust.
[Firewall-zone-trust] flow-statistic enable outbound
# Enable the traffic statistics function based on packet destination IP address.

[Firewall-zone-trust] flow-statistic enable destination-ip

If you suspect that the server is under an attack, you can view the traffic statistics information on the
security zone to check whether there is an attack.
[Firewall-zone-trust] display flow-statistics statistics destination-ip 10.1.1.2
Flow Statistics Information
-----------------------------------------------------------IP Address
: 10.1.1.2
-----------------------------------------------------------Total number of existing sessions
: 13676
: 2735/s
TCP sessions
: 0
Half-open TCP sessions
: 0
Half-close TCP sessions
: 0
: 0/s
UDP sessions
: 13676
: 2735/s
ICMP sessions
: 0
: 0/s
RAWIP sessions
: 0
RAWIP session establishment rate
: 0/s
TCP packet count
: 0
TCP byte count
: 0
UDP packet count
: 194
UDP byte count
: 12264
ICMP packet count
: 0
ICMP byte count
: 0
RAWIP packet count
: 0
RAWIP byte count
: 0
[Firewall-zone-trust] display flow-statistics statistics zone trust outbound

Flow Statistics Information
-----------------------------------------------------------Zone
: Trust
------------------------------------------------------------
46
Total number of existing sessions
: 13676
: 2735/s
TCP sessions
: 0
Half-open TCP sessions
: 0
Half-close TCP sessions
: 0
: 0/s
UDP sessions
: 13676
: 2735/s
ICMP sessions
: 0
: 0/s
RAWIP sessions
: 0
RAWIP session establishment rate
: 0/s
The output shows that in security zone trust, a large number of UDP packets are destined for 10.1.1.2, and
the session establishment rate has exceeded the specified threshold. Therefore, you can determine that
the server is under a UDP flood attack. You can use the display attack-defense statistics command to
view the related statistics collected after the UDP flood protection function takes effect.
TCP proxy configuration example

Configure a bidirectional TCP proxy on Firewall to protect Server A, Server B, and Server C from SYN
flood attacks.
Add the IP address of Server A as a static protected IP and protect other servers dynamically.
Server A
192.168.1.10/24
Server B
GE0/1
192.168.1.1/16
Firewall
GE0/2
202.1.0.1/16
Internet
Untrust
Trust
Server C
# Specify IP addresses for interfaces and add them into security zones. (Details not shown.)
# Configure the operating mode of TCP Proxy as bidirectional.
[Firewall] undo tcp-proxy mode unidirection
# Configure TCP proxy for IP address 192.168.1.10 and port number 21.
[Firewall] tcp-proxy protected-ip 192.168.1.10 21
# Enable TCP proxy for security zone untrust.

[Firewall] zone name untrust
[Firewall-zone-untrust] tcp-proxy enable
[Firewall-zone-untrust] quit

47
# Enable SYN flood attack protection.

[Firewall-attack-defense-policy-1] defense syn-flood enable
# Set the global action threshold for SYN flood attack protection to 100 packets per second.
[Firewall-attack-defense-policy-1] defense syn-flood rate-threshold high 100
# Configure the device to use the TCP proxy for subsequent packets after a SYN flood attack is detected.
[Firewall-attack-defense-policy-1] defense syn-flood action trigger-tcp-proxy
# Apply policy 1 to security zone trust.

[Firewall] zone name trust
[Firewall-zone-trust] attack-defense apply policy 1
[Firewall-zone-trust] quit

When a SYN flood attack targeting an internal server occurs, use the display tcp-proxy protected-ip
command to view information about the IP addresses protected by the TCP proxy function.
[Firewall] display tcp-proxy protected-ip
Protected IP
Port number
Type
Lifetime(min)
Rejected packets
192.168.1.10
21
Static
20
192.168.1.11
any
Dynamic
30
The output shows that Server A's IP address is a static entry and a dynamic entry has been added for the
attacked server.
48
Configuring ARP attack protection

ARP attacks and viruses threaten LAN security. This chapter describes multiple features used to detect and
prevent such attacks.
Overview
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP
entries.
Sends a large number of unresolvable IP packets (ARP cannot find MAC addresses for those
packets) to keep the receiving device busy with resolving destination IP addresses until the CPU is
overloaded.
Sends a large number of ARP packets to overload the CPU of the receiving device.
For more information about ARP attack features and types, see ARP Attack Protection Technology White
Paper.
ARP attack protection configuration task list

Perform the following tasks to prevent flood attacks:
Task
Configuring
unresolvable IP attack
protection
Remarks
Configuring ARP
source suppression
Optional.
Enabling ARP black

hole routing
Optional.
Configure this function on gateways (recommended).

Optional.
Configuring source MAC based ARP attack

detection
Perform the following tasks to prevent user and gateway spoofing:

Task
Remarks
Configuring ARP packet source MAC consistency

check
Optional.
Optional.
Configuring ARP active acknowledgement

Optional.
Configuring periodic sending of gratuitous ARP

packets

Optional.
Configuring ARP detection

49
Task
Remarks
Configuring ARP automatic scanning and fixed

ARP
Optional.
Configuring unresolvable IP attack protection

Unresolvable IP attack protection can be configured only at the CLI.
If a device receives from a host a large number of IP packets that cannot be resolved by ARP (called
unresolvable IP packets), the following situations can occur:
The device sends a large number of ARP requests, overloading the target subnets.
The device keeps trying to resolve target IP addresses, overloading its CPU.
To protect the device from such IP packet attacks, you can configure the following features:
ARP source suppressionIf the attack packets have the same source address, you can enable the
ARP source suppression function, and set the maximum number of unresolvable IP packets that a
host can send within five seconds. If the threshold is reached, the device stops resolving packets
from the host until the five seconds elapse.
ARP black hole routingYou can enable the ARP black hole routing function regardless of whether
the attack packets have the same source address. After receiving an unresolveble IP packet, the
device creates a black hole route destined for that IP address and drops all the matching packets
until the black hole route ages out.
Configuring ARP source suppression

Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enable ARP source suppression.
arp source-suppression enable
3.
Set the maximum number of unresolvable

packets that the device can receive from a
device in five seconds.
arp source-suppression limit

limit-value
Optional.
10 by default.
Enabling ARP black hole routing

Step
Command
Remarks
N/A
1.
Enter system view.
system-view
2.
Enable ARP black hole

routing.
arp resolving-route enable
50
Optional.
Displaying and maintaining ARP source suppression

Task
Command
Remarks
Display the ARP source suppression

configuration information.
display arp source-suppression [ |

{ begin | exclude | include }
Unresolvable IP attack protection configuration

example
As shown in Figure 24, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN
20. The two areas connect to the gateway (Firewall) through an access switch respectively.
A large number of ARP requests are detected in the office area and are considered as a consequence of
an IP flood attack. To prevent such attacks, configure ARP source suppression and ARP black hole
routing.
If the attack packets have the same source address, you can enable the ARP source suppression function
as follows:
1.
Enable ARP source suppression.
2.
Set the threshold to 100. If the number of unresolvable IP packets received from a host within five
seconds exceeds 100, the device stops resolving packets from the host until the five seconds
elapse.
51
If the attack packets have different source addresses, enable the ARP black hole routing function on the
firewall.
# Enable ARP source suppression and set the threshold to 100.
[Firewall] arp source-suppression enable
[Firewall] arp source-suppression limit 100
# Enable ARP black hole routing.

[Firewall] arp resolving-route enable

detection
Source MAC based ARP attack detection can be configured only at the CLI.
The following matrix shows the feature and hardware compatibility:
Hardware
Source MAC based ARP attack detection compatible
F1000-A-EI/F1000-E-SI/F1000-S-AI
Yes
F1000-E
No
F1000-S-EI
Yes
F100-C-G/F100-S-G
Yes
F100-M-G/F100-A-G/F100-E-G
Yes
F5000-A5
No
Firewall module
No
U200-A/U200-M/U200-CA
Yes
U200-S/U200-CS/U200-CM
Yes
This feature checks the number of ARP packets received from the same MAC address within five seconds
against a specific threshold. If the threshold is exceeded, the device adds the MAC address in an ARP
attack entry.
Before the entry is aged out, the device handles the attack by using either of the following methods:
MonitorGenerates log messages.
FilterGenerates log messages and filters out subsequent ARP packets from that MAC address.
After an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry can
be processed normally.
You can exclude the MAC addresses of some gateways and servers from detection. This feature does not
inspect ARP packets from those devices even if they are attackers.
To configure source MAC address based ARP attack detection:
52
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enable source MAC address based

ARP attack detection and specify the
handling method.
arp anti-attack source-mac { filter

| monitor }
3.
Configure the threshold.
arp anti-attack source-mac

threshold threshold-value
Optional.
4.
Configure the lifetime for ARP attack

entries.

aging-time time
Optional.
Configure excluded MAC

addresses.

exclude-mac mac-address&<1-n>
5.
50 by default.
300 seconds by default.
Optional.
No MAC address is excluded
by default.
Displaying and maintaining source MAC based ARP attack

detection
Task
Command
Remarks
Display attacking MAC addresses

detected by source MAC address
based ARP attack detection.
display arp anti-attack source-mac [ interface

interface-type interface-number ] [ | { begin |
Available in any
view.
Source MAC based ARP attack detection configuration

example
As shown in Figure 25, the hosts access the Internet through a gateway (Device). If malicious users send
a large number of ARP requests to the gateway, the gateway may crash and cannot process requests
from the clients. To solve this problem, configure source MAC address based ARP attack detection on the
gateway.
53
IP network
ARP attack protection

Gateway
Firewall
Server
0012-3f86-e94c
Host A
Host B
Host C
Host D
An attacker may forge a large number of ARP packets by using the MAC address of a valid host as the
source MAC address. To prevent such attacks, configure the gateway as follows:
1.
Enable source MAC address based ARP attack detection and specify the handling method.
2.
Set the threshold.
3.
Set the lifetime for ARP attack entries.
4.
Exclude the MAC address of the server from this detection.
# Enable source MAC address based ARP attack detection and specify the handling method.
[Firewall] arp source-mac filter
# Set the threshold to 30.

[Firewall] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.

[Firewall] arp source-mac aging-time 60
# Exclude 0012-3f86-e94c from this detection.

[Firewall] arp source-mac exclude-mac 0012-3f86-e94c

check
ARP packet source MAC consistency check can be configured only at the CLI.
54

Hardware
ARP packet source MAC consistency check compatible
F1000-A-EI/F1000-E-SI/F1000-S-AI
Yes
F1000-E
No
F1000-S-EI
Yes
F100-C-G/F100-S-G
Yes
F100-M-G/F100-A-G/F100-E-G
Yes
F5000-A5
No
Firewall module
No
U200-A/U200-M/U200-CA
Yes
U200-S/U200-CS/U200-CM
Yes
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet
header is different from the sender MAC address in the message body, so that the gateway can learn
correct ARP entries.
To enable ARP packet source MAC address consistency check:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enable ARP packet source MAC

address consistency check.
arp anti-attack valid-check enable
Configuring ARP active acknowledgement

ARP active acknowledgement can be configured only at the CLI.
Hardware
ARP active acknowledgement compatible
F1000-A-EI/F1000-E-SI/F1000-S-AI
Yes
F1000-E
No
F1000-S-EI
Yes
F100-C-G/F100-S-G
Yes
F100-M-G/F100-A-G/F100-E-G
Yes
F5000-A5
No
Firewall module
No
U200-A/U200-M/U200-CA
Yes
U200-S/U200-CS/U200-CM
Yes
Configure this feature on gateway devices to prevent user spoofing.
55
ARP active acknowledgement prevents a gateway from generating incorrect ARP entries. For more
information about its working mechanism, see ARP Attack Protection Technology White Paper.
To configure ARP active acknowledgement:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enable the ARP active

acknowledgement function.
arp anti-attack active-ack enable

packets
Periodic sending of gratuitous ARP packet can be configured only in the Web interface.
Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their
corresponding ARP entries or MAC entries in time. This feature can be used to prevent gateway spoofing,
prevent ARP entries from aging out, and prevent the virtual IP address of a VRRP group from being used
by a host.
Prevent ARP spoofing.

An attacker can use the gateway address to send gratuitous ARP packets to the hosts on a network
so that the traffic destined for the gateway from the hosts is sent to the attacker instead. As a result,
the hosts cannot access the external network.
To prevent such gateway spoofing attacks, you can enable the gateway to send gratuitous ARP
packets containing its primary IP address and manually configured secondary IP addresses at a
specific interval, so hosts can learn correct gateway address information.
Prevent aging of the gateway ARP entry.

If network traffic is heavy or if a host's CPU usage is high, received ARP packets may be discarded
or may not be processed in time. Eventually, the dynamic ARP entries on the receiving host age out,
and the traffic between the host and the corresponding devices is interrupted until the host
re-creates the ARP entries.
To prevent this problem, you can enable the gateway to send gratuitous ARP packets periodically.
The gratuitous ARP packets contain the gateway's primary IP address or one of its manually
configured secondary IP addresses, so the receiving hosts can update ARP entries in time.
Prevent the virtual IP address of a VRRP group from being used by a host.
The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the
local network, so that the hosts can update local ARP entries and avoid using the virtual IP address
of the VRRP group.
If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender
MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. If the
virtual IP address of the VRRP group is associated with the real MAC address of an interface, the
sender MAC address in the gratuitous ARP packet is the MAC address of the interface on the
master router in the VRRP group.
Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured.
In VRRP configuration, if ambiguous VLAN termination is configured for many VLANs and VRRP
groups, interfaces configured with VLAN termination need to be disabled from transmitting
56
broadcast/multicast packets and a VRRP control VLAN needs to be configured so that VRRP
advertisements can be transmitted within the control VLAN only. In such cases, you can enable
periodic sending of gratuitous ARP packets containing the VRRP virtual IP address, and the primary
IP address or a manually configured secondary IP address of the sending interface on the
subinterfaces. In this way, when a VRRP failover occurs, devices in the VLANs having ambiguous
VLAN termination configured can use the gratuitous ARP packets to update their corresponding
MAC entries in time.
For more information about VRRP, see High Availability Web-based Configuration Guide.
Configuration restrictions and guidelines
You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.
Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface
goes up and an IP address has been assigned to the interface.
If you change the interval for sending gratuitous ARP packets, the configuration is effective at the
next sending interval.
The frequency of sending gratuitous ARP packets may be much lower than the sending interval set
by the user if this function is enabled on multiple interfaces, if each interface is configured with
multiple secondary IP addresses, or if a small sending interval is configured when the previous two
conditions exist.
Configuring periodic sending of gratuitous ARP packets

1.
From the navigation tree, select Firewall > ARP Anti-Attack > Send Gratuitous ARP to enter the
Send Gratuitous ARP page.
Figure 26 Configuring periodic sending of gratuitous ARP packets
2.
Specify on interface and interval for periodically sending gratuitous ARP packets.
Select an interface from the Standby Interface list, set its sending interval, and then click << to add
it to the Sending Interface list box.
To delete the combination of an interface and its sending interval, select it from the Sending
Interface list and click >>.
57
3.
Click Apply.
Configuring ARP detection

Hardware
ARP detection compatible
F1000-A-EI/F1000-E-SI/F1000-S-AI
Yes
F1000-E
No
F1000-S-EI
Yes
F100-C-G/F100-S-G
Yes
F100-M-G/F100-A-G/F100-E-G
Yes
F5000-A5
No
Firewall module
No
U200-A/U200-M/U200-CA
Yes
U200-S/U200-CS/U200-CM
Yes
ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user
spoofing and gateway spoofing attacks.
ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding
functions.
Configuring user validity check

Upon receiving an ARP packet from an ARP untrusted interface, the device compares the sender IP and
MAC addresses against the user validity check rule. If a match is found, the ARP packet is considered
valid and is forwarded. If no match is found, the ARP packet is considered invalid and is discarded.
If both ARP packet validity check and user validity check are enabled, the former one applies first, and
then the latter applies.
Configure a user validity check rule before you enable user validity check. Otherwise, ARP packets
received from ARP untrusted ports are discarded.
To configure user validity check:
Step
Command
Remarks
Enter system view.
system-view
N/A
Configure a user validity

check rule.
arp detection id-number { deny |

permit } ip { any | ip-address
[ ip-address-mask ] } mac { any |
mac-address [ mac-address-mask ] }
[ vlan vlan-id ]
3.
Enter VLAN view.
vlan vlan-id
N/A
4.
Enable ARP detection.
arp detection enable
By default, ARP detection is disabled.
5.
quit
N/A
1.
2.
58
Optional.
By default, no rule is configured.
Step
6.
7.
Command
Remarks
Enter Layer 2 Ethernet

interface view or Layer 2
aggregate interface view.
interface interface-type
interface-number
N/A
Configure the interface as

a trusted interface
excluded from ARP
detection.
arp detection trust
Optional.
By default, an interface is untrusted.
Configuring ARP packet validity check

Enable validity check for ARP packets received on untrusted ports and specify the following objects to be
checked:
src-macChecks whether the sender MAC address in the message body is identical to the source
MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the
packet is discarded.
dst-macChecks the target MAC address of ARP replies. If the target MAC address is all-zero,
all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is
considered invalid and discarded.
ipChecks the sender and target IP addresses of ARP replies, and the sender IP address of ARP
requests. All-zero, all-one, or multicast IP addresses are considered invalid and the corresponding
packets are discarded.
To configure ARP packet validity check:

Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VLAN view.
vlan vlan-id
N/A
3.
Enable ARP detection.
arp detection enable
By default, ARP detection is disabled.
4.
quit
N/A
5.
Enable ARP packet validity check

and specify the objects to be
checked.
arp detection validate

{ dst-mac | ip | src-mac }
*
The default depends on the device

model.
6.
Enter Layer 2 Ethernet interface view

or Layer 2 aggregate interface view.
interface-number
N/A
7.
Configure the interface as a trusted

interface excluded from ARP
detection.
arp detection trust
Optional.
By default, an interface is untrusted.
Configuring ARP restricted forwarding

ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted
interfaces and have passed user validity check as follows:
If the packets are ARP requests, they are forwarded through the trusted interface.
If the packets are ARP replies, they are forwarded according to their destination MAC address. If no
match is found in the MAC address table, they are forwarded through the trusted interface.
59
Before configuring this feature, configure user validity check.

To enable ARP restricted forwarding:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VLAN view.
vlan vlan-id
N/A
3.
Enable ARP restricted forwarding.
arp restricted-forwarding enable
By default, ARP restricted

forwarding is disabled.
Displaying and maintaining ARP detection

Task
Command
Remarks
Display the VLANs enabled

with ARP detection.
display arp detection [ | { begin | exclude |

Display the ARP detection

statistics.
display arp detection statistics [ interface

interface-type interface-number ] [ | { begin |
Clear the ARP detection

statistics.
reset arp detection statistics [ interface

interface-type interface-number ]
Configuring ARP automatic scanning and fixed ARP

ARP automatic scanning is usually used together with the fixed ARP feature.
With ARP automatic scanning enabled on an interface, the device automatically scans neighbors on the
interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates dynamic ARP
entries.
Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated
through ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP
entries from being modified by attackers.
Use both ARP automatic scanning and fixed ARP in small-scale networks such as a cybercafe.
Configuring the ARP automatic scanning and fixed

ARP in the Web interface
ARP automatic scanning is usually used together with the fixed ARP feature.
Configuration guidelines
Follow these guidelines when you configure ARP automatic scanning and fixed ARP:
With ARP automatic scanning enabled on an interface, the device automatically scans neighbors
on the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates
dynamic ARP entries.
60
Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated
through ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents
ARP entries from being modified by attackers.
The static ARP entries changed from dynamic ARP entries have the same attributes as the manually
configured static ARP entries.
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of
static ARP entries that the device supports. As a result, the device may fail to change all dynamic
ARP entries into static ARP entries.
The fixing process may take some time, during which some dynamic entries may be added or be
aged out. The newly added dynamic entries are fixed and the aged ones are not.
Use both ARP automatic scanning and fixed ARP in small-scale networks such as a cybercafe.
Configuring ARP automatic scanning

Do not perform other operations when ARP automatic scanning is in progress.
ARP automatic scanning may take a long time. You can abort the scanning by clicking Interrupt on the
ARP scan page.
1.
From the navigation tree, select Firewall > ARP Anti-Attack > Scan.
The ARP scanning configuration page appears.
Figure 27 ARP scanning
2.
Configure ARP automatic scanning parameters as shown in Table 9.
3.
Click Scan to begin ARP automatic scanning.

To abort scanning, click Interrupt.

Item
Description
Interface
Select the interface to be configured to perform ARP automatic scanning.
61
Item
Description
Specify the start and end IP addresses of the IP address range for ARP automatic
scanning.
Start IP Address
To reduce the scanning time, you can specify the IP address range for scanning if
you know the IP address range assigned to the neighbors in a LAN. The specified
start and end IP addresses must be in the same network segment as the primary IP
address or manually configured secondary IP address of the interface. If the
specified address range covers multiple network segments of the interface, the
source IP address in the ARP request is the interface address on the smallest
network segment.
IMPORTANT:
End IP address
Specify the start and end IP addresses in pair. When neither is specified,
the device scans only the network segment of the primary IP address of the
interface for neighbors. The source IP address of the sent ARP request is
the primary IP address of the interface.
The start and end IP addresses must be in the same network segment as
the primary IP address or manually configured secondary IP address of
the interface, and the start IP address must be lower than or equal to the
end IP address.
Also scan IP addresses of

dynamic ARP entries
Set whether to scan the IP addresses of the existing dynamic ARP entries.
Configuring fixed ARP

1.
From the navigation tree, select Firewall > ARP Anti-Attack > Fix.
The fixed ARP page appears. The page lists all static ARP entries, including manually configured
ones and fixed ones, and all dynamic ARP entries.
Figure 28 Fixed ARP page
2.
Click Fix All to convert all dynamic ARP entries to static ones.
3.
Click Del All Fixed to delete all static ARP entries.
4.
Select the box before dynamic ARP entries, and click Fix to convert the selected ARP entry to a
static ARP entry.
62
5.
Select the box before static ARP entries, and click Del Fixed to delete the selected static ARP entry.
If you select a dynamic one and click Del Fixed, the entry is not deleted.
Configuring the ARP automatic scanning and fixed ARP at the

CLI
When you configure ARP automatic scanning and fixed ARP, follow these guidelines:
IP addresses existing in ARP entries are not scanned.
ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic
ARP entries are created based on ARP replies received before the scan is terminated.
The static ARP entries changed from dynamic ARP entries have the same attributes as the manually
configured static ARP entries.
Use the arp fixup command to change the existing dynamic ARP entries into static ARP entries. You
can use this command again to change the dynamic ARP entries learned later into static ARP
entries.
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of
static ARP entries that the device supports. As a result, the device may fail to change all dynamic
ARP entries into static ARP entries.
To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address
[ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset
arp static command.
To configure ARP automatic scanning and fixed ARP:
Step
Command
1.
Enter system view.
system-view
2.
Enter interface view.
interface interface-type interface-number
3.
Enable ARP automatic scanning.
arp scan [ start-ip-address to end-ip-address ]
4.
quit
5.
Enable fixed ARP.
arp fixup
63
Configuring TCP attack protection

TCP attack protection can be configured only at the CLI.
Overview
Attackers can attack the device during the process of TCP connection establishment. To prevent such
attacks, the device provides the following features:
SYN Cookie
Protection against Naptha attacks
This chapter describes the attacks that these features can prevent, working mechanisms of these features,
and configuration procedures.
Enabling the SYN Cookie feature

As a general rule, the establishment of a TCP connection involves the following three handshakes:
1.
The request originator sends a SYN message to the target server.
2.
After receiving the SYN message, the target server establishes a TCP connection in
SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.
3.
After receiving the SYN ACK message, the originator returns an ACK message, establishing the
TCP connection.
Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number
of SYN messages to the server to establish TCP connections, but they never make any response to SYN
ACK messages. As a result, a large number of incomplete TCP connections are established, resulting in
heavy resource consumption and making the server unable to handle services normally.
The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the
server directly returns a SYN ACK message, instead of establishing an incomplete TCP connection. Only
after receiving an ACK message from the client can the server establish a connection, and then enter the
ESTABLISHED state. In this way, incomplete TCP connections could be avoided to protect the server
against SYN Flood attacks.
To enable the SYN Cookie feature:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enable the SYN Cookie feature.
tcp syn-cookie enable
Enabled by default.
If you enable MD5 authentication for TCP connections, the SYN Cookie configuration is ineffective. Then,
if you disable MD5 authentication for TCP connections, the SYN Cookie configuration automatically
becomes effective. For more information about MD5 authentication, see Network Management
Configuration Guide.
With the SYN Cookie feature enabled, only the maximum segment size (MSS), is negotiated during TCP
connection establishment, instead of the window's zoom factor and timestamp.
64
Enabling protection against Naptha attacks

Naptha attacks are similar to the SYN Flood attacks. Attackers can perform Naptha attacks by using the
six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and
SYN_RECEIVED), and SYN Flood attacks by using only SYN_RECEIVED state.
Naptha attackers control a huge amount of hosts to establish TCP connections with the server, keep these
connections in same state (any of the six), and request for no data so as to exhaust the memory resource
of the server. As a result, the server cannot process normal services.
Protection against Naptha attacks mitigates such attacks by accelerating the aging of TCP connections
in a state. After the feature is enabled, the device (serving as a TCP server) periodically checks the
number of TCP connections in each state. If the device detects that the number of TCP connections in a
state exceeds the maximum number, it considers that a Naptha attack occurs and accelerates the aging
of TCP connections in this state. The device stops accelerating the aging of TCP connections when the
number of TCP connections in the state is less than 80% of the maximum number (1 at least).
To enable the protection against Naptha attack:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enable the protection

against Naptha attack.
tcp anti-naptha enable
Optional.
3.
Configure the maximum

number of TCP
connections in a state.
tcp state { closing | established |

fin-wait-1 | fin-wait-2 | last-ack |
syn-received } connection-number
number
4.
Configure the TCP state

check interval.
tcp timer check-state timer-value
5 by default.
If the maximum number of TCP
connections in a state is 0, the aging of
TCP connections in this state is not
accelerated.
Optional.
30 seconds by default.
Displaying and maintaining TCP attack protection

Task
Command
Remarks
Display current TCP connection state.
display tcp status [ | { begin | exclude |

65
Configuring ND attack defense

ND attack defense can be configured only at the CLI.
Feature and hardware compatibility

Hardware
ND attack defense compatible
F1000-A-EI/F1000-E-SI/F1000-S-AI
Yes
F1000-E
Yes
F1000-S-EI
Yes
F100-C-G/F100-S-G
No
F100-M-G/F100-A-G/F100-E-G
Yes
F5000-A5
Yes
Firewall module
Yes
U200-A/U200-M/U200-CA
Yes
U200-S/U200-CS/U200-CM
No
Overview
The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor
reachability detection, duplicate address detection, router/prefix discovery and address
autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can
easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
The ND protocol implements its function by using five types of ICMPv6 messages:
Neighbor Solicitation (NS)
Neighbor Advertisement (NA)
Router Solicitation (RS)
Router Advertisement (RA)
Redirect (RR)
An attacker can attack a network by sending forged ICMPv6 messages, as shown in Figure 29:
Sending forged NS/NA/RS packets with the IPv6 address of a victim host. The gateway and other
hosts update the ND entry for the victim host with incorrect address information. As a result, all
packets intended for the victim host are sent to the attacking host.
Sending forged RA packets with the IPv6 address of a victim gateway. As a result, all hosts attached
to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.
66
Figure 29 ND attack diagram
All forged ND packets have two common features:
The Ethernet frame header and the source link layer address option of the ND packet contain
different source MAC addresses.
The mapping between the source IPv6 address and the source MAC address in the Ethernet frame
header is invalid.
To identify forged ND packets, H3C developed the source MAC consistency check feature.
For more information about the five functions of the ND protocol, see Network Management
Enabling source MAC consistency check for ND

packets
Use source MAC consistency check on a gateway to filter out ND packets that carry different source
MAC addresses in the Ethernet frame header and the source link layer address option.
If VRRP is used, disable source MAC consistency check for ND packets to prevent incorrect dropping of
packets. With VRRP, the NA message always conveys a MAC address different than the Source
Link-Layer Address option.
To enable source MAC consistency check for ND packets:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enable source MAC consistency check

for ND packets.
ipv6 nd mac-check enable
67
Configuring firewall
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
Overview
A firewall blocks unauthorized Internet access to a protected network while allowing internal network
users to access the Internet through WWW, or to send and receive e-mails. A firewall can also be used
to control access to the Internet, for example, to permit only specific hosts within the organization to
access the Internet. Many of today's firewalls offer additional features, such as identity authentication
and encryption.
Another application of firewall is to protect the mainframe and important resources (such as data) on
internal networks. Any access to protected data is filtered by the firewall, even if the access is initiated by
a user within the internal network.
ACL based packet filter

An ACL packet-filter firewall implements IP packet specific filtering.
Before an IP packet can be forwarded, the firewall obtains the header information of the packet,
including the following:
Number of the upper layer protocol carried by the IP layer
Source address
Destination address
Source port number
Destination port number
The firewall compares the head information against the preset ACL rules and processes the packet based
on the comparison result.
IPv4 packet-filter firewalls are configured mainly through interzone policy and interzone policy group
configurations. For more information about interzone policies and interzone policy groups, see Access
Control Configuration Guide. This chapter mainly describes the IPv6 packet-filter firewall configuration.
ACL packet filter limitations

An ACL packet filter is a static firewall. It cannot solve the following issues:
For multi-channel application layer protocols, such as FTP and H.323, the values of some security
policy parameters are unpredictable.
Some attacks from the transport layer and application layer, such as TCP SYN flooding, cannot be
detected.
ICMP attacks cannot be prevented because not all faked ICMP error messages from the network
can be recognized.
For a TCP connection, the first packet must be a SYN packet. Any non-SYN packet that is the first
packet over the TCP connection is dropped. If a packet-filter firewall is deployed in a network, the
non-SYN packets of existing TCP connections passing the firewall for the first time are dropped,
breaking the existing TCP connections.
68
ASPF
Application Specific Packet Filter (ASPF) was proposed to address the issues that a static firewall cannot
solve. An ASPF implements application layer and transport specific, namely status-based, packet filtering.
An ASPF can detect application layer protocols including FTP, GTP, HTTP, SMTP, Real RTSP, SCCP, SIP,
H.323 (Q.931, H.245, and RTP/RTCP), and transport layer protocols TCP and UDP.
ASPF functions
An ASPF provides the following main functions:
Application layer protocol inspectionASPF checks the application layer information of packets,
such as the protocol type and port number, and monitors the application layer protocol status for
each connection. ASPF maintains the status information of each connection, and based on the
status information, determines whether to permit a packet to pass through the firewall into the
internal network, thus defending the internal network against attacks.
Transport layer protocol inspection (generic TCP and UDP inspection)ASPF checks a TCP/UDP
packet's source and destination addresses and port numbers to determine whether to permit the
packet to pass through the firewall into the internal network.
Enhanced session loggingASPF can record the information of each connection, including the
duration, source and destination addresses and port numbers of the connection, and number of
bytes transmitted.
Port to Application Mapping (PAM)Allows you to specify port numbers other than the standard
ones for application layer protocols.
ICMP error message inspectionASPF checks the connection information carried in an ICMP error
message. If the information does not match the connection, the ASPF processes the packet as
configured, for example, it discards the packet.
First packet inspection for TCP connectionASPF checks the first packet over a TCP connection. If
the first packet over a TCP connection is not a SYN packet, the ASPF will discard the packet.
At the border of a network, an ASPF can work in coordination with a packet-filter firewall to provide the
network with a security policy that is more comprehensive and better satisfies the actual needs.
ASPF basic concepts
PAM
While application layer protocols use the standard port numbers for communication, PAM allows
you to define a set of new port numbers for different applications, and provides mechanisms to
maintain and use the configuration information of user-defined ports.
PAM supports two types of port mapping mechanisms: general port mapping and host port
mapping.
{
General port mappingA mapping of a user-defined port number to an application layer

protocol. If port 8080 is mapped to HTTP, for example, all TCP packets to port 8080 are
regarded as HTTP packets.
Host port mappingA mapping of a user-defined port number to an application layer
protocol for packets to/from specific hosts. For example, you can establish a host port mapping
so that all TCP packets using 8080 as the destination port and 10.110.0.0/16 as the
destination network segment are regarded as HTTP packets. The hosts can be specified by
means of a basic ACL.
Single-channel protocol and multi-channel protocol
69
Single-channel protocolA single-channel protocol establishes only one channel to exchange

both control messages and data for a user. SMTP and HTTP are examples of single-channel
protocols.
Multi-channel protocolA multi-channel protocol establishes more than one channel for a user
and transfers control messages and user data through different channels. FTP and RTSP are
examples of multi-channel protocols.
Internal interface and external interface

On an edge device configured with ASPF to protect servers on the internal network, interfaces
connected with the internal network are internal interfaces and the interface connected with the
Internet is the external interface.
When an ASPF is applied on the outbound direction of the external interface of a device, a
temporary channel can be opened on the firewall for return packets to internal network users
accessing the Internet.
Application layer protocol inspection

As shown in Figure 30, to protect the internal network, an ACL is usually required on the router to permit
internal hosts to access external networks while prohibiting hosts on external networks from accessing the
internal network. However, the ACL will also filter out the return packets to internal users, thus failing the
connection setup attempts.
Figure 30 Application layer protocol detection
Packets of other sessions are blocked

Client A
Client A initiates a session
WAN
Return packets of
the session are
permitted to pass
Client B
Router
Server
Protected network
ASPF implements the application layer protocol detection function in cooperation with the session
management and ALG features. After detecting the first packet of a session, ASPF matches the packet
with the configured policy and sends the result to the session management feature, which is responsible
for session information database establishment and session status maintenance. Then, the ASPF
processes subsequent packets of the session based on session status information returned by the session
management feature.
For information about session management, see Access Control Configuration Guide. For information
about ALG, see NAT and ALG Configuration Guide.
Basic idea of transport layer protocol inspection

The transport layer protocol inspection here refers to generic TCP/UDP inspection. Different from
application layer protocol inspection, generic TCP/UDP inspection is specific to the transport layer
information in the packets, such as source and destination addresses and port number. generic TCP/UDP
inspection requires a full match between the packets returned to the external interface of the ASPF and
the packets previously sent out from the external interface of ASPF, namely a perfect match of the source
and destination address and port number. Otherwise, the return packets will be blocked. Therefore, for
70
multi-channel application layer protocols like FTP and H.323, the deployment of TCP detection without
application layer detection will lead to failure of establishing a data connection.
Configuring an IPv6 packet-filter firewall

IPv6 packet-filter firewall can be configured only at the CLI.
Hardware
Feature compatible
F1000-A-EI/F1000-E-SI/F1000-S-AI
Yes
F1000-E
Yes
F1000-S-EI
Yes
F100-C-G/F100-S-G
No
F100-M-G/F100-A-G/F100-E-G
Yes
F5000-A5
Yes
Firewall module
Yes
U200-A/U200-M/U200-CA
Yes
U200-S/U200-CS/U200-CM
No
IPv6 packet-filter firewall configuration task list

Task
Remarks
Enabling the IPv6 firewall function
Required.
Configuring the default filtering action of the IPv6 firewall
Optional.
Configuring packet filtering on an interface
Required.
Enabling the IPv6 firewall function

Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enable the IPv6 firewall function.
firewall ipv6 enable
Configuring the default filtering action of the IPv6 firewall

The default filtering action configuration is used for the firewall to determine whether to permit a data
packet to pass or deny the packet when there is no appropriate criterion for judgment.
To configure the default filtering action of the IPv6 firewall:
Step
1.
Enter system view.
Command
Remarks
system-view
N/A
71
Step
Command
Specify the default filtering
action of the firewall.
2.
firewall ipv6 default { deny |

permit }
Remarks
Optional.
permit (permit packets to pass the
firewall) by default.
Configuring packet filtering on an interface

When an ACL is applied to an interface, the time range-based filtering will also work at the same time.
In addition, you can specify separate access rules for inbound and outbound packets.
The effective range for basic ACL numbers is 2000 to 2999. A basic ACL defines rules based on the
Layer 3 source IP addresses only to analyze and process data packets.
The effective range for advanced ACL numbers is 3000 to 3999. An advanced ACL defines rules
according to the source and destination IP addresses of packets, the type of protocol over IP, TCP/UDP
source and destination ports, and so on.
An advanced ACL supports the following match modes:
Normal matchMatches Layer 3 information. Non-layer 3 information is ignored. The default

mode is normal match mode.
Exact matchMatches all advanced ACL rules. For this reason, you must enable fragment
inspection for the firewall to record the status of the first fragment of each packet and obtain the
match information of the subsequent fragments. The exact match mode is not supported on the
device.
You can neither enable packet filtering on an interface in an aggregation group, nor add an interface
with packet filtering enabled to an aggregation group.
Configuring IPv6 packet filtering on an interface

IPv6 packet filtering is a basic firewall function of an IPv6-based ACL. You can configure IPv6 packet
filtering in the inbound or outbound direction of an interface so that the interface filters packets that
match the IPv6 ACL rules.
To configure IPv6 packet filtering on an interface:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter interface view.
interface-number
N/A
3.
4.
Configure IPv6 packet filtering

on an interface.
firewall packet-filter ipv6

{ acl6-number | name acl6-name }
{ inbound | outbound }
Display the packet filtering

statistics of the IPv6 firewall.
display firewall ipv6 statistics { all

| interface interface-type
interface-number } [ | { begin |
exclude | include }
72
IPv6 packets are not filtered by

default.
You can apply only one IPv6 ACL
in one direction of an interface for
packet filtering.
Step
Clear the packet filtering
statistics of the IPv6 firewall.
5.
Command
Remarks
reset firewall ipv6 statistics { all |

interface-number }
Configuring an ASPF
ASPF can be configured at the CLI and in the Web interface. This section describes only the CLI
configuration for ASPF. For ASPF configuration in the Web interface, see Access Control Configuration
Guide.
ASPF configuration task list

Task
Remarks
Configuring port mapping
Optional.
Enabling ASPF for an interzone instance
Required.
Configuring port mapping

Two mapping mechanisms exist: general port mapping and basic ACLbased host port mapping.
General port mappingRefers to a mapping of a user-defined port number to an application layer

protocol. If port 8080 is mapped to HTTP, for example, all TCP packets the destination port of which
is port 8080 are regarded as HTTP packets.
Host port mappingRefers to a mapping of a user-defined port number to an application layer

protocol for packets to some specific hosts. For example, you can establish a host port mapping so
that all TCP packets using port 8080 sent to the network segment 10.110.0.0 are regarded as HTTP
packets. The address range of hosts can be specified by means of a basic ACL.
To configure port mapping:

Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Configure mapping
between the port and the
application protocol.
port-mapping
application-name port
port-number [ acl
acl-number ]

At present, the application layer protocols
supported by this function include FTP, GTP,
H323, HTTP, RTSP, SCCP, SIP, SMTP, SQLNET.
Enabling ASPF for an interzone instance

An interzone instance specifies the service traffic for security inspection by specifying a source zone and
a destination zone. The source zone refers to the zone where the network device receives the first packet
of the service traffic, and the destination zone refers to the zone out of which the network device sends
the first packet. You can enable ASPF for an interzone instance to inspect the specified service traffic.
To enable ASPF for an interzone instance:
73
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
switchto vd vd-name
3.
Enter interzone instance view.
interzone souce souce-zone-name

destination destination-zone-name
N/A
4.
Enable ASPF for the interzone

instance.
firewall aspf enable [ icmp-error

drop | tcp syn-check ]
For more information about security zones, see Access Control Configuration Guide..
Displaying ASPF
Task
Command
Remarks
Display the port mapping

information.
display port-mapping [ application-name |

port port-number ] [ | { begin | exclude |
ASPF configuration example

Configure ASPF on the firewall to allow access from internal users to the remote server, deny access from
the external network to the internal users, and drop non-SYN TCP first packets from the internal network
to the external network.
# Add interface GigabitEthernet 0/1 and GigabitEthernet 0/2 to zone Trust and Untrust, respectively.
[Firewall] zone name Trust
[Firewall-zone-Trust] import interface gigabitethernet 0/1
[Firewall-zone-Trust] quit
[Firewall] zone name Untrust
[Firewall-zone-Untrust] import interface gigabitethernet 0/2
[Firewall-zone-Untrust] quit
# Create an interzone instance, with the source zone being Trust and the destination zone being Untrust.
[Firewall] interzone source Trust destination Untrust
74
# Enable ASPF for the interzone instance.

[Firewall-interzone-trust-untrust] firewall aspf enable tcp syn-check
75
Configuring content filtering

Overview
Content filtering enables the device to filter contents carried in HTTP packets, SMTP packets, POP3
packets, FTP packets, and Telnet packets, to prevent internal users from accessing illegal websites or
sending junk emails and prevent packets carrying illegal contents from entering the internal network.
Upon receiving HTTP, SMTP, POP3, FTP, or Telnet packets, the device first matches the packets against
interzone policies. If the action of the matching interzone policy rule is permit and the policy rule is
configured with a content filtering policy, the device proceeds matching the packets against the content
filtering policy to filter out illegal packets. For more information about interzone policies, see Access
Control Configuration Guide.
HTTP packet content filtering

The HTTP packet content filtering, hereafter referred to as HTTP filtering, provides the following functions:
Uniform Resource Locator (URL) hostname filteringChecks the hostname in the required URL of an
HTTP request to block internal users from accessing specific websites.
Header filteringThe Header field in an HTTP response usually contains the type of the current web
page (such as text and figure), the content length, the basic server information (such as server type
and response time), and the HTTP version. Using header filtering, the device can block HTTP
responses with specified information carried in the header.
Body filteringFilters the message body in an HTTP packet from a server to a client, which is the
content to be displayed by the browser. In this way, the device can block HTTP packets with
specified body contents, to prevent illegal contents from spreading over the internal network.
URL IP blockingBlocks all HTTP requests that carry an IP address in the URL, to prevent internal
users from using IP addresses to access websites.
URL parameter filteringProtects websites against attacks that use URL parameters. For example,
URL parameter filtering matches each HTTP request against the keywords of Structured Query
Language (SQL) statements and other characters that may constitute an SQL statement. If they match,
the device considers the request an SQL injection attack packet and drops it. The device supports
URL parameter filtering of HTTP requests for the Get, Post, or Put operation. Web pages are usually
dynamic and connected with a database. HTTP allows web requests to query or modify data in the
database. This makes it possible for attackers to fabricate special SQL statements in web requests
to obtain confidential data from the database or break down the database by modifying database
information repeatedly. Such attacks are known as SQL injection attacks.
ActiveX blockingBlocks ActiveX plugin requests to untrusted websites, protecting the network
from being attacked by malicious ActiveX plugins.
Java applet blockingBlocks java applet requests to untrusted websites, protecting the network
from being attacked by malicious java applets.
76
SMTP packet content filtering

The SMTP packet content filtering, hereafter referred to as SMTP filtering, provides the following
functions:
Sender filteringFilters sender addresses in SMTP requests, to prevent specified senders from
sending emails.
Receiver filteringFilters receiver addresses (including recipients and carbon copy or named CC
recipients) in SMTP requests, to prevent internal users from sending emails to the specified receiver
addresses.
Subject filteringFilters email subjects in SMTP requests, to prevent users from sending emails that
contain specified subject keywords.
Body filteringFilters email bodies in SMTP requests, to prevent users from sending emails that
contain specified body keywords.
Attachment filteringChecks the names and contents of the attachments in SMTP requests, to
prevent users from sending emails that carry attachments with specified names or content keywords.
Illegal command blockingBlocks SMTP requests that carry illegal command words. Legal
command words considered by content filtering include HELO, EHLO, RSET, QUIT, DATA, NOOP,
HELP, EXPN, TURN, VRFY, SOML, SAML, SEND, MAIL, RCPT, and AUTH.
Oversize email blockingLimits the size of the emails from internal users and blocks oversized
emails.
POP3 packet content filtering

The POP3 packet content filtering, hereafter referred to as POP3 filtering, provides the following
functions:
Sender filteringFilters sender addresses in POP3 responses, to prevent users from receiving
emails from the specified senders.
Receiver filteringFilters receiver addresses (including recipients and CC recipients) in POP3

responses, to block emails that contain the specified receiver addresses.
Subject filteringFilters email subjects in POP3 responses, to prevent users from receiving emails
that contain specified subject keywords.
Body filteringFilters email bodies in POP3 responses, to prevent users from receiving emails that
contain specified body keywords.
Attachment filteringChecks the names and contents of the attachments in POP3 responses, to
prevent users from receiving emails that carry attachments with specified names or content
keywords.
FTP packet content filtering

The FTP packet content filtering, hereafter referred to as FTP filtering, provides the following functions:
Command word filteringBlocks FTP requests that carry the specified command words. FTP
command words refer to the command words carried in the FTP requests rather than the command
words in command lines. They include RETR, STOR, APPE, USER, PASS, PORT, PASV, RNFR, RNTO,
DELE, LIST, and QUIT. For example, to upload a file named 123.txt, you enter command put 123.txt.
In this case, the FTP command word to be filtered is not put but STOR.
Upload filename filteringFilters filenames carried in FTP upload requests, to prevent clients from
uploading files with the specified names to the server.
77
Download filename filteringFilters filenames carried in FTP download requests, to prevent clients
from downloading files with the specified names from the server.
Telnet packet content filtering

Telnet packet content filtering, hereafter referred to as Telnet filtering, filters command words in Telnet
requests. Telnet filtering prevents Telnet users from executing specific commands, such as format and
reboot, which greatly affect the normal operation of the device.
Telnet command filtering supports the following characters:
Visible charactersASCII codes 0x20 to 0x7e.
Special charactersASCII codes 0x0, 0x8, 0x0d, 0x0d00, and 0x0d0a.
OthersCursor Left (0x1b5b44) and Cursor Right (0x1b5b43).
Wildcard usage in URL hostname filtering keywords:

{
The caret (^) matches the beginning of the string. It can be used only once in a keyword and
must be at the beginning.
The dollar sign ($) matches the end of the string. It can be used only once in a keyword and
must be at the end.
The ampersand (&) matches a single character other than dot (.) and space. It can be used for
multiple times in a keyword, consecutively or non-consecutively. It can appear at any position
of a keyword, but cannot be used next to asterisk (*).
The asterisk (*) matches any number of characters excluding dot (.). It can be used only once
in a keyword and must be at the beginning or in the middle. It cannot be used at the end or next
to ^ or dollar sign ($).
A keyword with caret (^) at the beginning or dollar sign ($) at the end indicates an exact match.
For example, keyword ^webfilter matches website addresses starting with webfilter (such as
webfilter.com.cn) or containing webfilter at the beginning of a string after a dot (such as
cmm.webfilter-any.com). Keyword ^webfilter$ matches website addresses containing
standalone word webfilter like www.webfilter.com; it does not match website addresses like
www.webfilter-china.com.
A keyword with no wildcard used at the beginning and end indicates a fuzzy match, and
matches website addresses containing the keyword.
A filtering keyword with only numerals is invalid. To filter a website address like www.123.com,
you can define a keyword like ^123$, www.123.com, or 123.com, instead of 123. H3C
recommends you to use exact match to filter such website addresses.
Wildcard usage in URL parameter filtering keywords:

{
The caret (^) matches the beginning of the string. It can be used only once in a keyword and
must be at the beginning.
The dollar sign ($) matches the end of the string. It can be used only once in a keyword and
must be at the end.
The ampersand (&) matches any single character. It can be used for multiple times in a keyword,
consecutively or non-consecutively. It can appear at any position of a keyword, but cannot be
used next to asterisk (*).
78
The asterisk (*) matches any string of up to 4 characters, including spaces. It can be used only
once in a keyword and must not be at the beginning or end.
A keyword with caret (^) at the beginning or dollar sign ($) at the end indicates an exact match.
For example, keyword ^webfilter$ matches URLs containing standalone word webfilter, like
www.abc.com/webfilter any; it does not match URLs like www.abc.com/webfilterany.
A keyword with no wildcard used at the beginning and end indicates a fuzzy match, and
matches URLs containing the keyword.
Configuring content filtering in the Web interface

Step
Description
1.
Configuring a keyword filtering policy
Required.
2.
Configuring a content filtering policy
Required.
3.
Configuring a content filtering policy template
Required.
Required.
4.
Configure an interzone policy to be used between the

source and destination security zones, and apply the
content filtering policy template to the interzone policy.
In this way, the device can filter packets that match the
interzone policy.
Configuring an interzone policy
You must set the action to Permit in the interzone policy

to make the referenced content filtering policy template
take effect.
For more information, see Access Control Configuration
Guide.
5.
Optional.
Displaying content filtering statistics
View the statistics of various content filtering functions.
Configuring a keyword filtering policy

You can configure filtering entries and filtering keywords as needed.
To configure filtering entries and filtering keywords:
79
Step
Description
Keyword filtering entries include:
HTTP keyword filtering entriesFor header filtering and body filtering in

HTTP filtering policies.
SMTP keyword filtering entriesFor subject filtering, body filtering, and

attachment content filtering in SMTP filtering policies.
Configuring a keyword
filtering entry
POP3 keyword filtering entriesFor subject filtering, body filtering, and

attachment content filtering in POP3 filtering policies.
FTP keyword filtering entriesFor command word filtering in FTP filtering

polices.
Telnet keyword filtering entriesFor command word filtering in Telnet

filtering policies.
By default, no keyword filtering entries exist.
Configuring a URL
hostname filtering
Used for URL hostname filtering in HTTP filtering policies.

By default, no URL hostname filtering entries exist.
Filename filtering entries include:
SMTP filename filtering entriesFor attachment name filtering in SMTP

filtering policies.
Configuring a filename
filtering
POP3 filename filtering entriesFor attachment name filtering in POP3

filtering policies.
FTP filename filtering entriesFor upload filename filtering and download

filename filtering in FTP filtering policies.
By default, no filename filtering entries exist.

Email address filtering entries include:
SMTP email address filtering entriesFor sender filtering and receiver

Configuring an email
address filtering entry
filtering in SMTP filtering policies.
POP3 email address filtering entriesFor sender filtering and receiver

filtering in POP3 filtering policies.
By default, no mail address filtering entries exist.

Add keywords to be used for URL parameter filtering in HTTP filtering policies.
Configuring URL parameter
filtering keywords
The system provides the following predefined URL parameter filtering keywords:
^select$, însert$, ûpdate$, ^delete$, ^drop$, --, , êxec$, and %27.
By default, the predefined URL parameter filtering keywords are not used. In this
case, you can define the same URL parameter filtering keywords as the system
predefined ones, and, these keywords are still used as user-defined keywords
even after you enable the predefined keywords.
Configuring java blocking

keywords
Used for java applet blocking in HTTP filtering policies.
Configuring ActiveX
blocking keywords
Used for ActiveX blocking in HTTP filtering policies.
By default, the following java suffix keywords exist: .class and .jar.
By default, the system has the ActiveX suffix keyword: .ocx.
Configuring keyword filtering entries

1.
From the navigation tree, select Identification > Content Filtering > Filtering Entry.
The keyword filtering entry list page appears.
80
Figure 32 Keyword filtering entry list
2.
Click Add to enter the page for adding a keyword filtering entry, as shown in Figure 33.
Figure 33 Adding a keyword filtering entry
3.
Configure the keyword filtering entry, as described in Table 10.
4.
Click Apply.

Item
Description
Name
Specify the name of the keyword filtering entry.

Specify the keywords for the keyword filtering entry.
Keyword
You can specify up to 16 keywords separated by commas.

You can use a wildcard (*) to represent any string up to 6 characters. Wildcard * can
appear only once in each keyword and cannot be at the start or end of a keyword.
Configuring URL hostname filtering entries

1.
2.
Select the URL Hostname tab to enter the URL hostname filtering entry list page, as shown in Figure
34.
Figure 34 URL hostname filtering entry list
3.
Click Add to enter the page for adding a URL hostname filtering entry, as shown in Figure 35.
81
Figure 35 Adding a URL hostname filtering entry
4.
Configure the URL hostname filtering entry as described in Table 11.
5.
Click Apply.

Item
Description
Name
Specify the name of the URL hostname filtering entry.

Specify URL hostname keywords for the URL hostname filtering entry.
URL Hostname
You can specify up to 16 keywords separated by commas.

See "Configuration guidelines" for the rules of using wildcards.
Configuring filename filtering entries

1.
2.
Select the Filename tab to enter the filename filtering entry list page, as shown in Figure 36.
Figure 36 Filename filtering entry list
3.
Click Add to enter the page for adding a filename filtering entry, as shown in Figure 37.
Figure 37 Adding a filename filtering entry
4.
Configure the filename filtering entry as described in Table 12.

82
5.
Click Apply.

Item
Description
Name
Specify the name of the filename filtering entry.

Specify filename keywords for the filename filtering entry.
You can specify up to 16 filename keywords separated by commas.
If you specify a filename keyword in the format of filename.extension, the device will perform
exact match for this keyword. You can use a wildcard (*) to stand for the filename part, the
extension, or a string of up to 6 characters in the filename or extension. In each keyword,
wildcard * can be present only once in the filename and once in the extension. If multiple
dots (.) are present in the keyword, the content following the last dot is regarded as the
extension.
Filename
If you specify a filename keyword containing no dots, the device will perform fuzzy match for
this keyword. You can use wildcard * to stand for a string of up to 6 characters in the
keyword. In each keyword, wildcard * can be present only once.
Configuring email address filtering entries

1.
2.
Select the Email Address tab to enter the email address filtering entry list page, as shown in Figure
38.
Figure 38 Email address filtering entry list
3.
Click Add to enter the page for adding an email address filtering entry, as shown in Figure 39.
Figure 39 Adding an email address filtering entry
4.
Configure the email address filtering entry as described in Table 13.
5.
Click Apply.

Item
Description
Name
Specify the name of the email address filtering entry.
83
Item
Description
Specify email address keywords for the email address filtering entry, in the
format of username@domain name.
Email Address
You can specify up to 16 email address keywords separated by commas.

You can use a wildcard (*) to stand for any number of characters excluding dot
(.) and use it only in the format of *@domain name or *@*domain name.
Configuring URL parameter filtering keywords

1.
2.
Click the URL Parameter tab to enter the URL parameter filtering keyword list page, as shown
in Figure 40.
Figure 40 URL parameter filtering keyword setup
3.
Select the Use the Default Filtering Keywords box and click Apply to enable the system predefined
URL parameter filtering keywords, as shown in Figure 41.
Figure 41 Using the default filtering keywords
4.
Click Add to enter the page for adding a URL parameter filtering keyword, as shown in Figure 42.
5.
Specify a URL parameter filtering keyword.

84
See Figure 42 for the requirements on a keyword. See "Configuration guidelines" for the rules of
using wildcards. A keyword string can contain spaces, but consecutive spaces are not allowed.
6.
Click Apply.
Figure 42 Adding a URL parameter filtering keyword
Configuring java blocking keywords

1.
2.
Select the Java tab to enter the java blocking keyword list page, as shown in Figure 43.
Figure 43 Java blocking keywords setup
3.
Click Add to enter the page for adding a java blocking keyword, as shown in Figure 44.
4.
Specify a suffix keyword for java blocking.

See Figure 44 for the requirements on a keyword.
5.
Click Apply.
Figure 44 Adding a java blocking keyword
Configuring ActiveX blocking keywords

1.
2.
Select the ActiveX tab to enter the ActiveX blocking keyword list page, as shown in Figure 45.
85
Figure 45 ActiveX blocking keywords setup
3.
Click Add to enter the page for adding an ActiveX blocking keyword, as shown in Figure 46.
4.
Specify a suffix keyword for ActiveX blocking.

See Figure 46 for the requirements on a keyword.
5.
Click Apply.
Figure 46 Adding an ActiveX blocking keyword
Configuring a content filtering policy

Content filtering policies fall into HTTP filtering policies, SMTP filtering policies, POP3 filtering policies,
FTP filtering policies, and Telnet filtering policies. You can configure one or more content filtering policies
as needed.
To configure content filtering policies:
Step
Remarks
Configuring an HTTP filtering policy
By default, no HTTP filtering policies exist.
Configuring an SMTP filtering policy
By default, no SMTP filtering policies exist.
Configuring a POP3 filtering policy
By default, no POP3 filtering policies exist.
Configuring an FTP filtering policy
By default, no FTP filtering policies exist.
Configuring a Telnet filtering policy
By default, no Telnet filtering policies exist.

1.
From the navigation tree, select Identification > Content Filtering > Filtering Policy.
The HTTP filtering policy list page appears, as shown in Figure 47.
86
Figure 47 HTTP filtering policy list
2.
Click Add to enter the page for adding an HTTP filtering policy, as shown in Figure 48.
Figure 48 Adding an HTTP filtering policy
3.
Configure the HTTP filtering policy as described in Table 14.
4.
Click Apply.

Item
Description
Name
Specify the name for the HTTP filtering policy.
URL Filtering
Select the filtering entries to be used for URL

hostname filtering.
Header Filtering
Select the filtering entries to be used for header

filtering.
Body Filtering
Select the filtering entries to be used for body

filtering.
URL IP Blocking
Specify whether to prevent internal users from

using IP addresses in URLs to access websites.
87
IMPORTANT:
Packets that match

these filtering
conditions will be
dropped.
You must configure or
enable at least one of

these items.
Item
Description
Specify whether to enable URL parameter filtering.
URL Parameter Filtering
If you select this item, all URL parameter filtering

keywords are effective.
Specify whether to enable ActiveX blocking.
ActiveX Blocking
If you select this item, all ActiveX blocking

keywords are effective.
Specify whether to enable java applet blocking.
Java Applet Blocking
If you select this item, all java blocking keywords

are effective.
Specify whether to log packet matching events.
IMPORTANT:
Enable Logging
The logging function takes effect only when it is enabled in both the content filtering
policy and the interzone policy.

1.
2.
Select the SMTP Policy tab to enter the SMTP filtering policy list page, as shown in Figure 49.
Figure 49 SMTP filtering policy list
3.
Click Add to enter the page for adding an SMTP filtering policy, as shown in Figure 50.
4.
Configure the SMTP filtering policy, as described in Table 15.
5.
Click Apply.
88
Figure 50 Adding an SMTP filtering policy

Item
Description
Name
Specify the name for the SMTP filtering policy.
Sender Filtering
Select the filtering entries to be

used for sender filtering.
Receiver Filtering

used for receiver filtering.
Subject Filtering

used for subject filtering.
Body Filtering

used for body filtering.
Attachment Name
Filtering

used for attachment name
filtering.
Attachment Content
Filtering

used for attachment content
filtering.
Attachment Filtering
Specify whether to block SMTP

requests that carry illegal
command words.
IllegalCmd Blocking
Specify whether to block

oversize emails sent by internal
users.
Oversize Mail Blocking
If you select this option, you

need to specify the maximum
size allowed in bytes.
89
IMPORTANT:
Packets that match

these filtering
conditions will be
dropped.
You must configure

or enable at least
one of these items.
Item
Description
IMPORTANT:
Enable Logging
The logging function takes effect only when it is enabled in

both the content filtering policy and the interzone policy.

1.
2.
Select the POP3 Policy tab to enter the POP3 filtering policy list page, as shown in Figure 51.
Figure 51 POP3 filtering policy list
3.
Click Add to enter the page for adding a POP3 filtering policy, as shown in Figure 52.
Figure 52 Adding a POP3 filtering policy
4.
Configure the POP3 filtering policy, as described in Table 16.
5.
Click Apply.

Item
Description
Name
Specify the name for the POP3 filtering policy.

90
Item
Description
Sender Filtering
Select the filtering entries to be used for

sender filtering.
Receiver Filtering

receiver filtering.
Subject Filtering

subject filtering.
Body Filtering

body filtering.
Attachment
Filtering
Attachment
Name Filtering

attachment name filtering.
Attachment
Content Filtering

attachment content filtering.
IMPORTANT:
Packets that match

these filtering
conditions will be
dropped.
You must configure at

least one of these
items.

Enable Logging
IMPORTANT:
The logging function takes effect only when it is enabled in both the
content filtering policy and the interzone policy.

1.
2.
Select the FTP Policy tab to enter the FTP filtering policy list page, as shown in Figure 53.
Figure 53 FTP filtering policy list
3.
Click Add to enter the page for adding an FTP filtering policy, as shown in Figure 54.
91
Figure 54 Adding an FTP filtering policy
4.
Configure the FTP filtering policy, as described in Table 17.
5.
Click Apply.

Item
Description
Name
Specify the name for the FTP filtering policy.
Command Filtering

command word filtering.
Upload Filename Filtering

upload filename filtering.
Download Filename Filtering

download filename filtering.
IMPORTANT:
Packets that match

these filtering
conditions will be
dropped.
You must configure at

least one of these
items.

IMPORTANT:
Enable Logging
The logging function takes effect only when it is enabled in both the content
filtering policy and the interzone policy.

1.
2.
Select the Telnet Policy tab to enter the Telnet filtering policy list page, as shown in Figure 55.
Figure 55 Telnet filtering policy list
92
3.
Click Add to enter the page for adding a Telnet filtering policy, as shown in Figure 56.
Figure 56 Adding a Telnet filtering policy
4.
Configure the Telnet filtering policy, as described in Table 18.
5.
Click Apply.

Item
Description
Name
Specify the name for the Telnet filtering policy.

Select the filtering entries to be used for command word filtering.
Command Filtering
IMPORTANT:
Packets that match these filtering conditions will be dropped.

You must select at least one command word filtering entry for the
Telnet filtering policy.

Enable Logging
IMPORTANT:
The logging function takes effect only when it is enabled in both the content
filtering policy and the interzone policy.

You can configure a content filtering policy template in the content filtering module or in the interzone
policy module. The configuration items in the two modules are the same. This chapter describes the
policy template configuration in the content filtering module. For that in the interzone policy module, see
Access Control Configuration Guide.
1.
From the navigation tree, select Identification > Content Filtering > Policy Template.
The policy template list page appears, as shown in Figure 57.
93
Figure 57 Policy template list
2.
Click Add to enter the page for adding a content filtering policy template, as shown in Figure 58.
Figure 58 Adding a content filtering policy template
3.
Configure the content filtering policy template, as described in Table 19.
4.
Click Apply.

Item
Description
Name
Enter the name of the content filtering policy template.
HTTP Filtering Policy
Select the HTTP filtering policy to be used in

the content filtering policy template.
SMTP Filtering Policy
Select the SMTP filtering policy to be used in

POP3 Filtering Policy
Select the POP3 filtering policy to be used in

FTP Filtering Policy
Select the FTP filtering policy to be used in

Telnet Filtering Policy
Select the Telnet filtering policy to be used in

94
IMPORTANT:
You must specify at least one
filtering policy.
Displaying content filtering statistics

From the navigation tree, select Identification > Content Filtering > Statistic Information. The content
filtering statistics page appears, as shown in Figure 59. You can view the statistics of each content
filtering function.
Figure 59 Statistic information
Content filtering configuration example

As shown in Figure 60, hosts in LAN segment 192.168.1.0/24 access the Internet through the firewall.
Security zones Trust and Untrust are configured on the device for the LAN and the Internet respectively.
On the firewall:
Enable HTTP body filtering to block HTTP responses that carry keyword abc.
Enable HTTP java applet blocking to block java applet requests to all websites except the one with
IP address 5.5.5.5.
Enable SMTP attachment name filtering to block all emails that carry .exe attachments.
Enable FTP upload filename filtering to prevent users from uploading files that carry system in the
filenames.
95
Enable Telnet command word filtering to prevent users from executing commands that carry the
command keyword reboot.

1.
Configure IP addresses for the interfaces of the device and assign the interfaces to security zones.
(Details not shown.)
2.
Configure a keyword filtering entry named abc:

a. From the navigation tree, select Identification > Content Filtering > Filtering Entry.
The keyword filtering entry list page appears.

b. Click Add.
c.
Enter the entry name abc, and the keyword abc as shown in Figure 61.
d. Click Apply.
Figure 61 Configure keyword filtering entry abc
3.
Configure a Telnet keyword filtering entry reboot:

a. Select the Keyword tab, and then click Add.
b. Enter the entry name reboot, and the keyword reboot as shown in Figure 62.
c.
Click Apply.
96
Figure 62 Configuring keyword filtering entry reboot
4.
Configure an SMTP filename filtering entry .exe:

a. Select the Filename tab.
b. Click Add.
c.
Enter the entry name exe, and the filename keyword *.exe as shown in Figure 63.
d. Click Apply.
Figure 63 Configuring a filename filtering entry *.exe
5.
Configure an FTP filename filtering entry system:

a. Select the Filename tab, and then click Add
b. Enter the entry name system, and the filename keyword system as shown in Figure 64.
c.
Click Apply.
Figure 64 Configuring a filename filtering entry system
6.
Configure an HTTP filtering policy without java applet blocking:

a. From the navigation tree, select Identification > Content Filtering > Filtering Policy.
The HTTP filtering policy list page appears.

b. Click Add.
c.
Enter the policy name http_policy1.
d. Click Body Filtering.

e. Select body filtering entry abc in the available filtering entry list, and then click << to add it to
the selected filtering entry list.

f.
Click Apply.
97
Figure 65 Configuring an HTTP filtering policy without java applet blocking
7.
Configure an HTTP filtering policy with java applet blocking:

a. On the HTTP filtering policy list page, click Add.
b. Enter the policy name http_policy2.
c.
Click Body Filtering.
d. Select body filtering entry abc in the available filtering entry list, and then click << to add it to
the selected filtering entry list.

e. Select the box before Java Applet Blocking.
f.
Click Apply.
98
Figure 66 Configuring an HTTP filtering policy with java applet blocking
8.
Configure an SMTP filtering policy:

a. Select the SMTP Policy tab.
b. Click Add.
c.
Enter the policy name smtp_policy.
d. Click Attachment Filtering.

e. In the Attachment Name Filtering area, select filename filtering entry exe in the available
filtering entry list, and then click << to add it to the selected filtering entry list.
f.
Click Apply.
99
Figure 67 Configuring an SMTP filtering policy
9.
Configure an FTP filtering policy:

a. Select the FTP Policy tab.
b. Click Add.
c.
Enter the policy name ftp_policy.
d. Click Upload Filename Filtering.

e. Select filename filtering entry system in the available filtering entry list, and then click << to add
it to the selected filtering entry list.

f.
Click Apply.
100
Figure 68 Configuring an FTP filtering policy
10.
Configure a Telnet filtering policy:

a. Select the Telnet tab.
b. Click Add.
c.
Enter the policy name telnet_policy.
d. Click Command Filtering.

e. Select command filtering entry reboot in the available filtering entry list, and then click << to
add it to the selected filtering entry list.

f.
Click Apply.
101
Figure 69 Configuring a Telnet filtering policy
11.
Configure a content filtering policy template without java applet blocking:

a. From the navigation tree, select Identification > Content Filtering > Policy Template.
b. Click Add.
c.
Enter the template name template1.
d. Select HTTP filtering policy http_policy1, SMTP filtering policy smtp_policy, FTP filtering policy
ftp_policy, and Telnet filtering policy telnet_policy.
e. Click Apply.
Figure 70 Configuring a content filtering policy template without java applet blocking
12.
Configure a content filtering policy template with java applet blocking:

a. From the navigation tree, select Identification > Content Filtering > Policy Template.
b. Click Add.
c.
Enter the template name template2.

102
d. Select HTTP filtering policy http_policy2, SMTP filtering policy smtp_policy, FTP filtering policy
ftp_policy, and Telnet filtering policy telnet_policy.
e. Click Apply.
Figure 71 Configuring a content filtering policy template with java applet blocking
13.
Configure an interzone policy for traffic from security zone Trust to destination 5.5.5.5 in security
zone Untrust, referencing the content filtering policy template without java applet blocking:
a. From the navigation tree, select Firewall > Security Policy > Interzone Policy.
b. Click Add.
c.
Select Trust as the source zone and Untrust as the destination zone.
d. Select any_address as the source IP address. In the Destination IP Address area, select the New
IP Address option and then enter destination IP address 5.5.5.5/0.0.0.0.

e. Select any_service as the service name and Permit as the filter action.
f.
Select content filtering policy template template1.
g. Select the Enable the rule box to enable the rule.

h. Select the Continue to add next rule box to add another rule after finishing this one.
i.
Click Apply.
103
Figure 72 Configuring the interzone policy referencing the template without java applet blocking
14.
Configure an interzone policy for traffic from security zone Trust to security zone Untrust,
referencing the content filtering policy template with java applet blocking:
a. Select Trust as the source zone and Untrust as the destination zone.
b. Select any_address as the source IP address and destination IP address.
c.
Select any_service as the service name and Permit as the filter action.
d. Select content filtering policy template template2.

e. Select the Enable the rule box to enable the rule.
f.
Click Apply.
104
Figure 73 Configuring the interzone policy referencing the template with java applet blocking

After the previous configurations, LAN users cannot receive HTTP responses that carry keyword abc, send
java applet requests to Web servers except server 5.5.5.5, send emails with .exe attachments, upload
files named abc through FTP, or execute Telnet command reboot.
After the firewall runs for a period of time, select Identification > Content Filtering > Statistic Information
from the navigation tree. You can see the content filtering statistics, as shown in Figure 74.
105
Figure 74 Content filtering statistics
Configuring content filtering at the CLI

Content filtering configuration task list
1.
Configure keyword filtering entries and add keywords, URL hostnames, file names, and email
addresses to be filtered to each entry. You can also configure URL parameter filtering keywords,
java blocking keywords, and ActiveX blocking keywords in system view. These keywords take
effect without being applied to a content filtering policy or a content filtering policy template.
2.
Configure a content filtering policy and apply the keyword filtering entries to the policy.
3.
Configure a content filtering policy template and apply the content filtering policy to the template.
4.
Configure an interzone policy rule, and apply the content filtering policy template to the interzone
policy rule. For information about interzone policy rule and interzone policy, see Access Control
To configure content filtering, perform the following tasks:
106
Tasks at a glance
(Required.) Configure filtering entries and keywords:
Configuring a keyword filtering entry

Configuring a URL hostname filtering entry
Configuring a filename filtering entry
Configuring an email address filtering entry
(Required.) Configure filtering policy:

(Required.) Configuring a content filtering policy template
Configuring a keyword filtering entry

You can specify multiple keywords in a keyword filtering entry to implement the following filtering:
HTTP header and body filtering
SMTP subject, body, and attachment filtering
POP3 subject, body, and attachment filtering
FTP command word filtering
Telnet command word filtering
To configure a keyword filtering entry:

Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter virtual device

(VD) view.
switchto vd vd-name
3.
Create a keyword
filtering entry and
enter its view.
content-filtering keyword-entry
keyword-entry-name
By default, no keyword filtering entry

exists.
4.
Add a keyword to the

keyword entry.
keyword fix-string keyword
Optional.
By default, a keyword filtering entry
does not have any keyword.
NOTE:
Keyword filtering entries created in system view belong to the default VD.
Keyword filtering entries created in VD view belong to the corresponding VD.
Configuring a URL hostname filtering entry

You can specify multiple URL hostnames to be filtered in an URL hostname filtering entry.
107
To configure a URL hostname filtering entry:

Step
Commands
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VD view.
switchto vd vd-name
3.
Create a URL hostname

filtering entry and enter its
view.
content-filtering
url-hostname-entry
url-hostname-entry-name
By default, no URL hostname filtering entry

exists.
4.
Add a URL hostname to the

URL hostname filtering entry.
url-hostname fix-string
url-hostname
Optional.
By default, a URL hostname filtering entry
does not have any URL hostname.
NOTE:
URL hostname filtering entries created in system view belong to the default VD.
URL hostname filtering entries created in VD view belong to the corresponding VD.
Configuring a filename filtering entry

You can specify multiple filenames in a filename filtering entry to implement the following filtering:
SMTP attachment filtering
POP3 attachment filtering
FTP upload and download filename filtering
To configure a filename filtering entry:

Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VD view.
switchto vd vd-name
3.
Create a filename filtering

entry and enter its view.
content-filtering filename-entry
filename-entry-name
By default, no filename filtering entry

exists.
4.
Add a filename to the

filename filtering entry.
filename filename
Optional.
By default, a filename filtering entry
does not have any filename.
NOTE:
Filename filtering entries created in system view belong to the default VD.
Filename filtering entries created in VD view belong to the corresponding VD.
Configuring an email address filtering entry

You can specify multiple email addresses in an email address filtering entry to implement the following
filtering:
SMTP sender and receiver filtering
POP3 sender and receiver filtering
To configure an email address filtering entry:
108
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VD view.
switchto vd vd-name
3.
Create an email address

filtering entry and enter its
view.
content-filtering
email-address-entry
email-entry-name
By default, no email address filtering entry

exists.
4.
Add an email address to

the email address filtering
entry.
Optional.
email-address mail-address
By default, an email address filtering entry

does not have any email address.
NOTE:
Email address filtering entries created in system view belong to the default VD.
Email address filtering entries created in VD view belong to the corresponding VD.

Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VD view.
switchto vd vd-name
content-filtering url-filter
parameter { default | keywords
keywords }
By default, the predefined URL parameter

filtering keywords are disabled. In this case,
you can define the same URL parameter
filtering keywords as the system predefined
ones, and, these keywords are still used as
user-defined keywords even after you
enable the predefined keywords.
3.
Configure URL
parameter filtering
keywords.

Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VD view.
switchto vd vd-name
3.
Configure java
blocking keywords.
content-filtering java-blocking suffix

keywords
By default, the following java suffix

keywords exist: .class and .jar.

Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VD view.
switchto vd vd-name
3.
Configure ActiveX
blocking keywords.
content-filtering activex-blocking suffix

keywords
By default, the system has the

ActiveX suffix keyword .ocx.
109

You can specify multiple filtering entries for filtering HTTP packets in an HTTP filtering policy. Packets that
match any filtering entry are dropped.
An HTTP filtering policy can contain different types of filtering entries and each type can contain multiple
filtering entries.
To configure an HTTP filtering policy:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VD view.
switchto vd vd-name
This command is required for entering the

system view of a non-default VD.
3.
Create an HTTP
filtering policy and
enter its view.
content-filtering http-policy
policy-name
By default, no HTTP filtering policy exists.
Specify a URL
hostname filtering
entry for URL filtering.
url-filtering url-hostname-entry
url-hostname-entry-name
Specify a keyword
filtering entry for
header filtering.
head-filtering keyword-entry
keyword-entry-name
Specify a keyword
filtering entry for
body filtering.
body-filtering keyword-entry
keyword-entry-name
7.
Enable URL IP
address blocking.
url-ip-blocking enable
8.
Enable URL
parameter blocking.
url-parameter-filtering enable
9.
Enable ActiveX
blocking.
activex-blocking enable
4.
5.
6.
10. Enable java applet

blocking.
Optional.
By default, no URL hostname filtering entry
is specified for URL filtering.
Optional.
By default, no keyword filtering entry is
specified for header filtering.
Optional.
specified for body filtering.
Optional.
By default, URL IP address blocking is
disabled.
Optional.
By default, URL parameter blocking is
disabled.
Optional.
By default, ActiveX blocking is disabled.
Optional.
java-applet-blocking enable
By default, java applet blocking is

disabled.
Optional.
11. Enable HTTP filtering

logging.
By default, HTTP filtering logging is

disabled.
logging enable
HTTP filtering logging takes effect only

when interzone policy rule logging is
enabled.
NOTE:
HTTP filtering policies created in system view belong to the default VD.
HTTP filtering policies created in VD view belong to the corresponding VD.
110

You can specify multiple filtering entries for filtering SMTP packets in an SMTP filtering policy. Packets that
An SMTP filtering policy can contain different types of filtering entries and each type can contain multiple
filtering entries.
To configure an SMTP filtering policy:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VD view.
switchto vd vd-name

3.
Create a SMTP
enter its view.
content-filtering smtp-policy
policy-name
By default, no SMTP filtering policy exists.
Specify an email
for sender filtering.
sender-filtering email-entry
email-entry-name
Specify an email
for receiver filtering.
receiver-filtering email-entry
email-entry-name
Specify a keyword
filtering entry for
subject filtering.
subject-filtering keyword-entry
keyword-entry-name
Specify a keyword
filtering entry for
body filtering.
keyword-entry-name
Specify a filename
filtering entry for
attachment name
filtering.
attachment-name-filtering
filename-entry
filename-entry-name
Optional.
Specify a keyword
filtering entry for
attachment content
filtering.
attachment-body-filtering
keyword-entry
keyword-entry-name
Optional.
4.
5.
6.
7.
8.
9.
Optional.
By default, no email address filtering entry is
specified for sender filtering.
Optional.
By default, no email address filtering entry is
specified for receiver filtering.
Optional.
specified for subject filtering.
Optional.
By default, no filename filtering entry is

specified for attachment name filtering.

specified for attachment content filtering.
Optional.
10. Enable illegal

command word
blocking.
illegal-command-blocking enable
11. Enable oversize

email blocking.
oversize-mail-blocking enable
[ maxsize max-bytes ]
By default, illegal command word blocking

is disabled.
Optional.
By default, oversize email blocking is
disabled.
Optional.
12. Enable SMTP filtering

logging.
By default, SMTP filtering logging is

disabled.
logging enable
SMTP filtering logging takes effect only when

interzone policy rule logging is enabled.
111
NOTE:
SMTP filtering policies created in system view belong to the default VD.
SMTP filtering policies created in VD view belong to the corresponding VD.

You can specify multiple filtering entries for filtering POP3 packets in a POP3 filtering policy. Packets that
A POP3 filtering policy can contain different types of filtering entries and each type can contain multiple
filtering entries.
To configure a POP3 filtering policy:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VD view.
switchto vd vd-name

3.
Create a POP3
enter its view.
content-filtering pop3-policy
policy-name
By default, no POP3 filtering policy exist.
Specify an email
for sender filtering.
sender-filtering email-entry
email-entry-name
Specify an email
for receiver filtering.
receiver-filtering email-entry
email-entry-name
Specify a keyword
filtering entry for
subject filtering.
subject-filtering keyword-entry
keyword-entry-name
Specify a keyword
filtering entry for
body filtering.
keyword-entry-name
Specify a filename
filtering entry for
attachment name
filtering.
attachment-name-filtering
filename-entry filename-entry-name
Specify a keyword
filtering entry for
attachment content
filtering.
attachment-body-filtering
keyword-entry
keyword-entry-name
4.
5.
6.
7.
8.
9.
Optional.
is specified for sender filtering.
Optional.
is specified for receiver filtering.
Optional.
By default, no keyword filtering entry exists
is specified for subject filtering.
Optional.
Optional.
specified for attachment name filtering.
Optional.
specified for attachment content filtering.
Optional.
10. Enable POP3 filtering

logging.
By default, POP3 filtering logging is

disabled.
logging enable
POP3 filtering logging takes effect only

when interzone policy rule logging is
enabled.
112
NOTE:
POP3 filtering policies created in system view belong to the default VD.
POP3 filtering policies created in VD view belong to the corresponding VD.

You can specify multiple filtering entries for filtering FTP packets in an FTP filtering policy. Packets that
An FTP filtering policy can contain different types of filtering entries and each type can contain multiple
filtering entries.
To configure an FTP filtering policy:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VD view.
switchto vd vd-name

3.
Create an FTP
enter its view.
content-filtering ftp-policy
policy-name
By default, no FTP filtering policy exists.
Specify a keyword
filtering entry for
command word
filtering.
command-filtering
keyword-entry
keyword-entry-name
Optional.
Specify a filename
filtering entry for
upload filename
filtering.
upload-filename-filtering
filename-entry
filename-entry-name
Optional.
Specify a filename
filtering entry for
download filename
filtering.
download-filename-filtering
filename-entry
filename-entry-name
Optional.
4.
5.
6.

specified for command word filtering.

specified for upload filename filtering.

specified for download filename filtering.
Optional.
7.
Enable FTP filtering

logging.
By default, FTP filtering logging is disabled.
logging enable
FTP filtering logging takes effect only when

NOTE:
FTP filtering policies created in system view belong to the default VD.
FTP filtering policies created in VD view belong to the corresponding VD.

You can specify multiple filtering entries for filtering Telnet packets in a Telnet filtering policy. Packets that
A Telnet filtering policy can contain different types of filtering entries and each type can contain multiple
filtering entries.
To configure a Telnet filtering policy:
113
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VD view.
switchto vd vd-name

3.
Create a Telnet
enter its view.
content-filtering telnet-policy
policy-name
By default, no Telnet filtering policy exists.
Specify a keyword
filtering entry for
command word
filtering.
command-filtering
keyword-entry
keyword-entry-name
4.
Optional.
specified for command word filtering.
Optional.
5.
Enable Telnet filtering

logging.
By default, Telnet filtering logging is

disabled.
logging enable
Telnet filtering logging takes effect only when

NOTE:
Telnet filtering policies created in system view belong to the default VD.
Telnet filtering policies created in VD view belong to the corresponding VD.

A content filtering policy template combines content filtering policies. You can apply configured content
filtering policies in a policy template to filter specific packets.
To configure a content filtering policy template:
Step
Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter VD view.
switchto vd vd-name
This command is required for

entering the system view of a
non-default VD.
3.
Create a content
filtering policy template
and enter its view.
content-filtering policy-template
policy-template-name
By default, no content filtering policy

template exists.
Apply an HTTP filtering policy:

http-policy policy-name
Apply an SMTP filtering policy:

smtp-policy policy-name
4.
Apply a content filtering

policy.
Apply a POP3 filtering policy:

pop3-policy policy-name
Apply an FTP filtering policy:

ftp-policy policy-name
Apply a Telnet filtering policy:

telnet-policy policy-name
114
Configure at least one command.

By default, no content filtering policy
is applied in a policy template.
NOTE:
Content filtering policy templates created in system view belong to the default VD.
Content filtering policy templates created in VD view belong to the corresponding VD.
Displaying and maintaining content filtering

Perform display commands in any view and reset commands in user view.
Task
Command
Displaying URL parameter filtering

information.
display content-filtering url-filter parameter [ all | item keywords |

verbose ] [ | { begin | exclude | include } regular-expression ]
Displaying java blocking information.
display content-filtering java-blocking [ all | item keywords |

Displaying ActiveX blocking

information.
display content-filtering activex-blocking [ all | item keywords |

Display content filtering statistics.
display content-filtering statistics [ vd vd-name ]
Clear content filtering statistics.
reset content-filtering statistics [ vd vd-name ]
Interzone content filtering configuration example

As shown in Figure 75, hosts on the subnet 192.168.1.0/24 can access the Internet through the Firewall.
Perform the following configuration:
Configure HTTP body filtering to block HTTP responses with keyword abc.
Enable HTTP java applet blocking to permit java applet requests only sent to the web server with IP
address 5.5.5.5.
Configure SMTP attachment name filtering to block emails with .exe attachment.
Configure FTP upload filename filtering to block uploaded files with name abc.
Configure Telnet command word filtering to block commands with keyword reboot.
115
1.
Specify the IP addresses for the interfaces and assign the interfaces to appropriate zones. (Details
not shown.)
2.
Configure filtering entries:

# Create a keyword filtering entry kwd1 and enter its view.
[Firewall] content-filtering keyword-entry kwd1
# Add a keyword abc to the entry kwd1.

[Firewall-contflt-keyword-kwd1] keyword fix-string abc
[Firewall-contflt-keyword-kwd1] quit
# Create a keyword filtering entry kwd2 and enter its view.

[Firewall] content-filtering keyword-entry kwd2
# Add a keyword reboot to the entry kwd2.

[Firewall-contflt-keyword-kwd2] keyword fix-string reboot
[Firewall-contflt-keyword-kwd2] quit
# Create a filename filtering entry file1 and enter its view.

[Firewall] content-filtering filename-entry file1
# Add a filename *.exe to the entry file1.

[Firewall-contflt-filename-file1] filename *.exe
[Firewall-contflt-filename-file1] quit
# Create a filename filtering entry file2, and enter its view.

[Firewall] content-filtering filename-entry file2
# Add a filename abc to the entry file2.

[Firewall-contflt-filename-file2] filename abc
[Firewall-contflt-filename-file2] quit
3.
Configure content filtering policies:

# Create an HTTP filtering policy http_policy1 and enter its view.
[Firewall] content-filtering http-policy http_policy1
# Specify the keyword filtering entry kwd1 for HTTP body filtering.
[Firewall-contflt-http-policy-http_policy1] body-filtering keyword-entry kwd1
[Firewall-contflt-http-policy-http_policy1] quit
# Create an HTTP filtering entry http_policy2 and enter its view.

[Firewall] content-filtering http-policy http_policy2
# Specify the keyword filtering entry kwd1 for HTTP body filtering.
[Firewall-contflt-http-policy-http_policy2] body-filtering keyword-entry kwd1
# Enable java applet blocking for http_policy2.

[Firewall-contflt-http-policy-http_policy2] java-applet-blocking enable
[Firewall-contflt-http-policy-http_policy2] quit
# Create an SMTP filtering policy smtp_policy1 and enter its view.

[Firewall] content-filtering smtp-policy smtp_policy1
# Specify the filename filtering entry file1 for SMTP attachment name filtering.
[Firewall-contflt-smtp-policy-smtp_policy1] attachment-name-filtering
filename-entry file1
[Firewall-contflt-smtp-policy-smtp_policy1] quit
116
# Create an FTP filtering policy ftp_policy1 and enter its view.

[Firewall] content-filtering ftp-policy ftp_policy1
# Specify the filename filtering entry file2 for FTP upload filename filtering.
[Firewall-contflt-ftp-policy-ftp_policy] upload-filename-filtering filename-entry
file2
[Firewall-contflt-ftp-policy-ftp_policy] quit
# Create a Telnet filtering policy telnet_policy1 and enter its view.

[Firewall] content-filtering telnet-policy telnet_policy1
# Specify the keyword filtering entry kwd2 for Telnet command word filtering.
[Firewall-contflt-telnet-policy-telnet_policy1] command-filtering keyword-entry
kwd2
[Firewall-contflt-telnet-policy-telnet_policy1] quit
4.
Configure content filtering policy templates:

# Create a content filtering policy template template1 and enter its view.
[Firewall] content-filtering policy-template template1
# Apply the filtering policies http_policy1, smtp_policy1, ftp_policy1, and telnet_policy1 to the
policy template template1.
[Firewall-contflt-policy-template-template1] http-policy http_policy1
[Firewall-contflt-policy-template-template1] smtp-policy smtp_policy1
[Firewall-contflt-policy-template-template1] ftp-policy ftp_policy1
[Firewall-contflt-policy-template-template1] telnet-policy telnet_policy1
[Firewall-contflt-policy-template-template1] quit
# Create a policy template template2 and enter its view.

[Firewall] content-filtering policy-template template2
# Apply the filtering policies http_policy2, smtp_policy1, ftp_policy1, and telnet_policy1 to the
policy template template2.
[Firewall-contflt-policy-template-template2] http-policy http_policy2
[Firewall-contflt-policy-template-template2] smtp-policy smtp_policy1
[Firewall-contflt-policy-template-template2] ftp-policy ftp_policy1
[Firewall-contflt-policy-template-template2] telnet-policy telnet_policy1
[Firewall-contflt-policy-template-template2] quit
5.
Configure an interzone policy that uses the content filtering policy templates:
# Create a subnet object private and specify its subnet 192.168.1.0/24.
[Firewall] object network subnet private
[Firewall-object-network-private] subnet 192.168.1.0 0.0.0.255
[Firewall-object-network-private] quit
# Create an IP address object webserver and specify its IP address 5.5.5.5.

[Firewall] object network host webserver
[Firewall-object-network-webserver] host address 5.5.5.5
[Firewall-object-network-webserver] quit
# Configure an interzone instance for traffic from the Trust zone to the Untrust zone.
[Firewall] interzone source Trust destination Untrust
# Configure an interzone policy rule that uses the content filtering policy template 1 without java
Applet blocking enabled to filter HTTP packets from subnet 192.168.1.0/24 to the web server
5.5.5.5.
[Firewall-interzone-Trust-Untrust] rule permit content-filter template1
117
[Firewall-interzone-Trust-Untrust-rule-0] source-ip private

[Firewall-interzone-Trust-Untrust-rule-0] destination-ip webserver
[Firewall-interzone-Trust-Untrust-rule-0] service any_service
[Firewall-interzone-Trust-Untrust-rule-0] rule enable
[Firewall-interzone-Trust-Untrust-rule-0] quit
# Configure another interzone policy rule that uses the content filtering policy template 2 with java
Applet blocking enabled to filter HTTP packets from subnet 192.168.1.0/24 to external networks.
[Firewall-interzone-Trust-Untrust] rule permit content-filter template2
[Firewall-interzone-Trust-Untrust-rule-1] source-ip private
[Firewall-interzone-Trust-Untrust-rule-1] destination-ip any_address
[Firewall-interzone-Trust-Untrust-rule-1] service any_service
[Firewall-interzone-Trust-Untrust-rule-1] rule enable
[Firewall-interzone-Trust-Untrust-rule-1] quit
[Firewall-interzone-Trust-Untrust] quit

After the proceeding configurations, LAN users cannot receive HTTP responses that carry keyword abc,
send java applet requests to web servers except to server 5.5.5.5, send emails with .exe attachments,
upload files named abc through FTP, or execute Telnet command reboot.
Use the following command to display statistics:
<Firewall> display content-filtering statistics
Content-filtering statistics:
Item
Dropped packets
HTTP URL hostname filtering
HTTP URL IP blocking
HTTP URL parameter blocking
HTTP header filtering
HTTP body filtering
HTTP ActiveX control blocking
HTTP Java blocking
SMTP sender filtering
SMTP receiver filtering
SMTP subject filtering
SMTP body filtering
SMTP illegal command blocking
SMTP oversize email blocking
SMTP attachment name filtering
SMTP attachment body filtering
POP3 sender filtering
POP3 receiver filtering
POP3 subject filtering
POP3 body filtering
POP3 attachment name filtering
POP3 attachment body filtering
FTP command filtering
FTP upload filename filtering
FTP download filename filtering
Telnet command filtering
118
Configuring URPF
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
Overview
Unicast Reverse Path Forwarding (URPF) protects a network against source spoofing attacks, such as
denial of service (DoS) and distributed denial of service (DDoS) attacks.
Attackers send packets with a forged source address to access a system that uses IP-based authentication,
in the name of authorized users or even the administrator. Even if the attackers cannot receive any
response packets, the attacks are still disruptive to the attacked target.
Figure 76 Source address spoofing attack
As shown in Figure 76, an attacker on Router A sends the server (Router B) requests with a forged source
IP address 2.2.2.1, and Router B sends response packets to IP address 2.2.2.1 (Router C). Consequently,
both Router B and Router C are attacked. URPF can prevent such attacks.
The term router in this document refers to both routers and firewalls.
URPF check modes

URPF supports two check modes:
Strict URPFTo pass strict URPF check, the source address of a packet and the receiving interface
must match the destination address and output interface of a forwarding information base (FIB)
entry. In some scenarios such as asymmetrical routing, strict URPF may discard valid packets. Strict
URPF is often deployed between a provider edge (PE) device and a customer edge (CE) device.
Loose URPFTo pass loose URPF check, the source address of a packet must match the destination
address of a FIB entry. Loose URPF can avoid discarding valid packets, but may let go attack
packets. Loose URPF is often deployed between ISPs, especially in asymmetrical routing.
URPF features
Default routeWhen a default route exists, all packets that fail to match a specific FIB entry can
match the default route during URPF check and are permitted to pass. To avoid this situation, you
can disable URPF from using any default route to discard such packets. By default, URPF discards
packets that can only match a default route.
Link layer checkStrict URPF check can further perform link layer check on a packet. It uses the next
hop address in the matching FIB entry to look up the ARP table for a matching entry. If the source
MAC address of the packet matches the MAC address in the matching ARP entry, the packet passes
strict URPF check. Link layer check is applicable to ISP devices where a Layer 3 Ethernet interface
connects a large number of users. Loose URPF does not support link layer check.
119
ACLTo identify specific packets as valid packets, you can use an ACL to match these packets.
Even if the packets do not pass URPF check, they are still forwarded normally.
URPF work flow

URPF does not check multicast packets.
Figure 77 shows how URPF works.
Figure 77 URPF work flow
Check the received
packet
Yes
A broadcast
source address?
No
Yes
An all-zero
source address?
Yes
No
Does
the source
address match a
FIB entry?
No
A broadcast
destination address?
Discard
No
Yes
A default route?
No
Does
the receiving
interface match the
output interface of
the matching FIB
entry?
Yes
Is
the default route
allowed for URPF
check?
No
Yes
No
No
Loose URPF?
Yes
Yes
Check passed
1.
Does the
ACL permit the
packet?
Yes
URPF checks source address validity:

{
Discards packets with a source broadcast address.
120
No
2.
3.
If yes, proceeds to step 3.
If not, proceeds to step 5.
URPF checks whether the matching route is a default route:
If yes, URPF checks whether the allow-default-route keyword is configuredIf yes, proceeds to
step 4. If not, proceeds to step 5.
If not, proceeds to step 4.
URPF checks whether the receiving interface matches the output interface of the matching FIB entry:
{
{
5.
Proceeds to step 2 for other packets.
URPF checks whether the source address matches a FIB entry:
4.
Discards packets with an all-zero source address but a non-broadcast destination address. (A
packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a
DHCP or BOOTP packet and cannot be discarded.)
If yes, the packet passes URPF check and is forwarded.

If not, URPF checks whether the check mode is looseIf yes, the packet passes URPF check and
is forwarded. If not, proceeds to step 5.
URPF checks whether the packet is permitted by the ACL:

{
If yes, the packet is forwarded (such a packet is displayed in the URPF information as a
"suppressed drop").
If not, the packet is discarded.
Network application
Configure strict URPF check between an ISP network and a customer network, and loose URPF
check between ISPs.
121
Configure ACLs for special packets or users.
Configuring the URPF in the Web interface

Configuring URPF
1.
From the navigation tree, select Intrusion Detection > URPF Check to enter the URPF check
configuration page, as shown in Figure 79.
Figure 79 URPF check configuration page
2.
Configure URPF settings for the security zone, as shown in Table 20.
3.
Click Apply.

Item
Description
Security zone where the URPF check is to be configured. URPF configuration takes
effect on all the interfaces in the security zone.
Security Zone
IMPORTANT:
URPF configuration takes effect on the packets received by the interfaces in the security
zone only.
Enable/disable URPF check.
Enable URPF
If this box is not selected, URPF check is disabled and the following parameters are
not configurable.
Allow Default Route
Allow using the default route for URPF check.
ACL
Reference an ACL.
Type of Check
Set the URPF check type, Strict or Loose.
URPF configuration example

Either Device A or Device in the configuration example can be used as a firewall.
122
As shown in Figure 80, Device A (CE) directly connects to Device B (PE). Enable strict URPF check in Zone
B of Device B to allow packets whose source addresses match ACL 2010 to pass. Enable strict URPF
check in Zone A of Device A and allow use of the default route for URPF check.
Configuring Device B
1.
Configure the interface IP addresses and security zones they belong to. (Details not shown.)
2.
Define ACL 2010 to permit traffic from network 10.1.1.0/24 to pass.

a. From the navigation tree, select Firewall > ACL.
b. Click Add.
c.
Enter 2010 in ACL Number as shown in Figure 81.
d. Click Apply.
Figure 81 Defining ACL 2010
e. Click
corresponding to ACL 2010.

The ACL 2010 rule page appears.
f.
Click Add.
The page ACL configuration page appears, as shown in Figure 82.
g. Select Permit in Operation.

h. Select the Source IP Address box, and type 10.1.1.0 in the field.
i.
Enter 0.0.0.255 in Source Wildcard.
j.
Click Apply.
123
Figure 82 Configuring ACL 2010
3.
Enable strict URPF check in Zone B:

a. From the navigation tree, select Intrusion Detection > URPF Check.
The URPF configuration page appears, as shown in Figure 83.

b. Select zoneB in Security Zone.
c.
Select Enable URPF.
d. Select ACL and type 2010 in the field.

e. Select Strict in Type of Check.
f.
Click Apply.
Figure 83 Configuring URPF in zoneB
Configuring Device A
1.
Configure the interface IP addresses and security zones they belong to. (Details not shown.)
2.
Enable strict URPF check in Zone A:

a. From the navigation tree, select Intrusion Detection > URPF Check.
The URPF configuration page appears, as shown in Figure 84.

b. Select zoneA in Security Zone.
c.
Select Enable URPF.
d. Select Allow Default Route.

124
e. Select Strict in Type of Check.

f.
Click Apply.
Figure 84 Configuring URPF on zoneA
Configuring the URPF at the CLI

Configuring URPF
Perform this task to configure URPF for a security zone.
URPF checks only incoming packets on a zone
Do not configure the allow-default-route keyword for loose URPF check. Otherwise, URPF might fail to
work.
To enable URPF:
Step
1.
Enter system view.
Command
Remarks
system-view
N/A
Optional.
2.
Create a security zone

and enter its view.
zone name zone-name [ id

zone-id ]
3.
Enable URPF check for

the security zone.
ip urpf { loose | strict }

[ allow-default-route ] [ acl
acl-number ]
By default, a default VD has five default security

zones. They are Management (numbered 0), Local
(numbered 1), Trust (numbered 2), DMZ
(numbered 3) and Untrust (numbered 4). A
non-default VD has no security zones.
URPF check is disabled for the security zone by
default.
URPF configuration example

Either Device A or Device B in the configuration example can be used as a firewall.
125
As shown in Figure 85, configure strict URPF check for zoneB on Device B to permit packets from network
10.1.1.0/24.
Enable strict URPF check for zoneA on Device A and allow using the default route for URPF check.
1.
Assign IP addresses for interfaces and add them into security zones. (Details not shown.)
2.
Configure Device B:
# Define ACL 2010 to permit traffic from network 10.1.1.0/24 to pass.
<DeviceB> system-view
[DeviceB] acl number 2010
[DeviceB-acl-basic-2010] rule permit source 10.1.1.0 0.0.0.255
[DeviceB-acl-basic-2010] quit
# Enable strict URPF check for security zone zoneB.

[DeviceB] zone name zoneB
[DeviceB-zone-zoneB] ip urpf strict acl 2010
3.
Configure Device A:
# Enable strict URPF check for security zone zone A and allow use of the default route for URPF
check.
[DeviceA] zone name zoneA
[DeviceA-zone-zoneA] ip urpf strict allow-default-route
126
Configuring IDS collaboration

The firewall device can collaborate with only Venusense IDS devices.
IDS collaboration can be configured only in the Web interface.

Hardware
IDS collaboration compatible
F1000-A-EI/F1000-E-SI/F1000-S-AI
Yes
F1000-E
Yes
F1000-S-EI
Yes
F100-C-G/F100-S-G
Yes
F100-M-G/F100-A-G/F100-E-G
Yes
F5000-A5
No
Firewall module
Yes
U200-A/U200-M/U200-CA
Yes
U200-S/U200-CS/U200-CM
Yes
IDS collaboration overview

Figure 86 Network diagram for IDS collaboration
As shown in Figure 86, IDS collaboration is introduced for firewalls to work with an Intrusion detection
system (IDS) device. The collaboration process occurs:
1.
The IDS device examines network traffic for attacks.
2.
When the IDS device detects an attack, it sends an SNMP trap message to the firewall device. The
trap message may carry attack information such as source IP address of the attacker, target IP
address to be attacked, source port and destination port.
3.
When a firewall with IDS collaboration enabled receives the trap message, it retrieves the attack
information, generates a blocking entry, and blocks subsequent traffic from the source.
127
Enabling IDS collaboration

1.
From the navigation tree, select Intrusion Detection > IDS Collaboration.
The IDS collaboration configuration page appears.
Figure 87 Enable IDS collaboration
2.
Select the Enable IDS Collaboration box.
3.
Click Apply.
When you configure IDS collaboration, follow these guidelines:
Both the firewall devices and IDS devices must support and have SNMPv2c configured.
The aging time for an IDS blocking entry is five minutes. The timer restarts if the firewall receives an
SNMP trap with the same attack information before the timer expires.
A blocking entry is effective only to subsequent connections matching this entry. To make entries
apply to the current connections, disable the fast forwarding function of the firewall.
Disabling IDS collaboration removes the generated blocking entries from the firewall.
128
Configuring advanced security protection

Advanced security protection can be configured only in the Web interface.

Hardware
Advanced security protection compatible
F1000-A-EI/F1000-E-SI/F1000-S-AI
Yes
F1000-E
No
F1000-S-EI
No
F100-C-G/F100-S-G
Yes
F100-M-G/F100-A-G/F100-E-G
Yes
F5000-A5
No
Firewall module
No
U200-A/U200-M/U200-CA
Yes
U200-S/U200-CS/U200-CM
Yes
When the device is operating in UTM mode, the device provides advanced security protection functions
such as IPS, AV, content monitoring, bandwidth management, and protocol audit, and basic security
functions such as VPN and firewall. For more information about the system operating modes, see Getting
Started Guide.
When you configure advanced security protection, follow these guidelines:
Advanced security protection cannot be configured in these zones: Management, Any, and Local.
Advance security protection policies (IPS, antivirus, content filtering, bandwidth management, and
protocol audit) cannot be configured on virtual devices.
Advanced security protection logs (IPS, antivirus, content filtering, bandwidth management, and
protocol audit) do not contain virtual device information, system logs, and host logs about IPv6 and
VPN instances.
Advanced security protection does not support processing fragmented packets.
Time tables
Time tables define time ranges. Bandwidth management policies reference time tables, so that they can
take different actions to the matching packets in different time ranges.
A time table can define up to ten periodic time ranges, such as 8:30 to 18:00 every Monday through
Friday. If you define multiple time ranges in a time table, the time table takes effect as long as one of the
time ranges takes effect.
129
Creating a time table

1.
Select Advanced Security Prevention > Time Table from the navigation tree.
The time table list page appears, as shown in Figure 88.
Figure 88 Time table list
2.
Click Add to enter the time table configuration page, as shown in Figure 89.
Figure 89 Creating a time table
3.
Enter a name for the time table.
4.
Set a time range in which the time table takes effect:

a. Enter the start time (in the From filed) and end time (in the To filed) for the time range to take
effect.
b. Select the days in a week for the time range to take effect.
c.
5.
Click Add.
Repeat step 4 to add multiple time ranges for the time table.
You can define ten time ranges at most.
6.
Click Apply.
Licenses
Licenses control whether you can upgrade signature databases and use time-sensitive features. Signature
databases define which attacks the device can detect and defend against. They must be upgraded in
time to ensure security. When its license expires, a signature database cannot be upgraded and you
must recharge to get a new license for the signature database.
The license module allows you to view the license information, import licenses, and export licenses.
130
Viewing license information

Select Advanced Security Prevention > License from the navigation tree. The license information page
appears.
In the License tab, you can view the signature databases covered by the license, and their expiration
dates.
Figure 90 License
Importing a license
1.
Select Advanced Security Prevention > License from the navigation tree.
The license information page appears, as shown in Figure 90.
2.
In the Import License tab, browse to a license file saved on the local host.
3.
Click Import to import the license to the device.
Exporting a license
1.
Select Advanced Security Prevention > License from the navigation tree.
The license information page appears, as shown in Figure 90.
2.
In the Export License tab, click Export.
3.
On the popup file download dialog box, perform operations as prompted to save the license to a
file on the local host.
Signature upgrade
Signature databases define which signatures the device can recognize. For example, they recognize the
attack signatures and virus signatures. You must upgrade them in time to ensure security.
Use the following methods to upgrade signature databases:
131
Auto upgradeOnline upgrade mode. In this mode, the device periodically gets the most current
signature database file from a specific signature database server to upgrade the local database.
Manual upgradeOnline upgrade mode. In this mode, you can get the most current signature
database file from a specific signature database server and upgrade the local database by a single
click.
Local upgradeOffline upgrade mode. You can get a signature database file in offline mode, save
the file to the local host, and import the file to the device to upgrade the signature database with the
file. Local upgrade is usually used in a LAN and it allows you to use any signature database version
that is compatible with the device.
Upgrading the signature database

Follow these guidelines when you upgrade the signature database:
To upgrade signature database file online, you must first navigate to page Network > DNS >
Dynamic to configure the DNS server (see Access Control Configuration Guide).
For successful signature database upgrade, make sure the current license file is valid and not
expired, the new signature database version is compatible with the device's software version, and
you perform no other operations during the upgrade.
If you upgrade the software to a version that contains a new feature and the new feature requires
the cooperation of a certain signature database version, you must also upgrade the signature
database to the required version.
To upgrade the signature database, select Advanced Security Prevention > Signature Upgrade from the
navigation tree. The signature upgrade page appears.
Figure 91 Signature upgrade
Signature database upgrade modes include automatic online upgrade, manual online upgrade, and
local upgrade.
132
The following uses the IPS signature database to describe the signature database upgrade process.
Upgrade of the antivirus signature database is similar.
Automatic online upgradeIn the IPS Signature area, select the Upgrade Automatically box, select
the day of the week and the time, and then click Apply at the bottom of the page. For example, if
you select the day as Every Monday and the time as 03:00, the device upgrades the IPS signature
database in online mode automatically at 03:00 every Monday.
Manual online upgradeIn the IPS Signature area, click the Upgrade Now button to upgrade the
database immediately.
Local upgradeIn the IPS Signature area, click Browse to locate the IPS signature database
upgrade file, and then click Upgrade.
IPS
The IPS typically runs on a network trunk. Based on IPS policies, IPS can implement real-time traffic
analysis and anomaly detection, and trigger predefined actions in response. For example, IPS can block
abnormal traffic to prevent suspicious codes from being injected into target hosts and executed.

Step
Remarks
Optional.
1.
Configuring IPS log output

parameters
2.
Creating an IPS policy
3.
Applying an IPS policy
Specify whether to send logs to remote log hosts and whether to send logs
through emails.
By default, logs are not sent to remote log hosts and are not sent through
emails.
Required.
No IPS policy exists by default.
Required.
No IPS policy is applied by default.
Configuring IPS log output parameters

1.
Select Advanced Security Prevention > IPS from the navigation tree.
The IPS Policies tab is displayed, as shown in Figure 92.
133
Figure 92 IPS policies
NOTE:
IPS policies that have been referenced cannot be deleted. The delete icon (
policies.
) is not provided for such IPS
2.
At the top of the page, you can set the IPS log output parameters, as describe in Table 21.
3.
Click Apply.

Item
Description
Send logs to remote log

hosts
Select this option to send IPS logs to the specified remote log hosts.
Send logs through emails
Navigate to page Log Report > Syslog to specify the remote log host addresses.
Select this option to send IPS logs to the specified recipients through emails.
Navigate to page Log Report > Log Email to specify the email parameters.
Creating an IPS policy

1.
The IPS Policies tab is displayed, as shown in Figure 92.
2.
In the lower part of the page, click Add.

The Add IPsec Policy page appears.
134
Figure 93 Adding an IPS policy
3.
Configure the IPsec policy, as described in Table 22.
4.
Click Apply.

Item
Description
Name
Enter a name for the IPS policy.

Select the severity levels of attacks to be detected and prevented. Severity levels include
critical, major, minor, and warning, in descending order.
Severity
IMPORTANT:
To ensure the device performance, H3C recommends detecting and preventing only attacks
of the critical level.
Action
Select the actions to be taken to the detected attacks, including logging the attacks (Log)
and blocking the attack packets (Block).
Attack Type
This field displays the types of attacks that the device can detect and prevent.
Applying an IPS policy

1.
2.
Click the IPS Policy Applications tab, as shown in Figure 94.
Figure 94 IPS policy applications
135
3.
Click Add to enter the IPS policy application configuration page.
Figure 95 Applying an IPS policy
4.
Configure the IPsec policy application as described in Table 23.
5.
Click Apply.

Items
Description
Source Zone
Select the source zone to which to

apply the IPS policy.
IMPORTANT:
You can configure only one IPS policy

application for a pair of source and
destination security zones.
When the source zone and the destination

Destination Zone
Select the destination zone to which

to apply the IPS policy.
zone are different zones, specify the internal

trusted zone as the destination zone and the
external untrusted zone as the source zone.
Do not use the Management, Any, or Local

zone as the source or destination zone.
136
Items
Description
Select the IPS policy to be applied.
IPS Policy
Protected Zones
Source IP List
Destination IP List
Excluded IP List
To add an IPS policy to the IPS Policy list, click the following Add button (see "Creating
an IPS policy").
Specify the zones to be protected by the IPS policy, which can be the destination zone,
or both the destination and source zones.
Add the source IP addresses to be matched by the IPS policy.
You can add up to ten host addresses or network segment addresses.
Add the destination IP addresses to be matched by the IPS policy.
Add IP addresses to be excluded from the source or destination IP list of the IPS policy.
The IPS policy does not match excluded IP addresses.
You can add up to ten host addresses or network segment addresses that are included on
the source or destination IP list.
Antivirus
You can configure antivirus policies on a device and then apply them so that the device can identify
traffic with viruses and take actions to prevent viruses from infecting the network.

Step
Remarks
Optional.
1.
Configuring antivirus log output

parameters
2.
Creating an antivirus policy
3.
Applying an antivirus policy
Specify whether to send logs to remote log hosts and whether to send
logs through emails.
By default, logs are not sent to remote log hosts and are not sent through
emails.
Required.
No antivirus policy exists by default.
Required.
No antivirus policy is applied by default.
Configuring antivirus log output parameters

1.
Select Advanced Security Prevention > AV from the navigation tree.

The AV Policies tab is displayed, as shown in Figure 96.
137
Figure 96 Antivirus policies
Antivirus policies that have been referenced cannot be deleted. The delete icon (
such antivirus policies.
2.
) is not provided for
At the top of the page, set the antivirus log output parameters as described in Table 24.

Item
Description

hosts
Select this option to send antivirus logs to the specified remote log hosts.
Select this option to send antivirus logs to the specified recipients through emails.
Navigate to page Log Report > Log Email to specify the recipients.
Creating an antivirus policy

1.

The AV Policies tab is displayed, as shown in Figure 96.
2.
Click Add and add an antivirus policy.
138
Figure 97 Adding an antivirus policy
3.
Configure the antivirus policy as describe in Table 25.
4.
Click Apply.

Item
Description
Name
Enter a name for the antivirus policy.
Action
Select the actions to be taken to the detected virus attacks, including logging the attacks
(Log) and blocking the attack packets (Block).
Virus Category
This field displays the categories of viruses that the device can detect and prevent.
Applying an antivirus policy

1.

Click the AV Policy Applications tab, as shown in Figure 98.
Figure 98 Antivirus policy applications
2.
Click Add to enter the antivirus policy application configuration page.

139
Figure 99 Applying an antivirus policy
3.
Configure the antivirus policy application as describe in Table 26.
4.
Click Apply.

Item
Description
Source Zone

apply the antivirus policy.
IMPORTANT:
You can configure only one antivirus policy

application for a pair of source and

Destination Zone


to apply the antivirus policy.

Select the antivirus policy to be applied.

AV Policy
To add an antivirus policy to the AV Policy list, click the following Add button (see
"Creating an antivirus policy").
140
Item
Description
Protected Zones
Specify the zones to be protected by the antivirus policy, which can be the destination
zone, or both the destination and source zones.
Source IP List
Destination IP List
Excluded IP List
Add the source IP addresses to be matched by the antivirus policy.

Add the destination IP addresses to be matched by the antivirus policy.
Add IP addresses to be excluded from the source or destination IP list of the antivirus
policy. The antivirus policy does not match excluded IP addresses.
Content monitoring
In conventional network security solutions, network attack defense focuses on attacks from external
networks. However, with the popularity of networks in every walk of life, attacks from LANs are
increasing, which requires network devices to accommodate internal network security features. The
content monitoring feature is developed to meet this requirement.
The content monitoring feature monitors, filters, and logs user network access behaviors, including:
Instant messaging (IM) applications, such as QQ and MSN.
Remote access applications, such as FTP.
Database applications, such as Oracle, Sybase, SQL Server, and MySQL.

Step
1.
Remarks
Configuring the content monitoring log output
parameter
2.
Creating a content monitoring policy
3.
Applying a content monitoring policy
Optional.
Specify whether to send logs to remote log hosts
By default, logs are not sent to remote log hosts.
Required.
No content monitoring policy exists by default.
Required.
No content filtering policy is applied.
Configuring the content monitoring log output parameter

1.
Select Advanced Security Prevention > Content Monitoring from the navigation tree.
The Content Monitoring Policies tab is displayed, as shown in Figure 100.
141
Figure 100 Content monitoring policies
Content monitoring policies that have been referenced cannot be deleted. The delete icon (
provided for such content monitoring policies.
2.
) is not
At the top of the page, set whether to send content monitoring logs to the specified remote log
hosts.
If you select the Send logs to remote log hosts option, you need to navigate to page Log Report >
Syslog to specify the remote log host addresses.
3.
Click Apply.
Creating a content monitoring policy

1.
The Content Monitoring Policies tab is displayed, as shown in Figure 100.
2.
Click Add to enter the content monitoring policy configuration page.
142
Figure 101 Adding a content monitoring policy
3.
Configure the content monitoring policy as describe in Table 27.
4.
Click Apply.

Item
Description
Name
Enter a name for the content monitoring policy.
IM
Applications
QQ
Select the types of QQ applications to be monitored.
MSN
Select the types of MSN applications to be monitored.
Effective Time
Set the effective time for monitoring the selected IM applications.
143
Item
Remote
Access
Applications
Database
Applications
Description
FTP
Select the types of FTP operations to be monitored.
Effective Time
Set the effective time for monitoring the selected FTP operations.
Oracle
Select the types of Oracle access behaviors to be monitored.
Sybase
Select the types of Sybase access behaviors to be monitored.
SQL Server
Select the types of SQL server access behaviors to be monitored.
MySQL
Select the types of MySQL access behaviors to be monitored.
Effective Time
Set the effective time for monitoring the selected database access behaviors.
Applying a content monitoring policy

1.
2.
Click the Content Monitoring Policy Applications tab, as shown in Figure 102.
Figure 102 Content monitoring policy applications
3.
Click Add to enter the content monitoring policy application configuration page, as shown
in Figure 103.
144
Figure 103 Applying a content monitoring policy
4.
Configure the content monitoring policy application as described in Table 28.
5.
Click Apply.

Item
Description
Source Zone

apply the content monitoring policy.
IMPORTANT:
You can configure only one content monitoring

policy application for a pair of source and
Destination Zone

to apply the content monitoring
policy.


Content
Monitoring Policy
Select the content monitoring policy to be applied.

To add a content monitoring policy to the Content Monitoring Policy list, click the following
Add button (see "Creating a content monitoring policy").
145
Item
Description
Monitored Zones
Specify the zones to be monitored by the content monitoring policy, which can be the
destination zone, or both the destination and source zones.
Source IP List
Destination IP List
Excluded IP List
Add the source IP addresses to be matched by the content monitoring policy.

Add the destination IP addresses to be matched by the content monitoring policy.
Add IP addresses to be excluded from the source or destination IP list of the content
monitoring policy. The content monitoring policy does not match excluded IP addresses.
Bandwidth management
Network traffic can be divided into multiple types of services, such as the email service and VoIP service.
Bandwidth management refers to performing different management and control behaviors for different
service types. Bandwidth management includes two major components: service and service-specific
control behavior.
A service is system-defined or user-defined. All services are organized into a tree, which is called a
service tree. A node of the service tree represents a service.
The device determines the service type of a received packet by its application protocol and IP address,
and then performs the corresponding action for the packet according to the user-defined rule for the
service.
An interzone instance specifies the source zone and destination zone of the packets to be inspected by
a security policy. You can apply different bandwidth management policies to different interzone
instances for more flexible control of the network traffic.
By performing flexible bandwidth controls for applications and limiting non-critical applications,
bandwidth management guarantees bandwidth for mission-critical applications of the user network.
A service is a set of match rules. All network behaviors conforming to the match rules belong to the
service.
A match rule consists of protocol, node, and direction, where protocol indicates the network protocol,
node indicates a certain device or devices in a certain network segment, and direction indicates the
probe direction. The three factors together determine that packets of a certain protocol sent or received
by a specific device (or devices in a specific network segment) match the rule.
The service itself does not manage or control the network. A service can be referenced by a policy in the
system. Then, the policy cooperates with the service to manage and control the network.
In the system, services are organized into a tree with only one root node. Except the root node, any other
service can be appended to another service, with the first service as the child service and the second one
as the father service.
146

Step
Remarks
Optional.
1.
Configuring a protocol
Configure a protocol to be used by a service.

By default, system-defined protocols are used for the service.
Optional.
2.
Configuring a service
Configure a service to be used by a bandwidth management policy.

By default, system-defined services exist.
Optional.
3.
4.
5.
Configuring bandwidth
management log output
parameters
Specify whether to send logs to remote log hosts and whether to send
logs through emails.
Creating a bandwidth
management policy
Required.
Applying a bandwidth
management policy
Required.
By default, logs are not sent to remote log hosts and are not sent
through emails.
No bandwidth management policy exists by default.
No bandwidth management policy is applied by default.
Configuring a protocol
1.
Select Advanced Security Prevention > Bandwidth Management from the navigation tree.
2.
Click the Protocol Management tab.

{
{
{
Selecting a protocol in the protocol tree, the right part of the page displays the information of
the protocol. You can modify the information of all user-defined protocols and the port number
information of some system-defined protocols.
To restore the default settings of a system-defined protocol, click the Restore button.
To delete a user-defined protocol, select the protocol in the protocol tree and then click the
Delete Protocol button under the tree.
147
Figure 104 Protocol management
3.
Click Add Protocol.

On the popup page, as shown in Figure 105, you can specify an application layer protocol
carried over TCP or UDP.
Figure 105 Adding a protocol
4.
Configure the protocol as describe in Table 29.
5.
Click Apply.
148

Item
Description
Enter a name for the protocol.
IMPORTANT:
Name
After the device updates its IPS signature database, new system-defined protocols may be
added. If a new system-defined protocol has the same name as that of an existing user-defined
protocol, the user-defined protocol is deleted when the device is restarted. Therefore, H3C
recommends that you specify a characteristic name for each user-defined protocol.
Description
Configure the description information for the protocol, helping memorizing different
protocols.
Type
Select a transport layer protocol that carries the protocol. Options include TCP and UDP.
Specify the TCP or UDP port numbers to be used by the protocol.
Port Number List
IMPORTANT:
The port number range to be specified cannot overlap with existing port number ranges.
You can add up to eight port number ranges to the port number list. Each port number
range can contain 32 ports at most.
Configuring a service
1.
2.
Click the Service Management tab.

{
Selecting a service in the service tree, you can view and modify the information of the service
on the right part of the page. The description of a system-defined service cannot be modified.
The default match rule of a system-defined service cannot be modified or deleted.
To delete a user-defined service, select the service in the service tree and click Delete Service.
User-defined services that are referenced by bandwidth management policy rules and the
system-defined services cannot be deleted.
Deleting the protocol used by a match rule of a service also deletes the match rule.
149
Figure 106 Service management
3.
Select a service in the service tree and then click the Add Service button to enter the service
configuration page, as shown in Figure 107.
On the page, you can add a service that uses the selected service as the father service.
Figure 107 Adding a service
4.
Configure the service as described in Table 30.
5.
Click Apply.

Item
Description
Displays the father service of the service to be added.
Father Service
Father service is the service you selected in the service tree before clicking the Add Service
button.
Enter a name for the service.
IMPORTANT:
Service Name
After the device updates its IPS signature database, new system-defined services may be
added. If a new system-defined service has the same name as that of an existing user-defined
service, the user-defined service is deleted when the device is restarted. Therefore, H3C
recommends that you specify a characteristic name for each user-defined service.
150
Item
Description
Description
Configure the description information for the service, helping memorizing different services.
6.
In the service tree, select a service for which you want to add a match rule.
7.
Click Add Match Rule to enter the match rule configuration page, as shown in Figure 108.
Figure 108 Adding a match rule
8.
Configure a match rule for the service, as described in Table 31.
9.
Click Apply.

Item
Description
Protocol
Select a protocol for the match rule.
Server IP
Specify the server (or host) address or network segment.

Select the initiator of the protocol packets.
Initiator
Source ZoneThe protocol packets initiator is the source zone.

Destination ZoneThe protocol packets initiator is the destination zone.
BothThe protocol packets initiator is the source zone or the destination zone.
151
Configuring bandwidth management log output parameters

1.
The Bandwidth Management Policies tab is displayed, as shown in Figure 109.
{
On the bandwidth management policy list, you can click the

rules of the policy.
icon for a policy to view the
The bandwidth management policies that have been referenced cannot be deleted. The delete
icon (
) is not provided for such bandwidth management policies.
Figure 109 Bandwidth management policies
2.
At the top of the page, set the bandwidth management log output parameters, as shown in Table
32.
3.
Click Apply.

Item
hosts
Description
Select this option to send bandwidth management logs to the specified remote log
hosts.
Select this option to send bandwidth management logs to the specified recipients
through emails.
Navigate to page Log Report > Log Email to specify the recipients.
Creating a bandwidth management policy

1.
The Bandwidth Management Policies tab is displayed, as shown in Figure 109.
2.
Click Add to enter the bandwidth management policy configuration page, as shown in Figure
110.
152
Figure 110 Adding a bandwidth management policy
3.
Configure the bandwidth management policy as described in Table 33.

Item
Description
Name
Enter a name for the bandwidth management policy.
Working mode
Group ModeLimits the total bandwidth of all users matching the policy.
User ModeLimits the bandwidth of each user matching the policy
Set the working mode for the policy:
independently.
Upstream Bandwidth for All

Rules
Set the total bandwidth for all upstream (destination zone to source zone) traffic
that matches the policy.
Downstream Bandwidth for

All Rules
Set the total bandwidth for all downstream (source zone to destination zone)
traffic that matches the policy.
4.
Click Add to add a new rule to the rule list, as shown in Figure 111.
By default, there is a rule for all services, which cannot be deleted.
Figure 111 Rule list
5.
Configure the rule as describe in Table 34.
153

Item
Description
Specify the service that the rule matches. On the rule's advanced configuration page,
this field only displays the service name.
Click the
Service Name
icon of the rule, and a page appears, where you can select a service.
IMPORTANT:
In one policy, you cannot specify the same service for different rules.
If you configure a rule for a child service and a rule for its child service, the rule for the
child service takes effect.
Configure the system to take different actions to the traffic matching the rule at different
time ranges.
Valid Time
Action
On the rule list, click the

icon a rule to add a time table to the Valid Time list of the
rule. You can also add a time table on page Advanced Security Prevention > Time Table
(see "Creating a time table").
Available actions include Bandwidth Control, Permit, Permit + Log, Block, Block + Log. If
you select Bandwidth Control, you must also configure the upstream bandwidth,
downstream bandwidth, or both.
Upstream
Bandwidth
Set the maximum bandwidth for the upstream traffic

(destination zone to source zone) matching the service
within the specified time ranges.
Upstream
Bandwidth
Set the maximum bandwidth for the downstream traffic

(source zone to destination zone) matching the service
within the specified time ranges.
6.
IMPORTANT:
The two configuration items
are configurable when you
select the Bandwidth Control
action, and you must
configure at least one item.
Click the
icon for a rule to configure the rule on the advanced rule setup page, as shown
in Figure 112.
Figure 112 Advanced configuration
7.
Click the
icon to add a time table-action association for the service of the rule.
You can add up to six time table-action associations for a rule. If multiple time tables overlap in
time range, the action corresponding to the one on the top is executed.
For configuration guidelines for adding a time table-action association, see the Valid Time, Action,
Upstream Bandwidth, Downstream Bandwidth fields in Table 34.
8.
Click Apply on the Advanced Rule Setup page.

154
9.
Click Apply on the Add Bandwidth Management Policy page.
Applying a bandwidth management policy

1.
2.
Click the Bandwidth Management Policy Applications tab, as shown in Figure 113.
Figure 113 Bandwidth management policy applications
3.
Click Add to enter the bandwidth management policy application configuration page, as shown
in Figure 114.
Figure 114 Applying a bandwidth management policy
4.
Configure the bandwidth management policy application as described in Table 35.
5.
Click Apply.
155

Item
Description
Source Zone

apply the bandwidth management
policy.
Destination Zone

to apply the bandwidth management
policy.
IMPORTANT:
Bandwidth management policies can be
applied only to interzone instances

(source-destination zone pairs), and in the
same zone, only one bandwidth management
policy can be applied.


Bandwidth
Management
Policy
Source IP List
Destination IP List
Excluded IP List
Select the bandwidth management policy to be applied.

To add a bandwidth management policy to the Bandwidth Management Policy list, click
the following Add button (see "Creating a bandwidth management policy").
Add the source IP addresses to be matched by the bandwidth management policy.
Add the destination IP addresses to be matched by the bandwidth management policy.
Add IP addresses to be excluded from the source or destination IP list of the bandwidth
management policy. The bandwidth management policy does not match excluded IP
addresses.
Protocol audit
You can configure protocol audit to audit the following protocols:
HTTPAudits the URI that users have accessed and the host field.
SMTP and POP3Audits receivers (including recipients, CC recipients, and BCC recipients),
senders, and subjects of the mails that are sent or received through SMTP or POP3.
FTPAudits information of the file that users upload or download, such as the file name.
Protocol audit supports outputting logs only to remote log hosts.
156

Step
Remarks
Required.
Configure the device to send protocol audit logs to remote log hosts.
1.
Configuring protocol audit log

output parameters
For this function to work, navigate to page Log Report > Syslog to
specify the remote log host addresses (see System Management and
Maintenance).
By default, logs are not sent to remote log hosts.
2.
Creating a protocol audit policy
3.
Applying a protocol audit policy
Required.
No protocol audit policy exists by default.
Required.
No protocol audit policy is applied by default.
Configuring protocol audit log output parameters

1.
Select Advanced Security Prevention > Protocol Audit from the navigation tree.
The Protocol Audit Policies tab is displayed, as shown in Figure 115.
Figure 115 Protocol audit policies
Protocol audit policies that have been referenced cannot be deleted. The delete icon (
provided for such protocol audit policies.
2.
) is not
At the top of the page, set whether to send protocol audit logs to the specified remote log hosts.
If you select the Send logs to remote log hosts option, you need to navigate to page Log Report >
Syslog to specify the remote log host addresses.
3.
Click Apply.
Creating a protocol audit policy

1.
The Protocol Audit Policies tab is displayed, as shown in Figure 115.
157
2.
Click Add to enter the protocol audit policy configuration page.
Figure 116 Adding a protocol audit policy
3.
Configure the protocol audit policy as described in Table 36.
4.
Click Apply.

Item
Description
Name
Enter a name for the protocol audit policy.
Protocol Type
Select the protocols to be audited, including HTTP, FTP, SMTP, and POP3.
Applying a protocol audit policy

1.
2.
Click the Protocol Audit Policy Applications tab, as shown in Figure 117.
Figure 117 Protocol audit policy applications
3.
Click Add to enter the protocol audit policy application configuration page, as shown in Figure
118.
158
Figure 118 Applying a protocol audit policy
4.
Configure the protocol audit policy application as described in Table 37.
5.
Click Apply.

Item
Description
Source Zone

apply the protocol audit policy.
IMPORTANT:
You can configure only one protocol audit
policy application for a pair of source and


Destination Zone

to apply the protocol audit policy.


Protocol Audit
Policy
Select the protocol audit policy to be applied.

To add a protocol audit policy to the Protocol Audit Policy list, click the following Add
button (see "Creating a protocol audit policy").
159
Item
Description
Audited Zones
Select the zones to be audited.
Source IP List
Destination IP List
Excluded IP List
Add the source IP addresses to be matched by the protocol audit policy.

Add the destination IP addresses to be matched by the protocol audit policy.
Add IP addresses to be excluded from the source or destination IP list of the protocol audit
policy. The protocol audit policy does not match excluded IP addresses.
Advanced security prevention configuration

example
As shown in Figure 119, the internal network of the enterprise is connected to the Internet through the
firewall. Configure the firewall to protect the enterprise's internal network as follows:
Block and log critical-level attacks from the Internet.
Block and log traffic from the Internet that carries viruses or is abnormal.
Monitor QQ and MSN applications of the internal users every Monday to Friday.
Limit the bandwidth occupied by the Internet BitTorrent traffic of the internal users, setting the
maximum upstream bandwidth and downstream bandwidth to 1500 kbps, respectively.
Audit the HTTP and FTP traffic generated by internal users and send protocol audit logs to the
remote log host whose IP address is 10.1.1.2.
160
Configuring IPS
1.
Create an IPS policy:

a. Select Advanced Security Prevention > IPS from the navigation tree.
The IPS Policies tab is displayed.

b. Click Add.
c.
Enter ips_policy as the policy name.
d. Select the severity level Critical.

e. Select actions Log and Block.
f.
Click Apply.
Figure 120 Adding an IPS policy
2.
Apply the IPS policy:

a. Click the IPS Policy Applications tab.
b. Click Add.
c.
Select Untrust as the source zone.
d. Select Trust as the destination zone.

e. Select the IPS policy ips_policy.
f.
Select Both as the protected zones.
g. Click Apply.
161
Figure 121 Applying the IPS policy
Configuring antivirus
1.
Create an antivirus policy:

a. Select Advanced Security Prevention > AV from the navigation tree.
The AV Policies tab is displayed.

b. Click Add.
c.
Enter av_policy as the policy name.
d. Select actions Log and Block.

e. Click Apply.
162
Figure 122 Adding an antivirus policy
2.
Apply the antivirus policy:

a. Click the AV Policy Applications tab.
b. Click Add.
c.

e. Select the antivirus policy av_policy.
f.
Select Both as the protected zones.
g. Click Apply.
163
Figure 123 Applying the antivirus policy
Configuring content monitoring

1.
Create a content monitoring policy:

a. Select Advanced Security Prevention > Content Monitoring from the navigation tree.
The Content Monitoring Policies tab is displayed.

b. Click Add.
c.
Enter content_policy as the policy name.
d. In the IM Applications area, select the All box.

e. Select Periodically from the effective time list, and then select the boxes before Monday through
Friday.
f.
Click Apply.
164
Figure 124 Adding a content monitoring policy
2.
Apply the content monitoring policy:

a. Click the Content Monitoring Policy Applications tab.
b. Click Add.
c.

e. Select the content monitoring policy content_policy.
f.
Select Both as the monitored zones.
g. Click Apply.
165
Figure 125 Applying the content monitoring policy
Configuring bandwidth management

1.
Create a bandwidth management policy:

a. Select Advanced Security Prevention > Bandwidth Management from the navigation tree.
The Bandwidth Management Policies tab is displayed.

b. Click Add.
c.
Enter bandwidth_policy as the policy name.
d. Select Group Mode as the policy working mode.

e. Click Add under the rule list to add a rule.
f.
Click the
icon at the Service Name column of the added rule.
g. On the pop-up page, select BitTorrent under the P2P service node, and click Apply.
h. Select the action Bandwidth Control for the service BitTorrent, and enter 1500 for the upstream
bandwidth (kbps) and downstream bandwidth (kbps), respectively.

i.
Click Apply.
166
Figure 126 Adding a bandwidth management policy
2.
Apply the bandwidth management policy:

a. Click the Bandwidth Management Policy Applications tab.
b. Click Add.
c.

e. Select the bandwidth management policy bandwidth_policy.
f.
Click Apply.
167
Figure 127 Applying the bandwidth management policy
Configuring protocol audit

1.
Configure the remote log host:

a. Select Log Report > Syslog from the navigation tree.
b. Enter the IP address of log host 1, 10.1.1.2.
c.
Click Apply.
168
Figure 128 Configuring the remote log host
2.
Configure the firewall to send protocol audit logs to the remote log host:
a. Select Advanced Security Prevention > Protocol Audit from the navigation tree.
The Protocol Audit Policies tab is displayed.

b. Select the Send logs to remote log hosts box.
c.
Click Apply.
Figure 129 Sending protocol logs to the remote log host
169
3.
Add a protocol audit policy:

a. Click the Protocol Audit Policies tab.
b. Click Add.
c.
Enter audit as the policy name.
d. Clear the boxes before SMTP and POP3.

e. Click Apply.
Figure 130 Adding a protocol audit policy
4.
Apply the protocol audit policy:

a. Click the Protocol Audit Policy Applications tab.
b. Click Add.
c.

e. Select the protocol audit policy audit.
f.
Select Destination zone as the audited zone.
g. Click Apply.
170
Figure 131 Applying the protocol audit policy
171
Index
ABCDEFILOPSTU
A
Advanced security prevention configuration

example,160
Enabling IDS collaboration,128

Enabling protection against Naptha attacks,65
Antivirus,137
ARP attack protection configuration task list,49
Enabling source MAC consistency check for ND

packets,67
Enabling the SYN Cookie feature,64
Bandwidth management,146
Feature and hardware compatibility,129

Configuration guidelines,78
Configuring an ASPF,73
IDS collaboration overview,127
Configuring an IPv6 packet-filter firewall,71
IPS,133
Configuring ARP active acknowledgement,55
Configuring ARP automatic scanning and fixed ARP,60
Licenses,130
Configuring ARP detection,58

check,54
Configuring attack detection and protection in the

Web interface,7
Overview,76
Overview,64
Overview,68
Configuring content filtering at the CLI,106
Overview,119
Configuring content filtering in the Web interface,79
Overview,49

packets,56
Overview,1
Overview,66

detection,52
Configuring the ARP automatic scanning and fixed

ARP in the Web interface,60
Protocol audit,156
S
Configuring the attack detection and protection at the

CLI,34
Signature upgrade,131
Configuring the URPF at the CLI,125
Configuring the URPF in the Web interface,122
Time tables,129
Configuring unresolvable IP attack protection,50

Content monitoring,141
Unresolvable IP attack protection configuration

example,51
Displaying and maintaining TCP attack protection,65
172

05-Attack Protection Configuration Guide-Book

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

05-Attack Protection Configuration Guide-Book

Uploaded by

Copyright:

Available Formats

H3C SecPath Series Firewalls and UTM Devices

Attack Protection Configuration Guide

Hangzhou H3C Technologies Co., Ltd.

All rights reserved

Field technical support and servicing engineers

A line that starts with a pound (#) sign is comments.

An alert that calls attention to essential information.

An alert that provides helpful information.

Network topology icons

Port numbering in examples

Configuring user validity check 58

Configuring TCP attack protection 64

URPF check modes 119

Configuring IDS collaboration 127

Advanced security prevention configuration example 160

Configuring attack detection and protection

Types of network attacks the device can defend against

SYN flood attack

ICMP flood attack

UDP flood attack

DNS flood attack

Traffic statistics function

Total number of sessions

Session establishment rate

Number of TCP sessions

Number of half-open TCP sessions

Number of half-close TCP sessions

TCP session establishment rate

Number of UDP sessions

UDP session establishment rate

Number of ICMP sessions

ICMP session establishment rate

Number of RAW IP sessions

RAW IP session establishment rate

Unidirectional proxyProcesses only packets from TCP clients.

Figure 3 Data exchange process in unidirectional proxy mode

Figure 4 Data exchange process in bidirectional proxy mode

Intrusion detection statistics

Configuring attack detection and protection in the

Figure 5 Packet inspection configuration page

Configure packet inspection, as described in Table 2.

Table 2 Configuration items

Select a zone to detect attacks from the zone.

Discard Packets when the specified attack is detected

Select this option to discard detected attack packets.

Enable Fraggle Attack Detection

Enable or disable detection of Fraggle attacks.

Enable Land Attack Detection

Enable or disable detection of Land attacks.

Enable WinNuke Attack Detection

Enable or disable detection of WinNuke attacks.

Enable TCP Flag Attack Detection

Enable or disable detection of TCP flag attacks.

Enable ICMP Unreachable Packet Attack Detection

Enable or disable detection of ICMP unreachable

Enable ICMP Redirect Packet Attack Detection

Enable or disable detection of ICMP redirect attacks.

Enable Tracert Packet Attack Detection

Enable or disable detection of Tracert attacks.

Enable Smurf Attack Detection

Enable or disable detection of Smurf attacks.

Enable IP Packet Carrying Source Route Attack

Enable or disable detection of source route attacks.