Establishing The Configuration Task; Enabling The Attack Defense Function - Huawei quidway s7700 Configuration Manual

Quidway S7700 Smart Routing Switch
Configuration Guide - SPU

2.11.1 Establishing the Configuration Task

Before configuring the attack defense function, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data.
Applicable Environment
On the SPU, you can enable the attack defense function for the protected area. The protected
area may be zones or IP addresses.
Pre-configuration Tasks
Before configuring the attack defense function, complete the following tasks:
l
l
Data Preparation
To configure the attack defense function, you need the following data.
No.
1
2
3
4
5

2.11.2 Enabling the Attack Defense Function

Context
Steps 2-19 are optional and can be performed in any sequence. You can select these steps to
defend different types of attacks.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Issue 01 (2011-07-15)
Configuring zones and adding interfaces to the zones
Configuring the interzone and enabling the firewall function in the interzone
Data
Attack type, a specified type or all types
Zones or IP addresses (the VPN instance may be included) to be protected against
Flood attacks (ICMP Flood, SYN Flood, and UDP Flood), and maximum session
rate
Status of the TCP proxy that prevents SYN Flood attacks, including always
enabled, always disabled, or auto enabled (automatically enabled when the session
rate exceeds the threshold)
Timeout of blacklist and maximum session rate to prevent scanning attacks (IP
address sweeping and port scanning)
Maximum packet length to prevent large ICMP packet attack
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 Firewall Configuration
54