Establishing The Configuration Task; Enabling The Attack Defense Function - Huawei S9700 Series Configuration Manual

S9700 Core Routing Switch
Configuration Guide - SPU

2.11.1 Establishing the Configuration Task

Before configuring the attack defense function, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

On the SPU, you can enable the attack defense function for the protected area. The protected
area may be zones or IP addresses.

Pre-configuration Tasks

Before configuring the attack defense function, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone

Data Preparation

To configure the attack defense function, you need the following data.

No.  Data
1    Attack type, a specified type or all types
2    Zones or IP addresses (the VPN instance may be included) to be protected against
     Flood attacks (ICMP Flood, SYN Flood, and UDP Flood), and maximum session rate
3    Status of the TCP proxy that prevents SYN Flood attacks, including always
     enabled, always disabled, or auto enabled (automatically enabled when the session
     rate exceeds the threshold)
4    Timeout of blacklist and maximum session rate to prevent scanning attacks (IP
     address sweeping and port scanning)
5    Maximum packet length to prevent a large ICMP packet attack

2.11.2 Enabling the Attack Defense Function

Context

Steps 2-19 are optional and can be performed in any sequence. You can select these steps to
defend against different types of attacks.

Procedure

Step 1 Run:
system-view

Issue 01 (2012-03-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 Firewall Configuration
