D-Link DFL-260E User Manual page 512

10.3. Threshold Rules
The Group By Setting
The two groupings allowed are as follows:
• Host Based
The threshold is applied separately to connections from different IP addresses.
• Network Based
The threshold is applied to all connections matching the rules as a group.
Rule Actions
When a Threshold Rule is triggered one of two responses are possible:
• Audit
Leave the connection intact but log the event.
• Protect
Drop the triggering connection.
Logging would be the preferred option if the appropriate triggering value cannot be determined
beforehand. Multiple actions for a given rule might consist of Audit for a given threshold while the
action might become Protect for a higher threshold.
Multiple Triggered Actions
When a rule is triggered then NetDefendOS will perform the associated rule actions that match the
condition that has occurred. If more than one action matches the condition then those matching
actions are applied in the order they appear in the user interface.
If several actions that have the same combination of Type and Grouping (see above for the
definition of these terms) are triggered at the same time, only the action with the highest threshold
value will be logged.
Exempted Connections
It should be noted that some advanced settings, known as Before Rules settings, can exempt certain
types of connections for remote management from examination by the NetDefendOS IP rule set if
they are enabled. These Before Rules settings will also exempt the connections from Threshold
Rules if they are enabled.
Threshold Rules and ZoneDefense
Threshold Rules are used in the D-Link ZoneDefense feature to block the source of excessive
connection attmepts from internal hosts. More information on this feature can be found in
Chapter 12, ZoneDefense.
Threshold Rule Blacklisting
If the Protect option is used, Threshold Rules can be configured so that the source that triggered the
512
Chapter 10. Traffic Management