H3C SecPath F1800-A Operation Manual page 402

Operation Manual - Security Defence
H3C SecPath F1800-A Firewall
III. Enabling the IP Sweep Attack Defence
1) Networking requirements
Deploy the SecPath F1800-A in the network, adding Ethernet 0/0/0 to the trust
zone, Ethernet 0/1/0 to the untrust zone and Ethernet 1/0/0 to the DMZ zone.
Address scanning (IP sweep) attack defence needs to be enabled on the server in the
untrust zone.
2) Networking diagram
Refer to Figure 2-4.
3) Configuration procedures
# Configure the Ethernet 0/0/0 on the firewall.
[SecPath] interface Ethernet 0/0/0
[SecPath-Ethernet0/0/0] ip address 192.168.1.1 255.255.255.0
# Configure the Ethernet 0/1/0 on the firewall.
[SecPath] interface Ethernet 0/1/0
[SecPath-Ethernet0/1/0] ip address 202.1.0.1 255.255.0.0
# Configure the Ethernet 1/0/0 on the firewall.
[SecPath] interface Ethernet 1/0/0
[SecPath-Ethernet1/0/0] ip address 10.0.0.1 255.0.0.0
# Add the Ethernet 0/0/0 to the trust zone.
[SecPath] firewall zone trust
[SecPath-zone-trust] add interface Ethernet 0/0/0
# Add the Ethernet 0/1/0 to the untrust zone.
[SecPath] firewall zone untrust
[SecPath-zone-untrust] add interface Ethernet 0/1/0
# Add the Ethernet 1/0/0 to the DMZ zone.
[SecPath] firewall zone dmz
[SecPath-zone-dmz] add interface Ethernet 1/0/0
# Enable the outbound IP statistics in the untrust zone.
[SecPath] firewall zone untrust
[SecPath-zone-untrust] statistic enable ip outzone
[SecPath-zone-untrust] quit
# Enable IP sweep attack defence.
[SecPath] firewall defend ip-sweep enable
# Set the maximum scanning rate to 1000 packets per second.
[SecPath] firewall defend ip-sweep max-rate 1000
# Set the valid time of the black list to five minutes.
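
The threshold and black-list behaviour configured above, modelled in Python as an added example (not code from the manual or from H3C). It assumes the scanning rate is the number of distinct destination addresses one source contacts within one second; the class name, host addresses and traffic are constructed.

```python
from collections import defaultdict, deque

MAX_RATE = 1000             # from "firewall defend ip-sweep max-rate 1000"
BLACKLIST_SECONDS = 5 * 60  # black list valid time of five minutes

class SweepDetector:
    """Conceptual model only; the firewall's real accounting is not documented here."""

    def __init__(self, max_rate=MAX_RATE, hold=BLACKLIST_SECONDS):
        self.max_rate, self.hold = max_rate, hold
        self.recent = defaultdict(deque)  # src -> (timestamp, dst) seen in the last second
        self.blacklist = {}               # src -> time at which the entry expires

    def observe(self, ts, src, dst):
        """Return 'pass', 'blacklisted' (threshold just crossed) or 'drop'."""
        expiry = self.blacklist.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop"
            del self.blacklist[src]       # entry aged out, source is judged afresh
        window = self.recent[src]
        window.append((ts, dst))
        while window[0][0] <= ts - 1.0:   # keep a one-second sliding window
            window.popleft()
        if len({d for _, d in window}) > self.max_rate:
            self.blacklist[src] = ts + self.hold
            del self.recent[src]
            return "blacklisted"
        return "pass"

def demo():
    det = SweepDetector()
    scanner, client = "202.1.0.50", "202.1.0.60"  # constructed untrust-zone hosts
    # Constructed sweep: 1500 different DMZ addresses probed within half a second.
    sweep = [det.observe(i / 3000, scanner, f"10.0.{i // 250 + 1}.{i % 250 + 1}")
             for i in range(1500)]
    # Constructed busy client: 2000 packets in one second, all to one server.
    client_ok = all(det.observe(i / 2000, client, "10.0.0.2") == "pass"
                    for i in range(2000))
    return {
        "tripped_at": sweep.index("blacklisted") + 1,  # packet that crossed the limit
        "dropped": sweep.count("drop"),
        "client_ok": client_ok,
        "during_hold": det.observe(200.0, scanner, "10.0.0.9"),
        "after_hold": det.observe(301.0, scanner, "10.0.0.9"),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the busy client is never listed although it sends more packets per second than the scanner, because only the spread across destinations is counted.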
Chapter 2 Security Policy