
Excluding a specified data flow from attack defense on the USG5300 firewall

Publication Date:  2012-12-12
Issue Description
The customer enabled attack defense, but many hosts on the internal network were identified as attackers and added to the blacklist, so those internal hosts could no longer get online.
Alarm Information
NULL
Handling Process
On USG5300 V1R3, excluding a specified data flow from attack defense is done with the firewall defend ddos acl-number outbound command in zone view. The same mechanism applies to traffic attack defense, application-layer attack defense and scan attack defense.
Note the inverted meaning of the ACL actions here: a packet that matches an ACL rule whose action is deny is not inspected by attack defense, while a packet that matches a rule whose action is permit is inspected. To exempt a host, you therefore deny it in the ACL, and rule order matters because the first matching rule decides.

configuration instance
# Exclude traffic whose source IP address is 10.1.1.1 from traffic attack defense in the outbound direction of the Untrust zone; all other traffic is still inspected.

system-view
[USG5300] acl 3000
[USG5300-acl-adv-3000] rule deny ip source 10.1.1.1 0
[USG5300-acl-adv-3000] rule permit ip
[USG5300-acl-adv-3000] quit
[USG5300] firewall zone untrust
[USG5300-zone-untrust] firewall defend ddos 3000 outbound

# Configure DDoS attack defense in the outbound direction of the Untrust zone so that only traffic whose source IP address is 10.1.1.1 is inspected; all other traffic is excluded.

system-view
[USG5300] acl 3001
[USG5300-acl-adv-3001] rule permit ip source 10.1.1.1 0
[USG5300-acl-adv-3001] rule deny ip
[USG5300-acl-adv-3001] quit
[USG5300] firewall zone untrust
[USG5300-zone-untrust] firewall defend ddos 3001 outbound
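The inverted deny/permit meaning is easy to get backwards, and a misordered catch-all rule silently shadows the exemption. The following added example (not Huawei's code and not from the original page) evaluates ACLs 3000 and 3001 the way the text describes, then goes beyond the page with two constructed ACLs: one that exempts an entire internal /24 (the shape of fix the blacklisted-internal-hosts complaint calls for) and one with the permit rule placed first to show the shadowing mistake. It assumes Huawei wildcard-mask semantics (0 bits must match, 1 bits are don't-care, a bare 0 means exact host) and first-match evaluation; what the firewall does when no rule matches is not stated on the page, so the evaluator reports that as None rather than guessing.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Huawei advanced ACL rule syntax as used on the page:
#   rule <permit|deny> ip [source <address> <wildcard>]
# A wildcard of "0" is shorthand for 0.0.0.0 (exact host match).
RULE_RE = re.compile(r"^rule\s+(permit|deny)\s+ip(?:\s+source\s+(\S+)\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    address: int     # source address as a 32-bit integer
    wildcard: int    # wildcard mask: 0 bits must match, 1 bits are don't-care

    def matches(self, src: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (src & care) == (self.address & care)


def _to_int(text: str) -> int:
    """Convert a dotted address, or the bare '0' wildcard shorthand, to an integer."""
    if text == "0":
        return 0
    return int(ipaddress.IPv4Address(text))


def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse ACL rule lines in the order given (order matters: first match wins)."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        action, address, wildcard = m.groups()
        if address is None:
            # "rule permit ip" / "rule deny ip" with no source matches any source
            rules.append(Rule(action, 0, 0xFFFFFFFF))
        else:
            rules.append(Rule(action, _to_int(address), _to_int(wildcard)))
    return rules


def defended(rules: List[Rule], src_ip: str) -> Optional[bool]:
    """True if attack defense inspects packets from src_ip, False if they are exempt,
    None if no rule matches (the page does not say what the firewall does then).

    Inverted semantics from the page: deny -> exempt, permit -> inspected.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    for rule in rules:
        if rule.matches(src):
            return rule.action == "permit"
    return None


def exempt_hosts(rules: List[Rule], candidates: List[str]) -> List[str]:
    """Which of the candidate source IPs does this ACL exempt from attack defense?"""
    return [ip for ip in candidates if defended(rules, ip) is False]


# ACLs 3000 and 3001 exactly as on the page.
ACL_3000 = parse_acl(["rule deny ip source 10.1.1.1 0", "rule permit ip"])
ACL_3001 = parse_acl(["rule permit ip source 10.1.1.1 0", "rule deny ip"])

# Constructed for this example (not from the page): exempt a whole internal /24.
ACL_INTERNAL_EXEMPT = parse_acl(["rule deny ip source 10.1.1.0 0.0.0.255", "rule permit ip"])

# Constructed ordering mistake: the catch-all permit shadows the deny, so nothing is exempt.
ACL_SHADOWED = parse_acl(["rule permit ip", "rule deny ip source 10.1.1.1 0"])


if __name__ == "__main__":
    hosts = ["10.1.1.1", "10.1.1.77", "192.0.2.5"]   # constructed sample sources
    for name, acl in [("3000", ACL_3000), ("3001", ACL_3001),
                      ("internal-exempt", ACL_INTERNAL_EXEMPT), ("shadowed", ACL_SHADOWED)]:
        print(f"ACL {name}: exempt from attack defense = {exempt_hosts(acl, hosts)}")
```

Running the block shows ACL 3000 exempting only 10.1.1.1, ACL 3001 exempting everything except 10.1.1.1, the constructed /24 ACL exempting both internal hosts, and the shadowed ACL exempting nothing. Before applying an exemption ACL on a production USG, evaluate it this way against the internal hosts that were blacklisted and confirm each one comes back as exempt.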

Root Cause
NULL
Suggestions
NULL

END