
CLI: Example for Configuring New Connection Rate Limit Per IP Address

Networking Requirements

The FW serves as the security gateway at the border of an enterprise network. The intranet (LAN) PCs access the Internet (WAN) through the public IP addresses in the address pool. The enterprise applies to the carrier for two public IP addresses (1.1.1.10 and 1.1.1.11) for address translation, as shown in Figure 1.

When malicious attackers use intranet PCs to initiate a large number of new connections to the Internet, the FW performance resources are greatly consumed. As a result, other services may be abnormal. In this case, the source IP addresses of the malicious attacks are fixed, and the destination IP addresses are random and numerous. Therefore, you need to configure the source IP address-based rate limit function on the FW's interface that connects to the intranet.

In addition, the public addresses in the pool can themselves be targeted from the Internet. Attackers on the Internet initiate a large number of new connections to these public addresses. Because black-hole routes are enabled for the public address pool, a large number of such packets are discarded by the black-hole routes, which incurs high route processing costs and occupies a large share of the FW's performance resources, so other services become abnormal. In this case, the destination IP addresses of the attack packets are the addresses in the address pool. Therefore, you need to configure the destination IP address-based rate limit function on the FW's interface that connects to the Internet.

Figure 1 Networking diagram of LAN and WAN protection

Data Planning

Item                      | Data                                            | Description
--------------------------|-------------------------------------------------|------------------------------------------------------------
GigabitEthernet 0/0/1     | IP address: 10.1.1.1/24; Security zone: Trust   | Configure 10.1.1.1 as the default gateway for intranet PCs.
GigabitEthernet 0/0/2     | IP address: 1.1.1.1/24; Security zone: Untrust  | -
Post-NAT public addresses | 1.1.1.10-1.1.1.11                               | As the number of private addresses is greater than the number of public addresses, one-to-one mapping is impossible. Port translation must be enabled to allow the reuse of public addresses. A black-hole route must be configured for the public address pool.

Configuration Roadmap

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.
  2. Configure a security policy to allow a specific intranet segment to access the Internet.
  3. Configure a NAT address pool and enable port translation.
  4. Configure a source NAT policy for translating source addresses between private and public address realms when hosts on the specific intranet segment access the Internet.
  5. Configure routes on the FW and carrier network devices to ensure that private network traffic can be normally forwarded to the Internet and the traffic returned from the Internet can be forwarded to the FW. Set the parameters according to the actual network environment. This example does not describe the configuration.
  6. Configure the default gateway on each PC in the intranet, so that the PCs send traffic to the FW when they access the Internet. Set the parameters according to the actual network environment. This example does not describe the configuration.
  7. On the FW, configure new connection rate limit per IP address for LAN and WAN protection.

Procedure

  1. Assign IP addresses to interfaces, add the interfaces to security zones, and configure network connectivity.

    # Assign an IP address to GigabitEthernet 0/0/1.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet0/0/1] ip address 10.1.1.1 24
    [FW-GigabitEthernet0/0/1] quit

    # Assign an IP address to GigabitEthernet 0/0/2.

    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet0/0/2] ip address 1.1.1.1 24
    [FW-GigabitEthernet0/0/2] quit

    # Add GigabitEthernet 0/0/1 to the Trust zone.

    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/1
    [FW-zone-trust] quit

    # Add GigabitEthernet 0/0/2 to the Untrust zone.

    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/2
    [FW-zone-untrust] quit

  2. Configure a security policy to allow a specific intranet segment to access the Internet.

    [FW] security-policy
    [FW-policy-security] rule name policy1
    [FW-policy-security-rule-policy1] source-zone trust
    [FW-policy-security-rule-policy1] destination-zone untrust
    [FW-policy-security-rule-policy1] source-address 10.1.1.0 24
    [FW-policy-security-rule-policy1] action permit
    [FW-policy-security-rule-policy1] quit
    [FW-policy-security] quit

  3. Configure a NAT address pool and enable port translation.

    [FW] nat address-group addressgroup1
    [FW-address-group-addressgroup1] mode pat
    [FW-address-group-addressgroup1] section 0 1.1.1.10 1.1.1.11
    [FW-address-group-addressgroup1] route enable
    [FW-address-group-addressgroup1] quit

  4. Configure a source NAT policy for translating source addresses between private and public address realms when hosts on the specific intranet segment access the Internet.

    [FW] nat-policy
    [FW-policy-nat] rule name policy_nat1
    [FW-policy-nat-rule-policy_nat1] source-zone trust
    [FW-policy-nat-rule-policy_nat1] destination-zone untrust
    [FW-policy-nat-rule-policy_nat1] source-address 10.1.1.0 24
    [FW-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1 
    [FW-policy-nat-rule-policy_nat1] quit
    [FW-policy-nat] quit

  5. Configure new connection rate limit per IP address for LAN and WAN protection.

    This function on the FW limits the rate of new connections per IP address in the inbound direction of an interface. In the LAN protection scenario, the source IP addresses of malicious attacks are fixed and the destination IP addresses are random and numerous, so you need to configure the new connection rate limit based on source IP addresses on the interface connecting to the intranet. In the WAN protection scenario, the destination IP addresses of attack packets are the addresses in the address pool, so you need to configure the new connection rate limit based on destination IP addresses on the interface connecting to the Internet.

    During initial configuration, you are advised to set the protection mode to the alert mode, adjust the threshold based on the reported logs and the peak value of the new connection rate in the IP monitoring entries, and then change the protection mode to the drop mode.

    [FW] firewall defend ipcar source session-rate-limit 500
    [FW] firewall defend ipcar destination session-rate-limit 1000
    [FW] firewall defend ipcar source mode alert
    [FW] firewall defend ipcar destination mode alert
    [FW] interface GigabitEthernet0/0/1
    [FW-GigabitEthernet0/0/1] firewall defend ipcar source session-rate-limit enable
    [FW-GigabitEthernet0/0/1] quit
    [FW] interface GigabitEthernet0/0/2
    [FW-GigabitEthernet0/0/2] firewall defend ipcar destination session-rate-limit enable
    [FW-GigabitEthernet0/0/2] quit

    The configuration of the maximum new connection rate is for reference only and must be determined based on the actual network environment. In most cases, you are advised to set the maximum new connection rate per IP address to 500 for LAN protection and the maximum new connection rate per IP address to 1000 for WAN protection.
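    The following simulation is an added illustration of the per-IP new connection rate limit described in this step; it is not FW code and makes assumptions the page does not state (a fixed one-second counting window, one recorded peak per IP per window). It shows why the LAN-side limiter is keyed on the source address and what the alert and drop modes do with the excess connections; the addresses 10.1.1.20, 10.1.1.30, 203.0.113.0/24 and 198.51.100.7 are constructed sample values.

```python
from collections import defaultdict

class IpcarLimiter:
    """Per-IP new connection rate limiter keyed on the source (LAN side) or
    destination (WAN side) address, in alert or drop mode (simulation)."""

    def __init__(self, key, threshold, mode="alert"):
        assert key in ("source", "destination") and mode in ("alert", "drop")
        self.key = key
        self.threshold = threshold      # max new connections per IP per second
        self.mode = mode
        self.counts = defaultdict(int)  # (ip, second) -> new connections seen
        self.alerts = {}                # (ip, second) -> peak rate, like the SESS_RATE log

    def new_connection(self, ts, src, dst):
        """Classify one new connection at time ts (seconds): 'permit' or 'drop'."""
        ip = src if self.key == "source" else dst
        slot = (ip, int(ts))            # assumption: fixed one-second window
        self.counts[slot] += 1
        rate = self.counts[slot]
        if rate > self.threshold:
            self.alerts[slot] = max(self.alerts.get(slot, 0), rate)
            if self.mode == "drop":
                return "drop"           # drop mode discards the excess connections
        return "permit"                 # alert mode only records the event

def run(limiter, events):
    """Feed (ts, src, dst) events; return (permitted, dropped, peak per slot)."""
    permitted = dropped = 0
    for ts, src, dst in events:
        if limiter.new_connection(ts, src, dst) == "permit":
            permitted += 1
        else:
            dropped += 1
    return permitted, dropped, dict(limiter.alerts)

# Constructed LAN traffic: 10.1.1.20 opens 520 connections to many different
# destinations within one second; 10.1.1.30 opens 10 connections to one host.
EVENTS = [(0.001 * i, "10.1.1.20", f"203.0.113.{i % 250}") for i in range(520)]
EVENTS += [(0.5, "10.1.1.30", "198.51.100.7")] * 10

if __name__ == "__main__":
    for mode in ("alert", "drop"):
        print(mode, run(IpcarLimiter("source", 500, mode), EVENTS))
    # Keyed on destination, the same traffic never trips a limit of 1000.
    print("destination", run(IpcarLimiter("destination", 1000, "drop"), EVENTS))
```

With the source-keyed limiter at 500, alert mode permits all 530 connections and records a peak of 520 for 10.1.1.20, while drop mode discards the 20 connections above the threshold; the destination-keyed limiter sees at most a few connections per destination and records nothing.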

  6. After the device has run for a period of time, run the display logbuffer module DEFEND_IPCAR command to check whether alarm logs exist, and run the display firewall defend ipcar table all command to view the new connection rate per IP address in the IP monitoring entries. Use both to check whether the maximum new connection rate is set properly. If it is not, adjust the maximum new connection rate to a proper value and then check the logs and IP monitoring entries again.

    <sysname> display logbuffer module DEFEND_IPCAR
    Logging buffer configuration and contents : enabled
    Allowed max buffer size : 2048
    Actual buffer size : 1024
    Channel number : 4 , Channel name : logbuffer
    Dropped messages : 0
    Overwritten messages : 0
    Current messages : 1

    Jul  6 2018 18:26:45 sysname %%01DEFEND_IPCAR/4/SESS_RATE(l): The session creation rate exceeded the threshold. (vsys=public, IP address=10.1.1.1, type=source, peak rate=520, session rate threshold=500)

  7. After the maximum new connection rate is adjusted to a proper value, change the defense action to drop for LAN and WAN protection.

    [FW] firewall defend ipcar source mode drop
    [FW] firewall defend ipcar destination mode drop

Verification

  • Run the display firewall defend ipcar table all command to check whether the IP monitoring table exists.

  • Run the display logbuffer module DEFEND_IPCAR command to check whether alarm logs exist.

    <sysname> display logbuffer module DEFEND_IPCAR
    Logging buffer configuration and contents : enabled
    Allowed max buffer size : 2048
    Actual buffer size : 1024
    Channel number : 4 , Channel name : logbuffer
    Dropped messages : 0
    Overwritten messages : 0
    Current messages : 1

    Jul  6 2018 18:26:45 sysname %%01DEFEND_IPCAR/4/SESS_RATE(l): The session creation rate exceeded the threshold. (vsys=public, IP address=10.1.1.1, type=source, peak rate=520, session rate threshold=500)
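    The threshold tuning in step 6 of the procedure and the verification above both rely on reading SESS_RATE logs. The parser below is an added example, not FW code: it takes the log line format shown above (the first sample line is the page's own; the other two are constructed), aggregates the peak rate per monitored IP, and separates hosts that barely exceed the threshold (a sign the limit may be too low for legitimate load) from hosts far above it before the mode is switched to drop. The 1.2 margin is an assumed tuning parameter.

```python
import re

# First line is the SESS_RATE log from the page; the next two are constructed.
LOG_LINES = """\
Jul  6 2018 18:26:45 sysname %%01DEFEND_IPCAR/4/SESS_RATE(l): The session creation rate exceeded the threshold. (vsys=public, IP address=10.1.1.1, type=source, peak rate=520, session rate threshold=500)
Jul  6 2018 18:27:10 sysname %%01DEFEND_IPCAR/4/SESS_RATE(l): The session creation rate exceeded the threshold. (vsys=public, IP address=10.1.1.1, type=source, peak rate=2400, session rate threshold=500)
Jul  6 2018 18:30:02 sysname %%01DEFEND_IPCAR/4/SESS_RATE(l): The session creation rate exceeded the threshold. (vsys=public, IP address=1.1.1.10, type=destination, peak rate=1050, session rate threshold=1000)
"""

SESS_RATE = re.compile(
    r"^(?P<time>\w{3}\s+\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%%01DEFEND_IPCAR/4/SESS_RATE\(l\): .*?\((?P<fields>[^)]*)\)\s*$"
)

def parse_sess_rate(line):
    """Return a dict for one SESS_RATE log line, or None for any other line."""
    m = SESS_RATE.match(line)
    if not m:
        return None
    fields = dict(kv.strip().split("=", 1) for kv in m["fields"].split(","))
    return {
        "time": m["time"], "vsys": fields["vsys"], "ip": fields["IP address"],
        "type": fields["type"],          # 'source' (LAN side) or 'destination' (WAN side)
        "peak": int(fields["peak rate"]),
        "threshold": int(fields["session rate threshold"]),
    }

def summarize(text):
    """Highest peak, configured threshold and event count per (type, ip)."""
    out = {}
    for line in text.splitlines():
        rec = parse_sess_rate(line)
        if rec is None:
            continue
        key = (rec["type"], rec["ip"])
        s = out.setdefault(key, {"peak": 0, "threshold": rec["threshold"], "events": 0})
        s["peak"] = max(s["peak"], rec["peak"])
        s["events"] += 1
    return out

def classify(summary, margin=1.2):
    """Split IPs into 'borderline' (peak within margin of the threshold, so the
    threshold may need raising) and 'outliers' (peak far above it)."""
    borderline, outliers = [], []
    for (typ, ip), s in summary.items():
        bucket = outliers if s["peak"] > s["threshold"] * margin else borderline
        bucket.append((typ, ip, s["peak"]))
    return borderline, outliers

if __name__ == "__main__":
    print(classify(summarize(LOG_LINES)))
```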

Configuration Scripts

The following lists only the scripts of this configuration example.

#
 sysname FW
#
 firewall defend ipcar destination session-rate-limit 1000
 firewall defend ipcar source session-rate-limit 500
 firewall defend ipcar destination mode drop
 firewall defend ipcar source mode drop
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 firewall defend ipcar source session-rate-limit enable
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 firewall defend ipcar destination session-rate-limit enable
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.11
#
security-policy
  rule name policy1
    source-zone trust
    destination-zone untrust
    source-address 10.1.1.0 24
    action permit
#
nat-policy
  rule name policy_nat1
    source-zone trust
    destination-zone untrust
    source-address 10.1.1.0 24
    action source-nat address-group addressgroup1
#
return
Copyright © Huawei Technologies Co., Ltd.