Configuring Threat Protection

System > Network > Basic Network > Zone; Policy > Security Policy

To configure zone-based or policy-based threat protection:

  1. Create a zone or policy rule. For more information, refer to Configuring Zones or Configuring Policies.
  2. In the Zone Configuration dialog, select the Threat Protection tab; in the Policy Configuration dialog, select the Advanced tab.
  3. Enable the threat protection you need, and click Configure to customize its settings.

Network Layer Attack Protection

The system only supports zone-based network layer attack protection; it cannot be enabled per policy rule. Select the check box behind Network Layer Attack Protection to enable the function. Click Configure to customize the network layer attack protection parameters.

Options in the Network Layer Attack Protection dialog:

Options Descriptions

Whitelist

IP addresses or IP ranges in the whitelist are exempt from network layer attack detection.

  • IP/Netmask - Specify the IP address and netmask, then click Add to add them to the whitelist.
  • Address entry - Specify the address entry, then click Add to add it to the whitelist.

Select All

Enable all: Select this check box to enable all network layer attack protections for the security zone.

Action: Specifies an action for all the network layer attack protections, i.e., the defense measure the system will take if any attack has been detected.

  • Drop - Drops packets. This is the default action.
  • Alarm - Gives an alarm but still permits packets to pass through.
  • --- - Does not specify a global action; each protection keeps its own action.

Flood Attack Defense

ICMP flood: Select this check box to enable ICMP flood defense for the security zone.

  • Threshold - Specifies a threshold for inbound ICMP packets. If the number of inbound ICMP packets destined to one single IP address per second exceeds the threshold, the system will identify the traffic as an ICMP flood and take the specified action. The value range is 1 to 50000. The default value is 1500.
  • Action - Specifies an action for ICMP flood attacks. If the default action Drop is selected, the system will only permit the specified number (threshold) of ICMP packets to pass through during the current and the next second, and also give an alarm. All the excessive packets of the same type will be dropped during this period.

UDP flood: Select this check box to enable UDP flood defense for the security zone.

  • Src threshold - Specifies a threshold for outbound UDP packets. If the number of outbound UDP packets originating from one single source IP address per second exceeds the threshold, the system will identify the traffic as a UDP flood and take the specified action. The value range is 1 to 50000. The default value is 1500.
  • Dst threshold - Specifies a threshold for inbound UDP packets. If the number of inbound UDP packets destined to one single port of one single destination IP address per second exceeds the threshold, the system will identify the traffic as a UDP flood and take the specified action. The value range is 1 to 50000. The default value is 1500.
  • Action - Specifies an action for UDP flood attacks. If the default action Drop is selected, the system will only permit the specified number (threshold) of UDP packets to pass through during the current and the next second, and also give an alarm. All the excessive packets of the same type will be dropped during this period.

ARP spoofing: Select this check box to enable ARP spoofing defense for the security zone.

  • Max IP number per MAC - Specifies whether the system checks the number of IP addresses mapped to each MAC address in the ARP table. If the parameter is set to 0, the system does not check; if set to a value other than 0, the system checks, and if the number of IP addresses per MAC address exceeds the parameter value, the system takes the specified action. The value range is 0 to 1024.
  • Reverse query - Select this check box to enable reverse query. When the system receives an ARP request, it logs the sender IP address and sends an ARP request of its own for that address; it then checks whether a reply comes back with a different MAC address, or whether the MAC address in the reply matches the one in the original ARP request packet.
  • Gratuitous ARP send rate - Specifies whether the system sends gratuitous ARP packets. If the parameter is set to 0 (the default value), the system does not send any gratuitous ARP packets; if set to a value other than 0, the system sends that number of gratuitous ARP packets per second. The value range is 0 to 10.

SYN flood: Select this check box to enable SYN flood defense for the security zone.

  • Src threshold - Specifies a threshold for outbound SYN packets (ignoring the destination IP address and port number). If the number of outbound SYN packets originating from one single source IP address per second exceeds the threshold, the system will identify the traffic as a SYN flood. The value range is 0 to 50000. The default value is 1500. The value 0 disables the Src threshold.
  • Dst threshold - Specifies a threshold for inbound SYN packets. The value range is 0 to 50000, the default value is 1500, and the value 0 disables the Dst threshold.
    • IP-based - Click IP-based and type a threshold value into the box behind it. If the number of inbound SYN packets destined to one single destination IP address per second exceeds the threshold, the system will identify the traffic as a SYN flood.
    • Port-based - Click Port-based and type a threshold value into the box behind it. If the number of inbound SYN packets destined to one single destination port of the destination IP address per second exceeds the threshold, the system will identify the traffic as a SYN flood. You also need to type an address into, or select an IP Address or Address entry from, the Dst address combo box; port-based SYN flood defense then applies to that segment, and SYN flood defense for all other segments remains IP-based. The value range for the mask of the Dst address is 24 to 32.
  • Action - Specifies an action for SYN flood attacks. If the default action Drop is selected, the system will only permit the specified number (threshold) of SYN packets to pass through during the current and the next second, and also give an alarm. All the excessive packets of the same type will be dropped during this period. In addition, if both Src threshold and Dst threshold are configured, the system first checks whether the traffic is a destination SYN flood attack: if so, it drops the packets and gives an alarm; if not, it goes on to check whether the traffic is a source SYN flood attack, and if so, drops the packets and gives an alarm.

MS-Windows Defense

WinNuke attack: Select this check box to enable WinNuke attack defense for the security zone. If any WinNuke attack has been detected, the system will drop the packets and give an alarm.

Scan/Spoof Defense

IP address spoof: Select this check box to enable IP address spoof defense for the security zone. If any IP address spoof attack has been detected, the system will drop the packets and give an alarm.

IP address sweep: Select this check box to enable IP address sweep defense for the security zone.

  • Threshold - Specifies a time threshold for IP address sweep. If over 10 ICMP packets from one single source IP address are sent to different hosts within the period specified by the threshold, the system will identify them as an IP address sweep attack. The value range is 1 to 5000 milliseconds. The default value is 1.
  • Action - Specifies an action for IP address sweep attacks. If the default action Drop is selected, the system will only permit 10 ICMP packets originating from one single source IP address and destined to different hosts to pass through during the specified period (threshold), and also give an alarm. All the excessive packets of the same type will be dropped during this period.

Port scan: Select this check box to enable port scan defense for the security zone.

  • Threshold - Specifies a time threshold for port scan. If over 10 TCP SYN packets are sent to different ports of one single destination address within the period specified by the threshold, the system will identify them as a port scan attack. The value range is 1 to 5000 milliseconds. The default value is 1.
  • Action - Specifies an action for port scan attacks. If the default action Drop is selected, the system will only permit 10 TCP SYN packets destined to different ports of one single destination address to pass through, and also give an alarm. All the excessive packets of the same type will be dropped during this period.
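The threshold semantics described above for flood defense (permit the threshold count during the current and next second, alarm once) and for IP address sweep and port scan defense (more than 10 distinct targets within the threshold period) can be modelled as follows. This is an added, constructed illustration of the documented rules, not Hillstone's implementation; the packet records and timestamps are made up.

```python
"""Rate-based flood and sweep detection modelled on the zone-level rules above.

Constructed, simplified model of the documented behaviour; not vendor code.
"""
from collections import defaultdict


class FloodDetector:
    """Per-key packets-per-second limiter (ICMP flood: key = dst IP;
    UDP flood Dst threshold: key = (dst IP, dst port)).

    Once more than `threshold` packets for a key arrive within one second,
    an alarm is raised for the current and next second; in Drop mode only
    `threshold` packets per second are permitted and the excess is dropped,
    in Alarm mode everything still passes.
    """

    def __init__(self, threshold, action="drop"):
        self.threshold = threshold
        self.action = action
        self.counts = defaultdict(int)  # (key, second) -> packets seen
        self.limited_until = {}         # key -> last second covered by the alarm
        self.alarms = []                # (key, second) per detected flood

    def inspect(self, key, ts):
        sec = int(ts)
        self.counts[(key, sec)] += 1
        if self.counts[(key, sec)] <= self.threshold:
            return "pass"
        if self.limited_until.get(key, -1) < sec:
            self.limited_until[key] = sec + 1  # current and next second
            self.alarms.append((key, sec))
        return "drop" if self.action == "drop" else "pass"


class SweepDetector:
    """Flags a key touching more than `limit` distinct targets within `window_ms`.

    IP address sweep: key = source IP, target = destination IP (ICMP).
    Port scan:        key = destination IP, target = destination port (TCP SYN).
    """

    def __init__(self, window_ms, limit=10, action="drop"):
        self.window_ms = window_ms
        self.limit = limit
        self.action = action
        self.seen = defaultdict(list)  # key -> [(ts_ms, target)] inside the window
        self.alarms = []

    def inspect(self, key, target, ts_ms):
        window = [(t, tgt) for t, tgt in self.seen[key] if ts_ms - t < self.window_ms]
        targets = {tgt for _, tgt in window}
        if target in targets:
            self.seen[key] = window  # repeat to a known target is not sweep evidence
            return "pass"
        window.append((ts_ms, target))
        self.seen[key] = window
        if len(targets) + 1 > self.limit:
            self.alarms.append((key, ts_ms))
            return "drop" if self.action == "drop" else "pass"
        return "pass"


def demo_icmp_flood():
    # Constructed: five echo requests to one host inside second 100, two in second 101.
    det = FloodDetector(threshold=3)
    pkts = [("10.0.0.5", 100.1), ("10.0.0.5", 100.2), ("10.0.0.5", 100.3),
            ("10.0.0.5", 100.4), ("10.0.0.5", 100.5), ("10.0.0.5", 101.0),
            ("10.0.0.5", 101.5)]
    return [det.inspect(dst, ts) for dst, ts in pkts], det.alarms


def demo_ip_sweep():
    # Constructed: one source pings 12 distinct hosts 20 ms apart (window 500 ms),
    # then repeats a host it already reached.
    det = SweepDetector(window_ms=500, limit=10)
    src = "192.0.2.10"
    verdicts = [det.inspect(src, f"10.0.0.{i}", 1000 + 20 * i) for i in range(1, 13)]
    verdicts.append(det.inspect(src, "10.0.0.1", 1260))
    return verdicts


def demo_port_scan():
    # Constructed: SYNs to 11 ports of one host within the default 1 ms window,
    # then one more SYN 5 ms later, after the window has expired.
    det = SweepDetector(window_ms=1, limit=10)
    verdicts = [det.inspect("10.0.0.20", port, 5000) for port in range(20, 31)]
    verdicts.append(det.inspect("10.0.0.20", 31, 5005))
    return verdicts


if __name__ == "__main__":
    print(demo_icmp_flood())
    print(demo_ip_sweep())
    print(demo_port_scan())
```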

Denial of Service Defense

Ping of Death attack: Select this check box to enable Ping of Death attack defense for the security zone. If any Ping of Death attack has been detected, the system will drop the attacking packets and also give an alarm.

Teardrop attack: Select this check box to enable Teardrop attack defense for the security zone. If any Teardrop attack has been detected, the system will drop the attacking packets and also give an alarm.

IP fragment: Select this check box to enable IP fragment defense for the security zone.

  • Action - Specifies an action for IP fragment attacks. The default action is Drop.

IP option: Select this check box to enable IP option attack defense for the security zone. Hillstone device will defend against the following types of IP options: Security, Loose Source Route, Record Route, Stream ID, Strict Source Route and Timestamp.

  • Action - Specifies an action for IP option attacks. The default action is Drop.

Smurf or fraggle attack: Select this check box to enable Smurf or fraggle attack defense for the security zone.

  • Action - Specifies an action for Smurf or fraggle attacks. The default action is Drop.

Land attack: Select this check box to enable Land attack defense for the security zone.

  • Action - Specifies an action for Land attacks. The default action is Drop.

Large ICMP packet: Select this check box to enable large ICMP packet defense for the security zone.

  • Threshold - Specifies a size threshold for ICMP packets. If the size of any inbound ICMP packet is larger than the threshold, the system will identify it as a large ICMP packet and take the specified action. The value range is 1 to 50000 bytes. The default value is 1024.
  • Action - Specifies an action for large ICMP packet attacks. The default action is Drop.

Proxy

SYN proxy: Select this check box to enable SYN proxy for the security zone. SYN proxy is designed to defend against SYN flood attacks in combination with SYN flood defense. When both SYN flood defense and SYN proxy are enabled, SYN proxy will act on the packets that have already passed detections for SYN flood attacks.

  • Proxy trigger rate - Specifies the minimum number of SYN packets per second that triggers SYN proxy or SYN-Cookie (if the Cookie check box is selected). If the number of inbound SYN packets destined to one single port of one single destination IP address per second exceeds the specified value, the system will trigger SYN proxy or SYN-Cookie. The value range is 1 to 50000. The default value is 1000.
  • Cookie - Select this check box to enable SYN-Cookie. SYN-Cookie is a stateless SYN proxy mechanism that lets the system handle a much larger volume of SYN packets, so you are advised to widen the gap between Proxy trigger rate and Max SYN packet rate accordingly.
  • Max SYN packet rate - Specifies the maximum number of SYN packets per second that SYN proxy or SYN-Cookie (if the Cookie check box is selected) permits to pass through. If the number of inbound SYN packets destined to one single port of one single destination IP address per second exceeds the specified value, the system will only permit the specified number of SYN packets to pass through during the current and the next second. All the excessive packets of the same type will be dropped during this period. The value range is 1 to 1500000. The default value is 3000.
  • Timeout - Specifies a timeout for half-open connections. Half-open connections are dropped once the timeout expires. The value range is 1 to 180 seconds. The default value is 30.

Protocol Anomaly Report

TCP option anomaly: Select this check box to enable TCP option anomaly defense for the security zone.

  • Action - Specifies an action for TCP option anomaly attacks. The default action is Drop.

DNS query flood

DNS query flood: Select this check box to enable DNS query flood defense for the security zone.

  • Src threshold - Specifies a threshold for outbound DNS query packets. If the number of outbound DNS query packets originating from one single IP address per second exceeds the threshold, the system will identify the traffic as a DNS query flood and take the specified action.
  • Dst threshold - Specifies a threshold for inbound DNS query packets. If the number of inbound DNS query packets destined to one single port of one single IP address per second exceeds the threshold, the system will identify the traffic as a DNS query flood and take the specified action.
  • Action - Specifies an action for DNS query flood attacks. If the default action Drop is selected, the system will only permit the specified number (threshold) of DNS query packets to pass through during the current and next second, and also give an alarm. All the excessive packets of the same type will be dropped during this period; if Alarm is selected, the system will give an alarm but still permit the DNS query packets to pass through.

Recursive DNS query flood: Select this check box to enable recursive DNS query flood defense for the security zone.

  • Src threshold - Specifies a threshold for outbound recursive DNS query packets. If the number of outbound recursive DNS query packets originating from one single IP address per second exceeds the threshold, the system will identify the traffic as a recursive DNS query flood and take the specified action.
  • Dst threshold - Specifies a threshold for inbound recursive DNS query packets. If the number of inbound recursive DNS query packets destined to one single port of one single IP address per second exceeds the threshold, the system will identify the traffic as a recursive DNS query flood and take the specified action.
  • Action - Specifies an action for recursive DNS query flood attacks. If the default action Drop is selected, the system will only permit the specified number (threshold) of recursive DNS query packets to pass through during the current and next second, and also give an alarm. All the excessive packets of the same type will be dropped during this period; if Alarm is selected, the system will give an alarm but still permit the recursive DNS query packets to pass through.

Restore Default

Restore the system default settings.

Application Layer Protection

Application layer protection consists of Signature Configuration and Protocol Configuration. The system analyzes the protocol and processes the packets (log only, reset, or block) according to the configuration, and generates logs for the administrator if any anomaly has been detected.

Select the check box behind Application Layer Protection to enable the function. Click Configure to customize the application layer protection parameters.

Options in the Application Layer Protection dialog:

Options Descriptions
Signature Configuration Tab

Basic
(Critical/Warning/Information level attack)

Capture Packet: Select the Enable check box to enable the capture packet tools.

Action: Specifies an action for attacks of different levels. Select the radio button below:

  • Log only - Only generates logs if intrusions have been detected.
  • Reset - Resets connections (TCP) or sends destination unreachable packets (UDP) and also generates logs if intrusions have been detected.

Block attacker: Select the Enable check box to block the specified attacker.

  • Block IP - Specifies a block duration for the block IP address. The value range is 60 to 3600 seconds, and the default value is 60.
  • Block Service - Specifies a block duration for the block service. The value range is 60 to 3600 seconds, and the default value is 60.

Signature List

Search: Specify the filtering conditions and then click Search; the Signature List will show the signatures that meet your requirements.
  • Save Selection As - Saves the current filtering conditions to the system.
  • Search - Click Search; the Signature List will show the signatures that meet your requirements.
  • Reset - Click Reset to clear all the search conditions.

Enable: Select the signature you want to enable in the list and then click Enable.

Disable: Select the signature you want to disable in the list and then click Disable. The system will no longer detect packets matching a signature after it is disabled.

Edit: Select the signature you want to edit in the list and then click Edit. Batch edit is supported. Below are the option descriptions in the Signature List Configuration dialog:

  • Capture Packet - Select the Enable check box to enable the capture packet tools. For more information about the capture packet function, refer to Introduction to Packets Capture Tools.
  • Action - Specifies an action for attacks of different levels. If Follow General Configuration is selected, it means the action depends on the configuration of the signature attack level.
  • Block Attacker - Block the specified attacker. If Follow General Configuration is selected, it means the action depends on the configuration of the signature attack level.
    • Block IP - Specifies a block duration for the block IP address. The value range is 60 to 3600 seconds, and the default value is 60.
    • Block Service - Specifies a block duration for the block service. The value range is 60 to 3600 seconds, and the default value is 60.

Protocol Configuration Tab

DNS

Protocol anomaly detection: Specifies a check level for the protocol validity check of the signature set.

  • Strict - When the Check level is set to Strict, if any protocol anomaly has been detected during the parsing, system will take the action that is specified in the corresponding attack level against the attacking packets according to the security level of the anomaly.
  • Loose - When the Check level is set to Loose, if any protocol anomaly has been detected during the parsing, system will only generate logs and invoke the engine to perform signature matching.

FTP

Action for Brute-force: If the login attempts from one source fail per minute for the number of times specified by the threshold, the system will identify the attempts as an intrusion and take action according to the configuration. Select the Enable check box to enable brute-force protection.

  • Login Threshold per Min - Specifies a permitted authentication/login failure count per minute. The value range is 1 to 100000.
  • Block - Select the block object whose login failure count exceeds the threshold.
  • Block Time - Specifies the block duration. The value range is 60 to 3600 seconds.

Protocol Anomaly Detection: Specifies a check level for the protocol validity check of the signature set.

  • Strict - When the Check level is set to Strict, if any protocol anomaly has been detected during the parsing, system will take the action that is specified in the corresponding attack level against the attacking packets according to the security level of the anomaly.
  • Loose - When the Check level is set to Loose, if any protocol anomaly has been detected during the parsing, system will only generate logs and invoke the engine to perform signature matching.

Banner Detection: Select the Enable check box to enable FTP server banner protection, which replaces the banner the server sends to clients.

  • Banner Information: Type the new information into the box that will replace the original server banner information.

Max Command Line Length: Specifies a max length (including carriage return) for the FTP command line. The value range is 5 to 1024 bytes.

  • Security Level: Specifies a security level for the events that exceed the max command line length. The system will take action according to this level.

Max Response Line Length: Specifies a max length for the FTP response line. The value range is 5 to 1024 bytes.

  • Security Level: Specifies a security level for the events that exceed the max response line length. The system will take action according to this level.

POP3

Action for Brute-force: If the login attempts from one source fail per minute for the number of times specified by the threshold, the system will identify the attempts as an intrusion and take action according to the configuration. Select the Enable check box to enable brute-force protection.

  • Login Threshold per Min - Specifies a permitted authentication/login failure count per minute. The value range is 1 to 100000.
  • Block - Select the block object whose login failure count exceeds the threshold.
  • Block Time - Specifies the block duration. The value range is 60 to 3600 seconds.

Protocol Anomaly Detection: Specifies a check level for the protocol validity check of the signature set.

  • Strict - When the Check level is set to Strict, if any protocol anomaly has been detected during the parsing, system will take the action that is specified in the corresponding attack level against the attacking packets according to the security level of the anomaly.
  • Loose - When the Check level is set to Loose, if any protocol anomaly has been detected during the parsing, system will only generate logs and invoke the engine to perform signature matching.

Banner Detection: Select the Enable check box to enable POP3 server banner protection, which replaces the banner the server sends to clients.

  • Banner information - Type the new information into the box that will replace the original server banner information.

Max Command Line Length: Specifies a max length (including carriage return) for the POP3 command line. The value range is 5 to 1024 bytes.

  • Security Level - Specifies a security level for the events that exceed the max command line length. The system will take action according to this level.

Max Parameter Length: Specifies a max length for the POP3 client command parameter. The value range is 8 to 256 bytes.

  • Security Level - Specifies a security level for the events that exceed the max parameter length. The system will take action according to this level.

Max failure time: Specifies the maximum number of failure responses the POP3 server may return within one single POP3 session. The value range is 0 to 512 times.

  • Security Level - Specifies a security level for the events that exceed the max failure time. The system will take action according to this level.

SMTP

Action for Brute-force: If the login attempts from one source fail per minute for the number of times specified by the threshold, the system will identify the attempts as an intrusion and take action according to the configuration. Select the Enable check box to enable brute-force protection.

  • Login Threshold per Min - Specifies a permitted authentication/login failure count per minute. The value range is 1 to 100000.
  • Block - Select the block object whose login failure count exceeds the threshold.
  • Block Time - Specifies the block duration. The value range is 60 to 3600 seconds.

Protocol Anomaly Detection: Specifies a check level for the protocol validity check of the signature set.

  • Strict - When the Check level is set to Strict, if any protocol anomaly has been detected during the parsing, system will take the action that is specified in the corresponding attack level against the attacking packets according to the security level of the anomaly.
  • Loose - When the Check level is set to Loose, if any protocol anomaly has been detected during the parsing, system will only generate logs and invoke the engine to perform signature matching.

Banner Detection: Select the Enable check box to enable SMTP server banner protection, which replaces the banner the server sends to clients.

  • Banner information - Type the new information into the box that will replace the original server banner information.

Max Command Line Length: Specifies a max length (including carriage return) for the SMTP command line. The value range is 5 to 1024 bytes.

  • Security Level - Specifies a security level for the events that exceed the max command line length. The system will take action according to this level.

Max Path Length: Specifies a max length for the reverse-path and forward-path field in the SMTP client command. The value range is 16 to 512 bytes (including punctuation marks).

  • Security Level - Specifies a security level for the events that exceed the max path length. The system will take action according to this level.

Max Reply Line Length: Specifies a max reply line length for the SMTP server. The value range is 64 to 1024 bytes (including carriage return).

  • Security Level - Specifies a security level for the events that exceed the max reply line length. The system will take action according to this level.

Max Text Line Length: Specifies a max length for the E-mail text of the SMTP client. The value range is 64 to 2048 bytes (including carriage return).

  • Security Level - Specifies a security level for the events that exceed the max text line length. The system will take action according to this level.

Max Content Type Length: Specifies a max length for the Content-Type field. The value range is 64 to 1024 bytes.

  • Security Level - Specifies a security level for the events that exceed the max Content-Type length. The system will take action according to this level.

Max Content Filename Length: Specifies a max length for the filename of an E-mail attachment. The value range is 64 to 1024 bytes.

  • Security Level - Specifies a security level for the events that exceed the max content filename length. The system will take action according to this level.

Max Failure Time: Specifies the maximum number of failure responses the SMTP server may return within one single SMTP session. The value range is 0 to 512 times.

  • Security Level - Specifies a security level for the events that exceed the max failure time. The system will take action according to this level.

Telnet

Action for Brute-force: If the login attempts from one source fail per minute for the number of times specified by the threshold, the system will identify the attempts as an intrusion and take action according to the configuration. Select the Enable check box to enable brute-force protection.

  • Login Threshold per Min - Specifies a permitted authentication/login failure count per minute. The value range is 1 to 100000.
  • Block - Select the block object whose login failure count exceeds the threshold.
  • Block Time - Specifies the block duration. The value range is 60 to 3600 seconds.

Protocol Anomaly Detection: Specifies a check level for the protocol validity check of the signature set.

  • Strict - When the Check level is set to Strict, if any protocol anomaly has been detected during the parsing, system will take the action that is specified in the corresponding attack level against the attacking packets according to the security level of the anomaly.
  • Loose - When the Check level is set to Loose, if any protocol anomaly has been detected during the parsing, system will only generate logs and invoke the engine to perform signature matching.

Username/Password max length: Specifies a max length for the username and password used in Telnet. The value range is 64 to 1024 bytes.

  • Security Level - Specifies a security level for the events that exceed the max username/password length. System will take action according to this level.

IMAP/Finger/NNTP/TFTP/SNMP/MYSQL/MSSQL/ORACLE/NETBIOS/DHCP/LDAP/VoIP

Max scan length: Specifies a max scan length. The value range is 0 to 65535 bytes.

SUNRPC

Protocol Anomaly Detection: Specifies a check level for the protocol validity check of the signature set.

  • Strict - When the Check level is set to Strict, if any protocol anomaly has been detected during the parsing, system will take the action that is specified in the corresponding attack level against the attacking packets according to the security level of the anomaly.
  • Loose - When the Check level is set to Loose, if any protocol anomaly has been detected during the parsing, system will only generate logs and invoke the engine to perform signature matching.

MSRPC

Action for Brute-force: If the login attempts from one source fail per minute for the number of times specified by the threshold, the system will identify the attempts as an intrusion and take action according to the configuration. Select the Enable check box to enable brute-force protection.

  • Login Threshold per Min - Specifies a permitted authentication/login failure count per minute. The value range is 1 to 100000.
  • Block - Select the block object whose login failure count exceeds the threshold.
  • Block Time - Specifies the block duration. The value range is 60 to 3600 seconds.
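The brute-force settings described for FTP, POP3, SMTP, Telnet and MSRPC (Login Threshold per Min, Block object, Block Time) can be modelled as a sliding one-minute failure counter with a timed block, as in this added example. It is a constructed illustration, not Hillstone's code; it assumes that exceeding the permitted failure count triggers the block, and the login events and addresses are made up.

```python
"""Login-failure blocking modelled on the "Action for Brute-force" settings above.

Constructed model, not vendor code. Assumption: the block triggers once the
failures within the last 60 s exceed the permitted count (Login Threshold per Min).
"""
from collections import defaultdict, deque


class BruteForceGuard:
    def __init__(self, login_threshold_per_min, block_time, block="ip"):
        # Ranges as documented for the dialog.
        if not 1 <= login_threshold_per_min <= 100000:
            raise ValueError("Login Threshold per Min must be 1..100000")
        if not 60 <= block_time <= 3600:
            raise ValueError("Block Time must be 60..3600 seconds")
        if block not in ("ip", "service"):
            raise ValueError("block object must be 'ip' or 'service'")
        self.threshold = login_threshold_per_min
        self.block_time = block_time
        self.block = block
        self.failures = defaultdict(deque)  # source IP -> timestamps of failed logins
        self.blocked_until = {}             # blocked object -> expiry timestamp
        self.log = []                       # one entry per block decision

    def _block_key(self, src_ip, service):
        # Block object: the attacking IP, or the whole service it targeted.
        return src_ip if self.block == "ip" else service

    def is_blocked(self, src_ip, service, now):
        key = self._block_key(src_ip, service)
        expiry = self.blocked_until.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[key]  # Block Time elapsed
            return False
        return True

    def record(self, src_ip, service, success, now):
        """Feed one login attempt; returns 'blocked', 'block', 'fail' or 'ok'."""
        if self.is_blocked(src_ip, service, now):
            return "blocked"
        if success:
            return "ok"
        window = self.failures[src_ip]
        window.append(now)
        while window and now - window[0] >= 60:  # keep only the last minute
            window.popleft()
        if len(window) > self.threshold:
            key = self._block_key(src_ip, service)
            self.blocked_until[key] = now + self.block_time
            self.log.append({"src": src_ip, "service": service,
                             "blocked": key, "until": now + self.block_time})
            window.clear()
            return "block"
        return "fail"


def demo_ftp_guard(block="ip"):
    # Constructed FTP authentication events: (source IP, service, success, time in s).
    guard = BruteForceGuard(login_threshold_per_min=3, block_time=60, block=block)
    events = [
        ("198.51.100.7", "ftp", False, 0),
        ("198.51.100.7", "ftp", False, 10),
        ("198.51.100.7", "ftp", False, 20),
        ("198.51.100.7", "ftp", False, 30),   # fourth failure exceeds threshold 3
        ("198.51.100.7", "ftp", True, 40),    # correct password, but still blocked
        ("203.0.113.9", "ftp", True, 45),     # other client: affected only if block=service
        ("198.51.100.7", "ftp", True, 95),    # 60 s block expired at t=90
    ]
    return [guard.record(*e) for e in events], guard.log


if __name__ == "__main__":
    print(demo_ftp_guard("ip"))
    print(demo_ftp_guard("service"))
```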

Protocol Anomaly Detection: Specifies a check level for the protocol validity check of the signature set.

  • Strict - When the Check level is set to Strict, if any protocol anomaly has been detected during the parsing, system will take the action that is specified in the corresponding attack level against the attacking packets according to the security level of the anomaly.
  • Loose - When the Check level is set to Loose, if any protocol anomaly has been detected during the parsing, system will only generate logs and invoke the engine to perform signature matching.

Max bind length: Specifies a max length for MSRPC bind packets. The value range is 16 to 65535 bytes.

  • Security Level - Specifies a security level for the events that exceed the max bind length. System will take action according to this level.

Max request length: Specifies a max length for MSRPC request packets. The value range is 16 to 65535 bytes.

  • Security Level - Specifies a security level for the events that exceed the max request length. System will take action according to this level.

Web Protection

Web protection consists of Signature Configuration and Protocol Configuration. The system analyzes the protocol and processes the packets (log only, reset, or block) according to the configuration, and generates logs for the administrator if any anomaly has been detected.

Select the check box behind Web Protection to enable the function. Click Configure to customize the web protection parameters.

Options in the Web Protection Configuration dialog:

Options Descriptions
Signature Configuration Tab: refer to option descriptions in Signature Configuration of Application Layer Protection.
Protocol Configuration Tab

Protocol Anomaly Detection

Specifies a check level for the protocol validity check of the signature set.

  • Strict - When the Check level is set to Strict, if any protocol anomaly has been detected during the parsing, system will take the action that is specified in the corresponding attack level against the attacking packets according to the security level of the anomaly.
  • Loose - When the Check level is set to Loose, if any protocol anomaly has been detected during the parsing, system will only generate logs and invoke the engine to perform signature matching.

Banner Detection

Select the Enable check box to enable HTTP server banner protection, which replaces the banner the server sends to clients.

  • Banner information - Type the new information into the box that will replace the original server banner information.

Max URI length

Specifies a max URI length for the HTTP protocol. The value range is 64 to 4096 bytes.

Security level

Specifies a security level for the events that exceed the max URI length. System will take action according to this level.

Allowed methods

Specifies allowed HTTP method(s).

XSS check

Select the Enable check box to enable XSS check for the HTTP protocol.

  • Capture Packet - Select the Enable check box to enable the capture packet tools. For more information about the capture packet function, refer to Introduction to Packets Capture Tools.
  • Action - Specifies an action for XSS check.
  • Block Attacker - Block the specified attacker.
    • Block IP - Specifies a block duration for the block IP address. The value range is 60 to 3600 seconds, and the default value is 60.
    • Block Service - Specifies a block duration for the block service. The value range is 60 to 3600 seconds, and the default value is 60.

SQL check

Select the Enable check box to enable SQL injection check for the HTTP protocol.

  • Capture Packet - Select the Enable check box to enable the capture packet tools. For more information about the capture packet function, refer to Introduction to Packets Capture Tools.
  • Action - Specifies an action for SQL injection check.
  • Block Attacker - Block the specified attacker.
    • Block IP - Specifies a block duration for the block IP address. The value range is 60 to 3600 seconds, and the default value is 60.
    • Block Service - Specifies a block duration for the block service. The value range is 60 to 3600 seconds, and the default value is 60.

Command injection check

Select the Enable check box to enable command injection check for the HTTP protocol.
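The Protocol Configuration checks above (check level, max URI length, allowed methods and banner replacement), as an added example that is not the appliance's own code, run over constructed HTTP messages. The config field names, the security-level names and the level-to-action mapping are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class WebProtectionConfig:
    check_level: str = "Strict"          # "Strict" or "Loose", as on the dialog
    max_uri_length: int = 2048           # page range: 64 to 4096 bytes
    uri_security_level: str = "high"     # assumed level name for over-length URIs
    allowed_methods: set = field(default_factory=lambda: {"GET", "POST", "HEAD"})
    banner: str = "Server"               # replacement banner text (assumed)
    # Assumed mapping of security level -> action; the page only says the
    # system acts "according to this level".
    level_action: dict = field(default_factory=lambda: {
        "high": "block", "medium": "reset", "low": "log only"})

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
SEVERITY = ["low", "medium", "high"]

def inspect_request(raw: bytes, cfg: WebProtectionConfig) -> dict:
    """Protocol anomaly detection for one request; returns anomalies and action."""
    anomalies = []
    m = REQUEST_LINE.match(raw)
    if not m:
        anomalies.append(("malformed request line", "high"))
    else:
        method, uri = m.group(1).decode(), m.group(2)
        if method not in cfg.allowed_methods:
            anomalies.append((f"method {method} not allowed", "high"))
        if len(uri) > cfg.max_uri_length:
            anomalies.append((f"URI length {len(uri)} > {cfg.max_uri_length}",
                              cfg.uri_security_level))
    if not anomalies:
        return {"anomalies": [], "action": "pass"}
    if cfg.check_level == "Loose":
        # Loose: log only, the packet still goes on to signature matching
        return {"anomalies": anomalies, "action": "log only"}
    # Strict: act according to the security level of the worst anomaly
    worst = max(anomalies, key=lambda a: SEVERITY.index(a[1]))
    return {"anomalies": anomalies, "action": cfg.level_action[worst[1]]}

def rewrite_banner(response: bytes, cfg: WebProtectionConfig) -> bytes:
    """Banner Detection: replace the Server header value in an HTTP response."""
    return re.sub(rb"(?im)^Server:[^\r\n]*", b"Server: " + cfg.banner.encode(),
                  response, count=1)
```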

Trojan Attack Protection

Trojan attack protection consists of Signature Configuration and Protocol Configuration. The system analyzes the protocol and processes the packets (log only, reset, and block) according to the configuration, and generates logs for the administrator if any anomaly has been detected.

Select the check box behind Trojan Attack Protection to enable the function. Click Configure to customize the Trojan attack protection parameters.

Options in the Trojan Attack Protection Configuration dialog:

Options Descriptions
Signature Configuration Tab: refer to option descriptions in Signature Configuration of Application Layer Protection.
Protocol Configuration Tab

Other-TCP/Other-UDP

Max Scan Length: Specifies a max scan length. The value range is 0 to 65535 bytes.

Malware Download Protection

Select the check box behind Malware Download Protection to enable the function. Click Configure to customize the malware download protection parameters. You need to update the Threat Protection Signature Database before enabling the function for the first time. For more information about how to update, see Upgrading Firmware. To assure a proper connection to the default update server, you need to configure a DNS server before updating.

Options in the Malware Download Protection Configuration dialog:

Options Descriptions

Security Level

Specifies the protection security level.
  • Low - Scans file types including GZIP, HTML, Mail and PE. Scans protocol types including HTTP, SMTP, POP3, IMAP4 and FTP. Resets the HTTP and FTP connection when virus is detected by default. Logs only for SMTP, POP3 and IMAP4 when virus is detected by default.
  • High - Scans file types including GZIP, HTML, Mail, PE, ZIP, RAR, TAR, BZIP2, RIFF and JPEG. Scans protocol types including HTTP, SMTP, POP3, IMAP4 and FTP. Resets the HTTP and FTP connection when virus is detected by default. Fills magic numbers for SMTP, POP3 and IMAP4 when virus is detected by default.
  • Customize - Specifies the file type and protocol type you want to scan and specifies the action the system will take after virus is found.

File Types

Specifies the file types you want to scan. It can be GZIP, HTML, JPEG, PE, Mail.

Protocol Types

Specifies the protocol types (HTTP, SMTP, POP3, IMAP4, FTP) you want to scan and specifies the action the system will take after a virus is found.

  • Fill Magic - Processes the virus file by filling magic words, i.e., fills the file with the magic words (Virus is found, cleaned) from the beginning to the ending part of the infected section.
  • Log Only - Only generates log.
  • Reset Connection - If a virus has been detected, the system resets the connection carrying the file.
  • Warning - Pops up a warning page to prompt that a virus has been detected. This option is only effective to the messages transferred over HTTP.
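What the Fill Magic action does to a scanned file, beside the Low and High default actions listed under Security Level, as an added example that is not the appliance's own code. The infected-section offsets are assumed to come from the scanner; the sample message is constructed.

```python
MAGIC = b"Virus is found, cleaned"   # magic words named on the page

# Default per-protocol actions as the page lists them for the Low and High levels
DEFAULT_ACTIONS = {
    "Low":  {"HTTP": "Reset Connection", "FTP": "Reset Connection",
             "SMTP": "Log Only", "POP3": "Log Only", "IMAP4": "Log Only"},
    "High": {"HTTP": "Reset Connection", "FTP": "Reset Connection",
             "SMTP": "Fill Magic", "POP3": "Fill Magic", "IMAP4": "Fill Magic"},
}

def fill_magic(data: bytes, start: int, end: int) -> bytes:
    """Overwrite the infected section [start, end) with the magic words,
    repeated and cut to length, so the file keeps its size and the client
    still receives a complete message."""
    if not (0 <= start < end <= len(data)):
        raise ValueError("infected section is outside the file")
    length = end - start
    filler = (MAGIC * (length // len(MAGIC) + 1))[:length]
    return data[:start] + filler + data[end:]

def handle_detection(level: str, protocol: str, data: bytes, infected: tuple):
    """Apply the default action for (level, protocol) to a file in which the
    scanner (assumed) reported an infected byte range.
    Returns (action, data_delivered); data_delivered is None on a reset."""
    action = DEFAULT_ACTIONS[level][protocol]
    if action == "Reset Connection":
        return action, None
    if action == "Fill Magic":
        return action, fill_magic(data, *infected)
    return action, data   # Log Only: the message is delivered unchanged

# Constructed sample mail with a stand-in "infected" run of bytes in the body
SAMPLE = b"From: a@example.test\r\n\r\nbody " + b"X" * 30 + b" tail"
INFECTED = (SAMPLE.index(b"X" * 30), SAMPLE.index(b"X" * 30) + 30)
```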

Capture Packet

Select the Enable check box before Capture Packet to enable the capture packet tools. For more information about the capture packet function, refer to Introduction to Packets Capture Tools.

Malicious Website Access Control

Select the check box behind Malicious Website Access Control to enable the function. Click Configure to customize the malicious website access control parameters.

Options in the Malicious Website Access Control Configuration dialog:

Options Descriptions

Capture Packet

Select the Enable check box before Capture Packet to enable the capture packet tools. For more information about the capture packet function, refer to Introduction to Packets Capture Tools.

Action

Specifies the action the system will take after the malicious website is found.

  • Log Only - Only generates log.
  • Reset Connection - If a malicious website has been detected, the system resets the connection to it.
  • Return to the Alarm Page - Pops up a warning page to prompt that a malicious website has been detected. This option is only effective for messages transferred over HTTP.