D-Link DFL-800-AV-12 User Manual - Page 279
Threshold Rules, 10.2.1. Overview, 10.2.2. Connection Rate/Total Connection Limiting
View all D-Link DFL-800-AV-12 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 279 highlights
10.2. Threshold Rules Chapter 10. Traffic Management 10.2. Threshold Rules 10.2.1. Overview The objective of a Threshold Rule is to have a means of detecting abnormal connection activity as well as reacting to it. An example of a cause for such abnormal activity might be an internal host becoming infected with a virus that is making repeated connections to external IP addresses. It might alternatively be some external source trying to open excessive numbers of connections. (A "connection" in this context refers to all types of connections, such as TCP, UDP or ICMP, tracked by the NetDefendOS state-engine). A Threshold Rule is like a normal policy based rule. A combination of source/destination network/interface can be specified for a rule and a type of service such as HTTP can be associated with it. Each rule can have associated with it one or more Actions which specify how to handle different threshold conditions. A Threshold has the following parameters: • Action - The response to exceeding the limit: either Audit or Protect • Group By - Either Host or Network based • Threshold - The numerical limit which must be exceeded to trigger a response • Threshold Type - Limiting connections per second or limiting total number of concurrent connections These parameters are described below: 10.2.2. Connection Rate/Total Connection Limiting Connection Rate Limiting allows an administrator to put a limit on the number of new connections being opened to the D-Link Firewall per second. Total Connection Limiting allows the administrator to put a limit on the total number of connections opened to the D-Link Firewall. This function is extremely useful when NAT pools are required due to the large number of connections generated by P2P users. 10.2.3. Grouping The two groupings are as follows: • Host Based - The threshold is applied separately to connections from different IP addresses. • Network Based - The threshold is applied to all connections matching the rules as a group. 10.2.4. Rule Actions When a Threshold Rule is triggered one of two responses are possible: • Audit - Leave the connection intact but log the event • Protect - Drop the triggering connection Logging would be the preferred option if the appropriate triggering value cannot be determined beforehand. Multiple Actions for a given rule might consist of Audit for a given threshold while the action might become Protect for a higher threshold. 279