IPCAR
This help contains the following topics:
Introduction
This feature limits the number of connections established per second to prevent DDoS attacks from degrading device performance.
The device supports the following types of connection rate limit:
Public network protection —Limits the number of connections from the public network to the internal network based on destination IP address.Internal network protection —Limits the number of connections from the internal network to the public network based on source IP address.
vSystem support information
Support of non-default vSystems for this feature depends on the device model. This feature is available on the Web interface only if it is supported.
Restrictions and guidelines
You cannot configure both public network protection and private network protection on the same interface.
Configuration guidelines
Configuration flow
Figure-1 shows the configuration flow chart.
Figure-1 Configuration flow chart
Prerequisites
Complete the following tasks before you configure this feature:
Assign IP addresses to interfaces on the
Network >Interface Configuration >Interfaces page.Configure routes on the
Network >Routing page. Make sure the routes are available.Create security zones on the
Network >Security Zones page.Add interfaces to security zones. You can add interfaces to a security zone on the
Security Zones page or select a security zone for an interface on theInterfaces page.Configure security policies to permit the target traffic on the
Policies >Security Policies page.
Configure connection rate limits
You can configure connection rate limits for both public and private network protection. Public network protection is achieved by limiting connections from the public network to the private network, and private network protection is achieved by limiting connections from the private network to the public network.
To configure connection rate limits
Select
Policies >Active Defense >IPCAR .Select public or private network protection, and configure the following parameters:
Figure-2 Public network protection
Figure-3 Private network protection
Table-1 Configuration items
Item
Description
IP type
Select an IP type. Options include IPv4 and IPv6.
Protection action
Select a protection action.
Alarm —Sends logs when the connection rate exceeds the rate limit. You can view the logs on theIPCAR Logs page.Packet dropping —Drops packets when the connection rate exceeds the rate limit.
Interfaces
Select interfaces to apply the rate limit.
Per-IP Connection Rate Threshold
Enter a connection rate limit.
Click
OK.