Firewall Protection Profiles

Configuration > Overlays & Security > Security > Firewall Protection Profiles

Use the Firewall Protection Profiles tab to add or modify a protection profile on any appliance with a firewall.

Create a Firewall Protection Profile

  1. Select an appliance or group of appliances from the list on the right-side menu.

  2. Navigate to Configuration > Overlays & Security > Security > Firewall Protection Profiles.

  3. Click the edit icon next to the appliance you want to configure a profile for.

    The Firewall Protection Profiles - <Appliance Name> dialog box opens.

  4. Under the Firewall Protection Profiles header, click Add.

    The Firewall Protection Profile dialog box opens.

  5. Enter a name for the profile.

  6. Select or clear any of the Security Settings check boxes.

    NOTE: When asymmetric routing is configured, the appliance sees only one direction of each flow, so strict three-way TCP enforcement and deep packet inspection (DPI) validation cannot be performed. To enable these settings, turn off asymmetric routing.

  7. In the DoS Thresholds field, select a preset threshold (Lenient, Moderate, or Strict). To further edit a preset threshold, click the edit icon next to the classification you want to edit.

    Alternatively, click Add custom threshold to define specific threshold values. For more information, see Set Firewall Protection Profile Thresholds.

  8. (Optional) Add exceptions in the Allowlist or Blocklist fields.

  9. (Optional) Click Show advanced settings and set the following fields:

    Rapid aging: Inactivity timeout (in seconds) after which the firewall tears down idle TCP connections (for example, 30s). This is the timeout used when the Rapid aging threshold action triggers.
    Block duration: How long (in seconds) the Block source action keeps dropping flows that originate from an offending source (for example, 300s).
    Embryonic timeout: Time (in seconds) after which the firewall tears down a half-open TCP connection (for example, 30s). A TCP connection is established by the three-way handshake (SYN, SYN-ACK, ACK); an embryonic connection is one that has started the handshake (for example, a SYN was received and a SYN-ACK sent) but never completed it. Flooding a host with half-open connections to exhaust its connection table (a SYN flood) is a common form of denial of service (DoS) attack.
  10. Click OK.

Set Firewall Protection Profile Thresholds

To view the threshold settings on an existing firewall protection profile, click the link in the Thresholds Count column of the Firewall Protection Profiles table.

To change the threshold settings:

  1. Click the edit icon next to the appliance you want to configure.

    The Firewall Protection Profiles - <Appliance Name> dialog box opens.

  2. Click the edit icon next to the profile name whose threshold you want to edit.

    The Firewall Protection Profile dialog box opens.

  3. Either select a preset threshold from the DoS Thresholds drop-down list and click the edit icon next to the classification you want to change, or click Add custom threshold.

    The DoS Threshold dialog box opens.

  4. Set the following parameters:

    Classification: Choose how flows are counted against the threshold:

      Zone level: All flows originating from the endpoints in a single firewall zone are counted together.

      Source level: Flows originating from a single endpoint or source device are counted separately for each source.

    Metric: A DoS threshold can use any or all of the three metrics available in a firewall protection profile:

      Flows per second: Rate at which new flows are created (fps). A single flow is a unidirectional set of packets sharing common attributes (source and destination IP, ports, protocol).

      Concurrent flows: Number of flows that are active at a given point in time.

      Embryonic flows: Number of half-open connections. A TCP connection is established by the three-way handshake (SYN, SYN-ACK, ACK); an embryonic connection has started the handshake (for example, a SYN was received) but has not completed it.

    IP Protocol: The IP protocol the threshold applies to (TCP, UDP, ICMP, Others, or All). Embryonic counts are meaningful only for TCP.

    Min value: Lower threshold. When this value is breached, the protection profile takes the configured minimum action (Log, Rapid aging, Drop excess, or Block source).

    Max value: Upper threshold. When this value is breached, the protection profile takes the configured maximum action (Log, Rapid aging, Drop excess, or Block source). Set Max value above Min value and pair the milder action with Min value (for example, Log) and the stronger action with Max value (for example, Block source), so that a source is logged before it is blocked.
  5. Click OK.
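The following is an added illustration, not HPE Aruba EdgeConnect code, of how the pieces configured in the two procedures above fit together: zone- versus source-level classification, the flows-per-second, concurrent and embryonic metrics, Min and Max values with their actions, and the embryonic-timeout, rapid-aging and block-duration timers from the advanced settings. The flow table, threshold values and field names are assumptions made for the example; the sample traffic is constructed (a SYN flood from one guest host beside two legitimate flows).

```python
"""Toy model of firewall protection-profile thresholds and connection aging.

Added illustration, not appliance code. Field names, the sample flows and the
threshold values are assumptions chosen for the example.
"""
from collections import Counter
from dataclasses import dataclass

# Actions in rough order of severity, as listed on the page.
LOG, RAPID_AGING, DROP_EXCESS, BLOCK_SOURCE = "Log", "Rapid aging", "Drop excess", "Block source"


@dataclass
class Threshold:
    classification: str  # "zone" or "source"
    metric: str          # "fps", "concurrent" or "embryonic"
    protocol: str        # "TCP", "UDP", "ICMP", "Others" or "All"
    min_value: int
    min_action: str
    max_value: int
    max_action: str


@dataclass
class Flow:
    src: str
    zone: str
    protocol: str
    started: float    # seconds; time the first packet was seen
    last_seen: float  # seconds; time of the most recent packet
    embryonic: bool   # True until the TCP three-way handshake completes


def _protocol_matches(threshold_proto, flow_proto):
    if threshold_proto == "All":
        return True
    if threshold_proto == "Others":
        return flow_proto not in ("TCP", "UDP", "ICMP")
    return threshold_proto == flow_proto


def evaluate_thresholds(flows, thresholds, now, window=1.0):
    """Count flows per zone or per source for each threshold and return the
    action to take, keyed by (classification, zone-or-source, metric, protocol).
    The Max action wins when both Min and Max values are breached."""
    actions = {}
    for t in thresholds:
        key_of = (lambda f: f.zone) if t.classification == "zone" else (lambda f: f.src)
        counts = Counter()
        for f in flows:
            if not _protocol_matches(t.protocol, f.protocol):
                continue
            if t.metric == "fps":
                counted = f.started > now - window  # new flows within the last second
            elif t.metric == "concurrent":
                counted = True                      # every active flow
            elif t.metric == "embryonic":
                counted = f.embryonic               # half-open flows only
            else:
                raise ValueError(f"unknown metric {t.metric}")
            if counted:
                counts[key_of(f)] += 1
        for key, n in counts.items():
            if n > t.max_value:
                actions[(t.classification, key, t.metric, t.protocol)] = t.max_action
            elif n > t.min_value:
                actions[(t.classification, key, t.metric, t.protocol)] = t.min_action
    return actions


def age_connections(flows, now, embryonic_timeout=30.0, rapid_aging=None):
    """Tear down half-open flows older than embryonic_timeout and, when a
    rapid-aging timeout is given (the Rapid aging action), idle TCP flows
    past that timeout. Returns the surviving flows."""
    kept = []
    for f in flows:
        if f.embryonic and now - f.started >= embryonic_timeout:
            continue
        if rapid_aging is not None and f.protocol == "TCP" and now - f.last_seen >= rapid_aging:
            continue
        kept.append(f)
    return kept


def block_sources(actions, now, block_duration=300.0):
    """Turn source-level Block source decisions into expiry times (src -> unblock time)."""
    return {key[1]: now + block_duration
            for key, action in actions.items()
            if action == BLOCK_SOURCE and key[0] == "source"}


# Constructed sample: a SYN flood from 10.0.0.9 in the Guest zone (60 half-open
# TCP flows opened in the last half second) beside two established flows from 10.0.0.5.
NOW = 1000.0
SAMPLE_FLOWS = [Flow("10.0.0.9", "Guest", "TCP", NOW - 0.5, NOW - 0.5, True) for _ in range(60)]
SAMPLE_FLOWS += [Flow("10.0.0.5", "Guest", "TCP", NOW - 40, NOW - 2, False),
                 Flow("10.0.0.5", "Guest", "UDP", NOW - 20, NOW - 1, False)]

# Assumed custom thresholds: per-source embryonic TCP (Log above 20, Block source
# above 50) and zone-wide new-flow rate for all protocols (Log above 40, Drop excess above 100).
SAMPLE_THRESHOLDS = [
    Threshold("source", "embryonic", "TCP", 20, LOG, 50, BLOCK_SOURCE),
    Threshold("zone", "fps", "All", 40, LOG, 100, DROP_EXCESS),
]


def demo():
    actions = evaluate_thresholds(SAMPLE_FLOWS, SAMPLE_THRESHOLDS, NOW)
    return {
        "actions": actions,
        "blocked": block_sources(actions, NOW),
        # 31 s later the 30 s embryonic timeout has torn down every half-open flow ...
        "survivors": age_connections(SAMPLE_FLOWS, NOW + 31, embryonic_timeout=30.0),
        # ... and a 30 s rapid-aging timer additionally removes the idle established TCP flow.
        "rapid_aged": age_connections(SAMPLE_FLOWS, NOW + 31, embryonic_timeout=30.0, rapid_aging=30.0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value if name != "survivors" and name != "rapid_aged" else len(value))
```

With these thresholds the flooding host trips the source-level Max value (60 half-open flows, Block source for the block duration), while the zone as a whole only reaches the Min value of the rate threshold (60 new flows per second, Log). Note that rapid aging, as modelled here, applies only to TCP: the idle UDP flow survives the 30 s rapid-aging pass.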

Add Profile Mappings

A profile has no effect on traffic until you map it to a segment and a firewall zone; do this after you create the profile.

To map a profile to a segment and zone:

  1. Click Add under the Profile Mappings header.

  2. Click the box under the Segment field and start typing the segment you want to map to your profile, then click the segment.

  3. Click the box under the Zone field and start typing the zone you want to assign to your profile, then click the zone.

  4. Click the box under the Profile Name field and select the profile you created earlier.

  5. Click Save.

Add Firewall Protection Profile to a Template Group

  1. On the Firewall Protection Profiles tab, click Manage Firewall Protection Profiles with Templates.

  2. Select a template group to add the firewall protection profile to, and then click Add/Edit.

    Firewall Protection Profile appears as a template under Active Templates > Policies.


© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.