Firewall Protection Profiles Template

Use this template to enable baseline learning on appliances, to add or modify a protection profile on any appliance with a firewall, and to map that profile to a segment and zone of the firewall. For more information about firewall protection profile settings and baseline learning, see Firewall Protection Profiles.

Enable Baseline Learning

The following instructions describe how to enable baseline learning for appliances using a template.

NOTE: Baseline learning, Auto rate limit, and Smart burst all require either an AS (Advanced Security) license or an AAS-DTD (Dynamic Threat Defense) license.

  1. Select the Baseline Learning check box.

  2. To customize the baseline learning settings, click Baseline Settings.

    The Baseline Settings dialog box opens.

  3. Enter the following information based on your network or click Cancel to use the default settings.

    Data aggregation method: The technique used for data aggregation. The default is percentile; there are currently no other options.

    Data aggregation limit: The percentage of the sample data that is used to determine baseline values. The default is 95%, which means the top 5% of the sample is discarded and the remaining 95% is considered when computing the baselines. You can enter a value between 75-100%.

    Computation interval: The time that passes before the system computes new baselines. The default is 8 hours. For example, when using the default, the baselines are computed every 8 hours using the latest sample data collected during the Model training interval. This can be configured in 4-hour units (4, 8, 12, and so on) up to 240 hours.

    Model training interval: During this period, data is collected for various metrics every five minutes and is aggregated into a data file. This data is used to compute the baselines. The default is 14 days, the minimum is 7 days, and the maximum is 56 days.

    NOTE: This period should include a diverse set of data that covers various types of legitimate traffic and captures the characteristics that distinguish normal traffic from malicious traffic during an attack.

    Baseline upper limit: The upper limit for the minimum baseline. An alarm is raised when this value is reached. This setting is useful if Auto rate limit is configured without Smart burst. The setting is a percentage of the maximum baseline value, which is set manually. The default is 90%. You can enter a value between 50-100%.

    TCP inactivity timeout: Inactivity timeout used for TCP flows created using burst support levels. An inactive flow is deleted after this timeout. The default is 300 seconds. You can enter a value between 30-1800 seconds.

    Headroom for baseline plus: The percentage of headroom that is added to the baseline. The default is 20%. You can enter a value between 5-100%.

    Per-source limit for committed burst: The committed burst for a zone is available to all sources in the zone. This setting determines the percentage of a zone's committed burst that one source can use. The default is 50%. You can enter a value between 1-50%.

    Reserve flow capacity distribution: Spare flow capacity is distributed among all zones by Smart burst using one of two methods (Proportional or Equal). The default method is Proportional.

    Excess burst credit interval: Each second, a zone is expected to use a portion of its committed burst capacity. Unused committed burst capacity from all zones is made available as excess burst capacity every second. After this interval, unused excess burst capacity returns to the respective committed burst. The default is 30 seconds. Enter a value between 30-100 seconds.

    Minimum reserve capacity limit: The minimum amount of reserve flow capacity that should be available before Smart burst redistributes new reserve capacity after a baseline computation interval. Smart burst continues with the previously distributed capacities if the minimum reserve capacity is not available. The default is 20%. You can enter a value between 10-50%.
  4. Click OK.
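The Baseline Settings fields above interact arithmetically: the aggregation limit decides which samples count, the headroom turns a learned baseline into a "Baseline plus" value, the upper limit turns a manually set maximum into an alarm point, and the per-source limit carves a zone's committed burst into a per-source share. The following Python script is an added illustration of those relationships and is not HPE code; the percentile rule (sort, discard the top 5%, take the largest remaining sample) is an assumed reading of "the top 5% of the sample is discarded", the function and field names are this example's own, and the sample data is constructed.

```python
import math
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_INTERVAL_MINUTES = 5   # the page states metrics are sampled every five minutes


@dataclass
class BaselineSettings:
    """Fields of the Baseline Settings dialog; defaults and ranges are the page's."""
    data_aggregation_limit_pct: float = 95.0       # 75-100
    computation_interval_hours: int = 8            # 4-hour units, 4-240
    model_training_interval_days: int = 14         # 7-56
    baseline_upper_limit_pct: float = 90.0         # 50-100
    headroom_for_baseline_plus_pct: float = 20.0   # 5-100
    per_source_committed_burst_pct: float = 50.0   # 1-50

    def problems(self) -> List[str]:
        """Return the range violations the dialog would reject (empty list means valid)."""
        out = []
        if not 75 <= self.data_aggregation_limit_pct <= 100:
            out.append("Data aggregation limit must be 75-100%")
        if not 4 <= self.computation_interval_hours <= 240 or self.computation_interval_hours % 4:
            out.append("Computation interval must be a multiple of 4 hours, up to 240")
        if not 7 <= self.model_training_interval_days <= 56:
            out.append("Model training interval must be 7-56 days")
        if not 50 <= self.baseline_upper_limit_pct <= 100:
            out.append("Baseline upper limit must be 50-100%")
        if not 5 <= self.headroom_for_baseline_plus_pct <= 100:
            out.append("Headroom for baseline plus must be 5-100%")
        if not 1 <= self.per_source_committed_burst_pct <= 50:
            out.append("Per-source limit for committed burst must be 1-50%")
        return out


def samples_per_training_window(settings: BaselineSettings) -> int:
    """Number of five-minute samples that feed one baseline computation."""
    return settings.model_training_interval_days * 24 * 60 // SAMPLE_INTERVAL_MINUTES


def percentile_baseline(samples: List[float], limit_pct: float) -> float:
    """Assumed reading of the percentile method: sort the samples, discard the top
    (100 - limit_pct)% of them and take the largest remaining value as the baseline.
    The appliance's exact interpolation is not documented on the page."""
    if not samples:
        raise ValueError("no samples collected in the training interval")
    ordered = sorted(samples)
    keep = max(1, math.ceil(len(ordered) * limit_pct / 100.0))
    return float(ordered[keep - 1])


def baseline_plus(baseline: float, headroom_pct: float) -> float:
    """Baseline plus: the learned baseline with the configured headroom added on top."""
    return baseline * (1.0 + headroom_pct / 100.0)


def upper_limit_reached(current: float, max_baseline: float, upper_limit_pct: float) -> bool:
    """True when the current value reaches the Baseline upper limit, expressed as a
    percentage of the manually set maximum baseline; this is where the alarm is raised."""
    return current >= max_baseline * upper_limit_pct / 100.0


def per_source_committed_burst(zone_committed_burst: float, per_source_pct: float) -> float:
    """Share of a zone's committed burst that any single source may consume."""
    return zone_committed_burst * per_source_pct / 100.0


def compute_zone_baselines(samples_by_metric: Dict[str, List[float]],
                           settings: BaselineSettings) -> Dict[str, Dict[str, float]]:
    """One computation-interval run: a baseline and a baseline-plus value per metric."""
    bad = settings.problems()
    if bad:
        raise ValueError("; ".join(bad))
    result = {}
    for metric, samples in samples_by_metric.items():
        base = percentile_baseline(samples, settings.data_aggregation_limit_pct)
        result[metric] = {
            "baseline": base,
            "baseline_plus": baseline_plus(base, settings.headroom_for_baseline_plus_pct),
        }
    return result


# Constructed training data: 100 five-minute readings of flows per second for one zone.
# Normal traffic cycles between 100 and 290 fps; the last five readings are an attack
# spike that the 95% aggregation limit is meant to discard.
CONSTRUCTED_FPS_SAMPLES = [100 + (i % 20) * 10 for i in range(95)] + [5000, 6000, 7000, 8000, 9000]

if __name__ == "__main__":
    settings = BaselineSettings()
    print(compute_zone_baselines({"Flows per second": CONSTRUCTED_FPS_SAMPLES}, settings))
```

With the defaults, the five spike readings fall in the discarded top 5%, so the learned baseline is the highest normal reading (290 fps) and Baseline plus is 348 fps; raising the aggregation limit to 100% would instead let the spike set the baseline, which is the reason the NOTE asks for a training window that captures what distinguishes normal traffic from an attack.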

Add New Profiles

  1. Under the Profiles header, click Add.

    The Firewall Protection Profile dialog box opens.

  2. Enter a name for the profile.

  3. Select or clear any of the Security Settings check boxes.

    NOTE: When asymmetric routing is configured, strict three-way TCP enforcement and deep packet inspection (DPI) validation cannot be performed. To enable these settings, turn off asymmetric routing.

  4. In the DoS Thresholds field, select a preset threshold (Lenient, Moderate, Strict, Auto rate limit, or Smart burst). To further edit a preset threshold, click the edit icon next to the classification you want to edit.

    Alternatively, click Add Custom Threshold to define specific threshold values. For more information, see Set Firewall Protection Profile Thresholds.

    NOTE: To use Auto rate limit or Smart burst, you must enable baseline learning first. These options only appear in the menu after baseline learning is enabled.

  5. (Optional) Add exceptions to the following fields:

    Allowlist: Enter an existing Address Group. Any IP address contained within the Address Group is exempt from DoS threshold analysis. The Allowlist does not exempt flows from the options shown in the Security Settings section.

    Blocklist: Enter an existing Address Group to explicitly block any IP address contained within the configured Address Group.
  6. (Optional) Click Show advanced settings and set the following fields:

    Rapid aging: Set a threshold value (in seconds) to enforce the tearing down of TCP connections when the period of inactivity reaches the configured value (for example, 30s).

    Block duration: Enforce dynamic blocking of flows originating from a source for a specified duration (for example, 300s).

    Embryonic timeout: Set this value so that the firewall tears down half-open TCP connections when the timeout value is reached (for example, 30s). While a TCP connection goes through the three-way handshake (SYN, SYN-ACK, ACK), an embryonic connection is a half-open connection that has produced (for example) a SYN without the other two parts of the handshake. Flooding a target with half-open connections is a common form of denial of service (DoS) attack.

    Share committed burst: Select this check box to allow unused committed burst to be shared with other zones. This check box is enabled by default. For critical zones, you can disable this option, which retains the committed burst capacity for the zone itself.

Set Firewall Protection Profile Thresholds

To change the threshold settings:

  1. Either select a preset threshold from the DoS Thresholds drop-down list, or click Add Custom Threshold.

    The DoS Threshold dialog box opens.

  2. Set the following parameters:

    Classification: Flows can be classified in one of two ways:

      Zone level: Flows originating from multiple endpoints that are part of a single firewall zone.

      Source level: All flows originating from a single endpoint or source device.

    Metric: DoS thresholds can be configured with any or all of the three metrics available in a firewall protection profile:

      Flows per second: Flow rate in flows per second (fps). A single flow is a unidirectional set of packets sharing common attributes (source and destination IP addresses, ports, and protocol).

      Concurrent Flows: Number of flows that are active at a given point in time.

      Embryonic Flows: Half-open connections. While a TCP connection goes through the three-way handshake (SYN, SYN-ACK, ACK), an embryonic connection is a half-open connection that has produced (for example) a SYN without the other two parts of the handshake.

    IP Protocol: Select an IP protocol (TCP, UDP, ICMP, Others, or All) for use in threshold settings.

    Min Label: Select the method used to determine the min value:

      Baseline: If selected, the min value is determined by the system using baseline learning, and the corresponding Value field shows "Dynamic".

      Custom: If selected, you configure the min value by entering a percentage in the corresponding Value field.

    Value (min): Minimum threshold value as a percentage of target appliance flow capacity. When this value is breached, the protection profile takes the corresponding minimum action. If Baseline is selected as the Min Label, the system determines this value, and it cannot be configured.

    Action (min): Action to take when the min value is breached (Log, Rapid aging, Drop excess, or Block source). Because this corresponds to the min value, a less intensive action can be configured.

    Max Label: Select the method used to determine the max value:

      Custom: If selected, you configure the max value by entering a percentage in the corresponding Value field.

      Baseline plus: A buffer of 20% is added to the computed baseline when determining flow capacity. If selected, the max value is determined by the system using baseline learning, and the corresponding Value field shows "Dynamic".

      Committed burst: Reserve flow capacity is divided equally or proportionally among all zones configured for Smart burst. If selected, the max value is determined by the system using baseline learning, and the corresponding Value field shows "Dynamic".

      Excess burst: Continuously, on a per-second basis, unused committed burst (distributed reserve flow capacity) is collected from all zones and shared as a second level of support for all zones. If selected, the max value is determined by the system using baseline learning, and the corresponding Value field shows "Dynamic".

    Value (max): Maximum threshold value as a percentage of target appliance flow capacity. When this value is breached, the protection profile takes the corresponding maximum action. If Baseline plus, Committed burst, or Excess burst is selected as the Max Label, the system determines this value, and it cannot be configured.

    Action (max): Action to take when the max value is breached (Log, Rapid aging, Drop excess, or Block source). Because this corresponds to the max value, a more intensive action can be configured.
  3. Click OK.
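The DoS Threshold parameters above form a small decision rule: the Classification decides whether flows are counted per zone or per source, the Metric and IP Protocol decide which flows are counted, the Min and Max Labels resolve to absolute flow counts (a Custom percentage of appliance flow capacity, or a Dynamic value supplied by baseline learning), and whichever limit is breached selects the corresponding Action. The Python script below is an added example of that rule applied to a constructed snapshot of flows; it is not HPE code. The class and function names are this example's own, the appliance flow capacity and the Dynamic values are constructed stand-ins for what baseline learning would supply, and "Flows per second" is counted as flows first seen in the current one-second window, which is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Actions in increasing intensity, as listed on the page.
ACTIONS = ("Log", "Rapid aging", "Drop excess", "Block source")
CLASSIFICATIONS = ("Zone level", "Source level")
METRICS = ("Flows per second", "Concurrent Flows", "Embryonic Flows")


@dataclass
class DosThreshold:
    """One DoS Threshold entry. A None value means 'Dynamic' (system-determined)."""
    classification: str
    metric: str
    ip_protocol: str                 # TCP, UDP, ICMP, Others or All
    min_label: str                   # Baseline or Custom
    min_value_pct: Optional[float]   # % of appliance flow capacity when Custom
    min_action: str
    max_label: str                   # Custom, Baseline plus, Committed burst or Excess burst
    max_value_pct: Optional[float]
    max_action: str

    def __post_init__(self) -> None:
        if self.classification not in CLASSIFICATIONS or self.metric not in METRICS:
            raise ValueError("unknown classification or metric")
        if self.min_action not in ACTIONS or self.max_action not in ACTIONS:
            raise ValueError("unknown action")
        if (self.min_label == "Custom") != (self.min_value_pct is not None):
            raise ValueError("min value is configurable only when Min Label is Custom")
        if (self.max_label == "Custom") != (self.max_value_pct is not None):
            raise ValueError("max value is configurable only when Max Label is Custom")


@dataclass
class Flow:
    """A unidirectional flow as seen by the firewall (constructed for this example)."""
    zone: str
    source_ip: str
    protocol: str
    embryonic: bool      # True while the TCP three-way handshake is incomplete
    start_second: int    # second in which the flow was first seen


def resolve_limits(t: DosThreshold, flow_capacity: float,
                   dynamic: Dict[str, float]) -> Tuple[float, float]:
    """Turn the Min/Max Labels into absolute flow counts: Custom values are a percentage
    of appliance flow capacity, Dynamic labels are looked up in the baseline-derived values."""
    lo = flow_capacity * t.min_value_pct / 100.0 if t.min_label == "Custom" else dynamic["Baseline"]
    hi = flow_capacity * t.max_value_pct / 100.0 if t.max_label == "Custom" else dynamic[t.max_label]
    return lo, hi


def count_flows(flows: List[Flow], t: DosThreshold, now_second: int) -> Dict[str, int]:
    """Aggregate flows per zone or per source, applying the IP Protocol filter and the metric."""
    counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        if t.ip_protocol != "All" and f.protocol != t.ip_protocol:
            continue
        if t.metric == "Embryonic Flows" and not f.embryonic:
            continue
        if t.metric == "Flows per second" and f.start_second != now_second:
            continue
        key = f.zone if t.classification == "Zone level" else f"{f.zone}/{f.source_ip}"
        counts[key] += 1
    return dict(counts)


def decide_action(count: int, lo: float, hi: float, t: DosThreshold) -> Optional[str]:
    """A max breach takes the max action, a min breach the min action, otherwise nothing."""
    if count > hi:
        return t.max_action
    if count > lo:
        return t.min_action
    return None


def evaluate(flows: List[Flow], t: DosThreshold, flow_capacity: float,
             dynamic: Dict[str, float], now_second: int) -> Dict[str, Tuple[int, str]]:
    """Return only the zones or sources that breached the threshold, with the action taken."""
    lo, hi = resolve_limits(t, flow_capacity, dynamic)
    out = {}
    for key, count in count_flows(flows, t, now_second).items():
        action = decide_action(count, lo, hi, t)
        if action is not None:
            out[key] = (count, action)
    return out


# Constructed snapshot: one source in zone "dmz" holds 60 TCP flows, 50 of them half-open.
def constructed_flows() -> List[Flow]:
    flows = [Flow("dmz", "10.0.0.5", "TCP", i < 50, 0) for i in range(60)]
    flows += [Flow("dmz", "10.0.0.6", "TCP", False, 0) for _ in range(10)]
    flows += [Flow("lan", "10.1.0.1", "UDP", False, 0) for _ in range(5)]
    return flows

# Constructed stand-ins for the Dynamic values baseline learning would supply.
CONSTRUCTED_DYNAMIC = {"Baseline": 60.0, "Baseline plus": 72.0,
                       "Committed burst": 80.0, "Excess burst": 95.0}
APPLIANCE_FLOW_CAPACITY = 1000.0  # constructed

EMBRYONIC_PER_SOURCE = DosThreshold("Source level", "Embryonic Flows", "TCP",
                                    "Custom", 2.0, "Log", "Custom", 4.0, "Block source")
CONCURRENT_PER_ZONE = DosThreshold("Zone level", "Concurrent Flows", "All",
                                   "Baseline", None, "Rapid aging", "Baseline plus", None, "Drop excess")

if __name__ == "__main__":
    for t in (EMBRYONIC_PER_SOURCE, CONCURRENT_PER_ZONE):
        print(t.classification, t.metric,
              evaluate(constructed_flows(), t, APPLIANCE_FLOW_CAPACITY, CONSTRUCTED_DYNAMIC, 0))
```

The source-level embryonic threshold isolates the one host holding 50 half-open TCP connections (above the 4% Custom max of 40) and applies Block source, while the zone-level concurrent-flow threshold sees the whole zone at 70 flows, between the learned Baseline (60) and Baseline plus (72), and applies only the milder min action; this is the reason the page suggests a less intensive action for the min value and a more intensive one for the max.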

Add Profile Mappings

After you create a profile, you can map it to a segment and zone of your firewall to achieve the expected behavior.

To map a profile to a segment:

  1. Click Add under the Profile Mappings header.

  2. Click the box under the Segment field and start typing the segment you want to map to your profile, then click the segment.

  3. Click the box under the Zone field and start typing the zone you want to assign to your profile, then click the zone.

  4. Click the box under the Profile Name field and select the profile you created earlier.

  5. Click Save.



© Copyright 2025 Hewlett Packard Enterprise Development LP.
