10.3. Threshold Rules
10.3.1. Overview
The objective of a Threshold Rule is to have a means of detecting abnormal connection activity as
well as reacting to it. An example of a cause for such abnormal activity might be an internal host
becoming infected with a virus that is making repeated connections to external IP addresses. It
might alternatively be some external source trying to open excessive numbers of connections. (A
"connection" in this context refers to all types of connections, such as TCP, UDP or ICMP, tracked
by the NetDefendOS state-engine.)
Note: Threshold Rules are not available on all D-Link models
The Threshold Rules feature is only available on the D-Link DFL-800, DFL-860,
DFL-1600 and DFL-2500 product models.
Threshold Policies
A Threshold Rule is like a normal policy-based rule. A combination of source/destination
network/interface can be specified for a rule and a type of service such as HTTP can be associated
with it. Each rule can have associated with it one or more Actions which specify how to handle
different threshold conditions.
A Threshold has the following parameters:
• Action - The response to exceeding the limit: either Audit or Protect
• Group By - Either Host or Network based
• Threshold - The numerical limit which must be exceeded to trigger a response
• Threshold Type - Limiting connections per second or limiting total number of concurrent connections
These parameters are described below:
10.3.2. Limiting the Connection Rate/Total Connections
Connection Rate Limiting allows an administrator to put a limit on the number of new connections
being opened to the D-Link Firewall per second.
Total Connection Limiting allows the administrator to put a limit on the total number of connections
opened to the D-Link Firewall. This function is extremely useful when NAT pools are required due
to the large number of connections generated by P2P users.
10.3.3. Grouping
The two groupings are as follows:
• Host Based - The threshold is applied separately to connections from different IP addresses.
• Network Based - The threshold is applied to all connections matching the rules as a group.
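The following Python sketch is an added illustration, not NetDefendOS code or configuration. It models the two threshold types and the two groupings described above over a constructed event list, to show how the grouping changes which connections exceed a limit. The function name evaluate, the event format, the one-second sliding window and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample: (time in seconds, "open" or "close", source IP).
# 192.168.1.50 plays the infected host opening connections in a burst.
EVENTS = [
    (0.0, "open", "192.168.1.10"),
    (0.1, "open", "192.168.1.50"),
    (0.2, "open", "192.168.1.50"),
    (0.3, "open", "192.168.1.50"),
    (0.4, "open", "192.168.1.50"),
    (0.5, "open", "192.168.1.50"),
    (0.6, "open", "192.168.1.20"),
    (0.7, "open", "192.168.1.50"),
    (2.0, "close", "192.168.1.10"),
    (2.5, "open", "192.168.1.20"),
]

def evaluate(events, kind, limit, group_by):
    """Return (time, group, count) for every new connection that exceeds the limit.

    kind:     "rate"  = new connections during the last second (assumed sliding window)
              "total" = connections currently open
    group_by: "host"  = counted separately per source IP
              "network" = all matching connections counted as one group
    """
    recent = defaultdict(deque)  # group -> timestamps of opens in the last second
    active = defaultdict(int)    # group -> number of connections currently open
    triggered = []
    for t, what, src in events:
        group = src if group_by == "host" else "network"
        if what == "close":
            active[group] = max(0, active[group] - 1)
            continue
        active[group] += 1
        window = recent[group]
        window.append(t)
        while window[0] <= t - 1.0:  # forget opens older than one second
            window.popleft()
        count = len(window) if kind == "rate" else active[group]
        if count > limit:  # the limit must be exceeded, not merely reached
            triggered.append((t, group, count))
    return triggered

if __name__ == "__main__":
    for kind, group_by in [("rate", "host"), ("rate", "network"), ("total", "network")]:
        print(kind, group_by, evaluate(EVENTS, kind, 4, group_by))
```

With Host Based grouping and a rate limit of 4, only 192.168.1.50 is reported. With Network Based grouping the same limit is also exceeded by the connection from 192.168.1.20 at 0.6 s, because every matching connection counts toward one shared total.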
10.3.4. Rule Actions
When a Threshold Rule is triggered, one of two responses is possible:
• Audit - Leave the connection intact but log the event.
Chapter 10. Traffic Management