Configuring blacklist, Overview, Recommended configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual

Configuring blacklist

The blacklist configuration is available only in the web interface.

Overview

The blacklist is an attack prevention mechanism that filters packets based on source IP address. Compared with ACL-based packet filtering, the blacklist feature is easier to configure and quickly filters packets sourced from particular IP addresses.

The firewall can dynamically add and remove blacklist entries. This is implemented in cooperation with the scanning detection feature. When the firewall detects that packets sourced from an IP address have a behavior pattern that implies a potential scanning attack, it automatically blacklists the IP address to filter subsequent packets sourced from that IP address. Blacklist entries added in this way age out after a period of time.

NOTE:

For more information about scanning detection configuration, see "Configuring traffic abnormality
detection."

The firewall also supports adding and removing blacklist entries manually. Manually configured blacklist entries fall into two categories: permanent and non-permanent. A permanent blacklist entry is always present unless it is removed manually, whereas a non-permanent blacklist entry has a limited lifetime that depends on your configuration. When the lifetime of a non-permanent entry expires, the firewall removes the entry from the blacklist, allowing the packets of the IP address defined by the entry to pass through.

Recommended configuration procedure

Step 1. Enabling the blacklist function
    Remarks: Required.
    By default, the blacklist function is disabled.

Step 2. Configuring the scanning detection feature to add blacklist entries automatically
Step 3. Adding a blacklist entry manually
    Remarks (steps 2 and 3): Required.
    Complete either of the tasks.
    For more information about scanning detection configuration, see "Configuring traffic abnormality detection."
    By default, no blacklist entries exist.

    IMPORTANT:
    If you modify a dynamic blacklist entry, the entry will turn into a manual one.

Step 4. Viewing the blacklist
    Remarks: Optional.
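The entry lifecycle described in the overview and in the IMPORTANT note above, as an added Python model; it is not H3C code and is not part of the manual. The class and method names, the time values in seconds, and the choice to remove an expired entry on lookup are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    kind: str                  # "dynamic" (scanning detection) or "manual"
    expires: Optional[float]   # None = permanent; otherwise absolute time in seconds

class Blacklist:
    """Illustrative model of the blacklist entry lifecycle (hypothetical names)."""

    def __init__(self):
        self.enabled = False   # the manual states the function is disabled by default
        self.entries = {}      # source IP -> Entry

    def add_dynamic(self, ip, now, aging):
        # Added by scanning detection; always ages out (aging value is assumed).
        self.entries[ipaddress.ip_address(ip)] = Entry("dynamic", now + aging)

    def add_manual(self, ip, now, lifetime=None):
        # lifetime=None -> permanent entry; a number -> non-permanent entry.
        expires = None if lifetime is None else now + lifetime
        self.entries[ipaddress.ip_address(ip)] = Entry("manual", expires)

    def modify(self, ip, now, lifetime=None):
        # Modifying any entry, including a dynamic one, leaves a manual entry.
        if ipaddress.ip_address(ip) not in self.entries:
            raise KeyError(ip)
        self.add_manual(ip, now, lifetime)

    def permits(self, src, now):
        # True if a packet from `src` passes the blacklist check at time `now`.
        if not self.enabled:
            return True
        key = ipaddress.ip_address(src)
        entry = self.entries.get(key)
        if entry is None:
            return True
        if entry.expires is not None and now >= entry.expires:
            del self.entries[key]   # lifetime expired: entry removed, traffic passes
            return True
        return False

    def kind(self, ip):
        entry = self.entries.get(ipaddress.ip_address(ip))
        return entry.kind if entry else None
```

In this model, modifying a dynamic entry without giving it a lifetime produces a permanent manual entry, so the address stays blocked until someone removes it; that is the case worth checking when reviewing the blacklist after editing entries created by scanning detection.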
