Bidirectional proxy, Configuring tcp proxy, Recommended configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual


Bidirectional proxy

Figure 38 Data exchange process in bidirectional proxy mode

After receiving a SYN message from a client to the protected server (a message that matches a protected IP address entry), the TCP proxy replies on behalf of the server with a SYN ACK message whose window size is 0. If the client is legitimate, the TCP proxy receives an ACK message from it, and then sets up a connection between itself and the server through a three-way handshake on behalf of the client. Because two separate TCP connections are established, each uses its own sequence numbers; the TCP proxy translates between them when relaying data between the client and the server.
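The exchange described above, as an added simulation that is not H3C code and not part of the manual: a client SYN to a protected IP is answered by the proxy with a window-0 SYN ACK, only a client that returns the ACK causes the proxy to open its own connection to the server, and the two connections carry independent initial sequence numbers that the proxy translates. The window update sent to the client once the server side is established, and pass-through of traffic to non-protected addresses, are assumptions of this example rather than statements from the manual; all addresses and sequence numbers are constructed.

```python
"""Simulation of the bidirectional TCP proxy handshake (added example, not H3C code)."""
from dataclasses import dataclass
import random


@dataclass
class Segment:
    src: str
    dst: str
    flags: str                  # "SYN", "SYN-ACK", "ACK", "PSH-ACK"
    seq: int
    ack: int = 0
    window: int = 65535
    payload: bytes = b""


@dataclass
class Flow:
    client: str
    server: str
    client_isn: int             # ISN chosen by the client
    proxy_client_isn: int       # ISN the proxy used toward the client
    proxy_server_isn: int = 0   # ISN the proxy uses toward the server
    server_isn: int = 0         # ISN chosen by the server
    state: str = "SYN_RECEIVED"


class BidirectionalTcpProxy:
    def __init__(self, protected_ips, seed=1):
        self.protected = set(protected_ips)   # the protected IP address entries
        self.rng = random.Random(seed)
        self.flows = {}
        self.sent_to_server = []              # every segment the proxy emitted toward a server
        self.sent_to_client = []

    def _isn(self):
        return self.rng.randrange(1, 1 << 31)

    def from_client(self, seg):
        """Segment arriving on the client side."""
        if seg.dst not in self.protected:
            return None                       # assumption: not proxied, passes through
        key = (seg.src, seg.dst)
        if seg.flags == "SYN":
            # Answer for the server with window 0; the server is not contacted yet.
            flow = Flow(seg.src, seg.dst, seg.seq, self._isn())
            self.flows[key] = flow
            reply = Segment(seg.dst, seg.src, "SYN-ACK", flow.proxy_client_isn, seg.seq + 1, window=0)
            self.sent_to_client.append(reply)
            return reply
        flow = self.flows.get(key)
        if flow is None:
            return None                       # no handshake state: drop
        if flow.state == "SYN_RECEIVED" and seg.flags == "ACK":
            if seg.ack != flow.proxy_client_isn + 1:
                return None                   # wrong acknowledgement number: drop
            # Client is legitimate: open the proxy-to-server connection on its behalf.
            flow.state, flow.proxy_server_isn = "SERVER_SYN_SENT", self._isn()
            syn = Segment(seg.src, seg.dst, "SYN", flow.proxy_server_isn)
            self.sent_to_server.append(syn)
            return syn
        if flow.state == "ESTABLISHED":
            # Translate client-side sequence/ack numbers into the server-side connection.
            out = Segment(seg.src, seg.dst, seg.flags,
                          seq=flow.proxy_server_isn + (seg.seq - flow.client_isn),
                          ack=flow.server_isn + (seg.ack - flow.proxy_client_isn),
                          window=seg.window, payload=seg.payload)
            self.sent_to_server.append(out)
            return out
        return None

    def from_server(self, seg):
        """Segment arriving on the server side."""
        flow = self.flows.get((seg.dst, seg.src))
        if flow is None:
            return None
        if flow.state == "SERVER_SYN_SENT" and seg.flags == "SYN-ACK":
            flow.server_isn, flow.state = seg.seq, "ESTABLISHED"
            ack = Segment(flow.client, flow.server, "ACK", flow.proxy_server_isn + 1, seg.seq + 1)
            self.sent_to_server.append(ack)
            # Assumption: now open the client's window so it may start sending.
            self.sent_to_client.append(Segment(flow.server, flow.client, "ACK",
                                               flow.proxy_client_isn + 1, flow.client_isn + 1))
            return ack
        if flow.state == "ESTABLISHED":
            out = Segment(seg.src, seg.dst, seg.flags,
                          seq=flow.proxy_client_isn + (seg.seq - flow.server_isn),
                          ack=flow.client_isn + (seg.ack - flow.proxy_server_isn),
                          window=seg.window, payload=seg.payload)
            self.sent_to_client.append(out)
            return out
        return None


def legitimate_session():
    """Constructed exchange: a real client completes the handshake and sends 5 bytes."""
    p = BidirectionalTcpProxy(["10.0.0.5"])
    c, s, c_isn, s_isn = "192.0.2.10", "10.0.0.5", 1000, 5000
    synack = p.from_client(Segment(c, s, "SYN", c_isn))
    p.from_client(Segment(c, s, "ACK", c_isn + 1, synack.seq + 1))
    p.from_server(Segment(s, c, "SYN-ACK", s_isn, p.sent_to_server[-1].seq + 1))
    data = p.from_client(Segment(c, s, "PSH-ACK", c_isn + 1, synack.seq + 1, payload=b"hello"))
    flow = p.flows[(c, s)]
    return {"synack_window": synack.window, "state": flow.state,
            "server_side_seq_offset": data.seq - flow.proxy_server_isn,   # relative to proxy's server ISN
            "server_side_ack_offset": data.ack - s_isn}                   # relative to server's ISN


def spoofed_syn_flood(n=200):
    """Constructed flood: sources that never return the ACK never reach the server."""
    p = BidirectionalTcpProxy(["10.0.0.5"])
    for i in range(n):
        p.from_client(Segment(f"203.0.113.{i + 1}", "10.0.0.5", "SYN", i))
    return {"half_open_at_proxy": len(p.flows), "segments_to_server": len(p.sent_to_server)}
```

The two scenario functions make the protective effect visible: the legitimate client ends in an ESTABLISHED flow whose data segment is renumbered into the server-side sequence space, while the flood of unacknowledged SYNs leaves state only at the proxy and produces no segment toward the protected server.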

Configuring TCP proxy

Recommended configuration procedure

Task: Performing global TCP proxy setting
Remarks: Optional. The configuration takes effect on all security zones. By default, bidirectional proxy is used.

Task: Enabling TCP proxy for a security zone
Remarks: Required. By default, the TCP proxy feature is disabled globally.

Task: Adding a protected IP address entry
Remarks: At least one method is required. You can add protected IP address entries by either of the following methods:
Static—Add entries manually. By default, no such entries are configured in the system.
Dynamic—Select Intrusion Detection > Traffic Abnormality > SYN Flood, and then select the Add protected IP entry to TCP Proxy box. After the configuration, the TCP proxy-enabled device automatically adds protected IP address entries when it detects SYN flood attacks. For more information, see "Configuring traffic abnormality detection."
Configure to Automatically Add a Protected IP address Entry

Task: Displaying information about protected IP address entries
Remarks: Optional. You can view information about all protected IP address entries.
