Configuring blacklist, Overview, Recommended configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual
Configuring blacklist
The blacklist configuration is available only in the web interface.
Overview
The blacklist is an attack prevention mechanism that filters packets based on source IP address. Compared with ACL-based packet filtering, the blacklist feature is easier to configure and faster at filtering packets sourced from particular IP addresses.

The firewall can dynamically add and remove blacklist entries. This is implemented in cooperation with the scanning detection feature. When the firewall detects that packets sourced from an IP address show a behavior pattern that implies a potential scanning attack, it automatically blacklists the IP address to filter subsequent packets sourced from that address. Blacklist entries added in this way age out after a period of time.
NOTE:
For more information about scanning detection configuration, see "Configuring traffic abnormality detection."
The firewall also supports adding and removing blacklist entries manually. Manually configured blacklist entries fall into two categories: permanent and non-permanent. A permanent blacklist entry remains present unless it is removed manually, whereas a non-permanent blacklist entry has a limited lifetime that depends on your configuration. When the lifetime of a non-permanent entry expires, the firewall removes the entry from the blacklist, allowing packets from the IP address defined by the entry to pass through.
Recommended configuration procedure

Step 1
    Remarks: Required. By default, the blacklist function is disabled.

Step 2. Configuring the scanning detection feature to add blacklist entries automatically
    Remarks: Required. Complete either of the tasks. For more information about scanning detection configuration, see "Configuring traffic abnormality detection."

    Remarks: By default, no blacklist entries exist.
    IMPORTANT: If you modify a dynamic blacklist entry, the entry will turn into a manual one.

    Remarks: Optional.
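The overview and the procedure table above describe four behaviours: filtering by source IP, dynamic entries added by scanning detection that age out, manual entries that are either permanent or expire after a configured lifetime, and a dynamic entry becoming a manual one when it is modified. The following is an added example that models those semantics in Python; it is not H3C code and does not reflect how the SecPath firewall implements the feature internally. The aging time for dynamic entries, the `scanning_detector` heuristic (distinct destination ports per source) and all IP addresses and traffic are assumptions constructed for the example, since the page does not give those values.

```python
"""Model of the blacklist semantics described on this page (added example,
not H3C code). Entries are keyed by source IP. Dynamic entries age out;
manual entries are permanent or have a lifetime; modifying a dynamic entry
converts it into a manual one, as the IMPORTANT note in the procedure says."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class BlacklistEntry:
    src_ip: str
    source: str                 # "dynamic" (scanning detection) or "manual" (operator)
    expires_at: Optional[float]  # None = permanent; otherwise absolute time in seconds


class Blacklist:
    def __init__(self, dynamic_age_seconds: float = 600.0):
        # Assumed aging time for dynamic entries; the page gives no value.
        self.dynamic_age_seconds = dynamic_age_seconds
        self.entries: Dict[str, BlacklistEntry] = {}

    def add_dynamic(self, src_ip: str, now: float) -> None:
        """Entry created by scanning detection; ages out after dynamic_age_seconds."""
        self.entries[src_ip] = BlacklistEntry(src_ip, "dynamic", now + self.dynamic_age_seconds)

    def add_manual(self, src_ip: str, now: float, lifetime: Optional[float] = None) -> None:
        """Manual entry: permanent when lifetime is None, otherwise non-permanent."""
        expires = None if lifetime is None else now + lifetime
        self.entries[src_ip] = BlacklistEntry(src_ip, "manual", expires)

    def modify(self, src_ip: str, now: float, lifetime: Optional[float]) -> BlacklistEntry:
        """Any modification (including of a dynamic entry) yields a manual entry."""
        if src_ip not in self.entries:
            raise KeyError(src_ip)
        self.add_manual(src_ip, now, lifetime)
        return self.entries[src_ip]

    def expire(self, now: float) -> List[str]:
        """Drop entries whose lifetime has passed; return the removed IPs."""
        gone = [ip for ip, e in self.entries.items()
                if e.expires_at is not None and e.expires_at <= now]
        for ip in gone:
            del self.entries[ip]
        return gone

    def permits(self, src_ip: str, now: float) -> bool:
        """Filter decision for a packet with the given source IP."""
        self.expire(now)
        return src_ip not in self.entries


def scanning_detector(packets: Iterable[Tuple[str, int]], threshold: int) -> Set[str]:
    """Assumed toy heuristic: a source that touches more than `threshold`
    distinct destination ports is flagged as a potential scanner."""
    ports_by_src: Dict[str, Set[int]] = {}
    for src, dst_port in packets:
        ports_by_src.setdefault(src, set()).add(dst_port)
    return {src for src, ports in ports_by_src.items() if len(ports) > threshold}


def demo() -> Dict[str, bool]:
    bl = Blacklist(dynamic_age_seconds=600)
    # Constructed sample traffic: (source IP, destination port). 10.0.0.5 probes
    # 24 ports; 10.0.0.9 only talks to two web ports.
    traffic = [("10.0.0.5", p) for p in range(1, 25)] + [("10.0.0.9", 80), ("10.0.0.9", 443)]
    for src in scanning_detector(traffic, threshold=10):
        bl.add_dynamic(src, now=0)
    bl.add_manual("192.0.2.7", now=0)                # permanent manual entry
    bl.add_manual("192.0.2.8", now=0, lifetime=120)  # non-permanent manual entry
    return {
        "scanner_blocked_now": not bl.permits("10.0.0.5", now=1),
        "normal_host_allowed": bl.permits("10.0.0.9", now=1),
        "nonpermanent_allowed_after_lifetime": bl.permits("192.0.2.8", now=121),
        "dynamic_allowed_after_aging": bl.permits("10.0.0.5", now=601),
        "permanent_still_blocked": not bl.permits("192.0.2.7", now=10_000),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `permits` method runs expiry before each lookup, which is the simplest way to show why a non-permanent or dynamic entry stops filtering exactly when its lifetime ends; a real device would typically age entries on a timer instead. The `modify` method is where the IMPORTANT note matters for operators: after editing a scanner-added entry it no longer ages out on its own, so review such entries periodically rather than assuming they will clear themselves.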