Login
- Table of Contents
-
- 09-Configuration Examples
- 01-Web Login Configuration Examples
- 02-Internet Access Through a Static IP Address Configuration Examples
- 03-Internet access through PPPoE configuration examples
- 04-License Configuration Examples
- 05-Signature Library Upgrade Configuration Examples
- 06-Software Upgrade Examples
- 06-Software Upgrade Examples (only for F50X0-D and F5000-AK5X5 firewalls)
- 07-Routing deployment configuration examples
- 08-Transparent deployment configuration examples
- 09-Static routing configuration examples
- 10-RIP configuration examples
- 11-OSPF configuration examples
- 12-BGP configuration examples
- 13-Policy-based routing configuration examples
- 14-Security Policy Configuration Examples
- 15-APR-Based Security Policy Configuration Examples
- 16-Object Group Configuration Examples
- 17-User identification configuration examples
- 18-Attack defense configuration examples
- 19-IPCAR Configuration Examples
- 20-IPS Configuration Examples
- 21-URL Filtering Configuration Examples
- 22-Anti-Virus Configuration Examples
- 23-File Filtering Configuration Examples
- 24-Data Filtering Configuration Examples
- 25-WAF Configuration Examples
- 26-IP Reputation Configuration Examples
- 27-APT Defense Configuration Examples
- 28-NetShare Control Configuration Examples
- 29-Bandwidth Management Configuration Examples
- 30-IPsec configuration examples
- 31-SSL VPN IP access configuration examples
- 31-SSL VPN TCP access configuration examples
- 31-SSL VPN Web access configuration examples
- 32-L2TP Configuration Examples
- 33-NAT configuration examples
- 34-NPTv6 Configuration Examples
- 35-Policy-based NAT configuration examples
- 36-NAT hairpin configuration examples
- 37-NAT Flow Logging Configuration Examples
- 38-Inbound Link Load Balancing Configuration Examples
- 39-Outbound Link Load Balancing Configuration Examples
- 40-Server Load Balancing Configuration Examples
- 41-Transparent DNS Proxy Configuration Examples
- 42-High Availability Group Configuration Examples
- 43-Context Configuration Examples
- 43-Context Configuration Examples(only for F50X0-D and F5000-AK5X5 firewalls)
- 44-IRF configuration examples
- 44-IRF configuration examples(only for F50X0-D and F5000-AK5X5 firewalls)
- 45-DHCP configuration examples
- 46-DNS configuration examples
- 47-Server Connection Detection Configuration Examples
- 48-Connection Limit Configuration Examples
- 49-Public key management configuration examples
- 50-SSL Decryption Configuration Examples
- 51-MAC Address Learning Through a Layer 3 Device Configuration Examples
- 52-4G Configuration Examples
- 53-WLAN Configuration Examples
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 47-Server Connection Detection Configuration Examples | 345.84 KB |
Server connection detection configuration examples
Contents
The following information provides server connection detection (SCD) configuration examples.
This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of the SCD feature.
Network configuration
As shown in Figure 1, configure SCD on the device to perform the following tasks:
· Monitor connections initiated by servers in subnet 2.2.1.0/24 for one day.
· Logs all connections initiated by the server except for TCP connections destined for TCP ports 80 and 443 on host 2.2.3.2/24.
Software versions used
This configuration example was created and verified on R8860 of the F1000-AI-55 device.
Procedure
1. Assign IP addresses to interfaces and add the interfaces to security zones:
# On the top navigation bar, click Network.
# From the navigation pane, select Interface Configuration > Interfaces.
# Click the Edit icon for GE 1/0/1.
# In the dialog box that opens, configure the interface:
a. Select the DMZ security zone.
b. Click the IPv4 Address tab, and then enter the IP address and mask of the interface. In this example, enter 2.2.1.1/24.
c. Click OK.
# Add GE 1/0/2 to the Untrust security zone and set its IP address to 2.2.2.1./24 in the same way you configure GE 1/0/1.
2. Configure a route:
This example configures a static route. If dynamic routes are required, configure a dynamic routing protocol.
# On the top navigation bar, click Network.
# From the navigation pane, select Routing > Static Routing.
# On the IPv4 Static Routing tab, click Create.
# In the dialog box that opens, create an IPv4 static route:
¡ Enter destination address 2.2.3.0.
¡ Enter mask length 24.
¡ Enter next hop address 2.2.2.2.
# Click OK.
3. Create a security policy:
# On the top navigation bar, click Policies.
# From the navigation pane, select Security Policies > Security Policies.
# Click Create.
# In the dialog box that opens, configure a security policy:
¡ Enter policy name test-a.
¡ Select source zone DMZ.
¡ Select destination zone Untrust.
¡ Select type IPv4.
¡ Select action Permit.
¡ Select source IP address 2.2.1.0/24.
# Cilck OK.
4. Create an internal IP address object group.
# On the top navigation bar, click Objects.
# From the navigation pane, select Object Groups > IPv4 Address Object Groups.
# Click Create.
# In the dialog box that opens, configure the IPv4 address object group:
a. Enter a group name. In this example, enter abc.
b. Enter a description. In this example, enter 2.2.1.0/24.
Figure 2 Creating IPv4 address object group
c. Click Add.
d. In the dialog box that opens, select the Network segment object, and enter the IPv4 address and mask 2.2.1.0/24.
Figure 3 Creating object
e. Click OK.
5. Configure server connection learning.
# On the top navigation bar, click Policies.
# From the navigation pane, select Server Connection Detect > SCD learning.
# Enter a server address. In this example, enter abc.
# Select a learning period. In this example, select 24 hours.
# Click Apply.
Figure 4 Configuring server connection learning
6. Configure an SCD policy.
# On the top navigation bar, click Policies.
# From the navigation pane, select Server Connection Detect > SCD Policy.
# Click Create.
# In the dialog box that opens, create an SCD policy:
a. Enter a policy name. In this example, enter policy1.
b. Enter a server address. In this example, enter 2.2.1.2.
c. Enable policy.
d. Enable SCD logging.
Figure 5 Creating an SCD policy
e. Click Create.
f. In the dialog box that opens, enter the destination address 2.2.3.12 and TCP ports 80 and 443.
Figure 6 Creating an SCD rule
g. Click OK to create the SCD rule.
h. Click OK to create the SCD policy.
Verifying the configuration
To view the logs generated for server connection events, click Monitor on the top navigation bar, and then select Device Logs > System Logs from the navigation pane.
Figure 7 Viewing the device logs
