To provide refined, service-specific defense for servers or major services in the Zone, or defense for TCP, UDP, and HTTP ephemeral ports, you can create a service.
The basic policies of the Zone have been configured. For details, see Configuring a Defense Mode.
During traffic cleaning, the cleaning device first matches services by destination IP address, service type, and destination port. After successful matching, detection and defense are performed according to service-specific defense policies. Otherwise, detection and defense are performed according to the default defense policies by protocol type.
On certain devices, only traffic limiting can be configured in the defense policy of a service. In this case, detection and defense are performed on service traffic according to the default defense policy. The procedure is as follows: when cleaning traffic, the cleaning device first matches services by service type and destination IP address. After successful matching, the cleaning device matches the default defense policy by protocol type for detection and defense. Then the cleaning device limits traffic according to the traffic limiting policy of the service.
For fragments, service-specific defense policies apply only to the first fragment. Subsequent fragments will not go through the defense process even if they match the service.
Service learning can be used to configure TCP and UDP services. For details, see Configuring a Service Learning Task.
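The matching order described above can be modeled offline to check which policy a given flow would fall under. This is an added example, not vendor code or the device's implementation; the class names, the `limit_only` flag, the returned labels, and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Service:
    name: str
    protocol: str             # service type, e.g. "TCP", "UDP", "HTTP"
    dst_ip: str               # protected destination IP defined in the Zone
    ports: tuple              # entries such as "8080" or "1024-1030"
    limit_only: bool = False  # hypothetical flag: device offers only traffic limiting

    def covers(self, port):
        # A port entry is either a single number or a low-high range.
        for spec in self.ports:
            low, _, high = spec.partition("-")
            if int(low) <= port <= int(high or low):
                return True
        return False

@dataclass(frozen=True)
class Packet:
    protocol: str                # assumed to be classified before matching
    dst_ip: str
    dst_port: int
    first_fragment: bool = True  # False for a non-first IP fragment

def select_policy(pkt, services):
    """Return (defense policy, traffic-limit policy) labels for one packet."""
    default = "default:" + pkt.protocol
    if not pkt.first_fragment:
        # Service-specific policies apply only to the first fragment.
        return ("service-policy-skipped", None)
    for svc in services:
        if svc.protocol != pkt.protocol or ip_address(svc.dst_ip) != ip_address(pkt.dst_ip):
            continue
        if svc.limit_only:
            # Matched by service type and destination IP: default defense
            # policy first, then the service's traffic limiting policy.
            return (default, "limit:" + svc.name)
        if svc.covers(pkt.dst_port):
            return ("service:" + svc.name, None)
    return (default, None)  # no service matched: default policy by protocol type

def uncovered(endpoints, services):
    """Endpoints (protocol, ip, port) that only get the default policy."""
    return [e for e in endpoints
            if select_policy(Packet(*e), services) == ("default:" + e[0], None)]

# Constructed sample data (documentation address range), not from the page.
SERVICES = [Service("web", "HTTP", "192.0.2.10", ("8080",)),
            Service("game", "UDP", "192.0.2.20", ("1024-1030",))]
```

Running `uncovered()` over an inventory of published endpoints lists the ones that would be handled only by the default policy, which is a quick way to spot a service definition that was never created or has the wrong port.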
of the Zone.
| Parameter | Description | Value |
|---|---|---|
| Name | Indicates the name of the service. | - |
| Device Name | Selects a device to be associated with the service in the Zone. | - |
| Protocol | Indicates the type of the service. | - |
| Protocol ID | Indicates the protocol ID of the service. | This parameter can be configured only when the protocol is Other. |
| IP Address | Indicates the destination IP address to be protected. | The IP address needs to be defined in the Zone. For details, see Adding a Zone. |
| Destination Port | Indicates the destination port to be protected. | The value can be a port number or port range, such as 1024-1030. You can enter at most 10 port numbers each time. |
| Description | Indicates the description of a service. | The value contains a maximum of 64 characters including letters, digits, and special characters except question marks (?). It does not support any Chinese characters. |
Click all tabs and configure defense policies for services. For parameters, see Configuring the Zone-based Defense Policy.
You are advised to enable baseline learning to configure the thresholds of defense policies. For details, see Configuring the Baseline Learning.
Click Import Policy Template to import service policy configurations in the service policy template.
For details on how to manage policy templates globally, see Configuring Policy Templates.
A server is deployed in a Zone to provide HTTP services on port 8080. To protect this server, the configuration roadmap of a defense policy is as follows:
Services configured for the Zone take effect only after they are deployed on devices. For details, see Deploying the Defense Policy.
You are advised to enable baseline learning to adjust the threshold configurations of service policies. For details, see Configuring the Baseline Learning.