Adding a Hardware Filter

Hardware filters of five protocol types are supported, and static filtering is implemented through defining rules and matching actions. When creating a hardware filter, you can directly associate it with a device.

Procedure

  1. Choose Defense > Policy Settings > Filter > Hardware Filter.
  2. Click .
  3. On the Basic Information tab, configure basic information about the hardware filter. For parameter descriptions, see Table 1.

    Table 1 Basic information about the hardware filter

    | Parameter | Description |
    |---|---|
    | Name | Indicates the name of a hardware filter. The value is a unique string of 1 to 64 case-insensitive characters that can contain letters, digits, and underscores (_) and must start with a letter. |
    | Protocol Type | Indicates the protocol type, which can be IPv4 or IPv6. |
    | Protocol | Protocol type IPv4: The protocols include ID, ICMPv4, TCP, UDP, and IPv4. Protocol type IPv6: The protocols include ID, ICMPv6, TCP, UDP, and IPv6. In both cases, if the protocol ID is selected, the protocol ID text box is displayed for you to enter a protocol ID. Each ID corresponds to a protocol. The value ranges from 0 to 255. |
    | Operation | Indicates the action, which can be discard or rate limit. |
    | Rate threshold (Kbps) | Indicates the rate threshold, which needs to be set when the action is rate limit. NOTICE: The rate limit unit is an NP chip. |

    Click the Rule tab and set rule parameters. When the protocol type is IPv4, refer to Table 2 for rule parameter settings. When the protocol type is IPv6, refer to Table 3 for rule parameter settings.

    Table 2 Rules for the hardware filter of the IPv4 protocol type

    | Parameter | Description |
    |---|---|
    | Source IP address | Indicates the source IP address, which can be an IPv4 address. |
    | Destination IP address | Indicates the destination IP address, which can be an IPv4 address. |
    | Source port | Indicates the source port, which can be a value or range. |
    | Destination Port | Indicates the destination port, which can be a value or range. |
    | Packet length threshold/range (byte) | Indicates the packet length range, for example, 100-200. |
    | TCP Flag | This parameter is optional and empty by default. The first item in the drop-down list box indicates the default value. |
    | Fragment type | Indicates the fragment type, which can be fragment or non-fragment. |

    Table 3 Rules for the hardware filter of the IPv6 protocol type

    | Parameter | Description |
    |---|---|
    | Destination IP address | Indicates the source IP address, which can be an IPv6 address. |
    | Source port | Indicates the source port, which can be a value or range. |
    | Destination Port | Indicates the destination port, which can be a value or range. |
    | Packet length threshold/range (byte) | Indicates the packet length range, for example, 100-200. |
    | TCP Flag | This parameter is optional and empty by default. The first item in the drop-down list box indicates the default value. |

  4. Bind a device to the hardware filter.
    1. Click the Associate Device tab.
    2. Click , select a device, and click OK.

      Only the devices whose Deployment Status is Succeeded are displayed on the page. Ensure that the device to be bound has been deployed.

  5. Click Deploy.

    • When the device is associated with the hardware filter and you click Deploy, the hardware filter is deployed on the AntiDDoS and configurations take effect.
    • If only a hardware filter is created and no device is associated, after you click Deploy, the hardware filter configuration is saved in the ATIC management center. The hardware filter takes effect only after it is associated with the device and deployed again.
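
The parameter rules in Table 1 and the deployment behaviour in step 5 can be checked before a filter definition is entered in the console. The following is an added example, not Huawei code and not an ATIC API: the dictionary field names, the 65535 port bound and the positive-integer requirement for the rate threshold are assumptions.

```python
import re

# Name rule from Table 1: 1 to 64 characters, letters/digits/underscores, starts with a letter.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,63}")
# Protocol choices listed in Table 1 for each protocol type.
PROTOCOLS = {"IPv4": {"ID", "ICMPv4", "TCP", "UDP", "IPv4"},
             "IPv6": {"ID", "ICMPv6", "TCP", "UDP", "IPv6"}}
# Upper bounds are assumptions: 65535 is the TCP/UDP port space; the page gives no length limit.
RANGE_FIELDS = {"source_port": 65535, "destination_port": 65535, "packet_length": None}

def range_ok(text, upper):
    """Accept a single value ("53") or an ascending range ("100-200")."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", str(text).strip())
    if not m:
        return False
    first = int(m.group(1))
    last = int(m.group(2)) if m.group(2) else first
    return first <= last and (upper is None or last <= upper)

def validate_filter(f, existing_names=()):
    """Return a list of findings for one filter definition; an empty list means it passes."""
    findings = []
    name = f.get("name", "")
    if not NAME_RE.fullmatch(name):
        findings.append("name: need 1-64 letters, digits or underscores, starting with a letter")
    elif name.lower() in {n.lower() for n in existing_names}:
        findings.append("name: already used (names are case-insensitive)")
    ptype, proto = f.get("protocol_type"), f.get("protocol")
    if ptype not in PROTOCOLS:
        findings.append("protocol_type: must be IPv4 or IPv6")
    elif proto not in PROTOCOLS[ptype]:
        findings.append(f"protocol: {proto!r} is not offered for {ptype}")
    elif proto == "ID":
        pid = f.get("protocol_id")
        if type(pid) is not int or not 0 <= pid <= 255:
            findings.append("protocol_id: must be an integer from 0 to 255")
    op, rate = f.get("operation"), f.get("rate_threshold_kbps")
    if op not in ("discard", "rate limit"):
        findings.append("operation: must be discard or rate limit")
    elif op == "rate limit" and (type(rate) is not int or rate <= 0):
        findings.append("rate_threshold_kbps: must be set when the operation is rate limit")
    for key, upper in RANGE_FIELDS.items():
        if key in f and not range_ok(f[key], upper):
            findings.append(f"{key}: must be a value or an ascending range such as 100-200")
    if not f.get("devices"):
        findings.append("devices: none associated, so Deploy only saves the filter in ATIC")
    return findings
```

The last finding matters operationally: a filter that passes every parameter check but has no associated device is stored in the ATIC management center and filters nothing until it is associated and deployed again.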


Copyright © Huawei Technologies Co., Ltd.