
Brocade Virtual ADX Security Guide (53-1003250-01, July 2014). Supporting Brocade Virtual ADX version 03.1.00
x Brocade Virtual ADX Security Guide53-1003250-01Command syntax conventionsNotes, cautions, and warningsThe following notices and statements may be us
88 Brocade Virtual ADX Security Guide53-1003250-01DDoS protection5The log parameter directs the Brocade Virtual ADX to log traffic on the bound interf
Brocade Virtual ADX Security Guide 8953-1003250-01DDoS protection5Configuring a rule for ip-option attack types Brocade Virtual ADX has a set of built
90 Brocade Virtual ADX Security Guide53-1003250-01DDoS protection5The log parameter directs the Brocade Virtual ADX to log traffic on the bound interf
Brocade Virtual ADX Security Guide 9153-1003250-01DDoS protection5The drop parameter directs the Brocade Virtual ADX to drop traffic on the bound inte
92 Brocade Virtual ADX Security Guide53-1003250-01DDoS protection5Configuring a rule for IPv6 ICMP types Brocade Virtual ADX has a set of built-in rul
Brocade Virtual ADX Security Guide 9353-1003250-01DDoS protection5Virtual ADX(config)#security filter filter5Virtual ADX(config-sec-filter5)#rule ipv6
94 Brocade Virtual ADX Security Guide53-1003250-01DDoS protection5Clearing all DDOS Filter & Attack CountersUse security clear all-dos-filter-coun
Brocade Virtual ADX Security Guide 9553-1003250-01DDoS protection5Displaying security filter statisticsYou can display security filter statistics as s
Brocade Virtual ADX Security Guide 9753-1003250-01Chapter6Secure Socket Layer (SSL) IntroductionBrocade Virtual ADX supports integrated software-based
Brocade Virtual ADX Security Guide xi53-1003250-01Brocade resourcesTo get up-to-the-minute information, go to http://my.brocade.com to register at no
98 Brocade Virtual ADX Security Guide53-1003250-01SSL overview6Asymmetric cryptography This method alters information so that the key used for encrypt
Brocade Virtual ADX Security Guide 9953-1003250-01SSL on the Brocade Virtual ADX6Public key The other half of a key pair, a public key is held in a di
100 Brocade Virtual ADX Security Guide53-1003250-01SSL on the Brocade Virtual ADX6Brocade Virtual ADX SSL This section describes the SSL features used
Brocade Virtual ADX Security Guide 10153-1003250-01Configuring SSL on a Brocade Virtual ADX6Four level chainCA ---> 1st level Intermediate CA ---&g
102 Brocade Virtual ADX Security Guide53-1003250-01Configuring SSL on a Brocade Virtual ADX6NOTEThe Brocade Virtual ADX does not support key strength
Brocade Virtual ADX Security Guide 10353-1003250-01Configuring SSL on a Brocade Virtual ADX6The password variable is the password that is used to stor
104 Brocade Virtual ADX Security Guide53-1003250-01Configuring SSL on a Brocade Virtual ADX6-----BEGIN CERTIFICATE-----MIIDKTCCApKgAwIBAgIRAJoKUHAGHgh
Brocade Virtual ADX Security Guide 10553-1003250-01Configuring SSL on a Brocade Virtual ADX67. In the Export File Format dialog box, choose.PFX. If th
106 Brocade Virtual ADX Security Guide53-1003250-01Configuring SSL on a Brocade Virtual ADX611. When prompted for the import password, enter the passw
Brocade Virtual ADX Security Guide 10753-1003250-01Configuring SSL on a Brocade Virtual ADX612. You can now begin copying the certificates and the key
xii Brocade Virtual ADX Security Guide53-1003250-01Document feedback• For questions regarding service levels and response times, contact your OEM/Solu
108 Brocade Virtual ADX Security Guide53-1003250-01Configuring SSL on a Brocade Virtual ADX6Converting certificate formatsThe Brocade Virtual ADX acce
Brocade Virtual ADX Security Guide 10953-1003250-01Configuring SSL on a Brocade Virtual ADX6Converting a PFX file to a P12 fileTo convert a PFX file t
110 Brocade Virtual ADX Security Guide53-1003250-01Configuring SSL on a Brocade Virtual ADX6Windows usersGUI-based SCP tools do not work in the curren
Brocade Virtual ADX Security Guide 11153-1003250-01Configuring SSL on a Brocade Virtual ADX6After uploading the keypair file, the same file can be dow
112 Brocade Virtual ADX Security Guide53-1003250-01Configuring SSL on a Brocade Virtual ADX6After transferring the file, it can be used both as a key
Brocade Virtual ADX Security Guide 11353-1003250-01Configuring SSL on a Brocade Virtual ADX6Certificate verificationEvery certificate has two very imp
114 Brocade Virtual ADX Security Guide53-1003250-01Configuring SSL on a Brocade Virtual ADX6Chained certificate verification When the server certifica
Brocade Virtual ADX Security Guide 11553-1003250-01Configuring SSL on a Brocade Virtual ADX6Figure 8 shows the certificate fields.FIGURE 8 Certificate
116 Brocade Virtual ADX Security Guide53-1003250-01Configuring SSL on a Brocade Virtual ADX6*s:*sX509v3 Basic Constraints: *sCA:FALSE*sX509v3 Key Usag
Brocade Virtual ADX Security Guide 11753-1003250-01Configuring SSL on a Brocade Virtual ADX6*s:*sX509v3 Basic Constraints: *sCA:TRUE, pathlen:0*sX509v
Brocade Virtual ADX Security Guide 153-1003250-01Chapter1Network SecurityNo response to non-SYN first packet of a TCP flowThe Brocade Virtual ADX Appl
118 Brocade Virtual ADX Security Guide53-1003250-01Configuring SSL on a Brocade Virtual ADX6Find and match this certificate in the list of trusted roo
Brocade Virtual ADX Security Guide 11953-1003250-01Configuring SSL on a Brocade Virtual ADX6The certificate hierarchy is shown as follows:Level 0 (roo
120 Brocade Virtual ADX Security Guide53-1003250-01Configuring SSL on a Brocade Virtual ADX6*sX509v3 Certificate Policies: *sPolicy: 1.1.1.1.1*sCPS: *
Brocade Virtual ADX Security Guide 12153-1003250-01Configuring SSL on a Brocade Virtual ADX6 Exponent: lu IÕ8~0xlx)*s:*sX509v3 Basic Co
122 Brocade Virtual ADX Security Guide53-1003250-01Configuring SSL on a Brocade Virtual ADX6 Subject Public Key Info: Public
Brocade Virtual ADX Security Guide 12353-1003250-01Configuring SSL on a Brocade Virtual ADX6Figure 10 shows the certificate hierarchy.FIGURE 10 Certif
124 Brocade Virtual ADX Security Guide53-1003250-01Configuring SSL on a Brocade Virtual ADX6• Symptom: The wrong format was specified when uploading t
Brocade Virtual ADX Security Guide 12553-1003250-01Basic SSL profile configuration6Support for SSL renegotiationSome SSL application clients use reneg
126 Brocade Virtual ADX Security Guide53-1003250-01Basic SSL profile configuration6Syntax: keypair-file keypair-file-nameThe keypair-file-name variabl
Brocade Virtual ADX Security Guide 12753-1003250-01Advanced SSL profile configuration6To configure this feature, use commands such as the following:Vi
2 Brocade Virtual ADX Security Guide53-1003250-01Application Traffic Prioritization1Prioritization of TCP port 80 traffic to management IP 10.200.1.1
128 Brocade Virtual ADX Security Guide53-1003250-01Advanced SSL profile configuration6Enabling certificate verificationThe Brocade Virtual ADX can be
Brocade Virtual ADX Security Guide 12953-1003250-01Advanced SSL profile configuration6Virtual ADX(config)#ssl profile profile1Virtual ADX(config-ssl-p
130 Brocade Virtual ADX Security Guide53-1003250-01Advanced SSL profile configuration6NOTETo avoid “man-in-the-middle” attacks, where the CRL may be c
Brocade Virtual ADX Security Guide 13153-1003250-01Advanced SSL profile configuration6Enabling session caching Session caching or session reuse is a m
132 Brocade Virtual ADX Security Guide53-1003250-01Advanced SSL profile configuration6Virtual ADX(config)#ssl profile profile1Virtual ADX(config-ssl-p
Brocade Virtual ADX Security Guide 13353-1003250-01Configuring Real and Virtual Servers for SSL Termination Mode6Configuring Real and Virtual Servers
134 Brocade Virtual ADX Security Guide53-1003250-01Configuration examples for SSL Termination Mode6• An SSL port is defined on the virtual server vip2
Brocade Virtual ADX Security Guide 13553-1003250-01Configuration examples for SSL Termination Mode6State or province (full name) [California] Californ
136 Brocade Virtual ADX Security Guide53-1003250-01Configuration examples for SSL Termination Mode6FIGURE 11 Client Capture
Brocade Virtual ADX Security Guide 13753-1003250-01Configuration examples for SSL Termination Mode6FIGURE 12 Server CaptureIn these examples, the HTTP
Brocade Virtual ADX Security Guide 353-1003250-01Application Traffic Prioritization1The Brocade Virtual ADX offers up to eight priority levels ranging
138 Brocade Virtual ADX Security Guide53-1003250-01Configuration examples for SSL Termination Mode6ResolutionThere two possible approaches to this pro
Brocade Virtual ADX Security Guide 13953-1003250-01Configuration examples for SSL Termination Mode6Disabling Nagle’s AlgorithmYou can disable Nagle’s
140 Brocade Virtual ADX Security Guide53-1003250-01Configuration examples for SSL Termination Mode6Applying the TCP profile to VIP for SSL terminateWh
Brocade Virtual ADX Security Guide 14153-1003250-01Configuration examples for SSL Termination Mode6Define client certificate insertion mode and prefix
142 Brocade Virtual ADX Security Guide53-1003250-01Configuration examples for SSL Termination Mode6Other protocols supported for SSLIn addition to HTT
Brocade Virtual ADX Security Guide 14353-1003250-01Configuration examples for SSL Termination Mode6Configuring SSLv2 connection rateYou can configure
144 Brocade Virtual ADX Security Guide53-1003250-01SSL debug and troubleshooting commands6Syntax: [no] system-max ssl-cert-count num-max-certsSyntax:
Brocade Virtual ADX Security Guide 14553-1003250-01SSL debug and troubleshooting commands6Using RconsoleTo access the display command that present thi
146 Brocade Virtual ADX Security Guide53-1003250-01SSL debug and troubleshooting commands6Displaying authentication statisticsUse the show ssl authent
Brocade Virtual ADX Security Guide 14753-1003250-01SSL debug and troubleshooting commands6Displaying SSL connection information Use the show ssl con c
4 Brocade Virtual ADX Security Guide53-1003250-01Application Traffic Prioritization1Specifying traffic priority per VIPUse the priority command to con
148 Brocade Virtual ADX Security Guide53-1003250-01SSL debug and troubleshooting commands6Virtual ADX#show ssl crl crl-name (on MP)Output : URL : /tem
Brocade Virtual ADX Security Guide 14953-1003250-01SSL debug and troubleshooting commands6Displaying SSL debug countersUse the show ssl debug command
150 Brocade Virtual ADX Security Guide53-1003250-01SSL debug and troubleshooting commands6The following example provides information about a specified
Brocade Virtual ADX Security Guide 15153-1003250-01SSL debug and troubleshooting commands6The keyfile-name variable specifies a locally stored SSL key
152 Brocade Virtual ADX Security Guide53-1003250-01SSL debug and troubleshooting commands6Displaying the certificate bound to an SSL profileUse the sh
Brocade Virtual ADX Security Guide 15353-1003250-01SSL debug and troubleshooting commands6Syntax: show ssl profile profile-name keyThe profile-name va
154 Brocade Virtual ADX Security Guide53-1003250-01SSL debug and troubleshooting commands6Displaying SSL statistics informationThe following SSL stati
Brocade Virtual ADX Security Guide 15553-1003250-01SSL debug and troubleshooting commands6Displaying SSL decoded client site status countersUse the sh
156 Brocade Virtual ADX Security Guide53-1003250-01SSL debug and troubleshooting commands6Displaying SSL statistics countersUse the show ssl statistic
Brocade Virtual ADX Security Guide 15753-1003250-01SSL debug and troubleshooting commands6ASM SSL dump commandsThe following ASM SSL dump commands can
Brocade Virtual ADX Security Guide 553-1003250-01Application Traffic Prioritization1Syntax: [no] server attack-interval classify interval-1 de-classif
158 Brocade Virtual ADX Security Guide53-1003250-01SSL debug and troubleshooting commands6asm dm ssldump bothUse the asm dm ssldump both command on th
Brocade Virtual ADX Security Guide 15953-1003250-01SSL debug and troubleshooting commands6asm dm ssldump mode detailUse the asm dm ssldump mode detail
160 Brocade Virtual ADX Security Guide53-1003250-01Displaying socket information6asm dm ssldump maxUse the asm dm ssldump max count command to limit t
Brocade Virtual ADX Security Guide 16153-1003250-01Displaying socket information6Syntax: show socket stateDisplaying TCP IP informationThe following T
162 Brocade Virtual ADX Security Guide53-1003250-01Displaying socket information6Syntax: show tcp-ip buffersDisplaying TCP and IP chain length statist
Brocade Virtual ADX Security Guide 16353-1003250-01Displaying socket information6Displaying TCP and IP statisticsUse the show tcp-ip statistics comman
164 Brocade Virtual ADX Security Guide53-1003250-01Displaying socket information6Show SSL memoryUse the show ssl mem command in rconsole mode to displ
Brocade Virtual ADX Security Guide 16553-1003183-03AppendixAAcknowledgementsThis appendix presents the acknowledgements for portions of code from vari
166 Brocade Virtual ADX Security Guide53-1003183-03Cryptographic softwareACryptographic softwareThis product includes cryptographic software written b
Brocade Virtual ADX Security Guide 16753-1003183-03Original SSLeay LicenseAThe license and distribution terms for any publicly available version or de
6 Brocade Virtual ADX Security Guide53-1003250-01VIP Maximum Connection Rate1Syntax: show server virtual [name]The show server virtual command display
Brocade Virtual ADX Security Guide 753-1003250-01Protection against malformed IP packets1BP 1: last sec: 0.20%, 5 sec: 0.10%, 60 sec: 0.09%, 300 se
DRAFT: BROCADE CONFIDENTIALCopyright © 2014 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, Brocade Assurance, A
8 Brocade Virtual ADX Security Guide53-1003250-01Transaction rate limit1• Ability to apply a default transaction rate limit value to all clients, whil
Brocade Virtual ADX Security Guide 953-1003250-01Transaction rate limit1Virtual ADX# configure terminal3. Configure name of a transaction rate limit r
10 Brocade Virtual ADX Security Guide53-1003250-01Transaction rate limit1Configure a transaction rate limit default You can specify a default transact
Brocade Virtual ADX Security Guide 1153-1003250-01Transaction rate limit1NOTEIf you configure the hold-down-time keyword with a value of 0, the incomi
12 Brocade Virtual ADX Security Guide53-1003250-01Transaction rate limit1Applying policy on virtual interfaceVirtual ADX(config)# interface ve 20Virtu
Brocade Virtual ADX Security Guide 1353-1003250-01Transaction rate limit1Changing the maximum number of rules globallyYou can change the maximum numbe
14 Brocade Virtual ADX Security Guide53-1003250-01Transaction rate limit1NOTEWhere the storage of TRL rules on the internal USB drive of a Brocade Vir
Brocade Virtual ADX Security Guide 1553-1003250-01Transaction rate limit1Global TRLIf TRL per client subnet is not needed, Global TRL can be used to c
16 Brocade Virtual ADX Security Guide53-1003250-01Transaction rate limit1Displaying TRL rules in a policyYou can display TRL rules in a policy as show
Brocade Virtual ADX Security Guide 1753-1003250-01DNS-DPI Attack Protection1DNS-DPI Attack ProtectionThe Brocade Virtual ADX can be configured to prov
Brocade Virtual ADX Security Guide iii53-1003250-01ContentsPrefaceDocument conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
18 Brocade Virtual ADX Security Guide53-1003250-01DNS-DPI Attack Protection1• When multiple queries are in a single DNS packet, only first RR will be
Brocade Virtual ADX Security Guide 1953-1003250-01DNS-DPI Attack Protection1The name variable specifies the name of the DNS query type to match on.Syn
20 Brocade Virtual ADX Security Guide53-1003250-01DNS-DPI Attack Protection1NOTEA maximum of 255 DNS policies can be configured on a Brocade Virtual A
Brocade Virtual ADX Security Guide 2153-1003250-01DNS-DPI Attack Protection1You can bind a DNS DPI policy to a virtual port as shown.Virtual ADX(confi
22 Brocade Virtual ADX Security Guide53-1003250-01DNS-DPI Attack Protection1Displaying DNS attack protection informationThe following information can
Brocade Virtual ADX Security Guide 2353-1003250-01Rate Limiting Feature on a Brocade Virtual ADX1Rate Limiting Feature on a Brocade Virtual ADXThe rat
Brocade Virtual ADX Security Guide 2553-1003250-01Chapter2Access Control ListHow the Brocade Virtual ADX processes ACLsThis chapter describes the Acce
26 Brocade Virtual ADX Security Guide53-1003250-01Default ACL action2Default ACL actionThe default action when no ACLs is configured on a device is to
Brocade Virtual ADX Security Guide 2753-1003250-01Configuring numbered and named ACLs2Support for up to 4096 ACL entries You can configure up to 4096
iv Brocade Virtual ADX Security Guide53-1003250-01DNS-DPI Attack Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Config
28 Brocade Virtual ADX Security Guide53-1003250-01Configuring numbered and named ACLs2The commands in this example configure an ACL to deny packets fr
Brocade Virtual ADX Security Guide 2953-1003250-01Configuring numbered and named ACLs2The host source-ip | hostname parameter lets you specify a host
30 Brocade Virtual ADX Security Guide53-1003250-01Configuring numbered and named ACLs2The first entry permits ICMP traffic from hosts in the 10.157.22
Brocade Virtual ADX Security Guide 3153-1003250-01Configuring numbered and named ACLs2Extended ACL syntaxUse the following syntax for configuring exte
32 Brocade Virtual ADX Security Guide53-1003250-01Configuring numbered and named ACLs2NOTEIf you use the CIDR format, the ACL entries appear in this f
Brocade Virtual ADX Security Guide 3353-1003250-01Configuring numbered and named ACLs2• range – The policy applies to all TCP or UDP port numbers that
34 Brocade Virtual ADX Security Guide53-1003250-01Configuring numbered and named ACLs2• min-monetary-cost or 1 – The ACL matches packets that have the
Brocade Virtual ADX Security Guide 3553-1003250-01Configuring numbered and named ACLs2The commands in this example configure a standard ACL named “Net
36 Brocade Virtual ADX Security Guide53-1003250-01Configuring numbered and named ACLs2Displaying ACL definitionsTo display the ACLs configured on a de
Brocade Virtual ADX Security Guide 3753-1003250-01Configuring numbered and named ACLs2permit any If you want to display ACL entries beginning with the
Brocade Virtual ADX Security Guide v53-1003250-01Chapter 4 Network Address TranslationIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . .
38 Brocade Virtual ADX Security Guide53-1003250-01Configuring numbered and named ACLs2If you want to display ACL entries beginning with the entry that
Brocade Virtual ADX Security Guide 3953-1003250-01Modifying ACLs2To show all entries containing the keyword “deny” you obtain the following output:Vir
40 Brocade Virtual ADX Security Guide53-1003250-01Modifying ACLs2no access-list 1no access-list 101When you load the ACL list into the device, the sof
Brocade Virtual ADX Security Guide 4153-1003250-01Displaying a list of ACL entries2Displaying a list of ACL entriesThe show access-list and show ip ac
42 Brocade Virtual ADX Security Guide53-1003250-01ACL logging2To reapply ACLs following an ACL configuration change, enter the following command at th
Brocade Virtual ADX Security Guide 4353-1003250-01ACL logging2NOTEFor an ACL entry to be eligible to generate a Syslog entry for permitted or denied p
44 Brocade Virtual ADX Security Guide53-1003250-01Dropping all fragments that exactly match an ACL2ETH PORTICMP inbound packets received 400ICMP inbou
Brocade Virtual ADX Security Guide 4553-1003250-01ACLs and ICMP2The commands in this example deny (drop) ICMP echo request packets that contain a tota
46 Brocade Virtual ADX Security Guide53-1003250-01ACLs and ICMP2Named ACLsFor example, to deny the administratively-prohibited message type in a named
Brocade Virtual ADX Security Guide 4753-1003250-01ACLs and ICMP2host-redirect 5 1host-tos-redirect 5 3host-tos-unreachable 3 12host-unreachable 3 1inf
vi Brocade Virtual ADX Security Guide53-1003250-01SSL overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
48 Brocade Virtual ADX Security Guide53-1003250-01Displaying ACL bindings2Displaying ACL bindingsYou can display which ACLs (IPv4 and IPv6) are bound
Brocade Virtual ADX Security Guide 4953-1003250-01Chapter3IPv6 Access Control ListsIPv6 ACL overviewBrocade Virtual ADX supports IPv6 access control l
50 Brocade Virtual ADX Security Guide53-1003250-01IPv6 ACL overview3NOTETCP and UDP filters will be matched only if they are listed as the first optio
Brocade Virtual ADX Security Guide 5153-1003250-01IPv6 ACL overview3Here is another example of commands for configuring an ACL and applying it to an i
52 Brocade Virtual ADX Security Guide53-1003250-01IPv6 ACL overview3The following commands apply the ACL rtr to the incoming traffic on ports 2/1 and
Brocade Virtual ADX Security Guide 5353-1003250-01IPv6 ACL overview3Furthermore, if you add the statement deny icmp any any in the access list, then a
54 Brocade Virtual ADX Security Guide53-1003250-01IPv6 ACL overview3protocol The type of IPv6 packet you are filtering. You can specify a well-known n
Brocade Virtual ADX Security Guide 5553-1003250-01IPv6 ACL overview3Applying an IPv6 ACL to an interfaceTo apply an IPv6 ACL to an interface, enter co
56 Brocade Virtual ADX Security Guide53-1003250-01Using an ACL to restrict SSH access3Syntax: show ipv6 access-list [access-list-name]Displaying ACLs
Brocade Virtual ADX Security Guide 5753-1003250-01Using an ACL to restrict Telnet access3Using an ACL to restrict Telnet accessTo configure an ACL tha
Brocade Virtual ADX Security Guide vii53-1003250-01Appendix A AcknowledgementsOpenSSL license . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Brocade Virtual ADX Security Guide 5953-1003250-01Chapter4Network Address TranslationIntroductionNetwork Address Translation (NAT) translates one IP a
60 Brocade Virtual ADX Security Guide53-1003250-01Configuring NAT4Configuring NAT The following types of NAT are supported: • Static NAT — Maps a spec
Brocade Virtual ADX Security Guide 6153-1003250-01Configuring NAT4The priority variable specifies a value of 1 or 2 and enables static NAT redundancy.
62 Brocade Virtual ADX Security Guide53-1003250-01Configuring NAT4Associating a range of private addresses with a pool and enabling PATUse ip nat insi
Brocade Virtual ADX Security Guide 6353-1003250-01Configuring NAT4The Brocade Virtual ADX is connected to the Internet through a router. The outside i
64 Brocade Virtual ADX Security Guide53-1003250-01Configuring NAT4Dynamic NAT configuration example 2In the following example, the Brocade Virtual ADX
Brocade Virtual ADX Security Guide 6553-1003250-01Configuring NAT4Static NAT configuration exampleThe following examples describe how to configure a S
66 Brocade Virtual ADX Security Guide53-1003250-01PAT4Configured for outside to inside translationTo configure the network shown in Figure 5 for Outsi
Brocade Virtual ADX Security Guide 6753-1003250-01Translation timeouts4Translation timeoutsThe NAT translation table contains all the currently active
68 Brocade Virtual ADX Security Guide53-1003250-01Stateless static IP NAT4The icmp-timeout keyword indicates timeout for NAT ICMP flows.The syn-timeou
Brocade Virtual ADX Security Guide 6953-1003250-01Displaying NAT information4Syntax: [no] ip nat [inside | outside]The inside parameter configures the
70 Brocade Virtual ADX Security Guide53-1003250-01Displaying NAT information4Syntax: show ip nat statistics TABLE 4 Display fields for show ip nat sta
Brocade Virtual ADX Security Guide 7153-1003250-01Displaying NAT information4nat tcp rev ip status zero Indicates the number of times that an error in
72 Brocade Virtual ADX Security Guide53-1003250-01Displaying NAT information4Displaying NAT translationTo display the currently active NAT translation
Brocade Virtual ADX Security Guide 7353-1003250-01Clearing NAT entries from the table4Clearing NAT entries from the tableUse the clear ip nat command
Brocade Virtual ADX Security Guide 7553-1003250-01Chapter5Syn-Proxy and DoS ProtectionUnderstanding Syn-ProxySyn-Proxy™ allows TCP connections to be t
76 Brocade Virtual ADX Security Guide53-1003250-01Configuring Syn-Proxy5NOTEIn a syn-proxy configuration for a local client, if an ARP entry for the c
Brocade Virtual ADX Security Guide 7753-1003250-01Configuring Syn-Proxy5Setting SYN-Ack-Window-SizeTo globally set the TCP window size that the Brocad
Brocade Virtual ADX Security Guide ix53-1003250-01PrefaceDocument conventionsThis section describes text formatting conventions and important notice f
78 Brocade Virtual ADX Security Guide53-1003250-01Configuring Syn-Proxy5Retransmitting the SYN to the server in this way allows the server to respond
Brocade Virtual ADX Security Guide 7953-1003250-01Configuring Syn-Proxy5Dropping ACK packets with no dataThis feature applies where Syn-Proxy is enabl
80 Brocade Virtual ADX Security Guide53-1003250-01Configuring Syn-Proxy53. Global level – Values configured at this level take effect over all SYN-ACK
Brocade Virtual ADX Security Guide 8153-1003250-01Configuring Syn-Proxy5The mss-value variable specifies MSS value for all SYN-ACK packets generated b
82 Brocade Virtual ADX Security Guide53-1003250-01Configuring Syn-Proxy51. Set the SYN-Proxy auto control threshold levels – This procedure described
Brocade Virtual ADX Security Guide 8353-1003250-01Configuring Syn-Proxy5Setting the interval time for counting TCP SYN packetsThe rate at which Syn-pr
84 Brocade Virtual ADX Security Guide53-1003250-01Configuring Syn-Proxy5Displaying Server Traffic informationThe show server traffic command displays
Brocade Virtual ADX Security Guide 8553-1003250-01DDoS protection5Displaying SYN Cookie InformationThis show server syn-cookie command displays inform
86 Brocade Virtual ADX Security Guide53-1003250-01DDoS protection5• “Configuring a rule for ip-option attack types” on page 89• “Configuring a rule fo
Brocade Virtual ADX Security Guide 8753-1003250-01DDoS protection5• gt greater-than• gteq greater-than-or-equals• lt less-than• lteq less-than-or-equ