This application note explains configuration of HP Virus Throttle (connection rate filtering) on ProCurve switches. This details the operation of the new version of Virus Throttle. Until the K.12.01 release, Virus Throttle on a ProCurve switch was able to detect virus-like network behavior—identified as a high number of connections to a high number of different IP addresses in a short time—and to prevent the traffic from the originating source from being routed. Thus, in a network with multiple VLANs, an infected machine could only contact other systems in its own VLAN. This was Virus Throttle at layer 3.

Beginning with the K.12.01 release, the switch is now able to block traffic from an infected machine even within a VLAN: if a virus is detected, within a few seconds, the infected system cannot reach any other IP address. This new capability is more efficient and effective, and increases network protection against viruses.

General steps for configuration of Virus Throttle have not changed:

1. You first specify the “sensitivity” of the filter you want to apply; you have a choice of low, medium, high, or aggressive throttling.
2. Then you define the ports to which you apply this filter and the action you want the switch to take if a virus is detected. You can choose from:
• Notify-only: A trap is sent to ProCurve Manager Plus, but the traffic is not blocked
Block or throttle: Traffic is blocked for one minute, time for an administrator to find the machine and take action.

For the command line (CLI) configuration, you will need a switch such as the ProCurve Switch 5406zl that supports the Virus Throttle feature. For configuration with PCM+, you will need to have your switch managed by an already configured PCM+ server.

» Return to top

Figure 1. Setup for configuring Virus Throttle on a ProCurve switch

You can use either the CLI or PCM+ to configure Virus Throttle on the ProCurve switch.

Two commands, connection-rate-filter and filter connection-rate, allow configuring Virus Throttle from the command line interface.

For example, here is how to activate virus throttling on ports 1-20, with sensitivity set to high. The following commands will cause traffic to be throttled when triggered by a virus:

To view virus throttling, use the show connection-rate-filter all command. For example:

The output shows that no host is blocked or throttled yet.

When Virus Throttle is triggered by a client, the show connection-rate-filter all command displays the source IP address of the throttled virus. For example:

5.1 Configure Virus Throttle
To configure Virus Throttle in PCM+ 2.2:

1. In PCM+ 2.2, select the switch. In the right pane, in the Dashboard tab (first tab on the left), click on the Virus Throttle icon:
   
   The VT Configuration window opens:
   
2. In the VT Configuration window set the VT Status to enable VT and the VT Sensitivity to high.
3. Specify the VT Action:
   • To specify virus throttling on all ports of all switches, configure the VT Action for VT Management Devices to throttle.
   • To specify throttling on only one switch, configure the VT Action to throttle for the IP address of the switch.
   • To specify throttling on a port, click the + sign to expand the port list of each switch, and set the VT action to throttle individually on the port.
   The example shows virus throttling specified on all ports of the 5400 switch: VT Action is set to no for VT Management Devices, and to throttle for the switch at 10.1.1.2.
4. Click Apply to enforce this policy on the switch. You see the Status: CT Configuration window, where you can confirm that virus throttling was successfully configured.
   

» Return to top

5.2 Troubleshooting
If the policy enforcement fails, it might be because the Communications Parameters known by PCM+ do not match the actual communication parameters on the device. To check the communication parameters:

1. In PCM+ highlight the device, and on the Dashboard tab click the second icon from the right. You see a dropdown list of tests:
   

2. Select Test Communication Parameters in PCM+. You see the Testing Communications Parameters window as testing proceeds:

3. Confirm that Success appears against all parameters. If this is not the case, correct any mismatched parameters.
   
4. Then in PCM+ go to the Port List tab, select Port Status, and verify that the Virus Filter Action has been set to throttle for all ports on the 5400:
   

» Return to top

5.3 Monitor and block viruses
Once Virus Throttle is configured, you can monitor virus activity and take action when needed:

1. To see if the policy is triggered, select the Events tab. Virus throttling will appear as an event. In the example below you can see that you received a trap from the switch, indicating that Address 10.1.1.100 of type 1 has been flagged by the connection rate filter:

2. To block viruses, return to the VT Configuration window, change the VT Action to block on all ports, and click Apply to apply the new configuration.
3. In the Virus Throttle configuration window, click to the Blocked Hosts tab and confirm that the address of the blocked machine appears.

» Return to top

This concludes the procedure for configuring Virus Throttle on ProCurve switches.

For further information about how to configure ProCurve switches to support security, please refer to the following links:

• For PCM+ and IDM manuals:
  http://h40060.www4.hp.com/procurve/includes/manuals/index.php?cc=uk&lc=en&content=ProCurve-Manager
  http://h40060.www4.hp.com/procurve/includes/manuals/index.php?cc=uk&lc=en&content=IDM
• For user manuals for ProCurve 3500yl-5400zl-8212zl switches:
  http://h40060.www4.hp.com/procurve/includes/manuals/index.php?cc=uk&lc=en&content=3500-6200-5400-ChapterFiles
• For ProCurve Switch 2610 series manuals:
  http://h40060.www4.hp.com/procurve/includes/manuals/index.php?cc=uk&lc=en&content=2610

» Return to top