This function is extremely useful when NAT pools are required due to the large number ofconnections generated by P2P users.10.3.3. GroupingThe two groupings are as follows:• Host Based - The threshold is applied separately to connections from different IP addresses.• Network Based - The threshold is applied to all connections matching the rules as a group.10.3.4. Rule ActionsWhen a Threshold Rule is triggered one of two responses are possible:• Audit - Leave the connection intact but log the event.• Protect - Drop the triggering connection.Logging would be the preferred option if the appropriate triggering value cannot be determinedbeforehand. Multiple Actions for a given rule might consist of Audit for a given threshold while theaction might become Protect for a higher threshold.10.3.5. Multiple Triggered ActionsWhen a rule is triggered then NetDefendOS will perform the associated rule Actions that match thecondition that has occurred. If more than one Action matches the condition then those matchingActions are applied in the order they appear in the user interface.If several Actions that have the same combination of Type and Grouping (see above for thedefinition of these terms) are triggered at the same time, only the Action with the highest thresholdvalue will be logged.10.3.6. Exempted ConnectionsIt should be noted that some advanced settings, known as Before Rules settings, can exempt certaintypes of connections for remote management from examination by the NetDefendOS IP rule set ifthey are enabled. These Before Rules settings will also exempt the connections from ThresholdRules if they are enabled.10.3.7. Threshold Rules and ZoneDefenseThreshold Rules are used in the D-Link ZoneDefense feature to block the source of excessiveconnection attmepts from internal hosts. For more information on this refer to Chapter 12,ZoneDefense.10.3.8. Threshold Rule BlacklistingIf the Protect option is used, Threshold Rules can be configured so that the source that triggered therule, is added automatically to a Blacklist of IP addresses or networks. If several Protect Actionswith blacklisting enabled are triggered at the same time, only the first triggered blacklisting Actionwill be executed by NetDefendOS.A host based Action with blacklisting enabled will blacklist a single host when triggered. A networkbased action with blacklisting enabled will blacklist the source network associated with the rule. Ifthe Threshold Rule is linked to a service then it is possible to block only that service.When Blacklisting is selected, the administrator can choose to leave pre-existing connections fromthe triggering source unaffected, or can alternatively choose to have the connections dropped by10.3.3. Grouping Chapter 10. Traffic Management478
