No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA,NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense;Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, security risks.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Enabling the Blacklist Function

Enabling the Blacklist Function


A blacklist filters packets based on source IP addresses. Compared with ACLs, the blacklist uses simpler matching fields and therefore filters packets at a higher speed. Packets from certain IP addresses can be filtered out.

The firewall can dynamically add IP addresses to the blacklist. When detecting an attack from an IP address, the firewall adds the IP address to the blacklist to filter out all packets from this IP address. To enable the firewall to dynamically create blacklist entries, enable IP address scanning attack defense and port scanning attack defense.


  1. Run:


    The system view is displayed.

  2. (Optional) Run:

    firewall defend ip-sweep enable

    The IP address sweeping attack defense is enabled.

  3. (Optional) Run:

    firewall defend ip-sweep { blacklist-expire-time interval | max-rate rate-value }

    The parameters for IP address sweeping attack defense are set.

  4. (Optional) Run:

    firewall defend port-scan enable

    The port scanning attack defense is enabled.

  5. (Optional) Run:

    firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }

    The parameters for port scanning attack defense are set.

    For scanning attack defense, the following two parameters need to be set:

    • Maximum session rate: When the session rate of an IP address or a port exceeds the limit, the firewall considers that a scanning attack occurs. Then the firewall adds the IP address or port to the blacklist to reject new sessions from the IP address or port.
    • Blacklist timeout: After an IP address or a port stays in the blacklist for a specified period, it is deleted from the blacklist. Then new connections can be initiated from this IP address or port.

    By default, the maximum session rate for IP address sweeping and port scanning attack defense is 4000 pps, and the blacklist timeout is 20 minutes.

  6. Run:

    firewall blacklist enable

    The blacklist function is enabled.

    By default, the blacklist function is disabled.

Updated: 2019-05-25

Document ID: EDOC1000097287

Views: 12464

Downloads: 38

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next