AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Firewall Configuration Commands

NOTE:
  • AR502G-L-D-H and AR502GR-L-D-H do not support the firewall.

clear firewall statistics system

Function

The clear firewall statistics system command clears the statistics about normal packets in the system.

Format

clear firewall statistics system normal

Parameters

| Parameter | Description | Value |
|---|---|---|
| normal | Indicates the statistics about normal packets. | - |

Views

System view

Default Level

3: Management level

Usage Guidelines

To view the communication packets of a device within a specified period, run the clear firewall statistics system normal command to clear the previous packet statistics on the device first.

Example

# Clear the statistics about normal packets in the system.

<Huawei> system-view
[Huawei] clear firewall statistics system normal

clear firewall statistics zone

Function

The clear firewall statistics zone command clears the statistics about normal packets in a zone.

Format

clear firewall statistics zone zone-name

Parameters

| Parameter | Description | Value |
|---|---|---|
| zone-name | Specifies the name of a zone. | The name is a string of 1 to 32 case-sensitive characters. The character string cannot contain name or -. |

Views

System view

Default Level

3: Management level

Usage Guidelines

To view the packets in a zone within a specified period, run the clear firewall statistics zone command to clear the previous packet statistics in the zone first.

Example

# Clear the statistics about normal packets in the zone zone1.

<Huawei> system-view
[Huawei] clear firewall statistics zone zone1

detect aspf

Function

The detect aspf command enables application specific packet filter (ASPF) in an interzone.

The undo detect aspf command disables ASPF in an interzone.

By default, ASPF is disabled in an interzone.

Format

detect aspf { ftp | rtsp | sip }

undo detect aspf { ftp | rtsp | sip }

NOTE:

AR510 series do not support the sip keyword.

Parameters

| Parameter | Description | Value |
|---|---|---|
| ftp | Applies ASPF to FTP protocol packets. | - |
| rtsp | Applies ASPF to RTSP protocol packets. | - |
| sip | Applies ASPF to SIP protocol packets. | - |

Views

Interzone view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ASPF is a stateful filtering method for application-layer protocol packets: it tracks the sessions that attempt to traverse the application layer and denies the undesired packets.

Prerequisites

An interzone has been created using the firewall interzone command.

Example

# Enable ASPF in the interzone between zone1 and zone2.

<Huawei> system-view
[Huawei] firewall interzone zone1 zone2
[Huawei-interzone-zone2-zone1] detect aspf ftp

display firewall app session table

Function

The display firewall app session table command displays the application session table.

Format

display firewall app session table [ application-protocol { dns | ftp | http | pptp | rtsp | sip } ] [ source-ip ip-address [ port-number ] ] [ destination-ip ip-address [ port-number ] ]

NOTE:

AR510 series do not support the sip keyword.

Parameters

| Parameter | Description | Value |
|---|---|---|
| application-protocol | Indicates the type of the application-layer protocol. | - |
| dns | Displays the application session table information of DNS packets. | - |
| ftp | Displays the application session table information of FTP packets. | - |
| http | Displays the application session table information of HTTP packets. | - |
| pptp | Displays the application session table information of PPTP packets. | - |
| rtsp | Displays the application session table information of RTSP packets. | - |
| sip | Displays the application session table information of SIP packets. | - |
| source-ip ip-address | Indicates the source IP address of flows. | The value is in dotted decimal notation. |
| destination-ip ip-address | Indicates the destination IP address of flows. | The value is in dotted decimal notation. |
| port-number | Indicates the port number. | The value is an integer that ranges from 1 to 65535. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display firewall app session table command displays information about a specified application session table or all application session tables. The application session table information is displayed only when some traffic is sent to the application layer.

Example

# Display information about all application session tables.

<Huawei> display firewall app session table
 The total number of session tables is 1.
  NO.1.
    APP-Protocol : RTSP
    Initiator-VPN: ----
    Responder-VPN: ----
    Connection Info:
      Initiator(IP:Port)         Responder(IP:Port)    Protocol
      10.7.11.2       :33713 ---> 10.5.11.2       :554   TCP(6)
      10.7.11.2       :33713 <--- 10.5.11.2       :554   TCP(6) 
Table 14-52  Description of the display firewall app session table command output

| Item | Description |
|---|---|
| NO.1. | The first entry in the session table. |
| APP-Protocol : RTSP | The application protocol is RTSP. |
| Initiator-VPN: ---- | Source VPN name. |
| Responder-VPN: ---- | Destination VPN name. |
| Connection Info: | Connection between the source address and the destination address. |
| Initiator(IP:Port) | Source IP address and port number. |
| Responder(IP:Port) | Destination IP address and port number. |
| Protocol | Transport protocol type (TCP/UDP). |

display firewall app table statistics

Function

The display firewall app table statistics command displays statistics on firewall application entries.

Format

display firewall app { servermap | session } table statistics

Parameters

| Parameter | Description | Value |
|---|---|---|
| servermap | Displays statistics on servermap entries at the application layer. | - |
| session | Displays statistics on session entries at the application layer. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view statistics on firewall Session entries and Servermap entries, which helps with firewall-related fault diagnosis and troubleshooting.

Session entry: includes the quintuple (protocol number, source IP address, source port number, destination IP address, and destination port number). A session entry is created on the firewall for each session that passes through it.

Servermap entry: includes the triplet (protocol number, source IP address, and destination IP address). Servermap entries are created when the firewall handles communication over a multi-channel protocol.
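The ASPF mechanism described under Usage Scenario of detect aspf, and the Servermap entries it produces for multi-channel protocols, can be illustrated with the FTP passive-mode case. The following is an added Python example, not code from the command reference or from the device: it parses the 227 reply an inspector sees on the FTP control channel and derives the data-channel entry it would have to create before the client's data connection can be allowed through. The ServerMapEntry class, the sample reply and the same-server check are assumptions made for illustration, not the device's data structures.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: an FTP server's reply on the control channel (port 21),
# as an ASPF inspector would see it when a client enters passive mode.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,5,11,2,195,80).\r\n"

# RFC 959 passive reply: six decimal fields, four for the address and two for the port.
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


@dataclass(frozen=True)
class ServerMapEntry:
    """Illustrative servermap entry (an assumption): the triplet from the command
    reference (protocol, source IP, destination IP) plus the announced data port."""
    protocol: str
    source_ip: str
    destination_ip: str
    destination_port: int


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return the (ip, port) announced by a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None  # octets and port bytes must fit in one byte each
    ip = ".".join(str(v) for v in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        return None
    return ip, port


def servermap_from_pasv(client_ip: str, control_server_ip: str,
                        reply: str) -> Optional[ServerMapEntry]:
    """Derive the data-channel pinhole an inspector would open for this control session.

    The address comparison is a deliberate hardening step: the data channel must
    terminate on the server that owns the control connection, otherwise a crafted
    server reply could open a pinhole towards an arbitrary third host."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != control_server_ip:
        return None
    return ServerMapEntry("TCP", client_ip, ip, port)
```

The triplet in the command reference has no port because the inspector learns it only from the control channel; the example keeps the announced port so that the derived pinhole is as narrow as the information allows.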

Example

# Display statistics on all session entries at the application layer.

<Huawei> display firewall app session table statistics
 App-inspect Session History Maximum Info:
 Maximum Number :115
 Record Time    :2013-09-22 12:19:05
Table 14-53  Description of the display firewall app session table statistics command output

| Item | Description |
|---|---|
| App-inspect Session History Maximum Info | Information about the maximum number of session entries in the history. |
| Maximum Number | Maximum number of session entries. |
| Record Time | Time when the maximum number of session entries was recorded. |

# Display statistics on all Servermap entries at the application layer.

<Huawei> display firewall app servermap table statistics
 App-inspect Servermap History Maximum Info:
 Maximum Number :115
 Record Time    :2013-09-22 12:19:31
Table 14-54  Description of the display firewall app servermap table statistics command output

| Item | Description |
|---|---|
| App-inspect Servermap History Maximum Info | Information about the maximum number of Servermap entries in the history. |
| Maximum Number | Maximum number of Servermap entries. |
| Record Time | Time when the maximum number of Servermap entries was recorded. |

display firewall blacklist

Function

The display firewall blacklist command displays the blacklist entries.

Format

display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | dynamic | static | vpn-instance vpn-instance-name }

Parameters

| Parameter | Description | Value |
|---|---|---|
| all | Displays all the blacklist entries. | - |
| ip-address | Displays the blacklist entry matching a specified IP address. | The value is a valid IPv4 IP address. |
| dynamic | Displays the dynamic blacklist entries. | - |
| static | Displays the static blacklist entries. | - |
| vpn-instance vpn-instance-name | Indicates the name of the VPN instance that the specified IP address belongs to. | The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display all the blacklist entries.

<Huawei> display firewall blacklist all
Firewall blacklist items :
------------------------------------------------------------------------
IP-Address      Reason       Expire-Time(m)    VPN-Instance
------------------------------------------------------------------------
10.1.1.1        Manual       100
------------------------------------------------------------------------
 Total number is : 1                                                            
Table 14-55  Description of the display firewall blacklist command output

| Item | Description |
|---|---|
| IP-Address | IP address in a blacklist entry. |
| Reason | Reason why a blacklist entry is generated: IPSweep (the entry is generated because of an IP address sweeping attack), Manual (the entry is added to the blacklist manually), or PortScan (the entry is generated because of a port scanning attack). |
| Expire-Time(m) | Aging time of a blacklist entry; m indicates minutes. If the Permanent keyword is used, the entry is valid permanently. To configure a blacklist entry, run the firewall blacklist command. |
| VPN-Instance | Name of the VPN instance that the IP address in a blacklist entry belongs to. |
| Total number is : 1 | There is a total of one entry in the blacklist. |

display firewall blacklist configuration

Function

The display firewall blacklist configuration command displays the status of the blacklist function.

Format

display firewall blacklist configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Check whether the blacklist function is enabled on the device.

<Huawei> display firewall blacklist configuration
Info:Blacklist is disabled.
Table 14-56  Description of the display firewall blacklist configuration command output

| Item | Description |
|---|---|
| Info:Blacklist is disabled | The blacklist function is disabled. To enable the blacklist function, run the firewall blacklist enable command. |

display firewall defend

Function

The display firewall defend command displays the status and configurations of the attack defense functions. For the Flood attack defense function, you can also view the attack defense configuration of the specified zone or IP address.

Format

display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type }

Parameters

| Parameter | Description | Value |
|---|---|---|
| flag | Displays the status of all the attack defense functions. | - |
| icmp-flood | Displays the configuration of the ICMP Flood attack defense. | - |
| syn-flood | Displays the configuration of the SYN Flood attack defense. | - |
| udp-flood | Displays the configuration of the UDP Flood attack defense. | - |
| ip [ ip-address ] | Displays the Flood attack defense function configured for the specified IP address. | The value is a valid IPv4 IP address. |
| vpn-instance vpn-instance-name | Indicates the name of the VPN instance that the specified IP address belongs to. | The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters. |
| zone [ zone-name ] | Displays the Flood attack defense function configured for the specified zone. | The value of zone-name is a string of 1 to 32 case-sensitive characters. It must be an existing zone name. |
| other-attack-type | Displays the configurations of the attack defenses other than the Flood attack defense. | The other attack types are fraggle, icmp-redirect, icmp-unreachable, ip-fragment, ip-sweep, land, large-icmp, ping-of-death, port-scan, smurf, tcp-flag, teardrop, tracert, and winnuke. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the status of each attack defense function.

<Huawei> display firewall defend flag
--------------------------------
  Type                  Flag
--------------------------------
  land                 : disable
  smurf                : disable
  fraggle              : disable
  winnuke              : disable
  syn-flood            : disable
  udp-flood            : disable
  icmp-flood           : disable
  icmp-redirect        : disable
  icmp-unreachable     : disable
  ip-sweep             : disable
  port-scan            : disable
  tracert              : disable
  ping-of-death        : disable
  teardrop             : disable
  tcp-flag             : disable
  ip-fragment          : disable
  large-icmp           : disable
--------------------------------
                                      

# Display the configuration of IP address sweeping attack defense.

<Huawei> display firewall defend ip-sweep
  defend-flag          : disable
  max-rate             : 4000  (pps)
  blacklist-expire-time : 20    (m)
                                         
Table 14-57  Description of the display firewall defend command output

| Item | Description |
|---|---|
| Type | Type of attack to defend against. |
| Flag | Flag indicating whether attack defense is enabled: disable (attack defense is disabled) or enable (attack defense is enabled). |
| defend-flag | Flag indicating whether attack defense is enabled: disable (attack defense is disabled) or enable (attack defense is enabled). |
| max-rate | Maximum session rate of address scanning attack defense, in pps. To set the maximum session rate of address scanning attack defense, run the firewall defend ip-sweep command. |
| blacklist-expire-time | Timeout interval of the blacklist. To set the timeout interval of the blacklist, run the firewall defend ip-sweep command. |
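Because every defense in the flag table above is shown as disable by default, a practical check is to collect the display firewall defend flag output and compare it against the set of defenses a site expects to be on. The following is an added Python example, not code from the command reference or from the device: it parses output in the layout shown above and reports which expected defenses are disabled or absent. The sample output is constructed (the values are made up so the audit has something to report), and the BASELINE tuple is an assumption chosen for the example, not a vendor recommendation.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample in the layout of "display firewall defend flag";
# the enable/disable values are made up for the example.
SAMPLE_FLAG_OUTPUT = """\
--------------------------------
  Type                  Flag
--------------------------------
  land                 : enable
  smurf                : disable
  fraggle              : disable
  winnuke              : disable
  syn-flood            : enable
  udp-flood            : disable
  icmp-flood           : disable
  ip-sweep             : enable
  port-scan            : disable
--------------------------------
"""

# Defenses this example expects to be enabled (an assumption for the example).
BASELINE = ("syn-flood", "udp-flood", "icmp-flood", "ip-sweep", "port-scan", "land", "smurf")

# One row of the table: attack type, colon, enable|disable. Header and rule lines do not match.
FLAG_RE = re.compile(r"^\s*([a-z][a-z-]*)\s*:\s*(enable|disable)\s*$")


def parse_defend_flags(output: str) -> Dict[str, bool]:
    """Map each attack type in the output to True (enable) or False (disable)."""
    flags: Dict[str, bool] = {}
    for line in output.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2) == "enable"
    return flags


def audit_defend_flags(flags: Dict[str, bool], baseline: Iterable[str] = BASELINE) -> List[str]:
    """Return the baseline defenses that are disabled or missing from the output, sorted.

    A defense that does not appear at all is reported too: a truncated capture or a
    model that lacks the feature should surface as a finding, not pass silently."""
    return sorted(name for name in baseline if not flags.get(name, False))
```

Run it over a real capture by replacing SAMPLE_FLAG_OUTPUT with the text returned by the device; an empty list from audit_defend_flags means every baseline defense reported enable.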

display firewall interzone

Function

The display firewall interzone command displays information about an interzone.

Format

display firewall interzone [ zone-name1 zone-name2 ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| zone-name1 | Specifies the name of a zone included in the interzone. | The name is a string of 1 to 32 case-sensitive characters. zone-name1 must be a zone name created by the firewall zone command. |
| zone-name2 | Specifies the name of a zone included in the interzone. | The name is a string of 1 to 32 case-sensitive characters. zone-name2 must be a zone name created by the firewall zone command. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display firewall interzone command displays the following information about an interzone:

  • Names of the zones included in the interzone

  • Whether the firewall function is enabled in the interzone

  • Packet filtering policy of the firewall in the interzone

  • Whether the ASPF function is enabled in the interzone

  • Whether the firewall logging function is enabled in the interzone

Example

# Display information about the interzone between zone1 and zone2.

<Huawei> display firewall interzone zone1 zone2
interzone zone2 zone1
 firewall enable 
 session-log 2006 inbound                                                               
 packet-filter default permit inbound
 packet-filter default deny outbound                                          
 detect aspf ftp                                                                
Table 14-58  Description of the display firewall interzone command output

| Item | Description |
|---|---|
| interzone zone2 zone1 | Interzone between two zones. To configure an interzone, run the firewall interzone command. |
| firewall enable | The firewall function is enabled in the interzone. To enable the firewall function, run the firewall enable command. |
| session-log 2006 inbound | Firewall logs are recorded based on the filtering rules in ACL 2006. To reference an ACL, run the session-log command. |
| packet-filter default permit inbound | Default inbound packet filtering rule in the interzone: permit. To configure a packet filtering rule, run the packet-filter command. |
| packet-filter default deny outbound | Default outbound packet filtering rule in the interzone: deny. To configure a packet filtering rule, run the packet-filter command. |
| detect aspf ftp | ASPF is enabled for FTP packets. To enable ASPF, run the detect aspf command. |
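The interzone output above is compact enough to review by eye, but the items worth checking on every interzone (is the firewall enabled, what is the default packet-filter action per direction, is session logging referenced) are the same each time. The following is an added Python example, not code from the command reference or from the device: it parses output in the layout of the example above into a small record and lists the points a reviewer would raise. The sample output is constructed from the example's lines, and the policy in interzone_findings (deny by default in both directions, a session-log ACL in both directions) is an assumption chosen for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of "display firewall interzone zone1 zone2".
SAMPLE_INTERZONE_OUTPUT = """\
interzone zone2 zone1
 firewall enable
 session-log 2006 inbound
 packet-filter default permit inbound
 packet-filter default deny outbound
 detect aspf ftp
"""


def parse_interzone(output: str) -> Dict[str, object]:
    """Turn the interzone listing into a record of zones, firewall state,
    default filter action per direction, session-log ACLs and ASPF protocols."""
    info: Dict[str, object] = {
        "zones": None,
        "firewall_enabled": False,
        "default_filter": {},    # direction -> "permit" | "deny"
        "session_log_acls": {},  # direction -> ACL number
        "aspf": [],
    }
    for raw in output.splitlines():
        line = raw.strip()  # the device indents and right-pads these lines
        if line.startswith("interzone "):
            info["zones"] = tuple(line.split()[1:3])
        elif line == "firewall enable":
            info["firewall_enabled"] = True
        elif m := re.match(r"session-log (\d+) (inbound|outbound)$", line):
            info["session_log_acls"][m.group(2)] = int(m.group(1))
        elif m := re.match(r"packet-filter default (permit|deny) (inbound|outbound)$", line):
            info["default_filter"][m.group(2)] = m.group(1)
        elif m := re.match(r"detect aspf (\S+)$", line):
            info["aspf"].append(m.group(1))
    return info


def interzone_findings(info: Dict[str, object]) -> List[str]:
    """Points a reviewer would raise; the policy encoded here is an assumption."""
    findings: List[str] = []
    if not info["firewall_enabled"]:
        findings.append("firewall disabled in interzone")
    for direction in ("inbound", "outbound"):
        # A direction that is not explicitly deny (permit, or not shown) is reported.
        if info["default_filter"].get(direction) != "deny":
            findings.append(f"default {direction} filter is not explicitly deny")
        if direction not in info["session_log_acls"]:
            findings.append(f"no session-log for {direction}")
    return findings
```

On the example's own output the findings are the permit default inbound and the missing outbound session-log, which is exactly what a reviewer would note about that listing.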

display firewall log configuration

Function

The display firewall log configuration command displays the global configuration of the firewall logging functions.

Format

display firewall log configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the global configuration of the firewall logging functions.

<Huawei> display firewall log configuration
defend log :
  status : enabled
  log-interval : 30 s
statistics log :
  status : enabled
  log-interval : 30 s
blacklist log :
  status : enabled
  log-interval : 30 s
session log :
  status : enabled
  log-interval : 30 s
  out-of-band status : disabled
  nat-session : disabled
binary-log host :
  host                   source                 VPN instance-name
  ----:--                ----:--                ---     
Table 14-59  Description of the display firewall log configuration command output

| Item | Description |
|---|---|
| status | Status of a firewall logging function. enable indicates that the logging function is enabled; disable indicates that the logging function is disabled. |
| log-interval | Interval for exporting logs. |
| nat-session | Status of NAT session logs. enable indicates that the logging function is enabled; disable indicates that the logging function is disabled. |
| host | IP address and port number of the log server. |
| source | IP address and port number used by the device to communicate with the log server. |
| VPN instance-name | Name of a VPN instance. |

display firewall session

Function

The display firewall session command displays the firewall session table.

Format

display firewall session { all [ verbose ] | number }

display firewall session destination destination-address [ destination-port ] [ verbose ]

display firewall session source source-address [ source-port ] [ destination destination-address [ destination-port ] ] [ verbose ]

display firewall session protocol { protocol-number | protocol-name } [ source source-address [ source-port ] ] [ destination destination-address [ destination-port ] ] [ verbose ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| all | Displays all entries in the firewall session table. | - |
| verbose | Displays details about the firewall session table. | - |
| number | Displays the number of entries in the firewall session table. | - |
| protocol { protocol-number \| protocol-name } | Displays entries with a specified protocol number or protocol type. | The value of protocol-number is an integer that ranges from 1 to 255. The value of protocol-name can be ICMP, TCP, or UDP. |
| source source-address [ source-port ] | Displays entries with a specified source IP address or both a source IP address and a source port number. source-address specifies the source IP address of packets; source-port specifies the source port number of packets. | source-address is in dotted decimal notation. The value of source-port is an integer that ranges from 1 to 65535. |
| destination destination-address [ destination-port ] | Displays entries with a specified destination IP address or both a destination IP address and a destination port number. destination-address specifies the destination IP address of packets; destination-port specifies the destination port number of packets. | destination-address is in dotted decimal notation. The value of destination-port is an integer that ranges from 1 to 65535. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check information about a firewall session table.

Example

# Display the number of entries in the session table.

<Huawei> display firewall session number
  The total number of firewall session tables is: 1

# Display details about all entries in the session table.

<Huawei> display firewall session all verbose
   Firewall Session Table Information:
       Protocol          : TCP(6)
       SrcAddr  Port Vpn : 10.6.34.204    114   vpn1
       DestAddr Port Vpn : 10.1.1.1         21
       Time To Live      : 120 s
       Firewall-Info
         InZone          : a
         OutZone         : b

   Total : 1
Table 14-60  Description of the display firewall session all verbose command output

| Item | Description |
|---|---|
| Protocol | Protocol type. |
| SrcAddr Port Vpn | Source address, service port number, and VPN instance name. |
| DestAddr Port Vpn | Destination address, service port number, and VPN instance name. |
| Time To Live | Lifetime of the session table entry. |
| Firewall-Info | Firewall information. |
| InZone | Inbound zone name. |
| OutZone | Outbound zone name. |
| Total | Number of entries in the firewall session table. |
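The verbose session listing is the firewall's view of every flow it currently tracks, so it is the first thing to pull when the session count climbs unexpectedly. The following is an added Python example, not code from the command reference or from the device: it parses output in the layout shown above into one record per entry (quintuple, VPN names, TTL, zones), cross-checks the device's Total line against the number of entries actually parsed, and counts sessions per destination so that fan-in on a single service stands out. The two-entry sample output is constructed; the VPN column is optional in the sample exactly as it is in the example above, where DestAddr has no VPN name.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of "display firewall session all verbose" (two entries).
SAMPLE_SESSION_OUTPUT = """\
   Firewall Session Table Information:
       Protocol          : TCP(6)
       SrcAddr  Port Vpn : 10.6.34.204    114   vpn1
       DestAddr Port Vpn : 10.1.1.1         21
       Time To Live      : 120 s
       Firewall-Info
         InZone          : a
         OutZone         : b

       Protocol          : UDP(17)
       SrcAddr  Port Vpn : 10.6.34.7      5353
       DestAddr Port Vpn : 10.1.1.53        53
       Time To Live      : 30 s
       Firewall-Info
         InZone          : a
         OutZone         : b

   Total : 2
"""

PROTO_RE = re.compile(r"Protocol\s*:\s*([A-Z]+)\((\d+)\)")
# Address, port and an optional VPN instance name (absent when the column is empty).
ADDR_RE = re.compile(r"(SrcAddr|DestAddr)\s+Port\s+Vpn\s*:\s*(\S+)\s+(\d+)(?:\s+(\S+))?")
TTL_RE = re.compile(r"Time To Live\s*:\s*(\d+)\s*s")
ZONE_RE = re.compile(r"(InZone|OutZone)\s*:\s*(\S+)")
TOTAL_RE = re.compile(r"^\s*Total\s*:\s*(\d+)")


def parse_session_table(output: str) -> Tuple[List[dict], Optional[int]]:
    """Return (sessions, reported_total). A new entry starts at each Protocol line.
    Raises ValueError when the device's Total line disagrees with the entries parsed,
    which usually means a truncated capture."""
    sessions: List[dict] = []
    current: Optional[dict] = None
    total: Optional[int] = None
    for line in output.splitlines():
        if m := PROTO_RE.search(line):
            current = {"protocol": m.group(1), "protocol_number": int(m.group(2))}
            sessions.append(current)
        elif m := TOTAL_RE.match(line):
            total = int(m.group(1))
        elif current is None:
            continue  # banner lines before the first entry
        elif m := ADDR_RE.search(line):
            side = "src" if m.group(1) == "SrcAddr" else "dst"
            current[f"{side}_ip"] = m.group(2)
            current[f"{side}_port"] = int(m.group(3))
            current[f"{side}_vpn"] = m.group(4)  # None when no VPN instance is shown
        elif m := TTL_RE.search(line):
            current["ttl_s"] = int(m.group(1))
        elif m := ZONE_RE.search(line):
            current["in_zone" if m.group(1) == "InZone" else "out_zone"] = m.group(2)
    if total is not None and total != len(sessions):
        raise ValueError(f"device reported {total} sessions, parsed {len(sessions)}")
    return sessions, total


def sessions_by_destination(sessions: List[dict]) -> Dict[Tuple[str, int], int]:
    """Count sessions per (destination IP, destination port)."""
    return dict(Counter((s["dst_ip"], s["dst_port"]) for s in sessions))
```

The same records can be filtered on in_zone/out_zone or on src_vpn to answer the question the display firewall session source and destination forms answer on the device, but offline and over a saved capture.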

display firewall statistics system

Function

The display firewall statistics system command displays traffic statistics on the firewall.

Format

display firewall statistics system [ normal all | defend ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| normal all | Displays the statistics about packets passing the firewall. | - |
| defend | Displays the statistics about attack packets passing the firewall. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When you run the display firewall statistics system command without specifying any parameters, the upper (High) and lower (Low) thresholds on the number of TCP, UDP, ICMP, TCP proxy, and IP fragment sessions are displayed.

Example

# Display the global traffic thresholds set on the firewall.

<Huawei> display firewall statistics system
 --------------------------------------------------------------------           
             Global system statistics config information                        
 --------------------------------------------------------------------   
  Is enable          0                 <enable : 1  disable : 0 >
 ---------------------------------High---------------------Low-------           
 Tcp connect-number               16384                   12288                 
                                                                                
 Udp connect-number               16384                   12288                 
                                                                                
 Icmp connect-number              16384                   12288                 
                                                                                
 Tcp-proxy connect-number         16384                   12288                 
                                                                                
 Frag connect-number              16384                   12288                 
                                                                                
 --------------------------------------------------------------------     

# Display the statistics of packets passing the firewall.

<Huawei> display firewall statistics system normal all
HistoryTcpTotal-----------0
CurTcpTearTotal-----------0
HistoryUdpTotal-----------0
CurUdpTearTotal-----------0
HistoryIcmpTotal----------0
CurIcmpTearTotal----------0
HisTcpProxyTotal----------0
CurTcpProxyTearTotal------0
HistoryFragTotal------0
CurFragTearTotal------0
 
Table 14-61  Description of the display firewall statistics system normal all command output

| Item | Description |
|---|---|
| HistoryTcpTotal | Number of historical TCP connections. |
| CurTcpTearTotal | Number of current TCP connections. |
| HistoryUdpTotal | Number of historical UDP connections. |
| CurUdpTearTotal | Number of current UDP connections. |
| HistoryIcmpTotal | Number of historical ICMP connections. |
| CurIcmpTearTotal | Number of current ICMP connections. |
| HisTcpProxyTotal | Number of historical TCP proxy connections. |
| CurTcpProxyTearTotal | Number of current TCP proxy connections. |
| HistoryFragTotal | Number of historical fragment flow entries. |
| CurFragTearTotal | Number of current fragment flow entries. |

# Display the statistics on attack packets passing the firewall.

<Huawei> display firewall statistics system defend
 --------------------FW GLOBAL DEFEND TABLE--------------------
DropID[710]               0 FW_INTERZONE_DENY_DROP                 
DropID[715]               0 FW_ACL_FILTER_DENY_DROP                
DropID[736]               0 FW_GLOBAL_UDP_CONNECT_DROP             
DropID[737]               0 FW_GLOBAL_TCP_CONNECT_DROP             
DropID[738]               0 FW_GLOBAL_ICMP_CONNECT_DROP            
DropID[739]               0 FW_GLOBAL_TCP_PROXY_CONNECT_DROP       
DropID[740]               0 FW_ZONE_IN_UDP_CONNECT_DROP            
DropID[741]               0 FW_ZONE_OUT_UDP_CONNECT_DROP           
DropID[742]               0 FW_ZONE_IN_TCP_CONNECT_DROP            
DropID[743]               0 FW_ZONE_OUT_TCP_CONNECT_DROP           
DropID[744]               0 FW_ZONE_IN_ICMP_CONNECT_DROP           
DropID[745]               0 FW_ZONE_OUT_ICMP_CONNECT_DROP          
DropID[746]               0 FW_ZONE_IP_IN_UDP_CONNECT_DROP         
DropID[747]               0 FW_ZONE_IP_OUT_UDP_CONNECT_DROP        
DropID[748]               0 FW_ZONE_IP_IN_TCP_CONNECT_DROP         
DropID[749]               0 FW_ZONE_IP_OUT_TCP_CONNECT_DROP        
DropID[750]               0 FW_ZONE_IP_IN_ICMP_CONNECT_DROP        
DropID[751]               0 FW_ZONE_IP_OUT_ICMP_CONNECT_DROP       
DropID[752]               0 FW_GLOBAL_FRAG_CONNECT_DROP            
DropID[764]               0 FW_LAND_DEFEND_DROP                    
DropID[765]               0 FW_SMURF_DEFEND_DROP                   
DropID[766]               0 FW_FRAGGLE_DEFEND_DROP                 
DropID[767]               0 FW_WINNUKE_DEFEND_DROP                 
DropID[768]               0 FW_CONNECT_SYNFLOOD_DEFEND_DROP        
DropID[769]               0 FW_CONNECT_ICMPFLOOD_DEFEND_DROP       
DropID[770]               0 FW_CONNECT_UDPFLOOD_DEFEND_DROP        
DropID[771]               0 FW_ICMPREDIRECT_DEFEND_DROP            
DropID[772]               0 FW_ICMPUNREACHABLE_DEFEND_DROP         
DropID[773]               0 FW_IPSWEEP_DEFEND_DROP                 
DropID[774]               0 FW_PORTSCAN_DEFEND_DROP                
DropID[775]               0 FW_TRACERT_DEFEND_DROP                 
DropID[776]               0 FW_PINGOFDEATH_DEFEND_DROP             
DropID[777]               0 FW_TEARDROP_DEFEND_DROP                
DropID[778]               0 FW_TCPFLAG_DEFEND_DROP                 
DropID[779]               0 FW_IPFRAGMENT_DEFEND_DROP              
DropID[780]               0 FW_LARGEICMP_DEFEND_DROP               
DropID[781]               0 FW_BLACKIPLIST_DEFEND_DROP             
DropID[782]               0 FW_FLOW_SYNFLOOD_DEFEND_DROP           
DropID[783]               0 FW_FLOW_ICMPFLOOD_DEFEND_DROP          
DropID[784]               0 FW_FLOW_UDPFLOOD_DEFEND_DROP           
DropID[785]               0 FW_FRAG_SESSION_NUM_OVER_DROP          
DropID[786]               0 FW_TEARDROP_BAD_IPLEN_DROP   
Table 14-62  Description of the display firewall statistics system defend command output

Item

Description

FW_INTERZONE_DENY_DROP

Number of packets rejected by the firewall.

FW_ACL_FILTER_DENY_DROP

Number of packets rejected by the ACL.

FW_GLOBAL_UDP_CONNECT_DROP

Number of discarded packets of excess global UDP connections.

FW_GLOBAL_TCP_CONNECT_DROP

Number of discarded packets of excess global TCP connections.

FW_GLOBAL_ICMP_CONNECT_DROP

Number of discarded packets of excess global ICMP connections.

FW_GLOBAL_TCP_PROXY_CONNECT_DROP

Number of discarded packets of excess global split TCP proxy connections initiated globally.

FW_ZONE_IN_UDP_CONNECT_DROP

Number of discarded incoming packets of excess UDP connections in a zone.

FW_ZONE_OUT_UDP_CONNECT_DROP

Number of discarded outgoing packets of excess UDP connections.

FW_ZONE_IN_TCP_CONNECT_DROP

Number of discarded incoming packets of excess TCP connections in a zone.

FW_ZONE_OUT_TCP_CONNECT_DROP

Number of discarded outgoing packets of excess TCP connections in a zone.

FW_ZONE_IN_ICMP_CONNECT_DROP

Number of discarded incoming packets of excess ICMP connections.

FW_ZONE_OUT_ICMP_CONNECT_DROP

Number of discarded outgoing packets of excess ICMP connections in a zone.

FW_ZONE_IP_IN_UDP_CONNECT_DROP

Number of discarded incoming packets of excess UDP connections.

FW_ZONE_IP_OUT_UDP_CONNECT_DROP

Number of discarded outgoing packets of excess UDP connections.

FW_ZONE_IP_IN_TCP_CONNECT_DROP

Number of discarded incoming packets of excess TCP connections.

FW_ZONE_IP_OUT_TCP_CONNECT_DROP

Number of discarded outgoing packets of excess TCP connections.

FW_ZONE_IP_IN_ICMP_CONNECT_DROP

Number of discarded incoming packets of excess ICMP connections.

FW_ZONE_IP_OUT_ICMP_CONNECT_DROP

Number of discarded outgoing packets of excess ICMP connections.

FW_GLOBAL_FRAG_CONNECT_DROP

Number of discarded packets of excess fragment connections initiated globally.

FW_LAND_DEFEND_DROP

Number of discarded Land attack packets.

FW_SMURF_DEFEND_DROP

Number of discarded Smurf attack packets.

FW_FRAGGLE_DEFEND_DROP

Number of discarded Fraggle attack packets.

FW_WINNUKE_DEFEND_DROP

Number of discarded Winnuke attack packets.

FW_CONNECT_SYNFLOOD_DEFEND_DROP

Number of discarded initial packets of SYN flood attacks.

FW_CONNECT_ICMPFLOOD_DEFEND_DROP

Number of discarded initial packets of ICMP flood attacks.

FW_CONNECT_UDPFLOOD_DEFEND_DROP

Number of discarded initial packets of UDP flood attacks.

FW_ICMPREDIRECT_DEFEND_DROP

Number of discarded ICMP redirection attack packets.

FW_ICMPUNREACHABLE_DEFEND_DROP

Number of discarded ICMP unreachable attack packets.

FW_IPSWEEP_DEFEND_DROP

Number of discarded IP scanning attack packets.

FW_PORTSCAN_DEFEND_DROP

Number of discarded port scanning attack packets.

FW_TRACERT_DEFEND_DROP

Number of discarded Tracert attack packets.

FW_PINGOFDEATH_DEFEND_DROP

Number of discarded ping of death attack packets.

FW_TEARDROP_DEFEND_DROP

Number of discarded Teardrop attack packets.

FW_TCPFLAG_DEFEND_DROP

Number of discarded malformed TCP attack packets.

FW_IPFRAGMENT_DEFEND_DROP

Number of discarded IP fragment attack packets.

FW_LARGEICMP_DEFEND_DROP

Number of discarded large-sized ICMP attack packets.

FW_BLACKIPLIST_DEFEND_DROP

Number of discarded blacklisted attack packets.

FW_FLOW_SYNFLOOD_DEFEND_DROP

Number of discarded non-initial SYN flood attack packets.

FW_FLOW_ICMPFLOOD_DEFEND_DROP

Number of discarded non-initial ICMP flood attack packets.

FW_FLOW_UDPFLOOD_DEFEND_DROP

Number of discarded non-initial UDP flood attack packets.

FW_FRAG_SESSION_NUM_OVER_DROP

Number of discarded excess fragments.

FW_TEARDROP_BAD_IPLEN_DROP

Number of packets discarded by Teardrop defense because of an invalid IP length.

display firewall statistics zone

Function

The display firewall statistics zone command displays traffic statistics and monitoring information in a zone.

Format

display firewall statistics zone zone-name { inzone | outzone } all

Parameters

Parameter

Description

Value

zone-name

Indicates the name of a zone.

It is a string of 1 to 32 characters. The character string cannot contain name or -.

inzone

Displays the statistics about the traffic entering the zone.

-

outzone

Displays the statistics about the traffic leaving the zone.

-

all

Displays the statistics about the traffic entering and leaving the zone.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display firewall statistics zone command displays the number of current sessions and historical sessions in the inbound or outbound direction of a zone and the number of HTTP, FTP, or DNS packets in a certain direction.

Example

# Display the inbound packet statistics of zone1.

<Huawei> display firewall statistics zone zone1 inzone all
ZoneID:0  Direction:IN
InTcpSetupTotal-----------------0
InTcpTearTotal------------------0
InUdpSetupTotal-----------------0
InUdpTearTotal------------------0
InIcmpSetupTotal----------------0
InIcmpTearTotal-----------------0       

# Display the outbound packet statistics of zone1.

<Huawei> display firewall statistics zone zone1 outzone all
ZoneID:0  Direction:OUT
OutTcpSetupTotal-----------------0
OutTcpTearTotal------------------0
OutUdpSetupTotal-----------------0
OutUdpTearTotal------------------0
OutIcmpSetupTotal----------------0
OutIcmpTearTotal-----------------0      
Table 14-63  Description of the display firewall statistics zone command output

Item

Description

InTcpSetupTotal / OutTcpSetupTotal

Number of TCP connections set up in the inbound and outbound directions.

InTcpTearTotal / OutTcpTearTotal

Number of TCP connections deleted in the inbound and outbound directions.

InUdpSetupTotal / OutUdpSetupTotal

Number of UDP connections set up in the inbound and outbound directions.

InUdpTearTotal / OutUdpTearTotal

Number of UDP connections deleted in the inbound and outbound directions.

InIcmpSetupTotal / OutIcmpSetupTotal

Number of ICMP connections set up in the inbound and outbound directions.

InIcmpTearTotal / OutIcmpTearTotal

Number of ICMP connections deleted in the inbound and outbound directions.

display firewall statistics zone-ip

Function

The display firewall statistics zone-ip command displays the status of traffic monitoring function and session thresholds for each protocol.

Format

display firewall statistics zone-ip zone-name

Parameters

Parameter

Description

Value

zone-name

Indicates the name of a zone.

The value is a string of 1 to 32 case-sensitive characters. The value cannot contain name or -.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the traffic monitoring function is enabled and the session thresholds of each protocol are set, you can run the display firewall statistics zone-ip command to view the traffic monitoring information of the zone.

Example

# Display the configuration of traffic monitoring in zone2.
<Huawei> display firewall statistics zone-ip zone2
 --------------------------------------------------------------------           
                 Zone statistics config information                             
 -------------------------------------------------------------------- 
 Zone in enable          0              <enable : 1  disable : 0>    
 ---------------------------------High---------------------Low-------           
 Tcp connect-number               16384                   12288                 
                                                                                
 Udp connect-number               16384                   12288                 
                                                                                
 Icmp connect-number              16384                   12288                 
                                                                                
 --------------------------------------------------------------------
 Zone out enable         0              <enable : 1  disable : 0>   
 --------------------------------------------------------------------           
 Tcp connect-number               16384                   12288                 
                                                                                
 Udp connect-number               16384                   12288                 
                                                                                
 Icmp connect-number              16384                   12288                 
                                                                                
 --------------------------------------------------------------------    
 Ip in enable           0              <enable : 1  disable : 0> 
 --------------------------------------------------------------------           
 Tcp connect-number               16384                   12288                 
                                                                                
 Udp connect-number               16384                   12288                 
                                                                                
 Icmp connect-number              16384                   12288                 
                                                                                
 --------------------------------------------------------------------   
 Ip out enable          0              <enable : 1  disable : 0>     
 --------------------------------------------------------------------           
 Tcp connect-number               16384                   12288                 
                                                                                
 Udp connect-number               16384                   12288                 
                                                                                
 Icmp connect-number              16384                   12288                 
                                                                                
 --------------------------------------------------------------------      

display firewall whitelist

Function

The display firewall whitelist command displays entries in the whitelist.

Format

display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name }

Parameters

Parameter

Description

Value

all

Displays all the entries in the whitelist.

-

ip-address

Displays the whitelist entry matching the specified IP address.

The value is a valid IPv4 IP address in dotted decimal notation.

vpn-instance vpn-instance-name

Indicates the name of the VPN instance that the specified IP address belongs to.

The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display all the whitelist entries on the device.

<Huawei> display firewall whitelist all
Firewall whitelist items  :
------------------------------------------------------------------------
IP-Address     Expire-Time(m)  VPN-Instance
------------------------------------------------------------------------
10.1.1.1         3             vpn1
10.1.1.2         Permanent     vpn2
10.1.1.3         6             
 ------------------------------------------------------------------------
 Total number is : 3
Table 14-64  Description of the display firewall whitelist command output

Item

Description

IP-Address

IP address in a whitelist entry.

VPN-Instance

Name of the VPN instance that the IP address in a whitelist entry belongs to.

Expire-Time(m)

Aging time of a whitelist entry, in minutes.

Total number is : 3

There are a total of three entries in the whitelist.

display firewall zone

Function

The display firewall zone command displays the configuration of a specified zone or all zones.

Format

display firewall zone [ zone-name ] [ interface | priority ]

Parameters

Parameter

Description

Value

zone-name

Displays the configuration of a specified zone.

The value is a string of 1 to 32 case-sensitive characters. The character string cannot contain name or -.

interface

Displays the interfaces added to the zone.

-

priority

Displays the priorities of all zones.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display information about all zones configured on the device.

<Huawei> display firewall zone
zone zone1
 priority is 5
 interface of the zone is (total number 1):
 Vlanif77
 
 total number is : 1
Table 14-65  Description of the display firewall zone command output

Item

Description

zone zone1

Security zone named zone1.

To configure a security zone, run the firewall zone command.

priority is 5

Priority of a security zone: 5.

To configure the priority for a security zone, run the priority command.

interface of the zone is (total number 1):

Vlanif77

One interface, VLANIF 77, has been added to the zone.

To add interfaces to a zone, run the zone command.

total number is : 1

There is a total of one zone on the device.

display firewall-nat session aging-time

Function

The display firewall-nat session aging-time command displays the timeout interval of entries in the firewall session table or NAT session table.

Format

display firewall-nat session aging-time

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays the timeout interval of sessions on the firewall session table or NAT session table.

Example

# Display the timeout time of all entries in the session table.

<Huawei> display firewall-nat session aging-time
---------------------------------------------                                   
  tcp protocol timeout         : 600   (s)                                      
  tcp-proxy timeout            : 10    (s)                                      
  udp protocol timeout         : 120   (s)                                      
  icmp protocol timeout        : 20    (s)                                      
  dns protocol timeout         : 120   (s)                                      
  http protocol timeout        : 120   (s)                                      
  ftp protocol timeout         : 120   (s)                                      
  ftp-data protocol timeout    : 120   (s)                                      
  rtsp protocol timeout        : 60    (s)                                      
  rtsp-media protocol timeout  : 120   (s)                                      
  sip protocol timeout         : 1800  (s)                                      
  sip-media protocol timeout   : 120   (s)                                      
  pptp protocol timeout        : 600   (s)                 
  pptp-data protocol timeout   : 600   (s) 
---------------------------------------------  
Table 14-66  Description of the display firewall-nat session aging-time command output

Item

Description

tcp protocol timeout

Timeout interval of TCP connections. The default value is 600, in seconds.

tcp-proxy timeout

Timeout interval of the TCP proxy. The default value is 10, in seconds.

udp protocol timeout

Timeout interval of UDP connections. The default value is 120, in seconds.

icmp protocol timeout

Timeout interval of ICMP connections. The default value is 20, in seconds.

dns protocol timeout

Timeout interval of the DNS protocol. The default value is 120, in seconds.

http protocol timeout

Timeout interval of HTTP connections. The default value is 120, in seconds.

ftp protocol timeout

Timeout interval of the FTP control connection. The default value is 120, in seconds.

ftp-data protocol timeout

Timeout interval of FTP data connections. The default value is 120, in seconds.

sip protocol timeout

Timeout interval of the SIP protocol. The default value is 1800, in seconds.

sip-media protocol timeout

Timeout interval of the SIP media protocol. The default value is 120, in seconds.

rtsp protocol timeout

Timeout interval of the RTSP protocol. The default value is 60, in seconds.

rtsp-media protocol timeout

Timeout interval of the RTSP media protocol. The default value is 120, in seconds.

pptp protocol timeout

Timeout interval of the PPTP control connection. The default value is 600, in seconds.

pptp-data protocol timeout

Timeout interval of the PPTP data connection. The default value is 600, in seconds.

display port-mapping

Function

The display port-mapping command displays mappings between the specified application-layer protocols and ports.

Format

display port-mapping [ dns | ftp | http | rtsp | sip | port port-number | pptp ]

Parameters

Parameter

Description

Value

dns

Displays the mapping between the DNS protocol and port.

-

ftp

Displays the mapping between the FTP protocol and port.

-

rtsp

Displays the mapping between the RTSP protocol and port.

-

sip

Displays the mapping between the SIP protocol and port.

-

http

Displays the mapping between the HTTP protocol and port.

-

port port-number

Displays the mapping between the specified port and the application-layer protocol.

The value is an integer that ranges from 1 to 65535.

pptp

Displays the mapping between the PPTP protocol and port.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display port-mapping command displays the port mappings, including the mappings between application-layer protocols and ports, condition (ACL) in which each mapping takes effect, and the type of each mapping (defined by the system or user).

Example

# Display the mapping between the DNS protocol and port.

<Huawei> display port-mapping dns
 -------------------------------------------------
  Service    Port       Acl        Type  
 -------------------------------------------------
  dns          53                  system defined
 ------------------------------------------------- 
 Total number is : 1
Table 14-67  Description of the display port-mapping command output

Item

Description

Service

Type of the application-layer protocol.

Port

Port number.

Acl

Number of the ACL for mappings.

Type

Mapping type.

  • system defined: default mapping.

  • user defined: mapping defined by the user.

Total number is : 1

The total number of mappings is 1.

display session

Function

The display session command displays the session table information.

Format

display session { all [ verbose ] | number }

display session destination destination-address [ destination-port ] [ verbose ]

display session source source-address [ source-port ] [ destination destination-address [ destination-port ] ] [ verbose ]

display session protocol { protocol-number | protocol-name } [ source source-address [ source-port ] ] [ destination destination-address [ destination-port ] ] [ verbose ]

Parameters

Parameter

Description

Value

all

Displays all session table information.

-

verbose

Displays detailed information about the session table.

-

number

Displays the number of entries in the session table.

-

protocol { protocol-number | protocol-name }

Displays entries with a specified protocol number or protocol type.

  • The value of protocol-number is an integer that ranges from 1 to 255.

  • The value of protocol-name can be ICMP, TCP, or UDP.

source source-address [ source-port ]

Displays entries with a specified source IP address or both a source IP address and a source port number.

  • source-address specifies the source IP address of packets, in dotted decimal notation.

  • source-port specifies the source port number of packets. The value is an integer that ranges from 1 to 65535.

destination destination-address [ destination-port ]

Displays entries with a specified destination IP address or both a destination IP address and a destination port number.

  • destination-address specifies the destination IP address of packets, in dotted decimal notation.

  • destination-port specifies the destination port number of packets. The value is an integer that ranges from 1 to 65535.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check information about a firewall session table, NAT session table, or a common session table.

Example

# Display the number of entries in the session table.

<Huawei> display session number
  The total number of session tables is: 1

# Display details about all entries in the session table.

<Huawei> display session all verbose
   Session Table Information:
     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 10.200.200.200 65532 vpn1
     DestAddr Port Vpn : 10.100.100.100 1024
     Time To Live      : 60 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10240
       New DestAddr    : 10.30.30.30
       New DestPort    : 21
     Firewall-Info        
       InZone          : a
       OutZone         : b

   Total : 1
Table 14-68  Description of the display session all verbose command output

Item

Description

Protocol

Protocol type.

SrcAddr Port Vpn

Source address, service port number, and VPN instance name.

DestAddr Port Vpn

Destination address, service port number, and VPN instance name.

Time To Live

Lifetime of the session table entries.

NAT-Info

NAT information.

New SrcAddr

Translated source IP address.

New SrcPort

Translated source port.

New DestAddr

Translated destination IP address.

New DestPort

Translated destination port.

Firewall-Info

Firewall information.

InZone

Inbound zone name.

OutZone

Outbound zone name.

Total

Number of entries in the session table.
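
The verbose output above is the only machine-readable view of the session table, so an operator exporting sessions has to parse it. The following parser is an added example, not Huawei code; it assumes the field layout shown above ('Key : value' lines grouped under 'Session Table Information:', optional NAT-Info and Firewall-Info blocks, a closing 'Total : N' line) and works on a constructed capture that pairs the reference's TCP session with a UDP session that carries no NAT information.

```python
"""Parse the output of 'display session all verbose' into records.

Added example, not Huawei code. It assumes the layout of the verbose output
shown above ('Key : value' lines under 'Session Table Information:', optional
NAT-Info and Firewall-Info blocks, a closing 'Total : N' line). The capture
below is constructed: the reference's TCP session plus a UDP session without NAT.
"""
import re

PROTO_RE = re.compile(r"^(\w+)\((\d+)\)$")       # e.g. TCP(6) -> ("TCP", 6)
TOTAL_RE = re.compile(r"^Total\s*:\s*(\d+)$")
RECORD_START = "Session Table Information:"


def _typed(key, value):
    """Convert one field to a typed value; unknown keys stay as strings."""
    if key == "Protocol":
        name, num = PROTO_RE.match(value).groups()
        return (name, int(num))
    if key.endswith("Vpn"):                   # "address port [vpn-instance]"
        parts = value.split()
        return (parts[0], int(parts[1]), parts[2] if len(parts) > 2 else "")
    if key == "Time To Live":                 # "60 s" -> 60
        return int(value.split()[0])
    if key.endswith("Port"):                  # New SrcPort / New DestPort
        return int(value)
    return value


def parse_display_session(text):
    """Return (sessions, total). Each session is a dict keyed by the output's
    own labels plus 'nat' for the NAT-Info block; total is the device's count
    or None when the 'Total' line is missing (cut-off capture)."""
    sessions, total, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == RECORD_START:
            sessions.append({"nat": {}})
            section = None
        elif (m := TOTAL_RE.match(line)):
            total = int(m.group(1))
        elif line in ("NAT-Info", "Firewall-Info"):
            section = line
        elif " : " in line and sessions:
            key, value = (s.strip() for s in line.split(" : ", 1))
            key = " ".join(key.split())       # collapse the column alignment
            target = sessions[-1]["nat"] if section == "NAT-Info" else sessions[-1]
            target[key] = _typed(key, value)
    return sessions, total


def capture_is_complete(sessions, total):
    """True when the parsed record count matches the device's Total line, so a
    paged or cut-off capture does not silently hide sessions."""
    return total is not None and total == len(sessions)


def nat_translations(sessions):
    """(original src, translated src, original dst, translated dst) for each
    session carrying NAT-Info; untranslated fields keep their original value.
    This maps an externally observed endpoint back to the internal host."""
    out = []
    for s in sessions:
        if not s["nat"]:
            continue
        n, src, dst = s["nat"], s["SrcAddr Port Vpn"], s["DestAddr Port Vpn"]
        out.append((f"{src[0]}:{src[1]}",
                    f"{n.get('New SrcAddr', src[0])}:{n.get('New SrcPort', src[1])}",
                    f"{dst[0]}:{dst[1]}",
                    f"{n.get('New DestAddr', dst[0])}:{n.get('New DestPort', dst[1])}"))
    return out


# Constructed capture: the session from the reference plus a UDP DNS session.
SAMPLE_OUTPUT = """\
   Session Table Information:
     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 10.200.200.200 65532 vpn1
     DestAddr Port Vpn : 10.100.100.100 1024
     Time To Live      : 60 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10240
       New DestAddr    : 10.30.30.30
       New DestPort    : 21
     Firewall-Info
       InZone          : a
       OutZone         : b

   Session Table Information:
     Protocol          : UDP(17)
     SrcAddr  Port Vpn : 10.200.200.201 5353
     DestAddr Port Vpn : 10.100.100.100 53
     Time To Live      : 120 s
     Firewall-Info
       InZone          : a
       OutZone         : b

   Total : 2
"""
```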

firewall blacklist

Function

The firewall blacklist command adds an entry to the blacklist.

The undo firewall blacklist command deletes an entry from the blacklist.

Format

firewall blacklist ip-address [ vpn-instance vpn-instance-name ] [ expire-time minutes ]

undo firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name }

Parameters

Parameter

Description

Value

ip-address

Indicates the IP address that you want to add to the blacklist.

The value is a valid IPv4 IP address.

vpn-instance vpn-instance-name

Indicates the name of the VPN instance that the specified IP address belongs to.

The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.

expire-time minutes

Specifies the aging time of a blacklist entry.

The value is an integer that ranges from 1 to 1000, in minutes.

NOTE:

If this parameter is not set, the entry is always valid.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After an IP address is added to the blacklist by the firewall blacklist command, the firewall denies the packets from this IP address until this entry ages.

An IP address cannot exist in both the whitelist and blacklist.

NOTE:

The blacklist entry with an aging time is not written into the configuration file. You can view it using the display firewall blacklist command.

Example

# Add IP address 192.168.10.10 to the blacklist and set the aging time of the entry to 100 minutes.

<Huawei> system-view
[Huawei] firewall blacklist 192.168.10.10 expire-time 100

firewall blacklist enable

Function

The firewall blacklist enable command enables the blacklist function.

The undo firewall blacklist enable command disables the blacklist function.

By default, the blacklist function is disabled.

Format

firewall blacklist enable

undo firewall blacklist enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Configurations of the blacklist take effect only after you run the firewall blacklist enable command to enable the blacklist function.

Precautions

A blacklist entry can be manually configured or automatically generated.

After you run the firewall defend ip-sweep enable command to enable defense against address scanning attacks, the device adds attacking IP addresses to the blacklist.

After you run the firewall defend port-scan enable command to enable defense against port scanning attacks, the device adds attacking ports to the blacklist.

Example

# Enable the blacklist function.

<Huawei> system-view
[Huawei] firewall blacklist enable

firewall black-white-list load configuration-file

Function

The firewall black-white-list load configuration-file command loads the configuration file of blacklist and whitelist.

Format

firewall black-white-list load configuration-file configuration-file-name

Parameters

Parameter

Description

Value

configuration-file-name

Indicates the name of the configuration file.

The value is a string of 1 to 127 characters in the format [drive][file-name] (the default drive is flash:/). The configuration file is in txt format.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can batch configure entries in the blacklist and whitelist by loading a configuration file.

A configuration file can contain multiple entries, but the entries must be edited one by one. Blank lines are allowed between lines. A configuration file contains up to 50000 lines. The following is an example of the configuration file:
[FirewallBlacklist]
IPAddress = 10.10.10.1
VPNName = vpna
[FirewallBlacklist]
IPAddress = 10.10.10.2
VPNName = 

[FirewallWhitelist]
IPAddress = 10.10.10.3
VPNName = vpnb
[FirewallWhitelist]
IPAddress = 10.20.20.1
VPNName = 

NOTE:

An invalid configuration file cannot be loaded. For example, if a configuration file contains an invalid IP address or excess entries, the invalid IP address cannot be added and the excess entries do not take effect; however, the valid IP addresses and the entries in the range can still take effect.
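
Because a malformed entry is rejected only when the file is loaded, it is worth validating the file offline first. The following checker is an added example, not Huawei code; it assumes only the file format shown above (section headers, IPAddress and VPNName lines, blank lines allowed, at most 50000 lines) and the constraints the reference states for entries. The sample file it parses is constructed.

```python
"""Validate a firewall black-white-list configuration file before loading it.

Added example, not Huawei code. It assumes only the file format shown above:
[FirewallBlacklist] or [FirewallWhitelist] headers, each followed by
IPAddress = ... and VPNName = ... lines, blank lines allowed, at most 50000
lines. Entries are checked against the constraints the reference states
(valid IPv4 address, VPN instance name of at most 31 characters, no address
in both lists), so problems surface before the file reaches the device.
"""
import ipaddress
import re
from dataclasses import dataclass

MAX_LINES = 50000      # file size limit stated in the usage guidelines
SECTION_RE = re.compile(r"^\[(FirewallBlacklist|FirewallWhitelist)\]$")
KV_RE = re.compile(r"^(IPAddress|VPNName)\s*=\s*(.*)$")


@dataclass(frozen=True)
class Entry:
    list_name: str   # "blacklist" or "whitelist"
    ip: str
    vpn: str         # "" when the entry belongs to no VPN instance


def parse_black_white_list(text):
    """Return (entries, errors): validated entries plus one message for each
    entry or line the device would reject."""
    entries, errors = [], []
    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        errors.append(f"file has {len(lines)} lines, limit is {MAX_LINES}")
    current = None   # (list_name, fields, header line number) being collected

    def flush():
        if current is None:
            return
        list_name, fields, lineno = current
        ip, vpn = fields.get("IPAddress", ""), fields.get("VPNName", "")
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            errors.append(f"line {lineno}: invalid IPv4 address {ip!r}")
            return
        if len(vpn) > 31:
            errors.append(f"line {lineno}: VPN instance name {vpn!r} is too long")
            return
        entries.append(Entry(list_name, ip, vpn))

    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue                   # blank lines between entries are allowed
        m = SECTION_RE.match(line)
        if m:
            flush()
            kind = "blacklist" if m.group(1) == "FirewallBlacklist" else "whitelist"
            current = (kind, {}, lineno)
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2).strip()
            continue
        errors.append(f"line {lineno}: unexpected text {line!r}")
    flush()
    return entries, errors


def conflicting_addresses(entries):
    """Addresses present in both lists; the device keeps an address in only
    one of them. Keying on (address, VPN instance) is this example's assumption."""
    black = {(e.ip, e.vpn) for e in entries if e.list_name == "blacklist"}
    white = {(e.ip, e.vpn) for e in entries if e.list_name == "whitelist"}
    return sorted(black & white)


# Constructed sample: the reference's example entries, one address listed in
# both lists, and one malformed address.
SAMPLE_FILE = """\
[FirewallBlacklist]
IPAddress = 10.10.10.1
VPNName = vpna
[FirewallBlacklist]
IPAddress = 10.10.10.2
VPNName =

[FirewallWhitelist]
IPAddress = 10.10.10.3
VPNName = vpnb
[FirewallWhitelist]
IPAddress = 10.10.10.2
VPNName =
[FirewallBlacklist]
IPAddress = 10.10.10.999
VPNName =
"""
```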

Example

# Load the configuration file named bwls.txt.

<Huawei> system-view
[Huawei] firewall black-white-list load configuration-file bwls.txt

firewall black-white-list save configuration-file

Function

The firewall black-white-list save configuration-file command saves the blacklist and whitelist to a configuration file.

Format

firewall black-white-list save configuration-file configuration-file-name

Parameters

Parameter

Description

Value

configuration-file-name

Indicates the name of the configuration file.

The value is a string of 1 to 127 characters in the format [drive][file-name] (the default drive is flash:/). The configuration file is in txt format.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By using this command, you can save the blacklist and whitelist to the configuration file configuration-file-name. Only entries whose aging time is 0 can be saved.

NOTE:

The configuration file configuration-file-name must be available before this command is executed.

Example

# Save the blacklist and whitelist to the configuration file bwls.txt.

<Huawei> system-view
[Huawei] firewall black-white-list save configuration-file bwls.txt

firewall defend all enable

Function

The firewall defend all enable command enables all the attack defense functions.

The undo firewall defend all enable command disables all the attack defense functions.

By default, no attack defense function is enabled.

Format

firewall defend all enable

undo firewall defend all enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Enable all attack defense functions.

<Huawei> system-view
[Huawei] firewall defend all enable

firewall defend fraggle enable

Function

The firewall defend fraggle enable command enables the Fraggle attack defense function.

The undo firewall defend fraggle enable command disables the Fraggle attack defense function.

By default, the Fraggle attack defense function is disabled.

Format

firewall defend fraggle enable

undo firewall defend fraggle enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

A Fraggle attack is similar to a Smurf attack, except that it sends UDP packets rather than ICMP packets. Fraggle attack packets can therefore traverse some firewalls that block ICMP packets.

A Fraggle attack can be successful because both UDP port 7 (ECHO) and port 19 (Chargen) return responses after receiving UDP packets. The details are as follows:

  • UDP port 7 returns a response (similar to the ICMP ECHO-Reply packet) after receiving a packet.
  • UDP port 19 generates a character stream after receiving the packet.

The two UDP ports send a lot of response packets, which occupy high network bandwidth.

An attacker sends a UDP packet to the target network whose source address is the IP address of the attacked host and whose destination address is the broadcast address or network address of the host's subnet, with destination port 7 or 19. All the hosts on the subnet then send response packets to the attacked host, generating heavy traffic that congests the network or crashes the host.
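
The two traffic patterns described above (a UDP packet to a subnet's broadcast or network address on port 7 or 19, and a single host receiving echo or chargen replies from many responders) can be checked in flow records on the defender's side. The following detector is an added example, not Huawei code; it assumes flow records carrying source and destination address, ports and protocol number, and the records and addresses it uses are constructed.

```python
"""Flag Fraggle-style traffic in flow records.

Added example, not Huawei code. It checks, from the defender's side, the two
conditions described above: UDP sent to a subnet's broadcast or network
address on port 7 (echo) or 19 (chargen), and a single host receiving UDP
replies from port 7 or 19 from many distinct responders. The flow records
and addresses are constructed.
"""
import ipaddress
from collections import defaultdict

FRAGGLE_PORTS = {7, 19}    # UDP echo and chargen, the responders named above
UDP = 17


def flow(src, dst, sport, dport, proto=UDP):
    """One flow record as a dict, in the shape the two checks below expect."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "proto": proto}


def directed_broadcast_probes(flows, subnets):
    """Flows addressed to the broadcast or network address of a monitored
    subnet with UDP port 7 or 19 as destination: the trigger packet."""
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    hits = []
    for f in flows:
        if f["proto"] != UDP or f["dport"] not in FRAGGLE_PORTS:
            continue
        dst = ipaddress.IPv4Address(f["dst"])
        if any(dst in (n.broadcast_address, n.network_address) for n in nets):
            hits.append(f)
    return hits


def amplified_victims(flows, min_responders=3):
    """Hosts receiving UDP from source port 7 or 19 from at least
    min_responders distinct addresses: the reflected traffic as the victim's
    network sees it. Returns {victim address: responder count}."""
    responders = defaultdict(set)
    for f in flows:
        if f["proto"] == UDP and f["sport"] in FRAGGLE_PORTS:
            responders[f["dst"]].add(f["src"])
    return {v: len(s) for v, s in responders.items() if len(s) >= min_responders}


# Constructed records: a probe to the 192.0.2.0/24 broadcast address whose
# source is the victim 198.51.100.7, the replies that reach the victim, and
# ordinary DNS traffic that must not be flagged.
SAMPLE_FLOWS = [
    flow("198.51.100.7", "192.0.2.255", 40000, 7),
    flow("192.0.2.10", "198.51.100.7", 7, 40000),
    flow("192.0.2.11", "198.51.100.7", 7, 40000),
    flow("192.0.2.12", "198.51.100.7", 19, 40000),
    flow("192.0.2.20", "192.0.2.1", 53000, 53),
    flow("192.0.2.1", "192.0.2.20", 53, 53000),
]
```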

Example

# Enable the Fraggle attack defense function.

<Huawei> system-view
[Huawei] firewall defend fraggle enable

firewall defend icmp-flood

Function

The firewall defend icmp-flood command sets the parameters of ICMP Flood attack defense, including the protected zone or IP address and maximum connection rate.

The undo firewall defend icmp-flood command restores the default values of ICMP Flood attack defense parameters.

By default, the maximum connection rate of ICMP Flood attack defense is 1000 pps.

Format

firewall defend icmp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ]

undo firewall defend icmp-flood [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ]

Parameters

Parameter

Description

Value

ip ip-address

Specifies a protected IP address.

The value is a valid IPv4 IP address.

zone zone-name

Specifies a protected zone.

The value of zone-name is a string of 1 to 32 characters. It must be an existing zone name.

vpn-instance vpn-instance-name

Indicates the name of the VPN instance that the specified IP address belongs to.

The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.

max-rate rate-value

Specifies the maximum connection rate of a new flow.

The value of rate-value is an integer that ranges from 1 to 65535, in pps.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An ICMP Flood attack sends a large number of ICMP packets (such as ping packets) to the attacked host in a short time, each requesting a response. The host is then overloaded and cannot process normal tasks.

ICMP Flood attack defense parameters configured for an IP address take precedence over those configured for a zone. If ICMP Flood attack defense is configured for both an IP address and the zone where the IP address resides, the configuration for the IP address takes effect. If you cancel the configuration for the IP address, the configuration for the zone takes effect.

Precautions

Parameters of ICMP Flood attack defense take effect only after ICMP Flood defense is enabled using the firewall defend icmp-flood enable command.

Example

# Enable ICMP Flood attack defense for IP address 10.1.64.200 and set the maximum connection rate of ICMP packets to 500 pps.

<Huawei> system-view
[Huawei] firewall defend icmp-flood enable
[Huawei] firewall defend icmp-flood ip 10.1.64.200 max-rate 500

firewall defend icmp-flood enable

Function

The firewall defend icmp-flood enable command enables the ICMP Flood attack defense function.

The undo firewall defend icmp-flood enable command disables the ICMP Flood attack defense function.

By default, the ICMP Flood attack defense function is disabled.

Format

firewall defend icmp-flood enable

undo firewall defend icmp-flood enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An ICMP Flood attack sends a large number of ICMP packets (such as ping packets) to the attacked host in a short time, each requesting a response. The host is then overloaded and cannot process normal tasks.

Precaution

You can run the firewall defend icmp-flood command to set parameters for ICMP Flood attack defense.

Example

# Enable the ICMP Flood attack defense function.

<Huawei> system-view
[Huawei] firewall defend icmp-flood enable

firewall defend icmp-redirect enable

Function

The firewall defend icmp-redirect enable command enables the ICMP-Redirect attack defense function.

The undo firewall defend icmp-redirect enable command disables the ICMP-Redirect attack defense function.

By default, the ICMP-Redirect attack defense function is disabled.

Format

firewall defend icmp-redirect enable

undo firewall defend icmp-redirect enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Enable the ICMP-Redirect attack defense function.

<Huawei> system-view
[Huawei] firewall defend icmp-redirect enable

firewall defend icmp-unreachable enable

Function

The firewall defend icmp-unreachable enable command enables the ICMP-Unreachable attack defense function.

The undo firewall defend icmp-unreachable enable command disables the ICMP-Unreachable attack defense function.

By default, the ICMP-Unreachable attack defense function is disabled.

Format

firewall defend icmp-unreachable enable

undo firewall defend icmp-unreachable enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Enable the ICMP-Unreachable attack defense function.

<Huawei> system-view
[Huawei] firewall defend icmp-unreachable enable

firewall defend ip-fragment enable

Function

The firewall defend ip-fragment enable command enables the IP fragment attack defense function.

The undo firewall defend ip-fragment enable command disables the IP fragment attack defense function.

By default, the IP fragment attack defense function is disabled.

Format

firewall defend ip-fragment enable

undo firewall defend ip-fragment enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None.

Example

# Enable the IP fragment attack defense function.

<Huawei> system-view
[Huawei] firewall defend ip-fragment enable

firewall defend ip-sweep

Function

The firewall defend ip-sweep command sets the parameters of address sweeping attack defense, including the maximum session rate and blacklist timeout interval.

The undo firewall defend ip-sweep command restores the default values of address sweeping attack defense parameters.

By default, the maximum session rate for address scanning and port scanning attack defense is 4000 pps, and the blacklist timeout interval is 20 minutes.

Format

firewall defend ip-sweep { blacklist-expire-time interval | max-rate rate-value }

undo firewall defend ip-sweep { blacklist-expire-time | max-rate }

Parameters

Parameter

Description

Value

blacklist-expire-time interval

Specifies the timeout interval of blacklist entries. After an IP address stays in the blacklist for the specified period, the firewall deletes the IP address from the blacklist. Then the IP address can initiate connections.

The value of interval is an integer that ranges from 1 to 1000, in minutes. The default value is 20.

max-rate rate-value

Specifies the maximum session rate. When the session rate of an IP address exceeds the limit, the firewall considers that an IP address sweeping attack occurs. Then the firewall adds the IP address to the blacklist and denies the new sessions from the IP address or port.

The value of rate-value is an integer that ranges from 1 to 10000, in pps. The default value is 4000.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Parameters of address sweeping attack defense take effect only after address sweeping attack defense is enabled using the firewall defend ip-sweep enable command.

Example

# Enable the address sweeping attack defense function, set the maximum session rate to 1000 pps, and set the blacklist timeout interval to 5 minutes.

<Huawei> system-view
[Huawei] firewall defend ip-sweep enable
[Huawei] firewall defend ip-sweep max-rate 1000
[Huawei] firewall defend ip-sweep blacklist-expire-time 5

firewall defend ip-sweep enable

Function

The firewall defend ip-sweep enable command enables the IP sweeping attack defense function.

The undo firewall defend ip-sweep enable command disables the IP sweeping attack defense function.

By default, the IP sweeping attack defense function is disabled.

Format

firewall defend ip-sweep enable

undo firewall defend ip-sweep enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IP sweeping attack detects the IP addresses of the target hosts by using scanning tools. The attacker then determines the hosts that exist on the target network according to the responses received.

Precaution

You can run the firewall defend ip-sweep command to set parameters for IP address sweeping attack defense.

Example

# Enable the IP sweeping defense function.

<Huawei> system-view
[Huawei] firewall defend ip-sweep enable

firewall defend land enable

Function

The firewall defend land enable command enables the defense against Land attacks.

The undo firewall defend land enable command disables the defense against Land attacks.

By default, the Land attack defense function is disabled.

Format

firewall defend land enable

undo firewall defend land enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None.

Example

# Enable the defense against Land attacks.

<Huawei> system-view
[Huawei] firewall defend land enable

firewall defend large-icmp

Function

The firewall defend large-icmp command sets the maximum length of ICMP packets allowed to pass.

The undo firewall defend large-icmp command restores the default maximum length of ICMP packets allowed to pass.

By default, the maximum length of ICMP packet allowed to pass is 4000 bytes.

Format

firewall defend large-icmp max-length length

undo firewall defend large-icmp max-length

Parameters

Parameter

Description

Value

max-length length

Specifies the maximum length of ICMP packets allowed to pass.

The value of length is an integer that ranges from 28 to 65535, in bytes. The default value is 4000.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Similar to a "Ping of Death" attack, a Large-ICMP attack sends oversized ICMP packets to attack a system. The difference is that the length of a Large-ICMP packet does not exceed the maximum length of an IP packet (65535 bytes). Large-ICMP packets also have a great impact on some operating systems. To prevent Large-ICMP attacks, set the maximum length of ICMP packets on the firewall.

Precautions

The maximum length of ICMP packets allowed to pass takes effect only after large-ICMP attack defense is enabled using the firewall defend large-icmp enable command.

Example

# Enable Large-ICMP attack defense and set the maximum length of ICMP packet allowed to pass to 4000 bytes.

<Huawei> system-view
[Huawei] firewall defend large-icmp enable
[Huawei] firewall defend large-icmp max-length 4000

firewall defend large-icmp enable

Function

The firewall defend large-icmp enable command enables the Large-ICMP attack defense function.

The undo firewall defend large-icmp enable command disables the Large-ICMP attack defense function.

By default, the Large-ICMP attack defense function is disabled.

Format

firewall defend large-icmp enable

undo firewall defend large-icmp enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Similar to a "Ping of Death" attack, a Large-ICMP attack sends oversized ICMP packets to attack a system. The difference is that the length of a Large-ICMP packet does not exceed the maximum length of an IP packet (65535 bytes). Large-ICMP packets also have a great impact on some operating systems.

Precaution

You can run the firewall defend large-icmp command to set parameters for Large-ICMP attack defense.

Example

# Enable the Large-ICMP attack defense function.

<Huawei> system-view
[Huawei] firewall defend large-icmp enable

firewall defend ping-of-death enable

Function

The firewall defend ping-of-death enable command enables the defense against Ping of Death attack.

The undo firewall defend ping-of-death enable command disables the defense against Ping of Death attack.

By default, the defense against Ping of Death attack is disabled.

Format

firewall defend ping-of-death enable

undo firewall defend ping-of-death enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Enable the defense against Ping of Death attack.

<Huawei> system-view
[Huawei] firewall defend ping-of-death enable
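The Land, Large-ICMP and Ping of Death defenses above each reduce to a check on IPv4 header fields. The following is an added example, not Huawei code: a small checker that decodes those fields from a raw packet and names the defense that would drop it. The packet builder and all addresses are constructed for the test; the page does not say which length field the large-icmp max-length is compared against, so comparing it with the IP total length of an unfragmented ICMP packet is an assumption.

```python
"""Added example (not Huawei code): single-packet checks modelled on the
Land, Large-ICMP and Ping of Death defenses of the AR router firewall."""
import struct
from ipaddress import IPv4Address

IP_PROTO_ICMP = 1
IP_MAX_LEN = 65535   # maximum IPv4 datagram length (page: 65535 bytes)
ICMP_MIN_LEN = 28    # 20-byte IP header + 8-byte ICMP header (page: max-length lower bound)


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields the checks need."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_off": (flags_frag & 0x1FFF) * 8,   # fragment offset is in 8-byte units
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }


def check_packet(pkt: bytes, icmp_max_length: int = 4000):
    """Return the name of the defense that would drop the packet, or None.

    icmp_max_length mirrors 'firewall defend large-icmp max-length' (28..65535,
    default 4000) and is compared with the IP total length of an unfragmented
    ICMP packet (assumption: the page does not name the compared length field).
    """
    if not ICMP_MIN_LEN <= icmp_max_length <= IP_MAX_LEN:
        raise ValueError("max-length must be in 28..65535")
    h = parse_ipv4(pkt)
    # Land: source and destination address are identical.
    if h["src"] == h["dst"]:
        return "land"
    if h["proto"] != IP_PROTO_ICMP:
        return None
    fragmented = h["more_fragments"] or h["frag_off"] > 0
    # Ping of Death: reassembled datagram (offset + this fragment) would exceed 65535.
    if fragmented and h["frag_off"] + h["total_len"] > IP_MAX_LEN:
        return "ping-of-death"
    # Large-ICMP: a complete ICMP packet longer than the configured maximum.
    if not fragmented and h["total_len"] > icmp_max_length:
        return "large-icmp"
    return None


def build_ipv4(src: str, dst: str, proto: int, payload_len: int,
               frag_off: int = 0, more_fragments: bool = False) -> bytes:
    """Construct a minimal IPv4 packet for testing (no checksum, zeroed payload)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_off // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1,
                         flags_frag, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + bytes(payload_len)
```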

firewall defend port-scan

Function

The firewall defend port-scan command sets the parameters of port scanning attack defense, including the maximum session rate and blacklist timeout interval.

The undo firewall defend port-scan command restores the default values of port scanning attack defense parameters.

By default, the maximum session rate for port scanning attack defense is 4000 pps, and the blacklist timeout interval is 20 minutes.

Format

firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }

undo firewall defend port-scan { blacklist-expire-time | max-rate }

Parameters

Parameter

Description

Value

blacklist-expire-time interval

Specifies the timeout interval of blacklist entries. After a port stays in the blacklist for the specified period, the firewall deletes the port from the blacklist. Then the port can initiate connections.

The value of interval is an integer that ranges from 1 to 1000, in minutes. The default value is 20.

max-rate rate-value

Specifies the maximum session rate. When the session rate of a port exceeds the limit, the firewall considers that a scanning attack occurs. Then the firewall adds the port to the blacklist and denies the new sessions from the port.

The value of rate-value is an integer that ranges from 1 to 10000, in pps. The default value is 4000.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Parameters of port scanning attack defense take effect only after port scanning attack defense is enabled using the firewall defend port-scan enable command.

Example

# Enable the port scanning attack defense function, set the maximum session rate to 1000 pps, and set the blacklist timeout interval to 5 minutes.

<Huawei> system-view
[Huawei] firewall defend port-scan enable
[Huawei] firewall defend port-scan max-rate 1000
[Huawei] firewall defend port-scan blacklist-expire-time 5
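The ip-sweep and port-scan defenses above share one mechanism: count new sessions per source, blacklist a source that exceeds max-rate, and release it after blacklist-expire-time. The following is an added example, not Huawei code, that models that mechanism with the same parameter ranges; the one-second counting window, the choice to start the blacklist timer when the entry is added, and all addresses and timestamps are constructed assumptions.

```python
"""Added example (not Huawei code): per-source session-rate detection with a
timed blacklist, modelled on firewall defend ip-sweep / port-scan."""
from collections import defaultdict


class ScanDefense:
    """Count new sessions per source within each one-second window; a source
    that exceeds max_rate is blacklisted for blacklist_expire_min minutes.

    Assumptions not stated on the page: the rate window is one second and the
    blacklist timer starts when the source is added.
    """

    def __init__(self, max_rate: int = 4000, blacklist_expire_min: int = 20):
        if not 1 <= max_rate <= 10000:
            raise ValueError("max-rate must be 1..10000 pps")
        if not 1 <= blacklist_expire_min <= 1000:
            raise ValueError("blacklist-expire-time must be 1..1000 minutes")
        self.max_rate = max_rate
        self.expire_seconds = blacklist_expire_min * 60
        self._window = {}                 # source -> second of its current window
        self._count = defaultdict(int)    # source -> new sessions in that window
        self._blacklist = {}              # source -> time at which the entry expires
        self.log = []                     # add/delete events, like the blacklist log

    def is_blacklisted(self, src: str, now: float) -> bool:
        expiry = self._blacklist.get(src)
        if expiry is None:
            return False
        if now < expiry:
            return True
        # Entry aged out: remove it so the source can initiate connections again.
        del self._blacklist[src]
        self.log.append(f"{now:.1f} blacklist delete {src}")
        return False

    def new_session(self, src: str, now: float) -> bool:
        """Return True if a new session from src at time `now` is admitted."""
        if self.is_blacklisted(src, now):
            return False
        second = int(now)
        if self._window.get(src) != second:
            self._window[src] = second
            self._count[src] = 0
        self._count[src] += 1
        if self._count[src] > self.max_rate:
            self._blacklist[src] = now + self.expire_seconds
            self.log.append(f"{now:.1f} blacklist add {src} expire {self.expire_seconds}s")
            return False
        return True

    def blacklisted_sources(self, now: float) -> list:
        """Sources still blacklisted at `now` (expired entries are purged)."""
        return sorted(s for s in list(self._blacklist) if self.is_blacklisted(s, now))


def demo():
    """Constructed traffic: one source opening 8 sessions in 0.7 s, one normal."""
    d = ScanDefense(max_rate=5, blacklist_expire_min=1)
    scanner = [d.new_session("192.0.2.10", 10.0 + i / 10) for i in range(8)]
    normal = d.new_session("192.0.2.99", 10.3)
    return scanner, normal, d.blacklisted_sources(10.9)
```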

firewall defend port-scan enable

Function

The firewall defend port-scan enable command enables the port scanning attack defense function.

The undo firewall defend port-scan enable command disables the port scanning attack defense function.

By default, the port scanning attack defense function is disabled.

Format

firewall defend port-scan enable

undo firewall defend port-scan enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A port scanning attack probes the ports of target hosts by using scanning tools. From the responses, the attacker determines which hosts exist on the target network and which ports are used to provide services.

Precaution

You can run the firewall defend port-scan command to set parameters for port scanning attack defense.

Example

# Enable the port scanning attack defense function.

<Huawei> system-view
[Huawei] firewall defend port-scan enable

firewall defend smurf enable

Function

The firewall defend smurf enable command enables the Smurf attack defense function.

The undo firewall defend smurf enable command disables the Smurf attack defense function.

By default, the Smurf attack defense function is disabled.

Format

firewall defend smurf enable

undo firewall defend smurf enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Enable the Smurf attack defense function.

<Huawei> system-view
[Huawei] firewall defend smurf enable

firewall defend syn-flood

Function

The firewall defend syn-flood command sets the parameters of SYN Flood attack defense, including the protected zone or IP address and maximum connection rate.

The undo firewall defend syn-flood command restores the default configuration of SYN Flood attack defense.

By default, the maximum connection rate of SYN Flood attack defense is 1000 pps.

Format

firewall defend syn-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ] [ tcp-proxy { auto | off | on } ]

undo firewall defend syn-flood [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ]

Parameters

Parameter

Description

Value

ip ip-address

Specifies a protected IP address.

The value is a valid IPv4 IP address.

zone zone-name

Specifies a protected zone.

The value of zone-name is a string of 1 to 32 characters. It must be an existing zone name.

max-rate rate-value

Specifies the maximum connection rate of a new flow.

The value of rate-value is an integer that ranges from 1 to 65535. The default value is 1000, in pps.

vpn-instance vpn-instance-name

Indicates the name of the VPN instance that the specified IP address belongs to.

The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.

tcp-proxy { auto | off | on }

Indicates whether to use the TCP proxy. The TCP proxy has the following states:

  • auto: The TCP proxy is enabled automatically when the actual connection rate exceeds the upper limit.

  • off: The TCP proxy is always disabled.

  • on: The TCP proxy is always enabled.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Flood attack defense parameters configured for an IP address take precedence over those configured for a zone. If Flood attack defense is configured for both an IP address and the zone where the IP address resides, the configuration for the IP address takes effect. If you cancel the configuration for the IP address, the configuration for the zone takes effect.

Precautions

Parameters of SYN Flood attack defense take effect only after SYN Flood attack defense is enabled using the firewall defend syn-flood enable command.

Example

# Enable SYN Flood attack defense for IP address 10.1.64.200 and set the maximum connection rate of TCP packets to 500 pps.

<Huawei> system-view
[Huawei] firewall defend syn-flood enable
[Huawei] firewall defend syn-flood ip 10.1.64.200 max-rate 500

firewall defend syn-flood enable

Function

The firewall defend syn-flood enable command enables the SYN Flood attack defense function.

The undo firewall defend syn-flood enable command disables the SYN Flood attack defense function.

By default, the SYN Flood attack defense function is disabled.

Format

firewall defend syn-flood enable

undo firewall defend syn-flood enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The TCP/IP protocol stack permits only a certain number of TCP connections due to resource restrictions. SYN Flood attacks exploit this limit. The attacker sends a SYN packet with a forged or nonexistent source address to initiate a connection to the server. When receiving this packet, the server replies with a SYN-ACK message. The intended receiver of the SYN-ACK packet does not exist, so a half-open connection results. If the attacker sends a large number of such packets, many half-open connections build up on the attacked host and its resources are exhausted. Authorized users therefore cannot access the host until the half-open connections expire. If the number of connections is not limited, a SYN Flood consumes system resources such as memory.

Precaution

You can run the firewall defend syn-flood command to set parameters for SYN Flood attack defense.

Example

# Enable the SYN Flood attack defense function.

<Huawei> system-view
[Huawei] firewall defend syn-flood enable

firewall defend tcp-flag enable

Function

The firewall defend tcp-flag enable command enables the defense against TCP flag attack.

The undo firewall defend tcp-flag enable command disables the defense against TCP flag attack.

By default, the TCP flag attack defense function is disabled.

Format

firewall defend tcp-flag enable

undo firewall defend tcp-flag enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Enable the TCP flag attack defense function.

<Huawei> system-view
[Huawei] firewall defend tcp-flag enable

firewall defend teardrop enable

Function

The firewall defend teardrop enable command enables the defense against Teardrop attack.

The undo firewall defend teardrop enable command disables the defense against Teardrop attack.

By default, the Teardrop attack defense function is disabled.

Format

firewall defend teardrop enable

undo firewall defend teardrop enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None.

Example

# Enable the defense against Teardrop attack.

<Huawei> system-view
[Huawei] firewall defend teardrop enable

firewall defend tracert enable

Function

The firewall defend tracert enable command enables the Tracert attack defense function.

The undo firewall defend tracert enable command disables the Tracert attack defense function.

By default, the Tracert attack defense function is disabled.

Format

firewall defend tracert enable

undo firewall defend tracert enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

A Tracert attack traces the path to a host using the ICMP timeout packets returned when the time to live (TTL) reaches 0, or ICMP port-unreachable packets. In this way, the attacker learns the network structure.

Example

# Enable the Tracert attack defense function.

<Huawei> system-view
[Huawei] firewall defend tracert enable

firewall defend udp-flood

Function

The firewall defend udp-flood command sets the parameters of UDP Flood attack defense, including the protected zone or IP address and maximum connection rate.

The undo firewall defend udp-flood command restores the default configuration of UDP Flood attack defense.

By default, the maximum connection rate of UDP Flood attack defense is 1000 pps.

Format

firewall defend udp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ]

undo firewall defend udp-flood [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ]

Parameters

Parameter

Description

Value

ip ip-address

Specifies a protected IP address.

The value is a valid IPv4 IP address.

zone zone-name

Specifies a protected zone.

The value of zone-name is a string of 1 to 32 characters. It must be an existing zone name.

max-rate rate-value

Specifies the maximum connection rate of a new flow.

The value of rate-value is an integer that ranges from 1 to 65535. The default value is 1000, in pps.

vpn-instance vpn-instance-name

Indicates the name of the VPN instance that the specified IP address belongs to.

The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A UDP Flood attack sends a large number of UDP packets to the attacked host in a short time, requesting responses. The host is then overloaded and cannot process normal tasks.

Flood attack defense parameters configured for an IP address take precedence over those configured for a zone. If Flood attack defense is configured for both an IP address and the zone where the IP address resides, the configuration for the IP address takes effect. If you cancel the configuration for the IP address, the configuration for the zone takes effect.

Precautions

Parameters of UDP Flood attack defense take effect only after UDP Flood attack defense is enabled using the firewall defend udp-flood enable command.

Example

# Enable UDP Flood attack defense for IP address 10.1.64.200 and set the maximum connection rate of UDP packets to 500 pps.

<Huawei> system-view
[Huawei] firewall defend udp-flood enable
[Huawei] firewall defend udp-flood ip 10.1.64.200 max-rate 500

firewall defend udp-flood enable

Function

The firewall defend udp-flood enable command enables the UDP Flood attack defense function.

The undo firewall defend udp-flood enable command disables the UDP Flood attack defense function.

By default, the UDP Flood attack defense function is disabled.

Format

firewall defend udp-flood enable

undo firewall defend udp-flood enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A UDP Flood attack sends a large number of UDP packets to the attacked host in a short time, requesting responses. The host is then overloaded and cannot process normal tasks.

Precaution

You can run the firewall defend udp-flood command to set parameters for UDP Flood attack defense.

Example

# Enable UDP Flood attack defense.

<Huawei> system-view
[Huawei] firewall defend udp-flood enable

firewall defend winnuke enable

Function

The firewall defend winnuke enable command enables the WinNuke attack defense function.

The undo firewall defend winnuke enable command disables the WinNuke attack defense function.

By default, the WinNuke attack defense function is disabled.

Format

firewall defend winnuke enable

undo firewall defend winnuke enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

WinNuke attack sends an out-of-band (OOB) data packet to the NetBIOS port (139) of the target host running a Windows operating system. The NetBIOS fragment then overlaps and the host stops responding. An Internet Group Management Protocol (IGMP) fragment packet can also damage the target host because the IGMP packet should not be fragmented. If a host receives an IGMP fragment packet, the host may be attacked.

Example

# Enable the WinNuke attack defense function.

<Huawei> system-view
[Huawei] firewall defend winnuke enable

firewall enable

Function

The firewall enable command enables the firewall function in an interzone.

The undo firewall enable command disables the firewall function in an interzone.

By default, the firewall function is disabled in an interzone.

Format

firewall enable

undo firewall enable

Parameters

None

Views

Interzone view

Default Level

2: Configuration level

Usage Guidelines

The packet filtering, ASPF, and attack defense functions take effect only after this command is executed. This command does not need to be executed for other advanced security features.

Example

# Enable the firewall function in the interzone between zone1 and zone2.

<Huawei> system-view
[Huawei] firewall interzone zone1 zone2
[Huawei-interzone-zone1-zone2] firewall enable

firewall interzone

Function

The firewall interzone command creates an interzone.

The undo firewall interzone command deletes an interzone.

Format

firewall interzone zone-name1 zone-name2

undo firewall interzone zone-name1 zone-name2

Parameters

Parameter

Description

Value

zone-name1

Specifies the name of a zone included in the interzone.

The name is a string of 1 to 32 characters. zone-name1 must be a zone name created by the firewall zone command.

zone-name2

Specifies the name of the other zone included in the interzone.

The name is a string of 1 to 32 characters. zone-name2 must be a zone name created by the firewall zone command.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To configure the firewall in an interzone to filter packets or application-layer services, run the firewall interzone command to enter the interzone view.

Precautions

At least two valid zones must exist on the device; otherwise, the device does not execute the firewall interzone command.

Example

# Create an interzone between zone1 and zone2.

<Huawei> system-view
[Huawei] firewall interzone zone1 zone2

firewall log binary-log host

Function

The firewall log binary-log host command sets parameters of a binary log server, including the IP address and port number of the binary log server, and the IP address and port number that the local device uses to communicate with the log server.

The undo firewall log binary-log host command deletes a binary log server.

Format

firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]

undo firewall log binary-log host

Parameters

Parameter

Description

Value

host-ip-address

Specifies the IP address of the log server.

The value is a valid IPv4 IP address.

host-port

Specifies the port number of the log server.

The value is an integer that ranges from 1 to 65535.

source-ip-address

Specifies the source IP address that the local device uses to send logs to the log server.

The value is a valid IPv4 IP address.

source-port

Specifies the source port number that the local device uses to send logs to the log server.

The value is an integer that ranges from 10240 to 55534.

vpn-instance vpn-instance-name

Indicates the name of the VPN instance that the source IP address belongs to.

The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Only one binary log server can be configured in the system view. Any time a new binary log server is configured, the new one replaces the previous one.

Example

# Configure a binary log server whose IP address is 10.10.10.1 and port number is 3456. Set the source IP address and source port number used to communicate with the log server to 10.10.10.2 and 20000 respectively.

<Huawei> system-view
[Huawei] firewall log binary-log host 10.10.10.1 3456 source 10.10.10.2 20000

firewall log enable

Function

The firewall log enable command enables the firewall logging function.

The undo firewall log enable command disables the firewall logging function.

By default, firewall logging function is disabled.

Format

firewall log { all | blacklist | defend | session | statistics | packet-filter } enable

undo firewall log { all | blacklist | defend | session | statistics | packet-filter } enable

Parameters

Parameter

Description

Value

all

Enables all the logging functions on the firewall.

NOTE:

Firewall logs are classified into blacklist logs, attack defense logs, session logs, and traffic statistics logs.

-

blacklist

Enables blacklist logs.

-

defend

Enables attack defense logs.

-

session

Enables session logs.

-

statistics

Enables traffic statistics logs.

-

packet-filter

Enables packet-filter logs.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Firewall logs record the operating status of the firewall in real time. By analyzing the logs, the network administrator can find potential security threats to the network and take preventive measures to protect the network.

You can configure the following types of logs on the firewall:

  • Blacklist log: records the IP addresses that are added to or deleted from the blacklist.

  • Attack defense log: records different types of attacks detected by the firewall.

  • Session log: records the sessions that match the specified ACL rules and sessions processed by the NAT server.

  • Traffic statistics log: records the events that the traffic rate exceeds the threshold or falls below the threshold.

  • Packet filtering log: records information about packet filtering.

Example

# Enable blacklist logs.

<Huawei> system-view
[Huawei] firewall log blacklist enable

firewall log log-interval

Function

The firewall log log-interval command sets the interval for exporting firewall logs.

The undo firewall log log-interval command restores the default interval for exporting firewall logs.

By default, firewall logs are exported every 30 seconds.

Format

firewall log { blacklist | defend | session | statistics | packet-filter } log-interval time

undo firewall log { blacklist | defend | session | statistics | packet-filter } log-interval

Parameters

Parameter

Description

Value

blacklist

Sets the interval for sending blacklist logs to the log server.

-

defend

Sets the interval for sending attack defense logs to the log server.

-

session

Sets the interval for sending session logs to the log server.

-

statistics

Sets the interval for sending traffic statistics logs to the log server.

-

packet-filter

Sets the interval for sending packet filtering logs to the log server.

-

log-interval time

Specifies the value of the interval.

The value is an integer that ranges from 1 to 65535, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Firewall logs are classified into binary logs and text logs depending on the format. Binary logs are sent to the binary log server in real time, and text logs are sent to the text log server at intervals. The firewall log log-interval command sets the interval for sending text logs to the text log server.

Example

# Set the interval for sending attack defense logs to the log server to 200 seconds.

<Huawei> system-view
[Huawei] firewall log defend log-interval 200

firewall log session nat enable

Function

The firewall log session nat enable command enables NAT session logs.

The undo firewall log session nat enable command disables NAT session logs.

By default, NAT session logs are disabled.

Format

firewall log session nat enable

undo firewall log session nat enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Session logs record the sessions that match the specified ACL rules and sessions processed by the NAT server.

Example

# Enable NAT session logs.

<Huawei> system-view
[Huawei] firewall log session nat enable

firewall statistics system connect-number

Function

The firewall statistics system connect-number command sets the session thresholds on the firewall.

The undo firewall statistics system connect-number command restores the default session thresholds on the firewall.

By default, the upper threshold and lower threshold for each type of protocol packets are 16384 and 12288.

Format

firewall statistics system connect-number { frag | icmp | tcp | tcp-proxy | udp } high high-threshold low low-threshold

undo firewall statistics system connect-number { frag | icmp | tcp | tcp-proxy | udp }

Parameters

Parameter

Description

Value

frag

Sets the session thresholds of IP fragment packets.

-

icmp

Sets the session thresholds of ICMP packets.

-

tcp

Sets the session thresholds of TCP packets.

-

tcp-proxy

Sets the session thresholds of TCP proxy packets.

-

udp

Sets the session thresholds of UDP packets.

-

high high-threshold

Specifies the upper threshold of a specified type of protocol packets.

The value is an integer that ranges from 1 to 16384. The default value is 16384.

low low-threshold

Specifies the lower threshold of a specified type of protocol packets.

The value is an integer that ranges from 1 to 16384. The default value is 16384.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Before setting the session thresholds on the firewall, run the firewall statistics system enable command to enable traffic statistics collection on the firewall.

Example

# Set the session thresholds of TCP packets on the firewall. Set the upper threshold to 15000 and lower threshold to 10000.

<Huawei> system-view
[Huawei] firewall statistics system enable
[Huawei] firewall statistics system connect-number tcp high 15000 low 10000
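The reason for a separate high and low threshold is hysteresis: the traffic statistics log records one event when the session count exceeds the upper threshold and another when it later falls below the lower one. The following is an added example, not Huawei code, that models this for the protocol keywords and value ranges of the command above; the exact comparison (strictly above high, strictly below low), the rule that low may not exceed high, and the sample counts are assumptions.

```python
"""Added example (not Huawei code): upper/lower session thresholds with
hysteresis, modelled on firewall statistics system connect-number."""

PROTOCOLS = ("frag", "icmp", "tcp", "tcp-proxy", "udp")
MAX_THRESHOLD = 16384


class SessionThresholds:
    """Track the session count per protocol and raise one event when the count
    exceeds the upper threshold and one when it later falls below the lower one.

    Assumption not stated on the page: while the count sits between the two
    thresholds the previous state is kept, so a single threshold crossing
    produces a single event rather than one per sample.
    """

    def __init__(self):
        # Defaults from the Function section of the page: high 16384, low 12288.
        self.thresholds = {p: (16384, 12288) for p in PROTOCOLS}
        self.exceeded = {p: False for p in PROTOCOLS}
        self.events = []

    def set_thresholds(self, proto: str, high: int, low: int) -> None:
        """Equivalent of: firewall statistics system connect-number <proto> high H low L."""
        if proto not in PROTOCOLS:
            raise ValueError(f"unknown protocol keyword {proto!r}")
        for value in (high, low):
            if not 1 <= value <= MAX_THRESHOLD:
                raise ValueError("thresholds must be in 1..16384")
        if low > high:  # assumption: the page does not state this constraint
            raise ValueError("low threshold must not exceed high threshold")
        self.thresholds[proto] = (high, low)

    def update(self, proto: str, count: int):
        """Feed the current session count; return the event generated, if any."""
        high, low = self.thresholds[proto]
        if not self.exceeded[proto] and count > high:
            self.exceeded[proto] = True
            event = f"{proto} sessions {count} exceeded high threshold {high}"
        elif self.exceeded[proto] and count < low:
            self.exceeded[proto] = False
            event = f"{proto} sessions {count} fell below low threshold {low}"
        else:
            return None
        self.events.append(event)
        return event
```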

firewall statistics system enable

Function

The firewall statistics system enable command enables traffic statistics collection on the firewall.

The undo firewall statistics system enable command disables traffic statistics collection on the firewall.

By default, traffic statistics collection is disabled on the firewall.

Format

firewall statistics system enable

undo firewall statistics system enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can run the display firewall statistics system command to check whether traffic statistics collection is enabled.

Example

# Enable traffic statistics collection on the firewall.

<Huawei> system-view
[Huawei] firewall statistics system enable

firewall whitelist

Function

The firewall whitelist command adds an entry to the whitelist.

The undo firewall whitelist command deletes an entry from the whitelist.

Format

firewall whitelist ip-address [ vpn-instance vpn-instance-name ] [ expire-time minutes ]

undo firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name }

Parameters

Parameter

Description

Value

all

Deletes all whitelist entries.

-

ip-address

Specifies the IP address to be added to the whitelist.

The value is a valid IPv4 IP address in dotted decimal notation.

expire-time minutes

Specifies the aging time of a whitelist entry.

The value is an integer that ranges from 1 to 1000, in minutes.

NOTE:

If this parameter is not set, the entry is always valid.

vpn-instance vpn-instance-name

Indicates the name of the VPN instance that the specified IP address belongs to.

The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

An IP address cannot exist in both the whitelist and blacklist. To move an IP address from one list to the other list, delete the corresponding entry first.

The entries in the whitelist take effect directly and you do not need to enable the whitelist function.

Example

# Add IP address 10.1.1.1 to the whitelist and set the aging time of this entry to 3 minutes.

<Huawei> system-view
[Huawei] firewall whitelist 10.1.1.1 expire-time 3

firewall zone

Function

The firewall zone command creates a zone.

The undo firewall zone command deletes a zone.

Format

firewall zone zone-name

undo firewall zone zone-name

Parameters

Parameter

Description

Value

zone-name

Specifies the name of a zone.

The value is a string of 1 to 32 case-sensitive characters. The value cannot contain the string name or hyphen (-).

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Before configuring a firewall, create zones. Then you can deploy security services according to the security priorities of the zones.

The device considers that the data transmission within a zone is reliable; therefore, it does not enforce any security policy on the intra-zone data transmission.

NOTE:

If an interface is added to a zone, the zone cannot be deleted in the system view. To delete the zone, delete the interface from the zone first.

Example

# Create the zone zone1.

<Huawei> system-view
[Huawei] firewall zone zone1

firewall-nat session aging-time

Function

The firewall-nat session aging-time command sets the timeout interval of each entry in the session table.

The undo firewall-nat session aging-time command restores the default timeout interval of each entry in the session table.

Format

firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } aging-time time-value

undo firewall-nat session { all | dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } aging-time

NOTE:

The AR510 series does not support the sip and sip-media keywords.

Parameters

Parameter

Description

Value

dns

Sets the timeout interval of the DNS protocol.

-

ftp

Sets the timeout interval of the FTP control connection.

-

ftp-data

Sets the timeout interval of the FTP data connection.

-

http

Sets the timeout interval of the HTTP connection.

-

icmp

Sets the timeout interval of the ICMP connection.

-

tcp

Sets the timeout interval of the TCP connection.

-

tcp-proxy

Sets the timeout interval of the TCP proxy.

-

udp

Sets the timeout interval of the UDP connection.

-

sip

Sets the timeout interval of the SIP connection.

-

sip-media

Sets the timeout interval of the SIP media protocol.

-

rtsp

Sets the timeout interval of the RTSP protocol.

-

rtsp-media

Sets the timeout interval of the RTSP media protocol.

-

pptp

Sets the timeout interval of the PPTP control connection.

-

pptp-data

Sets the timeout interval of the PPTP data connection.

-

all

Restores the default timeout interval of all the preceding connections.

-

aging-time time-value

Specifies the timeout interval value.

The value of time-value is an integer that ranges from 1 to 65535, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The firewall-nat session aging-time command sets the timeout interval for sessions of each protocol. If an entry in a session table is not used within the specified period, the entry expires. For example, the user with IP address 10.110.10.10 initiates a TCP connection through port 2000. If the TCP connection is not used within the timeout interval, the system deletes the TCP connection.

The following table lists the default session timeout interval of each protocol.

Protocol      Default Session Timeout Interval
tcp           600 seconds
tcp-proxy     10 seconds
udp           120 seconds
icmp          20 seconds
dns           120 seconds
http          120 seconds
ftp           120 seconds
ftp-data      120 seconds
sip           1800 seconds
sip-media     120 seconds
rtsp          60 seconds
rtsp-media    120 seconds
pptp          600 seconds
pptp-data     600 seconds

Precautions

For some services such as voice service, increase the TCP/UDP timeout interval to prevent service interruption.

Example

# Set the timeout interval of the DNS connection to 60 seconds.

<Huawei> system-view
[Huawei] firewall-nat session dns aging-time 60
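The aging behaviour described in the Usage Scenario, as an added example that is not Huawei code: a session table seeded with the default timeouts from the table above, where an entry is refreshed by traffic and removed once idle longer than its protocol's aging time. The session fields, addresses and clock values are constructed; the voice case at the end is the Precautions scenario.

```python
from dataclasses import dataclass
from typing import Optional

# Default session timeout per protocol, in seconds, from the table on this page.
DEFAULT_AGING_TIME = {
    "tcp": 600, "tcp-proxy": 10, "udp": 120, "icmp": 20, "dns": 120,
    "http": 120, "ftp": 120, "ftp-data": 120, "sip": 1800, "sip-media": 120,
    "rtsp": 60, "rtsp-media": 120, "pptp": 600, "pptp-data": 600,
}


@dataclass
class Session:
    proto: str
    src: str          # "ip:port", e.g. the 10.110.10.10:2000 client in the text
    dst: str
    last_used: float  # constructed clock in seconds, not wall-clock time


class SessionTable:
    def __init__(self):
        self.aging_time = dict(DEFAULT_AGING_TIME)
        self.sessions = {}

    def set_aging_time(self, proto: str, seconds: int) -> None:
        """firewall-nat session <proto> aging-time <time-value>"""
        if proto not in DEFAULT_AGING_TIME:
            raise ValueError(f"unknown protocol {proto!r}")
        if not 1 <= seconds <= 65535:
            raise ValueError("time-value must be 1..65535 seconds")
        self.aging_time[proto] = seconds

    def restore_default(self, proto: str = "all") -> None:
        """undo firewall-nat session { all | <proto> } aging-time"""
        if proto == "all":
            self.aging_time = dict(DEFAULT_AGING_TIME)
        else:
            self.aging_time[proto] = DEFAULT_AGING_TIME[proto]

    def touch(self, proto: str, src: str, dst: str, now: float) -> None:
        """Create the entry on the first packet; refresh last_used on later ones."""
        key = (proto, src, dst)
        if key in self.sessions:
            self.sessions[key].last_used = now
        else:
            self.sessions[key] = Session(proto, src, dst, now)

    def expire(self, now: float) -> list:
        """Drop every entry idle longer than its protocol's aging time; return the dropped keys."""
        gone = [k for k, s in self.sessions.items()
                if now - s.last_used > self.aging_time[s.proto]]
        for k in gone:
            del self.sessions[k]
        return gone

    def has(self, proto: str, src: str, dst: str) -> bool:
        return (proto, src, dst) in self.sessions


def voice_session_survives(udp_aging_time: Optional[int] = None) -> bool:
    """Constructed case from the Precautions: a UDP voice flow silent for 300 s is
    dropped under the 120 s default but kept once the UDP aging time is raised."""
    table = SessionTable()
    if udp_aging_time is not None:
        table.set_aging_time("udp", udp_aging_time)
    table.touch("udp", "10.1.1.10:5004", "10.1.2.20:5004", now=0)
    table.expire(now=300)
    return table.has("udp", "10.1.1.10:5004", "10.1.2.20:5004")
```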

packet-filter

Function

The packet-filter command configures packet filtering in an interzone.

The undo packet-filter command cancels packet filtering in an interzone.

By default, all outgoing packets are permitted and all incoming packets are denied.

Format

packet-filter { acl-number | default { deny | permit } } { inbound | outbound }

undo packet-filter acl-number { inbound | outbound }

Parameters

Parameter

Description

Value

acl-number

Indicates the number of the ACL used for packet filtering. Both basic ACLs and advanced ACLs can be used.

The value is an integer that ranges from 2000 to 3999:
  • 2000-2999: basic ACLs
  • 3000-3999: advanced ACLs

default

Indicates the default packet filtering method.

-

deny

Rejects all packets.

NOTE:

This parameter sets the default packet filtering method of the interzone. The default packet filtering method takes effect on all the packets not matching the ACLs.

-

permit

Allows all packets to pass.

NOTE:

This parameter sets the default packet filtering method of the interzone. The default packet filtering method takes effect on all the packets not matching the ACLs.

-

inbound

Filters inbound packets. An inbound packet refers to a packet sent from a low-priority zone to a high-priority zone.

-

outbound

Filters outbound packets. An outbound packet refers to a packet sent from a high-priority zone to a low-priority zone.

-

Views

Interzone view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Filter the inbound packets in the interzone between zone1 and zone2 by using ACL 3000.

<Huawei> system-view
[Huawei] acl 3000 
[Huawei-acl-adv-3000] rule permit ip  
[Huawei-acl-adv-3000] quit  
[Huawei] firewall interzone zone1 zone2
[Huawei-interzone-zone1-zone2] packet-filter 3000 inbound
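How the interzone decision fits together (direction from zone priorities, first-match ACL lookup, interzone default for unmatched packets), as an added example that is not Huawei code. The zone names and priorities are taken from the packet-filter logging example further down this page; the ACL rules, packets and the rule that the two zones must differ in priority are constructed assumptions.

```python
import ipaddress
from typing import Optional

BASIC, ADVANCED = range(2000, 3000), range(3000, 4000)


class Acl:
    def __init__(self, number: int):
        if number not in BASIC and number not in ADVANCED:
            raise ValueError("acl-number must be in 2000-3999")
        self.number, self.rules = number, []

    def rule(self, action: str, src=None, dst=None, proto=None) -> None:
        """Append a rule; a basic ACL (2000-2999) matches on source address only."""
        if self.number in BASIC and (dst or proto):
            raise ValueError("basic ACLs match on source address only")
        net = lambda a: ipaddress.ip_network(a) if a else None
        self.rules.append((action, net(src), net(dst), proto))

    def match(self, pkt: dict) -> Optional[str]:
        """First matching rule wins; None when no rule matches."""
        for action, src, dst, proto in self.rules:
            if src and ipaddress.ip_address(pkt["src"]) not in src:
                continue
            if dst and ipaddress.ip_address(pkt["dst"]) not in dst:
                continue
            if proto and pkt["proto"] != proto:
                continue
            return action
        return None


class Interzone:
    def __init__(self, priorities: dict, zone_a: str, zone_b: str):
        if priorities[zone_a] == priorities[zone_b]:
            raise ValueError("assumed: an interzone needs two zones of different priority")
        self.priorities = priorities
        # Page defaults: all outgoing packets permitted, all incoming packets denied.
        self.default = {"inbound": "deny", "outbound": "permit"}
        self.acl = {"inbound": None, "outbound": None}

    def packet_filter(self, acl: Acl, direction: str) -> None:
        """packet-filter <acl-number> { inbound | outbound }"""
        self.acl[direction] = acl

    def packet_filter_default(self, action: str, direction: str) -> None:
        """packet-filter default { deny | permit } { inbound | outbound }"""
        self.default[direction] = action

    def direction(self, from_zone: str, to_zone: str) -> str:
        """Inbound: low-priority zone to high-priority zone; outbound: the reverse."""
        low_to_high = self.priorities[from_zone] < self.priorities[to_zone]
        return "inbound" if low_to_high else "outbound"

    def decide(self, pkt: dict) -> str:
        """Apply the ACL for the packet's direction; unmatched packets get the default."""
        d = self.direction(pkt["from_zone"], pkt["to_zone"])
        acl = self.acl[d]
        action = acl.match(pkt) if acl else None
        return action or self.default[d]


def build_example() -> Interzone:
    """Constructed setup: trust (priority 14) and untrust (priority 12), as in the
    page's packet-filter logging example; ACL 3000 admits inbound TCP to 10.1.1.0/24."""
    iz = Interzone({"trust": 14, "untrust": 12}, "trust", "untrust")
    acl = Acl(3000)
    acl.rule("permit", dst="10.1.1.0/24", proto="tcp")
    iz.packet_filter(acl, "inbound")
    return iz
```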

packet-filter logging

Function

The packet-filter logging command enables the packet filtering log in the interzone.

The undo packet-filter logging command disables the packet filtering log in the interzone.

By default, the packet filtering log is disabled in the interzone.

Format

packet-filter logging

undo packet-filter logging

Parameters

None

Views

Interzone view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the firewall filters packets, a log is recorded if this function is enabled. By analyzing the logs, the network administrator can find potential security threats to the network and take preventive measures to protect the network.

Precautions

This function takes effect only after the packet-filter logging and firewall log packet-filter enable commands are executed.

Example

# Enable the packet filtering log in the interzone.

<Huawei> system-view
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 14 
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 12 
[Huawei-zone-untrust] quit
[Huawei] firewall log packet-filter enable
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] packet-filter logging

port-mapping

Function

The port-mapping command configures the mappings between ports and application-layer protocols.

The undo port-mapping command deletes the mappings between ports and application-layer protocols.

Format

port-mapping { dns | ftp | http | sip | rtsp | pptp } port port-number acl acl-number

undo port-mapping { all | { dns | ftp | http | sip | rtsp | pptp } port port-number acl acl-number }

Parameters

Parameter

Description

Value

all

Deletes the mappings from all ports.

-

dns

Specifies the mapping between the DNS protocol and a port.

-

ftp

Specifies the mapping between the FTP protocol and a port.

-

sip

Specifies the mapping between the SIP protocol and a port.

-

rtsp

Specifies the mapping between the RTSP protocol and a port.

-

pptp

Specifies the mapping between the PPTP protocol and a port.

-

http

Specifies the mapping between the HTTP protocol and a port.

-

port port-number

Specifies the port mapping to a protocol.

The value of port-number is an integer that ranges from 1 to 65535.

acl acl-number

Specifies the ACL that controls the packets to which port mapping is applied.

The value of acl-number is an integer that ranges from 2000 to 2999.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Port mapping enables a server to provide various application-layer services for external systems through non-well-known ports. For example, the well-known port of the HTTP service is port 80. After port mapping is configured on the firewall, the firewall can use a non-well-known port to provide the HTTP service.

Port mapping reduces attacks against a specific service on the server.

Example

# Map the HTTP service to port 10 and apply ACL 2000 to control the packets to which the mapping takes effect.

<Huawei> system-view
[Huawei] acl 2000 
[Huawei-acl-basic-2000] rule permit
[Huawei-acl-basic-2000] quit  
[Huawei] port-mapping http port 10 acl 2000

priority

Function

The priority command sets the priority for a zone.

Format

priority security-priority

Parameters

Parameter

Description

Value

security-priority

Indicates the priority of a zone.

The value is an integer that ranges from 0 to 15.

NOTE:

A larger security-priority value indicates a higher zone priority.

Views

Security zone view

Default Level

2: Configuration level

Usage Guidelines

After creating a zone, set a priority for the zone; otherwise, the zone is invalid.

The priority of a zone cannot be changed.

Example

# Set the priority of zone1 to 5.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] priority 5

reset firewall app table statistics

Function

The reset firewall app table statistics command clears statistics on firewall application entries.

Format

reset firewall app { servermap | session } table statistics

Parameters

Parameter

Description

Value

servermap

Clears statistics on Servermap entries at the application layer.

-

session

Clears statistics on session entries at the application layer.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command when you need to collect new firewall application entry statistics. After you run this command, all statistics on firewall application entries are cleared.

Precautions

Statistics on firewall application entries cannot be restored after they are cleared. Exercise caution when you use the command.

Example

# Clear statistics on firewall session entries at the application layer.

<Huawei> system-view
[Huawei] reset firewall app session table statistics

reset firewall session all

Function

The reset firewall session all command deletes all entries from the firewall session table.

Format

reset firewall session all

Parameters

None.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command will delete all entries from a firewall session table.

Precautions

After this command is executed, entries are deleted from the firewall session table and the firewall configurations are modified immediately.

After this command is executed, you must wait at least 10 seconds before running the command again; otherwise, an error message is displayed.

Example

# Delete all entries from a firewall session table.

<Huawei> system-view
[Huawei] reset firewall session all
Warning:The current all firewall sessions will be deleted.
Are you sure to continue?[Y/N]y

reset session all

Function

The reset session all command deletes entries from all session tables.

Format

reset session all

Parameters

None.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command will delete all entries from a firewall or NAT session table.

Precautions

After this command is executed, entries are deleted from session tables and the session table configurations are modified immediately. You must wait at least 10 seconds before running the command again; otherwise, an error message is displayed.

Example

# Delete entries from all session tables.

<Huawei> system-view
[Huawei] reset session all
Warning:The current all sessions will be deleted.
Are you sure to continue?[Y/N]y  

reset firewall statistics system defend

Function

The reset firewall statistics system defend command deletes attack defense statistics on firewall.

Format

reset firewall statistics system defend

Parameters

None

Views

All views

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before you run the display firewall statistics system defend command to collect attack defense statistics on a firewall, you can run this command to delete the old statistics.

Precautions

Statistics cannot be restored after they are cleared. Exercise caution when you delete them.

Example

# Delete attack defense statistics on the firewall.

<Huawei> reset firewall statistics system defend

session-log

Function

The session-log command configures a condition for recording logs about sessions in the firewall interzone.

The undo session-log command deletes a condition for recording logs about sessions in the firewall interzone.

By default, no condition is configured for recording logs about sessions in the firewall interzone.

Format

session-log acl-number { inbound | outbound }

undo session-log acl-number { inbound | outbound }

Parameters

Parameter

Description

Value

acl-number

Specifies the number of the ACL used to match sessions.

The value is an integer that ranges from 2000 to 3999.

inbound

Applies the ACL to the inbound sessions.

NOTE:

An inbound session refers to a session from a low-priority zone to a high-priority zone.

-

outbound

Applies the ACL to the outbound sessions.

NOTE:

An outbound session refers to a session from a high-priority zone to a low-priority zone.

-

Views

Interzone view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Create zone1 and zone2, and set their priorities to 10 and 5 respectively. Then configure an interzone between zone1 and zone2, and record logs about the inbound sessions (from the low-priority zone2 to the high-priority zone1) that match ACL 2001.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] priority 10
[Huawei-zone-zone1] quit
[Huawei] firewall zone zone2
[Huawei-zone-zone2] priority 5
[Huawei-zone-zone2] quit
[Huawei] firewall interzone zone1 zone2
[Huawei-interzone-zone1-zone2] session-log 2001 inbound
[Huawei-interzone-zone1-zone2] quit
[Huawei] firewall log session enable

statistics connect-number ip

Function

The statistics connect-number ip command sets the thresholds for the number of sessions on an IP address.

The undo statistics connect-number ip command restores the default thresholds.

By default, the upper threshold and lower threshold for each type of protocol packet are 16384 and 12288, respectively.

Format

statistics connect-number ip [ range beginip endip ] { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold

undo statistics connect-number ip { inzone | outzone } { icmp | tcp | udp }

Parameters

Parameter

Description

Value

range

Specifies an IP address segment.

NOTE:
If the range parameter is not specified, this command takes effect on a single IP address.

-

beginip

Specifies the start IP address.

The value is in dotted decimal notation.

endip

Specifies the end IP address, which cannot be smaller than the start IP address. The start and end IP addresses must be in the same IP address segment.

The value is in dotted decimal notation.

inzone

Specifies the thresholds for the number of packets entering the zone.

-

outzone

Specifies the thresholds for the number of packets leaving the zone.

-

icmp

Specifies the thresholds for the number of ICMP packets.

-

tcp

Specifies the thresholds for the number of TCP packets.

-

udp

Specifies the thresholds for the number of UDP packets.

-

high high-threshold

Specifies the upper threshold value.

The value is an integer that ranges from 1 to 16384. The default value is 16384.

low low-threshold

Specifies the lower threshold value.

The value is an integer that ranges from 1 to 16384. The default value is 12288.

Views

Security zone view

Default Level

2: Configuration level

Usage Guidelines

Before setting the thresholds for the number of packets sent to a certain IP address, run the statistics ip enable command to enable the IP address-level traffic statistics function in the zone.

Example

# Configure the thresholds for the number of inbound TCP packets sent to a certain IP address. Set the upper threshold to 15000 and lower threshold to 10000.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] statistics ip enable inzone
[Huawei-zone-zone1] statistics connect-number ip inzone tcp high 15000 low 10000

statistics connect-number zone

Function

The statistics connect-number zone command sets the thresholds for the number of packets in a zone.

The undo statistics connect-number zone command restores the default thresholds for the number of packets in a zone.

By default, the upper threshold and lower threshold for each type of protocol packet are 16384 and 12288, respectively.

Format

statistics connect-number zone { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold

undo statistics connect-number zone { inzone | outzone } { icmp | tcp | udp }

Parameters

Parameter

Description

Value

inzone

Specifies the thresholds for the number of packets entering the zone.

-

outzone

Specifies the thresholds for the number of packets leaving the zone.

-

icmp

Specifies the thresholds for the number of ICMP packets.

-

tcp

Specifies the thresholds for the number of TCP packets.

-

udp

Specifies the thresholds for the number of UDP packets.

-

high high-threshold

Specifies the upper threshold value.

The value is an integer that ranges from 1 to 16384. The default value is 16384.

low low-threshold

Specifies the lower threshold value.

The value is an integer that ranges from 1 to 16384. The default value is 12288.

Views

Security zone view

Default Level

2: Configuration level

Usage Guidelines

Before setting the thresholds for the number of packets in a zone, run the statistics zone enable command to enable the zone-level traffic statistics function.

Example

# Configure the thresholds for the number of inbound TCP packets in a zone. Set the upper threshold to 15000 and lower threshold to 10000.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] statistics zone enable inzone
[Huawei-zone-zone1] statistics connect-number zone inzone tcp high 15000 low 10000

statistics ip enable

Function

The statistics ip enable command enables the IP address-level traffic statistics collection in a zone.

The undo statistics ip enable command disables the IP address-level traffic statistics collection in a zone.

By default, IP address-level traffic statistics collection is disabled.

Format

statistics ip enable { inzone | outzone }

undo statistics ip enable { inzone | outzone }

Parameters

Parameter

Description

Value

inzone

Enables the IP address-level traffic statistics collection for the inbound packets of the zone.

-

outzone

Enables the IP address-level traffic statistics collection for the outbound packets of the zone.

-

Views

Security zone view

Default Level

2: Configuration level

Usage Guidelines

The IP address-based traffic statistics collection counts and monitors the TCP and UDP sessions set up by an IP address in a zone. When the number of TCP and UDP sessions set up by the IP address exceeds the threshold, the device reduces the number of sessions to the specified range.

You can enable IP address-level traffic statistics collection for inbound or outbound packets of a zone.

Example

# Enable IP address-level traffic statistics collection for inbound packets and outbound packets in zone1.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] statistics ip enable inzone
[Huawei-zone-zone1] statistics ip enable outzone
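The per-IP accounting that statistics ip enable turns on and statistics connect-number ip parameterises, as an added example that is not Huawei code. The page only says the device reduces the session count to the configured range, so the limiter behaviour below is an assumption: an address that reaches the high threshold is refused new sessions until its count falls to the low threshold, and existing sessions are never torn down. The low <= high check and the small thresholds used in the comments are also constructed.

```python
import ipaddress

DEFAULT_HIGH, DEFAULT_LOW = 16384, 12288   # page defaults for every protocol


def ip_to_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


class IpSessionLimiter:
    """Per-IP session accounting for one security zone (assumed behaviour, see lead-in)."""

    def __init__(self):
        self.enabled = {"inzone": False, "outzone": False}
        self.thresholds = {}   # (direction, proto, (beginip, endip) or None) -> (high, low)
        self.count = {}        # (direction, proto, ip) -> active sessions
        self.limited = set()   # (direction, proto, ip) currently refusing new sessions

    def statistics_ip_enable(self, direction: str) -> None:
        """statistics ip enable { inzone | outzone }"""
        self.enabled[direction] = True

    def connect_number(self, direction, proto, high, low, ip_range=None) -> None:
        """statistics connect-number ip [ range beginip endip ] { inzone | outzone }
        { icmp | tcp | udp } high <high-threshold> low <low-threshold>"""
        if not self.enabled[direction]:
            raise ValueError("run statistics ip enable for this direction first")
        if not (1 <= low <= high <= 16384):   # low <= high is an added assumption
            raise ValueError("thresholds must be 1..16384 with low <= high")
        if ip_range and ip_to_int(ip_range[1]) < ip_to_int(ip_range[0]):
            raise ValueError("endip cannot be smaller than beginip")
        self.thresholds[(direction, proto, ip_range)] = (high, low)

    def _limits(self, direction, proto, ip):
        """A range entry covering the address wins, then the single-address entry, then defaults."""
        for (d, p, rng), hl in self.thresholds.items():
            if (d, p) != (direction, proto) or rng is None:
                continue
            if ip_to_int(rng[0]) <= ip_to_int(ip) <= ip_to_int(rng[1]):
                return hl
        return self.thresholds.get((direction, proto, None), (DEFAULT_HIGH, DEFAULT_LOW))

    def session_open(self, direction, proto, ip) -> bool:
        """Account a new session; False means the limiter refused it."""
        if not self.enabled[direction]:
            return True   # no statistics collection, no limiting
        key = (direction, proto, ip)
        if key in self.limited:
            return False
        self.count[key] = self.count.get(key, 0) + 1
        if self.count[key] >= self._limits(direction, proto, ip)[0]:
            self.limited.add(key)   # high threshold reached: start refusing
        return True

    def session_close(self, direction, proto, ip) -> None:
        """Release a session; lift the limit once the count is back at the low threshold."""
        key = (direction, proto, ip)
        self.count[key] = max(0, self.count.get(key, 0) - 1)
        if key in self.limited and self.count[key] <= self._limits(direction, proto, ip)[1]:
            self.limited.discard(key)
```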

statistics zone enable

Function

The statistics zone enable command enables zone-level traffic statistics collection for the packets in a zone.

The undo statistics zone enable command disables zone-level traffic statistics collection for the packets in a zone.

By default, zone-level traffic statistics collection is disabled.

Format

statistics zone enable { inzone | outzone }

undo statistics zone enable { inzone | outzone }

Parameters

Parameter

Description

Value

inzone

Enables zone-level traffic statistics collection for the inbound packets of the zone.

-

outzone

Enables zone-level traffic statistics collection for the outbound packets of the zone.

-

Views

Security zone view

Default Level

2: Configuration level

Usage Guidelines

You can enable zone-level traffic statistics collection for inbound or outbound packets in a zone.

Example

# Enable zone-level traffic statistics collection for inbound packets and outbound packets of zone1.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] statistics zone enable inzone
[Huawei-zone-zone1] statistics zone enable outzone

zone

Function

The zone command adds an interface to a zone.

The undo zone command removes an interface from a zone.

Format

zone zone-name

Parameters

Parameter

Description

Value

zone-name

Specifies the name of a zone.

The value is a string of 1 to 32 characters. The string cannot contain a hyphen (-).

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

When you add an interface to a zone, ensure that the zone has been created using the firewall zone command.

Example

# Add GE1/0/0 to zone1.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0 
[Huawei-GigabitEthernet1/0/0] zone zone1 
Updated: 2019-05-29

Document ID: EDOC1000097293
