Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring Intrusion Prevention

Before you configure intrusion prevention, update the intrusion prevention signature database or, if necessary, configure user-defined signatures, create intrusion prevention profiles, reference signatures matching the specified conditions in the intrusion prevention profiles, and apply the intrusion prevention profiles in the attack defense profiles.

Enabling the Defense Engine

Context

After the defense engine is enabled, the system automatically loads the default signature database.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    defence engine enable

    The defense engine is enabled.

    By default, the defense engine is disabled.

Updating the Signature Database

Updating the IPS signature database and malicious domain name database in a timely manner helps the device better defend against threats on the network.

Preparation

Before updating the IPS signature database and malicious domain name database, do as follows:

  • Checking the Free Space of the Root Directory

    Before updating the IPS signature database and malicious domain name database, check whether the free space of the root directory is sufficient. For details, see the following table.

    Signature Database                  Required Free Space
    IPS signature database (IPS-SDB)    5 MB or higher
    Malicious domain name database      1 MB or higher

    To check the free space of the root directory, perform the following operations:

    1. In the user view, run the dir command to check the free space of the root directory.

      <Huawei> dir
      Directory of sdcard:/                                                             
                                                                                      
        Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName                     
          0  -rw-          8,208  May 05 2016 17:50:47   AP.pat          
          1  -rw-     47,774,428  Jan 24 2016 11:49:56   AP.bin   
                                    ........                                         
         56  drw-              -  May 13 2016 15:25:17   update                       
         57  -rw-        828,686  Apr 16 2016 10:04:37   url.so                       
         58  -rw-          1,511  May 12 2016 11:44:41   vrpcfg.zip 
                                                                                      
      1,975,380 KB total (393,452 KB free)                              

    2. In the user view, run the delete command to delete unwanted files from the CF card if the free space is insufficient.

      NOTE:

      Files are deleted and cannot be restored after the delete command with the /unreserved parameter is executed.

  • Checking the Current Update Status

    Signature databases cannot be updated simultaneously. You can update a signature database only after the current update status is idle.

    To check the current update status, perform the following operation:

    1. Run the display update status command to check the update status of the signature database.

      <Huawei> display update status
        Current Update Status: Idle.
      

      If Current Update Status is Idle, you can update the desired signature database. Otherwise, repeat the display update status command until Current Update Status changes to Idle, and then update the desired signature database.

  • Checking the Signature Database Version

    Check the signature database version to determine whether the signature database needs to be updated.

    To check the signature database version, perform the following operation:

    1. Run the display version { ips-sdb | cnc } command to check the signature database version.

      <Huawei> display version ips-sdb                                           
      IPS SDB Update Information List:                                                
      ----------------------------------------------------------------                
        Current Version:                                                              
          Signature Database Version    : 2016042310                                  
          Signature Database Size(byte) : 653281                                      
          Update Time                   : 16:15:13 2016/05/14                         
          Issue Time of the Update File : 17:31:13 2016/04/23                         
                                                                                      
        Backup Version:                                                               
          Signature Database Version    : 2016042704                                  
          Signature Database Size(byte) : 568481                                      
          Update Time                   : 16:12:23 2016/05/14                         
          Issue Time of the Update File : 13:14:59 2016/04/27                         
      ----------------------------------------------------------------                
      IPS Engine Information List:                                                    
      ----------------------------------------------------------------                
        Current Version:                                                              
          IPS Engine Version            : V200R002C20SPC015S001                       
          IPS Engine Size(byte)         : 4270561                                     
          Update Time                   : 16:15:13 2016/05/14                         
          Issue Time of the Update File : 10:39:25 2016/05/14                         
                                                                                      
        Backup Version:                                                               
          IPS Engine Version            : V200R002C20SPC012                           
          IPS Engine Size(byte)         : 3145728                                     
          Update Time                   : 16:12:23 2016/05/14                         
          Issue Time of the Update File : 19:45:45 2016/04/27                         
      ----------------------------------------------------------------
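
An added Python example, not part of this guide, that applies the two Preparation checks to captured CLI output: it reads the free space from the summary line of dir, reads Current Update Status, and reports whether a given database can be updated. The sample output is constructed from the figures shown above; the wording of a busy status and 1 MB = 1024 KB are assumptions.

```python
import re

# Constructed sample output, modelled on the "dir" and "display update status"
# output shown above (the figures are the ones the page prints).
DIR_OUTPUT = """<Huawei> dir
Directory of sdcard:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          8,208  May 05 2016 17:50:47   AP.pat
    1  -rw-     47,774,428  Jan 24 2016 11:49:56   AP.bin
   58  -rw-          1,511  May 12 2016 11:44:41   vrpcfg.zip

1,975,380 KB total (393,452 KB free)
"""

STATUS_IDLE = """<Huawei> display update status
  Current Update Status: Idle.
"""

# Constructed non-idle status text; the page only shows the Idle form, so the
# exact wording of a busy status is an assumption.
STATUS_BUSY = """<Huawei> display update status
  Current Update Status: Updating.
"""

# Minimum free space in the root directory per database, from the table above
# (1 MB taken as 1024 KB).
REQUIRED_FREE_KB = {"ips-sdb": 5 * 1024, "cnc": 1 * 1024}


def parse_free_kb(dir_output: str) -> int:
    """Extract the free space (KB) from the summary line that ends `dir` output."""
    m = re.search(r"\(([\d,]+)\s+KB free\)", dir_output)
    if not m:
        raise ValueError("free-space summary line not found in dir output")
    return int(m.group(1).replace(",", ""))


def parse_update_status(status_output: str) -> str:
    """Extract the value after 'Current Update Status:' without its trailing period."""
    m = re.search(r"Current Update Status:\s*(.+?)\.?\s*$", status_output, re.MULTILINE)
    if not m:
        raise ValueError("update status line not found")
    return m.group(1)


def check_update_readiness(db: str, dir_output: str, status_output: str) -> dict:
    """Apply both Preparation checks for one database ('ips-sdb' or 'cnc')."""
    if db not in REQUIRED_FREE_KB:
        raise ValueError(f"unknown signature database type: {db}")
    free_kb = parse_free_kb(dir_output)
    status = parse_update_status(status_output)
    problems = []
    if free_kb < REQUIRED_FREE_KB[db]:
        problems.append(f"only {free_kb} KB free; {db} needs at least "
                        f"{REQUIRED_FREE_KB[db]} KB (delete unwanted files first)")
    if status != "Idle":
        problems.append(f"update status is '{status}'; wait until it is Idle")
    return {"database": db, "free_kb": free_kb, "status": status,
            "ready": not problems, "problems": problems}


if __name__ == "__main__":
    for name in REQUIRED_FREE_KB:
        print(check_update_readiness(name, DIR_OUTPUT, STATUS_IDLE))
```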

Context

The IPS signature database and malicious domain name database can be updated in either of the following modes:

  • Online update

    If the Central AP can communicate with the update center (sec.huawei.com) directly over the Internet or through a proxy server, you can update the databases in online mode.

    Online update can be performed in two ways:

    • Scheduled update

      The Central AP accesses the update center on a scheduled basis to check for new versions of the IPS signature database and malicious domain name database. If new versions are found, the Central AP downloads them at the scheduled time and updates the local databases.

    • Immediate update

      When new versions of the IPS signature database and malicious domain name database are released at the update center, you can update the local databases immediately instead of waiting for the scheduled update.

      The download address and process for an immediate update are the same as those for a scheduled update. The two modes differ only in that an immediate update can be performed at any time, whereas a scheduled update runs at the specified time.

  • Local update

    When the Central AP is physically isolated from the Internet and no proxy server is deployed on the intranet, you can update the IPS signature database and malicious domain name database locally.

For details on signature database update scenarios, see Updating Signature Databases Configuration (Central AP).

Online Update

If the Central AP can directly access the update center, you must configure a security policy on the Central AP to permit HTTP and FTP packets. If the Central AP accesses the update center through a proxy server, you must configure a security policy on the Central AP to permit HTTP packets.

  1. Configure an update center.
    1. Access the system view.

      system-view

    2. Configure the update center.

      update server { domain domain-name | ip ip-address } [ port port-number ]

      The update center is the security center platform, and its default domain name is sec.huawei.com.

  2. Optional: Configure a proxy server.

    Perform this step when the Central AP needs to access the update center using a proxy server.

    1. Enable the signature database proxy update.

      update proxy enable

    2. Set the domain name (or IP address), user name, and password of the proxy server.

      update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name [ password password ] ]

      NOTE:

      If a domain name is configured for the proxy server, a DNS server must be configured to resolve the domain name. For details on how to configure the DNS server, see step 3.

  3. Optional: Configure a DNS server.
    1. Configure the DNS server to resolve domain names.

      dns resolve

    2. Specify the IP address of the DNS server.

      dns server ip-address

  4. Optional: Specify the source IP address for online update request packets.

    • Specify an interface IP address as the source IP address for online update request packets.

      update host source interface-type interface-number
    • Specify the source IP address of online update request packets.

      update host source ip ip-address

    If the administrator does not specify the source IP address of online update request packets, the system searches for a route to the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

    If the interface has multiple IP addresses, run the update host source ip ip-address command to set the source IP address of update request packets and ensure that the Central AP can receive the reply packets. Otherwise, the online update may fail.

    When the Central AP connects to the Internet through a VPN instance, these commands are mandatory. If the commands are not configured, the update will fail.
    • When update host source interface-type interface-number is configured, the interface must be bound to the corresponding VPN instance name.

    • When the update host source ip ip-address command is configured, vpn-instance vpn-instance must be specified.

  5. Configure the scheduled or immediate update function.

    NOTE:

    After the scheduled or immediate update is started, you can run the update abort command to abort the update if the update consumes too much bandwidth and interrupts normal services. Wait until the bandwidth is sufficient for the update and normal services and then run the update online { ips-sdb | cnc } command to download the latest signature database.

    • Scheduled update

      1. Enable the scheduled update function.

        update schedule { ips-sdb | cnc } enable
      2. Set scheduled update time.

        update schedule { ips-sdb | cnc } { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time

        You are advised to update the IPS signature database every week and the malicious domain name database every day. The update time can be adjusted based on network conditions.

    • Immediate update

      Download the latest signature database.

      update online { ips-sdb | cnc }

Local Update

The update package has been uploaded to the memory of the Central AP using SFTP, FTP or TFTP.

  1. Download the update package.

    Download update packages from the security center (sec.huawei.com). For details, refer to Update Center.

  2. Upload the update package from the PC to the memory of the Central AP.

    NOTE:

    The update package can be placed in any directory of the Central AP storage. However, the root directory is recommended.

    The signature database files are in .zip format. You can upload them directly to the Central AP without decompressing them.

  3. Access the system view.

    system-view

  4. Enable the local update function.

    update local { ips-sdb | cnc } file filename

Version Rollback

When the current signature database is faulty (for example, false positives occur or system performance is degraded), you can roll back the current signature database to the previous version.

You can roll back to only one earlier version. If you perform version rollbacks repeatedly, the rollback alternates between the current version and the rollback version.

  1. Access the system view.

    system-view

  2. Roll back the signature database to an earlier version.

    update rollback { ips-sdb | cnc }

Creating an Attack Defense Profile

Context

As the network develops continuously, there are various types of potential risks such as Trojan horses, worms, and viruses in packets. After an attack defense profile is created, various security functions are available, such as URL filtering, intrusion prevention, and antivirus.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    defence-profile name profile-name

    An attack defense profile is created and the attack defense profile view is displayed.

    By default, no attack defense profile is created.

Configuring Signatures

This section describes how to configure intrusion prevention signatures. A signature contains the features of a network intrusion. The device compares the received data flow with intrusion prevention signatures. If the data flow content matches a signature, the data flow is considered to contain a threat.

Viewing a Predefined Signature
Predefined signatures cannot be modified. However, you can extract the detected intrusion features by viewing the signature content to facilitate follow-up configurations.
  • View information about all predefined signatures.

    display ips-signature pre-defined [ associated ] [ application { application-name | all } | category { category-name | all } | os { all | android | ios | unix-like | windows | other } * | protocol { protocol-name | all } | severity { information | low | medium | high } * | state { disabled | enabled | retired } | target { server | client | both } ] *

  • View information about a specific predefined signature.

    display ips-signature ips-signature-id

Configuring the State of Predefined Signatures

The state of a predefined signature can be enabled, disabled, or deprecated. For enabled or disabled predefined signatures, you can change their state in batches or individually. Deprecated predefined signatures are ineffective and their state cannot be changed. They are displayed in the IPS signature database only for checking signature history.

NOTE:

Only the public system supports configuration for the state of predefined signatures.

After the state of a predefined signature is changed, run engine configuration commit to commit the change to apply it.

  • In the system view, set the state of all predefined signatures to Enable.

    ips signature-state enabled

  • In the system view, set the state of all predefined signatures to Disable.

    ips signature-state disabled

  • In the system view, set the status of a specific predefined signature.

    ips signature-state signature-id signature-id { enabled | disabled }

Modifying the Predefined Associated Signature

By default, the Central AP provides predefined associated signatures. The display ips-signature pre-defined associated command displays supported predefined associated signatures.

If the check items of a predefined associated signature cannot meet requirements, you can modify the check items.

  1. In the system view, configure a predefined associated signature.

    ips associated pre-defined signature-id signature-id { threshold threshold-value | interval interval-value | correlateby { source | destination | source-destination } } *

  2. Commit the configuration in the system view.

    engine configuration commit

    After a predefined associated signature is modified, the configuration takes effect only after being committed. To save time, you can submit the configuration after all predefined associated signature operations are complete.

Configuring a User-Defined Signature
Each user-defined signature contains multiple rules, and each rule contains multiple conditions. Packets match signature rules and conditions in the following order:
  • Rules are matched in the order in which they were configured. Conditions within a rule are matched either in configuration order (sequential check) or in random order, depending on the check setting of the rule.
  • A packet matches a rule only when the packet matches all conditions in the rule. However, a packet matches a signature as long as the packet matches any rule in the signature.

Traffic Processing Flow shows how the device processes matched packets.

  1. In the system view, create a user-defined signature.

    ips signature-id signature-id

  2. Optional: Configure a name for the user-defined signature.

    name name

  3. Optional: Configure a description for the user-defined signature.

    description description

  4. Configure the basic features of the user-defined signature.

    Item: Configure a detection target for the user-defined signature.
    Command: target { both | client | server }

    Item: Configure a protocol for the user-defined signature.
    Command: protocol protocol-name

    Item: Configure a severity for the user-defined signature.
    Command: severity { high | medium | low | information }

    Item: Configure an action for the user-defined signature.
    Command: action { alert | block | allow }

  5. Create a rule for the user-defined signature.

    rule name name

  6. Set parameters for the user-defined signature rule.

    Basic Information

    Item: Configure a detection scope for the user-defined signature rule.
    Command: scope { flow | message | packet }

    Item: Configure a detection sequence for the user-defined signature rule.
    Command: check { sequential | random-order }

    NOTE:

    Selecting sequential is not recommended. If you select it, the matching order becomes stricter, which may cause false positives during intrusion detection. Sequential check does not apply to value matches (equal, gthan, lthan, and noequal).

    Check Item

    Item: Configure check items for the user-defined signature rule.
    Command: condition [ condition-id ] field field-name operate { equal | gthan | lthan | noequal } value value-content [ direction direction | qualifier http-method http-method ] *
    Command: condition [ condition-id ] field field-name operate pmatch value value-content [ offset { offset-value | begin } ] [ depth depth-value ] [ direction direction | qualifier http-method http-method ] *

    NOTE:

    If the fields to be detected are DNS.Query.Name and NETBIOS.NS.Queries.Name, the field values cannot contain consecutive periods (.). The values of fields DNS.Query.Name and NETBIOS.NS.Queries.Name do not support abbreviations. Enter full names when you configure them. For example, if you want to configure field DNS.Query.Name to match huawei123.com, enter the full name huawei123.com.

    Advanced Information

    Item: Configure the source IP address in the user-defined signature rule.
    Command: source-ip { [ ipv4 ] start-ipv4-address [ end-ipv4-address | ipv4-mask-length ] | any }

    Item: Configure the source port in the user-defined signature rule.
    Command: source-port { start-port end-port | any }

    Item: Configure the destination IP address in the user-defined signature rule.
    Command: destination-ip { [ ipv4 ] start-ipv4-address [ end-ipv4-address | ipv4-mask-length ] | any }

    Item: Configure the destination port in the user-defined signature rule.
    Command: destination-port { start-port end-port | any }

  7. Commit the configuration in the system view.

    engine configuration commit

    After a user-defined signature is created or modified, the configuration takes effect only after being committed. To save time, you can submit the configuration after all user-defined signature operations are complete.
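
The matching semantics described above, as an added Python model that is not part of this guide or the Central AP software: rules are tried in configuration order, a rule needs all of its conditions, any one rule matches the signature, and value matches (equal, gthan, lthan, noequal) ignore the check order. How sequential check orders pmatch hits is an assumption (each pattern must be found after the previous hit in the same field); the signature id 50001 and the field DNS.Query.Count are hypothetical, while DNS.Query.Name and huawei123.com are the page's own example.

```python
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Condition:
    """One check item: condition field F operate OP value V [offset] [depth]."""
    field: str
    operate: str                 # equal | gthan | lthan | noequal | pmatch
    value: str
    offset: int = 0              # pmatch only: where the search window starts
    depth: Optional[int] = None  # pmatch only: window length; None = to end of field

    def value_match(self, actual) -> bool:
        """equal/gthan/lthan/noequal are value matches on the whole field."""
        if self.operate == "gthan":
            return int(actual) > int(self.value)
        if self.operate == "lthan":
            return int(actual) < int(self.value)
        if self.operate == "equal":
            return str(actual) == self.value
        if self.operate == "noequal":
            return str(actual) != self.value
        raise ValueError(f"unknown operate: {self.operate}")

    def pmatch_end(self, actual: str, cursor: int) -> int:
        """Index just past the first pattern hit at or after `cursor`, or -1."""
        window_end = len(actual) if self.depth is None else self.offset + self.depth
        idx = actual.find(self.value, max(self.offset, cursor), window_end)
        return -1 if idx < 0 else idx + len(self.value)


@dataclass
class Rule:
    name: str
    conditions: list             # a packet matches the rule only if ALL conditions match
    check: str = "random-order"  # sequential | random-order

    def matches(self, fields: dict) -> bool:
        order = list(self.conditions)
        if self.check == "random-order":
            random.shuffle(order)  # order is irrelevant to an AND of independent checks
        cursor = {}  # sequential only (assumed semantics): position reached per field
        for c in order:
            if c.field not in fields:
                return False
            actual = fields[c.field]
            if c.operate != "pmatch":
                if not c.value_match(actual):  # value matches ignore the sequence
                    return False
                continue
            start = cursor.get(c.field, 0) if self.check == "sequential" else 0
            end = c.pmatch_end(str(actual), start)
            if end < 0:
                return False
            cursor[c.field] = end
        return True


@dataclass
class Signature:
    signature_id: int
    name: str
    protocol: str
    action: str  # alert | block | allow
    rules: list  # checked in configuration order; ANY matching rule matches the signature

    def evaluate(self, fields: dict):
        """Return (name of the first matching rule, signature action), or (None, None)."""
        for rule in self.rules:
            if rule.matches(fields):
                return rule.name, self.action
        return None, None


def build_signature(seq_check: str = "sequential") -> Signature:
    """Constructed signature: id 50001 and DNS.Query.Count are hypothetical;
    DNS.Query.Name and huawei123.com are the page's own example field and value."""
    return Signature(
        signature_id=50001, name="dns-demo", protocol="DNS", action="block",
        rules=[
            Rule("r_exact", [Condition("DNS.Query.Name", "equal", "huawei123.com"),
                             Condition("DNS.Query.Count", "gthan", "1")]),
            Rule("r_parts", [Condition("DNS.Query.Name", "pmatch", "huawei123"),
                             Condition("DNS.Query.Name", "pmatch", ".com")], check=seq_check),
        ],
    )


def classify(query_name: str, query_count: int, seq_check: str = "sequential"):
    """Evaluate one constructed DNS query against the demo signature."""
    sig = build_signature(seq_check)
    return sig.evaluate({"DNS.Query.Name": query_name, "DNS.Query.Count": query_count})
```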

Configuring a User-Defined Associated Signature

Only one rule can be configured for a user-defined associated signature. Only one check item can be configured in the rule.

If a user-defined signature is configured as an associated signature, you must remove the association relationship of the signature before deleting the user-defined signature. Only enabled predefined signatures can be configured as associated signatures.

  1. In the system view, create a user-defined associated signature.

    ips signature-id signature-id

  2. Optional: Configure a name for the user-defined associated signature.

    name name

  3. Optional: Configure a description for the user-defined associated signature.

    description description

  4. Create a rule for the user-defined signature.

    rule name name

  5. Configure a check item for the user-defined associated signature.

    condition associated signature-id signature-id [ threshold threshold-value | interval interval-value | correlateby { source | destination | source-destination } ] *

  6. Configure the basic features of the user-defined associated signature in the user-defined associated signature view.

    Item: Configure a severity for the user-defined associated signature.
    Command: severity { high | medium | low | information }

    Item: Configure an action for the user-defined associated signature.
    Command: action { alert | block | allow }

  7. Commit the configuration in the system view.

    engine configuration commit

    After a user-defined associated signature is created or modified, the configuration takes effect only after being committed. To save time, you can submit the configuration after all user-defined associated signature operations are complete.

Configuring Intrusion Prevention Profile

You can configure signature filters in an intrusion prevention profile to select the signatures that share specified features and set an action for the threats matching these features. You can also add a signature as an exception and configure a different action for the exception signature.

Context

The device has multiple default intrusion prevention profiles for different application scenarios, as shown in Table 26-24. The default intrusion prevention profiles can be displayed, cloned, or referenced in attack defense profiles, but cannot be modified or deleted.

NOTE:

You can run the display profile type ips name name command on the CLI to view the configuration information about the default profile. If you use the CLI to reference the default profile in an attack defense profile, you must enter the complete profile name (such as default). Otherwise, the profile fails to be referenced. To view the configuration result, run the display current-configuration command. You can then see that the attack defense profile references the default profile, but the configuration information about the default profile is not displayed.

Table 26-24  Default intrusion prevention profiles

Name: strict
  Target: All
  Severity: Low, Medium, High
  Operating System: Unix-like, Windows, Android, iOS, Other
  Application Program: All
  Protocol: All
  Category: All
  Action: Block
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is required to block all matched packets.

Name: web_server
  Target: All
  Severity: Low, Medium, High
  Operating System: Unix-like, Windows, Android, iOS, Other
  Application Program: All
  Protocol: DNS, HTTP, FTP
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a web server.

Name: file_server
  Target: All
  Severity: Low, Medium, High
  Operating System: Unix-like, Windows, Android, iOS, Other
  Application Program: All
  Protocol: DNS, SMB, NETBIOS, NFS, SUNRPC, MSRPC, FILE, TELNET
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a file server.

Name: dns_server
  Target: All
  Severity: Low, Medium, High
  Operating System: Unix-like, Windows, Android, iOS, Other
  Application Program: All
  Protocol: DNS
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a DNS server.

Name: mail_server
  Target: All
  Severity: Low, Medium, High
  Operating System: Unix-like, Windows, Android, iOS, Other
  Application Program: All
  Protocol: DNS, IMAP4, SMTP, POP3
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a mail server.

Name: inside_firewall
  Target: All
  Severity: Low, Medium, High
  Operating System: Unix-like, Windows, Android, iOS, Other
  Application Program: All
  Protocol: Except TELNET and TFTP
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed behind a firewall.

Name: dmz
  Target: All
  Severity: Low, Medium, High
  Operating System: Unix-like, Windows, Android, iOS, Other
  Application Program: All
  Protocol: Except NETBIOS, NFS, SMB, TELNET and TFTP
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a .

Name: outside_firewall
  Target: All
  Severity: Low, Medium, High
  Operating System: Unix-like, Windows, Android, iOS, Other
  Application Program: All
  Protocol: All
  Category: Except Scanner
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in front of a firewall.

Name: ids
  Target: All
  Severity: Low, Medium, High
  Operating System: Unix-like, Windows, Android, iOS, Other
  Application Program: All
  Protocol: All
  Category: All
  Action: Alert
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed off-line as an IDS.

Name: default
  Target: All
  Severity: Low, Medium, High
  Operating System: Unix-like, Windows, Android, iOS, Other
  Application Program: All
  Protocol: All
  Category: All
  Action: Default
  Application Scenario: The intrusion prevention profile applies to the scenarios in which the device is deployed in-line as an IPS.

Procedure

  1. Create an IPS profile in the system view.

    profile type ips name name

  2. Optional: Configure a description for the IPS profile.

    description description

  3. Optional: Configure attack evidence collection.

    collect-attack-evidence enable

    NOTE:
    • Attack evidence collection does not apply to HTTPS traffic.
    • Attack evidence collection is for troubleshooting only. Because attack evidence collection compromises system performance, you must enable it only when necessary and disable it immediately after you finish attack evidence collection.

    If the action in the intrusion prevention profile is block, the device collects only the identified threat packets and previous packets. Subsequent packets of the same session are blocked and discarded by the device, and therefore are not collected. If the action in the intrusion prevention profile is not block, the device collects all threat packets of the session.

  4. Create an IPS signature filter.

    signature-set name name

  5. Configure the IPS signature filter.

    Item: Add the IPS signatures of a specified detection target to the IPS signature filter.
    Command: target { both | client | server }

    Item: Add the IPS signatures with a specified severity value to the IPS signature filter.
    Command: severity { high | medium | low | information } *

    Item: Add the IPS signatures of a specific operating system to the IPS signature filter.
    Command: os { android | ios | unix-like | windows | other } *

    Item: Add the IPS signatures of a specific protocol to the IPS signature filter.
    Command: protocol { protocol-name &<1-10> | all }

    Item: Add the IPS signatures of a specific category to the IPS signature filter.
    Command: category { category-name &<1-10> | all }

    Item: Configure the application name for the IPS signature filter.
    Command: application { application-name &<1-10> | all }

    Item: Configure an action for the IPS signature filter.
    Command: action { alert | block | default }

  6. Optional: Configure exception signatures in the IPS profile view.

    exception ips-signature-id ips-signature-id [ action { alert | allow } ]

  7. Optional: Configure malicious domain name check.

    cnc domain-filter enable [ action { alert | block } ]

    Enable the domain name filtering function.

    The domain name-based filtering function enables the device to filter out packets using the malicious domain name signature database. Upon receiving a packet matching a malicious domain name, the device implements the specified action and logs the threats for auditing and troubleshooting.

    In the system view, add exception domain names.

    cnc domain-filter exception domain-name domain-name

    If you check logs and find that some detected malicious domain names are false positives, you can configure these domain names as exceptions.

  8. Optional: Configure correlation detection.

    assoc-check enable

    By default, the function is enabled.

  9. Optional: Configure protocol anomaly detection in the IPS profile view.

    Item: Detecting whether HTTP traffic carries SSH traffic
    Command: http ssh-over-http check action { alert | block }

    Item: Detecting whether an HTTP packet contains multiple Host fields
    Command: http multi-host check action { alert | block }

    Item: Detecting the X-Online-Host field in an HTTP packet
    Command: http x-online-host check { any | blacklist | multiple } action { alert | block }
    Command: http x-online-host blacklist blacklist

    Item: Detecting the X-Forwarded-For field in an HTTP packet
    Command: http x-forwarded-for check { any | whitelist } action { alert | block }
    Command: http x-forwarded-for whitelist ipv4 ip-address

    Item: Detecting whether the protocol format of a DNS packet is abnormal
    Command: dns malformed-packet check action { alert | block }

    Item: Detecting the query type of a DNS packet
    Command: dns request-type check { start-type [ to end-type ] action | default-action } { alert | allow | block }

    Item: Detecting whether a DNS domain name contains unexpected characters
    Command: dns domain check action { alert | block }

    Item: Detecting the length of a DNS domain name
    Command: dns domain length check [ max-length max-length ] action { alert | block }

    Item: Detecting the number of DNS requests in a session
    Command: dns session request-times check [ max-time max-time ] action { alert | block }

  10. Commit the configuration in the system view.

    engine configuration commit

    The created or modified intrusion prevention profile does not take effect immediately. You need to commit the configuration to activate the configuration. To save time, commit the configuration after you complete all operations on the intrusion prevention profile.
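
An added Python model, not part of this guide or the device software, of how a signature filter and exception signatures in an IPS profile decide the action applied to a matching signature, rebuilding the web_server and strict rows of Table 26-24 over constructed signatures. The signature ids, categories and application names are made up; that an exception overrides the filters, that the first selecting filter wins, and how a target of both is matched are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

ALL = "all"


@dataclass(frozen=True)
class PredefinedSignature:
    """Constructed stand-in for a signature-database entry (ids are hypothetical)."""
    signature_id: int
    target: str          # server | client | both
    severity: str        # information | low | medium | high
    os: str              # android | ios | unix-like | windows | other
    protocol: str
    category: str
    application: str
    state: str           # enabled | disabled | retired
    default_action: str  # action carried by the signature itself: alert | block


@dataclass
class SignatureSet:
    """signature-set view: target / severity / os / protocol / category / application / action."""
    name: str
    action: str = "default"  # alert | block | default
    target: str = "both"
    severity: frozenset = frozenset({"low", "medium", "high"})
    os: frozenset = frozenset({"android", "ios", "unix-like", "windows", "other"})
    protocol: object = ALL   # ALL or a frozenset of protocol names
    category: object = ALL
    application: object = ALL

    def selects(self, sig: PredefinedSignature) -> bool:
        def allowed(choice, value):
            return choice == ALL or value in choice
        # Assumption: a filter target of "both" selects every signature, and a
        # signature whose own target is "both" is selected by either side.
        target_ok = self.target == "both" or sig.target in (self.target, "both")
        return (sig.state == "enabled" and target_ok
                and sig.severity in self.severity and sig.os in self.os
                and allowed(self.protocol, sig.protocol)
                and allowed(self.category, sig.category)
                and allowed(self.application, sig.application))


@dataclass
class IpsProfile:
    name: str
    signature_sets: list
    exceptions: dict = field(default_factory=dict)  # signature_id -> alert | allow

    def resolve_action(self, sig: PredefinedSignature) -> Optional[str]:
        """Action the profile applies to traffic matching `sig`; None = not detected."""
        if sig.signature_id in self.exceptions:  # assumption: exception overrides filters
            return self.exceptions[sig.signature_id]
        for sset in self.signature_sets:          # assumption: first selecting filter wins
            if sset.selects(sig):
                return sig.default_action if sset.action == "default" else sset.action
        return None


def web_server_profile(exceptions: Optional[dict] = None) -> IpsProfile:
    """Rebuild the web_server row of Table 26-24: DNS/HTTP/FTP, Low-High, action Default."""
    return IpsProfile("web_server",
                      [SignatureSet("web", protocol=frozenset({"DNS", "HTTP", "FTP"}))],
                      exceptions or {})


def strict_profile() -> IpsProfile:
    """Rebuild the strict row of Table 26-24: everything selected, action Block."""
    return IpsProfile("strict", [SignatureSet("all", action="block")])


# Constructed signatures; ids, categories and application names are made up.
SIGNATURES = {
    1001: PredefinedSignature(1001, "server", "high", "windows", "HTTP", "web-attack", "demo-app", "enabled", "block"),
    1002: PredefinedSignature(1002, "server", "information", "unix-like", "HTTP", "web-attack", "demo-app", "enabled", "alert"),
    1003: PredefinedSignature(1003, "server", "medium", "windows", "SMB", "file-attack", "demo-app", "enabled", "block"),
    1004: PredefinedSignature(1004, "client", "low", "android", "DNS", "dns-anomaly", "demo-app", "enabled", "alert"),
    1005: PredefinedSignature(1005, "both", "high", "other", "FTP", "ftp-attack", "demo-app", "retired", "block"),
}


def action_for(profile: IpsProfile, signature_id: int) -> Optional[str]:
    """Resolve the action a profile applies to one of the constructed signatures."""
    return profile.resolve_action(SIGNATURES[signature_id])
```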

Follow-up Procedure

After configuring the IPS profile, adjust it as follows:

  • In the IPS signature filter view, run the rename new-name command to rename the IPS signature filter.
  • In the IPS profile view, run the rename new-name command to rename the profile.
  • In the system view, run the profile type ips copy old-name [ new-name ] command to create a profile by copying an existing one.

Applying the Configuration

Context

After an intrusion prevention profile is created, you need to bind it to an attack defense profile and then bind the attack defense profile to a VAP profile, user group, or interface to make the application take effect.

Procedure

  1. Bind an intrusion prevention profile to an attack defense profile.
    1. Run the system-view command to enter the system view.
    2. Run the defence-profile name profile-name command to enter the attack defense profile view.
    3. Run the profile type ips profile-name command to bind an intrusion prevention profile to an attack defense profile.

      By default, no intrusion prevention profile is bound to an attack defense profile.

    4. Run the quit command to return to the system view.
  2. Bind the attack defense profile to a VAP profile, a user group, or an interface.

    • VAP profile:

      1. Run the wlan command to enter the WLAN view.
      2. Run the vap-profile name profile-name command to enter the VAP profile view.
      3. Run the defence-profile profile-name command to bind the attack defense profile to a VAP profile.

        By default, no attack defense profile is bound to a VAP profile.

    • User group:

      1. Run the user-group group-name command to enter the user group view.
      2. Run the defence-profile profile-name command to bind the attack defense profile to a user group.

        By default, no attack defense profile is bound to a user group.

    • Interface:

      1. Run the interface interface-type interface-number command to enter the interface view.
      2. Run the defence-profile profile-name command to bind the attack defense profile to an interface.

        By default, no attack defense profile is bound to an interface.

Checking the Configuration
  • Run the display defence-profile { all | name profile-name } command to check information about the attack defense profile.
  • Run the display references defence-profile name profile-name command to check reference information about the attack defense profile.
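The following CLI session is an added example that is not part of this guide: it strings together the protocol-anomaly checks from the profile configuration step, the commit, the binding procedure above, and the check commands. The profile names ips_guest, def_guest and vap_guest, the whitelisted proxy address 10.0.0.5, the threshold values 128 and 20, and the exact view prompts are all constructed for illustration; the command used to enter the IPS profile view (profile type ips name) is assumed to be the one used earlier in this guide when the profile was created. Lines beginning with # are annotations, not CLI input.

```text
# Assumed: enter the IPS profile view of a profile created earlier in this guide.
<AP> system-view
[AP] profile type ips name ips_guest
# HTTP: only trust X-Forwarded-For from the whitelisted proxy (constructed address), block everything else.
[AP-profile-ips-ips_guest] http x-forwarded-for check whitelist action block
[AP-profile-ips-ips_guest] http x-forwarded-for whitelist ipv4 10.0.0.5
# DNS: block malformed packets, alert on odd characters, over-long names and request floods.
# max-length 128 and max-time 20 are constructed values, not defaults from the guide.
[AP-profile-ips-ips_guest] dns malformed-packet check action block
[AP-profile-ips-ips_guest] dns domain check action alert
[AP-profile-ips-ips_guest] dns domain length check max-length 128 action alert
[AP-profile-ips-ips_guest] dns session request-times check max-time 20 action alert
[AP-profile-ips-ips_guest] quit
# Nothing above is active until the engine configuration is committed.
[AP] engine configuration commit
# Bind the IPS profile to an attack defense profile (constructed name def_guest).
[AP] defence-profile name def_guest
[AP-defence-profile-def_guest] profile type ips ips_guest
[AP-defence-profile-def_guest] quit
# Bind the attack defense profile to a VAP profile (constructed name vap_guest).
[AP] wlan
[AP-wlan-view] vap-profile name vap_guest
[AP-wlan-vap-prof-vap_guest] defence-profile def_guest
[AP-wlan-vap-prof-vap_guest] quit
[AP-wlan-view] quit
# Check the binding chain and the active profile, then watch the counters.
[AP] display defence-profile name def_guest
[AP] display references defence-profile name def_guest
[AP] display profile type ips name ips_guest
[AP] display ips statistics
```

Starting with alert rather than block on the DNS checks lets you tune max-length and max-time against real traffic (using display ips statistics and display ips-signature statistics) before switching the action to block; the X-Forwarded-For whitelist should contain only proxies you operate, since any other source of that header can spoof client addresses.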

Verification and Check

This section describes the verification and check operations after the intrusion prevention feature is configured.

Verification

After configuring the intrusion prevention feature, you can run the following commands to check the configuration result.

  • View IPS signatures.

    display ips-signature ips-signature-id

    display ips-signature [ { pre-defined | user-defined } [ associated ] ] [ application { application-name | all } | category { category-name | all } | os { all | android | ios | unix-like | windows | other } * | protocol { protocol-name | all } | severity { information | low | medium | high } * | state { disabled | enabled | retired } | target { server | client | both } ] *

  • View a predefined IPS signature based on a CVE ID.

    display ips-signature cve-id { cve-id | year year }

  • View a predefined IPS signature based on a vendor ID.

    display ips-signature vendor-id vendor-id

  • View the status of predefined IPS signatures.

    display ips signature-state

  • View the rule of a specified user-defined signature.

    display ips signature-id signature-id rule { name rule-name | all }

  • View all exception domain names configured for domain name filtering.

    display cnc domain-filter exception

  • View the IPS profile.

    display profile type ips [ name name [ signature-set-name signature-set-name | exception-signature-id exception-signature-id ] ]

After configuring the intrusion prevention feature, you can run the following commands to view or clear statistics:

  • View IPS statistics.

    display ips statistics

  • View the top N matched IPS signatures.

    display ips-signature statistics top-number

  • View domain name filtering statistics.

    display cnc domain-filter { exception | domain-name domain-name } statistics

  • View the top N matched malicious domain names.

    display cnc domain-filter domain statistics [ topn-number ]

  • Clear IPS statistics.

    reset ips statistics

  • Clear IPS signature statistics.

    reset ips-signature statistics { signature-id signature-id | all } { event | collect-attack-evidence | all }

  • Clear domain name filtering statistics.

    reset cnc domain-filter { domain | exception | domain-name domain-name } statistics

Updated: 2019-01-11

Document ID: EDOC1000176006