Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring Antivirus

This section describes how to configure antivirus using the CLI.

Enabling the Defense Engine

Context

After the defense engine is enabled, the system automatically loads the default signature database.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    defence engine enable

    The defense engine is enabled.

    By default, the defense engine is disabled.

Updating the Antivirus Signature Database

You can update the antivirus signature database to improve the detection capability and efficiency of the device.

Preparation

Before updating the antivirus signature database, do as follows:

  • Checking the Free Space of the Root Directory

    Before updating the antivirus signature database, check whether the free space of the root directory is sufficient. For details, see the following table.

    Signature Database                      Required Free Space
    Antivirus signature database (AV-SDB)   8 MB or higher

    To check the free space of the root directory, perform the following operations:

    1. In the user view, run the dir command to check the free space of the root directory.

      <Huawei> dir
      Directory of flash:/                                                            
                                                                                      
        Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName                     
          0  -rw-          8,208  May 05 2016 17:50:47   AP.pat    
          1  -rw-     47,774,428  Jan 24 2016 11:49:56   AP.bin   
                                    ........                                         
         56  drw-              -  May 13 2016 15:25:17   update                       
         57  -rw-        828,686  Apr 16 2016 10:04:37   url.so                       
         58  -rw-          1,511  May 12 2016 11:44:41   vrpcfg.zip 
                                                                                      
      1,975,380 KB total (393,452 KB free)                              
    2. In the user view, run the delete command to delete unwanted files from the CF card if the free space is insufficient.

      NOTE:

      Files deleted by the delete command with the /unreserved parameter cannot be restored.

  • Checking the Current Update Status

    Signature databases cannot be updated simultaneously. You can update a signature database only after the current update status is idle.

    To check the current update status, perform the following operation:

    1. Run the display update status command to check the update status of the signature database.

      <Huawei> display update status
        Current Update Status: Idle.
      

      If Current Update Status is Idle, you can update the desired signature database. Otherwise, repeat the display update status command until Current Update Status changes to Idle, and then update the desired signature database.

  • Checking the Signature Database Version

    Check the signature database version to determine whether the signature database needs to be updated.

    To check the signature database version, perform the following operation:

    1. Run the display version av-sdb command to check the signature database version.

      <Huawei> display version av-sdb                                           
      AV SDB Update Information List:                                                 
      ----------------------------------------------------------------                
        Current Version:                                                              
          Signature Database Version    : 2016030400                                  
          Signature Database Size(byte) : 6768274                                     
          Update Time                   : 16:12:23 2016/05/14                         
          Issue Time of the Update File : 12:01:00 2016/03/04                         
                                                                                      
        Backup Version:                                                               
          Signature Database Version    :                                             
          Signature Database Size(byte) : 0                                           
          Update Time                   : 00:00:00 0000/00/00                         
          Issue Time of the Update File : 00:00:00 0000/00/00                         
      ----------------------------------------------------------------
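
The three preparation checks above (free space, update status, current AV-SDB version) can be applied automatically to the command outputs. The following Python is an added example, not part of the Huawei guide; it embeds constructed, abridged copies of the outputs shown above and applies the 8 MB, Idle and version rules to decide whether an update may proceed.

```python
import re

# Constructed sample outputs, abridged from the three checks shown above
# (sizes and version numbers are the guide's own example values, not live data).
DIR_OUTPUT = """<Huawei> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          8,208  May 05 2016 17:50:47   AP.pat
   58  -rw-          1,511  May 12 2016 11:44:41   vrpcfg.zip

1,975,380 KB total (393,452 KB free)
"""
STATUS_OUTPUT = "<Huawei> display update status\n  Current Update Status: Idle.\n"
VERSION_OUTPUT = """<Huawei> display version av-sdb
AV SDB Update Information List:
  Current Version:
    Signature Database Version    : 2016030400
    Signature Database Size(byte) : 6768274
  Backup Version:
    Signature Database Version    :
    Signature Database Size(byte) : 0
"""

AV_SDB_MIN_FREE_KB = 8 * 1024  # the guide requires 8 MB or more in the root directory


def free_kb(dir_output):
    """Free space in KB, taken from the summary line of the 'dir' command."""
    m = re.search(r"\(([\d,]+) KB free\)", dir_output)
    if not m:
        raise ValueError("no '... KB free' summary line in dir output")
    return int(m.group(1).replace(",", ""))


def update_idle(status_output):
    """True only when 'display update status' reports Idle."""
    m = re.search(r"Current Update Status:\s*(\w+)", status_output)
    return bool(m) and m.group(1).lower() == "idle"


def current_av_sdb_version(version_output):
    """Version string of the 'Current Version' block ('' if no database is loaded)."""
    block = version_output.split("Current Version:", 1)[1].split("Backup Version:", 1)[0]
    m = re.search(r"Signature Database Version\s*:\s*(\d*)", block)
    return m.group(1) if m else ""


def preflight(dir_output, status_output, version_output, available_version):
    """Apply the three preparation rules; returns (can_update, list of blocking reasons)."""
    reasons = []
    kb = free_kb(dir_output)
    if kb < AV_SDB_MIN_FREE_KB:
        reasons.append(f"only {kb} KB free, need {AV_SDB_MIN_FREE_KB} KB: delete unwanted files first")
    if not update_idle(status_output):
        reasons.append("an update is in progress: repeat 'display update status' until Idle")
    current = current_av_sdb_version(version_output)
    # Versions are date-stamped digit strings of equal length (e.g. 2016030400),
    # so plain string comparison orders them chronologically.
    if current and available_version <= current:
        reasons.append(f"current version {current} is already up to date")
    return (not reasons, reasons)
```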
Context

The antivirus signature database can be updated in either of the following modes:

  • Online update

    If the Central AP can communicate with the update center (sec.huawei.com) directly over the Internet or through a proxy server, you can update the antivirus signature database in online mode.

    Online update can be performed in two ways:

    • Scheduled update

      The Central AP accesses the update center at the scheduled time to check for a newer antivirus signature database. If a new version is found, the Central AP downloads it and updates the local antivirus signature database.

    • Immediate update

      After a new antivirus signature database is released on the update center, you can update the local database immediately instead of waiting for the scheduled update.

      The download address and update process are the same for immediate and scheduled update. The two modes differ only in that immediate update can be performed at any time, whereas scheduled update runs at the specified time.

  • Local update

    When the Central AP is physically isolated from the Internet and no proxy server is deployed on the intranet, you can update antivirus signature databases locally.

For details on signature database update scenarios, see Updating Signature Databases Configuration (Central AP).

Online Update

If the Central AP can directly access the update center, you must configure a security policy on the Central AP to permit HTTP and FTP packets. If the Central AP accesses the update center through a proxy server, you must configure a security policy on the Central AP to permit HTTP packets.

  1. Configure an update center.
    1. Access the system view.

      system-view

    2. Configure the update center.

      update server { domain domain-name | ip ip-address } [ port port-number ]

      The update center is the security center platform, and its default domain name is sec.huawei.com.

  2. Optional: Configure a proxy server.

    Perform this step when the Central AP needs to access the update center using a proxy server.

    1. Enable the signature database proxy update.

      update proxy enable

    2. Set the domain name (or IP address), user name, and password of the proxy server.

      update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name [ password password ] ]
      NOTE:

      If a domain name is configured for the proxy server, a DNS server must be configured to resolve the domain name. For details on how to configure the DNS server, see step 3.

  3. Optional: Configure a DNS server.
    1. Configure the DNS server to resolve domain names.

      dns resolve

    2. Specify the IP address of the DNS server.

      dns server ip-address

  4. Optional: Specify the source IP address for online update request packets.

    • Specify an interface IP address as the source IP address for online update request packets.

      update host source interface-type interface-number
    • Specify the source IP address of online update request packets.

      update host source ip ip-address

    If the administrator does not specify the source IP address of online update request packets, the system searches a route based on the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

    If the interface has multiple IP addresses, run the update host source ip ip-address command to set the source IP address of update request packets and ensure that the Central AP can receive the reply packets. Otherwise, the online update may fail.

    When the Central AP connects to the Internet through a VPN instance, these commands are mandatory; if they are not configured, the update fails.

    • When update host source interface-type interface-number is configured, the interface must be bound to the corresponding VPN instance.

    • When the update host source ip ip-address command is configured, vpn-instance vpn-instance must be specified.

  5. Configure the scheduled or immediate update function.

    NOTE:

    After the scheduled or immediate update is started, you can run the update abort command to abort the update if the update consumes too much bandwidth and interrupts normal services. Wait until the bandwidth is sufficient for the update and normal services and then run the update online av-sdb command to download the latest signature database.

    • Scheduled update

      1. Enable the scheduled update function.

        update schedule av-sdb enable
      2. Set scheduled update time.

        update schedule av-sdb { hourly minute | { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time }

        You are advised to update the antivirus signature database every day. The update time can be adjusted based on network conditions.

    • Immediate update

      Download the latest signature database.

      update online av-sdb

Local Update

The update package has been uploaded to the memory of the Central AP using SFTP, FTP or TFTP.

  1. Download the update package.

    Download update packages from the security center (sec.huawei.com). For details, refer to Update Center.

  2. Upload the update package from the PC to the memory of the Central AP.

    NOTE:

    The update package can be placed in any directory of the Central AP storage. However, the root directory is recommended.

    The signature database files are in .zip format. You can upload them directly to the Central AP without decompressing them.

  3. Access the system view.

    system-view

  4. Enable the local update function.

    update local av-sdb file filename

Version Rollback

When the current signature database is faulty (for example, it causes false positives or degrades system performance), you can roll back to the previous version.

You can roll back only one version. If you perform the rollback repeatedly, the system alternates between the current version and the rollback version.

  1. Access the system view.

    system-view

  2. Roll back the signature database to an earlier version.

    update rollback av-sdb

Creating an Attack Defense Profile

Context

As networks evolve, packets may carry various threats such as Trojan horses, worms, and viruses. After an attack defense profile is created, security functions such as URL filtering, intrusion prevention, and antivirus can be applied through it.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    defence-profile name profile-name

    An attack defense profile is created and the attack defense profile view is displayed.

    By default, no attack defense profile is created.

Configuring Antivirus Profile

This section describes how to configure antivirus.

Context

The Central AP has a default antivirus profile named default, which defines the default action in the upload or download direction of each protocol, as shown in the following table. You cannot modify or delete the default profile.

NOTE:

You can run the display profile type av name default command on the CLI to view the configuration of the default profile. If you use the CLI to reference the default profile in an attack defense profile, you must enter the complete profile name (default). Otherwise, the profile fails to be referenced.

Table 26-25  Default antivirus profile

Name     Protocol   Virus Detection in the Upload Direction   Virus Detection in the Download Direction   Default Action
default  HTTP       Enable                                    Enable                                      Block
         FTP        Enable                                    Enable                                      Block
         SMTP       Enable                                    -                                           Alert
         POP3       -                                         Enable                                      Alert
         IMAP       Enable                                    Enable                                      Alert
         NFS        Enable                                    Enable                                      Alert
         SMB        Enable                                    Enable                                      Block

Attack Evidence Collection: disabled

Application Exception List: not configured

Virus Exception List: not configured

The Central AP supports user-defined profiles. You can specify the action for each protocol.

Procedure

  1. Create an antivirus profile in the system view.

    profile type av name name

  2. Optional: Configure a description for the antivirus profile.

    description description

  3. Optional: Configure the attack evidence collection function.

    collect-attack-evidence enable

    NOTE:
    • Attack evidence collection does not apply to HTTPS traffic.

    • Attack evidence collection is for troubleshooting only. Because attack evidence collection compromises system performance, you must enable it only when necessary and disable it immediately after you finish attack evidence collection.

  4. Configure the protocols and traffic directions requiring virus detection and the response action for detected viruses.

    Protocol   Command
    HTTP       http-detect direction { both | download | upload } [ action { alert | block } ]
    FTP        ftp-detect direction { both | download | upload } [ action { alert | block } ]
    SMTP       smtp-detect [ action alert ]
    POP3       pop3-detect [ action alert ]
    IMAP       imap-detect direction { both | download | upload } [ action alert ]
    NFS        nfs-detect direction { both | download | upload }
    SMB        smb-detect direction { both | download | upload } [ action { alert | block } ]

  5. Optional: Configure application exception.

    exception application name name [ action { alert | allow | block } ]

  6. Optional: Configure virus exception.

    exception av-signature-id av-signature-id

  7. Commit the configuration in the system view.

    engine configuration commit

    The created or modified antivirus profile does not take effect immediately. You need to commit the configuration to activate the configuration. To save time, commit the configuration after you complete all operations on the antivirus profile.

  8. Optional: Configure the antivirus log aggregation function in the system view.

    av log merge enable

    After the antivirus log aggregation function is enabled, the system aggregates multiple identical antivirus logs generated within a short period into one log.

  9. Optional: Enable the function of extracting the complete hash value from the PE file in the system view.

    av extract hash enable

    When this function is enabled and the Central AP detects a virus in a PE file with the response action alert or declare, the antivirus log displays the complete hash value of the file.

Follow-up Procedure

After configuring the antivirus profile, adjust it as follows:

  • Run the rename new-name command in the antivirus profile view to rename the profile.
  • In the system view, run the profile type av copy old-name [ new-name ] command to create a profile by copying an existing one.

Applying the Configuration

Context

After an antivirus profile is created, you need to bind it to an attack defense profile and then bind the attack defense profile to a VAP profile, user group, or interface to make the application take effect.

Procedure

  1. Bind an antivirus profile to an attack defense profile.
    1. Run the system-view command to enter the system view.
    2. Run the defence-profile name profile-name command to enter the attack defense profile view.
    3. Run the profile type av name command to bind an antivirus profile to an attack defense profile.

      By default, no antivirus profile is bound to an attack defense profile.

    4. Run the quit command to return to the system view.
  2. Bind the attack defense profile to a VAP profile, a user group, or an interface.

    • VAP profile:

      1. Run the wlan command to enter the WLAN view.
      2. Run the vap-profile name profile-name command to enter the VAP profile view.
      3. Run the defence-profile profile-name command to bind the attack defense profile to a VAP profile.

        By default, no attack defense profile is bound to a VAP profile.

    • User group:

      1. Run the user-group group-name command to enter the user group view.
      2. Run the defence-profile profile-name command to bind the attack defense profile to a user group.

        By default, no attack defense profile is bound to a user group.

    • Interface:

      1. Run the interface interface-type interface-number command to enter the interface view.
      2. Run the defence-profile profile-name command to bind the attack defense profile to an interface.

        By default, no attack defense profile is bound to an interface.

Checking the Configuration
  • Run the display defence-profile { all | name profile-name } command to check information about the attack defense profile.
  • Run the display references defence-profile name profile-name command to check reference information about the attack defense profile.

Verification and Check

This section describes the verification and check operations after the antivirus feature is configured.

Verification

After configuring the antivirus feature, you can do as follows to check the configuration result.

Operation                                                                               Command
View the antivirus profile.                                                             display profile type av [ name name [ protocol | exception { application | av-signature-id } ] ]
View a specific virus signature or a virus family in the antivirus signature database.  display av-signature { av-signature-id | database }

After configuring the antivirus feature, you can do as follows to view or clear statistics:

Operation                     Command
View antivirus statistics.    display av statistics
Clear antivirus statistics.   reset av statistics

Updated: 2019-01-11

Document ID: EDOC1000176006

Views: 117820

Downloads: 309

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next