No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).


The intrusion prevention function detects and analyzes all packets and allows or blocks the packets accordingly. This section describes how the Central AP processes intrusions, the basic concepts for intrusion prevention, and the signature matching order and actions.


The intrusion prevention mechanism is as follows:

  1. Application data reassembly

    Some attacks attempt to evade intrusion prevention by fragmenting packets. To prevent such attacks, a Central AP reassembles IP fragments and TCP flows before inspecting.

  2. Protocol identification and analysis

    The Central AP identifies multiple types of application-layer protocols based on packet contents.

    The Central AP implements refined analysis and extracts packet features based on the identified protocol.

    Compared with the traditional Central AP that identifies protocols only by IP address and port, the Central AP increases the detection ratio of application-layer attacks.

  3. Feature matching

    The Central AP compares the extracted features with the intrusion prevention signatures. If a match is found, the packets are processed according to the configured action.

    For the matching order of signatures, see Traffic Processing Flow.

  4. Action

    After the detection, the Central AP processes the packets that match the signature based on the configured action.

    Figure 26-42 illustrates the flow for processing packets.


Signatures describe the features of attacks on the network. The Central AP detects and prevents attacks by comparing data flow contents with intrusion prevention signatures.

The intrusion prevention signatures of the Central AP fall into two types:

  • Predefined signature

    Predefined signatures are those in the IPS signature database. Predefined signatures cannot be created, modified, or deleted.

    A predefined signature has a default action, and the action can be:

    • Allow: The Central AP permits the packet matching the signature without a log.
    • Alert: The Central AP permits the packet matching the signature and generates a log.
    • Block: The Central AP discards the packet matching the signature, blocks the data flow to which the packet belongs, and generates a log.
  • User-defined signature

    You are advised to configure user-defined signatures only when you understand the attack features. Incorrect signatures may be useless, cause packet loss, or interrupt services.

    User-defined signatures refer to those that are created by administrators. The signature database may not have a signature for a new type of attack. If you understand the attack, you can create a user-defined signature for the attack. You can also create user-defined signature for any other purpose if the predefined signatures cannot meet your needs. After user-defined signatures are created, the system automatically checks the validity of the rules to prevent inefficient signatures from wasting resources.

    The action of a user-defined signature can be Block and Alert, which can be configured when you create a user-defined signature.

Signature Filter

A large number of signatures flood the signature database after updates. By analyzing the features of common threats, you can summarize signatures that contain these features and add these signatures to a signature filter.

A signature filter is a set of signatures matching the specified filtering conditions, including the type of signatures, object, protocol, severity, and operating system. Only signatures that match all the filtering conditions can be added to a signature filter. If a condition has multiple values and the values are logically ORed, a packet matches the condition if the packet matches any value of the condition.

The action of a signature filter can be Block, Alert, or Default (use the default actions of signatures). The action of a signature filter has a higher priority than the default actions of signatures in the filter.

Signature filters configured earlier have higher priorities. If two signature filters in one intrusion prevention profile contain the same signature, packets matching the signature are processed according to the signature filter configured earlier.

Signature Exception

All signatures in a signature filter have the same action. However, you can add a signature as an exception and configure a different action for the exception signature.

The action of a signature exception can be Alert, or Allow.

The action of a signature exception has a higher priority than that of a signature filter. If a signature matches a signature exception and a signature filter, the action of the signature exception takes effect.

For example, the actions for a batch of signatures in the signature filter are block. Then the Central AP blocks an R&D software requested by an employee. The log indicates that the R&D software matches a signature in the signature filter and is blocked because of false positive. In such cases, add the signature as an exception and set the action to Allow.

Traffic Processing Flow

An intrusion prevention profile contains multiple signature filters and exception signatures.

Figure 26-41 shows the relationship between signatures, signature filters, and exception signatures. In this example, a01, a02, and a03 are predefined signatures. a04 is a user-defined signature. Two signature filters are configured in the profile. Signature filter 1 filters signatures a01 and a02 whose protocol set is set to HTTP and other filtering conditions are set to condition A. The action for signature filter 1 is set to the default action for signatures. Signature filter 2 filters a03 and a04 whose protocol set is set to HTTP or UDP and other filtering conditions are set to condition B. The action for signature filter 2 is set to block. Besides, two exception signatures are configured in the profile. In exception signature 1, set the action for a02 to alert. In exception signature 2, set the action for a04 to alert.

The actual action for a signature is jointly determined by the default action for the signature, action for the signature filter, and action for the exception signature. For details, see Actual action in Figure 26-41.

Figure 26-41  Relationship between signatures, signature filters, and exception signatures

When a data flow matches the intrusion prevention profile, the Central AP sends the data flow to the intrusion prevention module to match the signatures referenced by the profile one by one. Figure 26-42 shows the traffic processing flow.

Figure 26-42  Traffic processing flow


When a packet matches multiple signatures, the actual action for the packet is as follows:

  • If the actions for all the matched signatures are Alert, the action for the packet is Alert.
  • If the action for any matched signature is Block, the action for the packet is Block.

When a data flow matches multiple signature filters, the action for the signature filter with the highest priority is performed on the data flow.

Detection Directions

If an attack defense profile references an intrusion prevention profile, the direction in the attack defense profile is determined by the node that initiates a session, not the node that sends attack packets.

Updated: 2019-01-11

Document ID: EDOC1000176006

Views: 116443

Downloads: 309

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next