Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring SAC

Enabling the Defense Engine

Context

After the defense engine is enabled, the system automatically loads the default signature database.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    defence engine enable

    The defense engine is enabled.

    By default, the defense engine is disabled.

(Optional) Configuring Applications

This section describes how to configure applications on the CLI.

Updating the Application Identification Signature Database

Timely update of the application identification signature database helps enhance the device's application identification capability.

Preparation

Before updating the application identification signature database, do as follows:

  • Checking the Free Space of the Root Directory

    Before updating the application signature database, check whether the free space of the root directory is sufficient. For details, see the following table.

    Signature Database                         Required Free Space
    -----------------------------------------  -------------------
    Application signature database (SA-SDB)    10 MB or higher

    To check the free space of the root directory, perform the following operations:

    1. In the user view, run the dir command to check the free space of the root directory.

      <Huawei> dir
      Directory of flash:/                                                             
                                                                                      
        Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName                     
          0  -rw-          8,208  May 05 2016 17:50:47   AC.pat          
          1  -rw-     47,774,428  Jan 24 2016 11:49:56   AC.cc   
                                    ........                                         
         56  drw-              -  May 13 2016 15:25:17   update                       
         57  -rw-        828,686  Apr 16 2016 10:04:37   url.so                       
         58  -rw-          1,511  May 12 2016 11:44:41   vrpcfg.zip 
                                                                                      
      1,975,380 KB total (393,452 KB free)                              
    2. In the user view, run the delete command to delete unwanted files from the storage device if the free space is insufficient.

      NOTE:

      Files are deleted and cannot be restored after the delete command with the /unreserved parameter is executed.

  • Checking the Current Update Status

    Signature databases cannot be updated simultaneously. You can update a signature database only after the current update status is idle.

    To check the current update status, perform the following operation:

    1. Run the display update status command to check the update status of the signature database.

      <Huawei> display update status
        Current Update Status: Idle.
      

      If Current Update Status is Idle, you can update the desired signature database. Otherwise, repeat the display update status command until Current Update Status changes to Idle, and then update the desired signature database.

  • Checking the Signature Database Version

    Check the signature database version to determine whether the signature database needs to be updated.

    To check the signature database version, perform the following operation:

    1. Run the display version sa-sdb command to check the signature database version.

      <Huawei> display version sa-sdb                                           
      SA SDB Update Information List:                                                 
      ----------------------------------------------------------------                
        Current Version:                                                              
          Signature Database Version    : 2016033101                                  
          Signature Database Size(byte) : 1735779                                     
          Update Time                   : 16:12:26 2016/05/14                         
          Issue Time of the Update File : 15:55:31 2016/03/31                         
                                                                                      
        Backup Version:                                                               
          Signature Database Version    :                                             
          Signature Database Size(byte) : 0                                           
          Update Time                   : 00:00:00 0000/00/00                         
          Issue Time of the Update File : 00:00:00 0000/00/00                         
      ---------------------------------------------------------------- 
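
The three checks above (free space, update status, current version) are easy to script when many Central APs are maintained. The following is an added example, not Huawei's code or part of this guide: it parses captured output of dir, display update status and display version sa-sdb and decides whether an update may proceed. The sample outputs are trimmed copies of the guide's own examples; the 10 MB requirement comes from the table above and is interpreted here as 10 * 1024 KB, which is an assumption about the unit.

```python
"""Pre-update checks for the SA-SDB signature database, run over captured CLI output.

Added example, not Huawei's code. It parses the output of the three commands the
Preparation section tells you to run (dir, display update status,
display version sa-sdb) and decides whether an update may proceed.
"""
import re

REQUIRED_FREE_KB = 10 * 1024  # "10 MB or higher" from the guide; MiB interpretation assumed

# Constructed sample output, trimmed from the guide's `dir` example.
DIR_OUTPUT = """\
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          8,208  May 05 2016 17:50:47   AC.pat
    1  -rw-     47,774,428  Jan 24 2016 11:49:56   AC.cc
   58  -rw-          1,511  May 12 2016 11:44:41   vrpcfg.zip

1,975,380 KB total (393,452 KB free)
"""

# Constructed sample output of `display update status`.
STATUS_OUTPUT = "  Current Update Status: Idle.\n"

# Constructed sample output, trimmed from the guide's `display version sa-sdb` example.
VERSION_OUTPUT = """\
SA SDB Update Information List:
----------------------------------------------------------------
  Current Version:
    Signature Database Version    : 2016033101
    Signature Database Size(byte) : 1735779
    Update Time                   : 16:12:26 2016/05/14

  Backup Version:
    Signature Database Version    :
    Signature Database Size(byte) : 0
----------------------------------------------------------------
"""


def free_space_kb(dir_output):
    """Free space in KB, read from the summary line `... KB total (N KB free)`."""
    match = re.search(r"\(([\d,]+) KB free\)", dir_output)
    if not match:
        raise ValueError("no free-space summary line in dir output")
    return int(match.group(1).replace(",", ""))


def update_status(status_output):
    """The word after `Current Update Status:`, for example Idle."""
    match = re.search(r"Current Update Status:\s*(\w+)", status_output)
    if not match:
        raise ValueError("no update status line found")
    return match.group(1)


def current_sdb_version(version_output):
    """Version number under `Current Version:`, or None if the field is blank."""
    current_section = version_output.split("Backup Version:")[0]
    # [ \t]* instead of \s* so a blank field does not pick up digits from the next line
    match = re.search(r"Signature Database Version\s*:[ \t]*(\d+)?", current_section)
    if not match:
        raise ValueError("no Signature Database Version field found")
    return int(match.group(1)) if match.group(1) else None


def update_precheck(dir_output, status_output, version_output, candidate_version):
    """Return (ok, reasons) for loading `candidate_version` (for example 2016051401)."""
    reasons = []
    free_kb = free_space_kb(dir_output)
    if free_kb < REQUIRED_FREE_KB:
        reasons.append(f"free space {free_kb} KB is below the required {REQUIRED_FREE_KB} KB")
    status = update_status(status_output)
    if status != "Idle":
        reasons.append(f"update status is {status}, not Idle; retry later")
    current = current_sdb_version(version_output)
    if current is not None and candidate_version <= current:
        reasons.append(f"candidate {candidate_version} is not newer than current {current}")
    return not reasons, reasons


if __name__ == "__main__":
    ok, why = update_precheck(DIR_OUTPUT, STATUS_OUTPUT, VERSION_OUTPUT, 2016051401)
    print("update may proceed" if ok else "blocked: " + "; ".join(why))
```

The version comparison relies on the YYYYMMDDNN layout of the version string shown in the guide's example, so numeric comparison orders releases by issue date.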
Context

The application identification signature database can be updated in either of the following modes:

  • Online update

    If the Central AP can communicate with the update center (sec.huawei.com) directly over the Internet or through a proxy server, you can update the application identification signature database in online mode.

    Online update can be performed in two ways:

    • Scheduled update

      The Central AP accesses the update center on a schedule to look for a newer application signature database. If a new version is found, the Central AP downloads it at the scheduled time and updates the local application signature database.

    • Immediate update

      After the online application signature database is updated, you can immediately update the local database instead of waiting for the scheduled update.

      Immediate update uses the same download address and process as scheduled update. The two modes differ only in that an immediate update can be started at any time, whereas a scheduled update runs at the configured time.

  • Local update

    When the Central AP is physically isolated from the Internet and no proxy server is deployed on the intranet, you can update application signature databases locally.

For details on signature database update scenarios, see Updating Signature Databases Configuration (Central AP).

Online Update
  1. Configure an update center.
    1. Access the system view.

      system-view

    2. Configure the update center.

      update server { domain domain-name | ip ip-address } [ port port-number ]

      The update center is the security center platform, and its default domain name is sec.huawei.com.

  2. Optional: Configure a proxy server.

    Perform this step when the Central AP needs to access the update center using a proxy server.

    1. Enable the signature database proxy update.

      update proxy enable

    2. Set the domain name (or IP address), user name, and password of the proxy server.

      update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name [ password password ] ]
      NOTE:

      If a domain name is configured for the proxy server, a DNS server must be configured to resolve the domain name. For details on how to configure the DNS server, see step 3.

  3. Optional: Configure a DNS server.
    1. Configure the DNS server to resolve domain names.

      dns resolve

    2. Specify the IP address of the DNS server.

      dns server ip-address

  4. Optional: Specify the source IP address for online update request packets.

    • Specify an interface IP address as the source IP address for online update request packets.

      update host source interface-type interface-number
    • Specify the source IP address of online update request packets.

      update host source ip ip-address

    If the administrator does not specify the source IP address of online update request packets, the system searches a route based on the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

    If the interface has multiple IP addresses, run the update host source ip ip-address command to set the source IP address of update request packets and ensure that the Central AP can receive the reply packets. Otherwise, the online update may fail.

    When the Central AP connects to the Internet through a VPN instance, these commands are mandatory; if they are not configured, the update fails.
    • When update host source interface-type interface-number is configured, the interface must be bound to the corresponding VPN instance.

    • When the update host source ip ip-address command is configured, vpn-instance vpn-instance must be specified.

  5. Configure the scheduled or immediate update function.

    NOTE:

    After the scheduled or immediate update is started, you can run the update abort command to abort the update if the update consumes too much bandwidth and interrupts normal services. Wait until the bandwidth is sufficient for the update and normal services and then run the update online sa-sdb command to download the latest signature database.

    • Scheduled update

      1. Enable the scheduled update function for the signature database.

        update schedule sa-sdb enable
      2. Set the scheduled update time for the signature database.

        update schedule sa-sdb { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time

        It is recommended that the signature database be updated once every week. You can adjust the time as required.

    • Immediate update

      Download the latest signature database.

      update online sa-sdb
Local Update

Before a local update, the update package must be uploaded to the memory of the Central AP using SFTP, FTP, or TFTP.

  1. Download the update package.

    Download update packages from the security center (sec.huawei.com). For details, refer to Update Center.

  2. Upload the update package from the PC to the memory of the Central AP.

    NOTE:

    The update package can be placed in any directory of the Central AP storage. However, the root directory is recommended.

    The signature database files are in .zip format. You can upload them directly to the Central AP without decompressing them.

  3. Access the system view.

    system-view

  4. Enable the local update function.

    update local sa-sdb file filename

Version Rollback

When the current signature database is faulty (for example, false positives occur or system performance is degraded), you can roll back to the previous version.

Only one earlier version is kept. If you perform the rollback repeatedly, the device alternates between the current version and the rollback version.

  1. Access the system view.

    system-view

  2. Roll back the signature database to an earlier version.

    update rollback sa-sdb

Configuring a Predefined Application

This section describes how to configure the predefined applications and SA parameters.

Context

Multiple well-known applications are predefined on the Central AP.

Procedure

  • Query the details on a predefined application.

    display application [ pre-defined | name name ]

  • Set SA parameters.
    1. Access the SA view from the system view.

      sa

    2. Set SA parameters.

      Item / Command

      Set the aging time of the predefined application identification correlation table.
        application name name cache type multi-channel aging-time aging-time

      Set the threshold of packet quantity for the SA module to enable port identification.
        port-identification packet-number-threshold packets

      Set the maximum number of bytes of sessions that can be detected by the SA module.
        detect max-bytes max-bytes

      Set the maximum number of packets of sessions that can be detected by the SA module.
        detect max-packets max-packets

      Set the maximum duration in which the SA module detects sessions.
        detect max-time max-time

      Enable unidirectional detection for the SA module.
        detect uni-direction

Verification and Check

This section describes the verification and check operations after applications are configured.

After configuring applications, you can do as follows to check the configuration result.

Operation / Command

View applications.
  display application [ pre-defined | name name ]

View the aging time of the application identification correlation table.
  display application name name aging-time

Enabling the SAC Statistics Collection Function

Context

After going online on the RU, the user starts various applications on the STA to access the network. By analyzing packets sent by users, the central AP collects information about network usage by applications of each user and reports the collected information to the network management system (NMS). The NMS then displays and stores the information, which the administrator can view at any time.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    sac-profile name profile-name

    An SAC profile is created and the SAC profile view is displayed.

    By default, no SAC profile is available in the system.

  4. Run:

    vap-protocol-statistic enable

    The protocol statistics collection function is enabled on the VAP.

    By default, the protocol statistics collection function is disabled on a VAP.

  5. Run:

    user-protocol-statistic enable

    The user-based protocol statistics collection function is enabled.

    By default, the user-based protocol statistics collection function is disabled.

    NOTE:

    This function takes effect only for STAs that go online after the user-protocol-statistic enable command is successfully executed.

Configuring an SAC Policy

Context

You can configure SAC policies for re-marking packet priorities, discarding packets, and limiting packet rates based on applications or application groups, so as to control different types of applications and ensure stable and highly efficient running of key services.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    sac-profile name profile-name

    The SAC profile view is displayed.

  4. Configure an SAC policy.

    • Configure a packet priority modification policy based on the application or application list.

      Run the application-group group-name app-protocol { app-protocol-name | all } remark { dscp dscp-value | dot1p dot1p-value } command to modify the priority of specified packets.

      By default, the priority of packets is not specified in an SAC profile.

    • Configure a packet discarding policy based on the application or application list.

      Run the application-group group-name app-protocol { app-protocol-name | all } deny command to discard specified packets.

      By default, application packets are not discarded in an SAC profile.

    • Configure a packet rate limiting policy based on the application or application list.

      Run the application-group group-name app-protocol { app-protocol-name | all } car cir-value command to limit the rate of specified packets.

      By default, the packet rate of all applications or specified applications in the application list is not limited.
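
The three policy forms above share one command prefix and differ only in the action keyword and its value. The following is an added example, not Huawei's code or part of this guide: given a list of rules it emits the exact application-group ... app-protocol ... lines to paste into the SAC profile view, and rejects values or combinations that would fail or make no sense before they reach the device. The DSCP range 0-63 and 802.1p (dot1p) range 0-7 are the standard field widths; the CIR is only required to be a positive integer because the guide states no upper bound. Group and protocol names such as video or sip are constructed placeholders.

```python
"""Build and sanity-check SAC policy commands for an SAC profile.

Added example, not Huawei's code. Emits the application-group ... app-protocol ...
lines from this section and validates values and rule combinations first.
"""

VALID_ACTIONS = ("remark-dscp", "remark-dot1p", "deny", "car")


def _check_range(value, low, high, label):
    """Reject non-integers and values outside low..high inclusive."""
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{label} must be an integer in {low}..{high}, got {value!r}")
    return value


def build_sac_policy_commands(profile_name, rules):
    """Return the CLI lines, starting from system-view, that create the policy.

    Each rule is a dict with keys "group", "protocol" (a name or "all"),
    "action" (one of VALID_ACTIONS) and, except for deny, "value".
    """
    lines = ["system-view", "wlan", f"sac-profile name {profile_name}"]
    actions_seen = {}  # (group, protocol) -> set of actions already emitted
    for rule in rules:
        group, protocol, action = rule["group"], rule["protocol"], rule["action"]
        if action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        seen = actions_seen.setdefault((group, protocol), set())
        if action in seen:
            raise ValueError(f"{group}/{protocol}: duplicate {action} rule")
        # Discarding the traffic and re-marking or rate-limiting it contradict each other.
        if "deny" in seen or (action == "deny" and seen):
            raise ValueError(f"{group}/{protocol}: deny cannot be combined with remark or car")
        seen.add(action)
        prefix = f"application-group {group} app-protocol {protocol}"
        if action == "remark-dscp":
            lines.append(f"{prefix} remark dscp {_check_range(rule['value'], 0, 63, 'dscp')}")
        elif action == "remark-dot1p":
            lines.append(f"{prefix} remark dot1p {_check_range(rule['value'], 0, 7, 'dot1p')}")
        elif action == "deny":
            lines.append(f"{prefix} deny")
        else:  # car: the guide gives no upper bound for cir-value, so only positivity is checked
            cir = rule["value"]
            if not isinstance(cir, int) or cir <= 0:
                raise ValueError(f"cir-value must be a positive integer, got {cir!r}")
            lines.append(f"{prefix} car {cir}")
    return lines


# Constructed sample rules; group and protocol names are placeholders.
SAMPLE_RULES = [
    {"group": "video", "protocol": "all", "action": "car", "value": 2000},
    {"group": "voice", "protocol": "sip", "action": "remark-dscp", "value": 46},
    {"group": "p2p", "protocol": "all", "action": "deny"},
]

if __name__ == "__main__":
    print("\n".join(build_sac_policy_commands("office", SAMPLE_RULES)))
```

Whether a device accepts both a dscp and a dot1p re-mark for the same group and protocol is not stated in this guide, so the builder only rejects exact duplicates and deny combined with another action.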

Applying the Configuration to a VAP Profile or a User Group

Context

After an SAC policy is configured in an SAC profile, bind the SAC profile to a VAP profile or a user group.

Procedure

  • Bind an SAC profile to a VAP profile.
    1. Run the system-view command to enter the system view.
    2. Run the wlan command to enter the WLAN view.
    3. Run the vap-profile name profile-name command to enter the VAP profile view.
    4. Run the sac-profile profile-name command to bind the SAC profile to a VAP profile.

      By default, no SAC profile is bound to a VAP profile.

  • Bind an SAC profile to a user group.
    1. Run the system-view command to enter the system view.
    2. Run the user-group user-group command to enter the user group view.
    3. Run the sac-profile profile-name command to bind the SAC profile to a user group.

      By default, no SAC profile is bound to a user group.

Checking the Configuration

Context

After SAC configuration is complete, you can check SAC profiles saved on the device, including their configuration and profile reference information.

Procedure

  • Run the display sac-profile { all | name profile-name } command to check configuration and reference information about all SAC profiles or a specified SAC profile.
  • Run the display references sac-profile name profile-name command to check reference information about an SAC profile.
  • Run the display sac information command to check the SAC configuration on the device.
  • Run the display sac application-group [ group-name ] command to check configuration information about the SAC application group on the device.
  • Run the display sac protocol-list command to check the SAC protocol list on the device.
  • Run the display sac protocol-statistic { period | total } { inbound | outbound | all } { protocol protocol-name | top-n number } { ap-id ap-id radio-id radio-id ssid ssid | ap-name ap-name radio-id radio-id ssid ssid | user user-mac } command to check statistics about packets of a specified SAC application protocol.
Updated: 2019-01-11

Document ID: EDOC1000176006