Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuration Examples

This section provides antivirus configuration examples.

Example for Configuring the Antivirus Function

Networking Requirements

An enterprise has deployed a central AP on the network border as a security gateway. To allow intranet users to download files through the web server, the enterprise uses the antivirus function of the central AP to protect the network from virus files, thereby ensuring the security of intranet users and servers. Figure 26-45 shows the network environment of the enterprise.

A user failed to download software through the web server. Troubleshooting showed that the central AP considers the software a virus and blocks it. Given the importance and trusted source of the software, the administrator decided to temporarily permit this type of virus file so that the user could download the software.

Figure 26-45  Networking diagram for configuring the antivirus function

Configuration Roadmap
  1. Configure basic WLAN services.
  2. Configure an antivirus profile. Configure the matching condition and action for HTTP requests, and configure the virus (ID: 16424404) as an exception in the antivirus profile.
  3. Configure an attack defense profile and bind the antivirus profile to it.
  4. Configure a VAP profile and bind the attack defense profile to it.

Procedure

  1. Configure basic WLAN services. For details, see Example for Configuring an Agile Distributed WLAN.
  2. Enable the security engine and configure an antivirus profile.
    1. Enable the security engine.

      <Huawei> system-view
      [Huawei] sysname AP
      [AP] defence engine enable
             It will take several minutes to initialize engine, please wait.
      Info: Load the IPS signature database if IPS detection is required after license activation.
      Info: Load the AV signature database if AV detection is required after license activation.
      Info:Engine has been initialized successfully.

    2. Create an attack defense profile named defence_wlan.

      [AP] defence-profile name defence_wlan
      [AP-defence-profile-defence_wlan] quit
      

    3. Configure an antivirus profile for detecting viruses in HTTP traffic. After the configuration is complete, virus detection for the other protocols (FTP, SMTP, POP3, IMAP, NFS, and SMB) is disabled.

      [AP] profile type av name av_http
      [AP-profile-av-av_http] http-detect direction download action block
      [AP-profile-av-av_http] exception av-signature-id 16424404
      [AP-profile-av-av_http] undo ftp-detect
      [AP-profile-av-av_http] undo smtp-detect
      [AP-profile-av-av_http] undo pop3-detect
      [AP-profile-av-av_http] undo imap-detect
      [AP-profile-av-av_http] undo nfs-detect
      [AP-profile-av-av_http] undo smb-detect
      [AP-profile-av-av_http] quit

    4. Bind antivirus profile av_http to attack defense profile defence_wlan.

      [AP] defence-profile name defence_wlan
      [AP-defence-profile-defence_wlan] profile type av av_http
      [AP-defence-profile-defence_wlan] quit
      

  3. Configure a VAP profile and bind attack defense profile defence_wlan to it.

    [AP] wlan
    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] defence-profile defence_wlan
    

  4. Verification

    • Download connections are blocked when intranet users attempt to download files infected with viruses through HTTP.
    • Intranet users can successfully download a piece of important software (virus 16424404 detected).
    Check whether the configuration is correct using an EICAR test file.
    1. Construct an EICAR test file and compress it.
      1. Create a .txt file on the PC and add the following content:

        X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

      2. Save the file by setting File name to EICAR.COM and Save as type to All Files.
      3. Compress the EICAR.COM file into eicar.zip.
    2. Before adding the ID 16424404 of the EICAR test file to virus exceptions, test whether the antivirus function takes effect for the HTTP download.

      On the web server, make an HTML page containing the path for downloading eicar.zip. When an intranet user attempts to download eicar.zip from this page through HTTP, the download fails.

    3. After adding the ID 16424404 of the EICAR test file to virus exceptions, test whether the antivirus function takes effect for the HTTP download.

      The eicar.zip file can be successfully transmitted through HTTP, without blocking.

Configuration Script

Central AP configuration script

#
 defence engine enable
 sysname AP
#
profile type av name av_http
 http-detect direction download
 undo ftp-detect
 undo smtp-detect
 undo pop3-detect
 undo imap-detect
 undo nfs-detect
 undo smb-detect
 exception av-signature-id 16424404
#
vlan batch 100 to 101
#
dhcp enable
#
defence-profile name defence_wlan
  profile type av av_http
# 
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 101
#
management-vlan 100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  defence-profile defence_wlan 
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 1 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return
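
The binding chain configured above (VAP profile to attack defense profile to antivirus profile), the protocols left undetected, and the signature exception can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the Huawei documentation; the function name `audit` and the report layout are assumptions, and the input is a constructed excerpt of the configuration script above.

```python
import re

# Constructed input: excerpt of the central AP configuration script on this page.
CONFIG = """\
profile type av name av_http
 http-detect direction download
 undo ftp-detect
 undo smb-detect
 exception av-signature-id 16424404
#
defence-profile name defence_wlan
  profile type av av_http
#
wlan
 vap-profile name wlan-vap
  defence-profile defence_wlan
 regulatory-domain-profile name domain1
"""

HEADERS = {"av": r"profile type av name (\S+)$",
           "defence": r"defence-profile name (\S+)$",
           "vap": r"vap-profile name (\S+)$"}
BINDS = {"defence": r"profile type av (\S+)$", "vap": r"defence-profile (\S+)$"}

def audit(text):
    """Resolve VAP -> attack defense -> antivirus bindings and list each AV profile's gaps."""
    av, bind, ctx = {}, {"defence": {}, "vap": {}}, None
    for line in (raw.strip() for raw in text.splitlines()):
        hit = next(((k, m.group(1)) for k, p in HEADERS.items()
                    if (m := re.match(p, line))), None)
        if hit:
            ctx = hit
            if hit[0] == "av":
                av[hit[1]] = {"undetected": [], "exceptions": []}
        elif line == "#" or re.match(r"\S+ name \S+", line):
            ctx = None  # a different view starts here
        elif ctx and ctx[0] == "av":
            if m := re.match(r"undo (\w+)-detect$", line):
                av[ctx[1]]["undetected"].append(m.group(1))
            elif m := re.match(r"exception av-signature-id (\d+)$", line):
                av[ctx[1]]["exceptions"].append(int(m.group(1)))
        elif ctx and (m := re.match(BINDS[ctx[0]], line)):
            bind[ctx[0]][ctx[1]] = m.group(1)
    return {vap: {"defence": dp, "av": bind["defence"].get(dp),
                  **av.get(bind["defence"].get(dp), {})}
            for vap, dp in bind["vap"].items()}

if __name__ == "__main__":
    print(audit(CONFIG))
```

An `av` value of `None` means the VAP's attack defense profile has no antivirus profile bound, so its traffic is not scanned; a non-empty `exceptions` list is the place to look for temporary exceptions such as 16424404 that were never removed.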
Updated: 2019-01-11

Document ID: EDOC1000176006
