NETCONF YANG API Reference

AR100, AR120, AR160, AR1200, AR2200, AR3200, and AR3600 V300R003

Firewall

Data Model

The data model file matching the firewall is huawei-zone-based-firewall.yang.

Table 3-1271 Data model of a firewall security zone

Object

Description

/huawei-zone-based-firewall/security-zone/zone-instance

Indicates that the object of the operation request (creating, deleting, or modifying) is a firewall security zone instance. It is a root object, which only contains sub-objects and carries no data of its own.

/huawei-zone-based-firewall/security-zone/zone-instance/zone-name

Indicates the name of a security zone. The value is a string of 1 to 32 case-sensitive characters without hyphens (-).

/huawei-zone-based-firewall/security-zone/zone-instance/priority

Indicates the priority of the security zone. The value is an integer, and the value range varies according to the product model:

  • AR120, AR150, AR160, and AR200 series: 0 to 15
  • AR1200 series, AR2201-48FE, AR2202-48FE, AR2204-24GE, AR2204-27GE, AR2204-27GE-P, AR2204-48GE-P, AR2204-51GE-P, AR2204-51GE-R, AR2204E, AR2204E-D, AR2204-51GE, and AR2204: 0 to 15
  • AR2220, and AR2220E: 0 to 63
  • AR2240C: 0 to 63
  • AR2240, AR3260 (SRU40, and SRU60): 0 to 63
  • AR2240, AR3260 (SRU80, SRU100, and SRU100E), AR2204XE: 0 to 127
  • AR2240, AR3260 (SRU200, SRU200E, and SRU400): 0 to 127
  • AR3600 series: 0 to 127

A larger value indicates a higher priority.

/huawei-zone-based-firewall/security-zone/zone-instance/assign-interface

-

/huawei-zone-based-firewall/firewall-interzone/interzone-instance/zone1

Indicates the name of a security zone included in the interzone. The value is a string of 1 to 32 characters.

/huawei-zone-based-firewall/firewall-interzone/interzone-instance/zone2

Indicates the name of the other security zone included in the interzone. The value is a string of 1 to 32 characters.

/huawei-zone-based-firewall/firewall-interzone/interzone-instance/firewall-enable

-

/huawei-zone-based-firewall/firewall-interzone/interzone-instance/security-policy-name

Indicates the name of a security policy for an interzone. Ensure that the configured security policy has been created successfully.

/huawei-zone-based-firewall/firewall-interzone/interzone-instance/inter-zone-polices/direction

Indicates the packet filtering direction in the interzone. The options are as follows:

  • inbound: Filters inbound packets. An inbound packet is sent from a low-priority zone to a high-priority zone.
  • outbound: Filters outbound packets. An outbound packet is sent from a high-priority zone to a low-priority zone.

/huawei-zone-based-firewall/firewall-interzone/interzone-instance/inter-zone-polices/default-action

Indicates the default packet filtering method of the interzone. The options are as follows:

  • deny: Rejects all packets.
  • permit: Allows all packets to pass.

/huawei-zone-based-firewall/firewall-interzone/interzone-instance/inter-zone-polices/filter-acl

Indicates the number of the ACL used for packet filtering in the interzone. Both basic and advanced ACLs can be used.

The value is an integer that ranges from 2000 to 3999:

  • 2000-2999: basic ACLs
  • 3000-3999: advanced ACLs

/huawei-zone-based-firewall/firewall-interzone/interzone-instance/detect-aspf

Enables application specific packet filtering (ASPF) in the interzone.

  • ftp: Applies ASPF to FTP protocol packets.
  • rtsp: Applies ASPF to RTSP protocol packets.
  • sip: Applies ASPF to SIP protocol packets.

/huawei-zone-based-firewall/black-list/enable

-

/huawei-zone-based-firewall/black-list/black-instance/index

Indicates the index of a black instance.

/huawei-zone-based-firewall/black-list/black-instance/ip-address

Indicates the IP address that you want to add to the blacklist.

The value is a valid IPv4 address in dotted decimal notation.

/huawei-zone-based-firewall/black-list/black-instance/vpn-instance

Indicates the name of a VPN instance to which the specified IP address belongs.

The value is a string of 1 to 31 case-sensitive characters.

/huawei-zone-based-firewall/black-list/black-instance/expire-time

Indicates the aging time of a blacklist entry.

The value is an integer that ranges from 1 to 1000, in minutes.

/huawei-zone-based-firewall/firewall-defend/defence-action/type

Type of attack defense:

  • fraggle-defend
  • icmp-redirect-defend
  • icmp-unreachable-defend
  • ip-fragment-defend
  • ip-sweep-defend
  • land-defend
  • large-icmp-defend
  • ping-of-death-defend
  • tcp-flag-defend
  • teardrop-defend
  • tracert-defend
  • winnuke-defend
  • smurf-defend
  • port-scan-defend
  • icmp-flood-defend
  • syn-flood-defend
  • udp-flood-defend

/huawei-zone-based-firewall/firewall-defend/defence-action/enable

-

/huawei-zone-based-firewall/firewall-defend/defence-action/parameters/length

Indicates the maximum length of ICMP packets allowed to pass.

The value is an integer that ranges from 28 to 65535, in bytes. The default value is 4000.

/huawei-zone-based-firewall/firewall-defend/defence-action/parameters/blacklist-expire-time

Indicates the timeout interval of a blacklist.

The value is an integer that ranges from 1 to 1000, in minutes. The default value is 20.

/huawei-zone-based-firewall/firewall-defend/defence-action/parameters/rate

Indicates the maximum connection rate.

The value is an integer that ranges from 1 to 10000, in pps. The default value is 4000.

/huawei-zone-based-firewall/firewall-defend/defence-action/parameters/flood-target/index

Indicates the index of flood-target.

/huawei-zone-based-firewall/firewall-defend/defence-action/parameters/flood-target/protected-type

Indicates the protected type.

/huawei-zone-based-firewall/firewall-defend/defence-action/parameters/flood-target/ip-address

Indicates the protected IP address.

The value is a valid IPv4 address in dotted decimal notation.

/huawei-zone-based-firewall/firewall-defend/defence-action/parameters/flood-target/vpn-instance

Indicates the name of a VPN instance to which the specified IP address belongs.

The value is a string of 1 to 31 case-sensitive characters.

/huawei-zone-based-firewall/firewall-defend/defence-action/parameters/flood-target/zone-name

Indicates the protected security zone.

The name is a string of 1 to 32 characters. The security zone name must already exist.

/huawei-zone-based-firewall/firewall-defend/defence-action/parameters/flood-target/tcp-proxy

Indicates whether to enable the TCP proxy. The options are as follows:

  • auto: The TCP proxy is enabled automatically when the actual connection rate exceeds the upper limit.
  • off: The TCP proxy is always disabled.
  • on: The TCP proxy is always enabled.

/huawei-zone-based-firewall/firewall-defend/defence-action/parameters/flood-target/rate

Indicates the maximum connection rate.

The value is an integer that ranges from 1 to 65535, in pps. The default value is 1000.
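The constraints in the table above can be enforced on the client before a request is sent, which turns a rejected edit-config (and the rollback-on-error it triggers) into a local error with a readable message. The Python below is an added example, not code from the Huawei document: the product-model keys, the dictionary shape of each object and the message texts are its own assumptions, while the ranges, character limits and option sets are the ones the table states. It also derives the expected direction of an interzone from the two zones' priorities, which the table defines only in words.

```python
import ipaddress

# Added example, not code from the Huawei document. The ranges below are the
# ones stated in the data model table; the model keys are this example's own
# naming (where the range depends on the SRU, the key is "<model>/<SRU>").
PRIORITY_RANGE = {
    "AR120": (0, 15), "AR150": (0, 15), "AR160": (0, 15), "AR200": (0, 15),
    "AR1200": (0, 15), "AR2204": (0, 15), "AR2204E": (0, 15),
    "AR2220": (0, 63), "AR2220E": (0, 63), "AR2240C": (0, 63),
    "AR2240/SRU40": (0, 63), "AR2240/SRU60": (0, 63),
    "AR3260/SRU40": (0, 63), "AR3260/SRU60": (0, 63),
    "AR2240/SRU80": (0, 127), "AR2240/SRU100": (0, 127),
    "AR2240/SRU200": (0, 127), "AR2240/SRU400": (0, 127),
    "AR3260/SRU80": (0, 127), "AR3260/SRU100": (0, 127),
    "AR3260/SRU200": (0, 127), "AR3260/SRU400": (0, 127),
    "AR2204XE": (0, 127), "AR3600": (0, 127),
}
ASPF_PROTOCOLS = {"ftp", "rtsp", "sip"}


def validate_zone(zone, model):
    """Check a zone-instance dict ({"zone-name", "priority", ...}) for the
    product `model`; returns a list of violations, empty when the data is valid.
    An unknown model key raises KeyError on purpose."""
    problems = []
    name = zone.get("zone-name", "")
    if not 1 <= len(name) <= 32:
        problems.append("zone-name must be 1 to 32 characters")
    if "-" in name:
        problems.append("zone-name must not contain hyphens")
    lo, hi = PRIORITY_RANGE[model]
    prio = zone.get("priority")
    if not isinstance(prio, int) or not lo <= prio <= hi:
        problems.append(f"priority must be an integer in {lo}..{hi} on {model}")
    return problems


def acl_kind(number):
    """Classify a filter-acl number as the data model does; None if out of range."""
    if 2000 <= number <= 2999:
        return "basic"
    if 3000 <= number <= 3999:
        return "advanced"
    return None


def expected_direction(src_priority, dst_priority):
    """Direction implied by zone priorities: inbound is low -> high, outbound is
    high -> low. Equal priorities are not covered by the table; None is returned
    so the caller can treat that as an error (this example's own choice)."""
    if src_priority < dst_priority:
        return "inbound"
    if src_priority > dst_priority:
        return "outbound"
    return None


def validate_interzone(iz, zone_priorities):
    """Check an interzone-instance dict against the model and against the zones
    it joins (zone_priorities maps existing zone names to their priority)."""
    problems = []
    for key in ("zone1", "zone2"):
        if iz.get(key) not in zone_priorities:
            problems.append(f"{key} refers to a zone that does not exist")
    policies = iz.get("inter-zone-polices", {})  # spelling as in the model
    acl = policies.get("filter-acl")
    if acl is not None and acl_kind(acl) is None:
        problems.append("filter-acl must be 2000..3999")
    if "direction" in policies and policies["direction"] not in ("inbound", "outbound"):
        problems.append("direction must be inbound or outbound")
    if "default-action" in policies and policies["default-action"] not in ("deny", "permit"):
        problems.append("default-action must be deny or permit")
    for proto in iz.get("detect-aspf", []):
        if proto not in ASPF_PROTOCOLS:
            problems.append(f"detect-aspf does not support {proto}")
    return problems


def validate_blacklist_entry(entry):
    """Check a black-instance dict: dotted-decimal IPv4 address, VPN instance
    name length, aging time in minutes."""
    problems = []
    try:
        ipaddress.IPv4Address(entry.get("ip-address", ""))
    except ValueError:
        problems.append("ip-address must be a valid dotted-decimal IPv4 address")
    vpn = entry.get("vpn-instance")
    if vpn is not None and not 1 <= len(vpn) <= 31:
        problems.append("vpn-instance must be 1 to 31 characters")
    ttl = entry.get("expire-time")
    if ttl is not None and not (isinstance(ttl, int) and 1 <= ttl <= 1000):
        problems.append("expire-time must be 1 to 1000 minutes")
    return problems
```

Running the checks before each request also documents, in one place, which limits depend on the product model; only the priority range does, so PRIORITY_RANGE is the single table that has to be kept in step with the hardware the client talks to.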

Firewall Security Zone

This section describes samples of creating, modifying, and deleting a firewall security zone.

Creating a Firewall Security Zone

This section provides a sample of creating a firewall security zone using the merge method. A firewall security zone can also be configured using the create method.

Table 3-1272 Creating a firewall security zone

Operation: edit-config:merge
XPATH: /huawei-zone-based-firewall/security-zone/zone-instance

Data Requirements

Table 3-1273 Creating a firewall security zone

  • Name of a security zone: zone1
  • Priority of a security zone: 10
  • Interface: Vlanif3

Description: Create a zone named zone1, set the priority to 10, and add the interface VLANIF 3 to the zone.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <security-zone xmlns="urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall">
    <zone-instance xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <zone-name>zone1</zone-name>
     <priority>10</priority>
     <assign-interface>Vlanif3</assign-interface>
    </zone-instance>
   </security-zone>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>
Modifying a Firewall Security Zone

This section provides a sample of modifying a firewall security zone using the replace method.

Table 3-1274 Modifying a firewall security zone

Operation: edit-config:replace
XPATH: /huawei-zone-based-firewall/security-zone/zone-instance

Data Requirements

Table 3-1275 Modifying a firewall security zone

  • Name of a security zone: zone1
  • Priority of a security zone: 15
  • Interface: Vlanif3

Description: Modify the zone zone1, change the priority to 15, and add the interface VLANIF 3 to the zone.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <security-zone xmlns="urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall">
    <zone-instance xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="replace">
     <zone-name>zone1</zone-name>
     <priority>15</priority>
     <assign-interface>Vlanif3</assign-interface>
    </zone-instance>
   </security-zone>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>
Deleting a Firewall Security Zone

This section provides a sample of deleting a firewall security zone using the remove method.

Table 3-1276 Deleting a firewall security zone

Operation: edit-config:remove
XPATH: /huawei-zone-based-firewall/security-zone/zone-instance

Data Requirements

Table 3-1277 Deleting a firewall security zone

  • Name of a security zone: zone1
  • Priority of a security zone: 10
  • Interface: Vlanif3

Description: Delete the configuration of the zone named zone1.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <security-zone xmlns="urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall">
    <zone-instance xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
     <zone-name>zone1</zone-name>
     <priority>10</priority>
     <assign-interface>Vlanif3</assign-interface>
    </zone-instance>
   </security-zone>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>
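The three zone-instance requests above differ only in the nc:operation attribute and the priority value, so a client can build all of them from one function and parse the rpc-reply to learn whether the rollback-on-error path was taken. The Python below is an added example, not code from the Huawei document: it uses the standard-library ElementTree, the prefixed-namespace output it produces is equivalent to the default-namespace form in the samples, the describe_request helper is the example's own, and the rpc-error reply is a constructed sample in the RFC 6241 layout, not a reply captured from an AR router.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the Huawei document. Prefixes are registered so
# the serialized request is readable; a NETCONF server resolves namespaces, so
# "nc:rpc" with xmlns:nc is equivalent to the default-namespace form above.
BASE_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
FW_NS = "urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall"
ET.register_namespace("nc", BASE_NS)
ET.register_namespace("fw", FW_NS)
EDIT_OPERATIONS = {"merge", "create", "replace", "remove"}


def zone_edit_config(operation, zone_name, priority=None, interface=None, message_id="123"):
    """Build the <rpc><edit-config> request for one zone-instance. `operation`
    becomes the nc:operation attribute; leaves that are None are left out, so a
    remove can name just the zone."""
    if operation not in EDIT_OPERATIONS:
        raise ValueError(f"unsupported edit-config operation: {operation}")
    rpc = ET.Element(f"{{{BASE_NS}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{BASE_NS}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{BASE_NS}}}target"), f"{{{BASE_NS}}}running")
    # rollback-on-error: a rejected zone leaves the running config untouched
    ET.SubElement(edit, f"{{{BASE_NS}}}error-option").text = "rollback-on-error"
    config = ET.SubElement(edit, f"{{{BASE_NS}}}config")
    zone = ET.SubElement(config, f"{{{FW_NS}}}security-zone")
    inst = ET.SubElement(zone, f"{{{FW_NS}}}zone-instance",
                         {f"{{{BASE_NS}}}operation": operation})
    ET.SubElement(inst, f"{{{FW_NS}}}zone-name").text = zone_name
    if priority is not None:
        ET.SubElement(inst, f"{{{FW_NS}}}priority").text = str(priority)
    if interface is not None:
        ET.SubElement(inst, f"{{{FW_NS}}}assign-interface").text = interface
    return ET.tostring(rpc, encoding="unicode")


def describe_request(xml_text):
    """Parse a request the way a receiver would: (operation, {leaf: value})."""
    inst = ET.fromstring(xml_text).find(f".//{{{FW_NS}}}zone-instance")
    leaves = {child.tag.split("}")[1]: child.text for child in inst}
    return inst.get(f"{{{BASE_NS}}}operation"), leaves


def parse_reply(xml_text):
    """Return ("ok", []) for the <ok/> reply shown above, or
    ("error", [(error-tag, error-message), ...]) for an rpc-error reply."""
    root = ET.fromstring(xml_text)
    if root.find(f"{{{BASE_NS}}}ok") is not None:
        return "ok", []
    errors = [(err.findtext(f"{{{BASE_NS}}}error-tag"),
               err.findtext(f"{{{BASE_NS}}}error-message"))
              for err in root.findall(f"{{{BASE_NS}}}rpc-error")]
    return "error", errors


# Successful reply copied from the document.
OK_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>"""

# Constructed failure reply in the RFC 6241 rpc-error layout (not captured
# from a router): the shape a client must handle when rollback-on-error fires.
ERROR_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>invalid-value</error-tag>
    <error-severity>error</error-severity>
    <error-message xml:lang="en">priority out of range (constructed sample)</error-message>
  </rpc-error>
</rpc-reply>"""


if __name__ == "__main__":
    print(zone_edit_config("merge", "zone1", 10, "Vlanif3"))
    print(parse_reply(ERROR_REPLY))
```

Because the reply carries the message-id of the request, a client that sends several edit-config operations should match replies to requests by that id rather than by order; the parser above leaves that correlation to the caller.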

Firewall Interzone

This section describes samples of creating, modifying, and deleting a firewall interzone.

Creating a Firewall Interzone

This section provides a sample of creating a firewall interzone using the merge method. A firewall interzone can also be configured using the create method.

Table 3-1278 Creating a firewall interzone

Operation: edit-config:merge
XPATH: /huawei-zone-based-firewall/firewall-interzone/interzone-instance

Data Requirements

Table 3-1279 Creating a firewall interzone

  • Name of a security zone included in the interzone: zone1
  • Name of the other security zone included in the interzone: zone2
  • Whether to enable the firewall in the interzone: true
  • Packet filtering direction of the interzone: inbound
  • Number of the ACL for packet filtering in the interzone: 3001
  • Default packet filtering method of the interzone: permit
  • Enable ASPF in the interzone: ftp
  • Name of a security policy for the interzone: security

Description: Create an interzone between zone1 and zone2, enable the firewall function, filter the inbound packets by ACL 3001, apply ASPF to the FTP protocol, and configure the security policy to security.

Request Example
NOTE:
  • Before creating an interzone, create two zones by referring to Creating a Firewall Security Zone.
  • Before configuring the number of the ACL for packet filtering in the interzone, create the ACL by referring to Creating an ACL.
  • Before configuring the name of an interzone security policy, send the request for creating a security policy by referring to Creating a Security Policy.
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <firewall-interzone xmlns="urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall">
    <interzone-instance xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <zone1>zone1</zone1>
     <zone2>zone2</zone2>
     <firewall-enable>true</firewall-enable>
     <inter-zone-polices>
      <direction>inbound</direction>
      <filter-acl>3001</filter-acl>
      <default-action>permit</default-action>
     </inter-zone-polices>
     <detect-aspf xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="replace">ftp</detect-aspf>
     <security-policy-name xmlns="urn:huawei:params:xml:ns:yang:huawei-security-policy">security</security-policy-name>
    </interzone-instance>
   </firewall-interzone>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>
Modifying a Firewall Interzone

This section provides a sample of modifying a firewall interzone using the replace method.

Table 3-1280 Modifying a firewall interzone

Operation: edit-config:replace
XPATH: /huawei-zone-based-firewall/firewall-interzone/interzone-instance

Data Requirements

Table 3-1281 Modifying a firewall interzone

  • Name of a security zone included in the interzone: zone1
  • Name of the other security zone included in the interzone: zone2
  • Whether to enable the firewall in the interzone: true
  • Packet filtering direction of the interzone: inbound
  • Number of the ACL for packet filtering in the interzone: 3002
  • Default packet filtering method of the interzone: permit
  • Enable ASPF in the interzone: rtsp
  • Name of a security policy for the interzone: security

Description: Modify the interzone between zone1 and zone2, filter the inbound packets by ACL 3002, apply ASPF to the RTSP protocol, and configure the security policy to security.

Request Example
NOTE:
  • Before creating an interzone, create two zones by referring to Creating a Firewall Security Zone.
  • Before configuring the number of the ACL for packet filtering in the interzone, create the ACL by referring to Creating an ACL.
  • Before configuring the name of an interzone security policy, send the request for creating a security policy by referring to Creating a Security Policy.
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <firewall-interzone xmlns="urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall">
    <interzone-instance xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="replace">
     <zone1>zone1</zone1>
     <zone2>zone2</zone2>
     <firewall-enable>true</firewall-enable>
     <inter-zone-polices>
      <direction>inbound</direction>
      <filter-acl>3002</filter-acl>
      <default-action>permit</default-action>
     </inter-zone-polices>
     <detect-aspf xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="replace">rtsp</detect-aspf>
     <security-policy-name xmlns="urn:huawei:params:xml:ns:yang:huawei-security-policy">security</security-policy-name>
    </interzone-instance>
   </firewall-interzone>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>
Deleting a Firewall Interzone

This section provides a sample of deleting a firewall interzone using the remove method.

Table 3-1282 Deleting a firewall interzone

Operation: edit-config:remove
XPATH: /huawei-zone-based-firewall/firewall-interzone/interzone-instance

Data Requirements

Table 3-1283 Deleting a firewall interzone

  • Name of a security zone included in the interzone: zone1
  • Name of the other security zone included in the interzone: zone2
  • Whether to enable the firewall in the interzone: true
  • Packet filtering direction of the interzone: inbound
  • Number of the ACL for packet filtering in the interzone: 3001
  • Default packet filtering method of the interzone: permit
  • Whether to enable ASPF in the interzone: ftp
  • Name of a security policy for the interzone: security

Description: Delete the configuration of the interzone between zone1 and zone2.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <firewall-interzone xmlns="urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall">
    <interzone-instance xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
     <zone1>zone1</zone1>
     <zone2>zone2</zone2>
     <firewall-enable>true</firewall-enable>
     <inter-zone-polices>
      <direction>inbound</direction>
      <filter-acl>3001</filter-acl>
      <default-action>permit</default-action>
     </inter-zone-polices>
     <detect-aspf xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="replace">ftp</detect-aspf>
     <security-policy-name xmlns="urn:huawei:params:xml:ns:yang:huawei-security-policy">security</security-policy-name>
    </interzone-instance>
   </firewall-interzone>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>
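The NOTE above lists three objects that must exist before an interzone request is accepted: the two zones, the ACL and the security policy. The example below, added here and not the document's code, keeps that order explicit by checking a caller-supplied inventory before building the request; it assumes the inventory dict shape, the function names and the describe_interzone helper, while the element names, the namespaces (including the separate huawei-security-policy namespace of security-policy-name) and the per-entry replace on detect-aspf follow the request sample.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the Huawei document.
BASE_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
FW_NS = "urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall"
POLICY_NS = "urn:huawei:params:xml:ns:yang:huawei-security-policy"  # from the sample
for prefix, uri in (("nc", BASE_NS), ("fw", FW_NS), ("sp", POLICY_NS)):
    ET.register_namespace(prefix, uri)

# Constructed inventory of objects the NOTE requires to exist already. A real
# client would fill it from the device configuration; the dict shape is this
# example's own assumption.
INVENTORY = {"zones": {"zone1", "zone2"}, "acls": {3001}, "policies": {"security"}}


def missing_prerequisites(zone1, zone2, filter_acl, policy_name, existing):
    """Objects from the NOTE that are absent from `existing`; empty means ready."""
    missing = [f"zone {z}" for z in (zone1, zone2) if z not in existing["zones"]]
    if filter_acl not in existing["acls"]:
        missing.append(f"ACL {filter_acl}")
    if policy_name not in existing["policies"]:
        missing.append(f"security policy {policy_name}")
    return missing


def _envelope(message_id="123"):
    """<rpc><edit-config> header as in the samples; returns (rpc, config)."""
    rpc = ET.Element(f"{{{BASE_NS}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{BASE_NS}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{BASE_NS}}}target"), f"{{{BASE_NS}}}running")
    ET.SubElement(edit, f"{{{BASE_NS}}}error-option").text = "rollback-on-error"
    return rpc, ET.SubElement(edit, f"{{{BASE_NS}}}config")


def interzone_edit_config(operation, zone1, zone2, *, direction, filter_acl,
                          default_action, aspf, policy_name, existing):
    """Build the interzone-instance request. For merge/create/replace the
    prerequisites are checked first; a remove needs no such check."""
    if operation != "remove":
        missing = missing_prerequisites(zone1, zone2, filter_acl, policy_name, existing)
        if missing:
            raise LookupError("create first: " + ", ".join(missing))
    rpc, config = _envelope()
    fiz = ET.SubElement(config, f"{{{FW_NS}}}firewall-interzone")
    inst = ET.SubElement(fiz, f"{{{FW_NS}}}interzone-instance",
                         {f"{{{BASE_NS}}}operation": operation})
    ET.SubElement(inst, f"{{{FW_NS}}}zone1").text = zone1
    ET.SubElement(inst, f"{{{FW_NS}}}zone2").text = zone2
    ET.SubElement(inst, f"{{{FW_NS}}}firewall-enable").text = "true"
    pol = ET.SubElement(inst, f"{{{FW_NS}}}inter-zone-polices")  # spelling as in the model
    ET.SubElement(pol, f"{{{FW_NS}}}direction").text = direction
    ET.SubElement(pol, f"{{{FW_NS}}}filter-acl").text = str(filter_acl)
    ET.SubElement(pol, f"{{{FW_NS}}}default-action").text = default_action
    for proto in aspf:
        # each detect-aspf entry carries its own replace, as the sample does
        ET.SubElement(inst, f"{{{FW_NS}}}detect-aspf",
                      {f"{{{BASE_NS}}}operation": "replace"}).text = proto
    ET.SubElement(inst, f"{{{POLICY_NS}}}security-policy-name").text = policy_name
    return ET.tostring(rpc, encoding="unicode")


def describe_interzone(xml_text):
    """Read the request back into a plain dict (for checks and logging)."""
    inst = ET.fromstring(xml_text).find(f".//{{{FW_NS}}}interzone-instance")
    pol = inst.find(f"{{{FW_NS}}}inter-zone-polices")
    return {
        "operation": inst.get(f"{{{BASE_NS}}}operation"),
        "zones": (inst.findtext(f"{{{FW_NS}}}zone1"), inst.findtext(f"{{{FW_NS}}}zone2")),
        "direction": pol.findtext(f"{{{FW_NS}}}direction"),
        "filter-acl": int(pol.findtext(f"{{{FW_NS}}}filter-acl")),
        "default-action": pol.findtext(f"{{{FW_NS}}}default-action"),
        "aspf": [e.text for e in inst.findall(f"{{{FW_NS}}}detect-aspf")],
        "policy": inst.findtext(f"{{{POLICY_NS}}}security-policy-name"),
    }
```

Checking prerequisites locally is cheaper than letting the device reject the request, and it keeps the dependency order (zones, ACL, policy, then interzone) in the client where an automation job can act on it.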

Firewall Blacklist

This section describes samples of creating, modifying, and deleting a firewall blacklist.

Creating a Firewall Blacklist

This section provides a sample of creating a firewall blacklist using the merge method. A firewall blacklist can also be configured using the create method.

Table 3-1284 Creating a firewall blacklist

Operation: edit-config:merge
XPATH: /huawei-zone-based-firewall/black-list

Data Requirements

Table 3-1285 Creating a firewall blacklist

  • Whether to enable the blacklist function: true
  • Blacklist entry: IP address 10.1.1.1; VPN instance to which the IP address belongs: hhhh

Description: Enable the blacklist function and add a blacklist entry for the IP address 10.1.1.1, with hhhh as the VPN instance to which the address belongs.

Request Example
NOTE:

Before configuring the VPN instance to which the specified IP address belongs, configure the VPN instance by referring to Configuring a VPN Instance.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <black-list xmlns="urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall">
    <enable>true</enable>
    <black-instance xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <index>0</index>
     <ip-address>10.1.1.1</ip-address>
     <vpn-instance>hhhh</vpn-instance>
    </black-instance>
   </black-list>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>
Modifying a Firewall Blacklist

This section provides a sample of modifying a firewall blacklist using the replace method.

Table 3-1286 Modifying a firewall blacklist

Operation: edit-config:replace
XPATH: /huawei-zone-based-firewall/black-list

Data Requirements

Table 3-1287 Modifying a firewall blacklist

  • Whether to enable the blacklist function: true
  • Blacklist entry: IP address 10.1.1.2; VPN instance to which the IP address belongs: hhh

Description: Enable the blacklist function and modify the blacklist entry so that its IP address is 10.1.1.2 and the VPN instance to which the address belongs is hhh.

Request Example
NOTE:

Before configuring the VPN instance to which the specified IP address belongs, configure the VPN instance by referring to Configuring a VPN Instance.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <black-list xmlns="urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall">
    <enable>true</enable>
    <black-instance xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="replace">
     <index>0</index>
     <ip-address>10.1.1.2</ip-address>
     <vpn-instance>hhh</vpn-instance>
    </black-instance>
   </black-list>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>
Deleting a Firewall Blacklist

This section provides a sample of deleting a firewall blacklist using the remove method.

Table 3-1288 Deleting a firewall blacklist

Operation: edit-config:remove
XPATH: /huawei-zone-based-firewall/black-list

Data Requirements

Table 3-1289 Deleting a firewall blacklist

  • Whether to enable the blacklist function: true
  • Blacklist entry: IP address 10.1.1.1; VPN instance to which the IP address belongs: hhhh

Description: Delete the blacklist entry for the IP address 10.1.1.1 in the VPN instance hhhh.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <black-list xmlns="urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall">
    <enable>true</enable>
    <black-instance xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
     <index>0</index>
     <ip-address>10.1.1.1</ip-address>
     <vpn-instance>hhhh</vpn-instance>
    </black-instance>
   </black-list>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>

Firewall Attack Defense

This section describes samples of creating, modifying, and deleting firewall attack defense.

Creating Firewall Attack Defense

This section provides a sample of creating firewall attack defense using the merge method. Firewall attack defense can also be configured using the create method.

Table 3-1290 Creating firewall attack defense

Operation: edit-config:merge
XPATH: /huawei-zone-based-firewall/firewall-defend/defence-action

Data Requirements

Table 3-1291 Creating firewall attack defense

  • Whether to enable the firewall attack defense function: true
  • Maximum length of ICMP packets allowed to pass: 3000
  • Blacklist timeout interval for address sweeping attack defense: 30
  • Maximum connection rate of address sweeping attack defense: 3000
  • Protected IP address: 10.1.1.1
  • VPN instance to which the specified IP address belongs: vpna
  • Whether to enable the TCP proxy: off
  • Maximum connection rate: 500

Description: Enable firewall attack defense, set the maximum length of ICMP packets allowed to pass to 3000 bytes, set the blacklist timeout interval for address sweeping attack defense to 30 minutes, and set the maximum connection rate of address sweeping attack defense to 3000 pps. Configure attack defense for the IP address 10.1.1.1 in the VPN instance vpna, disable the TCP proxy, and set the maximum connection rate to 500 pps.

Request Example
NOTE:

Before configuring the VPN instance to which the specified IP address belongs, configure the VPN instance by referring to Configuring a VPN Instance.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <firewall-defend xmlns="urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall">
    <defence-action xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <type>large-icmp-defend</type>
     <enable>true</enable>
     <parameters>
      <length>3000</length>
     </parameters>
    </defence-action>
    <defence-action xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <type>ip-sweep-defend</type>
     <enable>true</enable>
     <parameters>
      <blacklist-expire-time>30</blacklist-expire-time>
      <rate>3000</rate>
     </parameters>
    </defence-action>
    <defence-action xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
     <type>syn-flood-defend</type>
     <enable>true</enable>
     <parameters>
      <flood-target>
       <index>1</index>
       <protected-type>host</protected-type>
       <ip-address>10.1.1.1</ip-address>
       <vpn-instance>vpna</vpn-instance>
       <tcp-proxy>off</tcp-proxy>
       <rate>500</rate>
      </flood-target>
     </parameters>
    </defence-action>
   </firewall-defend>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>
Modifying Firewall Attack Defense

This section provides a sample of modifying firewall attack defense using the replace method.

Table 3-1292 Modifying firewall attack defense

Operation: edit-config:replace
XPATH: /huawei-zone-based-firewall/firewall-defend/defence-action

Data Requirements

Table 3-1293 Modifying firewall attack defense

  • Whether to enable the firewall attack defense function: true
  • Maximum length of ICMP packets allowed to pass: 3500
  • Blacklist timeout interval for address sweeping attack defense: 30
  • Maximum connection rate of address sweeping attack defense: 3000
  • Protected IP address: 10.1.1.1
  • VPN instance to which the specified IP address belongs: vpna
  • Whether to enable the TCP proxy: off
  • Maximum connection rate: 500

Description: Enable firewall attack defense, change the maximum length of ICMP packets allowed to pass to 3500 bytes, set the blacklist timeout interval for address sweeping attack defense to 30 minutes, and set the maximum connection rate of address sweeping attack defense to 3000 pps. Configure attack defense for the IP address 10.1.1.1 in the VPN instance vpna, disable the TCP proxy, and set the maximum connection rate to 500 pps.

Request Example
NOTE:

Before configuring the VPN instance to which the specified IP address belongs, configure the VPN instance by referring to Configuring a VPN Instance.

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <firewall-defend xmlns="urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall">
    <defence-action xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="replace">
     <type>large-icmp-defend</type>
     <enable>true</enable>
     <parameters>
      <length>3500</length>
     </parameters>
    </defence-action>
    <defence-action xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="replace">
     <type>ip-sweep-defend</type>
     <enable>true</enable>
     <parameters>
      <blacklist-expire-time>30</blacklist-expire-time>
      <rate>3000</rate>
     </parameters>
    </defence-action>
    <defence-action xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="replace">
     <type>syn-flood-defend</type>
     <enable>true</enable>
     <parameters>
      <flood-target>
       <index>1</index>
       <protected-type>host</protected-type>
       <ip-address>10.1.1.1</ip-address>
       <vpn-instance>vpna</vpn-instance>
       <tcp-proxy>off</tcp-proxy>
       <rate>500</rate>
      </flood-target>
     </parameters>
    </defence-action>
   </firewall-defend>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>
Deleting Firewall Attack Defense

This section provides a sample of deleting firewall attack defense using the remove method.

Table 3-1294 Deleting firewall attack defense

Operation: edit-config:remove
XPATH: /huawei-zone-based-firewall/firewall-defend/defence-action

Data Requirements

Table 3-1295 Deleting firewall attack defense

  • Whether to enable the firewall attack defense function: true
  • Maximum length of ICMP packets allowed to pass: 3000
  • Blacklist timeout interval for address sweeping attack defense: 30
  • Maximum connection rate of address sweeping attack defense: 3000
  • Protected IP address: 10.1.1.1
  • VPN instance to which the specified IP address belongs: vpna
  • Whether to enable the TCP proxy: off
  • Maximum connection rate: 500

Description: Delete the configuration of firewall attack defense.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
 <edit-config>
  <target>
   <running/>
  </target>
  <error-option>rollback-on-error</error-option>
  <config>
   <firewall-defend xmlns="urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall">
    <defence-action xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
     <type>large-icmp-defend</type>
     <enable>true</enable>
     <parameters>
      <length>3000</length>
     </parameters>
    </defence-action>
    <defence-action xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
     <type>ip-sweep-defend</type>
     <enable>true</enable>
     <parameters>
      <blacklist-expire-time>30</blacklist-expire-time>
      <rate>3000</rate>
     </parameters>
    </defence-action>
    <defence-action xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
     <type>syn-flood-defend</type>
     <enable>true</enable>
     <parameters>
      <flood-target>
       <index>1</index>
       <protected-type>host</protected-type>
       <ip-address>10.1.1.1</ip-address>
       <vpn-instance>vpna</vpn-instance>
       <tcp-proxy>off</tcp-proxy>
       <rate>500</rate>
      </flood-target>
     </parameters>
    </defence-action>
   </firewall-defend>
  </config>
 </edit-config>
</rpc>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>
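Each defense type in the attack-defense requests above is its own defence-action list entry, keyed by its type and carrying its parameters nested under it, and the parameter ranges are the ones the data model states. The Python below is an added example rather than code from the Huawei document: it builds the request from a list of plain dicts, one per defense type, and rejects values outside the stated ranges before anything is sent; DEFENCE_TYPES is the list from the data model, while the dict layout, the function names, the describe_defences helper and the SAMPLE_DEFENCES input are its own assumptions.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the Huawei document.
BASE_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
FW_NS = "urn:huawei:params:xml:ns:yang:huawei-zone-based-firewall"
ET.register_namespace("nc", BASE_NS)
ET.register_namespace("fw", FW_NS)

# Defense types and parameter ranges as listed in the data model.
DEFENCE_TYPES = {
    "fraggle-defend", "icmp-redirect-defend", "icmp-unreachable-defend",
    "ip-fragment-defend", "ip-sweep-defend", "land-defend", "large-icmp-defend",
    "ping-of-death-defend", "tcp-flag-defend", "teardrop-defend", "tracert-defend",
    "winnuke-defend", "smurf-defend", "port-scan-defend", "icmp-flood-defend",
    "syn-flood-defend", "udp-flood-defend",
}
PARAM_RANGES = {"length": (28, 65535, "bytes"),
                "blacklist-expire-time": (1, 1000, "minutes"),
                "rate": (1, 10000, "pps")}
TCP_PROXY_MODES = {"auto", "off", "on"}

# Constructed input mirroring the request above: one dict per defense type.
SAMPLE_DEFENCES = [
    {"type": "large-icmp-defend", "enable": True, "parameters": {"length": 3000}},
    {"type": "ip-sweep-defend", "enable": True,
     "parameters": {"blacklist-expire-time": 30, "rate": 3000}},
    {"type": "syn-flood-defend", "enable": True,
     "parameters": {"flood-target": [{"index": 1, "protected-type": "host",
                                      "ip-address": "10.1.1.1", "vpn-instance": "vpna",
                                      "tcp-proxy": "off", "rate": 500}]}},
]


def validate_defence(d):
    """Violations of the data model for one defence-action dict; [] when valid."""
    problems = []
    if d.get("type") not in DEFENCE_TYPES:
        problems.append(f"unknown defence type {d.get('type')}")
    params = d.get("parameters", {})
    for key, (lo, hi, unit) in PARAM_RANGES.items():
        if key in params and not lo <= params[key] <= hi:
            problems.append(f"{key} must be {lo}..{hi} {unit}")
    for target in params.get("flood-target", []):
        if target.get("tcp-proxy") not in TCP_PROXY_MODES | {None}:
            problems.append("tcp-proxy must be auto, off or on")
        if "rate" in target and not 1 <= target["rate"] <= 65535:
            problems.append("flood-target rate must be 1..65535 pps")
    return problems


def _emit(parent, tag, value):
    """Serialize nested dicts/lists into fw: elements; a list repeats the tag
    (one element per list entry), bools become YANG "true"/"false"."""
    if isinstance(value, list):
        for item in value:
            _emit(parent, tag, item)
        return
    el = ET.SubElement(parent, f"{{{FW_NS}}}{tag}")
    if isinstance(value, dict):
        for key, sub in value.items():
            _emit(el, key, sub)
    elif isinstance(value, bool):
        el.text = "true" if value else "false"
    else:
        el.text = str(value)


def defend_edit_config(operation, defences, message_id="123"):
    """One <defence-action> list entry per defense type, each keyed by its
    <type> and carrying its own nc:operation."""
    bad = {}
    for d in defences:
        problems = validate_defence(d)
        if problems:
            bad[d.get("type")] = problems
    if bad:
        raise ValueError(f"invalid defence parameters: {bad}")
    rpc = ET.Element(f"{{{BASE_NS}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{BASE_NS}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{BASE_NS}}}target"), f"{{{BASE_NS}}}running")
    ET.SubElement(edit, f"{{{BASE_NS}}}error-option").text = "rollback-on-error"
    config = ET.SubElement(edit, f"{{{BASE_NS}}}config")
    defend = ET.SubElement(config, f"{{{FW_NS}}}firewall-defend")
    for d in defences:
        action = ET.SubElement(defend, f"{{{FW_NS}}}defence-action",
                               {f"{{{BASE_NS}}}operation": operation})
        _emit(action, "type", d["type"])
        _emit(action, "enable", d.get("enable", True))
        if "parameters" in d:
            _emit(action, "parameters", d["parameters"])
    return ET.tostring(rpc, encoding="unicode")


def describe_defences(xml_text):
    """(type, enable, sorted parameter names) for each entry, in request order."""
    out = []
    for action in ET.fromstring(xml_text).iter(f"{{{FW_NS}}}defence-action"):
        params = action.find(f"{{{FW_NS}}}parameters")
        names = sorted(c.tag.split("}")[1] for c in params) if params is not None else []
        out.append((action.findtext(f"{{{FW_NS}}}type"),
                    action.findtext(f"{{{FW_NS}}}enable"), names))
    return out
```

Keeping one list entry per defense type also means a later replace or remove can target a single type (for example only syn-flood-defend) without restating the others, which is the granularity the XPATH /firewall-defend/defence-action implies.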
Updated: 2019-03-06

Document ID: EDOC1100022096