CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the security features supported by the device.
Example for Configuring the Blacklist

Networking Requirements

As shown in Figure 6-24, Eth2/0/0 of the Router is connected to a highly secure internal network, and GE3/0/0 is connected to the insecure external network.

The Router needs to apply IP address sweeping defense, port scanning defense, and the blacklist function to packets sent from the Internet to the enterprise intranet. If the Router detects an IP address sweeping or port scanning attack from a source IP address, it adds that address to the blacklist. The rate threshold (max-rate) that triggers blacklisting is 5000 pps, and dynamically added blacklist entries expire after 30 minutes.

If an IP address, for example 1.1.1.2, attacks the enterprise intranet repeatedly, you can add it to the blacklist manually. A manually added entry is permanent and does not expire.

Figure 6-24  Network diagram of blacklist configuration

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure zones and an interzone.

  2. Add interfaces to the zones.

  3. Enable the blacklist function.

  4. Add an entry to the blacklist.

  5. Enable the defense against IP address sweeping and port scanning.

  6. Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping and port scanning.

Procedure

  1. Configure zones and an interzone on the Router.

    [Huawei] firewall zone trust
    [Huawei-zone-trust] priority 14
    [Huawei-zone-trust] quit
    [Huawei] firewall zone untrust
    [Huawei-zone-untrust] priority 1
    [Huawei-zone-untrust] quit
    [Huawei] firewall interzone trust untrust
    [Huawei-interzone-trust-untrust] firewall enable
    [Huawei-interzone-trust-untrust] quit
    

  2. Add Router interfaces to zones.

    [Huawei] vlan 100 
    [Huawei-vlan100] quit
    [Huawei] interface vlanif 100 
    [Huawei-Vlanif100] ip address 10.38.1.1 24 
    [Huawei-Vlanif100] quit       
    [Huawei] interface ethernet 2/0/0 
    [Huawei-Ethernet2/0/0] port link-type access  
    [Huawei-Ethernet2/0/0] port default vlan 100 
    [Huawei-Ethernet2/0/0] quit  
    [Huawei] interface vlanif 100 
    [Huawei-Vlanif100] zone trust
    [Huawei-Vlanif100] quit
    [Huawei] interface gigabitethernet 3/0/0
    [Huawei-GigabitEthernet3/0/0] ip address 1.1.2.1 24 
    [Huawei-GigabitEthernet3/0/0] zone untrust
    [Huawei-GigabitEthernet3/0/0] quit 

  3. Enable the blacklist function.

    [Huawei] firewall blacklist enable

  4. Add an entry to the blacklist.

    [Huawei] firewall blacklist 1.1.1.2

  5. Enable the defense against IP address sweeping and port scanning.

    [Huawei] firewall defend ip-sweep enable
    [Huawei] firewall defend port-scan enable

  6. Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping and port scanning.

    [Huawei] firewall defend ip-sweep max-rate 5000
    [Huawei] firewall defend ip-sweep blacklist-expire-time 30
    [Huawei] firewall defend port-scan max-rate 5000     
    [Huawei] firewall defend port-scan blacklist-expire-time 30
    

  7. Verify the configuration.

    Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router. The output shows that the interzone firewall is enabled and that the default packet filter denies inbound traffic (from the lower-priority untrust zone to the higher-priority trust zone) and permits outbound traffic:

    [Huawei] display firewall interzone trust untrust 
     interzone trust untrust                                                         
     firewall enable                                                                
     packet-filter default deny inbound                                             
     packet-filter default permit outbound                                                                  
    

    Run the display firewall blacklist all command on the Router, and the command output is as follows:

    [Huawei] display firewall blacklist all
    Firewall Blacklist Items :
    ------------------------------------------------------------------------
    IP-Address      Reason       Expire-Time(m) VPN-Instance
    ------------------------------------------------------------------------
    1.1.1.2      Manual       Permanent
    ------------------------------------------------------------------------
     total number is : 1  
    Run the display firewall defend command on the Router, and the command output is as follows:

    [Huawei] display firewall defend port-scan
      defend-flag               : enable                                            
      max-rate                  : 5000  (pps)                                       
      blacklist-expire-time     : 30    (m)                                         
                                               
    [Huawei] display firewall defend ip-sweep
      defend-flag               : enable                                            
      max-rate                  : 5000  (pps)                                       
      blacklist-expire-time     : 30    (m)                                         
                                               

Configuration Files

Configuration file of the Router

#                                                                               
 firewall defend ip-sweep enable                                                
 firewall defend port-scan enable                                               
 firewall defend ip-sweep max-rate 5000                                         
 firewall defend ip-sweep blacklist-expire-time 30                              
 firewall defend port-scan max-rate 5000                                        
 firewall defend port-scan blacklist-expire-time 30                             
#                                                                               
 firewall blacklist enable
 firewall blacklist 1.1.1.2                                                       
#                                                                               
vlan batch 100                                                                 
#
interface Vlanif100                                                             
 ip address 10.38.1.1 255.255.255.0   
 zone trust                                         
# 
firewall zone trust                                                             
 priority 14                                                                    
#                                                                               
firewall zone untrust                                                           
 priority 1                                                                     
#                                                                               
firewall interzone trust untrust                                                
 firewall enable                                                                
#                                                                               
interface Ethernet2/0/0
 port link-type access                                                          
 port default vlan 100                                                          
#                                                                              
interface GigabitEthernet3/0/0
 ip address 1.1.2.1 255.255.255.0    
 zone untrust                                                                  
# 
return
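Steps 3 to 6 of the procedure are easy to half-apply: entries added before firewall blacklist enable, an interface that carries an IP address but was never put in a zone, or a defend threshold left at the device default. As an added example that is not part of the Huawei document, the following Python audits a saved VRP configuration file for exactly these points and parses display firewall blacklist all output so that permanent (manual) entries can be told apart from dynamic ones that will time out. The expected max-rate and timeout are caller-supplied assumptions; the second blacklist row and its Reason wording are constructed to exercise the numeric Expire-Time column and are not taken from the page.

```python
# Added example (not from the Huawei document): offline checks for the blacklist
# and scan-defense settings configured above. Expected values are caller-supplied.
import re
from collections import namedtuple

# Constructed sample: the Configuration File shown on this page, trimmed to the
# blocks these checks look at.
SAMPLE_CONFIG = """\
#
 firewall defend ip-sweep enable
 firewall defend port-scan enable
 firewall defend ip-sweep max-rate 5000
 firewall defend ip-sweep blacklist-expire-time 30
 firewall defend port-scan max-rate 5000
 firewall defend port-scan blacklist-expire-time 30
#
 firewall blacklist enable
 firewall blacklist 1.1.1.2
#
firewall interzone trust untrust
 firewall enable
#
interface GigabitEthernet3/0/0
 ip address 1.1.2.1 255.255.255.0
 zone untrust
#
return
"""

# Constructed sample: 'display firewall blacklist all' as shown on this page, plus
# one dynamic row (address, Reason wording and minutes left are assumed, not from
# the page) so the numeric Expire-Time column is exercised.
SAMPLE_BLACKLIST = """\
Firewall Blacklist Items :
------------------------------------------------------------------------
IP-Address      Reason       Expire-Time(m) VPN-Instance
------------------------------------------------------------------------
1.1.1.2      Manual       Permanent
10.0.0.9     Dynamic      25
------------------------------------------------------------------------
 total number is : 2
"""

# expire_min is None for a Permanent (manual) entry.
BlacklistEntry = namedtuple("BlacklistEntry", "ip reason expire_min vpn_instance")


def _blocks(lines):
    """Split a VRP config into its '#'-delimited blocks; block[0] is the header line."""
    blocks, cur = [], []
    for line in lines + ["#"]:
        if line in ("#", "return"):
            if cur:
                blocks.append(cur)
            cur = []
        elif line:
            cur.append(line)
    return blocks


def _setting(lines, attack, key):
    """Value N of 'firewall defend <attack> <key> N', or None if the line is absent."""
    pat = re.compile(rf"firewall defend {re.escape(attack)} {key} (\d+)")
    hits = [int(m.group(1)) for m in map(pat.fullmatch, lines) if m]
    return hits[0] if hits else None


def check_blacklist_config(config, expect_rate, expect_expire):
    """Return findings where the config falls short of the example; [] means it matches."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "firewall blacklist enable" not in lines:
        findings.append("blacklist function not enabled: 'firewall blacklist enable' is missing")
    for attack in ("ip-sweep", "port-scan"):
        if f"firewall defend {attack} enable" not in lines:
            findings.append(f"{attack} defense not enabled")
            continue
        # A missing line means the device default applies, not the value intended here.
        rate = _setting(lines, attack, "max-rate")
        if rate is None or rate > expect_rate:
            findings.append(f"{attack} max-rate is {rate}, expected <= {expect_rate} pps")
        expire = _setting(lines, attack, "blacklist-expire-time")
        if expire is None or expire < expect_expire:
            findings.append(f"{attack} blacklist-expire-time is {expire}, expected >= {expect_expire} min")
    for block in _blocks(lines):
        head = block[0]
        if (head.startswith("interface ") and any(x.startswith("ip address ") for x in block)
                and not any(x.startswith("zone ") for x in block)):
            findings.append(f"{head} has an IP address but is not in any zone")
        if head.startswith("firewall interzone ") and "firewall enable" not in block:
            findings.append(f"{head} is configured but 'firewall enable' is missing")
    return findings


def parse_blacklist(output):
    """Parse 'display firewall blacklist all' rows into entries (column layout as on this page)."""
    entries, in_table = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("IP-Address"):
            in_table = True
            continue
        if not in_table or not line or line.startswith("-") or line.startswith("total"):
            continue
        parts = line.split()
        expire = None if parts[2].lower() == "permanent" else int(parts[2])
        entries.append(BlacklistEntry(parts[0], parts[1], expire, parts[3] if len(parts) > 3 else None))
    return entries


def permanent_ips(entries):
    """Addresses that stay blocked until removed by hand (undo firewall blacklist <ip>)."""
    return [e.ip for e in entries if e.expire_min is None]
```

Run check_blacklist_config() against the text of display current-configuration saved from the Router; an empty list means the blacklist, both defend functions, their thresholds and the zone membership of every addressed interface match the example. Feed parse_blacklist() the output of display firewall blacklist all to separate permanent entries from dynamic ones that will drop off after blacklist-expire-time.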
Updated: 2019-05-20

Document ID: EDOC1100034077