CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Configuring IPS

(Optional) Configuring User-Defined Signatures

Context

User-defined signatures are created by the administrator according to the characteristics of intrusion behaviors. The administrator creates such signatures in the following scenarios:
  • When the administrator wants to reject or record a behavior that is not covered by the predefined signatures. For example, if the administrator wants to forbid staff from transmitting executable files (which are prone to carrying viruses) but no predefined signature describes that behavior, the administrator can create a signature according to the behavior characteristics, set the action to block, and import the created signature into the configuration file.
  • When the network is under attack but the IPS signature database has not yet been updated, the administrator can create a signature for the attack according to the attack characteristics. The created signature remains in effect after the IPS signature database is updated.

A user-defined IPS signature consists of multiple rules, and each rule contains multiple conditions.

The device matches packets against the rules in the configured sequence. A packet matches a rule when it matches all conditions in that rule, and a packet matches the signature when it matches any one rule in the signature.

NOTE:
A user-defined IPS signature takes effect for all security policies on the device. After a security policy is applied to a security interzone, the user-defined signature takes effect immediately.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ips signature-id signature-id

    A user-defined IPS signature is created and the IPS signature view is displayed.

    By default, no user-defined IPS signature exists on the device.

  3. (Optional) Run name name

    The name of the user-defined signature is set.

  4. (Optional) Run description description

    The description of the user-defined signature is configured.

    By default, no description is configured for a user-defined signature.

  5. Configure the basic characteristics of the user-defined signature.

    • Run target { both | client | server }

      The detection target of the user-defined signature is specified.

      By default, a user-defined signature detects packets for both clients and servers.

    • Run severity { high | information | low | medium }

      The severity of the user-defined signature is set.

      By default, the severity of a user-defined signature is high.

    • Run protocol protocol-name

      The protocol type of the user-defined signature is set.

      By default, the protocol type of a user-defined signature is HTTP.

      NOTE:

      A user-defined signature can have only one protocol type.

    • Run action { alert | block }

      The action of the user-defined signature is set.

      By default, the action of a user-defined signature is alert.

  6. Configure rules for a user-defined signature.

    1. Run rule name name

      A user-defined signature rule is created and the rule view is displayed.

      By default, no user-defined signature rule exists on the device.

      NOTE:

      To facilitate memorization and management, you can rename a user-defined signature rule.

      To rename the user-defined signature rule and enter the view of the rule, run the rename new-name command.

    2. Run scope { flow | message | packet }

      The matching scope of user-defined signature rules is specified.

      By default, the matching scope of user-defined signature rules is packet.

    3. Run condition [ condition-id ] field field-name operate { equal | gthan | lthan | noequal } value value-content

      The conditions of user-defined signature rules are specified.

      By default, no condition is configured for user-defined signature rules.

      At most four conditions can be configured for a rule.

    4. Specify the matching order of user-defined signature rules.

      1. Run check { random-order | sequential }

        The matching order of user-defined signature rules is specified.

        By default, the matching order is random-order.

        NOTE:

        After the sequential parameter is specified, only packets that match the conditions in ascending order of condition IDs are considered intrusion packets. Intrusion packets whose content satisfies the conditions in a different order do not match the rule and are therefore missed.

      2. (Optional) When the matching order is set to sequential, run condition move condition-id to new-condition-id

        The condition locations are adjusted.

    5. (Optional) Run source-ip { [ ipv4 ] ip-address | any }

      The source IP address of user-defined signature rules is specified.

      By default, any source IP address is checked by the user-defined signature rule.

    6. (Optional) Run source-port { start-port end-port | any }

      The source port of user-defined signature rules is specified.

      By default, all source ports are checked.

    7. (Optional) Run destination-ip { [ ipv4 ] ip-address | any }

      The destination IP address of user-defined signature rules is specified.

      By default, any destination IP address is checked by the user-defined signature rule.

    8. (Optional) Run destination-port { start-port end-port | any }

      The destination port of user-defined signature rules is specified.

      By default, all destination ports are checked.

  7. (Optional) Run quit

    Exit from the user-defined IPS signature rule view.

  8. (Optional) Run quit

    Exit from the IPS signature view.

  9. (Optional) Run ips signature-state [ signature-id signature-id ] { enabled | disabled }

    The state of the user-defined signature is configured.

    By default, the state of a user-defined signature is not specified.

  10. Run engine configuration commit

    Deliver the configuration.
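The matching semantics of the procedure above (rules ORed, conditions ANDed, random-order versus sequential checking) modelled in Python as an added example; this is not Huawei code, and the packet model, field names and values are constructed assumptions.

```python
"""Model of how a user-defined IPS signature is matched (added illustration, not
Huawei code; the packet model and all field names and values are assumptions)."""
from dataclasses import dataclass
from typing import List, Tuple, Union

Value = Union[int, str]
Packet = List[Tuple[str, Value]]  # constructed: (field, value) occurrences in packet order

# Operators of: condition [ condition-id ] field field-name operate {...} value value-content
OPERATE = {"equal": lambda a, b: a == b, "noequal": lambda a, b: a != b,
           "gthan": lambda a, b: a > b, "lthan": lambda a, b: a < b}

@dataclass
class Condition:
    condition_id: int
    field_name: str
    operate: str
    value: Value

@dataclass
class Rule:
    name: str
    conditions: List[Condition]  # at most four per rule
    check: str = "random-order"  # page default; the alternative is "sequential"

    def __post_init__(self) -> None:
        if len(self.conditions) > 4:
            raise ValueError("at most four conditions can be configured for a rule")

    def matches(self, packet: Packet) -> bool:
        """A rule matches only when every one of its conditions matches (AND)."""
        start = 0  # in sequential mode the next condition must hit after this index
        for cond in sorted(self.conditions, key=lambda c: c.condition_id):
            test = OPERATE[cond.operate]
            hits = [i for i, (f, v) in enumerate(packet)
                    if i >= start and f == cond.field_name
                    and type(v) is type(cond.value) and test(v, cond.value)]
            if not hits:
                return False
            if self.check == "sequential":
                start = hits[0] + 1  # conditions must appear in ascending ID order
        return True

@dataclass
class Signature:
    signature_id: int
    rules: List[Rule]
    action: str = "alert"  # page default; the alternative is "block"

    def matches(self, packet: Packet) -> bool:
        """A signature matches when any one of its rules matches (OR)."""
        return any(rule.matches(packet) for rule in self.rules)

def build_signature(check: str) -> Signature:
    """Constructed sample for the Context scenario: block executable uploads over HTTP."""
    rule = Rule("exe-upload", [
        Condition(1, "http.uri", "equal", "/upload"),
        Condition(2, "http.content-type", "equal", "application/x-msdownload"),
        Condition(3, "http.content-length", "gthan", 4096),
    ], check=check)
    return Signature(65001, [rule], action="block")

# Constructed packets: the same fields in two orders, plus a benign (non-executable) upload.
IN_ORDER: Packet = [("http.uri", "/upload"),
                    ("http.content-type", "application/x-msdownload"),
                    ("http.content-length", 100000)]
OUT_OF_ORDER: Packet = list(reversed(IN_ORDER))
BENIGN: Packet = [("http.uri", "/upload"), ("http.content-type", "image/png"),
                  ("http.content-length", 100000)]

def demo() -> dict:
    """Verdicts for IN_ORDER, OUT_OF_ORDER and BENIGN under each check mode."""
    return {check: [build_signature(check).matches(p) for p in (IN_ORDER, OUT_OF_ORDER, BENIGN)]
            for check in ("random-order", "sequential")}
```

The OUT_OF_ORDER verdict is the case the NOTE on sequential matching warns about: the packet satisfies every condition but is missed because the conditions do not appear in ascending ID order.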

Configuring IPS Profiles

Context

After the IPS signature database is loaded, it contains a large number of signatures dynamically generated from the signature database files that are not categorized, and some signatures describe features that do not exist on the local network. Use signature filters to select signatures in batches and configure a unified action for them. To configure a specific action for individual signatures, add them as exception signatures.

You can configure IPS profiles to solve the preceding problem. One IPS profile can be configured with multiple signature filters and multiple exception signatures. After being configured with signature filters and exception signatures, IPS profiles can filter signatures that are suitable for the local network. The device can use IPS profiles to defend against intrusion behaviors.

The device has multiple default intrusion prevention profiles for different application scenarios. The default intrusion prevention profiles can be displayed, cloned, or referenced in security policies, but cannot be modified or deleted.
  • strict: Contains all signatures; the action is block. Applies to all protocols and categories. Use this profile when the device must block all matched packets.
  • web_server: Contains all signatures; the action is each signature's default action. Applies to the DNS, HTTP, and FTP protocols and all categories. Use this profile when the device is deployed in front of a web server.
  • file_server: Contains all signatures; the action is each signature's default action. Applies to the DNS, SMB, NETBIOS, NFS, SUNRPC, MSRPC, FILE, and TELNET protocols and all categories. Use this profile when the device is deployed in front of a file server.
  • dns_server: Contains all signatures; the action is each signature's default action. Applies to the DNS protocol and all categories. Use this profile when the device is deployed in front of a DNS server.
  • mail_server: Contains all signatures; the action is each signature's default action. Applies to the DNS, IMAP4, SMTP, and POP3 protocols and all categories. Use this profile when the device is deployed in front of a mail server.
  • inside_firewall: Contains all signatures; the action is each signature's default action. Applies to all protocols and categories. Use this profile when the device is deployed behind a firewall.
  • dmz: Contains all signatures; the action is each signature's default action. Applies to all protocols except NETBIOS, NFS, SMB, TELNET, and TFTP, and to all categories. Use this profile when the device is deployed behind a firewall, in front of a DMZ.
  • outside_firewall: Contains all signatures; the action is each signature's default action. Applies to all protocols and to all categories except Scanner. Use this profile when the device is deployed in front of a firewall.
  • ids: Contains all signatures; the action is alert. Applies to all protocols and categories. Use this profile when the device is deployed offline as an IDS.
  • default: Contains all signatures; the action is each signature's default action. Applies to all protocols and categories. Use this profile when the device is deployed in-line as an IPS.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create an IPS profile and enter the IPS profile view.

    • Create an IPS profile without any configuration.

      Run profile type ips name name

      An IPS profile is created and the IPS profile view is displayed.

    • Create an IPS profile by copying another profile.

      Run profile type ips copy old-name [ new-name ]

      An IPS profile is created by copying an existing IPS profile and the IPS profile view is displayed.

      The IPS profile old-name must already exist.

    By default, the device has the following IPS profiles: strict, web_server, file_server, dns_server, mail_server, inside_firewall, dmz, outside_firewall, ids, and default.

    NOTE:

    To facilitate IPS profile management, you can rename the IPS profile.

    Run the rename new-name command to rename an existing IPS profile and display the new IPS profile view.

  3. (Optional) Run collect-attack-evidence enable

    The attack evidence collection function of IPS is enabled.

    By default, the attack evidence collection function of IPS is disabled.

    NOTE:

    Before enabling this function, the log sending function of the IPS module must have been enabled using the engine log ips enable command.

  4. (Optional) Run description description

    The description of an IPS profile is configured to identify the IPS profile.

    By default, no description is configured for an IPS profile.

  5. (Optional) Run cnc domain-filter enable [ action { alert | block } ]

    The domain name-based filtering function is enabled.

    By default, domain name-based filtering is disabled.

    After domain name-based filtering is enabled, the default action is alert for packets matching the specified condition.

    The domain name-based filtering function enables the device to filter out packets using the malicious domain name signature database.

    NOTE:
    • Because the CNC is not preinstalled on the device, you must obtain the IPS license and then either download the CNC to your local computer from sec.huawei.com or install it online.
    • When the startup path is changed, you must load the signature library again from sec.huawei.com through an online or local upgrade.

  6. Run signature-set name name

    An IPS signature filter is created in the IPS profile view and the IPS signature filter view is displayed.

    By default, no IPS signature filter is configured.

    An IPS profile can be configured with multiple IPS signature filters.

    NOTE:

    To facilitate IPS signature filter management, you can rename the user-defined IPS signature filters.

    Run the rename new-name command to rename an existing IPS signature filter and display the new IPS signature filter view.

  7. After an IPS signature filter is configured, all predefined signatures are contained in the signature filter by default. You can run the following commands as required to configure the filtering conditions of the signature filter to select signatures that meet the requirements.

    • Run category { category-name &<1-10> | all }

      IPS signatures of a specified category are added to the IPS signature filter.

      By default, no IPS signatures of a specified category are added to an IPS signature filter.

    • Run protocol { protocol-name &<1-10> | all }

      IPS signatures with a specified protocol are added to the IPS signature filter.

      By default, no protocol is specified in an IPS signature filter.

    • Run os { android | ios | other | unix-like | windows } *

      IPS signatures with a specified operating system are added to the IPS signature filter.

      By default, the IPS signature filter contains signatures of all operating systems.

    • Run severity { high | information | low | medium } *

      The threat level of IPS signatures contained in the IPS signature filter is configured.

      By default, no threat level is specified in an IPS signature filter.

    • Run target { both | client | server }

      IPS signatures with a specified target are added to the IPS signature filter.

      By default, no target is specified in the IPS signature filter.

  8. Run action { alert | block | default }

    The action of the IPS signature filter is configured.

    By default, the action of an IPS signature filter is default, that is, the signature filter uses the action of each signature to process packets.

  9. Run application { application-name &<1-10> | all }

    An application name in an IPS signature filter is configured.

    By default, the IPS does not filter packets based on application names.

    The application name specified in this command is a filtering condition in the IPS signature filter and helps filter packets of the specified application. &<1-10> indicates that a maximum of 10 applications can be specified at a time. To specify more applications, repeat this command. A packet matches the filtering condition if the application type of this packet matches any of the specified applications.

  10. Run quit

    Exit from the signature filter view.

  11. (Optional) Run signature-set move signature-set-name1 { before | after } signature-set-name2

    The priority of the IPS signature filter is configured.

  12. (Optional) Run exception ips-signature-id ips-signature-id [ action { alert | allow | block } ]

    The response method of the IPS exception signature is configured.

    By default, the response method of an exception signature is allow.

    If the action of an IPS exception signature differs from the action given by the IPS profile and its signature filter, the action of the IPS exception signature takes effect.

  13. Run quit

    Exit from the IPS profile view.

  14. (Optional) Run ips collect-attack-evidence max-session-number session-number [ signature-id signature-id ]

    The maximum number of attack evidence collection sessions for each IPS signature on each CPU is configured.

    By default, the number of attack evidence collection sessions for each IPS signature on each CPU is 5.

    You can set the maximum number of sessions in which the NGFW captures packets matching the intrusion prevention profile, per IPS signature and per CPU, to collect the information needed for packet tracing while keeping the performance impact of packet capture to a minimum. When the NGFW has multiple CPUs, the maximum number of attack evidence collection sessions for each IPS signature is session-number multiplied by the number of CPUs.

  15. Run engine configuration commit

    Configurations related to the security policy are submitted.

    After creating or modifying configurations related to the security policy, the configurations do not take effect immediately. You need to run the engine configuration commit command to activate the configurations. Because the activation process takes a long time, you are advised to complete all configurations related to the security policy and then submit the configurations together.

  16. (Optional) Run cnc domain-filter exception domain-name domain-name

    An exception domain name is added.

    By default, the exception domain name is not specified.

    The exception domain name must be a domain name in the malicious domain name signature database. Adding any domain name that is not in the malicious domain name signature database is pointless. You can determine whether to add a malicious domain name as an exception domain name based on the threat logs. After a malicious domain name is added as an exception domain name, the device does not filter out the packets matching the exception domain name.

  17. Configure protocol anomaly detection in the IPS profile view. The detection items and their commands are as follows:

    • Detecting whether HTTP traffic contains SSH traffic: http ssh-over-http check action { alert | block }
    • Detecting whether an HTTP packet contains multiple Host fields: http multi-host check action { alert | block }
    • Detecting the X-Online-Host field in an HTTP packet: http x-online-host check { any | blacklist | multiple } action { alert | block }, and http x-online-host blacklist blacklist
    • Detecting the X-Forwarded-For field in an HTTP packet: http x-forwarded-for check { any | whitelist } action { alert | block }, and http x-forwarded-for whitelist ipv4 ip-address
    • Detecting whether the protocol format of a DNS packet is abnormal: dns malformed-packet check action { alert | block }
    • Detecting the query type of a DNS packet: dns request-type check { start-type [ to end-type ] action | default-action } { alert | allow | block }
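How the signature filters, their priority (signature-set move) and exception signatures of the procedure above combine into one action per signature, modelled in Python as an added example. This is not Huawei code; the signature data, the IDs and the rule that the first matching filter in priority order wins are assumptions.

```python
"""Model of how an IPS profile decides the action for a predefined signature:
exception signature first, then the signature filters in priority order, with a filter
action of "default" falling back to the signature's own action. Added illustration,
not Huawei code; signature data and the first-match rule for filters are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class PredefinedSignature:
    signature_id: int
    category: str
    protocol: str
    os: str
    severity: str        # high | medium | low | information
    target: str          # client | server | both
    default_action: str  # the action carried by the signature itself

@dataclass
class SignatureSet:
    """One signature-set: every attribute is a filtering condition; empty means all."""
    name: str
    category: Set[str] = field(default_factory=set)
    protocol: Set[str] = field(default_factory=set)
    os: Set[str] = field(default_factory=set)
    severity: Set[str] = field(default_factory=set)
    target: Set[str] = field(default_factory=set)
    action: str = "default"  # page default: use each signature's own action

    def contains(self, sig: PredefinedSignature) -> bool:
        conds = ("category", "protocol", "os", "severity", "target")
        return all(not getattr(self, c) or getattr(sig, c) in getattr(self, c) for c in conds)

@dataclass
class IpsProfile:
    name: str
    signature_sets: List[SignatureSet] = field(default_factory=list)  # priority order
    exceptions: Dict[int, str] = field(default_factory=dict)  # signature-id -> alert|allow|block

    def move(self, name1: str, where: str, name2: str) -> None:
        """signature-set move name1 { before | after } name2."""
        moved = next(s for s in self.signature_sets if s.name == name1)
        self.signature_sets.remove(moved)
        anchor = next(i for i, s in enumerate(self.signature_sets) if s.name == name2)
        self.signature_sets.insert(anchor if where == "before" else anchor + 1, moved)

    def resolve(self, sig: PredefinedSignature) -> Optional[str]:
        """Exception > first matching filter (assumption) > not selected (None)."""
        if sig.signature_id in self.exceptions:
            return self.exceptions[sig.signature_id]
        for sset in self.signature_sets:
            if sset.contains(sig):
                return sig.default_action if sset.action == "default" else sset.action
        return None

# Constructed signatures; IDs, categories and default actions are made up.
SIGS = [
    PredefinedSignature(900001, "Web-Attack", "HTTP", "other", "high", "server", "alert"),
    PredefinedSignature(900002, "Web-Attack", "HTTP", "windows", "low", "server", "alert"),
    PredefinedSignature(900003, "Scanner", "HTTP", "other", "high", "server", "block"),
    PredefinedSignature(900004, "File", "SMB", "windows", "high", "server", "block"),
]

def build_profile() -> IpsProfile:
    """Web-server profile: block high-severity web signatures, keep default actions
    for the rest, and add one noisy scanner signature as an exception (allow)."""
    prof = IpsProfile("web_custom", [
        SignatureSet("web-all", protocol={"HTTP", "DNS", "FTP"}),  # action default
        SignatureSet("web-critical", protocol={"HTTP", "DNS", "FTP"},
                     severity={"high"}, action="block"),
    ])
    # Created second, web-critical would never be reached behind web-all; raise its priority.
    prof.move("web-critical", "before", "web-all")
    prof.exceptions[900003] = "allow"  # exception ips-signature-id 900003 action allow
    return prof

def demo() -> Dict[int, Optional[str]]:
    prof = build_profile()
    return {s.signature_id: prof.resolve(s) for s in SIGS}
```

Swapping the two filters back (move web-all before web-critical) turns 900001 into "alert", which is why the filter order set with signature-set move matters when a broad filter precedes a narrower one.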

Binding an IPS Profile to a Security Policy

Context

A security policy not only forwards network traffic, but also implements integrated content security detection on network traffic. After enabling the IPS function, you need to bind an IPS profile to a security policy and apply the security policy in interzones. The device can defend against intrusions based on the security policy.

Various types of service traffic exist on the network, and multiple security policies are configured on the device for the different types of traffic. Profiles of different types can be bound to one security policy at the same time, but a security policy can bind only one profile of each type. To ensure that security policies are configured correctly, administrators need to complete security policy planning before configuring security policies.
NOTE:

If multiple content security protection functions (such as the IPS function and URL filtering function) need to be configured concurrently, configure the IPS profile and URL filtering profile first, and run the profile (security policy view) command to bind the profiles to the security policy.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run security-policy policy-name

    A security policy is created and the security policy view is displayed.

    By default, no security policy is created.

  3. Run profile ips ips-name [ acl acl-id ]

    An IPS profile bound to the security policy is configured.

    By default, no IPS profile is bound to a security policy.

    The acl-id has been created.

    Currently, IPS only supports the binding of an ACL4, not an ACL6.

    NOTE:

    When IPS is bound to ACL4, create bidirectional rules in the ACL to make the configuration take effect.

Applying a Security Policy in Interzones

Prerequisites

Security zones have been created and interfaces have been added to the security zones. For details, see Creating a Zone and Adding Interfaces to the Zone in "Firewall Configuration."

Context

After the security policy configuration is complete, the security policy takes effect only when its application range is specified. The device considers that data transmission within a security zone is reliable and no security policy needs to be used. The device checks the data and carries out security policies only when the data flows from one security zone to another. When configuring the IPS service, you need to enter interzones and apply security policies that have bound IPS profiles.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run firewall interzone zone-name1 zone-name2

    An interzone is created and the interzone view is displayed.

    You must specify two existing security zones for the interzone.

    For details about interzone, see Creating an Interzone in "Firewall Configuration."

  3. Run security-policy policy-name

    The security policy is applied to the interzone.

    By default, no security policy is applied to an interzone.

    After the security policy is applied, if no ACL is configured when an IPS profile is bound to the security policy, the device performs IPS detection for the traffic in all interzones. If an ACL is configured when an IPS profile is bound to the security policy, the device determines whether to perform IPS detection for the traffic according to ACL rules.

    • If the ACL includes a permit rule, the device detects traffic that matches this rule.
    • If the ACL includes a deny rule, the device does not detect traffic that matches this rule.
    • If traffic does not match the ACL, the device does not detect the traffic.

(Optional) Controlling the IPS Log Sending Function

Context

When a lot of intrusion behaviors occur at a certain time, IPS triggers alarms or blocking actions frequently, and sends a large number of logs to the device in a short time. By default, the device displays logs in real time. This may refresh the screen and affect the administrator's work.

To solve the problem, you can disable the log sending function or configure the log caching function to control the IPS log sending frequency.

A maximum of 1024 logs can be recorded in the log cache. A maximum of 16 logs can be displayed each time and the displayed logs are cleared from the cache. By default, logs are displayed every minute.
NOTE:

When the log cache is full, the excess logs are discarded. You can reduce the output time if the configured output time is too long and results in a full log cache.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run engine log ips enable

    The log sending function of a specified module or all modules is enabled.

    By default, the system enables the log sending function of all modules.

  3. Run engine log timeout interval

    The log output frequency is configured.

    By default, logs are displayed every minute.

  4. Run ips log merge enable

    The IPS log aggregation function is enabled.

    By default, the system enables the IPS log aggregation function.

Verifying the IPS Configuration

Procedure

  • Run the display profile type ips [ name name [ signature-set-name signature-set-name | exception-signature-id exception-signature-id ] ] command to view the current IPS profile configuration.
  • Run the display ips-signature [ pre-defined [ associated ] | user-defined ] [ application { application-name | all } | category { category-name | all } | os { all | android | ios | other | unix-like | windows } * | protocol { protocol-name | all } | severity { information | low | medium | high }* | state { disabled | enabled | retired } | target { server | client | both } ]* command to view IPS signature information.
  • Run the display ips-signature vendor-id vendor-id command to display IPS signatures of a specified vendor ID.
  • Run the display ips signature-id signature-id rule { name rule-name | all } command to view user-defined IPS signature information.
  • Run the display ips signature-state command to view the state of user-defined IPS signatures.
  • Run the display ips-signature cve-id { cve-id | year year } command to display IPS signatures of a specified CVE ID.
  • Run the display cnc domain-filter exception command to display all exception domain names.
  • Run the display security-policy { name policy-name | all } command to view the security policy rule.
  • Run the display firewall zone [ zone-name ] [ interface | priority ] command to view security zone information.
  • Run the display firewall interzone [ zone-name1 zone-name2 ] command to view interzone information.
Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 137503

Downloads: 244

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next