No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Enabling the Blacklist Function

Enabling the Blacklist Function


A blacklist filters packets based on source IP addresses. Compared with ACLs, the blacklist uses simpler matching fields and therefore filters packets at a higher speed. Packets from certain IP addresses can be filtered out.

The firewall can dynamically add IP addresses to the blacklist. When detecting an attack from an IP address, the firewall adds the IP address to the blacklist to filter out all packets from this IP address. To enable the firewall to dynamically create blacklist entries, enable IP address scanning attack defense and port scanning attack defense.

Entries can be added to the blacklist manually or dynamically. After IP address scanning and port scanning defense is enabled on the attack defense module, the firewall can dynamically create blacklist entries. When the connection rate of an IP address or a port exceeds the threshold, the firewall considers that a scanning attack occurs and adds the source IP address to the blacklist. All the packets from this source IP address are then filtered out.


  1. Run system-view

    The system view is displayed.

  2. (Optional) Run firewall defend ip-sweep enable

    The IP address sweeping attack defense is enabled.

  3. (Optional) Run firewall defend ip-sweep { blacklist-expire-time interval | max-rate rate-value }

    The parameters for IP address sweeping attack defense are set.

  4. (Optional) Run firewall defend port-scan enable

    The port scanning attack defense is enabled.

  5. (Optional) Run firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }

    The parameters for port scanning attack defense are set.

    For scanning attack defense, the following two parameters need to be set:

    • Maximum session rate: When the session rate of an IP address or a port exceeds the limit, the firewall considers that a scanning attack occurs. Then the firewall adds the IP address or port to the blacklist to reject new sessions from the IP address or port.
    • Blacklist timeout: After an IP address or a port stays in the blacklist for a specified period, it is deleted from the blacklist. Then new connections can be initiated from this IP address or port.

    By default, the maximum session rate for IP address sweeping and port scanning attack defense is 4000 pps, and the blacklist timeout is 20 minutes.

  6. Run firewall blacklist enable

    The blacklist function is enabled.

    By default, the blacklist function is disabled.

Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 126538

Downloads: 231

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next