Configuring SA Applications
(Optional) Specifying Parameters for SA Detection
Context
Signature identification technology determines an application by detecting character codes in packets. Because the character codes of some protocols are spread across multiple packets, the technology must collect and analyze several packets of a session before it can decide. It can identify the protocol type only when the packet detection parameters are set correctly; using the default values of these parameters is recommended.
Procedure
- Run sa
The SA view is displayed.
- Run detect max-packets max-packets
The maximum number of packets to be detected in a session of the SA module is set.
- Run detect max-bytes max-bytes
The maximum number of bytes to be detected in a session of the SA module is set.
- Run port-identification packet-number-threshold packets
The packet number threshold is set for the SA module to enable port information-based identification.
- Run detect uni-direction
Unidirectional detection of the SA module is enabled.
(Optional) Configuring a User-Defined SA Application
Context
Generally, the built-in SA application signature database can identify various common SA applications. For an SA application that is not included in the predefined applications, you can create an SA application based on signatures of the application.
For SA applications, the router can create rules based on the triplet, keyword, or a combination of them. The triplet refers to the server IP address, protocol type, and port number. A keyword is a signature of a data packet or a data flow corresponding to the application and uniquely identifies the application.
Content | Rule Creation Mode
---|---
Server address, protocol type, and fixed port number | Triplet
Server address, protocol type, and variable port number | Keyword
Identical port number for two or more services | Triplet + keyword
Procedure
- Run system-view
The system view is displayed.
- Run sa
The SA view is displayed.
- Run user-defined-application name name
A user-defined application is created and its view is displayed.
- (Optional) Run description description
A description is configured for the user-defined application.
By default, no description is configured for a user-defined application.
- (Optional) Configure basic attributes of the user-defined application.
- Configure a user-defined application rule.
  - Run rule name name
    A user-defined application rule is created and its view is displayed.
    By default, no user-defined application rule is configured.
  - (Optional) Run description description
    A description is configured for the user-defined application rule.
    By default, no description is configured for a user-defined application rule.
  - Run ip-address ip-address [ mask | mask-length ]
    The IPv4 address is configured for the user-defined application rule.
    By default, no IPv4 address is configured for a user-defined application rule.
  - Run port port
    The port number is configured for the user-defined application rule.
    By default, no port number is configured for a user-defined application rule.
  - (Optional) Run protocol { tcp | udp }
    The transport layer protocol type is configured for the user-defined application rule.
    By default, a user-defined application rule uses any type of transport layer protocol, that is, the rule is valid for both TCP and UDP packets.
  - (Optional) Run signature context { flow | packet } direction { request | response | both } { plain-string plain-string | regular-expression regular-expression } [ field field ]
    A signature is configured for the user-defined application rule.
    By default, no signature is configured for a user-defined application rule.
A user-defined application rule contains at least one IP address or one port number.
Only AR6000-S series support regular-expression.
Only AR600 and AR6000 series support regular-expression.
Only SRU-100H, SRU-100HH, SRU-200H, SRU-400HK, SRU-600HK, SRU-400H, and SRU-600H support regular-expression.
- Run quit
Exit from the user-defined application rule view.
- Run quit
Exit from the user-defined application view.
- Run quit
Exit from the SA view.
- Run engine configuration commit
The configuration is committed.
After a user-defined application is created or modified, you must commit the configuration to activate it. Activation takes a long time, so it is recommended that you commit the configuration once, after performing all user-defined application operations, rather than after each change.
Follow-up Procedure
After configuring user-defined applications, you can adjust them as follows:
- Run the rename new-name command in the user-defined application view to rename an existing user-defined application.
- Run the rename new-name command in the user-defined application rule view to rename an existing user-defined application rule.
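The following configuration listing is an added example, not taken from the product documentation, that walks the procedure above once for each rule creation mode in the table (triplet, keyword, triplet + keyword). Application names, rule names, server addresses, ports and signature strings are constructed for illustration; lines beginning with "#" are annotations and are not CLI input. The commands and their parameters are only those listed in the procedure.

```text
# Added example; all names, addresses, ports and strings are constructed.
system-view
sa
# Mode 1, triplet: a fixed server address, protocol and port identify the application on their own.
user-defined-application name erp-portal
description Internal ERP portal on a fixed port
rule name erp-portal-triplet
ip-address 10.1.1.10 32
protocol tcp
port 8443
quit
quit
# Mode 2, keyword: the server hands out a variable port, so the rule anchors on the server
# address plus a request-side string instead of a port number (a rule still needs an IP address
# or a port, so the address stays).
user-defined-application name media-relay
description Relay service negotiating a variable data port
rule name media-relay-keyword
ip-address 10.1.1.20 32
protocol tcp
signature context flow direction request plain-string X-Media-Relay/2
quit
quit
# Mode 3, triplet + keyword: two services share 10.1.1.30 TCP 8080, so the triplet alone is
# ambiguous and a response-side keyword tells them apart.
user-defined-application name hr-self-service
rule name hr-triplet-keyword
ip-address 10.1.1.30 32
protocol tcp
port 8080
signature context flow direction response plain-string Server:HR-Portal
quit
quit
user-defined-application name payroll-api
rule name payroll-triplet-keyword
ip-address 10.1.1.30 32
protocol tcp
port 8080
signature context flow direction response plain-string Server:Payroll-API
quit
quit
quit
# Back in the system view: a single commit after all applications are defined, because
# activation is slow and each commit re-activates the configuration.
engine configuration commit
```

When choosing the mode, note that a keyword-only rule is as good as the string it matches: a plain string that also appears in unrelated traffic on the same server will classify that traffic too, so prefer strings specific to the application (a product header or protocol banner) and constrain the rule with the server address where one is fixed.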
Configuring SA Flow Table Backup
Context
In a dual-gateway scenario, if no SA flow table information exists on the standby device, some application traffic may not be identified when the traffic is forwarded by the standby link upon disconnection of the active link. You can enable SA flow table backup to back up flow tables on the active device to the standby device, so that traffic can be identified when forwarded by the standby link.
Procedure
- Run system-view
The system view is displayed.
- Run forward-session-syn enable
SA flow table backup is enabled.
By default, the SA flow table backup function is disabled on devices.
- Run forward-session-syn local-ip local-ip local-data-port local-data-port
The local IP address and port number are set for SA flow table backup.
By default, no local IP address or port number for SA flow table backup is configured on a device.
- Run forward-session-syn peer-ip peer-ip peer-data-port peer-data-port
The remote IP address and port number are set for SA flow table backup.
By default, no remote IP address or port number for SA flow table backup is configured on a device.
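The following configuration listing is an added example, not taken from the product documentation, showing the procedure above applied on both gateways of a dual-gateway pair. The device names GW-A (active) and GW-B (standby), the interconnect addresses and the data port are constructed; the point it makes is that the local address and port on one device must be the peer address and port on the other.

```text
# Added example; device names, addresses and the port number are constructed.
# --- GW-A (active gateway) ---
system-view
forward-session-syn enable
forward-session-syn local-ip 192.168.255.1 local-data-port 7000
forward-session-syn peer-ip 192.168.255.2 peer-data-port 7000
# --- GW-B (standby gateway): the mirror image of GW-A ---
system-view
forward-session-syn enable
forward-session-syn local-ip 192.168.255.2 local-data-port 7000
forward-session-syn peer-ip 192.168.255.1 peer-data-port 7000
```

The backup channel carries the active device's flow table, that is, per-session identification state, to the standby. The documentation above does not describe any protection of that channel, so the conservative placement is a dedicated interconnect subnet between the two gateways rather than an address reachable from user networks, and the two configurations should be checked to mirror each other exactly before the active link is taken down for testing.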