NetEngine AR1000V V300R022 Command Reference

Firewall Configuration Commands

Support for Firewall Feature Name
bypass
clear firewall statistics system
clear firewall statistics zone
detect aspf
display firewall app session table
display firewall app table statistics
display firewall blacklist
display firewall blacklist configuration
display firewall defend
display firewall interzone
display firewall log configuration
display firewall session
display firewall statistics system
display firewall statistics zone
display firewall statistics zone-ip
display firewall whitelist
display firewall zone
display firewall-nat session aging-time
display port-mapping
display session
firewall blacklist
firewall blacklist enable
firewall black-white-list load configuration-file
firewall black-white-list save configuration-file
firewall defend all enable
firewall defend fraggle enable
firewall defend icmp-flood
firewall defend icmp-flood enable
firewall defend icmp-redirect enable
firewall defend icmp-unreachable enable
firewall defend ip-fragment enable
firewall defend ip-sweep
firewall defend ip-sweep enable
firewall defend land enable
firewall defend large-icmp
firewall defend large-icmp enable
firewall defend ping-of-death enable
firewall defend port-scan
firewall defend port-scan enable
firewall defend smurf enable
firewall defend syn-flood
firewall defend syn-flood enable
firewall defend tcp-flag enable
firewall defend teardrop enable
firewall defend tracert enable
firewall defend udp-flood
firewall defend udp-flood enable
firewall defend winnuke enable
firewall enable
firewall interzone
firewall log binary-log host
firewall log enable
firewall log log-interval
firewall log session nat enable
firewall statistics system connect-number
firewall statistics system enable
firewall whitelist
firewall zone
firewall-nat session aging-time
packet-filter
packet-filter logging
port-mapping
priority(security zone view)
reset firewall app table statistics
reset firewall session all
reset session all
reset firewall statistics system defend
session-log
statistics connect-number ip
statistics connect-number zone
statistics ip enable
statistics zone enable
zone

Support for Firewall Feature Name

Hardware Requirements

This section is applicable to all models. For details about differences for specific models, see the description in the corresponding section.

bypass

Function

The bypass command enables the packet filtering firewall bypass function in an interzone.

The undo bypass command disables the packet filtering firewall bypass function in an interzone.

By default, the packet filtering firewall bypass function is disabled in an interzone.

Format

bypass

undo bypass

Parameters

Parameter	Description	Value
session-overrun	Configures the device to create a flow table and forward traffic based on the flow table before the number of flow tables reaches the upper limit, and to create no flow table and forward traffic based on the interzone ACL policy after the number of flow tables reaches the upper limit. If this parameter is not specified, the device does not create a flow table and forwards traffic based on the interzone ACL policy.	-

Parameter

Description

Value

session-overrun

Configures the device to create a flow table and forward traffic based on the flow table before the number of flow tables reaches the upper limit, and to create no flow table and forward traffic based on the interzone ACL policy after the number of flow tables reaches the upper limit.

If this parameter is not specified, the device does not create a flow table and forwards traffic based on the interzone ACL policy.

Views

Interzone view

Default Level

2: Configuration level

Usage Guidelines

A packet filtering firewall builds a flow table based on source IP addresses, source ports, destination IP addresses, destination ports, and transport-layer protocol. There is a limit on the flow table size since it occupies memory resources. If the flow table size reaches the limit, traffic of new services will fail to be forwarded because they cannot obtain flow table resources. To address this issue, configure the packet filtering firewall bypass function in an interzone. This configuration allows traffic to be forwarded based on inter-zone ACL rules, without the need of building flow table entries.

After the packet filtering firewall bypass function is configured, the firewall supports only the packet filtering and packet filtering log functions.

Example

# Enable the packet filtering firewall bypass function in the interzone between zone1 and zone2.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] priority 5
[Huawei-zone-zone1] quit
[Huawei] firewall zone zone2
[Huawei-zone-zone2] priority 6
[Huawei-zone-zone2] quit
[Huawei] firewall interzone zone1 zone2
[Huawei-interzone-zone1-zone2] bypass

clear firewall statistics system

Function

The clear firewall statistics system command clears the statistics about normal packets in the system.

Format

clear firewall statistics system normal

Parameters

Parameter	Description	Value
normal	Indicates the statistics about normal packets.	-

Views

System view

Default Level

3: Management level

Usage Guidelines

To view the communication packets of a device within a specified period, run the clear firewall statistics system normal command to clear the previous packet statistics on the device first.

Example

# Clear the statistics about normal packets in the system.

<Huawei> system-view
[Huawei] clear firewall statistics system normal

clear firewall statistics zone

Function

The clear firewall statistics zone command clears the statistics about normal packets in a zone.

Format

clear firewall statistics zone zone-name

Parameters

Parameter	Description	Value
zone-name	Specifies the name of a zone.	The value must be the name of an existing zone.

Views

System view

Default Level

3: Management level

Usage Guidelines

To view the packets in a zone within a specified period, run the clear firewall statistics zone command to clear the previous packet statistics in the zone first.

Example

# Clear the statistics about normal packets in the zone zone1.

<Huawei> system-view
[Huawei] clear firewall statistics zone zone1

detect aspf

Function

The detect aspf command enables application specific packet filter (ASPF) in an interzone.

The undo detect aspf command disables ASPF in an interzone.

By default, ASPF is disabled in an interzone.

Format

detect aspf { ftp | rtsp | sip }

undo detect aspf { ftp | rtsp | sip }

Parameters

Parameter	Description	Value
ftp	Applies ASPF to the FTP protocol packets.	-
rtsp	Applies ASPF to the RTSP protocol packets.	-
sip	Applies ASPF to the SIP protocol packets.	-

Views

Interzone view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ASPF filters application-layer protocol packets. It is a status-based packet filtering method. ASPF can detect the sessions that attempt to traverse the application layer and deny the undesired packets.

Prerequisites

An interzone has been created using the firewall interzone command.

Example

# Enable ASPF for FTP packets in the interzone between zone1 and zone2.

<Huawei> system-view
[Huawei] firewall interzone zone1 zone2
[Huawei-interzone-zone2-zone1] detect aspf ftp

display firewall app session table

Function

The display firewall app session table command displays the application session table.

Format

display firewall app session table [ application-protocol { dns | ftp | http | pptp | rtsp | sip } ] [ source-ip ip-address [ port-number ] ] [ destination-ip ip-address [ port-number ] ]

Parameters

Parameter	Description	Value
application-protocol	Indicates the type of the application-layer protocol.	-
dns	Displays the application session table information of DNS packets.	-
ftp	Displays the application session table information of FTP packets.	-
http	Displays the application session table information of HTTP packets.	-
pptp	Displays the application session table information of PPTP packets.	-
rtsp	Displays the application session table information of RTSP packets.	-
sip	Displays the application session table information of SIP packets.	-
source-ip ip-address	Indicates the source IP address of flows.	The value is in dotted decimal notation.
destination-ip ip-address	Indicates the destination IP address of flows.	The value is in dotted decimal notation.
port-number	Indicates the port number.	The value is an integer that ranges from 1 to 65535.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display firewall app session table command displays information about a specified application session table or all application session tables. The application session table information is displayed only when some traffic is sent to the application layer.

Example

# Display information about all application session tables.

<Huawei> display firewall app session table
 The total number of session tables is 1.
  NO.1.
    APP-Protocol : RTSP
    Initiator-VPN: ----
    Responder-VPN: ----
    Connection Info:
      Initiator(IP:Port)         Responder(IP:Port)    Protocol
      10.7.11.2       :33713 ---> 10.5.11.2       :554   TCP(6)
      10.7.11.2       :33713 <--- 10.5.11.2       :554   TCP(6)

Table 16-48 Description of the display firewall app session table command output

Item	Description
NO.1.	The first entry in the session table.
APP-Protocol : RTSP	The application protocol is RTSP.
Initiator-VPN: ----	Source VPN name.
Responder-VPN: ----	Destination VPN name.
Connection Info:	Connection between source address and destination address.
Initiator(IP:Port)	Source IP address and port number.
Responder(IP:Port)	Destination IP address and port number.
Protocol	Transport protocol type (TCP/UDP).

display firewall app table statistics

Function

The display firewall app table statistics command displays statistics on firewall application entries.

Format

display firewall app { servermap | session } table statistics

Parameters

Parameter	Description	Value
servermap	Displays statistics on servermap entries at the application layer.	-
session	Displays statistics on session entries at the application layer.	-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view statistics on firewall Session entries and Servermap entries to facilitate firewall related fault diagnosis and troubleshooting.

Session entry: includes 5-tuple information (the protocol number, source IP address, source port number, destination IP address, and destination port number). When each session passes through the firewall, a session entry is created on the firewall.

Servermap entry: includes 3-tuple information (the protocol number, source IP address, and destination IP address). When the firewall uses a multi-channel protocol for communication, Servermap entries are created.

Example

# Display statistics on all session entries at the application layer.

<Huawei> display firewall app session table statistics
 App-inspect Session History Maximum Info:
 Maximum Number :115
 Record Time    :2013-09-22 12:19:05

Table 16-49 Description of the display firewall app session table statistics command output

Item	Description
App-inspect Session History Maximum Info	Information about maximum number of session entries in the history.
Maximum Number	Maximum number of session entries.
Record Time	Time when maximum number of session entries is recorded.

# Display statistics on all Servermap entries at the application layer.

<Huawei> display firewall app servermap table statistics
 App-inspect Servermap History Maximum Info:
 Maximum Number :115
 Record Time    :2013-09-22 12:19:31

Table 16-50 Description of the display firewall app servermap table statistics command output

Item	Description
App-inspect Servermap History Maximum Info	Information about maximum number of Servermap entries in the history.
Maximum Number	Maximum number of Servermap entries.
Record Time	Time when maximum number of Servermap entries is recorded.

display firewall blacklist

Function

The display firewall blacklist command displays the blacklist entries.

Format

display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | dynamic | static | vpn-instance vpn-instance-name }

Parameters

Parameter	Description	Value
all	Displays all the blacklist entries.	-
ip-address	Displays the blacklist entry matching a specified IP address.	The value is a valid IPv4 IP address.
dynamic	Displays the dynamic blacklist entries.	-
static	Displays the static blacklist entries.	-
vpn-instance vpn-instance-name	Indicates the name of the VPN instance that the specified IP address belongs to.	The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display all the blacklist entries.

<Huawei> display firewall blacklist all
Firewall blacklist items :
------------------------------------------------------------------------
IP-Address      Reason       Expire-Time(m)    VPN-Instance
------------------------------------------------------------------------
10.1.1.1        Manual       100
------------------------------------------------------------------------
 Total number is : 1

Table 16-51 Description of the display firewall blacklist command output

Item	Description
IP-Address	IP address in a blacklist entry.
Reason	Reason why a blacklist entry is generated, including: IPSweep: The entry is generated because of an IP address sweeping attack. Manual: The entry is added to the blacklist manually. PortScan: The entry is generated because of a port scanning attack.
Expire-Time(m)	Aging time of a blacklist entry. m indicates minute. If the Permanent keyword is used, the entry will be valid permanently. To configure a blacklist entry, run the firewall blacklist command.
VPN-Instance	Name of the VPN instance that the IP address in a blacklist entry belongs to.
Total number is : 1	There is a total of one entry in the blacklist.

display firewall blacklist configuration

Function

The display firewall blacklist configuration command displays the status of the blacklist function.

Format

display firewall blacklist configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Check whether the blacklist function is enabled on the device.

<Huawei> display firewall blacklist configuration
Info:Blacklist is disabled.

Table 16-52 Description of the display firewall blacklist configuration command output

Item	Description
Info:Blacklist is disabled	The blacklist function is disabled. To enable the blacklist function, run the firewall blacklist enable command.

Item

Description

Info:Blacklist is disabled

The blacklist function is disabled.

To enable the blacklist function, run the firewall blacklist enable command.

display firewall defend

Function

The display firewall defend command displays the status and configurations of the attack defense functions. For the Flood attack defense function, you can also view the attack defense configuration of the specified zone or IP address.

Format

display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type }

Parameters

Parameter	Description	Value
flag	Displays the status of all the attack defense functions.	-
icmp-flood	Displays the configuration of the ICMP Flood attack defense.	-
syn-flood	Displays the configuration of the SYN Flood attack defense.	-
udp-flood	Displays the configuration of the UDP Flood attack defense.	-
ip [ ip-address ]	Displays the Flood attack defense function configured for the specified IP address.	The value is a valid IPv4 IP address.
vpn-instance vpn-instance-name	Indicates the name of the VPN instance that the specified IP address belongs to.	The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.
zone [ zone-name ]	Displays the Flood attack defense function configured for the specified zone.	The value of zone-name is a string of 1 to 32 case-sensitive characters. It must be an existing zone name.
other-attack-type	Displays the configurations of other attack defense except for the Flood attack defense.	The other types of attacks include: fraggle icmp-redirect icmp-unreachable ip-fragment ip-sweep land large-icmp ping-of-death port-scan smurf tcp-flag teardrop tracert winnuke

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the status of each attack defense function.

<Huawei> display firewall defend flag

--------------------------------
  Type                  Flag
--------------------------------
  land                 : disable
  smurf                : disable
  fraggle              : disable
  winnuke              : disable
  syn-flood            : disable
  udp-flood            : disable
  icmp-flood           : disable
  icmp-redirect        : disable
  icmp-unreachable     : disable
  ip-sweep             : disable
  port-scan            : disable
  tracert              : disable
  ping-of-death        : disable
  teardrop             : disable
  tcp-flag             : disable
  ip-fragment          : disable
  large-icmp           : disable
--------------------------------

# Display the configuration of IP address sweeping attack defense.

<Huawei> display firewall defend ip-sweep

  defend-flag          : disable
  max-rate             : 4000  (pps)
  blacklist-expire-time : 20    (m)

Table 16-53 Description of the display firewall defend command output

Item	Description
Type	Type of attacks to defend against.
Flag	Flag indicating whether attack defense is enabled. disable: Attack defense is disabled. enable: Attack defense is enabled.
defend-flag	Flag indicating whether attack defense is enabled. disable: Attack defense is disabled. enable: Attack defense is enabled.
max-rate	Maximum session rate of address scanning attack defense, in pps. To set the maximum session rate of address scanning attack defense, run the firewall defend ip-sweep command.
blacklist-expire-time	Timeout interval of the blacklist. To set the timeout interval of the blacklist, run the firewall defend ip-sweep command.

display firewall interzone

Function

The display firewall interzone command displays information about an interzone.

Format

display firewall interzone [ zone-name1 zone-name2 ]

Parameters

Parameter	Description	Value
zone-name1	Specifies the name of a zone included in the interzone.	The name is a string of 1 to 32 case-sensitive characters. zone-name1 must be a zone name created by the firewall zone command.
zone-name2	Specifies the name of a zone included in the interzone.	The name is a string of 1 to 32 case-sensitive characters. zone-name2 must be a zone name created by the firewall zone command.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can use the display firewall interzone command to obtain information about an interzone.

Example

# Display information about the interzone between zone1 and zone2.

<Huawei> display firewall interzone zone1 zone2
interzone zone2 zone1
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound
 session-log 3000 inbound
 detect aspf ftp
 bypass

Table 16-54 Description of the display firewall interzone command output

Item	Description
interzone zone2 zone1	Interzone between two zones. To configure an interzone, run the firewall interzone command.
firewall enable	Firewall function is enabled in the interzone. To enable the firewall function, run the firewall enable command.
session-log 2006 inbound	Firewall logs are recorded based on filtering rules in ACL 2006. To reference an ACL, run the session-log command.
packet-filter default permit inbound	Default inbound packet filtering rule in an interzone: permit. To configure a packet filtering rule, run the packet-filter command.
packet-filter default deny outbound	Default outbound packet filtering rule in an interzone: deny. To configure a packet filtering rule, run the packet-filter command.
detect aspf ftp	ASPF is enabled for FTP packets. To enable ASPF, run the detect aspf command.
bypass	The packet filtering firewall bypass function is enabled in an interzone. To enable this function, run the bypass command.

display firewall log configuration

Function

The display firewall log configuration command displays the global configuration of the firewall logging functions.

Format

display firewall log configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the global configuration of the firewall logging functions.

<Huawei> display firewall log configuration
defend log :
  status : enabled
  log-interval : 30 s
statistics log :
  status : enabled
  log-interval : 30 s
blacklist log :
  status : enabled
  log-interval : 30 s
session log :
  status : enabled
  log-interval : 30 s
  nat-session : disabled
binary-log host :
  host                   source                 VPN instance-name
  ----:--                ----:--                ---     
packet filter log :
  status : disabled
  log-interval : 30 s

Table 16-55 Description of the display firewall log configuration command output

Item	Description
status	Status of a firewall logging function. enable indicates that the logging function is enabled; disable indicates that the logging function is disabled.
log-interval	Interval for exporting logs.
nat-session	Status of NAT session logs. enable indicates that the logging function is enabled; disable indicates that the logging function is disabled.
host	IP address and port number of the log server.
source	IP address and port number used by the device to communicate with the log server.
VPN instance-name	Name of a VPN instance.

display firewall session

Function

The display firewall session command displays the firewall session table.

Format

display firewall session { all [ verbose ] | number }

display firewall session destination destination-address [ destination-port ] [ verbose ]

display firewall session source source-address [ source-port ] [ destination destination-address [ destination-port ] ] [ verbose ]

display firewall session protocol { protocol-number | protocol-name } [ source source-address [ source-port ] ] [ destination destination-address [ destination-port ] ] [ verbose ]

Parameters

Parameter	Description	Value
all	Displays all entries in the firewall session table.	-
verbose	Displays details about the firewall session table.	-
number	Displays the number of entries in the firewall session table.	-
protocol { protocol-number \| protocol-name }	Displays entries with a specified protocol number or protocol type.	The value of protocol-number is an integer that ranges from 1 to 255. The value of protocol-name can be ICMP, TCP, or UDP.
source source-address [ source-port ]	Displays entries with a specified source IP address or both a source IP address and a source port number. source-address specifies the source IP address of packets. source-port specifies the source port number of packets.	source-address is in dotted decimal notation. The value of source-port is an integer that ranges from 1 to 65535.
destination destination-address[ destination-port ]	Displays entries with a specified destination IP address or both a destination IP address and a destination port number. destination-address specifies the destination IP addresses of packets. destination-port specifies the destination port number of packets.	destination-address is in dotted decimal notation. The value of destination-port is an integer that ranges from 1 to 65535.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check information about a firewall session table.

Example

# Display the number of entries in the session table.

<Huawei> display firewall session number
  The total number of firewall session tables is: 1

# Display details about all entries in the session table.

<Huawei> display firewall session all verbose
   Firewall Session Table Information:
       Protocol          : TCP(6)
       SrcAddr  Port Vpn : 10.6.34.204    114   vpn1
       DestAddr Port Vpn : 10.1.1.1         21
       Time To Live      : 120 s
       Firewall-Info
         InZone          : a
         OutZone         : b

   Total : 1

Table 16-56 Description of the display firewall session all verbose command output

Item	Description
Protocol	Protocol type.
SrcAddr Port Vpn	Source address, service port number, and VPN instance name.
DestAddr Port Vpn	Destination address, service port number, and VPN instance name.
Time To Live	Lifetime of the session table entries.
Firewall-Info	Firewall information.
InZone	Inbound zone name.
OutZone	Outbound zone name.
Total	Number of entries in the firewall session table.

display firewall statistics system

Function

The display firewall statistics system command displays traffic statistics on the firewall.

Format

display firewall statistics system [ normal all | defend ]

Parameters

Parameter	Description	Value
normal all	Displays the statistics about packets passing the firewall.	-
defend	Displays the statistics about attack packets passing the firewall.	-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When you run the display firewall statistics system command without specifying any parameters, the upper and lower thresholds for controlling the TCP, UDP, ICMP, TCP proxy, and IP fragment packets (session number) are displayed.

Example

# Display the global traffic thresholds set on the firewall.

<Huawei> display firewall statistics system
 --------------------------------------------------------------------           
             Global system statistics config information                        
 --------------------------------------------------------------------   
  Is enable          0                 <enable : 1  disable : 0 >
 ---------------------------------High---------------------Low-------           
 Tcp connect-number               16384                   12288                 
                                                                                
 Udp connect-number               16384                   12288                 
                                                                                
 Icmp connect-number              16384                   12288                 
                                                                                
 Tcp-proxy connect-number         16384                   12288                 
                                                                                
 Frag connect-number              16384                   12288                 
                                                                                
 --------------------------------------------------------------------

# Display the statistics of packets passing the firewall.

<Huawei> display firewall statistics system normal all
IPv4 statistics:                                                                
HistoryTcpTotal-------------0                                                   
CurTcpTearTotal-------------0                                                   
HistoryUdpTotal-------------0                                                   
CurUdpTearTotal-------------0                                                   
HistoryIcmpTotal------------0                                                   
CurIcmpTearTotal------------0                                                   
HisTcpProxyTotal------------0                                                   
CurTcpProxyTearTotal--------0                                                   
HistoryFragTotal------------0                                                   
CurFragTearTotal------------0                                                   
IPv6 statistics:                                                                
HistoryIPv6Total------------0                                                   
CurTcpIPv6TearTotal---------0                                                   
HistoryUdpIPv6Total---------0                                                   
CurUdpIPv6TearTotal---------0                                                   
HistoryIcmpV6Total----------0                                                   
CurIcmpV6TearTotal----------0                                                   
HistoryIPv6FragTotal--------0                                                   
CurIPv6FragTearTotal--------0

Table 16-57 Description of the display firewall statistics system normal all command output

Item	Description
IPv4 statistics:	IPv4 traffic statistics on the firewall.
HistoryTcpTotal	Number of historical TCP connections.
CurTcpTearTotal	Number of TCP current connections.
HistoryUdpTotal	Number of history UDP connections.
CurUdpTearTotal	Number of UDP current connections.
HistoryIcmpTotal	Number of history ICMP connections.
CurIcmpTearTotal	Number of ICMP current connections.
HisTcpProxyTotal	Number of historical TCP proxy connections.
CurTcpProxyTearTotal	Number of TCP current proxy connections.
HistoryFragTotal	Number of historical fragment flow entries.
CurFragTearTotal	Number of current fragment flow entries.
IPv6 statistics:	IPv6 traffic statistics on the firewall.
HistoryIPv6Total	Number of historical TCP IPv6 connections.
CurTcpIPv6TearTotal	Number of TCP IPv6 connections that are torn down.
HistoryUdpIPv6Total	Number of historical UDP IPv6 connections.
CurUdpIPv6TearTotal	Number of UDP IPv6 connections that are torn down.
HistoryIcmpV6Total	Number of historical ICMPv6 connections
CurIcmpV6TearTotal	Number of ICMPv6 connections that are torn down.
HistoryIPv6FragTotal	Number of historical IPv6 fragment flow entries.
CurIPv6FragTearTotal	Number of current IPv6 fragment flow entries.

# Display the statistics on attack packets passing the firewall.

<Huawei> display firewall statistics system defend
 --------------------FW GLOBAL DEFEND TABLE--------------------
DropID[710]               0 FW_INTERZONE_DENY_DROP                 
DropID[715]               0 FW_ACL_FILTER_DENY_DROP                
DropID[736]               0 FW_GLOBAL_UDP_CONNECT_DROP             
DropID[737]               0 FW_GLOBAL_TCP_CONNECT_DROP             
DropID[738]               0 FW_GLOBAL_ICMP_CONNECT_DROP            
DropID[739]               0 FW_GLOBAL_TCP_PROXY_CONNECT_DROP       
DropID[740]               0 FW_ZONE_IN_UDP_CONNECT_DROP            
DropID[741]               0 FW_ZONE_OUT_UDP_CONNECT_DROP           
DropID[742]               0 FW_ZONE_IN_TCP_CONNECT_DROP            
DropID[743]               0 FW_ZONE_OUT_TCP_CONNECT_DROP           
DropID[744]               0 FW_ZONE_IN_ICMP_CONNECT_DROP           
DropID[745]               0 FW_ZONE_OUT_ICMP_CONNECT_DROP          
DropID[746]               0 FW_ZONE_IP_IN_UDP_CONNECT_DROP         
DropID[747]               0 FW_ZONE_IP_OUT_UDP_CONNECT_DROP        
DropID[748]               0 FW_ZONE_IP_IN_TCP_CONNECT_DROP         
DropID[749]               0 FW_ZONE_IP_OUT_TCP_CONNECT_DROP        
DropID[750]               0 FW_ZONE_IP_IN_ICMP_CONNECT_DROP        
DropID[751]               0 FW_ZONE_IP_OUT_ICMP_CONNECT_DROP       
DropID[752]               0 FW_GLOBAL_FRAG_CONNECT_DROP            
DropID[764]               0 FW_LAND_DEFEND_DROP                    
DropID[765]               0 FW_SMURF_DEFEND_DROP                   
DropID[766]               0 FW_FRAGGLE_DEFEND_DROP                 
DropID[767]               0 FW_WINNUKE_DEFEND_DROP                 
DropID[768]               0 FW_CONNECT_SYNFLOOD_DEFEND_DROP        
DropID[769]               0 FW_CONNECT_ICMPFLOOD_DEFEND_DROP       
DropID[770]               0 FW_CONNECT_UDPFLOOD_DEFEND_DROP        
DropID[771]               0 FW_ICMPREDIRECT_DEFEND_DROP            
DropID[772]               0 FW_ICMPUNREACHABLE_DEFEND_DROP         
DropID[773]               0 FW_IPSWEEP_DEFEND_DROP                 
DropID[774]               0 FW_PORTSCAN_DEFEND_DROP                
DropID[775]               0 FW_TRACERT_DEFEND_DROP                 
DropID[776]               0 FW_PINGOFDEATH_DEFEND_DROP             
DropID[777]               0 FW_TEARDROP_DEFEND_DROP                
DropID[778]               0 FW_TCPFLAG_DEFEND_DROP                 
DropID[779]               0 FW_IPFRAGMENT_DEFEND_DROP              
DropID[780]               0 FW_LARGEICMP_DEFEND_DROP               
DropID[781]               0 FW_BLACKIPLIST_DEFEND_DROP             
DropID[782]               0 FW_FLOW_SYNFLOOD_DEFEND_DROP           
DropID[783]               0 FW_FLOW_ICMPFLOOD_DEFEND_DROP          
DropID[784]               0 FW_FLOW_UDPFLOOD_DEFEND_DROP           
DropID[785]               0 FW_FRAG_SESSION_NUM_OVER_DROP          
DropID[786]               0 FW_TEARDROP_BAD_IPLEN_DROP

Table 16-58 Description of the display firewall statistics system defend command output

Item	Description
FW_INTERZONE_DENY_DROP	Number of packets rejected by the firewall.
FW_ACL_FILTER_DENY_DROP	Number of packets rejected by the ACL.
FW_GLOBAL_UDP_CONNECT_DROP	Number of discarded packets of excess global UDP connections.
FW_GLOBAL_TCP_CONNECT_DROP	Number of discarded packets of excess global TCP connections.
FW_GLOBAL_ICMP_CONNECT_DROP	Number of discarded packets of excess global ICMP connections.
FW_GLOBAL_TCP_PROXY_CONNECT_DROP	Number of discarded packets of excess global split TCP proxy connections initiated globally.
FW_ZONE_IN_UDP_CONNECT_DROP	Number of discarded incoming packets of excess UDP connections in a zone.
FW_ZONE_OUT_UDP_CONNECT_DROP	Number of discarded outgoing packets of excess UDP connections.
FW_ZONE_IN_TCP_CONNECT_DROP	Number of discarded incoming packets of excess TCP connections in a zone.
FW_ZONE_OUT_TCP_CONNECT_DROP	Number of discarded outgoing packets of excess TCP connections in a zone.
FW_ZONE_IN_ICMP_CONNECT_DROP	Number of discarded incoming packets of excess ICMP connections.
FW_ZONE_OUT_ICMP_CONNECT_DROP	Number of discarded outgoing packets of excess ICMP connections in a zone.
FW_ZONE_IP_IN_UDP_CONNECT_DROP	Number of discarded incoming packets of excess UDP connections.
FW_ZONE_IP_OUT_UDP_CONNECT_DROP	Number of discarded outgoing packets of excess UDP connections.
FW_ZONE_IP_IN_TCP_CONNECT_DROP	Number of discarded incoming packets of excess TCP connections.
FW_ZONE_IP_OUT_TCP_CONNECT_DROP	Number of discarded outgoing packets of excess TCP connections.
FW_ZONE_IP_IN_ICMP_CONNECT_DROP	Number of discarded incoming packets of excess ICMP connections.
FW_ZONE_IP_OUT_ICMP_CONNECT_DROP	Number of discarded outgoing packets of excess ICMP connections.
FW_GLOBAL_FRAG_CONNECT_DROP	Number of discarded packets of excess fragment connections initiated globally.
FW_LAND_DEFEND_DROP	Number of discarded Land attack packets.
FW_SMURF_DEFEND_DROP	Number of discarded Smurf attack packets.
FW_FRAGGLE_DEFEND_DROP	Number of discarded Fraggle attack packets.
FW_WINNUKE_DEFEND_DROP	Number of discarded Winnuke attack packets.
FW_CONNECT_SYNFLOOD_DEFEND_DROP	Number of discarded initial packets of SYN flood attacks.
FW_CONNECT_ICMPFLOOD_DEFEND_DROP	Number of discarded initial packets of ICMP flood attacks.
FW_CONNECT_UDPFLOOD_DEFEND_DROP	Number of discarded initial packets of UDP flood attacks.
FW_ICMPREDIRECT_DEFEND_DROP	Number of discarded ICMP redirection attack packets.
FW_ICMPUNREACHABLE_DEFEND_DROP	Number of discarded ICMP unreachable attack packets.
FW_IPSWEEP_DEFEND_DROP	Number of discarded IP scanning attack packets.
FW_PORTSCAN_DEFEND_DROP	Number of discarded port scanning attack packets.
FW_TRACERT_DEFEND_DROP	Number of discarded Tracert attack packets.
FW_PINGOFDEATH_DEFEND_DROP	Number of discarded ping of death attack packets.
FW_TEARDROP_DEFEND_DROP	Number of discarded Teardrop attack packets.
FW_TCPFLAG_DEFEND_DROP	Number of discarded malformed TCP attack packets.
FW_IPFRAGMENT_DEFEND_DROP	Number of discarded IP fragment attack packets.
FW_LARGEICMP_DEFEND_DROP	Number of discarded large-sized ICMP attack packets.
FW_BLACKIPLIST_DEFEND_DROP	Number of discarded blacklisted attack packets.
FW_FLOW_SYNFLOOD_DEFEND_DROP	Number of discarded non-initial SYN flood attack packets.
FW_FLOW_ICMPFLOOD_DEFEND_DROP	Number of discarded non-initial ICMP flood attack packets.
FW_FLOW_UDPFLOOD_DEFEND_DROP	Number of discarded non-initial UDP flood attack packets.
FW_FRAG_SESSION_NUM_OVER_DROP	Number of discarded excess fragments.
FW_TEARDROP_BAD_IPLEN_DROP	Number of discarded invalid packets.

display firewall statistics zone

Function

The display firewall statistics zone command displays traffic statistics and monitoring information in a zone.

Format

display firewall statistics zone zone-name { inzone | outzone } all

Parameters

Parameter	Description	Value
zone-name	Indicates the name of a zone.	The value must be the name of an existing zone.
inzone	Displays the statistics about the traffic entering the zone.	-
outzone	Displays the statistics about the traffic leaving the zone.	-
all	Displays the statistics about the traffic entering and leaving the zone.	-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display firewall statistics zone command displays the number of current sessions and historical sessions in the inbound or outbound direction of a zone and the number of HTTP, FTP, or DNS packets in a certain direction.

Example

# Display the inbound packet statistics of zone1.

<Huawei> display firewall statistics zone zone1 inzone all
ZoneID:0  Direction:IN
InTcpSetupTotal-----------------0
InTcpTearTotal------------------0
InUdpSetupTotal-----------------0
InUdpTearTotal------------------0
InIcmpSetupTotal----------------0
InIcmpTearTotal-----------------0

# Display the outbound packet statistics of zone1.

<Huawei> display firewall statistics zone zone1 outzone all
ZoneID:0  Direction:OUT
OutTcpSetupTotal-----------------0
OutTcpTearTotal------------------0
OutUdpSetupTotal-----------------0
OutUdpTearTotal------------------0
OutIcmpSetupTotal----------------0
OutIcmpTearTotal-----------------0

Table 16-59 Description of the display firewall statistics zone command output

Item	Description
InTcpSetupTotal / OutTcpSetupTotal	Number of TCP connections in inbound and outbound directions.
InTcpTearTotal / OutTcpTearTotal	Number of deleted TCP connections in inbound and outbound directions.
InUdpSetupTotal / OutUdpSetupTotal	Number of UDP connections in inbound and outbound directions.
InUdpTearTotal / OutUdpTearTotal	Number of deleted UDP connections in inbound and outbound directions.
InIcmpSetupTotal / OutIcmpSetupTotal	Number of ICMP connections in inbound and outbound directions.
InIcmpTearTotal / OutIcmpTearTotal	Number of deleted ICMP connections in inbound and outbound directions.

display firewall statistics zone-ip

Function

The display firewall statistics zone-ip command displays the status of traffic monitoring function and session thresholds for each protocol.

Format

display firewall statistics zone-ip zone-name

Parameters

Parameter	Description	Value
zone-name	Indicates the name of a zone.	The value must be the name of an existing zone.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the traffic monitoring function is enabled and the session thresholds of each protocol are set, you can run the display firewall statistics zone-ip command to view the traffic monitoring information of the zone.

Example

# Display the configuration of traffic monitoring in zone2.

<Huawei> display firewall statistics zone-ip zone2
 --------------------------------------------------------------------           
                 Zone statistics config information                             
 -------------------------------------------------------------------- 
 Zone in enable          0              <enable : 1  disable : 0>    
 ---------------------------------High---------------------Low-------           
 Tcp connect-number               16384                   12288                 
                                                                                
 Udp connect-number               16384                   12288                 
                                                                                
 Icmp connect-number              16384                   12288                 
                                                                                
 --------------------------------------------------------------------
 Zone out enable         0              <enable : 1  disable : 0>   
 --------------------------------------------------------------------           
 Tcp connect-number               16384                   12288                 
                                                                                
 Udp connect-number               16384                   12288                 
                                                                                
 Icmp connect-number              16384                   12288                 
                                                                                
 --------------------------------------------------------------------    
 Ip in enable           0              <enable : 1  disable : 0> 
 --------------------------------------------------------------------           
 Tcp connect-number               16384                   12288                 
                                                                                
 Udp connect-number               16384                   12288                 
                                                                                
 Icmp connect-number              16384                   12288                 
                                                                                
 --------------------------------------------------------------------   
 Ip out enable          0              <enable : 1  disable : 0>     
 --------------------------------------------------------------------           
 Tcp connect-number               16384                   12288                 
                                                                                
 Udp connect-number               16384                   12288                 
                                                                                
 Icmp connect-number              16384                   12288                 
                                                                                
 --------------------------------------------------------------------

display firewall whitelist

Function

The display firewall whitelist command displays entries in the whitelist.

Format

display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name }

Parameters

Parameter	Description	Value
all	Displays all the entries in the whitelist.	-
ip-address	Displays the whitelist entry matching the specified IP address.	The value is a valid IPv4 IP address in dotted decimal notation.
vpn-instance vpn-instance-name	Indicates the name of the VPN instance that the specified IP address belongs to.	The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display all the whitelist entries on the device.

<Huawei> display firewall whitelist all
Firewall whitelist items  :
------------------------------------------------------------------------
IP-Address     Expire-Time(m)  VPN-Instance
------------------------------------------------------------------------
10.1.1.1         3             vpn1
10.1.1.2         Permanent     vpn2
10.1.1.3         6             
 ------------------------------------------------------------------------
 Total number is : 3

Table 16-60 Description of the display firewall whitelist command output

Item	Description
IP-Address	IP address in a whitelist entry.
VPN-Instance	Name of the VPN instance that the IP address in a whitelist entry belongs to.
Expire-Time(m)	Aging time of a whitelist entry, in minutes.
Total number is : 3	There are a total of three entries in the whitelist.

display firewall zone

Function

The display firewall zone command displays the configuration of a specified zone or all zones.

Format

display firewall zone [ zone-name ] [ interface | priority ]

Parameters

Parameter	Description	Value
zone-name	Displays the configuration of a specified zone.	The value is a string of 1 to 32 case-sensitive characters. The character string cannot contain name or -.
interface	Displays the interfaces added to the zone.	-
priority	Displays the priorities of all zones.	-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display information about all zones configured on the device.

<Huawei> display firewall zone
zone zone1
 priority is 5
 interface of the zone is (total number 1):
 Vlanif77
 
 total number is : 1

Table 16-61 Description of the display firewall interzone command output

Item	Description
zone zone1	Security zone named zone1. To configure a security zone, run the firewall zone command.
priority is 5	Priority of a security zone: 5. To configure the priority for a security zone, run the priority command.
interface of the zone is (total number 1): Vlanif77	One interface, VLANIF 77, has been added to the zone. To add interfaces a zone, run the zone command.
total number is : 1	There is a total of one zone on the device.

display firewall-nat session aging-time

Function

The display firewall-nat session aging-time command displays the timeout interval of entries in the firewall session table or NAT session table.

Format

display firewall-nat session aging-time

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays the timeout interval of sessions on the firewall session table or NAT session table.

Example

# Display the timeout time of all entries in the session table.

<Huawei> display firewall-nat session aging-time
---------------------------------------------                                   
Protocol timeout:
  tcp protocol timeout         : 600   (s)                                      
  tcp-proxy timeout            : 10    (s)                                      
  http protocol timeout        : 120   (s)                                      
  udp protocol timeout         : 120   (s) 
  icmp protocol timeout        : 20    (s)                                      
  dns protocol timeout         : 120   (s)                                      
  ftp protocol timeout         : 120   (s)                                      
  ftp-data protocol timeout    : 120   (s)                                      
  rtsp protocol timeout        : 60    (s)                                      
  rtsp-media protocol timeout  : 120   (s)                                      
  sip protocol timeout         : 1800  (s)                                      
  sip-media protocol timeout   : 120   (s)                                      
User-define port timeout:
  tcp protocol port 10001     : 65535 (s)                                       
  tcp protocol port 1         : 111   (s)                                       
  tcp protocol port 4443      : 65535 (s)                                       
  tcp protocol port 181       : 180   (s)                                       
  udp protocol port 180       : 180   (s)                                       
  udp protocol port 182       : 208   (s)           
---------------------------------------------

Table 16-62 Description of the display firewall-nat session aging-time command output

Item	Description
Protocol timeout	Session timeout interval of each protocol.
tcp protocol timeout	Timeout interval of TCP connections. The default value is 600, in seconds.
tcp-proxy timeout	Timeout interval of the TCP proxy. The default value is 10, in seconds.
udp protocol timeout	Timeout interval of UDP connections. The default value is 120, in seconds.
icmp protocol timeout	Timeout interval of ICMP connections. The default value is 20, in seconds.
dns protocol timeout	Timeout interval of the DNS protocol. The default value is 120, in seconds.
http protocol timeout	Timeout interval of the HTTP connections. The default value is 120, in seconds.
ftp protocol timeout	Timeout interval of the FTP control connection. The default value is 120, in seconds.
ftp-data protocol timeout	Timeout interval of the FTP connections. The default value is 120, in seconds.
sip protocol timeout	Timeout interval of the SIP protocol. The default value is 1800, in seconds.
sip-media protocol timeout	Timeout interval of the SIP media protocol. The default value is 120, in seconds.
rtsp protocol timeout	Timeout interval of the RTSP protocol. The default value is 60, in seconds.
rtsp-media protocol timeout	Timeout interval of the RTSP media protocol. The default value is 120, in seconds.
User-define port timeout	Timeout interval of a connection with a user-defined port as the destination port.
tcp protocol port port-number	Timeout interval of a data connection with a user-defined TCP port as the destination port. The default value is the default data connection timeout interval of the corresponding protocol, in seconds.
udp protocol port port-number	Timeout interval of a data connection with a user-defined UDP port as the destination port. The default value is the default data connection timeout interval of the corresponding protocol, in seconds.

display port-mapping

Function

The display port-mapping command displays mappings between the specified application-layer protocols and ports.

Format

Parameters

Parameter	Description	Value
dns	Displays the mapping between the DNS protocol and port.	-
ftp	Displays the mapping between the FTP protocol and port.	-
http	Displays the mapping between the HTTP protocol and port.	-
rtsp	Displays the mapping between the RTSP protocol and port.	-
sip	Displays the mapping between the SIP protocol and port.	-
port port-number	Displays the mapping between the specified port and the application-layer protocol.	The value is an integer that ranges from 1 to 65535.
pptp	Displays the mapping between the PPTP protocol and port.	-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display port-mapping command displays the port mappings, including the mappings between application-layer protocols and ports, condition (ACL) in which each mapping takes effect, and the type of each mapping (defined by the system or user).

Example

# Display the mapping between the DNS protocol and port.

<Huawei> display port-mapping dns
 -------------------------------------------------
  Service    Port       Acl        Type  
 -------------------------------------------------
  dns          53                  system defined
 ------------------------------------------------- 
 Total number is : 1

Table 16-63 Description of the display port-mapping command output

Item	Description
Service	Type of the application-layer protocol.
Port	Port number.
Acl	Number of the ACL for mappings.
Type	Mapping type. system defined: default mapping. user defined: mapping defined by the user.
Total number is : 1	The total number of mappings is 1.

display session

Function

The display session command displays the session table information.

Format

display session { all [ verbose ] | number }

display session destination destination-address [ destination-port ] [ verbose ]

display session source source-address [ source-port ] [ destination destination-address [ destination-port ] ] [ verbose ]

display session protocol { protocol-number | protocol-name } [ source source-address [ source-port ] ] [ destination destination-address [ destination-port ] ] [ verbose ]

Parameters

Parameter	Description	Value
all	Displays all session table information.	-
verbose	Displays detailed information about the session table.	-
number	Displays the number of entries in the session table.	-
protocol { protocol-number \| protocol-name }	Displays entries with a specified protocol number or protocol type.	The value of protocol-number is an integer that ranges from 1 to 255. The value of protocol-name can be ICMP, TCP, or UDP.
source source-address [ source-port ]	Displays entries with a specified source IP address or both a source IP address and a source port number. source-address specifies the source IP address of packets. source-port specifies the source port number of packets.	source-address is in dotted decimal notation. The value of source-port is an integer that ranges from 1 to 65535.
destination destination-address [ destination-port ]	Displays entries with a specified destination IP address or both a destination IP address and a destination port number. destination-address specifies the destination IP addresses of packets. destination-port specifies the destination port number of packets.	destination-address is in dotted decimal notation. The value of destination-port is an integer that ranges from 1 to 65535.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check information about a firewall session table, NAT session table, or a common session table.

Example

# Display the number of entries in the session table.

<Huawei> display session number
  The total number of session tables is: 1

# Display details about all entries in the session table.

<Huawei> display session all verbose
   Session Table Information:
     Protocol          : TCP(6)
     SrcAddr  Port Vpn : 10.200.200.200 65532 vpn1
     DestAddr Port Vpn : 10.100.100.100 1024
     Time To Live      : 60 s
     NAT-Info
       New SrcAddr     : 10.10.10.10
       New SrcPort     : 10240
       New DestAddr    : 10.30.30.30
       New DestPort    : 21
     Firewall-Info        
       InZone          : a
       OutZone         : b

   Total : 1

Table 16-64 Description of the display session all verbose command output

Item	Description
Protocol	Protocol type.
SrcAddr Port Vpn	Source address, service port number, and VPN instance name.
DestAddr Port Vpn	Destination address, service port number, and VPN instance name.
Time To Live	Lifetime of the session table entries.
NAT-Info	NAT information.
New SrcAddr	Translated source IP address.
New SrcPort	Translated source port.
New DestAddr	Translated destination IP address.
New DestPort	Translated destination port.
Firewall-Info	Firewall information.
InZone	Inbound zone name.
OutZone	Outbound zone name.
Total	Number of entries in the session table.

firewall blacklist

Function

The firewall blacklist command adds an entry to the blacklist.

The undo firewall blacklist command deletes an entry from the blacklist.

Format

firewall blacklist ip-address [ vpn-instance vpn-instance-name ] [ expire-time minutes ]

undo firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name }

Parameters

Parameter	Description	Value
ip-address	Indicates the IP address that you want to add to the blacklist.	The value is a valid IPv4 IP address.
vpn-instance vpn-instance-name	Indicates the name of the VPN instance that the specified IP address belongs to.	The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.
expire-time minutes	Specifies the aging time of a blacklist entry.	The value is an integer that ranges from 1 to 1000, in minutes. NOTE: If this parameter is not set, the entry is always valid.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After an IP address is added to the blacklist by the firewall blacklist command, the firewall denies the packets from this IP address until this entry ages.

An IP address cannot exist in both the whitelist and blacklist.

The blacklist entry with an aging time is not written into the configuration file. You can view it using the display firewall blacklist command.

Example

# Add IP address 192.168.10.10 to the blacklist entry and set its aging time to 100 minutes.

<Huawei> system-view
[Huawei] firewall blacklist 192.168.10.10 expire-time 100

firewall blacklist enable

Function

The firewall blacklist enable command enables the blacklist function.

The undo firewall blacklist enable command disables the blacklist function.

By default, the blacklist function is disabled.

Format

firewall blacklist enable

undo firewall blacklist enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Configurations of the blacklist take effect only after you run the firewall blacklist enable command to enable the blacklist function.

Precautions

A blacklist entry can be manually configured or automatically generated.

After you run the firewall defend ip-sweep enable command to enable defense against address scanning attacks, the device adds attacking IP addresses to the blacklist.

After you run the firewall defend port-scan enable command to enable defense against port scanning attacks, the device adds attacking ports to the blacklist.

Example

# Enable the blacklist function.

<Huawei> system-view
[Huawei] firewall blacklist enable

firewall black-white-list load configuration-file

Function

The firewall black-white-list load configuration-file command loads the configuration file of blacklist and whitelist.

Format

firewall black-white-list load configuration-file configuration-file-name

Parameters

Parameter	Description	Value
configuration-file-name	Indicates the name of the configuration file.	The value is a string of 1 to 127 characters in the format [drive][file-name] (the default drive is flash:/). The configuration file is in txt format.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can batch configure entries in the blacklist and whitelist by loading a configuration file.

A configuration file can contain multiple entries, but the entries must be edited one by one. Blank lines are allowed between lines. A configuration file contains up to 50000 lines. The following is an example of the configuration file:

[FirewallBlacklist]
IPAddress = 10.10.10.1
VPNName = vpna
[FirewallBlacklist]
IPAddress = 10.10.10.2
VPNName = 

[FirewallWhitelist]
IPAddress = 10.10.10.3
VPNName = vpnb
[FirewallWhitelist]
IPAddress = 10.20.20.1
VPNName =

An invalid configuration file cannot be loaded. For example, if a configuration file contains an invalid IP address or excess entries, the invalid IP address cannot be added and the excess entries do not take effect; however, the valid IP addresses and the entries in the range can still take effect.

Example

# Load the configuration file named bwls.txt.

<Huawei> system-view
[Huawei] firewall black-white-list load configuration-file bwls.txt

firewall black-white-list save configuration-file

Function

The firewall black-white-list save configuration-file command saves the blacklist and whitelist to a configuration file.

Format

firewall black-white-list save configuration-file configuration-file-name

Parameters

Parameter	Description	Value
configuration-file-name	Indicates the name of the configuration file.	The value is a string of 1 to 127 characters in the format [drive][file-name] (the default drive is flash:/). The configuration file is in txt format.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By using this command, you can save the blacklist and whitelist to the configuration file configuration-file-name. Only the entries with the aging time being 0 can be saved.

The configuration file configuration-file-name must be available before this command is executed.

Example

# Save the blacklist and whitelist to the configuration file bwls.txt.

<Huawei> system-view
[Huawei] firewall black-white-list save configuration-file bwls.txt

firewall defend all enable

Function

The firewall defend all enable command enables all the attack defense functions.

The undo firewall defend all enable command disables all the attack defense functions.

By default, no attack defense function is enabled.

Format

firewall defend all enable

undo firewall defend all enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Enable all attack defense functions.

<Huawei> system-view

[Huawei] firewall defend all enable

firewall defend fraggle enable

Function

The firewall defend fraggle enable command enables the Fraggle attack defense function.

The undo firewall defend fraggle enable command disables the Fraggle attack defense function.

By default, the Fraggle attack defense function is disabled.

Format

firewall defend fraggle enable

undo firewall defend fraggle enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

A Fraggle attack is similar to a Smurf attack, except that the Fraggle attack sends UDP packets, rather than ICMP packets. Therefore, the Fraggle attack packets can traverse some firewalls that prevent ICMP packets.

A Fraggle attack can be successful because both UDP port 7 (ECHO) and port 19 (Chargen) return responses after receiving UDP packets. The details are as follows:

UDP port 7 returns a response (similar to the ICMP ECHO-Reply packet) after receiving a packet.
UDP port 19 generates a character stream after receiving the packet.

The two UDP ports send a lot of response packets, which occupy high network bandwidth.

An attacker can send a UDP packet to the target network. The source address of the UDP packet is the IP address of the attacked host and its destination address is the broadcast address or network address of the host's subnet. The destination port number of the packet is 7 or 19. All the hosts on the subnet then send response packets to the attacked host. This generates heavy traffic and hence congests the network or makes the host break down.

Example

# Enable the Fraggle attack defense function.

<Huawei> system-view

[Huawei] firewall defend fraggle enable

firewall defend icmp-flood

Function

The firewall defend icmp-flood command sets the parameters of ICMP Flood attack defense, including the protected zone or IP address and maximum connection rate.

The undo firewall defend icmp-flood command restores the default values of ICMP Flood attack defense parameters.

By default, the maximum connection rate of ICMP Flood attack defense is 1000 pps.

Format

firewall defend icmp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ]

undo firewall defend icmp-flood [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ]

Parameters

Parameter	Description	Value
ip ip-address	Specifies a protected IP address.	The value is a valid IPv4 IP address.
zone zone-name	Specifies a protected zone.	The value of zone-name is a string of 1 to 32 characters. It must be an existing zone name.
vpn-instance vpn-instance-name	Indicates the name of the VPN instance that the specified IP address belongs to.	The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.
max-rate rate-value	Specifies the maximum connection rate of a new flow.	The value of rate-value is an integer that ranges from 1 to 65535, in pps.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ICMP Flood attack sends a large number of ICMP packets (such as ping packets) to the attacked host in a short time and requests for responses. The host is then overloaded and cannot process normal tasks.

ICMP Flood attack defense parameters configured for an IP address take precedence over those configured for a zone. If ICMP Flood attack defense is configured for both an IP address and the zone where the IP address resides, the configuration for the IP address takes effect. If you cancel the configuration for the IP address, the configuration for the zone takes effect.

Precautions

Parameters of ICMP Flood attack defense take effect only after ICMP Flood defense is enabled using the firewall defend icmp-flood enable command.

Example

# Enable ICMP Flood attack defense for IP address 10.1.64.200 and set the maximum connection rate of ICMP packets to 500 pps.

<Huawei> system-view

[Huawei] firewall defend icmp-flood enable

[Huawei] firewall defend icmp-flood ip 10.1.64.200 max-rate 500

firewall defend icmp-flood enable

Function

The firewall defend icmp-flood enable command enables the ICMP Flood attack defense function.

The undo firewall defend icmp-flood enable command disables the ICMP Flood attack defense function.

By default, the ICMP Flood attack defense function is disabled.

Format

firewall defend icmp-flood enable

undo firewall defend icmp-flood enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Precaution

You can run firewall defend icmp-flood command to set parameters for ICMP Flood attack defense.

Example

# Enable the ICMP Flood attack defense function.

<Huawei> system-view

[Huawei] firewall defend icmp-flood enable

firewall defend icmp-redirect enable

Function

The firewall defend icmp-redirect enable command enables the ICMP-Redirect attack defense function.

The undo firewall defend icmp-redirect enable command disables the ICMP-Redirect attack defense function.

By default, the ICMP-Redirect attack defense function is disabled.

Format

firewall defend icmp-redirect enable

undo firewall defend icmp-redirect enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Enable the ICMP-Redirect attack defense function.

<Huawei> system-view

[Huawei] firewall defend icmp-redirect enable

firewall defend icmp-unreachable enable

Function

The firewall defend icmp-unreachable enable command enables the ICMP-Unreachable attack defense function.

The undo firewall defend icmp-unreachable enable command disables the ICMP-Unreachable attack defense function.

By default, the ICMP-Unreachable attack defense function is disabled.

Format

firewall defend icmp-unreachable enable

undo firewall defend icmp-unreachable enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Enable the ICMP-Unreachable attack defense function.

<Huawei> system-view

[Huawei] firewall defend icmp-unreachable enable

firewall defend ip-fragment enable

Function

The firewall defend ip-fragment enable command enables the IP fragment attack defense function.

The undo firewall defend ip-fragment enable command disables the IP fragment attack defense function.

By default, the IP fragment attack defense function is disabled.

Format

firewall defend ip-fragment enable

undo firewall defend ip-fragment enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None.

Example

# Enable the IP fragment attack defense function.

<Huawei> system-view

[Huawei] firewall defend ip-fragment enable

firewall defend ip-sweep

Function

The firewall defend ip-sweep command sets the parameters of address sweeping attack defense, including the maximum session rate and blacklist timeout interval.

The undo firewall defend ip-sweep command restores the default values of address sweeping attack defense parameters.

By default, the maximum session rate for address scanning and port scanning attack defense is 4000 pps, and the blacklist timeout interval is 20 minutes.

Format

firewall defend ip-sweep { blacklist-expire-time interval | max-rate rate-value }

undo firewall defend ip-sweep { blacklist-expire-time | max-rate }

Parameters

Parameter	Description	Value
blacklist-expire-time interval	Specifies the timeout interval of blacklist entries. After an IP address stays in the blacklist for the specified period, the firewall deletes the IP address from the blacklist. Then the IP address can initiate connections.	The value of interval is an integer that from 1 to 1000, in minutes. The default value is 20.
max-rate rate-value	Specifies the maximum session rate. When the session rate of an IP address exceeds the limit, the firewall considers that an IP address sweeping attack occurs. Then the firewall adds the IP address to the blacklist and denies the new sessions from the IP address or port.	The value of rate-value is an integer that ranges from 1 to 10000, in pps. The default value is 4000.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Parameters of address sweeping attack defense take effect only after address sweeping attack defense is enabled using the firewall defend ip-sweep enable command.

Example

# Enable the address sweeping attack defense function, set the maximum session rate to 1000 pps, and set the blacklist timeout interval to 5 minutes.

<Huawei> system-view

[Huawei] firewall defend ip-sweep enable

[Huawei] firewall defend ip-sweep max-rate 1000

[Huawei] firewall defend ip-sweep blacklist-expire-time 5

firewall defend ip-sweep enable

Function

The firewall defend ip-sweep enable command enables the IP sweeping attack defense function.

The undo firewall defend ip-sweep enable command disables the IP sweeping attack defense function.

By default, the IP sweeping attack defense function is disabled.

Format

firewall defend ip-sweep enable

undo firewall defend ip-sweep enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IP sweeping attack detects the IP addresses of the target hosts by using scanning tools. The attacker then determines the hosts that exist on the target network according to the responses received.

Precaution

You can run firewall defend ip-sweep command to set parameters for IP address sweep attack defense.

Example

# Enable the IP sweeping defense function.

<Huawei> system-view

[Huawei] firewall defend ip-sweep enable

firewall defend land enable

Function

The firewall defend land enable command enables the defense against Land attacks.

The undo firewall defend land enable command disables the defense against Land attacks.

By default, the Land attack defense function is disabled.

Format

firewall defend land enable

undo firewall defend land enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None.

Example

# Enable the defense against Land attacks.

<Huawei> system-view

[Huawei] firewall defend land enable

firewall defend large-icmp

Function

The firewall defend large-icmp command sets the maximum length of ICMP packets allowed to pass.

The undo firewall defend large-icmp command restores the default maximum length of ICMP packets allowed to pass.

By default, the maximum length of ICMP packet allowed to pass is 4000 bytes.

Format

firewall defend large-icmp max-length length

undo firewall defend large-icmp max-length

Parameters

Parameter	Description	Value
max-length length	Specifies the maximum length of ICMP packets allowed to pass.	The value of length is an integer that ranges from 28 to 65535, in bytes. The default value is 4000.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Similar to a "Ping of Death" attack, a Large-ICMP attack sends the oversized ICMP packets to attack a system. The difference is that the length of Large-ICMP packet does not exceed the maximum length of an IP packet (65535 bytes). Large-ICMP packets also have great impact on some operating systems. To prevent Large-ICMP attack, set the maximum length of ICMP packets on the firewall.

Precautions

The maximum length of ICMP packets allowed to pass takes effect only after large-ICMP attack defense is enabled using the firewall defend large-icmp enable command.

Example

# Enable Large-ICMP attack defense and set the maximum length of ICMP packet allowed to pass to 4000 bytes.

<Huawei> system-view

[Huawei] firewall defend large-icmp enable

[Huawei] firewall defend large-icmp max-length 4000

firewall defend large-icmp enable

Function

The firewall defend large-icmp enable command enables the Large-ICMP attack defense function.

The undo firewall defend large-icmp enable command disables the Large-ICMP attack defense function.

By default, the Large-ICMP attack defense function is disabled.

Format

firewall defend large-icmp enable

undo firewall defend large-icmp enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Similar to a "Ping of Death" attack, a large-ICMP attack sends the oversize ICMP packets to attack a system. The difference is that the length of Large-ICMP packet does not exceed the maximum length of an IP packet (65535 bytes). Large-ICMP packets also have great impact on some operating systems.

Precaution

You can run firewall defend large-icmp command to set Large-ICMP attack defense.

Example

# Enable the Large-ICMP attack defense function.

<Huawei> system-view

[Huawei] firewall defend large-icmp enable

firewall defend ping-of-death enable

Function

The firewall defend ping-of-death enable command enables the defense against Ping of Death attack.

The undo firewall defend ping-of-death enable command disables the defense against Ping of Death attack.

By default, the defense against Ping of Death attack is disabled.

Format

firewall defend ping-of-death enable

undo firewall defend ping-of-death enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Enable the defense against Ping of Death attack.

<Huawei> system-view

[Huawei] firewall defend ping-of-death enable

firewall defend port-scan

Function

The firewall defend port-scan command sets the parameters of port scanning attack defense, including the maximum session rate and blacklist timeout interval.

The undo firewall defend port-scan command restores the default values of port scanning attack defense parameters.

By default, the maximum session rate for port scanning attack defense is 4000 pps, and the blacklist timeout interval is 20 minutes.

Format

firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }

undo firewall defend port-scan { blacklist-expire-time | max-rate }

Parameters

Parameter	Description	Value
blacklist-expire-time interval	Specifies the timeout interval of blacklist entries. After a port stays in the blacklist for the specified period, the firewall deletes the port from the blacklist. Then the port can initiate connections.	The value of interval is an integer that from 1 to 1000, in minutes. The default value is 20.
max-rate rate-value	Specifies the maximum session rate. When the session rate of a port exceeds the limit, the firewall considers that a scanning attack occurs. Then the firewall adds the port to the blacklist and denies the new sessions from the port.	The value of rate-value is an integer that ranges from 1 to 10000, in pps. The default value is 4000.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Parameters of port scanning attack defense take effect only after port scanning attack defense is enabled using the firewall defend port-scan enable command.

Example

# Enable the port scanning attack defense function, set the maximum session rate to 1000 pps, and set the blacklist timeout interval to 5 minutes.

<Huawei> system-view

[Huawei] firewall defend port-scan enable

[Huawei] firewall defend port-scan max-rate 1000

[Huawei] firewall defend port-scan blacklist-expire-time 5

firewall defend port-scan enable

Function

The firewall defend port-scan enable command enables the port scanning attack defense function.

The undo firewall defend port-scan enable command disables the port scanning attack defense function.

By default, the port scanning attack defense function is disabled.

Format

firewall defend port-scan enable

undo firewall defend port-scan enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Port scanning attack detects the ports of the target hosts by using scanning tools. The attacker then finds out the hosts that exist on the target network according to the responses and the ports that are used to provide services.

Precaution

You can run the firewall defend port-scan command to set parameters for port scanning attack defense.

Example

# Enable the port scanning attack defense function.

<Huawei> system-view

[Huawei] firewall defend port-scan enable

firewall defend smurf enable

Function

The firewall defend smurf enable command enables the Smurf attack defense function.

The undo firewall defend smurf enable command disables the Smurf attack defense function.

By default, the Smurf attack defense function is disabled.

Format

firewall defend smurf enable

undo firewall defend smurf enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Enables the Smurf attack defense function.

<Huawei> system-view

[Huawei] firewall defend smurf enable

firewall defend syn-flood

Function

The firewall defend syn-flood command sets the parameters of SYN Flood attack defense, including the protected zone or IP address and maximum connection rate.

The undo firewall defend syn-flood command restores the default configuration of SYN Flood attack defense.

By default, the maximum connection rate of SYN Flood attack defense is 1000 pps.

Format

firewall defend syn-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ] [ tcp-proxy { auto | off | on } ]

undo firewall defend syn-flood [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ]

Parameters

Parameter	Description	Value
ip ip-address	Specifies a protected IP address.	The value is a valid IPv4 IP address.
zone zone-name	Specifies a protected zone.	The value of zone-name is a string of 1 to 32 characters. It must be an existing zone name.
max-rate rate-value	Specifies the maximum connection rate of a new flow.	The value of rate-value is an integer that ranges from 1 to 65535. The default value is 1000, in pps.
vpn-instance vpn-instance-name	Indicates the name of the VPN instance that the specified IP address belongs to.	The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.
tcp-proxy { auto \| off \| on }	Indicates whether to use the TCP proxy. The status of TCP proxy includes: auto: The TCP proxy is enabled automatically when the actual connection rate exceeds the upper limit. off: The TCP proxy is always disabled. on: The TCP proxy is always enabled.	-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Flood attack defense parameters configured for an IP address take precedence over those configured for a zone. If Flood attack defense is configured for both an IP address and the zone where the IP address resides, the configuration for the IP address takes effect. If you cancel the configuration for the IP address, the configuration for the zone takes effect.

Precautions

Parameters of SYN Flood attack defense take effect only after SYN Flood attack defense is enabled using the firewall defend syn-flood enable command.

Example

# Enable SYN Flood attack defense for IP address 10.1.64.200 and set the maximum connection rate of TCP packets to 500 pps.

<Huawei> system-view

[Huawei] firewall defend syn-flood enable

[Huawei] firewall defend syn-flood ip 10.1.64.200 max-rate 500

firewall defend syn-flood enable

Function

The firewall defend syn-flood enable command enables the SYN Flood attack defense function.

The undo firewall defend syn-flood enable command disables the SYN Flood attack defense function.

By default, the SYN Flood attack defense function is disabled.

Format

firewall defend syn-flood enable

undo firewall defend syn-flood enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The TCP/IP protocol stack permits only a certain number of TCP connections due to resource restriction. SYN Flood attacks utilize this feature. The attacker forges a SYN packet with a forged or nonexistent source address to initiate a connection to the server. When receiving this packet, the server replies with a SYN-ACK message. The receiver of the SYN-ACK packet does not exist, so a half-connection is caused. If the attacker sends a large number of such packets, a lot of half-connections will be produced on the attacked host and the resources of the attacked host will be exhausted. Therefore, authorized users cannot access the host till the half-connections expire. If the number of connections is not limited, SYN Flood will consume the system resources such as memory.

Precaution

You can run firewall defend syn-flood command to set parameters for SYN Flood attack defense.

Example

# Enable the SYN Flood attack defense function.

<Huawei> system-view

[Huawei] firewall defend syn-flood enable

firewall defend tcp-flag enable

Function

The firewall defend tcp-flag enable command enables the defense against TCP flag attack.

The undo firewall defend tcp-flag enable command disables the defense against TCP flag attack.

By default, the TCP flag attack defense function is disabled.

Format

firewall defend tcp-flag enable

undo firewall defend tcp-flag enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Enable the TCP flag attack defense function.

<Huawei> system-view

[Huawei] firewall defend tcp-flag enable

firewall defend teardrop enable

Function

The firewall defend teardrop enable command enables the defense against Teardrop attack.

The undo firewall defend teardrop enable command disables the defense against Teardrop attack.

By default, the Teardrop attack defense function is disabled.

Format

firewall defend teardrop enable

undo firewall defend teardrop enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

None.

Example

# Enable the defense against Teardrop attack.

<Huawei> system-view

[Huawei] firewall defend teardrop enable

firewall defend tracert enable

Function

The firewall defend tracert enable command enables the Tracert attack defense function.

The undo firewall defend tracert enable command disables the Tracert attack defense function.

By default, the Tracert attack defense function is disabled.

Format

firewall defend tracert enable

undo firewall defend tracert enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Tracert attack traces the path of an ICMP timeout packet returned when the value of time to live (TTL) is 0 or an ICMP port-unreachable packet. In this way, the attacker obtains the network structure.

Example

# Enable the Tracert attack defense function.

<Huawei> system-view

[Huawei] firewall defend tracert enable

firewall defend udp-flood

Function

The firewall defend udp-flood command sets the parameters of UDP Flood attack defense, including the protected zone or IP address and maximum connection rate.

The undo firewall defend udp-flood command restores the default configuration of UDP Flood attack defense.

By default, the maximum connection rate of UDP Flood attack defense is 1000 pps.

Format

firewall defend udp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ]

undo firewall defend udp-flood [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ]

Parameters

Parameter	Description	Value
ip ip-address	Specifies a protected IP address.	The value is a valid IPv4 IP address.
zone zone-name	Specifies a protected zone.	The value of zone-name is a string of 1 to 32 characters. It must be an existing zone name.
max-rate rate-value	Specifies the maximum connection rate of a new flow.	The value of rate-value is an integer that ranges from 1 to 65535. The default value is 1000, in pps.
vpn-instance vpn-instance-name	Indicates the name of the VPN instance that the specified IP address belongs to.	The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

UDP Flood attack sends a large number of UDP packets to the attacked host in a short time and requests for responses. The host is then overloaded and cannot process normal tasks.

Precautions

Parameters of UDP Flood attack defense take effect only after UDP Flood attack defense is enabled using the firewall defend udp-flood enable command.

Example

# Enable UDP Flood attack defense for IP address 10.1.64.200 and set the maximum connection rate of UDP packets to 500 pps.

<Huawei> system-view

[Huawei] firewall defend udp-flood enable

[Huawei] firewall defend udp-flood ip 10.1.64.200 max-rate 500

firewall defend udp-flood enable

Function

The firewall defend udp-flood enable command enables the UDP Flood attack defense function.

The undo firewall defend udp-flood enable command disables the UDP Flood attack defense function.

By default, the UDP Flood attack defense function is disabled.

Format

firewall defend udp-flood enable

undo firewall defend udp-flood enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

UDP Flood attack sends a large number of UDP packets to the attacked host in a short time and requests for responses. The host is then overloaded and cannot process normal tasks.

Precaution

You can run firewall defend udp-flood command to set parameters for ICMP Flood attack defense.

Example

# Enable UDP Flood attack defense.

<Huawei> system-view

[Huawei] firewall defend udp-flood enable

firewall defend winnuke enable

Function

The firewall defend winnuke enable command enables the WinNuke attack defense function.

The undo firewall defend winnuke enable command disables the WinNuke attack defense function.

By default, the WinNuke attack defense function is disabled.

Format

firewall defend winnuke enable

undo firewall defend winnuke enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

WinNuke attack sends an out-of-band (OOB) data packet to the NetBIOS port (139) of the target host running a Windows operating system. The NetBIOS fragment then overlaps and the host stops responding. An Internet Group Management Protocol (IGMP) fragment packet can also damage the target host because the IGMP packet should not be fragmented. If a host receives an IGMP fragment packet, the host may be attacked.

Example

# Enables the WinNuke attack defense function.

<Huawei> system-view

[Huawei] firewall defend winnuke enable

firewall enable

Function

The firewall enable command enables the firewall function in an interzone.

The undo firewall enable command disables the firewall function in an interzone.

By default, the firewall function is disabled in an interzone.

Format

firewall enable

undo firewall enable

Parameters

None

Views

Interzone view

Default Level

2: Configuration level

Usage Guidelines

The packet filtering, ASPF, and attack defense functions take effect only after this command is executed. This command does not need to be executed for other advanced security features, such as IPS, AV, and URL filtering.

Example

# Enable the firewall function in the interzone between zone1 and zone2.

<Huawei> system-view
[Huawei] firewall interzone zone1 zone2
[Huawei-interzone-zone1-zone2] firewall enable

firewall interzone

Function

The firewall interzone command creates an interzone.

The undo firewall interzone command deletes an interzone.

Format

firewall interzone zone-name1 zone-name2

undo firewall interzone zone-name1 zone-name2

Parameters

Parameter	Description	Value
zone-name1	Specifies the name of a zone included in the interzone.	The name is a string of 1 to 32 characters. zone-name1 must be a zone name created by the firewall zone command.
zone-name2	Specifies the name of the other zone included in the interzone.	The name is a string of 1 to 32 characters. zone-name2 must be a zone name created by the firewall zone command.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To configure the firewall in an interzone to filter packets or application-layer services, run the firewall interzone command to enter the interzone view.

Precautions

At least two valid zones must exist on the device; otherwise, the device does not execute the firewall interzone command.

The interzone is determined by two zones, which is irrelevant to the sequence of the two zones in the command.

Example

# Create an interzone between zone1 and zone2.

<Huawei> system-view
[Huawei] firewall interzone zone1 zone2

firewall log binary-log host

Function

The firewall log binary-log host command sets parameters of a binary log server, including the IP address and port number of the binary log server, and the IP address and port number that the local device uses to communicate with the log server.

The undo firewall log binary-log host command deletes a binary log server.

Format

firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]

undo firewall log binary-log host

Parameters

Parameter	Description	Value
host-ip-address	Specifies the IP address of the log server.	The value is a valid IPv4 IP address.
host-port	Specifies the port number of the log server.	The value is an integer that ranges from 1 to 65535.
source-ip-address	Specifies the source IP address that the local device uses to send logs to the log server.	The value is a valid IPv4 IP address.
source-port	Specifies the source port number that the local device uses to send logs to the log server.	The value is an integer that ranges from 10240 to 55534.
vpn-instance vpn-instance-name	Indicates the name of the VPN instance that the source IP address belongs to.	The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Only one binary log server can be configured in the system view. Any time a new binary log server is configured, the new one replaces the previous one.

Example

# Configure a binary log server whose IP address is 10.10.10.1 and port number is 3456. Set the source IP address and source port number used to communicate with the log server to 10.10.10.2 and 20000 respectively.

<Huawei> system-view
[Huawei] firewall log binary-log host 10.10.10.1 3456 source 10.10.10.2 20000

firewall log enable

Function

The firewall log enable command enables the firewall logging function.

The undo firewall log enable command disables the firewall logging function.

By default, firewall logging function is disabled.

Format

firewall log { all | blacklist | defend | session | statistics | packet-filter } enable

undo firewall log { all | blacklist | defend | session | statistics | packet-filter } enable

Parameters

Parameter	Description	Value
all	Enables all the logging functions on the firewall. NOTE: Firewall logs are classified into blacklist logs, attack defense logs, session logs, and traffic statistics logs.	-
blacklist	Enables blacklist logs.	-
defend	Enables attack defense logs.	-
session	Enables session logs.	-
statistics	Enables traffic statistics logs.	-
packet-filter	Enables packet-filter logs.	-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Firewall logs record the operating status of the firewall in real time. By analyzing the logs, the network administrator can find potential security threats to the network and take preventive measures to protect the network.

You can configure the following types of logs on the firewall:

Blacklist log: records the IP addresses that are added to or deleted from the blacklist.
Attack defense log: records different types of attacks detected by the firewall.
Session log: records the sessions that match the specified ACL rules and sessions processed by the NAT server.
Traffic statistics log: records the events that the traffic rate exceeds the threshold or falls below the threshold.
Packet filtering log: records information about packet filtering.

Example

# Enable blacklist logs.

<Huawei> system-view
[Huawei] firewall log blacklist enable

firewall log log-interval

Function

The firewall log log-interval command sets the interval for exporting firewall logs.

The undo firewall log log-interval command restores the default interval for exporting firewall logs.

By default, firewall logs are exported every 30 seconds.

Format

firewall log { blacklist | defend | session | statistics | packet-filter } log-interval time

undo firewall log { blacklist | defend | session | statistics | packet-filter } log-interval

Parameters

Parameter	Description	Value
blacklist	Sets the interval for sending blacklist logs to the log server.	-
defend	Sets the interval for sending attack defense logs to the log server.	-
session	Sets the interval for sending session logs to the log server.	-
statistics	Sets the interval for sending traffic statistics logs to the log server.	-
packet-filter	Sets the interval for sending packet filtering logs to the log server.	-
log-interval time	Specifies the value of the interval.	The value is an integer that ranges from 1 to 65535, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Firewall logs are classified into binary logs and text logs depending on the format. Binary logs are sent to the binary log server in real time, and text logs are sent to the text log server at intervals. The firewall log log-interval command sets the interval for sending text logs to the text log server.

Example

# Set the interval for sending attack defense logs to the log server to 200 seconds.

<Huawei> system-view
[Huawei] firewall log defend log-interval 200

firewall log session nat enable

Function

The firewall log session nat enable command enables NAT session logs.

The undo firewall log session nat enable command disables NAT session logs.

By default, NAT session logs are disabled.

Format

firewall log session nat enable

undo firewall log session nat enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Session logs record the sessions that match the specified ACL rules and sessions processed by the NAT server.

Example

# Enable NAT session logs.

<Huawei> system-view
[Huawei] firewall log session nat enable

firewall statistics system connect-number

Function

The firewall statistics system connect-number command sets the session thresholds on the firewall.

The undo firewall statistics system connect-number command restores the default session thresholds on the firewall.

Format

firewall statistics system connect-number { frag | icmp | tcp | tcp-proxy | udp } high high-threshold low low-threshold

undo firewall statistics system connect-number { frag | icmp | tcp | tcp-proxy | udp }

Parameters

Parameter	Description	Value
frag	Sets the session thresholds of IP fragment packets.	-
icmp	Sets the session thresholds of ICMP packets.	-
tcp	Sets the session thresholds of TCP packets.	-
tcp-proxy	Sets the session thresholds of TCP proxy packets.	-
udp	Sets the session thresholds of UDP packets.	-
high high-threshold	Specifies the upper threshold of a specified type of protocol packets.	The value is an integer and varies according to models.
low low-threshold	Specifies the lower threshold of a specified type of protocol packets.	The value is an integer and varies according to models.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Before setting the session thresholds on the firewall, run the firewall statistics system enable command to enable traffic statistics collection on the firewall.

Example

# Set the session thresholds of TCP packets on the firewall. Set the upper threshold to 15000 and lower threshold to 10000.

<Huawei> system-view
[Huawei] firewall statistics system enable
[Huawei] firewall statistics system connect-number tcp high 15000 low 10000

firewall statistics system enable

Function

The firewall statistics system enable command enables traffic statistics collection on the firewall.

The undo firewall statistics system enable command disables traffic statistics collection on the firewall.

By default, traffic statistics collection is disabled on the firewall.

Format

firewall statistics system enable

undo firewall statistics system enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can run the display firewall statistics system command to check whether traffic statistics collection is enabled.

After traffic statistics collection and monitoring are enabled on the firewall, the upper threshold for the number of protocol packets in the security zone of the firewall is 16384 and the lower threshold is 12288. You can run the firewall statistics system connect-number command to change the threshold of the number of connections on the firewall.

Example

# Enable traffic statistics collection on the firewall.

<Huawei> system-view
[Huawei] firewall statistics system enable

firewall whitelist

Function

The firewall whitelist command adds an entry to the whitelist.

The undo firewall whitelist command deletes an entry from the whitelist.

Format

firewall whitelist ip-address [ vpn-instance vpn-instance-name ] [ expire-time minutes ]

undo firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name }

Parameters

Parameter	Description	Value
all	Deletes all whitelist entries.	-
ip-address	Specifies the IP address to be added to the whitelist.	The value is a valid IPv4 IP address in dotted decimal notation.
expire-time minutes	Specifies the aging time of a whitelist entry.	The value is an integer that ranges from 1 to 1000, in minutes. NOTE: If this parameter is not set, the entry is always valid.
vpn-instance vpn-instance-name	Indicates the name of the VPN instance that the specified IP address belongs to.	The value of vpn-instance-name is a string of 1 to 31 case-sensitive characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

An IP address cannot exist in both the whitelist and blacklist. To move an IP address from one list to the other list, delete the corresponding entry first.

The entries in the whitelist take effect directly and you do not need to enable the whitelist function.

Example

# Add IP address 10.1.1.1 to the whitelist and set the aging time of this entry to 3 minutes.

<Huawei> system-view
[Huawei] firewall whitelist 10.1.1.1 expire-time 3

firewall zone

Function

The firewall zone command creates an interzone.

The undo firewall zone command deletes an interzone.

Format

firewall zone zone-name

undo firewall zone zone-name

Parameters

Parameter	Description	Value
zone-name	Specifies the name of a zone.	The value is a string of 1 to 32 case-sensitive characters without hyphens (-), and must start with a letter.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Before configuring a firewall, create zones. Then you can deploy security services according to the security priorities of the zones.

The device considers that the data transmission within a zone is reliable; therefore, it does not enforce any security policy on the intra-zone data transmission.

If an interface is added to a zone, the zone cannot be deleted in the system view. To delete the zone, delete the interface from the zone first.

Example

# Create the zone zone1.

<Huawei> system-view
[Huawei] firewall zone zone1

firewall-nat session aging-time

Function

The firewall-nat session aging-time command sets the timeout interval of each entry in the session table.

The undo firewall-nat session aging-time command restores the default timeout interval of each entry in the session table.

Format

firewall-nat session { { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } | { tcp | udp } user-define port-number } aging-time time-value

undo firewall-nat session { { all | dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } | { tcp | udp } user-define port-number } aging-time

Parameters

Parameter	Description	Value
dns	Sets the timeout interval of the DNS protocol.	-
ftp	Sets the timeout interval of the FTP control connection.	-
ftp-data	Sets the timeout interval of the FTP connection.	-
http	Sets the timeout interval of the HTTP connection.	-
icmp	Sets the timeout interval of the ICMP connection.	-
tcp	Sets the timeout interval of the TCP connection.	-
tcp-proxy	Sets the timeout interval of the TCP proxy.	-
udp	Sets the timeout interval of the UDP connection.	-
sip	Sets the timeout interval of the SIP connection.	-
sip-media	Sets the timeout interval of the SIP media protocol.	-
rtsp	Sets the timeout interval of the RTSP protocol.	-
rtsp-media	Sets the timeout interval of the RTSP media protocol.	-
pptp	Sets the timeout interval of the PPTP control connection.	-
pptp-data	Sets the timeout interval of the PPTP connection.	-
all	Restores the default timeout interval of all the preceding connections.	-
user-define port-number	Specifies the user-defined TCP or UDP port number and configures the timeout interval for all data connections with this port as the destination port. NOTE: This parameter only supports NAT and does not support firewall.	The value is an integer that ranges from 1 to 65535.
aging-time time-value	Specifies the timeout interval value.	The value is an integer that ranges from 10 to 65535, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The firewall-nat session aging-time command sets the timeout interval for sessions of each protocol or port. If an entry in a session table is not used within the specified period, the entry expires. For example, the user with IP address 10.110.10.10 initiates a TCP connection through port 2000. If the TCP connection is not used within the timeout interval, the system deletes the TCP connection.

The default session timeout interval of a port is the same as that of the corresponding protocol. The following table lists the default session timeout interval of each protocol.

Protocol	Default Session Timeout Interval
tcp	600 seconds
tcp-proxy	10 seconds
udp	120 seconds
icmp	20 seconds
dns	120 seconds
http	120 seconds
ftp	120 seconds
ftp-data	120 seconds
sip	1800 seconds
sip-media	120 seconds
rtsp	60 seconds
rtsp-media	120 seconds
pptp	600 seconds
pptp-data	600 seconds

When configuring the timeout interval for all sessions with a user-defined port as the destination port, you cannot set the port number to a default port number of the preceding protocols.

Precautions

For some services such as voice service, increase the TCP/UDP timeout interval to prevent service interruption.

You can set the session timeout interval for a maximum of 24 ports on the device.

Example

# Set the timeout interval of the DNS connection to 60 seconds.

<Huawei> system-view
[Huawei] firewall-nat session dns aging-time 60

packet-filter

Function

The packet-filter command configures packet filtering in an interzone.

The undo packet-filter command cancels packet filtering in an interzone.

By default, all outgoing packets are permitted and all incoming packets are denied.

Format

packet-filter { acl-number | default { deny | permit } } { inbound | outbound }

undo packet-filter acl-number { inbound | outbound }

Parameters

Parameter	Description	Value
acl-number	Indicates the number of the ACL for packet filtering. The ACLs include basic ACL and advanced ACL.	The value is an integer that ranges from 2000 to 3999: 2000-2999: basic ACLs 3000-3999: advanced ACLs
default	Indicates the default packet filtering method.	-
deny	Rejects all packets. NOTE: This parameter sets the default packet filtering method of the interzone. The default packet filtering method takes effect on all the packets not matching the ACLs.	-
permit	Allows all packets to pass. NOTE: This parameter sets the default packet filtering method of the interzone. The default packet filtering method takes effect on all the packets not matching the ACLs.	-
inbound	Filters inbound packets. An inbound packet refers to a packet sent from a low-priority zone to a high-priority zone.	-
outbound	Filters outbound packets. An outbound packet refers to a packet sent from a high-priority zone to a low-priority zone.	-

Views

Interzone view

Default Level

2: Configuration level

Usage Guidelines

The number of times the command is run cannot exceed the number of configured packet filtering interzones.

Example

# Filter the inbound packets in the interzone between zone1 and zone2 by using ACL 3000.

<Huawei> system-view
[Huawei] acl 3000 
[Huawei-acl-adv-3000] rule permit ip  
[Huawei-acl-adv-3000] quit  
[Huawei] firewall interzone zone1 zone2
[Huawei-interzone-zone1-zone2] packet-filter 3000 inbound

packet-filter logging

Function

The packet-filter logging command enables the packet filtering log in the interzone.

The undo packet-filter logging command disables the packet filtering log in the interzone.

By default, the packet filtering log is disabled in the interzone.

Format

packet-filter logging [ { inbound | outbound } [ permit | deny ] ]

undo packet-filter logging [ { inbound | outbound } [ permit | deny ] ]

Parameters

Parameter	Description	Value
inbound	Records logs for incoming packets. An incoming packet refers to a packet from a low-priority zone to a high-priority zone.	-
outbound	Records logs for outgoing packets. An outgoing packet refers to a packet from a high-priority zone to a low-priority zone.	-
permit	Records logs for packets that are allowed to pass through.	-
deny	Records logs for packets that are denied.	-

Views

Interzone view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the firewall filters packets, a log is recorded if this function is enabled. By analyzing the logs, the network administrator can find potential security threats to the network and take preventive measures to protect the network.

When [ { inbound | outbound } [ permit | deny ] ] is not configured, the device records logs for all packets. When { inbound | outbound } is configured and [ permit | deny ] is not configured, the device records logs for incoming or outgoing packets.

Precautions

This function takes effect only after the packet-filter logging and firewall log packet-filter enable commands are executed.

Example

# Enable the packet filtering log in the interzone.

<Huawei> system-view
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 14 
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 12 
[Huawei-zone-untrust] quit
[Huawei] firewall log packet-filter enable
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] packet-filter logging

port-mapping

Function

The port-mapping command configures the mappings between ports and application-layer protocols.

The undo port-mapping command deletes the mappings between ports and application-layer protocols.

Format

port-mapping { dns | ftp | http | sip | rtsp | pptp } port port-number acl acl-number

undo port-mapping { all | { dns | ftp | http | sip | rtsp | pptp } port port-number acl acl-number }

Parameters

Parameter	Description	Value
all	Deletes the mappings from all ports.	-
dns	Specifies the mapping between the DNS protocol and a port.	-
ftp	Specifies the mapping between the FTP protocol and a port.	-
http	Specifies the mapping between the HTTP protocol and a port.	-
sip	Specifies the mapping between the SIP protocol and a port.	-
rtsp	Specifies the mapping between the RTSP protocol and a port.	-
pptp	Specifies the mapping between the PPTP protocol and a port.	-
port port-number	Specifies the port mapping to a protocol.	The value of port-number is an integer that ranges from 1 to 65535.
acl acl-number	Specifies the ACL that controls the packets to which port mapping is applied.	The value of acl-number is an integer that ranges from 2000 to 2999.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Port mapping enables a server to provide various application-layer services for external systems through non-well-known ports. For example, the well-known port of the HTTP service is port 80. After port mapping is configured on the firewall, the firewall can use a non-well-known port to provide the HTTP service.

Port mapping reduces attacks to a certain service on the server.

Example

# Map the HTTP service to port 10 and apply ACL 2000 to control the packets to which the mapping takes effect.

<Huawei> system-view
[Huawei] acl 2000 
[Huawei-acl-basic-2000] rule  permit 
[Huawei-acl-basic-2000] quit  
[Huawei] port-mapping http port 10 acl 2000

priority (security zone view)

Function

The priority command sets the priority for a zone.

Format

priority security-priority

Parameters

Parameter	Description	Value
security-priority	Indicates the priority of a zone.	The value is an integer that ranges from 0 to 63. NOTE: If security-priority is set to a large value, the priority of the zone is high.

Views

Security zone view

Default Level

2: Configuration level

Usage Guidelines

After creating a zone, set a priority for the zone; otherwise, the zone is invalid.

The priority of a zone cannot be changed. If you want to change the priority, delete and re-create the zone and reconfigure the priority.

The local zone priority cannot be manually set. The priority of the local zone is the highest priority allowed by the local device plus 1.

Example

# Set the priority of zone1 to 5.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] priority 5

reset firewall app table statistics

Function

The reset firewall app table statistics command clears statistics on firewall application entries.

Format

reset firewall app { servermap | session } table statistics

Parameters

Parameter	Description	Value
servermap	Clears statistics on Servermap entries at the application layer.	-
session	Clears statistics on session entries at the application layer.	-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command when you need to collect new firewall application entry statistics. After you run this command, all statistics on firewall application entries are cleared.

Precautions

Statistics on firewall application entries cannot be restored after they are cleared. Exercise caution when you use the command.

Example

# Clear statistics on firewall session entries at the application layer.

<Huawei> system-view
[Huawei] reset firewall app session table statistics

reset firewall session all

Function

The reset firewall session all command deletes all entries from the firewall session table.

Format

reset firewall session all

Parameters

None.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command will delete all entries from a firewall session table.

Precautions

After this command is executed, entries are deleted from the firewall session table and the firewall configurations are modified immediately.

After this command is executed, you must wait at least 10 seconds before running the command again; otherwise, an error message is displayed.

Example

# Delete all entries from a firewall session table.

<Huawei> system-view
[Huawei] reset firewall session all
Warning:The current all firewall sessions will be deleted.
Are you sure to continue?[Y/N]y

reset session all

Function

The reset session all command deletes entries from all session tables.

Format

reset session all

Parameters

None.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command will delete all entries from a firewall or NAT session table.

Precautions

After this command is executed, entries are deleted from session tables and the session table configurations are modified immediately. You must wait at least 10 seconds before running the command again; otherwise, an error message is displayed.

Example

# Delete entries from all session tables.

<Huawei> system-view
[Huawei] reset session all
Warning:The current all sessions will be deleted.
Are you sure to continue?[Y/N]y

reset firewall statistics system defend

Function

The reset firewall statistics system defend command deletes attack defense statistics on firewall.

Format

reset firewall statistics system defend

Parameters

None

Views

All views

Default Level

2: Configuration level

Usage Guidelines

Use Scenario

Before you run the display firewall statistics system defend command to collect attack defense statistics on a firewall, you can run this command to delete the old statistics.

Precautions

Statistics cannot be restored after they are cleared. Exercise caution when you delete them.

Example

# Delete attack defense statistics on the firewall.

<Huawei> reset firewall statistics system defend

session-log

Function

The session-log command configures a condition for recording logs about sessions in the firewall interzone.

The undo session-log command deletes a condition for recording logs about sessions in the firewall interzone.

By default, no condition is configured for recording logs about sessions in the firewall interzone.

Format

session-log acl-number { inbound | outbound }

undo session-log acl-number { inbound | outbound }

Parameters

Parameter	Description	Value
acl-number	Specifies the number of the ACL used to match sessions.	The value is an integer that ranges from 2000 to 3999.
inbound	Applies the ACL to the inbound sessions. NOTE: An inbound session refers to a session from a low-priority zone to a high-priority zone.	-
outbound	Applies the ACL to the outbound sessions. NOTE: An outbound session refers to a high-priority session sent from a zone to a low-priority zone.	-

Views

Interzone view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Create zone1 and zone2, and set their priorities to 10 and 5 respectively. Then configure an interzone between zone1 and zone2, and record logs about the inbound sessions (from zone 1 to zone 2) that match ACL 2001.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] priority 10
[Huawei-zone-zone1] quit
[Huawei] firewall zone zone2
[Huawei-zone-zone2] priority 5
[Huawei-zone-zone2] quit
[Huawei] firewall interzone zone1 zone2
[Huawei-interzone-zone1-zone2] session-log 2001 inbound
[Huawei-interzone-zone1-zone2] quit
[Huawei] firewall log session enable

statistics connect-number ip

Function

The statistics connect-number ip command sets the session thresholds for the zone-level traffic statistics and monitoring on an IP address.

The undo statistics connect-number ip command restores the default thresholds.

Format

statistics connect-number ip [ range beginip endip ] { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold

undo statistics connect-number ip { inzone | outzone } { icmp | tcp | udp }

Parameters

Parameter	Description	Value
range	Specified an IP address segment NOTE: If the range parameter is not specified, this command takes effect on a single IP address.	-
beginip	Specifies the start IP address.	The value is in dotted decimal notation.
endip	Specified the end IP address, which cannot be smaller than the start IP address. The start and end IP addresses must be in the same IP address segment.	The value is in dotted decimal notation.
inzone	Specifies the thresholds for the number of packets entering the zone.	-
outzone	Specifies the thresholds for the number of packets leaving the zone.	-
icmp	Specifies the thresholds for the number of ICMP packets.	-
tcp	Specifies the thresholds for the number of TCP packets.	-
udp	Specifies the thresholds for the number of UDP packets.	-
high high-threshold	Specifies the upper threshold value.	The value is an integer and varies according to models.
low low-threshold	Sets the lower thresholds value.	The value is an integer and varies according to models.

Views

Security zone view

Default Level

2: Configuration level

Usage Guidelines

Before setting the thresholds for the number of packets sent to a certain IP address, run the statistics ip enable command to enable the IP address-level traffic statistics function in the zone.

Example

# Configure the thresholds for the number of inbound TCP packets sent to a certain IP address. Set the upper threshold to 15000 and lower threshold to 10000.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] statistics ip enable inzone
[Huawei-zone-zone1] statistics connect-number ip inzone tcp high 15000 low 10000

statistics connect-number zone

Function

The statistics connect-number zone command sets the session thresholds for traffic statistics and monitoring in a zone.

The undo statistics connect-number zone command restores the default thresholds for the number of packets in a zone.

Format

statistics connect-number zone { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold

undo statistics connect-number zone { inzone | outzone } { icmp | tcp | udp }

Parameters

Parameter	Description	Value
inzone	Specifies the thresholds for the number of packets entering the zone.	-
outzone	Specifies the thresholds for the number of packets leaving the zone.	-
icmp	Specifies the thresholds for the number of ICMP packets.	-
tcp	Specifies the thresholds for the number of TCP packets.	-
udp	Specifies the thresholds for the number of UDP packets.	-
high high-threshold	Specifies the upper threshold value.	The value is an integer and varies according to models.
low low-threshold	Specifies the lower threshold value.	The value is an integer and varies according to models.

Views

Security zone view

Default Level

2: Configuration level

Usage Guidelines

Before setting the thresholds for the number of packets in a zone, run the statistics zone enable command to enable the zone-level traffic statistics function.

Example

# Configure the thresholds for the number of inbound TCP packets in a zone. Set the upper threshold to 15000 and lower threshold to 10000.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] statistics zone enable inzone
[Huawei-zone-zone1] statistics connect-number zone inzone tcp high 15000 low 10000

statistics ip enable

Function

The statistics ip enable command enables the IP address-level traffic statistics collection in a zone.

The undo statistics ip enable command disables the IP address-level traffic statistics collection in a zone.

By default, IP address-level traffic statistics collection is disabled.

Format

statistics ip enable { inzone | outzone }

undo statistics ip enable { inzone | outzone }

Parameters

Parameter	Description	Value
inzone	Enables the IP address-level traffic statistics collection for the inbound packets of the zone.	-
outzone	Enables the IP address-level traffic statistics collection for the outbound packets of the zone.	-

Views

Security zone view

Default Level

2: Configuration level

Usage Guidelines

The IP address-based traffic statistics collection counts and monitors the TCP and UDP sessions set up by an IP address in a zone. When the number of TCP and UDP sessions set up by the IP address exceeds the threshold, the device reduces the number of sessions to the specified range.

You can enable IP address-level traffic statistics collection for inbound or outbound packets of a zone.

Inbound packets are sent from other zones to the local zone. Outbound packets are sent from the local zone to other zones.

Example

# Enable IP address-level traffic statistics collection for inbound packets and outbound packets in zone1.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] statistics ip enable inzone
[Huawei-zone-zone1] statistics ip enable outzone

statistics zone enable

Function

The statistics zone enable command enables zone-level traffic statistics collection for the packets in a zone.

The undo statistics zone enable command disables zone-level traffic statistics collection for the packets in a zone.

By default, zone-level traffic statistics collection is disabled.

Format

statistics zone enable { inzone | outzone }

undo statistics zone enable { inzone | outzone }

Parameters

Parameter	Description	Value
inzone	Enables zone-level traffic statistics collection for the inbound packets of the zone.	-
outzone	Enables zone-level traffic statistics collection for the outbound packets of the zone.	-

Views

Security zone view

Default Level

2: Configuration level

Usage Guidelines

You can enable zone-level traffic statistics collection for inbound or outbound packets in a zone.

Example

# Enable zone-level traffic statistics collection for inbound packets and outbound packets of zone1.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] statistics zone enable inzone
[Huawei-zone-zone1] statistics zone enable outzone

zone

Function

The zone command adds an interface to a zone.

The undo zone command deletes removes an interface from a zone.

Format

zone zone-name

undo zone

Parameters

Parameter	Description	Value
zone-name	Specifies the name of a zone.	The value is a string of 1 to 32 characters without hyphens (-), and must start with a letter.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

When you add an interface to a zone, ensure that the zone has been created using the firewall zone command.

This command can only be used on Layer 3 interfaces, except the Loopback, NULL, and Tunnel-Template interfaces.

Example

# Add GE to zone1.

<Huawei> system-view
[Huawei] interface gigabitethernet  
[Huawei-GigabitEthernet] zone zone1

Support for Firewall Feature Name
bypass
clear firewall statistics system
clear firewall statistics zone
detect aspf
display firewall app session table
display firewall app table statistics
display firewall blacklist
display firewall blacklist configuration
display firewall defend
display firewall interzone
display firewall log configuration
display firewall session
display firewall statistics system
display firewall statistics zone
display firewall statistics zone-ip
display firewall whitelist
display firewall zone
display firewall-nat session aging-time
display port-mapping
display session
firewall blacklist
firewall blacklist enable
firewall black-white-list load configuration-file
firewall black-white-list save configuration-file
firewall defend all enable
firewall defend fraggle enable
firewall defend icmp-flood
firewall defend icmp-flood enable
firewall defend icmp-redirect enable
firewall defend icmp-unreachable enable
firewall defend ip-fragment enable
firewall defend ip-sweep
firewall defend ip-sweep enable
firewall defend land enable
firewall defend large-icmp
firewall defend large-icmp enable
firewall defend ping-of-death enable
firewall defend port-scan
firewall defend port-scan enable
firewall defend smurf enable
firewall defend syn-flood
firewall defend syn-flood enable
firewall defend tcp-flag enable
firewall defend teardrop enable
firewall defend tracert enable
firewall defend udp-flood
firewall defend udp-flood enable
firewall defend winnuke enable
firewall enable
firewall interzone
firewall log binary-log host
firewall log enable
firewall log log-interval
firewall log session nat enable
firewall statistics system connect-number
firewall statistics system enable
firewall whitelist
firewall zone
firewall-nat session aging-time
packet-filter
packet-filter logging
port-mapping
priority(security zone view)
reset firewall app table statistics
reset firewall session all
reset session all
reset firewall statistics system defend
session-log
statistics connect-number ip
statistics connect-number zone
statistics ip enable
statistics zone enable
zone

Translation

Favorite

Download

Update Date：2024-05-24

Document ID：EDOC1100271769

Downloads：238

Average rating：0.0Points

Digital Signature File

digtal sigature tool