11-Security Configuration Guide


Configuring APR

Overview

The application recognition (APR) feature recognizes application protocols of packets for features such as QoS, ASPF, and bandwidth management.

APR uses the following methods to recognize an application protocol:

·     Port-based application recognition (PBAR).

·     Network-based application recognition (NBAR).

PBAR

PBAR maps a port to an application protocol and recognizes packets of the application protocol according to the port-protocol mapping.

PBAR supports the following port-protocol mappings:

·     Predefined—An application protocol uses the port defined by the system.

·     User-defined—An application protocol uses the port defined by the user.

PBAR offers the following mappings to maintain and apply user-defined port configuration:

·     General port mapping—Maps a user-defined port to an application protocol. All packets destined for that port are regarded as packets of the application protocol. For example, if port 2121 is mapped to FTP, all packets destined for that port are regarded as FTP packets.

·     Host-port mapping—Maps a user-defined port to an application protocol for packets to or from some specific hosts. For example, you can establish a host-port mapping so that all packets destined for the network segment 10.110.0.0/16 on port 2121 are regarded as FTP packets. To define the range of the hosts, you can specify the ACL, the host IP address range, or the subnet.

Host-port mapping can be further divided into the following categories:

¡     ACL-based host-port mapping—Maps a port to an application protocol for the packets matching the specified ACL.

¡     Subnet-based host-port mapping—Maps a port to an application protocol for the packets sent to the specified subnet.

¡     IP address-based host-port mapping—Maps a port to an application protocol for the packets destined for the specified IP addresses.

NBAR

NBAR matches packet contents against predefined or user-defined NBAR rules to recognize the application protocols of packets that match the applied object policy. Predefined NBAR rules are automatically generated from the APR signature database.

Application group

You can add application protocols that have similar signatures or restrictions to an application group. APR recognizes packets of the application protocols by matching the packet contents with the signatures or restrictions. If a packet is recognized as the packet of an application protocol in the application group, the packet is considered to be the packet of the application group. Features such as QoS and ASPF can handle packets belonging to the same group in batch.

You can add application protocols to an application group by using the following methods:

·     Add application protocols one by one to the application group.

·     Copy application protocols from another application group to the application group.

APR signature database management

APR signature database

The APR signature database is a resource library of character string signatures for application recognition. To keep up with changing application recognition requirements, update the APR signature database in a timely manner and roll it back when needed.

APR signature database update

You can update the APR signature database by using one of the following methods:

·     Automatic update.

The device automatically downloads the most up-to-date APR signature file to update its local signature database periodically.

·     Triggered update.

The device downloads the most up-to-date APR signature file to update its local signature database immediately after you trigger the update operation.

·     Manual update.

Use this method when the device cannot obtain the APR signature file automatically.

You must first download the most up-to-date APR signature file manually. The device then obtains the downloaded file to update its local signature database.

APR signature database rollback

You can perform the rollback operation if a high error rate or abnormal behavior occurs when the device uses the current APR signature database for application recognition.

You can roll back the current APR signature database to the factory version or to the last version.

Licensing requirements

NBAR requires a license to run on the device. After the license expires, you can still use NBAR. However, you can use only the existing signature database and cannot update the signature database. For information about licenses, see Fundamentals Configuration Guide.

APR configuration task list

Tasks at a glance

(Optional.) Configuring PBAR

(Optional.) Configuring a user-defined NBAR rule

(Optional.) Configuring application groups

(Optional.) Enabling application statistics on an interface

(Optional.) Managing the APR signature database

 

IMPORTANT:

For user-defined NBAR rules to take effect, you must configure the inspect activate command. For information about the inspect activate command, see DPI Command Reference.

 

Configuring PBAR

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure a port mapping.

·     Configure a general port mapping:
port-mapping application application-name port port-number [ protocol protocol-name ]

·     Configure an ACL-based host-port mapping:
port-mapping application application-name port port-number [ protocol protocol-name ] acl [ ipv6 ] acl-number

·     Configure a subnet-based host-port mapping:
port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]

·     Configure an IP address-based host-port mapping:
port-mapping application application-name port port-number [ protocol protocol-name ] host { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]

By default, all application protocols map to their well-known ports.

You can configure these commands together.

APR selects a port mapping to recognize the application protocol of a packet in the following order:

·     IP address-based port mapping.

·     Subnet-based port mapping.

·     ACL-based host-port mapping.

·     General port mapping.

For the same type of mappings, the port mapping with a transport layer protocol has higher priority than the mapping without a transport layer protocol.

If the specified application protocol does not exist, the system first creates the protocol.
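The selection order above, modelled as an added example (this is not H3C code): the mapping kinds, the Packet fields and the sample mappings are assumptions, and an ACL is represented as a list of permitted destination subnets.

```python
"""Model of PBAR port-mapping precedence: host > subnet > ACL > general, and within
one kind a mapping that names a transport protocol beats one that does not."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Selection order from the guide (lower value = checked first).
PRIORITY = {"host": 0, "subnet": 1, "acl": 2, "general": 3}


@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    protocol: str                           # "tcp" or "udp"


@dataclass
class PortMapping:
    application: str
    port: int
    kind: str                               # "general", "acl", "subnet" or "host"
    protocol: Optional[str] = None          # None: mapping applies to any transport protocol
    subnet: Optional[str] = None            # for kind == "subnet", e.g. "10.110.0.0/16"
    host_range: Optional[tuple] = None      # for kind == "host": (start_ip, end_ip)
    acl: Optional[list] = None              # for kind == "acl": constructed list of permit subnets

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst_port != self.port:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        ip = ipaddress.ip_address(pkt.dst_ip)
        if self.kind == "subnet":
            return ip in ipaddress.ip_network(self.subnet, strict=False)
        if self.kind == "host":
            start, end = (ipaddress.ip_address(a) for a in self.host_range)
            return start <= ip <= end
        if self.kind == "acl":
            return any(ip in ipaddress.ip_network(n, strict=False) for n in self.acl)
        return True                         # general mapping: any destination on that port


def recognize(mappings, pkt: Packet) -> Optional[str]:
    """Return the application PBAR would assign, or None if no user-defined mapping matches."""
    candidates = [m for m in mappings if m.matches(pkt)]
    if not candidates:
        return None
    # Most specific mapping kind first; within a kind, the mapping with a protocol wins.
    best = min(candidates, key=lambda m: (PRIORITY[m.kind], 0 if m.protocol else 1))
    return best.application


def demo_mappings():
    """Constructed sample mappings built around the guide's port 2121 example."""
    return [
        PortMapping("app-any", 2121, "general"),
        PortMapping("app-tcp", 2121, "general", protocol="tcp"),
        PortMapping("app-acl", 2121, "acl", acl=["10.0.0.0/8"]),
        PortMapping("app-subnet", 2121, "subnet", protocol="tcp", subnet="10.110.0.0/16"),
        PortMapping("app-host", 2121, "host", host_range=("10.110.5.1", "10.110.5.10")),
    ]
```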

 

Configuring a user-defined NBAR rule

You can configure user-defined NBAR rules if the predefined NBAR rules cannot meet your needs. The predefined NBAR rules cannot be deleted or modified.

For all NBAR rules to take effect, create a DPI application profile on the device. For information about DPI application profiles, see DPI Configuration Guide.

A user-defined NBAR rule can contain the following match criteria:

·     Signatures.

·     Destination IP subnet.

·     Source IP subnet.

·     Direction in which the application is recognized.

·     Port number.

You can configure more than one match criterion for the NBAR rule. To match the NBAR rule, packets must match all the configured match criteria in the rule.

To configure a user-defined NBAR rule:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a user-defined NBAR rule and enter its view.

nbar application application-name protocol { http | tcp | udp }

By default, no user-defined NBAR rules exist.

3.     (Optional.) Configure a description.

description text

By default, the user-defined NBAR rule is described as User defined application.

4.     Configure a signature.

signature [ signature-id ] [ field field-name ] [ offset offset-value ] { hex hex-vector | regex regex-pattern | string string }

By default, no signatures exist.

You can repeat this command to configure multiple signatures in the rule. The logical relation for the signatures is OR, which indicates that a packet that matches any signature matches the NBAR rule.

5.     (Optional.) Specify a destination IP subnet.

destination { ip ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] }

By default, no destination IP subnet is specified.

In the current software version, the ipv6 ipv6-address [ prefix-length ] option is not supported. If you specify this option, the command does not take effect.

6.     (Optional.) Specify a source IP subnet.

source { ip ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] }

By default, no source IP subnet is specified.

In the current software version, the ipv6 ipv6-address [ prefix-length ] option is not supported. If you specify this option, the command does not take effect.

7.     (Optional.) Specify a direction.

direction { to-client | to-server }

By default, an NBAR rule matches packets in both directions.

8.     (Optional.) Specify a port number or port range.

service-port { port-num | range start-port end-port }

By default, an NBAR rule matches packets of all port numbers.

9.     (Optional.) Set the maximum detected length.

apr set detectlen bytes

By default, the maximum detected length is not limited for an NBAR rule.

10.     (Optional.) Disable the user-defined NBAR rule.

disable

By default, a user-defined NBAR rule is enabled.
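The match semantics of a user-defined NBAR rule (signatures ORed, the subnet, direction and port criteria ANDed, and only the first detectlen bytes inspected), as an added example that is not H3C code: the class and field names are assumptions, and an http rule is modelled as inspecting TCP payload.

```python
"""Model of how a user-defined NBAR rule decides whether a packet matches."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Signature:
    kind: str                      # "string", "hex" or "regex", as in the signature command
    pattern: str
    offset: Optional[int] = None   # None: the pattern may appear anywhere in the inspected bytes

    def matches(self, payload: bytes) -> bool:
        if self.kind == "regex":
            region = payload if self.offset is None else payload[self.offset:]
            return re.search(self.pattern.encode(), region) is not None
        needle = bytes.fromhex(self.pattern) if self.kind == "hex" else self.pattern.encode()
        if self.offset is None:
            return needle in payload
        return payload.startswith(needle, self.offset)


@dataclass
class NbarRule:
    name: str
    protocol: str                      # "tcp", "udp" or "http" (assumption: http rules inspect TCP)
    signatures: list                   # ORed: any one matching signature is enough
    destination: Optional[str] = None  # destination IP subnet, e.g. "192.0.2.0/24"
    source: Optional[str] = None       # source IP subnet
    direction: Optional[str] = None    # "to-client" / "to-server"; None = both directions
    ports: Optional[set] = None        # service-port values; None = all ports
    detectlen: Optional[int] = None    # apr set detectlen; None = whole payload inspected
    enabled: bool = True               # the disable command sets this to False


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    transport: str
    direction: str
    payload: bytes


def in_subnet(ip: str, subnet: Optional[str]) -> bool:
    return subnet is None or ipaddress.ip_address(ip) in ipaddress.ip_network(subnet, strict=False)


def rule_matches(rule: NbarRule, pkt: Packet) -> bool:
    """All non-signature criteria are ANDed; the signatures are ORed."""
    transport = "tcp" if rule.protocol == "http" else rule.protocol
    if not rule.enabled or pkt.transport != transport:
        return False
    if rule.direction is not None and pkt.direction != rule.direction:
        return False
    if rule.ports is not None and pkt.dst_port not in rule.ports:
        return False
    if not in_subnet(pkt.src_ip, rule.source) or not in_subnet(pkt.dst_ip, rule.destination):
        return False
    # detectlen caps how far into the payload the signatures are searched.
    inspected = pkt.payload if rule.detectlen is None else pkt.payload[:rule.detectlen]
    return any(sig.matches(inspected) for sig in rule.signatures)


def demo_rule() -> NbarRule:
    """Constructed rule: two signatures, destination subnet, to-server only, port 5555, detectlen 16."""
    return NbarRule("myapp", "tcp",
                    [Signature("string", "HELLO", offset=0), Signature("hex", "deadbeef")],
                    destination="192.0.2.0/24", direction="to-server", ports={5555}, detectlen=16)
```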

 

Configuring application groups

The device supports a maximum of 1000 application groups. Each application group can contain a maximum of 1000 user-defined application protocols and an unlimited number of predefined application protocols.

To configure an application group:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an application group and enter its view.

app-group group-name

By default, no application groups exist.

3.     (Optional.) Configure a description for the application group.

description text

By default, the description is User-defined application group.

4.     Add an application protocol to the group.

include application application-name

By default, an application group does not contain any application protocols.

Execute this command multiple times to add multiple application protocols to the group.

If the specified application protocol does not exist, the device creates the protocol.

5.     Copy all application protocols from another group to the group.

copy app-group group-name

Execute this command multiple times to copy application protocols from multiple groups to the current group.

 

Enabling application statistics on an interface

IMPORTANT:

The application statistics feature consumes a large amount of system memory. When the system generates a low-memory alarm, disable the application statistics feature on all interfaces.

 

When the application statistics feature is enabled on an interface, the device separately counts the number of packets or bytes that the interface has received or sent for each application protocol. It also calculates the transmission rates of the interface for these protocols.

To display application statistics, use the display application statistics command.

To enable the application statistics feature on an interface:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Layer 3 interface view.

interface interface-type interface-number

N/A

3.     Enable application statistics on the interface.

application statistics enable [ inbound | outbound ]

By default, this feature is disabled.

You can enable the application statistics feature on both the inbound and outbound directions of the interface.

 

Managing the APR signature database

You can update or roll back the version of the APR signature database on the device.

For a successful APR signature database update or rollback, do not delete the /dpi/ folder in the root directory on the device storage media.

Do not update or roll back the APR signature database when the remaining system memory reaches any alarm threshold. Insufficient memory causes update or rollback failure and affects the function of NBAR. For information about memory alarm thresholds, see Fundamentals Configuration Guide.

Scheduling an automatic update for the APR signature database

If the device can access the signature database services on the H3C website, you can schedule an automatic update. The automatic update enables the device to automatically update the local APR signature database at the scheduled update time.

For a successful automatic update, make sure the following requirements are met:

·     The device can obtain the IP address of the H3C website through static or dynamic domain name resolution.

·     The device can access the signature database services on the H3C website.

For information about DNS, see Layer 3—IP Services Configuration Guide.

To schedule an automatic update for the APR signature database:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the automatic update feature and enter auto-update configuration view.

apr signature auto-update

By default, the automatic update feature is disabled.

3.     Configure the update schedule.

update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes

By default, the device automatically updates the APR signature database between 02:01:00 and 04:01:00 every day.

4.     Overwrite the current signature file.

override-current

By default, the current APR signature file is not overwritten for an update operation. Instead, the device will back up the current APR signature file.

 

Triggering an automatic update for the APR signature database

Whenever a new signature version is released on the H3C website, you can trigger the device to immediately update the local APR signature database.

For a successful triggered update, make sure the following requirements are met:

·     The device can obtain the IP address of the H3C website through static or dynamic domain name resolution.

·     The device can access the signature database services on the H3C website.

For information about DNS, see Layer 3—IP Services Configuration Guide.

To trigger an automatic update for the APR signature database:

 

Step

Command

1.     Enter system view.

system-view

2.     Trigger an automatic update for the APR signature database.

apr signature auto-update-now

 

Performing a manual update for the APR signature database

If the device cannot access the signature database services on the H3C website, use one of the following methods to manually update the APR signature database on the device:

·     Local update—By using the locally stored APR signature file.

(In standalone mode.) To ensure a successful update, the APR signature file must be stored on the active MPU.

(In IRF mode.) To ensure a successful update, the APR signature file must be stored on the global active MPU.

·     FTP/TFTP update—By using the APR signature file stored on the FTP or TFTP server.

To perform a manual update for the APR signature database:

 

Step

Command

1.     Enter system view.

system-view

2.     Manually update the APR signature database.

apr signature update [ override-current ] file-path

 

Rolling back the APR signature database

Each time a rollback operation is performed, the device backs up the APR signature database of the current version. If you repeat the rollback-to-last-version operation multiple times, the APR signature database repeatedly switches between the current version and the last version.

To roll back the APR signature database:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Roll back the APR signature database.

apr signature rollback { factory | last }

To ensure that the APR signature database can be successfully rolled back to the last version, back up the current APR signature database each time you update the database.

 

Displaying and maintaining APR

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display information about application protocols.

display application [ name application-name | pre-defined | user-defined ]

Display information about application groups.

display app-group [ name group-name ]

Display statistics for the specified application protocols.

display application statistics [ direction { inbound | outbound } | interface interface-type interface-number | name application-name ] *

Display statistics for application protocols on an interface in descending order based on the specified criteria.

display application statistics top number { bps | bytes | packets | pps } interface interface-type interface-number

Display information about predefined port mappings.

display port-mapping pre-defined

Display information about user-defined port mappings.

display port-mapping user-defined [ application application-name | port port-number ]

Display APR signature database information.

display apr signature information

Clear application statistics for an interface or all interfaces.

reset application statistics [ interface interface-type interface-number ]

 

APR configuration examples

PBAR configuration example

Network requirements

As shown in Figure 1, configure PBAR on the router to recognize the HTTP packets sent by the host and destined for port 8080.

The router drops the packets recognized by PBAR.

Figure 1 Network diagram

 

Configuration procedure

# Create an application group named group1, and enter application group view.

<Router> system-view

[Router] app-group group1

# Add HTTP to the application group.

[Router-app-group-group1] include application http

[Router-app-group-group1] quit

# Map HTTP to TCP and port 8080.

[Router] port-mapping application http port 8080 protocol tcp

# Create a traffic class named classifier_1, and match group1 to the class.

[Router] traffic classifier classifier_1

[Router-classifier-classifier_1] if-match app-group group1

[Router-classifier-classifier_1] quit

# Create a traffic behavior named bdeny, and configure the action as deny.

[Router] traffic behavior bdeny

[Router-behavior-bdeny] filter deny

[Router-behavior-bdeny] quit

# Create QoS policy 1, associate classifier_1 with traffic behavior bdeny to create a class-behavior association in the QoS policy.

[Router] qos policy 1

[Router-qospolicy-1] classifier classifier_1 behavior bdeny

[Router-qospolicy-1] quit

# Apply the QoS policy to the inbound direction of GigabitEthernet 1/1/1.

[Router] interface gigabitethernet 1/1/1

[Router-GigabitEthernet1/1/1] qos apply policy 1 inbound

[Router-GigabitEthernet1/1/1] quit

Verifying the configuration

# Verify that the host fails to establish an HTTP connection whose destination port is 8080 with the public network. (Details not shown.)

NBAR configuration example

Network requirements

As shown in Figure 2, configure NBAR on the router to recognize the packets sent by the host and destined for application BaoFeng.

The router drops the packets recognized by NBAR.

Figure 2 Network diagram

 

Configuration procedure

Assign an IP address to each interface, as shown in Figure 2. (Details not shown.)

1.     Create security zones and add the interfaces to the security zones:

# Create a security zone named trust and add GigabitEthernet 1/1/1 to the security zone.

<Router> system-view

[Router] security-zone name trust

[Router-security-zone-Trust] import interface gigabitethernet 1/1/1

[Router-security-zone-Trust] quit

# Create a security zone named untrust and add GigabitEthernet 1/1/2 to the security zone.

[Router] security-zone name untrust

[Router-security-zone-Untrust] import interface gigabitethernet 1/1/2

[Router-security-zone-Untrust] quit

2.     Create an IPv4 address object group named ipsfilter. Configure an IPv4 address object with the subnet address of 192.168.1.0/24 for the group.

[Router] object-group ip address ipsfilter

[Router-obj-grp-ip-ipsfilter] network subnet 192.168.1.0 24

[Router-obj-grp-ip-ipsfilter] quit

3.     Create a DPI application profile named sec and enter its view.

[Router] app-profile sec

4.     Create an object policy and rule:

# Create an IPv4 object policy named ipsfilter and enter its view.

[Router] object-policy ip ipsfilter

# Configure a rule to apply DPI application profile sec to packets that match source IPv4 address object group ipsfilter.

[Router-object-policy-ip-ipsfilter] rule inspect sec source-ip ipsfilter destination-ip any

[Router-object-policy-ip-ipsfilter] quit

5.     Apply the object policy to a zone pair:

# Create a zone pair from security zone trust to security zone untrust. Apply IPv4 object policy ipsfilter to the zone pair.

[Router] zone-pair security source trust destination untrust

[Router-zone-pair-security-Trust-Untrust] object-policy apply ip ipsfilter

[Router-zone-pair-security-Trust-Untrust] quit

# Activate the DPI service policies and rules.

[Router] inspect activate

6.     Configure QoS:

# Create a traffic class named classifier_1, and match application BaoFeng to the class.

[Router] traffic classifier classifier_1

[Router-classifier-classifier_1] if-match application BaoFeng

[Router-classifier-classifier_1] quit

# Create a traffic behavior named bdeny, and configure the action as deny.

[Router] traffic behavior bdeny

[Router-behavior-bdeny] filter deny

[Router-behavior-bdeny] quit

# Create QoS policy 1, associate classifier_1 with traffic behavior bdeny to create a class-behavior association in the QoS policy.

[Router] qos policy 1

[Router-qospolicy-1] classifier classifier_1 behavior bdeny

[Router-qospolicy-1] quit

# Apply the QoS policy to the inbound direction of GigabitEthernet 1/1/1.

[Router] interface gigabitethernet 1/1/1

[Router-GigabitEthernet1/1/1] qos apply policy 1 inbound

[Router-GigabitEthernet1/1/1] quit

Verifying the configuration

# Verify that the host fails to visit the BaoFeng application. (Details not shown.)

 
