17-DPI Configuration Guide


Configuring IPS

The intrusion prevention systems (IPS) module requires a license to run on the device. If the license expires, you can still use the IPS functions but you can no longer update the IPS signature library on the device. For more information about licenses, see Fundamentals Configuration Guide.

Overview

IPS is a security feature that enables devices to monitor network traffic for malicious activity and to proactively take prevention actions.

IPS provides the following functions:

·     In-depth protection—IPS inspects the application layer data of packets, performs protocol analysis and reassembly on network traffic flows, and takes actions according to the analysis results.

·     Real-time protection—IPS monitors network traffic in real-time and can take actions on detected attacks.

·     All-around protection—IPS can detect and prevent the following types of attacks:

◦     Malicious software such as worms, viruses, Trojans, bots, spyware, adware, scanners, and backdoors.

◦     Malicious attacks such as common gateway interface (CGI) attacks, cross-site scripting attacks, injection attacks, directory traversal attacks, information leakage attacks, remote file inclusion attacks, buffer overflow attacks, code execution attacks, and DoS attacks.

·     Bidirectional protection—IPS monitors both incoming and outgoing traffic to prevent attacks arising from the internal and external networks.

IPS signatures

The device compares traffic flows with IPS signatures to detect, classify, and prevent network attacks. You can specify the actions to apply to traffic flows matching each signature.

The device supports the following types of IPS signatures:

·     Predefined IPS signatures—Automatically generated by the device based on the local signature library. You cannot add, modify, or delete a predefined IPS signature, but you can enable or disable the signature, or assign actions to the signature. For more information about signature actions, see "Signature actions."

·     User-defined IPS signatures—For new attacks that cannot be detected by predefined signatures, you can customize IPS signatures in a Snort file and import the file to the device.

Signature actions

When the device detects a matching packet for an IPS signature, it takes the actions specified for the signature on the packet.

The device supports the following signature actions:

·     Reset—Closes the TCP connections for matching packets by sending TCP reset messages.

·     Redirect—Redirects matching packets to a webpage.

·     Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources are blocked for the duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."

·     Drop—Drops matching packets.

·     Permit—Permits matching packets to pass.

·     Capture—Captures matching packets.

·     Logging—Logs matching packets.

IPS mechanism

As shown in Figure 1, upon receiving a packet, an IPS-capable device performs the following operations:

1.     The device compares the packet with the IP blacklist rules.

◦     If a matching rule is found, the device drops the packet.

◦     If no matching rule is found, the device goes to step 2.

2.     The device compares the packet with the object policy rules. If the matching object policy rule meets both of the following conditions, the device identifies the application layer protocol of the packet and extracts the packet signatures:

◦     The object policy rule is configured with the inspect app-profile-name option. The app-profile-name argument specifies the DPI application profile.

◦     The specified DPI application profile uses an IPS policy.

For more information about object policy rules, see Security Configuration Guide.

3.     The device determines the actions for the packet by comparing the extracted packet signatures with the IPS signatures in the IPS policy:

◦     If the packet does not match any IPS signatures, the device permits the packet to pass.

◦     If the packet matches only one IPS signature, the device takes the actions of that signature.

◦     If the packet matches multiple IPS signatures, the device uses the following rules to select the actions:

-     If the matching IPS signatures carry two or more of the actions block-source, redirect, drop, permit, and reset, the device takes only the action with the highest priority. In descending order of priority, these actions are reset, redirect, block-source/drop, and permit.

-     The device also executes the block-source, capture, and logging actions if any of the matching IPS signatures carries them.

Figure 1 IPS mechanism

IPS signature library management

The device uses IPS signatures to inspect application layer traffic for malicious threats and attacks.

You can update the device IPS signature library to the latest version or roll back the library to the previous or the factory default version.

Updating the IPS signature library

The following methods are available for updating the IPS signature library on the device:

·     Automatic update.

The device periodically downloads the most up-to-date IPS signature file and uses it to update its local signature library.

·     Triggered update.

The device downloads the most up-to-date IPS signature file to update its local signature library immediately after you trigger the operation.

·     Manual update.

Use this method when the device cannot obtain the IPS signature file automatically.

You must manually download the most up-to-date IPS signature file, and then use the file to update the signature library on the device.

Rolling back the IPS signature library

If the current signature library produces frequent false alarms or filtering exceptions, you can roll back the IPS signature library to the previous version or to the factory default version.

IPS configuration task list

Tasks at a glance

(Required.) Configuring an IPS policy

(Optional.) Configuring IPS actions for an IPS policy

(Optional.) Specifying a parameter profile for an IPS signature action

(Required.) Applying an IPS policy to a DPI application profile

(Optional.) Importing user-defined IPS signatures

(Required.) Using a DPI application profile in an object policy rule

(Required.) Applying an object policy to a zone pair

(Optional.) Managing the IPS signature library

(Optional.) Activating policy and rule configurations for DPI service modules

Configuring an IPS policy

By default, an IPS policy uses all enabled IPS signatures on the device. You can set criteria such as direction, target, and severity level to filter the IPS signatures. Only IPS signatures that match the criteria are used by the IPS policy.

To view the IPS signature filtering configuration of an IPS policy, execute the display this command in IPS policy view.

To configure an IPS policy:

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Create an IPS policy and enter its view.
Command: ips policy policy-name
Remarks: A default IPS policy named default exists. The default IPS policy includes all enabled IPS signatures on the device and cannot be modified or deleted.

3.     (Optional.) Set the target criterion to filter IPS signatures.
Command: protect-target { all | target [ subtarget ] }
Remarks: By default, an IPS policy uses all enabled IPS signatures on the device.

4.     (Optional.) Set the direction criterion to filter IPS signatures.
Command: object-dir { client | server } *
Remarks: By default, an IPS policy uses all enabled IPS signatures on the device.

5.     (Optional.) Set the severity level criterion to filter IPS signatures.
Command: severity-level { critical | high | low | medium } *
Remarks: By default, an IPS policy uses all enabled IPS signatures on the device.

Configuring IPS actions for an IPS policy

By default, the system applies the default actions of an IPS signature to packets matching the signature.

You can also configure global actions for an IPS policy or change the actions for individual IPS signatures in the policy.

The system selects the actions for packets matching an IPS signature in the following order:

1.     Actions configured for the IPS signature in the IPS policy.

2.     Actions configured for the IPS policy.

3.     Default actions of the IPS signature.
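
The three-level precedence above (per-signature override, then policy-wide override, then signature defaults) combines with the multi-match priority rules from "IPS mechanism" to decide what happens to a packet. The Python below is an added illustration of that decision logic, not H3C code: the signature ids 2, 4 and 6 and the ips1 overrides mirror the example later in this guide, while the default actions, the signature with id 8 and the helper names are constructed for the example.

```python
"""Added model of how an IPS policy selects packet actions (not H3C code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional

# Mutually exclusive dispositions, ranked as "IPS mechanism" states:
# reset > redirect > block-source/drop > permit (higher number wins).
DISPOSITION_RANK = {"reset": 3, "redirect": 2, "block-source": 1, "drop": 1, "permit": 0}

# Actions the device executes whenever any matching signature carries them.
ALWAYS_EXECUTED = frozenset({"block-source", "capture", "logging"})


@dataclass(frozen=True)
class Signature:
    """A predefined signature with the state and actions the system defines."""
    sig_id: int
    default_actions: FrozenSet[str]
    enabled: bool = True


@dataclass
class IpsPolicy:
    """Overrides entered in IPS policy view (a constructed model of the CLI)."""
    name: str
    # signature override all <actions>
    global_actions: Optional[FrozenSet[str]] = None
    # signature override pre-defined <id> { enable | disable }
    sig_state: Dict[int, bool] = field(default_factory=dict)
    # actions given on that same per-signature override line, if any
    sig_actions: Dict[int, FrozenSet[str]] = field(default_factory=dict)


def effective_actions(sig: Signature, policy: IpsPolicy) -> Optional[FrozenSet[str]]:
    """Resolve one signature's actions in the order the guide gives:
    per-signature override, then policy-wide override, then defaults.
    Returns None when the signature is disabled in this policy."""
    if not policy.sig_state.get(sig.sig_id, sig.enabled):
        return None
    if sig.sig_id in policy.sig_actions:
        return policy.sig_actions[sig.sig_id]
    if policy.global_actions is not None:
        return policy.global_actions
    return sig.default_actions


def merge_actions(action_sets: List[FrozenSet[str]]) -> FrozenSet[str]:
    """Combine the action sets of every signature the packet matched.

    No match: the packet passes. One match: its actions unchanged. Several
    matches: keep only the top-ranked disposition(s) (block-source and drop
    tie), then add block-source, capture and logging from any matching set."""
    if not action_sets:
        return frozenset({"permit"})
    if len(action_sets) == 1:
        return action_sets[0]
    dispositions = {a for s in action_sets for a in s if a in DISPOSITION_RANK}
    chosen = set()
    if dispositions:
        best = max(DISPOSITION_RANK[a] for a in dispositions)
        chosen.update(a for a in dispositions if DISPOSITION_RANK[a] == best)
    for s in action_sets:
        chosen.update(s & ALWAYS_EXECUTED)
    return frozenset(chosen)


def packet_actions(matched_ids: Iterable[int], library: Dict[int, Signature],
                   policy: IpsPolicy) -> FrozenSet[str]:
    """Final action set for a packet whose extracted signatures hit matched_ids."""
    resolved = []
    for sid in matched_ids:
        actions = effective_actions(library[sid], policy)
        if actions is not None:  # a signature disabled in the policy never matches
            resolved.append(actions)
    return merge_actions(resolved)


# Constructed signature library: ids 2, 4 and 6 are the ones overridden in the
# guide's ips1 example; their default states and actions are invented here.
LIBRARY = {
    2: Signature(2, frozenset({"permit", "logging"}), enabled=False),
    4: Signature(4, frozenset({"drop", "logging"})),
    6: Signature(6, frozenset({"reset", "logging"}), enabled=False),
    8: Signature(8, frozenset({"redirect"})),
}

# Same overrides as the guide's ips1 policy:
#   signature override pre-defined 2 enable drop capture logging
#   signature override pre-defined 4 disable
#   signature override pre-defined 6 enable
IPS1 = IpsPolicy(
    name="ips1",
    sig_state={2: True, 4: False, 6: True},
    sig_actions={2: frozenset({"drop", "capture", "logging"})},
)
```

Calling packet_actions([2, 6], LIBRARY, IPS1) yields reset plus capture and logging: reset outranks the drop configured for signature 2, while the additive actions from both signatures survive.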

To configure packet processing actions in an IPS policy:

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Enter the view of an IPS policy.
Command: ips policy policy-name
Remarks: N/A

3.     Specify the global IPS actions for the IPS policy.
Command: signature override all { { block-source | drop | permit | redirect | reset } | capture | logging } *
Remarks: By default, no actions are specified for an IPS policy and the default actions of IPS signatures are applied to matching packets.

4.     (Optional.) Change the status or actions for an IPS signature.
Command: signature override { pre-defined | user-defined } signature-id { { disable | enable } [ { block-source | drop | permit | redirect | reset } | capture | logging ] * }
Remarks: By default:

·     Predefined IPS signatures use the actions and states defined by the system.

·     User-defined IPS signatures use the actions and states defined in the IPS signature file from which the signatures are imported.

Specifying a parameter profile for an IPS signature action

You can specify parameter profiles for IPS signature actions. A parameter profile is a set of parameters that determine how an action is executed. If you do not specify a parameter profile for an action, or if the specified profile does not exist, the default action parameter settings are used. For information about configuring parameter profiles, see "Configuring DPI engine."

To specify a parameter profile for an IPS signature action:

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Specify a parameter profile for an IPS signature action.
Command: ips { block-source | capture | email | logging | redirect } parameter-profile parameter-name
Remarks: By default, no parameter profile is specified for an IPS signature action.

Applying an IPS policy to a DPI application profile

An IPS policy must be applied to a DPI application profile to take effect.

To apply an IPS policy to a DPI application profile:

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Enter DPI application profile view.
Command: app-profile profilename
Remarks: For more information about this command, see DPI Command Reference.

3.     Apply an IPS policy to the DPI application profile.
Command: ips apply policy policy-name mode { protect | alert }
Remarks: By default, no IPS policy is applied to the DPI application profile. You can apply only one IPS policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.

Importing user-defined IPS signatures

To add your own IPS signatures, create an IPS signature file in the Snort format and import the signatures from the file to the device.

Make sure the IPS signature file contains all user-defined signatures that you want to use. All existing user-defined signatures on the device will be overwritten by the imported signatures.

To import user-defined IPS signatures:

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Import user-defined IPS signatures.
Command: ips signature import snort file-path
Remarks: By default, no user-defined IPS signatures exist.

Using a DPI application profile in an object policy rule

Perform this task to use a DPI application profile in an IPv4 or IPv6 object policy rule. For information about object policy rules, see Security Configuration Guide.

Using a DPI application profile in an IPv4 object policy rule

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Enter MDC system view.
Command: switchto mdc mdc-name
Remarks: Required for MDCs only.

3.     Create an IPv4 object policy and enter its view.
Command: object-policy ip object-policy-name
Remarks: N/A

4.     Use a DPI application profile in the rule.
Command: rule [ rule-id ] { drop | pass | inspect app-profile-name } [ [ source-ip object-group-name | any ] [ destination-ip object-group-name | any ] [ service object-group-name | any ] [ vrf vrf-name ] [ counting ] [ disable ] [ logging ] [ time-range time-range-name ] ] *
Remarks: By default, no DPI application profile is used in an IPv4 object policy rule.

Using a DPI application profile in an IPv6 object policy rule

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Enter MDC system view.
Command: switchto mdc mdc-name
Remarks: Required for MDCs only.

3.     Create an IPv6 object policy and enter its view.
Command: object-policy ipv6 object-policy-name
Remarks: N/A

4.     Use a DPI application profile in the rule.
Command: rule [ rule-id ] { drop | pass | inspect app-profile-name } [ [ source-ip object-group-name | any ] [ destination-ip object-group-name | any ] [ service object-group-name | any ] [ vrf vrf-name ] [ counting ] [ disable ] [ logging ] [ time-range time-range-name ] ] *
Remarks: By default, no DPI application profile is used in an IPv6 object policy rule.

Applying an object policy to a zone pair

For more information about this feature, see Security Configuration Guide.

To apply an object policy to a zone pair:

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Enter MDC system view.
Command: switchto mdc mdc-name
Remarks: Required for MDCs only.

3.     Configure the security zones.
Command: security-zone name zone-name
Remarks: The default security zones Local, Trust, DMZ, Management, and Untrust are automatically created when you create the first security zone on the device.

4.     Create a zone pair and enter its view.
Command: zone-pair security source source-zone-name destination destination-zone-name
Remarks: By default, no zone pairs exist.

5.     Apply an object policy to the zone pair. Use either command.
Command (IPv4 object policy): object-policy apply ip object-policy-name
Command (IPv6 object policy): object-policy apply ipv6 object-policy-name
Remarks: By default, no object policy is applied to a zone pair.

Managing the IPS signature library

You can update or roll back the version of the IPS signature library on the device.

Configuration restrictions and guidelines

To ensure successful IPS signature update and rollback, follow these restrictions and guidelines:

·     Do not delete the /dpi/ folder in the root directory of the storage medium.

·     Do not perform IPS signature update and rollback when the device's free memory is below the normal state threshold. For more information about device memory thresholds, see Fundamentals Configuration Guide.

Scheduling an IPS signature automatic update

If the device can access the signature database services on the H3C website, you can schedule an automatic update. The automatic update enables the device to automatically update the local signature library at the scheduled update time.

For successful signature update, make sure the device can resolve the domain name of the H3C website into an IP address through DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide.

To schedule an IPS signature automatic update:

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Enable automatic IPS signature library update.
Command: ips signature auto-update
Remarks: By default, automatic IPS signature library update is disabled.

3.     Schedule the update time.
Command: update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
Remarks: By default, the device updates the IPS signature library at a random time between 01:00:00 and 03:00:00 every day.

4.     Configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.
Command: override-current
Remarks: By default, the device backs up the current IPS signature library as the previous version before performing an automatic IPS signature library update.

Triggering an immediate IPS signature update

Whenever a new signature version is released on the H3C website, you can trigger the device to immediately update the local signature library.

For successful signature update, make sure the device can resolve the domain name of the H3C website into an IP address through DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide.

To trigger an immediate IPS signature update:

1.     Enter system view.
Command: system-view

2.     Trigger an automatic IPS signature library update.
Command: ips signature auto-update-now

Performing an IPS signature manual update

If the device cannot access the signature database services on the H3C website, use one of the following methods to manually update the IPS signature library on the device:

·     Local update—Updates the IPS signature library on the device by using the locally stored update IPS signature file.

Store the update file in the correct location for a successful signature library update:

◦     In standalone mode, store the update file on the active MPU.

◦     In IRF mode, store the update file on the global active MPU.

·     FTP/TFTP update—Updates the IPS signature library on the device by using the file stored on the FTP or TFTP server.

To perform a manual update:

1.     Enter system view.
Command: system-view

2.     Manually update the IPS signature library on the device.
Command: ips signature update [ override-current ] file-path

Rolling back the IPS signature library

If an IPS signature library update causes exceptions or a high false alarm rate, you can roll back the IPS signature library.

Before rolling back the IPS signature library, the device backs up the current signature library as the previous version. For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.

To roll back the IPS signature library version:

1.     Enter system view.
Command: system-view

2.     Roll back the IPS signature library to the previous version or to the factory default version.
Command: ips signature rollback { factory | last }

Activating policy and rule configurations for DPI service modules

This task puts the policy and rule configurations for DPI service modules into effect without rebooting the device. The result is the same as saving the configurations and rebooting the device.

This task can cause temporary service disruptions. As a best practice, perform it only after all DPI service policy and rule configurations are complete.

To activate policy and rule configurations for DPI service modules:

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Activate policy and rule configurations for DPI service modules.
Command: inspect activate
Remarks: By default, the creation, modification, and deletion of DPI service policies and rules do not take effect until you activate them.

Displaying and maintaining IPS

Execute display commands in any view.

Display IPS signature information.
Command: display ips signature [ pre-defined | user-defined ] [ direction { any | to-client | to-server } ] [ category category-name | fidelity { high | low | medium } | protocol { icmp | ip | tcp | udp } | severity { critical | high | low | medium } ] *

Display detailed information about an IPS signature.
Command: display ips signature { pre-defined | user-defined } signature-id

Display IPS signature library information.
Command: display ips signature information

Display IPS policy information.
Command: display ips policy policy-name

IPS configuration examples

Default IPS policy application example

Network requirements

As shown in Figure 2, the device connects to the LAN and Internet through security zones Trust and Untrust, respectively.

Configure the device to use the default IPS policy for attack detection and prevention.

Figure 2 Network diagram

Configuration procedure

1.     Assign IP addresses to interfaces, as shown in Figure 2. (Details not shown.)

2.     Configure the security zones:

# Assign GigabitEthernet 1/1/1 to security zone Trust.

<Device> system-view

[Device] security-zone name trust

[Device-security-zone-Trust] import interface gigabitethernet 1/1/1

[Device-security-zone-Trust] quit

# Assign GigabitEthernet 1/1/2 to security zone Untrust.

[Device] security-zone name untrust

[Device-security-zone-Untrust] import interface gigabitethernet 1/1/2

[Device-security-zone-Untrust] quit

3.     Create IP address object group ipsfilter and configure an IP address object with subnet 192.168.1.0/24.

[Device] object-group ip address ipsfilter

[Device-obj-grp-ip-ipsfilter] network subnet 192.168.1.0 24

[Device-obj-grp-ip-ipsfilter] quit

4.     Apply the default IPS policy to a DPI application profile:

# Create DPI application profile sec and enter its view.

[Device] app-profile sec

# Apply the default IPS policy to the DPI application profile and set the policy mode to protect.

[Device-app-profile-sec] ips apply policy default mode protect

[Device-app-profile-sec] quit

5.     Configure an object policy:

# Create IPv4 object policy ipsfilter, and enter its view.

[Device] object-policy ip ipsfilter

# Configure an object policy rule to apply DPI application profile sec to packets that match IP address object group ipsfilter.

[Device-object-policy-ip-ipsfilter] rule inspect sec source-ip ipsfilter destination-ip any

[Device-object-policy-ip-ipsfilter] quit

6.     Create a zone pair between source zone Trust and destination zone Untrust, and apply object policy ipsfilter to the zone pair.

[Device] zone-pair security source trust destination untrust

[Device-zone-pair-security-Trust-Untrust] object-policy apply ip ipsfilter

[Device-zone-pair-security-Trust-Untrust] quit

7.     Activate policy and rule configurations for DPI service modules.

[Device] inspect activate

Verifying the configuration

# Verify that the device can use the default IPS policy to detect and prevent known network attacks. (Details not shown.)

For example, if an incoming attack packet matches predefined IPS signature GNU_Bash_Local_Memory_Corruption_Vulnerability(CVE-2014-718), the device automatically applies the signature actions (reset and logging) to the packet.

User-defined IPS policy application example

Network requirements

As shown in Figure 3, the device connects to the LAN and Internet through security zones Trust and Untrust, respectively.

Perform the following tasks:

1.     Create IPS policy ips1 and modify its signature action and status settings as follows:

◦     Enable predefined IPS signature 2 and specify actions drop, capture, and logging for the signature.

◦     Disable predefined IPS signature 4.

◦     Enable predefined IPS signature 6.

2.     Apply IPS policy ips1 to the zone pair between source zone Trust and destination zone Untrust.

Figure 3 Network diagram

Configuration procedure

1.     Assign IP addresses to interfaces, as shown in Figure 3. (Details not shown.)

2.     Configure the security zones:

# Assign GigabitEthernet 1/1/1 to security zone Trust.

<Device> system-view

[Device] security-zone name trust

[Device-security-zone-Trust] import interface gigabitethernet 1/1/1

[Device-security-zone-Trust] quit

# Assign GigabitEthernet 1/1/2 to security zone Untrust.

[Device] security-zone name untrust

[Device-security-zone-Untrust] import interface gigabitethernet 1/1/2

[Device-security-zone-Untrust] quit

3.     Create IP address object group ipsfilter and configure an IP address object with subnet 192.168.1.0/24.

[Device] object-group ip address ipsfilter

[Device-obj-grp-ip-ipsfilter] network subnet 192.168.1.0 24

[Device-obj-grp-ip-ipsfilter] quit

4.     Configure an IPS policy:

# Create IPS policy ips1 and enter its view.

[Device] ips policy ips1

# Configure the IPS policy to use IPS signatures with all target and subtarget attributes.

[Device-ips-policy-ips1] protect-target all

# Enable predefined IPS signature 2 and specify actions drop, capture, and logging for the signature.

[Device-ips-policy-ips1] signature override pre-defined 2 enable drop capture logging

# Disable predefined IPS signature 4.

[Device-ips-policy-ips1] signature override pre-defined 4 disable

# Enable predefined IPS signature 6.

[Device-ips-policy-ips1] signature override pre-defined 6 enable

[Device-ips-policy-ips1] quit

5.     Apply IPS policy ips1 to a DPI application profile:

# Create DPI application profile sec.

[Device] app-profile sec

# Apply IPS policy ips1 to the DPI application profile and set the policy mode to protect.

[Device-app-profile-sec] ips apply policy ips1 mode protect

[Device-app-profile-sec] quit

6.     Configure an object policy:

# Create IPv4 object policy ipsfilter, and enter its view.

[Device] object-policy ip ipsfilter

# Configure an object policy rule to apply DPI application profile sec to packets that match IP address object group ipsfilter.

[Device-object-policy-ip-ipsfilter] rule inspect sec source-ip ipsfilter destination-ip any

[Device-object-policy-ip-ipsfilter] quit

7.     Create a zone pair between source zone Trust and destination zone Untrust, and apply object policy ipsfilter to the zone pair.

[Device] zone-pair security source trust destination untrust

[Device-zone-pair-security-Trust-Untrust] object-policy apply ip ipsfilter

[Device-zone-pair-security-Trust-Untrust] quit

8.     Activate policy and rule configurations for DPI service modules.

[Device] inspect activate

Verifying the configuration

# Verify that IPS policy ips1 is successfully configured.

<Device> display ips policy ips1

IPS signature library manual update configuration example

Network requirements

As shown in Figure 4, LAN users in security zone Trust can access the following resources:

·     Internet resources in security zone Untrust.

·     The FTP server at 192.168.2.1/24 in security zone DMZ. The FTP login name and password are ips and 123, respectively.

Perform the following tasks:

·     Manually update the IPS signature library by using the latest IPS signature file stored on the FTP server.

·     Configure the device to use the default IPS policy to detect and prevent known attacks on the network.

Figure 4 Network diagram

Configuration procedure

1.     Assign IP addresses to interfaces, as shown in Figure 4. (Details not shown.)

2.     Enable the device to communicate with the FTP server:

# Configure ACL 2001 to permit all traffic.

<Device> system-view

[Device] acl basic 2001

[Device-acl-ipv4-basic-2001] rule permit

[Device-acl-ipv4-basic-2001] quit

# Assign GigabitEthernet 1/1/3 to zone DMZ.

[Device] security-zone name dmz

[Device-security-zone-DMZ] import interface gigabitethernet 1/1/3

[Device-security-zone-DMZ] quit

# Create a zone pair between source zone Local and destination zone DMZ, and apply ACL 2001 to the zone pair for packet filtering.

[Device] zone-pair security source local destination dmz

[Device-zone-pair-security-Local-DMZ] packet-filter 2001

[Device-zone-pair-security-Local-DMZ] quit

# Create a zone pair between source zone DMZ and destination zone Local, and apply ACL 2001 to the zone pair for packet filtering.

[Device] zone-pair security source dmz destination local

[Device-zone-pair-security-DMZ-Local] packet-filter 2001

[Device-zone-pair-security-DMZ-Local] quit

3.     Configure the security zones:

# Assign GigabitEthernet 1/1/1 to security zone Trust.

[Device] security-zone name trust

[Device-security-zone-Trust] import interface gigabitethernet 1/1/1

[Device-security-zone-Trust] quit

# Assign GigabitEthernet 1/1/2 to security zone Untrust.

[Device] security-zone name untrust

[Device-security-zone-Untrust] import interface gigabitethernet 1/1/2

[Device-security-zone-Untrust] quit

4.     Create IP address object group ipsfilter and configure an IP address object with subnet 192.168.1.0/24.

[Device] object-group ip address ipsfilter

[Device-obj-grp-ip-ipsfilter] network subnet 192.168.1.0 24

[Device-obj-grp-ip-ipsfilter] quit

5.     Update the device IPS signature library by using IPS signature file ips-1.0.8-encrypt.dat stored on the FTP server.

[Device] ips signature update ftp://ips:123@192.168.2.4/ips-1.0.8-encrypt.dat

6.     Apply the default IPS policy to a DPI application profile:

# Create DPI application profile sec.

[Device] app-profile sec

# Apply the default IPS policy to the DPI application profile and set the policy mode to protect.

[Device-app-profile-sec] ips apply policy default mode protect

[Device-app-profile-sec] quit

7.     Configure an object policy:

# Create IPv4 object policy ipsfilter, and enter its view.

[Device] object-policy ip ipsfilter

# Configure an object policy rule to apply DPI application profile sec to packets that match IP address object group ipsfilter.

[Device-object-policy-ip-ipsfilter] rule inspect sec source-ip ipsfilter destination-ip any

[Device-object-policy-ip-ipsfilter] quit

8.     Create a zone pair between source zone Trust and destination zone Untrust, and apply object policy ipsfilter to the zone pair.

[Device] zone-pair security source trust destination untrust

[Device-zone-pair-security-Trust-Untrust] object-policy apply ip ipsfilter

[Device-zone-pair-security-Trust-Untrust] quit

9.     Activate policy and rule configurations for DPI service modules.

[Device] inspect activate

Verifying the configuration

# Verify that the device can use the default IPS policy to detect and prevent known network attacks. (Details not shown.)

For example, if an incoming attack packet matches predefined IPS signature GNU_Bash_Local_Memory_Corruption_Vulnerability(CVE-2014-718), the device automatically executes the signature actions (reset and logging) on the packet.

# Verify that the device IPS signature library is updated.

<Device> display ips signature information

IPS signature library automatic update configuration example

Network requirements

As shown in Figure 5, LAN users in security zone Trust can access Internet resources in security zone Untrust.

Configure the device to automatically update the local IPS signature library at a random time between 08:30 am and 09:30 am every Saturday.

Figure 5 Network diagram

Configuration procedure

1.     Assign IP addresses to interfaces, as shown in Figure 5. (Details not shown.)

2.     Configure DNS for the device to resolve the domain name of the H3C website into the IP address. (Details not shown.)

3.     Enable automatic IPS signature library update.

<Device> system-view

[Device] ips signature auto-update

[Device-ips-autoupdate]

# Configure the device to perform automatic update at a random time between 08:30 am and 09:30 am every Saturday.

[Device-ips-autoupdate] update schedule weekly sat start-time 9:00:00 tingle 30

[Device-ips-autoupdate] quit

Verifying the configuration

# Verify that the device IPS signature library is updated as scheduled.

<Device> display ips signature information
