- Table of Contents
-
- 04-Comware 7 CLI-based configuration examples (AC+fit AP deployment)
- 001-HTTPS Login Configuration Examples
- 002-SSH Configuration Examples
- 003-License Management Configuration Examples
- 004-AP Association with the AC at Layer 2 Configuration Examples
- 005-AP Association with the AC at Layer 2 (IPv6) Configuration Examples
- 006-Auto AP Configuration Examples
- 007-AP Association with the AC at Layer 3 Configuration Examples
- 008-AP Association with the AC at Layer 3 (IPv6) Configuration Examples
- 009-WEP Encryption Configuration Examples
- 010-PSK Encryption Configuration Examples
- 011-WPA3-SAE PSK Encryption Configuration Examples
- 012-WLAN Access (IPv6) Configuration Examples
- 013-Policy-Based Forwarding with Dual Gateways Configuration Examples
- 014-Scheduled Configuration Deployment by AP Group Configuration Examples
- 015-Inter-AC Roaming with Static Client VLAN Allocation Configuration Examples
- 016-Service Template and Radio Binding Configuration Examples
- 017-Scheduled WLAN Access Services Configuration Examples
- 018-HTTPS-Based Local Portal Authentication Configuration Examples
- 019-Remote Portal Authentication Configuration Examples
- 020-Local Portal Authentication through LDAP Server Configuration Examples
- 021-Local Portal Auth and SSID-based Auth Page Pushing Configuration Examples
- 022-Local Portal MAC-Trigger Authentication Configuration Examples
- 023-Portal MAC-Trigger Authentication Configuration Examples
- 024-Local Forwarding Mode and Local Portal MAC-Trigger Auth Configuration Examples
- 025-Local Portal Authentication (IPv6) Configuration Examples
- 026-Local Portal Authentication through LDAP Server (IPv6) Configuration Examples
- 027-Remote Portal Authentication (IPv6) Configuration Examples
- 028-Portal MAC-Trigger Authentication (IPv6) Configuration Example
- 029-Remote Portal Authentication with User Profile Authorization Configuration Examples
- 030-WiFiDog Portal Authentication Configuration Examples
- 031-Portal Fail-Permit Configuration Examples
- 032-Local MAC Authentication Configuration Examples
- 033-Remote MAC Authentication Configuration Examples
- 034-Local Portal Authentication Configuration Examples
- 035-Transparent Auth Through Remote MAC and Portal Auth Configuration Examples
- 036-Remote AP, Remote Portal, and MAC-Trigger Authentication Configuration Examples
- 037-MAC Authentication with Guest VLAN Assignment Configuration Examples
- 038-MAC Authentication with Guest VLAN Assignment (IPv6) Configuration Examples
- 039-Local MAC-And-802.1X Authentication Configuration Examples
- 040-Local 802.1X Authentication Configuration Examples
- 041-Local RADIUS-Based 802.1X Authentication in EAP Relay Mode Configuration Examples
- 042-Remote 802.1X Authentication Configuration Examples
- 043-Remote 802.1X Authentication (IPv6) Configuration Examples
- 044-Remote 802.1X Authentication in WPA3-Enterprise Mode Configuration Examples
- 045-802.1X Auth with ACL Assignment Through IMC Server Configuration Examples
- 046-802.1X Auth with User Profile Assignment Through IMC Server Configuration Examples
- 047-EAD Authentication Configuration Examples
- 048-EAD Authentication (IPv6) Configuration Examples
- 049-Local Forwarding Mode and Local Portal Authentication Configuration Examples
- 050-Local Forwarding Mode Direct Portal Authentication Configuration Examples
- 051-Local Forwarding Mode Direct Portal Authentication (IPv6) Configuration Examples
- 052-Local Forwarding Configuration Examples
- 053-Wired Port Local Forwarding through Wireless Terminator Configuration Examples
- 054-Remote AP Configuration Examples
- 055-Downlink VLAN Management for Fit-Mode APs Configuration Examples
- 056-Downlink VLAN Management for Fit APs and Cloud APs Configuration Examples
- 057-WIPS Configuration Examples
- 058-WIPS Countermeasures Against All SSIDs Configuration Examples
- 059-IP Source Guard (IPv4) Configuration Examples
- 060-IP Source Guard (IPv6) Configuration Examples
- 061-IPS Configuration Examples
- 062-URL Filtering Configuration Examples
- 063-Anti-Virus Configuration Examples
- 064-Data Filtering Configuration Examples
- 065-File Filtering Configuration Examples
- 066-Application Audit and Management Configuration Examples
- 067-Application Rate Limiting Configuration Examples
- 068-IRF Setup with LACP MAD Configuration Examples
- 069-IRF Setup with ARP MAD Configuration Examples
- 070-IRF Setup with Members Not Directly Connected Configuration Examples
- 071-IRF Setup with Members in One Chassis Configuration Examples
- 072-IRF Setup with Members in Different Chassis Configuration Examples
- 073-Dual-Link Backup Configuration Examples
- 074-Remote 802.1X Auth on an AC Hierarchy Network with Dual-Link Backup Configuration Examples
- 075-Remote Portal Auth on an AC Hierarchy Network with Dual-Link Backup Configuration Examples
- 076-OAuth-Based Portal MAC-Trigger Auth on a Local-Forwarding Dual-Link Backup Configuration Examples
- 077-Dual-Link Backup OAuth-Based Portal Authentication in Local Forwarding Configuration Examples
- 078-Dual-Link Backup Remote Portal MAC-Trigger Authentication in Local Forwarding Configuration Examples
- 079-Dual-Link Backup Remote Portal and Transparent MAC Auth in Local Forwarding Configuration Examples
- 080-Dual-Link Backup Remote Portal Authentication in Local Forwarding Configuration Examples
- 081-Dual-Link Backup Remote Portal and Transparent MAC Auth in Centralized Forwarding Configuration Examples
- 082-Dual-Link Backup Remote Portal Authentication in Centralized Forwarding Configuration Examples
- 083-Dual-Link Backup Lightweight Portal Authentication in Centralized Forwarding Configuration Examples
- 084-Dual-Link Backup OAuth-Based Portal Authentication in Centralized Forwarding Configuration Examples
- 085-Dual-Link Backup Remote Portal MAC-Trigger Auth in Centralized Forwarding Configuration Examples
- 086-Remote 802.1X Authentication on a Dual-Link AC Backup Network Configuration Examples
- 087-Remote MAC Authentication on a Dual-Link AC Backup Network Configuration Examples
- 088-AC Hierarchy Configuration Examples
- 089-Remote 802.1X Auth (Local AC Auth+AC Forwardering) Configuration Examples
- 090-Remote 802.1X Auth (Central AC Auth+AP Forwarding) Configuration Examples
- 091-AC Hierarchy (IPv6) Configuration Examples
- 092-WLAN Probe Configuration Examples
- 093-Multicast Optimization Configuration Examples
- 094-Client Rate Limiting Configuration Examples
- 095-Inter-AC Roaming Configuration Examples
- 096-Inter-AC Roaming (IPv6) Configuration Examples
- 097-Inter-AC Roaming in Local Forwarding Mode Configuration Examples
- 098-H3C Access Controllers Cooperative Roaming for 802.11v Clients Configuration Examples
- 099-WLAN Load Balancing Configuration Examples
- 100-Static Blacklist Configuration Examples
- 101-Client Quantity Control Configuration Examples
- 102-AP License Synchronization Configuration Examples
- 103-BLE Module iBeacon Transmission Configuration Examples
- 104-Medical RFID Tag Management Configuration Examples
- 105-iBeacon Management Configuration Examples
- 106-Mesh Link Establishment Between Fit APs Configuration Examples
- 107-Mesh Link Establishment Between a Fit AP and a Fat AP Configuration Examples
- 108-Auto-DFS and Auto-TPC Configuration Examples
- 109-AP Image Downloading Configuration Examples
- 110-Dual-Uplink Interfaces Configuration Guide
- 111-H3C Comware AC Cloud-Managed AP Centralized Management Configuration Examples
- 112-Internal-to-External Access Through NAT Configuration Examples
- 113-Layer 2 Static Aggregation Configuration Examples
- 114-Layer 2 Multicast Configuration Examples
- 115-Static VLAN Allocation Configuration Examples
- 116-URL Redirection Configuration Examples
- 117-IPv6 URL Redirection Configuration Examples
- Related Documents
-
Title | Size | Download |
---|---|---|
063-Anti-Virus Configuration Examples | 104.76 KB |
|
H3C Access Controllers |
Anti-Virus Configuration Examples |
|
Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Introduction
The following information provides an example of configuring anti-virus.
Prerequisites
The following information applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of the anti-virus feature.
Example: Configuring anti-virus
Network configuration
As shown in Figure 1, the AC connects the LAN and the Internet. The client uses a Web server and a mail server on the Internet to transport files and emails.
Configure the AC to use an anti-virus policy to detect and prevent viruses in the files and emails downloaded by the client.
Restrictions and guidelines
Use the actual serial ID of an AP to uniquely identify that AP.
Configure the AC to forward client data traffic (the centralized forwarding mode).
Procedures
Configuring the AC
Configuring basic settings
1. Configure interfaces on the AC:
# Create VLAN 100. Create VLAN-interface 100 and assign an IP address to the VLAN interface. The AP will obtain this IP address to establish a CAPWAP tunnel with the AC.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 192.1.1.1 24
[AC-Vlan-interface100] quit
# Create VLAN 200. Create VLAN-interface 200 and assign an IP address to the VLAN interface. The client will access the wireless network through this VLAN.
[AC] vlan 200
[AC-vlan200] quit
[AC] interface vlan-interface 200
[AC-Vlan-interface200] ip address 192.2.1.1 24
[AC-Vlan-interface200] quit
# Configure the interface connected to the switch as a trunk port that permits VLAN 100 and VLAN 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/1] quit
2. Configure the wireless service:
# Create service template 1 and enter its view.
[AC] wlan service-template 1
# Configure the SSID as service.
[AC-wlan-st-1] ssid service
# Specify the AKM mode as PSK, and configure the preshared key as 12345678 in plain text.
[AC-wlan-st-1] akm mode psk
[AC-wlan-st-1] preshared-key pass-phrase simple 12345678
# Specify the cipher suite as CCMP and the security IE as RSN.
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
# Configure the AC to forward client data traffic. (Skip this step if the client data traffic forwarder is the AC by default.)
[AC-wlan-st-1] client forwarding-location ac
# Assign clients coming online to VLAN 200.
[AC-wlan-st-1] vlan 200
# Enable the service template.
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
3. Configure the AP:
|
NOTE: In large-scale networks, configure AP groups instead of single APs as a best practice. |
# Create an AP named ap1 with model WA6320.
[AC] wlan ap ap1 model WA6320
# Set the serial ID of AP ap1 to 219801A28N819CE0002T.
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
[AC-wlan-ap-ap1] quit
# Create AP group group1 and add AP ap1 to AP group group1.
[AC] wlan ap-group group1
[AC-wlan-ap-group-group1] ap ap1
# Bind service template 1 to radio 1 in AP group group1.
[AC-wlan-ap-group-group1] ap-model WA6320
[AC-wlan-ap-group-group1-ap-model-WA6320] radio 1
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] service-template 1
# Enable radio 1.
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] radio enable
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] quit
# Bind service template 1 to radio 2 in AP group group1.
[AC-wlan-ap-group-group1-ap-model-WA6320] radio 2
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template 1
# Enable radio 2.
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] return
Configuring an object group
# Create an IP address object group named antivirus, and specify its subnet as 192.2.1.0/24.
<AC> system-view
[AC] object-group ip address antivirus
[AC-obj-grp-ip-antivirus] network subnet 192.2.1.0 24
[AC-obj-grp-ip-antivirus] quit
Configuring an anti-virus policy
# Create an anti-virus policy named down_av and enter its view.
[AC] anti-virus policy down_av
# Configure anti-virus for FTP and SMB in download direction and specify the anti-virus action as block.
[AC-anti-virus-policy-down_av]inspect ftp direction download action block
[AC-anti-virus-policy-down_av]inspect smb direction download action block
# Configure anti-virus for IMAP in download direction and specify the anti-virus action as alert.
[AC-anti-virus-policy-down_av]inspect imap direction download action alert
# Set the Alibaba application as an application exception. Specify alert as the anti-virus action for the application exception.
[AC-anti-virus-policy-down_av]exception application Alibaba action alert
[AC-anti-virus-policy-down_av] quit
Configuring a DPI application profile and activate the anti-virus policy settings
# Create a DPI application profile named sec, and enter its view.
[AC] app-profile sec
# Apply anti-virus policy down_av to DPI application profile sec. Set the anti-virus policy mode to protect.
[AC-app-profile-sec] anti-virus apply policy down_av mode protect
[AC-app-profile-sec] quit
# Activate the anti-virus policy settings.
[AC] inspect activate
Configuring an anti-virus security policy
# Enter IPv4 security policy view.
[AC] security-policy ip
# Create a security policy rule named av. Configure the matching conditions as the source IP address object group antivirus, FTP service, SMB service, IMAP service, AP ap1, AP group default-group, and SSID service.
[AC-security-policy-ip] rule name av
[AC-security-policy-ip-10-av] source-ip antivirus
[AC-security-policy-ip-10-av] service ftp
[AC-security-policy-ip-10-av] service smb
[AC-security-policy-ip-10-av] service imap
[AC-security-policy-ip-10-av] ap ap1
[AC-security-policy-ip-10-av] ap-group default-group
[AC-security-policy-ip-10-av] ssid service
# Configure the security action as pass and specify DPI application profile sec.
[AC-security-policy-ip-10-av] action pass
[AC-security-policy-ip-10-av] profile sec
[AC-security-policy-ip-10-av] quit
# Activate rule matching acceleration.
[AC-security-policy-ip] accelerate enhanced enable
[AC-security-policy-ip] quit
Configuring the switch
1. Configure interfaces on the switch:
# Create VLAN 100, VLAN-interface 100, VLAN 200, VLAN-interface 200, and assign IP addresses to the VLAN interfaces. The switch will use VLAN 100 to forward CAPWAP tunnel traffic between the AC and the AP, and use VLAN 200 to forward wireless client packets.
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] ip address 192.1.1.2 24
[Switch-Vlan-interface100] quit
[Switch] vlan 200
[Switch-vlan200] quit
[Switch] interface vlan-interface 200
[Switch-Vlan-interface200] ip address 192.2.1.2 24
[Switch-Vlan-interface200] quit
# Set the link type of GigabitEthernet 1/0/1 (the interface connected to the AC) to trunk. Allow traffic from VLAN 100 and VLAN 200 to pass through the interface.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/1] quit
# Set the link type of GigabitEthernet 1/0/2 (the interface connected to the AP) to trunk. Allow traffic from VLAN 100 to pass through the interface.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port access vlan 100
# Enable PoE on GigabitEthernet 1/0/2.
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
2. Configure DHCP settings:
# Enable DHCP.
[Switch] dhcp enable
# Create a DHCP address pool named vlan100 to assign IP addresses and other configuration parameters to clients on subnet 192.1.1.0/24. Exclude IP addresses 192.1.1.1 and 192.1.1.2 from dynamic allocation. Specify the gateway address as 192.1.1.1.
[Switch] dhcp server ip-pool vlan100
[Switch-dhcp-pool-vlan100] network 192.1.1.0 mask 255.255.255.0
[Switch-dhcp-pool-vlan100] forbidden-ip 192.1.1.1 192.1.1.2
[Switch-dhcp-pool-vlan100] gateway-list 192.1.1.1
[Switch-dhcp-pool-vlan100] quit
# Create a DHCP address pool named vlan200 to assign IP addresses and other configuration parameters to clients on subnet 192.2.1.0/24. Exclude IP addresses 192.2.1.1 and 192.2.1.2 from dynamic allocation. Specify a gateway and a DNS server.
[Switch] dhcp server ip-pool vlan200
[Switch-dhcp-pool-vlan200] network 192.2.1.0 mask 255.255.255.0
[Switch-dhcp-pool-vlan200] forbidden-ip 192.2.1.1 192.2.1.2
[Switch-dhcp-pool-vlan200] dns-list 192.2.1.1
[Switch-dhcp-pool-vlan200] gateway-list 192.2.1.1
[Switch-dhcp-pool-vlan200] quit
Verifying the configuration
# View anti-virus statistics by using the display anti-virus statistics command on the AC.
[AC] display anti-virus statistics
Slot 1:
Total Block: 2
Total Redirect: 0
Total Alert: 1
Type http ftp smtp pop3 imap smb nfs
Block 0 1 0 0 0 1 0
Redirect 0 0 0 0 0 0 0
Alert+Permit 0 0 0 0 1 0 0
Configuration files
· AC:
#
vlan 100
#
vlan 200
#
wlan service-template 1
ssid service
vlan 200
akm mode psk
preshared-key pass-phrase cipher $c$3$29gn1DalRVhkcyZ1CKwevH+xb6Lxopy3eq/H
cipher-suite ccmp
security-ie rsn
service-template enable
#
interface Vlan-interface100
ip address 192.1.1.1 255.255.255.0
#
interface Vlan-interface200
ip address 192.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
wlan ap ap1 model WA6320
serial-id 219801A28N819CE0002T
#
wlan ap-group group1
vlan 1
ap ap1
ap-model WA6320
radio 1
radio enable
service-template 1
radio 2
radio enable
service-template 1
gigabitethernet 1
#
object-group ip address antivirus
0 network subnet 192.2.1.0 255.255.255.0
#
app-profile sec
anti-virus apply policy down_av mode protect
#
security-policy ip
rule 1 name av
action pass
profile sec
source-ip antivirus
service ftp
service smb
service imap
ap ap1
ap-group default-group
ssid service
#
anti-virus policy down_av
inspect ftp direction download action block
inspect imap direction download action alert
inspect smb direction download action block
exception application Alibaba action alert
· Switch:
#
dhcp enable
#
vlan 100
#
vlan 200
#
interface Vlan-interface100
ip address 192.1.1.2 255.255.255.0
#
interface Vlan-interface200
ip address 192.2.1.2 255.255.255.0
#
dhcp server ip-pool vlan100
network 192.1.0.0 mask 255.255.255.0
forbidden-ip 192.1.1.1 192.1.1.2
gateway-list 192.1.1.1
#
dhcp server ip-pool vlan200
gateway-list 192.2.1.1
network 192.2.1.0 mask 255.255.255.0
forbidden-ip 192.2.1.1 192.2.1.2
dns-list 192.2.1.1
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
interface GigabitEthernet1/0/2
port link-type access
port access vlan 100
poe enable
Related documentation
· Anti-Virus Command Reference in H3C Access Controllers Command References
· Anti-Virus Configuration Guide in H3C Access Controllers Configuration Guides
· Security Policy Command Reference in H3C Access Controllers Command References
· Security Policy Configuration Guide in H3C Access Controllers Configuration Guides