H3C SecPath AFC2000-EX0-G Series Abnormal Traffic Cleaning System Configuration Examples-5W100

14-Typical Configuration for HTTPS CC Protection Example

Introduction

The H3C SecPath AFC integrates an application security module. The primary function of this module is to analyze the data content of HTTP (HTTPS) requests, block abnormal requests, and prevent attack requests from reaching the server. This enhances business security and provides protection for web applications.

Configuration Prerequisites

The current feature is not supported in cluster application scenarios or primary/backup scenarios, nor is it supported on AFC2020 and AFC2040.

In serial connection scenarios, the current feature is not supported in multi-link access environments (including VLAN virtual links).

The current feature is not supported in working scenarios where AFC enables port aggregation.

The current feature is not supported in bypass uplink dual-exit router scenarios.

The current feature is supported starting from software version H3C i-Ware Software, Version 7.1, ESS 6401 P06.

All configurations in this document were performed and verified in a laboratory environment. Before configuration, all device parameters were set to their factory default settings. By default, this feature is disabled. To enable it, navigate to [System Config] > [Param Setting], as shown in Figure 1.

Figure 1 Enable application security configuration

 

Configuration Example

Transparent Forwarding Configuration in Series Mode

Transparent forwarding refers to the scenario where the IP address of the protected web application server falls within the protection scope of the AFC (Application Firewall Controller), and all upstream and downstream traffic of the server passes through the AFC device.

Networking Requirements

To protect the websites at the protected IP range 172.212.6.X against attacks, the AFC device is deployed in-line within the customer's network. The AFC's Inline Upstream Interface connects to the upstream switch and its Inline Downstream Interface connects to the downstream switch. The AFC inspects and filters the mixed traffic it receives before forwarding it to the downstream network. The networking topology is shown in Figure 2.

Figure 2 Configuration and networking diagram of AFC series deployment mode.

 

The specific implementation is as follows:

·     Interface Connection: The AFC's Inline Upstream Interface XGE2/0 is connected in series to the upstream switch, while the AFC's Inline Downstream Interface XGE2/1 is connected in series to the downstream switch.

·     Host Traffic Cleaning: The global module policy continuously filters and inspects host traffic in real time, while the application security module protects the configured domains.

Table 1: VLAN Allocation List

VLAN ID | Function Description | IP Address
1711 | Core switch interface connected in series to the Inline Upstream Interface of the AFC | 171.0.1.1/24
1711 | Interconnection address between the lower-layer switch and the core switch | 171.0.1.2/24
1711 | Gateway address of the lower-layer network | 172.212.0.1/16

 

Table 2: AFC Interface IP Allocation List

Interface | Function Description | IP Address
XGE2/0 | Inline Upstream Interface. In series mode, no address is required; if one is configured, it must not conflict with the network address. | (none)
XGE2/1 | Inline Downstream Interface. In series mode, no address is required; if one is configured, it must not conflict with the network address. | (none)
GE0/0 | AFC management port | 192.168.0.1/24

 

Table 3 Protected Server Configuration List

IP Address | Domain | Port
172.212.6.101 | www.example.com | http 80
172.212.6.101 | www.example.com | https 443

 

Note: The AFC interface names depend on the specific device model and are given here only for reference. For the function of each interface, refer to the documentation of the specific model and use the interfaces according to their default functions. Do not change the interface functions on your own.

 

Configuration Approach

To achieve the AFC series deployment mode configuration, follow the steps below:

Core Switch R2 Basic Network Configuration

Configure the XG1/0/17 interface of core switch R2 to interconnect with the XG1/0/17 interface of downstream switch R3.

Downstream Switch R3 Basic Network Configuration

Configure the XG1/0/17 interface of downstream switch R3 to interconnect with the XG1/0/17 interface of core switch R2.

AFC Basic Network Configuration

Configure the AFC network ports: set XGE2/0 as the Inline Upstream Interface and XGE2/1 as the Inline Downstream Interface. After binding them, enable communication between the upstream and downstream switches.

Application Security Configuration

Configure domain name forwarding rules and virtual routing. For HTTPS mode, add a certificate. After setting up the domain name forwarding rules, ensure that domain name requests can pass through the application security module for monitoring and protection.

 

Configuration Steps

Configure the basic network on the core switch R2

Create VLAN 1711 with IP address 171.0.1.0/24. This VLAN is used to place the core switch in the same subnet as the downstream terminal devices, serving as their gateway.

# Create Vlan

[R2]vlan 1711

[R2]quit

# Config VLAN IP

[R2]interface Vlan-interface1711

[R2-Vlan-interface1711]ip address 171.0.1.1 255.255.255.0

[R2-Vlan-interface1711]quit

[R2]interface XGigabitEthernet1/0/17

[R2-XGigabitEthernet1/0/17]port link-mode bridge

[R2-XGigabitEthernet1/0/17]port access vlan 1711

[R2-XGigabitEthernet1/0/17]quit

Configure the basic network on the downstream switch R3

Create VLAN 1711, which serves as the uplink port for connecting to the upper-layer network.

# Create Vlan

[R3]vlan 1711

[R3]interface Vlan-interface1711

[R3-Vlan-interface1711]ip address 171.0.1.2 255.255.255.0

[R3-Vlan-interface1711]ip address 172.212.0.1 255.255.0.0 sub

[R3-Vlan-interface1711]quit

 

# Add the interface connecting the switch to the host to the VLAN

[R3]interface GigabitEthernet1/0/13

# Connected to the protected host

[R3-GigabitEthernet1/0/13]port link-mode bridge

[R3-GigabitEthernet1/0/13]port access vlan 1711

[R3-GigabitEthernet1/0/13]quit

# Configure the VLAN for the interface connecting the downstream switch to the core switch

[R3]interface XGigabitEthernet1/0/17

# Connected to the upstream Layer 3 switch

[R3-XGigabitEthernet1/0/17]port link-mode bridge

[R3-XGigabitEthernet1/0/17]port access vlan 1711

[R3-XGigabitEthernet1/0/17]quit

If the upper and lower layer switches are unmanaged switches, there is no need to configure VLANs; simply ensure there are no loops.

 

Basic Network Configuration for AFC Equipment

To achieve cascaded transparent deployment of AFC, follow the configuration steps below:

Log in to the AFC system page

Open the login page in a browser: https://192.168.0.1:16010/. Username: admin, Password: admin, as shown in Figure 3.

Figure 3 Log in to the AFC system page

 

AFC Address and Port Type Configuration

Navigate to [System] > [Device] > [Device Manage], click the [Setup] button on the right side of the device, select [Port Settings] in the left navigation bar, and click the [Modify] button. Set GE0/0 as the management port and configure the management address, subnet mask, and gateway. Configure XGE2/0 as the Inline Upstream Interface and XGE2/1 as the Inline Downstream Interface, and bind the two data ports to each other, as shown in Figure 4.

Figure 4 Port Settings

 

 

Click [Apply Configuration] to make the settings take effect.

After enabling application security, all service ports in the network port configuration must be of the same type; series and bypass configurations cannot be used simultaneously.

 

 

Verify Configuration

Verify that communication between the client and the diversion server is normal.

Use ping from the client to test whether the route to the protected IP is reachable.

C:\Users\Administrator>ping 172.212.6.101

Pinging 172.212.6.101 with 32 bytes of data:

Reply from 172.212.6.101: bytes=32 time=11ms TTL=124

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

 

Ping statistics for 172.212.6.101:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milliseconds:

Minimum = 0ms, Maximum = 11ms, Average = 2ms

Application Security Configuration Steps

Configure Virtual Routing

Methods to Obtain MAC Address

Query via Switch

Log in to switch R2 and use the command to query the MAC address of VLAN 1711:

 

[R2]dis int Vlan-interface 1711

Vlan-interface1711

Current state: UP

Line protocol state: UP

Description: Vlan-interface1711 Interface

Bandwidth: 100000000 kbps

Maximum transmission unit: 1500

Internet address: 171.0.1.1/24 (primary)

IP packet frame type: Ethernet II, hardware address: e868-1965-f78e

IPv6 packet frame type: Ethernet II, hardware address: e868-1965-f78e

Last clearing of counters: Never

Input (total):  0 packets, 0 bytes

Output (total):  0 packets, 0 bytes

 

AFC Device Packet Capture

From the client, execute the command ping 172.172.69.12 -t to continuously ping the server.

Log in to the AFC management page, navigate to [Global Status] > [Server List], and start packet capture for the server 172.172.69.12, as shown in Figure 5.

Figure 5 Start Catch

 

After packet capturing, click "Stop" as shown in Figure 6.

Figure 6 Stop Catch

 

In the packet capture record, select the captured packets and click "Start," as shown in Figure 7.

Figure 7 Analyze Data Packets

 

After the analysis is completed, click "View" as shown in Figure 8.

Figure 8 View Data Packets

 

In the record analysis list, select the record with source IP: 172.213.9.103, click Analyze, as shown in Figure 9.

Figure 9 Analyze Data

 

Check the Source MAC address, as shown in Figure 10.

Figure 10 Check the MAC address

 

Configure Virtual Routing

Under [App Security] - [Virtual Routing], select Layer 2 mode and configure the peer MAC address of the external network interface, as shown in Figure 11.

Figure 11 Configure Virtual Routing

 

HTTP Domain Forwarding Rules

Add HTTP Domain Forwarding Rule

Navigate to [App Security] - [WEB Protection], click "Add," and fill in the details as shown in Figure 12.

Figure 12 Domain Forwarding Rule

 

The figure above defines an HTTP domain forwarding rule, explained as follows:

Table 4 Domain Rule Explanation

Name | Function Description
Protected Domain | A second-level domain can be added, such as www.example.cn; *.* can be added to match all domains.
Access Method | Select Transparent Mode.
Protocol | Select HTTP, Port: 80.
Origin-Pulling Method | Select HTTP.
Origin Server IP and Port | IP: 172.212.6.101, Port: 80.

 

 

·     For Windows clients, modify the hosts file manually: edit C:\Windows\System32\drivers\etc

·     Add the entry 172.212.6.101 www.example.com and save the file.

·     For Linux clients, modify the hosts file manually: vi /etc/hosts

·     Add the entry 172.212.6.101 www.example.com and save the file.

 

Configuration Verification

Client-side local hosts file domain binding

The client binds the domain name www.example.com to the IP address 172.212.6.101 via the local hosts file.

Ping www.example.com from the client; the server IP 172.212.6.101 is displayed correctly.

C:\Users\Administrator>ping www.example.com

 

Pinging www.example.com [172.212.6.101] with 32 bytes of data:

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

 

Ping statistics for 172.212.6.101:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milliseconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

 

·     If the client can already resolve the domain name through a DNS server, the hosts file binding step (step a) can be skipped.

 

Access via browser

Open http://www.example.com in a browser; the website content is displayed normally, as shown in Figure 13.

Figure 13 Website content display

 

Check Domain Status

Navigate to [App Security] - [Domain Status]. There is a request record for the domain www.example.com, as shown in Figure 14.

Figure 14: Domain Request Record

 

Configure HTTPS Domain Forwarding Rules

Obtain an HTTPS Certificate

Methods to Obtain the Certificate

·     For certificates in .crt (public key) and .key (private key) formats:

You can directly open them with a file editor, copy the content, and paste it into the corresponding input fields on the certificate addition page.

The public key content is shown in Figure 15.

Figure 15 Public Key Information

 

The private key content is shown in Figure 16.

Figure 16: Private Key Information

 

A certificate whose private key is encrypted (password protected) cannot be added directly. Decrypt the private key before adding it.

·     Obtaining Public and Private Keys from a PEM Format Certificate

Some PEM format certificates contain both the public and private keys together. You need to open the certificate with an editor, then copy the respective content into the input fields on the certificate addition page, as shown in Figure 17.

Figure 17: Obtaining Public Key and Private Key from PEM Certificate

 

·     Extracting public and private keys from a PFX-format certificate

This type of certificate cannot be opened directly. It needs to be converted into a recognizable format such as PEM using commands before the keys can be copied.

[root@localhost nginx]# openssl pkcs12 -in tmm-server.pfx -nodes -out server111.pem

Enter Import Password:

MAC verified OK

[root@localhost nginx]#

 

Add HTTPS Certificate

Under [App Security] - [Cert Management], click Add, then enter the certificate name, public key, and private key information, as shown in Figure 18.

Figure 18: Adding an HTTPS Certificate

 

Add HTTPS Domain Forwarding Rule

Navigate to [App Security] - [WEB Protection], click "Add," and fill in the details as shown in Figure 19 below.

Figure 19: Adding an HTTPS Domain Forwarding Rule

 

The figure above defines an HTTPS domain forwarding rule, explained as follows:

Table 5 Explanation of Rule Content

Name | Function Description
Protected Domain | A second-level domain can be added, such as www.example.cn; *.* can be added to match all domains.
Access Method | Select Transparent Mode.
Protocol | Select HTTPS, Port: 443.
HTTPS Certificate | Select the previously added HTTPS certificate named test.
Back-to-Origin Method | Select HTTPS.
Origin Server IP and Port | IP: 172.212.6.101, Port: 443.

 

·     For Windows clients, modify the hosts file manually: edit C:\Windows\System32\drivers\etc

·     Add the entry 172.212.6.101 www.example.com and save the file.

·     For Linux clients, modify the hosts file manually: vi /etc/hosts

·     Add the entry 172.212.6.101 www.example.com and save the file.

Configuration Verification

Client-side local hosts file domain binding

The client binds the domain name www.example.com to the IP address 172.212.6.101 via the local hosts file.

Ping www.example.com from the client to confirm that the server IP 172.212.6.101 is displayed correctly.

C:\Users\Administrator>ping www.example.com

 

Pinging www.example.com [172.212.6.101] with 32 bytes of data:

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

 

Ping statistics for 172.212.6.101:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milliseconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

 

·     If the client can already resolve the domain name through a DNS server, the hosts file binding step (step a) can be skipped.

 

 

Access via browser:

Open https://www.example.com in a browser; the website content is displayed normally, as shown in Figure 20.

Figure 20: Website content display

 

Check Domain Status

Navigate to [App Security] - [Domain Status]. There is a request record for the domain www.example.com, as shown in Figure 21.

Figure 21 Domain Status Record

 

Website Protection

Navigate to [App Security] - [WEB Protection], locate the rule for the domain www.example.com, and click [Protection Rule Config], as shown in Figure 22.

Figure 22: Protection Rule Configuration

 

Click the [Add] button to display the rule content, as shown in Figure 23.

Figure 23: Custom Rule Page


 

Table 6 Description of Protection Rule Content

Name | Description
Rule Name | Chinese characters, numbers, letters, underscores, and hyphens are supported.
Sub-rule Relationship | "AND" or "OR", single selection.
Sub-rule | Dropdown list: Method, URL, Source IP, Referer, User-Agent, Content-Length, Host, HTTP Code, HTTP Version.
Logical Relationship | Dropdown list: Equal, Not Equal, Contains, Not Contains.
Value | Set via dropdown options or an input field.
Action | Dropdown list: Rate Limiting, Block, Block and Blacklist, Allow, Allow and Trust.
Blacklist Duration | The duration for which the client IP that triggered the rule is blacklisted.
Trust Duration | The duration for which the client IP that triggered the rule is trusted.

·     Each domain can have up to 10 protection rules.

·     Each protection rule can include up to 10 sub-rules.

 

Series Mode Reverse Proxy Configuration

The series mode reverse proxy is primarily designed to provide HTTP (HTTPS) CC protection services for web applications that are not covered by AFC protection. The AFC device is connected in series to the current network, where it configures an idle internal IP address as both the forwarding address and the origin-pulling address. Users resolve their domain names to the forwarding address. When clients access the domain, they are actually directed to the forwarding address. The AFC device communicates with the web origin server via the origin-pulling address to retrieve web content and then returns it to the client through the forwarding address. This setup effectively hides the information of the origin server, thereby enhancing security.

Network Configuration Requirements

This configuration takes a series-connected networking setup as an example. For detailed instructions, please refer to the "AFC Series Deployment Mode Configuration Example."

As shown in Figure 24, the client accesses the network through R1 to reach the protected host at 172.212.6.X, and the client traffic passes through the series-deployed AFC device. After a domain name forwarding rule is added, a client request for the domain name is answered by the AFC: it communicates with the origin server via the origin-pulling address to retrieve the web content and returns it to the client through the forwarding address.

 

Figure 24: Configuration and networking diagram of AFC series deployment mode

 

The specific implementation is as follows:

·     Interface Connection: The AFC's Inline Upstream Interface XGE2/0 is connected in series to the upstream switch, while the AFC's Inline Downstream Interface XGE2/1 is connected in series to the downstream switch.

·     Host Traffic Cleaning: The global module policy performs real-time filtering and detection of host traffic, while the application security module provides protection for configured domains.

Table 7 VLAN Allocation List

VLAN ID | Function Description | IP Address
1711 | Core switch interface connected in series to the Inline Upstream Interface of the AFC | 171.0.1.1/24
1711 | Interconnection address between the lower-layer switch and the core switch | 171.0.1.2/24
1711 | Gateway address of the lower-layer network | 172.212.0.1/16

 

Table 8 AFC Interface IP Allocation List

Interface | Function Description | IP Address
XGE2/0 | Inline Upstream Interface. In series mode, no address is required; if one is configured, it must not conflict with the network address. | (none)
XGE2/1 | Inline Downstream Interface. In series mode, no address is required; if one is configured, it must not conflict with the network address. | (none)
GE0/0 | AFC management port | 192.168.0.1/24

 

Table 9 Web Server Configuration List

IP Address | Domain | Port
172.213.6.102 | www.example.cn | http 80
172.213.6.102 | www.example.cn | https 443

 

Note: The AFC interface names depend on the specific device model and are given here only for reference. For the function of each interface, refer to the documentation of the specific model and use the interfaces according to their default functions. Do not change the interface functions on your own.

 

Configuration Approach

To achieve the single-channel mode configuration for AFC series deployment, follow the configuration approach outlined below:

Core Switch R2 Basic Network Configuration

Configure the XG1/0/17 interface of core switch R2 to enable interconnection with the XG1/0/17 interface of the downstream switch R3.

Downstream Switch R3 Basic Network Configuration

Configure the XG1/0/17 interface of downstream switch R3 to enable interconnection with the XG1/0/17 interface of core switch R2.

AFC Basic Network Configuration

Configure the AFC network ports: set XGE2/0 as the Inline Upstream Interface and XGE2/1 as the Inline Downstream Interface. After binding them, ensure interconnectivity between the upstream and downstream switches.

Application Security Configuration

Configure the forwarding address and origin-returning address, set up virtual routing, and add a certificate for HTTPS mode. Define domain name forwarding rules by binding the domain name to the forwarding address. Clients access the forwarding address via the domain name, while the AFC communicates with the external web server through the origin-returning address to retrieve web information. The website information is then forwarded to the client via the forwarding address.

Configuration Steps

Configure the basic network on the core switch R2

Create VLAN 1711, which corresponds to the 171.0.1.0/24 subnet, to ensure that it is in the same subnet as the downstream terminal devices and serves as the gateway for these devices.

# Create VLAN

[R2]vlan 1711

[R2]quit

# Configure VLAN IP

[R2]interface Vlan-interface1711

[R2-Vlan-interface1711]ip address 171.0.1.1 255.255.255.0

[R2-Vlan-interface1711]quit

[R2]interface XGigabitEthernet1/0/17

[R2-XGigabitEthernet1/0/17]port link-mode bridge

[R2-XGigabitEthernet1/0/17]port access vlan 1711

[R2-XGigabitEthernet1/0/17]quit

Configure the basic network on the downstream switch R3

Create VLAN 1711 , which serves as the uplink port to connect to the upper-layer network.

# Create VLAN

[R3]vlan 1711

[R3]interface Vlan-interface1711

[R3-Vlan-interface1711]ip address 171.0.1.2 255.255.255.0

[R3-Vlan-interface1711]ip address 172.212.0.1 255.255.0.0 sub

[R3-Vlan-interface1711]quit

# Add the interface connecting the host to the switch into VLAN

[R3]interface GigabitEthernet1/0/13

# Connected to the protected host

[R3-GigabitEthernet1/0/13]port link-mode bridge

[R3-GigabitEthernet1/0/13]port access vlan 1711

[R3-GigabitEthernet1/0/13]quit

# Configure the VLAN for the interface connecting the downstream switch to the core switch

[R3]interface XGigabitEthernet1/0/17

# Connected to the upper-layer Layer 3 switch

[R3-XGigabitEthernet1/0/17]port link-mode bridge

[R3-XGigabitEthernet1/0/17]port access vlan 1711

[R3-XGigabitEthernet1/0/17]quit

If the upper and lower layer switches are unmanaged switches, there is no need to configure VLANs; simply ensure there are no loops.

 

 

Basic Network Configuration for AFC Equipment

To achieve transparent deployment of a single AFC device in series, follow the configuration steps below:

Log in to the AFC System Page

Access the login page via browser: https://192.168.0.1. Use the username "admin" and password "admin," as shown in Figure 25.

Figure 25: Log in to the AFC System Page

 

AFC Address and Port Type Configuration

Navigate to [System] > [Device] > [Device Manage], click [Setup] on the right side of the device, and select [Port Settings] in the left navigation bar. Click the [Modify] button to configure GE0/0 as the management port, setting the management address, subnet mask, and gateway. Set XGE2/0 as the Inline Upstream Interface and XGE2/1 as the Inline Downstream Interface, and bind the two data ports to each other, as shown in Figure 26.

 

Figure 26 Port Settings

 

Click [Apply Configuration] to make the settings take effect.

After enabling application security, all service ports in the network port configuration must be of the same type. Serial and bypass configurations cannot be used simultaneously.

Configuration Verification

Verify that communication between the client and the traffic redirection server is normal.

Use ping from the client to test whether the route to the protected IP is reachable.

 

C:\Users\Administrator>ping 172.212.6.101

Pinging 172.212.6.101 with 32 bytes of data:

Reply from 172.212.6.101: bytes=32 time=11ms TTL=124

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

 

Ping statistics for 172.212.6.101:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milliseconds:

Minimum = 0ms, Maximum = 11ms, Average = 2ms

 

Application Security Configuration Steps

Configure IP Pool

Navigate to [App Security] - [IP Pool Management], click Add, and fill in the information as shown in Figures 27 and 28 below.

Figure 27: Add Forwarding Address

 

Figure 28: Add the origin-pull address

 

Table 10 Description of Address Pool

Name | Function Description
Forwarding Address | The website protection address in reverse proxy mode. This IP is an idle address within the AFC protection range.
Origin-Pulling Address | The address used for communication between the AFC and the web origin server. This IP is an idle address within the AFC protection range.
Protocol | Select HTTP, Port: 80.
Vlan ID | This test environment has no VLAN; keep the default of 0.

 

 

·     Both the forwarding IP and the origin-returning IP are mandatory fields, and their IP ranges must not overlap.

 

Configure Virtual Routing

Methods to Obtain MAC Address

Query via Switch

Log in to switch R2 and use the command to query the MAC address of VLAN 1711:

 

[R2]dis int Vlan-interface 1711

Vlan-interface1711

Current state: UP

Line protocol state: UP

Description: Vlan-interface1711 Interface

Bandwidth: 100000000 kbps

Maximum transmission unit: 1500

Internet address: 171.0.1.1/24 (primary)

IP packet frame type: Ethernet II, hardware address: e868-1965-f78e

IPv6 packet frame type: Ethernet II, hardware address: e868-1965-f78e

Last clearing of counters: Never

Input (total):  0 packets, 0 bytes

Output (total):  0 packets, 0 bytes

 

AFC Device Packet Capture

From the client, execute the command ping 172.172.69.12 -t to continuously ping the server behind the AFC.

Log in to the AFC management page, navigate to [Global Status] > [Server List], and initiate packet capture for the server 172.172.69.12 as shown in Figure 29.

Figure 29: Starting Packet Capture

 

After packet capturing, click "Stop" as shown in Figure 30.

Figure 30 Stop Catch

 

In the packet capture record, select the captured packets and click "Start," as shown in Figure 31.

Figure 31 Analyze Data Packets

 

After the analysis is completed, click "View" as shown in Figure 32.

Figure 32 View Data Packets

 

In the record analysis list, select the record with source IP: 172.213.9.103, click Analyze, as shown in Figure 33.

Figure 33 Analyze Data

 

Check the Source MAC address, as shown in Figure 34.

Figure 34 Check the MAC address

 

Configure Virtual Routing

Under [App Security] - [Virtual Routing], select Layer 2 mode and configure the peer MAC address of the external network interface, as shown in Figure 35.

Figure 35 Configure Virtual Routing

 

HTTP Domain Forwarding Rules

Add HTTP Domain Forwarding Rule

Navigate to [App Security] - [WEB Protection], click "Add," and fill in the details as shown in Figure 36.

Figure 36: Add HTTP domain forwarding rule

 

The figure above defines an HTTP domain forwarding rule, explained as follows:

Table 11 Domain Rule Explanation

Name | Function Description
Protected Domain | A second-level domain can be added, such as www.example.cn; *.* can be added to match all domains.
Access Method | Select Reverse Proxy.
Protected IP | Forwarding address from the address pool: 172.212.6.2.
Protocol | HTTP, Port: 80.
X-Forwarded-For | Used in reverse proxy mode so that the web server can obtain the client's address.
Back-to-Origin Method | Select HTTP.
Origin Server IP and Port | IP: 172.213.6.102, Port: 80.

 

·     For Windows clients, modify the hosts file manually: edit C:\Windows\System32\drivers\etc

·     Add the entry 172.212.6.101 www.example.com, as shown in Figure 38.

Figure 38: Domain Request Record

 

Resolution Takes Effect

After validation is passed, log in to the DNS registrar website where the domain is registered and configure the domain to resolve to the "Forwarding IP" corresponding to the rule.

If the origin server has IP access restrictions, all addresses of the "Origin-Pulling IP" must be added to the website's trusted whitelist.
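As an added example (not part of the H3C document), the following POSIX shell function audits an origin server's access log after the site has been moved behind the AFC reverse proxy: every request should arrive from the origin-pulling address, and the client address carried in X-Forwarded-For should be trusted only on those requests, since any other sender can forge the header. The log format is constructed for this example, the origin-pulling address 172.212.6.3 is an assumption (the document does not state which pool address it used), and the function name is our own.

```shell
#!/bin/sh
# Added example, not part of the H3C document: audit an origin web server's
# access log once the site is behind the AFC reverse proxy. With the domain
# resolving to the forwarding address, legitimate requests reach the origin
# only from the AFC origin-pulling address; anything else arrived directly
# and bypassed protection. X-Forwarded-For is trusted only on requests from
# that address, because any other sender can forge the header.
# Assumed (constructed) log line format:
#   <remote_addr> <method> <path> <status> "<X-Forwarded-For or ->"
# The origin-pulling address used below, 172.212.6.3, is an assumption; the
# document does not state which pool address was assigned.

# audit_origin_log <logfile> <origin_pulling_ip>
# Prints one line per request and returns 1 if any request bypassed the AFC.
audit_origin_log() {
    awk -v trusted="$2" '
        {
            remote = $1; path = $3
            # XFF is the quoted last field and may contain ", "-separated hops
            xff = "-"
            if (match($0, /"[^"]*"/)) xff = substr($0, RSTART + 1, RLENGTH - 2)
            if (remote == trusted) {
                # proxied by the AFC: the first XFF hop is the real client
                n = split(xff, hops, /, */)
                client = (n == 0 || hops[1] == "-") ? "unknown" : hops[1]
                print "PROXIED client=" client " path=" path
            } else {
                # did not pass through the AFC: the origin address has leaked
                # or the origin still accepts traffic from arbitrary sources
                direct++
                print "DIRECT  remote=" remote " path=" path
            }
        }
        END { if (direct > 0) exit 1 }
    ' "$1"
}

if [ $# -eq 2 ]; then
    audit_origin_log "$1" "$2"
fi
```

Run it as `sh audit_origin_log.sh access.log 172.212.6.3`; a non-zero exit means at least one request reached the origin without passing through the AFC, which is exactly the case the whitelist advice above is meant to prevent.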

 

Configure HTTPS Domain Forwarding Rules

Obtain an HTTPS Certificate

Methods to Obtain the Certificate

·     For certificates in .crt (public key) and .key (private key) formats:

You can directly open them with a file editor, copy the content, and paste it into the corresponding input fields on the certificate addition page.

The public key content is shown in Figure 39.

 

Figure 39 Public Key Information

 

The private key content is shown in Figure 40.

Figure 40: Private Key Information

 

A certificate whose private key is encrypted (password protected) cannot be added directly. Decrypt the private key before adding it.

·     Obtaining Public and Private Keys from a PEM Format Certificate

Some PEM format certificates contain both the public and private keys together. You need to open the certificate with an editor, then copy the respective content into the input fields on the certificate addition page, as shown in Figure 41.

Figure 41: Obtaining Public Key and Private Key from PEM Certificate

 

·     Extracting public and private keys from a PFX-format certificate

This type of certificate cannot be opened directly. It needs to be converted into a recognizable format such as PEM using commands before the keys can be copied.

[root@localhost nginx]# openssl pkcs12 -in tmm-server.pfx -nodes -out server111.pem

Enter Import Password:

MAC verified OK

[root@localhost nginx]#
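As an added example (not part of the H3C document), the following POSIX shell script automates the certificate preparation described in this subsection and in the identical subsection of the transparent-mode example above: it converts a PFX bundle with the same openssl pkcs12 -nodes command the document shows, splits a combined PEM file into the certificate and private-key blocks that the Cert Management page expects, decrypts a password-protected private key (the "encrypted certificate" case that cannot be added), and checks that the key actually belongs to the certificate before you paste them. The script, function and output file names are our own, separate .crt/.key files should be concatenated into one PEM file first, and the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not part of the H3C document: prepare certificate material
# for the AFC [App Security] - [Cert Management] page, which expects the
# certificate (public key) and an UNENCRYPTED private key as two PEM blocks.
# Usage: sh afc_prepare_cert.sh <input.pfx|input.pem> <outdir> [password]
# Writes <outdir>/server.crt and <outdir>/server.key. Script, function and
# file names are our own; the openssl CLI is required.

# Split a combined PEM file ($1) into a certificate file ($2) and a private
# key file ($3). "Bag Attributes" and other text outside BEGIN/END blocks is
# dropped. Returns 1 if either block is missing.
pem_split() {
    rm -f "$2" "$3"
    awk -v crt="$2" -v key="$3" '
        /^-----BEGIN .*CERTIFICATE-----/ { out = crt }
        /^-----BEGIN .*PRIVATE KEY-----/ { out = key }
        out != "" { print > out }
        /^-----END / { out = "" }
    ' "$1"
    [ -s "$2" ] && [ -s "$3" ]
}

# True (0) if the key in $1 is password protected: PKCS#8 "ENCRYPTED PRIVATE
# KEY" or the traditional "Proc-Type: 4,ENCRYPTED" header. Such a key is
# what the document calls an encrypted certificate that cannot be added.
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Rewrite the encrypted key $1 as the plain PEM key $2 using password $3.
key_decrypt() {
    openssl pkey -in "$1" -passin "pass:$3" -out "$2"
}

# True (0) if the public key inside certificate $1 equals the public key
# derived from private key $2. A mismatch is the usual reason a pasted
# certificate/key pair is rejected or fails the TLS handshake later.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Convert a PKCS#12 bundle $1 (password $3) to PEM file $2 with the key left
# unencrypted, the same openssl pkcs12 -nodes command the document shows.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$3" -nodes -out "$2"
}

# Driver: accepts a .pfx/.p12 bundle or a PEM file holding both blocks.
afc_prepare_cert() {
    src=$1; outdir=$2; pw=${3:-}
    mkdir -p "$outdir" || return 1
    case "$src" in
        *.pfx|*.p12)
            pfx_to_pem "$src" "$outdir/bundle.pem" "$pw" || return 1
            src=$outdir/bundle.pem ;;
    esac
    pem_split "$src" "$outdir/server.crt" "$outdir/server.key" || {
        echo "no certificate or private key block found in $src" >&2; return 1; }
    if key_is_encrypted "$outdir/server.key"; then
        key_decrypt "$outdir/server.key" "$outdir/server.key.tmp" "$pw" || return 1
        mv "$outdir/server.key.tmp" "$outdir/server.key"
    fi
    key_matches_cert "$outdir/server.crt" "$outdir/server.key" || {
        echo "private key does not belong to the certificate" >&2; return 1; }
    echo "paste $outdir/server.crt as the public key and $outdir/server.key as the private key"
}

if [ $# -ge 2 ]; then
    afc_prepare_cert "$@"
fi
```

The decrypted server.key is plaintext key material: keep the output directory restricted to the administrator and delete it once the pair has been added on the AFC.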

 

Add HTTPS Certificate

Under [App Security] - [Cert Management], click Add, then enter the certificate name, public key, and private key information, as shown in Figure 42.

Figure 42: Adding an HTTPS Certificate

 

Add HTTPS Domain Forwarding Rule

Navigate to [App Security] - [WEB Protection], click "Add," and fill in the details as shown in Figure 43 below.

Figure 43: Adding an HTTPS Domain Forwarding Rule

 

The figure above defines an HTTPS domain forwarding rule, explained as follows:

Table 12 Explanation of Rule Content

Name | Function Description
Protected Domain | A second-level domain can be added, such as www.example.cn; *.* can be added to match all domains.
Access Method | Select Reverse Proxy.
Protected IP | Forwarding address from the address pool: 172.212.6.2.
Protocol | HTTPS, Port: 443.
HTTPS Certificate | Select the previously added HTTPS certificate "test".
X-Forwarded-For | Used in reverse proxy mode so that the web server can obtain the client's address.
Back-to-Origin Method | Select HTTPS.
Origin Server IP and Port | IP: 172.213.6.102, Port: 443.

·     For Windows clients, the manual method to modify the hosts file: Edit C:\Windows\System32\drivers\etc

·     Add the entry: 172.212.6.2 www.example.cn and save the configuration

·     For Linux clients, the manual method to modify the hosts file: vi /etc/hosts

·      Add the entry: 172.212.6.2 www.example.cn and save the configuration

 

Configuration Verification

Client-side local hosts file domain binding

The client binds the domain name www.example.cn to the IP address 172.212.6.2 via the local hosts file.

Ping www.example.cn from the client to confirm that the server IP 172.212.6.2 is displayed correctly.

C:\Users\Administrator>ping www.example.cn

Pinging www.example.cn [172.212.6.2] with 32 bytes of data:
Reply from 172.212.6.2: bytes=32 time=1ms TTL=62
Reply from 172.212.6.2: bytes=32 time<1ms TTL=62
Reply from 172.212.6.2: bytes=32 time<1ms TTL=62
Reply from 172.212.6.2: bytes=32 time<1ms TTL=62

Ping statistics for 172.212.6.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

·     If the client can already resolve the domain name through a DNS server, the hosts file binding step above can be skipped.

Access via browser

Accessing https://www.example.cn in a browser displays the website content normally, as shown in Figure 44.

Figure 44: Website content display

Check Domain Status

Navigate to [App Security] - [Domain Status]. A request record exists for the domain www.example.cn. Click Protection rule config, as shown in Figure 46.

Figure 46: Protection rule config

Click the [Add] button to display the rule content, as shown in Figure 47.

Figure 47: Custom Rule Page

Table 13 Description of Protection Rule Content

Name | Description
Rule Name | Chinese characters, digits, letters, underscores, and hyphens are supported.
Sub-rule Relationship | "AND" or "OR"; single selection.
Sub-rule | Dropdown list: Method, URL, Source IP, Referer, User-Agent, Content-Length, Host, HTTP Code, HTTP Version.
Logical Relationship | Dropdown list: Equal, Not Equal, Contains, Not Contains.
Value | Set via the dropdown options or the input field.
Action | Dropdown list: Rate Limiting, Block, Block and Blacklist, Allow, Allow and Trust.
Blacklist Duration | How long the triggering IP (the client address) remains blocked after the rule fires.
Trust Duration | How long the triggering IP (the client address) remains trusted after the rule fires.

·     Each domain can have up to 10 protection rules.

·     Each protection rule can include up to 10 sub-rules.

Transparent Forwarding Configuration in Series VLAN Scenario

In transparent forwarding mode, the AFC device is inserted in series into the existing network transparently, and all server traffic passes through the AFC device.

Network Deployment Requirements

To protect the website with the protected IP 172.212.6.X from attacks, the AFC device is deployed in-line within the customer's network. The AFC's Inline Upstream Interface connects to the upstream switch, and its Inline Downstream Interface connects to the downstream switch. The AFC inspects and filters the received mixed traffic before forwarding it to the downstream network. The network deployment is illustrated in Figure 48.

Figure 48: Configuration and Networking Diagram of AFC Series Deployment Mode

The specific implementation is as follows:

·     Interface Connection: The AFC's Inline Upstream Interface XGE2/0 is connected in series to the upstream switch, and the AFC's Inline Downstream Interface XGE2/1 is connected in series to the downstream switch.

·     Host Traffic Cleaning: The global module policy continuously filters and inspects host traffic, while the application security module protects the configured domains.

Table 14 VLAN Allocation List

VLAN ID | Function Description | IP Address
1711 | Core switch interface connected in series to the Inline Upstream Interface of the AFC | 171.0.1.1/24
1711 | Interconnection address of the lower-layer switch toward the core switch | 171.0.1.2/24
1711 | Gateway address of the lower-layer network | 172.212.0.1/16

Table 15: AFC Interface IP Allocation List

Interface | Function Description | IP Address
XGE2/0 | Inline Upstream Interface. In series mode, no IP configuration is required; if one is configured, it must not conflict with a network address. | -
XGE2/1 | Inline Downstream Interface. In series mode, no IP configuration is required; if one is configured, it must not conflict with a network address. | -
GE0/0 | AFC management interface | 192.168.0.1/24

Table 16 Protected Server Configuration List

IP Address | Domain | Port
172.212.6.101 | www.example.com | http 80
172.212.6.101 | www.example.com | https 443

AFC interface names depend on the specific device model and are given here only for reference. For the function of each interface, refer to the specific device model and use the interfaces according to their default functions; do not change them on your own.

Configuration Approach

To implement the AFC series deployment mode configuration, follow the steps below:

Core Switch R2 Basic Network Configuration

Configure the XG1/0/17 interface of core switch R2 to enable interconnection with the XG1/0/17 interface of the downstream switch R3.

Downstream Switch R3 Basic Network Configuration

Configure the XG1/0/17 interface of downstream switch R3 to enable interconnection with the XG1/0/17 interface of core switch R2.

AFC Basic Network Configuration

Configure the AFC network ports: set XGE2/0 as the Inline Upstream Interface and XGE2/1 as the Inline Downstream Interface. After binding them, ensure interconnectivity between the upstream and downstream switches.

Application Security Configuration

Configure domain name forwarding rules and virtual routing. For HTTPS mode, add a certificate. After setting up the domain name forwarding rules, ensure that domain name requests can pass through the application security module for monitoring and protection.

 

Configuration Steps

Configure the basic network on the core switch R2

Create VLAN 1711 with the IP address segment 171.0.1.0/24. This VLAN places the core switch in the same network segment as the downstream terminal devices and serves as their gateway.

# Create VLAN
[R2]vlan 1711
[R2]quit
# Configure VLAN IP
[R2]interface Vlan-interface1711
[R2-Vlan-interface1711]ip address 171.0.1.1 255.255.255.0
[R2-Vlan-interface1711]quit
# Configure the interface facing the downstream switch as a trunk carrying VLAN 1711 only
[R2]interface XGigabitEthernet1/0/17
[R2-XGigabitEthernet1/0/17]port link-mode bridge
[R2-XGigabitEthernet1/0/17]port link-type trunk
[R2-XGigabitEthernet1/0/17]undo port trunk permit vlan 1
[R2-XGigabitEthernet1/0/17]port trunk permit vlan 1711
[R2-XGigabitEthernet1/0/17]quit

Configure the basic network on the downstream switch R3

Create VLAN 1711, which serves as the uplink to the upper-layer network.

# Create VLAN
[R3]vlan 1711
[R3]interface Vlan-interface1711
[R3-Vlan-interface1711]ip address 171.0.1.2 255.255.255.0
[R3-Vlan-interface1711]ip address 172.212.0.1 255.255.0.0 sub
[R3-Vlan-interface1711]quit
# Add the interface connecting the switch to the host to VLAN 1711
[R3]interface GigabitEthernet1/0/13
# Connected to the protected host
[R3-GigabitEthernet1/0/13]port link-mode bridge
[R3-GigabitEthernet1/0/13]port access vlan 1711
[R3-GigabitEthernet1/0/13]quit
# Configure the VLAN for the interface connecting the downstream switch to the core switch
[R3]interface XGigabitEthernet1/0/17
# Connected to the upstream Layer 3 switch
[R3-XGigabitEthernet1/0/17]port link-mode bridge
[R3-XGigabitEthernet1/0/17]port link-type trunk
[R3-XGigabitEthernet1/0/17]undo port trunk permit vlan 1
[R3-XGigabitEthernet1/0/17]port trunk permit vlan 1711
[R3-XGigabitEthernet1/0/17]quit

Basic Network Configuration for AFC Equipment

To deploy a single AFC device transparently in series, follow the configuration steps below:

Log in to the AFC System Page

Open the login page in a browser: https://192.168.0.1. Use the username "admin" and password "admin", as shown in Figure 49.

Figure 49: Log in to the AFC System Page

AFC Address and Port Type Configuration

Navigate to [System] > [Device] > [Device Manage], click [Setup] on the right side of the device, and select [Port Settings] in the left navigation bar. Click the [Modify] button, configure GE0/0 as the management port, and set the management address, subnet mask, and gateway. Set XGE2/0 as the Inline Upstream Interface and XGE2/1 as the Inline Downstream Interface, and bind the two data ports to each other, as shown in Figure 50.

Figure 50 Port Settings

Click [Apply Configuration] to make the settings take effect.

After application security is enabled, all service ports in the port configuration must be of the same type: series and bypass configurations cannot be mixed.

Configuration Verification

Verify that communication between the client and the traffic redirection server is normal.

Test with ping whether the route between the client and the protected IP is up:

C:\Users\Administrator>ping 172.212.6.101

Pinging 172.212.6.101 with 32 bytes of data:
Reply from 172.212.6.101: bytes=32 time=11ms TTL=124
Reply from 172.212.6.101: bytes=32 time<1ms TTL=124
Reply from 172.212.6.101: bytes=32 time<1ms TTL=124
Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

Ping statistics for 172.212.6.101:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 11ms, Average = 2ms

Application Security Configuration Steps

Configure Virtual Routing

Methods to Obtain MAC Address

Query via Switch

Log in to switch R2 and query the MAC address of VLAN-interface 1711 with the following command:

[R2]dis int Vlan-interface 1711
Vlan-interface1711
Current state: UP
Line protocol state: UP
Description: Vlan-interface1711 Interface
Bandwidth: 100000000 kbps
Maximum transmission unit: 1500
Internet address: 171.0.1.1/24 (primary)
IP packet frame type: Ethernet II, hardware address: e868-1965-f78e
IPv6 packet frame type: Ethernet II, hardware address:
Last clearing of counters: Never
Input (total):  0 packets, 0 bytes
Output (total):  0 packets, 0 bytes

AFC Device Packet Capture

From the client, run ping 172.172.69.12 -t to ping the protected server behind the AFC continuously.

Log in to the AFC management page, navigate to [Global Status] > [Server List], and start packet capture for the server 172.172.69.12, as shown in Figure 51.

Figure 51: Starting Packet Capture

When enough packets have been captured, click "Stop", as shown in Figure 52.

Figure 52 Stop Catch

In the packet capture record, select the captured packets and click "Start", as shown in Figure 53.

Figure 53 Analyze Data Packets

After the analysis is completed, click "View", as shown in Figure 54.

Figure 54 View Data Packets

In the record analysis list, select the record with source IP 172.213.9.106 and click Analyze, as shown in Figure 55.

Figure 55 Analyze Data

Check the Source MAC address, as shown in Figure 56.

Figure 56 Check the MAC address

Configure Virtual Routing

Under [App Security] - [Virtual Routing], select Layer 2 mode and configure the peer MAC address of the external network interface, as shown in Figure 57.

Figure 57 Configure Virtual Routing

 

HTTP Domain Forwarding Rules

Add HTTP Domain Forwarding Rule

Navigate to [App Security] - [WEB Protection], click "Add," and fill in the details as shown in Figure 58.

Figure 58: Add HTTP domain forwarding rule

The figure above defines an HTTP domain forwarding rule, with the following explanation:

Table 17 Domain Rule Explanation

Name | Function Description
Protected Domain | Add a second-level domain such as www.example.cn, or *.* to match all domains.
Access Method | Select Transparent Forwarding.
Protocol | HTTP, port 80.
Origin-Pull Method | Select HTTP.
Origin Server IP and Port | IP 172.212.6.101, port 80.

·     Windows clients (manual hosts file edit): open C:\Windows\System32\drivers\etc\hosts, add the entry 172.212.6.101 www.example.com, and save the file.

·     Linux clients (manual hosts file edit): run vi /etc/hosts, add the entry 172.212.6.101 www.example.com, and save the file.

Configuration Verification

Client-side local hosts file domain binding

The client binds the domain name www.example.com to the IP address 172.212.6.101 via the local hosts file.

Ping www.example.com from the client to confirm that the server IP 172.212.6.101 is displayed correctly.

C:\Users\Administrator>ping www.example.com

Pinging www.example.com [172.212.6.101] with 32 bytes of data:
Reply from 172.212.6.105: bytes=32 time<1ms TTL=124
Reply from 172.212.6.105: bytes=32 time<1ms TTL=124
Reply from 172.212.6.105: bytes=32 time<1ms TTL=124
Reply from 172.212.6.105: bytes=32 time<1ms TTL=124

Ping statistics for 172.212.6.105:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

·     If the client can already resolve the domain name through a DNS server, the hosts file binding step above can be skipped.

Access via browser

Accessing http://www.example.com in a browser displays the website content normally, as shown in Figure 59.

Figure 59 Website content display

Check Domain Status

Navigate to [App Security] - [Domain Status]. A request record exists for the domain www.example.com, as shown in Figure 60.

Figure 60: Domain Request Record

Configure HTTPS Domain Forwarding Rules

Obtain an HTTPS Certificate

Methods to Obtain the Certificate

·     For certificates in .crt (public key) and .key (private key) formats:

Open each file in a text editor, copy its content, and paste it into the corresponding input field on the certificate addition page.

The public key content is shown in Figure 61.

Figure 61 Public Key Information

The private key content is shown in Figure 62.

Figure 62: Private Key Information

An encrypted certificate file cannot be added as-is; decrypt it before adding it.

·     Obtaining public and private keys from a PEM format certificate

Some PEM format certificates contain both the public and private keys in one file. Open the certificate with an editor and copy each part into the corresponding input field on the certificate addition page, as shown in Figure 63.

Figure 63: Obtaining Public Key and Private Key from PEM Certificate

·     Extracting public and private keys from a PFX-format certificate

A PFX file must first be converted with a command into a readable format such as PEM before the keys can be copied:

[root@localhost nginx]# openssl pkcs12 -in tmm-server.pfx -nodes -out server111.pem
Enter Import Password:
MAC verified OK
[root@localhost nginx]#

Add HTTPS Certificate

Under [App Security] - [Cert Management], click Add, then enter the certificate name, public key, and private key information, as shown in Figure 64.

Figure 64: Adding an HTTPS Certificate

Add HTTPS Domain Forwarding Rule

Navigate to [App Security] - [WEB Protection], click "Add," and fill in the details as shown in Figure 65 below.

Figure 65: Adding an HTTPS Domain Forwarding Rule

The figure above defines an HTTPS domain forwarding rule, with the content explained as follows:

Table 18 Explanation of Rule Content

Name | Function Description
Protected Domain | Add a second-level domain such as www.example.cn, or *.* to match all domains.
Access Method | Select Transparent Mode.
Protocol | Select HTTPS, port 443.
HTTPS Certificate | Select the previously added HTTPS certificate named "test".
Origin-Pull Method | Select HTTPS.
Origin Server IP and Port | IP 172.212.6.101, port 443.

·     Windows clients (manual hosts file edit): open C:\Windows\System32\drivers\etc\hosts, add the entry 172.212.6.101 www.example.com, and save the file.

·     Linux clients (manual hosts file edit): run vi /etc/hosts, add the entry 172.212.6.101 www.example.com, and save the file.

Configuration Verification

Client-side local hosts file domain binding

The client binds the domain name www.example.com to the IP address 172.212.6.101 via the local hosts file.

Ping www.example.com from the client to confirm that the server IP 172.212.6.101 is displayed correctly.

C:\Users\Administrator>ping www.example.com

Pinging www.example.com [172.212.6.101] with 32 bytes of data:
Reply from 172.212.6.101: bytes=32 time<1ms TTL=124
Reply from 172.212.6.101: bytes=32 time<1ms TTL=124
Reply from 172.212.6.101: bytes=32 time<1ms TTL=124
Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

Ping statistics for 172.212.6.101:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

·     If the client can already resolve the domain name through a DNS server, the hosts file binding step above can be skipped.

Access via browser

Accessing https://www.example.com in a browser displays the website content normally, as shown in Figure 66.

Figure 66: Website content display

Check Domain Status

Navigate to [App Security] - [Domain Status]. A request record exists for the domain www.example.com, as shown in Figure 67.

Figure 67 Domain Status Record

Website Protection

Navigate to [App Security] - [WEB Protection], locate the rule for the domain www.example.com, and click Protection Rule Configuration, as shown in Figure 68.

Figure 68: Protection Rule Configuration

Click the [Add] button to display the rule content, as shown in Figure 69.

Figure 69: Custom Rule Page

Table 19 Description of Protection Rule Content

Name | Description
Rule Name | Chinese characters, digits, letters, underscores, and hyphens are supported.
Sub-rule Relationship | "AND" or "OR"; single selection.
Sub-rule | Dropdown list: Method, URL, Source IP, Referer, User-Agent, Content-Length, Host, HTTP Code, HTTP Version.
Logical Relationship | Dropdown list: Equal, Not Equal, Contains, Not Contains.
Value | Set via the dropdown options or the input field.
Action | Dropdown list: Rate Limiting, Block, Block and Blacklist, Allow, Allow and Trust.
Blacklist Duration | How long the triggering IP (the client address) remains blocked after the rule fires.
Trust Duration | How long the triggering IP (the client address) remains trusted after the rule fires.

·     Each domain can have up to 10 protection rules.

·      Each protection rule can include up to 10 sub-rules.
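To make the rule semantics of Tables 13 and 19 above concrete (sub-rules combined with AND or OR, the four logical relationships, the five actions, the blacklist and trust durations, and the 10-rule and 10-sub-rule limits), the following Python model is an added example and not H3C code. Field, operator and action names are the tables' own; the transaction dictionary, sample rules and client addresses are constructed, and rule precedence and the default action for an unmatched transaction are assumptions, since the page does not state them.

```python
from dataclasses import dataclass
from typing import Dict, List

# Vocabulary taken from Tables 13 and 19 of this page.
FIELDS = {"Method", "URL", "Source IP", "Referer", "User-Agent",
          "Content-Length", "Host", "HTTP Code", "HTTP Version"}
OPS = {"Equal": lambda a, v: a == v, "Not Equal": lambda a, v: a != v,   # "Logical Relationship"
       "Contains": lambda a, v: v in a, "Not Contains": lambda a, v: v not in a}
ACTIONS = {"Rate Limiting", "Block", "Block and Blacklist", "Allow", "Allow and Trust"}
MAX_RULES_PER_DOMAIN = 10      # "Each domain can have up to 10 protection rules"
MAX_SUBRULES_PER_RULE = 10     # "Each protection rule can include up to 10 sub-rules"


@dataclass
class SubRule:
    field: str   # one of FIELDS
    op: str      # one of OPS
    value: str   # the "Value" column

    def matches(self, tx: Dict[str, str]) -> bool:
        # A field absent from the transaction compares as the empty string (assumption).
        return OPS[self.op](tx.get(self.field, ""), self.value)


@dataclass
class Rule:
    name: str
    relation: str               # "AND" or "OR": how the sub-rules combine
    subrules: List[SubRule]
    action: str                 # one of ACTIONS
    blacklist_seconds: int = 0  # Blacklist Duration, used by "Block and Blacklist"
    trust_seconds: int = 0      # Trust Duration, used by "Allow and Trust"

    def matches(self, tx: Dict[str, str]) -> bool:
        hits = [s.matches(tx) for s in self.subrules]
        return all(hits) if self.relation == "AND" else any(hits)


class DomainProtection:
    """Rule set for one protected domain plus per-client blacklist/trust state."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.rules: List[Rule] = []
        self.blacklisted_until: Dict[str, float] = {}   # client IP -> expiry (seconds)
        self.trusted_until: Dict[str, float] = {}

    def add_rule(self, rule: Rule) -> None:
        if len(self.rules) >= MAX_RULES_PER_DOMAIN:
            raise ValueError("a domain supports at most 10 protection rules")
        if not 1 <= len(rule.subrules) <= MAX_SUBRULES_PER_RULE:
            raise ValueError("a rule needs 1 to 10 sub-rules")
        if rule.relation not in ("AND", "OR") or rule.action not in ACTIONS:
            raise ValueError("invalid sub-rule relationship or action")
        if any(s.field not in FIELDS or s.op not in OPS for s in rule.subrules):
            raise ValueError("invalid sub-rule field or logical relationship")
        self.rules.append(rule)

    def decide(self, tx: Dict[str, str], now: float) -> str:
        """Action for one transaction at time `now`. Assumptions not stated on the page:
        blacklist/trust state is checked before the rules, the first matching rule
        wins, and a transaction matching no rule is allowed."""
        ip = tx.get("Source IP", "")
        if self.blacklisted_until.get(ip, 0) > now:
            return "Block"
        if self.trusted_until.get(ip, 0) > now:
            return "Allow"
        for rule in self.rules:
            if not rule.matches(tx):
                continue
            if rule.action == "Block and Blacklist":
                self.blacklisted_until[ip] = now + rule.blacklist_seconds
                return "Block"
            if rule.action == "Allow and Trust":
                self.trusted_until[ip] = now + rule.trust_seconds
                return "Allow"
            return rule.action
        return "Allow"


def demo() -> List[str]:
    """Constructed transactions against two rules; returns the decisions in order."""
    dp = DomainProtection("www.example.com")
    dp.add_rule(Rule("block-bad-bot", "AND", [SubRule("User-Agent", "Contains", "badbot"),
                                            SubRule("Method", "Equal", "GET")],
                     "Block and Blacklist", blacklist_seconds=600))
    dp.add_rule(Rule("trust-monitor", "OR", [SubRule("Source IP", "Equal", "10.0.0.5")],
                     "Allow and Trust", trust_seconds=3600))
    bot = {"Source IP": "203.0.113.7", "Method": "GET", "URL": "/", "User-Agent": "badbot/1.0"}
    normal = {"Source IP": "203.0.113.7", "Method": "GET", "URL": "/", "User-Agent": "Mozilla/5.0"}
    monitor = {"Source IP": "10.0.0.5", "Method": "POST", "URL": "/health"}
    return [dp.decide(bot, now=0),       # rule hit -> Block, IP blacklisted for 600 s
            dp.decide(normal, now=100),  # same IP, still blacklisted -> Block
            dp.decide(normal, now=700),  # blacklist expired, no rule hit -> Allow
            dp.decide(monitor, now=0)]   # Allow and Trust
```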

 

Reverse Proxy Forwarding Configuration in Cascaded VLAN Scenario

Networking Requirements

This configuration takes a cascaded networking setup as an example. For detailed instructions, refer to the "AFC Cascaded Deployment Mode Configuration Example."

As shown in Figure 70, the client accesses the protected host at 172.212.6.X through R1, and the client traffic passes through the cascaded AFC device. Once a domain name forwarding rule has been added, a client request for that domain causes the AFC to contact the origin server via the back-to-source address to retrieve the web content, which is then returned to the client through the forwarding address.

Figure 70 Configuration Networking Diagram of AFC Series Deployment Mode

The specific implementation is as follows:

·     Interface Connection: The AFC's Inline Upstream Interface XGE2/0 is connected in series to the upstream switch, and the AFC's Inline Downstream Interface XGE2/1 is connected in series to the downstream switch.

·     Host Traffic Cleaning: The global module policy filters and inspects host traffic in real time, while the application security module protects the configured domains.

Table 20 VLAN Assignment List

VLAN ID | Function Description | IP Address
1711 | Core switch interface connected in series to the Inline Upstream Interface of the AFC | 171.0.1.1/24
1711 | Interconnection address of the lower-layer switch toward the core switch | 171.0.1.2/24
1711 | Gateway address of the lower-layer network | 172.212.0.1/16

Table 21: AFC Interface IP Allocation List

Interface | Function Description | IP Address
XGE2/0 | Inline Upstream Interface. In series mode, no IP configuration is required; if one is configured, it must not conflict with a network address. | -
XGE2/1 | Inline Downstream Interface. In series mode, no IP configuration is required; if one is configured, it must not conflict with a network address. | -
GE0/0 | AFC management interface | 192.168.0.1/24

Table 22 Web Server Configuration List

IP Address | Domain | Port
172.213.6.102 | www.example.com | http 80
172.213.6.102 | www.example.com | https 443

AFC interface names depend on the specific device model and are given here only for reference. For the function of each interface, refer to the specific device model and use the interfaces according to their default functions; do not change them on your own.

 

Configuration Approach

To implement the single-channel AFC series deployment configuration, follow the steps below:

Core Switch R2 Basic Network Configuration

Configure the XG1/0/17 interface of core switch R2 to enable interconnection with the XG1/0/17 interface of the downstream switch R3.

Downstream Switch R3 Basic Network Configuration

Configure the XG1/0/17 interface of downstream switch R3 to enable interconnection with the XG1/0/17 interface of core switch R2.

AFC Basic Network Configuration

Configure the AFC network ports: set XGE2/0 as the Inline Upstream Interface and XGE2/1 as the Inline Downstream Interface. After binding them together, ensure connectivity between the upstream and downstream switches.

Application Security Configuration

Configure the forwarding address and origin-return address, set up virtual routing, and add an SSL certificate for HTTPS mode. Define domain forwarding rules by binding the domain to the forwarding address. Clients access the forwarding address via the domain, while the AFC communicates with the external web server through the origin-return address to retrieve web information. The website data is then forwarded to the client via the forwarding address.

Configuration Steps

Configure the basic network on the core switch R2

Create VLAN 1711, which corresponds to the 171.0.1.0/24 subnet, so that the core switch is in the same subnet as the downstream terminal devices and serves as their gateway.

# Create VLAN
[R2]vlan 1711
[R2]quit
# Configure VLAN IP
[R2]interface Vlan-interface1711
[R2-Vlan-interface1711]ip address 171.0.1.1 255.255.255.0
[R2-Vlan-interface1711]quit
# Configure the interface facing the downstream switch as a trunk carrying VLAN 1711 only
[R2]interface XGigabitEthernet1/0/17
[R2-XGigabitEthernet1/0/17]port link-mode bridge
[R2-XGigabitEthernet1/0/17]port link-type trunk
[R2-XGigabitEthernet1/0/17]undo port trunk permit vlan 1
[R2-XGigabitEthernet1/0/17]port trunk permit vlan 1711
[R2-XGigabitEthernet1/0/17]quit

Configure the basic network on the downstream switch R3

Create VLAN 1711, which serves as the uplink to the upper-layer network.

# Create VLAN
[R3]vlan 1711
[R3]interface Vlan-interface1711
[R3-Vlan-interface1711]ip address 171.0.1.2 255.255.255.0
[R3-Vlan-interface1711]ip address 172.212.0.1 255.255.0.0 sub
[R3-Vlan-interface1711]quit
# Add the interface connecting the host to the switch to VLAN 1711
[R3]interface GigabitEthernet1/0/13
# Connected to the protected host
[R3-GigabitEthernet1/0/13]port link-mode bridge
[R3-GigabitEthernet1/0/13]port access vlan 1711
[R3-GigabitEthernet1/0/13]quit
# Configure the VLAN for the interface connecting the downstream switch to the core switch
[R3]interface XGigabitEthernet1/0/17
# Connected to the upper-layer Layer 3 switch
[R3-XGigabitEthernet1/0/17]port link-mode bridge
[R3-XGigabitEthernet1/0/17]port link-type trunk
[R3-XGigabitEthernet1/0/17]undo port trunk permit vlan 1
[R3-XGigabitEthernet1/0/17]port trunk permit vlan 1711
[R3-XGigabitEthernet1/0/17]quit

If the upper- and lower-layer switches are unmanaged switches, no VLAN configuration is needed; simply ensure there are no loops.

 

Basic Network Configuration for AFC Equipment

To deploy a single AFC device transparently in series, follow the configuration steps below:

Log in to the AFC system page

Open the login page in a browser: https://192.168.0.1. Use the username "admin" and password "admin", as shown in Figure 71.

Figure 71: Logging in to the AFC system page

AFC Address and Port Type Configuration

Navigate to [System] > [Device] > [Device Manage], click the [Setup] button on the right side of the device, select [Port Settings] in the left navigation bar, and click the [Modify] button. Set GE0/0 as the management port and configure the management address, subnet mask, and gateway. Configure XGE2/0 as the Inline Upstream Interface and XGE2/1 as the Inline Downstream Interface, and bind the two data ports to each other, as shown in Figure 72.

Figure 72 Port Settings

Click [Apply Configuration] to make the settings take effect.

After application security is enabled, all service ports in the port configuration must be of the same type: series and bypass configurations cannot be mixed.

Configuration Verification

Verify that communication between the client and the diversion server is normal.

Test with ping whether the route between the client and the protected IP is up:

C:\Users\Administrator>ping 172.212.6.101

Pinging 172.212.6.101 with 32 bytes of data:
Reply from 172.212.6.101: bytes=32 time=11ms TTL=124
Reply from 172.212.6.101: bytes=32 time<1ms TTL=124
Reply from 172.212.6.101: bytes=32 time<1ms TTL=124
Reply from 172.212.6.101: bytes=32 time<1ms TTL=124

Ping statistics for 172.212.6.101:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 11ms, Average = 2ms

 

Application Security Configuration Steps

Configure IP Pool

Navigate to [App Security] - [IP Pool Management], click Add, and fill in the information as shown in Figures 73 and 74 below.

Figure 73: Add Forwarding Address

Figure 74: Add the origin-pull address

Table 23 Description of Address Pool

Name | Function Description
Forwarding Address | The website protection address in reverse proxy mode. This IP is an idle address within the AFC protection range.
Origin-Pull Address | The address used for communication between the AFC and the WEB origin server. This IP is an idle address within the AFC protection range.
Protocol | Select HTTP, port 80.
VLAN ID | VLAN 1711, the VLAN ID of the switch interface connected to the Inline Upstream Interface.

·     Both the forwarding IP and the origin-pull IP are mandatory fields, and their IP ranges must not overlap.

 

Configure Virtual Routing

Methods to Obtain MAC Address

Query via Switch

Log in to switch R2 and query the MAC address of VLAN-interface 1711 with the following command:

[R2]dis int Vlan-interface 1711
Vlan-interface1711
Current state: UP
Line protocol state: UP
Description: Vlan-interface1711 Interface
Bandwidth: 100000000 kbps
Maximum transmission unit: 1500
Internet address: 171.0.1.1/24 (primary)
IP packet frame type: Ethernet II, hardware address: e868-1965-f78e
IPv6 packet frame type: Ethernet II, hardware address: e868-1965-f78e
Last clearing of counters: Never
Input (total):  0 packets, 0 bytes
Output (total):  0 packets, 0 bytes

AFC Device Packet Capture

From the client, run ping 172.172.69.12 -t to ping the protected server behind the AFC continuously.

Log in to the AFC management page, navigate to [Global Status] > [Server List], and start packet capture for the server 172.172.69.12, as shown in Figure 75.

Figure 75: Starting Packet Capture

When enough packets have been captured, click "Stop", as shown in Figure 76.

Figure 76 Stop Catch

In the packet capture record, select the captured packets and click "Start", as shown in Figure 77.

Figure 77 Analyze Data Packets

After the analysis is completed, click "View", as shown in Figure 78.

Figure 78 View Data Packets

In the record analysis list, select the record with source IP 172.213.9.103 and click Analyze, as shown in Figure 79.

Figure 79 Analyze Data

Check the Source MAC address, as shown in Figure 80.

Figure 80 Check the MAC address

Configure Virtual Routing

Under [App Security] - [Virtual Routing], select Layer 2 mode and configure the peer MAC address of the external network interface, as shown in Figure 81.

Figure 81 Configure Virtual Routing

HTTP Domain Forwarding Rules

Add HTTP Domain Forwarding Rule

Navigate to [App Security] - [WEB Protection], click "Add," and fill in the details as shown in Figure 82.

Figure 82: Add HTTP domain forwarding rule

The figure above defines an HTTP domain forwarding rule, with the following explanation:

Table 24 Domain Rule Explanation

Name | Function Description
Protected Domain | Add a second-level domain such as www.example.cn, or *.* to match all domains.
Access Method | Select Reverse Proxy.
Protected IP | Forwarding address from the address pool: 172.212.6.2.
Protocol | HTTP, port 80.
X-Forwarded-For | Used in reverse proxy mode so that the web server can obtain the client's address.
Back-to-Origin Method | Select HTTP.
Origin Server IP and Port | IP 172.213.6.102, port 80.

·     Windows clients (manual hosts file edit): open C:\Windows\System32\drivers\etc\hosts, add the entry 172.212.6.2 www.example.com, and save the file.

Accessing http://www.example.com in a browser displays the website content normally, as shown in Figure 83.

Figure 83 Website content display

Check Domain Status

Navigate to [App Security] - [Domain Status]. A request record exists for the domain www.example.com, as shown in Figure 84.

Figure 84: Domain Request Record

 

Resolution Takes Effect

After validation is passed, log in to the DNS registrar website where the domain is registered and configure the domain to resolve to the "Forwarding IP" corresponding to the rule.

If the origin server has IP access restrictions, all addresses of the "Origin-Pulling IP" must be added to the website's trusted whitelist.
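The following Python code is an added example, not H3C code, covering two points of the reverse proxy configuration above: the address pool constraint in Table 23 (forwarding and origin-pull addresses are mandatory, lie inside the AFC protection range, and must not overlap), and how the origin server should treat the X-Forwarded-For header that the rule's X-Forwarded-For option adds, given that the AFC reaches it from the origin-pull address that the note above says to whitelist. The protection range 172.212.0.0/16 and the forwarding address 172.212.6.2 are from the page; the origin-pull address 172.212.6.3 and the client addresses are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional

# From the page: the AFC protection range and the forwarding address used in the rule.
PROTECTED_RANGE = "172.212.0.0/16"
FORWARDING_IPS = ["172.212.6.2"]
# Constructed for this example; the page does not state the origin-pull address.
ORIGIN_PULL_IPS = ["172.212.6.3"]


def pool_problems(protected: str, forwarding: Iterable[str],
                  origin_pull: Iterable[str]) -> List[str]:
    """Check the page's address pool constraints: both groups are mandatory,
    lie inside the AFC protection range, and their ranges do not overlap.
    Returns the problems found; an empty list means the pool is acceptable."""
    net = ipaddress.ip_network(protected)
    fwd = [ipaddress.ip_network(a) for a in forwarding]   # a bare "a.b.c.d" becomes a /32
    org = [ipaddress.ip_network(a) for a in origin_pull]
    problems: List[str] = []
    if not fwd:
        problems.append("forwarding IP is mandatory")
    if not org:
        problems.append("origin-pull IP is mandatory")
    for label, group in (("forwarding", fwd), ("origin-pull", org)):
        problems += [f"{label} address {n} is outside {net}" for n in group if not n.subnet_of(net)]
    problems += [f"forwarding {f} overlaps origin-pull {o}" for f in fwd for o in org if f.overlaps(o)]
    return problems


def _in_any(ip: str, nets) -> bool:
    """True if `ip` parses and lies in one of the networks; malformed text is never trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """Client address as the origin server should log or rate-limit it.
    The AFC connects from its origin-pull address and carries the real client in
    X-Forwarded-For. The header is honoured only when the TCP peer is one of those
    addresses, so a client that reaches the origin directly cannot spoof it. Trusted
    hops are stripped from the right; the rightmost remaining entry is the client."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    if not xff or not _in_any(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops and _in_any(hops[-1], trusted):
        hops.pop()
    if not hops:
        return remote_addr
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return remote_addr   # malformed client entry: fall back to the peer address
```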

 

Configure HTTPS Domain Forwarding Rules

Obtain an HTTPS Certificate

Methods to Obtain the Certificate

·     For certificates in .crt (public key) and .key (private key) formats:

Open each file in a text editor, copy its content, and paste it into the corresponding input field on the certificate addition page.

The public key content is shown in Figure 85.

Figure 85 Public Key Information

The private key content is shown in Figure 86.

Figure 86: Private Key Information

An encrypted certificate file cannot be added as-is; decrypt it before adding it.

·     Obtaining public and private keys from a PEM format certificate

Some PEM format certificates contain both the public and private keys in one file. Open the certificate with an editor and copy each part into the corresponding input field on the certificate addition page, as shown in Figure 87.

Figure 87: Obtaining Public Key and Private Key from PEM Certificate

·     Extracting public and private keys from a PFX-format certificate

A PFX file must first be converted with a command into a readable format such as PEM before the keys can be copied:

[root@localhost nginx]# openssl pkcs12 -in tmm-server.pfx -nodes -out server111.pem
Enter Import Password:
MAC verified OK

[root@localhost nginx]#

 

Add HTTPS Certificate

Under App Security-Cert Management, click Add, then enter the certificate name, public key, and private key information, as shown in Figure 88.

Figure 88: Adding an HTTPS Certificate

 

Add HTTPS Domain Forwarding Rule

Navigate to [App Security] - [WEB Protection], click "Add," and fill in the details as shown in Figure 89 below.

Figure 89: Adding an HTTPS Domain Forwarding Rule

 

The figure above defines an HTTPS domain forwarding rule, with the content explained as follows:

Table 25 Explanation of Rule Content

Name

Function Description

Protected Domain

You can add a second-level domain, such as www.example.cn.

You can add *.* to match all domains.

Access Method

Select Reverse Proxy;

Protected IP

Forwarding address from the address pool: 172.212.6.2;

Protocol

HTTPS  Port: 443

HTTPS Certificate

Select the previously added HTTPS certificate "test";

X-Forwarded-For

This option is used in reverse proxy mode for the web server to obtain the client's address;

Back-to-Origin Method

Select HTTPS

Origin Server IP and Port

IP: 172.213.6.102  Port: 443

 

·     For Windows clients, edit the hosts file C:\Windows\System32\drivers\etc\hosts manually and add the entry:

172.212.6.2 www.example.com

Then open https://www.example.com in a browser; the website content is displayed normally, as shown in Figure 90.

Figure 90: Website content display

 

Check Domain Status

Navigate to [App Security] - [Domain Status]. There is a request record for the domain www.example.com, as shown in Figure 91.

Figure 91 Domain Status Record

 

Resolution Takes Effect

After validation is passed, log in to the DNS registrar website where the domain is registered and configure the domain to resolve to the "Forwarding IP" corresponding to the rule.

If the origin server has IP access restrictions, all addresses of the "Origin-Pulling IP" must be added to the website's trusted whitelist.

 

 

Website Protection

Navigate to App Security-WEB Protection, locate the rule for the domain www.example.com, and click Protection Rule Config as shown in Figure 92.

Figure 92: Protection Rule Config

 

Click the [Add] button to display the rule content, as shown in Figure 93.

Figure 93: Custom Rule Page

 

Table 26 Description of Protection Rule Content

Name

Description

Rule Name

The name supports input in Chinese, numbers, letters, underscores, and hyphens.

Sub-rule Relationship

Supports "AND" or "OR" (single selection).

Sub-rule

Dropdown list includes: Method, URL, Source IP, Referer, User-Agent, Content-Length, Host, HTTP Code, HTTP Version.

Logical Relationship

Dropdown list includes: Equal, Not Equal, Contains, Not Contains.

Value

Can be set via dropdown options or input field.

Action

Dropdown list includes: Rate Limiting, Block, Block and Blacklist, Allow, Allow and Trust.

Blacklist Duration

How long the client's source IP stays blacklisted (all of its requests are blocked) after a rule with the action Block and Blacklist is triggered.

Trust Duration

How long the client's source IP stays trusted (its requests are allowed) after a rule with the action Allow and Trust is triggered.

·     Each domain can have up to 10 protection rules;

·      Each protection rule can include up to 10 sub-rules.

 

Bypass Mode Reverse Proxy

In bypass-mode reverse proxy, the AFC is attached to the existing network in source-port reinjection mode and is configured with a forwarding address and an origin-pull address. The domain name is resolved to the forwarding address, so clients that access the domain actually connect to the forwarding address. The AFC forwards their web requests to the origin server from the origin-pull address, receives the response from the origin server, and returns it to the clients from the forwarding address.

Network Configuration Requirements

This configuration uses source-port reinjection networking as an example. For details, refer to the AFC source-port reinjection deployment mode configuration example.

As shown in Figure 94, the client accesses the network through R1. When accessing a domain name, the client traffic passes through the AFC device deployed in bypass mode. To protect the website with the protected IP 172.212.6.101 from attacks, an abnormal traffic cleaning system is deployed in bypass mode on the core switch. The core switch R2 establishes a BGP neighbor relationship with the AFC device's interface XGE2/1 through interface XG1/0/18 to divert and clean traffic. A policy-based routing is configured on the inbound direction of interface XG1/0/18 of core switch R2 to achieve the return injection and forwarding of cleaned traffic.

 

Figure 94: Configuration and networking diagram of the AFC source port reinjection deployment mode.

 

The specific implementation is as follows:

·     Host Route Advertisement: The AFC establishes a BGP neighbor relationship with the core switch R2 via the XGE2/1 interface. The AFC advertises the 32-bit route of the protected IP to the core switch R2.

·     Host Traffic Scrubbing: The core switch R2 diverts the traffic of the protected host to the AFC, which then applies scrubbing policies to filter out abnormal traffic from the host traffic.

·     Traffic Redirection: The core switch R2 configures policy-based routing and applies it to the input direction of the interface connecting the core switch R2 and the AFC. This ensures that the cleaned and reinjected traffic is forwarded to the designated network.

 

Table 27 VLAN Assignment List

VLAN 1710

·     Function: the core switch R2 establishes a BGP neighbor relationship with the AFC; the AFC injects the cleaned traffic back into the core switch R2

·     IP addresses: 171.0.0.1/24, 115.115.115.1/24

VLAN 1711

·     Function: Layer 3 VLAN interfaces connecting the core switch R2 to the lower-level switch and the lower-level switch to the core switch R2

·     IP addresses: 171.0.1.1/24 (core switch R2), 171.0.1.2/24 (lower-level switch)

VLAN 1712

·     Function: the VLAN where the protected host resides; the interface address is the gateway of the protected host

·     IP address: 172.212.0.1/16

Table 28 AFC Interface IP Allocation List

XGE2/1

·     Interface addresses used for the BGP neighbor relationship between the core switch R2 and the AFC: 171.0.0.2/24, 115.115.115.96/24

·     Forwarding address: 172.215.6.1/24

·     Origin-pull (source return) addresses: 172.215.6.101-172.215.6.105

GE0/0

·     AFC management: 192.168.0.1/24

Table 29 Web Server Configuration List

IP address: 172.212.6.101

·     www.example.cn, HTTP, port 80

·     www.example.cn, HTTPS, port 443

 

Configuration Approach

To implement the BGP Layer 3 return flow mode with AFC bypass deployment, follow the configuration steps below:

Configure Basic Network on Core Switch R2

Configure the XG1/0/17 interface of core switch R2 to establish connectivity with the XG1/0/17 interface of downstream switch R3.

Configure BGP Neighbors on Core Switch R2

Enable the BGP process on both the AFC and core switch R2, and establish a neighbor relationship between them.

Configure Return Injection Policy on Core Switch R2

Configure a policy-based routing on the inbound direction of the interconnection port (XGE1/0/18) between the core switch and AFC device. Redirect traffic with destination addresses in the user service IP range (172.212.0.0/16) to downstream switch R3. This prevents the AFC device from sending return traffic back into itself, avoiding routing loops, and ensures the cleaned traffic is returned after scrubbing.

Configure Basic Network on Downstream Switch R3

Configure the XG1/0/17 interface of downstream switch R3 to establish connectivity with the XG1/0/17 interface of core switch R2.

Configure Basic Network on AFC Device

Set the IP address and port type of the AFC service interface that connects to R2. Set the port type to Single-arm Re-injection Interface (traffic steering and reinjection share the same physical port).

Configure BGP Routing on AFC Device

Establish a BGP adjacency relationship between the AFC device and the core device, ensuring mutual neighbor configuration.

Configure Traffic Redirection and Scrubbing on AFC Device

The AFC device performs traffic redirection for user service addresses, scrubs the traffic based on defense policies, and returns the cleaned traffic to the core device.

Application Security Configuration

On the AFC device, add forwarding and return-source addresses, and configure domain name forwarding rules. The client accesses the forwarding address via the domain name. Upon receiving the domain request, the AFC forwards the client's request to the web server behind the firewall via the return-source address. The web server sends the response back to the AFC device, which then forwards the web resources to the client via the forwarding address.

Configuration Steps

Configure the basic network on the core switch R2

Create VLANs 1710 and 1711, where:

VLAN 1710 corresponds to the 171.0.0.0/24 subnet, used for direct communication between R2's Layer 3 switch port and AFC XGE2/1.

VLAN 1711 corresponds to the 171.0.1.0/24 subnet, used for routing with the lower layer.

# Create VLAN

[R2]vlan 1710

[R2-vlan1710]quit

[R2]vlan 1711

[R2-vlan1711]quit

 

# Configure VLAN IP

[R2]interface Vlan-interface1710

[R2-Vlan-interface1710]ip address 171.0.0.1 255.255.255.0

[R2-Vlan-interface1710]ip address 115.115.115.1 255.255.255.0 sub

[R2-Vlan-interface1710]quit

[R2]interface Vlan-interface1711

[R2-Vlan-interface1711]ip address 171.0.1.1 255.255.255.0

[R2-Vlan-interface1711]quit

 

# Configure XG1/0/17 Interface

[R2]int XGigabitEthernet 1/0/17

[R2-XGigabitEthernet1/0/17] port link-mode bridge

[R2-XGigabitEthernet1/0/17] port access vlan 1711

 

# Check the configuration of interface XG1/0/17.

[R2-XGigabitEthernet1/0/17] dis this

interface XGigabitEthernet1/0/17

 port link-mode bridge

 port access vlan 1711

 

# Configure XG1/0/18 Interface

[R2]int XGigabitEthernet 1/0/18

[R2-XGigabitEthernet1/0/18] port link-mode bridge

[R2-XGigabitEthernet1/0/18] port access vlan 1710

 

# Check the configuration of interface XG1/0/18.

[R2-XGigabitEthernet1/0/18] dis this

interface XGigabitEthernet1/0/18

 port link-mode bridge

 port access vlan 1710

 

 

Configure BGP neighbor on core switch R2

# Enable BGP with AS number 65535

[R2]bgp 65535

# Set the router ID

[R2-bgp]router-id 171.0.0.1

[R2-bgp]undo synchronization

# Configure the peer 171.0.0.2 (the AFC) with AS number 65534 and the description "afc". The peer must exist before it can be enabled in an address family.

[R2-bgp]peer 171.0.0.2 as-number 65534

[R2-bgp]peer 171.0.0.2 description afc

# Enter the IPv4 unicast address family and enable the peer so that the local router exchanges IPv4 unicast routing information with it

[R2-bgp]address-family ipv4 unicast

[R2-bgp-ipv4]peer 171.0.0.2 enable

# Assign a preferred value to routes received from the peer (a larger preferred value wins during route selection)

[R2-bgp-ipv4]peer 171.0.0.2 preferred-value 1

# Retain all routes received from the peer, even those that do not pass the configured inbound policy

[R2-bgp-ipv4]peer 171.0.0.2 keep-all-routes

[R2-bgp-ipv4]quit

[R2-bgp]quit

If BGP IPv6 is used, enter the BGP IPv6 unicast address family view instead.

Configure the Return Injection Policy on Core Switch R2

# Configure ACL 3003 to match traffic whose destination address is in the steered network segment 172.212.0.0/16

[R2]acl number 3003

[R2-acl-adv-3003]rule 1 permit ip destination 172.212.0.0 0.0.255.255

[R2-acl-adv-3003]quit

# Create the policy-based route p_afc_out: traffic matching ACL 3003 is redirected to the next hop 171.0.1.2 (the R3 end of the directly connected R2-R3 link). Use the address of your own deployment.

[R2]policy-based-route p_afc_out permit node 5

[R2-pbr-p_afc_out-5]if-match acl 3003

[R2-pbr-p_afc_out-5]apply ip-address next-hop 171.0.1.2

[R2-pbr-p_afc_out-5]quit

# Apply the policy-based route on the Layer 3 interface that receives the reinjected traffic from the AFC

[R2]interface Vlan-interface1710

[R2-Vlan-interface1710]ip policy-based-route p_afc_out

[R2-Vlan-interface1710]quit

# If the interconnecting interface works in route mode, apply the policy-based route directly on that interface. If it works in bridge mode (as XG1/0/18 does here), apply it on the VLAN interface of the VLAN the port belongs to, as shown above.

Configure Basic Network on Downstream Switch R3

Create VLAN 1711 and VLAN 1712, where:

VLAN 1711 corresponds to the 171.0.1.0/24 subnet, the directly connected routing link between downstream switch R3 and core switch R2.

VLAN 1712 corresponds to the 172.212.0.0/16 subnet, the network segment of the downstream network.

# Create VLAN

[R3]vlan 1711

[R3-vlan1711]quit

[R3]vlan 1712

[R3-vlan1712]quit

 

# Configure VLAN IP

[R3]int Vlan-interface 1711

[R3-Vlan-interface1711]ip address 171.0.1.2 255.255.255.0

[R3-Vlan-interface1711]quit

[R3]int Vlan-interface 1712

[R3-Vlan-interface1712]ip address 172.212.0.1 255.255.0.0

[R3-Vlan-interface1712]quit

 

# Configure XG1/0/17 Interface

[R3]int XGigabitEthernet 1/0/17

[R3-XGigabitEthernet1/0/17] port link-mode bridge

[R3-XGigabitEthernet1/0/17] port access vlan 1711

 

# View configuration of interface XG1/0/17

[R3-XGigabitEthernet1/0/17] dis this

interface XGigabitEthernet1/0/17

 port link-mode bridge

 port access vlan 1711

 

# Configure interface G1/0/13

[R3]int GigabitEthernet 1/0/13

[R3-GigabitEthernet1/0/13] port link-mode bridge

[R3-GigabitEthernet1/0/13] port access vlan 1712

 

# View configuration of interface G1/0/13

[R3-GigabitEthernet1/0/13] dis this

interface GigabitEthernet1/0/13

 port link-mode bridge

 port access vlan 1712

 

# Configure routing to the 172.215.6.0 subnet

[R3] ip route-static 172.215.6.0 24 171.0.1.1

 

Basic Network Configuration for AFC Equipment

To achieve the configuration of AFC bypass standalone deployment with BGP Layer 3 return mode, follow the steps below for configuration:

Log in to the AFC System Page

Access the login page via browser: https://192.168.0.1 and log in with the default username "admin" and password "admin", as shown in Figure 95. Change this default password after the first login: the management interface later holds the website's private key and protection policy.

Figure 95: Log in to the AFC System Page

 

AFC Address and Port Type Configuration

Navigate to [System] [Devices] [Device Manage], click the [Setup] button on the right side of the device, select [Port Settings] in the left navigation bar, and click the [Modify] button to update the IP, subnet mask, port binding, and other settings for GE1/0. (On initial deployment, refresh the configuration first to obtain the device's current network interface settings.)

For XGE2/1, set the IP to 171.0.0.2, configure the port type as Single-arm Re-injection Interface, and set the IPv4 next hop to the incoming direction of the interconnected switch port address (i.e., the core switch XG1/0/18 with IP 171.0.0.1, as shown in Figure 96).

Figure 96 Port Settings

 

Click [Apply Configuration] to make the settings take effect.

After enabling application security, all service ports in the network port configuration must be of the same type. Serial and bypass configurations cannot be used simultaneously.

 

BGP Routing Configuration for AFC Equipment

After configuring the address and port types, click the Routing Configuration menu at the bottom, select BGP Config, check Start BGP, and click Apply Config. Follow the steps below to configure:

Local BGP Configuration:

Navigate to System--Device Manage, click the Setup operation for the device with IP 127.0.0.1, and enter Routing Configuration--BGP Config to perform the following operations:

Check Start BGP

Local AS: 65534 // AS number for the AFC equipment side

Local Port: 179 // Default port 179

Click Save. The configuration should appear as shown in Figure 97.

Local BGP Configuration for AFC Equipment

Figure 97: Enable BGP

 

Neighbor BGP Configuration

Click the [Add] button to add BGP information.

Peer AS: 65535 // When the core switch is already running BGP, enter the AS number of the core switch.

Peer Port: 179 // Default port is 179.

LocalPref/MED: 100   // Default 100

Peer IP: 171.0.0.1 // The IPv4 next-hop address configured on interface XGE2/1, i.e. the core switch side of the link.

Click [Save] to complete the addition of the neighbor address. As shown in Figure 98.

Figure 98: Neighbor BGP Configuration for the Abnormal Traffic Cleaning System

 

Apply BGP Configuration:

Click [Apply Config] to activate the BGP settings.

AFC Device Traffic Redirection and Cleansing

Log in to the AFC, navigate to [Steer Config] > [Traffic Steering Status], and click [Manual Steering] to steer the user's service address, the forwarding address, and the origin-pull addresses to the AFC. In this example these are 172.212.6.101, 172.215.6.1, and 172.215.6.101-172.215.6.105. Select the operation "Traffic Redirection" and click [Ensure] to complete the steering, as shown in Figures 99, 100, and 101.

Figure 99: Steering the user service address 172.212.6.101

 

Figure 100: Steering the forwarding address 172.215.6.1

 

Figure 101: Steering the origin-pull addresses 172.215.6.101-172.215.6.105

 

After the traffic is directed to the AFC equipment, in the event of a DDoS attack, the AFC equipment can automatically employ default policies for cleansing and defense.

 

Configuration Verification

Verify whether the core switch R2 and the AFC equipment's cleaning service port are interconnected.

Test whether the core switch R2 can reach the AFC service interface with ping.

[R2]ping -a 171.0.0.1 171.0.0.2

  PING 171.0.0.2: 56  data bytes, press CTRL_C to break

    Reply from 171.0.0.2: bytes=56 Sequence=1 ttl=64 time=3 ms

    Reply from 171.0.0.2: bytes=56 Sequence=2 ttl=64 time=3 ms

    Reply from 171.0.0.2: bytes=56 Sequence=3 ttl=64 time=3 ms

    Reply from 171.0.0.2: bytes=56 Sequence=4 ttl=64 time=3 ms

    Reply from 171.0.0.2: bytes=56 Sequence=5 ttl=64 time=3 ms

  --- 171.0.0.2 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

round-trip min/avg/max = 3/3/3 ms

Verify whether the BGP neighbor relationship between the core device and the AFC device is established.

Log in to the core device and check the BGP session state with the "display bgp peer" command.

 [Sysname] display bgp peer

 BGP local router ID : 171.0.0.1

 Local AS number : 65535

 Total number of peers : 1        Peers in established state : 1

  Peer                    AS  MsgRcvd  MsgSent OutQ PrefRcv Up/Down  State

     171.0.0.2          65534        5        3    0       0 00:01:59 Established

Verify that the route steering from core switch R2 to the AFC is successful: the BGP routing table of R2 must contain a /32 host route for the protected address, learned from the AFC.

Check the routing table of the core switch R2.

[R2]display bgp routing-table

 Total Number of Routes: 1

 BGP Local router ID is 171.0.0.1

 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,

               h - history,  i - internal, s - suppressed, S - Stale

               Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

* >  172.212.6.101/32      171.0.0.2       0                     1       65534i

 

Verify that the client can reach the protected server through the steered path.

Ping the protected server 172.212.6.101 from the client.

[root@AFCTest_Client ~]# ifconfig eth0

eth0      Link encap:Ethernet  HWaddr 00:0C:29:9D:1B:7A 

          inet addr:184.0.0.75  Bcast:184.0.0.255  Mask:255.255.255.0

          inet6 addr: fe80::20c:29ff:fe9d:1b7a/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:257120 errors:0 dropped:0 overruns:0 frame:0

          TX packets:47273087 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:28882056 (27.5 MiB)  TX bytes:3460908912 (3.2 GiB)

[root@AFCTest_Client ~]# ping -c 5 172.212.6.101

PING 172.212.6.101 (172.212.6.101) 56(84) bytes of data.

64 bytes from 172.212.6.101: icmp_seq=1 ttl=124 time=0.799 ms

64 bytes from 172.212.6.101: icmp_seq=2 ttl=124 time=0.736 ms

64 bytes from 172.212.6.101: icmp_seq=3 ttl=124 time=0.862 ms

64 bytes from 172.212.6.101: icmp_seq=4 ttl=124 time=1.47 ms

64 bytes from 172.212.6.101: icmp_seq=5 ttl=124 time=1.02 ms

--- 172.212.6.101 ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 4006ms

rtt min/avg/max/mdev = 0.736/0.977/1.470/0.266 ms

 

 

Application Security Configuration Steps

Configure IP Pool

Navigate to App Security-IP Pool Management, click Add, and fill in the information as shown in Figures 102 and 103 below.

Figure 102: Add Forwarding Address

 

Figure 103: Add the origin-pull address

 

Table 30 Description of Address Pool

Name

Function Description

Forwarding Address

The address clients connect to in reverse proxy mode (the address the protected domain resolves to). This IP is an idle address within the AFC protection range.

Origin-Pulling Address

The source address the AFC uses to communicate with the web origin server. This IP is an idle address within the AFC protection range.

Protocol

Select HTTP, Port: 80.

Vlan ID

This test environment is a non-VLAN environment; default to 0.

·     Both the forwarding IP and the origin-returning IP are mandatory fields, and their IP ranges must not overlap.

 

Configure Virtual Routing

Navigate to App Security-Virtual Routing, select Layer 3 mode, and configure the external network address and the next-hop address of the external network route, as shown in Figure 104.

Figure 104: Configuring Virtual Routing

 

Table 31 Virtual Routing Configuration Instructions

Name

Function Description

External Network Address

Communication address between the AFC service port and the R2 switch;

Next-Hop Address for External Network Routing

Interface address configured on the R2 switch;

          

 

HTTP Domain Forwarding Rules

Add HTTP Domain Forwarding Rule

Navigate to [App Security] - [WEB Protection], click "Add," and fill in the details as shown in Figure 105.

Figure 105: Add HTTP domain forwarding rule

 

The figure above defines an HTTP domain forwarding rule, with the following explanation:

Table 31 Domain Rule Explanation

Name

Function Description

Protected Domain

You can add a second-level domain, such as www.example.cn;

You can add *.* to match all domains.

Access Method

Select Reverse Proxy;

Protected IP

Forwarding address from the address pool: 172.215.6.1;

Protocol

HTTP Port: 80;

X-Forwarded-For

This option is used in reverse proxy mode for the web server to obtain the client's address;

Back-to-Origin Method

Select HTTP;

Origin Server IP and Port

IP: 172.212.6.101 (the web server from Table 29) Port: 80;

 

·     For Windows clients, edit the hosts file C:\Windows\System32\drivers\etc\hosts manually and add the entry:

172.215.6.1 www.example.com

Then open http://www.example.com in a browser and navigate to [App Security] - [Domain Status]. There is a request record for the domain www.example.com, as shown in Figure 107.

Figure 107: Domain Request Record

 

Resolution Takes Effect

After validation is passed, log in to the DNS registrar website where the domain is registered and configure the domain to resolve to the "Forwarding IP" corresponding to the rule.

If the origin server has IP access restrictions, all addresses of the "Origin-Pulling IP" must be added to the website's trusted whitelist.

 

Configure HTTPS Domain Forwarding Rules

Obtain an HTTPS Certificate

Methods to Obtain the Certificate

·           For certificates in .crt (public key) and .key (private key) formats:

             You can directly open them with a file editor, copy the content, and paste it into the corresponding input fields on the certificate addition page.

             The public key content is shown in Figure 108.

Figure 108 Public Key Information

 

The private key content is shown in Figure 109.

Figure 109: Private Key Information

 

A private key that is still passphrase-protected (a PEM block labelled ENCRYPTED PRIVATE KEY, or an RSA PRIVATE KEY block whose first lines read Proc-Type: 4,ENCRYPTED) cannot be added as-is. Remove the passphrase before adding it, keep the decrypted copy on a trusted host only, and delete that copy once the key has been entered on the device.

 

·     Obtaining Public and Private Keys from a PEM Format Certificate

       Some PEM format certificates contain both the public and private keys together. You need to open the certificate with an editor, then copy the respective content into the input fields on the certificate addition page, as shown in Figure 110.

Figure 110: Obtaining Public Key and Private Key from PEM Certificate

 

·     Extracting public and private keys from a PFX-format certificate

It needs to be converted into a recognizable format such as PEM using commands before the keys can be copied.

[root@localhost nginx]# openssl pkcs12 -in tmm-server.pfx -nodes -out server111.pem

Enter Import Password:

MAC verified OK

[root@localhost nginx]#
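The PEM and PFX extraction steps above (and the identical steps under the serial-mode HTTPS rule earlier on this page) come down to copying the right blocks out of a combined file. The following is an added example, not part of the H3C document: a small Python splitter that takes the output of "openssl pkcs12 -nodes" (or any combined PEM), drops the Bag Attributes and other text outside the BEGIN/END markers, validates the base64 of each block, and refuses a key that is still passphrase-protected, in both the PKCS#8 (ENCRYPTED PRIVATE KEY) and legacy (Proc-Type: 4,ENCRYPTED) forms. The sample PEM material in the block is constructed from placeholder bytes and is not a real certificate or key.

```python
import base64
import re

# Added example, not from the H3C page. Split a combined PEM file into the two
# blobs the AFC certificate form asks for and refuse passphrase-protected keys.
# All SAMPLE_* material below is constructed: base64 of placeholder bytes.

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


class EncryptedKeyError(ValueError):
    """The key needs a passphrase: run
    'openssl pkey -in enc.key -out plain.key' first, then paste plain.key."""


def _valid_base64(b64):
    # A character dropped while copying from an editor shows up here.
    try:
        base64.b64decode("".join(b64.split()), validate=True)
        return True
    except ValueError:
        return False


def split_pem(text):
    """Return {"certificates": [...], "private_key": str or None}.

    Each item is exactly the text to paste into the AFC form: Bag Attributes,
    subject/issuer lines and anything else outside BEGIN/END are dropped.
    """
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        if label == "ENCRYPTED PRIVATE KEY":
            raise EncryptedKeyError("PKCS#8 key is passphrase-protected")
        if label in KEY_LABELS and "Proc-Type: 4,ENCRYPTED" in body:
            # Legacy OpenSSL format keeps its encryption header inside the block.
            raise EncryptedKeyError("legacy PEM key is passphrase-protected")
        # Keep only the base64 lines (header lines such as DEK-Info contain ':').
        b64 = "\n".join(line for line in body.splitlines() if line and ":" not in line)
        if not _valid_base64(b64):
            raise ValueError("%s block is not valid base64" % label)
        block = "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, b64, label)
        if label == "CERTIFICATE":
            certs.append(block)
        elif label in KEY_LABELS:
            keys.append(block)
    if len(keys) > 1:
        raise ValueError("more than one private key in the file")
    return {"certificates": certs, "private_key": keys[0] if keys else None}


def key_is_encrypted(text):
    """True when split_pem() would refuse the file because of an encrypted key."""
    try:
        split_pem(text)
    except EncryptedKeyError:
        return True
    return False


def _fake_block(label, payload, headers=""):
    # Constructed test data: base64 of placeholder bytes, NOT real key material.
    b64 = base64.encodebytes(payload).decode()
    return "-----BEGIN %s-----\n%s%s-----END %s-----\n" % (label, headers, b64, label)


# Shape of what "openssl pkcs12 -in tmm-server.pfx -nodes -out server111.pem" writes.
SAMPLE_PFX_PEM = (
    "Bag Attributes\n    localKeyID: 01 02 03 04\n    friendlyName: tmm-server\n"
    "subject=CN = www.example.cn\nissuer=CN = Example CA\n"
    + _fake_block("CERTIFICATE", b"constructed leaf certificate bytes" * 8)
    + "Bag Attributes\n    localKeyID: 01 02 03 04\nKey Attributes: <No Attributes>\n"
    + _fake_block("PRIVATE KEY", b"constructed private key bytes" * 8)
)
# The two encrypted forms that cannot be added as-is.
SAMPLE_LEGACY_ENCRYPTED = _fake_block(
    "RSA PRIVATE KEY", b"constructed ciphertext" * 8,
    headers="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n",
)
SAMPLE_PKCS8_ENCRYPTED = _fake_block("ENCRYPTED PRIVATE KEY", b"constructed ciphertext" * 8)

if __name__ == "__main__":
    parts = split_pem(SAMPLE_PFX_PEM)
    print("certificate field:\n" + parts["certificates"][0])
    print("private key field:\n" + parts["private_key"])
    print("legacy key encrypted:", key_is_encrypted(SAMPLE_LEGACY_ENCRYPTED))
```

Run it against the real server111.pem produced by the openssl command and paste the returned certificate text into the public key field and the private key text into the private key field; if more than one CERTIFICATE block comes back, the leaf certificate for the protected domain is the one the form expects.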

 

Add HTTPS Certificate

Under App Security-Cert Management, click Add, then enter the certificate name, public key, and private key information, as shown in Figure 111.

Figure 111: Adding an HTTPS Certificate

 

Add HTTPS Domain Forwarding Rule

Navigate to [App Security] - [WEB Protection], click "Add," and fill in the details as shown in Figure 112 below.

Figure 112: Adding an HTTPS Domain Forwarding Rule

 

The figure above defines an HTTPS domain forwarding rule, with the content explained as follows:

Table 32 Explanation of Rule Content

Name

Function Description

Protected Domain

You can add a second-level domain, such as www.example.cn.

You can add *.* to match all domains.

Access Method

Select Reverse Proxy;

Protected IP

Forwarding address from the address pool: 172.215.6.1;

Protocol

HTTPS  Port: 443

HTTPS Certificate

Select the previously added HTTPS certificate "test";

X-Forwarded-For

This option is used in reverse proxy mode for the web server to obtain the client's address;

Back-to-Origin Method

Select HTTPS

Origin Server IP and Port

IP: 172.212.6.101 (the web server from Table 29)  Port: 443

 

 

 

·     For Windows clients, edit the hosts file C:\Windows\System32\drivers\etc\hosts manually and add the entry:

172.215.6.1 www.example.com

Then open https://www.example.com in a browser and navigate to [App Security] - [Domain Status]. There is a request record for the domain www.example.com, as shown in Figure 114.

Figure 114 Domain Status Record

 

Resolution Takes Effect

After validation is passed, log in to the DNS registrar website where the domain is registered and configure the domain to resolve to the "Forwarding IP" corresponding to the rule.

If the origin server has IP access restrictions, all addresses of the "Origin-Pulling IP" must be added to the website's trusted whitelist.
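The X-Forwarded-For option in the rules above and the whitelist requirement just stated belong together: the origin server should accept connections only from the origin-pull addresses, and it should believe X-Forwarded-For only to the extent that a trusted proxy wrote it, otherwise a client can insert a fake address ahead of its own and defeat any IP-based logging or blacklisting on the origin. The following is an added example, not part of the H3C document, of how the origin web server can do both checks. It assumes the origin-pull addresses of this deployment (172.215.6.101-172.215.6.105 from Table 28) and that the AFC appends the connecting client's address as the last X-Forwarded-For entry, as reverse proxies normally do; the request records are constructed.

```python
import ipaddress

# Added example, not from the H3C page. Trust X-Forwarded-For only as far as a
# trusted proxy wrote it, and refuse connections that did not come via the AFC.
# Assumption: the AFC appends the client's real address as the last XFF entry.

TRUSTED_PROXIES = [ipaddress.ip_network("172.215.6.%d/32" % n) for n in range(101, 106)]


def _is_trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False            # garbage never counts as a trusted hop
    return any(ip in net for net in trusted)


def accept_connection(remote_addr, trusted=TRUSTED_PROXIES):
    """The whitelist the page asks for: only the origin-pull addresses may
    reach the origin, so a request that bypasses the AFC is refused."""
    return _is_trusted(remote_addr, trusted)


def client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Real client address, or None if it cannot be attributed safely.

    Walk the chain from the right: each hop is accepted only while the hop
    that vouches for it is a trusted proxy. Entries the client wrote into the
    header itself sit to the left of the first untrusted address and are
    therefore never reached.
    """
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    candidate = remote_addr
    for hop in reversed(hops):
        if not _is_trusted(candidate, trusted):
            break
        candidate = hop
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


# Constructed samples: (remote address seen by the origin, X-Forwarded-For value)
SAMPLE_REQUESTS = [
    ("172.215.6.103", "184.0.0.75"),              # via the AFC, header appended by it
    ("172.215.6.101", "10.9.9.9, 184.0.0.75"),    # client sent a fake header first
    ("184.0.0.75", "172.215.6.101"),              # bypassed the AFC; header is a lie
    ("172.215.6.104", "not-an-ip"),               # unparsable value behind a trusted hop
]


def attribute(requests=SAMPLE_REQUESTS):
    """Return (remote, accepted, client) for each record."""
    return [(r, accept_connection(r), client_ip(r, x)) for r, x in requests]


if __name__ == "__main__":
    for row in attribute():
        print(row)
```

The second record is the case to watch: the client put 10.9.9.9 into the header itself, but because the AFC appended 184.0.0.75 after it and the origin only walks back through trusted hops, the forged entry is never consulted. The third record shows why the whitelist matters: a client that reaches the origin directly can claim any address it likes in the header, so the origin must refuse the connection rather than parse it.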

Website Protection

Navigate to App Security-WEB Protection, locate the rule for the domain www.example.com, and click Protection Rule Config as shown in Figure 115.

Figure 115: Protection Rule Config

 

Click the [Add] button to display the rule content, as shown in Figure 116.

Figure 116: Custom Rule Page

 

Table 33 Description of Protection Rule Content

Name

Description

Rule Name

The name supports input in Chinese, numbers, letters, underscores, and hyphens.

Sub-rule Relationship

Supports "AND" or "OR" (single selection).

Sub-rule

Dropdown list includes: Method, URL, Source IP, Referer, User-Agent, Content-Length, Host, HTTP Code, HTTP Version.

Logical Relationship

Dropdown list includes: Equal, Not Equal, Contains, Not Contains.

Value

Can be set via dropdown options or input field.

Action

Dropdown list includes: Rate Limiting, Block, Block and Blacklist, Allow, Allow and Trust.

Blacklist Duration

How long the client's source IP stays blacklisted (all of its requests are blocked) after a rule with the action Block and Blacklist is triggered.

Trust Duration

How long the client's source IP stays trusted (its requests are allowed) after a rule with the action Allow and Trust is triggered.

·     Each domain can have up to 10 protection rules;

·      Each protection rule can include up to 10 sub-rules.
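Table 33 lists the building blocks of a protection rule but not how they combine at run time. The following is an added example, not part of the H3C document: a small evaluator with the same fields, operators, actions and limits (10 rules per domain, 10 sub-rules per rule, AND/OR between sub-rules, Equal / Not Equal / Contains / Not Contains), run over constructed traffic so that the effect of Block and Blacklist, Allow and Trust and the two durations can be seen. Everything the page does not specify is an assumption stated in the code: rules are tried in order and the first match decides, a trusted source skips the rules and a blacklisted source is refused before them, and Rate Limiting is modelled as a fixed per-source budget (RATE_LIMIT requests per RATE_WINDOW seconds). The rule names and requests are constructed.

```python
import time
from collections import defaultdict, deque

# Added example, not from the H3C page. Evaluator for the protection rules of
# Table 33. Assumed (not stated on the page): first matching rule wins; trusted
# sources skip the rules; blacklisted sources are refused before the rules;
# rate limiting is RATE_LIMIT requests per RATE_WINDOW seconds per source IP.

FIELDS = {"method", "url", "source_ip", "referer", "user_agent",
          "content_length", "host", "http_code", "http_version"}
OPERATORS = {
    "equal": lambda have, want: have == want,
    "not_equal": lambda have, want: have != want,
    "contains": lambda have, want: want in have,
    "not_contains": lambda have, want: want not in have,
}
ACTIONS = {"rate_limit", "block", "block_and_blacklist", "allow", "allow_and_trust"}
MAX_RULES, MAX_SUBRULES = 10, 10
RATE_LIMIT, RATE_WINDOW = 5, 10.0   # assumed values, not from the page


class Rule:
    def __init__(self, name, relation, subrules, action, blacklist_secs=0, trust_secs=0):
        if relation not in ("AND", "OR"):
            raise ValueError("sub-rule relationship must be AND or OR")
        if not 1 <= len(subrules) <= MAX_SUBRULES:
            raise ValueError("a rule takes 1..%d sub-rules" % MAX_SUBRULES)
        if action not in ACTIONS:
            raise ValueError("unknown action %r" % action)
        for field, op, _ in subrules:
            if field not in FIELDS or op not in OPERATORS:
                raise ValueError("bad sub-rule %r/%r" % (field, op))
        self.name, self.relation, self.subrules = name, relation, list(subrules)
        self.action, self.blacklist_secs, self.trust_secs = action, blacklist_secs, trust_secs

    def matches(self, request):
        # Every field is compared as text, the way it is typed into the form.
        results = [OPERATORS[op](str(request.get(field, "")), str(value))
                   for field, op, value in self.subrules]
        return all(results) if self.relation == "AND" else any(results)


class DomainProtection:
    def __init__(self, domain, rules):
        if len(rules) > MAX_RULES:
            raise ValueError("at most %d rules per domain" % MAX_RULES)
        self.domain, self.rules = domain, list(rules)
        self.blacklist, self.trusted = {}, {}        # source_ip -> expiry time
        self.hits = defaultdict(deque)              # source_ip -> request times

    @staticmethod
    def _listed(table, ip, now):
        expiry = table.get(ip)
        if expiry is not None and expiry <= now:
            del table[ip]                           # duration has elapsed
            return False
        return expiry is not None

    def decide(self, request, now=None):
        """Return (verdict, reason) for one request to this domain."""
        now = time.time() if now is None else now
        ip = request["source_ip"]
        if self._listed(self.trusted, ip, now):
            return "allow", "trusted"
        if self._listed(self.blacklist, ip, now):
            return "block", "blacklisted"
        for rule in self.rules:
            if not rule.matches(request):
                continue
            if rule.action == "block_and_blacklist":
                self.blacklist[ip] = now + rule.blacklist_secs
                return "block", rule.name
            if rule.action == "allow_and_trust":
                self.trusted[ip] = now + rule.trust_secs
                return "allow", rule.name
            if rule.action == "rate_limit":
                window = self.hits[ip]
                while window and window[0] <= now - RATE_WINDOW:
                    window.popleft()
                window.append(now)
                return ("block" if len(window) > RATE_LIMIT else "allow"), rule.name
            return ("block" if rule.action == "block" else "allow"), rule.name
        return "allow", "default"


def demo():
    """Constructed traffic against three rules; returns the list of decisions."""
    prot = DomainProtection("www.example.cn", [
        Rule("scanner-ua", "OR", [("user_agent", "contains", "sqlmap"),
                                  ("user_agent", "contains", "nikto")],
             "block_and_blacklist", blacklist_secs=600),
        Rule("login-flood", "AND", [("url", "contains", "/login"),
                                    ("method", "equal", "POST")], "rate_limit"),
        Rule("monitor", "AND", [("source_ip", "equal", "192.0.2.10"),
                                ("url", "equal", "/healthz")],
             "allow_and_trust", trust_secs=300),
    ])
    t0 = 1700000000.0

    def req(ip, method, url, ua):
        return {"source_ip": ip, "method": method, "url": url,
                "user_agent": ua, "host": "www.example.cn"}

    out = [prot.decide(req("203.0.113.5", "GET", "/", "sqlmap/1.7"), t0),        # block, scanner-ua
           prot.decide(req("203.0.113.5", "GET", "/", "Mozilla/5.0"), t0 + 1),    # block, blacklisted
           prot.decide(req("203.0.113.5", "GET", "/", "Mozilla/5.0"), t0 + 601)]  # allow, default
    for i in range(RATE_LIMIT + 1):                                              # 5 allowed, 6th blocked
        out.append(prot.decide(req("198.51.100.7", "POST", "/login", "Mozilla/5.0"), t0 + i))
    out.append(prot.decide(req("192.0.2.10", "GET", "/healthz", "probe"), t0))    # allow, monitor
    out.append(prot.decide(req("192.0.2.10", "GET", "/admin", "sqlmap"), t0 + 10))  # allow, trusted
    return out


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, reason)
```

The last two decisions show the trade-off in Allow and Trust: once 192.0.2.10 is trusted by the monitor rule, a later request from the same address with a scanner User-Agent is still allowed until the trust duration runs out, so trust rules should match on something an attacker cannot supply (a fixed source address, as here) rather than on a header alone.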

 
