DPI engine commands
app-profile
Use app-profile to create a deep packet inspection (DPI) application profile and enter its view, or enter the view of an existing DPI application profile.
Use undo app-profile to delete a DPI application profile.
Syntax
app-profile profile-name
undo app-profile profile-name
Default
No DPI application profiles exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
profile-name: Specifies a DPI application profile name. The profile name is a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, and underscores (_).
Usage guidelines
The DPI application profile is a security service template that can include DPI service policies such as URL filtering policy.
A DPI application profile takes effect after an object policy rule or security policy rule uses it as the action. The DPI engine inspects the packets matching the object policy rule or security policy rule and submits the packets to the associated DPI service module for processing.
Examples
# Create a DPI application profile named abc and enter its view.
<Sysname> system-view
[Sysname] app-profile abc
[Sysname-app-profile-abc]
authentication enable
Use authentication enable to enable email client authentication.
Use undo authentication enable to disable email client authentication.
Syntax
authentication enable
undo authentication enable
Default
Email client authentication is enabled.
Views
Email parameter profile view
Predefined user roles
network-admin
context-admin
Usage guidelines
Use this command when the email server specified by the email-server command requires client authentication.
Examples
# Disable email client authentication.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] undo authentication enable
block-period
Use block-period to set the block period during which a source IP address is blocked.
Use undo block-period to restore the default.
Syntax
block-period period
undo block-period
Default
A source IP address is blocked for 1800 seconds.
Views
Block source parameter profile view
Predefined user roles
network-admin
context-admin
Parameters
period: Specifies the block period in the range of 1 to 86400 seconds.
Usage guidelines
For the block period to take effect, make sure the blacklist feature is enabled.
The device drops the packet that matches an inspection rule and adds the packet's source IP address to the IP blacklist.
· If the blacklist feature is enabled, the device directly drops subsequent packets from the source IP address during the block period.
· If the blacklist feature is disabled, the block period does not take effect. The device inspects all packets and drops the matching ones.
For more information about the blacklist feature, see attack detection and prevention in the Security Configuration Guide.
Examples
# Set the block period to 3600 seconds in block source parameter profile b1.
<Sysname> system-view
[Sysname] inspect block-source parameter-profile b1
[Sysname-inspect-block-source-b1] block-period 3600
Related commands
blacklist enable (security zone view) (Security Command Reference)
blacklist global enable (Security Command Reference)
inspect block-source parameter-profile
capture-limit
Use capture-limit to set the maximum volume of captured packets that can be cached.
Use undo capture-limit to restore the default.
Syntax
capture-limit kilobytes
undo capture-limit
Default
The device can cache a maximum of 512 Kilobytes of captured packets.
Views
Capture parameter profile view
Predefined user roles
network-admin
context-admin
Parameters
kilobytes: Specifies the maximum volume in the range of 0 to 1024 Kilobytes.
Usage guidelines
The device caches captured packets locally. It exports the cached captured packets to a URL when the volume of cached captured packets reaches the maximum, and clears the cache. After the export, the device starts to capture packets again.
If you set the maximum volume of cached captured packets to 0 Kilobytes, the device immediately exports a packet to the URL after the packet is captured.
Examples
# Set the maximum volume of cached captured packets to 1024 Kilobytes in the capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1] capture-limit 1024
Related commands
export repeating-at
export url
inspect capture parameter-profile
display inspect md5-verify configuration
Use display inspect md5-verify configuration to display information about the MD5 hash-based virus inspection for all files feature.
Syntax
display inspect md5-verify configuration
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display information about the MD5 hash-based virus inspection for all files feature.
<Sysname> system-view
[Sysname] display inspect md5-verify configuration
MD5 file verification for all files: Enabled
Table 1 Command output
Field | Description
---|---
MD5 file verification for all files | Status of the MD5 hash-based virus inspection for all files feature: Enabled or Disabled.
Related commands
inspect md5-verify all-files
display inspect status
Use display inspect status to display the status of the DPI engine.
Syntax
display inspect status
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display the status of the DPI engine.
<Sysname> display inspect status
Chassis 0 Slot 1:
Running status: normal
Table 2 Command output
Field | Description
---|---
Running status | Status of the DPI engine: bypass by configure (the DPI engine cannot process packets because of a configuration error); bypass by cpu busy (the DPI engine cannot process packets because of excessive CPU usage); normal (the DPI engine is running correctly).
dns-server
Use dns-server to specify the DNS server IPv4 address.
Use undo dns-server to restore the default.
Syntax
dns-server ip-address
undo dns-server
Default
No DNS server IPv4 address is specified.
Views
Email parameter profile view
Predefined user roles
network-admin
context-admin
Parameters
ip-address: Specifies the DNS server IPv4 address in dotted decimal notation.
Usage guidelines
If the email server is specified by host name, a DNS server is required to resolve the host name into an IP address.
Examples
# Specify the DNS server IPv4 address 192.168.0.1.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] dns-server 192.168.0.1
email-server
Use email-server to specify the email server.
Use undo email-server to restore the default.
Syntax
email-server address-string
undo email-server
Default
No email server is specified.
Views
Email parameter profile view
Predefined user roles
network-admin
context-admin
Parameters
address-string: Specifies the email server address, a case-sensitive string of 3 to 63 characters.
Usage guidelines
The email server address can be an IP address or a host name.
If you specify the email server by host name, make sure the device can resolve the host name into its IP address through static or dynamic DNS. Make sure the device and the email server can reach each other. For more information about DNS, see Layer 3—IP Services Configuration Guide.
If you execute this command multiple times for the same email parameter profile, the most recent configuration takes effect.
Examples
# Specify the email server rndcas.123.com.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] email-server rndcas.123.com
# Specify the email server at 192.168.1.1.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] email-server 192.168.1.1
export repeating-at
Use export repeating-at to set the daily export time for cached captured packets.
Use undo export repeating-at to restore the default.
Syntax
export repeating-at time
undo export repeating-at
Default
The system exports cached captured packets at 1:00 a.m. every day.
Views
Capture parameter profile view
Predefined user roles
network-admin
context-admin
Parameters
time: Specifies the daily export time in the format of hh:mm:ss in the range of 00:00:00 to 23:59:59.
Usage guidelines
The device exports cached captured packets to a URL and clears the cache at the daily export time, whether or not the volume of cached captured packets reaches the maximum.
Examples
# Configure the device to export cached captured packets at 2:00 a.m. every day in the capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1] export repeating-at 02:00:00
Related commands
capture-limit
export url
inspect capture parameter-profile
export url
Use export url to specify the URL to which the cached captured packets are exported.
Use undo export url to restore the default.
Syntax
export url url-string
undo export url
Default
No URL is specified for exporting the cached captured packets.
Views
Capture parameter profile view
Predefined user roles
network-admin
context-admin
Parameters
url-string: Specifies the URL, a string of 1 to 255 characters.
Usage guidelines
The device exports the cached captured packets to the specified URL at the daily export time or when the volume of cached captured packets reaches the maximum. After the captured packets are exported, the system clears the cache.
If you do not specify a URL, the device still attempts to export the cached captured packets at the daily export time or when the cache is full, but the export fails.
Examples
# Configure the device to export cached captured packets to URL tftp://192.168.100.100/upload in the capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1] export url tftp://192.168.100.100/upload
Related commands
capture-limit
export repeating-at
inspect capture parameter-profile
inspect activate
Use inspect activate to activate the policy and rule configurations for DPI service modules.
Syntax
inspect activate
Default
Changes made by creating, modifying, or deleting DPI service policies and rules do not take effect until they are activated.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
You can use the inspect activate command to manually bring the policy and rule configurations for DPI service modules into effect. This operation produces the same effect as saving the configuration and rebooting the device.
The inspect activate command can cause temporary service disruptions. As a best practice, execute this command after all DPI service policy and rule configurations are complete.
Examples
# Activate the policy and rule configurations for DPI service modules.
<Sysname> system-view
[Sysname] inspect activate
inspect block-source parameter-profile
Use inspect block-source parameter-profile to create a block source parameter profile and enter its view, or enter the view of an existing block source parameter profile.
Use undo inspect block-source parameter-profile to delete a block source parameter profile.
Syntax
inspect block-source parameter-profile parameter-name
undo inspect block-source parameter-profile parameter-name
Default
No block source parameter profiles exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
parameter-name: Specifies a block source parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In block source parameter profile view, you can set parameters for the block source action, such as the block period.
Examples
# Create a block source parameter profile named b1 and enter its view.
<Sysname> system-view
[Sysname] inspect block-source parameter-profile b1
[Sysname-inspect-block-source-b1]
Related commands
block-period
inspect bypass
Use inspect bypass to disable the DPI engine.
Use undo inspect bypass to enable the DPI engine.
Syntax
inspect bypass
undo inspect bypass
Default
The DPI engine is enabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Packet inspection in the DPI engine is a complex and resource-consuming process. When the CPU usage is high, you can disable the DPI engine to guarantee device performance. After you disable the DPI engine, packets are forwarded without DPI processing, so no DPI service inspects traffic until you enable the engine again.
Examples
# Disable the DPI engine.
<Sysname> system-view
[Sysname] inspect bypass
Related commands
display inspect status
inspect cache-option maximum
Use inspect cache-option maximum to set the maximum number of options to be cached per TCP or UDP data flow for further inspection.
Use undo inspect cache-option to restore the default.
Syntax
inspect cache-option maximum max-number
undo inspect cache-option
Default
The DPI engine can cache a maximum of 32 options per TCP or UDP data flow.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
max-number: Specifies the maximum number of options to be cached per TCP or UDP data flow. The value range is 1 to 254.
Usage guidelines
An inspection rule can contain multiple AC patterns, and each AC pattern can be associated with multiple options. A TCP or UDP data flow matches an inspection rule if the packets of the flow match all the AC patterns and options in the rule.
If a packet of a TCP or UDP data flow matches one AC pattern in an inspection rule, the DPI engine cannot yet determine whether the flow matches the rule. It continues to match packets of the flow against the remaining options and AC patterns in the rule, and caches any options that cannot be matched yet so that they can be matched against subsequent packets. The DPI engine determines that the flow matches the rule only when all options and AC patterns in the rule are matched.
The more options the DPI engine caches, the more likely it is to identify the application and the more accurate the inspection. However, caching more options requires more memory. If the device has high memory usage, configure the DPI engine to cache fewer options to improve device performance.
Typically, the default setting is sufficient for most scenarios.
Examples
# Configure the DPI engine to cache a maximum of four options per TCP or UDP data flow for further inspection.
<Sysname> system-view
[Sysname] inspect cache-option maximum 4
inspect capture parameter-profile
Use inspect capture parameter-profile to create a capture parameter profile and enter its view, or enter the view of an existing capture parameter profile.
Use undo inspect capture parameter-profile to delete a capture parameter profile.
Syntax
inspect capture parameter-profile parameter-name
undo inspect capture parameter-profile parameter-name
Default
No capture parameter profiles exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
parameter-name: Specifies a capture parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In capture parameter profile view, you can set parameters for the packet capture action, such as the maximum volume of cached captured packets.
Only the IPS module supports the packet capture action.
Examples
# Create a capture parameter profile named c1 and enter its view.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1]
Related commands
capture-limit
export repeating-at
export url
inspect cloud-server
Use inspect cloud-server to specify the server used by DPI services for cloud query.
Use undo inspect cloud-server to remove the cloud query server specified for DPI services.
Syntax
inspect cloud-server host-name
undo inspect cloud-server
Default
DPI services use the cloud query server with host name sec.h3c.com.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
host-name: Specifies the cloud query server by its host name, a case-insensitive string of 1 to 255 characters. Valid characters include letters, digits, underscores (_), hyphens (-), and dots (.).
Usage guidelines
The cloud query server supports URL filtering cloud query and anti-virus MD5 value cloud query.
For successful cloud query, make sure the device can resolve the host name of the cloud query server into an IP address through DNS. For more information about DNS, see DNS configuration in Layer 3—IP Services Configuration Guide.
This command is supported only on the default context. For more information about contexts, see context configuration in Virtual Technologies Configuration Guide.
Examples
# Specify the server with host name service.h3c.com for cloud query.
<Sysname> system-view
[Sysname] inspect cloud-server service.h3c.com
Related commands
cloud-query enable (anti-virus policy view)
cloud-query enable (URL filtering policy view)
inspect cpu-threshold disable
Use inspect cpu-threshold disable to disable inspection suspension upon excessive CPU usage.
Use undo inspect cpu-threshold disable to enable inspection suspension upon excessive CPU usage.
Syntax
inspect cpu-threshold disable
undo inspect cpu-threshold disable
Default
Inspection suspension upon excessive CPU usage is enabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Packet inspection in the DPI engine is a complex and resource-consuming process.
Inspection suspension upon excessive CPU usage works as follows:
· When the device's CPU usage rises to or above the CPU usage threshold, the DPI engine suspends packet inspection to guarantee the device performance.
· When the device's CPU usage drops to or below the CPU usage recovery threshold, the DPI engine resumes packet inspection.
Do not disable inspection suspension upon excessive CPU usage if the device's CPU usage is high.
Examples
# Disable inspection suspension upon excessive CPU usage.
<Sysname> system-view
[Sysname] inspect cpu-threshold disable
Related commands
display inspect status
inspect bypass
inspect stream-fixed-length disable
inspect email parameter-profile
Use inspect email parameter-profile to create an email parameter profile and enter its view, or enter the view of an existing email parameter profile.
Use undo inspect email parameter-profile to delete an email parameter profile.
Syntax
inspect email parameter-profile parameter-name
undo inspect email parameter-profile parameter-name
Default
No email parameter profiles exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
parameter-name: Specifies an email parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In email parameter profile view, you can set parameters for the email action. Email parameters include the email server, the email sender and receiver, and the username and password for logging in to the email server.
Examples
# Create an email parameter profile named c1 and enter its view.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1]
inspect file-uncompr-len
Use inspect file-uncompr-len to set the maximum data size that can be decompressed in a file.
Use undo inspect file-uncompr-len to restore the default.
Syntax
inspect file-uncompr-len max-size
undo inspect file-uncompr-len
Default
A maximum of 100 MB data can be decompressed in a file.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
max-size: Specifies the maximum data size in the range of 1 to 200 MB.
Usage guidelines
The device can decompress .zip files for file data inspection. This command sets the maximum amount of data that the device decompresses from a file. Data beyond this size is neither decompressed nor inspected.
Set an appropriate maximum data size for file decompression. A large value can cause the device to spend excessive time decompressing large files, which affects forwarding performance. A small value leaves more of each file uninspected and reduces the accuracy of the file inspection results for DPI services (such as anti-virus and data filtering).
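As an added illustration, not H3C code, the following Python shows bounded streaming decompression, the mechanism a per-file decompression limit relies on: only the budgeted number of bytes is inflated, so a small archive that expands to a very large file cannot tie up the inspector, while anything beyond the budget is a blind spot for the scanner. The archive, member name, marker string and byte-sized budget are constructed for the example; the device's own decompressor is not published and may differ.

```python
"""Bounded decompression of a zip member: added illustration, not H3C code.
The budget here is in bytes rather than MB so the constructed sample stays small."""
import io
import zipfile

MARKER = b"SAMPLE-MALICIOUS-MARKER"   # constructed stand-in for a signature hit


def build_sample_zip(payload: bytes, name: str = "report.bin") -> bytes:
    """Constructed test archive: one DEFLATE member holding the given payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def bounded_extract(zip_bytes: bytes, member: str, max_size: int):
    """Decompress at most max_size bytes of member, streaming.

    Returns (data, truncated). ZipExtFile inflates on demand, so bytes beyond
    the budget are never inflated; that is what keeps a highly compressible
    "bomb" from consuming the inspector's time and memory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, zf.open(member) as fh:
        out = bytearray()
        while len(out) < max_size:
            chunk = fh.read(min(64 * 1024, max_size - len(out)))
            if not chunk:
                return bytes(out), False          # whole member fit in the budget
            out += chunk
        truncated = bool(fh.read(1))              # peek: anything left is skipped
        return bytes(out), truncated


def scan_member(zip_bytes: bytes, member: str, max_size: int, marker: bytes = MARKER) -> bool:
    """Inspect only the decompressed budget; content beyond it is not seen."""
    data, _ = bounded_extract(zip_bytes, member, max_size)
    return marker in data


# Constructed sample: 4 MiB of zeros (compresses to a few KiB) with the marker at the very end,
# so a 1 MiB budget misses it and an 8 MiB budget finds it.
SAMPLE_ZIP = build_sample_zip(b"\x00" * (4 * 1024 * 1024) + MARKER)

if __name__ == "__main__":
    print("archive size:", len(SAMPLE_ZIP), "bytes")
    for budget in (1024 * 1024, 8 * 1024 * 1024):
        data, truncated = bounded_extract(SAMPLE_ZIP, "report.bin", budget)
        print(f"budget {budget}: inflated {len(data)} bytes, truncated={truncated}, "
              f"marker found={scan_member(SAMPLE_ZIP, 'report.bin', budget)}")
```

The trade-off the text describes is visible in the two runs: the smaller budget finishes quickly and never inflates most of the member, but a marker placed past the budget is simply not inspected.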
Examples
# Set the maximum data size that can be decompressed in a file to 150 MB.
<Sysname> system-view
[Sysname] inspect file-uncompr-len 150
inspect logging parameter-profile
Use inspect logging parameter-profile to create a logging parameter profile and enter its view, or enter the view of an existing logging parameter profile.
Use undo inspect logging parameter-profile to delete a logging parameter profile.
Syntax
inspect logging parameter-profile parameter-name
undo inspect logging parameter-profile parameter-name
Default
No logging parameter profiles exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
parameter-name: Specifies a logging parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In logging parameter profile view, you can set parameters for the logging action, such as the log output method.
Examples
# Create a logging parameter profile named log1 and enter its view.
<Sysname> system-view
[Sysname] inspect logging parameter-profile log1
[Sysname-inspect-logging-log1]
Related commands
log
inspect md5-verify all-files
Use inspect md5-verify all-files to enable MD5 hash-based virus inspection for all files.
Use undo inspect md5-verify all-files to restore the default.
Syntax
inspect md5-verify all-files
undo inspect md5-verify all-files
Default
The DPI engine performs MD5 hash-based virus inspection only for executable files, office files, and compressed files.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
This feature enables the DPI engine to generate MD5 hashes for all files and to compare the generated MD5 hashes with the MD5 rules in the signature library. If the MD5 hash generated for a file matches an MD5 rule in the signature library, the file is considered to contain viruses. Because the comparison is on the hash of the whole file, the check detects only files that are byte-for-byte identical to known samples; a modified copy of a known file has a different hash and is not detected by this feature.
This feature might degrade the processing performance of other services. Enable it only when necessary.
Examples
# Enable MD5 hash-based virus inspection for all files.
<Sysname> system-view
[Sysname] inspect md5-verify all-files
Related commands
display inspect md5-verify configuration
inspect optimization disable
Use inspect optimization disable to disable a DPI engine optimization feature.
Use undo inspect optimization disable to enable a DPI engine optimization feature.
Syntax
inspect optimization [ chunk | no-acsignature | raw | uncompress | url-normalization ] disable
undo inspect optimization [ chunk | no-acsignature | raw | uncompress | url-normalization ] disable
Default
All DPI engine optimization features are enabled.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
chunk: Specifies the chunked packet decoding feature.
no-acsignature: Specifies the inspection rules that do not contain AC patterns.
raw: Specifies the application layer payload decoding feature.
uncompress: Specifies the HTTP body uncompression feature.
url-normalization: Specifies the HTTP URL normalization feature.
Usage guidelines
If you do not specify any parameter, this command applies to all DPI engine optimization features.
DPI engine supports the following optimization features:
· Chunked packet decoding—Chunked transfer is an HTTP mechanism for sending the message body in pieces. The DPI engine must reassemble a chunked HTTP body before it can inspect the body. When the device throughput is too low to ensure basic communication, you can disable chunked packet decoding to improve device performance. However, when chunked packet decoding is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities, because it never sees the decoded body.
· Inspection rules that do not contain AC patterns—These rules contain only options and match packets by fields such as port numbers and error codes rather than by character strings. They are enabled by default to improve inspection accuracy. When the device throughput is too low to ensure basic communication, you can disable these rules to improve device performance.
· Application layer payload decoding—For application layer protocols that encode their payload, such as HTTP, SMTP, POP3, and IMAP4, the DPI engine must decode the payload before inspection. When the device throughput is too low to ensure basic communication, you can disable application layer payload decoding to improve device performance. However, disabling it reduces the inspection accuracy of the DPI engine.
· HTTP body uncompression—If the HTTP body is compressed, the DPI engine must uncompress it before inspection. When the device throughput is too low to ensure basic communication, you can disable HTTP body uncompression to improve device performance. However, when HTTP body uncompression is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities, because attack content carried in a compressed body stays compressed.
· HTTP URL normalization—HTTP URL normalization resolves the absolute path in a URL and standardizes and checks special URLs before matching. For example, the absolute path test/dpi/../index.html is normalized as test/index.html. When the device throughput is too low to ensure basic communication, you can disable HTTP URL normalization to improve device performance. However, when HTTP URL normalization is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities, including attacks that disguise a path with ../ sequences or encoding.
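The following Python model, added here as an illustration and not taken from H3C code or documentation, shows why three of these decoding steps matter to detection. It implements chunked decoding, gzip body uncompression and URL path normalization as small functions and runs a constructed HTTP request through them with each step switchable, mirroring the chunk, uncompress and url-normalization keywords. The signature strings, the request and the way the functions are combined are assumptions for the example; the engine's actual matcher is not published.

```python
"""Why the DPI engine decodes before it matches: added illustration, not H3C code.
With a decoding step disabled, the signature is never visible to the matcher."""
import gzip
import posixpath
import re
import urllib.parse


def normalize_url_path(path: str) -> str:
    """Percent-decode once, collapse runs of "/" and resolve "." and ".." segments."""
    decoded = urllib.parse.unquote(path)
    collapsed = re.sub(r"/+", "/", decoded)   # "//" would otherwise survive normpath
    return posixpath.normpath(collapsed)


def path_matches(path: str, signature: str, url_normalization: bool = True) -> bool:
    seen = normalize_url_path(path) if url_normalization else path
    return signature in seen


def decode_chunked(body: bytes) -> bytes:
    """Undo HTTP chunked transfer encoding (hex size line, data, CRLF, ..., 0 chunk)."""
    out = bytearray()
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)   # drop chunk extensions
        pos = line_end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2                                      # skip CRLF after the data
    return bytes(out)


def build_chunked(data: bytes, chunk_size: int = 7) -> bytes:
    """Constructed sender side: split data into fixed-size chunks."""
    out = bytearray()
    for i in range(0, len(data), chunk_size):
        piece = data[i:i + chunk_size]
        out += b"%x\r\n%s\r\n" % (len(piece), piece)
    return bytes(out + b"0\r\n\r\n")


def visible_payload(headers: dict, body: bytes, chunk: bool = True, uncompress: bool = True) -> bytes:
    """The body as the matcher sees it; each decoding step can be switched off."""
    data = body
    if chunk and headers.get("Transfer-Encoding") == "chunked":
        data = decode_chunked(data)
    if uncompress and headers.get("Content-Encoding") == "gzip":
        try:
            data = gzip.decompress(data)
        except (OSError, EOFError):       # still chunked, or truncated: only raw bytes to inspect
            pass
    return data


def body_matches(signature: bytes, headers: dict, body: bytes, **opts) -> bool:
    return signature in visible_payload(headers, body, **opts)


# Constructed sample request: a traversal payload sent gzip-compressed and chunked,
# plus a path that only resolves to the protected resource after normalization.
SIGNATURE = b"/etc/passwd"
ATTACK_BODY = b"file=../../../../etc/passwd&mode=read"
HEADERS = {"Transfer-Encoding": "chunked", "Content-Encoding": "gzip"}
WIRE_BODY = build_chunked(gzip.compress(ATTACK_BODY))
EVASIVE_PATH = "/static/../admin//%63onfig.cgi"   # resolves to /admin/config.cgi

if __name__ == "__main__":
    for opts in ({}, {"chunk": False}, {"uncompress": False}):
        print(opts or "all decoding on", "->", body_matches(SIGNATURE, HEADERS, WIRE_BODY, **opts))
    print("normalized path:", normalize_url_path(EVASIVE_PATH))
```

Running it shows the point in the text: with every step on, both the body signature and the path signature are found; switch off chunked decoding and the matcher sees hex size lines and compressed bytes, switch off uncompression and it sees a gzip stream, and with normalization off the path signature /admin/config.cgi never appears in the raw request line.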
Examples
# Disable all DPI engine optimization features.
<Sysname> system-view
[Sysname] inspect optimization disable
inspect packet maximum
Use inspect packet maximum to set the maximum number of payload-carrying packets to be inspected per data flow.
Use undo inspect packet to restore the default.
Syntax
inspect packet maximum max-number
undo inspect packet
Default
The DPI engine can inspect a maximum of 32 payload-carrying packets per data flow.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
max-number: Specifies the maximum number of payload-carrying packets to be inspected per data flow, in the range of 1 to 254.
Usage guidelines
If the DPI engine finds that the first payload-carrying packet of a data flow does not match any inspection rule, it inspects the next payload-carrying packet, and so on. If the DPI engine has inspected the maximum number of payload-carrying packets without finding a matching inspection rule, it determines that the flow does not match any rule and allows the flow to pass without inspecting its remaining packets.
The more payload-carrying packets DPI engine inspects, the more likely that DPI engine identifies the application information and the more accurate the DPI engine inspection.
Typically, the default setting is sufficient for most scenarios. You can adjust the setting according to your network condition.
· If the device throughput is high, increase the maximum number value.
· If the device throughput is low, decrease the maximum number value.
Examples
# Allow the DPI engine to inspect a maximum of 16 payload-carrying packets per data flow for application identification.
<Sysname> system-view
[Sysname] inspect packet maximum 16
inspect redirect parameter-profile
Use inspect redirect parameter-profile to create a redirect parameter profile and enter its view, or enter the view of an existing redirect parameter profile.
Use undo inspect redirect parameter-profile to delete a redirect parameter profile.
Syntax
inspect redirect parameter-profile parameter-name
undo inspect redirect parameter-profile parameter-name
Default
No redirect parameter profiles exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
parameter-name: Specifies a redirect parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In redirect parameter profile view, you can set parameters for the redirect action, such as the URL to which packets are redirected.
Examples
# Create a redirect parameter profile named r1 and enter its view.
<Sysname> system-view
[Sysname] inspect redirect parameter-profile r1
[Sysname-inspect-redirect-r1]
inspect signature auto-update proxy
Use inspect signature auto-update proxy to specify the proxy server used by DPI services for online signature update.
Use undo inspect signature auto-update proxy to restore the default.
Syntax
inspect signature auto-update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name password { cipher | simple } string ]
undo inspect signature auto-update proxy
Default
The proxy server used by DPI services for online signature update is not specified.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
domain domain-name: Specifies a proxy server by its domain name, a case-insensitive string of 3 to 63 characters.
ip ip-address: Specifies a proxy server by its IPv4 address.
port port-number: Specifies the port number used by the proxy server. The value range is 1 to 65535, and the default is 80.
user user-name: Specifies the username used to log in to the proxy server. The username is a case-insensitive string of 1 to 31 characters.
password: Specifies the password used to log in to the proxy server.
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password in plaintext form will be stored in encrypted form.
string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 31 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.
Usage guidelines
The device must access the company's website for online signature update of DPI services such as URL filtering. If direct connectivity is not available, the device can access the company's website through the specified proxy server. For more information about online signature update, see DPI Configuration Guide.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the proxy server www.abc.com on port 8888, and set the login username and password to admin.
<Sysname> system-view
[Sysname] inspect signature auto-update proxy domain www.abc.com port 8888 user admin password simple admin
inspect source-port-identify enable
Use inspect source-port-identify enable to enable source port-based application identification.
Use undo inspect source-port-identify enable to disable source port-based application identification.
Syntax
inspect source-port-identify enable
undo inspect source-port-identify enable
Default
Source port-based application identification is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
You can use this feature to identify traffic of applications that use fixed source ports when the following conditions are true:
· The types of traffic transmitted over networks are relatively unvaried and use fixed source ports.
· Destination port-based application identification or signature-based traffic content identification is not supported.
The application identification results produced by this feature might not be accurate. Configure this feature according to your live network as a best practice.
Examples
# Enable source port-based application identification.
<Sysname> system-view
[Sysname] inspect source-port-identify enable
inspect stream-fixed-length disable
Use inspect stream-fixed-length disable to disable the stream fixed length inspection feature.
Use undo inspect stream-fixed-length disable to enable the stream fixed length inspection feature.
Syntax
inspect stream-fixed-length disable
undo inspect stream-fixed-length disable
Default
The stream fixed length inspection feature is enabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
The stream fixed length inspection feature enables the DPI engine to inspect only a fixed length of data for a stream instead of the whole packet data in a stream.
Examples
# Disable the stream fixed length inspection feature.
<Sysname> system-view
[Sysname] inspect stream-fixed-length disable
Related commands
inspect cpu-threshold disable
inspect stream-fixed-length
inspect stream-fixed-length
Use inspect stream-fixed-length to set the fixed data inspection length for application protocols.
Use undo inspect stream-fixed-length to restore the default.
Syntax
inspect stream-fixed-length { email | ftp | http | nfs | smb } * length
undo inspect stream-fixed-length
Default
The fixed data inspection length is 32 Kilobytes for FTP, HTTP, NFS, SMB, and email protocols.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
email: Specifies email protocols, including SMTP, POP3 and IMAP.
ftp: Specifies the FTP protocol.
http: Specifies the HTTP protocol.
nfs: Specifies the NFS protocol.
smb: Specifies the SMB protocol.
length: Specifies the fixed data length in the range of 1 to 2048 Kilobytes.
Usage guidelines
The larger the inspection length value, the lower the device throughput, and the higher the packet inspection accuracy.
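The following Python simulation is an added illustration of the inspection-window behaviour described in the usage guideline; it is not device code and the marker bytes, filler bytes and helper names (`inspect_stream`, `build_sample_stream`) are constructed for the demonstration. The per-protocol limit dictionary assumes the 32 KB default for every protocol keyword and accepts overrides in the same shape as the command's `{ email | ftp | http | nfs | smb } * length` arguments. It shows why a larger length costs throughput (more bytes scanned per stream) and why a shorter one costs accuracy (a pattern located past the window, or straddling its boundary, is never seen).

```python
"""Simulate the stream fixed-length inspection trade-off of a DPI engine.

Added illustration, not device code: the engine scans only the first
limit_kb kilobytes of each stream (32 KB by default for FTP, HTTP, NFS, SMB
and the email protocols). Fewer bytes scanned means higher throughput; a
pattern beyond the window is never seen, which is the accuracy cost the
usage guideline describes.
"""
from dataclasses import dataclass

KB = 1024

# Defaults from the command reference: 32 KB for every protocol keyword.
DEFAULT_LIMITS_KB = {"email": 32, "ftp": 32, "http": 32, "nfs": 32, "smb": 32}


@dataclass
class InspectResult:
    protocol: str
    bytes_scanned: int   # proxy for inspection cost (throughput impact)
    matched: bool
    match_offset: int    # -1 when the pattern is not inside the inspected window


def inspect_stream(protocol, payload, pattern, limits_kb=None):
    """Search `pattern` only inside the first limits_kb[protocol] KB of `payload`.

    `limits_kb` mirrors the command's per-protocol length arguments (assumed
    shape, e.g. {"ftp": 35, "http": 40}); protocols not listed keep 32 KB.
    A pattern that straddles the window boundary is not matched, because the
    scanner stops reading at the limit.
    """
    limits = dict(DEFAULT_LIMITS_KB)
    if limits_kb:
        limits.update(limits_kb)
    if protocol not in limits:
        raise ValueError(f"unknown protocol keyword: {protocol}")
    window = payload[: limits[protocol] * KB]
    offset = window.find(pattern)
    return InspectResult(protocol, len(window), offset != -1, offset)


def build_sample_stream(marker, marker_offset, total_len):
    """Constructed sample payload: filler bytes with `marker` at `marker_offset`."""
    if marker_offset + len(marker) > total_len:
        raise ValueError("marker does not fit in the stream")
    filler_after = total_len - marker_offset - len(marker)
    return b"A" * marker_offset + marker + b"B" * filler_after


if __name__ == "__main__":
    marker = b"CONSTRUCTED-TEST-PATTERN"
    stream = build_sample_stream(marker, 38 * KB, 60 * KB)
    # Default 32 KB window: the marker at 38 KB lies beyond the inspected data.
    print(inspect_stream("http", stream, marker))
    # The page's example raises HTTP to 40 KB; the marker is now inside the window.
    print(inspect_stream("http", stream, marker, {"ftp": 35, "http": 40}))
    # FTP stays at 35 KB in that example, so the same marker is still missed there.
    print(inspect_stream("ftp", stream, marker, {"ftp": 35, "http": 40}))
```

Reading `bytes_scanned` across the three calls makes the trade-off concrete: the 40 KB HTTP window scans a quarter more data per stream than the default and is the only one that reports a match.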
Examples
# Set the fixed data inspection length to 35 Kilobytes for FTP and 40 Kilobytes for HTTP.
<Sysname> system-view
[Sysname] inspect stream-fixed-length ftp 35 http 40
Related commands
inspect cpu-threshold disable
inspect stream-fixed-length disable
inspect tcp-reassemble enable
Use inspect tcp-reassemble enable to enable the TCP segment reassembly feature.
Use undo inspect tcp-reassemble enable to disable the TCP segment reassembly feature.
Syntax
inspect tcp-reassemble enable
undo inspect tcp-reassemble enable
Default
The TCP segment reassembly feature is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
DPI engine inspection might fail if TCP segments arrive at the engine out of order. For example, the DPI engine searches for the keywords "this is a secret". If the TCP segment containing "a secret" arrives before the one containing "this is", the inspection fails.
The TCP segment reassembly feature enables the device to cache out-of-order TCP segments of the same TCP flow and reassembles the segments before submitting them to the DPI engine for inspection. This helps improve the DPI engine inspection accuracy.
Segment reassembly fails because of missing segments when the number of cached TCP segments of a flow reaches the limit. In this case, the device submits the cached segments, without reassembling them, and all subsequent segments of the flow to the DPI engine. This helps reduce degradation of device performance.
Examples
# Enable the TCP segment reassembly feature.
<Sysname> system-view
[Sysname] inspect tcp-reassemble enable
Related commands
inspect tcp-reassemble max-segment
inspect tcp-reassemble max-segment
Use inspect tcp-reassemble max-segment to set the maximum number of TCP segments that can be cached per TCP flow.
Use undo inspect tcp-reassemble max-segment to restore the default.
Syntax
inspect tcp-reassemble max-segment max-number
undo inspect tcp-reassemble max-segment
Default
A maximum of 10 TCP segments can be cached for reassembly per TCP flow.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
max-number: Specifies the maximum number of TCP segments that can be cached per TCP flow, in the range of 10 to 50.
Usage guidelines
Set the limit for the number of TCP segments that can be cached per flow according to your network requirements. The higher the limit, the higher the inspection accuracy, and the lower the device performance.
This command takes effect only when the TCP segment reassembly feature is enabled.
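The following Python model is an added illustration of the behaviour described in the usage guidelines of inspect tcp-reassemble enable and inspect tcp-reassemble max-segment; it is not device code, and the `FlowReassembler` class, the `inspect_chunks` scanner and the segment contents are constructed for the demonstration. It assumes a keyword engine that keeps a short carry-over between the chunks it receives, feeds it the page's "this is a secret" example with the two segments swapped, and then shows the max-segment fallback: once the per-flow cache fills because a segment is missing, cached segments are released in arrival order without reassembly and the keyword is no longer found.

```python
"""Simulate DPI keyword inspection with and without TCP segment reassembly.

Added illustration, not device code. Segments of one flow may reach the
engine out of order; without reassembly the engine sees them in arrival
order and a keyword split across segments is missed. With reassembly the
out-of-order segments are cached (up to max_segment per flow) and contiguous
data is handed over in sequence order. If the cache fills because a segment
is missing, the cached segments are released unreassembled and every later
segment of the flow bypasses reassembly, as the usage guideline describes.
"""


def inspect_chunks(chunks, keyword):
    """Stateful keyword scan over chunks in the order received.

    A carry-over of len(keyword)-1 bytes lets a keyword that spans two
    consecutive chunks still match; order still matters, as the demo shows.
    """
    carry = b""
    keep = max(len(keyword) - 1, 0)
    for chunk in chunks:
        buf = carry + chunk
        if keyword in buf:
            return True
        carry = buf[-keep:] if keep else b""
    return False


class FlowReassembler:
    """Per-flow reassembly cache for one direction of a TCP flow."""

    def __init__(self, isn=0, max_segment=10):
        self.next_seq = isn          # next expected sequence number
        self.max_segment = max_segment
        self.cache = {}              # seq -> data, insertion order = arrival order
        self.reassembly_off = False  # set once the cache limit was hit

    def feed(self, seq, data):
        """Return the chunks the engine should inspect after this arrival."""
        if self.reassembly_off:
            return [data]            # limit already hit: pass through as-is
        if seq < self.next_seq:
            return []                # duplicate/retransmission of inspected data
        if seq == self.next_seq:
            out = data
            self.next_seq += len(data)
            # Pull every cached segment that now becomes contiguous.
            while self.next_seq in self.cache:
                nxt = self.cache.pop(self.next_seq)
                out += nxt
                self.next_seq += len(nxt)
            return [out]
        # Out of order: hold it until the gap in front of it is filled.
        self.cache[seq] = data
        if len(self.cache) >= self.max_segment:
            self.reassembly_off = True
            flushed = list(self.cache.values())   # arrival order, not reassembled
            self.cache.clear()
            return flushed
        return []


def run_scenario(arrivals, keyword, reassemble=True, max_segment=10, isn=0):
    """Feed (seq, data) pairs in arrival order; report whether the engine matched."""
    if not reassemble:
        chunks = [data for _, data in arrivals]
    else:
        flow = FlowReassembler(isn=isn, max_segment=max_segment)
        chunks = []
        for seq, data in arrivals:
            chunks.extend(flow.feed(seq, data))
    return inspect_chunks(chunks, keyword)


# Constructed sample flows. The page's example split into two segments,
# arriving with the second segment first.
KEYWORD = b"this is a secret"
SWAPPED = [(8, b"a secret"), (0, b"this is ")]
# Same start, then nine more out-of-order segments while segment 0 is still
# missing; with max-segment 10 the cache fills before segment 0 arrives.
GAP = [(8, b"a secret")] + [(16 + 4 * i, b"pad%d" % i) for i in range(9)] + [(0, b"this is ")]

if __name__ == "__main__":
    print("swapped, no reassembly :", run_scenario(SWAPPED, KEYWORD, reassemble=False))
    print("swapped, reassembly    :", run_scenario(SWAPPED, KEYWORD))
    print("gap, max-segment 10    :", run_scenario(GAP, KEYWORD, max_segment=10))
    print("gap, max-segment 20    :", run_scenario(GAP, KEYWORD, max_segment=20))
```

The last two lines are the max-segment trade-off in miniature: with the default of 10 the flow falls back to unreassembled delivery and the keyword is lost, while a higher limit keeps the segments cached long enough for the late segment to complete the stream, at the cost of holding more data per flow.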
Examples
# Allow the device to cache a maximum of 20 TCP segments for each TCP flow.
<Sysname> system-view
[Sysname] inspect tcp-reassemble max-segment 20
Related commands
inspect tcp-reassemble enable
log
Use log to specify the log storage method.
Use undo log to cancel the specified log storage method.
Syntax
log { email | syslog }
undo log { email | syslog }
Default
Logs are exported to the information center.
Views
Logging parameter profile view
Predefined user roles
network-admin
context-admin
Parameters
email: Emails the logs to a receiver.
syslog: Exports the logs to the information center.
Examples
# Configure the device to export logs to the information center in logging parameter profile log1.
<Sysname> system-view
[Sysname] inspect logging parameter-profile log1
[Sysname-inspect-logging-log1] log syslog
Related commands
inspect logging parameter-profile
log language
Use log language to set the language for IPS log output to Chinese.
Use undo log language to restore the default.
Syntax
log language chinese
undo log language chinese
Default
IPS logs are output in English.
Views
Logging parameter profile view
Predefined user roles
network-admin
context-admin
Usage guidelines
After you execute this command, only the attack name field of IPS logs is displayed in Chinese. For more information about IPS logs, see IPS in DPI Command Reference.
Examples
# Set the language for IPS log output to Chinese.
<Sysname> system-view
[Sysname] inspect logging parameter-profile log1
[Sysname-inspect-log-para-log1] log language chinese
Related commands
inspect logging parameter-profile
password
Use password to specify the password for logging in to the email server.
Use undo password to restore the default.
Syntax
password { cipher | simple } string
undo password
Default
No password is specified for logging in to the email server.
Views
Email parameter profile view
Predefined user roles
network-admin
context-admin
Parameters
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
Usage guidelines
If you execute this command multiple times for the same email parameter profile, the most recent configuration takes effect.
Examples
# Specify abc123 as the plaintext password for logging in to the email server.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] password simple abc123
Related commands
authentication enable
receiver
Use receiver to specify the email receiver address.
Use undo receiver to restore the default.
Syntax
receiver address-string
undo receiver
Default
No email receiver address is specified.
Views
Email parameter profile view
Predefined user roles
network-admin
context-admin
Parameters
address-string: Specifies the address of the email receiver, a case-sensitive string of 3 to 511 characters.
Usage guidelines
You can specify multiple semicolon-separated email receiver addresses in one command.
Examples
# Specify the email receiver addresses [email protected] and [email protected].
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] receiver [email protected];[email protected]
redirect-url
Use redirect-url to specify the URL to which packets are redirected.
Use undo redirect-url to restore the default.
Syntax
redirect-url url-string
undo redirect-url
Default
No URL is specified for packet redirecting.
Views
Redirect parameter profile view
Predefined user roles
network-admin
context-admin
Parameters
url-string: Specifies the URL, a case-sensitive string of 9 to 63 characters. The URL must start with http:// or https://, for example, http://www.baidu.com.
Usage guidelines
After you specify a URL, matching packets will be redirected to the webpage that the URL identifies.
Examples
# Specify http://www.abc.com/upload as the URL for packet redirecting.
<Sysname> system-view
[Sysname] inspect redirect parameter-profile r1
[Sysname-inspect-redirect-r1] redirect-url http://www.abc.com/upload
Related commands
inspect redirect parameter-profile
secure-authentication enable
Use secure-authentication enable to enable the secure password transmission feature.
Use undo secure-authentication enable to disable the secure password transmission feature.
Syntax
secure-authentication enable
undo secure-authentication enable
Default
The secure password transmission feature is disabled.
Views
Email parameter profile view
Predefined user roles
network-admin
context-admin
Usage guidelines
After the secure password transmission feature is enabled, a security channel is established between the device and the email server to transmit the password for email server login.
Examples
# Enable the secure password transmission feature.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] secure-authentication enable
Related commands
authentication enable
sender
Use sender to specify the email sender address.
Use undo sender to restore the default.
Syntax
sender address-string
undo sender
Default
No email sender address is specified.
Views
Email parameter profile view
Predefined user roles
network-admin
context-admin
Parameters
address-string: Specifies the address of the email sender, a case-sensitive string of 3 to 63 characters.
Usage guidelines
The email sender address is the source address that the device uses to send emails to destinations.
Examples
# Specify the email sender address [email protected].
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] sender [email protected]
username
Use username to specify the username for logging in to the email server.
Use undo username to restore the default.
Syntax
username name-string
undo username
Default
No username is specified for logging in to the email server.
Views
Email parameter profile view
Predefined user roles
network-admin
context-admin
Parameters
name-string: Specifies the username, a case-sensitive string of 1 to 63 characters.
Usage guidelines
If you execute this command multiple times for the same email parameter profile, the most recent configuration takes effect.
Examples
# Specify han as the username for logging in to the email server.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] username han
Related commands
authentication enable