Contents

WAF commands· 1

action· 1

attack-category· 2

display waf policy· 3

display waf signature· 5

display waf signature library· 7

display waf signature pre-defined· 8

object-dir 9

override-current 10

protected-target 11

severity-level 12

signature override· 13

signature override all 14

update schedule· 15

waf apply policy· 16

waf parameter-profile· 17

waf policy· 18

waf signature auto-update· 19

waf signature auto-update-now· 19

waf signature rollback· 20

waf signature update· 20

 

WAF commands

The following compatibility matrix shows the support of hardware platforms for WAF:

?

Hardware	WAF compatibility
F1000-A-G3, F1000-C-G3, F1000-E-G3, F1000-S-G3	Yes
F100-A-G3, F100-E-G3	Yes
F100-C-G3, F100-M-G3, F100-S-G3	No
F1000-E-VG	Yes
F1000-S-VG	No
F100-A-G2, F100-E-G2	Yes
F100-C-G2, F100-M-G2, F100-S-G2	No
F1000-C-EI, F100-A-EI, F100-A-SI, F100-E-EI	Yes
F100-C-EI	No
F100-A80-WiNet	Yes
F100-C80-WiNet, F100-C60-WiNet, F100-C50-WiNet, F100-S80-WiNet	No
F1000-C8180, F1000-C8170, F1000-C8160	Yes
F1000-C8150, F1000-C8130, F1000-C8120, F1000-C8110	No
F100-C-A6, F100-C-A5, F100-C-A3	No
F100-C-A6-WL, F100-C-A5-W, F100-C-A3-W	No
F1000-C-HI, F100-A-HI	Yes
F100-C-HI, F100-S-HI	No
F1000-990-AI, F1000-980-AI, F1000-970-AI, F1000-960-AI, F1000-950-AI, F1000-930-AI, F1000-920-AI	Yes
LSPM6FWD8, LSQM2FWDSC8	Yes

?

action

Use action to configure the action criterion for WAF signature filtering in a WAF policy.

Use undo action to restore the default.

Syntax

action { block-source | drop | permit | reset } *

undo action

Default

The action attribute is not used for WAF signature filtering.

Views

WAF policy view

Predefined user roles

network-admin

context-admin

Parameters

block-source: Specifies the block source action.

drop: Specifies the drop action.

permit: Specifies the permit action.

reset: Specifies the reset action.

Usage guidelines

This command filters the WAF signatures that a WAF policy uses based on the actions associated with the signatures.

You can repeat this command to specify multiple actions in an action criterion. The WAF policy uses a WAF signature if the signature is associated with any of the specified actions.

You cannot use this command during the signature update.

Examples

# Configure WAF policy test-policy to use WAF signatures associated with the drop or reset action.

<Sysname> system-view

[Sysname] waf policy test-policy

[Sysname-waf-policy-test-policy] action drop reset

Related commands

display waf policy

attack-category

Use attack-category to specify an attack category criterion to filter WAF signatures in a WAF policy.

Use undo attack-category to delete an attack category criterion.

Syntax

attack-category { category [ sub-category subcategory ] | all}

undo attack-category { category [ sub-category subcategory | all] }

Default

The attack category attribute is not used for WAF signature filtering.

Views

WAF policy view

Predefined user roles

network-admin

context-admin

Parameters

category: Specifies an attack category by its name. Category names are case insensitive. To view the names of attack categories, enter a question mark (?) after the attack-category keyword.

sub-category subcategory: Specifies a subcategory of the attack category. Subcategory names are case insensitive. To view the names of supported subcategories, enter a question mark (?) after the sub-category keyword. If you do not specify a subcategory, this command matches any WAF signature with a subcategory of the specified attack category.

all: Specifies all attack categories.

Usage guidelines

This command filters the WAF signatures that a WAF policy uses based on the attack category attribute of the signatures.

You can execute this command multiple times to specify multiple attack category criteria in a WAF policy. The WAF policy uses a WAF signature if the signature matches any of the configured ?attack category criteria.

Examples

# Configure WAF policy test-policy to use WAF signatures with the SQLInjection attack subcategory of the Vulnerability attack category.

<Sysname> system-view

[Sysname] waf policy test-policy

[Sysname-waf-policy-test-policy] attack-category Vulnerability sub-category SQLInjection

Related commands

display waf policy

display waf policy

Use display waf policy to display WAF policy information.

Syntax

display waf policy policy-name

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

policy-name: Specifies a WAF policy by its name, a case-insensitive string of 1 to 63 characters.

Examples

# Display information about WAF policy aa.

<Sysname> display waf policy aa

Protected website: a

? Domain: www.baidu.com

? IP address: 1.1.1.1

? Port: 1

?Protected website: b

? Domain: www.ali.com

? IP address: 1.1.1.2

? Port: 2

Applied CC defense policy: a

Total signature count??????? : 100

?Pre-defined signature count? : 10

?User-defined signature count: 90

 

Flags:

? B: Block-source? D: Drop? P: Permit? Rs: Reset? Rd: Redirect? C: Capture? L: L

ogging

? Pre: pre-defined? User: user-defined

 

Type SigID??? Target????????? SubTarget?????? Severity Direction Category?????

? SubCategory???? Status? Action???????????????????????????????????????????????

Pre? 23723???? OperationSystem Any???????????? High???? Any?????? Vulnerability

? RemoteCodeExecu Enable? RsL??????????????????????????????????????????????????

Pre? 24728???? OperationSystem Any???????????? Critical Server??? Malware??????

? Backdoor?? ?????Enable? DL???????????????????????????????????????????????????

Pre? 25066???? OperationSystem Any???????????? Critical Any?????? Malware??????

? Backdoor??????? Enable? DL???????????????????????????????????????????????????

Pre? 25067???? OperationSystem Any???????????? Critical Server??? Malware??????

? Backdoor??????? Enable? RsL??????????????????????????????????????????????????

Pre? 25824???? OperationSystem Any???????????? Critical Server??? Vulnerability

? Overflow??????? Enable? RsL????????? ?????????????????????????????????????????

---- More ----

Table 1 Command output

Field	Description
Protected website	Name of the protected website.
Domain	Domain name of the protected website.
IP address	IPv4 address of the protected website.
Port	Port number of the protected website.
Applied CC defense policy	CC defense policy associated in the WAF module.
Total signature count	Total number of WAF signatures.
Pre-defined signature count	Total number of predefined WAF signatures.
User-defined signature count	Total number of user-defined signatures.
Type	Type of the WAF signature: ·     Pre—Predefined WAF signatures. ·     User—User-defined signatures.
SigID	Signature ID.
Target	Attacked target
SubTarget	Attacked subtarget.
Severity	Attack severity level of the signature, Low, Medium, High, or Critical.
Category	Attack category of the signature.
SubCategory	Attack subcategory of the signature.
Status	Status of the WAF signature, Enabled or Disabled.
Action	Actions for matching packets: ·     Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist. ·     Drop—Drops matching packets. ·     Permit—Permits matching packets to pass. ·     Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages. ·     Redirect—Redirects matching packets to a webpage. ·     Capture—Captures matching packets. ·     Logging—Logs matching packets.

?

 

display waf signature

Use display waf signature to display brief WAF signature information.

Syntax

display waf signature [ pre-defined ] [ direction { any | to-client | to-server } ] [ category category-name | fidelity { high | low | medium } | severity { critical | high | low | medium } ] *

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

pre-defined: Specifies predefined WAF signatures.

user-defined: Specifies user-defined WAF signatures.

direction { any | to-client | to-server }: Specifies a direction attribute. If you do not specify a direction attribute, this command displays WAF signatures with any direction attribute.

·     any: Specifies both directions of a session.

·     to-server: Specifies the client to server direction of a session.

·     to-client: Specifies the server to client direction of a session.

category category-name: Specifies an attack category. To view the names of supported attack categories, enter a question mark (?) after the category keyword. If you do not specify an attack category, this command displays WAF signatures for all attack categories.

fidelity { high | low | medium }: Specifies a fidelity level. If you do not specify a fidelity level, this command displays WAF signatures of all fidelity levels. The fidelity level indicates the attack detection accuracy.

·     low: Specifies the low fidelity.

·     medium: Specifies the medium fidelity.

·     high: Specifies the high fidelity.

severity { critical | high | low | medium }: Specifies an attack severity level. If you do not specify a severity level, this command displays WAF signatures for all severity levels of attacks.

·     low: Specifies the low severity level.

·     medium: Specifies the medium severity level.

·     high: Specifies the high severity level.

·     critical: Specifies the critical severity level.

Usage guidelines

If you do not specify any options, this command displays all WAF signatures.

Examples

# Display predefined WAF signatures of the medium fidelity level.

<Sysname> display waf signature pre-defined fidelity medium

Pre-defined? signatures total:88??????? failed:0

 

Flag:

? Pre: predefined?? User: user-defined

 

Type SigID????? Direction Severity Fidelity Category????? Protocol SigName

Pre? 3295?????? To-client Critical Medium?? Vulnerability TCP

Pre? 5379?????? To-client Critical Medium?? Vulnerability TCP

Pre? 6017?????? To-client Critical Medium?? Vulnerability TCP

Pre? 7453?????? To-server High???? Medium?? Other???????? TCP

Pre? 10033????? To-client High???? Medium?? Vulnerability TCP

Pre? 23227????? To-server Medium?? Medium?? Vulnerability TCP

Pre? 23285?? ???To-server Medium?? Medium?? Vulnerability TCP

Pre? 23309????? To-server Medium?? Medium?? Vulnerability TCP

Pre? 23482????? To-server High???? Medium?? Vulnerability TCP

Pre? 23530????? To-server High???? Medium?? Vulnerability TCP

Pre? 23666????? To-server High???? Medium?? Vulnerability TCP

Pre? 23722????? To-server Medium?? Medium?? Vulnerability TCP

Pre? 23747????? To-server Medium?? Medium?? Vulnerability TCP

Pre? 24346????? To-client Medium?? Medium?? Vulnerability TCP

Pre? 25044????? To-server High???? Medium?? Vulnerability TCP

Pre? 25086????? To-server High???? Medium?? Vulnerability TCP

Pre? 25100????? To-server High???? Medium?? Vulnerability TCP

---- More ----

# Display WAF signatures of the high attack severity level.

<Sysname> display waf signature severity high

Total signatures??????? :45??????? failed:0

?Pre-defined? signatures total:45??????? failed:0

?User-defined signatures total:0???????? failed:0

 

Flag:

? Pre: predefined?? User: user-defined

 

Type SigID????? Direction Severity Fidelity Category????? Protocol SigName

Pre? 7453?????? To-server High???? Medium?? Other???????? TCP

Pre? 10033????? To-client High???? Medium?? Vulnerability TCP

Pre? 23192????? To-server High???? High???? Vulnerability TCP

Pre? 23448????? To-server High???? High???? Vulnerability TCP

Pre? 23474????? To-server High???? Low????? Vulnerability TCP

Pre? 23482????? To-server High???? Medium?? Vulnerability TCP

Pre? 23530????? To-server High???? Medium?? Vulnerability TCP

Pre? 23666????? To-server High???? Medium? ?Vulnerability TCP

Pre? 24485????? To-server High???? High???? Vulnerability TCP

Pre? 25044????? To-server High???? Medium?? Vulnerability TCP

Pre? 25086????? To-server High???? Medium?? Vulnerability TCP

Pre? 25100????? To-server High???? Medium?? Vulnerability TCP

Pre? 30781????? To-server High???? Medium?? Vulnerability TCP

Pre? 30807????? To-server High???? Medium?? Vulnerability TCP

Pre? 30851????? To-server High???? Medium?? Vulnerability TCP

---- More ----

Table 2 Command output

Field	Description
Total signatures	Total number of WAF signatures.
Pre-defined signature total	Total number of predefined WAF signatures.
User-defined signature total	Total number of user-defined WAF signatures.
Type	Type of the WAF signature: ·     Pre—Predefined WAF signatures. ·     User—User-defined signatures.
SigID	Signature ID.
Direction	Direction attribute of the signature: ·     any—Specifies both directions of a session. ·     To-server—Specifies the client to server direction of a session. ·     To-client—Specifies the server to client direction of a session.
Severity	Attack severity level of the signature, Low, Medium, High, or Critical.
Fidelity	Fidelity level of the signature, Low, Medium, or High.
Category	Attack category of the signature.
Protocol	Protocol attribute of the signature.
SigName	Predefined signature name.

?

display waf signature library

Use display waf signature library to display WAF signature library information.

Syntax

display waf signature library

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Examples

# Display WAF signature library information.

<Sysname> display waf signature library

WAF signature library information:

Type???? SigVersion???????? ReleaseTime?????????????? Size (bytes)

Current? 1.02?????????????? Fri Sep 13 09:05:35 2014? 71594

Last???? -????????????????? -???????????????????????? -

Factory? 1.00?????????????? Fri Sep 11 09:05:35 2014? 71394

Table 3 Command output

Field	Description
Type	Version type of the WAF signature library: ·     Current—Current version. ·     Last—Previous version. ·     Factory—Factory default version.
SigVersion	Version number of the WAF signature library.
ReleaseTime	Release time of the WAF signature library.
Size	Size of the WAF signature file in bytes.

?

display waf signature pre-defined

Use display waf signature pre-defined to display detailed information about a predefined WAF signature.

Syntax

display waf signature pre-defined signature-id

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

signature-id: Specifies the signature ID. The value range is 1 to 536870911.

Examples

# Display detailed information about predefined WAF signature 3295.

<Sysname> display waf signature pre-defined 3295

?Type??????? : Pre-defined

?Signature ID: 3295

?Status????? : Enable

?Action????? : Permit & Logging

?Name??????? : WEB_SERVER_Possible_HTTP_503_XSS_Attempt_(Internal_Source)

?Protocol??? : TCP

?Severity??? : Critical

?Fidelity??? : Medium

?Direction?? : To-client

?Category??? : Vulnerability

?Reference?? :

?Description : WEB_SERVER_Possible_HTTP_503_XSS_Attempt_(Internal_Source)??????

Table 4 Command output

Field	Description
Type	Type of the WAF signature: ·     Pre—Predefined WAF signatures. ·     User—User-defined signatures.
Signature ID	Signature ID.
Status	Status of the WAF signature, Enabled or Disabled.
Action	Actions for matching packets: ·     Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist. ·     Drop—Drops matching packets. ·     Permit—Permits matching packets to pass. ·     Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages. ·     Capture—Captures matching packets. ·     Logging—Logs matching packets.
Name	Name of the WAF signature.
Protocol	Protocol attribute of the signature.
Severity	Attack severity, Low, Medium, High, or Critical.
Fidelity	Fidelity level of the signature, Low, Medium, or High.
Direction	Direction attribute of the signature: ·     any—Specifies both directions of a session. ·     To-server—Specifies the client to server direction of a session. ·     To-client—Specifies the server to client direction of a session.
Category	Attack category of the signature.
Reference	Reference for the signature.
Description	Description for the signature.

?

object-dir

Use object-dir to specify a direction criterion to filter WAF signatures in a WAF policy.

Use undo object-dir to restore the default.

Syntax

object-dir { client | server } *

undo object-dir

Default

The direction attribute is not used for WAF signature filtering.

Views

WAF policy view

Predefined user roles

network-admin

context-admin

Parameters

client: Specifies the server to client direction.

server: Specifies the client to server direction.

Usage guidelines

Each WAF signature has a direction attribute that defines the traffic direction to which the signature applies. The direction attribute values include To-server, To-client, and Any.

WAF signatures with the Any direction attribute are always used by a WAF policy, regardless of the settings of this command. For example, if you configure the object-dir client command for a WAF policy, the policy uses WAF signatures with both the To-client and Any direction attributes.

If you execute this command in a WAF policy multiple times, the most recent configuration takes effect.

Examples

# Configure WAF policy test-policy to use WAF signatures with the To-client and Any direction attributes.

<Sysname> system-view

[Sysname] waf policy test-policy

[Sysname-waf-policy-test-policy] object-dir client

override-current

Use override-current to configure the device to overwrite the current WAF signature library without backing up the library during an automatic signature library update.

Use undo override-current to restore the default.

Syntax

override-current

undo override-current

Default

Before performing an automatic WAF signature library update, the device backs up the current WAF signature library as the previous version.

Views

Automatic WAF signature library update configuration view

Predefined user roles

network-admin

context-admin

Usage guidelines

Backing up the current WAF signature library requires additional storage space but enables signature library rollback. As a best practice, enable the backup function if there is sufficient storage space.

Examples

# Configure the device to overwrite the current WAF signature library without backing up the library during an automatic signature library update.

<Sysname> system-view

[Sysname] waf signature auto-update

[Sysname-waf-sig-autoupdate] override-current

Related commands

waf signature auto-update-now

protected-target

Use protected-target to set a target criterion to filter the WAF signatures in a WAF policy.

Use undo protected-target to remove a target criterion.

Syntax

protected-target { target [ sub-target subtarget ] | all }

undo protected-target { target [ sub-target subtarget ] | all }

Default

The protected target attribute is not used for WAF signature filtering.

Views

WAF policy view

Predefined user roles

network-admin

context-admin

Parameters

target: Specifies a target by its name. Target names are case insensitive. To view the names of supported targets, enter a question mark (?) after the protected-target keyword.

subtarget: Specifies a subtarget of the target by the subtarget name. Subtarget names are case insensitive. To view the names of supported subtargets, enter a question mark (?) after the sub-target keyword. If you do not specify a subtarget, this command matches any WAF signatures with a subtarget of the specified target.

all: Specifies all targets.

Usage guidelines

This command filters the WAF signatures that a WAF policy uses based on the protected target attribute of the signatures.

You can execute this command multiple times to specify multiple target criteria in a WAF policy. The WAF policy uses a WAF signature if the signature matches any of the configured target criteria.

Examples

# Configure WAF policy test-policy to use WAF signatures with the WebLogic subtarget of the WebServer target.

<Sysname> system-view

[Sysname] waf policy test-policy

[Sysname-waf-policy-test-policy] protected-target WebServer sub-target WebLogic

Related commands

display waf policy

severity-level

Use severity-level to set a severity level criterion to filter the WAF signatures in a WAF policy.

Use undo severity-level to restore the default.

Syntax

severity-level { critical | high | low | medium } *

undo severity-level

Default

The severity level attribute is not used for WAF signature filtering.

Views

WAF policy view

Predefined user roles

network-admin

context-admin

Parameters

critical: Specifies the critical severity level.

high: Specifies the high severity level.

low: Specifies the low severity level.

medium: Specifies the medium severity level.

Usage guidelines

Each WAF signature has a severity level attribute, which indicates the severity level of the attacks matching the signature.

This command filters the WAF signatures that a WAF policy uses based on the severity level attribute of the signatures.

You can specify multiple severity levels in a severity level criterion. The WAF policy uses a WAF signature if the signature matches any of the specified severity levels.

If you execute this command in a WAF policy multiple times, the most recent configuration takes effect.

Examples

# Configure WAF policy test-policy to use WAF signatures with the critical and medium severity levels.

<Sysname> system-view

[Sysname] waf policy test-policy

[Sysname-waf-policy-test-policy] severity-level critical medium

Related commands

waf policy

signature override

Use signature override to change the status and actions for a predefined WAF signature in a WAF policy.

Use undo signature override to restore the default status and actions for a predefined WAF signature in a WAF policy.

Syntax

signature override pre-defined signature-id { disable | enable } [ { block-source | drop | permit | redirect | reset } | capture | logging ] *

undo signature override pre-defined signature-id

Default

Predefined WAF signatures use the actions and statuses defined by the system.

Views

WAF policy view

Predefined user roles

network-admin

context-admin

Parameters

signature-id: Specifies a WAF signature ID in the range of 1 to 4294967295.

disable: Disables the WAF signature.

enable: Enables the WAF signature.

block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."

drop: Drops matching packets.

permit: Permits matching packets to pass.

redirect: Redirects matching packets to a webpage.

reset: Closes the TCP connections for matching packets by sending TCP reset messages.

capture: Captures matching packets.

logging: Logs matching packets.

Usage guidelines

This command is available only for user-defined WAF policies. The signature actions and status in the default WAF policy cannot be modified.

If you execute this command for a signature in a WAF policy multiple times, the most recent configuration takes effect.

Examples

# Enable predefined signature 2 for WAF policy test-policy. Specify the drop, capture, and logging actions for the signature.

<Sysname> system-view

[Sysname] waf policy test-policy

[Sysname-waf-policy-test-policy] signature override pre-defined 2 enable drop capture logging

Related commands

blacklist enable (security zone view) (Security Command Reference)

signature override all

signature override all

Use signature override all to specify the WAF actions for a WAF policy.

Use undo signature override all to restore the default.

Syntax

signature override all { { block-source | drop | permit | redirect | reset } | capture | logging } *

undo signature override all

Default

No actions are specified for a WAF policy and the default actions of WAF signatures are applied to matching packets.

Views

WAF policy view

Predefined user roles

network-admin

context-admin

Parameters

block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."

drop: Drops matching packets.

permit: Permits matching packets to pass.

redirect: Redirects matching packets to a webpage.

reset: Closes the TCP connections for matching packets by sending TCP reset messages.

capture: Captures matching packets.

logging: Logs matching packets.

Usage guidelines

Use this command to specify the global packet processing actions for a WAF policy.

Each WAF signature is defined with default actions for matching packets. You can change the default actions for individual signatures in a WAF policy.

The system selects the actions for packets matching a WAF signature in the following order:

1.     Actions configured for the WAF signature in the WAF policy (by using the signature override command).

2.     Actions configured for the WAF policy.

3.     Default actions of the WAF signature.

Examples

# Specify actions drop, logging, and capture for WAF policy test-policy.

<Sysname> system-view

[Sysname] waf policy test-policy

[Sysname-waf-policy-test-policy] signature override all drop logging capture

Related commands

blacklist enable (security zone view) (Security Command Reference)

signature override

update schedule

Use update schedule to schedule the time for automatic WAF signature library update.

Use undo update schedule to restore the default.

Syntax

update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes

undo update schedule

Default

The device starts updating the WAF signature library at a random time between 01:00:00 and 03:00:00 every day.

Views

Automatic WAF signature library update configuration view

Predefined user roles

network-admin

context-admin

Parameters

daily: Updates the WAF signature library every day.

weekly: Updates the WAF signature library every week.

fri: Updates the WAF signature library every Friday.

mon: Updates the WAF signature library every Monday.

sat: Updates the WAF signature library every Saturday.

sun: Updates the WAF signature library every Sunday.

thu: Updates the WAF signature library every Thursday.

tue: Updates the WAF signature library every Tuesday.

wed: Updates the WAF signature library every Wednesday.

start-time time: Specifies the start time in the hh:mm:ss format. The value range is 00:00:00 to 23:59:59.

tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a random time between the following time points:

·     Start time minus half the tolerance time.

·     Start time plus half the tolerance time.

Examples

# Configure the device to automatically update the WAF signature library every Monday at a random time between 20:25:00 and 20:35:00.

<Sysname> system-view

[Sysname] waf signature auto-update

[Sysname-waf-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10

Related commands

waf signature auto-update

waf signature auto-update-now

waf apply policy

Use waf apply policy to apply a WAF policy to a DPI application profile.

Use undo waf apply policy to remove the application.

Syntax

waf apply policy policy-name mode { alert | protect }

undo waf apply policy

Default

No WAF policy is applied to a DPI application profile.

Views

DPI application profile view

Predefined user roles

network-admin

context-admin

Parameters

policy-name: Specifies a WAF policy by its name, a case-insensitive string of 1 to 63 characters.

mode: Specifies a WAF policy mode.

alert: Only captures or logs matching packets.

protect: Takes all actions specified for signatures to process matching packets

Usage guidelines

A WAF policy takes effect only after it is applied to a DPI application profile.

You can apply only one WAF policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply WAF policy waf1 to DPI application profile sec. Set the WAF policy mode to protect.

<Sysname> system-view

[Sysname] app-profile sec

[Sysname-app-profile-sec] waf apply policy waf1 mode protect

Related commands

app-profile

waf policy

waf parameter-profile

Use waf { block-source | capture | logging | redirect } parameter-profile to specify a parameter profile for a WAF action.

Use undo waf { block-source | capture | logging | redirect } parameter-profile to remove the parameter profile from a WAF action.

Syntax

waf { block-source | capture | logging | redirect } parameter-profile parameter-name

undo waf { block-source | capture | logging | redirect } parameter-profile

Default

No parameter profile is specified for a WAF action.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

block-source: Specifies a parameter profile for the block-source action.

capture: Specifies a parameter profile for the capture action.

email: Specifies a parameter profile for the email action.

logging: Specifies a parameter profile for the logging action.

redirect: Specifies a parameter profile for the redirect action.

parameter-profile parameter-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

Use this command to specify the parameter profile used by a WAF action. A parameter profile is a set of parameters that determine how the action is executed. If you do not specify a parameter profile for an action, or if the specified profile does not exist, the default action parameter settings are used.

For information about configuring parameter profiles, see DPI Configuration Guide.

Examples

# Create parameter profile waf1. Set the source IP address blocking period to 1111 seconds.

<Sysname> system-view

[Sysname] inspect block-source parameter-profile waf1

[Sysname-inspect-block-source-waf1] block-period 1111

[Sysname-inspect-block-source-waf1] quit

# Specify the parameter profile waf1 for the block-source action.

[Sysname] waf block-source parameter-profile waf1

Related commands

inspect block-source parameter-profile

inspect capture parameter-profile

inspect logging parameter-profile

inspect redirect parameter-profile

waf policy

Use waf policy to create a WAF policy and enter its view, or enter the view of an existing WAF policy.

Use undo waf policy to delete a WAF policy.

Syntax

waf policy policy-name

undo waf policy policy-name

Default

A WAF policy named default exists.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

policy-name: Specifies the WAF policy name, a case-insensitive string of 1 to 63 characters. The name cannot be default or contain string protected-website.

Usage guidelines

You can configure signature filtering criteria, the actions for a signature, and the protected website, and associate a CC defense policy in a WAF policy.

A WAF policy takes effect only after it is applied to a DPI application profile. For more information about a DPI application profile, see DPI Configuration Guide.

You cannot delete WAF policy default.

Examples

# Create WAF policy test-policy and enter its view.

<Sysname> system-view

[Sysname] waf policy test-policy

[Sysname-waf-policy-test-policy]

Related commands

app-profile

display waf policy

waf signature auto-update

Use waf signature auto-update to enable automatic WAF signature library update and enter automatic WAF signature library update configuration view.

Use undo waf signature auto-update to disable automatic WAF signature library update.

Syntax

waf signature auto-update

undo waf signature auto-update

Default

Automatic WAF signature library update is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

After you enable automatic WAF signature library update, the device periodically accesses the official website to download the latest WAF signatures.

Examples

# Enable automatic WAF signature library update and enter automatic WAF signature library update configuration view.

<Sysname> system-view

[Sysname] waf signature auto-update

[Sysname-waf-autoupdate]

Related commands

update schedule

waf signature auto-update-now

Use waf signature auto-update-now to trigger an automatic signature library update manually.

Syntax

waf signature auto-update-now

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

After you execute this command, the device immediately starts the automatic signature library update process no matter whether automatic signature library update is enabled. The device automatically backs up the current signature library before overwriting it.

You can execute this command anytime you find a new version of signature library on the official website.

Examples

# Trigger an automatic signature library update manually.

<Sysname> system-view

[Sysname] waf signature auto-update-now

waf signature rollback

Use waf signature rollback to roll back the WAF signature library.

Syntax

waf signature rollback { factory | last }

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

factory: Rolls back the WAF signature library to the factory default version.

last: Rolls back the WAF signature library to the previous version.

Usage guidelines

If a WAF signature library update causes exceptions or a high false alarm rate, you can roll back the WAF signature library.

Before performing a WAF signature library rollback, the device backs up the current WAF signature library as the previous version. For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.

Examples

# Roll back the WAF signature library to the previous version.

<Sysname> system-view

[Sysname] waf signature rollback last

Related commands

override-current

waf signature update

Use waf signature update to manually update the WAF signature library.

Syntax

waf signature update [ override-current ] file-path

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

override-current: Overwrites the current WAF signature library without backing up the library. For the device to back up the current WAF signature library before overwriting the library, do not specify this keyword.

file-path: Specifies the WAF signature file path, a string of 1 to 255 characters.

Usage guidelines

If the device cannot access the official website, use one of the following methods to manually update the WAF signature library:

·     Local update—Updates the WAF signature library by using a locally stored update WAF signature file.

Store the update file on the master device for successful signature library update.

The following describes the format of the file-path argument for different update scenarios.

?

Update scenario	Format of file-path	Remarks
The update file is stored in the current working directory.	filename	To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference.
The update file is stored in a different directory on the same storage medium.	filename	Before configuring the waf signature update command, use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.
The update file is stored on a different storage medium.	path/filename	Before configuring the waf signature update command, use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.

?

·     FTP/TFTP update—Updates the WAF signature library by using the file stored on an FTP or TFTP server.

The following describes the format of the file-path argument for different update scenarios.

?

Update scenario	Format of file-path	Remarks
The update file is stored on an FTP server.	ftp://username:password@server address/filename	The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: ·     Colon (:)—%3A or %3a. ·     At sign (@)—%40. ·     Forward slash (/)—%2F or %2f.
The update file is stored on a TFTP server.	tftp://server address/filename	The server address parameter represents the IP address or host name of the TFTP server.

?

	NOTE: To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide.

?

Examples

# Manually update the WAF signature library by using a WAF signature file stored on a TFTP server.

<Sysname> system-view

[Sysname] waf signature update tftp://192.168.0.10/waf-1.0.2-en.dat

# Manually update the WAF signature library by using a WAF signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.

<Sysname> system-view

[Sysname] waf signature update ftp://user%3A123:user%40abc%[email protected]/waf-1.0.2-en.dat

# Manually update the WAF signature library by using a WAF signature file stored on the device. The file is stored in directory cfa0:/waf-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> system-view

[Sysname] waf signature update waf-1.0.23-en.dat

# Manually update the WAF signature library by using a WAF signature file stored on the device. The file is stored in directory cfa0:/dpi/waf-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> cd dpi

<Sysname> system-view

[Sysname] waf signature update waf-1.0.23-en.dat

# Manually update the WAF signature library by using a WAF signature file stored on the device. The file is stored in directory cfb0:/dpi/waf-1.0.23-en.dat, and the current working directory is the cfa0:.

<Sysname> cd cfb0:/

<Sysname> system-view

[Sysname] waf signature update dpi/waf-1.0.23-en.dat