Login
- Table of Contents
-
- 04-DPI Configuration Guide
- 00-Preface
- 01-DPI overview
- 02-DPI engine configuration
- 03-IPS configuration
- 04-URL filtering configuration
- 05-Data filtering configuration
- 06-File filtering configuration
- 07-Anti-virus configuration
- 08-Data analysis center configuration
- 09-Proxy policy configuration
- 10-WAF configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 07-Anti-virus configuration | 255.30 KB |
Virus signature library management
Configuring an anti-virus policy
Configuring MD5 value-based anti-virus cloud query
Specifying a parameter profile for an anti-virus action
Applying an anti-virus policy to a DPI application profile
Activating anti-virus policy settings
Applying a DPI application profile to a security policy rule
Applying a DPI application profile to an object policy rule
Managing the virus signature library
Scheduling automatic virus signature library update
Triggering an immediate automatic virus signature library update
Manually updating the virus signature library
Rolling back the virus signature library
Display and maintenance commands for anti-virus
Anti-virus configuration examples
Example: Using the default anti-virus policy in a security policy
Example: Using a user-defined anti-virus policy in a security policy
Example: Manually updating the virus signature library
Example: Configuring automatic virus signature library update
Example: Using the default anti-virus policy in an object policy
Example: Using a user-defined anti-virus policy in an object policy
Example: Manually updating the virus signature library
Example: Configuring automatic virus signature library update
Configuring anti-virus
About anti-virus
Anti-virus identifies viruses in the application layer of packets based on an up-to-date virus signature library and takes actions to prevent a network from being infected. This feature is typically deployed on a gateway to insulate the internal network from viruses and protect the internal data.
Anti-virus supports inspecting packets transported through FTP, HTTP, IMAP, NFS, POP3, SMB, and SMTP.
Application scenario
As shown in Figure 1, the device is the gateway of an internal network. Internal users access the external network and download data from the external network. The internal server accepts data uploaded by external users.
In this scenario, you can configure anti-virus on the gateway to protect the internal network. Anti-virus inspects incoming packets, permits legitimate packets to pass, and takes actions, such as alert, block, or redirect, on packets containing viruses.
Figure 1 Anti-virus application scenario
Terminology
Virus signature
A virus signature is a character string that uniquely identifies a specific virus. The virus signature library contains the predefined virus signatures.
MD5 rules
An MD5 rule is generated by the system based on the virus signatures in the virus signature library to identify virus-infected files.
Signature exception
Typically, anti-virus takes anti-virus actions on packets matching virus signatures. If a virus proves to be a false alarm, you can set the virus signature as a signature exception. Packets matching the signature exception are permitted to pass.
Application exception
Typically, anti-virus action is protocol specific and applies to all applications carried by the protocol. To take a different action on an application, you can set the application as an exception and specify a different anti-virus action for the application. Application exceptions use application-specific actions and the other applications use protocol-specific actions. For example, the anti-virus action for HTTP is alert. To block the games carried by HTTP, you can set the games as application exceptions and specify the block action for them.
MD5 exception
If false positives occur for a virus, you can set the MD5 value of the virus as an MD5 exception. The device will permit subsequent packets matching the MD5 exception to pass.
You can get the MD5 value of the virus through the threat log.
Anti-virus action
Anti-virus actions apply to the packets that match virus signatures. The actions include the following types:
· alert—Permits matching packets and generates logs.
· block—Blocks matching packets and generates logs.
· redirect—Redirects matching HTTP connections to a URL and generates logs. The redirection is applicable to only uploading connections.
The generated anti-virus logs can be sent to the device information center or to designated recipients by email.
Virus detection methods
The device supports the following virus detection methods:
· Virus signature-based detection—The device matches packets against virus signatures in the virus signature library, and determines that a packet contains viruses if a match is found.
· MD5 rule-based detection—The device generates an MD5 hash value for a file to be inspected and compares the value with the system-defined MD5 rules. If a match is found, the file is identified to be virus-infected.
Anti-virus mechanism
Anti-virus takes effect after you apply an anti-virus policy to a DPI application profile and use the DPI application profile in a security policy rule or object policy rule.
As shown in Figure 2, upon receiving a packet, the anti-virus device performs the following operations:
1. The device identifies whether the anti-virus supports the application layer protocol of the packet.
¡ If not, the device permits the packet to pass without anti-virus inspection.
¡ If yes, the device compares the packet with the virus signatures and MD5 rules.
2. If a matching signature or MD5 rule is found, the device performs following operations:
a. Determines if the matching signature is an exception. If yes, the device permits the packet to pass. If not, the device examines whether the application is an exception.
b. If the application is an exception, the device takes the application-specific action (alert, block, or permit). If the application is not an exception, the device takes the protocol-specific action (alert, block, or redirect).
3. If no matching signature or MD5 rule is found, the device performs the following operations:
a. Determines if the MD5 value of the file in the packet is an MD5 value exception.
- If yes, the device permits the packet to pass.
- If not, the device sends the MD5 value of the file in the packet to the cloud server.
b. If cloud query is disabled in the anti-virus policy, the device permits the packet to pass.
c. If cloud query is enabled in the anti-virus policy but the cloud server does not detect any virus, the device permits the packet to pass.
d. If cloud query is enabled in the anti-virus policy and the cloud server detects the virus, the device determines if the application is an exception.
- If yes, the device takes the application-specific action (alert, block, or permit).
- If not, the device takes the protocol-specific action (alert, block, or redirect).
Virus signature library management
The device inspects packets for viruses based on the virus signature library. You can update the virus signature library to the latest version or roll it back to the previous version or the factory default version.
Updating the virus signature library
The following methods are available for updating the virus signature library:
· Automatic update.
The device automatically and periodically downloads the most up-to-date virus signature file to update the signature library.
· Triggered update.
The device downloads the most up-to-date virus signature file to update the signature library immediately after you trigger the operation.
· Manual update.
Use this method when the device cannot obtain the virus signature file automatically.
You must manually download the most up-to-date virus signature file and then use the downloaded file to update the signature library.
Rolling back the virus signature library
If the false alarm rate is high or abnormal situations frequently occur, you can roll back the virus signature library to the previous version or to the factory default version.
Licensing requirements
The anti-virus feature requires a license to run on the device. If the license expires, the anti-virus feature is still available but you can no longer update the virus signature library on the device. For more information about licenses, see Fundamentals Configuration Guide.
Anti-virus tasks at a glance
To configure anti-virus, perform the following tasks:
1. Configuring an anti-virus policy
2. Configuring MD5 value-based anti-virus cloud query
3. Specifying a parameter profile for an anti-virus action
4. Applying an anti-virus policy to a DPI application profile
5. Activating anti-virus policy settings
6. Applying a DPI application profile to a security policy rule
7. Applying a DPI application profile to an object policy rule
8. Managing the virus signature library
Configuring an anti-virus policy
About this task
An anti-virus policy defines the virus detection criteria, anti-virus actions, virus signature exceptions, and application exceptions.
The virus signatures in the virus signature library are available to all anti-virus policies on the device.
Restrictions and guidelines
Anti-virus supports only NFSv3 of the NFS protocol, and SMBv1 and SMBv2 of the SMB protocol.
The logging keyword enables the anti-virus module to log the packet matching events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output anti-virus logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view anti-virus logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Create an anti-virus policy and enter its view.
anti-virus policy policy-name
A default anti-virus policy named default exists. The default anti-virus policy cannot be modified or deleted.
3. (Optional.) Configure a description for the anti-virus policy.
description text
4. Configure anti-virus for an application layer protocol.
inspect { ftp | http | imap | nfs | pop3 | smb | smtp } [ direction { both | download | upload } ] [ action { alert | block | redirect } ]
By default, the device performs virus detection on upload and download packets for FTP, HTTP, IMAP, NFS, and SMB, on download packets for POP3, and on upload packets for SMTP. The anti-virus action for FTP, HTTP, NFS, and SMB is block and for IMAP, SMTP, and POP3 is alert.
5. (Optional.) Set a signature as a signature exception.
exception signature signature-id
6. (Optional.) Set an application as an application exception and specify an anti-virus action for the application exception.
exception application application-name action { alert | block | permit }
7. (Optional.) Set an MD5 value as an MD5 exception.
exception md5 md5-value
8. Enable the virus signatures at and above a severity level.
signature severity { critical | high | medium } enable
By default, virus signatures of all severity levels are enabled.
Configuring MD5 value-based anti-virus cloud query
About this task
You can enable MD5 value-based anti-virus cloud query in an anti-virus policy. If the file in a packet does not match any rule in the local virus signature library, the device will send the MD5 value of the file to the cloud server for cloud query. The cloud server determines whether the MD5 value is a virus and returns the result to the device so appropriate action can be taken.
For more information about the cloud query server, see "Configuring the DPI engine."
Restrictions and guidelines
MD5 value-based anti-virus cloud query is available only for the following protocols:
· HTTP.
· IMAP.
· NFS. Only the NFS read operation is supported.
· POP3.
· SMTP.
Procedure
1. Enter system view.
system-view
2. Specify the cloud query server.
inspect cloud-server host-name
By default, cloud query server sec.h3c.com is used.
3. (Optional.) Set the anti-virus cache size.
anti-virus cache size cache-size
By default, the anti-virus cache can cache a maximum of 100000 entries.
4. (Optional.) Set the minimum cache period for an anti-virus MD5 entry.
anti-virus cache min-time value
By default, the minimum cache period of an anti-virus MD5 entry is 10 minutes.
5. Enter anti-virus policy view.
anti-virus policy policy-name
6. Enable MD5 value-based anti-virus cloud query.
cloud-query enable
By default, MD5 value-based anti-virus cloud query is disabled.
Specifying a parameter profile for an anti-virus action
About this task
Before you can specify a parameter profile for an anti-virus action, configure the parameter profile in the DPI engine. For more information, see "Configuring DPI engine."
A parameter profile defines the parameters for executing an action. For example, you can configure parameters such as the email server address and email recipients in the email parameter profile, and then apply the profile to the email action.
If no parameter profile is specified for an anti-virus action, or if the specified parameter profile does not exist, the default parameter settings of the action are used.
Procedure
1. Enter system view.
system-view
2. Specify a parameter profile for an anti-virus action.
anti-virus { email | logging | redirect } parameter-profile profile-name
By default, no parameter profile is specified for an anti-virus action.
Applying an anti-virus policy to a DPI application profile
About this task
The DPI application profile is a template for configuring DPI security services. For an anti-virus policy to take effect, you must apply it to a DPI application profile.
A DPI application profile can use only one anti-virus policy. If you apply different anti-virus policies to the same DPI application profile, only the most recent configuration takes effect.
Procedure
1. Enter system view.
system-view
2. Enter DPI application profile view.
app-profile profile-name
For more information about this command, see DPI engine commands in DPI Command Reference.
3. Apply an anti-virus policy to the DPI application profile.
anti-virus apply policy policy-name mode { alert | protect }
By default, no anti-virus policy is applied to a DPI application profile.
Activating anti-virus policy settings
After you edit the anti-virus policy settings, perform this task to activate the settings.
Restrictions and guidelines
This task can cause temporary outage for all DPI services. As a best practice, perform the task after all DPI service policy and rule settings are complete.
For more information about activating DPI service module configuration, see "Configuring the DPI engine."
Procedure
1. Enter system view.
system-view
2. Activate anti-virus policy settings.
inspect activate
By default, anti-virus policy settings do not take effect.
Applying a DPI application profile to a security policy rule
1. Enter system view.
system-view
2. Enter security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | name name } *
4. Set the rule action to pass.
action pass
The default rule action is drop.
5. Use a DPI application profile in the rule.
profile app-profile-name
By default, no DPI application profile is used in a security policy rule.
Applying a DPI application profile to an object policy rule
1. Enter system view.
system-view
2. Enter object policy view.
object-policy { ip | ipv6 } object-policy-name
3. Use a DPI application profile in an object policy rule.
rule [ rule-id ] inspect app-profile-name
By default, no DPI application profile is used in an object policy rule.
4. Return to system view.
quit
5. Create a zone pair and enter zone pair view.
zone-pair security source source-zone-name destination destination-zone-name
For more information about zone pairs, see security zone configuration in Security Configuration Guide.
6. Apply the object policy to the zone pair.
object-policy apply { ip | ipv6 } object-policy-name
By default, no object policy is applied to a zone pair.
Managing the virus signature library
As viruses constantly increase and change, you must update the virus signature library in time. You can also roll back the virus signature library.
Restrictions and guidelines
· Do not delete the /dpi/ folder in the root directory of the storage medium.
· Do not perform virus signature update and rollback when the device's free memory is below the normal state threshold. For more information about device memory thresholds, see device management in Fundamentals Configuration Guide.
· For successful automatic and immediate signature update, make sure the device can resolve the domain name of the H3C website into an IP address through DNS. For more information about DNS, see DNS configuration in Layer 3—IP Services Configuration Guide.
· Update only one signature library at a time. Do not perform signature library update until the existing signature library update is completed.
Scheduling automatic virus signature library update
About this task
You can schedule automatic virus signature library update if the device can access the signature database services on the H3C website. The device periodically obtains the latest signature file from the H3C website to update its local signature library according to the update schedule.
Procedure
1. Enter system view.
system-view
2. Enable automatic virus signature library update and enter automatic virus signature library update configuration view.
anti-virus signature auto-update
By default, automatic virus signature library update is disabled.
3. Schedule the update time.
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
By default, the device updates the virus signature library at a random time between 02:01:00 and 04:01:00 every day.
Triggering an immediate automatic virus signature library update
About this task
Anytime you find a new release of virus signature file on the H3C website, you can trigger the device to immediately and automatically update the virus signature library.
Procedure
1. Enter system view.
system-view
2. Trigger an immediate virus signature library update.
anti-virus signature auto-update-now
Manually updating the virus signature library
About this task
If the device cannot access the signature database services on the H3C website, use one of the following methods to manually update the virus signature library:
· Local update—Updates the virus signature library by using the locally stored virus signature file.
Store the update file on the master device for successful signature library update.
· FTP/TFTP update—Updates the virus signature library by using the virus signature file stored on an FTP or TFTP server.
Procedure
1. Enter system view.
system-view
2. Manually update the virus signature library.
anti-virus signature update file-path
Rolling back the virus signature library
About this task
If a virus signature library update causes abnormal situations or a high false alarm rate, you can roll back the virus signature library.
Before rolling back the virus signature library, the device backs up the current signature library as the previous version. For example, the previous version is V1 and the current version is V2. If you perform a rollback to the previous version, version V1 becomes the current version and version V2 becomes the previous version. If you perform a rollback to the previous version again, version V2 becomes the current version and version V1 becomes the previous version.
Procedure
1. Enter system view.
system-view
2. Roll back the virus signature library.
anti-virus signature rollback { factory | last }
Display and maintenance commands for anti-virus
Execute the display commands in any view.
|
Task |
Command |
|
Display anti-virus cache information. |
display anti-virus cache [ slot slot-number ] |
|
Display virus signature information. |
display anti-virus signature [ severity { critical | high | low | medium } ] |
|
Display virus signature family information. |
display anti-virus signature family-info |
|
Display virus signature library information. |
display anti-virus signature library |
|
Display anti-virus statistics. |
display anti-virus statistics [ policy policy-name ] [ slot slot-number ] |
Anti-virus configuration examples
Example: Using the default anti-virus policy in a security policy
Network configuration
As shown in Figure 3, the device connects the LAN and the Internet. The LAN resides in security zone Trust and the Internet resides in security zone Untrust.
Configure the device to use the default anti-virus policy for virus detection and prevention.
Procedure
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure security zones:
# Assign GigabitEthernet 1/0/1 to security zone Trust.
<Device> system-view
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
# Assign GigabitEthernet 1/0/2 to security zone Untrust.
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
3. Create an IP address object group named antivirus and configure an IP address object with subnet address 192.168.1.0/24.
[Device] object-group ip address antivirus
[Device-obj-grp-ip-antivirus] network subnet 192.168.1.0 24
[Device-obj-grp-ip-antivirus] quit
4. Configure a DPI application profile:
# Create a DPI application profile named sec and enter its view.
[Device] app-profile sec
# Apply the default anti-virus policy to the DPI application profile and set the policy mode to protect.
[Device-app-profile-sec] anti-virus apply policy default mode protect
[Device-app-profile-sec] quit
5. Activate the anti-virus policy settings.
[Device] inspect activate
6. Configure a security policy:
# Create a security policy named ip and enter its view.
[Device] security-policy ip
# Create a security policy rule named antivirus. Configure the rule to apply DPI application profile sec to packets from security zone Trust to security zone Untrust with source IP addresses contained in IP address object group antivirus.
[Device-security-policy-ip] rule name antivirus
[Device-security-policy-ip-10-antivirus] source-zone trust
[Device-security-policy-ip-10-antivirus] source-ip antivirus
[Device-security-policy-ip-10-antivirus] destination-zone untrust
[Device-security-policy-ip-10-antivirus] action pass
[Device-security-policy-ip-10-antivirus] profile sec
[Device-security-policy-ip-10-antivirus] quit
# Activate rule matching acceleration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
Verifying the configuration
# Verify that the device can use the default anti-virus policy to detect and prevent known viruses. (Details not shown.)
Example: Using a user-defined anti-virus policy in a security policy
Network configuration
As shown in Figure 4, the device connects the LAN and the Internet. The LAN resides in security zone Trust and the Internet resides in security zone Untrust.
Configure the device to use a user-defined anti-virus policy for virus detection and prevention. In the user-defined anti-virus policy, set virus signature 2 as a signature exception and set the 139Email application as an application exception.
Procedure
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure security zones:
# Assign GigabitEthernet 1/0/1 to security zone Trust.
<Device> system-view
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
# Assign GigabitEthernet 1/0/2 to security zone Untrust.
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
3. Create an IP address object group named antivirus and configure an IP address object with subnet address 192.168.1.0/24.
[Device] object-group ip address antivirus
[Device-obj-grp-ip-antivirus] network subnet 192.168.1.0 24
[Device-obj-grp-ip-antivirus] quit
4. Configure anti-virus:
# Create an anti-virus policy named antivirus1 and enter its view.
[Device] anti-virus policy antivirus1
# Set virus signature 2 as a signature exception
[Device-anti-virus-policy-antivirus1] exception signature 2
# Set the 139Email application as an application exception. Specify alert as the anti-virus action for the application exception.
[Device-anti-virus-policy-antivirus1] exception application 139Email action alert
[Device-anti-virus-policy-antivirus1] quit
5. Configure a DPI application profile:
# Create a DPI application profile named sec and enter its view.
[Device] app-profile sec
# Apply anti-virus policy antivirus1 to the DPI application profile and set the policy mode to protect.
[Device-app-profile-sec] anti-virus apply policy antivirus1 mode protect
[Device-app-profile-sec] quit
6. Activate the anti-virus policy settings.
[Device] inspect activate
7. Configure a security policy:
# Create a security policy named ip and enter its view.
[Device] security-policy ip
# Create a security policy rule named antivirus. Configure the rule to apply DPI application profile sec to packets from security zone Trust to security zone Untrust with source IP addresses contained in IP address object group antivirus.
[Device-security-policy-ip] rule name antivirus
[Device-security-policy-ip-10-antivirus] source-zone trust
[Device-security-policy-ip-10-antivirus] source-ip antivirus
[Device-security-policy-ip-10-antivirus] destination-zone untrust
[Device-security-policy-ip-10-antivirus] action pass
[Device-security-policy-ip-10-antivirus] profile sec
[Device-security-policy-ip-10-antivirus] quit
# Activate rule matching acceleration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
Verifying the configuration
# Verify that the anti-virus policy is correctly configured. (Details not shown.)
Example: Manually updating the virus signature library
Network configuration
As shown in Figure 5, LAN users in security zone Trust can access the Internet resources in security zone Untrust and the FTP server in security zone DMZ. The username and password for logging in to the FTP server are anti-virus and 123, respectively. The latest virus signature file anti-virus-1.0.8-encrypt.dat is stored in the root directory on the FTP server.
Manually update the virus signature library on the device by using the latest virus signature file on the FTP server.
Procedure
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure a security policy to enable the device to communicate with the FTP server in security zone DMZ:
# Assign GigabitEthernet 1/0/3 to security zone DMZ.
[Device] security-zone name dmz
[Device-security-zone-DMZ] import interface gigabitethernet 1/0/3
[Device-security-zone-DMZ] quit
# Create a security policy named ip and enter its view.
[Device] security-policy ip
# Create a security policy rule named update. Configure the rule to permit bidirectional traffic between security zones Local and DMZ.
[Device-security-policy-ip] rule name update
[Device-security-policy-ip-11-update] source-zone local
[Device-security-policy-ip-11-update] source-zone dmz
[Device-security-policy-ip-11-update] destination-zone dmz
[Device-security-policy-ip-11-update] destination-zone local
[Device-security-policy-ip-11-update] action pass
[Device-security-policy-ip-11-update] quit
# Activate rule matching acceleration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
3. Update the virus signature library by using the virus signature file anti-virus-1.0.8-encrypt.dat on the FTP server.
[Device] anti-virus signature update ftp:// anti-virus:123@192.168.2.4/anti-virus-1.0.8-encrypt.dat
Verifying the configuration
# Verify that the virus signature library is successfully updated.
<Device> display anti-virus signature library
Example: Configuring automatic virus signature library update
Network configuration
As shown in Figure 6, LAN users in security zone Trust can access Internet resources in security zone Untrust.
Configure the device to automatically update the virus signature library at a random time between 08:30 a.m. and 09:30 a.m. every Saturday.
Procedure
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure DNS for resolving the domain name of the H3C website into an IP address. (Details not shown.)
3. Configure a security policy to allow LAN users in security zone Trust to access Internet resources in security zone Untrust. (Details not shown.)
4. Configure automatic virus signature library update:
# Enable automatic virus signature library update.
<Device> system-view
[Device] anti-virus signature auto-update
# Configure the device to perform automatic update at a random time between 08:00 a.m. and 10:00 a.m. every Saturday.
[Device-anti-virus-autoupdate] update schedule weekly sat start-time 9:00:00 tingle 60
[Device-anti-virus-autoupdate] quit
Verifying the configuration
# Verify that the virus signature library is updated as scheduled.
<Device> display anti-virus signature library
Example: Using the default anti-virus policy in an object policy
Network configuration
As shown in Figure 7, the device connects the LAN and the Internet. The LAN resides in security zone Trust and the Internet resides in security zone Untrust.
Configure the device to use the default anti-virus policy for virus detection and prevention.
Procedure
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure security zones:
# Assign GigabitEthernet 1/0/1 to security zone Trust.
<Device> system-view
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
# Assign GigabitEthernet 1/0/2 to security zone Untrust.
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
3. Create an IP address object group named antivirus and configure an IP address object with subnet address 192.168.1.0/24.
[Device] object-group ip address antivirus
[Device-obj-grp-ip-antivirus] network subnet 192.168.1.0 24
[Device-obj-grp-ip-antivirus] quit
4. Configure a DPI application profile:
# Create a DPI application profile named sec and enter its view.
[Device] app-profile sec
# Apply the default anti-virus policy to the DPI application profile and set the policy mode to protect.
[Device-app-profile-sec] anti-virus apply policy default mode protect
[Device-app-profile-sec] quit
5. Activate the anti-virus policy settings.
[Device] inspect activate
6. Configure an object policy:
# Create an IPv4 object policy named antivirus and enter its view.
[Device] object-policy ip antivirus
# Configure an object policy rule to apply DPI application profile sec to packets that match source IP address object group antivirus.
[Device-object-policy-ip-antivirus] rule inspect sec source-ip antivirus destination-ip any
[Device-object-policy-ip-antivirus] quit
7. Create a zone pair between source zone Trust and destination zone Untrust. Apply object policy antivirus to the zone pair.
[Device] zone-pair security source trust destination untrust
[Device-zone-pair-security-Trust-Untrust] object-policy apply ip antivirus
[Device-zone-pair-security-Trust-Untrust] quit
Verifying the configuration
# Verify that the device can use the default anti-virus policy to detect and prevent known viruses. (Details not shown.)
Example: Using a user-defined anti-virus policy in an object policy
Network configuration
As shown in Figure 8, the device connects the LAN and the Internet. The LAN resides in security zone Trust and the Internet resides in security zone Untrust.
Set virus signature 2 as a signature exception. Set the 139Email application as an application exception.
Procedure
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure security zones:
# Assign GigabitEthernet 1/0/1 to security zone Trust.
<Device> system-view
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
# Assign GigabitEthernet 1/0/2 to security zone Untrust.
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
3. Create an IP address object group named antivirus and configure an IP address object with subnet address 192.168.1.0/24.
[Device] object-group ip address antivirus
[Device-obj-grp-ip-antivirus] network subnet 192.168.1.0 24
[Device-obj-grp-ip-antivirus] quit
4. Configure anti-virus:
# Create an anti-virus policy named antivirus1 and enter its view.
[Device] anti-virus policy antivirus1
# Set virus signature 2 as a signature exception
[Device-anti-virus-policy-antivirus1] exception signature 2
# Set the 139Email application as an application exception. Specify alert as the anti-virus action for the application exception.
[Device-anti-virus-policy-antivirus1] exception application 139Email action alert
[Device-anti-virus-policy-antivirus1] quit
5. Configure a DPI application profile:
# Create a DPI application profile named sec and enter its view.
[Device] app-profile sec
# Apply anti-virus policy antivirus1 to the DPI application profile and set the policy mode to protect.
[Device-app-profile-sec] anti-virus apply policy antivirus1 mode protect
[Device-app-profile-sec] quit
6. Activate the anti-virus policy settings.
[Device] inspect activate
7. Configure an object policy:
# Create an IPv4 object policy named antivirus and enter its view.
[Device] object-policy ip antivirus
# Configure an object policy rule to apply DPI application profile sec to packets that match source IP address object group antivirus.
[Device-object-policy-ip-antivirus] rule inspect sec source-ip antivirus destination-ip any
[Device-object-policy-ip-antivirus] quit
8. Create a zone pair between source zone Trust and destination zone Untrust. Apply object policy antivirus to the zone pair.
[Device] zone-pair security source trust destination untrust
[Device-zone-pair-security-Trust-Untrust] object-policy apply ip antivirus
[Device-zone-pair-security-Trust-Untrust] quit
Verifying the configuration
# Verify that the anti-virus policy is correctly configured. (Details not shown.)
Example: Manually updating the virus signature library
Network configuration
As shown in Figure 9, LAN users in security zone Trust can access the Internet resources in security zone Untrust and the FTP server in security zone DMZ. The username and password for logging in to the FTP server are anti-virus and 123, respectively. The latest virus signature file anti-virus-1.0.8-encrypt.dat is stored in the root directory on the FTP server.
Manually update the virus signature library on the device by using the latest virus signature file on the FTP server.
Procedure
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure the device to communicate with the FTP server:
# Configure ACL 2001 to permit all packets.
<Device> system-view
[Device] acl basic 2001
[Device-acl-ipv4-basic-2001] rule permit
[Device-acl-ipv4-basic-2001] quit
# Assign GigabitEthernet 1/0/3 to security zone DMZ.
[Device] security-zone name dmz
[Device-security-zone-DMZ] import interface gigabitethernet 1/0/3
[Device-security-zone-DMZ] quit
# Create a zone pair between source zone Local and destination zone DMZ. Apply ACL 2001 to the zone pair for packet filtering.
[Device] zone-pair security source local destination dmz
[Device-zone-pair-security-Local-DMZ] packet-filter 2001
[Device-zone-pair-security-Local-DMZ] quit
# Create a zone pair between source zone DMZ and destination zone Local. Apply ACL 2001 to the zone pair for packet filtering.
[Device] zone-pair security source dmz destination local
[Device-zone-pair-security-DMZ-Local] packet-filter 2001
[Device-zone-pair-security-DMZ-Local] quit
3. Update the virus signature library by using the virus signature file anti-virus-1.0.8-encrypt.dat on the FTP server.
[Device] anti-virus signature update ftp:// anti-virus:123@192.168.2.4/anti-virus-1.0.8-encrypt.dat
Verifying the configuration
# Verify that the virus signature library is successfully updated.
<Device> display anti-virus signature library
Example: Configuring automatic virus signature library update
Network configuration
As shown in Figure 10, LAN users in security zone Trust can access Internet resources in security zone Untrust.
Configure the device to automatically update the virus signature library at a random time between 08:30 a.m. and 09:30 a.m. every Saturday.
Procedure
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure DNS for resolving the domain name of the H3C website into an IP address. (Details not shown.)
3. Configure an object policy to allow LAN users in security zone Trust to access Internet resources in security zone Untrust. (Details not shown.)
4. Configure automatic virus signature library update:
# Enable automatic virus signature library update.
<Device> system-view
[Device] anti-virus signature auto-update
# Configure the device to perform automatic update at a random time between 08:00 a.m. and 10:00 a.m. every Saturday.
[Device-anti-virus-autoupdate] update schedule weekly sat start-time 9:00:00 tingle 60
[Device-anti-virus-autoupdate] quit
Verifying the configuration
# Verify that the virus signature library is updated as scheduled.
<Device> display anti-virus signature library
