07-Internet Access Behavior Management Configuration Guide

03-NetShare control configuration

Configuring NetShare control

About NetShare control

NetShare control uses the NetShare control policy to identify and control network sharing behaviors.

The network sharing behavior is the behavior of multiple endpoints using the same IP address for network access. If an IP address is detected to be used as the source IP address in packets sent by multiple endpoints, the IP address is a shared IP address. NetShare control monitors the number of endpoints sharing the IP address and takes the NetShare control action if the number of endpoints sharing the IP address exceeds the limit.

NetShare detection methods

NetShare control uses the following methods to detect network sharing behaviors:

·     APR-based detection—The device uses Application Recognition (APR)-based packet analysis to examine the application layer information of packets and detect NetShare behaviors of endpoints. For more information about APR, see APR configuration in Security Configuration Guide.

·     IPID trail tracking—The device tracks the values of the IPID fields in packets to detect NetShare behaviors.

NetShare control mechanism

As shown in Figure 1, the NetShare control module processes a packet as follows:

1.     Determines if the NetShare policy is enabled.

¡     If the policy is disabled, NetShare control permits the packet to pass through.

¡     If the policy is enabled, NetShare control proceeds to step 2.

2.     Determines if the source IP address of the packet is frozen:

¡     If yes, NetShare control drops the packet.

¡     If not, NetShare control proceeds to step 3.

3.     Compares the packet attributes with the NetShare inspection criteria in the NetShare control policy to determine if the packet matches the policy.

¡     If the packet does not match the policy, NetShare control permits the packet to pass through.

¡     If the packet matches the policy, NetShare control proceeds to step 4.

4.     Determines if the source IP address of the packet is shared by multiple endpoints:

¡     If not, NetShare control permits the packet to pass through.

¡     If yes, NetShare control further determines whether the number of endpoints sharing the IP address exceeds the limit:

-     If the limit is exceeded, NetShare control takes the NetShare control action specified in the policy.

For information about setting the NetShare control action, see "Setting the NetShare control action."

-     If the limit is not exceeded, NetShare control permits the packet to pass through.
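The decision flow above, written out as a small Python model. This is an added example, not H3C code: the Policy and NetShareControl classes, the endpoint-counter callback that stands in for the APR or IPID detection module, and the assumption that freeze-time is in minutes and that the packet which triggers a freeze is itself dropped are all constructed for illustration. The criterion matching implements the rule from "Configuring NetShare inspection filtering criteria": at least one criterion of every configured criterion type must match.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed model of the NetShare control decision flow (steps 1 to 4).
# Policy, NetShareControl and the counter callback are assumptions made for
# this example; they are not H3C commands or data structures.


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_zone: str
    dst_zone: str
    user: Optional[str] = None


@dataclass
class Policy:
    enabled: bool = True
    # Criterion sets; an empty set means that criterion type is not configured.
    source_zones: Set[str] = field(default_factory=set)
    destination_zones: Set[str] = field(default_factory=set)
    source_addresses: Set[str] = field(default_factory=set)
    destination_addresses: Set[str] = field(default_factory=set)
    users: Set[str] = field(default_factory=set)
    max_terminals: Optional[int] = None   # None: sharing is not limited (the default)
    action: str = "permit"                # "permit" or "freeze"
    freeze_minutes: int = 0               # freeze-time, assumed to be in minutes
    logging: bool = False

    def matches(self, pkt: Packet) -> bool:
        """Step 3: one criterion of every configured type must match;
        unconfigured criterion types impose no restriction."""
        checks = [
            (self.source_zones, pkt.src_zone),
            (self.destination_zones, pkt.dst_zone),
            (self.source_addresses, pkt.src_ip),
            (self.destination_addresses, pkt.dst_ip),
            (self.users, pkt.user),
        ]
        return all(value in criteria for criteria, value in checks if criteria)


class NetShareControl:
    def __init__(self, policy: Policy, endpoint_counter: Callable[[str], int]):
        self.policy = policy
        # Stand-in for the detection module (APR or IPID trail tracking):
        # returns how many endpoints have been seen behind a source IP.
        self.count_endpoints = endpoint_counter
        self.frozen: Dict[str, float] = {}   # src_ip -> time the freeze expires
        self.log: List[str] = []

    def is_frozen(self, ip: str, now: float) -> bool:
        expiry = self.frozen.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.frozen[ip]              # freeze time elapsed: auto-unfreeze
            return False
        return True

    def freeze(self, ip: str, minutes: int, now: float) -> None:
        self.frozen[ip] = now + minutes * 60   # also used for manual freezing

    def unfreeze(self, ip: str) -> None:
        self.frozen.pop(ip, None)

    def process(self, pkt: Packet, now: float) -> str:
        """Return 'permit' or 'drop' for one packet."""
        p = self.policy
        if not p.enabled:                        # step 1
            return "permit"
        if self.is_frozen(pkt.src_ip, now):      # step 2: applies to all packets from the IP
            return "drop"
        if not p.matches(pkt):                   # step 3
            return "permit"
        n = self.count_endpoints(pkt.src_ip)     # step 4
        if n <= 1 or p.max_terminals is None or n <= p.max_terminals:
            return "permit"                      # not shared, or shared within the limit
        if p.logging:
            self.log.append(f"netshare: {pkt.src_ip} shared by {n} endpoints, action={p.action}")
        if p.action == "freeze":
            self.freeze(pkt.src_ip, p.freeze_minutes, now)
            return "drop"                        # assumed: the triggering packet is dropped too
        return "permit"


def demo() -> dict:
    """Replays the configuration example on this page (trust -> untrust,
    max-terminals 1, action freeze 60 logging) with constructed endpoint counts."""
    policy = Policy(source_zones={"trust"}, destination_zones={"untrust"},
                    max_terminals=1, action="freeze", freeze_minutes=60, logging=True)
    seen = {"10.1.1.5": 2, "10.1.1.6": 1}      # constructed detection results
    ctl = NetShareControl(policy, lambda ip: seen.get(ip, 1))
    shared = Packet("10.1.1.5", "203.0.113.9", "trust", "untrust")
    single = Packet("10.1.1.6", "203.0.113.9", "trust", "untrust")
    other_zone = Packet("10.1.1.5", "10.1.2.2", "trust", "dmz")   # does not match the policy
    r = {}
    r["shared_first"] = ctl.process(shared, now=0)               # exceeds limit -> frozen, dropped
    r["shared_again"] = ctl.process(shared, now=10)              # frozen -> dropped
    r["other_zone_while_frozen"] = ctl.process(other_zone, now=20)   # frozen -> dropped (step 2 precedes step 3)
    r["single"] = ctl.process(single, now=30)                    # one endpoint -> permitted
    r["freeze_expired"] = ctl.is_frozen("10.1.1.5", now=3600)    # 60 minutes elapsed
    r["other_zone_after_expiry"] = ctl.process(other_zone, now=3601)   # no match -> permitted
    ctl.freeze("10.1.1.6", 5, now=3700)                          # manual freeze
    r["manual_freeze"] = ctl.process(single, now=3710)
    r["log_entries"] = len(ctl.log)
    return r


if __name__ == "__main__":
    print(demo())
```

Note that a frozen address is dropped before policy matching, so every packet from the address is discarded for the freeze time, not just the ones that matched the policy; that is the behavior the Freeze action describes.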

Figure 1 NetShare control mechanism


NetShare control tasks at a glance

To configure NetShare control, perform the following tasks:

1.     Creating a NetShare control policy

2.     Configuring NetShare inspection filtering criteria

3.     (Optional.) Enabling IPID trail tracking

After IPID trail tracking is enabled, the device uses both APR-based detection and IPID trail tracking to detect network sharing behaviors.

4.     Setting the maximum number of endpoints sharing an IP address

5.     Setting the NetShare control action

6.     Activating NetShare control policy settings

7.     (Optional.) Disabling the NetShare control policy

8.     (Optional.) Manually freezing and unfreezing a shared IP address

Prerequisites for NetShare control

Before you configure NetShare control, you must perform the following tasks:

·     Upgrade the APR signature library on the device to the most recent version.

·     Configure IP address object groups. For information about the configuration procedure, see object group configuration in Security Configuration Guide.

·     Configure users and user groups. For information about the configuration procedures, see user identification configuration in Security Configuration Guide.

·     Configure security zones. For information about the configuration procedure, see security zone configuration in Security Configuration Guide.

Creating a NetShare control policy

Restrictions and guidelines

The device supports only one NetShare control policy.

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Create a NetShare control policy and enter its view.

policy name policy-name

4.     (Optional.) Configure a description for the NetShare control policy.

description string

By default, a NetShare control policy does not have a description.

Configuring NetShare inspection filtering criteria

About this task

In the NetShare control policy, you can configure multiple criteria of different criterion types to filter the packets to be analyzed for NetShare inspection. A packet must match a minimum of one criterion in each configured criterion type to be inspected by the NetShare control module.

The following filtering criterion types are supported:

·     Source IP address.

·     Destination IP address.

·     Source security zone.

·     Destination security zone.

·     User, including username- and user group-based filtering criteria.

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Enter NetShare control policy view.

policy name policy-name

4.     Configure source and destination security zone criteria:

¡     Configure a source security zone criterion.

source-zone zone-name

By default, the NetShare control policy does not contain any source security zone criterion.

¡     Configure a destination security zone criterion.

destination-zone zone-name

By default, the NetShare control policy does not contain any destination security zone criterion.

5.     Configure source and destination address criteria:

¡     Configure a source address criterion.

source-address { ipv4 | ipv6 } object-group-name

By default, the NetShare control policy does not contain any source address criterion.

¡     Configure a destination address criterion.

destination-address { ipv4 | ipv6 } object-group-name

By default, the NetShare control policy does not contain any destination address criterion.

6.     Configure user and user group criteria:

¡     Configure a user criterion.

user username [ domain domain-name ]

By default, the NetShare control policy does not contain any user criterion.

¡     Configure a user group criterion.

user-group user-group-name [ domain domain-name ]

By default, the NetShare control policy does not contain any user group criterion.

Enabling IPID trail tracking

About this task

By default, the device uses only the APR-based detection method to detect NetShare behaviors. APR-based NetShare detection uses the APR signature library to inspect only specific applications, such as QQ and WeChat. If an application is encrypted, APR-based NetShare detection cannot inspect its packets. To meet the NetShare control requirements of various application scenarios, you can enable the IPID trail tracking method so the device can use both detection methods for NetShare behavior detection.

Restrictions and guidelines

IPID trail tracking can detect only endpoints running the Windows operating system, whose packets carry IPID field values that change in a regular pattern. Mobile endpoints are not supported.

IPID trail tracking supports only IPv4 packets.

IPID trail tracking might degrade the device performance. Enable it only when explicitly required.
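To make the IPID trail tracking method concrete, here is an added Python example (not H3C's implementation, whose internals the guide does not describe). It relies on the behavior the restrictions above allude to: a Windows host classically increments the IPv4 Identification field by one per packet it sends, so packets from one host form a rising trail, and several hosts NATed behind one source IP produce several interleaved trails. The max_gap and min_trail_len thresholds, the IpidTrailTracker class and the sample packets are constructed for this example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

IPID_MODULUS = 1 << 16   # the IPv4 Identification field is 16 bits wide


class IpidTrailTracker:
    """Constructed example of IPID trail tracking (not H3C's implementation).

    Each source IP keeps a list of trails; a trail is the list of IPIDs that
    continued it. The number of trails that have grown to a useful length is
    the estimated number of endpoints behind the address. max_gap and
    min_trail_len are tuning assumptions made for this example."""

    def __init__(self, max_gap: int = 16, min_trail_len: int = 3):
        self.max_gap = max_gap                 # IPID may advance this far between observed packets
        self.min_trail_len = min_trail_len     # shorter trails are not counted as endpoints
        self.trails: Dict[str, List[List[int]]] = defaultdict(list)

    def observe(self, src_ip: str, ipid: int) -> None:
        """Attach an IPID to the first trail it continues, else start a new trail."""
        for trail in self.trails[src_ip]:
            gap = (ipid - trail[-1]) % IPID_MODULUS   # modulo handles wrap-around at 65535
            if 1 <= gap <= self.max_gap:
                trail.append(ipid)
                return
        self.trails[src_ip].append([ipid])

    def endpoint_count(self, src_ip: str) -> int:
        """Only trails that reached min_trail_len count. A stack that randomises
        its IPID never builds a trail, so it is ignored rather than inflating
        the count; this is also why such endpoints cannot be detected."""
        return sum(1 for t in self.trails[src_ip] if len(t) >= self.min_trail_len)


def analyse(observations: List[Tuple[str, int]]) -> Dict[str, int]:
    """Feed (source IP, IPID) observations in arrival order; return endpoints per IP."""
    tracker = IpidTrailTracker()
    for src_ip, ipid in observations:
        tracker.observe(src_ip, ipid)
    return {ip: tracker.endpoint_count(ip) for ip in tracker.trails}


# Constructed sample: two Windows hosts NATed behind 10.1.1.5 (interleaved trails),
# one host behind 10.1.1.6 whose trail wraps around 65535, and a host behind
# 10.1.1.7 that randomises its IPID (not detectable by this method).
SAMPLE = [
    ("10.1.1.5", 1000), ("10.1.1.5", 40000), ("10.1.1.5", 1001), ("10.1.1.5", 40002),
    ("10.1.1.5", 1002), ("10.1.1.5", 40004), ("10.1.1.5", 1003), ("10.1.1.5", 40006),
    ("10.1.1.6", 65534), ("10.1.1.6", 65535), ("10.1.1.6", 0), ("10.1.1.6", 1),
    ("10.1.1.7", 51234), ("10.1.1.7", 3), ("10.1.1.7", 29999), ("10.1.1.7", 12000), ("10.1.1.7", 45000),
]

if __name__ == "__main__":
    print(analyse(SAMPLE))   # {'10.1.1.5': 2, '10.1.1.6': 1, '10.1.1.7': 0}
```

The count returned for an address is what the per-ip-shared max-terminals limit would be compared against. The 10.1.1.7 case shows the limitation the restrictions state: an endpoint whose IPID values do not change regularly leaves no trail and is not counted, so IPID trail tracking complements APR-based detection rather than replacing it.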

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Enter NetShare control policy view.

policy name policy-name

4.     Enable IPID trail tracking in the NetShare control policy.

ipid-trail enable

By default, IPID trail tracking is disabled in the NetShare control policy. The device uses only the APR feature to detect NetShare behaviors.

Setting the maximum number of endpoints sharing an IP address

About this task

If the number of endpoints sharing an IP address exceeds the limit, the device will take the NetShare control action set in the NetShare control policy.

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Enter NetShare control policy view.

policy name policy-name

4.     Set the maximum number of endpoints that can share an IP address.

per-ip-shared max-terminals number

By default, the number of endpoints that can share an IP address is not limited.

Setting the NetShare control action

About this task

The NetShare control action is taken when the number of endpoints sharing an IP address exceeds the limit.

The following NetShare control actions are supported:

·     Freeze—Freezes the shared IP address for the specified freezing time. All packets sourced from the frozen IP address will be dropped.

·     Permit—Permits the packets sourced from the IP address to pass through.

·     Logging—Logs the NetShare control event.

Restrictions and guidelines

The logging keyword enables the NetShare control module to log NetShare control events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output NetShare control logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view NetShare control logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Enter NetShare control policy view.

policy name policy-name

4.     Set the NetShare control action.

action { freeze freeze-time | permit } [ logging ]

By default, the NetShare control policy uses the permit action.

Activating NetShare control policy settings

About this task

After you create or delete a NetShare control policy, perform this task to activate the configuration.

Restrictions and guidelines

This task can cause temporary outage for all DPI services. As a best practice, perform the task after all DPI service policy and rule settings are complete.

For more information about activating DPI service module configuration, see DPI engine configuration in DPI Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Activate NetShare control policy settings.

inspect activate

By default, NetShare control policy creation and deletion do not take effect.

Disabling the NetShare control policy

About this task

If the NetShare control feature is not required on the network, disable the NetShare control policy.

Restrictions and guidelines

The device supports only one NetShare control policy. After you disable the NetShare control policy, the NetShare control feature no longer takes effect.

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Enter NetShare control policy view.

policy name policy-name

4.     Disable the NetShare control policy.

disable

By default, a NetShare control policy is enabled.

Manually freezing and unfreezing a shared IP address

About this task

You can manually unfreeze a frozen IP address or freeze a shared IP address that is not in frozen state.

Procedure

1.     Enter system view.

system-view

2.     Enter NetShare control configuration view.

netshare-control

3.     Manually freeze a shared IP address.

freeze { ipv4 | ipv6 } ip-address [ vpn-instance vpn-instance-name ] time freeze-time

4.     Manually unfreeze a frozen IP address.

unfreeze { ipv4 | ipv6 } ip-address [ vpn-instance vpn-instance-name ]

Display and maintenance commands for NetShare control

Execute display commands in any view.

Task: Display NetShare control information about shared IP addresses.

Command: display netshare-control [ { ipv4 | ipv6 } ip-address | status { frozen | unfrozen } ] [ slot slot-number ]

NetShare control configuration examples

Example: Configuring NetShare control

Network configuration

As shown in Figure 2, the device connects to the LAN and Internet through security zones Trust and Untrust, respectively.

Configure NetShare control on the device to meet the following requirements:

·     Monitor the packets sent by the hosts on the LAN to the Internet for network sharing behavior inspection.

·     If an IP address is detected to be shared by more than one host for Internet access, NetShare control freezes the IP address for 1 hour and logs the event.

Figure 2 Network diagram


Procedure

1.     Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and security policies. Make sure the network connections are available. (Details not shown.)

2.     Configure the NetShare control policy:

# Enter NetShare control configuration view.

<Device> system-view

[Device] netshare-control

# Create a NetShare control policy named a and enter its view.

[Device-netshare-control] policy name a

# Set security zone trust as a source security zone filtering criterion in the NetShare control policy.

[Device-netshare-control-policy-a] source-zone trust

# Set security zone untrust as a destination security zone filtering criterion in the NetShare control policy.

[Device-netshare-control-policy-a] destination-zone untrust

# Set the maximum number of endpoints that can share an IP address to 1.

[Device-netshare-control-policy-a] per-ip-shared max-terminals 1

# Configure NetShare control to freeze an IP address for 1 hour if the number of endpoints sharing the IP address exceeds the limit and to log the event.

[Device-netshare-control-policy-a] action freeze 60 logging

[Device-netshare-control-policy-a] quit

[Device-netshare-control] quit

# Activate the NetShare control policy settings.

[Device] inspect activate

Verifying the configuration

# Verify that if a host on the LAN accesses the Internet by using a shared IP address through a proxy, the device can detect the network sharing behavior and will freeze the shared IP address for 1 hour and log the event. (Details not shown.)

 
