H3C Access Controllers Command References (R5426P02-6W104)

16-Security Command Reference

23-DPI engine commands

DPI engine commands

The following compatibility matrixes show the support of hardware platforms for the DPI engine:

| Hardware series | Model | Product code | DPI engine compatibility |
| --- | --- | --- | --- |
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | Yes |
| WX2500H series | WX2508H-PWR-LTE | EWP-WX2508H-PWR-LTE | Yes |
| WX2500H series | WX2510H | EWP-WX2510H-PWR | Yes |
| WX2500H series | WX2510H-F | EWP-WX2510H-F-PWR | Yes |
| WX2500H series | WX2540H | EWP-WX2540H | Yes |
| WX2500H series | WX2540H-F | EWP-WX2540H-F | Yes |
| WX2500H series | WX2560H | EWP-WX2560H | Yes |
| WX3000H series | WX3010H | EWP-WX3010H | Yes |
| WX3000H series | WX3010H-X | EWP-WX3010H-X-PWR | Yes |
| WX3000H series | WX3010H-L | EWP-WX3010H-L-PWR | No |
| WX3000H series | WX3024H | EWP-WX3024H | Yes |
| WX3000H series | WX3024H-L | EWP-WX3024H-L-PWR | No |
| WX3000H series | WX3024H-F | EWP-WX3024H-F | Yes |
| WX3500H series | WX3508H | EWP-WX3508H | Yes |
| WX3500H series | WX3510H | EWP-WX3510H | Yes |
| WX3500H series | WX3520H | EWP-WX3520H | Yes |
| WX3500H series | WX3520H-F | EWP-WX3520H-F | Yes |
| WX3500H series | WX3540H | EWP-WX3540H | Yes |
| WX5500E series | WX5510E | EWP-WX5510E | Yes |
| WX5500E series | WX5540E | EWP-WX5540E | Yes |
| WX5500H series | WX5540H | EWP-WX5540H | Yes |
| WX5500H series | WX5560H | EWP-WX5560H | Yes |
| WX5500H series | WX5580H | EWP-WX5580H | Yes |
| Access controller modules | LSUM1WCME0 | LSUM1WCME0 | Yes |
| Access controller modules | EWPXM1WCME0 | EWPXM1WCME0 | Yes |
| Access controller modules | LSQM1WCMX20 | LSQM1WCMX20 | Yes |
| Access controller modules | LSUM1WCMX20RT | LSUM1WCMX20RT | Yes |
| Access controller modules | LSQM1WCMX40 | LSQM1WCMX40 | Yes |
| Access controller modules | LSUM1WCMX40RT | LSUM1WCMX40RT | Yes |
| Access controller modules | EWPXM2WCMD0F | EWPXM2WCMD0F | Yes |
| Access controller modules | EWPXM1MAC0F | EWPXM1MAC0F | Yes |

| Hardware series | Model | Product code | DPI engine compatibility |
| --- | --- | --- | --- |
| WX1800H series | WX1804H | EWP-WX1804H-PWR | Yes |
| WX1800H series | WX1810H | EWP-WX1810H-PWR | Yes |
| WX1800H series | WX1820H | EWP-WX1820H | Yes |
| WX1800H series | WX1840H | EWP-WX1840H-GL | Yes |
| WX3800H series | WX3820H | EWP-WX3820H-GL | No |
| WX3800H series | WX3840H | EWP-WX3840H-GL | No |
| WX5800H series | WX5860H | EWP-WX5860H-GL | No |

app-profile

Use app-profile to create a deep packet inspection (DPI) application profile and enter its view, or enter the view of an existing DPI application profile.

Use undo app-profile to delete a DPI application profile.

Syntax

app-profile profile-name

undo app-profile profile-name

Default

No DPI application profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a DPI application profile name. The profile name is a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, and underscores (_).

Usage guidelines

The DPI application profile is a security service template that can include DPI service policies such as URL filtering policy.

Examples

# Create a DPI application profile named abc and enter its view.

<Sysname> system-view

[Sysname] app-profile abc

[Sysname-app-profile-abc]

display inspect status

Use display inspect status to display the status of the DPI engine.

Syntax

display inspect status

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the status of the DPI engine.

<Sysname> display inspect status

Chassis 0 Slot 1:

 Running status: normal

Table 1 Command output

| Field | Description |
| --- | --- |
| Running status | Status of the DPI engine: bypass by configure (the DPI engine cannot process packets because of a configuration error), bypass by cpu busy (the DPI engine cannot process packets because of excessive CPU usage), or normal (the DPI engine is running correctly). |
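A bypassed engine means the DPI policies applied on that slot are silently not enforced, so the status is worth polling from a monitoring job. The following Python script is an added example, not part of the H3C command reference: it parses the output format shown above for several slots and lists every slot whose engine is not in the normal state. The two-slot sample output is constructed, and the function names are the example's own.

```python
import re

# Constructed sample output in the format shown above (not captured from a real
# device): two slots, one of which has fallen back to bypass because of CPU load.
SAMPLE_OUTPUT = """\
Chassis 0 Slot 1:
 Running status: normal
Chassis 0 Slot 2:
 Running status: bypass by cpu busy
"""

# Meaning of each status value, taken from the command output table.
STATUS_MEANING = {
    "normal": "DPI engine is running correctly",
    "bypass by configure": "DPI engine cannot process packets because of a configuration error",
    "bypass by cpu busy": "DPI engine cannot process packets because of excessive CPU usage",
}

SLOT_RE = re.compile(r"^Chassis (\d+) Slot (\d+):\s*$")
STATUS_RE = re.compile(r"^\s*Running status:\s*(.+?)\s*$")


def parse_inspect_status(text):
    """Return {(chassis, slot): status} parsed from 'display inspect status' output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            continue
        m = STATUS_RE.match(line)
        if m and current is not None:
            result[current] = m.group(1)
    return result


def bypassed_slots(status_by_slot):
    """List (chassis, slot, status, meaning) for every slot whose engine is not
    'normal'. Unknown status strings are reported rather than ignored, so a new
    firmware value does not hide a bypass."""
    findings = []
    for (chassis, slot), status in sorted(status_by_slot.items()):
        if status != "normal":
            meaning = STATUS_MEANING.get(status, "unknown status value")
            findings.append((chassis, slot, status, meaning))
    return findings


if __name__ == "__main__":
    parsed = parse_inspect_status(SAMPLE_OUTPUT)
    for chassis, slot, status, meaning in bypassed_slots(parsed):
        print(f"ALERT chassis {chassis} slot {slot}: {status} ({meaning})")
```

Feed the script the text returned by the command over SSH or NETCONF and raise an alert whenever the returned list is not empty; an empty list means every slot reported normal.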

 

inspect activate

Use inspect activate to activate the policy and rule configurations for DPI service modules.

Syntax

inspect activate

Default

The creation, modification, and deletion of DPI service policies and rules do not take effect.

Views

System view

Predefined user roles

network-admin

Usage guidelines

You can use the inspect activate command to manually validate the policy and rule configurations for DPI service modules. This operation produces the same effect as saving the configurations and rebooting the device.

The inspect activate command can cause temporary service disruptions. As a best practice, execute this command after all DPI service policy and rule configurations are complete.

Examples

# Activate the policy and rule configurations for DPI service modules.

<Sysname> system-view

[Sysname] inspect activate

inspect bypass

Use inspect bypass to disable the DPI engine.

Use undo inspect bypass to enable the DPI engine.

Syntax

inspect bypass

undo inspect bypass

Default

The DPI engine is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Packet inspection in the DPI engine is a complex and resource-consuming process. When the CPU usage is high, you can disable the DPI engine to guarantee the device performance. After you disable the DPI engine, packets will not be processed by DPI.

Examples

# Disable the DPI engine.

<Sysname> system-view

[Sysname] inspect bypass

Related commands

display inspect status

inspect cache-option maximum

Use inspect cache-option maximum to set the maximum number of options to be cached per TCP/UDP data flow for further inspection.

Use undo inspect cache-option to restore the default.

Syntax

inspect cache-option maximum max-number

undo inspect cache-option

Default

The DPI engine can cache a maximum of 32 options per TCP/UDP data flow.

Views

System view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of options to be cached per TCP/UDP data flow. The value range is 1 to 254.

Usage guidelines

An inspection rule can contain multiple AC patterns, and each AC pattern can be associated with multiple options. A TCP/UDP data flow matches an inspection rule only if the packets of the flow match all the AC patterns and options in the rule.

If a packet of a TCP/UDP data flow matches one AC pattern in an inspection rule, the DPI engine cannot yet determine whether the flow matches the rule. It continues to match subsequent packets of the flow against the remaining options and AC patterns in the rule. Any options that cannot be matched on the current packet are cached and matched against subsequent packets. The DPI engine determines that the flow matches the rule only when all options and AC patterns in the rule have matched.

The more options the DPI engine caches, the more likely it is to identify the application and the more accurate its inspection. However, caching more options requires more memory. If the device has high memory usage, configure the DPI engine to cache fewer options to improve the device performance.

Typically, the default setting is sufficient for most scenarios.

Examples

# Configure the DPI engine to cache a maximum of four options per TCP/UDP data flow for further inspection.

<Sysname> system-view

[Sysname] inspect cache-option maximum 4

inspect cpu-threshold disable

Use inspect cpu-threshold disable to disable inspection suspension upon excessive CPU usage.

Use undo inspect cpu-threshold disable to enable inspection suspension upon excessive CPU usage.

Syntax

inspect cpu-threshold disable

undo inspect cpu-threshold disable

Default

Inspection suspension upon excessive CPU usage is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Packet inspection in the DPI engine is a complex and resource-consuming process. When the device's CPU usage is below the CPU usage threshold, the DPI engine inspects the whole packet data in a stream. When the device's CPU usage reaches the threshold, inspection suspension upon excessive CPU usage is triggered and the DPI engine inspects packets as follows:

·     If stream fixed length inspection is disabled, the DPI engine suspends packet inspection to guarantee the device performance.

·     If stream fixed length inspection is enabled, the DPI engine inspects only a fixed length of data for a stream and ignores the remaining stream data.

If you disable inspection suspension upon excessive CPU usage, the DPI engine continues to inspect the whole packet data in a stream even when the CPU usage threshold is reached. Disabling inspection suspension upon excessive CPU usage is not recommended if the device's CPU usage is high.

Examples

# Disable inspection suspension upon excessive CPU usage.

<Sysname> system-view

[Sysname] inspect cpu-threshold disable

Related commands

display inspect status

inspect bypass

inspect stream-fixed-length disable

inspect logging parameter-profile

Use inspect logging parameter-profile to create a logging parameter profile and enter its view, or enter the view of an existing logging parameter profile.

Use undo inspect logging parameter-profile to delete a logging parameter profile.

Syntax

inspect logging parameter-profile parameter-name

undo inspect logging parameter-profile parameter-name

Default

No logging parameter profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

parameter-name: Specifies a logging parameter profile name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In logging parameter profile view, you can set parameters for the logging action, such as the log output method.

Examples

# Create a logging parameter profile named log1 and enter its view.

<Sysname> system-view

[Sysname] inspect logging parameter-profile log1

[Sysname-inspect-logging-para-log1]

Related commands

log

inspect optimization disable

Use inspect optimization disable to disable a DPI engine optimization feature.

Use undo inspect optimization disable to enable a DPI engine optimization feature.

Syntax

inspect optimization [ chunk | no-acsignature | raw | uncompress | url-normalization ] disable

undo inspect optimization [ chunk | no-acsignature | raw | uncompress | url-normalization ] disable

Default

All DPI engine optimization features are enabled.

Views

System view

Predefined user roles

network-admin

Parameters

chunk: Specifies the chunked packet decoding feature.

no-acsignature: Specifies the inspection rules that do not contain AC patterns.

raw: Specifies the application layer payload decoding feature.

uncompress: Specifies the HTTP body uncompression feature.

url-normalization: Specifies the HTTP URL normalization feature.

Usage guidelines

If you do not specify any parameter, this command applies to all DPI engine optimization features.

DPI engine supports the following optimization features:

·     Chunked packet decoding—Chunk is a packet transfer mechanism of the HTTP body. DPI engine must decode a chunked HTTP body before it inspects the HTTP body. When the device throughput is too low to ensure basic communication, you can disable DPI engine from decoding chunked packets to improve the device performance. However, when chunked packet decoding is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.

·     Inspection rules that do not contain AC patterns—Inspection rules that do not contain AC patterns contain only options. These rules match packets by fields such as port numbers and error codes rather than by character strings. These rules by default are enabled to improve the inspection accuracy. However, when the device throughput is too low to ensure basic communication, you can disable these rules to improve the device performance.

·     Application layer payload decoding—For application layer protocols featuring encoding and decoding, such as HTTP, SMTP, POP3, and IMAP4, DPI engine must decode the payload before inspection. When the device throughput is too low to ensure basic communication, you can disable DPI engine from decoding application layer payloads to improve the device performance. However, disabling application layer payload decoding affects the inspection accuracy of the DPI engine.

·     HTTP body uncompression—If the HTTP body field is compressed, DPI engine must uncompress the body before inspection. When the device throughput is too low to ensure basic communication, you can disable DPI engine from uncompressing the HTTP body field to improve the device performance. However, when HTTP body uncompression is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.

·     HTTP URL normalization—HTTP URL normalization is the process by which the absolute path in a URL is normalized and special URLs are standardized and checked. For example, the absolute path test/dpi/../index.html is normalized as test/index.html. When the device throughput is too low to ensure basic communication, you can disable DPI engine from normalizing HTTP URLs to improve the device performance. However, when HTTP URL normalization is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.
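The following Python script is an added illustration of why the chunked packet decoding and HTTP URL normalization features matter; it is not code from the H3C product. It models an inspector that holds two constructed rules (a URL path substring and a body keyword) and shows that the same request is detected only when the inspected form is the decoded and normalized one, which is what the engine loses when these features are disabled. Rule contents, the sample request and all function names are the example's own.

```python
# Constructed inspection rules (not from the page): a substring looked for in the
# normalized URL path and a keyword looked for in the decoded HTTP body.
URL_RULES = ["admin/config"]
BODY_RULES = ["this is a secret"]


def normalize_path(path):
    """Resolve '.' and '..' segments the way HTTP URL normalization does,
    e.g. 'test/dpi/../index.html' -> 'test/index.html'."""
    absolute = path.startswith("/")
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    result = "/".join(parts)
    return "/" + result if absolute else result


def decode_chunked(body):
    """Decode an HTTP chunked transfer-encoded body (bytes) into the plain payload.
    Raises ValueError on malformed input instead of guessing."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            return bytes(out)  # last chunk; trailers are ignored here
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing chunk terminator")
        pos += 2


def inspect_request(path, chunked_body, url_normalization=True, chunk_decoding=True):
    """Return the rules matched for one request. With a feature disabled, the raw
    form is inspected instead, which is the effect of 'inspect optimization
    url-normalization disable' or 'inspect optimization chunk disable'."""
    hits = []
    target_path = normalize_path(path) if url_normalization else path
    for pattern in URL_RULES:
        if pattern in target_path:
            hits.append("url:" + pattern)
    try:
        target_body = decode_chunked(chunked_body) if chunk_decoding else chunked_body
    except ValueError:
        target_body = chunked_body  # undecodable body: fall back to the raw bytes
    for pattern in BODY_RULES:
        if pattern.encode() in target_body:
            hits.append("body:" + pattern)
    return hits


# Constructed request: the path reaches admin/config through a '..' segment and
# the body keyword is split across two chunks (7 and 9 bytes).
SAMPLE_PATH = "admin/public/../config"
SAMPLE_BODY = b"7\r\nthis is\r\n9\r\n a secret\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(inspect_request(SAMPLE_PATH, SAMPLE_BODY))
    print(inspect_request(SAMPLE_PATH, SAMPLE_BODY,
                          url_normalization=False, chunk_decoding=False))
```

With both features enabled the request matches both rules; with both disabled it matches neither, which is the accuracy loss the guidelines above warn about when these features are turned off for throughput reasons.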

Examples

# Disable all DPI engine optimization features.

<Sysname> system-view

[Sysname] inspect optimization disable

inspect packet maximum

Use inspect packet maximum to set the maximum number of payload-carrying packets to be inspected per data flow.

Use undo inspect packet to restore the default.

Syntax

inspect packet maximum max-number

undo inspect packet

Default

The DPI engine can inspect a maximum of 32 payload-carrying packets per data flow.

Views

System view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of payload-carrying packets to be inspected per data flow, in the range of 1 to 254.

Usage guidelines

If DPI engine finds that the first payload-carrying packet of a data flow does not match any inspection rule, it continues to inspect the next payload-carrying packet, and so on. If DPI engine has inspected the maximum number of payload-carrying packets but finds no matching inspection rule, it determines the flow does not match any rule and allows the flow to pass.

The more payload-carrying packets DPI engine inspects, the more likely that DPI engine identifies the application information and the more accurate the DPI engine inspection.

Typically, the default setting is sufficient for most scenarios. You can adjust the setting according to your network condition.

·     If the device throughput is high, increase the maximum number value.

·     If the device throughput is low, decrease the maximum number value.
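The following Python script is an added model of the per-flow matching described under inspect cache-option maximum and inspect packet maximum; it is not the vendor's implementation. A rule holds AC patterns (byte strings searched in the payload) and options (checks on packet fields); the engine inspects only the first max-number payload-carrying packets, and options left unmatched after a pattern hit are cached for later packets up to the cache limit. What happens to options beyond the cache limit is not stated on the page; this model assumes they are discarded, so the rule can no longer complete. The rule, option names, packet fields and sample flow are constructed for the illustration.

```python
class Rule:
    """An inspection rule: AC patterns (byte strings searched in the payload) and
    options (checks on packet fields). A flow matches only when all of them match."""

    def __init__(self, name, ac_patterns, options):
        self.name = name
        self.ac_patterns = list(ac_patterns)
        self.options = dict(options)  # option name -> predicate(packet) -> bool


def inspect_flow(packets, rules, packet_maximum=32, cache_option_maximum=32):
    """Return the name of the first rule the flow matches, or None if the flow is
    allowed because no rule completed within the inspection limits.

    packets: dicts with a 'payload' (bytes) plus any fields the options inspect.
    Only the first packet_maximum payload-carrying packets are inspected. Once a
    rule's AC pattern has matched, options that fail on the current packet are
    cached for later packets; at most cache_option_maximum are kept per rule and
    (an assumption of this model) the rest are discarded."""
    progress = {r.name: {"patterns": set(), "options": set(), "dropped": set()}
                for r in rules}
    inspected = 0
    for pkt in packets:
        if not pkt["payload"]:
            continue                  # only payload-carrying packets count
        if inspected >= packet_maximum:
            break                     # inspection budget exhausted: allow the flow
        inspected += 1
        for rule in rules:
            st = progress[rule.name]
            for pat in rule.ac_patterns:
                if pat in pkt["payload"]:
                    st["patterns"].add(pat)
            if not st["patterns"]:
                continue              # no pattern hit yet: nothing to track
            pending = []
            for name, check in rule.options.items():
                if name in st["options"] or name in st["dropped"]:
                    continue
                if check(pkt):
                    st["options"].add(name)
                else:
                    pending.append(name)
            st["dropped"].update(pending[cache_option_maximum:])
            if (len(st["patterns"]) == len(rule.ac_patterns)
                    and len(st["options"]) == len(rule.options)):
                return rule.name
    return None


RULES = [
    Rule("demo-app",
         ac_patterns=[b"LOGIN", b"TOKEN"],
         options={
             "dst_port_8080": lambda p: p.get("dst_port") == 8080,
             "long_payload": lambda p: len(p["payload"]) >= 12,
             "flag_set": lambda p: p.get("flag") == "X",
         }),
]

# Constructed flow: one empty ACK, then three payload-carrying packets. The rule
# completes only on the third payload packet.
SAMPLE_FLOW = [
    {"payload": b"", "dst_port": 8080},
    {"payload": b"LOGIN", "dst_port": 8080},
    {"payload": b"hello world!!", "dst_port": 8080},
    {"payload": b"TOKEN", "dst_port": 8080, "flag": "X"},
]

if __name__ == "__main__":
    print(inspect_flow(SAMPLE_FLOW, RULES))                          # demo-app
    print(inspect_flow(SAMPLE_FLOW, RULES, packet_maximum=2))        # None
    print(inspect_flow(SAMPLE_FLOW, RULES, cache_option_maximum=1))  # None
```

The three calls show the trade-off the guidelines describe: with the defaults the flow is identified on its third payload packet; with the packet limit lowered to 2 the engine stops before seeing the second pattern and allows the flow; with the option cache limited to 1 the second pending option is lost and the rule can never complete.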

Examples

# Allow the DPI engine to inspect a maximum of 16 payload-carrying packets per data flow for application identification.

<Sysname> system-view

[Sysname] inspect packet maximum 16

inspect redirect parameter-profile

Use inspect redirect parameter-profile to create a redirect parameter profile and enter its view, or enter the view of an existing redirect parameter profile.

Use undo inspect redirect parameter-profile to delete a redirect parameter profile.

Syntax

inspect redirect parameter-profile parameter-name

undo inspect redirect parameter-profile parameter-name

Default

No redirect parameter profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

parameter-name: Specifies a redirect parameter profile name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In redirect parameter profile view, you can set parameters for the redirect action, such as the URL to which packets are redirected.

Examples

# Create a redirect parameter profile named r1 and enter its view.

<Sysname> system-view

[Sysname] inspect redirect parameter-profile r1

[Sysname-inspect-redirect-r1]

inspect signature auto-update proxy

Use inspect signature auto-update proxy to specify the proxy server used by DPI services for online signature update.

Use undo inspect signature auto-update proxy to restore the default.

Syntax

inspect signature auto-update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name password { cipher | simple } string ]

undo inspect signature auto-update proxy

Default

The proxy server used by DPI services for online signature update is not specified.

Views

System view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies a proxy server by its domain name, a case-insensitive string of 3 to 63 characters.

ip ip-address: Specifies a proxy server by its IPv4 address.

port port-number: Specifies the port number used by the proxy server. The value range is 1 to 65535, and the default is 80.

user user-name: Specifies the username used to log in to the proxy server. The username is a case-insensitive string of 1 to 31 characters.

password: Specifies the password used to log in to the proxy server.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password in plaintext form will be stored in encrypted form.

string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 31 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.

Usage guidelines

The device must access the H3C website for online signature update of DPI services such as URL filtering. If direct connectivity is not available, the device can access the H3C website through the specified proxy server. For more information about online signature update, see DPI Configuration Guide.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify server http://www.abc.com/ on port 8888 as the proxy server and set the login username and password to admin.

<Sysname> system-view

[Sysname] inspect signature auto-update proxy domain www.abc.com port 8888 user admin password simple admin

inspect stream-fixed-length disable

Use inspect stream-fixed-length disable to disable the stream fixed length inspection feature.

Use undo inspect stream-fixed-length disable to enable the stream fixed length inspection feature.

Syntax

inspect stream-fixed-length disable

undo inspect stream-fixed-length disable

Default

The stream fixed length inspection feature is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The stream fixed length inspection feature enables the DPI engine to inspect only a fixed length of data for a stream when the CPU usage threshold is reached. When the device's CPU usage is below the threshold, the DPI engine inspects the whole packet data in a stream. For information about configuring the CPU usage threshold, see system management in System Management Configuration Guide.

This feature takes effect only when inspection suspension upon excessive CPU usage is enabled.

You can also disable this feature so the DPI engine can suspend packet inspection to guarantee the device performance when the CPU usage threshold is reached.

Examples

# Disable the stream fixed length inspection feature.

<Sysname> system-view

[Sysname] inspect stream-fixed-length disable

Related commands

inspect cpu-threshold disable

inspect stream-fixed-length

inspect stream-fixed-length

Use inspect stream-fixed-length to set the fixed data inspection length for application protocols.

Use undo inspect stream-fixed-length to restore the default.

Syntax

inspect stream-fixed-length { email | ftp | http } * length

undo inspect stream-fixed-length

Default

The fixed data inspection length is 32 Kilobytes for FTP, HTTP, and email protocols.

Views

System view

Predefined user roles

network-admin

Parameters

email: Specifies email protocols, including SMTP, POP3 and IMAP.

ftp: Specifies the FTP protocol.

http: Specifies the HTTP protocol.

length: Specifies the fixed data length in the range of 1 to 128 Kilobytes.

Usage guidelines

The larger the inspection length value, the lower the device throughput, and the higher the packet inspection accuracy.

Examples

# Set the fixed data inspection length to 35 Kilobytes for FTP and 40 Kilobytes for HTTP.

<Sysname> system-view

[Sysname] inspect stream-fixed-length ftp 35 http 40

Related commands

inspect cpu-threshold disable

inspect stream-fixed-length disable

inspect tcp-reassemble enable

Use inspect tcp-reassemble enable to enable the TCP segment reassembly feature.

Use undo inspect tcp-reassemble enable to disable the TCP segment reassembly feature.

Syntax

inspect tcp-reassemble enable

undo inspect tcp-reassemble enable

Default

The TCP segment reassembly feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

DPI engine inspection might fail if TCP segments arrive at the engine out of order. For example, suppose the DPI engine searches for the keywords "this is a secret". If the TCP segment containing "a secret" arrives before the one containing "this is", the inspection fails.

The TCP segment reassembly feature enables the device to cache out-of-order TCP segments of the same TCP flow and reassemble the segments before submitting them to the DPI engine for inspection. This improves the DPI engine inspection accuracy.

If the number of cached TCP segments of a flow reaches the limit and reassembly still fails because segments are missing, the device submits the cached segments to the DPI engine without reassembling them, along with all subsequent segments of the flow. This helps reduce degradation of the device performance.
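The following Python script is an added illustration of the reassembly behaviour described above and of the cache limit set with inspect tcp-reassemble max-segment; it is not the vendor's code. It uses the page's keyword example: the two segments carrying "this is " and "a secret" are constructed to arrive out of order, and a second constructed flow has a segment missing so the cache fills up. Segment offsets, the flows and the function names are the example's own.

```python
KEYWORD = b"this is a secret"

# Constructed out-of-order segments of one TCP flow as (sequence_offset, payload).
# The keyword spans two segments and the second half arrives first.
OUT_OF_ORDER = [(8, b"a secret"), (0, b"this is ")]

# Constructed flow with a hole: the segment at offset 0 never arrives.
MISSING_SEGMENT = [(8, b"a secret"), (16, b"more"), (20, b"data")]


def scan_unreassembled(segments, keyword=KEYWORD):
    """Inspect each segment's payload on its own in arrival order (no reassembly).
    This is what the engine sees when the reassembly feature is disabled."""
    return any(keyword in payload for _, payload in segments)


def reassemble_and_scan(segments, keyword=KEYWORD, max_segments=10):
    """Cache out-of-order segments and inspect only contiguous stream data.

    Returns (matched, flushed). If the cache reaches max_segments while a gap is
    still open, the cached segments are inspected as-is without reassembly and
    reordering stops for the flow (flushed=True), mirroring the guideline above.
    Overlapping or retransmitted segments are not modelled."""
    expected = 0          # next sequence offset the contiguous stream needs
    stream = bytearray()  # reassembled, in-order data handed to the inspector
    cache = {}            # out-of-order segments waiting for the gap to close
    for seq, payload in segments:
        cache[seq] = payload
        # Drain every cached segment that now continues the stream contiguously.
        while expected in cache:
            seg = cache.pop(expected)
            stream += seg
            expected += len(seg)
        if keyword in stream:
            return True, False
        if len(cache) >= max_segments:
            # Gap never closed: give up on reordering and scan the cache as-is.
            return any(keyword in p for p in cache.values()), True
    return keyword in stream, False


if __name__ == "__main__":
    print(scan_unreassembled(OUT_OF_ORDER))                  # False: keyword split
    print(reassemble_and_scan(OUT_OF_ORDER))                 # (True, False)
    print(reassemble_and_scan(MISSING_SEGMENT, max_segments=3))  # (False, True)
```

The first call shows the failure the guideline describes, the second shows reassembly closing the gap before inspection, and the third shows the cache limit forcing the device to hand over unreassembled segments once the missing data cannot be waited for.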

Examples

# Enable the TCP segment reassembly feature.

<Sysname> system-view

[Sysname] inspect tcp-reassemble enable

Related commands

inspect tcp-reassemble max-segment

inspect tcp-reassemble max-segment

Use inspect tcp-reassemble max-segment to set the maximum number of TCP segments that can be cached per TCP flow.

Use undo inspect tcp-reassemble max-segment to restore the default.

Syntax

inspect tcp-reassemble max-segment max-number

undo inspect tcp-reassemble max-segment

Default

A maximum of 10 TCP segments can be cached for reassembly per TCP flow.

Views

System view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of TCP segments that can be cached per TCP flow, in the range of 10 to 50.

Usage guidelines

Set the limit for the number of TCP segments that can be cached per flow according to your network requirements. The higher the limit, the higher the inspection accuracy, and the lower the device performance.

This command takes effect only when the TCP segment reassembly feature is enabled.

Examples

# Allow the device to cache a maximum of 20 TCP segments for each TCP flow.

<Sysname> system-view

[Sysname] inspect tcp-reassemble max-segment 20

Related commands

inspect tcp-reassemble enable

log

Use log to specify the log storage method.

Use undo log to cancel the specified log storage method.

Syntax

log { email | syslog }

undo log { email | syslog }

Default

Logs are exported to the information center.

Views

Logging parameter profile view

Predefined user roles

network-admin

Parameters

email: Emails the logs to a receiver.

syslog: Exports the logs to the information center.

Examples

# Configure the device to export logs to the information center in logging parameter profile log1.

<Sysname> system-view

[Sysname] inspect logging parameter-profile log1

[Sysname-inspect-log-para-log1] log syslog

Related commands

inspect logging parameter-profile

redirect-url

Use redirect-url to specify the URL to which packets are redirected.

Use undo redirect-url to restore the default.

Syntax

redirect-url url-string

undo redirect-url

Default

No URL is specified for packet redirecting.

Views

Redirect parameter profile view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL, a case-sensitive string of 9 to 63 characters. The URL must start with http:// or https://, for example, http://www.baidu.com.

Usage guidelines

After you specify a URL, matching packets will be redirected to the webpage that the URL identifies.

Examples

# Specify http://www.abc.com/upload as the URL for packet redirecting.

<Sysname> system-view

[Sysname] inspect redirect parameter-profile r1

[Sysname-inspect-redirect-r1] redirect-url http://www.abc.com/upload

Related commands

inspect redirect parameter-profile