16-Security Configuration Guide

H3C Access Controllers Configuration Guides(R5426P02)-6W104

02-APR configuration

Configuring APR

About APR

The application recognition (APR) feature recognizes application protocols of packets for application-based services.

APR uses the following methods to recognize an application protocol:

·     Port-based application recognition (PBAR).

·     Network-based application recognition (NBAR).

PBAR

PBAR maps a port to an application protocol and recognizes packets of the application protocol according to the port-protocol mapping.

PBAR supports the following port-protocol mappings:

·     Predefined—An application protocol uses the port defined by the system.

·     User-defined—An application protocol uses the port defined by the user.

PBAR offers the following mappings to maintain and apply user-defined port configuration:

·     General port mapping—Maps a user-defined port to an application protocol. All packets destined for that port are regarded as packets of the application protocol. For example, if port 2121 is mapped to FTP, all packets destined for that port are regarded as FTP packets.

·     Host-port mapping—Maps a user-defined port to an application protocol for packets to or from some specific hosts. For example, you can establish a host-port mapping so that all packets destined for the network segment 10.110.0.0/16 on port 2121 are regarded as FTP packets. To define the range of the hosts, you can specify the ACL, the host IP address range, or the subnet.

Host-port mapping can be further divided into the following categories:

¡     ACL-based host-port mapping—Maps a port to an application protocol for the packets matching the specified ACL.

¡     Subnet-based host-port mapping—Maps a port to an application protocol for the packets sent to the specified subnet.

¡     IP address-based host-port mapping—Maps a port to an application protocol for the packets destined for the specified IP addresses.

APR selects a port mapping to recognize the application protocol of a packet in the following order:

·     IP address-based port mapping.

·     Subnet-based port mapping.

·     ACL-based host-port mapping.

·     General port mapping.

For the same type of mappings, the port mapping with a transport layer protocol has higher priority than the mapping without a transport layer protocol.
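The selection order above can be modelled to audit which mapping wins for a given flow. This is an added example, not H3C code: the application names other than FTP, the addresses, and the callable that stands in for an ACL are constructed, and host and subnet mappings are assumed to match on the destination address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional

# Selection order from the guide: IP address, subnet, ACL, then general.
KIND_RANK = {"host": 0, "subnet": 1, "acl": 2, "general": 3}


@dataclass(frozen=True)
class PortMapping:
    kind: str                       # "host", "subnet", "acl" or "general"
    app: str
    port: int
    protocol: Optional[str] = None  # "tcp"/"udp"; None = no transport protocol set
    first_ip: Optional[str] = None  # host mapping: start of the address range
    last_ip: Optional[str] = None   # host mapping: optional end of the range
    subnet: Optional[str] = None    # subnet mapping: destination subnet
    acl: Optional[Callable[[str, str], bool]] = None  # stand-in for an ACL (assumption)

    def applies(self, src: str, dst: str, port: int, proto: str) -> bool:
        if port != self.port:
            return False
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.kind == "host":
            lo = ip_address(self.first_ip)
            hi = ip_address(self.last_ip or self.first_ip)
            d = ip_address(dst)
            return d.version == lo.version and lo <= d <= hi
        if self.kind == "subnet":
            return ip_address(dst) in ip_network(self.subnet)
        if self.kind == "acl":
            return self.acl(src, dst)
        return True  # general mapping: every packet destined for the port


def ranked(mappings: List[PortMapping], src: str, dst: str,
           port: int, proto: str) -> List[PortMapping]:
    """All mappings that apply to the flow, highest priority first."""
    hits = [m for m in mappings if m.applies(src, dst, port, proto)]
    # Within one kind, a mapping with a transport protocol outranks one without.
    return sorted(hits, key=lambda m: (KIND_RANK[m.kind], m.protocol is None))


def winner(mappings, src, dst, port, proto) -> Optional[str]:
    """Application chosen for the flow, or None if no user-defined mapping applies."""
    hits = ranked(mappings, src, dst, port, proto)
    return hits[0].app if hits else None


def shadowed(mappings, src, dst, port, proto) -> List[str]:
    """Applications whose mappings also apply but are overridden for this flow."""
    return [m.app for m in ranked(mappings, src, dst, port, proto)[1:]]


def partner_acl(src: str, dst: str) -> bool:
    # Constructed ACL stand-in: permits sources in 192.0.2.0/24.
    return ip_address(src) in ip_network("192.0.2.0/24")


# Constructed user-defined mappings, all on port 2121.
SAMPLE = [
    PortMapping("general", "ftp", 2121),
    PortMapping("general", "udp-tool", 2121, protocol="udp"),
    PortMapping("acl", "partner-ftp", 2121, acl=partner_acl),
    PortMapping("subnet", "legacy-xfer", 2121, subnet="10.110.0.0/16"),
    PortMapping("host", "backup-agent", 2121,
                first_ip="10.110.1.5", last_ip="10.110.1.9"),
]

if __name__ == "__main__":
    flow = ("198.51.100.1", "10.110.1.5", 2121, "tcp")
    print(winner(SAMPLE, *flow), "overrides", shadowed(SAMPLE, *flow))
```

A narrow mapping silently overrides a broader one on the same port, so listing the shadowed entries is a quick review step before relying on application-based policy for that port.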

NBAR

NBAR uses predefined or user-defined NBAR rules to match packet contents to recognize the application protocols of packets that match the applied object policy. Predefined NBAR rules are automatically generated from the APR signature library.

Application group

You can add application protocols that have similar signatures or restrictions to an application group. APR recognizes packets of the application protocols by matching the packet contents with the signatures or restrictions. If a packet is recognized as the packet of an application protocol in the application group, the packet is considered to be the packet of the application group. Application-based services can handle packets belonging to the same group in batch.

You can add application protocols to an application group by using the following methods:

·     Add application protocols one by one to the application group.

·     Copy application protocols from another application group to the application group.

APR signature library management

APR signature library

The APR signature library is a resource library of character string signatures for application recognition. It includes PBAR and NBAR signatures. To meet the changing requirements for application recognition, you must update the APR signature library in a timely manner and roll back the APR signature library as needed.

APR signature library update

You can update the APR signature library by using one of the following methods:

·     Automatic update.

The device automatically downloads the most up-to-date APR signature file to update its local signature library periodically.

·     Triggered update.

The device downloads the most up-to-date APR signature file to update its local signature library immediately after you trigger the update operation.

·     Manual update.

Use this method when the device cannot obtain the APR signature file automatically.

You must first download the most up-to-date APR signature file manually. The device then obtains the downloaded file to update its local signature library.

APR signature library rollback

You can perform the rollback operation if a high error rate or an abnormality occurs when the device uses the current APR signature library for application recognition.

You can roll back the current APR signature library to the last version or to the factory version.

Restrictions: Hardware compatibility with APR

| Hardware series | Model | Product code | APR compatibility |
|---|---|---|---|
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | Yes |
| WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | Yes |
| WX3000H series | WX3010H, WX3010H-X, WX3010H-L, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | Yes |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | Yes |
| WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | Yes |
| WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | Yes |
| Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | Yes |

| Hardware series | Model | Product code | APR compatibility |
|---|---|---|---|
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H, EWP-WX1840H-GL | Yes |
| WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | No |
| WX5800H series | WX5860H | EWP-WX5860H-GL | No |

Restrictions: Licensing requirements for APR

A license is required for APR signature library update. After the license expires, APR can still use the existing signature library but cannot update the signature library. For information about licenses, see license management in License Management Configuration Guide.

APR tasks at a glance

To configure APR, perform the following tasks:

1.     Configuring PBAR

2.     Configuring a user-defined NBAR rule

3.     (Optional.) Configuring application groups

4.     (Optional.) Enabling application statistics on an interface

5.     (Optional.) Managing the APR signature library

Configuring PBAR

Hardware and feature compatibility

| Hardware series | Model | Product code | Feature compatibility |
|---|---|---|---|
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | Yes |
| WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | Yes |
| WX3000H series | WX3010H, WX3010H-X, WX3010H-L, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | Yes: WX3010H-L, WX3024H-L. No: WX3010H, WX3010H-X, WX3024H, WX3024H-F |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | No |
| WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | No |
| WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | No |
| Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | No |

| Hardware series | Model | Product code | Feature compatibility |
|---|---|---|---|
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H, EWP-WX1840H-GL | No |
| WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | No |
| WX5800H series | WX5860H | EWP-WX5860H-GL | No |

Procedure

1.     Enter system view.

system-view

2.     Configure a port mapping.

Choose the options to configure as needed:

¡     Configure a general port mapping:

port-mapping application application-name port port-number [ protocol protocol-name ]

¡     Configure an ACL-based host-port mapping:

port-mapping application application-name port port-number [ protocol protocol-name ] acl [ ipv6 ] acl-number

¡     Configure a subnet-based host-port mapping:

port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length }

¡     Configure an IP address-based host-port mapping:

port-mapping application application-name port port-number [ protocol protocol-name ] host { ip | ipv6 } start-ip-address [ end-ip-address ]

By default, all application protocols are mapped to well-known ports.

If the specified application protocol does not exist, the system first creates the protocol.

Configuring a user-defined NBAR rule

About this task

You can configure user-defined NBAR rules if predefined NBAR rules cannot meet user needs. The predefined NBAR rules cannot be deleted or modified.

For all NBAR rules to take effect, create a DPI application profile on the device. For information about DPI application profiles, see "Configuring DPI engine."

A user-defined NBAR rule can contain the following match criteria:

·     Signatures.

·     Destination IP subnet.

·     Source IP subnet.

·     Direction at which the application is recognized.

·     Port number.

You can configure more than one match criterion for the NBAR rule. To match the NBAR rule, packets must match all the configured match criteria in the rule. If multiple signatures are configured, packets must match a minimum of one signature.
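The matching logic described above (every configured criterion must match, and any one of several signatures is enough) can be modelled as follows. This is an added example, not H3C code: the rule, addresses and payloads are constructed, the `field` and `offset` signature options are not modelled, and hex signatures are written here as plain hex digits as a convention of the model only.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Signature:
    kind: str    # "hex", "regex" or "string", as in the signature command
    value: str

    def hit(self, payload: bytes) -> bool:
        if self.kind == "hex":
            return bytes.fromhex(self.value) in payload
        if self.kind == "regex":
            return re.search(self.value.encode(), payload) is not None
        return self.value.encode() in payload


@dataclass
class Packet:
    src: str
    dst: str
    direction: str   # "to-client" or "to-server"
    port: int        # service port of the flow (assumption of this model)
    payload: bytes


@dataclass
class NbarRule:
    app: str
    signatures: List[Signature] = field(default_factory=list)
    destination: Optional[str] = None              # destination IP subnet
    source: Optional[str] = None                   # source IP subnet
    direction: Optional[str] = None                # None = both directions
    service_port: Optional[Tuple[int, int]] = None # inclusive (start, end)
    enabled: bool = True


def unmet_criteria(rule: NbarRule, pkt: Packet) -> List[str]:
    """Names of configured criteria the packet fails; unset criteria are skipped."""
    failed = []
    # Signatures are alternatives: one hit satisfies the criterion.
    if rule.signatures and not any(s.hit(pkt.payload) for s in rule.signatures):
        failed.append("signature")
    if rule.destination and ip_address(pkt.dst) not in ip_network(rule.destination):
        failed.append("destination")
    if rule.source and ip_address(pkt.src) not in ip_network(rule.source):
        failed.append("source")
    if rule.direction and pkt.direction != rule.direction:
        failed.append("direction")
    if rule.service_port and not (
            rule.service_port[0] <= pkt.port <= rule.service_port[1]):
        failed.append("service-port")
    return failed


def matches(rule: NbarRule, pkt: Packet) -> bool:
    """A disabled rule recognizes nothing; otherwise all criteria must hold."""
    return rule.enabled and not unmet_criteria(rule, pkt)


# Constructed rule for a hypothetical in-house application.
RULE = NbarRule(
    app="inventory-sync",
    signatures=[Signature("string", "X-Inventory-Sync"),
                Signature("hex", "1f8b08")],
    destination="10.20.0.0/24",
    direction="to-server",
    service_port=(8000, 8100),
)

# Constructed packets.
HTTP_HIT = Packet("10.1.1.1", "10.20.0.15", "to-server", 8080,
                  b"POST /sync HTTP/1.1\r\nX-Inventory-Sync: 1\r\n\r\n")
GZIP_HIT = Packet("10.1.1.1", "10.20.0.15", "to-server", 8001,
                  b"\x1f\x8b\x08\x00compressed-body")
WRONG_PORT = Packet("10.1.1.1", "10.20.0.15", "to-server", 9000, b"hello")
REPLY = Packet("10.20.0.15", "10.20.0.99", "to-client", 8080,
               b"X-Inventory-Sync: ack")
```

Listing the unmet criteria, rather than returning only a yes or no, shows which part of a rule keeps expected traffic from being recognized.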

Hardware and feature compatibility

| Hardware series | Model | Product code | Feature compatibility |
|---|---|---|---|
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | Yes |
| WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | Yes |
| WX3000H series | WX3010H, WX3010H-X, WX3010H-L, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | Yes: WX3010H, WX3010H-X, WX3024H, WX3024H-F. No: WX3010H-L, WX3024H-L |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | Yes |
| WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | Yes |
| WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | Yes |
| Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | Yes |

| Hardware series | Model | Product code | Feature compatibility |
|---|---|---|---|
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H, EWP-WX1840H-GL | Yes |
| WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | No |
| WX5800H series | WX5860H | EWP-WX5860H-GL | No |

Procedure

1.     Enter system view.

system-view

2.     Create a user-defined NBAR rule and enter its view.

nbar application application-name protocol { http | tcp | udp }

3.     (Optional.) Configure the description of the NBAR rule.

description text

By default, the user-defined NBAR rule is described as User defined application.

4.     Configure a signature.

signature [ signature-id ] [ field field-name ] [ offset offset-value ] { hex hex-vector | regex regex-pattern | string string }

By default, no signatures are configured for an NBAR rule.

5.     (Optional.) Specify a destination IP subnet.

destination { ip ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] }

By default, an NBAR rule matches packets with any destination IP address.

In the current software version, the ipv6 ipv6-address [ prefix-length ] option is not supported. If you specify this option, the command does not take effect.

6.     (Optional.) Specify a source IP subnet.

source { ip ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] }

By default, an NBAR rule matches packets with any source IP address.

In the current software version, the ipv6 ipv6-address [ prefix-length ] option is not supported. If you specify this option, the command does not take effect.

7.     (Optional.) Specify a direction.

direction { to-client | to-server }

By default, an NBAR rule matches packets in both directions.

8.     (Optional.) Specify a port number or port range.

service-port { port-num | range start-port end-port }

By default, an NBAR rule matches packets of all port numbers.

9.     (Optional.) Set the maximum detected length.

apr set detectlen bytes

By default, the maximum detected length is not set for an NBAR rule.

10.     (Optional.) Disable the user-defined NBAR rule.

disable

By default, a user-defined NBAR rule is enabled.

11.     Activate the user-defined NBAR rule.

inspect activate

For information about this command, see DPI engine commands in Security Command Reference.

Configuring application groups

Hardware and feature compatibility

| Hardware series | Model | Product code | Feature compatibility |
|---|---|---|---|
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | Yes |
| WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | Yes |
| WX3000H series | WX3010H, WX3010H-X, WX3010H-L, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | Yes: WX3010H-L, WX3024H-L. No: WX3010H, WX3010H-X, WX3024H, WX3024H-F |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | No |
| WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | No |
| WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | No |
| Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | No |

| Hardware series | Model | Product code | Feature compatibility |
|---|---|---|---|
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H, EWP-WX1840H-GL | No |
| WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | No |
| WX5800H series | WX5860H | EWP-WX5860H-GL | No |

Procedure

1.     Enter system view.

system-view

2.     Create an application group and enter its view.

app-group group-name

3.     (Optional.) Configure the description of the application group.

description text

By default, the description is "User-defined application group".

4.     Add application protocols to the group.

Choose the options to configure as needed:

¡     Copy all application protocols from another group to the group.

copy app-group group-name

Execute this command multiple times to copy application protocols from multiple groups to the current group.

¡     Add an application protocol to the group.

include application application-name

By default, an application group does not contain any application protocols.

Enabling application statistics on an interface

About this task

When the application statistics feature is enabled on an interface, the device separately counts the number of packets or bytes that the interface has received or sent for each application protocol. It also calculates the transmission rates of the interface for these protocols.

To display application statistics, use the display application statistics command.

Hardware and feature compatibility

| Hardware series | Model | Product code | Feature compatibility |
|---|---|---|---|
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | Yes |
| WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | Yes |
| WX3000H series | WX3010H, WX3010H-X, WX3010H-L, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | Yes: WX3010H-L, WX3024H-L. No: WX3010H, WX3010H-X, WX3024H, WX3024H-F |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | No |
| WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | No |
| WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | No |
| Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | No |

| Hardware series | Model | Product code | Feature compatibility |
|---|---|---|---|
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H, EWP-WX1840H-GL | No |
| WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | No |
| WX5800H series | WX5860H | EWP-WX5860H-GL | No |

Restrictions and guidelines

The application statistics feature consumes a large amount of system memory. When the system generates an alarm for lack of memory, disable the application statistics feature on all interfaces.

Procedure

1.     Enter system view.

system-view

2.     Enter Layer 3 interface view.

interface interface-type interface-number

3.     Enable application statistics on the interface.

application statistics enable [ inbound | outbound ]

By default, this feature is disabled.

You can enable the application statistics feature in both the inbound and outbound directions of the interface.

Managing the APR signature library

Hardware compatibility with APR signature library management

| Hardware series | Model | Product code | APR signature library management compatibility |
|---|---|---|---|
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | Yes |
| WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | Yes |
| WX3000H series | WX3010H, WX3010H-X, WX3010H-L, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | Yes: WX3010H, WX3010H-X, WX3024H, WX3024H-F. No: WX3010H-L, WX3024H-L |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | Yes |
| WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | Yes |
| WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | Yes |
| Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | Yes |

| Hardware series | Model | Product code | APR signature library management compatibility |
|---|---|---|---|
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H, EWP-WX1840H-GL | Yes |
| WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | No |
| WX5800H series | WX5860H | EWP-WX5860H-GL | No |

Restrictions and guidelines for APR signature library management

For a successful APR signature library update or rollback, do not delete the /dpi/ folder in the root directory on the device storage media.

Do not update or roll back the APR signature library when the remaining system memory reaches any alarm threshold. Insufficient memory causes update or rollback failure and affects the operation of NBAR. For information about memory alarm thresholds, see device management in System Management Configuration Guide.

Scheduling an automatic update for the APR signature library

About this task

If the device can access the signature library services on the official website, you can schedule an automatic update. The automatic update enables the device to automatically update the local APR signature library at the scheduled update time.

Restrictions and guidelines

For a successful automatic update, make sure the following requirements are met:

·     The device can obtain the IP address of the official website through static or dynamic domain name resolution.

·     The device can access the signature library services on the official website.

For information about DNS, see Network Connectivity Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enable the automatic update feature and enter auto-update configuration view.

apr signature auto-update

By default, the automatic update feature is disabled.

3.     Configure the update schedule.

update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes

By default, the device automatically updates the APR signature library between 02:01:00 and 04:01:00 every day.

4.     (Optional.) Overwrite the current signature file.

override-current

By default, the current APR signature file is not overwritten for an update operation. Instead, the device will back up the current APR signature file.

Triggering an automatic update for the APR signature library

About this task

Whenever you find that a new signature version has been released on the official website, you can trigger the device to immediately update the local APR signature library.

Restrictions and guidelines

For a successful triggered update, make sure the following requirements are met:

·     The device can obtain the IP address of the official website through static or dynamic domain name resolution.

·     The device can access the signature library services on the official website.

For information about DNS, see Network Connectivity Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Trigger an automatic update for the APR signature library.

apr signature auto-update-now

Performing a manual update for the APR signature library

About this task

If the device cannot access the signature library services on the official website, use one of the following methods to manually update the APR signature library on the device:

·     Local update—By using the locally stored APR signature file.

(In IRF mode.) The APR signature file must be stored on the master device for a successful update.

·     FTP/TFTP update—By using the APR signature file stored on the FTP or TFTP server.

Procedure

1.     Enter system view.

system-view

2.     Manually update the APR signature library.

apr signature update [ override-current ] file-path

Rolling back the APR signature library

About this task

Each time a rollback operation is performed, the device backs up the APR signature library of the current version. If you repeat the rollback to the last version operation multiple times, the APR signature library will repeatedly switch between the current version and the last version.

Restrictions and guidelines

To ensure that the APR signature library can be successfully rolled back to the last version, back up the current APR signature library each time you update the library.

Procedure

1.     Enter system view.

system-view

2.     Roll back the APR signature library.

apr signature rollback { factory | last }

Display and maintenance commands for APR

IMPORTANT:

·     Support for each command in this section depends on the device model. For more information, see the command reference.

·     The WX1800H series, WX2500H series, and WX3000H series access controllers do not support parameters or commands that are available only in IRF mode.

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display information about application groups.

display app-group [ name group-name ]

Display information about application protocols.

display application [ name application-name | pre-defined | user-defined ]

Display statistics for application protocols.

In standalone mode:

display application statistics [ direction { inbound | outbound } | interface interface-type interface-number | name application-name ] *

In IRF mode:

display application statistics [ direction { inbound | outbound } | interface interface-type interface-number [ slot slot-number ] | name application-name ] *

Display statistics for application protocols on an interface in descending order based on the specified criteria.

In standalone mode:

display application statistics top number { bps | bytes | packets | pps } interface interface-type interface-number

In IRF mode:

display application statistics top number { bps | bytes | packets | pps } interface interface-type interface-number [ slot slot-number ]

Display APR signature library information.

display apr signature information

Display information about predefined port mappings.

display port-mapping pre-defined

Display information about user-defined port mappings.

display port-mapping user-defined [ application application-name | port port-number ]

Clear application statistics for interfaces.

reset application statistics [ interface interface-type interface-number ]

 

 
