
H3C Access Controllers

Comware 7 Anti-Virus Configuration Examples

Copyright © 2021 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example of configuring anti-virus.

Prerequisites

The following information applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of the anti-virus feature.

General restrictions and guidelines

This example is supported only in E5568P01 and later.

Example: Configuring anti-virus

Network configuration

As shown in Figure 1, the AC connects the LAN to the Internet. The client downloads files from servers on the Internet over FTP and SMB and retrieves email from a mail server on the Internet over IMAP.

Configure the AC to apply an anti-virus policy to the client's traffic, so that infected FTP and SMB downloads are blocked and infected email retrieved over IMAP is delivered but reported with an alert.

Figure 1 Network diagram

 

Restrictions and guidelines

Use the serial ID labeled on the AP's rear panel to specify an AP.

Configure the AC to forward client data traffic (the centralized forwarding mode).

Procedures

Configuring the AC

Configuring basic settings

1.     Configure interfaces on the AC:

# Create VLAN 100. Create VLAN-interface 100 and assign an IP address to the VLAN interface. VLAN 100 carries the CAPWAP traffic between the AC and the AP; the AP uses this IP address as the AC address when it establishes its CAPWAP tunnel.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 192.1.1.1 24

[AC-Vlan-interface100] quit

# Create VLAN 200. Create VLAN-interface 200 and assign an IP address to the VLAN interface. The client will access the wireless network through this VLAN.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 192.2.1.1 24

[AC-Vlan-interface200] quit

# Configure the interface connected to the switch as a trunk port that permits VLAN 100 and VLAN 200.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[AC-GigabitEthernet1/0/1] quit

2.     Configure the wireless service:

# Create service template 1 and enter its view.

[AC] wlan service-template 1

# Configure the SSID as service.

[AC-wlan-st-1] ssid service

# Configure the AC to forward client data traffic.

[AC-wlan-st-1] client forwarding-location ac

# Assign clients coming online to VLAN 200.

[AC-wlan-st-1] vlan 200

# Enable the service template.

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

3.     Configure the AP:

# Create an AP named ap1 with model WA4320-ACN-B.

[AC] wlan ap ap1 model WA4320-ACN-B

# Set the serial ID of AP ap1 to 210235A1PRC183000006.

[AC-wlan-ap-ap1] serial-id 210235A1PRC183000006

# Enter radio 1 view for AP ap1, and bind service template 1 to radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template 1

# Enable radio 1 for AP ap1.

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

# Enter radio 2 view for AP ap1, and bind service template 1 to radio 2.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

# Enable radio 2 for AP ap1.

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

Configuring an object group

# Create an IP address object group named antivirus, and specify its subnet as 192.2.1.0/24.

[AC] object-group ip address antivirus

[AC-obj-grp-ip-antivirus] network subnet 192.2.1.0 24

[AC-obj-grp-ip-antivirus] quit

Configuring an anti-virus policy

# Create an anti-virus policy named down_av and enter its view.

[AC] anti-virus policy down_av

# Configure anti-virus for FTP and SMB in download direction and specify the anti-virus action as block.

[AC-anti-virus-policy-down_av] inspect ftp direction download action block

[AC-anti-virus-policy-down_av] inspect smb direction download action block

# Configure anti-virus for IMAP in download direction and specify the anti-virus action as alert.

[AC-anti-virus-policy-down_av] inspect imap direction download action alert

# Set the Alibaba application as an application exception. Specify alert as the anti-virus action for the application exception.

[AC-anti-virus-policy-down_av] exception application Alibaba action alert

[AC-anti-virus-policy-down_av] quit

Configuring a DPI application profile and activating the anti-virus policy settings

# Create a DPI application profile named sec, and enter its view.

[AC] app-profile sec

# Apply anti-virus policy down_av to DPI application profile sec and set the anti-virus policy mode to protect. In protect mode the AC takes the actions configured in the policy (block or alert); in alert mode it only logs detections and does not block.

[AC-app-profile-sec] anti-virus apply policy down_av mode protect

[AC-app-profile-sec] quit

# Activate the anti-virus policy settings.

[AC] inspect activate

Configuring an anti-virus security policy

# Enter IPv4 security policy view.

[AC] security-policy ip

# Create a security policy rule named av. Configure the matching conditions as the source IP address object group antivirus, FTP service, SMB service, IMAP service, AP ap1, AP group default-group, and SSID service.

[AC-security-policy-ip] rule name av

[AC-security-policy-ip-10-av] source-ip antivirus

[AC-security-policy-ip-10-av] service ftp

[AC-security-policy-ip-10-av] service smb

[AC-security-policy-ip-10-av] service imap

[AC-security-policy-ip-10-av] ap ap1

[AC-security-policy-ip-10-av] ap-group default-group

[AC-security-policy-ip-10-av] ssid service

# Configure the security action as pass and specify DPI application profile sec. A DPI application profile is applied only to traffic that the rule permits, so the action must be pass for the anti-virus policy to run.

[AC-security-policy-ip-10-av] action pass

[AC-security-policy-ip-10-av] profile sec

[AC-security-policy-ip-10-av] quit

# Activate rule matching acceleration.

[AC-security-policy-ip] accelerate enhanced enable

[AC-security-policy-ip] quit
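The three objects configured above (the anti-virus policy, the DPI application profile, and the security-policy rule) have to agree with each other, or traffic silently bypasses scanning: a protocol that the policy inspects but the rule does not match never reaches the profile, a rule action other than pass never runs DPI, and mode alert turns every block into a log entry. The following script is an added example, not H3C code. It reads the AC's running configuration in the text form shown under "Configuration files" and reports such gaps. It assumes that the predefined service names used in the rule (ftp, smb, imap) are spelled the same as the protocol names used by inspect, which holds for this example; AC_CONFIG is the configuration from this page reduced to the blocks the check needs, and the function names are this example's own.

```python
"""Check that a Comware 7 AC configuration actually steers traffic to its anti-virus policy.
Added example, not H3C code; input is the running configuration text."""
import re

# The AC configuration from this page, reduced to the blocks the check needs.
AC_CONFIG = """\
#
app-profile sec
 anti-virus apply policy down_av mode protect
#
security-policy ip
 rule 1 name av
  action pass
  profile sec
  source-ip antivirus
  service ftp
  service smb
  service imap
#
anti-virus policy down_av
 inspect ftp direction download action block
 inspect imap direction download action alert
 inspect smb direction download action block
"""


def sections(text):
    """Yield (header, body_lines) for each block delimited by a lone '#'."""
    block = []
    for line in text.splitlines() + ["#"]:
        if line.strip() == "#":
            if block:
                yield block[0].strip(), [ln.strip() for ln in block[1:]]
            block = []
        elif line.strip():
            block.append(line)


def parse(text):
    """Collect the anti-virus policies, DPI profiles and security-policy rules."""
    cfg = {"av": {}, "profile": {}, "rules": []}
    for header, body in sections(text):
        joined = "\n".join(body)
        if m := re.match(r"anti-virus policy (\S+)$", header):
            cfg["av"][m[1]] = re.findall(
                r"inspect (\S+) direction (\S+) action (\S+)", joined)
        elif m := re.match(r"app-profile (\S+)$", header):
            pm = re.search(r"anti-virus apply policy (\S+) mode (\S+)", joined)
            cfg["profile"][m[1]] = (pm[1], pm[2]) if pm else None
        elif header == "security-policy ip":
            rule = None
            for line in body:
                if m := re.match(r"rule \d+ name (\S+)$", line):
                    rule = {"name": m[1], "services": set(),
                            "profile": None, "action": None}
                    cfg["rules"].append(rule)
                elif rule and (m := re.match(r"(service|profile|action) (\S+)$", line)):
                    if m[1] == "service":
                        rule["services"].add(m[2])
                    else:
                        rule[m[1]] = m[2]
    return cfg


def lint(text):
    """Return findings as strings; an empty list means the steering is consistent."""
    cfg, out = parse(text), []
    for r in cfg["rules"]:
        if r["profile"] is None:
            continue  # rule does no DPI, nothing to check
        prof = cfg["profile"].get(r["profile"])
        if not prof:
            out.append(f"{r['name']}: app-profile {r['profile']} is missing or applies no anti-virus policy")
            continue
        policy, mode = prof
        inspected = cfg["av"].get(policy)
        if inspected is None:
            out.append(f"{r['name']}: anti-virus policy {policy} is not defined")
            continue
        if r["action"] != "pass":
            out.append(f"{r['name']}: action {r['action']} drops traffic before DPI runs")
        protos = {p for p, _, _ in inspected}
        for p in sorted(protos - r["services"]):
            out.append(f"{r['name']}: {policy} inspects {p} but the rule has no service {p}, so {p} bypasses anti-virus")
        for s in sorted(r["services"] - protos):
            out.append(f"{r['name']}: service {s} is steered to {policy} but never inspected, so it passes unscanned")
        blocked = [p for p, _, a in inspected if a == "block"]
        if mode != "protect" and blocked:
            out.append(f"{r['name']}: {policy} runs in mode {mode}, so block for {', '.join(blocked)} only logs")
    return out


if __name__ == "__main__":
    for f in lint(AC_CONFIG) or ["no steering gaps found"]:
        print(f)
    # Variant: HTTP added to the policy but not to the rule, to show a finding.
    for f in lint(AC_CONFIG + " inspect http direction download action block\n"):
        print("variant:", f)
```

Run it on the text of display current-configuration captured from the AC. The configuration on this page produces no findings; the variant in the block, which inspects HTTP without matching the http service in rule av, shows the kind of gap that would otherwise only be noticed when an infected HTTP download goes through unscanned.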

Configuring the switch

1.     Configure interfaces on the switch:

# Create VLAN 100, VLAN-interface 100, VLAN 200, VLAN-interface 200, and assign IP addresses to the VLAN interfaces. The switch will use VLAN 100 to forward CAPWAP tunnel traffic between the AC and the AP, and use VLAN 200 to forward wireless client packets.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

[Switch] interface vlan-interface 100

[Switch-Vlan-interface100] ip address 192.1.1.2 24

[Switch-Vlan-interface100] quit

[Switch] vlan 200

[Switch-vlan200] quit

[Switch] interface vlan-interface 200

[Switch-Vlan-interface200] ip address 192.2.1.2 24

[Switch-Vlan-interface200] quit

# Set the link type of GigabitEthernet 1/0/1 (the interface connected to the AC) to trunk. Allow traffic from VLAN 100 and VLAN 200 to pass through the interface.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] quit

# Set the link type of GigabitEthernet 1/0/2 (the interface connected to the AP) to access and assign it to VLAN 100, so that the AP's CAPWAP traffic is carried in the CAPWAP VLAN.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type access

[Switch-GigabitEthernet1/0/2] port access vlan 100

# Enable PoE on GigabitEthernet 1/0/2.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

2.     Configure DHCP settings:

# Enable DHCP.

[Switch] dhcp enable

# Create a DHCP address pool named vlan100 to assign an IP address and other configuration parameters to the AP on subnet 192.1.1.0/24 (the CAPWAP VLAN). Exclude IP addresses 192.1.1.1 and 192.1.1.2 from dynamic allocation. Specify the gateway address as 192.1.1.1.

[Switch] dhcp server ip-pool vlan100

[Switch-dhcp-pool-vlan100] network 192.1.1.0 mask 255.255.255.0

[Switch-dhcp-pool-vlan100] forbidden-ip 192.1.1.1 192.1.1.2

[Switch-dhcp-pool-vlan100] gateway-list 192.1.1.1

[Switch-dhcp-pool-vlan100] quit

# Create a DHCP address pool named vlan200 to assign IP addresses and other configuration parameters to clients on subnet 192.2.1.0/24. Exclude IP addresses 192.2.1.1 and 192.2.1.2 from dynamic allocation. Specify a gateway and a DNS server.

[Switch] dhcp server ip-pool vlan200

[Switch-dhcp-pool-vlan200] network 192.2.1.0 mask 255.255.255.0

[Switch-dhcp-pool-vlan200] forbidden-ip 192.2.1.1 192.2.1.2

[Switch-dhcp-pool-vlan200] dns-list 192.2.1.1

[Switch-dhcp-pool-vlan200] gateway-list 192.2.1.1

[Switch-dhcp-pool-vlan200] quit

Verifying the configuration

# After the client has downloaded files over FTP and SMB and retrieved email over IMAP through the AC, view anti-virus statistics by using the display anti-virus statistics command on the AC. FTP and SMB detections are counted in the Block row because their action is block; IMAP detections are counted in the Alert+Permit row because their action is alert, so the message is delivered but logged.

[AC] display anti-virus statistics

Slot 1:

Total Block:    2

Total Redirect: 0

Total Alert:    1

Type           http      ftp       smtp      pop3      imap      smb       nfs

Block           0         1         0         0         0         1         0

Redirect        0         0         0         0         0         0         0

Alert+Permit    0         0         0         0         1         0         0
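Reading the counters by eye is fine for one AC; when the verification is repeated (after a signature update, or across many ACs) it is easier to parse the output and compare it with the policy. The following is an added example, not H3C code. It parses the output shown above, checks that each Total counter equals the sum of its row, and compares the non-zero cells with the inspect actions configured in down_av: a configured protocol with no hits means the test traffic never reached the policy (typically a security-policy match condition such as the AP, AP group or SSID), and a hit the policy does not explain points at another rule or policy. STATS_OUTPUT is the output from this page; the policy dict and the names parse_av_stats, totals_consistent and verify are this example's own.

```python
"""Parse 'display anti-virus statistics' output and check it against the policy.
Added example, not H3C code; the expectation table is an illustration."""
import re

# Output of 'display anti-virus statistics' as shown on this page.
STATS_OUTPUT = """\
Slot 1:
Total Block:    2
Total Redirect: 0
Total Alert:    1
Type           http      ftp       smtp      pop3      imap      smb       nfs
Block           0         1         0         0         0         1         0
Redirect        0         0         0         0         0         0         0
Alert+Permit    0         0         0         0         1         0         0
"""


def parse_av_stats(text):
    """Return {slot: {"totals": {name: n}, "rows": {action_row: {proto: n}}}}."""
    slots, slot, protos = {}, None, []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Slot (\d+):", line):
            slot = slots.setdefault(int(m[1]), {"totals": {}, "rows": {}})
        elif slot is None or not line:
            continue
        elif m := re.match(r"Total (\w+):\s+(\d+)$", line):
            slot["totals"][m[1]] = int(m[2])
        elif line.startswith("Type"):
            protos = line.split()[1:]  # column order for the rows that follow
        else:
            parts = line.split()
            if len(parts) == len(protos) + 1 and all(p.isdigit() for p in parts[1:]):
                slot["rows"][parts[0]] = dict(zip(protos, map(int, parts[1:])))
    return slots


# Which statistics row each configured inspect action lands in.
ROW_OF = {"block": "Block", "redirect": "Redirect", "alert": "Alert+Permit"}


def totals_consistent(slot):
    """Each 'Total X' counter must equal the sum of its per-protocol row."""
    rows = slot["rows"]
    return all(slot["totals"].get(total) == sum(rows.get(row, {}).values())
               for total, row in (("Block", "Block"), ("Redirect", "Redirect"),
                                  ("Alert", "Alert+Permit")))


def verify(slot, policy):
    """policy maps protocol -> configured action (e.g. {"ftp": "block"}).
    Reports configured protocols with no hits (test traffic never reached the
    policy) and hits the policy does not explain (another rule or policy)."""
    out = []
    for proto, action in policy.items():
        if slot["rows"].get(ROW_OF[action], {}).get(proto, 0) == 0:
            out.append(f"{proto}: no {action} hits, test traffic did not reach the policy")
    for row, cells in slot["rows"].items():
        for proto, n in cells.items():
            if n and ROW_OF.get(policy.get(proto)) != row:
                out.append(f"{proto}: {n} {row} hits not explained by the policy")
    return out


if __name__ == "__main__":
    slot1 = parse_av_stats(STATS_OUTPUT)[1]
    print("totals consistent:", totals_consistent(slot1))
    print(verify(slot1, {"ftp": "block", "smb": "block", "imap": "alert"}))
```

Feed it the text captured from the CLI session; an empty list from verify means every protocol in down_av fired with the expected action and nothing else did. Note that the statistics are per slot, so on a multi-slot AC each slot is checked separately.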

Configuration files

·     AC:

#

vlan 100

#

vlan 200

#

wlan service-template 1

 ssid service

 client forwarding-location ac

 vlan 200

 service-template enable

#

interface Vlan-interface100

 ip address 192.1.1.1 255.255.255.0

#

interface Vlan-interface200

 ip address 192.2.1.1 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 100 200

#

wlan ap ap1 model WA4320-ACN-B

 serial-id 210235A1PRC183000006

 radio 1

  radio enable

  service-template 1

 radio 2

  radio enable

  service-template 1

#

object-group ip address antivirus

 0 network subnet 192.2.1.0 255.255.255.0

#

app-profile sec

 anti-virus apply policy down_av mode protect

#

security-policy ip

 rule 1 name av

  action pass

  profile sec

  source-ip antivirus

  service ftp

  service smb

  service imap

  ap ap1

  ap-group default-group

  ssid service

#

anti-virus policy down_av

 inspect ftp direction download action block

 inspect imap direction download action alert

 inspect smb direction download action block

 exception application Alibaba action alert

·     Switch:

#

 dhcp enable

#

vlan 100

#

vlan 200

#

interface Vlan-interface100

 ip address 192.1.1.2 255.255.255.0

#

interface Vlan-interface200

 ip address 192.2.1.2 255.255.255.0

#

dhcp server ip-pool vlan100

 network 192.1.1.0 mask 255.255.255.0

 forbidden-ip 192.1.1.1 192.1.1.2

 gateway-list 192.1.1.1

#

dhcp server ip-pool vlan200

 gateway-list 192.2.1.1

 network 192.2.1.0 mask 255.255.255.0

 forbidden-ip 192.2.1.1 192.2.1.2

 dns-list 192.2.1.1

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 100 200

#

interface GigabitEthernet1/0/2

 port link-type access

 port access vlan 100

 poe enable

Related documentation

·     Anti-Virus Command Reference in H3C Access Controllers Command References

·     Anti-Virus Configuration Guide in H3C Access Controllers Configuration Guides

·     Security Policy Command Reference in H3C Access Controllers Command References

·     Security Policy Configuration Guide in H3C Access Controllers Configuration Guides