NetShare control configuration examples

The following information provides NetShare control configuration examples.

This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of the NetShare control feature.

The device supports only one NetShare control policy.

Network configuration

As shown in Figure 1, the device connects to the LAN and Internet through security zones Trust and Untrust, respectively.

Configure NetShare control on the device to meet the following requirements:

·     Monitor the packets sent by the hosts on the LAN to the Internet based on the APR-based packet analysis for network sharing behavior inspection.

·     If an IP address is detected to be shared by more than one host for Internet access, NetShare control will freeze the IP address for an hour and logs the event.

Figure 1 Network diagram

Software versions used

This configuration example was created and verified on R8860 of the CSAP-NTA-300 device.

Procedure

1.     Assign IP addresses to interfaces and add the interfaces to security zones:

# On the top navigation bar, click Network.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

a.     Select the Trust security zone.

b.     Click the IPv4 Address tab, and then enter the IP address and mask of the interface. This example uses 10.1.1.1/24.

c.     Click OK.

# Add GE 1/0/2 to the Untrust security zone and set its IP address to 20.1.1.1./24 in the same way you configure GE 1/0/1.

2.     Create a security policy:

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create, and then click Create a policy.

# In the dialog box that opens, configure a security policy:

¡     Enter policy name test-a.

¡     Select source zone Trust.

¡     Select destination zone Untrust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IP address 10.1.1.2/24.

# Click OK.

3.     Update the APR signature library to the latest version. (Details not shown.)

4.     Configure a NetShare control policy.

# On the top navigation bar, click Policies.

# From the navigation pane, select Netshare Control > Netshare Policy.

# Click Create.

# In the dialog box that appears, configure a NetShare policy:

¡     Enter policy name netsharepolicy.

¡     Select source security zone Trust.

¡     Select destination security zone Untrust.

¡     Enable APP tracking.

¡     Disable IPID trail tracking.

¡     Allow a maximum of one terminal per IP.

¡     Select action Freeze.

¡     Set the freezing times to 60.

¡     Enable logging.

¡     Enable the NetShare policy.

# Cilck OK.

Figure 2 Creating a NetShare policy

5.     Click Submit to have the NetShare policy configuration take effect.

Verifying the configuration

If a host on the LAN accesses the Internet by using a shared IP address through a proxy, the device can detect the network sharing behavior and will freeze the shared IP address for an hour and log the event.

To view the IP address with the network sharing behavior, click Policies on the top navigation bar and select Netshare Control > Netshare List from the navigation pane.