03-Security Command Reference

H3C SecPath M9000 Command Reference (V7) (E9X71)-6W700, 03-Security Command Reference

27-Terminal identification commands

Terminal identification commands

 

allowlist action

Use allowlist action to specify an allowlist action.

Use undo allowlist action to restore the default.

Syntax

allowlist action { drop | permit }

undo allowlist action

Default

The traffic matching the allowlist is permitted.

Views

Terminal identification view

Predefined user roles

network-admin

context-admin

Parameters

drop: Drops the traffic of a terminal in the allowlist until the terminal is approved as a legal terminal by using the approved command.

permit: Permits the traffic of terminals in the allowlist.

Usage guidelines

This command takes effect only in allowlist mode.

In allowlist mode with the drop action, the system drops the traffic of a terminal in the allowlist when the terminal comes online for the first time. To permit the traffic of the terminal, execute the approved command to approve it as a legal terminal.

If the allowlist action is permit, the system permits the traffic of terminals in the allowlist regardless of whether the terminal information changes.

Examples

# Set the allowlist action to drop.

<Sysname> system-view

[Sysname] terminal-identification

[Sysname-terminal-identification] allowlist action drop

allowlist object-group

Use allowlist object-group to specify an address object group for generating the allowlist.

Use undo allowlist object-group to restore the default.

Syntax

allowlist object-group ipv4 object-group-name

undo allowlist object-group ipv4

Default

No address object group is specified.

Views

Terminal identification view

Predefined user roles

network-admin

context-admin

Parameters

ipv4 object-group-name: Specifies an IPv4 address object group by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

This command takes effect only in allowlist mode.

The specified IPv4 address object group must already exist. For more information about address object groups, see object group configuration in Security Configuration Guide.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify address object group aa for generating the allowlist.

<Sysname> system-view

[Sysname] terminal-identification

[Sysname-terminal-identification] allowlist object-group ipv4 aa

approved

Use approved to approve terminals as legal terminals.

Syntax

approved { all | ipv4 ipv4-address }

Default

Terminals are not approved as legal terminals.

Views

Terminal identification view

Predefined user roles

network-admin

context-admin

Parameters

all: Specifies all terminals.

ipv4 ipv4-address: Specifies a terminal by its IPv4 address.

Usage guidelines

This command takes effect only in allowlist mode.

If you are sure that the identified terminals are accurate and trusted, execute this command to approve them as legal terminals. Approval trusts the information already identified for the terminal; if that information looks wrong, use the reidentify command first.

In allowlist mode with the drop action, the system drops the traffic of a terminal in the allowlist when the terminal comes online for the first time. To permit the traffic of the terminal, approve it as a legal terminal.

Examples

# Approve the terminal with IPv4 address 1.1.1.1 as a legal terminal.

<Sysname> system-view

[Sysname] terminal-identification

[Sysname-terminal-identification] approved ipv4 1.1.1.1

description

Use description to configure a description for a terminal group.

Use undo description to restore the default.

Syntax

description text

undo description

Default

A terminal group is described as "User-defined terminal group".

Views

Terminal group view

Predefined user roles

network-admin

context-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters. If the description contains spaces, use quotation marks to enclose the character string.

Usage guidelines

Use this command to configure descriptions for terminal groups for easy maintenance.

Examples

# Configure the description as User defined test terminal group for terminal group test.

<Sysname> system-view

[Sysname] terminal-identification

[Sysname-terminal-identification] terminal-group test

[Sysname-terminal-identification-terminal-group-test] description "User defined test terminal group"

Related commands

terminal-group

display terminal-identification terminal predefined

Use display terminal-identification terminal predefined to display information about predefined terminals.

Syntax

display terminal-identification terminal predefined

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Usage guidelines

Use this command to view information about the terminals predefined in the signature library.

Examples

# Display information about predefined terminals.

<Sysname> system-view

[Sysname] display terminal-identification terminal predefined

display terminal-identification terminal-group

Use display terminal-identification terminal-group to display information about terminal groups.

Syntax

display terminal-identification terminal-group

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Examples

# Display information about all terminal groups.

<Sysname> system-view

[Sysname] display terminal-identification terminal-group

Pre-defined count: 2

Terminal name            Type         Terminal ID

 DahuaIPC                 Pre-defined  0x0000681e

 DahuaNVR                 Pre-defined  0x00006829

Table 1 Command output

Field                Description

Pre-defined count    Number of predefined terminals.

Terminal name        Name of the terminal.

Type                 Terminal type. Pre-defined indicates a terminal defined in the signature library.

Terminal ID          ID of the terminal.

 

Related commands

terminal-group

include terminal

Use include terminal to add a terminal to a terminal group.

Use undo include terminal to remove a terminal from a terminal group.

Syntax

include terminal terminal-name

undo include terminal terminal-name

Default

No terminals exist in a terminal group.

Views

Terminal group view

Predefined user roles

network-admin

context-admin

Parameters

terminal-name: Specifies a terminal by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

Usage guidelines

You can repeat this command to add multiple terminals to a terminal group. The number of terminals in a terminal group is not limited.

Examples

# Add dahua and haikang to terminal group test.

<Sysname> system-view

[Sysname] terminal-identification

[Sysname-terminal-identification] terminal-group test

[Sysname-terminal-identification-terminal-group-test] include terminal dahua

[Sysname-terminal-identification-terminal-group-test] include terminal haikang

Related commands

display terminal-identification terminal-group

logging enable

Use logging enable to enable terminal identification logging.

Use undo logging enable to disable terminal identification logging.

Syntax

logging enable

undo logging enable

Default

Terminal identification logging is disabled.

Views

Terminal identification view

Predefined user roles

network-admin

context-admin

Usage guidelines

This feature enables the device to output logs to log hosts through fast log output when it detects changes in terminal information, such as vendor or model changes. For more information about fast log output and log hosts, see configuring fast log output in Network Management and Monitoring Configuration Guide.

Examples

# Enable terminal identification logging.

<Sysname> system-view

[Sysname] terminal-identification

[Sysname-terminal-identification] logging enable

manage object-group

Use manage object-group to configure the manager address object group.

Use undo manage object-group to delete the manager address object group.

Syntax

manage object-group { ipv4 | ipv6 } object-group-name

undo manage object-group { ipv4 | ipv6 } object-group-name

Default

No manager address object group is configured.

Views

Terminal identification view

Predefined user roles

network-admin

context-admin

Parameters

{ ipv4 | ipv6 } object-group-name: Specifies an IPv4 or IPv6 address object group by its name, a case-insensitive string of 1 to 63 characters. The object group must already exist, and its name must be globally unique.

Usage guidelines

The manager address object group is the set of IP addresses of terminal managers. For packets exchanged between managers and terminals, this object group lets the device determine which of the source and destination IP addresses is the terminal address:

·     If the source IP address matches the manager address object group, the destination IP address is the terminal address.

·     If the destination IP address matches the manager address object group, the source IP address is the terminal address.

For accurate terminal identification, configure the manager address object group, the terminal address object group, or both. If you configure both, the manager address object group takes precedence.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify IPv4 address object group obgroup1 as the manager address object group.

<Sysname> system-view

[Sysname] terminal-identification

[Sysname-terminal-identification] manage object-group ipv4 obgroup1

reidentify

Use reidentify to reidentify terminals.

Syntax

reidentify { all | ipv4 ipv4-address }

Views

Terminal identification view

Predefined user roles

network-admin

context-admin

Parameters

all: Specifies all terminals.

ipv4 ipv4-address: Specifies a terminal by its IPv4 address.

Usage guidelines

This command takes effect only in allowlist mode.

If you believe the identified information for a terminal is inaccurate, execute this command to clear the identified information for the specified terminals and identify them again.

Examples

# Reidentify the terminal with IPv4 address 1.1.1.1.

<Sysname> system-view

[Sysname] terminal-identification

[Sysname-terminal-identification] reidentify ipv4 1.1.1.1

terminal-group

Use terminal-group to create a terminal group and enter its view, or enter the view of an existing terminal group.

Use undo terminal-group to delete a terminal group.

Syntax

terminal-group group-name

undo terminal-group group-name

Default

No terminal groups exist.

Views

Terminal identification view

Predefined user roles

network-admin

context-admin

Parameters

group-name: Specifies a terminal group by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

Examples

# Create a terminal group named test and enter its view.

<Sysname> system-view

[Sysname] terminal-identification

[Sysname-terminal-identification] terminal-group test

[Sysname-terminal-identification-terminal-group-test]

Related commands

include terminal

terminal-identification

Use terminal-identification to enter terminal identification view.

Use undo terminal-identification to delete the configuration in terminal identification view.

Syntax

terminal-identification

undo terminal-identification

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

In terminal identification view, you can create a terminal group, add terminals to the terminal group, and enable terminal identification logging.

Examples

# Enter terminal identification view.

<Sysname> system-view

[Sysname] terminal-identification

[Sysname-terminal-identification]

terminal object-group

Use terminal object-group to configure the terminal address object group.

Use undo terminal object-group to delete the terminal address object group.

Syntax

terminal object-group { ipv4 | ipv6 } object-group-name

undo terminal object-group { ipv4 | ipv6 } object-group-name

Default

No terminal address object group is configured.

Views

Terminal identification view

Predefined user roles

network-admin

context-admin

Parameters

{ ipv4 | ipv6 } object-group-name: Specifies an IPv4 or IPv6 address object group by its name, a case-insensitive string of 1 to 63 characters. The object group must already exist, and its name must be globally unique.

Usage guidelines

The terminal address object group is the set of terminal IP addresses. If the source or destination IP address of a packet matches the object group, that address is treated as the terminal address.

For accurate terminal identification, configure the manager address object group, the terminal address object group, or both. If you configure both, the manager address object group takes precedence.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify IPv4 address object group obgroup1 as the terminal address object group.

<Sysname> system-view

[Sysname] terminal-identification

[Sysname-terminal-identification] terminal object-group ipv4 obgroup1

work-mode

Use work-mode to specify an operating mode.

Use undo work-mode to restore the default.

Syntax

work-mode { allowlist | warning }

undo work-mode

Default

Terminal identification works in alarm mode.

Views

Terminal identification view

Predefined user roles

network-admin

context-admin

Parameters

allowlist: Specifies the allowlist mode.

warning: Specifies the alarm mode.

Usage guidelines

Terminal identification supports the following operating modes:

·     Alarm—In this mode, the system permits traffic of all terminals. When the system identifies a terminal for the first time or detects a terminal information change, it sends a log message to the log host by using the fast log output feature. This mode is applicable to scenarios that do not have strict security requirements.

·     Allowlist—In this mode, the system permits traffic of only terminals in the allowlist. When the system detects a terminal information change, it sends a log message to the log host by using the fast log output feature. This mode is applicable to scenarios that have strict security requirements.

Examples

# Specify the operating mode as allowlist.

<Sysname> system-view

[Sysname] terminal-identification

[Sysname-terminal-identification] work-mode allowlist
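The following is an added example, not part of the H3C document, that puts the commands in this chapter together into a complete allowlist-mode deployment and illustrates the manager/terminal address precedence described under manage object-group and terminal object-group. The object group names cameras and vms, the addresses 10.1.10.0/24, 10.1.1.100 and 10.1.10.21, the terminal group name, and the object-group and network commands (from the address object group feature in Security Configuration Guide, with assumed prompts) do not appear in this chapter and are assumptions of this example.

```text
# Added example (not from the H3C document). Assumed topology: IP cameras on
# 10.1.10.0/24, a video management server (the terminal manager) at 10.1.1.100.
<Sysname> system-view
# Address object group for the terminals to be identified (assumed object group syntax).
[Sysname] object-group ip address cameras
[Sysname-obj-grp-ip-cameras] network subnet 10.1.10.0 24
[Sysname-obj-grp-ip-cameras] quit
# Address object group for the manager. When both groups are configured, the manager
# group takes precedence in deciding which side of a flow is the terminal.
[Sysname] object-group ip address vms
[Sysname-obj-grp-ip-vms] network host address 10.1.1.100
[Sysname-obj-grp-ip-vms] quit
[Sysname] terminal-identification
# Packets from/to 10.1.1.100 have the camera as the other endpoint.
[Sysname-terminal-identification] manage object-group ipv4 vms
[Sysname-terminal-identification] terminal object-group ipv4 cameras
# Generate the allowlist from the camera subnet and enforce it: a camera that comes
# online for the first time is dropped until it is approved.
[Sysname-terminal-identification] allowlist object-group ipv4 cameras
[Sysname-terminal-identification] work-mode allowlist
[Sysname-terminal-identification] allowlist action drop
# Send vendor/model change logs to the log host (fast log output is configured separately).
[Sysname-terminal-identification] logging enable
# Group the expected device types. DahuaIPC is a predefined terminal shown by
# display terminal-identification terminal-group earlier in this chapter.
[Sysname-terminal-identification] terminal-group cameras-expected
[Sysname-terminal-identification-terminal-group-cameras-expected] description "Approved IP camera models"
[Sysname-terminal-identification-terminal-group-cameras-expected] include terminal DahuaIPC
[Sysname-terminal-identification-terminal-group-cameras-expected] quit
# A new camera at 10.1.10.21 is being dropped. If its identified vendor/model looks
# wrong, clear and re-run identification before trusting it; then approve it.
[Sysname-terminal-identification] reidentify ipv4 10.1.10.21
[Sysname-terminal-identification] approved ipv4 10.1.10.21
```

The order matters for the drop action: approved trusts whatever vendor and model the device has already identified, so run reidentify first when the identification is in doubt, and only approve a terminal after confirming it is the expected device. Leaving work-mode at the default alarm mode with logging enable gives the same logs without blocking traffic, which is a reasonable first step before switching to allowlist mode.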

 
