03-Security Command Reference

30-Server connection detection commands

Server connection detection commands

auto-learn enable

Use auto-learn enable to enable server connection learning for the specified learning period.

Use undo auto-learn enable to disable server connection learning.

Syntax

auto-learn enable period { one-day | one-hour | seven-day | twelve-hour }

undo auto-learn enable

Default

Server connection learning is disabled.

Views

Server connection learning configuration view

Predefined user roles

network-admin

context-admin

Parameters

period: Specifies the learning period.

one-day: Specifies one day.

one-hour: Specifies one hour.

seven-day: Specifies seven days.

twelve-hour: Specifies 12 hours.

Usage guidelines

This command enables the device to learn the connections initiated by the servers specified by using the source-ip command for the specified learning period.

This command is configurable only when both of the following conditions are met:

·     Servers are specified for the learning process to learn connections.

·     The server connection learning process is not running on the device.

To change the learning period of an ongoing server connection learning process, first execute the undo auto-learn enable command to stop the learning process, and then execute the auto-learn enable command.

Examples

# Enable server connection learning for one day.

<Sysname> system-view

[Sysname] scd learning

[Sysname-scd-learning] auto-learn enable period one-day

Related commands

source-ip

display scd auto-learn config

Use display scd auto-learn config to display the server connection learning information.

Syntax

display scd auto-learn config

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Examples

# Display the server connection learning information.

<Sysname> display scd auto-learn config

Learning status              : Active

Learning time                : One-hour

Server address object groups : 146

Progress                     : 6%

Start time                   : 2018/03/27 10:50

End time                     : 2018/03/27 11:50

Table 1 Command output

Field

Description

Learning status

Server connection learning status.

If server connection learning is in progress, this field displays Active. If server connection learning is not running, this field displays a hyphen (-).

Learning time

Learning period, which can be One-day, One-hour, Seven-day, or Twelve-hour.

Server address object groups

Number of server IP address object groups specified for server connection learning.

Progress

Progress percentage of the server connection learning.

Start time

Start time of the server connection learning.

End time

End time of the server connection learning.


display scd learning record

Use display scd learning record to display the server-initiated connections learned by server connection learning.

Syntax

display scd learning record [ protected-server ip-address ] [ destination-ip ip-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

protected-server ip-address: Specifies the IP address of the server.

destination-ip ip-address: Specifies the destination IP address of the server-initiated connections.

Usage guidelines

This command displays the server connection learning results, which provide the basis for you to create SCD policies to monitor and log illegal connections initiated by servers.

If you do not specify any parameters, this command displays the connections initiated by all servers specified for server connection learning.

Examples

# Display the connections initiated by all servers specified for server connection learning.

<Sysname> display scd learning record

Id     Protected server    Destination IPv4 address   Protocol    Port

1      192.168.102.1       192.168.101.21             TCP         443

Total entries: 1

# Display the connections initiated by server 192.168.102.1.

<Sysname> display scd learning record protected-server 192.168.102.1

Id     Protected server    Destination IPv4 address   Protocol    Port

1      192.168.102.1       192.168.101.21             TCP         443

Total entries: 1

# Display the server-initiated connections destined for 192.168.101.21.

<Sysname> display scd learning record destination-ip 192.168.101.21

Id     Protected server    Destination IPv4 address   Protocol    Port

1      192.168.102.1       192.168.101.21             TCP         443

Total entries: 1

Table 2 Command output

Field

Description

Id

ID of the server connection learning record.

Protected server

IP address of the server that initiated the connection.

Destination IPv4 address

IPv4 address the connection is destined for.

Protocol

Protocol used by the connection.

Port

Destination port number of the connection.

Total entries

Total number of the learned connections.


Related commands

reset scd learning record

display scd policy

Use display scd policy to display the server connection detection (SCD) policy information.

Syntax

display scd policy [ name policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

name policy-name: Displays detailed information about an SCD policy. The policy-name argument specifies the policy name, a case-insensitive string of 1 to 63 characters. If you do not specify an SCD policy, this command displays brief information about all SCD policies.

Examples

# Display brief information about all SCD policies.

<Sysname> display scd policy

Id     Name              Protected server  Rules       Logging     Policy status

1      policy1           1.1.1.1           0           Disabled    Disabled

Total entries: 1

Table 3 Command output

Field

Description

Id

Row ID of the SCD policy entry.

Name

Name of the SCD policy.

Protected server

IP address of the protected server. The SCD policy will monitor connections initiated by the server.

Rules

Number of SCD rules in the SCD policy. Each SCD rule defines a set of legal connections initiated by the server.

Logging

Enabling status of the logging for illegal connections (connections that do not match any SCD rules) initiated by the server.

Policy status

Enabling status of the SCD policy.

Total entries

Total number of the SCD policies.


# Display detailed information about SCD policy policy1.

<Sysname> display scd policy name policy1

SCD policy name: policy1

 Protected server IPv4: 1.1.1.1

 Logging: Enabled

 Policy status: Enabled

 Rule ID: 1

  Permitted dest IPv4: 1.1.2.1

  Protocol: TCP port 1-4

  Protocol: UDP port 1,3,5,7,9,11,13,15,17,19,21,23

  Protocol: ICMP

Table 4 Command output

Field

Description

SCD policy name

Name of the SCD policy.

Protected server IPv4

IP address of the protected server. The SCD policy will monitor connections initiated by the server.

Rule ID

Number of an SCD rule in the SCD policy. Each SCD rule defines a set of legal connections initiated by the server.

Permitted dest IPv4

Destination IP address of the legal connections initiated by the server that match the SCD rule.

Protocol

Protocol used by the legal connections initiated by the server that match the SCD rule.

Logging

Enabling status of the logging for illegal connections (connections that do not match any SCD rules) initiated by the server.

Policy status

Enabling status of the SCD policy.


logging enable

Use logging enable to enable logging for illegal server-initiated connections detected by the SCD policy.

Use undo logging enable to disable logging for illegal server-initiated connections detected by the SCD policy.

Syntax

logging enable

undo logging enable

Default

Logging is disabled for illegal server-initiated connections detected by the SCD policy.

Views

SCD policy view

Predefined user roles

network-admin

context-admin

Usage guidelines

This feature enables the device to log server-initiated connections that do not match any rules in the SCD policy and send the logs to the device information center. With the information center, you can specify log output rules to output the logs to different destinations. For more information about the information center, see information center configuration in Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for illegal server-initiated connections that are detected by SCD policy policy1.

<Sysname> system-view

[Sysname] scd policy policy1

[Sysname-scd-policy-policy1] logging enable

Related commands

display scd policy

permit-dest-ip

Use permit-dest-ip to configure the destination IP address criterion for an SCD rule.

Use undo permit-dest-ip to remove the destination IP address criterion from an SCD rule.

Syntax

permit-dest-ip ip-address

undo permit-dest-ip

Default

The destination IP address criterion is not configured in an SCD rule.

Views

SCD policy rule view

Predefined user roles

network-admin

context-admin

Parameters

ip-address: Specifies an IPv4 address, in dotted decimal notation.

Usage guidelines

Each SCD rule contains the following criteria to identify legal connections initiated by the protected server:

·     A destination IP address criterion, which specifies the destination IP address for server-initiated connections.

In one SCD policy, each SCD rule must use a unique destination IP address.

·     One or more protocol criteria. Each protocol criterion specifies a protocol and optionally a set of destination port numbers.

A connection initiated by the protected server matches the SCD rule if the connection matches both the destination IP address criterion and a protocol criterion. Connections initiated by the server that do not match any SCD rules are considered illegal connections.

If you execute the command multiple times for an SCD rule, the most recent configuration takes effect.

As a best practice, use the following procedure to configure an SCD policy for a server:

1.     Enable server connection learning on the device to learn the connections initiated by the server.

2.     Configure SCD rules for legal connections according to the server connection learning results. To view the learned connections, use the display scd learning record command.
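The two-step procedure above can be scripted: the added example below (not H3C code) parses constructed `display scd learning record` output in the format shown on this page and emits the SCD policy commands documented here, one rule per learned destination (destinations must be unique within a policy) and one protocol criterion per protocol, refusing a criterion that would exceed the 20-port limit of the protocol command. The "-" port shown for ICMP records and the use of the standard Comware quit command to leave rule view are assumptions.

```python
from collections import defaultdict
import ipaddress

# Constructed sample of `display scd learning record` output (not captured from
# a real device); the "-" port for ICMP is an assumption about the display format.
LEARNING_RECORD = """\
Id     Protected server    Destination IPv4 address   Protocol    Port
1      192.168.102.1       192.168.101.21             TCP         443
2      192.168.102.1       192.168.101.21             TCP         80
3      192.168.102.1       192.168.101.22             UDP         53
4      192.168.102.1       192.168.101.22             ICMP        -
5      192.168.102.1       192.168.101.23             ICMP        -
Total entries: 5
"""

MAX_PORTS_PER_CRITERION = 20  # limit stated for `protocol tcp/udp port port-list`


def parse_learning_record(text):
    """Return (server, dest, protocol, port) tuples from the table body."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue  # header and "Total entries" lines
        _, server, dest, proto, port = fields
        records.append((server, dest, proto.upper(), None if port == "-" else int(port)))
    return records


def build_scd_policy(policy_name, server, records):
    """Emit CLI lines for a policy that permits exactly the learned connections."""
    # One rule per destination (a destination must be unique within a policy),
    # one protocol criterion per protocol inside that rule.
    by_dest = defaultdict(lambda: defaultdict(set))
    for rec_server, dest, proto, port in records:
        if rec_server != server:
            continue
        ports = by_dest[dest][proto]  # touching the key registers port-less ICMP
        if port is not None:
            ports.add(port)
    lines = ["system-view", f"scd policy name {policy_name}",
             f"protected-server {server}"]
    ordered = sorted(by_dest.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    for rule_id, (dest, protos) in enumerate(ordered, start=1):
        lines += [f"rule {rule_id}", f"permit-dest-ip {dest}"]
        for proto in sorted(protos):
            ports = sorted(protos[proto])
            if proto == "ICMP":
                lines.append("protocol icmp")
            elif len(ports) > MAX_PORTS_PER_CRITERION:
                raise ValueError(f"{dest}/{proto}: {len(ports)} ports exceed the "
                                 f"{MAX_PORTS_PER_CRITERION}-item limit; use ranges")
            else:
                lines.append(f"protocol {proto.lower()} port " + " ".join(map(str, ports)))
        lines.append("quit")  # assumed: leave rule view, back to SCD policy view
    lines += ["logging enable", "policy enable"]
    return lines
```

Review the generated rules before applying them: learning only records what the server did during the period, so a compromised or misconfigured server would have its outbound connections learned as legal.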

Examples

# In SCD policy policy1, configure SCD rule 1 to match connections destined for 1.1.1.1.

<Sysname> system-view

[Sysname] scd policy policy1

[Sysname-scd-policy-policy1] rule 1

[Sysname-scd-policy-policy1-1] permit-dest-ip 1.1.1.1

Related commands

display scd policy

policy enable

Use policy enable to enable an SCD policy.

Use undo policy enable to disable an SCD policy.

Syntax

policy enable

undo policy enable

Default

An SCD policy is disabled.

Views

SCD policy view

Predefined user roles

network-admin

context-admin

Usage guidelines

An SCD policy takes effect only after it is enabled.

Examples

# Enable SCD policy policy1.

<Sysname> system-view

[Sysname] scd policy policy1

[Sysname-scd-policy-policy1] policy enable

Related commands

display scd policy

protected-server

Use protected-server to specify the IP address of the protected server in an SCD policy.

Use undo protected-server to remove the protected server IP address from an SCD policy.

Syntax

protected-server ip-address

undo protected-server

Default

No protected server IP address is specified.

Views

SCD policy view

Predefined user roles

network-admin

context-admin

Parameters

ip-address: Specifies the IPv4 address of a protected server, in dotted decimal notation.

Usage guidelines

An SCD policy monitors only the connections initiated by the specified protected server.

The protected server IP address must be unique for each SCD policy.

If you execute this command for an SCD policy multiple times, the most recent configuration takes effect.

Examples

# Configure SCD policy policy1 to monitor connections initiated by server 192.168.1.10.

<Sysname> system-view

[Sysname] scd policy policy1

[Sysname-scd-policy-policy1] protected-server 192.168.1.10

Related commands

display scd policy

protocol

Use protocol to configure a protocol criterion for an SCD rule.

Use undo protocol to remove a protocol criterion from an SCD rule.

Syntax

protocol { icmp | tcp port port-list | udp port port-list }

undo protocol { icmp | tcp | udp }

Default

No protocol criterion is configured in an SCD rule.

Views

SCD rule view

Predefined user roles

network-admin

context-admin

Parameters

icmp: Specifies the ICMP protocol.

tcp port port-list: Specifies the TCP protocol and a list of up to 20 destination TCP port numbers in the range of 1 to 65535. The port-list argument specifies a space-separated list of port number items. Each item specifies a port by its number or specifies a range of port numbers in the form of port-number1 to port-number2. The start port number must be identical to or lower than the end port number.

udp port port-list: Specifies the UDP protocol and a list of up to 20 destination UDP port numbers in the range of 1 to 65535. The port-list argument specifies a space-separated list of port number items. Each item specifies a port by its number or specifies a range of port numbers in the form of port-number1 to port-number2. The start port number must be identical to or lower than the end port number.

Usage guidelines

Each SCD rule contains the following criteria to identify legal connections initiated by the protected server:

·     A destination IP address criterion, which specifies the destination IP address for server-initiated connections.

·     One or more protocol criteria. Each protocol criterion specifies a protocol and optionally a set of destination port numbers.

A connection initiated by the protected server matches the SCD rule if the connection matches both the destination IP address criterion and a protocol criterion. Connections initiated by the server that do not match any SCD rules are considered illegal connections.

You can use this command multiple times to specify different protocols in an SCD rule.

If you specify the TCP or UDP protocol with different port numbers in an SCD rule, the most recent configuration takes effect.
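The matching semantics in this section (both the destination IP criterion and one protocol criterion must match; a repeated tcp or udp criterion replaces the earlier port list) are modelled in the added example below, which is not H3C code. It parses the port-list syntax as the protocol command describes it, including the port-number1 to port-number2 form and the 20-item limit, and classifies constructed server-initiated connections as legal or illegal with a log line for each illegal one, as logging enable would produce.

```python
MAX_PORT_ITEMS = 20  # limit stated for `protocol tcp/udp port port-list`


def parse_port_list(text):
    """Parse 'port-number1 to port-number2' items and single ports into (lo, hi) ranges."""
    tokens = text.split()
    ranges, i = [], 0
    while i < len(tokens):
        lo = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi, i = int(tokens[i + 2]), i + 3
        else:
            hi, i = lo, i + 1
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port item {lo} to {hi}: start must not exceed end, range 1-65535")
        ranges.append((lo, hi))
    if len(ranges) > MAX_PORT_ITEMS:
        raise ValueError(f"a protocol criterion accepts at most {MAX_PORT_ITEMS} port items")
    return ranges


class ScdRule:
    """One SCD rule: a destination IP criterion plus one or more protocol criteria."""

    def __init__(self, rule_id, dest_ip):
        self.rule_id, self.dest_ip, self.protocols = rule_id, dest_ip, {}

    def protocol(self, proto, port_list=None):
        """Like the CLI: a second tcp/udp criterion replaces the earlier port list."""
        self.protocols[proto] = parse_port_list(port_list) if port_list else []

    def matches(self, dest_ip, proto, port):
        """Both criteria must hold: destination IP and one protocol criterion."""
        if dest_ip != self.dest_ip or proto not in self.protocols:
            return False
        ranges = self.protocols[proto]
        if not ranges:  # icmp carries no port list
            return True
        return port is not None and any(lo <= port <= hi for lo, hi in ranges)


def classify(rules, connections, logging=True):
    """Split (dest_ip, proto, port) connections into legal/illegal; log illegal ones."""
    legal, illegal, logs = [], [], []
    for conn in connections:
        if any(rule.matches(*conn) for rule in rules):
            legal.append(conn)
        else:
            illegal.append(conn)
            if logging:  # constructed log format, not the device's actual message
                logs.append(f"SCD illegal connection: dst={conn[0]} proto={conn[1]} port={conn[2]}")
    return legal, illegal, logs
```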

Examples

# In SCD policy policy1, configure a protocol criterion in SCD rule 1 to match the TCP protocol with port numbers 80 and 1000 to 2000.

<Sysname> system-view

[Sysname] scd policy policy1

[Sysname-scd-policy-policy1] rule 1

[Sysname-scd-policy-policy1-1] protocol tcp port 80 1000 to 2000

Related commands

display scd policy

reset scd learning record

Use reset scd learning record to clear the server connection learning results.

Syntax

reset scd learning record

Views

User view

Predefined user roles

network-admin

context-admin

Examples

# Clear the server connection learning results.

<Sysname> reset scd learning record

Related commands

display scd learning record

rule

Use rule to create an SCD rule and enter its view, or enter the view of an existing SCD rule.

Use undo rule to remove an SCD rule.

Syntax

rule rule-id

undo rule [ rule-id ]

Default

No SCD rules exist in an SCD policy.

Views

SCD policy view

Predefined user roles

network-admin

context-admin

Parameters

rule-id: Specifies a rule ID in the range of 1 to 65535.

Usage guidelines

Each SCD rule contains the following criteria to identify legal connections initiated by the protected server:

·     A destination IP address criterion, which specifies the destination IP address for server-initiated connections.

·     One or more protocol criteria. Each protocol criterion specifies a protocol and optionally a set of destination port numbers.

A connection initiated by the protected server matches the SCD rule if the connection matches both the destination IP address criterion and a protocol criterion. Connections initiated by the server that do not match any SCD rules are considered illegal connections.

If you do not specify a rule ID for the undo rule command, all SCD rules in the SCD policy will be deleted.

Examples

# In SCD policy policy1, create SCD rule 1 and enter its view.

<Sysname> system-view

[Sysname] scd policy policy1

[Sysname-scd-policy-policy1] rule 1

[Sysname-scd-policy-policy1-1]

Related commands

display scd policy

scd learning

Use scd learning to enter server connection learning configuration view.

Use undo scd learning to remove all server connection learning configurations.

Syntax

scd learning

undo scd learning

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Server connection learning allows the device to learn connections initiated by given servers. The learning results provide the basis for you to create SCD policies to monitor and log illegal connections initiated by the servers.

The undo scd learning command is not configurable when server connection learning is in progress.

Examples

# Enter server connection learning configuration view.

<Sysname> system-view

[Sysname] scd learning

[Sysname-scd-learning]

scd policy

Use scd policy to create an SCD policy and enter its view, or enter the view of an existing SCD policy.

Use undo scd policy to remove an SCD policy.

Syntax

scd policy name policy-name

undo scd policy [ name policy-name ]

Default

No SCD policies exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

name policy-name: Specifies a unique name for the SCD policy. The SCD policy name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

An SCD policy monitors the connections initiated by the specified protected server. You can configure the following settings in an SCD policy:

·     Protected server IP address.

·     SCD rules to identify legal connections initiated by the server.

·     Logging for illegal connections initiated by the server.

·     SCD policy enabling status.

If you do not specify an SCD policy for the undo scd policy command, all SCD policies will be deleted.

Examples

# Create an SCD policy named policy1 and enter its view.

<Sysname> system-view

[Sysname] scd policy name policy1

[Sysname-scd-policy-policy1]

Related commands

display scd policy

source-ip

Use source-ip to specify an IP address object group for server connection learning.

Use undo source-ip to remove an IP address object group specified for server connection learning.

Syntax

source-ip object-group-name

undo source-ip [ object-group-name ]

Default

No IP address object groups are specified for server connection learning.

Views

Server connection learning configuration view

Predefined user roles

network-admin

context-admin

Parameters

object-group-name: Specifies an IP address object group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Server connection learning will learn the connections initiated by the servers that use IP addresses in the specified IP address object groups.

You can repeat this command to specify a maximum of 1024 IP address object groups.

If you specify a nonexistent IP address object group, the system will create an empty IP address object group with the specified name.

If you do not specify an IP address object group for the undo source-ip command, all IP address object groups specified for server connection learning will be removed.

The source-ip and undo source-ip commands are not configurable when server connection learning is in progress.

For more information about address object groups, see object group configuration in Security Configuration Guide.

Examples

# Specify IP address object group abc for SCD learning.

<Sysname> system-view

[Sysname] scd learning

[Sysname-scd-learning] source-ip abc

Related commands

object-group
