08-Internet Access Behavior Management Command Reference


NetShare control commands

The following compatibility matrix shows the support of hardware platforms for NetShare control:

Hardware platform                        Module type                                NetShare control compatibility
M9006, M9010, M9014                      Blade IV firewall module                   Yes
                                         Blade V firewall module                    No
                                         NAT module                                 No
M9010-GM                                 Encryption module                          Yes
M9016-V                                  Blade V firewall module                    No
M9008-S, M9012-S                         Blade IV firewall module                   Yes
                                         Intrusion prevention service (IPS) module  Yes
                                         Video network gateway module               Yes
M9008-S-6GW                              IPv6 module                                Yes
M9008-S-V                                Blade IV firewall module                   Yes
M9000-AI-E4, M9000-AI-E8, M9000-AI-E16   Blade V firewall module                    Yes
M9000-X06, M9000-X10                     Blade VI firewall module                   Yes

action

Use action to specify the NetShare control action to take when the number of terminals sharing an IP address exceeds the limit.

Use undo action to restore the default.

Syntax

action { freeze freeze-time | permit } [ logging ]

undo action

Default

A NetShare control policy uses the permit action.

Views

NetShare control policy view

Predefined user roles

network-admin

context-admin

Parameters

freeze: Freezes the shared IP address so all packets sourced from the IP address will be dropped.

freeze-time: Specifies the time period that an IP address will be frozen, in minutes. The value range for this argument is 2 to 720.

permit: Permits the packets sourced from the IP address to pass through.

logging: Logs the NetShare control event.

Usage guidelines

A NetShare control policy analyzes packets to track the number of terminals sharing the same source IP address. If the number of terminals sharing an IP address exceeds the limit set by using the per-ip-shared max-terminals command, the device will take the NetShare control action in the policy.

Examples

# Specify the freeze action and set the freezing time to 10 minutes in NetShare control policy abc.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] policy name abc

[Sysname-netshare-control-policy-abc] action freeze 10

Related commands

per-ip-shared max-terminals

application-inspect enable

Use application-inspect enable to enable APR-based detection.

Use undo application-inspect enable to disable APR-based detection.

Syntax

application-inspect enable

undo application-inspect enable

Default

APR-based detection is enabled.

Views

NetShare control policy view

Predefined user roles

network-admin

context-admin

Usage guidelines

APR-based NetShare detection uses the APR signature library to inspect only specific applications, such as QQ and WeChat. If an application is encrypted, APR-based NetShare detection cannot inspect it. As a best practice, enable APR-based detection only when explicitly required, because the detection might degrade the device performance.

You can enable both APR-based detection and IPID trail tracking to detect NetShare behaviors.

Examples

# Enable APR-based detection in NetShare control policy share.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] policy name share

[Sysname-netshare-control-policy-share] application-inspect enable

Related commands

ipid-trail enable

description

Use description to configure a description for a NetShare control policy.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a NetShare control policy.

Views

NetShare control policy view

Predefined user roles

network-admin

context-admin

Parameters

text: Configures a description, a case-sensitive string of 1 to 127 characters.

Examples

# Configure a description for NetShare control policy abc.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] policy name abc

[Sysname-netshare-control-policy-abc] description The Netshare Management

destination-address

Use destination-address to set a destination address filtering criterion in a NetShare control policy.

Use undo destination-address to remove a destination address filtering criterion from a NetShare control policy.

Syntax

destination-address { ipv4 | ipv6 } object-group-name

undo destination-address { ipv4 | ipv6 } object-group-name

Default

A NetShare control policy does not contain any destination address filtering criterion.

Views

NetShare control policy view

Predefined user roles

network-admin

context-admin

Parameters

ipv4: Specifies an IPv4 address object group.

ipv6: Specifies an IPv6 address object group.

object-group-name: Specifies an address object group by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can execute this command multiple times in a NetShare control policy to set multiple destination address filtering criteria. A packet passes the destination address filtering if it matches any of the configured destination address filtering criteria.

Examples

# Set IPv4 address object group obgroup2 as a destination address filtering criterion in NetShare control policy abc.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] policy name abc

[Sysname-netshare-control-policy-abc] destination-address ipv4 obgroup2

Related commands

object-group (Security Command Reference)

destination-zone

Use destination-zone to set a destination security zone filtering criterion in a NetShare control policy.

Use undo destination-zone to remove a destination security zone filtering criterion from a NetShare control policy.

Syntax

destination-zone destination-zone-name

undo destination-zone destination-zone-name

Default

A NetShare control policy does not contain any destination security zone filtering criterion.

Views

NetShare control policy view

Predefined user roles

network-admin

context-admin

Parameters

destination-zone-name: Specifies a destination security zone by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can execute this command multiple times in a NetShare control policy to set multiple destination security zone filtering criteria. A packet passes the destination security zone filtering if it matches any of the configured destination security zone filtering criteria.

Examples

# Set security zone zone2 as a destination security zone filtering criterion in NetShare control policy abc.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] policy name abc

[Sysname-netshare-control-policy-abc] destination-zone zone2

Related commands

security-zone name (Security Command Reference)

disable

Use disable to disable a NetShare control policy.

Use undo disable to enable a NetShare control policy.

Syntax

disable

undo disable

Default

A NetShare control policy is enabled.

Views

NetShare control policy view

Predefined user roles

network-admin

context-admin

Usage guidelines

The device supports only one NetShare control policy.

After you disable the NetShare control policy, the NetShare control feature becomes invalid.

Examples

# Disable NetShare control policy abc.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] policy name abc

[Sysname-netshare-control-policy-abc] disable

display netshare-control

Use display netshare-control to display NetShare control information about shared IP addresses.

Syntax

In standalone mode:

display netshare-control [ { ipv4 | ipv6 } ip-address | status { frozen | unfrozen } ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display netshare-control [ { ipv4 | ipv6 } ip-address | status { frozen | unfrozen } ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any

Predefined user roles

network-admin

context-admin

Parameters

ipv4: Specifies the IPv4 address type.

ipv6: Specifies the IPv6 address type.

ip-address: Displays NetShare control information about the specified IP address.

status: Specifies the status of the IP addresses to be displayed.

frozen: Displays NetShare control information about frozen IP addresses.

unfrozen: Displays NetShare control information about unfrozen IP addresses.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available in both standalone mode and IRF mode, and only if multiple CPUs are available on the specified slot.

Usage guidelines

This command displays information about detected IP addresses that are shared by multiple terminals.

Examples

# (In standalone mode.) Display all shared IP addresses in frozen state.

<Sysname> display netshare-control status frozen

Slot 1:

  Total frozen shared IP addresses: 2

  IP address     VPN instance  Policy  Terminals  Status  Remaining time  User

  192.168.1.18   vpn1          P1      3          Frozen  20 min          abc

  12.12.12.1     -             P1      4          Frozen  10 min          kwq123

Table 1 Command output

Field                             Description
Total frozen shared IP addresses  Total number of shared IP addresses in frozen state.
IP address                        Shared IP address.
VPN instance                      VPN instance to which the IP address belongs. This field displays a hyphen (-) if the IP address is on the public network.
Policy                            Name of the NetShare control policy.
Terminals                         Number of terminals sharing the IP address.
Status                            Status of the shared IP address: frozen or unfrozen.
Remaining time                    Remaining time before the IP address will be released from the frozen IP address list.
User                              User name.

freeze

Use freeze to manually freeze an IP address.

Syntax

freeze { ipv4 | ipv6 } ip-address [ vpn-instance vpn-instance-name ] time freeze-time

Views

NetShare control configuration view

Predefined user roles

network-admin

context-admin

Parameters

ipv4: Specifies the IPv4 address type.

ipv6: Specifies the IPv6 address type.

ip-address: Specifies the IP address to freeze.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the IP address is on the public network, do not specify this option.

freeze-time: Specifies the time period that the IP address will be frozen, in minutes. The value range is 5 to 720.

Usage guidelines

Use this command to manually freeze an IP address that is shared by terminals. This command is not available for IP addresses that are already on the frozen IP address list.

To view the shared IP addresses that can be manually frozen, use the display netshare-control command.

Examples

# Manually freeze IP address 12.12.12.1 for 15 minutes.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] freeze ipv4 12.12.12.1 time 15

Related commands

display netshare-control

unfreeze

ipid-trail enable

Use ipid-trail enable to enable IPID trail tracking.

Use undo ipid-trail enable to disable IPID trail tracking.

Syntax

ipid-trail enable

undo ipid-trail enable

Default

IPID trail tracking is disabled.

Views

NetShare control policy view

Predefined user roles

network-admin

context-admin

Usage guidelines

By default, the device uses the Application Recognition (APR) feature to detect NetShare behaviors. APR-based detection applies only to a limited set of applications in the APR signature library. You can enable IPID trail tracking to meet the NetShare control requirements of various application scenarios.

IPID trail tracking tracks the values of the IPID fields in packets to detect NetShare behaviors. Packets sent by the same host contain incremented IPID values of a unique sequential pattern that starts at a random number. NetShare control tracks the IPID values of packets sourced from the same IP address. In a time period, if the IPID values in the packets belong to the same unique sequential pattern, only one terminal is using the IP address. If the IPID values belong to different sequential patterns, the source IP address is shared by multiple terminals.

You can enable both APR-based detection and IPID trail tracking to detect NetShare behaviors.

IPID trail tracking might degrade the device performance. Enable it only when explicitly required.

IPID trail tracking detects only terminals running the Windows system, and only packets whose IPID field values change regularly. Mobile terminals are not supported.

IPID trail tracking supports detecting IPv4 packets.
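The following Python sketch is an added illustration, not H3C code, of the IPID trail tracking described above combined with the per-ip-shared max-terminals limit and the action command: packets from one source IP are grouped into sequential IPID trails (with the 16-bit wraparound handled), the number of live trails is taken as the number of terminals, and the policy action is applied when the limit is exceeded. The trail step window, the trail timeout, and the sample packets are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

IPID_MODULUS = 1 << 16   # the IPv4 Identification field is 16 bits, so trails wrap at 65535
MAX_STEP = 64            # assumed: a packet continues a trail if its IPID is at most this far ahead
TRAIL_TIMEOUT = 30.0     # assumed: seconds without packets after which a trail is forgotten


@dataclass
class Trail:
    """One sequential IPID pattern, i.e. one suspected terminal behind the source IP."""
    last_ipid: int
    last_seen: float


def forward_gap(prev: int, cur: int) -> int:
    """Distance from prev to cur walking forward modulo 2^16, so 65535 -> 0 is a gap of 1."""
    return (cur - prev) % IPID_MODULUS


class IpidTrailTracker:
    """Counts distinct IPID trails per source IP and applies the policy limit and action."""

    def __init__(self, max_terminals: int, action: str = "permit", freeze_time: Optional[int] = None):
        if not 1 <= max_terminals <= 15:                       # range of per-ip-shared max-terminals
            raise ValueError("max-terminals must be 1 to 15")
        if action == "freeze" and not (freeze_time and 2 <= freeze_time <= 720):
            raise ValueError("freeze-time must be 2 to 720 minutes")
        self.max_terminals, self.action, self.freeze_time = max_terminals, action, freeze_time
        self.trails: dict = {}                                 # source IP -> list of live trails

    def observe(self, src_ip: str, ipid: int, ts: float) -> int:
        """Feed one packet (source IP, IPID, timestamp); return the trail count for that source."""
        trails = [t for t in self.trails.get(src_ip, []) if ts - t.last_seen <= TRAIL_TIMEOUT]
        # Join the trail whose last IPID is closest behind this packet's IPID (gap 0 = retransmission).
        best = min((t for t in trails if forward_gap(t.last_ipid, ipid) <= MAX_STEP),
                   key=lambda t: forward_gap(t.last_ipid, ipid), default=None)
        if best is None:
            trails.append(Trail(ipid, ts))                     # new sequential pattern: another terminal
        else:
            best.last_ipid, best.last_seen = ipid, ts
        self.trails[src_ip] = trails
        return len(trails)

    def terminals(self, src_ip: str) -> int:
        return len(self.trails.get(src_ip, []))

    def decide(self, src_ip: str) -> tuple:
        """Within the limit packets pass; above it the policy action applies (freeze minutes or permit)."""
        if self.terminals(src_ip) <= self.max_terminals:
            return ("permit", None)
        return (self.action, self.freeze_time if self.action == "freeze" else None)


# Constructed sample traffic: (source IP, IPID, seconds). 10.0.0.5 hides two Windows hosts behind
# one NAT address, 10.0.0.9 is one host whose IPID counter wraps, 10.0.0.7 has a stale trail.
SAMPLE_PACKETS = [
    ("10.0.0.5", 1000, 0.0), ("10.0.0.5", 42000, 0.1), ("10.0.0.5", 1001, 0.2),
    ("10.0.0.5", 42001, 0.3), ("10.0.0.5", 1002, 0.4),
    ("10.0.0.9", 65534, 0.0), ("10.0.0.9", 65535, 0.1), ("10.0.0.9", 0, 0.2), ("10.0.0.9", 1, 0.3),
    ("10.0.0.7", 500, 0.0), ("10.0.0.7", 9000, 100.0),
]


def run_policy(packets=SAMPLE_PACKETS, max_terminals: int = 1) -> dict:
    """Policy 'per-ip-shared max-terminals 1' with 'action freeze 10'; returns per-IP (terminals, decision)."""
    tracker = IpidTrailTracker(max_terminals, action="freeze", freeze_time=10)
    for src_ip, ipid, ts in packets:
        tracker.observe(src_ip, ipid, ts)
    return {ip: (tracker.terminals(ip), tracker.decide(ip)) for ip in tracker.trails}


if __name__ == "__main__":
    for ip, (count, decision) in run_policy().items():
        print(f"{ip:<12} terminals={count} -> {decision}")
```

Hosts that randomize the IPID field, such as the mobile terminals the manual excludes, would produce a new trail per packet and must be filtered before this heuristic is applied.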

Examples

# Enable IPID trail tracking in NetShare control policy abc.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] policy name abc

[Sysname-netshare-control-policy-abc] ipid-trail enable

Related commands

application-inspect enable

netshare-control

Use netshare-control to enter NetShare control configuration view.

Syntax

netshare-control

Views

System view

Predefined user roles

network-admin

context-admin

Examples

# Enter NetShare control configuration view.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control]

per-ip-shared max-terminals

Use per-ip-shared max-terminals to set the maximum number of terminals that can share an IP address.

Use undo per-ip-shared max-terminals to restore the default.

Syntax

per-ip-shared max-terminals number

undo per-ip-shared max-terminals

Default

The number of terminals that can share an IP address is not limited.

Views

NetShare control policy view

Predefined user roles

network-admin

context-admin

Parameters

number: Sets the maximum number of terminals that can share an IP address. The value range is 1 to 15. If you set the value to 1, one IP address can be used by only one terminal.

Usage guidelines

If the number of terminals sharing an IP address exceeds the limit, the device will take the NetShare control action set by using the action command in the NetShare control policy.

Examples

# Set the maximum number of terminals that can share an IP address to 3 in NetShare control policy abc.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] policy name abc

[Sysname-netshare-control-policy-abc] per-ip-shared max-terminals 3

Related commands

action

policy name

Use policy name to create a NetShare control policy and enter its view, or enter the view of an existing NetShare control policy.

Use undo policy name to delete a NetShare control policy.

Syntax

policy name policy-name

undo policy name policy-name

Default

No NetShare control policy exists.

Views

NetShare control configuration view

Predefined user roles

network-admin

context-admin

Parameters

policy-name: Specifies a name for the NetShare control policy, a case-insensitive string of 1 to 63 characters.

Usage guidelines

The device supports only one NetShare control policy.

In the NetShare control policy, you can configure the following items:

·     The following types of criteria to filter the packets to be analyzed by the NetShare control policy:

      -  Source IP address.

      -  Destination IP address.

      -  Source security zone.

      -  Destination security zone.

      -  User.

      -  User group.

·     Maximum number of terminals that can share an IP address.

·     Action to take when the number of terminals sharing an IP address exceeds the limit.

Examples

# Create NetShare control policy abc and enter its view.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] policy name abc

[Sysname-netshare-control-policy-abc]

source-address

Use source-address to set a source address filtering criterion in a NetShare control policy.

Use undo source-address to remove a source address filtering criterion from a NetShare control policy.

Syntax

source-address { ipv4 | ipv6 } object-group-name

undo source-address { ipv4 | ipv6 } object-group-name

Default

A NetShare control policy does not contain any source address filtering criterion.

Views

NetShare control policy view

Predefined user roles

network-admin

context-admin

Parameters

ipv4: Specifies an IPv4 address object group.

ipv6: Specifies an IPv6 address object group.

object-group-name: Specifies an address object group by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can execute this command multiple times in a NetShare control policy to set multiple source address filtering criteria. A packet passes the source address filtering if it matches any of the configured source address filtering criteria.

Examples

# Set IPv4 address object group obgroup1 as a source address filtering criterion in NetShare control policy abc.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] policy name abc

[Sysname-netshare-control-policy-abc] source-address ipv4 obgroup1

Related commands

object-group (Security Command Reference)

source-zone

Use source-zone to set a source security zone filtering criterion in a NetShare control policy.

Use undo source-zone to remove a source security zone filtering criterion from a NetShare control policy.

Syntax

source-zone source-zone-name

undo source-zone source-zone-name

Default

A NetShare control policy does not contain any source security zone filtering criterion.

Views

NetShare control policy view

Predefined user roles

network-admin

context-admin

Parameters

source-zone-name: Specifies a source security zone by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can execute this command multiple times in a NetShare control policy to set multiple source security zone filtering criteria. A packet passes the source security zone filtering if it matches any of the configured source security zone filtering criteria.

Examples

# Set security zone zone1 as a source security zone filtering criterion in NetShare control policy abc.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] policy name abc

[Sysname-netshare-control-policy-abc] source-zone zone1

Related commands

security-zone name (Security Command Reference)

unfreeze

Use unfreeze to manually unfreeze an IP address.

Syntax

unfreeze { ipv4 | ipv6 } ip-address [ vpn-instance vpn-instance-name ]

Views

NetShare control configuration view

Predefined user roles

network-admin

context-admin

Parameters

ipv4: Specifies the IPv4 address type.

ipv6: Specifies the IPv6 address type.

ip-address: Specifies the IP address to unfreeze.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the IP address is on the public network, do not specify this option.

Usage guidelines

Use this command to manually unfreeze a frozen IP address.

To view the available frozen IP addresses, use the display netshare-control command.

Examples

# Manually unfreeze IP address 12.12.12.1.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] unfreeze ipv4 12.12.12.1

Related commands

display netshare-control

user

Use user to set a user filtering criterion in a NetShare control policy.

Use undo user to remove a user filtering criterion from a NetShare control policy.

Syntax

user username [ domain domain-name ]

undo user username [ domain domain-name ]

Default

A NetShare control policy does not contain any user filtering criteria.

Views

NetShare control policy view

Predefined user roles

network-admin

context-admin

Parameters

username: Specifies a user name, a case-sensitive string of 1 to 55 characters.

domain domain-name: Specifies the name of the identity domain to which the user belongs. The identity domain name is a case-insensitive string of 1 to 255 characters which cannot contain question marks (?). If the user name does not belong to any identity domains, do not specify this option. For more information about identity domains, see user identification configuration in Security Configuration Guide.

Usage guidelines

You can execute this command multiple times in a NetShare control policy to set multiple user filtering criteria. A packet passes the user filtering if it matches any of the configured user filtering criteria.

Examples

# Set user managers as a user filtering criterion in NetShare control policy abc.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] policy name abc

[Sysname-netshare-control-policy-abc] user managers

Related commands

user-identity enable (Security Command Reference)

user-group

Use user-group to set a user group filtering criterion in a NetShare control policy.

Use undo user-group to remove a user group filtering criterion from a NetShare control policy.

Syntax

user-group user-group-name [ domain domain-name ]

undo user-group user-group-name [ domain domain-name ]

Default

A NetShare control policy does not contain any user group filtering criteria.

Views

NetShare control policy view

Predefined user roles

network-admin

context-admin

Parameters

user-group-name: Specifies a user group by its name, a case-sensitive string of 1 to 32 characters.

domain domain-name: Specifies the name of the identity domain to which the user group belongs. The identity domain name is a case-insensitive string of 1 to 255 characters which cannot contain question marks (?). If the user group does not belong to any identity domains, do not specify this option. For more information about identity domains, see user identification configuration in Security Configuration Guide.

Usage guidelines

You can execute this command multiple times in a NetShare control policy to set multiple user group filtering criteria. A packet passes the user group filtering if it matches any of the configured user group filtering criteria.

Examples

# Set user group group1 as a user group filtering criterion in NetShare control policy abc.

<Sysname> system-view

[Sysname] netshare-control

[Sysname-netshare-control] policy name abc

[Sysname-netshare-control-policy-abc] user-group group1

Related commands

identity-group (Security Command Reference)
