Login
- Table of Contents
-
- 04-DPI Configuration Guide
- 00-Preface
- 01-DPI overview
- 02-DPI engine configuration
- 03-IPS configuration
- 04-URL filtering configuration
- 05-Data filtering configuration
- 06-File filtering configuration
- 07-Anti-virus configuration
- 08-Data analysis center configuration
- 09-WAF configuration
- 10-Proxy policy configuration
- 11-IP reputation configuration
- 12-Domain reputation configuration
- 13-APT defense configuration
- 14-DLP configuration
- 15-Content moderation configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 07-Anti-virus configuration | 279.23 KB |
Virus signature library management
Restrictions: Hardware compatibility with anti-virus
Restrictions and guidelines: Anti-virus
Configuring an anti-virus policy
Configuring MD5 value-based anti-virus cloud query
Specifying a parameter profile for an anti-virus action
Applying an anti-virus policy to a DPI application profile
Activating anti-virus policy and rule settings
Applying a DPI application profile to a security policy rule
Applying a DPI application profile to an object policy rule
Managing the virus signature library
Scheduling automatic virus signature library update
Triggering an immediate automatic virus signature library update
Manually updating the virus signature library
Rolling back the virus signature library
Display and maintenance commands for anti-virus
Anti-virus configuration examples
Example: Using the default anti-virus policy in a security policy
Example: Using a user-defined anti-virus policy in a security policy
Example: Manually updating the virus signature library
Example: Configuring automatic virus signature library update
Example: Using the default anti-virus policy in an object policy
Example: Using a user-defined anti-virus policy in an object policy
Example: Manually updating the virus signature library
Example: Configuring automatic virus signature library update
Configuring anti-virus
About anti-virus
Anti-virus identifies viruses in the application layer of packets based on an up-to-date virus signature library and takes actions to prevent a network from being infected. This feature is typically deployed on a gateway to insulate the internal network from viruses and protect the internal data.
Application scenario
As shown in Figure 1, the device is the gateway of an internal network. Internal users access the external network and download data from the external network. The internal server accepts data uploaded by external users.
In this scenario, you can configure anti-virus on the gateway to protect the internal network. Anti-virus inspects incoming packets, permits legitimate packets to pass, and takes actions, such as alert, block, or redirect, on packets containing viruses.
Figure 1 Anti-virus application scenario
Terminology
Virus signature
A virus signature is a character string that uniquely identifies a specific virus. The virus signature library contains the predefined virus signatures.
MD5 rules
An MD5 rule is generated by the system based on the virus signatures in the virus signature library to identify virus-infected files.
Signature exception
Typically, anti-virus takes anti-virus actions on packets matching virus signatures. If a virus proves to be a false alarm, you can set the virus signature as a signature exception. Packets matching the signature exception are permitted to pass.
Application exception
Typically, anti-virus action is protocol specific and applies to all applications carried by the protocol. To take a different action on an application, you can set the application as an exception and specify a different anti-virus action for the application. Application exceptions use application-specific actions and the other applications use protocol-specific actions. For example, the anti-virus action for HTTP is alert. To block the games carried by HTTP, you can set the games as application exceptions and specify the block action for them.
MD5 exception
If false positives occur for a virus, you can set the MD5 value of the virus as an MD5 exception. The device will permit subsequent packets matching the MD5 exception to pass.
You can get the MD5 value of the virus through the threat log.
Anti-virus action
Anti-virus actions apply to the packets that match virus signatures. The actions include the following types:
· alert—Permits matching packets and generates logs.
· block—Blocks matching packets and generates logs.
· redirect—Redirects matching HTTP connections to a URL and generates logs. The redirection is applicable to only uploading connections.
The generated anti-virus logs can be sent to the device information center or to designated recipients by email.
Virus detection methods
The device supports the following virus detection methods:
· Virus signature-based detection—The device matches packets against virus signatures in the virus signature library, and determines that a packet contains viruses if a match is found.
· MD5 rule-based detection—The device generates an MD5 hash value for a file to be inspected and compares the value with the system-defined MD5 rules. If a match is found, the file is identified to be virus-infected.
Anti-virus mechanism
Anti-virus takes effect after you apply an anti-virus policy to a DPI application profile and use the DPI application profile in a security policy rule, or object policy rule.
As shown in Figure 2, upon receiving a packet, the anti-virus device performs the following operations:
1. The device determines whether the anti-virus supports the application layer protocol of the packet.
¡ If not, the device permits the packet to pass without anti-virus inspection.
¡ If yes, the device proceeds to step 2.
2. The device compares the packet with the virus signatures and MD5 rules.
¡ If a matching signature or MD5 rule is found, the device proceeds to step 3.
¡ If no matching signature or MD5 rule is found, the device proceeds to step 4.
3. The device determines if the matching signature is an exception.
¡ If yes, the device permits the packet to pass.
¡ If not, the device examines whether the application is an exception.
- If the application is an exception, the device takes the application-specific action (alert, block, or permit).
- If the application is not an exception, the device takes the protocol-specific action (alert, block, or redirect).
4. The device examines whether the MD5 value of the file in the packet matches an MD5 value exception.
¡ If yes, the device permits the packet to pass.
¡ If not, the device proceeds to step 5.
5. The device examines whether the MD5 value of the file in the packet matches an MD5 value in the MD5 cache.
¡ If an MD5 value labeled as virus is found, the device proceeds to step 6.
¡ If an MD5 value labeled as non-virus is found, the device permits the packet to pass.
¡ If no MD5 value is found, the process goes to step 7.
6. The device determines if the application is an exception.
¡ If yes, the device takes the application-specific action (alert, block, or permit).
¡ If not, the device takes the protocol-specific action (alert, block, or redirect).
7. The device determines whether cloud query is enabled.
¡ If no cloud query is enabled, the device permits the packet to pass.
¡ If cloud query is enabled, the device permits the packet to pass and sends the MD5 value of the file to the cloud server for further virus detection.
After the virus detection, the device saves the detection results returned from the cloud server to the MD5 cache. In this way, the device can use the results to perform local virus detection on subsequent packets without sending the packets to the cloud server.
Virus signature library management
The device inspects packets for viruses based on the virus signature library. You can update the virus signature library to the latest version or roll it back to the previous version or the factory default version.
Updating the virus signature library
The following methods are available for updating the virus signature library:
· Automatic update.
The device automatically and periodically downloads the most up-to-date virus signature file to update the signature library.
· Triggered update.
The device downloads the most up-to-date virus signature file to update the signature library immediately after you trigger the operation.
· Manual update.
Use this method when the device cannot obtain the virus signature file automatically.
You must manually download the most up-to-date virus signature file and then use the downloaded file to update the signature library.
Rolling back the virus signature library
If the false alarm rate is high or abnormal situations frequently occur, you can roll back the virus signature library to the previous version or to the factory default version.
Restrictions: Hardware compatibility with anti-virus
|
Hardware platform |
Module type |
Anti-virus compatibility |
|
M9006 M9010 M9014 |
Blade IV firewall module |
Yes |
|
Blade V firewall module |
No |
|
|
NAT module |
No |
|
|
M9010-GM |
Encryption module |
Yes |
|
M9016-V |
Blade V firewall module |
No |
|
M9008-S M9012-S |
Blade IV firewall module |
Yes |
|
Intrusion prevention service (IPS) module |
Yes |
|
|
Video network gateway module |
Yes |
|
|
M9008-S-6GW |
IPv6 module |
Yes |
|
M9008-S-V |
Blade IV firewall module |
Yes |
|
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 |
Blade V firewall module |
Yes |
|
M9000-X06 M9000-X10 |
Blade VI firewall module |
Yes |
Licensing requirements
Before using the anti-virus feature, purchase and correctly install a license on the device. If the license expires, the anti-virus feature is still available but you can no longer use the following features: virus signature library update, MD5 value cloud query, and collaboration with the sandbox to block packets. For more information about licenses, see Fundamentals Configuration Guide.
vSystem support for features
Non-default vSystems do not support the following features:
· Configuring MD5 value-based anti-virus cloud query.
· Configuring enhanced anti-virus inspection.
· Managing the virus signature library.
|
|
NOTE: For information about the support of non-default vSystems for the commands, see anti-virus command reference. For information about vSystem, see Virtual Technologies Configuration Guide. |
Restrictions and guidelines: Anti-virus
Anti-virus supports inspecting packets transported through FTP, HTTP, HTTPS, IMAP, IMAPS, NFS, POP3, POP3S, SMB, SMTP, and SMTPS. To inspect packets transported through HTTPS, IMAPS, POP3S, and SMTPS, you must use anti-virus together with SSL proxy. For information about SSL proxy, see "Configuring proxy policy."
Anti-virus tasks at a glance
To configure anti-virus, perform the following tasks:
1. Configuring an anti-virus policy
2. (Optional.) Configuring MD5 value-based anti-virus cloud query
3. Specifying a parameter profile for an anti-virus action
4. Applying an anti-virus policy to a DPI application profile
5. (Optional.) Activating anti-virus policy and rule settings
6. Applying a DPI application profile
Choose one of the following tasks:
¡ Applying a DPI application profile to a security policy rule
¡ Applying a DPI application profile to an object policy rule
7. Managing the virus signature library
Configuring an anti-virus policy
About this task
An anti-virus policy defines the virus detection criteria, anti-virus actions, virus signature exceptions, and application exceptions.
The virus signatures in the virus signature library are available to all anti-virus policies on the device.
The device supports sending the alarm message defined in the warning parameter profile applied to the policy. If an endpoint user visits a virus-infected website, the device will display the alarm message on the user's browser. For more information about configuring a warning parameter profile, see "Configuring DPI engine."
Restrictions and guidelines
Anti-virus supports only NFSv3 of the NFS protocol, and SMBv1 and SMBv2 of the SMB protocol.
The anti-virus module supports the following log output methods:
· Fast log output—You must specify a log host to receive the log messages. Log messages are sent to the specified log host.
· Syslog output—Log messages are sent to the information center. With the information center, you can set log message filtering and output rules, including output destinations. The information center can output anti-virus syslogs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect. To view anti-virus syslogs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default. For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Syslog output might affect device performance. As a best practice, use fast log output. For more information about fast log output, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Create an anti-virus policy and enter its view.
anti-virus policy policy-name
A default anti-virus policy named default exists. The default anti-virus policy cannot be modified or deleted.
3. (Optional.) Configure a description for the anti-virus policy.
description text
4. Configure anti-virus for an application layer protocol.
inspect { ftp | http | imap | nfs | pop3 | smb | smtp } direction { both | download | upload } [ cache-file-size file-size ] action { alert | block | redirect }
By default, the device performs virus detection on upload and download packets for FTP, HTTP, IMAP, NFS, and SMB, on download packets for POP3, and on upload packets for SMTP. The anti-virus action for FTP, HTTP, NFS, and SMB is block and for IMAP, SMTP, and POP3 is alert. The maximum size for the file that can be cached for inspection is 1 MB. The direction keyword is not available for the POP3 and SMTP protocols because the POP3 protocol supports only the download direction and the SMTP protocol supports only the upload direction.
5. (Optional.) Apply a warning parameter profile to an anti-virus policy and enable sending the alarm message defined in the profile.
warning parameter-profile profile-name
By default, no warning parameter profile is applied and the device does not support the sending of alarm messages.
The alarm message sending takes effect only when the HTTP protocol and the block action are configured for virus detection.
6. (Optional.) Set a signature as a signature exception.
exception signature signature-id
7. (Optional.) Set an application as an application exception and specify an anti-virus action for the application exception.
exception application application-name action { alert | block | permit }
8. (Optional.) Set an MD5 value as an MD5 exception.
exception md5 md5-value
9. Enable the virus signatures at and above a severity level.
signature severity { critical | high | medium } enable
By default, virus signatures of all severity levels are enabled.
Configuring MD5 value-based anti-virus cloud query
About this task
You can enable MD5 value-based anti-virus cloud query in an anti-virus policy. If no virus is found in the file, the device will send the MD5 value of the file to the cloud server for cloud query. The cloud server determines whether the MD5 value is a virus and returns the result to the device so appropriate action can be taken. The anti-virus module will save the result returned from the cloud server to the MD5 cache so the virus detection for subsequent packets can be performed locally.
For more information about the cloud query server, see "Configuring DPI engine."
Restrictions and guidelines
· MD5 value-based anti-virus cloud query is available only for the following protocols:
¡ FTP.
¡ HTTP.
¡ HTTPS.
¡ IMAP.
¡ IMAPS.
¡ NFS. Only the NFS read operation is supported.
¡ POP3.
¡ POP3S.
¡ SMTP.
¡ SMTPS.
To use MD5 value-based anti-virus cloud query for HTTPS, IMAPS, POP3S, and SMTPS protocols, you must use MD5 value-based anti-virus cloud query together with SSL proxy. For information about SSL proxy, see "Configuring proxy policy."
· For a compressed file, the device will first decompress the file to the maximum number of layers that can be decompressed. You can execute the inspect file-uncompr-layer command to set the maximum number of layers that can be decompressed. Then, the device will send the MD5 value of the compressed file and MD5 values of decompressed files for cloud query.
For information about maximum number of layers that can be decompressed, see "Configuring DPI engine."
Procedure
1. Enter system view.
system-view
2. Specify the cloud query server.
inspect cloud-server host-name
By default, cloud query server sec.h3c.com is used.
3. (Optional.) Set the MD5 cache size.
anti-virus cache size cache-size
By default, the MD5 cache can cache a maximum of 100000 entries.
4. (Optional.) Set the minimum cache period for an anti-virus MD5 entry.
anti-virus cache min-time value
By default, the minimum cache period of an anti-virus MD5 entry is 10 minutes.
5. Enter anti-virus policy view.
anti-virus policy policy-name
6. Enable MD5 value-based anti-virus cloud query.
cloud-query enable
By default, MD5 value-based anti-virus cloud query is disabled.
Specifying a parameter profile for an anti-virus action
About this task
Before you can specify a parameter profile for an anti-virus action, configure the parameter profile in the DPI engine. For more information, see "Configuring DPI engine."
A parameter profile defines the parameters for executing an action. For example, you can configure parameters such as the email server address and email recipients in the email parameter profile, and then apply the profile to the email action.
If no parameter profile is specified for an anti-virus action, or if the specified parameter profile does not exist, the default parameter settings of the action are used.
Procedure
1. Enter system view.
system-view
2. Specify a parameter profile for an anti-virus action.
anti-virus { email | logging | redirect } parameter-profile profile-name
By default, no parameter profile is specified for an anti-virus action.
Applying an anti-virus policy to a DPI application profile
About this task
The DPI application profile is a template for configuring DPI security services. For an anti-virus policy to take effect, you must apply it to a DPI application profile.
A DPI application profile can use only one anti-virus policy. If you apply different anti-virus policies to the same DPI application profile, only the most recent configuration takes effect.
Procedure
1. Enter system view.
system-view
2. Enter DPI application profile view.
app-profile profile-name
For more information about this command, see DPI engine commands in DPI Command Reference.
3. Apply an anti-virus policy to the DPI application profile.
anti-virus apply policy policy-name mode { alert | protect }
By default, no anti-virus policy is applied to a DPI application profile.
Activating anti-virus policy and rule settings
About this task
By default, the system will detect whether another configuration change (such as creation, modification, or deletion) occurs within a 20-second interval after a change to the anti-virus policy and rule settings:
· If no configuration change occurs within the interval, the system performs an activation operation at the end of the next interval to make the configuration take effect.
· If a configuration change occurs within the interval, the system continues to periodically check whether a configuration change occurs within the interval.
To activate the policy and rule configurations immediately, you can execute the inspect activate command.
Restrictions and guidelines
This task can cause temporary outage for all DPI services. As a best practice, perform the task after all DPI service policy and rule settings are complete.
For information about activating DPI service module configuration, see "Configuring DPI engine."
Procedure
1. Enter system view.
system-view
2. Activate anti-virus policy and rule settings.
inspect activate
By default, anti-virus policy and rule settings will be activated automatically.
|
|
CAUTION: This command can cause temporary outage for the DPI service and other services based on DPI. For example, security policies cannot perform application access control and Layer 7 LB cannot perform application-based load balancing. |
Applying a DPI application profile to a security policy rule
1. Enter system view.
system-view
2. Enter security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Set the rule action to pass.
action pass
The default rule action is drop.
5. Use a DPI application profile in the rule.
profile app-profile-name
By default, no DPI application profile is used in a security policy rule.
Applying a DPI application profile to an object policy rule
1. Enter system view.
system-view
2. Enter object policy view.
object-policy { ip | ipv6 } object-policy-name
3. Use a DPI application profile in an object policy rule.
rule [ rule-id ] inspect app-profile-name
By default, no DPI application profile is used in an object policy rule.
4. Return to system view.
quit
5. Create a zone pair and enter zone pair view.
zone-pair security source source-zone-name destination destination-zone-name
For more information about zone pairs, see security zone configuration in Security Configuration Guide.
6. Apply the object policy to the zone pair.
object-policy apply { ip | ipv6 } object-policy-name
By default, no object policy is applied to a zone pair.
Managing the virus signature library
As viruses constantly increase and change, you must update the virus signature library in time. You can also roll back the virus signature library.
Restrictions and guidelines
· Do not delete the /dpi/ folder in the root directory of the storage medium.
· Do not perform virus signature update and rollback when the device's free memory is below the normal state threshold. For more information about device memory thresholds, see device management in Fundamentals Configuration Guide.
· For successful automatic and immediate signature update, make sure the device can resolve the domain name of the H3C website into an IP address through DNS. For more information about DNS, see DNS configuration in Layer 3—IP Services Configuration Guide.
Scheduling automatic virus signature library update
About this task
You can schedule automatic virus signature library update if the device can access the signature database services on the H3C website. The device periodically obtains the latest signature file from the H3C website to update its local signature library according to the update schedule.
Procedure
1. Enter system view.
system-view
2. Enable automatic virus signature library update and enter automatic virus signature library update configuration view.
anti-virus signature auto-update
By default, automatic virus signature library update is disabled.
3. Schedule the update time.
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
By default, the device updates the virus signature library at a random time between 02:01:00 and 04:01:00 every day.
Triggering an immediate automatic virus signature library update
About this task
Anytime you find a new release of virus signature file on the H3C website, you can trigger the device to immediately and automatically update the virus signature library.
Procedure
1. Enter system view.
system-view
2. Trigger an immediate virus signature library update.
anti-virus signature auto-update-now
Manually updating the virus signature library
About this task
If the device cannot access the signature database services on the H3C website, use one of the following methods to manually update the virus signature library:
· Local update—Updates the virus signature library by using the locally stored virus signature file.
(In standalone mode.) Store the update file on the active MPU for successful signature library update.
(In IRF mode.) Store the update file on the global active MPU for successful signature library update.
· FTP/TFTP update—Updates the virus signature library by using the virus signature file stored on an FTP or TFTP server.
Procedure
1. Enter system view.
system-view
2. Manually update the virus signature library.
anti-virus signature update file-path
|
|
CAUTION: The H3C website provides different signature libraries for devices with different memory sizes and software versions. You must obtain the signature library that is suitable for your device. If your device has a small memory (8 GB or less) but you choose a signature library that is for a large memory (more than 8 GB), the signature update might result in device anomaly. |
Rolling back the virus signature library
About this task
If a virus signature library update causes abnormal situations or a high false alarm rate, you can roll back the virus signature library.
Before rolling back the virus signature library, the device backs up the current signature library as the previous version. For example, the previous version is V1 and the current version is V2. If you perform a rollback to the previous version, version V1 becomes the current version and version V2 becomes the previous version. If you perform a rollback to the previous version again, version V2 becomes the current version and version V1 becomes the previous version.
Procedure
1. Enter system view.
system-view
2. Roll back the virus signature library.
anti-virus signature rollback { factory | last }
Display and maintenance commands for anti-virus
Execute the display commands in any view.
|
|
IMPORTANT: Non-default vSystems do not support some of the display and maintenance commands. For information about vSystem support for these commands, see anti-virus command reference. |
|
Task |
Command |
|
Display anti-virus cache information. |
In standalone mode: display anti-virus cache [ slot slot-number [ cpu cpu-number ] ] In IRF mode: display anti-virus cache [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] |
|
Display virus signature information. |
display anti-virus signature [ [ signature-id ] | [ severity { critical | high | low | medium } ] ] |
|
Display virus signature family information. |
display anti-virus signature family-info |
|
Display virus signature library information. |
display anti-virus signature library |
|
Display anti-virus statistics. |
In standalone mode: display anti-virus statistics [ policy policy-name ] [ slot slot-number [ cpu cpu-number ] ] In IRF mode: display anti-virus statistics [ policy policy-name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] |
Anti-virus configuration examples
Example: Using the default anti-virus policy in a security policy
Network configuration
As shown in Figure 3, the device connects the LAN and the Internet. The LAN resides in security zone Trust and the Internet resides in security zone Untrust.
Configure the device to use the default anti-virus policy for virus detection and prevention.
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures static routes, and the next hop in the routes is 2.2.2.2.
[Device] ip route-static 5.5.5.0 24 2.2.2.2
3. Add interfaces to security zones.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
4. Configure a DPI application profile and activate the anti-virus policy settings:
# Apply the default anti-virus policy to DPI application profile sec and set the policy mode to protect.
[Device] app-profile sec
[Device-app-profile-sec] anti-virus apply policy default mode protect
[Device-app-profile-sec] quit
# Activate the anti-virus policy settings.
[Device] inspect activate
5. Configure a security policy:
# Create a security policy rule named trust-untrust. Configure the rule to apply DPI application profile sec to packets from security zone Trust to security zone Untrust with source subnet address 192.168.1.0/24.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-10-trust-untrust] source-zone trust
[Device-security-policy-ip-10-trust-untrust] source-ip-subnet 192.168.1.0 24
[Device-security-policy-ip-10-trust-untrust] destination-zone untrust
[Device-security-policy-ip-10-trust-untrust] action pass
[Device-security-policy-ip-10-trust-untrust] profile sec
[Device-security-policy-ip-10-trust-untrust] quit
# Activate rule matching acceleration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
Verifying the configuration
# Verify that the device can use the default anti-virus policy to detect and prevent known viruses. (Details not shown.)
Example: Using a user-defined anti-virus policy in a security policy
Network configuration
As shown in Figure 4, the device connects the LAN and the Internet. The LAN resides in security zone Trust and the Internet resides in security zone Untrust.
Configure the device to use a user-defined anti-virus policy for virus detection and prevention. In the user-defined anti-virus policy, set virus signature 2 as a signature exception and set the 139Email application as an application exception.
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures static routes, and the next hop in the routes is 2.2.2.2.
[Device] ip route-static 5.5.5.0 24 2.2.2.2
3. Add interfaces to security zones.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
4. Create anti-virus policy antivirus1, set virus signature 2 as a signature exception, set the 139Email application as an application exception, and specify alert as the anti-virus action for the application exception.
[Device] anti-virus policy antivirus1
[Device-anti-virus-policy-antivirus1] exception signature 2
[Device-anti-virus-policy-antivirus1] exception application 139Email action alert
[Device-anti-virus-policy-antivirus1] quit
5. Configure a DPI application profile and activate the anti-virus policy settings:
# Apply anti-virus policy antivirus1 to DPI application profile sec and set the policy mode to protect.
[Device] app-profile sec
[Device-app-profile-sec] anti-virus apply policy antivirus1 mode protect
[Device-app-profile-sec] quit
# Activate the anti-virus policy settings.
[Device] inspect activate
6. Configure a security policy:
# Create a security policy rule named trust-untrust. Configure the rule to apply DPI application profile sec to packets from security zone Trust to security zone Untrust with source subnet address 192.168.1.0/24.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-10-trust-untrust] source-zone trust
[Device-security-policy-ip-10-trust-untrust] source-ip-subnet 192.168.1.0 24
[Device-security-policy-ip-10-trust-untrust] destination-zone untrust
[Device-security-policy-ip-10-trust-untrust] action pass
[Device-security-policy-ip-10-trust-untrust] profile sec
[Device-security-policy-ip-10-trust-untrust] quit
# Activate rule matching acceleration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
Verifying the configuration
# Verify that the anti-virus policy is correctly configured. (Details not shown.)
Example: Manually updating the virus signature library
Network configuration
As shown in Figure 5, LAN users in security zone Trust can access the Internet resources in security zone Untrust and the FTP server in security zone DMZ. The username and password for logging in to the FTP server are anti-virus and 123, respectively. The latest virus signature file anti-virus-1.0.8-encrypt.dat is stored in the root directory on the FTP server.
Manually update the virus signature library on the device by using the latest virus signature file on the FTP server.
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures static routes, and the next hop in the routes is 2.2.2.2.
[Device] ip route-static 5.5.5.0 24 2.2.2.2
3. Add interfaces to security zones.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
[Device] security-zone name dmz
[Device-security-zone-DMZ] import interface gigabitethernet 1/0/3
[Device-security-zone-DMZ] quit
4. Configure a security policy:
# Create a security policy rule named trust-untrust to permit traffic sent from security zone Trust to security zone Untrust.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-10-trust-untrust] source-zone trust
[Device-security-policy-ip-10-trust-untrust] source-ip-subnet 192.168.1.0 24
[Device-security-policy-ip-10-trust-untrust] destination-zone untrust
[Device-security-policy-ip-10-trust-untrust] action pass
[Device-security-policy-ip-10-trust-untrust] quit
# Create a security policy rule named trust-dmz to permit traffic sent from security zone Trust to security zone DMZ.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-dmz
[Device-security-policy-ip-11-trust-dmz] source-zone trust
[Device-security-policy-ip-11-trust-dmz] source-ip-subnet 192.168.1.0 24
[Device-security-policy-ip-11-trust-dmz] destination-zone dmz
[Device-security-policy-ip-11-trust-dmz] action pass
[Device-security-policy-ip-11-trust-dmz] quit
# Create a security policy rule named downloadlocalout to permit traffic sent from security zone Local to security zone DMZ. Thus, the internal hosts can access the FTP server to obtain the virus signature files.
[Device] security-policy ip
[Device-security-policy-ip] rule name downloadlocalout
[Device-security-policy-ip-12-downloadlocalout] source-zone local
[Device-security-policy-ip-12-downloadlocalout] destination-zone dmz
[Device-security-policy-ip-12-downloadlocalout] destination-ip-subnet 192.168.2.0 24
[Device-security-policy-ip-12-downloadlocalout] application ftp
[Device-security-policy-ip-12-downloadlocalout] application ftp-data
[Device-security-policy-ip-12-downloadlocalout] action pass
[Device-security-policy-ip-12-downloadlocalout] quit
# Activate rule matching acceleration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
5. Update the virus signature library by using the virus signature file anti-virus-1.0.8-encrypt.dat on the FTP server.
[Device] anti-virus signature update ftp:// anti-virus:123@192.168.2.4/anti-virus-1.0.8-encrypt.dat
Verifying the configuration
# Verify that the virus signature library is successfully updated.
<Device> display anti-virus signature library
Example: Configuring automatic virus signature library update
Network configuration
As shown in Figure 6, LAN users in security zone Trust can access Internet resources in security zone Untrust.
Configure the device to automatically update the virus signature library at a random time between 08:30 a.m. and 09:30 a.m. every Saturday.
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures static routes, and the next hop in the routes is 2.2.2.2.
[Device] ip route-static 5.5.5.0 24 2.2.2.2
3. Add interfaces to security zones.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
4. Configure a DNS server to resolve the domain name of the official website into an IP address.
[Device] dns server 10.72.66.36
5. Configure a security policy:
# Create a security policy rule named trust-untrust to permit traffic sent from security zone Trust to security zone Untrust.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-10-trust-untrust] source-zone trust
[Device-security-policy-ip-10-trust-untrust] source-ip-subnet 192.168.1.0 24
[Device-security-policy-ip-10-trust-untrust] destination-zone untrust
[Device-security-policy-ip-10-trust-untrust] action pass
[Device-security-policy-ip-10-trust-untrust] quit
# Create a security policy rule named downloadlocalout to permit traffic sent from security zone Local to security zone Untrust. Thus, the internal hosts can access official website to obtain the virus signature files.
[Device] security-policy ip
[Device-security-policy-ip] rule name downloadlocalout
[Device-security-policy-ip-11-downloadlocalout] source-zone local
[Device-security-policy-ip-11-downloadlocalout] destination-zone untrust
[Device-security-policy-ip-11-downloadlocalout] action pass
[Device-security-policy-ip-11-downloadlocalout] quit
# Activate rule matching acceleration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
6. Configure automatic virus signature library update:
# Enable automatic virus signature library update and configure the device to perform automatic update at a random time between 08:00 a.m. and 10:00 a.m. every Saturday.
[Device] anti-virus signature auto-update
[Device-anti-virus-autoupdate] update schedule weekly sat start-time 9:00:00 tingle 60
[Device-anti-virus-autoupdate] quit
Verifying the configuration
# Verify that the virus signature library is updated as scheduled.
<Device> display anti-virus signature library
Example: Using the default anti-virus policy in an object policy
Network configuration
As shown in Figure 7, the device connects the LAN and the Internet. The LAN resides in security zone Trust and the Internet resides in security zone Untrust.
Configure the device to use the default anti-virus policy for virus detection and prevention.
Procedure
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure security zones:
# Assign GigabitEthernet 1/0/1 to security zone Trust.
<Device> system-view
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
# Assign GigabitEthernet 1/0/2 to security zone Untrust.
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
3. Create an IP address object group named antivirus and configure an IP address object with subnet address 192.168.1.0/24.
[Device] object-group ip address antivirus
[Device-obj-grp-ip-antivirus] network subnet 192.168.1.0 24
[Device-obj-grp-ip-antivirus] quit
4. Configure a DPI application profile:
# Create a DPI application profile named sec and enter its view.
[Device] app-profile sec
# Apply the default anti-virus policy to the DPI application profile and set the policy mode to protect.
[Device-app-profile-sec] anti-virus apply policy default mode protect
[Device-app-profile-sec] quit
5. Activate the anti-virus policy settings.
[Device] inspect activate
6. Configure an object policy:
# Create an IPv4 object policy named antivirus and enter its view.
[Device] object-policy ip antivirus
# Configure an object policy rule to apply DPI application profile sec to packets that match source IP address object group antivirus.
[Device-object-policy-ip-antivirus] rule inspect sec source-ip antivirus destination-ip any
[Device-object-policy-ip-antivirus] quit
7. Create a zone pair between source zone Trust and destination zone Untrust. Apply object policy antivirus to the zone pair.
[Device] zone-pair security source trust destination untrust
[Device-zone-pair-security-Trust-Untrust] object-policy apply ip antivirus
[Device-zone-pair-security-Trust-Untrust] quit
Verifying the configuration
# Verify that the device can use the default anti-virus policy to detect and prevent known viruses. (Details not shown.)
Example: Using a user-defined anti-virus policy in an object policy
Network configuration
As shown in Figure 8, the device connects the LAN and the Internet. The LAN resides in security zone Trust and the Internet resides in security zone Untrust.
Set virus signature 2 as a signature exception. Set the 139Email application as an application exception.
Procedure
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure security zones:
# Assign GigabitEthernet 1/0/1 to security zone Trust.
<Device> system-view
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
# Assign GigabitEthernet 1/0/2 to security zone Untrust.
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
3. Create an IP address object group named antivirus and configure an IP address object with subnet address 192.168.1.0/24.
[Device] object-group ip address antivirus
[Device-obj-grp-ip-antivirus] network subnet 192.168.1.0 24
[Device-obj-grp-ip-antivirus] quit
4. Configure anti-virus:
# Create an anti-virus policy named antivirus1 and enter its view.
[Device] anti-virus policy antivirus1
# Set virus signature 2 as a signature exception
[Device-anti-virus-policy-antivirus1] exception signature 2
# Set the 139Email application as an application exception. Specify alert as the anti-virus action for the application exception.
[Device-anti-virus-policy-antivirus1] exception application 139Email action alert
[Device-anti-virus-policy-antivirus1] quit
5. Configure a DPI application profile:
# Create a DPI application profile named sec and enter its view.
[Device] app-profile sec
# Apply anti-virus policy antivirus1 to the DPI application profile and set the policy mode to protect.
[Device-app-profile-sec] anti-virus apply policy antivirus1 mode protect
[Device-app-profile-sec] quit
6. Activate the anti-virus policy settings.
[Device] inspect activate
7. Configure an object policy:
# Create an IPv4 object policy named antivirus and enter its view.
[Device] object-policy ip antivirus
# Configure an object policy rule to apply DPI application profile sec to packets that match source IP address object group antivirus.
[Device-object-policy-ip-antivirus] rule inspect sec source-ip antivirus destination-ip any
[Device-object-policy-ip-antivirus] quit
8. Create a zone pair between source zone Trust and destination zone Untrust. Apply object policy antivirus to the zone pair.
[Device] zone-pair security source trust destination untrust
[Device-zone-pair-security-Trust-Untrust] object-policy apply ip antivirus
[Device-zone-pair-security-Trust-Untrust] quit
Verifying the configuration
# Verify that the anti-virus policy is correctly configured. (Details not shown.)
Example: Manually updating the virus signature library
Network configuration
As shown in Figure 9, LAN users in security zone Trust can access the Internet resources in security zone Untrust and the FTP server in security zone DMZ. The username and password for logging in to the FTP server are anti-virus and 123, respectively. The latest virus signature file anti-virus-1.0.8-encrypt.dat is stored in the root directory on the FTP server.
Manually update the virus signature library on the device by using the latest virus signature file on the FTP server.
Procedure
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure the device to communicate with the FTP server:
# Configure ACL 2001 to permit all packets.
<Device> system-view
[Device] acl basic 2001
[Device-acl-ipv4-basic-2001] rule permit
[Device-acl-ipv4-basic-2001] quit
# Assign GigabitEthernet 1/0/3 to security zone DMZ.
[Device] security-zone name dmz
[Device-security-zone-DMZ] import interface gigabitethernet 1/0/3
[Device-security-zone-DMZ] quit
# Create a zone pair between source zone Local and destination zone DMZ. Apply ACL 2001 to the zone pair for packet filtering.
[Device] zone-pair security source local destination dmz
[Device-zone-pair-security-Local-DMZ] packet-filter 2001
[Device-zone-pair-security-Local-DMZ] quit
# Create a zone pair between source zone DMZ and destination zone Local. Apply ACL 2001 to the zone pair for packet filtering.
[Device] zone-pair security source dmz destination local
[Device-zone-pair-security-DMZ-Local] packet-filter 2001
[Device-zone-pair-security-DMZ-Local] quit
3. Update the virus signature library by using the virus signature file anti-virus-1.0.8-encrypt.dat on the FTP server.
[Device] anti-virus signature update ftp:// anti-virus:123@192.168.2.4/anti-virus-1.0.8-encrypt.dat
Verifying the configuration
# Verify that the virus signature library is successfully updated.
<Device> display anti-virus signature library
Example: Configuring automatic virus signature library update
Network configuration
As shown in Figure 10, LAN users in security zone Trust can access Internet resources in security zone Untrust.
Configure the device to automatically update the virus signature library at a random time between 08:30 a.m. and 09:30 a.m. every Saturday.
Procedure
1. Assign IP addresses to interfaces. (Details not shown.)
2. Configure DNS for resolving the domain name of the H3C website into an IP address. (Details not shown.)
3. Configure an object policy to allow LAN users in security zone Trust to access Internet resources in security zone Untrust. (Details not shown.)
4. Configure automatic virus signature library update:
# Enable automatic virus signature library update.
<Device> system-view
[Device] anti-virus signature auto-update
# Configure the device to perform automatic update at a random time between 08:00 a.m. and 10:00 a.m. every Saturday.
[Device-anti-virus-autoupdate] update schedule weekly sat start-time 9:00:00 tingle 60
[Device-anti-virus-autoupdate] quit
Verifying the configuration
# Verify that the virus signature library is updated as scheduled.
<Device> display anti-virus signature library
