DPI engine commands
Commands and descriptions for centralized devices apply to the following routers:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3600-28-SI/3600-51-SI.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
· MSR 3610/3620/3620-DP/3640/3660.
· MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.
Commands and descriptions for distributed devices apply to the following routers:
· MSR5620.
· MSR 5660.
· MSR 5680.
The following matrix shows the feature and hardware compatibility:

Hardware | DPI engine compatibility
---|---
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes
MSR810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | DPI engine compatibility
---|---
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | No
app-profile
Use app-profile to create a deep packet inspection (DPI) application profile and enter its view, or enter the view of an existing DPI application profile.
Use undo app-profile to delete a DPI application profile.
Syntax
app-profile profile-name
undo app-profile profile-name
Default
No DPI application profiles exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
profile-name: Specifies a DPI application profile name. The profile name is a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, and underscores (_).
Usage guidelines
The DPI application profile is a security service template that can include DPI service policies such as URL filtering policy.
A DPI application profile takes effect after an object policy rule or security policy rule uses it as the action. DPI engine inspects the packets matching the object policy rule or security policy rule. DPI service modules process the packets matching the DPI engine inspection rules.
Examples
# Create a DPI application profile named abc and enter its view.
<Sysname> system-view
[Sysname] app-profile abc
[Sysname-app-profile-abc]
authentication enable
Use authentication enable to enable email client authentication.
Use undo authentication enable to disable email client authentication.
Syntax
authentication enable
undo authentication enable
Default
Email client authentication is enabled.
Views
Email parameter profile view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Use this command when the email server specified by the email-server command requires client authentication.
Examples
# Disable email client authentication.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] undo authentication enable
block-period
Use block-period to set the block period during which a source IP address is blocked.
Use undo block-period to restore the default.
Syntax
block-period period
undo block-period
Default
A source IP address is blocked for 1800 seconds.
Views
Block source parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
period: Specifies the block period in the range of 1 to 86400 seconds.
Usage guidelines
For the block period to take effect, make sure the blacklist feature is enabled.
The device drops the packet that matches an inspection rule configured with the block source action and adds the packet's source IP address to the IP blacklist.
· If the blacklist feature is enabled, the device directly drops subsequent packets from the source IP address during the block period.
· If the blacklist feature is disabled, the block period does not take effect. The device inspects all packets and drops the matching ones.
For more information about the blacklist feature, see attack detection and prevention in the Security Configuration Guide.
Examples
# Set the block period to 3600 seconds in block source parameter profile b1.
<Sysname> system-view
[Sysname] inspect block-source parameter-profile b1
[Sysname-inspect-block-para-b1] block-period 3600
Related commands
blacklist enable (security zone view) (Security Command Reference)
blacklist global enable (Security Command Reference)
inspect block-source parameter-profile
capture-limit
Use capture-limit to set the maximum volume of captured packets that can be cached.
Use undo capture-limit to restore the default.
Syntax
capture-limit kilobytes
undo capture-limit
Default
The device can cache a maximum of 512 kilobytes of captured packets.
Views
Capture parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
kilobytes: Specifies the maximum volume in the range of 0 to 1024 kilobytes.
Usage guidelines
The device caches captured packets locally. It exports the cached captured packets to a URL when the volume of cached captured packets reaches the maximum, and clears the cache. After the export, the device starts to capture packets again.
If you set the maximum volume of cached captured packets to 0 kilobytes, the device immediately exports a packet to the URL after the packet is captured.
Examples
# Set the maximum volume of cached captured packets to 1024 kilobytes in the capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-para-c1] capture-limit 1024
Related commands
export url
export repeating-at
inspect capture parameter-profile
display inspect status
Use display inspect status to display the status of the DPI engine.
Syntax
display inspect status
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display the status of the DPI engine.
<Sysname> display inspect status
Chassis 0 Slot 1:
Running status: normal
Table 1 Command output

Field | Description
---|---
Running status | Status of the DPI engine: bypass by configure (the DPI engine cannot process packets because of a configuration error); bypass by cpu busy (the DPI engine cannot process packets because of excessive CPU usage); normal (the DPI engine is running correctly).
dns-server
Use dns-server to specify the DNS server IPv4 address.
Use undo dns-server to restore the default.
Syntax
dns-server ip-address
undo dns-server
Default
No DNS server IPv4 address is specified.
Views
Email parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Specifies the DNS server IPv4 address in dotted decimal notation.
Usage guidelines
If the email server is specified by host name, a DNS server is required to resolve the host name into an IP address.
Examples
# Specify the DNS server IPv4 address 192.168.0.1.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] dns-server 192.168.0.1
email-server
Use email-server to specify the email server.
Use undo email-server to restore the default.
Syntax
email-server address-string
undo email-server
Default
No email server is specified.
Views
Email parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
address-string: Specifies the email server address, a case-sensitive string of 3 to 63 characters.
Usage guidelines
The email server address can be an IP address or a host name.
If you execute this command multiple times for the same email parameter profile, the most recent configuration takes effect.
If you specify the email server by host name, make sure the device can resolve the host name into an IP address through static or dynamic DNS. Make sure the device and the email server can reach each other. For more information about DNS, see Layer 3—IP Services Configuration Guide.
Examples
# Specify the email server rndcas.123.com.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] email-server rndcas.123.com
# Specify the email server at 192.168.1.1.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] email-server 192.168.1.1
export repeating-at
Use export repeating-at to set the daily export time for cached captured packets.
Use undo export repeating-at to restore the default.
Syntax
export repeating-at time
undo export repeating-at
Default
The system exports cached captured packets at 1:00 a.m. every day.
Views
Capture parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
time: Specifies the daily export time in the format of hh:mm:ss in the range of 00:00:00 to 23:59:59.
Usage guidelines
The device exports cached captured packets to a URL and clears the cache at the daily export time, whether or not the volume of cached captured packets reaches the maximum.
Examples
# Configure the device to export cached captured packets at 2:00 a.m. every day in the capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-para-c1] export repeating-at 02:00:00
Related commands
capture-limit
export url
inspect capture parameter-profile
export url
Use export url to specify the URL to which the cached captured packets are exported.
Use undo export url to restore the default.
Syntax
export url url-string
undo export url
Default
No URL is specified for exporting the cached captured packets.
Views
Capture parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
url-string: Specifies the URL, a string of 1 to 255 characters.
Usage guidelines
The device exports the cached captured packets to the specified URL at the daily export time or when the volume of cached captured packets reaches the maximum. After the captured packets are exported, the system clears the cache.
If you do not specify a URL, the device still attempts to export the cached captured packets at the export time, but the export fails.
Examples
# Configure the device to export cached captured packets to URL tftp://192.168.100.100/upload in the capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-para-c1] export url tftp://192.168.100.100/upload
Related commands
capture-limit
export repeating-at
inspect capture parameter-profile
inspect activate
Use inspect activate to activate the policy and rule configurations for DPI service modules.
Syntax
inspect activate
Default
The creation, modification, and deletion of DPI service policies and rules do not take effect.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
You can use the inspect activate command to manually validate the policy and rule configurations for DPI service modules. This operation produces the same effect as saving the configurations and rebooting the device.
The inspect activate command can cause temporary service disruptions. As a best practice, execute this command after all DPI service policy and rule configurations are complete.
Examples
# Activate the policy and rule configurations for DPI service modules.
<Sysname> system-view
[Sysname] inspect activate
inspect block-source parameter-profile
Use inspect block-source parameter-profile to create a block source parameter profile and enter its view, or enter the view of an existing block source parameter profile.
Use undo inspect block-source parameter-profile to delete a block source parameter profile.
Syntax
inspect block-source parameter-profile parameter-name
undo inspect block-source parameter-profile parameter-name
Default
No block source parameter profiles exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
parameter-name: Specifies a block source parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In block source parameter profile view, you can set parameters for the block source action, such as the block period.
Examples
# Create a block source parameter profile named b1 and enter its view.
<Sysname> system-view
[Sysname] inspect block-source parameter-profile b1
[Sysname-inspect-block-para-b1]
Related commands
block-period
inspect bypass
Use inspect bypass to disable the DPI engine.
Use undo inspect bypass to enable the DPI engine.
Syntax
inspect bypass
undo inspect bypass
Default
The DPI engine is enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Packet inspection in the DPI engine is a complex and resource-consuming process. When the CPU usage is high, you can disable the DPI engine to guarantee the device performance. After you disable the DPI engine, packets will not be processed by DPI.
Examples
# Disable the DPI engine.
<Sysname> system-view
[Sysname] inspect bypass
Related commands
display inspect status
inspect cache-option maximum
Use inspect cache-option maximum to set the maximum number of options to be cached per TCP/UDP data flow for further inspection.
Use undo inspect cache-option to restore the default.
Syntax
inspect cache-option maximum max-number
undo inspect cache-option
Default
The DPI engine can cache a maximum of 32 options per TCP/UDP data flow.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
max-number: Specifies the maximum number of options to be cached per TCP/UDP data flow. The value range is 1 to 254.
Usage guidelines
An inspection rule can contain multiple AC patterns, and each AC pattern can be associated with multiple options. A TCP/UDP data flow matches an inspection rule if the packets of the flow match all the AC patterns and options in the rule.
If a packet of a TCP/UDP data flow matches only one AC pattern in an inspection rule, the DPI engine cannot yet determine whether the flow matches the rule. The DPI engine continues to match packets of the flow against the remaining options and AC patterns in the rule. Any options that cannot be matched yet are cached so they can be matched against subsequent packets. The DPI engine determines that the flow matches the rule when all options and AC patterns in the rule are matched.
The more options the DPI engine caches, the more likely it is to identify the application information and the more accurate the inspection. However, caching more options requires more memory. If the device has high memory usage, configure the DPI engine to cache fewer options to improve the device performance.
Typically, the default setting is sufficient for most scenarios.
Examples
# Configure the DPI engine to cache a maximum of four options per TCP/UDP data flow for further inspection.
<Sysname> system-view
[Sysname] inspect cache-option maximum 4
inspect capture parameter-profile
Use inspect capture parameter-profile to create a capture parameter profile and enter its view, or enter the view of an existing capture parameter profile.
Use undo inspect capture parameter-profile to delete a capture parameter profile.
Syntax
inspect capture parameter-profile parameter-name
undo inspect capture parameter-profile parameter-name
Default
No capture parameter profiles exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
parameter-name: Specifies a capture parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In capture parameter profile view, you can set parameters for the packet capture action, such as the maximum volume of cached captured packets.
Only the IPS module supports the packet capture action.
Examples
# Create a capture parameter profile named c1 and enter its view.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-para-c1]
Related commands
capture-limit
export repeating-at
export url
inspect cpu-threshold disable
Use inspect cpu-threshold disable to disable inspection suspension upon excessive CPU usage.
Use undo inspect cpu-threshold disable to enable inspection suspension upon excessive CPU usage.
Syntax
inspect cpu-threshold disable
undo inspect cpu-threshold disable
Default
Inspection suspension upon excessive CPU usage is enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Packet inspection in the DPI engine is a complex and resource-consuming process. When the device's CPU usage is below the CPU usage threshold, the DPI engine inspects the whole packet data in a stream. When the device's CPU usage reaches the threshold, inspection suspension upon excessive CPU usage is triggered and the DPI engine inspects packets as follows:
· If stream fixed length inspection is disabled, the DPI engine suspends packet inspection to guarantee the device performance.
· If stream fixed length inspection is enabled, the DPI engine inspects only a fixed length of data for a stream and ignores the remaining stream data.
If you disable inspection suspension upon excessive CPU usage, the DPI engine continues to inspect the whole packet data in a stream even when the CPU usage threshold is reached. Disabling inspection suspension upon excessive CPU usage is not recommended if the device's CPU usage is high.
Examples
# Disable inspection suspension upon excessive CPU usage.
<Sysname> system-view
[Sysname] inspect cpu-threshold disable
Related commands
display inspect status
inspect bypass
inspect stream-fixed-length disable
inspect email parameter-profile
Use inspect email parameter-profile to create an email parameter profile and enter its view, or enter the view of an existing email parameter profile.
Use undo inspect email parameter-profile to delete an email parameter profile.
Syntax
inspect email parameter-profile parameter-name
undo inspect email parameter-profile parameter-name
Default
No email parameter profiles exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
parameter-name: Specifies an email parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In email parameter profile view, you can set parameters for the email action. Email parameters include the email server, the email sender and receiver, and the username and password for logging in to the email server.
Examples
# Create an email parameter profile named c1 and enter its view.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1]
inspect logging parameter-profile
Use inspect logging parameter-profile to create a logging parameter profile and enter its view, or enter the view of an existing logging parameter profile.
Use undo inspect logging parameter-profile to delete a logging parameter profile.
Syntax
inspect logging parameter-profile parameter-name
undo inspect logging parameter-profile parameter-name
Default
No logging parameter profiles exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
parameter-name: Specifies a logging parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In logging parameter profile view, you can set parameters for the logging action, such as the log output method.
Examples
# Create a logging parameter profile named log1 and enter its view.
<Sysname> system-view
[Sysname] inspect logging parameter-profile log1
[Sysname-inspect-logging-para-log1]
Related commands
log
inspect optimization disable
Use inspect optimization disable to disable a DPI engine optimization feature.
Use undo inspect optimization disable to enable a DPI engine optimization feature.
Syntax
inspect optimization [ chunk | no-acsignature | raw | uncompress | url-normalization ] disable
undo inspect optimization [ chunk | no-acsignature | raw | uncompress | url-normalization ] disable
Default
The default settings of DPI engine optimization features depend on the device model.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
chunk: Specifies the chunked packet decoding feature.
no-acsignature: Specifies the inspection rules that do not contain AC patterns.
raw: Specifies the application layer payload decoding feature.
uncompress: Specifies the HTTP body uncompression feature.
url-normalization: Specifies the HTTP URL normalization feature.
Usage guidelines
If you do not specify any parameter, this command applies to all DPI engine optimization features.
The DPI engine supports the following optimization features:
· Chunked packet decoding—Chunked transfer is a packet transfer mechanism for the HTTP body. The DPI engine must decode a chunked HTTP body before it can inspect the body. When the device throughput is too low to ensure basic communication, you can prevent the DPI engine from decoding chunked packets to improve the device performance. However, when chunked packet decoding is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.
· Inspection rules that do not contain AC patterns—Inspection rules that do not contain AC patterns contain only options. These rules match packets by fields such as port numbers and error codes rather than by character strings. These rules are enabled by default to improve the inspection accuracy. However, when the device throughput is too low to ensure basic communication, you can disable these rules to improve the device performance.
· Application layer payload decoding—For application layer protocols that encode their payloads, such as HTTP, SMTP, POP3, and IMAP4, the DPI engine must decode the payload before inspection. When the device throughput is too low to ensure basic communication, you can prevent the DPI engine from decoding application layer payloads to improve the device performance. However, disabling application layer payload decoding reduces the inspection accuracy of the DPI engine.
· HTTP body uncompression—If the HTTP body field is compressed, the DPI engine must uncompress the body before inspection. When the device throughput is too low to ensure basic communication, you can prevent the DPI engine from uncompressing the HTTP body field to improve the device performance. However, when HTTP body uncompression is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.
· HTTP URL normalization—HTTP URL normalization is the process by which the absolute path in a URL is normalized and special URLs are standardized and checked. For example, the absolute path test/dpi/../index.html is normalized as test/index.html. When the device throughput is too low to ensure basic communication, you can prevent the DPI engine from normalizing HTTP URLs to improve the device performance. However, when HTTP URL normalization is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.
Examples
# Disable all DPI engine optimization features.
<Sysname> system-view
[Sysname] inspect optimization disable
inspect packet maximum
Use inspect packet maximum to set the maximum number of payload-carrying packets to be inspected per data flow.
Use undo inspect packet to restore the default.
Syntax
inspect packet maximum max-number
undo inspect packet
Default
The DPI engine can inspect a maximum of 32 payload-carrying packets per data flow.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
max-number: Specifies the maximum number of payload-carrying packets to be inspected per data flow, in the range of 1 to 254.
Usage guidelines
If the DPI engine finds that the first payload-carrying packet of a data flow does not match any inspection rule, it continues to inspect the next payload-carrying packet, and so on. If the DPI engine has inspected the maximum number of payload-carrying packets without finding a matching inspection rule, it determines that the flow does not match any rule and allows the flow to pass.
The more payload-carrying packets the DPI engine inspects, the more likely it is to identify the application information and the more accurate the inspection.
Typically, the default setting is sufficient for most scenarios. You can adjust the setting according to your network condition.
· If the device throughput is high, increase the maximum number value.
· If the device throughput is low, decrease the maximum number value.
Examples
# Allow the DPI engine to inspect a maximum of 16 payload-carrying packets per data flow for application identification.
<Sysname> system-view
[Sysname] inspect packet maximum 16
inspect redirect parameter-profile
Use inspect redirect parameter-profile to create a redirect parameter profile and enter its view, or enter the view of an existing redirect parameter profile.
Use undo inspect redirect parameter-profile to delete a redirect parameter profile.
Syntax
inspect redirect parameter-profile parameter-name
undo inspect redirect parameter-profile parameter-name
Default
No redirect parameter profiles exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
parameter-name: Specifies a redirect parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In redirect parameter profile view, you can set parameters for the redirect action, such as the URL to which packets are redirected.
Examples
# Create a redirect parameter profile named r1 and enter its view.
<Sysname> system-view
[Sysname] inspect redirect parameter-profile r1
[Sysname-inspect-redirect-r1]
inspect signature auto-update proxy
Use inspect signature auto-update proxy to specify the proxy server used by DPI services for online signature update.
Use undo inspect signature auto-update proxy to restore the default.
Syntax
inspect signature auto-update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name password { cipher | simple } string ]
undo inspect signature auto-update proxy
Default
The proxy server used by DPI services for online signature update is not specified.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain domain-name: Specifies a proxy server by its domain name, a case-insensitive string of 3 to 63 characters.
ip ip-address: Specifies a proxy server by its IPv4 address.
port port-number: Specifies the port number used by the proxy server. The value range is 1 to 65535, and the default is 80.
user user-name: Specifies the username used to log in to the proxy server. The username is a case-insensitive string of 1 to 31 characters.
password: Specifies the password used to log in to the proxy server.
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password in plaintext form will be stored in encrypted form.
string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 31 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.
Usage guidelines
The device must access the H3C website for online signature update of DPI services such as URL filtering. If direct connectivity is not available, the device can access the H3C website through the specified proxy server. For more information about online signature update, see DPI Configuration Guide.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify server www.abc.com on port 8888 as the proxy server and set the login username and password to admin.
<Sysname> system-view
[Sysname] inspect signature auto-update proxy domain www.abc.com port 8888 user admin password simple admin
inspect stream-fixed-length disable
Use inspect stream-fixed-length disable to disable the stream fixed length inspection feature.
Use undo inspect stream-fixed-length disable to enable the stream fixed length inspection feature.
Syntax
inspect stream-fixed-length disable
undo inspect stream-fixed-length disable
Default
The stream fixed length inspection feature is enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The stream fixed length inspection feature enables the DPI engine to inspect only a fixed length of data for a stream when the CPU usage threshold is reached. When the device's CPU usage is below the threshold, the DPI engine inspects the whole packet data in a stream. For information about configuring the CPU usage threshold, see Fundamentals Configuration Guide.
This feature takes effect only when inspection suspension upon excessive CPU usage is enabled.
You can also disable this feature so the DPI engine can suspend packet inspection to guarantee the device performance when the CPU usage threshold is reached.
Examples
# Disable the stream fixed length inspection feature.
<Sysname> system-view
[Sysname] inspect stream-fixed-length disable
Related commands
inspect cpu-threshold disable
inspect stream-fixed-length
inspect stream-fixed-length
Use inspect stream-fixed-length to set the fixed data inspection length for application protocols.
Use undo inspect stream-fixed-length to restore the default.
Syntax
inspect stream-fixed-length { email | ftp | http } * length
undo inspect stream-fixed-length
Default
The fixed data inspection length is 32 kilobytes for FTP, HTTP, and email protocols.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
email: Specifies email protocols, including SMTP, POP3, and IMAP.
ftp: Specifies the FTP protocol.
http: Specifies the HTTP protocol.
length: Specifies the fixed data length in the range of 1 to 128 kilobytes.
Usage guidelines
The larger the inspection length value, the lower the device throughput, and the higher the packet inspection accuracy.
Examples
# Set the fixed data inspection length to 35 kilobytes for FTP and 40 kilobytes for HTTP.
<Sysname> system-view
[Sysname] inspect stream-fixed-length ftp 35 http 40
Related commands
inspect cpu-threshold disable
inspect stream-fixed-length disable
inspect tcp-reassemble enable
Use inspect tcp-reassemble enable to enable the TCP segment reassembly feature.
Use undo inspect tcp-reassemble enable to disable the TCP segment reassembly feature.
Syntax
inspect tcp-reassemble enable
undo inspect tcp-reassemble enable
Default
The TCP segment reassembly feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
DPI engine inspection might fail if TCP segments arrive at the engine out of order. For example, suppose the DPI engine searches for the keywords this is a secret. If the TCP segment containing a secret arrives before the one containing this is, the inspection fails.
The TCP segment reassembly feature enables the device to cache out-of-order TCP segments of the same TCP flow and reassemble the segments before submitting them to the DPI engine for inspection. This improves the DPI engine inspection accuracy.
If the number of cached TCP segments of a flow reaches the limit before the missing segments arrive, reassembly fails. In this case, the device submits the cached segments without reassembling them, and all subsequent segments of the flow, directly to the DPI engine. This limits the degradation of device performance.
Examples
# Enable the TCP segment reassembly feature.
<Sysname> system-view
[Sysname] inspect tcp-reassemble enable
Related commands
inspect tcp-reassemble max-segment
inspect tcp-reassemble max-segment
Use inspect tcp-reassemble max-segment to set the maximum number of TCP segments that can be cached per TCP flow.
Use undo inspect tcp-reassemble max-segment to restore the default.
Syntax
inspect tcp-reassemble max-segment max-number
undo inspect tcp-reassemble max-segment
Default
A maximum of 10 TCP segments can be cached for reassembly per TCP flow.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
max-number: Specifies the maximum number of TCP segments that can be cached per TCP flow, in the range of 10 to 50.
Usage guidelines
Set the limit for the number of TCP segments that can be cached per flow according to your network requirements. The higher the limit, the higher the inspection accuracy, and the lower the device performance.
This command takes effect only when the TCP segment reassembly feature is enabled.
Examples
# Allow the device to cache a maximum of 20 TCP segments for each TCP flow.
<Sysname> system-view
[Sysname] inspect tcp-reassemble max-segment 20
Related commands
inspect tcp-reassemble enable
log
Use log to specify the log storage method.
Use undo log to cancel the specified log storage method.
Syntax
log { email | syslog }
undo log { email | syslog }
Default
Logs are exported to the information center.
Views
Logging parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
email: Emails the logs to a receiver.
syslog: Exports the logs to the information center.
Examples
# Configure the device to export logs to the information center in logging parameter profile log1.
<Sysname> system-view
[Sysname] inspect logging parameter-profile log1
[Sysname-inspect-log-para-log1] log syslog
Related commands
inspect logging parameter-profile
password
Use password to specify the password for logging in to the email server.
Use undo password to restore the default.
Syntax
password { cipher | simple } string
undo password
Default
No password is specified for logging in to the email server.
Views
Email parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
Usage guidelines
If you execute this command multiple times for the same email parameter profile, the most recent configuration takes effect.
Examples
# Specify abc123 as the plaintext password for logging in to the email server.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] password simple abc123
Related commands
authentication enable
receiver
Use receiver to specify the email receiver address.
Use undo receiver to restore the default.
Syntax
receiver address-string
undo receiver
Default
No email receiver address is specified.
Views
Email parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
address-string: Specifies the address of the email receiver, a case-sensitive string of 3 to 511 characters.
Usage guidelines
You can specify multiple semicolon-separated email receiver addresses in one command.
Examples
# Specify the email receiver addresses 123@abc.com and nnn@abc.com.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] receiver 123@abc.com;nnn@abc.com
redirect-url
Use redirect-url to specify the URL to which packets are redirected.
Use undo redirect-url to restore the default.
Syntax
redirect-url url-string
undo redirect-url
Default
No URL is specified for packet redirecting.
Views
Redirect parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
url-string: Specifies the URL, a case-sensitive string of 9 to 63 characters. The URL must start with http:// or https://, for example, http://www.baidu.com.
Usage guidelines
After you specify a URL, matching packets will be redirected to the webpage that the URL identifies.
Examples
# Specify http://www.abc.com/upload as the URL for packet redirecting.
<Sysname> system-view
[Sysname] inspect redirect parameter-profile r1
[Sysname-inspect-redirect-r1] redirect-url http://www.abc.com/upload
Related commands
inspect redirect parameter-profile
secure-authentication enable
Use secure-authentication enable to enable the secure password authentication feature.
Use undo secure-authentication enable to disable the secure password authentication feature.
Syntax
secure-authentication enable
undo secure-authentication enable
Default
The secure password authentication feature is disabled.
Views
Email parameter profile view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
After the secure password authentication feature is enabled, the device establishes a secure channel to the email server and transmits the email server login password over that channel rather than sending it in the clear.
Examples
# Enable the secure password authentication feature.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] secure-authentication enable
Related commands
authentication enable
sender
Use sender to specify the email sender address.
Use undo sender to restore the default.
Syntax
sender address-string
undo sender
Default
No email sender address is specified.
Views
Email parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
address-string: Specifies the address of the email sender, a case-sensitive string of 3 to 63 characters.
Usage guidelines
The email sender address is the source address that the device uses to send emails to destinations.
Examples
# Specify the email sender address abc@123.com.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] sender abc@123.com
username
Use username to specify the username for logging in to the email server.
Use undo username to restore the default.
Syntax
username name-string
undo username
Default
No username is specified for logging in to the email server.
Views
Email parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
name-string: Specifies the username, a case-sensitive string of 1 to 63 characters.
Usage guidelines
If you execute this command multiple times for the same email parameter profile, the most recent configuration takes effect.
Examples
# Specify han as the username for logging in to the email server.
<Sysname> system-view
[Sysname] inspect email parameter-profile c1
[Sysname-inspect-email-c1] username han
Related commands
authentication enable
IPS commands
The following matrix shows the feature and hardware compatibility:
Hardware | IPS compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes
MSR810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes
Hardware | IPS compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | No
action
Use action to configure the action criterion for IPS signature filtering in an IPS policy.
Use undo action to restore the default.
Syntax
action { block-source | drop | permit | reset } *
undo action
Default
The action attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
block-source: Specifies the block source action.
drop: Specifies the drop action.
permit: Specifies the permit action.
reset: Specifies the reset action.
Usage guidelines
This command filters the IPS signatures that an IPS policy uses based on the actions associated with the signatures.
You can specify multiple actions in an action criterion. The IPS policy uses an IPS signature if the signature is associated with any of the specified actions.
If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.
Examples
# Configure IPS policy test to use IPS signatures associated with the drop or reset action.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] action drop reset
attack-category
Use attack-category to specify an attack category criterion to filter IPS signatures in an IPS policy.
Use undo attack-category to delete an attack category criterion.
Syntax
attack-category { category-name [ subcategory-name ] | all }
undo attack-category { category-name [ subcategory-name ] | all }
Default
The attack category attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
category-name: Specifies an attack category by its name.
subcategory-name: Specifies a subcategory of the attack category. If you do not specify a subcategory, the criterion matches IPS signatures in every subcategory of the specified attack category.
all: Specifies all attack categories.
Usage guidelines
This command filters the IPS signatures that an IPS policy uses based on the attack category attribute of the signatures.
You can execute this command multiple times to specify multiple attack category criteria in an IPS policy. The IPS policy uses an IPS signature if the signature matches any of the configured attack category criteria.
Examples
# Configure IPS policy test to use IPS signatures with the SQLInjection attack subcategory of the Vulnerability attack category.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] attack-category Vulnerability SQLInjection
display ips policy
Use display ips policy to display IPS policy information.
Syntax
display ips policy policy-name
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
policy-name: Specifies an IPS policy by its name, a case-insensitive string of 1 to 63 characters.
Examples
# Display information about IPS policy aa.
<Sysname> display ips policy aa
Total signatures :119 failed:0
Pre-defined signatures:119 failed:0
User-defined signatures:0 failed:0
Flag:
B: Block-Source D: Drop P: Permit Rs: Reset Rd: Redirect C: Capture L: Logging
Pre: predefined User: user-defined
Type RuleID Target SubTarget Severity Direction Category SubCategory Status Action
Pre 1374 WebServer Other Critical Server Vulnerability SQLInjection Enable RsL
Pre 1414 Browser InternetExplore High Client Vulnerability XSS Enable PL
Pre 1990 WebServer Other Critical Server Vulnerability SQLInjection Enable RsL
Pre 2643 Database MS-SQL Critical Server Vulnerability SQLInjection Enable PL
Pre 3142 NetworkProtocol FTP Critical Server Vulnerability SQLInjection Enable RsL
Pre 3295 NetworkProtocol HTTP Critical Client Vulnerability XSS Enable PL
Pre 3700 NetworkDevice Cisco Critical Server Vulnerability XSS Enable RsL
Pre 3801 WebServer Other Critical Server Vulnerability SQLInjection Enable PL
Pre 4363 NetworkProtocol FTP Critical Server Vulnerability SQLInjection Enable RsL
Pre 4479 NetworkProtocol FTP Critical Server Vulnerability SQLInjection Enable RsL
Pre 4933 WebServer Other Critical Server Vulnerability SQLInjection Enable PL
Pre 5379 NetworkProtocol HTTP Critical Client Vulnerability XSS Enable PL
Pre 5597 WebServer Other Critical Server Vulnerability SQLInjection Enable RsL
Pre 6017 NetworkProtocol HTTP Critical Client Vulnerability XSS Enable RsL
…
Table 2 Command output
Field | Description
Total signatures | Total number of IPS signatures.
Pre-defined signatures | Total number of predefined IPS signatures.
User-defined signatures | Total number of user-defined signatures.
Type | Type of the IPS signature: · Pre—Predefined IPS signatures. · User—User-defined signatures.
RuleID | Signature ID.
Target | Attacked target.
SubTarget | Attacked subtarget.
Severity | Attack severity level of the signature: Low, Medium, High, or Critical.
Direction | Traffic direction: · Client—Server-to-client direction. · Server—Client-to-server direction. · Any—Both directions.
Category | Attack category of the signature.
SubCategory | Subcategory of the signature.
Status | Status of the IPS signature: Enabled or Disabled.
Action | Actions for matching packets: · Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist. · Drop—Drops matching packets. · Permit—Permits matching packets to pass. · Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages. · Redirect—Redirects matching packets to a webpage. · Capture—Captures matching packets. · Logging—Logs matching packets.
Related commands
ips policy
display ips signature
Use display ips signature to display IPS signature information.
Syntax
display ips signature [ pre-defined | user-defined ] [ direction { any | to-client | to-server } ] [ category category-name | fidelity { high | low | medium } | protocol { icmp | ip | tcp | udp } | severity { critical | high | low | medium } ] *
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
pre-defined: Specifies predefined IPS signatures.
user-defined: Specifies user-defined IPS signatures.
direction { any | to-client | to-server }: Specifies a direction attribute. If you do not specify a direction attribute, this command displays IPS signatures with any direction attribute.
· to-server: Specifies the client to server direction of a session.
· to-client: Specifies the server to client direction of a session.
· any: Specifies both directions of a session.
category category-name: Specifies an attack category. If you do not specify an attack category, this command displays IPS signatures for all attack categories.
fidelity { high | low | medium }: Specifies a fidelity level. If you do not specify a fidelity level, this command displays IPS signatures of all fidelity levels. The fidelity level indicates the attack detection accuracy.
· low: Specifies the low fidelity.
· medium: Specifies the medium fidelity.
· high: Specifies the high fidelity.
protocol { icmp | ip | tcp | udp }: Specifies a protocol. If you do not specify a protocol, this command displays IPS signatures for all protocols.
severity { critical | high | low | medium }: Specifies an attack severity level. If you do not specify a severity level, this command displays IPS signatures for all severity levels of attacks.
· low: Specifies the low severity level.
· medium: Specifies the medium severity level.
· high: Specifies the high severity level.
· critical: Specifies the critical severity level.
Usage guidelines
If you do not specify any options, this command displays all IPS signatures.
Examples
# Display predefined IPS signatures of the medium fidelity level for TCP.
<Sysname> display ips signature pre-defined protocol tcp fidelity medium
Pre-defined signatures total:138 failed:0
Flag:
Pre: predefined User: user-defined
Type Sig-ID Direction Severity Fidelity Category Protocol
Pre 1 To-server High Medium Vulnerability TCP
Pre 2 To-server High Medium Vulnerability TCP
Pre 4 To-client High Medium Vulnerability TCP
Pre 5 To-client High Medium Vulnerability TCP
Pre 6 To-client High Medium Vulnerability TCP
Pre 7 To-client High Medium Vulnerability TCP
Pre 8 To-client High Medium Vulnerability TCP
Pre 10 To-server High Medium Vulnerability TCP
Pre 11 To-client High Medium InformationDi TCP
Pre 12 Any Critical Medium Vulnerability TCP
Pre 13 To-client High Medium Vulnerability TCP
Pre 14 To-server High Medium Vulnerability TCP
Pre 15 To-client High Medium Vulnerability TCP
Pre 16 To-client Critical Medium Vulnerability TCP
Pre 17 To-client High Medium Vulnerability TCP
Pre 18 To-client High Medium Vulnerability TCP
Pre 19 Any Critical Medium Vulnerability TCP
…
# Display IPS signatures of the high attack severity level for UDP.
<Sysname> display ips signature severity high protocol udp
Total signatures :155 failed:0
Pre-defined signatures total:155 failed:0
User-defined signatures total:0 failed:0
Flag:
Pre: predefined User: user-defined
Type Sig-ID Direction Severity Fidelity Category Protocol
Pre 9 To-server High Medium Vulnerability UDP
Pre 45 To-server High Medium Vulnerability UDP
Pre 187 Any High Medium Vulnerability UDP
Pre 196 Any High Medium InformationDi UDP
Pre 223 To-server High Medium Malware UDP
Pre 234 To-client High Medium InformationDi UDP
Pre 338 To-client High Medium DoS UDP
Pre 577 Any High Medium NetworkMonito UDP
Pre 948 Any High Medium NetworkMonito UDP
Pre 1157 Any High Medium InformationDi UDP
Pre 1475 Any High Medium InformationDi UDP
Pre 1641 Any High Medium InformationDi UDP
Pre 2059 Any High Medium NetworkMonito UDP
Pre 2185 Any High Medium NetworkMonito UDP
Pre 2634 Any High Medium InformationDi UDP
…
Table 3 Command output
Field | Description
Total signatures | Total number of IPS signatures.
failed | Number of IPS signatures that failed to be imported and loaded during signature update.
Pre-defined signatures total | Total number of predefined IPS signatures.
User-defined signatures total | Total number of user-defined signatures.
Type | Type of the IPS signature: · Pre—Predefined IPS signatures. · User—User-defined signatures.
Sig-ID | Signature ID.
Direction | Direction attribute of the signature: · Any—Both directions of a session. · To-server—Client-to-server direction of a session. · To-client—Server-to-client direction of a session.
Severity | Attack severity level of the signature: Low, Medium, High, or Critical.
Fidelity | Fidelity level (attack detection accuracy) of the signature: Low, Medium, or High.
Category | Attack category of the signature.
Protocol | Protocol attribute of the signature.
display ips signature { pre-defined | user-defined }
Use display ips signature { pre-defined | user-defined } to display detailed information about an IPS signature.
Syntax
display ips signature { pre-defined | user-defined } signature-id
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
pre-defined: Specifies a predefined signature.
user-defined: Specifies a user-defined signature.
signature-id: Specifies the signature ID. The value range is 1 to 4294967295.
Examples
# Display detailed information about predefined IPS signature 1.
<Sysname> display ips signature pre-defined 1
Type : Pre-defined
Signature ID: 1
Status : Enabled
Action : Reset & Logging
Name : GNU_Bash_CVE-2014-6271_Remote_Code_Execution_Vulnerability
Protocol : TCP
Severity : High
Fidelity : Medium
Direction : To-server
Category : Vulnerability
Reference : CVE-2014-6271;
Description : GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Table 4 Command output
Field | Description
Type | Type of the IPS signature: · Pre—Predefined IPS signatures. · User—User-defined signatures.
Signature ID | Signature ID.
Status | Status of the IPS signature: Enabled or Disabled.
Action | Actions for matching packets: · Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist. · Drop—Drops matching packets. · Permit—Permits matching packets to pass. · Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages. · Capture—Captures matching packets. · Logging—Logs matching packets.
Name | Name of the IPS signature.
Protocol | Protocol attribute of the signature.
Severity | Attack severity level of the signature: Low, Medium, High, or Critical.
Fidelity | Fidelity level of the signature: Low, Medium, or High.
Direction | Direction attribute of the signature: · Any—Both directions of a session. · To-server—Client-to-server direction of a session. · To-client—Server-to-client direction of a session.
Category | Attack category of the signature.
Reference | Reference for the signature, for example the CVE identifier it covers.
Description | Description of the signature.
display ips signature information
Use display ips signature information to display IPS signature library information.
Syntax
display ips signature information
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display IPS signature library information.
<Sysname> display ips signature information
IPS signature library information:
Type SigVersion ReleaseTime Size
Current 1.0.42 Tue Dec 12 10:18:46 2017 3925424
Last 1.0.38 Fri Aug 04 02:06:28 2017 2912352
Factory 1.0.0 Fri Dec 31 16:00:00 1999 21360
Table 5 Command output
Field | Description
Type | Version type of the IPS signature library: · Current—Current version. · Last—Previous version. · Factory—Factory default version.
SigVersion | Version number of the IPS signature library.
ReleaseTime | Release time of the IPS signature library.
Size | Size of the IPS signature file in bytes.
display ips signature user-defined parse-failed
Use display ips signature user-defined parse-failed to display information about the user-defined IPS signatures that failed to be parsed during signature import.
Syntax
display ips signature user-defined parse-failed
Views
Any view
Predefined user roles
network-admin
Examples
# Display information about the user-defined IPS signatures that failed to be parsed during import.
<Sysname> display ips signature user-defined parse-failed
LineNo SID Information
1 None Error: Invalid actions.
Tip: Only actions {alert|drop|pass|reject|sdrop|log} are supported
2 1010082 Error: Invalid signature ID.
Tip: The signature ID must be in the range of 1 to 536870912
3 1010083 Error: Invalid protocol.
Tip: Only protocols {tcp|udp|icmp|ip} are supported
4 1010084 Error: Invalid direction.
Tip: Only directions {'<>'|'->'} are supported
Table 6 Command output
Field | Description
LineNo | Line number of the signature in the Snort rule file.
SID | Signature ID, or None if no valid SID could be read from the rule.
Information | Signature information: · Error—Reason for the parse failure. · Tip—Hint for correcting the rule in the file.
Related commands
ips signature import snort
ips apply policy
Use ips apply policy to apply an IPS policy to a DPI application profile.
Use undo ips apply policy to remove the application.
Syntax
ips apply policy policy-name mode { alert | protect }
undo ips apply policy
Default
No IPS policy is applied to a DPI application profile.
Views
DPI application profile view
Predefined user roles
network-admin
Parameters
policy-name: Specifies an IPS policy by its name, a case-insensitive string of 1 to 63 characters.
mode: Specifies an IPS policy mode.
alert: Detection-only mode. The device only captures or logs matching packets; it does not execute the other actions specified for the signatures.
protect: Protection mode. The device executes all actions specified for the matching signatures, including drop, reset, and block-source.
Usage guidelines
An IPS policy takes effect only after it is applied to a DPI application profile.
You can apply only one IPS policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply IPS policy ips1 to DPI application profile sec. Set the IPS policy mode to protect.
<Sysname> system-view
[Sysname] app-profile sec
[Sysname-app-profile-sec] ips apply policy ips1 mode protect
Related commands
app-profile
ips policy
ips parameter-profile
Use ips parameter-profile to specify a parameter profile for an IPS action.
Use undo ips parameter-profile to remove the parameter profile from an IPS action.
Syntax
ips { block-source | capture | email | logging | redirect } parameter-profile parameter-name
undo ips { block-source | capture | email | logging | redirect } parameter-profile
Default
No parameter profile is specified for an IPS action.
Views
System view
Predefined user roles
network-admin
Parameters
block-source: Specifies a parameter profile for the block-source action.
capture: Specifies a parameter profile for the capture action.
email: Specifies a parameter profile for the email action.
logging: Specifies a parameter profile for the logging action.
redirect: Specifies a parameter profile for the redirect action.
parameter-profile parameter-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Use this command to specify the parameter profile used by an IPS action. A parameter profile is a set of parameters that determines how the action is executed. If you do not specify a parameter profile for an action, or if the specified profile does not exist, the default action parameter settings are used.
For information about configuring parameter profiles, see DPI Configuration Guide.
Examples
# Create parameter profile ips1. Set the source IP address blocking period to 1111 seconds.
<Sysname> system-view
[Sysname] inspect block-source parameter-profile ips1
[Sysname-inspect-block-source-ips1] block-period 1111
[Sysname-inspect-block-source-ips1] quit
# Specify the parameter profile ips1 for the block-source action.
[Sysname] ips block-source parameter-profile ips1
Related commands
inspect block-source parameter-profile
inspect capture parameter-profile
inspect logging parameter-profile
inspect email parameter-profile
inspect redirect parameter-profile
ips policy
Use ips policy to create an IPS policy and enter its view, or enter the view of an existing IPS policy.
Use undo ips policy to delete an IPS policy.
Syntax
ips policy policy-name
undo ips policy policy-name
Default
An IPS policy named default exists.
Views
System view
Predefined user roles
network-admin
Parameters
policy-name: Specifies the IPS policy name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
An IPS policy includes all signatures on the device, including signatures added to the device after the policy is created.
You cannot modify the signatures in the default IPS policy. In a user-defined policy, you can enable or disable a signature or edit the actions for a signature.
Examples
# Create IPS policy ips1 and enter its view.
<Sysname> system-view
[Sysname] ips policy ips1
[Sysname-ips-policy-ips1]
ips signature auto-update
Use ips signature auto-update to enable automatic IPS signature library update and enter automatic IPS signature library update configuration view.
Use undo ips signature auto-update to disable automatic IPS signature library update.
Syntax
ips signature auto-update
undo ips signature auto-update
Default
Automatic IPS signature library update is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
After you enable automatic IPS signature library update, the device periodically accesses the H3C website to download the latest IPS signatures.
Examples
# Enable automatic IPS signature library update and enter automatic IPS signature library update configuration view.
<Sysname> system-view
[Sysname] ips signature auto-update
[Sysname-ips-autoupdate]
Related commands
update schedule
ips signature auto-update-now
Use ips signature auto-update-now to trigger an automatic signature library update manually.
Syntax
ips signature auto-update-now
Views
System view
Predefined user roles
network-admin
Usage guidelines
After you execute this command, the device immediately starts the automatic signature library update process, regardless of whether automatic signature library update is enabled. The device automatically backs up the current signature library before overwriting it.
You can execute this command anytime you find a new version of signature library on the H3C website.
Examples
# Trigger an automatic signature library update manually.
<Sysname> system-view
[Sysname] ips signature auto-update-now
ips signature import snort
Use ips signature import snort to import user-defined IPS signatures.
Syntax
ips signature import snort file-path
Default
No user-defined IPS signatures exist.
Views
System view
Predefined user roles
network-admin
Parameters
file-path: Specifies the path of the file where the IPS signatures to be imported are stored. The value for this argument is a string of 1 to 255 characters.
Usage guidelines
To add your own IPS signatures, create an IPS signature file in the Snort format and use this command to import the signatures.
Make sure the IPS signature file contains all user-defined signatures that you want to use. All existing user-defined signatures on the device will be overwritten by the imported signatures.
To view the imported IPS signatures, use the display ips signature user-defined command.
The following methods are available for IPS signature import:
· Local method—Imports IPS signatures from a local IPS signature file.
The following describes the format of the file-path parameter for different import scenarios.
Import scenario | Format of file-path | Remarks
The import file is stored in the current working directory. | filename | To display the current working directory, use the pwd command (see file system management in Fundamentals Command Reference).
The import file is stored in a different directory on the same storage medium. | filename | Before executing the ips signature import snort command, use the cd command to change to the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.
The import file is stored on a different storage medium. | path/filename | Before executing the ips signature import snort command, use the cd command to change to the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.
· FTP/TFTP method—Imports IPS signatures from an IPS signature file stored on an FTP or TFTP server.
The following describes the format of the file-path parameter for different import scenarios.
Import scenario | Format of file-path | Remarks
The import file is stored on an FTP server. | ftp://username:password@server address/filename | The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: · Colon (:)—%3A or %3a. · At sign (@)—%40. · Forward slash (/)—%2F or %2f. FTP sends the credentials and the file in cleartext, so use this method only over a trusted management network.
The import file is stored on a TFTP server. | tftp://server address/filename | The server address parameter represents the IP address or host name of the TFTP server. TFTP provides neither authentication nor integrity protection, so verify the imported signatures with the display ips signature user-defined command afterwards.
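The following is an added example, not H3C code: a Python helper that builds the ftp://username:password@server address/filename form of file-path with the escaping the table above requires, and a parser that shows what a URL parser makes of the same credentials when they are pasted in unescaped. The credentials, server address, and file name are constructed.

```python
"""Escape FTP credentials for the ips signature import snort file-path argument.
Added example, not H3C code."""
from urllib.parse import quote, unquote, urlsplit


def ftp_import_path(username: str, password: str, server: str, filename: str) -> str:
    """Percent-encode ':' '@' '/' (and every other reserved byte) in the
    credentials so they cannot be mistaken for URL delimiters."""
    user = quote(username, safe="")       # '@' -> %40, ':' -> %3A, '/' -> %2F
    pwd = quote(password, safe="")
    return f"ftp://{user}:{pwd}@{server}/{filename}"


def parse_import_path(path: str):
    """Decode a file-path the way a URL parser does and return
    (username, password, host, filename)."""
    parts = urlsplit(path)
    return (unquote(parts.username or ""), unquote(parts.password or ""),
            parts.hostname, parts.path.lstrip("/"))


if __name__ == "__main__":
    # constructed credentials containing all three characters the table names
    good = ftp_import_path("ips@corp", "p:ss/w@rd", "192.168.0.1", "snort.rules")
    print(good)                       # ftp://ips%40corp:p%3Ass%2Fw%40rd@192.168.0.1/snort.rules
    print(parse_import_path(good))    # ('ips@corp', 'p:ss/w@rd', '192.168.0.1', 'snort.rules')
    # the same credentials unescaped: the first '/' ends the host part, so the
    # parser takes "corp" as the server and the rest as the file path
    print(parse_import_path("ftp://ips@corp:p:ss/w@rd@192.168.0.1/snort.rules"))
```

Escaping matters because the device has no way to tell a ':' or '@' inside a password from the delimiters of the URL; the unescaped form is not rejected, it is simply parsed as a connection to the wrong host.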
When you configure a Snort rule in the IPS signature file, follow these restrictions and guidelines:
· Use the correct syntax for the rule.
· Specify an SID in the range of 1 to 536870911 for the rule. Rules with larger IDs are invalid.
· The SID of the rule must be different from the SIDs of any existing Snort rules on the device.
· Be sure to configure the msg field for the rule. If the msg field is not configured, the attack name of the rule will not be displayed in the IPS syslog message.
· Make sure the application specified in the rule is identifiable. Otherwise, no packets can match the rule.
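The following is an added example, not H3C code: a Python pre-import checker that applies the rule restrictions listed above to a Snort-format file, so that problems surface before the device rejects the rules. Its findings mirror the Error and Tip lines of display ips signature user-defined parse-failed output. The supported action, protocol, and direction sets are taken from that output, the SID upper limit (536870911) from the usage guidelines above, and the msg check from the guideline about IPS syslog messages; the sample rule file is constructed and contains no real signature content.

```python
"""Pre-import checker for Snort-format IPS signature files. Added example, not H3C code."""
import re
from typing import FrozenSet, List, Optional, Tuple

SUPPORTED_ACTIONS = {"alert", "drop", "pass", "reject", "sdrop", "log"}
SUPPORTED_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
SUPPORTED_DIRECTIONS = {"->", "<>"}
SID_MAX = 536870911

# Snort rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+\S+\s+\S+\s+(?P<dir>\S+)\s+\S+\s+\S+\s*"
    r"\((?P<opts>.*)\)\s*$"
)

Finding = Tuple[int, Optional[int], str, str]   # (line_no, sid, error, tip)


def parse_options(opts: str) -> dict:
    """Split 'msg:"a; b"; sid:1;' into {'msg': 'a; b', 'sid': '1'},
    honouring ';' inside quoted values."""
    result, buf, in_quote = {}, "", False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            _store(result, buf)
            buf = ""
        else:
            buf += ch
    _store(result, buf)
    return result


def _store(result: dict, raw: str) -> None:
    raw = raw.strip()
    if raw:
        key, _, value = raw.partition(":")
        result[key.strip()] = value.strip().strip('"')


def check_rules(text: str, existing_sids: FrozenSet[int] = frozenset()) -> List[Finding]:
    """Check every rule line; existing_sids are SIDs already loaded on the device."""
    findings: List[Finding] = []
    seen = set(existing_sids)
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            findings.append((line_no, None, "Invalid rule syntax.",
                             "Expected: action proto src sport dir dst dport (options;)"))
            continue
        opts = parse_options(m["opts"])
        sid_text = opts.get("sid", "")
        sid = int(sid_text) if sid_text.isdigit() else None
        if m["action"] not in SUPPORTED_ACTIONS:
            findings.append((line_no, sid, "Invalid actions.",
                             "Only actions {alert|drop|pass|reject|sdrop|log} are supported"))
        elif sid is None or not 1 <= sid <= SID_MAX:
            findings.append((line_no, sid, "Invalid signature ID.",
                             f"The signature ID must be in the range of 1 to {SID_MAX}"))
        elif m["proto"] not in SUPPORTED_PROTOCOLS:
            findings.append((line_no, sid, "Invalid protocol.",
                             "Only protocols {tcp|udp|icmp|ip} are supported"))
        elif m["dir"] not in SUPPORTED_DIRECTIONS:
            findings.append((line_no, sid, "Invalid direction.",
                             "Only directions {'<>'|'->'} are supported"))
        elif sid in seen:
            findings.append((line_no, sid, "Duplicate signature ID.",
                             "The SID must differ from every Snort rule already on the device"))
        elif not opts.get("msg"):
            # accepted by the device, but the attack name is then missing from IPS syslog
            findings.append((line_no, sid, "Missing msg.",
                             'Add msg:"..." or the syslog message will carry no attack name'))
        if sid is not None:
            seen.add(sid)
    return findings


# constructed sample file; line 1 is the comment, so the first rule is line 2
SAMPLE_RULES = """\
# constructed sample rules
alert tcp any any -> any 80 (msg:"Constructed HTTP test"; content:"/test"; sid:1010001; rev:1;)
block tcp any any -> any 80 (msg:"Bad action"; sid:1010002; rev:1;)
alert tcp any any -> any 80 (msg:"SID too big"; sid:536870912; rev:1;)
alert sctp any any -> any 80 (msg:"Bad protocol"; sid:1010003; rev:1;)
alert tcp any any <- any 80 (msg:"Bad direction"; sid:1010004; rev:1;)
alert udp any any -> any 53 (content:"abc"; sid:1010005; rev:1;)
alert tcp any any -> any 80 (msg:"Duplicate of line 2"; sid:1010001; rev:2;)
"""

if __name__ == "__main__":
    print("LineNo SID Information")
    for line_no, sid, error, tip in check_rules(SAMPLE_RULES):
        print(f"{line_no} {'None' if sid is None else sid} Error: {error}")
        print(f"  Tip: {tip}")
```

Pass the SIDs returned by display ips signature user-defined as existing_sids when the new file is meant to add to, rather than replace, the rules already on the device; the import itself overwrites all existing user-defined signatures, so in practice the file must contain every rule you want to keep.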
Examples
# Import IPS signatures from an IPS signature file that is stored on a TFTP server.
<Sysname> system-view
[Sysname] ips signature import snort tftp://192.168.0.1/snort.rules
Related commands
display ips signature user-defined
ips signature remove snort
ips signature remove snort
Use ips signature remove snort to delete all imported user-defined IPS signatures.
Syntax
ips signature remove snort
Views
System view
Predefined user roles
network-admin
Examples
# Delete all imported user-defined IPS signatures.
<Sysname> system-view
[Sysname] ips signature remove snort
Related commands
ips signature import snort
ips signature rollback
Use ips signature rollback to roll back the IPS signature library.
Syntax
ips signature rollback { factory | last }
Views
System view
Predefined user roles
network-admin
Parameters
factory: Rolls back the IPS signature library to the factory default version.
last: Rolls back the IPS signature library to the previous version.
Usage guidelines
If an IPS signature library update causes exceptions or a high false alarm rate, you can roll back the IPS signature library.
Before performing an IPS signature library rollback, the device backs up the current IPS signature library as the previous version. For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.
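The version bookkeeping described above (and the effect of the override-current keyword of ips signature update, which skips the backup) can be modelled in a few lines. This Python class is an added illustration, not H3C code; the version strings are constructed.

```python
class IpsSignatureLibrary:
    """Model of the current, previous and factory library versions as the
    reference describes them.  Added illustration; versions are constructed."""

    def __init__(self, factory, current=None, previous=None):
        self.factory = factory
        self.current = current if current is not None else factory
        self.previous = previous  # None until a backup has been taken

    def update(self, new_version, override_current=False):
        """Manual or automatic update.  Without override-current the device
        backs up the current library as the previous version first."""
        if not override_current:
            self.previous = self.current
        # With override-current the previous version is left as it was, so a
        # later 'rollback last' cannot reach the version being overwritten.
        self.current = new_version
        return self.current

    def rollback(self, target):
        """rollback { factory | last }: the current library is backed up as
        the previous version before the rollback, which is why two
        'rollback last' commands in a row swap V1 and V2 back and forth."""
        if target == "last":
            if self.previous is None:
                raise ValueError("no previous version to roll back to")
            restored = self.previous
        elif target == "factory":
            restored = self.factory
        else:
            raise ValueError("target must be 'last' or 'factory'")
        self.previous, self.current = self.current, restored
        return self.current
```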
Examples
# Roll back the IPS signature library to the previous version.
<Sysname> system-view
[Sysname] ips signature rollback last
ips signature update
Use ips signature update to manually update the IPS signature library.
Syntax
ips signature update [ override-current ] file-path
Views
System view
Predefined user roles
network-admin
Parameters
override-current: Overwrites the current IPS signature library without backing up the library. For the device to back up the current IPS signature library before overwriting the library, do not specify this keyword.
file-path: Specifies the IPS signature file path, a string of 1 to 255 characters.
Usage guidelines
If the device cannot access the H3C website, use one of the following methods to manually update the IPS signature library:
· Local update—Updates the IPS signature library on the device by using the locally stored update IPS signature file.
Store the update file in the correct location for the signature library update to succeed:
¡ For centralized devices in IRF mode, store the update file on the master device.
¡ For distributed devices in standalone mode, store the update file on the active MPU.
¡ For distributed devices in IRF mode, store the update file on the global active MPU.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored in the current working directory. | filename | To display the current working directory, use the pwd command (see file system management in Fundamentals Command Reference). |
The update file is stored in a different directory on the same storage medium. | filename | Before configuring the ips signature update command, use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
The update file is stored on a different storage medium. | path/filename | Before configuring the ips signature update command, use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
· FTP/TFTP update—Updates the IPS signature library on the device by using the file stored on an FTP or TFTP server.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored on an FTP server. | ftp://username:password@server address/filename | The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their escape sequences: colon (:) with %3A or %3a, at sign (@) with %40, and forward slash (/) with %2F or %2f. |
The update file is stored on a TFTP server. | tftp://server address/filename | The server address parameter represents the IP address or host name of the TFTP server. |
NOTE: To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide. |
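The escaping rules for the FTP username and password apply to both the ips signature import snort and ips signature update file-path argument. The Python helper below builds the argument with the three special characters percent-encoded and parses it back to confirm the credentials round-trip. It is an added example, not H3C code; the server address, file name and credentials are those of the examples that follow.

```python
from urllib.parse import quote, unquote, urlsplit


def escape_credential(value):
    """Percent-encode an FTP username or password for the file-path
    argument so that ':', '@' and '/' inside it are not read as URL
    delimiters.  quote() always encodes ':' and '@'; safe="" makes it
    encode '/' as well (giving %3A, %40 and %2F)."""
    return quote(value, safe="")


def build_file_path(server, filename, username=None, password=None):
    """Return the file-path argument: an ftp:// URL when credentials are
    given, otherwise a tftp:// URL."""
    if username is None:
        return f"tftp://{server}/{filename}"
    if password is None:
        raise ValueError("an FTP username requires a password")
    return (f"ftp://{escape_credential(username)}:{escape_credential(password)}"
            f"@{server}/{filename}")


def split_file_path(file_path):
    """Parse a file-path back into (scheme, username, password, server,
    filename), decoding the escapes, to check that the encoding is
    unambiguous.  urlsplit() splits userinfo at the first ':' and the
    host at the last '@', which is why unescaped ':' or '@' would break it."""
    parts = urlsplit(file_path)
    return (parts.scheme,
            unquote(parts.username) if parts.username else None,
            unquote(parts.password) if parts.password else None,
            parts.hostname,
            parts.path.lstrip("/"))
```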
Examples
# Manually update the IPS signature library by using an IPS signature file stored on a TFTP server.
<Sysname> system-view
[Sysname] ips signature update tftp://192.168.0.10/ips-1.0.2-en.dat
# Manually update the IPS signature library by using an IPS signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.
<Sysname> system-view
[Sysname] ips signature update ftp://user%3A123:user%40abc%2F123@192.168.0.10/ips-1.0.2-en.dat
# Manually update the IPS signature library by using an IPS signature file stored on the device. The file path is cfa0:/ips-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> system-view
[Sysname] ips signature update ips-1.0.23-en.dat
# Manually update the IPS signature library by using an IPS signature file stored on the device. The file path is cfa0:/dpi/ips-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd dpi
<Sysname> system-view
[Sysname] ips signature update ips-1.0.23-en.dat
# Manually update the IPS signature library by using an IPS signature file stored on the device. The file path is cfb0:/dpi/ips-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd cfb0:/
<Sysname> system-view
[Sysname] ips signature update dpi/ips-1.0.23-en.dat
object-dir
Use object-dir to specify a direction criterion to filter IPS signatures in an IPS policy.
Use undo object-dir to restore the default.
Syntax
object-dir { client | server } *
undo object-dir
Default
The direction attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
client: Specifies the server to client direction.
server: Specifies the client to server direction.
Usage guidelines
Each IPS signature has a direction attribute that defines the traffic direction to which the signature applies. The direction attribute values include To-server, To-client, and Any.
IPS signatures with the Any direction attribute are always used by an IPS policy, regardless of the settings of this command. For example, if you configure the object-dir client command for an IPS policy, the policy will use IPS signatures with both the To-client and Any direction attributes.
If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.
Examples
# Configure IPS policy test to use IPS signatures with the To-client and Any direction attributes.
[Sysname] ips policy test
[Sysname-ips-policy-test] object-dir client
override-current
Use override-current to configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.
Use undo override-current to restore the default.
Syntax
override-current
undo override-current
Default
Before performing an automatic IPS signature library update, the device backs up the current IPS signature library as the previous version.
Views
Automatic IPS signature library update configuration view
Predefined user roles
network-admin
Usage guidelines
Backing up the current IPS signature library requires additional storage space but enables signature library rollback. As a best practice, enable the backup function if there is sufficient storage space.
Examples
# Configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.
<Sysname> system-view
[Sysname] ips signature auto-update
[Sysname-ips-autoupdate] override-current
Related commands
ips signature auto-update
protect-target
Use protect-target to set a target criterion to filter the IPS signatures in an IPS policy.
Use undo protect-target to remove a target criterion.
Syntax
protect-target { target [ subtarget ] | all }
undo protect-target { target [ subtarget ] | all }
Default
The protected target attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
target: Specifies a target.
subtarget: Specifies a subtarget of the target. If you do not specify a subtarget, this command matches any IPS signatures with a subtarget of the specified target.
all: Specifies all targets.
Usage guidelines
This command filters the IPS signatures that an IPS policy uses based on the protected target attribute of the signatures.
You can execute this command multiple times to specify multiple target criteria in an IPS policy. The IPS policy uses an IPS signature if the signature matches any of the configured target criteria.
Examples
# Configure IPS policy test to use IPS signatures with the WebLogic subtarget of the WebServer target.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] protect-target WebServer WebLogic
severity-level
Use severity-level to set a severity level criterion to filter the IPS signatures in an IPS policy.
Use undo severity-level to restore the default.
Syntax
severity-level { critical | high | low | medium } *
undo severity-level
Default
The severity level attribute is not used for IPS signature filtering.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
critical: Specifies the critical severity level.
high: Specifies the high severity level.
low: Specifies the low severity level.
medium: Specifies the medium severity level.
Usage guidelines
Each IPS signature has a severity level attribute, which indicates the severity level of the attacks matching the signature.
This command filters the IPS signatures that an IPS policy uses based on the severity level attribute of the signatures.
You can specify multiple severity levels in a severity level criterion. The IPS policy uses an IPS signature if the signature matches any of the specified severity levels.
If you execute this command in an IPS policy multiple times, the most recent configuration takes effect.
Examples
# Configure IPS policy test to use IPS signatures with the critical and medium severity levels.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] severity-level critical medium
signature override
Use signature override to change the status and actions for an IPS signature in an IPS policy.
Use undo signature override to restore the default status and actions for an IPS signature in an IPS policy.
Syntax
signature override { pre-defined | user-defined } signature-id { { disable | enable } [ { block-source | drop | permit | redirect | reset } | capture | logging ] * }
undo signature override { pre-defined | user-defined } signature-id
Default
Predefined IPS signatures use the actions and states defined by the system.
User-defined IPS signatures use the actions and states defined in the IPS signature file from which the signatures are imported.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
pre-defined: Specifies a predefined IPS signature.
user-defined: Specifies a user-defined IPS signature.
signature-id: Specifies an IPS signature ID in the range of 1 to 536870911.
disable: Disables the IPS signature.
enable: Enables the IPS signature.
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits matching packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Closes the TCP connections for matching packets by sending TCP reset messages.
capture: Captures matching packets.
logging: Logs matching packets.
Usage guidelines
This command is available only for user-defined IPS policies. The signature actions and status in the default IPS policy cannot be modified.
If you execute this command for a signature in an IPS policy multiple times, the most recent configuration takes effect.
Examples
# Enable predefined signature 2 for IPS policy ips1. Specify the drop, capture, and logging actions for the signature.
<Sysname> system-view
[Sysname] ips policy ips1
[Sysname-ips-policy-ips1] signature override pre-defined 2 enable drop capture logging
Related commands
blacklist enable (security zone view) (Security Command Reference)
blacklist global enable (Security Command Reference)
ips parameter-profile
ips policy
signature override all
signature override all
Use signature override all to specify the IPS actions for an IPS policy.
Use undo signature override all to restore the default.
Syntax
signature override all { { block-source | drop | permit | redirect | reset } | capture | logging } *
undo signature override all
Default
No actions are specified for an IPS policy and the default actions of IPS signatures are applied to matching packets.
Views
IPS policy view
Predefined user roles
network-admin
Parameters
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits matching packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Closes the TCP connections for matching packets by sending TCP reset messages.
capture: Captures matching packets.
logging: Logs matching packets.
Usage guidelines
Use this command to specify the global packet processing actions for an IPS policy.
Each IPS signature is defined with default actions for matching packets. You can change the default actions for individual signatures in an IPS policy.
The system selects the actions for packets matching an IPS signature in the following order:
1. Actions configured for the IPS signature in the IPS policy (by using the signature override command).
2. Actions configured for the IPS policy.
3. Default actions of the IPS signature.
Examples
# Specify actions drop, logging, and capture for IPS policy test.
<Sysname> system-view
[Sysname] ips policy test
[Sysname-ips-policy-test] signature override all drop logging capture
Related commands
blacklist enable (security zone view) (Security Command Reference)
blacklist global enable (Security Command Reference)
ips parameter-profile
signature override
update schedule
Use update schedule to schedule the time for automatic IPS signature library update.
Use undo update schedule to restore the default.
Syntax
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
undo update schedule
Default
The device starts updating the IPS signature library at a random time between 01:00:00 and 03:00:00 every day.
Views
Automatic IPS signature library update configuration view
Predefined user roles
network-admin
Parameters
daily: Updates the IPS signature library every day.
weekly: Updates the IPS signature library every week.
fri: Updates the IPS signature library every Friday.
mon: Updates the IPS signature library every Monday.
sat: Updates the IPS signature library every Saturday.
sun: Updates the IPS signature library every Sunday.
thu: Updates the IPS signature library every Thursday.
tue: Updates the IPS signature library every Tuesday.
wed: Updates the IPS signature library every Wednesday.
start-time time: Specifies the start time in the hh:mm:ss format. The value range is 00:00:00 to 23:59:59.
tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a random time between the following time points:
· Start time minus half the tolerance time.
· Start time plus half the tolerance time.
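The update window implied by start-time and tingle can be computed ahead of time, which is useful when correlating update events in logs. The Python function below is an added example, not H3C code; it also flags a window that spans midnight, where the random update moment may fall on the calendar day before or after the configured one.

```python
import datetime as dt


def update_window(start_time, tingle):
    """Return (earliest, latest, crosses_midnight) for an automatic update
    scheduled with 'start-time hh:mm:ss tingle minutes'.  The update fires
    at a random moment between start-time minus half the tolerance and
    start-time plus half the tolerance."""
    if not 0 <= tingle <= 120:
        raise ValueError("tingle must be 0 to 120 minutes")
    h, m, s = (int(part) for part in start_time.split(":"))
    if not (0 <= h <= 23 and 0 <= m <= 59 and 0 <= s <= 59):
        raise ValueError("start-time must be 00:00:00 to 23:59:59")
    # Anchor on an arbitrary date so timedelta arithmetic can cross midnight.
    start = dt.datetime(2000, 1, 1, h, m, s)
    half = dt.timedelta(seconds=tingle * 30)  # half of 'tingle' minutes
    earliest, latest = start - half, start + half
    crosses_midnight = earliest.date() != latest.date()
    return (earliest.strftime("%H:%M:%S"),
            latest.strftime("%H:%M:%S"),
            crosses_midnight)
```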
Examples
# Configure the device to automatically update the IPS signature library every Monday at a random time between 20:25:00 and 20:35:00.
<Sysname> system-view
[Sysname] ips signature auto-update
[Sysname-ips-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10
Related commands
ips signature auto-update
URL filtering commands
The following matrix shows the feature and hardware compatibility:
Hardware | URL filtering compatibility |
---|---|
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes |
MSR810-LMS/810-LUS | No |
MSR2600-6-X1/2600-10-X1 | Yes |
MSR 2630 | Yes |
MSR3600-28/3600-51 | Yes |
MSR3600-28-SI/3600-51-SI | No |
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
MSR 3610/3620/3620-DP/3640/3660 | Yes |
MSR5620/5660/5680 | Yes |

Hardware | URL filtering compatibility |
---|---|
MSR810-LM-GL | Yes |
MSR810-W-LM-GL | Yes |
MSR830-6EI-GL | Yes |
MSR830-10EI-GL | Yes |
MSR830-6HI-GL | Yes |
MSR830-10HI-GL | Yes |
MSR2600-6-X1-GL | Yes |
MSR3600-28-SI-GL | No |
add
Use add to add a blacklist or whitelist rule to a URL filtering policy.
Use undo add to delete a blacklist or whitelist rule from a URL filtering policy.
Syntax
add { blacklist | whitelist } [ id ] host { regex host-regex | text host-name } [ uri { regex uri-regex | text uri-name } ]
undo add { blacklist | whitelist } { id | all }
Default
No blacklist or whitelist rules exist in a URL filtering policy.
Views
URL filtering policy view
Predefined user roles
network-admin
Parameters
blacklist: Specifies the blacklist rule type.
whitelist: Specifies the whitelist rule type.
id: Specifies a rule ID. The value must be an integer in the range of 1 to 65535. The ID of a blacklist or whitelist rule must be unique among all rules of the same type. If you do not specify a rule ID, the system automatically assigns an available ID to the rule according to the largest rule ID N used on the device:
· If N is smaller than 65535, the smallest available ID that is larger than N is used.
· If N equals 65535, the smallest available ID is used.
host: Matches the host field in the URL.
uri: Matches the URI field in the URL.
regex regex: Specifies a case-sensitive regular expression string for fuzzy match. The string can start with only letters, digits, or underscores (_), and it must contain three consecutive non-wildcard characters.
· If the host keyword is specified, the string can contain 3 to 224 characters.
· If the uri keyword is specified, the string can contain 3 to 245 characters.
text string: Specifies a case-insensitive text string for exact match.
· If the host keyword is specified, the string can contain 3 to 224 characters. Valid characters are letters, digits, underscores (_), hyphens (-), colons (:), left square brackets ([), right square brackets (]), and dots (.).
· If the uri keyword is specified, the string can contain 3 to 245 characters.
all: Specifies all rules of the specified type.
Usage guidelines
The device supports using URL-based whitelist and blacklist rules to filter HTTP packets. If the URL in an HTTP packet matches a blacklist rule, the packet is dropped. If the URL matches a whitelist rule, the packet is permitted to pass through.
When you configure a regular expression in a blacklist or whitelist rule, follow these restrictions and guidelines:
· The regular expression pattern can contain a maximum of four branches. For example, 'abc(c|d|e|\x3D)' is valid, and 'abc(c|onreset|onselect|onchange|style\x3D)' is invalid.
· Nested braces are not allowed. For example, 'ab((abcs*?))' is invalid.
· A branch cannot be specified after another branch. For example, 'ab(a|b)(c|d)^\\r\\n]+?' is invalid.
· A minimum of four non-wildcard characters must exist before an asterisk (*) or question mark (?). For example, 'abc*' is invalid and 'abcd*DoS\x2d\d{5}\x20\x2bxi\\r\\nJOIN' is valid.
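Both the automatic rule ID assignment described under the id parameter and the regular expression restrictions above can be checked offline before rules are entered. The Python helpers below are an added example, not H3C code. The set of characters counted as wildcards, and the decision not to count escape sequences such as \x3D as non-wildcard characters, are assumptions; the reference does not enumerate them.

```python
import re

RULE_ID_MAX = 65535
MAX_HOST_LEN, MAX_URI_LEN = 224, 245
# Characters treated as regex metacharacters ("wildcards") in this check.
# Assumption: the reference does not enumerate the set.
_META = set(".*?+[](){}|^$") | {"\\"}


def next_rule_id(used_ids):
    """Automatic ID assignment described for the add command: with N the
    largest ID in use, pick the smallest free ID larger than N; when N is
    already 65535, pick the smallest free ID overall."""
    used = set(used_ids)
    n = max(used, default=0)
    start = n + 1 if n < RULE_ID_MAX else 1
    for candidate in range(start, RULE_ID_MAX + 1):
        if candidate not in used:
            return candidate
    raise ValueError("no free rule IDs")  # only when all 65535 IDs are used


def _tokens(pattern):
    """Split the pattern so that an escape (\\d, \\x3D, \\\\) is one token."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            # \xHH is a four-character escape; any other escape is two.
            width = 4 if (pattern[i + 1] == "x" and
                          re.fullmatch(r"[0-9A-Fa-f]{2}", pattern[i + 2:i + 4])) else 2
            out.append(pattern[i:i + width])
            i += width
        else:
            out.append(pattern[i])
            i += 1
    return out


def regex_rule_problems(pattern, field):
    """Check a host or uri regular expression against the restrictions
    listed for the add command.  Returns a list of problems; an empty list
    means the pattern passes every check."""
    problems = []
    limit = MAX_HOST_LEN if field == "host" else MAX_URI_LEN
    if not 3 <= len(pattern) <= limit:
        problems.append(f"length must be 3 to {limit} characters")
    if not (pattern[:1].isalnum() or pattern[:1] == "_"):
        problems.append("must start with a letter, digit or underscore")
    tokens = _tokens(pattern)
    literal = [len(t) == 1 and t not in _META for t in tokens]
    run = longest = 0
    for is_literal in literal:
        run = run + 1 if is_literal else 0
        longest = max(longest, run)
    if longest < 3:
        problems.append("needs three consecutive non-wildcard characters")
    depth = branches = 0
    for idx, tok in enumerate(tokens):
        if tok == "(":
            if depth >= 1:
                problems.append("nested parentheses are not allowed")
            if idx > 0 and tokens[idx - 1] == ")":
                problems.append("a branch group cannot directly follow another")
            depth += 1
            branches = 1
        elif tok == "|" and depth == 1:
            branches += 1
        elif tok == ")":
            depth -= 1
            if branches > 4:
                problems.append(f"group has {branches} branches, maximum is 4")
        elif tok in ("*", "?"):
            before = literal[max(0, idx - 4):idx]
            if len(before) < 4 or not all(before):
                problems.append(f"'{tok}' needs four non-wildcard characters before it")
    return problems
```

The check is deliberately stricter than it needs to be in the ambiguous cases (escape sequences); a pattern it accepts satisfies every listed restriction, and a rejection names the rule that was broken.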
Examples
# In URL filtering policy news, add a blacklist rule to match URLs that contain games.com in the host field.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news] add blacklist 1 host text games.com
# In URL filtering policy news, add a whitelist rule to match URLs that contain sina.com in the host field.
[Sysname-url-filter-policy-news] add whitelist 1 host text sina.com
category action
Use category action to specify actions for a URL category.
Use undo category action to remove the action setting from a URL category.
Syntax
category category-name action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]
undo category category-name
Default
A URL category does not have any action specified.
Views
URL filtering policy view
Predefined user roles
network-admin
Parameters
category-name: Specifies a URL category by its name, a case-insensitive string of 1 to 63 characters.
action: Specifies the action for the matching packets.
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits matching packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Disconnects the TCP connection for matching packets.
logging: Logs matching packets.
parameter-profile parameter-name: Specifies a URL filtering action parameter profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a profile, or if the specified profile does not exist, the default parameter settings are used. For information about configuring parameter profiles, see "DPI engine commands."
Usage guidelines
If an HTTP packet matches a URL filtering rule in a URL category, the action specified for the category applies to the packet.
If the packet matches none of the URL filtering rules in the URL filtering policy, the default action specified for the policy applies to the packet. If the default action is not configured, the device permits the packet to pass.
If you execute this command for a URL category multiple times, the most recent configuration takes effect.
Examples
# In the URL filtering policy news, specify the drop action for the URL category sina.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news] category sina action drop
Related commands
inspect block-source parameter-profile
inspect redirect parameter-profile
url-filter category
url-filter policy
cloud-query enable
Use cloud-query enable to enable cloud query for URL filtering.
Use undo cloud-query enable to disable cloud query for URL filtering.
Syntax
cloud-query enable
undo cloud-query enable
Default
URL filtering cloud query is disabled.
Views
URL filtering policy view
Predefined user roles
network-admin
Usage guidelines
With cloud query enabled in a URL filtering policy, URLs that do not match any URL filtering rules in the policy are sent to the cloud server for further query. The device determines the actions for an HTTP packet based on the URL query results returned from the cloud server:
· If a matching rule is found, the rule and the name of URL category to which the rule belongs are returned. The device executes the actions specified for the URL category on the packet. If no actions are specified for the URL category, the default action of the policy is executed.
· If no matching rule is found, the device executes the default action of the policy on the packet.
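The decision order just described, together with the category action and default-action rules under the category action command, is easy to get wrong when reviewing a policy. The following Python model is an added example, not the device's implementation: the policy data structure, the host matching (exact host or parent domain) and the offline stand-in for the cloud server are constructed. Treating a local rule match in a category that has no action like the cloud case (fall through to the default action) is an assumption.

```python
from urllib.parse import urlsplit

PERMIT = "permit"


class UrlFilterPolicy:
    """Minimal model of a URL filtering policy (constructed for the
    illustration).  category_rules maps a category name to host names
    matched by that category's rules; category_actions maps a category
    name to the action configured with 'category <name> action ...'."""

    def __init__(self, name, category_rules, category_actions,
                 default_action=None, cloud_query=False):
        self.name = name
        self.category_rules = category_rules
        self.category_actions = category_actions
        self.default_action = default_action
        self.cloud_query = cloud_query

    def local_category(self, url):
        """Return the category whose rule matches the URL's host, or None.
        Hosts match exactly or as a parent domain (simplification)."""
        host = (urlsplit(url).hostname or "").lower()
        for category, hosts in self.category_rules.items():
            if any(host == h or host.endswith("." + h) for h in hosts):
                return category
        return None


def url_filter_action(policy, url, cloud_lookup=None):
    """Decide the action for an HTTP request: a category matched by a local
    rule uses that category's action; otherwise, with cloud query enabled,
    the category returned by the cloud server decides; a category without an
    action, a cloud miss, or an unmatched URL falls to the policy's default
    action; with no default action configured the request is permitted."""
    category = policy.local_category(url)
    if category is None and policy.cloud_query and cloud_lookup is not None:
        category = cloud_lookup(url)  # cloud returns a category name or None
    if category is not None and category in policy.category_actions:
        return policy.category_actions[category]
    return policy.default_action or PERMIT


# Constructed sample policy and an offline stand-in for the cloud server.
SAMPLE_POLICY = UrlFilterPolicy(
    name="news",
    category_rules={"sina": ["sina.com"], "search": ["baidu.com"]},
    category_actions={"sina": "drop", "games": "redirect"},  # 'search' has no action
    default_action="reset",
    cloud_query=True,
)

_CLOUD_ANSWERS = {"games.example": "games", "shop.example": "shopping"}


def sample_cloud_lookup(url):
    """Stand-in for the cloud query: returns a category name or None."""
    return _CLOUD_ANSWERS.get((urlsplit(url).hostname or "").lower())
```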
Examples
# Enable URL filtering cloud query in URL filtering policy news.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news] cloud-query enable
Related commands
url-filter policy
default-action
Use default-action to specify the default action for a URL filtering policy.
Use undo default-action to restore the default.
Syntax
default-action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]
undo default-action
Default
A URL filtering policy does not have any default action.
Views
URL filtering policy view
Predefined user roles
network-admin
Parameters
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Disconnects the TCP connection for matching packets.
logging: Logs matching packets.
parameter-profile parameter-name: Specifies a block source parameter profile by its name, a case-insensitive string of 1 to 63 characters. The profile contains parameter settings such as source IP address block period. If you do not specify a profile, or if the specified profile does not exist, the default parameter settings are used. For information about configuring block source parameter profiles, see "DPI engine commands."
Usage guidelines
The default action applies to packets that do not match any URL filtering rules.
Examples
# Set the default action to drop for URL filtering policy cmcc.
<Sysname> system-view
[Sysname] url-filter policy cmcc
[Sysname-url-filter-policy-cmcc] default-action drop
Related commands
inspect block-source parameter-profile
inspect redirect parameter-profile
url-filter policy
description
Use description to configure a description for a URL category.
Use undo description to restore the default.
Syntax
description text
undo description
Default
A user-defined URL category does not have a description.
Views
URL category view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-insensitive string of 1 to 255 characters. Spaces are allowed.
Usage guidelines
Use this command to configure descriptions for URL categories for easy maintenance.
Examples
# Configure the description as News information for URL category news.
<Sysname> system-view
[Sysname] url-filter category news
[Sysname-url-filter-category-news] description News information
display url-filter cache
Use display url-filter cache to display URL filtering cache information.
Syntax
display url-filter cache [ existence { eq | lt | gt } existence-time | category category-name | hitcount { eq | lt | gt } hit-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
existence { eq | lt | gt } existence-time: Specifies an existence time and an operator to set the existence time range for the cached rules to display. Operators include eq (equal), gt (greater than), and lt (less than). The value range for the existence-time argument is 0 to 4294967295 seconds.
category category-name: Specifies a URL category by its name, a case-insensitive string of 1 to 63 characters.
hitcount { eq | lt | gt } hit-number: Specifies a hit count and an operator to set the hit count range for the cached rules to display. Operators include eq (equal), gt (greater than), and lt (less than). The value range for the hit-number argument is 0 to 4294967295.
Examples
# Display all URL filtering rules in the URL filtering cache.
<Sysname> display url-filter cache
URL: sina.com
Category: Unknown
Hitcount: 20
Existence: 7200 seconds (cached on 2014/11/12 at 15:00:00)
URL: baidu.com
Category: Search
Hitcount: 20
Existence: 3600 seconds (cached on 2014/11/12 at 16:00:00)
Table 7 Command output
Field | Description |
---|---|
URL | Content of the URL filtering rule. |
Category | URL category to which the URL filtering rule belongs. This field displays Unknown if no matching URL category is found for the rule. |
Hitcount | Number of times the URL filtering rule has been matched. |
Existence | Time period the URL filtering rule has been cached and the UTC time when the rule was cached. |
Related commands
url-filter category
display url-filter category
Use display url-filter category to display URL category information.
Syntax
display url-filter category [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
verbose: Displays detailed URL category information. If you do not specify this keyword, the command displays the URL category summary information.
Examples
# Display URL category summary information.
<Sysname> display url-filter category
URL category summary:
Predefined categories: 108
Predefined rules: 2000
User-defined categories: 0
User-defined rules: 0
URL category details:
Name: Pre-3C
Name: Pre-AdultPlace
Name: Pre-Advertisement
Name: Pre-Airplanes
Name: Pre-Alcohol
Name: Pre-Anime
Name: Pre-Arts
Name: Pre-Automobiles
Name: Pre-Bank
Name: Pre-BooksDownload
Name: Pre-Business
Name: Pre-CharityAndPublicInterest
Name: Pre-Clothes
Name: Pre-Community
Name: Pre-Divining
Name: Pre-DomainAndIDCServices
…
# Display detailed URL category information.
<Sysname> display url-filter category verbose
URL category summary:
Predefined categories: 108
Predefined rules: 2000
User-defined categories: 0
User-defined rules: 0
URL category details:
Name: Pre-3C
Type: Predefined
Severity: 23
Rules: 15
Description: 3C
Name: Pre-AdultPlace
Type: Predefined
Severity: 585
Rules: 5
Description: AdultPlace
Name: Pre-Advertisement
Type: Predefined
Severity: 500
Rules: 21
…
Table 8 Command output
Field | Description |
---|---|
URL category summary | Summary URL category information. |
Predefined categories | Number of predefined URL categories. |
Predefined rules | Number of predefined URL filtering rules. |
User-defined categories | Number of user-defined URL categories. |
User-defined rules | Number of user-defined URL filtering rules. |
URL category details | Detailed URL category information. |
Name | Name of the URL category. |
Type | Type of the URL category, Predefined or User Defined. |
Severity | Severity level of the URL category. |
Rules | Number of rules in the URL category. |
Description | Description of the URL category. |
display url-filter signature information
Use display url-filter signature information to display information about the URL filtering signature library.
Syntax
display url-filter signature information
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about the URL filtering signature library.
<Sysname> display url-filter signature information
URL filter signature library information:
Type SigVersion ReleaseTime Size
Current 1.0.12 Mon Sep 07 03:01:22 2015 93488
Last 1.0.0 Fri Dec 31 16:00:00 1999 71264
Factory 1.0.0 Fri Dec 31 16:00:00 1999 71264
Table 9 Command output
Field | Description |
---|---|
Type | Version of the URL filtering signature library: · Current—Current version. · Last—Previous version. · Factory—Factory default version. |
SigVersion | Version number. |
ReleaseTime | Time when the URL filtering signature library was released. |
Size | Size of the URL filtering signature library, in bytes. |
display url-filter statistics
Use display url-filter statistics to display URL filtering statistics.
Syntax
display url-filter statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display URL filtering statistics.
<Sysname> display url-filter statistics
Total HTTP requests : 0
Total permitted HTTP requests : 0
Total denied HTTP requests : 0
Requests that matched the blacklist : 0
Requests that matched the whitelist : 0
Requests that matched a user-defined rule : 0
Requests that matched a predefined rule : 0
Requests that matched a cached rule : 0
Requests that matched the default action : 0
Predefined URL filtering rules : 2000
--------------------------------------------------------------
Table 10 Command output
Field | Description |
---|---|
Total HTTP requests | Total number of HTTP packets. |
Total permitted HTTP requests | Total number of permitted HTTP packets. |
Total denied HTTP requests | Total number of denied HTTP packets. |
Requests that matched the blacklist | Number of HTTP packets that matched a blacklist rule. |
Requests that matched the whitelist | Number of HTTP packets that matched a whitelist rule. |
Requests that matched a user-defined rule | Number of HTTP packets that matched a user-defined URL filtering rule. |
Requests that matched a predefined rule | Number of HTTP packets that matched a predefined URL filtering rule. |
Requests that matched a cached rule | Number of HTTP packets that matched a cached URL filtering rule. |
Requests that matched the default action | Number of HTTP packets on which the default action is executed. |
Predefined URL filtering rules | Total number of predefined URL filtering rules. |
include pre-defined
Use include pre-defined to add the URL filtering rules of a predefined URL category to a user-defined URL category.
Use undo include pre-defined to restore the default.
Syntax
include pre-defined category-name
undo include pre-defined
Default
A user-defined URL category does not contain the URL filtering rules of any predefined URL category.
Views
URL category view
Predefined user roles
network-admin
Parameters
category-name: Specifies a predefined URL category by its name, a case-sensitive string of 1 to 63 characters. The specified URL category must exist on the device.
Usage guidelines
To simplify URL category configuration, you can use this command to add all the URL filtering rules of a predefined URL category to a user-defined URL category.
You can add URL filtering rules of only one predefined URL category to a user-defined URL category. If you execute this command for a URL category multiple times, the most recent configuration takes effect.
Examples
# Add the URL filtering rules of predefined URL category Pre-News to URL category news.
<Sysname> system-view
[Sysname] url-filter category news
[Sysname-url-filter-category-news] include pre-defined Pre-News
rename (URL category view)
Use rename to rename a URL category.
Syntax
rename new-name
Views
URL category view
Predefined user roles
network-admin
Parameters
new-name: Specifies a new name for the URL category, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If you change the name for a URL category that is used by a URL filtering policy, the URL category name in the policy is also changed.
Examples
# Rename URL category news to hello, and enter the view of URL category hello.
<Sysname> system-view
[Sysname] url-filter category news
[Sysname-url-filter-category-news] rename hello
[Sysname-url-filter-category-hello]
rename (URL filtering policy view)
Use rename to rename a URL filtering policy.
Syntax
rename new-name
Views
URL filtering policy view
Predefined user roles
network-admin
Parameters
new-name: Specifies a new name for the URL filtering policy, a case-insensitive string of 1 to 31 characters.
Usage guidelines
If you change the name of a URL filtering policy that has been assigned to a DPI application profile, the policy name in the DPI application profile is also changed.
Examples
# Rename URL filtering policy news to hello, and enter the view of URL filtering policy hello.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news] rename hello
[Sysname-url-filter-policy-hello]
reset url-filter statistics
Use reset url-filter statistics to clear URL filtering statistics.
Syntax
reset url-filter statistics
Views
User view
Predefined user roles
network-admin
Examples
# Clear URL filtering statistics.
<Sysname> reset url-filter statistics
Related commands
display url-filter statistics
rule
Use rule to create a URL filtering rule for a user-defined URL category.
Use undo rule to delete a URL filtering rule from a user-defined URL category.
Syntax
rule [ rule-id ] host { regex regex | text string } [ uri { regex regex | text string } ]
undo rule rule-id
Default
A user-defined URL category does not have any URL filtering rules.
Views
URL category view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 1 to 65535. If you do not specify a rule ID when creating a URL filtering rule, the system automatically assigns it a rule ID. The numbering step is 1 for automatic numbering of rule IDs. An automatically assigned rule ID takes the smallest integer higher than the current highest rule ID. If the current highest rule ID is 65535, the system assigns the smallest unused rule ID to the rule.
host: Matches URLs by the hostname field.
uri: Matches URLs by the URI field.
regex regex: Specifies a case-sensitive regular expression string for fuzzy match. The string can start with only letters, digits, or underscores (_), and it must contain three consecutive non-wildcard characters.
· If the host keyword is specified, the string can contain 3 to 224 characters.
· If the uri keyword is specified, the string can contain 3 to 253 characters.
text string: Specifies a case-insensitive text string for exact match.
· If the host keyword is specified, the string can contain 3 to 224 characters. Valid characters are letters, digits, underscores (_), hyphens (-), colons (:), left square brackets ([), right square brackets (]), and dots (.).
· If the uri keyword is specified, the string can contain 3 to 255 characters.
Usage guidelines
A URL filtering rule supports the following URL matching methods:
· Exact match by text—Performs an exact text string match on the hostname or URI field of the URL.
¡ If a rule is configured with the host keyword, a URL matches the rule only if it contains a host name exactly the same as the specified text string. For example, the rule 1 host text abc.com.cn command matches URLs that carry the abc.com.cn hostname, but it does not match URLs carrying the dfabc.com.cn hostname.
¡ If a rule is configured with the uri keyword, a URL matches the rule if it contains a URI that begins with the complete text string in the rule. For example, the rule 2 uri text /sina/news command matches URLs that contain URIs /sina/news, /sina/news/sports, and /sina/news_sports. However, the command does not match URLs that contain URI /sina.
· Fuzzy match by regular expression—Performs a fuzzy regular expression match on the hostname or URI field of the URL. For example, the rule 3 host regex sina.*cn command matches URLs that carry the news.sina.com.cn hostname.
When you configure a regular expression in a URL filtering rule, follow these restrictions and guidelines:
· The regular expression pattern can contain a maximum of four branches. For example, 'abc(c|d|e|\x3D)' is valid, and 'abc(c|onreset|onselect|onchange|style\x3D)' is invalid.
· Nested braces are not allowed. For example, 'ab((abcs*?))' is invalid.
· A branch cannot be specified after another branch. For example, 'ab(a|b)(c|d)^\\r\\n]+?' is invalid.
· A minimum of four non-wildcard characters must exist before an asterisk (*) or question mark (?). For example, 'abc*' is invalid and 'abcd*DoS\x2d\d{5}\x20\x2bxi\\r\\nJOIN' is valid.
Examples
# In URL category news, create a URL filtering rule to match URLs that carry the sina.com hostname.
<Sysname> system-view
[Sysname] url-filter category news
[Sysname-url-filter-category-news] rule 10 host text sina.com
Related commands
url-filter category
update schedule
Use update schedule to configure a schedule for automatic URL filtering signature library update.
Use undo update schedule to restore the default.
Syntax
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
undo update schedule
Default
The device starts the URL filtering signature library update at a time point between 01:00:00 and 03:00:00 every day.
Views
Automatic URL filtering signature library update configuration view
Predefined user roles
network-admin
Parameters
daily: Updates the URL filtering signature library every day.
weekly: Updates the URL filtering signature library every week.
fri: Updates the URL filtering signature library every Friday.
mon: Updates the URL filtering signature library every Monday.
sat: Updates the URL filtering signature library every Saturday.
sun: Updates the URL filtering signature library every Sunday.
thu: Updates the URL filtering signature library every Thursday.
tue: Updates the URL filtering signature library every Tuesday.
wed: Updates the URL filtering signature library every Wednesday.
start-time time: Specifies the start time in hh:mm:ss format. The value range is 00:00:00 to 23:59:59.
tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a time point between the following time points:
· Start time minus half the tolerance time.
· Start time plus half the tolerance time.
Examples
# Configure the device to automatically update the URL filtering signature library every Sunday at a time point between 20:20:00 and 20:40:00.
<Sysname> system-view
[Sysname] url-filter signature auto-update
[Sysname-url-filter-autoupdate] update schedule weekly sun start-time 20:30:00 tingle 10
Related commands
url-filter signature auto-update
url-filter apply policy
Use url-filter apply policy to apply a URL filtering policy to a DPI application profile.
Use undo url-filter apply policy to remove the URL filtering policy from a DPI application profile.
Syntax
url-filter apply policy policy-name
undo url-filter apply policy
Default
No URL filtering policy is applied to a DPI application profile.
Views
DPI application profile view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a URL filtering policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A URL filtering policy takes effect only after it is applied to a DPI application profile.
You can apply only one URL filtering policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply URL filtering policy news to DPI application profile abc.
<Sysname> system-view
[Sysname] app-profile abc
[Sysname-app-profile-abc] url-filter apply policy news
Related commands
app-profile
display app-profile
display url-filter policy
url-filter cache deploy-interval
Use url-filter cache deploy-interval to set the interval to deploy cached URL filtering rules to the DPI inspection engine.
Use undo url-filter cache deploy-interval to restore the default.
Syntax
url-filter cache deploy-interval interval
undo url-filter cache deploy-interval
Default
Cached URL filtering rules are deployed to the DPI inspection engine every 12 hours.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the deploy interval in the range of 1 to 65535 hours.
Usage guidelines
The device automatically deploys cached URL filtering rules to the DPI inspection engine at the deploy interval.
Set an appropriate deploy interval. A small interval results in frequent deployment and might cause the inspection engine to stop working, making other DPI services unavailable.
Examples
# Set the deploy interval to 24 hours for cached URL filtering rules.
<Sysname> system-view
[Sysname] url-filter cache deploy-interval 24
url-filter cache size
Use url-filter cache size to set the URL filtering cache size.
Use undo url-filter cache size to restore the default.
Syntax
url-filter cache size cache-size
undo url-filter cache size
Default
The URL filtering cache size depends on the memory size of the system.
Views
System view
Predefined user roles
network-admin
Parameters
cache-size: Specifies the cache size, in the range of 1 to 65535.
Usage guidelines
The device caches the URL filtering rules and categories returned from the cloud server. The cached rules can be used directly for subsequent URL filtering.
Set an appropriate cache size. A large cache size might cause the DPI inspection engine to stop working during deployment of excessive URL filtering rules, making other DPI services unavailable.
Examples
# Set the URL filtering cache size to 20000.
<Sysname> system-view
[Sysname] url-filter cache size 20000
url-filter cache-time
Use url-filter cache-time to set the minimum cache period for a URL filtering rule.
Use undo url-filter cache-time to restore the default.
Syntax
url-filter cache-time value
undo url-filter cache-time
Default
The minimum cache period of a URL filtering rule is 43200 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
value: Specifies the minimum cache period in seconds. The value range is 1 to 4294967295.
Usage guidelines
Setting the minimum cache period for URL filtering rules ensures that the cached rules will not be deleted during the specified period of time.
When the URL filtering cache is full, the system identifies the cache period of the oldest URL filtering rule to determine whether to overwrite it:
· If the cache period of the rule is equal to or less than the minimum cache period, the system does not delete the rule. The new rule is not cached.
· If the cache period of the rule is greater than the minimum cache period, the system overwrites the rule with the new rule.
Examples
# Set the minimum cache period to 36000 seconds for URL filtering rules.
<Sysname> system-view
[Sysname] url-filter cache-time 36000
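The cache-full decision described above (the oldest cached rule is overwritten only once it has been cached longer than the minimum cache period; otherwise the new rule is dropped), as an added Python model that is not part of this reference or of any H3C software. Treating the "cache period" of a rule as the time elapsed since it was cached, and leaving an already cached rule untouched on re-insertion, are assumptions.

```python
from collections import OrderedDict


class UrlFilterCache:
    """Models the cache-full decision described for url-filter cache-time."""

    def __init__(self, size: int, min_cache_time: int):
        self.size = size                      # url-filter cache size
        self.min_cache_time = min_cache_time  # url-filter cache-time, in seconds
        # rule -> time it was cached; insertion order keeps the oldest rule first
        self._entries: "OrderedDict[str, int]" = OrderedDict()

    def cached_rules(self):
        """Cached rules, oldest first."""
        return list(self._entries)

    def insert(self, rule: str, now: int) -> bool:
        """Try to cache a rule returned by the cloud server; True if it was cached."""
        if rule in self._entries:
            return True                       # already cached; nothing to do (assumption)
        if len(self._entries) < self.size:
            self._entries[rule] = now
            return True
        # Cache is full: check how long the oldest rule has been cached
        # (its cache period, assumed to be the time since insertion).
        oldest, cached_at = next(iter(self._entries.items()))
        if now - cached_at <= self.min_cache_time:
            return False                      # oldest rule still protected; new rule is not cached
        del self._entries[oldest]             # otherwise the oldest rule is overwritten
        self._entries[rule] = now
        return True


if __name__ == "__main__":
    # Constructed walk-through: cache size 2, default minimum cache period 43200 s.
    cache = UrlFilterCache(size=2, min_cache_time=43200)
    for rule, at in (("a", 0), ("b", 100), ("c", 1000), ("c", 43201), ("d", 43300)):
        print(rule, "at", at, "->", "cached" if cache.insert(rule, at) else "dropped",
              cache.cached_rules())
```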
url-filter category
Use url-filter category to create a user-defined URL category and enter its view, or enter the view of an existing URL category.
Use undo url-filter category to delete a URL category.
Syntax
url-filter category category-name [ severity severity-value ]
undo url-filter category category-name
Default
The device has only predefined URL categories with the name prefix Pre-.
Views
System view
Predefined user roles
network-admin
Parameters
category-name: Specifies the URL category name, a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.). The category name cannot start with Pre-.
severity severity-value: Specifies a severity level for the URL category. The value range is 1000 to 65535. The larger the value, the higher the severity level. The severity level of each user-defined URL category must be unique. This option is required when you create a URL category.
Usage guidelines
URL filtering provides the URL categorization feature to facilitate filtering rule management.
You can classify multiple URL filtering rules into a URL category and specify an action for the category. If a matching rule is in multiple URL categories, the system takes the action for the category with the highest severity level.
URL filtering supports the following types of URL categories:
· Predefined URL categories.
The predefined URL categories contain the predefined URL filtering rules. Each predefined URL category has a unique severity level in the range of 1 to 999, and the category name begins with the Pre- prefix. You cannot modify the content or severity level of predefined URL categories.
· User-defined URL categories.
You can create user-defined URL categories and configure filtering rules for them. The severity level of a user-defined URL category is in the range of 1000 to 65535. You can edit the filtering rules and change the severity level for a user-defined URL category.
Examples
# Create a URL category named news and set its severity level to 2000.
<Sysname> system-view
[Sysname] url-filter category news severity 2000
[Sysname-url-filter-category-news]
Related commands
display url-filter category
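The matching methods of the rule command (case-insensitive exact hostname match, URI prefix match, case-sensitive regular-expression fuzzy match) and the severity tie-break described under url-filter category, as an added Python model that is not part of this reference or of any H3C software. The category names, actions and rules are constructed sample data taken from the examples in this reference; treating a rule's host specification as optional (to cover the uri-only example) is an assumption.

```python
"""Model of the URL filtering rule-matching semantics described in this reference."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# A match specification: ("text", string) for exact match, ("regex", pattern) for fuzzy match.
Spec = Tuple[str, str]


@dataclass(frozen=True)
class Rule:
    rule_id: int
    host: Optional[Spec] = None  # hostname specification (assumed optional here)
    uri: Optional[Spec] = None   # URI specification


@dataclass(frozen=True)
class Category:
    name: str
    severity: int          # Pre- categories use 1-999, user-defined ones 1000-65535
    action: str            # action the policy assigns to this category (constructed names)
    rules: Tuple[Rule, ...]


def _field_matches(spec: Spec, value: str, field: str) -> bool:
    mode, pattern = spec
    if mode == "regex":
        # Fuzzy match: case-sensitive regular expression found anywhere in the field.
        return re.search(pattern, value) is not None
    # Exact match by text is case-insensitive.
    value, pattern = value.lower(), pattern.lower()
    if field == "host":
        return value == pattern        # hostname must be identical (dfabc.com.cn != abc.com.cn)
    return value.startswith(pattern)   # URI must begin with the complete text string


def rule_matches(rule: Rule, host: str, uri: str) -> bool:
    """A rule matches when every specification it carries matches the URL."""
    if rule.host is None and rule.uri is None:
        return False
    if rule.host is not None and not _field_matches(rule.host, host, "host"):
        return False
    if rule.uri is not None and not _field_matches(rule.uri, uri, "uri"):
        return False
    return True


def split_url(url: str) -> Tuple[str, str]:
    """Return (hostname, URI) for a URL; the URI keeps any query string."""
    parts = urlsplit(url)
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return parts.hostname or "", uri


def decide(url: str, categories, default_action: str):
    """Action for a URL: among matching categories, the highest severity wins."""
    host, uri = split_url(url)
    hits = [c for c in categories if any(rule_matches(r, host, uri) for r in c.rules)]
    if not hits:
        return default_action, None
    winner = max(hits, key=lambda c: c.severity)
    return winner.action, winner.name


# Constructed sample data built from the rules quoted in this reference.
PRE_NEWS = Category("Pre-News", 500, "permit",
                    (Rule(3, host=("regex", "sina.*cn")),))
NEWS = Category("news", 2000, "deny", (
    Rule(1, host=("text", "abc.com.cn")),
    Rule(2, uri=("text", "/sina/news")),
    Rule(10, host=("text", "sina.com")),
))
CATEGORIES = (PRE_NEWS, NEWS)

if __name__ == "__main__":
    for url in ("http://news.sina.com.cn/sina/news/sports",   # both categories: news wins
                "http://news.sina.com.cn/sina",               # only Pre-News (no URI prefix)
                "http://dfabc.com.cn/"):                      # no match: default action
        print(url, "->", decide(url, CATEGORIES, "permit"))
```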
url-filter category-server
Use url-filter category-server to specify the server to be used for URL filtering cloud query.
Use undo url-filter category-server to remove the URL filtering cloud server.
Syntax
url-filter category-server host-name
undo url-filter category-server host-name
Default
No server is specified for URL filtering cloud query.
Views
System view
Predefined user roles
network-admin
Parameters
host-name: Specifies a server by its host name, a case-insensitive string of 1 to 256 characters. The host name can contain letters, digits, underscores (_), hyphens (-), and dots (.).
Usage guidelines
For successful URL filtering cloud query, make sure the device can resolve the host name of the specified cloud query server into an IP address through DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide.
Examples
# Specify server urlservice.h3c.com for URL filtering cloud query.
<Sysname> system-view
[Sysname] url-filter category-server urlservice.h3c.com
url-filter copy category
Use url-filter copy category to copy a URL category.
Syntax
url-filter copy category old-name [ new-name ] severity severity-level
Views
System view
Predefined user roles
network-admin
Parameters
old-name: Specifies the name of the URL category to be copied.
new-name: Specifies a name for the new URL category. If you do not specify a name, the default name old-name_n will be used, where n represents the number of times the URL category has been copied.
severity severity-level: Assigns a unique severity level to the new URL category. The value range is 1000 to 65535. The larger the value, the higher the severity level.
Usage guidelines
This command allows you to create a new URL category by copying an existing one.
Examples
# Create a URL category with a severity level of 1001 by copying URL category news.
<Sysname> system-view
[Sysname] url-filter copy category news severity 1001
Related commands
url-filter category
url-filter copy policy
Use url-filter copy policy to copy a URL filtering policy.
Syntax
url-filter copy policy old-name new-name
Views
System view
Predefined user roles
network-admin
Parameters
old-name: Specifies the name of the URL filtering policy to be copied, a case-insensitive string of 1 to 31 characters.
new-name: Specifies a name for the new URL filtering policy, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This command allows you to create a new URL filtering policy by copying an existing one.
Examples
# Create two URL filtering policies by copying URL filtering policy news.
<Sysname> system-view
[Sysname] url-filter copy policy news news1
[Sysname-url-filter-policy-news1] quit
[Sysname] url-filter copy policy news news2
[Sysname-url-filter-policy-news2] quit
Related commands
url-filter policy
url-filter log directory root
Use url-filter log directory root to configure URL filtering to log only access to resources in the root directories of websites.
Use undo url-filter log directory root to restore the default.
Syntax
url-filter log directory root
undo url-filter log directory root
Default
URL filtering logs access to Web resources in all directories.
Views
System view
Predefined user roles
network-admin
Usage guidelines
After this command is configured, the url-filter log except pre-defined and url-filter log except user-defined commands become invalid.
Examples
# Configure URL filtering to log only access to resources in the root directories of websites.
<Sysname> system-view
[Sysname] url-filter log directory root
Related commands
category action logging
default-action logging
url-filter log except pre-defined
url-filter log except user-defined
url-filter log enable
Use url-filter log enable to enable DPI engine logging.
Use undo url-filter log enable to disable DPI engine logging.
Syntax
url-filter log enable
undo url-filter log enable
Default
DPI engine logging is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
You can enable DPI engine logging for audit. Log messages generated by DPI engine are output to the device information center. The information center then sends the messages to designated destinations based on log output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable DPI engine logging.
<Sysname> system-view
[Sysname] url-filter log enable
url-filter log except pre-defined
Use url-filter log except pre-defined to disable URL filtering logging for access to resources of a predefined resource type.
Use undo url-filter log except pre-defined to enable URL filtering logging for access to resources of a predefined resource type.
Syntax
url-filter log except pre-defined { css | gif | ico | jpg | js | png | swf | xml }
undo url-filter log except pre-defined { css | gif | ico | jpg | js | png | swf | xml }
Default
URL filtering does not log access to resources of the predefined resource types (CSS, GIF, ICO, JPG, JS, PNG, SWF, and XML resources).
Views
System view
Predefined user roles
network-admin
Parameters
css: Specifies the CSS resource type.
gif: Specifies the GIF resource type.
ico: Specifies the ICO resource type.
jpg: Specifies the JPG resource type.
js: Specifies the JS resource type.
png: Specifies the PNG resource type.
swf: Specifies the SWF resource type.
xml: Specifies the XML resource type.
Usage guidelines
Repeat this command to disable URL filtering logging for access to multiple types of predefined resources.
This command does not take effect if the url-filter log directory root command is configured. To validate this command, you must execute the undo url-filter log directory root command.
Examples
# Disable URL filtering logging for access to CSS resources.
<Sysname> system-view
[Sysname] url-filter log except pre-defined css
Related commands
category action logging
default-action logging
url-filter log directory root
url-filter log except user-defined
url-filter log except user-defined
Use url-filter log except user-defined to disable URL filtering logging for access to resources of a user-defined resource type.
Use undo url-filter log except user-defined to enable URL filtering logging for access to resources of a user-defined resource type.
Syntax
url-filter log except user-defined text
undo url-filter log except user-defined [ text ]
Default
URL filtering logs access to all resources except for resources of the predefined types.
Views
System view
Predefined user roles
network-admin
Parameters
text: Specifies a Web resource type. The value is a case-insensitive string of 1 to 63 characters.
Usage guidelines
Repeat this command to disable URL logging for access to multiple types of user-defined resources.
This command does not take effect if the url-filter log directory root command is configured. To validate this command, you must execute the undo url-filter log directory root command.
Executing the undo url-filter log except user-defined command without the text parameter enables URL logging for access to all resources except resources of the predefined resource types.
Examples
# Disable URL filtering logging for access to HTML resources.
<Sysname> system-view
[Sysname] url-filter log except user-defined html
Related commands
category action logging
default-action logging
url-filter log directory root
url-filter log except pre-defined
url-filter policy
Use url-filter policy to create a URL filtering policy and enter its view, or enter the view of an existing URL filtering policy.
Use undo url-filter policy to delete a URL filtering policy.
Syntax
url-filter policy policy-name
undo url-filter policy policy-name
Default
No URL filtering policies exist.
Views
System view
Predefined user roles
network-admin
Parameters
policy-name: Assigns a name to the URL filtering policy, a case-insensitive string of 1 to 31 characters.
Usage guidelines
In a URL filtering policy, you can specify an action for each category. You can also use the default action command to specify the default action for packets that do not match any URL filtering rules in the policy.
A URL filtering policy takes effect only after it is applied to a DPI application profile. For information about DPI application profiles, see DPI Configuration Guide.
Examples
# Create a URL filtering policy named news and enter its view.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news]
url-filter signature auto-update
Use url-filter signature auto-update to enable automatic URL filtering signature library update and enter automatic URL filtering signature library update configuration view.
Use undo url-filter signature auto-update to disable automatic URL filtering signature library update.
Syntax
url-filter signature auto-update
undo url-filter signature auto-update
Default
Automatic URL filtering signature library update is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The automatic update enables the device to periodically access the H3C website to download the latest URL filtering signatures and update the local signature library.
You can schedule the time for automatic signature update by using the update schedule command.
Examples
# Enable automatic URL filtering signature library update and enter automatic URL filtering signature library update configuration view.
<Sysname> system-view
[Sysname] url-filter signature auto-update
[Sysname-url-filter-autoupdate]
Related commands
update schedule
url-filter signature auto-update-now
Use url-filter signature auto-update-now to trigger an automatic URL filtering signature library update manually.
Syntax
url-filter signature auto-update-now
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command immediately starts the automatic signature library update process. The device accesses the H3C website to update the local URL filtering signature library.
You can execute this command anytime you find a new version of signature library on the H3C website.
Examples
# Trigger an automatic URL filtering signature library update manually.
<Sysname> system-view
[Sysname] url-filter signature auto-update-now
url-filter signature rollback
Use url-filter signature rollback to roll back the URL filtering signature library.
Syntax
url-filter signature rollback { factory | last }
Views
System view
Predefined user roles
network-admin
Parameters
factory: Rolls back the URL filtering signature library to the factory default version.
last: Rolls back the URL filtering signature library to the previous version.
Usage guidelines
If a URL filtering signature library update causes exceptions or a high false alarm rate, you can roll back the URL filtering signature library.
Before rolling back the URL filtering signature library, the device backs up the current signature library as the "previous version." For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.
Examples
# Roll back the URL filtering signature library to the previous version.
<Sysname> system-view
[Sysname] url-filter signature rollback last
url-filter signature update
Use url-filter signature update to manually update the URL filtering signature library.
Syntax
url-filter signature update file-path
Views
System view
Predefined user roles
network-admin
Parameters
file-path: Specifies the URL filtering signature file path, a string of 1 to 255 characters.
Usage guidelines
If the device cannot access the H3C website, use one of the following methods to manually update the URL filtering signature library:
· Local update—Updates the URL filtering signature library on the device by using the locally stored URL filtering signature file.
Store the update file on the correct location for successful signature library update:
¡ For centralized devices in IRF mode, store the update file on the master device.
¡ For distributed devices in standalone mode, store the update file on the active MPU.
¡ For distributed devices in IRF mode, store the update file on the global active MPU.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored in the current working directory. | filename | To display the current working directory, use the pwd command (see file system management in Fundamentals Command Reference). |
The update file is stored in a different directory on the same storage medium. | filename | Before updating the signature library, you must first use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
The update file is stored on a different storage medium. | path/filename | Before updating the signature library, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
· FTP/TFTP update—Updates the URL filtering signature library on the device by using the file stored on the FTP or TFTP server.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored on an FTP server. | ftp://username:password@server address/filename | The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: · Colon (:)—%3A or %3a. · At sign (@)—%40. · Forward slash (/)—%2F or %2f. |
The update file is stored on a TFTP server. | tftp://server address/filename | The server address parameter represents the IP address or host name of the TFTP server. |
Examples
# Manually update the local URL filtering signature library by using a signature file stored on a TFTP server.
<Sysname> system-view
[Sysname] url-filter signature update tftp://192.168.0.10/url-filter-1.0.2-en.dat
# Manually update the local URL filtering signature library by using a signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.
<Sysname> system-view
[Sysname] url-filter signature update ftp://user%3A123:user%40abc%2F123@192.168.0.10/url-filter-1.0.2-en.dat
# Manually update the local URL filtering signature library by using a signature file stored on the device. The file path is cfa0:/url-filter-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> system-view
[Sysname] url-filter signature update url-filter-1.0.23-en.dat
# Manually update the local URL filtering signature library by using a signature file stored on the device. The file path is cfa0:/dpi/url-filter-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd dpi
<Sysname> system-view
[Sysname] url-filter signature update url-filter-1.0.23-en.dat
# Manually update the local URL filtering signature library by using a signature file stored on the device. The file path is cfb0:/dpi/url-filter-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd cfb0:/
<Sysname> system-view
[Sysname] url-filter signature update dpi/url-filter-1.0.23-en.dat
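The escaping rule for FTP credentials is easy to get wrong by hand, and a wrongly escaped path fails in a way that looks like a bad login. The following Python helper is an added example, not part of this command reference and not device software. It builds the ftp:// and tftp:// forms of file-path, escapes the three characters the reference lists, and parses a path back the way a device that honours the escapes must: split on the literal separators first, then decode the %XX sequences. The credentials, server address and file name are the ones from the FTP example above; treating a literal percent sign in a credential as an error, and expecting a bare file name rather than a directory path, are this example's own conservative assumptions, since the reference does not cover those cases.

```python
"""Build and check the file-path argument of `url-filter signature update`.

Added example, not from the H3C command reference. Implements the escaping
rule in the reference's parameter table: ':' '@' '/' in the FTP username or
password become %3A %40 %2F so the device can split the URL unambiguously.
"""
import re
from urllib.parse import unquote

# Only these three characters are listed by the reference as needing escapes.
_ESCAPES = {":": "%3A", "@": "%40", "/": "%2F"}


def escape_credential(value: str) -> str:
    """Percent-encode the characters the device cannot parse in a credential."""
    # Assumption of this example: '%' is not covered by the reference's rule and
    # would be ambiguous once %XX is decoded, so refuse it rather than guess.
    if "%" in value:
        raise ValueError("'%' in an FTP credential is not covered by the escaping rule")
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def ftp_file_path(username: str, password: str, server: str, filename: str) -> str:
    """Return the ftp://username:password@server/filename form the command expects."""
    if "/" in filename:
        # The reference shows a bare file name after the server; keep to that shape.
        raise ValueError("filename must not contain '/'")
    return f"ftp://{escape_credential(username)}:{escape_credential(password)}@{server}/{filename}"


def tftp_file_path(server: str, filename: str) -> str:
    """Return the tftp://server/filename form (no credentials, nothing to escape)."""
    return f"tftp://{server}/{filename}"


# user, password, server (IPv4 or host name), file name; no unescaped ':' '@' '/'.
_FTP_RE = re.compile(r"^ftp://([^:@/]*):([^:@/]*)@([^:@/]+)/([^/]+)$")


def split_ftp_file_path(path: str) -> dict:
    """Parse an ftp:// file-path as a device honouring the escapes must:
    split on the literal ':' '@' '/' first, then decode %XX in the credentials.
    A path whose credentials were not escaped does not match and is rejected."""
    m = _FTP_RE.match(path)
    if not m:
        raise ValueError(f"not a well-formed ftp:// file-path: {path!r}")
    user, pwd, server, filename = m.groups()
    return {"username": unquote(user), "password": unquote(pwd),
            "server": server, "filename": filename}


def update_command(file_path: str) -> str:
    """The full CLI line to enter in system view."""
    return f"url-filter signature update {file_path}"


if __name__ == "__main__":
    # Same credentials and server as the reference's FTP example:
    # username "user:123", password "user@abc/123", server 192.168.0.10.
    p = ftp_file_path("user:123", "user@abc/123", "192.168.0.10", "url-filter-1.0.2-en.dat")
    print(update_command(p))
    print(split_ftp_file_path(p))
```

Running the block prints the exact command line shown in the FTP example above and the decoded credentials; feeding it the unescaped form of the same URL raises an error, which is the failure the escaping rule exists to prevent.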
Bandwidth management commands
The following matrix shows the feature and hardware compatibility:

Hardware | Bandwidth management compatibility |
---|---|
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes |
MSR810-LMS/810-LUS | No |
MSR2600-6-X1/2600-10-X1 | Yes |
MSR 2630 | Yes |
MSR3600-28/3600-51 | Yes |
MSR3600-28-SI/3600-51-SI | No |
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
MSR 3610/3620/3620-DP/3640/3660 | Yes |
MSR5620/5660/5680 | Yes |

Hardware | Feature compatibility |
---|---|
MSR810-LM-GL | Yes |
MSR810-W-LM-GL | Yes |
MSR830-6EI-GL | Yes |
MSR830-10EI-GL | Yes |
MSR830-6HI-GL | Yes |
MSR830-10HI-GL | Yes |
MSR2600-6-X1-GL | Yes |
MSR3600-28-SI-GL | No |
Commands and descriptions for centralized devices apply to the following routers:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3600-28-SI/3600-51-SI.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
· MSR 3610/3620/3620-DP/3640/3660.
Commands and descriptions for distributed devices apply to the following routers:
· MSR5620.
· MSR 5660.
· MSR 5680.
IPv6-related parameters are not supported on the following routers:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.
· MSR3600-28-SI/3600-51-SI.
action
Use action to specify a traffic profile for a traffic rule.
Use undo action to restore the default.
Syntax
action qos profile profile-name
undo action
Default
No traffic profile is specified for a traffic rule (packets matching a traffic rule are allowed to pass).
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
qos profile profile-name: Specifies a traffic profile by its name. The profile name is a case-insensitive string of 1 to 63 characters.
Usage guidelines
If a packet matches a traffic rule, the device applies the traffic profile specified for the traffic rule to the packet.
Examples
# Create a traffic rule named rule1, and apply traffic profile profile1 to the traffic rule.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] action qos profile profile1
Related commands
profile name
rule name
application
Use application to configure an application or application group as a match criterion.
Use undo application to delete an application or application group match criterion.
Syntax
application { app application-name | app-group application-group-name }
undo application { app application-name | app-group application-group-name }
Default
No application or application group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
app application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters.
app-group application-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can configure multiple applications or application groups for a traffic rule to match packets.
This command enables the device to manage bandwidth by application type, such as email, P2P, IM, and web browsing.
If you specify a user-defined application that uses DCCP, SCTP, or UDP-Lite as the transport layer protocol, the application is not limited by bandwidth management. For information about user-defined applications, see Security Configuration Guide.
Examples
# Configure the application P2P_General_TCP_Communications as a match criterion for traffic rule rule1.
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] application app P2P_General_TCP_Communications
Related commands
app-group (Security Command Reference)
nbar application (Security Command Reference)
port-mapping (Security Command Reference)
port-mapping acl (Security Command Reference)
port-mapping host (Security Command Reference)
port-mapping subnet (Security Command Reference)
bandwidth
Use bandwidth to set the per-rule guaranteed bandwidth or maximum bandwidth in a traffic profile.
Use undo bandwidth to delete the per-rule guaranteed bandwidth or maximum bandwidth setting of a traffic profile.
Syntax
bandwidth { downstream | total | upstream } { guaranteed | maximum } bandwidth-value
undo bandwidth { downstream | total | upstream } { guaranteed | maximum }
Default
The per-rule guaranteed bandwidth and maximum bandwidth are not set in a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
downstream: Specifies downstream traffic (traffic from a server to a client).
total: Specifies both downstream traffic and upstream traffic.
upstream: Specifies upstream traffic (traffic from a client to a server).
guaranteed: Specifies the guaranteed bandwidth.
maximum: Specifies the maximum bandwidth. The maximum bandwidth must be greater than or equal to the guaranteed bandwidth.
bandwidth-value: Specifies the bandwidth value in the range of 8 to 100000000 kbps.
Usage guidelines
When you specify traffic profiles for parent and child traffic rules, follow these restrictions and guidelines:
· The maximum bandwidth for the child traffic rule must be smaller than or equal to that for the parent traffic rule.
· The guaranteed bandwidth for the parent traffic rule must be greater than or equal to the sum of the guaranteed bandwidth for its child traffic rules.
· The traffic profiles cannot be the same for the child and parent traffic rules.
An interface that carries a large amount of traffic but still uses a small default expected bandwidth might experience traffic loss. To avoid traffic loss, explicitly set the expected bandwidth of such an interface to a large value. For example, set the expected bandwidth of a tunnel interface to a value greater than 64 kbps (the default) if there is a large amount of traffic on the interface.
Examples
# In traffic profile profile1, set both upstream and downstream maximum bandwidth to 10000 kbps, and set both upstream and downstream guaranteed bandwidth to 5000 kbps.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] bandwidth upstream maximum 10000
[Sysname-traffic-policy-profile-profile1] bandwidth downstream maximum 10000
[Sysname-traffic-policy-profile-profile1] bandwidth upstream guaranteed 5000
[Sysname-traffic-policy-profile-profile1] bandwidth downstream guaranteed 5000
Related commands
profile name
bandwidth average enable
Use bandwidth average enable to enable dynamic and even allocation for maximum bandwidth.
Use undo bandwidth average enable to disable dynamic and even allocation for maximum bandwidth.
Syntax
bandwidth average enable
undo bandwidth average enable
Default
Dynamic and even allocation for maximum bandwidth is disabled.
Views
Traffic profile view
Predefined user roles
network-admin
Usage guidelines
This command allows the device to dynamically and evenly allocate the per-rule maximum bandwidth among all online IP addresses.
You can use this command only after you set the per-rule maximum bandwidth with the bandwidth { downstream | total | upstream } maximum command.
Examples
# Enable dynamic and even allocation for maximum bandwidth in traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] bandwidth total maximum 10000
[Sysname-traffic-policy-profile-profile1] bandwidth average enable
Related commands
bandwidth { downstream | total | upstream } maximum
bandwidth { per-ip | per-user }
Use bandwidth { per-ip | per-user } to set the per-IP or per-user maximum or guaranteed bandwidth for a traffic profile.
Use undo bandwidth { per-ip | per-user } to delete the per-IP or per-user maximum or guaranteed bandwidth setting of a traffic profile.
Syntax
bandwidth { downstream | total | upstream } { guaranteed | maximum } { per-ip | per-user } bandwidth-value
undo bandwidth { downstream | total | upstream } { guaranteed | maximum } { per-ip | per-user }
Default
The per-IP or per-user maximum bandwidth and guaranteed bandwidth are not set in a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
downstream: Specifies downstream traffic (traffic from a server to a client).
total: Specifies both downstream traffic and upstream traffic.
upstream: Specifies upstream traffic (traffic from a client to a server).
guaranteed: Specifies the guaranteed bandwidth.
maximum: Specifies the maximum bandwidth.
per-ip: Applies the guaranteed or maximum bandwidth to each IP address.
per-user: Applies the guaranteed or maximum bandwidth to each user.
bandwidth-value: Specifies the bandwidth value in the range of 8 to 100000000 kbps.
Usage guidelines
This command allows you to manage bandwidth at finer granularity.
The per-IP or per-user maximum bandwidth cannot be greater than the per-rule maximum bandwidth.
The per-IP or per-user guaranteed bandwidth cannot be greater than the per-rule guaranteed bandwidth.
The per-IP or per-user guaranteed bandwidth cannot be greater than the per-IP or per-user maximum bandwidth.
Examples
# In traffic profile profile1, set both upstream and downstream per-IP maximum bandwidth to 10000 kbps.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] bandwidth upstream maximum per-ip 10000
[Sysname-traffic-policy-profile-profile1] bandwidth downstream maximum per-ip 10000
connection-limit count
Use connection-limit count to set the connection count limit for a traffic profile.
Use undo connection-limit count to delete the connection count limit setting of a traffic profile.
Syntax
connection-limit count { per-rule | per-ip | per-user } connection-number
undo connection-limit count { per-rule | per-ip | per-user }
Default
No connection count limit is set for a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
per-rule: Specifies the overall connection count limit (count limit for the traffic rule associated with the traffic profile).
per-ip: Specifies the per-IP connection count limit.
per-user: Specifies the per-user connection count limit.
connection-number: Specifies the maximum number of connections allowed, in the range of 1 to 12000000.
Usage guidelines
The per-IP or per-user connection count limit cannot be greater than the overall connection count limit.
You cannot set both per-IP and per-user connection count limits for one traffic profile.
Examples
# In traffic profile profile1, set the overall connection count limit to 1000.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] connection-limit count per-rule 1000
# In traffic profile profile1, set the per-IP connection count limit to 500.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] connection-limit count per-ip 500
connection-limit rate
Use connection-limit rate to set the connection rate limit for a traffic profile.
Use undo connection-limit rate to delete the connection rate limit setting of a traffic profile.
Syntax
connection-limit rate { per-rule | per-ip | per-user } connection-rate
undo connection-limit rate { per-rule | per-ip | per-user }
Default
No connection rate limit is set for a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
per-rule: Specifies the overall connection rate limit (rate limit for the traffic rule associated with the traffic profile).
per-ip: Specifies the per-IP connection rate limit.
per-user: Specifies the per-user connection rate limit.
connection-rate: Specifies the maximum connection rate in the range of 1 to 12000000 connections per second.
Usage guidelines
The per-IP or per-user connection rate limit cannot be greater than the overall connection rate limit.
You cannot set both per-IP and per-user connection rate limits for one traffic profile.
Examples
# In traffic profile profile1, set the overall connection rate limit to 1000 connections per second.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] connection-limit rate per-rule 1000
# In traffic profile profile1, set the per-user connection rate limit to 500 connections per second.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] connection-limit rate per-user 500
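The usage guidelines of bandwidth, bandwidth { per-ip | per-user }, bandwidth average enable, connection-limit count and connection-limit rate each state ordering constraints (maximum not below guaranteed, per-IP and per-user values not above per-rule values, child limits within parent limits, only one finer scope per profile) that the device enforces one command at a time. The following Python checker is an added example, not part of this command reference and not device code. It models profiles and rules as plain data and reports every violated constraint at once, so a prepared configuration can be checked before it is pasted to a device. The data model (dictionaries keyed by direction and scope, a parent field on rules) is this example's own assumption; the device expresses rule nesting in its own way.

```python
"""Offline check of traffic-policy constraints (added example, not H3C code).

Encodes the usage-guideline constraints of `bandwidth`, `bandwidth { per-ip |
per-user }`, `bandwidth average enable` and `connection-limit count | rate`.
The data model (dicts keyed by direction and scope, a `parent` field on rules)
is this example's own assumption, not how the device expresses rule nesting.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KBPS_MIN, KBPS_MAX = 8, 100_000_000   # bandwidth-value range, kbps
CONN_MIN, CONN_MAX = 1, 12_000_000    # connection-number / connection-rate range
DIRECTIONS = ("upstream", "downstream", "total")
BwTable = Dict[str, Dict[str, int]]   # direction -> {"guaranteed": n, "maximum": n}


@dataclass
class Profile:
    name: str
    rule_bw: BwTable = field(default_factory=dict)      # bandwidth <dir> <kind> <n>
    per_ip_bw: BwTable = field(default_factory=dict)    # bandwidth <dir> <kind> per-ip <n>
    per_user_bw: BwTable = field(default_factory=dict)  # bandwidth <dir> <kind> per-user <n>
    average_enable: bool = False                        # bandwidth average enable
    conn_count: Dict[str, int] = field(default_factory=dict)  # scope -> connection-number
    conn_rate: Dict[str, int] = field(default_factory=dict)   # scope -> connection-rate

@dataclass
class Rule:
    name: str
    profile: Optional[str] = None   # action qos profile <name>
    parent: Optional[str] = None    # parent traffic rule, if nested (this example's model)


def _check_bw_table(pname: str, label: str, table: BwTable, errors: List[str]) -> None:
    for d, kinds in table.items():
        for kind, v in kinds.items():
            if not KBPS_MIN <= v <= KBPS_MAX:
                errors.append(f"{pname}: {label} {d} {kind} {v} outside {KBPS_MIN}..{KBPS_MAX} kbps")
        g, m = kinds.get("guaranteed"), kinds.get("maximum")
        if g is not None and m is not None and m < g:   # maximum must be >= guaranteed
            errors.append(f"{pname}: {label} {d} maximum {m} < guaranteed {g}")


def check_profile(p: Profile) -> List[str]:
    """Constraints that hold within one traffic profile."""
    errors: List[str] = []
    _check_bw_table(p.name, "per-rule", p.rule_bw, errors)
    for label, table in (("per-ip", p.per_ip_bw), ("per-user", p.per_user_bw)):
        _check_bw_table(p.name, label, table, errors)
        for d, kinds in table.items():       # finer-grained values may not exceed per-rule ones
            for kind, v in kinds.items():
                rule_v = p.rule_bw.get(d, {}).get(kind)
                if rule_v is not None and v > rule_v:
                    errors.append(f"{p.name}: {label} {d} {kind} {v} > per-rule {kind} {rule_v}")
    if p.average_enable and not any("maximum" in kinds for kinds in p.rule_bw.values()):
        errors.append(f"{p.name}: bandwidth average enable needs a per-rule maximum bandwidth")
    for label, limits in (("count", p.conn_count), ("rate", p.conn_rate)):
        for scope, v in limits.items():
            if not CONN_MIN <= v <= CONN_MAX:
                errors.append(f"{p.name}: connection-limit {label} {scope} {v} outside {CONN_MIN}..{CONN_MAX}")
        if "per-ip" in limits and "per-user" in limits:   # only one finer scope per profile
            errors.append(f"{p.name}: connection-limit {label} sets both per-ip and per-user")
        overall = limits.get("per-rule")
        for scope in ("per-ip", "per-user"):
            if scope in limits and overall is not None and limits[scope] > overall:
                errors.append(f"{p.name}: connection-limit {label} {scope} {limits[scope]} > per-rule {overall}")
    return errors


def check_hierarchy(rules: Dict[str, Rule], profiles: Dict[str, Profile]) -> List[str]:
    """Parent/child constraints from the `bandwidth` usage guidelines."""
    errors: List[str] = []
    for parent in rules.values():
        kids = [r for r in rules.values() if r.parent == parent.name]
        pp = profiles.get(parent.profile) if parent.profile else None
        if not kids or pp is None:
            continue   # a parent without a profile imposes no limit on its children
        for kid in kids:
            if kid.profile == parent.profile:
                errors.append(f"{kid.name}: same profile as parent {parent.name}")
        for d in DIRECTIONS:
            p_max, p_gtd = (pp.rule_bw.get(d, {}).get(k) for k in ("maximum", "guaranteed"))
            gtd_sum = 0
            for kid in kids:
                kp = profiles.get(kid.profile) if kid.profile else None
                if kp is None:
                    continue
                k_max = kp.rule_bw.get(d, {}).get("maximum")
                if p_max is not None and k_max is not None and k_max > p_max:
                    errors.append(f"{kid.name}: {d} maximum {k_max} > parent {parent.name} maximum {p_max}")
                gtd_sum += kp.rule_bw.get(d, {}).get("guaranteed", 0)
            if p_gtd is not None and gtd_sum > p_gtd:
                errors.append(f"{parent.name}: {d} guaranteed {p_gtd} < children's guaranteed total {gtd_sum}")
    return errors


def check_policy(profiles: Dict[str, Profile], rules: Dict[str, Rule]) -> List[str]:
    """All errors for a policy; an empty list means the device should accept it."""
    errors = [e for p in profiles.values() for e in check_profile(p)]
    return errors + check_hierarchy(rules, profiles)
```

The profile1 from the examples above (upstream and downstream maximum 10000 kbps, guaranteed 5000 kbps, per-IP maximum 10000 kbps, connection count 1000 per rule and 500 per IP) passes cleanly; a profile whose per-IP maximum exceeds its per-rule maximum, or that sets both per-ip and per-user connection limits, is reported with one line per violation.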
destination-address
Use destination-address to configure a destination IP address object group as a match criterion.
Use undo destination-address to delete a destination IP address object group as a match criterion.
Syntax
destination-address address-set object-group-name
undo destination-address address-set object-group-name
Default
No destination IP address object group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
object-group-name: Specifies an IPv4 or IPv6 address object group by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This command enables a traffic rule to use the IP addresses in the specified address object group as a destination IP address match criterion. You can specify multiple address object groups for a traffic rule to match destination IP addresses of packets.
Before rolling back configuration by using the configuration replace file filename command, check the address object group configuration of the traffic rule in the configuration file. The address object group configuration fails to be rolled back if two address object groups have the same name but are of different types (IPv4/IPv6).
Examples
# Configure IPv4 address object group obgroup2 for traffic rule rule1 to match destination IPv4 addresses of packets.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] destination-address address-set obgroup2
Related commands
object-group (Security Command Reference)
destination-zone
Use destination-zone to configure a destination security zone as a match criterion.
Use undo destination-zone to delete a destination security zone match criterion.
Syntax
destination-zone destination-zone-name
undo destination-zone destination-zone-name
Default
No destination security zone is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
destination-zone-name: Specifies a destination zone by its name, a case-insensitive string of 1 to 31 characters. The name cannot contain hyphens (-).
Examples
# Configure destination security zone zone2 as a match criterion for traffic rule rule1.
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] destination-zone zone2
Related commands
security-zone name (Security Command Reference)
disable
Use disable to disable a traffic rule.
Use undo disable to enable a traffic rule.
Syntax
disable
undo disable
Default
A traffic rule is enabled.
Views
Traffic rule view
Predefined user roles
network-admin
Usage guidelines
If a traffic rule is not in use, disable it rather than delete it. A disabled traffic rule does not participate in traffic matching, but you can still copy, rename, and move it.
Examples
# Disable traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] disable
display traffic-policy statistics bandwidth
Use display traffic-policy statistics bandwidth to display traffic rate statistics for traffic rules.
Syntax
Centralized devices in standalone mode:
display traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name }
Distributed devices in standalone mode/centralized devices in IRF mode:
display traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name } [ slot slot-number ]
Distributed devices in IRF mode:
display traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name } [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
downstream: Specifies downstream traffic.
total: Specifies both downstream traffic and upstream traffic.
upstream: Specifies upstream traffic.
per-ip: Displays per-IP traffic statistics.
ipv4: Displays per-IP traffic statistics for IPv4 addresses.
ipv4-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command displays per-IP traffic statistics for all IPv4 addresses of the specified traffic rule.
ipv6: Displays per-IP traffic statistics for IPv6 addresses.
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command displays per-IP traffic statistics for all IPv6 addresses of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
per-rule: Displays per-rule traffic statistics.
rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command displays per-rule traffic statistics for all traffic rules.
per-user: Displays per-user traffic statistics.
user user-name: Specifies a user by its name, a case-insensitive string of 1 to 55 characters. If you do not specify a user, this command displays per-user traffic statistics for all users of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays traffic statistics for all cards. (Distributed devices in standalone mode.)
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays traffic statistics for all member devices. (Centralized devices in IRF mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command displays traffic statistics for all cards. (Distributed devices in IRF mode.)
Usage guidelines
You can identify whether a traffic rule works as configured by displaying the traffic statistics for the traffic rule.
Examples
# (Centralized devices in standalone mode.) Display per-rule upstream traffic statistics for traffic rule traffic_rule.
<Sysname> display traffic-policy statistics bandwidth upstream per-rule traffic_rule
Slot 0:
Codes: PP(Passed Packets), PB(Passed Bytes), DP(Dropped Packets), DB(Dropped Bytes), PR(Passed Rate:kbps), DR(Drop Rate:kbps), FPP(Final Passed Packets), FPB(Final Passed Bytes), FPR(Final Passed Rate:kbps)
----------------------------------------------------------------------------------------
Rule name State Profile name PP PB DP DB PR DR FPP FPB FPR
----------------------------------------------------------------------------------------
traffic_rule Enabled profile1 226 5550 4 2961 103 497 595 6632 664.1
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
# (Centralized devices in standalone mode.) Display per-IP upstream traffic statistics for all IPv4 addresses in traffic rule traffic_rule.
<Sysname> display traffic-policy statistics bandwidth upstream per-ip ipv4 rule traffic_rule
Slot 0:
Codes: PP(Passed Packets), PB(Passed Bytes), DP(Dropped Packets), DB(Dropped Bytes), PR(Passed Rate:kbps), DR(Drop Rate:kbps), FPP(Final Passed Packets), FPB(Final Passed Bytes), FPR(Final Passed Rate:kbps)
----------------------------------------------------------------------------------------
Rule name State IP PP PB DP DB PR DR FPP FPB FPR
----------------------------------------------------------------------------------------
traffic_rule Enabled 1.1.1.1 226 55502 4 2961 103.3 497 595 6632 664.1
----------------------------------------------------------------------------------------
traffic_rule2 Enabled 1.1.1.5 256 54502 4 2901 112 488 595 6632 664.1
----------------------------------------------------------------------------------------
traffic_rule3 Enabled 1.1.1.8 256 54502 4 2951 112 488 595 6632 664.1
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
# (Distributed devices in standalone mode.) (Centralized devices in IRF mode.) Display per-rule upstream traffic statistics for traffic rule traffic_rule.
<Sysname> display traffic-policy statistics bandwidth upstream per-rule traffic_rule
Slot 1:
Codes: PP(Passed Packets), PB(Passed Bytes), DP(Dropped Packets), DB(Dropped Bytes), PR(Passed Rate:kbps), DR(Drop Rate:kbps), FPP(Final Passed Packets), FPB(Final Passed Bytes), FPR(Final Passed Rate:kbps)
----------------------------------------------------------------------------------------
Rule name State Profile name PP PB DP DB PR DR FPP FPB FPR
----------------------------------------------------------------------------------------
traffic_rule Enabled profile1 226 5550 4 2961 103 497 595 6632 664.1
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
# (Distributed devices in standalone mode.) (Centralized devices in IRF mode.) Display per-IP upstream traffic statistics for all IPv4 addresses in traffic rule traffic_rule.
<Sysname> display traffic-policy statistics bandwidth upstream per-ip ipv4 rule traffic_rule
Slot 1:
Codes: PP(Passed Packets), PB(Passed Bytes), DP(Dropped Packets), DB(Dropped Bytes), PR(Passed Rate:kbps), DR(Drop Rate:kbps), FPP(Final Passed Packets), FPB(Final Passed Bytes), FPR(Final Passed Rate:kbps)
----------------------------------------------------------------------------------------
Rule name State IP PP PB DP DB PR DR FPP FPB FPR
----------------------------------------------------------------------------------------
traffic_rule Enabled 1.1.1.1 226 55502 4 2961 103.3 497 595 6632 664.1
----------------------------------------------------------------------------------------
traffic_rule2 Enabled 1.1.1.5 256 54502 4 2901 112 488 595 6632 664.1
----------------------------------------------------------------------------------------
traffic_rule3 Enabled 1.1.1.8 256 54502 4 2951 112 488 595 6632 664.1
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
Table 11 Command output

Field | Description |
---|---|
Codes | Acronyms for the statistics fields; each acronym is explained in the following rows. |
PP (Passed Packets) | Number of packets permitted by the traffic rule. |
PB (Passed Bytes) | Number of bytes permitted by the traffic rule. |
DP (Dropped Packets) | Number of packets dropped by the traffic rule. |
DB (Dropped Bytes) | Number of bytes dropped by the traffic rule. |
PR (Passed Rate:kbps) | Rate of packets permitted by the traffic rule, in kbps. |
DR (Drop Rate:kbps) | Rate of packets dropped by the traffic rule, in kbps. |
FPP (Final Passed Packets) | Number of packets permitted by both the traffic rule and the interface bandwidth. |
FPB (Final Passed Bytes) | Number of bytes permitted by both the traffic rule and the interface bandwidth. |
FPR (Final Passed Rate:kbps) | Rate of packets permitted by both the traffic rule and the interface bandwidth, in kbps. |
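Reading the per-IP table by eye works for a handful of hosts, not for a rule that covers a subnet. The following Python is an added example, not from this command reference and not device code. It parses the per-IP output of display traffic-policy statistics bandwidth into records, derives the share of offered bytes the rule dropped, and lists hosts whose drop rate exceeds their passed rate, which is what the per-IP limit binding on a host looks like in this output: the host is either a legitimate heavy user whose limit is too low or one generating traffic worth investigating. The sample output is constructed to match the layout shown above (Slot and Codes lines, dashed separators, one row per IP); the 12-column whitespace split assumes rule names contain no whitespace.

```python
"""Parse `display traffic-policy statistics bandwidth ... per-ip` output.

Added example, not from the H3C reference. Column order follows the header
shown in the reference: Rule name, State, IP, PP, PB, DP, DB, PR, DR, FPP, FPB, FPR.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class PerIpStats:
    slot: str
    rule: str
    state: str
    ip: str
    passed_pkts: int
    passed_bytes: int
    dropped_pkts: int
    dropped_bytes: int
    passed_rate_kbps: float
    drop_rate_kbps: float
    final_passed_pkts: int
    final_passed_bytes: int
    final_passed_rate_kbps: float

    @property
    def drop_ratio(self) -> float:
        """Share of offered bytes the rule dropped (0 when nothing was offered)."""
        offered = self.passed_bytes + self.dropped_bytes
        return self.dropped_bytes / offered if offered else 0.0


def parse_per_ip(output: str) -> List[PerIpStats]:
    rows: List[PerIpStats] = []
    slot = "?"
    for line in output.splitlines():
        s = line.strip()
        if not s or s.startswith("-") or s.startswith("Codes:"):
            continue                      # separators and the legend line
        if s.startswith("Slot ") and s.endswith(":"):
            slot = s[5:-1]                # "Slot 1:" -> "1"
            continue
        f = s.split()                     # assumes rule names contain no whitespace
        if len(f) != 12 or f[0] == "Rule":
            continue                      # the column header, or a line we do not understand
        rows.append(PerIpStats(slot, f[0], f[1], f[2],
                               int(f[3]), int(f[4]), int(f[5]), int(f[6]),
                               float(f[7]), float(f[8]),
                               int(f[9]), int(f[10]), float(f[11])))
    return rows


def throttled_hosts(rows: List[PerIpStats]) -> List[PerIpStats]:
    """Hosts currently losing more to the rule than they get through (DR > PR)."""
    return [r for r in rows if r.drop_rate_kbps > r.passed_rate_kbps]


# Constructed sample, modelled on the reference's example output.
SAMPLE = """\
Slot 1:
Codes: PP(Passed Packets), PB(Passed Bytes), DP(Dropped Packets), DB(Dropped Bytes), PR(Passed Rate:kbps), DR(Drop Rate:kbps), FPP(Final Passed Packets), FPB(Final Passed Bytes), FPR(Final Passed Rate:kbps)
----------------------------------------------------------------------------------------
Rule name State IP PP PB DP DB PR DR FPP FPB FPR
----------------------------------------------------------------------------------------
traffic_rule Enabled 1.1.1.1 226 55502 4 2961 103.3 497 595 6632 664.1
----------------------------------------------------------------------------------------
traffic_rule Enabled 1.1.1.5 256 54502 0 0 112 0 595 6632 664.1
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
"""

if __name__ == "__main__":
    for r in throttled_hosts(parse_per_ip(SAMPLE)):
        print(f"slot {r.slot} rule {r.rule} ip {r.ip}: drop {r.drop_rate_kbps} kbps "
              f"vs pass {r.passed_rate_kbps} kbps, {r.drop_ratio:.1%} of bytes dropped")
```

On the constructed sample only 1.1.1.1 is reported: its drop rate of 497 kbps is far above its passed rate of 103.3 kbps, while 1.1.1.5 has no drops at all. The same parser can be pointed at the output of the distributed and IRF forms of the command, since those differ only in the Slot line.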
display traffic-policy statistics connection-limit
Use display traffic-policy statistics connection-limit to display connection limit statistics.
Syntax
Centralized devices in standalone mode:
display traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name }
Distributed devices in standalone mode/centralized devices in IRF mode:
display traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name } [ slot slot-number ]
Distributed devices in IRF mode:
display traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name } [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
per-ip: Displays per-IP connection limit statistics.
ipv4: Displays per-IP connection limit statistics for IPv4 addresses.
ipv4-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command displays connection limit statistics for all IPv4 addresses of the specified traffic rule.
ipv6: Displays per-IP connection limit statistics for IPv6 addresses.
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command displays connection limit statistics for all IPv6 addresses of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
per-rule: Specifies per-rule connection limit statistics.
rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command displays per-rule connection limit statistics for all traffic rules.
per-user: Displays per-user connection limit statistics.
user user-name: Specifies a user by its name, a case-insensitive string of 1 to 55 characters. If you do not specify a user, this command displays per-user connection limit statistics for all users of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays connection limit statistics for all cards. (Distributed devices in standalone mode.)
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays connection limit statistics for all member devices. (Centralized devices in IRF mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command displays connection limit statistics for all cards. (Distributed devices in IRF mode.)
Usage guidelines
You can identify whether a traffic rule works as configured by displaying the connection limit statistics for the traffic rule.
Examples
# (Centralized devices in standalone mode.) Display per-rule connection limit statistics for traffic rule traffic-rule.
<Sysname> display traffic-policy statistics connection-limit per-rule traffic-rule
Slot 0:
Codes: CC(Current Connection), RC(Rejective Connection), CL(Current Limit), RRC(Rate Rejective Connection), RR(Rejective Rate), PR(Pass Rate)
----------------------------------------------------------------------------------------
Rule name State Profile name CC RC CL RRC RR PR
----------------------------------------------------------------------------------------
traffic-rule Enabled profile1 200 300 200 200 300 200
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
# (Centralized devices in standalone mode.) Display per-user connection limit statistics for all users of traffic rule traffic-rule.
<Sysname> display traffic-policy statistics connection-limit per-user rule traffic-rule
Slot 0:
Codes: CC(Current Connection), RC(Rejective Connection), CL(Current Limit), RRC(Rate Rejective Connection), RR(Rejective Rate), PR(Pass Rate)
----------------------------------------------------------------------------------------
Rule name State Profile name User ID User name CC RC CL RRC RR PR
----------------------------------------------------------------------------------------
traffic-rule Enabled profile1 0x3d user1 200 300 200 200 300 200
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
# (Distributed devices in standalone mode.) (Centralized devices in IRF mode.) Display per-rule connection limit statistics for traffic rule traffic-rule.
<Sysname> display traffic-policy statistics connection-limit per-rule traffic-rule
Slot 1:
Codes: CC(Current Connection), RC(Rejective Connection), CL(Current Limit), RRC(Rate Rejective Connection), RR(Rejective Rate), PR(Pass Rate)
----------------------------------------------------------------------------------------
Rule name State Profile name CC RC CL RRC RR PR
----------------------------------------------------------------------------------------
traffic-rule Enabled profile1 200 300 200 200 300 200
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
# (Distributed devices in standalone mode.) (Centralized devices in IRF mode.) Display per-user connection limit statistics for all users of traffic rule traffic-rule.
<Sysname> display traffic-policy statistics connection-limit per-user rule traffic-rule
Slot 1:
Codes: CC(Current Connection), RC(Rejective Connection), CL(Current Limit), RRC(Rate Rejective Connection), RR(Rejective Rate), PR(Pass Rate)
----------------------------------------------------------------------------------------
Rule name State Profile name User ID User name CC RC CL RRC RR PR
----------------------------------------------------------------------------------------
traffic-rule Enabled profile1 0x3d user1 200 300 200 200 300 200
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
Table 12 Command output

Field | Description |
---|---|
Codes | Acronyms for the statistics fields; each acronym is explained in the following rows. |
CC (Current Connection) | Number of current connections. |
RC (Rejective Connection) | Number of connections rejected after the number of current connections reached the limit. |
CL (Current Limit) | Maximum number of connections allowed. |
RRC (Rate Rejective Connection) | Number of connections rejected after the connection establishment rate reached the limit. |
RR (Rejective Rate) | Rate of connections rejected, in connections per second. |
PR (Pass Rate) | Rate of connections established, in connections per second. |
display traffic-policy statistics rule-hit
Use display traffic-policy statistics rule-hit to display rule-hit statistics.
Syntax
Centralized devices in standalone mode:
display traffic-policy statistics rule-hit [ rule rule-name ]
Distributed devices in standalone mode/centralized devices in IRF mode:
display traffic-policy statistics rule-hit [ rule rule-name ] [ slot slot-number ]
Distributed devices in IRF mode:
display traffic-policy statistics rule-hit [ rule rule-name ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command displays rule-hit statistics for all traffic rules.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays rule-hit statistics for all cards. (Distributed devices in standalone mode.)
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays rule-hit statistics for all member devices. (Centralized devices in IRF mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command displays rule-hit statistics for all cards. (Distributed devices in IRF mode.)
Examples
# (Centralized devices in standalone mode.) Display rule-hit statistics for all traffic rules.
<Sysname> display traffic-policy statistics rule-hit
Slot 0:
----------------------------------------------------------------------------------------
Rule ID Rule name State Profile ID Profile name Hit
----------------------------------------------------------------------------------------
201 traffic_rule Enabled 21 prrofile1 11111
----------------------------------------------------------------------------------------
202 traffic_rule1 Enabled 22 prrofile2 11112
----------------------------------------------------------------------------------------
203 traffic_rule2 Enabled 23 prrofile1 11565
----------------------------------------------------------------------------------------
# (Distributed devices in standalone mode.) (Centralized devices in IRF mode.) Display rule-hit statistics for all traffic rules.
<Sysname> display traffic-policy statistics rule-hit
Slot 1:
----------------------------------------------------------------------------------------
Rule ID Rule name State Profile ID Profile name Hit
----------------------------------------------------------------------------------------
201 traffic_rule Enabled 21 prrofile1 11111
----------------------------------------------------------------------------------------
202 traffic_rule1 Enabled 22 prrofile2 11112
----------------------------------------------------------------------------------------
203 traffic_rule2 Enabled 23 prrofile1 11565
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
Table 13 Command output

Field | Description |
---|---|
Hit | Number of times that a rule is matched. |
dscp
Use dscp to configure a DSCP priority as a match criterion.
Use undo dscp to remove all DSCP priority match criteria.
Syntax
dscp dscp-value
undo dscp
Default
No DSCP priority is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies a DSCP priority, which can only be a keyword in Table 14.
Examples
# Configure DSCP priority af11 as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] dscp af11
profile name
Use profile name to create a traffic profile and enter its view, or enter the view of an existing traffic profile.
Use undo profile name to delete a traffic profile.
Syntax
profile name profile-name
undo profile name profile-name
Default
No traffic profile exists.
Views
Traffic policy view
Predefined user roles
network-admin
Parameters
profile-name: Specifies a name for the traffic profile, a case-insensitive string of 1 to 63 characters.
Usage guidelines
A traffic profile defines the bandwidth resources that can be used and takes effect after it is specified for a traffic rule.
Examples
# Create a traffic profile named profile1 and enter traffic profile view.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1]
Related commands
action
profile reference-mode
Use profile reference-mode to set the reference mode for a traffic profile.
Use undo profile reference-mode to restore the default.
Syntax
profile reference-mode { per-rule | rule-shared }
undo profile reference-mode
Default
The reference mode for a traffic profile is per-rule.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
per-rule: Specifies that each traffic rule that uses the traffic profile can reach the bandwidth limits and connection limits specified in the profile.
rule-shared: Specifies that all traffic rules that use the traffic profile share the bandwidth limits and connection limits specified in the profile.
Usage guidelines
After a traffic profile is specified for a traffic rule, the bandwidth limits and connection limits in the profile take effect. The reference mode for a traffic profile can be per-rule or rule-shared.
Examples
# Set the reference mode to rule-shared for traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] profile reference-mode rule-shared
profile rename
Use profile rename to rename a traffic profile.
Syntax
profile rename old-name new-name
Views
Traffic policy view
Predefined user roles
network-admin
Parameters
old-name: Specifies the old name of the traffic profile, a case-insensitive string of 1 to 63 characters.
new-name: Specifies a new name for the traffic profile, a case-insensitive string of 1 to 63 characters. The new name cannot be an existing traffic profile name.
Examples
# Create a traffic profile named profile1, and rename traffic profile profile1 as profile2.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] quit
[Sysname-traffic-policy] profile rename profile1 profile2
remark dscp
Use remark dscp to mark the DSCP priority for packets of a traffic profile.
Use undo remark dscp to restore the default.
Syntax
remark dscp dscp-value
undo remark dscp
Default
The DSCP priority for packets of a traffic profile is not marked.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies a DSCP priority, which can only be a keyword in Table 14.
Table 14 Keyword-value map

Keyword | DSCP value (binary) | DSCP value (decimal) |
---|---|---|
default | 000000 | 0 |
af11 | 001010 | 10 |
af12 | 001100 | 12 |
af13 | 001110 | 14 |
af21 | 010010 | 18 |
af22 | 010100 | 20 |
af23 | 010110 | 22 |
af31 | 011010 | 26 |
af32 | 011100 | 28 |
af33 | 011110 | 30 |
af41 | 100010 | 34 |
af42 | 100100 | 36 |
af43 | 100110 | 38 |
cs1 | 001000 | 8 |
cs2 | 010000 | 16 |
cs3 | 011000 | 24 |
cs4 | 100000 | 32 |
cs5 | 101000 | 40 |
cs6 | 110000 | 48 |
cs7 | 111000 | 56 |
ef | 101110 | 46 |
Usage guidelines
Network devices can classify traffic by using DSCP priorities and provide different treatment for packets with different DSCP priorities.
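Because downstream devices act on the DSCP field, remarking at a trust boundary is what stops hosts from self-assigning a high-priority marking (ef, cs6) and crowding out other traffic; the remark dscp action rewrites exactly the top six bits of the IPv4 ToS or IPv6 Traffic Class byte and leaves the two ECN bits alone. The following is an added example, not H3C's code: the Table 14 map as data, a cross-check that every decimal value follows from the keyword's structure, and the byte rewrite itself. All function names are this example's own.

```python
# Added example, not H3C code: the Table 14 keyword map as data, a derivation of each
# value from the keyword's RFC 2474/2597/3246 structure to cross-check the table, and
# the rewrite of the DSCP field inside an IPv4 ToS / IPv6 Traffic Class byte that a
# "remark dscp" action performs. The function names are this example's own.
from typing import Optional

DSCP_KEYWORDS = {  # keyword -> 6-bit DSCP value (Table 14)
    "default": 0, "cs1": 8, "cs2": 16, "cs3": 24, "cs4": 32, "cs5": 40, "cs6": 48, "cs7": 56,
    "af11": 10, "af12": 12, "af13": 14, "af21": 18, "af22": 20, "af23": 22,
    "af31": 26, "af32": 28, "af33": 30, "af41": 34, "af42": 36, "af43": 38, "ef": 46,
}


def is_valid_keyword(keyword: str) -> bool:
    """True only for the keywords the dscp / remark dscp commands accept."""
    return keyword.lower() in DSCP_KEYWORDS


def dscp_from_keyword(keyword: str) -> int:
    if not is_valid_keyword(keyword):
        raise ValueError(f"unknown DSCP keyword: {keyword}")
    return DSCP_KEYWORDS[keyword.lower()]


def dscp_binary(keyword: str) -> str:
    """The 6-bit string shown in the 'DSCP value (binary)' column."""
    return format(dscp_from_keyword(keyword), "06b")


def derive_dscp(keyword: str) -> int:
    """Compute the value from the keyword alone: csN = N<<3, afXY = X<<3 | Y<<1, ef = 46."""
    k = keyword.lower()
    if k == "default":
        return 0
    if k == "ef":
        return 46
    if k.startswith("cs") and len(k) == 3:
        return int(k[2]) << 3
    if k.startswith("af") and len(k) == 4:      # class X in 1..4, drop precedence Y in 1..3
        return (int(k[2]) << 3) | (int(k[3]) << 1)
    raise ValueError(f"cannot derive DSCP for {keyword}")


def table_is_consistent() -> bool:
    """Cross-check: every Table 14 decimal value equals the structurally derived one."""
    return all(derive_dscp(k) == v for k, v in DSCP_KEYWORDS.items())


def remark_dscp(tos_byte: int, keyword: str) -> int:
    """Overwrite the top 6 bits (DSCP) of the ToS/Traffic Class byte, keep the 2 ECN bits."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte must be 0..255")
    return (dscp_from_keyword(keyword) << 2) | (tos_byte & 0x03)


def decode_dscp(tos_byte: int) -> tuple[int, Optional[str], int]:
    """Split a ToS/Traffic Class byte into (dscp, keyword or None, ecn)."""
    dscp, ecn = tos_byte >> 2, tos_byte & 0x03
    name = next((k for k, v in DSCP_KEYWORDS.items() if v == dscp), None)
    return dscp, name, ecn
```

`is_valid_keyword` mirrors the CLI's restriction to the Table 14 keywords: a syntactically plausible keyword such as af44 is rejected even though `derive_dscp` could compute a number for it.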
Examples
# Mark DSCP priority af22 for packets of traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] remark dscp af22
Related commands
profile name
reset traffic-policy statistics bandwidth
Use reset traffic-policy statistics bandwidth to clear traffic statistics for traffic rules.
Syntax
Centralized devices in standalone mode:
reset traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name }
Distributed devices in standalone mode/centralized devices in IRF mode:
reset traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name } [ slot slot-number ]
Distributed devices in IRF mode:
reset traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name } [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
Parameters
downstream: Specifies downstream traffic.
total: Specifies both downstream traffic and upstream traffic.
upstream: Specifies upstream traffic.
per-ip: Clears per-IP traffic statistics.
ipv4: Clears per-IP traffic statistics for IPv4 addresses.
ipv4-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command clears per-IP traffic statistics for all IPv4 addresses of the specified traffic rule.
ipv6: Clears per-IP traffic statistics for IPv6 addresses.
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command clears per-IP traffic statistics for all IPv6 addresses of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
per-rule: Clears per-rule traffic statistics.
rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command clears per-rule traffic statistics for all traffic rules.
per-user: Clears per-user traffic statistics.
user user-name: Specifies a user by its name, a case-insensitive string of 1 to 55 characters. If you do not specify a user, this command clears per-user traffic statistics for all users of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears traffic statistics for all cards. (Distributed devices in standalone mode.)
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears traffic statistics for all member devices. (Centralized devices in IRF mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command clears traffic statistics for all cards. (Distributed devices in IRF mode.)
Examples
# Clear per-rule upstream traffic statistics for traffic rule traffic_rule.
<Sysname> reset traffic-policy statistics bandwidth upstream per-rule traffic_rule
Succeeded in clearing the bandwidth statistics.
reset traffic-policy statistics connection-limit
Use reset traffic-policy statistics connection-limit to clear connection limit statistics for traffic rules.
Syntax
Centralized devices in standalone mode:
reset traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name }
Distributed devices in standalone mode/centralized devices in IRF mode:
reset traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name } [ slot slot-number ]
Distributed devices in IRF mode:
reset traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ rule-name ] | per-user [ user user-name ] rule rule-name } [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
Parameters
per-ip: Clears per-IP connection limit statistics.
ipv4: Clears per-IP connection limit statistics for IPv4 addresses.
ipv4-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command clears connection limit statistics for all IPv4 addresses of the specified traffic rule.
ipv6: Clears per-IP connection limit statistics for IPv6 addresses.
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command clears connection limit statistics for all IPv6 addresses of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
per-rule: Clears per-rule connection limit statistics.
rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command clears per-rule connection limit statistics for all traffic rules.
per-user: Clears per-user connection limit statistics.
user user-name: Specifies a user by its name, a case-insensitive string of 1 to 55 characters. If you do not specify a user, this command clears per-user connection limit statistics for all users of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears connection limit statistics for all cards. (Distributed devices in standalone mode.)
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears connection limit statistics for all member devices. (Centralized devices in IRF mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command clears connection limit statistics for all cards. (Distributed devices in IRF mode.)
Examples
# Clear per-rule connection limit statistics for traffic rule traffic_rule.
<Sysname> reset traffic-policy statistics connection-limit per-rule traffic_rule
reset traffic-policy statistics rule-hit
Use reset traffic-policy statistics rule-hit to clear rule-hit statistics for traffic rules.
Syntax
Centralized devices in standalone mode:
reset traffic-policy statistics rule-hit [ rule rule-name ]
Distributed devices in standalone mode/centralized devices in IRF mode:
reset traffic-policy statistics rule-hit [ rule rule-name ] [ slot slot-number ]
Distributed devices in IRF mode:
reset traffic-policy statistics rule-hit [ rule rule-name ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
Parameters
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command clears rule-hit statistics for all traffic rules.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears rule-hit statistics for all cards. (Distributed devices in standalone mode.)
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears rule-hit statistics for all member devices. (Centralized devices in IRF mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command clears rule-hit statistics for all cards. (Distributed devices in IRF mode.)
Examples
# Clear rule-hit statistics for traffic rule traffic_rule.
<Sysname> reset traffic-policy statistics rule-hit rule traffic_rule
# Clear rule-hit statistics for all traffic rules.
<Sysname> reset traffic-policy statistics rule-hit
rule copy
Use rule copy to copy a traffic rule.
Syntax
rule copy rule-name new-rule-name
Views
Traffic policy view
Predefined user roles
network-admin
Parameters
rule-name: Specifies a traffic rule to be copied by its name, a case-insensitive string of 1 to 63 characters.
new-rule-name: Specifies a name for the new traffic rule, a case-insensitive string of 1 to 63 characters. The new name cannot be an existing traffic profile name.
Usage guidelines
If a traffic rule to be created is similar to an existing traffic rule, create the traffic rule by copying the existing traffic rule and then modify it. The new traffic rule is placed next to the copied traffic rule.
If a traffic rule to be copied has child traffic rules, only the parent traffic rule is copied.
Examples
# Create a traffic rule named rule2 by copying traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule copy rule1 rule2
rule move
Use rule move to move a traffic rule to a new position.
Syntax
rule move rule-name1 { after | before } rule-name2
Views
Traffic policy view
Predefined user roles
network-admin
Parameters
rule-name1: Specifies a traffic rule to be moved by its name, a case-insensitive string of 1 to 63 characters.
after: Moves the specified traffic rule to the position after a target traffic rule.
before: Moves the specified traffic rule to the position before a target traffic rule.
rule-name2: Specifies the target traffic rule by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
The device matches traffic with traffic rules in their order of appearance on the device. When a traffic rule is matched, the matching process ends and the device applies the traffic profile specified for the traffic rule to the traffic. If no traffic rule is matched, the device forwards the traffic.
To ensure reasonable, precise bandwidth management, configure traffic rules in ascending order of granularity. If the traffic rules are not in ascending order of granularity, use the rule move command to change their positions.
You can move child traffic rules only within their parent traffic rule.
Examples
# Create two traffic rules named rule1 and rule2, and move rule1 to the position after rule2.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] quit
[Sysname-traffic-policy] rule name rule2
[Sysname-traffic-policy-rule-rule2] quit
[Sysname-traffic-policy] rule move rule1 after rule2
rule name
Use rule name to create a traffic rule and enter its view, or enter the view of an existing traffic rule.
Use undo rule name to delete a traffic rule.
Syntax
rule name rule-name [ parent parent-rule-name ]
undo rule name rule-name
Default
No traffic rule exists.
Views
Traffic policy view
Predefined user roles
network-admin
Parameters
rule-name: Specifies a name for the traffic rule, a case-insensitive string of 1 to 63 characters. The name cannot be an existing traffic profile name.
parent parent-rule-name: Specifies a parent traffic rule by its name, a case-insensitive string of 1 to 63 characters. To successfully create the traffic rule, make sure the parent traffic rule already exists.
Usage guidelines
You can configure multiple traffic rules in the traffic policy. For a traffic rule, you can configure match criteria to match packets and specify the traffic profile to apply to matching packets. The device matches traffic rules in their order of appearance on the device. When a traffic rule is matched, the matching process ends and the device applies the traffic profile for the traffic rule to the traffic. If no traffic rule is matched, the device forwards the traffic.
For a new traffic rule to inherit the match criteria of an existing traffic rule, specify the existing traffic rule as the parent of the new traffic rule.
A level-4 rule cannot act as a parent rule.
You can specify a parent traffic rule only when creating a traffic rule. You cannot add or modify a parent traffic rule for an existing traffic rule.
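The ordering rules above (first match wins, the parent's criteria are inherited, a level-4 rule cannot be a parent, child rules move only within their parent) and the profile reference-mode semantics interact in ways that are easy to get wrong: a broad rule placed ahead of a narrower one silently shadows it, and a rule-shared profile lets one rule's connections exhaust the limit that another rule depends on. The following is an added example, not H3C's code: a small Python model of a traffic policy that implements those behaviours as this reference states them, covering the profile reference-mode, rule move and rule name guidelines together. The packet field names, the Rule and Profile classes and the level bookkeeping are this example's assumptions, not device internals.

```python
# Added example, not H3C code: a Python model of the rule handling this reference
# describes (first match in order of appearance, child rules inheriting the parent's
# criteria, no level-4 parents, rule move only among siblings, per-rule vs rule-shared
# connection limits). Packet field names and the Rule/Profile classes are assumptions.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Profile:
    name: str
    connection_limit: int              # maximum concurrent connections (the CL counter)
    reference_mode: str = "per-rule"   # "per-rule" (default) or "rule-shared"

@dataclass
class Rule:
    name: str
    criteria: dict = field(default_factory=dict)   # criterion name -> allowed values
    profile: Optional[str] = None
    parent: Optional[str] = None
    level: int = 1                     # 1 = top-level rule; a level-4 rule cannot be a parent

class TrafficPolicy:
    def __init__(self) -> None:
        self.rules: list[Rule] = []            # list order = order of appearance = match order
        self.profiles: dict[str, Profile] = {}
        self.connections: dict[str, int] = {}  # limit pool -> current connections

    def profile_name(self, name: str, limit: int, mode: str = "per-rule") -> None:
        self.profiles[name] = Profile(name, limit, mode)

    def get_rule(self, name: str) -> Rule:
        for r in self.rules:                   # rule names are case-insensitive
            if r.name.lower() == name.lower():
                return r
        raise KeyError(f"no traffic rule named {name}")

    def can_be_parent(self, name: str) -> bool:
        return self.get_rule(name).level < 4   # the rule must exist and be below level 4

    def rule_name(self, name: str, parent: Optional[str] = None,
                  profile: Optional[str] = None, **criteria: set) -> Rule:
        rule = Rule(name, {k.replace("_", "-"): set(v) for k, v in criteria.items()}, profile)
        if parent is not None:
            p = self.get_rule(parent)          # the parent must already exist
            if not self.can_be_parent(parent):
                raise ValueError("a level-4 rule cannot act as a parent rule")
            for k, v in p.criteria.items():    # child inherits every parent criterion
                rule.criteria.setdefault(k, set()).update(v)
            rule.parent, rule.level = p.name, p.level + 1
        self.rules.append(rule)
        return rule

    def rule_move(self, name: str, position: str, target: str) -> None:
        rule, tgt = self.get_rule(name), self.get_rule(target)
        if rule.parent != tgt.parent:
            raise ValueError("child rules can be moved only within their parent rule")
        self.rules.remove(rule)
        self.rules.insert(self.rules.index(tgt) + (1 if position == "after" else 0), rule)

    def match(self, packet: dict) -> Optional[Rule]:
        """First rule whose every criterion accepts the packet; None means forward as-is."""
        for r in self.rules:
            if all(packet.get(k) in allowed for k, allowed in r.criteria.items()):
                return r
        return None

    def new_connection(self, packet: dict) -> tuple[Optional[str], bool]:
        """Admit a connection against the matched rule's profile limit: (rule, admitted)."""
        r = self.match(packet)
        if r is None or r.profile is None:
            return (None if r is None else r.name, True)
        prof = self.profiles[r.profile]
        pool = prof.name if prof.reference_mode == "rule-shared" else f"{prof.name}/{r.name}"
        if self.connections.get(pool, 0) >= prof.connection_limit:
            return (r.name, False)             # rejected; the device counts this as RC
        self.connections[pool] = self.connections.get(pool, 0) + 1
        return (r.name, True)

def shadowing_demo() -> tuple[str, str]:
    # The coarse rule listed first hides the finer one until rule move reorders them.
    tp = TrafficPolicy()
    tp.profile_name("p-all", 100); tp.profile_name("p-ftp", 10)
    tp.rule_name("all-trust", profile="p-all", source_zone={"trust"})
    tp.rule_name("trust-ftp", profile="p-ftp", source_zone={"trust"}, service={"ftp"})
    pkt = {"source-zone": "trust", "service": "ftp"}
    before = tp.match(pkt).name
    tp.rule_move("trust-ftp", "before", "all-trust")
    return before, tp.match(pkt).name

def reference_mode_demo(mode: str) -> list[bool]:
    # Two rules reference one profile with connection limit 2; admit/reject per attempt.
    tp = TrafficPolicy()
    tp.profile_name("limit2", 2, mode)
    tp.rule_name("ftp-rule", profile="limit2", service={"ftp"})
    tp.rule_name("ssh-rule", profile="limit2", service={"ssh"})
    ftp, ssh = {"service": "ftp"}, {"service": "ssh"}
    return [tp.new_connection(p)[1] for p in (ftp, ftp, ftp, ssh, ssh, ssh)]
```

`shadowing_demo` returns ("all-trust", "trust-ftp"): the ftp packet hits the broad rule until the narrower rule is moved ahead of it. `reference_mode_demo("per-rule")` admits two connections per rule, while `reference_mode_demo("rule-shared")` admits two in total, after which the ssh rule is rejected by connections it never saw.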
Examples
# Create a traffic rule named rule1 and enter traffic rule view.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1]
rule rename
Use rule rename to rename a traffic rule.
Syntax
rule rename old-rule-name new-rule-name
Views
Traffic policy view
Predefined user roles
network-admin
Parameters
old-rule-name: Specifies the old name of the traffic rule, a case-insensitive string of 1 to 63 characters.
new-rule-name: Specifies a new name for the traffic rule, a case-insensitive string of 1 to 63 characters. The new name cannot be an existing traffic profile name.
Examples
# Create a traffic rule named rule1, and rename traffic rule rule1 as rule2.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] quit
[Sysname-traffic-policy] rule rename rule1 rule2
service
Use service to configure a service object group as a match criterion.
Use undo service to delete a service object group match criterion.
Syntax
service object-group-name
undo service object-group-name
Default
No service object group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can specify multiple service object groups for a traffic rule to match packets.
Examples
# Specify predefined service object group ftp for traffic rule rule1 to match packets.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] service ftp
Related commands
object-group (Security Command Reference)
source-address
Use source-address to configure a source IP address object group as a match criterion.
Use undo source-address to delete a source IP address object group match criterion.
Syntax
source-address address-set object-group-name
undo source-address address-set object-group-name
Default
No source IP address object group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
object-group-name: Specifies an IPv4 or IPv6 address object group by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This command enables a traffic rule to use the IP addresses in the specified address object group as a source IP address match criterion. You can specify multiple address object groups for a traffic rule to match source IP addresses of packets.
Before rolling back configuration by using the configuration replace file filename command, check the address object group configuration of the traffic rule in the configuration file. The address object group configuration fails to be rolled back if two address object groups have the same name but are of different types (IPv4/IPv6).
Examples
# Specify IPv4 address object group obgroup1 for traffic rule rule1 to match source IPv4 addresses of packets.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] source-address address-set obgroup1
Related commands
object-group (Security Command Reference)
source-zone
Use source-zone to configure a source security zone as a match criterion.
Use undo source-zone to delete a source security zone match criterion.
Syntax
source-zone source-zone-name
undo source-zone source-zone-name
Default
No source security zone is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
source-zone-name: Specifies a source zone by its name, a case-insensitive string of 1 to 31 characters. The name cannot contain hyphens (-).
Examples
# Configure source security zone zone1 as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] source-zone zone1
Related commands
security-zone name (Security Command Reference)
time-range
Use time-range to specify a time range during which a traffic rule is in effect.
Use undo time-range to restore the default.
Syntax
time-range time-range-name
undo time-range
Default
A traffic rule is in effect at any time.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters.
Examples
# Specify time range work-time for traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] time-range work-time
Related commands
time-range (ACL and QoS Command Reference)
traffic-policy
Use traffic-policy to enter traffic policy view.
Syntax
traffic-policy
Views
System view
Predefined user roles
network-admin
Usage guidelines
In traffic policy view, you can create and manage traffic rules.
Examples
# Enter traffic policy view.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy]
traffic-priority
Use traffic-priority to set the traffic priority for a traffic profile.
Use undo traffic-priority to restore the default.
Syntax
traffic-priority priority-value
undo traffic-priority
Default
The traffic priority is 1 for a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
priority-value: Specifies the priority value in the range of 1 to 7. The larger the priority value, the higher the priority.
Usage guidelines
When an interface is congested with packets of multiple traffic profiles, packets with higher priority are sent first. Packets with the same priority have the same chance of being forwarded.
Examples
# Set the traffic priority to 7 for traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] traffic-priority 7
Related commands
profile name
wlan ssid
Use wlan ssid to configure an SSID as a match criterion.
Use undo wlan ssid to delete an SSID match criterion.
Syntax
wlan ssid ssid-name
undo wlan ssid ssid-name
Default
No SSID is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
mdc-admin
Parameters
ssid-name: Specifies an SSID by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
The following matrix shows the command and hardware compatibility:
Hardware | Command compatibility |
---|---|
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes |
MSR810-LMS/810-LUS | No |
MSR2600-6-X1/2600-10-X1 | Yes |
MSR 2630 | Yes |
MSR3600-28/3600-51 | Yes |
MSR3600-28-SI/3600-51-SI | No |
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
MSR 3610/3620/3620-DP/3640/3660 | Yes |
MSR5620/5660/5680 | No |

Hardware | Command compatibility |
---|---|
MSR810-LM-GL | Yes |
MSR810-W-LM-GL | Yes |
MSR830-6EI-GL | Yes |
MSR830-10EI-GL | Yes |
MSR830-6HI-GL | Yes |
MSR830-10HI-GL | Yes |
MSR2600-6-X1-GL | Yes |
MSR3600-28-SI-GL | No |
This command matches the packets of users that use the specified SSID. You can configure this command multiple times to specify multiple SSIDs.
Examples
# Configure SSID service as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] wlan ssid service
wlan user-profile
Use wlan user-profile to configure a user profile as a match criterion.
Use undo wlan user-profile to delete a user profile match criterion.
Syntax
wlan user-profile profile-name
undo wlan user-profile profile-name
Default
No user profile is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
mdc-admin
Parameters
profile-name: Specifies a user profile by its name, a case-sensitive string of 1 to 31 characters. The name must begin with a letter and can only contain letters, digits, and underscores (_).
Usage guidelines
The following matrix shows the command and hardware compatibility:
Hardware | Command compatibility |
---|---|
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes |
MSR810-LMS/810-LUS | No |
MSR2600-6-X1/2600-10-X1 | Yes |
MSR 2630 | Yes |
MSR3600-28/3600-51 | Yes |
MSR3600-28-SI/3600-51-SI | No |
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes |
MSR 3610/3620/3620-DP/3640/3660 | Yes |
MSR5620/5660/5680 | No |

Hardware | Command compatibility |
---|---|
MSR810-LM-GL | Yes |
MSR810-W-LM-GL | Yes |
MSR830-6EI-GL | Yes |
MSR830-10EI-GL | Yes |
MSR830-6HI-GL | Yes |
MSR830-10HI-GL | Yes |
MSR2600-6-X1-GL | Yes |
MSR3600-28-SI-GL | No |
When a user accesses the device, the authentication server first authenticates the user. If the user passes authentication, the authentication server sends to the device the name of the user profile bound to the user account. Then, the device can perform bandwidth management on the user according to the settings of the user profile.
This command takes effect only on wireless users. You can configure this command multiple times to specify multiple user profiles.
Examples
# Configure user profile user as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] wlan user-profile user