03-Security Command Reference


Deception commands

The following compatibility matrixes show the support of hardware platforms for the deception feature:

F1000 series

Series               Models                                                                      Deception compatibility
F1000-X-G5 series    F1000-A-G5, F1000-C-G5, F1000-C-G5-LI, F1000-E-G5, F1000-H-G5, F1000-S-G5   Yes
F1000-X-XI series    F1000-E-XI                                                                  Yes

F100 series

Series               Models                                                  Deception compatibility
F100-X-G5 series     F100-A-G5, F100-C-G5, F100-E-G5, F100-M-G5, F100-S-G5   Yes
F100-C-A series      F100-C-A2, F100-C-A1                                    No
F100-X-XI series     F100-A-XI                                               No
                     F100-C-XI, F100-S-XI                                    Yes

allowlist

Use allowlist to configure a deception allowlist entry.

Use undo allowlist to delete a deception allowlist entry.

Syntax

allowlist [ id id-number ] { destination | source } ip-address [ mask | mask-length ] [ vpn-instance vpn-instance-name ]

undo allowlist [ id id-number ]

Default

Deception allowlist entries do not exist.

Views

Deception view

Predefined user roles

network-admin

context-admin

Parameters

id id-number: Specifies a deception allowlist entry ID in the value range of 1 to 50. If you do not specify an ID, the device automatically assigns an ID for the entry.

destination: Specifies a destination address allowlist entry.

source: Specifies a source address allowlist entry.

ip-address: IP address in the allowlist entry.

mask: Mask for the IP address.

mask-length: Mask length for the IP address, in the range of 1 to 32.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the deception allowlist entry belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the allowlisted IP address is on the public network, do not specify this option.

Usage guidelines

The deception allowlist specifies the deception exceptions. It can contain source address allowlist entries and destination address allowlist entries.

·     For the IP addresses in the destination address allowlist entries, the device will not decoy the traffic accessing these IP addresses.

·     For the IP addresses in the source address allowlist entries, the device will not decoy the traffic initiated by these IP addresses.

For devices that do not respond to ARP requests (some legacy printers for example), you can add their IP addresses to the destination address allowlist to prevent normal access traffic from being decoyed.

For devices that will periodically send probe packets (some NMS devices for example), you can add their IP addresses to the source address allowlist to prevent their traffic from being decoyed as intrusion traffic.

The deception allowlist cannot contain IP address 0.0.0.0 or 255.255.255.255.

If you do not specify an ID in the undo allowlist command, the device will delete all deception allowlist entries.

Examples

# Configure a deception allowlist entry: set the entry ID to 1 and destination address as 1.1.1.1.

<Sysname> system-view

[Sysname] deception

[Sysname-deception] allowlist id 1 destination 1.1.1.1

Related commands

deception enable

arp-scan threshold

Use arp-scan threshold to set the ARP request sending rate that triggers deception, hereinafter referred to as the deception threshold.

Use undo arp-scan threshold to restore the default.

Syntax

arp-scan threshold threshold-value

undo arp-scan threshold

Default

By default, the deception threshold is 10 ARP requests per 10 seconds.

Views

Deception view

Predefined user roles

network-admin

context-admin

Parameters

threshold-value: Specifies the deception threshold, in the range of 1 to 20000. This value represents the number of ARP requests sent per 10 seconds.

Usage guidelines

After deception is enabled (by using the deception enable command) and the non-strict deception mode (the default) is used, the device enters deception state when it detects that the following conditions are met:

·     The ARP request sending rate to a detection network (configured by using the detect-network command) reaches the deception threshold.

·     A scanned IP address in a detection network is in offline state.

If you execute the arp-scan threshold command multiple times, the most recent configuration takes effect.

Examples

# Configure the ARP request sending rate that triggers deception as 500 ARP requests per 10 seconds.

<Sysname> system-view

[Sysname] deception

[Sysname-deception] arp-scan threshold 500

Related commands

deception enable

decoy

detect-network

deception

Use deception to enter deception view.

Use undo deception to delete all deception configuration.

Syntax

deception

undo deception

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Enter deception view to configure deception settings.

Executing the undo deception command deletes all deception settings. Use caution when you perform this operation.

Examples

# Enter deception view.

<Sysname> system-view

[Sysname] deception

[Sysname-deception]

deception enable

Use deception enable to enable the deception feature.

Use undo deception enable to disable the deception feature.

Syntax

deception enable

undo deception enable

Default

The deception feature is disabled.

Views

Deception view

Predefined user roles

network-admin

context-admin

Usage guidelines

After intruding into an internal network, attackers typically perform multiple scans to learn which internal IP addresses are in use. Deception detects such scanning on the intranet to reveal intrusions and forges responses on behalf of the scanned hosts to draw attackers into deep interaction with the decoy server. This misdirects attackers away from their real targets and allows the attacks to be analyzed and traced, protecting the intranet.

After deception is enabled, the device lures suspicious traffic to the decoy server for in-depth analysis. Incorrect deception settings might misdirect normal network traffic to the decoy server. Before enabling deception, use the display this command in deception view to verify the deception settings.

Examples

# Enable deception.

<Sysname> system-view

[Sysname] deception

[Sysname-deception] deception enable

Related commands

arp-scan threshold

deception mode strict

decoy

decoy-network

ip-state detect rate

allowlist

deception mode strict

Use deception mode strict to enable the strict deception mode.

Use undo deception mode to restore the default.

Syntax

deception mode strict

undo deception mode

Default

The strict deception mode is disabled. The non-strict mode is used for deception.

Views

Deception view

Predefined user roles

network-admin

context-admin

Usage guidelines

Use the strict deception mode on a network where devices use static ARP entries instead of sending ARP requests. In strict mode, when the device detects an ARP request for an offline IP address on a detection network (see the detect-network command), it immediately lures the attacker's subsequent traffic destined for the IP address to the decoy server.

Use the non-strict deception mode on networks where ARP entries can be aged. In non-strict mode, the device periodically detects the rate of ARP requests sent to a detection network. When the rate reaches the deception threshold, the subsequent traffic sent from the attackers to the offline IP addresses in the detection network will be lured to the decoy server for further analysis.

Examples

# Enable the strict mode for deception.

<Sysname> system-view

[Sysname] deception

[Sysname-deception] deception mode strict

decoy

Use decoy to configure the IP address of the decoy server.

Use undo decoy to restore the default.

Syntax

decoy destination destination-ip [ source source-ip ] [ dest-port destination-port ] [ vpn-instance vpn-instance-name ]

undo decoy

Default

No decoy server IP address is configured.

Views

Deception view

Predefined user roles

network-admin

context-admin

Parameters

destination destination-ip: Specifies the IP address of the decoy server.

source source-ip: Specifies the source IP address used by the device to connect to the decoy server. If you do not specify this option, the device randomly uses the IP address of an up interface as the source IP address. Do not configure this option in an RBM network.

dest-port destination-port: Specifies the service port number of the decoy server. The value range is 1 to 65535, and the default value is 5555.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the decoy server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the decoy server is on the public network, do not specify this option.

Usage guidelines

A decoy server is a threat perception and traceability system. It entices attackers into deep interaction within a carefully constructed simulation environment, analyzes and traces their behavior, and keeps the real network out of their reach.

After deception is enabled (see the deception enable command), the device acts as a proxy between the attacker and the decoy server: it lures the attack traffic to the decoy server for analysis and forwards the decoy server's responses back to the attacker.

The value for the destination-ip or source-ip argument cannot be 0.0.0.0 or 255.255.255.255.

If you execute the decoy command multiple times, the most recent configuration takes effect.

Examples

# Configure the IP address of the decoy server as 1.1.1.2, and the source IP address used by the device to connect to the decoy server as 1.1.1.1.

<Sysname> system-view

[Sysname] deception

[Sysname-deception] decoy destination 1.1.1.2 source 1.1.1.1

Related commands

deception enable

decoy-network

Use decoy-network to configure a decoy network.

Use undo decoy-network to delete decoy networks.

Syntax

decoy-network [ id id-number ] destination ip-address [ mask | mask-length ] [ vpn-instance vpn-instance-name ]

undo decoy-network [ id id-number ]

Default

No decoy networks exist.

Views

Deception view

Predefined user roles

network-admin

context-admin

Parameters

id id-number: Specifies a decoy network ID in the value range of 1 to 50. If you do not specify an ID, the device automatically assigns an ID for the decoy network.

destination ip-address: Specifies the decoy network address.

mask: Specifies the mask of the decoy network.

mask-length: Specifies the mask length for the decoy network, in the range of 1 to 32.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the decoy network belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the decoy network belongs to the public network.

Usage guidelines

Decoy networks are used for static deception. When the device detects that an attacker initiates scanning or any form of access to an IP address in a decoy network, no matter whether the IP address is online or not, the device will immediately enter the deception state and lure the attacker's subsequent traffic to the decoy server for in-depth analysis.

If a decoy network overlaps with the addresses in the deception allowlist (see the allowlist command), the device will treat the overlapping IP addresses as allowlisted IP addresses. If a decoy network overlaps with a detection network, the device will treat the overlapping IP addresses as the IP addresses in the decoy network.

A decoy network cannot contain IP address 0.0.0.0 or 255.255.255.255.

If you do not specify an ID in the undo decoy-network command, the device will delete all decoy networks.

Examples

# Configure decoy network 1 as 1.1.1.0/24.

<Sysname> system-view

[Sysname] deception

[Sysname-deception] decoy-network id 1 destination 1.1.1.0 24

Related commands

deception enable

allowlist

detect-network

Use detect-network to configure a detection network.

Use undo detect-network to delete detection networks.

Syntax

detect-network [ id id-number ] ip-address [ mask | mask-length ] [ vpn-instance vpn-instance-name ]

undo detect-network [ id id-number ]

Default

No detection networks exist.

Views

Deception view

Predefined user roles

network-admin

context-admin

Parameters

id id-number: Specifies a detection network ID in the value range of 1 to 50. If you do not specify an ID, the device automatically assigns an ID for the detection network.

ip-address: Specifies the detection network address.

mask: Specifies the mask of the detection network.

mask-length: Specifies the mask length for the detection network, in the range of 1 to 32.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the detection network belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the detection network is on the public network, do not specify this option.

Usage guidelines

Detection networks are used for offline IP deception. Make sure the device can reach the detection networks.

If detection networks are configured and deception is enabled, the device constantly monitors the ARP requests sent to the detection networks. The device processes deception differently in different deception modes.

·     In strict mode, when the device detects an ARP request for an offline IP address on a detection network, it immediately lures the attacker's subsequent traffic destined for the IP address to the decoy server for in-depth analysis.

·     In non-strict mode, the device periodically detects the rate of the ARP requests sent by attackers to the detection networks. When the rate reaches the deception threshold and the scanned IP address is offline, the subsequent traffic sent from the attackers to the offline IP address will be lured to the decoy server for further analysis.

If a detection network overlaps with a decoy network, the device will treat the overlapping IP addresses as the IP addresses in the decoy network. If a detection network overlaps with the addresses in the deception allowlist, the device will treat the overlapping IP addresses as allowlisted IP addresses.

The total number of IP addresses in all detection networks cannot exceed 10240.

A detection network cannot contain IP address 0.0.0.0 or 255.255.255.255.

If you do not specify an ID in the undo detect-network command, the device will delete all detection networks.

Examples

# Configure detection network 1 as 1.1.1.0/24.

<Sysname> system-view

[Sysname] deception

[Sysname-deception] detect-network id 1 1.1.1.0 24

Related commands

arp-scan threshold

deception enable

deception mode strict

decoy-network

allowlist
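As an added illustration (example code written for this edit, not H3C code and not device output), the following Python models the decision rules that the deception mode strict, decoy-network and detect-network sections above describe, so that a planned set of entries can be checked against the documented limits, and against which flows it would divert, before deception enable is run. It accepts entries in a.b.c.d/len form only; the sample addresses, online states and ARP rates are constructed, and the device's real mechanics (ARP monitoring, entry ageing, proxying to the decoy server) are not modelled.

```python
"""Policy model of the deception decision documented in this reference.

Added example, not H3C code. It encodes the documented rules:
  * allowlist entries win over decoy networks, which win over detection networks;
  * a decoy network triggers static deception on any access, online or not;
  * a detection network triggers offline-IP deception only for offline hosts:
    immediately in strict mode, or once the source's ARP request rate reaches
    the arp-scan threshold (requests per 10 s) in non-strict mode;
  * no entry may contain 0.0.0.0 or 255.255.255.255, at most 50 entries per
    list, and at most 10240 addresses across all detection networks.
Host online state and per-source ARP rates are supplied by the caller here;
on the device they come from ip-state scanning and ARP monitoring.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

RESERVED = (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))
MAX_ENTRIES = 50          # id range 1..50 for allowlist, decoy-network, detect-network
MAX_DETECT_HOSTS = 10240  # documented ceiling for all detection networks combined


def parse_net(text: str) -> IPv4Network:
    """Parse 'a.b.c.d/len' (or a bare host) and reject the reserved addresses."""
    net = ip_network(text, strict=False)
    if any(r in net for r in RESERVED):
        raise ValueError(f"{text}: entries cannot contain 0.0.0.0 or 255.255.255.255")
    return net


@dataclass
class DeceptionPolicy:
    allow_src: list = field(default_factory=list)    # allowlist source entries
    allow_dst: list = field(default_factory=list)    # allowlist destination entries
    decoy_nets: list = field(default_factory=list)   # decoy-network entries
    detect_nets: list = field(default_factory=list)  # detect-network entries
    strict: bool = False                             # deception mode strict
    arp_threshold: int = 10                          # arp-scan threshold, per 10 s

    def validate(self) -> list:
        """Return the list of configuration problems (empty when the policy is sane)."""
        problems = []
        for name, entries in (("allowlist", self.allow_src + self.allow_dst),
                              ("decoy-network", self.decoy_nets),
                              ("detect-network", self.detect_nets)):
            if len(entries) > MAX_ENTRIES:
                problems.append(f"{name}: {len(entries)} entries exceed the limit of {MAX_ENTRIES}")
        hosts = sum(n.num_addresses for n in self.detect_nets)
        if hosts > MAX_DETECT_HOSTS:
            problems.append(f"detect-network: {hosts} addresses exceed the limit of {MAX_DETECT_HOSTS}")
        if not 1 <= self.arp_threshold <= 20000:
            problems.append(f"arp-scan threshold {self.arp_threshold} is outside 1..20000")
        return problems


def decide(policy: DeceptionPolicy, src: str, dst: str, *,
           dst_online: bool, src_arp_rate: int = 0) -> str:
    """Classify a new flow src -> dst as 'forward', 'Decoy' or 'Off-IP'.

    'Decoy' and 'Off-IP' are the Type values shown by display deception redirect.
    src_arp_rate is the source's ARP request rate per 10 s, as reported by
    display deception arp-scan statistics.
    """
    s, d = ip_address(src), ip_address(dst)
    # 1. Allowlist exceptions take precedence over both network types.
    if any(s in n for n in policy.allow_src) or any(d in n for n in policy.allow_dst):
        return "forward"
    # 2. Decoy networks: static deception regardless of online state; they also
    #    win over an overlapping detection network.
    if any(d in n for n in policy.decoy_nets):
        return "Decoy"
    # 3. Detection networks: only offline addresses are decoyed.
    if any(d in n for n in policy.detect_nets) and not dst_online:
        if policy.strict:
            return "Off-IP"                 # first ARP for an offline host is enough
        if src_arp_rate >= policy.arp_threshold:
            return "Off-IP"                 # scan rate reached the threshold
    return "forward"


def example_policy(strict: bool = False) -> DeceptionPolicy:
    """Constructed sample (addresses invented): a /24 under detection, a /24 of
    pure decoys plus a decoy half of the detected /24, a printer that never
    answers ARP (destination allowlist) and an NMS poller (source allowlist)."""
    return DeceptionPolicy(
        allow_src=[parse_net("10.0.0.250/32")],
        allow_dst=[parse_net("10.0.0.7/32")],
        decoy_nets=[parse_net("10.0.9.0/24"), parse_net("10.0.0.128/25")],
        detect_nets=[parse_net("10.0.0.0/24")],
        strict=strict,
        arp_threshold=10,
    )


if __name__ == "__main__":
    pol = example_policy()
    print("problems:", pol.validate() or "none")
    for src, dst, online, rate in [("10.0.5.5", "10.0.9.3", True, 0),
                                   ("10.0.5.5", "10.0.0.20", False, 3),
                                   ("10.0.5.5", "10.0.0.20", False, 12),
                                   ("10.0.0.250", "10.0.0.20", False, 60),
                                   ("10.0.5.5", "10.0.0.130", True, 0)]:
        print(f"{src} -> {dst}: {decide(pol, src, dst, dst_online=online, src_arp_rate=rate)}")
```

Running the module prints the verdict for each constructed flow; the third and fourth flows show the same offline target being decoyed for an unknown scanner but forwarded for the allowlisted NMS, which is exactly the distinction the source allowlist exists for.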

display deception arp-scan statistics

Use display deception arp-scan statistics to display ARP scanning statistics.

Syntax

display deception arp-scan [ source ip-address ] statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

source ip-address: Specifies the IP address that initiates the ARP scanning.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ARP scanning statistics on all member devices.

Examples

# Display ARP scanning statistics.

<Sysname> display deception arp-scan statistics

Slot 1:

Source IP      Rate(packets/10s)   Count        VPN instance

1.1.1.1        300                 2310            --

1.1.1.2        100                 2800            --

 

Total IPs: 2

 

Slot 2:

Source IP      Rate(packets/10s)   Count        VPN instance

1.1.1.1        300                 2310            --

1.1.1.2        100                 2800            --

 

Total IPs: 2

Table 1 Command output

Field

Description

Source IP

IP address that initiates ARP scanning.

Rate(packets/10s)

ARP scanning rate, which represents the number of ARP requests sent per 10 seconds.

Count

Total number of ARP requests sent for scanning.

VPN instance

VPN instance to which the scanning source IP address belongs. If the address belongs to the public network, this field displays two hyphens (--).

Total IPs

Number of IP addresses that initiate ARP scanning.

 

Related commands

arp-scan threshold

display deception decoy status

Use display deception decoy status to display the decoy server status.

Syntax

display deception decoy status

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Usage guidelines

The registration status of the device on the decoy server can be init or alive.

·     init—The device has not registered to the decoy server.

·     alive—The device has registered to the decoy server successfully.

The device connects to the decoy server every 5 minutes and updates the port list. If two consecutive connection attempts fail, it changes the decoy server status from alive to init; when a connection succeeds again, it sets the status back to alive. While the status is init, the device drops decoyed traffic. Normal deception resumes when the status becomes alive.

Examples

# Display the decoy server status.

<Sysname> display deception decoy status

Decoy register status information:

   Register status                                     : alive

   Online duration                                     : 25510(s)

 Available decoy service ports:

   21        22        80        443       3306

   4855      15554

Table 2 Command output

Field

Description

Decoy register status information

Decoy server status information.

Register status

Registration status of the device on the decoy server.

·     init—Unregistered.

·     alive—Registered.

Online duration

Period of time that the device has connected to the decoy server.

Available decoy service ports

Destination port numbers that support deception.

 

Related commands

deception enable

decoy

display deception ip-state

Use display deception ip-state to display the online status of the IP addresses in detection networks.

Syntax

display deception ip-state [ ip-address ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

ip-address: Specifies an IP address. If you do not specify an IP address, this command displays the online status of all IP addresses in detection networks.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IP status information on all member devices.

Usage guidelines

After deception is enabled, the deception device initiates IP address scanning on the detection networks at intervals of 30 minutes to obtain the IP address online status. You can execute this command to display the real-time online status of the IP addresses in detection networks.

For decoy IP addresses (IP addresses whose traffic is lured to the decoy server), the device can shorten the scanning interval to as little as 10 seconds, depending on the number of decoy IP addresses, to keep their status current.

Examples

# Display the online status of the IP addresses in detection networks.

<Sysname> display deception ip-state

Slot 1:

IP address       State         VPN instance

1.1.1.1          Online           --

1.1.1.2          Offline          --

1.1.1.3          Offline          --

1.1.1.255        Online           --

 

Total IPs: 4

 

Slot 2:

IP address       State         VPN instance

1.1.1.1          Online           --

1.1.1.2          Offline          --

1.1.1.3          Offline          --

1.1.1.255        Online           --

 

Total IPs: 4

Table 3 Command output

Field

Description

State

IP address status:

·     Online

·     Offline

VPN instance

VPN instance to which the IP address belongs. If the address belongs to the public network, this field displays two hyphens (--).

Total IPs

Total number of IP addresses in the detection networks.

 

Related commands

deception enable

detect-network

reset deception ip-state

display deception redirect

Use display deception redirect to display deception redirect entries.

Syntax

display deception redirect [ source-ip ip-address ] [ destination-ip ip-address ] [ destination-port port ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

source-ip ip-address: Specifies the source IP address of the decoyed traffic.

destination-ip ip-address: Specifies the destination IP address of the decoyed traffic.

destination-port port: Specifies the destination port number of the decoyed traffic, in the range of 1 to 65535.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays deception redirect entries on all member devices.

Usage guidelines

The device creates a deception redirect entry when it lures traffic to the decoy server. Before the entry ages, all the traffic that matches the entry will be redirected to the decoy server.

Examples

# Display deception redirect entries.

<Sysname> display deception redirect

Slot 1:

SrcIP     SrcPort    DstIP      DstPort   VPN instance   Type     Aging   Count

1.1.1.1   1123       1.1.1.2    80            --         Decoy    12      100

1.1.1.3   1223       1.1.1.4    80            --         Off-IP   12      100

 

Total entries: 2

 

Slot 2:

SrcIP     SrcPort    DstIP      DstPort   VPN instance   Type     Aging   Count

1.1.1.1   1123       1.1.1.2    80            --         Decoy    12      100

1.1.1.3   1223       1.1.1.4    80            --         Off-IP   12      100

 

Total entries: 2

Table 4 Command output

Field

Description

SrcIP

Source IP address of the decoyed traffic

SrcPort

Source port number of the decoyed traffic

DstIP

Destination IP address of the decoyed traffic

DstPort

Destination port number of the decoyed traffic

VPN instance

VPN instance to which the decoyed traffic belongs. If the traffic belongs to the public network, this field displays two hyphens (--).

Type

Deception type:

·     Decoy—Static deception.

·     Off-IP—Offline IP deception.

Aging

Remaining lifetime of the entry, in seconds. The initial value is 120 seconds. The aging timer of an entry will be reset each time the entry is hit by traffic.

Count

Total number of packets of the decoyed traffic.

Total entries

Total number of deception redirect entries.

Related commands

reset deception redirect
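For monitoring, an operator usually collects display deception arp-scan statistics and display deception redirect and turns them into alerts. The following Python parser, added here as an example and not part of the H3C documentation, reads the tabular output documented in those two sections above (a Slot header, one row per entry, a Total trailer), flags scanning sources whose rate has reached a given arp-scan threshold, and summarizes live redirect entries per source. The output strings are constructed to match the documented layout; the addresses, counts and the vpn-a instance are invented.

```python
"""Parse display deception arp-scan statistics / display deception redirect
output and derive monitoring facts from it.

Added example, not H3C code. The sample output below is constructed to match
the documented layout; hosts, counts and the vpn-a instance are invented.
"""
import re

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Column names for the two tables, in the order the device prints them.
ARP_COLS = ("source_ip", "rate", "count", "vpn")
REDIRECT_COLS = ("src_ip", "src_port", "dst_ip", "dst_port", "vpn", "type", "aging", "count")
INT_COLS = {"rate", "count", "aging", "src_port", "dst_port"}

ARP_SCAN_OUTPUT = """\
Slot 1:
Source IP      Rate(packets/10s)   Count        VPN instance
10.0.5.5       300                 2310            --
10.0.0.250     4                   980             --
10.0.5.9       12                  60              vpn-a

Total IPs: 3
"""

# Two IRF members report the same entries, as in the documented output.
REDIRECT_OUTPUT = """\
Slot 1:
SrcIP     SrcPort    DstIP      DstPort   VPN instance   Type     Aging   Count
10.0.5.5  1123       10.0.9.3   80            --         Decoy    12      100
10.0.5.5  1223       10.0.0.20  22            --         Off-IP   118     4
10.0.5.9  4000       10.0.0.21  445           vpn-a      Off-IP   30      7

Total entries: 3

Slot 2:
SrcIP     SrcPort    DstIP      DstPort   VPN instance   Type     Aging   Count
10.0.5.5  1123       10.0.9.3   80            --         Decoy    12      100
10.0.5.5  1223       10.0.0.20  22            --         Off-IP   118     4
10.0.5.9  4000       10.0.0.21  445           vpn-a      Off-IP   30      7

Total entries: 3
"""


def parse_slot_table(text: str, columns: tuple) -> dict:
    """Return {slot_number: [row, ...]} for one display command's output.

    A row is a dict keyed by `columns`; numeric columns become int and the
    '--' printed for the public network becomes None. Header and 'Total'
    lines are skipped because their field count or first token does not match.
    """
    slots, slot = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Slot (\d+):$", line)
        if m:
            slot = int(m.group(1))
            slots[slot] = []
            continue
        fields = line.split()
        if slot is None or len(fields) != len(columns) or not IP_RE.match(fields[0]):
            continue
        row = dict(zip(columns, fields))
        for key in INT_COLS & row.keys():
            row[key] = int(row[key])
        if row["vpn"] == "--":
            row["vpn"] = None
        slots[slot].append(row)
    return slots


def scanners_over_threshold(text: str, threshold: int) -> list:
    """Sources whose ARP request rate (per 10 s) has reached the arp-scan
    threshold, as (ip, vpn, rate) sorted highest rate first. A source reported
    by several IRF members appears once, with its highest rate."""
    best = {}
    for rows in parse_slot_table(text, ARP_COLS).values():
        for r in rows:
            if r["rate"] >= threshold:
                key = (r["source_ip"], r["vpn"])
                best[key] = max(best.get(key, 0), r["rate"])
    return sorted(((ip, vpn, rate) for (ip, vpn), rate in best.items()),
                  key=lambda t: -t[2])


def summarize_redirects(text: str) -> dict:
    """Per-source summary of live redirect entries: number of static (Decoy)
    and offline-IP (Off-IP) deceptions and packets diverted. An entry shown
    by several IRF members is counted once."""
    seen, summary = set(), {}
    for rows in parse_slot_table(text, REDIRECT_COLS).values():
        for r in rows:
            key = (r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"], r["vpn"])
            if key in seen:
                continue
            seen.add(key)
            s = summary.setdefault(r["src_ip"], {"Decoy": 0, "Off-IP": 0, "packets": 0})
            s[r["type"]] = s.get(r["type"], 0) + 1
            s["packets"] += r["count"]
    return summary


if __name__ == "__main__":
    for ip, vpn, rate in scanners_over_threshold(ARP_SCAN_OUTPUT, 10):
        print(f"scanner {ip} vpn={vpn or 'public'} rate={rate}/10s")
    for src, s in summarize_redirects(REDIRECT_OUTPUT).items():
        print(f"{src}: {s['Decoy']} Decoy, {s['Off-IP']} Off-IP, {s['packets']} packets diverted")
```

Feed the functions the text captured from the device instead of the constructed strings; the threshold passed to scanners_over_threshold should be the value configured with arp-scan threshold so the alert matches what the device itself acts on in non-strict mode.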

ip-state detect rate

Use ip-state detect rate to configure the IP scanning rate for deception.

Use undo ip-state detect rate to restore the default.

Syntax

ip-state detect rate rate-number

undo ip-state detect rate

Default

The deception device performs IP scanning at a rate of 30 ARP requests per second.

Views

Deception view

Predefined user roles

network-admin

context-admin

Parameters

rate-number: Specifies the IP scanning rate, in the range of 10 to 200 (number of ARP requests sent per second).

Usage guidelines

The device needs to maintain the online status of all the IP addresses in the detection networks for offline IP deception.

After deception is enabled, the device initiates IP address scanning on the detection networks at intervals of 30 minutes.

Within an interval, the device sends ARP requests to the IP addresses on the detection networks at the specified rate (set by the rate-number argument), and then updates the IP address online status according to the responses. If the IP scanning rate is too high, the scanning might affect the internal network. If the IP scanning rate is too low, the device might take a long time to obtain the online status of the IP addresses in the detection networks. Set a proper IP scanning rate according to your network conditions. For example, if each address is probed once per pass, one pass over the maximum of 10240 detection-network addresses takes about 6 minutes at the default rate of 30 requests per second and about 17 minutes at the minimum rate of 10 requests per second, both within the 30-minute interval.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the deception device to perform IP scanning at a rate of 100 ARP requests per second.

<Sysname> system-view

[Sysname] deception

[Sysname-deception] ip-state detect rate 100

Related commands

deception enable

detect-network

reset deception ip-state

Use reset deception ip-state to reset the online status information of the IP addresses in detection networks.

Syntax

reset deception ip-state

Views

User view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Usage guidelines

This command clears the online status information for the IP addresses in the detection networks that are not in decoy state and re-detects the online status of these addresses. An IP address is not in decoy state if the traffic destined for it is not being lured to the decoy server.

Examples

# Reset the online status information for the IP addresses in detection networks.

<Sysname> reset deception ip-state

Related commands

display deception ip-state

reset deception redirect

Use reset deception redirect to clear the specified deception redirect entries.

Syntax

reset deception redirect [ source-ip ip-address ] [ destination-ip ip-address ] [ destination-port port ]

Views

User view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

source-ip ip-address: Specifies the source IP address of the decoyed traffic.

destination-ip ip-address: Specifies the destination IP address of the decoyed traffic.

destination-port port: Specifies the destination port number of the decoyed traffic, in the range of 1 to 65535.

Usage guidelines

After you execute this command, the device stops redirecting the traffic that matched the deleted entries. That traffic is monitored again and is decoyed anew if it meets the deception conditions.

If you do not specify any parameters, this command clears all deception redirect entries.

Examples

# Clear the deception redirect entry for traffic from 1.1.1.1 to port 80 of 1.1.1.2, which ends the deception of the matching traffic.

<Sysname> reset deception redirect source-ip 1.1.1.1 destination-ip 1.1.1.2 destination-port 80

Related commands

display deception redirect
