DPI engine commands
app-profile
Use app-profile to create a deep packet inspection (DPI) application profile and enter its view, or enter the view of an existing DPI application profile.
Use undo app-profile to delete a DPI application profile.
Syntax
app-profile profile-name
undo app-profile profile-name
Default
No DPI application profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies a DPI application profile name. The profile name is a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, and underscores (_).
Usage guidelines
The DPI application profile is a security service template that can include DPI service policies such as URL filtering policy.
A DPI application profile takes effect after a security policy rule uses it as the action. The DPI engine inspects the packets matching the rule and submits the packets to the associated DPI service module for processing.
Examples
# Create a DPI application profile named abc and enter its view.
<Sysname> system-view
[Sysname] app-profile abc
[Sysname-app-profile-abc]
block-period
Use block-period to set the block period during which a source IP address is blocked.
Use undo block-period to restore the default.
Syntax
block-period period
undo block-period
Default
A source IP address is blocked for 1800 seconds.
Views
Block source parameter profile view
Predefined user roles
network-admin
Parameters
period: Specifies the block period in the range of 1 to 86400 seconds.
Usage guidelines
For the block period to take effect, make sure the blacklist feature is enabled.
The device drops the packet that matches an inspection rule and adds the packet's source IP address to the IP blacklist.
· If the blacklist feature is enabled, the device directly drops subsequent packets from the source IP address during the block period.
· If the blacklist feature is disabled, the block period does not take effect. The device inspects all packets and drops the matching ones.
For more information about the blacklist feature, see attack detection and prevention in the Security Configuration Guide.
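The following Python simulation is added here for illustration and is not part of the command reference or of H3C's software. It models the two cases above: with the blacklist feature enabled, a source that hit an inspection rule is dropped without inspection until its block period expires; with it disabled, every packet is inspected and only matching ones are dropped. The packet shape, the inspection rule (a marker in the payload) and the injected clock are constructed for the demonstration.

```python
"""Added illustration (not H3C code): how a block period interacts with the IP
blacklist for the block source action.

Constructed assumptions: the packet shape, the inspection rule (payload contains
a marker) and the injected clock exist only for this simulation."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_ip: str
    payload: bytes


@dataclass
class BlockSourceEngine:
    block_period: int = 1800             # seconds; default of block-period
    blacklist_enabled: bool = True       # state of 'blacklist global enable'
    bad_markers: tuple = (b"EVIL",)      # constructed inspection rule
    blacklist: dict = field(default_factory=dict)  # src_ip -> block expiry time
    inspected: int = 0                   # packets that went through full inspection

    def _matches_rule(self, pkt: Packet) -> bool:
        return any(m in pkt.payload for m in self.bad_markers)

    def handle(self, pkt: Packet, now: int) -> str:
        """Return 'drop' or 'forward' for a packet arriving at time `now` (seconds)."""
        if self.blacklist_enabled:
            expiry = self.blacklist.get(pkt.src_ip)
            if expiry is not None:
                if now < expiry:
                    return "drop"                 # dropped directly, no inspection
                del self.blacklist[pkt.src_ip]    # block period has elapsed
        # Blacklist disabled, source unknown, or block expired: inspect the packet
        self.inspected += 1
        if self._matches_rule(pkt):
            # The source is recorded either way; the period only takes effect
            # when the blacklist feature is enabled
            self.blacklist[pkt.src_ip] = now + self.block_period
            return "drop"
        return "forward"


def simulate(blacklist_enabled: bool, block_period: int = 3600) -> dict:
    """Replay constructed traffic with the blacklist feature on or off."""
    eng = BlockSourceEngine(block_period=block_period,
                            blacklist_enabled=blacklist_enabled)
    traffic = [
        (0,    Packet("10.0.0.5", b"GET /EVIL")),    # hits the rule, source blocked
        (10,   Packet("10.0.0.5", b"GET /index")),   # benign but from the blocked source
        (10,   Packet("10.0.0.9", b"GET /index")),   # unrelated source
        (3601, Packet("10.0.0.5", b"GET /index")),   # one second after the period ends
    ]
    verdicts = [eng.handle(pkt, t) for t, pkt in traffic]
    return {"verdicts": verdicts, "inspected": eng.inspected}


if __name__ == "__main__":
    print("blacklist enabled :", simulate(True))
    print("blacklist disabled:", simulate(False))
```

With the blacklist enabled, the second packet from 10.0.0.5 is dropped without being inspected and the fourth is inspected again because the 3600-second period has elapsed; with the blacklist disabled, all four packets are inspected and the benign ones are forwarded.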
Examples
# Set the block period to 3600 seconds in block source parameter profile b1.
<Sysname> system-view
[Sysname] inspect block-source parameter-profile b1
[Sysname-inspect-block-source-b1] block-period 3600
Related commands
blacklist global enable (Security Command Reference)
inspect block-source parameter-profile
capture-limit
Use capture-limit to set the maximum volume of captured packets that can be cached.
Use undo capture-limit to restore the default.
Syntax
capture-limit kilobytes
undo capture-limit
Default
The device can cache a maximum of 512 Kilobytes of captured packets.
Views
Capture parameter profile view
Predefined user roles
network-admin
Parameters
kilobytes: Specifies the maximum volume in the range of 0 to 102400 Kilobytes.
Usage guidelines
The device caches captured packets locally. It exports the cached captured packets to a URL when the volume of cached captured packets reaches the maximum, and clears the cache. After the export, the device starts to capture packets again.
If you set the maximum volume of cached captured packets to 0 Kilobytes, the device immediately exports a packet to the URL after the packet is captured.
Examples
# Set the maximum volume of cached captured packets to 1024 Kilobytes in the capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1] capture-limit 1024
Related commands
export repeating-at
export url
inspect capture parameter-profile
capture-storage
Use capture-storage to configure the storage space limits for captured packets.
Use undo capture-storage to restore the default.
Syntax
capture-storage { max-cache-percentage percent-number | max-session-size session-size } *
undo capture-storage [ max-cache-percentage | max-session-size ]
Default
The maximum storage space is 5% of the total memory size, and the maximum captured packet size for a single session is 64 KB.
Views
Capture parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
max-cache-percentage percent-number: Specifies the maximum storage space as a percentage of the total memory size, in the range of 5 to 20.
max-session-size session-size: Specifies the maximum captured packet size for a single session, in the range of 64 to 10240 KB.
Usage guidelines
The process for caching captured packets is as follows:
· When the total byte count of cached packets for a session reaches the maximum captured packet size, the system saves the packets to a capture file and clears the cache.
· When the total byte count of cached packets reaches the maximum storage space, the system stops caching packets of new sessions.
Administrators should adjust packet storage space limits based on actual needs and device memory. If you want to cache more packets or the device memory is sufficient, increase the storage space limits.
This command takes effect only on IPS.
Examples
# Set the maximum storage space to 10% of the total memory size and the maximum captured packet size for a single session to 1024 KB in the capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1] capture-storage max-cache-percentage 10 max-session-size 1024
Related commands
inspect capture parameter-profile
capture-upload zip
Use capture-upload zip to set the .zip export format for capture files.
Use undo capture-upload zip to restore the default.
Syntax
capture-upload zip
undo capture-upload
Default
Capture files are exported in .pcap format one by one.
Views
Capture parameter profile view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command enables the device to export capture files in .zip format, which improves export efficiency and facilitates security event tracking and analysis.
This command takes effect only on IPS.
Examples
# Set the .zip export format for capture files in the capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1] capture-upload zip
Related commands
inspect capture parameter-profile
ips capture-cache
description
Use description to configure a description for a capture parameter profile.
Use undo description to restore the default.
Syntax
description text
undo description
Default
A capture parameter profile does not have a description.
Views
Capture parameter profile view
Predefined user roles
network-admin
mdc-admin
Parameters
text: Specifies a description, a case-insensitive string of 1 to 127 characters.
Usage guidelines
A description helps you understand what a capture parameter profile is used for.
Examples
# Configure the description as capture for capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1] description capture
Related commands
inspect capture parameter-profile
display inspect smb-breakpoint-resume table
Use display inspect smb-breakpoint-resume table to display the breakpoint resumption table for the SMB protocol.
Syntax
display inspect smb-breakpoint-resume table { ipv4 | ipv6 }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv4: Displays the breakpoint resumption table for IPv4 SMB traffic.
ipv6: Displays the breakpoint resumption table for IPv6 SMB traffic.
Usage guidelines
The SMB protocol supports breakpoint resumption. When a file transfer is interrupted, SMB can transfer the subsequent file data by creating a new session. When a file transferred over SMB is processed by the drop, block source, redirect, or reset DPI action, the device creates a breakpoint resumption table entry that records the source IP, destination IP, source VRF, destination VRF, and file name of the file. When the device receives a subsequent SMB file, it matches the file information against the breakpoint resumption table. If a match is found, the device takes the same action on the file. In this manner, subsequent transfers of a blocked file are also blocked.
You can use this command to analyze which files were dropped.
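The following Python model is added here for illustration and is not part of the command reference or of H3C's software. It keeps a table keyed by the five fields the command displays and reuses a remembered blocking action for a resumed transfer of the same file, so a transfer that resumes in a new session cannot slip past the earlier verdict. The key fields mirror the display output; the decision flow, the action names, and the sample transfers are constructed assumptions.

```python
"""Added illustration (not H3C code): a model of the SMB breakpoint resumption
table. Constructed assumptions: the decision flow, the action names and the
sample transfers in demo() are a simplification for the demonstration."""
from dataclasses import dataclass, field

# DPI actions that create a breakpoint resumption entry (from the usage guidelines)
BLOCKING_ACTIONS = frozenset({"drop", "block-source", "redirect", "reset"})


@dataclass(frozen=True)
class SmbFileKey:
    src_ip: str
    dst_ip: str
    src_vrf: str
    dst_vrf: str
    file_name: str


@dataclass
class SmbBreakpointResumeTable:
    entries: dict = field(default_factory=dict)   # SmbFileKey -> action

    def record(self, key: SmbFileKey, action: str) -> None:
        # Only blocking actions are remembered; permitted files leave no entry
        if action in BLOCKING_ACTIONS:
            self.entries[key] = action

    def lookup(self, key: SmbFileKey):
        return self.entries.get(key)

    def dump(self) -> list:
        """Render the entries in the layout the display command uses."""
        lines = []
        for k in self.entries:
            lines += [f"Source IP: {k.src_ip}", f"Destination IP: {k.dst_ip}",
                      f"Source VRF: {k.src_vrf}", f"Destination VRF: {k.dst_vrf}",
                      f"File name: {k.file_name}"]
        return lines


def process_smb_file(table: SmbBreakpointResumeTable, key: SmbFileKey,
                     inspection_action: str) -> str:
    """Decide the action for one SMB file transfer. A resumed transfer of a file
    that was already acted on gets the same action without re-inspection."""
    remembered = table.lookup(key)
    if remembered is not None:
        return remembered
    table.record(key, inspection_action)
    return inspection_action


def demo() -> list:
    """Constructed sequence: the blocked file is resumed in a new session."""
    table = SmbBreakpointResumeTable()
    key = SmbFileKey("1.1.1.1", "2.2.2.2", "public", "public", "test.txt")
    other = SmbFileKey("1.1.1.1", "2.2.2.2", "public", "public", "other.txt")
    other_vrf = SmbFileKey("1.1.1.1", "2.2.2.2", "vpn1", "public", "test.txt")
    return [
        process_smb_file(table, key, "drop"),        # first transfer: inspected and dropped
        process_smb_file(table, key, "permit"),      # resumed fragment looks clean, still dropped
        process_smb_file(table, other, "permit"),    # different file name: inspected normally
        process_smb_file(table, other_vrf, "permit"),  # different source VRF: a different entry
    ]


if __name__ == "__main__":
    print(demo())
```

The second call shows the point of the table: the resumed fragment on its own would have been permitted, but because the key matches the earlier drop, the same action is applied.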
Examples
# Display the breakpoint resumption table for the SMB protocol.
<Sysname> display inspect smb-breakpoint-resume table ipv4
Slot 1:
Smb-breakpoint-resume table information:
Source IP: 1.1.1.1
Destination IP: 2.2.2.2
Source VRF: public
Destination VRF: public
MDC ID: 1
File name: test.txt
Table 1 Command output

Field | Description
---|---
Source VRF | If the file is from the public network, this field displays public.
Destination VRF | If the file is destined for the public network, this field displays public.
display inspect status
Use display inspect status to display the status of the DPI engine.
Syntax
display inspect status
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the status of the DPI engine.
<Sysname> display inspect status
Chassis 0 Slot 1:
Running status: Normal
Table 2 Command output

Field | Description
---|---
Running status | Status of the DPI engine: DPI administratively disabled; DPI auto-bypass for protocol xxx; DPI disabled due to high CPU usage; Normal (the DPI engine is running correctly).
Usage threshold has already been reached for the following CPU cores: xxx | This line appears when one or more CPU cores reach the CPU core usage alarm threshold. DPI will not use these CPU cores to process services.
Related commands
monitor cpu-usage threshold core (Fundamentals Command Reference)
export repeating-at
Use export repeating-at to set the daily export time for cached captured packets.
Use undo export repeating-at to restore the default.
Syntax
export repeating-at time
undo export repeating-at
Default
The system exports cached captured packets at 1:00 a.m. every day.
Views
Capture parameter profile view
Predefined user roles
network-admin
Parameters
time: Specifies the daily export time in the format of hh:mm:ss in the range of 00:00:00 to 23:59:59.
Usage guidelines
The device exports cached captured packets to a URL and clears the cache at the daily export time, whether or not the volume of cached captured packets reaches the maximum.
Examples
# Configure the device to export cached captured packets at 2:00 a.m. every day in the capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1] export repeating-at 02:00:00
Related commands
capture-limit
export url
inspect capture parameter-profile
export url
Use export url to specify the URL to which the cached captured packets are exported.
Use undo export url to restore the default.
Syntax
export url url-string
undo export url
Default
No URL is specified for exporting the cached captured packets.
Views
Capture parameter profile view
Predefined user roles
network-admin
Parameters
url-string: Specifies the URL, a string of 1 to 255 characters. Only FTP, TFTP, and HTTPS are supported.
Usage guidelines
The device exports the cached captured packets to the specified URL at the daily export time or when the volume of cached captured packets reaches the maximum. After the captured packets are exported, the system clears the cache.
If you do not specify a URL, the device still exports the cached captured packets but the export fails.
Only IPS supports exporting captured packets to a URL through HTTPS.
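The following Python simulation is added here for illustration and is not part of the command reference or of H3C's software. It ties together the capture-limit, export repeating-at and export url commands: the cache is exported and cleared when its volume reaches the limit, a limit of 0 exports each packet immediately, and the daily export fires at the configured time regardless of the volume. The packet sizes and the export URL are constructed; that the daily export also runs on an empty cache is an assumption of the model.

```python
"""Added illustration (not H3C code): how capture-limit, export repeating-at and
export url interact for cached captured packets. Constructed assumptions: packet
sizes, the export URL, and that the daily export runs even if the cache is empty."""
from dataclasses import dataclass, field


@dataclass
class CaptureCache:
    capture_limit_kb: int = 512                    # capture-limit default
    export_time: str = "01:00:00"                  # export repeating-at default
    export_url: str = "tftp://192.0.2.7/upload"    # constructed export url value
    cached_bytes: int = 0
    exports: list = field(default_factory=list)    # (reason, bytes, url)

    def _export(self, reason: str) -> None:
        # Export everything cached so far to the URL, then clear the cache
        self.exports.append((reason, self.cached_bytes, self.export_url))
        self.cached_bytes = 0

    def capture(self, pkt_len: int) -> None:
        """Cache one captured packet; export when the volume reaches the limit.
        With capture-limit 0 the comparison is always true, so every packet is
        exported immediately after capture."""
        self.cached_bytes += pkt_len
        if self.cached_bytes >= self.capture_limit_kb * 1024:
            self._export("limit")

    def clock(self, hhmmss: str) -> None:
        """Call once per second of day; the daily export fires at export_time
        whether or not the limit has been reached."""
        if hhmmss == self.export_time:
            self._export("daily")


def run_scenario(capture_limit_kb: int) -> list:
    """Constructed traffic: three 200 KB captures, one 100 KB capture, then 01:00:00."""
    cache = CaptureCache(capture_limit_kb=capture_limit_kb)
    for _ in range(3):
        cache.capture(200 * 1024)
    cache.capture(100 * 1024)
    cache.clock("01:00:00")
    return cache.exports


if __name__ == "__main__":
    for limit in (512, 0):
        print(f"capture-limit {limit}:")
        for reason, size, url in run_scenario(limit):
            print(f"  {reason:5} {size:7d} bytes -> {url}")
```

With the default 512 KB limit, the third capture pushes the cache to 600 KB and triggers a limit export; the remaining 100 KB goes out at 01:00:00. With a limit of 0, every packet is exported on its own.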
Examples
# Configure the device to export cached captured packets to URL tftp://192.168.100.100/upload in the capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1] export url tftp://192.168.100.100/upload
Related commands
capture-limit
export repeating-at
inspect capture parameter-profile
import block warning-file
Use import block warning-file to import a user-defined alarm message from an anti-virus warning file.
Syntax
import block warning-file file-path
Default
The device uses the default alarm message "The site you are accessing has a security risk and thereby is blocked."
Views
Anti-virus warning parameter profile view
Predefined user roles
network-admin
Parameters
file-path: Specifies the anti-virus warning file path, a string of 1 to 200 characters.
Usage guidelines
After you execute the inspect warning parameter-profile command, the system automatically generates an anti-virus warning file named av-httpDeclare-xxx in the dpi/av/warning directory. The xxx represents the name of the warning parameter profile.
A default alarm message is predefined in the warning file. If an end-point user visits a virus-infected website, the device blocks the website access and displays the alarm message in the browser of the end-point user.
You can execute the import block warning-file command to specify a user-defined alarm message from a file. Only HTML and TXT files are supported.
The device supports the following import methods:
· Local import—Imports the message from the warning file that is stored locally.
The format of the file-path argument varies by the location of the warning file to be imported.
The warning file is stored… | Format of file-path | Remarks
---|---|---
In the current working directory | filename | To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference.
In a directory different from the working directory on the same storage medium | filename | Before importing the warning file, you must first use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.
On a storage medium different from the working directory | path/filename | Before importing the warning file, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.
· FTP/TFTP import—Imports the message from the warning file that is stored on an FTP or TFTP server.
The format of the file-path argument varies by the location of the warning file to be imported.
The warning file is stored on | Format of file-path | Remarks
---|---|---
An FTP server | ftp://username:password@server/filename | The username and password arguments represent the FTP login username and password, respectively. The server argument represents the IP address or host name of the FTP server. If a colon (:), at sign (@), or forward slash (/) exists in the username or password, you must convert it into its escape characters. The escape characters are %3A or %3a for a colon, %40 for an at sign, and %2F or %2f for a forward slash.
A TFTP server | tftp://server/filename | The server argument represents the IP address or host name of the TFTP server.

NOTE: To specify a warning file on an FTP or TFTP server, make sure the device and the server can reach each other. If you specify the server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see DNS configuration in Network Connectivity Configuration Guide.
Examples
# Import a user-defined alarm message from the anti-virus warning file on a TFTP server.
<Sysname> system-view
[Sysname] inspect warning parameter-profile warn
[Sysname-inspect-warning-warn] import block warning-file tftp://192.168.0.1/warning.txt
# Import a user-defined alarm message from the anti-virus warning file on an FTP server. The FTP login username and password are user and password, respectively.
<Sysname> system-view
[Sysname] inspect warning parameter-profile warn
[Sysname-inspect-warning-warn] import block warning-file ftp://user:password@192.168.0.1/warning.txt
# Import a user-defined alarm message from the anti-virus warning file stored locally. The file is stored in directory cfa0:/warning.txt, and the current working directory is cfa0.
<Sysname> system-view
[Sysname] inspect warning parameter-profile warn
[Sysname-inspect-warning-warn] import block warning-file warning.txt
import warning-file
Use import warning-file to import a user-defined alarm message from a warning file for URL filtering.
Syntax
import warning-file file-path
Default
The device uses the default alarm message in the warning file named uflt-xxx.html. The xxx in the file name is the profile name.
Views
URL filtering warning parameter profile view
Predefined user roles
network-admin
Parameters
file-path: Specifies the warning file path, a string of 1 to 200 characters.
Usage guidelines
The default alarm message is as follows:
Web Access Blocked
Your access to this website was denied. To access this webpage, contact Technical Support.
· Reason: XXX
· Category: XXX
· URL: XXX
The Reason field has the following values:
· The URL of the website hit the URL blacklist.
· The URL of the website hit a user-defined URL category.
· The URL of the website hit a predefined URL category.
· No matching whitelist entry was found for the website in whitelist mode.
· The URL of the website did not match any accessible URL category.
· The URL of the website hit the URL reputation signature library.
The Category field displays the user-defined or predefined URL category, or the attack category of URL reputation.
The URL field displays the URL accessed by the client.
If an end-point user visits a virus-infected website, the device blocks the website access and displays the alarm message in the browser of the end-point user.
You can execute the import warning-file command to specify a user-defined alarm message from a file. Only HTML and TXT files are supported.
The device supports the following import methods:
· Local import—Imports the message from the warning file that is stored locally.
The format of the file-path argument varies by the location of the warning file to be imported.
The warning file is stored… | Format of file-path | Remarks
---|---|---
In the current working directory | filename | To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference.
In a directory different from the working directory on the same storage medium | filename | Before importing the warning file, you must first use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.
On a storage medium different from the working directory | path/filename | Before importing the warning file, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.
· FTP/TFTP import—Imports the message from the warning file that is stored on an FTP or TFTP server.
The format of the file-path argument varies by the location of the warning file to be imported.
The warning file is stored on | Format of file-path | Remarks
---|---|---
An FTP server | ftp://username:password@server/filename | The username and password arguments represent the FTP login username and password, respectively. The server argument represents the IP address or host name of the FTP server. If a colon (:), at sign (@), or forward slash (/) exists in the username or password, you must convert it into its escape characters. The escape characters are %3A or %3a for a colon, %40 for an at sign, and %2F or %2f for a forward slash.
A TFTP server | tftp://server/filename | The server argument represents the IP address or host name of the TFTP server.

NOTE: To specify a warning file on an FTP or TFTP server, make sure the device and the server can reach each other. If you specify the server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see DNS configuration in Network Connectivity Configuration Guide.
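The following Python helper is added here for illustration and is not part of the command reference or of H3C's software. It serves the FTP file-path tables of both the import block warning-file and the import warning-file commands: it builds the ftp://username:password@server/filename form with the escape characters the table requires (%3A for a colon, %40 for an at sign, %2F for a forward slash) and parses such a string back, rejecting credentials that still contain a raw reserved character. The credentials, server and file name used are constructed.

```python
"""Added illustration (not H3C code): building and parsing the
ftp://username:password@server/filename form of file-path with the escape
characters the table specifies (%3A for ':', %40 for '@', %2F for '/').
Constructed assumptions: the credentials, server and file name used in main."""
from urllib.parse import quote, unquote, urlsplit

RESERVED = ":@/"   # characters that must be escaped inside username or password


def escape_credential(value: str) -> str:
    """Percent-escape ':' '@' '/' (and any other reserved character) in a credential."""
    return quote(value, safe="")


def build_ftp_file_path(username: str, password: str, server: str, filename: str) -> str:
    return (f"ftp://{escape_credential(username)}:{escape_credential(password)}"
            f"@{server}/{filename}")


def parse_ftp_file_path(url: str) -> dict:
    """Recover the pieces; raise ValueError if the string is not a well-formed
    ftp:// file-path (for example, an unescaped '@' or ':' in the password)."""
    parts = urlsplit(url)
    if parts.scheme != "ftp" or "@" not in parts.netloc:
        raise ValueError("expected ftp://username:password@server/filename")
    userinfo, _, server = parts.netloc.rpartition("@")
    user, _, pw = userinfo.partition(":")
    for raw in (user, pw):
        # After splitting on the outermost '@' and the first ':', no raw reserved
        # character may remain; if one does, the credentials were not escaped
        if any(ch in raw for ch in RESERVED):
            raise ValueError("unescaped reserved character in credentials")
    return {"username": unquote(user), "password": unquote(pw),
            "server": server, "filename": parts.path.lstrip("/")}


if __name__ == "__main__":
    # Constructed credentials containing all three reserved characters
    url = build_ftp_file_path("us:er", "p@ss/w", "192.0.2.10", "warning.txt")
    print(url)
    print(parse_ftp_file_path(url))
```

unquote accepts both the upper-case and lower-case escape forms listed in the table, so a file-path written with %3a or %2f round-trips the same way.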
Examples
# Import a user-defined alarm message from the warning file on a TFTP server.
<Sysname> system-view
[Sysname] inspect url-filter warning parameter-profile warn
[Sysname-inspect-url-filter-warning-warn] import warning-file tftp://192.168.0.1/warning.txt
# Import a user-defined alarm message from the warning file on an FTP server. The FTP login username and password are user and password, respectively.
<Sysname> system-view
[Sysname] inspect url-filter warning parameter-profile warn
[Sysname-inspect-url-filter-warning-warn] import warning-file ftp://user:password@192.168.0.1/warning.txt
# Import a user-defined alarm message from the warning file stored locally. The file is stored in directory cfa0:/warning.txt, and the current working directory is cfa0.
<Sysname> system-view
[Sysname] inspect url-filter warning parameter-profile warn
[Sysname-inspect-url-filter-warning-warn] import warning-file warning.txt
inspect activate
Use inspect activate to activate the policy and rule configurations for DPI service modules.
Syntax
inspect activate
Default
The creation, modification, and deletion of DPI service policies and rules will be activated automatically.
Views
System view
Predefined user roles
network-admin
Usage guidelines
CAUTION: This command causes transient DPI service interruption. DPI-based services might also be interrupted. For example, security policies cannot control access to applications.
By default, the system will detect whether another configuration change (such as creation, modification, or deletion) occurs within a 20-second interval after a configuration change for DPI service modules such as URL filtering:
· If no configuration change occurs within the interval, the system performs an activation operation at the end of the next interval to make the configuration take effect.
· If a configuration change occurs within the interval, the system continues to periodically check whether a configuration change occurs within the interval.
To activate the policy and rule configurations for DPI service modules immediately, you can execute the inspect activate command.
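The following Python model is added here for illustration and is not part of the command reference or of H3C's software. It computes when the automatic activation described above runs for a series of configuration changes, using the 20-second check interval, and contrasts that with an operator running inspect activate. The modelling assumptions are that the interval clock starts at the first pending change, that each check covers the interval that just ended, and that a scheduled activation covers every change made before it; the change timestamps are constructed.

```python
"""Added illustration (not H3C code): when automatic activation fires for a
series of DPI policy changes, using the 20-second check interval described
in the usage guidelines. Modelling assumption: the interval clock starts at the
first pending change, each check covers the interval that just ended, and once
activation is scheduled it runs at that time and covers every earlier change."""
INTERVAL = 20  # seconds, from the usage guidelines


def schedule_auto_activation(change_times) -> list:
    """Return the times (seconds) at which automatic activation runs."""
    activations = []
    pending = sorted(change_times)
    while pending:
        window_start = pending[0]
        window_end = window_start + INTERVAL
        # Keep checking interval by interval while changes keep arriving
        while any(window_start < c <= window_end for c in pending):
            window_start, window_end = window_end, window_end + INTERVAL
        # A quiet interval was found: activate at the end of the next interval
        activation = window_end + INTERVAL
        activations.append(activation)
        pending = [c for c in pending if c > activation]
    return activations


def effective_times(change_times) -> dict:
    """Map each change to the time it takes effect under automatic activation."""
    activations = schedule_auto_activation(change_times)
    return {c: next(a for a in activations if a >= c) for c in change_times}


def with_manual_activate(change_times, activate_at: int) -> dict:
    """Same, but an operator runs `inspect activate` at activate_at: changes made
    by then take effect at once; later ones fall back to the automatic cycle."""
    effective = {c: activate_at for c in change_times if c <= activate_at}
    effective.update(effective_times([c for c in change_times if c > activate_at]))
    return effective


if __name__ == "__main__":
    changes = [0, 15, 30]            # constructed: three edits 15 s apart
    print("automatic:", effective_times(changes))
    print("manual at 31 s:", with_manual_activate(changes, 31))
```

A single change at 0 s takes effect at 40 s. Three changes at 0, 15 and 30 s keep resetting the quiet-interval check, so none of them takes effect until 80 s; running inspect activate at 31 s applies all three at once.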
Examples
# Activate the policy and rule configurations for DPI service modules.
<Sysname> system-view
[Sysname] inspect activate
inspect auto-bypass
Use inspect auto-bypass enable to enable automatic bypass of the DPI engine.
Use undo inspect auto-bypass enable to disable automatic bypass of the DPI engine.
Syntax
inspect auto-bypass enable
undo inspect auto-bypass enable
Default
Automatic bypass of the DPI engine is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
With this feature enabled, the DPI engine automatically disables inspection on packets of the specified protocol after a device reboot caused by packet inspection errors.
Examples
# Enable automatic bypass of the DPI engine.
<Sysname> system-view
[Sysname] inspect auto-bypass enable
This feature might cause some functions of the DPI engine to be unavailable. Continue? [Y/N]:y
inspect block-source parameter-profile
Use inspect block-source parameter-profile to create a block source parameter profile and enter its view, or enter the view of an existing block source parameter profile.
Use undo inspect block-source parameter-profile to delete a block source parameter profile.
Syntax
inspect block-source parameter-profile parameter-name
undo inspect block-source parameter-profile parameter-name
Default
No block source parameter profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
parameter-name: Specifies a block source parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In block source parameter profile view, you can set parameters for the block source action, such as the block period.
Examples
# Create a block source parameter profile named b1 and enter its view.
<Sysname> system-view
[Sysname] inspect block-source parameter-profile b1
[Sysname-inspect-block-source-b1]
Related commands
block-period
inspect bypass
Use inspect bypass to disable the DPI engine.
Use undo inspect bypass to enable the DPI engine.
Syntax
inspect bypass
undo inspect bypass
Default
The DPI engine is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
CAUTION: This command causes packets of any protocols not to be processed by DPI. DPI-based services might also be interrupted. For example, security policies cannot control access to applications.
Packet inspection in the DPI engine is a complex and resource-consuming process. When the CPU usage is high, you can disable the DPI engine to guarantee the device performance.
Examples
# Disable the DPI engine.
<Sysname> system-view
[Sysname] inspect bypass
Related commands
display inspect status
inspect bypass protocol
Use inspect bypass protocol to specify the protocols to bypass the DPI engine.
Use undo inspect bypass protocol to disable DPI engine bypass for protocols.
Syntax
inspect bypass protocol { dns | ftp | ftp-data | http | https | ibm-db2 | imap | mongodb-protocol | ms-sql-s | mysql-protocol | nfs | pop3 | postgresql-protocol | rtmp | sip | smb | smtp | sqlnet | telnet | tftp } *
undo inspect bypass protocol [ dns | ftp | ftp-data | http | https | ibm-db2 | imap | mongodb-protocol | ms-sql-s | mysql-protocol | nfs | pop3 | postgresql-protocol | rtmp | sip | smb | smtp | sqlnet | telnet | tftp ] *
Default
The DPI engine inspects all supported protocols.
Views
System view
Predefined user roles
network-admin
Parameters
dns: Specifies the DNS protocol.
ftp: Specifies the FTP protocol.
ftp-data: Specifies the FTP data protocol.
http: Specifies the HTTP protocol.
https: Specifies the HTTPS protocol.
ibm-db2: Specifies the IBM DB2 protocol.
imap: Specifies the IMAP protocol.
mongodb-protocol: Specifies the MongoDB protocol.
ms-sql-s: Specifies the Microsoft SQL Server protocol.
mysql-protocol: Specifies the MySQL protocol.
nfs: Specifies the NFS protocol.
pop3: Specifies the POP3 protocol.
postgresql-protocol: Specifies the PostgreSQL protocol.
rtmp: Specifies the RTMP protocol.
sip: Specifies the SIP protocol.
smb: Specifies the SMB protocol.
smtp: Specifies the SMTP protocol.
sqlnet: Specifies the SQLNet protocol.
telnet: Specifies the Telnet protocol.
tftp: Specifies the TFTP protocol.
Usage guidelines
If you do not specify any keyword when executing the undo inspect bypass protocol command, the DPI engine inspects all supported protocols.
As a best practice, you can specify the protocols to bypass the DPI engine when either of the following conditions is met:
· Inspection on packets of the specified protocols is not required. You can disable the DPI engine for the specified protocols to reduce the consumption of device resources and improve the device performance.
· Inspection on packets of the specified protocols causes the device to reboot. You can specify the protocols to bypass the DPI engine to avoid reboots caused by inspection errors while keeping inspection of packets of other protocols.
Examples
# Specify the HTTP protocol to bypass the DPI engine.
<Sysname> system-view
[Sysname] inspect bypass protocol http
This feature might cause the DPI engine to be unavailable for the specified protocols. Continue? [Y/N]:y
Related commands
display inspect status
inspect cache-option maximum
Use inspect cache-option maximum to set the maximum number of options to be cached per TCP or UDP data flow for further inspection.
Use undo inspect cache-option to restore the default.
Syntax
inspect cache-option maximum max-number
undo inspect cache-option
Default
The DPI engine can cache a maximum of 32 options per TCP or UDP data flow.
Views
System view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of options to be cached per TCP or UDP data flow. The value range is 1 to 254.
Usage guidelines
An inspection rule can contain multiple AC patterns, and each AC pattern can be associated with multiple options. A TCP or UDP data flow matches an inspection rule if the packets of the flow match all the AC patterns and options in the rule.
If a packet of a TCP or UDP data flow matches one AC pattern in an inspection rule, the DPI engine cannot yet determine whether the flow matches the rule. The DPI engine continues to match packets of the flow against the remaining options and AC patterns in the rule. Any options that cannot be matched yet are cached so that they can be matched against subsequent packets. The DPI engine determines that the flow matches the rule when all options and AC patterns in the rule are matched.
The more options the DPI engine caches, the more likely it is to identify the application information and the more accurate the inspection. However, caching more options requires more memory. If the device has high memory usage, configure the DPI engine to cache fewer options to improve the device performance.
Typically, the default setting is sufficient for most scenarios.
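The following Python model is added here for illustration and is not part of the command reference or of H3C's software. It is a deliberately simplified matcher that shows why the option cache matters: a rule whose AC patterns and options are satisfied only across several packets of one flow can be matched only if the options that did not match on the first packet are cached for later packets, and a cache that is too small loses them. The rule, the two option types and the packets are constructed for the demonstration.

```python
"""Added illustration (not H3C code): a simplified model of why cached options
matter when a rule's AC patterns and options are spread across several packets
of one flow. Constructed assumptions: the rule, the two option types and the
packets are invented for the demonstration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Option:
    kind: str        # "dst-port" or "min-length"
    value: int


@dataclass
class Packet:
    payload: bytes
    dst_port: int
    length: int


def option_matches(opt: Option, pkt: Packet) -> bool:
    if opt.kind == "dst-port":
        return pkt.dst_port == opt.value
    if opt.kind == "min-length":
        return pkt.length >= opt.value
    raise ValueError(f"unknown option kind {opt.kind}")


@dataclass
class FlowMatcher:
    rule: dict                     # AC pattern (bytes) -> tuple of Options
    max_cached: int = 32           # inspect cache-option maximum default
    matched_patterns: set = field(default_factory=set)
    matched_options: set = field(default_factory=set)
    cached_options: list = field(default_factory=list)
    discarded_options: int = 0     # options that could not be cached

    def feed(self, pkt: Packet) -> bool:
        """Inspect one packet of the flow; return True once the whole rule matched."""
        # 1. Retry options cached from earlier packets of this flow
        remaining = []
        for opt in self.cached_options:
            if option_matches(opt, pkt):
                self.matched_options.add(opt)
            else:
                remaining.append(opt)
        self.cached_options = remaining
        # 2. AC pattern search on this packet, then the pattern's options
        for pattern, options in self.rule.items():
            if pattern in self.matched_patterns or pattern not in pkt.payload:
                continue
            self.matched_patterns.add(pattern)
            for opt in options:
                if option_matches(opt, pkt):
                    self.matched_options.add(opt)
                elif len(self.cached_options) < self.max_cached:
                    self.cached_options.append(opt)   # check against later packets
                else:
                    self.discarded_options += 1       # cache full: the flow can no longer match
        return self.is_match()

    def is_match(self) -> bool:
        all_options = {o for opts in self.rule.values() for o in opts}
        return (self.matched_patterns == set(self.rule)
                and self.matched_options == all_options)


# Constructed rule: two AC patterns, three options in total
RULE = {
    b"USER": (Option("dst-port", 21), Option("min-length", 64)),
    b"PASS": (Option("min-length", 32),),
}
# Constructed flow: the first packet is too short for min-length 64
FLOW = [
    Packet(b"USER anonymous\r\n", dst_port=21, length=20),
    Packet(b"PASS " + b"x" * 70 + b"\r\n", dst_port=21, length=80),
]


def run(max_cached: int) -> tuple:
    """Return (flow matched, options discarded) for a given cache size."""
    fm = FlowMatcher(RULE, max_cached=max_cached)
    matched = False
    for pkt in FLOW:
        matched = fm.feed(pkt)
    return matched, fm.discarded_options


if __name__ == "__main__":
    print("default cache :", run(32))
    print("no cache      :", run(0))
```

With the default cache size the min-length 64 option is held over from the first packet and satisfied by the second, so the flow is identified; with no cache the option is discarded and the flow never matches, which is the accuracy loss the usage guidelines describe.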
Examples
# Configure the DPI engine to cache a maximum of four options per TCP or UDP data flow for further inspection.
<Sysname> system-view
[Sysname] inspect cache-option maximum 4
inspect capture parameter-profile
Use inspect capture parameter-profile to create a capture parameter profile and enter its view, or enter the view of an existing capture parameter profile.
Use undo inspect capture parameter-profile to delete a capture parameter profile.
Syntax
inspect capture parameter-profile parameter-name
undo inspect capture parameter-profile parameter-name
Default
No capture parameter profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
parameter-name: Specifies a capture parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In capture parameter profile view, you can set parameters for the packet capture action, such as the maximum volume of cached captured packets.
Only the IPS module supports the packet capture action.
Examples
# Create a capture parameter profile named c1 and enter its view.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1]
Related commands
capture-limit
export repeating-at
export url
inspect coverage
Use inspect coverage to configure a DPI engine inspection mode.
Use undo inspect coverage to restore the default.
Syntax
inspect coverage { balanced | large-coverage | high-performance | user-defined }
undo inspect coverage
Default
The DPI engine uses the balanced mode.
Views
System view
Predefined user roles
network-admin
Parameters
balanced: Specifies the balanced mode. This mode makes a tradeoff between the device performance and inspection coverage.
large-coverage: Specifies the large coverage mode. This mode appropriately reduces device performance to achieve the best inspection coverage.
high-performance: Specifies the high performance mode. This mode appropriately reduces the inspection coverage to ensure the best device performance.
user-defined: Specifies the user-defined mode. This mode allows you to adjust the inspection length of the DPI engine as required.
Usage guidelines
Select an inspection mode as required:
· Balanced mode—Applicable to most scenarios. This mode makes a tradeoff between the device performance and inspection coverage. The maximum length is 64 Kilobytes for FTP, HTTP, SMB, NFS, and email streams, and the maximum file length for MD5 inspection is 2048 Kilobytes.
· Large coverage mode—Applicable to the scenarios that require large inspection coverage. This mode improves the inspection coverage at the cost of device performance. The maximum length is 128 Kilobytes for FTP, HTTP, SMB, NFS, and email streams, and the maximum file length for MD5 inspection is 5120 Kilobytes.
· High performance mode—Applicable to the scenarios that require high device performance. This mode improves the device performance while ensuring a certain inspection coverage. The maximum length is 32 Kilobytes for FTP, HTTP, SMB, NFS, and email streams, and the maximum file length for MD5 inspection is 32 Kilobytes.
· User-defined mode—Applicable to the scenarios that have specific requirements for inspection coverage and device performance. In this mode, you can execute the inspect stream-fixed-length command to set the maximum stream length for inspection.
Examples
# Configure the user-defined mode as the DPI engine inspection mode.
<Sysname> system-view
[Sysname] inspect coverage user-defined
Related commands
inspect stream-fixed-length enable
inspect file-fixed-length enable
inspect cpu-threshold disable
Use inspect cpu-threshold disable to disable inspection suspension upon excessive CPU usage.
Use undo inspect cpu-threshold disable to enable inspection suspension upon excessive CPU usage.
Syntax
inspect cpu-threshold disable
undo inspect cpu-threshold disable
Default
Inspection suspension upon excessive CPU usage is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Packet inspection in the DPI engine is a complex and resource-consuming process.
Inspection suspension upon excessive CPU usage works as follows:
· When the device's CPU usage rises to or above the CPU usage threshold, the DPI engine suspends packet inspection to guarantee the device performance.
· When the device's CPU usage drops to or below the CPU usage recovery threshold, the DPI engine resumes packet inspection.
Do not disable inspection suspension upon excessive CPU usage if the device's CPU usage is high.
Examples
# Disable inspection suspension upon excessive CPU usage.
<Sysname> system-view
[Sysname] inspect cpu-threshold disable
Related commands
display inspect status
inspect bypass
inspect stream-fixed-length disable
inspect file-fixed-length
Use inspect file-fixed-length to set the fixed length for file inspection.
Use undo inspect file-fixed-length to restore the default.
Syntax
inspect file-fixed-length { email | ftp | http | nfs | smb } * length-value
undo inspect file-fixed-length
Default
The fixed length is 64 Kilobytes for FTP, HTTP, NFS, SMB, and email files.
Views
System view
Predefined user roles
network-admin
Parameters
email: Specifies email protocols, including SMTP, POP3, and IMAP.
ftp: Specifies the FTP protocol.
http: Specifies the HTTP protocol.
nfs: Specifies the NFS protocol.
smb: Specifies the SMB protocol.
length-value: Specifies the fixed length in the range of 1 to 2048 Kilobytes.
Usage guidelines
This command can be executed only if the DPI engine inspection mode is user-defined mode.
Typically, virus signatures are embedded in the first half of a file. Narrowing the inspection scope of each file improves the file inspection efficiency.
If a data stream contains multiple files, this feature inspects only the fixed length data of each file.
Because files are transmitted in a data stream, the fixed length of files must not be longer than that of the data stream configured by the inspect stream-fixed-length command.
Examples
# Set the fixed length to 128 Kilobytes for inspecting each HTTP file.
<Sysname> system-view
[Sysname] inspect file-fixed-length http 128
Related commands
inspect coverage user-defined
inspect file-fixed-length enable
inspect stream-fixed-length
inspect file-fixed-length enable
Use inspect file-fixed-length enable to enable file fixed length inspection.
Use undo inspect file-fixed-length enable to disable file fixed length inspection.
Syntax
inspect file-fixed-length enable
undo inspect file-fixed-length enable
Default
The file fixed length inspection is disabled and the file inspection length is not limited.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command can be executed only if the DPI engine inspection mode is user-defined mode.
The file fixed length inspection feature enables the DPI engine to inspect only a fixed length of file data instead of the entire file in each data stream.
With this feature configured, the DPI engine cannot identify the remaining file data that exceeds the defined fixed length, affecting the data filtering service.
Examples
# Enable file fixed length inspection.
<Sysname> system-view
[Sysname] inspect file-fixed-length enable
Related commands
inspect coverage user-defined
inspect file-fixed-length
inspect file-uncompr-layer
Use inspect file-uncompr-layer to set the maximum number of layers that can be decompressed.
Use undo inspect file-uncompr-layer to restore the default.
Syntax
inspect file-uncompr-layer max-layer
undo inspect file-uncompr-layer
Default
A maximum of three layers can be decompressed in a file.
Views
System view
Predefined user roles
network-admin
Parameters
max-layer: Specifies the maximum number of layers that can be decompressed in a file. The value range is 0 to 8. Value 0 indicates that the file will not be decompressed.
Usage guidelines
DPI engine can decompress only .zip and .gzip files for signature matching. This command specifies the maximum number of layers that can be decompressed in a file. DPI engine decompresses only the layers within the decompression layer limit.
Set an appropriate decompression layer limit.
· If you set a large limit, DPI engine might get stuck in decompressing a multi-layer compressed file, affecting the decompression of subsequent files and consuming a large amount of the memory.
· If you set a small limit, DPI engine might not identify the original file content correctly, affecting the accuracy of the file inspection results for DPI services (such as anti-virus and data filtering).
Examples
# Set the maximum number of layers that can be decompressed in a file to 5.
<Sysname> system-view
[Sysname] inspect file-uncompr-layer 5
Related commands
inspect file-uncompr-len
inspect file-uncompr-len
Use inspect file-uncompr-len to set the maximum data size that can be decompressed in a file.
Use undo inspect file-uncompr-len to restore the default.
Syntax
inspect file-uncompr-len max-size
undo inspect file-uncompr-len
Default
A maximum of 100 MB data can be decompressed in a file.
Views
System view
Predefined user roles
network-admin
Parameters
max-size: Specifies the maximum data size in the range of 1 to 200 MB.
Usage guidelines
The device can decompress .zip files for file data inspection. This command specifies the maximum data size that can be decompressed in a file. The remaining file data will be ignored.
Set an appropriate maximum data size for file decompression. A large data size might make the device get stuck in decompressing large files and the device forwarding performance might be affected. A small data size will affect the accuracy of the file inspection results for DPI services (such as anti-virus and data filtering).
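The two limits above (decompression layers from inspect file-uncompr-layer, decompressed data size from inspect file-uncompr-len) interact with signature matching in a way that is easier to see in code. The following Python is an added example written for this page, not H3C code and not a model of the device's actual implementation: it builds a small nested .zip sample (constructed input), peels layers under both limits, and shows that a signature inside the innermost file is only reachable when the layer limit is deep enough and the byte budget is large enough. The "give up" points and the one-member-per-archive assumption are this example's simplifications.

```python
import io
import zipfile


def build_nested_zip(payload: bytes, depth: int) -> bytes:
    """Build a zip archive nested `depth` times around `payload`.
    Constructed sample input for this example only."""
    data, name = payload, "payload.txt"
    for _ in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "inner.zip"
    return data


def decompress_for_inspection(data: bytes, max_layer: int, max_bytes: int) -> dict:
    """Peel zip layers for signature matching, bounded by a layer limit
    (models inspect file-uncompr-layer) and a decompressed-byte budget
    (models inspect file-uncompr-len). Returns the innermost data reached,
    the number of layers opened, and why peeling stopped."""
    current, layers, budget = data, 0, max_bytes
    while layers < max_layer and zipfile.is_zipfile(io.BytesIO(current)):
        with zipfile.ZipFile(io.BytesIO(current)) as zf:
            member = zf.infolist()[0]  # demo archives hold one member per layer
            with zf.open(member) as fh:
                # Read one byte past the remaining budget so the decision rests
                # on what actually inflates, not on the size declared in the
                # header, which an archive author controls.
                chunk = fh.read(budget + 1)
        if len(chunk) > budget:
            return {"data": current, "layers": layers, "stopped": "size-limit"}
        current, layers, budget = chunk, layers + 1, budget - len(chunk)
    stopped = "layer-limit" if zipfile.is_zipfile(io.BytesIO(current)) else "done"
    return {"data": current, "layers": layers, "stopped": stopped}


def signature_hit(data: bytes, signature: bytes) -> bool:
    """Plain substring match standing in for the engine's signature matcher."""
    return signature in data


# Constructed signature text: repeated so that deflate never falls back to a
# stored block, which keeps the marker invisible in the undecompressed layers.
SIGNATURE = b"constructed demo marker "
NESTED_SAMPLE = build_nested_zip(SIGNATURE * 8, depth=3)

if __name__ == "__main__":
    for layer_limit in (0, 1, 3):
        result = decompress_for_inspection(NESTED_SAMPLE, layer_limit, 1_000_000)
        print(layer_limit, result["layers"], result["stopped"],
              signature_hit(result["data"], SIGNATURE))
```

Running the block shows that with a layer limit of 0 or 1 the marker is never seen (the engine stops at "layer-limit"), with 3 it is found, and with a tiny byte budget peeling stops at "size-limit" before the first layer is opened. That is the trade-off the guidelines describe: a limit that is too small hides content from anti-virus and data filtering, while unbounded decompression lets a deeply nested or highly compressible archive consume memory.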
Examples
# Set the maximum data size that can be decompressed in a file to 150 MB.
<Sysname> system-view
[Sysname] inspect file-uncompr-len 150
inspect ips log-details enable
Use inspect ips log-details enable to enable IPS logging to record HTTP packet details.
Use undo inspect ips log-details enable to disable this feature.
Syntax
inspect ips log-details enable
undo inspect ips log-details enable
Default
This feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This feature enables the device to cache HOST, URI, and other fields and record them in IPS logs. For example, when an HTTP response matches an IPS policy, the device records the HOST field in the HTTP request and the status line and some header fields in the HTTP response.
To save memory resources, enable this feature only when necessary.
Examples
# Enable IPS logging to record HTTP packet details.
<Sysname> system-view
[Sysname] inspect ips log-details enable
inspect log-details max-size
Use inspect log-details max-size to set the maximum memory size for storing the HTTP fields in IPS logs.
Use undo inspect log-details max-size to restore the default.
Syntax
inspect log-details max-size max-size-value
undo inspect log-details max-size
Default
The maximum memory size is calculated according to the device memory.
Views
System view
Predefined user roles
network-admin
Parameters
max-size-value: Specifies the maximum memory size for storing the HTTP fields in IPS logs, in the range of 1 to 524288 MB.
Usage guidelines
Operating mechanism
If a large number of HTTP packets exist in the network, recording HTTP packet details in IPS logs can consume a large amount of memory and degrade the device performance. You can set the maximum memory size to limit the amount of memory used to store the fields in IPS logs. A smaller maximum memory size might cause fields in some IPS logs to fail to be displayed.
Examples
# Set the maximum memory size for storing the HTTP fields in IPS logs to 524288 MB.
<Sysname> system-view
[Sysname] inspect log-details max-size 524288
inspect logging parameter-profile
Use inspect logging parameter-profile to create a logging parameter profile and enter its view, or enter the view of an existing logging parameter profile.
Use undo inspect logging parameter-profile to delete a logging parameter profile.
Syntax
inspect logging parameter-profile parameter-name
undo inspect logging parameter-profile parameter-name
Default
No logging parameter profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
parameter-name: Specifies a logging parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In logging parameter profile view, you can set parameters for the logging action, such as the log output method.
Examples
# Create a logging parameter profile named log1 and enter its view.
<Sysname> system-view
[Sysname] inspect logging parameter-profile log1
[Sysname-inspect-logging-log1]
Related commands
log
inspect optimization disable
Use inspect optimization disable to disable a DPI engine optimization feature.
Use undo inspect optimization disable to enable a DPI engine optimization feature.
Syntax
inspect optimization [ chunk | no-acsignature | raw | uncompress | url-normalization ] disable
undo inspect optimization [ chunk | no-acsignature | raw | uncompress | url-normalization ] disable
Default
All DPI engine optimization features are enabled.
Views
System view
Predefined user roles
network-admin
Parameters
chunk: Specifies the chunked packet decoding feature.
no-acsignature: Specifies the inspection rules that do not contain AC patterns.
raw: Specifies the application layer payload decoding feature.
uncompress: Specifies the HTTP body uncompression feature.
url-normalization: Specifies the HTTP URL normalization feature.
Usage guidelines
If you do not specify any parameter, this command applies to all DPI engine optimization features.
DPI engine supports the following optimization features:
· Chunked packet decoding—Chunk is a packet transfer mechanism of the HTTP body. DPI engine must decode a chunked HTTP body before it inspects the HTTP body. When the device throughput is too low to ensure basic communication, you can disable DPI engine from decoding chunked packets to improve the device performance. However, when chunked packet decoding is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.
· Inspection rules that do not contain AC patterns—Inspection rules that do not contain AC patterns contain only options. These rules match packets by fields such as port numbers and error codes rather than by character strings. These rules by default are enabled to improve the inspection accuracy. However, when the device throughput is too low to ensure basic communication, you can disable these rules to improve the device performance.
· Application layer payload decoding—For application layer protocols featuring encoding and decoding, such as HTTP, SMTP, POP3, and IMAP4, DPI engine must decode the payload before inspection. When the device throughput is too low to ensure basic communication, you can disable DPI engine from decoding application layer payloads to improve the device performance. However, disabling application layer payload decoding affects the inspection accuracy of the DPI engine.
· HTTP body uncompression—If the HTTP body field is compressed, DPI engine must uncompress the body before inspection. When the device throughput is too low to ensure basic communication, you can disable DPI engine from uncompressing the HTTP body field to improve the device performance. However, when HTTP body uncompression is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.
· HTTP URL normalization—HTTP URL normalization is the process by which the absolute path in a URL is normalized and special URLs are standardized and checked. For example, the absolute path test/dpi/../index.html is normalized as test/index.html. When the device throughput is too low to ensure basic communication, you can disable DPI engine from normalizing HTTP URLs to improve the device performance. However, when HTTP URL normalization is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.
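To make concrete why disabling chunked packet decoding or HTTP URL normalization costs inspection accuracy, here is an added Python example (written for this page; it is not H3C code and does not model the engine's internal decoder). It implements a minimal HTTP/1.1 chunked-body decoder and a path normalizer, then applies a URL rule and a content rule to a constructed request with the optimizations on and off. The rule strings, the sample body, and the inspect_http helper are this example's own constructions; the normalization case is the page's own test/dpi/../index.html example, extended to percent-encoded dot segments.

```python
import posixpath
from urllib.parse import unquote


def normalize_url_path(path: str) -> str:
    """Percent-decode, then collapse '.', '..' and repeated slashes in a path,
    as in the page's example: test/dpi/../index.html -> test/index.html."""
    normalized = posixpath.normpath(unquote(path))
    return "" if normalized == "." else normalized


def decode_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-encoded body (RFC 9112, section 7.1).
    Raises ValueError on a truncated or malformed body."""
    out = bytearray()
    pos = 0
    while True:
        try:
            end = body.index(b"\r\n", pos)
            size = int(body[pos:end].split(b";")[0].strip(), 16)  # drop extensions
        except ValueError as exc:
            raise ValueError("malformed chunked body") from exc
        pos = end + 2
        if size == 0:
            break  # last-chunk; any trailer fields are ignored here
        if pos + size + 2 > len(body):
            raise ValueError("malformed chunked body")
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)


def inspect_http(url_path: str, body: bytes, url_rule: str,
                 content_rule: bytes, optimizations_on: bool) -> dict:
    """Apply one URL rule and one content rule to a request, with or without
    the two optimizations the page describes."""
    if optimizations_on:
        url_path, body = normalize_url_path(url_path), decode_chunked(body)
    return {"url_hit": url_path == url_rule, "content_hit": content_rule in body}


# Constructed sample: the page's keyword split across two chunks.
CHUNKED_BODY = b"7\r\nthis is\r\n9\r\n a secret\r\n0\r\n\r\n"
URL_RULE = "test/index.html"
CONTENT_RULE = b"this is a secret"

if __name__ == "__main__":
    for state in (True, False):
        print("optimizations on" if state else "optimizations off",
              inspect_http("test/dpi/../index.html", CHUNKED_BODY,
                           URL_RULE, CONTENT_RULE, state))
```

With the optimizations on, both rules fire; with them off, the same request matches neither rule, because the raw path still contains the dot segment and the keyword is interrupted by chunk-size lines. That is the detection gap the guidelines warn about, and it is why these features should stay enabled unless throughput genuinely cannot be sustained.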
Examples
# Disable all DPI engine optimization features.
<Sysname> system-view
[Sysname] inspect optimization disable
inspect packet maximum
Use inspect packet maximum to set the maximum number of payload-carrying packets to be inspected per data flow.
Use undo inspect packet to restore the default.
Syntax
inspect packet maximum max-number
undo inspect packet
Default
The DPI engine can inspect a maximum of 32 payload-carrying packets per data flow.
Views
System view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of payload-carrying packets to be inspected per data flow, in the range of 1 to 254.
Usage guidelines
If DPI engine finds that the first payload-carrying packet of a data flow does not match any inspection rule, it continues to inspect the next payload-carrying packet, and so on. If DPI engine has inspected the maximum number of payload-carrying packets but finds no matching inspection rule, it determines the flow does not match any rule and allows the flow to pass.
The more payload-carrying packets DPI engine inspects, the more likely that DPI engine identifies the application information and the more accurate the DPI engine inspection.
Typically, the default setting is sufficient for most scenarios. You can adjust the setting according to your network condition.
· If the device throughput is high, increase the maximum number value.
· If the device throughput is low, decrease the maximum number value.
Examples
# Allow the DPI engine to inspect a maximum of 16 payload-carrying packets per data flow for application identification.
<Sysname> system-view
[Sysname] inspect packet maximum 16
inspect record-filename nfs maximum
Use inspect record-filename nfs maximum to set the maximum number of NFS file names recorded.
Use undo inspect record-filename nfs maximum to restore the default.
Syntax
inspect record-filename nfs maximum max-number
undo inspect record-filename nfs maximum
Default
The maximum number of NFS file names recorded is calculated according to the actual memory size of the device.
Views
System view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of NFS file names recorded, in the range of 0 to 4294967295. The value 0 indicates that the number of NFS file names recorded is not limited.
Usage guidelines
The DPI engine records file names during file detection for users to obtain file information in logs. The record process occupies memory resources. The more files detected, the more memory resources occupied. In an environment using NFS to transfer a large number of files, execute this command to limit the memory resources consumed by recording file names.
In scenarios requiring high performance, you can set a small limit to reduce memory consumption. In scenarios not requiring high performance, you can set a large limit to enable users to obtain more file information.
Examples
# Set the maximum number of NFS file names recorded to 110000.
<Sysname> system-view
[Sysname] inspect record-filename nfs maximum 110000
inspect redirect parameter-profile
Use inspect redirect parameter-profile to create a redirect parameter profile and enter its view, or enter the view of an existing redirect parameter profile.
Use undo inspect redirect parameter-profile to delete a redirect parameter profile.
Syntax
inspect redirect parameter-profile parameter-name
undo inspect redirect parameter-profile parameter-name
Default
No redirect parameter profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
parameter-name: Specifies a redirect parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In redirect parameter profile view, you can set parameters for the redirect action, such as the URL to which packets are redirected.
Examples
# Create a redirect parameter profile named r1 and enter its view.
<Sysname> system-view
[Sysname] inspect redirect parameter-profile r1
[Sysname-inspect-redirect-r1]
inspect signature auto-update proxy
Use inspect signature auto-update proxy to specify the proxy server used by DPI services for online signature update.
Use undo inspect signature auto-update proxy to restore the default.
Syntax
inspect signature auto-update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name password { cipher | simple } string ]
undo inspect signature auto-update proxy
Default
The proxy server used by DPI services for online signature update is not specified.
Views
System view
Predefined user roles
network-admin
Parameters
domain domain-name: Specifies a proxy server by its domain name, a case-sensitive string of 3 to 63 characters.
ip ip-address: Specifies a proxy server by its IPv4 address.
port port-number: Specifies the port number used by the proxy server. The value range is 1 to 65535, and the default is 80.
user user-name: Specifies the username used to log in to the proxy server. The username is a case-sensitive string of 1 to 31 characters.
password: Specifies the password used to log in to the proxy server.
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password in plaintext form will be stored in encrypted form.
string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 31 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.
Usage guidelines
The device must access the company's website for online signature update of DPI services such as URL filtering. If direct connectivity is not available, the device can access the company's website through the specified proxy server. For more information about online signature update, see DPI Configuration Guide.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify server http://www.example.com/ on port 8888 as the proxy server and set the login username and password to admin.
<Sysname> system-view
[Sysname] inspect signature auto-update proxy domain www.example.com port 8888 user admin password simple admin
inspect signature auto-update source
Use inspect signature auto-update source to specify the source address for the request packet for online DPI service signature update.
Use undo inspect signature auto-update source to restore the default.
Syntax
inspect signature auto-update source { ip | ipv6 } { ip-address | interface interface-type interface-number }
undo inspect signature auto-update source
Default
The source address of the request packet is the IP address of the outgoing interface in the matching route.
Views
System view
Predefined user roles
network-admin
Parameters
ip ip-address: Specifies the source IPv4 address.
ipv6 ip-address: Specifies the source IPv6 address.
interface interface-type interface-number: Uses the primary IPv4 address or the lowest IPv6 address of the interface as the source IP address.
Usage guidelines
You can execute this command to specify the source IP address for the request packet sent from the device to the library server for online DPI service signature update. For example, if the packet sent by the device must be NATed, you must specify a source IP address that matches the NAT rule. If the packet traverses an independent NAT device, the specified source IP address must be able to reach the NAT device.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify 1.1.1.1 as the source address for the request packet for online DPI service signature update.
<Sysname> system-view
[Sysname] inspect signature auto-update source ip 1.1.1.1
inspect smb-reassemble enable
Use inspect smb-reassemble enable to enable SMB protocol packet reassembly.
Use undo inspect smb-reassemble enable to disable SMB protocol packet reassembly.
Syntax
inspect smb-reassemble enable
undo inspect smb-reassemble enable
Default
SMB protocol packet reassembly is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
A large number of out-of-order SMB protocol packets might cause the DPI engine to fail to detect this protocol. This command improves the accuracy of the DPI engine in detecting SMB protocol packets.
When the device receives out-of-order SMB packets, it temporarily saves these packets and subsequent packets from the same flow to the buffer for packet reassembly. After being reassembled, the packets are forwarded for further processing.
Examples
# Enable SMB protocol packet reassembly.
<Sysname> system-view
[Sysname] inspect smb-reassemble enable
inspect source-port-identify enable
Use inspect source-port-identify enable to enable source port-based application identification.
Use undo inspect source-port-identify enable to disable source port-based application identification.
Syntax
inspect source-port-identify enable
undo inspect source-port-identify enable
Default
Source port-based application identification is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
You can use this feature to identify traffic of applications that use fixed source ports when the following conditions are true:
· The types of traffic transmitted over networks are relatively unvaried and use fixed source ports.
· Destination port-based application identification or signature-based traffic content identification is not supported.
The application identification results produced by this feature might not be accurate. Configure this feature according to your live network as a best practice.
Examples
# Enable source port-based application identification.
<Sysname> system-view
[Sysname] inspect source-port-identify enable
inspect stream-fixed-length
Use inspect stream-fixed-length to set the maximum length for stream inspection.
Use undo inspect stream-fixed-length to restore the default.
Syntax
inspect stream-fixed-length { audio-video | dns | email | ftp | http | https | imaps | nfs | pop3s | rtmp | sip | smb | smtps | telnet | tftp } * length
undo inspect stream-fixed-length
Default
The maximum length is 32 Kilobytes for the FTP, HTTP, NFS, SMB, and email protocols (email includes SMTP, POP3, and IMAP). For audio/video applications and the DNS, HTTPS, IMAPS, POP3S, RTMP, SIP, SMTPS, Telnet, and TFTP protocols, the length for stream inspection is not limited.
Views
System view
Predefined user roles
network-admin
Parameters
audio-video: Specifies audio/video applications.
dns: Specifies the DNS protocol.
email: Specifies email protocols, including SMTP, POP3 and IMAP.
ftp: Specifies the FTP protocol.
http: Specifies the HTTP protocol.
https: Specifies the HTTPS protocol.
imaps: Specifies the IMAPS protocol.
nfs: Specifies the NFS protocol.
pop3s: Specifies the POP3S protocol.
rtmp: Specifies the RTMP protocol.
sip: Specifies the SIP protocol.
smb: Specifies the SMB protocol.
smtps: Specifies the SMTPS protocol.
telnet: Specifies the Telnet protocol.
tftp: Specifies the TFTP protocol.
length: Specifies the fixed length in the range of 1 to 2048 Kilobytes.
Usage guidelines
This command can be executed only if the DPI engine inspection mode is user-defined mode.
The larger the inspection length value, the lower the device throughput, and the higher the packet inspection accuracy.
Examples
# Set the maximum length to 35 Kilobytes for inspecting each FTP stream and 40 Kilobytes for inspecting each HTTP stream.
<Sysname> system-view
[Sysname] inspect stream-fixed-length ftp 35 http 40
Related commands
inspect coverage user-defined
inspect cpu-threshold disable
inspect stream-fixed-length disable
inspect stream-fixed-length disable
Use inspect stream-fixed-length disable to disable stream maximum length inspection.
Use undo inspect stream-fixed-length disable to enable stream maximum length inspection.
Syntax
inspect stream-fixed-length disable
undo inspect stream-fixed-length disable
Default
The stream maximum length inspection feature is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command can be executed only if the DPI engine inspection mode is user-defined mode.
The stream maximum length inspection feature enables the DPI engine to inspect only a specified stream length for a protocol or an audio/video application instead of the whole packet data in a stream.
Disable this feature if your network requires high packet inspection accuracy.
Examples
# Disable stream maximum length inspection.
<Sysname> system-view
[Sysname] inspect stream-fixed-length disable
Related commands
inspect coverage user-defined
inspect cpu-threshold disable
inspect stream-fixed-length
inspect tcp-reassemble enable
Use inspect tcp-reassemble enable to enable the TCP segment reassembly feature.
Use undo inspect tcp-reassemble enable to disable the TCP segment reassembly feature.
Syntax
inspect tcp-reassemble enable
undo inspect tcp-reassemble enable
Default
The TCP segment reassembly feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
DPI engine inspection might fail if TCP segments arrive at the engine out of order. For example, the DPI engine searches for the keywords this is a secret. If the TCP segment containing a secret arrives before the one containing this is, the inspection fails.
The TCP segment reassembly feature enables the device to cache out-of-order TCP segments of the same TCP flow and reassembles the segments before submitting them to the DPI engine for inspection. This helps improve the DPI engine inspection accuracy.
Segment reassembly fails because of missing segments when the number of cached TCP segments of a flow reaches the limit. In this case, the device submits the cached segments to the DPI engine without reassembling them, and submits all subsequent segments of the flow directly. This helps reduce degradation of the device performance.
Examples
# Enable the TCP segment reassembly feature.
<Sysname> system-view
[Sysname] inspect tcp-reassemble enable
Related commands
inspect tcp-reassemble max-segment
inspect tcp-reassemble max-segment
Use inspect tcp-reassemble max-segment to set the maximum number of TCP segments that can be cached per TCP flow.
Use undo inspect tcp-reassemble max-segment to restore the default.
Syntax
inspect tcp-reassemble max-segment max-number
undo inspect tcp-reassemble max-segment
Default
A maximum of 10 TCP segments can be cached for reassembly per TCP flow.
Views
System view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number in the range of 10 to 50.
Usage guidelines
Set the limit for the number of TCP segments that can be cached per flow according to your network requirements. The higher the limit, the higher the inspection accuracy, and the lower the device performance.
This command takes effect only when the TCP segment reassembly feature is enabled.
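The interaction between the out-of-order example under inspect tcp-reassemble enable (the keywords this is a secret arriving split and reversed) and the per-flow cache limit set here is shown in the following added Python example. It is written for this page and is not H3C code; it does not model the device's real reassembly engine. Assumptions made here: a flow gives up as soon as its cache holds max_segment segments while a gap is still open, the cached segments are then handed to the inspector in arrival order, retransmissions of already delivered data are dropped, and the Segment, FlowReassembler and run_flow names and the sample segments are constructed for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int       # sequence number of the segment's first payload byte
    data: bytes


@dataclass
class FlowReassembler:
    """Per-flow out-of-order segment cache modeled on the behaviour described
    above. When the cache reaches max_segment with a gap still open, the
    cached segments are flushed unreassembled in arrival order and every
    later segment passes straight through (assumption for this example)."""
    next_seq: int
    max_segment: int = 10
    cache: dict = field(default_factory=dict)        # seq -> data, arrival ordered
    delivered: bytearray = field(default_factory=bytearray)
    reassembled: bool = True

    def push(self, seg: Segment) -> None:
        if not self.reassembled:
            self.delivered += seg.data               # pass-through after giving up
        elif seg.seq == self.next_seq:
            self._deliver(seg.data)
            self._drain()
        elif seg.seq > self.next_seq:
            self.cache[seg.seq] = seg.data
            if len(self.cache) >= self.max_segment:
                for data in self.cache.values():     # flush in arrival order
                    self.delivered += data
                self.cache.clear()
                self.reassembled = False
        # seg.seq < next_seq: retransmission of data already delivered; dropped

    def _deliver(self, data: bytes) -> None:
        self.delivered += data
        self.next_seq += len(data)

    def _drain(self) -> None:
        while self.next_seq in self.cache:
            self._deliver(self.cache.pop(self.next_seq))


def run_flow(segments, max_segment=10, reassemble=True, start_seq=0):
    """Feed segments in arrival order. Returns the bytes the inspector sees
    and whether they were reassembled into stream order."""
    if not reassemble:
        return b"".join(s.data for s in segments), False
    flow = FlowReassembler(next_seq=start_seq, max_segment=max_segment)
    for seg in segments:
        flow.push(seg)
    return bytes(flow.delivered), flow.reassembled


KEYWORD = b"this is a secret"   # the rule text from the page's example
# Constructed arrival order: the second segment shows up first.
OUT_OF_ORDER = [Segment(7, b" a secret"), Segment(0, b"this is")]

if __name__ == "__main__":
    for enabled in (False, True):
        seen, ordered = run_flow(OUT_OF_ORDER, reassemble=enabled)
        print("reassembly", enabled, "->", seen, "keyword hit:", KEYWORD in seen)
```

With reassembly off the inspector sees " a secretthis is" and the rule misses; with it on it sees the keyword intact. The third scenario in the test (first segment lost, cache limit 2) shows the fallback path: the cached segments are flushed out of order, so a larger max-segment buys accuracy at the cost of memory held per flow.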
Examples
# Allow the device to cache a maximum of 20 TCP segments for each TCP flow.
<Sysname> system-view
[Sysname] inspect tcp-reassemble max-segment 20
Related commands
inspect tcp-reassemble enable
inspect transparent enable
Use inspect transparent enable to enable DPI engine to transparently transmit DPI service traffic.
Use undo inspect transparent enable to disable DPI engine from transparently transmitting DPI service traffic.
Syntax
inspect transparent enable
undo inspect transparent enable
Default
The DPI engine is enabled to transparently transmit DPI service traffic.
Views
System view
Predefined user roles
network-admin
Usage guidelines
When asymmetric traffic exists in the network environment (that is, the forward and backward paths are inconsistent for packets of the same flow), the forward and backward packets of the flow might be sent to different devices. As a result, DPI services might fail to be processed correctly. For example, antivirus services cannot detect virus files. To solve this problem, the DPI engine transparently transmits DPI service traffic between devices by default. This ensures that the forward and backward packets of the same flow are sent to the same device.
Transparent traffic transmission consumes device resources and reduces device performance. When the network environment requires high device performance and can accept the risk of losing some DPI service detection accuracy, you can disable the DPI engine from transparently transmitting DPI service traffic to reduce the impact on device performance.
Examples
# Disable DPI engine from transparently transmitting DPI service traffic.
<Sysname> system-view
[Sysname] undo inspect transparent enable
inspect uncompress maximum
Use inspect uncompress maximum to set the maximum number of file decompression operations.
Use undo inspect uncompress maximum to restore the default.
Syntax
inspect uncompress maximum max-number
undo inspect uncompress maximum
Default
The maximum number of file decompression operations is calculated according to the actual memory size of the device.
Views
System view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of file decompression operations, in the range of 0 to 4294967295. The value 0 indicates that the number of file decompression operations is not limited.
Usage guidelines
The DPI engine consumes memory resources each time it performs a file decompression operation. A large number of file decompression operations might consume a large number of memory resources. Execute this command to limit the memory resources consumed by file decompression operations.
Examples
# Set the maximum number of file decompression operations to 120000.
<Sysname> system-view
[Sysname] inspect uncompress maximum 120000
inspect url-filter warning parameter-profile
Use inspect url-filter warning parameter-profile to create a warning parameter profile for URL filtering and enter its view, or enter the view of an existing warning parameter profile for URL filtering.
Use undo inspect url-filter warning parameter-profile to delete a warning parameter profile for URL filtering.
Syntax
inspect url-filter warning parameter-profile profile-name
undo inspect url-filter warning parameter-profile profile-name
Default
No warning parameter profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies a warning parameter profile name, a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, and underscores (_).
Usage guidelines
After you create a warning parameter profile for URL filtering, you can import a user-defined alarm message from a file.
Examples
# Create a warning parameter profile for URL filtering named c1 and enter its view.
<Sysname> system-view
[Sysname] inspect url-filter warning parameter-profile c1
[Sysname-inspect-url-filter-warning-c1]
Related commands
import warning-file
inspect warning parameter-profile
Use inspect warning parameter-profile to create an anti-virus warning parameter profile and enter its view, or enter the view of an existing anti-virus warning parameter profile.
Use undo inspect warning parameter-profile to delete an anti-virus warning parameter profile.
Syntax
inspect warning parameter-profile profile-name
undo inspect warning parameter-profile profile-name
Default
No anti-virus warning parameter profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies an anti-virus warning parameter profile name, a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, and underscores (_).
Usage guidelines
After you create an anti-virus warning parameter profile, you can import a user-defined alarm message from a file.
Examples
# Create an anti-virus warning parameter profile named w1 and enter its view.
<Sysname> system-view
[Sysname] inspect warning parameter-profile w1
[Sysname-inspect-warning-w1]
Related commands
import block warning-file
reset block warning-file
warning parameter-profile
log
Use log to specify the log storage method.
Use undo log to cancel the specified log storage method.
Syntax
log syslog
undo log syslog
Default
Logs are exported to the information center.
Views
Logging parameter profile view
Predefined user roles
network-admin
Parameters
syslog: Exports the logs to the information center.
Examples
# Configure the device to export logs to the information center in logging parameter profile log1.
<Sysname> system-view
[Sysname] inspect logging parameter-profile log1
[Sysname-inspect-logging-log1] log syslog
Related commands
inspect logging parameter-profile
log language
Use log language to set the language for IPS log output to Chinese.
Use undo log language to restore the default.
Syntax
log language chinese
undo log language chinese
Default
IPS logs are output in English.
Views
Logging parameter profile view
Predefined user roles
network-admin
Usage guidelines
After you execute this command, only the attack name field of IPS logs is displayed in Chinese; all other fields remain in English. For more information about IPS logs, see "IPS commands."
Examples
# Set the language for IPS log output to Chinese.
<Sysname> system-view
[Sysname] inspect logging parameter-profile log1
[Sysname-inspect-log-para-log1] log language chinese
Related commands
inspect logging parameter-profile
redirect-url
Use redirect-url to specify the URL to which packets are redirected.
Use undo redirect-url to restore the default.
Syntax
redirect-url url-string
undo redirect-url
Default
No URL is specified for packet redirecting.
Views
Redirect parameter profile view
Predefined user roles
network-admin
Parameters
url-string: Specifies the URL, a case-sensitive string of 9 to 63 characters. The URL must start with http:// or https://, for example, https://www.example.com.
Usage guidelines
After you specify a URL, matching packets will be redirected to the webpage that the URL identifies.
Examples
# Specify https://www.example.com/upload as the URL for packet redirecting.
<Sysname> system-view
[Sysname] inspect redirect parameter-profile r1
[Sysname-inspect-redirect-r1] redirect-url https://www.example.com/upload
Related commands
inspect redirect parameter-profile
reset block warning-file
Use reset block warning-file to restore the default anti-virus alarm message.
Syntax
reset block warning-file
Views
Anti-virus warning parameter profile view
Predefined user roles
network-admin
Usage guidelines
This command allows you to clear the user-defined anti-virus alarm message and restore the default message.
Examples
# Restore the default alarm message in the anti-virus warning parameter profile w1.
<Sysname> system-view
[Sysname] inspect warning parameter-profile w1
[Sysname-inspect-warning-w1] reset block warning-file
Related commands
import block warning-file
reset inspect smb-breakpoint-resume table
Use reset inspect smb-breakpoint-resume table to clear the breakpoint resumption table for the SMB protocol.
Syntax
reset inspect smb-breakpoint-resume table { ipv4 | ipv6 }
Views
User view
Predefined user roles
network-admin
network-operator
Parameters
ipv4: Specifies the IPv4 breakpoint resumption table for the SMB protocol.
ipv6: Specifies the IPv6 breakpoint resumption table for the SMB protocol.
Examples
# Clear the IPv4 breakpoint resumption table for the SMB protocol.
<Sysname> reset inspect smb-breakpoint-resume table ipv4
Related commands
display inspect smb-breakpoint-resume table
reset warning-file
Use reset warning-file to restore the default alarm message for URL filtering.
Syntax
reset warning-file
Views
URL filtering warning parameter profile view
Predefined user roles
network-admin
Usage guidelines
This command allows you to clear the user-defined alarm message and restore the default message for URL filtering.
Examples
# Restore the default alarm message in the warning parameter profile for URL filtering c1.
<Sysname> system-view
[Sysname] inspect url-filter warning parameter-profile c1
[Sysname-inspect-url-filter-warning-c1] reset warning-file
Related commands
import warning-file