19-Security Configuration Guide
21-APR configuration
APR signature library management
Restrictions: Licensing requirements for APR
Configuring a user-defined NBAR application
Creating a user-defined NBAR application
Configuring a user-defined NBAR rule
Configuring application groups
Enabling application statistics on an interface
Managing the APR signature library
Restrictions and guidelines for APR signature library management
Scheduling an automatic update for the APR signature library
Triggering an automatic update for the APR signature library
Performing a manual update for the APR signature library
Display and maintenance commands for APR
Verifying application and application group configurations
Displaying and clearing application statistics
Displaying APR signature library information
Configuring APR
About APR
The application recognition (APR) feature identifies the application that each packet belongs to, so that features such as application audit and management can act on packets per application.
APR uses the following methods to recognize an application:
· Port-based application recognition (PBAR).
· Network-based application recognition (NBAR).
PBAR
PBAR maps a port to an application and recognizes packets of the application according to the port-protocol mapping.
PBAR provides predefined port-application mappings. You can modify the predefined port-application mappings.
PBAR offers the following mappings to maintain and apply user-defined port configuration:
· General port mapping—Maps a user-defined port to an application. All packets destined for that port are regarded as packets of the application. For example, if port 53222 is mapped to BitTorrent, all packets destined for that port are regarded as BitTorrent packets.
· Host-port mapping—Maps a user-defined port to an application for packets to or from some specific hosts. For example, you can establish a host-port mapping so that all packets destined for the network segment 10.110.0.0/16 on port 53222 are regarded as BitTorrent packets. To define the range of the hosts, you can specify the ACL, the host IP address range, or the subnet.
Host-port mapping can be further divided into the following categories:
○ ACL-based host-port mapping—Maps a port to an application for the packets matching the specified ACL.
○ Subnet-based host-port mapping—Maps a port to an application for the packets sent to the specified subnet.
○ IP address-based host-port mapping—Maps a port to an application for the packets destined for the specified IP addresses.
APR selects a port mapping to recognize the application of a packet in the following order:
· IP address-based host-port mapping.
· Subnet-based host-port mapping.
· ACL-based host-port mapping.
· General port mapping.
Within the same mapping type, a port mapping that specifies a transport layer protocol has higher priority than a mapping that does not.
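To make the lookup order concrete, the following added Python model (example code, not the device's implementation) applies the selection rules above to a set of mappings that all claim the same port; the mapping record layout, the packet dictionary keys and the ACL predicate are assumptions of this model.

```python
import ipaddress

# Added example (not the device's code): a model of the PBAR lookup order
# described above. Mapping kinds are tried as host-IP, then subnet, then
# ACL, then general; within one kind a mapping that names a transport
# protocol beats one that does not. ACL matching is reduced to a
# caller-supplied predicate because ACL syntax is outside this chapter.

LOOKUP_ORDER = ("host", "subnet", "acl", "general")


def _protocol_ok(mapping, pkt):
    # A mapping without a protocol applies to any transport protocol.
    return mapping.get("protocol") in (None, pkt["protocol"])


def _scope_ok(mapping, pkt):
    dst = ipaddress.ip_address(pkt["dst_ip"])
    kind = mapping["kind"]
    if kind == "host":
        lo = ipaddress.ip_address(mapping["start"])
        hi = ipaddress.ip_address(mapping.get("end", mapping["start"]))
        return lo <= dst <= hi
    if kind == "subnet":
        return dst in ipaddress.ip_network(mapping["subnet"], strict=False)
    if kind == "acl":
        return mapping["acl"](pkt)
    return True  # general mapping: the destination port alone decides


def select_port_mapping(pkt, mappings):
    """Return the application PBAR assigns to pkt, or None if nothing fits."""
    for kind in LOOKUP_ORDER:
        hits = [m for m in mappings
                if m["kind"] == kind and m["port"] == pkt["dst_port"]
                and _protocol_ok(m, pkt) and _scope_ok(m, pkt)]
        if hits:
            # protocol-specific mapping first, protocol-agnostic mapping last
            hits.sort(key=lambda m: m.get("protocol") is None)
            return hits[0]["app"]
    return None


# Constructed mappings that all claim port 53222. "bittorrent" follows the
# chapter's own example; the other application names are invented.
MAPPINGS = [
    {"kind": "general", "port": 53222, "app": "bittorrent"},
    {"kind": "subnet", "port": 53222, "subnet": "10.110.0.0/16", "app": "app-subnet"},
    {"kind": "host", "port": 53222, "start": "10.110.1.10", "end": "10.110.1.20",
     "protocol": "udp", "app": "app-host-udp"},
    {"kind": "acl", "port": 53222, "app": "app-acl",
     "acl": lambda p: p["src_ip"].startswith("192.168.")},
]
```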
NBAR
NBAR recognizes applications by matching packet contents against NBAR rules. It inspects the packets that match the applied object policy.
NBAR application types
NBAR can recognize the following application types:
· Predefined—Defined by NBAR rules in the APR signature library.
· User-defined—Defined by user-configured NBAR rules.
NBAR risk types
A user-defined application can have multiple or no risk types.
The more risk types a user-defined application has, the higher risk level the application has. You can configure protection policies (such as security policies) according to the risk level.
The risk types for predefined applications are automatically generated by the APR signature library.
NBAR application priority
When a packet matches multiple applications with different priorities, the application with the highest priority applies. When a packet matches multiple applications with the same priority, the application first configured applies.
Application group
You can add applications that have similar signatures or restrictions to an application group. APR recognizes packets of the applications by matching the packet contents with the signatures or restrictions. If a packet is recognized as the packet of an application in the application group, the packet is considered to be the packet of the application group. Features such as application audit and management can handle packets belonging to the same group in batch.
APR signature library management
APR signature library
The APR signature library is a resource library of character string signatures for application recognition. It includes PBAR and NBAR signatures. To keep up with changing application recognition requirements, you must update the APR signature library in a timely manner.
APR signature library update
You can update the APR signature library by using one of the following methods:
· Automatic update.
The device automatically downloads the most up-to-date APR signature file to update its local signature library periodically.
· Triggered update.
The device downloads the most up-to-date APR signature file to update its local signature library immediately after you trigger the update operation.
· Manual update.
Use this method when the device cannot obtain the APR signature file automatically.
You must first download the most up-to-date APR signature file manually. The device then obtains the downloaded file to update its local signature library.
Restrictions: Licensing requirements for APR
To update the APR signature library, you must purchase and install the appropriate license. After the license expires, APR can still use the existing signature library but cannot update the signature library. For information about licenses, see license management in Fundamentals Configuration Guide.
APR tasks at a glance
To configure APR, perform the following tasks:
1. Configuring PBAR
2. Configuring a user-defined NBAR application
3. Configuring application groups
4. (Optional.) Enabling application statistics on an interface
5. Managing the APR signature library
Configuring PBAR
1. Enter system view.
system-view
2. Configure a port mapping. Choose the options to configure as needed:
○ Configure a general port mapping:
port-mapping application application-name port port-number [ protocol protocol-name ]
○ Configure an ACL-based host-port mapping:
port-mapping application application-name port port-number [ protocol protocol-name ] acl [ ipv6 ] acl-number
○ Configure a subnet-based host-port mapping:
port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]
○ Configure an IP address-based host-port mapping:
port-mapping application application-name port port-number [ protocol protocol-name ] host { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]
By default, all applications are mapped to well-known ports.
If the specified application does not exist, the system first creates the mapping.
Configuring a user-defined NBAR application
Creating a user-defined NBAR application
About this task
You can configure a user-defined NBAR application if predefined NBAR applications cannot meet user needs.
A user-defined NBAR application can contain the following content:
· Application description.
· Rules (number-type and keyword-type).
· Match logic between rules.
· Application priority.
· Risk type of the application.
· Maximum detected length.
When the match logic is AND, a packet matches a user-defined NBAR application if it matches all rules of the application. When the match logic is OR, a packet matches a user-defined NBAR application if it matches any one of the rules of the application.
Restrictions and guidelines
Before configuring risk types, you must update the APR signature library to the latest version.
Procedure
1. Enter system view.
system-view
2. Create a user-defined NBAR application and enter its view.
nbar application application-name
3. Configure a priority for the application.
priority priority-level
By default, no priority is configured. The smaller the priority value, the higher the priority.
4. Configure the rule match logic of the application.
rule match-logic { and | or }
By default, the rule match logic is or.
5. (Optional.) Configure the description of the application.
description text
By default, the user-defined NBAR application is described as User defined application.
6. Configure a risk type for the user-defined application.
risk type risk-type
By default, a user-defined application does not have any risk type.
7. (Optional.) Set the maximum detected length.
apr set detectlen bytes
By default, the maximum detected length is not set for an application.
Configuring a user-defined NBAR rule
About this task
You can configure rules for a user-defined NBAR application. A user-defined NBAR rule can contain the following contents:
· Rule description.
· Signatures.
· Match criteria, including source and destination IP subnets, packet direction, and source and destination port numbers.
You can configure more than one match criterion for the NBAR rule. To match the NBAR rule, packets must match all the configured match criteria in the rule. If multiple signatures are configured, packets must match a minimum of one signature.
User-defined NBAR rules include integer-type rules and keyword-type rules. An integer-type rule matches numbers, and a keyword-type rule matches strings.
Procedure
1. Enter system view.
system-view
2. Create a user-defined NBAR application and enter its view.
nbar application application-name
3. Create a user-defined NBAR rule and enter its view.
rule rule-id l4-protocol l4-protocol-name l5-protocol l5-protocol-name pattern-type { keyword | integer }
4. Configure match criteria for the NBAR rule.
○ Specify a source port number or source port range.
source port { port-num | range start-port to end-port }
By default, an NBAR rule matches packets with any source port number.
○ Specify a destination port number or destination port range.
destination port { port-num | range start-port to end-port }
By default, an NBAR rule matches packets with any destination port number.
○ Specify a source IP subnet.
source address ip ipv4-address [ mask-length ]
By default, an NBAR rule matches packets with any source IP address.
○ Specify a destination IP subnet.
destination address ip ipv4-address [ mask-length ]
By default, an NBAR rule matches packets with any destination IP address.
○ Specify a direction.
direction { to-client | to-server }
By default, an NBAR rule matches packets in both directions.
5. Configure an integer-type signature.
integer-signature field field-name { { eq | nequ } number | range start-number to end-number }
By default, no signatures are configured for an NBAR rule.
This command is supported only for an integer-type NBAR rule.
6. Configure a keyword-type signature.
a. Create a keyword-type signature and enter NBAR rule signature view.
keyword-signature signature-id field field-name include { hex hex-vector | text text-string } [ [ offset offset-value ] [ depth depth-value ] ]
b. Configure a detection item for the signature.
detection detection-id field field-name match-type { exclude | include } { hex hex-vector | regex regex-pattern | text text-string } [ offset offset-value [ depth depth-value ] | relative-offset relative-offset-value [ relative-depth relative-depth-value ] ]
By default, no detection items are configured for a signature.
c. Return to user-defined NBAR rule view.
quit
This function is supported only for a keyword-type NBAR rule.
7. Return to user-defined NBAR application view.
quit
8. (Optional.) Configure the description of the NBAR rule.
description text
By default, the user-defined NBAR rule is described as User defined rule.
9. (Optional.) Disable the user-defined NBAR rule.
disable
By default, a user-defined NBAR rule is enabled.
10. Return to user-defined NBAR rule view.
quit
11. Activate the user-defined NBAR rule.
inspect activate
For information about this command, see DPI engine commands in DPI Command Reference.
Configuring application groups
1. Enter system view.
system-view
2. Create an application group and enter its view.
app-group group-name
3. (Optional.) Configure the description of the application group.
description text
By default, the description is "User-defined application group".
4. Add applications to the group.
Choose the options to configure as needed:
○ Copy all applications from another group to the group.
copy app-group group-name
Execute this command multiple times to copy applications from multiple groups to the current group.
○ Add an application to the group.
include application application-name
By default, an application group does not contain any applications.
Enabling application statistics on an interface
About this task
When the application statistics feature is enabled on an interface, the device separately counts the number of packets and bytes that the interface has received or sent for each application. It also calculates the transmission rates of the interface for these applications.
To display application statistics, use the display application statistics command.
Restrictions and guidelines
The application statistics feature consumes a large amount of system memory. When the system generates an alarm for lack of memory, disable the application statistics feature on all interfaces.
Procedure
1. Enter system view.
system-view
2. Enter Layer 3 interface view.
interface interface-type interface-number
3. Enable application statistics on the interface.
application statistics enable [ inbound | outbound ]
By default, this feature is disabled.
If you do not specify the inbound or outbound keyword, this command enables the application statistics feature in both the inbound and outbound directions of the interface.
Managing the APR signature library
Restrictions and guidelines for APR signature library management
For a successful APR signature library update, do not delete the /dpi/ folder in the root directory on the device storage media.
Do not update the APR signature library when the remaining system memory reaches any alarm threshold. Insufficient memory causes update failure and affects the operation of NBAR. For information about memory alarm thresholds, see hardware resource management in System Configuration Guide.
You can update only one APR signature library at a time. If an APR signature library update is in progress, wait for it to complete before starting another update.
Scheduling an automatic update for the APR signature library
About scheduling an APR signature library automatic update
If the device can access the signature library services on the official website, you can schedule an automatic update. The automatic update enables the device to automatically update the local APR signature library at the scheduled update time.
Restrictions and guidelines
For a successful automatic update, make sure the following requirements are met:
· The device can obtain the IP address of the official website through static or dynamic domain name resolution.
· The device can access the signature library services on the official website.
For information about DNS, see Layer 3—IP Services Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable the automatic update feature and enter auto-update configuration view.
apr signature auto-update
By default, the automatic update feature is disabled.
3. Configure the update schedule.
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
By default, the device automatically updates the APR signature library between 02:01:00 and 04:01:00 every day.
4. (Optional.) Overwrite the current signature file.
override-current
By default, the current APR signature file is not overwritten for an update operation. Instead, the device will back up the current APR signature file.
Triggering an automatic update for the APR signature library
About triggering an automatic update for the APR signature library
Whenever a new signature version is released on the official website, you can trigger the device to immediately update its local APR signature library.
Restrictions and guidelines
For a successful triggered update, make sure the following requirements are met:
· The device can obtain the IP address of the official website through static or dynamic domain name resolution.
· The device can access the signature library services on the official website.
For information about DNS, see Layer 3—IP Services Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Trigger an automatic update for the APR signature library.
apr signature auto-update-now
Performing a manual update for the APR signature library
About performing a manual update for the APR signature library
If the device cannot access the signature library services on the official website, use one of the following methods to manually update the APR signature library on the device:
· Local update—By using the locally stored APR signature file.
To ensure a successful update, the APR signature file must be stored on the active MPU.
· FTP/TFTP update—By using the APR signature file stored on the FTP or TFTP server.
Procedure
1. Enter system view.
system-view
2. Manually update the APR signature library.
apr signature update [ override-current ] file-path
Display and maintenance commands for APR
Displaying PBAR port mappings
Perform display tasks in any view.
· Display predefined port mappings.
display port-mapping pre-defined
· Display user-defined port mappings.
display port-mapping user-defined [ application application-name | port port-number ]
Verifying application and application group configurations
Perform display tasks in any view.
· Display the application group configuration.
display app-group [ name group-name ]
· Display the application configuration.
display application [ name application-name | pre-defined | user-defined ]
Displaying and clearing application statistics
Displaying application statistics
Perform display tasks in any view.
· Display statistics for applications.
display application statistics [ direction { inbound | outbound } | interface interface-type interface-number [ slot slot-number ] | name application-name ] *
· Display statistics for applications on an interface in descending order based on the specified criteria.
display application statistics top number { bps | bytes | packets | pps } interface interface-type interface-number [ slot slot-number ]
Clearing application statistics
To clear application statistics for interfaces, execute the following command in user view:
reset application statistics [ interface interface-type interface-number ]
Displaying APR signature library information
To display APR signature library information, execute the following command in any view:
display apr signature library
APR configuration examples
Example: Configuring PBAR
Network configuration
As shown in Figure 1, configure PBAR on the router to recognize the HTTP packets sent by the host and destined for port 8080.
The router drops the packets recognized by PBAR.
Procedure
# Create an application group named group1, and enter application group view.
<Router> system-view
[Router] app-group group1
# Add HTTP to the application group.
[Router-app-group-group1] include application http
[Router-app-group-group1] quit
# Map HTTP to TCP and port 8080.
[Router] port-mapping application http port 8080 protocol tcp
# Create a traffic class named classifier_1, and match group1 to the class.
[Router] traffic classifier classifier_1
[Router-classifier-classifier_1] if-match app-group group1
[Router-classifier-classifier_1] quit
# Create a traffic behavior named bdeny, and configure the action as deny.
[Router] traffic behavior bdeny
[Router-behavior-bdeny] filter deny
[Router-behavior-bdeny] quit
# Create QoS policy 1, associate classifier_1 with traffic behavior bdeny to create a class-behavior association in the QoS policy.
[Router] qos policy 1
[Router-qospolicy-1] classifier classifier_1 behavior bdeny
[Router-qospolicy-1] quit
# Apply the QoS policy to the inbound direction of GigabitEthernet 1/0/1.
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] qos apply policy 1 inbound
[Router-GigabitEthernet1/0/1] quit
Verifying the configuration
# Verify that the host fails to establish an HTTP connection whose destination port is 8080 with the public network. (Details not shown.)