26-DPI Command Reference


DPI engine commands

app-profile

Use app-profile to create a deep packet inspection (DPI) application profile and enter its view, or enter the view of an existing DPI application profile.

Use undo app-profile to delete a DPI application profile.

Syntax

app-profile profile-name

undo app-profile profile-name

Default

No DPI application profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a DPI application profile name. The profile name is a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, and underscores (_).

Usage guidelines

The DPI application profile is a security service template that can include DPI service policies such as URL filtering policy.

A DPI application profile takes effect after an object policy rule or a security policy rule uses it as the action. The DPI engine inspects the packets matching the object policy rule or security policy rule and submits the packets to the associated DPI service module for processing.

Examples

# Create a DPI application profile named abc and enter its view.

<Sysname> system-view

[Sysname] app-profile abc

[Sysname-app-profile-abc]

block-period

Use block-period to set the block period during which a source IP address is blocked.

Use undo block-period to restore the default.

Syntax

block-period period

undo block-period

Default

A source IP address is blocked for 1800 seconds.

Views

Block source parameter profile view

Predefined user roles

network-admin

Parameters

period: Specifies the block period in the range of 1 to 86400 seconds.

Usage guidelines

For the block period to take effect, make sure the blacklist feature is enabled.

The device drops the packet that matches an inspection rule and adds the packet's source IP address to the IP blacklist.

·     If the blacklist feature is enabled, the device directly drops subsequent packets from the source IP address during the block period.

·     If the blacklist feature is disabled, the block period does not take effect. The device inspects all packets and drops the matching ones.

For more information about the blacklist feature, see attack detection and prevention in the Security Configuration Guide.
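The interaction between the block period and the blacklist feature described above, as an added simulation that is not H3C code: a packet that matches an inspection rule is dropped and its source is blacklisted for the block period; with the blacklist enabled, later packets from that source are dropped before inspection until the period ends, and with it disabled every packet is inspected and only matching ones drop. The rule match (a constructed "EVIL" marker), the packet trace and the timestamps are all constructed for illustration.

```python
# Added example (not H3C code): models the block-source action from the
# block-period usage guidelines. Rule matching is a constructed stand-in.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class BlockSourceEngine:
    block_period: int = 1800            # seconds; default from the reference
    blacklist_enabled: bool = True
    blacklist: Dict[str, int] = field(default_factory=dict)  # src -> expiry time
    inspected: int = 0                  # how many packets reached inspection

    def _matches_rule(self, payload: bytes) -> bool:
        # Hypothetical inspection rule: any payload carrying the marker matches.
        return b"EVIL" in payload

    def handle(self, now: int, src: str, payload: bytes) -> str:
        """Return 'drop-blacklisted', 'drop-matched' or 'pass' for one packet."""
        if self.blacklist_enabled:
            expiry = self.blacklist.get(src)
            if expiry is not None:
                if now < expiry:
                    return "drop-blacklisted"   # dropped without inspection
                del self.blacklist[src]         # block period has elapsed
        self.inspected += 1
        if self._matches_rule(payload):
            # The source is added to the blacklist on every match; whether the
            # entry is enforced depends on the blacklist feature being enabled.
            self.blacklist[src] = now + self.block_period
            return "drop-matched"
        return "pass"


def run_scenario(blacklist_enabled: bool, block_period: int = 3600) -> Tuple[List[str], int]:
    """Replay a constructed trace; return per-packet verdicts and the inspection count."""
    eng = BlockSourceEngine(block_period=block_period, blacklist_enabled=blacklist_enabled)
    trace = [  # constructed: (time in seconds, source address, payload)
        (0, "10.0.0.5", b"GET / HTTP/1.1"),
        (1, "10.0.0.5", b"EVIL payload"),                  # matches the rule
        (2, "10.0.0.5", b"GET /index HTTP/1.1"),           # benign, inside block period
        (3, "10.0.0.9", b"GET / HTTP/1.1"),                # other source unaffected
        (block_period + 2, "10.0.0.5", b"GET / HTTP/1.1"), # block period elapsed
    ]
    verdicts = [eng.handle(t, s, p) for t, s, p in trace]
    return verdicts, eng.inspected


if __name__ == "__main__":
    print("blacklist enabled :", run_scenario(True))
    print("blacklist disabled:", run_scenario(False))
```

With the blacklist enabled the benign packet at t=2 is dropped without being inspected and the source is inspected again only once the period has elapsed; with it disabled the same packet is inspected and passes, which is the "block period does not take effect" case.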

Examples

# Set the block period to 3600 seconds in block source parameter profile b1.

<Sysname> system-view

[Sysname] inspect block-source parameter-profile b1

[Sysname-inspect-block-source-b1] block-period 3600

Related commands

blacklist global enable (Security Command Reference)

inspect block-source parameter-profile

capture-limit

Use capture-limit to set the maximum volume of captured packets that can be cached.

Use undo capture-limit to restore the default.

Syntax

capture-limit Kilobytes

undo capture-limit

Default

The device can cache a maximum of 512 Kilobytes of captured packets.

Views

Capture parameter profile view

Predefined user roles

network-admin

Parameters

Kilobytes: Specifies the maximum volume in the range of 0 to 1024 Kilobytes.

Usage guidelines

The device caches captured packets locally. It exports the cached captured packets to a URL when the volume of cached captured packets reaches the maximum, and clears the cache. After the export, the device starts to capture packets again.

If you set the maximum volume of cached captured packets to 0 Kilobytes, the device immediately exports a packet to the URL after the packet is captured.

Examples

# Set the maximum volume of cached captured packets to 1024 Kilobytes in the capture parameter profile c1.

<Sysname> system-view

[Sysname] inspect capture parameter-profile c1

[Sysname-inspect-capture-c1] capture-limit 1024

Related commands

export repeating-at

export url

inspect capture parameter-profile

display inspect status

Use display inspect status to display the status of the DPI engine.

Syntax

display inspect status

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the status of the DPI engine.

<Sysname> display inspect status

Chassis 0 Slot 1:

 Running status: normal

Table 1 Command output

Field: Running status

Description: Status of the DPI engine:

·     bypass by configure—The DPI engine cannot process packets because of a configuration error.

·     bypass by cpu busy—The DPI engine cannot process packets because of an excessive CPU usage.

·     normal—The DPI engine is running correctly.

export repeating-at

Use export repeating-at to set the daily export time for cached captured packets.

Use undo export repeating-at to restore the default.

Syntax

export repeating-at time

undo export repeating-at

Default

The system exports cached captured packets at 1:00 a.m. every day.

Views

Capture parameter profile view

Predefined user roles

network-admin

Parameters

time: Specifies the daily export time in the format of hh:mm:ss in the range of 00:00:00 to 23:59:59.

Usage guidelines

The device exports cached captured packets to a URL and clears the cache at the daily export time, whether or not the volume of cached captured packets reaches the maximum.

Examples

# Configure the device to export cached captured packets at 2:00 a.m. every day in the capture parameter profile c1.

<Sysname> system-view

[Sysname] inspect capture parameter-profile c1

[Sysname-inspect-capture-c1] export repeating-at 02:00:00

Related commands

capture-limit

export url

inspect capture parameter-profile

export url

Use export url to specify the URL to which the cached captured packets are exported.

Use undo export url to restore the default.

Syntax

export url url-string

undo export url

Default

No URL is specified for exporting the cached captured packets.

Views

Capture parameter profile view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL, a string of 1 to 255 characters.

Usage guidelines

The device exports the cached captured packets to the specified URL at the daily export time or when the volume of cached captured packets reaches the maximum. After the captured packets are exported, the system clears the cache.

If you do not specify a URL, the device still exports the cached captured packets but the export fails.

Examples

# Configure the device to export cached captured packets to URL tftp://192.168.100.100/upload in the capture parameter profile c1.

<Sysname> system-view

[Sysname] inspect capture parameter-profile c1

[Sysname-inspect-capture-c1] export url tftp://192.168.100.100/upload

Related commands

capture-limit

export repeating-at

inspect capture parameter-profile

inspect activate

Use inspect activate to activate the policy and rule configurations for DPI service modules.

Syntax

inspect activate

Default

The creation, modification, and deletion of DPI service policies and rules do not take effect.

Views

System view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

This command causes transient DPI service interruption. DPI-based services might also be interrupted. For example, security policies cannot control access to applications.

You can use the inspect activate command to manually validate the policy and rule configurations for DPI service modules. This operation produces the same effect as saving the configurations and rebooting the device.

Examples

# Activate the policy and rule configurations for DPI service modules.

<Sysname> system-view

[Sysname] inspect activate

inspect block-source parameter-profile

Use inspect block-source parameter-profile to create a block source parameter profile and enter its view, or enter the view of an existing block source parameter profile.

Use undo inspect block-source parameter-profile to delete a block source parameter profile.

Syntax

inspect block-source parameter-profile parameter-name

undo inspect block-source parameter-profile parameter-name

Default

No block source parameter profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

parameter-name: Specifies a block source parameter profile name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In block source parameter profile view, you can set parameters for the block source action, such as the block period.

Examples

# Create a block source parameter profile named b1 and enter its view.

<Sysname> system-view

[Sysname] inspect block-source parameter-profile b1

[Sysname-inspect-block-source-b1]

Related commands

block-period

inspect bypass

Use inspect bypass to disable the DPI engine.

Use undo inspect bypass to enable the DPI engine.

Syntax

inspect bypass

undo inspect bypass

Default

The DPI engine is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

This command causes transient DPI service interruption. DPI-based services might also be interrupted. For example, security policies cannot control access to applications.

Packet inspection in the DPI engine is a complex and resource-consuming process. When the CPU usage is high, you can disable the DPI engine to preserve device performance.

Examples

# Disable the DPI engine.

<Sysname> system-view

[Sysname] inspect bypass

Related commands

display inspect status

inspect capture parameter-profile

Use inspect capture parameter-profile to create a capture parameter profile and enter its view, or enter the view of an existing capture parameter profile.

Use undo inspect capture parameter-profile to delete a capture parameter profile.

Syntax

inspect capture parameter-profile parameter-name

undo inspect capture parameter-profile parameter-name

Default

No capture parameter profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

parameter-name: Specifies a capture parameter profile name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In capture parameter profile view, you can set parameters for the packet capture action, such as the maximum volume of cached captured packets.

Only the IPS module supports the packet capture action.

Examples

# Create a capture parameter profile named c1 and enter its view.

<Sysname> system-view

[Sysname] inspect capture parameter-profile c1

[Sysname-inspect-capture-c1]

Related commands

capture-limit

export repeating-at

export url

inspect logging parameter-profile

Use inspect logging parameter-profile to create a logging parameter profile and enter its view, or enter the view of an existing logging parameter profile.

Use undo inspect logging parameter-profile to delete a logging parameter profile.

Syntax

inspect logging parameter-profile parameter-name

undo inspect logging parameter-profile parameter-name

Default

No logging parameter profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

parameter-name: Specifies a logging parameter profile name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In logging parameter profile view, you can set parameters for the logging action, such as the log output method.

Examples

# Create a logging parameter profile named log1 and enter its view.

<Sysname> system-view

[Sysname] inspect logging parameter-profile log1

[Sysname-inspect-logging-log1]

Related commands

log

inspect real-ip detect-field priority

Use inspect real-ip detect-field priority to set the priority of an inspected field for real source IP inspection.

Use undo inspect real-ip detect-field priority to cancel the priority of an inspected field for real source IP inspection.

Syntax

inspect real-ip detect-field { cdn-src-ip | tcp-option | x-real-ip | xff } priority priority-value

undo inspect real-ip detect-field { cdn-src-ip | tcp-option | x-real-ip | xff } priority

Default

No priority is specified for any inspected field in the real source IP inspection, and all inspected fields use priority value 0. The device inspects the fields in the order of the xff, cdn-src-ip, x-real-ip, and tcp-option fields.

Views

System view

Predefined user roles

network-admin

Parameters

cdn-src-ip: Specifies the Cdn-Src-Ip field in the HTTP header.

tcp-option: Specifies the TCP Options field.

xff: Specifies the X-Forwarded-For field in the HTTP header.

x-real-ip: Specifies the X-Real-IP field in the HTTP header.

priority priority-value: Specifies a priority for an inspected field, in the range of 1 to 100. The larger the priority value, the higher the priority. Each inspected field must have a unique priority value.

Usage guidelines

With real source IP inspection enabled, the device obtains the real source IP address of the client by inspecting multiple fields in the packets by default.

When multiple IP addresses are detected, the device uses the IP address obtained from the field with the highest priority as the final real source IP address.

Examples

# Set the priority to 10 for the X-Forwarded-For field.

<Sysname> system-view

[Sysname] inspect real-ip detect-field xff priority 10

inspect real-ip detect-field tcp-option

Use inspect real-ip detect-field tcp-option to configure real source IP inspection for the TCP Options field.

Use undo inspect real-ip detect-field tcp-option to restore the default.

Syntax

inspect real-ip detect-field tcp-option hex hex-vector [ offset offset-value ] [ depth depth-value ] [ ip-offset ip-offset-value ]

undo inspect real-ip detect-field tcp-option

Default

Real source IP inspection is not configured for the TCP Options field, and the device does not obtain the real source IP address from the TCP Options field.

Views

System view

Predefined user roles

network-admin

Parameters

hex hex-vector: Specifies a case-sensitive hexadecimal string of 6 to 66 characters. Specify an even number of characters, and enclose the string with two vertical bars (|), for example |1234f5b6|.

offset offset-value: Specifies an offset in bytes after which the hexadecimal string lookup starts, in the range of 0 to 32. If you do not specify this option, the lookup starts from the beginning of the TCP Options field.

depth depth-value: Specifies the number of bytes to locate the hexadecimal string, in the range of 2 to 40. If you do not specify this option, the device searches the whole TCP Options field for the hexadecimal string.

ip-offset ip-offset-value: Specifies an offset in bytes after which the real source IP address is, in the range of 0 to 32. If you do not specify this option, the data after the hexadecimal string is the real source IP address.

Usage guidelines

To enable the device to locate the real source IP address in the TCP Options field, you must first define a hexadecimal string. If the hexadecimal string is not found, the device stops searching the TCP Options field for the real source IP address.
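The hex, offset, depth and ip-offset parameters above, worked through as an added Python model that is not H3C code. The assumptions, which the reference does not spell out, are: offset skips that many bytes of the TCP Options field before the search starts, depth bounds how many bytes are searched from that point, and the real source IPv4 address is read ip-offset bytes after the end of the matched hexadecimal string (immediately after it when ip-offset is 0). The sample TCP Options bytes are constructed so that the page's own example (|0102| offset 2 depth 10 ip-offset 2) yields an address from the 203.0.113.0/24 documentation range.

```python
# Added example (not H3C code): models the tcp-option real source IP lookup.
# The interpretation of offset/depth/ip-offset is an assumption stated above.
from typing import Optional


def parse_hex_vector(hex_vector: str) -> bytes:
    """Convert the |..| notation used by the command into raw bytes."""
    if not (hex_vector.startswith("|") and hex_vector.endswith("|")):
        raise ValueError("hex vector must be enclosed in vertical bars")
    body = hex_vector[1:-1]
    if not body or len(body) % 2:
        raise ValueError("hex vector needs an even, non-zero number of hex digits")
    return bytes.fromhex(body)


def find_real_ip(options: bytes, hex_vector: str, offset: int = 0,
                 depth: Optional[int] = None, ip_offset: int = 0) -> Optional[str]:
    """Return the dotted IPv4 address located via the marker, or None if absent."""
    marker = parse_hex_vector(hex_vector)
    # Search window: everything after `offset`, bounded by `depth` when given.
    window = options[offset:] if depth is None else options[offset:offset + depth]
    pos = window.find(marker)
    if pos == -1:
        return None                         # marker absent: stop searching (as the reference says)
    start = offset + pos + len(marker) + ip_offset
    raw = options[start:start + 4]
    if len(raw) < 4:
        return None                         # address would run past the end of the field
    return ".".join(str(b) for b in raw)


# Constructed TCP Options bytes: two NOPs, padding, the |0102| marker at byte
# index 4, two filler bytes, then the embedded address 203.0.113.7.
SAMPLE_OPTIONS = bytes([0x01, 0x01, 0x00, 0x00, 0x01, 0x02, 0xAA, 0xBB,
                        203, 0, 113, 7, 0x00])


def page_example() -> Optional[str]:
    """The reference's example: search bytes 3..12 for |0102|, address 2 bytes after it."""
    return find_real_ip(SAMPLE_OPTIONS, "|0102|", offset=2, depth=10, ip_offset=2)


if __name__ == "__main__":
    print(page_example())
```

Leaving ip-offset at 0 would instead read the two filler bytes as the start of the address, and a depth too small to cover the marker makes the lookup fail, so the three values must match the proxy's option layout exactly.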

Examples

# Configure the device to search bytes 3 to 12 for the hexadecimal string |0102| in the TCP Options field, and define that the real source IP address is 2 bytes away from the hexadecimal string.

<Sysname> system-view

[Sysname] inspect real-ip detect-field tcp-option hex |0102| offset 2 depth 10 ip-offset 2

inspect real-ip detect-field xff

Use inspect real-ip detect-field xff to configure real source IP address inspection for the X-Forwarded-For field.

Use undo inspect real-ip detect-field xff to restore the default.

Syntax

inspect real-ip detect-field xff { head | tail }

undo inspect real-ip detect-field xff

Default

The rightmost IP address in the X-Forwarded-For field is the real source IP address.

Views

System view

Predefined user roles

network-admin

Parameters

head: Specifies the first IP address in the X-Forwarded-For field as the real source IP address.

tail: Specifies the last IP address in the X-Forwarded-For field as the real source IP address.

Usage guidelines

When a client connects to a Web server through an HTTP proxy, the HTTP header might contain the X-Forwarded-For field that carries multiple IP addresses. The standard syntax of the X-Forwarded-For field is <client>, <proxy1>, <proxy2>,…<proxyn>. If a request goes through multiple proxies, the IP addresses of each successive proxy are listed. The rightmost IP address is the IP address of the most recent proxy and the leftmost IP address is the IP address of the originating client.
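The head and tail choice for X-Forwarded-For, and the priority-based selection among the inspected fields from the inspect real-ip detect-field priority command, as one added Python model that is not H3C code. Field names follow the command (xff, cdn-src-ip, x-real-ip, tcp-option); the HTTP header values are constructed, and the tcp-option address is passed in directly rather than parsed here. Assumption: with no priorities configured every field has priority 0 and the default order from the reference (xff, cdn-src-ip, x-real-ip, tcp-option) decides; any configured priority (1 to 100) ranks above an unset field.

```python
# Added example (not H3C code): models real source IP selection across the
# inspected fields, including the xff head/tail choice. Inputs are constructed.
from typing import Dict, Optional

DEFAULT_ORDER = ["xff", "cdn-src-ip", "x-real-ip", "tcp-option"]


def xff_real_ip(xff_value: str, mode: str = "tail") -> Optional[str]:
    """Pick the first (head) or last (tail) address from an X-Forwarded-For value."""
    addrs = [a.strip() for a in xff_value.split(",") if a.strip()]
    if not addrs:
        return None
    return addrs[0] if mode == "head" else addrs[-1]


def detect_fields(headers: Dict[str, str], tcp_option_ip: Optional[str] = None,
                  xff_mode: str = "tail") -> Dict[str, str]:
    """Collect one candidate address per inspected field that is present."""
    found: Dict[str, str] = {}
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if "x-forwarded-for" in h:
        ip = xff_real_ip(h["x-forwarded-for"], xff_mode)
        if ip:
            found["xff"] = ip
    if "cdn-src-ip" in h:
        found["cdn-src-ip"] = h["cdn-src-ip"].strip()
    if "x-real-ip" in h:
        found["x-real-ip"] = h["x-real-ip"].strip()
    if tcp_option_ip:
        found["tcp-option"] = tcp_option_ip
    return found


def select_real_ip(found: Dict[str, str],
                   priorities: Optional[Dict[str, int]] = None) -> Optional[str]:
    """Return the address from the highest-priority field present.

    Unset fields have priority 0; among equal priorities the default order wins.
    """
    if not found:
        return None
    prio = priorities or {}
    best = max(found, key=lambda f: (prio.get(f, 0), -DEFAULT_ORDER.index(f)))
    return found[best]


# Constructed request headers: client, then two proxies, in X-Forwarded-For.
SAMPLE_HEADERS = {
    "X-Forwarded-For": "198.51.100.7, 203.0.113.2, 203.0.113.9",
    "X-Real-IP": "198.51.100.7",
}


if __name__ == "__main__":
    found = detect_fields(SAMPLE_HEADERS)
    print("default (xff tail):", select_real_ip(found))
    print("x-real-ip priority 10:", select_real_ip(found, {"x-real-ip": 10}))
    print("xff head:", select_real_ip(detect_fields(SAMPLE_HEADERS, xff_mode="head")))
```

Because each proxy appends to X-Forwarded-For, the leftmost entries can be supplied by the client while the rightmost one was written by the last proxy in the chain; the tail default is therefore the conservative choice, and head should be used only when every proxy in front of the device is trusted to rewrite or validate the header.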

Examples

# Specify the leftmost IP address in the X-Forwarded-For field as the real source IP address.

<Sysname> system-view

[Sysname] inspect real-ip detect-field xff head

Related commands

inspect real-ip enable

inspect real-ip enable

Use inspect real-ip enable to enable real source IP inspection.

Use undo inspect real-ip enable to disable real source IP inspection.

Syntax

inspect real-ip enable

undo inspect real-ip enable

Default

Real source IP inspection is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When a client connects to a Web server through HTTP proxies, the source IP address of the request packet changes at each proxy. To attribute attacks to the correct source IP address, you can enable this feature to obtain the real source IP address from the corresponding fields in the request.

Examples

# Enable real source IP inspection.

<Sysname> system-view

[Sysname] inspect real-ip enable

inspect redirect parameter-profile

Use inspect redirect parameter-profile to create a redirect parameter profile and enter its view, or enter the view of an existing redirect parameter profile.

Use undo inspect redirect parameter-profile to delete a redirect parameter profile.

Syntax

inspect redirect parameter-profile parameter-name

undo inspect redirect parameter-profile parameter-name

Default

No redirect parameter profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

parameter-name: Specifies a redirect parameter profile name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In redirect parameter profile view, you can set parameters for the redirect action, such as the URL to which packets are redirected.

Examples

# Create a redirect parameter profile named r1 and enter its view.

<Sysname> system-view

[Sysname] inspect redirect parameter-profile r1

[Sysname-inspect-redirect-r1]

inspect stream-fixed-length

Use inspect stream-fixed-length to set the fixed length for stream inspection.

Use undo inspect stream-fixed-length to restore the default.

Syntax

inspect stream-fixed-length { email | ftp } * length

undo inspect stream-fixed-length

Default

The fixed length is 32 Kilobytes for FTP and email protocols.

Views

System view

Predefined user roles

network-admin

Parameters

email: Specifies email protocols, including SMTP, POP3 and IMAP.

ftp: Specifies the FTP protocol.

length: Specifies the fixed length in the range of 1 to 2048 Kilobytes.

Usage guidelines

The longer the inspection length, the lower the device throughput, and the higher the packet inspection accuracy.

Examples

# Set the fixed length to 35 Kilobytes for inspecting each FTP stream and 40 Kilobytes for inspecting each HTTP stream.

<Sysname> system-view

[Sysname] inspect stream-fixed-length ftp 35 http 40

Related commands

inspect cpu-threshold disable

inspect stream-fixed-length disable

inspect stream-fixed-length disable

Use inspect stream-fixed-length disable to disable stream fixed length inspection.

Use undo inspect stream-fixed-length disable to enable stream fixed length inspection.

Syntax

inspect stream-fixed-length disable

undo inspect stream-fixed-length disable

Default

The stream fixed length inspection feature is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The stream fixed length inspection feature enables the DPI engine to inspect only a fixed length of data for a stream instead of the whole packet data in a stream.

Examples

# Disable stream fixed length inspection.

<Sysname> system-view

[Sysname] inspect stream-fixed-length disable

Related commands

inspect cpu-threshold disable

inspect stream-fixed-length

inspect tcp-reassemble enable

Use inspect tcp-reassemble enable to enable the TCP segment reassembly feature.

Use undo inspect tcp-reassemble enable to disable the TCP segment reassembly feature.

Syntax

inspect tcp-reassemble enable

undo inspect tcp-reassemble enable

Default

The TCP segment reassembly feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

DPI engine inspection might fail if TCP segments arrive at the engine out of order. For example, the DPI engine searches for the keywords this is a secret. If the TCP segment containing a secret arrives before the one containing this is, the inspection fails.

The TCP segment reassembly feature enables the device to cache out-of-order TCP segments of the same TCP flow and reassembles the segments before submitting them to the DPI engine for inspection. This helps improve the DPI engine inspection accuracy.

The segment reassembly fails due to missing segments when the number of cached TCP segments of a flow reaches the limit. In this case, the device submits the cached segments without reassembling them, and all subsequent segments of the flow, to the DPI engine. This helps reduce degradation of the device performance.

Examples

# Enable the TCP segment reassembly feature.

<Sysname> system-view

[Sysname] inspect tcp-reassemble enable

Related commands

inspect tcp-reassemble max-segment

inspect tcp-reassemble max-segment

Use inspect tcp-reassemble max-segment to set the maximum number of TCP segments that can be cached per TCP flow.

Use undo inspect tcp-reassemble max-segment to restore the default.

Syntax

inspect tcp-reassemble max-segment max-number

undo inspect tcp-reassemble max-segment

Default

A maximum of 10 TCP segments can be cached for reassembly per TCP flow.

Views

System view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number in the range of 10 to 50.

Usage guidelines

Set the limit for the number of TCP segments that can be cached per flow according to your network requirements. The higher the limit, the higher the inspection accuracy, and the lower the device performance.

This command takes effect only when the TCP segment reassembly feature is enabled.
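The reassembly behaviour from the inspect tcp-reassemble enable usage guidelines, together with the per-flow cache limit set by inspect tcp-reassemble max-segment, as one added Python model that is not H3C code. A flow is a list of (sequence offset, payload) segments; out-of-order segments are cached until the gap closes, and once the cache reaches the limit the cached data is handed over unreassembled and the flow is no longer reassembled. The segments are constructed to reproduce the "this is a secret" case from the reference. The command's range is 10 to 50; the value 1 used in one call here is only to make the limit visible on a three-segment flow.

```python
# Added example (not H3C code): models TCP segment reassembly ahead of the DPI
# engine, with the max-segment cache limit. Inputs are constructed.
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]   # (sequence offset within the flow, payload)


def feed_to_engine(segments: List[Segment], reassemble: bool,
                   max_segment: int = 10) -> List[bytes]:
    """Return the chunks handed to the DPI engine, in the order it sees them."""
    if not reassemble:
        return [p for _, p in segments]          # feature disabled: arrival order
    delivered: List[bytes] = []
    cache: Dict[int, bytes] = {}
    expected = 0
    gave_up = False
    for seq, payload in segments:
        if gave_up:
            delivered.append(payload)            # after the limit: pass through as-is
            continue
        if seq == expected:
            delivered.append(payload)
            expected += len(payload)
            while expected in cache:             # drain cached segments now contiguous
                nxt = cache.pop(expected)
                delivered.append(nxt)
                expected += len(nxt)
        elif seq > expected:
            cache[seq] = payload                 # gap ahead of it: hold the segment
            if len(cache) >= max_segment:
                # Limit reached with a segment still missing: submit what is
                # cached without reassembly and stop reassembling this flow.
                for s in sorted(cache):
                    delivered.append(cache[s])
                cache.clear()
                gave_up = True
        # seq < expected would be a retransmission/overlap; ignored in this model
    for s in sorted(cache):                      # flow ended with a gap never filled
        delivered.append(cache[s])
    return delivered


def keyword_seen(chunks: List[bytes], keyword: bytes) -> bool:
    """Engine-side match over the data in the order it was delivered."""
    return keyword in b"".join(chunks)


# Constructed flow: the third segment arrives before the second one.
SEGMENTS: List[Segment] = [(0, b"this is"), (12, b"cret"), (7, b" a se")]
KEYWORD = b"this is a secret"


if __name__ == "__main__":
    for enabled in (False, True):
        chunks = feed_to_engine(SEGMENTS, reassemble=enabled)
        print("reassemble" if enabled else "no reassembly", chunks, keyword_seen(chunks, KEYWORD))
    print("limit hit", feed_to_engine(SEGMENTS, reassemble=True, max_segment=1))
```

Without reassembly the engine sees "cret" before " a se" and the keyword never matches; with it the segments are reordered and the match succeeds. When the cache limit is hit before the gap closes, the result is the same as having the feature disabled for the rest of that flow, which is the performance trade-off the guidelines describe.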

Examples

# Allow the device to cache a maximum of 20 TCP segments for each TCP flow.

<Sysname> system-view

[Sysname] inspect tcp-reassemble max-segment 20

Related commands

inspect tcp-reassemble enable

log

Use log to specify the log storage method.

Use undo log to cancel the specified log storage method.

Syntax

log { email | syslog }

undo log { email | syslog }

Default

Logs are exported to the information center.

Views

Logging parameter profile view

Predefined user roles

network-admin

Parameters

email: Emails the logs to a receiver.

syslog: Exports the logs to the information center.

Examples

# Configure the device to export logs to the information center in logging parameter profile log1.

<Sysname> system-view

[Sysname] inspect logging parameter-profile log1

[Sysname-inspect-logging-log1] log syslog

Related commands

inspect logging parameter-profile

log language

Use log language to set the language for IPS log output to Chinese.

Use undo log language to restore the default.

Syntax

log language chinese

undo log language chinese

Default

IPS logs are output in English.

Views

Logging parameter profile view

Predefined user roles

network-admin

Usage guidelines

After you execute this command, only the attack name field of the IPS logs is displayed in Chinese. For more information about IPS logs, see "IPS commands."

Examples

# Set the language for IPS log output to Chinese.

<Sysname> system-view

[Sysname] inspect logging parameter-profile log1

[Sysname-inspect-logging-log1] log language chinese

Related commands

inspect logging parameter-profile

redirect-url

Use redirect-url to specify the URL to which packets are redirected.

Use undo redirect-url to restore the default.

Syntax

redirect-url url-string

undo redirect-url

Default

No URL is specified for packet redirecting.

Views

Redirect parameter profile view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL, a case-sensitive string of 9 to 63 characters. The URL must start with http:// or https://, for example, http://www.example.com.

Usage guidelines

After you specify a URL, matching packets will be redirected to the webpage that the URL identifies.

Examples

# Specify http://www.example.com/upload as the URL for packet redirecting.

<Sysname> system-view

[Sysname] inspect redirect parameter-profile r1

[Sysname-inspect-redirect-r1] redirect-url http://www.example.com/upload

Related commands

inspect redirect parameter-profile
