17-DPI Configuration Guide

H3C WX3800X Series Access Controllers Configuration Guides (R1411P02)-6W101, 17-DPI Configuration Guide
02-DPI engine configuration

Configuring DPI engine

About DPI engine

DPI engine is an inspection module shared by DPI service modules. DPI engine uses inspection rules to identify the application layer information, including the application layer protocol and behavior. DPI service modules process packets based on the inspection results.

DPI functions

DPI engine provides the following functions:

·     Protocol parsing—Identifies the application layer protocols and analyzes the application layer information. Information analysis includes recognizing, normalizing, and decompressing application layer fields.

·     AC pattern matching—Matches packet payloads against the Aho-Corasick (AC) patterns in inspection rules. AC pattern matching is fast and is the core function of the DPI engine.

·     Option matching—Matches packet payloads against the options in inspection rules whose AC patterns have already been matched. Option matching is slower than AC pattern matching.

DPI engine inspection rules

DPI engine uses inspection rules to match packets. Inspection rules are transformed from the rules or signatures of the DPI service modules. The match criteria in an inspection rule can contain the following types:

·     AC pattern—Criteria that identify packet signatures. An AC pattern is a character string that is three or more bytes long.

·     Option—Criteria other than AC patterns. For example, an option can be the port number or protocol type.

An inspection rule can contain both AC patterns and options. A packet must match both the AC patterns and options to match the rule.

An inspection rule can also contain only options. A packet matches the rule if it matches the options in the rule.

DPI engine mechanism

As shown in Figure 1, DPI engine works as follows:

1.     The DPI engine performs protocol parsing for the packet and searches for applicable inspection rules according to the parsing results.

2.     If an applicable inspection rule contains AC patterns, DPI engine performs AC pattern matching first. If an applicable inspection rule does not contain AC patterns, DPI engine directly performs option matching. The packet matches the rule if it matches the options.

3.     If the packet matches an AC pattern in an applicable inspection rule, the DPI engine further compares the packet against the options associated with the AC pattern. The packet matches the rule if it matches both the AC pattern and its associated options. If the packet matches an AC pattern but does not match its associated options, the DPI engine permits the packet to pass.

4.     If the packet matches an inspection rule, the DPI engine submits the packet to the corresponding DPI service module for processing. If the packet does not match any rule, the DPI engine permits the packet to pass.

Figure 1 DPI engine mechanism
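To make the two-stage match in Figure 1 concrete, the following is an added example written for this guide (not H3C's DPI engine code): a small Aho-Corasick automaton performs stage 1 over the payload, and option comparison performs stage 2; the rules and packets are constructed for illustration.

```python
from collections import deque
class AhoCorasick:  # multi-pattern byte matcher: one pass over the payload finds every AC pattern
    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [set()]   # per state: transitions, failure link, pattern ids
        for pid, pat in enumerate(patterns):                  # build the trie
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(pid)
        q = deque(self.goto[0].values())                      # depth-1 states fail back to the root
        while q:                                              # breadth-first failure links
            r = q.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]
                q.append(s)

    def search(self, payload):
        s, hits = 0, set()
        for b in payload:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits |= self.out[s]
        return hits

class DpiEngine:
    """rules: list of (name, [AC patterns], {option: value}); an empty pattern list is an options-only rule."""
    def __init__(self, rules):
        pats = [(i, p) for i, (_, ps, _) in enumerate(rules) for p in ps]
        assert all(len(p) >= 3 for _, p in pats)              # an AC pattern is three or more bytes
        self.rules, self.owner = rules, [i for i, _ in pats]
        self.ac = AhoCorasick([p for _, p in pats])
    def inspect(self, pkt):
        """Names of the rules the packet matches; a packet matching none is passed through."""
        hit = [0] * len(self.rules)
        for pid in self.ac.search(pkt["payload"]):
            hit[self.owner[pid]] += 1                         # stage 1: AC pattern matching
        return [name for i, (name, ps, opts) in enumerate(self.rules)
                if hit[i] == len(ps)                          # options-only rules go straight to stage 2
                and all(pkt.get(k) == v for k, v in opts.items())]  # stage 2: option matching

RULES = [("http-path-traversal", [b"../../"], {"proto": "tcp", "dst_port": 80}),   # constructed sample rules,
         ("telnet-session", [], {"proto": "tcp", "dst_port": 23})]                   # not real H3C signatures
```

A packet whose payload hits an AC pattern but whose port does not satisfy the rule's options returns no match, which is the "permit to pass" case in step 3.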

DPI engine tasks at a glance

To configure the DPI engine, perform the following tasks:

1.     Configuring a DPI application profile

2.     Activating policy and rule settings for DPI service modules

3.     (Optional.) Configuring action parameter profiles

4.     (Optional.) Enabling inspection suspension upon excessive CPU usage

5.     (Optional.) Configuring DPI engine parameters

6.     (Optional.) Configuring real source IP inspection

7.     (Optional.) Disabling the DPI engine

Configuring a DPI application profile

About this task

A DPI application profile includes a set of DPI service policies, such as an IPS policy. It can be applied to a security policy rule to specify the DPI service policy for packets that match the rule.

Procedure

1.     Enter system view.

system-view

2.     Create a DPI application profile and enter its view.

app-profile profile-name

3.     Apply DPI service policies to the DPI application profile.

¡     Specify an IPS policy.

ips apply policy policy-name mode { protect | alert }

For more information about this command, see IPS commands in DPI Command Reference.

By default, no DPI service policies are applied to a DPI application profile.

Activating policy and rule settings for DPI service modules

About this task

After editing the policy and rule settings for DPI service modules such as IPS, you must manually activate the settings by using either of the following methods:

·     Reboot the device.

·     Execute the inspect activate command.

Procedure

1.     Enter system view.

system-view

2.     Activate policy and rule settings for DPI service modules.

inspect activate

By default, the creation, modification, and deletion of DPI service policies and rules do not take effect.

CAUTION:

This command causes transient DPI service interruption. DPI-based services might also be interrupted. For example, security policies cannot control access to applications.

Configuring action parameter profiles

Configuring a block source parameter profile

About this task

A block source parameter profile defines the block period for the block source action in DPI service modules.

Restrictions and guidelines

The block source action takes effect only after the blacklist feature is enabled.

With the blacklist feature enabled, the device drops the matching packet and adds the packet's source IP address to the IP blacklist. Subsequent packets from that source IP address are dropped directly during the block period.

For more information about the blacklist feature, see attack detection and prevention configuration in the Security Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Create a block source parameter profile and enter its view.

inspect block-source parameter-profile parameter-name

3.     Set the block period during which a source IP address is blocked.

block-period period

The default setting is 1800 seconds.

Configuring a capture parameter profile

About this task

A capture parameter profile defines the following parameters for the capture action in DPI service modules:

·     Maximum number of bytes that can be cached.

·     Daily export time for cached packets.

·     URL to which cached packets are exported.

The device caches captured packets locally and exports the cached packets to the designated URL at the daily export time or when the number of cached bytes reaches the limit. After the export, the device clears the local cache and starts to capture new packets.

Procedure

1.     Enter system view.

system-view

2.     Create a capture parameter profile and enter its view.

inspect capture parameter-profile parameter-name

3.     Set the maximum volume of captured packets that can be cached.

capture-limit kilobytes

By default, the device can cache a maximum of 512 kilobytes of captured packets.

4.     Set the daily export time for cached captured packets.

export repeating-at time

By default, the cached captured packets are exported at 1:00 a.m. every day.

5.     Specify the URL to which cached captured packets are exported.

export url url-string

By default, no URL is specified for exporting the cached captured packets.

Configuring a logging parameter profile

About this task

A logging parameter profile defines the log output method and log output language for the logging action in DPI service modules.

Restrictions and guidelines

When the IPS log language is set to Chinese, only the attack name field of IPS logs is displayed in Chinese.

Procedure

1.     Enter system view.

system-view

2.     Create a logging parameter profile and enter its view.

inspect logging parameter-profile parameter-name

3.     Specify the log export method.

log { email | syslog }

By default, logs are exported to the information center.

4.     Set the language for IPS log output to Chinese.

log language chinese

By default, IPS logs are output in English.

Configuring a redirect parameter profile

About this task

A redirect parameter profile defines the URL to which packets are redirected for the redirect action in DPI service modules.

Procedure

1.     Enter system view.

system-view

2.     Create a redirect parameter profile and enter its view.

inspect redirect parameter-profile parameter-name

3.     Specify the URL to which packets are redirected.

redirect-url url-string

By default, no URL is specified for packet redirecting.

Enabling inspection suspension upon excessive CPU usage

About this task

Packet inspection of the DPI engine is a complex and resource-consuming process.

Inspection suspension upon excessive CPU usage works as follows:

·     When the device's CPU usage rises to or above the CPU usage threshold, the DPI engine suspends packet inspection to guarantee the device performance.

·     When the device's CPU usage drops to or below the CPU usage recovery threshold, the DPI engine resumes packet inspection.

For information about configuring the CPU usage thresholds, see hardware resource management in System Management Configuration Guide.

Restrictions and guidelines

Do not disable inspection suspension upon excessive CPU usage if the device's CPU usage is high.

When the device's CPU usage is low, you can disable this feature to improve inspection accuracy.

Procedure

1.     Enter system view.

system-view

2.     Enable inspection suspension upon excessive CPU usage.

undo inspect cpu-threshold disable

By default, inspection suspension upon excessive CPU usage is enabled.

Configuring DPI engine parameters

Configuring the TCP segment reassembly feature

1.     Enable TCP segment reassembly.

inspect tcp-reassemble enable

By default, the TCP segment reassembly feature is disabled.

2.     Set the maximum number of TCP segments that can be cached for reassembly per TCP flow.

inspect tcp-reassemble max-segment max-number

By default, a maximum of 10 TCP segments can be cached for reassembly per TCP flow.

Configuring stream fixed length inspection

About this task

This feature enables the DPI engine to inspect only a fixed length of data for a stream instead of the whole packet data in a stream.

Procedure

1.     Enter system view.

system-view

2.     Enable stream fixed length inspection.

undo inspect stream-fixed-length disable

By default, stream fixed length inspection is enabled.

3.     Set the fixed length for stream inspection.

inspect stream-fixed-length { email | ftp } * length

The default length is 32 kilobytes for FTP and email streams.

The longer the inspection length, the lower the device throughput, and the higher the packet inspection accuracy.

Configuring real source IP inspection

Enabling real source IP inspection

About this task

When a client connects to a Web server through HTTP proxies, the source IP address of the request changes at each proxy. To identify the source of attacks accurately, you can enable real source IP inspection, which obtains the real source IP address from the corresponding fields in the request.

Procedure

1.     Enter system view.

system-view

2.     Enable real source IP inspection.

inspect real-ip enable

By default, real source IP inspection is disabled.

Setting the priority of an inspected field for real source IP inspection

About this task

With real source IP inspection enabled, the device obtains the real source IP address of the client by inspecting multiple fields in the packets by default.

When multiple IP addresses are detected, the device uses the IP address obtained from the field with the highest priority as the final real source IP address.

Procedure

1.     Enter system view.

system-view

2.     Set the priority of an inspected field for real source IP inspection.

inspect real-ip detect-field { cdn-src-ip | tcp-option | x-real-ip | xff } priority priority-value

By default, no priority is specified for any inspected field in the real source IP inspection, and all inspected fields use priority value 0. The device inspects the fields in the order of the xff, cdn-src-ip, x-real-ip, and tcp-option fields.

Configuring real source IP address inspection for the X-Forwarded-For field

About this task

When a client connects to a Web server through an HTTP proxy, the HTTP header might contain the X-Forwarded-For field, which can carry multiple IP addresses. The standard syntax of the X-Forwarded-For field is <client>, <proxy1>, <proxy2>,…<proxyn>. If a request goes through multiple proxies, the IP address of each successive proxy is appended. The rightmost IP address is the IP address of the most recent proxy and the leftmost IP address is the IP address of the originating client.

Procedure

1.     Enter system view.

system-view

2.     Configure real source IP address inspection for the X-Forwarded-For field.

inspect real-ip detect-field xff { head | tail }

By default, the rightmost IP address in the X-Forwarded-For field is the real source IP address.

Configuring real source IP inspection for the TCP Options field

About this task

To enable the device to locate the real source IP address in the TCP Options field, you must first define a hexadecimal string. If the hexadecimal string is not found, the device stops searching the TCP Options field for the real source IP address.

Restrictions and guidelines

With real source IP inspection enabled, the device does not obtain the real source IP address from the TCP Options field by default. The device searches the TCP Options field for the real source IP address only after the parameters in this task are configured.

Procedure

1.     Enter system view.

system-view

2.     Configure real source IP inspection for the TCP Options field.

inspect real-ip detect-field tcp-option hex hex-vector [ offset offset-value ] [ depth depth-value ] [ ip-offset ip-offset-value ]

By default, real source IP inspection is not configured for the TCP Options field, and the device does not obtain the real source IP address from the TCP Options field.
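The following added example (written for this guide, not H3C's implementation) models the real source IP selection described in the preceding three tasks: per-field priorities with the default xff, cdn-src-ip, x-real-ip, tcp-option order on ties, the X-Forwarded-For head/tail choice, and a marker-based TCP Options lookup. The tcp_option_real_ip helper and its reading of hex/offset/depth/ip-offset are hypothetical, as is the assumption that a larger priority-value means higher priority.

```python
import ipaddress

DEFAULT_ORDER = ["xff", "cdn-src-ip", "x-real-ip", "tcp-option"]  # inspection order when every field is priority 0
HEADER_OF = {"xff": "x-forwarded-for", "cdn-src-ip": "cdn-src-ip", "x-real-ip": "x-real-ip"}

def parse_ip(text):
    """Normalised IP string, or None when the field does not hold a valid address."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None

def tcp_option_real_ip(options, hex_vector, offset=0, depth=None, ip_offset=0):
    """Hypothetical reading of hex/offset/depth/ip-offset (assumed, not the guide's definition):
    look for the marker bytes in options[offset:offset+depth] and, if found, take the IPv4
    address that starts ip_offset bytes after the marker. options is the raw TCP Options field."""
    marker = bytes.fromhex(hex_vector)
    end = len(options) if depth is None else min(len(options), offset + depth)
    pos = options.find(marker, offset, end)
    if pos < 0:
        return None  # marker absent: the device stops searching this field
    raw = options[pos + len(marker) + ip_offset:][:4]
    return str(ipaddress.IPv4Address(raw)) if len(raw) == 4 else None

def candidates(headers, xff_pos="tail", tcp_options=None, tcp_cfg=None):
    """{field: ip} for every inspected field that yields a valid address; headers keyed in lower case."""
    found = {}
    for field, hname in HEADER_OF.items():
        value = headers.get(hname)
        if value is None:
            continue
        if field == "xff":  # head = leftmost (client-supplied, spoofable); tail = rightmost (last proxy)
            hops = [h for h in value.split(",") if h.strip()]
            if not hops:
                continue
            value = hops[0] if xff_pos == "head" else hops[-1]
        if (ip := parse_ip(value)):
            found[field] = ip
    if tcp_options is not None and tcp_cfg:  # searched only once a hex vector is configured
        if (ip := tcp_option_real_ip(tcp_options, **tcp_cfg)):
            found["tcp-option"] = ip
    return found

def real_source_ip(headers, priorities=None, xff_pos="tail", tcp_options=None, tcp_cfg=None):
    """Highest priority wins (assumed: larger priority-value = higher); ties follow DEFAULT_ORDER."""
    found = candidates(headers, xff_pos, tcp_options, tcp_cfg)
    pr = priorities or {}
    best = min(found, key=lambda f: (-pr.get(f, 0), DEFAULT_ORDER.index(f)), default=None)
    return found.get(best)
```

Because the leftmost X-Forwarded-For entry is written by whoever first sent the request, the head setting should only be trusted where the inspected traffic arrives through a known proxy chain.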

Disabling the DPI engine

About this task

Packet inspection in the DPI engine is a complex and resource-consuming process. When the CPU usage is too high, you can disable the DPI engine to guarantee the device performance.

Procedure

1.     Enter system view.

system-view

2.     Disable the DPI engine.

inspect bypass

By default, the DPI engine is enabled.

CAUTION:

This command causes packets of any protocols not to be processed by DPI. DPI-based services might also be interrupted. For example, security policies cannot control access to applications.

Verifying DPI engine

To display the status of the DPI engine, execute the following command in any view:

display inspect status
