Hardware platform	Module type	DPI engine compatibility
M9006 M9010 M9014	Blade IV firewall module	Yes
	Blade V firewall module	Yes
	NAT module	No
M9010-GM	Encryption module	Yes
M9016-V	Blade V firewall module	Yes
M9008-S M9012-S	Blade IV firewall module	Yes
	Intrusion prevention service (IPS) module	Yes
	Video network gateway module	Yes
M9008-S-V	Blade IV firewall module	Yes
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16	Blade V firewall module	Yes
M9000-AK001	Blade V firewall module	Yes
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10	Blade VI firewall module	Yes
M9000-AI-X06 M9000-AI-X10	Blade VI firewall module	Yes

‌

Non-default vSystems do not support some of the DPI engine commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.

app-profile

Use app-profile to create a deep packet inspection (DPI) application profile and enter its view, or enter the view of an existing DPI application profile.

Use undo app-profile to delete a DPI application profile.

Syntax

app-profile profile-name

undo app-profile profile-name

Default

No DPI application profiles exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

profile-name: Specifies a DPI application profile name. The profile name is a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, and underscores (_).

Usage guidelines

The DPI application profile is a security service template that can include DPI service policies such as URL filtering policy.

A DPI application profile takes effect after an object policy rule or a security policy rule uses it as the action. The DPI engine inspects the packets matching the object policy rule or security policy rule and submits the packets to the associated DPI service module for processing.

Examples

# Create a DPI application profile named abc and enter its view.

<Sysname> system-view

[Sysname] app-profile abc

[Sysname-app-profile-abc]

authentication enable

Use authentication enable to enable email client authentication.

Use undo authentication enable to disable email client authentication.

Syntax

authentication enable

undo authentication enable

Default

Email client authentication is enabled.

Views

Email parameter profile view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

Use this command when the email server specified by the email-server command requires client authentication.

Examples

# Disable email client authentication.

<Sysname> system-view

[Sysname] inspect email parameter-profile c1

[Sysname-inspect-email-c1] undo authentication enable

block-period

Use block-period to set the block period during which a source IP address is blocked.

Use undo block-period to restore the default.

Syntax

block-period period

undo block-period

Default

A source IP address is blocked for 1800 seconds.

Views

Block source parameter profile view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

period: Specifies the block period in the range of 1 to 86400 seconds.

Usage guidelines

For the block period to take effect, make sure the blacklist feature is enabled.

The device drops the packet that matches an inspection rule and adds the packet's source IP address to the IP blacklist.

· If the blacklist feature is enabled, the device directly drops subsequent packets from the source IP address during the block period.

· If the blacklist feature is disabled, the block period does not take effect. The device inspects all packets and drops the matching ones.

For more information about the blacklist feature, see attack detection and prevention in the Security Configuration Guide.

Examples

# Set the block period to 3600 seconds in block source parameter profile b1.

<Sysname> system-view

[Sysname] inspect block-source parameter-profile b1

[Sysname-inspect-block-source-b1] block-period 3600

Related commands

blacklist enable (security zone view) (Security Command Reference)

blacklist global enable (Security Command Reference)

inspect block-source parameter-profile

capture-limit

Use capture-limit to set the maximum volume of captured packets that can be cached.

Use undo capture-limit to restore the default.

Syntax

capture-limit Kilobytes

undo capture-limit

Default

The device can cache a maximum of 512 Kilobytes of captured packets.

Views

Capture parameter profile view

Predefined user roles

network-admin

context-admin

Parameters

Kilobytes: Specifies the maximum volume in the range of 0 to 1024 Kilobytes.

Usage guidelines

Non-default vSystems do not support this command.

The device caches captured packets locally. It exports the cached captured packets to a URL when the volume of cached captured packets reaches the maximum, and clears the cache. After the export, the device starts to capture packets again.

If you set the maximum volume of cached captured packets to 0 Kilobytes, the device immediately exports a packet to the URL after the packet is captured.

Examples

# Set the maximum volume of cached captured packets to 1024 Kilobytes in the capture parameter profile c1.

<Sysname> system-view

[Sysname] inspect capture parameter-profile c1

[Sysname-inspect-capture-c1] capture-limit 1024

Related commands

export repeating-at

export url

inspect capture parameter-profile

display inspect md5-verify configuration

Use display inspect md5-verify configuration to display information about the MD5 hash-based virus inspection for all files feature.

Syntax

display inspect md5-verify configuration

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Examples

# Display information about the MD5 hash-based virus inspection for all files feature.

<Sysname> system-view

[Sysname] display inspect md5-verify configuration

MD5 file verification for all files: Enabled

Table 1 Command output

Field	Description
MD5 file verification for all files	Status of the MD5 hash-based virus inspection for all files feature: Enabled or Disabled.

‌

Related commands

inspect md5-verify all-files

display inspect status

Use display inspect status to display the status of the DPI engine.

Syntax

display inspect status

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Usage guidelines

Non-default vSystems do not support this command.

Examples

# Display the status of the DPI engine.

<Sysname> display inspect status

Chassis 0 Slot 1:

Running status: Normal

Table 2 Command output

Field	Description
Running status	Status of the DPI engine: · DPI administratively disabled—The DPI engine is administratively disabled. · DPI auto-bypass for protocol xxx—The DPI engine automatically disables inspection on packets of a protocol. · DPI disabled due to high CPU usage—The DPI engine cannot process packets because of an excessive CPU usage. · Normal—The DPI engine is running correctly.
Usage threshold has already been reached for the following CPU cores: xxx	This sentence appears when one or more CPU cores reach the CPU core usage alarm threshold. DPI will not use these CPU cores to process services.

Field

Description

Running status

Status of the DPI engine:

· DPI administratively disabled—The DPI engine is administratively disabled.

· DPI auto-bypass for protocol xxx—The DPI engine automatically disables inspection on packets of a protocol.

· DPI disabled due to high CPU usage—The DPI engine cannot process packets because of an excessive CPU usage.

· Normal—The DPI engine is running correctly.

Usage threshold has already been reached for the following CPU cores: xxx

This sentence appears when one or more CPU cores reach the CPU core usage alarm threshold. DPI will not use these CPU cores to process services.

‌

Related commands

monitor cpu-usage threshold core (Fundamentals Command Reference)

email-limit

Use email-limit to configure output limit for log entries sent to the email server.

Use undo email-limit to restore the default.

Syntax

email-limit interval interval max-number value

undo email-limit

Default

The device allows sending a maximum of 10 log entries within five minutes.

Views

Email parameter profile view

Predefined user roles

network-admin

context-admin

Parameters

interval interval: Specifies email sending interval in the range of 1 to 10 minutes.

max-number max-number: Specifies the maximum number of emails per interval, in the range of 1 to 100.

Usage guidelines

Non-default vSystems do not support this command.

This command prevents the device from frequently sending too many log entries to the email server.

The device caches the log entries and sends them when the specified interval is reached.

If the number of cached log entries has reached the upper limit, the device compares the severity level of a new log entry with the severity levels of the cached log entries. If the severity level of the new log entry is higher than that of a cached log entry, the new log entry will overwrite the most recently cached log entry with the lowest severity level. The severity level of a new log entry is the severity level of the matching IPS signatures.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Allow the device to send a maximum of 20 log entries within five minutes to the email server.

<Sysname> system-view

[Sysname] inspect email parameter-profile test

[Sysname-inspect-email-test] email-limit interval 5 max-number 20

email-server

Use email-server to specify the email server.

Use undo email-server to restore the default.

Syntax

email-server address-string

undo email-server

Default

No email server is specified.

Views

Email parameter profile view

Predefined user roles

network-admin

context-admin

Parameters

address-string: Specifies the email server address, a case-sensitive string of 3 to 63 characters.

Usage guidelines

Non-default vSystems do not support this command.

The email server address can be an IP address or a host name.

If you specify the email server by host name, make sure the device can resolve the host name into its IP address through static or dynamic DNS. Make sure the device and the email server can reach each other. For more information about DNS, see DNS configuration in Layer 3—IP Services Configuration Guide.

If you execute this command multiple times for the same email parameter profile, the most recent configuration takes effect.

Examples

# Specify the email server rndcas.example.com.

<Sysname> system-view

[Sysname] inspect email parameter-profile c1

[Sysname-inspect-email-c1] email-server rndcas.example.com

# Specify the email server at 192.168.1.1.

<Sysname> system-view

[Sysname] inspect email parameter-profile c1

[Sysname-inspect-email-c1] email-server 192.168.1.1

export repeating-at

Use export repeating-at to set the daily export time for cached captured packets.

Use export repeating-at to restore the default.

Syntax

export repeating-at time

undo export repeating-at

Default

The system exports cached captured packets at 1:00 a.m. every day.

Views

Capture parameter profile view

Predefined user roles

network-admin

context-admin

Parameters

time: Specifies the daily export time in the format of hh:mm:ss in the range of 00:00:00 to 23:59:59.

Usage guidelines

Non-default vSystems do not support this command.

The device exports cached captured packets to a URL and clears the cache at the daily export time, whether or not the volume of cached captured packets reaches the maximum.

Examples

# Configure the device to export cached captured packets at 2:00 a.m. every day in the capture parameter profile c1.

<Sysname> system-view

[Sysname] inspect capture parameter-profile c1

[Sysname-inspect-capture-c1] export repeating-at 02:00:00

Related commands

capture-limit

export url

inspect capture parameter-profile

export url

Use export url to specify the URL to which the cached captured packets are exported.

Use export url to restore the default.

Syntax

export url url-string

undo export url

Default

No URL is specified for exporting the cached captured packets.

Views

Capture parameter profile view

Predefined user roles

network-admin

context-admin

Parameters

url-string: Specifies the URL, a string of 1 to 255 characters.

Usage guidelines

Non-default vSystems do not support this command.

The device exports the cached captured packets to the specified URL at the daily export time or when the volume of cached captured packets reaches the maximum. After the captured packets are exported, the system clears the cache.

If you do not specify a URL, the device still exports the cached captured packets but the export fails.

When the device detects a hard disk or USB disk, it will export cached packets to the disk instead of to the specified URL.

When the device detects that captured packet receiving is enabled on a Threat Discovery and Security Operations Platform that it interoperates, it will export cached packets to the Platform instead of to the specified URL.

If a hard disk or USB disk exists and captured packet receiving is also enabled on the Platform, the device will export cached packets to both the disk and the Platform. For more information about the Platform, see the guide for the Platform.

Examples

# Configure the device to export cached captured packets to URL tftp://192.168.100.100/upload in the capture parameter profile c1.

<Sysname> system-view

[Sysname] inspect capture parameter-profile c1

[Sysname-inspect-capture-c1] export url tftp://192.168.100.100/upload

Related commands

capture-limit

export repeating-at

inspect capture parameter-profile

import block warning-file

Use import block warning-file to import a user-defined alarm message from an anti-virus warning file.

Syntax

import block warning-file file-path

Default

The device uses the default alarm message "The site you are accessing has a security risk and thereby is blocked."

Views

Anti-virus warning parameter profile view

Predefined user roles

network-admin

context-admin

Parameters

file-path: Specifies the anti-virus warning file path, a string of 1 to 200 characters.

Usage guidelines

Non-default vSystems do not support this command.

After you execute the inspect warning parameter-profile command, the system automatically generates an anti-virus warning file named av-httpDeclare-xxx in the dpi/av/warning directory. The xxx represents the name of the warning parameter profile.

A default alarm message is predefined in the warning file. If an end-point user visits a virus-infected website, the device will block the website access and displays the alarm message on the browser of the end-point user.

You can execute the import block warning-file command to specify a user-defined alarm message from a file. Only HTML and TXT files are supported.

The device supports the following import methods:

· Local import—Imports the message from the warning file that is stored locally.

(In standalone mode.) Store the warning file on the active MPU for successful import.

(In IRF mode.) Store the warning file on the global active MPU for successful import.

The format of the file-path argument varies by the location of the warning file to be imported.

The warning file is stored…	Format of file-path	Remarks
In the current working directory	filename	To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference.
In a directory different from the working directory on the same storage medium	filename	Before importing the warning file, you must first use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.
On a storage medium different from the working directory	path/filename	Before importing the warning file, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.

‌

· FTP/TFTP import—Imports the message from the warning file that is stored on an FTP or TFTP server.

The format of the file-path argument varies by the location of the warning file to be imported.

The warning file is stored on

Format of file-path

Remarks

An FTP server

ftp://username:password@server/filename

The username and password arguments represent the FTP login username and password, respectively.

The server argument represents the IP address or host name of the FTP server.

If a colon (:), at sign (@), or forward slash (/) exists in the username or password, you must convert it into its escape characters. The escape characters are %3A or %3a for a colon, %40 for an at sign, and %2F or %2f for a forward slash.

A TFTP server.

tftp://server/filename

The server argument represents the IP address or host name of the TFTP server.

‌

NOTE:

To specify a warning file on an FTP or TFTP server, make sure the device and the server can reach each other. If you specify the server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see DNS configuration in Layer 3—IP Services Configuration Guide.

‌

Examples

# Import a user-defined alarm message from the anti-virus warning file on a TFTP server.

<Sysname> system-view

[Sysname] inspect warning parameter-profile warn

[Sysname-inspect-warning-warn] import block warning-file tftp://192.168.0.1/warning.txt

# Import a user-defined alarm message from the anti-virus warning file on an FTP server. The FTP login username and password are user and password, respectively.

<Sysname> system-view

[Sysname] inspect warning parameter-profile warn

[Sysname-inspect-warning-warn] import block warning-file ftp://user:[email protected]/warning.txt

# Import a user-defined alarm message from the anti-virus warning file stored locally. The file is stored in directory cfa0:/warning.txt, and the current working directory is cfa0.

<Sysname> system-view

[Sysname] inspect warning parameter-profile warn

[Sysname-inspect-warning-warn] import block warning-file warning.txt

import warning-file

Use import warning-file to import a user-defined alarm message from a warning file for URL filtering.

Syntax

import warning-file file-path

Default

The device uses the default alarm message in the warning file named uflt-xxx.html. The xxx in the file name is the profile name.

Views

URL filtering warning parameter profile view

Predefined user roles

network-admin

context-admin

Parameters

file-path: Specifies the warning file path, a string of 1 to 200 characters.

Usage guidelines

Non-default vSystems do not support this command.

The default alarm message is as follows:

Web Access Blocked

Your access to this website was denied. To access this webpage, contact Technical Support.

· Reason: XXX

· Category: XXX

· URL: XXX

The Reason field has the following values:

· The URL of the website hit the URL blacklist.

· The URL of the website hit a user-defined URL category.

· The URL of the website hit a predefined URL category.

· No matching whitelist entry was found for the website in whitelist mode.

· The URL of the website did not match any accessible URL category.

· The URL of the website hit the URL reputation signature library.

The Category field displays the user-defined or predefined URL category, or the attack category of URL reputation.

The URL field displays the URL accessed by the client.

If an end-point user visits a virus-infected website, the device will block the website access and displays the alarm message on the browser of the end-point user.

You can execute the import warning-file command to specify a user-defined alarm message from a file. Only HTML and TXT files are supported.

The device supports the following import methods:

· Local import—Imports the message from the warning file that is stored locally.

(In standalone mode.) Store the warning file on the active MPU for successful import.

(In IRF mode.) Store the warning file on the global active MPU for successful import.

The format of the file-path argument varies by the location of the warning file to be imported.

The warning file is stored…	Format of file-path	Remarks
In the current working directory	filename	To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference.
In a directory different from the working directory on the same storage medium	filename	Before importing the warning file, you must first use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.
On a storage medium different from the working directory	path/filename	Before importing the warning file, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.

‌

· FTP/TFTP import—Imports the message from the warning file that is stored on an FTP or TFTP server.

The format of the file-path argument varies by the location of the warning file to be imported.

The warning file is stored on

Format of file-path

Remarks

An FTP server

ftp://username:password@server/filename

The username and password arguments represent the FTP login username and password, respectively.

The server argument represents the IP address or host name of the FTP server.

A TFTP server.

tftp://server/filename

The server argument represents the IP address or host name of the TFTP server.

‌

NOTE:

‌

Examples

# Import a user-defined alarm message from the warning file on a TFTP server.

<Sysname> system-view

[Sysname] inspect url-filter warning parameter-profile warn

[Sysname-inspect-url-filter-warning-warn] import warning-file tftp://192.168.0.1/warning.txt

# Import a user-defined alarm message from the warning file on an FTP server. The FTP login username and password are user and password, respectively.

<Sysname> system-view

[Sysname] inspect url-filter warning parameter-profile warn

[Sysname-inspect-url-filter-warning-warn] import warning-file ftp://user:[email protected]/warning.txt

# Import a user-defined alarm message from the warning file stored locally. The file is stored in directory cfa0:/warning.txt, and the current working directory is cfa0.

<Sysname> system-view

[Sysname] inspect url-filter warning parameter-profile warn

[Sysname-inspect-url-filter-warning-warn] import warning-file warning.txt

inspect activate

Use inspect activate to activate the policy and rule configurations for DPI service modules.

Syntax

inspect activate

Default

The creation, modification, and deletion of DPI service policies and rules will be activated automatically.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

CAUTION:

This command causes transient DPI service interruption. DPI-based services might also be interrupted. For example, security policies cannot control access to applications, or server load balancing services cannot load share traffic based on applications.

By default, the system will detect whether another configuration change (such as creation, modification, or deletion) occurs within a 20-second interval after a configuration change for DPI service modules such as URL filtering:

· If no configuration change occurs within the interval, the system performs an activation operation at the end of the next interval to make the configuration take effect.

· If a configuration change occurs within the interval, the system continues to periodically check whether a configuration change occurs within the interval.

To activate the policy and rule configurations for DPI service modules immediately, you can execute the inspect activate command.

Examples

# Activate the policy and rule configurations for DPI service modules.

<Sysname> system-view

[Sysname] inspect activate

inspect auto-bypass

Use inspect auto-bypass enable to enable automatic bypass of the DPI engine.

Use undo inspect auto-bypass enable to disable automatic bypass of the DPI engine.

Syntax

inspect auto-bypass enable

undo inspect auto-bypass enable

Default

Automatic bypass of the DPI engine is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

With this feature enabled, the DPI engine automatically disables inspection on packets of the specified protocol after a device reboot caused by packet inspection errors.

Examples

# Enable automatic bypass of the DPI engine.

<Sysname> system-view

[Sysname] inspect auto-bypass enable

This feature might cause some functions of the DPI engine to be unavailable. Continue? [Y/N]:y

inspect block-source parameter-profile

Use inspect block-source parameter-profile to create a block source parameter profile and enter its view, or enter the view of an existing block source parameter profile.

Use undo inspect block-source parameter-profile to delete a block source parameter profile.

Syntax

inspect block-source parameter-profile parameter-name

undo inspect block-source parameter-profile parameter-name

Default

No block source parameter profiles exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

parameter-name: Specifies a block source parameter profile name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In block source parameter profile view, you can set parameters for the block source action, such as the block period.

Examples

# Create a block source parameter profile named b1 and enter its view.

<Sysname> system-view

[Sysname] inspect block-source parameter-profile b1

[Sysname-inspect-block-source-b1]

Related commands

block-period

inspect bypass

Use inspect bypass to disable the DPI engine.

Use undo inspect bypass to enable the DPI engine.

Syntax

inspect bypass

undo inspect bypass

Default

The DPI engine is enabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

CAUTION:

This command causes packets of any protocols not to be processed by DPI. DPI-based services might also be interrupted. For example, security policies cannot control access to applications, or server load balancing services cannot load share traffic based on applications.

Non-default vSystems do not support this command.

Packet inspection in the DPI engine is a complex and resource-consuming process. When the CPU usage is high, you can disable the DPI engine to guarantee the device performance.

Examples

# Disable the DPI engine.

<Sysname> system-view

[Sysname] inspect bypass

Related commands

display inspect status

inspect bypass protocol

Use inspect bypass protocol to specify the protocols to bypass the DPI engine.

Use undo inspect bypass protocol to disable DPI engine bypass for protocols.

Syntax

inspect bypass protocol { dns | ftp | ftp-data | http | https | imap | nfs | pop3 | rtmp | sip | smb | smtp | telnet | tftp } *

Default

The DPI engine inspects all supported protocols.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

dns: Specifies the DNS protocol.

ftp: Specifies the FTP protocol.

ftp-data: Specifies the FTP data protocol.

http: Specifies the HTTP protocol.

https: Specifies the HTTPS protocol.

imap: Specifies the IMAP protocol.

nfs: Specifies the NFS protocol.

pop3: Specifies the POP3 protocol.

rtmp: Specifies the RTMP protocol.

sip: Specifies the SIP protocol.

smb: Specifies the SMB protocol.

smtp: Specifies the SMTP protocol.

telnet: Specifies the Telnet protocol.

tftp: Specifies the TFTP protocol.

Usage guidelines

Non-default vSystems do not support this command.

If you do not specify any keyword when executing the undo inspect bypass protocol command, the DPI engine inspects all supported protocols.

As a best practice, you can specify the protocols to bypass the DPI engine when either of the following conditions is met:

· Inspection on packets of the specified protocols is not required. You can disable the DPI engine for the specified protocols to reduce the occupation of device resources and improve the device performance.

· Inspection on packets of the specified protocols causes device reboot. You can specify the protocols to bypass the DPI engine to avoid device reboot caused by inspection error and ensure the inspection on packets of other protocols.

Examples

# Specify the HTTP protocol to bypass the DPI engine.

<Sysname> system-view

[Sysname] inspect bypass protocol http

This feature might cause the DPI engine to be unavailable for the specified protocol. Continue? [Y/N]:y

Related commands

display inspect status

inspect cache-option maximum

Use inspect cache-option maximum to set the maximum number of options to be cached per TCP or UDP data flow for further inspection.

Use undo inspect cache-option to restore the default.

Syntax

inspect cache-option maximum max-number

undo inspect cache-option

Default

The DPI engine can cache a maximum of 32 options per TCP or UDP data flow.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

max-number: Specifies the maximum number of options to be cached per TCP or UDP data flow. The value range is 1 to 254.

Usage guidelines

An inspection rule can contain multiple AC patterns, and each AC pattern can be associated with multiple options. A TCP or UDP data flow matches an inspection rule if the packets of the flow match all the AC patterns and options in the rule.

If a packet of a TCP or UDP data flow matches one AC pattern in an inspection rule, the DPI engine cannot determine whether the flow matches the rule. The DPI engine continues to match packets of the flow against the remaining options and AC patterns in the rule. For any options that cannot be matched, the DPI engine caches them to match subsequent packets. The DPI engines determines that the flow matches the rule when all options and AC patterns in the rule are matched.

The more options DPI engine caches, the more likely that DPI engine identifies the application information and the more accurate the DPI engine inspection. However, caching more options requires more memory. If the device has a high memory usage, configure the DPI engine to cache less options to improve the device performance.

Typically, the default setting is sufficient for most scenarios.

Examples

# Configure the DPI engine to cache a maximum of four options per TCP or UDP data flow for further inspection.

<Sysname> system-view

[Sysname] inspect cache-option maximum 4

inspect capture parameter-profile

Use inspect capture parameter-profile to create a capture parameter profile and enter its view, or enter the view of an existing capture parameter profile.

Use undo inspect capture parameter-profile to delete a capture parameter profile.

Syntax

inspect capture parameter-profile parameter-name

undo inspect capture parameter-profile parameter-name

Default

No capture parameter profiles exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

profile-name: Specifies a capture parameter profile name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

Non-default vSystems do not support this command.

In capture parameter profile view, you can set parameters for the packet capture action, such as the maximum volume of cached captured packets.

Only the IPS module supports the packet capture action.

Examples

# Create a capture parameter profile named c1 and enter its view.

<Sysname> system-view

[Sysname] inspect capture parameter-profile c1

[Sysname-inspect-capture-c1]

Related commands

capture-limit

export repeating-at

export url

inspect cloud-server

Use inspect cloud-server to specify the server used by DPI services for cloud query.

Use undo inspect cloud-server to remove the cloud query server specified for DPI services.

Syntax

inspect cloud-server host-name

undo inspect cloud-server

Default

DPI services use the cloud query server with host name sec.h3c.com.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

host-name: Specifies the cloud query server by its host name, a case-insensitive string of 1 to 255 characters. Valid characters include letters, digits, underscores (_), hyphens (-), and dots (.).

Usage guidelines

Non-default vSystems do not support this command.

The cloud query server supports URL filtering cloud query and anti-virus MD5 value cloud query.

For successful cloud query, make sure the device can resolve the host name of the cloud query server into an IP address through DNS. For more information about DNS, see DNS configuration in Layer 3—IP Services Configuration Guide.

This command is supported only on the default context. For more information about contexts, see context configuration in Virtual Technologies Configuration Guide.

Examples

# Specify the server with host name service.example.com for cloud query.

<Sysname> system-view

[Sysname] inspect cloud-server service.example.com

Related commands

cloud-query enable (anti-virus policy view)

cloud-query enable (URL filtering policy view)

inspect coverage

Use inspect coverage to configure a DPI engine inspection mode.

Use undo inspect coverage to restore the default.

Syntax

inspect coverage { balanced | large-coverage | high-performance | user-defined }

undo inspect coverage

Default

The DPI engine uses the balanced mode.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

balanced: Specifies the balanced mode. This mode makes a tradeoff between the device performance and inspection coverage.

large-coverage: Specifies the large coverage mode. This mode appropriately reduces device performance to achieve the best inspection coverage.

high-performance: Specifies the high performance mode. This mode appropriately reduces the inspection coverage to ensure the best device performance.

user-defined: Specifies the user-defined mode. This mode allows you to adjust the inspection length of the DPI engine as required.

Usage guidelines

Non-default vSystems do not support this command.

Select an inspection mode as required:

· Balanced mode—Applicable to most scenarios. This mode makes a tradeoff between the device performance and inspection coverage. The maximum length is 32 Kilobytes for FTP, HTTP, SMB, NFS, and email streams, and the maximum file length for MD5 inspection is 2048 Kilobytes.

· Large coverage mode—Applicable to the scenarios that require large inspection coverage. This mode improves the inspection coverage at the cost of device performance. The maximum length is 128 Kilobytes for FTP, HTTP, SMB, NFS, and email streams, and the maximum file length for MD5 inspection is 5120 Kilobytes.

· High performance mode—Applicable to the scenarios that requires high device performance. This mode improves the device performance while ensuring a certain inspection coverage. The maximum length is 32 Kilobytes for FTP, HTTP, SMB, NFS, and email streams, and the maximum file length for MD5 inspection is 32 Kilobytes.

· User-defined mode—Applicable to the scenarios that have specific requirements for inspection coverage and device performance. In this mode, you can execute the inspect stream-fixed-length and inspect md5-fixed-length commands to set the maximum stream length for inspection and maximum file length for MD5 value calculation, respectively.

Examples

# Configure the user-defined mode as the DPI engine inspection mode.

<Sysname> system-view

[Sysname] inspect coverage user-defined

Related commands

inspect stream-fixed-length enable

inspect file-fixed-length enable

inspect cpu-threshold disable

Use inspect cpu-threshold disable to disable inspection suspension upon excessive CPU usage.

Use undo inspect cpu-threshold disable to enable inspection suspension upon excessive CPU usage.

Syntax

inspect cpu-threshold disable

undo inspect cpu-threshold disable

Default

Inspection suspension upon excessive CPU usage is enabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

Packet inspection in the DPI engine is a complex and resource-consuming process.

Inspection suspension upon excessive CPU usage works as follows:

· When the device's CPU usage rises to or above the CPU usage threshold, the DPI engine suspends packet inspection to guarantee the device performance.

· When the device's CPU usage drops to or below the CPU usage recovery threshold, the DPI engine resumes packet inspection.

Do not disable inspection suspension upon excessive CPU usage if the device's CPU usage is high.

When a sudden CPU overload occurs, the DPI engine suspends packet inspection for certain types of traffic to guarantee device performance, even though the CPU usage threshold is not reached.

Examples

# Disable inspection suspension upon excessive CPU usage.

<Sysname> system-view

[Sysname] inspect cpu-threshold disable

Related commands

display inspect status

inspect bypass

inspect stream-fixed-length disable

inspect dual-active enable

Use inspect dual-active enable to enable support for HA dual-active mode.

Use undo inspect dual-active enable to disable support for HA dual-active mode.

Syntax

inspect dual-active enable

undo inspect dual-active enable

Default

Support for HA dual-active mode is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

The feature ensures the device in dual-active mode can correctly process DPI services in a network with asymmetric forwarding of flows.

This feature takes effect only when the device operates in HA dual-active mode HA HA .

This feature takes effect only after you enable transparent service traffic transmission between the remote backup group members (see RBM configuration in High Availability Configuration Guide).

For more information about HA dual-active mode, see RBM-based hot backup configuration in High Availability Configuration Guide.

Examples

# Enable support for HA dual-active mode.

<Sysname> system-view

[Sysname] inspect dual-active enable

Related commands

backup-mode dual-active (High Availability Command Reference)

transparent-transmit enable (High Availability Command Reference)

inspect email parameter-profile

Use inspect email parameter-profile to create an email parameter profile and enter its view, or enter the view of an existing email parameter profile.

Use undo inspect email parameter-profile to delete an email parameter profile.

Syntax

inspect email parameter-profile parameter-name

undo inspect email parameter-profile parameter-name

Default

No email parameter profiles exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

parameter-name: Specifies an email parameter profile name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

Non-default vSystems do not support this command.

In email parameter profile view, you can set parameters for the email action. Email parameters include the email server, the email sender and receiver, and the username and password for logging in to the email server.

Examples

# Create an email parameter profile named c1 and enter its view.

<Sysname> system-view

[Sysname] inspect email parameter-profile c1

[Sysname-inspect-email-c1]

inspect file-fixed-length

Use inspect file-fixed-length to set the fixed length for file inspection.

Use undo inspect file-fixed-length to restore the default.

Syntax

inspect file-fixed-length { email | ftp | http | nfs | smb } * length-value

undo inspect file-fixed-length

Default

The fixed length is 32 Kilobytes for FTP, HTTP, NFS, SMB, and email files.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

email: Specifies email protocols, including SMTP, POP3, and IMAP.

ftp: Specifies the FTP protocol.

http: Specifies the HTTP protocol.

nfs: Specifies the NFS protocol.

smb: Specifies the SMB protocol.

length-value: Specifies the fixed length in the range of 1 to 2048 Kilobytes.

Usage guidelines

Non-default vSystems do not support this command.

This command can be executed only if the DPI engine inspection mode is user-defined mode.

Typically, virus signatures are embedded in the first half of a file. Narrowing the inspection scope of each file improves the file inspection efficiency.

If a data stream contains multiple files, this feature inspects only the fixed length data of each file.

Because files are transmitted in a data stream, the fixed length of files must not be longer than that of the data stream configured by the inspect stream-fixed-length command.

Examples

# Set the fixed length to 128 Kilobytes for inspecting each HTTP file.

<Sysname> system-view

[Sysname] inspect file-fixed-length http 128

Related commands

inspect coverage user-defined

inspect file-fixed-length enable

inspect stream-fixed-length

inspect file-fixed-length enable

Use inspect file-fixed-length enable to enable file fixed length inspection.

Use undo inspect file-fixed-length enable to disable file fixed length inspection.

Syntax

inspect file-fixed-length enable

undo inspect file-fixed-length enable

Default

The file fixed length inspection is disabled and the file inspection length is not limited.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

This command can be executed only if the DPI engine inspection mode is user-defined mode.

The file fixed length inspection feature enables the DPI engine to inspect only a fixed length of file data instead of the entire file in each data stream.

With this feature configured, the DPI engine cannot identify the remaining file data that exceeds the defined fixed length, affecting the data filtering service.

Examples

# Enable file fixed length inspection.

<Sysname> system-view

[Sysname] inspect file-fixed-length enable

Related commands

inspect coverage user-defined

inspect file-fixed-length

inspect file-uncompr-layer

Use inspect file-uncompr-layer to set the maximum number of layers that can be decompressed.

Use undo inspect file-uncompr-layer to restore the default.

Syntax

inspect file-uncompr-layer max-layer

undo inspect file-uncompr-layer

Default

A maximum of three layers can be decompressed in a file.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

max-layer: Specifies the maximum number of layers that can be decompressed in a file. The value range is 0 to 8. Value 0 indicates tha the file will not be decompressed.

Usage guidelines

Non-default vSystems do not support this command.

DPI engine can decompress only .zip and .gzip files for signature matching. This command specifies the maximum number of layers that can be decompressed in a file. DPI engine decompresses only the layers within the decompression layer limit.

Set an appropriate decompression layer limit.

· If you set a large limit, DPI engine might get stuck in decompressing a multi-layer compressed file, affecting the decompression of subsequent files and consuming a large amount of the memory.

· If you set a small limit, DPI engine might not identify the original file content correctly, affecting the accuracy of the file inspection results for DPI services (such as anti-virus and data filtering).

Examples

# Set the maximum number of layers that can be decompressed in a file to 5.

<Sysname> system-view

[Sysname] inspect file-uncompr-layer 5

Related commands

inspect file-uncompr-len

Use inspect file-uncompr-len to set the maximum data size that can be decompressed in a file.

Use undo inspect file-uncompr-len to restore the default.

Syntax

inspect file-uncompr-len max-size

undo inspect file-uncompr-len

Default

A maximum of 100 MB data can be decompressed in a file.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

max-size: Specifies the maximum data size in the range of 1 to 200 MB.

Usage guidelines

Non-default vSystems do not support this command.

The device can decompress .zip files for file data inspection. This command specifies the maximum data size that can be decompressed in a file. The remaining file data will be ignored.

Set an appropriate maximum data size for file decompression. A large data size might make the device get stuck in decompressing large files and the device forwarding performance might be affected. A small data size will affect the accuracy of the file inspection results for DPI services (such as anti-virus and data filtering).

Examples

# Set the maximum data size that can be decompressed in a file to 150 MB.

<Sysname> system-view

[Sysname] inspect file-uncompr-len 150

inspect ips log-details enable

Use inspect ips log-details enable to enable IPS logging to record HTTP packet details.

Use undo inspect ips log-details enable to disable this feature.

Syntax

inspect ips log-details enable

undo inspect ips log-details enable

Default

This feature is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

This feature enables the device to cache HOST, URI, and other fields and record them in IPS logs. For example, when an HTTP response matches an IPS policy, the device records the HOST field in the HTTP request and the status line and some header fields in the HTTP response.

To save memory resources, enable this feature only when necessary.

Examples

# Enable IPS logging to record HTTP packet details.

<Sysname> system-view

[Sysname] inspect ips log-details enable

inspect log-details max-size

Use inspect log-details max-size to set the maximum memory size for storing the HTTP fields in IPS logs.

Use undo inspect log-details max-size to restore the default.

Syntax

inspect packet maximum max-number

undo inspect packet

Default

The maximum memory size is calculated according to the device memory.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

max-size-value: Specifies the maximum memory size for storing the HTTP fields in IPS logs, in the range of 1 to 524288 MB.

Usage guidelines

Non-default vSystems do not support this command.

If a large number of HTTP packets exist in the network, recording HTTP packet details in IPS logs can consume a large amount of memory and degrade the device performance. You can set the maximum memory size to limit the amount of memory used to store the fields in IPS logs. A smaller maximum memory size might cause fields in some IPS logs to fail to be displayed.

This command is supported only on the default context. For more information about contexts, see Virtual Technologies Configuration Guide.

Examples

# Set the maximum memory size for storing the HTTP fields in IPS logs to 524288 MB.

<Sysname> system-view

[Sysname] inspect log-details max-size 524288

inspect log-statistics-report

Use inspect log-statistics-report to configure a destination IP address to report log statistics.

Use undo inspect log-statistics-report to remove the configured the IP address.

Syntax

inspect log-statistics-report { ip-address ip-address | ipv6-address ipv6-address } port port uri uri [ vpn-instance vpn-instance-name ] kafka-server kafka-server

undo inspect log-statistics-report { ip-address ip-address | ipv6-address ipv6-address } port port uri uri [ vpn-instance vpn-instance-name ] kafka-server kafka-server

Default

No destination IP address is configured for reporting log statistics.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

ip-address ip-address: Specifies an IPv4 address.

ipv6-address ipv6-address: Specifies an IPv6 address.

port port: Specifies a port number in the range of 1 to 65535.

uri uri: Specifies a URI, a case-insensitive string of 1 to 127 characters. The URI must start with a forward slash (/).

vpn-instance vpn-instance-name: Specifies the VPN instance to which the specified IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

kafka-server kafka-server: Specifies a Kafka server cluster by its name, a case-sensitive string of 1 to 15 characters.

Usage guidelines

Non-default vSystems do not support this command.

This command allows you to specify the IP address of a Threat Discovery and Security Operations Platform to monitor the logs the device sends to a Kafka server cluster.

This command enables the device to report the following information to the Platform at 1-hour intervals:

· The number of logs sent from the device to the Kafka server cluster.

· The total number of logs generated by the device.

You can configure a maximum of four IPv4 addresses and four IPv6 addresses by repeating this command.

Examples

# Configure a destination IP address to report log statistics.

<Sysname> system-view

[Sysname] inspect log-statistics-report ip-address 192.12.26.118 port 8080 uri /aabbcc vpn-instance bbb kafka-server aaa

inspect logging parameter-profile

Use inspect logging parameter-profile to create a logging parameter profile and enter its view, or enter the view of an existing logging parameter profile.

Use undo inspect logging parameter-profile to delete a logging parameter profile.

Syntax

inspect logging parameter-profile parameter-name

undo inspect logging parameter-profile parameter-name

Default

No logging parameter profiles exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

profile-name: Specifies a logging parameter profile name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In logging parameter profile view, you can set parameters for the logging action, such as the log output method.

Examples

# Create a logging parameter profile named log1 and enter its view.

<Sysname> system-view

[Sysname] inspect logging parameter-profile log1

[Sysname-inspect-logging-log1]

Related commands

log

inspect md5-fixed-length

Use inspect md5-fixed-length to set the fixed file length for MD5 inspection.

Use undo inspect md5-fixed-length to restore the default.

Syntax

inspect md5-fixed-length { email | ftp | http | nfs | smb } * length

undo inspect md5-fixed-length

Default

The fixed length of FTP, HTTP, SMB, NFS, and email files for MD5 inspection is 2048 Kilobytes.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

email: Specifies email protocols, including SMTP, POP3, and IMAP.

ftp: Specifies the FTP protocol.

http: Specifies the HTTP protocol.

nfs: Specifies the NFS protocol.

smb: Specifies the SMB protocol.

length: Specifies the fixed file length for MD5 inspection in the range of 1 to 5120 Kilobytes. Make sure the fixed file length for MD5 inspection is longer than the fixed length for stream inspection.

Usage guidelines

Non-default vSystems do not support this command.

This command can be executed only if the DPI engine inspection mode is user-defined mode.

For some DPI services, such as anti-virus services, the DPI engine inspects the packet signatures and MD5 values at the same time. After reaching the fixed length for stream inspection, the DPI engine will stop the packet signature inspection but will not stop the MD5 inspection until the fixed MD5 inspection length is reached.

The increase of the file length for MD5 inspection will reduce the device performance but improve the success rate of the MD5 inspection. The decrease of the file length for MD5 inspection will improve the device performance but reduce the success rate of the MD5 inspection.

Examples

# Set the fixed lengths of FTP and HTTP files for MD5 inspection to 1024 and 512 Kilobytes, respectively.

<Sysname> system-view

[Sysname] inspect md5-fixed-length ftp 1024 http 512

Related commands

inspect coverage user-defined

inspect md5-fixed-length enable

Use inspect md5-fixed-length enable to enable MD5 fixed-length file inspection.

Use undo inspect md5-fixed-length enable to disable MD5 fixed-length file inspection.

Syntax

inspect md5-fixed-length enable

undo inspect md5-fixed-length enable

Default

MD5 fixed-length file inspection is enabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

This command can be executed only if the DPI engine inspection mode is user-defined mode.

This MD5 fixed-length file inspection feature enables the DPI engine to calculate the MD5 values of files of fixed lengths. When a file length reaches the defined file length for MD5 inspection, the DPI engine stops calculating the MD5 value for the file.

Examples

# Disable MD5 fixed-length file inspection.

<Sysname> system-view

[Sysname] undo inspect md5-fixed-length enable

Related commands

inspect coverage user-defined

inspect md5-fixed-length

inspect md5-verify all-files

Use inspect md5-verify all-files to enable MD5 hash-based virus inspection for all files.

Use undo inspect md5-verify all-files to restore the default.

Syntax

inspect md5-verify all-files

undo inspect md5-verify all-files

Default

The DPI engine performs MD5 hash-based virus inspection only for executable files, office files, and compressed files.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

This feature enables the DPI engine to generate MD5 hashes for all files and to compare the generated MD5 hashes with the MD5 rules in the signature library. If the MD5 hash generated for a file matches an MD5 rule in the signature library, the file is considered to contain viruses.

This feature might degrade the processing performance of other services. Enable it only when necessary.

Examples

# Enable MD5 hash-based virus inspection for all files.

<Sysname> system-view

[Sysname] inspect md5-verify all-files

Related commands

display inspect md5-verify configuration

inspect optimization disable

Use inspect optimization disable to disable a DPI engine optimization feature.

Use undo inspect optimization disable to enable a DPI engine optimization feature.

Syntax

inspect optimization [ chunk | no-acsignature | raw | uncompress | url-normalization ] disable

undo inspect optimization [ chunk | no-acsignature | raw | uncompress | url-normalization ] disable

Default

All DPI engine optimization features are disabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

chunk: Specifies the chunked packet decoding feature.

no-acsignature: Specifies the inspection rules that do not contain AC patterns.

raw: Specifies the application layer payload decoding feature.

uncompress: Specifies the HTTP body decompression feature.

url-normalization: Specifies the HTTP URL normalization feature.

Usage guidelines

If you do not specify any parameter, this command applies to all DPI engine optimization features.

DPI engine supports the following optimization features:

· Chunked packet decoding—Chunk is a packet transfer mechanism of the HTTP body. DPI engine must decode a chunked HTTP body before it inspects the HTTP body. When the device throughput is too low to ensure basic communication, you can disable DPI engine from decoding chunked packets to improve the device performance. However, when chunked packet decoding is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.

· Inspection rules that do not contain AC patterns—Inspection rules that do not contain AC patterns contain only options. These rules match packets by fields such as port numbers and error codes rather than by character strings. These rules by default are enabled to improve the inspection accuracy. However, when the device throughput is too low to ensure basic communication, you can disable these rules to improve the device performance.

· Application layer payload decoding—For application layer protocols featuring encoding and decoding, such as HTTP, SMTP, POP3, and IMAP4, DPI engine must decode the payload before inspection. When the device throughput is too low to ensure basic communication, you can disable DPI engine from decoding application layer payloads to improve the device performance. However, disabling application layer payload decoding affects the inspection accuracy of the DPI engine. The DPI engine might not be able to identify the applications that need to be decoded, such as DingTalk. The auditing function based on those applications cannot take effect.

· HTTP body decompression—If the HTTP body field is compressed, DPI engine must decompress the body before inspection. When the device throughput is too low to ensure basic communication, you can disable DPI engine from decompressing the HTTP body field to improve the device performance. However, when HTTP body decompression is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.

· HTTP URL normalization—HTTP URL normalization is the process by which the absolute path in a URL is normalized and special URLs are standardized and checked. For example, the absolute path test/dpi/../index.html is normalized as test/index.html. When the device throughput is too low to ensure basic communication, you can disable DPI engine from normalizing HTTP URLs to improve the device performance. However, when HTTP URL normalization is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.

Examples

# Disable all DPI engine optimization features.

<Sysname> system-view

[Sysname] inspect all disable

inspect packet maximum

Use inspect packet maximum to set the maximum number of payload-carrying packets to be inspected per data flow.

Use undo inspect packet to restore the default.

Syntax

inspect packet maximum max-number

undo inspect packet

Default

The DPI engine can inspect a maximum of 32 payload-carrying packets per data flow.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

max-number: Specifies the maximum number of payload-carrying packets to be inspected per data flow, in the range of 1 to 254.

Usage guidelines

If DPI engine finds that the first payload-carrying packet of a data flow does not match any inspection rule, it continues to inspect the next payload-carrying packet, and so on. If DPI engine has inspected the maximum number of payload-carrying packets but finds no matching inspection rule, it determines the flow does not match any rule and allows the flow to pass.

The more payload-carrying packets DPI engine inspects, the more likely that DPI engine identifies the application information and the more accurate the DPI engine inspection.

Typically, the default setting is sufficient for most scenarios. You can adjust the setting according to your network condition.

· If the device throughput is high, increase the maximum number value.

· If the device throughput is low, decrease the maximum number value.

Examples

# Allow the DPI engine to inspect a maximum of 16 payload-carrying packets per data flow for application identification.

<Sysname> system-view

[Sysname] inspect packet maximum 16

inspect real-ip detect-field priority

Use inspect real-ip detect-field priority to set the priority of an inspected field for real source IP inspection.

Use undo inspect real-ip detect-field priority to cancel the priority of an inspected field for real source IP inspection.

Syntax

inspect real-ip detect-field { cdn-src-ip | tcp-option | x-real-ip | xff } priority priority-value

undo inspect real-ip detect-field { cdn-src-ip | tcp-option | x-real-ip | xff } priority

Default

No priority is specified for any inspected field in the real source IP inspection, and all inspected fields use priority value 0. The device inspects the fields in the order of the xff, cdn-src-ip, x-real-ip, and tcp-option fields.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

cdn-src-ip: Specifies the Cdn-Src-Ip field in the HTTP header.

tcp-option: Specifies the TCP Options field.

xff: Specifies the X-Forwarded-For field in the HTTP header.

x-real-ip: Specifies the X-Real-IP field in the HTTP header.

priority priority-value: Specifies a priority for an inspected field, in the range of 1 to 100. The larger the priority value, the higher the priority. Each inspected filed must have a unique priority value.

Usage guidelines

Non-default vSystems do not support this command.

With real source IP inspection enabled, the device obtains the real source IP address of the client by inspecting multiple fields in the packets by default.

When multiple IP addresses are detected, the devices uses the IP address obtained from the field with the highest priority as the final real source IP address.

Examples

# Set the priority to 10 for the X-Forwarded-For field.

<Sysname> system-view

[Sysname] inspect real-ip detect-field xff priority 10

inspect real-ip detect-field tcp-option

Use inspect real-ip detect-field tcp-option to configure real source IP inspection for the TCP Options field.

Use undo inspect real-ip detect-field tcp-option to restore the default.

Syntax

inspect real-ip detect-field tcp-option hex hex-vector [ offset offset-value ] [ depth depth-value ] [ ip-offset ip-offset-value ]

undo inspect real-ip detect-field tcp-option

Default

Real source IP inspection is not configured for the TCP Options field, and the device does not obtain the real source IP address from the TCP Options field.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

hex hex-vector: Specifies a case-sensitive hexadecimal string of 6 to 66 characters. Specify an even number of characters, and enclose the string with two vertical bars (|), for example |1234f5b6|.

offset offset-value: Specifies an offset in bytes after which the hexadecimal string lookup starts, in the range of 0 to 32. If you do not specify this option, the lookup starts from the beginning of the TCP Options field.

depth depth-value: Specifies the number of bytes to locate the hexadecimal string, in the range of 2 to 40. If you do not specify this option, the device searches the whole TCP Options field for the hexadecimal string.

ip-offset ip-offset-value: Specifies an offset in bytes after which the real source IP address is, in the range of 0 to 32. If you do not specify this option, the data after the hexadecimal string is the real source IP address.

Usage guidelines

Non-default vSystems do not support this command.

To enable the device to locate the real source IP address in the TCP Option field, you must first define a hexadecimal string. If no hexadecimal string is found, the device will stop searching the TCP Options field for the real IP address.

Examples

# Configure the device to search bytes 3 to 12 for the hexadecimal string |0102| in the TCP Options field, and define that the real source IP address is 2 bytes away from the hexadecimal string.

<Sysname> system-view

[Sysname] inspect real-ip detect-field tcp-option hex |0102| offset 2 depth 10 ip-offset 2

inspect real-ip detect-field xff

Use inspect real-ip detect-field xff to configure real source IP address inspection for the X-Forwarded-For field.

Use undo inspect real-ip detect-field xff to restore the default.

Syntax

inspect real-ip detect-field xff { head | tail [ number ] }

undo inspect real-ip detect-field xff

Default

The rightmost IP address in the X-Forwarded-For field is the real source IP address.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

head: Specifies the first IP address in the X-Forwarded-For field as the real source IP address.

tail: Specifies the last IP address in the X-Forwarded-For field as the real source IP address.

number: Extracts the last number addresses in the X-Forwarded-For field. The value range for this argument is 2 to 10. If you do not specify this argument, the last IP address in the X-Forwarded-For field is extracted.

Usage guidelines

Non-default vSystems do not support this command.

When a client connects to a Web server through an HTTP proxy, the HTTP header might contain the X-Forwarded-For field that carries multiple IP addresses. The standard syntax of the X-Forwarded-For field is <client>, <proxy1>, <proxy2>,…<proxyn>. If a request goes through multiple proxies, the IP addresses of each successive proxy are listed. The rightmost IP address is the IP address of the most recent proxy and the leftmost IP address is the IP address of the originating client.

You can specify the number argument to extract multiple IP addresses for proxy analysis for clients.

Examples

# Specify the leftmost IP address in the X-Forwarded-For field as the real source IP address.

<Sysname> system-view

[Sysname] inspect real-ip detect-field xff head

Related commands

inspect real-ip enable

Use inspect real-ip enable to enable real source IP inspection.

Use undo inspect real-ip enable to disable real source IP inspection.

Syntax

inspect real-ip enable

undo inspect real-ip enable

Default

Real source IP inspection is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

When a client connects to a Web server through HTTP proxies, the source IP address of the request packet will change. To identify the source IP attacks accurately, you can enable this feature to obtain the real source IP address from the corresponding fields in the request.

Examples

# Enable real source IP inspection.

<Sysname> system-view

[Sysname] inspect real-ip enable

inspect real-ip extraction mode

Use inspect real-ip extraction mode to specify the extraction mode for real source IP inspection.

Use undo inspect real-ip extraction mode to restore the default.

Syntax

inspect real-ip extraction mode { cdn-src-ip-only | priority | tcp-option-only | x-real-ip-only | xff-only }

undo inspect real-ip extraction mode

Default

The extraction mode for real source IP inspection is xff-only.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

cdn-src-ip-only: Extracts the IP address only in the Cdn-Src-IP field as the real source IP address.

priority: Extracts the IP addresses in the Cdn-Src-IP, TCP-Option, X-Real-IP, and X-Forwarded-For fields and uses the IP address in the field with the highest priority as the real source IP address.

tcp-option-only: Extracts the IP address only in the TCP-Option field as the real source IP address.

x-real-ip-only: Extracts the IP address only in the X-Real-IP field as the real source IP address.

xff-only: Extracts the IP address only in the X-Forwarded-For field as the real source IP address.

Usage guidelines

Non-default vSystems do not support this command.

You can configure one of the following extraction modes for real source IP inspection:

· Extract from a single field—If you know from which filed to extract the real source IP address, you can configure extracting the real source IP address from that field (XXX-only mode).

· Extract based on field priorities—If you do not know from which filed to extract the real source IP address, use this mode. This mode allows the device to extract the real source IP address of the client by inspecting multiple fields in the packets in priority order. The device uses the IP address extracted from the field with the highest priority as the final real source IP address. You can adjust the priority of each field as needed.

Examples

# Specify x-real-ip-only as the extraction mode for real source IP inspection.

<Sysname> system-view

[Sysname] inspect real-ip extraction mode x-real-ip-only

Related commands

inspect real-ip detect-field priority

inspect real-ip reuse enable

Use inspect real-ip reuse enable to enable real source IP reuse.

Use undo inspect real-ip reuse enable to disable real source IP reuse.

Syntax

inspect real-ip reuse enable

undo inspect real-ip reuse enable

Default

Real source IP reuse is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

If a session has multiple requests, the device extracts a real source IP address from each request and records the extraction result. By default, if the device fails to extract a real source IP address from a request, it considers that the real source IP address is empty in the request. In some proxy scenarios, a proxy server carries the real source IP address only in the first HTTP request of a session. In this case, the device can extract the real source IP address only in the first HTTP request, and therefore the IPS whitelist service is affected. To solve this problem, you can execute this command. The device will use the real source IP address extracted from the first request for the subsequent requests to successfully match the IPS whitelist.

Examples

# Enable real source IP reuse.

<Sysname> system-view

[Sysname] inspect real-ip reuse enable

inspect record-filename nfs maximum

Use inspect record-filename nfs maximum to set the maximum number of NFS file names recorded.

Use undo inspect record-filename nfs maximum to restore the default.

Syntax

inspect record-filename nfs maximum max-number

undo inspect record-filename nfs maximum

Default

The maximum number of NFS file names recorded is calculated according to the actual memory size of the device.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

max-number: Specifies the maximum number of NFS file names recorded, in the range of 0 to 4294967295. The value 0 indicates that the number of NFS file names recorded is not limited.

Usage guidelines

Non-default vSystems do not support this command.

The DPI engine records file names during file detection for users to obtain file information in logs. The record process occupies memory resources. The more files detected, the more memory resources occupied. In an environment using NFS to transfer a large number of files, Execute this command to limit the memory resources consumed by recording file names.

In scenarios requiring high performance, you can set a small limit to reduce memory consumption. In scenarios not requiring high performance, you can set a great limit to enable users to obtain more file information.

This command is supported only on the default context. For more information about contexts, see Virtual Technologies Configuration Guide.

Examples

# Set the maximum number of NFS file names recorded to 110000.

<Sysname> system-view

[Sysname] inspect record-filename nfs maximum 110000

inspect redirect parameter-profile

Use inspect redirect parameter-profile to create a redirect parameter profile and enter its view, or enter the view of an existing redirect parameter profile.

Use undo inspect redirect parameter-profile to delete a redirect parameter profile.

Syntax

inspect redirect parameter-profile parameter-name

undo inspect redirect parameter-profile parameter-name

Default

No redirect parameter profiles exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

parameter-name: Specifies a redirect parameter profile name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

In redirect parameter profile view, you can set parameters for the redirect action, such as the URL to which packets are redirected.

Examples

# Create a redirect parameter profile named r1 and enter its view.

<Sysname> system-view

[Sysname] inspect redirect parameter-profile r1

[Sysname-inspect-redirect-r1]

inspect signature auto-update proxy

Use inspect signature auto-update proxy to specify the proxy server used by DPI services for online signature update.

Use undo inspect signature auto-update proxy to restore the default.

Syntax

inspect signature auto-update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name password { cipher | simple } string ]

undo inspect signature auto-update proxy

Default

The proxy server used by DPI services for online signature update is not specified.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

domain domain-name: Specifies a proxy server by its domain name, a case-insensitive string of 3 to 63 characters.

ip ip-address: Specifies a proxy server by its IPv4 address.

port port-number: Specifies the port number used by the proxy server. The value range is 1 to 65535, and the default is 80.

user user-name: Specifies the username used to log in to the proxy server. The username is a case-insensitive string of 1 to 31 characters.

password: Specifies the password used to log in to the proxy server.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password in plaintext form will be stored in encrypted form.

string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 31 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.

Usage guidelines

Non-default vSystems do not support this command.

The device must access the company's website for online signature update of DPI services such as URL filtering. If direct connectivity is not available, the device can access the company's website through the specified proxy server. For more information about online signature update, see DPI Configuration Guide.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify server http://www.example.com/ on port 8888 as the proxy server and set the login username and password to admin.

<Sysname> system-view

[Sysname] inspect signature auto-update proxy domain www.example.com port 8888 user admin password simple admin

inspect signature auto-update source

Use inspect signature auto-update source to specify the source address for the request packet for online DPI service signature update.

Use undo inspect signature auto-update source to restore the default.

Syntax

inspect signature auto-update source { ip | ipv6 } { ip-address | interface interface-type interface-number }

undo inspect signature auto-update source

Default

The source address of the request packet is the IP address of the outgoing interface in the matching route.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

ip ip-address: Specifies the source IPv4 address.

ipv6 ip-address: Specifies the source IPv6 address.

interface interface-type interface-number: Uses the primary IPv4 address or the lowest IPv6 address of the interface as the source IP address.

Usage guidelines

Non-default vSystems do not support this command.

You can execute this command to specify the source IP address for the request packet sent from the device to the library server for online DPI service signature update. For example, if the packet sent by the device must be NATed, you must specify a source IP address that matches the NAT rule. If the packet traverses an independent NAT device, the specified source IP address must be able to reach the NAT device.

If you also specify a VPN instance by using the inspect signature auto-update vpn-instance command, make sure the specified VPN instance is the VPN instance to which the source address belongs.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify 1.1.1.1 as the source address for the request packet for online DPI service signature update.

<Sysname> system-view

[Sysname] inspect signature auto-update source ip 1.1.1.1

Related commands

inspect signature auto-update vpn-instance

Use inspect signature auto-update vpn-instance to specify a VPN instance for online DPI service signature update.

Use undo inspect signature auto-update vpn-instance to restore the default.

Syntax

inspect signature auto-update vpn-instance vpn-instance-name

undo inspect signature auto-update vpn-instance

Default

The VPN instance used by DPI services for online signature update is not specified.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

vpn-instance-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Non-default vSystems do not support this command.

The device must access the company's website for online signature update of DPI services. If the device accesses the company's website through a VPN instance, perform this task to avoid update failures.

If you also specify the source address by using the inspect signature auto-update source command, make sure the specified VPN instance is the VPN instance to which the source address belongs.

Examples

# Specify a VPN instance for online DPI service signature update.

<Sysname> system-view

[Sysname] inspect signature auto-update vpn-instance vpn1

Related commands

inspect signature auto-update source

inspect signature version-report

Use inspect signature version-report to configure a destination IP address to report IPS signature library versions.

Use undo inspect signature version-report to remove the configured the IP address.

Syntax

inspect signature version-report { ip-address ip-address | ipv6-address ipv6-address } port port uri uri [ vpn-instance vpn-instance-name ]

undo inspect signature version-report { ip-address ip-address | ipv6-address ipv6-address } port port uri uri [ vpn-instance vpn-instance-name ]

Default

No destination IP address is configured for reporting IPS signature library versions.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

ip-address ip-address: Specifies an IPv4 address.

ipv6-address ipv6-address: Specifies an IPv6 address.

port port: Specifies a port number in the range of 1 to 65535.

uri uri: Specifies a URI, a case-insensitive string of 1 to 127 characters. The URI must start with a forward slash (/).

vpn-instance vpn-instance-name: Specifies the VPN instance to which the specified IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

Usage guidelines

Non-default vSystems do not support this command.

This command allows you to specify the IP address of a Threat Discovery and Security Operations Platform to monitor the IPS signature library version changes on the device.

This command enables the device to perform the following operations:

· Report the latest version information to the Platform through HTTP upon each IPS signature library update or rollback.

· Report the latest version information to the Platform at 10-day intervals.

You can configure a maximum of two IPv4 addresses and two IPv6 addresses by repeating this command.

This command is supported only on the default context. For more information about contexts, see Virtual Technologies Configuration Guide.

Examples

# Configure a destination IP address to report IPS signature library versions.

<Sysname> system-view

[Sysname] inspect signature version-report ip-address 192.12.26.118 port 8080 uri /aabbcc vpn-instance test

inspect source-port-identify enable

Use inspect source-port-identify enable to enable source port-based application identification.

Use undo inspect source-port-identify enable to disable source port-based application identification.

Syntax

inspect source-port-identify enable

undo inspect source-port-identify enable

Default

Source port-based application identification is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

You can use this feature to identify traffic of applications that use fixed source ports when the following conditions are true:

· The types of traffic transmitted over networks are relatively unvaried and use fixed source ports.

· Destination port-based application identification or signature-based traffic content identification is not supported.

The application identification results produced by this feature might not be accurate. Configure this feature according to your live network as a best practice.

Examples

# Enable source port-based application identification.

<sysname> system-view

[sysname] inspect source-port-identify enable

inspect stream-fixed-length

Use inspect stream-fixed-length to set the maximum number of bytes inspected for protocol packets and audio/video packets.

Use undo inspect stream-fixed-length to restore the default.

Syntax

inspect stream-fixed-length { audio-video | dns | email | ftp | http | https | imaps | nfs | pop3s | rtmp | sip | smb | smtps | telnet | tftp } * length

undo inspect stream-fixed-length

Default

The maximum inspection size is 32 Kilobytes for FTP, HTTP, NFS, SMB, SMTP, POP3, and IMAP. The inspection size is not limited for audio/video packets or the following protocols: DNS, HTTPS, IMAPS, POP3S, RTMP, SIP, SMTPS, Telnet, and TFTP.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

audio-video: Specifies audio/video applications.

dns: Specifies the DNS protocol.

email: Specifies email protocols, including SMTP, POP3 and IMAP.

ftp: Specifies the FTP protocol.

http: Specifies the HTTP protocol.

https: Specifies the HTTPS protocol.

imaps: Specifies the IMAPS protocol.

nfs: Specifies the NFS protocol.

pop3s: Specifies the POP3S protocol.

rtmp: Specifies the RTMP protocol.

smb: Specifies the SMB protocol.

sip: Specifies the SIP protocol.

smtps: Specifies the SMTPS protocol.

telnet: Specifies the Telnet protocol.

tftp: Specifies the TFTP protocol.

length: Specifies the fixed length in the range of 1 to 2048 Kilobytes.

Usage guidelines

Non-default vSystems do not support this command.

This command can be executed only if the DPI engine inspection mode is user-defined mode.

The larger the inspection length value, the lower the device throughput, and the higher the packet inspection accuracy.

Examples

# Set the maximum inspection size to 35 Kilobytes for inspecting each FTP stream and 40 Kilobytes for inspecting each HTTP stream.

<Sysname> system-view

[Sysname] inspect stream-fixed-length ftp 35 http 40

Related commands

inspect coverage user-defined

inspect cpu-threshold disable

inspect stream-fixed-length disable

Use inspect stream-fixed-length disable to disable inspection size limitation.

Use undo inspect stream-fixed-length disable to enable inspection size limitation.

Syntax

inspect stream-fixed-length disable

undo inspect stream-fixed-length disable

Default

Inspection size limitation is enabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

This command can be executed only if the DPI engine inspection mode is user-defined mode.

Inspection size limitation enables the device to inspect only a maximum of the specified inspection size for protocol packets and audio/video packets.

Disable inspection size limitation if your network requires high inspection success rate.

Examples

# Disable inspection size limitation.

<Sysname> system-view

[Sysname] inspect stream-fixed-length disable

Related commands

inspect coverage user-defined

inspect cpu-threshold disable

inspect stream-fixed-length

inspect tcp-reassemble enable

Use inspect tcp-reassemble enable to enable the TCP segment reassembly feature.

Use undo inspect tcp-reassemble enable to disable the TCP segment reassembly feature.

Syntax

inspect tcp-reassemble enable

undo inspect tcp-reassemble enable

Default

The TCP segment reassembly feature is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

DPI engine inspection might fail if TCP segments arrive at the engine out of order. For example, the DPI engine searches for the keywords this is a secret. If the TCP segment containing a secret arrives before the one containing this is, the inspection fails.

The TCP segment reassembly feature enables the device to cache out-of-order TCP segments of the same TCP flow and reassembles the segments before submitting them to the DPI engine for inspection. This helps improve the DPI engine inspection accuracy.

The segment reassembly fails due to missing segments when the number of cached TCP segments of a flow reaches the limit. In this case, the device submits the cached segments without reassembling them and all subsequent segments of the flow to the DPI engine. This helps reduces degradation of the device performance.

Examples

# Enable the TCP segment reassembly feature.

<Sysname> system-view

[Sysname] inspect tcp-reassemble enable

Related commands

inspect tcp-reassemble max-segment

Use inspect tcp-reassemble max-segment to set the maximum number of TCP segments that can be cached per TCP flow.

Use undo inspect tcp-reassemble max-segment to restore the default.

Syntax

inspect tcp-reassemble max-segment max-number

undo inspect tcp-reassemble max-segment

Default

A maximum of 10 TCP segments can be cached for reassembly per TCP flow.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

max-number: Specifies the maximum number in the range of 10 to 50.

Usage guidelines

Non-default vSystems do not support this command.

Set the limit for the number of TCP segments that can be cached per flow according to your network requirements. The higher the limit, the higher the inspection accuracy, and the lower the device performance.

This command takes effect only when the TCP segment reassembly feature is enabled.

Examples

# Allow the device to cache a maximum of 20 TCP segments for each TCP flow.

<Sysname> system-view

[Sysname] inspect tcp-reassemble max-segment 20

Related commands

inspect tcp-reassemble enable

inspect transparent enable

Use inspect transparent enable to enable DPI engine to transparently transmit DPI service traffic.

Use undo inspect transparent enable to disable DPI engine from transparently transmitting DPI service traffic.

Syntax

inspect transparent enable

undo inspect transparent enable

Default

DPI engine is enabled to transparently transmitting DPI service traffic.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Non-default vSystems do not support this command.

When asymmetric traffic exists in the network environment (that is, the forward and backward paths are inconsistent for packets of the same flow), the forward and backward packets of the flow might be sent to different devices (or event to different security service modules for distributed devices). As a result, DPI services might fail to be processed correctly. For example, antivirus services cannot detect virus files. To solve this problem, the DPI engine transparently transmits DPI service traffic between devices and security service modules by default. This ensures that the forward and backward packets of the same flow are sent to the same device or service module.

Transparent traffic transmission consumes device resources and reduces device performance. When the network environment requires high device performance and can accept the risk of losing some DPI service detection accuracy, you can disable the DPI engine from transparently transmitting DPI service traffic to reduce the impact on device performance.

This command is supported only on the default context. For more information about contexts, see Virtual Technologies Configuration Guide.

Examples

# Disable DPI engine from transparently transmitting DPI service traffic.

<Sysname> system-view

[Sysname] undo inspect transparent enable

inspect uncompress maximum

Use inspect uncompress maximum to set the maximum number of file decompression operations.

Use undo inspect uncompress maximum to restore the default.

Syntax

inspect uncompress maximum max-number

undo inspect uncompress maximum

Default

The maximum number of file decompression operations is calculated according to the actual memory size of the device.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

max-number: Specifies the maximum number of file decompression operations, in the range of 0 to 4294967295. The value 0 indicates that the number of file decompression operations is not limited.

Usage guidelines

Non-default vSystems do not support this command.

The DPI engine consumes memory resources each time it performs a file decompression operation. A large number of file decompression operations might consume a large number of memory resources. Execute this command to limit the memory resources consumed by file decompression operations.

This command is supported only on the default context. For more information about contexts, see Virtual Technologies Configuration Guide.

Examples

# Set the maximum number of file decompression operations to 120000.

<Sysname> system-view

[Sysname] inspect uncompress maximum 120000

inspect url-filter warning parameter-profile

Use inspect url-filter warning parameter-profile to create a warning parameter profile for URL filtering and enter its view, or enter the view of an existing warning parameter profile for URL filtering.

Use undo inspect url-filter warning parameter-profile to delete a warning parameter profile for URL filtering.

Syntax

inspect url-filter warning parameter-profile profile-name

undo inspect url-filter warning parameter-profile profile-name

Default

No warning parameter profiles exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

profile-name: Specifies a warning parameter profile name, a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, underscores (_).

Usage guidelines

Non-default vSystems do not support this command.

After you create a warning parameter profile for URL filtering, you can import a user-defined alarm message from a file.

Examples

# Create a warning parameter profile for URL filtering named c1 and enter its view.

<Sysname> system-view

[Sysname] inspect url-filter warning parameter-profile c1

[Sysname-inspect-url-filter-warning-c1]

Related commands

import warning-file

inspect waf http-log-details enable

Use inspect waf http-log-details enable to enable WAF logging to record HTTP packet details.

Use undo inspect waf http-log-details enable to disable this feature.

Syntax

inspect waf http-log-details enable

undo inspect waf http-log-details enable

Default

HTTP packet details are not recorded.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

The feature enables the device to record more fields of HTTP packets in WAF logs.

· For HTTP requests, when this feature is disabled, the device records only the request line and request method. When this feature is enabled, the device records all fields.

· For HTTP requests, when this feature is disabled, the device does not record any fields. When this feature is enabled, the device records the status line information.

This feature does not take effect on WAF logs generated before it is enabled.

To save system resources, enable this feature only when necessary.

Examples

# Enable WAF logging to record HTTP packet details.

<Sysname> system-view

[Sysname] inspect waf http-log-details enable

inspect warning parameter-profile

Use inspect warning parameter-profile to create an anti-virus warning parameter profile and enter its view, or enter the view of an existing anti-virus warning parameter profile.

Use undo inspect warning parameter-profile to delete an anti-virus warning parameter profile.

Syntax

inspect warning parameter-profile profile-name

undo inspect warning parameter-profile profile-name

Default

No anti-virus warning parameter profiles exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

profile-name: Specifies an anti-virus warning parameter profile name, a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, underscores (_).

Usage guidelines

Non-default vSystems do not support this command.

After you create an anti-virus warning parameter profile, you can import a user-defined alarm message from a file.

Examples

# Create an anti-virus warning parameter profile named w1 and enter its view.

<Sysname> system-view

[Sysname] inspect warning parameter-profile w1

[Sysname-inspect-warning-w1]

Related commands

import block warning-file

reset block warning-file

warning parameter-profile

language

Use language to set the language for log emails.

Use undo language to restore the default.

Syntax

language { chinese | english }

undo language

Default

Log emails are are sent in Chinese.

Views

Email parameter profile view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Only IPS, anti-virus, and WAF support Chinese log emails, and only the following fields in a log email support Chinese:

· IPS: application, attack name, attack category, and attack subcategory.

· Anti-virus: application.

· WAF: application, signature name, attack category, attack subcategory, and source location.

Examples

# Set the language for log emails to English.

<Sysname> system-view

[Sysname] inspect email parameter-profile test

[Sysname-inspect-email-test] language english

log

Use log to specify the log storage method.

Use undo log to cancel the specified log storage method.

Syntax

log { email | syslog }

undo log { email | syslog }

Default

Logs are exported to the information center.

Views

Logging parameter profile view

Predefined user roles

network-admin

context-admin

Parameters

email: Emails the logs to a receiver.

syslog: Exports the logs to the information center.

Usage guidelines

Non-default vSystems do not support this command.

Examples

# Configure the device to export logs to the information center in logging parameter profile log1.

<Sysname> system-view

[Sysname] inspect logging parameter-profile log1

[Sysname-inspect-logging-log1] log syslog

Related commands

inspect logging parameter-profile

log language

Use log language to set the language for IPS log output to Chinese.

Use undo log language to restore the default.

Syntax

log language chinese

undo log language chinese

Default

IPS logs are output in English.

Views

Logging parameter profile view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

After you execute this command, only the attack name field of the IPS logs supports displaying in Chinese. For more information about IPS logs, see "IPS commands."

Examples

# Set the language for IPS log output to Chinese.

<Sysname> system-view

[Sysname] inspect logging parameter-profile log1

[Sysname-inspect-log-para-log1] log language chinese

Related commands

inspect logging parameter-profile

password

Use password to specify the password for logging in to the email server.

Use undo password to restore the default.

Syntax

password { cipher | simple } string

undo password

Default

No password is specified for logging in to the email server.

Views

Email parameter profile view

Predefined user roles

network-admin

context-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

pwd-string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

Non-default vSystems do not support this command.

If you execute this command multiple times for the same email parameter profile, the most recent configuration takes effect.

Examples

# Specify abc123 as the plaintext password for logging in to the email server.

<Sysname> system-view

[Sysname] inspect email parameter-profile c1

[Sysname-inspect-email-c1] password simple abc123

Related commands

authentication enable

receiver

Use receiver to specify the email receiver address.

Use undo receiver to restore the default.

Syntax

receiver address-string

undo receiver

Default

No email receiver address is specified.

Views

Email parameter profile view

Predefined user roles

network-admin

context-admin

Parameters

address-string: Specifies the address of the email receiver, a case-sensitive string of 3 to 502 characters.

Usage guidelines

Non-default vSystems do not support this command.

You can specify multiple semicolon-separated email receiver addresses in one command.

Examples

# Specify the email receiver addresses [email protected] and [email protected].

<Sysname> system-view

[Sysname] inspect email parameter-profile c1

[Sysname-inspect-email-c1] receiver [email protected];[email protected]

redirect-url

Use redirect-url to specify the URL to which packets are redirected.

Use undo redirect-url to restore the default.

Syntax

redirect-url url-string

undo redirect-url

Default

No URL is specified for packet redirecting.

Views

Redirect parameter profile view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

url-string: Specifies the URL, a case-sensitive string of 9 to 63 characters. The URL must start with http:// or https://, for example, http://www.example.com.

Usage guidelines

After you specify a URL, matching packets will be redirected to the webpage that the URL identifies.

Examples

# Specify https://www.example.com/upload as the URL for packet redirecting.

<Sysname> system-view

[Sysname] inspect redirect parameter-profile r1

[Sysname-inspect-redirect-r1] redirect-url https://www.example.com/upload

Related commands

inspect redirect parameter-profile

reset block warning-file

Use reset block warning-file to restore the default anti-virus alarm message.

Syntax

reset block warning-file

Views

Anti-virus warning parameter profile view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

This command allows you to clear the user-defined anti-virus alarm message and restore the default message.

Examples

# Restore the default alarm message in the anti-virus warning parameter profile w1.

<Sysname> system-view

[Sysname] inspect warning parameter-profile w1

[Sysname-inspect-warning-w1] reset block warning-file

Related commands

import warning-file

reset warning-file

Use reset warning-file to restore the default alarm message for URL filtering.

Syntax

reset warning-file

Views

URL filtering warning parameter profile view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

This command allows you to clear the user-defined alarm message and restore the default message for URL filtering.

Examples

# Restore the default alarm message in the warning parameter profile for URL filtering c1.

<Sysname> system-view

[Sysname] inspect url-filter warning parameter-profile c1

[Sysname-inspect-url-filter-warning-c1] reset warning-file

Related commands

import warning-file

secure-authentication enable

Use secure-authentication enable to enable the secure password transmission feature.

Use undo secure-authentication enable to disable the secure password transmission feature.

Syntax

secure-authentication enable

undo secure-authentication enable

Default

The secure password transmission feature is disabled.

Views

Email parameter profile view

Predefined user roles

network-admin

context-admin

Usage guidelines

Non-default vSystems do not support this command.

After the secure password transmission feature is enabled, a security channel is established between the device and the email server to transmit the password for email server login.

Examples

# Enable the secure password transmission feature.

<Sysname> system-view

[Sysname] inspect email parameter-profile c1

[Sysname-inspect-email-c1] secure-authentication enable

Related commands

authentication enable

sender

Use sender to specify the email sender address.

Use undo sender to restore the default.

Syntax

sender address-string

undo sender

Default

No email sender address is specified.

Views

Email parameter profile view

Predefined user roles

network-admin

context-admin

Parameters

address-string: Specifies the address of the email sender, a case-sensitive string of 3 to 63 characters.

Usage guidelines

Non-default vSystems do not support this command.

The email sender address is the source address that the device uses to send emails to destinations.

Examples

# Specify the email sender address [email protected].

<Sysname> system-view

[Sysname] inspect email parameter-profile c1

[Sysname-inspect-email-c1] sender [email protected]

username

Use username to specify the username for logging in to the email server.

Use undo username to restore the default.

Syntax

username name-string

undo username

Default

No username is specified for logging in to the email server.

Views

Email parameter profile view

Predefined user roles

network-admin

context-admin

Parameters

name-string: Specifies the username, a case-sensitive string of 1 to 63 characters.

Usage guidelines

Non-default vSystems do not support this command.

If you execute this command multiple times for the same email parameter profile, the most recent configuration takes effect.

Examples

# Specify han as the username for logging in to the email server.

<Sysname> system-view

[Sysname] inspect email parameter-profile c1

[Sysname-inspect-email-c1] username han

Related commands

authentication enable

04-DPI Command Reference

DPI engine commands

capture-limit

display inspect md5-verify configuration

inspect bypass protocol

Related commands

inspect md5-fixed-length enable

inspect packet maximum

Syntax

inspect tcp-reassemble max-segment

inspect waf http-log-details enable

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us