WAF commands
The following compatibility matrix shows the support of hardware platforms for WAF:
Hardware platform | Module type | WAF compatibility |
---|---|---|
M9006, M9010, M9014 | Blade IV firewall module | Yes |
M9006, M9010, M9014 | Blade V firewall module | Yes |
M9006, M9010, M9014 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S, M9012-S | Blade IV firewall module | Yes |
M9008-S, M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S, M9012-S | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4, M9000-AI-E8, M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06, M9000-X06-B, M9000-X06-B-G, M9000-X06-G, M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06, M9000-AI-X10 | Blade VI firewall module | Yes |
action (CC defense rule view)
Use action to specify the action on packets matching a CC defense rule.
Use undo action to restore the default.
Syntax
action { block-source [ block-time ] | permit }
undo action
Default
The action is permit in a CC defense rule.
Views
CC defense rule view
Predefined user roles
network-admin
context-admin
Parameters
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources are blocked for the period specified by the block-time argument. If the IP blacklist feature is not enabled, the sources are still added to the blacklist but their subsequent packets are not blocked; only the packets that match the rule are dropped. For more information about the blacklist feature, see attack detection and prevention in Security Command Reference.
block-time: Specifies the block period. The value range for the block-time argument is 1 to 86400 seconds, and the default value is 300 seconds. If you do not specify the block-time argument for the block-source keyword, the default value is used.
permit: Permits matching packets to pass through.
Usage guidelines
The device executes the specified action on packets matching the rule.
Examples
# Specify the block source action for CC defense rule test and set the block time to 350 seconds.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] rule name test
[Sysname-cc-defense-policy-news-rule-test] action block-source 350
action (WAF policy view)
Use action to configure the action criterion for WAF signature filtering in a WAF policy.
Use undo action to restore the default.
Syntax
action { block-source | drop | permit | reset } *
undo action
Default
The action attribute is not used for WAF signature filtering.
Views
WAF policy view
Predefined user roles
network-admin
context-admin
Parameters
block-source: Specifies the block source action.
drop: Specifies the drop action.
permit: Specifies the permit action.
reset: Specifies the reset action.
Usage guidelines
This command filters the WAF signatures that a WAF policy uses based on the actions associated with the signatures.
You can repeat this command to specify multiple actions in an action criterion. The WAF policy uses a WAF signature if the signature is associated with any of the specified actions.
You cannot use this command during the signature update.
Examples
# Configure WAF policy test-policy to use WAF signatures associated with the drop or reset action.
<Sysname> system-view
[Sysname] waf policy test-policy
[Sysname-waf-policy-test-policy] action drop reset
Related commands
display waf policy
action (WAF signature view)
Use action to specify the actions on packets matching a user-defined WAF signature.
Use undo action to restore the default.
Syntax
action { block-source | drop | permit | reset } [ capture | logging ] *
undo action
Default
The action for a user-defined WAF signature is permit.
Views
User-defined WAF signature view
Predefined user roles
network-admin
context-admin
Parameters
block-source: Specifies the block source action, which drops matching packets and adds the sources of the packets to the IP blacklist. Later packets from a blacklisted source are blocked only if the IP blacklist feature is enabled.
drop: Specifies the drop action, which drops matching packets.
permit: Specifies the permit action, which permits matching packets to pass.
reset: Specifies the reset action, which closes the TCP connections for matching packets by sending TCP reset messages.
capture: Specifies the capture action, which captures matching packets. It can be combined with any one of the four actions above.
logging: Specifies the logging action, which logs matching packets. It can be combined with any one of the four actions above.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the action as permit for user-defined WAF signature mysignature.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] action permit
apply cc-defense policy
Use apply cc-defense policy to apply a CC defense policy to a WAF policy.
Use undo apply cc-defense policy to restore the default.
Syntax
apply cc-defense policy policy-name
undo apply cc-defense policy
Default
No CC defense policy is applied to a WAF policy.
Views
WAF policy view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies a CC defense policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A CC defense policy takes effect only after it is applied to a WAF policy.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply CC defense policy news to WAF policy master.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] quit
[Sysname] waf policy master
[Sysname-waf-policy-master] apply cc-defense policy news
attack-category
Use attack-category to specify an attack category criterion to filter WAF signatures in a WAF policy.
Use undo attack-category to delete an attack category criterion.
Syntax
attack-category { category [ sub-category subcategory ] | all }
undo attack-category { category [ sub-category subcategory ] | all }
Default
The attack category attribute is not used for WAF signature filtering.
Views
WAF policy view
Predefined user roles
network-admin
context-admin
Parameters
category: Specifies an attack category by its name. Category names are case insensitive. To view the names of attack categories, enter a question mark (?) after the attack-category keyword.
sub-category subcategory: Specifies a subcategory of the attack category. Subcategory names are case insensitive. To view the names of supported subcategories, enter a question mark (?) after the sub-category keyword. If you do not specify a subcategory, this command matches any WAF signature with a subcategory of the specified attack category.
all: Specifies all attack categories.
Usage guidelines
This command filters the WAF signatures that a WAF policy uses based on the attack category attribute of the signatures.
You can execute this command multiple times to specify multiple attack category criteria in a WAF policy. The WAF policy uses a WAF signature if the signature matches any of the configured attack category criteria.
Examples
# Configure WAF policy test-policy to use WAF signatures with the SQLInjection attack subcategory of the Vulnerability attack category.
<Sysname> system-view
[Sysname] waf policy test-policy
[Sysname-waf-policy-test-policy] attack-category Vulnerability sub-category SQLInjection
Related commands
display waf policy
cc-defense policy
Use cc-defense policy to create a CC defense policy and enter its view, or enter the view of an existing CC defense policy.
Use undo cc-defense policy to delete a CC defense policy.
Syntax
cc-defense policy policy-name
undo cc-defense policy policy-name
Default
No CC defense policy exists.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies the CC defense policy name, a case-insensitive string of 1 to 31 characters. The name cannot contain hyphens (-).
Usage guidelines
A CC defense policy takes effect only after it is applied to a WAF policy.
Examples
# Create CC defense policy news.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news]
Related commands
apply cc-defense policy
cc-detection-item
Use cc-detection-item to configure the CC defense detection items in a CC defense rule.
Use undo cc-detection-item to restore the default.
Syntax
cc-detection-item { request-concentration [ concentration-value ] [ request-number number ] | request-rate [ rate-value ] }
undo cc-detection-item { request-concentration | request-rate }
Default
No detection items are configured in a CC defense rule.
Views
CC defense rule view
Predefined user roles
network-admin
context-admin
Parameters
request-concentration [ concentration-value ]: Detects the request concentration ratio and specifies the threshold in percentage. The value range for the concentration-value argument is 1 to 100, and the default value is 25.
request-number number: Specifies the number of requests. The value range for the number argument is 10 to 65535, and the default value is 100.
request-rate [ rate-value ]: Detects the number of requests within a detection interval and specifies the request rate threshold. The value range for the rate-value argument is 1 to 65535, and the default value is 150.
Usage guidelines
The detection items include the following:
· Request rate—Identifies whether a client is sending requests too frequently. It is the number of requests from the client within a detection interval.
· Request concentration ratio—Identifies whether requests concentrate on a single URL. It is the percentage of requests to the most frequently visited URL out of the total requests to all URLs.
The request concentration ratio is evaluated only after the total number of requests reaches the value set with the request-number keyword.
The device compares the calculated statistics with the detection item thresholds. A CC attack is detected when a threshold is reached.
If protected paths are specified, the device collects statistics only for URLs matching these paths. If no protected paths are specified, the device collects statistics for all URLs.
If you execute this command for a detection item multiple times, the most recent configuration takes effect.
Examples
# Set the request rate to 10 times per detection interval for CC defense rule test.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] rule name test
[Sysname-cc-defense-policy-news-rule-test] cc-detection-item request-rate 10
Related commands
detection-interval
protected-url
description (CC defense policy view)
Use description to configure the description for a CC defense policy.
Use undo description to restore the default.
Syntax
description text-string
undo description
Default
A CC defense policy does not have any description.
Views
CC defense policy view
Predefined user roles
network-admin
context-admin
Parameters
text-string: Specifies a description, a case-insensitive string of 1 to 255 characters. The description can contain spaces.
Usage guidelines
A description allows easy identification of a CC defense policy.
Examples
# Configure a description for CC defense policy news.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] description News information
description (WAF signature view)
Use description to configure the description for a user-defined WAF signature.
Use undo description to restore the default.
Syntax
description text-string
undo description
Default
A user-defined WAF signature does not have any description.
Views
User-defined WAF signature view
Predefined user roles
network-admin
context-admin
Parameters
text-string: Specifies a description, a case-sensitive string of 1 to 127 characters. The description can contain spaces.
Usage guidelines
A description allows easy identification of a user-defined WAF signature.
Examples
# Configure a description for user-defined WAF signature mysignature.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] description Http protocol check
description (WAF whitelist entry view)
Use description to configure the description for a WAF whitelist entry.
Use undo description to restore the default.
Syntax
description text
undo description
Default
A WAF whitelist entry does not have any description.
Views
WAF whitelist entry view
Predefined user roles
network-admin
context-admin
Parameters
text: Specifies a description, a case-insensitive string of 1 to 255 characters. The description can contain spaces.
Usage guidelines
A description allows easy identification of a WAF whitelist entry.
Examples
# Specify the description as News information for WAF whitelist entry 1.
<Sysname> system-view
[Sysname] waf whitelist 1
[Sysname-waf-whitelist-1] description News information
Related commands
waf whitelist
destination-address (CC defense rule view)
Use destination-address to specify destination IP addresses as the filtering criteria in a CC defense rule.
Use undo destination-address to remove destination IP address filtering criteria from a CC defense rule.
Syntax
destination-address { ipv4 ipv4-address | ipv6 ipv6-address }
undo destination-address { ipv4 ipv4-address | ipv6 ipv6-address }
Default
No destination IP addresses are specified as the filtering criteria in a CC defense rule.
Views
CC defense rule view
Predefined user roles
network-admin
context-admin
Parameters
ipv4 ipv4-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
Usage guidelines
This command specifies the IP addresses of the protected Web servers.
Repeat the command to specify multiple destination IP address filtering criteria in a CC defense rule.
Examples
# Specify destination IPv4 address 192.168.4.83 as a filtering criterion for CC defense rule test.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] rule name test
[Sysname-cc-defense-policy-news-rule-test] destination-address ipv4 192.168.4.83
destination-address (WAF signature rule view)
Use destination-address to specify a destination IP address filtering criterion in a user-defined WAF signature rule.
Use undo destination-address to restore the default.
Syntax
destination-address ip ip-address
undo destination-address
Default
No destination IP address is specified as the filtering criterion in a user-defined signature rule.
Views
User-defined WAF signature rule view
Predefined user roles
network-admin
context-admin
Parameters
ip-address: Specifies an IPv4 address. It is used to match the packet destination IPv4 address.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In rule 1 of user-defined WAF signature mysignature, specify the keyword type as the match pattern type and specify destination IP address 10.1.1.1 as a filtering criterion.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] rule 1 pattern-type keyword
[Sysname-waf-signature-mysignature-rule-1] destination-address ip 10.1.1.1
destination-port (CC defense rule view)
Use destination-port to specify a destination port filtering criterion in a CC defense rule.
Use undo destination-port to remove a destination port filtering criterion from a CC defense rule.
Syntax
destination-port port-number
undo destination-port port-number
Default
No destination ports are specified as the filtering criteria in a CC defense rule.
Views
CC defense rule view
Predefined user roles
network-admin
context-admin
Parameters
port-number: Specifies a destination port number, in the range of 1 to 65535.
Usage guidelines
Repeat this command to specify multiple destination port filtering criteria for a CC defense rule.
Examples
# Specify destination port 8080 as a filtering criterion for CC defense rule test.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] rule name test
[Sysname-cc-defense-policy-news-rule-test] destination-port 8080
destination-port (WAF signature rule view)
Use destination-port to specify a destination port filtering criterion in a user-defined signature rule.
Use undo destination-port to restore the default.
Syntax
destination-port start-port [ to end-port ]
undo destination-port
Default
No destination ports are specified as the filtering criteria in a user-defined signature rule.
Views
User-defined WAF signature rule view
Predefined user roles
network-admin
context-admin
Parameters
start-port: Specifies the start port number of a destination port range, in the range of 1 to 65535.
to end-port: Specifies the end port number of a destination port range, in the range of 1 to 65535. If you do not specify this option, the rule matches only the start port.
Usage guidelines
The port numbers are matched against the TCP destination port of packets.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In user-defined WAF signature mysignature, create rule 1. Specify the keyword type as the match pattern type and specify the destination port range as 1 to 3550.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] rule 1 pattern-type keyword
[Sysname-waf-signature-mysignature-rule-1] destination-port 1 to 3550
detection-integer
Use detection-integer to configure an integer detection item in a user-defined signature rule.
Use undo detection-integer to remove an integer detection item from a user-defined signature rule.
Syntax
detection-integer field field-name match-type { eq | gt | gt-eq | lt | lt-eq | nequ } number
undo detection-integer
Default
No integer detection items are configured in a user-defined signature rule.
Views
User-defined WAF signature rule view
Predefined user roles
network-admin
context-admin
Parameters
field-name: Specifies a protocol field by its name, a case-insensitive string. To view the names of supported protocol fields, enter a question mark (?) after the field keyword.
match-type { eq | gt | gt-eq | lt | lt-eq | nequ }: Specifies a match operator in the detection item.
· eq: Matches numbers that are equal to the specified number.
· gt: Matches numbers that are greater than the specified number.
· gt-eq: Matches numbers that are greater than or equal to the specified number.
· lt: Matches numbers that are less than the specified number.
· lt-eq: Matches numbers that are less than or equal to the specified number.
· nequ: Matches numbers that are not equal to the specified number.
number: Specifies a number in the range of 1 to 4294967295.
Usage guidelines
A user-defined WAF signature rule can contain multiple detection items. A packet matches a rule only when the packet matches all detection items in the rule. The match order of the detection items is their configuration order. To avoid detection errors, configure the detection items based on the sequence of the protocol fields in the HTTP protocol.
Examples
# In user-defined WAF signature mysignature, create rule 1 of the integer match pattern type. Create a detection item in the rule to match packets whose http-uri field value is 123456.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] rule 1 pattern-type integer
[Sysname-waf-signature-mysignature-rule-1] detection-integer field http-uri match-type eq 123456
Related commands
trigger
detection-interval
Use detection-interval to set the CC attack detection interval.
Use undo detection-interval to restore the default.
Syntax
detection-interval interval
undo detection-interval
Default
The CC attack detection interval is 30 seconds.
Views
CC defense policy view
Predefined user roles
network-admin
context-admin
Parameters
interval: Specifies the detection interval, in the range of 10 to 720 seconds.
Usage guidelines
The detection interval starts when a CC defense rule is first matched.
During a detection interval, the device calculates statistics every time it receives a matching packet and compares the result with the detection item thresholds in real time.
· If no threshold is reached, the device permits the packet to pass through.
· If a threshold is reached, the device executes the action on the matching packet.
Examples
# Set the CC attack detection interval to 10 seconds.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] detection-interval 10
Related commands
cc-detection-item
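The way the two detection items, the request-number gate, protected paths, the detection interval and the block-source action fit together is easiest to see in a small executable model. The Python below is an added example written for this page, not device code. It assumes that the request rate is counted per source IP, that the concentration ratio is computed over all requests the rule matched in the current interval, that protected paths are matched as URL prefixes, that the interval restarts at the first matching request after it has elapsed, that "reached" means greater than or equal to the threshold, and that the source of the packet that reaches a threshold is the one blacklisted.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CCDefenseRule:
    """Hypothetical in-memory model of one CC defense rule (not device code)."""
    detection_interval: int = 30                  # detection-interval, seconds (policy level)
    request_rate: Optional[int] = None            # cc-detection-item request-rate threshold
    request_concentration: Optional[int] = None   # request-concentration threshold, percent
    request_number: int = 100                     # request-number gate for the concentration check
    protected_paths: Tuple[str, ...] = ()         # protected-url paths; empty means count every URL
    action: str = "block-source"                  # action: block-source | permit
    block_time: int = 300                         # block-time, seconds
    blacklist_enabled: bool = True                # whether the IP blacklist feature is enabled

    def __post_init__(self):
        self._interval_start: Optional[float] = None
        self._per_source = Counter()   # requests per client in the current interval
        self._per_url = Counter()      # requests per URL in the current interval
        self._blacklist = {}           # source IP -> time at which the block expires

    def _counted(self, url: str) -> bool:
        # assumption: protected paths are matched as URL prefixes
        return not self.protected_paths or any(url.startswith(p) for p in self.protected_paths)

    def _threshold_hit(self, src: str) -> Optional[str]:
        if self.request_rate is not None and self._per_source[src] >= self.request_rate:
            return "request-rate"
        if self.request_concentration is not None:
            total = sum(self._per_url.values())
            # the ratio is only evaluated once request-number requests were seen
            if total >= self.request_number:
                top = max(self._per_url.values())
                if top * 100 >= self.request_concentration * total:
                    return "request-concentration"
        return None

    def handle(self, ts: float, src: str, url: str) -> Tuple[str, Optional[str]]:
        """Process one HTTP request and return (verdict, reason)."""
        expires = self._blacklist.get(src)
        if expires is not None:
            if ts < expires:
                return "drop", "blacklisted"
            del self._blacklist[src]
        if not self._counted(url):
            return "permit", None
        # the interval starts at the first matching request and restarts once it has elapsed
        if self._interval_start is None or ts - self._interval_start >= self.detection_interval:
            self._interval_start = ts
            self._per_source.clear()
            self._per_url.clear()
        self._per_source[src] += 1
        self._per_url[url] += 1
        reason = self._threshold_hit(src)
        if reason is None or self.action == "permit":
            return "permit", reason
        # block-source: drop this packet and blacklist its source; the blacklist
        # only stops later packets when the IP blacklist feature is enabled
        if self.blacklist_enabled:
            self._blacklist[src] = ts + self.block_time
        return "drop", reason


def run_trace(rule: CCDefenseRule, events: List[Tuple[float, str, str]]):
    """Feed (timestamp, source IP, URL) events through the rule in order."""
    return [rule.handle(ts, src, url) for ts, src, url in events]


if __name__ == "__main__":
    # constructed trace: one client sends 11 requests in 10 seconds against a rate threshold of 10
    rule = CCDefenseRule(request_rate=10, request_concentration=25, request_number=20)
    flood = [(t, "10.0.0.5", f"/a{t}") for t in range(11)]
    for event, verdict in zip(flood, run_trace(rule, flood)):
        print(event, verdict)
```

Two behaviours worth noting when tuning thresholds: the concentration check starts firing on the request that makes the total reach request-number, so a low request-number with a small site (few distinct URLs) will flag legitimate traffic; and a request-rate threshold is per client, so a NAT gateway in front of many users appears as one very busy source.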
detection-keyword
Use detection-keyword to configure a keyword detection item in a user-defined signature rule.
Use undo detection-keyword to remove a keyword detection item from a user-defined signature rule.
Syntax
detection-keyword detection-id field field-name match-type { exclude | include } { hex hex-string | regex regex-pattern | text text-string } [ offset offset-value [ depth depth-value ] | relative-offset relative-offset-value [ relative-depth relative-depth-value ] ]
undo detection-keyword detection-id
Default
No keyword detection items are configured in a user-defined signature rule.
Views
User-defined WAF signature rule view
Predefined user roles
network-admin
context-admin
Parameters
detection-id: Specifies a detection item ID, in the range of 1 to 10.
field field-name: Specifies a protocol field by its name, in a case-insensitive string. To view the names of supported protocol fields, enter a question mark (?) after the field keyword.
match-type { exclude | include }: Specifies a match operator in the detection item.
· include: Matches contents that include the specified string.
· exclude: Matches contents that do not include the specified string.
hex hex-string: Specifies a case-sensitive hexadecimal string of 8 to 254 characters. Valid characters are the digits 0 to 9 and the letters A to F and a to f. The string must contain an even number of hexadecimal characters and must be enclosed in vertical bars (|), for example |1234f5b6|.
regex regex-pattern: Specifies a case-sensitive regular expression of 3 to 255 characters. The expression must start with a letter, digit, or underscore (_) and must contain at least 3 consecutive non-wildcard characters.
text text-string: Specifies a case-insensitive text string of 3 to 255 characters.
offset offset-value: Specifies the offset in bytes, counted from the beginning of the protocol field, at which the match operation starts, in the range of 1 to 65535. If you do not specify the offset-value argument, the match operation starts from the beginning of the protocol field.
depth depth-value: Specifies the number of bytes to match starting from the offset, in the range of 3 to 65535. If you do not specify the depth-value argument, the detection item examines the protocol field up to its end.
relative-offset relative-offset-value: Specifies the offset in bytes, counted from the end of the previous detection item's match, at which the match operation starts, in the range of –32767 to –1 and 1 to 32767. A positive value moves the start point toward the end of the field (later bytes); a negative value moves it toward the beginning of the field (earlier bytes).
relative-depth relative-depth-value: Specifies the number of bytes to match starting from the relative offset, in the range of 3 to 65535.
Usage guidelines
This command is available only after the detection trigger condition is configured.
A user-defined WAF signature rule can contain multiple detection items. A packet matches a rule only when it matches all detection items in the rule. The detection items are evaluated in their configuration order.
A detection item compares its keyword with the contents of the specified protocol field. To bound the match operation, use either the offset and depth (absolute positions within the field) or the relative offset and relative depth (positions relative to the end of the previous detection item's match).
To avoid detection errors, configure detection items in the order in which the protocol fields appear in an HTTP message.
Examples
# In user-defined WAF signature mysignature, create rule 1 of the keyword match pattern type. Create a detection item in the rule to match packets whose http-uri field includes abc. Specify the offset and depth as 10 bytes and 50 bytes, respectively.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] rule 1 pattern-type keyword
[Sysname-waf-signature-mysignature-rule-1] detection-keyword 1 field http-uri match-type include text abc offset 10 depth 50
Related commands
trigger
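To see how the detection items of a user-defined signature rule combine (all items must match, in configuration order, with keyword items positioned either by offset and depth or by relative-offset and relative-depth from the end of the previous match), here is an added Python model of a rule. It is an illustration written for this page, not the device's matching engine, and it covers both detection-integer and detection-keyword. Field names other than http-uri (for example http-content-length) are hypothetical, a positive relative offset is taken to move toward the end of the field, a match window that runs past the field is simply empty, and an exclude item does not move the position used by the next relative item.

```python
import operator
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# operators of detection-integer
_INT_OPS = {"eq": operator.eq, "gt": operator.gt, "gt-eq": operator.ge,
            "lt": operator.lt, "lt-eq": operator.le, "nequ": operator.ne}


@dataclass
class IntegerItem:
    field: str
    match_type: str              # eq | gt | gt-eq | lt | lt-eq | nequ
    number: int


@dataclass
class KeywordItem:
    field: str
    match_type: str              # include | exclude
    kind: str                    # text (case-insensitive) | hex (|..|) | regex (case-sensitive)
    pattern: str
    offset: Optional[int] = None
    depth: Optional[int] = None
    relative_offset: Optional[int] = None
    relative_depth: Optional[int] = None


def _window(item: KeywordItem, data: bytes, prev_end: int):
    """Return (start, slice) of the field bytes the item is allowed to inspect."""
    if item.relative_offset is not None:
        start = max(0, prev_end + item.relative_offset)   # relative to the previous match
        length = item.relative_depth
    else:
        start = item.offset or 0                          # absolute, from the field start
        length = item.depth
    stop = len(data) if length is None else start + length
    return start, data[start:stop]


def _find(item: KeywordItem, window: bytes) -> Optional[int]:
    """Return the end index (inside window) of the first hit, or None."""
    if item.kind == "regex":
        m = re.search(item.pattern.encode(), window)
        return None if m is None else m.end()
    if item.kind == "hex":
        needle, hay = bytes.fromhex(item.pattern.strip("|")), window
    else:
        needle, hay = item.pattern.lower().encode(), window.lower()
    idx = hay.find(needle)
    return None if idx < 0 else idx + len(needle)


class SignatureRule:
    """One rule of a user-defined signature: every item must match, in order."""

    def __init__(self, items: List[Union[IntegerItem, KeywordItem]]):
        self.items = items

    def matches(self, fields: Dict[str, Union[bytes, int]]) -> bool:
        prev_end = 0
        for item in self.items:
            value = fields.get(item.field)
            if value is None:
                return False
            if isinstance(item, IntegerItem):
                if not _INT_OPS[item.match_type](value, item.number):
                    return False
                continue
            start, window = _window(item, value, prev_end)
            end = _find(item, window)
            if item.match_type == "include":
                if end is None:
                    return False
                prev_end = start + end          # next relative item counts from here
            elif end is not None:               # exclude: a hit fails the item
                return False
        return True


# the rule from the example above: abc in http-uri, offset 10, depth 50
PAGE_EXAMPLE_RULE = SignatureRule([
    KeywordItem("http-uri", "include", "text", "abc", offset=10, depth=50)])

# constructed SQL injection rule: "union" followed within 10 bytes by "select",
# on a request whose (hypothetical) http-content-length field is at most 1024
SQLI_RULE = SignatureRule([
    KeywordItem("http-uri", "include", "text", "union"),
    KeywordItem("http-uri", "include", "text", "select", relative_offset=1, relative_depth=10),
    IntegerItem("http-content-length", "lt-eq", 1024)])

# constructed: directory traversal "../" given as a hex keyword
TRAVERSAL_RULE = SignatureRule([KeywordItem("http-uri", "include", "hex", "|2e2e2f|")])

# constructed: login request that carries no csrf parameter
LOGIN_NO_CSRF_RULE = SignatureRule([
    KeywordItem("http-uri", "include", "text", "login"),
    KeywordItem("http-uri", "exclude", "text", "csrf")])

if __name__ == "__main__":
    uri = b"/search.php?q=1' union select user,pass from users--"
    print(SQLI_RULE.matches({"http-uri": uri, "http-content-length": 0}))
```

The relative items are what make a rule position-aware: without relative-offset and relative-depth the second keyword would match "select" anywhere in the URI, so a query such as /search.php?q=union+of+nations&sort=select would be flagged; with them it has to appear right after "union".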
direction
Use direction to specify the direction attribute in a user-defined signature.
Use undo direction to restore the default.
Syntax
direction { any | to-client | to-server }
undo direction
Default
The direction attribute of a user-defined WAF signature is any.
Views
User-defined WAF signature view
Predefined user roles
network-admin
context-admin
Parameters
any: Specifies both directions.
to-client: Specifies the server-to-client direction.
to-server: Specifies the client-to-server direction.
Usage guidelines
You cannot execute this command multiple times to change the direction attribute. To change the direction attribute, first execute undo direction. Use the undo command with caution because the undo command also deletes all rules in the signature.
Examples
# Specify user-defined WAF signature mysignature to match packets in the server-to-client direction.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] direction to-client
display waf policy
Use display waf policy to display WAF policy information.
Syntax
display waf policy policy-name
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
policy-name: Specifies a WAF policy by its name, a case-insensitive string of 1 to 63 characters.
Examples
# Display information about WAF policy aa.
<Sysname> display waf policy aa
Semantic-analysis status : enabled
Total signatures : 100
Pre-defined signatures : 10
User-defined signatures : 90
Flags:
B: Block-source D: Drop P: Permit Rs: Reset Rd: Redirect C: Capture L: Logging
Pre: pre-defined User: user-defined
Type SigID Target SubTarget Severity Direction Category SubCategory Status Action
Pre 23723 OperationSystem Any High Any Vulnerability RemoteCodeExecu Enable RsL
Pre 24728 OperationSystem Any Critical Server Malware Backdoor Enable DL
Pre 25066 OperationSystem Any Critical Any Malware Backdoor Enable DL
Pre 25067 OperationSystem Any Critical Server Malware Backdoor Enable RsL
Pre 25824 OperationSystem Any Critical Server Vulnerability Overflow Enable RsL
---- More ----
Table 1 Command output
Field | Description |
---|---|
Semantic-analysis status | Status of semantic analysis: enabled or disabled. |
Total signatures | Total number of WAF signatures. |
Pre-defined signatures | Total number of predefined WAF signatures. |
User-defined signatures | Total number of user-defined signatures. |
Type | Type of the WAF signature: Pre (predefined) or User (user-defined). |
SigID | Signature ID. |
Target | Attacked target. |
SubTarget | Attacked subtarget. |
Severity | Attack severity level of the signature: Low, Medium, High, or Critical. |
Category | Attack category of the signature. |
SubCategory | Attack subcategory of the signature. |
Status | Status of the WAF signature: Enabled or Disabled. |
Action | Actions for matching packets. Block-source: drops matching packets and adds the sources of the packets to the IP blacklist. Drop: drops matching packets. Permit: permits matching packets to pass. Reset: closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages. Redirect: redirects matching packets to a webpage. Capture: captures matching packets. Logging: logs matching packets. |
display waf signature
Use display waf signature to display brief WAF signature information.
Syntax
display waf signature [ pre-defined | user-defined ] [ direction { any | to-client | to-server } ] [ category category-name | fidelity { high | low | medium } | severity { critical | high | low | medium } ] *
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
pre-defined: Specifies predefined WAF signatures.
user-defined: Specifies user-defined WAF signatures.
direction { any | to-client | to-server }: Specifies a direction attribute. If you do not specify a direction attribute, this command displays WAF signatures with any direction attribute.
· any: Specifies both directions of a session.
· to-server: Specifies the client to server direction of a session.
· to-client: Specifies the server to client direction of a session.
category category-name: Specifies an attack category. To view the names of supported attack categories, enter a question mark (?) after the category keyword. If you do not specify an attack category, this command displays WAF signatures for all attack categories.
fidelity { high | low | medium }: Specifies a fidelity level. If you do not specify a fidelity level, this command displays WAF signatures of all fidelity levels. The fidelity level indicates the attack detection accuracy.
· low: Specifies the low fidelity.
· medium: Specifies the medium fidelity.
· high: Specifies the high fidelity.
severity { critical | high | low | medium }: Specifies an attack severity level. If you do not specify a severity level, this command displays WAF signatures for all severity levels of attacks.
· low: Specifies the low severity level.
· medium: Specifies the medium severity level.
· high: Specifies the high severity level.
· critical: Specifies the critical severity level.
Usage guidelines
If you do not specify any options, this command displays all WAF signatures.
Examples
# Display predefined WAF signatures of the medium fidelity level.
<Sysname> display waf signature pre-defined fidelity medium
Pre-defined signatures total:88 failed:0
Flag:
Pre: predefined User: user-defined
Type SigID Direction Severity Fidelity Category Protocol SigName
Pre 3295 To-client Critical Medium Vulnerability TCP
Pre 5379 To-client Critical Medium Vulnerability TCP
Pre 6017 To-client Critical Medium Vulnerability TCP
Pre 7453 To-server High Medium Other TCP
Pre 10033 To-client High Medium Vulnerability TCP
Pre 23227 To-server Medium Medium Vulnerability TCP
Pre 23285 To-server Medium Medium Vulnerability TCP
Pre 23309 To-server Medium Medium Vulnerability TCP
Pre 23482 To-server High Medium Vulnerability TCP
Pre 23530 To-server High Medium Vulnerability TCP
Pre 23666 To-server High Medium Vulnerability TCP
Pre 23722 To-server Medium Medium Vulnerability TCP
Pre 23747 To-server Medium Medium Vulnerability TCP
Pre 24346 To-client Medium Medium Vulnerability TCP
Pre 25044 To-server High Medium Vulnerability TCP
Pre 25086 To-server High Medium Vulnerability TCP
Pre 25100 To-server High Medium Vulnerability TCP
---- More ----
# Display WAF signatures of the high attack severity level.
<Sysname> display waf signature severity high
Total signatures :45 failed:0
Pre-defined signatures total:45 failed:0
User-defined signatures total:0 failed:0
Flag:
Pre: predefined User: user-defined
Type SigID Direction Severity Fidelity Category Protocol SigName
Pre 7453 To-server High Medium Other TCP
Pre 10033 To-client High Medium Vulnerability TCP
Pre 23192 To-server High High Vulnerability TCP
Pre 23448 To-server High High Vulnerability TCP
Pre 23474 To-server High Low Vulnerability TCP
Pre 23482 To-server High Medium Vulnerability TCP
Pre 23530 To-server High Medium Vulnerability TCP
Pre 23666 To-server High Medium Vulnerability TCP
Pre 24485 To-server High High Vulnerability TCP
Pre 25044 To-server High Medium Vulnerability TCP
Pre 25086 To-server High Medium Vulnerability TCP
Pre 25100 To-server High Medium Vulnerability TCP
Pre 30781 To-server High Medium Vulnerability TCP
Pre 30807 To-server High Medium Vulnerability TCP
Pre 30851 To-server High Medium Vulnerability TCP
---- More ----
Table 2 Command output
Field | Description |
---|---|
Total signatures | Total number of WAF signatures. |
Pre-defined signatures total | Total number of predefined WAF signatures. |
User-defined signatures total | Total number of user-defined WAF signatures. |
Type | Type of the WAF signature: · Pre—Predefined WAF signatures. · User—User-defined signatures. |
SigID | Signature ID. |
Direction | Direction attribute of the signature: · any—Specifies both directions of a session. · To-server—Specifies the client-to-server direction of a session. · To-client—Specifies the server-to-client direction of a session. |
Severity | Attack severity level of the signature: Low, Medium, High, or Critical. |
Fidelity | Fidelity level of the signature: Low, Medium, or High. |
Category | Attack category of the signature. |
Protocol | Protocol attribute of the signature. |
SigName | Predefined signature name. |
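A parser for this display output, added here as an example (it is not part of the command reference or the device software): it turns the tabular lines into records and then applies the WAF policy filters that the severity-level and object-dir commands describe (a severity set, and To-client/To-server by direction with Any always kept). The sample output is constructed from the rows shown above; the function and column names are assumptions.

```python
# Added example (not from the command reference or the device software):
# parse the tabular output of 'display waf signature ...' into records and
# apply the WAF policy filters described under severity-level and object-dir.
import re
from collections import Counter

# Constructed sample, assembled from lines shown in the reference output.
SAMPLE_OUTPUT = """\
Pre-defined signatures total:88 failed:0
Flag:
Pre: predefined User: user-defined
Type SigID Direction Severity Fidelity Category Protocol SigName
Pre 3295 To-client Critical Medium Vulnerability TCP
Pre 7453 To-server High Medium Other TCP
Pre 10033 To-client High Medium Vulnerability TCP
Pre 23227 To-server Medium Medium Vulnerability TCP
Pre 24346 To-client Medium Medium Vulnerability TCP
Pre 25044 To-server High Medium Vulnerability TCP
---- More ----
"""

COLUMNS = ("type", "sig_id", "direction", "severity", "fidelity",
           "category", "protocol", "sig_name")
COUNTER_RE = re.compile(r"^(.+?)\s*:\s*(\d+)\s+failed\s*:\s*(\d+)$")


def parse_signature_table(text):
    """Return (summary, records).

    summary maps each counter line ("Total signatures", "Pre-defined
    signatures total", ...) to (total, failed); records are dicts keyed by
    COLUMNS, one per table row. The pager line '---- More ----' ends the table.
    """
    summary, records, in_table = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Type") and "SigID" in line:
            in_table = True
            continue
        if not in_table:
            m = COUNTER_RE.match(line)
            if m:
                summary[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
            continue
        if line.startswith("----"):
            break
        parts = line.split(None, len(COLUMNS) - 1)
        parts += [""] * (len(COLUMNS) - len(parts))   # SigName is blank in the sample
        rec = dict(zip(COLUMNS, parts))
        rec["sig_id"] = int(rec["sig_id"])
        records.append(rec)
    return summary, records


def policy_selects(records, severity_levels=None, object_dir=None):
    """Signatures a WAF policy would use under the given filters.

    severity_levels: subset of {critical, high, low, medium} or None (no
    filter). object_dir: subset of {client, server} or None; 'client' keeps
    To-client signatures, 'server' keeps To-server ones, and signatures
    whose direction is Any are always kept, as the reference states.
    """
    wanted_sev = {s.lower() for s in severity_levels} if severity_levels else None
    wanted_dir = None
    if object_dir:
        wanted_dir = {"any"}
        if "client" in object_dir:
            wanted_dir.add("to-client")
        if "server" in object_dir:
            wanted_dir.add("to-server")
    chosen = []
    for rec in records:
        if wanted_sev and rec["severity"].lower() not in wanted_sev:
            continue
        if wanted_dir and rec["direction"].lower() not in wanted_dir:
            continue
        chosen.append(rec)
    return chosen


def count_by(records, column):
    """Inventory view of the parsed table, e.g. count_by(records, 'severity')."""
    return dict(Counter(rec[column] for rec in records))


if __name__ == "__main__":
    summary, records = parse_signature_table(SAMPLE_OUTPUT)
    print(summary, count_by(records, "severity"))
    for rec in policy_selects(records, ["critical", "medium"], ["client"]):
        print(rec["sig_id"], rec["direction"], rec["severity"])
```

Feeding the full output of `display waf signature` to `parse_signature_table` gives an inventory that can be checked against the policy's severity-level and object-dir settings before the policy is applied.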
display waf signature library
Use display waf signature library to display WAF signature library information.
Syntax
display waf signature library
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display WAF signature library information.
<Sysname> display waf signature library
WAF signature library information:
Type SigVersion ReleaseTime Size (bytes)
Current 1.02 Fri Sep 13 09:05:35 2014 71594
Last - - -
Factory 1.00 Fri Sep 11 09:05:35 2014 71394
Table 3 Command output
Field | Description |
---|---|
Type | Version type of the WAF signature library: · Current—Current version. · Last—Previous version. · Factory—Factory default version. |
SigVersion | Version number of the WAF signature library. |
ReleaseTime | Release time of the WAF signature library. |
Size | Size of the WAF signature file in bytes. |
display waf signature pre-defined
Use display waf signature pre-defined to display detailed information about a predefined WAF signature.
Syntax
display waf signature pre-defined signature-id
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
signature-id: Specifies the signature ID. The value range is 1 to 536870911.
Examples
# Display detailed information about predefined WAF signature 3295.
<Sysname> display waf signature pre-defined 3295
Type : Pre-defined
Signature ID: 3295
Status : Enable
Action : Permit & Logging
Name : WEB_SERVER_Possible_HTTP_503_XSS_Attempt_(Internal_Source)
Protocol : TCP
Severity : Critical
Fidelity : Medium
Direction : To-client
Category : Vulnerability
Reference :
Description : WEB_SERVER_Possible_HTTP_503_XSS_Attempt_(Internal_Source)
Table 4 Command output
Field | Description |
---|---|
Type | Type of the WAF signature: · Pre—Predefined WAF signatures. · User—User-defined signatures. |
Signature ID | Signature ID. |
Status | Status of the WAF signature, Enabled or Disabled. |
Action | Actions for matching packets: · Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist. · Drop—Drops matching packets. · Permit—Permits matching packets to pass. · Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages. · Capture—Captures matching packets. · Logging—Logs matching packets. |
Name | Name of the WAF signature. |
Protocol | Protocol attribute of the signature. |
Severity | Attack severity, Low, Medium, High, or Critical. |
Fidelity | Fidelity level of the signature, Low, Medium, or High. |
Direction | Direction attribute of the signature: · any—Specifies both directions of a session. · To-server—Specifies the client-to-server direction of a session. · To-client—Specifies the server-to-client direction of a session. |
Category | Attack category of the signature. |
Reference | Reference for the signature. |
Description | Description for the signature. |
display waf signature user-defined
Use display waf signature user-defined to display detailed information about a user-defined WAF signature.
Syntax
display waf signature user-defined signature-id
Views
Any view
Predefined user roles
network-admin
context-admin
Parameters
signature-id: Specifies the signature ID, in the range of 536870928 to 1073741808.
Examples
# Display detailed information about user-defined signature 536870944.
<Sysname> display waf signature user-defined 536870944
Signature ID: 536870944
Signature name: mysignature
Status: Enabled
Action: Permit & Logging
Severity: High
Fidelity: Medium
Direction: To-server
Rulelogic: Or
Description: Http method check
Total rules: 2
Rule list:
Rule ID: 1
Match-type: Keyword
HTTP method: Get
Source address: 10.1.1.1
Source port: 1-35560
Destination address: 20.1.1.1
Destination port: 1-35560
trigger entry:
Field: Http_Uri
Value: abcksdhosihendsid
Offset: 20
Depth: 1000
Detection entry list:
Entry ID Field Match type Content-type Content
1 http_cookie include text sduhskdjs
Rule ID: 2
---- More ----
Table 5 Command output
Field | Description |
---|---|
Signature ID | Signature ID. |
Signature name | Name of the WAF signature. |
Status | Status of the WAF signature, Enabled or Disabled. |
Action | Actions for matching packets: · Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist. · Drop—Drops matching packets. · Permit—Permits matching packets to pass. · Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages. · Capture—Captures matching packets. · Logging—Logs matching packets. |
Severity | Attack severity, Low, Medium, High, or Critical. |
Fidelity | Fidelity level of the signature, Low, Medium, or High. |
Direction | Direction attribute of the signature: · Any—Specifies both directions. · To-client—Specifies the server-to-client direction. · To-server—Specifies the client-to-server direction. |
Rulelogic | Logical operator between rules in the WAF signature. |
Description | Description for the signature. |
Total rules | Total number of rules. |
Rule ID | Rule ID. |
Match-type | Signature match pattern type, Keyword or Integer. |
HTTP method | HTTP request method as a filtering criterion. |
Source address | Source address as a filtering criterion. |
Source port | Source port range as a filtering criterion. |
Destination address | Destination address as a filtering criterion. |
Destination port | Destination port range as a filtering criterion. |
trigger entry | Detection trigger condition in the rule. |
Field | Protocol field to inspect in the detection trigger condition. |
Value | Contents to inspect in the detection trigger condition. |
Offset | Offset after which the inspection starts. |
Depth | Number of bytes to be inspected. |
Detection entry list | Detection item list. |
Entry ID | Detection item ID. |
Field | Protocol field to inspect in the detection item. |
Match type | Match operation in the detection item, include and exclude. |
Content-type | Type of the content pattern: · hex—Specifies a hexadecimal string. · regex—Specifies a regular expression string. · text—Specifies a text string. |
Content | Contents to inspect in the detection item. |
entry enable
Use entry enable to enable a WAF whitelist entry.
Use undo entry enable to disable a WAF whitelist entry.
Syntax
entry enable
undo entry enable
Default
WAF whitelist entries are enabled.
Views
WAF whitelist entry view
Predefined user roles
network-admin
context-admin
Usage guidelines
A WAF whitelist entry is enabled automatically after creation. To disable a WAF whitelist entry that is not in use, use the undo entry enable command.
Examples
# Disable WAF whitelist entry 1.
<Sysname> system-view
[Sysname] waf whitelist 1
[Sysname-waf-whitelist-1] undo entry enable
Related commands
waf whitelist
exception
Use exception to specify IP exceptions in a CC defense policy.
Use undo exception to delete IP exceptions.
Syntax
exception { ipv4 ipv4-address | ipv6 ipv6-address }
undo exception { all | ipv4 ipv4-address | ipv6 ipv6-address }
Default
No IP exceptions are specified in a CC defense policy.
Views
CC defense policy view
Predefined user roles
network-admin
context-admin
Parameters
ipv4 ipv4-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
all: Deletes all IP exceptions.
Usage guidelines
The device permits an HTTP packet to pass through if the source IP address of the packet is on the IP exception list. If the source IP address is not on the list, the device continues the CC attack detection.
Examples
# Specify 192.168.4.83 as an IP exception in CC defense policy news.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] exception ipv4 192.168.4.83
http-method
Use http-method to specify a request method filtering criterion in a user-defined signature rule.
Use undo http-method to restore the default.
Syntax
http-method method-name
undo http-method
Default
No request method filtering criterion is specified in a user-defined signature rule.
Views
User-defined WAF signature rule view
Predefined user roles
network-admin
context-admin
Parameters
method-name: Specifies the name of an HTTP request method, a case-insensitive string, such as GET and POST. To view the supported request methods, enter a question mark (?) after the http-method keyword.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In user-defined WAF signature mysignature, create rule 1 of the keyword match pattern type and specify the GET request method as a filtering criterion.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] rule 1 pattern-type keyword
[Sysname-waf-signature-mysignature-rule-1] http-method get
logging enable
Use logging enable to enable CC defense logging.
Use undo logging enable to disable CC defense logging.
Syntax
logging enable
undo logging enable
Default
CC defense logging is disabled.
Views
CC defense rule view
Predefined user roles
network-admin
context-admin
Usage guidelines
This feature allows the device to fast output logs to log hosts when CC attacks are detected. For more information, see fast log output commands in Network Management and Monitoring Command Reference.
Examples
# Enable CC defense logging for CC defense rule test.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] rule name test
[Sysname-cc-defense-policy-news-rule-test] logging enable
method
Use method to specify request method filtering criteria in a CC defense rule.
Use undo method to delete a request method filtering criterion from a CC defense rule.
Syntax
method { connect | delete | get | head | options | post | put | trace } *
undo method { connect | delete | get | head | options | post | put | trace }
Default
No request method filtering criteria are specified in a CC defense rule.
Views
CC defense rule view
Predefined user roles
network-admin
context-admin
Parameters
connect: Specifies the CONNECT request method. A CONNECT request method establishes a tunnel to the server identified by the target resource.
delete: Specifies the DELETE request method. A DELETE request method removes all current representations of the target resource.
get: Specifies the GET request method. A GET request method transfers a current representation of the target resource.
head: Specifies the HEAD request method. A HEAD request method is the same as the GET request method, but only transfers the status line and header section.
options: Specifies the OPTIONS request method. An OPTIONS request method describes the communication options for the target resource.
post: Specifies the POST request method. A POST request method performs resource-specific processing on the request payload.
put: Specifies the PUT request method. A PUT request method replaces all current representations of the target resource with the request payload.
trace: Specifies the TRACE request method. A TRACE request method performs a message loop-back test along the path to the target resource.
Usage guidelines
Repeat this command to specify multiple request method filtering criteria.
Examples
# Specify the POST request method as a filtering criterion in CC defense rule test.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] rule name test
[Sysname-cc-defense-policy-news-rule-test] method post
object-dir
Use object-dir to specify a direction criterion to filter WAF signatures in a WAF policy.
Use undo object-dir to restore the default.
Syntax
object-dir { client | server } *
undo object-dir
Default
The direction attribute is not used for WAF signature filtering.
Views
WAF policy view
Predefined user roles
network-admin
context-admin
Parameters
client: Specifies the server-to-client direction.
server: Specifies the client-to-server direction.
Usage guidelines
Each WAF signature has a direction attribute that defines the traffic direction to which the signature applies. The direction attribute values include To-server, To-client, and Any.
WAF signatures with the Any direction attribute are always used by a WAF policy, regardless of the settings of this command. For example, if you configure the object-dir client command for a WAF policy, the policy uses WAF signatures with both the To-client and Any direction attributes.
If you execute this command in a WAF policy multiple times, the most recent configuration takes effect.
Examples
# Configure WAF policy test-policy to use WAF signatures with the To-client and Any direction attributes.
<Sysname> system-view
[Sysname] waf policy test-policy
[Sysname-waf-policy-test-policy] object-dir client
override-current
Use override-current to configure the device to overwrite the current WAF signature library without backing up the library during an automatic signature library update.
Use undo override-current to restore the default.
Syntax
override-current
undo override-current
Default
Before performing an automatic WAF signature library update, the device backs up the current WAF signature library as the previous version.
Views
Automatic WAF signature library update configuration view
Predefined user roles
network-admin
context-admin
Usage guidelines
Backing up the current WAF signature library requires additional storage space but enables signature library rollback. As a best practice, enable the backup function if there is sufficient storage space.
Examples
# Configure the device to overwrite the current WAF signature library without backing up the library during an automatic signature library update.
<Sysname> system-view
[Sysname] waf signature auto-update
[Sysname-waf-sig-autoupdate] override-current
Related commands
waf signature auto-update-now
protected-target
Use protected-target to set a target criterion to filter the WAF signatures in a WAF policy.
Use undo protected-target to remove a target criterion.
Syntax
protected-target { target [ sub-target subtarget ] | all }
undo protected-target { target [ sub-target subtarget ] | all }
Default
The protected target attribute is not used for WAF signature filtering.
Views
WAF policy view
Predefined user roles
network-admin
context-admin
Parameters
target: Specifies a target by its name. Target names are case insensitive. To view the names of supported targets, enter a question mark (?) after the protected-target keyword.
subtarget: Specifies a subtarget of the target by the subtarget name. Subtarget names are case insensitive. To view the names of supported subtargets, enter a question mark (?) after the sub-target keyword. If you do not specify a subtarget, this command matches any WAF signatures with a subtarget of the specified target.
all: Specifies all targets.
Usage guidelines
This command filters the WAF signatures that a WAF policy uses based on the protected target attribute of the signatures.
You can execute this command multiple times to specify multiple target criteria in a WAF policy. The WAF policy uses a WAF signature if the signature matches any of the configured target criteria.
Examples
# Configure WAF policy test-policy to use WAF signatures with the WebLogic subtarget of the WebServer target.
<Sysname> system-view
[Sysname] waf policy test-policy
[Sysname-waf-policy-test-policy] protected-target WebServer sub-target WebLogic
Related commands
display waf policy
protected-url
Use protected-url to specify a protected path in a CC defense rule.
Use undo protected-url to remove a protected path from a CC defense rule.
Syntax
protected-url url
undo protected-url url
Default
No protected paths are specified in a CC defense rule.
Views
CC defense rule view
Predefined user roles
network-admin
context-admin
Parameters
url: Specifies a protected path, a case-insensitive string of 1 to 255 characters. A protected path is part of a URL. The path cannot contain domain names or parameters, and it must start with a slash (/), for example, /portal/release/ir/default.jsp.
Usage guidelines
Repeat this command to specify multiple protected paths in a CC defense rule.
If protected paths are specified, the device collects statistics for only URLs matching these paths. If no protected paths are specified, the device collects statistics for all URLs.
Examples
# Specify protected path /portal/release/ir/default.jsp in CC defense rule test.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] rule name test
[Sysname-cc-defense-policy-news-rule-test] protected-url /portal/release/ir/default.jsp
rule (CC defense policy view)
Use rule to create a CC defense rule and enter its view, or enter the view of an existing CC defense rule.
Use undo rule to delete a CC defense rule.
Syntax
rule name rule-name
undo rule name rule-name
Default
No CC defense rules exist.
Views
CC defense policy view
Predefined user roles
network-admin
context-admin
Parameters
name rule-name: Specifies the CC defense rule name, a case-insensitive string of 1 to 31 characters. The name cannot contain hyphens (-).
Usage guidelines
You can configure the following items in a CC defense rule:
· Packet filtering criteria, such as destination IP addresses, destination ports, and request methods.
· Protected paths to website resources.
· Detection items and their thresholds.
· Action on matching packets.
The match order of CC defense rules is the rule configuration order. If a packet matches one CC defense rule, the device stops the matching process for the packet.
Examples
# Create CC defense rule test and enter the view of the CC defense rule.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] rule name test
[Sysname-cc-defense-policy-news-rule-test]
rule (WAF signature view)
Use rule to create a user-defined WAF signature rule and enter its view, or enter the view of an existing user-defined WAF signature rule.
Use undo rule to delete a user-defined WAF signature rule.
Syntax
rule rule-id pattern-type { integer | keyword }
undo rule { rule-id | all }
Default
No user-defined WAF signature rules exist.
Views
User-defined WAF signature view
Predefined user roles
network-admin
context-admin
Parameters
rule-id: Specifies the rule ID, in the range of 1 to 8.
pattern-type: Specifies the match pattern type for the rule.
keyword: Specifies the keyword type.
integer: Specifies the integer type.
all: Deletes all user-defined WAF signature rules.
Usage guidelines
You can configure multiple rules in a user-defined signature. To configure the logical operator between rules, use the rule-logic command.
You cannot execute this command multiple times to change the match pattern type. If you want to change the match pattern type, you must use the undo rule command first.
Examples
# In user-defined WAF signature mysignature, create rule 1 of the keyword match pattern type.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] rule 1 pattern-type keyword
[Sysname-waf-signature-mysignature-rule-1]
rule copy
Use rule copy to create a CC defense rule by copying an existing CC defense rule.
Syntax
rule copy rule-name new-rule-name
Views
CC defense policy view
Predefined user roles
network-admin
context-admin
Parameters
rule-name: Specifies an existing CC defense rule by its name, a case-insensitive string of 1 to 31 characters.
new-rule-name: Specifies the name of the new CC defense rule, a case-insensitive string of 1 to 31 characters.
Usage guidelines
The new rule has the same attributes and content as the source rule, but uses a different name from the source rule. You can then modify the new rule as needed.
Examples
# Create CC defense rule testtmp by copying CC defense rule test.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] rule copy test testtmp
rule move
Use rule move to rearrange CC defense rules to change their match order.
Syntax
rule move rule-name1 { after | before } rule-name2
Views
CC defense policy view
Predefined user roles
network-admin
context-admin
Parameters
rule-name1: Specifies the name of the rule to be moved. The name is a case-insensitive string of 1 to 31 characters.
after: Places the rule rule-name1 after the rule rule-name2 (called the reference rule).
before: Places the rule rule-name1 before the reference rule.
rule-name2: Specifies a reference rule. The name is a case-insensitive string of 1 to 31 characters.
Usage guidelines
By default, the CC defense rules are matched in the rule configuration order. You can use this command to change their match order.
Examples
# In CC defense policy news, place rule rule2 before rule rule1.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] rule move rule2 before rule1
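The following model, added here as an example (it is not part of the command reference or the device software), ties together the behaviour described under exception, method, protected-url, rule (CC defense policy view), rule copy and rule move: IP exceptions bypass CC detection, rules are tried in configuration order, the first matching rule is used, and protected paths limit which URLs a rule counts. The class and method names are assumptions, as is the path comparison (case-insensitive, the request path equals the protected path or lies under it, query string ignored); detection items, thresholds and the rule action are outside this example.

```python
# Added example (not from the command reference or the device software):
# a model of a CC defense policy showing the behaviour described under
# exception, method, protected-url, rule (CC defense policy view), rule copy
# and rule move. The protected-path comparison (case-insensitive, the request
# path equals the protected path or lies under it, query string ignored) is an
# assumption; thresholds and the rule action are outside this example.
import copy
import ipaddress
from urllib.parse import urlsplit


def _under(path, protected):
    """Request path equals the protected path or lies below it."""
    return path == protected or path.startswith(protected.rstrip("/") + "/")


class CcDefensePolicy:
    def __init__(self, name):
        self.name = name
        self.exceptions = set()   # exception ipv4/ipv6 ...
        self.rules = []           # configuration order == match order

    def exception(self, address):
        self.exceptions.add(ipaddress.ip_address(address))

    def rule(self, name, methods=(), protected_urls=(), destination=None):
        """rule name ...: create a rule or return the existing one."""
        if not 1 <= len(name) <= 31 or "-" in name:
            raise ValueError("rule name: 1 to 31 characters, no hyphens")
        existing = self._find(name)
        if existing:
            return existing
        for url in protected_urls:
            if not url.startswith("/") or len(url) > 255:
                raise ValueError("protected path must start with / (1 to 255 characters)")
        r = {"name": name, "methods": {m.lower() for m in methods},
             "protected_urls": [u.lower() for u in protected_urls],
             "destination": ipaddress.ip_address(destination) if destination else None}
        self.rules.append(r)
        return r

    def rule_copy(self, rule_name, new_rule_name):
        """Same content, new name; appended at the end of the match order."""
        new = copy.deepcopy(self._require(rule_name))
        new["name"] = new_rule_name
        self.rules.append(new)
        return new

    def rule_move(self, rule_name1, position, rule_name2):
        """Place rule_name1 before or after the reference rule rule_name2."""
        moving, reference = self._require(rule_name1), self._require(rule_name2)
        self.rules.remove(moving)
        index = self.rules.index(reference)
        self.rules.insert(index + 1 if position == "after" else index, moving)

    def match_order(self):
        return [r["name"] for r in self.rules]

    def evaluate(self, src, dst, method, url):
        """Name of the first rule that counts this request (or None) and the reason."""
        if ipaddress.ip_address(src) in self.exceptions:
            return None, "source is an IP exception"
        path = urlsplit(url).path.lower()
        for r in self.rules:
            if r["destination"] and ipaddress.ip_address(dst) != r["destination"]:
                continue
            if r["methods"] and method.lower() not in r["methods"]:
                continue
            if r["protected_urls"] and not any(_under(path, p) for p in r["protected_urls"]):
                continue
            return r["name"], "matched; later rules are not tried"
        return None, "no rule matched"

    def _find(self, name):
        return next((r for r in self.rules if r["name"].lower() == name.lower()), None)

    def _require(self, name):
        r = self._find(name)
        if r is None:
            raise KeyError("no CC defense rule named %s" % name)
        return r


def build_news_policy():
    """Constructed policy mirroring the examples in the reference."""
    policy = CcDefensePolicy("news")
    policy.exception("192.168.4.83")
    policy.rule("test", methods=["post"], protected_urls=["/portal/release/ir/default.jsp"])
    policy.rule("rule2", protected_urls=["/portal/"])
    return policy
```

Because a request stops at the first matching rule, a broad rule such as `rule2` placed before the narrower `test` would swallow the POST requests that `test` is meant to count; `rule_move` reproduces the effect of `rule move` on that order.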
rule-logic
Use rule-logic to define the logical operator between the rules in a user-defined WAF signature.
Use undo rule-logic to restore the default.
Syntax
rule-logic { and | or }
undo rule-logic
Default
The logical operator between the rules in a user-defined WAF signature is or.
Views
User-defined WAF signature view
Predefined user roles
network-admin
context-admin
Parameters
and: Specifies the logical AND operator.
or: Specifies the logical OR operator.
Usage guidelines
In a user-defined signature, if the logical operator is AND between rules, a packet matches the signature only when the packet matches all rules in the signature. If the logical operator is OR between rules, a packet matches the signature when the packet matches any rule in the signature.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In user-defined WAF signature mysignature, specify the logical AND operator between the rules.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] rule-logic and
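The AND/OR semantics above, together with the per-rule fields shown by display waf signature user-defined (HTTP method and address filters, the trigger entry with offset and depth, and detection entries with include/exclude and text/hex/regex content), as an added example that is not part of the command reference or the device software. Rule 1 mirrors the display output in the reference; rule 2, the request layout and the matching details (the trigger value must appear inside the offset/depth window, every detection entry must hold) are assumptions.

```python
# Added example (not from the command reference or the device software):
# evaluate a user-defined WAF signature, as shown by 'display waf signature
# user-defined', against an HTTP request. The rule-logic, trigger entry and
# detection entry semantics are assumptions drawn from the field descriptions.
import ipaddress
import re


def _field_bytes(request, field):
    """Bytes of the protocol field to inspect (Http_Uri, http_cookie, ...), case-insensitive."""
    for name, value in request["fields"].items():
        if name.lower() == field.lower():
            return value.encode() if isinstance(value, str) else value
    return b""


def _content_hits(data, content_type, content):
    """Apply one detection pattern of type text, hex or regex to a byte string."""
    if content_type == "text":
        return content.encode() in data
    if content_type == "hex":
        return bytes.fromhex(content) in data
    if content_type == "regex":
        return re.search(content.encode(), data) is not None
    raise ValueError("unknown content type: %s" % content_type)


def _port_in_range(port, port_range):
    """Port ranges are written as in the display output, e.g. '1-35560'."""
    low, high = (int(x) for x in port_range.split("-"))
    return low <= port <= high


def rule_matches(rule, request):
    """Filters (method, addresses, ports), then the trigger entry, then every detection entry."""
    if rule.get("http_method") and rule["http_method"].lower() != request["method"].lower():
        return False
    for key in ("source_address", "destination_address"):
        if rule.get(key) and ipaddress.ip_address(rule[key]) != ipaddress.ip_address(request[key]):
            return False
    for key in ("source_port", "destination_port"):
        if rule.get(key) and not _port_in_range(request[key], rule[key]):
            return False
    trig = rule["trigger"]
    # Offset: inspection starts after this many bytes; Depth: bytes inspected from there.
    window = _field_bytes(request, trig["field"])[trig["offset"]:trig["offset"] + trig["depth"]]
    if trig["value"].encode() not in window:
        return False
    for entry in rule["detections"]:
        hit = _content_hits(_field_bytes(request, entry["field"]),
                            entry["content_type"], entry["content"])
        if (entry["match_type"] == "include") != hit:   # include needs a hit, exclude needs none
            return False
    return True


def signature_matches(signature, request):
    """rule-logic and: all rules must match; rule-logic or (the default): any rule."""
    results = [rule_matches(r, request) for r in signature["rules"]]
    return all(results) if signature["rule_logic"] == "and" else any(results)


# Constructed signature: rule 1 mirrors the display output in the reference;
# rule 2 is invented for the example (the reference output is cut off there).
MYSIGNATURE = {
    "name": "mysignature", "rule_logic": "or",
    "rules": [
        {"id": 1, "http_method": "get",
         "source_address": "10.1.1.1", "source_port": "1-35560",
         "destination_address": "20.1.1.1", "destination_port": "1-35560",
         "trigger": {"field": "Http_Uri", "value": "abcksdhosihendsid", "offset": 20, "depth": 1000},
         "detections": [{"field": "http_cookie", "match_type": "include",
                         "content_type": "text", "content": "sduhskdjs"}]},
        {"id": 2,
         "trigger": {"field": "Http_Uri", "value": "/login", "offset": 0, "depth": 64},
         "detections": [{"field": "http_uri", "match_type": "include",
                         "content_type": "hex", "content": "2e2e2f"}]},   # the bytes of "../"
    ],
}


def sample_request(method, uri, cookie="sid=sduhskdjs", src="10.1.1.1", dst="20.1.1.1"):
    """Constructed request in the shape the matcher expects."""
    return {"method": method, "source_address": src, "destination_address": dst,
            "source_port": 30000, "destination_port": 80,
            "fields": {"Http_Uri": uri, "http_cookie": cookie}}
```

The offset matters: with offset 20, a trigger value that begins at byte 19 of the URI is outside the inspected window and rule 1 does not fire, which is the kind of near miss to check when a user-defined signature produces no hits.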
semantic-analysis enable
Use semantic-analysis enable to enable semantic analysis.
Use undo semantic-analysis enable to disable semantic analysis.
Syntax
semantic-analysis enable
undo semantic-analysis enable
Default
Semantic analysis is disabled.
Views
WAF policy view
Predefined user roles
network-admin
context-admin
Usage guidelines
Semantic analysis analyzes the semantics of SQL statements to detect SQL injection attacks.
If semantic analysis is enabled, the device uses both semantic analysis and signature matching to improve the detection rate of SQL injection attacks. You can enable semantic analysis as needed because this feature might affect the device performance.
If a packet is identified as an attack packet by semantic analysis, the device performs the WAF actions specified by the signature override all command on the packet. If no WAF actions are specified for the WAF policy, the device permits the packet to pass through and sends a WAF log for the packet to the fast log output server.
Examples
# Enable semantic analysis in WAF policy test.
<Sysname> system-view
[Sysname] waf policy test
[Sysname-waf-policy-test] semantic-analysis enable
Related commands
signature override all
severity-level (WAF policy view)
Use severity-level to set a severity level criterion to filter the WAF signatures in a WAF policy.
Use undo severity-level to restore the default.
Syntax
severity-level { critical | high | low | medium } *
undo severity-level
Default
The severity level attribute is not used for WAF signature filtering.
Views
WAF policy view
Predefined user roles
network-admin
context-admin
Parameters
critical: Specifies the critical severity level.
high: Specifies the high severity level.
low: Specifies the low severity level.
medium: Specifies the medium severity level.
Usage guidelines
Each WAF signature has a severity level attribute, which indicates the severity level of the attacks matching the signature.
This command filters the WAF signatures that a WAF policy uses based on the severity level attribute of the signatures.
You can specify multiple severity levels in a severity level criterion. The WAF policy uses a WAF signature if the signature matches any of the specified severity levels.
If you execute this command in a WAF policy multiple times, the most recent configuration takes effect.
Examples
# Configure WAF policy test-policy to use WAF signatures with the critical and medium severity levels.
<Sysname> system-view
[Sysname] waf policy test-policy
[Sysname-waf-policy-test-policy] severity-level critical medium
Related commands
waf policy
severity-level (WAF signature view)
Use severity-level to set a severity level attribute for a user-defined WAF signature.
Use undo severity-level to restore the default.
Syntax
severity-level { critical | high | low | medium } *
undo severity-level
Default
The severity level of a user-defined WAF signature is low.
Views
User-defined WAF signature view
Predefined user roles
network-admin
context-admin
Parameters
critical: Specifies the critical severity level.
high: Specifies the high severity level.
low: Specifies the low severity level.
medium: Specifies the medium severity level.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the severity level to low for user-defined WAF signature mysignature.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] severity-level low
signature override
Use signature override to change the status and actions for a predefined WAF signature in a WAF policy.
Use undo signature override to restore the default status and actions for a predefined WAF signature in a WAF policy.
Syntax
signature override pre-defined signature-id { disable | enable } [ { block-source | drop | permit | redirect | reset } | capture | logging ] *
undo signature override pre-defined signature-id
Default
Predefined WAF signatures use the actions and statuses defined by the system.
Views
WAF policy view
Predefined user roles
network-admin
context-admin
Parameters
signature-id: Specifies a WAF signature ID in the range of 1 to 536870911.
disable: Disables the WAF signature.
enable: Enables the WAF signature.
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits matching packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Closes the TCP connections for matching packets by sending TCP reset messages.
capture: Captures matching packets.
logging: Logs matching packets.
Usage guidelines
This command is available only for user-defined WAF policies. The signature actions and status in the default WAF policy cannot be modified.
If you execute this command for a signature in a WAF policy multiple times, the most recent configuration takes effect.
Examples
# Enable predefined signature 2 for WAF policy test-policy. Specify the drop, capture, and logging actions for the signature.
<Sysname> system-view
[Sysname] waf policy test-policy
[Sysname-waf-policy-test-policy] signature override pre-defined 2 enable drop capture logging
Related commands
blacklist enable (security zone view) (Security Command Reference)
signature override all
signature override all
Use signature override all to specify the WAF actions for a WAF policy.
Use undo signature override all to restore the default.
Syntax
signature override all { { block-source | drop | permit | redirect | reset } | capture | logging } *
undo signature override all
Default
No actions are specified for a WAF policy.
Views
WAF policy view
Predefined user roles
network-admin
context-admin
Parameters
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits matching packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Closes the TCP connections for matching packets by sending TCP reset messages.
capture: Captures matching packets.
logging: Logs matching packets.
Usage guidelines
If an attack packet is detected, the device determines the action for the packet as follows:
· If the device uses only WAF signatures to detect attack packets, the system selects the actions for an attack packet in the following order:
a. Actions configured for the WAF signature in the WAF policy (by using the signature override command).
b. Actions configured for the WAF policy.
c. Default actions of the WAF signature.
· If the device uses only semantic analysis for SQL injection attacks to detect attack packets, the system selects the actions for an attack packet as follows:
◦ If WAF actions are specified for the WAF policy, the device takes the specified WAF actions.
◦ If no WAF action is specified for the WAF policy, the device permits the packet to pass through and sends a WAF log for the packet to the fast log output server.
· If an attack packet is identified by both signature matching and semantic analysis, the device takes the higher-severity action of the two methods. If logging is enabled for either method, the device will send a log for the packet.
Examples
# Specify actions drop, logging, and capture for WAF policy test-policy.
<Sysname> system-view
[Sysname] waf policy test-policy
[Sysname-waf-policy-test-policy] signature override all drop logging capture
Related commands
blacklist enable (security zone view) (Security Command Reference)
signature override
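The action selection order described in the usage guidelines above, as an added example that is not part of the command reference or the device software: per-signature override in the policy, then the policy-wide actions, then the signature's own defaults; the semantic-analysis branch; and the "higher-severity action" rule when both methods flag a packet. The severity ranking of the blocking actions (block-source above reset above drop above redirect above permit), the treatment of an override that sets only the status, and the data layout are assumptions.

```python
# Added example (not from the command reference or the device software):
# pick the action set for a detected attack packet using the selection order
# given under 'signature override all'. The ranking used to choose the
# "higher-severity" blocking action, and the data layout, are assumptions.
BLOCKING_RANK = {"permit": 0, "redirect": 1, "drop": 2, "reset": 3, "block-source": 4}
AUXILIARY = {"capture", "logging"}          # may accompany any blocking action


def _normalise(actions):
    """One blocking action (permit if none given) plus any auxiliary actions."""
    actions = set(actions)
    blocking = [a for a in actions if a in BLOCKING_RANK]
    if len(blocking) > 1:
        raise ValueError("only one of %s may be set" % sorted(BLOCKING_RANK))
    return {blocking[0] if blocking else "permit"} | (actions & AUXILIARY)


def signature_actions(policy, signature):
    """Order a, b, c from the reference: per-signature override in the policy,
    then the policy-wide 'signature override all' actions, then the
    signature's own default actions. Returns None if the override disables
    the signature (it then cannot match at all). An override that only sets
    the status falls through to the next step (assumption)."""
    override = policy["overrides"].get(signature["id"])
    if override is not None:
        if not override["enable"]:
            return None
        if override["actions"]:
            return _normalise(override["actions"])
    if policy["actions"]:
        return _normalise(policy["actions"])
    return _normalise(signature["default_actions"])


def semantic_actions(policy):
    """Semantic-analysis hit: policy actions if set, else permit and log."""
    return _normalise(policy["actions"]) if policy["actions"] else {"permit", "logging"}


def decide(policy, signature=None, semantic_hit=False):
    """Final action set for one packet (frozenset of CLI action keywords)."""
    candidates = []
    if signature is not None:
        acts = signature_actions(policy, signature)
        if acts is not None:
            candidates.append(acts)
    if semantic_hit:
        candidates.append(semantic_actions(policy))
    if not candidates:
        return frozenset({"permit"})
    # Both methods flagged the packet: take the higher-severity blocking
    # action; logging (or capture) from either method is kept.
    blocking = max((next(a for a in c if a in BLOCKING_RANK) for c in candidates),
                   key=BLOCKING_RANK.__getitem__)
    auxiliary = set().union(*(c & AUXILIARY for c in candidates))
    return frozenset({blocking} | auxiliary)


# Constructed policy and signatures following the examples in the reference.
TEST_POLICY = {
    "name": "test-policy",
    "actions": [],                                         # no 'signature override all'
    "overrides": {2: {"enable": True, "actions": ["drop", "capture", "logging"]}},
}
SIG_2 = {"id": 2, "default_actions": ["permit", "logging"]}
SIG_3295 = {"id": 3295, "default_actions": ["permit", "logging"]}   # as displayed earlier
```

Running `decide` over a policy before deployment shows which signatures would still only permit and log (step c) once the override list and policy-wide actions are taken into account.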
signature-id
Use signature-id to add a WAF signature ID to a WAF whitelist entry.
Use undo signature-id to restore the default.
Syntax
signature-id [ serial-number ] sig-id
undo signature-id [ serial-number ]
Default
No signature ID exists in a WAF whitelist entry.
Views
WAF whitelist entry view
Predefined user roles
network-admin
context-admin
Parameters
serial-number: Specifies the serial number of a WAF whitelist entry, in the range of 1 to 10. If you do not specify this argument, the system automatically assigns the smallest number larger than the existing maximum number to the WAF whitelist entry, starting from 1 and incrementing by 1.
sig-id: Specifies a WAF signature ID, in the range of 1 to 4294967294. ID 4294967294 is used to identify all the attacks detected by semantic analysis.
Usage guidelines
If false alarms exist in WAF logs, use this command to add a WAF signature ID to a WAF whitelist entry. The WAF signature ID is recorded in the WAF log. The device permits packets matching the WAF signatures on the WAF whitelist to pass through, reducing false alarms.
If a signature ID, URL, and source IP address exist in the WAF whitelist entry, a packet matches the WAF whitelist entry only when the signature ID, URL, and source IP address are all matched.
To add WAF attack information detected by semantic analysis to a WAF whitelist entry, perform the following steps:
1. Add the source IP address or URL to the whitelist entry.
2. Add ID 4294967295 as a signature ID.
To delete all signature IDs, do not specify any parameters when you execute the undo signature-id command.
Examples
# Add WAF signature 936 to WAF whitelist entry 1.
<Sysname> system-view
[Sysname] waf whitelist 1
[Sysname-waf-whitelist-1] signature-id 936
Related commands
source-address (WAF whitelist entry view)
url
source-address
Use source-address to specify a source address filtering criterion in a user-defined WAF signature rule.
Use undo source-address to restore the default.
Syntax
source-address ip ip-address
undo source-address
Default
No source IP address exists.
Views
User-defined WAF signature rule view
Predefined user roles
network-admin
context-admin
Parameters
ip-address: Specifies an IPv4 address. It is used to match the packet source IPv4 address.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In user-defined WAF signature mysignature, create rule 1. Specify the keyword type as the match pattern type and specify source IP address 10.1.1.1 as a filtering criterion.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] rule 1 pattern-type keyword
[Sysname-waf-signature-mysignature-rule-1] source-address ip 10.1.1.1
source-address (WAF whitelist entry view)
Use source-address to add a source IP address to a WAF whitelist entry.
Use undo source-address to restore the default.
Syntax
source-address { ip ipv4-address | ipv6 ipv6-address }
undo source-address
Default
No source IP address exists in a WAF whitelist entry.
Views
WAF whitelist entry view
Predefined user roles
network-admin
context-admin
Parameters
ip ipv4-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
Usage guidelines
If false alarms exist in WAF logs, use this command to add a source IP address to a WAF whitelist entry. The source IP address is recorded in the WAF log. The device permits packets matching the source IP addresses on the WAF whitelist to pass through, reducing false alarms.
If a WAF whitelist entry contains a signature ID, URL, and source IP address, or two of them, a packet matches this entry only when it matches all configured criteria.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Add source IP address 192.168.0.1 to WAF whitelist entry 1.
<Sysname> system-view
[Sysname] waf whitelist 1
[Sysname-waf-whitelist-1] source-address ip 192.168.0.1
Related commands
signature-id
url
source-port
Use source-port to specify a source port filtering criterion in a user-defined signature rule.
Use undo source-port to restore the default.
Syntax
source-port start-port [ to end-port ]
undo source-port
Default
No source ports are specified as the filtering criteria in a user-defined signature rule.
Views
User-defined WAF signature rule view
Predefined user roles
network-admin
context-admin
Parameters
start-port: Specifies the start port number of a source port range, in the range of 1 to 65535.
to end-port: Specifies the end port number of a source port range, in the range of 1 to 65535. If you do not specify this option, only the start port number is specified.
Usage guidelines
The port numbers are used to match the source port numbers of the TCP protocol.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In user-defined WAF signature mysignature, create rule1. Specify the keyword type as the match pattern type and specify the source port range as 1 to 3550.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] rule 1 pattern-type keyword
[Sysname-waf-signature-mysignature-rule-1] source-port 1 to 3550
trigger
Use trigger to create a detection trigger condition in a user-defined WAF signature rule.
Use undo trigger to restore the default.
Syntax
trigger field field-name include { hex hex-string | text text-string } [ offset offset-value ] [ depth depth-value ]
undo trigger
Default
No detection trigger condition exists.
Views
User-defined WAF signature rule view
Predefined user roles
network-admin
context-admin
Parameters
field-name: Specifies a protocol field by its name, in a case-insensitive string. To view the names of supported protocol fields, enter a question mark (?) after the field keyword.
include: Matches contents that include the specified string.
hex hex-string: Specifies a case-sensitive hexadecimal string of 8 to 254 characters. Valid characters are the digits 0 to 9 and the letters A to F and a to f. The string must contain an even number of characters and must be enclosed in two vertical bars (|), for example |1234f5b6|.
text text-string: Specifies a case-insensitive text string of 3 to 255 characters.
offset offset-value: Specifies an offset in bytes after which the match operation starts, in the range of 1 to 65535. The offset starts from the beginning of the protocol field. If you do not specify this option, the match operation starts from the beginning of the protocol field.
depth depth-value: Specifies the number of bytes to match, in the range of 3 to 65535. If you do not specify this option, the detection trigger condition detects the whole protocol field.
Usage guidelines
This command is available only for a user-defined signature rule of the keyword match pattern type.
The device compares a packet with the detection items in a rule only after the packet matches the detection trigger condition of that rule. If a packet does not match the detection trigger condition, the packet does not match the rule, and the detection items are not compared.
In a signature rule of the keyword match pattern type, a detection trigger condition must be configured before detection item configuration.
If you delete the detection trigger condition, all detection items in the rule will also be deleted.
If you execute this command multiple times, the most recent configuration takes effect.
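An added Python illustration (not the device's code) of how a keyword-type trigger condition is evaluated: the hex or text string is validated against the limits listed above, the protocol field is searched from offset for at most depth bytes, and detection items are consulted only after the trigger matches. The Trigger structure and the byte-level field input are assumptions; extracting the field from a real request is out of scope.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

HEX_FORM = re.compile(r"^\|([0-9A-Fa-f]+)\|$")  # |1234f5b6| style


@dataclass(frozen=True)
class Trigger:
    kind: str                    # "hex" or "text"
    value: str
    offset: int = 0              # 0: start at the beginning of the field
    depth: Optional[int] = None  # None: scan to the end of the field


def compile_trigger(t: Trigger) -> Tuple[bytes, bool]:
    """Validate the trigger string per the limits above and return the byte
    pattern plus whether the comparison is case-sensitive."""
    if t.kind == "hex":
        m = HEX_FORM.match(t.value)
        digits = m.group(1) if m else ""
        # Assumed: the 8-254 character limit counts the hex digits, not the bars.
        if not m or not 8 <= len(digits) <= 254 or len(digits) % 2:
            raise ValueError("hex string must be |..|-delimited, even, 8-254 digits")
        return bytes.fromhex(digits), True
    if t.kind == "text":
        if not 3 <= len(t.value) <= 255:
            raise ValueError("text string must be 3 to 255 characters")
        return t.value.lower().encode(), False  # text matches case-insensitively
    raise ValueError("kind must be 'hex' or 'text'")


def trigger_matches(t: Trigger, field_value: bytes) -> bool:
    """Search field_value[offset : offset + depth] for the trigger pattern."""
    pattern, case_sensitive = compile_trigger(t)
    end = None if t.depth is None else t.offset + t.depth
    window = field_value[t.offset:end]
    if not case_sensitive:
        window = window.lower()
    return pattern in window


def rule_matches(t: Trigger, items: List[Callable[[bytes], bool]],
                 field_value: bytes) -> bool:
    """Two-stage check: detection items are compared only after the trigger
    condition matches; otherwise the rule does not match at all."""
    if not trigger_matches(t, field_value):
        return False
    return all(item(field_value) for item in items)


# Constructed sample http-uri field value for experimentation.
SAMPLE_URI = b"/index.php?id=1&q=ABCdef"
```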
Examples
# In user-defined WAF signature mysignature, create rule 1 of the keyword match pattern type. Create a detection trigger condition in the rule to match packets whose http-uri field includes abc. Specify the offset and depth as 10 bytes and 50 bytes, respectively.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature] rule 1 pattern-type keyword
[Sysname-waf-signature-mysignature-rule-1] trigger field http-uri include text abc offset 10 depth 50
update schedule
Use update schedule to schedule the time for automatic WAF signature library update.
Use undo update schedule to restore the default.
Syntax
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
undo update schedule
Default
The device starts updating the WAF signature library at a random time between 01:00:00 and 03:00:00 every day.
Views
Automatic WAF signature library update configuration view
Predefined user roles
network-admin
context-admin
Parameters
daily: Updates the WAF signature library every day.
weekly: Updates the WAF signature library every week.
fri: Updates the WAF signature library every Friday.
mon: Updates the WAF signature library every Monday.
sat: Updates the WAF signature library every Saturday.
sun: Updates the WAF signature library every Sunday.
thu: Updates the WAF signature library every Thursday.
tue: Updates the WAF signature library every Tuesday.
wed: Updates the WAF signature library every Wednesday.
start-time time: Specifies the start time in the hh:mm:ss format. The value range is 00:00:00 to 23:59:59.
tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a random time between the following time points:
· Start time minus half the tolerance time.
· Start time plus half the tolerance time.
Examples
# Configure the device to automatically update the WAF signature library every Monday at a random time between 20:25:00 and 20:35:00.
<Sysname> system-view
[Sysname] waf signature auto-update
[Sysname-waf-sig-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10
Related commands
waf signature auto-update
waf signature auto-update-now
url
Use url to add a URL to a WAF whitelist entry.
Use undo url to restore the default.
Syntax
url match-type { accurate | substring } url-text
undo url
Default
No URL exists in a WAF whitelist entry.
Views
WAF whitelist entry view
Predefined user roles
network-admin
context-admin
Parameters
match-type: Specifies the match type.
accurate: Specifies the exact match. A match is found if the URL in the packet is exactly the same as the configured URL.
substring: Specifies the substring match. A match is found if the URL in the packet contains the configured URL.
url-text: Specifies a URL, a case-insensitive string of 3 to 460 characters.
Usage guidelines
If false alarms exist in WAF logs, use this command to add a URL to a WAF whitelist entry. The URL is recorded in the WAF log. The device permits packets matching the URLs on the WAF whitelist to pass through, reducing false alarms.
If a WAF whitelist entry contains a signature ID, URL, and source IP address, or two of them, a packet matches this entry only when it matches all configured criteria.
If you execute this command multiple times, the most recent configuration takes effect.
After using url, execute the waf whitelist activate command to have the WAF whitelist entry configuration take effect.
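An added Python illustration (not the device's code) of the whitelist matching rule shared by the signature-id, source-address, url and waf whitelist commands: an entry is consulted only when the feature is enabled, and a logged event is permitted only when every criterion the entry carries matches. The WafEvent and WhitelistEntry structures and the sample entries are constructed assumptions; the semantic-analysis ID is the one given in the signature-id parameter description.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, Optional, Tuple

# The page gives this ID to every attack found by semantic analysis.
SEMANTIC_ANALYSIS_ID = 4294967294


@dataclass(frozen=True)
class WhitelistEntry:
    entry_id: int
    signature_ids: Tuple[int, ...] = ()   # up to 10 per entry
    source_address: Optional[str] = None  # IPv4 or IPv6
    url: Optional[str] = None
    url_match: str = "accurate"           # "accurate" or "substring"

    def matches(self, sig_id: int, src: str, url: str) -> bool:
        """True only when every configured criterion matches."""
        configured = False
        if self.signature_ids:
            configured = True
            if sig_id not in self.signature_ids:
                return False
        if self.source_address is not None:
            configured = True
            if ip_address(src) != ip_address(self.source_address):
                return False
        if self.url is not None:
            configured = True
            got, want = url.lower(), self.url.lower()  # URLs are case-insensitive
            if not (got == want if self.url_match == "accurate" else want in got):
                return False
        return configured  # assumption: an entry with no criteria permits nothing


@dataclass(frozen=True)
class WafEvent:
    """Fields of a WAF log entry that the whitelist is checked against."""
    sig_id: int
    src: str
    url: str
    semantic: bool = False  # detected by semantic analysis, not a signature


def whitelisted_by(entries: Iterable[WhitelistEntry], event: WafEvent,
                   whitelist_enabled: bool = True) -> Optional[int]:
    """Return the ID of the first entry that permits the event, else None."""
    if not whitelist_enabled:
        return None
    sig_id = SEMANTIC_ANALYSIS_ID if event.semantic else event.sig_id
    for entry in entries:
        if entry.matches(sig_id, event.src, event.url):
            return entry.entry_id
    return None


# Constructed sample entries: entry 3 follows the page's two-step recipe for
# whitelisting semantic-analysis hits (source address plus the special ID).
SAMPLE_ENTRIES = (
    WhitelistEntry(1, signature_ids=(936,), source_address="192.168.0.1",
                   url="example.com"),
    WhitelistEntry(2, url="/static/", url_match="substring"),
    WhitelistEntry(3, signature_ids=(SEMANTIC_ANALYSIS_ID,),
                   source_address="10.1.1.1"),
    WhitelistEntry(4),
)
```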
Examples
# Add URL example.com to WAF whitelist entry 1, and specify the exact match type as the match type.
<Sysname> system-view
[Sysname] waf whitelist 1
[Sysname-waf-whitelist-1] url match-type accurate example.com
Related commands
signature-id
source-address (WAF whitelist entry view)
waf whitelist activate
waf apply policy
Use waf apply policy to apply a WAF policy to a DPI application profile.
Use undo waf apply policy to remove the application.
Syntax
waf apply policy policy-name mode { alert | protect }
undo waf apply policy
Default
No WAF policy is applied to a DPI application profile.
Views
DPI application profile view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies a WAF policy by its name, a case-insensitive string of 1 to 63 characters.
mode: Specifies a WAF policy mode.
alert: Only captures or logs matching packets.
protect: Takes all actions specified for signatures to process matching packets.
Usage guidelines
A WAF policy takes effect only after it is applied to a DPI application profile.
You can apply only one WAF policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply WAF policy waf1 to DPI application profile sec. Set the WAF policy mode to protect.
<Sysname> system-view
[Sysname] app-profile sec
[Sysname-app-profile-sec] waf apply policy waf1 mode protect
Related commands
app-profile
waf policy
waf parameter-profile
Use waf { block-source | capture | email | logging | redirect } parameter-profile to specify a parameter profile for a WAF action.
Use undo waf { block-source | capture | email | logging | redirect } parameter-profile to remove the parameter profile from a WAF action.
Syntax
waf { block-source | capture | email | logging | redirect } parameter-profile parameter-name
undo waf { block-source | capture | email | logging | redirect } parameter-profile
Default
No parameter profile is specified for a WAF action.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
block-source: Specifies a parameter profile for the block-source action.
capture: Specifies a parameter profile for the capture action.
email: Specifies a parameter profile for the email action.
logging: Specifies a parameter profile for the logging action.
redirect: Specifies a parameter profile for the redirect action.
parameter-profile parameter-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Use this command to specify the parameter profile for a WAF action. A parameter profile is a set of parameters that determine how the action is executed. If you do not specify a parameter profile for an action, or if the specified profile does not exist, the default action parameter settings are used.
For information about configuring parameter profiles, see DPI Configuration Guide.
Examples
# Create parameter profile waf1. Set the source IP address blocking period to 1111 seconds.
<Sysname> system-view
[Sysname] inspect block-source parameter-profile waf1
[Sysname-inspect-block-source-waf1] block-period 1111
[Sysname-inspect-block-source-waf1] quit
# Specify the parameter profile waf1 for the block-source action.
[Sysname] waf block-source parameter-profile waf1
Related commands
inspect block-source parameter-profile
inspect capture parameter-profile
inspect email parameter-profile
inspect logging parameter-profile
inspect redirect parameter-profile
waf policy
Use waf policy to create a WAF policy and enter its view, or enter the view of an existing WAF policy.
Use undo waf policy to delete a WAF policy.
Syntax
waf policy policy-name
undo waf policy policy-name
Default
A WAF policy named default exists.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies the WAF policy name, a case-insensitive string of 1 to 63 characters. The name cannot be default or contain string protected-website.
Usage guidelines
You can configure signature filtering criteria, the actions for a signature, and the protected website, and associate a CC defense policy in a WAF policy.
A WAF policy takes effect only after it is applied to a DPI application profile. For more information about a DPI application profile, see DPI Configuration Guide.
You cannot delete WAF policy default.
Examples
# Create WAF policy test-policy and enter its view.
<Sysname> system-view
[Sysname] waf policy test-policy
[Sysname-waf-policy-test-policy]
Related commands
app-profile
display waf policy
waf signature
Use waf signature to create a user-defined WAF signature and enter its view, or enter the view of an existing user-defined WAF signature.
Use undo waf signature to delete user-defined WAF signatures.
Syntax
waf signature user-defined name signature-name
undo waf signature user-defined { all | name signature-name }
Default
No user-defined WAF signatures exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
signature-name: Specifies the WAF signature name, a case-insensitive string of 1 to 63 characters.
all: Deletes all user-defined WAF signatures.
Usage guidelines
Repeat this command to create multiple user-defined WAF signatures.
When you delete a user-defined signature, all configurations for the signature will also be deleted.
Examples
# Create user-defined WAF signature mysignature and enter its view.
<Sysname> system-view
[Sysname] waf signature user-defined name mysignature
[Sysname-waf-signature-mysignature]
Related commands
display waf signature user-defined
waf signature auto-update
Use waf signature auto-update to enable automatic WAF signature library update and enter automatic WAF signature library update configuration view.
Use undo waf signature auto-update to disable automatic WAF signature library update.
Syntax
waf signature auto-update
undo waf signature auto-update
Default
Automatic WAF signature library update is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
After you enable automatic WAF signature library update, the device periodically accesses the official website to download the latest WAF signatures.
Examples
# Enable automatic WAF signature library update and enter automatic WAF signature library update configuration view.
<Sysname> system-view
[Sysname] waf signature auto-update
[Sysname-waf-sig-autoupdate]
Related commands
update schedule
waf signature auto-update-now
Use waf signature auto-update-now to trigger an automatic signature library update manually.
Syntax
waf signature auto-update-now
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
After you execute this command, the device immediately starts the automatic signature library update process regardless of whether automatic signature library update is enabled. The device automatically backs up the current signature library before overwriting it.
You can execute this command anytime you find a new version of signature library on the official website.
Examples
# Trigger an automatic signature library update manually.
<Sysname> system-view
[Sysname] waf signature auto-update-now
waf signature rollback
Use waf signature rollback to roll back the WAF signature library.
Syntax
waf signature rollback { factory | last }
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
factory: Rolls back the WAF signature library to the factory default version.
last: Rolls back the WAF signature library to the previous version.
Usage guidelines
If a WAF signature library update causes exceptions or a high false alarm rate, you can roll back the WAF signature library.
Before performing a WAF signature library rollback, the device backs up the current WAF signature library as the previous version. For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.
Examples
# Roll back the WAF signature library to the previous version.
<Sysname> system-view
[Sysname] waf signature rollback last
Related commands
override-current
waf signature update
Use waf signature update to manually update the WAF signature library.
Syntax
waf signature update [ override-current ] file-path [ vpn-instance vpn-instance-name ] [ source { ip | ipv6 } { ip-address | interface interface-type interface-number } ]
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
override-current: Overwrites the current WAF signature library without backing up the library. For the device to back up the current WAF signature library before overwriting the library, do not specify this keyword.
file-path: Specifies the WAF signature file path, a string of 1 to 255 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the FTP or TFTP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server belongs to the public network, do not specify this option.
source: Specifies the source IP address of the request packets sent to the TFTP or FTP server for the manual signature library update. If you do not specify a source IP address, the system uses the IP address of the outgoing routed interface as the source IP address.
ip ip-address: Specifies a source IPv4 address.
ipv6 ip-address: Specifies a source IPv6 address.
interface interface-type interface-number: Specifies an interface by its type and number. The primary IPv4 address or the lowest IPv6 address of the specified interface is used as the source IP address.
Usage guidelines
If the device cannot access the official website, use one of the following methods to manually update the WAF signature library:
· Local update—Updates the WAF signature library by using a locally stored update WAF signature file.
(In standalone mode.) Store the update file on the active MPU for successful signature library update.
(In IRF mode.) Store the update file on the global active MPU for successful signature library update.
The following describes the format of the file-path argument for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored in the current working directory. | filename | To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference. |
The update file is stored in a different directory on the same storage medium. | filename | Before configuring the waf signature update command, use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
The update file is stored on a different storage medium. | path/filename | Before configuring the waf signature update command, use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
· FTP/TFTP update—Updates the WAF signature library by using the file stored on an FTP or TFTP server.
The following describes the format of the file-path argument for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored on an FTP server. | ftp://username:password@server address/filename | The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: colon (:) with %3A or %3a; at sign (@) with %40; forward slash (/) with %2F or %2f. |
The update file is stored on a TFTP server. | tftp://server address/filename | The server address parameter represents the IP address or host name of the TFTP server. |
NOTE: To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide.
To execute the waf signature update command, you also need to follow these restrictions and guidelines:
· To use a specific source IP address for request packets sent to the TFTP or FTP server for manual signature library update, specify the source keyword. For example, if packets from the device must be translated by NAT before they reach the TFTP or FTP server, you must specify a source IP address that complies with the NAT rules. If NAT translation is performed by an independent NAT device, make sure the IP address specified by this command can reach the NAT device at Layer 3.
· If you specify both source and vpn-instance keywords, make sure the VPN instance to which the specified source IP or interface belongs is the same as that specified by the vpn-instance keyword.
Examples
# Manually update the WAF signature library by using a WAF signature file stored on a TFTP server.
<Sysname> system-view
[Sysname] waf signature update tftp://192.168.0.10/waf-1.0.2-en.dat
# Manually update the WAF signature library by using a WAF signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.
<Sysname> system-view
[Sysname] waf signature update ftp://user%3A123:user%40abc%2F123@server-address/waf-1.0.2-en.dat
# Manually update the WAF signature library by using a WAF signature file stored on the device. The file path is cfa0:/waf-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> system-view
[Sysname] waf signature update waf-1.0.23-en.dat
# Manually update the WAF signature library by using a WAF signature file stored on the device. The file path is cfa0:/dpi/waf-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd dpi
<Sysname> system-view
[Sysname] waf signature update waf-1.0.23-en.dat
# Manually update the WAF signature library by using a WAF signature file stored on the device. The file path is cfb0:/dpi/waf-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd cfb0:/
<Sysname> system-view
[Sysname] waf signature update dpi/waf-1.0.23-en.dat
waf whitelist
Use waf whitelist to create a WAF whitelist entry and enter its view, or enter the view of an existing WAF whitelist entry.
Use undo waf whitelist to delete a WAF whitelist entry.
Syntax
waf whitelist entry-id
undo waf whitelist entry-id
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
entry-id: Specifies the WAF whitelist entry ID, in the range of 1 to 2048.
Usage guidelines
If false alarms exist in WAF logs, you can enable the WAF whitelist feature, and add the detected WAF signature IDs or URLs to the WAF whitelist. The device permits packets matching the WAF signatures, source IP addresses, or URLs on the WAF whitelist to pass through, reducing false alarms.
Examples
# Create WAF whitelist entry 1 and enter its view.
<Sysname> system-view
[Sysname] waf whitelist 1
[Sysname-waf-whitelist-1]
waf whitelist activate
Use waf whitelist activate to activate the WAF whitelist configuration.
Syntax
waf whitelist activate
Default
The creation, editing, or deletion of a WAF whitelist entry does not take effect immediately if the entry contains a URL.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
By default, when you create, edit, or delete a WAF whitelist entry that contains a URL, the system automatically activates the configuration 10 seconds later to have the configuration take effect. To have the configuration take effect immediately, execute the waf whitelist activate command.
Examples
# Activate the WAF whitelist configuration.
<Sysname> system-view
[Sysname] waf whitelist activate
Related commands
url
waf whitelist enable
Use waf whitelist enable to enable the WAF whitelist feature.
Use undo waf whitelist enable to disable the WAF whitelist feature.
Syntax
waf whitelist enable
undo waf whitelist enable
Default
The WAF whitelist feature is enabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
If false alarms exist in WAF logs, you can enable the WAF whitelist feature, and add the detected WAF signature IDs, source IP addresses, or URLs to the WAF whitelist. The device permits packets matching the WAF signatures, source IP addresses, or URLs on the WAF whitelist to pass through, reducing false alarms.
Examples
# Disable the WAF whitelist feature.
<Sysname> system-view
[Sysname] undo waf whitelist enable
xff-detection enable
Use xff-detection enable to enable X-Forwarded-For inspection.
Use undo xff-detection enable to restore the default.
Syntax
xff-detection enable
undo xff-detection enable
Default
X-Forwarded-For inspection is disabled.
Views
CC defense rule view
Predefined user roles
network-admin
context-admin
Usage guidelines
The X-Forwarded-For inspection feature is applicable to scenarios where a client uses a proxy to access servers.
The device needs to inspect the client source IP addresses. When a client uses a proxy to access servers, the source IP address seen by the device is the proxy's address, so the device cannot obtain the client's real address. X-Forwarded-For inspection enables the device to obtain the real source IP address from the HTTP packets.
Examples
# Enable X-Forwarded-For inspection for CC defense rule test.
<Sysname> system-view
[Sysname] cc-defense policy news
[Sysname-cc-defense-policy-news] rule name test
[Sysname-cc-defense-policy-news-rule-test] xff-detection enable