Domain reputation commands
attack-category
Use attack-category to configure actions for an attack category.
Use undo attack-category to restore the default.
Syntax
attack-category attack-id { action { deny | permit } | logging { disable | enable } }*
undo attack-category attack-id
Default
No actions are configured for an attack category, and the device allows the matching packets to pass through and generates logs for the matching events.
Views
Domain reputation view
Predefined user roles
network-admin
context-admin
Parameters
attack-id: Specifies an attack category ID, in the range of 1 to 65535. To obtain the attack category ID corresponding to the attack category name, enter a question mark (?) for the attack-id argument or execute the display domain-reputation attack-category command.
action: Specifies an action.
deny: Drops matching packets.
permit: Allows matching packets to pass through.
logging: Sets the logging status for the attack category. When a packet matches the attack category with logging enabled, the device generates logs for the matching events.
disable: Disables logging for the matching events.
enable: Enables logging for the matching events.
Usage guidelines
The command configuration takes effect after you enable domain reputation.
On the domain reputation signature library, a domain name can belong to multiple attack categories. Each attack category has its own actions.
If a domain name belongs to only one attack category, the device takes the actions in this attack category. If a domain name belongs to multiple attack categories, the device takes the action that has the highest priority among all actions in those attack categories. The deny action has higher priority than the permit action.
If logging is enabled for any of the attack categories to which a domain name belongs, the device generates a log when the domain name is matched.
Examples
# Set the action to deny for attack category 1 and enable logging for the attack category.
<Sysname> system-view
[Sysname] domain-reputation
[Sysname-domain-reputation] attack-category 1 action deny logging enable
Related commands
display domain-reputation attack-category
global enable
display domain-reputation attack-category
Use display domain-reputation attack-category to display information about attack categories for domain reputation.
Syntax
display domain-reputation attack-category
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Usage guidelines
The command displays attack category information after domain reputation is enabled.
If you do not specify actions for an attack category, the device allows the matching packets to pass through and generates logs for the matching events.
Examples
# Display information about attack categories for domain reputation.
<Sysname> display domain-reputation attack-category
Attack id Attack name Action Logging
----------------------------------------------------------
1 C&C deny enable
2 Network_Worm permit enable
3 Risk_Software permit enable
4 Malware permit enable
5 Trojan deny enable
6 Infectious_Virus permit enable
7 Trojan_the_Thief permit enable
8 Ransomware permit enable
9 miner permit enable
10 Botnet permit enable
15 tor permit enable
16 Porn_Website permit enable
17 Gambling_Website permit enable
18 Phishing_Website permit enable
19 Fraud_Website permit enable
20 spam permit enable
21 Malicious_Email permit enable
22 DGA permit enable
23 APT permit enable
Figure 1 Command output
Field | Description |
---|---|
Attack id | Attack category ID. |
Attack name | Attack category name. |
Action | Action that the device takes on packets matching the attack category: permit forwards the packets, and deny discards the packets. |
Logging | Logging status, enable or disable. |
Related commands
attack-category
global enable
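The following Python sketch is an added example, not vendor code. It parses output in the layout shown above, applies the precedence rules from the attack-category usage guidelines (deny outranks permit, and one logging-enabled category is enough to produce a log), and lists categories that are still permit-only. The sample output is constructed, and the function names are illustrative.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of "display domain-reputation attack-category".
# The row with logging disabled is invented for the demonstration.
SAMPLE_OUTPUT = """\
Attack id  Attack name        Action  Logging
----------------------------------------------------------
1          C&C                deny    enable
2          Network_Worm       permit  enable
8          Ransomware         permit  enable
18         Phishing_Website   permit  disable
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(deny|permit)\s+(enable|disable)\s*$")
Category = namedtuple("Category", "attack_id name action logging")


def parse_categories(text):
    """Parse the display output into {attack_id: Category}; skip non-data lines."""
    cats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue  # header, separator or blank line
        attack_id = int(m.group(1))
        if not 1 <= attack_id <= 65535:  # range given for the attack-id argument
            raise ValueError(f"attack id out of range: {attack_id}")
        cats[attack_id] = Category(attack_id, m.group(2), m.group(3), m.group(4))
    return cats


def effective_verdict(cats, attack_ids):
    """Return (action, logging) for a domain listed under several categories."""
    members = [cats[i] for i in attack_ids]  # KeyError on an unknown ID
    if not members:
        raise ValueError("a domain must belong to at least one attack category")
    # deny outranks permit; one logging-enabled category is enough to log.
    action = "deny" if any(c.action == "deny" for c in members) else "permit"
    logging = "enable" if any(c.logging == "enable" for c in members) else "disable"
    return action, logging


def audit(cats):
    """List categories whose settings let traffic pass or hide the match."""
    findings = []
    for c in sorted(cats.values(), key=lambda c: c.attack_id):
        if c.action == "permit" and c.logging == "disable":
            findings.append((c.attack_id, c.name, "permitted and not logged"))
        elif c.action == "permit":
            findings.append((c.attack_id, c.name, "logged only, traffic passes"))
        elif c.logging == "disable":
            findings.append((c.attack_id, c.name, "blocked without a log"))
    return findings


def hardening_commands(cats, deny_ids):
    """Emit attack-category lines for IDs not yet set to deny with logging."""
    return [f"attack-category {i} action deny logging enable"
            for i in sorted(deny_ids)
            if (cats[i].action, cats[i].logging) != ("deny", "enable")]


if __name__ == "__main__":
    parsed = parse_categories(SAMPLE_OUTPUT)
    for finding in audit(parsed):
        print(finding)
    print(effective_verdict(parsed, [2, 1]))
    print(hardening_commands(parsed, {1, 8, 18}))
```

The generated lines are entered in domain reputation view and take effect only after domain reputation is enabled.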
display domain-reputation domain
Use display domain-reputation domain to display domain reputation information about a domain name.
Syntax
display domain-reputation domain domain-name
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
domain-name: Specifies a domain name, a case-insensitive string of 3 to 255 characters. Only letters, digits, hyphens (-), and dots (.) are allowed. You can execute the display domain-reputation top-hit-statistics command to obtain the domain name.
Usage guidelines
The command displays domain reputation information about a domain name after domain reputation is enabled globally.
The domain reputation signature library contains the following attribute information for a domain name: attack category, actions on matching packets, and the hit count.
If a domain name belongs to multiple attack categories that are configured with actions, the command displays information about the domain name based on the attack category ID.
Examples
# Display domain reputation information about domain name movimet.com.
<Sysname> display domain-reputation domain movimet.com
Domain name Attack id Attack name Action Logging Hit count
-------------------------------------------------------------------------------------
movimet.com 18 Phishing_Website deny enable 48
Figure 2 Command output
Field | Description |
---|---|
Domain name | Domain name on the domain reputation signature library. |
Attack id | ID of the attack category to which the domain name belongs. |
Attack name | Name of the attack category to which the domain name belongs. |
Action | Action on matching packets: permit allows the packets to pass through, and deny drops the packets. |
Logging | Logging status, enable or disable. |
Hit count | Number of times that the domain name is matched. |
Related commands
display domain-reputation top-hit-statistics
global enable
display domain-reputation exception
Use display domain-reputation exception to display exception domain names.
Syntax
display domain-reputation exception
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Usage guidelines
The command displays exception domain names, if any, when domain reputation is enabled globally.
Examples
# Display exception domain names.
<Sysname> display domain-reputation exception
domain names
movimet.com
www.abcsd.com
Related commands
exception
global enable
display domain-reputation signature library
Use display domain-reputation signature library to display information about the domain reputation signature library.
Syntax
display domain-reputation signature library
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display information about the domain reputation signature library.
<Sysname> display domain-reputation signature library
domain-reputation signature library information:
Type SigVersion ReleaseTime Size
Current 1.0.6 Tue Jul 28 12:35:15 2020 560208
Last 1.0.7 Tue Aug 11 08:06:31 2020 399104
Factory - - -
Figure 3 Command output
Field | Description |
---|---|
Type | Version type of the domain reputation signature library: Current (current version), Last (previous version), or Factory (factory default version, not supported currently). |
SigVersion | Version number of the domain reputation signature library. |
ReleaseTime | Release time of the domain reputation signature library. |
Size | Size of the domain reputation signature library file, in bytes. |
display domain-reputation top-hit-statistics
Use display domain-reputation top-hit-statistics to display statistics for domain names with the highest hits on the domain reputation signature library.
Syntax
In standalone mode:
display domain-reputation top-hit-statistics [ top-number ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display domain-reputation top-hit-statistics [ top-number ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
top-number: Specifies the number of top ranking domain names. The value range is 10 to 100, and the default is 10.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics for domain names with the highest hits on the domain reputation list for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics for domain names with the highest hits on the domain reputation list for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
This command displays statistics for domain names with the highest hits on the domain reputation signature library when the top hit ranking feature is enabled.
This command does not display domain names with no hits. Therefore, the number of domain names in the command output might be less than the value of the top-number argument.
Examples
# (In standalone mode.) Display statistics for 10 domain names with the highest hits on the domain reputation signature library.
<Sysname> display domain-reputation top-hit-statistics 10 slot 1
Slot 1:
Domain name Hit count
--------------------------------
www.sina.com.cn 1000
movimet.com 999
www.h3c.com 996
www.yahoo.com.cn 995
www.hao123.com 992
Figure 4 Command output
Field | Description |
---|---|
Domain name | Domain name on the domain reputation signature library. |
Hit count | Number of times that the domain name is hit. |
Related commands
global enable
top-hit-statistics enable
domain-reputation
Use domain-reputation to enter domain reputation view.
Use undo domain-reputation to delete all configuration in domain reputation view.
Syntax
domain-reputation
undo domain-reputation
Views
System view
Predefined user roles
network-admin
context-admin
Examples
# Enter domain reputation view.
<Sysname> system-view
[Sysname] domain-reputation
[Sysname-domain-reputation]
domain-reputation signature auto-update
Use domain-reputation signature auto-update to enable automatic update of the domain reputation signature library and enter automatic domain reputation signature library update configuration view.
Use undo domain-reputation signature auto-update to disable automatic update of the domain reputation signature library.
Syntax
domain-reputation signature auto-update
undo domain-reputation signature auto-update
Default
Automatic update of the domain reputation signature library is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
After you enable automatic update of the domain reputation signature library, the device periodically accesses the signature database services on the official website to download the latest domain reputation signature library.
Examples
# Enable automatic update of the domain reputation signature library and enter automatic domain reputation signature library update configuration view.
<Sysname> system-view
[Sysname] domain-reputation signature auto-update
[Sysname-domain-reputation-autoupdate]
Related commands
update schedule
domain-reputation signature auto-update-now
Use domain-reputation signature auto-update-now to trigger an automatic update of the domain reputation signature library manually.
Syntax
domain-reputation signature auto-update-now
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
After you execute this command, the device immediately starts the automatic update process of the domain reputation signature library, regardless of whether automatic signature library update is enabled. The device automatically backs up the current signature library before overwriting it.
You can execute this command whenever you find a new version of the signature library on the official website.
Examples
# Trigger an automatic update of the domain reputation signature library manually.
<Sysname> system-view
[Sysname] domain-reputation signature auto-update-now
domain-reputation signature rollback
Use domain-reputation signature rollback to roll back the domain reputation signature library.
Syntax
domain-reputation signature rollback last
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
last: Rolls back the domain reputation signature library to the previous version.
Usage guidelines
If a domain reputation signature library update causes exceptions or a high false alarm rate, you can roll back the domain reputation signature library.
Before performing a domain reputation signature library rollback, the device backs up the current domain reputation signature library as the previous version. For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.
Examples
# Roll back the domain reputation signature library to the previous version.
<Sysname> system-view
[Sysname] domain-reputation signature rollback last
Related commands
display domain-reputation signature library
domain-reputation signature update
Use domain-reputation signature update to manually update the domain reputation signature library.
Syntax
domain-reputation signature update file-path [ vpn-instance vpn-instance-name ] [ source { ip | ipv6 } { ip-address | interface interface-type interface-number } ]
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
file-path: Specifies the domain reputation signature library file path, a string of 1 to 255 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the FTP or TFTP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server belongs to the public network, do not specify this option.
source: Specifies the source IP address of the request packets sent to the TFTP or FTP server for the manual signature library update. If you do not specify a source IP address, the system uses the IP address of the outgoing routed interface as the source IP address.
ip ip-address: Specifies a source IPv4 address.
ipv6 ip-address: Specifies a source IPv6 address.
interface interface-type interface-number: Specifies an interface by its type and number. The primary IPv4 address or the lowest IPv6 address of the specified interface is used as the source IP address.
Usage guidelines
If the device cannot access the signature database services on the official website, use one of the following methods to manually update the domain reputation signature library:
· Local update—Updates the domain reputation signature library by using a locally stored domain reputation signature library file. To use this method, first obtain the signature library file from the official website and import it to the device.
(In standalone mode.) Store the update file on the active MPU for successful signature library update.
(In IRF mode.) Store the update file on the global active MPU for successful signature library update.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored in the current working directory. | filename | To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference. |
The update file is stored in a different directory on the same storage medium. | filename | Before configuring the domain-reputation signature update command, use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
The update file is stored on a different storage medium. | path/filename | Before configuring the domain-reputation signature update command, use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
· FTP/TFTP update—Updates the domain reputation signature library by using the file stored on an FTP or TFTP server.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored on an FTP server. | ftp://username:password@server/filename | The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: colon (:) becomes %3A or %3a; at sign (@) becomes %40; forward slash (/) becomes %2F or %2f. |
The update file is stored on a TFTP server. | tftp://server/filename | The server parameter represents the IP address or host name of the TFTP server. |

NOTE: To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide.
To execute the domain-reputation signature update command, you also need to follow these restrictions and guidelines:
· To use a specific source IP address for request packets sent to the TFTP or FTP server for manual signature library update, specify the source keyword. For example, if packets from the device must be translated by NAT before accessing the TFTP or FTP server, you must specify a source IP address that complies with the NAT rules. If NAT is performed by an independent NAT device, make sure the IP address specified by this command can reach the NAT device at Layer 3.
· If you specify both the source and vpn-instance keywords, make sure the VPN instance to which the specified source IP or interface belongs is the same as that specified by the vpn-instance keyword.
Examples
# Manually update the domain reputation signature library by using a domain reputation signature library file stored on a TFTP server.
<Sysname> system-view
[Sysname] domain-reputation signature update tftp://192.168.0.10/domain-1.0.2-en.dat
# Manually update the domain reputation signature library by using a domain reputation signature library file stored on the device. The file is stored at cfb0:/dpi/domain-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd cfb0:/
<Sysname> system-view
[Sysname] domain-reputation signature update dpi/domain-1.0.23-en.dat
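For scripted updates, the following Python sketch builds the file-path argument and the full command line from the rules above. It is an added example, not vendor code. It escapes only the three characters listed for FTP usernames and passwords, enforces the documented length limits, and selects the ip or ipv6 keyword from the source address. The function names and the credentials in the usage lines are constructed, and passing any other character (including a literal %) through unchanged is an assumption.

```python
import ipaddress

# Escape sequences listed for FTP usernames and passwords.
# Assumption: every other character, including a literal '%', is sent unchanged.
FTP_ESCAPES = {":": "%3A", "@": "%40", "/": "%2F"}


def escape_credential(value):
    """Escape only the three separators that would break the ftp:// file-path."""
    return "".join(FTP_ESCAPES.get(ch, ch) for ch in value)


def check_file_path(path):
    """file-path is documented as a string of 1 to 255 characters."""
    if not 1 <= len(path) <= 255:
        raise ValueError(f"file-path must be 1 to 255 characters, got {len(path)}")
    return path


def ftp_file_path(username, password, server, filename):
    """Build ftp://username:password@server/filename with escaped credentials."""
    return check_file_path("ftp://{}:{}@{}/{}".format(
        escape_credential(username), escape_credential(password), server, filename))


def tftp_file_path(server, filename):
    """Build tftp://server/filename."""
    return check_file_path(f"tftp://{server}/{filename}")


def update_command(file_path, vpn_instance=None, source=None):
    """Assemble 'domain-reputation signature update' with optional keywords."""
    parts = ["domain-reputation signature update", check_file_path(file_path)]
    if vpn_instance is not None:
        # vpn-instance-name is a case-sensitive string of 1 to 31 characters.
        if not 1 <= len(vpn_instance) <= 31:
            raise ValueError("vpn-instance-name must be 1 to 31 characters")
        parts += ["vpn-instance", vpn_instance]
    if source is not None:
        # The address family selects the 'ip' or 'ipv6' keyword after 'source'.
        addr = ipaddress.ip_address(source)  # raises ValueError on bad input
        parts += ["source", "ip" if addr.version == 4 else "ipv6", str(addr)]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed credentials that contain all three special characters.
    path = ftp_file_path("ops:team", "p@ss/w0rd", "192.168.0.10",
                         "domain-1.0.2-en.dat")
    print(update_command(path, vpn_instance="vpn1", source="10.1.1.1"))
    print(update_command(tftp_file_path("192.168.0.10", "domain-1.0.2-en.dat")))
```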
exception
Use exception to specify an exception domain name.
Use undo exception to remove an exception domain name.
Syntax
exception domain domain-name
undo exception domain domain-name
Default
No exception domain name is specified.
Views
Domain reputation view
Predefined user roles
network-admin
context-admin
Parameters
domain-name: Specifies a domain name, a case-insensitive string of 3 to 255 characters. Only letters, digits, hyphens (-), and dots (.) are allowed. You can execute the display domain-reputation top-hit-statistics command to obtain the domain name.
Usage guidelines
The command takes effect after you enable domain reputation globally.
The device forwards a packet if the domain name of the packet is an exception domain name.
Repeat this command to add multiple exception domain names.
Examples
# Specify movimet.com as an exception domain name.
<Sysname> system-view
[Sysname] domain-reputation
[Sysname-domain-reputation] exception domain movimet.com
Related commands
display domain-reputation exception
display domain-reputation top-hit-statistics
global enable
global enable
Use global enable to enable domain reputation globally.
Use undo global enable to disable domain reputation globally.
Syntax
global enable
undo global enable
Default
Domain reputation is disabled globally.
Views
Domain reputation view
Predefined user roles
network-admin
context-admin
Usage guidelines
With domain reputation enabled globally, the device takes the corresponding actions on the packets whose domain names match the domain names in the domain reputation signature library.
Examples
# Enable domain reputation globally.
<Sysname> system-view
[Sysname] domain-reputation
[Sysname-domain-reputation] global enable
top-hit-statistics enable
Use top-hit-statistics enable to enable the top hit ranking feature for domain names.
Use undo top-hit-statistics enable to disable the top hit ranking feature.
Syntax
top-hit-statistics enable
undo top-hit-statistics enable
Default
The top hit ranking feature is disabled for domain names on the domain reputation signature library.
Views
Domain reputation view
Predefined user roles
network-admin
context-admin
Usage guidelines
This feature takes effect after you enable domain reputation globally.
This feature enables the device to collect hit statistics for domain names on the domain reputation signature library and rank them. After you disable this feature, the device clears hit statistics for domain reputation.
Examples
# Enable the top hit ranking feature for domain names on the domain reputation signature library.
<Sysname> system-view
[Sysname] domain-reputation
[Sysname-domain-reputation] top-hit-statistics enable
Related commands
display domain-reputation top-hit-statistics
update schedule
Use update schedule to schedule the time for automatic domain reputation signature library update.
Use undo update schedule to restore the default.
Syntax
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
undo update schedule
Default
The device starts updating the domain reputation signature library at a random time between 01:00:00 and 03:00:00 every day.
Views
Automatic domain reputation signature library update configuration view
Predefined user roles
network-admin
context-admin
Parameters
daily: Updates the domain reputation signature library every day.
weekly: Updates the domain reputation signature library every week.
fri: Updates the domain reputation signature library every Friday.
mon: Updates the domain reputation signature library every Monday.
sat: Updates the domain reputation signature library every Saturday.
sun: Updates the domain reputation signature library every Sunday.
thu: Updates the domain reputation signature library every Thursday.
tue: Updates the domain reputation signature library every Tuesday.
wed: Updates the domain reputation signature library every Wednesday.
start-time time: Specifies the start time in the hh:mm:ss format. The value range is 00:00:00 to 23:59:59.
tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a random time between the following time points:
· Start time minus half the tolerance time.
· Start time plus half the tolerance time.
Examples
# Configure the device to automatically update the domain reputation signature library every Monday at a random time between 20:25:00 and 20:35:00.
<Sysname> system-view
[Sysname] domain-reputation signature auto-update
[Sysname-domain-reputation-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10
Related commands
domain-reputation signature auto-update