04-DPI Command Reference
APT defense commands
application
Use application to specify the application layer protocols for sandbox inspection.
Use undo application to remove application layer protocols from the sandbox inspection.
Syntax
application { all | type { ftp | http | https | imap | nfs | pop3 | smb | smtp } * }
undo application { all | type { ftp | http | https | imap | nfs | pop3 | smb | smtp } * }
Default
No application layer protocols are specified for sandbox inspection.
Views
APT defense policy view
Predefined user roles
network-admin
context-admin
Parameters
all: Specifies all application layer protocols.
type: Specifies one or more individual application layer protocols.
ftp: Specifies the FTP protocol.
http: Specifies the HTTP protocol.
https: Specifies the HTTPS protocol.
imap: Specifies the IMAP protocol.
nfs: Specifies the NFS protocol. Only NFSv3 is supported.
pop3: Specifies the POP3 protocol.
smb: Specifies the SMB protocol. Only SMBv1 and SMBv2 are supported.
smtp: Specifies the SMTP protocol.
Usage guidelines
This command defines packets of the specified application layer protocols to be sent to the sandbox.
Repeat this command to specify multiple application layer protocols.
Examples
# In APT defense policy policy1, configure the device to send the HTTP protocol packets to the sandbox.
[Sysname] apt policy policy1
[Sysname-apt-policy-policy1] application type http
apt apply policy
Use apt apply policy to apply an APT defense policy to a DPI application profile.
Use undo apt apply policy to remove the APT defense policy from a DPI application profile.
Syntax
apt apply policy policy-name
undo apt apply policy
Default
No APT defense policy is applied to a DPI application profile.
Views
DPI application profile view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies an APT defense policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
An APT defense policy takes effect only after it is applied to a DPI application profile.
You can apply only one APT defense policy to a DPI application profile, and the applied APT defense policy must already exist.
If you execute this command for a DPI application profile multiple times, the most recent configuration takes effect.
Examples
# Apply APT defense policy policy1 to DPI application profile profile1.
<Sysname> system-view
[Sysname] app-profile profile1
[Sysname-app-profile-profile1] apt apply policy policy1
apt cache size
Use apt cache size to set the APT defense cache size.
Use undo apt cache size to restore the default.
Syntax
apt cache size cache-size
undo apt cache size
Default
The APT defense cache allows a maximum of 100000 entries.
Views
System view
Predefined user roles
network-admin
Parameters
cache-size: Specifies the cache size in the range of 100000 to 200000 entries.
Usage guidelines
This command is supported only by the default context. For more information about contexts, see context configuration in Virtual Technologies Configuration Guide.
The device caches the inspection result returned from the sandbox in the APT defense cache for matching subsequent traffic.
If you set an APT defense cache size smaller than the current APT cache size, the system deletes the oldest existing entries until the cache fits the new size.
Examples
# Set the APT defense cache size to 200000 entries.
<Sysname> system-view
[Sysname] apt cache size 200000
apt policy
Use apt policy to create an APT defense policy and enter its view, or enter the view of an existing APT defense policy.
Use undo apt policy to delete an APT defense policy.
Syntax
apt policy policy-name
undo apt policy policy-name
Default
An APT defense policy named default exists.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies the APT defense policy name, a case-insensitive string of 1 to 31 characters. The new APT defense policy name cannot be default.
Usage guidelines
An APT defense policy takes effect only after it is applied to a DPI application profile.
Examples
# Create APT defense policy policy1 and enter its view.
<Sysname> system-view
[Sysname] apt policy policy1
[Sysname-apt-policy-policy1]
Related commands
apt apply policy
description
Use description to configure a description for an APT defense policy.
Use undo description to restore the default.
Syntax
description description-string
undo description
Default
An APT defense policy does not have a description.
Views
APT defense policy view
Predefined user roles
network-admin
context-admin
Parameters
description-string: Specifies a description, a case-insensitive string of 1 to 255 characters.
Usage guidelines
A description allows easy identification of an APT defense policy.
Examples
# Configure the description as description1 for APT defense policy policy1.
[Sysname] apt policy policy1
[Sysname-apt-policy-policy1] description description1
display apt cache
Use display apt cache to display APT defense cache information.
Syntax
In standalone mode:
display apt cache [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display apt cache [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays APT defense cache information on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays APT defense cache information on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
This command displays information in the APT defense cache. The MD5 values of files in the APT defense cache indicate the sandbox inspection results. The APT defense module caches the sandbox inspection results in the following lists:
· Hit list—Cache the MD5 values of files that are identified as threats.
· Non-hit list—Cache the MD5 values of files that are not threats or cannot be identified as threats.
Examples
# Display APT defense cache information.
<Sysname> display apt cache
CPU 1 on Slot 3:
APT cache information:
Sandbox-query state : Disabled
Total cached non-hit entries : 0
Total cached hit entries : 0
Non-hit list min update interval : 0 seconds
Hit list min update interval : 0 seconds
Table 1 Command output

Field | Description |
---|---|
APT cache information | Information in the APT defense cache. |
Sandbox-query state | Status of the sandbox inspection: Enabled or Disabled. |
Total cached non-hit entries | Number of entries on the non-hit list. |
Total cached hit entries | Number of entries on the hit list. |
Non-hit list min update interval | Time elapsed since the last update on the non-hit list, in seconds. |
Hit list min update interval | Time elapsed since the last update on the hit list, in seconds. |
display apt linkage state
Use display apt linkage state to display the connection status between the device and sandbox.
Syntax
display apt linkage state
Views
Any view
Predefined user roles
network-admin
context-admin
Examples
# Display the connection status between the device and sandbox.
<Sysname> display apt linkage state
The sandbox state is connected
file max-size
Use file max-size to set the maximum file size supported in the sandbox inspection.
Use undo file max-size to restore the default.
Syntax
file file-type max-size max-file-size
undo file file-type max-size
Default
No maximum file size is set for sandbox inspection. The system uses the default file size limit on a per-file type basis.
Views
Sandbox view
Predefined user roles
network-admin
context-admin
Parameters
file-type: Specifies the supported file type name, a case-insensitive string. To obtain the supported file types, enter the question mark (?).
max-file-size: Specifies the maximum file size in KB. The maximum file size supported in the sandbox inspection varies by file type. To obtain the maximum file size for each supported file type, enter the question mark (?).
Usage guidelines
The files exceeding the maximum file size will not be sent to the sandbox.
Examples
# Set the maximum file size to 10240 KB for EXE files.
<Sysname> system-view
[Sysname] sandbox
[Sysname-sandbox] file exe max-size 10240
file-direction
Use file-direction to specify a file transfer direction for sandbox inspection.
Use undo file-direction to restore the default.
Syntax
file-direction { both | download | upload }
undo file-direction
Default
Both the uploaded and downloaded files are sent to the sandbox.
Views
APT defense policy view
Predefined user roles
network-admin
context-admin
Parameters
both: Specifies both the uploaded and downloaded files.
download: Specifies the downloaded files.
upload: Specifies the uploaded files.
Usage guidelines
The device sends only the files of the specified direction to the sandbox.
If you execute this command multiple times for an APT defense policy, the most recent configuration takes effect.
Examples
# Configure the device to send uploaded files to the sandbox in APT defense policy policy1.
<Sysname> system-view
[Sysname] apt policy policy1
[Sysname-apt-policy-policy1] file-direction upload
file-type
Use file-type to specify the file type for sandbox inspection.
Use undo file-type to remove the file type from the sandbox inspection.
Syntax
file-type { all | name &<1-8> }
undo file-type { all | name &<1-8> }
Default
No file type is specified for sandbox inspection.
Views
APT defense policy view
Predefined user roles
network-admin
context-admin
Parameters
all: Specifies all file types.
name &<1-8>: Specifies a space-separated list of up to eight file type names. Each name is a case-insensitive string. To obtain the supported file types, enter the question mark (?).
Usage guidelines
The device sends files of the specified types to the sandbox.
Repeat this command to specify multiple file types for sandbox inspection.
If you specify the following file types that contain multiple file formats, the configuration takes effect on all file formats:
· BMP—BMP and DIB formats.
· JPG—JPG, JPE, JPEG, and JFIF formats.
· XML—MSC and XML formats.
· RMVB—RMVB and RM formats.
· TGZ—TGZ and TAR.GZ formats.
Examples
# Configure the device to send the doc files to the sandbox in APT defense policy policy1.
<Sysname> system-view
[Sysname] apt policy policy1
[Sysname-apt-policy-policy1] file-type doc
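The selection rules from the application, file max-size, file-direction and file-type sections, combined into one model of which transferred files reach the sandbox. This is an added example, not H3C device code: the class and function names, the sample policy and the sample file sizes are this example's assumptions, and a type with no configured max-size is treated as unlimited because the reference does not list the built-in per-type defaults.

```python
"""Model of the sandbox file-selection rules (added example, not device code).

Documented behaviour modelled here: 'application' selects protocols
(all or a set of types, cumulative across repeats); 'file-type' selects
types (all or up to eight names, cumulative, multi-format names expanded);
'file-direction' keeps upload, download or both (last value wins);
'file <type> max-size' in sandbox view caps the size in KB per type and
larger files are not sent. Names and sample values are assumptions.
"""
from dataclasses import dataclass, field

PROTOCOLS = {"ftp", "http", "https", "imap", "nfs", "pop3", "smb", "smtp"}
DIRECTIONS = {"both", "download", "upload"}

# File-type names that cover several formats (from the file-type usage guidelines).
FORMAT_ALIASES = {
    "bmp": {"bmp", "dib"},
    "jpg": {"jpg", "jpe", "jpeg", "jfif"},
    "xml": {"msc", "xml"},
    "rmvb": {"rmvb", "rm"},
    "tgz": {"tgz", "tar.gz"},
}


def expand_file_type(name: str) -> set:
    """Return every file format a configured file-type name covers."""
    name = name.lower()
    return set(FORMAT_ALIASES.get(name, {name}))


@dataclass
class AptPolicy:
    """Settings made in APT defense policy view."""
    applications: set = field(default_factory=set)
    all_applications: bool = False
    file_formats: set = field(default_factory=set)
    all_file_types: bool = False
    file_direction: str = "both"  # documented default

    def application(self, *types: str) -> None:
        """'application all' or 'application type ...'; repeatable and cumulative."""
        for t in (x.lower() for x in types):
            if t == "all":
                self.all_applications = True
            elif t in PROTOCOLS:
                self.applications.add(t)
            else:
                raise ValueError(f"unsupported application type: {t}")

    def file_type(self, *names: str) -> None:
        """'file-type all' or 'file-type name ...' (up to eight names); cumulative."""
        if len(names) > 8:
            raise ValueError("file-type accepts at most eight names per command")
        for n in names:
            if n.lower() == "all":
                self.all_file_types = True
            else:
                self.file_formats |= expand_file_type(n)

    def set_file_direction(self, direction: str) -> None:
        """'file-direction ...'; the most recent configuration takes effect."""
        if direction not in DIRECTIONS:
            raise ValueError(f"unsupported direction: {direction}")
        self.file_direction = direction


@dataclass
class SandboxSettings:
    """'file <type> max-size <kb>' entries made in sandbox view."""
    max_size_kb: dict = field(default_factory=dict)


def should_send_to_sandbox(policy: AptPolicy, sandbox: SandboxSettings, *,
                           protocol: str, file_format: str, direction: str,
                           size_kb: int) -> tuple:
    """Decide whether one transferred file is sent to the sandbox; returns (decision, reason)."""
    protocol, file_format = protocol.lower(), file_format.lower()
    if not (policy.all_applications or protocol in policy.applications):
        return False, f"protocol {protocol} not selected by 'application'"
    if not (policy.all_file_types or file_format in policy.file_formats):
        return False, f"file type {file_format} not selected by 'file-type'"
    if policy.file_direction != "both" and direction != policy.file_direction:
        return False, f"{direction} excluded by 'file-direction {policy.file_direction}'"
    limit = sandbox.max_size_kb.get(file_format)  # unset limit treated as unlimited (assumption)
    if limit is not None and size_kb > limit:
        return False, f"{size_kb} KB exceeds 'file {file_format} max-size {limit}'"
    return True, "sent to sandbox"


def build_sample() -> tuple:
    """Constructed sample policy mirroring the command examples in this reference."""
    policy = AptPolicy()
    policy.application("http", "smtp")         # application type http smtp
    policy.file_type("exe", "doc", "jpg")      # file-type name exe doc jpg
    policy.set_file_direction("download")      # file-direction download
    sandbox = SandboxSettings({"exe": 10240})  # file exe max-size 10240
    return policy, sandbox


if __name__ == "__main__":
    pol, sb = build_sample()
    for proto, fmt, direction, kb in [("http", "exe", "download", 4096),
                                      ("http", "jfif", "download", 64),
                                      ("http", "exe", "upload", 64),
                                      ("ftp", "doc", "download", 64),
                                      ("http", "exe", "download", 20480)]:
        print(proto, fmt, direction, kb,
              should_send_to_sandbox(pol, sb, protocol=proto, file_format=fmt,
                                     direction=direction, size_kb=kb))
```

Walking a few constructed transfers through should_send_to_sandbox makes the interaction visible: a JFIF download is inspected because the configured jpg type expands to JFIF, an upload is skipped under file-direction download, and a 20480 KB EXE is skipped by the file exe max-size 10240 cap even though its protocol, type and direction all match.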
linkage enable
Use linkage enable to enable the linkage to the sandbox.
Use undo linkage enable to disable the linkage to the sandbox.
Syntax
linkage enable
undo linkage enable
Default
The linkage to the sandbox is disabled.
Views
Sandbox view
Predefined user roles
network-admin
context-admin
Usage guidelines
This command does not initiate a connection request to the sandbox. It only allows the linkage between the device and the sandbox. To establish a connection between the device and sandbox, execute the linkage try command.
Examples
# Enable the linkage to the sandbox.
<Sysname> system-view
[Sysname] sandbox
[Sysname-sandbox] linkage enable
Related commands
linkage try
password
sandbox-address
username
linkage try
Use linkage try to establish a connection between the device and sandbox.
Syntax
linkage try
Views
Sandbox view
Predefined user roles
network-admin
context-admin
Usage guidelines
This command takes effect only after the following conditions are met:
· Sandbox parameters (including sandbox address, username, and password) are configured.
· The linkage to the sandbox is enabled.
After you execute this command, the device initiates a connection request to the sandbox. After the connection is established, the device sends files to the sandbox for inspection.
Examples
# Establish a connection between the device and sandbox.
<Sysname> system-view
[Sysname] sandbox
[Sysname-sandbox] linkage try
Related commands
linkage enable
password
sandbox-address
username
password
Use password to set the password for logging in to the sandbox.
Use undo password to restore the default.
Syntax
password { cipher | simple } string
undo password
Default
No password is set for logging in to the sandbox.
Views
Sandbox view
Predefined user roles
network-admin
context-admin
Parameters
cipher: Specifies the password in encrypted form.
simple: Specifies the password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. The plaintext form is a case-sensitive string of 6 to 32 characters, and the string must contain any combination of letters, digits, and special characters. The encrypted form is a case-sensitive string of 32 characters, and the string must contain letters and digits.
Usage guidelines
If you change the login password when the device is connected to the sandbox, the connection will be terminated. You need to execute the linkage try command to re-establish the connection.
Examples
# Set the password for logging in to the sandbox to 123456abc in plaintext format.
<Sysname> system-view
[Sysname] sandbox
[Sysname-sandbox] password simple 123456abc
Related commands
sandbox-address
username
sandbox
Use sandbox to enter sandbox view.
Use undo sandbox to delete the configuration in sandbox view.
Syntax
sandbox
undo sandbox
Views
System view
Predefined user roles
network-admin
context-admin
Examples
# Enter sandbox view.
<Sysname> system-view
[Sysname] sandbox
[Sysname-sandbox]
sandbox-address
Use sandbox-address to specify the sandbox address.
Use undo sandbox-address to restore the default.
Syntax
sandbox-address address-string
undo sandbox-address
Default
No sandbox address is specified.
Views
Sandbox view
Predefined user roles
network-admin
context-admin
Parameters
address-string: Specifies the IP address or domain name of the sandbox, a case-insensitive string of 1 to 64 characters. Valid characters include letters, digits, underscores, hyphens (-), dots (.), and colons (:).
Usage guidelines
If you change the sandbox address when the device is connected to the sandbox, the connection will be terminated. You need to execute the linkage try command to re-establish the connection.
Examples
# Specify www.example.com as the sandbox address.
[Sysname] sandbox
[Sysname-sandbox] sandbox-address www.example.com
Related commands
password
username
sandbox-local
Use sandbox-local to enter local sandbox view.
Use undo sandbox-local to delete the configurations in local sandbox view.
Syntax
sandbox-local
undo sandbox-local
The following compatibility matrix shows the support of hardware platforms for this command:

Hardware platform | Module type | Command compatibility |
---|---|---|
M9006 M9010 M9014 | Blade IV firewall module | No |
M9006 M9010 M9014 | Blade V firewall module | No |
M9006 M9010 M9014 | NAT module | No |
M9010-GM | Encryption module | No |
M9016-V | Blade V firewall module | No |
M9008-S M9012-S | Blade IV firewall module | No |
M9008-S M9012-S | Intrusion prevention service (IPS) module | No |
M9008-S M9012-S | Video network gateway module | No |
M9008-S-V | Blade IV firewall module | No |
M9000-AI-E4 | Blade V firewall module | No |
M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | No |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | No |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | No |
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Operating mechanism
Depending on support for sandbox configuration in RBM configuration synchronization, the device provides the following types of sandbox views:
· Sandbox view—When the device performs RBM configuration synchronization, all configurations in this view are supported for synchronization.
· Local sandbox view—When the device performs RBM configuration synchronization, none of the configurations in this view are synchronized.
The configurations supported in both views are identical, such as the sandbox address and sandbox username.
Application scenarios
You can decide whether to synchronize sandbox-related parameters in RBM configuration synchronization. If synchronization is required, you must configure the parameters in sandbox view. If synchronization is not required, you must configure the parameters in local sandbox view. For example, in an RBM active-standby environment, two devices (configured with different sandbox parameters) connect to different sandboxes to enhance APT defense capabilities. Sandbox configuration does not need to be synchronized in RBM configuration synchronization. You must configure sandbox-related parameters in local sandbox view.
For more information about RBM, see High Availability Configuration Guide.
Restrictions and guidelines
The two sandbox views are mutually exclusive. You can perform the following operations to switch between them:
· To switch to local sandbox view when you have configured sandbox parameters in sandbox view:
a. Execute the undo sandbox command in sandbox view to delete the configurations in this view, and then return to system view.
b. Execute the sandbox-local command to enter local sandbox view and configure the parameters.
· To switch to sandbox view when you have configured sandbox parameters in local sandbox view:
a. Execute the sandbox command in system view.
b. When the system prompts "All sandbox local settings will be lost. Continue? [Y/N]:", enter Y to confirm deletion of the configurations in local sandbox view.
c. Configure the parameters in sandbox view.
Examples
# Enter local sandbox view.
<Sysname> system-view
[Sysname] sandbox-local
Related commands
sandbox
username
Use username to set the username for logging in to the sandbox.
Use undo username to restore the default.
Syntax
username user-name
undo username
Default
No username is set for logging in to the sandbox.
Views
Sandbox view
Predefined user roles
network-admin
context-admin
Parameters
user-name: Specifies the login username, a case-insensitive string of 5 to 12 characters.
Usage guidelines
If you change the login username when the device is connected to the sandbox, the connection will be terminated. You need to execute the linkage try command to re-establish the connection.
Examples
# Set the username for logging in to the sandbox to userabc.
<Sysname> system-view
[Sysname] sandbox
[Sysname-sandbox] username userabc
Related commands
password
sandbox-address