Network asset scan commands
asset-scan
Use asset-scan to enter asset scan view.
Use undo asset-scan to delete all configurations in asset scan view.
Syntax
asset-scan
undo asset-scan
Views
System view
Predefined user roles
network-admin
context-admin
Examples
# Enter asset scan view.
<Sysname> system-view
[Sysname] asset-scan
[Sysname-asset-scan]
auto-scan enable
Use auto-scan enable to enable automatic asset scan.
Use undo auto-scan enable to disable automatic asset scan.
Syntax
auto-scan enable
undo auto-scan enable
Default
Automatic asset scan is disabled.
Views
Asset scan view
Predefined user roles
network-admin
context-admin
Usage guidelines
Use this command to scan and analyze the hosts, servers and devices at the specified IP addresses or in the specified IP address ranges to detect risks such as open ports and weak passwords. You can harden the security configuration of devices according to the scanning results. For example, close ports that do not need to be opened, and enhance the security strength of passwords.
When automatic asset scan is enabled, the device automatically scans the network assets at the specified IP addresses or in the specified IP address ranges according to the network asset scan schedule.
Examples
# Enable automatic asset scan.
<Sysname> system-view
[Sysname] asset-scan
[Sysname-asset-scan] auto-scan enable
Related commands
ip
ipv6
schedule every
tcp-port
udp-port
weak-password-scan enable
ip
Use ip to specify a target IPv4 address range for network asset scan.
Use undo ip to delete a target IPv4 address range for network asset scan.
Syntax
ip { subnet ip-address mask-length | range start-address end-address }
undo ip { subnet ip-address mask-length | range start-address end-address }
Default
No target IPv4 address range for network asset scan exists.
Views
Asset scan view
Predefined user roles
network-admin
context-admin
Parameters
subnet ip-address mask-length: Specifies an IPv4 subnet. The ip-address argument specifies an IPv4 network address. The mask-length argument specifies the subnet mask length, in the range of 1 to 32.
range start-address end-address: Specifies an IPv4 address range. The start-address argument specifies the start IPv4 address. The end-address argument specifies the end IPv4 address. The end address must be higher than the start address. If they are the same, the address range has only one IP address.
Usage guidelines
A target IPv4 address range is a set of IPv4 addresses. When network asset scan is enabled, the device performs network asset scans on all addresses in the target IPv4 address ranges.
You can specify multiple target IPv4 address ranges. Make sure the address ranges do not overlap.
For network asset scan to take effect, you must specify the target IPv4 or IPv6 address ranges.
Examples
# Specify a target IPv4 address range for network asset scan.
<Sysname> system-view
[Sysname] asset-scan
[Sysname-asset-scan] ip subnet 192.168.1.1 24
Related commands
auto-scan enable
ipv6
weak-password-scan enable
ipv6
Use ipv6 to specify a target IPv6 address range for network asset scan.
Use undo ipv6 to delete a target IPv6 address range for network asset scan.
Syntax
ipv6 { subnet ipv6-address prefix-length | range start-address end-address }
undo ipv6 { subnet ipv6-address prefix-length | range start-address end-address }
Default
No target IPv6 address range for network asset scan exists.
Views
Asset scan view
Predefined user roles
network-admin
context-admin
Parameters
subnet ipv6-address prefix-length: Specifies an IPv6 subnet. The ipv6-address argument specifies an IPv6 address prefix. The prefix-length argument specifies the prefix length, in the range of 112 to 128.
range start-address end-address: Specifies an IPv6 address range. The start-address argument specifies the start IPv6 address. The end-address argument specifies the end IPv6 address. The first 112 bits of the start IPv6 address and the end IPv6 address must be the same. The end address must be higher than the start address. If they are the same, the address range has only one IP address.
Usage guidelines
A target IPv6 address range is a set of IPv6 addresses. When network asset scan is enabled, the device performs network asset scans on all addresses in the target IPv6 address ranges.
You can specify multiple target IPv6 address ranges. Make sure the address ranges do not overlap.
For network asset scan to take effect, you must specify the target IPv4 or IPv6 address ranges.
Examples
# Specify a target IPv6 address range for network asset scan.
<Sysname> system-view
[Sysname] asset-scan
[Sysname-asset-scan] ipv6 subnet 192:168::1:1 120
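The address rules given for the ip and ipv6 commands (length limits, the shared first 112 bits of an IPv6 range, and no overlap between ranges) can be checked on a planned target list before it is entered on the device. The following Python check is an added example, not vendor code; parse_target, check_targets and the PLANNED sample are hypothetical names, and it assumes host bits in a subnet address are tolerated, as in the examples above.

```python
import ipaddress

# Length limits from the parameter descriptions: IPv4 1 to 32, IPv6 112 to 128.
LENGTHS = {"ip": (4, 1, 32), "ipv6": (6, 112, 128)}

def parse_target(line):
    """Return (first, last) address of one 'ip' or 'ipv6' target line."""
    cmd, kind, a, b = line.split()
    if cmd not in LENGTHS or kind not in ("subnet", "range"):
        raise ValueError(f"{line!r}: expected ip|ipv6 followed by subnet|range")
    version, lo, hi = LENGTHS[cmd]
    addr = ipaddress.IPv4Address if version == 4 else ipaddress.IPv6Address
    if kind == "subnet":
        if not lo <= int(b) <= hi:
            raise ValueError(f"{line!r}: length must be {lo} to {hi}")
        # Assumption: host bits are tolerated, as in 'ip subnet 192.168.1.1 24'.
        net = ipaddress.ip_network(f"{addr(a)}/{int(b)}", strict=False)
        return net[0], net[-1]
    start, end = addr(a), addr(b)
    if end < start:
        raise ValueError(f"{line!r}: end address is lower than start address")
    if version == 6 and int(start) >> 16 != int(end) >> 16:
        raise ValueError(f"{line!r}: first 112 bits of start and end differ")
    return start, end

def check_targets(lines):
    """Return (ranges, problems) for a list of planned target lines."""
    ranges, problems = [], []
    for line in lines:
        try:
            ranges.append((*parse_target(line), line))
        except ValueError as exc:
            problems.append(str(exc))
    ranges.sort(key=lambda r: (r[0].version, int(r[0])))
    widest = None  # range with the highest end address so far in this family
    for first, last, line in ranges:
        same = widest is not None and widest[0].version == first.version
        if same and first <= widest[1]:
            problems.append(f"{line!r} overlaps {widest[2]!r}")
        if not same or last > widest[1]:
            widest = (first, last, line)
    return ranges, problems

# Constructed sample; the first and third lines are the examples from this page.
PLANNED = ["ip subnet 192.168.1.1 24", "ip range 192.168.1.200 192.168.2.10",
           "ipv6 subnet 192:168::1:1 120", "ipv6 subnet 2001:db8::1 64",
           "ipv6 range 2001:db8::1:1 2001:db8::2:1"]
print(*check_targets(PLANNED)[1], sep="\n")
```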
schedule every
Use schedule every to configure an automatic asset scan schedule.
Use undo schedule every to restore the default.
Syntax
schedule every { day start-time | hour start-hour | week week-days start-time }
undo schedule every { day start-time | hour start-hour | week week-days start-time }
Default
The device performs automatic asset scans every 12 hours.
Views
Asset scan view
Predefined user roles
network-admin
context-admin
Parameters
day start-time: Performs a scan every day. The start-time argument specifies the scan start time, in the format of HH:MM.
hour hour: Performs a scan at the specified interval in hours, starting from the configuration time. The value range for the hour argument is 1 to 12.
week week-days start-time: Performs a scan every week on a specific day and time. The week-days argument specifies the start day of the scan, which can be Mon, Tue, Wed, Thu, Fri, Sat, or Sun. The start-time argument specifies the start time of the scan in the format of HH:MM.
Usage guidelines
When automatic asset scan is enabled, the device automatically initiates network asset scans to the addresses in the target IP address ranges according to the scan schedule.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the device to start asset scans at 12:30 every Friday.
<Sysname> system-view
[Sysname] asset-scan
[Sysname-asset-scan] schedule every week Fri 12:30
Related commands
auto-scan enable
ip
ipv6
tcp-port
udp-port
weak-password-scan enable
tcp-port
Use tcp-port to configure a target TCP port for network asset scan.
Use undo tcp-port to delete a target TCP port for network asset scan.
Syntax
tcp-port port-number
undo tcp-port [ port-number ]
Default
The target TCP ports are 23, 80, 139, 443, 445, 554, 631, 3389, 3872, 5800, 7080, 8000, 8080, 8088, 8180 and 8443.
Views
Asset scan view
Predefined user roles
network-admin
context-admin
Parameters
port-number: Specifies a TCP port for network asset scan, in the range of 1 to 65535.
Usage guidelines
You can configure multiple target TCP ports. When automatic asset scan is enabled, the device scans the target TCP ports.
Executing the undo tcp-port command without specifying the port-number argument deletes all the configured target TCP ports.
If you configure neither target TCP ports nor target UDP ports for network asset scan, the device scans the default target TCP ports and target UDP port. If you configure target ports for network asset scan, the device scans only the configured target ports.
Examples
# Configure a target TCP port for network asset scan.
<Sysname> system-view
[Sysname] asset-scan
[Sysname-asset-scan] tcp-port 80
Related commands
auto-scan enable
udp-port
udp-port
Use udp-port to configure a target UDP port for network asset scan.
Use undo udp-port to delete a target UDP port for network asset scan.
Syntax
udp-port port-number
undo udp-port [ port-number ]
Default
The target UDP port is 137.
Views
Asset scan view
Predefined user roles
network-admin
context-admin
Parameters
port-number: Specifies a UDP port for network asset scan, in the range of 1 to 65535.
Usage guidelines
You can configure multiple target UDP ports. When automatic asset scan is enabled, the device scans the target UDP ports.
Executing the undo udp-port command without specifying the port-number argument deletes all the configured target UDP ports.
If you configure neither target TCP ports nor target UDP ports for network asset scan, the device scans the default target TCP ports and target UDP ports. If you configure target ports for network asset scan, the device scans only the configured target ports.
Examples
# Configure a target UDP port for network asset scan.
<Sysname> system-view
[Sysname] asset-scan
[Sysname-asset-scan] udp-port 138
Related commands
auto-scan enable
tcp-port
weak-password-scan enable
Use weak-password-scan enable to enable weak password scan.
Use undo weak-password-scan enable to disable weak password scan.
Syntax
weak-password-scan enable
undo weak-password-scan enable
Default
Weak password scan is disabled.
Views
Asset scan view
Predefined user roles
network-admin
context-admin
Usage guidelines
Use this command to detect weak password risks of users for the specified services. When automatic asset scan is enabled, the device examines whether the user passwords for the services on the hosts, servers and devices at the specified IP addresses or in the specified IP address range are unsafe. Users can then change to stronger passwords according to the scanning results.
This command takes effect only after automatic asset scan is enabled.
Examples
# Enable weak password scan.
<Sysname> system-view
[Sysname] asset-scan
[Sysname-asset-scan] weak-password-scan enable
Related commands
auto-scan enable
weak-password-scan mode
weak-password-scan password
weak-password-scan service
weak-password-scan user
weak-password-scan mode
Use weak-password-scan mode to specify a weak password scan mode.
Use undo weak-password-scan mode to delete the specified weak password scan mode.
Syntax
weak-password-scan mode { custom | dict } *
undo weak-password-scan mode
Default
No weak password scan mode is specified.
Views
Asset scan view
Predefined user roles
network-admin
context-admin
Parameters
custom: Specifies the custom mode. The device uses the custom weak password dictionary for scanning.
dict: Specifies the predefined mode. The device uses the predefined weak password dictionary for scanning.
Usage guidelines
The device performs weak password scan by traversing the weak password dictionary. The passwords in the weak password dictionary are selected in turn in combination with specified usernames to try to log in to various services. If a login is successful, a weak password risk of the user is detected.
The device supports two types of weak password dictionaries:
· Custom weak password dictionary—Weak passwords configured by executing the weak-password-scan password command.
· Predefined weak password dictionary.
If you specify both the custom and dict keywords, the device uses both the custom and predefined weak password dictionaries for scanning.
This command takes effect only after weak password scan is enabled.
Examples
# Configure weak password scan to use the custom weak password dictionary for scanning.
<Sysname> system-view
[Sysname] asset-scan
[Sysname-asset-scan] weak-password-scan mode custom
Related commands
auto-scan enable
weak-password-scan enable
weak-password-scan password
weak-password-scan service
weak-password-scan user
weak-password-scan password
Use weak-password-scan password to configure a custom weak password.
Use undo weak-password-scan password to delete a custom weak password.
Syntax
weak-password-scan password password
undo weak-password-scan password [ password ]
Default
No custom weak password is configured.
Views
Asset scan view
Predefined user roles
network-admin
context-admin
Parameters
password: Specifies a custom weak password in plaintext form. The password argument is a case-sensitive string of 1 to 31 characters.
Usage guidelines
This command can be used to generate a weak password dictionary for weak password scan in the custom mode.
You can configure multiple custom weak passwords.
For weak password scan in custom mode to take effect, you must specify the custom weak passwords.
Executing the undo weak-password-scan password command without specifying the password argument deletes all custom weak passwords.
Examples
# Configure a custom weak password as 1234.
<Sysname> system-view
[Sysname] asset-scan
[Sysname-asset-scan] weak-password-scan password 1234
Related commands
auto-scan enable
weak-password-scan enable
weak-password-scan mode
weak-password-scan service
weak-password-scan user
weak-password-scan service
Use weak-password-scan service to configure a service type for weak password scan.
Use undo weak-password-scan service to restore the default.
Syntax
weak-password-scan service { ftp | http | mysql | sql-server | ssh } *
undo weak-password-scan service
Default
No service type for weak password scan is configured.
Views
Asset scan view
Predefined user roles
network-admin
context-admin
Parameters
ftp: Specifies the FTP service.
http: Specifies the HTTP service.
mysql: Specifies the MySQL service.
sql-server: Specifies the SQL Server service.
ssh: Specifies the SSH service.
Usage guidelines
When weak password scan is enabled, the device examines whether the passwords of the user for the specified services are unsafe.
If you execute this command multiple times, the most recent configuration takes effect.
Weak password scan takes effect only after the service types for weak password scan are configured.
Examples
# Configure the service types for weak password scan as FTP, SQL Server, and HTTP.
<Sysname> system-view
[Sysname] asset-scan
[Sysname-asset-scan] weak-password-scan service ftp sql-server http
Related commands
auto-scan enable
weak-password-scan enable
weak-password-scan mode
weak-password-scan password
weak-password-scan user
weak-password-scan user
Use weak-password-scan user to configure a username for weak password scan.
Use undo weak-password-scan user to delete a username for weak password scan.
Syntax
weak-password-scan user username
undo weak-password-scan user [ username ]
Default
No username for weak password scan is configured.
Views
Asset scan view
Predefined user roles
network-admin
context-admin
Parameters
username: Specifies a username, a case-sensitive string of 1 to 60 characters.
Usage guidelines
When weak password scan is enabled, the device examines whether the passwords of the user for the specified services are unsafe.
You can specify multiple usernames for weak password scan.
For weak password scan in custom mode to take effect, you must specify the usernames for weak password scan.
Executing the undo weak-password-scan user command without specifying the username argument deletes all usernames for weak password scan.
Examples
# Configure a username for weak password scan as admin.
<Sysname> system-view
[Sysname] asset-scan
[Sysname-asset-scan] weak-password-scan user admin
Related commands
auto-scan enable
weak-password-scan enable
weak-password-scan mode
weak-password-scan password
weak-password-scan service
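Several commands in this chapter take effect only when others are configured, and configuring any target port replaces the default port list. The following Python check is an added example, not vendor code: it reads a planned list of asset scan view commands and reports which settings would not take effect and which ports would actually be scanned. The names load, effective_ports, lint and SAMPLE are hypothetical, undo forms are not handled, and a repeated weak-password-scan mode command is assumed to replace the earlier one.

```python
# Defaults listed under tcp-port and udp-port on this page.
DEFAULT_TCP = [23, 80, 139, 443, 445, 554, 631, 3389, 3872, 5800, 7080, 8000,
               8080, 8088, 8180, 8443]
DEFAULT_UDP = [137]
WPS = "weak-password-scan"

def load(lines):
    """Collect asset scan view commands (undo forms are not handled)."""
    cfg = {"targets": [], "tcp": [], "udp": [], "user": [], "password": [],
           "service": [], "mode": [], "auto": False, "weak": False}
    for w in (line.split() for line in lines if line.strip()):
        if w[0] in ("ip", "ipv6"):
            cfg["targets"].append(" ".join(w))
        elif w[0] in ("tcp-port", "udp-port") and len(w) == 2:
            cfg[w[0][:3]].append(int(w[1]))
        elif w == ["auto-scan", "enable"]:
            cfg["auto"] = True
        elif w == [WPS, "enable"]:
            cfg["weak"] = True
        elif w[0] == WPS and len(w) > 2 and w[1] in ("service", "mode"):
            cfg[w[1]] = w[2:]  # latest wins (stated for service, assumed for mode)
        elif w[0] == WPS and len(w) > 2 and w[1] in ("user", "password"):
            cfg[w[1]].append(w[2])
    return cfg

def effective_ports(cfg):
    """Defaults are scanned only if no TCP and no UDP port is configured."""
    if cfg["tcp"] or cfg["udp"]:
        return sorted(set(cfg["tcp"])), sorted(set(cfg["udp"]))
    return DEFAULT_TCP, DEFAULT_UDP

def lint(cfg):
    """List settings that will not take effect per the usage guidelines."""
    checks = [
        (not cfg["targets"], "asset scan: no ip/ipv6 target range"),
        (cfg["weak"] and not cfg["auto"], "weak password scan: auto-scan is not enabled"),
        (cfg["mode"] and not cfg["weak"], "mode: weak password scan is not enabled"),
        (cfg["weak"] and not cfg["service"], "weak password scan: no service type"),
        ("custom" in cfg["mode"] and not cfg["user"], "custom mode: no username"),
        ("custom" in cfg["mode"] and not cfg["password"], "custom mode: no custom password"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed sample configuration, built from the command examples on this page.
SAMPLE = ["ip subnet 192.168.1.1 24", "tcp-port 80", "weak-password-scan enable",
          "weak-password-scan mode custom", "weak-password-scan service ftp ssh",
          "weak-password-scan service http", "weak-password-scan password 1234"]
print(effective_ports(load(SAMPLE)), lint(load(SAMPLE)))
```

With the sample input, only TCP port 80 is scanned: configuring one TCP port drops the other default TCP ports and the default UDP port 137.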