Login
- Table of Contents
-
- 04-DPI Configuration Guide
- 00-Preface
- 01-DPI overview
- 02-URL filtering configuration
- 03-Data filtering configuration
- 04-File filtering configuration
- 05-IPS configuration
- 06-DPI engine configuration
- 07-DLP configuration
- 08-Content moderation configuration
- 09-Network asset scan configuration
- 10-APT defense configuration
- 11-IP reputation configuration
- 12-Domain reputation configuration
- 13-URL reputation configuration
- 14-Data analysis center configuration
- 15-Anti-virus configuration
- 16-Proxy policy configuration
- 17-WAF configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 11-IP reputation configuration | 138.45 KB |
Restrictions and guidelines: IP reputation configuration
Restrictions: Licensing requirements for IP reputation
IP reputation tasks at a glance
Enabling IP reputation globally
Specifying actions for an attack category
Specifying an exception IP address
Enabling cloud query for IP reputation
Managing the IP reputation signature library
Restrictions and guidelines for IP reputation signature library management
Scheduling automatic IP reputation signature library update
Triggering an immediate IP reputation signature update
Performing an IP reputation signature manual update
Enabling the top hit ranking feature
Deleting the IP reputation signature library
Display and maintenance commands for IP reputation
IP reputation configuration examples
Example: Configuring IP reputation
Configuring IP reputation
About IP reputation
The IP reputation feature uses IP addresses on the IP reputation signature library and those recorded on the cloud server to filter network traffic.
IP reputation signature library
The IP reputation signature library contains IP addresses with poor reputation, which are vulnerable to DDoS attacks, command injection attacks, Trojan virus download attacks, and port scan attacks. Each IP address entry on the reputation signature library contains the attributes of the attack category, match field, and actions for matching packets.
Cloud server
The cloud server provides IP reputation cloud query to expand the locally loaded IP reputation signature library. When the library cannot match the IP address information in packets, IP reputation cloud query is used to send the IP address information to the cloud server for inspection. After the cloud server completes the inspection, it sends the results to the device. Then, the device stores the results in the local IP reputation cache for subsequent packet matching without the need to send queries to the cloud server.
Local IP reputation
Local IP reputation includes the IP reputation signature library loaded on the device and the historical query results from the cloud server, also known as the local IP reputation cache.
IP reputation workflow
Figure 1 describes the IP reputation workflow.
Figure 1 IP reputation workflow
After receiving a packet, the device performs the following operations:
1. Determines whether the source or destination IP address of the packet matches an exception IP address.
¡ If a match is found, the device forwards the packet.
¡ If no match exists, the device proceeds to the next step.
2. Determines whether the packet matches an IP address on the local IP reputation.
Whether an IP address on the local IP reputation is compared to the source or destination IP address in the packet depends on the match field attribute of the IP address entry. If the match field attribute is bidirectional, the reputation IP address is compared with both the source and destination IP addresses in the packet. A match is found when this reputation IP address is the same as either the source or destination IP address in the packet.
¡ If a match is found, the device takes actions for the attack category of the IP address. The device supports the following actions:
- Permit—Allows packets to pass through.
- Drop—Drops packets.
- Logging—Generates IP reputation logs for the matching IP address.
¡ If no match is found, the device identify whether cloud query is enabled.
- If cloud query is enabled, the device permits the packet to pass through and send IP information to the cloud server. The device will store the query results returned from the cloud server to the local IP reputation cache for subsequent IP reputation matching without further query from the cloud server.
- If cloud query is disabled, the device permits the packet to pass through.
Restrictions and guidelines: IP reputation configuration
The NSQM1FWEFGA0 service module does not support IP reputation.
Restrictions: Licensing requirements for IP reputation
To use the IP reputation feature, you must purchase a license for the feature and install it on the device. If the license expires, you can use still IP reputation with the existing IP reputation signature library on the device but you cannot upgrade the signature library to the version released after the expiration time or use the cloud query feature. For more information about licenses, see license management in Fundamentals Configuration Guide.
IP reputation tasks at a glance
To configure IP reputation, perform the following tasks:
1. Enabling IP reputation globally
2. Specifying actions for an attack category
3. (Optional.) Specifying an exception IP address
4. (Optional.) Enabling cloud query for IP reputation
5. Managing the IP reputation signature library
6. (Optional.) Enabling the top hit ranking feature
Enabling IP reputation globally
About this task
This feature identifies packets based on the source or destination IP address on the reputation signature library and processes the matching packets based on the attack category of the IP address.
Procedure
1. Enter system view.
system-view
2. Enter IP reputation view.
ip-reputation
3. Enable IP reputation globally.
global enable
By default, IP reputation is disabled globally.
Specifying actions for an attack category
About this task
On the IP reputation signature library, an IP address can belong to multiple attack categories. Each attack category has its own actions.
If an IP address belongs to only one attack category, the device takes the actions in this attack category. If an IP address belongs to multiple attack categories, the device takes an action that has higher priority among all actions in those attack categories. The drop action has higher priority than the permit action.
If logging is enabled for one of attack categories to which an IP address belongs, the device generates a log when the IP address is matched.
The device supports fast output of IP reputation logs. For more information about fast log output, see fast log output configuration in Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter IP reputation view.
ip-reputation
3. Specify actions for an attack category.
attack-category attack-id { action { deny | permit } | logging { disable | enable } } *
By default, no actions are configured for an attack category and each attack category has its own pre-defined actions.
Specifying an exception IP address
About this task
The device forwards a packet if the source or destination IP address of the packet is an exception IP address.
Procedure
1. Enter system view.
system-view
2. Enter IP reputation view.
ip-reputation
3. Specify an exception IP address.
exception ipv4 ipv4-address
By default, no exception IP address is specified.
Enabling cloud query for IP reputation
About this task
IP reputation cloud query enhances the device ability to detect risks such as DDoS attacks, Trojan downloads, and port scans. When the device's loaded IP reputation signature library is insufficient or the signature library is not loaded, you can enable cloud query to enhance IP reputation inspection capabilities on the device.
After IP reputation cloud query is enabled, the device will encapsulate the source and destination IP addresses of the packets that fail to match the local IP reputation signature library into query packets. Then, the query packets are sent to the cloud server for inspection. When the cloud server completes the query, it sends the results back to the device. The query results include the following information:
· Whether an IP address is flagged for risks such as DDoS attacks, Trojan downloads, and port scans.
· Attack category to which a risk belongs.
Restrictions and guidelines
Before you configuring this feature, make sure the cloud server for reputation services is connected. You can access the cloud server page on the Web interface to obtain the connection status of the cloud server for reputation services. For more information about how to configure the cloud server for reputation services, see "Configuring DPI engine."
Procedure
1. Enter system view.
system-view
2. Enter IP reputation view.
ip-reputation
3. Enable cloud query for IP reputation.
cloud-query enable
By default, cloud query is disabled for IP reputation.
Managing the IP reputation signature library
Restrictions and guidelines for IP reputation signature library management
· Do not delete the /dpi/ folder in the root directory of the storage medium.
· Do not perform update of the IP reputation signature library when the device's free memory is below the normal state threshold. For more information about device memory thresholds, see device management in Fundamentals Configuration Guide.
· For successful automatic and immediate signature library update, make sure the device can resolve the IP name of the company's website into an IP address through DNS. For more information about DNS, see DNS configuration in Layer 3—IP Services Configuration Guide.
· Update only one signature library at a time. Do not perform signature library update until the existing signature library update is completed.
Scheduling automatic IP reputation signature library update
About this task
You can schedule automatic IP reputation signature library update if the device can access the signature database services on the official website to update its local signature library according to the update schedule.
Procedure
1. Enter system view.
system-view
2. Enable automatic update of the IP reputation signature library and enter automatic IP reputation signature library update configuration view.
ip-reputation signature auto-update
By default, automatic update of the IP reputation signature library is disabled.
3. Schedule the update time.
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
By default, the device starts updating the IP reputation signature library at a random time between 01:00:00 and 03:00:00 every day.
Triggering an immediate IP reputation signature update
About this task
Anytime you find a release of new signature library version on the official website, you can trigger the device to immediately update the local signature library.
After you perform this task, the device immediately starts the automatic update process of the IP reputation signature library. Before overwriting the current signature library file, the device automatically backs it up to the ipreputation_sigpack_curr.dat file in the device storage medium.
Restrictions and guidelines
This feature can take effect no matter whether or not automatic signature library update is enabled.
Procedure
1. Enter system view.
system-view
2. Trigger an immediate IP reputation signature library update.
ip-reputation signature auto-update-now
Performing an IP reputation signature manual update
About this task
If the device cannot access the signature database services on the official website, use one of the following methods to manually update the IP reputation signature library on the device:
· Local update—Updates the IP reputation signature library by using a locally stored IP reputation signature library file. To use this method, first obtain the signature library file from the official website and import it to the device.
(In standalone mode.) Store the update file on the active MPU for successful signature library update.
(In IRF mode.) Store the update file on the global active MPU for successful signature library update.
· FTP/TFTP update—Updates the IP reputation signature library by using the file stored on an FTP or TFTP server. The device automatically downloads the signature file from the server before using it to update the signature library.
To specify the source IP address of request packets to the TFTP or FTP server for manual signature library update, specify the source keyword in the ip-reputation signature update command. For example, if packets from the device must be translated by NAT before accessing the TFTP or FTP server, you must specify a source IP address complied with NAT rules for NAT translation. If NAT translation is performed by an independent NAT device, make sure the IP address specified by the ip-reputation signature update command can reach the NAT device at Layer 3.
Restrictions and guidelines
If you specify both source and vpn-instance in the ip-reputation signature update command, make sure the VPN instance to which the specified source IP or interface belongs is the same as that specified by the vpn-instance keyword.
Prerequisites
To use the local update method, first obtain the signature library file from the official website and import it to the device.
To use the FTP/TFTP update method, make sure the device and the FTP/TFTP server can reach each other.
Procedure
1. Enter system view.
system-view
2. Manually update the IP reputation signature library on the device.
ip-reputation signature update file-path [ vpn-instance vpn-instance-name ] [ source { ip | ipv6 } { ip-address | interface interface-type interface-number } ]
Enabling the top hit ranking feature
About this task
This feature enables the device to collect hit statistics for IP addresses on the IP reputation signature library and rank them. After you disable this feature, the device clears hit statistics for IP reputation.
Procedure
1. Enter system view.
system-view
2. Enter IP reputation view.
ip-reputation
3. Enabling the top hit ranking feature.
top-hit-statistics enable
By default, the top hit ranking feature is disabled.
Deleting the IP reputation signature library
About this task
If the memory on the device is insufficient or the current IP reputation signature library is unnecessary, you can delete the IP reputation signature library of the current version to free up memory space.
Procedure
1. Enter system view.
system-view
2. Delete the IP reputation signature library.
ip-reputation signature rollback factory
Display and maintenance commands for IP reputation
Execute display commands in any view.
|
Task |
Command |
|
Display information about attack categories for IP reputation. |
display ip-reputation attack-category |
|
Display exception IP addresses. |
display ip-reputation exception |
|
Display IP reputation signature library information. |
display ip-reputation signature library |
|
Display statistics for IP addresses with the highest hits on the IP reputation signature library. |
In standalone mode: display ip-reputation top-hit-statistics [ top-number ] [ slot slot-id ] In IRF mode: display ip-reputation top-hit-statistics [ top-number ] [chassis chassis-number slot slot-id [ cpu cpu-id ] ] |
|
Display IP reputation information about an IP address. |
display ip-reputation ipv4 ipv4-address |
IP reputation configuration examples
Example: Configuring IP reputation
Network configuration
As shown in Figure 2, the device connects to the LAN and Internet through security zones Trust and Untrust, respectively. Configure IP reputation on the device to filter incoming and outgoing traffic on the device, and enable the top hit ranking feature to collect hit statistics.
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures static routes, and the next hop in the routes is 2.2.2.2 to the external Web server.
[Device] ip route-static 5.5.5.0 24 2.2.2.2
3. Add interfaces to security zones.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
4. Configure a security policy:
# Create security policy ip and enter its view. Create a rule named trust-untrust to allow the internal users to access the Internet.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-10-trust-untrust] source-zone trust
[Device-security-policy-ip-10-trust-untrust] source-ip-subnet 192.168.1.0 24
[Device-security-policy-ip-10-trust-untrust] destination-zone untrust
[Device-security-policy-ip-10-trust-untrust] action pass
[Device-security-policy-ip-10-trust-untrust] quit
[Device] security-policy ip
[Device-security-policy-ip] rule na
# Activate the security policy configuration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
5. Configure IP reputation.
# Enable IP reputation.
[Device] ip-reputation
[Device-ip-reputation] global enable
# Enable the top hit ranking feature.
[Device-ip-reputation] top-hit-statistics enable
# Specify actions deny and logging for attack category 1.
[Device-ip-reputation] attack-category 1 action deny logging enable
Verifying the configuration
Verify that the device drops packets that match attack category 1 and generates logs for IP addresses that are matched. You can view the top hit ranks for IP addresses on the IP reputation signature library on the Web interface.
