DPI engine commands
The following compatibility matrixes show the support of hardware platforms for DPI engine:
| Hardware series | Model | Product code | DPI engine compatibility |
|---|---|---|---|
| WX3500X series | WX3510X, WX3520X, WX3540X | EWP-WX3510X, EWP-WX3520X, EWP-WX3540X | Yes |
| WX3500X-E series | WX3508X-E | EWP-WX3508X-E | Yes |
| Access controller modules | LSEM1WBC120G0 | LSEM1WBC120G0 | No |

| Hardware series | Model | Product code | DPI engine compatibility |
|---|---|---|---|
| WX3500X-G series | WX3520X-G | EWP-WX3520X-G | Yes |

| Hardware series | Model | Product code | DPI engine compatibility |
|---|---|---|---|
| WX3800X series | WX3820X, WX3840X | EWP-WX3820X, EWP-WX3840X | Yes |
app-profile
Use app-profile to create a deep packet inspection (DPI) application profile and enter its view, or enter the view of an existing DPI application profile.
Use undo app-profile to delete a DPI application profile.
Syntax
app-profile profile-name
undo app-profile profile-name
Default
No DPI application profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies a DPI application profile name. The profile name is a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, and underscores (_).
Usage guidelines
The DPI application profile is a security service template that can include DPI service policies such as IPS policy.
A DPI application profile takes effect after a security policy rule uses it as the action. The DPI engine inspects the packets matching the security policy rule and submits the packets to the associated DPI service module for processing.
Examples
# Create a DPI application profile named abc and enter its view.
<Sysname> system-view
[Sysname] app-profile abc
[Sysname-app-profile-abc]
block-period
Use block-period to set the block period during which a source IP address is blocked.
Use undo block-period to restore the default.
Syntax
block-period period
undo block-period
Default
A source IP address is blocked for 1800 seconds.
Views
Block source parameter profile view
Predefined user roles
network-admin
Parameters
period: Specifies the block period in the range of 1 to 86400 seconds.
Usage guidelines
For the block period to take effect, make sure the blacklist feature is enabled.
The device drops the packet that matches an inspection rule and adds the packet's source IP address to the IP blacklist.
· If the blacklist feature is enabled, the device directly drops subsequent packets from the source IP address during the block period.
· If the blacklist feature is disabled, the block period does not take effect. The device inspects all packets and drops the matching ones.
For more information about the blacklist feature, see attack detection and prevention in the Security Configuration Guide.
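The interaction between the block period and the blacklist feature is easy to misread, so the following Python model (an added illustration, not H3C device code) replays the two cases above: a matching packet is dropped and its source is blacklisted for block-period seconds, and only when the blacklist feature is enabled are later packets from that source dropped without inspection. The inspection rule and the traffic are constructed for the model.

```python
# Model of the block-source action (added illustration, not H3C device code):
# a packet that matches an inspection rule is dropped and its source IP is
# blacklisted for block-period seconds. Whether later packets are dropped
# without inspection depends on the blacklist feature being enabled.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

DEFAULT_BLOCK_PERIOD = 1800   # seconds, the default stated on the page


def sample_rule(payload: bytes) -> bool:
    """Constructed stand-in for an inspection rule: a marker string counts as a match."""
    return b"RULE-MATCH" in payload


@dataclass
class BlockSourceEngine:
    block_period: int = DEFAULT_BLOCK_PERIOD
    blacklist_enabled: bool = True
    rule: Callable[[bytes], bool] = sample_rule
    blacklist: Dict[str, int] = field(default_factory=dict)  # src IP -> expiry time
    inspected: int = 0                                       # packets actually inspected

    def handle(self, src_ip: str, payload: bytes, now: int) -> str:
        """Return the verdict for one packet arriving at time `now` (seconds)."""
        expiry = self.blacklist.get(src_ip)
        if expiry is not None and now >= expiry:
            del self.blacklist[src_ip]            # block period has elapsed
            expiry = None
        # Blacklist feature on: a blacklisted source is dropped without inspection.
        # Blacklist feature off: the block period has no effect, every packet is inspected.
        if self.blacklist_enabled and expiry is not None:
            return "drop-blacklisted"
        self.inspected += 1
        if self.rule(payload):
            self.blacklist[src_ip] = now + self.block_period
            return "drop-match"
        return "permit"


def run_scenario(blacklist_enabled: bool, block_period: int,
                 packets: List[Tuple[int, str, bytes]]) -> Tuple[List[str], int]:
    """Feed (time, src_ip, payload) packets through the model; return verdicts and the inspected count."""
    engine = BlockSourceEngine(block_period=block_period, blacklist_enabled=blacklist_enabled)
    verdicts = [engine.handle(src, payload, t) for t, src, payload in packets]
    return verdicts, engine.inspected


# Constructed traffic: one matching packet, a benign packet inside the block
# period, and a benign packet after the period has expired.
SAMPLE_PACKETS = [
    (0,    "192.0.2.10", b"GET /x RULE-MATCH"),
    (10,   "192.0.2.10", b"GET /index.html"),
    (3700, "192.0.2.10", b"GET /index.html"),
]

if __name__ == "__main__":
    print(run_scenario(True, 3600, SAMPLE_PACKETS))
    print(run_scenario(False, 3600, SAMPLE_PACKETS))
```

With the blacklist feature enabled the second packet is dropped without being inspected; with it disabled the same packet is inspected and permitted, which is the difference the two bullets above describe.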
Examples
# Set the block period to 3600 seconds in block source parameter profile b1.
<Sysname> system-view
[Sysname] inspect block-source parameter-profile b1
[Sysname-inspect-block-source-b1] block-period 3600
Related commands
blacklist global enable (Security Command Reference)
inspect block-source parameter-profile
capture-limit
Use capture-limit to set the maximum volume of captured packets that can be cached.
Use undo capture-limit to restore the default.
Syntax
capture-limit Kilobytes
undo capture-limit
Default
The device can cache a maximum of 512 Kilobytes of captured packets.
Views
Capture parameter profile view
Predefined user roles
network-admin
Parameters
Kilobytes: Specifies the maximum volume in the range of 0 to 1024 Kilobytes.
Usage guidelines
The device caches captured packets locally. It exports the cached captured packets to a URL when the volume of cached captured packets reaches the maximum, and clears the cache. After the export, the device starts to capture packets again.
If you set the maximum volume of cached captured packets to 0 Kilobytes, the device immediately exports a packet to the URL after the packet is captured.
Examples
# Set the maximum volume of cached captured packets to 1024 Kilobytes in capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1] capture-limit 1024
Related commands
export repeating-at
export url
inspect capture parameter-profile
display inspect file-category
Use display inspect file-category to display information about file categories that the DPI engine supports.
Syntax
display inspect file-category { all | name category-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Specifies all supported file categories.
name category-name: Specifies the detailed information about the specified file category by its name. Category names are case insensitive. To view the supported file categories, enter a question mark (?) after the name keyword.
Usage guidelines
This command displays all file categories and file category IDs that the DPI engine supports.
With file category specified, you can view all file information contained in the specified category, including the total number, names and IDs.
Examples
# Display information about file categories that the DPI engine supports.
<Sysname> display inspect file-category all
File category count:10
File category name File category ID
Windows_Executable_File 0x00000001
Unix_Executable_File 0x00000002
Document_File 0x00000003
Compressed_File 0x00000004
Video_File 0x00000005
Image_File 0x00000006
Web_File 0x00000007
Script_File 0x00000008
Other 0x00000009
Code_File 0x0000000a
display inspect file-type
Use display inspect file-type to display information about file types that the DPI engine supports.
Syntax
display inspect file-type { all | name file-type-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Specifies all supported file types.
name file-type-name: Specifies the detailed information about the specified file type by its name. Type names are case insensitive. To view the supported file types, enter a question mark (?) after the name keyword.
Usage guidelines
This command displays all file types and file type IDs that the DPI engine supports.
With file type specified, you can view all file information contained in the specified type, including the total number, descriptions and IDs.
Examples
# Display information about file types that the DPI engine supports.
<Sysname> system-view
[Sysname] display inspect file-type all
File count:7
File type name File type ID
PE 0x00000001
ZIP 0x00000002
DOC 0x00000003
JPE,JFIF,JPEG,JPG 0x00000004
PNG 0x00000005
DIB,BMP 0x00000006
PSD 0x00000007
display inspect md5-verify configuration
Use display inspect md5-verify configuration to display information about the MD5 hash-based virus inspection for all files feature.
Syntax
display inspect md5-verify configuration
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about the MD5 hash-based virus inspection for all files feature.
<Sysname> system-view
[Sysname] display inspect md5-verify configuration
MD5 file verification for all files: Enabled
Table 1 Command output
| Field | Description |
|---|---|
| MD5 file verification for all files | Status of the MD5 hash-based virus inspection for all files feature: Enabled or Disabled. |
Related commands
inspect md5-verify all-files
display inspect smb-breakpoint-resume table
Use display inspect smb-breakpoint-resume table to display the breakpoint resumption table for the SMB protocol.
Syntax
display inspect smb-breakpoint-resume table { ipv4 | ipv6 } [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a cloud cluster member device by its member ID. If you do not specify a member device, this command displays the breakpoint resumption table for all member devices.
Usage guidelines
The SMB protocol supports breakpoint resumption. When a file transfer is interrupted, SMB can create a new session to transfer the subsequent file data. When a file transferred via the SMB protocol is processed by the drop, block source, redirect, or reset DPI action, the device creates a breakpoint resumption table entry that records the source IP, destination IP, source VRF, destination VRF, and file name of the file. When the device receives a subsequent file of the SMB protocol, it matches the file information against the breakpoint resumption table. If a match is found, the device takes the same action on the file. In this manner, subsequent files can be blocked.
You can use this command to analyze which files were dropped.
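The following Python model (an added illustration, not H3C device code) shows the table mechanism described above: entries are keyed by source IP, destination IP, source VRF, destination VRF and file name, only the drop, block source, redirect and reset actions create entries, and a later SMB transfer with the same key receives the recorded action. It also parses the display output format shown below into keys; the display text embedded in the block is constructed from that format.

```python
# Model of the SMB breakpoint resumption table (added illustration, not H3C
# device code). Entries are keyed by the five fields the page lists; a later
# transfer with the same key gets the recorded action.
import re
from dataclasses import dataclass
from typing import Dict, List

BREAKPOINT_ACTIONS = {"drop", "block-source", "redirect", "reset"}


@dataclass(frozen=True)
class SmbFileKey:
    src_ip: str
    dst_ip: str
    src_vrf: str
    dst_vrf: str
    file_name: str


class SmbBreakpointResumeTable:
    def __init__(self) -> None:
        self._entries: Dict[SmbFileKey, str] = {}

    def record(self, key: SmbFileKey, action: str) -> bool:
        """Record the action taken on a file; only the blocking actions create an entry."""
        if action not in BREAKPOINT_ACTIONS:
            return False
        self._entries[key] = action
        return True

    def decide(self, key: SmbFileKey, rule_action: str) -> str:
        """Action for a subsequent transfer: an existing entry wins, otherwise the rule's own action."""
        return self._entries.get(key, rule_action)

    def reset(self) -> None:
        """Counterpart of 'reset inspect smb-breakpoint-resume table'."""
        self._entries.clear()

    def __len__(self) -> int:
        return len(self._entries)


_FIELD_RE = re.compile(r"^\s*(Source IP|Destination IP|Source VRF|Destination VRF|File name):\s*(.+?)\s*$")


def parse_display_output(text: str) -> List[SmbFileKey]:
    """Turn 'display inspect smb-breakpoint-resume table' output into keys (one per File name line)."""
    keys: List[SmbFileKey] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if not m:
            continue
        current[m.group(1)] = m.group(2)
        if m.group(1) == "File name":   # last field of an entry
            keys.append(SmbFileKey(current["Source IP"], current["Destination IP"],
                                   current["Source VRF"], current["Destination VRF"],
                                   current["File name"]))
            current = {}
    return keys


# Constructed display text in the format the page shows.
SAMPLE_DISPLAY = """\
Slot 1:
Smb-breakpoint-resume table information:
Source IP: 1.1.1.1
Destination IP: 2.2.2.2
Source VRF: public
Destination VRF: public
MDC ID: 1
File name: test.txt
Source IP: 3.3.3.3
Destination IP: 4.4.4.4
Source VRF: public
Destination VRF: public
MDC ID: 2
File name: test.doc
"""


def demo() -> List[str]:
    """Load the sample table as 'drop' entries and decide on three follow-up transfers."""
    table = SmbBreakpointResumeTable()
    for key in parse_display_output(SAMPLE_DISPLAY):
        table.record(key, "drop")
    resumed = SmbFileKey("1.1.1.1", "2.2.2.2", "public", "public", "test.txt")
    other_file = SmbFileKey("1.1.1.1", "2.2.2.2", "public", "public", "notes.txt")
    other_vrf = SmbFileKey("3.3.3.3", "4.4.4.4", "vpn1", "public", "test.doc")
    return [table.decide(k, "permit") for k in (resumed, other_file, other_vrf)]


if __name__ == "__main__":
    print(demo())
```

Only the resumed transfer of test.txt inherits the drop; a different file name or a different source VRF produces a different key and falls back to the rule's own action.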
Examples
# Display the breakpoint resumption table for the SMB protocol.
<Sysname> display inspect smb-breakpoint-resume table ipv4
Slot 1:
Smb-breakpoint-resume table information:
Source IP: 1.1.1.1
Destination IP: 2.2.2.2
Source VRF: public
Destination VRF: public
MDC ID: 1
File name: test.txt
Source IP: 3.3.3.3
Destination IP: 4.4.4.4
Source VRF: public
Destination VRF: public
MDC ID: 2
File name: test.doc
Table 2 Command output
| Field | Description |
|---|---|
| Source VRF | If the file is from the public network, this field displays public. |
| Destination VRF | If the file is destined for the public network, this field displays public. |
Related commands
reset inspect smb-breakpoint-resume table
display inspect status
Use display inspect status to display the status of the DPI engine.
Syntax
display inspect status
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the status of the DPI engine.
<Sysname> display inspect status
Chassis 0 Slot 1:
Running status: normal
Table 3 Command output
| Field | Description |
|---|---|
| Running status | Status of the DPI engine: · bypass by configure—The DPI engine cannot process packets because of a configuration error. · bypass by cpu busy—The DPI engine cannot process packets because of an excessive CPU usage. · normal—The DPI engine is running correctly. |
export repeating-at
Use export repeating-at to set the daily export time for cached captured packets.
Use undo export repeating-at to restore the default.
Syntax
export repeating-at time
undo export repeating-at
Default
The system exports cached captured packets at 1:00 a.m. every day.
Views
Capture parameter profile view
Predefined user roles
network-admin
Parameters
time: Specifies the daily export time in the format of hh:mm:ss in the range of 00:00:00 to 23:59:59.
Usage guidelines
The device exports cached captured packets to a URL and clears the cache at the daily export time, whether or not the volume of cached captured packets reaches the maximum.
Examples
# Configure the device to export cached captured packets at 2:00 a.m. every day in the capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1] export repeating-at 02:00:00
Related commands
capture-limit
export url
inspect capture parameter-profile
export url
Use export url to specify the URL to which the cached captured packets are exported.
Use undo export url to restore the default.
Syntax
export url url-string
undo export url
Default
No URL is specified for exporting the cached captured packets.
Views
Capture parameter profile view
Predefined user roles
network-admin
Parameters
url-string: Specifies the URL, a string of 1 to 255 characters.
Usage guidelines
The device exports the cached captured packets to the specified URL at the daily export time or when the volume of cached captured packets reaches the maximum. After the captured packets are exported, the system clears the cache.
If you do not specify a URL, the device still exports the cached captured packets but the export fails.
Examples
# Configure the device to export cached captured packets to URL tftp://192.168.100.100/upload in the capture parameter profile c1.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1] export url tftp://192.168.100.100/upload
Related commands
capture-limit
export repeating-at
inspect capture parameter-profile
inspect activate
Use inspect activate to activate the policy and rule configurations for DPI service modules.
Syntax
inspect activate
Default
The creation, modification, and deletion of DPI service policies and rules do not take effect.
Views
System view
Predefined user roles
network-admin
Usage guidelines
CAUTION: This command causes transient DPI service interruption. DPI-based services might also be interrupted. For example, security policies cannot control access to applications.
You can use the inspect activate command to manually validate the policy and rule configurations for DPI service modules (for example, IPS). This operation produces the same effect as saving the configurations and rebooting the device.
Examples
# Activate the policy and rule configurations for DPI service modules.
<Sysname> system-view
[Sysname] inspect activate
inspect block-source parameter-profile
Use inspect block-source parameter-profile to create a block source parameter profile and enter its view, or enter the view of an existing block source parameter profile.
Use undo inspect block-source parameter-profile to delete a block source parameter profile.
Syntax
inspect block-source parameter-profile parameter-name
undo inspect block-source parameter-profile parameter-name
Default
No block source parameter profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
parameter-name: Specifies a block source parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In block source parameter profile view, you can set parameters for the block source action, such as the block period.
Examples
# Create a block source parameter profile named b1 and enter its view.
<Sysname> system-view
[Sysname] inspect block-source parameter-profile b1
[Sysname-inspect-block-source-b1]
Related commands
block-period
inspect bypass
Use inspect bypass to disable the DPI engine.
Use undo inspect bypass to enable the DPI engine.
Syntax
inspect bypass
undo inspect bypass
Default
The DPI engine is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
CAUTION: This command causes transient DPI service interruption. DPI-based services might also be interrupted. For example, security policies cannot control access to applications.
Packet inspection in the DPI engine is a complex and resource-consuming process. When the CPU usage is high, you can disable the DPI engine to guarantee the device performance.
Examples
# Disable the DPI engine.
<Sysname> system-view
[Sysname] inspect bypass
Related commands
display inspect status
inspect capture parameter-profile
Use inspect capture parameter-profile to create a capture parameter profile and enter its view, or enter the view of an existing capture parameter profile.
Use undo inspect capture parameter-profile to delete a capture parameter profile.
Syntax
inspect capture parameter-profile parameter-name
undo inspect capture parameter-profile parameter-name
Default
No capture parameter profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
parameter-name: Specifies a capture parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In capture parameter profile view, you can set parameters for the packet capture action, such as the maximum volume of cached captured packets.
Only the IPS module supports the packet capture action.
Examples
# Create a capture parameter profile named c1 and enter its view.
<Sysname> system-view
[Sysname] inspect capture parameter-profile c1
[Sysname-inspect-capture-c1]
Related commands
capture-limit
export repeating-at
export url
inspect coverage
Use inspect coverage to configure a DPI engine inspection mode.
Use undo inspect coverage to restore the default.
Syntax
inspect coverage { balanced | large-coverage | high-performance | user-defined }
undo inspect coverage
Default
The DPI engine uses the balanced mode.
Views
System view
Predefined user roles
network-admin
Parameters
balanced: Specifies the balanced mode. This mode makes a tradeoff between the device performance and inspection coverage.
large-coverage: Specifies the large coverage mode. This mode appropriately reduces device performance to achieve the best inspection coverage.
high-performance: Specifies the high performance mode. This mode appropriately reduces the inspection coverage to ensure the best device performance.
user-defined: Specifies the user-defined mode. This mode allows you to adjust the inspection length of the DPI engine as required.
Usage guidelines
Select an inspection mode as required:
· Balanced mode—Applicable to most scenarios. This mode makes a tradeoff between the device performance and inspection coverage. The maximum length is 32 Kilobytes for FTP, HTTP, SMB, NFS, and email streams, and the maximum file length for MD5 inspection is 2048 Kilobytes.
· Large coverage mode—Applicable to the scenarios that require large inspection coverage. This mode improves the inspection coverage at the cost of device performance. The maximum length is 128 Kilobytes for FTP, HTTP, SMB, NFS, and email streams, and the maximum file length for MD5 inspection is 5120 Kilobytes.
· High performance mode—Applicable to the scenarios that require high device performance. This mode improves the device performance while ensuring a certain inspection coverage. The maximum length is 32 Kilobytes for FTP, HTTP, SMB, NFS, and email streams, and the maximum file length for MD5 inspection is 32 Kilobytes.
· User-defined mode—Applicable to the scenarios that have specific requirements for inspection coverage and device performance. In this mode, you can execute the inspect stream-fixed-length and inspect md5-fixed-length commands to set the maximum stream length for inspection and maximum file length for MD5 value calculation, respectively.
Examples
# Configure the user-defined mode as the DPI engine inspection mode.
<Sysname> system-view
[Sysname] inspect coverage user-defined
Related commands
inspect stream-fixed-length enable
inspect file-fixed-length enable
inspect file-fixed-length enable
Use inspect file-fixed-length enable to enable file fixed length inspection.
Use undo inspect file-fixed-length enable to disable file fixed length inspection.
Syntax
inspect file-fixed-length enable
undo inspect file-fixed-length enable
Default
The file fixed length inspection is disabled and the file inspection length is not limited.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command can be executed only if the DPI engine inspection mode is user-defined mode.
The file fixed length inspection feature enables the DPI engine to inspect only a fixed length of file data instead of the entire file in each data stream.
With this feature configured, the DPI engine cannot identify the remaining file data that exceeds the defined fixed length, affecting the data filtering service.
Examples
# Enable file fixed length inspection.
<Sysname> system-view
[Sysname] inspect file-fixed-length enable
Related commands
inspect coverage user-defined
inspect file-fixed-length
inspect file-fixed-length
Use inspect file-fixed-length to set the fixed length for file inspection.
Use undo inspect file-fixed-length to restore the default.
Syntax
inspect file-fixed-length { email | ftp | http | nfs | smb } * length-value
undo inspect file-fixed-length
Default
The fixed length is 32 Kilobytes for FTP, HTTP, NFS, SMB, and email files.
Views
System view
Predefined user roles
network-admin
Parameters
email: Specifies email protocols, including SMTP, POP3, and IMAP.
ftp: Specifies the FTP protocol.
http: Specifies the HTTP protocol.
nfs: Specifies the NFS protocol.
smb: Specifies the SMB protocol.
length-value: Specifies the fixed length in the range of 1 to 2048 Kilobytes.
Usage guidelines
This command can be executed only if the DPI engine inspection mode is user-defined mode.
Typically, virus signatures are embedded in the first half of a file. Narrowing the inspection scope of each file improves the file inspection efficiency.
If a data stream contains multiple files, this feature inspects only the fixed length data of each file.
Because files are transmitted in a data stream, the fixed length of files must not be longer than that of the data stream configured by the inspect stream-fixed-length command.
Examples
# Set the fixed length to 128 Kilobytes for inspecting each HTTP file.
<Sysname> system-view
[Sysname] inspect file-fixed-length http 128
Related commands
inspect coverage user-defined
inspect file-fixed-length enable
inspect stream-fixed-length
inspect file-uncompr-layer
Use inspect file-uncompr-layer to set the maximum number of layers that can be decompressed.
Use undo inspect file-uncompr-layer to restore the default.
Syntax
inspect file-uncompr-layer max-layer
undo inspect file-uncompr-layer
Default
A maximum of three layers can be decompressed in a file.
Views
System view
Predefined user roles
network-admin
Parameters
max-layer: Specifies the maximum number of layers that can be decompressed in a file. The value range is 0 to 8. Value 0 indicates that the file will not be decompressed.
Usage guidelines
DPI engine can decompress only .zip and .gzip files for signature matching. This command specifies the maximum number of layers that can be decompressed in a file. DPI engine decompresses only the layers within the decompression layer limit.
Set an appropriate decompression layer limit.
· If you set a large limit, DPI engine might get stuck in decompressing a multi-layer compressed file, affecting the decompression of subsequent files and consuming a large amount of the memory.
· If you set a small limit, DPI engine might not identify the original file content correctly, affecting the accuracy of the file inspection results for DPI services.
Examples
# Set the maximum number of layers that can be decompressed in a file to 5.
<Sysname> system-view
[Sysname] inspect file-uncompr-layer 5
Related commands
inspect file-uncompr-len
inspect file-uncompr-len
Use inspect file-uncompr-len to set the maximum data size that can be decompressed in a file.
Use undo inspect file-uncompr-len to restore the default.
Syntax
inspect file-uncompr-len max-size
undo inspect file-uncompr-len
Default
A maximum of 100 MB data can be decompressed in a file.
Views
System view
Predefined user roles
network-admin
Parameters
max-size: Specifies the maximum data size in the range of 1 to 200 MB.
Usage guidelines
The device can decompress .zip files for file data inspection. This command specifies the maximum data size that can be decompressed in a file. The remaining file data will be ignored.
Set an appropriate maximum data size for file decompression. A large data size might make the device get stuck in decompressing large files and the device forwarding performance might be affected. A small data size will affect the accuracy of the file inspection results for DPI services.
Examples
# Set the maximum data size that can be decompressed in a file to 150 MB.
<Sysname> system-view
[Sysname] inspect file-uncompr-len 150
inspect logging parameter-profile
Use inspect logging parameter-profile to create a logging parameter profile and enter its view, or enter the view of an existing logging parameter profile.
Use undo inspect logging parameter-profile to delete a logging parameter profile.
Syntax
inspect logging parameter-profile parameter-name
undo inspect logging parameter-profile parameter-name
Default
No logging parameter profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
parameter-name: Specifies a logging parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In logging parameter profile view, you can set parameters for the logging action, such as the log output method.
Examples
# Create a logging parameter profile named log1 and enter its view.
<Sysname> system-view
[Sysname] inspect logging parameter-profile log1
[Sysname-inspect-logging-log1]
Related commands
log
inspect md5-fixed-length enable
Use inspect md5-fixed-length enable to enable MD5 fixed-length file inspection.
Use undo inspect md5-fixed-length enable to disable MD5 fixed-length file inspection.
Syntax
inspect md5-fixed-length enable
undo inspect md5-fixed-length enable
Default
MD5 fixed-length file inspection is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command can be executed only if the DPI engine inspection mode is user-defined mode.
The MD5 fixed-length file inspection feature enables the DPI engine to calculate the MD5 values of files of fixed lengths. When a file length reaches the defined file length for MD5 inspection, the DPI engine stops calculating the MD5 value for the file.
Examples
# Disable MD5 fixed-length file inspection.
<Sysname> system-view
[Sysname] undo inspect md5-fixed-length enable
Related commands
inspect coverage user-defined
inspect md5-fixed-length
inspect md5-fixed-length
Use inspect md5-fixed-length to set the fixed file length for MD5 inspection.
Use undo inspect md5-fixed-length to restore the default.
Syntax
inspect md5-fixed-length { email | ftp | http | nfs | smb } * length
undo inspect md5-fixed-length
Default
The fixed length of FTP, HTTP, SMB, NFS, and email files for MD5 inspection is 2048 Kilobytes.
Views
System view
Predefined user roles
network-admin
Parameters
email: Specifies email protocols, including SMTP, POP3, and IMAP.
ftp: Specifies the FTP protocol.
http: Specifies the HTTP protocol.
nfs: Specifies the NFS protocol.
smb: Specifies the SMB protocol.
length: Specifies the fixed file length for MD5 inspection in the range of 1 to 5120 Kilobytes. Make sure the fixed file length for MD5 inspection is longer than the fixed length for stream inspection.
Usage guidelines
This command can be executed only if the DPI engine inspection mode is user-defined mode.
For some DPI services, the DPI engine inspects the packet signatures and MD5 values at the same time. After reaching the fixed length for stream inspection, the DPI engine will stop the packet signature inspection but will not stop the MD5 inspection until the fixed MD5 inspection length is reached.
The increase of the file length for MD5 inspection will reduce the device performance but improve the success rate of the MD5 inspection. The decrease of the file length for MD5 inspection will improve the device performance but reduce the success rate of the MD5 inspection.
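The fixed-length commands carry ordering constraints that the device states in two places: the file fixed length (inspect file-fixed-length) must not exceed the stream fixed length, and the MD5 fixed length (this command) must exceed it. The following Python check (an added illustration, not H3C device code) encodes those constraints together with the value ranges and defaults given on this page, so a planned user-defined configuration can be checked before it is typed in. The stream fixed length is taken as an input per protocol because this section does not state its range or default.

```python
# Consistency check for user-defined inspection mode (added illustration, not
# H3C device code). Encodes the constraints stated on the page: the fixed-length
# commands require user-defined coverage; file fixed length is 1 to 2048 KB and
# must not exceed the stream fixed length; MD5 fixed length is 1 to 5120 KB and
# must be longer than the stream fixed length.
from typing import Dict, List

PROTOCOLS = ("email", "ftp", "http", "nfs", "smb")
FILE_FIXED_RANGE_KB = (1, 2048)
MD5_FIXED_RANGE_KB = (1, 5120)
FILE_FIXED_DEFAULT_KB = 32       # defaults stated on the page
MD5_FIXED_DEFAULT_KB = 2048


def validate_user_defined_lengths(coverage: str,
                                  stream_len_kb: Dict[str, int],
                                  file_len_kb: Dict[str, int],
                                  md5_len_kb: Dict[str, int]) -> List[str]:
    """Return the list of violations; an empty list means the lengths are consistent.

    stream_len_kb: per-protocol stream fixed length (assumed input, not defaulted here).
    file_len_kb / md5_len_kb: per-protocol values from the fixed-length commands;
    a missing protocol keeps the page's default.
    """
    if coverage != "user-defined":
        return ["fixed-length commands require 'inspect coverage user-defined'"]
    problems: List[str] = []
    for proto in PROTOCOLS:
        f = file_len_kb.get(proto, FILE_FIXED_DEFAULT_KB)
        m = md5_len_kb.get(proto, MD5_FIXED_DEFAULT_KB)
        s = stream_len_kb.get(proto)
        if not FILE_FIXED_RANGE_KB[0] <= f <= FILE_FIXED_RANGE_KB[1]:
            problems.append(f"{proto}: file fixed length {f} KB outside {FILE_FIXED_RANGE_KB}")
        if not MD5_FIXED_RANGE_KB[0] <= m <= MD5_FIXED_RANGE_KB[1]:
            problems.append(f"{proto}: MD5 fixed length {m} KB outside {MD5_FIXED_RANGE_KB}")
        if s is None:
            problems.append(f"{proto}: stream fixed length unknown, cannot check ordering")
            continue
        if f > s:
            problems.append(f"{proto}: file fixed length {f} KB exceeds stream fixed length {s} KB")
        if m <= s:
            problems.append(f"{proto}: MD5 fixed length {m} KB must exceed stream fixed length {s} KB")
    return problems


if __name__ == "__main__":
    # Constructed configuration: 32 KB streams, HTTP files at 128 KB, FTP MD5 at 16 KB.
    for line in validate_user_defined_lengths("user-defined",
                                              {p: 32 for p in PROTOCOLS},
                                              {"http": 128}, {"ftp": 16}):
        print(line)
```

Running the block with the constructed configuration reports the HTTP file length as exceeding the stream length and the FTP MD5 length as not exceeding it, which are exactly the two misconfigurations the guidelines on this page warn against.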
Examples
# Set the fixed lengths of FTP and HTTP files for MD5 inspection to 1024 and 512 Kilobytes, respectively.
<Sysname> system-view
[Sysname] inspect md5-fixed-length ftp 1024 http 512
Related commands
inspect coverage user-defined
inspect md5-fixed-length enable
inspect md5-verify all-files
Use inspect md5-verify all-files to enable MD5 hash-based virus inspection for all files.
Use undo inspect md5-verify all-files to restore the default.
Syntax
inspect md5-verify all-files
undo inspect md5-verify all-files
Default
The DPI engine performs MD5 hash-based virus inspection only for executable files, office files, and compressed files.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This feature enables the DPI engine to generate MD5 hashes for all files and to compare the generated MD5 hashes with the MD5 rules in the signature library. If the MD5 hash generated for a file matches an MD5 rule in the signature library, the file is considered to contain viruses.
This feature might degrade the processing performance of other services. Enable it only when necessary.
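The following Python model (an added illustration, not H3C device code) combines the two MD5 behaviours this section describes: by default only executable, office and compressed files are hashed and compared with the MD5 rules, inspect md5-verify all-files extends that to every file category, and with MD5 fixed-length inspection enabled the engine stops hashing a file once it exceeds the fixed length, so such a file produces no hash to match. Mapping "office files" to the Document_File category and the byte-level cutoff rule are assumptions of this model; the signature set and sample files are constructed inside the block.

```python
# Model of MD5 hash-based virus inspection (added illustration, not H3C device
# code): category gating, the all-files override, and the fixed-length cutoff.
import hashlib
from typing import Iterable, Iterator, Optional, Set, Tuple

# Assumption: "executable, office and compressed files" correspond to these
# categories from 'display inspect file-category'.
DEFAULT_MD5_CATEGORIES = {"Windows_Executable_File", "Unix_Executable_File",
                          "Document_File", "Compressed_File"}


def md5_inspect(chunks: Iterable[bytes], category: str, signatures: Set[str],
                all_files: bool = False, fixed_length_enabled: bool = True,
                md5_fixed_len_kb: int = 2048) -> Tuple[str, Optional[str]]:
    """Return (verdict, digest). Verdicts: 'virus', 'clean', 'skipped-category', 'skipped-length'."""
    if not all_files and category not in DEFAULT_MD5_CATEGORIES:
        return "skipped-category", None
    limit = md5_fixed_len_kb * 1024 if fixed_length_enabled else None
    h = hashlib.md5()
    seen = 0
    for chunk in chunks:            # files arrive as stream segments; hash incrementally
        seen += len(chunk)
        if limit is not None and seen > limit:
            return "skipped-length", None   # engine stops hashing past the fixed length
        h.update(chunk)
    digest = h.hexdigest()
    return ("virus" if digest in signatures else "clean"), digest


def chunked(data: bytes, size: int) -> Iterator[bytes]:
    """Split a byte string into transmission-sized segments."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


# Constructed samples: the "signature library" holds the hash of one sample file.
SAMPLE_FILE = b"MZ" + b"constructed sample payload " * 8
SIGNATURES = {hashlib.md5(SAMPLE_FILE).hexdigest()}
BIG_FILE = bytes(3 * 1024)       # 3 KB of zeros, longer than the 2 KB cutoff used below


def demo() -> dict:
    """Verdicts for the sample file under the different settings discussed on the page."""
    return {
        "exe-default":     md5_inspect(chunked(SAMPLE_FILE, 64), "Windows_Executable_File", SIGNATURES)[0],
        "image-default":   md5_inspect(chunked(SAMPLE_FILE, 64), "Image_File", SIGNATURES)[0],
        "image-all-files": md5_inspect(chunked(SAMPLE_FILE, 64), "Image_File", SIGNATURES, all_files=True)[0],
        "exe-over-cutoff": md5_inspect(chunked(BIG_FILE, 1024), "Windows_Executable_File", SIGNATURES,
                                       md5_fixed_len_kb=2)[0],
        "exe-no-cutoff":   md5_inspect(chunked(BIG_FILE, 1024), "Windows_Executable_File", SIGNATURES,
                                       fixed_length_enabled=False)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The image file is only caught once all-files is on, and the file that outgrows the MD5 fixed length is never matched, which is the success-rate tradeoff the inspect md5-fixed-length guidelines describe.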
Examples
# Enable MD5 hash-based virus inspection for all files.
<Sysname> system-view
[Sysname] inspect md5-verify all-files
Related commands
display inspect md5-verify configuration
inspect optimization disable
Use inspect optimization disable to disable a DPI engine optimization feature.
Use undo inspect optimization disable to enable a DPI engine optimization feature.
Syntax
inspect optimization [ chunk | no-acsignature | raw | uncompress | url-normalization ] disable
undo inspect optimization [ chunk | no-acsignature | raw | uncompress | url-normalization ] disable
Default
All DPI engine optimization features are enabled.
Views
System view
Predefined user roles
network-admin
Parameters
chunk: Specifies the chunked packet decoding feature.
no-acsignature: Specifies the inspection rules that do not contain AC patterns.
raw: Specifies the application layer payload decoding feature.
uncompress: Specifies the HTTP body uncompression feature.
url-normalization: Specifies the HTTP URL normalization feature.
Usage guidelines
If you do not specify any parameter, this command applies to all DPI engine optimization features.
DPI engine supports the following optimization features:
· Chunked packet decoding—Chunk is a packet transfer mechanism of the HTTP body. DPI engine must decode a chunked HTTP body before it inspects the HTTP body. When the device throughput is too low to ensure basic communication, you can disable DPI engine from decoding chunked packets to improve the device performance. However, when chunked packet decoding is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.
· Inspection rules that do not contain AC patterns—Inspection rules that do not contain AC patterns contain only options. These rules match packets by fields such as port numbers and error codes rather than by character strings. These rules by default are enabled to improve the inspection accuracy. However, when the device throughput is too low to ensure basic communication, you can disable these rules to improve the device performance.
· Application layer payload decoding—For application layer protocols featuring encoding and decoding, such as HTTP, SMTP, POP3, and IMAP4, DPI engine must decode the payload before inspection. When the device throughput is too low to ensure basic communication, you can disable DPI engine from decoding application layer payloads to improve the device performance. However, disabling application layer payload decoding affects the inspection accuracy of the DPI engine.
· HTTP body uncompression—If the HTTP body field is compressed, DPI engine must uncompress the body before inspection. When the device throughput is too low to ensure basic communication, you can disable DPI engine from uncompressing the HTTP body field to improve the device performance. However, when HTTP body uncompression is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.
· HTTP URL normalization—HTTP URL normalization is the process by which the absolute path in a URL is normalized and special URLs are standardized and checked. For example, the absolute path test/dpi/../index.html is normalized as test/index.html. When the device throughput is too low to ensure basic communication, you can disable DPI engine from normalizing HTTP URLs to improve the device performance. However, when HTTP URL normalization is disabled, the DPI engine cannot identify some attacks that exploit security vulnerabilities.
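A worked version of the HTTP URL normalization step (an added illustration, not the DPI engine's own code): it resolves the . and .. segments and collapses repeated slashes, reproducing the test/dpi/../index.html example above, and additionally decodes percent-encoded unreserved characters first, which is the standard RFC 3986 normalization step and goes beyond what the page states. The rule_matches function shows why the feature is kept on: a rule written for the canonical path only fires on a non-canonical request path when normalization is applied.

```python
# HTTP URL path normalization (added illustration, not H3C device code).
import re
import string

_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def decode_unreserved(path: str) -> str:
    """Decode %XX only where the byte is an unreserved character; keep the rest encoded (uppercased)."""
    def repl(m: "re.Match[str]") -> str:
        ch = chr(int(m.group(1), 16))
        return ch if ch in _UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", repl, path)


def normalize_path(path: str) -> str:
    """Normalize a path: test/dpi/../index.html -> test/index.html."""
    path = decode_unreserved(path)
    absolute = path.startswith("/")
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue            # empty (doubled slash) and '.' segments are dropped
        if seg == "..":
            if out:
                out.pop()       # '..' removes the previous segment; never climbs above the root
            continue
        out.append(seg)
    return ("/" if absolute else "") + "/".join(out)


def rule_matches(rule_path: str, request_path: str, normalization_enabled: bool) -> bool:
    """Exact-path rule match, with or without the normalization step the engine applies."""
    subject = normalize_path(request_path) if normalization_enabled else request_path
    return subject == rule_path


if __name__ == "__main__":
    # Constructed request paths.
    for p in ("test/dpi/../index.html", "/a/./b//c/../d", "/x/%69ndex%2Fy"):
        print(f"{p:28s} -> {normalize_path(p)}")
    print(rule_matches("test/index.html", "test/dpi/../index.html", False))
    print(rule_matches("test/index.html", "test/dpi/../index.html", True))
```

Note that %2F is deliberately left encoded: decoding it would turn one segment into two and change the path's meaning, which is why only unreserved characters are decoded before segment resolution.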
Examples
# Disable all DPI engine optimization features.
<Sysname> system-view
[Sysname] inspect optimization disable
inspect real-ip detect-field priority
Use inspect real-ip detect-field priority to set the priority of an inspected field for real source IP inspection.
Use undo inspect real-ip detect-field priority to cancel the priority of an inspected field for real source IP inspection.
Syntax
inspect real-ip detect-field { cdn-src-ip | tcp-option | x-real-ip | xff } priority priority-value
undo inspect real-ip detect-field { cdn-src-ip | tcp-option | x-real-ip | xff } priority
Default
No priority is specified for any inspected field in the real source IP inspection, and all inspected fields use priority value 0. The device inspects the fields in the order of the xff, cdn-src-ip, x-real-ip, and tcp-option fields.
Views
System view
Predefined user roles
network-admin
Parameters
cdn-src-ip: Specifies the Cdn-Src-Ip field in the HTTP header.
tcp-option: Specifies the TCP Options field.
xff: Specifies the X-Forwarded-For field in the HTTP header.
x-real-ip: Specifies the X-Real-IP field in the HTTP header.
priority priority-value: Specifies a priority for an inspected field, in the range of 1 to 100. The larger the priority value, the higher the priority. Each inspected field must have a unique priority value. Because fields that are not configured keep the default priority value 0, any field with a configured priority outranks all unconfigured fields.
Usage guidelines
With real source IP inspection enabled, the device by default obtains the real source IP address of the client by inspecting multiple fields in the packets.
When IP addresses are detected in more than one field, the device uses the IP address obtained from the field with the highest priority as the final real source IP address.
Examples
# Set the priority to 10 for the X-Forwarded-For field.
<Sysname> system-view
[Sysname] inspect real-ip detect-field xff priority 10
inspect real-ip detect-field tcp-option
Use inspect real-ip detect-field tcp-option to configure real source IP inspection for the TCP Options field.
Use undo inspect real-ip detect-field tcp-option to restore the default.
Syntax
inspect real-ip detect-field tcp-option hex hex-vector [ offset offset-value ] [ depth depth-value ] [ ip-offset ip-offset-value ]
undo inspect real-ip detect-field tcp-option
Default
Real source IP inspection is not configured for the TCP Options field, and the device does not obtain the real source IP address from the TCP Options field.
Views
System view
Predefined user roles
network-admin
Parameters
hex hex-vector: Specifies a case-sensitive hexadecimal string of 6 to 66 characters. Specify an even number of characters, and enclose the string with two vertical bars (|), for example |1234f5b6|.
offset offset-value: Specifies an offset in bytes after which the hexadecimal string lookup starts, in the range of 0 to 32. If you do not specify this option, the lookup starts from the beginning of the TCP Options field.
depth depth-value: Specifies the number of bytes to locate the hexadecimal string, in the range of 2 to 40. If you do not specify this option, the device searches the whole TCP Options field for the hexadecimal string.
ip-offset ip-offset-value: Specifies the number of bytes between the end of the hexadecimal string and the start of the real source IP address, in the range of 0 to 32. If you do not specify this option, the data immediately after the hexadecimal string is the real source IP address.
Usage guidelines
To enable the device to locate the real source IP address in the TCP Options field, you must first define a hexadecimal string that marks the address. If the hexadecimal string is not found within the configured offset and depth, the device stops searching the TCP Options field for the real source IP address.
Examples
# Configure the device to search bytes 3 to 12 for the hexadecimal string |0102| in the TCP Options field, and define that the real source IP address is 2 bytes away from the hexadecimal string.
<Sysname> system-view
[Sysname] inspect real-ip detect-field tcp-option hex |0102| offset 2 depth 10 ip-offset 2
inspect real-ip detect-field xff
Use inspect real-ip detect-field xff to configure real source IP address inspection for the X-Forwarded-For field.
Use undo inspect real-ip detect-field xff to restore the default.
Syntax
inspect real-ip detect-field xff { head | tail }
undo inspect real-ip detect-field xff
Default
The rightmost IP address in the X-Forwarded-For field is the real source IP address.
Views
System view
Predefined user roles
network-admin
Parameters
head: Specifies the first IP address in the X-Forwarded-For field as the real source IP address.
tail: Specifies the last IP address in the X-Forwarded-For field as the real source IP address.
Usage guidelines
When a client connects to a Web server through an HTTP proxy, the HTTP header might contain the X-Forwarded-For field that carries multiple IP addresses. The standard syntax of the X-Forwarded-For field is <client>, <proxy1>, <proxy2>,…<proxyn>. If a request goes through multiple proxies, the IP addresses of each successive proxy are listed. The rightmost IP address is the IP address of the most recent proxy and the leftmost IP address is the IP address of the originating client.
Note that a client can send an X-Forwarded-For header of its own, so the leftmost address is only as trustworthy as the first proxy that accepts it. The rightmost address is the one appended by the proxy closest to the device and is the only entry a forged client header cannot control, which is why tail is the safer choice unless every proxy in the path is known to strip or validate client-supplied headers.
Examples
# Specify the leftmost IP address in the X-Forwarded-For field as the real source IP address.
<Sysname> system-view
[Sysname] inspect real-ip detect-field xff head
Related commands
inspect real-ip enable
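The following is an added example, not code from the device or this document, that models how the inspect real-ip detect-field commands above combine: each field yields a candidate address, the X-Forwarded-For field is read from its head or tail, the TCP Options field is searched for the configured hex vector with offset, depth, and ip-offset, and the final choice follows the configured priorities with the documented default order as the tie-breaker. The header names, the default order, and the tcp-option parameters (hex |0102| offset 2 depth 10 ip-offset 2) are taken from the text; the data structures, the sample request with a forged X-Forwarded-For header, and the sample TCP Options bytes are constructed here.

```python
"""Real source IP selection modelled on the inspect real-ip detect-field
commands. Added example, not device code: the field names, default order and
tie-breaking follow the text; the data structures and packets are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, Optional

# Default search order while every field still has priority 0.
DEFAULT_ORDER = ["xff", "cdn-src-ip", "x-real-ip", "tcp-option"]


@dataclass
class TcpOptionRule:
    """Models inspect real-ip detect-field tcp-option hex ... offset/depth/ip-offset."""
    marker: bytes                 # the hex vector, e.g. |0102| -> b"\x01\x02"
    offset: int = 0               # bytes skipped before the marker search starts
    depth: Optional[int] = None   # bytes searched for the marker; None = whole field
    ip_offset: int = 0            # bytes between the marker and the address


@dataclass
class RealIpConfig:
    priorities: Dict[str, int] = field(default_factory=dict)  # field -> 1..100
    xff_position: str = "tail"                                 # head | tail
    tcp_option: Optional[TcpOptionRule] = None


def _as_ip(text: Optional[str]) -> Optional[str]:
    """Return the address in canonical form, or None if it does not parse."""
    if text is None:
        return None
    try:
        return str(ip_address(text.strip()))
    except ValueError:
        return None


def from_xff(headers: Dict[str, str], position: str) -> Optional[str]:
    """Take the leftmost (head) or rightmost (tail) X-Forwarded-For entry."""
    raw = headers.get("x-forwarded-for", "")
    entries = [e for e in (p.strip() for p in raw.split(",")) if e]
    if not entries:
        return None
    return _as_ip(entries[0] if position == "head" else entries[-1])


def from_tcp_option(options: bytes, rule: TcpOptionRule) -> Optional[str]:
    """Search the TCP Options bytes for the marker and read the IPv4 after it."""
    end = None if rule.depth is None else rule.offset + rule.depth
    idx = options.find(rule.marker, rule.offset, end)
    if idx < 0:
        return None  # no marker within offset/depth: stop searching this field
    start = idx + len(rule.marker) + rule.ip_offset
    raw = options[start:start + 4]
    if len(raw) != 4:
        return None
    return str(ip_address(raw))  # four raw bytes parse as an IPv4 address


def detect_real_ip(headers: Dict[str, str], tcp_options: bytes,
                   cfg: RealIpConfig) -> Optional[str]:
    """Collect a candidate from every field, then pick one by priority."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    candidates: Dict[str, str] = {}
    value = from_xff(hdrs, cfg.xff_position)
    if value:
        candidates["xff"] = value
    for name in ("cdn-src-ip", "x-real-ip"):  # header name == field name here
        value = _as_ip(hdrs.get(name))
        if value:
            candidates[name] = value
    if cfg.tcp_option is not None:
        value = from_tcp_option(tcp_options, cfg.tcp_option)
        if value:
            candidates["tcp-option"] = value
    if not candidates:
        return None
    # Higher configured priority wins; fields left at 0 fall back to DEFAULT_ORDER.
    best = min(candidates,
               key=lambda f: (-cfg.priorities.get(f, 0), DEFAULT_ORDER.index(f)))
    return candidates[best]


if __name__ == "__main__":
    # Constructed request: the client forged 203.0.113.9 in its own header and
    # the proxy in front of the device appended the address it really saw.
    forged = {"X-Forwarded-For": "203.0.113.9, 198.51.100.7"}
    print("head:", detect_real_ip(forged, b"", RealIpConfig(xff_position="head")))
    print("tail:", detect_real_ip(forged, b"", RealIpConfig(xff_position="tail")))
```

The head/tail pair at the bottom is the practical check: with head, a client that writes its own X-Forwarded-For header chooses which address the device blocks or logs; with tail, the address comes from the last proxy in the chain.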
inspect real-ip enable
Use inspect real-ip enable to enable real source IP inspection.
Use undo inspect real-ip enable to disable real source IP inspection.
Syntax
inspect real-ip enable
undo inspect real-ip enable
Default
Real source IP inspection is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
When a client connects to a Web server through HTTP proxies, the source IP address of the request packet is rewritten at each proxy. To attribute attacks to the correct source IP address, you can enable this feature so that the device obtains the real source IP address from the corresponding fields in the request.
Examples
# Enable real source IP inspection.
<Sysname> system-view
[Sysname] inspect real-ip enable
inspect redirect parameter-profile
Use inspect redirect parameter-profile to create a redirect parameter profile and enter its view, or enter the view of an existing redirect parameter profile.
Use undo inspect redirect parameter-profile to delete a redirect parameter profile.
Syntax
inspect redirect parameter-profile parameter-name
undo inspect redirect parameter-profile parameter-name
Default
No redirect parameter profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
parameter-name: Specifies a redirect parameter profile name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In redirect parameter profile view, you can set parameters for the redirect action, such as the URL to which packets are redirected.
Examples
# Create a redirect parameter profile named r1 and enter its view.
<Sysname> system-view
[Sysname] inspect redirect parameter-profile r1
[Sysname-inspect-redirect-r1]
inspect smb-reassemble enable
Use inspect smb-reassemble enable to enable SMB protocol packet reassembly.
Use undo inspect smb-reassemble enable to disable SMB protocol packet reassembly.
Syntax
inspect smb-reassemble enable
undo inspect smb-reassemble enable
Default
SMB protocol packet reassembly is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
A large number of out-of-order SMB packets might cause the DPI engine to fail to detect this protocol. This command improves the accuracy of the DPI engine in detecting SMB protocol packets.
When the device receives out-of-order SMB packets, it temporarily saves these packets and subsequent packets from the same flow to the buffer for packet reassembly. After being reassembled, the packets are forwarded for further processing.
Examples
# Enable SMB protocol packet reassembly.
<Sysname> system-view
[Sysname] inspect smb-reassemble enable
inspect stream-fixed-length
Use inspect stream-fixed-length to set the maximum length for stream inspection.
Use undo inspect stream-fixed-length to restore the default.
Syntax
inspect stream-fixed-length { dns | email | ftp | http | https | nfs | sip | smb | telnet | tftp } * length
undo inspect stream-fixed-length
Default
The maximum length is 32 Kilobytes for FTP, HTTP, NFS, SMB, and email protocols. For DNS, HTTPS, SIP, Telnet, and TFTP protocols, the length for stream inspection is not limited.
Views
System view
Predefined user roles
network-admin
Parameters
email: Specifies email protocols, including SMTP, POP3, and IMAP.
ftp: Specifies the FTP protocol.
http: Specifies the HTTP protocol.
dns: Specifies the DNS protocol.
https: Specifies the HTTPS protocol.
nfs: Specifies the NFS protocol.
smb: Specifies the SMB protocol.
sip: Specifies the SIP protocol.
telnet: Specifies the Telnet protocol.
tftp: Specifies the TFTP protocol.
length: Specifies the maximum length in the range of 1 to 2048 Kilobytes.
Usage guidelines
This command can be executed only if the DPI engine inspection mode is user-defined mode.
The longer the inspection length, the lower the device throughput, and the higher the packet inspection accuracy. Payload beyond the configured length is forwarded without inspection, so content placed deep in a long stream is not examined.
Examples
# Set the maximum length to 35 Kilobytes for inspecting each FTP stream and 40 Kilobytes for inspecting each HTTP stream.
<Sysname> system-view
[Sysname] inspect stream-fixed-length ftp 35 http 40
Related commands
inspect coverage user-defined
inspect cpu-threshold disable
inspect stream-fixed-length disable
inspect stream-fixed-length disable
Use inspect stream-fixed-length disable to disable stream maximum length inspection.
Use undo inspect stream-fixed-length disable to enable stream maximum length inspection.
Syntax
inspect stream-fixed-length disable
undo inspect stream-fixed-length disable
Default
The stream maximum length inspection feature is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command can be executed only if the DPI engine inspection mode is user-defined mode.
The stream maximum length inspection feature enables the DPI engine to inspect only a specified stream length for a protocol or an audio/video application instead of the whole packet data in a stream.
Examples
# Disable stream maximum length inspection.
<Sysname> system-view
[Sysname] inspect stream-fixed-length disable
Related commands
inspect coverage user-defined
inspect cpu-threshold disable
inspect stream-fixed-length
inspect tcp-reassemble enable
Use inspect tcp-reassemble enable to enable the TCP segment reassembly feature.
Use undo inspect tcp-reassemble enable to disable the TCP segment reassembly feature.
Syntax
inspect tcp-reassemble enable
undo inspect tcp-reassemble enable
Default
The TCP segment reassembly feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
DPI engine inspection might fail if TCP segments arrive at the engine out of order. For example, suppose the DPI engine searches for the keyword string "this is a secret". If the TCP segment containing "a secret" arrives before the one containing "this is", the inspection fails.
The TCP segment reassembly feature enables the device to cache out-of-order TCP segments of the same TCP flow and reassemble the segments before submitting them to the DPI engine for inspection. This improves the DPI engine inspection accuracy.
If the number of cached TCP segments of a flow reaches the limit before the missing segments arrive, reassembly fails. In this case, the device submits the cached segments to the DPI engine without reassembling them, and submits all subsequent segments of the flow directly. This limits the performance degradation caused by caching.
Examples
# Enable the TCP segment reassembly feature.
<Sysname> system-view
[Sysname] inspect tcp-reassemble enable
Related commands
inspect tcp-reassemble max-segment
inspect tcp-reassemble max-segment
Use inspect tcp-reassemble max-segment to set the maximum number of TCP segments that can be cached per TCP flow.
Use undo inspect tcp-reassemble max-segment to restore the default.
Syntax
inspect tcp-reassemble max-segment max-number
undo inspect tcp-reassemble max-segment
Default
A maximum of 10 TCP segments can be cached for reassembly per TCP flow.
Views
System view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number in the range of 10 to 50.
Usage guidelines
Set the limit for the number of TCP segments that can be cached per flow according to your network requirements. The higher the limit, the higher the inspection accuracy, and the lower the device performance.
This command takes effect only when the TCP segment reassembly feature is enabled.
Examples
# Allow the device to cache a maximum of 20 TCP segments for each TCP flow.
<Sysname> system-view
[Sysname] inspect tcp-reassemble max-segment 20
Related commands
inspect tcp-reassemble enable
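The following is an added example, not code from the device or this document, that works through the behaviour described for inspect tcp-reassemble enable and inspect tcp-reassemble max-segment: out-of-order segments are cached per flow and released in sequence order, and once a flow's cache reaches the limit the cached segments are handed over unreassembled and the flow bypasses reassembly. The "this is a secret" keyword is taken from the text; the segment lists and the small cache limit used to trigger the fallback are constructed here (the device's range is 10 to 50).

```python
"""TCP segment reassembly in front of a keyword matcher. Added example, not
device code; the segments and the cache limit below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Flow:
    next_seq: int                                          # sequence expected next
    cache: Dict[int, bytes] = field(default_factory=dict)  # out-of-order segments
    bypass: bool = False                                   # set once the limit hit


class Reassembler:
    def __init__(self, enabled: bool = True, max_segment: int = 10):
        self.enabled = enabled
        self.max_segment = max_segment

    def feed(self, flow: Flow, seq: int, payload: bytes) -> bytes:
        """Return the bytes handed to the DPI engine for this arriving segment."""
        if not self.enabled or flow.bypass:
            return payload                      # submitted as-is, arrival order
        if seq < flow.next_seq:
            return b""                          # retransmission already delivered
        if seq == flow.next_seq:
            out = payload
            flow.next_seq += len(payload)
            while flow.next_seq in flow.cache:  # drain cached continuations
                seg = flow.cache.pop(flow.next_seq)
                out += seg
                flow.next_seq += len(seg)
            return out
        # A gap precedes this segment: cache it unless the limit is reached.
        if len(flow.cache) >= self.max_segment:
            flow.bypass = True                  # give up reassembling this flow
            flushed = b"".join(flow.cache.values())  # unreassembled, arrival order
            flow.cache.clear()
            return flushed + payload
        flow.cache[seq] = payload
        return b""


def inspect_stream(segments: List[Tuple[int, bytes]], keyword: bytes,
                   enabled: bool = True, max_segment: int = 10) -> Tuple[bytes, bool]:
    """Feed segments (sequence numbers start at 1) through the reassembler and
    run a keyword match over exactly what the engine saw, in the order it saw it."""
    reasm = Reassembler(enabled, max_segment)
    flow = Flow(next_seq=1)
    seen = b""
    for seq, payload in segments:
        seen += reasm.feed(flow, seq, payload)
    return seen, keyword in seen


if __name__ == "__main__":
    # Constructed flow: the second half of the keyword arrives first.
    out_of_order = [(9, b"a secret"), (1, b"this is ")]
    print("disabled:", inspect_stream(out_of_order, b"this is a secret", enabled=False))
    print("enabled: ", inspect_stream(out_of_order, b"this is a secret", enabled=True))
    # Constructed flow with a missing first segment and a cache limit of 2.
    gap = [(2, b"B"), (3, b"C"), (4, b"D"), (1, b"A")]
    print("limit hit:", inspect_stream(gap, b"ABCD", max_segment=2))
    print("limit ok: ", inspect_stream(gap, b"ABCD", max_segment=10))
```

The second scenario shows the trade-off the max-segment command controls: with a limit that is too small for the amount of reordering on the path, the engine sees "BCDA" and the signature for "ABCD" never fires, even though reassembly is enabled.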
log
Use log to specify the log storage method.
Use undo log to cancel the specified log storage method.
Syntax
log { email | syslog }
undo log { email | syslog }
Default
Logs are exported to the information center.
Views
Logging parameter profile view
Predefined user roles
network-admin
Parameters
email: Emails the logs to a receiver.
syslog: Exports the logs to the information center.
Examples
# Configure the device to export logs to the information center in logging parameter profile log1.
<Sysname> system-view
[Sysname] inspect logging parameter-profile log1
[Sysname-inspect-logging-log1] log syslog
Related commands
inspect logging parameter-profile
log language
Use log language to set the language for IPS log output to Chinese.
Use undo log language to restore the default.
Syntax
log language chinese
undo log language chinese
Default
IPS logs are output in English.
Views
Logging parameter profile view
Predefined user roles
network-admin
Usage guidelines
After you execute this command, only the attack name field of IPS logs is displayed in Chinese; all other fields remain in English. For more information about IPS logs, see "IPS commands."
Examples
# Set the language for IPS log output to Chinese.
<Sysname> system-view
[Sysname] inspect logging parameter-profile log1
[Sysname-inspect-log-para-log1] log language chinese
Related commands
inspect logging parameter-profile
redirect-url
Use redirect-url to specify the URL to which packets are redirected.
Use undo redirect-url to restore the default.
Syntax
redirect-url url-string
undo redirect-url
Default
No URL is specified for packet redirection.
Views
Redirect parameter profile view
Predefined user roles
network-admin
Parameters
url-string: Specifies the URL, a case-sensitive string of 9 to 63 characters. The URL must start with http:// or https://, for example, https://www.example.com.
Usage guidelines
After you specify a URL, matching packets will be redirected to the webpage that the URL identifies.
Examples
# Specify https://www.example.com/upload as the URL for packet redirection.
<Sysname> system-view
[Sysname] inspect redirect parameter-profile r1
[Sysname-inspect-redirect-r1] redirect-url https://www.example.com/upload
Related commands
inspect redirect parameter-profile
reset inspect smb-breakpoint-resume table
Use reset inspect smb-breakpoint-resume table to clear the breakpoint resumption table for the SMB protocol.
Syntax
reset inspect smb-breakpoint-resume table { ipv4 | ipv6 } [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
network-operator
Parameters
ipv4: Clears the IPv4 breakpoint resumption table.
ipv6: Clears the IPv6 breakpoint resumption table.
slot slot-number: Specifies a cloud cluster member device by its member ID. If you do not specify a member device, this command clears the breakpoint resumption table for all member devices.
Examples
# Clear the breakpoint resumption table for the SMB protocol.
<Sysname> reset inspect smb-breakpoint-resume table ipv4
Related commands
display inspect smb-breakpoint-resume table
