CLI example: Using a user-defined IPS policy in a security policy

Network configuration

As shown in Figure 1, the device connects to the LAN and Internet through security zones Trust and Untrust, respectively.

Perform the following tasks:

Create IPS policy ips1 and modify its signature action and status settings as follows: enable predefined signature 2 and set its actions to drop, capture, and logging; disable predefined signature 4; and enable predefined signature 6.

Apply IPS policy ips1 to the zone pair between source security zone Trust and destination security zone Untrust.

Figure 1 Network diagram

Software versions used

This configuration example was created and verified on R9071 of the M9000-AI-E8 device.

Procedures

1. Assign IP addresses to interfaces:

# Assign an IP address to interface GigabitEthernet 1/0/1.

<Device> system-view

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0

[Device-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

2. Configure settings for routing:

This example configures a static route to reach the Web server, and the next hop in the route is 2.2.2.2.

[Device] ip route-static 5.5.5.0 24 2.2.2.2

3. Add interfaces to security zones:

[Device] security-zone name trust

[Device-security-zone-Trust] import interface gigabitethernet 1/0/1

[Device-security-zone-Trust] quit

[Device] security-zone name untrust

[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2

[Device-security-zone-Untrust] quit

4. Configure an IPS policy:

# Create an IPS policy named ips1 and enter its view. Configure the policy to apply all IPS signatures regardless of their protected-target attribute. Enable predefined IPS signature 2 with actions drop, capture, and logging, disable predefined IPS signature 4, and enable predefined IPS signature 6.

[Device] ips policy ips1

[Device-ips-policy-ips1] protect-target all

[Device-ips-policy-ips1] signature override pre-defined 2 enable drop capture logging

[Device-ips-policy-ips1] signature override pre-defined 4 disable

[Device-ips-policy-ips1] signature override pre-defined 6 enable

[Device-ips-policy-ips1] quit

5. Apply IPS policy ips1 to a DPI application profile, and activate the IPS policy settings:

# Create a DPI application profile named sec. Apply IPS policy ips1 to the DPI application profile and set the policy mode to protect.

[Device] app-profile sec

[Device-app-profile-sec] ips apply policy ips1 mode protect

[Device-app-profile-sec] quit

# Activate the IPS policy settings.

[Device] inspect activate

6. Configure a security policy:

# Enter IPv4 security policy view. Create a rule named trust-untrust that permits traffic from the internal users to the external network, and apply DPI application profile sec (which carries IPS policy ips1) to that traffic.

[Device] security-policy ip

[Device-security-policy-ip] rule name trust-untrust

[Device-security-policy-ip-10-trust-untrust] source-zone trust

[Device-security-policy-ip-10-trust-untrust] source-ip-subnet 192.168.1.0 24

[Device-security-policy-ip-10-trust-untrust] destination-zone untrust

[Device-security-policy-ip-10-trust-untrust] action pass

[Device-security-policy-ip-10-trust-untrust] profile sec

[Device-security-policy-ip-10-trust-untrust] quit

# Activate rule matching acceleration.

[Device-security-policy-ip] accelerate enhanced enable

[Device-security-policy-ip] quit

Verifying the configuration

# Verify that IPS policy ips1 is configured correctly.

<Device> display ips policy ips1

Configuration files

#

interface GigabitEthernet1/0/1

 port link-mode route

 ip address 192.168.1.1 255.255.255.0

#

interface GigabitEthernet1/0/2

 port link-mode route

 ip address 2.2.2.1 255.255.255.0

#

security-zone name Trust

 import interface GigabitEthernet1/0/1

#

security-zone name Untrust

 import interface GigabitEthernet1/0/2

#

 ip route-static 5.5.5.0 24 2.2.2.2

#

app-profile sec

 ips apply policy ips1 mode protect

#

security-policy ip

 rule 10 name trust-untrust

  action pass

  profile sec

  source-zone trust

  destination-zone untrust

  source-ip-subnet 192.168.1.0 255.255.255.0

#

ips policy ips1

 signature override pre-defined 2 enable drop logging capture

 signature override pre-defined 4 disable

 signature override pre-defined 6 enable

 protect-target ApplicationSoftware IM

 protect-target ApplicationSoftware MailClient

 protect-target Browser InternetExplorer

 protect-target Database ACCESS

 protect-target Database MS-SQL

 protect-target Database MySQL

 protect-target Database Oracle

 protect-target Database Other

 protect-target FTPServer Any

 protect-target MailServer LotusNotes

 protect-target NetworkDevice Cisco

 protect-target NetworkProtocol FTP

 protect-target NetworkProtocol HTTP

 protect-target NetworkProtocol TELNET

 protect-target OfficeSoftware MicrosoftOffice

 protect-target Other Other

 protect-target WebApplication Any

 protect-target WebApplication Blog

 protect-target WebApplication CMS

 protect-target WebApplication JSP

 protect-target WebApplication Other

 protect-target WebApplication PHP

 protect-target WebServer Any

 protect-target WebServer Other

 protect-target WebServer WebLogic

#
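Before committing the configuration, an offline audit of the resulting configuration file can confirm that the security policy rule actually reaches an IPS policy in protect mode and that the signature overrides match the intent of step 4. The following Python script is an added example, not part of this document or of the device software; it parses the indented, "#"-delimited block format shown above and takes a constructed excerpt of that file as input (the function names block, ips_policy_for_rule and audit are the example's own).

```python
import re
# Constructed sample: the IPS-related blocks of the configuration file above.
SAMPLE_CONFIG = """#
app-profile sec
 ips apply policy ips1 mode protect
#
security-policy ip
 rule 10 name trust-untrust
  action pass
  profile sec
#
ips policy ips1
 signature override pre-defined 2 enable drop logging capture
 signature override pre-defined 4 disable
 signature override pre-defined 6 enable
#
"""

def block(cfg, header_re, indent=" "):
    """Body of the config block whose first line matches header_re (a regex)."""
    m = re.search(rf"^{header_re}\n((?:{indent}.*\n)+)", cfg, re.M)
    return m.group(1) if m else ""

def ips_policy_for_rule(cfg, rule_name):
    """Follow rule -> app-profile -> IPS policy; return (policy, mode) or None."""
    rule = block(cfg, rf" rule \d+ name {re.escape(rule_name)}", "  ")
    prof = re.search(r"^  profile (\S+)$", rule, re.M)
    if not prof or not re.search(r"^  action pass$", rule, re.M):
        return None  # the audit requires action pass plus a named profile
    app = block(cfg, rf"app-profile {re.escape(prof.group(1))}")
    m = re.search(r"^ ips apply policy (\S+) mode (\S+)$", app, re.M)
    return m.groups() if m else None

def audit(cfg, rule_name, expected):
    """Return findings ([] = chain intact and signature overrides match intent)."""
    chain = ips_policy_for_rule(cfg, rule_name)
    if chain is None:
        return [f"rule {rule_name}: no IPS policy reachable (needs action pass + profile)"]
    policy, mode = chain
    findings = [] if mode == "protect" else [f"{policy} applied in mode {mode!r}, not protect"]
    pat = r"^ signature override pre-defined (\d+) (enable|disable)(.*)$"
    got = {int(m[1]): (m[2], set(m[3].split()))  # actions as a set: device re-orders them
           for m in re.finditer(pat, block(cfg, rf"ips policy {re.escape(policy)}"), re.M)}
    for sig, (state, actions) in expected.items():
        if sig not in got or got[sig][0] != state or not actions <= got[sig][1]:
            findings.append(f"signature {sig}: expected {state} {sorted(actions)}, found {got.get(sig)}")
    return findings

# Intent from step 4 of the procedure above (signature ID -> state, required actions).
EXPECTED = {2: ("enable", {"drop", "capture", "logging"}), 4: ("disable", set()), 6: ("enable", set())}
```

Note that the configuration file records the actions of signature 2 as drop logging capture although they were entered as drop capture logging, so the audit compares actions as a set rather than as a string.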