HP Firewalls and UTM Devices Attack Protection Command Reference
Part number: 5998-4177
Software version:
  F1000-A-EI: Feature 3722
  F1000-S-EI: Feature 3722
  F5000: Feature 3211
  F1000-E: Feature 3174
  Firewall module: Feature 3174
  Enhanced firewall module: ESS 3807
  U200-A: ESS 5132
  U200-S: ESS 5132
Document version: 6PW100-20121228
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Attack detection and protection configuration commands 1
  attack-defense apply policy 1
  attack-defense logging enable 1
  attack-defense policy
ARP
  arp anti-attack source-mac exclude-mac 42
  arp anti-attack source-mac threshold 42
  display arp anti-attack source-mac 43
  packet source MAC consistency
  content-filtering policy-template 76
  content-filtering pop3-policy 77
  content-filtering smtp-policy 77
  content-filtering telne
Attack detection and protection configuration commands attack-defense apply policy Use attack-defense apply policy to apply an attack protection policy to a security zone. Use undo attack-defense apply policy to restore the default. Syntax attack-defense apply policy policy-number undo attack-defense apply policy Default No attack protection policy is applied to a security zone.
Syntax attack-defense logging enable undo attack-defense logging enable Default Attack protection logging is disabled. Views System view Default command level 2: System level Parameters None Examples # Enable attack protection logging. system-view [Sysname] attack-defense logging enable attack-defense policy Use attack-defense policy to create an attack protection policy and enter attack protection policy view. Use undo attack-defense policy to delete an attack protection policy.
blacklist enable Use blacklist enable to enable the blacklist function. Use undo blacklist enable to restore the default. Syntax blacklist enable undo blacklist enable Default The blacklist function is disabled. Views System view, VD system view Default command level 2: System level Usage guidelines After the blacklist function is enabled, you can add blacklist entries manually or configure the device to add blacklist entries automatically.
Parameters source-ip-address: IP address to be added to the blacklist, used to match the source IP address of packets. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address. all: Specifies all blacklist entries. timeout minutes: Specifies an aging time for the blacklist entry. minutes indicates the aging time and ranges from 1 to 1000, in minutes.
Related commands • defense dns-flood rate-threshold • defense dns-flood ip defense dns-flood ip Use defense dns-flood ip to configure the action and silence thresholds for DNS flood attack protection of a specific IP address. Use undo defense dns-flood ip to remove the configuration.
Related commands defense dns-flood enable defense dns-flood rate-threshold Use defense dns-flood rate-threshold to configure the global action and global silence thresholds for DNS flood attack protection. The device uses the global attack protection thresholds to protect IP addresses for which you do not specifically configure attack protection parameters. Use undo defense dns-flood rate-threshold to restore the default.
Related commands defense dns-flood enable defense icmp-flood action drop-packet Use defense icmp-flood action drop-packet to configure the device to drop ICMP flood attack packets. Use undo defense icmp-flood action to restore the default. Syntax defense icmp-flood action drop-packet undo defense icmp-flood action Default The device only outputs alarm logs if detecting an ICMP flood attack.
Examples # Enable ICMP flood attack protection in attack protection policy 1. system-view [Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense icmp-flood enable Related commands • defense icmp-flood action drop-packet • defense icmp-flood ip • defense icmp-flood rate-threshold • display attack-defense policy defense icmp-flood ip Use defense icmp-flood ip to configure the action and silence thresholds for ICMP flood attack protection of a specific IP address.
Examples # Enable ICMP flood attack protection for IP address 192.168.1.2, and set the action threshold to 2000 packets per second and the silence threshold to 1000 packets per second. system-view [Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense icmp-flood ip 192.168.1.
bandwidth of the protected network is small, set a smaller silence threshold to help release the traffic pressure. Examples # Set the global action threshold to 3000 packets per second and the global silence threshold to 1000 packets per second for ICMP flood attack.
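The following is an added example, not code from the HP device or this reference, that models the two-threshold behaviour shared by the defense dns-flood, icmp-flood, syn-flood and udp-flood rate-threshold and ip commands: a destination is treated as under attack once its rate exceeds the action (high) threshold and returns to normal only when the rate drops below the silence (low) threshold, per-IP thresholds override the global ones, and the action is either drop-packet or alarm logging only. The one-second sampling, the Python class names and the traffic figures are assumptions made for the example; the thresholds reuse the values from the ICMP examples above.

```python
"""Flood protection with action and silence thresholds (added example).

Models the two-threshold logic of the defense <proto>-flood rate-threshold
and defense <proto>-flood ip commands. Assumptions: rates are sampled once
per second; a destination enters the attacked state when its rate exceeds
the action threshold and leaves it only when the rate falls below the
silence threshold; per-IP thresholds override the global ones. The traffic
samples are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Thresholds:
    high: int  # action threshold, packets per second
    low: int   # silence threshold, packets per second

    def __post_init__(self) -> None:
        # A silence threshold above the action threshold would make the
        # attacked state flap every second, so require 0 < low <= high.
        if not 0 < self.low <= self.high:
            raise ValueError("need 0 < low <= high")


@dataclass
class FloodDefense:
    global_thresholds: Thresholds                   # defense <proto>-flood rate-threshold high ... low ...
    drop_packet: bool = False                       # defense <proto>-flood action drop-packet
    per_ip: dict[str, Thresholds] = field(default_factory=dict)  # defense <proto>-flood ip <addr> ...
    attacked: set[str] = field(default_factory=set)
    log: list[str] = field(default_factory=list)

    def thresholds_for(self, dst: str) -> Thresholds:
        # Per-IP settings override the global ones; all other addresses use global.
        return self.per_ip.get(dst, self.global_thresholds)

    def sample(self, second: int, dst: str, pps: int) -> int:
        """Process a one-second rate sample for dst; return packets forwarded."""
        t = self.thresholds_for(dst)
        if dst not in self.attacked and pps > t.high:
            self.attacked.add(dst)
            self.log.append(f"t={second}s {dst}: flood start, {pps} pps > action {t.high}")
        elif dst in self.attacked and pps < t.low:
            self.attacked.discard(dst)
            self.log.append(f"t={second}s {dst}: flood end, {pps} pps < silence {t.low}")
        # Between the two thresholds the state is kept (hysteresis): an attack
        # that backs off to just under the action threshold stays mitigated.
        if dst in self.attacked and self.drop_packet:
            return 0
        return pps

    def run(self, samples: list[tuple[int, str, int]]) -> list[int]:
        return [self.sample(s, dst, pps) for s, dst, pps in samples]


# Constructed samples: (second, destination, packets per second).
SAMPLES = [
    (0, "192.168.1.2", 500),
    (1, "192.168.1.2", 2500),  # above the per-IP action threshold 2000
    (2, "192.168.1.2", 1500),  # between the thresholds: still attacked
    (3, "192.168.1.2", 800),   # below the silence threshold 1000: cleared
    (4, "10.0.0.9", 2500),     # no per-IP entry: global 3000/1000 applies
    (5, "10.0.0.9", 3500),
    (6, "10.0.0.9", 900),
]


def demo(drop_packet: bool) -> tuple[list[int], list[str]]:
    d = FloodDefense(
        global_thresholds=Thresholds(high=3000, low=1000),
        drop_packet=drop_packet,
        per_ip={"192.168.1.2": Thresholds(high=2000, low=1000)},
    )
    return d.run(SAMPLES), d.log


if __name__ == "__main__":
    forwarded, log = demo(drop_packet=True)
    print(forwarded)
    print("\n".join(log))
```

The sample at t=2 is the point the usage guidelines make about the silence threshold: 1500 pps is below the action threshold yet still dropped, because mitigation ends only below the silence threshold. On a low-bandwidth link a lower silence threshold releases the traffic sooner.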
[Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense scan enable # Set the connection rate threshold for triggering scanning attack protection to 2000 connections per second. [Sysname-attack-defense-policy-1] defense scan max-rate 2000 # Enable the blacklist function for scanning attack protection, and specify the blacklist entry aging time as 20 minutes.
• defense scan enable • defense scan max-rate defense scan enable Use defense scan enable to enable scanning attack protection. Use undo defense scan enable to restore the default. Syntax defense scan enable undo defense scan enable Default Scanning attack protection is disabled. Views Attack protection policy view Default command level 2: System level Usage guidelines With scanning attack protection enabled, a device checks the connection rate by IP address.
Views Attack protection policy view Default command level 2: System level Parameters rate-number: Threshold of the connection establishment rate (number of connections established in a second) that triggers scanning attack protection, in the range of 1 to 10000. Usage guidelines With scanning attack protection enabled, a device checks the connection rate by IP address.
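The following is an added example, not code from the HP device or this reference, that models scanning attack protection (defense scan enable, defense scan max-rate) together with the blacklist function (blacklist enable, blacklist ip ... timeout, and the manual/auto entry types shown by display blacklist). Assumptions made for the example: the connection rate is counted per source IP over a sliding one-second window; when it exceeds max-rate an alarm is logged and, when blacklisting is enabled for scan protection, the source is added as an auto entry with the configured aging time (20 minutes, as in the example above); packets from blacklisted sources are dropped. Class names and traffic are constructed.

```python
"""Scanning attack protection with automatic blacklisting (added example).

Assumptions: per-source connection rate over a sliding 1 s window; exceeding
max-rate logs an alarm and, with blacklisting enabled, adds an "auto" entry
with the configured aging time; blacklisted sources are dropped; manual
entries without a timeout never age out. Traffic is constructed.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class BlacklistEntry:
    kind: str              # "manual" or "auto", as shown by display blacklist
    expires: float | None  # None: the entry never ages out


class Blacklist:
    def __init__(self) -> None:
        self.entries: dict[str, BlacklistEntry] = {}

    def add(self, ip: str, now: float, timeout_min: int | None, kind: str = "manual") -> None:
        # blacklist ip <ip> [ timeout <minutes> ], minutes in the range 1..1000
        if timeout_min is not None and not 1 <= timeout_min <= 1000:
            raise ValueError("timeout must be 1..1000 minutes")
        expires = None if timeout_min is None else now + 60 * timeout_min
        self.entries[ip] = BlacklistEntry(kind, expires)

    def contains(self, ip: str, now: float) -> bool:
        e = self.entries.get(ip)
        if e is None:
            return False
        if e.expires is not None and now >= e.expires:
            del self.entries[ip]  # aged out
            return False
        return True


class ScanDefense:
    def __init__(self, max_rate: int, blacklist: Blacklist | None = None,
                 blacklist_timeout_min: int = 10) -> None:
        if not 1 <= max_rate <= 10000:  # defense scan max-rate range
            raise ValueError("max-rate must be 1..10000 connections/s")
        self.max_rate = max_rate
        self.blacklist = blacklist
        self.blacklist_timeout_min = blacklist_timeout_min
        self.window: dict[str, deque[float]] = defaultdict(deque)
        self.alarms: list[str] = []

    def connection(self, src: str, now: float) -> str:
        """Handle one new connection from src at time now; return 'permit' or 'deny'."""
        if self.blacklist is not None and self.blacklist.contains(src, now):
            return "deny"
        q = self.window[src]
        q.append(now)
        while q and q[0] <= now - 1.0:  # keep only the last second
            q.popleft()
        if len(q) > self.max_rate:
            self.alarms.append(f"t={now:.4f} scan attack from {src}: {len(q)} conn/s > {self.max_rate}")
            q.clear()  # one alarm per burst
            if self.blacklist is not None:
                self.blacklist.add(src, now, self.blacklist_timeout_min, kind="auto")
                return "deny"
        return "permit"  # without blacklisting the device only logs


def simulate() -> dict[str, object]:
    bl = Blacklist()
    bl.add("203.0.113.7", now=0.0, timeout_min=None)  # manual entry, never ages
    scan = ScanDefense(max_rate=2000, blacklist=bl, blacklist_timeout_min=20)
    out: dict[str, object] = {"attacker_permit": 0, "attacker_deny": 0,
                              "normal_permit": 0, "normal_deny": 0}
    # Constructed burst: 10.0.0.5 opens 2005 connections within 0.2 s (a scan).
    for i in range(2005):
        out["attacker_" + scan.connection("10.0.0.5", 100.0 + i / 10000)] += 1
    # Constructed normal client: 10 connections spread over one second.
    for i in range(10):
        out["normal_" + scan.connection("10.0.0.7", 100.0 + i / 10)] += 1
    out["manual_entry"] = scan.connection("203.0.113.7", 100.5)
    out["alarms"] = len(scan.alarms)
    out["auto_entry_kind"] = bl.entries["10.0.0.5"].kind
    # Twenty minutes later the auto entry has aged out; the manual one has not.
    later = 100.2 + 20 * 60 + 1
    out["attacker_after_aging"] = scan.connection("10.0.0.5", later)
    out["manual_after_aging"] = scan.connection("203.0.113.7", later)
    out["remaining_entries"] = sorted(bl.entries)
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```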
Parameters drop-packet: Drops all subsequent connection requests to the attacked IP address. trigger-tcp-proxy: Adds a protected IP address entry for the attacked IP address and triggers the TCP proxy function. Examples # Configure the SYN flood protection policy to drop SYN flood attack packets.
Syntax defense syn-flood ip ip-address rate-threshold high rate-number [ low rate-number ] undo defense syn-flood ip ip-address [ rate-threshold ] Default No SYN flood attack protection thresholds are configured for an IP address. Views Attack protection policy view Default command level 2: System level Parameters ip-address: IP address to be protected. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address.
Syntax defense syn-flood rate-threshold high rate-number [ low rate-number ] undo defense syn-flood rate-threshold Default The global action threshold is 1000 packets per second and the global silence threshold is 750 packets per second. Views Attack protection policy view Default command level 2: System level Parameters high rate-number: Sets the global action threshold for SYN flood attack protection.
Syntax defense udp-flood action drop-packet undo defense udp-flood action Default The device only outputs alarm logs if it detects a UDP flood attack. Views Attack protection policy view Default command level 2: System level Examples # Configure attack protection policy 1 to drop UDP flood packets.
Related commands • defense udp-flood action drop-packet • defense udp-flood rate-threshold • defense udp-flood ip • display attack-defense policy defense udp-flood ip Use defense udp-flood ip to configure the action and silence thresholds for UDP flood attack protection of a specific IP address. Use undo defense udp-flood ip to remove the configuration.
Related commands • defense udp-flood action drop-packet • defense udp-flood enable • display attack-defense policy defense udp-flood rate-threshold Use defense udp-flood rate-threshold to configure the global action and silence thresholds for UDP flood attack protection. The device uses the global attack protection thresholds to protect the IP addresses for which you do not specifically configure attack protection parameters. Use undo defense udp-flood rate-threshold to restore the default.
[Sysname] attack-defense policy 1 [Sysname-attack-defense-policy-1] defense udp-flood rate-threshold high 3000 low 1000 Related commands • defense udp-flood action drop-packet • defense udp-flood enable • display attack-defense policy display attack-defense policy Use display attack-defense policy to display the configuration information about one or all attack protection policies.
 Large ICMP attack-defense      : Enabled
   Max-length                   : 250 bytes
 TCP flag attack-defense        : Enabled
 Tracert attack-defense         : Enabled
 Fraggle attack-defense         : Enabled
 WinNuke attack-defense         : Enabled
 LAND attack-defense            : Enabled
 Source route attack-defense    : Enabled
 Route record attack-defense    : Enabled
 Scan attack-defense            : Enabled
   Add to blacklist             : Enabled
   Blacklist timeout            : 10 minutes
   Max-rate                     : 1000 connections/s
 Signature-detect action        : Drop-packet
 --------------------------------
 192.168.2.1        2000        1000
Table 1 Command output
Field                            Description
Policy number                    Sequence number of the attack protection policy.
Bound zones                      Security zones to which the attack protection policy is applied.
Smurf attack-defense             Indicates whether Smurf attack protection is enabled.
ICMP redirect attack-defense     Indicates whether ICMP redirect attack protection is enabled.
ICMP unreachable attack-defense  Indicates whether ICMP unreachable attack protection is enabled.
Field                            Description
UDP flood action                 Action taken when a UDP flood attack is detected: Drop-packet (drop subsequent packets) or Syslog (output an alarm log only).
UDP flood high-rate              Global action threshold for UDP flood attack protection.
UDP flood low-rate               Global silence threshold for UDP flood attack protection.
UDP flood attack on IP           UDP flood attack protection settings for specific IP addresses.
SYN flood attack-defense         Indicates whether SYN flood attack protection is enabled.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Table 2 Command output
Field                            Description
Zone                             Name of the security zone to which the attack protection policy is applied.
Attack policy number             Sequence number of the attack protection policy.
Fraggle attacks                  Number of Fraggle attacks.
Fraggle packets dropped          Number of Fraggle packets dropped.
ICMP redirect attacks            Number of ICMP redirect attacks.
ICMP redirect packets dropped    Number of ICMP redirect packets dropped.
ICMP unreachable attacks         Number of ICMP unreachable attacks.
Related commands • attack-defense policy • attack-defense apply policy display blacklist Use display blacklist to display information about one or all blacklist entries. Syntax display blacklist { all | ip source-ip-address } [ vd vd-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters all: Displays information about all blacklist entries. ip source-ip-address: Displays information about the blacklist entry for an IP address.
Table 3 Command output
Field             Description
Blacklist         Indicates whether the blacklist function is enabled.
Blacklist items   Number of blacklist entries.
IP                IP address of the blacklist entry.
Type              Type of the blacklist entry:
                  manual: the entry was added manually.
                  auto: the entry was added automatically by the scanning attack protection function.
Aging started     Time when the blacklist entry was added.
Aging finished    Time when the blacklist entry ages out. Never means that the entry never ages out.
include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display the traffic statistics of source IP address 192.168.1.2. display flow-statistics statistics source-ip 192.168.1.2 Flow Statistics Information ----------------------------------------------------------IP Address : 192.168.1.
Field                              Description
RAWIP sessions                     Number of RAWIP connections.
RAWIP session establishment rate   RAWIP connection establishment rate.
TCP packet count                   Number of TCP packets.
TCP byte count                     Number of TCP bytes.
UDP packet count                   Number of UDP packets.
UDP byte count                     Number of UDP bytes.
ICMP packet count                  Number of ICMP packets.
ICMP byte count                    Number of ICMP bytes.
RAWIP packet count                 Number of RAWIP packets.
RAWIP byte count                   Number of RAWIP bytes.
display flow-statistics statistics zone trust inbound
Flow Statistics Information
-----------------------------------------------------------
Zone                               : trust
-----------------------------------------------------------
Total number of existing sessions  : 70
Session establishment rate         : 10/s
TCP sessions                       : 10
Half-open TCP sessions             : 10
Half-close TCP sessions            : 10
TCP session establishment rate     : 10/s
UDP sessions                       : 10
UDP session establishment rate     : 10/s
ICMP sessions                      : 10
Default command level 1: Monitor level Parameters vd vd-name: Displays the protected IP addresses of the specified VD. The vd-name argument refers to the VD name, a case-insensitive string of 1 to 20 characters. If you do not specify this option, this command displays the protected IP addresses of the default VD. Examples # Display information about all IP addresses protected by the TCP proxy function.
inbound: Collects statistics on packets to the security zone. outbound: Collects statistics on packets sent out of the security zone. source-ip: Collects statistics on packets to the security zone by source IP address. Usage guidelines Multiple types of traffic statistics collections can be enabled for a security zone. The collection results can be viewed by related display commands. Examples # In security zone trust, enable traffic statistics collection by destination IP address.
signature-detect Use signature-detect to enable signature detection of a single-packet attack. Use undo signature-detect to disable signature detection of a single-packet attack.
Syntax signature-detect action drop-packet undo signature-detect action Default The device only outputs alarm logs if it detects a single-packet attack. Views Attack protection policy view Default command level 2: System level Examples # Configure attack protection policy 1 to drop single-packet attack packets.
Examples # Enable signature detection of large ICMP attack, set the ICMP packet length threshold that triggers large ICMP attack protection to 5000 bytes, and configure the device to drop ICMP packets longer than the specified maximum length.
• display tcp-proxy protected-ip tcp-proxy mode Use tcp-proxy mode to set the TCP proxy operating mode. Use undo tcp-proxy mode to restore the default. Syntax tcp-proxy mode unidirection undo tcp-proxy mode Default TCP proxy operates in bidirectional mode when enabled. Views System view Default command level 2: System level Parameters unidirection: Operates in the unidirectional mode. Examples # Set the TCP proxy operating mode to unidirectional.
Parameters destination-ip-address: Specifies the IP address protected by TCP proxy. port: Specifies the port number protected by TCP proxy. port-number: Destination port number of a TCP connection, in the range of 1 to 65535. any: Specifies TCP connections with the specified destination IP address and any destination port number. Usage guidelines You can add multiple IP addresses protected by TCP proxy. Examples # Configure a TCP proxy entry to protect IP address 2.2.2.5 and port number 25.
ARP attack protection configuration commands
IP flood protection configuration commands
arp resolving-route enable Use arp resolving-route enable to enable ARP black hole routing. Use undo arp resolving-route enable to disable the function. Syntax arp resolving-route enable undo arp resolving-route enable Default The ARP black hole routing function is disabled. Views System view Default command level 2: System level Examples # Enable ARP black hole routing.
Examples # Enable the ARP source suppression function. system-view [Sysname] arp source-suppression enable Related commands display arp source-suppression arp source-suppression limit Use arp source-suppression limit to set the maximum number of unresolvable IP packets that can be received from a device in five seconds. Unresolvable IP packets are packets for which ARP resolution fails. Use undo arp source-suppression limit to restore the default value, which is 10.
Default command level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
arp anti-attack source-mac Use arp anti-attack source-mac to enable the source MAC address based ARP attack detection and specify a handling method. Use undo arp anti-attack source-mac to restore the default. Syntax arp anti-attack source-mac { filter | monitor } undo arp anti-attack source-mac [ filter | monitor ] Default Source MAC address-based ARP attack detection is disabled.
Default command level 2: System level Parameters time: Age time for ARP attack entries, in the range of 60 to 6000 seconds. Examples # Set the age time for ARP attack entries to 60 seconds. system-view [Sysname] arp anti-attack source-mac aging-time 60 arp anti-attack source-mac exclude-mac Use arp anti-attack source-mac exclude-mac to exclude specific MAC addresses from source MAC address based ARP attack detection.
Syntax arp anti-attack source-mac threshold threshold-value undo arp anti-attack source-mac threshold Default The threshold for source MAC address-based ARP attack detection is 50. Views System view Default command level 2: System level Parameters threshold-value: Specifies the threshold for source MAC address-based ARP attack detection. The value ranges from 10 to 100. Examples # Configure the threshold for source MAC address-based ARP attack detection as 30.
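The following is an added example, not code from the HP device or this reference, that models source MAC address-based ARP attack detection as described by the arp anti-attack source-mac { filter | monitor }, threshold, aging-time and exclude-mac commands above. Assumptions made for the example: ARP packets are counted per source MAC over a 5-second window (the window length is not stated on this page); once the count exceeds the threshold an ARP attack entry is created and kept for the aging time; in filter mode packets from a MAC with an attack entry are dropped, in monitor mode they are only logged; excluded MACs are never checked. The class name and the traffic are constructed.

```python
"""Source MAC address based ARP attack detection (added example).

Assumptions: per-source-MAC packet count over a 5 s window (not stated on
this page); exceeding the threshold creates an attack entry that lives for
the aging time; filter mode drops, monitor mode only logs; excluded MACs
bypass the check. Traffic is constructed.
"""
from __future__ import annotations

from collections import defaultdict, deque


class ArpSourceMacDetector:
    WINDOW = 5.0  # seconds; assumed for the example

    def __init__(self, mode: str = "monitor", threshold: int = 50,
                 aging_time: int = 300, exclude: tuple[str, ...] = ()) -> None:
        if mode not in ("filter", "monitor"):          # arp anti-attack source-mac { filter | monitor }
            raise ValueError("mode must be filter or monitor")
        if not 10 <= threshold <= 100:                 # arp anti-attack source-mac threshold
            raise ValueError("threshold must be 10..100")
        if not 60 <= aging_time <= 6000:               # arp anti-attack source-mac aging-time
            raise ValueError("aging-time must be 60..6000 seconds")
        self.mode, self.threshold, self.aging_time = mode, threshold, aging_time
        self.exclude = {m.lower() for m in exclude}    # arp anti-attack source-mac exclude-mac
        self.counts: dict[str, deque[float]] = defaultdict(deque)
        self.attack_entries: dict[str, float] = {}    # mac -> expiry time
        self.log: list[str] = []

    def _age(self, now: float) -> None:
        for mac in [m for m, exp in self.attack_entries.items() if now >= exp]:
            del self.attack_entries[mac]

    def arp_packet(self, src_mac: str, now: float) -> str:
        """Process one ARP packet from src_mac (H-H-H format); return 'forward' or 'drop'."""
        mac = src_mac.lower()
        if mac in self.exclude:
            return "forward"
        self._age(now)
        if mac not in self.attack_entries:
            q = self.counts[mac]
            q.append(now)
            while q and q[0] <= now - self.WINDOW:
                q.popleft()
            if len(q) > self.threshold:
                self.attack_entries[mac] = now + self.aging_time
                self.log.append(f"t={now:.1f} ARP attack from {mac}: "
                                f"{len(q)} packets in {self.WINDOW:.0f}s > {self.threshold}")
                q.clear()
        if mac in self.attack_entries and self.mode == "filter":
            return "drop"
        return "forward"  # monitor mode: entry created and logged, traffic still forwarded


def simulate(mode: str) -> dict[str, object]:
    det = ArpSourceMacDetector(mode=mode, threshold=50, aging_time=60,
                               exclude=("000f-e2ff-0001",))
    out: dict[str, object] = {"attacker_forward": 0, "attacker_drop": 0,
                              "gateway_forward": 0, "gateway_drop": 0}
    # Constructed burst: 60 ARP packets within one second from one host.
    for i in range(60):
        out["attacker_" + det.arp_packet("000f-e2aa-bbcc", 10.0 + i / 60)] += 1
    # The same burst from the excluded MAC (for instance the gateway) is never counted.
    for i in range(60):
        out["gateway_" + det.arp_packet("000F-E2FF-0001", 10.0 + i / 60)] += 1
    out["entries"] = sorted(det.attack_entries)
    # After the aging time the entry is gone and counting starts afresh.
    out["after_aging"] = det.arp_packet("000f-e2aa-bbcc", 10.0 + 61)
    return out


if __name__ == "__main__":
    for mode in ("filter", "monitor"):
        print(mode, simulate(mode))
```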
Examples # Display the ARP attack entries detected by source MAC address-based ARP attack detection.
Examples # Enable ARP packet source MAC address consistency check.
ARP detection configuration commands
The following matrix shows the feature and hardware compatibility:
Hardware                ARP detection compatible
F1000-A-EI/F1000-S-EI   Yes
F1000-E                 No
F5000                   No
Firewall module         No
U200-A                  Yes
U200-S                  Yes
arp detection Use arp detection to configure a user validity check rule. Use undo arp detection to restore the default.
• mac-address-mask: Specifies the mask for the sender MAC address, in the format of H-H-H. • vlan vlan-id: Specifies the ID of a VLAN where this rule applies, in the range of 1 to 4094. Usage guidelines Upon receiving an ARP packet, user validity check first compares the sender IP and MAC addresses of the ARP packet against user validity check rules. If a matching rule is found, the ARP packet is processed according to the rule. If no matching rule is found, the packet is invalid and discarded.
Default The port is an ARP untrusted port. Views Layer 2 Ethernet interface view, Layer 2 aggregate interface view Default command level 2: System level Examples # Configure GigabitEthernet 0/1 as an ARP trusted port. system-view [Sysname] interface gigabitethernet 0/1 [Sysname-GigabitEthernet0/1] arp detection trust arp detection validate Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line.
[Sysname] arp detection validate dst-mac src-mac ip arp restricted-forwarding enable Use arp restricted-forwarding enable to enable ARP restricted forwarding. Use undo arp restricted-forwarding enable to disable ARP restricted forwarding. Syntax arp restricted-forwarding enable undo arp restricted-forwarding enable Default ARP restricted forwarding is disabled. Views VLAN view Default command level 2: System level Examples # Enable ARP restricted forwarding in VLAN 1.
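The following is an added example, not code from the HP device or this reference, that models ARP detection on an untrusted port as described above: the packet validity checks enabled with arp detection validate (dst-mac, src-mac, ip), followed by user validity check rules matched on the sender IP and MAC with masks and an optional VLAN, with arp detection trust ports bypassing detection. Assumptions made for the example: src-mac compares the sender MAC in the ARP body with the Ethernet source MAC; dst-mac compares the target MAC of an ARP reply with the Ethernet destination MAC and rejects all-zero or all-one values; ip rejects all-zero, all-one and multicast sender IPs, and target IPs of replies; rules carry a permit or deny action and are matched in order; a packet matching no rule is discarded, as the usage guidelines state (the binding-entry checks counted under Inspect are not modelled). Rule set, addresses and packets are constructed.

```python
"""ARP detection: packet validity check plus user validity check rules (added example).

Assumptions: src-mac = ARP sender MAC must equal the Ethernet source MAC;
dst-mac = target MAC of a reply must equal the Ethernet destination MAC and
not be all-zero/all-one; ip = sender IP (and target IP of replies) must not
be all-zero, all-one or multicast; rules are matched in order on sender
IP/MAC with masks and optional VLAN; no matching rule means discard.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

BCAST = 0xFFFFFFFFFFFF


def mac_int(mac: str) -> int:
    """Parse the H-H-H format used on the CLI, e.g. 000f-e2aa-bbcc."""
    parts = mac.lower().split("-")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"bad MAC {mac!r}")
    return int("".join(parts), 16)


def ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def bad_ip(ip: str) -> bool:
    a = ipaddress.IPv4Address(ip)
    return int(a) == 0 or int(a) == 0xFFFFFFFF or a.is_multicast


@dataclass(frozen=True)
class ArpPacket:
    eth_src: str
    eth_dst: str
    opcode: int          # 1 request, 2 reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    vlan: int


@dataclass(frozen=True)
class Rule:
    action: str                       # permit | deny
    ip: str = "any"
    ip_mask: str = "255.255.255.255"
    mac: str = "any"
    mac_mask: str = "ffff-ffff-ffff"  # H-H-H mask, as in the command
    vlan: int | None = None

    def matches(self, p: ArpPacket) -> bool:
        if self.vlan is not None and p.vlan != self.vlan:
            return False
        if self.ip != "any":
            m = ip_int(self.ip_mask)
            if (ip_int(p.sender_ip) & m) != (ip_int(self.ip) & m):
                return False
        if self.mac != "any":
            m = mac_int(self.mac_mask)
            if (mac_int(p.sender_mac) & m) != (mac_int(self.mac) & m):
                return False
        return True


def validate(p: ArpPacket, checks: frozenset[str]) -> str | None:
    """Return a drop reason, or None if the packet passes the enabled checks."""
    if "src-mac" in checks and mac_int(p.sender_mac) != mac_int(p.eth_src):
        return "src-mac mismatch"
    if "dst-mac" in checks and p.opcode == 2:
        t = mac_int(p.target_mac)
        if t in (0, BCAST) or t != mac_int(p.eth_dst):
            return "dst-mac invalid"
    if "ip" in checks and (bad_ip(p.sender_ip) or (p.opcode == 2 and bad_ip(p.target_ip))):
        return "ip invalid"
    return None


def inspect(p: ArpPacket, checks: frozenset[str], rules: list[Rule], trusted: bool = False) -> str:
    if trusted:                       # arp detection trust: no checks on trusted ports
        return "forward (trusted port)"
    reason = validate(p, checks)
    if reason:
        return f"drop ({reason})"
    for r in rules:                   # first matching user validity check rule decides
        if r.matches(p):
            return "forward" if r.action == "permit" else "drop (rule deny)"
    return "drop (no matching rule)"


CHECKS = frozenset({"dst-mac", "src-mac", "ip"})  # arp detection validate dst-mac src-mac ip
RULES = [
    Rule("deny", ip="10.1.1.1"),  # no host may claim the gateway address
    Rule("permit", ip="10.1.1.0", ip_mask="255.255.255.0",
         mac="000f-e2aa-0000", mac_mask="ffff-ffff-0000", vlan=10),
]
GW = "000f-e2ff-0001"
PACKETS = [  # constructed
    ArpPacket("000f-e2aa-0005", "ffff-ffff-ffff", 1, "000f-e2aa-0005", "10.1.1.5", "0000-0000-0000", "10.1.1.1", 10),
    ArpPacket("000f-e2aa-0005", GW, 2, "000f-e2aa-0005", "10.1.1.1", GW, "10.1.1.254", 10),  # spoofs gateway IP
    ArpPacket("0011-2233-4455", GW, 2, "000f-e2aa-0005", "10.1.1.5", GW, "10.1.1.254", 10),  # body/header MAC differ
    ArpPacket("000f-e2aa-0006", GW, 2, "000f-e2aa-0006", "10.1.1.6", "ffff-ffff-ffff", "10.1.1.254", 10),
    ArpPacket("000f-e2aa-0007", "ffff-ffff-ffff", 1, "000f-e2aa-0007", "224.0.0.9", "0000-0000-0000", "10.1.1.1", 10),
    ArpPacket("00aa-bbcc-dd01", "ffff-ffff-ffff", 1, "00aa-bbcc-dd01", "10.1.1.9", "0000-0000-0000", "10.1.1.1", 10),
]


def run() -> list[str]:
    return [inspect(p, CHECKS, RULES) for p in PACKETS]


if __name__ == "__main__":
    for p, verdict in zip(PACKETS, run()):
        print(f"{p.sender_ip:<12} {p.sender_mac}  {verdict}")
```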
ARP detection is enabled in the following VLANs: 1, 2, 4-5 Related commands arp detection enable display arp detection statistics Use display arp detection statistics to display statistics about ARP detection. This command only displays numbers of discarded packets. If no interface is specified, the statistics of all interfaces are displayed.
Field Description Inspect Number of ARP packets that failed to pass ARP detection (based on static IP Source Guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses). reset arp detection statistics Use reset arp detection statistics to clear ARP detection statistics of a specific interface. If you do not specify any interface, this command clears the statistics of all interfaces.
Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is S. When the dynamic ARP entries are changed into static, new dynamic ARP entries may be created (suppose the number is M) and some of the dynamic ARP entries may be aged out (suppose the number is N). After the process is complete, the number of static ARP entries is D + S + M – N. To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command.
[Sysname] interface gigabitethernet 0/1 [Sysname-GigabitEthernet0/1] arp scan # Configure the device to scan the specific address range for neighbors. system-view [Sysname] interface gigabitethernet 0/1 [Sysname-GigabitEthernet0/1] arp scan 1.1.1.1 to 1.1.1.20 # Configure the device to scan the network where the primary IP address of VLAN-interface 2 resides for neighbors.
TCP attack protection configuration commands display tcp status Use display tcp status to display status of all TCP connections for monitoring TCP connections. Syntax display tcp status [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Use undo tcp anti-naptha enable to disable the protection against Naptha attack. Syntax tcp anti-naptha enable undo tcp anti-naptha enable Default The protection against Naptha attack is disabled. Views System view Default command level 2: System level Usage guidelines The configurations made by using the tcp state and tcp timer check-state commands are removed after the protection against Naptha attack is disabled. Examples # Enable the protection against Naptha attack.
last-ack: LAST_ACK state of a TCP connection. syn-received: SYN_RECEIVED state of a TCP connection. connection-number number: Maximum number of TCP connections in a certain state. The argument number is in the range of 0 to 500. Usage guidelines You need to enable the protection against Naptha attack before executing this command. Otherwise, the system displays an error message. You can configure the maximum number of TCP connections separately for each state.
Syntax tcp timer check-state time-value undo tcp timer check-state Default The TCP connection state check interval is 30 seconds. Views System view Default command level 2: System level Parameters time-value: TCP connection state check interval in seconds, in the range of 1 to 60. Usage guidelines The device periodically checks the number of TCP connections in each state.
ND attack defense configuration commands
The following matrix shows the feature and hardware compatibility:
Hardware                ND attack defense compatible
F1000-A-EI/F1000-S-EI   Yes
F1000-E                 Yes
F5000                   Yes
Firewall module         Yes
U200-A                  Yes
U200-S                  No
Source MAC consistency check commands ipv6 nd mac-check enable Use ipv6 nd mac-check enable to enable source MAC consistency check for ND packets. Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND packets.
[Sysname] ipv6 nd mac-check enable
Firewall configuration commands
IPv6 packet-filter firewall configuration commands
The following matrix shows the feature and hardware compatibility:
Hardware                IPv6 packet-filter firewall compatible
F1000-A-EI/F1000-S-EI   Yes
F1000-E                 Yes
F5000                   Yes
Firewall module         Yes
U200-A                  Yes
U200-S                  No
display firewall ipv6 statistics Use display firewall ipv6 statistics to view the packet filtering statistics of the IPv6 firewall.
Interface: gigabitethernet0/1
 In-bound Policy: acl6 2000
 From 2008-06-04 10:25:21 to 2008-06-04 10:35:57
 0 packets, 0 bytes, 0% permitted
 0 packets, 0 bytes, 0% denied
 0 packets, 0 bytes, 0% permitted default
 0 packets, 0 bytes, 0% denied default
 Totally 0 packets, 0 bytes, 0% permitted
 Totally 0 packets, 0 bytes, 0% denied
Table 10 Command output
Field        Description
Interface    Interface configured with the IPv6 packet filtering function.
Views System view Default command level 2: System level Parameters deny: Specifies the filtering action as denying packets to pass the firewall. permit: Specifies the filtering action as permitting packets to pass the firewall. Examples # Specify the default filtering action of the IPv6 firewall as denying packets to pass. system-view [Sysname] firewall ipv6 default deny firewall ipv6 enable Use firewall ipv6 enable to enable the IPv6 firewall function.
Views Interface view Default command level 2: System level Parameters acl-number: Basic ACL number, in the range of 2000 to 2999; advanced ACL number, in the range of 3000 to 3999. name acl6-name: Specifies the name of a basic or advanced IPv6 ACL; a case-insensitive string of 1 to 32 characters that must start with an English letter a to z or A to Z. To avoid confusion, the word "all" cannot be used as the ACL name. inbound: Specifies to filter packets received by the interface.
ASPF configuration commands display port-mapping Use display port-mapping to view port mapping information. Syntax display port-mapping [ application-name | port port-number ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters application-name: Name of the application to be used for port mapping.
Table 11 Command output
Field      Description
SERVICE    Application layer protocol that is mapped to a port.
PORT       Number of the port for the application layer protocol.
ACL        Number of the ACL specifying the host range.
TYPE       Port mapping type: system predefined or user customized.
Related commands port-mapping firewall aspf enable Use firewall aspf enable to enable ASPF for an interzone instance. Use undo firewall aspf enable to restore the default.
Syntax port-mapping application-name port port-number [ acl acl-number ] undo port-mapping [ application-name port port-number [ acl acl-number ] ] Default There is no mapping between the port and the application layer. Views System view Default command level 2: System level Parameters application-name: Name of the application for port mapping. Available applications include FTP, GTP-C, GTP-U, GTP-V0, H323, HTTP, RTSP, SCCP, SIP, SMTP and SQLNET.
Content filtering configuration commands activex-blocking enable Use activex-blocking enable to enable ActiveX blocking. Use undo activex-blocking enable to restore the default. Syntax activex-blocking enable undo activex-blocking enable Default ActiveX blocking is disabled.
Views POP3 filtering policy view, SMTP filtering policy view Default command level 2: System level Parameters keyword-entry-name: Specifies the name of the keyword filtering entry, a case-sensitive string of 1 to 32 characters. The keyword filtering entry must already exist. Usage guidelines You can specify multiple keyword filtering entries for attachment content filtering. Examples # Create a keyword filtering entry Job and add a keyword recruitment to the entry.
Views POP3 filtering policy view, SMTP filtering policy view Default command level 2: System level Parameters filename-entry-name: Specifies the name of the filename filtering entry, a case-sensitive string of 1 to 32 characters. The filename filtering entry must already exist. Usage guidelines You can specify multiple filename filtering entries for attachment content filtering. Examples # Create a filename filtering entry ExeFile and add a filename exef to the entry.
Views HTTP filtering policy view, POP3 filtering policy view, SMTP filtering policy view Default command level 2: System level Parameters keyword-entry-name: Specifies the name of the keyword filtering entry, a case-sensitive string of 1 to 32 characters. The keyword filtering entry must already exist. Usage guidelines You can specify multiple keyword filtering entries for body filtering. Examples # Create a keyword filtering entry WordofGame and add a keyword CounterStrike to the entry.
Syntax command-filtering keyword-entry keyword-entry-name undo command-filtering keyword-entry keyword-entry-name Default No keyword filtering entry is specified for command word filtering. Views FTP filtering policy view, Telnet filtering policy view Default command level 2: System level Parameters keyword-entry-name: Specifies the name of the keyword filtering entry, a case-sensitive string of 1 to 32 characters. The keyword filtering entry must already exist.
Syntax content-filtering activex-blocking suffix keywords undo content-filtering activex-blocking suffix keywords Views System view Default command level 2: System level Parameters keywords: Specifies a blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters. Usage guidelines You can add a maximum of five ActiveX blocking suffix keywords.
[Sysname] content-filtering email-address-entry students [Sysname-contflt-email-students] Related commands email-address content-filtering filename-entry Use content-filtering filename-entry to create a filename filtering entry and enter its view. Use undo content-filtering filename-entry to remove a filename filtering entry. Syntax content-filtering filename-entry filename-entry-name undo content-filtering filename-entry filename-entry-name Default No filename filtering entry exists.
Default command level 2: System level Parameters policy-name: Specifies the name of the FTP filtering policy, a case-sensitive string of 1 to 32 characters. Usage guidelines Deleting an FTP filtering policy that has been applied in a content filtering policy template also deletes the policy application configuration (performed with the ftp-policy command) of the template. Examples # Create an FTP filtering policy FTPBanned and enter its view.
content-filtering http-policy
Use content-filtering http-policy to create an HTTP filtering policy and enter its view.
Use undo content-filtering http-policy to delete an HTTP filtering policy.
Syntax
content-filtering http-policy policy-name
undo content-filtering http-policy policy-name
Default
No HTTP filtering policy exists.
Parameters
keyword-entry-name: Specifies the name of the keyword filtering entry, a case-sensitive string of 1 to 32 characters.
Examples
# Create a keyword filtering entry WordofGame and enter its view.
system-view
[Sysname] content-filtering keyword-entry WordofGame
[Sysname-contflt-keyword-WordofGame]
Related commands
keyword fix-string
content-filtering policy-template
Use content-filtering policy-template to create a content filtering policy template and enter its view.
• ftp-policy
• telnet-policy
content-filtering pop3-policy
Use content-filtering pop3-policy to create a POP3 filtering policy and enter its view.
Use undo content-filtering pop3-policy to delete a POP3 filtering policy.
Syntax
content-filtering pop3-policy policy-name
undo content-filtering pop3-policy policy-name
Default
No POP3 filtering policy exists.
Default command level
2: System level
Parameters
policy-name: Specifies the name of the SMTP filtering policy, a case-sensitive string of 1 to 32 characters.
Usage guidelines
Deleting an SMTP filtering policy that has been applied in a content filtering policy template also deletes the policy application configuration (performed with the smtp-policy command) of the template.
Examples
# Create an SMTP filtering policy SMTPBanned and enter its view.
content-filtering url-filter parameter
Use content-filtering url-filter parameter to add URL parameter filtering keywords to the URL parameter filtering entry list.
Use undo content-filtering url-filter parameter to remove URL parameter filtering keywords from the list.
Usage guidelines
If you do not specify any parameters, this command removes all URL parameter filtering keywords in the list.
The device supports a maximum of 256 URL parameter filtering keywords, including the predefined ones.
The keywords you specify in content-filtering url-filter parameter keywords or undo content-filtering url-filter parameter keywords cannot be the same as the predefined keywords.
Examples
# Add select to the parameter filtering entry list.
Syntax
display content-filtering activex-blocking [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Specifies all ActiveX blocking suffix keywords.
item keywords: Specifies a blocking suffix keyword. It is a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters.
verbose: Specifies detailed information.
display content-filtering activex-blocking verbose
ActiveX blocking is enabled.
No ACL group has been configured.
There are 5 packet(s) being filtered.
There are 0 packet(s) being passed.
display content-filtering java-blocking
Use display content-filtering java-blocking to display information about java blocking.
2            0            .JAR
3            0            .java
Table 14 Command output
Field        Description
SN           Serial number.
Match-Times  Number of times that the suffix keyword has been matched.
Keywords     Java blocking suffix keyword.
# Display detailed information about java blocking.
display content-filtering java-blocking verbose
Java blocking is enabled.
No ACL group has been configured.
There are 10 packet(s) being filtered.
There are 0 packet(s) being passed.
Examples
# Display brief information about URL parameter filtering.
display content-filtering url-filter parameter
URL-filter parameter is enabled.
# Display URL parameter filtering information about a specific keyword.
display content-filtering url-filter parameter item ^select$
The HTTP request packet including "^select$" had been matched for 10 times.
# Display URL parameter filtering information about all keywords.
Parameters
vd vd-name: Displays the content filtering statistics of the specified VD. The vd-name argument specifies the name of the VD, a case-insensitive string of 1 to 20 characters. If this option is not specified, this command displays the content filtering statistics of the default VD.
Examples
# Display the content filtering statistics of the VD test.
Views
FTP filtering policy view
Default command level
2: System level
Parameters
filename-entry-name: Specifies the name of the filename filtering entry for download filename filtering, a case-sensitive string of 1 to 32 characters. The filename filtering entry must already exist.
Usage guidelines
You can specify multiple filename filtering entries for download filename filtering.
Examples
# Create a filename filtering entry ExeFile and add a filename exef to the entry.
Usage guidelines
You can add up to 16 email addresses to an email address filtering entry.
You can use one or two wildcard asterisks (*) to replace any characters except for the dot (.). An email address containing wildcards can only be in the format *@domain name or *@*domain name.
Examples
# Add an email address hanmeimei@sina.com to the email address filtering entry students.
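The wildcard rules above are easy to get wrong when building an entry, so here is an added Python model of them (example code, not part of the HP reference and not the device's own matching code). It assumes that each asterisk matches zero or more characters other than a dot and that comparison is exact-case; the entry name and the non-HP addresses are constructed.

```python
import re

MAX_ADDRESSES_PER_ENTRY = 16  # documented limit per email address filtering entry

# Documented wildcard shapes: "*@domain name" or "*@*domain name".
_WILDCARD_SHAPE = re.compile(r"^\*@(\*)?[^*@]+$")


def is_valid_address(address: str) -> bool:
    """True if the email-address command's format rules accept this address."""
    stars = address.count("*")
    if stars == 0:
        local, sep, domain = address.partition("@")
        return bool(sep and local and domain and "@" not in domain)
    if stars > 2:                      # only one or two asterisks are allowed
        return False
    return _WILDCARD_SHAPE.match(address) is not None


def to_regex(pattern: str) -> "re.Pattern[str]":
    # Assumption: "*" stands for any run of characters except ".", so a
    # pattern can never span a subdomain boundary (the documented dot rule).
    escaped = re.escape(pattern).replace(r"\*", r"[^.]*")
    return re.compile(f"^{escaped}$")


class EmailAddressEntry:
    """Constructed stand-in for one email address filtering entry."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._patterns: list[tuple[str, "re.Pattern[str]"]] = []

    def add(self, address: str) -> None:
        if not is_valid_address(address):
            raise ValueError(f"{address!r} violates the email-address format rules")
        if len(self._patterns) >= MAX_ADDRESSES_PER_ENTRY:
            raise ValueError(f"entry {self.name} already holds {MAX_ADDRESSES_PER_ENTRY} addresses")
        self._patterns.append((address, to_regex(address)))

    def matches(self, address: str) -> bool:
        """True if any literal or wildcard address in the entry covers this address."""
        return any(rx.match(address) for _, rx in self._patterns)


if __name__ == "__main__":
    students = EmailAddressEntry("students")
    students.add("hanmeimei@sina.com")   # the literal address from the example
    students.add("*@*mail.example")      # constructed wildcard address
    print(students.matches("lilei@webmail.example"))   # True
    print(students.matches("lilei@a.webmail.example")) # False: "*" cannot cross a dot
```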
ftp-policy
Use ftp-policy to apply an FTP filtering policy to a content filtering policy template.
Use undo ftp-policy to remove the application of an FTP filtering policy.
Syntax
ftp-policy policy-name
undo ftp-policy policy-name
Default
No FTP filtering policy is applied to a content filtering policy template.
Parameters
keyword-entry-name: Specifies the name of the keyword filtering entry, a case-sensitive string of 1 to 32 characters. The keyword filtering entry must already exist.
Usage guidelines
You can specify multiple keyword filtering entries for HTTP header filtering.
Examples
# Create a keyword filtering entry HttpChunked and add a keyword chunked to the entry.
Related commands
content-filtering http-policy
illegal-command-blocking enable
Use illegal-command-blocking enable to enable illegal command word blocking in an SMTP filtering policy.
Use undo illegal-command-blocking enable to restore the default.
Syntax
illegal-command-blocking enable
undo illegal-command-blocking enable
Default
Illegal command word blocking is disabled in an SMTP filtering policy.
Examples
# Enable java applet blocking in the HTTP filtering policy HTTPBanned.
system-view
[Sysname] content-filtering http-policy HTTPBanned
[Sysname-contflt-http-policy-HTTPBanned] java-applet-blocking enable
keyword fix-string
Use keyword fix-string to add a keyword to a keyword filtering entry.
Use undo keyword fix-string to remove a keyword from a keyword filtering entry.
Views
FTP filtering policy view, HTTP filtering policy view, POP3 filtering policy view, SMTP filtering policy view, Telnet filtering policy view
Default command level
2: System level
Usage guidelines
Content filtering logging takes effect only when interzone policy rule logging (specified by the logging keyword) is enabled.
Examples
# Enable logging in the HTTP filtering policy HTTPBanned.
system-view
[Sysname] content-filtering smtp-policy SMTPBanned
[Sysname-contflt-smtp-policy-SMTPBanned] oversize-mail-blocking enable maxsize 2100
pop3-policy
Use pop3-policy to apply a POP3 filtering policy to a content filtering policy template.
Use undo pop3-policy to remove the application of a POP3 filtering policy.
Syntax
pop3-policy policy-name
undo pop3-policy policy-name
Default
No POP3 filtering policy is applied to a content filtering policy template.
Views
POP3 filtering policy view, SMTP filtering policy view
Default command level
2: System level
Parameters
email-entry-name: Specifies the name of the email address filtering entry for receiver filtering, a case-sensitive string of 1 to 32 characters. The email address filtering entry must already exist.
Usage guidelines
You can specify multiple email address filtering entries for receiver filtering.
Parameters
vd vd-name: Clears the content filtering statistics of the specified VD. The vd-name argument specifies the name of the VD, a case-insensitive string of 1 to 20 characters. Without this option, this command clears the content filtering statistics of the default VD.
Examples
# Clear the content filtering statistics of the VD test.
# Apply the email address filtering entry Anysuspicious for sender filtering in the POP3 filtering policy POP3Banned.
[Sysname] content-filtering pop3-policy POP3Banned
[Sysname-contflt-pop3-policy-POP3Banned] sender-filtering email-entry Anysuspicious
Related commands
• content-filtering email-address-entry
• content-filtering smtp-policy
• content-filtering pop3-policy
smtp-policy
Use smtp-policy to apply an SMTP filtering policy to a content filtering policy template.
undo subject-filtering keyword-entry keyword-entry-name
Default
No keyword filtering entry is specified for subject filtering.
Views
POP3 filtering policy view, SMTP filtering policy view
Default command level
2: System level
Parameters
keyword-entry-name: Specifies the name of the keyword filtering entry for subject filtering, a case-sensitive string of 1 to 32 characters. The keyword filtering entry must already exist.
Views
Content filtering policy template view
Default command level
2: System level
Parameters
policy-name: Specifies the name of the Telnet filtering policy, a case-sensitive string of 1 to 32 characters. The Telnet filtering policy must already exist.
Usage guidelines
This command enables Telnet content filtering based on the Telnet filtering policy.
Examples
# Apply the Telnet filtering policy TelnetBanned to the content filtering policy template StrictRule.
[Sysname] content-filtering filename-entry ExeFile
[Sysname-contflt-filename-ExeFile] filename exe
[Sysname-contflt-filename-ExeFile] quit
# Apply the filename filtering entry ExeFile for upload filename filtering in the FTP filtering policy FTPBanned.
url-hostname fix-string
Use url-hostname fix-string to add a URL hostname to a URL hostname filtering entry.
Use undo url-hostname fix-string to remove a URL hostname from a URL hostname filtering entry.
Syntax
url-hostname fix-string url-hostname
undo url-hostname fix-string url-hostname
Default
A URL hostname filtering entry does not have any URL hostname.
Examples
# Add a hostname www.CounterStrike.com to the URL hostname filtering entry HostofGame.
system-view
[Sysname] content-filtering url-hostname-entry HostofGame
[Sysname-contflt-url-hostname-HostofGame] url-hostname fix-string www.CounterStrike.com
url-ip-blocking enable
Use url-ip-blocking enable to enable URL IP address blocking.
Use undo url-ip-blocking enable to restore the default.
Syntax
url-ip-blocking enable
undo url-ip-blocking enable
Default
URL IP address blocking is disabled.
Usage guidelines
When URL parameter blocking is enabled in an HTTP filtering policy, the system checks whether HTTP packets contain illegal URL parameters.
Examples
# Enable URL parameter blocking in the HTTP filtering policy HTTPBanned.
URPF configuration commands
ip urpf
Use ip urpf to enable URPF check for a security zone to prevent source address spoofing attacks.
Use undo ip urpf to disable URPF check.
Syntax
ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
undo ip urpf
Default
URPF check is disabled.
Views
Security zone view
Default command level
2: System level
Parameters
loose: Enables loose URPF check.
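To make the difference between the loose and strict keywords and the effect of allow-default-route concrete, here is an added Python model of the URPF decision (example code, not from the HP reference and not the device's forwarding logic). It assumes standard unicast RPF semantics: strict mode requires the route back to the source to leave through the ingress zone, loose mode only requires that some route exists, and a source covered only by the default route fails unless allow-default-route is given; the acl keyword is not modelled, and the FIB, zones and addresses are constructed.

```python
import ipaddress

# Constructed forwarding table: (prefix, security zone the route points out of).
FIB = [
    ("10.1.0.0/16", "Trust"),     # internal network
    ("192.0.2.0/24", "Untrust"),  # a known external prefix
    ("0.0.0.0/0", "Untrust"),     # default route toward the Internet
]


def lookup(src: str):
    """Longest-prefix match of a source address; returns (network, zone) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, zone in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best


def urpf_check(src: str, ingress_zone: str, mode: str,
               allow_default_route: bool = False) -> bool:
    """Return True if a packet from src arriving on ingress_zone passes URPF.

    mode is "loose" or "strict", mirroring the ip urpf keywords.
    """
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    hit = lookup(src)
    if hit is None:
        return False                   # no route back to the source at all
    net, egress_zone = hit
    if net.prefixlen == 0 and not allow_default_route:
        return False                   # matched only the default route (assumption)
    if mode == "loose":
        return True                    # any route back to the source is enough
    return egress_zone == ingress_zone  # strict: reverse path must use the ingress zone


if __name__ == "__main__":
    # A packet claiming an internal address but arriving from Untrust is
    # the spoofing case strict mode is meant to catch.
    print(urpf_check("10.1.2.3", "Untrust", "strict"))                           # False
    print(urpf_check("10.1.2.3", "Untrust", "loose"))                            # True
    print(urpf_check("203.0.113.5", "Untrust", "strict", allow_default_route=True))  # True
```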
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention       Description
Boldface         Bold text represents commands and keywords that you enter literally as shown.
Italic           Italic text represents arguments that you replace with actual values.
[ ]              Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }  Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
(The icon images are not reproduced here; only their descriptions follow.)
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents a firewall product or a UTM device.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.