HP VPN Firewall Appliances Attack Protection Command Reference
Part number: 5998-4177
Software version: F1000-A-EI/F1000-S-EI (Feature 3726), F1000-E (Release 3177), F5000 (Feature 3211), F5000-S/F5000-C (Release 3808), VPN firewall modules (Release 3177), 20-Gbps VPN firewall modules (Release 3817)
Document version: 6PW101-20130923
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Attack detection and protection commands
attack-defense apply policy
Use attack-defense apply policy to apply an attack protection policy to a security zone.
Use undo attack-defense apply policy to restore the default.
Syntax
attack-defense apply policy policy-number
undo attack-defense apply policy
Default
No attack protection policy is applied to a security zone.
undo attack-defense logging enable
Default
Attack protection logging is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable attack protection logging.
system-view
[Sysname] attack-defense logging enable
attack-defense policy
Use attack-defense policy to create an attack protection policy and enter attack protection policy view.
Use undo attack-defense policy to delete an attack protection policy.
Use undo blacklist enable to restore the default.
Syntax
blacklist enable
undo blacklist enable
Default
The blacklist function is disabled.
Views
System view, VD system view
Default command level
2: System level
Usage guidelines
After the blacklist function is enabled, you can add blacklist entries manually or configure the device to add blacklist entries automatically. The auto-blacklist function must cooperate with the scanning attack protection function or the user login authentication function.
all: Specifies all blacklist entries.
timeout minutes: Specifies an aging time for the blacklist entry. The minutes argument is the aging time in minutes, in the range of 1 to 1000. If you do not specify the aging time, the blacklist entry never ages out and exists until you delete it manually.
Usage guidelines
You can use the undo blacklist ip source-ip-address timeout command to cancel the aging time specified for a manually added blacklist entry.
defense dns-flood ip
Use defense dns-flood ip to configure the action and silence thresholds for DNS flood attack protection of a specific IP address.
Use undo defense dns-flood ip to remove the configuration.
Syntax
defense dns-flood ip ip-address rate-threshold high rate-number [ low rate-number ]
undo defense dns-flood ip ip-address [ rate-threshold ]
Default
No DNS flood attack protection thresholds are configured for an IP address.
defense dns-flood rate-threshold Use defense dns-flood rate-threshold to configure the global action and global silence thresholds for DNS flood attack protection. The device uses the global attack protection thresholds to protect IP addresses for which you do not specifically configure attack protection parameters. Use undo defense dns-flood rate-threshold to restore the default.
defense icmp-flood action drop-packet
Use defense icmp-flood action drop-packet to configure the device to drop ICMP flood attack packets.
Use undo defense icmp-flood action to restore the default.
Syntax
defense icmp-flood action drop-packet
undo defense icmp-flood action
Default
The device only outputs alarm logs if it detects an ICMP flood attack.
Examples
# Enable ICMP flood attack protection in attack protection policy 1.
system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense icmp-flood enable
Related commands
• defense icmp-flood action drop-packet
• defense icmp-flood ip
• defense icmp-flood rate-threshold
• display attack-defense policy
defense icmp-flood ip
Use defense icmp-flood ip to configure the action and silence thresholds for ICMP flood attack protection of a specific IP address.
Examples
# Enable ICMP flood attack protection for IP address 192.168.1.2, and set the action threshold to 2000 packets per second and the silence threshold to 1000 packets per second.
system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense icmp-flood ip 192.168.1.
bandwidth of the protected network is small, set a smaller silence threshold to help release the traffic pressure.
Examples
# Set the global action threshold to 3000 packets per second and the global silence threshold to 1000 packets per second for ICMP flood attack.
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense scan enable
# Set the connection rate threshold for triggering scanning attack protection to 2000 connections per second.
[Sysname-attack-defense-policy-1] defense scan max-rate 2000
# Enable the blacklist function for scanning attack protection, and specify the blacklist entry aging time as 20 minutes.
• defense scan enable
• defense scan max-rate
defense scan enable
Use defense scan enable to enable scanning attack protection.
Use undo defense scan enable to restore the default.
Syntax
defense scan enable
undo defense scan enable
Default
Scanning attack protection is disabled.
Views
Attack protection policy view
Default command level
2: System level
Usage guidelines
With scanning attack protection enabled, a device checks the connection rate by IP address.
undo defense scan max-rate
Views
Attack protection policy view
Default command level
2: System level
Parameters
rate-number: Specifies the threshold of the connection establishment rate (number of connections established in a second) that triggers scanning attack protection, in the range of 1 to 10000.
Usage guidelines
With scanning attack protection enabled, a device checks the connection rate by IP address.
Parameters
drop-packet: Drops all subsequent connection requests to the attacked IP address.
trigger-tcp-proxy: Adds a protected IP address entry for the attacked IP address and triggers the TCP proxy function.
Examples
# Configure the SYN flood protection policy to drop SYN flood attack packets.
Use undo defense syn-flood ip to remove the configuration.
Syntax
defense syn-flood ip ip-address rate-threshold high rate-number [ low rate-number ]
undo defense syn-flood ip ip-address [ rate-threshold ]
Default
No SYN flood attack protection thresholds are configured for an IP address.
Views
Attack protection policy view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address to be protected. This IP address cannot be a broadcast address, 127.0.0.
Use undo defense syn-flood rate-threshold to restore the default.
Syntax
defense syn-flood rate-threshold high rate-number [ low rate-number ]
undo defense syn-flood rate-threshold
Default
The global action threshold is 1000 packets per second and the global silence threshold is 750 packets per second.
Views
Attack protection policy view
Default command level
2: System level
Parameters
high rate-number: Sets the global action threshold for SYN flood attack protection.
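The action/silence threshold pair behaves the same way for every flood type on this page (ICMP, UDP, DNS and SYN): the device enters attack state when the packet rate to an address exceeds the action threshold, and leaves it only once the rate has fallen below the silence threshold, with per-address thresholds overriding the global pair. The following Python model is an added illustration of that hysteresis, not code from the HP manual or the firewall software. It assumes a strict "exceeds" (greater than) comparison for the action threshold and "below" (less than) for the silence threshold, uses the SYN flood defaults of 1000/750 stated on the page, and reuses the 2000/1000 per-IP values from the page's ICMP example; the address 10.0.0.1 is constructed.

```python
from dataclasses import dataclass, field

# Actions the page lists for a flood protection policy: drop subsequent
# packets, or only output an alarm log.
DROP_PACKET = "drop-packet"
SYSLOG = "syslog"


@dataclass
class FloodProtection:
    """Action/silence thresholds of one flood type (SYN, ICMP, UDP or DNS).

    global_high / global_low correspond to 'defense <type>-flood rate-threshold
    high ... low ...'; per_ip holds per-address overrides configured with
    'defense <type>-flood ip <ip> rate-threshold high ... low ...'.
    The 1000/750 defaults are the SYN flood defaults stated on the page.
    """
    global_high: int = 1000
    global_low: int = 750
    action: str = SYSLOG
    per_ip: dict = field(default_factory=dict)      # ip -> (high, low)
    under_attack: set = field(default_factory=set)  # ips currently in attack state

    def thresholds(self, ip):
        # Addresses without their own thresholds fall back to the global pair.
        return self.per_ip.get(ip, (self.global_high, self.global_low))

    def observe(self, ip, rate_pps):
        """Evaluate one sampling interval. Returns (state, disposition, event).

        Assumption: attack state is entered when the rate exceeds the action
        threshold and left only when the rate drops below the silence
        threshold. The gap between the two stops the policy flapping around a
        single threshold while an attack tails off.
        """
        high, low = self.thresholds(ip)
        event = None
        if ip not in self.under_attack:
            if rate_pps > high:
                self.under_attack.add(ip)
                event = f"alarm: {rate_pps} pps to {ip} exceeds action threshold {high}"
        elif rate_pps < low:
            self.under_attack.discard(ip)
            event = f"clear: {rate_pps} pps to {ip} below silence threshold {low}"
        attacking = ip in self.under_attack
        disposition = "drop" if attacking and self.action == DROP_PACKET else "forward"
        return ("attack" if attacking else "normal", disposition, event)


def run_trace(policy, samples):
    """Feed (ip, rate) samples in order; return a list of (ip, state, disposition)."""
    return [(ip, *policy.observe(ip, rate)[:2]) for ip, rate in samples]


if __name__ == "__main__":
    # Constructed trace: 192.168.1.2 carries the 2000/1000 override from the page's
    # ICMP example; 10.0.0.1 (constructed) falls back to the global 1000/750 pair.
    policy = FloodProtection(action=DROP_PACKET, per_ip={"192.168.1.2": (2000, 1000)})
    samples = [("192.168.1.2", 1500), ("192.168.1.2", 2500), ("192.168.1.2", 1200),
               ("192.168.1.2", 900), ("10.0.0.1", 1200), ("10.0.0.1", 800), ("10.0.0.1", 700)]
    for row in run_trace(policy, samples):
        print(row)
```

The trace shows why the page recommends a lower silence threshold on a small link: 192.168.1.2 keeps dropping at 1200 pps because that is still above its 1000 pps silence threshold, and only returns to normal forwarding at 900 pps.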
Use undo defense udp-flood action to restore the default.
Syntax
defense udp-flood action drop-packet
undo defense udp-flood action
Default
The device only outputs alarm logs if it detects a UDP flood attack.
Views
Attack protection policy view
Default command level
2: System level
Examples
# Configure attack protection policy 1 to drop UDP flood packets.
Related commands
• defense udp-flood action drop-packet
• defense udp-flood rate-threshold
• defense udp-flood ip
• display attack-defense policy
defense udp-flood ip
Use defense udp-flood ip to configure the action and silence thresholds for UDP flood attack protection of a specific IP address.
Use undo defense udp-flood ip to remove the configuration.
Related commands
• defense udp-flood action drop-packet
• defense udp-flood enable
• display attack-defense policy
defense udp-flood rate-threshold
Use defense udp-flood rate-threshold to configure the global action and silence thresholds for UDP flood attack protection. The device uses the global attack protection thresholds to protect the IP addresses for which you do not specifically configure attack protection parameters.
Use undo defense udp-flood rate-threshold to restore the default.
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense udp-flood rate-threshold high 3000 low 1000
Related commands
• defense udp-flood action drop-packet
• defense udp-flood enable
• display attack-defense policy
display attack-defense policy
Use display attack-defense policy to display the configuration information about one or all attack protection policies.
Large ICMP attack-defense Max-length : Enabled : 250 bytes TCP flag attack-defense : Enabled Tracert attack-defense : Enabled Fraggle attack-defense : Enabled WinNuke attack-defense : Enabled LAND attack-defense : Enabled Source route attack-defense : Enabled Route record attack-defense : Enabled Scan attack-defense : Enabled Add to blacklist : Enabled Blacklist timeout : 10 minutes Max-rate : 1000 connections/s Signature-detect action : Drop-packet --------------------------------
192.168.2.1 2000 1000
Table 1 Command output
Field - Description
Policy number - Sequence number of the attack protection policy.
Bound zones - Security zones to which the attack protection policy is applied.
Smurf attack-defense - Whether Smurf attack protection is enabled.
ICMP redirect attack-defense - Whether ICMP redirect attack protection is enabled.
ICMP unreachable attack-defense - Whether ICMP unreachable attack protection is enabled.
Field - Description
UDP flood action - Action to be taken when a UDP flood attack is detected. It can be Drop-packet (dropping subsequent packets) or Syslog (outputting an alarm log).
UDP flood high-rate - Global action threshold for UDP flood attack protection.
UDP flood low-rate - Global silence threshold for UDP flood attack protection.
UDP flood attack on IP - UDP flood attack protection settings for specific IP addresses.
SYN flood attack-defense - Whether SYN flood attack protection is enabled.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Table 2 Command output
Field - Description
Zone - Security zone to which an attack protection policy is applied.
Attack policy number - Sequence number of the attack protection policy.
Fraggle attacks - Number of Fraggle attacks.
Fraggle packets dropped - Number of Fraggle packets dropped.
ICMP redirect attacks - Number of ICMP redirect attacks.
ICMP redirect packets dropped - Number of ICMP redirect packets dropped.
ICMP unreachable attacks - Number of ICMP unreachable attacks.
Related commands
• attack-defense policy
• attack-defense apply policy
display blacklist
Use display blacklist to display information about one or all blacklist entries.
Syntax
display blacklist { all | ip source-ip-address } [ vd vd-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Displays information about all blacklist entries.
ip source-ip-address: Displays information about the blacklist entry for an IP address.
Table 3 Command output
Field - Description
Blacklist - Whether the blacklist function is enabled.
Blacklist items - Number of blacklist entries.
IP - IP address of the blacklist entry.
Type - Type of the blacklist entry:
• manual: The entry was added manually.
• auto: The entry was added automatically by the scanning attack protection function.
Aging started - Time when the blacklist entry was added.
Aging finished - Aging time of the blacklist entry. Never means that the entry never ages out.
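The blacklist commands above (manual entries with an optional timeout, automatic entries added by scanning attack protection once a source exceeds the max-rate, and the manual/auto, Aging started and Aging finished fields of display blacklist) fit together as one small mechanism. The Python below is an added model of that mechanism, written for this page and not taken from the HP manual or the firewall software. It assumes a one-second counting window for "connections per second", that an entry is enforced until its aging time is reached, and that a blacklisted source is blocked before any further rate counting; the 20-minute aging time comes from the page's scanning example, while all addresses and timestamps are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class BlacklistEntry:
    ip: str
    entry_type: str                  # "manual" or "auto", as in the display blacklist output
    aging_started: float             # time the entry was added (seconds)
    aging_finished: Optional[float]  # None renders as "Never": the entry stays until deleted


class Blacklist:
    def __init__(self):
        self.entries = {}

    def add(self, ip, now, timeout_minutes=None, entry_type="manual"):
        # blacklist ip <ip> [ timeout <minutes> ]: without a timeout the entry never ages out.
        finished = None if timeout_minutes is None else now + timeout_minutes * 60
        self.entries[ip] = BlacklistEntry(ip, entry_type, now, finished)

    def remove(self, ip):
        self.entries.pop(ip, None)

    def is_blocked(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None:
            return False
        if entry.aging_finished is not None and now >= entry.aging_finished:
            del self.entries[ip]     # the entry has aged out
            return False
        return True

    def display(self):
        # Rows in the shape of the display blacklist table on the page.
        return [(e.ip, e.entry_type, e.aging_started,
                 "Never" if e.aging_finished is None else e.aging_finished)
                for e in self.entries.values()]


class ScanProtection:
    """Per-source connection-rate check that feeds the blacklist automatically.

    max_rate is the 'defense scan max-rate' value; blacklist_timeout_minutes is
    the aging time given to auto entries (20 minutes in the page's example).
    """
    def __init__(self, blacklist, max_rate, blacklist_timeout_minutes):
        self.blacklist = blacklist
        self.max_rate = max_rate
        self.timeout = blacklist_timeout_minutes
        self.windows = defaultdict(deque)   # source ip -> timestamps of new connections

    def new_connection(self, src_ip, now):
        """Return 'blocked', 'scan-detected' or 'allowed' for one new connection attempt."""
        if self.blacklist.is_blocked(src_ip, now):
            return "blocked"
        window = self.windows[src_ip]
        window.append(now)
        while now - window[0] >= 1.0:       # assumption: one-second sliding window
            window.popleft()
        if len(window) > self.max_rate:
            self.blacklist.add(src_ip, now, self.timeout, entry_type="auto")
            return "scan-detected"
        return "allowed"


if __name__ == "__main__":
    scan = ScanProtection(Blacklist(), max_rate=3, blacklist_timeout_minutes=20)
    # Constructed burst: five connection attempts from one source within half a second.
    for t in (0.0, 0.1, 0.2, 0.3, 0.4):
        print(t, scan.new_connection("192.168.1.2", t))
    print(scan.blacklist.display())
```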
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the traffic statistics of source IP address 192.168.1.2.
display flow-statistics statistics source-ip 192.168.1.2
Flow Statistics Information
----------------------------------------------------------
IP Address : 192.168.1.
Field - Description
ICMP session establishment rate - ICMP connection establishment rate.
RAWIP sessions - Number of RAWIP connections.
RAWIP session establishment rate - RAWIP connection establishment rate.
TCP packet count - Number of TCP packets.
TCP byte count - Number of TCP bytes.
UDP packet count - Number of UDP packets.
UDP byte count - Number of UDP bytes.
ICMP packet count - Number of ICMP packets.
ICMP byte count - Number of ICMP bytes.
RAWIP packet count - Number of RAWIP packets.
Examples # Display the inbound traffic statistics for security zone trust.
Views Any view Default command level 1: Monitor level Parameters vd vd-name: Displays the protected IP addresses of the specified VD. The vd-name argument refers to the VD name, a case-insensitive string of 1 to 20 characters. If you do not specify this option, this command displays the protected IP addresses of the default VD. Examples # Display information about all IP addresses protected by the TCP proxy function.
Default command level
2: System level
Parameters
destination-ip: Collects statistics on packets sent out of the security zone by destination IP address.
inbound: Collects statistics on packets to the security zone.
outbound: Collects statistics on packets sent out of the security zone.
source-ip: Collects statistics on packets to the security zone by source IP address.
Usage guidelines
Multiple types of traffic statistics collection can be enabled for a security zone.
reset attack-defense statistics vd vdtest zone trust Related commands display attack-defense statistics zone signature-detect Use signature-detect to enable signature detection of a single-packet attack. Use undo signature-detect to disable signature detection of a single-packet attack.
signature-detect action drop-packet
Use signature-detect action drop-packet to configure the device to drop single-packet attack packets.
Use undo signature-detect action to restore the default.
Syntax
signature-detect action drop-packet
undo signature-detect action
Default
The device only outputs alarm logs if it detects a single-packet attack.
Views
Attack protection policy view
Default command level
2: System level
Examples
# Configure attack protection policy 1 to drop single-packet attack packets.
Usage guidelines
With signature detection of large ICMP attack enabled, a device considers all ICMP packets longer than the specified maximum length as large ICMP attack packets. This command is effective only when signature detection of large ICMP attack is enabled.
Examples
# Enable signature detection of large ICMP attack, set the ICMP packet length threshold that triggers large ICMP attack protection to 5000 bytes, and configure the device to drop ICMP packets longer than the specified maximum length.
[Sysname] zone name untrust
[Sysname-zone-untrust] tcp-proxy enable
Related commands
• defense syn-flood action
• tcp-proxy mode
• display tcp-proxy protected-ip
tcp-proxy mode
Use tcp-proxy mode to set the TCP proxy operating mode.
Use undo tcp-proxy mode to restore the default.
Syntax
tcp-proxy mode unidirection
undo tcp-proxy mode
Default
TCP proxy operates in bidirectional mode when enabled.
Default No IP address is protected by TCP proxy. Views System view, VD system view Default command level 2: System level Parameters destination-ip-address: Specifies the IP address protected by TCP proxy. port: Specifies the port number protected by TCP proxy. port-number: Specifies the destination port number of a TCP connection, in the range of 1 to 65535. any: Specifies TCP connections with the specified destination IP address and any destination port number.
ARP attack protection commands
IP flood protection configuration commands
arp resolving-route enable
Use arp resolving-route enable to enable ARP blackhole routing.
Use undo arp resolving-route enable to disable the function.
Syntax
arp resolving-route enable
undo arp resolving-route enable
Default
The ARP blackhole routing function is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable ARP blackhole routing.
Examples
# Enable the ARP source suppression function.
system-view
[Sysname] arp source-suppression enable
Related commands
display arp source-suppression
arp source-suppression limit
Use arp source-suppression limit to set the maximum number of unresolvable IP packets that can be received from a device in 5 seconds. Unresolvable IP packets are packets whose destination cannot be resolved by ARP.
Use undo arp source-suppression limit to restore the default value, which is 10.
Default command level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
arp anti-attack source-mac
Use arp anti-attack source-mac to enable source MAC-based ARP attack detection and specify a handling method.
Use undo arp anti-attack source-mac to restore the default.
Syntax
arp anti-attack source-mac { filter | monitor }
undo arp anti-attack source-mac [ filter | monitor ]
Default
Source MAC-based ARP attack detection is disabled.
Views
System view
Default command level
2: System level
Parameters
time: Aging time for ARP attack entries, in the range of 60 to 6000 seconds.
Examples
# Set the aging time for ARP attack entries to 60 seconds.
system-view
[Sysname] arp anti-attack source-mac aging-time 60
arp anti-attack source-mac exclude-mac
Use arp anti-attack source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection.
arp anti-attack source-mac threshold
Use arp anti-attack source-mac threshold to configure the threshold for source MAC-based ARP attack detection. If the number of ARP packets from a MAC address within 5 seconds exceeds this threshold, the device recognizes this as an attack.
Use undo arp anti-attack source-mac threshold to restore the default.
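The four arp anti-attack source-mac commands above describe one detector: count ARP packets per source MAC over a 5-second window, compare the count against the threshold, record an ARP attack entry that ages out after the configured time, skip excluded MACs, and either only monitor or also filter. The Python below is an added model of that detector, written for this page rather than taken from the HP manual or the firewall software. It assumes a sliding 5-second window, that filter mode drops every ARP packet from a MAC while its attack entry exists, and that the entry's aging clock starts at detection; the threshold and aging values passed in, and all MAC addresses and interface names, are constructed (the page does not state the default threshold or aging time).

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5   # the page's detection window: ARP packets per MAC within 5 seconds


class ArpSourceMacDetector:
    def __init__(self, threshold, aging_time, mode="monitor", exclude=()):
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be filter or monitor")
        if not 60 <= aging_time <= 6000:
            raise ValueError("aging time must be in the range of 60 to 6000 seconds")
        self.threshold = threshold            # arp anti-attack source-mac threshold
        self.aging_time = aging_time          # arp anti-attack source-mac aging-time
        self.mode = mode                      # arp anti-attack source-mac { filter | monitor }
        self.exclude = {m.lower() for m in exclude}   # arp anti-attack source-mac exclude-mac
        self.windows = defaultdict(deque)     # mac -> timestamps of recent ARP packets
        self.attack_entries = {}              # mac -> {"interface": ..., "detected_at": ...}

    def _expire(self, now):
        # Attack entries age out after aging_time seconds (assumption: measured from detection).
        for mac in [m for m, e in self.attack_entries.items()
                    if now - e["detected_at"] >= self.aging_time]:
            del self.attack_entries[mac]

    def handle_arp(self, src_mac, interface, now):
        """Return 'forward' or 'drop' for one ARP packet seen at time now (seconds)."""
        mac = src_mac.lower()
        self._expire(now)
        if mac in self.exclude:
            return "forward"                  # excluded MACs are never counted
        window = self.windows[mac]
        window.append(now)
        while now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) > self.threshold and mac not in self.attack_entries:
            self.attack_entries[mac] = {"interface": interface, "detected_at": now}
        if mac in self.attack_entries and self.mode == "filter":
            return "drop"                     # filter mode: drop until the entry ages out
        return "forward"                      # monitor mode only records the entry

    def display(self):
        # Rows in the spirit of display arp anti-attack source-mac: (MAC, interface, detected_at).
        return [(mac, e["interface"], e["detected_at"])
                for mac, e in sorted(self.attack_entries.items())]


if __name__ == "__main__":
    # Constructed burst: four ARP packets from one MAC in four seconds against a threshold of 3.
    det = ArpSourceMacDetector(threshold=3, aging_time=60, mode="filter",
                               exclude=("00:00:5e:00:01:01",))
    for t in range(0, 5):
        print(t, det.handle_arp("00:11:22:33:44:55", "GE0/1", t))
    print(det.display())
```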
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any interface, the display arp anti-attack source-mac command displays ARP attack entries detected on all interfaces.
Examples
# Display the ARP attack entries detected by source MAC-based ARP attack detection.
Views
System view
Default command level
2: System level
Usage guidelines
After you execute the arp anti-attack valid-check enable command, the gateway device can filter out ARP packets whose source MAC address in the Ethernet header differs from the sender MAC address in the ARP message.
Examples
# Enable ARP packet source MAC address consistency check.
Default command level 2: System level Usage guidelines This feature is configured on gateway devices to identify invalid ARP packets. Examples # Enable the ARP active acknowledgement function.
permit: Permits the matching ARP packets. ip { any | ip-address [ ip-address-mask ] }: Specifies the sender IP address range. • any: Matches any sender IP address. • ip-address: Matches a sender IP address. • ip-address-mask: Specifies the mask for the sender IP address in dotted decimal format. If no mask is specified, the ip-address argument specifies a host IP address. mac { any | mac-address [ mac-address-mask ] }: Specifies the sender MAC address range. • any: Matches any sender MAC address.
[Sysname] vlan 2
[Sysname-Vlan2] arp detection enable
arp detection trust
Use arp detection trust to configure the port as an ARP trusted port.
Use undo arp detection trust to restore the default.
Syntax
arp detection trust
undo arp detection trust
Default
The port is an ARP untrusted port.
Views
Layer 2 Ethernet interface view, Layer 2 aggregate interface view
Default command level
2: System level
Examples
# Configure GigabitEthernet 0/1 as an ARP trusted port.
Parameters
dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded.
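The dst-mac and ip checks above, together with the source MAC consistency check of arp anti-attack valid-check enable described earlier, are all field-level sanity checks on a single ARP packet. The Python below is an added example that applies the three checks exactly as the page describes them (it is not code from the HP manual or the firewall software): the src-mac check compares the Ethernet source MAC with the ARP sender MAC, the dst-mac check applies to ARP replies only, and the ip check rejects all-zero, all-one or multicast sender and target addresses. The packet dictionary layout, check names and sample packets are constructed for this example.

```python
import ipaddress

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def norm_mac(mac):
    # Accept 00-11-22-33-44-55 or 00:11:22:33:44:55 in any case.
    return mac.lower().replace("-", ":")


def check_src_mac(pkt):
    """Source MAC consistency: Ethernet source MAC must equal the ARP sender MAC."""
    return norm_mac(pkt["eth_src"]) == norm_mac(pkt["sender_mac"])


def check_dst_mac(pkt):
    """dst-mac: for ARP responses, the target MAC must not be all-zero or all-one
    and must match the destination MAC in the Ethernet header."""
    if pkt["op"] != ARP_REPLY:
        return True                        # the page applies this check to responses only
    target = norm_mac(pkt["target_mac"])
    return target not in (ZERO_MAC, BROADCAST_MAC) and target == norm_mac(pkt["eth_dst"])


def _ip_valid(ip):
    addr = ipaddress.IPv4Address(ip)
    return (addr != ipaddress.IPv4Address("0.0.0.0")
            and addr != ipaddress.IPv4Address("255.255.255.255")
            and not addr.is_multicast)


def check_ip(pkt):
    """ip: sender and target IP addresses must not be all-zero, all-one or multicast."""
    return _ip_valid(pkt["sender_ip"]) and _ip_valid(pkt["target_ip"])


CHECKS = {"src-mac": check_src_mac, "dst-mac": check_dst_mac, "ip": check_ip}


def validate_arp(pkt, enabled=("src-mac", "dst-mac", "ip")):
    """Return the names of the enabled checks the packet fails; an empty list means forward."""
    return [name for name in enabled if not CHECKS[name](pkt)]


# Constructed sample: a well-formed ARP reply from 192.168.1.10 to the gateway.
SAMPLE_REPLY = {
    "op": ARP_REPLY,
    "eth_src": "00:11:22:33:44:55", "eth_dst": "66:77:88:99:aa:bb",
    "sender_mac": "00-11-22-33-44-55", "target_mac": "66:77:88:99:AA:BB",
    "sender_ip": "192.168.1.10", "target_ip": "192.168.1.1",
}

if __name__ == "__main__":
    print("good reply:", validate_arp(SAMPLE_REPLY))
    print("spoofed sender MAC:", validate_arp(dict(SAMPLE_REPLY, sender_mac="de:ad:be:ef:00:01")))
    print("multicast sender IP:", validate_arp(dict(SAMPLE_REPLY, sender_ip="224.0.0.1")))
```

The result list maps directly onto the per-check drop counters in the display arp detection statistics output (IP, Src-MAC, Dst-MAC columns): a packet failing more than one check would be counted under the first enabled check that rejects it on a real device, which is why the function preserves the order of the enabled tuple.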
Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
Examples
# Display the ARP detection statistics of all interfaces.
display arp detection statistics
State: U-Untrusted T-Trusted
ARP packets dropped by ARP inspect checking:
Interface(State)   IP    Src-MAC   Dst-MAC   Inspect
GE0/1(U)           40    0         0         78
GE0/2(U)           0     0         0         0
GE0/3(T)           0     0         0         0
GE0/4(U)           0     0         30        0
Table 8 Command output
Field - Description
Interface(State) - State T or U identifies a trusted or untrusted port.
ARP automatic scanning and fixed ARP configuration commands
arp fixup
Use arp fixup to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static entries.
Syntax
arp fixup
Views
System view
Default command level
2: System level
Usage guidelines
The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries.
Default command level 2: System level Parameters start-ip-address: Start IP address of the scanning range. end-ip-address: End IP address of the scanning range. The end IP address must be higher than or equal to the start IP address. Usage guidelines If the start IP and end IP addresses are specified, the device scans the specific address range for neighbors and learns their ARP entries, so that the scanning time is reduced.
TCP attack protection commands
display tcp status
Use display tcp status to display the status of all TCP connections for monitoring purposes.
Syntax
display tcp status [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Use undo tcp anti-naptha enable to disable the protection against Naptha attack.
Syntax
tcp anti-naptha enable
undo tcp anti-naptha enable
Default
The protection against Naptha attack is disabled.
Views
System view
Default command level
2: System level
Usage guidelines
The configurations made by using the tcp state and tcp timer check-state commands are removed after the protection against Naptha attack is disabled.
Examples
# Enable the protection against Naptha attack.
last-ack: Specifies the LAST_ACK state of a TCP connection.
syn-received: Specifies the SYN_RECEIVED state of a TCP connection.
connection-number number: Specifies the maximum number of TCP connections in a certain state. The number argument is in the range of 0 to 500.
Usage guidelines
You must enable the protection against Naptha attack before executing this command. Otherwise, an error is prompted. You can configure the maximum number of TCP connections in each state.
Use undo tcp timer check-state to restore the default.
Syntax
tcp timer check-state time-value
undo tcp timer check-state
Default
The TCP connection state check interval is 30 seconds.
Views
System view
Default command level
2: System level
Parameters
time-value: Specifies the TCP connection state check interval in seconds, in the range of 1 to 60.
Usage guidelines
The device periodically checks the number of TCP connections in each state.
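Naptha-style attacks hold many connections in a half-open or half-closed state (SYN_RECEIVED, LAST_ACK and so on) to exhaust the connection table, which is why the tcp state and tcp timer check-state commands above work as a pair: a per-state ceiling and a periodic count. The Python below is an added model of that periodic check, written for this page and not taken from the HP manual or the firewall software. The page does not say what the device does with connections above the limit; the example's choice of selecting the longest-idle excess connections for accelerated aging is an assumption, as are the connection records and timestamps, which are constructed.

```python
from collections import defaultdict


class NapthaProtection:
    """Per-state connection limits (tcp state) checked every check_interval
    seconds (tcp timer check-state). Only the states named on this page are
    used in the example, but any state string works as a key."""

    def __init__(self, check_interval=30, limits=None):
        if not 1 <= check_interval <= 60:
            raise ValueError("check interval must be in the range of 1 to 60 seconds")
        self.check_interval = check_interval   # default 30 seconds, as on the page
        self.limits = {}
        for state, number in (limits or {}).items():
            self.set_limit(state, number)
        self.last_check = None

    def set_limit(self, state, number):
        # tcp state <state> connection-number <number>: 0 to 500 on the page
        if not 0 <= number <= 500:
            raise ValueError("connection-number must be in the range of 0 to 500")
        self.limits[state] = number

    def check(self, connections, now):
        """Run the periodic check if the interval has elapsed.

        connections: iterable of (conn_id, state, idle_seconds).
        Returns the ids of connections selected for accelerated aging
        (assumption: longest idle first within each over-limit state), or None
        when it is not yet time to check.
        """
        if self.last_check is not None and now - self.last_check < self.check_interval:
            return None
        self.last_check = now
        by_state = defaultdict(list)
        for conn_id, state, idle in connections:
            by_state[state].append((idle, conn_id))
        victims = []
        for state, limit in self.limits.items():
            conns = sorted(by_state.get(state, []), reverse=True)   # longest idle first
            excess = len(conns) - limit
            if excess > 0:
                victims.extend(cid for _, cid in conns[:excess])
        return victims


if __name__ == "__main__":
    # Constructed connection table with a cap of 2 on SYN_RECEIVED connections.
    guard = NapthaProtection(check_interval=30, limits={"syn-received": 2})
    table = [("c1", "syn-received", 5), ("c2", "syn-received", 50),
             ("c3", "syn-received", 20), ("c4", "last-ack", 90)]
    print(guard.check(table, now=0))    # c2 exceeds the cap and is the longest idle
    print(guard.check(table, now=10))   # None: interval not yet elapsed
```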
ND attack defense commands
ipv6 nd mac-check enable
Use ipv6 nd mac-check enable to enable source MAC consistency check for ND packets.
Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND packets.
Syntax
ipv6 nd mac-check enable
undo ipv6 nd mac-check enable
Default
Source MAC consistency check is disabled for ND packets.
Firewall commands IPv6 packet-filter firewall configuration commands display firewall ipv6 statistics Use display firewall ipv6 statistics to view the packet filtering statistics of the IPv6 firewall. Syntax display firewall ipv6 statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters all: Displays the packet filtering statistics of all interfaces of the IPv6 firewall.
Table 10 Command output
Field - Description
Interface - Interface configured with the IPv6 packet filtering function.
In-bound Policy - IPv6 ACL configured in the inbound direction of the interface.
Out-bound Policy - IPv6 ACL configured in the outbound direction of the interface.
acl6 - IPv6 ACL number.
0 packets, 0 bytes, 0% permitted - Statistics for packets permitted by IPv6 ACL rules: the number of packets and bytes, and the percentage of permitted packets to the total.
Examples
# Specify the default filtering action of the IPv6 firewall as denying packets.
system-view
[Sysname] firewall ipv6 default deny
firewall ipv6 enable
Use firewall ipv6 enable to enable the IPv6 firewall function.
Use undo firewall ipv6 enable to disable the IPv6 firewall function.
Syntax
firewall ipv6 enable
undo firewall ipv6 enable
Default
The IPv6 firewall function is disabled.
name acl6-name: Specifies the name of a basic or an advanced IPv6 ACL. The ACL name is a case-insensitive string of 1 to 32 characters that must start with an alphabetical character. To avoid confusion, do not specify the word all for the ACL name. inbound: Filters inbound packets. outbound: Filters outbound packets. Usage guidelines You can apply only one IPv6 ACL in one direction of an interface for packet filtering. Examples # Apply IPv6 ACL 2500 to GigabitEthernet 0/1 to filter outbound packets.
Views Any view Default command level 1: Monitor level Parameters application-name: Name of the application to be used for port mapping. Available applications include FTP, GPRS Tunneling Protocol Control (GTP-C), GPRS Tunneling Protocol User (GTP-U), GPRS Tunneling Protocol V0 (GTP-V0), H323, HTTP, HTTPS, IKE, RTSP, SCCP, SIP, SMTP, SQLNET, SSH, and VAM. port port-number: Specifies to display port mapping information on the specified port. The port number is in the range of 0 to 65535.
Related commands
port-mapping
firewall aspf enable
Use firewall aspf enable to enable ASPF for an interzone instance.
Use undo firewall aspf enable to restore the default.
Syntax
firewall aspf enable [ icmp-error drop | tcp syn-check ]
undo firewall aspf enable [ icmp-error drop | tcp syn-check ]
Default
ASPF inspection is disabled for an interzone instance.
Views
Interzone instance view
Default command level
2: System level
Parameters
icmp-error drop: Drops ICMP error packets.
Default command level 2: System level Parameters application-name: Name of the application for port mapping. Available applications include FTP, GTP-C, GTP-U, GTP-V0, H323, HTTP, RTSP, SCCP, SIP, SMTP and SQLNET. port port-number: Specifies the port that the application layer protocol is mapped to. The port number is in the range of 0 to 65535. acl acl-number: Specifies the IPv4 ACL for indicating the host range. The ACL number is in the range of 2000 to 2999. Examples # Map port 3456 to the FTP protocol.
Content filtering commands
activex-blocking enable
Use activex-blocking enable to enable ActiveX blocking.
Use undo activex-blocking enable to restore the default.
Syntax
activex-blocking enable
undo activex-blocking enable
Default
ActiveX blocking is disabled.
Views
HTTP filtering policy view
Default command level
2: System level
Usage guidelines
When ActiveX blocking is enabled in an HTTP filtering policy, the system checks whether HTTP packets contain the specified ActiveX blocking controls.
Default No keyword filtering entry is specified for attachment content filtering. Views POP3 filtering policy view, SMTP filtering policy view Default command level 2: System level Parameters keyword-entry-name: Specifies the name of the keyword filtering entry, a case-sensitive string of 1 to 32 characters. The keyword filtering entry must already exist. Usage guidelines You can specify multiple keyword filtering entries for attachment content filtering.
Default No filename filtering entry is specified for attachment name filtering. Views POP3 filtering policy view, SMTP filtering policy view Default command level 2: System level Parameters filename-entry-name: Specifies the name of the filename filtering entry, a case-sensitive string of 1 to 32 characters. The filename filtering entry must already exist. Usage guidelines You can specify multiple filename filtering entries for attachment content filtering.
Default
No keyword filtering entry is specified for body filtering.
Views
HTTP filtering policy view, POP3 filtering policy view, SMTP filtering policy view
Default command level
2: System level
Parameters
keyword-entry-name: Specifies the name of the keyword filtering entry, a case-sensitive string of 1 to 32 characters. The keyword filtering entry must already exist.
Usage guidelines
You can specify multiple keyword filtering entries for body filtering.
Use undo command-filtering keyword-entry to remove a keyword filtering entry for command word filtering from a content filtering policy. Syntax command-filtering keyword-entry keyword-entry-name undo command-filtering keyword-entry keyword-entry-name Default No keyword filtering entry is specified for command word filtering.
Use undo content-filtering activex-blocking suffix to remove an ActiveX blocking suffix keyword from the ActiveX blocking suffix list. Syntax content-filtering activex-blocking suffix keywords undo content-filtering activex-blocking suffix keywords Views System view Default command level 2: System level Parameters keywords: Specifies a blocking suffix keyword, a case-insensitive string of 2 to 32 characters. Its starting character must be a dot (.
Examples
# Create an email address filtering entry students and enter its view.
system-view
[Sysname] content-filtering email-address-entry students
[Sysname-contflt-email-students]
Related commands
email-address
content-filtering filename-entry
Use content-filtering filename-entry to create a filename filtering entry and enter its view. Use undo content-filtering filename-entry to remove a filename filtering entry.
Default No FTP filtering policy exists. Views System view, VD view Default command level 2: System level Parameters policy-name: Specifies the name of the FTP filtering policy, a case-sensitive string of 1 to 32 characters. Usage guidelines Deleting an FTP filtering policy that has been applied in a content filtering policy template also deletes the policy application configuration (performed with the ftp-policy command) of the template.
Examples
# Add .js to the java blocking suffix list.
system-view
[Sysname] content-filtering java-blocking suffix .js
Related commands
display content-filtering java-blocking
content-filtering http-policy
Use content-filtering http-policy to create an HTTP filtering policy and enter its view. Use undo content-filtering http-policy to delete an HTTP filtering policy.
undo content-filtering keyword-entry keyword-entry-name Default No keyword filtering entry exists. Views System view, VD view Default command level 2: System level Parameters keyword-entry-name: Specifies the name of the keyword filtering entry, a case-sensitive string of 1 to 32 characters. Examples # Create a keyword filtering entry WordofGame and enter its view.
Examples
# Create a content filtering policy template StrictRule and enter its view.
system-view
[Sysname] content-filtering policy-template StrictRule
[Sysname-contflt-policy-template-StrictRule]
Related commands
• http-policy
• smtp-policy
• pop3-policy
• ftp-policy
• telnet-policy
content-filtering pop3-policy
Use content-filtering pop3-policy to create a POP3 filtering policy and enter its view. Use undo content-filtering pop3-policy to delete a POP3 filtering policy.
content-filtering smtp-policy Use content-filtering smtp-policy to create an SMTP filtering policy and enter its view. Use undo content-filtering smtp-policy to delete an SMTP filtering policy. Syntax content-filtering smtp-policy policy-name undo content-filtering smtp-policy policy-name Default No SMTP filtering policy exists.
Default command level 2: System level Parameters policy-name: Specifies the name of the Telnet filtering policy, a case-sensitive string of 1 to 32 characters. Usage guidelines Deleting a Telnet filtering policy that has been applied in a content filtering policy template also deletes the policy application configuration (performed with the telnet-policy command) of the template. Examples # Create a Telnet filtering policy TelnetBanned and enter its view.
Wildcard: $
Meaning: Matches parameters ending with the keyword.
Usage guidelines: It can be present once, at the end of a filtering entry.
Wildcard: &
Meaning: Stands for one valid character.
Usage guidelines: It can be present multiple times at any position of a filtering entry, consecutively or inconsecutively, and cannot be used next to an asterisk (*). If it is present at the beginning or end of a filtering entry, it must be next to a caret (^) or a dollar sign ($).
Default command level 2: System level Parameters url-hostname-entry-name: Specifies the name of the URL hostname filtering entry, a case-sensitive string of 1 to 32 characters. Examples # Create a URL hostname filtering entry HostofGame and enter its view.
# Display ActiveX blocking information about a specific suffix keyword.
display content-filtering activex-blocking item .ocx
The HTTP request packet including ".ocx" had been matched for 5 times.
# Display ActiveX blocking information about all suffix keywords.
display content-filtering activex-blocking all
 SN  Match-Times  Keywords
 -------------------------
 1   5            .OCX
 2   0            .vbs
Table 13 Command output
Field: SN
Description: Serial number.
include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameters, the command displays brief information about java blocking. Examples # Display brief information about java blocking. display content-filtering java-blocking Java blocking is enabled. # Display java blocking information about a specific suffix keyword.
Parameters all: Specifies all filtering keywords. item keywords: Specifies a filtering keyword. The keywords argument is a case-insensitive string of 1 to 80 characters. Valid characters include numerals, English letters, wildcards caret (^), dollar sign ($), ampersand (&), and asterisk (*), and other ASCII characters with values in the range of 31 to 127. verbose: Specifies detailed information. |: Filters command output by specifying a regular expression.
# Display detailed information about URL parameter filtering.
display content-filtering url-filter parameter verbose
URL-filter parameter is enabled.
There are 10 packet(s) being filtered.
There are 0 packet(s) being passed.
display content-filtering statistics
Use display content-filtering statistics to display content filtering statistics.
FTP command filtering            0
FTP upload filename filtering    0
FTP download filename filtering  0
Telnet command filtering         0
download-filename-filtering filename-entry
Use download-filename-filtering filename-entry to specify a filename filtering entry for download filename filtering. Use undo download-filename-filtering filename-entry to remove a filename filtering entry for download filename filtering from an FTP filtering policy.
Use undo email-address to remove an email address from an email address filtering entry. Syntax email-address mail-address undo email-address mail-address Default An email address filtering entry does not have any email address. Views Email address filtering entry view Default command level 2: System level Parameters mail-address: Specifies an email address, a case-insensitive string of 1 to 129 characters. The argument supports the wildcard asterisk (*).
Usage guidelines You can add up to 16 filenames to a filename filtering entry. A filename keyword can be in either of the following formats: • filename.extension, used for exact matching. You can use a wildcard asterisk (*) as the filename or extension, or use it to replace a string of less than six characters in the filename or extension. Only one asterisk (*) can be used in the filename or the extension part. If a filename keyword has multiple dots (.), the last dot (.
head-filtering keyword-entry Use head-filtering keyword-entry to specify a keyword filtering entry for HTTP header filtering. Use undo head-filtering keyword-entry to remove a keyword filtering entry for HTTP header filtering. Syntax head-filtering keyword-entry keyword-entry-name undo head-filtering keyword-entry keyword-entry-name Default No keyword filtering entry is specified for HTTP header filtering.
Default No HTTP filtering policy is applied to a content filtering policy template. Views Content filtering policy template view Default command level 2: System level Parameters policy-name: Specifies the name of the HTTP filtering policy, a case-sensitive string of 1 to 32 characters. The HTTP filtering policy must already exist. Usage guidelines This command enables HTTP content filtering based on the HTTP filtering policy.
java-applet-blocking enable Use java-applet-blocking enable to enable java applet blocking in an HTTP filtering policy. Use undo java-applet-blocking enable to restore the default. Syntax java-applet-blocking enable undo java-applet-blocking enable Default Java applet blocking is disabled.
Usage guidelines You can add up to 16 keywords to a keyword filtering entry. A keyword can contain one wildcard asterisk (*) that stands for a string of less than six characters. The wildcard cannot be at the beginning or end of the keyword. Examples # Add a keyword CounterStrike to the keyword filtering entry WordofGame.
oversize-mail-blocking enable Use oversize-mail-blocking enable to enable oversize email blocking and set the maximum size in an SMTP filtering policy. Use undo oversize-mail-blocking enable to restore the default. Syntax oversize-mail-blocking enable [ maxsize max-bytes ] undo oversize-mail-blocking enable [ maxsize ] Default Oversize email blocking is disabled in an SMTP filtering policy.
Parameters policy-name: Specifies the name of the POP3 filtering policy, a case-sensitive string of 1 to 32 characters. The POP3 filtering policy must already exist. Usage guidelines This command enables POP3 content filtering based on the POP3 filtering policy. Examples # Apply a POP3 filtering policy POP3Banned to the content filtering policy template StrictRule.
[Sysname] content-filtering smtp-policy SMTPBanned
[Sysname-contflt-smtp-policy-SMTPBanned] receiver-filtering email-entry Anysuspicious
[Sysname-contflt-smtp-policy-SMTPBanned] quit
# Apply the email address filtering entry Anysuspicious for receiver filtering in the POP3 filtering policy POP3Banned.
Views POP3 filtering policy view, SMTP filtering policy view Default command level 2: System level Parameters email-entry-name: Specifies the name of the email address filtering entry for sender filtering, a case-sensitive string of 1 to 32 characters. The email address filtering entry must already exist. Usage guidelines You can specify multiple email address filtering entries for sender filtering.
Default command level 2: System level Parameters policy-name: Specifies the name of the SMTP filtering policy, a case-sensitive string of 1 to 32 characters. The SMTP filtering policy must already exist. Usage guidelines This command enables SMTP content filtering based on the SMTP filtering policy. Examples # Apply an SMTP filtering policy SMTPBanned to the content filtering policy template StrictRule.
[Sysname] content-filtering smtp-policy SMTPBanned
[Sysname-contflt-smtp-policy-SMTPBanned] subject-filtering keyword-entry Job
[Sysname-contflt-smtp-policy-SMTPBanned] quit
# Apply the keyword filtering entry Job for subject filtering in the POP3 filtering policy POP3Banned.
upload-filename-filtering filename-entry Use upload-filename-filtering filename-entry to specify a filename filtering entry for upload filename filtering. Use undo upload-filename-filtering filename-entry to remove a filename filtering entry for upload filename filtering. Syntax upload-filename-filtering filename-entry filename-entry-name undo upload-filename-filtering filename-entry filename-entry-name Default No filename filtering entry is specified for upload filename filtering.
Default No URL hostname filtering entry is specified for URL filtering. Views HTTP filtering policy view Default command level 2: System level Parameters url-hostname-entry-name: Specifies the name of the URL hostname filtering entry, a case-sensitive string of 1 to 32 characters. The URL hostname filtering entry must already exist. Usage guidelines You can specify multiple URL hostname filtering entries for URL filtering.
Parameters url-hostname: Specifies the URL hostname, a case-insensitive string of 1 to 80 characters. The argument supports the wildcards caret (^), asterisk (*), ampersand (&), and dollar sign ($). Usage guidelines You can add up to 16 hostnames to a URL hostname filtering entry. Follow these wildcard usage rules to configure URL hostnames: • The caret (^) identifies the beginning of a hostname. Make sure that the caret (^) is the first character of a hostname.
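The wildcard rules for keyword and URL hostname entries (a caret only as the first character, a dollar sign only once at the end, an ampersand for exactly one character, an asterisk for a string of fewer than six characters that may not begin or end an entry, and case-insensitive matching) are easy to get wrong before an entry is committed. The following Python matcher is an added example, not code from the HP product or this manual. It implements the rules as the manual states them for keyword filtering entries and URL hostname entries, and assumes, since the page does not say so for hostnames, that the keyword-entry limits on the asterisk (one per entry, fewer than six characters, not first or last) apply to hostnames as well. Use it to check a candidate entry against the hostnames or keywords you expect it to block before adding it to a policy.

```python
"""Matcher for the ^ $ & * wildcard syntax of HP content-filtering entries.

Added example, not vendor code. The sample entries and hostnames in the demo
are constructed for illustration.
"""
import re

# Assumption: the keyword-entry rule ('*' stands for a string of fewer than
# six characters) is applied to URL hostname entries too.
MAX_STAR_LEN = 5


def validate_entry(entry: str) -> None:
    """Raise ValueError if the entry breaks a wildcard rule from the manual."""
    if not 1 <= len(entry) <= 80:
        raise ValueError("entry must be 1 to 80 characters")
    if "^" in entry[1:]:
        raise ValueError("'^' may appear only as the first character")
    if "$" in entry[:-1]:
        raise ValueError("'$' may appear only once, as the last character")
    if "*&" in entry or "&*" in entry:
        raise ValueError("'&' cannot be next to '*'")
    # A leading or trailing '&' must be next to '^' or '$', so the entry
    # itself may never start or end with '&'.
    if entry[0] == "&" or entry[-1] == "&":
        raise ValueError("leading or trailing '&' must follow '^' or precede '$'")
    body = entry[1:] if entry.startswith("^") else entry
    body = body[:-1] if body.endswith("$") else body
    if not body:
        raise ValueError("entry needs at least one character besides anchors")
    if body.count("*") > 1:
        raise ValueError("only one '*' is allowed in an entry")
    if body[0] == "*" or body[-1] == "*":
        raise ValueError("'*' cannot be the first or last matched character")


def compile_entry(entry: str) -> "re.Pattern[str]":
    """Translate a validated entry into a case-insensitive regular expression."""
    validate_entry(entry)
    anchored_start = entry.startswith("^")
    anchored_end = entry.endswith("$")
    body = entry[1:] if anchored_start else entry
    body = body[:-1] if anchored_end else body
    parts = []
    for ch in body:
        if ch == "&":
            parts.append(".")                        # exactly one character
        elif ch == "*":
            parts.append(".{0,%d}" % MAX_STAR_LEN)   # zero to five characters
        else:
            parts.append(re.escape(ch))              # literal, '.' included
    regex = "".join(parts)
    if anchored_start:
        regex = r"\A" + regex
    if anchored_end:
        regex = regex + r"\Z"
    return re.compile(regex, re.IGNORECASE)


def matches(entry: str, subject: str) -> bool:
    """True if the entry matches the hostname/keyword (anywhere unless anchored)."""
    return compile_entry(entry).search(subject) is not None


if __name__ == "__main__":
    # Constructed hostnames, not from the manual.
    for entry, host in (("^www.&ame*.com$", "www.game-hub.com"),
                        ("game", "WWW.GAMES.NET"),
                        ("^game", "www.games.net"),
                        ("abc*xyz", "abcdefghijxyz")):
        print("%-16s %-18s %s" % (entry, host, matches(entry, host)))
    for bad in ("&game", "game*", "ga*&me"):
        try:
            validate_entry(bad)
        except ValueError as exc:
            print("rejected %r: %s" % (bad, exc))
```

Entries without a caret or dollar sign match as substrings, which is why a bare keyword such as game also hits www.games.net; anchor the entry when you mean a whole hostname.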
Views HTTP filtering policy view Default command level 2: System level Examples
# Enable URL IP address blocking in the HTTP filtering policy HTTPBanned.
system-view
[Sysname] content-filtering http-policy HTTPBanned
[Sysname-contflt-http-policy-HTTPBanned] url-ip-blocking enable
url-parameter-filtering enable
Use url-parameter-filtering enable to enable URL parameter filtering. Use undo url-parameter-filtering enable to restore the default.
URPF commands ip urpf Use ip urpf to enable URPF check for a security zone to prevent source address spoofing attacks. Use undo ip urpf to disable URPF check. Syntax ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ] undo ip urpf Default URPF check is disabled. Views Security zone view Default command level 2: System level Parameters loose: Enables loose URPF check.
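The loose and strict keywords differ in how much of the reverse path is checked, and allow-default-route changes whether a source covered only by the default route is accepted. The following Python model is an added example, not HP code, with the usual unicast RPF semantics: strict requires the best route to the packet's source address to point back out the interface the packet arrived on, loose requires only that some route to the source exists, and in both modes a source matched only by the default route fails unless allow-default-route is given. The routing table, interface names and addresses are constructed for the example, and the optional acl parameter is not modeled because the page does not describe its effect.

```python
"""Loose versus strict unicast RPF check, as enabled per zone by `ip urpf`.

Added example, not vendor code. Routing table and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # outgoing interface for this prefix


# Constructed routing table (assumption: not from the manual).
ROUTES = (
    Route(ipaddress.ip_network("0.0.0.0/0"), "GE0/1"),        # default route
    Route(ipaddress.ip_network("10.1.0.0/16"), "GE0/2"),      # internal zone
    Route(ipaddress.ip_network("192.168.5.0/24"), "GE0/3"),   # DMZ
)


def best_route(addr: ipaddress.IPv4Address,
               routes: Iterable[Route]) -> Optional[Route]:
    """Longest-prefix match for addr, or None if no route covers it."""
    best = None
    for route in routes:
        if addr in route.prefix and (
                best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_check(src: str, in_if: str, mode: str,
               routes: Iterable[Route] = ROUTES,
               allow_default_route: bool = False) -> bool:
    """Return True if the packet passes the URPF check, False if it is dropped.

    mode is 'loose' or 'strict', mirroring `ip urpf { loose | strict }`;
    allow_default_route mirrors the allow-default-route keyword.
    """
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    route = best_route(ipaddress.ip_address(src), routes)
    if route is None:
        return False                      # no route back to the source at all
    if route.prefix.prefixlen == 0 and not allow_default_route:
        return False                      # only the default route covers it
    if mode == "loose":
        return True                       # any usable route to the source
    return route.interface == in_if       # strict: must point back out in_if


if __name__ == "__main__":
    # A packet claiming an internal source arrives from the DMZ interface:
    # strict catches the spoof, loose does not.
    print("strict:", urpf_check("10.1.2.3", "GE0/3", "strict"))   # False
    print("loose: ", urpf_check("10.1.2.3", "GE0/3", "loose"))    # True
    # An Internet source with only the default route behind it.
    print("default-route, loose:",
          urpf_check("203.0.113.7", "GE0/1", "loose"))            # False
    print("default-route, loose, allow-default-route:",
          urpf_check("203.0.113.7", "GE0/1", "loose",
                     allow_default_route=True))                   # True
```

Loose mode is the usual choice on an Internet-facing zone with asymmetric routing, and allow-default-route is needed there because most external sources are reachable only through the default route; strict mode belongs on zones whose sources are always reached through a single interface.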
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions This section describes the conventions used in this documentation set.
Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device.