09-Configuration Examples

HomeSupportConfigure & DeployH3C Firewall Products Comware 7 Web Configuration Guide-6W60009-Configuration Examples
Table of Contents
Related Documents
22-Anti-Virus Configuration Examples
Title Size Download
22-Anti-Virus Configuration Examples 81.60 KB

Anti-virus configuration examples

Contents

 

·     Introduction

·     Prerequisites

·     Restrictions and guidelines

·     Example: Configuring anti-virus

 

The following information provides anti-virus configuration examples.

The anti-virus feature supports the following application protocols:

·     FTP.

·     HTTP.

·     IMAP.

·     NFS.

·     POP3.

·     SMB.

·     SMTP.

 

This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of the anti-virus feature.

 

For anti-virus to inspect HTTPS protocol packets, you must also configure the application proxy feature. To configure the application proxy feature, access the Policies > Application Proxy page.

The anti-virus feature requires a license to run on the device. After the license expires, anti-virus can use the existing virus signature library on the device, but the library cannot be updated.

Network configuration

As shown in Figure 1, a security gateway device is deployed at the border of the enterprise network. Internal users need to transfer files and emails by using the Web server and email server on the Internet.

Configure anti-virus on the device to perform virus detection on the files and emails transferred by the internal users to protect the enterprise network.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on R8860 of the F1000-AI-55 device.

Procedure

1.     Assign IP addresses to interfaces and add the interfaces to security zones:

# On the top navigation bar, click Network.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

a.     Select the Trust security zone.

b.     Click the IPv4 Address tab, and then enter the IP address and mask length of the interface. In this example, use 10.1.1.1/24.

c.     Use the default settings for other parameters.

d.     Click OK.

# Add GE 1/0/2 to the Untrust security zone and set its IP address to 20.1.1.1./24 in the same way you configure GE 1/0/1.

2.     Configure settings for routing:

This example configures a static route. If dynamic routes are used, configure a routing protocol.

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# On the IPv4 Static Routing tab, click Create.

# In the dialog box that opens, create an IPv4 static route:

¡     Enter destination address 0.0.0.0.

¡     Enter mask length 0.

¡     Enter next hop address 20.1.1.2.

¡     Use the default settings for other parameters.

# Click OK.

3.     Update the virus signature library to the latest version. (Details not shown.)

4.     Configure an anti-virus profile.

# On the top navigation bar, click Objects.

# From the navigation pane, select APP Security > Anti-Virus > Profile.

# Click Create.

# In the dialog box that opens, configure an anti-virus profile:

a.     Enter the name antivirus.

b.     In the Protocols area, configure anti-virus protection for file transfer protocols and mail protocols, as shown in Figure 2.

-     Clear the check boxes for the Upload and Download options of the FTP protocol.

-     Set the action to Block for the SMTP and POP3 mail protocols.

c.     Click OK.

Figure 2 Creating an anti-virus profile

 

5.     Configure security policies:

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create, and then click Create a policy.

# In the dialog box that opens, configure a security policy:

¡     Enter policy name trust-untrust.

¡     Select source zone Trust.

¡     Select destination zone Untrust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IP address 10.1.1.0/24.

¡     Select anti-virus profile antivirus in the Content security area.

# Click OK.

# Create security policy untrust-trust in the same way you create security policy trust-untrust:

¡     Enter policy name untrust-trust.

¡     Select source zone Untrust.

¡     Select destination zone Trust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select destination IP address 10.1.1.0/24.

¡     Select anti-virus profile antivirus in the Content security area.

# Click OK.

6.     On the Anti-Virus Profile page, click Submit to make the anti-virus profile take effect.

Verifying the configuration

Verify that anti-virus detect and block virus-infected files and emails transmitted by internal users to protect the enterprise network.

To view the threat logs generated by anti-virus, click Monitor on the top navigation bar, and then select Security Logs > Threat Logs from the navigation pane.

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become A Partner
  • Partner Policy & Program
  • Global Learning
  • Partner Sales Resources
  • Partner Business Management
  • Service Business
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网