03-Security Command Reference
APR commands
app-group
Use app-group to create an application group and enter its view, or enter the view of an existing application group.
Use undo app-group to delete the specified application group.
Syntax
app-group group-name
undo app-group group-name
Default
No application groups exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
group-name: Specifies the application group name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
Usage guidelines
You can create a maximum of 1000 application groups on the device.
Examples
# Create an application group named aaa and enter its view.
<Sysname> system-view
[Sysname] app-group aaa
[Sysname-app-group-aaa]
Related commands
copy app-group
description
include application
application statistics enable
Use application statistics enable to enable the application statistics feature on the specified direction of an interface.
Use undo application statistics enable to disable the application statistics feature on the specified direction of an interface.
Syntax
application statistics enable [ inbound | outbound ]
undo application statistics enable [ inbound | outbound ]
Default
The application statistics feature is disabled on both directions of an interface.
Views
Layer 2 interface view/Layer 3 interface view
Predefined user roles
network-admin
context-admin
Parameters
inbound: Specifies the inbound direction of the interface.
outbound: Specifies the outbound direction of the interface.
Usage guidelines
IMPORTANT: The application statistics feature consumes a large amount of system memory. When the system generates a low-memory alarm, disable the application statistics feature on interfaces.
If no direction is specified, the application statistics feature is enabled in both the inbound and outbound directions.
When this feature is enabled, the device separately counts the number of packets or bytes that the interface has received or sent for each application. It also calculates the transmission rates of the interface for these protocols.
To display application statistics, use the display application statistics command.
Examples
# Enable application statistics in the inbound direction of GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] application statistics enable inbound
# Enable application statistics in the outbound direction of GigabitEthernet 1/0/2.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] application statistics enable outbound
# Enable application statistics in the inbound and outbound directions of GigabitEthernet 1/0/3.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/3
[Sysname-GigabitEthernet1/0/3] application statistics enable
# Enable application statistics in the inbound direction of Vlan-interface 2.
<Sysname> system-view
[Sysname] interface Vlan-interface 2
[Sysname-Vlan-interface2] application statistics enable inbound
Related commands
display application statistics
apr protocol detection-threshold application-other
Use apr protocol detection-threshold application-other to configure detection thresholds for categorizing an application as type other.
Use undo apr protocol detection-threshold application-other to restore the default.
Syntax
apr protocol protocol-name detection-threshold { packet-count count | payload-length length } application-other
undo apr protocol protocol-name detection-threshold { packet-count | payload-length } application-other
Default
The device uses predefined detection thresholds in the signature library for categorizing an application as type other.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
protocol-name: Specifies a protocol by its name, a case-insensitive string of 1 to 63 characters.
packet-count count: Specifies the maximum number of packets to be detected, in the range of 1 to 128.
payload-length length: Specifies the maximum payload length to be detected, in the range of 64 to 65536 bytes.
Usage guidelines
If the device cannot identify the application to which the packets of a protocol belong after a detection threshold is reached, it categorizes the packets as belonging to type other.
You can configure both the packet count threshold and the payload length threshold for the same protocol.
To display the detection threshold settings, use the display apr protocol detection-threshold-other command.
Examples
# Configure the payload length threshold as 2500 bytes for HTTP and use the predefined packet count threshold.
<Sysname> system-view
[Sysname] apr protocol http detection-threshold payload-length 2500 application-other
Related commands
display apr protocol detection-threshold-other
apr set detectlen
Use apr set detectlen to set the maximum detected length for an NBAR rule.
Use undo apr set detectlen to restore the default.
Syntax
apr set detectlen bytes
undo apr set detectlen
The following compatibility matrix shows the support of hardware platforms for this command:

| Hardware platform | Module type | Command compatibility |
|---|---|---|
| M9006 M9010 M9014 | Blade IV firewall module | Yes |
| M9006 M9010 M9014 | Blade V firewall module | Yes |
| M9006 M9010 M9014 | NAT module | No |
| M9010-GM | Encryption module | Yes |
| M9016-V | Blade V firewall module | Yes |
| M9008-S M9012-S | Blade IV firewall module | Yes |
| M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
| M9008-S M9012-S | Video network gateway module | Yes |
| M9008-S-V | Blade IV firewall module | Yes |
| M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
| M9000-AK001 | Blade V firewall module | Yes |
| M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
| M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
The maximum detected length is not set for an NBAR rule.
Views
NBAR rule view
Predefined user roles
network-admin
context-admin
Parameters
bytes: Specifies the maximum detected length in bytes for an NBAR rule. The value range is 0 to 4294967295.
Usage guidelines
The maximum detected length determines whether to inspect subsequent packets after the device recognizes an application:
· If the inspected byte count already reaches the maximum number, the device will not inspect subsequent packets.
· If the inspected byte count does not reach the maximum number, the device will inspect subsequent packets until the maximum number is reached.
If no maximum detected length is configured, the device continues to inspect subsequent packets for application recognition after recognizing an application. Inspection of subsequent packets affects device performance.
When you set the maximum detected length, make sure you fully understand its impact on system performance.
If you execute this command multiple times, the most recent configuration takes effect.
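The two inspection limits described on this page, the detection thresholds of apr protocol detection-threshold application-other (stop inspecting an unidentified flow after a packet count or payload length and label it other) and the maximum detected length of apr set detectlen (after recognition, inspect subsequent packets only until the byte limit), interact per flow. The following Python model is an added illustration written for this page; it is not H3C code, and its recogniser is an assumed marker-string check standing in for the signature library.

```python
"""Model of the APR inspection limits: detection thresholds for type other and
the maximum detected length. Added illustration, not H3C code; the recogniser
is a stand-in (an assumed HTTP request-line check, not real signatures).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Limits:
    packet_count: int = 128          # command range: 1 to 128
    payload_length: int = 65536      # command range: 64 to 65536 bytes
    detectlen: Optional[int] = None  # None = apr set detectlen not configured

    def __post_init__(self) -> None:
        if not 1 <= self.packet_count <= 128:
            raise ValueError("packet-count must be 1-128")
        if not 64 <= self.payload_length <= 65536:
            raise ValueError("payload-length must be 64-65536")
        if self.detectlen is not None and not 0 <= self.detectlen <= 4294967295:
            raise ValueError("detectlen must be 0-4294967295")


@dataclass
class FlowState:
    packets_seen: int = 0       # packets actually inspected
    bytes_seen: int = 0         # payload bytes actually inspected
    app: Optional[str] = None   # None = not yet identified
    inspecting: bool = True     # False once the device stops looking at the flow


def recognize(payload: bytes) -> Optional[str]:
    """Stand-in recogniser (assumption): an HTTP request line marks the flow as http."""
    if b"HTTP/1." in payload:
        return "http"
    return None


def inspect_packet(state: FlowState, payload: bytes, limits: Limits) -> Optional[str]:
    """Feed one packet through the inspection limits; return the current label."""
    if not state.inspecting:
        return state.app
    state.packets_seen += 1
    state.bytes_seen += len(payload)

    if state.app is None:
        state.app = recognize(payload)
        if state.app is None and (state.packets_seen >= limits.packet_count
                                  or state.bytes_seen >= limits.payload_length):
            # thresholds reached without an identification: categorize as "other"
            state.app = "other"
            state.inspecting = False
            return state.app

    # after recognition, detectlen decides whether later packets are still inspected
    if (state.app not in (None, "other") and limits.detectlen is not None
            and state.bytes_seen >= limits.detectlen):
        state.inspecting = False
    return state.app


def classify_flow(packets: List[bytes], limits: Limits) -> FlowState:
    """Run a whole flow (list of payload byte strings) through inspect_packet."""
    state = FlowState()
    for payload in packets:
        inspect_packet(state, payload, limits)
    return state


if __name__ == "__main__":
    # constructed sample flows
    unknown = [b"\x00" * 10] * 5
    http = [b"GET /index.html HTTP/1.1\r\nHost: a\r\n", b"\x00" * 50, b"\x00" * 50]
    print(classify_flow(unknown, Limits(packet_count=3, payload_length=64)))
    print(classify_flow(http, Limits(detectlen=60)))
```

Without a detectlen the http flow is inspected packet by packet for as long as it lasts, which is the performance cost the usage guidelines warn about; with detectlen 60 the device stops after the second packet, once 85 bytes have been inspected.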
Examples
# Set the maximum detected length to 100000 bytes for NBAR rule abcd.
<Sysname> system-view
[Sysname] nbar application abcd protocol http
[Sysname-nbar-application-abcd] apr set detectlen 100000
Related commands
nbar application
apr signature auto-update
Use apr signature auto-update to enable automatic update for the APR signature library and enter auto-update configuration view.
Use undo apr signature auto-update to disable automatic update for the APR signature library.
Syntax
apr signature auto-update
undo apr signature auto-update
The following compatibility matrix shows the support of hardware platforms for this command:

| Hardware platform | Module type | Command compatibility |
|---|---|---|
| M9006 M9010 M9014 | Blade IV firewall module | Yes |
| M9006 M9010 M9014 | Blade V firewall module | Yes |
| M9006 M9010 M9014 | NAT module | No |
| M9010-GM | Encryption module | Yes |
| M9016-V | Blade V firewall module | Yes |
| M9008-S M9012-S | Blade IV firewall module | Yes |
| M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
| M9008-S M9012-S | Video network gateway module | Yes |
| M9008-S-V | Blade IV firewall module | Yes |
| M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
| M9000-AK001 | Blade V firewall module | Yes |
| M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
| M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
Automatic update is disabled for the APR signature library.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Use this command to update the APR signature library if the device can access the signature library services at the H3C website.
Examples
# Enable automatic update for the APR signature library and enter auto-update configuration view.
<Sysname> system-view
[Sysname] apr signature auto-update
[Sysname-apr-autoupdate]
Related commands
override-current
update schedule
apr signature auto-update-now
Use apr signature auto-update-now to manually trigger an automatic update for the APR signature library.
Syntax
apr signature auto-update-now
The following compatibility matrix shows the support of hardware platforms for this command:

| Hardware platform | Module type | Command compatibility |
|---|---|---|
| M9006 M9010 M9014 | Blade IV firewall module | Yes |
| M9006 M9010 M9014 | Blade V firewall module | Yes |
| M9006 M9010 M9014 | NAT module | No |
| M9010-GM | Encryption module | Yes |
| M9016-V | Blade V firewall module | Yes |
| M9008-S M9012-S | Blade IV firewall module | Yes |
| M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
| M9008-S M9012-S | Video network gateway module | Yes |
| M9008-S-V | Blade IV firewall module | Yes |
| M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
| M9000-X06 M9000-X10 | Blade VI firewall module | Yes |
| M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
This command starts the automatic APR signature library update process and backs up the current APR signature file. This command is independent of the apr signature auto-update command.
Use this command to update the APR signature library if you find a new version of APR signature library at the H3C website.
Examples
# Manually trigger an automatic update for the APR signature library.
<Sysname> system-view
[Sysname] apr signature auto-update-now
apr signature rollback
Use apr signature rollback to roll back the APR signature library.
Syntax
apr signature rollback { factory | last }
The following compatibility matrix shows the support of hardware platforms for this command:

| Hardware platform | Module type | Command compatibility |
|---|---|---|
| M9006 M9010 M9014 | Blade IV firewall module | Yes |
| M9006 M9010 M9014 | Blade V firewall module | Yes |
| M9006 M9010 M9014 | NAT module | No |
| M9010-GM | Encryption module | Yes |
| M9016-V | Blade V firewall module | Yes |
| M9008-S M9012-S | Blade IV firewall module | Yes |
| M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
| M9008-S M9012-S | Video network gateway module | Yes |
| M9008-S-V | Blade IV firewall module | Yes |
| M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
| M9000-AK001 | Blade V firewall module | Yes |
| M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
| M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
factory: Rolls back the APR signature library to the factory version.
last: Rolls back the APR signature library to the last version.
Usage guidelines
You can use this command if a high error rate or abnormal behavior occurs when the device uses the current APR signature library for application recognition.
Each time a rollback operation is performed, the device backs up the current version of the APR signature library. If you repeat the apr signature rollback last command multiple times, the APR signature library will repeatedly switch between the current version and the last version.
To ensure that the APR signature library can be successfully rolled back to the last version, back up the current APR signature library each time you update the library.
Examples
# Roll back the APR signature library to the last version.
<Sysname> system-view
[Sysname] apr signature rollback last
apr signature update
Use apr signature update to manually update the APR signature library.
Syntax
apr signature update [ override-current ] file-path
The following compatibility matrix shows the support of hardware platforms for this command:

| Hardware platform | Module type | Command compatibility |
|---|---|---|
| M9006 M9010 M9014 | Blade IV firewall module | Yes |
| M9006 M9010 M9014 | Blade V firewall module | Yes |
| M9006 M9010 M9014 | NAT module | No |
| M9010-GM | Encryption module | Yes |
| M9016-V | Blade V firewall module | Yes |
| M9008-S M9012-S | Blade IV firewall module | Yes |
| M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
| M9008-S M9012-S | Video network gateway module | Yes |
| M9008-S-V | Blade IV firewall module | Yes |
| M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
| M9000-AK001 | Blade V firewall module | Yes |
| M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
| M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
override-current: Overwrites the old APR signature file. If you do not specify this keyword, the old APR signature file will be saved as a backup signature file on the device after the update.
file-path: Specifies the path of the new APR signature file, a case-insensitive string of 1 to 255 characters.
Usage guidelines
Use this command to update the APR signature library if the device cannot access the signature library services at the H3C website.
You can use either of the following methods to manually update the APR signature library:
· Local update—By using the locally stored APR signature file.
(In standalone mode.) To ensure a successful update, the APR signature file must be stored on the active MPU.
(In IRF mode.) To ensure a successful update, the APR signature file must be stored on the global active MPU.
The following table describes the formats of the file-path argument for different update scenarios:

| Update scenario | Format of file-path | Remarks |
|---|---|---|
| The update file is stored in the current working directory. | filename | To display the current working directory, use the pwd command (see file system management in Fundamentals Command Reference). |
| The update file is stored in a different directory on the same storage medium. | filename | Before updating the signature library, you must use the cd command to open the directory where the update file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
| The update file is stored on a different storage medium. | path/filename | Before updating the signature library, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
· FTP/TFTP update—By using the APR signature file stored on an FTP or TFTP server.
The following table describes the formats of the file-path argument for different update scenarios:
Update scenario |
Format of file-path |
Remarks |
The update file is stored on an FTP server. |
ftp://username:password@server address/filename |
The username argument represents the FTP login username. The password argument represents the FTP login password. The server address argument represents the IP address or host name of the FTP server. If an FTP login username or password includes colons (:), at signs (@), or slashes (/), you must replace these special characters with the corresponding escape characters. · The escape character for the colon (:) character is %3A or %3a. · The escape character for the at sign (@) character is %40. · The escape character for the slash (/) character is %2F or %2f. |
The update file is stored on a TFTP server. |
tftp://server address/filename |
The server address argument represents the IP address or host name of the TFTP server. |
If you specify the host name, make sure the following requirements are met:
¡ The device can resolve the IP address of the FTP or TFTP server through static or dynamic domain name resolution.
¡ The device and server can reach each other.
- For information about DNS, see Layer 3—IP Services Configuration Guide.
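Getting the FTP form of file-path wrong is the usual cause of a failed manual update, because a literal colon, at sign or slash inside the credentials is parsed as a URL delimiter. The following Python helper, an added example for this page and not H3C code, builds the ftp:// and tftp:// forms with exactly the three escapes the table above lists, enforces the 1 to 255 character limit of the file-path argument, and parses a file-path back into its parts so the escaping can be checked before the command is typed. Passing any other character through unchanged is an assumption of this example.

```python
"""Builder and parser for the file-path argument of apr signature update
(FTP/TFTP scenarios). Added illustration, not H3C code. Only the three escapes
given on the page are applied (":" -> %3A, "@" -> %40, "/" -> %2F); other
characters are passed through unchanged, which is an assumption here.
"""
from urllib.parse import unquote

ESCAPES = {":": "%3A", "@": "%40", "/": "%2F"}
MAX_FILE_PATH = 255  # file-path is a string of 1 to 255 characters


def escape_credential(value: str) -> str:
    """Replace the characters that would be read as ftp:// URL delimiters."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def _check_length(path: str) -> str:
    if not 1 <= len(path) <= MAX_FILE_PATH:
        raise ValueError(f"file-path must be 1 to {MAX_FILE_PATH} characters, got {len(path)}")
    return path


def ftp_file_path(username: str, password: str, server: str, filename: str) -> str:
    """ftp://username:password@server address/filename with escaped credentials."""
    return _check_length(
        f"ftp://{escape_credential(username)}:{escape_credential(password)}@{server}/{filename}")


def tftp_file_path(server: str, filename: str) -> str:
    """tftp://server address/filename (no credentials)."""
    return _check_length(f"tftp://{server}/{filename}")


def parse_file_path(path: str) -> dict:
    """Split an ftp:// or tftp:// file-path into its parts, decoding the credentials."""
    scheme, sep, rest = path.partition("://")
    if not sep or scheme not in ("ftp", "tftp"):
        raise ValueError("expected an ftp:// or tftp:// file-path")
    authority, _, filename = rest.partition("/")
    result = {"scheme": scheme, "username": None, "password": None, "filename": filename}
    if scheme == "ftp":
        # escaped credentials contain no literal "@", so the last "@" ends them
        creds, at, server = authority.rpartition("@")
        if not at:
            raise ValueError("ftp file-path needs username:password@server address")
        user, _, pwd = creds.partition(":")  # first ":" separates user from password
        result["username"], result["password"] = unquote(user), unquote(pwd)
        authority = server
    result["server"] = authority
    return result


if __name__ == "__main__":
    # constructed credentials containing the three reserved characters
    path = ftp_file_path("user:123", "user@abc", "192.168.0.1", "apr-1.0.2-en.dat")
    print(path)
    print(parse_file_path(path))
```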
Examples
# Manually update the APR signature library by using an APR signature file stored on a TFTP server.
<Sysname> system-view
[Sysname] apr signature update tftp://192.168.0.1/apr-1.0.2-en.dat
# Manually update the APR signature library by using an APR signature file stored on an FTP server.
<Sysname> system-view
[Sysname] apr signature update ftp://user%3A123:user%40abc%[email protected]/apr-1.0.2-en.dat
# Manually update the APR signature library by using an APR signature file stored on the device. The file path is cfa0:/apr-1.0.23-en.dat. In this example, the working directory is cfa0:.
<Sysname> system-view
[Sysname] apr signature update apr-1.0.23-en.dat
# Manually update the APR signature library by using an APR signature file stored on the device. The file path is cfa0:/dpi/apr-1.0.23-en.dat. In this example, the working directory is cfa0:.
<Sysname> cd dpi
<Sysname> system-view
[Sysname] apr signature update apr-1.0.23-en.dat
# Manually update the APR signature library by using an APR signature file stored on the device. The file path is cfb0:/dpi/apr-1.0.23-en.dat. In this example, the working directory is cfa0:.
<Sysname> cd cfb0:/
<Sysname> system-view
[Sysname] apr signature update dpi/apr-1.0.23-en.dat
copy app-group
Use copy app-group to copy all applications in an application group to another group.
Syntax
copy app-group group-name
Views
Application group view
Predefined user roles
network-admin
context-admin
Parameters
group-name: Specifies the name of the source application group, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
Usage guidelines
Execute this command multiple times to copy applications in different groups to the current group.
Examples
# Copy applications in group bcd to group abc.
<Sysname> system-view
[Sysname] app-group abc
[Sysname-app-group-abc] copy app-group bcd
Related commands
app-group
include application
description (application group view)
Use description to configure the description of an application group.
Use undo description to restore the default.
Syntax
description text
undo description
Default
An application group is described as "User-defined application group".
Views
Application group view
Predefined user roles
network-admin
context-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters. If the string includes spaces, use a pair of quotation marks ("") to enclose all characters.
Usage guidelines
Configure descriptions for different application groups for identification and management purposes.
Examples
# Configure a description for application group aaa.
<Sysname> system-view
[Sysname] app-group aaa
[Sysname-app-group-aaa] description "User defined aaa group"
Related commands
app-group
description (NBAR rule view)
Use description to configure the description of a user-defined NBAR rule.
Use undo description to restore the default.
Syntax
description text
undo description
The following compatibility matrix shows the support of hardware platforms for this command:

| Hardware platform | Module type | Command compatibility |
|---|---|---|
| M9006 M9010 M9014 | Blade IV firewall module | Yes |
| M9006 M9010 M9014 | Blade V firewall module | Yes |
| M9006 M9010 M9014 | NAT module | No |
| M9010-GM | Encryption module | Yes |
| M9016-V | Blade V firewall module | Yes |
| M9008-S M9012-S | Blade IV firewall module | Yes |
| M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
| M9008-S M9012-S | Video network gateway module | Yes |
| M9008-S-V | Blade IV firewall module | Yes |
| M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
| M9000-AK001 | Blade V firewall module | Yes |
| M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
| M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
A user-defined NBAR rule is described as "User defined application".
Views
NBAR rule view
Predefined user roles
network-admin
context-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Usage guidelines
Configure descriptions for different user-defined NBAR rules for identification and management purposes.
Examples
# Configure a description for user-defined NBAR rule abcd.
<Sysname> system-view
[Sysname] nbar application abcd protocol http
[Sysname-nbar-application-abcd] description "A user-defined application based on HTTP"
Related commands
nbar application
destination
Use destination to specify a destination IP address or subnet as a match criterion in a user-defined NBAR rule.
Use undo destination to restore the default.
Syntax
destination ip ipv4-address [ mask-length ]
undo destination
The following compatibility matrix shows the support of hardware platforms for this command:

| Hardware platform | Module type | Command compatibility |
|---|---|---|
| M9006 M9010 M9014 | Blade IV firewall module | Yes |
| M9006 M9010 M9014 | Blade V firewall module | Yes |
| M9006 M9010 M9014 | NAT module | No |
| M9010-GM | Encryption module | Yes |
| M9016-V | Blade V firewall module | Yes |
| M9008-S M9012-S | Blade IV firewall module | Yes |
| M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
| M9008-S M9012-S | Video network gateway module | Yes |
| M9008-S-V | Blade IV firewall module | Yes |
| M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
| M9000-AK001 | Blade V firewall module | Yes |
| M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
| M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
A user-defined NBAR rule matches packets destined for all IP addresses.
Views
NBAR rule view
Predefined user roles
network-admin
context-admin
Parameters
ip ipv4-address: Specifies a destination IPv4 address or IPv4 subnet, in dotted decimal notation.
mask-length: Specifies the mask length for IPv4 addresses, in the range of 0 to 32. If you do not specify this argument, the default mask length is 32.
Usage guidelines
If you execute this command multiple times for the same NBAR rule, the most recent configuration takes effect.
Examples
# Configure user-defined NBAR rule abcd to match packets destined for IPv4 subnet 192.168.1.0/24.
<Sysname> system-view
[Sysname] nbar application abcd protocol http
[Sysname-nbar-application-abcd] destination ip 192.168.1.0 24
Related commands
nbar application
detection
Use detection to configure a detection item for a signature.
Use undo detection to delete detection items for a signature.
Syntax
detection detection-id field field-name match-type { exclude | include } { hex hex-vector | regex regex-pattern | text text-string } [ offset offset-value [ depth depth-value ] | relative-offset relative-offset-value [ relative-depth relative-depth-value ] ]
undo detection { all | detection-id }
The following compatibility matrix shows the support of hardware platforms for this command:

| Hardware platform | Module type | Command compatibility |
|---|---|---|
| M9006 M9010 M9014 | Blade IV firewall module | Yes |
| M9006 M9010 M9014 | Blade V firewall module | Yes |
| M9006 M9010 M9014 | NAT module | No |
| M9010-GM | Encryption module | Yes |
| M9016-V | Blade V firewall module | Yes |
| M9008-S M9012-S | Blade IV firewall module | Yes |
| M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
| M9008-S M9012-S | Video network gateway module | Yes |
| M9008-S-V | Blade IV firewall module | Yes |
| M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
| M9000-AK001 | Blade V firewall module | Yes |
| M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
| M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
No detection items are configured for a signature.
Views
NBAR rule signature view
Predefined user roles
network-admin
context-admin
Parameters
detection-id: Specifies a detection item ID in the range of 1 to 255.
field field-name: Specifies a protocol field by its name, a case-sensitive string of 1 to 31 characters. The detection item is matched in the scope of the specified protocol field. You can enter a question mark to obtain a list of supported protocol fields.
match-type { exclude | include }: Specifies the match type as exclude or include.
hex hex-vector: Specifies a hexadecimal vector as the match pattern. The hex-vector argument is a string of 8 to 256 characters. The argument must start and end with a vertical bar (|).
regex regex-pattern: Specifies a regular expression as the match pattern. The regex-pattern argument is a case-sensitive string of 3 to 253 characters.
text text-string: Specifies a string as the match pattern. The text-string argument is a case-sensitive string of 3 to 256 characters.
offset offset-value: Specifies the offset from the beginning of the specified protocol field, in the range of 0 to 65535 bytes. A packet matches the signature after the offset. If you do not specify this option, a packet matches the signature from the beginning of the specified protocol field.
depth depth-value: Specifies the depth of the detection item, in the range of 3 to 65535 bytes.
relative-offset relative-offset-value: Specifies the offset from the end of the previous detection item, in the range of -32767 to 32767 bytes. A packet matches the signature after the offset. If the offset value is negative, the detection item is before the previous detection item.
relative-depth relative-depth-value: Specifies the relative depth of the detection item, in the range of 3 to 65535 bytes.
all: Specifies all detection items.
Usage guidelines
You can configure multiple detection items for an NBAR rule signature. The relationship among detection items is logical AND, and the match order is the configuration order. A packet matches a signature only if all detection items are matched.
As a best practice to ensure correct detection results, configure the protocol fields in the order they appear in HTTP packets.
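The windowing rules of the detection command (offset/depth from the start of the field, relative-offset/relative-depth from the end of the previous item, include versus exclude, and the AND over all items in configuration order) are easiest to see on a concrete field. The following Python matcher is an added example for this page and not H3C code; it evaluates a list of detection items against a constructed HTTP uri field. Two points are assumptions of this example rather than page facts: an exclude item passes when its pattern is absent from its window and leaves the reference point for the next relative-offset unchanged, and a relative window that would start before the field is clamped to the start of the field.

```python
"""Matcher for NBAR rule signature detection items. Added illustration, not
H3C code. Assumptions: an exclude item passes when its pattern is absent from
its window and does not move the reference point; a relative window starting
before the field is clamped to offset 0.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DetectionItem:
    detection_id: int        # 1 to 255
    field: str               # protocol field name, e.g. "uri"
    include: bool            # match-type include (True) or exclude (False)
    kind: str                # "hex", "regex" or "text"
    pattern: str             # |..| hex vector, regular expression, or plain text
    offset: Optional[int] = None            # from the start of the field
    depth: Optional[int] = None             # window length after offset
    relative_offset: Optional[int] = None   # from the end of the previous item
    relative_depth: Optional[int] = None    # window length after relative offset


def pattern_bytes(item: DetectionItem) -> bytes:
    """Turn a hex vector such as |64 6f 77 6e| or a text string into bytes."""
    if item.kind == "hex":
        if not (item.pattern.startswith("|") and item.pattern.endswith("|")):
            raise ValueError("hex vector must start and end with |")
        return bytes.fromhex(item.pattern.strip("|"))
    return item.pattern.encode()


def search_window(item: DetectionItem, data: bytes, prev_end: int) -> Optional[Tuple[int, int]]:
    """Return the absolute (start, end) of the first hit inside the item's window."""
    if item.relative_offset is not None:
        start = max(0, prev_end + item.relative_offset)  # negative = before previous item
        end = len(data) if item.relative_depth is None else start + item.relative_depth
    elif item.offset is not None:
        start = item.offset
        end = len(data) if item.depth is None else start + item.depth
    else:
        start, end = 0, len(data)  # whole field
    window = data[start:end]
    if item.kind == "regex":
        m = re.search(item.pattern.encode(), window)
        return None if m is None else (start + m.start(), start + m.end())
    needle = pattern_bytes(item)
    pos = window.find(needle)
    return None if pos < 0 else (start + pos, start + pos + len(needle))


def match_signature(fields: Dict[str, bytes], items: List[DetectionItem]) -> bool:
    """All items must match (logical AND), evaluated in configuration (list) order."""
    prev_end = 0
    for item in items:
        data = fields.get(item.field)
        if data is None:
            return False  # the field is absent from the packet: nothing can match
        hit = search_window(item, data, prev_end)
        if item.include:
            if hit is None:
                return False
            prev_end = hit[1]  # reference point for a following relative-offset item
        elif hit is not None:
            return False  # exclude: the pattern must be absent from the window
    return True


# constructed sample: a uri field and three detection items in configuration order
URI = b"/app/v1/abcdefg/download?token=xyz"
ITEMS = [
    DetectionItem(1, "uri", True, "text", "abc", offset=8, depth=20),
    DetectionItem(2, "uri", True, "hex", "|64 6f 77 6e|", relative_offset=4, relative_depth=12),
    DetectionItem(3, "uri", False, "regex", r"\.exe$"),
]

if __name__ == "__main__":
    print(match_signature({"uri": URI}, ITEMS))
```

Item 1 finds "abc" at bytes 8 to 11 of the field, so item 2's window starts at 11 + 4 = 15 and runs for 12 bytes, where the hex vector for "down" is found; item 3 then requires that the uri does not end in ".exe".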
Examples
# Configure a detection item in user-defined NBAR rule app_http.
<Sysname> system-view
[Sysname] nbar application app_http protocol http
[Sysname-nbar-application-app_http] signature 1 field uri string abcdefg
[Sysname-nbar-application-signature-app_http-1] detection 1 field uri match-type include text abc offset 10 depth 50
direction
Use direction to specify a direction as a match criterion in a user-defined NBAR rule.
Use undo direction to restore the default.
Syntax
direction { to-client | to-server }
undo direction
The following compatibility matrix shows the support of hardware platforms for this command:

| Hardware platform | Module type | Command compatibility |
|---|---|---|
| M9006 M9010 M9014 | Blade IV firewall module | Yes |
| M9006 M9010 M9014 | Blade V firewall module | Yes |
| M9006 M9010 M9014 | NAT module | No |
| M9010-GM | Encryption module | Yes |
| M9016-V | Blade V firewall module | Yes |
| M9008-S M9012-S | Blade IV firewall module | Yes |
| M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
| M9008-S M9012-S | Video network gateway module | Yes |
| M9008-S-V | Blade IV firewall module | Yes |
| M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
| M9000-AK001 | Blade V firewall module | Yes |
| M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
| M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
A user-defined NBAR rule matches packets in both directions.
Views
NBAR rule view
Predefined user roles
network-admin
context-admin
Parameters
to-client: Specifies the direction from server to client.
to-server: Specifies the direction from client to server.
Usage guidelines
If you execute this command multiple times for the same NBAR rule, the most recent configuration takes effect.
Examples
# Configure user-defined NBAR rule abcd to match packets from client to server.
<Sysname> system-view
[Sysname] nbar application abcd protocol http
[Sysname-nbar-application-abcd] direction to-server
Related commands
nbar application
disable
Use disable to disable a user-defined NBAR rule.
Use undo disable to restore the default.
Syntax
disable
undo disable
The following compatibility matrix shows the support of hardware platforms for this command:

| Hardware platform | Module type | Command compatibility |
|---|---|---|
| M9006 M9010 M9014 | Blade IV firewall module | Yes |
| M9006 M9010 M9014 | Blade V firewall module | Yes |
| M9006 M9010 M9014 | NAT module | No |
| M9010-GM | Encryption module | Yes |
| M9016-V | Blade V firewall module | Yes |
| M9008-S M9012-S | Blade IV firewall module | Yes |
| M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
| M9008-S M9012-S | Video network gateway module | Yes |
| M9008-S-V | Blade IV firewall module | Yes |
| M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
| M9000-AK001 | Blade V firewall module | Yes |
| M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
| M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
A user-defined NBAR rule is enabled.
Views
NBAR rule view
Predefined user roles
network-admin
context-admin
Usage guidelines
Use this command to disable a user-defined NBAR rule if the following conditions exist:
· The NBAR rule will not be used in the foreseeable future.
· You do not want to delete the NBAR rule.
Examples
# Disable user-defined NBAR rule abcd.
<Sysname> system-view
[Sysname] nbar application abcd protocol http
[Sysname-nbar-application-abcd] disable
Related commands
nbar application
display app-group
Use display app-group to display information about the specified application groups.
Syntax
display app-group [ name group-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
name group-name: Specifies an application group by its name. The group-name argument is a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed. If you do not specify an application group, this command displays information about all application groups.
Examples
# Display information about all application groups.
<Sysname> display app-group
User-defined count:3
Group Name Type Group ID
6767 User-defined 0x00800002
er User-defined 0x00800001
hbc User-defined 0x00800003
# Display information about application group er.
<Sysname> display app-group name er
Group English name: er
Group Chinese name: er
Group ID: 0x00800001
Type: User-defined
Application count: 2
Include application list:
Application name Type App ID
114Travel Pre-defined 0x0000542c
banc User-defined 0x00800001
pre-defined app-group count:0
Include pre-defined app-group list:
App-group name Type App-group ID
Table 1 Command output

| Field | Description |
|---|---|
| User-defined count | Number of application groups. |
| Group Name | Name of the application group. |
| Group English name | English name of the application group. |
| Type | Application attribute: Pre-defined or User-defined. This field always displays User-defined for application groups. |
| Application count | Number of applications in the application group. |
| Include application list | Application list. |
| Application name | Application name. |
| App ID | Application ID. |
| pre-defined app-group count | Number of predefined application groups in the application group. This field is not supported in the current software version. |
| Include pre-defined app-group list | List of predefined application groups. This field is not supported in the current software version. |
| App-group name | Name of a predefined application group. This field is not supported in the current software version. |
| App-group ID | ID of a predefined application group. This field is not supported in the current software version. |
Related commands
app-group
include
display application
Use display application to display information about the specified applications.
Syntax
display application [ name application-name | pre-defined | user-defined ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
name application-name: Specifies an application by its name. The application-name argument is a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
pre-defined: Specifies the predefined applications.
user-defined: Specifies the user-defined applications.
Usage guidelines
If you do not specify any parameters, this command displays information about all applications.
Examples
# Display information about all predefined applications.
<Sysname> display application pre-defined
Pre-defined count: 817
Application name Type App ID Tunnel Encrypted DetectLen
12530WAP_Application_We Pre-defined 0x000003ac No No 0
b_HTTP
12580_Application_HTTP Pre-defined 0x00000312 No No 0
126_Web_Email_Download_ Pre-defined 0x000002b7 No No 0
HTTP
126_Web_Email_Login_HTT Pre-defined 0x000002b3 No No 0
P
126_Web_Email_Read_Emai Pre-defined 0x000002b4 No No 0
l_HTTP
126_Web_Email_Receive_E Pre-defined 0x000002b6 No No 0
mail_HTTP
126_Web_Email_Send_Emai Pre-defined 0x000002b5 No No 0
l_HTTP
126_Web_Email_Upload_HT Pre-defined 0x000002b8 No No 0
TP
139_mobile_weibo_commen Pre-defined 0x000001da No No 0
t_HTTP
139_mobile_weibo_login_ Pre-defined 0x000001d9 No No 0
HTTP
139_mobile_weibo_login_ Pre-defined 0x00000444 No No 0
---- More ----
# Display information about all user-defined applications.
<Sysname> display application user-defined
User-defined count: 4
Application name Type App ID Tunnel Encrypted DetectLen
def User-defined 0x00800002 No No 0
dfer User-defined 0x00800003 No No 0
efer User-defined 0x00800004 No No 0
fdfad User-defined 0x00800001 No No 0
# Display information about all applications.
<Sysname> display application
Total count: 821
Pre-defined count: 817
User-defined count: 4
Application name Type App ID Tunnel Encrypted DetectLen
12530WAP_Application_We Pre-defined 0x000003ac No No 0
b_HTTP
12580_Application_HTTP Pre-defined 0x00000312 No No 0
126_Web_Email_Download_ Pre-defined 0x000002b7 No No 0
HTTP
126_Web_Email_Login_HTT Pre-defined 0x000002b3 No No 0
P
126_Web_Email_Read_Emai Pre-defined 0x000002b4 No No 0
l_HTTP
126_Web_Email_Receive_E Pre-defined 0x000002b6 No No 0
mail_HTTP
126_Web_Email_Send_Emai Pre-defined 0x000002b5 No No 0
l_HTTP
126_Web_Email_Upload_HT Pre-defined 0x000002b8 No No 0
TP
139_mobile_weibo_commen Pre-defined 0x000001da No No 0
t_HTTP
139_mobile_weibo_login_ Pre-defined 0x000001d9 No No 0
HTTP
139_mobile_weibo_login_ Pre-defined 0x00000444 No No 0
HTTPS
139Mail_Login_HTTP Pre-defined 0x000001cb No No 0
139Mail_Login_HTTPS Pre-defined 0x0000038c No No 0
139Mail_Login_TCP Pre-defined 0x0000044b No No 0
163TV_HTTP Pre-defined 0x000004c3 No No 0
17173_Application_HTTP Pre-defined 0x00000350 No No 0
178Game_Application_HTT Pre-defined 0x00000222 No No 0
P
17K_fiction_Application Pre-defined 0x00000330 No No 0
_HTTP
19lou_Login_http_stream Pre-defined 0x000002c0 No No 0
19lou_Publish_Or_Reply_ Pre-defined 0x000002c2 No No 0
http_stream1
19lou_Publish_Or_Reply_ Pre-defined 0x000002c3 No No 0
http_stream2
19lou_View_http_stream Pre-defined 0x000002c1 No No 0
1ting_Music_Application Pre-defined 0x000001bc No No 0
_Mobile_HTTP
21CN_Email_Read_HTTP Pre-defined 0x000003fb No No 0
21CN_Email_Send_HTTP Pre-defined 0x000003fc No No 0
---- More ----
# Display information about application Telnet.
<Sysname> display application name telnet
Application English Name: telnet
Application Chinese Name: telnet
Application ID: 0x0000000e
Tunnel: No
Encrypted: No
Table 2 Command output
Field | Description |
Total count | Total number of applications. |
Pre-defined count | Number of predefined applications. |
User-defined count | Number of user-defined applications. |
Application name | Name of the application. |
Type | Application type: · Pre-defined. · User-defined. |
App ID/Application ID | ID of the application. |
Tunnel | Whether the protocol is a tunnel protocol, such as L2TP: · Yes. · No. |
Encrypted | Whether the protocol is encrypted: · Yes. · No. |
DetectLen | Length of data, in bytes, that is inspected for application recognition. The length can be predefined or user-defined. |
Related commands
app-group
include
display application statistics
Use display application statistics to display statistics for the specified applications.
Syntax
In standalone mode:
display application statistics [ direction { inbound | outbound } | interface interface-type interface-number [ slot slot-number [ cpu cpu-number ] ] | name application-name ] *
In IRF mode:
display application statistics [ direction { inbound | outbound } | interface interface-type interface-number [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] | name application-name ] *
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
direction: Specifies the direction of the interface.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number. This option is available only for global interfaces, such as VLAN interfaces and tunnel interfaces. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only for global interfaces, such as VLAN interfaces and tunnel interfaces. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
name application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
Usage guidelines
If you do not specify any options or keywords, this command displays statistics for applications on all interfaces in both inbound and outbound directions.
This command displays statistics for applications only after the application statistics feature is enabled on the specified interfaces. Disabling the application statistics feature on the specified interfaces deletes the corresponding application statistics.
You can display statistics for applications based on certain criteria, including application names, interface directions, interface names, or a combination of the criteria.
Examples
# Display application statistics for GigabitEthernet 1/0/1.
<Sysname> display application statistics interface gigabitethernet 1/0/1
Interface : GigabitEthernet1/0/1
Application In/Out Packets Bytes PPS BPS
Slot 1 :
http IN 275 78631 0 275
OUT 357 255251 0 101
https IN 403 39267 0 44
OUT 681 623501 0 32
netbios-dgm IN 3 729 0 32
OUT 0 0 0 0
netbios-ns IN 248 22816 2 1423
OUT 0 0 0 0
telnet IN 801 43374 10 4509
OUT 1519 65388 20 6774
Table 3 Command output
Field | Description |
Interface | Interface name. |
Application | Name of the application. |
In/Out | Interface direction: · In—Inbound. · Out—Outbound. |
Packets | Number of packets received or sent on the interface. |
Bytes | Number of bytes received or sent on the interface. |
PPS | Packets received or sent per second. |
BPS | Bytes received or sent per second. |
Related commands
app-group
application statistics enable
display application statistics top
Use display application statistics top to display statistics for applications on an interface in descending order, based on the specified criteria.
Syntax
In standalone mode:
display application statistics top number { bps | bytes | packets | pps } interface interface-type interface-number [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display application statistics top number { bps | bytes | packets | pps } interface interface-type interface-number [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
number: Specifies the number of application statistics entries to be displayed. The value range is 0 to 4294967295.
bytes: Sorts applications by traffic size in bytes.
bps: Sorts applications by traffic rate in bps.
packets: Sorts applications by traffic size in packet count.
pps: Sorts applications by traffic rate in pps.
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number. This option is available only for global interfaces, such as VLAN interfaces and tunnel interfaces. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only for global interfaces, such as VLAN interfaces and tunnel interfaces. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
This command displays application statistics only after the application statistics feature is enabled on the specified interface. Disabling the application statistics feature on the interface deletes the existing statistics.
The system ranks applications by the sum of their inbound and outbound statistics. Applications with the same sum are displayed in alphabetical order.
Examples
# Display the top three applications that have received and sent the most packets on GigabitEthernet 1/0/1.
<Sysname> display application statistics top 3 packets interface gigabitethernet 1/0/1
Interface : GigabitEthernet1/0/1
Application In/Out Packets Bytes PPS BPS
Slot 1 :
telnet IN 1389 75219 0 44
OUT 2626 112745 0 54
https IN 468 42830 0 123
OUT 746 626101 0 91
netbios-ns IN 965 88780 2 1411
OUT 0 0 0 0
Table 4 Command output
Field | Description |
Interface | Interface name. |
Application | Name of the application. |
In/Out | Interface direction: · In—Inbound. · Out—Outbound. |
Packets | Number of packets received or sent on the interface. |
Bytes | Number of bytes received or sent on the interface. |
PPS | Packets received or sent per second. |
BPS | Bytes received or sent per second. |
Related commands
app-group
application statistics enable
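The ranking rule used by display application statistics top (sum of the inbound and outbound counters, ties broken alphabetically) is easy to reproduce offline when you have collected display application statistics output from many devices, for example to baseline which applications dominate an interface before tightening a security policy. The following Python script is an added example and is not part of this command reference or device software: it parses the output layout shown in the display application statistics example above (the sample text is transcribed from that example and embedded as a constant) and implements the same ranking.

```python
import re
from typing import Dict, List, Tuple

# Sample output transcribed from the display application statistics example
# in this reference; column spacing is constructed to match the device layout.
SAMPLE_OUTPUT = """\
Interface : GigabitEthernet1/0/1
Application        In/Out   Packets    Bytes     PPS    BPS
Slot 1 :
http               IN       275        78631     0      275
                   OUT      357        255251    0      101
https              IN       403        39267     0      44
                   OUT      681        623501    0      32
netbios-dgm        IN       3          729       0      32
                   OUT      0          0         0      0
netbios-ns         IN       248        22816     2      1423
                   OUT      0          0         0      0
telnet             IN       801        43374     10     4509
                   OUT      1519       65388     20     6774
"""

METRICS = ("packets", "bytes", "pps", "bps")

# A data row: optional application name, direction, then four integer columns.
# OUT rows carry no application name; they belong to the preceding IN row.
ROW_RE = re.compile(
    r"^(?P<app>\S+)?\s+(?P<dir>IN|OUT)\s+(?P<packets>\d+)\s+(?P<bytes>\d+)"
    r"\s+(?P<pps>\d+)\s+(?P<bps>\d+)\s*$"
)

Stats = Dict[str, Dict[str, Dict[str, int]]]   # app -> direction -> metric -> value


def parse_statistics(text: str) -> Stats:
    """Parse display application statistics output into nested dicts."""
    stats: Stats = {}
    current_app = None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # header, Interface and Slot lines, blanks
        if m["app"]:
            current_app = m["app"]
        if current_app is None:
            raise ValueError(f"direction row before any application row: {line!r}")
        stats.setdefault(current_app, {})[m["dir"]] = {k: int(m[k]) for k in METRICS}
    return stats


def total(stats: Stats, app: str, metric: str) -> int:
    """Sum of the inbound and outbound values of one metric for an application."""
    return sum(stats[app].get(direction, {}).get(metric, 0) for direction in ("IN", "OUT"))


def top_applications(stats: Stats, n: int, metric: str) -> List[Tuple[str, int]]:
    """Rank applications like display application statistics top: by the IN+OUT
    sum of the chosen metric, descending; equal sums in alphabetical order."""
    if metric not in METRICS:
        raise ValueError(f"unknown metric {metric!r}")
    ranked = sorted(stats, key=lambda app: (-total(stats, app, metric), app))
    return [(app, total(stats, app, metric)) for app in ranked[:n]]


if __name__ == "__main__":
    parsed = parse_statistics(SAMPLE_OUTPUT)
    for app, value in top_applications(parsed, 3, "packets"):
        print(f"{app:<14}{value}")
```

Run on the embedded sample, the script ranks telnet, https and http for the packets metric; feed it output captured from several devices to compare interfaces, or switch the metric to bytes to find the applications moving the most data.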
display apr protocol detection-threshold-other
Use display apr protocol detection-threshold-other to display detection threshold settings for applications categorized as type other.
Syntax
display apr protocol [ protocol-name ] detection-threshold-other
The following compatibility matrix shows the support of hardware platforms for this command:
Hardware platform | Module type | Command compatibility |
M9006 M9010 M9014 | Blade IV firewall module | Yes |
 | Blade V firewall module | Yes |
 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S M9012-S | Blade IV firewall module | Yes |
 | Intrusion prevention service (IPS) module | Yes |
 | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
protocol-name: Specifies a protocol by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a protocol, this command displays the detection threshold settings for all protocols.
Examples
# Display the detection threshold settings for all protocols.
<Sysname> display apr protocol detection-threshold-other
Detection threshold information:
Protocol: general_udp
Packet count: 45
Payload length: 3200 bytes
Protocol: general_tcp
Packet count: 40
Payload length: 3000 bytes
Protocol: http
Packet count: 10
Payload length: 2500 bytes
Protocol: https
Packet count: 20
Payload length: 2800 bytes
display apr signature library
Use display apr signature library to display APR signature library information.
Syntax
display apr signature library
The following compatibility matrix shows the support of hardware platforms for this command:
Hardware platform | Module type | Command compatibility |
M9006 M9010 M9014 | Blade IV firewall module | Yes |
 | Blade V firewall module | Yes |
 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S M9012-S | Blade IV firewall module | Yes |
 | Intrusion prevention service (IPS) module | Yes |
 | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display APR signature library information.
<Sysname> display apr signature library
APR signature library information:
Type SigVersion ReleaseTime Size
Current 1.0.49 Tue Sep 13 06:54:01 2016 659744
Last 1.0.52 Wed Nov 02 07:14:03 2016 702640
Factory 1.0.0 Fri Dec 31 16:00:00 1999 77040
Table 5 Command output
Field | Description |
Type | Version type of the APR signature library: · Current. · Last. · Factory. |
SigVersion | Version of the APR signature library. |
ReleaseTime | Release time of the APR signature library. |
Size | Size of the APR signature library, in bytes. |
display port-mapping pre-defined
Use display port-mapping pre-defined to display information about the predefined port mappings.
Syntax
display port-mapping pre-defined
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display information about all predefined port mappings.
<Sysname> display port-mapping pre-defined
Application Protocol Port
afs3-kaserver TCP 7004
UDP 7004
aol TCP 5190, 5191, 5192, 5193
UDP 5190, 5191, 5192, 5193
appleqtc TCP 458
UDP 458
bgp TCP 179
UDP 179
Table 6 Command output
Field | Description |
Application | Application using the port mapping. |
Protocol | Transport layer protocol. |
Port | Port number of the application. |
Related commands
display port-mapping
port-mapping
display port-mapping user-defined
Use display port-mapping user-defined to display information about the user-defined port mappings.
Syntax
display port-mapping user-defined [ application application-name | port port-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
application application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
port port-number: Specifies a port by its number, in the range of 0 to 65535.
Usage guidelines
If you do not specify an application or a port number, this command displays all user-defined port mappings on the device.
Examples
# Display all user-defined port mappings on the device.
<Sysname> display port-mapping user-defined
Application Port Protocol Match Type Match Condition
-------------------------------------------------------------
FTP 21 TCP --- ---
FTP 21 UDP IPv4 host 10.10.10.1(vpn1)
FTP 2121 UDP IPv4 host [11.10.10.1, 11.10.10.10](vpn2)
FTP 21 UDP IPv4 subnet 10.10.10.1/24
FTP 21 SCTP IPv6 host 2000:fdb8::1:00ab:853c:39ab
HTTP 899 TCP IPv4 ACL 2002
HTTP 999 SCTP IPv6 ACL 2002
Table 7 Command output
Field | Description |
Application | Application using the port mapping. |
Port | Port number to which the application is mapped. |
Protocol | Transport layer protocol. |
Match Type | Match types: · ---—No match type or match condition is specified, and all packets with the specified port are recognized as packets of the specified application. · IPv4 host—A match on the destination IPv4 address of the packet. · IPv6 host—A match on the destination IPv6 address of the packet. · IPv4 subnet—A match on the destination IPv4 subnet of the packet. · IPv6 subnet—A match on the destination IPv6 subnet of the packet. · IPv4 ACL—A match on an IPv4 ACL. · IPv6 ACL—A match on an IPv6 ACL. |
Match Condition | Match conditions: · For the match type IPv4 host or IPv6 host, the destination IP address or address range of the packets. · For the match type IPv4 subnet or IPv6 subnet, the destination subnet of the packets. · For the match type IPv4 ACL or IPv6 ACL, the ACL number. For IP address-based and subnet-based host-port mappings, the MPLS L3VPN instance name is displayed in parentheses if one was configured. |
include application
Use include application to add applications to an application group.
Use undo include application to remove applications from an application group.
Syntax
include application application-name
undo include application application-name
Default
No applications exist in an application group.
Views
Application group view
Predefined user roles
network-admin
context-admin
Parameters
application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
Usage guidelines
Execute this command multiple times to add multiple predefined or user-defined applications to an application group. The number of applications in an application group is not limited.
If you add an application that does not exist to the application group, the system first creates the application and then adds it to the group. Whether the device can recognize the packets of this application depends on your configuration, for example, whether a port mapping or an NBAR rule exists for it.
Examples
# Add HTTP and FTP to group abc.
<Sysname> system-view
[Sysname] app-group abc
[Sysname-app-group-abc] include application http
[Sysname-app-group-abc] include application ftp
Related commands
app-group
copy app-group
nbar application
Use nbar application to create a user-defined NBAR rule and enter its view, or enter the view of an existing NBAR rule.
Use undo nbar application to delete a user-defined NBAR rule.
Syntax
nbar application application-name protocol { http | tcp | udp }
undo nbar application application-name
The following compatibility matrix shows the support of hardware platforms for this command:
Hardware platform | Module type | Command compatibility |
M9006 M9010 M9014 | Blade IV firewall module | Yes |
 | Blade V firewall module | Yes |
 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S M9012-S | Blade IV firewall module | Yes |
 | Intrusion prevention service (IPS) module | Yes |
 | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
No user-defined NBAR rules exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The following names are not allowed:
· invalid.
· other.
· Names of predefined applications.
http: Specifies HTTP packets to which the NBAR rule is applied.
tcp: Specifies TCP packets to which the NBAR rule is applied.
udp: Specifies UDP packets to which the NBAR rule is applied.
Usage guidelines
Predefined NBAR rules exist by default and cannot be deleted or modified. If the predefined NBAR rules do not meet your needs, use this command to create user-defined NBAR rules.
Examples
# Create a user-defined NBAR rule named abcd and apply the rule to HTTP packets.
<Sysname> system-view
[Sysname] nbar application abcd protocol http
[Sysname-nbar-application-abcd]
override-current
Use override-current to overwrite the current signature file during a scheduled automatic update of the APR signature library.
Use undo override-current to restore the default.
Syntax
override-current
undo override-current
The following compatibility matrix shows the support of hardware platforms for this command:
Hardware platform | Module type | Command compatibility |
M9006 M9010 M9014 | Blade IV firewall module | Yes |
 | Blade V firewall module | Yes |
 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S M9012-S | Blade IV firewall module | Yes |
 | Intrusion prevention service (IPS) module | Yes |
 | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
If the APR signature library is updated automatically on a regular basis, an update does not overwrite the current APR signature file. Instead, the device backs up the current APR signature file.
Views
Auto-update configuration view
Predefined user roles
network-admin
context-admin
Usage guidelines
Use this command only if device memory is insufficient. Because the current signature file is overwritten rather than backed up, the APR signature library can no longer be rolled back to the last version. Do not use this command when device memory is sufficient.
Examples
# Overwrite the current APR signature file for a regular online auto-update operation.
<Sysname> system-view
[Sysname] apr signature auto-update
[Sysname-apr-autoupdate] override-current
Related commands
apr signature auto-update
port-mapping
Use port-mapping to configure a general port mapping.
Use undo port-mapping to remove a general port mapping.
Syntax
port-mapping application application-name port port-number [ protocol protocol-name ]
undo port-mapping application application-name port port-number [ protocol protocol-name ]
Default
An application is mapped to a common port.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
application application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
port port-number: Specifies a port by its number, in the range of 0 to 65535.
protocol protocol-name: Specifies a transport layer protocol by its name, including:
· dccp: Specifies DCCP.
· sctp: Specifies SCTP.
· tcp: Specifies TCP.
· udp: Specifies UDP.
· udp-lite: Specifies UDP-Lite.
Usage guidelines
If no transport layer protocol is specified, packets that meet the following conditions are recognized as the specified application's packets:
· Packets are encapsulated by any transport layer protocol.
· Packets have the specified port.
If the destination port of a packet matches a general port mapping, APR recognizes the packet as the specified application's packet.
A mapping with the transport layer protocol specified has a higher priority than one without it.
If two port mappings are configured with the same port number and transport layer protocol, but with different applications, the most recent configuration takes effect.
To change the port number mapped to an application, perform the following tasks:
1. Use the undo port-mapping application command to remove the existing general port mapping.
2. Use the port-mapping application command to specify a different port number for the application.
Examples
# Create a general port mapping of port 3456 to FTP.
<Sysname> system-view
[Sysname] port-mapping application ftp port 3456
Related commands
display port-mapping user-defined
port-mapping acl
Use port-mapping acl to configure an ACL-based host-port mapping.
Use undo port-mapping acl to remove an ACL-based host-port mapping.
Syntax
port-mapping application application-name port port-number [ protocol protocol-name ] acl [ ipv6 ] acl-number
undo port-mapping application application-name port port-number [ protocol protocol-name ] acl [ ipv6 ] acl-number
Default
An application is mapped to a common port.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
application application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
port port-number: Specifies a port by its number in the range of 0 to 65535.
protocol protocol-name: Specifies a transport layer protocol by its name, including:
· dccp: Specifies DCCP.
· sctp: Specifies SCTP.
· tcp: Specifies TCP.
· udp: Specifies UDP.
· udp-lite: Specifies UDP-Lite.
acl [ ipv6 ] acl-number: Specifies the number of an ACL, in the range of 2000 to 2999. To specify an IPv6 ACL, include the ipv6 keyword. To specify an IPv4 ACL, do not include the ipv6 keyword. The ACL will not count traffic that matches this ACL-based host-port mapping even if match counting is enabled for the ACL.
Usage guidelines
APR uses ACL-based host-port mappings to recognize packets. A packet is recognized as an application packet when it matches all the following conditions in a mapping:
· The packet's destination IP address matches the source IP address specified in the ACL rule. APR compares the packet's destination address with the source address field of the ACL, so an ACL written for a host-port mapping lists the server addresses as source addresses.
· The packet's destination port matches the specified port in the mapping.
· The transport layer protocol that encapsulates the packet matches the specified transport layer protocol if you specify a transport layer protocol in the mapping.
If two port mappings are configured with the same port number, transport layer protocol, and ACL, but with different applications, the most recent configuration takes effect.
A mapping with the transport layer protocol specified has a higher priority than one without it.
Examples
# Create a port mapping of port 3456 to FTP for the packets matching ACL 2000.
<Sysname> system-view
[Sysname] port-mapping application ftp port 3456 acl 2000
Related commands
display port-mapping user-defined
port-mapping host
Use port-mapping host to configure an IP address-based host-port mapping.
Use undo port-mapping host to remove an IP address-based host-port mapping.
Syntax
port-mapping application application-name port port-number [ protocol protocol-name ] host { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]
undo port-mapping application application-name port port-number [ protocol protocol-name ] host { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]
Default
An application is mapped to a common port.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
application application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
port port-number: Specifies a port by its number, in the range of 0 to 65535.
protocol protocol-name: Specifies a transport layer protocol by its name, including:
· dccp: Specifies DCCP.
· sctp: Specifies SCTP.
· tcp: Specifies TCP.
· udp: Specifies UDP.
· udp-lite: Specifies UDP-Lite.
ip: Specifies IPv4 addresses.
ipv6: Specifies IPv6 addresses.
start-ip-address [ end-ip-address ]: Specifies a range of IPv4 or IPv6 addresses. The start-ip-address argument represents the start IP address, and the end-ip-address argument represents the end IP address. To specify only one IP address, provide only the start IP address. To specify a range of IP addresses, provide both the start and end IP addresses, and make sure the end IP address is higher than the start IP address.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you configure a mapping for the public network, do not specify this option.
Usage guidelines
APR uses IP address-based host-port mappings to recognize packets. A packet is recognized as an application packet when it matches all the following conditions in a mapping:
· The packet is destined for the specified IP address or IP subnet in the mapping.
· The packet's destination port matches the specified port in the mapping.
· The transport layer protocol that encapsulates the packet matches the specified transport layer protocol if you specify a transport layer protocol in the mapping.
IP address ranges must not overlap between host-port mappings that have the same application, port number, and transport layer protocol.
If two port mappings are configured with the same port number, transport layer protocol, and IP address or IP address ranges, but with different applications, the most recent configuration takes effect.
A mapping with the transport layer protocol specified has a higher priority than one without it.
Examples
# Create a mapping of port 3456 to FTP for the IPv4 packets sent to the host at 1.1.1.1 to 1.1.1.10.
<Sysname> system-view
[Sysname] port-mapping application ftp port 3456 host ip 1.1.1.1 1.1.1.10
# Create a mapping of port 3456 to FTP for the IPv6 packets sent to 1::1.
<Sysname> system-view
[Sysname] port-mapping application ftp port 3456 host ipv6 1::1
Related commands
display port-mapping user-defined
port-mapping subnet
Use port-mapping subnet to configure a subnet-based host-port mapping.
Use undo port-mapping subnet to remove a subnet-based host-port mapping.
Syntax
port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]
undo port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]
Default
An application is mapped to a common port.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
application application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
port port-number: Specifies a port by its number, in the range of 0 to 65535.
protocol protocol-name: Specifies a transport layer protocol by its name, including:
· dccp: Specifies DCCP.
· sctp: Specifies SCTP.
· tcp: Specifies TCP.
· udp: Specifies UDP.
· udp-lite: Specifies UDP-Lite.
ip ipv4-address { mask-length | mask }: Specifies an IPv4 subnet.
· The ipv4-address argument specifies the IPv4 network address.
· The mask-length argument specifies the mask length of the IPv4 subnet, in the range of 1 to 32.
· The mask argument specifies the subnet mask in dotted decimal notation.
ipv6 ipv6-address prefix-length: Specifies an IPv6 subnet. The ipv6-address argument specifies the IPv6 network address, and the prefix-length argument specifies the length of the IPv6 prefix, in the range of 1 to 128.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you configure a mapping for the public network, do not specify this option.
Usage guidelines
APR uses subnet-based host-port mappings to recognize packets. A packet is recognized as an application packet when it matches all the following conditions in a mapping:
· The packet is destined for the specified IP subnet in the mapping.
· The packet's destination port matches the specified port in the mapping.
· The transport layer protocol that encapsulates the packet matches the specified transport layer protocol if you specify a transport layer protocol in the mapping.
If multiple subnet-based mappings apply to a packet and their subnets overlap, APR matches packets destined for the overlapping address range against the mapping whose subnet has the smallest range (the longest prefix).
If two port mappings are configured with the same port number, transport layer protocol, and subnet, but with different applications, the most recent configuration takes effect.
A mapping with the transport layer protocol specified has a higher priority than one without it.
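The three matching conditions and the two tie-break rules above are easiest to see as a small resolver. The following is an added example written for this page, not H3C code: it models the subnet form of port mapping (the host form from the previous command differs only in that address ranges of mappings with the same application, port and protocol may not overlap). The class and method names are hypothetical, and one point the page leaves open is assumed: when a protocol-specific mapping and a smaller-subnet mapping both match, the protocol-specific one wins first and the longest prefix decides among the rest.

```python
import ipaddress
from typing import Optional

TRANSPORTS = {"dccp", "sctp", "tcp", "udp", "udp-lite"}   # protocol-name values from the command


class SubnetPortMappingTable:
    """Hypothetical model of the documented port-mapping subnet matching rules."""

    def __init__(self) -> None:
        # key: (port, protocol or None, network) -> application name
        self._rows: dict = {}

    def add(self, application: str, port: int, subnet: str,
            protocol: Optional[str] = None) -> None:
        if not 0 <= port <= 65535:
            raise ValueError("port must be 0 to 65535")
        if protocol is not None and protocol not in TRANSPORTS:
            raise ValueError(f"unsupported transport protocol {protocol!r}")
        net = ipaddress.ip_network(subnet, strict=False)
        # Same port, protocol and subnet with a different application:
        # the most recent configuration replaces the earlier one.
        self._rows[(port, protocol, net)] = application

    def remove(self, port: int, subnet: str, protocol: Optional[str] = None) -> bool:
        """Model of undo port-mapping ... subnet; True if a mapping was removed."""
        key = (port, protocol, ipaddress.ip_network(subnet, strict=False))
        return self._rows.pop(key, None) is not None

    def resolve(self, dst_ip: str, dst_port: int, transport: str) -> Optional[str]:
        """Return the application a packet is recognized as, or None if no mapping matches."""
        ip = ipaddress.ip_address(dst_ip)
        best_rank = None
        best_app = None
        for (port, proto, net), app in self._rows.items():
            # Condition 1 and 2: destination subnet and destination port.
            if port != dst_port or net.version != ip.version or ip not in net:
                continue
            # Condition 3: transport protocol, only if the mapping specifies one.
            if proto is not None and proto != transport:
                continue
            # Assumed tie-break order: protocol-specific first, then longest prefix
            # (the subnet with the smallest range).
            rank = (proto is not None, net.prefixlen)
            if best_rank is None or rank > best_rank:
                best_rank, best_app = rank, app
        return best_app


if __name__ == "__main__":
    table = SubnetPortMappingTable()
    table.add("ftp", 3456, "1.1.1.0/24")            # the page's IPv4 example
    table.add("http", 3456, "1.1.1.0/25")           # constructed: overlapping, smaller subnet
    table.add("ssh", 3456, "1.1.1.0/24", "tcp")     # constructed: protocol-specific mapping
    table.add("ftp", 3456, "1::/120")               # the page's IPv6 example
    for pkt in (("1.1.1.5", 3456, "tcp"), ("1.1.1.5", 3456, "udp"),
                ("1.1.1.200", 3456, "udp"), ("1::5", 3456, "tcp")):
        print(pkt, "->", table.resolve(*pkt))
```

Running the demo shows the three outcomes a practitioner cares about: the TCP packet to 1.1.1.5 is classified by the protocol-specific mapping, the UDP packet to the same host by the /25 rather than the /24, and the packet to 1.1.1.200 (outside the /25) falls back to the /24.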
Examples
# Create a mapping of port 3456 to FTP for the packets sent to the IPv4 hosts on subnet 1.1.1.0/24.
<Sysname> system-view
[Sysname] port-mapping application ftp port 3456 subnet ip 1.1.1.0 24
# Create a mapping of port 3456 to FTP for the packets sent to the IPv6 hosts on subnet 1::/120.
<Sysname> system-view
[Sysname] port-mapping application ftp port 3456 subnet ipv6 1:: 120
Related commands
display port-mapping user-defined
reset application statistics
Use reset application statistics to clear application statistics for interfaces.
Syntax
reset application statistics [ interface interface-type interface-number ]
Views
User view
Predefined user roles
network-admin
context-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears application statistics for all interfaces.
Examples
# Clear application statistics for GigabitEthernet 1/0/1.
<Sysname> reset application statistics interface gigabitethernet 1/0/1
# Clear application statistics for all interfaces.
<Sysname> reset application statistics
Related commands
application statistics enable
display application statistics
risk type
Use risk type to configure a risk type for a user-defined application.
Use undo risk type to remove a risk type of a user-defined application.
Syntax
risk type risk-type
undo risk type [ risk-type ]
The following compatibility matrix shows the support of hardware platforms for this command:
Hardware platform | Module type | Command compatibility |
---|---|---|
M9006 M9010 M9014 | Blade IV firewall module | Yes |
M9006 M9010 M9014 | Blade V firewall module | Yes |
M9006 M9010 M9014 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S M9012-S | Blade IV firewall module | Yes |
M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S M9012-S | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
A user-defined application does not have any risk type.
Views
User-defined application view
Predefined user roles
network-admin
context-admin
Parameters
risk-type: Specifies a risk type by its name, a case-insensitive string of 1 to 63 characters. You can enter a question mark (?) to obtain a list of supported risk types.
Usage guidelines
You can configure this command multiple times to specify multiple risk types for a user-defined application. The more risk types a user-defined application has, the higher risk level the application has. You can configure security policies according to the risk level.
If you do not specify a risk type when executing the undo risk type command, all risk types of the user-defined application are removed.
Examples
# Configure risk types Tunneling and Misoperation for user-defined application app1.
<Sysname> system-view
[Sysname] user-defined-application app1
[Sysname-user-defined-app-app1] risk type Tunneling
[Sysname-user-defined-app-app1] risk type Misoperation
service-port
Use service-port to specify a port number or a port range as a match criterion in a user-defined NBAR rule.
Use undo service-port to restore the default.
Syntax
service-port { port-num | range start-port end-port }
undo service-port
The following compatibility matrix shows the support of hardware platforms for this command:
Hardware platform | Module type | Command compatibility |
---|---|---|
M9006 M9010 M9014 | Blade IV firewall module | Yes |
M9006 M9010 M9014 | Blade V firewall module | Yes |
M9006 M9010 M9014 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S M9012-S | Blade IV firewall module | Yes |
M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S M9012-S | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
A user-defined NBAR rule matches packets of all port numbers.
Views
NBAR rule view
Predefined user roles
network-admin
context-admin
Parameters
port-num: Specifies the port number in the range of 0 to 65535.
range: Specifies a port range.
start-port: Specifies the start port number for the port range, in the range of 0 to 65535.
end-port: Specifies the end port number for the port range, in the range of 0 to 65535. The end port number cannot be smaller than the start port number.
Usage guidelines
The specified port number or port range is used to match the packets' destination ports.
If you execute this command multiple times for the same NBAR rule, the most recent configuration takes effect.
Examples
# Configure user-defined NBAR rule abcd to match packets with port numbers 2001 through 2004.
<Sysname> system-view
[Sysname] nbar application abcd protocol http
[Sysname-nbar-application-abcd] service-port range 2001 2004
Related commands
direction
signature
Use signature to create an NBAR rule signature and enter its view, or enter the view of an existing NBAR rule signature.
Use undo signature to delete a signature.
Syntax
signature [ signature-id ] [ field field-name ] [ offset offset-value ] { hex hex-vector | regex regex-pattern | string string }
undo signature signature-id
The following compatibility matrix shows the support of hardware platforms for this command:
Hardware platform | Module type | Command compatibility |
---|---|---|
M9006 M9010 M9014 | Blade IV firewall module | Yes |
M9006 M9010 M9014 | Blade V firewall module | Yes |
M9006 M9010 M9014 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S M9012-S | Blade IV firewall module | Yes |
M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S M9012-S | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
No signatures are configured for a user-defined NBAR rule.
Views
NBAR rule view
Predefined user roles
network-admin
context-admin
Parameters
signature-id: Specifies the signature ID in the range of 1 to 65535. If you do not specify this argument when creating a signature, the system automatically assigns a signature ID and records it. Automatically assigned signature IDs increase in steps of 5: a new signature ID is the next unassigned multiple of 5 after the latest automatically assigned signature ID. For example, if the system automatically assigns ID 5 to a signature, the next automatically assigned signature ID will be 10. If signature ID 10 has already been assigned manually to a signature, the next automatically assigned signature ID will be 15.
field field-name: Specifies a protocol field by its name. The specified protocol field must be predefined. This option is available for configuration only if the NBAR rule is applied to HTTP packets. If you do not specify this option, the configured signature takes effect on all fields in HTTP packets.
offset offset-value: Specifies the offset from the beginning of the data field, in bytes. The value range for the offset-value argument is 0 to 65535. A packet matches the signature after the offset. If you do not specify this option, a packet matches the signature from the beginning. If you also specify the field field-name option, the offset begins from the protocol field.
hex hex-vector: Specifies a hexadecimal vector as the match pattern. The hex-vector argument is a string of 8 to 256 characters. The argument must start and end with a vertical bar (|) and must contain an even number of characters.
regex regex-pattern: Specifies a regular expression as the match pattern. The regex-pattern argument is a case-sensitive string of 3 to 253 characters, and it must meet the following requirements:
· Contains a maximum of four branches. For example, abc(c|d|e|\x3D) is valid, and abc(c|onreset|onselect|onchange|style\x3D) is invalid.
· Nested parentheses (a group inside another group) are not allowed. For example, ab((abcs*?)) is invalid.
· A branch group cannot be followed by another branch group. For example, ab(a|b)(c|d)^\\r\\n]+? is invalid.
· A minimum of four non-wildcard characters must exist before an asterisk (*) or question mark (?). For example, abc* is invalid and abcd*DoS\x2d\d{5}\x20\x2bxi\\r\\nJOIN is valid.
string string: Specifies a string as the match pattern. The string argument is a case-sensitive string of 3 to 256 characters.
Usage guidelines
You can repeat this command to configure multiple signatures of different match patterns in a user-defined NBAR rule. If the signatures have different signature IDs, all signatures take effect. The logical relation of these signatures is OR, which indicates that a packet that matches any signature matches the NBAR rule. If the signatures have the same signature ID, the most recent configuration takes effect.
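The parameter constraints and the usage guidelines above describe three things worth checking before a signature is committed: the regex-pattern restrictions, the automatic assignment of signature IDs in steps of 5, and the OR relation between signatures (with a repeated ID replacing the earlier signature). The following is an added example written for this page, not H3C code, that models all three. The class and function names are hypothetical, and the reading of the regex rules is an assumption: a group's branches are its |-separated alternatives, nesting means a ( inside a (, "a branch after another branch" means a second alternation group, and an escape such as \x3D or \d counts as one non-wildcard character. The field option is not modelled; offset is applied as a byte offset into the payload.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SIG_ID_INCREMENT = 5   # automatic signature IDs step by 5, as documented
SIG_ID_MAX = 65535
REGEX_META = set("*?()|[]{}+.^$\\")


def validate_regex(pattern: str) -> Tuple[bool, str]:
    """Check a regex-pattern against the documented constraints (assumed reading)."""
    if not 3 <= len(pattern) <= 253:
        return False, "length must be 3 to 253 characters"
    depth, alternation_groups, branches, literals = 0, 0, 1, 0
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                        # escape: counts as one literal character
            i += 4 if pattern[i + 1:i + 2] == "x" else 2
            literals += 1
            continue
        if ch == "(":
            depth += 1
            if depth > 1:
                return False, "nested parentheses are not allowed"
            branches = 1
        elif ch == ")":
            depth -= 1
            alternation_groups += branches > 1
            branches = 1
        elif ch == "|":
            branches += 1
            if branches > 4:
                return False, "a maximum of four branches is allowed"
        elif ch in "*?" and literals < 4:
            return False, f"four non-wildcard characters must precede '{ch}'"
        elif ch not in REGEX_META:
            literals += 1
        i += 1
    alternation_groups += branches > 1        # '|' at the top level
    if alternation_groups > 1:
        return False, "a branch group cannot follow another branch group"
    return True, "ok"


@dataclass
class Signature:
    kind: str          # "string", "hex" or "regex"
    pattern: str
    offset: int = 0    # match only from this byte offset onward


class NbarRule:
    """Hypothetical model of a user-defined NBAR rule; signatures are in OR relation."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.signatures: Dict[int, Signature] = {}
        self._last_auto_id = 0

    def _next_auto_id(self) -> int:
        # Next unassigned multiple of the increment after the last automatic ID.
        candidate = self._last_auto_id + SIG_ID_INCREMENT
        while candidate in self.signatures:
            candidate += SIG_ID_INCREMENT
        if candidate > SIG_ID_MAX:
            raise ValueError("no free automatic signature ID")
        self._last_auto_id = candidate
        return candidate

    def add_signature(self, kind: str, pattern: str,
                      sig_id: Optional[int] = None, offset: int = 0) -> int:
        if kind == "regex":
            ok, reason = validate_regex(pattern)
            if not ok:
                raise ValueError(reason)
        elif kind == "hex":   # |hh...hh|, 8 to 256 characters, even length
            body = pattern[1:-1]
            if not (8 <= len(pattern) <= 256 and pattern[0] == pattern[-1] == "|"
                    and len(body) % 2 == 0 and set(body) <= set("0123456789abcdefABCDEF")):
                raise ValueError("hex-vector must be |hh..hh| with an even number of characters")
        elif kind == "string":
            if not 3 <= len(pattern) <= 256:
                raise ValueError("string must be 3 to 256 characters")
        else:
            raise ValueError(f"unknown signature kind {kind!r}")
        if sig_id is None:
            sig_id = self._next_auto_id()
        elif not 1 <= sig_id <= SIG_ID_MAX:
            raise ValueError("signature-id must be 1 to 65535")
        # Same signature ID: the most recent configuration replaces the earlier one.
        self.signatures[sig_id] = Signature(kind, pattern, offset)
        return sig_id

    def matches(self, payload: bytes) -> bool:
        """A packet that matches any signature matches the rule (OR relation)."""
        return any(self._match_one(s, payload) for s in self.signatures.values())

    @staticmethod
    def _match_one(sig: Signature, payload: bytes) -> bool:
        data = payload[sig.offset:]
        if sig.kind == "string":
            return sig.pattern.encode() in data
        if sig.kind == "hex":
            return bytes.fromhex(sig.pattern[1:-1]) in data
        return re.search(sig.pattern.encode(), data) is not None
```

With signature 1 added manually, the next automatic ID is 5; after ID 10 is taken manually, the next automatic ID becomes 15, which is the sequence the parameter description gives. The six regex patterns quoted in the parameter list validate exactly as the page labels them under this reading.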
Examples
# Create user-defined NBAR rule abcd, and then add signature 1 in the NBAR rule to define packet match string abcdefg and enter the signature view.
<Sysname> system-view
[Sysname] nbar application abcd protocol http
[Sysname-nbar-application-abcd] signature 1 string abcdefg
[Sysname-nbar-application-abcd-signature-1]
# Configure user-defined NBAR rule ddd to match packets with signature 2, which defines hexadecimal vector 123456, and enter the view of the NBAR rule signature.
<Sysname> system-view
[Sysname] nbar application ddd protocol http
[Sysname-nbar-application-ddd] signature 2 hex |123456|
[Sysname-nbar-application-ddd-signature-2]
Related commands
detection
source
Use source to specify a source IP address or subnet as a match criterion in a user-defined NBAR rule.
Use undo source to restore the default.
Syntax
source ip ipv4-address [ mask-length ]
undo source
The following compatibility matrix shows the support of hardware platforms for this command:
Hardware platform | Module type | Command compatibility |
---|---|---|
M9006 M9010 M9014 | Blade IV firewall module | Yes |
M9006 M9010 M9014 | Blade V firewall module | Yes |
M9006 M9010 M9014 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S M9012-S | Blade IV firewall module | Yes |
M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S M9012-S | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
A user-defined NBAR rule matches packets sourced from all IP addresses.
Views
NBAR rule view
Predefined user roles
network-admin
context-admin
Parameters
ip ipv4-address: Specifies a source IPv4 address or IPv4 subnet, in dotted decimal notation.
mask-length: Specifies the mask length for IPv4 addresses, in the range of 0 to 32.
Usage guidelines
If you execute this command multiple times for the same NBAR rule, the most recent configuration takes effect.
Examples
# Configure user-defined NBAR rule abcd to match packets sourced from IPv4 subnet 192.168.2.0/24.
<Sysname> system-view
[Sysname] nbar application abcd protocol http
[Sysname-nbar-application-abcd] source ip 192.168.2.0 24
Related commands
nbar application
update schedule
Use update schedule to set the update schedule for automatic update, including the update interval and update time.
Use undo update schedule to restore the default.
Syntax
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
undo update schedule
The following compatibility matrix shows the support of hardware platforms for this command:
Hardware platform | Module type | Command compatibility |
---|---|---|
M9006 M9010 M9014 | Blade IV firewall module | Yes |
M9006 M9010 M9014 | Blade V firewall module | Yes |
M9006 M9010 M9014 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S M9012-S | Blade IV firewall module | Yes |
M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S M9012-S | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
The device automatically updates the APR signature library between 02:01:00 and 04:01:00 every day.
Views
Auto-update configuration view
Predefined user roles
network-admin
context-admin
Parameters
daily: Specifies the daily update interval.
weekly: Specifies the weekly update interval. You can specify one day in a week for the update:
· fri: Specifies Friday.
· mon: Specifies Monday.
· sat: Specifies Saturday.
· sun: Specifies Sunday.
· thu: Specifies Thursday.
· tue: Specifies Tuesday.
· wed: Specifies Wednesday.
start-time time: Specifies the start time for the update, in the format of hh:mm:ss. The value range for the time argument is 00:00:00 to 23:59:59.
tingle minutes: Specifies the tolerance time in minutes. The value range for the minutes argument is 0 to 120 minutes. An automatic update will occur at a time point between the following time points:
· Start time minus half of the tolerance time.
· Start time plus half of the tolerance time.
For example, if the specified start time is 01:00:00 and the tolerance time is 60 minutes, the update starts during the period from 00:30:00 to 01:30:00.
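The tolerance window is the start time plus or minus half the tolerance time, and it can cross midnight (a start time of 00:10:00 with a 60-minute tolerance opens at 23:40:00 the previous day). The following is an added example written for this page, not H3C code, that computes the next update window for a daily or weekly schedule; the function name and the weekday handling are hypothetical, and it assumes the device clock is the datetime passed in.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


def next_update_window(now: datetime, start_time: str, tingle: int,
                       weekday: Optional[str] = None) -> Tuple[datetime, datetime]:
    """Return (earliest, latest) bounds of the next automatic update window.

    weekday=None models 'update schedule daily'; a key of WEEKDAYS models
    'update schedule weekly <day>'. A window that has already opened but not
    yet closed is the current one and is returned as is.
    """
    if not 0 <= tingle <= 120:
        raise ValueError("tingle must be 0 to 120 minutes")
    hh, mm, ss = (int(part) for part in start_time.split(":"))
    if not (0 <= hh <= 23 and 0 <= mm <= 59 and 0 <= ss <= 59):
        raise ValueError("start-time must be 00:00:00 to 23:59:59")
    if weekday is not None and weekday not in WEEKDAYS:
        raise ValueError("weekday must be one of mon, tue, wed, thu, fri, sat, sun")
    half = timedelta(minutes=tingle / 2)          # half of the tolerance time
    base = now.replace(hour=hh, minute=mm, second=ss, microsecond=0)
    step = timedelta(days=1)
    if weekday is not None:
        # Move to the requested weekday, then repeat weekly.
        base += timedelta(days=(WEEKDAYS[weekday] - base.weekday()) % 7)
        step = timedelta(days=7)
    # Advance until the window's closing edge is still ahead of now.
    while base + half <= now:
        base += step
    return base - half, base + half


if __name__ == "__main__":
    clock = datetime(2024, 1, 1, 0, 0, 0)         # constructed: a Monday at midnight
    print(next_update_window(clock, "01:00:00", 60))                 # the page's example
    print(next_update_window(clock, "23:10:00", 10, weekday="mon"))  # the command's example
    print(next_update_window(clock, "00:10:00", 60))                 # crosses midnight
```

In this model the documented default window of 02:01:00 to 04:01:00 corresponds to a start time of 03:01:00 with a 120-minute tolerance.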
Examples
# Configure the device to automatically update the APR signature library at 23:10:00 every Monday with a tolerance time of 10 minutes.
<Sysname> system-view
[Sysname] apr signature auto-update
[Sysname-apr-autoupdate] update schedule weekly mon start-time 23:10:00 tingle 10
Related commands
apr signature auto-update
user-defined-application
Use user-defined-application to enter the view of a user-defined application.
Use undo user-defined-application to delete a user-defined application.
Syntax
user-defined-application application-name
undo user-defined-application application-name
The following compatibility matrix shows the support of hardware platforms for this command:
Hardware platform | Module type | Command compatibility |
---|---|---|
M9006 M9010 M9014 | Blade IV firewall module | Yes |
M9006 M9010 M9014 | Blade V firewall module | Yes |
M9006 M9010 M9014 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S M9012-S | Blade IV firewall module | Yes |
M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S M9012-S | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The names of predefined applications and names invalid and other are not allowed.
Usage guidelines
You can configure a risk type for an NBAR or PBAR user-defined application after entering the view of the user-defined application. The user-defined application must already exist.
Examples
# Enter the view of user-defined application app1.
<Sysname> system-view
[Sysname] user-defined-application app1
[Sysname-user-defined-app-app1]
Related commands
nbar application
port-mapping
port-mapping acl
port-mapping host
port-mapping subnet