03-Security Command Reference
Server connection detection commands
auto-learn enable
Use auto-learn enable to enable server connection learning for the specified learning period.
Use undo auto-learn enable to disable server connection learning.
Syntax
auto-learn enable period { one-day | one-hour | seven-day | twelve-hour }
undo auto-learn enable
Default
Server connection learning is disabled.
Views
Server connection learning configuration view
Predefined user roles
network-admin
context-admin
Parameters
period: Specifies the learning period.
one-day: Specifies one day.
one-hour: Specifies one hour.
seven-day: Specifies seven days.
twelve-hour: Specifies 12 hours.
Usage guidelines
This command enables the device to learn the connections initiated by the servers specified by using the source-ip command for the specified learning period.
This command is configurable only when both of the following conditions are met:
· Servers are specified for the learning process to learn connections.
· The server connection learning process is not running on the device.
To change the learning period of an ongoing server connection learning process, first execute the undo auto-learn enable command to stop the learning process, and then execute the auto-learn enable command.
Examples
# Enable server connection learning for one day.
<Sysname> system-view
[Sysname] scd learning
[Sysname-scd-learning] auto-learn enable period one-day
Related commands
source-ip
display scd auto-learn config
Use display scd auto-learn config to display the server connection learning information.
Syntax
display scd auto-learn config
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display the server connection learning information.
<Sysname> display scd auto-learn config
Learning status : Active
Learning time : One-hour
Server address object groups : 146
Progress : 6%
Start time : 2018/03/27 10:50
End time : 2018/03/27 11:50
Table 1 Command output
Field | Description |
---|---|
Learning status | Server connection learning status. If server connection learning is in progress, this field displays Active. If server connection learning is not running, this field displays a hyphen (-). |
Learning time | Learning period, which can be One-day, One-hour, Seven-day, or Twelve-hour. |
Server address object groups | Number of server IP address object groups specified for server connection learning. |
Progress | Progress percentage of the server connection learning. |
Start time | Start time of the server connection learning. |
End time | End time of the server connection learning. |
display scd learning record
Use display scd learning record to display the server-initiated connections learned by server connection learning.
Syntax
display scd learning record [ protected-server ip-address ] [ destination-ip ip-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
protected-server ip-address: Specifies the IP address of the server.
destination-ip ip-address: Specifies the destination IP address of the server-initiated connections.
Usage guidelines
This command displays the server connection learning results, which provide the basis for creating SCD policies to monitor and log illegal connections initiated by servers.
If you do not specify any parameters, this command displays the connections initiated by all servers specified for server connection learning.
Examples
# Display the connections initiated by all servers specified for server connection learning.
<Sysname> display scd learning record
Id Protected server Destination IPv4 address Protocol Port
1 192.168.102.1 192.168.101.21 TCP 443
Total entries: 1
# Display the connections initiated by server 192.168.102.1.
<Sysname> display scd learning record protected-server 192.168.102.1
Id Protected server Destination IPv4 address Protocol Port
1 192.168.102.1 192.168.101.21 TCP 443
Total entries: 1
# Display the server-initiated connections destined for 192.168.101.21.
<Sysname> display scd learning record destination-ip 192.168.101.21
Id Protected server Destination IPv4 address Protocol Port
1 192.168.102.1 192.168.101.21 TCP 443
Total entries: 1
Table 2 Command output
Field | Description |
---|---|
Id | ID of the server connection learning record. |
Protected server | IP address of the server that initiated the connection. |
Destination IPv4 address | IPv4 address the connection is destined for. |
Protocol | Protocol used by the connection. |
Port | Destination port number of the connection. |
Total entries | Total number of learned connections. |
Related commands
reset scd learning record
display scd policy
Use display scd policy to display the server connection detection (SCD) policy information.
Syntax
display scd policy [ name policy-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
name policy-name: Displays detailed information about an SCD policy. The policy-name argument specifies the policy name, a case-insensitive string of 1 to 63 characters. If you do not specify an SCD policy, this command displays brief information about all SCD policies.
Examples
# Display brief information about all SCD policies.
<Sysname> display scd policy
Id Name Protected server Rules Logging Policy status
1 policy1 1.1.1.1 0 Disabled Disabled
Total entries: 1
Table 3 Command output
Field | Description |
---|---|
Id | Row ID of the SCD policy entry. |
Name | Name of the SCD policy. |
Protected server | IP address of the protected server. The SCD policy monitors connections initiated by this server. |
Rules | Number of SCD rules in the SCD policy. Each SCD rule defines a set of legal connections initiated by the server. |
Logging | Enabling status of logging for illegal connections (connections that do not match any SCD rules) initiated by the server. |
Policy status | Enabling status of the SCD policy. |
Total entries | Total number of SCD policies. |
# Display detailed information about SCD policy policy1.
<Sysname> display scd policy name policy1
SCD policy name: policy1
Protected server IPv4: 1.1.1.1
Logging: Enabled
Policy status: Enabled
Rule ID: 1
Permitted dest IPv4: 1.1.2.1
Protocol: TCP port 1-4
Protocol: UDP port 1,3,5,7,9,11,13,15,17,19,21,23
Protocol: ICMP
Table 4 Command output
Field | Description |
---|---|
SCD policy name | Name of the SCD policy. |
Protected server IPv4 | IP address of the protected server. The SCD policy monitors connections initiated by this server. |
Logging | Enabling status of logging for illegal connections (connections that do not match any SCD rules) initiated by the server. |
Policy status | Enabling status of the SCD policy. |
Rule ID | ID of an SCD rule in the SCD policy. Each SCD rule defines a set of legal connections initiated by the server. |
Permitted dest IPv4 | Destination IP address of the legal connections initiated by the server that match the SCD rule. |
Protocol | Protocol (and, for TCP and UDP, the permitted destination ports) used by the legal connections initiated by the server that match the SCD rule. |
logging enable
Use logging enable to enable logging for illegal server-initiated connections detected by the SCD policy.
Use undo logging enable to disable logging for illegal server-initiated connections detected by the SCD policy.
Syntax
logging enable
undo logging enable
Default
Logging is disabled for illegal server-initiated connections detected by the SCD policy.
Views
SCD policy view
Predefined user roles
network-admin
context-admin
Usage guidelines
This feature enables the device to log server-initiated connections that do not match any rules in the SCD policy and send the logs to the device information center. With the information center, you can specify log output rules to output the logs to different destinations. For more information about the information center, see information center configuration in Network Management and Monitoring Configuration Guide.
Examples
# Enable logging for illegal server-initiated connections that are detected by SCD policy policy1.
<Sysname> system-view
[Sysname] scd policy name policy1
[Sysname-scd-policy-policy1] logging enable
Related commands
display scd policy
permit-dest-ip
Use permit-dest-ip to configure the destination IP address criterion for an SCD rule.
Use undo permit-dest-ip to remove the destination IP address criterion from an SCD rule.
Syntax
permit-dest-ip ip-address
undo permit-dest-ip [ ip-address ]
Default
The destination IP address criterion is not configured in an SCD rule.
Views
SCD policy rule view
Predefined user roles
network-admin
context-admin
Parameters
ip-address: Specifies an IPv4 address, in dotted decimal notation.
Usage guidelines
Each SCD rule contains the following criteria to identify legal connections initiated by the protected server:
· A destination IP address criterion, which specifies the destination IP address for server-initiated connections.
In one SCD policy, each SCD rule must use a unique destination IP address.
· One or more protocol criteria. Each protocol criterion specifies a protocol and optionally a set of destination port numbers.
A connection initiated by the protected server matches the SCD rule if the connection matches both the destination IP address criterion and a protocol criterion. Connections initiated by the server that do not match any SCD rules are considered illegal connections.
If you execute the command multiple times for an SCD rule, the most recent configuration takes effect.
As a best practice, use the following procedure to configure an SCD policy for a server:
1. Enable server connection learning on the device to learn the connections initiated by the server.
2. Configure SCD rules for legal connections according to the server connection learning results. To view the learned connections, use the display scd learning record command.
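The two steps above carried through as an added example that is not part of the reference or vendor code: a Python script that reads the table printed by display scd learning record and emits the scd policy, protected-server, rule, permit-dest-ip, protocol, logging enable and policy enable commands for it. It folds in the rule semantics stated for permit-dest-ip and protocol: one rule per destination IP (rules in a policy must use unique destination IPs), one protocol criterion per protocol per rule (re-issuing protocol tcp or protocol udp replaces the earlier port list, so all learned ports for a protocol must go into one command), ports collapsed into the port-number1 to port-number2 form, and a hard stop when a port list would exceed the 20-item limit rather than silently truncating the whitelist. The sample records are constructed; the srv-<address> policy names, the quit lines that return to the parent view, and the hyphen in the Port column of the ICMP row (the page shows only TCP rows) are assumptions.

```python
# Added example (not vendor code): turn `display scd learning record` output
# into the SCD policy commands that whitelist exactly the learned connections.
import re
from collections import defaultdict

# Constructed sample in the column layout shown by the reference. The "-" in
# the Port column of the ICMP row is an assumption (the page shows TCP rows only).
SAMPLE_RECORDS = """\
Id Protected server Destination IPv4 address Protocol Port
1 192.168.102.1 192.168.101.21 TCP 443
2 192.168.102.1 192.168.101.21 TCP 80
3 192.168.102.1 192.168.101.21 TCP 81
4 192.168.102.1 192.168.101.21 TCP 82
5 192.168.102.1 192.168.101.21 UDP 53
6 192.168.102.1 192.168.101.21 ICMP -
7 192.168.102.1 10.0.0.5 TCP 22
8 192.168.102.2 10.0.0.5 TCP 3306
Total entries: 8
"""

ROW = re.compile(r"^\d+\s+(\S+)\s+(\S+)\s+(TCP|UDP|ICMP)(?:\s+(\S+))?\s*$")
MAX_PORT_ITEMS = 20  # port-list limit stated for the protocol command


def parse_records(text):
    """Return (server, dest, proto, port) tuples; port is None for ICMP."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            server, dest, proto, port = m.groups()
            port = int(port) if port and port.isdigit() else None
            rows.append((server, dest, proto.lower(), port))
    return rows


def _item(run):
    return str(run[0]) if len(run) == 1 else f"{run[0]} to {run[-1]}"


def compact_ports(ports):
    """Collapse ports into the 'n' / 'a to b' items the protocol command
    accepts: {80, 81, 82, 443} -> ['80 to 82', '443']."""
    items, run = [], []
    for p in sorted(set(ports)):
        if run and p != run[-1] + 1:
            items.append(_item(run))
            run = []
        run.append(p)
    if run:
        items.append(_item(run))
    return items


def build_policies(records):
    """policies[server][dest][proto] -> set of learned destination ports."""
    policies = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for server, dest, proto, port in records:
        bucket = policies[server][dest][proto]  # creates the entry for icmp too
        if port is not None:
            bucket.add(port)
    return policies


def render_commands(policies):
    """One policy per protected server, one rule per destination IP (rules in
    a policy must use unique destination IPs), one protocol line per protocol
    per rule (re-issuing protocol tcp/udp replaces the earlier port list).
    Policy names 'srv-<address>' and the quit lines are assumptions."""
    lines = ["system-view"]
    for server in sorted(policies):
        lines += [f"scd policy name srv-{server.replace('.', '-')}",
                  f" protected-server {server}"]
        for rule_id, dest in enumerate(sorted(policies[server]), start=1):
            lines += [f" rule {rule_id}", f"  permit-dest-ip {dest}"]
            for proto, ports in sorted(policies[server][dest].items()):
                if proto == "icmp":
                    lines.append("  protocol icmp")
                    continue
                items = compact_ports(ports)
                if len(items) > MAX_PORT_ITEMS:  # cannot be split across commands
                    raise ValueError(f"{server}->{dest} {proto}: {len(items)} items "
                                     f"exceed the {MAX_PORT_ITEMS}-item port list")
                lines.append(f"  protocol {proto} port {' '.join(items)}")
            lines.append("  quit")
        lines += [" logging enable", " policy enable", " quit"]
    return lines


if __name__ == "__main__":
    print("\n".join(render_commands(build_policies(parse_records(SAMPLE_RECORDS)))))
```

Review the generated commands before pasting them into the device: learning records capture whatever the server did during the learning window, including any connection an already-compromised server made, so each rule should be confirmed against the server's intended role rather than applied blindly.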
Examples
# In SCD policy policy1, configure SCD rule 1 to match connections destined for 1.1.1.1.
<Sysname> system-view
[Sysname] scd policy name policy1
[Sysname-scd-policy-policy1] rule 1
[Sysname-scd-policy-policy1-1] permit-dest-ip 1.1.1.1
Related commands
display scd policy
policy enable
Use policy enable to enable an SCD policy.
Use undo policy enable to disable an SCD policy.
Syntax
policy enable
undo policy enable
Default
An SCD policy is disabled.
Views
SCD policy view
Predefined user roles
network-admin
context-admin
Usage guidelines
An SCD policy takes effect only after it is enabled.
Examples
# Enable SCD policy policy1.
<Sysname> system-view
[Sysname] scd policy name policy1
[Sysname-scd-policy-policy1] policy enable
Related commands
display scd policy
protected-server
Use protected-server to specify the IP address of the protected server in an SCD policy.
Use undo protected-server to remove the protected server IP address from an SCD policy.
Syntax
protected-server ip-address
undo protected-server [ ip-address ]
Default
No protected server IP address is specified.
Views
SCD policy view
Predefined user roles
network-admin
context-admin
Parameters
ip-address: Specifies the IPv4 address of a protected server, in dotted decimal notation.
Usage guidelines
An SCD policy monitors only the connections initiated by the specified protected server.
The protected server IP address must be unique for each SCD policy.
If you execute this command for an SCD policy multiple times, the most recent configuration takes effect.
Examples
# Configure SCD policy policy1 to monitor connections initiated by server 192.168.1.10.
<Sysname> system-view
[Sysname] scd policy name policy1
[Sysname-scd-policy-policy1] protected-server 192.168.1.10
Related commands
display scd policy
protocol
Use protocol to configure a protocol criterion for an SCD rule.
Use undo protocol to remove a protocol criterion from an SCD rule.
Syntax
protocol { icmp | tcp port port-list | udp port port-list }
undo protocol { icmp | tcp | udp }
Default
No protocol criterion is configured in an SCD rule.
Views
SCD rule view
Predefined user roles
network-admin
context-admin
Parameters
icmp: Specifies the ICMP protocol.
tcp port port-list: Specifies the TCP protocol and a list of up to 20 destination TCP port numbers in the range of 1 to 65535. The port-list argument specifies a space-separated list of port number items. Each item specifies a port by its number or specifies a range of port numbers in the form of port-number1 to port-number2. The start port number must be identical to or lower than the end port number.
udp port port-list: Specifies the UDP protocol and a list of up to 20 destination UDP port numbers in the range of 1 to 65535. The port-list argument specifies a space-separated list of port number items. Each item specifies a port by its number or specifies a range of port numbers in the form of port-number1 to port-number2. The start port number must be identical to or lower than the end port number.
Usage guidelines
Each SCD rule contains the following criteria to identify legal connections initiated by the protected server:
· A destination IP address criterion, which specifies the destination IP address for server-initiated connections.
· One or more protocol criteria. Each protocol criterion specifies a protocol and optionally a set of destination port numbers.
A connection initiated by the protected server matches the SCD rule if the connection matches both the destination IP address criterion and a protocol criterion. Connections initiated by the server that do not match any SCD rules are considered illegal connections.
You can use this command multiple times to specify different protocols in an SCD rule.
If you execute this command for the same protocol (TCP or UDP) multiple times in an SCD rule with different port lists, the most recent port list takes effect; the port lists are not merged.
Examples
# In SCD policy policy1, configure a protocol criterion in SCD rule 1 to match the TCP protocol with port numbers 80 and 1000 to 2000.
<Sysname> system-view
[Sysname] scd policy name policy1
[Sysname-scd-policy-policy1] rule 1
[Sysname-scd-policy-policy1-1] protocol tcp port 80 1000 to 2000
Related commands
display scd policy
reset scd learning record
Use reset scd learning record to clear the server connection learning results.
Syntax
reset scd learning record
Views
User view
Predefined user roles
network-admin
context-admin
Examples
# Clear the server connection learning results.
<Sysname> reset scd learning record
Related commands
display scd learning record
rule
Use rule to create an SCD rule and enter its view, or enter the view of an existing SCD rule.
Use undo rule to remove an SCD rule.
Syntax
rule rule-id
undo rule [ rule-id ]
Default
No SCD rules exist in an SCD policy.
Views
SCD policy view
Predefined user roles
network-admin
context-admin
Parameters
rule-id: Specifies a rule ID in the range of 1 to 65535.
Usage guidelines
Each SCD rule contains the following criteria to identify legal connections initiated by the protected server:
· A destination IP address criterion, which specifies the destination IP address for server-initiated connections.
· One or more protocol criteria. Each protocol criterion specifies a protocol and optionally a set of destination port numbers.
A connection initiated by the protected server matches the SCD rule if the connection matches both the destination IP address criterion and a protocol criterion. Connections initiated by the server that do not match any SCD rules are considered illegal connections.
If you do not specify a rule ID for the undo rule command, all SCD rules in the SCD policy will be deleted.
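The matching rule stated here (and identically under permit-dest-ip and protocol) as code, as an added example that is not part of the reference: it parses the detailed display scd policy name output shown above into a policy model, expands the TCP port 1-4 and UDP port 1,3,5,... notations, and classifies server-initiated connections as legal (they match a rule's destination IP criterion and one of that rule's protocol criteria) or illegal (they match no rule, which is what logging enable reports). The second rule in the sample output, the connection list, and the Rule/Policy class names are constructed for the example; connections from an address other than the protected server, or evaluated against a disabled policy, are reported as not monitored rather than as legal.

```python
# Added example (not vendor code): apply the SCD rule-matching semantics to
# a policy parsed from the detailed `display scd policy name` output.
from dataclasses import dataclass, field

# Taken from the sample output in the reference; rule 2 is added for the
# example and is not in the page's own output.
SAMPLE_POLICY = """\
SCD policy name: policy1
Protected server IPv4: 1.1.1.1
Logging: Enabled
Policy status: Enabled
Rule ID: 1
Permitted dest IPv4: 1.1.2.1
Protocol: TCP port 1-4
Protocol: UDP port 1,3,5,7,9,11,13,15,17,19,21,23
Protocol: ICMP
Rule ID: 2
Permitted dest IPv4: 1.1.2.2
Protocol: TCP port 22,443
"""


@dataclass
class Rule:
    dest: str = ""
    # protocol name -> set of permitted destination ports; None for ICMP,
    # which carries no port criterion
    protocols: dict = field(default_factory=dict)


@dataclass
class Policy:
    name: str = ""
    server: str = ""
    logging: bool = False
    enabled: bool = False
    rules: list = field(default_factory=list)


def parse_port_spec(spec):
    """Expand the display form '1-4,22,443' into a set of port numbers."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 65535:  # start must not exceed end
            raise ValueError(f"bad port item {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def parse_policy(text):
    """Build a Policy from the detailed display output of one policy."""
    policy, rule = Policy(), None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "SCD policy name":
            policy.name = value
        elif key == "Protected server IPv4":
            policy.server = value
        elif key == "Logging":
            policy.logging = value == "Enabled"
        elif key == "Policy status":
            policy.enabled = value == "Enabled"
        elif key == "Rule ID":
            rule = Rule()
            policy.rules.append(rule)
        elif key == "Permitted dest IPv4" and rule is not None:
            rule.dest = value
        elif key == "Protocol" and rule is not None:
            proto, _, spec = value.partition(" port ")
            rule.protocols[proto.lower()] = parse_port_spec(spec) if spec else None
    return policy


def is_legal(policy, src, dest, proto, port=None):
    """True: matches a rule's destination IP and one of its protocol criteria.
    False: matches no rule (an illegal connection). None: the policy does not
    apply (disabled, or src is not the protected server)."""
    if not policy.enabled or src != policy.server:
        return None
    proto = proto.lower()
    for rule in policy.rules:
        if rule.dest != dest or proto not in rule.protocols:
            continue
        ports = rule.protocols[proto]
        if ports is None or port in ports:
            return True
    return False


# Constructed server-initiated connections: (src, dest, proto, dst port).
CONNECTIONS = [
    ("1.1.1.1", "1.1.2.1", "TCP", 3),      # rule 1, TCP 1-4: legal
    ("1.1.1.1", "1.1.2.1", "TCP", 5),      # port outside 1-4: illegal
    ("1.1.1.1", "1.1.2.1", "UDP", 7),      # rule 1, UDP list: legal
    ("1.1.1.1", "1.1.2.1", "ICMP", None),  # rule 1, ICMP: legal
    ("1.1.1.1", "1.1.2.2", "TCP", 443),    # rule 2: legal
    ("1.1.1.1", "1.1.2.2", "UDP", 53),     # rule 2 has no UDP criterion: illegal
    ("1.1.1.1", "9.9.9.9", "TCP", 443),    # no rule for this destination: illegal
    ("5.5.5.5", "1.1.2.1", "TCP", 3),      # not the protected server: not monitored
]


def illegal_connections(policy, conns):
    """Return the connections the policy would flag (and log) as illegal."""
    return [c for c in conns if is_legal(policy, *c) is False]


if __name__ == "__main__":
    for conn in illegal_connections(parse_policy(SAMPLE_POLICY), CONNECTIONS):
        print("illegal:", conn)
```

The UDP 53 case is the one worth remembering: a rule matches only on the protocols it lists, so adding a destination IP to a rule whitelists nothing until at least one protocol criterion is configured for it.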
Examples
# In SCD policy policy1, create SCD rule 1 and enter its view.
<Sysname> system-view
[Sysname] scd policy name policy1
[Sysname-scd-policy-policy1] rule 1
[Sysname-scd-policy-policy1-1]
Related commands
display scd policy
scd learning
Use scd learning to enter server connection learning configuration view.
Use undo scd learning to remove all server connection learning configurations.
Syntax
scd learning
undo scd learning
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Server connection learning allows the device to learn connections initiated by given servers. The learning results provide the basis for you to create SCD policies to monitor and log illegal connections initiated by the servers.
The undo scd learning command is not configurable when server connection learning is in progress.
Examples
# Enter server connection learning configuration view.
<Sysname> system-view
[Sysname] scd learning
[Sysname-scd-learning]
scd policy
Use scd policy to create an SCD policy and enter its view, or enter the view of an existing SCD policy.
Use undo scd policy to remove an SCD policy.
Syntax
scd policy name policy-name
undo scd policy [ name policy-name ]
Default
No SCD policies exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
name policy-name: Specifies a unique name for the SCD policy. The SCD policy name is a case-insensitive string of 1 to 63 characters.
Usage guidelines
An SCD policy monitors the connections initiated by the specified protected server. You can configure the following settings in an SCD policy:
· Protected server IP address.
· SCD rules to identify legal connections initiated by the server.
· Logging for illegal connections initiated by the server.
· SCD policy enabling status.
If you do not specify an SCD policy for the undo scd policy command, all SCD policies will be deleted.
Examples
# Create an SCD policy named policy1 and enter its view.
<Sysname> system-view
[Sysname] scd policy name policy1
[Sysname-scd-policy-policy1]
Related commands
display scd policy
source-ip
Use source-ip to specify an IP address object group for server connection learning.
Use undo source-ip to remove an IP address object group specified for server connection learning.
Syntax
source-ip object-group-name
undo source-ip [ object-group-name ]
Default
No IP address object groups are specified for server connection learning.
Views
Server connection learning configuration view
Predefined user roles
network-admin
context-admin
Parameters
object-group-name: Specifies an IP address object group by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
Server connection learning will learn the connections initiated by the servers that use IP addresses in the specified IP address object groups.
You can repeat this command to specify a maximum of 1024 IP address object groups.
If you specify a nonexistent IP address object group, the system creates an empty IP address object group with the specified name.
If you do not specify an IP address object group for the undo source-ip command, all IP address object groups specified for server connection learning will be removed.
The source-ip and undo source-ip commands are not configurable when server connection learning is in progress.
For more information about address object groups, see object group configuration in Security Configuration Guide.
Examples
# Specify IP address object group abc for SCD learning.
<Sysname> system-view
[Sysname] scd learning
[Sysname-scd-learning] source-ip abc
Related commands
object-group