
Configuring HiSec Insight Interworking

To defend the intranet against attacks originating from malicious sessions, you can configure the FW to interwork with the HiSec Insight.

Prerequisites

Traffic has been mirrored to the HiSec Insight through the port mirroring of the FW or the downstream switch.

HiSec Insight V100R003C30 and later versions support encrypted traffic analysis. Encrypted service traffic (such as HTTPS, POP3S, IMAPS, and SMTPS traffic encrypted based on SSL) can be directly mirrored to the HiSec Insight through the FW or switch. For versions earlier than HiSec Insight V100R003C30, you need to configure SSL encrypted traffic detection on the FW to decrypt the traffic and then mirror the traffic to the HiSec Insight through the FW. For configuration details, see Server Protection Through SSL-Encrypted Traffic Detection.

Procedure

  1. Create an API administrator. When the HiSec Insight system communicates with the FW, this administrator account is used for authentication.

    Set the administrator service type to api and the authentication mode to local authentication or server authentication based on the actual scenario. For configuration details, see Creating an Administrator Account (Local Authentication) or Creating an Administrator Account (Server Authentication).

  2. Configure the northbound RESTCONF interface in the API view.

    1. Enable the HTTPS-based RESTCONF interface service.

      api https enable

    2. Specify the certificate that the FW sends to users who use HTTPS for authentication on the RESTCONF interface.

      security server-certificate file-name

  3. Enable the blacklist function in the system view.

    firewall blacklist enable

  4. Access the HiSec Insight interworking view.

    apt-cis

  5. Enable the HiSec Insight interworking function.

    linkage enable

  6. Optional: Specify the aging time of dynamic blacklist entries for HiSec Insight interworking.

    blacklist aging-time aging-time

  7. Optional: Set an interval for the firewall to send blacklist-matching statistics to the HiSec Insight.

    log interval time

  8. Optional: Set an alarm threshold for the number of HiSec Insight threat log entries.

    threat alarm threshold threshold-value

    Threat log entries are created on the FW when traffic matches the blacklist imported from the HiSec Insight. They are used to collect statistics on blacklist-matching traffic. Each threat log entry records information such as the source IP address, destination IP address, protocol, matching count, slot ID, and CPU ID. At the configured interval, the FW scans the threat log entries, sends the resulting logs, and then clears the entries so that the table can accept new ones. If a long log sending interval is set, threat log entry usage may become high. Once usage exceeds the threshold, an alarm is generated.

Follow-up Procedure

  • Run the display api restconf client command. The connected client count value in the command output shows whether the HiSec Insight, which acts as the RESTCONF client, is connected.

  • Run the display firewall blacklist item type apt-cis command to view the number of blacklist entries detected by HiSec Insight interworking.

    <sysname> display firewall blacklist item type apt-cis
     IP/port/protocol/user                              Reason                         Insert Time            Age Time  HitTimes        
      ----------------------------------------------------------------------------------------------------------------------------      
     1.1.1.1 /any (dst) /any/                           Apt-cis                     2016/12/10 16:59:55       Permanent 2  

    Blacklist entries with the reason Apt-cis exist only after the FW has successfully interworked with the HiSec Insight.

  • If a blacklist entry delivered through HiSec Insight interworking is a false positive, add the IP address in the blacklist entry to a whitelist. The FW will then no longer block traffic with that source or destination address.
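As an added illustration that is not part of the original documentation, the following Python script parses the output of the display firewall blacklist item type apt-cis command shown above into structured records and applies the check described in the note (entries with reason Apt-cis exist only once interworking has succeeded), then ranks entries by hit count so an operator can see which blacklist entries are actually matching traffic. The sample output is constructed: the first entry is the one shown in the documentation, the second entry (a source-direction entry with a finite age time) and all function and field names are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of "display firewall blacklist item type apt-cis" output.
# The first data row is the one in the documentation; the second is made up to
# exercise a source-direction entry whose age time is a number of seconds.
SAMPLE_OUTPUT = """\
<sysname> display firewall blacklist item type apt-cis
 IP/port/protocol/user                              Reason                         Insert Time            Age Time  HitTimes
  ----------------------------------------------------------------------------------------------------------------------------
 1.1.1.1 /any (dst) /any/                           Apt-cis                     2016/12/10 16:59:55       Permanent 2
 10.0.0.5 /any (src) /any/                          Apt-cis                     2016/12/10 17:03:12       3600      7
"""

# A data row: the first column may contain single spaces, so the columns are
# split on runs of two or more spaces and anchored on the timestamp format.
ROW_RE = re.compile(
    r"^\s*(?P<target>.+?)\s{2,}"
    r"(?P<reason>\S+)\s+"
    r"(?P<inserted>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<age>\S+)\s+"
    r"(?P<hits>\d+)\s*$"
)

# The "IP/port/protocol/user" column, e.g. "1.1.1.1 /any (dst) /any/".
TARGET_RE = re.compile(
    r"^(?P<ip>\S+)\s*/(?P<port>[^\s/]+)\s*"
    r"(?:\((?P<direction>\w+)\))?\s*/(?P<protocol>[^\s/]*)/\s*(?P<user>.*)$"
)


@dataclass
class BlacklistEntry:
    ip: str
    port: str
    direction: Optional[str]   # "src" or "dst" as printed, None if absent
    protocol: str
    user: str
    reason: str
    inserted: str
    age_seconds: Optional[int]  # None means the entry is permanent
    hits: int


def parse_blacklist_output(text: str) -> List[BlacklistEntry]:
    """Turn the raw command output into a list of BlacklistEntry records.

    Prompt, header and separator lines do not match ROW_RE and are skipped.
    """
    entries: List[BlacklistEntry] = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if not row:
            continue
        target = TARGET_RE.match(row.group("target").strip())
        if not target:
            raise ValueError(f"unrecognised blacklist target: {row.group('target')!r}")
        age = row.group("age")
        entries.append(BlacklistEntry(
            ip=target.group("ip"),
            port=target.group("port"),
            direction=target.group("direction"),
            protocol=target.group("protocol"),
            user=target.group("user").strip(),
            reason=row.group("reason"),
            inserted=row.group("inserted"),
            age_seconds=None if age.lower() == "permanent" else int(age),
            hits=int(row.group("hits")),
        ))
    return entries


def interworking_confirmed(entries: List[BlacklistEntry]) -> bool:
    """True if at least one entry was delivered by HiSec Insight (reason Apt-cis)."""
    return any(e.reason.lower() == "apt-cis" for e in entries)


def hit_summary(entries: List[BlacklistEntry]) -> List[Tuple[str, int]]:
    """(ip, hits) pairs, most-hit first, to spot entries that are actively blocking traffic."""
    return sorted(((e.ip, e.hits) for e in entries), key=lambda p: p[1], reverse=True)


if __name__ == "__main__":
    parsed = parse_blacklist_output(SAMPLE_OUTPUT)
    print("interworking confirmed:", interworking_confirmed(parsed))
    for ip, hits in hit_summary(parsed):
        print(f"{ip:<16} hits={hits}")
```

Feed the script the captured output of the display command (for example, from a scheduled session logger) to confirm that interworking is delivering entries and to identify which addresses are generating the most blacklist hits, which is where a false-positive review should begin.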
Copyright © Huawei Technologies Co., Ltd.