This section describes how to add a blacklist entry using the CLI.
Before you add a user blacklist entry, complete relevant user configurations. For details, see User and User Authentication.
Blacklist entries take effect only after the blacklist function has been enabled with its enable command. Entries can still be added while the function is disabled; they simply do not match traffic until it is enabled.
The blacklist function on the FW is not VLAN-aware: an entry matches on address, port, protocol or user regardless of the VLAN the traffic arrives on.
Create blacklist entries on the CPU.
When traffic arrives at the CPU and matches the blacklist, it is discarded.
For USG6610E/6620E, USG6615E/6625E, USG6630E/6650E, USG6635E/6655E, USG6680E, and USG6712E/6716E, blacklist entries created on the CPU are automatically synchronized to the NP. If the incoming traffic on the NP matches a blacklist entry, the traffic is discarded and will not be delivered to the CPU.
Blacklist a user.
firewall blacklist item user user-name [ timeout minutes ]
After a user is added to the blacklist, the FW discards all packets from or to the user.
Blacklist a source IP address.
firewall blacklist item source-ip { source-IPv4-address | source-IPv6-address } [ source-port source-port ] [ protocol { tcp | udp | icmp | protocol-num } ] [ timeout minutes ]
After a source IP address is added to the blacklist, the FW discards all packets from that address. When you blacklist a source IP address, you can narrow the entry by specifying a protocol, or a protocol together with a source port. The FW then drops only the packets carrying that protocol (or that protocol and source port) and permits other packets from the same address.
Blacklist a destination IP address.
firewall blacklist item destination-ip { destination-IPv4-address | destination-IPv6-address } [ destination-port destination-port ] [ protocol { tcp | udp | icmp | protocol-num } ] [ timeout minutes ]
After a destination IP address is added to the blacklist, the FW discards all packets destined for that address. When you blacklist a destination IP address, you can narrow the entry by specifying a protocol, or a protocol together with a destination port. The FW then drops only the packets carrying that protocol (or that protocol and destination port) and permits other packets destined for the same address.
timeout minutes indicates the validity period of the blacklist entry. After the timeout period expires, the blacklist entry is automatically deleted. If no timeout period is specified, the blacklist entry is permanently valid.
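The entry types above differ in which options they accept (a port only makes sense together with a protocol, the hardware form is IPv4-only and has no timeout), so a small builder that validates the arguments before emitting the command line is useful when entries are generated from an incident's indicator list. The following is an added example, not code from the page or from Huawei; it assumes that a port is only valid with tcp or udp and that protocol-num is 0 to 255, neither of which the page states.

```python
import ipaddress

# Protocol keywords accepted by the syntax on this page; anything else must be
# a numeric IP protocol number (protocol-num). The 0-255 range is an assumption.
PROTOCOL_KEYWORDS = ("tcp", "udp", "icmp")


def _protocol_token(protocol):
    """Return the protocol argument as it must appear on the command line."""
    if protocol in PROTOCOL_KEYWORDS:
        return protocol
    if isinstance(protocol, int) and 0 <= protocol <= 255:
        return str(protocol)
    raise ValueError(f"protocol must be tcp/udp/icmp or 0-255, got {protocol!r}")


def blacklist_command(kind, address, port=None, protocol=None,
                      timeout=None, hardware=False):
    """Build one 'firewall blacklist [hardware] item' command string.

    kind      -- "source-ip" or "destination-ip"
    address   -- IPv4 or IPv6 literal (IPv4 only for hardware entries)
    port      -- source/destination port; assumption: needs protocol tcp or udp
    protocol  -- "tcp", "udp", "icmp" or an IP protocol number
    timeout   -- validity in minutes; None means permanent (saved in the config file)
    hardware  -- emit the hardware-chip form, which has no timeout option
    """
    if kind not in ("source-ip", "destination-ip"):
        raise ValueError("kind must be source-ip or destination-ip")
    ip = ipaddress.ip_address(address)          # rejects malformed addresses
    if hardware and ip.version != 4:
        raise ValueError("hardware blacklist entries are IPv4 only")
    if hardware and timeout is not None:
        raise ValueError("hardware blacklist entries have no timeout option")
    if port is not None:
        if protocol not in ("tcp", "udp"):
            raise ValueError("a port requires protocol tcp or udp (assumption)")
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
    if timeout is not None and timeout < 1:
        raise ValueError("timeout must be a positive number of minutes")

    words = ["firewall", "blacklist"]
    if hardware:
        words.append("hardware")
    words += ["item", kind, str(ip)]
    port_keyword = "source-port" if kind == "source-ip" else "destination-port"
    if port is not None:
        words += [port_keyword, str(port)]
    if protocol is not None:
        words += ["protocol", _protocol_token(protocol)]
    if timeout is not None:
        words += ["timeout", str(timeout)]
    return " ".join(words)


def user_blacklist_command(user_name, timeout=None):
    """Build 'firewall blacklist item user user-name [ timeout minutes ]'."""
    if not user_name or any(c.isspace() for c in user_name):
        raise ValueError("user name must be a single non-empty token")
    cmd = f"firewall blacklist item user {user_name}"
    if timeout is not None:
        cmd += f" timeout {timeout}"
    return cmd


def is_valid(**kwargs):
    """True if blacklist_command accepts the arguments, False if it rejects them."""
    try:
        blacklist_command(**kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Temporary block of a C2 source for one hour, and a permanent hardware entry.
    print(blacklist_command("source-ip", "203.0.113.5", port=4444,
                            protocol="tcp", timeout=60))
    print(blacklist_command("source-ip", "198.51.100.7", protocol=47,
                            hardware=True))
```

Entries built without a timeout are permanent and therefore survive in the configuration file, so a generator like this should default to a timeout for anything that is a response to a single incident rather than a standing policy.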
Create a blacklist entry on the hardware chip.
Only USG6510E/6510E-POE, USG6530E, USG6515E/6550E/6560E/6580E, and USG6525E/6555E/6565E/6575E-B/6585E/6605E-B support this function.
After a blacklist is created on the hardware chip, when traffic arrives at the hardware chip and matches the blacklist, it is discarded. That is, the traffic will not be sent to the CPU, reducing the CPU usage.
Run the firewall blacklist hardware item source-ip source-IPv4-address [ source-port source-port ] [ protocol { tcp | udp | icmp | protocol-num } ] command to create blacklist entries based on source addresses.
Run the firewall blacklist hardware item destination-ip destination-IPv4-address [ destination-port destination-port ] [ protocol { tcp | udp | icmp | protocol-num } ] command to create blacklist entries based on destination addresses.
(Optional) Run firewall dynamic-resource used-up alarm blacklist enable [ threshold threshold ] to raise an alarm when the dynamic resources available for blacklist entries are used up; threshold sets the usage level at which the alarm is generated.
If no timeout period is specified, the blacklist entry is permanent and is saved in the configuration file. If a timeout period is specified, the entry is not saved in the configuration file, because it is deleted automatically when the timeout expires; such entries are also lost when the FW restarts.
<sysname> display firewall blacklist item
IP/port/protocol/user        Reason    Insert Time          Age Time     HitTimes
----------------------------------------------------------------------------------------------------------------------------
1.1.1.1 /any (src) /any/     Manual    2015/03/21 15:33:1   Permanent    0
In this example, the output shows one blacklist entry on the CPU: a source-address entry for 1.1.1.1 with no port or protocol restriction. Its Age Time value of Permanent marks it as a permanent entry, and HitTimes is the number of packets that have matched it so far.
To clear all packet-matching counts, run the reset firewall blacklist statistics command in the system view.
<sysname> display firewall blacklist hardware item
IP/port/protocol             Insert Time          HitTimes
-----------------------------------------------------------------------------
1.1.1.1 /any (src) /any      2017/10/16 16:59:55  0
In this example, the output shows one source-address-based blacklist entry on the hardware chip. Hardware entries have no Reason or Age Time column because they are always created manually and have no timeout.
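When the two display commands are collected from many devices, the interesting questions are which entries have actually matched traffic (HitTimes above zero) and which timed entries will silently vanish on the next restart. The parser below is an added example, not code from the page or from Huawei: it reads both output formats shown above and answers those questions. The sample output is constructed in the format the page shows; the numeric Age Time value for a timed entry is an assumed format, since the page only shows Permanent.

```python
import re

# Constructed sample output in the layout shown on this page (not a real capture).
CPU_OUTPUT = """\
<sysname> display firewall blacklist item
IP/port/protocol/user          Reason   Insert Time          Age Time    HitTimes
------------------------------------------------------------------------------------
1.1.1.1 /any (src) /any/       Manual   2015/03/21 15:33:1   Permanent   0
203.0.113.9 /4444 (src) /tcp/  Manual   2024/05/02 09:12:40  55          1289
10.0.0.25 /any (dst) /any/     Manual   2024/05/02 09:13:05  Permanent   37
"""

HW_OUTPUT = """\
<sysname> display firewall blacklist hardware item
IP/port/protocol               Insert Time          HitTimes
-----------------------------------------------------------------------------
1.1.1.1 /any (src) /any        2017/10/16 16:59:55  0
"""

# One pattern for both forms: the CPU row carries Reason and Age Time, the
# hardware row does not, so those two groups are optional.
ROW = re.compile(
    r"^(?P<ip>[0-9a-fA-F.:]+)\s*/(?P<port>\S+)\s*\((?P<dir>src|dst)\)"
    r"\s*/(?P<proto>[^/\s]+)/?(?P<user>\S*)"
    r"\s+(?:(?P<reason>\S+)\s+)?"
    r"(?P<time>\d{4}/\d{2}/\d{2}\s+\d{1,2}:\d{1,2}:\d{1,2})"
    r"(?:\s+(?P<age>\S+))?"
    r"\s+(?P<hits>\d+)\s*$"
)


def parse_blacklist(output):
    """Turn display output into a list of dicts; prompt, header and rule lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        hardware = d["reason"] is None          # hardware rows have no Reason column
        entries.append({
            "ip": d["ip"],
            "port": d["port"],
            "direction": d["dir"],              # src = source entry, dst = destination entry
            "protocol": d["proto"],
            "user": d["user"] or None,
            "reason": d["reason"],
            "insert_time": d["time"],
            "age": d["age"],
            "permanent": None if hardware else d["age"] == "Permanent",
            "hits": int(d["hits"]),
            "hardware": hardware,
        })
    return entries


def hit_entries(entries):
    """Entries whose HitTimes counter is non-zero: the block is actually doing work."""
    return [e for e in entries if e["hits"] > 0]


def volatile_entries(entries):
    """CPU entries with a timeout: not saved in the configuration file, lost on restart."""
    return [e for e in entries if not e["hardware"] and e["permanent"] is False]


if __name__ == "__main__":
    cpu = parse_blacklist(CPU_OUTPUT)
    for e in hit_entries(cpu):
        print(f"{e['ip']} ({e['direction']}) matched {e['hits']} packets")
    for e in volatile_entries(cpu):
        print(f"{e['ip']} expires in {e['age']} minutes and is not in the config file")
```

Because reset firewall blacklist statistics zeroes HitTimes, a monitoring job that reads these counters should record the reset time, or compare successive samples, rather than treat a zero as proof that an entry never matched.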