This section describes how to configure the FW to interwork with a third-party IDS device to defend against attacks.
Currently, the FW can interwork with only one type of third-party IDS device, namely Suricata. For details about Suricata and its configuration, see the Suricata product documentation.
Before configuring interworking, configure traffic mirroring so that the service traffic passing through the FW is copied to Suricata. The traffic can be mirrored to the third-party IDS device either by the mirroring function of the FW or by a downstream switch.
Run the firewall third-party-ids enable command to enable interworking between the FW and the third-party IDS.
By default, the interworking between the FW and the third-party IDS is disabled.
When interworking is enabled, the third-party IDS identifies malicious traffic and delivers blocking instructions to the FW. On receiving an instruction, the FW either deletes the matching existing sessions or blacklists the source or destination addresses so that the attack traffic is blocked.
By default, the blacklist function is disabled.
Run the firewall third-party-ids trust-interface { interface-name | interface-type interface-number } command to configure trusted interfaces on the FW.
For the secure transmission of interworking packets, the FW must be directly connected to the third-party IDS, and the interfaces on which interworking packets arrive must be configured as trusted interfaces. The FW analyzes only interworking packets received on trusted interfaces and executes the corresponding instructions; interworking packets received on any other interface are ignored.
Run the firewall layer2 pppoe detect enable command to enable PPPoE packet detection in Layer 2 transparent deployment.
By default, PPPoE packet detection in Layer 2 transparent deployment is disabled.
After you enable this function, the FW detects PPPoE packets and creates sessions for them when it works in transparent mode.
In certain attack defense scenarios, the FW working in transparent mode may need to block certain PPPoE packets. Because blocking instructions from the IDS are applied to sessions, you must enable PPPoE packet detection in Layer 2 transparent deployment so that sessions are created for PPPoE packets and session-based blocking can take effect.
Run the display firewall third-party-ids trust-interface command to display the trusted interface for interworking with a third-party IDS device.
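The following consolidated command sequence is an added illustration of the steps described in this section; it is not taken from the product documentation. The interface name GigabitEthernet1/0/1 is an assumed placeholder for the interface directly connected to the Suricata host, the commands are assumed to be entered in the system view, and the traffic mirroring configuration that must precede these steps is not shown because this section does not give its commands.

```text
# Added example (not from the product documentation).
# Assumption: traffic mirroring to the Suricata host is already configured
# on the FW or on a downstream switch (commands not shown here).
# Assumption: GigabitEthernet1/0/1 is the interface directly connected to
# the Suricata host; replace it with the real interface.
<FW> system-view
# Step 1: enable interworking with the third-party IDS (disabled by default).
[FW] firewall third-party-ids enable
# Step 2: declare the directly connected interface as trusted; blocking
# instructions arriving on any other interface are ignored by the FW.
[FW] firewall third-party-ids trust-interface GigabitEthernet1/0/1
# Step 3 (only when the FW works in Layer 2 transparent mode): create
# sessions for PPPoE packets so that session-based blocking can apply to them.
[FW] firewall layer2 pppoe detect enable
# Step 4: verify which interface is trusted for IDS interworking packets.
[FW] display firewall third-party-ids trust-interface
```

After the display command, confirm that only the interface physically connected to the Suricata host is listed; a trusted interface that also carries untrusted traffic would let blocking instructions be accepted from sources other than the IDS.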