CLI: Example for Configuring Artificial Intelligence Engine

Networking Requirements

On an enterprise campus network, a network administrator can configure the AIE function on the FW to understand how the network is operating and to detect abnormal behavior in a timely manner. If traffic matches a security policy that references the AIE profile, the network administrator collects network-layer, transport-layer, and application-layer information about the traffic, and then sends the collected information to the AIE of the FW for analysis and evaluation, in order to identify unknown threats and attacks on the network. After detecting a threat or attack, the FW sends a log to the administrator for further processing.

Figure 1 Application networking for artificial intelligence engine

Procedure

  1. Configure immediate update for the AIE database to improve the threat detection capability and efficiency of the FW. For details about how to configure immediate update, see Updating the Artificial Intelligence Engine Database.
  2. Configure an IP address for each interface and add interfaces to security zones.
    1. Configure an IP address for GigabitEthernet0/0/1, and add the interface to the Untrust zone.

      <FW> system-view
      [FW] interface GigabitEthernet0/0/1
      [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW-GigabitEthernet0/0/1] quit
      [FW] firewall zone untrust
      [FW-zone-untrust] add interface GigabitEthernet0/0/1
      [FW-zone-untrust] quit

    2. Configure an IP address for GigabitEthernet0/0/3, and add the interface to the Trust zone.

      [FW] interface GigabitEthernet0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.1.1.1 24
      [FW-GigabitEthernet0/0/3] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet0/0/3
      [FW-zone-trust] quit

  3. Configure an AIE profile.

    [FW] profile type aie name aie_profile
    [FW-profile-aie-aie_profile] description Artificial Intelligence Engine
    [FW-profile-aie-aie_profile] detection-engine all enable
    [FW-profile-aie-aie_profile] quit

  4. Configure a security policy to allow Internet users to access the intranet. Reference the AIE profile configured in step 3 to detect unknown threats and attacks.

    [FW] security-policy
    [FW-policy-security] rule name policy_to_Intranet
    [FW-policy-security-rule-policy_to_Intranet] source-zone untrust
    [FW-policy-security-rule-policy_to_Intranet] destination-zone trust
    [FW-policy-security-rule-policy_to_Intranet] source-address 1.1.1.1 24
    [FW-policy-security-rule-policy_to_Intranet] profile aie aie_profile
    [FW-policy-security-rule-policy_to_Intranet] action permit
    [FW-policy-security-rule-policy_to_Intranet] quit
    [FW-policy-security] quit

Verification

  1. Run the display profile type aie command to check the configuration of the AIE profile.

    <FW> display profile type aie
    ==============================================================================
    AI-Engine Profile Configurations:
    ==============================================================================
    Total Profiles: 1
    ------------------------------------------------------------------------------
        Profile Name                       : aie_profile
        Description                        : Artificial Intelligence Engine
        Referenced                         : 1
        
    ------------------------------------------------------------------------------
        Detection Module                   Status
        cc                                 enabled
        dga                                enabled
        eca                                enabled
        bruteforce                         enabled
        sql                                enabled
    ------------------------------------------------------------------------------

  2. Run the display aie state command to check the running status of the AIE.

    <FW> display aie state
    ==============================================================================
    AI-Engine Running State
    ==============================================================================
    Module               Status     Memory Used (kB)   CPU Usage
    Framework            running    4984               0.00%
    Redis-Server         running    3724               0.00%
    adapt                running    7412               0.00%
    bruteforce           running    4296               0.00%
    cc                   running    7776               0.00%
    dga                  running    15960              0.00%
    eca                  running    31832              0.00%
    sql                  running    31832              0.00%
    ------------------------------------------------------------------------------
  3. After detecting a threat on the network, the FW generates the log AIE/4/EVENT. You can view details about the threat in the log.
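
The two display commands above can be cross-checked automatically. The following is an added example, not part of the original page or of Huawei's tooling: it parses saved output from both commands and reports detection engines that are enabled in the profile but not running, plus a profile that no rule references. The sample text is a trimmed, constructed variant of the output shown above, and the meaning of the "Referenced" counter is an assumption.

```python
import re

# Constructed sample output modelled on the two display commands above. "stopped"
# and "Referenced : 0" are placeholders, not values taken from a device.
PROFILE_OUT = """\
    Profile Name                       : aie_profile
    Referenced                         : 0
------------------------------------------------------------------------------
    Detection Module                   Status
    cc                                 enabled
    sql                                enabled
------------------------------------------------------------------------------
"""
STATE_OUT = """\
Module               Status     Memory Used (kB)   CPU Usage
Framework            running    4984               0.00%
cc                   running    7776               0.00%
sql                  stopped    0                  0.00%
------------------------------------------------------------------------------
"""

def table_rows(text, header):
    """Return {name: status} for rows between `header` and the next rule line."""
    rows, in_table = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(header):
            in_table = True
        elif in_table and stripped.startswith("-"):
            break
        elif in_table and len(stripped.split()) >= 2:
            rows[stripped.split()[0]] = stripped.split()[1]
    return rows

def audit(profile_text, state_text):
    """List engines enabled but not running, unhealthy components, unused profile."""
    enabled = table_rows(profile_text, "Detection Module")
    state = table_rows(state_text, "Module")
    findings = [f"{m}: {s} in profile, state is {state.get(m, 'missing')}"
                for m, s in sorted(enabled.items())
                if s == "enabled" and state.get(m) != "running"]
    findings += [f"{m}: AIE component state is {s}" for m, s in sorted(state.items())
                 if m not in enabled and s != "running"]
    # Assumption: "Referenced" counts the security policy rules using the profile.
    refs = re.search(r"Referenced\s*:\s*(\d+)", profile_text)
    if refs and int(refs.group(1)) == 0:
        findings.append("profile is not referenced by any security policy rule")
    return findings
```

An empty list from `audit()` means every enabled engine is running and the profile is in use.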

Configuration Scripts

#
 sysname FW
#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
profile type aie name aie_profile
 description Artificial Intelligence Engine
 detection-engine dga enable 
 detection-engine cc enable
 detection-engine eca enable 
 detection-engine bruteforce enable
 detection-engine sql enable
#
security-policy
 rule name policy_to_Intranet
  source-zone untrust
  destination-zone trust
  source-address 1.1.1.0 mask 255.255.255.0
  profile aie aie_profile 
  action permit
#
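
Traffic is analysed by the AIE only when the matching rule references the profile, so a saved configuration is worth auditing for permit rules that lack the reference. The following is an added example, not part of the original page: it parses a configuration in the layout of the script above and reports such rules. The rule names policy_no_aie and policy_bad_ref and the profile name missing_profile are hypothetical.

```python
# Constructed configuration in the layout of the script above. The rule names
# policy_no_aie and policy_bad_ref and the profile missing_profile are hypothetical.
CONFIG = """\
#
profile type aie name aie_profile
#
security-policy
 rule name policy_to_Intranet
  source-zone untrust
  destination-zone trust
  profile aie aie_profile
  action permit
 rule name policy_no_aie
  source-zone untrust
  action permit
 rule name policy_bad_ref
  source-zone untrust
  profile aie missing_profile
  action permit
#
"""

def parse(config):
    """Return (AIE profile names, {rule name: [attribute lines]})."""
    profiles, rules, current, in_policy = set(), {}, None, False
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "#":                      # "#" closes the current view
            in_policy, current = False, None
        elif line.startswith("profile type aie name "):
            profiles.add(line.split()[-1])
        elif line == "security-policy":
            in_policy = True
        elif in_policy and line.startswith("rule name "):
            current = rules.setdefault(line.split(None, 2)[2], [])
        elif current is not None:
            current.append(line)
    return profiles, rules

def unprotected_permits(config):
    """Map each permit rule that the AIE will not inspect to the reason."""
    profiles, rules = parse(config)
    findings = {}
    for name, attrs in rules.items():
        refs = [a.split()[2] for a in attrs if a.startswith("profile aie ")]
        if "action permit" in attrs and not refs:
            findings[name] = "no AIE profile referenced"
        elif "action permit" in attrs and refs[0] not in profiles:
            findings[name] = f"undefined AIE profile {refs[0]}"
    return findings
```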
Copyright © Huawei Technologies Co., Ltd.