
Configuring the Flow Probe Using the CLI

This section describes how to use the CLI to configure the flow probe.

Procedure

  1. Configure parameters for interconnecting the flow probe with the HiSec Insight server.
    1. Access the system view.

      system-view

    2. Configure the mode in which the flow probe sends collected data to the HiSec Insight server.

      flow-probe metadata-collect transfer-method { udp | ssl }

      In UDP mode, transmission is efficient, but the metadata is sent in plaintext and without server authentication, so anyone on the path can read it or inject forged records. In SSL mode, throughput is lower than with UDP, but the metadata is encrypted in transit and the HiSec Insight server is authenticated, which is the appropriate choice whenever the collection path crosses a network you do not fully control.

      To use SSL mode, you must also run the flow-probe metadata-collect ca-certificate certificate-name command to specify the CA certificate. The flow probe uses this CA certificate to verify the server certificate presented by the HiSec Insight system; obtain the certificate from the HiSec Insight system.

    3. Configure the IP address and port number of the HiSec Insight server.

      flow-probe metadata-collect server ip ip-address [ port port-number ]

      By default, UDP transmission uses port 8514, and SSL transmission uses port 8443.

    4. Configure the source IP address for the flow probe to send collected data to the HiSec Insight server.

      flow-probe metadata-collect source ip ip-address [ vpn-instance vpn-instance-name ]

  2. Configure flow probe policies.
    1. Access the flow probe policy view from the system view.

      flow-probe-policy

    2. Create a flow probe policy rule and access the policy rule view.

      rule name rule-name

    3. Optional: Configure the description of the flow probe policy rule.

      description description

      Policy rule functions must be clearly described so that an administrator can easily query and maintain the policy rules.

    4. Optional: Configure a tag for the policy.

      add tag tag-name

      After the policy references the tag, you can query policies according to the tag and perform batch operations such as deleting, moving, enabling, and disabling. For the tag description and configuration, see Tag.

    5. Configure matching conditions in the policy rule.

      • If multiple flow probe policies are configured, they are evaluated in priority order and the first policy that the traffic matches is applied; the remaining policies are ignored. Order the policies from the most specific to the least specific, otherwise a broad policy placed higher will shadow the narrower one below it. By default, a policy configured earlier has a higher priority. Run the rule move command to change the priority of a policy.

      • A policy can carry several matching conditions, such as security zone, IP address, and service. The conditions are ANDed: a packet must satisfy every configured condition to match the policy.
      • If multiple values are configured for one matching condition, the values are ORed: a packet that matches any of the values satisfies that condition.

      Function                                Command

      Specify the source security zone.       source-zone { zone-name &<1-6> | any }

      Specify the destination security zone.  destination-zone { zone-name &<1-6> | any }

      Specify the source IP address.          source-address ipv4-address mask mask-address
                                              source-address-exclude ipv4-address mask mask-address

      Specify the destination IP address.     destination-address ipv4-address mask mask-address
                                              destination-address-exclude ipv4-address mask mask-address

      Specify the service.                    service { service-name &<1-6> | any }
                                              service-exclude service-name &<1-6>

      The -exclude forms carve exceptions out of the set matched by the corresponding command, so a policy can match a whole subnet or service group while leaving out specific hosts or services.

    6. Configure the action of the flow probe policy rule.

      action probe { network-layer | application-layer }*

      action no-probe

      • network-layer: collects network-layer and transport-layer information about the traffic.
      • application-layer: collects application-layer information about the traffic.

        For encrypted traffic, you usually need to collect application-layer information.

      • network-layer application-layer (or application-layer network-layer; the keyword order does not matter): collects network-layer, transport-layer, and application-layer data.

        This action applies to both unencrypted and encrypted traffic. Encrypted traffic is handled by the Encrypted Communication Analytics (ECA) function, which does not decrypt the traffic. Instead it collects the SSL protocol negotiation information, packet statistics, and the DNS and HTTP protocol information associated with the flow, and sends them to HiSec Insight as metadata. HiSec Insight analyzes this metadata to identify malicious encrypted traffic.

        If you do not want to collect information about encrypted traffic, write the matching conditions of the flow probe policy so that encrypted traffic is excluded, for example with service-exclude.

      • no-probe: collects nothing for the matching traffic. Because policies are matched in priority order, a no-probe rule placed above a broader probe rule exempts the traffic it matches.
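A complete configuration that walks through the procedure above, added here as an example; it is not taken from the product documentation and is not Huawei's own sample. The server address 10.1.1.10, source address 10.1.1.1, VPN instance mgmt, certificate name hisec_ca.cer, zone name dmz, the address ranges, the rule names and the tag are assumptions chosen for illustration; trust and untrust are the firewall's default zones, and http and https are assumed to be available as predefined service names. The CA certificate is assumed to have already been imported onto the device under that name (importing it is not covered on this page). Lines beginning with # are annotations for the reader, not commands.

```text
system-view
#
# Step 1: connect the flow probe to HiSec Insight over SSL, so the metadata is
# encrypted in transit and the server is checked against the imported CA cert.
flow-probe metadata-collect transfer-method ssl
flow-probe metadata-collect ca-certificate hisec_ca.cer
flow-probe metadata-collect server ip 10.1.1.10 port 8443
flow-probe metadata-collect source ip 10.1.1.1 vpn-instance mgmt
#
# Step 2: policy rules, most specific first, because the first match wins.
flow-probe-policy
 rule name exempt_scanner
  description No metadata for the vulnerability scanner at 203.0.113.10
  add tag probe
  source-zone untrust
  destination-zone dmz
  source-address 203.0.113.10 mask 255.255.255.255
  action no-probe
  quit
 rule name probe_dmz_web
  description L3/L4 plus application metadata for clear-text web into the DMZ
  add tag probe
  source-zone untrust
  destination-zone dmz
  destination-address 10.2.0.0 mask 255.255.255.0
  destination-address-exclude 10.2.0.100 mask 255.255.255.255
  service http
  action probe network-layer application-layer
  quit
 rule name probe_outbound_tls
  description ECA metadata for TLS from internal hosts to the Internet
  add tag probe
  source-zone trust
  destination-zone untrust
  service https
  action probe application-layer
  quit
 rule name probe_outbound_other
  description L3/L4 metadata for everything else leaving trust, TLS excluded
  add tag probe
  source-zone trust
  destination-zone untrust
  service-exclude https
  action probe network-layer
  quit
 quit
#
# Review what was written (display current-configuration is a general VRP command).
display current-configuration | include flow-probe
```

The exempt_scanner rule must sit above probe_dmz_web: both match untrust-to-dmz traffic, so if the exemption were created later it would never be reached and the scanner's traffic would be probed anyway; in that case raise it with rule move. The two outbound rules show the same idea for encrypted traffic: TLS is handled by the application-layer (ECA) rule, and service-exclude https keeps it out of the network-layer catch-all.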

Copyright © Huawei Technologies Co., Ltd.