
Verification and Check

This section describes the verification and check operations after the APT defense feature is configured.

Viewing or Deleting APT Defense Related Information

Run the commands in Table 1 to view or delete APT defense related information.

Table 1 Viewing or deleting configuration or statistics information

Operation | Command
Viewing information about the APT defense profile | display profile type aapt
Viewing the global configuration of APT defense | display aapt global-configuration
Viewing configuration and status information of the interworking sandbox | display sandbox
Viewing statistics about file reputation detection and malicious URL detection of APT defense | display anti-apt statistics
Viewing statistics on the file reputation query result | display aapt file reputation information
Viewing information about files submitted to the sandbox for detection | display aapt file submit information
Viewing information about files to be detected by the sandbox | display aapt sample
Viewing statistics of the sandbox interworking function | display aapt statistics sample
Deleting statistics of the sandbox interworking function | reset aapt statistics sample
Deleting statistics on file reputation detection and malicious URL detection of APT defense | reset anti-apt statistics

Debugging the APT Defense Function

Operation | Command
Enabling APT defense debugging | debugging anti-apt

Viewing Logs

After the traffic matches the APT defense profile, unknown file restoration is performed. The restored file is submitted to the corresponding sandbox (local or cloud sandbox) based on the configured sandbox type for detection. If the file is detected as malicious or suspicious, the log AAPT/4/SCAN_RESULT is reported.

The following is an example of the log AAPT/4/SCAN_RESULT.

AAPT/4/SCAN_RESULT(l)[1]:Sandbox scan-result. (SyslogId=2, VSys="vsys1", Policy="av_rule", SrcIp=192.168.0.100, DstIp=172.16.10.100, SrcPort=2092, DstPort=80, SrcZone=trust, DstZone=untrust, User="unknown", Protocol=TCP, Application="HTTP", Profile="sand_profile", File Name="create.pl", Type="PDF", Size=3309, Direction=download, SandboxType=local, SubTime=2017/08/25 21:57:09, ScanResult="malicious file",RiskLevel="high-risk", Hash="18faf8c60feca1c22fe5aa41862ecb55")

Field | Description
syslog-id | Log ID
vsys-name | Name of the virtual system
policy-name | Name of a security policy
source-ip-address | Source IP address of packets
destination-ip-address | Destination IP address of packets
source-port | Source port of packets
destination-port | Destination port of packets
source-zone | Source security zone of packets
destination-zone | Destination security zone of packets
user-name | User name
protocol | Protocol name
application-name | Application name
profile-name | Profile name
file-name | File name
file-type | File type
file-size | File size
direction | Traffic direction
sandbox-type | Sandbox type, which can be a local or cloud sandbox
time | Sample submission time
file-scan-result | Sample scanning result: malicious or suspicious
risk-level | Risk level, which can be high-risk, middle-risk, or low-risk, in descending order of severity
file-hash-value | File hash value

The FW periodically reads file detection results from the sandbox. To block subsequent traffic based on these results, you must configure the antivirus and URL filtering functions in the content security detection configuration. Only after these two functions are configured does the IAE update the malicious file and malicious URL lists in its cache based on the detection results. After traffic carrying the same malicious signatures arrives at the FW:
  • If a malicious URL is matched, the device blocks the traffic and generates the log ANTI-APT/4/ANTI-APT.

  • If a malicious file is matched, the device performs the specified action and generates the log ANTI-APT/4/ANTI-APT.

The following is an example of the log ANTI-APT/4/ANTI-APT.

AAPT/4/ANTI-APT(l)[1]:An advanced persistent threat was detected. (SyslogId=2, VSys="vsys1", Policy="av_rule", SrcIp=192.168.0.100, DstIp=172.16.10.100, SrcPort=2092, DstPort=80, SrcZone=trust, DstZone=untrust, User="unknown", Protocol=TCP, Application="HTTP", Profile="sand_profile", Direction=download, ThreatType="File Reputation", ThreatName="create.pl", action="block", FileType="PE", Hash="xxxx")

Field | Description
syslog-id | Log ID
vsys-name | Name of the virtual system
policy-name | Name of a security policy
source-ip-address | Source IP address of packets
destination-ip-address | Destination IP address of packets
source-port | Source port of packets
destination-port | Destination port of packets
source-zone | Source security zone of packets
destination-zone | Destination security zone of packets
user-name | User name
protocol | Protocol name
application-name | Application name
profile-name | Profile name
direction | Traffic direction: download or upload
threatType | Threat type: File Reputation (malicious file) or Malicious URL
threatName | Threat name
action | Action to be taken: Alert, Block, Declare, or delete-attachment
fileType | File type
file-hash-value | File hash value
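As an added example (not from the Huawei documentation), the following Python parses both the SCAN_RESULT and ANTI-APT log formats described above into their fields and reduces each record to a short verdict string a SIEM rule could key on. The sample lines are constructed from this section's examples, with the ANTI-APT hash replaced by a labelled placeholder.

```python
import re

# Header layout shared by both logs: "<module>/<severity>/<name>(l)[1]:<message>. (<key=value, ...>)"
HEADER_RE = re.compile(
    r'^(?P<module>[A-Z-]+)/(?P<severity>\d)/(?P<name>[A-Z_-]+)\(\w+\)\[\d+\]:'
    r'(?P<message>[^(]*)\((?P<body>.*)\)$'
)
# Split the body on commas that sit outside double quotes.
SPLIT_RE = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

# Constructed sample lines, modelled on the two examples in this section.
SCAN_RESULT_LOG = (
    'AAPT/4/SCAN_RESULT(l)[1]:Sandbox scan-result. (SyslogId=2, VSys="vsys1", Policy="av_rule", '
    'SrcIp=192.168.0.100, DstIp=172.16.10.100, SrcPort=2092, DstPort=80, SrcZone=trust, DstZone=untrust, '
    'User="unknown", Protocol=TCP, Application="HTTP", Profile="sand_profile", File Name="create.pl", '
    'Type="PDF", Size=3309, Direction=download, SandboxType=local, SubTime=2017/08/25 21:57:09, '
    'ScanResult="malicious file",RiskLevel="high-risk", Hash="18faf8c60feca1c22fe5aa41862ecb55")'
)
ANTI_APT_LOG = (
    'AAPT/4/ANTI-APT(l)[1]:An advanced persistent threat was detected. (SyslogId=2, VSys="vsys1", '
    'Policy="av_rule", SrcIp=192.168.0.100, DstIp=172.16.10.100, SrcPort=2092, DstPort=80, SrcZone=trust, '
    'DstZone=untrust, User="unknown", Protocol=TCP, Application="HTTP", Profile="sand_profile", '
    'Direction=download, ThreatType="File Reputation", ThreatName="create.pl", action="block", '
    'FileType="PE", Hash="<hash placeholder>")'
)

def parse_aapt_log(line: str) -> dict:
    """Parse one SCAN_RESULT or ANTI-APT line into a dict of its fields."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an AAPT log line: %r" % line[:40])
    record = {"log": "%s/%s/%s" % (m["module"], m["severity"], m["name"]),
              "message": m["message"].strip()}
    for token in SPLIT_RE.split(m["body"]):
        key, sep, value = token.strip().partition("=")
        if sep:  # keys may contain spaces ("File Name"); values may be "quoted" or bare
            record[key.strip()] = value.strip().strip('"')
    return record

def triage(record: dict) -> str:
    """Reduce a parsed record to a short verdict string a SOC rule can key on."""
    name = record["log"].rsplit("/", 1)[-1]
    if name == "SCAN_RESULT":  # sandbox verdict plus the RiskLevel field listed above
        verdict = (record.get("ScanResult") or "unknown").split()[0]
        return "sandbox:%s:%s" % (verdict, record.get("RiskLevel", "unknown"))
    if name == "ANTI-APT":  # cached-signature hit plus the action the FW took
        return "anti-apt:%s:%s" % (record.get("ThreatType", "unknown"),
                                   record.get("action", "unknown"))
    return "other:" + name
```

The parser keys on the log name only, so it accepts both the AAPT/4/ANTI-APT form shown in the example and the ANTI-APT/4/ANTI-APT form named in the text.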
Copyright © Huawei Technologies Co., Ltd.