
CLI: Example for Configuring Antivirus

This section provides an example for configuring antivirus on the enterprise gateway device to protect intranet users and servers from viruses.

Networking Requirements

The FW is deployed at the network edge of the enterprise as the security gateway. Intranet users download files and mails from a Web server and a POP3 server on the Internet, and an FTP server in the DMZ receives files uploaded by Internet users. Configure the antivirus function on the FW so that both the intranet and the DMZ server are protected. Figure 1 shows the networking diagram.

Users need to receive mails from Netease, so set the response action for the Netease application to allow. An important file is blocked by the FW because of a false positive (the reported virus ID is 16424404). To ensure that users can receive this file, configure a virus exception for this virus ID.

Figure 1 Networking diagram of antivirus

Configuration Roadmap

  1. Set the IP address and security zone of the interface.
  2. Configure two antivirus profiles. In one profile, set the matching conditions and actions for HTTP and POP3, and configure an application exception for Netease and a virus exception for virus ID 16424404. In the other profile, set the matching condition and action for FTP.
  3. Configure security policies for the trust-to-untrust and untrust-to-dmz interzones, and reference the corresponding antivirus profile in each policy.

Procedure

  1. Set the IP address and security zone of the interface.
    1. Set an IP address for interface GigabitEthernet 0/0/1 and assign the interface to the untrust zone.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW-GigabitEthernet0/0/1] quit
      [FW] firewall zone untrust
      [FW-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW-zone-untrust] quit

    2. Set an IP address for interface GigabitEthernet 0/0/2 and assign the interface to the dmz zone.

      [FW] interface GigabitEthernet 0/0/2
      [FW-GigabitEthernet0/0/2] ip address 10.2.0.1 24
      [FW-GigabitEthernet0/0/2] quit
      [FW] firewall zone dmz
      [FW-zone-dmz] add interface GigabitEthernet 0/0/2
      [FW-zone-dmz] quit

    3. Set an IP address for interface GigabitEthernet 0/0/3 and assign the interface to the trust zone.

      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
      [FW-GigabitEthernet0/0/3] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/3
      [FW-zone-trust] quit

  2. Configure antivirus profiles.
    1. Configure an antivirus profile for HTTP and POP3. Because this profile is used for HTTP and POP3 only, configure virus detection for HTTP and POP3 and then disable virus detection for the other protocols.

      [FW] profile type av name av_http_pop3
      [FW-profile-av-av_http_pop3] http-detect direction download action block
      [FW-profile-av-av_http_pop3] pop3-detect action delete-attachment
      [FW-profile-av-av_http_pop3] exception application name Netease_Webmail
      [FW-profile-av-av_http_pop3] exception av-signature-id 16424404
      [FW-profile-av-av_http_pop3] undo ftp-detect
      [FW-profile-av-av_http_pop3] undo smtp-detect
      [FW-profile-av-av_http_pop3] undo imap-detect
      [FW-profile-av-av_http_pop3] undo nfs-detect
      [FW-profile-av-av_http_pop3] undo smb-detect
      [FW-profile-av-av_http_pop3] quit

    2. Configure an antivirus profile for FTP. Because this profile is used for FTP only, configure virus detection for FTP and then disable virus detection for the other protocols.

      [FW] profile type av name av_ftp
      [FW-profile-av-av_ftp] ftp-detect direction upload action block
      [FW-profile-av-av_ftp] undo http-detect
      [FW-profile-av-av_ftp] undo smtp-detect
      [FW-profile-av-av_ftp] undo pop3-detect
      [FW-profile-av-av_ftp] undo imap-detect
      [FW-profile-av-av_ftp] undo nfs-detect
      [FW-profile-av-av_ftp] undo smb-detect
      [FW-profile-av-av_ftp] quit

  3. Commit the configuration so that the antivirus profiles take effect.

    [FW] engine configuration commit

  4. Create security policies.
    1. Configure a security policy for the direction from intranet users to the Internet (from the trust zone to the untrust zone).

      [FW] security-policy
      [FW-policy-security] rule name policy_av_1
      [FW-policy-security-rule-policy_av_1] source-zone trust
      [FW-policy-security-rule-policy_av_1] destination-zone untrust
      [FW-policy-security-rule-policy_av_1] action permit
      [FW-policy-security-rule-policy_av_1] profile av av_http_pop3
      [FW-policy-security-rule-policy_av_1] quit

    2. Configure a security policy for the direction from the Internet to the intranet server (from the untrust zone to the dmz).

      [FW-policy-security] rule name policy_av_2
      [FW-policy-security-rule-policy_av_2] source-zone untrust
      [FW-policy-security-rule-policy_av_2] destination-zone dmz
      [FW-policy-security-rule-policy_av_2] action permit
      [FW-policy-security-rule-policy_av_2] profile av av_ftp
      [FW-policy-security-rule-policy_av_2] quit
      [FW-policy-security] quit

  5. Save the configuration so that the configuration file containing the preceding settings is loaded automatically at the next startup.

    [FW] quit
    <FW> save

Verification

  • When an intranet user attempts to download a virus-infected file using HTTP, the download connection is interrupted.
  • When an intranet user attempts to download a virus-infected email using POP3, the attachments in the email are deleted.
  • When an Internet user attempts to upload a virus-infected file to the FTP server, the upload connection is interrupted.
  • Intranet users can use the Netease email box to send and receive emails.
  • Intranet users can download the important file that the FW previously blocked as virus 16424404 (the false positive).

Choose Monitor > Log > Threat Log to view threat logs whose threat type is virus, and click a log entry to view its details.

You can also verify the configuration using an EICAR test file.

The following part describes how to construct an EICAR test file. To avoid typing errors when constructing the file, you can also download an EICAR test file directly from https://www.eicar.org/.

  1. Construct an EICAR test file and compress it.
    1. Create a .txt file on the PC and enter the following information:

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

      The preceding 68 characters are the standard EICAR test string. You may append any combination of space, tab, LF, CR, and CTRL-Z characters after them, but the total length of the file must not exceed 128 characters. For simplicity, include only the preceding 68 characters. Pay attention to the third character in the string: it is the upper-case letter O, not the digit 0.

    2. When saving the file, select All Files as the file type and name it EICAR.COM.
    3. Compress the EICAR.COM file into an eicar.zip file.
  2. Before configuring the signature ID that the FW reports for the EICAR test file (16424404) as a virus exception, test whether antivirus takes effect in the HTTP download direction.

    Create an HTML page that contains the eicar.zip file download path on the web server. When an intranet user accesses the page using HTTP and downloads the eicar.zip file, the download fails.

    To test whether antivirus takes effect in the HTTP download direction, you can also access https://www.eicar.org/ to directly download an EICAR test file for verification.

  3. Before configuring the signature ID of the EICAR test file (16424404) as a virus exception, test whether antivirus takes effect in the POP3 download direction.

    Send the eicar.zip file to a mailbox as an attachment. After an intranet user logs in to the mailbox and retrieves the email containing eicar.zip using POP3, the attachment is deleted and the following notice is inserted in the email body: "eicar.zip is deleted from the mail because it contains virus."

  4. After configuring the ID (16424404) of the EICAR test file as a virus exception, test whether the file can be downloaded using HTTP and POP3.

    The EICAR test file can be downloaded using HTTP and POP3.

  5. Test whether antivirus takes effect in the FTP upload direction.

    When an Internet user logs in to the FTP server in the DMZ and attempts to upload the eicar.zip file, the FTP client reports an upload failure.
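
The EICAR construction and packaging steps above (create EICAR.COM, compress it to eicar.zip), automated as an added example; this script is not part of the Huawei guide. It builds the 68-byte string, checks it against the published SHA-256 of that string (so a mistyped letter O or a stray character cannot turn the verification into a false negative), enforces the padding rules the text states (only space, tab, LF, CR, and CTRL-Z after the string; at most 128 bytes in total), and packs the result as EICAR.COM into eicar.zip. The digest constant, the validator, and the refusal to package a malformed string are additions; the file names follow the text.

```python
"""Build, validate, and zip an EICAR test file (added example, not from the guide)."""
import hashlib
import io
import zipfile

# The 68-byte EICAR standard anti-virus test string, exactly as shown in the text.
# The third character is the upper-case letter O, not the digit 0.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Published SHA-256 of the bare 68-byte string; used here as a typing check.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# Only these bytes may follow the 68-byte string (space, tab, LF, CR, CTRL-Z),
# and the whole file must not exceed 128 bytes, as the text describes.
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")
MAX_LEN = 128


def is_valid_eicar(data: bytes) -> bool:
    """True if data is a well-formed EICAR test file under the rules above."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    # bytes iterate as ints, and the frozenset holds ints, so this compares bytes.
    return all(byte in ALLOWED_TRAILER for byte in data[len(EICAR):])


def eicar_sha256(data: bytes) -> str:
    """Hex SHA-256 of the file content, for comparison with EICAR_SHA256."""
    return hashlib.sha256(data).hexdigest()


def build_eicar_zip(payload: bytes = EICAR, member_name: str = "EICAR.COM") -> bytes:
    """Return the bytes of a zip archive holding the test file as EICAR.COM.

    Refuses to package anything that is not a valid EICAR file, so a typo in
    the string cannot silently produce an archive that no scanner will flag.
    """
    if not is_valid_eicar(payload):
        raise ValueError("payload is not a valid EICAR test file")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def zip_member(zip_bytes: bytes, member_name: str = "EICAR.COM") -> bytes:
    """Read one member back out of an archive, to confirm what was packed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(member_name)


if __name__ == "__main__":
    # Sanity checks before writing anything to disk.
    if not is_valid_eicar(EICAR) or eicar_sha256(EICAR) != EICAR_SHA256:
        raise SystemExit("EICAR string does not match the published digest; check for typos")
    with open("EICAR.COM", "wb") as f:
        f.write(EICAR)
    with open("eicar.zip", "wb") as f:
        f.write(build_eicar_zip())
    print("wrote EICAR.COM (68 bytes) and eicar.zip; sha256 =", EICAR_SHA256)
```

Run the script on the PC used for testing; it writes EICAR.COM and eicar.zip into the current directory, and either file can then be placed on the Web server, attached to a mail, or uploaded to the FTP server for the checks above. If your editor appended a line ending, is_valid_eicar still accepts the file as long as only the listed whitespace bytes follow the string and the total stays within 128 bytes, but the SHA-256 of such a padded file differs from EICAR_SHA256, which is the digest of the bare 68 bytes only.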

Configuration Scripts

The following lists related scripts of this configuration example.

#
 sysname FW
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
profile type av name av_http_pop3
 http-detect direction download
 undo ftp-detect
 undo smtp-detect
 pop3-detect action delete-attachment
 undo imap-detect
 undo nfs-detect
 undo smb-detect
 exception application name Netease_Webmail action allow
 exception av-signature-id 16424404
#
profile type av name av_ftp
 undo http-detect
 ftp-detect direction upload
 undo smtp-detect
 undo pop3-detect
 undo imap-detect
 undo nfs-detect
 undo smb-detect
#
security-policy
 rule name policy_av_1
  source-zone trust
  destination-zone untrust
  profile av av_http_pop3
  action permit
 rule name policy_av_2
  source-zone untrust
  destination-zone dmz
  profile av av_ftp
  action permit
#
return

# The following configuration is used to perform a one-time operation and not stored in the configuration profile.
 engine configuration commit
Copyright © Huawei Technologies Co., Ltd.