SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V G, V G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice
The information in this document is subject to change without notice.
Preface
The H3C SecPath Series High-End Firewalls command references describe the commands and command syntax options available for the H3C SecPath Series High-End Firewalls. The Attack Protection Command Reference describes the ARP and web filtering commands. This preface includes: •...
Convention    Description
              A line that starts with a pound (#) sign is a comment.

GUI conventions

Convention    Description
Boldface      Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>             Multi-level menus are separated by angle brackets.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] –...
Technical support
service@h3c.com
http://www.h3c.com

Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
ARP attack defense configuration commands

ARP automatic scanning and fixed ARP configuration commands

arp fixup

Syntax
arp fixup

View
System view

Default Level
2: System level

Parameters
None

Description
Use the arp fixup command to change dynamic ARP entries into static ARP entries.
Note the following:
• The static ARP entries changed from dynamic ARP entries have the same attributes as the static ARP...
arp scan

Syntax
arp scan [ start-ip-address to end-ip-address ]

View
Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view, VLAN interface view

Default Level
2: System level

Parameters
start-ip-address: Start IP address of the scanning range.
end-ip-address: End IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.
Web filtering configuration commands

NOTE:
The file name conventions in this document are as follows:
• Full file name: File path plus file name, a case-insensitive string of 1 to 135 characters excluding the end character.
• File name: File name without file path, a case-insensitive string of 1 to 91 characters excluding the end character.
.vbs

Table 1 Output description
Field          Description
               Serial number
Match-Times    Number of times that a suffix keyword is matched
Keywords       ActiveX blocking suffix keyword

# Display detailed ActiveX blocking information.
<Sysname> display firewall http activex-blocking verbose
ActiveX blocking is enabled.
No ACL group has been configured.
Match-Times Keywords
----------------------------------------------
.CLASS
.JAR
.java

Table 2 Output description
Field          Description
               Serial number
Match-Times    Number of times that the suffix keyword has been matched
Keywords       Java blocking suffix keyword

# Display detailed information about Java blocking.
<Sysname> display firewall http java-blocking verbose
Java blocking is enabled.
<Sysname> display firewall http url-filter host item ^webfilter$
The HTTP request packet including "^webfilter$" had been matched for 10 times.

# Display URL address filtering information about all filtering entries.
<Sysname> display firewall http url-filter host all
Match-Times Keywords
----------------------------------------------
^webfilter$

Table 3 Output description
Field...
Description
Use the display firewall http url-filter parameter command to display information about URL parameter filtering.
If no parameters are specified, the command displays brief information about URL parameter filtering.

Examples
# Display brief information about URL parameter filtering.
<Sysname> display firewall http url-filter parameter
URL-filter parameter is enabled.
firewall http activex-blocking acl

Syntax
firewall http activex-blocking acl acl-number
undo firewall http activex-blocking acl

View
System view

Default level
2: System level

Parameters
acl-number: ACL number, in the range 2000 to 3999.

Description
Use the firewall http activex-blocking acl command to specify an ACL for ActiveX blocking.
Use the undo firewall http activex-blocking acl command to cancel the configuration.
Description
Use the firewall http activex-blocking enable command to enable the ActiveX blocking function and add the default blocking keyword ‘.ocx’ to the ActiveX blocking suffix list.
Use the undo firewall http activex-blocking enable command to disable the ActiveX blocking function.
By default, the ActiveX blocking function is disabled.
View
System view

Default level
2: System level

Parameters
acl-number: ACL number, in the range 2000 to 3999.

Description
Use the firewall http java-blocking acl command to specify an ACL for Java blocking.
Use the undo firewall http java-blocking acl command to cancel the configuration.
By default, no ACL is specified for Java blocking.
Parameters
acl-number: ACL number, in the range 2000 to 3999.

Description
Use the firewall http url-filter host acl command to specify an ACL for URL address filtering.
Use the undo firewall http url-filter host acl command to cancel the configuration.
By default, no ACL is specified for URL address filtering.
This configuration takes effect only after the URL address filtering function is enabled.
Related commands: firewall http url-filter host enable, display firewall http url-filter host.

Examples
# Configure to permit Web requests using IP addresses for access to websites.
<Sysname> system-view
[Sysname] firewall http url-filter host ip-address permit

firewall http url-filter host load

Syntax...
Description
Use the firewall http url-filter host save command to save the URL address filtering entries to a specified file in text format.

Examples
# Save all the URL address filtering entries into a file.
<Sysname> system-view
[Sysname] firewall http url-filter host save cfa0:/urlfilter

firewall http url-filter host url-address

Syntax
firewall http url-filter host url-address { deny | permit } url-address...
standalone webfilter like www.webfilter.com; it does not match website addresses like www.webfilter-china.com.
• A filtering entry with neither “^” at the beginning nor “$” at the end indicates a fuzzy match, and matches website addresses containing the keyword.
• If “*” is present at the beginning of a filtering entry, it must be present in the format like *.xxx, where...
Table 7 Meanings of wildcards
Wildcard   Meaning                                        Usage guidelines
           Matches parameters starting with the keyword   It can be present once at the beginning of a filtering entry.
           Matches parameters ending with the keyword     It can be present once at the end of a filtering entry.
                                                          It can be present multiple times at any position of a filtering entry, consecutively or inconsecutively, and...
Description
Use the firewall http url-filter parameter enable command to enable the URL parameter filtering function.
Use the undo firewall http url-filter parameter enable command to disable the URL parameter filtering function.
By default, the URL parameter filtering function is disabled.
Related commands: display firewall http url-filter parameter.
Parameters
file-name: Name of the file for storing the parameter filtering entries. The name must contain the file path.

Description
Use the firewall http url-filter parameter save command to save all the parameter filtering entries (including the default ones) into a specified file.

Examples
# Save all the parameter filtering entries into a file.