process-sequence

Function

The process-sequence command sets the match sequence of packets to be sent to the CPU: TCPSYN packets, packet fragments, dynamic link protection, management protocol ACL, whitelist, blacklist, and user-defined flow.

The undo process-sequence command restores the default sequence.

By default, packets to be sent to the CPU comply with the following match sequence: TCPSYN packets -> packet fragments -> dynamic link protection -> management protocol ACL -> whitelist -> blacklist -> user-defined flow.

Format

process-sequence { fragment-flood tcpsyn-flood dynamic-link-protection whitelist blacklist user-defined-flow management-acl } *

undo process-sequence

Parameters

Parameter                 Description                              Value
fragment-flood            Indicates packet fragments.              -
tcpsyn-flood              Indicates TCPSYN packets.                -
dynamic-link-protection   Indicates dynamic link protection.       -
whitelist                 Indicates a whitelist.                   -
blacklist                 Indicates a blacklist.                   -
user-defined-flow         Indicates a user-defined flow.           -
management-acl            Indicates a management protocol ACL.     -

Views

Attack defense policy view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
device-mgr write

Usage Guidelines

Usage Scenario

After passing the GTSM check, packets to be sent to the CPU are matched against TCPSYN packets, packet fragments, dynamic link protection, the management protocol ACL, the blacklist, the whitelist, and the user-defined flow. The management protocol ACL, blacklist, whitelist, and user-defined flow are configured with ACL rules. Packets matching the corresponding ACL rules are added to the blacklist, whitelist, or user-defined flow. The order in which packets are matched is specified by the process-sequence command. The default matching sequence is as follows: TCPSYN packets, packet fragments, dynamic link protection, whitelist, blacklist, and user-defined flow.

The seven parameters in the process-sequence { fragment-flood tcpsyn-flood dynamic-link-protection whitelist blacklist user-defined-flow management-acl } * command are mandatory. You can specify them as required.

The three parameters in the process-sequence { whitelist blacklist user-defined-flow } * command are mandatory. You can specify them as required.

Prerequisites

The management protocol ACL, whitelist, blacklist, and user-defined flow are configured with ACL rules.

In VS mode, this command is supported only by the admin VS.

Example

# Configure packets to be sent to the CPU to match against the TCPSYN packets, packet fragments, dynamic link protection, management protocol ACL, blacklist, whitelist, and user-defined flow in sequence in attack defense policy 8.
<HUAWEI> system-view
[~HUAWEI] cpu-defend policy 8
[*HUAWEI-cpu-defend-policy-8] process-sequence tcpsyn-flood fragment-flood dynamic-link-protection management-acl blacklist whitelist user-defined-flow
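
The following is an added example, not part of the original page or of Huawei's tooling: a Python audit that reads saved configuration text and reports, per attack defense policy, the configured match sequence, whether it differs from the default, and whether the mandatory keywords described under Usage Guidelines are all present exactly once. The indented configuration-file layout, the sample text, and the function names are assumptions made for illustration.

```python
import re

# Default match order as stated on this page.
DEFAULT_SEQUENCE = ["tcpsyn-flood", "fragment-flood", "dynamic-link-protection",
                    "management-acl", "whitelist", "blacklist", "user-defined-flow"]
SHORT_FORM = {"whitelist", "blacklist", "user-defined-flow"}  # three-keyword form on this page
POLICY_RE = re.compile(r"^cpu-defend policy (\d+)\s*$")

def check_sequence(args):
    """Return the problems found in one process-sequence keyword list."""
    problems = []
    unknown = [a for a in args if a not in DEFAULT_SEQUENCE]
    if unknown:
        problems.append("unknown keyword(s): " + ", ".join(unknown))
    dupes = sorted({a for a in args if args.count(a) > 1})
    if dupes:
        problems.append("repeated keyword(s): " + ", ".join(dupes))
    known = set(args) & set(DEFAULT_SEQUENCE)
    missing = [k for k in DEFAULT_SEQUENCE if k not in known]
    if missing and known != SHORT_FORM:
        problems.append("missing keyword(s): " + ", ".join(missing))
    return problems

def audit(config_text):
    """Map each cpu-defend policy number to its configured match sequence."""
    result, policy = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():      # unindented line opens a new view
            m = POLICY_RE.match(line)
            policy = m.group(1) if m else None
            args = DEFAULT_SEQUENCE           # a policy starts with the default order
        elif line.startswith(("process-sequence ", "undo process-sequence")):
            args = DEFAULT_SEQUENCE if line.startswith("undo") else line.split()[1:]
        else:
            continue
        if policy:
            result[policy] = {"sequence": list(args), "problems": check_sequence(args),
                              "is_default": args == DEFAULT_SEQUENCE}
    return result

# Constructed sample; the indented configuration-file layout is an assumption.
SAMPLE = """\
cpu-defend policy 8
 process-sequence tcpsyn-flood fragment-flood dynamic-link-protection management-acl blacklist whitelist user-defined-flow
cpu-defend policy 9
 process-sequence whitelist whitelist blacklist
cpu-defend policy 10
"""
```

Calling `audit(SAMPLE)` shows policy 8 as valid but non-default (blacklist is matched before whitelist), policy 9 with a repeated and several missing keywords, and policy 10 on the default sequence.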
Copyright © Huawei Technologies Co., Ltd.