security – a family of commands for configuring scanning and analysis of the contents of network traffic

security antivirus

Go to Anti-Virus configuration submenu.

security antivirus> [no] enable

Enable (or disable, if no) the Anti-Virus. Applied only after a restart of the solution.

security antivirus> [no] enable-mail

Enable (or disable, if no) the mail Anti-Virus. Applied only after a restart of the solution.

security antivirus> icap-client

Go to the ICAP client settings submenu.

security antivirus> icap-client> [no] enable

Enable (or disable, if no) the connection of the ICAP client to the server for Anti-Virus.

security antivirus> icap-client> server-ip <ip-address>

Set ICAP server IP address without mask or port.

security antivirus> icap-client> port <port>

Set ICAP server port.

security antivirus> icap-client> reqmod-service <service-name>

Set service for ICAP server requests. Example: for the URL icap://<host>:1344/av/reqmod, the service is av/reqmod.

security antivirus> icap-client> respmod-service <service-name>

Set service for ICAP server responses. Example: for the URL icap://<host>:1344/av/respmod, the service is av/respmod.

security antivirus> icap-client> [no] monitoring-mode

Enable (or disable, if no) monitoring mode. In monitoring mode objects are still sent to the ICAP server, but its responses are ignored and nothing is blocked on their basis. With monitoring mode disabled, the responses are analyzed and the decision to block the request is made from them.

security antivirus> icap-client> max-connections <number>

Set the maximum number of concurrent connections to the ICAP server. Possible values: 1 to 100 inclusive.
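The exchange the ICAP client settings above configure, as an added example (not code from the product or its vendor): an ICAP RESPMOD request carrying a downloaded HTTP object to a server at icap://<host>:1344/av/respmod, a parser for the server's answer, and the monitoring-mode decision rule described under monitoring-mode. The host name, the HTTP messages and both ICAP replies are constructed for the example; the X-Infection-Found header is the conventional way ICAP antivirus servers report a detection, not something this page specifies.

```python
"""ICAP RESPMOD exchange of the kind the Anti-Virus ICAP client performs.
Added example, not product code. The host, port 1344 and service path av/respmod
follow the CLI reference; the HTTP messages and ICAP replies below are constructed."""
import re
import socket

CRLF = b"\r\n"


def build_respmod_request(host: str, port: int, service: str,
                          http_req_hdr: bytes, http_res_hdr: bytes,
                          body: bytes) -> bytes:
    """Wrap an HTTP request header, response header and response body in an
    ICAP RESPMOD request (RFC 3507 section 4.9). Encapsulated lists the byte
    offset of each part inside the ICAP body; the HTTP body is chunk-encoded."""
    res_hdr_off = len(http_req_hdr)
    body_off = res_hdr_off + len(http_res_hdr)
    icap_hdr = CRLF.join([
        f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0".encode(),
        f"Host: {host}:{port}".encode(),
        b"Allow: 204",  # let the server answer 204 (unmodified) instead of echoing the object
        f"Encapsulated: req-hdr=0, res-hdr={res_hdr_off}, res-body={body_off}".encode(),
        b"", b"",
    ])
    chunked = f"{len(body):x}".encode() + CRLF + body + CRLF + b"0" + CRLF + CRLF
    return icap_hdr + http_req_hdr + http_res_hdr + chunked


def parse_icap_response(raw: bytes):
    """Return (status code, lower-cased ICAP headers). Only the ICAP envelope is
    parsed; an encapsulated HTTP message after the blank line is left alone."""
    head, _, _ = raw.partition(CRLF + CRLF)
    status_line, *hdr_lines = head.split(CRLF)
    m = re.match(rb"ICAP/1\.0 (\d{3})", status_line)
    if not m:
        raise ValueError(f"not an ICAP status line: {status_line!r}")
    headers = {}
    for line in hdr_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return int(m.group(1)), headers


def verdict(status: int, monitoring_mode: bool) -> str:
    """Turn the ICAP answer into the decision this page describes.
    With monitoring-mode on, the answer is ignored and traffic always passes.
    Otherwise 204 (no modification) means the object is clean and passes;
    200 means the server replaced the response, normally with a block page
    plus an X-Infection-Found / X-Violations-Found header, so the object is
    blocked. Other codes are server or transport failures; whether those fail
    open or closed is not stated on the page, so they are reported separately."""
    if monitoring_mode:
        return "allow"
    if status == 204:
        return "allow"
    if status == 200:
        return "block"
    return "error"


def exchange(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Send one ICAP request over TCP and read until the ICAP header block is
    complete or the server closes. Useful for checking that a service path such
    as av/respmod really answers before enabling it on the NGFW."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        data = b""
        while CRLF + CRLF not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data


# Constructed sample traffic and ICAP replies (not captured from a real server).
HTTP_REQ = b"GET /download/setup.exe HTTP/1.1\r\nHost: files.example.test\r\n\r\n"
HTTP_RES = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: 5\r\n\r\n")
BODY = b"hello"
REPLY_CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "av-db-2024"\r\n\r\n'
REPLY_INFECTED = (
    b'ICAP/1.0 200 OK\r\nISTag: "av-db-2024"\r\n'
    b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
    b"Encapsulated: res-hdr=0, res-body=51\r\n\r\n"
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    req = build_respmod_request("icap.example.test", 1344, "av/respmod",
                                HTTP_REQ, HTTP_RES, BODY)
    print(req.decode(errors="replace"))
    for reply in (REPLY_CLEAN, REPLY_INFECTED):
        code, hdrs = parse_icap_response(reply)
        print(code, hdrs.get("x-infection-found", "-"),
              "monitoring:", verdict(code, True), "enforcing:", verdict(code, False))
```

To probe a real server, pass the output of build_respmod_request to exchange with the server-ip and port configured above; a 204 or 200 from the service path confirms that reqmod-service/respmod-service point at an existing service, while an ICAP 404 means the path is wrong. Note that the example takes the Allow: 204 shortcut; a server that does not honour it answers 200 with the unmodified object, which this simple verdict function would wrongly read as a block, so production clients compare the encapsulated response as well.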

security antivirus> profile <name>

Go to the configuration submenu of profile with name <name>.

security antivirus> (no profile <name>|no security antivirus profile <name>)

Delete profile with name <name>.

security antivirus> profile=['name']> rename <name>

Set new name <name> for this profile.

security antivirus> profile=['name']> description <description>

Set description for profile. Spaces not allowed.

security antivirus> profile=['name']> action (allow|block-stub|block|reset)

Set the action for HTTP traffic in this profile (applies to verdicts of Light AV, the hash checker, and of Object Anti-Virus).

security antivirus> profile=['name']> action-imap (allow|block|reset)

Set action for profile with imap mail protocol support.

security antivirus> profile=['name']> action-pop3 (allow|block|reset)

Set action for profile with pop3 mail protocol support.

security antivirus> profile=['name']> action-smtp (allow|block|reset)

Set action for profile with smtp mail protocol support.

security antivirus> profile=['name']> action-ftp (allow|block|reset)

Set action for profile with FTP protocol support.

security antivirus> profile=['name']> action-web-socket (allow|block|reset)

Set action for profile with WebSocket protocol support.

security antivirus> profile=['name']> protocols

Go to the protocol selection submenu for a profile.

security antivirus> profile=['name']> protocols> [no] use-http

Enable (or disable, if no) scanning of HTTP traffic.

security antivirus> profile=['name']> protocols> [no] use-imap

Enable (or disable, if no) scanning of IMAP traffic.

security antivirus> profile=['name']> protocols> [no] use-pop3

Enable (or disable, if no) scanning of POP3 traffic.

security antivirus> profile=['name']> protocols> [no] use-smtp

Enable (or disable, if no) scanning of SMTP traffic.

security antivirus> profile=['name']> protocols> [no] use-ftp

Enable (or disable, if no) scanning of FTP traffic.

security antivirus> profile=['name']> protocols> [no] use-websocket

Enable (or disable, if no) scanning of WebSocket traffic.

security antivirus> profile=['name']> [no] logging

Enable (or disable, if no) logging for all actions.

security antivirus> profile=['name']> url-ksn-reputation

Go to KSN configuration submenu.

security antivirus> profile=['name']> url-ksn-reputation> [no] use-url-reputation

Enable (or disable, if no) URL reputation checking against the list of addresses from KSN.

security antivirus> profile=['name']> url-ksn-reputation> ksn-check-url adware

Enable the KSN URL reputation check for the advertising (adware) category: URLs are checked for belonging to advertising resources.

security antivirus> profile=['name']> url-ksn-reputation> ksn-check-url other

Enable the KSN URL reputation check for the "other" category: URLs are checked for belonging to resources not included in any other category.

security antivirus> profile=['name']> [no] use-web-checker

Enable (or disable, if no) the Object Anti-Virus.

security antivirus> profile=['name']> [no] use-icap-client

Enable (or disable, if no) the sending of objects to the ICAP server for Object Anti-Virus.

security antivirus> profile=['name']> [no] use-hash-checker

Enable (or disable, if no) Light AV (hash-based checking of transmitted objects).

security antivirus> profile=['name']> [no] use-mail-checker

Enable (or disable, if no) the mail checker (scanning of objects in mail traffic) for this profile.

security antivirus> profile=['name']> [no] use-kata

Enable (or disable, if no) object scanning using KATA.

security antivirus> profile=['name']> [no] logging-kata-scan-events

Enable (or disable, if no) logging of events when objects are sent for scanning to KATA.

security antivirus> profile=['name']> web-checker-settings

Go to the web-checker configuration submenu.

security antivirus> profile=['name']> web-checker-settings> max-file-size <bytes>

Set maximum file size for scanning in web-checker.

security antivirus> profile=['name']> kata-file-filter

Go to the KATA file security rule submenu.

security antivirus> profile=['name']> kata-file-filter> [no] only-suspicious

Enable (or disable, if no) processing of suspicious files only.

security antivirus> file-name-filter

Go to the configuration submenu of security rules filtering by names of transmitted files.

security antivirus> file-name-filter> [no] enable

Enable (or disable, if no) filtering by names of transmitted files.

security antivirus> file-name-filter> action (allow|block)

Set the default action.

security antivirus> file-name-filter> rule <name>

Add a new security rule or open an existing rule for editing.

security antivirus> file-name-filter> rule=['<name>']> rename <str>

Set new name <str> for this security rule.

security antivirus> file-name-filter> rule=['<name>']> [no] enable

Enable (or disable, if no) rule.

security antivirus> file-name-filter> rule=['<name>']> pattern <text>

Set regular expression describing file names to be filtered. For example, to block all exe files that contain numbers in names, you can use the following regular expression: \d.*\.exe$. The regular expression must comply with the ECMAScript 3 syntax.

security antivirus> file-name-filter> rule=['<name>']> action (allow|block)

Set action for security rule.

security antivirus> file-name-filter> rule=['<name>']> priority <priority>

Set priority for security rule. Higher-priority rules are executed earlier.

security antivirus> file-name-filter> rule=['<name>']> description <text>

Set security rule description. Spaces not allowed.

security antivirus> mime-type-filter

Go to the configuration submenu of security rules filtering by MIME types of transmitted files.

security antivirus> mime-type-filter> [no] enable

Enable (or disable, if no) filter by MIME types of transmitted files.

security antivirus> mime-type-filter> action (allow|block)

Set the default action.

security antivirus> mime-type-filter> rule <name>

Add a new security rule or open an existing rule for editing.

security antivirus> mime-type-filter> rule=['<name>']> rename <str>

Set new name <str> for this security rule.

security antivirus> mime-type-filter> rule=['<name>']> [no] enable

Enable (or disable, if no) rule.

security antivirus> mime-type-filter> rule=['<name>']> pattern <text>

Set regular expression describing filtered MIME types (for example, ^application/json$). For example, to block all zip and gzip files, you can use the following regular expression: ^application/g?zip. The regular expression must comply with the ECMAScript 3 syntax.

security antivirus> mime-type-filter> rule=['<name>']> action (allow|block)

Set action for security rule.

security antivirus> mime-type-filter> rule=['<name>']> priority <priority>

Set priority for security rule. Higher-priority rules are executed earlier.

security antivirus> mime-type-filter> rule=['<name>']> description <text>

Set security rule description. Spaces not allowed.
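The rule evaluation that the file-name-filter and mime-type-filter submenus above describe, as an added example (not code from the product or its vendor): rules are tried in descending priority, the first enabled rule whose pattern matches decides, and the filter's default action applies when nothing matches. The example uses the page's own patterns plus a few constructed rules and file names. Two points are assumptions, since the page does not state them: a pattern is searched anywhere in the name unless anchored with ^ or $ (the page's examples anchor only where needed), and equal priorities keep configuration order. Python's re module stands in for the ECMAScript 3 engine; for these patterns the dialects agree, and re.ASCII keeps \d meaning [0-9] as in ECMAScript.

```python
"""How file-name-filter and mime-type-filter rules are evaluated, as this page
describes them. Added example, not product code. Assumptions: a pattern is
searched anywhere in the value unless anchored with ^/$, and ties in priority
keep configuration order (the page defines neither). Python's re is used in
place of the ECMAScript 3 engine; for these patterns the dialects agree, and
re.ASCII keeps \\d meaning [0-9] as it does in ECMAScript."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str
    action: str        # allow | block
    priority: int = 0  # higher runs earlier
    enabled: bool = True


class Filter:
    def __init__(self, default_action: str, rules):
        if default_action not in ("allow", "block"):
            raise ValueError(default_action)
        self.default_action = default_action
        # sorted() is stable, so equal priorities keep their original order
        self.rules = sorted(rules, key=lambda r: r.priority, reverse=True)
        self._compiled = {r.name: re.compile(r.pattern, re.ASCII) for r in self.rules}

    def decide(self, value: str):
        """Return (action, rule name); rule name is None when the default applied."""
        for rule in self.rules:
            if rule.enabled and self._compiled[rule.name].search(value):
                return rule.action, rule.name
        return self.default_action, None


# file-name-filter: default allow, block numbered .exe files, but let the
# corporate installer through via a higher-priority allow rule (constructed rules).
FILE_FILTER = Filter("allow", [
    Rule("numbered-exe", r"\d.*\.exe$", "block", priority=10),
    # Regex matching is case-sensitive. ECMAScript 3 has no inline (?i) flag and
    # the CLI takes only the pattern, so spell the alternative cases out.
    Rule("numbered-exe-anycase", r"\d.*\.[Ee][Xx][Ee]$", "block", priority=10),
    Rule("corp-installer", r"^corp-agent-\d+\.exe$", "allow", priority=20),
    Rule("disabled-block-all", r".*", "block", priority=99, enabled=False),
])

# mime-type-filter: default allow, block zip and gzip archives (page's pattern).
MIME_FILTER = Filter("allow", [
    Rule("archives", r"^application/g?zip", "block"),
    Rule("json", r"^application/json$", "allow"),
])

if __name__ == "__main__":
    for name in ("setup1.exe", "setup1.EXE", "corp-agent-42.exe", "readme.txt"):
        print(f"{name:20} -> {FILE_FILTER.decide(name)}")
    for mime in ("application/zip", "application/gzip",
                 "application/x-zip-compressed", "application/json"):
        print(f"{mime:30} -> {MIME_FILTER.decide(mime)}")
```

Two things the run makes visible: the page's \d.*\.exe$ pattern does not match setup1.EXE, so a second rule (or a pattern with explicit character classes) is needed if upper-case extensions matter; and ^application/g?zip blocks application/zip and application/gzip but not the application/x-zip-compressed alias that some clients send, so a MIME rule should list the aliases it intends to cover. A disabled rule never fires even at the highest priority.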

security antivirus> http-methods-filter

Go to the submenu for settings of security rules for filtering traffic by HTTP methods.

security antivirus> http-methods-filter> [no] enable

Enable (or disable, if no) the traffic filter by HTTP methods.

security antivirus> http-methods-filter> [no] block-http-methods (connect|delete|get|head|options|post|put|trace) [(connect|delete|get|head|options|post|put|trace) ...]

Enable (or disable, if no) the blocking of HTTP methods. This command accepts a space-delimited list of methods.

Example:

ngfw> security antivirus> http-methods-filter> block-http-methods get post

security antivirus> web-checker-settings> [no] scan-archives

Enable (or disable, if no) archive scanning.

security antivirus> profile=['name']> trusted-urls <URL>

Add a trusted URL.

security antivirus> profile=['name']> clone <new-profile-name>

Copy this Anti-Virus profile to a new profile named <new-profile-name>.

security dns

Go to the DNS Security configuration submenu.

security dns> [no] enable

Enable (or disable, if no) DNS Security. Applied only after a restart of the solution.

security dns> profile <name>

Go to configuration submenu of profile with name <name>.

security dns> (no profile <name>|no security dns profile <name>)

Delete profile with name <name>.

security dns> profile=['name']> rename <name>

Set new name <name> for this profile.

security dns> profile=['name']> description <description>

Set description for profile. Spaces not allowed.

security dns> profile=['name']> action (reset|allow|block|redirect)

Set action for profile: reset, allow, block, or redirect (respond with the address set by redirect-ip).

security dns> profile=['name']> redirect-ip <IP>

Set IP address for redirect action.

security dns> profile=['name']> clone <new-profile-name>

Copy this profile to a new profile named <new-profile-name>.

security idps

Go to the Intrusion Detection and Prevention System (IDPS) configuration submenu.

security idps> [no] enable

Enable (or disable, if no) IDPS. Applied only after a restart of the solution.

security idps> portsscan-enabled (enabled|disabled)

Enable or disable port scan detection.

security idps> portsscan (allow|block)

Set port scanning action.

security idps> [no] portsscan-logging

Enable (or disable, if no) logging port scans.

security idps> portsscan-events-rate <sec>

Set minimum interval in seconds for port scan event logging.

security idps> [no] portsscan-packet-capture

Enable (or disable, if no) packet capture during port scans.

security idps> profile <name>

Go to configuration submenu of profile with name <name>.

security idps> (no profile <name>|no security idps profile <name>)

Delete profile with name <name>.

security idps> profile=['name']> rename <name>

Set new name <name> for this profile.

security idps> profile=['name']> description <description>

Set description for profile. Spaces not allowed.

security idps> profile=['name']> action (allow|block|reset)

Select action for profile (action to be applied to traffic if a threat is detected).

security idps> profile=['name']> [no] packet-capture

Enable (or disable, if no) packet capture for profile.

security idps> profile=['name']> [no] logging

Enable (or disable, if no) the custom event logging when the profile is triggered.

security idps> profile=['name']> no exclusion-rule <name>

Remove exclusion rule from current profile.

security idps> profile=['name']> exclusion-rule <name>

Add new exclusion rule to profile or open existing exclusion rule for editing. At least one of the sid, priority, vuln-type, tactic, or technique fields of the exclusion rule must be set.

security idps> profile=['name']> exclusion-rule=['<name>']> rename <str>

Set new name <str> for this exclusion rule.

security idps> profile=['name']> exclusion-rule=['<name>']> action (allow|block)

Set action for exclusion rule (action to be applied to traffic when a matching signature is detected).

security idps> profile=['name']> exclusion-rule=['<name>']> [no] logging

Enable (or disable, if no) custom event logging at the exclusion rule level.

security idps> profile=['name']> exclusion-rule=['<name>']> [no] sid <number>

Set (or remove, if no) the unique signature ID (SID) that the exclusion rule applies to.

security idps> profile=['name']> exclusion-rule=['<name>']> [no] priority (low|medium|high)

Set (or remove, if no) the signature severity that the exclusion rule applies to.

security idps> profile=['name']> exclusion-rule=['<name>']> [no] vuln-type <str>

Set (or remove, if no) the vulnerability or threat type that the exclusion rule applies to.

Signatures are filtered by their 'vuln type', the part of the signature message up to the first period, rather than by 'classtype'. For example, the message HackTool.BindTaskSchedulerService.ATSVC.C&C has the vuln type HackTool, and Exploit.CVE-2018-1111.DHCP.C&C has the vuln type Exploit.

security idps> profile=['name']> exclusion-rule=['<name>']> [no] tactic <str>

Set (or remove, if no) the MITRE ATT&CK tactic that the exclusion rule applies to.

security idps> profile=['name']> exclusion-rule=['<name>']> [no] technique <str>

Set (or remove, if no) the MITRE ATT&CK technique that the exclusion rule applies to.

security idps> profile=['name']> clone <new-profile-name>

Copy this profile to a new profile named <new-profile-name>.

security kata

Go to Kaspersky Anti Targeted Attack Platform (KATA) configuration submenu.

security kata> enable

Enable the sending of files being scanned to KATA for scanning.

security kata> no enable

Disable the sending of files being scanned to KATA for scanning.

security kata> sensor-id <sensor-id>

Set KATA sensor ID.

security kata> generate-sensor-id

Generate unique KATA sensor ID.

security kata> [no] client-certificate <certificate>

Set (or remove, if no) the client certificate in PEM format. Together with client-private-key it authenticates the solution to the KATA server.

security kata> [no] client-private-key <key>

Set (or delete, if no) client private key in PEM format.

security kata> primary-server

Go to configuration submenu of primary KATA server connection.

security kata> primary-server> [no] host <host>

Set (or remove, if no) primary KATA server address.

security kata> primary-server> port <port>

Set primary KATA server port. By default, 443.

security kata> primary-server> [no] certificate <certificate>

Set (or remove, if no) the primary KATA server certificate in PEM format, used to verify the server's identity when connecting.

security kata> reserved-server <id>

Go to the configuration submenu of the reserved KATA server connection with identifier <id>. From 1 to 3 reserved servers can be configured.

security kata> reserved-server=['id']> [no] host <host>

Set (or remove, if no) reserved KATA server address.

security kata> reserved-server=['id']> port <port>

Set reserved KATA server port. By default, 443.

security kata> reserved-server=['id']> [no] certificate <certificate>

Set (or remove, if no) the reserved KATA server certificate in PEM format, used to verify the server's identity when connecting.

security kata> no reserved-server <id>

Remove the connection settings of the reserved KATA server with identifier <id>.

security kata> outgoing-queue

Go to the settings submenu for the queue of objects awaiting transmission to the KATA server.

security kata> outgoing-queue> max-waiting-time <seconds>

Set the maximum waiting time for objects in the transmission queue, in seconds. Possible values: 1 to 86400 inclusive.

security kata> outgoing-queue> no max-waiting-time

Remove the maximum waiting time for objects in the transmission queue.

security urls-groups

Go to web category configuration submenu.

security urls-groups> name <name>

Go to the configuration submenu of category with name <name>.

security urls-groups> no name <name>

Delete category with name <name>.

security urls-groups> name=['name']> rename <name>

Set new name <name> for this category.

security urls-groups> name=['name']> description <description>

Set description for category. Spaces are not allowed.

security urls-groups> name=['name']> urls <URL>

Add a URL to the category. Spaces not allowed.

security urls-groups> name=['name']> no urls <URL>

Remove a URL from the category. Spaces not allowed.

security web-control

Go to Web Control configuration submenu.

security web-control> [no] enable

Enable (or disable, if no) Web Control. Applied only after a restart of the solution.

security web-control> profile <name>

Go to configuration submenu of profile with name <name>.

security web-control> (no profile <name>|no security web-control profile <name>)

Delete profile with name <name>.

security web-control> profile=['name']> rename <name>

Set new name <name> for this profile.

security web-control> profile=['name']> description <description>

Set description for profile. Spaces not allowed.

security web-control> profile=['name']> default-action (allow|block-stub|continue-stub)

Set default action for profile: allow, show blocking page (block-stub), or show warning page (continue-stub).

security web-control> profile=['name']> [no] default-logging

Enable (or disable, if no) logging by default for profile.

security web-control> profile=['name']> url (both|ksn|local|none)

Set URL scanning mode for profile: the source used to categorize URLs, that is the local category database (local), KSN (ksn), both, or none.

security web-control> profile=['name']> predefined-category <name>

Select a predefined category (see show security web-control predefined-categories) and go to its settings submenu for this profile. Spaces are not allowed.

security web-control> profile=['name']> predefined-category=['name']> action (allow|block-stub|continue-stub)

Set action for predefined category: allow, show blocking page (block-stub), or show warning page (continue-stub).

security web-control> profile=['name']> predefined-category=['name']> [no] logging

Enable (or disable, if no) logging for predefined category.

security web-control> profile=['name']> custom-category <name>

Select a custom category (a web category from security urls-groups) and go to its settings submenu for this profile. Spaces not allowed.

security web-control> profile=['name']> custom-category=['name']> action (allow|block-stub|continue-stub)

Set action for custom category: allow, show blocking page (block-stub), or show warning page (continue-stub).

security web-control> profile=['name']> custom-category=['name']> [no] logging

Enable (or disable, if no) logging for custom category.

security web-control> profile=['name']> trusted-urls-category <name>

Mark a web category (from security urls-groups) as trusted for this profile. Spaces are not allowed.

security web-control> profile=['name']> trusted-urls <URL>

Set trusted URL for profile. Spaces not allowed.

security web-control> profile=['name']> [no] logging-trusted

Enable (or disable, if no) exclusion event logging when a URL is trusted.

security web-control> profile=['name']> clone <new-profile-name>

Copy this profile to a new profile named <new-profile-name>.

show security (antivirus|dns|idps|web-control) status

Show status information for Anti-Virus|DNS Security|IDPS|Web Control.

Example output:

ngfw> show security antivirus status
{
  "ngfw-antivirus:antivirus": {
    "state": true,
    "enable": true,
    "enable-mail": true,
    "profile": [
      {
        "id": "00000000-0000-4000-0000-000000000001",
        "name": "default",
        "use-hash-checker": true,
        "use-mail-checker": true,
        "use-web-checker": false,
        "use-icap-client": false,
        "use-kata": false,
        "use-file-reputation": false,
        "use-url-reputation": false,
        "use-file-name-filter": false,
        "use-mime-type-filter": false,
        "ksn-check-url-adware": false,
        "ksn-check-url-other": false,
        "use-block-partial-content": false,
        "action": "block-stub",
        "action-imap": "block",
        "action-pop3": "block",
        "action-smtp": "block",
        "logging": true,
        "description": "Default profile",
        "logging-trusted": true,
        "logging-kata-scan-events": true,
        "protocols": {
          "use-http": true,
          "use-imap": true,
          "use-pop3": true,
          "use-smtp": true,
          "use-ftp": false,
          "use-websocket": false
        },
        "web-checker-settings": {
          "max-file-size": 10485760
        },
        "kata-file-filter": {
          "only-suspicious": false
        }
      }
    ]
  }
}
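A consistency check over the status output shown above, as an added example (not code from the product or its vendor). It parses the JSON that show security antivirus status returns and reports combinations that the command descriptions on this page suggest are not what an administrator intends: a protocol enabled in protocols while no checker covers it, use-icap-client without Object Anti-Virus, an action of allow for an enabled protocol, or logging off. The checks are this example's own heuristics, not vendor rules. The sample JSON is the page's default profile, trimmed to the keys used, plus a constructed second profile named lab with deliberately weak settings.

```python
"""Consistency audit of `show security antivirus status` output. Added example,
not product code: the checks are this example's own heuristics, derived from the
command descriptions on this page, not vendor rules. The JSON below is the page's
default profile (trimmed) plus a constructed second profile ("lab")."""
import json

STATUS_JSON = r'''
{
  "ngfw-antivirus:antivirus": {
    "state": true, "enable": true, "enable-mail": true,
    "profile": [
      {
        "id": "00000000-0000-4000-0000-000000000001", "name": "default",
        "use-hash-checker": true, "use-mail-checker": true,
        "use-web-checker": false, "use-icap-client": false, "use-kata": false,
        "action": "block-stub", "action-imap": "block", "action-pop3": "block",
        "action-smtp": "block", "logging": true,
        "protocols": {"use-http": true, "use-imap": true, "use-pop3": true,
                      "use-smtp": true, "use-ftp": false, "use-websocket": false}
      },
      {
        "id": "00000000-0000-4000-0000-000000000002", "name": "lab",
        "use-hash-checker": false, "use-mail-checker": false,
        "use-web-checker": false, "use-icap-client": true, "use-kata": false,
        "action": "allow", "action-imap": "block", "action-pop3": "block",
        "action-smtp": "block", "logging": false,
        "protocols": {"use-http": true, "use-imap": true, "use-pop3": false,
                      "use-smtp": false, "use-ftp": false, "use-websocket": false}
      }
    ]
  }
}
'''

# protocol switch in "protocols" -> the action key that governs that protocol
ACTION_KEYS = {"use-http": "action", "use-imap": "action-imap",
               "use-pop3": "action-pop3", "use-smtp": "action-smtp",
               "use-ftp": "action-ftp", "use-websocket": "action-web-socket"}


def audit_profile(p: dict) -> list:
    """Return a list of findings (empty when the profile looks consistent)."""
    findings = []
    protos = p.get("protocols", {})
    if protos.get("use-http") and not (p.get("use-hash-checker") or p.get("use-web-checker")):
        findings.append("use-http is on but neither Light AV (use-hash-checker) "
                        "nor Object Anti-Virus (use-web-checker) is enabled")
    if any(protos.get(k) for k in ("use-imap", "use-pop3", "use-smtp")) \
            and not p.get("use-mail-checker"):
        findings.append("a mail protocol is on but use-mail-checker is off")
    if p.get("use-icap-client") and not p.get("use-web-checker"):
        findings.append("use-icap-client is on but Object Anti-Virus (use-web-checker) is off")
    for switch, key in ACTION_KEYS.items():
        if protos.get(switch) and p.get(key) == "allow":
            findings.append(f"{switch[4:]}: {key} is allow, detections do not block traffic")
    if not p.get("logging"):
        findings.append("logging is off, detections leave no event")
    return findings


def audit(status_json: str) -> dict:
    """Map profile name -> findings; '_global' carries module-level findings."""
    av = json.loads(status_json)["ngfw-antivirus:antivirus"]
    report = {}
    if not av.get("enable"):
        report["_global"] = ["Anti-Virus is disabled"]
    for p in av["profile"]:
        report[p["name"]] = audit_profile(p)
    return report


if __name__ == "__main__":
    for name, findings in audit(STATUS_JSON).items():
        print(f"{name}: {'ok' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run against a live box, feed it the raw output of show security antivirus status; the default profile passes every check, while the constructed lab profile produces five findings. The action check treats allow as a conscious detect-only choice and only flags it so it is visible, since the page describes allow as a legitimate per-protocol action.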

show security (antivirus|dns|idps|web-control) settings

Show information about all Anti-Virus|DNS Security|IDPS|Web Control profiles.

Example output:

ngfw> show security antivirus settings

 Profile            Description        use-url-reputation    use-web-checker    check-url-malware    check-url-phishing    ksn-check-url-adware    ksn-check-url-malware    ksn-check-url-other    ksn-check-url-phishing    http-action
 -----------------  -----------------  --------------------  -----------------  -------------------  --------------------  ----------------------  -----------------------  ---------------------  ------------------------  -------------
  default                               false                 false              false                false                 false                   false                    false                  false                     block-stub
 -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ngfw> show security dns settings

 Profile            Description        check-malware    check-phishing    action
 -----------------  -----------------  ---------------  ----------------  ------------
  default                               true             true              block
 -------------------------------------------------------------------------------------

ngfw> show security idps settings

 Profile            Description        action
 -----------------  -----------------  ------------
  default                               reset-both
 --------------------------------------------------

ngfw> show security web-control settings

 Profile            Description        Default-action        default-log-enable   Url                  Content               Predefined      Custom      Trusted
 -----------------  -----------------  --------------------  -------------------  -------------------  --------------------  --------------  ----------  -----------
  default                               block-stub            true                local                none                  88              0           0
 -------------------------------------------------------------------------------------------------------------------------------------------------------------------

show security (antivirus|dns|idps|web-control) profile <name>

Show profile information for Anti-Virus|DNS Security|IDPS|Web Control profile with name <name>.

show security urls-groups

Show information about all web categories.

Example output:

ngfw> show security urls-groups

 Name               Description        Urls
 -----------------  -----------------  -----------------
  test                                  test.com
 -------------------------------------------------------

show security web-control predefined-categories

Show names of all predefined categories.

Example output:

ngfw> show security web-control predefined-categories

       Categories
 ----  -------------------------------------
 1     adult
 .................................
 88    forbidden-by-regional-laws
 -------------------------------------------

security-group-profiles

Go to group profile configuration submenu.

security-group-profiles> profile <name>

Go to configuration submenu of profile with name <name>.

security-group-profiles> (no profile <name>|no security-group-profiles profile <name>)

Delete profile with name <name>.

security-group-profiles> profile=['name']> description <description>

Set description for profile. Spaces not allowed.

security-group-profiles> profile=['name']> rename <name>

Set new name <name> for this profile.

security-group-profiles> profile=['name']> av-profile <name>

Assign the Anti-Virus profile <name> to this group profile. Spaces not allowed.

security-group-profiles> profile=['name']> no av-profile

Remove the Anti-Virus profile from this group profile.

security-group-profiles> profile=['name']> dns-profile <name>

Assign the DNS Security profile <name> to this group profile. Spaces not allowed.

security-group-profiles> profile=['name']> no dns-profile

Remove the DNS Security profile from this group profile.

security-group-profiles> profile=['name']> idps-profile <name>

Assign the IDPS profile <name> to this group profile. Spaces not allowed.

security-group-profiles> profile=['name']> no idps-profile

Remove the IDPS profile from this group profile.

security-group-profiles> profile=['name']> wc-profile <name>

Assign the Web Control profile <name> to this group profile. Spaces not allowed.

security-group-profiles> profile=['name']> no wc-profile

Remove the Web Control profile from this group profile.

security-group-profiles> profile=['name']> clone <new-profile-name>

Copy this group profile to a new profile named <new-profile-name>.

show security-group-profiles settings

Show information about all group profiles.

show security-group-profiles profile <name>

Show information about group profile with name <name>.

Example output:

{
  "ngfw-security-group-profiles:security-group-profiles": {
    "profile": [
      {
        "id": "00000000-0000-4000-0000-000000000001",
        "name": "default",
        "av-profile": "00000000-0000-4000-0000-000000000001",
        "dns-profile": "00000000-0000-4000-0000-000000000001",
        "ids-profile": "00000000-0000-4000-0000-000000000001",
        "wc-profile": "00000000-0000-4000-0000-000000000001",
        "description": "Default profile"
      }
    ]
  }
}
