Configure a blacklist of an AR router

A blacklist can be manually configured. After the address scan and port scan functions of the attack defense module are enabled on an AR router, an IP address (or an interface) for which the packet rate exceeds a set value can be automatically added into a blacklist to shield packets sent from this IP address (or through this interface) as the router considers the rate excess as a scan attack.
To configure a blacklist, do as follows:
Run the system-view command to access the system view.
[Huawei] firewall blacklist enable //Enable the blacklist function. By default, the blacklist function is not enabled.
Blacklist entries can be added one by one or in batches.
[Huawei] firewall blacklist ip-address [ vpn-instance vpn-instance-name ] [ expire-time minutes ] //Add blacklist entries one by one.
Note: Blacklist entries without specified aging time will be written into a configuration file, while those with specified aging time will not. Run the display firewall blacklist command to check the blacklist entries without specified aging time.
[Huawei] firewall black-white-list load configuration-file configuration-file-name //Load the configuration file of the blacklist/whitelist.
Note: By loading the configuration file of the blacklist/whitelist, blacklist entries can be configured in batches. This configuration file must be configured in advance, and it supports only the text format.
For details about how to configure the blacklist function of AR series routers using command lines and through the web NMS, see the URL: AR router configuration blacklist.

Scroll to top