Blocking WannaCry – Defense Solution for Huawei CE Series Switches

Guide to Defense Configuration on CE Series Switches

Note: Before the configuration, ensure that no service is using ports 135, 137, 139, 445, and 3389. Otherwise, the services are affected.

1. Configure an advanced ACL that is not in use on the device to match the destination ports to be protected. For example:

Acl 3000
 Rule  5 permit tcp destination-port eq 135
 Rule  10 permit udp destination-port eq 135
 Rule  15 permit tcp destination-port eq 137
 Rule  20 permit udp destination-port eq 137
 Rule  25 permit tcp destination-port eq 139
 Rule  30 permit udp destination-port eq 139
 Rule  35 permit tcp destination-port eq 445
 Rule  40 permit udp destination-port eq 445 

 Rule  45 permit tcp destination-port eq 3389 

 Rule  50 permit udp destination-port eq 3389

2. Configure a traffic classifier to match the ACL.
Traffic  classifier test
 if-match  acl 3000

3. Configure the traffic behavior to discard packets.
Traffic  behavior test
 deny

4. Configure a traffic policy.
Traffic  policy test
 classifier test behavior test

5. Apply the policy to the global inbound direction.
Traffic-policy  test global  inbound

6. Commit the configuration.
Commit

Note: Apply the policy to the inbound direction of the device. The outbound policy of the CE12800 that matches the IP addresses of traffic takes effect only on forwarded Layer 3 traffic.