11-Security Configuration Guide


Configuring object policies

Overview

An object policy is a set of rules for security control over packets between a source and a destination security zone. These two zones define a zone pair. The object policy matches the first packet of a traffic flow against the rules. If a match is found, the device stops the match process and takes the action defined in the rule over the packet and all subsequent packets of the flow.

For more information about zone pair and security zone configuration, see Fundamentals Configuration Guide.

Object policy rules

An object policy contains one or multiple rules. Each object policy rule is a permit, deny, or DPI statement for identifying traffic based on criteria such as the source IP address, destination IP address, and service type. The identified packets are processed based on actions stated in the rules.

Rule numbering

Each rule is uniquely identified by an ID. The rule ID can be manually configured or automatically assigned by the system when you create the rule. In automatic rule numbering, the system assigns the rule the next integer after the greatest ID in use. For example, if the greatest ID is 60000, the system automatically assigns 60001. If the greatest ID is 65534, the system assigns the smallest unused rule ID to the rule.

Rule match order

The system matches packets against rules in the order the rules were configured. The match process stops when a match is found. You can use the display this command in zone pair view to check the rule configuration order. You can use the move rule command in object policy view to change the rule configuration order.
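A small Python model of the rule numbering and first-match behaviour described in the two sections above. This is an added example, not H3C code; it assumes rule IDs start at 0 (the page only gives the upper bound of 65534), represents address object groups as sets of CIDR strings and service object groups as sets of "proto/port" strings, and models the move rule command as a reorder of the rule list.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_RULE_ID = 65534  # greatest rule ID, per the numbering section above
MIN_RULE_ID = 0      # assumption: smallest assignable rule ID

@dataclass
class Rule:
    rule_id: int
    action: str                       # "pass", "drop" or "inspect"
    source_ip: Optional[str] = None   # object group name; None means "any"
    destination_ip: Optional[str] = None
    service: Optional[str] = None

@dataclass
class ObjectPolicy:
    name: str
    rules: list = field(default_factory=list)  # configuration order == match order

    def add_rule(self, action, rule_id=None, **criteria):
        used = {r.rule_id for r in self.rules}
        if rule_id is None:                    # automatic numbering
            greatest = max(used, default=MIN_RULE_ID - 1)
            if greatest < MAX_RULE_ID:
                rule_id = greatest + 1         # greatest 60000 -> 60001
            else:                              # 65534 in use: smallest unused ID
                rule_id = next(i for i in range(MIN_RULE_ID, MAX_RULE_ID + 1) if i not in used)
        elif rule_id in used:
            raise ValueError(f"rule {rule_id} already exists in {self.name}")
        self.rules.append(Rule(rule_id, action, **criteria))
        return rule_id

    def move_rule(self, rule_id, before_id):   # models: move rule rule-id before insert-rule-id
        rule = next(r for r in self.rules if r.rule_id == rule_id)
        self.rules.remove(rule)
        idx = next(i for i, r in enumerate(self.rules) if r.rule_id == before_id)
        self.rules.insert(idx, rule)

    def match(self, pkt, groups):              # first hit wins: (rule_id, action) or None
        for r in self.rules:
            if all(_criterion_hits(f, getattr(r, f), pkt[f], groups)
                   for f in ("source_ip", "destination_ip", "service")):
                return r.rule_id, r.action
        return None

def _criterion_hits(field_name, group_name, value, groups):
    if group_name is None:
        return True                            # no object group given: matches any packet
    members = groups.get(group_name)
    if members is None:
        return False                           # nonexistent object group never matches
    if field_name == "service":
        return value in members                # e.g. "tcp/80"
    return any(ip_address(value) in ip_network(cidr) for cidr in members)
```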

Object policy configuration task list

Tasks at a glance

(Required.) Creating object policies:

·     Creating an IPv4 object policy

·     Creating an IPv6 object policy

(Required.) Configuring object policy rules:

·     Configuring an IPv4 object policy rule

·     Configuring an IPv6 object policy rule

(Required.) Applying object policies to zone pairs

(Optional.) Changing the rule match order

(Optional.) Enabling rule matching acceleration

 

Configuration prerequisites

Before configuring an object policy, complete the following tasks:

·     Create the MDC (see Virtual Technologies Configuration Guide).

·     Configure time ranges (see ACL and QoS Configuration Guide).

·     Configure IPv4 address objects, IPv6 address objects, and service objects (see "Configuring object groups").

Creating object policies

Creating an IPv4 object policy

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter MDC system view.

switchto mdc mdc-name

Required only for MDCs.

For more information about this command, see Virtual Technologies Command Reference.

3.     Create an IPv4 object policy and enter its view.

object-policy ip object-policy-name

By default, no IPv4 object policies exist.

4.     (Optional.) Configure a description for the object policy.

description text

By default, no description is configured for an object policy.

 

Creating an IPv6 object policy

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter MDC system view.

switchto mdc mdc-name

Required only for MDCs.

For more information about this command, see Virtual Technologies Command Reference.

3.     Create an IPv6 object policy and enter its view.

object-policy ipv6 object-policy-name

By default, no IPv6 object policies exist.

4.     (Optional.) Configure a description for the object policy.

description text

By default, no description is configured for an object policy.

 

Configuring object policy rules

Configuring an IPv4 object policy rule

You can specify an existing object group in an IPv4 object policy rule for matching target IPv4 packets. If no object group is specified for a rule, the rule applies to all IPv4 packets.

The following object groups can be used in a rule for packet matching:

·     Source IPv4 address object group—Used for matching the source IPv4 addresses of packets.

·     Destination IPv4 address object group—Used for matching the destination IPv4 addresses of packets.

·     Service object group—Used for matching the service types carried in packets.

·     VRF instance—Used for matching the MPLS L3VPN instances of packets.

·     Application/application group—Used for matching PBAR-classified application IDs of packets. NBAR-classified applications cannot match any packets. For more information about PBAR and NBAR, see "Configuring ARP."

To configure an IPv4 object policy rule:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter MDC system view.

switchto mdc mdc-name

Required only for MDCs.

For more information about this command, see Virtual Technologies Command Reference.

3.     Enter IPv4 object policy view.

object-policy ip object-policy-name

N/A

4.     Configure an IPv4 object policy rule.

rule [ rule-id ] { drop | pass | inspect app-profile-name } [ [ source-ip { object-group-name | any } ] [ destination-ip { object-group-name | any } ] [ service { object-group-name | any } ] [ vrf vrf-name ] [ application application-name ] [ app-group app-group-name ] [ counting ] [ disable ] [ logging ] [ time-range time-range-name ] ] *

By default, no IPv4 object policy rules are configured.

If you specify a nonexistent object group, the rule does not match packets.

5.     (Optional.) Configure a description for the rule.

rule rule-id comment text

By default, an object policy rule does not have a description.

6.     (Optional.) Append a criterion to the rule for packet matching.

rule rule-id append { application application-name | app-group app-group-name | destination-ip object-group-name | service object-group-name | source-ip object-group-name }

By default, no criterion is appended to an object policy rule.

 

Configuring an IPv6 object policy rule

You can specify an existing object group in an IPv6 object policy rule for matching target IPv6 packets. If no object group is specified for a rule, the rule applies to all IPv6 packets.

The following object groups can be used in a rule for packet matching:

·     Source IPv6 address object group—Used for matching the source IPv6 addresses of packets.

·     Destination IPv6 address object group—Used for matching the destination IPv6 addresses of packets.

·     Service object group—Used for matching the service types carried in packets.

·     VRF instance—Used for matching the MPLS L3VPN instances of packets.

·     Application/application group—Used for matching PBAR-classified application IDs of packets. NBAR-classified applications cannot match any packets. For more information about PBAR and NBAR, see "Configuring ARP."

To configure an IPv6 object policy rule:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter MDC system view.

switchto mdc mdc-name

Required only for MDCs.

For more information about this command, see Virtual Technologies Command Reference.

3.     Enter IPv6 object policy view.

object-policy ipv6 object-policy-name

N/A

4.     Configure an IPv6 object policy rule.

rule [ rule-id ] { drop | pass | inspect app-profile-name } [ [ source-ip { object-group-name | any } ] [ destination-ip { object-group-name | any } ] [ service { object-group-name | any } ] [ vrf vrf-name ] [ application application-name ] [ app-group app-group-name ] [ counting ] [ disable ] [ logging ] [ time-range time-range-name ] ] *

By default, no IPv6 object policy rules are configured.

If you specify a nonexistent object group, the rule does not match packets.

5.     (Optional.) Configure a description for the rule.

rule rule-id comment text

By default, an object policy rule does not have a description.

6.     (Optional.) Append a criterion to the rule for packet matching.

rule rule-id append { application application-name | app-group app-group-name | destination-ip object-group-name | service object-group-name | source-ip object-group-name }

By default, no criterion is appended to an object policy rule.

 

Applying object policies to zone pairs

You can apply one IPv4 object policy and one IPv6 object policy to each zone pair. Configuration fails if you apply more than one IPv4 or IPv6 object policy to a zone pair.

To apply an object policy to a zone pair:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter MDC system view.

switchto mdc mdc-name

Required only for MDCs.

For more information about this command, see Virtual Technologies Command Reference.

3.     Configure the security zones.

security-zone name zone-name

By default, no security zones exist.

You can repeat this command to create multiple security zones.

4.     Return to system view.

quit

N/A

5.     Create a zone pair in MDC system view and enter zone pair view.

zone-pair security source source-zone-name destination destination-zone-name

By default, no zone pairs exist.

For more information about this command, see Fundamentals Command Reference.

6.     Apply an object policy to the zone pair.

·     Apply an IPv4 object policy to the zone pair:
object-policy apply ip object-policy-name

·     Apply an IPv6 object policy to the zone pair:
object-policy apply ipv6 object-policy-name

By default, no object policy is applied to a zone pair.

 

Changing the rule match order

The device matches packets against object policy rules in the order the rules were configured. You can change the rule match order by changing the position of an object policy rule in the rule list.

To change the rule match order:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter MDC system view.

switchto mdc mdc-name

Required only for MDCs.

For more information about this command, see Virtual Technologies Command Reference.

3.     Enter object policy view.

·     Enter IPv4 object policy view:
object-policy ip object-policy-name

·     Enter IPv6 object policy view:
object-policy ipv6 object-policy-name

N/A

4.     Move an object policy rule.

move rule rule-id before insert-rule-id

N/A

 

Enabling rule matching acceleration

This feature accelerates rule matching. It improves connection establishment and packet forwarding performance, especially on a device that must match the first packets of many users' flows against a large number of rules.

To enable rule matching acceleration:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter MDC system view.

switchto mdc mdc-name

Required only for MDCs.

For more information about this command, see Virtual Technologies Command Reference.

3.     Enter object policy view.

·     Enter IPv4 object policy view:
object-policy ip object-policy-name

·     Enter IPv6 object policy view:
object-policy ipv6 object-policy-name

N/A

4.     Enable rule matching acceleration.

accelerate

By default, rule matching acceleration is disabled for an object policy.

 

Displaying and maintaining object policies

Execute display commands in any view.

 

Task

Command

Display acceleration information for object policies (in standalone mode).

display object-policy accelerate { summary { ip | ipv6 } | verbose { ip object-policy-name | ipv6 object-policy-name } slot slot-number }

Display acceleration information for object policies (in IRF mode).

display object-policy accelerate { summary { ip | ipv6 } | verbose { ip object-policy-name | ipv6 object-policy-name } chassis chassis-number slot slot-number }

Display information about IPv4 object policies.

display object-policy ip [ object-policy-name ]

Display information about IPv6 object policies.

display object-policy ipv6 [ object-policy-name ]

Display information about the object policies applied to zone pairs.

display object-policy zone-pair security [ source source-zone-name destination destination-zone-name ]

Display statistics for object policies applied to a zone pair.

display object-policy statistics zone-pair security source source-zone-name destination destination-zone-name [ ip | ipv6 ]

 

Object policy configuration example

Network requirements

Configure object policies to achieve the following goals:

·     The president office can access the financial database server through HTTP at any time.

·     The financial office can access the financial database server through HTTP from 8:00 to 18:00 on weekdays.

·     The marketing office cannot access the financial database server through HTTP at any time.

Figure 1 Network diagram

 

Configuration procedure

1.     Create a time range named work to cover 8:00 to 18:00 on weekdays.

<DeviceA> system-view

[DeviceA] time-range work 08:00 to 18:00 working-day

2.     Create security zones:

# Create a security zone named president, and add GigabitEthernet 1/1/2 to the zone.

[DeviceA] security-zone name president

[DeviceA-security-zone-president] import interface gigabitethernet 1/1/2

[DeviceA-security-zone-president] quit

# Create a security zone named finance, and add GigabitEthernet 1/1/3 to the zone.

[DeviceA] security-zone name finance

[DeviceA-security-zone-finance] import interface gigabitethernet 1/1/3

[DeviceA-security-zone-finance] quit

# Create a security zone named market, and add GigabitEthernet 1/1/4 to the zone.

[DeviceA] security-zone name market

[DeviceA-security-zone-market] import interface gigabitethernet 1/1/4

[DeviceA-security-zone-market] quit

# Create a security zone named database, and add GigabitEthernet 1/1/1 to the zone.

[DeviceA] security-zone name database

[DeviceA-security-zone-database] import interface gigabitethernet 1/1/1

[DeviceA-security-zone-database] quit

3.     Create object groups:

# Create an IPv4 address object group named president. Configure an IPv4 address object with the subnet address of 192.168.1.0/24 for the group.

[DeviceA] object-group ip address president

[DeviceA-obj-grp-ip-president] network subnet 192.168.1.0 24

[DeviceA-obj-grp-ip-president] quit

# Create an IPv4 address object group named finance. Configure an IPv4 address object with the subnet address of 192.168.2.0/24 for the group.

[DeviceA] object-group ip address finance

[DeviceA-obj-grp-ip-finance] network subnet 192.168.2.0 24

[DeviceA-obj-grp-ip-finance] quit

# Create an IPv4 address object group named market. Configure an IPv4 address object with the subnet address of 192.168.3.0/24 for the group.

[DeviceA] object-group ip address market

[DeviceA-obj-grp-ip-market] network subnet 192.168.3.0 24

[DeviceA-obj-grp-ip-market] quit

# Create an IPv4 address object group named database. Configure an IPv4 address object with the subnet address of 192.168.0.0/24 for the group.

[DeviceA] object-group ip address database

[DeviceA-obj-grp-ip-database] network subnet 192.168.0.0 24

[DeviceA-obj-grp-ip-database] quit

# Create a service object group named web. Configure a service object with the HTTP service.

[DeviceA] object-group service web

[DeviceA-obj-grp-service-web] service 6 destination eq 80

[DeviceA-obj-grp-service-web] quit

4.     Create object policies and rules:

# Create an IPv4 object policy named president-database. Configure a rule that allows the president office to access the financial database server through HTTP at any time.

[DeviceA] object-policy ip president-database

[DeviceA-object-policy-ip-president-database] rule pass source-ip president destination-ip database service web

[DeviceA-object-policy-ip-president-database] quit

# Create an IPv4 object policy named finance-database. Configure a rule that allows the financial office to access the financial database server through HTTP from 8:00 to 18:00 on weekdays.

[DeviceA] object-policy ip finance-database

[DeviceA-object-policy-ip-finance-database] rule pass source-ip finance destination-ip database service web time-range work

[DeviceA-object-policy-ip-finance-database] quit

# Create an IPv4 object policy named market-database. Configure a rule that prohibits the marketing office from accessing the financial database server through HTTP at any time.

[DeviceA] object-policy ip market-database

[DeviceA-object-policy-ip-market-database] rule drop source-ip market destination-ip database service web

[DeviceA-object-policy-ip-market-database] quit

5.     Apply object policies to zone pairs:

# Create a zone pair from security zone president to security zone database. Apply IPv4 object policy president-database to the zone pair.

[DeviceA] zone-pair security source president destination database

[DeviceA-zone-pair-security-president-database] object-policy apply ip president-database

[DeviceA-zone-pair-security-president-database] quit

# Create a zone pair from security zone finance to security zone database. Apply IPv4 object policy finance-database to the zone pair.

[DeviceA] zone-pair security source finance destination database

[DeviceA-zone-pair-security-finance-database] object-policy apply ip finance-database

[DeviceA-zone-pair-security-finance-database] quit

# Create a zone pair from security zone market to security zone database. Apply IPv4 object policy market-database to the zone pair.

[DeviceA] zone-pair security source market destination database

[DeviceA-zone-pair-security-market-database] object-policy apply ip market-database

[DeviceA-zone-pair-security-market-database] quit

Verifying the configuration

# Use a PC in each office to access the Web service of the financial database server through the browser. (Details not shown.)
