A security policy defines a set of rules for forwarding control and Deep Packet Inspection (DPI). It matches packets against the rules and takes the action stated in the rules on the matched packets.

Security policies can provide the same functions as packet filtering and object policies, and support precise network management based on application, protocol, and user. By working with DPI, it can also provide security protection services such as antivirus and intrusion protection.

For more information about packet filtering, see ACL and QoS Configuration Guide. For more information about object policies, see "Configuring object policies."

Security policy rules

A security policy contains one or multiple rules. Each security policy rule is a permit or deny, or DPI statement for identifying traffic based on criteria.

Rule numbering

Each rule is uniquely identified by a name and an ID. When you create a rule, the rule name must be manually configured, and the rule ID can be manually configured or automatically assigned by the system.

Rule match criteria

The rule match criteria include the following types: source security zone, destination security zone, source IP address and source MAC address, destination IP address, application and application group, location and location group, URL category, VPN instance, and service.

You can specify multiple criteria for each type, except VPN instance. For example, you can configure multiple source security zones for a rule.

Rule and session management

When a security policy is configured, the device generates session entries for permitted packets to record packet information.

You can set session aging times for protocol states, application layer protocols, or rules. The aging time configured for a rule takes precedence over the aging time configured for a protocol state or an application layer protocol. For more information about session management, see "Managing sessions."

Security policy mechanism

As shown in Figure 1, a security policy operates as follows:

1. After receiving a packet, the device matches the packet against the configured security policy rules.

A security policy rule includes various match criterion types. A packet is considered matched if it matches all the criterion types in the rule. Each criterion type includes one or more criteria, and a packet matches a criterion type if it matches any criterion of the type. Source MAC address criteria and source IP address criteria belong to the same criterion type.

¡ If no match is found, the device discards the packet.

¡ If a match is found and the rule action is drop, the device discards the packet.

¡ If a match is found and the rule action is pass, the device goes to the next step.

2. If a DPI application profile is configured for the matched rule, the device uses the specified profile to perform DPI on the packet. If no DPI application profile is specified, the device allows the packet to pass.

Figure 1 Security policy mechanism

‌

Rule matching acceleration

This feature accelerates security policy rule matching to enhance connection establishment and packet forwarding performance, especially for a device using multiple rules to match packets from multiple users.

Security policy rule grouping

Security policy rule grouping allows users to enable, disable, delete, and move security policy rules in batches. A security policy rule in a security policy rule group takes effect only when both the rule and the group are enabled.

Restrictions: Hardware compatibility with security policies

Hardware	Security policy compatibility
MSR610	Yes
MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-CNDE-SJK, MSR810-EI, MSR810-LM-EA, MSR810-LM-EI	Yes
MSR810-LMS, MSR810-LUS	No
MSR810-SI, MSR810-LM-SI	No
MSR810-LMS-EA, MSR810-LME	Yes
MSR1004S-5G	Yes
MSR1104S-W, MSR1104S-W-CAT6	Yes
MSR2600-6-X1, MSR2600-15-X1, MSR2600-15-X1-T	Yes
MSR2600-10-X1	Yes
MSR2630	Yes
MSR3600-28, MSR3600-51	Yes
MSR3600-28-SI, MSR3600-51-SI	No
MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP	Yes
MSR3600-28-G-DP, MSR3600-51-G-DP	Yes
MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD, MSR-EAD-AK770, MSR3610-I-IG, MSR3610-IE-IG	Yes
MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC, MSR3620-X1, MSR3640-X1	Yes
MSR3610, MSR3620, MSR3620-DP, MSR3640, MSR3660	Yes
MSR3610-G, MSR3620-G	Yes
MSR3640-X1-HI	Yes

Hardware	Security policy compatibility
MSR810-W-WiNet, MSR810-LM-WiNet	Yes
MSR830-4LM-WiNet	Yes
MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet	Yes
MSR830-6BHI-WiNet, MSR830-10BHI-WiNet	Yes
MSR2600-6-WiNet	Yes
MSR2600-10-X1-WiNet	Yes
MSR2630-WiNet	Yes
MSR3600-28-WiNet	Yes
MSR3610-X1-WiNet	Yes
MSR3610-WiNet, MSR3620-10-WiNet, MSR3620-DP-WiNet, MSR3620-WiNet, MSR3660-WiNet	Yes

Hardware	Security policy compatibility
MSR860-6EI-XS	Yes
MSR860-6HI-XS	Yes
MSR2630-XS	Yes
MSR3600-28-XS	Yes
MSR3610-XS	Yes
MSR3620-XS	Yes
MSR3610-I-XS	Yes
MSR3610-IE-XS	Yes
MSR3620-X1-XS	Yes
MSR3640-XS	Yes
MSR3660-XS	Yes

Hardware	Security policy compatibility
MSR810-LM-GL	Yes
MSR810-W-LM-GL	Yes
MSR830-6EI-GL	Yes
MSR830-10EI-GL	Yes
MSR830-6HI-GL	Yes
MSR830-10HI-GL	Yes
MSR1004S-5G-GL	Yes
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	No

Application scenarios

Local device access

In a local access scenario, you must configure security policy rules for the following operations to be performed successfully:

· Local device access through a non-management local port, including ping, telnet, Web access, and FTP operations.

· Protocol packet exchange triggered by any other devices (such as packet exchanges of Dynamic Routing Protocol or VPN tunneling).

For example, as shown in Figure 2, for a PC (10.1.1.10) in the Trust security zone to access the Web interface of the local device (10.1.1.1) through HTTPS, you must configure a security policy rule as described in Table 1.

Figure 2 Local device access

‌

Table 1 Security policy rule configuration

Rule name	Source security zone	Destination security zone	Source IP address	Destination IP address	Service	Action
httpslocalin	Trust	Local	10.1.1.10	10.1.1.1	https	pass

‌

For more information about permitting protocol packets, see "Common local services."

Remote device access

In a remote access scenario, you must configure security policy rules for the following operations to be performed successfully:

· Remote device access through a non-management local port, including ping, telnet, Web access, and FTP operations.

· Protocol packet exchange triggered by the local device (such as packet exchanges of Dynamic Routing Protocol or VPN tunneling).

For example, as shown in Figure 3, for the local device (10.1.1.1) to access the FTP service provided by the FTP server (10.1.1.20) in the Trust security zone, you must configure a security policy rule as described in Table 2.

Figure 3 Remote device access

‌

Table 2 Configuration of local device accessing other devices

Rule name	Source security zone	Destination security zone	Source IP address	Destination IP address	Service	Action
ftplocalout	Local	Trust	10.1.1.1	10.1.1.20	ftp	pass

‌

Direct traffic forwarding

For the local device to forward traffic that is either sent from or destined to the local device, you must configure security policy rules to permit traffic from the corresponding security zones.

For example, as shown in Figure 4, for a PC (10.1.1.10) in the Trust zone to visit a website in the Untrust zone through HTTP, you must configure a security policy rule as shown in Table 3.

Figure 4 Direct traffic forwarding

‌

Table 3 Direct traffic forwarding

Rule name	Source security zone	Destination security zone	Source IP address	Service	Action
trust-untrust	Trust	Untrust	10.1.1.10	http	pass

‌

Configuration principles

As a best practice to achieve the optimal performance, follow these principles when you configure security policy rules:

· Configure matching criteria as strict as possible.

· Follow the depth-first order during rule creation to create rules with stricter match criteria first because the system matches packets against rules in the order the rules were created.

· For packets from and to the same security zone, configure two rules to control packet exchanges between interfaces instead of using one rule that allows traffic between any interfaces in the zone to pass.

· Place security policy rules using the Local security zone as a matching criterion in front of all the other rules to ensure that local service packets can be correctly processed.

Common local services

You must configure security policy rules to permit local service traffic from or to specific security zones. Table 4 lists the common local services that require security policy permission. Support for the common local services varies by device.

Table 4 Common local services that require security policy permission

Service	Required security policy configuration
OSPF/IS-IS/RIP/BGP	Configure rules for the service traffic from or to the local zone.
IPsec/SSL/L2TP/MPLS/GRE	Configure rules for the service traffic from or to the local zone.
DNS/DHCP/FTP (client)	Configure rules only for the service traffic from the local zone.
DNS/DHCP/FTP (server)	Configure rules only for the service traffic to the local zone.
SSH/Telnet/Ping/Tracet (locally triggered)	Configure rules only for the service traffic from the local zone.
SSH/Telnet/SNMP/HTTP/HTTPS (local access)	Configure rules only for the service traffic to the local zone.
BFD	Configure rules for the service traffic from or to the local zone.
LB	Configure rules for the service traffic from or to the local zone.

‌

Restrictions and guidelines: Security policy configuration

As a best practice, do not configure packet filtering, object policies, and security policies at the same time. If you do so, some policies might fail to take effect, causing service interruption.

Before configuring security policies, verify if the device is configured with packet filtering or object policies. As a best practice, switch packet filtering and object policies to security policies because security policies take precedence over packet filtering and object policies lose effect the first time you enter security policy view. For more information, see "Switching packet filtering to security policy settings" and "Switching object policies to security policies."

Configuration procedure diagram

Figure 5 shows how to configure a security policy.

Figure 5 Security policy configuration procedure

‌

Prerequisites for security policies

Before you configure security policies, perform the following tasks:

· Configure a time range. See time range configuration in ACL and QoS Configuration Guide.

· Configure IP address object groups and service object groups. See "Configuring object groups."

· Configure applications and application groups. See "Configuring APR."

· Configure location and location groups. See "Configuring location identification."

· Configure URL categories. See DPI Configuration Guide.

· Configure security zones. See "Configuring security zones."

· Configure DPI. See DPI Configuration Guide.

Security policy tasks at a glance

To configure object policies, perform the following tasks:

1. (Optional.) Switching packet filtering to security policy settings

2. (Optional.) Switching object policies to security policies

3. Enabling the security policy feature

4. Configuring IPv4 security policy rules

a. Creating a security policy rule

b. Configuring filtering criteria for a security policy rule

c. Specifying the action for a security policy rule

d. (Optional.) Specifying a time range for a security policy rule

e. (Optional.) Applying a DPI application profile to a security policy rule

f. (Optional.) Setting the session aging time for a security policy rule

g. (Optional.) Associating a security policy rule with a track entry

h. (Optional.) Enabling logging for matched packets

i. (Optional.) Enabling statistics collection for matched packets

j. (Optional.) Enabling security policy rule learning

5. Configuring IPv6 security policy rules

a. Creating a security policy rule

b. Configuring filtering criteria for a security policy rule

c. Specifying the action for a security policy rule

d. (Optional.) Specifying a time range for a security policy rule

e. (Optional.) Applying a DPI application profile to a security policy rule

f. (Optional.) Setting the session aging time for a security policy rule

g. (Optional.) Associating a security policy rule with a track entry

h. (Optional.) Enabling logging for matched packets

i. (Optional.) Enabling statistics collection for matched packets

j. (Optional.) Enabling security policy rule learning

6. (Optional.) Manage security policy rules

a. Changing the rule match order

b. Activating rule matching acceleration

c. Disabling a security policy rule

d. Renaming a security policy rule

7. (Optional.) Configuring security policy rule groups

a. Creating a security policy rule group

b. Specifying a security policy rule group for a security policy rule

c. Moving a security policy rule group

d. Renaming a security policy rule group

8. (Optional.) Setting the time for fast output of security policy settings as logs

Switching packet filtering to security policy settings

When security policies are configured, packet filtering is performed only on packets that do not match any security policy rule. As a best practice to avoid interruption of services permitted by packet filtering, do not configure packet filtering and security policies at the same time.

If packet filtering is configured, switch packet filtering to security policy settings as a best practice before enabling the security policy feature.

Switching packet filtering to security policy settings before security policies are configured

1. Execute the security-policy disable command to disable the security policy feature.

2. Enter security policy view, configure filtering criteria and actions for security policy rules based on the packet filtering configuration.

3. Execute the undo security-policy disable command to enable the security policy feature.

4. (Optional.) Delete the packet filtering configuration from the device.

Switching packet filtering to security policy settings after security policies are configured

You can perform this task from the Web interface (recommended) or CLI.

To perform this task from the CLI:

1. Access the CLI of the device. As a best practice, access the device through the Console port or interface of the Management security zone in case the connection is terminated by packet filtering.

2. Enter security policy view, and configure filtering criteria and actions for security policy rules based on the packet filtering configuration.

CAUTION:

After using the rule [ rule-id ] name rule-name command to create the first security policy rule, configure the filtering criteria and actions based on packet filtering as soon as possible to shorten service interruption. With no filtering criteria or action specified, the rule matches and drops all packets. You can configure other security policy settings when the service is not busy as a best practice.

3. (Optional.) Delete the packet filtering configuration from the device.

Switching object policies to security policies

About switching object policies to security policies

To avoid service interruption, switch object policies to security policies before configuring security policies for the first time because object policies lose effect once security policies are configured.

After the switching, the device deletes object policy settings and their relations with security zone pairs, and security policy rules switched from object policy rules that are not applied to any security zone pairs are in inactive state and do not take effect.

Restrictions and guidelines for switching object policies to security policies

When you switch object policies to security policies, follow these restrictions and guidelines:

· Perform the undo security-policy disable command to enable the security policy feature before you execute the manual switching command, and then save the configuration.

· Do not configure any security policy settings before switching.

· Use this feature only after you upgrade the device from a security policy-incapable version to a version that supports security policy.

· Make sure the working directory is on a fixed storage medium in the device, for example, the flash memory, instead of a removable storage medium, such as a hard disk.

· After a configuration rollback from security policies to object policies, use the security-policy disable command to disable the security feature for the object policies to take effect.

Prerequisites for switching object policies to security policies

Before configuring a security policy, complete the following tasks:

· Change the object policy rule match order to make sure the rules are created in the depth-first order.

· Make sure no object policy is applied to zone pairs that use security zone any as the source or destination security zone.

· Make sure configuration file encryption is disabled.

Manually switching object policies to security policies

1. Enter system view.

system-view

2. Switch object policy settings in the specified configuration file to security policy settings.

security-policy switch-from object-policy object-filename security-filename

Automatically switching object policies to security policies

Restrictions and guidelines

In auto switching, the device appends _secp to the original configuration file's name, and uses the string as the name of the new file. For example, if the original configuration file is named startup.cfg, the new configuration file will be named startup_secp.cfg.

Procedure

To perform auto switching, upgrade the device software to a version that supports security policies. The device will restart automatically after the switching process completes. For more information about software upgrade, see software upgrade configuration in Fundamentals Configuration Guide.

Enabling the security policy feature

Restrictions and guidelines

Security policy settings take effect only when the security policy feature is enabled.

After the device starts up, the device automatically executes the security-policy disable command to disable the security policy feature if object policy settings exist in the configuration file. If object policy settings do not exist in the configuration file, the device enables the security policy feature.

Security policies and object policies cannot take effect at the same time on a device. If security policy is enabled, object policies lose effect at the first time security policy view is entered. If you are to manually configure security policies item by item based on object policy settings, keep the security policy feature disabled until you finish the configuration.

After a configuration rollback from security policies to object policies, disable the security feature for the object policies to take effect.

Procedure

1. Enter system view.

system-view

2. Enable the security policy feature.

undo security-policy disable

By default, the security policy feature is enabled.

CAUTION:

The security-policy disable command disables the security policy feature and might cause traffic interruption.

‌

Configuring IPv4 security policy rules

Creating a security policy rule

About this task

By default, no rules exist in a security policy, and the device allows only packets exchanged between the Management security zone and the Local security zone to pass. For the device to process packets correctly, configure policy rules for each security policy.

If a configured feature, such as dynamic routing, tunneling, and VPN, requires exchanges with the device, configure security policy rules for the Local security zone to communicate with the specific zones.

Procedure

1. Enter system view.

system-view

2. Enter IPv4 security policy view.

security-policy ip

CAUTION:

· The undo security-policy { ip | ipv6 } command directly deletes all security policy configuration and might cause network interruption.

· If the security policy feature is enabled, object policy settings lose effect the first time you enter security policy view. Make sure object policy settings have been switched to security policy settings before you enter security policy view.

‌

3. (Optional.) Configure a description for the policy.

description text

By default, a security policy does not have a description.

4. Create a security policy rule.

rule { rule-id | [ rule-id ] name rule-name }

5. (Optional.) Configure a description for the rule.

description text

By default, a security policy rule does not have a description.

Configuring filtering criteria for a security policy rule

Restrictions and guidelines

A rule matches all packets if no criteria are specified for the rule. If no action is set for the rule, the device drops the matched packets by default.

If a specified object group has no objects, the rule cannot match any packets.

Packets exchanged between the Management and Local security zones are allowed to pass by default and can only match local-to-management or management-to-local security policy rules. To discard packets between the Management and Local security zones, configure local-to-management and management-to-local rules and specify the rule actions as drop.

Security policy rules specified with an IP address object group that uses a user or user group cannot match packets. To filter packets by user or user group, configure security policy rules specified with user or user group criteria.

Procedure

1. Enter system view.

system-view

2. Enter IPv4 security policy view.

security-policy ip

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Configure source filtering criteria:

¡ Specify a source security zone as a filtering criterion.

source-zone source-zone-name

By default, no source security zone is specified as a filtering criterion.

¡ Specify a source IPv4 address object group as a filtering criterion.

source-ip object-group-name

By default, no source IPv4 address object group is specified as a filtering criterion.

¡ Specify a source IPv4 host address as a filtering criterion.

source-ip-host ip-address

By default, no source IPv4 host address is specified as a filtering criterion.

¡ Specify a source IPv4 subnet as a filtering criterion.

source-ip-subnet ip-address { mask-length | mask }

By default, no source IPv4 subnet is specified as a filtering criterion.

¡ Specify a source IPv4 address range as a filtering criterion.

source-ip-range ip-address1 ip-address2

By default, no source IPv4 address range is specified as a filtering criterion.

¡ Specify a source MAC address object group as a filtering criterion.

source-mac object-group-name

By default, no source MAC address object group is specified as a filtering criterion.

5. Configure destination filtering criteria:

¡ Specify a destination security zone as a filtering criterion.

destination-zone destination-zone-name

By default, no destination security zone is specified as a filtering criterion.

¡ Specify a destination IPv4 address object group as a filtering criterion.

destination-ip object-group-name

By default, no destination IPv4 address object group is specified as a filtering criterion.

¡ Specify a destination IPv4 host address as a filtering criterion.

destination-ip-host ip-address

By default, no destination IPv4 host address is specified as a filtering criterion.

¡ Specify a destination IPv4 subnet as a filtering criterion.

destination-ip-subnet ip-address { mask-length | mask }

By default, no destination IPv4 subnet is specified as a filtering criterion.

¡ Specify a destination IPv4 address range as a filtering criterion.

destination-ip-range ip-address1 ip-address2

By default, no destination IPv4 address range is specified as a filtering criterion.

6. Specify an SSID as a filtering criterion.

ssid ssid-name

By default, no SSID is specified as a filtering criterion.

7. Specify an AP or AP group as a filtering criterion.

¡ Specify an AP as a filtering criterion.

ap ap-name

By default, no AP is specified as a filtering criterion.

¡ Specify an AP group as a filtering criterion.

ap-group group-name

By default, no AP group is specified as a filtering criterion.

8. Specify a service object group as a filtering criterion.

service { object-group-name | any }

By default, no service object group is specified as a filtering criterion.

9. Specify a service port as a filtering criterion.

service-port protocol [ { destination { { eq | lt | gt } port | range port1 port2 } | source { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ]

By default, no service port is specified as a filtering criterion.

10. Configure application filtering criteria:

¡ Specify an application as a filtering criterion.

application application-name

By default, no application is specified as a filtering criterion.

For the application filtering criteria to be identified, you must permit the dependent applications to pass through.

¡ Specify an application group as a filtering criterion.

app-group app-group-name

By default, no application group is specified as a filtering criterion.

11. Configure terminal filtering criterion:

¡ Specify a terminal as a filtering criterion.

terminal terminal-name

By default, no terminal is specified as a filtering criterion.

For the terminal filtering criteria to be identified, you must permit packets of protocols on which the terminals depend to pass through.

¡ Specify a terminal group as a filtering criterion.

terminal-group terminal-group-name

By default, no terminal group is specified as a filtering criterion.

12. Configure user filtering criterion:

¡ Specify a user as a filtering criterion.

user username [ domain domain-name ]

By default, no user is specified as a filtering criterion.

¡ Specify a user group as a filtering criterion.

user-group user-group-name [ domain domain-name ]

By default, no user group is specified as a filtering criterion.

13. Specify a URL category as a filtering criterion.

url-category url-category-name

By default, no URL category is specified as a filtering criterion.

14. Configure the rule to take effect on received packets of MPLS L3VPN instances.

¡ Configure the rule to take effect on received packets of the specified MPLS L3VPN instance.

vrf vrf-name

By default, a security policy rule takes effect on received packets of the public network.

¡ Configure the rule to take effect on received packets of any MPLS L3VPN instances.

any-vrf enable

By default, a security policy rule takes effect on received packets of the public network.

Specifying the action for a security policy rule

1. Enter system view.

system-view

2. Enter IPv4 security policy view.

security-policy ip

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Specify the action for the security policy rule.

action { drop | pass }

By default, the action for a security policy rule is drop.

Specifying a time range for a security policy rule

1. Enter system view.

system-view

2. Enter IPv4 security policy view.

security-policy ip

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Specify a time range during which the security policy rule is in effect.

time-range time-range-name

By default, a security policy rule is in effect at any time.

Applying a DPI application profile to a security policy rule

About this task

This feature enables the device to perform DPI on packets matching the specified rule. For more information about DPI, see DPI Configuration Guide.

Restrictions and guidelines

This feature takes effect only when the rule action is pass.

Procedure

1. Enter system view.

system-view

2. Enter IPv4 security policy view.

security-policy ip

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Specify the rule action as pass.

action pass

By default, the action for a security policy rule is drop.

5. Apply a DPI application profile to the rule.

profile app-profile-name

By default, no DPI application profile is applied to a rule.

Setting the session aging time for a security policy rule

About this task

Perform this task to specify the aging time for stable sessions and persistent sessions. The configuration takes effect only on sessions established afterwards.

The configured aging time for persistent sessions is effective only on TCP sessions in ESTABLISHED state.

The priorities of the session aging times configured by using the session persistent aging-time, session aging-time, and session persistent acl commands are in descending order.

Procedure

1. Enter system view.

system-view

2. Enter IPv4 security policy view.

security-policy ip

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Set the session aging time.

session aging-time time-value

By default, the session aging time is not configured.

5. Set the aging time for persistent sessions.

session persistent aging-time time-value

By default, the aging time for persistent sessions is not configured.

CAUTION:

Setting too long an aging time might cause persistent sessions to increase rapidly and therefore cause the CPU usage to be high.

‌

Associating a security policy rule with a track entry

About this task

Perform this task to enable the collaboration between the track module and a security policy rule. The collaboration operates as follows:

· If a rule is associated with the Negative state of a track entry, the device:

¡ Sets the rule state to Active if the track entry is in Negative state.

¡ Sets the rule state to Inactive if the track entry is in Positive state.

· If a rule is associated with the Positive state of a track entry, the device:

¡ Sets the rule state to Active if the track entry is in Positive state.

¡ Sets the rule state to Inactive if the track entry is in Negative state.

For more information about track entries, see High Availability Configuration Guide.

Procedure

1. Enter system view.

system-view

2. Enter IPv4 security policy view.

security-policy ip

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Associate the rule with a track entry.

track { negative | positive } track-entry-number

By default, no track entry is associated with a rule.

Enabling logging for matched packets

About this task

This feature enables the device to log matching packets and send the log to the information center for processing or fast output the log. The log destinations and output rules are determined by the information center or fast log output settings. For more information about the information center or fast log output, see Network Management and Monitoring Configuration Guide.

Procedure

1. Enter system view.

system-view

2. Enter IPv4 security policy view.

security-policy ip

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Enable logging for matched packets.

logging enable

By default, logging for matched packets is disabled.

Enabling statistics collection for matched packets

About this task

Perform this task to enable the device to collect statistics about matched packets. The collected statistics can be viewed by executing the display security-policy statistics command.

If an enabling period is specified, the system disables the statistics collection feature and removes the configuration at period expiration. If no enabling period is specified, you must execute the undo command to disable the statistics collection feature.

Restrictions and guidelines

When inter-VLAN bridge forwarding is configured, this feature collects statistics only about packets discarded by security policies and DPI. Statistics about permitted packets are not collected. For more information about inter-VLAN bridge forwarding, see Layer 2 forwarding in Layer 2—LAN Switching Configuration Guide.

Procedure

1. Enter system view.

system-view

2. Enter IPv4 security policy view.

security-policy ip

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Enable statistics collection for matched packets.

counting enable [ period value ]

By default, the device does not collect statistics about matched packets.

Enabling security policy rule learning

About this task

To ensure accurate packet filtering, configure strict security policy rules with a fine granularity as a best practice. However, when the properties of packets to be passed or dropped cannot be determined, you can only configure security policy rules with relatively loose criteria to ensure correct forwarding.

In this case, perform this task to enable the system to learn matched packets and record their properties. You can then log into the Web management interface of the device to view the records, summarize the properties of packets to be passed or dropped, and refine security policy filtering criteria.

Restrictions and guidelines

After configuring accurate security policies, delete the security policies with loose filtering criteria as a best practice.

Procedure

1. Enter system view.

system-view

2. Enter IPv4 security policy view.

security-policy ipv4

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Enable security policy rule learning.

learning enable

By default, the security policy rule learning is disabled.

Configuring IPv6 security policy rules

Creating a security policy rule

About this task

Procedure

1. Enter system view.

system-view

2. Enter IPv6 security policy view.

security-policy ipv6

CAUTION:

· The undo security-policy { ip | ipv6 } command directly deletes all security policy configuration and might cause network interruption.

‌

3. (Optional.) Configure a description for the policy.

description text

By default, a security policy does not have a description.

4. Create a security policy rule.

rule { rule-id | [ rule-id ] name rule-name }

5. (Optional.) Configure a description for the rule.

description text

By default, a security policy rule does not have a description.

Configuring filtering criteria for a security policy rule

Restrictions and guidelines

A rule matches all packets if no criteria are specified for the rule. If no action is set for the rule, the device drops the matched packets by default.

If a specified object group has no objects, the rule cannot match any packets.

Procedure

1. Enter system view.

system-view

2. Enter IPv6 security policy view.

security-policy ipv6

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Configure source filtering criteria:

¡ Specify a source security zone as a filtering criterion.

source-zone source-zone-name

By default, no source security zone is specified as a filtering criterion.

¡ Specify a source IPv6 address object group as a filtering criterion.

source-ip object-group-name

By default, no source IPv6 address object group is specified as a filtering criterion.

¡ Specify a source IPv6 host address as a filtering criterion.

source-ip-host ipv6-address

By default, no source IPv6 host address is specified as a filtering criterion.

¡ Specify a source IPv6 subnet as a filtering criterion.

source-ip-subnet ipv6-address prefix-length

By default, no source IPv6 subnet is specified as a filtering criterion.

¡ Specify a source IPv6 address range as a filtering criterion.

source-ip-range ipv6-address1 ipv6-address2

By default, no source IPv6 address range is specified as a filtering criterion.

5. Configure destination filtering criteria:

¡ Specify a destination security zone as a filtering criterion.

destination-zone destination-zone-name

By default, no destination security zone is specified as a filtering criterion.

¡ Specify a destination IPv6 address object group as a filtering criterion.

destination-ip object-group-name

By default, no destination IPv6 address object group is specified as a filtering criterion.

¡ Specify a destination IPv6 host address as a filtering criterion.

destination-ip-host ipv6-address

By default, no destination IPv6 host address is specified as a filtering criterion.

¡ Specify a destination IPv6 subnet as a filtering criterion.

destination-ip-subnet ipv6-address prefix-length

By default, no destination IPv6 subnet is specified as a filtering criterion.

¡ Specify a destination IPv6 address range as a filtering criterion.

destination-ip-range ipv6-address1 ipv6-address2

By default, no destination IPv6 address range is specified as a filtering criterion.

6. Specify a service object group as a filtering criterion.

service { object-group-name | any }

By default, no service object group is specified as a filtering criterion.

7. Specify a service port as a filtering criterion.

service-port protocol [ { destination { { eq | lt | gt } port | range port1 port2 } | source { { eq | lt | gt } port | range port1 port2 } } * | icmpv6-type icmpv6-code ]

By default, no service port is specified as a filtering criterion.

8. Configure application filtering criteria:

¡ Specify an application as a filtering criterion.

application application-name

By default, no application is specified as a filtering criterion.

For the application filtering criteria to be identified, you must permit the dependent applications to pass through.

¡ Specify an application group as a filtering criterion.

app-group app-group-name

By default, no application group is specified as a filtering criterion.

9. Configure user filtering criterion:

¡ Specify a user as a filtering criterion.

user username [ domain domain-name ]

By default, no user is specified as a filtering criterion.

¡ Specify a user group as a filtering criterion.

user-group user-group-name [ domain domain-name ]

By default, no user group is specified as a filtering criterion.

10. Specify a URL category as a filtering criterion.

url-category url-category-name

By default, no URL category is specified as a filtering criterion.

11. Configure the rule to take effect on received packets of MPLS L3VPN instances.

¡ Configure the rule to take effect on received packets of the specified MPLS L3VPN instance.

vrf vrf-name

By default, a security policy rule takes effect on received packets of the public network.

¡ Configure the rule to take effect on received packets of any MPLS L3VPN instances.

any-vrf enable

By default, a security policy rule takes effect on received packets of the public network.

Specifying the action for a security policy rule

1. Enter system view.

system-view

2. Enter IPv6 security policy view.

security-policy ipv6

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Specify the action for the security policy rule.

action { drop | pass }

By default, the action for a security policy rule is drop.

Specifying a time range for a security policy rule

1. Enter system view.

system-view

2. Enter IPv6 security policy view.

security-policy ipv6

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Specify a time range during which the security policy rule is in effect.

time-range time-range-name

By default, a security policy rule is in effect at any time.

Applying a DPI application profile to a security policy rule

About this task

This feature enables the device to perform DPI on packets matching the specified rule. For more information about DPI, see DPI Configuration Guide.

Restrictions and guidelines

This feature takes effect only when the rule action is pass.

Procedure

1. Enter system view.

system-view

2. Enter IPv6 security policy view.

security-policy ipv6

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Specify the rule action as pass.

action pass

By default, the action for a security policy rule is drop.

5. Apply a DPI application profile to the rule.

profile app-profile-name

By default, no DPI application profile is applied to a rule.

Setting the session aging time for a security policy rule

About this task

Perform this task to specify the aging time for stable sessions and persistent sessions. The configuration takes effect only on sessions established afterwards.

The configured aging time for persistent sessions is effective only on TCP sessions in ESTABLISHED state.

The priorities of the session aging times configured by using the session persistent aging-time, session aging-time, and session persistent acl commands are in descending order.

Procedure

1. Enter system view.

system-view

2. Enter IPv6 security policy view.

security-policy ipv6

3. Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4. Set the session aging time.

session aging-time time-value

By default, the session aging time is not configured.

5. Set the aging time for persistent sessions.

session persistent aging-time time-value

By default, the aging time for persistent sessions is not configured.