- 03-Security Command Reference
display trusted-access controller sdp assigned-resource
display trusted-access controller sdp default-policy
display trusted-access controller sdp ip-tunnel route
display trusted-access controller sdp mode transparent
display trusted-access controller sdp session
display trusted-access controller sdp tcp-proxy-connection
SDP zero trust commands
vSystem supports all SDP zero trust features. For more information about vSystem, see Virtual Technologies Configuration Guide.
display trusted-access controller sdp assigned-resource
Use display trusted-access controller sdp assigned-resource to display the resources assigned by the SDP controller to users.
Syntax
display trusted-access controller sdp assigned-resource { api | app } [ context context-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
api: Displays API resources.
app: Displays app resources.
context context-name: Specifies an SDP context by its name. An SDP context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SDP context, this command displays resource information in all SDP contexts.
Examples
# Display app resources assigned by the SDP controller to users.
<Sysname> display trusted-access controller sdp assigned-resource app
Total Apps : 2
Context : default
Apps : 2
App ID : 1
App Name : udp
AccessType : ip-tunnel
Address : Protocol : ALL
IPv4Address : 15.0.0.2
Port : 1-65535
App ID : 13
App Name : udpv6
AccessType : ip-tunnel
Address : Protocol : ALL
IPv6Address : 88::93
Port : 9090
Address : Protocol : ICMP
IPv4Address : 4.1.1.1-4.1.1.10
Address : Protocol : ICMP
IPv6Address : 66::77-66::88
Table 1 Command output

| Field | Description |
|---|---|
| Total Apps | Total number of apps assigned to the SDP gateway by the SDP controller. |
| Context | SDP context to which the SDP user belongs. The SDP context name must be default. |
| Apps | Total number of apps under the SDP context. |
| App ID | ID of the app that the SDP controller assigns to users. |
| App Name | Name of the app that the SDP controller assigns to users. |
| AccessType | Access mode supported by the app: ip-tunnel (IP access mode), web-access (Web access mode), or tcp-access (TCP access mode). |
| HostName | Host name of the app. |
| Gateway Port | SDP gateway port number for the app server. This field is available only for an app of the TCP proxy type. |
| Identity Location | Location of the user token in the request message sent by the TCP app client to the SDP gateway, in the range of 1 to 65535. The value is the start bit of the user information. This field is available only for an app of the TCP proxy type. |
| Address | Address of the app. This field might appear multiple times. |
| Protocol | Protocol of the app: TCP, UDP, HTTP, HTTPS, ICMP, or ALL (TCP, UDP, and ICMP). |
| IPv4Address | IPv4 address of the app. |
| IPv6Address | IPv6 address of the app. |
| Port | Port number of the app. This field is not available for ICMP. |
# Display API resources assigned by the SDP controller to users.
<Sysname> display trusted-access controller sdp assigned-resource api
Total APIs : 2
Context : default
APIs : 2
API ID : 4
API Name : ui1
URL : /ui1
App ID : 7
API ID : 5
API Name : ui2
URL : /ui2
App ID : 7
Table 2 Command output

| Field | Description |
|---|---|
| Total APIs | Total number of APIs assigned to the SDP gateway by the SDP controller. |
| Context | SDP context to which the SDP user belongs. The SDP context name must be default. |
| APIs | Total number of APIs under the SDP context. |
| API ID | ID of the API that the SDP controller assigns to users. |
| API Name | Name of the API that the SDP controller assigns to users. |
| URL | URL suffix of the API. |
| App ID | ID of the app to which the API belongs. |
display trusted-access controller sdp default-policy
Use display trusted-access controller sdp default-policy to display the default policies assigned to the gateway by the SDP controller.
Syntax
display trusted-access controller sdp default-policy
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display the default policies assigned to the gateway by the SDP controller.
<Sysname> display trusted-access controller sdp default-policy
App default policy: Deny
API default policy: Permit
Table 3 Command output

| Field | Description |
|---|---|
| App default policy | App default policy assigned to the gateway by the SDP controller: Permit or Deny. |
| API default policy | API default policy assigned to the gateway by the SDP controller: Permit or Deny. |
display trusted-access controller sdp ip-tunnel route
Use display trusted-access controller sdp ip-tunnel route to display internal tunnel routes issued by the SDP controller to the gateway.
Syntax
display trusted-access controller sdp ip-tunnel route
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display internal tunnel routes issued by the SDP controller to the gateway.
<Sysname> display trusted-access controller sdp ip-tunnel route
State: Enabled
IPv4 route:
IPv4 address Mask length
12.1.0.0 16
13.1.1.0 24
IPv6 route:
IPv6 address Prefix length
2002::0 16
Table 4 Command output

| Field | Description |
|---|---|
| State | Enabling status of the routes issued by the SDP controller to the gateway: Enabled or Disabled. |
| IPv4 route | IPv4 route issued by the SDP controller to the gateway. |
| IPv4 address | Address of the IPv4 route. |
| Mask length | Mask length of the IPv4 route address. |
| IPv6 route | IPv6 route issued by the SDP controller to the gateway. |
| IPv6 address | Address of the IPv6 route. |
| Prefix length | Prefix length of the IPv6 route address. |
display trusted-access controller sdp mode transparent
Use display trusted-access controller sdp mode transparent to display transparent mode information deployed by the SDP controller.
Syntax
display trusted-access controller sdp mode transparent
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display transparent mode information deployed by the SDP controller.
<Sysname> display trusted-access controller sdp mode transparent
Transparent mode : Enabled
Heartbeat port : 2002
Heartbeat interval : 10 min
Table 5 Command output

| Field | Description |
|---|---|
| Transparent mode | Enabling status of transparent mode deployed by the SDP controller: Enabled or Disabled. Transparent mode applies only to zero trust scenarios in the internal network. |
| Heartbeat port | Port number of heartbeat packets. This field is available only in transparent mode. |
| Heartbeat interval | Sending interval of heartbeat packets, in minutes. This field is available only in transparent mode. |
display trusted-access controller sdp session
Use display trusted-access controller sdp session to display SDP session information.
Syntax
display trusted-access controller sdp session [ context context-name ] [ user user-name ] [ transparent ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
context context-name: Specifies an SDP context by its name. An SDP context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SDP context, this command displays detailed SDP session information in all SDP contexts.
user user-name: Specifies an SDP user by the username, a case-insensitive string of 1 to 63 characters. If you do not specify a user, this command displays detailed SDP session information for all users.
transparent: Displays transparent mode information of SDP sessions. If you do not specify this keyword, this command displays detailed SDP session information for the specified user or all users in the specified SDP context or all SDP contexts.
Examples
# Display detailed SDP session information for all users.
<Sysname> display trusted-access controller sdp session
Total users : 3
User : user1
Context : default
Created at : 13:49:27 UTC Wed 04/14/2021
Latest : 17:50:58 UTC Wed 04/14/2021
Allocated IPv4 address : 2.2.2.1
Allocated IPv6 address : 3001::C351
Session ID : 1
Send rate : 0.00 B/s
Receive rate : 0.00 B/s
Sent bytes : 0.00 B
Received bytes : 0.00 B
Mode : Tunnel
Apps : app1/permit;
User : user2
Context : default
Created at : 13:50:20 UTC Wed 04/14/2021
Latest : 17:55:58 UTC Wed 04/14/2021
Allocated IPv4 address : 2.2.2.1
Allocated IPv6 address : 3001::C34C
Session ID : 9
Send rate : 0.00 B/s
Receive rate : 0.00 B/s
Sent bytes : 0.00 B
Received bytes : 0.00 B
Mode : Transparent (client)
Apps : app1/permit;
User : user3
Context : default
Created at : 13:52:20 UTC Wed 04/14/2021
Latest : 17:59:58 UTC Wed 04/14/2021
Allocated IPv4 address : 2.2.2.2
Allocated IPv6 address : 3001::C34D
Session ID : 10
Send rate : 0.00 B/s
Receive rate : 0.00 B/s
Sent bytes : 0.00 B
Received bytes : 0.00 B
Mode : Transparent (no client)
Apps : app1/permit;
# Display SDP session information for SDP user user1.
<Sysname> display trusted-access controller sdp session user user1
User : user1
Context : default
Created at : 13:49:27 UTC Wed 04/14/2021
Latest : 17:50:58 UTC Wed 04/14/2021
Allocated IPv4 address : 2.2.2.1
Allocated IPv6 address : 3001::C34C
Session ID : 1
Send rate : 0.00 B/s
Receive rate : 0.00 B/s
Sent bytes : 0.00 B
Received bytes : 0.00 B
Mode : Tunnel
Apps : app1/permit;
# Display transparent mode information of an SDP session for SDP user user1.
<Sysname> display trusted-access controller sdp session transparent
User : user1
Context : default
Session ID : 1
Source IPv4 address : 192.0.2.1,192.67.1.1
Source IPv6 address : 12::12
Table 6 Command output

| Field | Description |
|---|---|
| Total users | Total number of SDP users. |
| User | SDP username. |
| Context | SDP context to which the SDP user belongs. The SDP context name must be default. |
| Created at | Time at which the SDP session was created. |
| Latest | Most recent time at which the SDP user accessed resources through the SDP session. |
| Allocated IPv4 address | IPv4 address allocated to the iNode client of the SDP user. This field is available only for iNode users. |
| Allocated IPv6 address | IPv6 address allocated to the iNode client of the SDP user. This field is available only for iNode users. |
| Session ID | ID of the SDP session. |
| Send rate | Sending rate of the SDP session, in B/s, KB/s, MB/s, GB/s, TB/s, or PB/s. This field is not available in transparent mode. |
| Receive rate | Receiving rate of the SDP session, in B/s, KB/s, MB/s, GB/s, TB/s, or PB/s. This field is not available in transparent mode. |
| Sent bytes | Traffic sent by the SDP session, in B, KB, MB, GB, TB, or PB. This field is not available in transparent mode. |
| Received bytes | Traffic received by the SDP session, in B, KB, MB, GB, TB, or PB. This field is not available in transparent mode. |
| Mode | SDP user access mode: Transparent (client), transparent mode with clients (transparent direct access), which applies only to zero trust scenarios in the internal network; Tunnel, IP tunnel mode; Web proxy; or Transparent (no client), transparent mode without clients (transparent direct access), which applies only to zero trust scenarios in the internal network. |
| Apps | Apps to which the SDP controller permits or denies user access. |
| APIs | APIs to which the SDP controller permits or denies user access. |
| Source IPv4 address | Source IPv4 address of the SDP user in transparent mode. |
| Source IPv6 address | Source IPv6 address of the SDP user in transparent mode. |
display trusted-access controller sdp tcp-proxy-connection
Use display trusted-access controller sdp tcp-proxy-connection to display information about the TCP proxy connections used for access to apps.
Syntax
In standalone mode:
display trusted-access controller sdp tcp-proxy-connection [ context context-name ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display trusted-access controller sdp tcp-proxy-connection [ context context-name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
context context-name: Specifies an SDP context by its name. An SDP context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SDP context, this command displays TCP proxy information for all SDP contexts.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays TCP proxy information for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays TCP proxy information for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display TCP proxy information for all SDP contexts.
<Sysname> display trusted-access controller sdp tcp-proxy-connection
Slot : 1
Total count : 2
Context : default
User : user1
Client address : 192.0.2.1
Client port : 1025
Server address : 192.168.0.39
Server port : 80
TCP connection status : Connected
User : user2
Client address : 192.0.2.4
Client port : 56190
Server address : 192.168.0.50
Server port : 23
TCP connection status : Connecting
Table 7 Command output

| Field | Description |
|---|---|
| Total count | Total number of SDP users in the SDP context. |
| Context | SDP context name. |
| User | Login name of the SDP user. |
| Client address | IP address of the SDP client. |
| Client port | Port number of the SDP client. |
| Server address | IP address of the app server. |
| Server port | Port number of the app server. |
| TCP connection status | TCP connection status: Connected or Connecting. |
sdp access-method
Use sdp access-method to specify the resource access mode through the SDP gateway.
Use undo sdp access-method to restore the default.
Syntax
sdp access-method { ip-tunnel | mix | web-access }
undo sdp access-method
Default
The resource access mode through the SDP gateway is mix.
Views
SDP trusted access controller view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-tunnel: Specifies IP access mode. In this mode, a user can use only the iNode client to log in to the SDP controller for authentication. After authentication, the user can access internal resources only through the iNode client.
mix: Specifies mix access mode. In this mode, a user must use the iNode client to log in to the SDP controller for authentication. After authentication, the user can access internal resources through a browser or the iNode client.
web-access: Specifies Web access mode. In this mode, a user can log in to the SDP controller only through browsers for authentication. After authentication, the user can access internal resources only through a browser.
Usage guidelines
This command takes effect only when SDP is enabled for trusted access control.
If you change the access mode, a user that has logged in must log in to the SDP controller again for authentication. The user can continue to access internal resources only after passing the authentication.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the Web access mode for users to access the SDP gateway.
<Sysname> system-view
[Sysname] trusted-access controller sdp
[Sysname-tac-sdp] sdp access-method web-access
Related commands
sdp enable
sdp api-access default
Use sdp api-access default to configure the default API access control rule.
Use undo sdp api-access default to restore the default.
Syntax
sdp api-access default { deny | permit }
undo sdp api-access default
Default
Users are permitted to access internal APIs through the SDP gateway.
Views
SDP trusted access controller view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
deny: Denies user access to internal APIs through the SDP gateway.
permit: Allows user access to internal APIs through the SDP gateway.
Usage guidelines
If an API is not in the API list assigned by the SDP controller, the device will deny or allow user access to the API according to the default API access control rule.
If a large number of internal APIs are available, you can manage permissions to access specific APIs. For example, deny or allow user access to an important API. For other APIs, you can use this command to configure the default API access control rule as a whole.
This command takes effect only when SDP is enabled for trusted access control.
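To make the default-rule behavior concrete, here is an added Python model (not H3C code) of how a gateway could combine the assigned app and API lists and the default policies shown by the display commands earlier in this chapter with the default API access control rule configured by this command. The matching order, the per-user verdicts for user1, and all helper names are assumptions, not the device's actual algorithm.

```python
import ipaddress
from dataclasses import dataclass

# Protocols covered by an "ALL" address entry (see Table 1 on this page).
ALL_PROTOCOLS = {"TCP", "UDP", "ICMP"}


@dataclass
class Address:
    """One Address entry of an assigned app: protocol, address range, port range."""
    protocol: str              # "ALL", "TCP", "UDP" or "ICMP"
    first: str                 # first address of the range (a host uses first == last)
    last: str
    ports: tuple = (1, 65535)  # ignored for ICMP

    def matches(self, proto, ip, port):
        allowed = ALL_PROTOCOLS if self.protocol == "ALL" else {self.protocol}
        if proto not in allowed:
            return False
        addr = ipaddress.ip_address(ip)
        lo, hi = ipaddress.ip_address(self.first), ipaddress.ip_address(self.last)
        # A version mismatch is no match (and avoids comparing IPv4 with IPv6 objects).
        if addr.version != lo.version or not lo <= addr <= hi:
            return False
        return proto == "ICMP" or self.ports[0] <= port <= self.ports[1]


@dataclass
class App:
    app_id: int
    name: str
    addresses: list


# Assigned resources, transcribed from the sample display output on this page.
APPS = [
    App(1, "udp", [Address("ALL", "15.0.0.2", "15.0.0.2")]),
    App(13, "udpv6", [Address("ALL", "88::93", "88::93", (9090, 9090)),
                      Address("ICMP", "4.1.1.1", "4.1.1.10"),
                      Address("ICMP", "66::77", "66::88")]),
]
APIS = {"/ui1": 7, "/ui2": 7}  # URL suffix -> App ID (Table 2)

# Default policies as in the sample 'display ... default-policy' output.
DEFAULTS = {"app": "deny", "api": "permit"}

# Per-user verdicts pushed by the controller, as listed under Apps/APIs in the
# session output. Constructed for user1; the page itself shows only "app1/permit".
USER_RULES = {"user1": {"apps": {"udp": "permit", "udpv6": "deny"},
                        "apis": {"/ui1": "permit"}}}


def app_decision(user, proto, ip, port=None):
    """Verdict for the assigned app that owns (proto, ip, port); no match -> app default."""
    rules = USER_RULES.get(user, {}).get("apps", {})
    for app in APPS:
        if any(a.matches(proto, ip, port) for a in app.addresses):
            return rules.get(app.name, DEFAULTS["app"])
    return DEFAULTS["app"]


def api_decision(user, url_suffix):
    """An API outside the assigned list falls back to the default API access rule."""
    if url_suffix not in APIS:
        return DEFAULTS["api"]
    return USER_RULES.get(user, {}).get("apis", {}).get(url_suffix, DEFAULTS["api"])
```

Flipping DEFAULTS["api"] to "deny" mirrors sdp api-access default deny: unlisted APIs are then refused while the explicit permit for /ui1 still applies.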
Examples
# Deny user access to internal APIs through the SDP gateway.
<Sysname> system-view
[Sysname] trusted-access controller sdp
[Sysname-tac-sdp] sdp api-access default deny
Related commands
sdp enable
sdp enable
Use sdp enable to enable SDP for trusted access control.
Use undo sdp enable to disable SDP for trusted access control.
Syntax
sdp enable
undo sdp enable
Default
SDP is disabled for trusted access control.
Views
SDP trusted access controller view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
SDP zero trust allows the device to act as an SDP gateway that cooperates with an SDP controller to authenticate and authorize users accessing a specific app or API. User identities and access permissions are then controlled centrally, which prevents unauthorized user access.
The SDP gateway uses the cloud connection feature to report its keepalive status to the SDP controller. Because the keepalive interval set on the SDP controller is 30 seconds, use cloud-management keepalive to set the interval at which the device sends keepalive packets to the cloud server to a value from 10 to 29 seconds, so that SDP trusted access control keeps operating. For more information about cloud connections, see Network Management and Monitoring Configuration Guide.
In a zero trust scenario, the SDP gateway acts as the SSL VPN gateway to connect remote users to the enterprise internal network.
Examples
# Enable SDP for trusted access control.
<Sysname> system-view
[Sysname] trusted-access controller sdp
[Sysname-tac-sdp] sdp enable
Related commands
cloud-management keepalive
spa enable
Use spa enable to enable SPA authentication.
Use undo spa enable to disable SPA authentication.
Syntax
spa enable
undo spa enable
Default
SPA authentication is disabled.
Views
SDP trusted access controller view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This command is supported only in IP access mode and mix access mode, and takes effect only when SDP is enabled for trusted access control.
In IP or mix access mode, the iNode client must first send an SPA message to the SDP gateway. The SDP gateway uses the SPA message to determine whether the client is legitimate. If the client is legitimate, the SDP gateway accepts the subsequent requests from the client. If not, the SDP gateway rejects the client's requests.
Re-enabling this feature affects online users. As a best practice, do not re-enable this feature while users are accessing resources. You can use the display trusted-access controller sdp session command to obtain information about online users.
Examples
# Enable SPA authentication.
<Sysname> system-view
[Sysname] trusted-access controller sdp
[Sysname-tac-sdp] spa enable
Related commands
sdp enable
sdp access-method
display trusted-access controller sdp session
trusted-access controller sdp
Use trusted-access controller sdp to enter SDP trusted access controller view.
Use undo trusted-access controller sdp to exit SDP trusted access controller view.
Syntax
trusted-access controller sdp
undo trusted-access controller sdp
Default
The SDP trusted access controller view does not exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Examples
# Enter SDP trusted access controller view.
<Sysname> system-view
[Sysname] trusted-access controller sdp
[Sysname-tac-sdp]
