16-Security Command Reference

H3C Access Controllers Command References (R5426P02)-6W104

URL filtering commands

The following compatibility matrixes show the support of hardware platforms for URL filtering:

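| Hardware series | Model | Product code | URL filtering compatibility |
|---|---|---|---|
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | Yes |
| WX2500H series | WX2508H-PWR-LTE | EWP-WX2508H-PWR-LTE | Yes |
| WX2500H series | WX2510H | EWP-WX2510H-PWR | Yes |
| WX2500H series | WX2510H-F | EWP-WX2510H-F-PWR | Yes |
| WX2500H series | WX2540H | EWP-WX2540H | Yes |
| WX2500H series | WX2540H-F | EWP-WX2540H-F | Yes |
| WX2500H series | WX2560H | EWP-WX2560H | Yes |
| WX3000H series | WX3010H | EWP-WX3010H | Yes |
| WX3000H series | WX3010H-X | EWP-WX3010H-X-PWR | Yes |
| WX3000H series | WX3010H-L | EWP-WX3010H-L-PWR | No |
| WX3000H series | WX3024H | EWP-WX3024H | Yes |
| WX3000H series | WX3024H-L | EWP-WX3024H-L-PWR | No |
| WX3000H series | WX3024H-F | EWP-WX3024H-F | Yes |
| WX3500H series | WX3508H | EWP-WX3508H | Yes |
| WX3500H series | WX3510H | EWP-WX3510H | Yes |
| WX3500H series | WX3520H | EWP-WX3520H | Yes |
| WX3500H series | WX3520H-F | EWP-WX3520H-F | Yes |
| WX3500H series | WX3540H | EWP-WX3540H | Yes |
| WX5500E series | WX5510E | EWP-WX5510E | Yes |
| WX5500E series | WX5540E | EWP-WX5540E | Yes |
| WX5500H series | WX5540H | EWP-WX5540H | Yes |
| WX5500H series | WX5560H | EWP-WX5560H | Yes |
| WX5500H series | WX5580H | EWP-WX5580H | Yes |
| Access controller modules | LSUM1WCME0 | LSUM1WCME0 | Yes |
| Access controller modules | EWPXM1WCME0 | EWPXM1WCME0 | Yes |
| Access controller modules | LSQM1WCMX20 | LSQM1WCMX20 | Yes |
| Access controller modules | LSUM1WCMX20RT | LSUM1WCMX20RT | Yes |
| Access controller modules | LSQM1WCMX40 | LSQM1WCMX40 | Yes |
| Access controller modules | LSUM1WCMX40RT | LSUM1WCMX40RT | Yes |
| Access controller modules | EWPXM2WCMD0F | EWPXM2WCMD0F | Yes |
| Access controller modules | EWPXM1MAC0F | EWPXM1MAC0F | Yes |

| Hardware series | Model | Product code | URL filtering compatibility |
|---|---|---|---|
| WX1800H series | WX1804H | EWP-WX1804H-PWR | Yes |
| WX1800H series | WX1810H | EWP-WX1810H-PWR | Yes |
| WX1800H series | WX1820H | EWP-WX1820H | Yes |
| WX1800H series | WX1840H | EWP-WX1840H-GL | Yes |
| WX3800H series | WX3820H | EWP-WX3820H-GL | No |
| WX3800H series | WX3840H | EWP-WX3840H-GL | No |
| WX5800H series | WX5860H | EWP-WX5860H-GL | No |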

add

Use add to add a blacklist or whitelist rule to a URL filtering policy.

Use undo add to delete a blacklist or whitelist rule from a URL filtering policy.

Syntax

add { blacklist | whitelist } [ id ] host { regex host-regex | text host-name } [ uri { regex uri-regex | text uri-name } ]

undo add { blacklist | whitelist } { id | all }

Default

No blacklist or whitelist rules exist in a URL filtering policy.

Views

URL filtering policy view

Predefined user roles

network-admin

Parameters

blacklist: Specifies the blacklist rule type.

whitelist: Specifies the whitelist rule type.

id: Specifies a rule ID. The value must be an integer in the range of 1 to 65535. The ID of a blacklist or whitelist rule must be unique among all rules of the same type. If you do not specify a rule ID, the system automatically assigns an available ID to the rule according to the largest rule ID N used on the device:

·     If N is smaller than 65535, the smallest available ID that is larger than N is used.

·     If N equals 65535, the smallest available ID is used.

host: Matches the host field in the URL.

uri: Matches the URI field in the URL.

regex regex: Specifies a case-sensitive regular expression string for fuzzy match. The string can start with only letters, digits, or underscores (_), and it must contain three consecutive non-wildcard characters.

·     If the host keyword is specified, the string can contain 3 to 224 characters.

·     If the uri keyword is specified, the string can contain 3 to 245 characters.

text string: Specifies a case-insensitive text string for exact match.

·     If the host keyword is specified, the string can contain 3 to 224 characters. Valid characters are letters, digits, underscores (_), hyphens (-), colons (:), left square brackets ([), right square brackets (]), and dots (.).

·     If the uri keyword is specified, the string can contain 3 to 245 characters.

all: Specifies all rules of the specified type.

Usage guidelines

The device supports using URL-based whitelist and blacklist rules to filter HTTP packets. If the URL in an HTTP packet matches a blacklist rule, the packet is dropped. If the URL matches a whitelist rule, the packet is permitted to pass through.

When you configure a regular expression in a blacklist or whitelist rule, follow these restrictions and guidelines:

·     The regular expression pattern can contain a maximum of four branches. For example, 'abc(c|d|e|\x3D)' is valid, and 'abc(c|onreset|onselect|onchange|style\x3D)' is invalid.

·     Nested braces are not allowed. For example, 'ab((abcs*?))' is invalid.

·     A branch cannot be specified after another branch. For example, 'ab(a|b)(c|d)^\\r\\n]+?' is invalid.

·     A minimum of four non-wildcard characters must exist before an asterisk (*) or question mark (?). For example, 'abc*' is invalid and 'abcd*DoS\x2d\d{5}\x20\x2bxi\\r\\nJOIN' is valid.

Examples

# In URL filtering policy news, add a blacklist rule to match URLs that contain games.com in the host field.

<Sysname> system-view

[Sysname] url-filter policy news

[Sysname-url-filter-policy-news] add blacklist 1 host text games.com

# In URL filtering policy news, add a whitelist rule to match URLs that contain sina.com in the host field.

[Sysname-url-filter-policy-news] add whitelist 1 host text sina.com

category action

Use category action to specify actions for a URL category.

Use undo category action to remove the action setting from a URL category.

Syntax

category category-name action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]

undo category category-name

Default

A URL category does not have any action specified.

Views

URL filtering policy view

Predefined user roles

network-admin

Parameters

category-name: Specifies a URL category by its name, a case-insensitive string of 1 to 63 characters.

action: Specifies the action for the matching packets.

block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."

drop: Drops matching packets.

permit: Permits matching packets to pass.

redirect: Redirects matching packets to a webpage.

reset: Disconnects the TCP connection for matching packets.

logging: Logs matching packets.

parameter-profile parameter-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a profile, or if the specified profile does not exist, the URL filtering action uses the default parameter settings. For information about configuring parameter profiles, see "DPI engine commands."

Usage guidelines

If an HTTP packet matches a URL filtering rule in a URL category, the action specified for the category applies to the packet.

If the packet matches none of the URL filtering rules in the URL filtering policy, the default action specified for the policy applies to the packet. If the default action is not configured, the device permits the packet to pass.

If you execute this command for a URL category multiple times, the most recent configuration takes effect.

Examples

# In the URL filtering policy news, specify the drop action for the URL category sina.

<Sysname> system-view

[Sysname] url-filter policy news

[Sysname-url-filter-policy-news] category sina action drop

Related commands

inspect block-source parameter-profile

inspect redirect parameter-profile

url-filter category

url-filter policy

default-action

Use default-action to specify the default action for a URL filtering policy.

Use undo default-action to restore the default.

Syntax

default-action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]

undo default-action

Default

A URL filtering policy does not have any default action.

Views

URL filtering policy view

Predefined user roles

network-admin

Parameters

block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."

drop: Drops matching packets.

permit: Permits packets to pass.

redirect: Redirects matching packets to a webpage.

reset: Disconnects the TCP connection for matching packets.

logging: Logs matching packets.

parameter-profile parameter-name: Specifies a DPI action parameter profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a profile, or if the specified profile does not exist, the DPI action uses the default parameter settings. For information about configuring parameter profiles for DPI actions, see "DPI engine commands."

Usage guidelines

The default action applies to packets that do not match any URL filtering rules.

Examples

# Set the default action to drop for URL filtering policy cmcc.

<Sysname> system-view

[Sysname] url-filter policy cmcc

[Sysname-url-filter-policy-cmcc] default-action drop

Related commands

inspect block-source parameter-profile

inspect redirect parameter-profile

url-filter policy

description

Use description to configure a description for a URL category.

Use undo description to restore the default.

Syntax

description text

undo description

Default

A user-defined URL category does not have a description.

Views

URL category view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-insensitive string of 1 to 255 characters. Spaces are allowed.

Usage guidelines

Use this command to configure descriptions for URL categories for easy maintenance.

Examples

# Configure the description as News information for URL category news.

<Sysname> system-view

[Sysname] url-filter category news

[Sysname-url-filter-category-news] description News information

display url-filter category

Use display url-filter category to display URL category information.

Syntax

display url-filter category [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

verbose: Displays detailed URL category information. If you do not specify this keyword, this command displays summarized URL category information.

Examples

# Display URL category information.

<Sysname> display url-filter category
URL category summary:
      Predefined categories: 108
           Predefined rules: 2000
    User-defined categories: 0
         User-defined rules: 0
URL category details:
           Name: Pre-3C
           Name: Pre-AdultPlace
           Name: Pre-Advertisement
           Name: Pre-Airplanes
           Name: Pre-Alcohol
           Name: Pre-Anime
           Name: Pre-Arts
           Name: Pre-Automobiles
           Name: Pre-Bank
           Name: Pre-BooksDownload
           Name: Pre-Business
           Name: Pre-CharityAndPublicInterest
           Name: Pre-Clothes
           Name: Pre-Community
           Name: Pre-Divining
           Name: Pre-DomainAndIDCServices

# Display detailed URL category information.

<Sysname> display url-filter category verbose
URL category summary:
      Predefined categories: 108
           Predefined rules: 2000
    User-defined categories: 0
         User-defined rules: 0
URL category details:
           Name: Pre-3C
           Type: Predefined
       Severity: 23
          Rules: 15
    Description: 3C

           Name: Pre-AdultPlace
           Type: Predefined
       Severity: 585
          Rules: 5
    Description: AdultPlace

           Name: Pre-Advertisement
           Type: Predefined
       Severity: 500
          Rules: 21

Table 1 Command output

| Field | Description |
|---|---|
| URL category summary | Total number of URL categories, including the predefined and user-defined categories. |
| Predefined categories | Number of predefined URL categories. |
| Predefined rules | Number of predefined URL filtering rules. |
| User-defined categories | Number of user-defined URL categories. |
| User-defined rules | Number of user-defined URL filtering rules. |
| URL category details | List of URL categories. |
| Name | Name of the URL category. |
| Type | Type of the URL category, Predefined or User Defined. |
| Severity | Severity level of the URL category. |
| Rules | Number of URL filtering rules in the URL category. |
| Description | Description of the URL category. |

display url-filter signature information

Use display url-filter signature information to display information about the URL filtering signature library.

Syntax

display url-filter signature information

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about the URL filtering signature library.

<Sysname> display url-filter signature information
URL filter signature library information:
Type      SigVersion         ReleaseTime               Size
Current   1.0.0              Wed Jan 21 06:43:53 2015  36096
(null)    -                  -                         -
Factory   1.0.0              Wed Jan 21 06:43:53 2015  36096

Table 2 Command output

| Field | Description |
|---|---|
| Type | Version of the URL filtering signature library: Current (current version), Last (previous version), Factory (factory default version). |
| SigVersion | Version number. |
| ReleaseTime | Time when the URL filtering signature library was released. |
| Size | Size of the URL filtering signature library, in bytes. |

display url-filter statistics

Use display url-filter statistics to display URL filtering statistics.

Syntax

display url-filter statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display URL filtering statistics.

<Sysname> display url-filter statistics
Total HTTP requests                           : 0
Total permitted HTTP requests                 : 0
Total denied HTTP requests                    : 0
Requests that matched the blacklist           : 0
Requests that matched the whitelist           : 0
Requests that matched a user-defined rule     : 0
Requests that matched a predefined rule       : 0
Requests that matched a cached rule           : 0
Requests that matched the default action      : 0
Predefined URL filtering rules                : 2000
--------------------------------------------------------------

Table 3 Command output

| Field | Description |
|---|---|
| Total HTTP requests | Total number of HTTP packets. |
| Total permitted HTTP requests | Total number of permitted HTTP packets. |
| Total denied HTTP requests | Total number of denied HTTP packets. |
| Requests that matched the blacklist | Number of HTTP packets that matched a blacklist rule. |
| Requests that matched the whitelist | Number of HTTP packets that matched a whitelist rule. |
| Requests that matched a user-defined rule | Number of HTTP packets that matched a user-defined URL filtering rule. |
| Requests that matched a predefined rule | Number of HTTP packets that matched a predefined URL filtering rule. |
| Requests that matched a cached rule | Number of HTTP packets that matched a cached URL filtering rule. |
| Requests that matched the default action | Number of HTTP packets on which the default action is executed. |
| Predefined URL filtering rules | Total number of predefined URL filtering rules. |

include pre-defined

Use include pre-defined to add the URL filtering rules of a predefined URL category to a user-defined URL category.

Use undo include pre-defined to restore the default.

Syntax

include pre-defined category-name

undo include pre-defined

Default

A user-defined URL category does not contain the URL filtering rules of any predefined URL category.

Views

URL category view

Predefined user roles

network-admin

Parameters

category-name: Specifies a predefined URL category by its name, a case-sensitive string of 1 to 63 characters. The specified URL category must exist on the device.

Usage guidelines

To simplify URL category configuration, you can use this command to add the URL filtering rules of a predefined URL category to a user-defined URL category.

You can add URL filtering rules of only one predefined URL category to a user-defined URL category. If you execute this command for a URL category multiple times, the most recent configuration takes effect.

Examples

# Add the URL filtering rules of predefined URL category pre-Arts to URL category news.

<Sysname> system-view

[Sysname] url-filter category news

[Sysname-url-filter-category-news] include pre-defined pre-Arts

rename (URL category view)

Use rename to rename a URL category.

Syntax

rename new-name

Views

URL category view

Predefined user roles

network-admin

Parameters

new-name: Specifies a new name for the URL category, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you change the name for a URL category that is used by a URL filtering policy, the URL category name in the policy is also changed.

Examples

# Rename URL category news to hello, and enter the view of URL category hello.

<Sysname> system-view

[Sysname] url-filter category news

[Sysname-url-filter-category-news] rename hello

[Sysname-url-filter-category-hello]

rename (URL filtering policy view)

Use rename to rename a URL filtering policy.

Syntax

rename new-name

Views

URL filtering policy view

Predefined user roles

network-admin

Parameters

new-name: Specifies a new name for the URL filtering policy, a case-insensitive string of 1 to 31 characters.

Usage guidelines

If you change the name of a URL filtering policy that has been assigned to a DPI application profile, the policy name in the DPI application profile is also changed.

Examples

# Rename URL filtering policy news to hello, and enter the view of URL filtering policy hello.

<Sysname> system-view

[Sysname] url-filter policy news

[Sysname-url-filter-policy-news] rename hello

[Sysname-url-filter-policy-hello]

reset url-filter statistics

Use reset url-filter statistics to clear URL filtering statistics.

Syntax

reset url-filter statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear URL filtering statistics.

<Sysname> reset url-filter statistics

Related commands

display url-filter statistics

rule

Use rule to create a URL filtering rule for a user-defined URL category.

Use undo rule to delete a URL filtering rule from a user-defined URL category.

Syntax

rule rule-id host { regex regex | text string } [ uri { regex regex | text string } ]

undo rule rule-id

Default

A user-defined URL category does not have any URL filtering rules.

Views

URL category view

Predefined user roles

network-admin

Parameters

rule-id: Assigns an ID to the URL filtering rule, in the range of 1 to 65535.

host: Matches URLs by the hostname field.

uri: Matches URLs by the URI field.

regex regex: Specifies a case-sensitive regular expression string for fuzzy match. The string can start with only letters, digits, or underscores (_), and it must contain three consecutive non-wildcard characters.

·     If the host keyword is specified, the string can contain 3 to 224 characters.

·     If the uri keyword is specified, the string can contain 3 to 253 characters.

text string: Specifies a case-insensitive text string for exact match.

·     If the host keyword is specified, the string can contain 3 to 224 characters. Valid characters are letters, digits, underscores (_), hyphens (-), colons (:), left square brackets ([), right square brackets (]), and dots (.).

·     If the uri keyword is specified, the string can contain 3 to 255 characters.

Usage guidelines

A URL filtering rule supports the following URL matching methods:

·     Exact match by text—Performs an exact text string match on the hostname or URI field of the URL.

○     If a rule is configured with the host keyword, a URL matches the rule only if it contains a host name exactly the same as the specified text string. For example, the rule 1 host text abc.com.cn command matches URLs that carry the abc.com.cn hostname, but it does not match URLs carrying the dfabc.com.cn hostname.

○     If a rule is configured with the uri keyword, a URL matches the rule if it contains a URI that begins with the complete text string in the rule. For example, the rule 2 uri text /sina/news command matches URLs that contain URIs /sina/news, /sina/news/sports, and /sina/news_sports. However, the command does not match URLs that contain URI /sina.

·     Fuzzy match by regular expression—Performs a fuzzy regular expression match on the hostname or URI field of the URL. For example, the rule 3 host regex sina.*cn command matches URLs that carry the news.sina.com.cn hostname.

When you configure a regular expression in a URL filtering rule, follow these restrictions and guidelines:

·     The regular expression pattern can contain a maximum of four branches. For example, 'abc(c|d|e|\x3D)' is valid, and 'abc(c|onreset|onselect|onchange|style\x3D)' is invalid.

·     Nested braces are not allowed. For example, 'ab((abcs*?))' is invalid.

·     A branch cannot be specified after another branch. For example, 'ab(a|b)(c|d)^\\r\\n]+?' is invalid.

·     A minimum of four non-wildcard characters must exist before an asterisk (*) or question mark (?). For example, 'abc*' is invalid and 'abcd*DoS\x2d\d{5}\x20\x2bxi\\r\\nJOIN' is valid.
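
The regular expression restrictions listed for the add and rule commands can be checked offline before a rule set is pushed to a device. The following Python linter is an added example, not H3C code. It is one interpretation of the documented restrictions: "non-wildcard" is read as any character that is not a regex metacharacter or class, the count before an asterisk or question mark covers all such characters earlier in the pattern, and lint_regex, REGEX_LIMITS and the message texts are names chosen for this example.

```python
import string

# Regex length limits documented for each (command, field) pair on this page.
REGEX_LIMITS = {
    ("add", "host"): (3, 224), ("add", "uri"): (3, 245),
    ("rule", "host"): (3, 224), ("rule", "uri"): (3, 253),
}
FIRST_CHARS = set(string.ascii_letters + string.digits + "_")
HEX_DIGITS = set(string.hexdigits)


def lint_regex(pattern, field="host", command="rule"):
    """Return the documented restrictions that `pattern` violates ([] if none)."""
    problems = []
    low, high = REGEX_LIMITS[(command, field)]
    if not low <= len(pattern) <= high:
        problems.append(f"length {len(pattern)} is outside {low}-{high}")
    if pattern[:1] not in FIRST_CHARS:
        problems.append("must start with a letter, digit, or underscore")

    literals = run = best_run = 0   # literals seen so far, current and longest run
    top_branches = 1                # alternatives outside any group
    open_groups, groups = [], []    # [start, branches] while open; (start, end, branches)
    i = 0
    while i < len(pattern):
        ch, step, literal = pattern[i], 1, False
        if ch == "\\" and i + 1 < len(pattern):
            hex_pair = pattern[i + 2:i + 4]
            if pattern[i + 1] == "x" and len(hex_pair) == 2 and set(hex_pair) <= HEX_DIGITS:
                step, literal = 4, True                 # \xHH is one literal byte
            else:
                step, literal = 2, pattern[i + 1] not in "dDwWsS"  # \d \w \s are classes
        elif ch == "[" and "]" in pattern[i + 1:]:
            step = pattern.index("]", i + 1) - i + 1    # character class counts as wildcard
        elif ch == "{" and "}" in pattern[i + 1:]:
            step = pattern.index("}", i + 1) - i + 1    # counted repetition such as {5}
        elif ch == "(":
            if open_groups:
                problems.append(f"nested group at offset {i}")
            open_groups.append([i, 1])
        elif ch == ")":
            if open_groups:
                start, branches = open_groups.pop()
                groups.append((start, i, branches))
        elif ch == "|":
            if open_groups:
                open_groups[-1][1] += 1
            else:
                top_branches += 1
        elif ch in "*?":
            if literals < 4:
                problems.append(
                    f"fewer than four non-wildcard characters before '{ch}' at offset {i}")
        elif ch not in ".+^$":
            literal = True
        if literal:
            literals, run = literals + 1, run + 1
            best_run = max(best_run, run)
        else:
            run = 0
        i += step

    if best_run < 3:
        problems.append("needs three consecutive non-wildcard characters")
    if max([top_branches] + [g[2] for g in groups]) > 4:
        problems.append("more than four branches")
    branch_groups = sorted(g for g in groups if g[2] > 1)
    for prev, nxt in zip(branch_groups, branch_groups[1:]):
        if nxt[0] == prev[1] + 1:
            problems.append(f"branch group at offset {nxt[0]} directly follows another")
    return problems


if __name__ == "__main__":
    # Patterns quoted in the restrictions above, plus the `rule 3 host regex` example.
    for pat in (r"abc(c|d|e|\x3D)", r"abc(c|onreset|onselect|onchange|style\x3D)",
                r"ab((abcs*?))", r"ab(a|b)(c|d)", "abc*", "sina.*cn"):
        print(f"{pat!r:50} {lint_regex(pat) or 'ok'}")
```

The uri length limits differ between the add command (245) and the rule command (253), so pass the command the pattern is destined for; the device remains the authority on what it accepts.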

Examples

# In URL category news, create a URL filtering rule to match URLs that carry the sina.com hostname.

<Sysname> system-view

[Sysname] url-filter category news

[Sysname-url-filter-category-news] rule 10 host text sina.com

Related commands

url-filter category

update schedule

Use update schedule to configure a schedule for automatic URL filtering signature library update.

Use undo update schedule to restore the default.

Syntax

update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes

undo update schedule

Default

The device starts the URL filtering signature library update at a random time between 01:00:00 and 03:00:00 every day.

Views

Automatic URL filtering signature library update configuration view

Predefined user roles

network-admin

Parameters

daily: Updates the URL filtering signature library every day.

weekly: Updates the URL filtering signature library every week.

fri: Updates the URL filtering signature library every Friday.

mon: Updates the URL filtering signature library every Monday.

sat: Updates the URL filtering signature library every Saturday.

sun: Updates the URL filtering signature library every Sunday.

thu: Updates the URL filtering signature library every Thursday.

tue: Updates the URL filtering signature library every Tuesday.

wed: Updates the URL filtering signature library every Wednesday.

start-time time: Specifies the start time in hh:mm:ss format. The value range is 00:00:00 to 23:59:59.

tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a random time between the following time points:

·     Start time minus half the tolerance time.

·     Start time plus half the tolerance time.

Examples

# Configure the device to automatically update the URL filtering signature library every Sunday at a random time between 20:25:00 and 20:35:00.

<Sysname> system-view

[Sysname] url-filter signature auto-update

[Sysname-url-filter-autoupdate] update schedule weekly sun start-time 20:30:00 tingle 10

Related commands

url-filter signature auto-update

url-filter apply policy

Use url-filter apply policy to apply a URL filtering policy to a DPI application profile.

Use undo url-filter apply policy to remove the URL filtering policy from a DPI application profile.

Syntax

url-filter apply policy policy-name

undo url-filter apply policy

Default

No URL filtering policy is applied to a DPI application profile.

Views

DPI application profile view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a URL filtering policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A URL filtering policy takes effect only after it is applied to a DPI application profile.

You can apply only one URL filtering policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply URL filtering policy news to DPI application profile abc.

<Sysname> system-view

[Sysname] app-profile abc

[Sysname-app-profile-abc] url-filter apply policy news

Related commands

app-profile

display app-profile

display url-filter policy

url-filter category

Use url-filter category to create a user-defined URL category and enter its view, or enter the view of an existing URL category.

Use undo url-filter category to delete a URL category.

Syntax

url-filter category category-name [ severity severity-level ]

undo url-filter category category-name

Default

The device has only predefined URL categories with the name prefix Pre-.

Views

System view

Predefined user roles

network-admin

Parameters

category-name: Specifies the URL category name, a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.). The category name cannot start with Pre-.

severity severity-level: Specifies a severity level for the URL category. The value range is 1000 to 65535, and the default is 65535. The larger the value, the higher the severity level. The severity level of each user-defined URL category must be unique. This option is required when you create a URL category.

Usage guidelines

URL filtering provides the URL categorization feature to facilitate filtering rule management.

You can classify multiple URL filtering rules into a URL category and specify an action for the category. If a matching rule is in multiple URL categories, the system takes the action for the category with the highest severity level.

URL filtering supports the following types of URL categories:

·     Predefined URL categories.

The predefined URL categories contain the predefined URL filtering rules. Each predefined URL category has a unique severity level in the range of 1 to 999, and a category name that begins with Pre-. Predefined URL categories cannot be modified.

·     User-defined URL categories.

You can create user-defined URL categories and configure filtering rules for them. The severity level of a user-defined URL category is in the range of 1000 to 65535. You can edit the filtering rules and change the severity level for a user-defined URL category.
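
The matching rules of the rule command, the severity precedence described above, and the default-action fallback can be modeled offline to see what a policy would do with a given request before it is applied. The following Python model is an added example, not H3C code. It assumes that Python's re.search stands in for the device's regular expression engine (unanchored match), that a rule with both host and uri requires both to match, and that only categories given an action in the policy are evaluated; blacklist and whitelist rules from the add command are not modeled, and all names and sample rules are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


def _field_matches(pattern, is_regex, value, prefix):
    if is_regex:
        # regex: case-sensitive fuzzy match (assumed unanchored, like re.search)
        return re.search(pattern, value) is not None
    pattern, value = pattern.lower(), value.lower()   # text: case-insensitive
    return value.startswith(pattern) if prefix else value == pattern


@dataclass
class Rule:
    host: str
    host_regex: bool = False
    uri: Optional[str] = None
    uri_regex: bool = False

    def matches(self, host, uri):
        # host text is an exact match; uri text matches when the URI begins with it.
        if not _field_matches(self.host, self.host_regex, host, prefix=False):
            return False
        return self.uri is None or _field_matches(self.uri, self.uri_regex, uri, prefix=True)


@dataclass
class Category:
    name: str
    severity: int          # user-defined categories use 1000 to 65535
    rules: List[Rule]


def decide(host, uri, categories, category_actions, default_action=None):
    """Return (action, reason) for one HTTP request under one URL filtering policy."""
    hits = [c for c in categories
            if c.name in category_actions and any(r.matches(host, uri) for r in c.rules)]
    if hits:
        winner = max(hits, key=lambda c: c.severity)   # highest severity wins
        return category_actions[winner.name], f"category {winner.name}"
    if default_action is not None:
        return default_action, "default-action"
    return "permit", "no default-action"               # unmatched traffic passes


# Constructed sample policy (illustrative, not taken from a device).
CATEGORIES = [
    Category("news", 2000, [Rule("sina.com"), Rule("sina.*cn", host_regex=True)]),
    Category("games", 3000, [Rule("games.com"),
                             Rule("news.sina.com.cn", uri="/games")]),
]
ACTIONS = {"news": "permit", "games": "drop"}   # category <name> action <action>


def audit(requests, default_action=None):
    """Evaluate (host, uri) pairs against the sample policy."""
    return [(h, u) + decide(h, u, CATEGORIES, ACTIONS, default_action)
            for h, u in requests]


if __name__ == "__main__":
    sample = [("games.com", "/"), ("www.games.com", "/"),
              ("news.sina.com.cn", "/games/x"), ("sina-cn.example.net", "/")]
    for row in audit(sample):
        print(row)
```

In the sample, www.games.com is not covered by the exact-match rule for games.com and is permitted because no default action is set, and the unanchored expression sina.*cn also matches the unrelated host sina-cn.example.net.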

Examples

# Create a URL category named news and set its severity level to 2000.

<Sysname> system-view

[Sysname] url-filter category news severity 2000

[Sysname-url-filter-category-news]

Related commands

display url-filter category

url-filter copy category

Use url-filter copy category to copy a URL category.

Syntax

url-filter copy category old-name new-name severity severity-level

Views

System view

Predefined user roles

network-admin

Parameters

old-name: Specifies the name of the URL category to be copied. The specified URL category must already exist.

new-name: Specifies a name for the new URL category. The name is a case-insensitive string of 1 to 63 characters and cannot begin with Pre.

severity severity-level: Assigns a unique severity level to the new URL category. The value range is 1000 to 65535. The larger the value, the higher the severity level.

Usage guidelines

This command allows you to create a new URL category by copying an existing one.

Examples

# Create URL category test by copying URL category news.

<Sysname> system-view

[Sysname] url-filter copy category news test severity 1001

[Sysname-url-filter-category-test]

Related commands

url-filter category

url-filter copy policy

Use url-filter copy policy to copy a URL filtering policy.

Syntax

url-filter copy policy old-name new-name

Views

System view

Predefined user roles

network-admin

Parameters

old-name: Specifies the name of the URL filtering policy to be copied, a case-insensitive string of 1 to 31 characters.

new-name: Specifies a name for the new URL filtering policy, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command allows you to create a new URL filtering policy by copying an existing one.

Examples

# Create two URL filtering policies by copying URL filtering policy news.

<Sysname> system-view

[Sysname] url-filter copy policy news news_1

[Sysname-url-filter-policy-news_1] quit

[Sysname] url-filter copy policy news news_2

[Sysname-url-filter-policy-news_2] quit

Related commands

url-filter policy

url-filter log directory root

Use url-filter log directory root to configure URL filtering to log only access to resources in the root directories of websites.

Use undo url-filter log directory root to restore the default.

Syntax

url-filter log directory root

undo url-filter log directory root

Default

URL filtering logs access to Web resources in all directories.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After this command is configured, the url-filter log except pre-defined and url-filter log except user-defined commands become invalid.

Examples

# Configure URL filtering to log only access to resources in the root directories of websites.

<Sysname> system-view

[Sysname] url-filter log directory root

Related commands

category action logging

default-action logging

url-filter log except pre-defined

url-filter log except user-defined

url-filter log enable

Use url-filter log enable to enable DPI engine logging.

Use undo url-filter log enable to disable DPI engine logging.

Syntax

url-filter log enable

undo url-filter log enable

Default

DPI engine logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

You can enable DPI engine logging for audit. Log messages generated by DPI engine are output to the device information center. The information center then sends the messages to designated destinations based on log output rules. For more information about the information center, see System Management Configuration Guide.

DPI engine logging is memory intensive. To guarantee system performance, enable DPI engine logging only when necessary.

Examples

# Enable DPI engine logging.

<Sysname> system-view

[Sysname] url-filter log enable

url-filter log except pre-defined

Use url-filter log except pre-defined to disable URL filtering logging for access to resources of a predefined resource type.

Use undo url-filter log except pre-defined to enable URL filtering logging for access to resources of a predefined resource type.

Syntax

url-filter log except pre-defined { css | gif | ico | jpg | js | png | swf | xml }

undo url-filter log except pre-defined { css | gif | ico | jpg | js | png | swf | xml }

Default

URL filtering does not log access to resources of the predefined resource types (CSS, GIF, ICO, JPG, JS, PNG, SWF, and XML resources).

Views

System view

Predefined user roles

network-admin

Parameters

css: Specifies the CSS resource type.

gif: Specifies the GIF resource type.

ico: Specifies the ICO resource type.

jpg: Specifies the JPG resource type.

js: Specifies the JS resource type.

png: Specifies the PNG resource type.

swf: Specifies the SWF resource type.

xml: Specifies the XML resource type.

Usage guidelines

Repeat this command to disable URL filtering logging for access to multiple types of predefined resources.

This command does not take effect if the url-filter log directory root command is configured. For this command to take effect, you must first execute the undo url-filter log directory root command.

Examples

# Disable URL filtering logging for access to CSS resources.

<Sysname> system-view

[Sysname] url-filter log except pre-defined css

Related commands

category action logging

default-action logging

url-filter log directory root

url-filter log except user-defined

url-filter log except user-defined

Use url-filter log except user-defined to disable URL filtering logging for access to resources of a user-defined resource type.

Use undo url-filter log except user-defined to enable URL filtering logging for access to resources of a user-defined resource type.

Syntax

url-filter log except user-defined text

undo url-filter log except user-defined [ text ]

Default

URL filtering logs access to all resources except for resources of the predefined types.

Views

System view

Predefined user roles

network-admin

Parameters

text: Specifies a Web resource type. The value is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Repeat this command to disable URL filtering logging for access to multiple types of user-defined resources.

This command does not take effect if the url-filter log directory root command is configured. For this command to take effect, you must first execute the undo url-filter log directory root command.

Executing the undo url-filter log except user-defined command without the text parameter enables URL filtering logging for access to all resources except resources of the predefined resource types.

Examples

# Disable URL filtering logging for access to HTML resources.

<Sysname> system-view

[Sysname] url-filter log except user-defined html
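# The logging exception rules described for url-filter log except pre-defined and url-filter log except user-defined, replayed over a list of commands to show which resource types end up missing from the URL filtering log. This is an added Python example, not H3C code. The function name, result keys, and sample commands are constructed, and the example assumes the user-defined text is a single word.

```python
PREDEFINED = frozenset({"css", "gif", "ico", "jpg", "js", "png", "swf", "xml"})


def logging_exceptions(commands):
    """Replay system-view commands in order and return the resulting state."""
    predefined = set(PREDEFINED)  # default: predefined types are not logged
    user_defined = set()          # default: every other type is logged
    directory_root = False
    for line in commands:
        words = line.lower().split()  # user-defined text is case-insensitive
        undo = bool(words) and words[0] == "undo"
        if undo:
            words = words[1:]
        if words == ["url-filter", "log", "directory", "root"]:
            directory_root = not undo
        elif words[:4] == ["url-filter", "log", "except", "pre-defined"]:
            if len(words) != 5 or words[4] not in PREDEFINED:
                raise ValueError(f"not a predefined resource type: {line!r}")
            (predefined.discard if undo else predefined.add)(words[4])
        elif words[:4] == ["url-filter", "log", "except", "user-defined"]:
            if undo and len(words) == 4:
                user_defined.clear()  # undo without text: all are logged again
            elif len(words) == 5 and 1 <= len(words[4]) <= 63:
                (user_defined.discard if undo else user_defined.add)(words[4])
            else:
                raise ValueError(f"bad user-defined resource type: {line!r}")
    return {
        "not_logged_predefined": sorted(predefined),
        "not_logged_user_defined": sorted(user_defined),
        # Both except lists are ignored while url-filter log directory root is set.
        "exceptions_in_effect": not directory_root,
    }


# Constructed command sequence, not taken from a real device.
SAMPLE = [
    "url-filter log enable",
    "undo url-filter log except pre-defined js",
    "url-filter log except user-defined HTML",
    "url-filter log except user-defined json",
    "undo url-filter log except user-defined json",
]
```

With SAMPLE, access to JS resources is logged again, HTML is the only user-defined type left out of the log, and the remaining seven predefined types stay unlogged.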

Related commands

category action logging

default-action logging

url-filter log directory root

url-filter log except pre-defined

url-filter policy

Use url-filter policy to create a URL filtering policy and enter its view, or enter the view of an existing URL filtering policy.

Use undo url-filter policy to delete a URL filtering policy.

Syntax

url-filter policy policy-name

undo url-filter policy policy-name

Default

No URL filtering policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Assigns a name to the URL filtering policy, a case-insensitive string of 1 to 31 characters.

Usage guidelines

In a URL filtering policy, you can specify an action for each URL category. You can also use the default action command to specify the default action for packets that do not match any URL filtering rules in the policy.

A URL filtering policy takes effect only after it is applied to a DPI application profile. For information about DPI application profiles, see DPI engine configuration in Security Configuration Guide.

If DRS is enabled, a URL filtering policy cannot be named drs. This restriction avoids configuration changes or other unexpected errors after a reboot. To enable DRS, use the wlan drs enable command. For more information about DRS, see WLAN DRS in WLAN Command Reference.

Examples

# Create a URL filtering policy named news and enter its view.

<Sysname> system-view

[Sysname] url-filter policy news

[Sysname-url-filter-policy-news]

url-filter signature auto-update

Use url-filter signature auto-update to enable automatic URL filtering signature library update and enter automatic URL filtering signature library update configuration view.

Use undo url-filter signature auto-update to disable automatic URL filtering signature library update.

Syntax

url-filter signature auto-update

undo url-filter signature auto-update

Default

Automatic URL filtering signature library update is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The automatic update enables the device to periodically access the company's website to download the latest URL filtering signatures and update the local signature library.

You can schedule the time for automatic signature update by using the update schedule command.

Examples

# Enable automatic URL filtering signature library update and enter automatic URL filtering signature library update configuration view.

<Sysname> system-view

[Sysname] url-filter signature auto-update

[Sysname-url-filter-autoupdate]

Related commands

update schedule

url-filter signature auto-update-now

Use url-filter signature auto-update-now to trigger an automatic URL filtering signature library update manually.

Syntax

url-filter signature auto-update-now

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command immediately starts the automatic signature library update process. The device accesses the company's website to update the local URL filtering signature library.

You can execute this command whenever you find a new version of the signature library on the company's website.

Examples

# Trigger an automatic URL filtering signature library update manually.

<Sysname> system-view

[Sysname] url-filter signature auto-update-now

url-filter signature rollback

Use url-filter signature rollback to roll back the URL filtering signature library.

Syntax

url-filter signature rollback { factory | last }

Views

System view

Predefined user roles

network-admin

Parameters

factory: Rolls back the URL filtering signature library to the factory default version.

last: Rolls back the URL filtering signature library to the previous version.

Usage guidelines

If a URL filtering signature library update causes exceptions or a high false alarm rate, you can roll back the URL filtering signature library.

Before rolling back the URL filtering signature library, the device backs up the current signature library as the "previous version." For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.

Examples

# Roll back the URL filtering signature library to the previous version.

<Sysname> system-view

[Sysname] url-filter signature rollback last

url-filter signature update

Use url-filter signature update to manually update the URL filtering signature library.

Syntax

url-filter signature update file-path

Views

System view

Predefined user roles

network-admin

Parameters

file-path: Specifies the URL filtering signature file path, a string of 1 to 255 characters.

Usage guidelines

If the device cannot access the company's website, use one of the following methods to manually update the URL filtering signature library:

·     Local update—Updates the URL filtering signature library on the device by using a URL filtering signature update file that is stored locally.

(In IRF mode.) Store the update file on the master device for successful signature library update.

The following describes the format of the file-path parameter for different update scenarios.

| Update scenario | Format of file-path | Remarks |
|---|---|---|
| The update file is stored in the current working directory. | filename | To display the current working directory, use the pwd command (see file system management in Fundamentals Command Reference). |
| The update file is stored in a different directory on the same storage medium. | filename | Before updating the signature library, you must first use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
| The update file is stored on a different storage medium. | path/filename | Before updating the signature library, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |

·     FTP/TFTP update—Updates the URL filtering signature library on the device by using the file stored on the FTP or TFTP server.

The following describes the format of the file-path parameter for different update scenarios.

| Update scenario | Format of file-path | Remarks |
|---|---|---|
| The update file is stored on an FTP server. | ftp://username:password@server address/filename | The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: colon (:) with %3A or %3a; at sign (@) with %40; forward slash (/) with %2F or %2f. |
| The update file is stored on a TFTP server. | tftp://server address/filename | The server address parameter represents the IP address or host name of the TFTP server. |

NOTE:

To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Network Connectivity Configuration Guide.

Examples

# Manually update the local URL filtering signature library by using a signature file stored on a TFTP server.

<Sysname> system-view

[Sysname] url-filter signature update tftp://192.168.0.10/url-filter-1.0.2-en.dat

# Manually update the local URL filtering signature library by using a signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.

<Sysname> system-view

[Sysname] url-filter signature update ftp://user%3A123:user%40abc%2F123@192.168.0.10/url-filter-1.0.2-en.dat

# Manually update the local URL filtering signature library by using a signature file stored on the device. The file is stored in directory cfa0:/url-filter-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> system-view

[Sysname] url-filter signature update url-filter-1.0.23-en.dat

# Manually update the local URL filtering signature library by using a signature file stored on the device. The file is stored in directory cfa0:/dpi/url-filter-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> cd dpi

<Sysname> system-view

[Sysname] url-filter signature update url-filter-1.0.23-en.dat

# Manually update the local URL filtering signature library by using a signature file stored on the device. The file is stored in directory cfb0:/dpi/url-filter-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> cd cfb0:/

<Sysname> system-view

[Sysname] url-filter signature update dpi/url-filter-1.0.23-en.dat
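
# The escape rules for the FTP login username and password, applied when building the file-path argument and checked against the FTP example above. This is an added Python example, not H3C code. All function names are constructed, and splitting on the first delimiter is an assumption, because this reference does not describe how the device parses the string.

```python
# Only the three replacements this reference lists are applied; it does not
# say how other characters are handled, so they pass through unchanged.
ESCAPES = {":": "%3A", "@": "%40", "/": "%2F"}
MAX_LEN = 255  # file-path is a string of 1 to 255 characters


def escape_credential(value):
    """Replace the delimiter characters in an FTP username or password."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def unescape_credential(value):
    """Inverse of escape_credential; accepts %3A/%3a and %2F/%2f."""
    for char, code in ESCAPES.items():
        value = value.replace(code, char).replace(code.lower(), char)
    return value


def _checked(path):
    if not 1 <= len(path) <= MAX_LEN:
        raise ValueError(f"file-path is {len(path)} characters, limit is {MAX_LEN}")
    return path


def ftp_file_path(username, password, server, filename):
    creds = f"{escape_credential(username)}:{escape_credential(password)}"
    return _checked(f"ftp://{creds}@{server}/{filename}")


def tftp_file_path(server, filename):
    return _checked(f"tftp://{server}/{filename}")


def split_ftp_file_path(path):
    """Split on the first '@', ':' and '/' (assumed parsing), then unescape."""
    creds, _, location = path[len("ftp://"):].partition("@")
    username, _, password = creds.partition(":")
    server, _, filename = location.partition("/")
    return (unescape_credential(username), unescape_credential(password),
            server, filename)


# Credentials from the FTP example in this section.
GOOD = ftp_file_path("user:123", "user@abc/123", "192.168.0.10",
                     "url-filter-1.0.2-en.dat")
# The same credentials pasted in unescaped: the delimiters become ambiguous.
BAD = "ftp://user:123:user@abc/123@192.168.0.10/url-filter-1.0.2-en.dat"
```

Splitting BAD under the stated assumption yields abc as the server and truncates the username to user, which is why the three characters must be escaped before the credentials are placed in the path.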