22-DPI Configuration Guide

04-URL filtering configuration

Contents

Configuring URL filtering
  About URL filtering
    URL
    URL filtering rule
    URL category
    URL filtering policy
    URL filtering whitelist/blacklist rule
    URL filtering mechanism
    URL filtering signature library management
  Restrictions: Hardware compatibility with URL filtering
  Licensing requirements
  URL filtering tasks at a glance
  Prerequisites for URL filtering
  Configuring a URL category
  Configuring URL filtering cloud query
  Configuring a URL filtering policy
  Copying a URL filtering policy or category
    Copying a URL filtering policy
    Copying a URL filtering category
  Applying a URL filtering policy to a DPI application profile
  Activating URL filtering policy and rule settings
  Using the DPI application profile in an object policy rule
  Managing the URL filtering signature library
    Restrictions and guidelines
    Scheduling automatic URL filtering signature library update
    Triggering an immediate URL filtering signature update
    Performing a URL filtering signature manual update
    Rolling back the URL filtering signature library
  Enabling DPI engine logging
  Configuring URL filtering logging for resource access
    About URL filtering logging for resource access
    Logging access to only resources in the root directories of websites
    Disabling logging for access to resources of specific types
  Display and maintenance commands for URL filtering
  URL filtering configuration examples
    Example: Using a URL filtering policy in an object policy
    Example: Manually updating the URL filtering signature library
    Example: Configuring automatic URL filtering signature library update


Configuring URL filtering

About URL filtering

URL filtering controls access to Web resources by filtering the URLs that users visit.

The software supports URL filtering for HTTP traffic only.

URL

A URL is a reference to a resource that specifies the location of the resource on a network and a mechanism for retrieving it. The syntax of a URL is protocol://host [:port]/path/[;parameters][?query]#fragment. Figure 1 shows an example URL.

Figure 1 URL syntax


Table 1 describes the fields in a URL.

Table 1 URL field descriptions

Field: Description

protocol: Transmission protocol, such as HTTP.

host: Domain name or IP address of the server where the indicated resource is located.

[:port]: Optional field that identifies the port number of the transmission protocol. If this field is omitted, the default port number of the protocol is used.

/path/: String that identifies the directory or file where the indicated resource is stored. The path is a sequence of segments separated by forward slashes.

[parameters]: Optional field that contains special parameters.

[?query]: Optional field that contains parameters to be passed to the software for querying dynamic webpages. Each parameter is a <key>=<value> pair. Different parameters are separated by an ampersand (&).

URI: Uniform resource identifier that identifies a resource on a network.

URL filtering rule

A URL filtering rule matches URLs based on the content in the URI or hostname field.

URL filtering rule type

URL filtering provides the following types of URL filtering rules:

·     Predefined URL filtering rules—Signature-based URL filtering rules. The device automatically generates them based on the local URL filtering signatures. In most cases, the predefined rules are sufficient for URL filtering.

·     User-defined URL filtering rules—Regular expression- or text-based URL filtering rules that are manually configured.

URL filtering rule matching method

A URL filtering rule supports the following URL matching methods:

·     Text-based matching—Matches the hostname and URI fields of a URL against text patterns.

When performing text-based matching for the hostname field of a URL, the device first determines if the text pattern contains the asterisk (*) wildcard character at the beginning or end.

¡     If the text pattern does not contain the asterisk (*) wildcard character at the beginning or end, the hostname matching succeeds if the hostname of the URL matches the text pattern.

¡     If the text pattern contains the asterisk (*) wildcard character at the beginning, the hostname matching succeeds if the hostname of the URL matches or ends with the text pattern without the wildcard character.

¡     If the text pattern contains the asterisk (*) wildcard character at the end, the hostname matching succeeds if the hostname of the URL matches or starts with the text pattern without the wildcard character.

¡     If the text pattern contains the asterisk (*) wildcard character at both the beginning and the end, the hostname matching succeeds if the hostname of the URL matches or includes the text pattern without the wildcard characters.

Text-based matching for the URI field works in the same way that text-based matching for the hostname field works.

·     Regular expression-based matching—Matches the hostname and URI fields of a URL against regular expressions. For example, if you set the regular expression for hostname matching to sina.*cn, URLs that carry the news.sina.com.cn hostname will be matched.

URL category

URL filtering provides the URL categorization feature to facilitate filtering rule management.

You can assign multiple URL filtering rules to a URL category and specify an action for the category. If a matching rule is in multiple URL categories, the system takes the action for the category with the highest severity level.

URL filtering supports the following types of URL categories:

·     Predefined URL categories.

The predefined URL categories contain the predefined URL filtering rules. Each predefined URL category has a unique severity level in the range of 1 to 999, and a category name that begins with Pre-. Predefined URL categories cannot be modified.

The device supports two levels of URL categories: child URL category and parent URL category.

Parent URL categories are predefined and contain only predefined child URL categories.

·     User-defined URL categories.

You can manually create URL categories and configure filtering rules for them. The severity level of a user-defined URL category is in the range of 1000 to 65535. You can edit the filtering rules and change the severity level for a user-defined URL category.

URL filtering policy

A URL filtering policy can contain multiple URL categories, and each category has an action defined for packets that match a filtering rule in the category. You can also specify the default action for packets that do not match any filtering rules in the policy. URL filtering actions include drop, permit, block source, reset, redirect, and logging.

URL filtering whitelist/blacklist rule

The device supports using URL-based whitelist and blacklist rules to filter HTTP packets. If the URL in an HTTP packet matches a blacklist rule, the packet is dropped. If the URL matches a whitelist rule, the packet is permitted to pass through.

URL filtering mechanism

URL filtering takes effect after you apply a URL filtering policy to a DPI application profile and use the DPI application profile in an object policy rule.

As shown in Figure 2, upon receiving a packet, the device performs the following operations:

1.     The device compares the packet with the object policy rules.

If the packet matches a rule that is associated with a URL filtering policy (through a DPI application profile), the device extracts the URL from the packet.

For more information about object policies, see object policy configuration in Security Configuration Guide.

2.     The device compares the extracted URL with the rules in the URL filtering policy.

¡     If the URL matches a rule, the device determines the actions for the packet as follows:

-     If the matching rule is a whitelist rule, the packet is permitted to pass through.

-     If the matching rule is a blacklist rule, the packet is dropped.

-     If the matching rule is a URL filtering rule, the device takes the actions specified for the URL category to which the rule belongs.

If the URL filtering rule belongs to multiple URL categories, the actions specified for the URL category with the highest severity level apply.

¡     If the URL does not match any rule in the policy, and cloud query is disabled in the policy, the default action specified for the policy applies. If the default action is not configured, the device permits the packet to pass through.

¡     If the URL does not match any rule in the policy, and cloud query is enabled in the policy, the device performs step 3.

3.     The device forwards the URL to the cloud server for further query.

¡     If a matching rule is found for the URL, the actions specified for the URL category to which the rule belongs apply. If the rule belongs to multiple URL categories, the actions specified for the category with the highest severity level apply.

¡     If no matching rule is found, the device executes the default action of the policy on the packet. If the default action is not configured, the device permits the packet to pass through.

Figure 2 URL filtering mechanism
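The following Python model is an added illustration of the matching and decision flow described above (the URL fields of Table 1, the text-based and regular-expression matching methods, category severity precedence, whitelist/blacklist rules, the default action and the cloud query step). It is not H3C code and it does not run on the router; the rule, category and policy objects, the sample rules, the Pre-Games severity and the cloud query stub are all constructed for this example. Two points the guide leaves open are handled as labelled assumptions: whitelist rules are consulted before blacklist rules, and a category with no action configured in the policy does not produce a decision.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlsplit


def split_url(url: str) -> tuple[str, str]:
    """Split a URL into the two fields rules match on: hostname and URI.
    The URI keeps path, ';parameters' and '?query'; the fragment is dropped."""
    parts = urlsplit(url)
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return (parts.hostname or "").lower(), uri


def text_match(pattern: str, value: str) -> bool:
    """Text-based matching with the leading/trailing '*' rules of the guide:
    no '*' -> exact match; '*abc' -> ends with abc; 'abc*' -> starts with abc;
    '*abc*' -> contains abc."""
    lead, trail = pattern.startswith("*"), pattern.endswith("*")
    core = pattern[1 if lead else 0:len(pattern) - 1 if trail else len(pattern)]
    if lead and trail:
        return core in value
    if lead:
        return value.endswith(core)
    if trail:
        return value.startswith(core)
    return value == pattern


@dataclass
class Rule:
    """Host pattern plus optional URI pattern; text patterns unless regex=True."""
    host: str
    uri: Optional[str] = None
    regex: bool = False

    def matches(self, hostname: str, uri: str) -> bool:
        if self.regex:
            host_ok = re.search(self.host, hostname) is not None
            uri_ok = self.uri is None or re.search(self.uri, uri) is not None
        else:
            host_ok = text_match(self.host, hostname)
            uri_ok = self.uri is None or text_match(self.uri, uri)
        return host_ok and uri_ok


@dataclass
class Category:
    name: str
    severity: int            # larger value = higher severity
    rules: list[Rule]


@dataclass
class Policy:
    categories: list[Category]
    actions: dict[str, str]  # category name -> action
    whitelist: list[Rule] = field(default_factory=list)
    blacklist: list[Rule] = field(default_factory=list)
    default_action: Optional[str] = None
    # Stand-in for the cloud query server: returns a category name or None.
    cloud_query: Optional[Callable[[str], Optional[str]]] = None


def evaluate(policy: Policy, url: str) -> tuple[str, str]:
    """Steps 2 and 3 of the guide for one URL; returns (action, reason).
    Assumption: whitelist is checked before blacklist."""
    host, uri = split_url(url)
    if any(r.matches(host, uri) for r in policy.whitelist):
        return "permit", "whitelist"
    if any(r.matches(host, uri) for r in policy.blacklist):
        return "drop", "blacklist"
    # Assumption: only categories with an action in the policy can decide.
    hits = [c for c in policy.categories if c.name in policy.actions
            and any(r.matches(host, uri) for r in c.rules)]
    if hits:
        top = max(hits, key=lambda c: c.severity)  # highest severity wins
        return policy.actions[top.name], f"category {top.name}"
    if policy.cloud_query is not None:             # step 3: cloud query
        name = policy.cloud_query(url)
        if name is not None and name in policy.actions:
            return policy.actions[name], f"cloud category {name}"
    return policy.default_action or "permit", "default"


# Constructed sample policy mirroring the configuration example in this guide
# (user-defined "news" permitted, predefined "Pre-Games" dropped). The
# Pre-Games rules/severity and the cloud lookup table are invented here.
SAMPLE_POLICY = Policy(
    categories=[
        Category("news", 2000, [Rule("www.sina.com")]),
        Category("Pre-Games", 120, [Rule("*games.example"),
                                    Rule("www.sina.com", uri="/games*")]),
    ],
    actions={"news": "permit", "Pre-Games": "drop"},
    whitelist=[Rule("*.example", uri="/status*")],
    blacklist=[Rule("bad.example")],
    default_action="drop",
    cloud_query=lambda u: {"arcade.test": "Pre-Games"}.get(split_url(u)[0]),
)

if __name__ == "__main__":
    for u in ["http://www.sina.com/news", "http://www.sina.com/games/1",
              "http://play.games.example/lobby", "http://api.example/status",
              "http://bad.example/login", "http://arcade.test/", "http://other.test/"]:
        print(u, "->", evaluate(SAMPLE_POLICY, u))
```

The URL http://www.sina.com/games/1 is the instructive case: it matches a rule in both sample categories, and the permit action of news (severity 2000) wins over the drop action of Pre-Games (severity 120), exactly as the severity rule above prescribes. Swap the severities and the same URL is dropped.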

URL filtering signature library management

The device uses the local URL filtering signature library to identify URLs in the HTTP packets.

You can update the device URL filtering signature library to the most up-to-date version or roll back the library to an earlier version.

Updating the URL filtering signature library

The following methods are available for updating the URL filtering signature library on the device:

·     Automatic update.

The device periodically accesses the company's website and automatically downloads the most up-to-date URL filtering signature file to update its local signature library.

·     Triggered update.

The device downloads the most up-to-date URL filtering signature file from the company's website and updates its local signature library immediately after you trigger the operation.

·     Manual update.

Use this method when the device cannot connect to the company's website.

You must manually download the most up-to-date URL filtering signature file from the company's website, and then use the file to update the signature library on the device.

Rolling back the URL filtering signature library

If filtering false alarms or filtering exceptions occur frequently, you can roll back the URL filtering signature library to the previous version or to the factory default version.

Restrictions: Hardware compatibility with URL filtering

Hardware: URL filtering compatibility

MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LMS-EA: Yes

MSR810-LMS, MSR810-LUS: No

MSR2600-6-X1, MSR2600-10-X1: Yes

MSR 2630: Yes

MSR3600-28, MSR3600-51: Yes

MSR3600-28-SI, MSR3600-51-SI: No

MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP: Yes

MSR3610-I-DP, MSR3610-IE-DP: Yes

MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC: Yes

MSR 3610, MSR 3620, MSR 3620-DP, MSR 3640, MSR 3660: Yes

MSR3610-G, MSR3620-G: Yes

Licensing requirements

The URL filtering module requires a license to run on the device. If the license expires, the existing URL filtering signature library is still available but you cannot upgrade the signature library on the device. For more information about licenses, see license management in Fundamentals Configuration Guide.

URL filtering tasks at a glance

To configure URL filtering:

1.     Configuring a URL category

2.     (Optional.) Configuring URL filtering cloud query

3.     Configuring a URL filtering policy

4.     (Optional.) Copying a URL filtering policy or category

5.     Applying a URL filtering policy to a DPI application profile

6.     Activating URL filtering policy and rule settings

7.     Using the DPI application profile in an object policy rule

8.     Managing the URL filtering signature library

9.     (Optional.) Enabling DPI engine logging

10.     (Optional.) Configuring URL filtering logging for resource access

Prerequisites for URL filtering

In multi-MDC scenarios, activate the DPI engine on the default MDC before you configure the URL filtering service on non-default MDCs. To activate the DPI engine on the default MDC, use one of the following methods:

·     Execute the inspect activate command in system view of the default MDC.

·     Configure the URL filtering service on the default MDC.

For more information about MDCs, see MDC configuration in Virtual Technologies Configuration Guide.

Configuring a URL category

About configuring a URL category

Perform this task to create a user-defined URL category and configure filtering rules for it to meet specific URL filtering requirements.

Restrictions and guidelines

When creating a URL category, you must assign a unique severity level in the range of 1000 to 65535 to the URL category. The larger the value, the higher the severity level.

Procedure

1.     Enter system view.

system-view

2.     Create a URL category and enter its view.

url-filter category category-name [ severity severity-level ]

By default, the device provides predefined URL categories with names starting with Pre-.

The name of a user-defined URL category cannot start with Pre-.

3.     (Optional.) Configure a description for the URL category.

description text

4.     Configure URL filtering rules for the URL category. Choose the options to configure as needed:

¡     Configure a URL filtering rule.

rule rule-id host { regex regex | text string } [ uri { regex regex | text string } ]

¡     (Optional.) Add the URL filtering rules of a predefined URL category to the URL category.

include pre-defined category-name

By default, a user-defined URL category does not contain the URL filtering rules of any predefined URL category.

5.     (Optional.) Rename the URL category.

rename new-name

Configuring URL filtering cloud query

About URL filtering cloud query

The URL filtering cloud query feature enables the system to send URLs that do not match any local URL filtering rules to the cloud server for further query. This helps improve URL filtering accuracy for HTTP traffic.

The device caches the URL filtering rules returned from the cloud query server in the URL filtering cache. You can set the maximum number of rules that can be cached, and the minimum cache period for the cached rules. For more information about the cloud query server, see "Configuring the DPI engine."

Procedure

1.     Enter system view.

system-view

2.     Specify the cloud query server.

inspect cloud-server host-name

By default, cloud query server sec.h3c.com is used.

3.     (Optional.) Set URL filtering cache size.

url-filter cache size cache-size

The URL filtering cache can cache a maximum of 16384 entries.

4.     (Optional.) Set the minimum cache period for URL filtering rules.

url-filter cache-time value

By default, the minimum cache period is 10 seconds.

5.     Enter the view of the URL filtering policy in which you want to enable cloud query.

url-filter policy policy-name

6.     Enable cloud query.

cloud-query enable

By default, cloud query is disabled in a URL filtering policy.

Configuring a URL filtering policy

About URL filtering policies

A URL filtering policy contains the following settings:

·     URL category-to-action mappings.

·     Default action.

·     Whitelist and blacklist rules.

Procedure

1.     Enter system view.

system-view

2.     Create a URL filtering policy and enter its view.

url-filter policy policy-name

3.     Specify the actions for a URL category.

category category-name action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]

By default, no actions are specified for a URL category.

If a packet matches a rule that is in multiple URL categories, the system uses the actions for the category with the highest severity level.

4.     (Optional.) Specify the default action for packets that do not match any rule in the policy.

default-action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]

5.     (Optional.) Configure a whitelist or blacklist rule in the policy.

add { blacklist | whitelist } [ id ] host { regex host-regex | text host-name } [ uri { regex uri-regex | text uri-name } ]

6.     (Optional.) Rename the URL filtering policy.

rename new-name

Copying a URL filtering policy or category

Copying a URL filtering policy

About copying a URL filtering policy

You can create a new URL filtering policy by copying an existing one.

Procedure

1.     Enter system view.

system-view

2.     Create a URL filtering policy and enter its view.

url-filter copy policy old-name new-name

Copying a URL filtering category

About copying a URL category

You can create a new URL category by copying an existing one.

Restrictions and guidelines

When you copy a URL category, be sure to assign a unique severity level to the new URL category.

Procedure

1.     Enter system view.

system-view

2.     Copy a URL category.

url-filter copy category old-name new-name severity severity-level

Applying a URL filtering policy to a DPI application profile

About applying a URL filtering policy to a DPI application profile

A URL filtering policy must be applied to a DPI application profile to take effect.

Restrictions and guidelines

A DPI application profile can use only one URL filtering policy. If you apply different URL filtering policies to the same DPI application profile, only the most recent configuration takes effect.

Procedure

1.     Enter system view.

system-view

2.     Enter DPI application profile view.

app-profile app-profile-name

For more information about this command, see DPI engine commands in DPI Command Reference.

3.     Assign a URL filtering policy to the DPI application profile.

url-filter apply policy policy-name

By default, no URL filtering policy is applied to the DPI application profile.

Activating URL filtering policy and rule settings

About activating URL filtering policy and rule settings

After you edit the policy and rule settings in the URL filtering module, perform this task to activate the settings.

Restrictions and guidelines

This task can cause temporary outage for all DPI services. As a best practice, perform the task after all DPI service policy and rule settings are complete.

For more information about activating DPI service module configuration, see "Configuring the DPI engine."

Procedure

1.     Enter system view.

system-view

2.     Activate URL filtering policy and rule settings.

inspect activate

By default, URL filtering policy and rule settings do not take effect.

Using the DPI application profile in an object policy rule

1.     Enter system view.

system-view

2.     Enter object policy view.

object-policy { ip | ipv6 } object-policy-name

3.     Use a DPI application profile in an object policy rule.

rule [ rule-id ] inspect app-profile-name

By default, no DPI application profile is used in an object policy rule.

4.     Return to system view.

quit

5.     Create a zone pair and enter zone pair view.

zone-pair security source source-zone-name destination destination-zone-name

For more information about zone pairs, see security zone configuration in Security Configuration Guide.

6.     Apply the object policy to the zone pair.

object-policy apply { ip | ipv6 } object-policy-name

By default, no object policy is applied to a zone pair.

Managing the URL filtering signature library

You can update or roll back the version of the URL filtering signature library on the device.

Restrictions and guidelines

·     Do not delete the /dpi/ folder in the root directory of the storage medium.

·     Do not perform URL filtering signature update and rollback when the device's free memory is below the normal state threshold. For more information about device memory thresholds, see device management in Fundamentals Configuration Guide.

·     For successful automatic and immediate signature update, make sure the device can resolve the domain name of the company's website into an IP address through DNS. For more information about DNS, see DNS configuration in Layer 3—IP Services Configuration Guide.

Scheduling automatic URL filtering signature library update

About automatic URL filtering signature library update

You can schedule automatic URL filtering signature library update if the device can access the signature database services on the company's website. The device periodically obtains the latest signature file from the company's website to update its local signature library according to the update schedule.

Procedure

1.     Enter system view.

system-view

2.     Enable automatic URL filtering signature library update and enter automatic URL filtering signature library update configuration view.

url-filter signature auto-update

By default, automatic URL filtering signature library update is disabled.

3.     Schedule the update time.

update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes

By default, the device updates the URL filtering signature at a random time between 01:00:00 and 03:00:00 every day.

Triggering an immediate URL filtering signature update

About immediate URL filtering signature update

Whenever a new signature version is released on the company's website, you can trigger the device to immediately update its local signature library.

Procedure

1.     Enter system view.

system-view

2.     Trigger an automatic URL filtering signature library update.

url-filter signature auto-update-now

Performing a URL filtering signature manual update

About URL filtering signature manual update

If the device cannot access the signature database services on the company's website, use one of the following methods to manually update the URL filtering signature library on the device:

·     Local update—Updates the URL filtering signature library on the device by using the locally stored update URL filtering signature file.

(In IRF mode.) Store the update file on the master device for successful signature library update.

·     FTP/TFTP update—Updates the URL filtering signature library on the device by using the file stored on the FTP or TFTP server.

Procedure

1.     Enter system view.

system-view

2.     Manually update the URL filtering signature library on the device.

url-filter signature update file-path

Rolling back the URL filtering signature library

About rolling back the URL filtering signature library

If a URL filtering signature library update causes exceptions or a high false alarm rate, you can roll back the URL filtering signature library.

Before rolling back the URL filtering signature library, the device backs up the current signature library as the "previous version." For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.

Procedure

1.     Enter system view.

system-view

2.     Roll back the URL filtering signature library to the previous version or to the factory default version.

url-filter signature rollback { factory | last }

Enabling DPI engine logging

About DPI engine logging

You can enable DPI engine logging for audit purposes. Log messages generated by DPI engine are output to the device information center. The information center then sends the messages to designated destinations based on log output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enable DPI engine logging.

url-filter log enable

By default, DPI engine logging is disabled.

Configuring URL filtering logging for resource access

About URL filtering logging for resource access

URL filtering logs user access to resources after you specify the logging action for a URL category or as a default action for a URL filtering policy.

You can use either of the following methods to configure URL filtering to log access to specific types of resources:

·     Configure URL filtering to log access to only resources in the root directories of websites.

·     Enable or disable URL filtering logging for access to resources of specific types.

Logging access to only resources in the root directories of websites

1.     Enter system view.

system-view

2.     Configure URL filtering to log only access to resources in the root directories of websites.

url-filter log directory root

By default, URL filtering logs access to Web resources in all directories.

Disabling logging for access to resources of specific types

1.     Enter system view.

system-view

2.     Disable URL filtering logging for access to resources of a specific resource type.

¡     Disable logging for access to resources of a predefined resource type.

url-filter log except pre-defined { css | gif | ico | jpg | js | png | swf | xml }

¡     Disable logging for access to resources of a user-defined resource type.

url-filter log except user-defined text

By default, URL filtering logs access to all resources except for resources of the predefined resource types (including CSS, GIF, ICO, JPG, JS, PNG, SWF, and XML resources).
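The two logging controls described above (root-directory-only logging and the excepted resource types) interact per access. The following Python function is an added illustration of that decision, not H3C code: it models url-filter log directory root and url-filter log except for a single URL. Two details the guide does not spell out are treated as assumptions: a resource is "in the root directory" when its path has no directory component below /, and the resource type is the file extension of the last path segment, compared case-insensitively and ignoring any query string.

```python
from urllib.parse import urlsplit

# Predefined resource types the guide lists as excluded from logging by default.
PREDEFINED_EXCEPT = frozenset({"css", "gif", "ico", "jpg", "js", "png", "swf", "xml"})


def resource_type(url: str) -> str:
    """File extension of the last path segment, lower-cased; '' when there is none.
    The query string is not part of the path, so '/logo.png?v=2' is still 'png'."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    name = segments[-1] if segments else ""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def in_root_directory(url: str) -> bool:
    """True when the resource sits directly under the website root (assumption:
    a path with at most one segment, e.g. '/' or '/index.html')."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return len(segments) <= 1


def should_log(url: str, root_only: bool = False,
               excepted_types: frozenset = PREDEFINED_EXCEPT) -> bool:
    """Decide whether an access to url produces a URL filtering log entry.
    root_only models 'url-filter log directory root'; excepted_types models the
    combined predefined and user-defined 'url-filter log except' list."""
    if root_only and not in_root_directory(url):
        return False
    return resource_type(url) not in excepted_types


if __name__ == "__main__":
    # Constructed sample accesses; hostnames are placeholders.
    for u in ["http://h.test/index.html", "http://h.test/static/logo.png?v=2",
              "http://h.test/docs/guide.html", "http://h.test/video.mp4"]:
        print(u, "default:", should_log(u), "root-only:", should_log(u, root_only=True))
```

Adding a user-defined type is a set union, as in should_log(url, excepted_types=PREDEFINED_EXCEPT | {"mp4"}); passing an empty frozenset models a configuration in which nothing is excepted.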

Display and maintenance commands for URL filtering

Execute display commands in any view and reset commands in user view.

Task: Command

Display URL filtering cache information: display url-filter cache

Display URL category information: display url-filter { category | parent-category } [ verbose ]

Display information about the URL filtering signature library: display url-filter signature information

Display URL filtering statistics: display url-filter statistics

Clear URL filtering statistics: reset url-filter statistics

URL filtering configuration examples

Example: Using a URL filtering policy in an object policy

Network configuration

As shown in Figure 3, the device connects to the LAN and Internet through the security zones Trust and Untrust, respectively.

Configure a URL filtering policy on the device to meet the following requirements:

·     The device permits LAN users in security zone Trust to access website http://www.sina.com on the Web server.

·     The device drops and logs packets that match the Pre-Games URL category.

·     The device drops and logs packets that do not match any filtering rule in the URL filtering policy.

Figure 3 Network diagram

Procedure

1.     Assign IP addresses to interfaces, as shown in Figure 3. (Details not shown.)

2.     Configure the security zones:

# Assign GigabitEthernet 1/0/1 to security zone Trust.

<Device> system-view

[Device] security-zone name trust

[Device-security-zone-Trust] import interface gigabitethernet 1/0/1

[Device-security-zone-Trust] quit

# Assign GigabitEthernet 1/0/2 to security zone Untrust.

[Device] security-zone name untrust

[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2

[Device-security-zone-Untrust] quit

3.     Create IP address object group urlfilter and configure an IP address object with subnet 192.168.1.0/24.

[Device] object-group ip address urlfilter

[Device-obj-grp-ip-urlfilter] network subnet 192.168.1.0 24

[Device-obj-grp-ip-urlfilter] quit

4.     Configure a URL category:

# Create URL category news and set its severity level to 2000.

[Device] url-filter category news severity 2000

# Create URL filtering rule 1 to match HTTP packets that contain the www.sina.com host name in the URL.

[Device-url-filter-category-news] rule 1 host text www.sina.com

[Device-url-filter-category-news] quit

5.     Configure a URL filtering policy:

# Create URL filtering policy urlnews.

[Device] url-filter policy urlnews

# Specify the permit action for URL category news.

[Device-url-filter-policy-urlnews] category news action permit

# Specify the drop action for predefined URL category Pre-Games and enable logging for the matching packets.

[Device-url-filter-policy-urlnews] category Pre-Games action drop logging

# Set the default action to drop and enable logging for the matching packets.

[Device-url-filter-policy-urlnews] default-action drop logging

[Device-url-filter-policy-urlnews] quit

6.     Apply URL filtering policy urlnews to a DPI application profile:

# Create DPI application profile sec.

[Device] app-profile sec

# Apply URL filtering policy urlnews to the DPI application profile.

[Device-app-profile-sec] url-filter apply policy urlnews

[Device-app-profile-sec] quit

7.     Activate the URL filtering policy and rule settings.

[Device] inspect activate

8.     Configure an object policy:

# Create IPv4 object policy urlfilter and enter its view.

[Device] object-policy ip urlfilter

# Configure an object policy rule to apply DPI application profile sec to packets with source IP addresses contained in IP address object group urlfilter.

[Device-object-policy-ip-urlfilter] rule inspect sec source-ip urlfilter destination-ip any

[Device-object-policy-ip-urlfilter] quit

9.     Create a zone pair between source security zone Trust and destination security zone Untrust, and apply object policy urlfilter to the zone pair.

[Device] zone-pair security source trust destination untrust

[Device-zone-pair-security-Trust-Untrust] object-policy apply ip urlfilter

[Device-zone-pair-security-Trust-Untrust] quit

Verifying the configuration

# Verify that LAN users in security zone Trust can access website http://www.sina.com on the Web server.

# Verify that the device drops and logs the LAN users' HTTP requests to game resources.

Example: Manually updating the URL filtering signature library

Network configuration

As shown in Figure 4, LAN users in security zone Trust can access the following resources:

·     Internet resources in security zone Untrust.

·     The FTP server at 192.168.2.4/24 in security zone DMZ. The FTP login username and password are url and 123, respectively.

Manually update the URL filtering signature library on the device by using the most up-to-date URL filtering signature file (url-1.0.2-encrypt.dat) stored on the FTP server.

Figure 4 Network diagram

Procedure

1.     Assign IP addresses to interfaces, as shown in Figure 4. (Details not shown.)

2.     Allow the device to communicate with the FTP server:

# Configure ACL 2001 to permit all traffic.

<Device> system-view

[Device] acl basic 2001

[Device-acl-ipv4-basic-2001] rule permit

[Device-acl-ipv4-basic-2001] quit

# Assign GigabitEthernet 1/0/3 to zone DMZ.

[Device] security-zone name dmz

[Device-security-zone-DMZ] import interface gigabitethernet 1/0/3

[Device-security-zone-DMZ] quit

# Create a zone pair between source security zone Local and destination security zone DMZ, and then apply ACL 2001 to the zone pair for packet filtering.

[Device] zone-pair security source local destination dmz

[Device-zone-pair-security-Local-DMZ] packet-filter 2001

[Device-zone-pair-security-Local-DMZ] quit

# Create a zone pair between source security zone DMZ and destination security zone Local, and then apply ACL 2001 to the zone pair for packet filtering.

[Device] zone-pair security source dmz destination local

[Device-zone-pair-security-DMZ-Local] packet-filter 2001

[Device-zone-pair-security-DMZ-Local] quit

3.     Update the URL filtering signature library on the device by using URL filtering signature file url-1.0.2-encrypt.dat stored on the FTP server.

[Device] url-filter signature update ftp://url:123@192.168.2.4/url-1.0.2-encrypt.dat

Verifying the configuration

# Verify that the device URL filtering signature library is updated.

<Device> display url-filter signature information

Example: Configuring automatic URL filtering signature library update

Network configuration

As shown in Figure 5, LAN users in security zone Trust can access Internet resources in security zone Untrust.

Configure the device to automatically update the local URL filtering signature library at a random time between 08:30 a.m. and 09:30 a.m. every Saturday.

Figure 5 Network diagram

Procedure

1.     Assign IP addresses to interfaces, as shown in Figure 5. (Details not shown.)

2.     Configure DNS for the device to resolve the domain name of the company's website into the IP address. (Details not shown.)

3.     Configure an object policy to allow LAN users in security zone Trust to access Internet resources in security zone Untrust. (Details not shown.)

4.     Configure automatic URL filtering signature library update:

# Enable automatic URL filtering signature library update.

<Device> system-view

[Device] url-filter signature auto-update

# Configure the device to perform automatic update at a random time between 08:30 a.m. and 09:30 a.m. every Saturday.

[Device-url-filter-autoupdate] update schedule weekly sat start-time 9:00:00 tingle 60

[Device-url-filter-autoupdate] quit

Verifying the configuration

# Verify that the device URL filtering signature library is updated as scheduled.

<Device> display url-filter signature information
