07-Security Command Reference

19-Web Filtering Commands

Web filtering configuration commands

Support for the commands depends on the device model. For more information, see About the H3C Access Controllers Command References.

display firewall http activex-blocking

Use display firewall http activex-blocking to display information about ActiveX blocking.

Syntax

display firewall http activex-blocking [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Specifies all ActiveX blocking suffix keywords.

item keywords: Specifies a blocking suffix keyword. It is a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters.

verbose: Specifies detailed information.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, this command displays brief information about ActiveX blocking.

Examples

# Display brief information about ActiveX blocking.

<Sysname> display firewall http activex-blocking
 ActiveX blocking is enabled.

# Display ActiveX blocking information for a specific suffix keyword.

<Sysname> display firewall http activex-blocking item .ocx
 The HTTP request packet including ".ocx" had been matched for 5 times.

# Display ActiveX blocking information for all suffix keywords.

<Sysname> display firewall http activex-blocking all
 SN   Match-Times   Keywords
 ----------------------------------------------
 1    5               .OCX
 2    0               .vbs

Table 1 Command output

| Field | Description |
|---|---|
| SN | Serial number. |
| Match-Times | Number of times that a suffix keyword is matched. |
| Keywords | ActiveX blocking suffix keyword. |

# Display detailed ActiveX blocking information.

<Sysname> display firewall http activex-blocking verbose
 ActiveX blocking is enabled.
 No ACL group has been configured.
 There are 5 packet(s) being filtered.
 There are 0 packet(s) being passed.

display firewall http java-blocking

Use display firewall http java-blocking to display information about Java blocking.

Syntax

display firewall http java-blocking [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Specifies all Java blocking suffix keywords.

item keywords: Specifies a blocking suffix keyword. It is a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters.

verbose: Specifies detailed information.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, this command displays brief information about Java blocking.

Examples

# Display brief information about Java blocking.

<Sysname> display firewall http java-blocking
 Java blocking is enabled.

# Display Java blocking information for a specific suffix keyword.

<Sysname> display firewall http java-blocking item .class
 The HTTP request packet including ".class" had been matched for 10 times.

# Display Java blocking information for all suffix keywords.

<Sysname> display firewall http java-blocking all
 SN   Match-Times   Keywords
 ----------------------------------------------
 1        10          .CLASS
 2        0           .JAR
 3        0           .java

Table 2 Command output

| Field | Description |
|---|---|
| SN | Serial number. |
| Match-Times | Number of times that the suffix keyword has been matched. |
| Keywords | Java blocking suffix keyword. |

# Display detailed information about Java blocking.

<Sysname> display firewall http java-blocking verbose
 Java blocking is enabled.
 No ACL group has been configured.
 There are 10 packet(s) being filtered.
 There are 0 packet(s) being passed.

display firewall http url-filter host

Use display firewall http url-filter host to display information about URL address filtering.

Syntax

display firewall http url-filter host [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Specifies all URL filtering keywords.

item keywords: Specifies a filtering keyword. The keywords argument is a case-insensitive string of 1 to 80 characters. Valid characters include 0 to 9, a to z, A to Z, dot (.), hyphen (-), underscore (_), and wildcards caret (^), dollar sign ($), ampersand (&), and asterisk (*). For meanings and usage guidelines of the wildcards, see the relevant description for command firewall http url-filter host url-address.

verbose: Specifies detailed information.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, this command displays brief information about URL address filtering.

Examples

# Display brief information about URL address filtering.

<Sysname> display firewall http url-filter host
 URL-filter host is enabled.
 Default method: permit.

# Display URL address filtering information for a specific filtering entry.

<Sysname> display firewall http url-filter host item ^webfilter$
 The HTTP request packet including "^webfilter$" had been matched for 10 times.

# Display URL address filtering information for all filtering entries.

<Sysname> display firewall http url-filter host all
 SN   Match-Times   Keywords
 ----------------------------------------------
 1        10          ^webfilter$

Table 3 Command output

| Field | Description |
|---|---|
| SN | Serial number. |
| Match-Times | Number of times that the keyword has been matched. |
| Keywords | URL address filtering keyword. |

# Display detailed information about URL address filtering.

<Sysname> display firewall http url-filter host verbose
 URL-filter host is enabled.
 Default method: permit.
 The support for IP address: deny.
 No ACL group has been configured.
 There are 10 packet(s) being filtered.
 There are 0 packet(s) being passed.

Table 4 Command output

| Field | Description |
|---|---|
| Default method | Default URL address filtering action, which can be permit or deny. |
| The support for IP address | Support for website IP addresses, permit or deny. |


display firewall http url-filter parameter

Use display firewall http url-filter parameter to display information about URL parameter filtering.

Syntax

display firewall http url-filter parameter [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Specifies all filtering keywords.

item keywords: Specifies a filtering keyword. The keywords argument is a case-insensitive string of 1 to 80 characters. Valid characters include numerals, English letters, wildcards caret (^), dollar sign ($), ampersand (&), and asterisk (*), and other ASCII characters with values in the range of 31 to 127.

verbose: Specifies detailed information.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, this command displays brief information about URL parameter filtering.

Examples

# Display brief information about URL parameter filtering.

<Sysname> display firewall http url-filter parameter
 URL-filter parameter is enabled.

# Display URL parameter filtering information for a specific keyword.

<Sysname> display firewall http url-filter parameter item ^select$
 The HTTP request packet including "^select$" had been matched for 10 times.

# Display URL parameter filtering information for all keywords.

<Sysname> display firewall http url-filter parameter all
 SN   Match-Times   Keywords
 ----------------------------------------------
 1    0               ^select$
 2    0               ^insert$
 3    0               ^update$
 4    0               ^delete$
 5    0               ^drop$
 6    0               --
 7    0               '
 8    0               ^exec$
 9    10              %27
 10   0               qqqqq

Table 5 Command output

| Field | Description |
|---|---|
| SN | Serial number. |
| Match-Times | Number of times that the keyword has been matched. |
| Keywords | URL parameter filtering keyword. |

# Display detailed information about URL parameter filtering.

<Sysname> display firewall http url-filter parameter verbose
 URL-filter parameter is enabled.
 There are 10 packet(s) being filtered.
 There are 0 packet(s) being passed.
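
The all form of the four display commands prints the same three-column table, so the match counters can be collected on each poll and compared with the previous poll. The following Python sketch is an added example, not H3C code: the function names are hypothetical, the first snapshot is the output shown above, and the two later snapshots are constructed.

```python
import re

# One table row: SN, Match-Times, Keywords. The keyword runs to the end of
# the line so that an entry containing spaces stays in one piece.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_counters(output):
    """Map each keyword (lower-cased, keywords are case-insensitive) to its count."""
    counters = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:  # prompt, header, separator and blank lines do not match
            counters[m.group(3).lower()] = int(m.group(2))
    return counters


def counter_deltas(previous, current):
    """Return the keywords whose count grew since the previous poll.

    A count lower than the previous one means the statistics were cleared
    (reset firewall http ... counter), so the whole current value is new.
    """
    deltas = {}
    for keyword, now in current.items():
        before = previous.get(keyword, 0)
        grew = now - before if now >= before else now
        if grew > 0:
            deltas[keyword] = grew
    return deltas


# Output copied from the example above.
SNAPSHOT_1 = """\
<Sysname> display firewall http url-filter parameter all
 SN   Match-Times   Keywords
 ----------------------------------------------
 1    0               ^select$
 2    0               ^insert$
 3    0               ^update$
 4    0               ^delete$
 5    0               ^drop$
 6    0               --
 7    0               '
 8    0               ^exec$
 9    10              %27
 10   0               qqqqq
"""

# Constructed: a later poll in which two counters have grown.
SNAPSHOT_2 = SNAPSHOT_1.replace(" 9    10 ", " 9    14 ").replace(
    " 1    0 ", " 1    3 ")

# Constructed: a poll taken after the counters were cleared and %27 matched twice.
SNAPSHOT_3 = SNAPSHOT_1.replace(" 9    10 ", " 9    2  ")

if __name__ == "__main__":
    s1, s2, s3 = (parse_counters(s) for s in (SNAPSHOT_1, SNAPSHOT_2, SNAPSHOT_3))
    print(counter_deltas(s1, s2))
    print(counter_deltas(s2, s3))
```
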

firewall http activex-blocking acl

Use firewall http activex-blocking acl to specify an ACL for ActiveX blocking.

Use undo firewall http activex-blocking acl to cancel the configuration.

Syntax

firewall http activex-blocking acl acl-number

undo firewall http activex-blocking acl

Default

No ACL is specified for ActiveX blocking.

Views

System view

Default command level

2: System level

Parameters

acl-number: Specifies an ACL number in the range of 2000 to 3999.

Usage guidelines

After the command takes effect, all Web requests containing any suffix keywords in the ActiveX blocking suffix list will be processed according to the ACL.

You can specify multiple ACLs for ActiveX blocking, but only the last one takes effect.

You can specify a non-existing ACL, but ActiveX blocking based on the ACL takes effect only after you create and configure the ACL correctly.

Examples

# Specify the ACL for ActiveX blocking as ACL 2003.

<Sysname> system-view

[Sysname] firewall http activex-blocking acl 2003

Related commands

display firewall http activex-blocking

firewall http activex-blocking enable

Use firewall http activex-blocking enable to enable the ActiveX blocking function and add the default blocking keyword .ocx to the ActiveX blocking suffix list.

Use undo firewall http activex-blocking enable to disable the ActiveX blocking function.

Syntax

firewall http activex-blocking enable

undo firewall http activex-blocking enable

Default

The ActiveX blocking function is disabled.

Views

System view

Default command level

2: System level

Examples

# Enable the ActiveX blocking function.

<Sysname> system-view

[Sysname] firewall http activex-blocking enable

Related commands

display firewall http activex-blocking

firewall http activex-blocking suffix

Use firewall http activex-blocking suffix to add an ActiveX blocking suffix keyword to the ActiveX blocking suffix list.

Use undo firewall http activex-blocking suffix to remove an ActiveX blocking suffix keyword from the ActiveX blocking suffix list.

Syntax

firewall http activex-blocking suffix keywords

undo firewall http activex-blocking suffix keywords

Views

System view

Default command level

2: System level

Parameters

keywords: Specifies the blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters.

Usage guidelines

You can add a maximum of 5 ActiveX blocking suffix keywords.

You cannot add or remove the default suffix keyword ".ocx" with these commands.

Examples

# Add .vbs to the ActiveX blocking suffix list.

<Sysname> system-view

[Sysname] firewall http activex-blocking suffix .vbs

Related commands

display firewall http activex-blocking

firewall http java-blocking acl

Use firewall http java-blocking acl to specify an ACL for Java blocking.

Use undo firewall http java-blocking acl to cancel the configuration.

Syntax

firewall http java-blocking acl acl-number

undo firewall http java-blocking acl

Default

No ACL is specified for Java blocking.

Views

System view

Default command level

2: System level

Parameters

acl-number: Specifies an ACL number in the range of 2000 to 3999.

Usage guidelines

After the command takes effect, all Web requests containing any suffix keywords in the Java blocking suffix list will be processed according to the specified ACL.

You can specify multiple ACLs for Java blocking, but only the last one takes effect.

You can specify a non-existing ACL, but Java blocking based on the ACL takes effect only after you create and configure the ACL correctly.

Examples

# Specify the ACL for Java blocking as ACL 2002.

<Sysname> system-view

[Sysname] firewall http java-blocking acl 2002

Related commands

display firewall http java-blocking

firewall http java-blocking enable

Use firewall http java-blocking enable to enable the Java blocking function and add the default blocking keywords .class and .jar to the Java blocking suffix list.

Use undo firewall http java-blocking enable to disable the Java blocking function.

Syntax

firewall http java-blocking enable

undo firewall http java-blocking enable

Default

The Java blocking function is disabled.

Views

System view

Default command level

2: System level

Examples

# Enable the Java blocking function.

<Sysname> system-view

[Sysname] firewall http java-blocking enable

Related commands

display firewall http java-blocking

firewall http java-blocking suffix

Use firewall http java-blocking suffix to add a Java blocking suffix keyword to the Java blocking suffix list.

Use undo firewall http java-blocking suffix to remove a Java blocking suffix keyword from the Java blocking suffix list.

Syntax

firewall http java-blocking suffix keywords

undo firewall http java-blocking suffix keywords

Views

System view

Default command level

2: System level

Parameters

keywords: Specifies the blocking suffix keyword, a case-insensitive string of 1 to 9 characters. Its starting character must be a dot (.) and the subsequent characters must be digits or English letters.

Usage guidelines

You can add a maximum of five Java blocking suffix keywords.

You cannot remove the default block suffix keywords .class and .jar.

Examples

# Add .js to the Java blocking suffix list.

<Sysname> system-view

[Sysname] firewall http java-blocking suffix .js

Related commands

display firewall http java-blocking

firewall http url-filter host acl

Use firewall http url-filter host acl to specify an ACL for URL address filtering.

Use undo firewall http url-filter host acl to cancel the configuration.

Syntax

firewall http url-filter host acl acl-number

undo firewall http url-filter host acl

Default

No ACL is specified for URL address filtering.

Views

System view

Default command level

2: System level

Parameters

acl-number: Specifies an ACL number in the range of 2000 to 3999.

Usage guidelines

With the command configured, all Web requests using IP addresses will be processed according to the specified ACL.

If you specify multiple ACLs for URL address filtering, only the last one takes effect.

You can specify a non-existing ACL, but filtering based on the ACL takes effect only after you create and configure the ACL correctly.

Examples

# Specify URL address filtering to permit Web requests with website IP addresses permitted by ACL 2000.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule 0 permit source 3.3.3.3 0.0.0.0

[Sysname-acl-basic-2000] quit

[Sysname] firewall http url-filter host acl 2000

Related commands

display firewall http url-filter host

firewall http url-filter host default

Use firewall http url-filter host default to specify the default action for URL address filtering, that is, the action taken for Web requests whose URL addresses do not match any configured filtering entry.

Syntax

firewall http url-filter host default { deny | permit }

Default

The default filtering action is deny.

Views

System view

Default command level

2: System level

Parameters

deny: Denies Web requests.

permit: Permits Web requests.

Examples

# Specify the default filtering action as permit.

<Sysname> system-view

[Sysname] firewall http url-filter host default permit

Related commands

display firewall http url-filter host

firewall http url-filter host enable

Use firewall http url-filter host enable to enable the URL address filtering function.

Use undo firewall http url-filter host enable to disable the URL address filtering function.

Syntax

firewall http url-filter host enable

undo firewall http url-filter host enable

Default

The URL address filtering function is disabled.

Views

System view

Default command level

2: System level

Examples

# Enable the URL address filtering function.

<Sysname> system-view

[Sysname] firewall http url-filter host enable

Related commands

display firewall http url-filter host

firewall http url-filter host ip-address

Use firewall http url-filter host ip-address to enable or disable support for IP addresses in URL address filtering, that is, to permit or deny Web requests that use IP addresses to access websites.

Syntax

firewall http url-filter host ip-address { deny | permit }

Default

The URL address filtering function denies Web requests using IP addresses for access to websites.

Views

System view

Default command level

2: System level

Parameters

deny: Denies Web requests whose destination URL is given as an IP address.

permit: Permits Web requests whose destination URL is given as an IP address.

Usage guidelines

This configuration takes effect only after the URL address filtering function is enabled.

Examples

# Configure to permit Web requests using IP addresses for access to websites.

<Sysname> system-view

[Sysname] firewall http url-filter host ip-address permit

Related commands

·     display firewall http url-filter host

·     firewall http url-filter host enable

firewall http url-filter host url-address

Use firewall http url-filter host url-address to add a URL address filtering entry and set the filtering action.

Use undo firewall http url-filter host url-address to remove one or all URL address filtering entries.

Syntax

firewall http url-filter host url-address { deny | permit } url-address

undo firewall http url-filter host url-address [ url-address ]

Views

System view

Default command level

2: System level

Parameters

deny: Denies matched URL addresses.

permit: Permits matched URL addresses.

url-address: URL address filtering entry, a case-insensitive string of 1 to 80 characters. Valid characters include digits, English letters, dot (.), hyphen (-), underscore (_), and wildcards caret (^), dollar sign ($), ampersand (&), and asterisk (*).

Table 6 Wildcard meanings

| Wildcard | Meaning | Usage guidelines |
|---|---|---|
| ^ | Matches website addresses starting with the keyword | It can be present once at the beginning of a filtering entry. |
| $ | Matches website addresses ending with the keyword | It can be present once at the end of a filtering entry. |
| & | Stands for a valid character other than dot (.) | It can be present multiple times at any position of a filtering entry, consecutively or non-consecutively, but cannot be used together with asterisk (*). |
| * | Stands for any number of valid characters and spaces excluding dot (.) | It can be present once at the beginning or in the middle of a filtering entry. It cannot be at the end and cannot be used next to caret (^) or dollar sign ($). |


When using the wildcards, follow these rules:

·     A filtering entry with caret (^) at the beginning or dollar sign ($) at the end indicates an exact match. For example, filtering entry ^webfilter matches website addresses starting with webfilter (such as webfilter.com.cn) or containing webfilter at the beginning of a string after a dot (such as cmm.webfilter-any.com). Filtering entry ^webfilter$ matches website addresses containing standalone webfilter like www.webfilter.com; it does not match website addresses like www.webfilter-china.com.

·     A filtering entry with neither caret (^) at the beginning nor dollar sign ($) at the end indicates a fuzzy match, and matches website addresses containing the keyword.

·     If asterisk (*) is present at the beginning of a filtering entry, it must be present in the format like *.xxx, where xxx represents a keyword, for example, *.com or *.webfilter.com.

·     A filtering entry with only numerals is invalid. To filter a website address like www.123.com, define a filtering entry like ^123$, www.123.com, or 123.com, instead of 123. In other words, use exact match to filter website addresses that consist of numerals.
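
The following Python sketch is an added example, not H3C code: it checks a candidate url-address entry against the syntax rules above and translates a valid entry into a regular expression so that it can be tested offline against hostnames before it is configured. Treating ^ and $ as anchors at the boundaries of a dot-separated label is an interpretation of the webfilter examples above, and the function names are hypothetical.

```python
import re

# Characters the page allows in a url-address entry (1 to 80 characters).
ALLOWED = re.compile(r"[0-9A-Za-z._^$&*-]{1,80}")
ONE_CHAR = "[0-9a-z_-]"     # '&': one valid character other than dot
ANY_RUN = "[0-9a-z_ -]*"    # '*': any number of valid characters and spaces, no dot


def validate_entry(entry):
    """Return the documented rules that the entry breaks (empty list = valid)."""
    if not ALLOWED.fullmatch(entry):
        return ["must be 1 to 80 characters from digits, letters, . - _ ^ $ & *"]
    errors = []
    if entry.isdigit():
        errors.append("an entry with only numerals is invalid")
    if not entry.strip("^$"):
        # Assumption: the page does not cover an entry made only of anchors.
        errors.append("entry contains no keyword")
    if "^" in entry[1:]:
        errors.append("^ may be present once, at the beginning")
    if "$" in entry[:-1]:
        errors.append("$ may be present once, at the end")
    if "*" in entry:
        i = entry.index("*")
        neighbours = entry[max(i - 1, 0):i] + entry[i + 1:i + 2]
        if entry.count("*") > 1:
            errors.append("* may be present only once")
        if "&" in entry:
            errors.append("& cannot be used together with *")
        if i == len(entry) - 1:
            errors.append("* cannot be at the end")
        if "^" in neighbours or "$" in neighbours:
            errors.append("* cannot be next to ^ or $")
        if i == 0 and not re.match(r"\*\.[0-9A-Za-z_-]", entry):
            errors.append("a leading * must use the *.xxx format")
    return errors


def entry_to_regex(entry):
    """Translate a valid entry into a regex (interpretation of the rules above)."""
    errors = validate_entry(entry)
    if errors:
        raise ValueError("; ".join(errors))
    prefix = suffix = ""
    body = entry.lower()                      # entries are case-insensitive
    if body.startswith("^"):                  # start of address or of a label
        prefix, body = r"(?:^|\.)", body[1:]
    if body.endswith("$"):                    # end of address or of a label
        suffix, body = r"(?:\Z|\.)", body[:-1]
    parts = []
    for ch in body:
        if ch == "&":
            parts.append(ONE_CHAR)
        elif ch == "*":
            parts.append(ANY_RUN)
        else:
            parts.append(re.escape(ch))
    return re.compile(prefix + "".join(parts) + suffix)


def matches(entry, host):
    """True if the filtering entry matches the website address."""
    return entry_to_regex(entry).search(host.lower()) is not None


if __name__ == "__main__":
    for entry in ("^webfilter$", "123", "web*", "^china&", "*.webfilter.com"):
        print(entry, validate_entry(entry) or "ok")
```
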

Usage guidelines

The device supports a maximum of 256 URL address filtering entries.

You can change the filtering action for an existing filtering entry, for example, from deny to permit.

Examples

# Add filtering entry ^china& to the URL address filtering entry list and set the filtering action to permit.

<Sysname> system-view

[Sysname] firewall http url-filter host url-address permit ^china&

Related commands

display firewall http url-filter host

firewall http url-filter parameter

Use firewall http url-filter parameter to add URL parameter filtering entries to the URL parameter filtering entry list.

Use undo firewall http url-filter parameter to remove URL parameter filtering entries from the list.

Syntax

firewall http url-filter parameter { default | keywords keywords }

undo firewall http url-filter parameter [ default | keywords keywords ]

Views

System view

Default command level

2: System level

Parameters

default: Specifies to use the default parameter filtering entries, including: ^select$, ^insert$, ^update$, ^delete$, ^drop$, --, ', ^exec$, and %27.

keywords keywords: Specifies to use a user-defined parameter filtering entry. The keywords argument is a case-insensitive string of 1 to 80 characters. Valid characters include numerals, English letters, wildcards caret (^), dollar sign ($), ampersand (&), and asterisk (*), and other ASCII characters with values in the range of 31 to 127. A filtering entry can be a string with spaces, but such an entry must be present in quotes, for example, "select all". One space in a filtering entry can match multiple consecutive spaces in a URL parameter of an HTTP request. For meanings of the wildcards, see Table 7.

Table 7 Meanings of wildcards

| Wildcard | Meaning | Usage guidelines |
|---|---|---|
| ^ | Matches parameters starting with the keyword | It can be present once at the beginning of a filtering entry. |
| $ | Matches parameters ending with the keyword | It can be present once at the end of a filtering entry. |
| & | Stands for one valid character | It can be present multiple times at any position of a filtering entry, consecutively or non-consecutively, and cannot be used next to an asterisk (*). If it is present at the beginning or end of a filtering entry, it must be next to a caret (^) or a dollar sign ($). |
| * | Stands for up to 4 valid characters including spaces | It can be present once in the middle of a filtering entry. |


When using the wildcards, also follow the principles below:

·     A filtering entry with a caret (^) at the beginning or a dollar sign ($) at the end indicates an exact match. For example, filtering entry ^webfilter$ matches website addresses containing standalone webfilter, like www.abc.com/webfilter any; it does not match website addresses like www.abc.com/webfilterany.

·     A filtering entry with neither a caret (^) at the beginning nor a dollar sign ($) at the end indicates a fuzzy match, and matches website addresses containing the keyword.

Usage guidelines

If you do not specify any parameters, the undo firewall http url-filter parameter command will remove all URL parameter filtering entries in the list.

The device supports a maximum of 256 URL parameter filtering entries, including the default ones.

You cannot use the firewall http url-filter parameter keywords or undo firewall http url-filter parameter keywords command to specify a filtering entry that is the same as a default one.

Examples

# Add select to the parameter filtering entry list.

<Sysname> system-view

[Sysname] firewall http url-filter parameter keywords select

Related commands

display firewall http url-filter parameter

firewall http url-filter parameter enable

Use firewall http url-filter parameter enable to enable the URL parameter filtering function.

Use undo firewall http url-filter parameter enable to disable the URL parameter filtering function.

Syntax

firewall http url-filter parameter enable

undo firewall http url-filter parameter enable

Default

The URL parameter filtering function is disabled.

Views

System view

Default command level

2: System level

Examples

# Enable the URL parameter filtering function.

<Sysname> system-view

[Sysname] firewall http url-filter parameter enable

Related commands

display firewall http url-filter parameter

reset firewall http

Use reset firewall http to clear Web filtering statistics.

Syntax

reset firewall http { activex-blocking | java-blocking | url-filter host | url-filter parameter } counter

Views

User view

Default command level

1: Monitor level

Parameters

activex-blocking: Specifies ActiveX blocking statistics.

java-blocking: Specifies Java blocking statistics.

url-filter host: Specifies URL address filtering statistics.

url-filter parameter: Specifies URL parameter filtering statistics.

counter: Specifies to clear statistics.

Examples

# Clear URL address filtering statistics.

<Sysname> reset firewall http url-filter host counter

 
