Login
- Table of Contents
-
- 03-Security Command Reference
- 00-Preface
- 01-Security zone commands
- 02-Security policy commands
- 03-ASPF commands
- 04-Session management commands
- 05-Object group commands
- 06-Object policy commands
- 07-IP source guard commands
- 08-AAA commands
- 09-User identification commands
- 10-Password control commands
- 11-Portal commands
- 12-MAC authentication commands
- 13-IPoE commands
- 14-Public key management commands
- 15-PKI commands
- 16-SSH commands
- 17-SSL commands
- 18-Connection limit commands
- 19-Attack detection and prevention commands
- 20-Server connection detection commands
- 21-ARP attack protection commands
- 22-ND attack defense commands
- 23-uRPF commands
- 24-IP-MAC binding commands
- 25-IP reputation commands
- 26-APR commands
- 27-Keychain commands
- 28-Crypto engine commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 02-Security policy commands | 179.13 KB |
Contents
description (security policy rule view)
description (security policy view)
display security-policy statistics
display security-policy switch-result
reset security-policy statistics
security-policy config-logging send-time
Security policy commands
accelerate enhanced enable
Use accelerate enhanced enable to manually activate rule matching acceleration.
Syntax
accelerate enhanced enable
Views
IPv4 security policy view
IPv6 security policy view
Predefined user roles
network-admin
context-admin
Usage guidelines
The device also provides automatic activation if you are not to use this command to activate rule matching acceleration manually. The device detects security policy changes at specific intervals and activates security policy matching acceleration automatically if any change has been made. If there are 100 or less security policies, the interval is 2 seconds. If there are over 100 security policies, the interval is 20 seconds.
When you activate rule matching acceleration, follow these restrictions and guidelines:
· Matching of security policies switched from object policies is accelerated by default and rule matching acceleration cannot be disabled.
· Activate rule matching acceleration if one of the following conditions exists:
¡ A rule is added.
¡ The settings in security policy rule view or the objects in an object group of a rule change.
¡ Rule matching acceleration is deactivated because of insufficient hardware resources.
· If rule matching acceleration is deactivated, rules match packets at the low speed.
Examples
# Activate rule matching acceleration.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] accelerate enhanced enable
action
Use action to set the action for a security policy rule.
Syntax
action { drop | pass }
Default
The action for a security policy rule is drop.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
drop: Discards matched packets.
pass: Allows matched packets to pass.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the action for security policy rule rule1 to drop.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] action drop
Related commands
display security-policy
app-group
Use app-group to specify an application group as a filtering criterion of a security policy rule.
Use undo app-group to remove the specified application group filtering criterion from a security policy rule.
Syntax
app-group app-group-name
undo app-group [ app-group-name ]
Default
No application group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
app-group-name: Specifies the name of an application policy, a case-insensitive string of 1 to 63 characters. The name cannot be invalid or other. If you do not specify this argument when executing the undo app-group command, the command removes all application groups from the rule. For more information about application groups, see APR in Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple application groups as the filtering criteria.
Examples
# Specify application groups app1 and app2 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] app-group app1
[Sysname-security-policy-ip-0-rule1] app-group app2
Related commands
app-group
display security-policy
application
Use application to specify an application as a filtering criterion of a security policy rule.
Use undo application to remove the specified application filtering criterion from a security policy rule.
Syntax
application application-name
undo application [ application-name ]
Default
No application is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
application-name: Specifies the name of an application, a case-insensitive string of 1 to 63 characters. The name cannot be invalid or other. If you do not specify this argument when executing the undo application command, the command removes all applications from the rule. For more information about applications, see APR in Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple applications as the filtering criteria.
For the application filtering criteria to be identified, you must permit the dependent applications to pass through.
Examples
# Specify applications 139Mail and 51job as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] application 139Mail
[Sysname-security-policy-ip-0-rule1] application 51job
Related commands
display security-policy
nbar application
port-mapping
counting enable
Use counting enable to enable statistics collection for matched packets.
Use undo counting enable to disable statistics collection for matched packets.
Syntax
counting enable
undo counting enable
Default
Statistics collection for matched packets is disabled.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Usage guidelines
This feature enables the device to collect statistics about matched packets. The collected statistics can be viewed by executing the display security-policy statistics command.
Examples
# Enable matched packet statistics collection for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] counting enable
Related commands
display security-policy
display security-policy statistics
description (security policy rule view)
Use description to configure a description for a security policy rule.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure the description as This rule is used for source-ip ip1 for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] description This rule is used for source-ip ip1
Related commands
display object-policy ip
display object-policy ipv6
description (security policy view)
Use description to configure a description for the IPv4 or IPv6 security policy.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for the IPv4 or IPv6 security policy.
Views
IPv4 security policy view
IPv6 security policy view
Predefined user roles
network-admin
context-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure the description as zone-pair security office to library for the IPv4 security policy.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] description zone-pair security office to library
Related commands
display security-policy
destination-ip
Use destination-ip to specify a destination IP address object group as a filtering criterion of a security policy rule.
Use undo destination-ip to remove the specified destination IP address object group from a security policy rule.
Syntax
destination-ip object-group-name
undo destination-ip [ object-group-name ]
Default
No destination IP address object group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
object-group-name: Specifies the name of a destination IP address object group, a case-insensitive string of 1 to 31 characters. The name cannot be any. If you do not specify this argument when executing the undo destination-ip command, the command removes all destination IP address object groups from the rule. For more information about object groups, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple destination IP address object groups as the filtering criteria.
If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.
Examples
# Specify destination IP address object groups client1 and client2 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] destination-ip client1
[Sysname-security-policy-ip-0-rule1] destination-ip client2
Related commands
display security-policy
object-group
destination-zone
Use destination-zone to specify a destination security zone as a filtering criterion of a security policy rule.
Use undo destination-zone to remove the specified destination security zone from a security policy rule.
Syntax
destination-zone destination-zone-name
undo destination-zone [ destination-zone-name ]
Default
No destination security zone is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
object-group-name: Specifies the name of a destination security zone, a case-insensitive string of 1 to 31 characters. If you do not specify this argument when executing the undo destination-zone command, the command removes all destination security zones from the rule. For more information about security zones, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple destination security zones as the filtering criteria.
Examples
# Specify destination security zones trust and server as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] destination-zone trust
[Sysname-security-policy-ip-0-rule1] destination-zone server
Related commands
display security-policy
security-zone
disable
Use disable to disable a security policy rule.
Use undo disable to enable a security policy rule.
Syntax
disable
undo disable
Default
A security policy rule is enabled.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Examples
# Disable security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] disable
Related commands
display security-policy
display security-policy
Use display security-policy to display information about the specified security policy.
Syntax
display security-policy { ip | ipv6 }
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
ip: Specifies the IPv4 security policy.
ipv6: Specifies the IPv6 security policy.
Examples
# Display information about the IPv4 security policy.
<Sysname> display security-policy ip
Security-policy ip
rule 0 name der (Inactive)
action pass
profile er
vrf re
logging enable
counting enable
time-range dere
track positive 23
session aging-time 5000
session persistent aging-time 2400
source-zone trust
destination-zone trust
source-ip erer
destination-ip client1
service ftp
app-group ere
application 110Wang
user der
user-group ere
Table 1 Command output
|
Field |
Description |
|
Rule ID and rule name. |
|
|
action pass |
Rule action: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
|
profile app-profile-name |
DPI application profile applied to the rule. |
|
vrf vrf-name |
MPLS L3VPN instance whose packets can be filtered by the rule. |
|
time-range time-range-name |
Time range during which the rule is in effect. |
|
track negative 1 (Active) |
Track entry and track entry state associated with the security policy rule. |
|
session aging-time time-value |
Session aging time. |
|
session persistent aging-time time-value |
Persistent session aging time. |
|
source-zone zone-name |
Source security zone that acts as a filtering criterion. |
|
destination-zone zone-name |
Destination security zone that acts as a filtering criterion. |
|
source-ip object-group-name |
Source IP address object group that acts as a filtering criterion. |
|
destination-ip object-group-name |
Destination IP address object group that acts as a filtering criterion. |
|
service object-group-name |
Service object group that acts as a filtering criterion. |
|
app-group app-group-name |
Application group that acts as a filtering criterion. |
|
application application-name |
Application that acts as a filtering criterion. |
|
user user-name |
User that acts as a filtering criterion. |
|
user-group user-group-name |
User group that acts as a filtering criterion. |
Related commands
security-policy ip
security-policy ipv6
display security-policy statistics
Use display security-policy statistics to display security policy statistics.
Syntax
display security-policy statistics { ip | ipv6 } [ rule rule-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
ip: Specifies the IPv4 security policy.
ipv6: Specifies the IPv6 security policy.
rule rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters. If you do not specify this option, the command displays statistics about all security policy rules of the specified IP version.
Examples
# Display statistics about IPv4 security policy rule abc.
<Sysname> display security-policy statistics ip rule abc
rule 0 name abc
action: pass (5 packets, 1000 bytes)
Table 2 Command output
|
Field |
Description |
|
rule id name rule-name |
Rule ID and rule name. |
|
action |
Rule action: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
|
x packets, y bytes |
The rule has matched x packets, a total of y bytes. This field is displayed only if the counting enable or the logging enable command has been executed for the rule. |
Related commands
reset security-policy statistics
display security-policy switch-result
Use display security-policy switch-result to display the security policy switching result.
Syntax
display security-policy switch-result
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Usage guidelines
If the security-policy switch-from object-policy command has not been executed, nothing is displayed. Otherwise, the switching result is displayed even if the switching operation failed.
Examples
# Display the result of a successful security policy switching.
<Sysname> display security-policy switch-result
Time: 2017-03-13 18-11-17
Result: Successful
Object policy file: flash:/chenlu_concon.cfg
Security policy file: flash:/chenlu_concon_secp.cfg
# Display the result of a failed security policy switching.
<Sysname> display security-policy switch-result
Time: 2017-03-13 18-11-15
Result: Failed
Object policy file: flash:/chenlu_convert.cfg
Security policy file: flash:/chenlu_convert_secp.cfg
Failure reason: The switching operation fails because the source or destination security zone is set to any for the zone pair and the action of an object policy rule is set to drop.
Table 3 Command output
|
Field |
Description |
|
Time |
Switching time in the format of year-month-day hour-minute-second. |
|
Result |
Switching result: · Successful. · Failed. |
|
Failure reason |
This field is displayed only for a failed switching operation. |
Related commands
security-policy switch-from object-policy
group move
Use group move to move a security policy rule group to change the match order of security policy rules.
Syntax
group move group-name1 { after | before } { group group-name2 | rule rule-name }
Views
Security policy view
Predefined user roles
network-admin
context-admin
Parameters
group-name1: Specifies the name of the security policy rule group to be moved, a case-insensitive string of 1 to 63 characters.
after: Moves the security policy rule group to the place after the target security policy rule group or the target security policy rule.
before: Moves the security policy rule group to the place before the target security policy rule group or the target security policy rule.
group group-name2: Specifies the name of the target security policy rule group, a case-insensitive string of 1 to 63 characters.
rule rule-name: Specifies the name of the target security policy rule, a case-insensitive string of 1 to 127 characters.
Usage guidelines
If you specify a target security policy rule that belongs to a security policy rule group, follow these restrictions and guidelines:
· If the target rule is neither the start nor end rule of the group, you cannot move a security policy rule group to the place before or after the rule.
· If the target rule is the start rule of the group, you can only move a security policy rule group to the place before the rule.
· If the target rule is the end rule of the group, you can only move a security policy rule group to the place after the rule.
Examples
# Move security policy rule group group1 to the place before security policy rule group group2.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] group move group1 before group group2
group name
Use group name to create a security policy rule group and add security policy rules to the group, or add security policy rules to an existing security policy rule group.
Use undo group name to delete a security policy rule group.
Syntax
group name group-name [ from rule-name1 to rule-name2 ] [ description description-text ] [ disable | enable ]
undo group name group-name [ description | include-member ]
Default
No security policy rule group exists.
Views
Security policy view
Predefined user roles
network-admin
context-admin
Parameters
group-name: Specifies a security policy rule group name, a case-insensitive string of 1 to 63 characters.
from rule-name1: Specifies the start rule of a rule list. The rule-name1 argument represents the security policy rule name, a case-insensitive string of 1 to 127 characters.
to rule-name2: Specifies the end rule of the rule list. The rule-name2 argument represents the security policy rule name, a case-insensitive string of 1 to 127 characters.
description description-text: Specifies the security policy description, a case-sensitive string of 1 to 127 characters. By default, no description is specified for a security policy rule group.
disable: Disables the security policy rule group.
enable: Enables the security policy rule group. By default, a security policy rule group is enabled.
include-member: Specifies security policy rules in the security policy rule group.
Usage guidelines
Security policy rule grouping allows users to enable, disable, delete, and move security policy rules in batches.
A security policy rule in a security policy rule group takes effect only when both the rule and the group are enabled.
To add a list of security policy rules, make sure the end rule is listed behind the start rule and the specified rules do not belong to any other security policy rule group.
When you execute the undo command, follow these restrictions and guidelines:
· The undo group name group-name command deletes only the specified security policy rule group.
· The undo group name group-name description command deletes only the description for the specified security policy rule group.
· The undo group name group-name include-member command deletes both the specified security policy rule group and all the security policy rules in the group.
Examples
# Create security policy rule group group1, add security policy rules rule-name1 through rule-name10 to the group, and specify the group description as marketing.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] group name group1 from rule-name1 to rule-name10 enable description marketing
group rename
Use group rename to rename a security policy rule group.
Syntax
group rename old-name new-name
Views
Security policy view
Predefined user roles
network-admin
context-admin
Parameters
old-name: Specifies the name of a security policy rule group, a case-insensitive string of 1 to 63 characters.
new-name: Specifies a new name for the security policy rule group, a case-insensitive string of 1 to 63 characters.
Examples
# Rename security policy rule group group1 to group2.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] group rename group1 group2
logging enable
Use logging enable to enable logging for matched packets.
Use undo logging enable to disable logging for matched packets.
Syntax
logging enable
undo logging enable
Default
Logging for matched packets is disabled.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Usage guidelines
This feature enables the security policy module to send log messages to the information center when packets match a security policy.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output packet matching logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view packet matching logs stored on the device, use the display logbuffer command or open the security policy log page from the Web interface of the device. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable matched packet logging for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] logging enable
Related commands
display security-policy
move rule
Use move rule to change the rule match order of a security policy rule.
Syntax
move rule rule-id before insert-rule-id
Views
IPv4 security policy view
IPv6 security policy view
Predefined user roles
network-admin
context-admin
Parameters
rule-id: Specifies the ID of a rule, in the range of 0 to 65534.
insert-rule-id: Specifies the ID of the target rule before which a rule is inserted. The target rule ID is in the range of 0 to 65535. If you specify 65535 as the target rule ID, the rule is moved to the end of the list.
Usage guidelines
The system does not execute the command in the following situations:
· You specify the same value for the rule-id and insert-rule-id arguments.
· You specify a nonexistent rule.
Examples
# Insert rule 5 before rule 2 for the IPv4 security policy.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] move rule 5 before 2
Related commands
rule
security-policy ip
security-policy ipv6
parent-group
Use parent-group to specify a security policy rule group for a security policy rule.
Use undo parent-group to restore the default.
Syntax
parent-group group-name
undo parent-group
Default
A security policy rule does not belong to any security policy rule group.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
group-name: Specifies the name of a security policy rule group, a case-insensitive string of 1 to 63 characters.
Examples
# Assign security policy rule rule1 to security policy rule group group1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 1 name rule1
[Sysname-security-policy-ip-1-rule1] parent-group group1
profile
Use profile to apply a DPI application profile to a security policy rule.
Use undo profile to remove the DPI application profile applied to a security policy rule.
Syntax
profile app-profile-name
undo profile
Default
No DPI application profile is applied to a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
app-profile-name: Specifies the name of a DPI application profile, a case-insensitive string of 1 to 63 characters. For more information about DPI application profiles, see DPI engine in DPI Configuration Guide.
Usage guidelines
This feature enables the device to perform DPI on packets matching the specified rule. For more information about DPI, see DPI Configuration Guide.
This feature takes effect only when the rule action is pass.
Examples
# Apply DPI application profile p1 to IPv4 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] action pass
[Sysname-security-policy-ip-0-rule1] profile p1
Related commands
action pass
app-profile (DPI Command Reference)
display security-policy ip
reset security-policy statistics
Use reset security-policy statistics to clear security policy statistics.
Syntax
reset security-policy statistics [ ip | ipv6 ] [ rule rule-name ]
Views
Any view
Predefined user roles
network-admin
context-admin
Parameters
ip: Specifies the IPv4 security policy.
ipv6: Specifies the IPv6 security policy.
rule rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters.
Usage guidelines
If you do not specify any keyword or option, the command clears all security policy statistics.
Examples
# Clear the security policy statistics about IPv4 security policy rule abc.
<Sysname> reset security-policy statistics ip rule abc
Related commands
display security-policy statistics
rule
Use rule to create a security policy rule and enter its view, or enter the view of an existing security policy rule.
Use undo rule to delete the specified security policy rule.
Syntax
rule { rule-id | [ rule-id ] name rule-name }
undo rule { rule-id | name rule-name } *
Default
No security policy rules exist.
Views
IPv4 security policy view
IPv6 security policy view
Predefined user roles
network-admin
context-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify an ID for the rule, the system automatically assigns the rule the integer next to the greatest ID being used. If the greatest ID is 65534, the system assigns the rule the smallest unused number in the range.
rule-name: Specifies a globally unique rule name, a case-insensitive string of 1 to 127 characters. The name cannot be default. You must specify a rule name when creating a rule.
Examples
# Create an IPv4 security policy rule with rule ID 0 and rule name rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1]
Related commands
display security-policy ip
display security-policy ipv6
security-policy
Use security-policy to enter security policy view.
Use undo security-policy to delete all configurations in security policy view.
Syntax
security-policy { ip | ipv6 }
undo security-policy { ip | ipv6 }
Default
No configurations exist in security policy view.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
ip: Specifies the IPv4 security policy.
ipv6: Specifies the IPv6 security policy.
Examples
# Enter IPv4 security policy view.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip]
Related commands
display security-policy
security-policy config-logging send-time
Use security-policy config-logging send-time to set the time at which the device fast outputs security policy settings as logs every day.
Use undo security-policy config-logging send-time to restore the default.
Syntax
security-policy config-logging send-time time
undo security-policy config-logging send-time
Default
The device fast outputs security policy settings as logs every day at 0 o'clock.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
time: Specify the time at which the device fast outputs security policy settings as logs, in the format of hh:mm. The value range for the hh argument is 00 to 23 and the value range for the mm argument is 00 to 59.
Usage guidelines
After the customlog format security-policy sgcc command is executed, the device fast outputs settings of enabled security policies as logs in SGCC format every day at the specified time. For more information about fast log output, see Network Management and Monitoring Configuration Guide.
Examples
# Configure the device to fast output security policy settings as logs every day at 13:15.
<Sysname>system-view
[Sysname] security-policy config-loggging send-time 13:15
Related commands
customlog format security-policy sgcc (Network Management and Monitoring Command Reference)
customlog host export security-policy (Network Management and Monitoring Command Reference)
security-policy disable
Use security-policy disable to disable the security policy feature.
Use undo security-policy disable to enable the security policy feature.
Syntax
security-policy disable
undo security-policy disable
Default
The security policy feature is enabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Security policy settings take effect only when the security policy feature is enabled.
After the device starts up, the device automatically executes the security-policy disable command to disable the security policy feature if object policy settings exist in the configuration file. If object policy settings do not exist in the configuration file, the device enables the security policy feature.
Security policies and object policies cannot take effect at the same time on a device. If security policy is enabled, object policies lose effect at the first time security policy view is entered. If you are to manually configure security policies item by item based on object policy settings, keep the security policy feature disabled until you finish the configuration.
After a configuration rollback from security policies to object policies, disable the security feature for the object policies to take effect.
Examples
# Disable the security policy feature.
<Sysname> system-view
[Sysname] security-policy disable
security-policy switch-from object-policy
Use security-policy switch-from object-policy to switch object policy settings to security policy settings.
Syntax
security-policy switch-from object-policy object-filename security-filename
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
object-filename: Specifies the configuration file to be switched by its name, a case-sensitive string of 1 to 255 characters. The name must end with .cfg and cannot contain forward slashes (/). Make sure the specified configuration file exist in the root directory of the storage medium.
security-filename: Specifies the name of the configuration file to be created, a case-sensitive string of 1 to 255 characters. The name must end with .cfg and cannot contain forward slashes (/). The created configuration file will be saved in the root directory of the storage medium.
Usage guidelines
This feature enables you to achieve fast switching from object policy settings to security policy settings.
For the switched security policy settings to take effect, reboot the device after the switching process completes.
Examples
# Switch object policy settings in configuration file startup.cfg to security policy settings.
<Sysname> system-view
[Sysname] security-policy switch-from object-policy startup.cfg startup_secp.cfg
Configuration switching begins...
Object policies in the specified configuration file have been switched to security policies.
This command will reboot the device. Continue? [Y/N]:
service
Use service to specify a service object group as a filtering criterion of a security policy rule.
Use undo service to remove the specified service object group from a security policy rule.
Syntax
service { object-group-name | any }
undo service [ object-group-name | any ]
Default
No service object group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
object-group-name: Specifies the name of a service object group, a case-insensitive string of 1 to 31 characters.
any: Specifies all service object groups.
Usage guidelines
You can execute the command multiple times to specify multiple service object groups as the filtering criteria.
If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.
If you specify neither an object group nor the any keyword when executing the undo service command, the command removes all service object groups from the security policy rule.
Examples
# Specify service object groups http and ftp as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] service http
[Sysname-security-policy-ip-0-rule1] service ftp
Related commands
display security-policy
object-group
session aging-time
Use session aging-time to set the session aging time for a security policy rule.
Use undo session aging-time to restore the default.
Syntax
session aging-time time-value
undo session aging-time
Default
The session aging time is not configured for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
time-value: Specifies the aging time in the range of 1 to 2000000 seconds.
Usage guidelines
This command sets the aging time for stable sessions created for packets matching the specified security policy rule, and takes effect only on newly created sessions.
If the aging time is not configured for a rule, the stable sessions use the aging time set by using the session aging-time application or the session aging-time state command. For more information about session management, see Security Configuration Guide.
The session aging time for unstable sessions is one hour.
Examples
# Set the session aging time to 5000 seconds for security policy rule rule1.
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] action pass
[Sysname-security-policy-ip-0-rule1] session aging-time 5000
Related commands
session aging-time application
session aging-time state
session persistent acl
session persistent aging-time
Use session persistent aging-time to set the aging time for persistent sessions.
Use undo session persistent aging-time to restore the default.
Syntax
session persistent aging-time time-value
undo session persistent aging-time
Default
The persistent session aging time is not configured for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
time-value: Specifies the aging time in the range of 0 to 24000 hours. If you set the aging time to 0, persistent sessions do not age out.
Usage guidelines
This command is effective only on TCP sessions in ESTABLISHED state.
It sets the aging time for persistent sessions created for packets matching the specified security policy rule, and takes effect only on newly created sessions.
The aging time configured by using this command takes precedence over the aging times configured by using the session aging-time and session persistent acl commands.
Examples
# Set the persistent session aging time to one hour for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] action pass
[Sysname-security-policy-ip-0-rule1] session persistent aging-time 1
Related commands
display security-policy
session persistent acl
source-ip
Use source-ip to specify a source IP address object group as a filtering criterion of a security policy rule.
Use undo source-ip to remove the specified source IP address object group from a security policy rule.
Syntax
source-ip object-group-name
undo source-ip [ object-group-name ]
Default
No source IP address object group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
object-group-name: Specifies the name of a source IP address object group, a case-insensitive string of 1 to 31 characters. The name cannot be any. If you do not specify this argument when executing the undo source-ip command, the command removes all source IP address object groups from the rule. For more information about object groups, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple source IP address object groups as the filtering criteria.
If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.
Examples
# Specify source IP address object groups server1 and server2 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-ip server1
[Sysname-security-policy-ip-0-rule1] source-ip server2
Related commands
display security-policy
object-group
source-mac
Use source-mac to specify a source MAC address object group as a filtering criterion of a security policy rule.
Use undo source-mac to remove the specified source MAC address object group from a security policy rule.
Syntax
source-mac object-group-name
undo source-mac [ object-group-name ]
Default
No source MAC address object group is specified as a filtering criterion for a security policy rule.
Views
IPv4 security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
object-group-name: Specifies the name of a source MAC address object group, a case-insensitive string of 1 to 31 characters. The name cannot be any. If you do not specify this argument when executing the undo source-mac command, the command removes all source MAC address object groups from the rule. For more information about MAC address object groups, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple source MAC address object groups as the filtering criteria.
If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.
Examples
# Specify source MAC address object groups mac1 and mac2 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-mac mac1
[Sysname-security-policy-ip-0-rule1] source-mac mac2
Related commands
display security-policy
object-group
source-zone
Use source-zone to specify a source security zone as a filtering criterion of a security policy rule.
Use undo source-zone to remove the specified source security zone from a security policy rule.
Syntax
source-zone source-zone-name
undo source-zone [ source-zone-name ]
Default
No source security zone is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
source-zone-name: Specifies the name of a source security zone, a case-insensitive string of 1 to 31 characters. If you do not specify this argument when executing the undo source-zone command, the command removes all source security zones from the rule. For more information about security zones, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple source security zones as the filtering criteria.
Examples
# Specify source security zones trust and dmz as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-zone trust
[Sysname-security-policy-ip-0-rule1] source-zone dmz
Related commands
display security-policy
security-zone
time-range
Use time-range to specify the time range during which a security policy rule is in effect.
Use undo time-range to restore the default.
Syntax
time-range time-range-name
undo time-range
Default
A security policy rule is in effect at any time.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
time-range-name: Specifies the name of a time range, a case-insensitive string of 1 to 32 characters. For more information about time ranges, see ACL and QoS Configuration Guide.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable security policy rule rule1 to be in effect during time range work.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] time-range work
Related commands
display security-policy
time-range (ACL and QoS Command Reference)
track
Use track to associate a security policy rule with a track entry.
Use undo track to disassociate a security policy rule from the track entry.
Syntax
track { negative | positive } track-entry-number
undo track
Default
No track entry is associated with a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
negative: Specifies the Negative state of a track entry.
positive: Specifies the Positive state of a track entry.
track-entry-number: Specifies the number of a track entry, in the range of 1 to 1024. For more information about Track, see High Availability Configuration Guide.
Usage guidelines
Use this command to enable the collaboration between the track module and a security policy rule. The collaboration operates as follows:
· If a rule is associated with the Negative state of a track entry, the device:
¡ Sets the rule state to Active if the track entry is in Negative state.
¡ Sets the rule state to Inactive if the track entry is in Positive state.
· If a rule is associated with the Positive state of a track entry, the device:
¡ Sets the rule state to Active if the track entry is in Positive state.
¡ Sets the rule state to Inactive if the track entry is in Negative state.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Associate security policy rule rule1 with the Positive state of track entry 10.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] track positive 10
Related commands
display security-policy
track bfd (High Availability Command Reference)
track interface (High Availability Command Reference)
track ip route reachability (High Availability Command Reference)
track nqa (High Availability Command Reference)
user
Use user to specify a user as a filtering criterion of a security policy rule.
Use undo user to remove the specified user filtering criterion from a security policy rule.
Syntax
user username [ domain domain-name ]
undo user [ username [ domain domain-name ] ]
Default
No user is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
username: Specifies a username, a case-sensitive string of 1 to 55 characters. The name cannot be a, al, or all and cannot contain backslashes (\), vertical bars (|), forward slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@). If you do not specify this argument when executing the undo user command, the command removes all users from the rule. For more information about users and identity domains, see user identification in Security Configuration Guide.
domain domain-name: Matches the user in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The string cannot contain forward slashes (/), backslashes (\), vertical bars (|), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@). If you do not specify this option, the command matches the user among users that do not belong to any identity domain.
Usage guidelines
You can execute the command multiple times to specify multiple users as the filtering criteria.
Examples
# Specify users usera and userb in identity domain test as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] user usera domain test
[Sysname-security-policy-ip-0-rule1] user userb domain test
Related commands
display security-policy
user-identity enable
user-identity static-user
user-group
Use user-group to specify a user group as a filtering criterion of a security policy rule.
Use undo user-group to remove the specified user group filtering criterion from a security policy rule.
Syntax
user-group user-group-name [ domain domain-name ]
undo user-group [ user-group-name [ domain domain-name ] ]
Default
No user group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
user-group-name: Specifies the name of a user group, a case-insensitive string of 1 to 200 characters. If you do not specify this argument when executing the undo user-group command, the command removes all user groups from the rule. For more information about user groups and identity domains, see user identification in Security Configuration Guide.
domain domain-name: Matches the user group in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The string cannot contain forward slashes (/), backslashes (\), vertical bars (|), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@). If you do not specify this option, the command matches the user group among user groups that do not belong to any identity domain.
Usage guidelines
You can execute the command multiple times to specify multiple user groups as the filtering criteria.
Examples
# Specify user groups groupa and groupb in identity domain test as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] user-group groupa domain test
[Sysname-security-policy-ip-0-rule1] user-group groupb domain test
Related commands
display security-policy
user-group
vrf
Use vrf to configure a security policy rule to take effect on received packets of the specified MPLS L3VPN instance.
Use undo vrf to restore the default.
Syntax
vrf vrf-name
undo vrf
Default
A security policy rule takes effect on received packets of the public network.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
vrf-name: Specifies the name of an MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure security policy rule rule1 to take effect on received packets of MPLS L3VPN instance vpn1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] user-group groupa
[Sysname-security-policy-ip-0-rule1] user-group groupb
Related commands
display security-policy
