03-Security Configuration Guide
02-Security policy configuration
Contents
Restrictions and guidelines: Security policy configuration
Configuration procedure diagram
Prerequisites for security policies
Security policy tasks at a glance
Switching object policies to security policies
About switching object policies to security policies
Restrictions and guidelines for switching object policies to security policies
Prerequisites for switching object policies to security policies
Manually switching object policies to security policies
Enabling the security policy feature
Configuring security policy rules
Creating a security policy rule
Configuring filtering criteria for a security policy rule
Specifying the action for a security policy rule
Specifying a time range for a security policy rule
Applying a DPI application profile to a security policy rule
Setting the session aging time for a security policy rule
Associating a security policy rule with a track entry
Enabling logging for matched packets
Enabling statistics collection for matched packets
Activating rule matching acceleration
Disabling a security policy rule
Configuring security policy rule groups
Creating a security policy rule group
Specifying a security policy rule group for a security policy rule
Moving a security policy rule group
Renaming a security policy rule group
Setting the time for fast output of security policy settings as logs
Display and maintenance commands for security policies
Security policy configuration examples
Example: Configuring an IPv4 security policy
Example: Configuring domain name-based security policy
Example: Switching object policies to security policies
Example: Configuring a security policy for OSPF communication
Configuring security policies
About security policies
A security policy defines a set of rules for forwarding control and Deep Packet Inspection (DPI). It matches packets against the rules and takes the action stated in the rules on the matched packets.
Benefits
Security policies can provide the same functions as packet filtering and object policies, and support precise network management based on application, protocol, and user. Combined with DPI, security policies can also provide security protection services such as antivirus and intrusion protection.
For more information about packet filtering, see ACL and QoS Configuration Guide. For more information about object policies, see "Configuring object policies."
Security policy rules
A security policy contains one or more rules. Each security policy rule is a permit, deny, or DPI statement that identifies traffic based on match criteria.
Rule numbering
Each rule is uniquely identified by a name and an ID. When you create a rule, the rule name must be manually configured, and the rule ID can be manually configured or automatically assigned by the system.
Rule match criteria
The rule match criteria include the following types: source security zone, destination security zone, source IP address and source MAC address, destination IP address, user and user group, application and application group, VPN instance, and service.
You can specify multiple criteria for each type, except VPN instance. For example, you can configure multiple source security zones for a rule.
Rule and session management
When a security policy is configured, the device generates session entries for permitted packets to record packet information.
You can set session aging times for protocol states, application layer protocols, or rules. The aging time configured for a rule takes precedence over the aging time configured for a protocol state or an application layer protocol. For more information about session management, see "Managing sessions."
Security policy mechanism
As shown in Figure 1, a security policy operates as follows:
1. After receiving a packet, the device matches the packet against the configured security policy rules.
A security policy rule includes various match criterion types. A packet is considered matched if it matches all the criterion types in the rule. Each criterion type includes one or more criteria, and a packet matches a criterion type if it matches any criterion of the type. Source MAC address criteria and source IP address criteria belong to the same criterion type.
  - If no match is found, the device discards the packet.
  - If a match is found and the rule action is drop, the device discards the packet.
  - If a match is found and the rule action is pass, the device goes to the next step.
2. If a DPI application profile is configured for the matched rule, the device uses the specified profile to perform DPI on the packet. If no DPI application profile is specified, the device allows the packet to pass.
Figure 1 Security policy mechanism
Rule matching acceleration
This feature accelerates security policy rule matching to enhance connection establishment and packet forwarding performance, especially for a device using multiple rules to match packets from multiple users.
Matching of security policy rules switched from object policies is accelerated by default. You need to activate rule matching acceleration if a rule is modified or newly added, or if the acceleration feature is deactivated for certain reasons. The following methods are available for activating rule matching acceleration:
· Manual activation—Activates rule matching acceleration immediately after the accelerate enhanced enable command is executed.
· Automatic activation—Enables the device to detect security policy changes at specific intervals and activate rule matching acceleration automatically if any change has been made. If there are 100 or fewer security policies, the interval is 2 seconds. If there are more than 100 security policies, the interval is 20 seconds.
Security policy rule grouping
Security policy rule grouping allows users to enable, disable, delete, and move security policy rules in batches. A security policy rule in a security policy rule group takes effect only when both the rule and the group are enabled.
Restrictions and guidelines: Security policy configuration
When you configure security policies, follow these restrictions and guidelines:
· If the security policy feature is enabled, object policy settings lose effect the first time you enter security policy view. Make sure object policy settings have been switched to security policy settings before you enter security policy view.
· Packet filtering, if configured, is performed only on packets that do not match any security policy rule. As a best practice, make sure security policies have stricter filtering criteria than packet filtering, so the unmatched packets can still be filtered by packet filtering.
· Create rules in depth-first order (rules with stricter match criteria first), because the system matches packets against rules in the order in which the rules were created.
· Security policy rules specified with an IP address object group that uses a user or user group cannot match packets. To filter packets by user or user group, configure security policy rules specified with user or user group criteria.
Configuration procedure diagram
Figure 2 shows how to configure a security policy.
Figure 2 Security policy configuration procedure
Prerequisites for security policies
Before you configure security policies, perform the following tasks:
· Configure a time range. See time range configuration in ACL and QoS Configuration Guide.
· Configure IP address object groups and service object groups. See "Configuring object groups."
· Configure applications and application groups. See "Configuring APR."
· Configure user and user groups. See "Configuring user identification."
· Configure security zones. See "Configuring security zones."
· Configure DPI. See DPI Configuration Guide.
Security policy tasks at a glance
To configure security policies, perform the following tasks:
1. (Optional.) Switching object policies to security policies
2. Enabling the security policy feature
3. Configuring security policy rules
a. Creating a security policy rule
b. Configuring filtering criteria for a security policy rule
c. Specifying the action for a security policy rule
d. (Optional.) Specifying a time range for a security policy rule
e. (Optional.) Applying a DPI application profile to a security policy rule
f. (Optional.) Setting the session aging time for a security policy rule
g. (Optional.) Associating a security policy rule with a track entry
h. (Optional.) Enabling logging for matched packets
i. (Optional.) Enabling statistics collection for matched packets
4. (Optional.) Managing security policies
a. Changing the rule match order
b. Activating rule matching acceleration
c. Disabling a security policy rule
5. (Optional.) Configuring security policy rule groups
a. Creating a security policy rule group
b. Specifying a security policy rule group for a security policy rule
c. Moving a security policy rule group
d. Renaming a security policy rule group
6. (Optional.) Setting the time for fast output of security policy settings as logs
Switching object policies to security policies
About switching object policies to security policies
After upgrading a device from a version that does not support security policies to a version that does, you can perform this task to quickly switch object policies to security policies. Object policy settings lose effect after the switching.
The device performs object policy switching as follows:
1. Saves the specified configuration file as a new file with the specified name.
2. Switches object policy rules in the new file in the order that the rules are displayed on the device (the rule match order).
3. Deletes object policy settings and their relations with security zone pairs in the new file.
4. Sets the new file as the main next-startup configuration file.
The security policy settings take effect after the device reboots.
Restrictions and guidelines for switching object policies to security policies
When you switch object policies to security policies, follow these restrictions and guidelines:
· Enable the security policy feature before you execute the manual switching command.
· Security policy rules switched from object policy rules that are not applied to any security zone pairs are in inactive state and do not take effect.
· Do not configure any security policy settings before switching.
· To downgrade the software to a version that does not support security policies, first set the configuration file used before the switching as the main next-startup configuration file. In-Service Software Upgrade (ISSU) is not supported because the device must be restarted after downgrading.
· Make sure the working directory is on a fixed storage medium in the device, for example, the flash memory, instead of a removable storage medium, such as a hard disk.
Prerequisites for switching object policies to security policies
Before you switch object policies to security policies, complete the following tasks:
· Change the object policy rule match order to make sure the rules are created in the depth-first order.
· Make sure no object policy is applied to zone pairs that use security zone any as the source or destination security zone.
· Make sure configuration file encryption is disabled.
· Before you perform manual switching, make sure the current software version supports security policies. For more information about software upgrading, see Fundamentals Configuration Guide.
Manually switching object policies to security policies
1. Enter system view.
system-view
2. Switch object policy settings in the specified configuration file to security policy settings.
security-policy switch-from object-policy object-filename security-filename
Enabling the security policy feature
Restrictions and guidelines
Security policy settings take effect only when the security policy feature is enabled.
After the device starts up, the device automatically executes the security-policy disable command to disable the security policy feature if object policy settings exist in the configuration file. If object policy settings do not exist in the configuration file, the device enables the security policy feature.
Security policies and object policies cannot take effect at the same time on a device. If the security policy feature is enabled, object policies lose effect the first time security policy view is entered. If you intend to manually configure security policies item by item based on object policy settings, keep the security policy feature disabled until you finish the configuration.
After a configuration rollback from security policies to object policies, disable the security policy feature for the object policies to take effect.
Procedure
1. Enter system view.
system-view
2. Enable the security policy feature.
undo security-policy disable
By default, the security policy feature is enabled.
Configuring security policy rules
Creating a security policy rule
About this task
By default, no rules exist in a security policy, and the device allows only packets exchanged between the Management security zone and the Local security zone to pass. For the device to process packets correctly, configure policy rules for each security policy.
If a configured feature, such as dynamic routing, tunneling, or VPN, requires exchanges with the device, configure security policy rules that allow the Local security zone to communicate with the specific zones.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. (Optional.) Configure a description for the policy.
description text
By default, a security policy does not have a description.
4. Create a security policy rule.
rule { rule-id | [ rule-id ] name rule-name }
5. (Optional.) Configure a description for the rule.
description text
By default, a security policy rule does not have a description.
Configuring filtering criteria for a security policy rule
Restrictions and guidelines
A rule matches all packets if no criteria are specified for the rule.
If a specified object group has no objects, the rule cannot match any packets.
Packets exchanged between the Management and Local security zones are allowed to pass by default and can only match local-to-management or management-to-local security policy rules. To discard packets between the Management and Local security zones, configure local-to-management and management-to-local rules and specify the rule actions as drop.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Configure source filtering criteria:
  - Specify a source security zone as a filtering criterion.
source-zone source-zone-name
By default, no source security zone is specified as a filtering criterion.
  - Specify a source IP address object group as a filtering criterion.
source-ip object-group-name
By default, no source IP address object group is specified as a filtering criterion.
  - Specify a source MAC address object group as a filtering criterion.
source-mac object-group-name
By default, no source MAC address object group is specified as a filtering criterion.
5. Configure destination filtering criteria:
  - Specify a destination security zone as a filtering criterion.
destination-zone destination-zone-name
By default, no destination security zone is specified as a filtering criterion.
  - Specify a destination IP address object group as a filtering criterion.
destination-ip object-group-name
By default, no destination IP address object group is specified as a filtering criterion.
6. Specify a service object group as a filtering criterion.
service { object-group-name | any }
By default, no service object group is specified as a filtering criterion.
7. Configure application filtering criteria:
  - Specify an application as a filtering criterion.
application application-name
By default, no application is specified as a filtering criterion.
For the device to identify the applications used as filtering criteria, you must also permit the applications they depend on to pass through.
  - Specify an application group as a filtering criterion.
app-group app-group-name
By default, no application group is specified as a filtering criterion.
8. Configure user filtering criteria:
  - Specify a user as a filtering criterion.
user username [ domain domain-name ]
By default, no user is specified as a filtering criterion.
  - Specify a user group as a filtering criterion.
user-group user-group-name [ domain domain-name ]
By default, no user group is specified as a filtering criterion.
9. Configure the rule to take effect on received packets of the specified VPN instance.
vrf vrf-name
By default, a security policy rule takes effect on received packets of the public network.
Specifying the action for a security policy rule
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Specify the action for the security policy rule.
action { drop | pass }
By default, the action for a security policy rule is drop.
Specifying a time range for a security policy rule
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Specify a time range during which the security policy rule is in effect.
time-range time-range-name
By default, a security policy rule is in effect at any time.
Applying a DPI application profile to a security policy rule
About this task
This feature enables the device to perform DPI on packets matching the specified rule. For more information about DPI, see DPI Configuration Guide.
Restrictions and guidelines
This feature takes effect only when the rule action is pass.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Specify the rule action as pass.
action pass
By default, the action for a security policy rule is drop.
5. Apply a DPI application profile to the rule.
profile app-profile-name
By default, no DPI application profile is applied to a rule.
Setting the session aging time for a security policy rule
About this task
Perform this task to specify the aging time for stable sessions and persistent sessions. The configuration takes effect only on sessions established afterwards.
The configured aging time for persistent sessions is effective only on TCP sessions in ESTABLISHED state.
The session aging times configured by using the session persistent aging-time, session aging-time, and session persistent acl commands take precedence in that order, from highest to lowest.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Set the session aging time.
session aging-time time-value
By default, the session aging time is not configured.
5. Set the aging time for persistent sessions.
session persistent aging-time time-value
By default, the aging time for persistent sessions is not configured.
Associating a security policy rule with a track entry
About this task
Perform this task to enable the collaboration between the track module and a security policy rule. The collaboration operates as follows:
· If a rule is associated with the Negative state of a track entry, the device:
  - Sets the rule state to Active if the track entry is in Negative state.
  - Sets the rule state to Inactive if the track entry is in Positive state.
· If a rule is associated with the Positive state of a track entry, the device:
  - Sets the rule state to Active if the track entry is in Positive state.
  - Sets the rule state to Inactive if the track entry is in Negative state.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Associate the rule with a track entry.
track { negative | positive } track-entry-number
By default, no track entry is associated with a rule.
Enabling logging for matched packets
About this task
This feature enables the device to log matching packets and send the log to the information center for processing. The log destinations and output rules are determined by the information center settings. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Enable logging for matched packets.
logging enable
By default, logging for matched packets is disabled.
Enabling statistics collection for matched packets
About this task
Perform this task to enable the device to collect statistics about matched packets. The collected statistics can be viewed by executing the display security-policy statistics command.
Restrictions and guidelines
When inter-VLAN bridge forwarding is configured, this feature collects statistics only about packets discarded by security policies and DPI. Statistics about permitted packets are not collected. For more information about inter-VLAN bridge forwarding, see Layer 2 forwarding in Layer 2—LAN Switching Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Enable statistics collection for matched packets.
counting enable
By default, the device does not collect statistics about matched packets.
Changing the rule match order
About this task
The device matches packets against security policy rules in the order the rules were created. You can change the rule match order by changing the position of a security policy rule in the rule list.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Move a security policy rule.
move rule rule-id before insert-rule-id
Activating rule matching acceleration
About this task
You need to activate rule matching acceleration in one of the following conditions:
· Rule matching acceleration is deactivated because of insufficient hardware resources.
· The settings in security policy rule view or the objects in an object group of a rule change.
· A new rule is added.
If rule matching acceleration is deactivated or fails to be activated, all rules can match packets only at the unaccelerated, low speed.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Activate rule matching acceleration.
accelerate enhanced enable
Disabling a security policy rule
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Disable the security policy rule.
disable
By default, a security policy rule is enabled.
Configuring security policy rule groups
Creating a security policy rule group
About this task
Perform this task to create a security policy rule group and add security policy rules to the group.
Restrictions and guidelines
To add a range of security policy rules, make sure the end rule is listed after the start rule and none of the specified rules belongs to another security policy rule group.
A security policy rule group can contain only IPv4 rules or IPv6 rules.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Create a security policy rule group and add security policy rules to the group.
group name group-name [ from rule-name1 to rule-name2 ] [ description description-text ] [ disable | enable ]
Specifying a security policy rule group for a security policy rule
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Specify a security policy rule group for the security policy rule.
parent-group group-name
Moving a security policy rule group
About this task
Perform this task to move a security policy rule group to change the match order of security policy rules.
Restrictions and guidelines
If you specify a target security policy rule that belongs to a security policy rule group, follow these restrictions and guidelines:
· If the target rule is neither the start nor end rule of the group, you cannot move a security policy rule group to the place before or after the rule.
· If the target rule is the start rule of the group, you can only move a security policy rule group to the place before the rule.
· If the target rule is the end rule of the group, you can only move a security policy rule group to the place after the rule.
You can move a security policy rule group before or after a security policy rule or group of the same type (IPv4 or IPv6).
Procedure
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Move a security policy rule group.
group move group-name1 { after | before } { group group-name2 | rule rule-name }
Renaming a security policy rule group
1. Enter system view.
system-view
2. Enter IPv4 or IPv6 security policy view.
security-policy { ip | ipv6 }
3. Rename a security policy rule group.
group rename old-name new-name
Setting the time for fast output of security policy settings as logs
About this task
After the customlog format security-policy sgcc command is executed, the device fast outputs settings of enabled security policies as logs in SGCC format every day at the specified time. For more information about fast log output, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Set the time at which the device fast outputs security policy settings as logs every day.
security-policy config-logging send-time time
By default, the device fast outputs security policy settings as logs every day at 0 o'clock.
Display and maintenance commands for security policies
Execute display commands in any view and reset commands in user view.
Task | Command
---|---
Display security policy configuration. | display security-policy { ip \| ipv6 }
Display security policy statistics. | display security-policy statistics { ip \| ipv6 } [ rule rule-name ]
Display the security policy switching result. | display security-policy switch-result
Clear security policy statistics. | reset security-policy statistics [ ip \| ipv6 ] [ rule rule-name ]
Security policy configuration examples
Example: Configuring an IPv4 security policy
Network configuration
Configure security policy to achieve the following goals:
· The president office can access the financial database server through HTTP at any time.
· The financial office can access the financial database server through HTTP from 8:00 to 18:00 on weekdays.
· The marketing office cannot access the financial database server through HTTP at any time.
Procedure
1. Assign IP addresses to interfaces and configure routes. Make sure the network connections are available. (Details not shown.)
2. Create a time range named work to cover 8:00 to 18:00 on weekdays.
<Device> system-view
[Device] time-range work 08:00 to 18:00 working-day
3. Create security zones:
# Create a security zone named database, and add GigabitEthernet 1/2/5/1 to the zone.
[Device] security-zone name database
[Device-security-zone-database] import interface gigabitethernet 1/2/5/1
[Device-security-zone-database] quit
# Create a security zone named president, and add GigabitEthernet 1/2/5/2 to the zone.
[Device] security-zone name president
[Device-security-zone-president] import interface gigabitethernet 1/2/5/2
[Device-security-zone-president] quit
# Create a security zone named finance, and add GigabitEthernet 1/2/5/3 to the zone.
[Device] security-zone name finance
[Device-security-zone-finance] import interface gigabitethernet 1/2/5/3
[Device-security-zone-finance] quit
# Create a security zone named market, and add GigabitEthernet 1/2/5/4 to the zone.
[Device] security-zone name market
[Device-security-zone-market] import interface gigabitethernet 1/2/5/4
[Device-security-zone-market] quit
4. Create object groups:
# Create an IPv4 address object group named database. Configure an IPv4 address object with the subnet address of 192.168.0.0/24 for the group.
[Device] object-group ip address database
[Device-obj-grp-ip-database] network subnet 192.168.0.0 24
[Device-obj-grp-ip-database] quit
# Create an IPv4 address object group named president. Configure an IPv4 address object with the subnet address of 192.168.1.0/24 for the group.
[Device] object-group ip address president
[Device-obj-grp-ip-president] network subnet 192.168.1.0 24
[Device-obj-grp-ip-president] quit
# Create an IPv4 address object group named finance. Configure an IPv4 address object with the subnet address of 192.168.2.0/24 for the group.
[Device] object-group ip address finance
[Device-obj-grp-ip-finance] network subnet 192.168.2.0 24
[Device-obj-grp-ip-finance] quit
# Create an IPv4 address object group named market. Configure an IPv4 address object with the subnet address of 192.168.3.0/24 for the group.
[Device] object-group ip address market
[Device-obj-grp-ip-market] network subnet 192.168.3.0 24
[Device-obj-grp-ip-market] quit
# Create a service object group named web. Configure a service object with the HTTP service.
[Device] object-group service web
[Device-obj-grp-service-web] service 6 destination eq 80
[Device-obj-grp-service-web] quit
5. Configure the IPv4 security policy:
# Enter IPv4 security policy view.
[Device] security-policy ip
# Create a security policy rule named president-database. Configure the rule to allow the president office to access the financial database server through HTTP at any time.
[Device-security-policy-ip] rule 0 name president-database
[Device-security-policy-ip-0-president-database] source-zone president
[Device-security-policy-ip-0-president-database] destination-zone database
[Device-security-policy-ip-0-president-database] source-ip president
[Device-security-policy-ip-0-president-database] destination-ip database
[Device-security-policy-ip-0-president-database] service web
[Device-security-policy-ip-0-president-database] action pass
[Device-security-policy-ip-0-president-database] quit
# Create a security policy rule named finance-database. Configure the rule to allow the financial office to access the financial database server through HTTP from 8:00 to 18:00 on weekdays.
[Device-security-policy-ip] rule 1 name finance-database
[Device-security-policy-ip-1-finance-database] source-zone finance
[Device-security-policy-ip-1-finance-database] destination-zone database
[Device-security-policy-ip-1-finance-database] source-ip finance
[Device-security-policy-ip-1-finance-database] destination-ip database
[Device-security-policy-ip-1-finance-database] service web
[Device-security-policy-ip-1-finance-database] action pass
[Device-security-policy-ip-1-finance-database] time-range work
[Device-security-policy-ip-1-finance-database] quit
# Create a security policy rule named market-database. Configure the rule to prohibit the marketing office from accessing the financial database server through HTTP at any time.
[Device-security-policy-ip] rule 2 name market-database
[Device-security-policy-ip-2-market-database] source-zone market
[Device-security-policy-ip-2-market-database] destination-zone database
[Device-security-policy-ip-2-market-database] source-ip market
[Device-security-policy-ip-2-market-database] destination-ip database
[Device-security-policy-ip-2-market-database] service web
[Device-security-policy-ip-2-market-database] action drop
[Device-security-policy-ip-2-market-database] quit
6. Activate rule matching acceleration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
Verifying the configuration
# Use a PC in each office to access the Web service of the financial database server through the browser. (Details not shown.)
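The following is an added example, not part of the H3C guide: a small matcher that evaluates the three rules configured above against constructed flows, showing first-match order, the effect of the work time range on the finance rule, and the implicit drop for traffic that matches no rule. The database subnet (192.168.0.0/24) and the exact definition of the work time range (08:00 to 18:00, Monday to Friday) are assumptions, since this excerpt does not show either definition.

```python
# Added example, not from the H3C guide: a matcher that evaluates the three rules
# configured above against constructed flows, showing first-match order, the
# 'work' time range and the implicit drop for traffic matching no rule.
import ipaddress
from datetime import datetime

# Constructed to match this example; the database subnet and the 'work' time range
# (08:00-18:00, Monday to Friday) are assumptions, as this excerpt does not list them.
ADDRESS_GROUPS = {name: ipaddress.ip_network(net) for name, net in (
    ("president", "192.168.1.0/24"), ("finance", "192.168.2.0/24"),
    ("market", "192.168.3.0/24"), ("database", "192.168.0.0/24"))}
SERVICE_GROUPS = {"web": ("tcp", 80)}  # object-group service web: tcp destination eq 80


def work(ts):
    return ts.weekday() < 5 and 8 <= ts.hour < 18


RULES = [  # configured order; the first matching rule decides the action
    dict(name="president-database", zones=("president", "database"),
         source_ip="president", destination_ip="database", service="web", action="pass"),
    dict(name="finance-database", zones=("finance", "database"), time_range=work,
         source_ip="finance", destination_ip="database", service="web", action="pass"),
    dict(name="market-database", zones=("market", "database"),
         source_ip="market", destination_ip="database", service="web", action="drop"),
]


def matches(rule, pkt, ts):
    """True when every criterion of the rule (zones, addresses, service, time) holds."""
    return ((pkt["src_zone"], pkt["dst_zone"]) == rule["zones"]
            and ipaddress.ip_address(pkt["src"]) in ADDRESS_GROUPS[rule["source_ip"]]
            and ipaddress.ip_address(pkt["dst"]) in ADDRESS_GROUPS[rule["destination_ip"]]
            and (pkt["proto"], pkt["dport"]) == SERVICE_GROUPS[rule["service"]]
            and rule.get("time_range", lambda _: True)(ts))


def evaluate(pkt, ts):
    """Return (rule name, action) of the first match, or (None, 'drop') if none matches."""
    for rule in RULES:
        if matches(rule, pkt, ts):
            return rule["name"], rule["action"]
    return None, "drop"


def flow(zone, src, dst="192.168.0.5", proto="tcp", dport=80):
    return dict(src_zone=zone, dst_zone="database", src=src, dst=dst, proto=proto, dport=dport)


MONDAY_10AM = datetime(2024, 1, 8, 10, 0)  # inside the 'work' time range
SUNDAY_10AM = datetime(2024, 1, 7, 10, 0)  # outside it


def demo():
    """Constructed sample flows -> {label: (matched rule, action)}."""
    cases = {"president Sunday": (flow("president", "192.168.1.10"), SUNDAY_10AM),
             "finance Monday": (flow("finance", "192.168.2.10"), MONDAY_10AM),
             "finance Sunday": (flow("finance", "192.168.2.10"), SUNDAY_10AM),
             "market Monday": (flow("market", "192.168.3.10"), MONDAY_10AM)}
    return {label: evaluate(pkt, ts) for label, (pkt, ts) in cases.items()}
```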
Example: Configuring domain name-based security policy
Network configuration
As shown in Figure 4, a Web server with domain name www.abc.com is deployed to process financial affairs. The domain name has been registered on the DNS server.
Configure a security policy to achieve the following goals:
· The financial office can access the financial Web server through HTTP.
· The marketing office cannot access the financial Web server through HTTP at any time.
Procedure
1. Assign IP addresses to interfaces and configure routes. Make sure the network connections are available. (Details not shown.)
2. Configure security zones:
# Create a security zone named web, and add GigabitEthernet 1/2/5/1 to the zone.
[Device] security-zone name web
[Device-security-zone-web] import interface gigabitethernet 1/2/5/1
[Device-security-zone-web] quit
# Create a security zone named market, and add GigabitEthernet 1/2/5/2 to the zone.
[Device] security-zone name market
[Device-security-zone-market] import interface gigabitethernet 1/2/5/2
[Device-security-zone-market] quit
# Create a security zone named finance, and add GigabitEthernet 1/2/5/3 to the zone.
[Device] security-zone name finance
[Device-security-zone-finance] import interface gigabitethernet 1/2/5/3
[Device-security-zone-finance] quit
# Create a security zone named dns, and add GigabitEthernet 1/2/5/4 to the zone.
[Device] security-zone name dns
[Device-security-zone-dns] import interface gigabitethernet 1/2/5/4
[Device-security-zone-dns] quit
3. Configure object groups:
# Create an IPv4 address object group named web. Configure an IPv4 address object with host name www.abc.com for the group.
[Device] object-group ip address web
[Device-obj-grp-ip-web] network host name www.abc.com
[Device-obj-grp-ip-web] quit
# Create an IPv4 address object group named market. Configure an IPv4 address object with the subnet address of 10.0.12.0/24 for the group.
[Device] object-group ip address market
[Device-obj-grp-ip-market] network subnet 10.0.12.0 24
[Device-obj-grp-ip-market] quit
# Create an IPv4 address object group named finance. Configure an IPv4 address object with the subnet address of 10.0.11.0/24 for the group.
[Device] object-group ip address finance
[Device-obj-grp-ip-finance] network subnet 10.0.11.0 24
[Device-obj-grp-ip-finance] quit
4. Specify the IP address of the DNS server as 10.10.10.10.
[Device] dns server 10.10.10.10
5. Configure the IPv4 security policy:
# Enter IPv4 security policy view.
[Device] security-policy ip
# Create a security policy rule named local-dns. Configure the rule to allow the device to access the DNS server.
[Device-security-policy-ip] rule 0 name local-dns
[Device-security-policy-ip-0-local-dns] source-zone local
[Device-security-policy-ip-0-local-dns] destination-zone dns
[Device-security-policy-ip-0-local-dns] action pass
[Device-security-policy-ip-0-local-dns] quit
# Create a security policy rule named host-dns. Configure the rule to allow the financial department and marketing department to access the DNS server.
[Device-security-policy-ip] rule 5 name host-dns
[Device-security-policy-ip-5-host-dns] source-zone finance
[Device-security-policy-ip-5-host-dns] source-zone market
[Device-security-policy-ip-5-host-dns] source-ip finance
[Device-security-policy-ip-5-host-dns] source-ip market
[Device-security-policy-ip-5-host-dns] destination-zone dns
[Device-security-policy-ip-5-host-dns] action pass
[Device-security-policy-ip-5-host-dns] quit
# Create a security policy rule named finance-web. Configure the rule to allow the financial department to access the financial Web server through HTTP.
[Device-security-policy-ip] rule 1 name finance-web
[Device-security-policy-ip-1-finance-web] source-zone finance
[Device-security-policy-ip-1-finance-web] destination-zone web
[Device-security-policy-ip-1-finance-web] source-ip finance
[Device-security-policy-ip-1-finance-web] destination-ip web
[Device-security-policy-ip-1-finance-web] service http
[Device-security-policy-ip-1-finance-web] action pass
[Device-security-policy-ip-1-finance-web] quit
# Create a security policy rule named market-web. Configure the rule to forbid the marketing department from accessing the financial Web server through HTTP.
[Device-security-policy-ip] rule 2 name market-web
[Device-security-policy-ip-2-market-web] source-zone market
[Device-security-policy-ip-2-market-web] destination-zone web
[Device-security-policy-ip-2-market-web] source-ip market
[Device-security-policy-ip-2-market-web] destination-ip web
[Device-security-policy-ip-2-market-web] service http
[Device-security-policy-ip-2-market-web] action drop
[Device-security-policy-ip-2-market-web] quit
6. Activate rule matching acceleration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
Verifying the configuration
# Use a PC in each office to access the Web service of the financial server. (Details not shown.)
Example: Switching object policies to security policies
Network configuration
Object policies are already configured to achieve the following goals:
· The president office can access the financial database server through HTTP at any time.
· The financial office can access the financial database server through HTTP during working hours.
· The marketing office cannot access the financial database server through HTTP at any time.
The device software needs to be upgraded to a version that supports security policy. Switch object policy settings to security policy settings after software upgrade to achieve the same goals and ensure correct network operation.
Figure 5 Network diagram
Procedure
1. Make sure you have completed the tasks in "Prerequisites for switching object policies to security policies."
2. Switch object policy settings to security policy settings.
# Enter system view.
<Device> system-view
# Switch object policy settings in configuration file startup.cfg to security policy settings.
[Device] security-policy switch-from object-policy startup.cfg startup_secp.cfg
Configuration switching begins...
Object policies in the specified configuration file have been switched to security policies.
This command will reboot the device. Continue? [Y/N]:y
[Device]
System is starting...
Press Ctrl+D to access BASIC-BOOTWARE MENU...
Press Ctrl+T to start heavy memory test
Verifying the configuration
# Use a PC in each office to access the Web service of the financial database server through the browser. (Details not shown.)
# Verify that the security policy settings are consistent with the object policy settings. The following shows the sample settings.
· Object policy settings:
#
object-group ip address database
0 network subnet 192.168.0.0 255.255.255.0
#
object-group ip address finance
0 network subnet 192.168.2.0 255.255.255.0
#
object-group ip address market
0 network subnet 192.168.3.0 255.255.255.0
#
object-group ip address president
0 network subnet 192.168.1.0 255.255.255.0
#
object-group service web
0 service tcp destination eq 80
#
object-policy ip finance-database
rule 0 pass source-ip finance destination-ip database service web time-range work
#
object-policy ip market-database
rule 0 drop source-ip market destination-ip database service web
#
object-policy ip president-database
rule 0 pass source-ip president destination-ip database service web
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name database
import interface GigabitEthernet1/2/5/1
#
security-zone name finance
import interface GigabitEthernet1/2/5/3
#
security-zone name market
import interface GigabitEthernet1/2/5/4
#
security-zone name president
import interface GigabitEthernet1/2/5/2
#
zone-pair security source finance destination database
object-policy apply ip finance-database
#
zone-pair security source market destination database
object-policy apply ip market-database
#
zone-pair security source president destination database
object-policy apply ip president-database
#
· Security policy settings:
#
object-group ip address database
0 network subnet 192.168.0.0 255.255.255.0
#
object-group ip address finance
0 network subnet 192.168.2.0 255.255.255.0
#
object-group ip address market
0 network subnet 192.168.3.0 255.255.255.0
#
object-group ip address president
0 network subnet 192.168.1.0 255.255.255.0
#
object-group service web
0 service tcp destination eq 80
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name database
import interface GigabitEthernet1/2/5/1
#
security-zone name finance
import interface GigabitEthernet1/2/5/3
#
security-zone name market
import interface GigabitEthernet1/2/5/4
#
security-zone name president
import interface GigabitEthernet1/2/5/2
#
zone-pair security source finance destination database
#
zone-pair security source market destination database
#
zone-pair security source president destination database
#
security-policy ip
rule 0 name finance-database-0
action pass
time-range work
source-zone finance
destination-zone database
source-ip finance
destination-ip database
service web
rule 1 name market-database-1
source-zone market
destination-zone database
source-ip market
destination-ip database
service web
rule 2 name president-database-2
action pass
source-zone president
destination-zone database
source-ip president
destination-ip database
service web
#
Example: Configuring a security policy for OSPF communication
Network configuration
As shown in Figure 6, OSPF is configured and the network is divided into three areas. Device A and Device B act as ABRs to exchange traffic between areas.
Configure the IPv4 security policy to make sure each router can learn the routes to all network segments in the AS.
Configuring Device A
1. Assign IP addresses to interfaces. (Details not shown.)
2. Add interfaces to security zones:
# Add interface GigabitEthernet 1/2/5/1 to security zone untrust.
<DeviceA> system-view
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/2/5/1
[DeviceA-security-zone-Untrust] quit
# Add interface GigabitEthernet 1/2/5/2 to security zone trust.
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/2/5/2
[DeviceA-security-zone-Trust] quit
3. Configure security policies:
# Create security policy rule untrust-local and permit packets from security zone untrust to security zone local to pass.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule 0 name untrust-local
[DeviceA-security-policy-ip-0-untrust-local] source-zone untrust
[DeviceA-security-policy-ip-0-untrust-local] destination-zone local
[DeviceA-security-policy-ip-0-untrust-local] action pass
[DeviceA-security-policy-ip-0-untrust-local] quit
# Create security policy rule local-untrust and permit packets from security zone local to security zone untrust to pass.
[DeviceA-security-policy-ip] rule 1 name local-untrust
[DeviceA-security-policy-ip-1-local-untrust] source-zone local
[DeviceA-security-policy-ip-1-local-untrust] destination-zone untrust
[DeviceA-security-policy-ip-1-local-untrust] action pass
[DeviceA-security-policy-ip-1-local-untrust] quit
# Create security policy rule trust-untrust and permit packets from security zone trust to security zone untrust to pass.
[DeviceA-security-policy-ip] rule 2 name trust-untrust
[DeviceA-security-policy-ip-2-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-2-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-2-trust-untrust] action pass
[DeviceA-security-policy-ip-2-trust-untrust] quit
# Create security policy rule untrust-trust and permit packets from security zone untrust to security zone trust to pass.
[DeviceA-security-policy-ip] rule 3 name untrust-trust
[DeviceA-security-policy-ip-3-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-3-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-3-untrust-trust] action pass
[DeviceA-security-policy-ip-3-untrust-trust] quit
[DeviceA-security-policy-ip] quit
4. Configure basic OSPF functions.
[DeviceA] router id 2.2.2.1
[DeviceA] ospf
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] area 1
[DeviceA-ospf-1-area-0.0.0.1] network 2.2.2.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.1] quit
[DeviceA-ospf-1] quit
Configuring Device B
5. Assign IP addresses to interfaces. (Details not shown.)
6. Add interfaces to security zones:
# Add interface GigabitEthernet 1/2/5/1 to security zone untrust.
<DeviceB> system-view
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/2/5/1
[DeviceB-security-zone-Untrust] quit
# Add interface GigabitEthernet 1/2/5/2 to security zone trust.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/2/5/2
[DeviceB-security-zone-Trust] quit
7. Configure security policies:
# Create security policy rule untrust-local and permit packets from security zone untrust to security zone local to pass.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule 0 name untrust-local
[DeviceB-security-policy-ip-0-untrust-local] source-zone untrust
[DeviceB-security-policy-ip-0-untrust-local] destination-zone local
[DeviceB-security-policy-ip-0-untrust-local] action pass
[DeviceB-security-policy-ip-0-untrust-local] quit
# Create security policy rule local-untrust and permit packets from security zone local to security zone untrust to pass.
[DeviceB-security-policy-ip] rule 1 name local-untrust
[DeviceB-security-policy-ip-1-local-untrust] source-zone local
[DeviceB-security-policy-ip-1-local-untrust] destination-zone untrust
[DeviceB-security-policy-ip-1-local-untrust] action pass
[DeviceB-security-policy-ip-1-local-untrust] quit
# Create security policy rule trust-untrust and permit packets from security zone trust to security zone untrust to pass.
[DeviceB-security-policy-ip] rule 2 name trust-untrust
[DeviceB-security-policy-ip-2-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-2-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-2-trust-untrust] action pass
[DeviceB-security-policy-ip-2-trust-untrust] quit
# Create security policy rule untrust-trust and permit packets from security zone untrust to security zone trust to pass.
[DeviceB-security-policy-ip] rule 3 name untrust-trust
[DeviceB-security-policy-ip-3-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-3-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-3-untrust-trust] action pass
[DeviceB-security-policy-ip-3-untrust-trust] quit
[DeviceB-security-policy-ip] quit
8. Configure basic OSPF functions.
[DeviceB] router id 3.3.3.1
[DeviceB] ospf
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] area 2
[DeviceB-ospf-1-area-0.0.0.2] network 3.3.3.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.2] quit
[DeviceB-ospf-1] quit
Verifying the configuration
# View detailed information about OSPF neighbors on Device A.
[DeviceA] display ospf peer verbose
OSPF Process 1 with Router ID 2.2.2.1
Neighbors
Area 0.0.0.0 interface 1.1.1.1(GigabitEthernet1/2/5/1)'s neighbors
Router ID: 3.3.3.1 Address: 1.1.1.2 GR State: Normal
State: Full Mode: Nbr is master Priority: 1
DR: 1.1.1.1 BDR: 1.1.1.2 MTU: 0
Options is 0x42 (-|O|-|-|-|-|E|-)
Dead timer due in 32 sec
Neighbor is up for 00:07:08
Authentication Sequence: [ 0 ]
Neighbor state change count: 5
BFD status: Disabled
# View OSPF routing information on Device A.
[DeviceA] display ospf routing
OSPF Process 1 with Router ID 2.2.2.1
Routing Table
Routing for network
Destination        Cost  Type     NextHop      AdvRouter    Area
3.3.3.0/24         2     Inter    1.1.1.2      3.3.3.1      0.0.0.0
2.2.2.0/24         1     Stub     0.0.0.0      2.2.2.1      0.0.0.1
1.1.1.0/24         1     Transit  0.0.0.0      2.2.2.1      0.0.0.0
Total nets: 3
Intra area: 2 Inter area: 1 ASE: 0 NSSA: 0
# Verify that PCs in area 1 can ping PCs in area 2. (Details not shown.)