04-DPI Command Reference

08-Proxy policy commands

Proxy policy commands

action

Use action to set the action for traffic matching a proxy policy rule.

Use undo action to restore the default.

Syntax

action { no-proxy | ssl-decrypt | tcp-proxy }

undo action

Default

The no-proxy action is used.

Views

Proxy policy rule view

Predefined user roles

network-admin

context-admin

Parameters

no-proxy: Specifies the no-proxy action.

ssl-decrypt: Specifies the SSL decryption action.

tcp-proxy: Specifies the TCP proxy action.

Usage guidelines

The device supports the following actions for traffic matching a proxy policy rule:

·     No-proxy—The device directly transmits the traffic without TCP or SSL proxy.

·     SSL-decryption—The device acts as an SSL proxy to decrypt the SSL traffic and performs deep packet inspection and Layer 7 load balancing on the decrypted traffic. SSL decryption is implemented on top of TCP proxy.

·     TCP-proxy—The device acts as a TCP proxy and provides TCP-layer isolation between the TCP client and TCP server to effectively intercept malicious connections and attacks.

If you execute this command for a proxy policy rule multiple times, the most recent configuration takes effect.

Examples

# Specify the ssl-decrypt action for proxy policy rule1.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy] rule 1 name rule1

[Sysname-app-proxy-policy-0-rule1] action ssl-decrypt

Related commands

display app-proxy-policy

rule

app-proxy ssl-decrypt-certificate delete

Use app-proxy ssl-decrypt-certificate delete to delete an SSL decryption certificate.

Syntax

app-proxy ssl-decrypt-certificate delete filename filename

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

filename: Specifies an SSL decryption certificate by its file name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

The device, acting as an SSL proxy, requires the correct SSL decryption certificate to issue proxy server certificates to send to clients for server authentication. If the required SSL decryption certificate is not available, the device cannot set up a connection with the client and the SSL traffic will be transmitted directly without SSL decryption.

After an SSL decryption certificate is imported, its file extension will be changed to .cer, which must be appended to the file name when you delete the certificate.

Examples

# Delete SSL decryption certificate aaa.cer.

<Sysname> system-view

[Sysname] app-proxy ssl-decrypt-certificate delete filename aaa.cer

Related commands

display app-proxy ssl-decrypt-certificate

app-proxy ssl-decrypt-certificate import

Use app-proxy ssl-decrypt-certificate import to import a CA certificate as a trusted or untrusted SSL decryption certificate.

Syntax

app-proxy ssl-decrypt-certificate import { trusted | untrusted } { pem | p12 } filename filename

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

trusted: Imports the CA certificate as a trusted SSL decryption certificate.

untrusted: Imports the CA certificate as an untrusted SSL decryption certificate.

pem: Specifies the PEM certificate file format.

p12: Specifies the PKCS#12 certificate file format.

filename filename: Specifies the certificate file name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

The device supports a maximum of one trusted SSL decryption certificate and one untrusted SSL decryption certificate. When importing an SSL decryption certificate, you must mark the certificate as Trusted or Untrusted. If you import multiple trusted or multiple untrusted SSL decryption certificates to the device, the most recent configuration takes effect.

To use the same CA certificate as both the trusted and untrusted SSL decryption certificate, first import the certificate with the Trusted or Untrusted tag, and then add the other tag to the certificate by using the app-proxy ssl-decrypt-certificate modify command.

After an SSL decryption certificate is imported, its file extension will be changed to .cer.

After receiving the certificate of the real server, the device verifies the legitimacy of the server certificate on behalf of the SSL client.

·     If the server certificate is legitimate, the device uses the trusted SSL decryption certificate to issue a new certificate to the client. A server certificate issued by the trusted SSL decryption certificate is trusted by the client.

·     If the server certificate is illegitimate, the device uses the untrusted SSL decryption certificate to issue a new certificate to the client. A security alarm will be generated on the client and users must clear the alarm to continue the access.

The trusted SSL decryption certificate must be installed on the client browser. Otherwise, the client cannot trust the proxy server certificate signed by the trusted SSL decryption certificate and might display a warning or directly terminate proxied SSL connections without a warning.

A Firefox browser does not use the SSL decryption certificate in the Windows certificate store by default. To use the SSL decryption certificate in Firefox, use one of the following methods:

·     Import the SSL decryption certificate into the Firefox browser.

·     Configure the Firefox browser to use the SSL decryption certificate in the Windows certificate store through the following steps:

a.     Enter about:config in the address bar.

b.     In the Search box, enter security.enterprise_roots.enabled.

c.     Locate this entry, and double-click or right-click its value to change false to true.

Examples

# Import a PKCS#12 certificate file as a trusted SSL decryption certificate.

<Sysname> system-view

[Sysname] app-proxy ssl-decrypt-certificate import trusted p12 filename aaa.p12

Password:

Related commands

display app-proxy ssl-decrypt-certificate

app-proxy ssl-decrypt-certificate modify

Use app-proxy ssl-decrypt-certificate modify to add the Trusted or Untrusted tag to an SSL decryption certificate.

Use undo app-proxy ssl-decrypt-certificate modify to remove the Trusted or Untrusted tag from an SSL decryption certificate.

Syntax

app-proxy ssl-decrypt-certificate modify { trusted | untrusted } filename filename

undo app-proxy ssl-decrypt-certificate modify { trusted | untrusted }

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

trusted: Specifies the Trusted tag.

untrusted: Specifies the Untrusted tag.

filename: Specifies the SSL decryption certificate by its file name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

To use the same CA certificate as both the trusted and untrusted SSL decryption certificate, first import the certificate with the Trusted or Untrusted tag, and then use this command to add the other tag to the certificate.

When you add the Trusted or Untrusted tag to an SSL decryption certificate, the system asks whether you want to overwrite the SSL decryption certificate with the same tag if such a certificate already exists.

Removing the Trusted or Untrusted tag from an SSL decryption certificate does not remove the certificate file from the system. You can use the app-proxy ssl-decrypt-certificate modify command to add the Trusted or Untrusted tag to the certificate again.

After an SSL decryption certificate is imported, its file extension will be changed to .cer. Append the .cer file extension when you specify the file containing the certificate whose credibility you want to change.

Examples

# Add the Trusted tag to the CA certificate in certificate file aaa.cer.

<Sysname> system-view

[Sysname] app-proxy ssl-decrypt-certificate modify trusted filename aaa.cer

[Sysname] A trusted CA certificate already exists. Overwrite the existing trusted CA certificate with the specified certificate? [Y/N]:

Related commands

display app-proxy ssl-decrypt-certificate

app-proxy ssl whitelist activate

Use app-proxy ssl whitelist activate to activate SSL proxy whitelist settings.

Syntax

app-proxy ssl whitelist activate

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

The following SSL proxy whitelist settings must be manually activated by using this command:

·     Adding or removing hostnames to or from the user-defined SSL hostname whitelist.

·     Enabling or disabling hostnames on the predefined SSL hostname whitelist.

This command is supported only on the default context. For more information about contexts, see context configuration in Virtual Technologies Configuration Guide.

Examples

# Add example.com to the user-defined SSL hostname whitelist and activate the setting.

<Sysname> system-view

[Sysname] app-proxy ssl whitelist user-defined-hostname example.com

To activate the setting, execute app-proxy ssl whitelist activate.

[Sysname] app-proxy ssl whitelist activate

Related commands

app-proxy ssl whitelist predefined-hostname enable

app-proxy ssl whitelist user-defined-hostname

app-proxy ssl whitelist predefined-hostname enable

Use app-proxy ssl whitelist predefined-hostname enable to enable hostnames on the predefined SSL hostname whitelist.

Use undo app-proxy ssl whitelist predefined-hostname enable to disable hostnames on the predefined SSL hostname whitelist.

Syntax

app-proxy ssl whitelist predefined-hostname { chrome-hsts [ hostname ] | hostname } enable

undo app-proxy ssl whitelist predefined-hostname { chrome-hsts [ hostname ] | hostname } enable

Default

The entire predefined SSL hostname whitelist is enabled.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

chrome-hsts [ hostname ]: Specifies a hostname on the Chrome HSTS list. The hostname argument represents the hostname, a case-insensitive string of 1 to 63 characters. If the hostname contains spaces, enclose it in double quotation marks. For example, "user for test". If you do not specify a hostname, this command applies to all hostnames on the Chrome HSTS list.

hostname: Specifies a hostname that is not on the Chrome HSTS list. The hostname is a case-insensitive string of 1 to 63 characters. If the hostname contains spaces, enclose it in double quotation marks. For example, "user for test".

Usage guidelines

The Chrome HSTS list is a predefined list of server hostnames that are accessible to Web browsers only through HTTPS.

Follow these guidelines to enable or disable hostnames on the Chrome HSTS list:

·     When the entire Chrome HSTS list is enabled, you can disable individual hostnames on the list.

·     When the entire Chrome HSTS list is disabled, all hostnames on the list are disabled and cannot be enabled individually.

This command is supported only on the default context. For more information about contexts, see context configuration in Virtual Technologies Configuration Guide.

Examples

# Disable the entire Chrome HSTS list.

<Sysname> system-view

[Sysname] undo app-proxy ssl whitelist predefined-hostname chrome-hsts enable

To activate the setting, execute app-proxy ssl whitelist activate.

# Disable hostname 12306.cn on the predefined SSL hostname whitelist.

<Sysname> system-view

[Sysname] undo app-proxy ssl whitelist predefined-hostname 12306.cn enable

To activate the setting, execute app-proxy ssl whitelist activate.

Related commands

app-proxy ssl whitelist activate

display app-proxy ssl whitelist

app-proxy ssl whitelist user-defined-hostname

Use app-proxy ssl whitelist user-defined-hostname to add a hostname to the user-defined SSL hostname whitelist.

Use undo app-proxy ssl whitelist user-defined-hostname to remove hostnames from the user-defined SSL hostname whitelist.

Syntax

app-proxy ssl whitelist user-defined-hostname host-name

undo app-proxy ssl whitelist user-defined-hostname { host-name | all }

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

host-name: Specifies a hostname, a case-insensitive string of 1 to 63 characters. If the hostname contains spaces, enclose it in double quotation marks. For example, "user for test".

all: Specifies all hostnames on the user-defined SSL hostname whitelist.

Usage guidelines

If the DNS Name or Common Name value in a server certificate contains a hostname on the SSL hostname whitelist, the device does not proxy the SSL connections destined for the server.

This command must be manually activated by using the app-proxy ssl whitelist activate command.

This command is supported only on the default context. For more information about contexts, see context configuration in Virtual Technologies Configuration Guide.

Examples

# Add example.com to the user-defined SSL hostname whitelist and activate the configuration.

<Sysname> system-view

[Sysname] app-proxy ssl whitelist user-defined-hostname example.com

To activate the setting, execute app-proxy ssl whitelist activate.

[Sysname] app-proxy ssl whitelist activate

Related commands

app-proxy ssl whitelist activate

display app-proxy ssl whitelist

app-proxy-policy

Use app-proxy-policy to enter proxy policy view.

Use undo app-proxy-policy to remove all proxy policy configurations.

Syntax

app-proxy-policy

undo app-proxy-policy

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

The device supports only one IPv4 proxy policy.

Examples

# Enter proxy policy view.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy]

Related commands

display app-proxy-policy

default action

Use default action to specify the default action for the proxy policy.

Use undo default action to restore the default.

Syntax

default action { no-proxy | ssl-decrypt | tcp-proxy }

undo default action

Default

The proxy policy uses the no-proxy action.

Views

Proxy policy view

Predefined user roles

network-admin

context-admin

Parameters

no-proxy: Specifies the no-proxy action.

ssl-decrypt: Specifies the SSL decryption action.

tcp-proxy: Specifies the TCP proxy action.

Usage guidelines

The default action applies to packets that do not match any rules in the proxy policy.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the default action to ssl-decrypt for the proxy policy.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy] default action ssl-decrypt

destination-ip object-group

Use destination-ip object-group to configure an object group as a destination address filtering criterion in a proxy policy rule.

Use undo destination-ip object-group to remove destination address filtering criteria from a proxy policy rule.

Syntax

destination-ip object-group object-group-name

undo destination-ip object-group [ object-group-name ]

Default

A proxy policy rule does not contain any destination address filtering criterion.

Views

Proxy policy rule view

Predefined user roles

network-admin

context-admin

Parameters

object-group-name: Specifies an IP address object group by its name, a case-insensitive string of 1 to 31 characters. The object group must already exist and its name cannot be any.

Usage guidelines

You can repeat this command to set multiple destination address filtering criteria in a proxy policy rule. A packet passes the destination address filtering if it matches any of the configured destination address filtering criteria.

If you execute the undo destination-ip object-group command without specifying an object group, all destination address filtering criteria in the proxy policy rule will be deleted.

For more information about object groups, see object group configuration in Security Configuration Guide.

Examples

# In proxy policy rule rule1, set IP address object groups client1 and client2 as destination address filtering criteria.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy] rule 1 name rule1

[Sysname-app-proxy-policy-0-rule1] destination-ip object-group client1

[Sysname-app-proxy-policy-0-rule1] destination-ip object-group client2

Related commands

display app-proxy-policy

object-group (Security Command Reference)

destination-zone

Use destination-zone to configure a destination security zone filtering criterion in a proxy policy rule.

Use undo destination-zone to remove destination security zone filtering criteria from a proxy policy rule.

Syntax

destination-zone destination-zone-name

undo destination-zone [ destination-zone-name ]

Default

A proxy policy rule does not contain any destination security zone filtering criterion.

Views

Proxy policy rule view

Predefined user roles

network-admin

context-admin

Parameters

destination-zone-name: Specifies a destination security zone by its name, a case-insensitive string of 1 to 31 characters. The destination security zone name cannot be any.

Usage guidelines

You can repeat this command to set multiple destination security zone filtering criteria in a proxy policy rule. A packet passes the destination security zone filtering if it matches any of the configured destination security zone filtering criteria.

You can specify a nonexistent security zone for a destination security zone filtering criterion. However, the destination security zone filtering criterion does not take effect until the security zone is configured.

If you execute the undo destination-zone command without specifying a security zone, all destination security zone filtering criteria in the proxy policy rule will be deleted.

For more information about security zones, see security zone configuration in Security Configuration Guide.

Examples

# In proxy policy rule rule1, set security zones trust and server as destination security zone filtering criteria.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy] rule 1 name rule1

[Sysname-app-proxy-policy-0-rule1] destination-zone trust

[Sysname-app-proxy-policy-0-rule1] destination-zone server

Related commands

display app-proxy-policy

security-zone (Security Configuration Guide)

disable

Use disable to disable a proxy policy rule.

Use undo disable to enable a proxy policy rule.

Syntax

disable

undo disable

Default

A proxy policy rule is enabled.

Views

Proxy policy rule view

Predefined user roles

network-admin

context-admin

Usage guidelines

The device compares a packet against only the enabled proxy policy rules. The match process stops once a matching rule is found.

Examples

# Disable proxy policy rule rule1.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy] rule 1 name rule1

[Sysname-app-proxy-policy-0-rule1] disable

Related commands

rule
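The rule evaluation described under default action and disable (only enabled rules are compared, the first match wins, unmatched traffic gets the default action) together with the hostname whitelist matching described under app-proxy ssl whitelist user-defined-hostname, as an added Python model that is not H3C code. The zone names, the object group web-servers, the 203.0.113.0/24 addresses and the treatment of a whitelisted server as no-proxy are assumptions made for the example.

```python
"""Added model (not H3C code) of this page's proxy-policy and SSL-whitelist
semantics: enabled rules only, first match wins, any-of within a criterion,
default action otherwise, whitelisted servers bypass SSL decryption."""
import ipaddress
from dataclasses import dataclass, field

NO_PROXY, SSL_DECRYPT, TCP_PROXY = "no-proxy", "ssl-decrypt", "tcp-proxy"

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int

@dataclass
class Rule:
    rule_id: int
    name: str
    action: str = NO_PROXY
    enabled: bool = True  # toggled by "disable" / "undo disable"
    # Criteria hold zone or object-group names: a packet passes a criterion
    # if it matches ANY member; an empty (unconfigured) criterion passes all.
    src_zones: set = field(default_factory=set)
    dst_zones: set = field(default_factory=set)
    src_groups: set = field(default_factory=set)
    dst_groups: set = field(default_factory=set)

@dataclass
class ProxyPolicy:
    rules: list                                        # device order
    default_action: str = NO_PROXY                     # "default action"
    object_groups: dict = field(default_factory=dict)  # name -> [ip_network]

    def _ip_matches(self, ip, group_names):
        if not group_names:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for g in group_names
                   for net in self.object_groups.get(g, []))

    def _matches(self, rule, pkt):
        return ((not rule.src_zones or pkt.src_zone in rule.src_zones)
                and (not rule.dst_zones or pkt.dst_zone in rule.dst_zones)
                and self._ip_matches(pkt.src_ip, rule.src_groups)
                and self._ip_matches(pkt.dst_ip, rule.dst_groups))

    def action_for(self, pkt):
        """(action, rule name) of the first enabled matching rule, else default."""
        for rule in self.rules:
            if rule.enabled and self._matches(rule, pkt):
                return rule.action, rule.name
        return self.default_action, "default"

class SslWhitelist:
    """User-defined hostnames stay pending until activate() runs (app-proxy ssl
    whitelist activate); predefined entries carry an enabled flag."""

    def __init__(self, predefined, ip_entries):
        self.predefined = dict(predefined)      # hostname -> enabled?
        self.ip_entries = set(ip_entries)       # (address, port) pairs
        self.active_user, self.pending_user = set(), set()

    def add_user_hostname(self, name):
        self.pending_user.add(name.lower())

    def activate(self):
        self.active_user = set(self.pending_user)

    def exempts(self, pkt, cert_names):
        """cert_names: DNS Name values of the server certificate, or its Common
        Name when no DNS Name exists. The match is "contains", so example.com
        also covers shop.example.com."""
        if (pkt.dst_ip, pkt.dst_port) in self.ip_entries:
            return True
        hosts = self.active_user | {h.lower() for h, on in self.predefined.items() if on}
        return any(h in n.lower() for n in cert_names for h in hosts)

def effective_action(policy, whitelist, pkt, cert_names):
    """Assumption: a whitelisted server that a rule would ssl-decrypt is passed
    through as no-proxy (the page says only that it is not proxied)."""
    action, rule = policy.action_for(pkt)
    if action == SSL_DECRYPT and whitelist.exempts(pkt, cert_names):
        return NO_PROXY, rule + " (whitelisted)"
    return action, rule

def build_sample():
    """Constructed sample: one decrypt rule, one disabled catch-all rule,
    addresses from the 203.0.113.0/24 documentation range."""
    policy = ProxyPolicy(
        rules=[Rule(1, "rule1", SSL_DECRYPT, src_zones={"trust"},
                    dst_zones={"untrust"}, dst_groups={"web-servers"}),
               Rule(2, "rule2", TCP_PROXY, enabled=False)],
        object_groups={"web-servers": [ipaddress.ip_network("203.0.113.0/24")]})
    whitelist = SslWhitelist(
        predefined={"accounts.firefox.com": True, "12306.cn": False},
        ip_entries={("203.0.113.10", 443)})
    return policy, whitelist
```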

display app-proxy server-certificate

Use display app-proxy server-certificate to display the SSL server certificates received by the device as the SSL proxy client.

Syntax

display app-proxy server-certificate [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays certificate information on all member devices.

Usage guidelines

When implementing the SSL proxy function, the device acts as the SSL proxy client to complete the SSL handshake and establish an SSL connection with the SSL server. This command displays information about the SSL server certificates received by the device as the SSL proxy client.

Examples

# Display the SSL server certificates received by the device as the SSL proxy client on slot 1.

<Sysname> display app-proxy server-certificate slot 1

Slot1:

Total server certificates: --

Certificate info: /cn=h3c-https-self-signed-certificate-13a73249669cc70a

     Proxy count: 198

     Most recent proxy time: 2017/10/25 10:7:7

     First proxy at: 2017/10/23 15:52:59

Figure 1 Command output

Total server certificates: Total number of server certificates received by the device as the SSL proxy client.

Certificate info: Information about the certificate. This field displays the value in the DNS Name field (in the format of example.com) of the certificate. If the server certificate does not contain the DNS Name field, the value in the Common Name field (in the format of /cn=example.com) is displayed.

Proxy count: Number of times connections to the server have been proxied.

Most recent proxy time: Most recent time the device proxied a connection to the server.

First proxy at: First time the device proxied a connection to the server.

Related commands

reset app-proxy server-certificate

display app-proxy ssl-decrypt-certificate

Use display app-proxy ssl-decrypt-certificate to display SSL decryption certificate information.

Syntax

display app-proxy ssl-decrypt-certificate

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Examples

# Display SSL decryption certificate information.

<Sysname> display app-proxy ssl-decrypt-certificate

Trusted:

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            aa:31:f8:3d:06:b0:9b:

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=CN, ST=bj, L=cp, O=dpi, OU=sec, CN=trustca

        Validity

            Not Before: Sep  7 12:00:43 2017 GMT

            Not After : Aug 28 12:00:43 2057 GMT

        Subject: C=CN, ST=bj, L=cp, O=dpi, OU=sec, CN=trustca

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (2048 bit)

                Modulus:


                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Subject Alternative Name:

                IP Address:1.1.1.1, DNS:trustca, email:1@3.com

            X509v3 Basic Constraints: critical

                CA:TRUE

            X509v3 Key Usage: critical

                Certificate Sign, CRL Sign

            X509v3 Subject Key Identifier:

                D4:35:A8:66:63:03:04:2B:CA:4E:91:06:11:F5:72:1C:26:E0:BE:33

            Netscape Cert Type:

                SSL CA

            Netscape Comment:

                example comment extension

    Signature Algorithm: sha1WithRSAEncryption


Figure 2 Command output

Trusted: Credibility of the SSL decryption certificate, Trusted or Untrusted.

Version: Version number of the certificate.

Serial Number: Serial number of the certificate.

Signature Algorithm: Signature algorithm used in the certificate.

Issuer: Issuer of the certificate.

Validity: Validity of the certificate.

Subject: Identity of the entity to which the certificate belongs.

Subject Public Key Info: Public key information of the certificate subject.

Modulus: Modulus length of the key.

Exponent: Key exponent.

X509v3 extensions: X.509v3 extensions in the certificate.

X509v3 Subject Alternative Name: Alternative name of the certificate subject.

IP Address: IP address of the certificate subject.

DNS: DNS name of the certificate subject.

email: Email address of the certificate subject.

X509v3 Basic Constraints: Indicates whether the certificate belongs to a CA.

X509v3 Key Usage: Identifies the cryptographic operations which may be performed using the public key contained in the certificate.

X509v3 Subject Key Identifier: Key identifier of the certificate subject.

Netscape Cert Type: Netscape certificate type, an extension defined by Netscape to limit what the certificate can be used for.

Netscape Comment: Netscape comment that can be displayed in certain browsers.

display app-proxy ssl whitelist hostname

Use display app-proxy ssl whitelist hostname to display the SSL hostname whitelist.

Syntax

display app-proxy ssl whitelist hostname { predefined | user-defined }

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

user-defined: Displays the user-defined SSL hostname whitelist.

predefined: Displays the predefined SSL hostname whitelist.

Usage guidelines

This command is supported only on the default context. For more information about contexts, see context configuration in Virtual Technologies Configuration Guide.

Examples

# Display the user-defined SSL hostname whitelist.

<Sysname> display app-proxy ssl whitelist hostname user-defined

Hostname

example1.com

example2.com

# Display the predefined SSL hostname whitelist.

<Sysname> display app-proxy ssl whitelist hostname predefined

Chrome HSTS-defined hostnames:

  status      Hostname

  enabled     2mdn.net

  enabled     accounts.firefox.com

  enabled     aclu.org

  enabled     activiti.alfresco.com

  enabled     adamkostecki.de

  enabled     addvocate.com

  enabled     adsfund.org

  enabled     aie.de

  enabled     airbnb.com

  enabled     aladdinschools.appspot.com

  enabled     alexsexton.com

  enabled     alpha.irccloud.com

  enabled     android.com

  enabled     ansdell.net

  enabled     anycoin.me

  enabled     apadvantage.com

  enabled     api.intercom.io

  enabled     api.lookout.com

  enabled     api.mega.co.nz

  enabled     api.recurly.com

  enabled     api.simple.com

---- More ----

Figure 3 Command output

Chrome HSTS-defined hostnames: List of Chrome HSTS-defined hostnames accessible only through HTTPS.

Status: State of the hostname on the SSL hostname whitelist, Enabled or Disabled.

Related commands

app-proxy ssl whitelist predefined-hostname enable

app-proxy ssl whitelist user-defined-hostname

display app-proxy ssl whitelist ip

Use display app-proxy ssl whitelist ip to display the SSL IP address whitelist.

Syntax

display app-proxy ssl whitelist ip { all [ slot slot-number ] | ip-address }

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

all: Specifies all IP addresses on the SSL IP address whitelist.

ip-address: Specifies the IP address of an SSL IP address whitelist entry to be displayed.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the SSL IP address whitelist information on all member devices.

Examples

# Display the SSL IP address whitelist on slot 1.

<Sysname> display app-proxy ssl whitelist ip all slot 1

Slot 1:

IP address              Port

10.1.1.1                443

10.10.1.1               443

Figure 4 Command output

IP address: IP address in an SSL IP address whitelist entry.

Port: Port number of the SSL IP address whitelist entry. Connections destined for a server with the IP address and port number matching an IP address whitelist entry will not be proxied.

display app-proxy-policy

Use display app-proxy-policy to display proxy policy information.

Syntax

display app-proxy-policy [ rule rule-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

rule rule-name: Specifies a proxy policy rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a proxy policy rule, this command displays information about all proxy policy rules.

Examples

# Display proxy policy information and all rules in the policy.

<Sysname> display app-proxy-policy

Default action: ssl-decrypt

Rule with ID 0 and name rule0:

  Action: ssl-decrypt

  Status: Enabled

  Match criteria:

   Source security zones: trust

   Destination security zones: trust

   Source IP address object groups: srcobj

   Destination IP address object groups: destobj

   Service object groups: serviceobj

   Users: user1

   User groups: usergroup1

 

  Rule with ID 2 and name rule2:

  Action: ssl-decrypt

  Status: Enabled

  Match criteria:

  source-zone: trust

  destination-zone: Untrust

Figure 5 Command output

Default action: Default action of the policy:

·     no-proxy.

·     ssl-decrypt.

·     tcp-proxy.

Rule with ID rule-id and name rule-name: ID and name of a proxy policy rule.

Action: Action for traffic matching the proxy policy rule:

·     no-proxy.

·     ssl-decrypt.

·     tcp-proxy.

Source security zones: Source security zones to which the proxy policy rule applies.

Destination security zones: Destination security zones to which the proxy policy rule applies.

Source IP address object groups: Source IP address object groups to which the proxy policy rule applies.

Destination IP address object groups: Destination IP address object groups to which the proxy policy rule applies.

Service object groups: Service object groups to which the proxy policy rule applies.

Users: Users to whom the proxy policy rule applies.

User groups: User groups to which the proxy policy rule applies.

rule

Use rule to create a proxy policy rule and enter its view, or enter the view of an existing proxy policy rule.

Use undo rule to remove a proxy policy rule.

Syntax

rule { rule-id | [ rule-id ] name rule-name }

undo rule { rule-id | name rule-name }

Views

Proxy policy view

Predefined user roles

network-admin

context-admin

Parameters

rule-id: Specifies a rule ID, which must be an integer in the range of 1 to 65535. If you do not specify a rule ID when creating a rule, the system automatically assigns a rule ID that is larger than the largest rule ID already in use. If rule ID 65535 is already in use, the system assigns the smallest unused ID to the rule.

name rule-name: Specifies a rule name, a case-insensitive string of 1 to 63 characters. The rule name is required when you create a rule and it cannot be set to default.

Examples

# Create rule 1 named rule1.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy] rule 1 name rule1

[Sysname-app-proxy-policy-1-rule1]

Related commands

display app-proxy-policy

rule move id

Use rule move id to move a proxy policy rule to a new position by using the rule ID.

Syntax

rule move id rule-id before insert-rule-id

Views

Proxy policy view

Predefined user roles

network-admin

context-admin

Parameters

rule-id: Specifies the target rule to be moved by its ID in the range of 1 to 65535. The specified rule must already exist.

before: Moves the target rule ID before the reference rule ID.

insert-rule-id: Specifies the reference rule ID in the range of 1 to 65535. The target rule is moved to the position before the reference rule. To move the rule to the end of all rules, set the reference rule ID to 65535. The specified reference rule must already exist.

Examples

# Move rule 5 to the position before rule 2.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy] rule move id 5 before 2

Related commands

rule

rule move name

Use rule move name to move a proxy policy rule to a new position by using the rule name.

Syntax

rule move name rule-name1 { before [ rule-name2 ] | after rule-name2 }

Views

Proxy policy view

Predefined user roles

network-admin

context-admin

Parameters

rule-name1: Specifies the target rule to be moved by its name.

before: Moves the target rule name before the reference rule name. If no reference rule name is specified, the target rule name is moved to the front of all proxy policy rules.

after: Moves the target rule name after the reference rule name.

rule-name2: Specifies the reference rule by its name.

Usage guidelines

The proxy policy rule is not moved if the target rule and the reference rule are the same rule, or if either of them does not exist.
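The rule-ID assignment described for the rule command and the move semantics of rule move id and rule move name are easy to get wrong when scripting policy changes. The following Python model is an added example, not H3C code: it keeps a policy's rules in list order and reproduces the behaviour the reference states (IDs larger than the largest used, smallest unused once 65535 is taken, 65535 as reference meaning the end, before with no reference meaning the front, and no move when the target and reference are the same or missing). That a newly created rule is appended at the end of the list, and that an empty policy starts at ID 1, are assumptions.

```python
MAX_RULE_ID = 65535


class ProxyPolicy:
    """In-memory model of a proxy policy's rule list (added example).

    self.rules holds (rule_id, rule_name) pairs in list order. A new rule is
    appended at the end (assumption: the reference does not say where a new
    rule is placed). Names are compared case-insensitively, as the reference
    says rule names are case-insensitive.
    """

    def __init__(self):
        self.rules = []

    def ids(self):
        return [rid for rid, _ in self.rules]

    def names(self):
        return [name for _, name in self.rules]

    def _index_of_id(self, rule_id):
        return next((i for i, (rid, _) in enumerate(self.rules)
                     if rid == rule_id), None)

    def _index_of_name(self, name):
        return next((i for i, (_, n) in enumerate(self.rules)
                     if n.lower() == name.lower()), None)

    def add_rule(self, name, rule_id=None):
        """rule [ rule-id ] name rule-name; returns the ID assigned."""
        if not 1 <= len(name) <= 63 or name.lower() == "default":
            raise ValueError("rule name must be 1 to 63 characters and not 'default'")
        if self._index_of_name(name) is not None:
            raise ValueError("rule name already used")
        used = set(self.ids())
        if rule_id is None:
            if MAX_RULE_ID in used:
                # 65535 is taken: the smallest unused ID is assigned
                rule_id = next(i for i in range(1, MAX_RULE_ID + 1) if i not in used)
            else:
                # otherwise one larger than the largest ID in use
                # (1 for an empty policy is an assumption)
                rule_id = max(used, default=0) + 1
        elif not 1 <= rule_id <= MAX_RULE_ID or rule_id in used:
            raise ValueError("rule ID out of range or already used")
        self.rules.append((rule_id, name))
        return rule_id

    def move_id(self, rule_id, insert_rule_id):
        """rule move id rule-id before insert-rule-id. Returns True if moved."""
        src = self._index_of_id(rule_id)
        if src is None:
            return False
        if insert_rule_id == MAX_RULE_ID:
            ref = None                      # reference 65535 means the end of all rules
        else:
            ref = self._index_of_id(insert_rule_id)
            if ref is None or ref == src:
                return False
        entry = self.rules.pop(src)
        if ref is None:
            self.rules.append(entry)
        else:
            if ref > src:
                ref -= 1                    # list shrank by one ahead of the reference
            self.rules.insert(ref, entry)
        return True

    def move_name(self, rule_name1, position, rule_name2=None):
        """rule move name rule-name1 { before [ rule-name2 ] | after rule-name2 }."""
        if position not in ("before", "after"):
            raise ValueError("position must be 'before' or 'after'")
        src = self._index_of_name(rule_name1)
        if src is None:
            return False
        if rule_name2 is None:
            if position == "after":
                raise ValueError("after requires a reference rule name")
            self.rules.insert(0, self.rules.pop(src))   # before with no reference: front
            return True
        ref = self._index_of_name(rule_name2)
        if ref is None or ref == src:
            return False                    # same rule or nonexistent rule: not moved
        entry = self.rules.pop(src)
        if ref > src:
            ref -= 1
        self.rules.insert(ref + 1 if position == "after" else ref, entry)
        return True
```

The model can be driven from a change script to predict the final rule order before the commands are entered on the device, and compared afterwards with the order shown by display app-proxy-policy.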

Examples

# Move rule a to the position before rule b.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy] rule move name a before b

reset app-proxy server-certificate

Use reset app-proxy server-certificate to clear information about the SSL server certificates received by the device as the SSL proxy client.

Syntax

reset app-proxy server-certificate

Views

User view

Predefined user roles

network-admin

context-admin

Examples

# Clear information about the SSL server certificates received by the device as the SSL proxy client.

<Sysname> reset app-proxy server-certificate

Related commands

display app-proxy server-certificate

reset app-proxy ssl whitelist ip

Use reset app-proxy ssl whitelist ip to clear the SSL IP address whitelist.

Syntax

reset app-proxy ssl whitelist ip

Views

User view

Predefined user roles

network-admin

context-admin

Examples

# Clear the SSL IP address whitelist.

<Sysname> reset app-proxy ssl whitelist ip

Related commands

display app-proxy ssl whitelist ip

service

Use service object-group to configure a service filtering criterion in a proxy policy rule.

Use undo service object-group to remove service filtering criteria from a proxy policy rule.

Syntax

service object-group object-group-name

undo service object-group [ object-group-name ]

Default

A proxy policy rule does not contain any service filtering criterion.

Views

Proxy policy rule view

Predefined user roles

network-admin

context-admin

Parameters

object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 31 characters. The object group must already exist and its name cannot be any.

Usage guidelines

You can repeat this command to set multiple service filtering criteria in a proxy policy rule. A packet passes the service filtering if it matches any of the service filtering criteria.

For successful service filtering criterion configuration, make sure the specified service object group does not contain Layer 5 or higher layer protocols.

If you execute the undo service object-group command without specifying an object group, all service filtering criteria in the proxy policy rule will be deleted.

Examples

# In proxy rule rule1, specify object groups tcp and ftp as service filtering criteria.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy] rule 1 name rule1

[Sysname-app-proxy-policy-0-rule1] service object-group tcp

[Sysname-app-proxy-policy-0-rule1] service object-group ftp

Related commands

display app-proxy-policy

object-group (Security Command Reference)

source-ip object-group

Use source-ip object-group to configure an object group as a source address filtering criterion in a proxy policy rule.

Use undo source-ip object-group to remove source address filtering criteria from a proxy policy rule.

Syntax

source-ip object-group object-group-name

undo source-ip object-group [ object-group-name ]

Default

A proxy policy rule does not contain any source address filtering criterion.

Views

Proxy policy rule view

Predefined user roles

network-admin

context-admin

Parameters

object-group-name: Specifies an IP address object group by its name, a case-insensitive string of 1 to 31 characters. The object group must already exist and its name cannot be any.

Usage guidelines

You can repeat this command to set multiple source address filtering criteria in a proxy policy rule. A packet passes the source address filtering if it matches any of the configured source address filtering criteria.

If you execute the undo source-ip object-group command without specifying an object group, all source address filtering criteria in the proxy policy rule will be deleted.

For more information about object groups, see object group configuration in Security Configuration Guide.

Examples

# In proxy policy rule rule1, specify IP address object groups server1 and server2 as source address filtering criteria.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy] rule 1 name rule1

[Sysname-app-proxy-policy-0-rule1] source-ip object-group server1

[Sysname-app-proxy-policy-0-rule1] source-ip object-group server2

Related commands

display app-proxy-policy

object-group (Security Command Reference)

source-zone

Use source-zone to configure a source security zone filtering criterion in a proxy policy rule.

Use undo source-zone to remove source security zone filtering criteria from a proxy policy rule.

Syntax

source-zone source-zone-name

undo source-zone [ source-zone-name ]

Default

A proxy policy rule does not contain any source security zone filtering criterion.

Views

Proxy policy rule view

Predefined user roles

network-admin

context-admin

Parameters

source-zone-name: Specifies a source security zone by its name, a case-insensitive string of 1 to 31 characters. The source security zone name cannot be any.

Usage guidelines

You can repeat this command to set multiple source security zone filtering criteria in a proxy policy rule. A packet passes the source security zone filtering if it matches any of the configured source security zone filtering criteria.

You can specify a nonexistent security zone for a source security zone filtering criterion. However, the source security zone filtering criterion does not take effect until the security zone is configured.

If you execute the undo source-zone command without specifying a security zone, all source security zone filtering criteria in the proxy policy rule will be deleted.

For more information about security zones, see security zone configuration in Security Configuration Guide.

Examples

# In proxy policy rule rule1, specify security zones trust and server as source security zone filtering criteria.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy] rule 1 name rule1

[Sysname-app-proxy-policy-0-rule1] source-zone trust

[Sysname-app-proxy-policy-0-rule1] source-zone server

Related commands

display app-proxy-policy

security-zone (Security Command Reference)

user

Use user to configure a user filtering criterion in a proxy policy rule.

Use undo user to remove user filtering criteria from a proxy policy rule.

Syntax

user username [ domain domain-name ]

undo user [ username [ domain domain-name ] ]

Default

A proxy policy rule does not contain any user filtering criterion.

Views

Proxy policy rule view

Predefined user roles

network-admin

context-admin

Parameters

username: Specifies a username, a case-sensitive string of 1 to 55 characters. The username cannot be a, al, or all, and cannot contain the special characters listed in Table 1.

Table 1 Special characters

Character name        Symbol
Backslash             \
Vertical bar          |
Forward slash         /
Colon                 :
Asterisk              *
Question mark         ?
Left angle bracket    <
Right angle bracket   >
At sign               @

domain domain-name: Specifies the name of the identity domain to which the user belongs. The identity domain name is a case-insensitive string of 1 to 255 characters which cannot contain special characters listed in Table 1.

Usage guidelines

You can repeat this command to set multiple user filtering criteria in a proxy policy rule. A packet passes the user filtering if it matches any of the user filtering criteria.

The configuration succeeds but does not take effect if the specified user does not exist for any of the following reasons:

·     The user does not exist.

·     The domain does not exist.

·     The user does not exist in the domain.

For successful user filtering criterion configuration, the user must exist and belong to the domain, if specified.

Follow these guidelines when you execute the undo user command:

·     To remove all user filtering criteria in a proxy policy rule, do not specify any parameters.

·     To remove a user in a domain as a user filtering criterion, specify the username parameter with the domain domain-name option.

·     To remove a user that does not belong to any identity domains, specify the username parameter without the domain domain-name option.

Examples

# In proxy rule rule1, specify users usera and userb in domain test as user filtering criteria.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy] rule 1 name rule1

[Sysname-app-proxy-policy-0-rule1] user usera domain test

[Sysname-app-proxy-policy-0-rule1] user userb domain test

Related commands

display app-proxy-policy

user-identity enable (Security Command Reference)

user-identity static-user (Security Command Reference)

user-group

Use user-group to configure a user group filtering criterion in a proxy policy rule.

Use undo user-group to remove user group filtering criteria from a proxy policy rule.

Syntax

user-group user-group-name [ domain domain-name ]

undo user-group [ user-group-name [ domain domain-name ] ]

Default

A proxy policy rule does not contain any user group filtering criterion.

Views

Proxy policy rule view

Predefined user roles

network-admin

context-admin

Parameters

user-group-name: Specifies a user group by its name, a case-insensitive string of 1 to 200 characters.

domain domain-name: Specifies the name of the identity domain to which the user group belongs. The identity domain name is a case-insensitive string of 1 to 255 characters which cannot contain special characters listed in Table 2.

Table 2 Special characters

Character name        Symbol
Backslash             \
Vertical bar          |
Forward slash         /
Colon                 :
Asterisk              *
Question mark         ?
Left angle bracket    <
Right angle bracket   >
At sign               @

Usage guidelines

You can repeat this command to set multiple user group filtering criteria in a proxy policy rule. A packet passes the user group filtering if it matches any of the user group filtering criteria.

The command succeeds but does not take effect if the specified user group does not exist for any of the following reasons:

·     The user group does not exist.

·     The domain does not exist.

·     The user group does not exist in the domain.

Follow these guidelines when you execute the undo user-group command:

·     To remove all user group filtering criteria in a proxy policy rule, do not specify any parameters.

·     To remove a user group in a domain as a user group filtering criterion, specify the user-group-name parameter with the domain domain-name option.

·     To remove a user group that does not belong to any identity domains, specify the user-group-name parameter without the domain domain-name option.

For more information about user groups, see user identification configuration in Security Configuration Guide.
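The user and user-group commands above, together with the service object-group, source-ip object-group and source-zone commands earlier in this section, each place limits on the names they accept (length ranges, the reserved words any, a, al and all, and the special characters in Table 1 and Table 2). The following Python checks are an added example, not H3C code, for validating such names before a configuration script sends them to the device; they enforce only the limits this reference states, and the device itself may apply further checks (assumption).

```python
# Characters that Table 1 and Table 2 forbid in usernames and identity domain names.
SPECIAL_CHARS = frozenset("\\|/:*?<>@")
# Usernames the user command rejects (usernames are case-sensitive).
RESERVED_USERNAMES = frozenset({"a", "al", "all"})


def _length_problem(value, max_len, label):
    if not 1 <= len(value) <= max_len:
        return [f"{label} must be 1 to {max_len} characters"]
    return []


def _special_char_problem(value, label):
    bad = sorted(set(value) & SPECIAL_CHARS)
    if bad:
        return [f"{label} contains forbidden special characters: {''.join(bad)}"]
    return []


def check_domain(domain):
    """Identity domain name: 1 to 255 characters, no Table 1/2 characters."""
    return (_length_problem(domain, 255, "domain name")
            + _special_char_problem(domain, "domain name"))


def check_user_criterion(username, domain=None):
    """Checks for `user username [ domain domain-name ]`.
    Returns a list of problems; an empty list means the names are acceptable."""
    problems = _length_problem(username, 55, "username")
    if username in RESERVED_USERNAMES:
        problems.append("username cannot be a, al, or all")
    problems += _special_char_problem(username, "username")
    if domain is not None:
        problems += check_domain(domain)
    return problems


def check_user_group_criterion(user_group_name, domain=None):
    """Checks for `user-group user-group-name [ domain domain-name ]`.
    The reference limits the group name only by length (1 to 200)."""
    problems = _length_problem(user_group_name, 200, "user group name")
    if domain is not None:
        problems += check_domain(domain)
    return problems


def check_object_group_or_zone_name(name, label="object group name"):
    """Checks for service/source-ip object-group and source-zone names:
    1 to 31 characters and not 'any' (these names are case-insensitive)."""
    problems = _length_problem(name, 31, label)
    if name.lower() == "any":
        problems.append(f"{label} cannot be any")
    return problems


if __name__ == "__main__":
    for user, domain in (("alice", "corp"), ("all", None), ("bob@corp", "corp")):
        print(user, domain, check_user_criterion(user, domain))
```

Each function returns every problem found rather than stopping at the first, so a script can report all offending names in one pass.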

Examples

# In proxy rule rule1, specify user groups groupa and groupb in domain test as user group filtering criteria.

<Sysname> system-view

[Sysname] app-proxy-policy

[Sysname-app-proxy-policy] rule 1 name rule1

[Sysname-app-proxy-policy-0-rule1] user-group groupa domain test

[Sysname-app-proxy-policy-0-rule1] user-group groupb domain test

Related commands

display app-proxy-policy

user-group (Security Command Reference)
