Login
- Table of Contents
-
- 04-DPI Configuration Guide
- 00-Preface
- 01-DPI overview
- 02-DPI engine configuration
- 03-IPS configuration
- 04-URL filtering configuration
- 05-Data filtering configuration
- 06-File filtering configuration
- 07-Anti-virus configuration
- 08-Data analysis center configuration
- 09-WAF configuration
- 10-Proxy policy configuration
- 11-IP reputation configuration
- 12-Domain reputation configuration
- 13-APT defense configuration
- 14-DLP configuration
- 15-Content moderation configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 04-URL filtering configuration | 304.12 KB |
Contents
URL filtering whitelist/blacklist rule
URL filtering signature library management
Restrictions: Hardware compatibility with URL filtering
Restrictions: Licensing requirements for URL filtering
URL filtering tasks at a glance
Configuring URL filtering cloud query
Configuring a URL filtering policy
About configuring a URL filtering policy
Configuring a category-based URL filtering policy
Configuring a whitelist-based URL filtering policy
Copying a URL filtering policy or category
Copying a URL filtering policy
Copying a URL filtering category
Applying a URL filtering policy to a DPI application profile
Activating URL filtering policy and rule settings
Applying a DPI application profile to a security policy rule
Applying a DPI application profile to an object policy rule
Managing the URL filtering signature library
Scheduling automatic URL filtering signature library update
Triggering an immediate URL filtering signature update
Performing a URL filtering signature manual update
Rolling back the URL filtering signature library
Managing the URL reputation signature library
Scheduling automatic URL reputation signature library update
Triggering an immediate URL reputation signature update
Performing a URL reputation signature manual update
Rolling back the URL reputation signature library
Configuring URL filtering logging for resource access
About URL filtering logging for resource access
Logging access to only resources in the root directories of websites
Disabling logging for access to resources of specific types
Display and maintenance commands for URL filtering
URL filtering configuration examples
Example: Using a URL filtering policy in a security policy
Example: Manually updating the URL filtering signature library
Example: Configuring automatic URL filtering signature library update
Example: Using a URL filtering policy in an object policy
Example: Manually updating the URL filtering signature library
Example: Configuring automatic URL filtering signature library update
Configuring URL filtering
About URL filtering
URL filtering controls access to the Web resources by filtering the URLs that the users visit.
URL
A URL is a reference to a resource that specifies the location of the resource on a network and a mechanism for retrieving it. The syntax of a URL is protocol://host [:port]/path/[;parameters][?query]#fragment. Figure 1 shows an example URL.
Table 1 describes the fields in a URL.
Table 1 URL field descriptions
|
Field |
Description |
|
protocol |
Transmission protocol, such as HTTP. |
|
host |
Domain name or IP address of the server where the indicated resource is located. |
|
[:port] |
Optional field that identifies the port number of the transmission protocol. If this field is omitted, the default port number of the protocol is used. |
|
/path/ |
String that identifies the directory or file where the indicated resource is stored. The path is a sequence of segments separated by zero or multiple forward slashes. |
|
[parameters] |
Optional field that contains special parameters. |
|
[?query] |
Optional field that contains parameters to be passed to the software for querying dynamic webpages. Each parameter is a <key>=<value> pair. Different parameters are separated by an ampersand (&). |
|
URI |
Uniform resource identifier that identifies a resource on a network. |
URL filtering rule
A URL filtering rule matches URLs based on the content in the URI or hostname field.
URL filtering rule type
URL filtering provides the following types of URL filtering rules:
· Predefined URL filtering rules—Signature-based URL filtering rules. The device automatically generates them based on the local URL filtering signatures. In most cases, the predefined rules are sufficient for URL filtering.
· User-defined URL filtering rules—Regular expression- or text-based URL filtering rules that are manfully configured.
URL filtering rule matching method
A URL filtering rule supports the following URL matching methods:
· Text-based matching—Matches the hostname and URI fields of a URL against text patterns.
When performing text-based matching for the hostname field of a URL, the device first determines if the text pattern contains the asterisk (*) wildcard character at the beginning or end.
¡ If the text pattern does not contain the asterisk (*) wildcard character at the beginning or end, the hostname matching succeeds if the hostname of the URL matches the text pattern.
¡ If the text pattern contains the asterisk (*) wildcard character at the beginning, the hostname matching succeeds if the hostname of the URL matches or ends with the text pattern without the wildcard character.
¡ If the text pattern contains the asterisk (*) wildcard character at the end, the hostname matching succeeds if the hostname of the URL matches or starts with the text pattern without the wildcard character.
¡ If the text pattern contains the asterisk (*) wildcard character at both the beginning and the end, the hostname matching succeeds if the hostname of the URL matches or includes the text pattern without the wildcard characters.
Text-based matching for the URI field works in the same way that text-based matching for the hostname field works.
· Regular expression-based matching—Matches the hostname and URI fields of a URL against regular expressions. For example, if you set the regular expression for hostname matching to sina.*cn, URLs that carry the news.sina.com.cn hostname will be matched.
URL category
URL filtering provides the URL categorization feature to facilitate filtering rule management.
You can classify multiple URL filtering rules to a URL category and specify an action for the category. If a matching rule is in multiple URL categories, the system takes the action for the category with the highest severity level.
URL filtering supports the following types of URL categories:
· Predefined URL categories.
The predefined URL categories contain the predefined URL filtering rules. Each predefined URL category has a unique severity level in the range of 1 to 999, and a category name that begins Pre-. Predefined URL categories cannot be modified.
The device supports two levels of predefined URL categories: child URL category and parent URL category.
A predefined parent URL category contains only predefined child URL categories.
· User-defined URL categories.
You can manually create URL categories and configure filtering rules for them. The severity level of a user-defined URL category is in the range of 1000 to 65535. You can edit the filtering rules and change the severity level for a user-defined URL category.
URL reputation
URL reputation restricts user online behaviors by filtering malicious URLs, permitting users to access specific websites, and denying them from insecure websites based on the URL reputation signature library. The URL reputation signature library is a collection of malicious URLs, including the attack category to which each URL belongs.
When the URL in packets matches a URL in the URL reputation signature library, the device takes the predefined actions of the corresponding attack category on the packets.
URL filtering whitelist/blacklist rule
The device supports using URL-based whitelist and blacklist rules to filter packets. If the URL in a packet matches a blacklist rule, the packet is dropped. If the URL matches a whitelist rule, the packet is permitted to pass through.
URL filtering policy
A URL filtering policy can contain the following settings:
· URL categories and filtering actions. URL filtering actions include drop, permit, block source, reset, redirect, and logging.
· URL filtering whitelist and blacklist rules.
· URL reputation.
· URL filtering cloud query.
You can also specify the default action on packets that do not match any filtering rules (including URL categories, URL filtering whitelist and blacklist rules, and URL reputation) in the policy.
URL filtering mechanism
URL filtering takes effect after you apply a URL filtering policy to a DPI application profile and use the DPI application profile in a security policy rule or object policy rule.
As shown in Figure 2, upon receiving a packet, the device performs the following operations:
1. The device compares the packet with the object policy rules or security policy rules.
If the packet matches a rule that is associated with a URL filtering policy (through a DPI application profile), the device extracts the URL from the packet.
For more information about security policies and object policies, see Security Configuration Guide.
2. The device compares the extracted URL with the whitelist and blacklist rules in the URL filtering policy.
If both the whitelist and blacklist features are enabled, the device uses the following process to handle the packet:
a. If the URL matches a whitelist rule, the packet is permitted to pass through.
b. If the URL does not match a whitelist rule, the device identifies whether the URL matches a blacklist rule.
- If the URL matches a blacklist rule, the packet is dropped.
- If the URL does not match a blacklist rule, the device performs step 3.
If only the whitelist feature is enabled, the device handles the packet as follows:
¡ If the URL matches a whitelist rule, the packet is permitted to pass through.
¡ If the URL does not match a whitelist rule, the device drops the packet.
If both the whitelist and blacklist features are not enabled, the device performs step 3.
3. The device compares the extracted URL with the URL filtering rules in the URL filtering policy.
a. If the URL matches a URL filtering rule that belongs to a user-defined URL category, the devices takes the action specified for the URL category. If the URL filtering rule belongs to multiple user-defined URL categories, the action specified for the URL category with the highest severity level apply.
If no matching URL filtering rule belongs to a user-defined URL category, the device moves to step b.
b. If URL reputation is enabled, the device determines whether the matching URL filtering rule belongs to an attack category in the URL reputation signature library.
- If yes, the device takes the action specified for the attack category on the packet.
- If no, the device moves to step c.
c. If the URL matches a URL filtering rule that belongs to a predefined URL category, the devices takes the action specified for the URL category.
If the URL filtering rule belongs to multiple predefined URL categories, the action specified for the URL category with the highest severity level apply.
4. If the URL does not match any rule in the policy, and cloud query is disabled in the URL filtering policy, the default action specified for the policy applies. If the default action is not configured, the device permits the packet to pass through.
If the URL does not match any rule in the policy, and cloud query is enabled in the policy, the device handles the packet as follows:
¡ The device identifies whether the URL matches a cached URL filtering rule (history query result from the cloud server, including the URL and its category name).
- If a matching cached rule is found for the URL, the device determines the action to take on the packet as described in step c of step 3.
- If no matching cached rule is found for the URL, the default action specified for the policy applies. If the default action is not configured, the device permits the packet to pass through. In addition, the device sends the URL to the cloud server for further query and caches the query result.
Figure 2 URL filtering mechanism
URL filtering signature library management
The device uses the local URL filtering signature library to identify URLs in the HTTP packets.
You can update the device URL filtering signature library to the most up-to-date version or roll back the library to a version.
Updating the URL filtering signature library
The following methods are available for updating the URL filtering signature library on the device:
· Automatic update.
The device periodically accesses the company's website and automatically downloads the most up-to-date URL filtering signature file to update its local signature library.
· Triggered update.
The device downloads the most up-to-date URL filtering signature file from the company's website to update its local signature library immediately you trigger the operation.
· Manual update.
Use this method when the device cannot connect to the company's website.
You must manually download the most up-to-date URL filtering signature file from the company's website, and then use the file to update the signature library on the device.
Rolling back the URL filtering signature library
If filtering false alarms or filtering exceptions occur frequently, you can roll back the URL filtering signature library to the previous version or to the factory default version.
Restrictions: Hardware compatibility with URL filtering
|
Hardware platform |
Module type |
URL filtering compatibility |
|
M9006 M9010 M9014 |
Blade IV firewall module |
Yes |
|
Blade V firewall module |
No |
|
|
NAT module |
No |
|
|
M9010-GM |
Encryption module |
Yes |
|
M9016-V |
Blade V firewall module |
No |
|
M9008-S M9012-S |
Blade IV firewall module |
Yes |
|
Intrusion prevention service (IPS) module |
Yes |
|
|
Video network gateway module |
Yes |
|
|
M9008-S-6GW |
IPv6 module |
Yes |
|
M9008-S-V |
Blade IV firewall module |
Yes |
|
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 |
Blade V firewall module |
Yes |
|
M9000-X06 M9000-X10 |
Blade VI firewall module |
Yes |
Restrictions: Licensing requirements for URL filtering
A license is required for URL filtering signature library update and URL filtering cloud query. If the license expires, the existing URL filtering signature library is still available but you cannot update the library on the device or perform a URL filtering cloud query task. For more information about licenses, see license management in Fundamentals Configuration Guide.
URL filtering tasks at a glance
To configure URL filtering:
1. (Optional.) Configuring a URL category
2. (Optional.) Configuring URL filtering cloud query
3. Configuring a URL filtering policy
4. (Optional.) Copying a URL filtering policy or category
5. Applying a URL filtering policy to a DPI application profile
6. (Optional.) Activating URL filtering policy and rule settings
7. Applying a DPI application profile
Choose one of the following tasks:
¡ Applying a DPI application profile to a security policy rule
¡ Applying a DPI application profile to an object policy rule
8. Managing the URL filtering signature library
9. (Optional.) Managing the URL reputation signature library
10. (Optional.) Enabling DPI engine logging
11. (Optional.) Configuring URL filtering logging for resource access
12. (Optional.) Enabling URL fast auditing
Configuring a URL category
About this task
Perform this task to create a user-defined URL category and configure filtering rules for it to meet specific URL filtering requirements.
Restrictions and guidelines
When creating a URL category, you must assign a unique severity level in the range of 1000 to 65535 to the URL category. The larger the value, the higher the severity level.
Procedure
1. Enter system view.
system-view
2. Create a URL category and enter its view.
url-filter category category-name [ severity severity-level ]
By default, the device provides predefined URL categories with names starting with Pre-.
The name of a user-defined URL category cannot start with Pre-.
3. (Optional.) Configure a description for the URL category.
description text
4. Configure URL filtering rules for the URL category. Choose the options to configure as needed:
¡ Configure a URL filtering rule.
rule rule-id host { regex regex | text string } [ uri { regex regex | text string } ]
¡ (Optional.) Add the URL filtering rules of a predefined URL category to the URL category.
include pre-defined category-name
By default, a user-defined URL category does not contain the URL filtering rules of any predefined URL category.
Configuring URL filtering cloud query
About this task
The URL filtering cloud query feature enables the system to send URLs that do not match any local URL filtering rules to the cloud server for further query. This helps improves URL filtering accuracy for HTTP traffic.
The device caches the URL filtering rules returned from the cloud query server in the URL filtering cache. You can set the maximum number of rules that can be cached, and the minimum cache period for the cached rules. For more information about the cloud query server, see "Configuring DPI engine."
Procedure
1. Enter system view.
system-view
2. Specify the cloud query server.
inspect cloud-server host-name
By default, cloud query server sec.h3c.com is used.
3. (Optional.) Set URL filtering cache size.
url-filter cache size cache-size
The URL filtering cache can cache a maximum of 16384 entries.
4. (Optional.) Set the minimum cache period for URL filtering rules.
url-filter cache-time value
By default, the minimum cache period is 10 seconds.
5. Enter the view of the URL filtering policy in which you want to enable cloud query.
url-filter policy policy-name
6. Enable cloud query.
cloud-query enable
By default, cloud query is disabled in a URL filtering policy.
Configuring a URL filtering policy
About configuring a URL filtering policy
The URL filtering is implemented by URL filtering polices.
To configure a URL filtering policy, perform either of the following tasks:
· Configuring a category-based URL filtering policy
A category-based URL filtering policy contains the following settings:
¡ URL category-to-action mappings.
¡ Default action.
¡ (Optional.) Whitelist and blacklist rules.
· Configuring a whitelist-based URL filtering policy
Configuring a category-based URL filtering policy
Licensing requirements
To use the URL reputation feature, you must purchase a license for the feature and install it correctly on the device. If the license expires, the URL reputation feature can operate normally with the existing URL reputation signature library on the device. However, you cannot upgrade the URL reputation signature library on the device. For more information about licenses, see license management in Fundamentals Configuration Guide.
Restrictions and guidelines
The logging keyword enables the URL filtering module to log URL filtering events and use one of the following methods to send log messages:
· Fast log output—You must specify a log host to receive the log messages. Log messages are sent to the specified log host.
· Syslog output—Log messages are sent to the information center. With the information center, you can set log message filtering and output rules, including output destinations. The information center can output URL filtering syslogs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect. To view URL filtering syslogs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default. For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Syslog output might affect device performance. As a best practice, use fast log output. For more information about fast log output, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Create a URL filtering policy and enter its view.
url-filter policy policy-name
3. Specify the actions for a URL category.
category category-name action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]
By default, no actions are specified for a URL category.
If a packet matches a rule that is in multiple URL categories, the system uses the actions for the category with the highest severity level.
4. (Optional.) Specify the default action on packets that do not match any rule in the policy.
default-action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]
5. (Optional.) Configure a whitelist or blacklist rule in the policy.
add { blacklist | whitelist } [ id ] host { regex host-regex | text host-name } [ uri { regex uri-regex | text uri-name } ]
6. (Optional.) Enable the referer whitelist.
referer-whitelist enable
By default, the referer whitelist is enabled. It allows an HTTP or HTTPS request to pass through if its referer header matches a whitelist rule.
7. (Optional.) Enable URL reputation.
url-reputation enable
By default, URL reputation is disabled.
8. (Optional.) Specify actions for a URL reputation attack category.
attack-category attack-id action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]
By default, no action is specified for a URL reputation attack category. The device permits packets that match an attack category to pass and logs the matching packets.
9. (Optional.) Rename the URL filtering policy.
rename new-name
Configuring a whitelist-based URL filtering policy
About the task
This feature allows only the HTTP or HTTPS requests that match the whitelist rules to pass through. When you do not want to perform any other configurations, such as URL categories, URL filtering actions, and URL filtering policy default action, you can use this feature.
With this feature enabled, the device allows users to access only the Web resources added to the whitelist rules, and other Web resources are not allowed to access.
Procedure
1. Enter system view.
system-view
2. Create a URL filtering policy and enter its view.
url-filter policy policy-name
3. Configure a whitelist rule in the policy.
add whitelist [ id ] host { regex host-regex | text host-name } [ uri { regex uri-regex | text uri-name } ]
4. (Optional.) Enable the referer whitelist.
referer-whitelist enable
By default, the referer whitelist is enabled. It allows an HTTP or HTTPS request to pass through if its referer header matches a whitelist rule.
5. Enable URL whitelist-only filtering.
whitelist-only enable
By default, URL whitelist-only filtering is disabled.
Copying a URL filtering policy or category
Copying a URL filtering policy
About this task
You can create a new URL filtering policy by copying an existing one.
Procedure
1. Enter system view.
system-view
2. Create a URL filtering policy and enter its view.
url-filter copy policy old-name new-name
Copying a URL filtering category
About this task
You can create a new URL category by copying an existing one.
Restrictions and guidelines
When you copy a URL category, be sure to assign a unique severity level to the new URL category.
Procedure
1. Enter system view.
system-view
2. Copy a URL category.
url-filter copy category old-name new-name severity severity-level
Applying a URL filtering policy to a DPI application profile
About this task
A URL filtering policy must be applied to a DPI application profile to take effect.
Restrictions and guidelines
A DPI application profile can use only one URL filtering policy. If you apply different URL filtering policies to the same DPI application profile, only the most recent configuration takes effect.
Procedure
1. Enter system view.
system-view
2. Enter DPI application profile view.
app-profile app-profile-name
For more information about this command, see DPI engine commands in DPI Command Reference.
3. Assign a URL filtering policy to the DPI application profile.
url-filter apply policy policy-name
By default, no URL filtering policy is applied to the DPI application profile.
Activating URL filtering policy and rule settings
About this task
By default, the system will detect whether another configuration change (such as creation, modification, or deletion) occurs within a 20-second interval after a change to the URL filtering policy and rule settings:
· If no configuration change occurs within the interval, the system will perform an activation operation at the end of the next 20-second interval to make the configuration take effect.
· If a configuration change occurs within the interval, the system continues to periodically detect whether configuration changes occur within next 20-second intervals.
To immediately activate a configuration change, execute the inspect activate command.
For more information about activating DPI service module configuration, see "Configuring DPI engine."
Procedure
1. Enter system view.
system-view
2. Activate URL filtering policy and rule settings.
inspect activate
By default, the system automatically activates changed URL filtering policy and rule settings for them to take effect.
|
|
CAUTION: This command can cause temporary outage for DPI services. Services based on the DPI services might also be interrupted. For example, security policies cannot control access to applications and Layer 7 load balancing services cannot load share traffic based on applications. |
Applying a DPI application profile to a security policy rule
1. Enter system view.
system-view
2. Enter security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Set the rule action to pass.
action pass
The default rule action is drop.
5. Use a DPI application profile in the rule.
profile app-profile-name
By default, no DPI application profile is used in a security policy rule.
Applying a DPI application profile to an object policy rule
1. Enter system view.
system-view
2. Enter object policy view.
object-policy { ip | ipv6 } object-policy-name
3. Use a DPI application profile in an object policy rule.
rule [ rule-id ] inspect app-profile-name
By default, no DPI application profile is used in an object policy rule.
4. Return to system view.
quit
5. Create a zone pair and enter zone pair view.
zone-pair security source source-zone-name destination destination-zone-name
For more information about zone pairs, see security zone configuration in Security Configuration Guide.
6. Apply the object policy to the zone pair.
object-policy apply { ip | ipv6 } object-policy-name
By default, no object policy is applied to a zone pair.
Managing the URL filtering signature library
You can update or roll back the version of the URL filtering signature library on the device.
Restrictions and guidelines
· Do not delete the /dpi/ folder in the root directory of the storage medium.
· Do not perform URL filtering signature update and rollback when the device's free memory is below the normal state threshold. For more information about device memory thresholds, see device management in Fundamentals Configuration Guide.
· For successful automatic and immediate signature update, make sure the device can resolve the domain name of the company's website into an IP address through DNS. For more information about DNS, see DNS configuration in Layer 3—IP Services Configuration Guide.
· Update only one signature library at a time. Do not perform signature library update until the existing signature library update is completed.
Scheduling automatic URL filtering signature library update
About this task
You can schedule automatic URL filtering signature library update if the device can access the signature database services on the company's website. The device periodically obtains the latest signature file from the company's website to update its local signature library as scheduled.
Procedure
1. Enter system view.
system-view
2. Enable automatic URL filtering signature library update and enter automatic URL filtering signature library update configuration view.
url-filter signature auto-update
By default, automatic URL filtering signature library update is disabled.
3. Schedule the update time.
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
By default, the device starts to update the URL filtering signature at a random time between 01:00:00 and 03:00:00 every day.
Triggering an immediate URL filtering signature update
About this task
Anytime you find a release of new signature version on the company's website, you can trigger the device to immediately update the local signature library.
Procedure
1. Enter system view.
system-view
2. Trigger an automatic URL filtering signature library update.
url-filter signature auto-update-now
Performing a URL filtering signature manual update
About this task
If the device cannot access the signature database services on the company's website, use one of the following methods to manually update the URL filtering signature library on the device:
· Local update—Updates the URL filtering signature library on the device by using the locally stored update URL filtering signature file.
(In standalone mode.) Store the update file on the active MPU for successful signature library update.
(In IRF mode.) Store the update file on the global active MPU for successful signature library update.
· FTP/TFTP update—Updates the URL filtering signature library on the device by using the file stored on the FTP or TFTP server.
Procedure
1. Enter system view.
system-view
2. Manually update the URL filtering signature library on the device.
url-filter signature update file-path
|
|
CAUTION: Select a signature file according to the memory size and software version of the device. H3C provides signature files separately for high-memory (equal to or higher than 8 GB) and low-memory (lower than 8 GB) devices and for different software versions. If you use a signature file applicable to high-memory devices to update the URL filtering signature library on a low-memory device, exceptions might occur on the low-memory device. As a best practice, use a signature file that is compatible with the software version and memory size of the device to update the URL filtering signature library on the device. |
Rolling back the URL filtering signature library
About this task
If a URL filtering signature library update causes exceptions or a high false alarm rate, you can roll back the URL filtering signature library.
Before rolling back the URL filtering signature library, the device backs up the current signature library as the "previous version." For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.
Procedure
1. Enter system view.
system-view
2. Roll back the URL filtering signature library to the previous version or to the factory default version.
url-filter signature rollback { factory | last }
Managing the URL reputation signature library
You can update or roll back the version of the URL reputation signature library on the device.
Restrictions and guidelines
· Do not delete the /dpi/ folder in the root directory of the storage medium.
· Do not perform URL reputation signature update and rollback when the device's free memory is below the normal state threshold. For more information about device memory thresholds, see device management in Fundamentals Configuration Guide.
· For successful automatic and immediate signature update, make sure the device can resolve the domain name of the company's website into an IP address through DNS. For more information about DNS, see DNS configuration in Layer 3—IP Services Configuration Guide.
· Update only one signature library at a time. Do not perform signature library update until the existing signature library update is completed.
Scheduling automatic URL reputation signature library update
About this task
You can schedule automatic URL reputation signature library update if the device can access the signature database services on the company's website. The device periodically obtains the latest signature file from the company's website to update its local signature library as scheduled.
Procedure
1. Enter system view.
system-view
2. Enable automatic URL reputation signature library update and enter automatic URL reputation signature library update configuration view.
url-reputation signature auto-update
By default, automatic URL reputation signature library update is disabled.
3. Schedule the update time.
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
By default, the device starts to update the URL reputation signature at a random time between 01:00:00 and 03:00:00 every day.
Triggering an immediate URL reputation signature update
About this task
Anytime you find a release of new signature version on the company's website, you can trigger the device to immediately update the local signature library.
This feature immediately starts the automatic signature library update process and backs up the current URL reputation signature library file.
This feature is independent of the scheduled automatic URL reputation signature library update feature.
Procedure
1. Enter system view.
system-view
2. Trigger an automatic URL reputation signature library update.
url-reputation signature auto-update-now
Performing a URL reputation signature manual update
About this task
If the device cannot access the signature database services on the company's website, use one of the following methods to manually update the URL reputation signature library on the device:
· Local update—Updates the URL reputation signature library on the device by using the locally stored update URL reputation signature file.
(In standalone mode.) Store the update file on the active MPU for successful signature library update.
(In IRF mode.) Store the update file on the global active MPU for successful signature library update.
· FTP/TFTP update—Updates the URL reputation signature library on the device by using the file stored on the FTP or TFTP server.
Procedure
1. Enter system view.
system-view
2. Manually update the URL reputation signature library on the device.
url-reputation signature update file-path
Rolling back the URL reputation signature library
About this task
If a URL reputation signature library update causes exceptions or a high false alarm rate, you can roll back the URL reputation signature library.
Before rolling back the URL reputation signature library, the device backs up the current signature library as the "previous version." For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.
Procedure
1. Enter system view.
system-view
2. Roll back the URL reputation signature library to the previous version.
url-reputation signature rollback last
Enabling DPI engine logging
About this task
You can enable DPI engine logging for audit purposes. Log messages generated by DPI engine are output to the device information center. The information center then sends the messages to designated destinations based on log output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable DPI engine logging.
url-filter log enable
By default, DPI engine logging is disabled.
Configuring URL filtering logging for resource access
About URL filtering logging for resource access
URL filtering logs user access to resources after you specify the logging action for a URL category or as a default action for a URL filtering policy.
You can use either of the following methods to configure URL filtering to log access to specific types of resources:
· Configure URL filtering to log access to only resources in the root directories of websites.
· Enable or disable URL filtering logging for access to resources of specific types.
Logging access to only resources in the root directories of websites
1. Enter system view.
system-view
2. Configure URL filtering to log only access to resources in the root directories of websites.
url-filter log directory root
By default, URL filtering logs access to Web resources in all directories.
Disabling logging for access to resources of specific types
1. Enter system view.
system-view
2. Disable URL filtering logging for access to resources of a specific resource type.
¡ Disable logging for access to resources of a predefined resource type.
url-filter log except pre-defined { css | gif | ico | jpg | js | png | swf | xml }
¡ Disable logging for access to resources of a user-defined resource type.
url-filter log except user-defined text
By default, URL filtering logs access to all resources except for resources of the predefined resource types (including CSS, GIF, ICO, JPG, JS, PNG, SWF, and XML resources).
Enabling URL fast auditing
About this task
By default, URL filtering inspects and audits URLs in packets and determines the packet processing actions based on the inspection results in the software forwarding process. However, both software forwarding and URL filtering consume CPU resources and the packet forwarding performance will be degraded if the CPU usage is high.
URL fast auditing enables the device to send copies of HTTP packets to the CPU for audit (logging) by the URL filtering module during the hardware forwarding process. URL filtering only logs HTTP packets that match the logging action. All other URL filtering actions are ignored.
Restrictions and guidelines
For URL fast auditing to work, you must configure both the URL filtering and hardware fast forwarding features. For information about hardware fast forwarding, see Layer 3—IP Services Configuration Guide.
Enable URL fast auditing in the application scenario that requires high device forwarding performance, URL auditing, and low level of security.
URL fast auditing does not take effect if a feature that requires Layer 5 or higher layer processing (such as Layer 7 load balancing or ALG) is enabled on the device.
All DPI functions become invalid after URL fast auditing is enabled.
Procedure
1. Enter system view.
system-view
2. Enable URL fast auditing.
hardware audit url enable
By default, URL fast auditing is disabled.
Enabling HTTPS URL filtering
About the task
By default, the device supports only the HTTP URL filtering. To enable filtering on HTTPS traffic, use either of the following methods:
· Use SSL decryption to decrypt the HTTPS traffic and then perform HTTP URL filtering on the decrypted traffic. For more information about SSL decryption, see proxy policy configuration in DPI Configuration Guide.
SSL decryption involves a large number of encryption and decryption operations, which might downgrade device forwarding performance. As a best practice, use this method only when the device must perform URL filtering on HTTPS traffic.
· Enable HTTPS URL filtering. This feature performs URL filtering on undecrypted HTTPS traffic. The device directly detects the Client Hello message from the client, and extracts the server name from the Sever Name Indication (SNI) extension to match the URL filtering policy.
Restrictions and guidelines
If SSL decryption is configured, this feature does not take effect.
In HTTPS URL filtering, only the hostname match criterion in a URL filtering rule takes effect. The URI match criterion does not take effect.
This feature takes effect only when the hostname field in the URL is the server's domain name. This feature does not apply to the HTTPS traffic if the hostname field is an IP address.
This feature does not take effect in the following situations:
· The client browser enables TLS 1.3 downgrade enhancement mechanism, because the SNI extension will be encrypted.
· The HTTPS packets do not have the SNI extension.
Procedure
1. Enter system view.
system-view
2. Create a URL filtering policy and enter its view.
url-filter policy policy-name
3. Enable HTTPS URL filtering.
https-filter enable
By default, HTTPS URL filtering is disabled, and the device supports only the HTTP URL filtering.
Display and maintenance commands for URL filtering
Execute display commands except the display url-reputation attack-category command in any view and reset commands in user view.
Execute the display url-reputation attack-category command in URL filtering policy view.
|
Task |
Command |
|
Display URL filtering cache information. |
display url-filter cache |
|
Display URL category information. |
display url-filter { category | parent-category } [ verbose ] |
|
Display information about the URL filtering signature library. |
display url-filter signature library |
|
Display URL filtering statistics. |
display url-filter statistics |
|
Display URL reputation attack category information for a URL filtering policy. |
display url-reputation attack-category |
|
Display information about the URL reputation signature library. |
display url-reputation signature library |
|
Clear URL filtering statistics. |
reset url-filter statistics |
URL filtering configuration examples
Example: Using a URL filtering policy in a security policy
Network configuration
As shown in Figure 3, the device connects to the LAN and Internet through security zones Trust and Untrust, respectively.
Configure a URL filtering policy on the device so the device performs the following operations:
· Permits LAN users in security zone Trust to access website http://www.sina.com on the Web server.
· Drops and logs packets that match the Pre-Game URL category.
· Drops and logs packets that do not match any filtering rule in the URL filtering policy.
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures a static route to reach the Web server, and the next hop in the route is 2.2.2.2.
[Device] ip route-static 5.5.5.0 24 2.2.2.2
3. Add interfaces to security zones.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
4. Configure URL filtering:
# Create user-defined URL category news, set its severity level to 2000, and create URL filtering rule 1 to match HTTP packets that contain host name www.sina.com in the URL.
[Device] url-filter category news severity 2000
[Device-url-filter-category-news] rule 1 host text www.sina.com
[Device-url-filter-category-news] quit
# Create a URL filtering policy named urlnews. Specify action permit for URL category news and action drop for predefined URL category Pre-Games, enable logging for the matching packets, and set the default actions to drop and logging.
[Device] url-filter policy urlnews
[Device-url-filter-policy-urlnews] category news action permit
[Device-url-filter-policy-urlnews] category Pre-Games action drop logging
[Device-url-filter-policy-urlnews] default-action drop logging
[Device-url-filter-policy-urlnews] quit
5. Apply URL filtering policy urlnews to a DPI application profile and activate the IPS policy settings:
# Create a DPI application profile named sec, and apply URL filtering policy urlnews to the DPI application profile.
[Device] app-profile sec
[Device-app-profile-sec] url-filter apply policy urlnews
[Device-app-profile-sec] quit
# Activate the URL filtering policy and rule settings.
[Device] inspect activate
6. Configure a security policy:
# Enter IPv4 security policy view. Create a rule named trust-untrust to permit the traffic from internal users to the external network and apply the URL filtering policy to the traffic between the internal users and the Internet.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-10-trust-untrust] source-zone trust
[Device-security-policy-ip-10-trust-untrust] source-ip-subnet 192.168.1.0 24
[Device-security-policy-ip-10-trust-untrust] destination-zone untrust
[Device-security-policy-ip-10-trust-untrust] action pass
[Device-security-policy-ip-10-trust-untrust] profile sec
[Device-security-policy-ip-10-trust-untrust] quit
# Activate rule matching acceleration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
Verifying the configuration
# Verify that LAN users in security zone Trust can access website http://www.sina.com on the Web server. (Details not shown.)
# Verify that the device drops and logs LAN users' HTTP requests to game resources. (Details not shown.)
Example: Manually updating the URL filtering signature library
Network configuration
As shown in Figure 4, LAN users in security zone Trust can access the following resources:
· Internet resources in security zone Untrust.
· The FTP server at 192.168.2.4/24 in security zone DMZ. The FTP login username and password are url and 123, respectively.
Manually update the URL filtering signature library on the device by using the latest URL filtering signature file (url-1.0.2-encrypt.dat) stored on the FTP server.
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures a static route to reach the Web server, and the next hop in the route is 2.2.2.2.
[Device] ip route-static 5.5.5.0 24 2.2.2.2
3. Add interfaces to security zones.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
[Device] security-zone name dmz
[Device-security-zone-DMZ] import interface gigabitethernet 1/0/3
[Device-security-zone-DMZ] quit
4. Configure a security policy:
# Configure a security policy rule to permit the traffic from security zone Trust to security zone Untrust for the internal users to access external resources.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-10-trust-untrust] source-zone trust
[Device-security-policy-ip-10-trust-untrust] source-ip-subnet 192.168.1.0 24
[Device-security-policy-ip-10-trust-untrust] destination-zone untrust
[Device-security-policy-ip-10-trust-untrust] action pass
[Device-security-policy-ip-10-trust-untrust] quit
# Configure a security policy rule to permit the traffic from security zone Trust to security zone DMZ for the internal users to access the FTP server in the DMZ security zone.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-dmz
[Device-security-policy-ip-11-trust-dmz] source-zone trust
[Device-security-policy-ip-11-trust-dmz] source-ip-subnet 192.168.1.0 24
[Device-security-policy-ip-11-trust-dmz] destination-zone dmz
[Device-security-policy-ip-11-trust-dmz] action pass
[Device-security-policy-ip-11-trust-dmz] quit
# Configure a security policy rule to permit the traffic between the FTP server and the device so the device can access the FTP server to obtain the signature file.
[Device] security-policy ip
[Device-security-policy-ip]rule name downloadlocalout
[Device-security-policy-ip-12-downloadlocalout] source-zone local
[Device-security-policy-ip-12-downloadlocalout] destination-zone dmz
[Device-security-policy-ip-12-downloadlocalout] destination-ip-subnet 192.168.2.0 24
[Device-security-policy-ip-12-downloadlocalout] application ftp
[Device-security-policy-ip-12-downloadlocalout] application ftp-data
[Device-security-policy-ip-12-downloadlocalout] action pass
[Device-security-policy-ip-12-downloadlocalout] quit
# Activate rule matching acceleration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
5. Update the URL filtering library on the device by using URL filtering signature file url-1.0.2-encrypt.dat on the FTP server.
[Device] url-filter signature update ftp://url:123@192.168.2.4/url-1.0.2-encrypt.dat
Verifying the configuration
# Verify that the URL filtering signature library on the device is updated successfully.
<Device> display url-filter signature library
Example: Configuring automatic URL filtering signature library update
Network configuration
As shown in Figure 5, LAN users in security zone Trust can access Internet resources in security zone Untrust.
Configure the device to start automatically updating the local URL filtering signature library at a random time between 08:30 a.m. and 09:30 a.m. every Saturday.
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures a static route to reach the Web server, and the next hop in the route is 2.2.2.2.
[Device] ip route-static 5.5.5.0 24 2.2.2.2
3. Add interfaces to security zones.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
4. Configure DNS for the device to resolve the domain name of the official website into the correct IP address.
[Device] dns server 10.72.66.36
5. Configure a security policy:
# Configure a security policy rule to permit the traffic from security zone Trust to security zone Untrust for the internal users to access external resources.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-10-trust-untrust] source-zone trust
[Device-security-policy-ip-10-trust-untrust] source-ip-subnet 192.168.1.0 24
[Device-security-policy-ip-10-trust-untrust] destination-zone untrust
[Device-security-policy-ip-10-trust-untrust] action pass
[Device-security-policy-ip-10-trust-untrust] quit
# Configure a security policy rule to permit the traffic from security zone Local to security zone Untrust so the device can access the official website to obtain the signature file.
[Device] security-policy ip
[Device-security-policy-ip] rule name downloadlocalout
[Device-security-policy-ip-11-downloadlocalout] source-zone local
[Device-security-policy-ip-11-downloadlocalout] destination-zone untrust
[Device-security-policy-ip-11-downloadlocalout] action pass
[Device-security-policy-ip-11-downloadlocalout] quit
# Activate rule matching acceleration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
6. Configure automatic URL filtering signature library update:
# Enable automatic URL filtering signature library update. Configure the device to perform automatic update at a random time between 08:30 a.m. and 09:30 a.m. every Saturday.
[Device] url-filter signature auto-update
[Device-url-filter-autoupdate] update schedule weekly sat start-time 9:00:00 tingle 60
[Device-url-filter-autoupdate] quit
Verifying the configuration
# Verify that the device URL filtering signature library is updated as scheduled.
<Device> display url-filter signature library
Example: Using a URL filtering policy in an object policy
Network configuration
As shown in Figure 6, the device connects to the LAN and Internet through the security zones Trust and Untrust, respectively.
Configure a URL filtering policy on the device to meet the following requirements:
· The device permits LAN users in security zone Trust to access website http://www.sina.com on the Web server.
· The device drops and logs packets that match the Pre-Game URL category.
· The device drops and logs packets that do not match any filtering rule in the URL filtering policy.
Procedure
1. Assign IP addresses to interfaces, as shown in Figure 6. (Details not shown.)
2. Configure the security zones:
# Assign GigabitEthernet 1/0/1 to security zone Trust.
<Device> system-view
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
# Assign GigabitEthernet 1/0/2 to security zone Untrust.
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
3. Create IP address object group urlfilter and configure an IP address object with subnet 192.168.1.0/24.
[Device] object-group ip address urlfilter
[Device-obj-grp-ip-urlfilter] network subnet 192.168.1.0 24
[Device-obj-grp-ip-urlfilter] quit
4. Configure a URL category:
# Create URL category news and set its severity level to 2000.
[Device] url-filter category news severity 2000
# Create URL filtering rule 1 to match HTTP packets that contain the www.sina.com host name in the URL.
[Device-url-filter-category-news] rule 1 host text www.sina.com
[Device-url-filter-category-news] quit
5. Configure a URL filtering policy:
# Create URL filtering policy urlnews.
[Device] url-filter policy urlnews
# Specify the permit action for URL category news.
[Device-url-filter-policy-urlnews] category news action permit
# Specify the drop action for predefined URL category Pre-Games and enable logging for the matching packets.
[Device-url-filter-policy-urlnews] category Pre-Games action drop logging
# Set the default action to drop and enable logging for the matching packets.
[Device-url-filter-policy-urlnews] default-action drop logging
[Device-url-filter-policy-urlnews] quit
6. Apply URL filtering policy urlnews to a DPI application profile:
# Create DPI application profile sec.
[Device] app-profile sec
# Apply URL filtering policy urlnews to the DPI application profile.
[Device-app-profile-sec] url-filter apply policy urlnews
[Device-app-profile-sec] quit
7. Activate the URL filtering policy and rule settings.
[Device] inspect activate
8. Configure an object policy:
# Create IPv4 object policy urlfilter and enter its view.
[Device] object-policy ip urlfilter
# Configure an object policy rule to apply DPI application profile sec to packets with source IP addresses contained in IP address object group urlfilter.
[Device-object-policy-ip-urlfilter] rule inspect sec source-ip urlfilter destination-ip any
[Device-object-policy-ip-urlfilter] quit
9. Create a zone pair between source security zone Trust and destination security zone Untrust, and apply object policy urlfilter to the zone pair.
[Device] zone-pair security source trust destination untrust
[Device-zone-pair-security-Trust-Untrust] object-policy apply ip urlfilter
[Device-zone-pair-security-Trust-Untrust] quit
Verifying the configuration
# Verify that LAN users in security zone Trust can access website http://www.sina.com on the Web server
# Verify that the device drops and logs the LAN users' HTTP requests to game resources.
Example: Manually updating the URL filtering signature library
Network configuration
As shown in Figure 7, LAN users in security zone Trust can access the following resources:
· Internet resources in security zone Untrust.
· The FTP server at 192.168.2.4/24 in security zone DMZ. The FTP login username and password are url and 123, respectively.
Manually update the URL filtering signature library on the device by using the most up-to-date URL filtering signature file (url-1.0.2-encrypt.dat) stored on the FTP server.
Procedure
1. Assign IP addresses to interfaces, as shown in Figure 7. (Details not shown.)
2. Allow the device to communicate with the FTP server:
# Configure ACL 2001 to permit all traffic.
<Device> system-view
[Device] acl basic 2001
[Device-acl-ipv4-basic-2001] rule permit
[Device-acl-ipv4-basic-2001] quit
# Assign GigabitEthernet 1/0/3 to zone DMZ.
[Device] security-zone name dmz
[Device-security-zone-DMZ] import interface gigabitethernet 1/0/3
[Device-security-zone-DMZ] quit
# Create a zone pair between source security zone Local and destination security zone DMZ, and then apply ACL 2001 to the zone pair for packet filtering.
[Device] zone-pair security source local destination dmz
[Device-zone-pair-security-Local-DMZ] packet-filter 2001
[Device-zone-pair-security-Local-DMZ] quit
# Create a zone pair between source security zone DMZ and destination security zone Local, and then apply ACL 2001 to the zone pair for packet filtering.
[Device] zone-pair security source dmz destination local
[Device-zone-pair-security-DMZ-Local] packet-filter 2001
[Device-zone-pair-security-DMZ-Local] quit
3. Configure the security zones:
# Assign GigabitEthernet 1/0/1 to security zone Trust.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
# Assign GigabitEthernet 1/0/2 to security zone Untrust.
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
4. Update the device URL filtering signature library by using URL filtering signature file url-1.0.2-encrypt.dat stored on the FTP server.
[Device] url-filter signature update ftp://url:123@192.168.2.4/url-1.0.2-encrypt.dat
Verifying the configuration
# Verify that the device URL filtering signature library is updated.
<Device> display url-filter signature library
Example: Configuring automatic URL filtering signature library update
Network configuration
As shown in Figure 8, LAN users in security zone Trust can access Internet resources in security zone Untrust.
Configure the device to automatically update the local URL filtering signature library at a random time between 08:30 a.m. and 09:30 a.m. every Saturday.
Procedure
1. Assign IP addresses to interfaces, as shown in Figure 8. (Details not shown.)
2. Configure DNS for the device to resolve the domain name of the company's website into the IP address. (Details not shown.)
3. Configure an object policy to allow LAN users in security zone Trust to access Internet resources in security zone Untrust. (Details not shown.)
4. Configure automatic URL filtering signature library update:
# Enable automatic URL filtering signature library update.
<Device> system-view
[Device] url-filter signature auto-update
# Configure the device to perform automatic update at a random time between 08:30 a.m. and 09:30 a.m. every Saturday.
[Device-url-filter-autoupdate] update schedule weekly sat start-time 9:00:00 tingle 60
[Device-url-filter-autoupdate] quit
Verifying the configuration
# Verify that the device URL filtering signature library is updated as scheduled.
<Device> display url-filter signature library
