Login
- Table of Contents
-
- 04-DPI Configuration Guide
- 00-Preface
- 01-DPI overview
- 02-DPI engine configuration
- 03-IPS configuration
- 04-URL filtering configuration
- 05-Data filtering configuration
- 06-File filtering configuration
- 07-Anti-virus configuration
- 08-Data analysis center configuration
- 09-WAF configuration
- 10-Proxy policy configuration
- 11-IP reputation configuration
- 12-Domain reputation configuration
- 13-APT defense configuration
- 14-DLP configuration
- 15-Content moderation configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 05-Data filtering configuration | 120.62 KB |
Contents
Restrictions: Hardware compatibility with data filtering
Data filtering tasks at a glance
Configuring a data filtering policy
Applying a data filtering policy to a DPI application profile
Activating data filtering policy and rule settings
Applying a DPI application profile to a security policy rule
Applying a DPI application profile to an object policy rule
Data filtering configuration examples
Example: Using a data filtering policy in a security policy
Example: Using a data filtering policy in an object policy
Configuring data filtering
About data filtering
Data filtering filters packets based on application layer information. You can use data filtering to effectively prevent leakage of internal information, distribution of illegal information, and unauthorized access to the Internet.
Data filtering supports filtering packets of the following protocols:
· HTTP.
· FTP.
· SMTP.
· IMAP.
· NFS.
· POP3.
· RTMP.
· SMB.
Basic concepts
Keyword match pattern
The device provides predefined keyword match patterns and allows you to create user-defined keyword match patterns in a keyword group.
· Predefined pattern—Includes the phone number, bank card number, credit card number, and ID card number patterns. These patterns can be used to identify packets that contain phone numbers, bank card numbers, credit card numbers, and ID card numbers.
· User-defined pattern—A text- or regular expression-based string to identify patterns in the application layer data of packets.
Keyword group
A keyword group is a group of keyword match patterns.
Data filtering rule
A data filtering rule contains a set of filtering criteria for matching packets, including keyword group, traffic direction, and application layer protocol. You can specify the actions to take on packets matching a data filtering rule. Supported actions include drop, permit, and logging. A packet must match all the filtering criteria for the actions specified for the rule to apply.
Data filtering mechanism
Data filtering takes effect after you apply a data filtering policy to a DPI application profile and use the DPI application profile in a security policy rule or object policy rule.
Upon receiving a packet of a protocol that data filtering supports, the device performs the following operations:
1. Compares the packet with the object policy rules or security policy rules.
If the packet matches a rule that is associated with a data filtering policy (through a DPI application profile), the device extracts the application layer information from the packet.
For more information about security policies and object policies, see Security Configuration Guide.
2. Determines the actions to take on the packet by comparing the extracted application layer information with the data filtering rules in the data filtering policy:
¡ If the packet does not match any data filtering rules in the policy, the device permits the packet to pass.
¡ If the packet matches only one rule, the device takes the actions specified for the rule.
¡ If the packet matches multiple rules, the device determines the actions as follows:
- If the matching rules have both the permit and drop actions, the device takes the drop action.
- If the logging action is specified for any of the matching rules, the device logs the packet.
Restrictions: Hardware compatibility with data filtering
|
Hardware platform |
Module type |
Data filtering compatibility |
|
M9006 M9010 M9014 |
Blade IV firewall module |
Yes |
|
Blade V firewall module |
No |
|
|
NAT module |
No |
|
|
M9010-GM |
Encryption module |
Yes |
|
M9016-V |
Blade V firewall module |
No |
|
M9008-S M9012-S |
Blade IV firewall module |
Yes |
|
Intrusion prevention service (IPS) module |
Yes |
|
|
Video network gateway module |
Yes |
|
|
M9008-S-6GW |
IPv6 module |
Yes |
|
M9008-S-V |
Blade IV firewall module |
Yes |
|
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 |
Blade V firewall module |
Yes |
|
M9000-X06 M9000-X10 |
Blade VI firewall module |
Yes |
Data filtering tasks at a glance
To configure data filtering, perform the following tasks:
1. Configuring a keyword group
2. Configuring a data filtering policy
3. Applying a data filtering policy to a DPI application profile
4. (Optional.) Activating data filtering policy and rule settings
5. Applying a DPI application profile
Choose one of the following tasks:
¡ Applying a DPI application profile to a security policy rule
¡ Applying a DPI application profile to an object policy rule
Configuring a keyword group
About this task
A keyword group is a group of keyword match patterns. A keyword match pattern is a text or regular expression string that matches packets based on application layer data.
A packet matches a keyword group if it matches any keyword match pattern in the group.
Procedure
1. Enter system view.
system-view
2. Create a keyword group and enter its view.
data-filter keyword-group keywordgroup-name
3. (Optional.) Configure a description for the keyword group.
description string
By default, a keyword group does not have a description.
4. Configure keyword match patterns:
¡ Create a user-defined keyword match pattern.
pattern pattern-name { regex | text } pattern-string
By default, a keyword group does not contain any user-defined keyword match patterns.
¡ Enable a predefined keyword match pattern.
pre-defined-pattern name { bank-card-number | credit-card-number | id-card-number | phone-number }
By default, no predefined patterns are enabled in a keyword group.
Configuring a data filtering policy
About this task
A data filtering policy can contain a maximum of 32 data filtering rules. Each rule defines a set of filtering criteria and actions for matching packets. The filtering criteria include:
· One keyword group.
· One or more application layer protocols.
· Traffic direction.
Restrictions and guidelines
Data filtering rules applied to the NFS protocol take effect only on NFSv3 traffic.
Data filtering rules applied to the SMB protocol take effect only on SMBv1 and SMBv2 traffic.
The logging keyword enables the data filtering module to log packet matching events and use one of the following methods to send log messages:
· Fast log output—You must specify a log host to receive the log messages. Log messages are sent to the specified log host.
· Syslog output—Log messages are sent to the information center. With the information center, you can set log message filtering and output rules, including output destinations. The information center can output data filtering syslogs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect. To view data filtering syslogs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default. For more information about the display logbuffer command, see information center commands in Network Management and Monitoring Command Reference.
Syslog output might affect device performance. As a best practice, use fast log output. For more information about fast log output, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Create a data filtering policy and enter its view.
data-filter policy policy-name
3. (Optional.) Configure a description for the data filtering policy.
description string
By default, a data filtering policy does not have a description.
4. Create a data filtering rule and enter its view.
rule rule-name
5. Specify a keyword group for the data filtering rule.
keyword-group keywordgroup-name
By default, a data filtering rule does not contain any keyword group.
6. Specify the application layer protocols to which the data filtering rule applies.
application { all | type { ftp | http | imap | nfs | pop3 | rtmp | smb | smtp } * }
By default, no applicable application layer protocols are specified for a data filtering rule.
7. Specify the traffic directions to which the data filtering rule applies.
direction { both | download | upload }
By default, a data filtering rule applies to upload traffic.
8. Specify the actions to take on matching packets.
action { drop | permit } [ logging ]
The default action of a data filtering rule is drop.
Applying a data filtering policy to a DPI application profile
About this task
A data filtering policy must be applied to a DPI application profile to take effect.
A DPI application profile can use only one data filtering policy. If you apply different data filtering policies to the same DPI application profile, only the most recent configuration takes effect.
Procedure
1. Enter system view.
system-view
2. Enter DPI application profile view.
app-profile profile-name
For more information about this command, see DPI engine commands in DPI Command Reference.
3. Apply a data filtering policy to the DPI application profile.
data-filter apply policy policy-name
By default, no data filtering policy is applied to the DPI application profile.
Activating data filtering policy and rule settings
About this task
By default, the system will detect whether another configuration change (such as creation, modification, or deletion) occurs within a 20-second interval after a change to the data filtering policy and rule settings:
· If no configuration change occurs within the interval, the system will perform an activation operation at the end of the next 20-second interval to make the configuration take effect.
· If a configuration change occurs within the interval, the system continues to periodically detect whether configuration changes occur within next 20-second intervals.
To activate the policy and rule configurations immediately, you can execute the inspect activate command.
Procedure
1. Enter system view.
system-view
2. Activate data filtering policy and rule settings.
inspect activate
By default, data filtering policy and rule settings will be activated automatically.
|
|
CAUTION: This command can cause temporary outage for DPI services. Services based on the DPI services might also be interrupted. For example, security policies cannot control access to applications and Layer 7 load balancing services cannot load share traffic based on applications. |
Applying a DPI application profile to a security policy rule
1. Enter system view.
system-view
2. Enter security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Set the rule action to pass.
action pass
The default rule action is drop.
5. Use a DPI application profile in the rule.
profile app-profile-name
By default, no DPI application profile is used in a security policy rule.
Applying a DPI application profile to an object policy rule
1. Enter system view.
system-view
2. Enter object policy view.
object-policy { ip | ipv6 } object-policy-name
3. Use a DPI application profile in an object policy rule.
rule [ rule-id ] inspect app-profile-name
By default, no DPI application profile is used in an object policy rule.
4. Return to system view.
quit
5. Create a zone pair and enter zone pair view.
zone-pair security source source-zone-name destination destination-zone-name
For more information about zone pairs, see security zone configuration in Security Configuration Guide.
6. Apply the object policy to the zone pair.
object-policy apply { ip | ipv6 } object-policy-name
By default, no object policy is applied to a zone pair.
Data filtering configuration examples
Example: Using a data filtering policy in a security policy
Network configuration
As shown in Figure 1, the device connects to the LAN and Internet through security zones Trust and Untrust, respectively.
Configure data filtering on the device so the device performs the following operations:
· Blocks HTTP packets that contain the uri or abc.*abc string in the URI field or message body.
· Blocks download FTP traffic that contains the http://www.abcd.com/ string.
· Logs the blocked packets.
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures a static route to reach the Web server, and the next hop in the route is 2.2.2.2.
[Device] ip route-static 5.5.5.0 24 2.2.2.2
3. Add interfaces to security zones.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
4. Configure data filtering:
a. Configure keyword groups:
# Create a keyword group named kg1 and create two keyword match patterns that match the uri text string and the abc.*abc regular expression string, respectively.
[Device] data-filter keyword-group kg1
[Device-data-filter-kgroup-kg1] pattern 1 text uri
[Device-data-filter-kgroup-kg1] pattern 2 regex abc.*abc
[Device-data-filter-kgroup-kg1] quit
# Create a keyword group named kg2 and create a keyword match pattern that matches the http://www.abcd.com/ text string.
[Device] data-filter keyword-group kg2
[Device-data-filter-kgroup-kg2] pattern 1 text www.abcd.com
[Device-data-filter-kgroup-kg2] quit
b. Configure a data filtering policy:
# Create a data filtering rule named r1 and configure it to drop and log both upload and download HTTP traffic that matches keyword group kg1.
[Device] data-filter policy p1
[Device-data-filter-policy-p1] rule r1
[Device-data-filter-policy-p1-rule-r1] keyword-group kg1
[Device-data-filter-policy-p1-rule-r1] application type http
[Device-data-filter-policy-p1-rule-r1] direction both
[Device-data-filter-policy-p1-rule-r1] action drop logging
[Device-data-filter-policy-p1-rule-r1] quit
# Create a data filtering rule named r2 and configure it to drop and log download FTP traffic that matches keyword group kg2.
[Device-data-filter-policy-p1] rule r2
[Device-data-filter-policy-p1-rule-r2] keyword-group kg2
[Device-data-filter-policy-p1-rule-r2] application type ftp
[Device-data-filter-policy-p1-rule-r2] direction download
[Device-data-filter-policy-p1-rule-r2] action drop logging
[Device-data-filter-policy-p1-rule-r2] quit
5. Configure a DPI application profile and activate the data filtering policy and rule settings:
# Create a DPI application profile named sec and apply data filtering policy p1 to the DPI application profile.
[Device] app-profile sec
[Device-app-profile-profile1] data-filter apply policy p1
[Device-app-profile-profile1] quit
# Activate the data filtering policy and rule settings.
[Device] inspect activate
6. Configure a security policy:
# Create a security policy rule named trust-untrust. Configure the rule to apply DPI application profile sec to packets from security zone Trust to security zone Untrust with source subnet address 192.168.1.0/24.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-10-trust-untrust] source-zone trust
[Device-security-policy-ip-10-trust-untrust] source-ip-subnet 192.168.1.0 24
[Device-security-policy-ip-10-trust-untrust] destination-zone untrust
[Device-security-policy-ip-10-trust-untrust] action pass
[Device-security-policy-ip-10-trust-untrust] profile sec
[Device-security-policy-ip-10-trust-untrust] quit
# Activate rule matching acceleration.
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
Verifying the configuration
# Verify that the device blocks and logs HTTP packets and FTP packets that meet the specified criteria. (Details not shown.)
Example: Using a data filtering policy in an object policy
Network configuration
As shown in Figure 2, the device connects to the LAN and Internet through security zones Trust and Untrust, respectively.
Configure data filtering on the device so the device performs the following tasks:
· Blocks HTTP packets that contain the uri or abc.*abc string in the URI field or message body.
· Blocks download FTP traffic that contains the http://www.abcd.com/ string.
· Logs the blocked packets.
Procedure
1. Assign IP addresses to interfaces, as shown in Figure 2. (Details not shown.)
2. Configure the security zones:
# Assign GigabitEthernet 1/0/1 to security zone Trust.
<Device> system-view
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
# Assign GigabitEthernet 1/0/2 to security zone Untrust.
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
3. Create an IP address object group named datafilter and configure an IP address object with subnet 192.168.1.0/24.
[Device] object-group ip address datafilter
[Device-obj-grp-ip-datafilter] network subnet 192.168.1.0 24
[Device-obj-grp-ip-datafilter] quit
4. Configure data filtering:
a. Configure keyword groups:
# Create a keyword group named kg1 and enter its view.
[Device] data-filter keyword-group kg1
# Create two keyword match patterns in keyword group kg1: one matches the uri text string and the other matches the abc.*abc regular expression string.
[Device-data-filter-kgroup-kg1] pattern 1 text uri
[Device-data-filter-kgroup-kg1] pattern 2 regex abc.*abc
[Device-data-filter-kgroup-kg1] quit
# Create a keyword group named kg2 and enter its view.
[Device] data-filter keyword-group kg2
# Create a keyword match pattern that matches the http://www.abcd.com/ text string.
[Device-data-filter-kgroup-kg2] pattern 1 text www.abcd.com
[Device-data-filter-kgroup-kg2] quit
b. Configure a data filtering policy:
# Create a data filtering policy named p1 and enter its view.
[Device] data-filter policy p1
# Create a data filtering rule named r1 and enter its view.
[Device-data-filter-policy-p1] rule r1
# Configure data filtering rule r1 to drop and log both upload and download HTTP traffic that matches keyword group kg1.
[Device-data-filter-policy-p1-rule-r1] keyword-group kg1
[Device-data-filter-policy-p1-rule-r1] application type http
[Device-data-filter-policy-p1-rule-r1] direction both
[Device-data-filter-policy-p1-rule-r1] action drop logging
[Device-data-filter-policy-p1-rule-r1] quit
# Create a data filtering rule named r2 and enter its view.
[Device-data-filter-policy-p1] rule r2
# Configure data filtering rule r2 to drop and log download FTP traffic that matches keyword group kg2.
[Device-data-filter-policy-p1-rule-r2] keyword-group kg2
[Device-data-filter-policy-p1-rule-r2] application type ftp
[Device-data-filter-policy-p1-rule-r2] direction download
[Device-data-filter-policy-p1-rule-r2] action drop logging
[Device-data-filter-policy-p1-rule-r2] quit
5. Apply data filtering policy p1 to a DPI application profile:
# Create a DPI application profile named profile1 and enter its view.
[Device] app-profile profile1
# Apply data filtering policy p1 to DPI application profile profile1.
[Device-app-profile-profile1] data-filter apply policy p1
[Device-app-profile-profile1] quit
6. Activate the data filtering policy and rule settings.
[Device] inspect activate
7. Configure an object policy:
# Create object policy inspect1 and enter its view.
[Device] object-policy ip inspect1
# Configure an object policy rule to apply DPI application profile profile1 to packets that uses source IP addresses in IP address object group datafilter.
[Device-object-policy-ip-inspect1] rule inspect profile1 source-ip datafilter destination-ip any
[Device-object-policy-ip-inspect1] quit
8. Create a zone pair between source zone Trust and destination zone Untrust, and then apply object policy inspect1 to the zone pair.
[Device] zone-pair security source trust destination untrust
[Device-zone-pair-security-trust-untrust] object-policy apply ip inspect1
[Device-zone-pair-security-trust-untrust] quit
Verifying the configuration
# Verify that the device blocks and logs HTTP packets and FTP packets that meet the specified criteria.
