Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 02-Application audit and management configuration | 134.33 KB |
Contents
Configuring application audit and management
About application audit and management
Application audit and management policy
Application audit and management workflow
Restrictions: Hardware compatibility with application audit and management
Restrictions and guidelines: Application audit and management configuration
Prerequisites for application audit and management
Application audit and management tasks at a glance
Creating an application audit and management policy
Configuring match criteria for the policy
Specifying a time range for the policy
Configuring an audit rule for the policy
Managing and maintaining an application audit and management policy
Copying an application audit and management policy
Renaming an application audit and management policy
Moving an application audit and management policy
Disabling an application audit and management policy
Activating policy and rule settings of all DPI service modules
Application audit and management configuration examples
Example: Configuring account login audit
Example: Configuring sensitive information audit
Configuring application audit and management
About application audit and management
Application audit and management audits and records Internet access behaviors of users by identifying behaviors (for example, login and message sending in IM applications) and behavior objects (for example, account information for IM login).
|
|
NOTE: This feature parses personal information from user packets and must be used for legitimate purposes. |
Application audit and management policy
You can configure match criteria, audit rules, and actions in an application audit and management policy to audit matching packets.
Policy types
Application audit and management policies have the following types:
· Audit policy—Audits packets that meet match criteria in the policy.
· Audit-free policy—Does not audit packets that meet match criteria in the policy.
· Deny policy—Drops packets that meet match criteria in the policy.
Match criteria
Multiple match criteria can be configured in an application audit and management policy.
The following match criteria are available:
· Source and destination security zones.
· Source and destination IP addresses.
· Services.
· Users/user groups.
· Applications.
One match criterion can contain multiple match values. For example, you can configure multiple source security zones for a source security zone match criterion.
Audit rule
Audit rules can be configured for an audit policy to perform more granular control on user behaviors and to generate audit logs.
The following rule match modes are available:
· in-order—The device compares packets with audit rules in ascending order of rule ID. When a packet matches a rule, the device stops the match process and performs the action defined in the rule.
· all—The device compares packets with audit rules in ascending order of rule ID.
¡ If a packet matches a rule with the permit action, all subsequent rules continue to be matched.
The device takes the action with higher priority on matching packets. The deny action has higher priority than the permit action.
¡ If a packet matches a rule with the deny action, the device stops the match process and performs the deny action.
Audit log
The device can generate and output audit logs for packets that match an audit rule. The audit logs can be output as common logs or output by using the fast log output feature.
Application audit and management workflow
Figure 1 shows the application audit and management workflow.
Figure 1 Application audit and management workflow
The application audit and management workflow is as follows:
1. The device matches the packet against the match criteria in an application audit and management policy.
The packet meets a match criterion if it matches any of its match values. A packet does not match a match criterion if it matches none of its match values.
2. If the packet meets all match criteria in the policy (for the user and user group criteria, only one criterion needs to be matched), the packet matches the policy. Otherwise, the packet does not match the policy and continues to be matched by the next policy. If the packet does not match any policy, the device takes the policy's default action on the packet.
3. If the packet matches a policy, it is processed according to the policy type.
¡ If the policy is an audit-free policy, the packet is allowed to pass.
¡ If the policy is a deny policy, the packet is denied.
¡ If the policy is an audit policy, the packet is matched against the audit rules in the policy.
4. The device processes the packet as follows:
¡ If a packet matches all items in an audit rule, the action in the audit rule is taken on the packet.
¡ If a packet matches only the specified application or application category in an audit rule, the packet is allowed to pass through.
¡ If a packet does not match the specified application or application category in an audit rule, the default action for audit rules is taken on the packet.
Restrictions: Hardware compatibility with application audit and management
|
Hardware platform |
Module type |
Application audit and management compatibility |
|
M9006 M9010 M9014 |
Blade 4 firewall module |
Yes |
|
Blade 5 firewall module |
No |
|
|
NAT module |
No |
|
|
M9010-GM |
Encryption module |
Yes |
|
M9016-V |
Blade 5 firewall module |
No |
|
M9008-S M9012-S |
Blade 4 firewall module |
Yes |
|
Intrusion prevention service (IPS) module |
Yes |
|
|
Video network gateway module |
Yes |
|
|
M9008-S-6GW |
IPv6 module |
Yes |
|
M9008-S-V |
Blade 4 firewall module |
Yes |
|
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 |
Blade 5 firewall module |
Yes |
|
M9000-X06 M9000-X10 |
Blade 6 firewall module |
Yes |
vSystem support for features
vSystem supports all application audit and management features. For more information about vSystem, see Virtual Technologies Configuration Guide.
Restrictions and guidelines: Application audit and management configuration
As a best practice to audit packets more accurately, observe the depth-first principle when creating policies. Always create a policy with a smaller audit scope before a policy with a larger audit scope.
Prerequisites for application audit and management
Before configuring application audit and management, complete the following tasks:
· Update the APR signature library to the latest version (see APR configuration in Security Configuration Guide).
· Configure time ranges (see time range configuration in ACL and QoS Configuration Guide).
· Configure IP address object groups and service object groups (see object group configuration in Security Configuration Guide).
· Configure applications (see APR configuration in Security Configuration Guide).
· Configure users and user groups (see user identification configuration in Security Configuration Guide).
· Configure security zones (see security zone configuration in Security Configuration Guide).
Application audit and management tasks at a glance
To configure application audit and management, perform the following tasks:
1. Creating an application audit and management policy
2. Configuring match criteria for the policy
3. (Optional.) Specifying a time range for the policy
4. Configuring an audit rule for the policy
5. Configuring a keyword group
6. (Optional.) Managing and maintaining an application audit and management policy
7. Activating policy and rule settings of all DPI service modules
Creating an application audit and management policy
1. Enter system view.
system-view
2. Enter application audit and management view.
uapp-control
3. Create an application audit and management policy and enter its view.
policy name policy-name { audit | deny | noaudit }
4. Configure the default action for the policy.
policy default-action { deny | permit }
By default, the default action for a policy is permit.
Configuring match criteria for the policy
1. Enter system view.
system-view
2. Enter application audit and management view.
uapp-control
3. Enter application audit and management policy view.
policy name policy-name [ audit | deny | noaudit ]
4. Configure a security zone as a match criterion.
¡ Configure a source security zone as a match criterion.
source-zone source-zone-name
¡ Configure a destination security zone as a match criterion.
destination-zone destination-zone-name
By default, no security zone is used as a match criterion.
5. Configure an IP address object group as a match criterion.
¡ Configure a source IP address object group as a match criterion.
source-address { ipv4 | ipv6 } object-group-name
¡ Configure a destination IP address object group as a match criterion.
destination-address { ipv4 | ipv6 } object-group-name
By default, no IP address object group is used as a match criterion.
6. Configure a service object group as a match criterion.
service service-name
By default, no service object group is used as a match criterion.
7. Configure a user or user group as a match criterion.
¡ Configure a user as a match criterion.
user user-name [ domain domain-name ]
¡ Configure a user group as a match criterion.
user-group user-group-name [ domain domain-name ]
By default, no user or user group is used as a match criterion.
8. Configure an application or application group as a match criterion.
application { app application-name | app-group application-group-name }
By default, no application or application group is used as a match criterion.
The application and application group match criteria can be configured only in audit-free policies and deny policies.
Specifying a time range for the policy
1. Enter system view.
system-view
2. Enter application audit and management view.
uapp-control
3. Enter application audit and management policy view.
policy name policy-name { audit | deny | noaudit }
4. Specify a time range during which the policy is in effect.
time-range time-range-name
By default, an application audit and management policy is in effect at any time.
Configuring an audit rule for the policy
About this task
An audit rule provices the following functions:
· General auditing—Performs granular control on user behaviors.
· Email protection—Detects incoming emails, counts emails based on recipients, and protects recipients from attacks. Specifically, you can configure the following functions:
¡ Limit email sending—Prevents users from sending emails to users of a different domain. For example, the user at user1@abc.com cannot receive emails from the user at user2@123.com.
¡ Prevent email bombing—Protects recipients from being overwhelmed by large numbers of emails from the same sender during a short period of time.
You can configure audit rules only for an audit policy.
If you specify the audit-logging keyword for an audit rule, the device supports the following methods to send log messages:
· Fast log output—You must specify a log host to receive the log messages. Log messages are sent to the specified log host.
· Syslog output—Log messages are sent to the information center. With the information center, you can set log message filtering and output rules, including output destinations. The information center can output audit syslogs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect. To view audit syslogs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
Syslog output might affect device performance. As a best practice, use fast log output.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide. For more information about fast log output, see fast log output configuration in Network Management and Monitoring Configuration Guide.
Restrictions and guidelines
For WeChat and QQ, specific messages cannot be audited..
Procedure
1. Enter system view.
system-view
2. Enter application audit and management view.
uapp-control
3. Enter application audit and management policy view of the audit type.
policy name policy-name [ audit ]
4. Configure an audit rule for the policy.
rule rule-id { app app-name | app-category app-category-name | any } behavior { behavior-name | any } bhcontent { bhcontent-name | any } { keyword { equal | exclude | include | unequal } { keyword-group-name | any } | integer { equal | greater | greater-equal | less | less-equal | unequal } { number } } action { deny | permit } [ audit-logging ]
rule rule-id { email-bomb-defense [ interval interval max-number email-number ] | email-send-restriction } * action { deny | permit } [ audit-logging ]
By default, a policy does not have audit rules.
5. Configure the match mode for audit rules in the policy.
rule match-method { all | in-order }
By default, the match mode for audit rules is in-order.
6. Configure the default action for audit rules in the policy.
rule default-action { deny | permit }
By default, the default action for audit rules is permit.
Configuring a keyword group
About this task
A keyword group can be used by an audit rule to match more specific information.
Procedure
1. Enter system view.
system-view
2. Enter application audit and management view.
uapp-control
3. Create a keyword group and enter its view.
keyword-group name keyword-group-name
4. (Optional.) Configure a description for the keyword group.
description text
By default, a keyword group does not have a description.
5. Add a keyword to the keyword group.
keyword keyword-value
By default, a keyword group does not contain keywords.
Managing and maintaining an application audit and management policy
Copying an application audit and management policy
1. Enter system view.
system-view
2. Enter application audit and management view.
uapp-control
3. Copy an application audit and management policy.
policy copy policy-name new-policy-name
Renaming an application audit and management policy
1. Enter system view.
system-view
2. Enter application audit and management view.
uapp-control
3. Rename an application audit and management policy.
policy rename old-policy-name new-policy-name
Moving an application audit and management policy
1. Enter system view.
system-view
2. Enter application audit and management view.
uapp-control
3. Move an application audit and management policy.
policy move policy-name1 { after | before } policy-name2
Disabling an application audit and management policy
1. Enter system view.
system-view
2. Enter application audit and management view.
uapp-control
3. Enter application audit and management policy view.
policy name policy-name
4. Disable the application audit and management policy.
disable
By default, an application audit and management policy is enabled.
Activating policy and rule settings of all DPI service modules
About this task
After detecting application audit and management policy changes, the system starts a timer to check for new changes 20 seconds later.
· If no further changes are detected when the timer expires, the system determines that the changes are final and activate the changes at the expiration of the next check interval (after 40 seconds).
· If new changes are detected, the system resets the check interval timer and continues the periodic check until it determines that the changes are final and activates the changes.
You can also perform this task to manually activate policy changes immediately.
For more information about this task, see DPI engine configuration in DPI Configuration Guide.
Restrictions and guidelines
This task will interrupt DPI service processing. To reduce the impact on DPI services, perform this task after you complete policy and rule settings of all DPI service modules.
Procedure
1. Enter system view.
system-view
2. Activate policy and rule settings of all DPI service modules.
inspect activate
By default, policy and rule settings of all DPI service modules are deactivated.
|
|
CAUTION: This command causes transient DPI service interruption. DPI-based services might also be interrupted. For example, security policies cannot control access to applications, or server load balancing services cannot load share traffic based on applications. |
Application audit and management configuration examples
Example: Configuring account login audit
Network configuration
As shown in Figure 2, all departments of a company access the Internet through the device. The working hours of the company are 8:00:00 through 18:00:00 from Monday to Friday.
Configure an application audit and management policy on the device to meet the following requirements:
· Permit login from all QQ accounts during working hours.
· Generate audit logs.
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures static routes, and the next hop in the routes is 2.2.2.2.
[Device] ip route-static 5.5.5.5 24 2.2.2.2
3. Add interfaces to security zones.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
4. Configure a security policy:
# Configure a rule named trust-untrust to allow the host to access the Internet.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-1-trust-untrust] source-zone trust
[Device-security-policy-ip-1-trust-untrust] destination-zone untrust
[Device-security-policy-ip-1-trust-untrust] source-ip-host 192.168.1.2
[Device-security-policy-ip-1-trust-untrust] source-ip-host 192.168.1.3
[Device-security-policy-ip-1-trust-untrust] source-ip-host 192.168.1.4
[Device-security-policy-ip-1-trust-untrust] action pass
[Device-security-policy-ip-1-trust-untrust] quit
[Device-security-policy-ip] quit
5. Configure a time range named work to cover 8:00:00 through 18:00:00 from Monday to Friday.
[Device] time-range work 08:00 to 18:00 working-day
6. Update the APR signature library to the latest version (in this example, 1.0.106). (Details not shown.)
7. Configure an application audit and management policy:
# Enter application audit and management view.
[Device] uapp-control
# Create an audit policy named audit-qq and enter its view.
[Device-uapp-control] policy name audit-qq audit
# Configure source security zone Trust as a match criterion for audit policy audit-qq.
[Device-uapp-control-policy-audit-qq] source-zone trust
# Configure destination security zone Untrust as a match criterion for audit policy audit-qq.
[Device-uapp-control-policy-audit-qq] destination-zone untrust
# Specify time range work for audit policy audit-qq.
[Device-uapp-control-policy-audit-qq] time-range work
# Configure an audit rule to permit login from all QQ accounts and generate audit logs.
[Device-uapp-control-policy-audit-qq] rule 1 app QQ behavior Login bhcontent any keyword equal any action permit audit-logging
[Device-uapp-control-policy-audit-qq] quit
[Device-uapp-control] quit
# Activate the configuration.
[Device] inspect activate
Verifying the configuration
When QQ accounts attempt to access the Internet, the device permits the login requests and generates audit log messages.
Example: Configuring sensitive information audit
Network configuration
As shown in Figure 3, all departments of a company access the Internet through the device. The working hours of the company are 8:00:00 through 18:00:00 from Monday to Friday.
Configure an application audit and management policy on the device to meet the following requirements:
· Deny search requests for Bing that include keyword confidential or terrorist attack.
· Generate audit logs.
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Configure settings for routing.
This example configures static routes, and the next hop in the routes is 2.2.2.2.
[Device] ip route-static 5.5.5.5 24 2.2.2.2
3. Add interfaces to security zones.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
4. Configure a security policy:
# Configure a rule named trust-untrust to allow the host to access the Internet.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-1-trust-untrust] source-zone trust
[Device-security-policy-ip-1-trust-untrust] destination-zone untrust
[Device-security-policy-ip-1-trust-untrust] source-ip-host 192.168.1.2
[Device-security-policy-ip-1-trust-untrust] source-ip-host 192.168.1.3
[Device-security-policy-ip-1-trust-untrust] source-ip-host 192.168.1.4
[Device-security-policy-ip-1-trust-untrust] action pass
[Device-security-policy-ip-1-trust-untrust] quit
[Device-security-policy-ip] quit
5. Update the APR signature library to the latest version (in this example, 1.0.106). (Details not shown.)
6. Configure an application audit and management policy:
# Enter application audit and management view.
[Device] uapp-control
# Configure a keyword group named keyword-bing.
[Device-uapp-control] keyword-group name keyword-bing
# Add keywords confidential and terrorist attack to keyword group keyword-bing.
[Device-uapp-control-keyword-group-keyword-bing] keyword confidential
[Device-uapp-control-keyword-group-keyword-bing] keyword terrorist attack
[Device-uapp-control-keyword-group-keyword-bing] quit
# Create an audit policy named audit-bing and enter its view.
[Device-uapp-control] policy name audit-bing audit
# Configure source security zone Trust as a match criterion for audit policy audit-bing.
[Device-uapp-control-policy-audit-bing] source-zone trust
# Configure destination security zone Untrust as a match criterion for audit policy audit-bing.
[Device-uapp-control-policy-audit-bing] destination-zone untrust
# Configure an audit rule to deny search requests for Bing that include keyword confidential or terrorist attack, generating audit logs.
[Device-uapp-control-policy-audit-bing] rule 2 app Bing behavior Search bhcontent Keyword keyword include keyword-bing action deny audit-logging
[Device-uapp-control-policy-audit-bing] quit
[Device-uapp-control] quit
# Activate the configuration.
[Device] inspect activate
Verifying the configuration
When a user searches for information that includes keyword confidential or terrorist attack by using Bing, the device denies the search request and generates a log message.
