04-Policies

10-Application audit

Application audit

 

This help contains the following topics:

·     Introduction

◦     Basic concepts

◦     Application audit process

◦     Application audit policy

◦     Match criteria

◦     Audit rule

·     Configure application audit

◦     Configure a keyword group

◦     Configure an application audit policy

Introduction

This feature parses personal information from user packets and must be used for legitimate purposes.

 

Application audit is based on application recognition (APR). It identifies the behaviors and behavior contents of applications to audit and record the Internet access behaviors of users.

Basic concepts

Application behaviors

Applications and programs are characterized by different behaviors. For example, IM applications are characterized by login and message sending. FTP is characterized by file upload and file download.

Behavior contents

A behavior content is the content of a behavior. For example, the content of a login behavior is the account information. The content of an FTP file upload behavior is the file name. You can match behavior contents by using a string or a number.

Application audit process

Figure 1 Application audit process

Application audit policy

Policies of different types process matching packets differently.

Policy types

Application audit policies have the following types:

·     Audit policy—Audits packets that meet match criteria in the policy.

·     Audit-free policy—Does not audit packets that meet match criteria in the policy.

·     Deny policy—Drops packets that meet match criteria in the policy.

Policy matching

Multiple application audit policies can exist on a device. The device compares a packet with policies in their configuration order. When a match is found, the match process ends. If no match is found, the device applies the default action to the packet.

You can view the configuration order of policies on the Audit Policy page. The configuration order is the creation order if no policies are moved. You can change the configuration order of a policy by moving the policy. As a best practice to audit packets more accurately, observe the depth-first principle when creating policies: always create a policy with a smaller audit scope before a policy with a larger audit scope.

Match criteria

Multiple match criteria can be configured in an application audit policy. A policy is matched if all match criteria in the policy are matched.

The following match criteria are available:

·     Source and destination security zones.

·     Source and destination IP addresses.

·     Users/user groups.

·     Applications/application groups.

·     Services.

·     Time ranges.

One match criterion can contain multiple match values. For example, you can configure multiple address object groups for a source IP address match criterion. A match criterion is matched if any of its match values is matched.
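The policy matching rules above (configuration-order lookup, AND across criteria, OR across the values of one criterion, and the depth-first ordering advice) as an added worked example in Python; this is illustrative code, not the device's implementation, and the policy fields, the `default` action and the sample packets are constructed assumptions:

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of an application audit policy (hypothetical field names).
# A criterion that is left empty is "not configured" and always matches.
@dataclass
class Policy:
    name: str
    ptype: str                                    # "audit", "audit-free" or "deny"
    src_zones: set = field(default_factory=set)
    dst_zones: set = field(default_factory=set)
    src_nets: list = field(default_factory=list)  # address object group: CIDR strings
    apps: set = field(default_factory=set)
    users: set = field(default_factory=set)

def criterion_matches(values, pkt_value, test=lambda v, p: v == p):
    # OR across the values of one criterion; an empty criterion always matches
    return not values or any(test(v, pkt_value) for v in values)

def policy_matches(policy, pkt):
    # AND across all criteria configured in the policy
    return (criterion_matches(policy.src_zones, pkt["src_zone"])
            and criterion_matches(policy.dst_zones, pkt["dst_zone"])
            and criterion_matches(policy.src_nets, ip_address(pkt["src_ip"]),
                                  lambda net, ip: ip in ip_network(net))
            and criterion_matches(policy.apps, pkt["app"])
            and criterion_matches(policy.users, pkt["user"]))

def lookup(policies, pkt, default="audit-free"):
    # Policies are compared in configuration (list) order; the first match ends
    # the process. The default action is an assumption; the page does not state it.
    for p in policies:
        if policy_matches(p, pkt):
            return p.name, p.ptype
    return "default", default

# Depth-first ordering: the narrow exemption for one user precedes the broad
# FTP audit policy that would otherwise swallow it.
POLICIES = [
    Policy("exempt-admin", "audit-free", apps={"ftp"}, users={"admin"}),
    Policy("audit-ftp", "audit", src_zones={"trust"}, dst_zones={"untrust"}, apps={"ftp"}),
    Policy("block-im", "deny", src_nets=["10.1.0.0/16"], apps={"im"}),
]

def packet(src_zone, dst_zone, src_ip, app, user):
    # Constructed packet summary as seen after application recognition
    return {"src_zone": src_zone, "dst_zone": dst_zone, "src_ip": src_ip,
            "app": app, "user": user}
```

Reversing `POLICIES` makes the admin exemption unreachable, which is exactly the mis-ordering the depth-first principle warns against.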

Audit rule

Audit rules can be configured for an audit policy to perform more granular control on user behaviors and to generate audit logs.

The following rule match modes are available:

·     in-order—The device compares packets with audit rules in ascending order of rule ID. When a packet matches a rule, the device stops the match process and performs the action defined in the rule.

·     all—The device compares packets with audit rules in ascending order of rule ID.

◦     If a packet matches a rule with the permit action, all subsequent rules continue to be matched. The device takes the action with higher priority on matching packets. The deny action has higher priority than the permit action.

◦     If a packet matches a rule with the deny action, the device stops the match process and performs the deny action.

If a packet does not match any audit rule, the device takes the default action for audit rules on the packet.
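The two rule match modes (in-order versus all, with deny taking priority over permit) and the keyword and number operators from the audit rule configuration, as an added example in Python; this is illustrative code rather than the device's implementation, and the rule fields, the `default` action and the sample rules and events are constructed assumptions:

```python
from typing import NamedTuple

class Rule(NamedTuple):
    rule_id: int
    app: str
    behavior: str
    match_type: str   # "keyword" or "number" (the Match type item)
    operator: str     # one of the keyword-type or number-type operators
    value: object
    action: str       # "permit" or "deny"

# Operators listed for keyword-type and number-type behavior contents.
KEYWORD_OPS = {
    "include": lambda c, v: v in c, "exclude": lambda c, v: v not in c,
    "equal": lambda c, v: c == v, "unequal": lambda c, v: c != v,
}
NUMBER_OPS = {
    "equal": lambda c, v: c == v, "unequal": lambda c, v: c != v,
    "greater": lambda c, v: c > v, "less": lambda c, v: c < v,
    "greater-equal": lambda c, v: c >= v, "less-equal": lambda c, v: c <= v,
}

def rule_matches(rule, event):
    # A rule applies only to its own application and behavior
    if rule.app != event["app"] or rule.behavior != event["behavior"]:
        return False
    ops = KEYWORD_OPS if rule.match_type == "keyword" else NUMBER_OPS
    return ops[rule.operator](event["content"], rule.value)

def decide(rules, event, mode, default="permit"):
    # Returns (action, matched rule IDs). Rules are walked in ascending rule ID.
    # The default action for rules is an assumption; the page does not state it.
    matched, action = [], None
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if not rule_matches(rule, event):
            continue
        matched.append(rule.rule_id)
        if mode == "in-order":
            return rule.action, matched        # first match ends the process
        if rule.action == "deny":              # "all" mode: deny wins and stops
            return "deny", matched
        action = "permit"                      # "all" mode: permit keeps matching
    return (action or default), matched

# Constructed rules: the permit for "report" files and the deny for "secret"
# files both match an upload of secret_report.txt; the mode decides the outcome.
RULES = [
    Rule(10, "ftp", "upload", "keyword", "include", "report", "permit"),
    Rule(20, "ftp", "upload", "keyword", "include", "secret", "deny"),
    Rule(30, "im", "send-message", "number", "greater", 1000, "deny"),
]
```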

Email protection can be configured in a rule. The device detects incoming emails, counts emails based on recipients, and protects recipients from attacks. Specifically, you can configure the following functions:

·     Limit email sending—Prevents users from sending emails to users of a different domain. For example, the user at user1@abc.com cannot receive emails from the user at user2@123.com.

·     Prevent email bombing—Protects recipients from being overwhelmed by large numbers of emails from the same sender during a short period of time.
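The two email protection functions (the cross-domain sending limit and the per-sender email bombing threshold defined by a detection time and an email count) as an added example in Python; this is illustrative code, not the device's implementation, and the sliding-window semantics, the per-(sender, recipient) keying and the sample mail log are constructed assumptions:

```python
from collections import defaultdict, deque

class EmailBombingDetector:
    # Sliding window per (sender, recipient): more than email_count emails
    # inside detection_time seconds trips the protection. The exact window
    # semantics are an assumption; the page gives only the two parameters.
    def __init__(self, detection_time, email_count):
        self.detection_time = detection_time
        self.email_count = email_count
        self.windows = defaultdict(deque)   # (sender, rcpt) -> recent timestamps

    def observe(self, sender, rcpt, ts):
        # Record one inbound email and report whether the threshold is exceeded
        q = self.windows[(sender, rcpt)]
        q.append(ts)
        while q and ts - q[0] >= self.detection_time:   # expire old entries
            q.popleft()
        return len(q) > self.email_count

def same_domain(sender, rcpt):
    # Limit email sending: mail between different domains is refused
    return sender.rsplit("@", 1)[-1].lower() == rcpt.rsplit("@", 1)[-1].lower()

# Constructed inbound mail log: "<epoch seconds> <sender> <recipient>"
SAMPLE_LOG = """\
100 bob@abc.com user1@abc.com
110 bob@abc.com user1@abc.com
120 bob@abc.com user1@abc.com
130 bob@abc.com user1@abc.com
200 bob@abc.com user1@abc.com
205 user2@123.com user1@abc.com
"""

def run(log, detection_time=60, email_count=3):
    # Apply both functions to each line; returns (ts, sender, verdict) tuples
    det = EmailBombingDetector(detection_time, email_count)
    verdicts = []
    for line in log.splitlines():
        ts, sender, rcpt = line.split()
        ts = int(ts)
        if not same_domain(sender, rcpt):
            verdicts.append((ts, sender, "blocked-cross-domain"))
        elif det.observe(sender, rcpt, ts):
            verdicts.append((ts, sender, "bombing"))
        else:
            verdicts.append((ts, sender, "ok"))
    return verdicts
```

With a 60-second detection time and an email count of 3, the fourth email from bob within 30 seconds is flagged, while the email at second 200 is counted in a fresh window.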

Configure application audit

Figure 2 shows the configuration procedure for application audit.

Figure 2 Application audit configuration procedure

 

Before configuring application audit, configure security policies to allow traffic to flow through the device. For information about configuring security policies, see "Security Policy Help."

Configure a keyword group

1.     Select Policies > Application Audit > Audit Policy.

2.     Click Keyword Group.

3.     Click Create to create a keyword group.

Table 1 Keyword group configuration items

Item

Description

Name

Enter a name for the keyword group.

Description

Enter a description for the keyword group, which helps the administrator identify the keyword group.

Keyword

Enter keywords to be audited. Keywords are separated by carriage returns.

 

4.     Click OK. The new keyword group appears in the Keyword Group page.

Configure an application audit policy

1.     Select Policies > Application Audit > Audit Policy.

2.     Click Create in the Audit Policy page.

3.     Create an application audit policy.

Table 2 Application audit policy configuration items

Item

Description

Name

Enter a name for the application audit policy.

Type

Select the application audit policy type: Audit, Audit-free, or Deny.

Enable

Enable the policy to make it take effect.

Source security zone

Specify a source security zone as a match criterion.

Destination security zone

Specify a destination security zone as a match criterion.

Source IP address

Specify a source IP address object group as a match criterion.

Destination IP address

Specify a destination IP address object group as a match criterion.

Service

Specify a service object group as a match criterion.

User

Specify a user as a match criterion.

Application

Specify an application or application group as a match criterion.

Time range

Specify a time range during which the policy is in effect.

Audit rule

Configure an audit rule to perform refined auditing on the behaviors and behavior contents of applications. This item can be configured only for an Audit-type policy.

Rule ID

Enter a rule ID.

Application

Select the applications to be audited.

Behavior

Select the behaviors to be audited.

Behavior content

Select the behavior contents to be audited.

Match type

Specify the behavior content type:

·     Keyword.

·     Number.

Keyword

Operator used when behavior contents are matched:

·     For keyword-type behavior contents: Include, Exclude, Equal, Unequal.

·     For number-type behavior contents: Equal, Unequal, Greater, Less, Greater-equal, Less-equal.

Email protection

Select Enable to configure the Limit email sending and Prevent email bombing functions.

Limit email sending

Select Enable to prevent users from sending emails to users of a different domain.

Prevent email bombing

Configure this function to protect recipients from being overwhelmed by large numbers of emails from the same sender during a short period of time.

·     Detection time—Duration during which the device counts emails from the same user. No more than the specified email count can be received from the same user during this time.

·     Email count—The maximum number of emails that can be received from the same user during the detection time.

Action

Select an action to take on packets matching audit rules: Permit or Deny.

Logging

Select Enabled or Disabled to enable or disable generation of logs.

 

4.     Click OK. The new application audit policy appears in the Audit Policy page.
