Application audit
This help contains the following topics:
¡ Configure an application audit policy
Introduction
This feature parses personal information from user packets and must be used for legitimate purposes.
Based on application recognition (APR), application audit audits and records Internet access behaviors of users by identifying behaviors and behavior contents of applications.
Basic concepts
Application behaviors
Applications and programs are characterized by different behaviors. For example, IM applications are characterized by login and message sending. FTP is characterized by file upload and file download.
Behavior contents
A behavior content is the content of a behavior. For example, the content of a login behavior is the account information. The content of an FTP file upload behavior is the file name. You can match behavior contents by using a string or a number.
Application audit process
Figure 1 Application audit process
Application audit policy
Different audit policies process matching packets differently.
Policy types
Application audit policies have the following types:
· Audit policy—Audits packets that meet match criteria in the policy.
· Audit-free policy—Does not audit packets that meet match criteria in the policy.
· Deny policy—Drops packets that meet match criteria in the policy.
Policy matching
Multiple application audit policies can exist on a device. The device compares a packet with policies in their configuration order. When a match is found, the match process ends. If no match is found, the device applies the default action to the packet.
You can view the configuration order of policies on the Audit Policy page. The configuration order is the creation order if no policies are moved. You can change the configuration order of a policy by moving the policy. As a best practice to audit packets more accurately, observe the depth-first principle when creating policies: always create a policy with a smaller audit scope before a policy with a larger audit scope, so that the broader policy does not shadow the narrower one.
Match criteria
Multiple match criteria can be configured in an application audit policy. A policy is matched if all match criteria in the policy are matched.
The following match criteria are available:
· Source and destination security zones.
· Source and destination IP addresses.
· Users/user groups.
· Applications/application groups.
· Services.
· Time ranges.
One match criterion can contain multiple match values. For example, you can configure multiple address object groups for a source IP address match criterion. A match criterion is matched if any of its match values is matched.
Audit rule
Audit rules can be configured for an audit policy to perform more granular control on user behaviors and to generate audit logs.
The following rule match modes are available:
· in-order—The device compares packets with audit rules in ascending order of rule ID. When a packet matches a rule, the device stops the match process and performs the action defined in the rule.
· all—The device compares packets with audit rules in ascending order of rule ID.
¡ If a packet matches a rule with the permit action, the device continues to compare the packet with the subsequent rules. Of the actions of all matching rules, the device takes the one with the higher priority. The deny action has higher priority than the permit action.
¡ If a packet matches a rule with the deny action, the device stops the match process and performs the deny action.
If a packet does not match any audit rule, the device takes the default action for audit rules on the packet.
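The policy selection and audit rule matching semantics described above (first-match policy order, AND across criteria with OR within a criterion, and the in-order versus all rule modes), as an added Python model that is not the vendor's code. The policy names, criteria values, sample packet and the default actions (the `default` parameters) are constructed assumptions, and match values are modelled as plain set membership rather than address or service object groups.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    ptype: str                    # "audit", "audit-free", or "deny"
    criteria: dict = field(default_factory=dict)  # criterion -> set of match values
    rules: list = field(default_factory=list)     # (rule_id, behavior, action)

def policy_matches(policy, packet):
    # A policy matches only if every configured criterion matches, and a
    # criterion matches if any one of its match values matches the packet.
    return all(packet.get(k) in vals for k, vals in policy.criteria.items())

def select_policy(policies, packet, default="audit-free"):
    # Policies are compared in configuration order; the first match ends the
    # process. The default action for "no policy matched" is an assumed parameter.
    for p in policies:
        if policy_matches(p, packet):
            return p.name, p.ptype
    return None, default

def apply_rules(rules, behavior, mode="in-order", default="permit"):
    # Rules are compared in ascending rule ID order. The default action for
    # "no rule matched" is an assumed parameter here.
    matched = sorted(r for r in rules if r[1] == behavior)
    if not matched:
        return default
    if mode == "in-order":
        return matched[0][2]          # first matching rule ends the process
    # mode "all": a permit match keeps matching; a deny match stops and outranks permit
    return "deny" if any(a == "deny" for _, _, a in matched) else "permit"

# Constructed sample policies and packet (hypothetical names and values).
NARROW = Policy("deny-ftp-host", "deny",
                {"src_zone": {"Trust"}, "src_ip": {"10.1.1.5"}, "app": {"FTP"}})
WIDE = Policy("audit-trust", "audit", {"src_zone": {"Trust"}},
              rules=[(10, "file-upload", "permit"), (20, "file-upload", "deny"),
                     (30, "login", "permit")])
PACKET = {"src_zone": "Trust", "src_ip": "10.1.1.5", "app": "FTP"}

def demo():
    # Depth-first ordering: the narrow policy must precede the wide one, or the
    # wide policy shadows it and the host's FTP traffic is audited instead of dropped.
    ordered = select_policy([NARROW, WIDE], PACKET)     # deny-ftp-host wins
    shadowed = select_policy([WIDE, NARROW], PACKET)    # audit-trust shadows it
    in_order = apply_rules(WIDE.rules, "file-upload", "in-order")  # rule 10: permit
    all_mode = apply_rules(WIDE.rules, "file-upload", "all")       # rule 20 deny outranks
    return ordered, shadowed, in_order, all_mode
```

Running `demo()` shows the same packet being dropped or merely audited depending only on policy order, which is the shadowing the depth-first guideline is meant to prevent.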
Restrictions and guidelines
After an application audit policy is created, edited, deleted, enabled, or disabled, the change takes effect immediately if you click Submit. If you do not click Submit, the change automatically takes effect after 40 seconds by default.
Configure application audit
Figure 2 shows the configuration procedure for application audit.
Figure 2 Application audit configuration procedure
Before configuring application audit, configure security policies to allow traffic to flow through the device. For information about configuring security policies, see "Security Policy Help."
Configure a keyword group
1. Select Policies > Application Audit > Keyword Groups.
2. Click Create in the Keyword Group page.
3. Create a keyword group.
Table 1 Keyword group configuration items
Item | Description
---|---
Name | Enter a name for the keyword group.
Description | Enter a description for the keyword group, which helps the administrator identify the keyword group.
Keyword | Enter keywords to be audited. Keywords are separated by carriage returns.
4. Click OK. The new keyword group appears in the Keyword Group page.
Configure an application audit policy
1. Select Policies > Application Audit > Audit Policies.
2. Click Create in the Audit Policy page.
3. Create an application audit policy.
Table 2 Application audit policy configuration items
Item | Description
---|---
Name | Enter a name for the application audit policy.
Type | Select the application audit policy type: Audit, Audit-free, or Deny.
Enable | Enable the policy to make it take effect.
Source security zone | Specify a source security zone as a match criterion.
Destination security zone | Specify a destination security zone as a match criterion.
Source IP address | Specify a source IP address object group as a match criterion.
Destination IP address | Specify a destination IP address object group as a match criterion.
Service | Specify a service object group as a match criterion.
User | Specify a user as a match criterion.
Application | Specify an application or application group as a match criterion.
Time range | Specify a time range during which the policy is in effect.
Audit rule | Configure an audit rule to perform refined auditing on the behaviors and behavior contents of applications. This item can be configured only for an Audit-type policy.
4. Click OK. The new application audit policy appears in the Audit Policy page.
5. To make the new application audit policy take effect immediately, click Submit. By default, the application audit policy automatically takes effect after 40 seconds.