17-DPI Configuration Guide

06-Data filtering configuration

Configuring data filtering

About data filtering

Data filtering filters packets based on application layer information. You can use data filtering to effectively prevent leakage of internal information, distribution of illegal information, and unauthorized access to the Internet.

Data filtering supports filtering packets of the following protocols:

·     HTTP.

·     FTP.

·     SMTP.

·     IMAP.

·     NFS.

·     POP3.

·     RTMP.

·     SMB.

Basic concepts

Keyword match pattern

The device provides predefined keyword match patterns and allows you to create user-defined keyword match patterns in a keyword group.

·     Predefined pattern—Includes the phone number, bank card number, credit card number, and ID card number patterns. These patterns can be used to identify packets that contain phone numbers, bank card numbers, credit card numbers, and ID card numbers.

·     User-defined pattern—A text- or regular expression-based string to identify patterns in the application layer data of packets.

Keyword group

A keyword group is a group of keyword match patterns.

Data filtering rule

A data filtering rule contains a set of filtering criteria for matching packets, including keyword group, traffic direction, and application layer protocol. You can specify the actions to take on packets matching a data filtering rule. Supported actions include drop, permit, and logging. A packet must match all the filtering criteria for the actions specified for the rule to apply.

Data filtering mechanism

Data filtering takes effect after you apply a data filtering policy to a DPI application profile and use the DPI application profile in a security policy rule.

Upon receiving a packet of a protocol that data filtering supports, the device performs the following operations:

1.     Compares the packet with the security policy rules.

If the packet matches a rule that is associated with a data filtering policy (through a DPI application profile), the device extracts the application layer information from the packet.

For more information about security policies, see Security Configuration Guide.

2.     Determines the actions to take on the packet by comparing the extracted application layer information with the data filtering rules in the data filtering policy:

¡     If the packet does not match any data filtering rules in the policy, the device permits the packet to pass.

¡     If the packet matches only one rule, the device takes the actions specified for the rule.

¡     If the packet matches multiple rules, the device determines the actions as follows:

-     If the matching rules have both the permit and drop actions, the device takes the drop action.

-     If the logging action is specified for any of the matching rules, the device logs the packet.
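The following Python model of the matching logic described above is an added example; it is not part of the H3C guide or the device software. It encodes the semantics stated in this section and in "Configuring a data filtering policy": a packet matches a keyword group if it matches any pattern in the group, a rule applies only when the keyword group, application layer protocol, and direction all match, a packet that matches no rule is permitted, and when several rules match, drop wins over permit and the packet is logged if any matching rule has the logging action. Keyword groups kg1 and kg2 and rules r1 and r2 are taken from the configuration example at the end of this document; rule r3 and the sample payloads are constructed for illustration. The guide does not state whether text patterns are case sensitive, so the model assumes case-sensitive substring matching.

```python
import re
from dataclasses import dataclass, field

# Application layer protocols that data filtering inspects (from the guide).
SUPPORTED = {"http", "ftp", "smtp", "imap", "nfs", "pop3", "rtmp", "smb"}


@dataclass
class KeywordGroup:
    """A keyword group matches a payload if ANY of its patterns matches."""
    name: str
    patterns: list = field(default_factory=list)  # (kind, string); kind is "text" or "regex"

    def matches(self, payload: str) -> bool:
        for kind, string in self.patterns:
            # Text pattern: plain substring match (case sensitivity is an assumption).
            if kind == "text" and string in payload:
                return True
            # Regex pattern: unanchored search, i.e. "payload contains a match".
            if kind == "regex" and re.search(string, payload):
                return True
        return False


@dataclass
class Rule:
    """One data filtering rule; a packet must satisfy ALL criteria for the rule to apply."""
    name: str
    keyword_group: KeywordGroup
    applications: set          # {"all"} or a subset of SUPPORTED
    direction: str = "upload"  # device default
    action: str = "drop"       # device default
    logging: bool = False

    def matches(self, app: str, direction: str, payload: str) -> bool:
        if "all" not in self.applications and app not in self.applications:
            return False
        if self.direction != "both" and self.direction != direction:
            return False
        return self.keyword_group.matches(payload)


def evaluate(policy, app, direction, payload):
    """Return (action, logged, matching_rule_names) for one packet."""
    if app not in SUPPORTED:
        return ("permit", False, [])  # protocol is not inspected by data filtering
    hits = [r for r in policy if r.matches(app, direction, payload)]
    if not hits:
        return ("permit", False, [])  # no rule matched: the packet passes
    # Multiple matches: drop wins over permit; log if any matching rule logs.
    action = "drop" if any(r.action == "drop" for r in hits) else "permit"
    logged = any(r.logging for r in hits)
    return (action, logged, [r.name for r in hits])


# Keyword groups and policy p1 as configured in the example at the end of this guide.
KG1 = KeywordGroup("kg1", [("text", "uri"), ("regex", r"abc.*abc")])
KG2 = KeywordGroup("kg2", [("text", "www.abcd.com")])
P1 = [
    Rule("r1", KG1, {"http"}, direction="both", action="drop", logging=True),
    Rule("r2", KG2, {"ftp"}, direction="download", action="drop", logging=True),
]

# Constructed rule (not in the guide) that overlaps r1, to show multi-rule resolution.
R3 = Rule("r3", KG2, {"http"}, direction="both", action="permit", logging=True)
P1_EXTENDED = P1 + [R3]


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    samples = [
        (P1, "http", "upload", "GET /abc123abc.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        (P1, "ftp", "download", "see http://www.abcd.com/ for details"),
        (P1, "ftp", "upload", "see http://www.abcd.com/ for details"),
        (P1, "smtp", "upload", "Subject: uri abc..abc"),
        (P1_EXTENDED, "http", "upload", "POST /uri HTTP/1.1\r\nHost: www.abcd.com\r\n\r\n"),
        (P1_EXTENDED, "http", "upload", "GET / HTTP/1.1\r\nHost: www.abcd.com\r\n\r\n"),
    ]
    for policy, app, direction, payload in samples:
        print(app, direction, evaluate(policy, app, direction, payload))
```

Running the block shows why the FTP upload and the SMTP message pass even though they contain the keywords: r2 applies to download traffic only, and r1 applies to HTTP only. The two P1_EXTENDED cases show the multi-rule resolution: when r1 (drop) and r3 (permit) both match, the result is drop with logging; when only r3 matches, the packet is permitted but still logged.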

Data filtering tasks at a glance

To configure data filtering, perform the following tasks:

1.     Configuring a keyword group

2.     Configuring a data filtering policy

3.     Applying a data filtering policy to a DPI application profile

4.     (Optional.) Activating data filtering policy and rule settings

5.     Applying a DPI application profile to a security policy rule

Configuring a keyword group

About this task

A keyword group is a group of keyword match patterns. A keyword match pattern is a text or regular expression string that matches packets based on application layer data.

A packet matches a keyword group if it matches any keyword match pattern in the group.

Procedure

1.     Enter system view.

system-view

2.     Create a keyword group and enter its view.

data-filter keyword-group keywordgroup-name

3.     (Optional.) Configure a description for the keyword group.

description string

By default, a keyword group does not have a description.

4.     Configure keyword match patterns:

¡     Create a user-defined keyword match pattern.

pattern pattern-name { regex | text } pattern-string

By default, a keyword group does not contain any user-defined keyword match patterns.

¡     Enable a predefined keyword match pattern.

pre-defined-pattern name { bank-card-number | credit-card-number | id-card-number | phone-number }

By default, no predefined patterns are enabled in a keyword group.

Configuring a data filtering policy

About this task

A data filtering policy can contain a maximum of 32 data filtering rules. Each rule defines a set of filtering criteria and actions for matching packets. The filtering criteria include:

·     One keyword group.

·     One or more application layer protocols.

·     Traffic direction.

Restrictions and guidelines

Data filtering rules applied to the NFS protocol take effect only on NFSv3 traffic.

Data filtering rules applied to the SMB protocol take effect only on SMBv1 and SMBv2 traffic.

The logging keyword enables the data filtering module to log packet matching events and use one of the following methods to send log messages:

·     Fast log output—You must specify a log host to receive the log messages. Log messages are sent to the specified log host.

·     Syslog output—Log messages are sent to the information center. With the information center, you can set log message filtering and output rules, including output destinations. The information center can output data filtering syslogs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect. To view data filtering syslogs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default. For more information about the display logbuffer command, see information center commands in System Management Command Reference.

Syslog output might affect device performance. As a best practice, use fast log output. For more information about fast log output, see Network Management and Monitoring Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Create a data filtering policy and enter its view.

data-filter policy policy-name

3.     (Optional.) Configure a description for the data filtering policy.

description string

By default, a data filtering policy does not have a description.

4.     Create a data filtering rule and enter its view.

rule rule-name

5.     Specify a keyword group for the data filtering rule.

keyword-group keywordgroup-name

By default, a data filtering rule does not contain any keyword group.

6.     Specify the application layer protocols to which the data filtering rule applies.

application { all | type { ftp | http | imap | nfs | pop3 | rtmp | smb | smtp } * }

By default, no applicable application layer protocols are specified for a data filtering rule.

7.     Specify the traffic directions to which the data filtering rule applies.

direction { both | download | upload }

By default, a data filtering rule applies to upload traffic.

8.     Specify the actions to take on matching packets.

action { drop | permit } [ logging ]

The default action of a data filtering rule is drop.

Applying a data filtering policy to a DPI application profile

About this task

A data filtering policy must be applied to a DPI application profile to take effect.

A DPI application profile can use only one data filtering policy. If you apply different data filtering policies to the same DPI application profile, only the most recent configuration takes effect.

Procedure

1.     Enter system view.

system-view

2.     Enter DPI application profile view.

app-profile profile-name

For more information about this command, see DPI engine commands in DPI Command Reference.

3.     Apply a data filtering policy to the DPI application profile.

data-filter apply policy policy-name

By default, no data filtering policy is applied to the DPI application profile.

Activating data filtering policy and rule settings

About this task

By default, the system will detect whether another configuration change (such as creation, modification, or deletion) occurs within a 20-second interval after a change to the data filtering policy and rule settings:

·     If no configuration change occurs within the interval, the system will perform an activation operation at the end of the next 20-second interval to make the configuration take effect.

·     If a configuration change occurs within the interval, the system continues to periodically detect whether configuration changes occur within next 20-second intervals.

To activate the policy and rule configurations immediately, you can execute the inspect activate command.

For more information about configuration activation for DPI service modules, see "Configuring DPI engine."

Procedure

1.     Enter system view.

system-view

2.     Activate data filtering policy and rule settings.

inspect activate

By default, data filtering policy and rule settings will be activated automatically.

 

CAUTION:

This command can cause temporary outage for DPI services. Services based on the DPI services might also be interrupted. For example, security policies cannot control application access.

Applying a DPI application profile to a security policy rule

1.     Enter system view.

system-view

2.     Enter security policy view.

security-policy { ip | ipv6 }

3.     Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4.     Set the rule action to pass.

action pass

The default rule action is drop.

5.     Use a DPI application profile in the rule.

profile app-profile-name

By default, no DPI application profile is used in a security policy rule.

Data filtering configuration examples

Example: Using a data filtering policy in a security policy

Network configuration

As shown in Figure 1, the AC connects to the Internet.

Configure data filtering on the AC so the AC performs the following operations:

·     Blocks HTTP packets, in both directions, that contain the text string uri or a string matching the regular expression abc.*abc in the URI field or message body.

·     Blocks download FTP traffic that contains the http://www.abcd.com/ string. (The example configures the host name www.abcd.com as the text pattern, which matches that URL and any other payload containing the host name.)

·     Logs the blocked packets.

Figure 1 Network diagram

Procedure

1.     Configure interfaces on the AC:

# Create VLAN 100 and VLAN-interface 100, and assign an IP address to the VLAN interface. The AP uses this IP address as the AC address to establish CAPWAP tunnels with the AC.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 192.1.1.1 24

[AC-Vlan-interface100] quit

# Create VLAN 200 and VLAN-interface 200, and assign an IP address to the VLAN interface. The client will access the wireless network in this VLAN.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 192.2.1.1 24

[AC-Vlan-interface200] quit

# Set the link type of GigabitEthernet 1/0/1 (the port connected to the switch) to trunk, and allow traffic from VLAN 100 and VLAN 200 to pass through the port.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[AC-GigabitEthernet1/0/1] quit

2.     Configure a wireless service:

# Create service template 1 and enter service template view.

[AC] wlan service-template 1

# Set the SSID to service.

[AC-wlan-st-1] ssid service

# Configure the AC to forward client traffic.

[AC-wlan-st-1] client forwarding-location ac

# Assign the client to VLAN 200 after it comes online.

[AC-wlan-st-1] vlan 200

# Enable the service template.

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

3.     Configure the AP:

# Create a manual AP named ap1, and specify the AP model.

[AC] wlan ap ap1 model WA6320

# Set the serial ID to 219801A28N819CE0002T.

[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T

# Enter the view of radio 1 and bind service template 1 to the radio.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template 1

# Enable radio 1.

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

# Enter the view of radio 2 and bind service template 1 to the radio.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

# Enable radio 2.

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

4.     Configure an IP address object group named datafilter and specify subnet 192.2.1.0/24 for the object group.

[AC] object-group ip address datafilter

[AC-obj-grp-ip-datafilter] network subnet 192.2.1.0 24

[AC-obj-grp-ip-datafilter] quit

5.     Configure data filtering:

a.     Configure keyword groups:

# Create a keyword group named kg1 and create two keyword match patterns that match the uri text string and the abc.*abc regular expression string, respectively.

[AC] data-filter keyword-group kg1

[AC-data-filter-kgroup-kg1] pattern 1 text uri

[AC-data-filter-kgroup-kg1] pattern 2 regex abc.*abc

[AC-data-filter-kgroup-kg1] quit

# Create a keyword group named kg2 and create a keyword match pattern that matches the www.abcd.com text string. Because text patterns match as substrings, this pattern matches any payload that contains http://www.abcd.com/.

[AC] data-filter keyword-group kg2

[AC-data-filter-kgroup-kg2] pattern 1 text www.abcd.com

[AC-data-filter-kgroup-kg2] quit

b.     Configure a data filtering policy:

# Create a data filtering policy named p1 and enter data filtering policy view.

[AC] data-filter policy p1

# Create a data filtering rule named r1 and configure it to drop and log both upload and download HTTP traffic that matches keyword group kg1.

[AC-data-filter-policy-p1] rule r1

[AC-data-filter-policy-p1-rule-r1] keyword-group kg1

[AC-data-filter-policy-p1-rule-r1] application type http

[AC-data-filter-policy-p1-rule-r1] direction both

[AC-data-filter-policy-p1-rule-r1] action drop logging

[AC-data-filter-policy-p1-rule-r1] quit

# Create a data filtering rule named r2 and configure it to drop and log download FTP traffic that matches keyword group kg2.

[AC-data-filter-policy-p1] rule r2

[AC-data-filter-policy-p1-rule-r2] keyword-group kg2

[AC-data-filter-policy-p1-rule-r2] application type ftp

[AC-data-filter-policy-p1-rule-r2] direction download

[AC-data-filter-policy-p1-rule-r2] action drop logging

[AC-data-filter-policy-p1-rule-r2] quit

[AC-data-filter-policy-p1] quit

6.     Configure a DPI application profile and activate the data filtering policy and rule settings:

# Create a DPI application profile named profile1 and apply data filtering policy p1 to the DPI application profile.

[AC] app-profile profile1

[AC-app-profile-profile1] data-filter apply policy p1

[AC-app-profile-profile1] quit

# Activate the data filtering policy and rule settings.

[AC] inspect activate

7.     Configure a security policy:

# Enter IPv4 security policy view.

[AC] security-policy ip

# Create a security policy rule named inspect1. Configure the rule to permit packets from IP addresses in IP address object group datafilter and use DPI application profile profile1 in the rule.

[AC-security-policy-ip] rule name inspect1

[AC-security-policy-ip-14-inspect1] source-ip datafilter

[AC-security-policy-ip-14-inspect1] action pass

[AC-security-policy-ip-14-inspect1] profile profile1

[AC-security-policy-ip-14-inspect1] quit

# Enable rule matching acceleration.

[AC-security-policy-ip] accelerate enhanced enable

[AC-security-policy-ip] quit

Verifying the configuration

# Verify that the AC blocks and logs HTTP packets and FTP packets that meet the specified criteria. (Details not shown.)
