Login
- Table of Contents
-
- 16-Security Command Reference
- 00-Preface
- 01-ACL commands
- 02-Packet filter commands
- 03-Time range commands
- 04-User profile commands
- 05-Password control commands
- 06-Keychain commands
- 07-Public key management commands
- 08-PKI commands
- 09-IPsec commands
- 10-IKE commands
- 11-IKEv2 commands
- 12-SSH commands
- 13-SSL commands
- 14-SSL VPN commands
- 15-Session management commands
- 16-Connection limit commands
- 17-Attack detection and prevention commands
- 18-IP-based attack prevention commands
- 19-IP source guard commands
- 20-ARP attack protection commands
- 21-ND attack defense commands
- 22-Protocol packet rate limit commands
- 23-Object group commands
- 24-Security policy commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 24-Security policy commands | 216.69 KB |
Contents
description (security policy rule view)
description (security policy view)
display security-policy statistics
reset security-policy statistics
Security policy commands
accelerate enhanced enable
Use accelerate enhanced enable to manually activate rule matching acceleration.
Syntax
accelerate enhanced enable
Views
IPv4 security policy view
IPv6 security policy view
Predefined user roles
network-admin
Usage guidelines
Rule matching acceleration enhances connection establishment and packet forwarding performance, especially for a device using multiple rules to match packets from multiple users.
Rule matching acceleration does not take effect on newly added, modified, and moved rules unless the feature is activated for the rules. By default, the system automatically activates rule matching acceleration for such rules at specific intervals. The interval is 2 seconds if 100 or fewer rules exist and 20 seconds if over 100 rules exist.
To activate rule matching acceleration immediately after a rule change, you can execute this command.
If no rule change is detected, the system does not perform an activation operation.
Insufficient memory can cause rule matching acceleration failures. Unaccelerated rules do not take effect, and rules that have been accelerated are not affected.
Examples
# Activate rule matching acceleration.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] accelerate enhanced enable
action
Use action to set the action for a security policy rule.
Use undo action to restore the default.
Syntax
action { drop | pass }
undo action pass
Default
The action for a security policy rule is drop.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
drop: Discards matched packets.
pass: Allows matched packets to pass.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the action for security policy rule rule1 to drop.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] action drop
Related commands
display security-policy
app-group
Use app-group to specify an application group as a filtering criterion of a security policy rule.
Use undo app-group to remove the specified application group filtering criterion from a security policy rule.
Syntax
app-group app-group-name
undo app-group [ app-group-name ]
Default
No application group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
app-group-name: Specifies the name of an application policy, a case-insensitive string of 1 to 63 characters. The name cannot be invalid or other. If you do not specify this argument when executing the undo app-group command, the command removes all application groups from the rule. For more information about application groups, see APR in DPI Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple application groups as the filtering criteria.
Examples
# Specify application groups app1 and app2 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] app-group app1
[Sysname-security-policy-ip-0-rule1] app-group app2
Related commands
app-group
display security-policy
application
Use application to specify an application as a filtering criterion of a security policy rule.
Use undo application to remove the specified application filtering criterion from a security policy rule.
Syntax
application application-name
undo application [ application-name ]
Default
No application is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
application-name: Specifies the name of an application, a case-insensitive string of 1 to 63 characters. The name cannot be invalid or other. If you do not specify this argument when executing the undo application command, the command removes all applications from the rule. For more information about applications, see APR in DPI Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple applications as the filtering criteria.
For the application filtering criteria to be identified, you must permit the packets of the protocols on which the applications depend to pass through. If port-based packet filtering is configured and a dependent protocol uses a non-default port, you must permit the packets from the port to pass.
Examples
# Specify applications 139Mail and 51job as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] application 139Mail
[Sysname-security-policy-ip-0-rule1] application 51job
Related commands
display security-policy
nbar application
port-mapping
counting enable
Use counting enable to enable statistics collection for matched packets.
Use undo counting enable to disable statistics collection for matched packets.
Syntax
counting enable
undo counting enable
Default
Statistics collection for matched packets is disabled.
Views
Security policy rule view
Predefined user roles
network-admin
Usage guidelines
This feature enables the device to collect statistics about matched packets. The collected statistics can be viewed by executing the display security-policy statistics command.
Examples
# Enable matched packet statistics collection for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] counting enable
Related commands
display security-policy
display security-policy statistics
default rule action
Use default rule action to configure the action of the default security policy rule.
Syntax
default rule action { drop | pass }
Default
The action for the default security policy rule is drop.
Views
Security policy view
Predefined user roles
network-admin
Parameters
drop: Discards matched packets.
pass: Allows matched packets to pass.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the action for the default security policy rule to drop.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] default rule action drop
default rule counting enable
Use default rule counting enable to enable statistics collection for the default security policy rule.
Use undo default rule counting enable to disable statistics collection for the default security policy rule.
Syntax
default rule counting enable
undo default rule counting enable
Default
Statistics collection is disabled for the default security policy rule.
Views
Security policy view
Predefined user roles
network-admin
Usage guidelines
This feature enables the device to collect statistics about packets matching the default security policy rule. To view the collected statistics, execute the display security-policy statistics command.
Examples
# Enable matched packet statistics collection for the default security policy rule.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] default rule counting enable
default rule logging enable
Use default rule logging enable to enable logging for the default security policy rule.
Use undo default rule logging enable to disable logging for the default security policy rule.
Syntax
default rule logging enable
undo default rule logging enable
Default
Logging for is disabled for the default security policy rule.
Views
Security policy view
Predefined user roles
network-admin
Usage guidelines
This feature enables the security policy module to generate log messages for packet matching events of the default security policy rule and send the messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output packet matching logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view packet matching logs stored on the device, use the display logbuffer command or open the security policy log page from the Web interface of the device. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see System Management Configuration Guide.
Examples
# Enable matched packet logging for the default security policy rule.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] default rule logging enable
description (security policy rule view)
Use description to configure a description for a security policy rule.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure the description as This rule is used for source-ip ip1 for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] description This rule is used for source-ip ip1
Related commands
display object-policy ip
display object-policy ipv6
description (security policy view)
Use description to configure a description for the IPv4 or IPv6 security policy.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for the IPv4 or IPv6 security policy.
Views
IPv4 security policy view
IPv6 security policy view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure the description as zone-pair security office to library for the IPv4 security policy.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] description zone-pair security office to library
Related commands
display security-policy
destination-ip
Use destination-ip to specify a destination IP address object group as a filtering criterion of a security policy rule.
Use undo destination-ip to remove the specified destination IP address object group from a security policy rule.
Syntax
destination-ip object-group-name
undo destination-ip [ object-group-name ]
Default
No destination IP address object group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
object-group-name: Specifies the name of a destination IP address object group, a case-insensitive string of 1 to 31 characters. The name cannot be any. If you do not specify this argument when executing the undo destination-ip command, the command removes all destination IP address object groups from the rule. For more information about object groups, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple destination IP address object groups as the filtering criteria.
If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.
Examples
# Specify destination IP address object groups client1 and client2 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] destination-ip client1
[Sysname-security-policy-ip-0-rule1] destination-ip client2
Related commands
display security-policy
object-group
disable
Use disable to disable a security policy rule.
Use undo disable to enable a security policy rule.
Syntax
disable
undo disable
Default
A security policy rule is disabled.
Views
Security policy rule view
Predefined user roles
network-admin
Examples
# Disable security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] disable
Related commands
display security-policy
display security-policy
Use display security-policy to display information about the specified security policy.
Syntax
display security-policy { ip | ipv6 }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip: Specifies the IPv4 security policy.
ipv6: Specifies the IPv6 security policy.
Examples
# Display information about the IPv4 security policy.
<Sysname> display security-policy ip
Security-policy ip
rule 0 name der (Inactive)
action pass
profile er
vrf re
logging enable
counting enable
counting enable TTL 1200
time-range dere
track positive 23
session aging-time 5000
session persistent aging-time 2400
source-ip erer
destination-ip client1
service ftp
app-group ere
application 110Wang
user der
user-group ere
undo disable
Table 1 Command output
|
Field |
Description |
|
Rule ID and rule name. |
|
|
action pass |
Rule action: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
|
profile app-profile-name |
DPI application profile applied to the rule. |
|
vrf vrf-name |
This field is not supported in the current software version. MPLS L3VPN instance whose packets can be filtered by the rule. |
|
logging enable |
Indicates that logging for matched packets is enabled. |
|
counting enable |
Indicates that statistics collection for matched packets is enabled. |
|
counting enable TTL time-value |
Indicates that statistics collection for matched packets is enabled. The time-value argument represents the remaining enabling period in seconds. |
|
time-range time-range-name |
Time range during which the rule is in effect. |
|
track negative 1 (Active) |
Track entry and track entry state associated with the security policy rule. |
|
session aging-time time-value |
Session aging time. |
|
session persistent aging-time time-value |
Persistent session aging time. |
|
source-ip object-group-name |
Source IP address object group that acts as a filtering criterion. |
|
destination-ip object-group-name |
Destination IP address object group that acts as a filtering criterion. |
|
service object-group-name |
Service object group that acts as a filtering criterion. |
|
app-group app-group-name |
Application group that acts as a filtering criterion. |
|
application application-name |
Application that acts as a filtering criterion. |
|
user user-name |
User that acts as a filtering criterion. |
|
user-group user-group-name |
User group that acts as a filtering criterion. |
|
undo disable |
The rule is enabled. |
Related commands
security-policy ip
security-policy ipv6
display security-policy statistics
Use display security-policy statistics to display security policy statistics.
Syntax
display security-policy statistics { ip | ipv6 } [ rule rule-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip: Specifies the IPv4 security policy.
ipv6: Specifies the IPv6 security policy.
rule rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters. If you do not specify this option, the command displays statistics about all security policy rules of the specified IP version.
Examples
# Display statistics about IPv4 security policy rule abc.
<Sysname> display security-policy statistics ip rule abc
rule 0 name abc
action: pass (5 packets, 1000 bytes)
Table 2 Command output
|
Field |
Description |
|
rule id name rule-name |
Rule ID and rule name. |
|
action |
Rule action: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
|
x packets, y bytes |
The rule has matched x packets, a total of y bytes. This field is displayed only if the counting enable or the logging enable command has been executed for the rule. |
Related commands
reset security-policy statistics
group move
Use group move to move a security policy rule group to change the match order of security policy rules.
Syntax
group move group-name1 { after | before } { group group-name2 | rule rule-name }
Views
Security policy view
Predefined user roles
network-admin
Parameters
group-name1: Specifies the name of the security policy rule group to be moved, a case-insensitive string of 1 to 63 characters.
after: Moves the security policy rule group to the place after the target security policy rule group or the target security policy rule.
before: Moves the security policy rule group to the place before the target security policy rule group or the target security policy rule.
group group-name2: Specifies the name of the target security policy rule group, a case-insensitive string of 1 to 63 characters.
rule rule-name: Specifies the name of the target security policy rule, a case-insensitive string of 1 to 127 characters.
Usage guidelines
If you specify a target security policy rule that belongs to a security policy rule group, follow these restrictions and guidelines:
· If the target rule is neither the start nor end rule of the group, you cannot move a security policy rule group to the place before or after the rule.
· If the target rule is the start rule of the group, you can only move a security policy rule group to the place before the rule.
· If the target rule is the end rule of the group, you can only move a security policy rule group to the place after the rule.
Examples
# Move security policy rule group group1 to the place before security policy rule group group2.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] group move group1 before group group2
group name
Use group name to create a security policy rule group and add security policy rules to the group, or add security policy rules to an existing security policy rule group.
Use undo group name to delete a security policy rule group.
Syntax
group name group-name [ from rule-name1 to rule-name2 ] [ description description-text ] [ disable | enable ]
undo group name group-name [ description | include-member ]
Default
No security policy rule group exists.
Views
Security policy view
Predefined user roles
network-admin
Parameters
group-name: Specifies a security policy rule group name, a case-insensitive string of 1 to 63 characters.
from rule-name1: Specifies the start rule of a rule list. The rule-name1 argument represents the security policy rule name, a case-insensitive string of 1 to 127 characters.
to rule-name2: Specifies the end rule of the rule list. The rule-name2 argument represents the security policy rule name, a case-insensitive string of 1 to 127 characters.
description description-text: Specifies the security policy description, a case-sensitive string of 1 to 127 characters. By default, no description is specified for a security policy rule group.
disable: Disables the security policy rule group.
enable: Enables the security policy rule group. By default, a security policy rule group is enabled.
include-member: Specifies security policy rules in the security policy rule group.
Usage guidelines
Security policy rule grouping allows users to enable, disable, delete, and move security policy rules in batches.
A security policy rule in a security policy rule group takes effect only when both the rule and the group are enabled.
To add a list of security policy rules, make sure the end rule is listed behind the start rule and the specified rules do not belong to any other security policy rule group.
When you execute the undo command, follow these restrictions and guidelines:
· The undo group name group-name command deletes only the specified security policy rule group.
· The undo group name group-name description command deletes only the description for the specified security policy rule group.
· The undo group name group-name include-member command deletes both the specified security policy rule group and all the security policy rules in the group.
Examples
# Create security policy rule group group1, add security policy rules rule-name1 through rule-name10 to the group, and specify the group description as marketing.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] group name group1 from rule-name1 to rule-name10 enable description marketing
group rename
Use group rename to rename a security policy rule group.
Syntax
group rename old-name new-name
Views
Security policy view
Predefined user roles
network-admin
Parameters
old-name: Specifies the name of a security policy rule group, a case-insensitive string of 1 to 63 characters.
new-name: Specifies a new name for the security policy rule group, a case-insensitive string of 1 to 63 characters.
Examples
# Rename security policy rule group group1 to group2.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] group rename group1 group2
logging enable
Use logging enable to enable logging for matched packets.
Use undo logging enable to disable logging for matched packets.
Syntax
logging enable
undo logging enable
Default
Logging for matched packets is disabled.
Views
Security policy rule view
Predefined user roles
network-admin
Usage guidelines
This feature enables the security policy module to send log messages to the information center when packets match a security policy.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output packet matching logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view packet matching logs stored on the device, use the display logbuffer command or open the security policy log page from the Web interface of the device. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see System Management Configuration Guide.
Examples
# Enable matched packet logging for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] logging enable
Related commands
display security-policy
move rule
Use move rule to move a security policy rule by rule ID.
Syntax
move rule rule-id before insert-rule-id
Views
IPv4 security policy view
IPv6 security policy view
Predefined user roles
network-admin
Parameters
rule-id: Specifies the ID of a rule, in the range of 0 to 65534.
insert-rule-id: Specifies the ID of the target rule before which a rule is inserted. The target rule ID is in the range of 0 to 65535. If you specify 65535 as the target rule ID, the rule is moved to the end of the list.
Usage guidelines
The system does not execute the command in the following situations:
· You specify the same value for the rule-id and insert-rule-id arguments.
· You specify a nonexistent rule.
Examples
# Insert rule 5 before rule 2 for the IPv4 security policy.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] move rule 5 before 2
Related commands
rule
security-policy ip
security-policy ipv6
move rule name
Use move rule name to move a security policy rule by rule name.
Syntax
move rule name rule-name1 { { after | before } name rule-name2 | bottom | down | top | up }
Views
Security policy view
Predefined user roles
network-admin
Parameters
rule-name1: Specifies the name of the rule to move, a case-insensitive string of 1 to 127 characters.
after: Move the rule to the place after the destination rule.
before: Move the rule to the place before the destination rule.
name rule-name2: Specify the name of the destination rule, a case-insensitive string of 1 to 127 characters.
bottom: Move the rule to the end of the security policy.
down: Move the rule down one place.
top: Move the rule to the beginning of the security policy.
up: Move the rule up one place.
Usage guidelines
You can move a rule to change its packet matching priority.
Examples
# Move rule rule1 to the place before rule rule2.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] move rule name rule1 before name rule2
Related commands
rule
security-policy ip
security-policy ipv6
parent-group
Use parent-group to specify a security policy rule group for a security policy rule.
Use undo parent-group to restore the default.
Syntax
parent-group group-name
undo parent-group
Default
A security policy rule does not belong to any security policy rule group.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
group-name: Specifies the name of a security policy rule group, a case-insensitive string of 1 to 63 characters.
Examples
# Assign security policy rule rule1 to security policy rule group group1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 1 name rule1
[Sysname-security-policy-ip-1-rule1] parent-group group1
profile
Use profile to apply a DPI application profile to a security policy rule.
Use undo profile to remove the DPI application profile applied to a security policy rule.
Syntax
profile app-profile-name
undo profile
Default
No DPI application profile is applied to a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
app-profile-name: Specifies the name of a DPI application profile, a case-insensitive string of 1 to 63 characters. For more information about DPI application profiles, see DPI engine in DPI Configuration Guide.
Usage guidelines
This feature enables the device to perform DPI on packets matching the specified rule. For more information about DPI, see DPI Configuration Guide.
This feature takes effect only when the rule action is pass.
Examples
# Apply DPI application profile p1 to IPv4 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] action pass
[Sysname-security-policy-ip-0-rule1] profile p1
Related commands
action pass
app-profile (DPI Command Reference)
display security-policy ip
reset security-policy statistics
Use reset security-policy statistics to clear security policy statistics.
Syntax
reset security-policy statistics [ ip | ipv6 ] [ rule rule-name ]
Views
Any view
Predefined user roles
network-admin
Parameters
ip: Specifies the IPv4 security policy.
ipv6: Specifies the IPv6 security policy.
rule rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters.
Usage guidelines
If you do not specify any keyword or option, the command clears all security policy statistics.
Examples
# Clear the security policy statistics about IPv4 security policy rule abc.
<Sysname> reset security-policy statistics ip rule abc
Related commands
display security-policy statistics
rule
Use rule to create a security policy rule and enter its view, or enter the view of an existing security policy rule.
Use undo rule to delete the specified security policy rule.
Syntax
rule { rule-id | [ rule-id ] name rule-name }
undo rule { rule-id | name rule-name } *
Default
No security policy rules exist.
Views
IPv4 security policy view
IPv6 security policy view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify an ID for the rule, the system automatically assigns the rule the integer next to the greatest ID being used. If the greatest ID is 65534, the system assigns the rule the smallest unused number in the range.
rule-name: Specifies a globally unique rule name, a case-insensitive string of 1 to 127 characters. The name cannot be default. You must specify a rule name when creating a rule.
Examples
# Create an IPv4 security policy rule with rule ID 0 and rule name rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1]
Related commands
display security-policy ip
display security-policy ipv6
security-policy
Use security-policy to enter security policy view.
Use undo security-policy to delete all configurations in security policy view.
Syntax
security-policy { ip | ipv6 }
undo security-policy { ip | ipv6 }
Default
No configurations exist in security policy view.
Views
System view
Predefined user roles
network-admin
Parameters
ip: Specifies the IPv4 security policy.
ipv6: Specifies the IPv6 security policy.
Examples
# Enter IPv4 security policy view.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip]
Related commands
display security-policy
security-policy log real-time-sending enable
Use security-policy log real-time-sending enable to enable real-time sending for security policy log messages.
Use undo security-policy log real-time-sending enable to disable real-time sending for security policy log messages.
Syntax
security-policy log real-time-sending enable
undo security-policy log real-time-sending enable
Default
The buffering mode is used to generate and send security policy log messages.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The device can send security policy log messages in the following ways:
· Buffering mode—After the device generates and sends the log message for the first packet of a flow, it buffers that log message and starts a 5-second timer, which is not configurable. If other packets of the same flow match are received before the timer expires, the buffered log message is sent. Otherwise, the buffered log message is deleted. After the number of log messages reaches the limit, no log messages can be generated for subsequent flows.
· Real-time mode—The device generates and sends a log message for the first packet of a flow but does not buffer it. For packets of a flow permitted by a security policy, the device generates and sends only one log message. For packets of a flow denied by a security policy, the device generates and sends one log message for each packet.
Examples
# Enable real-time sending for security policy log messages.
<Sysname>system-view
[Sysname] security-policy log real-time-sending enable
Related commands
logging enable
service
Use service to specify a service object group as a filtering criterion of a security policy rule.
Use undo service to remove the specified service object group from a security policy rule.
Syntax
service { object-group-name | any }
undo service [ object-group-name | any ]
Default
No service object group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
object-group-name: Specifies the name of a service object group, a case-insensitive string of 1 to 31 characters.
any: Specifies all service object groups.
Usage guidelines
You can execute the command multiple times to specify multiple service object groups as the filtering criteria.
If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.
If you specify neither an object group nor the any keyword when executing the undo service command, the command removes all service object groups from the security policy rule.
Examples
# Specify service object groups http and ftp as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] service http
[Sysname-security-policy-ip-0-rule1] service ftp
Related commands
display security-policy
object-group
session aging-time
Use session aging-time to set the session aging time for a security policy rule.
Use undo session aging-time to restore the default.
Syntax
session aging-time time-value
undo session aging-time
Default
The session aging time is not configured for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
time-value: Specifies the aging time in the range of 1 to 2000000 seconds.
Usage guidelines
This command sets the aging time for stable sessions created for packets matching the specified security policy rule, and takes effect only on newly created sessions.
If the aging time is not configured for a rule, the stable sessions use the aging time set by using the session aging-time application or the session aging-time state command. For more information about session management, see Security Configuration Guide.
The session aging time for unstable sessions is one hour.
Examples
# Set the session aging time to 5000 seconds for security policy rule rule1.
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] action pass
[Sysname-security-policy-ip-0-rule1] session aging-time 5000
Related commands
session aging-time application
session aging-time state
session persistent acl
session persistent aging-time
Use session persistent aging-time to set the aging time for persistent sessions.
Use undo session persistent aging-time to restore the default.
Syntax
session persistent aging-time time-value
undo session persistent aging-time
Default
The persistent session aging time is not configured for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
time-value: Specifies the aging time in the range of 0 to 24000 hours. If you set the aging time to 0, persistent sessions do not age out.
Usage guidelines
This command is effective only on TCP sessions in ESTABLISHED state.
It sets the aging time for persistent sessions created for packets matching the specified security policy rule, and takes effect only on newly created sessions.
The aging time configured by using this command takes precedence over the aging times configured by using the session aging-time and session persistent acl commands.
Examples
# Set the persistent session aging time to one hour for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] action pass
[Sysname-security-policy-ip-0-rule1] session persistent aging-time 1
Related commands
display security-policy
session persistent acl
source-ip
Use source-ip to specify a source IP address object group as a filtering criterion of a security policy rule.
Use undo source-ip to remove the specified source IP address object group from a security policy rule.
Syntax
source-ip object-group-name
undo source-ip [ object-group-name ]
Default
No source IP address object group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
object-group-name: Specifies the name of a source IP address object group, a case-insensitive string of 1 to 31 characters. The name cannot be any. If you do not specify this argument when executing the undo source-ip command, the command removes all source IP address object groups from the rule. For more information about object groups, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple source IP address object groups as the filtering criteria.
If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.
Examples
# Specify source IP address object groups server1 and server2 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-ip server1
[Sysname-security-policy-ip-0-rule1] source-ip server2
Related commands
display security-policy
object-group
source-mac
Use source-mac to specify a source MAC address object group as a filtering criterion of a security policy rule.
Use undo source-mac to remove the specified source MAC address object group from a security policy rule.
Syntax
source-mac object-group-name
undo source-mac [ object-group-name ]
Default
No source MAC address object group is specified as a filtering criterion for a security policy rule.
Views
IPv4 security policy rule view
Predefined user roles
network-admin
Parameters
object-group-name: Specifies the name of a source MAC address object group, a case-insensitive string of 1 to 31 characters. The name cannot be any. If you do not specify this argument when executing the undo source-mac command, the command removes all source MAC address object groups from the rule. For more information about MAC address object groups, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple source MAC address object groups as the filtering criteria.
If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.
Examples
# Specify source MAC address object groups mac1 and mac2 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-mac mac1
[Sysname-security-policy-ip-0-rule1] source-mac mac2
Related commands
display security-policy
object-group
time-range
Use time-range to specify the time range during which a security policy rule is in effect.
Use undo time-range to restore the default.
Syntax
time-range time-range-name
undo time-range
Default
A security policy rule is in effect at any time.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
time-range-name: Specifies the name of a time range, a case-insensitive string of 1 to 32 characters. For more information about time ranges, see "Configuring time ranges."
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable security policy rule rule1 to be in effect during time range work.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] time-range work
Related commands
display security-policy
track
Use track to associate a security policy rule with a track entry.
Use undo track to disassociate a security policy rule from the track entry.
Syntax
track { negative | positive } track-entry-number
undo track
Default
No track entry is associated with a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
negative: Specifies the Negative state of a track entry.
positive: Specifies the Positive state of a track entry.
track-entry-number: Specifies the number of a track entry, in the range of 1 to 1024. For more information about Track, see High Availability Configuration Guide.
Usage guidelines
Use this command to enable the collaboration between the track module and a security policy rule. The collaboration operates as follows:
· If a rule is associated with the Negative state of a track entry, the device:
¡ Sets the rule state to Active if the track entry is in Negative state.
¡ Sets the rule state to Inactive if the track entry is in Positive state.
· If a rule is associated with the Positive state of a track entry, the device:
¡ Sets the rule state to Active if the track entry is in Positive state.
¡ Sets the rule state to Inactive if the track entry is in Negative state.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Associate security policy rule rule1 with the Positive state of track entry 10.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] track positive 10
Related commands
display security-policy
track bfd (High Availability Command Reference)
track interface (High Availability Command Reference)
track ip route reachability (High Availability Command Reference)
track nqa (High Availability Command Reference)
user
Use user to specify a user as a filtering criterion of a security policy rule.
Use undo user to remove the specified user filtering criterion from a security policy rule.
Syntax
user username [ domain domain-name ]
undo user [ username [ domain domain-name ] ]
Default
No user is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
username: Specifies a username, a case-sensitive string of 1 to 55 characters. The name cannot be a, al, or all and cannot contain at signs (@). If you do not specify this argument when executing the undo user command, the command removes all users from the rule. For more information about users and identity domains, see user identification in User Access and Authentication Configuration Guide.
domain domain-name: Matches the user in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The string cannot contain forward slashes (/), backslashes (\), vertical bars (|), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@). If you do not specify this option, the command matches the user among users that do not belong to any identity domain.
Usage guidelines
You can execute the command multiple times to specify multiple users as the filtering criteria.
Examples
# Specify users usera and userb in identity domain test as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] user usera domain test
[Sysname-security-policy-ip-0-rule1] user userb domain test
Related commands
display security-policy
user-identity enable (User Access and Authentication Command Reference)
user-identity static-user (User Access and Authentication Command Reference)
user-group
Use user-group to specify a user group as a filtering criterion of a security policy rule.
Use undo user-group to remove the specified user group filtering criterion from a security policy rule.
Syntax
user-group user-group-name [ domain domain-name ]
undo user-group [ user-group-name [ domain domain-name ] ]
Default
No user group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
user-group-name: Specifies the name of a user group, a case-insensitive string of 1 to 200 characters. If you do not specify this argument when executing the undo user-group command, the command removes all user groups from the rule. For more information about user groups and identity domains, see user identification in User Access and Authentication Configuration Guide.
domain domain-name: Matches the user group in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The string cannot contain forward slashes (/), backslashes (\), vertical bars (|), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@). If you do not specify this option, the command matches the user group among user groups that do not belong to any identity domain.
Usage guidelines
You can execute the command multiple times to specify multiple user groups as the filtering criteria.
Examples
# Specify user groups groupa and groupb in identity domain test as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] user-group groupa domain test
[Sysname-security-policy-ip-0-rule1] user-group groupb domain test
Related commands
display security-policy
user-group (User Access and Authentication Command Reference)
