Application audit and management commands
This feature parses personal information from user packets and must be used for legitimate purposes.
application
Use application to configure an application or application group as a match criterion for an application audit and management policy.
Use undo application to delete an application or application group match criterion from an application audit and management policy.
Syntax
application { app application-name | app-group application-group-name }
undo application { app application-name | app-group application-group-name }
Default
No application or application group is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
Parameters
app application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters.
app-group application-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can configure this command only in an audit-free policy or deny policy.
You can configure this command multiple times to specify multiple applications or application groups.
Examples
# Specify applications app1 and app2 and application groups group1 and group2 for policy mypolicy2 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy2 deny
[Sysname-uapp-control-policy-mypolicy2] application app app1
[Sysname-uapp-control-policy-mypolicy2] application app app2
[Sysname-uapp-control-policy-mypolicy2] application app-group group1
[Sysname-uapp-control-policy-mypolicy2] application app-group group2
Related commands
app-group (DPI Command Reference)
nbar application (DPI Command Reference)
port-mapping (DPI Command Reference)
description
Use description to set a description for a keyword group.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description exists for a keyword group.
Views
Keyword group view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 255 characters.
Examples
# Set the description to account limit for keyword group mykeywordgroup.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] keyword-group name mykeywordgroup
[Sysname-uapp-control-keyword-group-mykeywordgroup] description account limit
destination-address
Use destination-address to configure a destination IP address object group as a match criterion for an application audit and management policy.
Use undo destination-address to remove a destination IP address object group as a match criterion from an application audit and management policy.
Syntax
destination-address { ipv4 | ipv6 } object-group-name
undo destination-address { ipv4 | ipv6 } object-group-name
Default
No destination IP address object group is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
Parameters
ipv4: Specifies an IPv4 address object group.
ipv6: Specifies an IPv6 address object group.
object-group-name: Specifies an existing address object group by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can configure this command multiple times to specify multiple IPv4 or IPv6 address object groups.
Examples
# Specify IPv4 address object groups obgroup3 and obgroup4 for policy mypolicy1 to match destination IPv4 addresses of packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] destination-address ipv4 obgroup3
[Sysname-uapp-control-policy-mypolicy1] destination-address ipv4 obgroup4
Related commands
object-group (Security Command Reference)
disable
Use disable to disable an application audit and management policy.
Use undo disable to enable an application audit and management policy.
Syntax
disable
undo disable
Default
An application audit and management policy is enabled.
Views
Application audit and management policy view
Predefined user roles
network-admin
Usage guidelines
If an application audit and management policy is not used, use this command to disable it. A disabled policy does not participate in traffic matching. You can copy, rename, and move a disabled policy.
Examples
# Disable application audit and management policy mypolicy1.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1
[Sysname-uapp-control-policy-mypolicy1] disable
keyword
Use keyword to add a keyword to a keyword group.
Use undo keyword to delete a keyword from a keyword group.
Syntax
keyword keyword-value
undo keyword keyword-value
Default
No keywords exist in a keyword group.
Views
Keyword group view
Predefined user roles
network-admin
Parameters
keyword-value: Specifies a keyword, a case-sensitive string of 1 to 63 characters.
Examples
# Add keyword keywordname to keyword group mykeywordgroup.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] keyword-group name mykeywordgroup
[Sysname-uapp-control-keyword-group-mykeywordgroup] keyword keywordname
keyword-group name
Use keyword-group name to create a keyword group and enter its view, or enter the view of an existing keyword group.
Use undo keyword-group name to delete a keyword group.
Syntax
keyword-group name keyword-group-name
undo keyword-group name keyword-group-name
Default
No keyword groups exist.
Views
Application audit and management view
Predefined user roles
network-admin
Parameters
keyword-group-name: Specifies a keyword group by its name, a case-insensitive string of 1 to 63 characters.
Examples
# Create a keyword group named mykeywordgroup and enter its view.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] keyword-group name mykeywordgroup
[Sysname-uapp-control-keyword-group-mykeywordgroup]
policy copy
Use policy copy to copy an application audit and management policy.
Syntax
policy copy policy-name new-policy-name
Default
No application audit and management policies exist.
Views
Application audit and management view
Predefined user roles
network-admin
Parameters
policy-name: Specifies an application audit and management policy to be copied by its name, a case-insensitive string of 1 to 63 characters.
new-policy-name: Specifies a name for the new application audit and management policy, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If an application audit and management policy to be created is similar to an existing policy, create the policy by copying the existing policy and then modify it.
Examples
# Create an application audit and management policy named policy2 by copying policy policy1.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy copy policy1 policy2
policy default-action
Use policy default-action to configure the default action for application audit and management policies.
Syntax
policy default-action { deny | permit }
Default
The default action for application audit and management policies is permit.
Views
Application audit and management view
Predefined user roles
network-admin
Parameters
deny: Drops packets.
permit: Allows packets to pass.
Usage guidelines
If a packet does not match any application audit and management policy, the device applies the default action to the packet.
Examples
# Configure the default action as deny for application audit and management policies.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy default-action deny
policy move
Use policy move to move an application audit and management policy to a new position.
Syntax
policy move policy-name1 { after | before } policy-name2
Views
Application audit and management view
Predefined user roles
network-admin
Parameters
policy-name1: Specifies an application audit and management policy to be moved by its name, a case-insensitive string of 1 to 63 characters.
after: Moves the specified policy to the position after a target policy.
before: Moves the specified policy to the position before a target policy.
policy-name2: Specifies the target policy by its name, a case-insensitive string of 1 to 63 characters.
Examples
# Create two application audit and management policies named policy1 and policy2, and move policy1 to the position after policy2.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name policy1 audit
[Sysname-uapp-control-policy-policy1] quit
[Sysname-uapp-control] policy name policy2 audit
[Sysname-uapp-control-policy-policy2] quit
[Sysname-uapp-control] policy move policy1 after policy2
policy name
Use policy name to create an application audit and management policy and enter its view, or enter the view of an existing policy.
Use undo policy name to delete an application audit and management policy.
Syntax
policy name policy-name [ audit | deny | noaudit ]
undo policy name policy-name
Default
No application audit and management policies exist.
Views
Application audit and management view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a name for the application audit and management policy, a case-insensitive string of 1 to 63 characters. The name must be globally unique.
audit: Creates an audit policy.
deny: Creates a deny policy.
noaudit: Creates an audit-free policy.
Usage guidelines
You must specify the policy type when creating a policy. Application audit and management policies have the following types:
· Audit policy—Audits packets that meet match criteria in the policy.
· Audit-free policy—Does not audit packets that meet match criteria in the policy.
· Deny policy—Drops packets that meet match criteria in the policy.
The application command can be configured only in an audit-free policy or deny policy.
The following commands can be configured only in an audit policy:
· rule.
· rule default-action.
· rule match-method.
Examples
# Create an application audit and management policy named mypolicy1 and enter its view.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1]
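The policy tier described by policy name, policy move, policy default-action and disable is easiest to reason about as an ordered list: the position of a policy decides which of several matching policies wins, and a deny policy placed after an audit-free policy that also matches the traffic never fires. The following Python model is an added example for this reference and is not device code. It assumes that policies are evaluated in their configured position order and that the first enabled policy whose configured criteria all match decides, that several object groups of one criterion type are alternatives, that a flow matching no policy gets the policy default-action, and that an audit-free policy passes traffic without auditing. The object groups, policy names, users and flows are constructed sample data.

```python
"""Model of how ordered application audit and management policies choose a
disposition for a flow.

Added example for this reference, not device code. Assumptions: policies are
evaluated in position order and the first enabled match decides; several
object groups of one criterion type are alternatives; unmatched flows get the
policy default-action; an audit-free policy passes traffic unaudited.
Object groups, users and flows below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed object groups (what `object-group` in the Security reference defines).
OBJECT_GROUPS: Dict[str, Set[str]] = {
    "finance-hosts": {"10.1.1.10", "10.1.1.11"},   # ipv4 address object group
    "dns-udp": {"udp/53"},                         # service object groups
    "dns-tcp": {"tcp/53"},
}

# Policy type decides what happens to matching traffic.
DISPOSITION = {"audit": "audit", "noaudit": "permit-without-audit", "deny": "drop"}


@dataclass
class Policy:
    name: str
    ptype: str                                            # audit | noaudit | deny
    source: List[str] = field(default_factory=list)       # source-address groups
    destination: List[str] = field(default_factory=list)  # destination-address groups
    service: List[str] = field(default_factory=list)      # service object groups
    users: List[str] = field(default_factory=list)        # user criteria
    apps: List[str] = field(default_factory=list)         # application criteria
    disabled: bool = False

    def __post_init__(self):
        if self.ptype not in DISPOSITION:
            raise ValueError(f"unknown policy type {self.ptype!r}")
        if self.apps and self.ptype == "audit":
            raise ValueError("application is valid only in noaudit or deny policies")


@dataclass
class Flow:
    src: str
    dst: str
    service: str
    app: str
    user: Optional[str] = None


def _in_groups(groups: List[str], value: str) -> bool:
    # A criterion type with nothing configured is not used and therefore matches.
    return not groups or any(value in OBJECT_GROUPS[g] for g in groups)


def policy_matches(p: Policy, f: Flow) -> bool:
    if p.disabled:                       # disabled policies do not take part
        return False
    return (_in_groups(p.source, f.src)
            and _in_groups(p.destination, f.dst)
            and _in_groups(p.service, f.service)
            and (not p.users or f.user in p.users)
            and (not p.apps or f.app.lower() in [a.lower() for a in p.apps]))


def dispose(policies: List[Policy], f: Flow,
            default_action: str = "permit") -> Tuple[Optional[str], str]:
    """Return (name of the deciding policy or None, disposition)."""
    for p in policies:
        if policy_matches(p, f):
            return p.name, DISPOSITION[p.ptype]
    return None, default_action            # policy default-action applies


def policy_move(policies: List[Policy], name1: str, where: str, name2: str) -> List[Policy]:
    """Reorder like `policy move name1 { after | before } name2`; names are case-insensitive."""
    moving = next(p for p in policies if p.name.lower() == name1.lower())
    rest = [p for p in policies if p is not moving]
    target = next(i for i, p in enumerate(rest) if p.name.lower() == name2.lower())
    rest.insert(target + (1 if where == "after" else 0), moving)
    return rest


# Constructed policy set: finance hosts exempt from auditing, QQ blocked for everyone.
POLICIES = [
    Policy("finance-noaudit", "noaudit", source=["finance-hosts"]),
    Policy("block-qq", "deny", apps=["qq"]),
]
QQ_FROM_FINANCE = Flow("10.1.1.10", "203.0.113.5", "tcp/443", "QQ", user="alice")
HTTP_FROM_GUEST = Flow("192.0.2.7", "198.51.100.3", "tcp/80", "http")

if __name__ == "__main__":
    print(dispose(POLICIES, QQ_FROM_FINANCE))          # ('finance-noaudit', 'permit-without-audit')
    fixed = policy_move(POLICIES, "block-qq", "before", "finance-noaudit")
    print(dispose(fixed, QQ_FROM_FINANCE))             # ('block-qq', 'drop')
    print(dispose(POLICIES, HTTP_FROM_GUEST, "deny"))  # (None, 'deny')
```

With the audit-free policy first, QQ traffic from the finance hosts is never seen by the deny policy; moving the deny policy before it (or disabling the audit-free policy) changes the outcome to drop. Traffic that matches no policy takes the policy default-action, so a default of deny turns an unmatched guest flow into a drop.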
policy rename
Use policy rename to rename an application audit and management policy.
Syntax
policy rename old-policy-name new-policy-name
Views
Application audit and management view
Predefined user roles
network-admin
Parameters
old-policy-name: Specifies the old name of the policy, a case-insensitive string of 1 to 63 characters.
new-policy-name: Specifies a new name for the policy, a case-insensitive string of 1 to 63 characters.
Examples
# Create an application audit and management policy named policy1, and rename the policy as policy2.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name policy1 audit
[Sysname-uapp-control-policy-policy1] quit
[Sysname-uapp-control] policy rename policy1 policy2
rule
Use rule to configure an audit rule.
Use undo rule to delete an audit rule.
Syntax
rule rule-id { app app-name | app-category app-category-name | any } behavior { behavior-name | any } bhcontent { bhcontent-name | any } { keyword { equal | exclude | include | unequal } { keyword-group-name | any } | integer { equal | greater | greater-equal | less | less-equal | unequal } { number } } action { deny | permit } [ audit-logging ]
undo rule rule-id
Default
No audit rules exist.
Views
Application audit and management policy view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 1 to 64.
app app-name: Audits an application specified by its name.
app-category app-category-name: Audits an application category specified by its name.
any: Audits all applications and application categories.
behavior behavior-name: Audits a behavior specified by its name.
behavior any: Audits all behaviors.
bhcontent bhcontent-name: Audits a behavior content specified by its name.
bhcontent any: Audits all behavior contents.
keyword: Matches behavior contents by a string-type keyword.
· equal: Matches behavior contents that are the same as the keyword.
· exclude: Matches behavior contents that do not include the keyword.
· include: Matches behavior contents that include the keyword.
· unequal: Matches behavior contents that are different from the keyword.
keyword-group-name: Specifies a keyword group by its name.
any: Does not restrict the match to a keyword group. All behavior contents of the application or application category are audited.
integer: Matches behavior contents by a number.
· equal: Matches behavior contents that are equal to the number.
· greater: Matches behavior contents that are greater than the number.
· greater-equal: Matches behavior contents that are greater than or equal to the number.
· less: Matches behavior contents that are smaller than the number.
· less-equal: Matches behavior contents that are smaller than or equal to the number.
· unequal: Matches behavior contents that are not equal to the number.
number: Specifies a number in the range of 0 to 4294967295.
action: Specifies the action to take on packets that match the audit rule.
· deny: Denies matching packets.
· permit: Allows matching packets to pass.
audit-logging: Generates audit logs for packets that match the audit rule. If you do not specify this keyword, audit logs are not generated for packets that match the audit rule.
Usage guidelines
An audit rule is used to perform more granular control on user behaviors.
After a packet matches all match criteria in an application audit and management policy, the device performs a finer audit on the packet.
This command can be configured only in an audit policy.
For WeChat and QQ, you can only block the entire application and cannot block them by behavior or content.
Examples
# Create an application audit and management policy named mypolicy1.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
# Create an audit rule that permits QQ login packets whose account content includes a keyword in keyword group mykeywd1, generating audit logs.
[Sysname-uapp-control-policy-mypolicy1] rule 1 app qq behavior Login bhcontent Account keyword include mykeywd1 action permit audit-logging
# Create an audit rule that permits QQ login packets whose account number is not 785, without generating audit logs.
[Sysname-uapp-control-policy-mypolicy1] rule 2 app qq behavior Login bhcontent Account integer unequal 785 action permit
# Create an audit rule that denies login packets of applications in the IM category whose account content includes a keyword in keyword group mykeywd2, generating audit logs.
[Sysname-uapp-control-policy-mypolicy1] rule 3 app-category IM behavior Login bhcontent Account keyword include mykeywd2 action deny audit-logging
Related commands
keyword
keyword-group name
rule default-action
Use rule default-action to configure the default action for audit rules in an application audit and management policy.
Syntax
rule default-action { deny | permit }
Default
The default action for audit rules is permit.
Views
Application audit and management policy view
Predefined user roles
network-admin
Parameters
deny: Drops packets.
permit: Allows packets to pass.
Usage guidelines
If a packet does not match any audit rule in an application audit and management policy, the device applies the default action to the packet.
Examples
# Configure the default action as deny for audit rules in policy mypolicy1.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] rule default-action deny
rule match-method
Use rule match-method to configure the match mode for audit rules in an application audit and management policy.
Syntax
rule match-method { all | in-order }
Default
The match mode for audit rules is in-order.
Views
Application audit and management policy view
Predefined user roles
network-admin
Parameters
all: Specifies the all match mode.
in-order: Specifies the in-order match mode.
Usage guidelines
In the in-order match mode, the device compares packets with audit rules in ascending order of rule ID. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. Because the first matching rule decides, a permit rule with a lower ID prevents a deny rule with a higher ID from ever being evaluated for the same packets.
In the all match mode, the device compares packets with audit rules in ascending order of rule ID and takes the action with the higher priority among the matching rules. The deny action has higher priority than the permit action:
· If a packet matches a rule with the permit action, the device continues to compare the packet with the subsequent rules.
· If a packet matches a rule with the deny action, the device stops the match process and performs the deny action.
Examples
# Configure the match mode as all for audit rules in policy mypolicy1.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] rule match-method all
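The rule, rule default-action and rule match-method commands above together define how an audit policy decides what to do with a behavior that reached it. The following Python model is an added example for this reference and is not device code; it reuses the three rules from the rule command examples and shows why the same rule set gives a permit under in-order matching and a deny under all matching. The keyword groups mykeywd1 and mykeywd2, their contents, and the QQ login events are constructed sample data. One point the page leaves open is how unequal and exclude behave against a keyword group with several keywords; the model assumes they must hold for every keyword in the group, which is labelled as an assumption in the code.

```python
"""Model of audit-rule evaluation inside one audit policy.

Added example for this reference, not device code: the semantics follow the
rule, rule default-action and rule match-method descriptions. Keyword groups
and behavior events below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Constructed keyword groups, as `keyword-group name` plus `keyword` would build.
KEYWORD_GROUPS: Dict[str, List[str]] = {
    "mykeywd1": ["1234", "test"],
    "mykeywd2": ["0"],
}


@dataclass
class Rule:
    rule_id: int
    app: str                  # application or category name, or "any"
    behavior: str             # behavior name or "any"
    bhcontent: str            # behavior content name or "any"
    match_type: str           # "keyword" or "integer"
    operator: str             # keyword: equal/exclude/include/unequal
                              # integer: equal/unequal/greater/greater-equal/less/less-equal
    operand: Union[str, int]  # keyword group name or "any"; number for integer
    action: str               # "permit" or "deny"
    audit_logging: bool = False


@dataclass
class Event:
    app: str
    categories: Tuple[str, ...]   # categories the application belongs to
    behavior: str
    bhcontent: str
    value: str                    # content value carried in the packet


def keyword_match(op: str, value: str, group: str) -> bool:
    """Keywords are case-sensitive. Assumption: unequal/exclude must hold
    against every keyword in the group, equal/include against at least one."""
    if group == "any":
        return True
    words = KEYWORD_GROUPS[group]
    if op == "equal":
        return any(value == w for w in words)
    if op == "unequal":
        return all(value != w for w in words)
    if op == "include":
        return any(w in value for w in words)
    if op == "exclude":
        return all(w not in value for w in words)
    raise ValueError(f"unknown keyword operator {op!r}")


def integer_match(op: str, value: str, number: int) -> bool:
    """Non-numeric content cannot satisfy an integer comparison."""
    if not value.isdigit():
        return False
    n = int(value)
    return {
        "equal": n == number, "unequal": n != number,
        "greater": n > number, "greater-equal": n >= number,
        "less": n < number, "less-equal": n <= number,
    }[op]


def rule_matches(rule: Rule, ev: Event) -> bool:
    # Application names are case-insensitive; "any" matches every app and category.
    names = (ev.app.lower(), *(c.lower() for c in ev.categories))
    if rule.app != "any" and rule.app.lower() not in names:
        return False
    if rule.behavior not in ("any", ev.behavior):
        return False
    if rule.bhcontent not in ("any", ev.bhcontent):
        return False
    if rule.match_type == "keyword":
        return keyword_match(rule.operator, ev.value, str(rule.operand))
    return integer_match(rule.operator, ev.value, int(rule.operand))


def evaluate(rules: List[Rule], ev: Event, match_method: str = "in-order",
             default_action: str = "permit") -> Tuple[str, List[int]]:
    """Return (action, IDs of matched rules that generate audit logs)."""
    logged: List[int] = []
    permitted = False
    for r in sorted(rules, key=lambda r: r.rule_id):
        if not rule_matches(r, ev):
            continue
        if r.audit_logging:
            logged.append(r.rule_id)
        if match_method == "in-order":
            return r.action, logged          # first match decides
        if r.action == "deny":               # all mode: deny outranks permit
            return "deny", logged
        permitted = True                     # all mode: keep checking later rules
    return ("permit" if permitted else default_action), logged


# The three rules from the rule command examples above.
RULES = [
    Rule(1, "qq", "Login", "Account", "keyword", "include", "mykeywd1", "permit", True),
    Rule(2, "qq", "Login", "Account", "integer", "unequal", 785, "permit"),
    Rule(3, "IM", "Login", "Account", "keyword", "include", "mykeywd2", "deny", True),
]
# Constructed events: QQ (an IM application) logins with accounts 12340 and 785.
QQ_LOGIN_12340 = Event("QQ", ("IM",), "Login", "Account", "12340")
QQ_LOGIN_785 = Event("QQ", ("IM",), "Login", "Account", "785")

if __name__ == "__main__":
    print(evaluate(RULES, QQ_LOGIN_12340, "in-order"))        # ('permit', [1])
    print(evaluate(RULES, QQ_LOGIN_12340, "all"))             # ('deny', [1, 3])
    print(evaluate(RULES, QQ_LOGIN_785, "in-order", "deny"))  # ('deny', [])
```

Account 12340 matches all three rules: it includes 1234, it is not 785, and it includes 0. In in-order mode rule 1 permits it and rule 3 is never reached; in all mode rule 3's deny outranks the earlier permits. Account 785 matches no rule, so only rule default-action decides whether it passes.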
service
Use service to configure a service object group as a match criterion for an application audit and management policy.
Use undo service to delete a service object group match criterion from an application audit and management policy.
Syntax
service service-name
undo service [ service-name ]
Default
No service object group is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
Parameters
service-name: Specifies an existing service object group by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can configure this command multiple times to specify multiple service object groups.
The undo service command removes all service object groups from match criteria if you do not specify a service object group or specify the system-defined service object group any.
Examples
# Specify service object groups dns-tcp and dns-udp for policy mypolicy1 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] service dns-tcp
[Sysname-uapp-control-policy-mypolicy1] service dns-udp
Related commands
object-group (Security Command Reference)
source-address
Use source-address to configure a source IP address object group as a match criterion for an application audit and management policy.
Use undo source-address to remove a source IP address object group as a match criterion from an application audit and management policy.
Syntax
source-address { ipv4 | ipv6 } object-group-name
undo source-address { ipv4 | ipv6 } object-group-name
Default
No source IP address object group is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
Parameters
ipv4: Specifies an IPv4 address object group.
ipv6: Specifies an IPv6 address object group.
object-group-name: Specifies an existing address object group by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can configure this command multiple times to specify multiple IPv4 or IPv6 address object groups.
Examples
# Specify IPv4 address object groups obgroup1 and obgroup2 for policy mypolicy1 to match source IPv4 addresses of packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] source-address ipv4 obgroup1
[Sysname-uapp-control-policy-mypolicy1] source-address ipv4 obgroup2
Related commands
object-group (Security Command Reference)
time-range
Use time-range to specify a time range during which an application audit and management policy is in effect.
Use undo time-range to restore the default.
Syntax
time-range time-range-name
undo time-range
Default
An application audit and management policy is in effect at any time.
Views
Application audit and management policy view
Predefined user roles
network-admin
Parameters
time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters.
Examples
# Specify time range work-time for policy mypolicy1.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] time-range work-time
Related commands
time-range (Security Command Reference)
uapp-control
Use uapp-control to enter application audit and management view.
Use undo uapp-control to remove all application audit and management policy settings.
Syntax
uapp-control
undo uapp-control
Views
System view
Predefined user roles
network-admin
Usage guidelines
In application audit and management view, you can create, copy, move, and rename application audit and management policies. You can also create keyword groups in this view.
Application audit and management policies have the following types:
· Audit policy.
· Audit-free policy.
· Deny policy.
Audit-free policies and deny policies provide application audit and management at a coarse level of granularity. Audit policies provide more granular application audit and management.
Examples
# Enter application audit and management view.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control]
user
Use user to configure a user as a match criterion for an application audit and management policy.
Use undo user to delete a user match criterion from an application audit and management policy.
Syntax
user user-name [ domain domain-name ]
undo user user-name [ domain domain-name ]
Default
No user is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
Parameters
user-name: Specifies an identity user by its name, a case-sensitive string of 1 to 55 characters. The username cannot be a, al, or all, and cannot contain the following special characters: \ | / : * ? < > @.
domain domain-name: Matches the user in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The domain name cannot contain the following special characters: \ | / : * ? < > @. If you do not specify this option, the system matches the user among users that do not belong to any identity domain. For more information about identity domains, see user identification in User Access and Authentication Configuration Guide.
Usage guidelines
You can configure this command multiple times to specify multiple users.
Examples
# Specify users managers1 and managers2 for policy mypolicy1 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] user managers1
[Sysname-uapp-control-policy-mypolicy1] user managers2
# Configure user managers1 in identity domain dpi for policy mypolicy1 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] user managers1 domain dpi
Related commands
user-identity enable (User Access and Authentication Command Reference)
user-group
Use user-group to configure a user group as a match criterion for an application audit and management policy.
Use undo user-group to delete a user group match criterion from an application audit and management policy.
Syntax
user-group user-group-name [ domain domain-name ]
undo user-group user-group-name [ domain domain-name ]
Default
No user group is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
Parameters
user-group-name: Specifies an identity user group by its name, a case-insensitive string of 1 to 200 characters.
domain domain-name: Matches the user group in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The domain name cannot contain the following special characters: \ | / : * ? < > @. If you do not specify this option, the system matches the user group among user groups that do not belong to any identity domain. For more information about identity domains, see user identification in User Access and Authentication Configuration Guide.
Usage guidelines
You can configure this command multiple times to specify multiple user groups.
Examples
# Specify user groups group1 and group2 for policy mypolicy1 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] user-group group1
[Sysname-uapp-control-policy-mypolicy1] user-group group2
# Configure user group group1 in identity domain dpi for policy mypolicy1 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] user-group group1 domain dpi
Related commands
user-identity enable (User Access and Authentication Command Reference)