07-Zero Trust Command Reference


SDP zero trust commands

vSystem supports all SDP zero trust features. For more information about vSystem, see Virtual Technologies Configuration Guide.

display trusted-access controller sdp assigned-resource

Use display trusted-access controller sdp assigned-resource to display the resources assigned by the SDP controller to users.

Syntax

display trusted-access controller sdp assigned-resource { api | app } [ context context-name ]

Views

Any view

Predefined user roles

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

api: Displays API resources.

app: Displays application resources.

context context-name: Specifies an SDP context by its name. An SDP context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SDP context, this command displays resource information in all SDP contexts.

Examples

# Display application resources assigned by the SDP controller to users.

<Sysname> display trusted-access controller sdp assigned-resource app

Context                : default

App ID                 : 12345

App Name               : sdptest

AccessType             : web-proxy

HostName               : host1

Address                : Protocol    : HTTPS

IPv4Address : 2.2.2.1

Port        : 4430

 

App ID                 : 345

App Name               : sdptest

AccessType             : tcp-access

HostName               : host5

Gateway Port           : 4430

Identity Location      : 1

Address                : Protocol    : HTTPS

IPv4Address : 2.2.2.5

Port        : 443

 

App ID                 : 12345

App Name               : sdptest

AccessType             : ip-tunnel

HostName               : host1

Address                : Protocol    : TCP

IPv4Address : 2.2.2.1-2.2.2.10

Port        : 4430

Address                : Protocol    : UDP

IPv4Address : 3.1.1.0/24

Port        : 80,90-100

Table 1 Command output

Field

Description

Context

SDP context to which the SDP user belongs. The SDP context name must be default.

App ID

ID of the application that the SDP controller assigns to users.

App Name

Name of the application that the SDP controller assigns to users.

AccessType

Access mode supported by the application:

·     ip-tunnel—IP access mode.

·     mix—Mix access mode.

·     web-access—Web access mode.

·     tcp-access—TCP access mode.

HostName

Host name of the application.

Gateway Port

SDP gateway port number for the application server.

This field is available only for an application of the TCP proxy type.

Identity Location

Location of the user token in the request message sent by the TCP application client to the SDP gateway, in the range of 1 to 65535. The field value indicates the start bit of user information.

This field is available only for an application of the TCP proxy type.

Address

Address of the application. This field might display multiple times.

Protocol

Protocol of the application, including:

·     TCP.

·     UDP.

·     HTTP.

·     HTTPS.

IPv4Address

IPv4 address of the application.

Port

Port number of the application.
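The Address blocks above carry three IPv4 forms (single host, hyphenated range, CIDR) and a port field that mixes single ports and ranges. The following added example, not part of the H3C document, parses the app output shown above into one record per App ID and answers whether a given protocol/address/port is covered by any assigned resource, which is a quick way to verify that the controller's assignments match the allowlist you expected. The sample text is constructed in the same layout as the output above.

```python
import ipaddress

# Constructed sample laid out like the "assigned-resource app" output above
# (not captured from a device).
SAMPLE = """\
Context                : default
App ID                 : 12345
App Name               : sdptest
AccessType             : ip-tunnel
HostName               : host1
Address                : Protocol    : TCP
IPv4Address : 2.2.2.1-2.2.2.10
Port        : 4430
Address                : Protocol    : UDP
IPv4Address : 3.1.1.0/24
Port        : 80,90-100
"""

def parse_ports(spec):
    """'80,90-100' -> set of every port listed singly or in a range."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def ip_in(spec, ip):
    """Match an IPv4Address field given as a host, an 'a-b' range, or a CIDR prefix."""
    ip = ipaddress.ip_address(ip)
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    lo, _, hi = spec.partition("-")
    return ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi or lo)

def parse_apps(text):
    """Group lines into apps; each app holds a list of address dicts."""
    apps, addr = [], None
    for line in text.splitlines():
        key, _, val = line.partition(":")      # first colon separates field and value
        key, val = key.strip(), val.strip()
        if key == "App ID":
            apps.append({"id": val, "addresses": []})
        elif key in ("App Name", "AccessType", "HostName"):
            apps[-1][key] = val
        elif key == "Address":                 # "Address : Protocol : TCP" opens a block
            addr = {"proto": val.partition(":")[2].strip()}
            apps[-1]["addresses"].append(addr)
        elif key == "IPv4Address":
            addr["ip"] = val
        elif key == "Port":
            addr["ports"] = parse_ports(val)
    return apps

def apps_covering(apps, proto, ip, port):
    """IDs of apps whose assigned addresses include this protocol/ip/port."""
    return [a["id"] for a in apps
            if any(ad["proto"] == proto and ip_in(ad["ip"], ip) and port in ad["ports"]
                   for ad in a["addresses"])]
```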

 

# Display API resources assigned by the SDP controller to users.

<Sysname> display trusted-access controller sdp assigned-resource api

Context                : default

API ID                 : 12345-1

API Name               : sdptest-1

URL                    : http://10.1.1.1

App ID                 : 12345

Table 2 Command output

Field

Description

Context

SDP context to which the SDP user belongs. The SDP context name must be default.

API ID

ID of the API that the SDP controller assigns to users.

API Name

Name of the API that the SDP controller assigns to users.

URL

Full URL with path.

App ID

ID of the application to which the API belongs.

 

display trusted-access controller sdp session

Use display trusted-access controller sdp session to display SDP session information.

Syntax

display trusted-access controller sdp session [ context context-name ] [ user user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

context context-name: Specifies an SDP context by its name. An SDP context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SDP context, this command displays detailed SDP session information in all SDP contexts.

user user-name: Specifies an SDP user by the username, a case-insensitive string of 1 to 63 characters. If you do not specify a user, this command displays detailed SDP session information for all users.

Examples

# Display detailed SDP session information for all users.

<Sysname> display trusted-access controller sdp session

User                   : user1

Authentication method  : SDP authentication

Context                : default

Created at             : 13:49:27 UTC Wed 04/14/2021

Lastest                : 17:50:58 UTC Wed 04/14/2021

Allocated IPv4 address : 2.2.2.1

Session ID             : 1

Send rate              : 0.00 B/s

Receive rate           : 0.00 B/s

Sent bytes             : 0.00 B

Received bytes         : 0.00 B

Apps                   : app1/permit;

                         app2/deny;

                         …

APIs                   : api1/permit;

                         api2/deny;

                         …

User                   : user2

Authentication method  : SDP authentication

Context                : default

Created at             : 13:50:20 UTC Wed 04/14/2021

Lastest                : 17:55:58 UTC Wed 04/14/2021

Allocated IPv4 address : 2.2.2.1

Session ID             : 1

Send rate              : 0.00 B/s

Receive rate           : 0.00 B/s

Sent bytes             : 0.00 B

Received bytes         : 0.00 B

Apps                   : app1/permit;

                         app3/deny;

                         …

APIs                   : api1/permit;

                         api3/deny;

                         …

# Display SDP session information for SDP user user1.

<Sysname> display trusted-access controller sdp session user user1

User                   : user1

Authentication method  : SDP authentication

Context                : default

Created at             : 13:49:27 UTC Wed 04/14/2021

Lastest                : 17:50:58 UTC Wed 04/14/2021

Allocated IPv4 address : 2.2.2.1

Session ID             : 1

Send rate              : 0.00 B/s

Receive rate           : 0.00 B/s

Sent bytes             : 0.00 B

Received bytes         : 0.00 B

Apps                   : app1/permit;

                         app2/deny;

                         …

APIs                   : api1/permit;

                         api2/deny;

                         …

Table 3 Command output

Field

Description

User

SDP username.

Authentication method

Authentication method required for logging in to the SDP context. Only SDP authentication is supported, which indicates authentication through the SDP controller.

Context

SDP context to which the SDP user belongs. The SDP context name must be default.

Created at

Time at which the SDP session was created.

Latest

Most recent time when the SDP user accessed resources through the SDP session.

Allocated IPv4 address

IPv4 address allocated to the iNode client of the SDP user. This field is displayed only for iNode users.

Session ID

ID of the SDP session.

Send rate

Sending rate of the SDP session in one of the following units:

·     B/s—Bytes per second.

·     KB/s—Kilobytes per second.

·     MB/s—Megabytes per second.

·     GB/s—Gigabytes per second.

·     TB/s—Terabytes per second.

·     PB/s—Petabytes per second.

Receive rate

Receiving rate of the SDP session in one of the following units:

·     B/s—Bytes per second.

·     KB/s—Kilobytes per second.

·     MB/s—Megabytes per second.

·     GB/s—Gigabytes per second.

·     TB/s—Terabytes per second.

·     PB/s—Petabytes per second.

Sent bytes

Traffic sent by the SDP session in one of the following units:

·     B—Bytes.

·     KB—Kilobytes.

·     MB—Megabytes.

·     GB—Gigabytes.

·     TB—Terabytes.

·     PB—Petabytes.

Received bytes

Traffic received by the SDP session in one of the following units:

·     B—Bytes.

·     KB—Kilobytes.

·     MB—Megabytes.

·     GB—Gigabytes.

·     TB—Terabytes.

·     PB—Petabytes.

Apps

Applications to which the SDP controller allows or denies user access.

APIs

APIs to which the SDP controller allows or denies user access.

 

display trusted-access controller sdp tcp-proxy-connection

Use display trusted-access controller sdp tcp-proxy-connection to display information about TCP proxy for access to applications.

Syntax

display trusted-access controller sdp tcp-proxy-connection [ context context-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

context context-name: Specifies an SDP context by its name. An SDP context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SDP context, this command displays TCP proxy information for all SDP contexts.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays TCP proxy information for all member devices.

Examples

# Display TCP proxy information for all SDP contexts.

<Sysname> display trusted-access controller sdp tcp-proxy-connection

Slot                    : 1

Total count             : 2

Context                 : default

  User                  : user1

  Client address        : 192.0.2.1

  Client port           : 1025

  Server address        : 192.168.0.39

  Server port           : 80

  TCP connection status : Connected

  User                  : user2

  Client address        : 192.0.2.4

  Client port           : 56190

  Server address        : 192.168.0.50

  Server port           : 23

  TCP connection status : Connecting

Table 4 Command output

Field

Description

Total count

Total number of SDP users for the SDP context.

Context

SDP context name.

User

Login name of the SDP user.

Client address

IP address of the SDP client.

Client port

Port number of the SDP client.

Server address

IP address of the application server.

Server port

Port number of the application server.

TCP connection status

TCP connection status, Connected or Connecting.

sdp access-method

Use sdp access-method to specify the resource access mode through the SDP gateway.

Use undo sdp access-method to restore the default.

Syntax

sdp access-method { ip-tunnel | mix | web-access }

undo sdp access-method

Default

The resource access mode through the SDP gateway is mix.

Views

SDP trusted access controller view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

ip-tunnel: Specifies IP access mode. In this mode, a user can use only the iNode client to log in to the SDP controller for authentication. After authentication, the user can access internal resources only through the iNode client.

mix: Specifies mix access mode. In this mode, a user must use the iNode client to log in to the SDP controller for authentication. After authentication, the user can access internal resources through a browser or the iNode client.

web-access: Specifies Web access mode. In this mode, a user can log in to the SDP controller only through browsers for authentication. After authentication, the user can access internal resources only through a browser.

Usage guidelines

This command takes effect only when SDP is enabled for trusted access control.

If you change the access mode, a user that has logged in must log in to the SDP controller again for authentication. The user can continue to access internal resources only after passing the authentication.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the Web access mode for users to access the SDP gateway.

<Sysname> system-view

[Sysname] trusted-access controller sdp

[Sysname-tac-sdp] sdp access-method web-access

Related commands

sdp enable

sdp api-access default

Use sdp api-access default to configure the default API access control rule.

Use undo sdp api-access default to restore the default.

Syntax

sdp api-access default { deny | permit }

undo sdp api-access default

Default

Users are permitted to access internal APIs through the SDP gateway.

Views

SDP trusted access controller view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

deny: Denies user access to internal APIs through the SDP gateway.

permit: Allows user access to internal APIs through the SDP gateway.

Usage guidelines

If an API is not in the API list assigned by the SDP controller, the device will deny or allow user access to the API according to the default API access control rule.

If a large number of internal APIs are available, you can manage permissions to access specific APIs. For example, deny or allow user access to an important API. For other APIs, you can use this command to configure the default API access control rule as a whole.

This command takes effect only when SDP is enabled for trusted access control.
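The session output of display trusted-access controller sdp session lists each user's Apps and APIs as name/verdict pairs, and the usage guidelines above say that an API absent from that list falls through to the default rule set with sdp api-access default. The added example below (not part of the H3C document) parses that session output, including the indented continuation lines, and computes the effective verdict for a named API under a given default rule, so an operator can see which online users would reach an API before flipping the default to deny. The sample text is constructed in the documented layout.

```python
# Constructed sample in the layout of "display trusted-access controller sdp session"
# (not captured from a device); the "..." continuation markers are omitted.
SAMPLE = """\
User                   : user1
Authentication method  : SDP authentication
Context                : default
Created at             : 13:49:27 UTC Wed 04/14/2021
Lastest                : 17:50:58 UTC Wed 04/14/2021
Allocated IPv4 address : 2.2.2.1
Session ID             : 1
Apps                   : app1/permit;
                         app2/deny;
APIs                   : api1/permit;
                         api2/deny;
User                   : user2
Authentication method  : SDP authentication
Context                : default
Session ID             : 2
Apps                   : app1/permit;
APIs                   : api3/deny;
"""

def _add_entries(target, chunk):
    """Parse 'name/verdict; name/verdict;' fragments into the target dict."""
    for item in chunk.split(";"):
        name, _, verdict = item.strip().partition("/")
        if name:
            target[name] = verdict

def parse_sessions(text):
    """One dict per User block; Apps and APIs become {name: 'permit'|'deny'}."""
    sessions, cur, lst = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and lst is not None:    # indented continuation of a list
            _add_entries(lst, line)
            continue
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "User":
            cur = {"user": val, "apps": {}, "apis": {}}
            sessions.append(cur)
            lst = None
        elif key in ("Apps", "APIs"):
            lst = cur[key.lower()]
            _add_entries(lst, val)
        else:
            cur[key] = val
            lst = None
    return sessions

def api_decision(session, api_name, default_rule):
    """Controller's explicit verdict if the API is listed, else the gateway default."""
    return session["apis"].get(api_name, default_rule)

def users_allowed(sessions, api_name, default_rule="permit"):
    """Online users whose effective verdict for api_name is permit."""
    return [s["user"] for s in sessions if api_decision(s, api_name, default_rule) == "permit"]
```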

Examples

# Deny user access to internal APIs through the SDP gateway.

<Sysname> system-view

[Sysname] trusted-access controller sdp

[Sysname-tac-sdp] sdp api-access default deny

Related commands

sdp enable

sdp enable

Use sdp enable to enable SDP for trusted access control.

Use undo sdp enable to disable SDP for trusted access control.

Syntax

sdp enable

undo sdp enable

Default

SDP is disabled for trusted access control.

Views

SDP trusted access controller view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

SDP zero trust allows the device to act as an SDP gateway that cooperates with an SDP controller to authenticate and authorize users accessing a specific application or API. This centrally controls user identities and access permissions and prevents unauthorized user access.

The SDP gateway uses the cloud connection feature to notify the SDP controller of its keepalive status. Because the keepalive interval set on the SDP controller is 30 seconds, use cloud-management keepalive to set the interval at which the device sends keepalive packets to the cloud server to a value in the range of 10 to 29 seconds; otherwise SDP trusted access control cannot operate reliably. For more information about cloud connections, see Network Management and Monitoring Configuration Guide.

In a zero trust scenario, the SDP gateway acts as the SSL VPN gateway to connect remote users to the enterprise internal network.

Examples

# Enable SDP for trusted access control.

<Sysname> system-view

[Sysname] trusted-access controller sdp

[Sysname-tac-sdp] sdp enable

Related commands

cloud-management keepalive

spa enable

Use spa enable to enable SPA authentication.

Use undo spa enable to disable SPA authentication.

Syntax

spa enable

undo spa enable

Default

SPA authentication is disabled.

Views

SDP trusted access controller view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

This command is supported only in IP access mode and mix access mode, and takes effect only when SDP is enabled for trusted access control.

In IP or mix access mode, the iNode client must first send an SPA message to the SDP gateway. The SDP gateway uses the SPA message to determine whether the client is legitimate. If the client is legitimate, the SDP gateway accepts the client's subsequent requests. If not, the SDP gateway rejects the client's requests.

Re-enabling this feature affects online users. As a best practice, do not re-enable this feature while users are accessing resources. You can use the display trusted-access controller sdp session command to obtain information about online users.

Examples

# Enable SPA authentication.

<Sysname> system-view

[Sysname] trusted-access controller sdp

[Sysname-tac-sdp] spa enable

Related commands

sdp enable

sdp access-method

display trusted-access controller sdp session

trusted-access controller sdp

Use trusted-access controller sdp to enter SDP trusted access controller view.

Use undo trusted-access controller sdp to exit SDP trusted access controller view.

Syntax

trusted-access controller sdp

undo trusted-access controller sdp

Default

The SDP trusted access controller view does not exist.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Examples

# Enter SDP trusted access controller view.

<Sysname> system-view

[Sysname] trusted-access controller sdp

[Sysname-tac-sdp]
