07-Zero Trust Command Reference

02-Trusted access control commands

IAM trusted access control commands

 

connection-limit max

Use connection-limit max to configure the maximum number of connections for the trusted proxy.

Use undo connection-limit max to restore the default.

Syntax

connection-limit max max-number

undo connection-limit

Default

The maximum number of connections is 0 (not limited) for the trusted proxy.

Views

HTTP trusted application proxy view

HTTP trusted API proxy view

Predefined user roles

network-admin

context-admin

Parameters

max-number: Specifies the maximum number of connections, in the range of 0 to 4294967295. The value 0 means the maximum number of connections is not limited for the trusted proxy.

Examples

# Configure the maximum number of connections as 10000 for HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] connection-limit max 10000

description

Use description to configure a description for the trusted access controller.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for the trusted access controller.

Views

IAM trusted access controller view

Predefined user roles

network-admin

context-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Examples

# Configure the description iam server for IAM trusted access controller tac.

<Sysname> system-view

[Sysname] trusted-access controller tac type iam

[Sysname-tac-iam-tac] description iam server

Related commands

display trusted-access controller

display trusted-access api-id-url

Use display trusted-access api-id-url to display API ID-to-URL mappings.

Syntax

display trusted-access api-id-url [ name controller-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

name controller-name: Specifies a trusted access controller by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays API ID-to-URL mappings for all trusted access controllers.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays API ID-to-URL mappings for all member devices.

Usage guidelines

The device maps the URLs in API requests to shorter API IDs to reduce resource consumption on the IAM server. Upon receiving an API authorization request, the device maps the API URL in the request to an API ID before forwarding the request to the trusted access controller. After the authorization is complete, the device maps the API ID in the authorization result back to the API URL before sending the result to the user.

Examples

# Display API ID-to-URL mappings.

<Sysname> display trusted-access api-id-url

Slot 2:

    API ID       URL

    888          http://888.com

    666          http://666.com

display trusted-access controller

Use display trusted-access controller to display trusted access controller information.

Syntax

display trusted-access controller [ name controller-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

name controller-name: Specifies a trusted access controller by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays information about all trusted access controllers.

Examples

# Display information about all trusted access controllers.

<Sysname> display trusted-access controller

Trusted access controller: tac

  Description:

  Type: IAM

  State: Active

  Local service URL: http://10.153.10.120:80

  Peer service URL: http://10.153.10.121:80

  SSL client policy: scp

  SSL server policy: ssp

  Slot 1:

    Peer service state: Active

    Serial ID: 38ad-be93-e0c4-0008-0100

  Slot 2:

    Peer service state: Inactive

    Serial ID: 38ad-be93-e0c4-0010-0100

Table 1 Command output

Field                       Description
Trusted access controller   Name of the trusted access controller.
Description                 Description of the trusted access controller.
Type                        Type of the trusted access controller. Only IAM is supported in the current software version.
State                       State of the trusted access controller:
                            ·     Active—The trusted access controller is available.
                            ·     Inactive—The trusted access controller is not available although it is enabled.
                            ·     Inactive(disabled)—The trusted access controller is not available because it is disabled.
Serial ID                   Serial ID that identifies the trusted proxy device.
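A parser for the display trusted-access controller output documented above, as an added example in Python (not H3C code): it reads the controller-level fields and the per-slot peer service state, then reports anything a defender would want flagged, such as a controller or slot that is not Active or a service URL that uses plain HTTP where the reference also allows HTTPS. The sample output is constructed in the documented format; the checks themselves are assumptions about what is worth alerting on.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the documented output format (not captured from a device).
SAMPLE_OUTPUT = """\
Trusted access controller: tac
  Description:
  Type: IAM
  State: Active
  Local service URL: http://10.153.10.120:80
  Peer service URL: http://10.153.10.121:80
  SSL client policy: scp
  SSL server policy: ssp
  Slot 1:
    Peer service state: Active
    Serial ID: 38ad-be93-e0c4-0008-0100
  Slot 2:
    Peer service state: Inactive
    Serial ID: 38ad-be93-e0c4-0010-0100
"""

SLOT_RE = re.compile(r"^Slot (\d+)$")


def parse_controllers(text: str) -> List[Dict]:
    """Parse 'display trusted-access controller' output.

    Returns one dict per controller: 'name', the controller-level fields keyed
    by their displayed names, and 'slots' mapping the IRF member ID to that
    slot's 'Peer service state' and 'Serial ID'.
    """
    controllers: List[Dict] = []
    current: Optional[Dict] = None
    slot: Optional[int] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")   # split at the first colon only
        key, value = key.strip(), value.strip()
        if indent == 0 and key == "Trusted access controller":
            current = {"name": value, "slots": {}}
            controllers.append(current)
            slot = None
        elif current is None:
            continue                                    # text before the first controller block
        elif indent == 2 and SLOT_RE.match(key):
            slot = int(SLOT_RE.match(key).group(1))
            current["slots"][slot] = {}
        elif indent == 2:
            current[key] = value                        # controller-level field, e.g. State
            slot = None
        elif indent == 4 and slot is not None:
            current["slots"][slot][key] = value         # per-slot field
    return controllers


def audit(controllers: List[Dict]) -> Tuple[bool, List[str]]:
    """Return (all_clear, findings). Assumed checks: the controller state must be
    Active, both service URLs should use https://, and every IRF slot's peer
    service state must be Active."""
    findings: List[str] = []
    for c in controllers:
        name = c["name"]
        state = c.get("State", "?")
        if state != "Active":
            findings.append(f"{name}: controller state is {state}")
        for field in ("Local service URL", "Peer service URL"):
            if c.get(field, "").lower().startswith("http://"):
                findings.append(f"{name}: {field} uses plain HTTP")
        for slot_id, info in sorted(c["slots"].items()):
            peer = info.get("Peer service state", "?")
            if peer != "Active":
                findings.append(f"{name}: slot {slot_id} peer service state is {peer}")
    return not findings, findings


if __name__ == "__main__":
    ok, problems = audit(parse_controllers(SAMPLE_OUTPUT))
    print("all clear" if ok else "\n".join(problems))
```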

 

display trusted-access permitted-record

Use display trusted-access permitted-record to display user authorization success records.

Syntax

display trusted-access permitted-record { api-auth | app-auth } user { brief | user-name } [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

api-auth: Specifies API authorization success records.

app-auth: Specifies application authorization success records.

user: Displays authorization success records for the specified user.

brief: Displays brief authorization success records for all users.

user-name: Specifies a user by username, a case-sensitive string of 1 to 63 characters.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays user authorization success records for all member devices.

Usage guidelines

Use this command to view the URLs that have been authorized as permitted.

If the trusted access controller permits an access request, the device adds the associated application URL or API URL as an authorization success record. Until the record expires, matching requests are served from the record by a local lookup, without a new authorization. After the record expires, the trusted access controller must authorize matching access requests again.

Examples

# Display authorization success records for user test.

<Sysname> display trusted-access permitted-record app-auth user test

Slot 1:

  Username: test

  Created at: 2020-04-15 14:34:54

  Application access list:

    Application URL        Time of last access

    test.iam.com/aaa/      2020-04-15 14:34:54

    test.iam.com/bbb/

 

# Display brief authorization success records for all users.

<Sysname> display trusted-access permitted-record app-auth user brief

Slot 1:

  Total users: 1

    Username                                 Creation time

    test                                     2020-04-15 14:34:54

    test1                                    2020-04-15 14:37:21

Table 2 Command output

Field                 Description
Created at            Time when the user authorization success record was created.
Total users           Total number of users that have been successfully authorized.
Time of last access   Most recent time when the application URL or API URL was accessed.

 

display trusted-api-proxy

Use display trusted-api-proxy to display trusted API proxy information.

Syntax

display trusted-api-proxy [ brief | name trusted-proxy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

brief: Displays brief trusted API proxy information. If you do not specify this keyword, the command displays detailed trusted API proxy information.

name trusted-proxy-name: Specifies a trusted API proxy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays information about all trusted API proxies.

Examples

# Display brief information about all trusted API proxies.

<Sysname> display trusted-api-proxy brief

Trusted API proxy  State        Type      Proxy address       Port

api                Active       HTTP      172.40.0.10/32      80

                                          1::1/128

api2               Inactive     HTTP      --                  80

                   (disabled)

# Display detailed information about all trusted API proxies.

<Sysname> display trusted-api-proxy

Trusted API proxy: api

  Type: HTTP

  State: Active

  IPv4 address: 172.40.0.10/32

  IPv6 address: 1::1/128

  Port: 80

  LB policy: api

  LB connection limit policy: a

  TCP parameter profile: tcp

  Connection limit: 10000

  Rate limit:

    Connections: 10000

  SSL server policy: ssp

  SSL client policy: scp

  IAM trusted access controller: tac

 

Trusted API proxy: api2

  Type: HTTP

  State: Inactive    (disabled)

  IPv4 address: --

  IPv6 address: --

  Port: 80

  LB policy:

  LB connection limit policy:

  Connection limit: --

  Rate limit:

    Connections: --

  SSL server policy:

  SSL client policy:

  IAM trusted access controller: tac

Table 3 Command output

Field                                  Description
Trusted API proxy                      Name of the trusted API proxy.
State                                  State of the trusted API proxy:
                                       ·     Active—The trusted API proxy is available.
                                       ·     Inactive—The trusted API proxy is not available although a license has been installed and the proxy is enabled.
                                       ·     Inactive (no license)—The trusted API proxy is not available due to lack of license.
                                       ·     Inactive (disabled)—The trusted API proxy is not available because it is disabled.
Type                                   Type of the trusted API proxy. Only HTTP is supported in the current software version.
Proxy IPv4 address                     IPv4 address and mask length of the trusted API proxy.
Proxy IPv6 address                     IPv6 address and prefix length of the trusted API proxy.
Port                                   Port number of the trusted API proxy.
LB policy                              LB policy used by the trusted API proxy.
LB limit-policy                        LB connection limit policy used by the trusted API proxy.
TCP parameter profile                  TCP parameter profile used by the trusted API proxy. This field is displayed only when the TCP parameter profile is configured.
TCP parameter profile (client-side)    Client-side TCP parameter profile used by the trusted API proxy. This field is displayed only when the client-side TCP parameter profile is configured.
TCP parameter profile (server-side)    Server-side TCP parameter profile used by the trusted API proxy. This field is displayed only when the server-side TCP parameter profile is configured.
DPI application profile                DPI application profile used by the trusted API proxy. This field is displayed only when a DPI application profile has been specified.
Connection limit                       Maximum number of connections for the trusted API proxy.
Rate limit                             Connection rate limit setting for the trusted API proxy.
Connections                            Maximum connection rate for the trusted API proxy.
SSL server policy                      Name of the SSL server policy. This field is displayed only for an HTTP trusted API proxy.
SSL client policy                      Name of the SSL client policy. This field is displayed only for an HTTP trusted API proxy.
HTTP protection policy                 HTTP protection policy used by the trusted API proxy.
IAM trusted access controller          Name of the IAM trusted access controller used by the trusted API proxy.

 

display trusted-api-proxy statistics

Use display trusted-api-proxy statistics to display trusted API proxy statistics.

Syntax

display trusted-api-proxy statistics [ name trusted-proxy-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

name trusted-proxy-name: Specifies a trusted API proxy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays statistics for all trusted API proxies.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays trusted API proxy statistics for all member devices.

Examples

# Display statistics for trusted API proxy api.

<Sysname> display trusted-api-proxy statistics name api

Trusted API proxy: api

  Total connections: 979

  Active connections: 618

  Max connections: 661

    Recorded at 11:02:49 on Tue May 21 2019

  Connections per second: 146

  Max connections per second: 156

    Recorded at 11:02:49 on Tue May 21 2019

  Client input: 333332 bytes

  Client output: 472054 bytes

  Throughput: 4088 bps

  Inbound throughput: 1214 bps

  Outbound throughput: 2874 bps

  Max throughput: 4368 bps

    Recorded at 11:02:49 on Tue May 21 2019

  Max inbound throughput: 1214 bps

    Recorded at 11:02:49 on Tue May 21 2019

  Max outbound throughput: 3154 bps

    Recorded at 11:02:49 on Tue May 21 2019

  Received packets: 979

  Sent packets: 0

  Dropped packets: 0

  Received requests: 0

  Authentication permitted requests: 0

  Authentication denied requests: 0

Table 4 Command output

Field                               Description
Trusted API proxy                   Name of the trusted API proxy.
Client input                        Traffic received from clients in bytes.
Client output                       Traffic sent to clients in bytes.
Throughput                          Total packet throughput in bps.
Inbound throughput                  Total inbound packet throughput in bps.
Outbound throughput                 Total outbound packet throughput in bps.
Max throughput                      Maximum packet throughput in bps.
Max inbound throughput              Maximum inbound packet throughput in bps.
Max outbound throughput             Maximum outbound packet throughput in bps.
Received packets                    Number of received packets.
Sent packets                        Number of packets sent by the trusted API proxy to clients.
Dropped packets                     Number of dropped packets.
Received requests                   Number of received HTTP requests. This field is displayed only for an HTTP trusted API proxy.
Dropped requests                    Number of dropped HTTP requests. This field is displayed only for an HTTP trusted API proxy.
Sent responses                      Number of sent HTTP responses. This field is displayed only for an HTTP trusted API proxy.
Dropped responses                   Number of dropped HTTP responses. This field is displayed only for an HTTP trusted API proxy.
Authentication permitted requests   Number of requests that are permitted in authorization.
Authentication denied requests      Number of requests that are denied in authorization.

 

display trusted-app-proxy

Use display trusted-app-proxy to display trusted application proxy information.

Syntax

display trusted-app-proxy [ brief | name trusted-proxy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

brief: Displays brief trusted application proxy information. If you do not specify this keyword, the command displays detailed trusted application proxy information.

name trusted-proxy-name: Specifies a trusted application proxy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays information about all trusted application proxies.

Examples

# Display brief information about all trusted application proxies.

<Sysname> display trusted-app-proxy brief

Trusted App proxy  State        Type      Proxy address       Port

app                Active       HTTP      172.40.0.10/32      80

                                          1::1/128

app2               Inactive     HTTP      --                  80

                   (disabled)

# Display detailed information about all trusted application proxies.

<Sysname> display trusted-app-proxy

Trusted application proxy: app

  Type: HTTP

  State: Active

  IPv4 address: 172.40.0.10/32

  IPv6 address: 1::1/128

  Port: 80

  LB policy: app

  LB connection limit policy: a

  TCP parameter profile: tcp

  Connection limit: 10000

  Rate limit:

    Connections: 10000

  SSL server policy: ssp

  SSL client policy: scp

  IAM trusted access controller: tac

 

Trusted application proxy: app2

  Type: HTTP

  State: Inactive    (disabled)

  IPv4 address: --

  IPv6 address: --

  Port: 80

  LB policy:

  LB connection limit policy:

  Connection limit: --

  Rate limit:

    Connections: --

  SSL server policy:

  SSL client policy:

  IAM trusted access controller: tac

Table 5 Command output

Field                                  Description
Trusted application proxy              Name of the trusted application proxy.
State                                  State of the trusted application proxy:
                                       ·     Active—The trusted application proxy is available.
                                       ·     Inactive—The trusted application proxy is not available although a license has been installed and the proxy is enabled.
                                       ·     Inactive (no license)—The trusted application proxy is not available due to lack of license.
                                       ·     Inactive (disabled)—The trusted application proxy is not available because it is disabled.
Type                                   Type of the trusted application proxy. Only HTTP is supported in the current software version.
Proxy IPv4 address                     IPv4 address and mask length of the trusted application proxy.
Proxy IPv6 address                     IPv6 address and prefix length of the trusted application proxy.
Port                                   Port number of the trusted application proxy.
LB policy                              LB policy used by the trusted application proxy.
LB limit-policy                        LB connection limit policy used by the trusted application proxy.
TCP parameter profile                  TCP parameter profile used by the trusted application proxy. This field is displayed only when the TCP parameter profile is configured.
TCP parameter profile (client-side)    Client-side TCP parameter profile used by the trusted application proxy. This field is displayed only when the client-side TCP parameter profile is configured.
TCP parameter profile (server-side)    Server-side TCP parameter profile used by the trusted application proxy. This field is displayed only when the server-side TCP parameter profile is configured.
DPI application profile                DPI application profile used by the trusted application proxy. This field is displayed only when a DPI application profile has been specified.
External authentication app-policy     External application authentication policy used by the trusted application proxy.
Connection limit                       Maximum number of connections for the trusted application proxy.
Rate limit                             Connection rate limit setting for the trusted application proxy.
Connections                            Maximum connection rate for the trusted application proxy.
SSL server policy                      Name of the SSL server policy. This field is displayed only for an HTTP trusted application proxy.
SSL client policy                      Name of the SSL client policy. This field is displayed only for an HTTP trusted application proxy.
HTTP protection policy                 HTTP protection policy used by the trusted application proxy. This field is displayed only when the HTTP protection policy is configured.
IAM trusted access controller          Name of the IAM trusted access controller used by the trusted application proxy.

 

display trusted-app-proxy statistics

Use display trusted-app-proxy statistics to display trusted application proxy statistics.

Syntax

display trusted-app-proxy statistics [ name trusted-proxy-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

name trusted-proxy-name: Specifies a trusted application proxy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays statistics for all trusted application proxies.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays trusted application proxy statistics for all member devices.

Examples

# Display statistics for trusted application proxy app.

<Sysname> display trusted-app-proxy statistics name app

Trusted application proxy: app

  Total connections: 979

  Active connections: 618

  Max connections: 661

    Recorded at 11:02:49 on Tue May 21 2019

  Connections per second: 146

  Max connections per second: 156

    Recorded at 11:02:49 on Tue May 21 2019

  Client input: 333332 bytes

  Client output: 472054 bytes

  Throughput: 4088 bps

  Inbound throughput: 1214 bps

  Outbound throughput: 2874 bps

  Max throughput: 4368 bps

    Recorded at 11:02:49 on Tue May 21 2019

  Max inbound throughput: 1214 bps

    Recorded at 11:02:49 on Tue May 21 2019

  Max outbound throughput: 3154 bps

    Recorded at 11:02:49 on Tue May 21 2019

  Received packets: 979

  Sent packets: 0

  Dropped packets: 0

  Received requests: 0

  Authentication permitted requests: 0

  Authentication denied requests: 0

  Redirected requests for login: 4

  Redirected requests for re-authentication: 0

Table 6 Command output

Field                                       Description
Trusted application proxy                   Name of the trusted application proxy.
Client input                                Traffic received from clients in bytes.
Client output                               Traffic sent to clients in bytes.
Throughput                                  Total packet throughput in bps.
Inbound throughput                          Inbound packet throughput in bps.
Outbound throughput                         Outbound packet throughput in bps.
Max throughput                              Maximum total packet throughput in bps.
Max inbound throughput                      Maximum inbound packet throughput in bps.
Max outbound throughput                     Maximum outbound packet throughput in bps.
Received packets                            Number of received packets.
Sent packets                                Number of packets sent by the trusted application proxy to clients.
Dropped packets                             Number of dropped packets.
Received requests                           Number of received HTTP requests. This field is displayed only for an HTTP trusted application proxy.
Dropped requests                            Number of dropped HTTP requests. This field is displayed only for an HTTP trusted application proxy.
Sent responses                              Number of sent HTTP responses. This field is displayed only for an HTTP trusted application proxy.
Dropped responses                           Number of dropped HTTP responses. This field is displayed only for an HTTP trusted application proxy.
Authentication permitted requests           Number of requests that are permitted in authorization.
Authentication denied requests              Number of requests that are denied in authorization.
Redirected requests for login               Number of requests redirected to the login page.
Redirected requests for re-authentication   Number of requests redirected to the reauthentication page.

 

Related commands

reset trusted-app-proxy statistics
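A parser for the display trusted-app-proxy statistics output documented above, as an added example in Python (not H3C code): it reads the counters, attaches each Recorded at line to the maximum it belongs to, and computes the share of authorization decisions that were denials, a useful signal for an unexpected policy change on the controller or for a burst of requests to resources the user is not entitled to. The sample output is constructed in the documented format with values chosen to trigger the checks; the denial-ratio threshold and the drop check are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the documented format (the counter values are made up).
SAMPLE = """\
Trusted application proxy: app
  Total connections: 979
  Active connections: 618
  Max connections: 661
    Recorded at 11:02:49 on Tue May 21 2019
  Client input: 333332 bytes
  Throughput: 4088 bps
  Received packets: 979
  Dropped packets: 3
  Received requests: 120
  Authentication permitted requests: 70
  Authentication denied requests: 45
  Redirected requests for login: 4
  Redirected requests for re-authentication: 1
"""

NAME_RE = re.compile(r"^\s*Trusted (?:application|API) proxy:\s*(?P<name>\S+)\s*$")
# A counter line: "  Key: 123", optionally followed by a unit (bytes or bps).
COUNTER_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<val>\d+)(?:\s*(?:bytes|bps))?\s*$")
# The timestamp under a "Max ..." counter; the reference shows both "Recorded" and "recorded".
RECORDED_RE = re.compile(r"^\s*[Rr]ecorded at\s+(?P<when>.+?)\s*$")


def parse_statistics(text: str) -> Dict[str, Dict[str, object]]:
    """Return {proxy name: {counter name: int, '<counter> (recorded at)': str}}."""
    stats: Dict[str, Dict[str, object]] = {}
    current = None
    last_key = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = stats.setdefault(m.group("name"), {})
            last_key = None
            continue
        if current is None:
            continue                                   # text before the first proxy block
        m = RECORDED_RE.match(line)
        if m and last_key is not None:
            current[last_key + " (recorded at)"] = m.group("when")
            continue
        m = COUNTER_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            current[last_key] = int(m.group("val"))
    return stats


def denial_ratio(proxy_stats: Dict[str, object]) -> float:
    """Share of authorization decisions (permitted + denied) that were denials."""
    permitted = int(proxy_stats.get("Authentication permitted requests", 0))
    denied = int(proxy_stats.get("Authentication denied requests", 0))
    decided = permitted + denied
    return denied / decided if decided else 0.0


def assess(stats: Dict[str, Dict[str, object]], max_denial_ratio: float = 0.2) -> List[str]:
    """Assumed checks: flag a proxy whose denial ratio exceeds the threshold and
    any proxy that dropped packets or HTTP requests."""
    findings: List[str] = []
    for name, s in stats.items():
        ratio = denial_ratio(s)
        if ratio > max_denial_ratio:
            findings.append(f"{name}: {ratio:.0%} of authorization decisions were denials")
        if int(s.get("Dropped packets", 0)) > 0 or int(s.get("Dropped requests", 0)) > 0:
            findings.append(f"{name}: dropped packets or requests present")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_statistics(SAMPLE)):
        print(finding)
```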

dpi-app-profile

Use dpi-app-profile to specify a DPI application profile for the trusted proxy.

Use undo dpi-app-profile to restore the default.

Syntax

dpi-app-profile app-profile-name

undo dpi-app-profile

Default

No DPI application profile is specified for a trusted proxy.

Views

HTTP trusted application proxy view

HTTP trusted API proxy view

Predefined user roles

network-admin

context-admin

Parameters

app-profile-name: Specifies a DPI application profile by its name, a case-insensitive string of 1 to 63 characters. For more information about DPI application profiles, see DPI engine in DPI Configuration Guide.

Usage guidelines

This command allows you to perform DPI on the traffic matching a trusted proxy, including IPS, anti-virus, and WAF. DPI helps you identify network attacks and security risks to secure the application servers and API servers. For more information about DPI application profiles, see DPI engine in DPI Configuration Guide.

Examples

# Specify DPI application profile profile_1 for HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] dpi-app-profile profile_1

Related commands

app-profile (DPI Command Reference)

display trusted-app-proxy

display trusted-api-proxy

lb-limit-policy

Use lb-limit-policy to specify an LB connection limit policy for the trusted proxy.

Use undo lb-limit-policy to restore the default.

Syntax

lb-limit-policy policy-name

undo lb-limit-policy

Default

No LB connection limit policy is specified for a trusted proxy.

Views

HTTP trusted application proxy view

HTTP trusted API proxy view

Predefined user roles

network-admin

context-admin

Parameters

policy-name: Specifies an LB connection limit policy by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

Use this command to limit the number of connections for traffic matching a trusted proxy.

The LB connection limit policy takes effect only on newly created sessions. Existing sessions are not affected. For more information about LB connection limit policies, see server load balancing configuration in Load Balancing Configuration Guide.

Examples

# Specify LB connection limit policy llp for HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] lb-limit-policy llp

Related commands

loadbalance limit-policy (Load Balancing Command Reference)

lb-policy

Use lb-policy to specify an LB policy for the trusted proxy.

Use undo lb-policy to restore the default.

Syntax

lb-policy policy-name

undo lb-policy

Default

No LB policy is specified for a trusted proxy.

Views

HTTP trusted application proxy view

HTTP trusted API proxy view

Predefined user roles

network-admin

context-admin

Parameters

policy-name: Specifies an LB policy by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

This command enables the trusted proxy to perform load balancing for packets matching the specified LB policy.

You can specify only a general or HTTP LB policy for an HTTP trusted proxy.

For more information about LB policies, see server load balancing configuration in Load Balancing Configuration Guide.

Examples

# Specify LB policy lbp1 for HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] lb-policy lbp1

Related commands

lb-policy (Load Balancing Command Reference)

local-service url

Use local-service url to specify the local service URL used to collaborate with the trusted access controller.

Use undo local-service url to restore the default.

Syntax

local-service url service-url

undo local-service url

Default

No local service URL is specified.

Views

IAM trusted access controller view

Predefined user roles

network-admin

context-admin

Parameters

service-url: Specifies a local service URL, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The local service URL is used to collaborate with the trusted access controller. The trusted access controller can notify the device of events such as user offline and user permission changes through the local service URL.

The local service URL must be in the format of protocol type://server IP address:port number.

·     The protocol type is HTTP or HTTPS.

·     The server IP address must be an IPv4 address.

You cannot specify the same local service URL for different trusted access controllers on a device.

Examples

# Configure local service URL https://10.153.10.120:443 for IAM trusted access controller tac.

<Sysname> system-view

[Sysname] trusted-access controller tac type iam

[Sysname-tac-iam-tac] local-service url https://10.153.10.120:443

Related commands

display trusted-access controller

peer-service url

parameter

Use parameter to specify a parameter profile for the trusted proxy.

Use undo parameter to remove the parameter profile from the trusted proxy.

Syntax

parameter tcp profile-name [ client-side | server-side ]

undo parameter tcp [ client-side | server-side ]

Default

No parameter profile is specified for a trusted proxy.

Views

Trusted application proxy view

Trusted API proxy view

Predefined user roles

network-admin

context-admin

Parameters

tcp: Specifies a TCP parameter profile.

profile-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.

client-side: Specifies a client-side TCP parameter profile.

server-side: Specifies a server-side TCP parameter profile.

Usage guidelines

A parameter profile is used to analyze, process, and optimize traffic received by the trusted proxy. The trusted proxy uses the settings in the parameter profile to process matching traffic.

If you specify a client-side TCP parameter profile for the trusted proxy, the system optimizes and processes TCP connections between the client and the device. If you specify a server-side TCP parameter profile for the trusted proxy, the system optimizes and processes TCP connections between the device and the server.

If you do not specify the client-side or server-side keyword, the TCP parameter profile applies to both the client side and the server side. Only TCP parameter profiles can be configured separately for the client side and the server side.

For more information about parameter profiles, see server load balancing configuration in Load Balancing Configuration Guide.

Examples

# Specify TCP parameter profile pp for HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] parameter tcp pp

Related commands

parameter-profile (Load Balancing Command Reference)

peer-service url

Use peer-service url to specify the peer service URL used for providing trusted access control services.

Use undo peer-service url to restore the default.

Syntax

peer-service url service-url

undo peer-service url

Default

No peer service URL is specified.

Views

IAM trusted access controller view

Predefined user roles

network-admin

context-admin

Parameters

service-url: Specifies a peer service URL, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The device uses the peer service URL to perform registration and authorization with the trusted access controller.

The peer service URL must be in the format of protocol type://server IP address:port number.

·     The protocol type is HTTP or HTTPS.

·     The server IP address must be an IPv4 address.
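A validator for the service URL rules stated above under local-service url and peer-service url, as an added example in Python (not H3C code): the protocol must be http or https, the host must be an IPv4 literal, an explicit port is required with nothing after it, the string must be 1 to 255 characters, and no two controllers may share a local service URL. The requirement that the port lie in 1 to 65535, and the controller names and URLs in the test data, are assumptions.

```python
import ipaddress
from typing import Dict, List
from urllib.parse import urlsplit


def validate_service_url(url: str) -> List[str]:
    """Return the rule violations for one local or peer service URL
    (an empty list means the URL is acceptable)."""
    problems: List[str] = []
    if not 1 <= len(url) <= 255:
        return ["length must be 1 to 255 characters"]
    parts = urlsplit(url)                      # urlsplit lowercases the scheme
    if parts.scheme not in ("http", "https"):
        problems.append(f"protocol must be http or https, got {parts.scheme or 'none'!r}")
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        problems.append("only protocol://IPv4-address:port is allowed")
    try:
        if ipaddress.ip_address(parts.hostname or "").version != 4:
            problems.append("server address must be an IPv4 address")
    except ValueError:
        problems.append("server address must be an IPv4 literal, not a host name")
    try:
        port = parts.port                       # None when absent; ValueError when not numeric
    except ValueError:
        port = None
    if port is None or not 1 <= port <= 65535:  # assumption: port 0 is not usable either
        problems.append("an explicit port number (1 to 65535) is required")
    return problems


def check_controllers(controllers: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """controllers maps a controller name to {'local': url, 'peer': url}.
    Returns a problem list per controller, including a local service URL that
    another controller on the same device already uses."""
    problems: Dict[str, List[str]] = {name: [] for name in controllers}
    seen_local: Dict[str, str] = {}
    for name, cfg in controllers.items():
        for role in ("local", "peer"):
            for p in validate_service_url(cfg[role]):
                problems[name].append(f"{role} service URL: {p}")
        key = cfg["local"].lower()              # URLs are case-insensitive per the reference
        if key in seen_local:
            problems[name].append(f"local service URL already used by controller {seen_local[key]}")
        else:
            seen_local[key] = name
    return problems


if __name__ == "__main__":
    # Constructed configuration: the second controller reuses the first one's local URL.
    demo = {
        "tac": {"local": "http://10.153.10.120:80", "peer": "http://10.153.10.121:80"},
        "tac2": {"local": "HTTP://10.153.10.120:80", "peer": "https://[1::1]:443"},
    }
    for ctrl, issues in check_controllers(demo).items():
        print(ctrl, issues or "ok")
```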

Examples

# Configure peer service URL http://10.153.10.121:80 for IAM trusted access controller tac.

<Sysname> system-view

[Sysname] trusted-access controller tac type iam

[Sysname-tac-iam-tac] peer-service url http://10.153.10.121:80

port

Use port to configure the port number for the trusted proxy.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The port number is 80 for a trusted proxy.

Views

Trusted application proxy view

Trusted API proxy view

Predefined user roles

network-admin

context-admin

Parameters

port-number: Specifies a port number in the range of 1 to 65535.

Usage guidelines

Use this command to configure the port number used for providing trusted application proxy or trusted API proxy services.

If the trusted proxy uses an SSL policy, you must specify a non-default port number for it (a typical example is 443).

Examples

# Configure port 8080 for HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] port 8080

protection-policy

Use protection-policy to specify an HTTP protection policy for the trusted proxy.

Use undo protection-policy to restore the default.

Syntax

protection-policy http policy-name

undo protection-policy http

Default

No protection policy is specified for a trusted proxy.

Views

HTTP trusted application proxy view

HTTP trusted API proxy view

Predefined user roles

network-admin

context-admin

Parameters

http: Specifies an HTTP protection policy.

policy-name: Specifies a protection policy by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

Use this command to protect URLs specified in an HTTP protection policy in order to prevent the application and API servers from being overwhelmed by a large number of forged requests.

For more information about HTTP protection policies, see server load balancing configuration in Load Balancing Configuration Guide.

Examples

# Specify HTTP protection policy p1 for HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] protection-policy http p1

Related commands

display trusted-api-proxy

display trusted-app-proxy

loadbalance protection-policy (Load Balancing Command Reference)

proxy ip address

Use proxy ip address to configure the IP address for the trusted proxy.

Use undo proxy ip address to restore the default.

Syntax

proxy ip address ipv4-address

undo proxy ip address

Default

No IP address is configured for a trusted proxy.

Views

Trusted application proxy view

Trusted API proxy view

Predefined user roles

network-admin

context-admin

Parameters

ipv4-address: Specifies an IPv4 address. The IPv4 address cannot be a loopback address, multicast address, broadcast address, or an address in the format of 0.X.X.X.

Usage guidelines

Use this command to configure the IPv4 address used for providing trusted application proxy or trusted API proxy services.

Examples

# Configure IPv4 address 1.1.1.1 for HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] proxy ip address 1.1.1.1

proxy ipv6 address

Use proxy ipv6 address to configure the IPv6 address for the trusted proxy.

Use undo proxy ipv6 address to restore the default.

Syntax

proxy ipv6 address ipv6-address

undo proxy ipv6 address

Default

No IPv6 address is configured for a trusted proxy.

Views

Trusted application proxy view

Trusted API proxy view

Predefined user roles

network-admin

context-admin

Parameters

ipv6-address: Specifies an IPv6 address. The IPv6 address cannot be a loopback address, multicast address, link-local address, or an all-zero address.

Usage guidelines

Use this command to configure the IPv6 address used for providing trusted application proxy or trusted API proxy services.

Examples

# Configure IPv6 address 1001::1 for HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] proxy ipv6 address 1001::1

rate-limit connection

Use rate-limit connection to configure the maximum connection rate for the trusted proxy.

Use undo rate-limit connection to restore the default.

Syntax

rate-limit connection connection-rate

undo rate-limit connection

Default

The maximum connection rate is 0 (not limited) for the trusted proxy.

Views

HTTP trusted application proxy view

HTTP trusted API proxy view

Predefined user roles

network-admin

context-admin

Parameters

connection-rate: Specifies the maximum connection rate in the range of 0 to 4294967295. The value 0 means the maximum connection rate is not limited for the trusted proxy.

Examples

# Configure the maximum connection rate as 10000 for HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] rate-limit connection 10000

reset trusted-access permitted-record

Use reset trusted-access permitted-record to clear user authorization success records.

Syntax

reset trusted-access permitted-record { api-auth | app-auth } user user-name

Views

User view

Predefined user roles

network-admin

context-admin

Parameters

api-auth: Specifies API authorization success records.

app-auth: Specifies application authorization success records.

user user-name: Specifies a user by username, a case-sensitive string of 1 to 63 characters.

Examples

# Clear application authorization success records for user test.

<Sysname> reset trusted-access permitted-record app-auth user test

Related commands

display trusted-access permitted-record

reset trusted-api-proxy statistics

Use reset trusted-api-proxy statistics to clear trusted API proxy statistics.

Syntax

reset trusted-api-proxy statistics [ trusted-proxy-name ]

Views

User view

Predefined user roles

network-admin

context-admin

Parameters

trusted-proxy-name: Specifies a trusted API proxy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command clears statistics for all trusted API proxies.

Examples

# Clear statistics for all trusted API proxies.

<Sysname> reset trusted-api-proxy statistics

Related commands

display trusted-api-proxy statistics

reset trusted-app-proxy statistics

Use reset trusted-app-proxy statistics to clear trusted application proxy statistics.

Syntax

reset trusted-app-proxy statistics [ trusted-proxy-name ]

Views

User view

Predefined user roles

network-admin

context-admin

Parameters

trusted-proxy-name: Specifies a trusted application proxy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command clears statistics for all trusted application proxies.

Examples

# Clear statistics for all trusted application proxies.

<Sysname> reset trusted-app-proxy statistics

Related commands

display trusted-app-proxy statistics

service enable (trusted access controller view)

Use service enable to enable the trusted access controller.

Use undo service enable to disable the trusted access controller.

Syntax

service enable

undo service enable

Default

The trusted access controller is disabled.

Views

IAM trusted access controller view

Predefined user roles

network-admin

context-admin

Examples

# Enable trusted access controller tac.

<Sysname> system-view

[Sysname] trusted-access controller tac type iam

[Sysname-tac-iam-tac] service enable

service enable (trusted app proxy/trusted api proxy view)

Use service enable to enable the trusted proxy.

Use undo service enable to disable the trusted proxy.

Syntax

service enable

undo service enable

Default

The trusted proxy is disabled.

Views

HTTP trusted application proxy view

HTTP trusted API proxy view

Predefined user roles

network-admin

context-admin

Examples

# Enable HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] service enable

ssl-client-policy (trusted access controller view)

Use ssl-client-policy to specify an SSL client policy used for establishing an SSL connection to the trusted access controller.

Use undo ssl-client-policy to restore the default.

Syntax

ssl-client-policy policy-name

undo ssl-client-policy

Default

No SSL client policy is specified for establishing an SSL connection to the trusted access controller.

Views

IAM trusted access controller view

Predefined user roles

network-admin

context-admin

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command is required if the peer service URL type is HTTPS. When the device acts as an SSL client, you can specify an SSL client policy to encrypt registration and authorization traffic sent to the trusted access controller.

For a modification of the SSL client policy for a trusted access controller to take effect, you must delete and then specify the policy again for the trusted access controller. For more information about SSL policies, see SSL configuration in Security Configuration Guide.

The device does not support SSL client policies using the exp_rsa_des_cbc_sha, exp_rsa_rc2_md5, exp_rsa_rc4_md5, or rsa_des_cbc_sha encryption suite.

Examples

# Specify SSL client policy scp for IAM trusted access controller tac.

<Sysname> system-view

[Sysname] trusted-access controller tac type iam

[Sysname-tac-iam-tac] ssl-client-policy scp

Related commands

peer-service url

ssl client-policy (Security Command Reference)

ssl-client-policy (trusted app proxy/trusted api proxy view)

Use ssl-client-policy to specify an SSL client policy for the trusted proxy to encrypt the traffic exchanged with the SSL server.

Use undo ssl-client-policy to restore the default.

Syntax

ssl-client-policy policy-name

undo ssl-client-policy policy-name

Default

No SSL client policy is specified for a trusted proxy.

Views

HTTP trusted application proxy view

HTTP trusted API proxy view

Predefined user roles

network-admin

context-admin

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

After modifying the SSL client policy for a trusted proxy, you must disable and then enable the trusted proxy for the modification to take effect. To disable the trusted proxy, use the undo service enable command in trusted proxy view. To enable the trusted proxy, use the service enable command in trusted proxy view.

The device does not support SSL client policies using the exp_rsa_des_cbc_sha, exp_rsa_rc2_md5, exp_rsa_rc4_md5, or rsa_des_cbc_sha encryption suite.

Examples

# Specify SSL client policy scp for HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] ssl-client-policy scp

Related commands

ssl client-policy (Security Command Reference)

ssl-server-policy (trusted access controller view)

Use ssl-server-policy to specify an SSL server policy used for establishing an SSL connection to the trusted access controller.

Use undo ssl-server-policy to restore the default.

Syntax

ssl-server-policy policy-name

undo ssl-server-policy

Default

No SSL server policy is specified for establishing an SSL connection to the trusted access controller.

Views

IAM trusted access controller view

Predefined user roles

network-admin

context-admin

Parameters

policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command is required if the local service URL type is HTTPS. Use this command to encrypt information such as user offline notifications and user permission changes sent by the trusted access controller.

For a modification of the SSL server policy for a trusted access controller to take effect, you must delete and then specify the policy again for the trusted access controller. For more information about SSL policies, see SSL configuration in Security Configuration Guide.

The device does not support SSL server policies using the exp_rsa_des_cbc_sha, exp_rsa_rc2_md5, exp_rsa_rc4_md5, or rsa_des_cbc_sha encryption suite.

Examples

# Specify SSL server policy ssp for IAM trusted access controller tac.

<Sysname> system-view

[Sysname] trusted-access controller tac type iam

[Sysname-tac-iam-tac] ssl-server-policy ssp

Related commands

local-service url

ssl server-policy (Security Command Reference)

ssl-server-policy (trusted app proxy/trusted api proxy view)

Use ssl-server-policy to specify an SSL server policy for the trusted proxy to encrypt the traffic exchanged with the SSL client.

Use undo ssl-server-policy to restore the default.

Syntax

ssl-server-policy policy-name

undo ssl-server-policy

Default

No SSL server policy is specified for a trusted proxy.

Views

HTTP trusted application proxy view

HTTP trusted API proxy view

Predefined user roles

network-admin

context-admin

Parameters

policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

After modifying the SSL server policy for a trusted proxy, you must disable and then enable the trusted proxy for the modification to take effect. To disable the trusted proxy, use the undo service enable command in trusted proxy view. To enable the trusted proxy, use the service enable command in trusted proxy view.

The device does not support SSL server policies using the exp_rsa_des_cbc_sha, exp_rsa_rc2_md5, exp_rsa_rc4_md5, or rsa_des_cbc_sha encryption suite.

Examples

# Specify SSL server policy ssp for HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] ssl-server-policy ssp

Related commands

ssl server-policy (Security Command Reference)
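The constraints this reference spreads across the port, proxy ip address, proxy ipv6 address, ssl-server-policy and trusted-access-controller iam commands can be checked before a proxy definition is pushed to the device. The following is an added Python example, not H3C code: the TrustedProxy model, its field names and the sample values are constructed, and the cipher suites a named SSL policy uses are assumed to be supplied by the caller, since they live in the device's SSL configuration rather than in trusted proxy view.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Cipher suites this reference lists as unsupported for SSL policies on the device.
UNSUPPORTED_SUITES = {"exp_rsa_des_cbc_sha", "exp_rsa_rc2_md5",
                      "exp_rsa_rc4_md5", "rsa_des_cbc_sha"}
DEFAULT_PORT = 80  # default of the port command for a trusted proxy


@dataclass
class TrustedProxy:
    """Constructed model of one trusted proxy; field names are ours, not H3C's."""
    name: str
    kind: str = "app"                          # "app" -> trusted-app-proxy, "api" -> trusted-api-proxy
    ip: Optional[str] = None                   # proxy ip address / proxy ipv6 address
    port: int = DEFAULT_PORT                   # port command
    ssl_server_policy: Optional[str] = None    # ssl-server-policy command
    ssl_suites: List[str] = field(default_factory=list)  # suites of that policy (assumed known)
    controller: Optional[str] = None           # trusted-access-controller iam command


def check_address(addr) -> Optional[str]:
    """Constraints of proxy ip address (IPv4) and proxy ipv6 address (IPv6)."""
    if addr.is_loopback or addr.is_multicast:
        return f"{addr} is a loopback or multicast address"
    if addr.version == 4:
        if addr == ipaddress.IPv4Address("255.255.255.255"):
            return "IPv4 broadcast address is not allowed"
        if addr.packed[0] == 0:
            return "IPv4 address in the form 0.X.X.X is not allowed"
    else:
        if addr.is_link_local:
            return "IPv6 link-local address is not allowed"
        if addr == ipaddress.IPv6Address("::"):
            return "IPv6 all-zero address is not allowed"
    return None


def validate(p: TrustedProxy) -> List[str]:
    """Return every constraint from this reference that the proxy violates."""
    problems: List[str] = []
    if not p.ip:
        problems.append("no proxy IP address configured")
    else:
        try:
            addr = ipaddress.ip_address(p.ip)
        except ValueError:
            problems.append(f"invalid IP address {p.ip!r}")
        else:
            err = check_address(addr)
            if err:
                problems.append(err)
    if not 1 <= p.port <= 65535:
        problems.append("port must be in the range 1 to 65535")
    if p.ssl_server_policy:
        if p.port == DEFAULT_PORT:
            problems.append("an SSL policy requires a non-default port (443 is typical)")
        bad = sorted(UNSUPPORTED_SUITES.intersection(s.lower() for s in p.ssl_suites))
        if bad:
            problems.append("SSL policy uses unsupported suite(s): " + ", ".join(bad))
    if not p.controller:
        problems.append("no IAM trusted access controller specified")
    return problems


def render(p: TrustedProxy) -> List[str]:
    """Render the CLI lines for a proxy that passes validate(); service enable goes
    last because an SSL policy change only takes effect after disable/enable."""
    problems = validate(p)
    if problems:
        raise ValueError("refusing to render an invalid proxy: " + "; ".join(problems))
    keyword = "ip" if ipaddress.ip_address(p.ip).version == 4 else "ipv6"
    lines = [f"trusted-{p.kind}-proxy {p.name} type http",
             f" proxy {keyword} address {p.ip}"]
    if p.port != DEFAULT_PORT:
        lines.append(f" port {p.port}")
    if p.ssl_server_policy:
        lines.append(f" ssl-server-policy {p.ssl_server_policy}")
    lines.append(f" trusted-access-controller iam {p.controller}")
    lines.append(" service enable")
    return lines
```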

trusted-access-controller iam (trusted app proxy/trusted api proxy view)

Use trusted-access-controller iam to specify an IAM trusted access controller for the trusted proxy.

Use undo trusted-access-controller iam to restore the default.

Syntax

trusted-access-controller iam controller-name

undo trusted-access-controller

Default

No trusted access controller is specified for a trusted proxy.

Views

HTTP trusted application proxy view

HTTP trusted API proxy view

Predefined user roles

network-admin

context-admin

Parameters

controller-name: Specifies a trusted access controller by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

Use this command to enable a trusted application proxy or trusted API proxy to use an IAM trusted access controller for implementing access control on traffic accessing the trusted proxy.

Examples

# Specify IAM trusted access controller tac for HTTP trusted application proxy app3.

<Sysname> system-view

[Sysname] trusted-app-proxy app3 type http

[Sysname-tap-http-app3] trusted-access-controller iam tac

Related commands

display trusted-api-proxy

display trusted-app-proxy

trusted-access controller

trusted-access controller (system view)

Use trusted-access controller to create a trusted access controller and enter trusted access controller view, or enter the view of an existing trusted access controller.

Use undo trusted-access controller to delete the specified trusted access controller.

Syntax

trusted-access controller controller-name type iam

undo trusted-access controller controller-name

Default

No trusted access controllers exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

controller-name: Specifies a trusted access controller by its name, a case-insensitive string of 1 to 63 characters.

type: Specifies the trusted access controller type. The controller type is not required when you enter the view of an existing trusted access controller. To specify the controller type, make sure it is the same as the one you specified upon creating the controller.

iam: Specifies the trusted access controller type as IAM.

Usage guidelines

This command allows the device to send user requests to the IAM trusted access controller for authentication and authorization. For users that have passed the authentication, the IAM trusted access controller validates user permissions to the requested resources.

Examples

# Create IAM trusted access controller tac and enter its view.

<Sysname> system-view

[Sysname] trusted-access controller tac type iam

[Sysname-tac-iam-tac]

trusted-api-proxy

Use trusted-api-proxy to create a trusted API proxy and enter trusted API proxy view, or enter the view of an existing trusted API proxy.

Use undo trusted-api-proxy to delete the specified trusted API proxy.

Syntax

trusted-api-proxy proxy-name type http

undo trusted-api-proxy proxy-name

Default

No trusted API proxies exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

proxy-name: Specifies a trusted API proxy by its name, a case-insensitive string of 1 to 63 characters.

type http: Specifies the trusted API proxy type. Only HTTP is supported in the current software version. To create a trusted API proxy, you must specify the proxy type. The proxy type is not required when you enter the view of an existing trusted API proxy. To specify the proxy type, make sure it is the same as the one you specified upon creating the trusted API proxy.

Usage guidelines

The trusted API proxy sends matching API requests to the trusted access controller for authentication and authorization. The trusted access controller will return the authentication and authorization results to the device to implement user access permission control.

The HTTP trusted API proxy feature requires a license to run on the device. For information about feature licensing, see Fundamentals Configuration Guide.

Examples

# Create HTTP trusted API proxy p2 and enter its view.

<Sysname> system-view

[Sysname] trusted-api-proxy p2 type http

[Sysname-tip-http-p2]

Related commands

display trusted-api-proxy

trusted-app-proxy

Use trusted-app-proxy to create a trusted application proxy and enter trusted application proxy view, or enter the view of an existing trusted application proxy.

Use undo trusted-app-proxy to delete the specified trusted application proxy.

Syntax

trusted-app-proxy proxy-name type http

undo trusted-app-proxy proxy-name

Default

No trusted application proxies exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

proxy-name: Specifies a trusted application proxy by its name, a case-insensitive string of 1 to 63 characters.

type http: Specifies the trusted application proxy type. Only HTTP is supported in the current software version. To create a trusted application proxy, you must specify the proxy type. The proxy type is not required when you enter the view of an existing trusted application proxy. To specify the proxy type, make sure it is the same as the one you specified upon creating the trusted application proxy.

Usage guidelines

The trusted application proxy sends matching application requests to the trusted access controller for authentication and authorization. The trusted access controller will return the authentication and authorization results to the device to implement user access permission control.

The HTTP trusted application proxy feature requires a license to run on the device. For information about feature licensing, see Fundamentals Configuration Guide.

Examples

# Create HTTP trusted application proxy p1 and enter its view.

<Sysname> system-view

[Sysname] trusted-app-proxy p1 type http

[Sysname-tap-http-p1]

Related commands

display trusted-app-proxy

 


CSAP trusted access control commands

peer-service url

Use peer-service url to specify the peer service URL used for providing trusted access control services.

Use undo peer-service url to restore the default.

Syntax

peer-service url service-url

undo peer-service url

Default

No peer service URL is specified.

Views

CSAP trusted access controller view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

service-url: Specifies a peer service URL, a case-insensitive string of 1 to 255 characters. Question marks (?) are supported.

Usage guidelines

The device uses the peer service URL to access the Threat Discovery and Security Operations Platform (CSAP) trusted access controller in order to obtain security status of users and assets.

The peer service URL must be in the format of protocol type://server IP address:port number/resource path.

·     The protocol type is HTTP or HTTPS. The default is HTTP.

·     The server IP address must be an IPv4 address.

To specify an IPv6 address in the URL, enclose the IPv6 address with a pair of square brackets, for example, http://[1234::5678]:8080.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure peer service URL http://10.153.10.121:80 for the CSAP trusted access controller.

<Sysname> system-view

[Sysname] trusted-access controller csap

[Sysname-tac-csap] peer-service url http://10.153.10.121:80

rule

Use rule to configure a trusted access rule.

Use undo rule to restore the default.

Syntax

rule user-risk-level { fallen | high-risk | low-risk | trust } asset-risk-level { fallen | high-risk | low-risk | trust } action { allow | deny }

undo rule user-risk-level { fallen | high-risk | low-risk | trust } asset-risk-level { fallen | high-risk | low-risk | trust }

Default

See CSAP trusted access control configuration in Security Configuration Guide.

Views

CSAP trusted access policy view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

user-risk-level: Specifies the user security status.

asset-risk-level: Specifies the asset security status.

fallen: Specifies the compromised security status.

high-risk: Specifies the high-risk security status.

low-risk: Specifies the low-risk security status.

trust: Specifies the trusted security status.

action: Specifies the action to take on access requests.

allow: Permits requests from users to access assets.

deny: Denies requests from users to access assets.

Usage guidelines

Use this command to configure trusted access rules that specify the actions to take on user requests to access assets based on their security statuses.

The device predefines 16 trusted access rules that can be edited. You cannot create or delete rules.

Examples

# In CSAP trusted access policy view, configure a rule that denies requests from users in high-risk security status to access assets in high-risk security status.

<Sysname> system-view

[Sysname] trusted-access policy csap

[Sysname-tap-csap] rule user-risk-level high-risk asset-risk-level high-risk action deny
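The 16 predefined rules form a 4 x 4 matrix of user security status against asset security status. The following added Python example (not H3C code) builds the whole matrix from a constructed "floor" policy, evaluates a request fail-closed, and renders the rule commands that would edit the predefined rules to match; the rank ordering and the floors are assumptions of the example, not the device's default rules.

```python
from itertools import product
from typing import Dict, List, Tuple

# Security-status keywords exactly as the rule syntax spells them.
LEVELS = ("fallen", "high-risk", "low-risk", "trust")
# Constructed ordering for this example, least to most trustworthy.
RANK = {level: i for i, level in enumerate(LEVELS)}
Matrix = Dict[Tuple[str, str], str]   # (user status, asset status) -> "allow" | "deny"


def build_matrix(user_floor: str, asset_floor: str) -> Matrix:
    """Constructed policy: allow only when the user is at or above user_floor AND
    the asset is at or above asset_floor; every other combination is deny."""
    if user_floor not in RANK or asset_floor not in RANK:
        raise ValueError("floor must be one of " + ", ".join(LEVELS))
    return {
        (u, a): "allow" if RANK[u] >= RANK[user_floor] and RANK[a] >= RANK[asset_floor] else "deny"
        for u, a in product(LEVELS, LEVELS)   # all 16 predefined rules
    }


def decide(matrix: Matrix, user_status: str, asset_status: str) -> str:
    """Fail closed: a status the matrix does not know (typo, no CSAP data) is denied."""
    return matrix.get((user_status, asset_status), "deny")


def render_rules(matrix: Matrix) -> List[str]:
    """Emit one rule command per combination in CSAP trusted access policy view,
    then enable the policy."""
    lines = ["trusted-access policy csap"]
    for (u, a), action in matrix.items():
        lines.append(f" rule user-risk-level {u} asset-risk-level {a} action {action}")
    lines.append(" service enable")
    return lines
```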

service enable

Use service enable to enable the CSAP trusted access policy.

Use undo service enable to disable the CSAP trusted access policy.

Syntax

service enable

undo service enable

Default

The CSAP trusted access policy is disabled.

Views

CSAP trusted access policy view

Predefined user roles

network-admin

context-admin

vsys-admin

Examples

# Enable the CSAP trusted access policy.

<Sysname> system-view

[Sysname] trusted-access policy csap

[Sysname-tap-csap] service enable

ssl-client-policy

Use ssl-client-policy to specify an SSL client policy used for establishing an SSL connection to the trusted access controller.

Use undo ssl-client-policy to restore the default.

Syntax

ssl-client-policy policy-name

undo ssl-client-policy

Default

No SSL client policy is specified for establishing an SSL connection to the trusted access controller.

Views

Trusted access controller view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command is required if the peer service URL type is HTTPS. When the device acts as an SSL client, you can specify an SSL client policy to encrypt traffic sent to the trusted access controller.

For modification of the SSL client policy for a trusted access controller to take effect, you must delete and then specify the policy again for the trusted access controller. For more information about SSL policies, see SSL configuration in Security Configuration Guide.

The CSAP trusted access controller does not support SSL client policies using the exp_rsa_des_cbc_sha, exp_rsa_rc2_md5, exp_rsa_rc4_md5, or rsa_des_cbc_sha encryption suite.

Examples

# Specify SSL client policy scp for the CSAP trusted access controller.

<Sysname> system-view

[Sysname] trusted-access controller csap

[Sysname-tac-csap] ssl-client-policy scp

Related commands

peer-service url

trusted-access controller csap

Use trusted-access controller csap to enter CSAP trusted access controller view.

Syntax

trusted-access controller csap

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

The device collaborates with the CSAP trusted access controller to obtain security status of users and assets, and controls access permissions for users to specific assets based on the specified trusted access policy.

Examples

# Enter CSAP trusted access controller view.

<Sysname> system-view

[Sysname] trusted-access controller csap

[Sysname-tac-csap]

trusted-access policy csap

Use trusted-access policy csap to enter CSAP trusted access policy view.

Syntax

trusted-access policy csap

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

A CSAP trusted access policy defines user access permissions to assets based on the security status of users and assets.

Based on the security status information obtained from the CSAP trusted access controller, the device uses the CSAP trusted access policy to implement asset access control.

Examples

# Enter CSAP trusted access policy view.

<Sysname> system-view

[Sysname] trusted-access policy csap

[Sysname-tap-csap]

vpn-instance

Use vpn-instance to specify a VPN instance for the trusted access controller.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The trusted access controller belongs to the public network.

Views

CSAP trusted access controller view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

Examples

# Specify VPN instance vpn1 for the CSAP trusted access controller.

<Sysname> system-view

[Sysname] trusted-access controller csap

[Sysname-tac-csap] vpn-instance vpn1
