04-DPI Command Reference
03-URL filtering commands
URL filtering commands
Non-default vSystems do not support some of the URL filtering commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.
add
Use add to add a blacklist or whitelist rule to a URL filtering policy.
Use undo add to delete a blacklist or whitelist rule from a URL filtering policy.
Syntax
add { blacklist | whitelist } [ id ] host { regex host-regex | text host-name } [ uri { regex uri-regex | text uri-name } ]
undo add { blacklist | whitelist } { id | all }
Default
No blacklist or whitelist rules exist in a URL filtering policy.
Views
URL filtering policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
blacklist: Specifies the blacklist rule type.
whitelist: Specifies the whitelist rule type.
id: Specifies a rule ID, an integer in the range of 1 to 65535. The ID of a blacklist or whitelist rule must be unique among all rules of the same type. If you do not specify a rule ID, the system automatically assigns an available ID based on the largest rule ID N already in use on the device:
· If N is smaller than 65535, the smallest available ID larger than N is used.
· If N equals 65535, the smallest available ID is used.
host: Matches the host field in the URL.
uri: Matches the URI field in the URL.
regex host-regex / regex uri-regex: Specifies a case-sensitive regular expression pattern. The string can start only with a letter, digit, or underscore (_), and it must contain a minimum of three consecutive non-wildcard characters.
· If the host keyword is specified, the string can contain 3 to 224 characters.
· If the uri keyword is specified, the string can contain 3 to 245 characters.
text host-name / text uri-name: Specifies a case-insensitive text string pattern, which must contain a minimum of three consecutive non-wildcard characters.
· If the host keyword is specified, the string can contain 3 to 224 characters. Valid characters are letters, digits, underscores (_), hyphens (-), colons (:), left square brackets ([), right square brackets (]), dots (.), and asterisks (*).
· If the uri keyword is specified, the string can contain 3 to 245 characters.
all: Specifies all rules of the specified type.
Usage guidelines
The device supports using URL-based whitelist and blacklist rules to filter HTTP packets. If the URL in an HTTP packet matches a blacklist rule, the packet is dropped. If the URL matches a whitelist rule, the packet is permitted to pass through.
Follow these guidelines when you use the asterisk character (*) in the text string pattern for hostname or URI matching:
· For hostname matching, the asterisk (*) can appear only at the beginning or end of the text string pattern as a wildcard character to match zero or more characters.
· For URI matching, the asterisk (*) can appear at the beginning or end of the text string pattern as a wildcard character to match zero or more characters, or appear in the middle as a non-wildcard character.
When you configure a regular expression in a blacklist or whitelist rule, follow these restrictions and guidelines:
· The regular expression pattern can contain a maximum of four branches (alternatives separated by |). For example, 'abc(c|d|e|\x3D)' is valid, and 'abc(c|onreset|onselect|onchange|style\x3D)' is invalid.
· Nested parentheses (groups) are not allowed. For example, 'ab((abcs*?))' is invalid.
· A group of branches cannot be followed by another group of branches. For example, 'ab(a|b)(c|d)^\\r\\n]+?' is invalid.
· A minimum of four non-wildcard characters must precede an asterisk (*) or question mark (?). For example, 'abc*' is invalid and 'abcd*DoS\x2d\d{5}\x20\x2bxi\\r\\nJOIN' is valid.
Examples
# In URL filtering policy news, add a blacklist rule to match URLs with the host field starting with games.com.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news] add blacklist 1 host text games.com*
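The wildcard and regex rules above (the same pattern rules apply to the rule command in a user-defined URL category) are easy to get wrong at the CLI, and a wildcard host pattern matches more, and less, than its author may expect. The following Python model is an added example, not H3C/Comware code and not part of this reference: it implements the documented wildcard, length and regex restrictions, and shows how a rule such as add blacklist 1 host text games.com* behaves against sample hosts. It assumes that a text pattern without a wildcard must match the whole host or URI field (the page describes games.com* as matching hosts starting with games.com) and uses Python's re module in place of the device's regex engine; make_rule, rule_matches, regex_restriction_violations and the sample host names are this example's own.

```python
import re
from typing import Optional, Tuple

# Added example, not H3C/Comware code: a model of the host/URI pattern rules
# documented for the add and rule commands, so that a pattern can be tried
# against sample URLs before it is committed to a policy. Assumptions: a text
# pattern without a wildcard must match the whole field (the page describes
# "games.com*" as "starting with games.com"), and Python's re module stands in
# for the device's regex engine.

LIMITS = {"host": 224, "uri": 245}          # documented maximum pattern lengths


def text_pattern_to_regex(pattern: str, field: str) -> re.Pattern:
    """Translate a case-insensitive text pattern into an anchored regex.
    host: '*' is a wildcard (zero or more characters) only at the start or end.
    uri:  '*' is a wildcard at the start or end and a literal in the middle.
    """
    if not 3 <= len(pattern) <= LIMITS[field]:
        raise ValueError(f"{field} pattern length must be 3..{LIMITS[field]}")
    core, prefix, suffix = pattern, "", ""
    if core.startswith("*"):
        prefix, core = ".*", core[1:]
    if core.endswith("*"):
        suffix, core = ".*", core[:-1]
    if field == "host" and "*" in core:
        raise ValueError("host text pattern: '*' is allowed only at the start or end")
    if max(len(seg) for seg in core.split("*")) < 3:
        raise ValueError("at least three consecutive non-wildcard characters are required")
    # re.escape keeps a mid-URI '*' literal, which is the documented behaviour.
    return re.compile("^" + prefix + re.escape(core) + suffix + "$", re.IGNORECASE)


def is_valid_text_pattern(pattern: str, field: str) -> bool:
    try:
        text_pattern_to_regex(pattern, field)
        return True
    except ValueError:
        return False


Rule = Tuple[re.Pattern, Optional[re.Pattern]]   # (host pattern, optional URI pattern)


def make_rule(host: str, uri: Optional[str] = None,
              host_regex: bool = False, uri_regex: bool = False) -> Rule:
    """Build the match part of 'add { blacklist | whitelist } host { regex | text } [ uri ... ]'."""
    host_pat = re.compile(host) if host_regex else text_pattern_to_regex(host, "host")
    if uri is None:
        return host_pat, None
    return host_pat, (re.compile(uri) if uri_regex else text_pattern_to_regex(uri, "uri"))


def rule_matches(rule: Rule, host: str, uri: str = "/") -> bool:
    """A rule matches when its host pattern matches and, if present, its URI pattern too."""
    host_pat, uri_pat = rule
    return bool(host_pat.search(host)) and (uri_pat is None or bool(uri_pat.search(uri)))


def regex_restriction_violations(pattern: str) -> list:
    """Approximate the documented restrictions on regex patterns; [] means none were hit."""
    problems, depth, top_groups, alternatives, literals, i = set(), 0, 0, 1, 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                      # an escape such as \x3D or \d counts as one literal
            literals += 1
            i += 4 if pattern[i + 1:i + 2] == "x" else 2
            continue
        if ch == "(":
            depth += 1
            if depth == 1:
                top_groups += 1
            if depth > 1:
                problems.add("nested groups")
            if top_groups > 1:
                problems.add("branch after branch")
        elif ch == "|":
            alternatives += 1
            if alternatives > 4:
                problems.add("more than four branches")
        elif ch == ")":
            depth, alternatives = depth - 1, 1
        elif ch in "*?":
            if literals < 4:
                problems.add("fewer than four non-wildcard characters before '*' or '?'")
        elif ch != ".":
            literals += 1
        i += 1
    return sorted(problems)


if __name__ == "__main__":
    page_rule = make_rule("games.com*")   # the page's own blacklist example
    # A trailing '*' is a prefix match: it also hits games.company.example but
    # misses cdn.games.com; pair an exact "games.com" rule with "*.games.com".
    for h in ("games.com", "games.company.example", "cdn.games.com", "mygames.com"):
        print(f"{h:24} games.com* -> {rule_matches(page_rule, h)}")
```

Running the script shows the point worth remembering when writing host patterns: games.com* matches games.com and games.company.example but not cdn.games.com, because a trailing asterisk is a prefix match, not a domain match. To cover a domain and its subdomains, configure an exact games.com rule together with a *.games.com rule. The regex checker accepts and rejects the page's own examples as the guidelines state, but it is only an approximation of the device's validator; the device remains the authority on what it accepts.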
attack-category action
Use attack-category action to specify actions for a URL reputation attack category.
Use undo attack-category action to restore the default.
Syntax
attack-category attack-id action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } logging { disable | enable }
undo attack-category attack-id
Default
No action is specified for a URL reputation attack category. The device permits packets that match an attack category to pass and logs the matching packets.
Views
URL filtering policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
attack-id: Specifies an attack category by its ID in the range of 1 to 65535. To obtain the attack category IDs corresponding to the attack category names, enter a question mark (?) at the position of this argument or use the display url-reputation attack-category command.
action: Specifies the action for the matching packets.
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits matching packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Closes the TCP connections for matching packets by sending TCP reset messages.
logging: Logs matching packets.
disable: Disables logging matching packets.
enable: Enables logging matching packets.
Usage guidelines
This command takes effect only when URL reputation is enabled.
In the URL reputation signature library, a URL can belong to multiple attack categories. You can specify actions for each attack category depending on the actual requirements.
If a URL belongs to only one attack category, the device takes the action specified for that attack category on packets that match the URL. If the URL belongs to multiple attack categories, the action specified for the attack category with the highest severity level applies to packets that match the URL. The block-source action has higher priority than the permit action.
If you enable logging for any attack category of a URL, the system logs all packets that match the URL.
Examples
# In URL filtering policy news, drop the packets that match attack category 1 in the URL reputation signature library, and enable logging matching packets.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news] attack-category 1 action drop logging enable
Related commands
display url-reputation attack-category
url-reputation enable
category action
Use category action to specify actions for a URL category.
Use undo category to remove the action setting from a URL category.
Syntax
category category-name action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]
undo category category-name
Default
A URL category does not have any action specified.
Views
URL filtering policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
category-name: Specifies a URL category by its name, a case-insensitive string of 1 to 63 characters. Chinese characters are supported.
action: Specifies the action for the matching packets.
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits matching packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Disconnects the TCP connection for matching packets.
logging: Logs matching packets.
parameter-profile parameter-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a profile, or if the specified profile does not exist, the URL filtering action uses the default parameter settings. For information about configuring parameter profiles, see "DPI engine commands."
Usage guidelines
If an HTTP packet matches a URL filtering rule in a URL category, the action specified for the category applies to the packet.
If the packet matches none of the URL filtering rules in the URL filtering policy, the default action specified for the policy applies to the packet. If the default action is not configured, the device permits the packet to pass.
If you execute this command for a URL category multiple times, the most recent configuration takes effect.
Examples
# In the URL filtering policy news, specify the drop action for the URL category sina.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news] category sina action drop
Related commands
inspect block-source parameter-profile
inspect redirect parameter-profile
url-filter category
url-filter policy
cloud-query enable
Use cloud-query enable to enable cloud query for URL filtering.
Use undo cloud-query enable to disable cloud query for URL filtering.
Syntax
cloud-query enable
undo cloud-query enable
Default
URL filtering cloud query is disabled.
Views
URL filtering policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
With cloud query enabled in a URL filtering policy, URLs that do not match any URL filtering rules in the policy are sent to the cloud server for further query. The device determines the actions for an HTTP packet based on the URL query results returned from the cloud server:
· If a matching rule is found, the rule and the name of the URL category to which the rule belongs are returned. The device executes the action specified for that URL category. If no action is specified for the URL category, the default action of the policy is executed.
· If no matching rule is found, the device executes the default action of the policy.
Examples
# Enable URL filtering cloud query in URL filtering policy news.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news] cloud-query enable
Related commands
url-filter policy
default-action
Use default-action to specify the default action for a URL filtering policy.
Use undo default-action to restore the default.
Syntax
default-action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]
undo default-action
Default
A URL filtering policy does not have any default action.
Views
URL filtering policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Disconnects the TCP connection for matching packets.
logging: Logs matching packets.
parameter-profile parameter-name: Specifies a DPI action parameter profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a profile, or if the specified profile does not exist, the DPI action uses the default parameter settings. For information about configuring parameter profiles for DPI actions, see "DPI engine commands."
Usage guidelines
The default action applies to packets that do not match any URL filtering rules.
Examples
# Set the default action to drop for URL filtering policy cmcc.
<Sysname> system-view
[Sysname] url-filter policy cmcc
[Sysname-url-filter-policy-cmcc] default-action drop
Related commands
inspect block-source parameter-profile
inspect redirect parameter-profile
url-filter policy
description
Use description to configure a description for a URL category.
Use undo description to restore the default.
Syntax
description text
undo description
Default
A user-defined URL category does not have a description.
Views
URL category view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
text: Specifies a description, a case-insensitive string of 1 to 255 characters. Spaces are allowed.
Usage guidelines
Use this command to configure descriptions for URL categories for easy maintenance.
Examples
# Configure the description as News information for URL category news.
<Sysname> system-view
[Sysname] url-filter category news
[Sysname-url-filter-category-news] description News information
display url-filter cache
Use display url-filter cache to display URL filtering cache information.
Syntax
display url-filter cache [ category category-name ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
category category-name: Specifies a URL category by its name, a case-insensitive string of 1 to 63 characters.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information for all member devices.
Usage guidelines
This command displays the cached entries in the URL filtering cache and the cloud query information.
Examples
# Display URL filtering cache information for all member devices.
<Sysname> display url-filter cache
Slot 1 :
Url-filter cache information:
Cloud-query status: Enabled
Total cached entries: 35
Min update interval: 906 seconds
Max update interval: 46760 seconds
Last query message sent: 906 seconds ago
Last query result received: 906 seconds ago
Slot 1 :
Url-filter cache verbose:
Host: 192.168.56.99
URI: /wnm/get.j?sessionid=200001a5de59aebeb0877f982e5c31f58728
Hit count: 15
Time elapsed since last update: 906 seconds
Category ID: 152
Cache query state: Query ended
Table 1 Command output
Field | Description |
---|---|
Url-filter cache information | URL filtering cache information. |
Cloud-query status | Whether cloud query is enabled or disabled. |
Total cached entries | Total number of cached URL entries. |
Min update interval | Shortest time elapsed since a cached entry was last updated, in seconds. |
Max update interval | Longest time elapsed since a cached entry was last updated, in seconds. |
Last query message sent | Number of seconds elapsed since the last query message was sent. |
Last query result received | Number of seconds elapsed since the last query result was received. |
Url-filter cache verbose | Detailed information about a cached URL entry. |
Host | Host field of the cached URL. |
URI | URI field of the cached URL. |
Hit count | Number of times the URL filtering rule has been matched. |
Time elapsed since last update | Number of seconds elapsed since the cached entry was last updated. |
Category ID | ID of the URL category to which the matching URL filtering rule belongs. This field is empty if no matching URL filtering rule is found for the URL. If the matching URL filtering rule belongs to multiple URL categories, the URL category IDs are displayed in a space-separated list. |
Cache query state | Query state of the URL: · In the cloud query—Cloud query is in progress. · Query ended—Cloud query is completed. |
Related commands
url-filter category
display url-filter category
Use display url-filter category to display URL category information.
Syntax
display url-filter { category | parent-category } [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
category: Specifies child URL categories.
parent-category: Specifies parent URL categories.
verbose: Displays detailed URL category information. If you do not specify this keyword, this command displays summarized URL category information.
Usage guidelines
The device supports two levels of predefined URL categories: child URL category and parent URL category. A predefined parent URL category contains only predefined child URL categories.
Examples
# Display information about child URL categories.
<Sysname> display url-filter category
URL category statistics:
Predefined categories: 53
Predefined rules: 2000
User-defined categories: 5
User-defined rules: 4
URL categories:
Name : 23
Name : 24
Name : 33
Name : Pre-AdvertisementsAndPop-Ups
Name : Pre-AlcoholAndTobacco
Name : Pre-Anonymizers
Name : Pre-Arts
Name : Pre-Business
Name : Pre-Chat
Name : Pre-ComputersAndTechnology
Name : Pre-CriminalActivity
Name : Pre-Cults
Name : Pre-DatingAndPersonals
Name : Pre-DownloadSites
Name : Pre-Education
Name : Pre-Entertainment
Name : Pre-FashionAndBeauty
…
# Display detailed information about child URL categories.
<Sysname> display url-filter category verbose
URL category statistics:
Predefined categories: 53
Predefined rules: 2000
User-defined categories: 5
User-defined rules: 4
URL category details:
Name: 23
Type: User defined
Severity: 1001
Rules: 1
Description:
Name: 24
Type: User defined
Severity: 1002
Rules: 1
Description:
Name: Pre-AdvertisementsAndPop-Ups
Type: Predefined
Severity: 300
Rules: 32
Description: Sites that provide advertising graphics or other ad content files such as banners and pop-ups.
Name: Pre-AlcoholAndTobacco
Type: Predefined
Severity: 960
Rules: 7
Description: Sites that promote or sell alcohol- or tobacco-related products or services.
...
Table 2 Command output
Field | Description |
---|---|
Predefined categories | Number of predefined child URL categories. |
Predefined rules | Number of predefined URL filtering rules. |
User-defined categories | Number of user-defined child URL categories. |
User-defined rules | Number of user-defined URL filtering rules. |
URL category details | Detailed information about the child URL categories. |
Name | Name of the child URL category. |
Type | Type of the child URL category, Predefined or User defined. |
Severity | Severity level of the child URL category. |
Rules | Number of rules in the child URL category. |
Description | Description of the child URL category. |
# Display information about parent URL categories.
<Sysname> display url-filter parent-category
URL parent category statistics:
Predefined parent categories: 40
Included predefined categories: 14
URL parent categories:
Parent category name: SearchEngineAndPortal
Parent category name: P2PAndDownload
Parent category name: OrdinaryDownload
Parent category name: House
Parent category name: EducationAndScientificResearch
Parent category name: Finance
Parent category name: StreamMediaAndVideo
Parent category name: Shopping
Parent category name: TransportationVehicle
Parent category name: Travel
...
# Display detailed information about parent URL categories.
<Sysname> display url-filter parent-category verbose
URL parent category statistics:
Predefined parent categories: 46
Included predefined categories: 139
URL parent category details:
Parent category name: Pre-Adult
Type: Predefined
Description: Adult
Included categories: 7
Pre-Abortion
Pre-AdultSuppliers
Pre-Homosexual
Pre-Nudity
Pre-OtherAdult
Pre-SexualHealth
Pre-Vulgar
Parent category name: Pre-Arts
Type: Predefined
Description: Arts
Included categories: 1
Pre-Arts
...
Table 3 Command output
Field | Description |
---|---|
Predefined parent categories | Number of predefined parent URL categories. |
Included predefined categories | Total number of predefined URL categories included in all parent URL categories. |
URL parent category details | Detailed information about the parent URL categories. |
Parent category name | Name of the parent URL category. |
Type | Type of the parent URL category. The device supports only predefined parent URL categories. |
Description | Description of the parent URL category. |
Included categories | Number of child URL categories in the parent URL category, followed by their names. |
display url-filter signature library
Use display url-filter signature library to display information about the URL signature library.
Syntax
display url-filter signature library
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display information about the URL signature library.
<Sysname> display url-filter signature library
URL filter signature library information:
Type SigVersion ReleaseTime Size
Current 1.0.0 Wed Jan 21 06:43:53 2015 36096
(null) - - -
Factory 1.0.0 Wed Jan 21 06:43:53 2015 36096
Table 4 Command output
Field | Description |
---|---|
Type | Version of the URL signature library: · Current—Current version. · Last—Previous version. · Factory—Factory default version. |
SigVersion | Version number. |
ReleaseTime | Time when the URL signature library was released. |
Size | Size of the URL signature library, in bytes. |
display url-filter statistics
Use display url-filter statistics to display URL filtering statistics.
Syntax
display url-filter statistics
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display URL filtering statistics.
<Sysname> display url-filter statistics
--------------------------------------------------------
Slot 1 :
Total HTTP requests : 0
Total HTTPS handshakes : 0
Total logged requests : 0
Total logging rate : 0/s
Total permitted requests and handshakes : 0
Total denied requests : 0
Requests that matched the blacklist : 0
Requests that matched the whitelist : 0
Requests that matched the referer-whitelist : 0
Requests that matched a user-defined rule : 0
Requests that matched a predefined rule : 0
Requests that matched a cached rule : 0
Requests that matched the default action : 0
Requests that matched URLs in URL reputation library : 0
Predefined URL filtering rules : 2000
--------------------------------------------------------
Table 5 Command output
Field | Description |
---|---|
Total HTTP requests | Total number of HTTP requests inspected. |
Total HTTPS handshakes | Total number of HTTPS handshakes inspected. |
Total logged requests | Total number of logged requests. |
Total logging rate | Logging rate, in requests per second. |
Total permitted requests and handshakes | Total number of permitted HTTP requests and HTTPS handshakes. |
Total denied requests | Total number of denied requests. |
Requests that matched the blacklist | Number of requests that matched a blacklist rule. |
Requests that matched the whitelist | Number of requests that matched a whitelist rule. |
Requests that matched the referer-whitelist | Number of requests whose Referer header matched a whitelist rule. |
Requests that matched a user-defined rule | Number of requests that matched a user-defined URL filtering rule. |
Requests that matched a predefined rule | Number of requests that matched a predefined URL filtering rule. |
Requests that matched a cached rule | Number of requests that matched a cached URL filtering rule. |
Requests that matched the default action | Number of requests on which the default action was executed. |
Requests that matched URLs in URL reputation library | Number of requests that matched URLs in the URL reputation signature library. |
Predefined URL filtering rules | Total number of predefined URL filtering rules. |
display url-reputation attack-category
Use display url-reputation attack-category to display URL reputation attack category information in a URL filtering policy.
Syntax
display url-reputation attack-category
Views
URL filtering policy view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Usage guidelines
Use this command when URL reputation is enabled.
If no action is specified for an attack category, the default actions apply. The device permits packets that match the attack category to pass and logs these packets.
Examples
# Display URL reputation attack category information in URL filtering policy abc.
<Sysname> system-view
[Sysname] url-filter policy abc
[Sysname-url-filter-policy-abc] display url-reputation attack-category
Attack ID Attack name Action Logging
-------------------------------------------------------
1 C&C permit enable
2 Network_Worm permit enable
3 Risk_Software permit enable
4 Malware permit enable
5 Trojan permit enable
6 Infectious_Virus permit enable
7 Trojan_the_Thief permit enable
8 Ransomware permit enable
9 miner permit enable
10 Botnet permit enable
15 tor permit enable
16 Porn_Website permit enable
17 Gambling_Website permit enable
18 Phishing_Website permit enable
19 Fraud_Website permit enable
20 spam permit enable
21 Malicious_Email permit enable
22 DGA permit enable
23 APT permit enable
Table 6 Command output
Field | Description |
---|---|
Attack ID | Attack category ID. |
Attack name | Attack category name. |
Action | Action on packets that match the attack category: · block-source—Drops matching packets and adds the sources of the packets to the IP blacklist. · drop—Drops matching packets. · permit—Permits matching packets to pass. · reset—Closes the TCP connections for matching packets by sending TCP reset messages or closes the UDP connections for matching packets by sending ICMP port unreachable messages. · redirect—Redirects matching packets to a webpage. |
Logging | State of logging: enable or disable. |
Related commands
attack-category action
display url-reputation signature library
Use display url-reputation signature library to display information about the URL reputation signature library.
Syntax
display url-reputation signature library
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display information about the URL reputation signature library.
<Sysname> display url-reputation signature library
URL reputation signature library information:
Type SigVersion ReleaseTime Size
Current 1.0.6 Tue Jul 28 12:32:55 2020 10492240
Last - - -
Factory - - -
Table 7 Command output
Field | Description |
---|---|
Type | Version of the URL reputation signature library: · Current—Current version. · Last—Previous version. · Factory—Factory default version. This version is not supported in the current software version. |
SigVersion | Version number. |
ReleaseTime | Time when the URL reputation signature library was released. |
Size | Size of the URL reputation signature library, in bytes. |
https-filter enable
Use https-filter enable to enable HTTPS URL filtering.
Use undo https-filter enable to disable HTTPS URL filtering.
Syntax
https-filter enable
undo https-filter enable
Default
HTTPS URL filtering is disabled.
Views
URL filtering policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
By default, the device supports only HTTP URL filtering. To filter HTTPS traffic, use either of the following methods:
· Use SSL decryption to decrypt the HTTPS traffic and then perform HTTP URL filtering on the decrypted traffic. For more information about SSL decryption, see proxy policy configuration in DPI Configuration Guide.
SSL decryption involves a large number of encryption and decryption operations, which might degrade device forwarding performance. As a best practice, use this method only when the device must perform URL filtering on HTTPS traffic.
· Enable HTTPS URL filtering. This feature performs URL filtering on undecrypted HTTPS traffic. The device inspects the Client Hello message from the client, extracts the server name from the Server Name Indication (SNI) extension, and matches that name against the URL filtering policy.
If SSL decryption is configured, this command does not take effect. For more information about SSL decryption, see proxy policy configuration in DPI Configuration Guide.
In HTTPS URL filtering, only the hostname match criterion in a URL filtering rule takes effect. The URI match criterion does not take effect, because the request line is encrypted.
This feature takes effect only when the hostname field in the URL is the server's domain name. It does not apply to HTTPS traffic whose hostname field is an IP address, because the SNI extension carries domain names only.
This feature does not take effect in the following situations:
· The client encrypts the SNI, for example by using the TLS 1.3 Encrypted Client Hello (ECH) mechanism, so the server name cannot be read from the Client Hello.
· The HTTPS packets do not have the SNI extension.
Examples
# Enable HTTPS URL filtering in URL filtering policy news.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news] https-filter enable
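The SNI-based matching described in the usage guidelines, as an added example that is not part of this reference and not H3C/Comware code: a parser that pulls the server name out of an undecrypted TLS Client Hello, the only field HTTPS URL filtering can match on, and returns nothing when the extension is absent or carries an IP literal, the two cases the guidelines say the feature does not handle. The ClientHello builder, the host names and the function names (build_client_hello, extract_sni, https_filter_host) are constructed for this example; the record layout follows RFC 5246/8446 and the server_name extension follows RFC 6066.

```python
import ipaddress
import struct
from typing import Optional

# Added example, not H3C/Comware code: reading the server name from a TLS
# Client Hello the way HTTPS URL filtering is described as doing, without any
# decryption. The ClientHello builder and the host names are constructed for
# this example; the record layout follows RFC 5246/8446 and the server_name
# extension follows RFC 6066.


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal ClientHello record, with or without a server_name extension."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")                     # RFC 6066: HostName is ASCII (A-labels)
        sni_list = struct.pack("!BH", 0, len(name)) + name     # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        extensions += struct.pack("!HH", 0, len(sni_ext)) + sni_ext   # extension type 0 = server_name
    body = (
        b"\x03\x03"                                            # legacy_version TLS 1.2
        + bytes(32)                                            # random (constructed, all zero)
        + b"\x00"                                              # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"                   # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                          # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the server_name extension, or None if there is none.
    None also covers anything that is not a ClientHello and malformed or truncated records.
    """
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                       # not client_hello
            return None
        p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        i = 2 + 32                                              # skip legacy_version and random
        i += 1 + p[i]                                           # session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]             # cipher_suites
        i += 1 + p[i]                                           # compression_methods
        if i >= len(p):
            return None                                         # no extensions block at all
        end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", p[i:i + 4])
            data = p[i + 4:i + 4 + ext_len]
            i += 4 + ext_len
            if ext_type != 0:
                continue
            j = 2                                               # skip server_name_list length
            while j + 3 <= len(data):
                name_type, name_len = data[j], struct.unpack("!H", data[j + 1:j + 3])[0]
                if name_type == 0:
                    return data[j + 3:j + 3 + name_len].decode("ascii")
                j += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


def https_filter_host(record: bytes) -> Optional[str]:
    """The host value HTTPS URL filtering can match on: the SNI, unless absent or an IP literal."""
    name = extract_sni(record)
    if name is None:
        return None
    try:
        ipaddress.ip_address(name)          # a (non-conformant) IP literal: documented as not filtered
        return None
    except ValueError:
        return name


if __name__ == "__main__":
    for sni in ("www.example.com", "192.0.2.10", None):
        print(sni, "->", https_filter_host(build_client_hello(sni)))
```

Both the extension and its contents are sent by the client in the clear and are not authenticated, so the device can only match whatever name the client chose to put there; that is why only the hostname criterion applies and why a missing extension yields no match. With Encrypted Client Hello, the outer Client Hello carries only the public name from the server's ECH configuration rather than the real destination, which is the situation the usage guidelines list as the feature not taking effect.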
Related commands
action ssl-decrypt
include pre-defined
Use include pre-defined to add the URL filtering rules of a predefined URL category to a user-defined URL category.
Use undo include pre-defined to restore the default.
Syntax
include pre-defined category-name
undo include pre-defined
Default
A user-defined URL category does not contain the URL filtering rules of any predefined URL category.
Views
URL category view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
category-name: Specifies a predefined URL category by its name, a case-sensitive string of 1 to 63 characters. The specified URL category must exist on the device.
Usage guidelines
To simplify URL category configuration, you can use this command to add the URL filtering rules of a predefined URL category to a user-defined URL category.
You can add URL filtering rules of only one predefined URL category to a user-defined URL category. If you execute this command for a URL category multiple times, the most recent configuration takes effect.
Examples
# Add the URL filtering rules of predefined URL category Pre-Arts to URL category news.
<Sysname> system-view
[Sysname] url-filter category news
[Sysname-url-filter-category-news] include pre-defined Pre-Arts
referer-whitelist enable
Use referer-whitelist enable to enable the referer whitelist.
Use undo referer-whitelist enable to disable the referer whitelist.
Syntax
referer-whitelist enable
undo referer-whitelist enable
Default
Referer whitelist is enabled.
Views
URL filtering policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The referer whitelist is useful when you want to allow users to access the links on webpages that match whitelist rules.
If this feature is disabled, users can visit a webpage whose URL matches a whitelist rule, but other links on that webpage are inaccessible when they do not themselves match a whitelist rule. To solve this problem, enable this feature. The device then extracts the Referer header of an HTTP or HTTPS request and compares it with the whitelist rules. If a match is found, the device permits the request to pass through. If no match is found, the device drops the request. Because the Referer header is supplied by the client, treat the referer whitelist as a convenience for legitimate browsing rather than as a control that a client cannot bypass.
Examples
# Enable referer whitelist in URL filtering policy news.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news] referer-whitelist enable
Related commands
add
rename
Use rename to rename a URL filtering policy.
Syntax
rename new-name
Views
URL filtering policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
new-name: Specifies a new name for the URL filtering policy, a case-insensitive string of 1 to 31 characters.
Usage guidelines
If you change the name of a URL filtering policy that has been assigned to a DPI application profile, the policy name in the DPI application profile is also changed.
Examples
# Rename URL filtering policy news to hello, and enter the view of URL filtering policy hello.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news] rename hello
[Sysname-url-filter-policy-hello]
reset url-filter statistics
Use reset url-filter statistics to clear URL filtering statistics.
Syntax
reset url-filter statistics
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Examples
# Clear URL filtering statistics.
<Sysname> reset url-filter statistics
Related commands
display url-filter statistics
rule
Use rule to create a URL filtering rule for a user-defined URL category.
Use undo rule to delete a URL filtering rule from a user-defined URL category.
Syntax
rule rule-id host { regex regex | text string } [ uri { regex regex | text string } ]
undo rule rule-id
Default
A user-defined URL category does not have any URL filtering rules.
Views
URL category view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
rule-id: Assigns an ID to the URL filtering rule, in the range of 1 to 65535.
host: Matches URLs by the hostname field.
uri: Matches URLs by the URI field.
regex regex: Specifies a case-sensitive regular expression string pattern. The string can start with only letters, digits, or underscores (_), and it must contain a minimum of three consecutive non-wildcard characters.
· If the host keyword is specified, the string can contain 3 to 224 characters.
· If the uri keyword is specified, the string can contain 3 to 253 characters.
text string: Specifies a case-insensitive text string pattern, which must contain a minimum of three consecutive non-wildcard characters.
· If the host keyword is specified, the string can contain 3 to 224 characters. Valid characters are letters, digits, underscores (_), hyphens (-), colons (:), left square brackets ([), right square brackets (]), dots (.), and asterisk (*).
· If the uri keyword is specified, the string can contain 3 to 255 characters.
Usage guidelines
A URL filtering rule supports the following URL matching methods:
· Text-based matching—Matches the hostname and URI fields of a URL against text string patterns.
When performing text-based matching for the hostname field of a URL, the device first determines if the text string pattern contains the asterisk (*) wildcard character at the beginning or end.
○ If the text string pattern does not contain the asterisk (*) wildcard character at the beginning or end, the hostname matching succeeds if the hostname of the URL matches the text string pattern.
○ If the text string pattern contains the asterisk (*) wildcard character at the beginning, the hostname matching succeeds if the hostname of the URL matches or ends with the text string pattern without the wildcard character.
○ If the text string pattern contains the asterisk (*) wildcard character at the end, the hostname matching succeeds if the hostname of the URL matches or starts with the text string pattern without the wildcard character.
○ If the text string pattern contains the asterisk (*) wildcard character at both the beginning and the end, the hostname matching succeeds if the hostname of the URL matches or includes the text string pattern without the wildcard characters.
Text-based matching for the URI field works in the same way that text-based matching for the hostname field works.
· Regular expression-based matching—Matches the hostname and URI fields of a URL against regular expressions. For example, if you set the regular expression for hostname matching to sina.*cn, URLs that carry the news.sina.com.cn hostname will be matched.
Follow these guidelines when you use the asterisk character (*) in the text string for hostname or URI matching:
· For hostname matching, the asterisk (*) can appear only at the beginning or end of the text string as a wildcard character to match zero or more characters.
· For URI matching, the asterisk (*) can appear at the beginning or end of the text string pattern as a wildcard character to match zero or more characters, or appear in the middle as a non-wildcard character.
When you configure a regular expression in a URL filtering rule, follow these restrictions and guidelines:
· The regular expression pattern can contain a maximum of four branches. For example, 'abc(c|d|e|\x3D)' is valid, and 'abc(c|onreset|onselect|onchange|style\x3D)' is invalid.
· Nested braces are not allowed. For example, 'ab((abcs*?))' is invalid.
· A branch cannot be specified after another branch. For example, 'ab(a|b)(c|d)^\\r\\n]+?' is invalid.
· A minimum of four non-wildcard characters must exist before an asterisk (*) or question mark (?). For example, 'abc*' is invalid and 'abcd*DoS\x2d\d{5}\x20\x2bxi\\r\\nJOIN' is valid.
Examples
# In URL category news, create a URL filtering rule to match URLs with the host field starting with sina.com.
<Sysname> system-view
[Sysname] url-filter category news
[Sysname-url-filter-category-news] rule 10 host text sina.com*
Related commands
url-filter category
update schedule (automatic URL signature library update configuration view)
Use update schedule to configure a schedule for automatic URL signature library update.
Use undo update schedule to restore the default.
Syntax
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
undo update schedule
Default
The device starts the URL signature library update at a random time between 01:00:00 and 03:00:00 every day.
Views
Automatic URL signature library update configuration view
Predefined user roles
network-admin
context-admin
Parameters
daily: Updates the URL signature library every day.
weekly: Updates the URL signature library every week.
fri: Updates the URL signature library every Friday.
mon: Updates the URL signature library every Monday.
sat: Updates the URL signature library every Saturday.
sun: Updates the URL signature library every Sunday.
thu: Updates the URL signature library every Thursday.
tue: Updates the URL signature library every Tuesday.
wed: Updates the URL signature library every Wednesday.
start-time time: Specifies the start time in hh:mm:ss format. The value range is 00:00:00 to 23:59:59.
tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will start at a random time between the following time points:
· Start time minus half the tolerance time.
· Start time plus half the tolerance time.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Configure the device to automatically start the URL signature library update every Sunday at a random time between 20:25:00 and 20:35:00.
<Sysname> system-view
[Sysname] url-filter signature auto-update
[Sysname-url-filter-autoupdate] update schedule weekly sun start-time 20:30:00 tingle 10
Related commands
url-filter signature auto-update
update schedule (automatic URL reputation signature library update configuration view)
Use update schedule to configure a schedule for automatic URL reputation signature library update.
Use undo update schedule to restore the default.
Syntax
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
undo update schedule
Default
The device starts the URL reputation signature library update at a random time between 01:00:00 and 03:00:00 every day.
Views
Automatic URL reputation signature library update configuration view
Predefined user roles
network-admin
context-admin
Parameters
daily: Updates the URL reputation signature library every day.
weekly: Updates the URL reputation signature library every week.
fri: Updates the URL reputation signature library every Friday.
mon: Updates the URL reputation signature library every Monday.
sat: Updates the URL reputation signature library every Saturday.
sun: Updates the URL reputation signature library every Sunday.
thu: Updates the URL reputation signature library every Thursday.
tue: Updates the URL reputation signature library every Tuesday.
wed: Updates the URL reputation signature library every Wednesday.
start-time time: Specifies the start time in hh:mm:ss format. The value range is 00:00:00 to 23:59:59.
tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will start at a random time between the following time points:
· Start time minus half the tolerance time.
· Start time plus half the tolerance time.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Configure the device to automatically start the URL reputation signature library update every Monday at a random time between 20:25:00 and 20:35:00.
<Sysname> system-view
[Sysname] url-reputation signature auto-update
[Sysname-url-reputation-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10
Related commands
url-reputation signature auto-update
url-filter apply policy
Use url-filter apply policy to apply a URL filtering policy to a DPI application profile.
Use undo url-filter apply policy to remove the URL filtering policy from a DPI application profile.
Syntax
url-filter apply policy policy-name
undo url-filter apply policy
Default
No URL filtering policy is applied to a DPI application profile.
Views
DPI application profile view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name: Specifies a URL filtering policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A URL filtering policy takes effect only after it is applied to a DPI application profile.
You can apply only one URL filtering policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply URL filtering policy news to DPI application profile abc.
<Sysname> system-view
[Sysname] app-profile abc
[Sysname-app-profile-abc] url-filter apply policy news
Related commands
app-profile
display app-profile
display url-filter policy
url-filter cache size
Use url-filter cache size to set the URL filtering cache size.
Use undo url-filter cache size to restore the default.
Syntax
url-filter cache size cache-size
undo url-filter cache size
Default
The URL filtering cache can cache a maximum of 16384 URL entries.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
cache-size: Specifies the cache size in the range of 8192 to 65535.
Usage guidelines
Non-default vSystems do not support this command.
The device caches the URL filtering rules and categories returned from the cloud server. The cached rules can be used directly for subsequent URL filtering.
This command is supported only on the default context. For more information about contexts, see context configuration in Virtual Technologies Configuration Guide.
Examples
# Set the URL filtering cache size to 20000.
<Sysname> system-view
[Sysname] url-filter cache size 20000
url-filter cache-time
Use url-filter cache-time to set the minimum cache time for a URL filtering rule.
Use undo url-filter cache-time to restore the default.
Syntax
url-filter cache-time value
undo url-filter cache-time
Default
The minimum cache time of a URL filtering rule is 10 minutes.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
value: Specifies the minimum cache time in minutes. The value range is 10 to 720.
Usage guidelines
Non-default vSystems do not support this command.
Setting the minimum cache time for URL filtering rules ensures that the cached rules will not be deleted during the specified period of time.
When the URL filtering cache is full, the system identifies the cache time of the oldest URL filtering rule to determine whether to overwrite it:
· If the cache time of the rule is equal to or less than the minimum cache time, the system does not delete the rule. The new rule is not cached.
· If the cache time of the rule is greater than the minimum cache time, the system overwrites the rule with the new rule.
This command is supported only on the default context. For more information about contexts, see context configuration in Virtual Technologies Configuration Guide.
Examples
# Set the minimum cache time to 36 minutes for URL filtering rules.
<Sysname> system-view
[Sysname] url-filter cache-time 36
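The cache behaviour described above (a bounded cache whose oldest rule is overwritten only once it is older than the minimum cache time), as an added Python model; this is a constructed illustration, not the device's code, and UrlFilterCache and FakeClock are hypothetical names:

```python
# Added illustration of the behaviour described for url-filter cache size and
# url-filter cache-time. Constructed model only, not the device's implementation.


class UrlFilterCache:
    """Caches the category the cloud server returned for a URL, honouring a
    maximum entry count and a minimum cache time for every entry."""

    def __init__(self, size=16384, min_cache_minutes=10, clock=None):
        self.size = size                           # url-filter cache size
        self.min_age = min_cache_minutes * 60      # url-filter cache-time, in seconds
        self.clock = clock or (lambda: 0)
        self.entries = {}                          # url -> (category, cached_at)

    def lookup(self, url):
        """Cached category, or None when the URL must be sent to the cloud server."""
        hit = self.entries.get(url)
        return hit[0] if hit else None

    def put(self, url, category):
        """Cache a rule returned by the cloud server. Returns False when the cache
        is full and its oldest rule is still within the minimum cache time."""
        now = self.clock()
        if url in self.entries or len(self.entries) < self.size:
            self.entries[url] = (category, now)
            return True
        oldest_url, (_, cached_at) = min(self.entries.items(), key=lambda kv: kv[1][1])
        if now - cached_at <= self.min_age:
            return False                           # oldest rule protected; new rule not cached
        del self.entries[oldest_url]               # overwrite the oldest rule
        self.entries[url] = (category, now)
        return True


class FakeClock:
    """Deterministic clock for the demonstration (constructed)."""

    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now


def demo():
    """Two-entry cache with a 10-minute minimum cache time (constructed values)."""
    clock = FakeClock()
    cache = UrlFilterCache(size=2, min_cache_minutes=10, clock=clock)
    cache.put("http://a.example/", "Pre-Arts")
    cache.put("http://b.example/", "news")
    clock.now = 5 * 60
    early = cache.put("http://c.example/", "sports")  # rejected: oldest rule is 5 min old
    clock.now = 11 * 60
    late = cache.put("http://c.example/", "sports")   # accepted: oldest rule is 11 min old
    return early, late, cache.lookup("http://a.example/"), cache.lookup("http://c.example/")
```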
url-filter category
Use url-filter category to create a user-defined URL category and enter its view, or enter the view of an existing URL category.
Use undo url-filter category to delete a URL category.
Syntax
url-filter category category-name [ severity severity-level ]
undo url-filter category category-name
Default
The device has only predefined URL categories with the name prefix Pre-.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
category-name: Specifies the URL category name, a case-insensitive string of 1 to 63 characters. Valid characters are letters, Chinese characters, digits, underscores (_), hyphens (-), and dots (.). The category name cannot start with Pre- and must be different from the Chinese name of any predefined URL category.
severity severity-level: Specifies a severity level for the URL category. The value range is 1000 to 65535, and the default is 65535. The larger the value, the higher the severity level. The severity level of each user-defined URL category must be unique. This option is required when you create a URL category.
Usage guidelines
URL filtering provides the URL categorization feature to facilitate filtering rule management.
You can classify multiple URL filtering rules into a URL category and specify an action for the category. If a matching rule is in multiple URL categories, the system takes the action for the category with the highest severity level.
URL filtering supports the following types of URL categories:
· Predefined URL categories.
The predefined URL categories contain the predefined URL filtering rules. Each predefined URL category has a unique severity level in the range of 1 to 999, and a category name that begins with Pre-. Predefined URL categories cannot be modified.
· User-defined URL categories.
You can create user-defined URL categories and configure filtering rules for them. The severity level of a user-defined URL category is in the range of 1000 to 65535. You can edit the filtering rules and change the severity level for a user-defined URL category.
Examples
# Create a URL category named news and set its severity level to 2000.
<Sysname> system-view
[Sysname] url-filter category news severity 2000
[Sysname-url-filter-category-news]
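The text-based and regular-expression matching described for the rule command (wildcard handling, the four regular-expression restrictions) and the severity-based resolution described above when a matching rule is in several categories, as one added Python example; it is a constructed model, not H3C's implementation, and every class, function and sample name in it is hypothetical:

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Added model of the matching semantics of the rule command and the severity
# resolution of url-filter category. Constructed illustration only.

def text_match(pattern: str, value: str) -> bool:
    """Text-based matching (case-insensitive). The asterisk is a wildcard only
    at the beginning or end of the pattern; elsewhere it is compared literally."""
    lead, trail = pattern.startswith("*"), pattern.endswith("*")
    core = (pattern.strip("*") if lead or trail else pattern).lower()
    value = value.lower()
    if lead and trail:           # *foo*  -> value equals or includes foo
        return core in value
    if lead:                     # *foo   -> value equals or ends with foo
        return value.endswith(core)
    if trail:                    # foo*   -> value equals or starts with foo
        return value.startswith(core)
    return value == core         # foo    -> value equals foo

def check_regex(pattern: str) -> Optional[str]:
    """Apply the regular-expression restrictions listed for the rule command.
    Returns None when the pattern is acceptable, otherwise the reason."""
    if not re.match(r"[A-Za-z0-9_]", pattern):
        return "must start with a letter, digit or underscore"
    depth, branches, i = 0, [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":           # skip the escaped character, e.g. \x3D or \\
            i += 2
            continue
        if ch == "(":
            depth += 1
            if depth > 1:
                return "nested parentheses are not allowed"
            branches.append(1)   # a new branch group with one branch so far
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 1:
            branches[-1] += 1
        i += 1
    if len(branches) > 1:
        return "a branch group cannot follow another branch group"
    if branches and branches[0] > 4:
        return "a maximum of four branches is allowed"
    wild = re.search(r"[*?]", pattern)
    if wild and wild.start() < 4:
        return "at least four non-wildcard characters are required before * or ?"
    return None

@dataclass
class Rule:
    rule_id: int
    host: tuple                  # ("text" | "regex", pattern)
    uri: Optional[tuple] = None  # same shape, optional

    def matches(self, hostname: str, uri: str) -> bool:
        for spec, value in ((self.host, hostname), (self.uri, uri)):
            if spec is None:
                continue
            kind, pat = spec
            if kind == "text":
                ok = text_match(pat, value)
            else:                # regex matching is case-sensitive
                ok = re.search(pat, value) is not None
            if not ok:
                return False
        return True

@dataclass
class Category:
    name: str
    severity: int                # Pre- categories 1-999, user-defined 1000-65535
    action: str                  # action configured for the category in the policy
    rules: list = field(default_factory=list)

    def __post_init__(self):
        low, high = (1, 999) if self.name.startswith("Pre-") else (1000, 65535)
        if not low <= self.severity <= high:
            raise ValueError(f"{self.name}: severity {self.severity} not in {low}-{high}")

def decide(categories, hostname: str, uri: str, default_action: str = "permit") -> str:
    """Action for a URL: if a matching rule is found in several categories,
    the category with the highest severity level decides."""
    hits = [c for c in categories if any(r.matches(hostname, uri) for r in c.rules)]
    return max(hits, key=lambda c: c.severity).action if hits else default_action

# Constructed sample configuration (hostnames and actions are illustrative).
SAMPLE_CATEGORIES = [
    Category("Pre-Arts", 10, "permit", [Rule(1, ("regex", r"sina.*cn"))]),
    Category("news", 2000, "drop", [Rule(10, ("text", "sina.com*"))]),
    Category("restricted", 3000, "reset",
             [Rule(1, ("text", "*.example.com"), ("text", "/admin/*"))]),
]
```

The sample shows the severity rule in action: sina.com.cn matches both Pre-Arts (severity 10) and news (severity 2000), so the news action applies.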
Related commands
display url-filter category
url-filter copy category
Use url-filter copy category to copy a URL category.
Syntax
url-filter copy category old-name new-name severity severity-level
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
old-name: Specifies the name of the URL category to be copied. The specified URL category must already exist.
new-name: Specifies a name for the new URL category. The name is a case-insensitive string of 1 to 63 characters and cannot begin with Pre-.
severity severity-level: Assigns a unique severity level to the new URL category. The value range is 1000 to 65535. The larger the value, the higher the severity level.
Usage guidelines
This command allows you to create a new URL category by copying an existing one.
The device supports copying only user-defined URL categories.
Examples
# Create URL category test by copying URL category news.
<Sysname> system-view
[Sysname] url-filter copy category news test severity 1001
[Sysname-url-filter-category-test]
Related commands
url-filter category
url-filter copy policy
Use url-filter copy policy to copy a URL filtering policy.
Syntax
url-filter copy policy old-name new-name
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
old-name: Specifies the name of the URL filtering policy to be copied, a case-insensitive string of 1 to 31 characters.
new-name: Specifies a name for the new URL filtering policy, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This command allows you to create a new URL filtering policy by copying an existing one.
Examples
# Create two URL filtering policies by copying URL filtering policy news.
<Sysname> system-view
[Sysname] url-filter copy policy news news1
[Sysname-url-filter-policy-news1] quit
[Sysname] url-filter copy policy news news2
[Sysname-url-filter-policy-news2] quit
Related commands
url-filter policy
url-filter log directory root
Use url-filter log directory root to configure URL filtering to log only access to resources in the root directories of websites.
Use undo url-filter log directory root to restore the default.
Syntax
url-filter log directory root
undo url-filter log directory root
Default
URL filtering logs access to Web resources in all directories.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
After this command is configured, the url-filter log except pre-defined and url-filter log except user-defined commands become invalid.
Examples
# Configure URL filtering to log only access to resources in the root directories of websites.
<Sysname> system-view
[Sysname] url-filter log directory root
Related commands
category action logging
default-action logging
url-filter log except pre-defined
url-filter log except user-defined
url-filter log enable
Use url-filter log enable to enable DPI engine logging.
Use undo url-filter log enable to disable DPI engine logging.
Syntax
url-filter log enable
undo url-filter log enable
Default
DPI engine logging is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
You can enable DPI engine logging for audit. Log messages generated by the DPI engine are output to the device information center. The information center then sends the messages to designated destinations based on log output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.
DPI engine logging is memory intensive. To guarantee system performance, enable DPI engine logging only when necessary.
Examples
# Enable DPI engine logging.
<Sysname> system-view
[Sysname] url-filter log enable
url-filter log except pre-defined
Use url-filter log except pre-defined to disable URL filtering logging for access to resources of a predefined resource type.
Use undo url-filter log except pre-defined to enable URL filtering logging for access to resources of a predefined resource type.
Syntax
url-filter log except pre-defined { css | gif | ico | jpg | js | png | swf | xml }
undo url-filter log except pre-defined { css | gif | ico | jpg | js | png | swf | xml }
Default
URL filtering does not log access to resources of the predefined resource types (CSS, GIF, ICO, JPG, JS, PNG, SWF, and XML resources).
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
css: Specifies the CSS resource type.
gif: Specifies the GIF resource type.
ico: Specifies the ICO resource type.
jpg: Specifies the JPG resource type.
js: Specifies the JS resource type.
png: Specifies the PNG resource type.
swf: Specifies the SWF resource type.
xml: Specifies the XML resource type.
Usage guidelines
Repeat this command to disable URL filtering logging for access to multiple types of predefined resources.
This command does not take effect if the url-filter log directory root command is configured. To validate this command, you must execute the undo url-filter log directory root command.
Examples
# Disable URL filtering logging for access to CSS resources.
<Sysname> system-view
[Sysname] url-filter log except pre-defined css
Related commands
category action logging
default-action logging
url-filter log directory root
url-filter log except user-defined
url-filter log except user-defined
Use url-filter log except user-defined to disable URL filtering logging for access to resources of a user-defined resource type.
Use undo url-filter log except user-defined to enable URL filtering logging for access to resources of a user-defined resource type.
Syntax
url-filter log except user-defined text
undo url-filter log except user-defined [ text ]
Default
URL filtering logs access to all resources except for resources of the predefined types.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
text: Specifies a Web resource type. The value is a case-insensitive string of 1 to 63 characters.
Usage guidelines
Repeat this command to disable URL logging for access to multiple types of user-defined resources.
This command does not take effect if the url-filter log directory root command is configured. To validate this command, you must execute the undo url-filter log directory root command.
Executing the undo url-filter log except user-defined command without the text parameter enables URL logging for access to all resources except resources of the predefined resource types.
Examples
# Disable URL filtering logging for access to HTML resources.
<Sysname> system-view
[Sysname] url-filter log except user-defined html
Related commands
category action logging
default-action logging
url-filter log directory root
url-filter log except pre-defined
url-filter policy
Use url-filter policy to create a URL filtering policy and enter its view, or enter the view of an existing URL filtering policy.
Use undo url-filter policy to delete a URL filtering policy.
Syntax
url-filter policy policy-name
undo url-filter policy policy-name
Default
No URL filtering policies exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name: Assigns a name to the URL filtering policy, a case-insensitive string of 1 to 31 characters.
Usage guidelines
In a URL filtering policy, you can specify an action for each URL category. You can also use the default action command to specify the default action for packets that do not match any URL filtering rules in the policy.
A URL filtering policy takes effect only after it is applied to a DPI application profile. For information about DPI application profiles, see DPI Configuration Guide.
Examples
# Create a URL filtering policy named news and enter its view.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news]
url-filter signature auto-update
Use url-filter signature auto-update to enable automatic URL signature library update and enter automatic URL signature library update configuration view.
Use undo url-filter signature auto-update to disable automatic URL signature library update.
Syntax
url-filter signature auto-update
undo url-filter signature auto-update
Default
Automatic URL signature library update is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
The automatic update enables the device to periodically access the company's website to download the latest URL filtering signatures and update the local signature library.
You can schedule the time for automatic signature update by using the update schedule command.
Examples
# Enable automatic URL signature library update and enter automatic URL signature library update configuration view.
<Sysname> system-view
[Sysname] url-filter signature auto-update
[Sysname-url-filter-autoupdate]
Related commands
update schedule
url-filter signature auto-update-now
Use url-filter signature auto-update-now to trigger an automatic URL signature library update manually.
Syntax
url-filter signature auto-update-now
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This command immediately starts the automatic signature library update process. The device accesses the company's website to update the local URL signature library.
You can execute this command anytime you find a new version of signature library on the company's website.
Examples
# Trigger an automatic URL signature library update manually.
<Sysname> system-view
[Sysname] url-filter signature auto-update-now
url-filter signature rollback
Use url-filter signature rollback to roll back the URL signature library.
Syntax
url-filter signature rollback { factory | last }
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
factory: Rolls back the URL signature library to the factory default version.
last: Rolls back the URL signature library to the previous version.
Usage guidelines
Non-default vSystems do not support this command.
If a URL signature library update causes exceptions or a high false alarm rate, you can roll back the URL signature library.
Before rolling back the URL signature library, the device backs up the current signature library as the "previous version." For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.
Examples
# Roll back the URL signature library to the previous version.
<Sysname> system-view
[Sysname] url-filter signature rollback last
url-filter signature update
Use url-filter signature update to manually update the URL signature library.
Syntax
url-filter signature update file-path [ vpn-instance vpn-instance-name ] [ source { ip | ipv6 } { ip-address | interface interface-type interface-number } ]
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
file-path: Specifies the URL filtering signature file path, a string of 1 to 255 characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the TFTP or FTP server belongs by the instance's name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the TFTP or FTP server belongs to the public network.
source: Specifies the source IP address of request packets sent to the TFTP or FTP server for manual signature library update. If you do not specify a source IP address, the system uses the IP address of the outgoing routed interface as the source IP address.
ip ip-address: Specifies the source IPv4 address of request packets sent to the TFTP or FTP server for manual signature library update.
ipv6 ip-address: Specifies the source IPv6 address of request packets sent to the TFTP or FTP server for manual signature library update.
interface interface-type interface-number: Specifies the source interface. The primary IPv4 address of the interface or the minimum IPv6 address on the interface will be used as the source IP address.
Usage guidelines
CAUTION: Select a signature file according to the memory size and software version of the device. H3C provides signature files separately for high-memory (equal to or higher than 8 GB) and low-memory (lower than 8 GB) devices and for different software versions. If you use a signature file applicable to high-memory devices to update the URL filtering signature library on a low-memory device, exceptions might occur on the low-memory device. As a best practice, use a signature file that is compatible with the software version and memory size of the device to update the URL filtering signature library on the device.
Non-default vSystems do not support this command.
If the device cannot access the company's website, use one of the following methods to manually update the URL signature library:
· Local update—Updates the URL signature library on the device by using the locally stored update URL filtering signature file.
Store the update file on the master device for successful signature library update.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored in the current working directory. | filename | To display the current working directory, use the pwd command (see file system management in Fundamentals Command Reference). |
The update file is stored in a different directory on the same storage medium. | filename | Before updating the signature library, you must first use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
The update file is stored on a different storage medium. | path/filename | Before updating the signature library, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
· FTP/TFTP update—Updates the URL signature library on the device by using the file stored on the FTP or TFTP server.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored on an FTP server. | ftp://username:password@server address/filename | The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: colon (:) with %3A or %3a, at sign (@) with %40, and forward slash (/) with %2F or %2f. |
The update file is stored on a TFTP server. | tftp://server address/filename | The server address parameter represents the IP address or host name of the TFTP server. |
NOTE: To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide.
To execute the url-filter signature update command, you also need to follow these restrictions and guidelines:
· To specify the source IP address of request packets sent to the TFTP or FTP server for manual signature library update, you must specify the source keyword. For example, if packets from the device must be translated by NAT before reaching the TFTP or FTP server, you must specify a source IP address that matches the NAT rules so that the packets are translated. If NAT translation is performed by an independent NAT device, make sure the IP address specified by this command can reach the NAT device at Layer 3.
· If you specify both source and vpn-instance keywords, make sure the VPN instance to which the specified source IP or interface belongs is the same as that specified by the vpn-instance keyword.
Examples
# Manually update the local URL signature library by using a signature file stored on a TFTP server.
<Sysname> system-view
[Sysname] url-filter signature update tftp://192.168.0.10/url-filter-1.0.2-en.dat
# Manually update the local URL signature library by using a signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.
<Sysname> system-view
[Sysname] url-filter signature update ftp://user%3A123:user%40abc%2F123@192.168.0.10/url-filter-1.0.2-en.dat
# Manually update the local URL signature library by using a signature file stored on the device. The file is stored in directory cfa0:/url-filter-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> system-view
[Sysname] url-filter signature update url-filter-1.0.23-en.dat
# Manually update the local URL signature library by using a signature file stored on the device. The file is stored in directory cfa0:/dpi/url-filter-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd dpi
<Sysname> system-view
[Sysname] url-filter signature update url-filter-1.0.23-en.dat
# Manually update the local URL signature library by using a signature file stored on the device. The file is stored in directory cfb0:/dpi/url-filter-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd cfb0:/
<Sysname> system-view
[Sysname] url-filter signature update dpi/url-filter-1.0.23-en.dat
url-reputation enable
Use url-reputation enable to enable URL reputation.
Use undo url-reputation enable to disable URL reputation.
Syntax
url-reputation enable
undo url-reputation enable
Default
URL reputation is disabled.
Views
URL filtering policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
URL reputation filters malicious URLs. With this feature, the device matches the URL in packets with the URLs in the URL reputation signature library.
· If a match is found, the device takes the actions specified for the attack category of the URL. To specify actions for an attack category, use the attack-category action command.
· If no match is found, the device permits the packets to pass through.
Examples
# In URL filtering policy abc, enable URL reputation.
<Sysname> system-view
[Sysname] url-filter policy abc
[Sysname-url-filter-policy-abc] url-reputation enable
url-reputation signature auto-update
Use url-reputation signature auto-update to enable automatic URL reputation signature library update and enter automatic URL reputation signature library update configuration view.
Use undo url-reputation signature auto-update to disable automatic URL reputation signature library update.
Syntax
url-reputation signature auto-update
undo url-reputation signature auto-update
Default
Automatic URL reputation signature library update is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
The automatic update enables the device to periodically access the company's website to download the latest URL reputation signatures and update the local signature library.
You can schedule the time for automatic signature update by using the update schedule command in automatic URL reputation signature library update configuration view.
Examples
# Enable automatic URL reputation signature library update and enter automatic URL reputation signature library update configuration view.
<Sysname> system-view
[Sysname] url-reputation signature auto-update
[Sysname-url-reputation-autoupdate]
Related commands
update schedule (automatic URL reputation signature library update configuration view)
url-reputation signature auto-update-now
Use url-reputation signature auto-update-now to trigger an automatic URL reputation signature library update manually.
Syntax
url-reputation signature auto-update-now
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This command immediately starts the automatic signature library update process and backs up the current URL reputation signature library file. With this command, the device accesses the company's website to update the local URL reputation signature library.
This command is independent of the url-reputation signature auto-update command.
You can execute this command anytime you find a new version of signature library on the company's website.
Examples
# Trigger an automatic URL reputation signature library update manually.
<Sysname> system-view
[Sysname] url-reputation signature auto-update-now
url-reputation signature rollback
Use url-reputation signature rollback to roll back the URL reputation signature library.
Syntax
url-reputation signature rollback last
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
last: Rolls back the URL reputation signature library to the previous version.
Usage guidelines
Non-default vSystems do not support this command.
If a URL reputation signature library update causes exceptions or a high false alarm rate, you can roll back the URL reputation signature library.
Before rolling back the URL reputation signature library, the device backs up the current signature library as the "previous version." For example, the previous library version is V1 and the current library version is V2. If you perform a rollback to the previous version, library version V1 becomes the current version and library version V2 becomes the previous version. If you perform a rollback to the previous version again, the library rolls back to library version V2.
Examples
# Roll back the URL signature library to the previous version.
<Sysname> system-view
[Sysname] url-reputation signature rollback last
url-reputation signature update
Use url-reputation signature update to manually update the URL reputation signature library.
Syntax
url-reputation signature update file-path [ vpn-instance vpn-instance-name ] [ source { ip | ipv6 } { ip-address | interface interface-type interface-number } ]
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
file-path: Specifies the URL reputation signature file path, a string of 1 to 255 characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the TFTP or FTP server belongs by the instance's name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the TFTP or FTP server belongs to the public network.
source: Specifies the source IP address of request packets sent to the TFTP or FTP server for manual signature library update. If you do not specify a source IP address, the system uses the IP address of the outgoing routed interface as the source IP address.
ip ip-address: Specifies the source IPv4 address of request packets sent to the TFTP or FTP server for manual signature library update.
ipv6 ip-address: Specifies the source IPv6 address of request packets sent to the TFTP or FTP server for manual signature library update.
interface interface-type interface-number: Specifies the source interface. The primary IPv4 address of the interface or the minimum IPv6 address on the interface will be used as the source IP address.
Usage guidelines
Non-default vSystems do not support this command.
If the device cannot access the company's website, use one of the following methods to manually update the URL reputation signature library:
· Local update—Updates the URL reputation signature library on the device by using a URL reputation signature file that is stored locally on the device.
Store the update file on the master device for successful signature library update.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored in the current working directory. | filename | To display the current working directory, use the pwd command (see file system management in Fundamentals Command Reference). |
The update file is stored in a different directory on the same storage medium. | filename | Before updating the signature library, you must first use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
The update file is stored on a different storage medium. | path/filename | Before updating the signature library, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
· FTP/TFTP update—Updates the URL reputation signature library on the device by using the file stored on the FTP or TFTP server.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored on an FTP server. | ftp://username:password@server address/filename | The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: · Colon (:)—%3A or %3a. · At sign (@)—%40. · Forward slash (/)—%2F or %2f. |
The update file is stored on a TFTP server. | tftp://server address/filename | The server address parameter represents the IP address or host name of the TFTP server. |
NOTE: To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide. |
To execute the url-reputation signature update command, you also need to follow these restrictions and guidelines:
· To specify the source IP address of request packets sent to the TFTP or FTP server for manual signature library update, you must specify the source keyword. For example, if packets from the device must be translated by NAT before they reach the TFTP or FTP server, you must specify a source IP address that complies with the NAT rules used for translation. If NAT translation is performed by an independent NAT device, make sure the IP address specified by this command can reach the NAT device at Layer 3.
· If you specify both source and vpn-instance keywords, make sure the VPN instance to which the specified source IP or interface belongs is the same as that specified by the vpn-instance keyword.
Examples
# Manually update the local URL reputation signature library by using a signature file stored on a TFTP server.
<Sysname> system-view
[Sysname] url-reputation signature update tftp://192.168.0.10/url-1.0.2-en.dat
# Manually update the local URL reputation signature library by using a signature file stored on the device. The file is stored in directory cfb0:/dpi/url-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd cfb0:/
<Sysname> system-view
[Sysname] url-reputation signature update dpi/url-1.0.23-en.dat
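The FTP form of file-path embeds the login credentials in the URL, so the three escape substitutions listed in the table above are what keep the device from splitting the URL at the wrong ":" or "@". The following Python helper is an added example, not code from the command reference or the device; it builds the ftp:// file-path with those substitutions, enforces the documented 1 to 255 character limit on file-path, and parses the result back to show why an unescaped password is rejected. The server address 192.0.2.10 and the file name are constructed values.

```python
"""Build and check the ftp:// file-path for url-reputation signature update.

Added example, not from the command reference. It applies the three escape
substitutions the reference lists for the FTP username and password and
enforces the documented 1-to-255-character limit on file-path.
"""
import re

# Only the characters the reference lists are escaped; the rest pass through.
_ESCAPES = {":": "%3A", "@": "%40", "/": "%2F"}
FILE_PATH_MAX = 255  # file-path: a string of 1 to 255 characters

# Credentials may not contain a raw ':', '@' or '/'; the server may not contain '/'.
_FTP_RE = re.compile(r"^ftp://([^:@/]*):([^:@/]*)@([^/]+)/(.+)$")


def escape_credential(value: str) -> str:
    """Escape ':', '@' and '/' in an FTP username or password."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_ftp_file_path(username: str, password: str, server: str, filename: str) -> str:
    """Return ftp://username:password@server address/filename with escaped credentials."""
    if not all((username, password, server, filename)):
        raise ValueError("username, password, server and filename are all required")
    path = f"ftp://{escape_credential(username)}:{escape_credential(password)}@{server}/{filename}"
    if len(path) > FILE_PATH_MAX:
        raise ValueError(f"file-path is {len(path)} characters; the limit is {FILE_PATH_MAX}")
    return path


def parse_ftp_file_path(path: str) -> tuple:
    """Split an escaped file-path into (username, password, server, filename).

    A raw ':' , '@' or '/' inside the credentials makes the match fail, which is
    the ambiguity the escape substitutions exist to avoid.
    """
    m = _FTP_RE.match(path)
    if not m:
        raise ValueError("file-path is not a well-formed ftp:// URL")

    def unescape(s: str) -> str:
        return re.sub(r"%([0-9A-Fa-f]{2})", lambda x: chr(int(x.group(1), 16)), s)

    user, pw, server, filename = m.groups()
    return unescape(user), unescape(pw), server, filename


if __name__ == "__main__":
    # Constructed sample: username user:123 and password user@abc/123 as in the reference.
    p = build_ftp_file_path("user:123", "user@abc/123", "192.0.2.10", "url-1.0.2-en.dat")
    print(p)
    print(parse_ftp_file_path(p))
```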
warning parameter-profile
Use warning parameter-profile to apply a warning parameter profile to a URL filtering policy, and enable sending the alarm message defined in the profile.
Use undo warning parameter-profile to restore the default.
Syntax
warning parameter-profile profile-name
undo warning parameter-profile
Default
No warning parameter profile is applied and the device sends the default alarm message.
Views
URL filtering policy view
Predefined user roles
network-admin
context-admin
Parameters
profile-name: Specifies a warning parameter profile by its name, a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, and underscores (_).
Usage guidelines
Non-default vSystems do not support this command.
If an endpoint user visits a website blocked by URL filtering, the device will display an alarm message on the user's browser. The alarm message is stored in the warning parameter profile applied to the URL filtering policy. For more information about configuring a warning parameter profile, see DPI engine configuration in DPI Configuration Guide.
If no warning parameter profile is applied to the URL filtering policy, the device sends the default alarm message to the user. The default alarm message is as follows:
Web Access Blocked
Your access to this website was denied. To access this webpage, contact Technical Support.
· Reason: XXX
· Category: XXX
· URL: XXXX
The device will generate the reason, category, and URL according to the actual condition.
· Reason—Why the URL of the website visited by the user is blocked. The following values are available:
◦ The URL of the website hit the URL blacklist.
◦ The URL of the website hit a user-defined URL category.
◦ The URL of the website hit a predefined URL category.
◦ No matching whitelist entry was found for the website in whitelist mode.
◦ The URL of the website did not match any accessible URL category.
◦ The URL of the website hit the URL reputation signature library.
· Category—Attack category of the hit user-defined URL category, predefined URL category, or URL reputation.
· URL—URL of the website visited by the user.
Examples
# Apply warning parameter profile uflt1 to URL filtering policy abc and enable sending of the alarm message defined in the profile.
<Sysname> system-view
[Sysname] url-filter policy abc
[Sysname-url-filter-policy-abc] warning parameter-profile uflt1
Related commands
inspect url-filter warning parameter-profile
whitelist-only enable
Use whitelist-only enable to enable URL whitelist-only filtering.
Use undo whitelist-only enable to disable URL whitelist-only filtering.
Syntax
whitelist-only enable
undo whitelist-only enable
Default
URL whitelist-only filtering is disabled.
Views
URL filtering policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This feature allows only the HTTP or HTTPS requests that match the whitelist rules to pass through, and the other settings in the URL filtering policy will not take effect.
Examples
# Enable URL whitelist-only filtering in URL filtering policy news.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news] whitelist-only enable
Related commands
add