16-Security Command Reference

19-Security policy commands

Security policy commands

accelerate enhanced enable

Use accelerate enhanced enable to manually activate rule matching acceleration.

Syntax

accelerate enhanced enable

Views

IPv4 security policy view

Predefined user roles

network-admin

Usage guidelines

Rule matching acceleration enhances connection establishment and packet forwarding performance, especially for a device using multiple rules to match packets from multiple users.

Rule matching acceleration does not take effect on newly added, modified, or moved rules until the feature is activated for those rules. By default, the system automatically activates rule matching acceleration for such rules at dynamically calculated intervals.

To activate rule matching acceleration immediately after a rule change, you can execute this command.

If no rule change is detected, the system does not perform an activation operation.

Insufficient memory can cause rule matching acceleration failures. Unaccelerated rules do not take effect, and rules that have been accelerated are not affected.

Examples

# Activate rule matching acceleration.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] accelerate enhanced enable

action

Use action to set the action for a security policy rule.

Use undo action to restore the default.

Syntax

action { drop | pass }

undo action pass

Default

The action for a security policy rule is drop.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

drop: Discards matched packets.

pass: Allows matched packets to pass.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the action for security policy rule rule1 to drop.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] action drop

Related commands

display security-policy

ap

Use ap ap-name to specify an access point (AP) as a filtering criterion of a security policy rule.

Use undo ap to remove the specified AP filtering criterion from a security policy rule.

Syntax

ap ap-name

undo ap [ ap-name ]

Default

No AP is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

Parameters

ap-name: Specifies the AP name, a case-sensitive string of 1 to 64 characters. Only letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-) are allowed.

Usage guidelines

You can execute this command multiple times to specify multiple APs as the filtering criteria.

Examples

# Specify AP ap1 as a filtering criterion of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 1 name rule1

[Sysname-security-policy-ip-1-rule1] ap ap1

ap-group

Use ap-group group-name to specify an AP group as a filtering criterion of a security policy rule.

Use undo ap-group to remove the specified AP group filtering criterion from a security policy rule.

Syntax

ap-group group-name

undo ap-group [ group-name ]

Default

No AP group is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

Parameters

group-name: Specifies the AP group name, a case-insensitive string of 1 to 31 characters. Only letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-) are allowed.

Usage guidelines

You can execute this command multiple times to specify multiple AP groups as the filtering criteria.

Examples

# Specify AP group apgroup1 as a filtering criterion of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 1 name rule1

[Sysname-security-policy-ip-1-rule1] ap-group apgroup1

app-group

Use app-group to specify an application group as a filtering criterion of a security policy rule.

Use undo app-group to remove the specified application group filtering criterion from a security policy rule.

Syntax

app-group app-group-name

undo app-group [ app-group-name ]

Default

No application group is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

app-group-name: Specifies the name of an application group, a case-insensitive string of 1 to 63 characters. The name cannot be invalid or other. If you do not specify this argument when executing the undo app-group command, the command removes all application groups from the rule. For more information about application groups, see APR in Security Configuration Guide.

Usage guidelines

You can execute the command multiple times to specify multiple application groups as the filtering criteria.

Examples

# Specify application groups app1 and app2 as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] app-group app1

[Sysname-security-policy-ip-0-rule1] app-group app2

Related commands

app-group

display security-policy

application

Use application to specify an application as a filtering criterion of a security policy rule.

Use undo application to remove the specified application filtering criterion from a security policy rule.

Syntax

application application-name

undo application [ application-name ]

Default

No application is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

application-name: Specifies the name of an application, a case-insensitive string of 1 to 63 characters. The name cannot be invalid or other. If you do not specify this argument when executing the undo application command, the command removes all applications from the rule. For more information about applications, see APR in Security Configuration Guide.

Usage guidelines

You can execute the command multiple times to specify multiple applications as the filtering criteria.

For the application filtering criteria to be identified, you must permit the packets of the protocols on which the applications depend to pass through. If port-based packet filtering is configured and a dependent protocol uses a non-default port, you must permit the packets from the port to pass.

Examples

# Specify applications 139Mail and 51job as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] application 139Mail

[Sysname-security-policy-ip-0-rule1] application 51job

Related commands

display security-policy

nbar application

port-mapping

counting enable

Use counting enable to enable statistics collection for matched packets.

Use undo counting enable to disable statistics collection for matched packets.

Syntax

counting enable [ period value ]

undo counting enable

Default

Statistics collection for matched packets is disabled.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

period value: Specifies the period during which the statistics collection feature is enabled, in the range of 1 to 4294967295 minutes. If you do not specify this option, the command enables statistics collection permanently.

Usage guidelines

This feature enables the device to collect statistics about matched packets. The collected statistics can be viewed by executing the display security-policy statistics command.

If an enabling period is specified, the system disables the statistics collection feature and removes the configuration at period expiration. If no enabling period is specified, you must execute the undo counting enable command to disable the statistics collection feature.

Examples

# Enable matched packet statistics collection for security policy rule rule1 and set the enabling period to 20 minutes.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] counting enable period 20

Related commands

display security-policy

display security-policy statistics

description (security policy rule view)

Use description to configure a description for a security policy rule.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Examples

# Configure the description as This rule is used for source-ip ip1 for security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] description This rule is used for source-ip ip1

Related commands

display object-policy ip

description (security policy view)

Use description to configure a description for the IPv4 security policy.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for the IPv4 security policy.

Views

IPv4 security policy view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Examples

# Configure the description as zone-pair security office to library for the IPv4 security policy.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] description zone-pair security office to library

Related commands

display security-policy

destination-ip

Use destination-ip to specify a destination IP address object group as a filtering criterion of a security policy rule.

Use undo destination-ip to remove the specified destination IP address object group from a security policy rule.

Syntax

destination-ip object-group-name

undo destination-ip [ object-group-name ]

Default

No destination IP address object group is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

object-group-name: Specifies the name of a destination IP address object group, a case-insensitive string of 1 to 63 characters. The name cannot be any. If you do not specify this argument when executing the undo destination-ip command, the command removes all destination IP address object groups from the rule. For more information about object groups, see Security Configuration Guide.

Usage guidelines

You can execute the command multiple times to specify multiple destination IP address object groups as the filtering criteria.

If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.

For a security policy rule, the number of configured destination IP address object groups cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

Examples

# Specify destination IP address object groups client1 and client2 as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] destination-ip client1

[Sysname-security-policy-ip-0-rule1] destination-ip client2

Related commands

display security-policy

object-group

destination-ip-host

Use destination-ip-host to specify a destination IPv4 host address as a filtering criterion of a security policy rule.

Use undo destination-ip-host to remove the specified destination IPv4 host address from a security policy rule.

Syntax

destination-ip-host ip-address

undo destination-ip-host [ ip-address ]

Default

No destination IPv4 host address is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address of a host. If you do not specify this argument when executing the undo destination-ip-host command, the command removes all destination IPv4 host addresses from the rule.

Usage guidelines

You can execute the command multiple times to specify multiple destination IPv4 host addresses as the filtering criteria.

If you specify an IP address that has been configured as a destination host filtering criterion, the command execution fails and the system prompts an error.

For a security policy rule, the sum of configured destination host addresses, destination subnets, and destination address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

Examples

# Specify destination IPv4 host address 192.167.0.1 as a filtering criterion of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] destination-ip-host 192.167.0.1

Related commands

display security-policy

destination-ip-range

Use destination-ip-range to specify a destination IPv4 address range as a filtering criterion of a security policy rule.

Use undo destination-ip-range to remove the specified destination IPv4 address range from a security policy rule.

Syntax

destination-ip-range ip-address1 ip-address2

undo destination-ip-range [ ip-address1 ip-address2 ]

Default

No destination IPv4 address range is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

Parameters

ip-address1 ip-address2: Specifies an IPv4 address range. The ip-address1 argument represents the start IP address and the ip-address2 argument represents the end IP address. If you do not specify the arguments when executing the undo destination-ip-range command, the command removes all destination IPv4 address ranges from the rule.

Usage guidelines

You can execute the command multiple times to specify multiple destination IPv4 address ranges as the filtering criteria.

If you specify an IP address range that has been configured as a destination IP range filtering criterion, the command execution fails and the system prompts an error.

For a security policy rule, the sum of configured destination host addresses, destination subnets, and destination address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

When you specify an IP address range, follow these restrictions and guidelines:

·     If the start IP address is the same as the end IP address, the command creates a host address filtering criterion.

·     If the start IP address and the end IP address exactly delimit a subnet, the command creates a subnet filtering criterion.

·     If ip-address1 is greater than ip-address2, the system automatically adjusts the range to [ ip-address2, ip-address1 ].

Examples

# Specify destination IPv4 address range 192.165.0.100 to 192.165.0.200 as a filtering criterion of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] destination-ip-range 192.165.0.100 192.165.0.200

Related commands

display security-policy

destination-ip-subnet

Use destination-ip-subnet to specify a destination IPv4 subnet as a filtering criterion of a security policy rule.

Use undo destination-ip-subnet to remove the specified destination IPv4 subnet from a security policy rule.

Syntax

destination-ip-subnet ip-address { mask-length | mask }

undo destination-ip-subnet [ ip-address { mask-length | mask } ]

Default

No destination IPv4 subnet is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

Parameters

ip-address { mask-length | mask }: Specifies an IPv4 subnet. You can specify the mask length or the mask in dotted decimal notation. The mask length is in the range of 0 to 32. If you set the mask length to 32 or the mask to 255.255.255.255, the command creates a host address filtering criterion. If you do not specify the arguments when executing the undo destination-ip-subnet command, the command removes all destination IPv4 subnets from the rule.

Usage guidelines

You can execute the command multiple times to specify multiple destination IPv4 subnets as the filtering criteria.

If you specify a subnet that has been configured as a destination subnet filtering criterion, the command execution fails and the system prompts an error.

For a security policy rule, the sum of configured destination host addresses, destination subnets, and destination address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
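The destination-ip-host, destination-ip-range and destination-ip-subnet commands described above share one normalization and limit scheme: equal range endpoints become a host criterion, a range that exactly delimits a subnet becomes a subnet criterion, a reversed range is swapped, a 32-bit mask is a host criterion, a duplicate criterion is rejected, and hosts, subnets and ranges together are capped at 1024 per rule. The following Python model is an added example, not H3C device code. The DestinationCriteria class, its method names, and the constructor's limit parameter (defaulting to the documented 1024 so that the cap can be exercised with a small value) are assumptions made for the illustration; the strings the methods return mirror the CLI syntax only for readability.

```python
"""Model of the destination address criteria of one IPv4 security policy rule.

Added illustration (Python, not H3C device code) of the documented behaviour of
destination-ip-host, destination-ip-range and destination-ip-subnet: a range
whose endpoints are equal is stored as a host, a range that exactly covers one
subnet is stored as that subnet, a reversed range is swapped, a duplicate
criterion is rejected, and the sum of hosts, subnets and ranges is capped
(1024 per rule on the device). Class and method names are assumptions.
"""
import ipaddress
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address


class DestinationCriteria:
    def __init__(self, limit: int = 1024) -> None:
        self.limit = limit                     # documented per-rule cap
        self.hosts: List[IPv4] = []
        self.subnets: List[ipaddress.IPv4Network] = []
        self.ranges: List[Tuple[IPv4, IPv4]] = []

    def count(self) -> int:
        """Hosts, subnets and ranges share one per-rule limit."""
        return len(self.hosts) + len(self.subnets) + len(self.ranges)

    def _reserve_slot(self) -> None:
        if self.count() >= self.limit:
            raise ValueError(f"limit of {self.limit} address criteria reached")

    def add_host(self, ip: str) -> str:
        addr = IPv4(ip)
        if addr in self.hosts:                 # duplicate host: command fails
            raise ValueError(f"host {addr} is already a destination criterion")
        self._reserve_slot()
        self.hosts.append(addr)
        return f"destination-ip-host {addr}"

    def add_subnet(self, ip: str, mask) -> str:
        # mask is a prefix length (int or digit string) or a dotted-decimal mask
        net = ipaddress.IPv4Network((ip, mask), strict=False)
        if net.prefixlen == 32:                # /32 or 255.255.255.255 is a host
            return self.add_host(str(net.network_address))
        if net in self.subnets:                # duplicate subnet: command fails
            raise ValueError(f"subnet {net} is already a destination criterion")
        self._reserve_slot()
        self.subnets.append(net)
        return f"destination-ip-subnet {net.network_address} {net.netmask}"

    def add_range(self, start: str, end: str) -> str:
        lo, hi = IPv4(start), IPv4(end)
        if lo > hi:                            # reversed range becomes [hi, lo]
            lo, hi = hi, lo
        if lo == hi:                           # single address: host criterion
            return self.add_host(str(lo))
        blocks = list(ipaddress.summarize_address_range(lo, hi))
        if len(blocks) == 1:                   # endpoints delimit exactly one subnet
            return self.add_subnet(str(blocks[0].network_address), blocks[0].prefixlen)
        if (lo, hi) in self.ranges:            # duplicate range: command fails
            raise ValueError(f"range {lo}-{hi} is already a destination criterion")
        self._reserve_slot()
        self.ranges.append((lo, hi))
        return f"destination-ip-range {lo} {hi}"

    def matches(self, ip: str) -> bool:
        """True if the address satisfies any configured destination criterion."""
        addr = IPv4(ip)
        return (addr in self.hosts
                or any(addr in net for net in self.subnets)
                or any(lo <= addr <= hi for lo, hi in self.ranges))


if __name__ == "__main__":
    rule1 = DestinationCriteria()
    for cmd in (rule1.add_range("192.167.0.255", "192.167.0.0"),
                rule1.add_range("192.165.0.100", "192.165.0.200"),
                rule1.add_subnet("192.166.0.0", "255.255.0.0")):
        print(cmd)
```

The normalization matters when auditing a rule: a range entered as 192.167.0.0 to 192.167.0.255 shows up in display security-policy output as a subnet, not as a range, so a reviewer who searches the running configuration for the range literal will not find it.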

Examples

# Specify the destination subnet with IP address 192.167.0.0 and mask length 24 as a filtering criterion of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] destination-ip-subnet 192.167.0.0 24

# Specify the destination subnet with IP address 192.166.0.0 and mask 255.255.0.0 as a filtering criterion of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] destination-ip-subnet 192.166.0.0 255.255.0.0

Related commands

display security-policy

disable

Use disable to disable a security policy rule.

Use undo disable to enable a security policy rule.

Syntax

disable

undo disable

Default

A security policy rule is enabled.

Views

Security policy rule view

Predefined user roles

network-admin

Examples

# Disable security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] disable

Related commands

display security-policy

display security-policy

Use display security-policy to display information about the specified security policy.

Syntax

display security-policy ip [ brief | rule name rule-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays summary information. If you do not specify this keyword, the command displays detailed information.

rule name rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters.

Examples

# Display information about the IPv4 security policy.

<Sysname> display security-policy ip

Security-policy ip

TotalRule: 2

TotalGroup: 0

 

 rule 0 name der (Inactive)

  action pass

  profile er

  logging enable

  counting enable period 20

  counting enable TTL 1200

  time-range dere

  track positive 23

  session aging-time 5000

  session persistent aging-time 2400

  source-ip erer

  source-ip-host 1.1.1.4

  source-ip-subnet 1.1.1.0 255.255.255.0

  source-ip-range 2.2.1.1 3.3.3.3

  destination-ip client1

  destination-ip-host 5.5.1.2

  destination-ip-subnet 5.5.1.0 255.255.255.0

  destination-ip-range 2.2.1.1 3.3.3.3

  service ftp

  service-port tcp

  service-port tcp source lt 100 destination eq 104

  service-port tcp source eq 100 destination range 104 2000

  service-port udp

  service-port udp source gt 100 destination eq 104

  service-port udp destination eq 100

  service-port icmp 100 122

  service-port icmp

  service-port sctp

  service-port sctp source lt 100 destination eq 104

  service-port sctp destination range 104 2000

  app-group ere

  application 110Wang

  user der

  user-group ere

# Display information about IPv4 security policy rule der.

<Sysname> display security-policy ip rule name der

 rule 0 name der (Inactive)

  action pass

  profile er

  logging enable

  counting enable period 20

  counting enable TTL 1200

  time-range dere

  track positive 23

  session aging-time 5000

  session persistent aging-time 2400

  source-ip erer

  source-ip-host 1.1.1.4

  source-ip-subnet 1.1.1.0 255.255.255.0

  source-ip-range 2.2.1.1 3.3.3.3

  destination-ip client1

  destination-ip-host 5.5.1.2

  destination-ip-subnet 5.5.1.0 255.255.255.0

  destination-ip-range 2.2.1.1 3.3.3.3

  service ftp

  service-port tcp

  service-port tcp source lt 100 destination eq 104

  service-port tcp source eq 100 destination range 104 2000

  service-port udp

  service-port udp source gt 100 destination eq 104

  service-port udp destination eq 100

  service-port icmp 100 122

  service-port icmp

  app-group ere

  application 110Wang

  user der

  user-group ere

# Display summary information about all IPv4 security policy rules.

<Sysname> display security-policy ip brief

ID           Name                               State        Action     Hits

------------------------------------------------------------------------------------

0            default_any                        active       pass       11221440

1            test                               active       drop       0

------------------------------------------------------------------------------------

Table 1 Command output

TotalRule: Total number of rules.

TotalGroup: Total number of policy groups.

rule id name rule-name (Inactive): Rule ID, rule name, and state of the rule. Rule state:

·     Active—The rule is enabled.

·     Inactive—The rule is disabled.

The rule state is displayed only when the rule is associated with a Track entry.

action pass: Rule action:

·     pass—Allows matched packets to pass.

·     drop—Drops matched packets.

profile app-profile-name: DPI application profile applied to the rule.

logging enable: Indicates that logging for matched packets is enabled.

counting enable period value: Indicates that statistics collection for matched packets is enabled. The value argument represents the enabling period in minutes.

counting enable TTL time-value: Indicates that statistics collection for matched packets is enabled. The time-value argument represents the remaining enabling period in seconds.

time-range time-range-name: Time range during which the rule is in effect.

track negative 1: Track entry and track entry state associated with the security policy rule.

session aging-time time-value: Session aging time.

session persistent aging-time time-value: Persistent session aging time.

source-ip object-group-name: Source IP address object group that acts as a filtering criterion.

source-ip-host ip-address: Source IP host address that acts as a filtering criterion.

source-ip-subnet ip-address: Source IP subnet that acts as a filtering criterion.

source-ip-range ip-address1 ip-address2: Source IP address range that acts as a filtering criterion.

destination-ip object-group-name: Destination IP address object group that acts as a filtering criterion.

destination-ip-host ip-address: Destination IP host address that acts as a filtering criterion.

destination-ip-subnet ip-address: Destination IP subnet that acts as a filtering criterion.

destination-ip-range ip-address1 ip-address2: Destination IP address range that acts as a filtering criterion.

service object-group-name: Service object group that acts as a filtering criterion.

service-port protocol: Service port that acts as a filtering criterion.

app-group app-group-name: Application group that acts as a filtering criterion.

application application-name: Application that acts as a filtering criterion.

user user-name: User that acts as a filtering criterion.

user-group user-group-name: User group that acts as a filtering criterion.

Fields of the brief output:

ID: Security policy rule ID.

Name: Name of the security policy rule.

State: State of the rule. The state of a rule is associated with a Track entry. Options:

·     Active—The rule is enabled.

·     Inactive—The rule is disabled.

Action: Rule action:

·     pass—Allows matched packets to pass.

·     drop—Drops matched packets.

Hits: Number of times that the security policy rule has matched a packet.

Related commands

security-policy ip
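The brief output above (ID, Name, State, Action, Hits) is the natural input for a periodic rule audit: a rule with zero hits is a cleanup candidate, and a rule that is inactive because of its Track entry should be reviewed rather than left in place. The following Python parser and audit are an added example, not H3C code. The sample output is constructed from the format shown above: the default_any and test rows are the page's own, the legacy_vpn row is constructed so the audit has something to flag, and the RuleSummary, parse_brief and audit names are assumptions.

```python
"""Parse display security-policy ip brief output and flag rules worth review.

Added illustration (Python, not H3C device code). SAMPLE_BRIEF is constructed
from the output format documented above; the legacy_vpn row is invented so the
audit has a finding. Zero-hit and inactive rules are reported as candidates
for review by the policy owner.
"""
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_BRIEF = """\
<Sysname> display security-policy ip brief
ID           Name                               State        Action     Hits
------------------------------------------------------------------------------------
0            default_any                        active       pass       11221440
1            test                               active       drop       0
2            legacy_vpn                         inactive     pass       0
------------------------------------------------------------------------------------
"""


@dataclass
class RuleSummary:
    rule_id: int
    name: str
    state: str
    action: str
    hits: int


def parse_brief(output: str) -> List[RuleSummary]:
    """One RuleSummary per data row; prompt, header and separator lines are skipped."""
    rules: List[RuleSummary] = []
    for line in output.splitlines():
        parts = line.split()
        # A data row starts with a numeric ID and ends with a numeric hit count.
        if len(parts) < 5 or not parts[0].isdigit() or not parts[-1].isdigit():
            continue
        rules.append(RuleSummary(
            rule_id=int(parts[0]),
            name=" ".join(parts[1:-3]),    # tolerate a name containing spaces
            state=parts[-3].lower(),
            action=parts[-2].lower(),
            hits=int(parts[-1]),
        ))
    return rules


def audit(rules: List[RuleSummary]) -> Dict[str, List[str]]:
    """Rule names grouped by finding; an empty list means nothing to report."""
    return {
        "zero_hit": [r.name for r in rules if r.hits == 0],
        "inactive": [r.name for r in rules if r.state != "active"],
        "pass_rules": [r.name for r in rules if r.action == "pass"],
    }


if __name__ == "__main__":
    for finding, names in audit(parse_brief(SAMPLE_BRIEF)).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Hit counters are cumulative, so a zero-hit finding is only meaningful when the counters have been running long enough to cover the traffic the rule is meant to match; reset security-policy statistics (listed under display security-policy statistics) restarts that window.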

display security-policy statistics

Use display security-policy statistics to display security policy statistics.

Syntax

display security-policy statistics ip [ rule rule-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

rule rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters. If you do not specify this option, the command displays statistics about all security policy rules of the specified IP version.

Examples

# Display statistics about IPv4 security policy rule abc.

<Sysname> display security-policy statistics ip rule abc

rule 0 name abc

 action: pass (5 packets, 1000 bytes)

Table 2 Command output

rule id name rule-name: Rule ID and rule name.

action: Rule action:

·     pass—Allows matched packets to pass.

·     drop—Drops matched packets.

x packets, y bytes: The rule has matched x packets, a total of y bytes. This field is displayed only if the counting enable or the logging enable command has been executed for the rule.


Related commands

reset security-policy statistics

group move

Use group move to move a security policy rule group to change the match order of security policy rules.

Syntax

group move group-name1 { after | before } { group group-name2 | rule rule-name }

Views

Security policy view

Predefined user roles

network-admin

Parameters

group-name1: Specifies the name of the security policy rule group to be moved, a case-insensitive string of 1 to 63 characters.

after: Moves the security policy rule group to the place after the target security policy rule group or the target security policy rule.

before: Moves the security policy rule group to the place before the target security policy rule group or the target security policy rule.

group group-name2: Specifies the name of the target security policy rule group, a case-insensitive string of 1 to 63 characters.

rule rule-name: Specifies the name of the target security policy rule, a case-insensitive string of 1 to 127 characters.

Usage guidelines

If you specify a target security policy rule that belongs to a security policy rule group, follow these restrictions and guidelines:

·     If the target rule is neither the start nor end rule of the group, you cannot move a security policy rule group to the place before or after the rule.

·     If the target rule is the start rule of the group, you can only move a security policy rule group to the place before the rule.

·     If the target rule is the end rule of the group, you can only move a security policy rule group to the place after the rule.

Examples

# Move security policy rule group group1 to the place before security policy rule group group2.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] group move group1 before group group2

group name

Use group name to create a security policy rule group and add security policy rules to the group, or add security policy rules to an existing security policy rule group.

Use undo group name to delete a security policy rule group.

Syntax

group name group-name [ from rule-name1 to rule-name2 ] [ disable | enable ] [ description description-text ]

undo group name group-name [ description | include-member ]

Default

No security policy rule group exists.

Views

Security policy view

Predefined user roles

network-admin

Parameters

group-name: Specifies a security policy rule group name, a case-insensitive string of 1 to 63 characters.

from rule-name1: Specifies the start rule of a rule list. The rule-name1 argument represents the security policy rule name, a case-insensitive string of 1 to 127 characters.

to rule-name2: Specifies the end rule of the rule list. The rule-name2 argument represents the security policy rule name, a case-insensitive string of 1 to 127 characters.

disable: Disables the security policy rule group.

enable: Enables the security policy rule group. By default, a security policy rule group is enabled.

description description-text: Specifies a description for the security policy rule group, a case-sensitive string of 1 to 127 characters. By default, no description is specified for a security policy rule group.

include-member: Also applies the undo operation to the security policy rules in the security policy rule group.

Usage guidelines

Security policy rule grouping allows users to enable, disable, delete, and move security policy rules in batches.

A security policy rule in a security policy rule group takes effect only when both the rule and the group are enabled.

To add a list of security policy rules, make sure the end rule is listed after the start rule and that none of the specified rules belongs to another security policy rule group.

When you execute the undo group name command, follow these restrictions and guidelines:

·     The undo group name group-name command deletes only the specified security policy rule group.

·     The undo group name group-name description command deletes only the description for the specified security policy rule group.

·     The undo group name group-name include-member command deletes both the specified security policy rule group and all the security policy rules in the group.
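The group name and group move sections above describe a handful of ordering constraints: a group is a contiguous run of rules in match order, the end rule of a list must come after its start rule, a rule can belong to only one group, a group can be moved only to the position before the start rule or after the end rule of another group, a rule in a group is effective only when both the rule and the group are enabled, and undo group name with include-member deletes the member rules as well. The following Python model is an added example, not H3C code; the SecurityPolicy class and its method names are assumptions, and the rule names are constructed.

```python
"""Model of security policy rule ordering with rule groups.

Added illustration (Python, not H3C device code) of the documented group name
and group move behaviour: a group is a contiguous run of rules in match order,
the end rule must be listed after the start rule, a rule belongs to at most one
group, a group can be moved only before the start rule or after the end rule
of another group, and a grouped rule is effective only when both it and its
group are enabled. Class and method names are assumptions for the example.
"""
from typing import Dict, List, Optional


class SecurityPolicy:
    def __init__(self, rule_names: List[str]) -> None:
        self.rules: List[str] = list(rule_names)            # match order
        self.rule_enabled: Dict[str, bool] = {r: True for r in rule_names}
        self.groups: Dict[str, dict] = {}                   # name -> members, enabled

    def group_of(self, rule: str) -> Optional[str]:
        for name, grp in self.groups.items():
            if rule in grp["members"]:
                return name
        return None

    def group_name(self, group: str, start: Optional[str] = None,
                   end: Optional[str] = None, enabled: bool = True) -> List[str]:
        """group name <group> [ from <start> to <end> ] [ enable | disable ]"""
        members: List[str] = []
        if start is not None:
            i, j = self.rules.index(start), self.rules.index(end)
            if j < i:
                raise ValueError("end rule must be listed after the start rule")
            members = self.rules[i:j + 1]
            for rule in members:
                owner = self.group_of(rule)
                if owner not in (None, group):
                    raise ValueError(f"{rule} already belongs to group {owner}")
        grp = self.groups.setdefault(group, {"members": [], "enabled": enabled})
        grp["enabled"] = enabled
        grp["members"] = sorted(set(grp["members"]) | set(members), key=self.rules.index)
        return grp["members"]

    def undo_group_name(self, group: str, include_member: bool = False) -> List[str]:
        """undo group name <group> [ include-member ]: delete the group, and with
        include-member also delete every rule that was in it."""
        grp = self.groups.pop(group)
        if include_member:
            for rule in grp["members"]:
                self.rules.remove(rule)
                del self.rule_enabled[rule]
        return self.rules

    def group_move(self, group: str, where: str, target_group: Optional[str] = None,
                   target_rule: Optional[str] = None) -> List[str]:
        """group move <group> { after | before } { group <g> | rule <r> }"""
        if where not in ("before", "after"):
            raise ValueError("position must be 'before' or 'after'")
        members = self.groups[group]["members"]
        if target_group is not None:
            tg = self.groups[target_group]["members"]
            if not tg:
                raise ValueError(f"group {target_group} has no rules to anchor on")
            anchor = tg[0] if where == "before" else tg[-1]
        else:
            anchor = target_rule
            owner = self.group_of(anchor)
            if owner is not None:          # target inside a group: only its edges
                tg = self.groups[owner]["members"]
                allowed = set()
                if anchor == tg[0]:
                    allowed.add("before")
                if anchor == tg[-1]:
                    allowed.add("after")
                if where not in allowed:
                    raise ValueError(f"cannot move a group {where} rule {anchor}, "
                                     f"which is inside group {owner}")
        remaining = [r for r in self.rules if r not in members]
        idx = remaining.index(anchor) + (1 if where == "after" else 0)
        self.rules = remaining[:idx] + list(members) + remaining[idx:]
        return self.rules

    def effective_rules(self) -> List[str]:
        """Rules that can match packets: enabled, and in an enabled group if grouped."""
        out = []
        for rule in self.rules:
            owner = self.group_of(rule)
            if self.rule_enabled[rule] and (owner is None or self.groups[owner]["enabled"]):
                out.append(rule)
        return out
```

Because a group move changes match order for every rule in the group at once, the defender-side check after such a change is to compare effective_rules() before and after: a permissive rule that moves ahead of a more specific drop rule silently shadows it.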

Examples

# Create security policy rule group group1, add security policy rules rule-name1 through rule-name10 to the group, and specify the group description as marketing.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] group name group1 from rule-name1 to rule-name10 enable description marketing

group rename

Use group rename to rename a security policy rule group.

Syntax

group rename old-name new-name

Views

Security policy view

Predefined user roles

network-admin

Parameters

old-name: Specifies the name of a security policy rule group, a case-insensitive string of 1 to 63 characters.

new-name: Specifies a new name for the security policy rule group, a case-insensitive string of 1 to 63 characters.

Examples

# Rename security policy rule group group1 to group2.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] group rename group1 group2

learning enable

Use learning enable to enable security policy rule learning.

Use undo learning enable to disable security policy rule learning.

Syntax

learning enable

undo learning enable

Default

Security policy rule learning is disabled.

Views

Security policy rule view

Predefined user roles

network-admin

Usage guidelines

To ensure accurate packet filtering, configure strict security policy rules with fine granularity as a best practice. However, when the properties of the packets to be passed or dropped cannot be determined in advance, you can only configure security policy rules with relatively loose criteria to keep forwarding correct.

In this case, enable rule learning so that the system records the properties of packets that match the rule. You can then log in to the Web management interface of the device to view the records, summarize the properties of the packets to be passed or dropped, and refine the filtering criteria of the security policy rules.

Examples

# Enable security policy rule learning for security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] learning enable

Related commands

reset security-policy learning-records

logging enable

Use logging enable to enable logging for matched packets.

Use undo logging enable to disable logging for matched packets.

Syntax

logging enable

undo logging enable

Default

Logging for matched packets is disabled.

Views

Security policy rule view

Predefined user roles

network-admin

Usage guidelines

This feature enables the security policy module to send log messages to the information center, or to output them through fast log output, when packets match a security policy rule.

With the information center or fast log output, you can set log message filtering and output rules, including output destinations.

The information center can output packet matching logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view packet matching logs stored on the device, use the display logbuffer command or open the security policy log page from the Web interface of the device. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see System Management Configuration Guide.

Examples

# Enable matched packet logging for security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] logging enable

Related commands

display security-policy

move rule

Use move rule to move a security policy rule by rule ID.

Syntax

move rule rule-id1 { { after | before } rule-id2 | bottom | down | top | up }

Views

IPv4 security policy view

Predefined user roles

network-admin

Parameters

rule-id1: Specifies the ID of a rule to be moved, in the range of 0 to 4294967290.

after: Moves the rule to the position after the target rule.

before: Moves the rule to the position before the target rule.

rule-id2: Specifies the ID of the target rule before or after which the rule is placed. The target rule ID is in the range of 0 to 4294967290, or 4294967295. If you specify 4294967295 as the target rule ID, the rule is moved to the end of the list.

bottom: Moves the rule to the end of the list.

down: Moves the rule one position down.

top: Moves the rule to the beginning of the list.

up: Moves the rule one position up.

Usage guidelines

The system does not execute the command in the following situations:

·     You specify the same value for the rule-id1 and rule-id2 arguments.

·     You specify a nonexistent rule.

Examples

# Insert rule 5 before rule 2 for the IPv4 security policy.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] move rule 5 before 2

Related commands

rule

security-policy ip

move rule name

Use move rule name to move a security policy rule by rule name.

Syntax

move rule name rule-name1 { { after | before } name rule-name2 | bottom | down | top | up }

Views

Security policy view

Predefined user roles

network-admin

Parameters

rule-name1: Specifies the name of the rule to move, a case-insensitive string of 1 to 127 characters.

after: Moves the rule to the position after the target rule.

before: Moves the rule to the position before the target rule.

name rule-name2: Specifies the name of the target rule, a case-insensitive string of 1 to 127 characters.

bottom: Moves the rule to the end of the security policy.

down: Moves the rule one position down.

top: Moves the rule to the beginning of the security policy.

up: Moves the rule one position up.

Usage guidelines

You can move a rule to change its packet matching priority.
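The ordering semantics of move rule and move rule name, as an added example that is not H3C's code: an ordered rule list with the after/before/top/bottom/up/down operations, the 4294967295 end-of-list target, the two refused cases from the usage guidelines, and a first-match lookup showing that moving a rule changes which rule decides a packet. All class, function and rule names are my own; the packets are constructed dicts standing in for real traffic.

```python
"""Added example, not H3C's code: an ordered rule list with the move operations
the move rule and move rule name commands describe, plus a first-match lookup
to show that moving a rule changes which rule decides a packet. All names here
are my own; the operations, the 4294967295 end-of-list target and the refusal
to move a rule relative to itself or to a nonexistent rule are from the page."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Union

END_OF_LIST = 4294967295          # target rule-id2 that means "after the last rule"
Key = Union[int, str]             # rule ID (move rule) or rule name (move rule name)


@dataclass
class Rule:
    rule_id: int
    name: str
    action: str                    # "pass" or "drop"
    match: Callable[[dict], bool]  # constructed criterion standing in for real filters


class RuleList:
    """Rules in priority order: index 0 is consulted first."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)    # a new rule starts at the end of the list

    def _index(self, key: Key) -> int:
        for i, r in enumerate(self.rules):
            if r.rule_id == key or r.name == key:
                return i
        raise ValueError(f"rule {key!r} does not exist")

    def move(self, key: Key, where: str, target: Optional[Key] = None) -> None:
        """where is one of after, before, top, bottom, up, down."""
        i = self._index(key)           # nonexistent rule: command is not executed
        last = len(self.rules) - 1
        if where in ("after", "before"):
            if target == END_OF_LIST:
                new = last
            else:
                if key == target:      # same value for rule-id1 and rule-id2
                    raise ValueError("source and target rule must differ")
                j = self._index(target)
                if j > i:
                    j -= 1             # positions shift once the rule is removed
                new = j if where == "before" else j + 1
        elif where == "top":
            new = 0
        elif where == "bottom":
            new = last
        elif where == "up":
            new = max(i - 1, 0)
        elif where == "down":
            new = min(i + 1, last)
        else:
            raise ValueError(f"unknown position {where!r}")
        rule = self.rules.pop(i)
        self.rules.insert(new, rule)

    def order(self) -> List[str]:
        return [r.name for r in self.rules]

    def decide(self, packet: dict) -> Optional[str]:
        """Action of the first matching rule, or None if nothing matches."""
        for r in self.rules:
            if r.match(packet):
                return r.action
        return None


def demo_list() -> RuleList:
    """Constructed sample policy: a broad pass rule ahead of a narrower drop rule."""
    rl = RuleList()
    rl.add(Rule(0, "allow-all", "pass", lambda pkt: True))
    rl.add(Rule(1, "deny-telnet", "drop", lambda pkt: pkt.get("dport") == 23))
    return rl


if __name__ == "__main__":
    rl = demo_list()
    print(rl.order(), rl.decide({"dport": 23}))  # allow-all is consulted first
    rl.move(1, "before", 0)                        # same as: move rule 1 before 0
    print(rl.order(), rl.decide({"dport": 23}))  # deny-telnet now decides
```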

Examples

# Move rule rule1 to the place before rule rule2.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] move rule name rule1 before name rule2

Related commands

rule

security-policy ip

parent-group

Use parent-group to specify a security policy rule group for a security policy rule.

Use undo parent-group to restore the default.

Syntax

parent-group group-name

undo parent-group

Default

A security policy rule does not belong to any security policy rule group.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

group-name: Specifies the name of a security policy rule group, a case-insensitive string of 1 to 63 characters.

Examples

# Assign security policy rule rule1 to security policy rule group group1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 1 name rule1

[Sysname-security-policy-ip-1-rule1] parent-group group1

profile

Use profile to apply a DPI application profile to a security policy rule.

Use undo profile to remove the DPI application profile applied to a security policy rule.

Syntax

profile app-profile-name

undo profile

Default

No DPI application profile is applied to a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

app-profile-name: Specifies the name of a DPI application profile, a case-insensitive string of 1 to 63 characters. For more information about DPI application profiles, see DPI engine in DPI Configuration Guide.

Usage guidelines

This feature enables the device to perform DPI on packets matching the specified rule. For more information about DPI, see DPI Configuration Guide.

This feature takes effect only when the rule action is pass.

Examples

# Apply DPI application profile p1 to IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] action pass

[Sysname-security-policy-ip-0-rule1] profile p1

Related commands

action pass

app-profile (DPI Command Reference)

display security-policy ip

reset security-policy learning-records

Use reset security-policy learning-records to clear security policy rule learning records.

Syntax

reset security-policy learning-records [ ip ]

Views

User view

Predefined user roles

network-admin

network-operator

Parameters

ip: Specifies the IPv4 security policy.

If you do not specify the ip keyword, this command clears all security policy rule learning records.

Examples

# Clear all security policy rule learning records.

<Sysname> reset security-policy learning-records

Related commands

learning enable

reset security-policy statistics

Use reset security-policy statistics to clear security policy statistics.

Syntax

reset security-policy statistics [ ip ] [ rule rule-name ]

Views

Any view

Predefined user roles

network-admin

Parameters

ip: Specifies the IPv4 security policy.

rule rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters.

Usage guidelines

If you do not specify any keyword or option, the command clears all security policy statistics.

Examples

# Clear the security policy statistics about IPv4 security policy rule abc.

<Sysname> reset security-policy statistics ip rule abc

Related commands

display security-policy statistics

rule

Use rule to create a security policy rule and enter its view, or enter the view of an existing security policy rule.

Use undo rule to delete the specified security policy rule.

Syntax

rule { rule-id | [ rule-id ] name rule-name }

undo rule { rule-id | name rule-name } *

Default

No security policy rules exist.

Views

IPv4 security policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify an ID for the rule, the system automatically assigns the rule the next integer after the greatest ID in use. If the greatest ID in use is 65534, the system assigns the rule the smallest unused number in the range.

rule-name: Specifies a globally unique rule name, a case-insensitive string of 1 to 127 characters. The name cannot be default. You must specify a rule name when creating a rule.

Examples

# Create an IPv4 security policy rule with rule ID 0 and rule name rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1]

Related commands

display security-policy ip

rule rename

Use rule rename to rename a security policy rule.

Syntax

rule rename old-name new-name

Views

Security policy view

Predefined user roles

network-admin

Parameters

old-name: Specifies the current name, a case-insensitive string of 1 to 127 characters.

new-name: Specifies the new name, a case-insensitive string of 1 to 127 characters. The name must be globally unique and cannot be default.

Examples

# Change the name of security policy rule rule1 to rule2.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule rename rule1 rule2

Related commands

rule

security-policy ip

security-policy

Use security-policy to enter security policy view.

Use undo security-policy to delete all configurations in security policy view.

Syntax

security-policy ip

undo security-policy ip

Default

No configurations exist in security policy view.

Views

System view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

The undo security-policy ip command directly deletes all security policy configuration and might cause network interruption.

Examples

# Enter IPv4 security policy view.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip]

Related commands

display security-policy

security-policy config-logging send-time

Use security-policy config-logging send-time to set the time at which the device fast outputs security policy settings as logs every day.

Use undo security-policy config-logging send-time to restore the default.

Syntax

security-policy config-logging send-time time

undo security-policy config-logging send-time

Default

The device fast outputs security policy settings as logs every day at 0 o'clock.

Views

System view

Predefined user roles

network-admin

Parameters

time: Specifies the time at which the device fast outputs security policy settings as logs, in the format of hh:mm. The value range for the hh argument is 00 to 23 and the value range for the mm argument is 00 to 59.

Usage guidelines

After the customlog format security-policy sgcc command is executed, the device fast outputs settings of enabled security policies as logs in SGCC format every day at the specified time. For more information about fast log output, see Network Management and Monitoring Configuration Guide.

Examples

# Configure the device to fast output security policy settings as logs every day at 13:15.

<Sysname> system-view

[Sysname] security-policy config-logging send-time 13:15

Related commands

customlog format security-policy sgcc (Network Management and Monitoring Command Reference)

customlog host export security-policy (Network Management and Monitoring Command Reference)

security-policy disable

Use security-policy disable to disable the security policy feature.

Use undo security-policy disable to enable the security policy feature.

Syntax

security-policy disable

undo security-policy disable

Default

The security policy feature is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

The security-policy disable command disables the security policy feature and might cause traffic interruption.


Security policy settings take effect only when the security policy feature is enabled.

Examples

# Disable the security policy feature.

<Sysname> system-view

[Sysname] security-policy disable

security-policy object-strict-inspection enable

Use security-policy object-strict-inspection enable to enable strict object inspection.

Use undo security-policy object-strict-inspection enable to disable strict object inspection.

Syntax

security-policy object-strict-inspection enable

undo security-policy object-strict-inspection enable

Default

Strict object inspection is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Perform this task to prevent security policy rules from referencing objects that do not exist.

By default, security policy rules can successfully reference source addresses (address groups and MAC address groups), destination addresses (address groups), services, applications, application groups, users, user groups, terminals, terminal groups, profiles, and URLs, regardless of whether these objects exist.


NOTE:

The existence of user and user group objects can be checked only if user identification is enabled at the time they are referenced.


This feature takes effect on configurations added afterwards. Existing configurations with non-existent objects are not affected.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable strict object inspection.

<Sysname> system-view

[Sysname] security-policy object-strict-inspection enable

Related commands

security-policy ip

security-policy rules mandatory-item-control

Use security-policy rules mandatory-item-control to enable mandatory item control.

Use undo security-policy rules mandatory-item-control to disable mandatory item control.

Syntax

security-policy rules mandatory-item-control { ip | service } *

undo security-policy rules mandatory-item-control { ip | service } *

Default

Mandatory item control is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

ip: Specifies IP-related objects, including source/destination IP address object groups, host addresses, range addresses, subnet addresses, and regions/region groups. If none of these objects are configured, the rule does not take effect.

service: Specifies service-related objects, including services and service ports. If neither a service nor a service port is configured, the rule does not take effect.

Usage guidelines

To perform strict and refined packet filtering based on security policies, perform this task to configure specific types of filtering criteria as mandatory items for a security policy rule. With this feature enabled, rules not configured with the mandatory items do not take effect.

To specify the IP mandatory item:

·     When IP is specified as a mandatory item, you can specify the source/destination IP address object group as any to match all source/destination IP addresses.

·     When IP is not specified as a mandatory item, for a rule to match all source/destination IP addresses, do not specify IP filtering criteria. In this case, do not specify any as a source/destination IP address object group. If you do so, the rule cannot match any packets.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable mandatory item control for IP address-related objects and service-related objects.

<Sysname> system-view

[Sysname] security-policy rules mandatory-item-control ip service

Enabling this command will force the security policy rule to configure the source address, destination address and service, otherwise the security policy rule will not take effect.Continue? [Y/N]:

security-policy show-default-action enable

Use security-policy show-default-action enable to enable displaying of default actions in use.

Use undo security-policy show-default-action enable to disable displaying of default actions in use.

Syntax

security-policy show-default-action enable

undo security-policy show-default-action enable

Default

The default actions are not displayed in the configuration.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A security policy rule not configured with an action discards matching packets by default. This default action is not shown in the configuration. You can enable this feature to display the default action in the configuration.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable displaying the default actions in use.

<Sysname> system-view

[Sysname] security-policy show-default-action enable

Related commands

security-policy ip

service

Use service to specify a service object group as a filtering criterion of a security policy rule.

Use undo service to remove the specified service object group from a security policy rule.

Syntax

service { object-group-name | any }

undo service [ object-group-name | any ]

Default

No service object group is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

object-group-name: Specifies the name of a service object group, a case-insensitive string of 1 to 63 characters.

any: Specifies all service object groups.

Usage guidelines

You can execute the command multiple times to specify multiple service object groups as the filtering criteria.

If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.

If you specify neither an object group nor the any keyword when executing the undo service command, the command removes all service object groups from the security policy rule.

For a security policy rule, the number of configured service object groups cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

Examples

# Specify service object groups http and ftp as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] service http

[Sysname-security-policy-ip-0-rule1] service ftp

Related commands

display security-policy

object-group

service-port

Use service-port to specify a service port as a filtering criterion of a security policy rule.

Use undo service-port to remove the specified service port range from a security policy rule.

Syntax

service-port protocol [ { destination { { eq | lt | gt } port | range port1 port2 | port-list } | source { { eq | lt | gt } port | range port1 port2 | port-list } } * | icmp-type [ icmp-code ] | type icmp-type [ code { icmp-code-list } ] ]

undo service-port [ protocol [ { destination { { eq | lt | gt } port | range port1 port2 | port-list } | source { { eq | lt | gt } port | range port1 port2 | port-list } } * | icmp-type [ icmp-code ] | type icmp-type [ code { icmp-code-list } ] ] ]

Default

No service port is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

Parameters

protocol: Specifies the number or name of a protocol. The value range for protocol numbers and the available protocol names vary by security policy rule view.

·     For IPv4 security policy rule view, the value range for protocol numbers is 0 to 57 and 59 to 255. Available protocol names include tcp, udp, and icmp whose protocol numbers are 6, 17, and 1, respectively.

destination: Specifies the destination port. This configuration takes effect only when the protocol is TCP, UDP, or SCTP.

source: Specifies the source port. This configuration takes effect only when the protocol is TCP, UDP, or SCTP.

eq: Specifies only the port with the specified port number.

lt: Specifies all ports whose port numbers are smaller than the specified port. If you specify this keyword, the specified port number cannot be 0.

gt: Specifies all ports whose port numbers are larger than the specified port. If you specify this keyword, the specified port number cannot be 65535.

port: Specifies a port number in the range of 0 to 65535.

range port1 port2: Specifies a range of port numbers. The port1 argument represents the start port and the port2 argument represents the end port. Each port number is in the range of 0 to 65535.

port-list: Specifies a space-separated list of up to 15 port items. A port item specifies a single port number or specifies a range of port numbers in the form of port1 to port2. The value range for port numbers is 0 to 65535.

type: Specifies an ICMP message type. This configuration takes effect only when the protocol is ICMP.

code: Specifies an ICMP message code. This configuration takes effect only when the protocol is ICMP.

icmp-type: Specifies an ICMP message type in the range of 0 to 255. This configuration takes effect only when the protocol is ICMP.

icmp-code: Specifies the ICMP message code in the range of 0 to 255.

icmp-code-list: Specifies a space-separated list of up to 15 ICMP message code items. An ICMP message code item specifies a single code number or specifies a range of code numbers in the form of icmp-code1 to icmp-code2. The value range for code numbers is 0 to 255.

Usage guidelines

You can execute this command multiple times to specify multiple service ports as the filtering criteria.

If you specify a service port that has been configured as a service port filtering criterion, the command execution fails.

For a security policy rule, the number of configured service ports cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

When you specify the range keyword, follow these restrictions and guidelines:

·     If port1 is the same as port2, the command takes effect as if you specified the eq keyword.

·     If port1 is 0, the command takes effect as if you specified the lt keyword with port2 as the specified port.

·     If port2 is 65535, the command takes effect as if you specified the gt keyword with port1 as the specified port.

·     If port1 is larger than port2, the system automatically changes the port range to [port2, port1].

Other restrictions and guidelines:

·     port1 to port2: If the specified value for port1 is greater than that for port2, the port range is automatically changed to [port2, port1].

·     icmp-code1 to icmp-code2: If the specified value for icmp-code1 is greater than that for icmp-code2, the code range is automatically changed to [icmp-code2, icmp-code1].

If you do not specify any keyword or argument when executing the undo command, the command removes all service ports from the security policy rule.
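The port-criterion rewrite rules and limits described in the usage guidelines above, as an added example that is not H3C's code: a model that normalizes eq/lt/gt, range and port-list criteria exactly as the text states and then matches packet ports against them. Class and function names are my own; the sample port lists are constructed.

```python
"""Added example, not H3C's code: a model of how the service-port port criteria
in the usage guidelines above are normalized and matched. Names are my own;
the rules (range collapsing to eq/lt/gt, reversed bounds swapped, lt 0 and
gt 65535 rejected, up to 15 port-list items) are taken from the page."""
from dataclasses import dataclass
from typing import List

PORT_MAX = 65535
PORT_LIST_MAX_ITEMS = 15


@dataclass(frozen=True)
class PortCriterion:
    """One port criterion as stored after normalization."""
    op: str   # "eq", "lt", "gt" or "range"
    lo: int   # the port for eq/lt/gt, the start port for range
    hi: int   # the end port for range (same as lo otherwise)

    def matches(self, port: int) -> bool:
        if self.op == "eq":
            return port == self.lo
        if self.op == "lt":
            return port < self.lo      # "smaller than the specified port"
        if self.op == "gt":
            return port > self.lo      # "larger than the specified port"
        return self.lo <= port <= self.hi

    def cli(self) -> str:
        """Render in the keyword form used by the command syntax."""
        if self.op == "range":
            return f"range {self.lo} {self.hi}"
        return f"{self.op} {self.lo}"


def _check_port(port: int) -> None:
    if not 0 <= port <= PORT_MAX:
        raise ValueError(f"port {port} outside 0-{PORT_MAX}")


def normalize_operator(op: str, port: int) -> PortCriterion:
    """eq/lt/gt with the two values the page says cannot be used."""
    _check_port(port)
    if op not in ("eq", "lt", "gt"):
        raise ValueError(f"unknown operator {op!r}")
    if op == "lt" and port == 0:
        raise ValueError("lt 0 is not allowed: no port is smaller than 0")
    if op == "gt" and port == PORT_MAX:
        raise ValueError("gt 65535 is not allowed: no port is larger")
    return PortCriterion(op, port, port)


def normalize_range(port1: int, port2: int) -> PortCriterion:
    """range port1 port2, rewritten literally as the usage guidelines state."""
    _check_port(port1)
    _check_port(port2)
    if port1 > port2:                  # reversed bounds become [port2, port1]
        port1, port2 = port2, port1
    if port1 == port2:                 # same bounds: acts as eq
        return PortCriterion("eq", port1, port1)
    if port1 == 0:                     # starts at 0: acts as lt port2
        return PortCriterion("lt", port2, port2)
    if port2 == PORT_MAX:              # ends at 65535: acts as gt port1
        return PortCriterion("gt", port1, port1)
    return PortCriterion("range", port1, port2)


def parse_port_list(tokens: List[str]) -> List[PortCriterion]:
    """Parse a port-list such as ["10", "20", "to", "30"] into criteria.
    Items are single ports or 'port1 to port2'; at most 15 items."""
    items: List[PortCriterion] = []
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            p1, p2 = int(tokens[i]), int(tokens[i + 2])
            _check_port(p1)
            _check_port(p2)
            if p1 > p2:                # page: range becomes [port2, port1]
                p1, p2 = p2, p1
            items.append(PortCriterion("range", p1, p2))
            i += 3
        else:
            p = int(tokens[i])
            _check_port(p)
            items.append(PortCriterion("eq", p, p))
            i += 1
    if len(items) > PORT_LIST_MAX_ITEMS:
        raise ValueError(f"{len(items)} items, limit is {PORT_LIST_MAX_ITEMS}")
    return items


def any_match(criteria: List[PortCriterion], port: int) -> bool:
    """A packet port satisfies a criterion set if any item matches."""
    return any(c.matches(port) for c in criteria)
```

Taken literally, the page's rewrite of range 0 port2 into lt port2 leaves port2 itself unmatched under the strict definition of lt given above; confirm that boundary on the device before relying on it.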

Examples

# Specify TCP destination and source ports as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] service-port tcp destination range 100 200 source eq 100

# Specify a list of TCP destination and source ports as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] service-port tcp destination 10 20 to 30 source 30 to 40

# Specify an ICMP message type and code as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] service-port icmp 100 150

# Specify an ICMP message type and a list of ICMP message codes as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] service-port icmp type 100 code 150 180 to 200 210

Related commands

display security-policy

session aging-time

Use session aging-time to set the session aging time for a security policy rule.

Use undo session aging-time to restore the default.

Syntax

session aging-time time-value

undo session aging-time

Default

The session aging time is not configured for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

time-value: Specifies the aging time in the range of 1 to 2000000 seconds.

Usage guidelines

This command sets the aging time for stable sessions created for packets matching the specified security policy rule. It takes effect on both existing sessions and newly created sessions.

If the aging time is not configured for a rule, the stable sessions use the aging time set by using the session aging-time application or the session aging-time state command. For more information about session management, see Security Configuration Guide.

The unstable sessions age based on the default session aging time.

Examples

# Set the session aging time to 5000 seconds for security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] action pass

[Sysname-security-policy-ip-0-rule1] session aging-time 5000

Related commands

display security-policy

session aging-time application

session aging-time state

session persistent acl

session persistent aging-time

Use session persistent aging-time to set the aging time for persistent sessions.

Use undo session persistent aging-time to restore the default.

Syntax

session persistent aging-time time-value

undo session persistent aging-time

Default

The persistent session aging time is not configured for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

time-value: Specifies the aging time in the range of 0 to 24000 hours. If you set the aging time to 0, persistent sessions do not age out.

Usage guidelines

CAUTION:

Setting too long an aging time might cause persistent sessions to increase rapidly and therefore cause the CPU usage to be high.

 

This command is effective only on TCP sessions in ESTABLISHED state.

It sets the aging time for persistent sessions created for packets matching the specified security policy rule. It takes effect on both existing sessions and newly created sessions.

The aging time configured by using this command takes precedence over the aging times configured by using the session aging-time and session persistent acl commands.

Examples

# Set the persistent session aging time to one hour for security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] action pass

[Sysname-security-policy-ip-0-rule1] session persistent aging-time 1

Related commands

display security-policy

session persistent acl

source-ip

Use source-ip to specify a source IP address object group as a filtering criterion of a security policy rule.

Use undo source-ip to remove the specified source IP address object group from a security policy rule.

Syntax

source-ip object-group-name

undo source-ip [ object-group-name ]

Default

No source IP address object group is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

object-group-name: Specifies the name of a source IP address object group, a case-insensitive string of 1 to 63 characters. The name cannot be any. If you do not specify this argument when executing the undo source-ip command, the command removes all source IP address object groups from the rule. For more information about object groups, see Security Configuration Guide.

Usage guidelines

You can execute the command multiple times to specify multiple source IP address object groups as the filtering criteria.

If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.

For a security policy rule, the number of configured source IP address object groups cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

Examples

# Specify source IP address object groups server1 and server2 as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] source-ip server1

[Sysname-security-policy-ip-0-rule1] source-ip server2

Related commands

display security-policy

object-group

source-ip-host

Use source-ip-host to specify a source IPv4 host address as a filtering criterion of a security policy rule.

Use undo source-ip-host to remove the specified source IPv4 host address from a security policy rule.

Syntax

source-ip-host ip-address

undo source-ip-host [ ip-address ]

Default

No source IPv4 host address is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address of a host. If you do not specify this argument when executing the undo command, the command removes all source IPv4 host addresses from the security policy rule.

Usage guidelines

You can execute the command multiple times to specify multiple source IPv4 host addresses as the filtering criteria.

If you specify an IP address that has been configured as a source host filtering criterion, the command execution fails and the system prompts an error.

For a security policy rule, the sum of configured source host addresses, source subnets, and source address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

Examples

# Specify source IPv4 host address 192.167.0.1 as the filtering criterion of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] source-ip-host 192.167.0.1

Related commands

display security-policy

source-ip-range

Use source-ip-range to specify a source IPv4 address range as a filtering criterion of a security policy rule.

Use undo source-ip-range to remove the specified source IPv4 address range from a security policy rule.

Syntax

source-ip-range ip-address1 ip-address2

undo source-ip-range [ ip-address1 ip-address2 ]

Default

No source IPv4 address range is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

Parameters

ip-address1 ip-address2: Specifies an IPv4 address range. The ip-address1 argument represents the start IP address and the ip-address2 argument represents the end IP address. If you do not specify the arguments when executing the undo command, the command removes all source IPv4 address ranges from the security policy rule.

Usage guidelines

You can execute the command multiple times to specify multiple source IPv4 address ranges as the filtering criteria.

If you specify an IP address range that has been configured as a source IP range filtering criterion, the command execution fails and the system prompts an error.

For a security policy rule, the sum of configured source host addresses, source subnets, and source address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

When you specify an IP address range, follow these restrictions and guidelines:

·     If the start IP address is the same as the end IP address, the command creates a host address filtering criterion.

·     If the start IP address and the end IP address define a subnet, the command creates a subnet filtering criterion.

·     If ip-address1 is greater than ip-address2, the system automatically adjusts the range to [ ip-address2, ip-address1 ].

Examples

# Specify source IPv4 address range 192.165.0.100 to 192.165.0.200 as the filtering criterion of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] source-ip-range 192.165.0.100 192.165.0.200

Related commands

display security-policy

source-ip-subnet

Use source-ip-subnet to specify a source IPv4 subnet as a filtering criterion of a security policy rule.

Use undo source-ip-subnet to remove the specified source IPv4 subnet from a security policy rule.

Syntax

source-ip-subnet ip-address { mask-length | mask }

undo source-ip-subnet [ ip-address { mask-length | mask } ]

Default

No source IPv4 subnet is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

Parameters

ip-address { mask-length | mask }: Specifies an IPv4 subnet. You can specify the mask length or the mask in dotted decimal notation. The mask length is in the range of 0 to 32. If you set the mask length to 32 or the mask to 255.255.255.255, the command creates a host address filtering criterion. If you do not specify the arguments when executing the undo command, the command removes all source IPv4 subnets from the security policy rule.

Usage guidelines

You can execute the command multiple times to specify multiple source IPv4 subnets as the filtering criteria.

If you specify a subnet that has been configured as a source subnet filtering criterion, the command execution fails and the system prompts an error.

For a security policy rule, the sum of configured source host addresses, source subnets, and source address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
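The following Python script is an added example, not H3C code or device output. It applies the source address criterion rules stated in the source-ip-host, source-ip-range, and source-ip-subnet entries to a proposed rule so that a change can be checked before it is pushed to the device: a criterion that is already configured fails, the sum of host addresses, subnets, and address ranges is limited to 1024, a range with identical endpoints becomes a host criterion, a range whose endpoints define a subnet becomes a subnet criterion, reversed range endpoints are swapped, and a mask length of 32 (or mask 255.255.255.255) creates a host criterion. The class and method names are the script's own. Two points are assumptions: that "define a subnet" means the endpoints span exactly one CIDR block, and that host bits in a subnet argument are masked off rather than rejected.

```python
"""Offline pre-check of source IPv4 filtering criteria for a security policy rule.

Added example, not H3C code. It models the rules stated in the command
reference so a configuration change can be linted before it reaches the device.
"""
import ipaddress

# Shared limit for source host addresses + subnets + address ranges per rule.
MAX_SOURCE_ADDRESS_CRITERIA = 1024


class CriterionError(ValueError):
    """Raised where the device would reject the command and prompt an error."""


class SourceCriteria:
    """Source IPv4 criteria of one security policy rule, after normalization."""

    def __init__(self):
        self.hosts = set()    # e.g. "192.167.0.1"
        self.subnets = set()  # e.g. "192.167.0.0/24"
        self.ranges = set()   # e.g. ("192.165.0.100", "192.165.0.200")

    def count(self):
        """Sum of hosts, subnets and ranges: the quantity the 1024 limit applies to."""
        return len(self.hosts) + len(self.subnets) + len(self.ranges)

    def _add(self, bucket, key, command):
        # An already configured criterion fails, and so does any further add
        # once the shared limit has been reached (the reference says the command
        # fails and the system prompts an error in both cases).
        if key in bucket:
            raise CriterionError(f"{command}: criterion already configured")
        if self.count() >= MAX_SOURCE_ADDRESS_CRITERIA:
            raise CriterionError(
                f"{command}: limit of {MAX_SOURCE_ADDRESS_CRITERIA} "
                "source address criteria reached")
        bucket.add(key)
        return command  # the normalized command the device would keep

    def source_ip_host(self, ip):
        host = str(ipaddress.IPv4Address(ip))
        return self._add(self.hosts, host, f"source-ip-host {host}")

    def source_ip_subnet(self, ip, mask):
        """mask is a length 0..32 or a dotted-decimal mask. Mask length 32
        (or 255.255.255.255) creates a host criterion, as the reference states.
        Assumption: host bits in ip are masked off rather than rejected."""
        net = ipaddress.IPv4Network((ip, mask), strict=False)
        if net.prefixlen == 32:
            return self.source_ip_host(str(net.network_address))
        return self._add(self.subnets, str(net),
                         f"source-ip-subnet {net.network_address} {net.prefixlen}")

    def source_ip_range(self, ip1, ip2):
        start, end = ipaddress.IPv4Address(ip1), ipaddress.IPv4Address(ip2)
        if start > end:  # reversed endpoints are adjusted to [ip2, ip1]
            start, end = end, start
        if start == end:  # identical endpoints create a host criterion
            return self.source_ip_host(str(start))
        # Assumption: "the start and end address define a subnet" means the
        # range is exactly one CIDR block, e.g. 10.0.0.0-10.0.0.255 is 10.0.0.0/24.
        blocks = list(ipaddress.summarize_address_range(start, end))
        if len(blocks) == 1:
            return self.source_ip_subnet(str(blocks[0].network_address),
                                         blocks[0].prefixlen)
        return self._add(self.ranges, (str(start), str(end)),
                         f"source-ip-range {start} {end}")

    def commands(self):
        """Normalized criteria in the form the device would keep them."""
        return (sorted(f"source-ip-host {h}" for h in self.hosts)
                + sorted(f"source-ip-subnet {s.replace('/', ' ')}" for s in self.subnets)
                + sorted(f"source-ip-range {a} {b}" for a, b in self.ranges))


if __name__ == "__main__":
    # Constructed sample input mirroring the reference examples.
    rule1 = SourceCriteria()
    for cmd in (rule1.source_ip_host("192.167.0.1"),
                rule1.source_ip_range("192.165.0.200", "192.165.0.100"),
                rule1.source_ip_range("10.0.0.0", "10.0.0.255"),
                rule1.source_ip_subnet("192.166.0.0", "255.255.0.0")):
        print("accepted:", cmd)
    try:
        rule1.source_ip_host("192.167.0.1")
    except CriterionError as err:
        print("rejected:", err)
```

Each method returns the normalized command the device would hold, so a range that collapses to a host or subnet is reported as such, and a later attempt to add the same address in another form (for example the same subnet given as a range) is caught as a duplicate before the device has to reject it.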

Examples

# Specify the source subnet with IP address 192.167.0.0 and mask length 24 as a filtering criterion of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] source-ip-subnet 192.167.0.0 24

# Specify the source subnet with IP address 192.166.0.0 and mask 255.255.0.0 as a filtering criterion of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] source-ip-subnet 192.166.0.0 255.255.0.0

Related commands

display security-policy

source-mac

Use source-mac to specify a source MAC address object group as a filtering criterion of a security policy rule.

Use undo source-mac to remove the specified source MAC address object group from a security policy rule.

Syntax

source-mac object-group-name

undo source-mac [ object-group-name ]

Default

No source MAC address object group is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

Parameters

object-group-name: Specifies the name of a source MAC address object group, a case-insensitive string of 1 to 63 characters. The name cannot be any. If you do not specify this argument when executing the undo source-mac command, the command removes all source MAC address object groups from the rule. For more information about MAC address object groups, see Security Configuration Guide.

Usage guidelines

You can execute the command multiple times to specify multiple source MAC address object groups as the filtering criteria.

If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.

Examples

# Specify source MAC address object groups mac1 and mac2 as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] source-mac mac1

[Sysname-security-policy-ip-0-rule1] source-mac mac2

Related commands

display security-policy

object-group

ssid

Use ssid ssid-name to specify a service set identifier (SSID) as a filtering criterion for a security policy rule.

Use undo ssid to remove the specified SSID from a security policy rule.

Syntax

ssid ssid-name

undo ssid [ ssid-name ]

Default

No SSID is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

Parameters

ssid-name: Specifies an SSID for a wireless service template, a case-sensitive string of 1 to 32 characters.

Usage guidelines

You can execute this command multiple times to specify several SSIDs as the filtering criteria to match wireless packets from services with different SSIDs.

Examples

# Specify SSID ssid1 as the filtering criterion of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 1 name rule1

[Sysname-security-policy-ip-1-rule1] ssid ssid1

time-range

Use time-range to specify the time range during which a security policy rule is in effect.

Use undo time-range to restore the default.

Syntax

time-range time-range-name

undo time-range [ time-range-name ]

Default

A security policy rule is in effect at any time.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

time-range-name: Specifies the name of a time range, a case-insensitive string of 1 to 63 characters. The time range name cannot be all. If you do not specify this argument for the undo command, the command deletes the time range during which the rule takes effect. For more information about time ranges, see Security Configuration Guide.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable security policy rule rule1 to be in effect during time range work.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] time-range work

Related commands

display security-policy

time-range (Security Command Reference)

track

Use track to associate a security policy rule with a track entry.

Use undo track to disassociate a security policy rule from the track entry.

Syntax

track { negative | positive } track-entry-number

undo track

Default

No track entry is associated with a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

negative: Specifies the Negative state of a track entry.

positive: Specifies the Positive state of a track entry.

track-entry-number: Specifies the number of a track entry, in the range of 1 to 1024. For more information about Track, see High Availability Configuration Guide.

Usage guidelines

Use this command to enable the collaboration between the track module and a security policy rule. The collaboration operates as follows:

·     If a rule is associated with the Negative state of a track entry, the device:

      ○     Sets the rule state to Active if the track entry is in Negative state.

      ○     Sets the rule state to Inactive if the track entry is in Positive state.

·     If a rule is associated with the Positive state of a track entry, the device:

      ○     Sets the rule state to Active if the track entry is in Positive state.

      ○     Sets the rule state to Inactive if the track entry is in Negative state.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Associate security policy rule rule1 with the Positive state of track entry 10.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] track positive 10

Related commands

display security-policy

track interface (High Availability Command Reference)

track ip route reachability (High Availability Command Reference)

track nqa (High Availability Command Reference)

url-category

Use url-category to specify a URL category as a filtering criterion of a security policy rule.

Use undo url-category to remove the specified URL category filtering criterion from a security policy rule.

Syntax

url-category url-category-name

undo url-category [ url-category-name ]

Default

No URL category is specified as a filtering criterion of a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

url-category-name: Specifies the name of a URL category, a case-insensitive string of 1 to 63 characters. If you do not specify this argument when executing the undo url-category command, the command removes all URL categories from the rule. For more information about URL categories, see DPI Configuration Guide.

Usage guidelines

You can execute this command multiple times to specify multiple URL categories as the filtering criteria.

Examples

# Specify URL category category1 as a filtering criterion of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] url-category category1

Related commands

display security-policy

url-filter category (DPI Command Reference)

user

Use user to specify a user as a filtering criterion of a security policy rule.

Use undo user to remove the specified user filtering criterion from a security policy rule.

Syntax

user username [ domain domain-name ]

undo user [ username [ domain domain-name ] ]

Default

No user is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

username: Specifies a username, a case-sensitive string of 1 to 55 characters. The name cannot be a, al, or all and cannot contain at signs (@). If you do not specify this argument when executing the undo user command, the command removes all users from the rule. For more information about users and identity domains, see user identification in User Access and Authentication Configuration Guide.

domain domain-name: Matches the user in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The string cannot contain forward slashes (/), backslashes (\), vertical bars (|), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@). If you do not specify this option, the command matches the user among users that do not belong to any identity domain.

Usage guidelines

You can execute the command multiple times to specify multiple users as the filtering criteria.

Examples

# Specify users usera and userb in identity domain test as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] user usera domain test

[Sysname-security-policy-ip-0-rule1] user userb domain test

Related commands

display security-policy

user-identity enable

user-identity static-user

user-group

Use user-group to specify a user group as a filtering criterion of a security policy rule.

Use undo user-group to remove the specified user group filtering criterion from a security policy rule.

Syntax

user-group user-group-name [ domain domain-name ]

undo user-group [ user-group-name [ domain domain-name ] ]

Default

No user group is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

Parameters

user-group-name: Specifies the name of a user group, a case-insensitive string of 1 to 200 characters. If you do not specify this argument when executing the undo user-group command, the command removes all user groups from the rule. For more information about user groups and identity domains, see user identification in User Access and Authentication Configuration Guide.

domain domain-name: Matches the user group in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The string cannot contain forward slashes (/), backslashes (\), vertical bars (|), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@). If you do not specify this option, the command matches the user group among user groups that do not belong to any identity domain.

Usage guidelines

You can execute the command multiple times to specify multiple user groups as the filtering criteria.

Examples

# Specify user groups groupa and groupb in identity domain test as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] user-group groupa domain test

[Sysname-security-policy-ip-0-rule1] user-group groupb domain test

Related commands

display security-policy

user-group
