17-DPI Command Reference


URL filtering commands

add

Use add to add a blacklist or whitelist rule to a URL filtering policy.

Use undo add to delete a blacklist or whitelist rule from a URL filtering policy.

Syntax

add { blacklist | whitelist } [ id ] host { regex host-regex | text host-name } [ uri { regex uri-regex | text uri-name } ]

undo add { blacklist | whitelist } { id | all }

Default

No blacklist or whitelist rules exist in a URL filtering policy.

Views

URL filtering policy view

Predefined user roles

network-admin

Parameters

blacklist: Specifies the blacklist rule type.

whitelist: Specifies the whitelist rule type.

id: Specifies a rule ID. The value must be an integer in the range of 1 to 65535. The ID of a blacklist or whitelist rule must be unique among all rules of the same type. If you do not specify a rule ID, the system automatically assigns an available ID to the rule according to the largest rule ID N used on the device:

·     If N is smaller than 65535, the smallest available ID that is larger than N is used.

·     If N equals 65535, the smallest available ID is used.

host: Matches the host field in the URL.

uri: Matches the URI field in the URL.

regex regex: Specifies a case-sensitive regular expression string pattern. The string can start with only letters, digits, or underscores (_), and it must contain a minimum of three consecutive non-wildcard characters.

·     If the host keyword is specified, the string can contain 3 to 224 characters.

·     If the uri keyword is specified, the string can contain 3 to 245 characters.

text string: Specifies a case-insensitive text string pattern, which must contain a minimum of three consecutive non-wildcard characters.

·     If the host keyword is specified, the string can contain 3 to 224 characters. Valid characters are letters, digits, underscores (_), hyphens (-), colons (:), left square brackets ([), right square brackets (]), dots (.), and asterisk (*).

·     If the uri keyword is specified, the string can contain 3 to 245 characters.

all: Specifies all rules of the specified type.

Usage guidelines

The device supports using URL-based whitelist and blacklist rules to filter HTTP packets. If the URL in an HTTP packet matches a blacklist rule, the packet is dropped. If the URL matches a whitelist rule, the packet is permitted to pass through.

Follow these guidelines when you use the asterisk character (*) in the text string pattern for hostname or URI matching:

·     For hostname matching, the asterisk (*) can appear only at the beginning or end of the text string pattern as a wildcard character to match zero or more characters.

·     For URI matching, the asterisk (*) can appear at the beginning or end of the text string pattern as a wildcard character to match zero or more characters, or appear in the middle as a non-wildcard character.

When you configure a regular expression in a blacklist or whitelist rule, follow these restrictions and guidelines:

·     The regular expression pattern can contain a maximum of four branches. For example, 'abc(c|d|e|\x3D)' is valid, and 'abc(c|onreset|onselect|onchange|style\x3D)' is invalid.

·     Nested braces are not allowed. For example, 'ab((abcs*?))' is invalid.

·     A branch cannot be specified after another branch. For example, 'ab(a|b)(c|d)^\\r\\n]+?' is invalid.

·     A minimum of four non-wildcard characters must exist before an asterisk (*) or question mark (?). For example, 'abc*' is invalid and 'abcd*DoS\x2d\d{5}\x20\x2bxi\\r\\nJOIN' is valid.

Examples

# In URL filtering policy news, add a blacklist rule to match URLs with the host field starting with example.com.

<Sysname> system-view

[Sysname] url-filter policy news

[Sysname-url-filter-policy-news] add blacklist 1 host text example.com*

category action

Use category action to specify actions for a URL category.

Use undo category to remove the action setting from a URL category.

Syntax

category category-name action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]

undo category category-name

Default

A URL category does not have any action specified.

Views

URL filtering policy view

Predefined user roles

network-admin

Parameters

category-name: Specifies a URL category by its name, a case-insensitive string of 1 to 63 characters. Chinese characters are supported.

action: Specifies the action for the matching packets.

block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."

drop: Drops matching packets.

permit: Permits matching packets to pass.

redirect: Redirects HTTP request packets to a webpage.

reset: Disconnects the TCP connection for matching packets.

logging: Logs matching packets.

parameter-profile parameter-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a profile, or if the specified profile does not exist, the URL filtering action uses the default parameter settings. For information about configuring parameter profiles, see "DPI engine commands."

Usage guidelines

If an HTTP packet matches a URL filtering rule in a URL category, the action specified for the category applies to the packet.

If the packet matches none of the URL filtering rules in the URL filtering policy, the default action specified for the policy applies to the packet. If the default action is not configured, the device permits the packet to pass.

If you execute this command for a URL category multiple times, the most recent configuration takes effect.

Examples

# In the URL filtering policy news, specify the drop action for the URL category sina.

<Sysname> system-view

[Sysname] url-filter policy news

[Sysname-url-filter-policy-news] category sina action drop

Related commands

inspect block-source parameter-profile

inspect redirect parameter-profile

url-filter category

url-filter policy

default-action

Use default-action to specify the default action for a URL filtering policy.

Use undo default-action to restore the default.

Syntax

default-action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]

undo default-action

Default

A URL filtering policy does not have any default action.

Views

URL filtering policy view

Predefined user roles

network-admin

Parameters

block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."

drop: Drops matching packets.

permit: Permits packets to pass.

redirect: Redirects matching packets to a webpage.

reset: Disconnects the TCP connection for HTTP request packets.

logging: Logs matching packets.

parameter-profile parameter-name: Specifies a DPI action parameter profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a profile, or if the specified profile does not exist, the DPI action uses the default parameter settings. For information about configuring parameter profiles for DPI actions, see "DPI engine commands."

Usage guidelines

The default action applies to packets that do not match any URL filtering rules.

Examples

# Set the default action to drop for URL filtering policy cmcc.

<Sysname> system-view

[Sysname] url-filter policy cmcc

[Sysname-url-filter-policy-cmcc] default-action drop

Related commands

inspect block-source parameter-profile

inspect redirect parameter-profile

url-filter policy

description

Use description to configure a description for a URL category.

Use undo description to restore the default.

Syntax

description text

undo description

Default

A user-defined URL category does not have a description.

Views

URL category view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-insensitive string of 1 to 255 characters. Spaces are allowed.

Usage guidelines

Use this command to configure descriptions for URL categories for easy maintenance.

Examples

# Configure the description as News information for URL category news.

<Sysname> system-view

[Sysname] url-filter category news

[Sysname-url-filter-category-news] description News information

display url-filter category

Use display url-filter category to display URL category information.

Syntax

display url-filter { category | parent-category } [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

category: Specifies child URL categories.

parent-category: Specifies parent URL categories.

verbose: Displays detailed URL category information. If you do not specify this keyword, this command displays the summarized URL category information.

Usage guidelines

The device supports two levels of predefined URL categories: child URL category and parent URL category. A predefined parent URL category contains only predefined child URL categories.

Examples

# Display information about child URL categories.

<Sysname> display url-filter category

URL category statistics:

  Predefined categories: 53

  Predefined rules: 2000

  User-defined categories: 5

  User-defined rules: 4

 

URL categories:

  Name : 23

  Name : 24

  Name : 33

  Name : Pre-AdvertisementsAndPop-Ups

  Name : Pre-AlcoholAndTobacco

  Name : Pre-Anonymizers

  Name : Pre-Arts

  Name : Pre-Business

  Name : Pre-Chat

  Name : Pre-ComputersAndTechnology

  Name : Pre-CriminalActivity

  Name : Pre-Cults

  Name : Pre-DatingAndPersonals

  Name : Pre-DownloadSites

  Name : Pre-Education

  Name : Pre-Entertainment

  Name : Pre-FashionAndBeauty

# Display detailed information about child URL categories.

<Sysname> display url-filter category verbose

URL category statistics:

  Predefined categories: 53

  Predefined rules: 2000

  User-defined categories: 5

  User-defined rules: 4

 

URL category details:

  Name: 23

  Type: User defined

  Severity: 1001

  Rules: 1

  Description:

  Name: 24

  Type: User defined

  Severity: 1002

  Rules: 1

  Description:

  Name: Pre-AdvertisementsAndPop-Ups

  Type: Predefined

  Severity: 300

  Rules: 32

  Description: Sites that provide advertising graphics or other ad content fi

               les such as banners and pop-ups.

  Name: Pre-AlcoholAndTobacco

  Type: Predefined

  Severity: 960

  Rules: 7

  Description: Sites that promote or sell alcohol- or tobacco-related product

                  s or services.

...

Table 1 Command output

Field: Description

Predefined categories: Number of predefined child URL categories.

Predefined rules: Number of predefined URL filtering rules.

User-defined categories: Number of user-defined child URL categories.

User-defined rules: Number of user-defined URL filtering rules.

URL category details: Detailed information about the child URL categories.

Name: Name of the child URL category.

Type: Type of the child URL category, Predefined or User Defined.

Severity: Severity level of the child URL category.

Rules: Number of rules in the child URL category.

# Display information about parent URL categories.

<Sysname> display url-filter parent-category

URL parent category statistics:

  Predefined parent categories: 40

  Included predefined categories: 14

URL parent categories:

  Parent category name: SearchEngineAndPortal

  Parent category name: P2PAndDownload

  Parent category name: OrdinaryDownload

  Parent category name: House

  Parent category name: EducationAndScientificResearch

  Parent category name: Finance

  Parent category name: StreamMediaAndVideo

  Parent category name: Shopping

  Parent category name: TransportationVehicle

  Parent category name: Travel

 

...

# Display detailed information about parent URL categories.

<Sysname> display url-filter parent-category verbose

URL parent category statistics:

  Predefined parent categories: 46

  Included predefined categories: 139

URL parent category details:

  Parent category name: Pre-Adult

  Type: Predefined

  Description: Adult

  Included categories: 7

    Pre-Abortion

    Pre-AdultSuppliers

    Pre-Homosexual

    Pre-Nudity

    Pre-OtherAdult

    Pre-SexualHealth

    Pre-Vulgar

  Parent category name: Pre-Arts

  Type: Predefined

  Description: Arts

  Included categories: 1

    Pre-Arts

...

Table 2 Command output

Field: Description

Predefined parent categories: Number of predefined parent URL categories.

Included predefined categories: Total number of predefined URL categories included in all parent URL categories.

URL parent category details: Detailed information about the parent URL categories.

Parent category name: Name of the parent URL category.

Type: Type of the parent URL category. The device supports only predefined parent URL categories.

Description: Description of the parent URL category.

Included categories: Number of child URL categories in the parent URL category.

display url-filter signature library

Use display url-filter signature library to display information about the URL signature library.

Syntax

display url-filter signature library

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about the URL signature library.

<Sysname> display url-filter signature library

URL filter signature library information:

Type      SigVersion         ReleaseTime               Size

Current   1.0.0              Wed Jan 21 06:43:53 2015  36096

Factory   1.0.0              Wed Jan 21 06:43:53 2015  36096

Table 3 Command output

Field: Description

Type: Version of the URL signature library:

·     Current—Current version.

·     Factory—Factory default version.

SigVersion: Version number.

ReleaseTime: Time when the URL signature library was released.

Size: Size of the URL signature library, in bytes.

display url-filter statistics

Use display url-filter statistics to display URL filtering statistics.

Syntax

display url-filter statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display URL filtering statistics.

<Sysname> display url-filter statistics

--------------------------------------------------------

Slot 1 :

Total HTTP requests                         : 0

Total HTTPS handshakes                      : 0

Total logged requests                       : 0

Total logging rate                          : 0/s

Total permitted requests and handshakes     : 0

Total denied requests                       : 0

Requests that matched the blacklist         : 0

Requests that matched the whitelist         : 0

Requests that matched the referer-whitelist : 0

Requests that matched a user-defined rule   : 0

Requests that matched a predefined rule     : 0

Requests that matched a cached rule         : 0

Requests that matched the default action    : 0

Requests that matched URLs in URL reputation library : 0

Predefined URL filtering rules              : 2000

--------------------------------------------------------

Table 4 Command output

Field: Description

Total HTTP requests: Total number of HTTP packets.

Total HTTPS handshakes: Total number of encrypted traffic hits.

Total logged requests: Total number of logged HTTP packets.

Total HTTP logging rate: Logging rate for HTTP packets.

Total permitted HTTP requests: Total number of permitted HTTP packets.

Total denied HTTP requests: Total number of denied HTTP packets.

Requests that matched the blacklist: Number of HTTP packets that matched a blacklist rule.

Requests that matched the whitelist: Number of HTTP packets that matched a whitelist rule.

Requests that matched the referer-whitelist: Number of HTTP packets with a referer header that matched a whitelist rule.

Requests that matched a user-defined rule: Number of HTTP packets that matched a user-defined URL filtering rule.

Requests that matched a predefined rule: Number of HTTP packets that matched a predefined URL filtering rule.

Requests that matched a cached rule: Number of HTTP packets that matched a cached URL filtering rule.

Requests that matched the default action: Number of HTTP packets on which the default action is executed.

Requests that matched URLs in URL reputation library: This field is not supported in the current software version. Total number of requests that matched URLs in the URL reputation library.

Predefined URL filtering rules: Total number of predefined URL filtering rules.

include pre-defined

Use include pre-defined to add the URL filtering rules of a predefined URL category to a user-defined URL category.

Use undo include pre-defined to restore the default.

Syntax

include pre-defined category-name

undo include pre-defined

Default

A user-defined URL category does not contain the URL filtering rules of any predefined URL category.

Views

URL category view

Predefined user roles

network-admin

Parameters

category-name: Specifies a predefined URL category by its name, a case-sensitive string of 1 to 63 characters. The specified URL category must exist on the device.

Usage guidelines

To simplify URL category configuration, you can use this command to add the URL filtering rules of a predefined URL category to a user-defined URL category.

You can add URL filtering rules of only one predefined URL category to a user-defined URL category. If you execute this command for a URL category multiple times, the most recent configuration takes effect.

Examples

# Add the URL filtering rules of predefined URL category Pre-Arts to URL category news.

<Sysname> system-view

[Sysname] url-filter category news

[Sysname-url-filter-category-news] include pre-defined Pre-Arts

referer-whitelist enable

Use referer-whitelist enable to enable the referer whitelist.

Use undo referer-whitelist enable to disable the referer whitelist.

Syntax

referer-whitelist enable

undo referer-whitelist enable

Default

Referer whitelist is enabled.

Views

URL filtering policy view

Predefined user roles

network-admin

Usage guidelines

The referer whitelist is useful when you want to allow users to access links on the webpages that match the whitelist rules.

If this feature is disabled, users can visit a webpage when the URL of the webpage matches a whitelist rule, but other links on the accessed webpage are inaccessible. To solve this problem, enable this feature. It allows the device to extract the referer header of an HTTP or HTTPS request and compare the referer header with whitelist rules. If a match is found, the device permits the HTTP or HTTPS request to pass through. If no match is found, the device drops the HTTP or HTTPS request.

Examples

# Enable referer whitelist in URL filtering policy news.

<Sysname> system-view

[Sysname] url-filter policy news

[Sysname-url-filter-policy-news] referer-whitelist enable

Related commands

add

rename

Use rename to rename a URL filtering policy.

Syntax

rename new-name

Views

URL filtering policy view

Predefined user roles

network-admin

Parameters

new-name: Specifies a new name for the URL filtering policy, a case-insensitive string of 1 to 31 characters.

Usage guidelines

If you change the name of a URL filtering policy that has been assigned to a DPI application profile, the policy name in the DPI application profile is also changed.

Examples

# Rename URL filtering policy news to hello, and enter the view of URL filtering policy hello.

<Sysname> system-view

[Sysname] url-filter policy news

[Sysname-url-filter-policy-news] rename hello

[Sysname-url-filter-policy-hello]

reset url-filter statistics

Use reset url-filter statistics to clear URL filtering statistics.

Syntax

reset url-filter statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear URL filtering statistics.

<Sysname> reset url-filter statistics

Related commands

display url-filter statistics

rule

Use rule to create a URL filtering rule for a user-defined URL category.

Use undo rule to delete a URL filtering rule from a user-defined URL category.

Syntax

rule rule-id host { regex regex | text string } [ uri { regex regex | text string } ]

undo rule rule-id

Default

A user-defined URL category does not have any URL filtering rules.

Views

URL category view

Predefined user roles

network-admin

Parameters

rule-id: Assigns an ID to the URL filtering rule, in the range of 1 to 65535.

host: Matches URLs by the hostname field.

uri: Matches URLs by the URI field.

regex regular-expression: Specifies a case-sensitive regular expression string pattern. The string can start with only letters, digits, or underscores (_), and it must contain a minimum of three consecutive non-wildcard characters.

·     If the host keyword is specified, the string can contain 3 to 224 characters.

·     If the uri keyword is specified, the string can contain 3 to 253 characters.

text string: Specifies a case-insensitive text string pattern, which must contain a minimum of three consecutive non-wildcard characters.

·     If the host keyword is specified, the string can contain 3 to 224 characters. Valid characters are letters, digits, underscores (_), hyphens (-), colons (:), left square brackets ([), right square brackets (]), dots (.), and asterisk (*).

·     If the uri keyword is specified, the string can contain 3 to 255 characters.

Usage guidelines

A URL filtering rule supports the following URL matching methods:

·     Text-based matching—Matches the hostname and URI fields of a URL against text string patterns.

When performing text-based matching for the hostname field of a URL, the device first determines if the text string pattern contains the asterisk (*) wildcard character at the beginning or end.

¡     If the text string pattern does not contain the asterisk (*) wildcard character at the beginning or end, the hostname matching succeeds if the hostname of the URL matches the text string pattern.

¡     If the text string pattern contains the asterisk (*) wildcard character at the beginning, the hostname matching succeeds if the hostname of the URL matches or ends with the text string pattern without the wildcard character.

¡     If the text string pattern contains the asterisk (*) wildcard character at the end, the hostname matching succeeds if the hostname of the URL matches or starts with the text string pattern without the wildcard character.

¡     If the text string pattern contains the asterisk (*) wildcard character at both the beginning and the end, the hostname matching succeeds if the hostname of the URL matches or includes the text string pattern without the wildcard characters.

Text-based matching for the URI field works in the same way that text-based matching for the hostname field works.

·     Regular expression-based matching—Matches the hostname and URI fields of a URL against regular expressions. For example, if you set the regular expression for hostname matching to sina.*cn, URLs that carry the news.sina.com.cn hostname will be matched.

Follow these guidelines when you use the asterisk character (*) in the text string for hostname or URI matching:

·     For hostname matching, the asterisk (*) can appear only at the beginning or end of the text string as a wildcard character to match zero or more characters.

·     For URI matching, the asterisk (*) can appear at the beginning or end of the text string pattern as a wildcard character to match zero or more characters, or appear in the middle as a non-wildcard character.
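The text-based hostname matching cases and the asterisk placement rules above, as an added example that is not H3C code: a validator for host text patterns and a matcher that follows the four documented cases. The function names and the sample hostnames are constructed for illustration; URI patterns and regular expressions are not covered.

```python
import re

# Characters the reference allows in a host text pattern.
HOST_CHARS = re.compile(r"[A-Za-z0-9_\-:\[\].*]+")


def validate_host_text(pattern):
    """Return the documented constraints that a host text pattern violates."""
    problems = []
    if not 3 <= len(pattern) <= 224:
        problems.append("length must be 3 to 224 characters")
    if not HOST_CHARS.fullmatch(pattern):
        problems.append("invalid character for a host text pattern")
    if "*" in pattern[1:-1]:
        problems.append("asterisk allowed only at the beginning or end")
    if not re.search(r"[^*]{3}", pattern):
        problems.append("needs three consecutive non-wildcard characters")
    return problems


def host_text_matches(pattern, hostname):
    """Apply the four text-matching cases; comparison is case-insensitive."""
    p, h = pattern.lower(), hostname.lower()
    lead = p.startswith("*")
    trail = len(p) > 1 and p.endswith("*")
    core = p[int(lead):len(p) - int(trail)]   # pattern without its wildcards
    if lead and trail:
        return core in h            # hostname includes the string
    if lead:
        return h.endswith(core)     # hostname ends with the string
    if trail:
        return h.startswith(core)   # hostname starts with the string
    return h == core                # no wildcard: whole hostname must match


def audit(patterns, hostnames):
    """For each pattern, list constraint violations and the hostnames it matches."""
    report = {}
    for pat in patterns:
        problems = validate_host_text(pat)
        hits = [] if problems else [h for h in hostnames if host_text_matches(pat, h)]
        report[pat] = {"problems": problems, "matches": hits}
    return report


# Constructed sample data (not from the device).
PATTERNS = ["example.com*", "*example.com", "*.example.com",
            "*example*", "exa*mple.com", "ab*"]
HOSTS = ["example.com", "EXAMPLE.com", "www.example.com",
         "example.com.cn", "myexample.com"]

if __name__ == "__main__":
    for pat, result in audit(PATTERNS, HOSTS).items():
        print(pat, "->", result["problems"] or result["matches"])
```

The run shows that example.com* also matches example.com.cn and that *example.com also matches myexample.com, so a pattern meant to cover only subdomains needs the leading dot (*.example.com).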

When you configure a regular expression in a URL filtering rule, follow these restrictions and guidelines:

·     The regular expression pattern can contain a maximum of four branches. For example, 'abc(c|d|e|\x3D)' is valid, and 'abc(c|onreset|onselect|onchange|style\x3D)' is invalid.

·     Nested braces are not allowed. For example, 'ab((abcs*?))' is invalid.

·     A branch cannot be specified after another branch. For example, 'ab(a|b)(c|d)^\\r\\n]+?' is invalid.

·     A minimum of four non-wildcard characters must exist before an asterisk (*) or question mark (?). For example, 'abc*' is invalid and 'abcd*DoS\x2d\d{5}\x20\x2bxi\\r\\nJOIN' is valid.

Examples

# In URL category news, create a URL filtering rule to match URLs with the host field starting with sina.com.

<Sysname> system-view

[Sysname] url-filter category news

[Sysname-url-filter-category-news] rule 10 host text sina.com*

Related commands

url-filter category

update schedule (automatic URL signature library update configuration view)

Use update schedule to configure a schedule for automatic URL signature library update.

Use undo update schedule to restore the default.

Syntax

update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes

undo update schedule

Default

The device starts the URL signature library update at a random time between 01:00:00 and 03:00:00 every day.

Views

Automatic URL signature library update configuration view

Predefined user roles

network-admin

Parameters

daily: Updates the URL signature library every day.

weekly: Updates the URL signature library every week.

fri: Updates the URL signature library every Friday.

mon: Updates the URL signature library every Monday.

sat: Updates the URL signature library every Saturday.

sun: Updates the URL signature library every Sunday.

thu: Updates the URL signature library every Thursday.

tue: Updates the URL signature library every Tuesday.

wed: Updates the URL signature library every Wednesday.

start-time time: Specifies the start time in hh:mm:ss format. The value range is 00:00:00 to 23:59:59.

tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will start at a random time between the following time points:

·     Start time minus half the tolerance time.

·     Start time plus half the tolerance time.

Examples

# Configure the device to automatically start the URL signature library update every Sunday at a random time between 20:25:00 and 20:35:00.

<Sysname> system-view

[Sysname] url-filter signature auto-update

[Sysname-url-filter-autoupdate] update schedule weekly sun start-time 20:30:00 tingle 10

Related commands

url-filter signature auto-update

url-filter apply policy

Use url-filter apply policy to apply a URL filtering policy to a DPI application profile.

Use undo url-filter apply policy to remove the URL filtering policy from a DPI application profile.

Syntax

url-filter apply policy policy-name

undo url-filter apply policy

Default

No URL filtering policy is applied to a DPI application profile.

Views

DPI application profile view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a URL filtering policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A URL filtering policy takes effect only after it is applied to a DPI application profile.

You can apply only one URL filtering policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply URL filtering policy news to DPI application profile abc.

<Sysname> system-view

[Sysname] app-profile abc

[Sysname-app-profile-abc] url-filter apply policy news

Related commands

app-profile

display app-profile

display url-filter policy

url-filter category

Use url-filter category to create a user-defined URL category and enter its view, or enter the view of an existing URL category.

Use undo url-filter category to delete a URL category.

Syntax

url-filter category category-name [ severity severity-level ]

undo url-filter category category-name

Default

The device has only predefined URL categories with the name prefix Pre-.

Views

System view

Predefined user roles

network-admin

Parameters

category-name: Specifies the URL category name, a case-insensitive string of 1 to 63 characters. Valid characters are letters, Chinese characters, digits, underscores (_), hyphens (-), and dots (.). The category name cannot start with Pre- and must be different from the Chinese name of any predefined URL category.

severity severity-level: Specifies a severity level for the URL category. The value range is 1000 to 65535, and the default is 65535. The larger the value, the higher the severity level. The severity level of each user-defined URL category must be unique. This option is required when you create a URL category.

Usage guidelines

URL filtering provides the URL categorization feature to facilitate filtering rule management.

You can classify multiple URL filtering rules into a URL category and specify an action for the category. If a matching rule is in multiple URL categories, the system takes the action for the category with the highest severity level.

URL filtering supports the following types of URL categories:

·     Predefined URL categories.

The predefined URL categories contain the predefined URL filtering rules. Each predefined URL category has a unique severity level in the range of 1 to 999, and a category name that begins with Pre-. Predefined URL categories cannot be modified.

·     User-defined URL categories.

You can create user-defined URL categories and configure filtering rules for them. The severity level of a user-defined URL category is in the range of 1000 to 65535. You can edit the filtering rules and change the severity level for a user-defined URL category.
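A small model of the resolution order described above and in the category action and default-action sections, as an added example that is not H3C code. The Category and Policy classes are hypothetical, exact hostnames stand in for URL filtering rules, and ignoring categories that have no action configured in the policy is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Category:
    name: str
    severity: int
    hosts: frozenset   # exact hostnames standing in for the category's rules


@dataclass
class Policy:
    category_actions: dict = field(default_factory=dict)  # category name -> action
    default_action: Optional[str] = None                   # None: not configured


def check_categories(categories):
    """Check the documented severity ranges and user-defined uniqueness."""
    problems, used = [], {}
    for c in categories:
        if c.name.startswith("Pre-"):          # predefined categories: 1 to 999
            if not 1 <= c.severity <= 999:
                problems.append(f"{c.name}: predefined severity out of range")
            continue
        if not 1000 <= c.severity <= 65535:    # user-defined: 1000 to 65535
            problems.append(f"{c.name}: user-defined severity out of range")
        elif c.severity in used:
            problems.append(f"{c.name}: severity already used by {used[c.severity]}")
        used.setdefault(c.severity, c.name)
    return problems


def decide(policy, categories, host):
    """Return (action, reason) for a hostname under the policy."""
    host = host.lower()
    # Assumption: only categories with an action in this policy take part.
    hits = [c for c in categories
            if host in c.hosts and c.name in policy.category_actions]
    if hits:
        top = max(hits, key=lambda c: c.severity)   # highest severity wins
        return policy.category_actions[top.name], top.name
    if policy.default_action is not None:
        return policy.default_action, "default-action"
    return "permit", "no default action"            # documented fallback


# Constructed sample data; category names and severities reuse the page's examples.
CATEGORIES = [
    Category("Pre-AdvertisementsAndPop-Ups", 300,
             frozenset({"ads.example.com", "banner.example.net"})),
    Category("test", 1001, frozenset({"files.example.org"})),
    Category("news", 2000, frozenset({"ads.example.com", "files.example.org"})),
]
POLICY = Policy({"Pre-AdvertisementsAndPop-Ups": "drop",
                 "test": "reset",
                 "news": "permit"})

if __name__ == "__main__":
    print(check_categories(CATEGORIES))
    for h in ("ads.example.com", "banner.example.net",
              "files.example.org", "other.example.com"):
        print(h, "->", decide(POLICY, CATEGORIES, h))
```

Because user-defined severity levels start at 1000 and predefined ones end at 999, a user-defined category always outranks a predefined category that matches the same URL, which is why ads.example.com is permitted here.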

Examples

# Create a URL category named news and set its severity level to 2000.

<Sysname> system-view

[Sysname] url-filter category news severity 2000

[Sysname-url-filter-category-news]

Related commands

display url-filter category

url-filter copy category

Use url-filter copy category to copy a URL category.

Syntax

url-filter copy category old-name new-name severity severity-level

Views

System view

Predefined user roles

network-admin

Parameters

old-name: Specifies the name of the URL category to be copied. The specified URL category must already exist.

new-name: Specifies a name for the new URL category. The name is a case-insensitive string of 1 to 63 characters and cannot begin with Pre.

severity severity-level: Assigns a unique severity level to the new URL category. The value range is 1000 to 65535. The larger the value, the higher the severity level.

Usage guidelines

This command allows you to create a new URL category by copying an existing one.

The device supports copying only user-defined URL categories.

Examples

# Create URL category test by copying URL category news.

<Sysname> system-view

[Sysname] url-filter copy category news test severity 1001

[Sysname-url-filter-category-test]

Related commands

url-filter category

url-filter copy policy

Use url-filter copy policy to copy a URL filtering policy.

Syntax

url-filter copy policy old-name new-name

Views

System view

Predefined user roles

network-admin

Parameters

old-name: Specifies the name of the URL filtering policy to be copied, a case-insensitive string of 1 to 31 characters.

new-name: Specifies a name for the new URL filtering policy, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command allows you to create a new URL filtering policy by copying an existing one.

Examples

# Create two URL filtering policies by copying URL filtering policy news.

<Sysname> system-view

[Sysname] url-filter copy policy news news_1

[Sysname-url-filter-policy-news_1] quit

[Sysname] url-filter copy policy news news_2

[Sysname-url-filter-policy-news_2] quit

Related commands

url-filter policy

url-filter log directory root

Use url-filter log directory root to configure URL filtering to log only access to resources in the root directories of websites.

Use undo url-filter log directory root to restore the default.

Syntax

url-filter log directory root

undo url-filter log directory root

Default

URL filtering logs access to Web resources in all directories.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After this command is configured, the url-filter log except pre-defined and url-filter log except user-defined commands no longer take effect.

Examples

# Configure URL filtering to log only access to resources in the root directories of websites.

<Sysname> system-view

[Sysname] url-filter log directory root

Related commands

category action logging

default-action logging

url-filter log except pre-defined

url-filter log except user-defined

url-filter log enable

Use url-filter log enable to enable DPI engine logging.

Use undo url-filter log enable to disable DPI engine logging.

Syntax

url-filter log enable

undo url-filter log enable

Default

DPI engine logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

You can enable DPI engine logging for audit. Log messages generated by the DPI engine are output to the device information center. The information center then sends the messages to designated destinations based on log output rules. For more information about the information center, see System Management Configuration Guide.

DPI engine logging is memory intensive. To guarantee system performance, enable DPI engine logging only when necessary.

Examples

# Enable DPI engine logging.

<Sysname> system-view

[Sysname] url-filter log enable

url-filter log except pre-defined

Use url-filter log except pre-defined to disable URL filtering logging for access to resources of a predefined resource type.

Use undo url-filter log except pre-defined to enable URL filtering logging for access to resources of a predefined resource type.

Syntax

url-filter log except pre-defined { css | gif | ico | jpg | js | png | swf | xml }

undo url-filter log except pre-defined { css | gif | ico | jpg | js | png | swf | xml }

Default

URL filtering does not log access to resources of the predefined resource types (CSS, GIF, ICO, JPG, JS, PNG, SWF, and XML resources).

Views

System view

Predefined user roles

network-admin

Parameters

css: Specifies the CSS resource type.

gif: Specifies the GIF resource type.

ico: Specifies the ICO resource type.

jpg: Specifies the JPG resource type.

js: Specifies the JS resource type.

png: Specifies the PNG resource type.

swf: Specifies the SWF resource type.

xml: Specifies the XML resource type.

Usage guidelines

Repeat this command to disable URL filtering logging for access to multiple types of predefined resources.

This command does not take effect if the url-filter log directory root command is configured. For this command to take effect, execute the undo url-filter log directory root command.

Examples

# Disable URL filtering logging for access to CSS resources.

<Sysname> system-view

[Sysname] url-filter log except pre-defined css

Related commands

category action logging

default-action logging

url-filter log directory root

url-filter log except user-defined

url-filter log except user-defined

Use url-filter log except user-defined to disable URL filtering logging for access to resources of a user-defined resource type.

Use undo url-filter log except user-defined to enable URL filtering logging for access to resources of a user-defined resource type.

Syntax

url-filter log except user-defined text

undo url-filter log except user-defined [ text ]

Default

URL filtering logs access to all resources except for resources of the predefined types.

Views

System view

Predefined user roles

network-admin

Parameters

text: Specifies a Web resource type. The value is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Repeat this command to disable URL logging for access to multiple types of user-defined resources.

This command does not take effect if the url-filter log directory root command is configured. For this command to take effect, execute the undo url-filter log directory root command.

Executing the undo url-filter log except user-defined command without the text parameter enables URL logging for access to all resources except resources of the predefined resource types.

Examples

# Disable URL filtering logging for access to HTML resources.

<Sysname> system-view

[Sysname] url-filter log except user-defined html

Related commands

category action logging

default-action logging

url-filter log directory root

url-filter log except pre-defined
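The url-filter log directory root, url-filter log except pre-defined, and url-filter log except user-defined commands together decide which requests reach the logs at all. The following Python model is an added example, not H3C code. It assumes that a resource's type is its file extension, that a root-directory resource has no directory level below /, and that type exceptions are ignored while directory root logging is configured; the class, function, and sample URLs are constructed.

```python
import posixpath
from urllib.parse import urlsplit

# The eight predefined resource types; all are excluded from logging by default.
PREDEFINED = frozenset({"css", "gif", "ico", "jpg", "js", "png", "swf", "xml"})


class UrlLogModel:
    """Tracks the three system-view logging commands and answers would_log()."""

    def __init__(self):
        self.directory_root = False
        self.skip_pre = set(PREDEFINED)  # default state on the device
        self.skip_user = set()

    def apply(self, line):
        words = line.lower().split()
        undo = bool(words) and words[0] == "undo"
        args = words[1:] if undo else words
        if args[:2] != ["url-filter", "log"]:
            raise ValueError(f"not a url-filter log command: {line!r}")
        rest = args[2:]
        if rest == ["directory", "root"]:
            self.directory_root = not undo
        elif rest[:2] == ["except", "pre-defined"] and len(rest) == 3:
            if rest[2] not in PREDEFINED:
                raise ValueError(f"unknown predefined type: {rest[2]!r}")
            (self.skip_pre.discard if undo else self.skip_pre.add)(rest[2])
        elif rest == ["except", "user-defined"] and undo:
            self.skip_user.clear()  # undo without text clears every user type
        elif (rest[:2] == ["except", "user-defined"] and len(rest) == 3
              and len(rest[2]) <= 63):
            (self.skip_user.discard if undo else self.skip_user.add)(rest[2])
        else:
            raise ValueError(f"unsupported command: {line!r}")

    def would_log(self, url):
        """True if a request already selected for logging is actually logged."""
        path = urlsplit(url).path or "/"
        if self.directory_root:
            # Assumption: root directory means no directory level below "/".
            # The except commands do not take effect in this mode.
            return posixpath.dirname(path) == "/"
        # Assumption: the resource type is the file extension, case-insensitive.
        ext = posixpath.splitext(path)[1].lstrip(".").lower()
        return ext not in self.skip_pre and ext not in self.skip_user


def logged_urls(commands, urls):
    """Replay commands on a fresh model and return the URLs that get logged."""
    model = UrlLogModel()
    for line in commands:
        model.apply(line)
    return [u for u in urls if model.would_log(u)]


# Constructed sample requests (not taken from the page).
SAMPLE_URLS = [
    "http://www.example.com/",
    "http://www.example.com/index.html",
    "http://www.example.com/static/app.js",
    "http://www.example.com/docs/report.html",
    "http://www.example.com/logo.png",
]
```

Replaying a planned command sequence through logged_urls shows which request types drop out of the audit trail before the change is made on the device.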

url-filter policy

Use url-filter policy to create a URL filtering policy and enter its view, or enter the view of an existing URL filtering policy.

Use undo url-filter policy to delete a URL filtering policy.

Syntax

url-filter policy policy-name

undo url-filter policy policy-name

Default

No URL filtering policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Assigns a name to the URL filtering policy, a case-insensitive string of 1 to 31 characters.

Usage guidelines

In a URL filtering policy, you can specify an action for each URL category. You can also use the default-action command to specify the default action for packets that do not match any URL filtering rules in the policy.

A URL filtering policy takes effect only after it is applied to a DPI application profile. For information about DPI application profiles, see DPI Configuration Guide.

If DRS is enabled, do not name a URL filtering policy drs. Otherwise, configuration changes or other unexpected errors might occur after a reboot. To enable DRS, use the wlan drs enable command. For more information about DRS, see WLAN DRS commands in WLAN Security Command Reference.

Examples

# Create a URL filtering policy named news and enter its view.

<Sysname> system-view

[Sysname] url-filter policy news

[Sysname-url-filter-policy-news]

url-filter signature auto-update

Use url-filter signature auto-update to enable automatic URL signature library update and enter automatic URL signature library update configuration view.

Use undo url-filter signature auto-update to disable automatic URL signature library update.

Syntax

url-filter signature auto-update

undo url-filter signature auto-update

Default

Automatic URL signature library update is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The automatic update enables the device to periodically access the company's website to download the latest URL filtering signatures and update the local signature library.

You can schedule the time for automatic signature update by using the update schedule command.

Examples

# Enable automatic URL signature library update and enter automatic URL signature library update configuration view.

<Sysname> system-view

[Sysname] url-filter signature auto-update

[Sysname-url-filter-autoupdate]

Related commands

update schedule

url-filter signature auto-update-now

Use url-filter signature auto-update-now to trigger an automatic URL signature library update manually.

Syntax

url-filter signature auto-update-now

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command immediately starts the automatic signature library update process. The device accesses the company's website to update the local URL signature library.

You can execute this command anytime you find a new version of the signature library on the company's website.

Examples

# Trigger an automatic URL signature library update manually.

<Sysname> system-view

[Sysname] url-filter signature auto-update-now

url-filter signature rollback

Use url-filter signature rollback to roll back the URL signature library.

Syntax

url-filter signature rollback factory

Views

System view

Predefined user roles

network-admin

Parameters

factory: Rolls back the URL signature library to the factory default version.

Usage guidelines

If a URL signature library update causes exceptions or a high false alarm rate, you can roll back the URL signature library. In the current software version, you can roll back the URL signature library version to only the factory default version.

Examples

# Roll back the URL signature library to the factory default version.

<Sysname> system-view

[Sysname] url-filter signature rollback factory

url-filter signature update

Use url-filter signature update to manually update the URL signature library.

Syntax

url-filter signature update file-path [ source { ip | ipv6 } { ip-address | interface interface-type interface-number } ]

Views

System view

Predefined user roles

network-admin

Parameters

file-path: Specifies the URL filtering signature file path, a string of 1 to 255 characters.

source: Specifies the source IP address of request packets sent to the TFTP or FTP server for manual signature library update. If you do not specify a source IP address, the system uses the IP address of the outgoing routed interface as the source IP address.

ip ip-address: Specifies the source IPv4 address of request packets sent to the TFTP or FTP server for manual signature library update.

ipv6 ip-address: Specifies the source IPv6 address of request packets sent to the TFTP or FTP server for manual signature library update.

interface interface-type interface-number: Specifies the source interface. The primary IPv4 address of the interface or the minimum IPv6 address on the interface will be used as the source IP address.

Usage guidelines

CAUTION:

Select a signature file according to the memory size and software version of the device. H3C provides signature files separately for high-memory (equal to or higher than 8 GB) and low-memory (lower than 8 GB) devices and for different software versions. If you use a signature file applicable to high-memory devices to update the URL filtering signature library on a low-memory device, exceptions might occur on the low-memory device. As a best practice, use a signature file that is compatible with the software version and memory size of the device to update the URL filtering signature library on the device.

If the device cannot access the company's website, use one of the following methods to manually update the URL signature library:

·     Local update—Updates the URL signature library on the device by using a URL filtering signature file stored locally on the device.

The following describes the format of the file-path parameter for different update scenarios.

| Update scenario | Format of file-path | Remarks |
|---|---|---|
| The update file is stored in the current working directory. | filename | To display the current working directory, use the pwd command (see file system management in Fundamentals Command Reference). |
| The update file is stored in a different directory on the same storage medium. | filename | Before updating the signature library, you must first use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
| The update file is stored on a different storage medium. | path/filename | Before updating the signature library, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |

·     FTP/TFTP update—Updates the URL signature library on the device by using the file stored on the FTP or TFTP server.

The following describes the format of the file-path parameter for different update scenarios.

| Update scenario | Format of file-path | Remarks |
|---|---|---|
| The update file is stored on an FTP server. | ftp://username:password@server address/filename | The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: colon (:) with %3A or %3a; at sign (@) with %40; forward slash (/) with %2F or %2f. |
| The update file is stored on a TFTP server. | tftp://server address/filename | The server address parameter represents the IP address or host name of the TFTP server. |

NOTE:

To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Network Connectivity Configuration Guide.

To execute the url-filter signature update command, you also need to follow these restrictions and guidelines:

·     To specify the source IP address of request packets sent to the TFTP or FTP server for manual signature library update, you must specify the source keyword. For example, if packets from the device must be translated by NAT before accessing the TFTP or FTP server, you must specify a source IP address that complies with the NAT rules. If NAT is performed by an independent NAT device, make sure the IP address specified by this command can reach the NAT device at Layer 3.

Examples

# Manually update the local URL signature library by using a signature file stored on a TFTP server.

<Sysname> system-view

[Sysname] url-filter signature update tftp://192.168.0.10/url-filter-1.0.2-en.dat

# Manually update the local URL signature library by using a signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.

<Sysname> system-view

[Sysname] url-filter signature update ftp://user%3A123:user%40abc%[email protected]/url-filter-1.0.2-en.dat
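The escaping rule for FTP credentials, as an added Python example that is not part of the H3C reference: it builds the file-path argument, enforces the 1 to 255 character limit, and uses an illustrative split (an assumption, not the device's parser) to show how unescaped credentials shift the server field. The function names and the 192.0.2.10 address are constructed.

```python
# Escapes the page lists for the FTP login username and password.
ESCAPES = {":": "%3A", "@": "%40", "/": "%2F"}
MAX_FILE_PATH = 255  # file-path is a string of 1 to 255 characters


def escape_credential(value):
    """Replace ':', '@' and '/' with their escapes; other characters pass through."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def unescape_credential(value):
    """Reverse escape_credential, accepting the lowercase forms %3a and %2f too."""
    for char, escaped in ESCAPES.items():
        value = value.replace(escaped, char).replace(escaped.lower(), char)
    return value


def build_file_path(scheme, server, filename, username=None, password=None):
    """Return the file-path argument for a tftp:// or ftp:// update."""
    if scheme == "tftp":
        if username is not None or password is not None:
            raise ValueError("the tftp:// format has no username or password")
        path = f"tftp://{server}/{filename}"
    elif scheme == "ftp":
        if not username or password is None:
            raise ValueError("the ftp:// format needs a username and password")
        creds = f"{escape_credential(username)}:{escape_credential(password)}"
        path = f"ftp://{creds}@{server}/{filename}"
    else:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not 1 <= len(path) <= MAX_FILE_PATH:
        raise ValueError(f"file-path is {len(path)} characters, limit is 255")
    return path


def split_ftp_path(path):
    """Illustrative split (not the device's parser): the first '@' ends the
    credentials, the first ':' ends the username, the next '/' ends the server."""
    if not path.startswith("ftp://"):
        raise ValueError("not an ftp:// file-path")
    userinfo, _, remainder = path[len("ftp://"):].partition("@")
    username, _, password = userinfo.partition(":")
    server, _, filename = remainder.partition("/")
    return (unescape_credential(username), unescape_credential(password),
            server, filename)
```

With the username user:123 and password user@abc/123 from the example above, the escaped form splits back into the original credentials, while the unescaped form yields abc as the server.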

# Manually update the local URL signature library by using a signature file stored on the device. The file path is cfa0:/url-filter-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> system-view

[Sysname] url-filter signature update url-filter-1.0.23-en.dat

# Manually update the local URL signature library by using a signature file stored on the device. The file path is cfa0:/dpi/url-filter-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> cd dpi

<Sysname> system-view

[Sysname] url-filter signature update url-filter-1.0.23-en.dat

# Manually update the local URL signature library by using a signature file stored on the device. The file path is cfb0:/dpi/url-filter-1.0.23-en.dat, and the current working directory is cfa0:.

<Sysname> cd cfb0:/

<Sysname> system-view

[Sysname] url-filter signature update dpi/url-filter-1.0.23-en.dat

warning parameter-profile

Use warning parameter-profile to apply a warning parameter profile to a URL filtering policy, and enable sending the alarm message defined in the profile.

Use undo warning parameter-profile to restore the default.

Syntax

warning parameter-profile profile-name

undo warning parameter-profile

Default

No warning parameter profile is applied and the device sends the default alarm message.

Views

URL filtering policy view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a warning parameter profile by its name, a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, and underscores (_).

Usage guidelines

If an endpoint user visits a website blocked by URL filtering, the device will display an alarm message on the user's browser. The alarm message is stored in the warning parameter profile applied to the URL filtering policy. For more information about configuring a warning parameter profile, see DPI engine configuration in DPI Configuration Guide.

If no warning parameter profile is applied to the URL filtering policy, the device sends the default alarm message to the user. The default alarm message is as follows:

Web Access Blocked

Your access to this website was denied. To access this webpage, contact Technical Support.

·     Reason: XXX

·     Category: XXX

·     URL: XXXX

The device will generate the reason, category, and URL according to the actual condition.

·     Reason—Why the URL of the website visited by the user is blocked. The following values are available:

◦     The URL of the website hit the URL blacklist.

◦     The URL of the website hit a user-defined URL category.

◦     The URL of the website hit a predefined URL category.

◦     No matching whitelist entry was found for the website in whitelist mode.

◦     The URL of the website did not match any accessible URL category.

◦     The URL of the website hit the URL reputation signature library.

·     Category—Attack category of the hit user-defined URL category or predefined URL category.

·     URL—URL of the website visited by the user.

Examples

# Apply warning parameter profile uflt1 to URL filtering policy abc and enable sending the alarm message defined in the profile.

<Sysname> system-view

[Sysname] url-filter policy abc

[Sysname-url-filter-policy-abc] warning parameter-profile uflt1

Related commands

inspect url-filter warning parameter-profile

whitelist-only enable

Use whitelist-only enable to enable URL whitelist-only filtering.

Use undo whitelist-only enable to disable URL whitelist-only filtering.

Syntax

whitelist-only enable

undo whitelist-only enable

Default

URL whitelist-only filtering is disabled.

Views

URL filtering policy view

Predefined user roles

network-admin

Usage guidelines

This feature allows only the HTTP or HTTPS requests that match the whitelist rules to pass through, and the other settings in the URL filtering policy will not take effect.

Examples

# Enable URL whitelist-only filtering in URL filtering policy news.

<Sysname> system-view

[Sysname] url-filter policy news

[Sysname-url-filter-policy-news] whitelist-only enable

Related commands

add
