16-Security Configuration Guide
19-Security policy configuration
Restrictions and guidelines: Security policy configuration
Prerequisites for security policies
Security policy tasks at a glance
Enabling the security policy feature
Configuring IPv4 security policy rules
Creating a security policy rule
Configuring filtering criteria for a security policy rule
Specifying the action for a security policy rule
Specifying a time range for a security policy rule
Applying a DPI application profile to a security policy rule
Setting the session aging time for a security policy rule
Associating a security policy rule with a track entry
Enabling logging for matched packets
Enabling statistics collection for matched packets
Enabling security policy rule learning
Activating rule matching acceleration
Disabling a security policy rule
Renaming a security policy rule
Enabling mandatory item control
Enabling strict object inspection
Enabling displaying the default actions in use
Configuring security policy rule groups
Creating a security policy rule group
Specifying a security policy rule group for a security policy rule
Moving a security policy rule group
Renaming a security policy rule group
Setting the time for fast output of security policy settings as logs
Display and maintenance commands for security policies
Configuring security policies
About security policies
A security policy defines a set of rules for forwarding control and Deep Packet Inspection (DPI). It matches packets against the rules and takes the action stated in the rules on the matched packets.
Security policy rules
A security policy contains one or more rules. Each security policy rule is a permit, deny, or DPI statement that identifies traffic based on match criteria.
Rule numbering
Each rule is uniquely identified by a name and an ID. When you create a rule, the rule name must be manually configured, and the rule ID can be manually configured or automatically assigned by the system.
Rule match criteria
The rule match criteria include the following types: source IP address and source MAC address, destination IP address, user and user group, AP and AP group, SSID, application and application group, URL category, and service.
You can specify multiple criteria for each type.
Rule and session management
When a security policy is configured, the device generates session entries for permitted packets to record packet information.
You can set session aging times for protocol states, application layer protocols, or rules. The aging time configured for a rule takes precedence over the aging time configured for a protocol state or an application layer protocol. For more information about session management, see "Managing sessions."
Security policy mechanism
A security policy operates as follows:
1. After receiving a packet, the device matches the packet against the configured security policy rules.
A security policy rule includes various match criterion types. A packet is considered matched if it matches all the criterion types in the rule. Each criterion type includes one or more criteria, and a packet matches a criterion type if it matches any criterion of the type. Source MAC address criteria and source IP address criteria belong to the same criterion type.
○ If no match is found, the device discards the packet.
○ If a match is found and the rule action is drop, the device discards the packet.
○ If a match is found and the rule action is pass, the device goes to the next step.
2. If a DPI application profile is configured for the matched rule, the device uses the specified profile to perform DPI on the packet. If no DPI application profile is specified, the device allows the packet to pass.
Rule matching acceleration
This feature accelerates security policy rule matching to enhance connection establishment and packet forwarding performance, especially for a device using multiple rules to match packets from multiple users.
Security policy rule grouping
Security policy rule grouping allows users to enable, disable, delete, and move security policy rules in batches. A security policy rule in a security policy rule group takes effect only when both the rule and the group are enabled.
Restrictions and guidelines: Security policy configuration
As a best practice, do not configure packet filtering and security policies at the same time. If you do so, some policies might fail to take effect, causing service interruption.
Before configuring security policies, verify whether the device is configured with packet filtering. Security policies take precedence over packet filtering, which loses effect the first time you enter security policy view. As a best practice, switch packet filtering to security policy settings before enabling the security policy feature.
When security policies are configured, packet filtering is performed only on packets that do not match any security policy rule. To avoid interrupting services permitted by packet filtering, do not configure packet filtering and security policies at the same time.
Prerequisites for security policies
Before you configure security policies, perform the following tasks:
· Configure a time range. See time range configuration in Security Configuration Guide.
· Configure IP address object groups and service object groups. See "Configuring object groups."
· Configure applications and application groups. See "Configuring APR."
· Configure user and user groups. See "Configuring user identification."
· Configure URL categories. See DPI Configuration Guide.
· Configure DPI. See DPI Configuration Guide.
Security policy tasks at a glance
To configure security policies, perform the following tasks:
1. Enabling the security policy feature
2. Configuring IPv4 security policy rules
a. Creating a security policy rule
b. Configuring filtering criteria for a security policy rule
c. Specifying the action for a security policy rule
d. (Optional.) Specifying a time range for a security policy rule
e. (Optional.) Applying a DPI application profile to a security policy rule
f. (Optional.) Setting the session aging time for a security policy rule
g. (Optional.) Associating a security policy rule with a track entry
h. (Optional.) Enabling logging for matched packets
i. (Optional.) Enabling statistics collection for matched packets
j. (Optional.) Enabling security policy rule learning
3. (Optional.) Manage security policy rules
a. Changing the rule match order
b. Activating rule matching acceleration
c. Disabling a security policy rule
d. Renaming a security policy rule
e. Enabling mandatory item control
f. Enabling strict object inspection
g. Enabling displaying the default actions in use
4. (Optional.) Configuring security policy rule groups
a. Creating a security policy rule group
b. Specifying a security policy rule group for a security policy rule
c. Moving a security policy rule group
d. Renaming a security policy rule group
5. (Optional.) Setting the time for fast output of security policy settings as logs
Enabling the security policy feature
Restrictions and guidelines
Security policy settings take effect only when the security policy feature is enabled.
Procedure
1. Enter system view.
system-view
2. Enable the security policy feature.
undo security-policy disable
By default, the security policy feature is enabled.
CAUTION: The security-policy disable command disables the security policy feature and might cause traffic interruption.
Configuring IPv4 security policy rules
Creating a security policy rule
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
CAUTION: The undo security-policy ip command directly deletes all security policy configuration and might cause network interruption.
3. (Optional.) Configure a description for the policy.
description text
By default, a security policy does not have a description.
4. Create a security policy rule.
rule { rule-id | [ rule-id ] name rule-name }
5. (Optional.) Configure a description for the rule.
description text
By default, a security policy rule does not have a description.
Configuring filtering criteria for a security policy rule
Restrictions and guidelines
A rule matches all packets if no criteria are specified for the rule. If no action is set for the rule, the device drops the matched packets by default.
If a specified object group has no objects, the rule cannot match any packets.
Security policy rules specified with an IP address object group that uses a user or user group cannot match packets. To filter packets by user or user group, configure security policy rules specified with user or user group criteria.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Configure source filtering criteria:
○ Specify a source IPv4 address object group as a filtering criterion.
source-ip object-group-name
By default, no source IPv4 address object group is specified as a filtering criterion.
○ Specify a source IPv4 host address as a filtering criterion.
source-ip-host ip-address
By default, no source IPv4 host address is specified as a filtering criterion.
○ Specify a source IPv4 subnet as a filtering criterion.
source-ip-subnet ip-address { mask-length | mask }
By default, no source IPv4 subnet is specified as a filtering criterion.
○ Specify a source IPv4 address range as a filtering criterion.
source-ip-range ip-address1 ip-address2
By default, no source IPv4 address range is specified as a filtering criterion.
○ Specify a source MAC address object group as a filtering criterion.
source-mac object-group-name
By default, no source MAC address object group is specified as a filtering criterion.
5. Configure destination filtering criteria:
○ Specify a destination IPv4 address object group as a filtering criterion.
destination-ip object-group-name
By default, no destination IPv4 address object group is specified as a filtering criterion.
○ Specify a destination IPv4 host address as a filtering criterion.
destination-ip-host ip-address
By default, no destination IPv4 host address is specified as a filtering criterion.
○ Specify a destination IPv4 subnet as a filtering criterion.
destination-ip-subnet ip-address { mask-length | mask }
By default, no destination IPv4 subnet is specified as a filtering criterion.
○ Specify a destination IPv4 address range as a filtering criterion.
destination-ip-range ip-address1 ip-address2
By default, no destination IPv4 address range is specified as a filtering criterion.
6. Specify a service object group as a filtering criterion.
service { object-group-name | any }
By default, no service object group is specified as a filtering criterion.
7. Specify a service port as a filtering criterion.
service-port protocol [ { destination { { eq | lt | gt } port | range port1 port2 | port-list } | source { { eq | lt | gt } port | range port1 port2 | port-list } } * | icmp-type [ icmp-code ] | icmpv6-type [ icmpv6-code ] | type { icmp-type | icmpv6-type } [ code { icmp-code-list | icmpv6-code-list } ] ]
By default, no service port is specified as a filtering criterion.
8. Configure application filtering criteria:
○ Specify an application as a filtering criterion.
application application-name
By default, no application is specified as a filtering criterion.
For the application filtering criteria to be identified, you must permit the dependent applications to pass through.
○ Specify an application group as a filtering criterion.
app-group app-group-name
By default, no application group is specified as a filtering criterion.
9. Configure user filtering criteria:
○ Specify a user as a filtering criterion.
user username [ domain domain-name ]
By default, no user is specified as a filtering criterion.
○ Specify a user group as a filtering criterion.
user-group user-group-name [ domain domain-name ]
By default, no user group is specified as a filtering criterion.
10. Specify a URL category as a filtering criterion.
url-category url-category-name
By default, no URL category is specified as a filtering criterion.
Specifying the action for a security policy rule
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Specify the action for the security policy rule.
action { drop | pass }
By default, the action for a security policy rule is drop.
Specifying a time range for a security policy rule
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Specify a time range during which the security policy rule is in effect.
time-range time-range-name
By default, a security policy rule is in effect at any time.
Applying a DPI application profile to a security policy rule
About this task
This feature enables the device to perform DPI on packets matching the specified rule. For more information about DPI, see DPI Configuration Guide.
Restrictions and guidelines
This feature takes effect only when the rule action is pass.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Specify the rule action as pass.
action pass
By default, the action for a security policy rule is drop.
5. Apply a DPI application profile to the rule.
profile app-profile-name
By default, no DPI application profile is applied to a rule.
Setting the session aging time for a security policy rule
About this task
Perform this task to specify the aging time for stable sessions and persistent sessions. The configuration takes effect on both existing sessions and sessions established afterwards.
The configured aging time for persistent sessions is effective only on TCP sessions in ESTABLISHED state.
The priorities of the session aging times configured by using the session persistent aging-time, session aging-time, and session persistent acl commands are in descending order.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Set the session aging time.
session aging-time time-value
By default, the session aging time is not configured.
5. Set the aging time for persistent sessions.
session persistent aging-time time-value
By default, the aging time for persistent sessions is not configured.
CAUTION: Setting too long an aging time might cause persistent sessions to increase rapidly and therefore cause the CPU usage to be high.
Associating a security policy rule with a track entry
About this task
Perform this task to enable the collaboration between the track module and a security policy rule. The collaboration operates as follows:
· If a rule is associated with the Negative state of a track entry, the device:
○ Sets the rule state to Active if the track entry is in Negative state.
○ Sets the rule state to Inactive if the track entry is in Positive state.
· If a rule is associated with the Positive state of a track entry, the device:
○ Sets the rule state to Active if the track entry is in Positive state.
○ Sets the rule state to Inactive if the track entry is in Negative state.
For more information about track entries, see High Availability Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Associate the rule with a track entry.
track { negative | positive } track-entry-number
By default, no track entry is associated with a rule.
Enabling logging for matched packets
About this task
This feature enables the device to log matching packets and send the logs to the information center for processing, or to output them through fast log output. The log destinations and output rules are determined by the information center or fast log output settings. For more information about the information center or fast log output, see System Management Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Enable logging for matched packets.
logging enable
By default, logging for matched packets is disabled.
Enabling statistics collection for matched packets
About this task
Perform this task to enable the device to collect statistics about matched packets. The collected statistics can be viewed by executing the display security-policy statistics command.
If an enabling period is specified, the system disables the statistics collection feature and removes the configuration at period expiration. If no enabling period is specified, you must execute the undo command to disable the statistics collection feature.
Restrictions and guidelines
When inter-VLAN bridge forwarding is configured, this feature collects statistics only about packets discarded by security policies and DPI. Statistics about permitted packets are not collected. For more information about inter-VLAN bridge forwarding, see Layer 2 forwarding in Network Connectivity Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Enable statistics collection for matched packets.
counting enable [ period value ]
By default, the device does not collect statistics about matched packets.
Enabling security policy rule learning
About this task
To ensure accurate packet filtering, configure strict security policy rules with a fine granularity as a best practice. However, when the properties of packets to be passed or dropped cannot be determined, you can only configure security policy rules with relatively loose criteria to ensure correct forwarding.
In this case, perform this task to enable the system to learn matched packets and record their properties. You can then log into the Web management interface of the device to view the records, summarize the properties of packets to be passed or dropped, and refine security policy filtering criteria.
Restrictions and guidelines
After configuring accurate security policies, delete the security policies with loose filtering criteria as a best practice.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Enable security policy rule learning.
learning enable
By default, security policy rule learning is disabled.
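The following is an added example, not part of the guide, that composes the rule-level tasks above (creating a rule, specifying filtering criteria and the action, applying a time range, and enabling logging and statistics) into one IPv4 security policy, and shows how the matching mechanism described in "Security policy mechanism" evaluates it. All addresses, rule names and the policy description are constructed; the time range name work-hours is assumed to have been created already with the time range feature. Lines beginning with # are explanatory comments, not CLI input, and quit returns to the previous view.

```text
# Added example (not from the guide). Constructed values: office subnet
# 10.1.1.0/24, DMZ web server 192.168.10.5, rule names, descriptions.
system-view
security-policy ip
 description Data-center-edge-policy

# Rule 10 is created first, so it is matched first. It has three
# criterion types (source IP, destination IP, service); a packet matches
# the rule only when it matches all three.
 rule 10 name web-to-dmz
  description Permit-HTTPS-from-office-to-DMZ-web
  source-ip-subnet 10.1.1.0 24
  destination-ip-host 192.168.10.5
  service-port tcp destination eq 443
  action pass
  time-range work-hours
  logging enable
  counting enable
  quit

# Rule 20 has a single criterion type, so it matches every packet from
# the office subnet that rule 10 did not pass (other destination, other
# port, or outside work-hours). The drop action is stated explicitly;
# a rule with no action also drops. Logging makes the drops visible at
# the information center or fast log output destinations.
# If service is later made a mandatory item, this rule needs
# "service any" as well or it stops taking effect.
 rule 20 name office-deny-rest
  description Drop-and-log-other-office-traffic
  source-ip-subnet 10.1.1.0 24
  action drop
  logging enable
  counting enable
  quit
 quit

# A packet from any other subnet matches neither rule and is discarded,
# because a packet with no matching rule is dropped.

# Verify the configuration and the per-rule counters.
display security-policy ip
display security-policy statistics ip rule web-to-dmz
display security-policy statistics ip rule office-deny-rest
```

The explicit drop rule 20 is not needed for enforcement, since unmatched packets are dropped anyway; it exists so that the drops from the office subnet are logged and counted separately, which the implicit drop does not provide.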
Changing the rule match order
About this task
The device matches packets against security policy rules in the order the rules were created. You can change the rule match order by changing the position of a security policy rule in the rule list.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Move a security policy rule.
○ Move a security policy rule by rule ID.
move rule rule-id before insert-rule-id
○ Move a security policy rule by rule name.
move rule name rule-name1 { { after | before } name rule-name2 | bottom | down | top | up }
Activating rule matching acceleration
About this task
Rule matching acceleration does not take effect on newly added, modified, and moved rules unless the feature is activated for the rules. By default, the system automatically activates rule matching acceleration for such rules at different calculated intervals.
To activate rule matching acceleration immediately after a rule change, you can perform this task.
Restrictions and guidelines
If no rule change is detected, the system does not perform an activation operation.
Insufficient memory can cause rule matching acceleration failures. Unaccelerated rules do not take effect, and rules that have been accelerated are not affected.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Activate rule matching acceleration.
accelerate enhanced enable
Disabling a security policy rule
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Disable the security policy rule.
disable
By default, a security policy rule is enabled.
Renaming a security policy rule
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Rename a security policy rule.
rule rename old-name new-name
Enabling mandatory item control
About this task
To perform strict and refined packet filtering based on security policies, perform this task to configure specific types of filtering criteria as mandatory items for a security policy rule. With this feature enabled, rules not configured with the mandatory items do not take effect.
To specify the IP mandatory item:
· When IP is specified as a mandatory item, you can specify the source/destination IP address object group as any to match all source/destination IP addresses.
· When IP is not specified as a mandatory item, for a rule to match all source/destination IP addresses, do not specify IP filtering criteria. In this case, do not specify any as a source/destination IP address object group. If you do so, the rule cannot match any packets.
Procedure
1. Enter system view.
system-view
2. Enable mandatory item control.
security-policy rules mandatory-item-control { ip | service } *
By default, mandatory item control is disabled.
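An added example, not from the guide, that shows the any pitfall described above: with mandatory item control disabled, a rule that names any as an address object group matches nothing, so the IP criteria must simply be omitted; once IP is a mandatory item, any is the required way to match all addresses. Rule IDs, rule names and the port are constructed; lines beginning with # are explanatory comments, not CLI input.

```text
# Added example (not from the guide). Mandatory item control is disabled
# by default. In that state, "any" as a source or destination address
# object group prevents the rule from matching any packet.
system-view
security-policy ip
 rule 30 name dns-out-wrong
  source-ip any
  destination-ip any
  service-port udp destination eq 53
  action pass
  quit

# Correct form while mandatory item control is off: no IP criteria at
# all, so the rule matches any source and destination address.
 rule 31 name dns-out
  service-port udp destination eq 53
  action pass
  quit
 quit

# Make IP a mandatory item. From now on every rule must carry IP
# criteria; rule 31 as configured above has none and stops taking
# effect until it is given explicit criteria. With IP mandatory, "any"
# is the way to say "all addresses", so rule 30 now works as intended.
security-policy rules mandatory-item-control ip
security-policy ip
 rule 31 name dns-out
  source-ip any
  destination-ip any
  quit
 quit

# Confirm which criteria each rule carries.
display security-policy ip rule name dns-out-wrong
display security-policy ip rule name dns-out
```

Enabling mandatory item control on a policy that already has rules is therefore a change worth auditing: any rule that relied on omitted IP (or service) criteria to match everything silently stops taking effect until it is given explicit any criteria.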
Enabling strict object inspection
About this task
Perform this task to prevent security policy rules from referencing objects that do not exist.
By default, security policy rules can successfully reference source addresses (address groups and MAC address groups), destination addresses (address groups), services, applications, application groups, users, user groups, terminals, terminal groups, profiles, and URLs, regardless of whether these objects exist.
When this feature is enabled, security policy rules are unable to reference objects that do not exist.
Procedure
1. Enter system view.
system-view
2. Enable strict object inspection.
security-policy object-strict-inspection enable
By default, strict object inspection is disabled.
Enabling displaying the default actions in use
About this task
A security policy rule not configured with an action discards matching packets by default. This default action is not shown in the configuration. You can enable this feature to display the default action in the configuration.
Procedure
1. Enter system view.
system-view
2. Enable displaying the default actions in use.
security-policy show-default-action enable
By default, the default actions are not displayed in the configuration.
Configuring security policy rule groups
Creating a security policy rule group
About this task
Perform this task to create a security policy rule group and add security policy rules to the group.
Restrictions and guidelines
To add a list of security policy rules, make sure the end rule is listed after the start rule and the specified rules do not belong to any other security policy rule group.
A security policy rule group can contain only IPv4 rules.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Create a security policy rule group and add security policy rules to the group.
group name group-name [ from rule-name1 to rule-name2 ] [ disable | enable ] [ description description-text ]
Specifying a security policy rule group for a security policy rule
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Specify a security policy rule group for the security policy rule.
parent-group group-name
Moving a security policy rule group
About this task
Perform this task to move a security policy rule group to change the match order of security policy rules.
Restrictions and guidelines
If you specify a target security policy rule that belongs to a security policy rule group, follow these restrictions and guidelines:
· If the target rule is neither the start nor end rule of the group, you cannot move a security policy rule group to the place before or after the rule.
· If the target rule is the start rule of the group, you can only move a security policy rule group to the place before the rule.
· If the target rule is the end rule of the group, you can only move a security policy rule group to the place after the rule.
You can move a security policy rule group before or after a security policy rule or group of the same type.
Procedure
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Move a security policy rule group.
group move group-name1 { after | before } { group group-name2 | rule rule-name }
Renaming a security policy rule group
1. Enter system view.
system-view
2. Enter IPv4 security policy view.
security-policy ip
3. Rename a security policy rule group.
group rename old-name new-name
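An added example, not from the guide, that ties together the rule management tasks (changing the match order, disabling a rule, activating rule matching acceleration) and the rule group tasks in this section. The rule names web-to-dmz, office-deny-rest and mgmt-ssh-pass and the group name dmz-web are constructed and assumed to exist in the policy, except rule 40, which the example creates. Lines beginning with # are explanatory comments, not CLI input.

```text
# Added example (not from the guide). Assumed starting order of existing
# rules (creation order): web-to-dmz, office-deny-rest, mgmt-ssh-pass.
system-view
security-policy ip

# Rules are matched in creation order, so the management rule created
# last is currently shadowed by the broad office-deny-rest drop rule.
# Move it to the top of the list and confirm the new order.
 move rule name mgmt-ssh-pass top
 display security-policy ip brief

# Group the two DMZ rules so they can be enabled, disabled and moved
# together. The "to" rule must sit after the "from" rule and neither
# may already belong to another group.
 group name dmz-web from web-to-dmz to office-deny-rest enable description DMZ-web-access

# A rule inside a group takes effect only when both the rule and the
# group are enabled. Disabling the group removes the whole set from
# matching without deleting any rule.
 group name dmz-web disable
 group name dmz-web enable

# Move the whole group before a rule that is outside any group
# (mgmt-ssh-pass). A group cannot be moved next to a rule in the
# middle of another group.
 group move dmz-web before rule mgmt-ssh-pass

# Add a new rule to the group from rule view and keep it disabled until
# its criteria are complete.
 rule 40 name dmz-web-http
  parent-group dmz-web
  disable
  quit

# Acceleration is recalculated for changed rules automatically after an
# interval; activate it now so the reordering applies immediately.
 accelerate enhanced enable
 quit
display security-policy ip brief
```

Reordering with move and group move changes which rule a packet hits first, so the final display security-policy ip brief is the check that the broad drop rule no longer sits above the narrower pass rules.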
Setting the time for fast output of security policy settings as logs
About this task
After the customlog format security-policy sgcc command is executed, the device fast outputs settings of enabled security policies as logs in SGCC format every day at the specified time. For more information about fast log output, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Set the time at which the device fast outputs security policy settings as logs every day.
security-policy config-logging send-time time
By default, the device fast outputs security policy settings as logs every day at 0 o'clock.
Display and maintenance commands for security policies
Execute display commands in any view and reset commands in user view.
Task: Display security policy configuration.
Command: display security-policy ip [ brief | rule name rule-name ]
Task: Display IPv4 security policy rule configuration with the specified filtering criteria.
Command: display security-policy ip query { destination-ip { destination-ip-address | any } | protocol { protocol-number | any | { tcp | udp | sctp } [ source-port source-port | destination-port destination-port ] * | icmp [ icmp-type icmp-type [ icmp-code icmp-code ] ] } | source-ip { source-ip-address | any } } * [ brief ]
Task: Display security policy statistics.
Command: display security-policy statistics ip [ rule rule-name ]
Task: Clear the security policy learning records.
Command: reset security-policy learning-records ip
Task: Clear security policy statistics.
Command: reset security-policy statistics ip [ rule rule-name ]