File filtering tasks at a glance
Configuring a file filtering policy
Setting the action for packets with files carrying false extensions
Applying a file filtering policy to a DPI application profile
Activating file filtering policy and rule settings
Applying a DPI application profile to a security policy rule
File filtering configuration examples
Example: Using a file filtering policy in a security policy
Configuring file filtering
About file filtering
The file filtering feature identifies files by their file extensions and lets you configure the actions to take on files with specific extensions.
File filtering supports filtering packets of the following protocols:
· HTTP.
· FTP.
· SMTP.
· IMAP.
· NFS.
· POP3.
· RTMP.
· SMB.
Basic concepts
File type match pattern
A file type match pattern identifies a type of files by file extension.
File type group
A file type group can contain a maximum of 32 file type match patterns. A file matches a file type group if it matches a pattern in the group.
File filtering rule
A file filtering rule contains a set of filtering criteria for matching files, including file type group, traffic direction, and application layer protocol. You can specify the actions to take on packets matching a file filtering rule. Supported actions include drop, permit, and logging. A file must match all the filtering criteria for the actions specified for the rule to apply.
File filtering mechanism
File filtering takes effect after you apply a file filtering policy to a DPI application profile and use the DPI application profile in a security policy rule.
Upon receiving a packet of a protocol that file filtering supports, the device performs the following operations:
1. Compares the packet with the security policy rules.
If the packet matches a rule that is associated with a file filtering policy (through a DPI application profile), the device submits the packet to the DPI engine for file filtering processing.
For more information about security policies, see Security Configuration Guide.
2. Extracts and records the file extension in the packet.
3. Identifies the real file extension and compares it with the recorded file extension:
○ If the two file extensions match or if the real file extension cannot be identified, the device proceeds to step 4.
○ If the two file extensions do not match, the device checks the action specified for packets with files carrying false extensions.
- If the Drop action is specified, the device drops the packet directly.
- If the Permit action is specified, the device proceeds to step 4 to perform file filtering inspection based on the real file extension.
4. Determines the actions to take on the packet by comparing the packet attributes (file extension, application layer application, and traffic direction) with the file filtering rules in the file filtering policy:
○ If the packet does not match any file filtering rules in the policy, the device permits the packet to pass.
○ If the packet matches only one rule, the device takes the actions specified for the rule.
○ If the packet matches multiple rules, the device determines the actions as follows:
- If the matching rules have both the permit and drop actions, the device takes the drop action.
- The logging action is taken if it is specified for any of the matching rules.
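The decision procedure above (false-extension check, then rule matching with drop-over-permit and any-rule logging), written out as an added Python model. This is illustration code, not part of the guide or the device software; the Rule, Packet and filter_packet names and the sample rules are constructed for the example.

```python
# Added example: a model of the file filtering decision described in steps 2-4.
# Rule defaults mirror the guide: direction "upload", action "drop", no logging.
from dataclasses import dataclass
from typing import Optional, Set, List, Tuple


@dataclass
class Rule:
    name: str
    filetype_group: Set[str]   # extensions that the rule's file type group matches
    applications: Set[str]     # {"all"} or a set of protocol names such as "http"
    direction: str = "upload"  # "upload", "download" or "both"
    action: str = "drop"       # "drop" or "permit"
    logging: bool = False


@dataclass
class Packet:
    app: str                   # application layer protocol carrying the file
    direction: str             # "upload" or "download"
    ext: str                   # extension recorded from the packet (step 2)
    real_ext: Optional[str] = None  # extension identified from content; None if unknown


def rule_matches(rule: Rule, pkt: Packet, ext: str) -> bool:
    """A packet must satisfy every criterion of a rule for the rule to apply."""
    if ext not in rule.filetype_group:
        return False
    if "all" not in rule.applications and pkt.app not in rule.applications:
        return False
    return rule.direction == "both" or rule.direction == pkt.direction


def filter_packet(rules: List[Rule], pkt: Packet,
                  false_ext_action: str = "permit") -> Tuple[str, bool]:
    """Return (action, logged) for one packet; false_ext_action defaults to permit."""
    ext = pkt.ext
    # Step 3: a known real extension that differs from the recorded one is a false extension.
    if pkt.real_ext is not None and pkt.real_ext != pkt.ext:
        if false_ext_action == "drop":
            return ("drop", False)
        ext = pkt.real_ext  # permit: inspect based on the real extension
    # Step 4: collect every matching rule and combine their actions.
    matched = [r for r in rules if rule_matches(r, pkt, ext)]
    if not matched:
        return ("permit", False)
    action = "drop" if any(r.action == "drop" for r in matched) else "permit"
    logged = any(r.logging for r in matched)
    return (action, logged)
```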
File filtering tasks at a glance
To configure file filtering, perform the following tasks:
1. Configuring a file type group
2. Configuring a file filtering policy
3. Setting the action for packets with files carrying false extensions
4. Applying a file filtering policy to a DPI application profile
5. (Optional.) Activating file filtering policy and rule settings
6. Applying a DPI application profile to a security policy rule
Configuring a file type group
About this task
A file type group is a group of file type match patterns. A file type match pattern is a text or regular expression string that matches files by file extension.
A file matches a file type group if it matches a pattern in the group.
Procedure
1. Enter system view.
system-view
2. Create a file type group and enter its view.
file-filter filetype-group group-name
3. (Optional.) Configure a description for the file type group.
description string
By default, a file type group does not have a description.
4. Configure a file type match pattern.
pattern pattern-name text pattern-string
By default, a file type group does not contain any file type match patterns.
Configuring a file filtering policy
About this task
A file filtering policy can contain a maximum of 32 file filtering rules. Each rule defines a set of filtering criteria and the actions for matching packets. The filtering criteria include:
· One file type group.
· One or more application layer protocols.
· Traffic direction.
Restrictions and guidelines
File filtering rules applied to the NFS protocol take effect only on NFSv3 traffic.
File filtering rules applied to the SMB protocol take effect only on SMBv1 and SMBv2 traffic.
The logging keyword enables the file filtering module to log packet matching events and use one of the following methods to send log messages:
· Fast log output—You must specify a log host to receive the log messages. Log messages are sent to the specified log host.
· Syslog output—Log messages are sent to the information center. With the information center, you can set log message filtering and output rules, including output destinations. The information center can output file filtering syslogs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect. To view file filtering syslogs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default. For more information about the display logbuffer command, see information center commands in System Management Command Reference.
Syslog output might affect device performance. As a best practice, use fast log output. For more information about fast log output, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Create a file filtering policy and enter its view.
file-filter policy policy-name
3. (Optional.) Configure a description for the file filtering policy.
description string
By default, a file filtering policy does not have a description.
4. Create a file filtering rule and enter its view.
rule rule-name
5. Specify a file type group for the file filtering rule.
filetype-group group-name
By default, a file filtering rule does not contain any file type group.
6. Specify the application layer protocols to which the file filtering rule applies.
application { all | type { ftp | http | imap | nfs | pop3 | rtmp | smb | smtp } * }
By default, no applicable application layer protocols are specified for a file filtering rule.
7. Specify the traffic directions to which the file filtering rule applies.
direction { both | download | upload }
By default, a file filtering rule applies to upload traffic.
8. Specify the actions to take on matching packets.
action { drop | permit } [ logging ]
The default action of a file filtering rule is drop.
Setting the action for packets with files carrying false extensions
About this task
A packet might contain files that carry false extensions. For example, a file that carries the .exe file extension might actually be a .txt file.
Use this command to specify the action for packets with files carrying false extensions. To perform file filtering inspection based on the real file extension, set the action to permit. To discard such packets directly, set the action to drop.
Procedure
1. Enter system view.
system-view
2. Set the action for packets with files carrying false extensions.
file-filter false-extension action { drop | permit }
The default action is permit, which enables the device to determine the packet processing action based on the real file extension.
Applying a file filtering policy to a DPI application profile
About this task
A file filtering policy must be applied to a DPI application profile to take effect.
A DPI application profile can use only one file filtering policy. If you apply different file filtering policies to the same DPI application profile, only the most recent configuration takes effect.
Procedure
1. Enter system view.
system-view
2. Enter DPI application profile view.
app-profile profile-name
For more information about this command, see DPI engine commands in DPI Command Reference.
3. Apply a file filtering policy to the DPI application profile.
file-filter apply policy policy-name
By default, no file filtering policy is applied to the DPI application profile.
Activating file filtering policy and rule settings
About this task
By default, the system will detect whether another configuration change (such as creation, modification, or deletion) occurs within a 20-second interval after a change to the file filtering policy and rule settings:
· If no configuration change occurs within the interval, the system will perform an activation operation at the end of the next 20-second interval to make the configuration take effect.
· If a configuration change occurs within the interval, the system continues to periodically detect whether configuration changes occur within the next 20-second intervals.
To activate the policy and rule configurations immediately, you can execute the inspect activate command.
For more information about configuration activation for DPI service modules, see "Configuring DPI engine."
Procedure
1. Enter system view.
system-view
2. Activate file filtering policy and rule settings.
inspect activate
By default, file filtering policy and rule settings will be activated automatically.
CAUTION: This command can cause a temporary outage of DPI services. Services that depend on DPI services might also be interrupted. For example, security policies cannot control access to applications during the outage.
Applying a DPI application profile to a security policy rule
1. Enter system view.
system-view
2. Enter security policy view.
security-policy { ip | ipv6 }
3. Enter security policy rule view.
rule { rule-id | [ rule-id ] name rule-name }
4. Set the rule action to pass.
action pass
The default rule action is drop.
5. Use a DPI application profile in the rule.
profile app-profile-name
By default, no DPI application profile is used in a security policy rule.
File filtering configuration examples
Example: Using a file filtering policy in a security policy
Network configuration
As shown in Figure 1, the AC connects to the Internet.
Configure file filtering on the AC so that the AC performs the following operations:
· Blocks files with the pptx or dotx extension.
· Logs the blocked files.
Procedure
1. Configure interfaces on the AC:
# Create VLAN 100 and VLAN-interface 100, and assign an IP address to the VLAN interface. The AP will obtain this IP address to establish CAPWAP tunnels with the AC.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 192.1.1.1 24
[AC-Vlan-interface100] quit
# Create VLAN 200 and VLAN-interface 200, and assign an IP address to the VLAN interface. The client will access the wireless network in this VLAN.
[AC] vlan 200
[AC-vlan200] quit
[AC] interface vlan-interface 200
[AC-Vlan-interface200] ip address 192.2.1.1 24
[AC-Vlan-interface200] quit
# Set the link type of GigabitEthernet 1/0/1 (the port connected to the switch) to trunk, and allow traffic from VLAN 100 and VLAN 200 to pass through the port.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/1] quit
2. Configure a wireless service:
# Create service template 1 and enter service template view.
[AC] wlan service-template 1
# Set the SSID to service.
[AC-wlan-st-1] ssid service
# Configure the AC to forward client traffic.
[AC-wlan-st-1] client forwarding-location ac
# Assign the client to VLAN 200 after it comes online.
[AC-wlan-st-1] vlan 200
# Enable the service template.
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
3. Configure the AP:
# Create a manual AP named ap1, and specify the AP model.
[AC] wlan ap ap1 model WA6320
# Set the serial ID to 219801A28N819CE0002T.
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
# Enter the view of radio 1 and bind service template 1 to the radio.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] service-template 1
# Enable radio 1.
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
# Enter the view of radio 2 and bind service template 1 to the radio.
[AC-wlan-ap-ap1] radio 2
[AC-wlan-ap-ap1-radio-2] service-template 1
# Enable radio 2.
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
4. Configure an IP address object group named filefilter and specify subnet 192.2.1.0/24 for the object group.
[AC] object-group ip address filefilter
[AC-obj-grp-ip-filefilter] network subnet 192.2.1.0 24
[AC-obj-grp-ip-filefilter] quit
5. Configure file filtering:
a. Create a file type group named fg1 and create two file type match patterns to match files with the pptx and dotx extensions, respectively.
[AC] file-filter filetype-group fg1
[AC-file-filter-fgroup-fg1] pattern 1 text pptx
[AC-file-filter-fgroup-fg1] pattern 2 text dotx
[AC-file-filter-fgroup-fg1] quit
b. Create a file filtering policy named p1 and enter file filtering policy view. Create a file filtering rule named r1 and configure it to drop and log both upload and download HTTP packets that match file type group fg1.
[AC] file-filter policy p1
[AC-file-filter-policy-p1] rule r1
[AC-file-filter-policy-p1-rule-r1] filetype-group fg1
[AC-file-filter-policy-p1-rule-r1] application type http
[AC-file-filter-policy-p1-rule-r1] direction both
[AC-file-filter-policy-p1-rule-r1] action drop logging
[AC-file-filter-policy-p1-rule-r1] quit
[AC-file-filter-policy-p1] quit
6. Configure a DPI application profile and activate the file filtering policy and rule settings:
# Create a DPI application profile named profile1 and apply file filtering policy p1 to the DPI application profile.
[AC] app-profile profile1
[AC-app-profile-profile1] file-filter apply policy p1
[AC-app-profile-profile1] quit
# Activate the file filtering policy and rule settings.
[AC] inspect activate
7. Configure a security policy:
# Enter IPv4 security policy view.
[AC] security-policy ip
# Create a security policy rule named inspect1. Configure the rule to permit packets from IP addresses in IP address object group filefilter and apply DPI application profile profile1 to the rule.
[AC-security-policy-ip] rule name inspect1
[AC-security-policy-ip-14-inspect1] source-ip filefilter
[AC-security-policy-ip-14-inspect1] action pass
[AC-security-policy-ip-14-inspect1] profile profile1
[AC-security-policy-ip-14-inspect1] quit
# Activate rule matching acceleration.
[AC-security-policy-ip] accelerate enhanced enable
[AC-security-policy-ip] quit
Verifying the configuration
# Verify that the AC blocks and logs files that meet the specified criteria. (Details not shown.)