19-Security Command Reference: 11-Security policy commands
Security policy commands
accelerate enhanced enable
Use accelerate enhanced enable to manually activate rule matching acceleration.
Syntax
accelerate enhanced enable
Views
Security policy view
Predefined user roles
network-admin
Usage guidelines
Rule matching acceleration enhances connection establishment and packet forwarding performance, especially for a device using multiple rules to match packets from multiple users.
Rule matching acceleration does not take effect on newly added, modified, and moved rules unless the feature is activated for the rules. By default, the system automatically activates rule matching acceleration for such rules at specific intervals. The interval is 2 seconds if 100 or fewer rules exist and 20 seconds if over 100 rules exist.
To activate rule matching acceleration immediately after a rule change, you can execute this command.
If no rule change is detected, the system does not perform an activation operation.
Insufficient memory can cause rule matching acceleration failures. Unaccelerated rules do not take effect, and rules that have been accelerated are not affected.
Examples
# Activate rule matching acceleration.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] accelerate enhanced enable
action
Use action to set the action for a security policy rule.
Syntax
action { drop | pass }
Default
The action for a security policy rule is not specified.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
drop: Discards matched packets.
pass: Allows matched packets to pass.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
If no action is specified for a security policy rule, the rule cannot take effect and will not be used to match or control packets.
Examples
# Set the action for security policy rule rule1 to drop.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] action drop
Related commands
display security-policy
application
Use application to specify an application or application group as a filtering criterion of a security policy rule.
Use undo application to remove the specified application or application group filtering criterion from a security policy rule.
Syntax
application { name application-name | group app-group-name }
undo application [ name [ application-name ] | group [ app-group-name ] ]
Default
No application is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
name application-name: Specifies the name of an application, a case-insensitive string of 1 to 63 characters. The reserved names invalid and other cannot be used. If you do not specify this argument when executing the undo command, the command removes all applications from the rule. For more information about applications, see APR in Security Configuration Guide.
group app-group-name: Specifies the name of an application group, a case-insensitive string of 1 to 63 characters. The reserved names invalid and other cannot be used. If you do not specify this argument when executing the undo command, the command removes all application groups from the rule. For more information about application groups, see APR in Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple applications as the filtering criteria.
For the device to identify the applications, the packets of the protocols on which the applications depend must be permitted to pass. If port-based packet filtering is configured and a dependent protocol uses a non-default port, you must also permit the packets from that port.
If you execute the undo command without specifying any parameters, the command removes all application and application group filtering criteria from the rule.
Examples
# Specify applications 139Mail and 51job as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] application name 139Mail
[Sysname-security-policy-1-rule1] application name 51job
# Specify application groups app1 and app2 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] application group app1
[Sysname-security-policy-1-rule1] application group app2
Related commands
display security-policy
nbar application
port-mapping
counting enable
Use counting enable to enable statistics collection for matched packets.
Use undo counting enable to disable statistics collection for matched packets.
Syntax
counting enable
undo counting enable
Default
Statistics collection for matched packets is disabled.
Views
Security policy rule view
Predefined user roles
network-admin
Usage guidelines
This feature enables the device to collect statistics about matched packets. The collected statistics can be viewed by executing the display security-policy statistics command.
Examples
# Enable matched packet statistics collection for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] counting enable
Related commands
display security-policy
display security-policy statistics
default rule action
Use default rule action to configure the action of the default security policy rule.
Syntax
default rule action { drop | pass }
Default
The action for the default security policy rule is drop.
Views
Security policy view
Predefined user roles
network-admin
Parameters
drop: Discards matched packets.
pass: Allows matched packets to pass.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the action for the default security policy rule to drop.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] default rule action drop
default rule counting enable
Use default rule counting enable to enable statistics collection for the default security policy rule.
Use undo default rule counting enable to disable statistics collection for the default security policy rule.
Syntax
default rule counting enable
undo default rule counting enable
Default
Statistics collection is disabled for the default security policy rule.
Views
Security policy view
Predefined user roles
network-admin
Usage guidelines
This feature enables the device to collect statistics about packets matching the default security policy rule. To view the collected statistics, execute the display security-policy statistics command.
Examples
# Enable matched packet statistics collection for the default security policy rule.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] default rule counting enable
default rule logging enable
Use default rule logging enable to enable logging for the default security policy rule.
Use undo default rule logging enable to disable logging for the default security policy rule.
Syntax
default rule logging enable
undo default rule logging enable
Default
Logging is disabled for the default security policy rule.
Views
Security policy view
Predefined user roles
network-admin
Usage guidelines
This feature enables the security policy module to generate log messages for packet matching events of the default security policy rule and send the messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output packet matching logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view packet matching logs stored on the device, use the display logbuffer command or open the security policy log page from the Web interface of the device. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see System Management Configuration Guide.
Examples
# Enable matched packet logging for the default security policy rule.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] default rule logging enable
description (security policy rule view)
Use description to configure a description for a security policy rule.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure the description as This rule is used for source-ip ip1 for security policy rule 1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] description This rule is used for source-ip ip1
Related commands
display object-policy
description (security policy view)
Use description to configure a description for the IPv4 or IPv6 security policy.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for the security policy.
Views
Security policy view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure the description as zone-pair security office to library for the security policy.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] description zone-pair security office to library
Related commands
display security-policy
destination-address
Use destination-address to specify a destination address as a filtering criterion of a security policy rule.
Use undo destination-address to remove the specified destination address from a security policy rule.
Syntax
destination-address { host { ip-address | ipv6-address } | subnet { ip-address { mask-length | mask } | ipv6-address prefix-length | ipv6-address / prefix-length } | range { ip-address1 ip-address2 | ipv6-address1 ipv6-address2 } | object-group-ip address-object-group-name | object-group-ipv6 address-object-group-name }
undo destination-address [ host [ ip-address | ipv6-address ] | subnet [ ip-address { mask-length | mask } | ipv6-address prefix-length | ipv6-address / prefix-length ] | range [ ip-address1 ip-address2 | ipv6-address1 ipv6-address2 ] | object-group-ip [ address-object-group-name ] | object-group-ipv6 [ address-object-group-name ] ]
Default
No destination address is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
ip-address: Specifies a host IPv4 address.
ipv6-address: Specifies a host IPv6 address.
ip-address { mask-length | mask }: Specifies a subnet IPv4 address. The mask-length argument represents the subnet mask length in the range of 0 to 32. The mask argument represents the subnet mask in dotted decimal notation. If the specified mask length is 32 or the mask is 255.255.255.255, the address is considered as a host address.
ipv6-address prefix-length: Specifies a subnet IPv6 address. The prefix-length argument represents the prefix length in the range of 1 to 128. If the prefix-length value is set to 128, the address is considered as a host address.
ip-address1 ip-address2: Specifies an IPv4 address range. The ip-address1 argument represents the start IPv4 address, and the ip-address2 argument represents the end IPv4 address.
ipv6-address1 ipv6-address2: Specifies an IPv6 address range. The ipv6-address1 argument represents the start IPv6 address and the ipv6-address2 argument represents the end IPv6 address.
object-group-ip: Specifies an IP address object group.
object-group-ipv6: Specifies an IPv6 address object group.
address-object-group-name: Specifies the address object group name, a case-insensitive string of 1 to 63 characters. The group name cannot be any.
Usage guidelines
You can execute this command multiple times to specify multiple destination addresses as filtering criteria for a security policy rule.
If you specify an address object group that does not exist, the configuration still succeeds and the command creates an empty address object group with that name in the system. The filtering criterion does not match any packets while the group is empty.
The total number of destination host addresses, destination subnet addresses, destination address ranges, and destination address object groups configured under one rule cannot exceed 1024. If the limit is reached, the command fails and an error message is displayed.
When you specify a destination address as a filtering criterion, follow these restrictions and guidelines:
· If ip-address1 is the same as ip-address2, the address is treated as a host address.
· If ip-address1 and ip-address2 are the start and end addresses of a subnet, the configuration is treated as a subnet address.
· If ip-address1 is higher than ip-address2, the command automatically adjusts the range to [ ip-address2, ip-address1 ].
· If ipv6-address1 is the same as ipv6-address2, the address is treated as a host address.
· If ipv6-address1 and ipv6-address2 are the start and end addresses of a subnet, the configuration is treated as a subnet address.
· If ipv6-address1 is higher than ipv6-address2, the command automatically adjusts the range to [ ipv6-address2, ipv6-address1 ].
If you do not specify any keywords when executing the undo command, the command deletes all IP address filtering criteria specified for the rule, including destination host addresses, destination subnet addresses, destination address ranges, and destination address object groups.
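The range rules in the guidelines above (equal endpoints become a host, endpoints that exactly bound one subnet become a subnet, a descending range is swapped) are easy to get wrong when generating rules from an inventory. The following is an added example, not code from this command reference: it applies those rules with Python's standard ipaddress module and renders the resulting destination-address argument. The function name and the use of summarize_address_range to detect an exactly aligned subnet are this example's own choices.

```python
import ipaddress


def normalize_destination_range(start: str, end: str):
    """Classify an address pair the way the destination-address range
    guidelines describe.

    Returns (form, text): form is "host", "subnet" or "range", and text is
    the argument string that follows `destination-address <form>`.  IPv4
    subnets are rendered as "address mask-length" and IPv6 subnets as
    "address/prefix-length", matching the syntax on this page.
    """
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo.version != hi.version:
        raise ValueError("both endpoints must be the same IP version")
    if lo > hi:                      # descending range: the command swaps the endpoints
        lo, hi = hi, lo
    if lo == hi:                     # identical endpoints collapse to a host address
        return ("host", str(lo))
    # summarize_address_range yields exactly one network only when the pair
    # is the first and last address of a single aligned block, i.e. a subnet.
    blocks = list(ipaddress.summarize_address_range(lo, hi))
    if len(blocks) == 1:
        net = blocks[0]
        if net.version == 4:
            return ("subnet", f"{net.network_address} {net.prefixlen}")
        return ("subnet", f"{net.network_address}/{net.prefixlen}")
    return ("range", f"{lo} {hi}")


def destination_address_command(start: str, end: str) -> str:
    """Full command line for the security policy rule view."""
    form, text = normalize_destination_range(start, end)
    return f"destination-address {form} {text}"


if __name__ == "__main__":
    # Constructed inputs taken from the address examples on this page.
    for pair in [("192.167.0.1", "192.167.0.1"),
                 ("192.167.0.0", "192.167.0.255"),
                 ("192.165.0.200", "192.165.0.100"),
                 ("192::", "192::ffff:ffff:ffff:ffff")]:
        print(destination_address_command(*pair))
```

Running the block prints one command per pair; the third pair is swapped into ascending order and stays a range because 192.165.0.100 to 192.165.0.200 is not an aligned block.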
Examples
# Specify host destination address 192.167.0.1 as the filtering condition for the security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] destination-address host 192.167.0.1
# Specify host destination address 192::167:1 as the filtering condition for the security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] destination-address host 192::167:1
# Specify IPv4 subnet address 192.167.0.0 with a mask length of 24 as the filtering condition for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] destination-address subnet 192.167.0.0 24
# Specify IPv4 subnet address 192.166.0.0 with a mask of 255.255.0.0 as the filtering condition for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] destination-address subnet 192.166.0.0 255.255.0.0
# Specify IPv6 subnet address 192::167:0 with a prefix length of 64 as the filtering condition for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] destination-address subnet 192::167:0 64
# Specify IPv4 address range of 192.165.0.100 to 192.165.0.200 as the filtering condition for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] destination-address range 192.165.0.100 192.165.0.200
# Specify destination address object groups address1 and address2 as the filtering conditions for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] destination-address object-group-ip address1
[Sysname-security-policy-1-rule1] destination-address object-group-ipv6 address2
Related commands
display security-policy
object-group
destination-zone
Use destination-zone to specify a destination security zone as a filtering criterion of a security policy rule.
Use undo destination-zone to remove the specified destination security zone from a security policy rule.
Syntax
destination-zone destination-zone-name
undo destination-zone [ destination-zone-name ]
Default
No destination security zone is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
destination-zone-name: Specifies the name of a destination security zone, a case-insensitive string of 1 to 31 characters. If you do not specify this argument when executing the undo destination-zone command, the command removes all destination security zones from the rule. For more information about security zones, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple destination security zones as the filtering criteria.
Examples
# Specify destination security zones trust and server as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] destination-zone trust
[Sysname-security-policy-1-rule1] destination-zone server
Related commands
display security-policy
security-zone
disable
Use disable to disable a security policy rule.
Use undo disable to enable a security policy rule.
Syntax
disable
undo disable
Default
A security policy rule is enabled.
Views
Security policy rule view
Predefined user roles
network-admin
Examples
# Disable security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] disable
Related commands
display security-policy
display security-policy
Use display security-policy to display information about the specified security policy.
Syntax
display security-policy [ verbose | rule name rule-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
verbose: Displays detailed configuration information. If you do not specify this keyword, the command displays the summary information.
rule: Specifies a security policy rule.
name rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters.
Examples
# Display summary information about all security policy rules.
<Sysname> display security-policy
ID Name State Action Hits
------------------------------------------------------------------------------------
0 default active pass 11221440
1 test active drop 0
------------------------------------------------------------------------------------
# Display detailed information about the security policy.
<Sysname> display security-policy verbose
Security-policy
rule 1 name der (Inactive: action not configured, track entry down)
profile er
vrf re
logging enable
counting enable
counting enable TTL 1200
time-range dere
track positive 23
session aging-time 5000
session persistent aging-time 2400
source-zone trust
destination-zone trust
source-address host 1::4
source-address subnet 1.1.1.10
source-address subnet 1::/64
source-address subnet 1.1.1.0 255.255.255.0
source-address range 2.2.1.1 3.3.3.3
destination-address host 1.1.1.3
destination-address host 5::2
destination-address subnet 1.1.1.0 255.255.255.0
destination-address range 2.2.1.1 3.3.3.3
service object-group http
user name usera domain test
user group groupa domain test
application name 139Mail
application group app1
Table 1 Command output
Field | Description |
---|---|
ID | Rule ID. |
Name | Rule name. |
State | Active status of the rule. The status is associated with a Track entry. Options include: · active. · inactive. |
Action | Rule action. Options include: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
Hits | Number of times that the rule has matched a packet. |
rule id name rule-name (Inactive: action not configured, track entry down) | Rule ID, name, and active status. In this example, the rule is inactive. Reasons that a rule can be inactive: · action not configured—No action is specified for the rule. · rule disabled—The rule is disabled. · rule group disabled—The security policy rule group to which the rule belongs is disabled. · time range inactive—The rule is not in its effective time range. · track entry down—The associated Track entry is down. |
action pass | Rule action: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
profile app-profile-name | DPI application profile applied to the rule. |
ips-policy ips-policy-name | IPS policy applied to the rule. |
logging enable | Logging for matched packets is enabled. |
counting enable | Statistics collection for matched packets is enabled. |
time-range time-range-name | Time range during which the rule is in effect. |
track negative 1 | The rule is associated with the Negative state of the Track entry. |
track positive 1 | The rule is associated with the Positive or NotReady state of the Track entry. |
session aging-time time-value | Session aging time in seconds. |
session persistent aging-time time-value | Persistent session aging time in hours. |
source-zone zone-name | Source security zone that acts as a filtering criterion. |
destination-zone zone-name | Destination security zone that acts as a filtering criterion. |
source-address object-group-ip address-object-group-name | Source IPv4 address object group that acts as a filtering criterion. |
source-address object-group-ipv6 address-object-group-name | Source IPv6 address object group that acts as a filtering criterion. |
source-address object-group-mac mac-object-group-name | Source MAC address object group that acts as a filtering criterion. This field is not supported in the current software version. |
source-address host ip-address | Source IP host address that acts as a filtering criterion. |
source-address subnet ip-address | Source IP subnet address that acts as a filtering criterion. |
source-address range ip-address1 ip-address2 | Source IP address range that acts as a filtering criterion. |
destination-address object-group-ip address-object-group-name | Destination IPv4 address object group that acts as a filtering criterion. |
destination-address object-group-ipv6 address-object-group-name | Destination IPv6 address object group that acts as a filtering criterion. |
destination-address host ip-address | Destination IP host address that acts as a filtering criterion. |
destination-address subnet ip-address | Destination IP subnet address that acts as a filtering criterion. |
destination-address range ip-address1 ip-address2 | Destination IP address range that acts as a filtering criterion. |
service object-group object-group-name | Service object group that acts as a filtering criterion. |
application group app-group-name | Application group that acts as a filtering criterion. |
application name application-name | Application that acts as a filtering criterion. |
user name user-name | User that acts as a filtering criterion. |
user group user-group-name | User group that acts as a filtering criterion. |
Related commands
security-policy ip
display security-policy match-criteria
Use display security-policy match-criteria to display the specified five-tuple matching criteria of the security policy.
Syntax
display security-policy match-criteria { source-zone { name source-zone-name | any } | destination-zone { name destination-zone-name | any } | source-address { ip-address | ipv6-address | any } | destination-address { ip-address | ipv6-address | any } | protocol { protocol-number [ [ source-port source-port | destination-port destination-port ] * | icmp-type icmp-type-number icmp-code icmp-code-number | icmpv6-type icmpv6-type-number icmpv6-code icmpv6-code-number ] | any } } * [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
source-zone { name source-zone-name | any }: Specifies a source zone filtering criterion. The source-zone-name argument represents the source zone name, a case-insensitive string of 1 to 31 characters. The any keyword represents rules not configured with a source zone filtering criterion.
destination-zone { name destination-zone-name | any }: Specifies a destination zone filtering criterion. The destination-zone-name argument represents the destination zone name, a case-insensitive string of 1 to 31 characters. The any keyword represents rules not configured with a destination zone filtering criterion.
source-address: Specifies a source address filtering criterion.
destination-address: Specifies a destination address filtering criterion.
{ ip-address | any }: Specifies an IPv4 address, or rules not configured with IPv4 address filtering criteria.
{ ipv6-address | any }: Specifies an IPv6 address, or rules not configured with IPv6 address filtering criteria.
protocol-number: Specifies a protocol type. You can specify a number in the range of 0 to 255 or a protocol type name. Available protocol type names include tcp (6), udp (17), sctp (132), icmp (1), and icmpv6 (58).
source-port source-port: Specifies a source port in the range of 0 to 65535. This configuration takes effect only when the protocol type is tcp, udp, or sctp.
destination-port destination-port: Specifies a destination port in the range of 0 to 65535. This configuration takes effect only when the protocol type is tcp, udp, or sctp.
any: Specifies rules not configured with service or port matching criteria.
icmp-type icmp-type-number: Specifies the ICMP message type in the range of 0 to 255. This configuration takes effect only when the protocol type is icmp.
icmp-code icmp-code-number: Specifies the ICMP message code in the range of 0 to 255.
icmpv6-type icmpv6-type-number: Specifies the ICMPv6 message type in the range of 0 to 255. This configuration takes effect only when the protocol type is icmpv6.
icmpv6-code icmpv6-code-number: Specifies the ICMPv6 message code in the range of 0 to 255.
verbose: Displays the detailed information. If you do not specify this keyword, the command displays the brief information.
Usage guidelines
If a specified filtering criterion does not exist, the command displays information about rules not configured with the criterion.
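When the device is not at hand, the same lookup can be run offline over saved output of display security-policy verbose (the format shown in Table 1 above). The following is an added example, not code from this command reference: it parses the verbose output into rules, recovers each rule's action, logging and counting state, its inactive reasons, and its criteria, and then models the single-criterion lookup of display security-policy match-criteria for source and destination zones and addresses. The sample output is constructed to mirror the page's format and was not captured from a device; the any handling follows the parameter descriptions above (rules with no criterion of that kind). Object-group criteria are parsed but not expanded, and the fallback for a non-existent criterion described in the usage guidelines is not modeled.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modeled on the verbose output shown on this page.
SAMPLE_OUTPUT = """\
Security-policy
 rule 1 name der (Inactive: action not configured, track entry down)
  logging enable
  source-zone trust
  destination-zone trust
  source-address host 1::4
 rule 2 name web-in
  action pass
  counting enable
  source-zone untrust
  destination-zone dmz
  source-address subnet 1.2.3.0 255.255.255.0
  destination-address host 2.3.4.5
  service object-group http
 rule 3 name lab
  action pass
  source-address range 10.0.0.100 10.0.0.200
 rule 4 name deny-all
  action drop
  logging enable
"""

# Rule header: "rule <id> name <name>" with an optional "(Inactive: reason, ...)".
RULE_HEADER = re.compile(r"^rule (\d+) name (\S+?)\s*(?:\(Inactive: (.+)\))?$")


@dataclass
class Rule:
    rule_id: int
    name: str
    inactive_reasons: list
    action: Optional[str] = None
    logging: bool = False
    counting: bool = False
    criteria: dict = field(default_factory=dict)  # keyword -> [argument text]


def parse_verbose(output: str) -> list:
    """Group the verbose output into one Rule per 'rule id name ...' header."""
    rules, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        header = RULE_HEADER.match(line)
        if header:
            reasons = header.group(3)
            current = Rule(int(header.group(1)), header.group(2),
                           [r.strip() for r in reasons.split(",")] if reasons else [])
            rules.append(current)
        elif current is not None and line:
            keyword, _, rest = line.partition(" ")
            if keyword == "action":
                current.action = rest
            elif keyword == "logging":
                current.logging = rest == "enable"
            elif keyword == "counting":
                current.counting = rest.startswith("enable")
            else:  # every other body line is a filtering criterion
                current.criteria.setdefault(keyword, []).append(rest)
    return rules


def entry_covers(entry: str, addr) -> bool:
    """True if a printed host/subnet/range criterion contains addr."""
    form, _, args = entry.partition(" ")
    parts = args.split()
    if form == "host":
        return addr == ipaddress.ip_address(parts[0])
    if form == "subnet":  # "a.b.c.d mask-or-length" or "ipv6/prefix"
        spec = parts[0] if len(parts) == 1 else f"{parts[0]}/{parts[1]}"
        net = ipaddress.ip_network(spec, strict=False)
        return addr.version == net.version and addr in net
    if form == "range":
        lo, hi = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        return addr.version == lo.version and lo <= addr <= hi
    return False  # object-group entries would need the group contents


def match_criteria(rules: list, keyword: str, value: str) -> list:
    """Names of rules selected by one criterion: "any" selects rules with no
    criterion of that kind, a zone name selects rules that list it, and an
    IP address selects rules whose address entries cover it."""
    selected = []
    for rule in rules:
        entries = rule.criteria.get(keyword, [])
        if value == "any":
            hit = not entries
        elif keyword.endswith("-zone"):
            hit = value.lower() in (e.lower() for e in entries)
        else:  # source-address / destination-address
            addr = ipaddress.ip_address(value)
            hit = any(entry_covers(e, addr) for e in entries)
        if hit:
            selected.append(rule.name)
    return selected


if __name__ == "__main__":
    parsed = parse_verbose(SAMPLE_OUTPUT)
    print(match_criteria(parsed, "source-address", "1.2.3.4"))   # ['web-in']
    print(match_criteria(parsed, "source-address", "any"))       # ['deny-all']
```

Rules that carry no address criterion at all (deny-all in the sample) only surface under any, which is the same behaviour the command's any keyword documents; a reviewer auditing a policy export therefore runs both the specific address and any to see every rule that could apply to a host.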
Examples
# Display brief information about security policy rules configured with source address 1.2.3.4 as a filtering criterion.
<Sysname> display security-policy match-criteria source-address 1.2.3.4
ID Name State Action Hits
------------------------------------------------------------------------------------
1 test active drop 0
------------------------------------------------------------------------------------
# Display detailed information about security policy rules configured with source address 1.2.3.4 as a filtering criterion.
<Sysname> display security-policy match-criteria source-address 1.2.3.4 verbose
rule 1 name test(Inactive: action not configured, track entry down)
source-zone aa
destination-zone bb
source-address host 1.2.3.4
destination-address host 2.3.4.5
service udp-s1110-d80
service icmp-3-3
Table 2 Command output
Field | Description |
---|---|
ID | Rule ID. |
Name | Rule name. |
State | Active status of the rule. The status is associated with a Track entry. Options include: · active. · inactive. |
Action | Rule action. Options include: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
Hits | Number of times that the rule has matched a packet. |
rule id name rule-name (Inactive: action not configured, track entry down) | Rule ID, name, and active status. In this example, the rule is inactive. Reasons that a rule can be inactive: · action not configured—No action is specified for the rule. · rule disabled—The rule is disabled. · rule group disabled—The security policy rule group to which the rule belongs is disabled. · time range inactive—The rule is not in its effective time range. · track entry down—The associated Track entry is down. |
action pass | Rule action: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
profile app-profile-name | DPI application profile applied to the rule. |
ips-policy ips-policy-name | IPS policy applied to the rule. |
logging enable | Logging for matched packets is enabled. |
counting enable | Statistics collection for matched packets is enabled. |
time-range time-range-name | Time range during which the rule is in effect. |
track negative 1 | The rule is associated with the Negative state of the Track entry. |
track positive 1 | The rule is associated with the Positive or NotReady state of the Track entry. |
session aging-time time-value | Session aging time in seconds. |
session persistent aging-time time-value | Persistent session aging time in hours. |
source-zone zone-name | Source security zone that acts as a filtering criterion. |
destination-zone zone-name | Destination security zone that acts as a filtering criterion. |
source-address object-group-ip address-object-group-name | Source IPv4 address object group that acts as a filtering criterion. |
source-address object-group-ipv6 address-object-group-name | Source IPv6 address object group that acts as a filtering criterion. |
source-address object-group-mac mac-object-group-name | Source MAC address object group that acts as a filtering criterion. This field is not supported in the current software version. |
source-address host ip-address | Source IP host address that acts as a filtering criterion. |
source-address subnet ip-address | Source IP subnet address that acts as a filtering criterion. |
source-address range ip-address1 ip-address2 | Source IP address range that acts as a filtering criterion. |
destination-address object-group-ip address-object-group-name | Destination IPv4 address object group that acts as a filtering criterion. |
destination-address object-group-ipv6 address-object-group-name | Destination IPv6 address object group that acts as a filtering criterion. |
destination-address host ip-address | Destination IP host address that acts as a filtering criterion. |
destination-address subnet ip-address | Destination IP subnet address that acts as a filtering criterion. |
destination-address range ip-address1 ip-address2 | Destination IP address range that acts as a filtering criterion. |
service object-group object-group-name | Service object group that acts as a filtering criterion. |
service protocol protocol | Service protocol and port number that act as a filtering criterion. |
application group app-group-name | Application group that acts as a filtering criterion. |
application name application-name | Application that acts as a filtering criterion. |
user name user-name | User that acts as a filtering criterion. |
user group user-group-name | User group that acts as a filtering criterion. |
display security-policy statistics
Use display security-policy statistics to display security policy statistics.
Syntax
display security-policy statistics [ rule rule-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
rule rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters. If you do not specify this option, the command displays statistics about all security policy rules of the specified IP version.
Examples
# Display statistics about security policy rule abc.
<Sysname> display security-policy statistics rule abc
rule 1 name abc
action: pass (5 packets, 1000 bytes)
Table 3 Command output
Field | Description |
---|---|
rule id name rule-name | Rule ID and rule name. |
action | Rule action: pass (allows matched packets to pass) or drop (drops matched packets). |
x packets, y bytes | The rule has matched x packets, a total of y bytes. This field is displayed only if the counting enable or the logging enable command has been executed for the rule. |
Related commands
reset security-policy statistics
group move
Use group move to move a security policy rule group to change the match order of security policy rules.
Syntax
group move group-name1 { after | before } { group group-name2 | rule rule-name }
Views
Security policy view
Predefined user roles
network-admin
Parameters
group-name1: Specifies the name of the security policy rule group to be moved, a case-insensitive string of 1 to 63 characters.
after: Moves the security policy rule group to the place after the target security policy rule group or the target security policy rule.
before: Moves the security policy rule group to the place before the target security policy rule group or the target security policy rule.
group group-name2: Specifies the name of the target security policy rule group, a case-insensitive string of 1 to 63 characters.
rule rule-name: Specifies the name of the target security policy rule, a case-insensitive string of 1 to 127 characters.
Usage guidelines
If you specify a target security policy rule that belongs to a security policy rule group, follow these restrictions and guidelines:
· If the target rule is neither the start nor end rule of the group, you cannot move a security policy rule group to the place before or after the rule.
· If the target rule is the start rule of the group, you can only move a security policy rule group to the place before the rule.
· If the target rule is the end rule of the group, you can only move a security policy rule group to the place after the rule.
Examples
# Move security policy rule group group1 to the place before security policy rule group group2.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] group move group1 before group group2
group name
Use group name to create a security policy rule group and add security policy rules to the group, or add security policy rules to an existing security policy rule group.
Use undo group name to delete a security policy rule group.
Syntax
group name group-name [ from rule-name1 to rule-name2 ] [ disable | enable ] [ description description-text ]
undo group name group-name [ description | include-member ]
Default
No security policy rule group exists.
Views
Security policy view
Predefined user roles
network-admin
Parameters
group-name: Specifies a security policy rule group name, a case-insensitive string of 1 to 63 characters.
from rule-name1: Specifies the start rule of a rule list. The rule-name1 argument represents the security policy rule name, a case-insensitive string of 1 to 127 characters.
to rule-name2: Specifies the end rule of the rule list. The rule-name2 argument represents the security policy rule name, a case-insensitive string of 1 to 127 characters.
disable: Disables the security policy rule group.
enable: Enables the security policy rule group. By default, a security policy rule group is enabled.
description description-text: Specifies the description of the security policy rule group, a case-sensitive string of 1 to 127 characters. By default, no description is specified for a security policy rule group.
include-member: Specifies security policy rules in the security policy rule group.
Usage guidelines
Security policy rule grouping allows users to enable, disable, delete, and move security policy rules in batches.
A security policy rule in a security policy rule group takes effect only when both the rule and the group are enabled.
To add a list of security policy rules, make sure the end rule is listed after the start rule and that none of the specified rules belongs to another security policy rule group.
When you execute the undo command, follow these restrictions and guidelines:
· The undo group name group-name command deletes only the specified security policy rule group.
· The undo group name group-name description command deletes only the description for the specified security policy rule group.
· The undo group name group-name include-member command deletes both the specified security policy rule group and all the security policy rules in the group.
Examples
# Create security policy rule group group1, add security policy rules rule-name1 through rule-name10 to the group, and specify the group description as marketing.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] group name group1 from rule-name1 to rule-name10 enable description marketing
group rename
Use group rename to rename a security policy rule group.
Syntax
group rename old-name new-name
Views
Security policy view
Predefined user roles
network-admin
Parameters
old-name: Specifies the name of a security policy rule group, a case-insensitive string of 1 to 63 characters.
new-name: Specifies a new name for the security policy rule group, a case-insensitive string of 1 to 63 characters.
Examples
# Rename security policy rule group group1 to group2.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] group rename group1 group2
ips-policy
Use ips-policy to apply an IPS policy to a security policy rule.
Use undo ips-policy to remove the IPS policy applied to a security policy rule.
Syntax
ips-policy policy-name
undo ips-policy
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
policy-name: Specifies the IPS policy name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
This feature enables the device to filter packets matching the security rule by using an IPS policy. For more information about DPI, see DPI Configuration Guide.
This feature takes effect only when the rule action is pass.
Under the same rule, you can specify an IPS policy or a DPI application profile, but cannot specify the policy and profile at the same time.
Examples
# Apply IPS policy p1 to a security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] action pass
[Sysname-security-policy-1-rule1] ips-policy p1
Related commands
rule
security-policy
logging enable
Use logging enable to enable logging for matched packets.
Use undo logging enable to disable logging for matched packets.
Syntax
logging enable
undo logging enable
Default
Logging for matched packets is disabled.
Views
Security policy rule view
Predefined user roles
network-admin
Usage guidelines
This feature enables the security policy module to send log messages to the information center when packets match a security policy.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output packet matching logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view packet matching logs stored on the device, use the display logbuffer command or open the security policy log page from the Web interface of the device. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see System Management Configuration Guide.
Examples
# Enable matched packet logging for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] logging enable
Related commands
display security-policy
move rule
Use move rule to move a security policy rule by rule ID.
Syntax
move rule rule-id before insert-rule-id
Views
Security policy view
Predefined user roles
network-admin
Parameters
rule-id: Specifies the ID of a rule, in the range of 0 to 65534.
insert-rule-id: Specifies the ID of the target rule before which a rule is inserted. The target rule ID is in the range of 0 to 65535. If you specify 65535 as the target rule ID, the rule is moved to the end of the list.
Usage guidelines
The system does not execute the command in the following situations:
· You specify the same value for the rule-id and insert-rule-id arguments.
· You specify a nonexistent rule.
Examples
# Insert rule 5 before rule 2 for the security policy.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] move rule 5 before 2
Related commands
rule
security-policy
move rule name
Use move rule name to move a security policy rule by rule name.
Syntax
move rule name rule-name1 { { after | before } name rule-name2 | bottom | down | top | up }
Views
Security policy view
Predefined user roles
network-admin
Parameters
rule-name1: Specifies the name of the rule to move, a case-insensitive string of 1 to 127 characters.
after: Moves the rule to the place after the destination rule.
before: Moves the rule to the place before the destination rule.
name rule-name2: Specifies the name of the destination rule, a case-insensitive string of 1 to 127 characters.
bottom: Moves the rule to the end of the security policy.
down: Moves the rule down one place.
top: Moves the rule to the beginning of the security policy.
up: Moves the rule up one place.
Usage guidelines
You can move a rule to change its packet matching priority.
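The match-order semantics of move rule name, together with the group move restrictions described under group move, as an added Python model that is not the device's own code: rules are matched top-down, a group is a contiguous block of rules, and a group move that would land inside another group is rejected. The rule names, zones and group names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One security policy rule; a zone of None means any zone."""
    name: str
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    action: str = "drop"
    group: Optional[str] = None          # parent-group, if the rule is in a group


class SecurityPolicy:
    """Ordered rule list: a packet gets the action of the first rule it matches,
    so moving rules or groups changes what is permitted (constructed model)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def names(self):
        return [r.name for r in self.rules]

    def _idx(self, name):
        for i, r in enumerate(self.rules):
            if r.name.lower() == name.lower():      # rule names are case-insensitive
                return i
        raise KeyError(f"rule {name} does not exist")

    def first_match(self, src_zone, dst_zone):
        """(rule name, action) of the first rule whose zones match, else None."""
        for r in self.rules:
            if r.src_zone in (None, src_zone) and r.dst_zone in (None, dst_zone):
                return r.name, r.action
        return None

    # move rule name rule-name1 { { after | before } name rule-name2 | bottom | down | top | up }
    def move_rule(self, name, op, target=None):
        if op not in ("top", "bottom", "up", "down", "before", "after"):
            raise ValueError(f"unknown move operation {op}")
        i = self._idx(name)
        if op in ("before", "after"):
            t = self._idx(target)                  # validated before anything is popped
            if t == i:
                raise ValueError("a rule cannot be moved relative to itself")
        rule = self.rules.pop(i)
        if op == "top":
            pos = 0
        elif op == "bottom":
            pos = len(self.rules)
        elif op == "up":
            pos = max(i - 1, 0)
        elif op == "down":
            pos = min(i + 1, len(self.rules))
        else:
            if t > i:
                t -= 1                             # target shifted down after the pop
            pos = t if op == "before" else t + 1
        self.rules.insert(pos, rule)

    def _group_span(self, group):
        """(first, last) index of a group's rules; a group is a contiguous block."""
        idx = [i for i, r in enumerate(self.rules) if r.group == group]
        if not idx:
            raise KeyError(f"group {group} does not exist")
        if idx != list(range(idx[0], idx[-1] + 1)):
            raise ValueError(f"group {group} is not contiguous")
        return idx[0], idx[-1]

    # group move group-name1 { after | before } { group group-name2 | rule rule-name }
    def move_group(self, group, op, target_group=None, target_rule=None):
        if op not in ("before", "after"):
            raise ValueError(f"unknown move operation {op}")
        lo, hi = self._group_span(group)
        if target_rule is not None:
            t = self._idx(target_rule)
            tg = self.rules[t].group
            if tg is not None:
                glo, ghi = self._group_span(tg)
                # Only "before the start rule" or "after the end rule" of a group is
                # allowed; any other position would split that group.
                if not ((op == "before" and t == glo) or (op == "after" and t == ghi)):
                    raise ValueError(f"cannot move {group} {op} rule {target_rule}, "
                                     f"which is inside group {tg}")
        block = self.rules[lo:hi + 1]
        del self.rules[lo:hi + 1]
        try:
            if target_rule is not None:
                t = self._idx(target_rule)
                pos = t if op == "before" else t + 1
            else:
                glo, ghi = self._group_span(target_group)
                pos = glo if op == "before" else ghi + 1
        except (KeyError, ValueError):
            self.rules[lo:lo] = block              # target was in the moved group: undo
            raise
        self.rules[pos:pos] = block


def build_sample_policy():
    """Constructed sample: group g1 = rule2..rule3, group g2 = rule4..rule5."""
    return SecurityPolicy([
        Rule("rule1", "trust", "untrust", "pass"),
        Rule("rule2", "trust", "dmz", "pass", group="g1"),
        Rule("rule3", None, "untrust", "drop", group="g1"),
        Rule("rule4", "dmz", "untrust", "pass", group="g2"),
        Rule("rule5", None, None, "drop", group="g2"),
    ])
```

In the sample, rule3 shadows rule4 for dmz-to-untrust traffic until g2 is moved in front of g1, after which the catch-all rule5 shadows rule2; checking first_match before and after each move is how to confirm that a reorder did not open or close traffic unintentionally.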
Examples
# Move rule rule1 to the place before rule rule2.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] move rule name rule1 before name rule2
Related commands
rule
security-policy
parent-group
Use parent-group to specify a security policy rule group for a security policy rule.
Use undo parent-group to restore the default.
Syntax
parent-group group-name
undo parent-group
Default
A security policy rule does not belong to any security policy rule group.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
group-name: Specifies the name of a security policy rule group, a case-insensitive string of 1 to 63 characters.
Examples
# Assign security policy rule rule1 to security policy rule group group1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] parent-group group1
profile
Use profile to apply a DPI application profile to a security policy rule.
Use undo profile to remove the DPI application profile applied to a security policy rule.
Syntax
profile app-profile-name
undo profile
Default
No DPI application profile is applied to a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
app-profile-name: Specifies the name of a DPI application profile, a case-insensitive string of 1 to 63 characters. For more information about DPI application profiles, see DPI engine in DPI Configuration Guide.
Usage guidelines
This feature enables the device to perform DPI on packets matching the specified rule. For more information about DPI, see DPI Configuration Guide.
This feature takes effect only when the rule action is pass.
Under the same rule, you can specify an IPS policy or a DPI application profile, but cannot specify the policy and profile at the same time.
Examples
# Apply DPI application profile p1 to security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] action pass
[Sysname-security-policy-1-rule1] profile p1
Related commands
action pass
app-profile (DPI Command Reference)
display security-policy
reset security-policy statistics
Use reset security-policy statistics to clear security policy statistics.
Syntax
reset security-policy statistics [ rule rule-name ]
Views
Any view
Predefined user roles
network-admin
Parameters
rule rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters.
Usage guidelines
If you do not specify any keyword or option, the command clears all security policy statistics.
Examples
# Clear the security policy statistics about security policy rule abc.
<Sysname> reset security-policy statistics rule abc
Related commands
display security-policy statistics
rule
Use rule to create a security policy rule and enter its view, or enter the view of an existing security policy rule.
Use undo rule to delete the specified security policy rule.
Syntax
rule { rule-id | [ rule-id ] name rule-name }
undo rule { rule-id | name rule-name } *
Default
No security policy rules exist.
Views
Security policy view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 1 to 4294967290. The value 0 is reserved for the default security policy rule named default. If you do not specify an ID for the rule, the system assigns the rule the next integer after the greatest ID in use. If the greatest ID in use is 4294967290, the system assigns the rule the smallest unused number in the range.
name rule-name: Specifies a globally unique rule name, a case-insensitive string of 1 to 127 characters. The name cannot be default. You must specify a rule name when creating a rule.
Usage guidelines
For the created security policy rule to take effect, use the action command to specify the rule action.
Examples
# Create an IPv4 security policy rule with rule ID 1 and rule name rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1]
Related commands
display security-policy
security-policy
Use security-policy to enter security policy view.
Use undo security-policy to delete all configurations in security policy view.
Syntax
security-policy
undo security-policy
Default
No configurations exist in security policy view.
Views
System view
Predefined user roles
network-admin
Parameters
ip: Specifies the IPv4 security policy.
Usage guidelines
The undo command deletes all security policy configurations and might cause network interruption. Please be cautious.
Examples
# Enter IP security policy view.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy]
Related commands
display security-policy
security-policy log real-time-sending enable
Use security-policy log real-time-sending enable to enable real-time sending for security policy log messages.
Use undo security-policy log real-time-sending enable to disable real-time sending for security policy log messages.
Syntax
security-policy log real-time-sending enable
undo security-policy log real-time-sending enable
Default
The buffering mode is used to generate and send security policy log messages.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The device can send security policy log messages in the following ways:
· Buffering mode—After the device generates and sends the log message for the first packet of a flow, it buffers that log message and starts a 5-second timer, which is not configurable. If other packets of the same flow are received before the timer expires, the buffered log message is sent. Otherwise, the buffered log message is deleted. After the number of log messages reaches the limit, no log messages can be generated for subsequent flows.
· Real-time mode—The device generates and sends a log message for the first packet of a flow but does not buffer it. For packets of a flow permitted by a security policy, the device generates and sends only one log message. For packets of a flow denied by a security policy, the device generates and sends one log message for each packet.
Examples
# Enable real-time sending for security policy log messages.
<Sysname> system-view
[Sysname] security-policy log real-time-sending enable
Related commands
logging enable
service
Use service to specify a service object group as a filtering criterion of a security policy rule.
Use undo service to remove the specified service object group from a security policy rule.
Syntax
service object-group object-group-name
undo service [ object-group [ object-group-name ] ]
Default
No service object group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
object-group object-group-name: Specifies the name of a service object group, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can execute the command multiple times to specify multiple service object groups as the filtering criteria.
If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.
If you specify neither an object group nor the any keyword when executing the undo service command, the command removes all service object groups from the security policy rule.
Examples
# Specify service object groups http and ftp as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] service object-group http
[Sysname-security-policy-1-rule1] service object-group ftp
Related commands
display security-policy
object-group
session aging-time
Use session aging-time to set the session aging time for a security policy rule.
Use undo session aging-time to restore the default.
Syntax
session aging-time time-value
undo session aging-time
Default
The session aging time is not configured for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
time-value: Specifies the aging time in the range of 1 to 2000000 seconds.
Usage guidelines
This command sets the aging time for stable sessions created for packets matching the specified security policy rule, and takes effect only on newly created sessions.
If the aging time is not configured for a rule, the stable sessions use the aging time set by using the session aging-time application or the session aging-time state command. For more information about session management, see Security Configuration Guide.
The session aging time for unstable sessions is one hour.
Examples
# Set the session aging time to 5000 seconds for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] action pass
[Sysname-security-policy-1-rule1] session aging-time 5000
Related commands
session aging-time application
session aging-time state
session persistent acl
session persistent aging-time
Use session persistent aging-time to set the aging time for persistent sessions.
Use undo session persistent aging-time to restore the default.
Syntax
session persistent aging-time time-value
undo session persistent aging-time
Default
The persistent session aging time is not configured for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
time-value: Specifies the aging time in the range of 0 to 24000 hours. If you set the aging time to 0, persistent sessions do not age out.
Usage guidelines
This command is effective only on TCP sessions in ESTABLISHED state.
It sets the aging time for persistent sessions created for packets matching the specified security policy rule, and takes effect only on newly created sessions.
The aging time configured by using this command takes precedence over the aging times configured by using the session aging-time and session persistent acl commands.
Examples
# Set the persistent session aging time to one hour for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] action pass
[Sysname-security-policy-1-rule1] session persistent aging-time 1
Related commands
display security-policy
session persistent acl
source-address
Use source-address to specify a source address as a filtering criterion of a security policy rule.
Use source-address host to specify a source host address as a filtering criterion of a security policy rule.
Use source-address subnet to specify a source IPv4 or IPv6 subnet address as a filtering criterion of a security policy rule.
Use source-address range to specify a source IPv4 address range as a filtering criterion of a security policy rule.
Use source-address object-group-mac to specify a source MAC address as a filtering criterion of a security policy rule.
Use source-address object-group-ip to specify a source IP address object group as a filtering criterion of a security policy rule.
Use source-address object-group-ipv6 to specify a source IPv6 address object group as a filtering criterion of a security policy rule.
Use undo source-address to remove the specified source address from a security policy rule.
Syntax
source-address { host { ip-address | ipv6-address } | subnet { ip-address { mask-length | mask } | ipv6-address prefix-length | ipv6-address / prefix-length } | range { ip-address1 ip-address2 | ipv6-address1 ipv6-address2 } | object-group-ip address-object-group-name | object-group-ipv6 address-object-group-name }
undo source-address [ host [ ip-address | ipv6-address ] | subnet [ ip-address { mask-length | mask } | ipv6-address prefix-length | ipv6-address / prefix-length ] | range [ ip-address1 ip-address2 | ipv6-address1 ipv6-address2 ] | object-group-ip [ address-object-group-name ] | object-group-ipv6 [ address-object-group-name ] ]
Default
No source address is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
ip-address: Specifies a host IPv4 address.
ipv6-address: Specifies a host IPv6 address.
ip-address { mask-length | mask }: Specifies a subnet IPv4 address. The mask-length argument represents the subnet mask length in the range of 0 to 32. The mask argument represents the subnet mask in dotted decimal notation. If the specified mask length is 32 or the mask is 255.255.255.255, the address is treated as a host address.
ipv6-address prefix-length: Specifies a subnet IPv6 address. The prefix-length argument represents the prefix length in the range of 1 to 128. If the prefix-length value is 128, the address is treated as a host address.
ip-address1 ip-address2: Specifies an IPv4 address range. The ip-address1 argument represents the start IPv4 address, and the ip-address2 argument represents the end IPv4 address.
ipv6-address1 ipv6-address2: Specifies an IPv6 address range. The ipv6-address1 argument represents the start IPv6 address and the ipv6-address2 argument represents the end IPv6 address.
object-group-ip: Specifies an IP address object group.
object-group-ipv6: Specifies an IPv6 address object group.
address-object-group-name: Specifies the address object group name, a case-insensitive string of 1 to 63 characters. The group name cannot be any.
Usage guidelines
You can execute this command multiple times to specify multiple source addresses as the filtering criteria.
If the address object group that you specify as a source address filtering criterion does not exist, the command still succeeds and creates an empty address object group with that name. A filtering criterion that references an empty object group does not match any packets.
The total number of source host addresses, source subnet addresses, source address ranges, and source address object groups configured under one rule cannot exceed 1024. If the limit is reached, the command will fail and an error message will be displayed.
When you specify a source address as a filtering criterion, follow these restrictions and guidelines:
· If ip-address1 is the same as ip-address2, the address is treated as a host address.
· If ip-address1 and ip-address2 are the start and end addresses of a subnet, the configuration is treated as a subnet address.
· If ip-address1 is higher than ip-address2, the command automatically adjusts the range to [ ip-address2, ip-address1 ].
· If ipv6-address1 is the same as ipv6-address2, the address is treated as a host address.
· If ipv6-address1 and ipv6-address2 are the start and end addresses of a subnet, the configuration is treated as a subnet address.
· If ipv6-address1 is higher than ipv6-address2, the command automatically adjusts the range to [ ipv6-address2, ipv6-address1 ].
If you do not specify any keywords when executing the undo command, the command deletes all source IP address-type filtering criteria specified for the rule, including source host addresses, source subnet addresses, source address ranges, and source address object groups.
For more information about address object groups, see "Configuring object groups."
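The range normalization, host/subnet collapsing, empty-object-group and per-rule limit behaviour described above, as an added Python model built on the standard ipaddress module; it is not the device's own code, and the object group contents and sample addresses are constructed for illustration.

```python
import ipaddress


def normalize_range(addr1, addr2):
    """Apply the range rules above: swap reversed endpoints, then treat an equal
    pair as a host and an exact start/end of one subnet as a subnet."""
    a, b = ipaddress.ip_address(addr1), ipaddress.ip_address(addr2)
    if a.version != b.version:
        raise ValueError("both endpoints must be the same IP version")
    if a > b:                                   # adjusted to [ip-address2, ip-address1]
        a, b = b, a
    if a == b:
        return "host", a
    nets = list(ipaddress.summarize_address_range(a, b))
    if len(nets) == 1:                          # the pair is exactly one subnet
        return "subnet", nets[0]
    return "range", (a, b)


class SourceAddressCriteria:
    """Source-address criteria of one rule: host, subnet, range and address
    object-group entries, capped at 1024 entries per rule (constructed model)."""

    LIMIT = 1024

    def __init__(self, object_groups=None):
        # name -> list of networks; a group that is referenced but not defined is
        # created empty, and an empty group matches no packet
        self.object_groups = {name: [ipaddress.ip_network(n) for n in nets]
                              for name, nets in (object_groups or {}).items()}
        self.entries = []

    def add(self, kind, *args):
        """Add one criterion; returns the normalized (kind, value) entry."""
        if len(self.entries) >= self.LIMIT:
            raise RuntimeError("limit of 1024 source addresses reached for this rule")
        if kind == "host":
            entry = ("host", ipaddress.ip_address(args[0]))
        elif kind == "subnet":                  # mask length or dotted-decimal mask
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            if net.prefixlen == net.max_prefixlen:      # /32 or /128 is a host
                entry = ("host", net.network_address)
            else:
                entry = ("subnet", net)
        elif kind == "range":
            entry = normalize_range(args[0], args[1])
        elif kind == "object-group":
            name = args[0]
            if name.lower() == "any":
                raise ValueError("the group name cannot be any")
            self.object_groups.setdefault(name, [])
            entry = ("object-group", name)
        else:
            raise ValueError(f"unknown source-address kind {kind}")
        self.entries.append(entry)
        return entry

    def matches(self, src_ip):
        """True if the packet source address matches any criterion of the rule."""
        ip = ipaddress.ip_address(src_ip)
        for kind, value in self.entries:
            if kind == "host" and ip == value:
                return True
            if kind == "subnet" and ip in value:        # False across IP versions
                return True
            if kind == "range":
                lo, hi = value
                if ip.version == lo.version and lo <= ip <= hi:
                    return True
            if kind == "object-group" and any(ip in n for n in self.object_groups[value]):
                return True
        return False
```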
Examples
# Specify host source address 192.167.0.1 as the filtering condition for the security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] source-address host 192.167.0.1
# Specify host source address 192::167:1 as the filtering condition for the security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] source-address host 192::167:1
# Specify IPv4 subnet address 192.167.0.0 with a mask length of 24 as the filtering condition for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] source-address subnet 192.167.0.0 24
# Specify IPv4 subnet address 192.166.0.0 with a mask of 255.255.0.0 as the filtering condition for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] source-address subnet 192.166.0.0 255.255.0.0
# Specify IPv6 subnet address 192:167::0 with a prefix length of 64 as the filtering condition for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] source-address subnet 192:167::0 64
# Specify IPv4 address range of 192.165.0.100 to 192.165.0.200 as the filtering condition for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] source-address range 192.165.0.100 192.165.0.200
# Specify IPv6 address range of 192::165:100 to 192::165:200 as the filtering condition for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] source-address range 192::165:100 192::165:200
# Specify source address objects address1 and address2 as the filtering condition for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] source-address object-group-ip address1
[Sysname-security-policy-1-rule1] source-address object-group-ipv6 address2
Related commands
display security-policy
object-group
source-zone
Use source-zone to specify a source security zone as a filtering criterion of a security policy rule.
Use undo source-zone to remove the specified source security zone from a security policy rule.
Syntax
source-zone source-zone-name
undo source-zone [ source-zone-name ]
Default
No source security zone is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
source-zone-name: Specifies the name of a source security zone, a case-insensitive string of 1 to 31 characters. If you do not specify this argument when executing the undo source-zone command, the command removes all source security zones from the rule. For more information about security zones, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple source security zones as the filtering criteria.
Examples
# Specify source security zones trust and dmz as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] source-zone trust
[Sysname-security-policy-1-rule1] source-zone dmz
Related commands
display security-policy
security-zone
time-range
Use time-range to specify the time range during which a security policy rule is in effect.
Use undo time-range to restore the default.
Syntax
time-range time-range-name
undo time-range
Default
A security policy rule is in effect at any time.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
time-range-name: Specifies the name of a time range, a case-insensitive string of 1 to 63 characters. For more information about time ranges, see ACL and QoS Configuration Guide.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable security policy rule rule1 to be in effect during time range work.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] time-range work
Related commands
display security-policy
time-range (ACL and QoS Command Reference)
track
Use track to associate a security policy rule with a track entry.
Use undo track to disassociate a security policy rule from the track entry.
Syntax
track { negative | positive } track-entry-number
undo track
Default
No track entry is associated with a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
negative: Specifies the Negative state of a track entry.
positive: Specifies the Positive state of a track entry.
track-entry-number: Specifies the number of a track entry, in the range of 1 to 1024. For more information about Track, see High Availability Configuration Guide.
Usage guidelines
Use this command to enable the collaboration between the track module and a security policy rule. The collaboration operates as follows:
· If a rule is associated with the Negative state of a track entry, the device sets the rule state to Active when the track entry is in Negative state and to Inactive when the track entry is in Positive state.
· If a rule is associated with the Positive state of a track entry, the device sets the rule state to Active when the track entry is in Positive state and to Inactive when the track entry is in Negative state.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Associate security policy rule rule1 with the Positive state of track entry 10.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] track positive 10
Related commands
display security-policy
track bfd (High Availability Command Reference)
track interface (High Availability Command Reference)
track ip route reachability (High Availability Command Reference)
track nqa (High Availability Command Reference)
user
Use user to specify a user or user group as a filtering criterion of a security policy rule.
Use undo user to remove the specified user or user group filtering criterion from a security policy rule.
Syntax
user { name username | group user-group-name } [ domain domain-name ]
undo user [ name [ username [ domain domain-name ] ] | group [ user-group-name [ domain domain-name ] ] ]
Default
No user is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
Parameters
name username: Specifies a username, a case-sensitive string of 1 to 55 characters. The name cannot be a, al, or all and cannot contain at signs (@). If you do not specify this argument when executing the undo command, the command removes all users from the rule.
group user-group-name: Specifies the name of a user group, a case-insensitive string of 1 to 200 characters. If you do not specify this argument when executing the undo command, the command removes all user groups from the rule.
domain domain-name: Matches the user in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The string cannot contain forward slashes (/), backslashes (\), vertical bars (|), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@). If you do not specify this option, the command matches the user among users that do not belong to any identity domain.
Usage guidelines
You can execute the command multiple times to specify multiple users as the filtering criteria.
Examples
# Specify users usera and userb in identity domain test as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy
[Sysname-security-policy] rule 1 name rule1
[Sysname-security-policy-1-rule1] user name usera domain test
[Sysname-security-policy-1-rule1] user name userb domain test
Related commands
display security-policy