Data filtering commands
The following compatibility matrix shows the support of hardware platforms for data filtering:
Hardware platform | Module type | Data filtering compatibility |
---|---|---|
M9006 M9010 M9014 | Blade IV firewall module | Yes |
M9006 M9010 M9014 | Blade V firewall module | Yes |
M9006 M9010 M9014 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S M9012-S | Blade IV firewall module | Yes |
M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S M9012-S | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
action
Use action to specify actions for a data filtering rule.
Use undo action to remove the action setting from a data filtering rule.
Syntax
action { drop | permit } [ logging ]
undo action
Default
The default action of a data filtering rule is drop.
Views
Data filtering rule view
Predefined user roles
network-admin
context-admin
Parameters
drop: Drops the matching packets.
permit: Permits the matching packets to pass.
logging: Logs the matching packets.
Usage guidelines
If a packet matches multiple data filtering rules, the device determines the actions as follows:
· If the matching rules have both the permit and drop actions, the device takes the drop action.
· If the logging action is specified for any of the matching rules, the device logs the packet.
Examples
# Create data filtering policy def.
<Sysname> system-view
[Sysname] data-filter policy def
# Specify action permit for data filtering rule r1 in the policy.
[Sysname-data-filter-policy-def] rule r1
[Sysname-data-filter-policy-def-rule-r1] action permit
application
Use application to specify application layer protocols for a data filtering rule.
Use undo application to remove application layer protocols from a data filtering rule.
Syntax
application { all | type { ftp | http | imap | nfs | pop3 | rtmp | smb | smtp } * }
undo application { all | type { ftp | http | imap | nfs | pop3 | rtmp | smb | smtp } * }
Default
No application layer protocols are specified for a data filtering rule.
Views
Data filtering rule view
Predefined user roles
network-admin
context-admin
Parameters
all: Specifies all application layer protocols.
type: Specifies specific types of application layer protocols.
ftp: Specifies the FTP protocol.
http: Specifies the HTTP protocol.
imap: Specifies the IMAP protocol.
nfs: Specifies the NFS protocol. Only NFSv3 is supported.
pop3: Specifies the POP3 protocol.
rtmp: Specifies the RTMP protocol.
smb: Specifies the SMB protocol. Only SMBv1 and SMBv2 are supported.
smtp: Specifies the SMTP protocol.
Usage guidelines
Use this command to specify the application layer protocols to which a data filtering rule applies.
Examples
# Create data filtering policy def.
<Sysname> system-view
[Sysname] data-filter policy def
# Specify the HTTP protocol for data filtering rule r1 in the policy.
[Sysname-data-filter-policy-def] rule r1
[Sysname-data-filter-policy-def-rule-r1] application type http
data-filter apply policy
Use data-filter apply policy to apply a data filtering policy to a DPI application profile.
Use undo data-filter apply policy to remove the data filtering policy from a DPI application profile.
Syntax
data-filter apply policy policy-name
undo data-filter apply policy
Default
No data filtering policy is applied to a DPI application profile.
Views
DPI application profile view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies a data filtering policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A data filtering policy takes effect only after it is applied to a DPI application profile.
You can apply only one data filtering policy to a DPI application profile. If you execute this command for a DPI application profile multiple times, the most recent configuration takes effect.
Examples
# Apply data filtering policy def to DPI application profile abc.
<Sysname> system-view
[Sysname] app-profile abc
[Sysname-app-profile-abc] data-filter apply policy def
Related commands
app-profile
data-filter policy
data-filter keyword-group
Use data-filter keyword-group to create a keyword group and enter its view, or enter the view of an existing keyword group.
Use undo data-filter keyword-group to delete a keyword group.
Syntax
data-filter keyword-group keywordgroup-name
undo data-filter keyword-group keywordgroup-name
Default
No keyword groups exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
keywordgroup-name: Assigns a name to the keyword group, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A keyword group is a group of keyword match patterns. A packet matches a keyword group if it matches a pattern in the group.
Examples
# Create a keyword group named kg1 and enter its view.
<Sysname> system-view
[Sysname] data-filter keyword-group kg1
[Sysname-data-filter-keygroup-kg1]
data-filter policy
Use data-filter policy to create a data filtering policy and enter its view, or enter the view of an existing data filtering policy.
Use undo data-filter policy to delete a data filtering policy.
Syntax
data-filter policy policy-name
undo data-filter policy policy-name
Default
No data filtering policies exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Assigns a name to the data filtering policy, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A data filtering policy can contain a maximum of 32 data filtering rules.
Examples
# Create data filtering policy def and enter its view.
<Sysname> system-view
[Sysname] data-filter policy def
[Sysname-data-filter-policy-def]
Related commands
data-filter apply policy
description (data filtering policy view)
Use description to configure a description for a data filtering policy.
Use undo description to restore the default.
Syntax
description string
undo description
Default
A data filtering policy does not have a description.
Views
Data filtering policy view
Predefined user roles
network-admin
context-admin
Parameters
string: Specifies a description, a case-sensitive string of 1 to 255 characters.
Usage guidelines
Use this command to configure descriptions for data filtering policies for easy maintenance.
Examples
# Configure the description as The data filter for data filtering policy def.
<Sysname> system-view
[Sysname] data-filter policy def
[Sysname-data-filter-policy-def] description The data filter
description (keyword group view)
Use description to configure a description for a keyword group.
Use undo description to restore the default.
Syntax
description string
undo description
Default
A keyword group does not have a description.
Views
Keyword group view
Predefined user roles
network-admin
context-admin
Parameters
string: Specifies a description, a case-sensitive string of 1 to 255 characters.
Usage guidelines
Use this command to configure descriptions for keyword groups for easy maintenance.
Examples
# Configure the description as The data filter keyword group for keyword group kg1.
<Sysname> system-view
[Sysname] data-filter keyword-group kg1
[Sysname-data-filter-kgroup-kg1] description The data filter keyword group
direction
Use direction to specify the traffic direction for a data filtering rule.
Use undo direction to restore the default.
Syntax
direction { both | download | upload }
undo direction
Default
A data filtering rule applies to upload traffic.
Views
Data filtering rule view
Predefined user roles
network-admin
context-admin
Parameters
both: Specifies both the upload and download traffic directions.
download: Specifies the download traffic direction.
upload: Specifies the upload traffic direction.
Usage guidelines
Use this command to specify the traffic direction to which a data filtering rule applies.
Examples
# Create data filtering policy def.
<Sysname> system-view
[Sysname] data-filter policy def
# Specify the download traffic direction for data filtering rule r1 in the policy.
[Sysname-data-filter-policy-def] rule r1
[Sysname-data-filter-policy-def-rule-r1] direction download
keyword-group
Use keyword-group to specify a keyword group for a data filtering rule.
Use undo keyword-group to restore the default.
Syntax
keyword-group keygroup-name
undo keyword-group
Default
A data filtering rule does not have a keyword group.
Views
Data filtering rule view
Predefined user roles
network-admin
context-admin
Parameters
keygroup-name: Specifies a keyword group by its name, a case-insensitive string of 1 to 31 characters. The specified keyword group must exist on the device.
Usage guidelines
A data filtering rule uses the keyword group to filter packets based on the application layer data.
You can specify only one keyword group for a data filtering rule. If you execute this command for a data filtering rule multiple times, the most recent configuration takes effect.
Examples
# Create data filtering policy def.
<Sysname> system-view
[Sysname] data-filter policy def
# Specify keyword group kg1 for data filtering rule r1 in the policy.
[Sysname-data-filter-policy-def] rule r1
[Sysname-data-filter-policy-def-rule-r1] keyword-group kg1
Related commands
data-filter keyword-group
pattern
Use pattern to configure a pattern for keyword matching.
Use undo pattern to delete a pattern.
Syntax
pattern pattern-name { regex | text } pattern-string
undo pattern pattern-name
Default
A keyword group does not contain any keyword match patterns.
Views
Keyword group view
Predefined user roles
network-admin
context-admin
Parameters
pattern-name: Assigns a name to the match pattern, a case-insensitive string of 1 to 31 characters.
regex pattern-string: Specifies a regular expression, a case-sensitive string of 3 to 245 characters. All printable characters are supported. The regular expression must include a minimum of three consecutive non-wildcard characters.
text pattern-string: Specifies a case-sensitive string of 3 to 245 characters for exact match. All printable characters are supported.
Usage guidelines
A pattern for keyword matching can be a regular expression or a text string.
A keyword group can contain a maximum of 32 keyword match patterns. A packet matches a keyword group if it matches a pattern in the group.
When you configure a regular expression pattern for keyword matching, follow these restrictions and guidelines:
· The regular expression pattern can contain a maximum of four branches. For example, 'abc(c|d|e|\x3D)' is valid, and 'abc(c|onreset|onselect|onchange|style\x3D)' is invalid.
· Nested braces are not allowed. For example, 'ab((abcs*?))' is invalid.
· A branch cannot be specified after another branch. For example, 'ab(a|b)(c|d)^\\r\\n]+?' is invalid.
· A minimum of four non-wildcard characters must exist before an asterisk (*) or question mark (?). For example, 'abc*' is invalid and 'abcd*DoS\x2d\d{5}\x20\x2bxi\\r\\nJOIN' is valid.
Examples
# In keyword group kg1, configure a keyword match pattern with regular expression (?i)^.*abc.*.
<Sysname> system-view
[Sysname] data-filter keyword-group kg1
[Sysname-data-filter-kgroup-kg1] pattern 1 regex (?i)^.*abc.*
pre-defined-pattern
Use pre-defined-pattern to enable a predefined pattern in a keyword group.
Use undo pre-defined-pattern to disable a predefined pattern in a keyword group.
Syntax
pre-defined-pattern name { bank-card-number | credit-card-number | id-card-number | phone-number }
undo pre-defined-pattern name { bank-card-number | credit-card-number | id-card-number | phone-number }
Default
No predefined patterns are enabled in a keyword group.
Views
Keyword group view
Predefined user roles
network-admin
context-admin
Parameters
name: Specifies a predefined pattern by its name.
bank-card-number: Specifies the bank card number pattern.
credit-card-number: Specifies the credit card number pattern.
id-card-number: Specifies the ID card number pattern.
phone-number: Specifies the phone number pattern.
Usage guidelines
To match packets that contain phone numbers, bank card numbers, credit card numbers, or ID card numbers in a keyword group, enable the corresponding predefined pattern in the keyword group.
You can execute this command multiple times in a keyword group to enable multiple predefined patterns.
Examples
# Enable the phone number predefined pattern in keyword group kg1 to match packets that contain phone numbers.
<Sysname> system-view
[Sysname] data-filter keyword-group kg1
[Sysname-data-filter-kgroup-kg1] pre-defined-pattern name phone-number
rule
Use rule to create a data filtering rule and enter its view, or enter the view of an existing data filtering rule.
Use undo rule to delete a data filtering rule.
Syntax
rule rule-name
undo rule rule-name
Default
No data filtering rules exist.
Views
Data filtering policy view
Predefined user roles
network-admin
context-admin
Parameters
rule-name: Assigns a name to the data filtering rule, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A data filtering rule contains a set of filtering criteria and the actions for matching packets. The filtering criteria include keyword group, traffic direction, and application layer protocol. The actions include drop, permit, and logging. A packet must match all the filtering criteria for the actions specified for the rule to apply.
Examples
# In data filtering policy def, create a data filtering rule named r1 and enter its view.
<Sysname> system-view
[Sysname] data-filter policy def
[Sysname-data-filter-policy-def] rule r1
[Sysname-data-filter-policy-def-rule-r1]
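The usage guidelines for action (drop takes precedence over permit, logging applies if any matching rule logs) and for rule (a packet must match keyword group, direction, and application layer protocol together) describe an evaluation order that is easy to get wrong when several rules overlap. The following Python model, added here and not part of the H3C reference, walks that evaluation over a constructed policy; rule names, group names, and payloads are illustrative, and the regex pattern is the one from the pattern command example.

```python
# Added example (not H3C's code): a model of the evaluation rules this
# reference states. Rule, group and pattern names are constructed.
import re
from dataclasses import dataclass

@dataclass
class KeywordGroup:
    # Each entry is (pattern-name, "regex" or "text", pattern-string).
    patterns: list

    def matches(self, payload: str) -> bool:
        # A packet matches the group if it matches any one pattern in it.
        for _name, kind, pat in self.patterns:
            if kind == "text" and pat in payload:  # literal, case-sensitive
                return True
            if kind == "regex" and re.search(pat, payload):
                return True
        return False

@dataclass
class Rule:
    name: str
    keyword_group: KeywordGroup
    applications: set          # e.g. {"http", "smtp"}; {"all"} = every protocol
    direction: str = "upload"  # default stated by the reference
    action: str = "drop"       # default stated by the reference
    logging: bool = False

    def matches(self, app: str, direction: str, payload: str) -> bool:
        # All criteria (protocol, direction, keyword group) must match.
        app_ok = "all" in self.applications or app in self.applications
        dir_ok = self.direction in ("both", direction)
        return app_ok and dir_ok and self.keyword_group.matches(payload)

def evaluate(rules, app, direction, payload):
    """Resolve (action, logging) over all matching rules, or None if none match.
    Drop beats permit; the packet is logged if any matching rule has logging."""
    matched = [r for r in rules if r.matches(app, direction, payload)]
    if not matched:
        return None  # not defined by the reference, so reported explicitly
    action = "drop" if any(r.action == "drop" for r in matched) else "permit"
    return action, any(r.logging for r in matched)

# Constructed sample policy "def": kg1 reuses the page's regex example.
kg1 = KeywordGroup([("1", "regex", r"(?i)^.*abc.*")])
kg2 = KeywordGroup([("1", "text", "secret")])
r1 = Rule("r1", kg1, {"http"}, direction="download", action="permit")
r2 = Rule("r2", kg2, {"all"}, direction="both", logging=True)  # action: drop
POLICY_DEF = [r1, r2]
```

An HTTP download containing only "abc" is permitted without logging because only r1 matches, while a payload that also contains "secret" matches r2 as well and is dropped and logged, since drop overrides permit across matching rules.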