File filtering commands
The following compatibility matrix shows the support of hardware platforms for file filtering:
Hardware platform | Module type | File filtering compatibility |
---|---|---|
M9006, M9010, M9014 | Blade IV firewall module | Yes |
M9006, M9010, M9014 | Blade V firewall module | Yes |
M9006, M9010, M9014 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S, M9012-S | Blade IV firewall module | Yes |
M9008-S, M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S, M9012-S | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4, M9000-AI-E8, M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06, M9000-X06-B, M9000-X06-B-G, M9000-X06-G, M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06, M9000-AI-X10 | Blade VI firewall module | Yes |
action
Use action to specify actions for a file filtering rule.
Use undo action to remove the action setting from a file filtering rule.
Syntax
action { drop | permit } [ logging ]
undo action
Default
The default action of a file filtering rule is drop.
Views
File filtering rule view
Predefined user roles
network-admin
context-admin
Parameters
drop: Drops the matching packets.
permit: Permits the matching packets to pass.
logging: Logs the matching packets.
Usage guidelines
If a packet matches only one file filtering rule, the device takes the actions specified for the rule.
If a packet matches multiple file filtering rules, the device determines the actions as follows:
· If the matching rules have both the permit and drop actions, the device takes the drop action.
· If the logging action is specified for any of the matching rules, the device logs the packet.
Examples
# Create file filtering policy def.
<Sysname> system-view
[Sysname] file-filter policy def
# Specify action permit for file filtering rule ch1 in the policy.
[Sysname-file-filter-policy-def] rule ch1
[Sysname-file-filter-policy-def-rule-ch1] action permit
application
Use application to specify application layer protocols for a file filtering rule.
Use undo application to remove application layer protocols from a file filtering rule.
Syntax
application { all | type { ftp | http | imap | nfs | pop3 | rtmp | smb | smtp } * }
undo application { all | type { ftp | http | imap | nfs | pop3 | rtmp | smb | smtp } * }
Default
No application layer protocols are specified for a file filtering rule.
Views
File filtering rule view
Predefined user roles
network-admin
context-admin
Parameters
all: Specifies all application layer protocols.
type: Specifies specific types of application layer protocols.
ftp: Specifies the FTP protocol.
http: Specifies the HTTP protocol.
imap: Specifies the IMAP protocol.
nfs: Specifies the NFS protocol. Only NFSv3 is supported.
pop3: Specifies the POP3 protocol.
rtmp: Specifies the RTMP protocol.
smb: Specifies the SMB protocol. Only SMBv1 and SMBv2 are supported.
smtp: Specifies the SMTP protocol.
Usage guidelines
Use this command to specify the application layer protocols to which a file filtering rule applies.
Examples
# Create file filtering policy def.
<Sysname> system-view
[Sysname] file-filter policy def
# Specify the HTTP protocol for file filtering rule ch1 in the policy.
[Sysname-file-filter-policy-def] rule ch1
[Sysname-file-filter-policy-def-rule-ch1] application type http
description (file filtering policy view)
Use description to configure a description for a file filtering policy.
Use undo description to restore the default.
Syntax
description string
undo description
Default
A file filtering policy does not have a description.
Views
File filtering policy view
Predefined user roles
network-admin
context-admin
Parameters
string: Specifies a description, a case-sensitive string of 1 to 255 characters.
Usage guidelines
Use this command to configure descriptions for file filtering policies for easy maintenance.
Examples
# Configure the description as The file filter for file filtering policy def.
<Sysname> system-view
[Sysname] file-filter policy def
[Sysname-file-filter-policy-def] description The file filter
Related commands
file-filter policy
description (file type group view)
Use description to configure a description for a file type group.
Use undo description to restore the default.
Syntax
description string
undo description
Default
A file type group does not have a description.
Views
File type group view
Predefined user roles
network-admin
context-admin
Parameters
string: Specifies a description, a case-sensitive string of 1 to 255 characters.
Usage guidelines
Use this command to configure descriptions for file type groups for easy maintenance.
Examples
# Configure the description as def for file type group abc.
<Sysname> system-view
[Sysname] file-filter filetype-group abc
[Sysname-file-filter-fgroup-abc] description def
Related commands
file-filter filetype-group
direction
Use direction to specify the traffic direction for a file filtering rule.
Use undo direction to restore the default.
Syntax
direction { both | download | upload }
undo direction
Default
A file filtering rule applies to upload traffic.
Views
File filtering rule view
Predefined user roles
network-admin
context-admin
Parameters
both: Specifies both the upload and download traffic directions.
download: Specifies the download traffic direction.
upload: Specifies the upload traffic direction.
Usage guidelines
Use this command to specify the traffic direction to which a file filtering rule applies.
For FTP and SMTP, the upload and download directions refer to the upload and download directions of the FTP or SMTP session.
For HTTP, the upload direction refers to HTTP POST requests, and the download direction refers to HTTP GET requests.
Examples
# Create file filtering policy def.
<Sysname> system-view
[Sysname] file-filter policy def
# Specify the download traffic direction for file filtering rule ch1 in the policy.
[Sysname-file-filter-policy-def] rule ch1
[Sysname-file-filter-policy-def-rule-ch1] direction download
file-filter apply policy
Use file-filter apply policy to apply a file filtering policy to a DPI application profile.
Use undo file-filter apply policy to remove the file filtering policy from a DPI application profile.
Syntax
file-filter apply policy policy-name
undo file-filter apply policy
Default
No file filtering policy is applied to a DPI application profile.
Views
DPI application profile view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies a file filtering policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A file filtering policy takes effect only after it is applied to a DPI application profile.
You can apply only one file filtering policy to a DPI application profile. If you execute this command for a DPI application profile multiple times, the most recent configuration takes effect.
Examples
# Apply file filtering policy def to DPI application profile abc.
<Sysname> system-view
[Sysname] app-profile abc
[Sysname-app-profile-abc] file-filter apply policy def
Related commands
app-profile
file-filter policy
file-filter false-extension action
Use file-filter false-extension action to set the action for packets with files carrying false extensions.
Use undo file-filter false-extension action to restore the default.
Syntax
file-filter false-extension action { drop | permit }
undo file-filter false-extension action
Default
The default action is permit, which enables the device to determine the packet processing action based on the real file extension.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
drop: Drops the packet.
permit: Permits the packet to pass so the action for the packet can be determined based on the real file extension.
Usage guidelines
A packet might contain files that carry false extensions. For example, a file that carries the .exe file extension might actually be a .txt file.
Use this command to specify the action for packets with files carrying false extensions. To perform file filtering inspection based on the real file extension, set the action to permit. To discard such packets directly, set the action to drop.
Examples
# Set the action to drop for packets with files carrying false extensions.
<Sysname> system-view
[Sysname] file-filter false-extension action drop
file-filter filetype-group
Use file-filter filetype-group to create a file type group and enter its view, or enter the view of an existing file type group.
Use undo file-filter filetype-group to delete a file type group.
Syntax
file-filter filetype-group group-name
undo file-filter filetype-group group-name
Default
No file type groups exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
group-name: Assigns a name to the file type group, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A file type group is a group of file type match patterns. A file matches a file type group if it matches a pattern in the group.
Examples
# Create a file type group named fg1 and enter its view.
<Sysname> system-view
[Sysname] file-filter filetype-group fg1
[Sysname-file-filter-fgroup-fg1]
file-filter policy
Use file-filter policy to create a file filtering policy and enter its view, or enter the view of an existing file filtering policy.
Use undo file-filter policy to delete a file filtering policy.
Syntax
file-filter policy policy-name
undo file-filter policy policy-name
Default
No file filtering policies exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Assigns a name to the file filtering policy, a case-sensitive string of 1 to 31 characters.
Usage guidelines
A file filtering policy can contain a maximum of 32 file filtering rules.
Examples
# Create file filtering policy def and enter its view.
<Sysname> system-view
[Sysname] file-filter policy def
[Sysname-file-filter-policy-def]
Related commands
file-filter apply policy
filetype-group
Use filetype-group to apply a file type group to a file filtering rule.
Use undo filetype-group to restore the default.
Syntax
filetype-group group-name
undo filetype-group
Default
A file filtering rule does not have a file type group.
Views
File filtering rule view
Predefined user roles
network-admin
context-admin
Parameters
group-name: Specifies a file type group by its name, a case-sensitive string of 1 to 31 characters. The specified file type group must exist on the device.
Usage guidelines
A file filtering rule uses the file type group to filter files based on the file extension.
You can specify only one file type group for a file filtering rule. If you execute this command for a file filtering rule multiple times, the most recent configuration takes effect.
Examples
# Create file filtering policy def.
<Sysname> system-view
[Sysname] file-filter policy def
# Specify file type group fg1 for file filtering rule ch1 in the policy.
[Sysname-file-filter-policy-def] rule ch1
[Sysname-file-filter-policy-def-rule-ch1] filetype-group fg1
Related commands
file-filter filetype-group
pattern
Use pattern to configure a pattern for file type matching.
Use undo pattern to delete a pattern.
Syntax
pattern pattern-name text pattern-string
undo pattern pattern-name
Default
A file type group does not contain any file type match patterns.
Views
File type group view
Predefined user roles
network-admin
context-admin
Parameters
pattern-name: Assigns a name to the match pattern, a case-insensitive string of 1 to 31 characters.
text pattern-string: Specifies a file extension, a case-insensitive string of 1 to 8 characters.
Usage guidelines
File filtering uses file type match patterns to identify files based on the file extension.
A file type group can contain a maximum of 32 file type match patterns. A file matches a file type group if it matches a pattern in the group.
Examples
# In file type group fg1, configure a file type match pattern to match files that use the doc extension.
<Sysname> system-view
[Sysname] file-filter filetype-group fg1
[Sysname-file-filter-fgroup-fg1] pattern 1 text doc
rule
Use rule to create a file filtering rule and enter its view, or enter the view of an existing file filtering rule.
Use undo rule to delete a file filtering rule.
Syntax
rule rule-name
undo rule rule-name
Default
No file filtering rules exist.
Views
File filtering policy view
Predefined user roles
network-admin
context-admin
Parameters
rule-name: Assigns a name to the file filtering rule, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A file filtering rule contains a set of filtering criteria and the actions for matching files. The filtering criteria include file type group, traffic direction, and application layer protocol. The actions include drop, permit, and logging.
A file must match all the filtering criteria for the actions specified for the rule to apply.
A file filtering policy can contain a maximum of 32 filtering rules.
Examples
# In file filtering policy def, create a file filtering rule named ch1 and enter its view.
<Sysname> system-view
[Sysname] file-filter policy def
[Sysname-file-filter-policy-def] rule ch1
[Sysname-file-filter-policy-def-rule-ch1]
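
The following Python model is an added example, not vendor code or device output. It works through the matching semantics stated in the usage guidelines for rule, action, and file-filter false-extension action: all criteria must match, drop wins over permit, and logging applies if any matching rule requests it. The real extension is passed in as an input, and the "no-match" result and the unlogged false-extension drop are assumptions, because the page does not describe those cases.

```python
from dataclasses import dataclass

ALL_APPS = frozenset({"ftp", "http", "imap", "nfs", "pop3", "rtmp", "smb", "smtp"})

@dataclass(frozen=True)
class Rule:
    name: str
    extensions: frozenset        # patterns of the rule's file type group
    applications: frozenset      # "application all" is modelled as ALL_APPS
    direction: str = "upload"    # default per the direction command
    action: str = "drop"         # default per the action command
    logging: bool = False

def matches(rule, ext, app, direction):
    # A file must match all criteria: file type group, protocol, direction.
    return (ext.lower() in rule.extensions      # patterns are case-insensitive
            and app in rule.applications
            and rule.direction in ("both", direction))

def evaluate(rules, claimed_ext, real_ext, app, direction, false_ext_action="permit"):
    """Return (action, logged, names of matching rules)."""
    if claimed_ext.lower() != real_ext.lower() and false_ext_action == "drop":
        # Dropped outright; whether this is logged is not stated on the page.
        return ("drop", False, [])
    # With "permit", matching continues on the real extension.
    hits = [r for r in rules if matches(r, real_ext, app, direction)]
    if not hits:
        return ("no-match", False, [])   # assumption: left to other policy
    action = "drop" if any(r.action == "drop" for r in hits) else "permit"
    return (action, any(r.logging for r in hits), [r.name for r in hits])

# Constructed sample rules (names follow the page's ch1 style).
SAMPLE_RULES = [
    Rule("ch1", frozenset({"exe", "dll"}), frozenset({"http"}), "download", "drop"),
    Rule("ch2", frozenset({"exe"}), ALL_APPS, "both", "permit", logging=True),
]

if __name__ == "__main__":
    for case in [("exe", "exe", "http", "download"), ("exe", "exe", "ftp", "upload"),
                 ("txt", "exe", "http", "download")]:
        print(case, evaluate(SAMPLE_RULES, *case))
    print(evaluate(SAMPLE_RULES, "txt", "exe", "http", "download", "drop"))
```

The first case shows a permit-with-logging rule overlapping a drop rule: the file is dropped and still logged, which is worth checking before relying on a broad permit rule for audit purposes.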