04-DPI Command Reference: 09-Proxy policy commands
Proxy policy commands
The following compatibility matrix shows the support of hardware platforms for the proxy policy:

Hardware platform | Module type | Proxy policy compatibility
---|---|---
M9006 M9010 M9014 | Blade IV firewall module | Yes
M9006 M9010 M9014 | Blade V firewall module | Yes
M9006 M9010 M9014 | NAT module | No
M9010-GM | Encryption module | Yes
M9016-V | Blade V firewall module | Yes
M9008-S M9012-S | Blade IV firewall module | Yes
M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes
M9008-S M9012-S | Video network gateway module | Yes
M9008-S-V | Blade IV firewall module | Yes
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes
M9000-AK001 | Blade V firewall module | Yes
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes
action
Use action to set the action for traffic matching a proxy policy rule.
Use undo action to restore the default.
Syntax
action { no-proxy | ssl-decrypt | tcp-proxy }
undo action
Default
The no-proxy action is used.
Views
Proxy policy rule view
Predefined user roles
network-admin
context-admin
Parameters
no-proxy: Specifies the no-proxy action.
ssl-decrypt: Specifies the SSL decryption action.
tcp-proxy: Specifies the TCP proxy action.
Usage guidelines
The device supports the following actions for traffic matching a proxy policy rule:
· No-proxy—The device directly transmits the traffic without TCP or SSL proxy.
· SSL-decryption—The device acts as an SSL proxy to decrypt the SSL traffic and performs deep packet inspection and Layer 7 load balancing on the decrypted traffic. SSL decryption is implemented based on TCP proxy.
· TCP-proxy—The device acts as a TCP proxy and provides TCP-layer isolation between the TCP client and TCP server to effectively intercept malicious connections and attacks.
If you execute this command for a proxy policy rule multiple times, the most recent configuration takes effect.
Examples
# Specify the ssl-decrypt action for proxy policy rule rule1.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] rule 1 name rule1
[Sysname-app-proxy-policy-0-rule1] action ssl-decrypt
Related commands
display app-proxy-policy
rule
app-proxy internal-server-certificate delete
Use app-proxy internal-server-certificate delete to delete an internal server certificate.
Syntax
app-proxy internal-server-certificate delete md5 md5-value
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
md5 md5-value: Specifies the MD5 value of an internal server certificate.
Usage guidelines
When an internal server certificate expires or an internal server does not need to be protected, you can execute this command to delete the imported internal server certificate.
You can execute the display app-proxy imported internal-server-certificate command to view the MD5 values of the internal server certificates.
Examples
# Delete the internal server certificate with the MD5 value c4f5f2c41ca1de4258d893c9887bf287.
<Sysname> system-view
[Sysname] app-proxy internal-server-certificate delete md5 c4f5f2c41ca1de4258d893c9887bf287
Related commands
display app-proxy imported internal-server-certificate
app-proxy internal-server-certificate import
Use app-proxy internal-server-certificate import to import an internal server certificate.
Syntax
app-proxy internal-server-certificate import { p12 | pem } filename filename
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
p12: Specifies the PKCS#12 certificate file format.
pem: Specifies the PEM certificate file format.
filename filename: Specifies the certificate file name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Internal server certificates are required in the internal server protection scenario. When you import an internal server certificate, the device decrypts the imported file and extracts a CER file and a key file. The CER file identifies the server, and the key file is the server's private key, which the device uses to perform the server side of the SSL handshake with clients in the subsequent SSL proxy process. The device calculates the MD5 value of the CER file and uses that value as the unique identifier of the certificate.
The SSL proxy process is as follows:
1. The device receives the certificate presented by the internal server and calculates the MD5 value of that certificate.
2. The device compares the calculated MD5 value with the MD5 values of the imported internal server certificates:
¡ If a match is found, the certificate is trusted and the device uses the certificate (together with its imported key) to establish the SSL connection with the client.
¡ If no match is found, the certificate is untrusted.
You can import multiple internal server certificates. If two certificates have the same MD5 value, the new certificate will overwrite the old certificate.
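The fingerprint bookkeeping described above, as an added example that is not H3C code: it lets you compute offline the MD5 value that display app-proxy imported internal-server-certificate will list for a certificate you are about to import, and it reproduces the import, overwrite-on-same-MD5, matching and delete behaviour. It assumes (the page does not say) that the CER file the device hashes is the DER encoding of the certificate; the two sample "certificates" are constructed byte strings rather than real X.509 data, so the code only relies on the PEM framing.

```python
"""Added example (not H3C code): MD5-fingerprint bookkeeping for internal server
certificates as described on this page.

Assumption (not stated on the page): the "CER file" the device hashes is the DER
encoding of the certificate, so the identifier is MD5 over the DER bytes. The
sample "certificates" are constructed byte strings, not real X.509 data.
"""
import base64
import hashlib
import textwrap

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    try:
        start = lines.index(PEM_BEGIN) + 1
        end = lines.index(PEM_END, start)
    except ValueError as exc:
        raise ValueError("no PEM CERTIFICATE block found") from exc
    return base64.b64decode("".join(lines[start:end]), validate=True)


def der_to_pem(der):
    """Wrap DER bytes in PEM framing (used only to build the sample input)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"


def fingerprint_md5(der):
    """The device's identifier for an imported certificate: hex MD5 of the CER file."""
    return hashlib.md5(der).hexdigest()


class InternalServerCertStore:
    """Model of the device's table of imported internal server certificates."""

    def __init__(self):
        self._certs = {}  # md5 hex -> DER bytes

    def import_pem(self, pem_text):
        """app-proxy internal-server-certificate import pem: a re-import with the
        same MD5 overwrites the old entry instead of adding a second one."""
        der = pem_to_der(pem_text)
        md5 = fingerprint_md5(der)
        self._certs[md5] = der
        return md5

    def delete(self, md5):
        """app-proxy internal-server-certificate delete md5 <value>."""
        return self._certs.pop(md5, None) is not None

    def imported_md5s(self):
        """What display app-proxy imported internal-server-certificate lists."""
        return sorted(self._certs)

    def classify_presented(self, presented_der):
        """Step 2 of the page's SSL proxy process: hash the certificate the
        internal server presents and compare it with the imported values."""
        return "trusted" if fingerprint_md5(presented_der) in self._certs else "untrusted"


# Constructed sample input: arbitrary bytes standing in for DER certificates.
SAMPLE_SERVER_DER = b"\x30\x82\x01\x00" + b"constructed-internal-server-cert" * 4
SAMPLE_OTHER_DER = b"\x30\x82\x01\x00" + b"constructed-unrelated-server-cert" * 4
SAMPLE_SERVER_PEM = der_to_pem(SAMPLE_SERVER_DER)


def demo():
    """Walk through import, duplicate import, matching and deletion."""
    store = InternalServerCertStore()
    md5_first = store.import_pem(SAMPLE_SERVER_PEM)
    md5_again = store.import_pem(SAMPLE_SERVER_PEM)  # same MD5: overwrite, no second entry
    return {
        "md5": md5_first,
        "single_entry_after_reimport": md5_first == md5_again and len(store.imported_md5s()) == 1,
        "known_server": store.classify_presented(SAMPLE_SERVER_DER),
        "unknown_server": store.classify_presented(SAMPLE_OTHER_DER),
        "deleted": store.delete(md5_first),
        "after_delete": store.classify_presented(SAMPLE_SERVER_DER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

MD5 serves here only as a lookup key for certificates an administrator has already imported, so its weak collision resistance does not by itself let an outsider get a certificate trusted; what matters operationally is that the value shown by display app-proxy imported internal-server-certificate matches the certificate you intended to import, and that expired or retired certificates are deleted by that value.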
Examples
# Import a PKCS#12 certificate file as an internal server certificate.
<Sysname> system-view
[Sysname] app-proxy internal-server-certificate import p12 filename server.p12
Password:
Related commands
display app-proxy imported internal-server-certificate
app-proxy ssl whitelist activate
Use app-proxy ssl whitelist activate to activate SSL proxy whitelist settings.
Syntax
app-proxy ssl whitelist activate
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
The following SSL proxy whitelist settings must be manually activated by using this command:
· Adding or removing hostnames to or from the user-defined SSL hostname whitelist.
· Enabling or disabling hostnames on the predefined SSL hostname whitelist.
This command is supported only on the default context. For more information about contexts, see context configuration in Virtual Technologies Configuration Guide.
Examples
# Add example.com to the user-defined SSL hostname whitelist and activate the setting.
<Sysname> system-view
[Sysname] app-proxy ssl whitelist user-defined-hostname example.com
To activate the setting, execute app-proxy ssl whitelist activate.
[Sysname] app-proxy ssl whitelist activate
Related commands
app-proxy ssl whitelist predefined-hostname enable
app-proxy ssl whitelist user-defined-hostname
app-proxy ssl whitelist predefined-hostname enable
Use app-proxy ssl whitelist predefined-hostname enable to enable hostnames on the predefined SSL hostname whitelist.
Use undo app-proxy ssl whitelist predefined-hostname enable to disable hostnames on the predefined SSL hostname whitelist.
Syntax
app-proxy ssl whitelist predefined-hostname { chrome-hsts [ hostname ] | hostname } enable
undo app-proxy ssl whitelist predefined-hostname { chrome-hsts [ hostname ] | hostname } enable
Default
The entire predefined SSL hostname whitelist is enabled.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
chrome-hsts [ hostname ]: Specifies a hostname on the Chrome HSTS list. The hostname argument is a case-insensitive string of 1 to 63 characters. If the hostname contains spaces, enclose it in double quotation marks, for example, "user for test". If you do not specify a hostname, this command applies to all hostnames on the Chrome HSTS list.
hostname: Specifies a hostname on the predefined SSL hostname whitelist that is not on the Chrome HSTS list. The hostname is a case-insensitive string of 1 to 63 characters. If the hostname contains spaces, enclose it in double quotation marks, for example, "user for test".
Usage guidelines
The Chrome HSTS list is a predefined list of server hostnames that are accessible to Web browsers only through HTTPS.
Follow these guidelines to enable or disable hostnames on the Chrome HSTS list:
· When the entire Chrome HSTS list is enabled, you can disable individual hostnames on the list.
· When the entire Chrome HSTS list is disabled, all hostnames on the list are disabled and cannot be enabled individually.
This command is supported only on the default context. For more information about contexts, see context configuration in Virtual Technologies Configuration Guide.
Examples
# Disable the entire Chrome HSTS list.
<Sysname> system-view
[Sysname] undo app-proxy ssl whitelist predefined-hostname chrome-hsts enable
To activate the setting, execute app-proxy ssl whitelist activate.
# Disable hostname 12306.cn on the predefined SSL hostname whitelist.
<Sysname> system-view
[Sysname] undo app-proxy ssl whitelist predefined-hostname 12306.cn enable
To activate the setting, execute app-proxy ssl whitelist activate.
Related commands
app-proxy ssl whitelist activate
display app-proxy ssl whitelist
app-proxy ssl whitelist user-defined-hostname
Use app-proxy ssl whitelist user-defined-hostname host-name to add a hostname to the user-defined SSL hostname whitelist.
Use undo app-proxy ssl whitelist user-defined-hostname to remove hostnames from the user-defined SSL hostname whitelist.
Syntax
app-proxy ssl whitelist user-defined-hostname host-name
undo app-proxy ssl whitelist user-defined-hostname { host-name | all }
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
host-name: Specifies a hostname, a case-insensitive string of 1 to 63 characters. If the hostname contains spaces, enclose it in double quotation marks. For example, "user for test".
all: Specifies all hostnames on the user-defined SSL hostname whitelist.
Usage guidelines
If the DNS Name or Common Name value in a server certificate contains a hostname on the SSL hostname whitelist, the device does not proxy the SSL connections destined for the server.
This command must be manually activated by using the app-proxy ssl whitelist activate command.
This command is supported only on the default context. For more information about contexts, see context configuration in Virtual Technologies Configuration Guide.
Examples
# Add example.com to the user-defined SSL hostname whitelist and activate the configuration.
<Sysname> system-view
[Sysname] app-proxy ssl whitelist user-defined-hostname example.com
To activate the setting, execute app-proxy ssl whitelist activate.
[Sysname] app-proxy ssl whitelist activate
Related commands
app-proxy ssl whitelist activate
display app-proxy ssl whitelist
app-proxy ssl-decrypt-certificate delete
Use app-proxy ssl-decrypt-certificate delete to delete an SSL decryption certificate.
Syntax
app-proxy ssl-decrypt-certificate delete filename filename
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
filename: Specifies an SSL decryption certificate by its file name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
The device, acting as an SSL proxy, requires the correct SSL decryption certificate to issue proxy server certificates to send to clients for server authentication. If the required SSL decryption certificate is not available, the device cannot set up a connection with the client and the SSL traffic will be transmitted directly without SSL decryption.
After an SSL decryption certificate is imported, its file extension will be changed to .cer, which must be appended to the file name when you delete the certificate.
Examples
# Delete SSL decryption certificate aaa.cer.
<Sysname> system-view
[Sysname] app-proxy ssl-decrypt-certificate delete filename aaa.cer
Related commands
display app-proxy ssl-decrypt-certificate
app-proxy ssl-decrypt-certificate import
Use app-proxy ssl-decrypt-certificate import to import a CA certificate as a trusted or untrusted SSL decryption certificate.
Syntax
app-proxy ssl-decrypt-certificate import { trusted | untrusted } { pem | p12 } filename filename
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
trusted: Imports the CA certificate as a trusted SSL decryption certificate.
untrusted: Imports the CA certificate as an untrusted SSL decryption certificate.
pem: Specifies the PEM certificate file format.
p12: Specifies the PKCS#12 certificate file format.
filename filename: Specifies the certificate file name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
The device supports a maximum of one trusted SSL decryption certificate and one untrusted SSL decryption certificate. When importing an SSL decryption certificate, you must mark the certificate as Trusted or Untrusted. If you import multiple trusted or multiple untrusted SSL decryption certificates to the device, the most recent configuration takes effect.
To use the same CA certificate as both the trusted and untrusted SSL decryption certificate, first import the certificate with the Trusted or Untrusted tag, and then add the other tag to the certificate by using the app-proxy ssl-decrypt-certificate modify command.
After an SSL decryption certificate is imported, its file extension will be changed to .cer.
After receiving the certificate of the real server, the device verifies the legitimacy of the server certificate on behalf of the SSL client.
· If the server certificate is legitimate, the device uses the trusted SSL decryption certificate to issue a new certificate to the client. The client trusts this proxy server certificate only if the trusted SSL decryption certificate is installed in its trust store.
· If the server certificate is illegitimate, the device uses the untrusted SSL decryption certificate to issue a new certificate to the client. The client raises a security alarm, and the user must clear the alarm to continue the access.
The trusted SSL decryption certificate must be installed on the client browser. Otherwise, the client cannot trust the proxy server certificate signed by the trusted SSL decryption certificate and might display a warning or terminate the proxied SSL connection without a warning.
A Firefox browser does not use the SSL decryption certificate in the Windows certificate store by default. To use the SSL decryption certificate on the Firefox browser, you can take the following methods:
· Import the SSL decryption certificate into the Firefox browser.
· Configure the Firefox browser to use the SSL decryption certificate in the Windows certificate store through the following steps:
a. Enter about:config in the address bar.
b. In the Search box, enter security.enterprise_roots.enabled.
c. Locate this entry, and double-click or right-click its value to change false to true.
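The decisions this page describes for a server certificate received by the SSL proxy in client-protection mode, as an added example that is not H3C code: the SSL hostname whitelist (the predefined Chrome HSTS list with per-host enable state, the whole-list switch that overrides it, the user-defined list, and the fact that edits take effect only after app-proxy ssl whitelist activate), followed by the choice between the trusted and untrusted SSL decryption certificate, with the pass-through that app-proxy ssl-decrypt-certificate delete describes when the needed certificate is missing. The page says a whitelisted hostname that the certificate's DNS Name or Common Name "contains" bypasses the proxy; this code interprets that as a case-insensitive exact or parent-domain match, which is an assumption. Certificates, hostnames and CA file names are constructed.

```python
"""Added example (not H3C code): server-certificate handling by the SSL proxy
in client-protection mode, as described on this page.

Assumption: "contains" in the whitelist rule is read as exact or parent-domain
match (example.com also covers www.example.com). All data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class ServerCert:
    """Fields of the real server's certificate that the decisions use."""
    san_dns: list         # DNS entries of the Subject Alternative Name
    common_name: str      # Subject CN
    chain_valid: bool     # outcome of the device's verification on behalf of the client


class SslWhitelist:
    def __init__(self, chrome_hsts_hosts):
        self.predefined = {h.lower(): True for h in chrome_hsts_hosts}  # host -> enabled
        self.predefined_list_enabled = True
        self.user_defined = set()
        self.active = frozenset(self.predefined)  # default state is already in effect

    def predefined_enable(self, enable, hostname=None):
        """[undo] app-proxy ssl whitelist predefined-hostname chrome-hsts [host] enable."""
        if hostname is None:
            self.predefined_list_enabled = enable
        elif hostname.lower() in self.predefined:
            self.predefined[hostname.lower()] = enable
        else:
            raise KeyError(f"{hostname} is not on the predefined list")

    def user_defined_add(self, hostname):
        self.user_defined.add(hostname.lower())

    def user_defined_remove(self, hostname=None):
        """undo app-proxy ssl whitelist user-defined-hostname { host | all }."""
        if hostname is None:
            self.user_defined.clear()
        else:
            self.user_defined.discard(hostname.lower())

    def activate(self):
        """app-proxy ssl whitelist activate: make pending edits effective."""
        effective = set(self.user_defined)
        if self.predefined_list_enabled:  # whole-list switch overrides per-host state
            effective |= {h for h, on in self.predefined.items() if on}
        self.active = frozenset(effective)


def _name_matches(cert_name, whitelisted):
    cert_name = cert_name.lower().rstrip(".")
    return cert_name == whitelisted or cert_name.endswith("." + whitelisted)


def is_whitelisted(cert, whitelist):
    names = list(cert.san_dns) + [cert.common_name]
    return any(_name_matches(n, w) for n in names for w in whitelist.active)


def handle_server_certificate(cert, whitelist, trusted_ca, untrusted_ca):
    """Return (action, signing CA file) for one SSL connection."""
    if is_whitelisted(cert, whitelist):
        return ("no-proxy", None)
    signer = trusted_ca if cert.chain_valid else untrusted_ca
    if signer is None:  # required decryption certificate not imported: passed through
        return ("no-proxy", None)
    return ("ssl-decrypt", signer)


def demo():
    wl = SslWhitelist(["accounts.firefox.com", "android.com", "12306.cn"])
    trusted, untrusted = "trusted-ca.cer", "untrusted-ca.cer"  # constructed file names
    out = {}
    wl.user_defined_add("example.com")  # pending until activated
    good = ServerCert(["www.example.com"], "www.example.com", True)
    out["before_activate"] = handle_server_certificate(good, wl, trusted, untrusted)
    wl.activate()
    out["after_activate"] = handle_server_certificate(good, wl, trusted, untrusted)
    wl.predefined_enable(False, "12306.cn")  # one predefined host disabled
    wl.activate()
    out["disabled_host"] = handle_server_certificate(ServerCert(["12306.cn"], "12306.cn", True), wl, trusted, untrusted)
    out["enabled_host"] = handle_server_certificate(ServerCert([], "accounts.firefox.com", True), wl, trusted, untrusted)
    wl.predefined_enable(False)  # whole predefined list disabled
    wl.activate()
    out["list_disabled"] = handle_server_certificate(ServerCert([], "accounts.firefox.com", True), wl, trusted, untrusted)
    bad = ServerCert(["bad.test"], "bad.test", False)  # fails verification
    out["bad_cert"] = handle_server_certificate(bad, wl, trusted, untrusted)
    out["bad_cert_no_untrusted_ca"] = handle_server_certificate(bad, wl, trusted, None)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last case is the one to watch in a deployment: the page states that traffic is transmitted directly when the required SSL decryption certificate is missing, so importing only a trusted certificate means connections to servers with invalid certificates escape decryption and inspection altogether. Import both tags (or add the second tag with app-proxy ssl-decrypt-certificate modify), and confirm the whitelist you expect with display app-proxy ssl whitelist hostname after each activate.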
Examples
# Import a PKCS#12 certificate file as a trusted SSL decryption certificate.
<Sysname> system-view
[Sysname] app-proxy ssl-decrypt-certificate import trusted p12 filename aaa.p12
Password:
Related commands
display app-proxy ssl-decrypt-certificate
app-proxy ssl-decrypt-certificate modify
Use app-proxy ssl-decrypt-certificate modify to add the Trusted or Untrusted tag to an SSL decryption certificate.
Use undo app-proxy ssl-decrypt-certificate modify to remove the Trusted or Untrusted tag from an SSL decryption certificate.
Syntax
app-proxy ssl-decrypt-certificate modify { trusted | untrusted } filename filename
undo app-proxy ssl-decrypt-certificate modify { trusted | untrusted }
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
trusted: Specifies the Trusted tag.
untrusted: Specifies the Untrusted tag.
filename: Specifies the SSL decryption certificate by its file name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
To use the same CA certificate as both the trusted and untrusted SSL decryption certificate, first import the certificate with the Trusted or Untrusted tag, and then use this command to add the other tag to the certificate.
When you add the Trusted or Untrusted tag to an SSL decryption certificate, the system asks whether you want to overwrite the SSL decryption certificate with the same tag if such a certificate already exists.
Removing the Trusted or Untrusted tag from an SSL decryption certificate does not remove the certificate file from the system. You can use the app-proxy ssl-decrypt-certificate modify command to add the Trusted or Untrusted tag to the certificate again.
After an SSL decryption certificate is imported, its file extension will be changed to .cer. Append the .cer file extension when you specify the file containing the certificate whose credibility you want to change.
Examples
# Add the Trusted tag to the CA certificate in certificate file aaa.cer.
<Sysname> system-view
[Sysname] app-proxy ssl-decrypt-certificate modify trusted filename aaa.cer
[Sysname] A trusted CA certificate already exists. Overwrite the existing trusted CA certificate with the specified certificate? [Y/N]:
Related commands
display app-proxy ssl-decrypt-certificate
app-proxy-policy
Use app-proxy-policy to enter proxy policy view.
Use undo app-proxy-policy to remove all proxy policy configurations.
Syntax
app-proxy-policy
undo app-proxy-policy
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
The device supports only one IPv4 proxy policy.
Examples
# Enter proxy policy view.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy]
Related commands
display app-proxy-policy
default action
Use default action to specify the default action for the proxy policy.
Use undo default action to restore the default.
Syntax
default action { no-proxy | ssl-decrypt | tcp-proxy }
undo default action
Default
The proxy policy uses the no-proxy action.
Views
Proxy policy view
Predefined user roles
network-admin
context-admin
Parameters
no-proxy: Specifies the no-proxy action.
ssl-decrypt: Specifies the SSL decryption action.
tcp-proxy: Specifies the TCP proxy action.
Usage guidelines
The default action applies to packets that do not match any rules in the proxy policy.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the default action to ssl-decrypt for the proxy policy.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] default action ssl-decrypt
default ssl-decrypt protect-mode
Use default ssl-decrypt protect-mode to specify an SSL decryption protection mode for the proxy policy.
Use undo default ssl-decrypt protect-mode to restore the default.
Syntax
default ssl-decrypt protect-mode { client | server }
undo default ssl-decrypt protect-mode
Default
The SSL decryption protection mode of the proxy policy is client.
Views
Proxy policy view
Predefined user roles
network-admin
context-admin
Parameters
client: Specifies client protection.
server: Specifies server protection.
Usage guidelines
The SSL decryption supports the following protection services:
· Internal client protection—The device is deployed at the exit of the network where the internal clients are. When the internal clients access an external server, the device acts as a proxy server to decrypt the packets and perform deep packet inspection on the decrypted packets. It protects the internal clients from being attacked by external malicious websites. In this scenario, the device requires imported SSL decryption certificates to establish SSL connections with the clients.
· Internal server protection—The device is deployed at the entrance of the network where the internal servers are. When the external clients access an internal server, the device acts as a proxy server to decrypt the packets and perform deep packet inspection on the decrypted packets. It protects the internal servers from being attacked by external malicious traffic. In this scenario, the device requires imported internal server certificates to establish SSL connections with the clients.
For more information about DPI, see "DPI overview."
By default, the SSL proxy protects the internal clients. You can select a protection service of the SSL decryption as required and import the corresponding certificates to the device for SSL connection establishment with the clients.
This command takes effect only when the SSL decryption action is used as the default action for the proxy policy.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify server as the SSL decryption protection mode for the proxy policy.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] default ssl-decrypt protect-mode server
Related commands
display app-proxy-policy
destination-ip object-group
Use destination-ip object-group to configure an object group as a destination address filtering criterion in a proxy policy rule.
Use undo destination-ip object-group to remove destination address filtering criteria from a proxy policy rule.
Syntax
destination-ip object-group object-group-name
undo destination-ip object-group [ object-group-name ]
Default
A proxy policy rule does not contain any destination address filtering criterion.
Views
Proxy policy rule view
Predefined user roles
network-admin
context-admin
Parameters
object-group-name: Specifies an IP address object group by its name, a case-insensitive string of 1 to 63 characters. The object group must already exist and its name cannot be any.
Usage guidelines
You can repeat this command to set multiple destination address filtering criteria in a proxy policy rule. A packet passes the destination address filtering if it matches any of the configured destination address filtering criteria.
If you execute the undo destination-ip object-group command without specifying an object group, all destination address filtering criteria in the proxy policy rule will be deleted.
For more information about object groups, see object group configuration in Security Configuration Guide.
Examples
# In proxy policy rule rule1, set IP address object groups client1 and client2 as destination address filtering criteria.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] rule 1 name rule1
[Sysname-app-proxy-policy-0-rule1] destination-ip object-group client1
[Sysname-app-proxy-policy-0-rule1] destination-ip object-group client2
Related commands
display app-proxy-policy
object-group (Security Command Reference)
destination-zone
Use destination-zone to configure a destination security zone filtering criterion in a proxy policy rule.
Use undo destination-zone to remove destination security zone filtering criteria from a proxy policy rule.
Syntax
destination-zone destination-zone-name
undo destination-zone [ destination-zone-name ]
Default
A proxy policy rule does not contain any destination security zone filtering criterion.
Views
Proxy policy rule view
Predefined user roles
network-admin
context-admin
Parameters
destination-zone-name: Specifies a destination security zone by its name, a case-insensitive string of 1 to 31 characters. The destination security zone name cannot be any.
Usage guidelines
You can repeat this command to set multiple destination security zone filtering criteria in a proxy policy rule. A packet passes the destination security zone filtering if it matches any of the configured destination security zone filtering criteria.
You can specify a nonexistent security zone for a destination security zone filtering criterion. However, the destination security zone filtering criterion does not take effect until the security zone is configured.
If you execute the undo destination-zone command without specifying a security zone, all destination security zone filtering criteria in the proxy policy rule will be deleted.
For more information about security zones, see security zone configuration in Security Configuration Guide.
Examples
# In proxy policy rule rule1, set security zones trust and server as destination security zone filtering criteria.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] rule 1 name rule1
[Sysname-app-proxy-policy-0-rule1] destination-zone trust
[Sysname-app-proxy-policy-0-rule1] destination-zone server
Related commands
display app-proxy-policy
security-zone (Security Configuration Guide)
disable
Use disable to disable a proxy policy rule.
Use undo disable to enable a proxy policy rule.
Syntax
disable
undo disable
Default
A proxy policy rule is enabled.
Views
Proxy policy rule view
Predefined user roles
network-admin
context-admin
Usage guidelines
The device compares a packet against only the enabled proxy policy rules. The match process stops once a matching rule is found.
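How a flow is matched against the proxy policy described on this page, as an added example that is not H3C code: enabled rules are compared in order, the first match stops the search, flows that match no rule get the default action, and the default ssl-decrypt protect-mode is consulted only when the default action is ssl-decrypt. The following are assumptions: within one rule the destination-ip and destination-zone criteria must both pass (any-of within each criterion type, as the page states for each); a rule with no criteria of a type does not restrict that type; rules are evaluated in ascending rule ID; IP address object groups are modelled as lists of IPv4 networks. Addresses, zone names and group names are constructed.

```python
"""Added example (not H3C code): proxy policy rule matching as described on
this page. See the lead-in for the assumptions; all data is constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    rule_id: int
    name: str
    action: str = "no-proxy"                          # default of the `action` command
    dst_groups: list = field(default_factory=list)    # destination-ip object-group names
    dst_zones: list = field(default_factory=list)     # destination-zone names
    enabled: bool = True                              # `disable` clears this


class ProxyPolicy:
    def __init__(self, object_groups, security_zones):
        self.object_groups = {g: [ipaddress.ip_network(n) for n in nets]
                              for g, nets in object_groups.items()}
        self.security_zones = set(security_zones)
        self.rules = {}
        self.default_action = "no-proxy"
        self.protect_mode = "client"

    def add_rule(self, rule):
        self.rules[rule.rule_id] = rule

    def effective_protect_mode(self):
        """default ssl-decrypt protect-mode applies only with default action ssl-decrypt."""
        return self.protect_mode if self.default_action == "ssl-decrypt" else None

    def _dst_ip_ok(self, rule, dst_ip):
        if not rule.dst_groups:
            return True
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in net for g in rule.dst_groups for net in self.object_groups.get(g, []))

    def _dst_zone_ok(self, rule, dst_zone):
        # A rule may name a zone that does not exist yet; no flow can be destined
        # for such a zone, so the entry simply never matches until it is created.
        return not rule.dst_zones or dst_zone in rule.dst_zones

    def match(self, dst_ip, dst_zone):
        """Return (action, rule name or 'default') for a flow."""
        if dst_zone not in self.security_zones:
            raise ValueError(f"zone {dst_zone} is not configured")
        for rule in sorted(self.rules.values(), key=lambda r: r.rule_id):
            if rule.enabled and self._dst_ip_ok(rule, dst_ip) and self._dst_zone_ok(rule, dst_zone):
                return rule.action, rule.name  # first match stops the search
        return self.default_action, "default"


def demo():
    policy = ProxyPolicy({"dmz-web": ["192.0.2.0/24"], "intranet": ["10.0.0.0/8"]},
                         {"trust", "dmz"})
    policy.add_rule(Rule(1, "decrypt-dmz", "ssl-decrypt", ["dmz-web"], ["dmz"]))
    policy.add_rule(Rule(2, "server-tcp", "tcp-proxy", [], ["server"]))  # zone not created yet
    policy.add_rule(Rule(3, "bypass-dmz", "no-proxy", ["dmz-web"], []))  # shadowed by rule 1 in zone dmz
    out = {}
    out["dmz_flow"] = policy.match("192.0.2.10", "dmz")
    out["dmz_from_trust"] = policy.match("192.0.2.10", "trust")
    out["intranet_flow"] = policy.match("10.1.2.3", "trust")
    out["protect_mode_ignored"] = policy.effective_protect_mode()
    policy.default_action, policy.protect_mode = "ssl-decrypt", "server"
    out["intranet_flow_new_default"] = policy.match("10.1.2.3", "trust")
    out["protect_mode_effective"] = policy.effective_protect_mode()
    policy.security_zones.add("server")  # zone created: rule 2 can now match
    out["server_zone_flow"] = policy.match("10.1.2.3", "server")
    policy.rules[1].enabled = False       # `disable` in the view of rule 1
    out["dmz_flow_rule1_disabled"] = policy.match("192.0.2.10", "dmz")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rule 3 in the walk-through never sees dmz traffic while rule 1 is enabled, and rule 2 matches nothing until its zone exists; both are the kind of ordering and dependency effect to check in display app-proxy-policy output after editing a policy, because a disabled or shadowed rule silently changes which action (and therefore whether inspection happens) a flow receives.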
Examples
# Disable proxy policy rule rule1.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] rule 1 name rule1
[Sysname-app-proxy-policy-0-rule1] disable
Related commands
rule
display app-proxy imported internal-server-certificate
Use display app-proxy imported internal-server-certificate to display information about imported internal server certificates.
Syntax
display app-proxy imported internal-server-certificate
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Usage guidelines
The output includes the MD5 value, certificate data, and signature algorithm of each imported internal server certificate.
Examples
# Display information about imported internal server certificates.
<Sysname> display app-proxy imported internal-server-certificate
Certificate Md5: c4f5f2c41ca1de4258d893c9887bf287
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
aa:31:f8:3d:06:b0:9b:
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=bj, L=cp, O=dpi, OU=sec, CN=trustca
Validity
Not Before: Sep 7 12:00:43 2017 GMT
Not After : Aug 28 12:00:43 2057 GMT
Subject: C=CN, ST=bj, L=cp, O=dpi, OU=sec, CN=trustca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ec:d7:73:af:03:07:07:86:e6:31:4d:e5:32:09:
20:7f:93:19:20:b2:25:c4:cc:32:8e:e4:29:fd:e0:
30:48:4c:8d:0a:83:66:28:af:6a:e0:69:81:08:58:
ca:cf:e4:3d:5a:e8:69:92:67:71:e3:c0:66:87:8e:
16:cc:6a:89:1d:d4:22:5f:93:14:47:bd:39:60:44:
3c:ee:0a:d1:8d:d4:16:84:65:e9:b7:b1:0f:6d:af:
6e:ef:21:b5:5a:02:4f:63:46:6e:8b:73:b5:95:70:
8a:ed:5d:23:8b:d8:0e:45:2d:8b:52:ab:34:6d:3b:
d5:85:ae:1c:d4:26:6e:fb:2c:1e:18:db:55:22:96:
d8:1f:1a:33:e9:ff:1f:8c:be:28:9d:de:77:d8:9b:
a7:27:0f:7e:e2:52:3e:bd:02:ee:c3:06:93:d0:16:
b0:c7:96:bb:c8:b1:96:8d:ee:ca:6e:76:63:1e:b1:
b6:fb:31:bf:d0:13:66:ad:f6:97:cf:0b:37:f7:6c:
f8:46:b6:76:f1:70:6f:24:6c:92:a6:dd:c2:3b:cf:
3c:35:c7:74:60:dd:db:a3:bf:70:b4:55:05:4b:d7:
cd:dd:c1:1b:59:0d:41:e7:95:5a:79:44:9d:b0:8b:
a7:f2:f4:67:0e:0c:4a:b6:35:97:1e:e6:99:88:fc:
c8:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:1.1.1.1, DNS:trustca, email:[email protected]
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
D4:35:A8:66:63:03:04:2B:CA:4E:91:06:11:F5:72:1C:26:E0:BE:33
Netscape Cert Type:
SSL CA
Netscape Comment:
example comment extension
Signature Algorithm: sha1WithRSAEncryption
b9:d2:eb:98:bd:f9:8d:7e:03:a8:0e:b4:29:cf:3a:a1:fd:f4:
2a:fa:56:1c:cf:40:a4:9e:7f:5a:15:6b:88:8a:dd:86:d2:03:
c3:38:49:7a:11:09:78:81:8c:8f:0a:3b:fb:d6:60:59:c4:0b:
12:0e:38:b0:92:f3:2e:b5:96:ab:d3:a4:2d:cb:ef:fd:a0:97:
d0:63:43:8e:91:1f:f1:fc:39:c8:cf:e5:ee:4b:e7:8c:8b:f8:
3b:ff:5e:dc:00:df:5b:2f:98:53:f2:c7:da:fa:b8:2e:92:dd:
33:6a:80:df:0e:22:62:62:5d:2f:6c:eb:4c:80:c4:56:c9:00:
01:a6:82:60:e4:32:69:f7:7b:8f:6c:93:e5:c3:64:65:fe:aa:
e1:0b:10:92:bd:ea:2f:2f:e5:b6:fd:b5:5b:df:34:c8:5d:5a:
91:9a:0d:89:10:76:b8:ed:28:ef:6a:c4:7b:48:d7:88:57:7c:
cf:4e:c8:38:84:ad:54:6d:3f:40:a0:38:d7:36:61:23:7a:82:
62:34:41:3d:cc:b2:ee:4a:23:f1:7d:12:e2:23:26:10:df:c8:
a1:6f:00:00:b7:c2:1f:ce:1b:63:60:e0:63:33:e0:59:31:78:
bc:27:99:b6:27:40:95:da:1b:37:07:75:2f:99:97:56:33:f5:
4f:ad:14:31
Figure 1 Command output

Field | Description
---|---
Certificate Md5 | MD5 value of the certificate.
Certificate | Information about the certificate.
Version | Version number of the certificate.
Serial Number | Serial number of the certificate.
Signature Algorithm | Signature algorithm used in the certificate.
Issuer | Issuer of the certificate.
Validity | Validity period of the certificate.
Subject | Identity of the entity to which the certificate belongs.
Subject Public Key Info | Public key information of the certificate subject.
Modulus | Modulus of the public key (the key length is shown on the Public-Key line).
Exponent | Public exponent of the key.
X509v3 extensions | X.509v3 extensions in the certificate.
X509v3 Subject Alternative Name | Alternative names of the certificate subject.
IP Address | IP address of the certificate subject.
DNS | DNS name of the certificate subject.
email | Email address of the certificate subject.
X509v3 Basic Constraints | Indicates whether the certificate belongs to a CA.
X509v3 Key Usage | Cryptographic operations that the public key in the certificate may be used for.
X509v3 Subject Key Identifier | Key identifier of the certificate subject.
Netscape Cert Type | Netscape certificate type, an extension defined by Netscape to limit what the certificate can be used for.
Netscape Comment | Netscape comment that can be displayed in certain browsers.
Related commands
app-proxy internal-server-certificate import
app-proxy internal-server-certificate delete
display app-proxy server-certificate
Use display app-proxy server-certificate to display the SSL server certificates received by the device as the SSL proxy client.
Syntax
In standalone mode:
display app-proxy server-certificate [ slot slot-number ]
In IRF mode:
display app-proxy server-certificate [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays certificate information on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays certificate information on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
When implementing the SSL proxy function, the device acts as the SSL proxy client to complete the SSL handshake and establish an SSL connection with the SSL server. This command displays information about the SSL server certificates received by the device as the SSL proxy client.
Examples
# (In standalone mode.) Display the SSL server certificates received by the device as the SSL proxy client on slot 1.
<Sysname> display app-proxy server-certificate slot 1
Slot1:
Total server certificates: --
Certificate info: /cn=h3c-https-self-signed-certificate-13a73249669cc70a
Proxy count: 198
Most recent proxy time: 2017/10/25 10:7:7
First proxy at: 2017/10/23 15:52:59
Figure 2 Command output

Field | Description
---|---
Total server certificates | Total number of server certificates received by the device as the SSL proxy client.
Certificate info | Information about the certificate. This field displays the value in the DNS Name field (in the format of example.com) of the certificate. If the server certificate does not contain the DNS Name field, the value in the Common Name field (in the format of /cn=example.com) is displayed.
Proxy count | Number of times connections to the server have been proxied.
Most recent proxy time | Most recent time the device proxied a connection to the server.
First proxy at | First time the device proxied a connection to the server.
Related commands
reset app-proxy server-certificate
display app-proxy ssl whitelist hostname
Use display app-proxy ssl whitelist hostname to display the SSL hostname whitelist.
Syntax
display app-proxy ssl whitelist hostname { predefined | user-defined }
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
user-defined: Displays the user-defined SSL hostname whitelist.
predefined: Displays the predefined SSL hostname whitelist.
Usage guidelines
This command is supported only on the default context. For more information about contexts, see context configuration in Virtual Technologies Configuration Guide.
Examples
# Display the user-defined SSL hostname whitelist.
<Sysname> display app-proxy ssl whitelist hostname user-defined
Hostname
example1.com
example2.com
# Display the predefined SSL hostname whitelist.
<Sysname> display app-proxy ssl whitelist hostname predefined
Chrome HSTS-defined hostnames:
status Hostname
enabled 2mdn.net
enabled accounts.firefox.com
enabled aclu.org
enabled activiti.alfresco.com
enabled adamkostecki.de
enabled addvocate.com
enabled adsfund.org
enabled aie.de
enabled airbnb.com
enabled aladdinschools.appspot.com
enabled alexsexton.com
enabled alpha.irccloud.com
enabled android.com
enabled ansdell.net
enabled anycoin.me
enabled apadvantage.com
enabled api.intercom.io
enabled api.lookout.com
enabled api.mega.co.nz
enabled api.recurly.com
enabled api.simple.com
---- More ----
Figure 3 Command output
Field | Description |
---|---|
Chrome HSTS-defined hostnames | List of Chrome HSTS-defined hostnames accessible only through HTTPS. |
Status | State of the hostname on the SSL hostname whitelist, Enabled or Disabled. |
Related commands
app-proxy ssl whitelist predefined-hostname enable
app-proxy ssl whitelist user-defined-hostname
display app-proxy ssl whitelist { ipv4 | ipv6 }
Use display app-proxy ssl whitelist { ipv4 | ipv6 } to display the SSL IP address whitelist.
Syntax
In standalone mode:
display app-proxy ssl whitelist { ipv4 | ipv6 } { all [ slot slot-number ] | ip-address }
In IRF mode:
display app-proxy ssl whitelist { ipv4 | ipv6 } { all [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] | ip-address }
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
ipv4: Specifies the SSL IPv4 address whitelist.
ipv6: Specifies the SSL IPv6 address whitelist.
all: Specifies all IP addresses on the SSL IP address whitelist.
ip-address: Specifies the IP address of an SSL IP address whitelist entry to be displayed.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the SSL IP address whitelist information on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays the SSL IP address whitelist information on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display the SSL IPv4 address whitelist on slot 1.
<Sysname> display app-proxy ssl whitelist ipv4 all slot 1
Slot 1:
IPv4 address Port
10.1.1.1 443
10.10.1.1 443
Figure 4 Command output
Field | Description |
---|---|
IPv4 address | IPv4 address in an SSL IP address whitelist entry. |
IPv6 address | IPv6 address in an SSL IP address whitelist entry. |
Port | Port number of the SSL IP address whitelist entry. Connections destined for a server with the IP address and port number matching an IP address whitelist entry will not be proxied. |
display app-proxy ssl-decrypt-certificate
Use display app-proxy ssl-decrypt-certificate to display SSL decryption certificate information.
Syntax
display app-proxy ssl-decrypt-certificate
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display SSL decryption certificate information.
<Sysname> display app-proxy ssl-decrypt-certificate
Trusted:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
aa:31:f8:3d:06:b0:9b:
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=bj, L=cp, O=dpi, OU=sec, CN=trustca
Validity
Not Before: Sep 7 12:00:43 2017 GMT
Not After : Aug 28 12:00:43 2057 GMT
Subject: C=CN, ST=bj, L=cp, O=dpi, OU=sec, CN=trustca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ec:d7:73:af:03:07:07:86:e6:31:4d:e5:32:09:
20:7f:93:19:20:b2:25:c4:cc:32:8e:e4:29:fd:e0:
30:48:4c:8d:0a:83:66:28:af:6a:e0:69:81:08:58:
ca:cf:e4:3d:5a:e8:69:92:67:71:e3:c0:66:87:8e:
16:cc:6a:89:1d:d4:22:5f:93:14:47:bd:39:60:44:
3c:ee:0a:d1:8d:d4:16:84:65:e9:b7:b1:0f:6d:af:
6e:ef:21:b5:5a:02:4f:63:46:6e:8b:73:b5:95:70:
8a:ed:5d:23:8b:d8:0e:45:2d:8b:52:ab:34:6d:3b:
d5:85:ae:1c:d4:26:6e:fb:2c:1e:18:db:55:22:96:
d8:1f:1a:33:e9:ff:1f:8c:be:28:9d:de:77:d8:9b:
a7:27:0f:7e:e2:52:3e:bd:02:ee:c3:06:93:d0:16:
b0:c7:96:bb:c8:b1:96:8d:ee:ca:6e:76:63:1e:b1:
b6:fb:31:bf:d0:13:66:ad:f6:97:cf:0b:37:f7:6c:
f8:46:b6:76:f1:70:6f:24:6c:92:a6:dd:c2:3b:cf:
3c:35:c7:74:60:dd:db:a3:bf:70:b4:55:05:4b:d7:
cd:dd:c1:1b:59:0d:41:e7:95:5a:79:44:9d:b0:8b:
a7:f2:f4:67:0e:0c:4a:b6:35:97:1e:e6:99:88:fc:
c8:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:1.1.1.1, DNS:trustca, email:[email protected]
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
D4:35:A8:66:63:03:04:2B:CA:4E:91:06:11:F5:72:1C:26:E0:BE:33
Netscape Cert Type:
SSL CA
Netscape Comment:
example comment extension
Signature Algorithm: sha1WithRSAEncryption
b9:d2:eb:98:bd:f9:8d:7e:03:a8:0e:b4:29:cf:3a:a1:fd:f4:
2a:fa:56:1c:cf:40:a4:9e:7f:5a:15:6b:88:8a:dd:86:d2:03:
c3:38:49:7a:11:09:78:81:8c:8f:0a:3b:fb:d6:60:59:c4:0b:
12:0e:38:b0:92:f3:2e:b5:96:ab:d3:a4:2d:cb:ef:fd:a0:97:
d0:63:43:8e:91:1f:f1:fc:39:c8:cf:e5:ee:4b:e7:8c:8b:f8:
3b:ff:5e:dc:00:df:5b:2f:98:53:f2:c7:da:fa:b8:2e:92:dd:
33:6a:80:df:0e:22:62:62:5d:2f:6c:eb:4c:80:c4:56:c9:00:
01:a6:82:60:e4:32:69:f7:7b:8f:6c:93:e5:c3:64:65:fe:aa:
e1:0b:10:92:bd:ea:2f:2f:e5:b6:fd:b5:5b:df:34:c8:5d:5a:
91:9a:0d:89:10:76:b8:ed:28:ef:6a:c4:7b:48:d7:88:57:7c:
cf:4e:c8:38:84:ad:54:6d:3f:40:a0:38:d7:36:61:23:7a:82:
62:34:41:3d:cc:b2:ee:4a:23:f1:7d:12:e2:23:26:10:df:c8:
a1:6f:00:00:b7:c2:1f:ce:1b:63:60:e0:63:33:e0:59:31:78:
bc:27:99:b6:27:40:95:da:1b:37:07:75:2f:99:97:56:33:f5:
4f:ad:14:31
Figure 5 Command output
Field | Description |
---|---|
Trusted | Trust status of the SSL decryption certificate, Trusted or Untrusted. |
Version | Version number of the certificate. |
Serial Number | Serial number of the certificate. |
Signature Algorithm | Signature algorithm used in the certificate. |
Issuer | Issuer of the certificate. |
Validity | Validity period of the certificate. |
Subject | Identity of the entity to which the certificate belongs. |
Subject Public Key Info | Public key information of the certificate subject. |
Modulus | Modulus length of the key. |
Exponent | Key exponent. |
X509v3 extensions | X.509v3 extensions in the certificate. |
X509v3 Subject Alternative Name | Alternative name of the certificate subject. |
IP Address | IP address of the certificate subject. |
DNS | DNS name of the certificate subject. |
email | Email address of the certificate subject. |
X509v3 Basic Constraints | Indicates whether the certificate belongs to a CA. |
X509v3 Key Usage | Identifies the cryptographic operations which may be performed using the public key contained in the certificate. |
X509v3 Subject Key Identifier | Key identifier of the certificate subject. |
Netscape Cert Type | Netscape certificate type, an extension defined by Netscape to limit what the certificate can be used for. |
Netscape Comment | Netscape comment that can be displayed in certain browsers. |
display app-proxy-policy
Use display app-proxy-policy to display proxy policy information.
Syntax
display app-proxy-policy [ rule rule-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
rule rule-name: Specifies a proxy policy rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a proxy policy rule, this command displays information about all proxy policy rules.
Examples
# Display proxy policy information and all rules in the policy.
<Sysname> display app-proxy-policy
Default action: ssl-decrypt (Protect mode: server)
Rule with ID 0 and name rule0:
Action: ssl-decrypt
Status: Enabled
Protect mode: server
Match criteria:
Source security zones: trust
Destination security zones: trust
Source IP address object groups: srcobj
Destination IP address object groups: destobj
Service object groups: serviceobj
Users: user1
User groups: usergroup1
Rule with ID 2 and name rule2:
Action: ssl-decrypt
Status: Enabled
Match criteria:
source-zone: trust
destination-zone: Untrust
Protection mode: Client
Figure 6 Command output
Field | Description |
---|---|
Default action | Default action of the policy: no-proxy, ssl-decrypt, or tcp-proxy. |
(Protect mode: XXX) | SSL decryption protection mode of the proxy policy: client (protects internal clients from attacks) or server (protects internal servers from attacks). This field is available only when the SSL decryption action is used as the default action for the proxy policy. |
Rule with ID rule-id and name rule-name | ID and name of a proxy policy rule. |
Action | Action for traffic matching the proxy policy rule: no-proxy, ssl-decrypt, or tcp-proxy. |
Protect mode | SSL decryption protection mode of the proxy policy rule: client (protects internal clients from attacks) or server (protects internal servers from attacks). |
Source security zones | Source security zones to which the proxy policy rule applies. |
Destination security zones | Destination security zones to which the proxy policy rule applies. |
Source IP address object groups | Source IP address object groups to which the proxy policy rule applies. |
Destination IP address object groups | Destination IP address object groups to which the proxy policy rule applies. |
Service object groups | Service object groups to which the proxy policy rule applies. |
Users | Users to whom the proxy policy rule applies. |
User groups | User groups to which the proxy policy rule applies. |
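As an added example (not part of this command reference), the following Python script parses display app-proxy-policy output of the form shown above into structured rule records and lists the enabled rules whose action is ssl-decrypt, with the protection mode that applies to each, so an operator can review exactly which rules terminate TLS. It assumes that the two field spellings in the sample output (Source security zones / source-zone, Protect mode / Protection mode) denote the same fields, and that a rule showing no mode uses the rule default, client, as documented for ssl-decrypt protect-mode; the sample output is constructed.

```python
import re

# Constructed sample modelled on the display app-proxy-policy output in this
# reference; rule3 is added to exercise the unscoped-rule check.
SAMPLE_OUTPUT = """\
Default action: ssl-decrypt (Protect mode: server)
Rule with ID 0 and name rule0:
Action: ssl-decrypt
Status: Enabled
Protect mode: server
Match criteria:
Source security zones: trust
Destination security zones: trust
Source IP address object groups: srcobj
Destination IP address object groups: destobj
Service object groups: serviceobj
Users: user1
User groups: usergroup1
Rule with ID 2 and name rule2:
Action: ssl-decrypt
Status: Enabled
Match criteria:
source-zone: trust
destination-zone: Untrust
Protection mode: Client
Rule with ID 3 and name rule3:
Action: ssl-decrypt
Status: Enabled
Match criteria:
"""

_DEFAULT_RE = re.compile(r"^Default action:\s*(\S+)(?:\s*\(Protect mode:\s*(\w+)\))?")
_RULE_RE = re.compile(r"^Rule with ID (\d+) and name (\S+):")
# Assumption: the two spellings seen in the sample output name the same fields.
_ATTR_KEYS = {"action": "action", "status": "status",
              "protect mode": "protect_mode", "protection mode": "protect_mode"}
_CRITERIA_KEYS = {
    "source security zones": "source_zones", "source-zone": "source_zones",
    "destination security zones": "destination_zones",
    "destination-zone": "destination_zones",
    "source ip address object groups": "source_ip_groups",
    "destination ip address object groups": "destination_ip_groups",
    "service object groups": "service_groups",
    "users": "users", "user groups": "user_groups",
}

def parse_policy(text):
    """Parse display app-proxy-policy output into the default action plus rule dicts."""
    policy = {"default_action": None, "default_protect_mode": None, "rules": []}
    rule = None
    for line in map(str.strip, text.splitlines()):
        m = _DEFAULT_RE.match(line)
        if m:
            policy["default_action"] = m.group(1)
            policy["default_protect_mode"] = (m.group(2) or "").lower() or None
            continue
        m = _RULE_RE.match(line)
        if m:
            rule = {"id": int(m.group(1)), "name": m.group(2), "action": None,
                    "status": None, "protect_mode": None, "criteria": {}}
            policy["rules"].append(rule)
            continue
        if rule is None or ":" not in line:
            continue  # blank lines and anything before the first rule
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in _ATTR_KEYS:
            rule[_ATTR_KEYS[key]] = value.lower()
        elif key in _CRITERIA_KEYS:  # other keys (e.g. "Match criteria:") are ignored
            items = [v for v in re.split(r"[,\s]+", value) if v]
            rule["criteria"].setdefault(_CRITERIA_KEYS[key], []).extend(items)
    return policy

def decrypt_audit(policy):
    """(name, protect mode, number of match values) for every enabled rule whose
    action is ssl-decrypt; a rule showing no mode uses the rule default, client."""
    return [(r["name"], r["protect_mode"] or "client",
             sum(len(v) for v in r["criteria"].values()))
            for r in policy["rules"]
            if r["action"] == "ssl-decrypt" and r["status"] == "enabled"]

def unscoped_decrypt_rules(policy):
    """Enabled ssl-decrypt rules with no match criteria: they decrypt every flow."""
    return [name for name, _, count in decrypt_audit(policy) if count == 0]
```

Feed it the output of display app-proxy-policy captured from the device; an enabled ssl-decrypt rule reported by unscoped_decrypt_rules matches all traffic the policy sees and should be scoped with source-zone, source-ip object-group or similar criteria.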
reset app-proxy server-certificate
Use reset app-proxy server-certificate to clear information about the SSL server certificates received by the device as the SSL proxy client.
Syntax
reset app-proxy server-certificate
Views
User view
Predefined user roles
network-admin
context-admin
Examples
# Clear information about the SSL server certificates received by the device as the SSL proxy client.
<Sysname> reset app-proxy server-certificate
Related commands
display app-proxy server-certificate
reset app-proxy ssl whitelist ip
Use reset app-proxy ssl whitelist ip to clear the SSL IP address whitelist.
Syntax
reset app-proxy ssl whitelist ip
Views
User view
Predefined user roles
network-admin
context-admin
Examples
# Clear the SSL IP address whitelist.
<Sysname> reset app-proxy ssl whitelist ip
Related commands
display app-proxy ssl whitelist { ipv4 | ipv6 }
rule
Use rule to create a proxy policy rule and enter its view, or enter the view of an existing proxy policy rule.
Use undo rule to remove a proxy policy rule.
Syntax
rule { rule-id | [ rule-id ] name rule-name }
undo rule { rule-id | name rule-name }
Views
Proxy policy view
Predefined user roles
network-admin
context-admin
Parameters
rule-id: Specifies a rule ID, an integer in the range of 1 to 65535. If you do not specify a rule ID when creating a rule, the system automatically assigns a rule ID larger than the largest rule ID already in use. If rule ID 65535 is already in use, the system assigns the smallest unused ID to the rule.
name rule-name: Specifies a rule name, a case-insensitive string of 1 to 63 characters. The rule name is required when you create a rule and it cannot be set to default.
Examples
# Create rule 1 named rule1.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] rule 1 name rule1
[Sysname-app-proxy-policy-1-rule1]
Related commands
display app-proxy-policy
rule move
Use rule move to move a proxy policy rule to a new position.
Syntax
rule move rule-id before insert-rule-id
Views
Proxy policy view
Predefined user roles
network-admin
context-admin
Parameters
rule-id: Specifies the target rule to be moved by its ID in the range of 1 to 65535. The specified rule must already exist.
insert-rule-id: Specifies the reference rule ID in the range of 1 to 65535. The target rule is moved to the position before the reference rule. To move the rule to the end of all rules, set the reference rule ID to 65535. The specified reference rule must already exist.
Examples
# Move rule 5 to the position before rule 2.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] rule move 5 before 2
Related commands
rule
service
Use service object-group to configure a service filtering criterion in a proxy policy rule.
Use undo service object-group to remove service filtering criteria from a proxy policy rule.
Syntax
service object-group object-group-name
undo service object-group [ object-group-name ]
Default
A proxy policy rule does not contain any service filtering criterion.
Views
Proxy policy rule view
Predefined user roles
network-admin
context-admin
Parameters
object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 63 characters. The object group must already exist and its name cannot be any.
Usage guidelines
You can repeat this command to set multiple service filtering criteria in a proxy policy rule. A packet passes the service filtering if it matches any of the service filtering criteria.
For successful service filtering criterion configuration, make sure the specified service object group does not contain Layer 5 or higher layer protocols.
If you execute the undo service object-group command without specifying an object group, all service filtering criteria in the proxy policy rule will be deleted.
Examples
# In proxy policy rule rule1, specify service object group ftp as a service filtering criterion.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] rule 1 name rule1
[Sysname-app-proxy-policy-0-rule1] service object-group ftp
Related commands
display app-proxy-policy
object-group (Security Command Reference)
source-ip object-group
Use source-ip object-group to configure an object group as a source address filtering criterion in a proxy policy rule.
Use undo source-ip object-group to remove source address filtering criteria from a proxy policy rule.
Syntax
source-ip object-group object-group-name
undo source-ip object-group [ object-group-name ]
Default
A proxy policy rule does not contain any source address filtering criterion.
Views
Proxy policy rule view
Predefined user roles
network-admin
context-admin
Parameters
object-group-name: Specifies an IP address object group by its name, a case-insensitive string of 1 to 63 characters. The object group must already exist and its name cannot be any.
Usage guidelines
You can repeat this command to set multiple source address filtering criteria in a proxy policy rule. A packet passes the source address filtering if it matches any of the configured source address filtering criteria.
If you execute the undo source-ip object-group command without specifying an object group, all source address filtering criteria in the proxy policy rule will be deleted.
For more information about object groups, see object group configuration in Security Configuration Guide.
Examples
# In proxy policy rule rule1, specify IP address object groups server1 and server2 as source address filtering criteria.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] rule 1 name rule1
[Sysname-app-proxy-policy-0-rule1] source-ip object-group server1
[Sysname-app-proxy-policy-0-rule1] source-ip object-group server2
Related commands
display app-proxy-policy
object-group (Security Command Reference)
source-zone
Use source-zone to configure a source security zone filtering criterion in a proxy policy rule.
Use undo source-zone to remove source security zone filtering criteria from a proxy policy rule.
Syntax
source-zone source-zone-name
undo source-zone [ source-zone-name ]
Default
A proxy policy rule does not contain any source security zone filtering criterion.
Views
Proxy policy rule view
Predefined user roles
network-admin
context-admin
Parameters
source-zone-name: Specifies a source security zone by its name, a case-insensitive string of 1 to 31 characters. The source security zone name cannot be any.
Usage guidelines
You can repeat this command to set multiple source security zone filtering criteria in a proxy policy rule. A packet passes the source security zone filtering if it matches any of the configured source security zone filtering criteria.
You can specify a nonexistent security zone for a source security zone filtering criterion. However, the source security zone filtering criterion does not take effect until the security zone is configured.
If you execute the undo source-zone command without specifying a security zone, all source security zone filtering criteria in the proxy policy rule will be deleted.
For more information about security zones, see security zone configuration in Security Configuration Guide.
Examples
# In proxy policy rule rule1, specify security zones trust and server as source security zone filtering criteria.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] rule 1 name rule1
[Sysname-app-proxy-policy-0-rule1] source-zone trust
[Sysname-app-proxy-policy-0-rule1] source-zone server
Related commands
display app-proxy-policy
security-zone (Security Command Reference)
ssl-decrypt protect-mode
Use ssl-decrypt protect-mode to specify an SSL decryption protection mode for a proxy policy rule.
Use undo ssl-decrypt protect-mode to restore the default.
Syntax
ssl-decrypt protect-mode { client | server }
undo ssl-decrypt protect-mode
Default
The SSL decryption protection mode of a proxy policy rule is client.
Views
Proxy policy rule view
Predefined user roles
network-admin
context-admin
Parameters
client: Specifies client protection.
server: Specifies server protection.
Usage guidelines
The SSL decryption supports the following protection services:
· Internal client protection—The device is deployed at the exit of the network where the internal clients are. When the internal clients access an external server, the device acts as a proxy server to decrypt the packets and perform deep packet inspection on the decrypted packets. It protects the internal clients from being attacked by external malicious websites. In this scenario, the device requires imported SSL decryption certificates to establish SSL connections with the clients.
· Internal server protection—The device is deployed at the entrance of the network where the internal servers are. When the external clients access an internal server, the device acts as a proxy server to decrypt the packets and perform deep packet inspection on the decrypted packets. It protects the internal servers from being attacked by external malicious traffic. In this scenario, the device requires imported internal server certificates to establish SSL connections with the clients.
For more information about DPI, see "DPI overview."
By default, the SSL proxy protects the internal clients. You can select a protection service of the SSL decryption as required and import the corresponding certificates to the device for SSL connection establishment with the clients.
This command takes effect only when the SSL decryption action is used as the default action for the proxy policy.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify server as the SSL decryption protection mode for proxy policy rule rule1.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] rule 1 name rule1
[Sysname-app-proxy-policy-0-rule1] ssl-decrypt protect-mode server
Related commands
display app-proxy-policy
user
Use user to configure a user filtering criterion in a proxy policy rule.
Use undo user to remove user filtering criteria from a proxy policy rule.
Syntax
user username [ domain domain-name ]
undo user [ username [ domain domain-name ] ]
Default
A proxy policy rule does not contain any user filtering criterion.
Views
Proxy policy rule view
Predefined user roles
network-admin
context-admin
Parameters
username: Specifies a username, a case-sensitive string of 1 to 55 characters. The username cannot be a, al, or all, and cannot contain the special characters listed in Table 1.
Character name | Symbol |
---|---|
Backslash | \ |
Vertical bar | \| |
Forward slash | / |
Colon | : |
Asterisk | * |
Question mark | ? |
Left angle bracket | < |
Right angle bracket | > |
At sign | @ |
domain domain-name: Specifies the name of the identity domain to which the user belongs. The identity domain name is a case-insensitive string of 1 to 255 characters which cannot contain special characters listed in Table 1.
Usage guidelines
You can repeat this command to set multiple user filtering criteria in a proxy policy rule. A packet passes the user filtering if it matches any of the user filtering criteria.
If the specified user does not exist for any of the following reasons, the configuration succeeds but does not take effect:
· The user does not exist.
· The domain does not exist.
· The user does not exist in the domain.
For successful user filtering criterion configuration, the user must exist and belong to the domain, if specified.
Follow these guidelines when you execute the undo user command:
· To remove all user filtering criteria in a proxy policy rule, do not specify any parameters.
· To remove a user in a domain as a user filtering criterion, specify the username parameter with the domain domain-name option.
· To remove a user that does not belong to any identity domains, specify the username parameter without the domain domain-name option.
Examples
# In proxy policy rule rule1, specify users usera and userb in domain test as user filtering criteria.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] rule 1 name rule1
[Sysname-app-proxy-policy-0-rule1] user usera domain test
[Sysname-app-proxy-policy-0-rule1] user userb domain test
Related commands
display app-proxy-policy
user-identity enable (Security Command Reference)
user-identity static-user (Security Command Reference)
user-group
Use user-group to configure a user group filtering criterion in a proxy policy rule.
Use undo user-group to remove user group filtering criteria from a proxy policy rule.
Syntax
user-group user-group-name [ domain domain-name ]
undo user-group [ user-group-name [ domain domain-name ] ]
Default
A proxy policy rule does not contain any user group filtering criterion.
Views
Proxy policy rule view
Predefined user roles
network-admin
context-admin
Parameters
user-group-name: Specifies a user group by its name, a case-insensitive string of 1 to 200 characters.
domain domain-name: Specifies the name of the identity domain to which the user group belongs. The identity domain name is a case-insensitive string of 1 to 255 characters which cannot contain special characters listed in Table 2.
Character name | Symbol |
---|---|
Backslash | \ |
Vertical bar | \| |
Forward slash | / |
Colon | : |
Asterisk | * |
Question mark | ? |
Left angle bracket | < |
Right angle bracket | > |
At sign | @ |
Usage guidelines
You can repeat this command to set multiple user group filtering criteria in a proxy policy rule. A packet passes the user group filtering if it matches any of the user group filtering criteria.
The command succeeds but does not take effect if the specified user group does not exist for any of the following reasons:
· The user group does not exist.
· The domain does not exist.
· The user group does not exist in the domain.
Follow these guidelines when you execute the undo user-group command:
· To remove all user group filtering criteria in a proxy policy rule, do not specify any parameters.
· To remove a user group in a domain as a user group filtering criterion, specify the user-group-name parameter with the domain domain-name option.
· To remove a user group that does not belong to any identity domains, specify the user-group-name parameter without the domain domain-name option.
For more information about user groups, see user identification configuration in Security Configuration Guide.
Examples
# In proxy policy rule rule1, specify user groups groupa and groupb in domain test as user group filtering criteria.
<Sysname> system-view
[Sysname] app-proxy-policy
[Sysname-app-proxy-policy] rule 1 name rule1
[Sysname-app-proxy-policy-0-rule1] user-group groupa domain test
[Sysname-app-proxy-policy-0-rule1] user-group groupb domain test
Related commands
display app-proxy-policy
user-group (Security Command Reference)