04-DPI Command Reference
13-DLP commands
DLP commands
The following compatibility matrix shows the support of hardware platforms for DLP:
Hardware platform | Module type | DLP compatibility |
---|---|---|
M9006, M9010, M9014 | Blade IV firewall module | Yes |
M9006, M9010, M9014 | Blade V firewall module | Yes |
M9006, M9010, M9014 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S, M9012-S | Blade IV firewall module | Yes |
M9008-S, M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S, M9012-S | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4, M9000-AI-E8, M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06, M9000-X06-B, M9000-X06-B-G, M9000-X06-G, M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06, M9000-AI-X10 | Blade VI firewall module | Yes |
disable protocol
Use disable protocol to disable DLP flow monitoring for specific protocols.
Use undo disable protocol to enable DLP flow monitoring for specific protocols.
Syntax
disable protocol { all | type protocol-name }
undo disable protocol { all | type protocol-name }
Default
DLP flow monitoring is enabled for all DLP-supported protocols.
Views
DLP protocol configuration view
Predefined user roles
network-admin
context-admin
Parameters
all: Specifies all protocols supported by DLP.
type protocol-name: Specifies a protocol by its name.
Usage guidelines
If you disable DLP flow monitoring for a protocol, the device will not perform file extraction and sensitive information detection for packets of that protocol. Currently, the supported protocols include FTP, SMTP, IMAP, POP3, SMB, NFS, HTTP, and HTTPS.
You can execute this command multiple times to specify multiple protocols.
Examples
# Disable DLP flow monitoring for FTP.
[Sysname] dlp flow-monitor protocol
[Sysname-dlp-flow-monitor-protocol] disable protocol type ftp
Related commands
dlp bypass
display dlp flow-monitor local-address config
Use display dlp flow-monitor local-address config to display IP address object group configuration for DLP flow monitoring.
Syntax
display dlp flow-monitor local-address { ip | ipv6 } config
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
ip: Displays IPv4 address object group configuration for DLP flow monitoring.
ipv6: Displays IPv6 address object group configuration for DLP flow monitoring.
Examples
# Display IPv4 address object group configuration for DLP flow monitoring.
<Sysname> display dlp flow-monitor local-address ip config
Num Object-group-name
1 obj1
2 obj2
Total entries: 2
# Display IPv6 address object group configuration for DLP flow monitoring.
<Sysname> display dlp flow-monitor local-address ipv6 config
Num Object-group-name
1 objipv61
2 objipv62
Total entries: 2
Table 1 Command output
Field | Description |
---|---|
Num | Number of an IPv4 or IPv6 address object group. |
Object-group-name | Name of the IPv4 or IPv6 address object group. |
Total entries | Number of IPv4 or IPv6 address object groups. |
Related commands
dlp bypass
object-group
display dlp flow-monitor protocol config
Use display dlp flow-monitor protocol config to display DLP flow monitoring status for all protocols supported by DLP.
Syntax
display dlp flow-monitor protocol config
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display DLP flow monitoring status for all protocols supported by DLP.
<Sysname> display dlp flow-monitor protocol config
DLP_FILTER_PROTOCOL:
ftp : Enabled
smtp : Enabled
imap : Enabled
pop3 : Enabled
smb : Enabled
nfs : Enabled
http : Enabled
https : Enabled
Table 2 Command output
Field | Description |
---|---|
DLP_FILTER_PROTOCOL | DLP flow monitoring state for each protocol: Enabled or Disabled. |
Related commands
disable protocol
dlp bypass
dlp bypass
Use dlp bypass to disable DLP.
Use undo dlp bypass to enable DLP.
Syntax
dlp bypass
undo dlp bypass
Default
DLP is enabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Sensitive information detection is a complex operation that consumes a certain amount of system resources. To preserve system performance when CPU usage is too high, use this command to disable DLP. When DLP is disabled, the system does not perform sensitive information detection on received packets.
Examples
# Disable DLP.
<Sysname> system-view
[Sysname] dlp bypass
dlp flow-monitor file-transfer
Use dlp flow-monitor file-transfer to specify a file transfer direction for DLP flow monitoring.
Use undo dlp flow-monitor file-transfer to cancel DLP flow monitoring on the specified file transfer direction.
Syntax
dlp flow-monitor file-transfer { all | incoming | outgoing }
undo dlp flow-monitor file-transfer { all | incoming | outgoing }
Default
DLP does not monitor files of any direction.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
all: Specifies both the internal-to-external and external-to-internal directions.
incoming: Specifies the external-to-internal direction.
outgoing: Specifies the internal-to-external direction.
Usage guidelines
Internal addresses are the addresses in the IP address object groups specified by using the object-group command in DLP internal IPv4 or IPv6 address view. Addresses not in these IP address object groups are external addresses.
The dlp flow-monitor file-transfer command enables DLP to perform sensitive information detection only on the files transferred in the specified direction.
If you execute this command multiple times, you can configure DLP flow monitoring for multiple file transfer directions.
Examples
# Enable DLP to monitor files transferred in the external-to-internal and internal-to-external directions.
<Sysname> system-view
[Sysname] dlp flow-monitor file-transfer all
Related commands
dlp bypass
dlp flow-monitor local-address
Use dlp flow-monitor local-address to enter a DLP internal address view.
Use undo dlp flow-monitor local-address to delete all internal IP addresses for DLP flow monitoring from a DLP internal address view.
Syntax
dlp flow-monitor local-address { ip | ipv6 }
undo dlp flow-monitor local-address { ip | ipv6 }
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
ip: Enters DLP internal IPv4 address view.
ipv6: Enters DLP internal IPv6 address view.
Usage guidelines
In a DLP internal address view, you can execute the object-group command to specify IP address object groups for DLP flow monitoring. With the configuration, DLP monitors packets sent from or destined for the addresses in the specified address object groups.
Use the undo dlp flow-monitor local-address command with caution. This command deletes all internal IPv4 or IPv6 addresses for DLP flow monitoring.
Examples
# Enter DLP internal IPv4 address view.
<Sysname> system-view
[Sysname] dlp flow-monitor local-address ip
[Sysname-dlp-flow-monitor-local-addr-ip]
Related commands
disable protocol
dlp bypass
dlp flow-monitor protocol
Use dlp flow-monitor protocol to enter DLP protocol configuration view.
Use undo dlp flow-monitor protocol to enable DLP flow monitoring for all DLP-supported protocols.
Syntax
dlp flow-monitor protocol
undo dlp flow-monitor protocol
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
In DLP protocol configuration view, you can execute the disable protocol command to disable DLP flow monitoring for specific protocols.
If you execute the undo dlp flow-monitor protocol command, all settings of the disable protocol command in DLP protocol configuration view will be deleted.
Examples
# Enter DLP protocol configuration view.
<Sysname> system-view
[Sysname] dlp flow-monitor protocol
[Sysname-dlp-flow-monitor-protocol]
Related commands
disable protocol
dlp bypass
object-group
Use object-group to specify an IP address object group for DLP flow monitoring.
Use undo object-group to delete an IP address object group specified for DLP flow monitoring.
Syntax
object-group object-group-name
undo object-group object-group-name
Default
No IP address object groups are specified for DLP flow monitoring.
Views
DLP internal IPv4 address view
DLP internal IPv6 address view
Predefined user roles
network-admin
context-admin
Parameters
object-group-name: Specifies an IP address object group by its name.
Usage guidelines
You can specify a maximum of 32 IPv4 and IPv6 address object groups for DLP flow monitoring. The objects in the object groups can be host names, subnets, or address ranges.
Examples
# Specify IPv4 address object group objv4 for DLP flow monitoring.
<Sysname> system-view
[Sysname] dlp flow-monitor local-address ip
[Sysname-dlp-flow-monitor-local-address-ip] object-group objv4
Related commands
dlp bypass