Application audit and management commands
This feature parses personal information from user packets and must be used for legitimate purposes.
The following compatibility matrixes show the support of hardware platforms for application audit and management:
Hardware platform | Module type | Application audit and management compatibility |
---|---|---|
M9006, M9010, M9014 | Blade IV firewall module | Yes |
M9006, M9010, M9014 | Blade V firewall module | Yes |
M9006, M9010, M9014 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S, M9012-S | Blade IV firewall module | Yes |
M9008-S, M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S, M9012-S | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4, M9000-AI-E8, M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06, M9000-X06-B, M9000-X06-B-G, M9000-X06-G, M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06, M9000-AI-X10 | Blade VI firewall module | Yes |
vSystem supports all application audit and management features. For more information about vSystem, see Virtual Technologies Configuration Guide.
application
Use application to configure an application or application group as a match criterion for an application audit and management policy.
Use undo application to delete an application or application group match criterion from an application audit and management policy.
Syntax
application { app application-name | app-group application-group-name }
undo application { app application-name | app-group application-group-name }
Default
No application or application group is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
app application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters.
app-group application-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can configure this command only in an audit-free policy or deny policy.
You can configure this command multiple times to specify multiple applications or application groups.
Examples
# Specify applications app1 and app2 and application groups group1 and group2 for policy mypolicy2 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy2 deny
[Sysname-uapp-control-policy-mypolicy2] application app app1
[Sysname-uapp-control-policy-mypolicy2] application app app2
[Sysname-uapp-control-policy-mypolicy2] application app-group group1
[Sysname-uapp-control-policy-mypolicy2] application app-group group2
Related commands
app-group (Security Command Reference)
nbar application (Security Command Reference)
port-mapping (Security Command Reference)
description
Use description to set a description for a keyword group.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description exists for a keyword group.
Views
Keyword group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 255 characters.
Examples
# Set the description to account limit for keyword group mykeywordgroup.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] keyword-group name mykeywordgroup
[Sysname-uapp-control-keyword-group-mykeywordgroup] description account limit
destination-address
Use destination-address to configure a destination IP address object group as a match criterion for an application audit and management policy.
Use undo destination-address to remove a destination IP address object group as a match criterion from an application audit and management policy.
Syntax
destination-address { ipv4 | ipv6 } object-group-name
undo destination-address { ipv4 | ipv6 } object-group-name
Default
No destination IP address object group is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv4: Specifies an IPv4 address object group.
ipv6: Specifies an IPv6 address object group.
object-group-name: Specifies an existing address object group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can configure this command multiple times to specify multiple IPv4 or IPv6 address object groups.
Examples
# Specify IPv4 address object groups obgroup3 and obgroup4 for policy mypolicy1 to match destination IPv4 addresses of packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] destination-address ipv4 obgroup3
[Sysname-uapp-control-policy-mypolicy1] destination-address ipv4 obgroup4
Related commands
object-group (Security Command Reference)
destination-zone
Use destination-zone to configure a destination security zone as a match criterion for an application audit and management policy.
Use undo destination-zone to delete a destination security zone match criterion from an application audit and management policy.
Syntax
destination-zone destination-zone-name
undo destination-zone destination-zone-name
Default
No destination security zone is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
destination-zone-name: Specifies a destination security zone by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can configure this command multiple times to specify multiple destination security zones.
Examples
# Specify destination security zones zone3 and zone4 for policy mypolicy1 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] destination-zone zone3
[Sysname-uapp-control-policy-mypolicy1] destination-zone zone4
Related commands
security-zone name (Security Command Reference)
disable
Use disable to disable an application audit and management policy.
Use undo disable to enable an application audit and management policy.
Syntax
disable
undo disable
Default
An application audit and management policy is enabled.
Views
Application audit and management policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
If an application audit and management policy is not used, use this command to disable it. A disabled policy does not participate in traffic matching. You can copy, rename, and move a disabled policy.
Examples
# Disable application audit and management policy mypolicy1.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1
[Sysname-uapp-control-policy-mypolicy1] disable
keyword
Use keyword to add a keyword to a keyword group.
Use undo keyword to delete a keyword from a keyword group.
Syntax
keyword keyword-value
undo keyword keyword-value
Default
No keywords exist in a keyword group.
Views
Keyword group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
keyword-value: Specifies a keyword, a case-sensitive string of 1 to 63 characters.
Examples
# Add keyword keywordname to keyword group mykeywordgroup.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] keyword-group name mykeywordgroup
[Sysname-uapp-control-keyword-group-mykeywordgroup] keyword keywordname
keyword-group name
Use keyword-group name to create a keyword group and enter its view, or enter the view of an existing keyword group.
Use undo keyword-group name to delete a keyword group.
Syntax
keyword-group name keyword-group-name
undo keyword-group name keyword-group-name
Default
No keyword groups exist.
Views
Application audit and management view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
keyword-group-name: Specifies a keyword group by its name, a case-insensitive string of 1 to 63 characters.
Examples
# Create a keyword group named mykeywordgroup and enter its view.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] keyword-group name mykeywordgroup
[Sysname-uapp-control-keyword-group-mykeywordgroup]
policy copy
Use policy copy to copy an application audit and management policy.
Syntax
policy copy policy-name new-policy-name
Default
No application audit and management policies exist.
Views
Application audit and management view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name: Specifies an application audit and management policy to be copied by its name, a case-insensitive string of 1 to 63 characters.
new-policy-name: Specifies a name for the new application audit and management policy, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If an application audit and management policy to be created is similar to an existing policy, create the policy by copying the existing policy and then modify it.
Examples
# Create an application audit and management policy named policy2 by copying policy policy1.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy copy policy1 policy2
policy default-action
Use policy default-action to configure the default action for application audit and management policies.
Syntax
policy default-action { deny | permit }
Default
The default action for application audit and management policies is permit.
Views
Application audit and management view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
deny: Drops packets.
permit: Allows packets to pass.
Usage guidelines
If a packet does not match any application audit and management policy, the device applies the default action to the packet.
Examples
# Configure the default action as deny for application audit and management policies.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy default-action deny
policy move
Use policy move to move an application audit and management policy to a new position.
Syntax
policy move policy-name1 { after | before } policy-name2
Views
Application audit and management view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name1: Specifies an application audit and management policy to be moved by its name, a case-insensitive string of 1 to 63 characters. The traffic rule can be a parent or child traffic rule.
after: Moves the specified policy to the position after a target policy.
before: Moves the specified policy to the position before a target policy.
policy-name2: Specifies the target policy by its name, a case-insensitive string of 1 to 63 characters.
Examples
# Create two application audit and management policies named policy1 and policy2, and move policy1 to the position after policy2.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name policy1 audit
[Sysname-uapp-control-policy-policy1] quit
[Sysname-uapp-control] policy name policy2 audit
[Sysname-uapp-control-policy-policy2] quit
[Sysname-uapp-control] policy move policy1 after policy2
policy name
Use policy name to create an application audit and management policy and enter its view, or enter the view of an existing policy.
Use undo policy name to delete an application audit and management policy.
Syntax
policy name policy-name [ audit | deny | noaudit ]
undo policy name policy-name
Default
No application audit and management policies exist.
Views
Application audit and management view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name: Specifies a name for the application audit and management policy, a case-insensitive string of 1 to 63 characters. The name must be globally unique.
audit: Creates an audit policy.
deny: Creates a deny policy.
noaudit: Creates an audit-free policy.
Usage guidelines
You must specify the policy type when creating a policy. Application audit and management policies have the following types:
· Audit policy—Audits packets that meet match criteria in the policy.
· Audit-free policy—Does not audit packets that meet match criteria in the policy.
· Deny policy—Drops packets that meet match criteria in the policy.
The application command can be configured only in an audit-free policy or deny policy.
The following commands can be configured only in an audit policy:
· rule.
· rule default-action.
· rule match-method.
Examples
# Create an application audit and management policy named mypolicy1 and enter its view.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1]
policy rename
Use policy rename to rename an application audit and management policy.
Syntax
policy rename old-policy-name new-policy-name
Views
Application audit and management view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
old-policy-name: Specifies the old name of the policy, a case-insensitive string of 1 to 63 characters.
new-policy-name: Specifies a new name for the policy, a case-insensitive string of 1 to 63 characters.
Examples
# Create an application audit and management policy named policy1, and rename the policy as policy2.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name policy1 audit
[Sysname-uapp-control-policy-policy1] quit
[Sysname-uapp-control] policy rename policy1 policy2
rule
Use rule to configure an audit rule.
Use undo rule to delete an audit rule.
Syntax
rule rule-id { app app-name | app-category app-category-name | any } behavior { behavior-name | any } bhcontent { bhcontent-name | any } { keyword { equal | exclude | include | unequal } { keyword-group-name | any } | integer { equal | greater | greater-equal | less | less-equal | unequal } { number } } action { deny | permit } [ audit-logging ]
rule rule-id { email-bomb-defense [ interval interval max-number email-number ] | email-send-restriction } * action { deny | permit } [ audit-logging ]
undo rule rule-id
Default
No audit rules exist.
Views
Application audit and management policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
rule-id: Specifies a rule ID in the range of 1 to 64.
app app-name: Audits an application specified by its name.
app-category app-category-name: Audits an application category specified by its name.
any: Audits all applications and application categories.
behavior behavior-name: Audits a behavior specified by its name.
behavior any: Audits all behaviors.
bhcontent bhcontent-name: Audits a behavior content specified by its name.
bhcontent any: Audits all behavior contents.
keyword: Matches behavior contents by a string-type keyword.
· equal: Matches behavior contents that are the same as the keyword.
· exclude: Matches behavior contents that do not include the keyword.
· include: Matches behavior contents that include the keyword.
· unequal: Matches behavior contents that are different from the keyword.
keyword-group-name: Specifies a keyword group by its name.
any: Audits all behavior contents of an application or application category.
integer: Matches behavior contents by a number.
· equal: Matches behavior contents that are equal to the number.
· greater: Matches behavior contents that are greater than the number.
· greater-equal: Matches behavior contents that are greater than or equal to the number.
· less: Matches behavior contents that are smaller than the number.
· less-equal: Matches behavior contents that are smaller than or equal to the number.
· unequal: Matches behavior contents that are not equal to the number.
number: Specifies a number in the range of 0 to 4294967295.
action: Specifies the action to take on packets that match the audit rule.
· deny: Denies matching packets.
· permit: Allows matching packets to pass.
audit-logging: Generates audit logs for packets that match the audit rule. If you do not specify this keyword, audit logs are not generated for packets that match the audit rule.
email-bomb-defense: Configures email bomb prevention.
interval interval: Specifies the detection time in the range of 1 to 5 minutes. The default is 1 minute.
max-number email-number: Specifies the maximum number of emails that can be received from the same user during the detection time.
email-send-restriction: Enables preventing users from sending emails to users of a different domain.
Usage guidelines
After a packet matches all match criteria in an application audit and management policy, the device performs a finer audit on the packet.
· If a packet matches all items in an audit rule, the action in the audit rule is taken on the packet.
· If a packet matches only the specified application or application category in an audit rule, the packet is allowed to pass through.
· If a packet does not match the specified application or application category in an audit rule, the default action for audit rules is taken on the packet.
This command can be configured only in an audit policy.
For WeChat and QQ, specific messages cannot be audited.
An audit rule provides the following functions:
· General auditing—Performs granular control on user behaviors.
· Email protection—Detects incoming emails, counts emails based on recipients, and protects recipients from attacks. Specifically, you can configure the following functions:
  ○ Limit email sending—Prevents users from sending emails to users of a different domain. For example, the user at [email protected] cannot receive emails from the user at user2@example2.com.
  ○ Prevent email bombing—Protects recipients from being overwhelmed by large numbers of emails from the same sender during a short period of time.
Examples
# Create an application audit and management policy named mypolicy1.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
# Create an audit rule that denies login packets of the IM application category whose account content includes a keyword in keyword group mykeywd2, generating audit logs.
[Sysname-uapp-control-policy-mypolicy1] rule 1 app-category IM behavior Login bhcontent Account keyword include mykeywd2 action deny audit-logging
# Create an audit rule that enables email bombing prevention, with the permit action and logging action specified.
[Sysname-uapp-control-policy-mypolicy1] rule 2 email-bomb-defense interval 1 max-number 5 action permit audit-logging
# Create an audit rule that enables email sending limitation, with the permit action and logging action specified.
[Sysname-uapp-control-policy-mypolicy1] rule 3 email-send-restriction action permit audit-logging
Related commands
keyword
keyword-group name
rule default-action
Use rule default-action to configure the default action for audit rules in an application audit and management policy.
Syntax
rule default-action { deny | permit }
Default
The default action for audit rules is permit.
Views
Application audit and management policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
deny: Drops packets.
permit: Allows packets to pass.
Usage guidelines
If a packet does not match the application or application category in any audit rule, the device applies the default action to the packet.
Examples
# Configure the default action as deny for audit rules in policy mypolicy1.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] rule default-action deny
rule match-method
Use rule match-method to configure the match mode for audit rules in an application audit and management policy.
Syntax
rule match-method { all | in-order }
Default
The match mode for audit rules is in-order.
Views
Application audit and management policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
all: Specifies the all match mode.
in-order: Specifies the in-order match mode.
Usage guidelines
In the in-order match mode, the device compares packets with audit rules in ascending order of rule ID. When a packet matches a rule, the device stops the match process and performs the action defined in the rule.
In the all match mode, the device compares packets with audit rules in ascending order of rule ID and takes the action with higher priority on matching packets. The deny action has higher priority than the permit action.
· If a packet matches a rule with the permit action, all subsequent rules continue to be matched.
· If a packet matches a rule with the deny action, the device stops the match process and performs the deny action.
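As an added illustration (not H3C code) of how a packet that has already matched a policy is evaluated against audit rules under the rule, rule default-action and rule match-method usage guidelines above, the following Python model applies a constructed audit policy to constructed packets in both match modes. The packet fields, the Rule representation and the keyword-group semantics (a group hits when any keyword in it does) are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

INT_OPS = {  # integer { equal | greater | greater-equal | less | less-equal | unequal }
    "equal": lambda v, n: v == n, "unequal": lambda v, n: v != n,
    "greater": lambda v, n: v > n, "greater-equal": lambda v, n: v >= n,
    "less": lambda v, n: v < n, "less-equal": lambda v, n: v <= n,
}

@dataclass
class Rule:
    rule_id: int
    app: str = "any"                  # app name, app-category name, or "any"
    app_category: bool = False        # True when app names a category
    behavior: str = "any"
    bhcontent: str = "any"
    keyword_op: Optional[str] = None  # equal | exclude | include | unequal
    keyword_group: Optional[List[str]] = None  # None stands for "any"
    integer_op: Optional[str] = None  # a key of INT_OPS
    number: int = 0
    action: str = "permit"            # permit | deny

def keyword_test(op: str, content: str, group: Optional[List[str]]) -> bool:
    """Assumed keyword-group semantics: equal/include hit if any keyword in the
    group hits; unequal/exclude hit only when no keyword does."""
    if group is None:
        return True
    hit = any((content == k) if op in ("equal", "unequal") else (k in content) for k in group)
    return hit if op in ("equal", "include") else not hit

def app_matches(rule: Rule, pkt: dict) -> bool:
    if rule.app == "any":
        return True
    return pkt["category"] == rule.app if rule.app_category else pkt["app"] == rule.app

def content_matches(rule: Rule, pkt: dict) -> bool:
    """Behavior, behavior content and keyword/integer items (application aside)."""
    for item in ("behavior", "bhcontent"):
        if getattr(rule, item) != "any" and pkt[item] != getattr(rule, item):
            return False
    if rule.keyword_op:
        return keyword_test(rule.keyword_op, str(pkt["value"]), rule.keyword_group)
    if rule.integer_op:
        return INT_OPS[rule.integer_op](int(pkt["value"]), rule.number)
    return True

def evaluate(rules: List[Rule], match_method: str, default_action: str,
             pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (action, deciding rule id or None). Full match -> rule action; only the
    application matched -> permit; no application matched -> rule default-action.
    in-order stops at the first full match; all stops only at a deny (deny outranks permit)."""
    app_hit, permit_rule = False, None
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if not app_matches(rule, pkt):
            continue
        app_hit = True
        if content_matches(rule, pkt):
            if rule.action == "deny" or match_method == "in-order":
                return rule.action, rule.rule_id
            permit_rule = permit_rule or rule.rule_id
    if permit_rule is not None:
        return "permit", permit_rule
    return ("permit" if app_hit else default_action), None

# Constructed policy: rules 1 and 3 are specific deny rules and rule 2 is a
# permit catch-all for the IM category, so the two match modes diverge.
MYPOLICY1 = [
    Rule(1, "IM", True, "Login", "Account", keyword_op="include",
         keyword_group=["admin", "root"], action="deny"),
    Rule(2, "IM", True, action="permit"),
    Rule(3, "IM", True, "FileTransfer", "Size", integer_op="greater",
         number=10_000_000, action="deny"),
]

def pkt(app, category, behavior, bhcontent, value) -> dict:
    return {"app": app, "category": category, "behavior": behavior,
            "bhcontent": bhcontent, "value": value}
LOGIN = pkt("QQ", "IM", "Login", "Account", "root01")         # constructed
UPLOAD = pkt("QQ", "IM", "FileTransfer", "Size", 20_000_000)  # constructed
WEB = pkt("HTTP", "Web", "Get", "URL", "/index.html")         # constructed

def demo() -> dict:
    return {
        "login": evaluate(MYPOLICY1, "in-order", "permit", LOGIN),              # ('deny', 1)
        "upload-in-order": evaluate(MYPOLICY1, "in-order", "permit", UPLOAD),   # ('permit', 2)
        "upload-all": evaluate(MYPOLICY1, "all", "permit", UPLOAD),             # ('deny', 3)
        "partial-only": evaluate(MYPOLICY1[:1], "in-order", "deny", UPLOAD),    # ('permit', None)
        "no-app-match": evaluate(MYPOLICY1, "all", "deny", WEB),                # ('deny', None)
    }
```

The "partial-only" case shows why the rule default-action is not a catch-all: a packet that matches a rule's application but not its content is permitted even when the default action is deny.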
Examples
# Configure the match mode as all for audit rules in policy mypolicy1.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] rule match-method all
service
Use service to configure a service object group as a match criterion for an application audit and management policy.
Use undo service to delete a service object group match criterion from an application audit and management policy.
Syntax
service service-name
undo service [ service-name ]
Default
No service object group is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
service-name: Specifies an existing service object group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can configure this command multiple times to specify multiple service object groups.
The undo service command removes all service object groups from match criteria if you do not specify a service object group or specify the system-defined service object group any.
Examples
# Specify service object groups dns-tcp and dns-udp for policy mypolicy1 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] service dns-tcp
[Sysname-uapp-control-policy-mypolicy1] service dns-udp
Related commands
object-group (Security Command Reference)
source-address
Use source-address to configure a source IP address object group as a match criterion for an application audit and management policy.
Use undo source-address to remove a source IP address object group as a match criterion from an application audit and management policy.
Syntax
source-address { ipv4 | ipv6 } object-group-name
undo source-address { ipv4 | ipv6 } object-group-name
Default
No source IP address object group is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv4: Specifies an IPv4 address object group.
ipv6: Specifies an IPv6 address object group.
object-group-name: Specifies an existing address object group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can configure this command multiple times to specify multiple IPv4 or IPv6 address object groups.
Examples
# Specify IPv4 address object groups obgroup1 and obgroup2 for policy mypolicy1 to match source IPv4 addresses of packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] source-address ipv4 obgroup1
[Sysname-uapp-control-policy-mypolicy1] source-address ipv4 obgroup2
Related commands
object-group (Security Command Reference)
source-zone
Use source-zone to configure a source security zone as a match criterion for an application audit and management policy.
Use undo source-zone to delete a source security zone match criterion from an application audit and management policy.
Syntax
source-zone source-zone-name
undo source-zone source-zone-name
Default
No source security zone is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
source-zone-name: Specifies a source security zone by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can configure this command multiple times to specify multiple source security zones.
Examples
# Specify source security zones zone1 and zone2 for policy mypolicy1 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] source-zone zone1
[Sysname-uapp-control-policy-mypolicy1] source-zone zone2
Related commands
security-zone name (Security Command Reference)
time-range
Use time-range to specify a time range during which an application audit and management policy is in effect.
Use undo time-range to restore the default.
Syntax
time-range time-range-name
undo time-range
Default
An application audit and management policy is in effect at any time.
Views
Application audit and management policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters. To avoid confusion, do not use all as a time range name.
Examples
# Specify time range work-time for policy mypolicy1.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] time-range work-time
Related commands
time-range (ACL and QoS Command Reference)
uapp-control
Use uapp-control to enter application audit and management view.
Use undo uapp-control to remove all application audit and management policy settings.
Syntax
uapp-control
undo uapp-control
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
In application audit and management view, you can create, copy, move, and rename application audit and management policies. You can also create keyword groups in this view.
Application audit and management policies have the following types:
· Audit policy.
· Audit-free policy.
· Deny policy.
Audit-free policies and deny policies provide application audit and management at a coarse level of granularity. Audit policies provide more granular application audit and management.
Examples
# Enter application audit and management view.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control]
user
Use user to configure a user as a match criterion for an application audit and management policy.
Use undo user to delete a user match criterion from an application audit and management policy.
Syntax
user user-name [ domain domain-name ]
undo user user-name [ domain domain-name ]
Default
No user is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
user-name: Specifies an identity user by its name, a case-sensitive string of 1 to 55 characters. The username cannot be a, al, or all, and cannot contain the following special characters: \ | / : * ? < > @.
domain domain-name: Matches the user in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The domain name cannot contain the following special characters: \ | / : * ? < > @. If you do not specify this option, the system matches the user among users that do not belong to any identity domain. For more information about identity domains, see user identification in Security Configuration Guide.
Usage guidelines
You can configure this command multiple times to specify multiple users.
Examples
# Specify users managers1 and managers2 for policy mypolicy1 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] user managers1
[Sysname-uapp-control-policy-mypolicy1] user managers2
# Configure user managers1 in identity domain dpi for policy mypolicy1 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] user managers1 domain dpi
Related commands
user-identity enable (Security Command Reference)
user-group
Use user-group to configure a user group as a match criterion for an application audit and management policy.
Use undo user-group to delete a user group match criterion from an application audit and management policy.
Syntax
user-group user-group-name [ domain domain-name ]
undo user-group user-group-name [ domain domain-name ]
Default
No user group is used as a match criterion.
Views
Application audit and management policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
user-group-name: Specifies an identity user group by its name, a case-insensitive string of 1 to 200 characters.
domain domain-name: Matches the user group in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The domain name cannot contain the following special characters: \ | / : * ? < > @. If you do not specify this option, the system matches the user group among user groups that do not belong to any identity domain. For more information about identity domains, see user identification in Security Configuration Guide.
Usage guidelines
You can configure this command multiple times to specify multiple user groups.
Examples
# Specify user groups group1 and group2 for policy mypolicy1 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] user-group group1
[Sysname-uapp-control-policy-mypolicy1] user-group group2
# Configure user group group1 in identity domain dpi for policy mypolicy1 to match packets.
<Sysname> system-view
[Sysname] uapp-control
[Sysname-uapp-control] policy name mypolicy1 audit
[Sysname-uapp-control-policy-mypolicy1] user-group group1 domain dpi
Related commands
user-identity enable (Security Command Reference)