04-DPI Configuration Guide

H3C SecPath M9000 Configuration Guide (V7) (R9900)-6W100, 04-DPI Configuration Guide
13-URL reputation configuration

Configuring URL reputation

About URL reputation

URL reputation controls user web access by matching the URLs that users request against a library of known malicious URLs: access to websites not in the library is permitted, and access to websites the library identifies as insecure is denied. The URL reputation signature library is a collection of malicious URLs, each tagged with the attack category (or categories) to which it belongs.

When the URL in a packet matches a URL in the URL reputation signature library, the device takes the actions predefined for the matching attack category on the packet.

URL reputation mechanism

As shown in Figure 1, upon receiving a packet, the device performs the following operations:

1.     The device extracts the URL of the packet.

2.     The device compares the URL with the URLs in the signature library. If no match is found, the device permits the packet to pass through. If a match is found, the device performs one of the following operations:

·     If the URL belongs to one attack category, the device takes the action specified for that attack category on the packet.

·     If the URL belongs to multiple attack categories, the device takes the highest-priority action among the actions for these attack categories on the packet.

The actions for attack categories include the following:

·     permit—Permits matching packets to pass.

·     drop—Drops matching packets.

·     logging—Logs matching packets in URL reputation logs.

Figure 1 URL reputation mechanism

Restrictions and guidelines: URL reputation configuration

The NSQM1FWEFGA0 service module does not support URL reputation.

Restrictions: Licensing requirements for URL reputation

A license is required for URL reputation. If the license expires, the existing URL reputation signature library is still available but you cannot upgrade the library to the version released after the expiration time. For more information about licenses, see license management in Fundamentals Configuration Guide.

URL reputation tasks at a glance

To configure URL reputation:

1.     Enabling URL reputation

2.     (Optional.) Specifying actions for a URL reputation attack category

3.     Applying a URL reputation policy to a DPI application profile

4.     Applying a DPI application profile to a security policy rule

5.     Managing the URL reputation signature library

Enabling URL reputation

About this task

After URL reputation is enabled, the device matches the URL in each packet against the URL reputation signature library. If a match is found, the device takes the actions specified for the matching attack category.

Procedure

1.     Enter system view.

system-view

2.     Create a URL reputation policy and enter its view.

url-filter policy policy-name

3.     Enable URL reputation.

url-reputation enable

By default, URL reputation is disabled.

Specifying actions for a URL reputation attack category

About this task

In the URL reputation signature library, a single URL can belong to multiple attack categories, each of which has its own actions.

If the URL of a packet matches only one attack category, the device takes the actions specified for that attack category on the packet. If the URL matches multiple attack categories, the device takes the highest-priority action among them. The drop action has a higher priority than the permit action.

If any attack category to which the URL belongs is configured with the logging action, the device logs the matching packets, whatever other action it takes.

The device can send log messages of URL reputation only through fast log output. For more information about fast log output, see fast log output configuration in Network Management and Monitoring Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Create a URL reputation policy and enter its view.

url-filter policy policy-name

3.     Specify actions for a URL reputation attack category.

attack-category attack-id action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } [ logging [ parameter-profile parameter-name ] ]

By default, no action is specified for a URL reputation attack category. If a packet matches an attack category in the URL reputation signature library, the device takes the default actions defined for that attack category in the library. In addition to permit, drop, and logging, this command also supports the block-source, redirect, and reset actions.

Applying a URL reputation policy to a DPI application profile

About this task

A URL reputation policy must be applied to a DPI application profile to take effect.

A DPI application profile is a configuration template for security services. To implement security functions, you must apply the corresponding security service policy to the DPI application profile. As URL reputation is configured in a URL reputation policy, you must apply the URL reputation policy to the DPI application profile to implement URL reputation.

Restrictions and guidelines

A DPI application profile can use only one URL reputation policy. If you apply different URL reputation policies to the same DPI application profile, only the most recent configuration takes effect.

Procedure

1.     Enter system view.

system-view

2.     Enter DPI application profile view.

app-profile app-profile-name

For more information about this command, see DPI engine commands in DPI Command Reference.

3.     Assign a URL reputation policy to the DPI application profile.

url-filter apply policy policy-name

By default, no URL reputation policy is applied to the DPI application profile.

Applying a DPI application profile to a security policy rule

1.     Enter system view.

system-view

2.     Enter security policy view.

security-policy { ip | ipv6 }

3.     Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4.     Set the rule action to pass.

action pass

By default, the rule action is drop.

5.     Use a DPI application profile in the rule.

profile app-profile-name

By default, no DPI application profile is used in a security policy rule.
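The five configuration tasks above, chained end to end in one CLI session. This is an added example and is not taken from the H3C guide. The device name, the policy, profile, and zone names, the rule number, and the attack category ID 1 are placeholders; the prompts are what Comware is assumed to show for each view; and the source-zone and destination-zone commands are assumed to be the standard security-policy rule commands, which this page does not describe. Only the commands documented on this page plus those two zone commands are used.

```text
# Placeholder device name "Device"; prompts shown are assumed for each view.
<Device> system-view
# Task 1: create the policy (url-filter policy view) and enable URL reputation in it.
[Device] url-filter policy urlrep-policy
[Device-url-filter-policy-urlrep-policy] url-reputation enable
# Task 2 (optional): override the library default for attack category 1 (ID assumed;
# read the real IDs from "display url-reputation attack-category" first).
# drop outranks permit when a URL belongs to several categories; logging is taken
# whenever any matching category carries it.
[Device-url-filter-policy-urlrep-policy] attack-category 1 action drop logging
[Device-url-filter-policy-urlrep-policy] quit
# Task 3: a DPI application profile can hold only one URL reputation policy;
# applying a second one silently replaces the first.
[Device] app-profile urlrep-profile
[Device-app-profile-urlrep-profile] url-filter apply policy urlrep-policy
[Device-app-profile-urlrep-profile] quit
# Task 4: the rule must be "action pass". The default action is drop, and a
# dropped packet is never handed to the DPI engine, so the profile would do nothing.
[Device] security-policy ip
[Device-security-policy-ip] rule 10 name web-out
[Device-security-policy-ip-10-web-out] source-zone trust
[Device-security-policy-ip-10-web-out] destination-zone untrust
[Device-security-policy-ip-10-web-out] action pass
[Device-security-policy-ip-10-web-out] profile urlrep-profile
[Device-security-policy-ip-10-web-out] quit
[Device-security-policy-ip] quit
# Verify the library is present and which categories (and default actions) it defines.
[Device] display url-reputation signature library
[Device] display url-reputation attack-category
```

Two checks worth doing after this: confirm the security policy rule actually matches the client traffic (zones and addresses), because a more specific rule earlier in the policy with action drop or without the profile bypasses URL reputation entirely, and confirm that fast log output is configured, since URL reputation logs are delivered only through that channel.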

Managing the URL reputation signature library

You can update the version of the URL reputation signature library on the device.

Restrictions and guidelines

·     Do not delete the /dpi/ folder in the root directory of the storage medium.

·     Do not perform URL reputation signature update when the device's free memory is below the normal state threshold. For more information about device memory thresholds, see device management in Fundamentals Configuration Guide.

·     For successful automatic and immediate signature update, make sure the device can resolve the domain name of the company's website into an IP address through DNS. For more information about DNS, see DNS configuration in Layer 3—IP Services Configuration Guide.

·     Update only one signature library at a time. Do not perform signature library update until the existing signature library update is completed.

Scheduling automatic URL reputation signature library update

About this task

You can schedule automatic URL reputation signature library update if the device can access the signature database services on the company's website. The device periodically obtains the latest signature file from the company's website to update its local signature library as scheduled.

Procedure

1.     Enter system view.

system-view

2.     Enable automatic URL reputation signature library update and enter automatic URL reputation signature library update configuration view.

url-reputation signature auto-update

By default, automatic URL reputation signature library update is disabled.

3.     Schedule the update time.

update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes

The tingle minutes argument defines a tolerance window around start-time. The device starts the update at a random time within that window, so that many devices do not contact the signature server at the same moment. By default, the device starts to update the URL reputation signature library at a random time between 01:00:00 and 03:00:00 every day.

Triggering an immediate URL reputation signature update

About this task

Whenever a new signature version is released on the company's website, you can trigger the device to update its local signature library immediately.

This feature immediately starts the automatic signature library update process and backs up the current URL reputation signature library file.

This feature is independent of the scheduled automatic URL reputation signature library update feature.

Procedure

1.     Enter system view.

system-view

2.     Trigger an automatic URL reputation signature library update.

url-reputation signature auto-update-now

Performing a URL reputation signature manual update

About this task

If the device cannot access the signature database services on the company's website, use one of the following methods to manually update the URL reputation signature library on the device:

·     Local update—Updates the URL reputation signature library on the device by using the locally stored update URL reputation signature file.

(In standalone mode.) Store the update file on the active MPU for successful signature library update.

(In IRF mode.) Store the update file on the global active MPU for successful signature library update.

·     FTP/TFTP update—Updates the URL reputation signature library on the device by using a file stored on an FTP or TFTP server.

To specify the source IP address of the request packets sent to the TFTP or FTP server, use the source keyword in the url-reputation signature update command. For example, if packets from the device must be translated by NAT before they reach the TFTP or FTP server, specify a source IP address that the NAT rules translate. If NAT is performed by a separate NAT device, make sure the source IP address specified in the url-reputation signature update command can reach the NAT device at Layer 3.

Restrictions and guidelines

If you specify both source and vpn-instance in the url-reputation signature update command, make sure the VPN instance to which the specified source IP or interface belongs is the same as that specified by the vpn-instance keyword.

Procedure

1.     Enter system view.

system-view

2.     Manually update the URL reputation signature library on the device.

url-reputation signature update file-path [ vpn-instance vpn-instance-name ] [ source { ip | ipv6 } { ip-address | interface interface-type interface-number } ]

Deleting the URL reputation signature library

About this task

If the device is short of memory or the current URL reputation signature library is no longer needed, you can delete the signature library of the current version to free memory. The url-reputation signature rollback factory command rolls the library back to the factory-default version, discarding the currently loaded version.

Procedure

1.     Enter system view.

system-view

2.     Delete the URL reputation signature library.

url-reputation signature rollback factory
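The signature library management tasks above (scheduled update, immediate update, manual update from local storage or from a TFTP server with and without NAT and VPN instance, and rollback), as one added CLI session. This is an added example, not content from the H3C guide. The device name and prompts, the schedule values, the storage path flash:/dpi/, the file name, the TFTP server 192.0.2.10, the source address 10.1.1.1, the VPN instance mgmt, and the interface GigabitEthernet1/0/1 are all placeholders; the tingle keyword is the one documented on this page.

```text
<Device> system-view
# Scheduled update: every Sunday, starting at a random time within the 60-minute
# tolerance window around 02:00:00 (values assumed). Requires DNS resolution of the
# company's website and a valid license for versions released after the license date.
[Device] url-reputation signature auto-update
[Device-url-reputation-auto-update] update schedule weekly sun start-time 02:00:00 tingle 60
[Device-url-reputation-auto-update] quit
# Immediate update when a new version is announced; independent of the schedule and
# backs up the current library first. Do not run it while another update is in progress.
[Device] url-reputation signature auto-update-now
# Offline device: file uploaded beforehand to the active MPU (global active MPU in IRF mode).
# Path and file name assumed; the /dpi/ folder must never be deleted.
[Device] url-reputation signature update flash:/dpi/url-reputation-1.0.2.dat
# TFTP server behind a NAT device: source the request from the address the NAT rule
# translates, and make sure that address has Layer 3 reachability to the NAT device.
[Device] url-reputation signature update tftp://192.0.2.10/url-reputation-1.0.2.dat source ip 10.1.1.1
# Same over a VPN instance: the source interface must belong to the instance named
# with vpn-instance, or the command fails.
[Device] url-reputation signature update tftp://192.0.2.10/url-reputation-1.0.2.dat vpn-instance mgmt source ip interface GigabitEthernet1/0/1
# Confirm the loaded version before and after any update.
[Device] display url-reputation signature library
# Last resort when memory is insufficient: revert to the factory-default library.
[Device] url-reputation signature rollback factory
```

Run only one of the update commands at a time and let it finish before issuing another, and check free memory against the device's normal-state threshold before starting, as the restrictions above require; the rollback leaves the factory library in place rather than an empty one.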

Display and maintenance commands for URL reputation

Execute display commands in any view.

Task: Display URL reputation attack category information for a URL reputation policy.
Command: display url-reputation attack-category

Task: Display information about the URL reputation signature library.
Command: display url-reputation signature library
