URL reputation commands
The NSQM1FWEFGA0 service module does not support URL reputation.
attack-category action
Use attack-category action to specify actions for a URL reputation attack category.
Use undo attack-category action to restore the default.
Syntax
attack-category attack-id action { block-source [ parameter-profile parameter-name ] | drop | permit | redirect parameter-profile parameter-name | reset } logging { disable | enable }
undo attack-category attack-id
Default
No action is specified for a URL reputation attack category. The device takes the default action in the signature library for the packets that match an attack category.
Views
URL filtering policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
attack-id: Specifies an attack category by its ID in the range of 1 to 65535. To obtain the attack category IDs corresponding to the attack category names, enter a question mark (?) at the position of this argument or use the display url-reputation attack-category command.
action: Specifies the action for the matching packets.
block-source: Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked. For more information about the IP blacklist feature, see Security Configuration Guide. For information about configuring the block period, see "DPI engine commands."
drop: Drops matching packets.
permit: Permits matching packets to pass.
redirect: Redirects matching packets to a webpage.
reset: Closes the TCP connections for matching packets by sending TCP reset messages.
logging: Logs matching packets.
disable: Disables logging for matching packets.
enable: Enables logging for matching packets.
Usage guidelines
This command takes effect only when URL reputation is enabled.
In the URL reputation signature library, a URL can belong to multiple attack categories. You can specify actions for each attack category depending on the actual requirements.
If a URL belongs to only one attack category, the device takes the actions specified for that attack category on packets that match the URL. If the URL belongs to multiple attack categories, the action specified for the attack category with the highest severity level applies to packets that match the URL. The block source action has higher priority than the permit action.
If you enable logging for any attack category of a URL, the system logs all packets that match the URL.
Examples
# In URL filtering policy news, drop the packets that match attack category 1 in the URL reputation signature library, and enable logging for matching packets.
<Sysname> system-view
[Sysname] url-filter policy news
[Sysname-url-filter-policy-news] attack-category 1 action drop logging enable
Related commands
display url-reputation attack-category
url-reputation enable
display url-reputation attack-category
Use display url-reputation attack-category to display URL reputation attack category information in a URL filtering policy.
Syntax
display url-reputation attack-category
Views
URL filtering policy view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Usage guidelines
Use this command when URL reputation is enabled.
If no action is specified for an attack category, the default action in the signature library applies.
Examples
# Display URL reputation attack category information in URL filtering policy abc.
<Sysname> system-view
[Sysname] url-filter policy abc
[Sysname-url-filter-policy-abc] display url-reputation attack-category
Attack ID  Attack name         Action   Logging
-------------------------------------------------------
1          C&C                 permit   enable
2          Network_Worm        permit   enable
3          Risk_Software       permit   enable
4          Malware             permit   enable
5          Trojan              permit   enable
6          Infectious_Virus    permit   enable
7          Trojan_the_Thief    permit   enable
8          Ransomware          permit   enable
9          miner               permit   enable
10         Botnet              permit   enable
15         tor                 permit   enable
16         Porn_Website        permit   enable
17         Gambling_Website    permit   enable
18         Phishing_Website    permit   enable
19         Fraud_Website       permit   enable
20         spam                permit   enable
21         Malicious_Email     permit   enable
22         DGA                 permit   enable
23         APT                 permit   enable
Table 1 Command output
Field | Description |
---|---|
Attack ID | Attack category ID. |
Attack name | Attack category name. |
Action | Action on packets that match the attack category: · block-source—Drops matching packets and adds the sources of the packets to the IP blacklist. · drop—Drops matching packets. · permit—Permits matching packets to pass. · reset—Closes the TCP connections for matching packets by sending TCP reset messages or closes the UDP connections for matching packets by sending ICMP port unreachable messages. · redirect—Redirects matching packets to a webpage. |
Logging | State of logging: · enable. · disable. |
Related commands
attack-category
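The following added example (not part of the vendor documentation) parses the output of display url-reputation attack-category and reports categories that are still permitted or are not logged. The sample output, the must_block policy list and the function names are assumptions made for this example.

```python
import re

# Constructed sample in the layout of the display output above (values varied).
SAMPLE_OUTPUT = """\
Attack ID  Attack name        Action        Logging
-------------------------------------------------------
1          C&C                drop          enable
5          Trojan             permit        enable
8          Ransomware         block-source  disable
16         Porn_Website       permit        disable
18         Phishing_Website   redirect      enable
"""

ACTIONS = {"block-source", "drop", "permit", "redirect", "reset"}
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(enable|disable)\s*$")


def parse_attack_categories(text):
    """Return one dict per data row; headers, rules and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        attack_id, name, action, logging = m.groups()
        if action not in ACTIONS or not 1 <= int(attack_id) <= 65535:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append({"id": int(attack_id), "name": name,
                     "action": action, "logging": logging == "enable"})
    return rows


def audit(rows, must_block):
    """must_block is the reviewer's own list of category names (an assumption
    of this example, not a vendor recommendation)."""
    findings = []
    for r in rows:
        if r["name"] in must_block and r["action"] == "permit":
            findings.append((r["id"], r["name"], "permitted"))
        if not r["logging"]:
            findings.append((r["id"], r["name"], "logging disabled"))
    return findings


def drop_commands(findings):
    """Policy-view lines, in the attack-category syntax documented on this page."""
    return [f"attack-category {i} action drop logging enable"
            for i, _, issue in findings if issue == "permitted"]


if __name__ == "__main__":
    found = audit(parse_attack_categories(SAMPLE_OUTPUT), {"C&C", "Trojan", "Ransomware"})
    print(found, drop_commands(found))
```

Only permitted rows produce a command, because re-issuing redirect or block-source may require a parameter profile name that the display output does not show.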
display url-reputation signature library
Use display url-reputation signature library to display information about the URL reputation signature library.
Syntax
display url-reputation signature library
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display information about the URL reputation signature library.
<Sysname> display url-reputation signature library
URL reputation signature library information:
Type     SigVersion  ReleaseTime               Size
Current  1.0.6       Tue Jul 28 12:32:55 2020  10492240
Factory  -           -                         -
Table 2 Command output
Field | Description |
---|---|
Type | Version of the URL reputation signature library: · Current—Current version. · Factory—Factory default version. This version is not supported in the current software version. |
SigVersion | Version number. |
ReleaseTime | Time when the URL reputation signature library was released. |
Size | Size of the URL reputation signature library, in bytes. |
update schedule
Use update schedule to configure a schedule for automatic URL reputation signature library update.
Use undo update schedule to restore the default.
Syntax
update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes
undo update schedule
Default
The device starts the URL reputation signature library update at a random time between 01:00:00 and 03:00:00 every day.
Views
Automatic URL reputation signature library update configuration view
Predefined user roles
network-admin
context-admin
Parameters
daily: Updates the URL reputation signature library every day.
weekly: Updates the URL reputation signature library every week.
fri: Updates the URL reputation signature library every Friday.
mon: Updates the URL reputation signature library every Monday.
sat: Updates the URL reputation signature library every Saturday.
sun: Updates the URL reputation signature library every Sunday.
thu: Updates the URL reputation signature library every Thursday.
tue: Updates the URL reputation signature library every Tuesday.
wed: Updates the URL reputation signature library every Wednesday.
start-time time: Specifies the start time in hh:mm:ss format. The value range is 00:00:00 to 23:59:59.
tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will start at a random time between the following time points:
· Start time minus half the tolerance time.
· Start time plus half the tolerance time.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Configure the device to automatically start the URL reputation signature library update every Monday at a random time between 20:25:00 and 20:35:00.
<Sysname> system-view
[Sysname] url-reputation signature auto-update
[Sysname-url-reputation-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10
Related commands
url-reputation signature auto-update
url-reputation enable
Use url-reputation enable to enable URL reputation.
Use undo url-reputation enable to disable URL reputation.
Syntax
url-reputation enable
undo url-reputation enable
Default
URL reputation is disabled.
Views
URL filtering policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
URL reputation filters malicious URLs. With this feature, the device matches the URL in packets with the URLs in the URL reputation signature library.
· If a match is found, the device takes the actions specified for the attack category of the URL. To specify actions for an attack category, use the attack-category action command.
· If no match is found, the device permits the packets to pass through.
Examples
# In URL filtering policy abc, enable URL reputation.
<Sysname> system-view
[Sysname] url-filter policy abc
[Sysname-url-filter-policy-abc] url-reputation enable
url-reputation signature auto-update
Use url-reputation signature auto-update to enable automatic URL reputation signature library update and enter automatic URL reputation signature library update configuration view.
Use undo url-reputation signature auto-update to disable automatic URL reputation signature library update.
Syntax
url-reputation signature auto-update
undo url-reputation signature auto-update
Default
Automatic URL reputation signature library update is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
The automatic update enables the device to periodically access the company's website to download the latest URL reputation signatures and update the local signature library.
You can schedule the time for automatic signature update by using the update schedule command in automatic URL reputation signature library update configuration view.
Examples
# Enable automatic URL reputation signature library update and enter automatic URL reputation signature library update configuration view.
<Sysname> system-view
[Sysname] url-reputation signature auto-update
[Sysname-url-reputation-autoupdate]
Related commands
update schedule
url-reputation signature auto-update-now
Use url-reputation signature auto-update-now to trigger an automatic URL reputation signature library update manually.
Syntax
url-reputation signature auto-update-now
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This command immediately starts the automatic signature library update process and backs up the current URL reputation signature library file. With this command, the device accesses the company's website to update the local URL reputation signature library.
This command is independent of the url-reputation signature auto-update command.
You can execute this command anytime you find a new version of the signature library on the company's website.
Examples
# Trigger an automatic URL reputation signature library update manually.
<Sysname> system-view
[Sysname] url-reputation signature auto-update-now
url-reputation signature rollback factory
Use url-reputation signature rollback factory to delete the URL reputation signature library.
Syntax
url-reputation signature rollback factory
Views
System view
Predefined user roles
context-admin
Usage guidelines
Application scenarios
If the memory on the device is insufficient or the current URL reputation signature library is unnecessary, you can delete the URL reputation signature library of the current version to free up memory space.
Restrictions and guidelines
Non-default vSystems do not support this command.
Examples
# Delete the URL reputation signature library.
<Sysname> system-view
[Sysname] url-reputation signature rollback factory
url-reputation signature update
Use url-reputation signature update to manually update the URL reputation signature library.
Syntax
url-reputation signature update file-path [ vpn-instance vpn-instance-name ] [ source { ip | ipv6 } { ip-address | interface interface-type interface-number } ]
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
file-path: Specifies the URL reputation signature file path, a string of 1 to 255 characters.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the TFTP or FTP server belongs by the instance's name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the TFTP or FTP server belongs to the public network.
source: Specifies the source IP address of request packets sent to the TFTP or FTP server for manual signature library update. If you do not specify a source IP address, the system uses the IP address of the outgoing routed interface as the source IP address.
ip ip-address: Specifies the source IPv4 address of request packets sent to the TFTP or FTP server for manual signature library update.
ipv6 ip-address: Specifies the source IPv6 address of request packets sent to the TFTP or FTP server for manual signature library update.
interface interface-type interface-number: Specifies the source interface. The primary IPv4 address of the interface or the minimum IPv6 address on the interface will be used as the source IP address.
Usage guidelines
Non-default vSystems do not support this command.
If the device cannot access the company's website, use one of the following methods to manually update the URL reputation signature library:
· Local update—Updates the URL reputation signature library on the device by using the locally stored update URL reputation signature file.
(In standalone mode.) Store the update file on the active MPU for successful signature library update.
(In IRF mode.) Store the update file on the global active MPU for successful signature library update.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored in the current working directory. | filename | To display the current working directory, use the pwd command (see file system management in Fundamentals Command Reference). |
The update file is stored in a different directory on the same storage medium. | filename | Before updating the signature library, you must first use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
The update file is stored on a different storage medium. | path/filename | Before updating the signature library, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
· FTP/TFTP update—Updates the URL reputation signature library on the device by using the file stored on the FTP or TFTP server.
The following describes the format of the file-path parameter for different update scenarios.
Update scenario | Format of file-path | Remarks |
---|---|---|
The update file is stored on an FTP server. | ftp://username:password@server address/filename | The username parameter represents the FTP login username. The password parameter represents the FTP login password. The server address parameter represents the IP address or host name of the FTP server. Replace the following special characters in the FTP login username and password with their respective escape characters: · Colon (:)—%3A or %3a. · At sign (@)—%40. · Forward slash (/)—%2F or %2f. |
The update file is stored on a TFTP server. | tftp://server address/filename | The server address parameter represents the IP address or host name of the TFTP server. |
NOTE: To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide.
To execute the url-filter signature update command, you also need to follow these restrictions and guidelines:
· To specify the source IP address of request packets sent to the TFTP or FTP server for manual signature library update, you must specify the source keyword. For example, if packets from the device must be translated by NAT before accessing the TFTP or FTP server, you must specify a source IP address that complies with the NAT rules for NAT translation. If NAT translation is performed by an independent NAT device, make sure the IP address specified by this command can reach the NAT device at Layer 3.
· If you specify both the source and vpn-instance keywords, make sure the VPN instance to which the specified source IP or interface belongs is the same as that specified by the vpn-instance keyword.
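The escape characters listed above for the FTP login username and password matter because an unescaped colon, at sign or forward slash changes where the credentials end and the server address begins. The following added example (not part of the vendor documentation) builds the file-path argument with those escapes and shows how the unescaped form is split incorrectly. Python's generic URL parser stands in for the device's parser, which the page does not describe, and the function names, credentials and the 192.0.2.10 address are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Escapes this page lists for the FTP login username and password.
ESCAPES = {":": "%3A", "@": "%40", "/": "%2F"}


def escape_credential(value):
    """Replace only the three listed characters. Other characters, a literal
    '%' included, pass through because the page defines no escape for them."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def ftp_file_path(username, password, server, filename):
    """Build the ftp:// file-path argument and enforce its 1 to 255 length."""
    if not (username and server and filename):
        raise ValueError("username, server and filename are required")
    path = (f"ftp://{escape_credential(username)}:"
            f"{escape_credential(password)}@{server}/{filename}")
    if len(path) > 255:
        raise ValueError(f"file-path is {len(path)} characters; limit is 255")
    return path


def parsed_parts(path):
    """Split with Python's generic URL parser (a stand-in; the device's own
    parser is not described on the page) and decode the credentials."""
    u = urlsplit(path)
    return unquote(u.username or ""), unquote(u.password or ""), u.hostname


if __name__ == "__main__":
    # Constructed values: 192.0.2.10 is a documentation address.
    good = ftp_file_path("admin", "p@ss:w/rd", "192.0.2.10", "url-1.0.2-en.dat")
    raw = "ftp://admin:p@ss:w/rd@192.0.2.10/url-1.0.2-en.dat"
    print(good, parsed_parts(good))   # credentials and server recovered intact
    print(raw, parsed_parts(raw))     # password truncated, wrong server name
```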
Examples
# Manually update the local URL reputation signature library by using a signature file stored on a TFTP server.
<Sysname> system-view
[Sysname] url-reputation signature update tftp://192.168.0.10/url-1.0.2-en.dat
# Manually update the local URL reputation signature library by using a signature file stored on the device. The file is stored in directory cfb0:/dpi/url-1.0.23-en.dat, and the current working directory is cfa0:.
<Sysname> cd cfb0:/
<Sysname> system-view
[Sysname] url-reputation signature update dpi/url-1.0.23-en.dat