URL Filtering Does Not Take Effect After Being Configured on the USG2220

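Published: 2012-07-19  Views: 195  Downloads: 0
Problem Description
The user enabled the URL filtering function, activated the license, and then configured the blacklist and whitelist, predefined policies, and user-defined policies. None of them took effect: no traffic matched any of the applied policies, so URL filtering did not work, as shown below: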
[USG2200]disp url-filter statistics
19:26:34 2011/08/08
Statistic information about URL filtering
------------------------------------------------------------
Total HTTP requests : 0
Total permitted HTTP requests : 0
Total denied HTTP requests : 0
Match blacklist : 0
Match whitelist : 0
Match user-defined category : 0
Match pre-defined category : 0
Default action : 0
------------------------------------------------------------
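Alarm Information
Handling Process

1. Check that the URL filtering license is activated and within its validity period.
2. Check that the firewall is running in UTM mode, then check each step of the URL filtering configuration: all mandatory parts are configured, and the policy is applied to the correct interzone.
3. Check the interzone policies carefully: policy 1 has been matched, while policy 2 has not been matched a single time.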
[USG2200]disp policy interzone trust untrust outbound
18:59:34 2011/08/08
policy interzone trust untrust outbound
firewall default packet-filter is permit
policy 1 (316123 times matched)
action permit
policy logging
policy service service-set ip
policy source any
policy destination any
policy ips protectintranet
policy av policy1
policy url-filter worktime
http-access log enable

policy 2 (0 times matched)
action permit
policy logging
policy time-range worktime
policy service service-set ip
policy source any
policy destination any
policy url-filter worktime
http-access log enable
4. Configure the policy url-filter worktime statement from policy 2 in policy 1. URL filtering then takes effect.
[USG2200]disp url-filter statistics
19:42:25 2011/08/08
Statistic information about URL filtering
------------------------------------------------------------
Total HTTP requests : 1309
Total permitted HTTP requests : 1296
Total denied HTTP requests : 13
Match blacklist : 0
Match whitelist : 0
Match user-defined category : 0
Match pre-defined category : 1309
Default action : 0
------------------------------------------------------------

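Root Cause
1. The policy was not committed after it was configured.
2. The configuration is incomplete.
3. The firewall is running in an incorrect mode.
Suggestions and Summary
Once traffic matches one policy, the remaining policies are not evaluated, so all UTM functions need to be added to a single policy.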
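
The first-match behavior summarized above can be checked offline from saved `display policy interzone` output. The following Python script is an added example, not part of the original case or a Huawei tool: it reports UTM profiles that sit only on a policy that an earlier policy already covers. The function names, the constructed sample, and the simplified coverage test are assumptions.

```python
import re
# Constructed sample in the format of the output above, before the fix (policy 1 has no url-filter).
SAMPLE = """\
policy interzone trust untrust outbound
policy 1 (316123 times matched)
action permit
policy service service-set ip
policy source any
policy destination any
policy ips protectintranet
policy av policy1

policy 2 (0 times matched)
action permit
policy time-range worktime
policy service service-set ip
policy source any
policy destination any
policy url-filter worktime
"""
UTM = ("ips", "av", "url-filter")
MATCH = ("service", "source", "destination", "time-range")

def parse_policies(text):
    policies = []
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"policy (\d+) \((\d+) times matched\)", line)
        parts = line.split(None, 2)
        if m:
            policies.append({"id": int(m[1]), "hits": int(m[2]), "match": {}, "utm": {}})
        elif policies and len(parts) == 3 and parts[0] == "policy":
            bucket = "utm" if parts[1] in UTM else "match" if parts[1] in MATCH else None
            if bucket:
                policies[-1][bucket][parts[1]] = parts[2]
    return policies

def covers(earlier, later):
    # Assumed conservative test: each earlier condition is "any" or identical to the later one.
    return all(v == "any" or later["match"].get(k) == v for k, v in earlier["match"].items())

def shadowed_utm(policies):
    findings = []  # (shadowed policy id, policy that matches first, profiles never applied)
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            missing = sorted(set(later["utm"]) - set(earlier["utm"]))
            if missing and covers(earlier, later):
                findings.append((later["id"], earlier["id"], missing))
                break
    return findings
```

For the sample, `shadowed_utm(parse_policies(SAMPLE))` reports that the url-filter profile on policy 2 is never applied because policy 1 matches first; after the profile is added to policy 1, nothing is reported.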
