Campus Egress Security
This section uses a typical campus network as an example to describe how to deploy campus egress security. Service security requirements are as follows:
- Internal network users can access Internet resources, but only education/science and search/portal websites.
- To prevent information leaks, employees are not allowed to upload common documents, R&D files (such as C, CPP, and JAVA files), or compressed files to the Internet.
- To reduce the risk of viruses being transferred to internal networks, employees are not allowed to download executable files from the Internet.
- To ensure work efficiency, employees are not allowed to download videos from the Internet.
- To prevent disclosure of confidential information and transmission of violation information, filter the files uploaded, emails sent, posts and microblogs published, and web pages and content searched by internal network users.
- External network users can access the HTTP server on the internal network. To ensure the proper running of the server, defend against SYN flood, UDP flood, and HTTP flood attacks.
- To prevent viruses from being introduced by emails, perform antivirus detection on emails using HTTP and POP3 protocols.
- Defend against attacks such as worms, Trojan horses, and botnets.
- To ensure normal services, restrict P2P and online video traffic to 30 Mbit/s at any time. To better control P2P and online video traffic, restrict the connections of related applications to 10,000. To ensure the proper running of email and ERP applications, assign a minimum of 60 Mbit/s bandwidth to such traffic.
- Record employees' online behaviors to implement more refined security policy control.
Device Requirements and Versions

Location | Device Requirement | Device Used in This Example | Version Used in This Example
---|---|---|---
Egress | - | USG6650 | V500R001C30
Core layer | - | S7706 | V200R010C00
Aggregation layer | - | S5720-EI | V200R011C00
Deployment Roadmap

Step | Deployment Roadmap | Devices Involved
---|---|---
1 | Configure security zones and security policies to ensure that internal network users can access Internet resources and external network users can access the HTTP server. | Egress firewall
2 | Configure the filtering functions. | Egress firewall
3 | Configure antivirus and intrusion prevention to prevent viruses from being introduced by emails and defend against attacks such as worms, Trojan horses, and botnets. | Egress firewall
4 | Configure DDoS attack defense to defend against SYN flood, UDP flood, and HTTP flood attacks. | Egress firewall
5 | Configure traffic policies to ensure that applications such as email and ERP work properly. | Egress firewall
6 | Configure online behavior audit and management to record employees' online behaviors and implement more refined security policy control. | Egress firewall
Data Plan

Device | Interface Number | Member Interface | VLANIF | IP Address
---|---|---|---|---
FWA | GE1/0/0 | - | - | 192.0.2.1/24
FWA | GE1/0/3 | - | - | 10.4.0.1/24
FWA | Eth-Trunk 1 | GE1/0/1, GE1/0/2 | - | 10.3.0.1/24
FWB | GE1/0/0 | - | - | 192.0.2.2/24
FWB | GE1/0/3 | - | - | 10.4.0.2/24
FWB | Eth-Trunk 1 | GE1/0/1, GE1/0/2 | - | 10.3.0.2/24
CORE | GE1/1/0/10 | - | VLANIF 50 | 10.7.0.1/24
CORE | Eth-Trunk 10 | GE1/1/1/0, GE2/1/1/1 | VLANIF 20 | 10.3.0.254/24
CORE | Eth-Trunk 20 | GE2/1/1/0, GE1/1/1/1 | VLANIF 20 | 10.3.0.254/24
CORE | Eth-Trunk 30 | GE1/2/0/0, GE2/2/0/0 | VLANIF 30 | 10.5.0.1/24
AGG | Eth-Trunk 30 | GE1/0/1, GE2/0/1 | - | -
HTTP server | Ethernet interface | - | - | 10.7.0.2/24
Procedure
This section mainly describes security configurations of firewalls. For details about other configurations, see Campus Egress Deployment.
To configure URL filtering, you need to activate the license and ensure that the license is within the validity period.
Ensure that the content security package has been loaded before configuring file and data filtering.
Assume that the user in this example already exists on the firewall, and the authentication configuration is complete.
- Configure security zones and security policies.
- Configure security zones.
The system has four security zones by default. If the default security zones do not meet your service requirements, you can create security zones and define their security levels. After creating a security zone, add interfaces to it. Then all packets sent and received on the interfaces are considered in the security zone. By default, an interface does not belong to any security zone and is unable to communicate with interfaces in other security zones.
# Assign interfaces to security zones.
[FWA] firewall zone trust
[FWA-zone-trust] set priority 85
[FWA-zone-trust] add interface eth-trunk 1    //Add Eth-Trunk 1 connected to the internal network to the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone name untrust    //Add the interface connected to the external network to the untrusted zone.
[FWA-zone-untrust] set priority 5
[FWA-zone-untrust] add interface gigabitethernet 1/0/0
[FWA-zone-untrust] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] set priority 50
[FWA-zone-dmz] add interface gigabitethernet 1/0/3    //Add the heartbeat interface to the DMZ.
[FWA-zone-dmz] quit

[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 1    //Add Eth-Trunk 1 connected to the internal network to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone name untrust    //Add the interface connected to the external network to the untrusted zone.
[FWB-zone-untrust] set priority 5
[FWB-zone-untrust] add interface gigabitethernet 1/0/0
[FWB-zone-untrust] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/3    //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
- Configure security policies.
# After a hot standby group is successfully established between the active and standby firewalls, the security policies configured on FWA will be automatically backed up to FWB. For details about how to configure hot backup, see Deploying IPSec on Firewalls for Secure Communication with the Headquarters.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_dmz    //Allow mutual access between the local zone and DMZ.
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] action permit
HRP_M[FWA-policy-security-rule-policy_dmz] quit
HRP_M[FWA-policy-security] rule name trust_to_untrust    //Allow internal network users to access the Internet.
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-trust_to_untrust] action permit
HRP_M[FWA-policy-security-rule-trust_to_untrust] quit
HRP_M[FWA-policy-security] rule name untrust_to_trust    //Allow external network users to access the HTTP server.
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone untrust
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-address 10.7.0.0 24
HRP_M[FWA-policy-security-rule-untrust_to_trust] action permit
HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit
- Configure the filtering functions.
- Configure URL filtering.
# Configure a URL filtering profile.
HRP_M[FWA] profile type url-filter name profile_url_research
HRP_M[FWA-profile-url-filter-profile_url_research] category user-defined action block
HRP_M[FWA-profile-url-filter-profile_url_research] category pre-defined action block
HRP_M[FWA-profile-url-filter-profile_url_research] category pre-defined category-id 15 action allow    //Allow users to access search/portal websites.
HRP_M[FWA-profile-url-filter-profile_url_research] category pre-defined category-id 17 action allow    //Allow users to access education/science websites.
HRP_M[FWA-profile-url-filter-profile_url_research] quit
# Configure a security policy.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_research
HRP_M[FWA-policy-security-rule-policy_sec_research] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_research] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_research] user user-group /default/priuser
HRP_M[FWA-policy-security-rule-policy_sec_research] action permit
HRP_M[FWA-policy-security-rule-policy_sec_research] profile url-filter profile_url_research
HRP_M[FWA-policy-security-rule-policy_sec_research] quit
# Commit the content security profile.
HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: URL submitted configurations successfully.
Info: Finish committing engine compiling.
- Configure file filtering.
# Create profile profile_file_user1 to prevent users from uploading documents, R&D files, and compressed files to the Internet, and from downloading executable, audio, and video files from the Internet.
HRP_M[FWA] profile type file-block name profile_file_user1
HRP_M[FWA-profile-file-block-profile_file_user1] rule name rule1
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] application all
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] file-type pre-defined name ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] file-type pre-defined name BZ2 Z 7ZIP JAR C CPP JAVA VBS
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] direction upload
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] action block
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule1] quit
HRP_M[FWA-profile-file-block-profile_file_user1] rule name rule2
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] application all
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE SYS MDI
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] file-type pre-defined name MOV MPEG AVI RMVB ASF SWF MP3 MP4 MIDI
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] direction download
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] action block
HRP_M[FWA-profile-file-block-profile_file_user1-rule-rule2] quit
HRP_M[FWA-profile-file-block-profile_file_user1] quit
# Configure security policy policy_sec_user1 for traffic from the trusted zone to the untrusted zone and reference profile profile_file_user1.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_user1
HRP_M[FWA-policy-security-rule-policy_sec_user1] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_user1] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_user1] user user-group /default/priuser
HRP_M[FWA-policy-security-rule-policy_sec_user1] profile file-block profile_file_user1
HRP_M[FWA-policy-security-rule-policy_sec_user1] action permit
HRP_M[FWA-policy-security-rule-policy_sec_user1] quit
# Commit the content security profile.
HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: DLP submitted configurations successfully.
Info: Finish committing engine compiling.
- Configure data filtering.
# Configure keyword group keyword1.
HRP_M[FWA] keyword-group name keyword1
HRP_M[FWA-keyword-group-keyword1] pre-defined-keyword name confidentiality weight 1
HRP_M[FWA-keyword-group-keyword1] user-defined-keyword name abc
HRP_M[FWA-keyword-group-keyword1-keyword-abc] expression match-mode text "abcd"    //Define keyword abcd.
HRP_M[FWA-keyword-group-keyword1-keyword-abc] weight 1
HRP_M[FWA-keyword-group-keyword1-keyword-abc] quit
HRP_M[FWA-keyword-group-keyword1] quit
# Create profile profile_data_research.
HRP_M[FWA] profile type data-filter name profile_data_research
HRP_M[FWA-profile-data-filter-profile_data_research] rule name rule1
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] keyword-group name keyword1
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] application all
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] file-type all
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] direction upload
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] action block
HRP_M[FWA-profile-data-filter-profile_data_research-rule-rule1] quit
HRP_M[FWA-profile-data-filter-profile_data_research] quit
# Configure security policy policy_sec_research and reference profile profile_data_research.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_research
HRP_M[FWA-policy-security-rule-policy_sec_research] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_research] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_research] user user-group /default/priuser
HRP_M[FWA-policy-security-rule-policy_sec_research] profile data-filter profile_data_research
HRP_M[FWA-policy-security-rule-policy_sec_research] action permit
HRP_M[FWA-policy-security-rule-policy_sec_research] quit
# Commit the content security profile.
HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: DLP submitted configurations successfully.
Info: Finish committing engine compiling.
- Configure antivirus and intrusion prevention.
- Configure antivirus.
When an internal network user attempts to download virus-infected files using HTTP, the download connection is blocked. When an internal network user attempts to download a virus-infected mail using POP3, the attachments in the mail are deleted.
# Configure an antivirus profile for HTTP and POP3.
HRP_M[FWA] profile type av name av_http_pop3
HRP_M[FWA-profile-av-av_http_pop3] http-detect direction download action block
HRP_M[FWA-profile-av-av_http_pop3] pop3-detect action delete-attachment
HRP_M[FWA-profile-av-av_http_pop3] exception application name Netease_Webmail
HRP_M[FWA-profile-av-av_http_pop3] exception av-signature-id 1000
HRP_M[FWA-profile-av-av_http_pop3] quit
# Configure a security policy for traffic from the internal network to the external network (from the trusted zone to the untrusted zone).
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_av_1
HRP_M[FWA-policy-security-rule-policy_av_1] source-zone trust
HRP_M[FWA-policy-security-rule-policy_av_1] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_av_1] action permit
HRP_M[FWA-policy-security-rule-policy_av_1] profile av av_http_pop3
HRP_M[FWA-policy-security-rule-policy_av_1] quit
- Configure intrusion prevention.
# Create intrusion prevention profile profile_ips_pc to protect internal network users.
HRP_M[FWA] profile type ips name profile_ips_pc
HRP_M[FWA-profile-ips-profile_ips_pc] description profile for intranet users
HRP_M[FWA-profile-ips-profile_ips_pc] capture-packet enable
HRP_M[FWA-profile-ips-profile_ips_pc] signature-set name filter1
HRP_M[FWA-profile-ips-profile_ips_pc-sigset-filter1] target client
HRP_M[FWA-profile-ips-profile_ips_pc-sigset-filter1] severity high
HRP_M[FWA-profile-ips-profile_ips_pc-sigset-filter1] protocol HTTP
HRP_M[FWA-profile-ips-profile_ips_pc-sigset-filter1] quit
HRP_M[FWA-profile-ips-profile_ips_pc] quit
# Commit the configuration.
HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: DLP submitted configurations successfully.
Info: Finish committing engine compiling.
# Configure a security policy for traffic from the trusted zone to the untrusted zone and reference intrusion prevention profile profile_ips_pc.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_1
HRP_M[FWA-policy-security-rule-policy_sec_1] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_1] destination-zone untrust
HRP_M[FWA-policy-security-rule-policy_sec_1] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-policy_sec_1] profile ips profile_ips_pc
HRP_M[FWA-policy-security-rule-policy_sec_1] action permit
HRP_M[FWA-policy-security-rule-policy_sec_1] quit
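The security-policy rules above are created, and therefore stored, in a fixed order; on a rule base evaluated top-down with first match winning, a broad permit rule placed before a rule that references a content-security profile captures the traffic and that profile is never applied. The following checker is an added example, not from this guide or the USG product: it parses a constructed security-policy extract in the order used on this page (assumed first-match, top-down evaluation) and reports each later rule whose traffic an earlier rule captures without carrying the same profiles.

```python
# Added example, not from the deployment guide: an order-sensitive shadowing
# check for USG-style security-policy rules. Assumes top-down first-match
# evaluation and that only the matched rule's content profiles apply to a flow.
import ipaddress
from dataclasses import dataclass, field
# Constructed sample, in the rule order the FWA configuration file lists them.
SAMPLE_CONFIG = """\
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.6.0.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone untrust
  destination-zone trust
  destination-address 10.7.0.0 24
  action permit
 rule name policy_av_1
  source-zone trust
  destination-zone untrust
  profile av av_http_pop3
  action permit
 rule name policy_sec_research
  source-zone trust
  destination-zone untrust
  user user-group /default/priuser
  profile url-filter profile_url_research
  action permit
"""
COVERS, OVERLAPS, DISJOINT = "covers", "overlaps", "disjoint"

@dataclass
class Rule:
    name: str
    src_zones: set = field(default_factory=set)    # empty set/list means "any"
    dst_zones: set = field(default_factory=set)
    users: set = field(default_factory=set)
    src_addrs: list = field(default_factory=list)
    dst_addrs: list = field(default_factory=list)
    profiles: dict = field(default_factory=dict)   # profile type -> profile name
    action: str = "permit"

def parse_rules(text):
    """Parse the rule bodies of a security-policy section into Rule objects."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 3 and t[0] == "rule" and t[1] == "name":
            rules.append(Rule(name=t[2]))
        elif not t or not rules:
            continue  # blank lines and the "security-policy" header
        elif t[0] == "source-zone":
            rules[-1].src_zones.add(t[1])
        elif t[0] == "destination-zone":
            rules[-1].dst_zones.add(t[1])
        elif t[0] == "user":  # "user user-group /default/priuser"
            rules[-1].users.add(t[2])
        elif t[0] in ("source-address", "destination-address"):
            mask = t[3] if t[2] == "mask" else t[2]  # "x mask m" or "x len"
            net = ipaddress.ip_network(f"{t[1]}/{mask}", strict=False)
            (rules[-1].src_addrs if t[0] == "source-address" else rules[-1].dst_addrs).append(net)
        elif t[0] == "profile":  # "profile url-filter profile_url_research"
            rules[-1].profiles[t[1]] = t[2]
        elif t[0] == "action":
            rules[-1].action = t[1]
    return rules

def compare_sets(a, b):
    """Zones or users of an earlier rule (a) against a later rule (b)."""
    if not a or (b and a >= b):
        return COVERS
    return OVERLAPS if not b or a & b else DISJOINT

def compare_nets(a, b):
    """Address lists of an earlier rule (a) against a later rule (b)."""
    if not a or (b and all(any(bn.subnet_of(an) for an in a) for bn in b)):
        return COVERS
    return OVERLAPS if not b or any(bn.overlaps(an) for an in a for bn in b) else DISJOINT

def shadowing(rules):
    """(later, earlier, kind, missing profile types) for each later rule whose
    traffic an earlier rule captures without applying the later rule's profiles."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            results = [compare_sets(earlier.src_zones, later.src_zones),
                       compare_sets(earlier.dst_zones, later.dst_zones),
                       compare_sets(earlier.users, later.users),
                       compare_nets(earlier.src_addrs, later.src_addrs),
                       compare_nets(earlier.dst_addrs, later.dst_addrs)]
            missing = tuple(sorted(set(later.profiles) - set(earlier.profiles)))
            if DISJOINT in results or (not missing and earlier.action == later.action):
                continue
            kind = "full" if all(r == COVERS for r in results) else "partial"
            findings.append((later.name, earlier.name, kind, missing))
    return findings

if __name__ == "__main__":
    for later, earlier, kind, missing in shadowing(parse_rules(SAMPLE_CONFIG)):
        print(f"{later}: {kind} shadow by earlier rule {earlier}; never applied: {missing}")
```

On the sample, policy_sec_research is fully shadowed by policy_av_1, so its URL filter would never run; the fix on the device is to reorder the rules so the user-group-scoped rules with content profiles precede the broad trust-to-untrust permits.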
- Configure DDoS attack defense.
Servers often suffer from SYN flood, UDP flood, and HTTP flood attacks. To ensure the normal running of the servers, enable the anti-DDoS function on the firewall to defend against the three types of DDoS attacks.
# Configure anti-DDoS parameters.
HRP_M[FWA] interface GigabitEthernet1/0/0
HRP_M[FWA-GigabitEthernet1/0/0] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/0] quit
HRP_M[FWA] ddos-mode detect-clean
# Configure the threshold learning function.
HRP_M[FWA] anti-ddos baseline-learn start
HRP_M[FWA] anti-ddos baseline-learn tolerance-value 100
HRP_M[FWA] anti-ddos baseline-learn apply
# Enable the anti-DDoS function.
HRP_M[FWA] anti-ddos syn-flood source-detect
HRP_M[FWA] anti-ddos udp-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos udp-frag-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos http-flood defend alert-rate 2000
HRP_M[FWA] anti-ddos http-flood source-detect mode basic
- Configure traffic policies.
# Configure a traffic profile for P2P and online video services.
HRP_M[FWA] traffic-policy
HRP_M[FWA-policy-traffic] profile profile_p2p
HRP_M[FWA-policy-traffic-profile-profile_p2p] bandwidth maximum-bandwidth whole both 30000
HRP_M[FWA-policy-traffic-profile-profile_p2p] bandwidth connection-limit whole both 10000
HRP_M[FWA-policy-traffic-profile-profile_p2p] quit
# Configure a traffic policy for P2P and online video services.
The following example describes the bandwidth management configuration for BitTorrent (BT) and YouTube services. You can specify other P2P services as required.
HRP_M[FWA-policy-traffic] rule name policy_p2p
HRP_M[FWA-policy-traffic-rule-policy_p2p] source-zone trust
HRP_M[FWA-policy-traffic-rule-policy_p2p] destination-zone untrust
HRP_M[FWA-policy-traffic-rule-policy_p2p] application app BT YouKu
HRP_M[FWA-policy-traffic-rule-policy_p2p] action qos profile profile_p2p
HRP_M[FWA-policy-traffic-rule-policy_p2p] quit
# Configure a traffic profile for email and ERP applications.
HRP_M[FWA-policy-traffic] profile profile_email
HRP_M[FWA-policy-traffic-profile-profile_email] bandwidth guaranteed-bandwidth whole both 60000
HRP_M[FWA-policy-traffic-profile-profile_email] quit
# Configure a traffic policy for email and ERP applications.
The following example describes the bandwidth management configuration for Outlook Web Access (OWA) and Lotus Notes. You can specify other applications as required.
HRP_M[FWA-policy-traffic] rule name policy_email
HRP_M[FWA-policy-traffic-rule-policy_email] source-zone trust
HRP_M[FWA-policy-traffic-rule-policy_email] destination-zone untrust
HRP_M[FWA-policy-traffic-rule-policy_email] application app LotusNotes OWA
HRP_M[FWA-policy-traffic-rule-policy_email] action qos profile profile_email
HRP_M[FWA-policy-traffic-rule-policy_email] quit
- Configure online behavior audit and management.
# Configure an audit profile to audit HTTP, FTP, and mail behaviors.
HRP_M[FWA] profile type audit name profile_audit_1
HRP_M[FWA-profile-audit-profile_audit_1] http-audit url all
HRP_M[FWA-profile-audit-profile_audit_1] http-audit url recorded-title
HRP_M[FWA-profile-audit-profile_audit_1] http-audit file direction download
HRP_M[FWA-profile-audit-profile_audit_1] ftp-audit file direction download
HRP_M[FWA-profile-audit-profile_audit_1] http-audit bbs-content
HRP_M[FWA-profile-audit-profile_audit_1] http-audit micro-blog
HRP_M[FWA-profile-audit-profile_audit_1] quit
# Configure an audit policy and reference the audit profile.
HRP_M[FWA] audit-policy
HRP_M[FWA-policy-audit] rule name policy_audit_1
HRP_M[FWA-policy-audit-rule-policy_audit_1] description Policy of auditing for priuser.
HRP_M[FWA-policy-audit-rule-policy_audit_1] source-zone trust
HRP_M[FWA-policy-audit-rule-policy_audit_1] destination-zone untrust
HRP_M[FWA-policy-audit-rule-policy_audit_1] user user-group /default/priuser
HRP_M[FWA-policy-audit-rule-policy_audit_1] action audit profile profile_audit_1
HRP_M[FWA-policy-audit-rule-policy_audit_1] quit
# Commit the configuration.
HRP_M[FWA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: Audit submitted configurations successfully.
Info: Finish committing engine compiling.
# Follow-up procedure
By viewing various reports, audit logs, and user activity logs, you can obtain the online behavior of employees to implement more refined security policy control.
Verifying the Deployment
- Internal network users can access education/science and search/portal websites, but cannot access other websites.
- Internal network users cannot upload documents, compressed files, or code files to the Internet, and cannot download executable files or video files from the Internet.
- When an internal network user sends confidential information to the Internet, or browses or searches for content that contains violation information, the content is blocked.
- When an internal network user attempts to download virus-infected files using HTTP, the download connection is blocked.
- When an internal network user attempts to download a virus-infected mail using POP3, the attachments in the mail are deleted.
- The system blocks attacks such as worms, Trojan horses, and botnets.
- External network users can access the HTTP server on the internal network. When the server is targeted by SYN flood, UDP flood, or HTTP flood attacks, the attacks are blocked.
Configuration Files
- FWA configuration file
#
 sysname FWA
#
interface GigabitEthernet1/0/0
 anti-ddos flow-statistic enable
#
keyword-group name keyword1
 pre-defined-keyword name confidentiality weight 1
 user-defined-keyword name abc
  expression match-mode text "abcd"
  weight 1
#
profile type audit name profile_audit_1
 description Profile of auditing for research.
 http-audit url all
 http-audit url recorded-title
 http-audit bbs-content
 http-audit micro-blog
 http-audit file direction download
 ftp-audit file direction download
profile type av name av_http_pop3
 http-detect direction download
 pop3-detect action delete-attachment
 exception application name Netease_WebMail action allow
 exception av-signature-id 1000
profile type data-filter name profile_data_research
 rule name rule1
  keyword-group name keyword1
  file-type all
  application all
  direction upload
  action block
profile type file-block name profile_file_user1
 rule name rule1
  file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP
  file-type pre-defined name ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB
  file-type pre-defined name BZ2 C CPP JAVA
  application all
  direction upload
  action block
 rule name rule2
  file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE MDI MOV
  file-type pre-defined name MPEG AVI RMVB ASF SWF MP3 MP4 MIDI
  application all
  direction download
  action block
profile type ips name profile_ips_pc
 description profile for intranet users
 collect-attack-evidence enable
 signature-set name filter1
  target client
  severity high
  protocol HTTP
#
profile type url-filter name profile_url_research
 category pre-defined subcategory-id 101 action block
 category pre-defined subcategory-id 102 action block
 category pre-defined subcategory-id 162 action block
 category pre-defined subcategory-id 163 action block
 category pre-defined subcategory-id 164 action block
 category pre-defined subcategory-id 165 action block
 category pre-defined subcategory-id 103 action block
 category pre-defined subcategory-id 166 action block
 category pre-defined subcategory-id 167 action block
 category pre-defined subcategory-id 168 action block
 category pre-defined subcategory-id 104 action block
 category pre-defined subcategory-id 169 action block
 category pre-defined subcategory-id 170 action block
 category pre-defined subcategory-id 105 action block
 category pre-defined subcategory-id 171 action block
 category pre-defined subcategory-id 172 action block
 category pre-defined subcategory-id 173 action block
 category pre-defined subcategory-id 174 action block
 category pre-defined subcategory-id 106 action block
 category pre-defined subcategory-id 108 action block
 category pre-defined subcategory-id 177 action block
 category pre-defined subcategory-id 251 action block
 category pre-defined subcategory-id 109 action block
 category pre-defined subcategory-id 110 action block
 category pre-defined subcategory-id 111 action block
 category pre-defined subcategory-id 112 action block
 category pre-defined subcategory-id 114 action block
 category pre-defined subcategory-id 115 action block
 category pre-defined subcategory-id 117 action block
 category pre-defined subcategory-id 178 action block
 category pre-defined subcategory-id 179 action block
 category pre-defined subcategory-id 180 action block
 category pre-defined subcategory-id 181 action block
 category pre-defined subcategory-id 248 action block
 category pre-defined subcategory-id 118 action block
 category pre-defined subcategory-id 119 action block
 category pre-defined subcategory-id 122 action block
 category pre-defined subcategory-id 182 action block
 category pre-defined subcategory-id 183 action block
 category pre-defined subcategory-id 184 action block
 category pre-defined subcategory-id 123 action block
 category pre-defined subcategory-id 124 action block
 category pre-defined subcategory-id 186 action block
 category pre-defined subcategory-id 187 action block
 category pre-defined subcategory-id 188 action block
 category pre-defined subcategory-id 189 action block
 category pre-defined subcategory-id 125 action block
 category pre-defined subcategory-id 127 action block
 category pre-defined subcategory-id 128 action block
 category pre-defined subcategory-id 130 action block
 category pre-defined subcategory-id 131 action block
 category pre-defined subcategory-id 132 action block
 category pre-defined subcategory-id 197 action block
 category pre-defined subcategory-id 198 action block
 category pre-defined subcategory-id 199 action block
 category pre-defined subcategory-id 200 action block
 category pre-defined subcategory-id 227 action block
 category pre-defined subcategory-id 228 action block
 category pre-defined subcategory-id 133 action block
 category pre-defined subcategory-id 201 action block
 category pre-defined subcategory-id 202 action block
 category pre-defined subcategory-id 204 action block
 category pre-defined subcategory-id 205 action block
 category pre-defined subcategory-id 134 action block
 category pre-defined subcategory-id 135 action block
 category pre-defined subcategory-id 136 action block
 category pre-defined subcategory-id 137 action block
 category pre-defined subcategory-id 138 action block
 category pre-defined subcategory-id 139 action block
 category pre-defined subcategory-id 140 action block
 category pre-defined subcategory-id 141 action block
 category pre-defined subcategory-id 206 action block
 category pre-defined subcategory-id 207 action block
 category pre-defined subcategory-id 208 action block
 category pre-defined subcategory-id 209 action block
 category pre-defined subcategory-id 210 action block
 category pre-defined subcategory-id 229 action block
 category pre-defined subcategory-id 142 action block
 category pre-defined subcategory-id 143 action block
 category pre-defined subcategory-id 144 action block
 category pre-defined subcategory-id 145 action block
 category pre-defined subcategory-id 146 action block
 category pre-defined subcategory-id 147 action block
 category pre-defined subcategory-id 211 action block
 category pre-defined subcategory-id 212 action block
 category pre-defined subcategory-id 213 action block
 category pre-defined subcategory-id 240 action block
 category pre-defined subcategory-id 253 action block
 category pre-defined subcategory-id 149 action block
 category pre-defined subcategory-id 150 action block
 category pre-defined subcategory-id 214 action block
 category pre-defined subcategory-id 215 action block
 category pre-defined subcategory-id 216 action block
 category pre-defined subcategory-id 217 action block
 category pre-defined subcategory-id 151 action block
 category pre-defined subcategory-id 218 action block
 category pre-defined subcategory-id 219 action block
 category pre-defined subcategory-id 220 action block
 category pre-defined subcategory-id 221 action block
 category pre-defined subcategory-id 222 action block
 category pre-defined subcategory-id 223 action block
 category pre-defined subcategory-id 230 action block
 category pre-defined subcategory-id 252 action block
 category pre-defined subcategory-id 152 action block
 category pre-defined subcategory-id 153 action block
 category pre-defined subcategory-id 238 action block
 category pre-defined subcategory-id 154 action block
 category pre-defined subcategory-id 155 action block
 category pre-defined subcategory-id 224 action block
 category pre-defined subcategory-id 225 action block
 category pre-defined subcategory-id 156 action block
 category pre-defined subcategory-id 157 action block
 category pre-defined subcategory-id 158 action block
 category pre-defined subcategory-id 231 action block
 category pre-defined subcategory-id 232 action block
 category pre-defined subcategory-id 159 action block
 category pre-defined subcategory-id 254 action block
 category pre-defined subcategory-id 160 action block
 category pre-defined subcategory-id 161 action block
 category pre-defined subcategory-id 176 action block
 category pre-defined subcategory-id 226 action block
 category pre-defined subcategory-id 234 action block
 category pre-defined subcategory-id 235 action block
 category pre-defined subcategory-id 236 action block
 category pre-defined subcategory-id 237 action block
 category pre-defined subcategory-id 239 action block
 category pre-defined subcategory-id 241 action block
 category pre-defined subcategory-id 233 action block
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
#
firewall zone name untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.6.0.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone untrust
  destination-zone trust
  destination-address 10.7.0.0 mask 255.255.255.0
  action permit
 rule name policy_av_1
  source-zone trust
  destination-zone untrust
  profile av av_http_pop3
  action permit
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  source-address 10.6.0.0 mask 255.255.255.0
  profile ips profile_ips_pc
  action permit
 rule name policy_sec_research
  source-zone trust
  destination-zone untrust
  user user-group /default/priuser
  profile url-filter profile_url_research
  action permit
 rule name policy_sec_user1
  source-zone trust
  destination-zone untrust
  user user-group /default/priuser
  profile file-block profile_file_user1
  action permit
 rule name policy_sec_research
  source-zone trust
  destination-zone untrust
  user user-group /default/priuser
  profile data-filter profile_data_research
  action permit
#
audit-policy
 rule name policy_audit_1
  description Policy of auditing for research.
  source-zone trust
  destination-zone untrust
  user user-group /default/priuser
  action audit profile profile_audit_1
#
traffic-policy
 profile profile_p2p
  bandwidth maximum-bandwidth whole both 30000
  bandwidth connection-limit whole both 10000
 profile profile_email
  bandwidth guaranteed-bandwidth whole both 60000
 rule name policy_p2p
  source-zone trust
  destination-zone untrust
  application app BT
  application app YouKu
  action qos profile profile_p2p
 rule name policy_email
  source-zone trust
  destination-zone untrust
  application app LotusNotes
  application app OWA
  action qos profile profile_email
#
return
- FWB configuration file
#
sysname FWB
#
interface GigabitEthernet1/0/0
 anti-ddos flow-statistic enable
#
keyword-group name keyword1
 pre-defined-keyword name confidentiality weight 1
 user-defined-keyword name abc
  expression match-mode text "abcd"
  weight 1
#
profile type audit name profile_audit_1
 description Profile of auditing for research.
 http-audit url all
 http-audit url recorded-title
 http-audit bbs-content
 http-audit micro-blog
 http-audit file direction download
 ftp-audit file direction download
profile type av name av_http_pop3
 http-detect direction download
 pop3-detect action delete-attachment
 exception application name Netease_WebMail action allow
 exception av-signature-id 1000
profile type data-filter name profile_data_research
 rule name rule1
  keyword-group name keyword1
  file-type all
  application all
  direction upload
  action block
profile type file-block name profile_file_user1
 rule name rule1
  file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP
  file-type pre-defined name ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB
  file-type pre-defined name BZ2 C CPP JAVA
  application all
  direction upload
  action block
 rule name rule2
  file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE MDI MOV
  file-type pre-defined name MPEG AVI RMVB ASF SWF MP3 MP4 MIDI
  application all
  direction download
  action block
profile type ips name profile_ips_pc
 description profile for intranet users
 collect-attack-evidence enable
 signature-set name filter1
  target client
  severity high
  protocol HTTP
#
profile type url-filter name profile_url_research
 category pre-defined subcategory-id 101 action block
 category pre-defined subcategory-id 102 action block
 category pre-defined subcategory-id 162 action block
 category pre-defined subcategory-id 163 action block
 category pre-defined subcategory-id 164 action block
 category pre-defined subcategory-id 165 action block
 category pre-defined subcategory-id 103 action block
 category pre-defined subcategory-id 166 action block
 category pre-defined subcategory-id 167 action block
 category pre-defined subcategory-id 168 action block
 category pre-defined subcategory-id 104 action block
 category pre-defined subcategory-id 169 action block
 category pre-defined subcategory-id 170 action block
 category pre-defined subcategory-id 105 action block
 category pre-defined subcategory-id 171 action block
 category pre-defined subcategory-id 172 action block
 category pre-defined subcategory-id 173 action block
 category pre-defined subcategory-id 174 action block
 category pre-defined subcategory-id 106 action block
 category pre-defined subcategory-id 108 action block
 category pre-defined subcategory-id 177 action block
 category pre-defined subcategory-id 251 action block
 category pre-defined subcategory-id 109 action block
 category pre-defined subcategory-id 110 action block
 category pre-defined subcategory-id 111 action block
 category pre-defined subcategory-id 112 action block
 category pre-defined subcategory-id 114 action block
 category pre-defined subcategory-id 115 action block
 category pre-defined subcategory-id 117 action block
 category pre-defined subcategory-id 178 action block
 category pre-defined subcategory-id 179 action block
 category pre-defined subcategory-id 180 action block
 category pre-defined subcategory-id 181 action block
 category pre-defined subcategory-id 248 action block
 category pre-defined subcategory-id 118 action block
 category pre-defined subcategory-id 119 action block
 category pre-defined subcategory-id 122 action block
 category pre-defined subcategory-id 182 action block
 category pre-defined subcategory-id 183 action block
 category pre-defined subcategory-id 184 action block
 category pre-defined subcategory-id 123 action block
 category pre-defined subcategory-id 124 action block
 category pre-defined subcategory-id 186 action block
 category pre-defined subcategory-id 187 action block
 category pre-defined subcategory-id 188 action block
 category pre-defined subcategory-id 189 action block
 category pre-defined subcategory-id 125 action block
 category pre-defined subcategory-id 127 action block
 category pre-defined subcategory-id 128 action block
 category pre-defined subcategory-id 130 action block
 category pre-defined subcategory-id 131 action block
 category pre-defined subcategory-id 132 action block
 category pre-defined subcategory-id 197 action block
 category pre-defined subcategory-id 198 action block
 category pre-defined subcategory-id 199 action block
 category pre-defined subcategory-id 200 action block
 category pre-defined subcategory-id 227 action block
 category pre-defined subcategory-id 228 action block
 category pre-defined subcategory-id 133 action block
 category pre-defined subcategory-id 201 action block
 category pre-defined subcategory-id 202 action block
 category pre-defined subcategory-id 204 action block
 category pre-defined subcategory-id 205 action block
 category pre-defined subcategory-id 134 action block
 category pre-defined subcategory-id 135 action block
 category pre-defined subcategory-id 136 action block
 category pre-defined subcategory-id 137 action block
 category pre-defined subcategory-id 138 action block
 category pre-defined subcategory-id 139 action block
 category pre-defined subcategory-id 140 action block
 category pre-defined subcategory-id 141 action block
 category pre-defined subcategory-id 206 action block
 category pre-defined subcategory-id 207 action block
 category pre-defined subcategory-id 208 action block
 category pre-defined subcategory-id 209 action block
 category pre-defined subcategory-id 210 action block
 category pre-defined subcategory-id 229 action block
 category pre-defined subcategory-id 142 action block
 category pre-defined subcategory-id 143 action block
 category pre-defined subcategory-id 144 action block
 category pre-defined subcategory-id 145 action block
 category pre-defined subcategory-id 146 action block
 category pre-defined subcategory-id 147 action block
 category pre-defined subcategory-id 211 action block
 category pre-defined subcategory-id 212 action block
 category pre-defined subcategory-id 213 action block
 category pre-defined subcategory-id 240 action block
 category pre-defined subcategory-id 253 action block
 category pre-defined subcategory-id 149 action block
 category pre-defined subcategory-id 150 action block
 category pre-defined subcategory-id 214 action block
 category pre-defined subcategory-id 215 action block
 category pre-defined subcategory-id 216 action block
 category pre-defined subcategory-id 217 action block
 category pre-defined subcategory-id 151 action block
 category pre-defined subcategory-id 218 action block
 category pre-defined subcategory-id 219 action block
 category pre-defined subcategory-id 220 action block
 category pre-defined subcategory-id 221 action block
 category pre-defined subcategory-id 222 action block
 category pre-defined subcategory-id 223 action block
 category pre-defined subcategory-id 230 action block
 category pre-defined subcategory-id 252 action block
 category pre-defined subcategory-id 152 action block
 category pre-defined subcategory-id 153 action block
 category pre-defined subcategory-id 238 action block
 category pre-defined subcategory-id 154 action block
 category pre-defined subcategory-id 155 action block
 category pre-defined subcategory-id 224 action block
 category pre-defined subcategory-id 225 action block
 category pre-defined subcategory-id 156 action block
 category pre-defined subcategory-id 157 action block
 category pre-defined subcategory-id 158 action block
 category pre-defined subcategory-id 231 action block
 category pre-defined subcategory-id 232 action block
 category pre-defined subcategory-id 159 action block
 category pre-defined subcategory-id 254 action block
 category pre-defined subcategory-id 160 action block
 category pre-defined subcategory-id 161 action block
 category pre-defined subcategory-id 176 action block
 category pre-defined subcategory-id 226 action block
 category pre-defined subcategory-id 234 action block
 category pre-defined subcategory-id 235 action block
 category pre-defined subcategory-id 236 action block
 category pre-defined subcategory-id 237 action block
 category pre-defined subcategory-id 239 action block
 category pre-defined subcategory-id 241 action block
 category pre-defined subcategory-id 233 action block
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
#
firewall zone name untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.6.0.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone untrust
  destination-zone trust
  destination-address 10.7.0.0 mask 255.255.255.0
  action permit
 rule name policy_av_1
  source-zone trust
  destination-zone untrust
  profile av av_http_pop3
  action permit
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  source-address 10.6.0.0 mask 255.255.255.0
  profile ips profile_ips_pc
  action permit
 rule name policy_sec_research
  source-zone trust
  destination-zone untrust
  user user-group /default/priuser
  profile url-filter profile_url_research
  action permit
 rule name policy_sec_user1
  source-zone trust
  destination-zone untrust
  user user-group /default/priuser
  profile file-block profile_file_user1
  action permit
 rule name policy_sec_research
  source-zone trust
  destination-zone untrust
  user user-group /default/priuser
  profile data-filter profile_data_research
  action permit
#
audit-policy
 rule name policy_audit_1
  description Policy of auditing for research.
  source-zone trust
  destination-zone untrust
  user user-group /default/priuser
  action audit profile profile_audit_1
#
traffic-policy
 profile profile_p2p
  bandwidth maximum-bandwidth whole both 30000
  bandwidth connection-limit whole both 10000
 profile profile_email
  bandwidth guaranteed-bandwidth whole both 60000
 rule name policy_p2p
  source-zone trust
  destination-zone untrust
  application app BT
  application app YouKu
  action qos profile profile_p2p
 rule name policy_email
  source-zone trust
  destination-zone untrust
  application app LotusNotes
  application app OWA
  action qos profile profile_email
#
return
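As an added example that is not part of this configuration guide, the following Python script parses a security-policy listing in the format shown above into rules and flags two things worth checking before the configuration is committed: rule names that occur more than once (the second block edits the existing rule instead of creating a new one), and profile-carrying rules that an earlier plain permit rule with the same zones and equal or looser match conditions always matches first, since security-policy rules are evaluated top-down with the first hit winning. The sample listing is a constructed, condensed copy of the rules above.

```python
# Constructed sample, condensed from the security-policy section above.
SAMPLE = """\
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.6.0.0 mask 255.255.255.0
  action permit
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  source-address 10.6.0.0 mask 255.255.255.0
  profile ips profile_ips_pc
  action permit
 rule name policy_sec_research
  source-zone trust
  destination-zone untrust
  user user-group /default/priuser
  profile url-filter profile_url_research
  action permit
 rule name policy_sec_research
  source-zone trust
  destination-zone untrust
  user user-group /default/priuser
  profile data-filter profile_data_research
  action permit"""

def parse_rules(text):
    # Returns [(name, {keyword: set(values)})] in listing order; each
    # "keyword rest-of-line" inside a rule becomes one match condition.
    rules, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("rule name "):
            cur = {}
            rules.append((line[10:], cur))
        elif cur is not None and line:
            key, _, val = line.partition(" ")
            cur.setdefault(key, set()).add(val)
    return rules

def duplicate_rule_names(rules):
    # Names listed twice: the second block modifies the first rule, it does not add one.
    return sorted({n for i, (n, _) in enumerate(rules) if n in [m for m, _ in rules[:i]]})

def shadowed_profile_rules(rules):
    # Profile rules that an earlier plain permit with equal or looser conditions hits first.
    def covers(e, r):  # every condition of earlier rule e is also present in r
        return "profile" not in e and e.get("action") == {"permit"} and all(
            v <= r.get(k, set()) for k, v in e.items() if k != "action")
    return [name for i, (name, r) in enumerate(rules)
            if "profile" in r and any(covers(e, r) for _, e in rules[:i])]
```

Run against the sample, the script reports policy_sec_research as a duplicate name and policy_sec_1 as shadowed by trust_to_untrust, which matches the same 10.6.0.0/24 source without applying the IPS profile.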