CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Configuring URL Filtering

This section describes how to configure URL filtering.

Configuring a URL Filtering Profile

Context

To accurately manage online behaviors of users, a URL filtering profile defines the predefined URL categories, user-defined URL categories, blacklist, and whitelist to control URLs. The device filters the content of an HTTP request, extracts the URL, and matches the URL with the whitelist, blacklist, user-defined URL category, or predefined URL category. If the URL is matched, the device processes the HTTP request according to the configured action.

The whitelist, blacklist, and predefined and user-defined URL categories are applicable to the following scenarios:
  • A predefined URL category is used to define many common websites accessed by enterprise employees.
  • A user-defined URL category is used to define new websites not in the predefined URL category and customized websites meeting special requirements.
  • A blacklist is used to define websites that enterprise employees are not allowed to access.
  • A whitelist is used to define websites that enterprise employees are allowed to access.

Generally, a predefined URL category is mandatory, and the user-defined URL category, whitelist, and blacklist are optional.

Procedure

  • Configuring a URL filtering profile that defines a predefined URL category

    1. (Optional) Configure a predefined URL category.

      1. Run:

        system-view

        The system view is displayed.

      2. Run:

        url-filter category pre-defined subcategory-id subcategory-id

        The predefined URL subcategory view is displayed.

        NOTE:

        The device is delivered from the factory with a predefined URL category database. If the predefined URL category database fails to be loaded, or the security service center updates it, run the import url-sdb file filename command to import a URL category database.

      3. Run:

        add { url url-text | host host-text }

        A URL or domain name rule is added to a predefined category.

        By default, no URL or domain name rule is configured for a predefined URL subcategory.

      4. Run:

        quit

        Return to the system view.

    2. Configure an action for the predefined URL category.

      1. Run the following commands as required.

        • Run the profile type url-filter name name command to create a URL filtering profile and enter the URL filtering profile view if no URL filtering profile exists on the device.
        • To speed up configuration of a URL filtering profile, run the profile type url-filter copy old-name [ new-name ] command to create a URL filtering profile by copying an existing one and enter the view of the created URL filtering profile if a URL filtering profile exists on the device.

        By default, no URL filtering profile is configured.

      2. (Optional) Run:

        category action mode { strict | loose }

        The action mode of URL filtering is configured.

        By default, the action mode of URL filtering is the strict mode.

      3. (Optional) Run:

        description description

        The description is configured for the URL filtering profile.

        By default, no description is configured for a URL filtering profile.

      4. Run:

        category pre-defined control-level { high | low | medium }

        A control level is configured for the predefined URL category.

        By default, the control level of a predefined URL category is low.

        The system defines high, medium, and low control levels, and configures an action for all predefined URL categories according to each control level. A high control level indicates a strict action for URL categories, for example, the device blocks HTTP requests matching porn, P2P download, and video categories. A low control level indicates a loose action for URL categories, for example, the device blocks HTTP requests matching porn categories only.

      5. Run:

        category pre-defined [ category-id category-id | subcategory-id subcategory-id ] action { allow | block | alert }

        An action is configured for the predefined URL category.

        By default, the action in a predefined URL category is allow.

      6. (Optional) Run:

        default action { allow | block | alert }

        The default action is configured for the URL filtering profile.

        By default, the default action in a predefined URL category is allow.

      7. Run:

        quit

        Return to the system view.

      8. Run:

        engine configuration commit

        The URL filtering configuration is committed.

        After the security policy configurations including intrusion defense and URL filtering configurations are created or modified, you must run the engine configuration commit command to commit the configurations to make the configurations take effect. Committing the configurations takes a long period of time. It is recommended that you commit the configurations after modifying all security policy configurations.

  • Configuring a URL filtering profile that defines a user-defined URL category

    1. Configure a user-defined URL category.

      1. Run:

        system-view

        The system view is displayed.

      2. Run the following commands as required.

        • Run the url-filter category user-defined name category-name command to create a user-defined URL category and enter the view of the user-defined URL category.
        • Run the url-filter category pre-defined copy subcategory-id new-name command to create a user-defined URL category by copying an existing predefined URL category and enter the view of the created user-defined URL category if the content of the new user-defined URL category is similar to the content of the existing predefined URL category.
        • Run the url-filter category user-defined copy old-name [ new-name ] command to create a user-defined URL category by copying an existing one and enter the view of the created user-defined URL category if the content of the new user-defined URL category is similar to the content of the existing one.

        By default, no user-defined URL category exists.

      3. (Optional) Run:

        description description

        The description is configured for the user-defined URL category.

        By default, no description is configured for a user-defined URL category.

      4. Run:

        add { url url-text | host host-text }

        A URL or domain name rule is added to the user-defined category.

        By default, no URL or domain name rule is added to the user-defined category.

      5. Run:

        quit

        Return to the system view.

    2. Configure an action for the user-defined URL category.

      1. Run the following commands as required.

        • Run the profile type url-filter name name command to create a URL filtering profile and enter the URL filtering profile view if no URL filtering profile exists on the device.
        • To speed up configuration of a URL filtering profile, run the profile type url-filter copy old-name [ new-name ] command to create a URL filtering profile by copying an existing one and enter the view of the created URL filtering profile if a URL filtering profile exists on the device.

        By default, no URL filtering profile is configured.

      2. (Optional) Run:

        description description

        The description is configured for the URL filtering profile.

        By default, no description is configured for a URL filtering profile.

      3. Run:

        category user-defined [ name category-name ] action { allow | block | alert }

        An action is configured for the user-defined URL category.

        By default, the action in a user-defined URL category is allow.

      4. Run:

        quit

        Return to the system view.

      5. Run:

        engine configuration commit

        The URL filtering configuration is committed.

  • Configuring a URL filtering profile that defines the blacklist and whitelist
    1. Run:

      system-view

      The system view is displayed.

    2. Run the following commands as required.

      • Run the profile type url-filter name name command to create a URL filtering profile and enter the URL filtering profile view if no URL filtering profile exists on the device.
      • To speed up configuration of a URL filtering profile, run the profile type url-filter copy old-name [ new-name ] command to create a URL filtering profile by copying an existing one and enter the view of the created URL filtering profile if a URL filtering profile exists on the device.

      By default, no URL filtering profile is configured.

    3. (Optional) Run:

      description description

      The description is configured for the URL filtering profile.

      By default, no description is configured for a URL filtering profile.

    4. Run the following commands as required.

      • Run:

        add whitelist { url url-text | host host-text }

        A whitelist rule is added to the URL filtering profile.

      • Run:

        add blacklist { url url-text | host host-text }

        A blacklist rule is added to the URL filtering profile.

    5. Run:

      quit

      Return to the system view.

    6. Run:

      engine configuration commit

      The URL filtering configuration is committed.

Follow-up Procedure

After the URL filtering profile is configured, you can rename the user-defined URL category or URL filtering profile to facilitate management.
  • Run the rename new-name command in the URL filtering profile view to rename an existing URL filtering profile and enter the view of the new profile.
  • Run the rename new-name command in the URL filtering profile view to rename an existing user-defined URL category and enter the view of the new user-defined URL category.

Binding a URL Filtering Profile to a Security Policy

Prerequisites

If an ACL needs to be referenced when you bind a URL filtering profile to a security policy, ensure that the ACL has been created using the acl (system view) command.

Context

The device uses a security policy to implement integrated detection of content security. After a URL filtering profile is configured, you need to bind the URL filtering profile to a security policy and apply the security policy to an interzone so that the device can regulate online behaviors according to the security policy.

There are various types of service traffic on a network, and multiple security policies can be configured on the device. A security policy can be bound to profiles of different types, but to only one profile of each type.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    security-policy policy-name

    A security policy is created and the security policy view is displayed.

    By default, no security policy is created.

  3. Run:

    profile urlf urlf-name [ acl acl-id ]

    A URL filtering profile is bound to the security policy.

    By default, no URL filtering profile is bound to a security policy.

    NOTE:

    When a URL filtering profile is bound to ACL4, create bidirectional rules in the ACL to make the configuration take effect.

Binding the Security Policy to an Interzone

Prerequisites

Context

URL filtering takes effect only when the range to which the URL filtering rule applies is specified.

Security check is triggered only when data flows between different interzones. To make URL filtering take effect, bind a security policy to an interzone.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    firewall interzone zone-name1 zone-name2

    An interzone is created and the interzone view is displayed.

    By default, no interzone is created.

    You must specify two existing zones for the interzone.

  3. Run:

    security-policy policy-name

    The security policy is bound to the interzone.

    By default, no security policy is bound to an interzone.

    If no ACL is configured when a URL filtering profile is bound to a security policy, the device performs URL filtering for traffic in all interzones. If an ACL is configured when a URL filtering profile is bound to a security policy, the device determines whether to perform URL filtering for traffic according to the ACL rule:
    • If the ACL rule defines a permit clause, the device detects traffic matching the ACL rule.
    • If the ACL rule defines a deny clause, the device does not detect traffic matching the ACL rule.
    • If traffic does not match the ACL, the device does not detect the traffic.

  4. Run:

    quit

    Return to the system view.
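The three procedures above (configuring a profile, binding it to a security policy, binding the policy to an interzone) combined into one end-to-end session. This is an added example, not part of the original guide: the names uc_blocked, urlf_office and sp_web, the host names, and the zones trust and untrust are constructed placeholders, and both zones are assumed to exist already. Lines starting with # are annotations, not commands.

```text
system-view

# 1. User-defined URL category holding the hosts to be blocked.
url-filter category user-defined name uc_blocked
add host www.example.com
quit

# 2. URL filtering profile: predefined categories at the medium control
#    level, the user-defined category blocked, plus explicit whitelist
#    and blacklist entries.
profile type url-filter name urlf_office
category pre-defined control-level medium
category user-defined name uc_blocked action block
add whitelist host intranet.example.net
add blacklist host ads.example.org
# The default action is allow unless changed; alert is chosen here so
# that requests matching no rule are not passed silently.
default action alert
quit

# 3. Commit once, after all URL filtering changes are complete
#    (the commit takes a long time).
engine configuration commit

# 4. Bind the profile to a security policy. No ACL is referenced, so
#    the ACL permit/deny selection described above does not apply.
security-policy sp_web
profile urlf urlf_office
quit

# 5. Bind the security policy to the interzone; without this step the
#    profile has no traffic to act on.
firewall interzone trust untrust
security-policy sp_web
quit

# 6. Check the resulting profile.
display profile type url-filter name urlf_office
```

If an ACL is referenced in step 4, remember that traffic matching a deny rule, or matching no rule at all, is not inspected by URL filtering.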

(Optional) Configuring the Device to Control the Generation of URL Filtering Logs

Context

If the URL requests of many users match the URL blacklist, user-defined URL category, or predefined URL category within a period of time, the URL filtering module reports many logs to the device in a short time. If the device outputs logs in real time, the logs flood the administrator's screen.

To address this issue, configure the log cache function to control how frequently URL filtering logs are generated, or disable log generation in the URL filtering module so that the module does not report logs.

Procedure

  • Configuring the log cache function
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      engine log url-filter enable

      The URL filtering module is enabled to generate logs.

      By default, the URL filtering module is enabled to generate logs.

    3. Run:

      engine log timeout time

      The period for caching logs is set.

      By default, the period for caching logs is 1 minute.

  • Disabling the URL filtering module from generating logs
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      undo engine log url-filter enable

      The URL filtering module is disabled from generating logs.

      By default, the URL filtering module is enabled to generate logs.

Checking the Configuration

Prerequisites

The URL filtering configuration is complete.

Procedure

  • Run the display url-filter category pre-defined [ category-id category-id | subcategory-id subcategory-id | url url-text | host host-text ] command to check predefined URL category information.
  • Run the display url-filter category user-defined [ name category-name | url url-text | host host-text ] command to check user-defined URL category information.
  • Run the display profile type url-filter or display profile type url-filter name name [ blacklist [ url url-text | host host-text ] | whitelist [ url url-text | host host-text ] | pre-defined [ category-id category-id | subcategory-id subcategory-id ] | user-defined [ name category-name ] ] command to check URL filtering profile information.
Updated: 2019-05-25

Document ID: EDOC1000097287
