CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the security configurations, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Configuration Examples

This section provides configuration examples of URL filtering.

Example for Configuring URL Filtering to Regulate Online Behaviors of Employees

Networking Requirements

As shown in Figure 6-7, the Router is deployed as the gateway at the enterprise network edge. The online behaviors of users who access web resources over HTTP need to be regulated.

The company has R&D and marketing departments. The requirements are as follows:
  • All employees are allowed to access websites containing huawei.com.
  • All employees are prevented from accessing websites containing youtube.com.
  • R&D employees are allowed to access only www.google.com.
  • Marketing employees are allowed to access only education/science, search/portal, and social focus websites, and only from 09:00 to 17:00 on workdays.
Figure 6-7  Networking for configuring URL filtering to regulate online behaviors of employees

Configuration Roadmap

The configuration roadmap is as follows:

  1. Divide the R&D department, marketing department, and external network into the trust1, trust2, and untrust zones, and add the interfaces to these zones so that the device can inspect traffic between the R&D department, marketing department, and external network.
  2. Configure a URL filtering profile research for the R&D department.
    1. Add URLs containing huawei.com to the whitelist to allow employees to access these websites.
    2. Add URLs containing youtube.com to the blacklist to prevent employees from accessing these websites.
    3. Add www.google.com to a user-defined URL category and set the action for that category to permit.
    4. Configure URL filtering for all the websites not included in URL categories and set the action to block.
  3. Configure a URL filtering profile market for the marketing department.
    1. Add URLs containing huawei.com to the whitelist to allow employees to access these websites.
    2. Add URLs containing youtube.com to the blacklist to prevent employees from accessing these websites.
    3. Set the action for the predefined education/science, search/portal, and social focus categories to permit.
    4. Configure URL filtering for all the websites not included in URL categories and set the action to block.
  4. Configure the object requiring content security detection, that is, an ACL that references the time range during which content detection is to be performed.
  5. Configure two security policies, test1 and test2, bind them to the URL filtering profiles research and market respectively, and reference the ACL in test2 so that content security detection for marketing traffic is performed only within that time range.
  6. Apply the security policy test1 between the trust1 and untrust zones and the security policy test2 between the trust2 and untrust zones to control Internet access.

Procedure

  1. Upgrade the SA signature database from local storage. By default, the SA signature database is stored in sd1:/default-sdb/sa-sdb.zip.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] engine enable
    [Router] update local sa-sdb file sd1:/default-sdb/sa-sdb.zip
    

  2. Create zones.

    # Create trust1, trust2, and untrust zones.

    [Router] firewall zone trust1
    [Router-zone-trust1] priority 14
    [Router-zone-trust1] quit
    [Router] firewall zone trust2
    [Router-zone-trust2] priority 10
    [Router-zone-trust2] quit
    [Router] firewall zone untrust
    [Router-zone-untrust] priority 1
    [Router-zone-untrust] quit
    

  3. Assign IP addresses to interfaces and add interfaces to the zones.

    # Assign IP addresses to Ethernet1/0/0, Ethernet1/0/1, and GE2/0/0, and add Ethernet1/0/0 to the trust1 zone, Ethernet1/0/1 to the trust2 zone, and GE2/0/0 to the untrust zone.

    [Router] interface ethernet 1/0/0
    [Router-Ethernet1/0/0] ip address 192.168.100.1 24
    [Router-Ethernet1/0/0] zone trust1
    [Router-Ethernet1/0/0] quit
    [Router] interface ethernet 1/0/1
    [Router-Ethernet1/0/1] ip address 192.168.200.1 24
    [Router-Ethernet1/0/1] zone trust2
    [Router-Ethernet1/0/1] quit
    [Router] interface gigabitethernet 2/0/0
    [Router-GigabitEthernet2/0/0] ip address 1.1.1.1 24
    [Router-GigabitEthernet2/0/0] zone untrust
    [Router-GigabitEthernet2/0/0] quit

  4. Configure URL filtering.

    # Configure a user-defined URL category named url_userdefine_category and add www.google.com to url_userdefine_category.

    [Router] url-filter category user-defined name url_userdefine_category
    [Router-category-user-defined-url_userdefine_category] add url www.google.com 
    [Router-category-user-defined-url_userdefine_category] quit
    

    # Configure a URL filtering profile named research to filter traffic from R&D employees.

    [Router] profile type url-filter name research
    [Router-profile-url-filter-research] add whitelist url *huawei.com*
    [Router-profile-url-filter-research] add blacklist url *youtube.com*
    [Router-profile-url-filter-research] category pre-defined action block
    [Router-profile-url-filter-research] category user-defined action block
    [Router-profile-url-filter-research] category user-defined name url_userdefine_category action allow
    [Router-profile-url-filter-research] default action block
    [Router-profile-url-filter-research] quit
    

    # Configure a URL filtering profile named market to filter traffic from marketing employees.

    NOTE:

    The display url-filter category pre-defined command output displays that the IDs of social focus, search/portal, and education/science categories are 5, 15 and 17.

    Before referencing predefined URL categories, run the import url-sdb file command in the system view to import the predefined URL category database into the device cache. By default, this database is stored in sd1:/default-sdb/url.sdb, so the command is import url-sdb file sd1:/default-sdb/url.sdb.

    [Router] profile type url-filter name market
    [Router-profile-url-filter-market] add whitelist url *huawei.com*
    [Router-profile-url-filter-market] add blacklist url *youtube.com*
    [Router-profile-url-filter-market] category pre-defined action block
    [Router-profile-url-filter-market] category pre-defined category-id 5 action allow
    [Router-profile-url-filter-market] category pre-defined category-id 15 action allow
    [Router-profile-url-filter-market] category pre-defined category-id 17 action allow
    [Router-profile-url-filter-market] default action block
    [Router-profile-url-filter-market] quit
    

  5. Configure objects requiring content security detection.

    # Configure the device to perform content security detection for traffic passing through it from 09:00 to 17:00 on workdays.

    [Router] time-range test 09:00 to 17:00 working-day
    [Router] acl 2000
    [Router-acl-basic-2000] rule 5 permit time-range test
    [Router-acl-basic-2000] quit
    

  6. Bind URL filtering profiles to security policies.

    # Create a security policy named test1 and bind the URL filtering profile research to the security policy test1.

    [Router] security-policy test1 
    [Router-security-policy-test1] profile urlf research
    [Router-security-policy-test1] quit
    

    # Create a security policy named test2 and bind the URL filtering profile market to the security policy test2.

    [Router] security-policy test2
    [Router-security-policy-test2] profile urlf market acl 2000
    [Router-security-policy-test2] quit
    

  7. Apply security policies to interzones.

    # Apply the security policy test1 between trust1 and untrust zones.

    [Router] firewall interzone trust1 untrust
    [Router-interzone-trust1-untrust] security-policy test1
    [Router-interzone-trust1-untrust] quit
    

    # Apply the security policy test2 between trust2 and untrust zones.

    [Router] firewall interzone trust2 untrust
    [Router-interzone-trust2-untrust] security-policy test2
    [Router-interzone-trust2-untrust] quit
    

  8. Commit the configuration.

    [Router] engine configuration commit
    

  9. Verify the configuration.

    • All employees can access websites containing huawei.com.
    • No employees can access websites containing youtube.com.
    • R&D employees can access www.google.com and websites containing huawei.com, but cannot access other websites.
    • Marketing employees can access education/science, search/portal, and social focus websites and websites containing huawei.com from 09:00 to 17:00 on workdays, but cannot access other websites.
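The roadmap and procedure above build two profiles that differ only in how categories are handled and in whether an ACL time range gates inspection. The following Python model is an added illustration, not Huawei code and not a description of the device's internal implementation: it replays the research and market profiles against constructed sample URLs so the expected results in step 9 can be checked mechanically. The evaluation order (whitelist, blacklist, user-defined category, predefined category, default action), the host-based category lookup, treating 17:00 as exclusive, and the PREDEFINED_DB table with its hostnames and category 99 are all assumptions or constructed data; only the patterns, the user-defined category, and category IDs 5, 15 and 17 come from the page. It also shows one caveat: because `*huawei.com*` is matched against the whole URL, a URL such as http://evil.example/?ref=huawei.com is whitelisted too.

```python
"""Model of the URL filtering decisions configured on the Router in this example.

Added illustration, not Huawei code. Evaluation order, host-based category
lookup and PREDEFINED_DB are modelling assumptions / constructed data.
"""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the predefined URL category database (url.sdb).
# IDs 5, 15, 17 are the page's social focus, search/portal and
# education/science categories; the hostnames and category 99 are invented.
PREDEFINED_DB: Dict[str, int] = {
    "social.example": 5,
    "portal.example": 15,
    "edu.example": 17,
    "games.example": 99,
}

# url-filter category user-defined name url_userdefine_category / add url www.google.com
USER_DEFINED_CATEGORIES: Dict[str, Set[str]] = {
    "url_userdefine_category": {"www.google.com"},
}


@dataclass
class UrlFilterProfile:
    """One 'profile type url-filter' as configured on the Router."""
    name: str
    whitelist: List[str] = field(default_factory=list)
    blacklist: List[str] = field(default_factory=list)
    user_defined_action: Optional[str] = None          # 'category user-defined action X'
    user_defined_overrides: Dict[str, str] = field(default_factory=dict)  # '... name N action Y'
    predefined_action: Optional[str] = None            # 'category pre-defined action X'
    predefined_overrides: Dict[int, str] = field(default_factory=dict)    # 'category-id N action Y'
    default_action: str = "block"

    def decide(self, url: str) -> Tuple[str, str]:
        """Return (action, reason). The order of checks is an assumption of this model."""
        host = (urlsplit(url).hostname or "").lower()
        # Whitelist/blacklist patterns are matched against the whole URL, so
        # '*huawei.com*' also matches a URL carrying the string in its path or query.
        if any(fnmatchcase(url, p) for p in self.whitelist):
            return "allow", "whitelist"
        if any(fnmatchcase(url, p) for p in self.blacklist):
            return "block", "blacklist"
        for cat, hosts in USER_DEFINED_CATEGORIES.items():
            if host in hosts:
                action = self.user_defined_overrides.get(cat, self.user_defined_action)
                if action is not None:          # profile configured an action for it
                    return action, f"user-defined:{cat}"
        cat_id = PREDEFINED_DB.get(host)
        if cat_id is not None:
            action = self.predefined_overrides.get(cat_id, self.predefined_action)
            if action is not None:
                return action, f"pre-defined:{cat_id}"
        return self.default_action, "default"


def in_working_hours(when: datetime) -> bool:
    """'time-range test 09:00 to 17:00 working-day': Mon-Fri, 09:00 <= t < 17:00
    (treating the end as exclusive is an assumption)."""
    return when.weekday() < 5 and (9, 0) <= (when.hour, when.minute) < (17, 0)


# security-policy test1: profile urlf research (no ACL, always inspected)
RESEARCH = UrlFilterProfile(
    name="research", whitelist=["*huawei.com*"], blacklist=["*youtube.com*"],
    user_defined_action="block",
    user_defined_overrides={"url_userdefine_category": "allow"},
    predefined_action="block",
)

# security-policy test2: profile urlf market acl 2000 (inspected only in time-range test)
MARKET = UrlFilterProfile(
    name="market", whitelist=["*huawei.com*"], blacklist=["*youtube.com*"],
    predefined_action="block",
    predefined_overrides={5: "allow", 15: "allow", 17: "allow"},
)

WED_10 = datetime(2019, 5, 22, 10, 0)   # a Wednesday, inside time-range test
WED_17 = datetime(2019, 5, 22, 17, 0)   # end boundary, treated as outside
SAT_10 = datetime(2019, 5, 25, 10, 0)   # a Saturday, outside time-range test


def evaluate(profile: UrlFilterProfile, url: str, when: datetime,
             time_limited: bool) -> Tuple[str, str]:
    """Apply a security policy. With acl 2000 bound, traffic outside the time
    range is not content-inspected, so the profile is never consulted."""
    if time_limited and not in_working_hours(when):
        return "uninspected", "outside acl 2000 time-range"
    return profile.decide(url)


if __name__ == "__main__":
    for url in ("http://www.huawei.com/", "http://www.youtube.com/watch",
                "http://www.google.com/search", "http://edu.example/",
                "http://games.example/", "http://evil.example/?ref=huawei.com"):
        print(f"{url:40} research={evaluate(RESEARCH, url, WED_10, False)} "
              f"market={evaluate(MARKET, url, WED_10, True)}")
    print("market on Saturday:", evaluate(MARKET, "http://edu.example/", SAT_10, True))
```

Running the block prints one decision per URL for each profile. The last line shows that outside time-range test the marketing traffic is simply not content-inspected by this profile; what governs it at that point is outside the scope of this example.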

Configuration Files

# Configuration file of the Router

#
 sysname Router
#
 time-range test 09:00 to 17:00 working-day
#
 engine enable
#
acl number 2000
 rule 5 permit time-range test
#
url-filter category user-defined name url_userdefine_category
 add url www.google.com
#
profile type url-filter name research
 add blacklist url *youtube.com*
 add whitelist url *huawei.com*
 ...
 default action block
profile type url-filter name market
 add blacklist url *youtube.com*
 add whitelist url *huawei.com*
 category pre-defined subcategory-id 101 action block
 category pre-defined subcategory-id 102 action block
 category pre-defined subcategory-id 162 action block
 ...
 default action block
#
security-policy test1
  profile urlf research
security-policy test2
  profile urlf market acl 2000
#
firewall zone trust2
 priority 10
#
firewall zone untrust
 priority 1
#
firewall zone trust1
 priority 14
#
firewall interzone trust1 untrust
 security-policy test1
#
firewall interzone trust2 untrust 
 security-policy test2
#
interface Ethernet1/0/0
 ip address 192.168.100.1 255.255.255.0
 zone trust1
#
interface Ethernet1/0/1
 ip address 192.168.200.1 255.255.255.0
 zone trust2
#
interface GigabitEthernet2/0/0
 ip address 1.1.1.1 255.255.255.0
 zone untrust
#
return
Updated: 2019-05-25

Document ID: EDOC1000097287