CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.

Configuring URL Filtering

Configuring a URL Filtering Profile

Context

To accurately manage online behaviors of users, a URL filtering profile defines the predefined URL categories, user-defined URL categories, blacklist, and whitelist to control URLs. The device filters the content of an HTTP request, extracts the URL, and matches the URL with the whitelist, blacklist, user-defined URL category, or predefined URL category. If the URL is matched, the device processes the HTTP request according to the configured action.

The whitelist, blacklist, and predefined and user-defined URL categories are applicable to the following scenarios:
  • A predefined URL category is used to define many common websites accessed by enterprise employees.
  • A user-defined URL category is used to define new websites not in the predefined URL category and customized websites meeting special requirements.
  • A blacklist is used to define websites that enterprise employees are not allowed to access.
  • A whitelist is used to define websites that enterprise employees are allowed to access.

Generally, a predefined URL category is mandatory, and the user-defined URL category, whitelist, and blacklist are optional.

If duplicate rules are configured for the predefined URL category, user-defined URL category, blacklist, or whitelist, they are recorded as only one rule.

Procedure

  • Configuring a URL filtering profile that defines a predefined URL category

    1. (Optional) Configure a predefined URL category.

      1. Run system-view

        The system view is displayed.

      2. Run url-filter category pre-defined subcategory-id subcategory-id

        The predefined URL subcategory view is displayed.

        NOTE:

        The device is delivered with a predefined URL category database. If the predefined URL category database fails to be loaded, or the security service center updates the predefined URL category database, run the import url-sdb file filename command to import a URL category database.

      3. Run add { url url-text | host host-text }

        A URL or domain name rule is added to a predefined category.

        By default, no URL or domain name rule is configured for a predefined URL subcategory.

      4. Run quit

        Return to the system view.

    2. Configure an action for the predefined URL category.

      1. Run the following commands as required.

        • Run the profile type url-filter name name command to create a URL filtering profile and enter the URL filtering profile view if no URL filtering profile exists on the device.
        • To speed up configuration of a URL filtering profile, run the profile type url-filter copy old-name [ new-name ] command to create a URL filtering profile by copying an existing one and enter the view of the created URL filtering profile if a URL filtering profile exists on the device.

        By default, no URL filtering profile is configured.

      2. (Optional) Run category action mode { strict | loose }

        The action mode of URL filtering is configured.

        By default, the action mode of URL filtering is the strict mode.

      3. (Optional) Run description description

        The description is configured for the URL filtering profile.

        By default, no description is configured for a URL filtering profile.

      4. Run category pre-defined control-level { high | low | medium }

        A control level is configured for the predefined URL category.

        By default, the control level of a predefined URL category is low.

        The system defines high, medium, and low control levels, and configures an action for all predefined URL categories according to each control level. A high control level indicates a strict action for URL categories, for example, the device blocks HTTP requests matching porn, P2P download, and video categories. A low control level indicates a loose action for URL categories, for example, the device blocks HTTP requests matching porn categories only.

      5. Run category pre-defined [ category-id category-id | subcategory-id subcategory-id ] action { allow | block | alert }

        An action is configured for the predefined URL category.

        By default, the action in a predefined URL category is allow.

      6. (Optional) Run default action { allow | block | alert }

        The default action is configured for the URL filtering profile.

        By default, the default action in a predefined URL category is allow.

      7. (Optional) Run https-filter enable

        Enable the encrypted traffic filtering function.

        By default, the function is disabled.

      8. Run quit

        Return to the system view.

      9. Run engine configuration commit

        The URL filtering configuration is committed.

        After the security policy configurations including intrusion defense and URL filtering configurations are created or modified, you must run the engine configuration commit command to commit the configurations to make the configurations take effect. Committing the configurations takes a long period of time. It is recommended that you commit the configurations after modifying all security policy configurations.

  • Configuring a URL filtering profile that defines a user-defined URL category

    1. Configure a user-defined URL category.

      1. Run system-view

        The system view is displayed.

      2. Run the following commands as required.

        • Run the url-filter category user-defined name category-name command to create a user-defined URL category and enter the view of the user-defined URL category.
        • Run the url-filter category pre-defined copy subcategory-id new-name command to create a user-defined URL category by copying an existing predefined URL category and enter the view of the created user-defined URL category if the content of the new user-defined URL category is similar to the content of the existing predefined URL category.
        • Run the url-filter category user-defined copy old-name [ new-name ] command to create a user-defined URL category by copying an existing one and enter the view of the created user-defined URL category if the content of the new user-defined URL category is similar to the content of the existing one.

        By default, no user-defined URL category exists.

      3. (Optional) Run description description

        The description is configured for the user-defined URL category.

        By default, no description is configured for a user-defined URL category.

      4. Run add { url url-text | host host-text }

        A URL or domain name rule is added to the user-defined category.

        By default, no URL or domain name rule is added to the user-defined category.

      5. Run quit

        Return to the system view.

    2. Configure an action for the user-defined URL category.

      1. Run the following commands as required.

        • Run the profile type url-filter name name command to create a URL filtering profile and enter the URL filtering profile view if no URL filtering profile exists on the device.
        • To speed up configuration of a URL filtering profile, run the profile type url-filter copy old-name [ new-name ] command to create a URL filtering profile by copying an existing one and enter the view of the created URL filtering profile if a URL filtering profile exists on the device.

        By default, no URL filtering profile is configured.

      2. (Optional) Run description description

        The description is configured for the URL filtering profile.

        By default, no description is configured for a URL filtering profile.

      3. Run category user-defined [ name category-name ] action { allow | block | alert }

        An action is configured for the user-defined URL category.

        By default, the action in a user-defined URL category is allow.

      4. (Optional) Run https-filter enable

        Enable the encrypted traffic filtering function.

        By default, the function is disabled.

      5. Run quit

        Return to the system view.

      6. Run engine configuration commit

        The URL filtering configuration is committed.

  • Configuring a URL filtering profile that defines the blacklist and whitelist
    1. Run system-view

      The system view is displayed.

    2. Run the following commands as required.

      • Run the profile type url-filter name name command to create a URL filtering profile and enter the URL filtering profile view if no URL filtering profile exists on the device.
      • To speed up configuration of a URL filtering profile, run the profile type url-filter copy old-name [ new-name ] command to create a URL filtering profile by copying an existing one and enter the view of the created URL filtering profile if a URL filtering profile exists on the device.

      By default, no URL filtering profile is configured.

    3. (Optional) Run description description

      The description is configured for the URL filtering profile.

      By default, no description is configured for a URL filtering profile.

    4. (Optional) Run https-filter enable

      Enable the encrypted traffic filtering function.

      By default, the function is disabled.

    5. Run the following commands as required.

      • Run add whitelist { url url-text | host host-text }

        A whitelist rule is added to the URL filtering profile.

      • Run add blacklist { url url-text | host host-text }

        A blacklist rule is added to the URL filtering profile.

    6. Run add referer-host host-text

      Add a referer-host rule to the URL filtering profile.

      The referer field in an HTTP request is matched with the referer-host rule. If a match is found, the URL request is allowed. If the referer field in the HTTP request does not match the configured referer-host rule, you can determine whether the referer field is then matched with all whitelist rules.
      • When the function of matching the referer field in a URL request with whitelist rules is enabled, the referer field is matched with all whitelist rules. If a match is found, the URL request is allowed.
      • When the function of matching the referer field with whitelist rules is disabled, the referer field is not matched with any whitelist rule.

      By default, the function of matching the referer field in a URL request with whitelist rules is enabled. To disable the function, run the undo referer-filter whitelist-all enable command. If referer-host is not configured and the function of matching the referer field with the whitelist is enabled, the Router matches the referer field in the HTTP request with all whitelist rules. If the referer field matches a whitelist rule, the URL request is allowed.

    7. Run quit

      Return to the system view.

    8. Run engine configuration commit

      The URL filtering configuration is committed.

Follow-up Procedure

After the URL filtering profile is configured, you can rename the user-defined URL category or URL filtering profile to facilitate management.
  • Run the rename new-name command in the URL filtering profile view to rename an existing URL filtering profile and enter the view of the new profile.
  • Run the rename new-name command in the URL filtering profile view to rename an existing user-defined URL category and enter the view of the new user-defined URL category.

Binding a URL Filtering Profile to a Security Policy

Prerequisites

If an ACL needs to be referenced when you bind a URL filtering profile to a security policy, ensure that the ACL has been created using the acl (system view) command.

Context

The device uses a security policy to implement integrated detection of content security. After a URL filtering profile is configured, you need to bind the URL filtering profile to a security policy and apply the security policy to an interzone so that the device can regulate online behaviors according to the security policy.

There are various types of service traffic on a network, and multiple security policies can be configured on the device. A security policy can be bound to profiles of different types, but to only one profile of each type.

NOTE:

To configure several content security protection functions at the same time (for example, URL filtering and IPS), configure a URL filtering profile and an IPS profile, and run the profile (security policy view) command to bind both profiles to a security policy.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run security-policy policy-name

    A security policy is created and the security policy view is displayed.

    By default, no security policy is created.

  3. Run profile urlf urlf-name [ acl acl-id ]

    A URL filtering profile is bound to the security policy.

    By default, no URL filtering profile is bound to a security policy.

    NOTE:

    When a URL filtering profile is bound to ACL4, create bidirectional rules in the ACL to make the configuration take effect.

Binding the Security Policy to an Interzone

Prerequisites

Context

URL filtering takes effect only when the range to which the URL filtering rule applies is specified.

A security check is triggered only when data flows between different interzones. To make URL filtering take effect, bind a security policy to an interzone.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run firewall interzone zone-name1 zone-name2

    An interzone is created and the interzone view is displayed.

    By default, no interzone is created.

    You must specify two existing zones for the interzone.

  3. Run security-policy policy-name

    The security policy is bound to the interzone.

    By default, no security policy is bound to an interzone.

    If no ACL is configured when a URL filtering profile is bound to a security policy, the device performs URL filtering for traffic in all interzones. If an ACL is configured when a URL filtering profile is bound to a security policy, the device determines whether to perform URL filtering for traffic according to the ACL rule:
    • If the ACL rule defines a permit clause, the device detects traffic matching the ACL rule.
    • If the ACL rule defines a deny clause, the device does not detect traffic matching the ACL rule.
    • If traffic does not match the ACL, the device does not detect the traffic.

  4. Run quit

    Return to the system view.
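
The three procedures above (blacklist/whitelist profile, binding to a security policy, binding to an interzone) combined into one session, as an added example that is not part of the original guide. The profile name office-urlf, policy name office-policy, zone names trust and untrust (assumed to exist already), and the example.com/example.net hosts are all assumptions; only commands listed on this page are used.

```text
# Annotation lines start with "#" and are not typed on the device.
# Assumed names (not from the original guide): office-urlf, office-policy,
# zones trust/untrust (must already exist), constructed example hosts.

system-view

# 1. Create the URL filtering profile and define its rules.
profile type url-filter name office-urlf
 description office-web-access
 # Predefined categories: pick a control level (the default is low).
 category pre-defined control-level medium
 # Filter encrypted traffic as well (disabled by default).
 https-filter enable
 # Explicit deny and allow entries.
 add blacklist host blocked.example.net
 add whitelist host intranet.example.com
 # Requests whose referer field matches this host are allowed.
 add referer-host portal.example.com
 quit

# 2. Commit; nothing above takes effect until this runs.
engine configuration commit

# 3. Bind the profile to a security policy.
#    No ACL is given, so the device does not restrict URL filtering
#    to traffic permitted by an ACL rule.
security-policy office-policy
 profile urlf office-urlf
 quit

# 4. Bind the security policy to an interzone; without this step
#    no security check is triggered for the traffic.
firewall interzone trust untrust
 security-policy office-policy
 quit

# 5. Confirm what the profile contains.
display profile type url-filter name office-urlf
```

Because referer matching against all whitelist rules is enabled by default, review the whitelist together with any referer-host entries: a request is allowed when its referer field matches either.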

(Optional) Configuring the Device to Control the Generation of URL Filtering Logs

Context

If URL requests of many users in a period of time match the URL blacklist, user-defined URL category, or predefined URL category, the URL filtering module reports many logs to the device in a short time. If the device outputs logs in real time, the logs flood the administrator's screen.

To address this issue, configure the log cache function to control how often URL filtering logs are generated, or disable log generation so that the URL filtering module does not report logs.

Procedure

  • Configuring the log cache function
    1. Run system-view

      The system view is displayed.

    2. Run engine log url-filter enable

      The URL filtering module is enabled to generate logs.

      By default, the URL filtering module is enabled to generate logs.

    3. Run engine log timeout time

      The period for caching logs is set.

      By default, the period for caching logs is 1 minute.

  • Disabling the URL filtering module from generating logs
    1. Run system-view

      The system view is displayed.

    2. Run undo engine log url-filter enable

      The URL filtering module is disabled from generating logs.

      By default, the URL filtering module is enabled to generate logs.

(Optional) Configuring User Group-based URL Filtering

Context

The Web management system supports user group management and user group-based URL filtering. Managing users' online behavior can control the network access rights of users. You can bind a URL filtering profile to a user group and enable URL filtering to manage online behavior of all users in the user group.

NOTE:

Only the models that support the web system of the EasyOperation edition support this configuration. For details, see EasyOperation Edition.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run profile type url-filter name name

    A URL filtering profile is created and its view is displayed.

    By default, no URL filtering profile is configured.

  3. Run quit

    Return to the system view.

  4. Run web

    The web view is displayed.

  5. Run user-set user-set-name

    A web user group is created and the web user group view is displayed, or the view of an existing web user group is displayed.

    By default, the device contains two web user groups named VIP and Default.

  6. Run quit

    Return to the web view.

  7. Run web-url-filter user-set user-set-name profile profile-name [ time-range time-range-name ] [ description description-text ]

    User group-based URL filtering is enabled.

    By default, user group-based URL filtering is disabled.

  8. Run quit

    Return to the system view.

Verifying the URL Filtering Configuration

Prerequisites

The URL filtering configuration is complete.

Procedure

  • Run the display url-filter category pre-defined [ category-id category-id | subcategory-id subcategory-id | url url-text | host host-text ] command to check predefined URL category information.
  • Run the display url-filter category user-defined [ name category-name | url url-text | host host-text ] command to check user-defined URL category information.
  • Run the display profile type url-filter or display profile type url-filter name name [ blacklist [ url url-text | host host-text ] | whitelist [ url url-text | host host-text ] | pre-defined [ category-id category-id | subcategory-id subcategory-id ] | user-defined [ name category-name ] ] command to check URL filtering profile information.
Updated: 2019-08-07

Document ID: EDOC1100034077
