Fat AP and Cloud AP V200R010C00 Command Reference

url-filter https-filter consistency-check enable

Function

The url-filter https-filter consistency-check enable command enables the encrypted traffic consistency check function.

The undo url-filter https-filter consistency-check enable command disables the encrypted traffic consistency check function.

Format

url-filter https-filter consistency-check enable

undo url-filter https-filter consistency-check enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, this function is disabled.

Usually, URL requests are transmitted through HTTP or HTTPS. The Central AP can filter HTTP traffic without any additional configuration. To filter HTTPS traffic, the Central AP must have the encrypted traffic filtering function enabled.

Encrypted traffic filtering of URL filtering does not decrypt HTTPS. Instead, it obtains the domain name (HOST) of the website that a user wants to access by parsing packets.

After the url-filter https-filter consistency-check enable command is used to enable encrypted traffic consistency check, the Central AP extracts the target website domain name (HOST) from three fields during TLS negotiation: the Server Name Indication field in the Client Hello packet of the client, and the Common Name and Subject Alternative Name fields in the Certificate packet of the server. The Central AP then verifies the values of the three fields. If the verification succeeds, the Central AP performs URL filtering. If the verification fails, the Central AP blocks the traffic directly as abnormal packets.

The website information contained in the three fields may be tampered with by malicious users. Therefore, some traffic evades URL filtering due to a field verification failure, which affects the detection accuracy of the device.

Example

# Enable encrypted traffic consistency check.

<Huawei> system-view
[Huawei] url-filter https-filter consistency-check enable
Updated: 2019-11-21

Document ID: EDOC1100064352
