Referencing Regions and Region Groups in Security Policies
A region maps public IP addresses to a geographical location, and a region group is a set of regions; both are therefore, in effect, IP address groups, and you can reference them in security policies to match traffic by geographical location. For example, an enterprise that provides web services to external users and, for security reasons, does not want to accept connections from country A can configure a security policy with the source address set to country A and the action set to deny. Such a policy is only as accurate as the geolocation data behind it: addresses that are misclassified, or traffic relayed through a proxy or VPN located in another country, will not match the rule.
To simplify configuration, Huawei firewalls ship with a geolocation database of pre-defined regions. Pre-defined regions inside China are available at province or city granularity; pre-defined regions outside China are available at country granularity.
The geolocation database is a set of IP address groups divided by country and region. It is collected and maintained by Huawei and can be updated periodically or manually through the upgrade center. Because address allocations change faster than the database is updated, it can lag behind reality, so the firewall also provides three user-defined configuration methods. A user-defined region takes priority over a pre-defined region.
- User-defined region: You can manually create a region and add IP addresses that meet the requirements to it.
- Adding an IP address to a pre-defined region: If an IP address is missing in a pre-defined region, you can add it to the pre-defined region.
- Excluding an IP address from a pre-defined region: If an IP address is classified into the wrong region, you can move it by adding it to the correct region or to the unknown region.
User-defined Region
User-defined regions are independent of the pre-defined regions. Private IP addresses are used on the local area network (LAN) and do not belong to any geographical country or region, so by default they fall into the unknown region. To manage and display LAN services by region, you can create a user-defined region for the private IP addresses of the LAN.
# Create a user-defined region named HangZhouBranch and add the local LAN address segment to it.
location geo-location user-defined HangZhouBranch
 description Hangzhou branch
 add address 10.10.1.0 mask 24
Adding IP Addresses to a Pre-defined Region
If an IP address is not in the expected region, service access may be affected. For example, an administrator configures a security policy that allows users from region A to access web services, but a PC in region A cannot reach them. If the security policy itself is correct, the IP address of the PC must have been allocated to another region, and you can fix this by adding the address to region A.
# Add IP address segment 10.20.20.20 to 10.20.20.30 to the pre-defined region named BeiJing.
location geo-location pre-defined BeiJing
 add address range 10.20.20.20 10.20.20.30
Excluding IP Addresses from a Pre-defined Region
There is no command that deletes IP addresses from a pre-defined region; you exclude them by adding them to another region, and the new assignment takes precedence. If you know the region these addresses actually belong to, add them to that region as described in "Adding IP Addresses to a Pre-defined Region". Otherwise, add them to the unknown region (unknown-zone).
# Exclude IP address range 10.10.10.1 to 10.10.10.20 from pre-defined region BeiJing by adding it to the unknown region.
location geo-location pre-defined unknown-zone
 add address range 10.10.10.1 10.10.10.20
Referencing Region Groups in Security Policies
The following describes how to use a region group to prevent certain countries from accessing the HTTPS service in the DMZ.
# Create region group Five. When adding countries on the command line, you can use the two-letter ISO 3166 country code or enter the country name directly.
location geo-location-set Five
 add geo-location AU              //Add Australia using its two-letter country code.
 add geo-location CA
 add geo-location NewZealand      //Enter the country name directly. Names are case-sensitive and are written without spaces.
 add geo-location UnitedKingdom
 add geo-location UnitedStates
Because there are many countries and regions and their names must be typed exactly, configuring region groups on the command line is inconvenient. You are advised to configure region groups on the web UI instead: in the Available area, type a country name in the search box to locate and select it.
# Configure a security policy that denies traffic from source region group Five to the HTTPS service. Security policy rules are matched from top to bottom and the first match is applied, so this deny rule must be placed above any rule that permits HTTPS from untrust to dmz.
security-policy
 rule name "Deny Five"
  source-zone untrust
  destination-zone dmz
  source-address geo-location Five   //Specify the source addresses using the region group.
  service protocol https
  action deny
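The following Python model is an added illustration, not Huawei code: it models the lookup and matching semantics this page describes for the three user-defined region methods and for referencing a region group in a security policy. It assumes the documented precedence (user-defined regions win over pre-defined ones; an address is excluded from a pre-defined region by adding it to another region or to unknown-zone, with the newest addition winning), first-match rule evaluation, and a default action of deny when no rule matches. All region contents, rule names and addresses (documentation prefixes standing in for real country allocations) are constructed sample data; the class and function names are this example's own.

```python
"""Model of geolocation lookup and policy matching as documented on this page (added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

UNKNOWN = "unknown-zone"


def networks(*specs):
    """Expand 'a.b.c.d/len' and 'first-last' specs into ip_network objects (helper of this example, not CLI syntax)."""
    out = []
    for spec in specs:
        if "-" in spec:
            first, last = spec.split("-")
            out.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
        else:
            out.append(ipaddress.ip_network(spec, strict=False))
    return out


class GeoDatabase:
    def __init__(self, shipped):
        self.shipped = shipped       # {region: [network, ...]} as delivered by the geolocation database
        self.user_defined = {}       # 'location geo-location user-defined <name>'
        self.adjustments = []        # (network, region) from 'pre-defined <name> add address', newest last
        self.groups = {}             # 'location geo-location-set <name>'

    def define_region(self, name, *specs):
        self.user_defined[name] = networks(*specs)

    def add_to_predefined(self, region, *specs):
        # Also the way to exclude addresses: add them to the correct region or to unknown-zone.
        for net in networks(*specs):
            self.adjustments.append((net, region))

    def define_group(self, name, *regions):
        self.groups[name] = set(regions)

    def lookup(self, ip):
        ip = ipaddress.ip_address(ip)
        for name, nets in self.user_defined.items():      # 1. user-defined regions take priority
            if any(ip in n for n in nets):
                return name
        for net, region in reversed(self.adjustments):  # 2. administrator adjustments, newest first
            if ip in net:
                return region
        for name, nets in self.shipped.items():          # 3. shipped geolocation database
            if any(ip in n for n in nets):
                return name
        return UNKNOWN                                   # 4. private and unlisted addresses


@dataclass
class Rule:
    name: str
    source_zone: str
    destination_zone: str
    service: str
    action: str
    source_geo_set: Optional[str] = None   # region group referenced as source address; None means any


def evaluate(db, rules, src_ip, src_zone, dst_zone, service):
    """Return (action, rule_name, region). First matching rule wins; default action deny is an assumption."""
    region = db.lookup(src_ip)
    for r in rules:
        if (r.source_zone, r.destination_zone, r.service) != (src_zone, dst_zone, service):
            continue
        if r.source_geo_set is not None and region not in db.groups[r.source_geo_set]:
            continue
        return r.action, r.name, region
    return "deny", "default", region


def build_example():
    # Constructed stand-in for the geolocation database: documentation prefixes, not real allocations.
    db = GeoDatabase({
        "AU": networks("203.0.113.0/24"),
        "NewZealand": networks("198.51.100.0/24"),
        "BeiJing": networks("192.0.2.0/24"),
    })
    db.define_region("HangZhouBranch", "10.10.1.0/24")           # user-defined region for the LAN
    db.add_to_predefined("BeiJing", "10.20.20.20-10.20.20.30")   # add missing addresses to BeiJing
    db.add_to_predefined(UNKNOWN, "192.0.2.1-192.0.2.20")        # exclude misclassified addresses
    db.define_region("PartnerLab", "203.0.113.0/25")              # overlaps AU; user-defined wins
    db.define_group("Five", "AU", "CA", "NewZealand", "UnitedKingdom", "UnitedStates")
    rules = [
        Rule("Deny Five", "untrust", "dmz", "https", "deny", source_geo_set="Five"),
        Rule("Permit web", "untrust", "dmz", "https", "permit"),
    ]
    return db, rules


if __name__ == "__main__":
    db, rules = build_example()
    for ip in ("10.10.1.5", "10.20.20.25", "192.0.2.10", "192.0.2.100",
               "198.51.100.7", "203.0.113.5", "203.0.113.200"):
        print(ip, evaluate(db, rules, ip, "untrust", "dmz", "https"))
```

The PartnerLab case is the caveat worth noticing: because a user-defined region takes priority over the pre-defined one, 203.0.113.5 resolves to PartnerLab rather than AU and is no longer matched by the "Deny Five" rule. Reversing the rule list shows the other failure mode, a permit rule placed above the geographic deny makes the deny unreachable.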