NetEngine AR5700, AR6700, and AR8000 V600R022C00 Configuration Guide - Security Configuration

Example for Using URL Categories, Blacklist, and Whitelist to Control Website Access

Networking Requirements

On the network shown in Figure 5-7, DeviceA is deployed as a gateway at the border of an enterprise network. This device is used to implement URL filtering on users' requests for Internet access. The enterprise allows employees to access only education/science, search engine/portal, and social networking websites. In addition, the enterprise wants to control the following specific websites:

  • Allow employees to access internal forum websites www.example3.com and www.example4.com.
  • Deny access to the education/science website www.example2.com and social networking website www.example1.com.
Figure 5-7 Network diagram for using URL categories, blacklist, and whitelist to control website access

In this example, interface 1 and interface 2 represent 10GE0/0/1 and 10GE0/0/2, respectively.

Configuration Roadmap

  1. Configure an IP address for each interface and add interfaces to security zones.
  2. Create a URL filtering profile named url_profile_01. Then, add websites www.example1.com and www.example2.com to the blacklist, and add websites www.example3.com and www.example4.com to the whitelist. Set the allow action for the predefined URL categories education/science, search engine/portal, and social networking, and set the block action for other websites.
  3. Configure a security policy and reference the url_profile_01 profile to control URL access.

Procedure

  1. Configure an IP address for each interface and add interfaces to security zones.

    <HUAWEI> system-view
    [HUAWEI] sysname DeviceA
    [DeviceA] interface 10ge 0/0/1
    [DeviceA-10GE0/0/1] ip address 1.1.1.1 24
    [DeviceA-10GE0/0/1] quit
    [DeviceA] interface 10ge 0/0/2
    [DeviceA-10GE0/0/2] ip address 10.1.1.1 255.255.255.0
    [DeviceA-10GE0/0/2] quit
    [DeviceA] firewall zone untrust
    [DeviceA-zone-untrust] add interface 10ge 0/0/1
    [DeviceA-zone-untrust] quit
    [DeviceA] firewall zone trust
    [DeviceA-zone-trust] add interface 10ge 0/0/2
    [DeviceA-zone-trust] quit

  2. Configure a URL filtering profile.

    You can run the display url-filter category pre-defined command to query the mappings between the following predefined categories and IDs:

    • 17: Education/Science
    • 15: Search Engines/Portals
    • 7: Social Network

    [DeviceA] profile type url-filter name url_profile_01
    [DeviceA-profile-url-filter-url_profile_01] add blacklist url www.example1.com
    [DeviceA-profile-url-filter-url_profile_01] add blacklist url www.example2.com
    [DeviceA-profile-url-filter-url_profile_01] add whitelist url www.example3.com
    [DeviceA-profile-url-filter-url_profile_01] add whitelist url www.example4.com
    [DeviceA-profile-url-filter-url_profile_01] category pre-defined action block
    [DeviceA-profile-url-filter-url_profile_01] category pre-defined category-id 15 action allow
    [DeviceA-profile-url-filter-url_profile_01] category pre-defined category-id 17 action allow
    [DeviceA-profile-url-filter-url_profile_01] category pre-defined category-id 7 action allow
    [DeviceA-profile-url-filter-url_profile_01] quit

    The default action is set here with the category pre-defined action block command and applies to websites not covered by the whitelist, the blacklist, or an explicitly allowed category. To block non-whitelisted URLs, set the default action to block; to allow non-blacklisted URLs, set it to allow. If the remote query service is unavailable, DeviceA also takes the default action.

  3. Reference the URL filtering profile in the security policy.

    [DeviceA] security-policy
    [DeviceA-policy-security] rule name policy_sec_01
    [DeviceA-policy-security-rule-policy_sec_01] source-zone trust
    [DeviceA-policy-security-rule-policy_sec_01] destination-zone untrust
    [DeviceA-policy-security-rule-policy_sec_01] source-address 10.1.1.0 mask 255.255.255.0
    [DeviceA-policy-security-rule-policy_sec_01] action permit
    [DeviceA-policy-security-rule-policy_sec_01] profile url-filter url_profile_01
    [DeviceA-policy-security-rule-policy_sec_01] quit
    [DeviceA-policy-security] quit

  4. Commit the content security profile.

    [DeviceA] engine configuration commit
    Info: The operation may last for several minutes, please wait.
    Info: URL submitted configurations successfully.
    Info: Finish committing engine compiling.

Verifying the Configuration

  • Enterprise employees can access only URLs that belong to education/science, search engine/portal, and social networking categories.

    If an employee attempts to access any other website, the device generates a URL log (URL/4/FILTER) in which the Type field (the filtering type) is Pre-defined and the Action field is Block.

  • Employees can access websites www.example3.com and www.example4.com but not websites www.example1.com and www.example2.com.

    If an employee attempts to access www.example3.com or www.example4.com, the device generates a URL log (URL/4/FILTER) in which the Type field (the filtering type) is Whitelist and the Action field is Allow.

    If an employee attempts to access www.example1.com or www.example2.com, the device generates a URL log (URL/4/FILTER) in which the Type field (the filtering type) is Blacklist and the Action field is Block.
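To show how the whitelist, blacklist, allowed categories and default action of url_profile_01 combine into the Type and Action fields described above, here is an added Python model; it is an illustration written for this page, not Huawei code. It assumes that the whitelist is consulted before the blacklist and that a failed category lookup is logged as a Pre-defined decision; the example.net hosts and category-id 999 are constructed samples.

```python
# Hypothetical model of url_profile_01's decision order; not Huawei code.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class UrlFilterProfile:
    whitelist: Set[str]
    blacklist: Set[str]
    category_actions: Dict[int, str]   # category-id -> "allow" | "block"
    default_action: str = "block"      # category pre-defined action block

    def decide(self, url: str, category_id: Optional[int]) -> Tuple[str, str]:
        """Return (Type, Action) as logged in URL/4/FILTER for this request.
        category_id is what the remote query service returned; None models an
        unavailable service, which falls through to the default action.
        Assumed (no URL on this page is on both lists): whitelist before blacklist.
        """
        host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
        if host in self.whitelist:
            return ("Whitelist", "Allow")
        if host in self.blacklist:
            return ("Blacklist", "Block")
        action = self.category_actions.get(category_id, self.default_action)
        return ("Pre-defined", action.capitalize())


# Category-ids from this page: 17 Education/Science, 15 Search Engines/Portals,
# 7 Social Network. Every other category falls to the block default.
URL_PROFILE_01 = UrlFilterProfile(
    whitelist={"www.example3.com", "www.example4.com"},
    blacklist={"www.example1.com", "www.example2.com"},
    category_actions={17: "allow", 15: "allow", 7: "allow"},
)

# Constructed requests. The page states the categories of www.example1.com
# (7) and www.example2.com (17); the other hosts and id 999 are made up.
SAMPLE_REQUESTS = [
    ("http://www.example3.com/forum", 999),  # whitelisted: category irrelevant
    ("http://www.example1.com/", 7),         # blacklisted despite allowed category
    ("http://www.example2.com/", 17),        # blacklisted despite allowed category
    ("http://search.example.net/", 15),      # allowed predefined category
    ("http://shop.example.net/", 999),       # category without an allow rule
    ("http://unknown.example.net/", None),   # remote query service unavailable
]


def expected_log_fields(profile=URL_PROFILE_01, requests=SAMPLE_REQUESTS):
    """Map each request URL to the (Type, Action) pair the device should log."""
    return {url: profile.decide(url, cid) for url, cid in requests}
```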

Configuration Scripts

#
sysname DeviceA
#
interface 10GE0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface 10GE0/0/2
 ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface 10GE0/0/2
#
firewall zone untrust
 set priority 5
 add interface 10GE0/0/1
#
profile type url-filter name url_profile_01
 add blacklist url www.example1.com
 add blacklist url www.example2.com
 add whitelist url www.example3.com
 add whitelist url www.example4.com
 category pre-defined subcategory-id 101 action block
 category pre-defined subcategory-id 102 action block
 category pre-defined subcategory-id 162 action block
 category pre-defined subcategory-id 163 action block
 category pre-defined subcategory-id 164 action block
 category pre-defined subcategory-id 165 action block
 category pre-defined subcategory-id 103 action block
 category pre-defined subcategory-id 166 action block
 category pre-defined subcategory-id 167 action block
 category pre-defined subcategory-id 168 action block
 category pre-defined subcategory-id 104 action block
 category pre-defined subcategory-id 169 action block
 category pre-defined subcategory-id 170 action block
 category pre-defined subcategory-id 105 action block
 category pre-defined subcategory-id 171 action block
 category pre-defined subcategory-id 172 action block
 category pre-defined subcategory-id 173 action block
 category pre-defined subcategory-id 174 action block
 category pre-defined subcategory-id 106 action block
 category pre-defined subcategory-id 109 action block
 category pre-defined subcategory-id 110 action block
 category pre-defined subcategory-id 111 action block
 category pre-defined subcategory-id 112 action block
 category pre-defined subcategory-id 114 action block
 category pre-defined subcategory-id 115 action block
 category pre-defined subcategory-id 117 action block
 category pre-defined subcategory-id 178 action block
 category pre-defined subcategory-id 179 action block
 category pre-defined subcategory-id 180 action block
 category pre-defined subcategory-id 181 action block
 category pre-defined subcategory-id 248 action block
 category pre-defined subcategory-id 118 action block
 category pre-defined subcategory-id 119 action block
 category pre-defined subcategory-id 122 action block
 category pre-defined subcategory-id 182 action block
 category pre-defined subcategory-id 183 action block
 category pre-defined subcategory-id 184 action block
 category pre-defined subcategory-id 123 action block
 category pre-defined subcategory-id 124 action block
 category pre-defined subcategory-id 186 action block
 category pre-defined subcategory-id 187 action block
 category pre-defined subcategory-id 188 action block
 category pre-defined subcategory-id 189 action block
 category pre-defined subcategory-id 125 action block
 category pre-defined subcategory-id 127 action block
 category pre-defined subcategory-id 128 action block
 category pre-defined subcategory-id 130 action block
 category pre-defined subcategory-id 131 action block
 category pre-defined subcategory-id 132 action block
 category pre-defined subcategory-id 197 action block
 category pre-defined subcategory-id 198 action block
 category pre-defined subcategory-id 199 action block
 category pre-defined subcategory-id 200 action block
 category pre-defined subcategory-id 227 action block
 category pre-defined subcategory-id 228 action block
 category pre-defined subcategory-id 133 action block
 category pre-defined subcategory-id 201 action block
 category pre-defined subcategory-id 202 action block
 category pre-defined subcategory-id 204 action block
 category pre-defined subcategory-id 205 action block
 category pre-defined subcategory-id 134 action block
 category pre-defined subcategory-id 135 action block
 category pre-defined subcategory-id 136 action block
 category pre-defined subcategory-id 137 action block
 category pre-defined subcategory-id 138 action block
 category pre-defined subcategory-id 139 action block
 category pre-defined subcategory-id 140 action block
 category pre-defined subcategory-id 141 action block
 category pre-defined subcategory-id 206 action block
 category pre-defined subcategory-id 207 action block
 category pre-defined subcategory-id 208 action block
 category pre-defined subcategory-id 209 action block
 category pre-defined subcategory-id 210 action block
 category pre-defined subcategory-id 229 action block
 category pre-defined subcategory-id 142 action block
 category pre-defined subcategory-id 143 action block
 category pre-defined subcategory-id 144 action block
 category pre-defined subcategory-id 145 action block
 category pre-defined subcategory-id 146 action block
 category pre-defined subcategory-id 147 action block
 category pre-defined subcategory-id 211 action block
 category pre-defined subcategory-id 212 action block
 category pre-defined subcategory-id 213 action block
 category pre-defined subcategory-id 240 action block
 category pre-defined subcategory-id 253 action block
 category pre-defined subcategory-id 149 action block
 category pre-defined subcategory-id 150 action block
 category pre-defined subcategory-id 214 action block
 category pre-defined subcategory-id 215 action block
 category pre-defined subcategory-id 216 action block
 category pre-defined subcategory-id 217 action block
 category pre-defined subcategory-id 151 action block
 category pre-defined subcategory-id 218 action block
 category pre-defined subcategory-id 219 action block
 category pre-defined subcategory-id 220 action block
 category pre-defined subcategory-id 221 action block
 category pre-defined subcategory-id 222 action block
 category pre-defined subcategory-id 223 action block
 category pre-defined subcategory-id 230 action block
 category pre-defined subcategory-id 252 action block
 category pre-defined subcategory-id 152 action block
 category pre-defined subcategory-id 153 action block
 category pre-defined subcategory-id 238 action block
 category pre-defined subcategory-id 154 action block
 category pre-defined subcategory-id 155 action block
 category pre-defined subcategory-id 224 action block
 category pre-defined subcategory-id 225 action block
 category pre-defined subcategory-id 156 action block
 category pre-defined subcategory-id 157 action block
 category pre-defined subcategory-id 158 action block
 category pre-defined subcategory-id 231 action block
 category pre-defined subcategory-id 232 action block
 category pre-defined subcategory-id 159 action block
 category pre-defined subcategory-id 254 action block
 category pre-defined subcategory-id 160 action block
 category pre-defined subcategory-id 161 action block
 category pre-defined subcategory-id 176 action block
 category pre-defined subcategory-id 226 action block
 category pre-defined subcategory-id 234 action block
 category pre-defined subcategory-id 235 action block
 category pre-defined subcategory-id 236 action block
 category pre-defined subcategory-id 237 action block
 category pre-defined subcategory-id 239 action block
 category pre-defined subcategory-id 241 action block
 category pre-defined subcategory-id 233 action block
#
security-policy
 rule name policy_sec_01
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  profile url-filter url_profile_01
  action permit