Huawei CLI example: controlling the websites users can access by URL category
Configuring URL filtering based on URL categories controls which classes of websites users may access. A category can be one of the FW's built-in predefined categories or a user-defined category configured by the administrator.
Networking requirements
As shown in Figure 1, the FW is deployed as the enterprise gateway at the network edge and applies URL filtering to users' HTTP requests to external networks.
The company has two kinds of employees, R&D and marketing, with the following requirements:
- R&D employees may access only Education/Science and Search Engines/Portals websites, and only between 09:00 and 17:00 each day. All other websites are blocked.
- Marketing employees may access only Education/Science, Search Engines/Portals and Social Focus websites, plus one specific URL (www.example.com/news) and one domain name (www.example.net), and only between 09:00 and 17:00 each day. All other websites are blocked.
Configuration roadmap
- Configure interface IP addresses and security zones to complete the basic network settings.
- Configure the remote query server, which the FW uses to map URLs to predefined categories. In this example the Education/Science, Search Engines/Portals and Social Focus websites are controlled through predefined categories. For remote query to work, the license must be activated, the URL remote query component package loaded, a DNS server configured, the remote query parameters set, and a security policy must allow the FW itself to reach the dispatch center (see step 2 of the procedure).
- Configure the user-defined category url_userdefine_category, adding www.example.com/news as a user-defined URL and www.example.net as a user-defined host name.
- Create two URL filtering profiles, profile_url_research and profile_url_marketing, for R&D and marketing employees respectively, and set the actions for the user-defined and predefined categories.
- Configure two security policies that reference the time range, user groups and URL filtering profiles, so that URL access is controlled per user group and time period.
Procedure
- Configure interface IP addresses and security zones to complete the basic network settings.
Configure the IP address of GigabitEthernet 1/0/1 and add the interface to the untrust zone.
<FW> system-view
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet1/0/1] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 1/0/1
[FW-zone-untrust] quit
Configure the IP address of GigabitEthernet 1/0/3 and add the interface to the trust zone.
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[FW-GigabitEthernet1/0/3] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/3
[FW-zone-trust] quit
- Configure the remote query server, used to obtain the mapping between URLs and predefined categories.
Activate the license and make sure it is within its service period. For details, see License Management.
Load the URL remote query component package. For details, see System Update.
Configure the DNS server.
[FW] dns resolve
[FW] dns server 10.2.0.70
Configure the remote query server parameters: query mode, country name and timeout.
[FW] country CN
[FW] url-filter query timeout time 3 action allow
Configure a user-defined service.
[FW] ip service-set service_sec_huawei_com type object
[FW-object-service-set-service_sec_huawei_com] service protocol TCP source-port 0 to 65535 destination-port 443
[FW-object-service-set-service_sec_huawei_com] service protocol TCP source-port 0 to 65535 destination-port 12612
[FW-object-service-set-service_sec_huawei_com] service protocol UDP source-port 0 to 65535 destination-port 12600
[FW-object-service-set-service_sec_huawei_com] quit
Configure a security policy that references the user-defined service, allowing the FW to access the dispatch center.
[FW] security-policy
[FW-policy-security] rule name policy_sec_huawei_com
[FW-policy-security-rule-policy_sec_huawei_com] source-zone local
[FW-policy-security-rule-policy_sec_huawei_com] destination-zone untrust
[FW-policy-security-rule-policy_sec_huawei_com] service service_sec_huawei_com
[FW-policy-security-rule-policy_sec_huawei_com] action permit
[FW-policy-security-rule-policy_sec_huawei_com] quit
[FW-policy-security] quit
- Configure the user-defined URL category.
[FW] url-filter category user-defined name url_userdefine_category
[FW-cate-user-defined-url_userdefine_category] description url userdefine category of access control for marketing.
[FW-cate-user-defined-url_userdefine_category] add url www.example.com/news
[FW-cate-user-defined-url_userdefine_category] add host www.example.net
[FW-cate-user-defined-url_userdefine_category] quit
- Configure the URL filtering profiles.
The display url-filter category pre-defined command shows the following mapping between predefined categories and their IDs:
17: Education/Science
15: Search Engines/Portals
5: Social Focus
Configure the URL filtering profile for the R&D department.
[FW] profile type url-filter name profile_url_research
[FW-profile-url-filter-profile_url_research] description URL filter profile of web access control for research.
[FW-profile-url-filter-profile_url_research] category user-defined action block
[FW-profile-url-filter-profile_url_research] category pre-defined action block
[FW-profile-url-filter-profile_url_research] category pre-defined category-id 15 action allow
[FW-profile-url-filter-profile_url_research] category pre-defined category-id 17 action allow
[FW-profile-url-filter-profile_url_research] quit
Configure the URL filtering profile for the marketing department.
[FW] profile type url-filter name profile_url_marketing
[FW-profile-url-filter-profile_url_marketing] description URL filter profile of web access control for marketing.
[FW-profile-url-filter-profile_url_marketing] category user-defined action block
[FW-profile-url-filter-profile_url_marketing] category pre-defined action block
[FW-profile-url-filter-profile_url_marketing] category pre-defined category-id 5 action allow
[FW-profile-url-filter-profile_url_marketing] category pre-defined category-id 15 action allow
[FW-profile-url-filter-profile_url_marketing] category pre-defined category-id 17 action allow
[FW-profile-url-filter-profile_url_marketing] category user-defined name url_userdefine_category action allow
[FW-profile-url-filter-profile_url_marketing] quit
- Configure the time range.
[FW] time-range time_range
[FW-time-range-time_range] period-range 09:00:00 to 17:00:00 daily
[FW-time-range-time_range] quit
- Apply the URL filtering profiles in security policies.
The user groups research (R&D employees) and marketing (marketing employees) referenced in this example are assumed to exist already.
Configure the security policy for the R&D department.
[FW] security-policy
[FW-policy-security] rule name policy_sec_research
[FW-policy-security-rule-policy_sec_research] description Security policy of web access protect for research.
[FW-policy-security-rule-policy_sec_research] source-zone trust
[FW-policy-security-rule-policy_sec_research] destination-zone untrust
[FW-policy-security-rule-policy_sec_research] source-address 10.3.0.0 mask 255.255.255.0
[FW-policy-security-rule-policy_sec_research] user user-group /default/research
[FW-policy-security-rule-policy_sec_research] time-range time_range
[FW-policy-security-rule-policy_sec_research] action permit
[FW-policy-security-rule-policy_sec_research] profile url-filter profile_url_research
[FW-policy-security-rule-policy_sec_research] quit
Configure the security policy for the marketing department.
[FW-policy-security] rule name policy_sec_marketing
[FW-policy-security-rule-policy_sec_marketing] description Security policy of web access protect for marketing.
[FW-policy-security-rule-policy_sec_marketing] source-zone trust
[FW-policy-security-rule-policy_sec_marketing] destination-zone untrust
[FW-policy-security-rule-policy_sec_marketing] source-address 10.3.0.0 mask 255.255.255.0
[FW-policy-security-rule-policy_sec_marketing] user user-group /default/marketing
[FW-policy-security-rule-policy_sec_marketing] time-range time_range
[FW-policy-security-rule-policy_sec_marketing] action permit
[FW-policy-security-rule-policy_sec_marketing] profile url-filter profile_url_marketing
[FW-policy-security-rule-policy_sec_marketing] quit
[FW-policy-security] quit
- Commit the content security configuration.
[FW] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: URL submitted configurations successfully.
Info: Finish committing engine compiling.
Verification
- Between 09:00 and 17:00, any R&D employee can access Education/Science and Search Engines/Portals websites, but access to Social Focus, forum and other websites is blocked.
  By checking the URL log URL/4/FILTER, the administrator can see that R&D employees' access to Social Focus, forum and other websites produced log entries with filter type Type "Pre-defined" and action Action "Block".
- By checking the URL log URL/4/FILTER, the administrator can see that marketing employees' access to forum and other websites produced log entries with filter type Type "Pre-defined" and action Action "Block".
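To make the decision order behind the verification results explicit, the following Python model of steps 3 to 6 is added here as an illustration; it is not Huawei code and does not come from this page. It assumes that a URL matching a user-defined category is decided by that category before the predefined lookup, that a specific `category-id N` action overrides the category-type default set by `category pre-defined action block`, that a remote query timeout applies the `action allow` configured on `url-filter query timeout`, and that traffic matching no security-policy rule is denied. The category ID used for forum sites (FORUMS) and the host names in the checks are constructed placeholders.

```python
"""Decision model for the URL filtering example on this page.

Added illustration, not Huawei code; the precedence rules are assumptions
stated in the comments. Category IDs 17, 15 and 5 are the ones the page lists.
"""
from dataclasses import dataclass, field
from datetime import time
from urllib.parse import urlsplit

EDUCATION_SCIENCE, SEARCH_PORTALS, SOCIAL_FOCUS = 17, 15, 5
FORUMS = 999  # constructed placeholder ID: a category neither profile allows explicitly

# Modelled from `url-filter query timeout time 3 action allow`: when the remote
# category lookup does not answer in time, this action is applied.
QUERY_TIMEOUT_ACTION = "allow"


@dataclass
class UserDefinedCategory:
    """`url-filter category user-defined`: entries from `add url` and `add host`."""
    name: str
    urls: set = field(default_factory=set)
    hosts: set = field(default_factory=set)

    def matches(self, url: str) -> bool:
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = parts.hostname or ""
        # Assumption: `add url` entries match host plus path exactly (query string
        # ignored); `add host` entries match the host name alone.
        return host in self.hosts or host + parts.path in self.urls


@dataclass
class UrlFilterProfile:
    """`profile type url-filter`: a default action per category type plus per-category overrides."""
    name: str
    predefined_default: str = "allow"
    user_defined_default: str = "allow"
    predefined: dict = field(default_factory=dict)    # category-id -> action
    user_defined: dict = field(default_factory=dict)  # category name -> action

    def decide(self, url, predefined_id, custom_categories):
        """Return (action, match type). predefined_id=None means the remote query timed out."""
        for cat in custom_categories:  # assumption: user-defined entries are checked first
            if cat.matches(url):
                return self.user_defined.get(cat.name, self.user_defined_default), "User-defined"
        if predefined_id is None:
            return QUERY_TIMEOUT_ACTION, "Query timeout"
        return self.predefined.get(predefined_id, self.predefined_default), "Pre-defined"


@dataclass
class SecurityPolicyRule:
    """The parts of `security-policy rule` this example varies: user group, time range, profile."""
    name: str
    user_group: str
    start: time
    end: time
    profile: UrlFilterProfile


def evaluate(rules, user_group, at, url, predefined_id, custom_categories):
    """First matching rule wins; traffic matching no rule is denied (assumed default)."""
    for rule in rules:
        if rule.user_group == user_group and rule.start <= at <= rule.end:
            return rule.profile.decide(url, predefined_id, custom_categories)
    return "deny", "No policy match"


# The page's configuration, expressed in the model above.
CUSTOM = [UserDefinedCategory("url_userdefine_category",
                              urls={"www.example.com/news"}, hosts={"www.example.net"})]
RESEARCH = UrlFilterProfile("profile_url_research", "block", "block",
                            {SEARCH_PORTALS: "allow", EDUCATION_SCIENCE: "allow"})
MARKETING = UrlFilterProfile("profile_url_marketing", "block", "block",
                             {SOCIAL_FOCUS: "allow", SEARCH_PORTALS: "allow", EDUCATION_SCIENCE: "allow"},
                             {"url_userdefine_category": "allow"})
RULES = [SecurityPolicyRule("policy_sec_research", "/default/research", time(9), time(17), RESEARCH),
         SecurityPolicyRule("policy_sec_marketing", "/default/marketing", time(9), time(17), MARKETING)]


def check(user_group, hhmm, url, predefined_id):
    """Convenience wrapper: hhmm is an 'HH:MM' clock time; host names used here are constructed."""
    h, m = (int(x) for x in hhmm.split(":"))
    return evaluate(RULES, user_group, time(h, m), url, predefined_id, CUSTOM)


if __name__ == "__main__":
    for args in [("/default/research", "10:00", "edu.example", EDUCATION_SCIENCE),
                 ("/default/research", "10:00", "social.example", SOCIAL_FOCUS),
                 ("/default/research", "10:00", "www.example.com/news", SOCIAL_FOCUS),
                 ("/default/marketing", "10:00", "www.example.com/news", FORUMS),
                 ("/default/marketing", "10:00", "forum.example", FORUMS),
                 ("/default/marketing", "18:00", "www.example.net", FORUMS),
                 ("/default/marketing", "10:00", "unresolved.example", None)]:
        print(args, "->", check(*args))
```

The last check is the one worth noticing: because the timeout action configured in step 2 is allow, a URL whose category cannot be resolved in time (remote query server unreachable, DNS failure) is permitted for both groups even though both profiles are default-block. Where the policy intent is default-deny, that fail-open path should either be monitored through the URL logs or closed by choosing the block action on timeout.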
Configuration script
#
 sysname FW
#
 dns resolve
 dns server 10.2.0.70
#
ip service-set service_sec_huawei_com type object
 service 0 protocol tcp source-port 0 to 65535 destination-port 443
 service 1 protocol tcp source-port 0 to 65535 destination-port 12612
 service 2 protocol udp source-port 0 to 65535 destination-port 12600
#
 country CN
#
time-range time_range
 period-range 09:00:00 to 17:00:00 daily
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
url-filter category user-defined name url_userdefine_category
 description url userdefine category of access control for marketing.
 add url www.example.com/news
 add host www.example.net
profile type url-filter name profile_url_research
 description URL filter profile of web access control for research.
 category pre-defined subcategory-id 101 action block
 category pre-defined subcategory-id 102 action block
 category pre-defined subcategory-id 162 action block
 category pre-defined subcategory-id 163 action block
 category pre-defined subcategory-id 164 action block
 category pre-defined subcategory-id 165 action block
 category pre-defined subcategory-id 103 action block
 category pre-defined subcategory-id 166 action block
 category pre-defined subcategory-id 167 action block
 category pre-defined subcategory-id 168 action block
 category pre-defined subcategory-id 104 action block
 category pre-defined subcategory-id 169 action block
 category pre-defined subcategory-id 170 action block
 category pre-defined subcategory-id 105 action block
 category pre-defined subcategory-id 171 action block
 category pre-defined subcategory-id 172 action block
 category pre-defined subcategory-id 173 action block
 category pre-defined subcategory-id 174 action block
 category pre-defined subcategory-id 106 action block
 category pre-defined subcategory-id 108 action block
 category pre-defined subcategory-id 177 action block
 category pre-defined subcategory-id 251 action block
 category pre-defined subcategory-id 109 action block
 category pre-defined subcategory-id 110 action block
 category pre-defined subcategory-id 111 action block
 category pre-defined subcategory-id 112 action block
 category pre-defined subcategory-id 114 action block
 category pre-defined subcategory-id 115 action block
 category pre-defined subcategory-id 117 action block
 category pre-defined subcategory-id 178 action block
 category pre-defined subcategory-id 179 action block
 category pre-defined subcategory-id 180 action block
 category pre-defined subcategory-id 181 action block
 category pre-defined subcategory-id 248 action block
 category pre-defined subcategory-id 118 action block
 category pre-defined subcategory-id 119 action block
 category pre-defined subcategory-id 122 action block
 category pre-defined subcategory-id 182 action block
 category pre-defined subcategory-id 183 action block
 category pre-defined subcategory-id 184 action block
 category pre-defined subcategory-id 123 action block
 category pre-defined subcategory-id 124 action block
 category pre-defined subcategory-id 186 action block
 category pre-defined subcategory-id 187 action block
 category pre-defined subcategory-id 188 action block
 category pre-defined subcategory-id 189 action block
 category pre-defined subcategory-id 125 action block
 category pre-defined subcategory-id 127 action block
 category pre-defined subcategory-id 128 action block
 category pre-defined subcategory-id 130 action block
 category pre-defined subcategory-id 131 action block
 category pre-defined subcategory-id 132 action block
 category pre-defined subcategory-id 197 action block
 category pre-defined subcategory-id 198 action block
 category pre-defined subcategory-id 199 action block
 category pre-defined subcategory-id 200 action block
 category pre-defined subcategory-id 227 action block
 category pre-defined subcategory-id 228 action block
 category pre-defined subcategory-id 133 action block
 category pre-defined subcategory-id 201 action block
 category pre-defined subcategory-id 202 action block
 category pre-defined subcategory-id 204 action block
 category pre-defined subcategory-id 205 action block
 category pre-defined subcategory-id 134 action block
 category pre-defined subcategory-id 135 action block
 category pre-defined subcategory-id 136 action block
 category pre-defined subcategory-id 137 action block
 category pre-defined subcategory-id 138 action block
 category pre-defined subcategory-id 139 action block
 category pre-defined subcategory-id 140 action block
 category pre-defined subcategory-id 141 action block
 category pre-defined subcategory-id 206 action block
 category pre-defined subcategory-id 207 action block
 category pre-defined subcategory-id 208 action block
 category pre-defined subcategory-id 209 action block
 category pre-defined subcategory-id 210 action block
 category pre-defined subcategory-id 229 action block
 category pre-defined subcategory-id 142 action block
 category pre-defined subcategory-id 143 action block
 category pre-defined subcategory-id 144 action block
 category pre-defined subcategory-id 145 action block
 category pre-defined subcategory-id 146 action block
 category pre-defined subcategory-id 147 action block
 category pre-defined subcategory-id 211 action block
 category pre-defined subcategory-id 212 action block
 category pre-defined subcategory-id 213 action block
 category pre-defined subcategory-id 240 action block
 category pre-defined subcategory-id 253 action block
 category pre-defined subcategory-id 149 action block
 category pre-defined subcategory-id 150 action block
 category pre-defined subcategory-id 214 action block
 category pre-defined subcategory-id 215 action block
 category pre-defined subcategory-id 216 action block
 category pre-defined subcategory-id 217 action block
 category pre-defined subcategory-id 151 action block
 category pre-defined subcategory-id 218 action block
 category pre-defined subcategory-id 219 action block
 category pre-defined subcategory-id 220 action block
 category pre-defined subcategory-id 221 action block
 category pre-defined subcategory-id 222 action block
 category pre-defined subcategory-id 223 action block
 category pre-defined subcategory-id 230 action block
 category pre-defined subcategory-id 252 action block
 category pre-defined subcategory-id 152 action block
 category pre-defined subcategory-id 153 action block
 category pre-defined subcategory-id 238 action block
 category pre-defined subcategory-id 154 action block
 category pre-defined subcategory-id 155 action block
 category pre-defined subcategory-id 224 action block
 category pre-defined subcategory-id 225 action block
 category pre-defined subcategory-id 156 action block
 category pre-defined subcategory-id 157 action block
 category pre-defined subcategory-id 158 action block
 category pre-defined subcategory-id 231 action block
 category pre-defined subcategory-id 232 action block
 category pre-defined subcategory-id 159 action block
 category pre-defined subcategory-id 254 action block
 category pre-defined subcategory-id 160 action block
 category pre-defined subcategory-id 161 action block
 category pre-defined subcategory-id 176 action block
 category pre-defined subcategory-id 226 action block
 category pre-defined subcategory-id 234 action block
 category pre-defined subcategory-id 235 action block
 category pre-defined subcategory-id 236 action block
 category pre-defined subcategory-id 237 action block
 category pre-defined subcategory-id 239 action block
 category pre-defined subcategory-id 241 action block
 category pre-defined subcategory-id 233 action block
 category user-defined name url_userdefine_category action block
profile type url-filter name profile_url_marketing
 description URL filter profile of web access control for marketing.
 category pre-defined subcategory-id 101 action block
 category pre-defined subcategory-id 102 action block
 category pre-defined subcategory-id 162 action block
 category pre-defined subcategory-id 163 action block
 category pre-defined subcategory-id 164 action block
 category pre-defined subcategory-id 165 action block
 category pre-defined subcategory-id 103 action block
 category pre-defined subcategory-id 166 action block
 category pre-defined subcategory-id 167 action block
 category pre-defined subcategory-id 168 action block
 category pre-defined subcategory-id 104 action block
 category pre-defined subcategory-id 169 action block
 category pre-defined subcategory-id 170 action block
 category pre-defined subcategory-id 106 action block
 category pre-defined subcategory-id 108 action block
 category pre-defined subcategory-id 177 action block
 category pre-defined subcategory-id 251 action block
 category pre-defined subcategory-id 109 action block
 category pre-defined subcategory-id 110 action block
 category pre-defined subcategory-id 111 action block
 category pre-defined subcategory-id 112 action block
 category pre-defined subcategory-id 114 action block
 category pre-defined subcategory-id 115 action block
 category pre-defined subcategory-id 117 action block
 category pre-defined subcategory-id 178 action block
 category pre-defined subcategory-id 179 action block
 category pre-defined subcategory-id 180 action block
 category pre-defined subcategory-id 181 action block
 category pre-defined subcategory-id 248 action block
 category pre-defined subcategory-id 118 action block
 category pre-defined subcategory-id 119 action block
 category pre-defined subcategory-id 122 action block
 category pre-defined subcategory-id 182 action block
 category pre-defined subcategory-id 183 action block
 category pre-defined subcategory-id 184 action block
 category pre-defined subcategory-id 123 action block
 category pre-defined subcategory-id 124 action block
 category pre-defined subcategory-id 186 action block
 category pre-defined subcategory-id 187 action block
 category pre-defined subcategory-id 188 action block
 category pre-defined subcategory-id 189 action block
 category pre-defined subcategory-id 125 action block
 category pre-defined subcategory-id 127 action block
 category pre-defined subcategory-id 128 action block
 category pre-defined subcategory-id 130 action block
 category pre-defined subcategory-id 131 action block
 category pre-defined subcategory-id 132 action block
 category pre-defined subcategory-id 197 action block
 category pre-defined subcategory-id 198 action block
 category pre-defined subcategory-id 199 action block
 category pre-defined subcategory-id 200 action block
 category pre-defined subcategory-id 227 action block
 category pre-defined subcategory-id 228 action block
 category pre-defined subcategory-id 133 action block
 category pre-defined subcategory-id 201 action block
 category pre-defined subcategory-id 202 action block
 category pre-defined subcategory-id 204 action block
 category pre-defined subcategory-id 205 action block
 category pre-defined subcategory-id 134 action block
 category pre-defined subcategory-id 135 action block
 category pre-defined subcategory-id 136 action block
 category pre-defined subcategory-id 137 action block
 category pre-defined subcategory-id 138 action block
 category pre-defined subcategory-id 139 action block
 category pre-defined subcategory-id 140 action block
 category pre-defined subcategory-id 141 action block
 category pre-defined subcategory-id 206 action block
 category pre-defined subcategory-id 207 action block
 category pre-defined subcategory-id 208 action block
 category pre-defined subcategory-id 209 action block
 category pre-defined subcategory-id 210 action block
 category pre-defined subcategory-id 229 action block
 category pre-defined subcategory-id 142 action block
 category pre-defined subcategory-id 143 action block
 category pre-defined subcategory-id 144 action block
 category pre-defined subcategory-id 145 action block
 category pre-defined subcategory-id 146 action block
 category pre-defined subcategory-id 147 action block
 category pre-defined subcategory-id 211 action block
 category pre-defined subcategory-id 212 action block
 category pre-defined subcategory-id 213 action block
 category pre-defined subcategory-id 240 action block
 category pre-defined subcategory-id 253 action block
 category pre-defined subcategory-id 149 action block
 category pre-defined subcategory-id 150 action block
 category pre-defined subcategory-id 214 action block
 category pre-defined subcategory-id 215 action block
 category pre-defined subcategory-id 216 action block
 category pre-defined subcategory-id 217 action block
 category pre-defined subcategory-id 151 action block
 category pre-defined subcategory-id 218 action block
 category pre-defined subcategory-id 219 action block
 category pre-defined subcategory-id 220 action block
 category pre-defined subcategory-id 221 action block
 category pre-defined subcategory-id 222 action block
 category pre-defined subcategory-id 223 action block
 category pre-defined subcategory-id 230 action block
 category pre-defined subcategory-id 252 action block
 category pre-defined subcategory-id 152 action block
 category pre-defined subcategory-id 153 action block
 category pre-defined subcategory-id 238 action block
 category pre-defined subcategory-id 154 action block
 category pre-defined subcategory-id 155 action block
 category pre-defined subcategory-id 224 action block
 category pre-defined subcategory-id 225 action block
 category pre-defined subcategory-id 156 action block
 category pre-defined subcategory-id 157 action block
 category pre-defined subcategory-id 158 action block
 category pre-defined subcategory-id 231 action block
 category pre-defined subcategory-id 232 action block
 category pre-defined subcategory-id 159 action block
 category pre-defined subcategory-id 254 action block
 category pre-defined subcategory-id 160 action block
 category pre-defined subcategory-id 161 action block
 category pre-defined subcategory-id 176 action block
 category pre-defined subcategory-id 226 action block
 category pre-defined subcategory-id 234 action block
 category pre-defined subcategory-id 235 action block
 category pre-defined subcategory-id 236 action block
 category pre-defined subcategory-id 237 action block
 category pre-defined subcategory-id 239 action block
 category pre-defined subcategory-id 241 action block
 category pre-defined subcategory-id 233 action block
#
security-policy
 rule name policy_sec_huawei_com
  source-zone local
  destination-zone untrust
  service service_sec_huawei_com
  action permit
 rule name policy_sec_research
  description Security policy of web access protect for research.
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  user user-group /default/research
  time-range time_range
  profile url-filter profile_url_research
  action permit
 rule name policy_sec_marketing
  description Security policy of web access protect for marketing.
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  user user-group /default/marketing
  time-range time_range
  profile url-filter profile_url_marketing
  action permit
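The committed script above shows that the profile-level `category pre-defined action block` entered in step 4 is stored as one `subcategory-id N action block` line per subcategory, so an audit of what was actually committed has to compare subcategory sets rather than the two category-id commands that were typed. The following Python is an added example, not Huawei code and not from this page: it parses a script in this layout and diffs the two profiles. The excerpt it parses is constructed and uses only a handful of the page's subcategory IDs; run against the full script above, the diff of the two profiles is exactly the five IDs (105, 171 to 174) that the marketing profile's extra `category-id 5 action allow` removed from its block list. How subcategory IDs group under category IDs is not stated on this page and is not assumed by the code.

```python
"""Audit of a committed url-filter profile script (added example, not Huawei code)."""
import re

# Constructed excerpt in the layout of the page's configuration script; it uses a
# handful of the page's subcategory IDs, not the full list.
SCRIPT = """\
#
url-filter category user-defined name url_userdefine_category
 add url www.example.com/news
 add host www.example.net
profile type url-filter name profile_url_research
 description URL filter profile of web access control for research.
 category pre-defined subcategory-id 101 action block
 category pre-defined subcategory-id 105 action block
 category pre-defined subcategory-id 171 action block
 category user-defined name url_userdefine_category action block
profile type url-filter name profile_url_marketing
 description URL filter profile of web access control for marketing.
 category pre-defined subcategory-id 101 action block
#
security-policy
 rule name policy_sec_research
  profile url-filter profile_url_research
"""

PROFILE_RE = re.compile(r"^profile type url-filter name (\S+)$")
PREDEFINED_RE = re.compile(r"^category pre-defined subcategory-id (\d+) action (\w+)$")
USER_DEFINED_RE = re.compile(r"^category user-defined name (\S+) action (\w+)$")


def parse_profiles(script):
    """Map profile name -> {'predefined': {subcategory-id: action}, 'user_defined': {name: action}}.

    Indented lines belong to the most recent top-level command; a '#' separator or
    any new unindented command ends the current profile block.
    """
    profiles, current = {}, None
    for raw in script.splitlines():
        line = raw.strip()
        if line == "#" or (raw and not raw.startswith(" ")):
            current = None
        m = PROFILE_RE.match(line)
        if m:
            current = profiles.setdefault(m.group(1), {"predefined": {}, "user_defined": {}})
            continue
        if current is None:
            continue
        m = PREDEFINED_RE.match(line)
        if m:
            current["predefined"][int(m.group(1))] = m.group(2)
            continue
        m = USER_DEFINED_RE.match(line)
        if m:
            current["user_defined"][m.group(1)] = m.group(2)
    return profiles


def blocked_subcategories(profiles, name):
    """Subcategory IDs the named profile blocks explicitly."""
    return {sid for sid, action in profiles[name]["predefined"].items() if action == "block"}


def diff_blocked(profiles, a, b):
    """(blocked only in a, blocked only in b). Subcategories in neither set are left at
    the profile default, which this script layout does not record."""
    ba, bb = blocked_subcategories(profiles, a), blocked_subcategories(profiles, b)
    return ba - bb, bb - ba


if __name__ == "__main__":
    parsed = parse_profiles(SCRIPT)
    print(diff_blocked(parsed, "profile_url_research", "profile_url_marketing"))
    print({name: p["user_defined"] for name, p in parsed.items()})
```

Reading the result is straightforward: the first set of the diff is what marketing may reach that R&D may not, and an empty second set confirms that R&D has no access marketing lacks. The user-defined map shows the other asymmetry in the page's script: the research profile carries an explicit block for url_userdefine_category while the marketing profile, which allowed it, carries no line at all, so an absent line cannot be read as "blocked".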