Huawei CLI Example: Controlling the Websites Users Can Access by URL Category

Published: 2024-05-11


Configuring category-based URL filtering lets you control user access to an entire class of websites. The category can be either a predefined category shipped with the FW or a user-defined category configured by the administrator.

Networking Requirements

As shown in Figure 1, the FW is deployed as the enterprise gateway at the network border and performs URL filtering on the HTTP requests users send to the external network.

The company has two kinds of employees, R&D staff and marketing staff, with the following requirements:

  • R&D staff may access only Education/Science and Search Engines/Portals websites, and only between 09:00 and 17:00 every day. All other websites are blocked.
  • Marketing staff may access only Education/Science, Search Engines/Portals and Social Focus websites, plus one specific URL (www.example.com/news) and one domain name (www.example.net), and only between 09:00 and 17:00 every day. All other websites are blocked.

Figure 1 Controlling the websites users can access by URL category

Configuration Roadmap
  1. Configure interface IP addresses and security zones to complete the basic network settings.
  2. Configure the remote query server, which is used to obtain the mapping between URLs and predefined categories. In this example, Education/Science, Search Engines/Portals and Social Focus websites are filtered through predefined categories. For the remote query function to work, the following is required:
    1. Activate the license and make sure it is within its service validity period.
    2. Load the URL remote query component package.
    3. Configure a DNS server so that the FW can resolve sec.huawei.com correctly.
    4. Configure the remote query server parameters, including the query mode, country name and timeout.
    5. Configure a security policy that references a user-defined service, allowing the FW to reach the scheduling center sec.huawei.com. The user-defined service must include:

      • TCP, destination port 443 (communication with the scheduling center sec.huawei.com)
      • TCP, destination port 12612 (communication with the scheduling server)
      • UDP, destination port 12600 (communication with the query server)
  3. Configure the user-defined category url_userdefine_category, adding www.example.com/news as a user-defined URL and www.example.net as a user-defined host.
  4. Create two URL filtering profiles, profile_url_research and profile_url_marketing, for R&D staff and marketing staff respectively, and set the actions for the user-defined and predefined categories.
  5. Configure the time range and the user groups.
  6. Configure two security policies that reference the time range, user groups and URL filtering profiles, enforcing URL access control per user group and time range.

Procedure
  1. Configure interface IP addresses and security zones to complete the basic network settings.
    Configure the IP address of GigabitEthernet 1/0/1 and add the interface to the untrust zone.

    <FW> system-view
    [FW] interface GigabitEthernet 1/0/1
    [FW-GigabitEthernet1/0/1] ip address 1.1.1.1 24
    [FW-GigabitEthernet1/0/1] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 1/0/1
    [FW-zone-untrust] quit

    Configure the IP address of GigabitEthernet 1/0/3 and add the interface to the trust zone.

    [FW] interface GigabitEthernet 1/0/3
    [FW-GigabitEthernet1/0/3] ip address 10.3.0.1 24
    [FW-GigabitEthernet1/0/3] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 1/0/3
    [FW-zone-trust] quit

  2. Configure the remote query server, which is used to obtain the mapping between URLs and predefined categories.
    Activate the license and make sure it is within its service validity period. For details, see License Management.
    Load the URL remote query component package. For details, see System Update.
    Configure the DNS server.
    [FW] dns resolve
    [FW] dns server 10.2.0.70
    Configure the remote query server parameters, including the query mode, country name and timeout.
    [FW] country CN
    [FW] url-filter query timeout time 3 action allow
    Configure the user-defined service.
    [FW] ip service-set service_sec_huawei_com type object
    [FW-object-service-set-service_sec_huawei_com] service protocol TCP source-port 0 to 65535 destination-port 443
    [FW-object-service-set-service_sec_huawei_com] service protocol TCP source-port 0 to 65535 destination-port 12612
    [FW-object-service-set-service_sec_huawei_com] service protocol UDP source-port 0 to 65535 destination-port 12600
    [FW-object-service-set-service_sec_huawei_com] quit
    Configure a security policy that references the user-defined service, allowing the FW to access the scheduling center.
    [FW] security-policy
    [FW-policy-security] rule name policy_sec_huawei_com
    [FW-policy-security-rule-policy_sec_huawei_com] source-zone local
    [FW-policy-security-rule-policy_sec_huawei_com] destination-zone untrust
    [FW-policy-security-rule-policy_sec_huawei_com] service service_sec_huawei_com
    [FW-policy-security-rule-policy_sec_huawei_com] action permit
    [FW-policy-security-rule-policy_sec_huawei_com] quit
    [FW-policy-security] quit

  3. Configure the user-defined URL category.

    [FW] url-filter category user-defined name url_userdefine_category
    [FW-cate-user-defined-url_userdefine_category] description url userdefine category of access control for marketing.
    [FW-cate-user-defined-url_userdefine_category] add url www.example.com/news
    [FW-cate-user-defined-url_userdefine_category] add host www.example.net
    [FW-cate-user-defined-url_userdefine_category] quit

  4. Configure the URL filtering profiles.

    The display url-filter category pre-defined command shows the following mapping between predefined categories and their IDs:

    17: Education/Science
    15: Search Engines/Portals
    5: Social Focus

    Configure the URL filtering profile for the R&D department.

    [FW] profile type url-filter name profile_url_research 
    [FW-profile-url-filter-profile_url_research] description URL filter profile of web access control for research.
    [FW-profile-url-filter-profile_url_research] category user-defined action block
    [FW-profile-url-filter-profile_url_research] category pre-defined action block
    [FW-profile-url-filter-profile_url_research] category pre-defined category-id 15 action allow
    [FW-profile-url-filter-profile_url_research] category pre-defined category-id 17 action allow
    [FW-profile-url-filter-profile_url_research] quit

    Configure the URL filtering profile for the marketing department.

    [FW] profile type url-filter name profile_url_marketing 
    [FW-profile-url-filter-profile_url_marketing] description URL filter profile of web access control for marketing.
    [FW-profile-url-filter-profile_url_marketing] category user-defined action block
    [FW-profile-url-filter-profile_url_marketing] category pre-defined action block
    [FW-profile-url-filter-profile_url_marketing] category pre-defined category-id 5 action allow
    [FW-profile-url-filter-profile_url_marketing] category pre-defined category-id 15 action allow
    [FW-profile-url-filter-profile_url_marketing] category pre-defined category-id 17 action allow
    [FW-profile-url-filter-profile_url_marketing] category user-defined name url_userdefine_category action allow
    [FW-profile-url-filter-profile_url_marketing] quit

  5. Configure the time range.

    [FW] time-range time_range
    [FW-time-range-time_range] period-range 09:00:00 to 17:00:00 daily
    [FW-time-range-time_range] quit

  6. Apply the URL filtering profiles in security policies.

    The user groups research (R&D staff) and marketing (marketing staff) referenced in this example are assumed to have been created already.

    Configure the security policy for the R&D department.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_research
    [FW-policy-security-rule-policy_sec_research] description Security policy of web access protect for research.
    [FW-policy-security-rule-policy_sec_research] source-zone trust
    [FW-policy-security-rule-policy_sec_research] destination-zone untrust
    [FW-policy-security-rule-policy_sec_research] source-address 10.3.0.0 mask 255.255.255.0
    [FW-policy-security-rule-policy_sec_research] user user-group /default/research
    [FW-policy-security-rule-policy_sec_research] time-range time_range
    [FW-policy-security-rule-policy_sec_research] action permit
    [FW-policy-security-rule-policy_sec_research] profile url-filter profile_url_research
    [FW-policy-security-rule-policy_sec_research] quit

    Configure the security policy for the marketing department.

    [FW-policy-security] rule name policy_sec_marketing
    [FW-policy-security-rule-policy_sec_marketing] description Security policy of web access protect for marketing.
    [FW-policy-security-rule-policy_sec_marketing] source-zone trust
    [FW-policy-security-rule-policy_sec_marketing] destination-zone untrust
    [FW-policy-security-rule-policy_sec_marketing] source-address 10.3.0.0 mask 255.255.255.0
    [FW-policy-security-rule-policy_sec_marketing] user user-group /default/marketing
    [FW-policy-security-rule-policy_sec_marketing] time-range time_range
    [FW-policy-security-rule-policy_sec_marketing] action permit
    [FW-policy-security-rule-policy_sec_marketing] profile url-filter profile_url_marketing
    [FW-policy-security-rule-policy_sec_marketing] quit
    [FW-policy-security] quit

  7. Commit the content security configuration.

    [FW] engine configuration commit
    Info: The operation may last for several minutes, please wait.
    Info: URL submitted configurations successfully.
    Info: Finish committing engine compiling.

Verification
  • Between 09:00 and 17:00, any R&D employee can access Education/Science and Search Engines/Portals websites, while attempts to reach Social Focus, Forums and other categories are blocked.

    By checking the URL log URL/4/FILTER, the administrator can see that when R&D staff access Social Focus, Forums and similar sites, the requests hit log entries with filter Type "Pre-defined" and Action "Block".

  • Between 09:00 and 17:00, any marketing employee can access Education/Science, Search Engines/Portals and Social Focus websites, the specific URL (www.example.com/news) and the domain name (www.example.net), while attempts to reach Forums and other categories are blocked.

    By checking the URL log URL/4/FILTER, the administrator can see that when marketing staff access Forums and similar sites, the requests hit log entries with filter Type "Pre-defined" and Action "Block".
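
As an added illustration (not Huawei's code and not the FW engine's actual algorithm), the following Python models the decisions the two profiles and policies above produce, reproducing the verification results listed here. It assumes a constructed host-to-category map, a constructed ID for the Forums category, a simplified evaluation order (user-defined category match, then predefined lookup, then the profile default) and the fail-open behaviour implied by `url-filter query timeout time 3 action allow`.

```python
"""Model of the URL-filter decisions in this example (added illustration, not Huawei code).
Assumptions: the category map and the FORUMS id are constructed; evaluation order is
user-defined match, predefined lookup, profile default; an unanswered query fails open."""
from dataclasses import dataclass, field
from datetime import time
from urllib.parse import urlsplit

# Predefined category IDs from the page's `display url-filter category pre-defined` output
EDU_SCIENCE, SEARCH_PORTALS, SOCIAL_FOCUS = 17, 15, 5
FORUMS = 999  # constructed stand-in ID for a category neither profile allows

# Constructed stand-in for the remote query server's host -> category answers; a host
# missing from the map models a query that gets no answer within the 3 s timeout.
PREDEFINED_LOOKUP = {
    "www.example-university.edu": EDU_SCIENCE,
    "search.example.org": SEARCH_PORTALS,
    "news.example.com": SOCIAL_FOCUS,
    "forum.example.org": FORUMS,
}

@dataclass
class UserDefinedCategory:
    name: str
    urls: set = field(default_factory=set)   # `add url`  -> host + path prefix
    hosts: set = field(default_factory=set)  # `add host` -> whole domain name

    def matches(self, host, path):
        return host in self.hosts or any((host + path).startswith(u) for u in self.urls)

@dataclass
class UrlFilterProfile:
    name: str
    user_defined_default: str                                   # category user-defined action
    pre_defined_default: str                                    # category pre-defined action
    pre_defined_overrides: dict = field(default_factory=dict)   # category-id -> action
    user_defined_overrides: dict = field(default_factory=dict)  # category name -> action

    def decide(self, url, categories, timeout_action="allow"):
        """Return (Type, Action) as they appear in the URL/4/FILTER log fields."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host, path = parts.hostname, parts.path or "/"
        for cat in categories:                   # user-defined categories are checked first
            if cat.matches(host, path):
                action = self.user_defined_overrides.get(cat.name, self.user_defined_default)
                return "User-defined", action
        cat_id = PREDEFINED_LOOKUP.get(host)
        if cat_id is None:                       # no answer in time: fail open, as configured
            return "Query-timeout", timeout_action
        return "Pre-defined", self.pre_defined_overrides.get(cat_id, self.pre_defined_default)

@dataclass
class SecurityPolicyRule:
    name: str
    user_group: str
    profile: UrlFilterProfile
    start: time = time(9, 0)   # time-range time_range: period-range 09:00:00 to 17:00:00 daily
    end: time = time(17, 0)

def evaluate(rules, user_group, url, now, categories):
    """The first rule whose user group and time range match applies its profile; a request
    matching no rule falls to the default security policy, modeled here as deny."""
    for rule in rules:
        if rule.user_group == user_group and rule.start <= now <= rule.end:
            return rule.profile.decide(url, categories)
    return "Default", "deny"

CATEGORIES = [UserDefinedCategory("url_userdefine_category",
                                  urls={"www.example.com/news"}, hosts={"www.example.net"})]
PROFILE_RESEARCH = UrlFilterProfile("profile_url_research", "block", "block",
    pre_defined_overrides={SEARCH_PORTALS: "allow", EDU_SCIENCE: "allow"})
PROFILE_MARKETING = UrlFilterProfile("profile_url_marketing", "block", "block",
    pre_defined_overrides={SOCIAL_FOCUS: "allow", SEARCH_PORTALS: "allow", EDU_SCIENCE: "allow"},
    user_defined_overrides={"url_userdefine_category": "allow"})
RULES = [SecurityPolicyRule("policy_sec_research", "/default/research", PROFILE_RESEARCH),
         SecurityPolicyRule("policy_sec_marketing", "/default/marketing", PROFILE_MARKETING)]

def check(user_group, url, hour=10, minute=30):
    """Decision for one request; the default time lies inside the 09:00-17:00 range."""
    return evaluate(RULES, user_group, url, time(hour, minute), CATEGORIES)
```

Because an unanswered category query is allowed, the reachability of the remote query server (the policy_sec_huawei_com rule and the DNS server) directly determines whether the filter fails open.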

Configuration Script
#                                                                               
sysname FW
#                                                                               
 dns resolve                                                                    
 dns server 10.2.0.70                                                           
#                                                                               
ip service-set service_sec_huawei_com type object                               
 service 0 protocol tcp source-port 0 to 65535 destination-port 443              
 service 1 protocol tcp source-port 0 to 65535 destination-port 12612           
 service 2 protocol udp source-port 0 to 65535 destination-port 12600           
#                                                                               
 country CN                                                                     
#                                                                               
 time-range time_range                                                          
  period-range 09:00:00 to 17:00:00 daily                                       
#                                                                               
interface GigabitEthernet1/0/1   
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#                                                                               
interface GigabitEthernet1/0/3   
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet1/0/3
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet1/0/1
#
url-filter category user-defined name url_userdefine_category                   
 description url userdefine category of access control for marketing.           
 add url www.example.com/news                                                   
 add  host www.example.net                                                      
profile type url-filter name profile_url_research                               
 description URL filter profile of web access control for research.             
 category pre-defined subcategory-id 101 action block
 category pre-defined subcategory-id 102 action block
 category pre-defined subcategory-id 162 action block
 category pre-defined subcategory-id 163 action block
 category pre-defined subcategory-id 164 action block
 category pre-defined subcategory-id 165 action block
 category pre-defined subcategory-id 103 action block
 category pre-defined subcategory-id 166 action block
 category pre-defined subcategory-id 167 action block
 category pre-defined subcategory-id 168 action block
 category pre-defined subcategory-id 104 action block
 category pre-defined subcategory-id 169 action block
 category pre-defined subcategory-id 170 action block
 category pre-defined subcategory-id 105 action block
 category pre-defined subcategory-id 171 action block
 category pre-defined subcategory-id 172 action block
 category pre-defined subcategory-id 173 action block
 category pre-defined subcategory-id 174 action block
 category pre-defined subcategory-id 106 action block
 category pre-defined subcategory-id 108 action block
 category pre-defined subcategory-id 177 action block
 category pre-defined subcategory-id 251 action block
 category pre-defined subcategory-id 109 action block
 category pre-defined subcategory-id 110 action block
 category pre-defined subcategory-id 111 action block
 category pre-defined subcategory-id 112 action block
 category pre-defined subcategory-id 114 action block
 category pre-defined subcategory-id 115 action block
 category pre-defined subcategory-id 117 action block
 category pre-defined subcategory-id 178 action block
 category pre-defined subcategory-id 179 action block
 category pre-defined subcategory-id 180 action block
 category pre-defined subcategory-id 181 action block
 category pre-defined subcategory-id 248 action block
 category pre-defined subcategory-id 118 action block
 category pre-defined subcategory-id 119 action block
 category pre-defined subcategory-id 122 action block
 category pre-defined subcategory-id 182 action block
 category pre-defined subcategory-id 183 action block
 category pre-defined subcategory-id 184 action block
 category pre-defined subcategory-id 123 action block
 category pre-defined subcategory-id 124 action block
 category pre-defined subcategory-id 186 action block
 category pre-defined subcategory-id 187 action block
 category pre-defined subcategory-id 188 action block
 category pre-defined subcategory-id 189 action block
 category pre-defined subcategory-id 125 action block
 category pre-defined subcategory-id 127 action block
 category pre-defined subcategory-id 128 action block
 category pre-defined subcategory-id 130 action block
 category pre-defined subcategory-id 131 action block
 category pre-defined subcategory-id 132 action block
 category pre-defined subcategory-id 197 action block
 category pre-defined subcategory-id 198 action block
 category pre-defined subcategory-id 199 action block
 category pre-defined subcategory-id 200 action block
 category pre-defined subcategory-id 227 action block
 category pre-defined subcategory-id 228 action block
 category pre-defined subcategory-id 133 action block
 category pre-defined subcategory-id 201 action block
 category pre-defined subcategory-id 202 action block
 category pre-defined subcategory-id 204 action block
 category pre-defined subcategory-id 205 action block
 category pre-defined subcategory-id 134 action block
 category pre-defined subcategory-id 135 action block
 category pre-defined subcategory-id 136 action block
 category pre-defined subcategory-id 137 action block
 category pre-defined subcategory-id 138 action block
 category pre-defined subcategory-id 139 action block
 category pre-defined subcategory-id 140 action block
 category pre-defined subcategory-id 141 action block
 category pre-defined subcategory-id 206 action block
 category pre-defined subcategory-id 207 action block
 category pre-defined subcategory-id 208 action block
 category pre-defined subcategory-id 209 action block
 category pre-defined subcategory-id 210 action block
 category pre-defined subcategory-id 229 action block
 category pre-defined subcategory-id 142 action block
 category pre-defined subcategory-id 143 action block
 category pre-defined subcategory-id 144 action block
 category pre-defined subcategory-id 145 action block
 category pre-defined subcategory-id 146 action block
 category pre-defined subcategory-id 147 action block
 category pre-defined subcategory-id 211 action block
 category pre-defined subcategory-id 212 action block
 category pre-defined subcategory-id 213 action block
 category pre-defined subcategory-id 240 action block
 category pre-defined subcategory-id 253 action block
 category pre-defined subcategory-id 149 action block
 category pre-defined subcategory-id 150 action block
 category pre-defined subcategory-id 214 action block
 category pre-defined subcategory-id 215 action block
 category pre-defined subcategory-id 216 action block
 category pre-defined subcategory-id 217 action block
 category pre-defined subcategory-id 151 action block
 category pre-defined subcategory-id 218 action block
 category pre-defined subcategory-id 219 action block
 category pre-defined subcategory-id 220 action block
 category pre-defined subcategory-id 221 action block
 category pre-defined subcategory-id 222 action block
 category pre-defined subcategory-id 223 action block
 category pre-defined subcategory-id 230 action block
 category pre-defined subcategory-id 252 action block
 category pre-defined subcategory-id 152 action block
 category pre-defined subcategory-id 153 action block
 category pre-defined subcategory-id 238 action block
 category pre-defined subcategory-id 154 action block
 category pre-defined subcategory-id 155 action block
 category pre-defined subcategory-id 224 action block
 category pre-defined subcategory-id 225 action block
 category pre-defined subcategory-id 156 action block
 category pre-defined subcategory-id 157 action block
 category pre-defined subcategory-id 158 action block
 category pre-defined subcategory-id 231 action block
 category pre-defined subcategory-id 232 action block
 category pre-defined subcategory-id 159 action block
 category pre-defined subcategory-id 254 action block
 category pre-defined subcategory-id 160 action block
 category pre-defined subcategory-id 161 action block
 category pre-defined subcategory-id 176 action block
 category pre-defined subcategory-id 226 action block
 category pre-defined subcategory-id 234 action block
 category pre-defined subcategory-id 235 action block
 category pre-defined subcategory-id 236 action block
 category pre-defined subcategory-id 237 action block
 category pre-defined subcategory-id 239 action block
 category pre-defined subcategory-id 241 action block
 category pre-defined subcategory-id 233 action block
 category user-defined name url_userdefine_category action block
profile type url-filter name profile_url_marketing                              
 description URL filter profile of web access control for marketing.            
 category pre-defined subcategory-id 101 action block
 category pre-defined subcategory-id 102 action block
 category pre-defined subcategory-id 162 action block
 category pre-defined subcategory-id 163 action block
 category pre-defined subcategory-id 164 action block
 category pre-defined subcategory-id 165 action block
 category pre-defined subcategory-id 103 action block
 category pre-defined subcategory-id 166 action block
 category pre-defined subcategory-id 167 action block
 category pre-defined subcategory-id 168 action block
 category pre-defined subcategory-id 104 action block
 category pre-defined subcategory-id 169 action block
 category pre-defined subcategory-id 170 action block
 category pre-defined subcategory-id 106 action block
 category pre-defined subcategory-id 108 action block
 category pre-defined subcategory-id 177 action block
 category pre-defined subcategory-id 251 action block
 category pre-defined subcategory-id 109 action block
 category pre-defined subcategory-id 110 action block
 category pre-defined subcategory-id 111 action block
 category pre-defined subcategory-id 112 action block
 category pre-defined subcategory-id 114 action block
 category pre-defined subcategory-id 115 action block
 category pre-defined subcategory-id 117 action block
 category pre-defined subcategory-id 178 action block
 category pre-defined subcategory-id 179 action block
 category pre-defined subcategory-id 180 action block
 category pre-defined subcategory-id 181 action block
 category pre-defined subcategory-id 248 action block
 category pre-defined subcategory-id 118 action block
 category pre-defined subcategory-id 119 action block
 category pre-defined subcategory-id 122 action block
 category pre-defined subcategory-id 182 action block
 category pre-defined subcategory-id 183 action block
 category pre-defined subcategory-id 184 action block
 category pre-defined subcategory-id 123 action block
 category pre-defined subcategory-id 124 action block
 category pre-defined subcategory-id 186 action block
 category pre-defined subcategory-id 187 action block
 category pre-defined subcategory-id 188 action block
 category pre-defined subcategory-id 189 action block
 category pre-defined subcategory-id 125 action block
 category pre-defined subcategory-id 127 action block
 category pre-defined subcategory-id 128 action block
 category pre-defined subcategory-id 130 action block
 category pre-defined subcategory-id 131 action block
 category pre-defined subcategory-id 132 action block
 category pre-defined subcategory-id 197 action block
 category pre-defined subcategory-id 198 action block
 category pre-defined subcategory-id 199 action block
 category pre-defined subcategory-id 200 action block
 category pre-defined subcategory-id 227 action block
 category pre-defined subcategory-id 228 action block
 category pre-defined subcategory-id 133 action block
 category pre-defined subcategory-id 201 action block
 category pre-defined subcategory-id 202 action block
 category pre-defined subcategory-id 204 action block
 category pre-defined subcategory-id 205 action block
 category pre-defined subcategory-id 134 action block
 category pre-defined subcategory-id 135 action block
 category pre-defined subcategory-id 136 action block
 category pre-defined subcategory-id 137 action block
 category pre-defined subcategory-id 138 action block
 category pre-defined subcategory-id 139 action block
 category pre-defined subcategory-id 140 action block
 category pre-defined subcategory-id 141 action block
 category pre-defined subcategory-id 206 action block
 category pre-defined subcategory-id 207 action block
 category pre-defined subcategory-id 208 action block
 category pre-defined subcategory-id 209 action block
 category pre-defined subcategory-id 210 action block
 category pre-defined subcategory-id 229 action block
 category pre-defined subcategory-id 142 action block
 category pre-defined subcategory-id 143 action block
 category pre-defined subcategory-id 144 action block
 category pre-defined subcategory-id 145 action block
 category pre-defined subcategory-id 146 action block
 category pre-defined subcategory-id 147 action block
 category pre-defined subcategory-id 211 action block
 category pre-defined subcategory-id 212 action block
 category pre-defined subcategory-id 213 action block
 category pre-defined subcategory-id 240 action block
 category pre-defined subcategory-id 253 action block
 category pre-defined subcategory-id 149 action block
 category pre-defined subcategory-id 150 action block
 category pre-defined subcategory-id 214 action block
 category pre-defined subcategory-id 215 action block
 category pre-defined subcategory-id 216 action block
 category pre-defined subcategory-id 217 action block
 category pre-defined subcategory-id 151 action block
 category pre-defined subcategory-id 218 action block
 category pre-defined subcategory-id 219 action block
 category pre-defined subcategory-id 220 action block
 category pre-defined subcategory-id 221 action block
 category pre-defined subcategory-id 222 action block
 category pre-defined subcategory-id 223 action block
 category pre-defined subcategory-id 230 action block
 category pre-defined subcategory-id 252 action block
 category pre-defined subcategory-id 152 action block
 category pre-defined subcategory-id 153 action block
 category pre-defined subcategory-id 238 action block
 category pre-defined subcategory-id 154 action block
 category pre-defined subcategory-id 155 action block
 category pre-defined subcategory-id 224 action block
 category pre-defined subcategory-id 225 action block
 category pre-defined subcategory-id 156 action block
 category pre-defined subcategory-id 157 action block
 category pre-defined subcategory-id 158 action block
 category pre-defined subcategory-id 231 action block
 category pre-defined subcategory-id 232 action block
 category pre-defined subcategory-id 159 action block
 category pre-defined subcategory-id 254 action block
 category pre-defined subcategory-id 160 action block
 category pre-defined subcategory-id 161 action block
 category pre-defined subcategory-id 176 action block
 category pre-defined subcategory-id 226 action block
 category pre-defined subcategory-id 234 action block
 category pre-defined subcategory-id 235 action block
 category pre-defined subcategory-id 236 action block
 category pre-defined subcategory-id 237 action block
 category pre-defined subcategory-id 239 action block
 category pre-defined subcategory-id 241 action block
 category pre-defined subcategory-id 233 action block
#                                                                               
security-policy                                                                 
 rule name policy_sec_huawei_com                                                
  source-zone local                                                             
  destination-zone untrust                                                      
  service service_sec_huawei_com                                                
  action permit                                                                 
 rule name policy_sec_research                                                  
  description Security policy of web access protect for research.               
  source-zone trust                                                             
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  user user-group /default/research                                             
  time-range time_range                                                         
  profile url-filter profile_url_research                                       
  action permit                                                                 
 rule name policy_sec_marketing                                                 
  description Security policy of web access protect for marketing.              
  source-zone trust                                                             
  destination-zone untrust                                                      
  source-address 10.3.0.0 mask 255.255.255.0
  user user-group /default/marketing                                            
  time-range time_range                                                         
  profile url-filter profile_url_marketing                                      
  action permit                             
