
Configuring a Security Policy Using the CLI

This section describes the procedure for configuring a security policy on the CLI.

Context

The system has a default security policy whose match conditions are all any and whose action is deny. The default security policy cannot be deleted, but its action and its log recording function can be modified.

If the action of the default security policy is set to permit, every packet that matches no other rule is allowed through, which removes the last line of defense on the device. You are therefore advised to keep the default action as deny, so that any traffic you have not explicitly permitted is blocked.

If traffic does not match any other security policy, it matches the default security policy. The default security policy controls intrazone and interzone traffic as follows:
  • Interzone traffic is always controlled by the default security policy. This includes traffic sent and received by the FW itself as well as traffic exchanged between security zones.

  • Intrazone traffic is controlled by the default security policy only if the function of controlling intrazone traffic is enabled. When that function is disabled, intrazone traffic is not evaluated against the default security policy and is forwarded by default; configure specific security policies if you need to control it. When that function is enabled, the default security policy, including its action and its log function, applies to intrazone traffic as well.

    In the security policy view, run the default packet-filter intrazone enable command to enable the default security policy to control intrazone traffic.
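The following configuration is an added example, not from the original page, that applies the two points above on the CLI: it keeps the default action at deny, adds an explicit intrazone rule for the one flow still needed inside the trust zone, and only then enables default-policy control of intrazone traffic. The zone name trust is a default zone; the rule name, its description and the internal DNS server address 10.0.0.53 are assumptions.

```text
<sysname> system-view
[sysname] security-policy
[sysname-policy-security] default action deny
[sysname-policy-security] rule name trust_intrazone_dns
[sysname-policy-security-rule-trust_intrazone_dns] description Allow_trust_hosts_to_internal_DNS
[sysname-policy-security-rule-trust_intrazone_dns] source-zone trust
[sysname-policy-security-rule-trust_intrazone_dns] destination-zone trust
[sysname-policy-security-rule-trust_intrazone_dns] destination-address 10.0.0.53 32
[sysname-policy-security-rule-trust_intrazone_dns] service protocol udp destination-port 53
[sysname-policy-security-rule-trust_intrazone_dns] service protocol tcp destination-port 53
[sysname-policy-security-rule-trust_intrazone_dns] action permit
[sysname-policy-security-rule-trust_intrazone_dns] quit
[sysname-policy-security] default packet-filter intrazone enable
[sysname-policy-security] quit
```

Once default packet-filter intrazone enable is in effect, every trust-to-trust flow that is not covered by an explicit permit rule hits the default deny, which is why the intrazone rule is created before the function is enabled on a production device.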

Procedure

  1. Access the security policy view from the system view.

    security-policy

  2. Create a security policy rule and access the security policy rule view.

    On the CLI, a security policy is expressed as a rule, so in this topic "security policy rule" and "security policy" are used interchangeably.

    rule name rule-name

  3. Optional: Configure the security policy rule description.

    description description

    Give the rule a clear description so that administrators can find and maintain the policy easily.

  4. Define the match conditions of the security policy.

    The following list gives each match condition (function) followed by the command that sets it.

    Set the VLAN ID.

    vlan-id { vlan-id | any }

    By default, the FW parses the outer VLAN tags of QinQ packets. If you need to filter traffic based on inner VLAN tags, run the firewall transparent inside-vlan inspect enable command to enable the detection of inner VLAN tags.

    Set the source security zone.

    source-zone { zone-name &<1-6> | any }

    Set the destination security zone.

    destination-zone { zone-name &<1-6> | any }

    Set the source IP address and region.

    • source-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | ipv6-address ipv6-prefix-length [ description description ] | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } [ description description ] | geo-location geo-location-name &<1-6> | geo-location-set geo-location-set-name &<1-6> | domain-set domain-set-name &<1-6> | mac-address &<1-6> | any }

    • source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]
    NOTE:

    Do not reference only empty address objects, address groups, region groups, or domain groups. A condition that references only empty objects can never be matched, so the rule never takes effect.

    Set the destination IP address and region.

    • destination-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | ipv6-address ipv6-prefix-length [ description description ] | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } [ description description ] | geo-location geo-location-name &<1-6> | geo-location-set geo-location-set-name &<1-6> | domain-set domain-set-name &<1-6> | mac-address &<1-6> | any }

    • destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]
      NOTE:

      Do not reference only empty address objects, address groups, region groups, or domain groups. A condition that references only empty objects can never be matched, so the rule never takes effect.

    Set a user, user group, or security group.

    user { username user-name &<1-6> | user-group user-group-name &<1-6> | security-group security-group-name &<1-6> | any }

    NOTE:

    If security policy control needs to be applied to users who authenticate through redirection, and the packets exchanged between those users and the DNS server are forwarded by the FW, configure a security policy on the FW that permits DNS packets. Otherwise the users cannot resolve names, their HTTP requests are never sent and so cannot be redirected to the authentication page, and redirected authentication fails.

    You can reference local users, user groups, or security groups or create new ones.

    The FW allows importing and referencing users, user groups, and security groups from the AD or LDAP server.
    NOTE:

    Before using this function, configure a server import policy in the New User Authentication Options and set the server type to AD or LDAP. For details, see Importing Users, User Groups or Security Groups from a Server.

    The server import policy determines the target groups and remote query path. However, the import type and filtering parameter configured in the server import policy do not take effect in this function.

    It is recommended that the user name (cn value) on the server be the same as the login name (sAMAccountName value).

    A policy can reference a maximum of 64 users, user groups, or security groups.

    Configure the access mode.

    access-authentication { wired-802.1x | wireless-802.1x | wired-portal | wireless-portal | any }

    Configure the device classification (device group or device category).

    device-classification { device-group group-name | device-category category-name | any }

    Configure an application.

    application { any | app app-name &<1-6> | app-group app-group-name &<1-6> | category category-name [ sub-category sub-category-name &<1-6> ] | label label-name &<1-6> | software software-name &<1-6> }

    Application identification requires deeper inspection of the traffic and may affect FW performance. Configure it only where required.

    Specify a URL category.

    url { pre-defined { category { name category-name | category-id } | sub-category { name sub-category-name | sub-category-id } } | user-defined sub-category sub-category-name | any }

    Configure a service (by referencing a service or service group).

    Configure a service (by referencing a TCP/UDP/SCTP port or IP-layer protocol).

    • service protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *

    • service protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]

    • service protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]

    • service protocol protocol-number

    • service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *

    • service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]

    • service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]

    • service-exclude protocol protocol-number

    Specify the validity period of the policy.

    time-range time-range-name

  5. Set the action of the security policy.

    • Set the action of a non-default security policy rule.

      action { permit | deny }

    • Set the action of the default security policy rule.

      default action { permit | deny }

  6. Configure the sending of feedback packets.

    send-deny-packet { reset { to-client | to-server }* | icmp destination-unreachable }

    If the action of a security policy is deny, the FW not only discards the packets matching the security policy but can also send feedback packets to the sender and the responder. The type of feedback packet depends on the packet type:
    • For TCP packets, run send-deny-packet reset { to-client | to-server }* to send TCP reset packets to the TCP client, to the server, or to both.
    • For UDP and ICMP packets, run send-deny-packet icmp destination-unreachable to send ICMP destination unreachable packets to the client.

      When working at Layer 2, the FW cannot send ICMP destination unreachable packets.

    After the initiator or recipient receives the feedback packets, the application layer terminates the session promptly instead of waiting for a timeout, and users can see that their requests have been blocked. Keep in mind that resets and ICMP unreachables sent toward an untrusted zone also tell a scanner that a filtering device is present; a silent drop is usually preferable for traffic arriving from untrusted zones.

    When the FW serves as a bypass detection device, an interference interface needs to be configured to send reset packets. For details, see ids-response command.

    However, when the FW is under attack, it may continuously send a large number of feedback packets. To protect device performance, configure send-deny-packet rate-limit in the security policy view to limit the rate of feedback packets; once the rate reaches the configured maximum, the FW stops sending feedback packets.

    If cross-virtual system packets, packets processed by NAT64, VPN encapsulated packets, or TCP proxy packets are blocked, the FW does not send feedback packets.

  7. Optional: Configure the security policy rule to reference a content security profile. The profile takes effect only when the action of the security policy rule is permit.

    profile { aapt | app-control | av | data-filter | dns-filter | file-block | ips | mail-filter | url-filter | casa | aie } name

    name must be the name of an existing content security profile. A default profile is available for each type of profile except for the artificial intelligence engine.

    Integrated content security detection, such as IPS or antivirus, consumes device resources. Reference content security profiles only on the rules that need them, according to your actual requirements.

    When you perform creation, modification, or deletion operations on the content security profile except for the artificial intelligence engine, you need to run the engine configuration commit command in the system view to submit the configurations for them to take effect in the profile as well as the security policy that references the profile.

    Before committing configurations, ensure that the IAE is available. Otherwise the configurations committed using the engine configuration commit command do not take effect.

Configuration Example

An enterprise deploys a FW as a security gateway at the network border to prohibit enterprise employees from playing games during working hours.

<sysname> system-view
[sysname] security-policy
[sysname-policy-security] rule name policy_sec_01
[sysname-policy-security-rule-policy_sec_01] source-zone trust
[sysname-policy-security-rule-policy_sec_01] destination-zone untrust
[sysname-policy-security-rule-policy_sec_01] application category Entertainment sub-category Game
[sysname-policy-security-rule-policy_sec_01] time-range worktime
[sysname-policy-security-rule-policy_sec_01] action deny
[sysname-policy-security-rule-policy_sec_01] quit
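The following is an added example, not part of the original page, that walks through steps 2 to 7 in one session: a permit rule with an address exclusion, a port-based service and an IPS profile reference, followed by a deny rule that sends TCP resets. The zone names untrust and dmz are default zones; the zone guest, the rule names and descriptions, the server range 203.0.113.0/28 (with the gateway 203.0.113.1 excluded), and the IPS profile ips_dmz_web, which is assumed to have been created earlier in the same session, are assumptions.

```text
<sysname> system-view
[sysname] security-policy
[sysname-policy-security] rule name policy_sec_02
[sysname-policy-security-rule-policy_sec_02] description Internet_to_DMZ_web_HTTP_HTTPS_only
[sysname-policy-security-rule-policy_sec_02] source-zone untrust
[sysname-policy-security-rule-policy_sec_02] destination-zone dmz
[sysname-policy-security-rule-policy_sec_02] destination-address 203.0.113.0 28
[sysname-policy-security-rule-policy_sec_02] destination-address-exclude 203.0.113.1 32
[sysname-policy-security-rule-policy_sec_02] service protocol tcp destination-port 80 443
[sysname-policy-security-rule-policy_sec_02] profile ips ips_dmz_web
[sysname-policy-security-rule-policy_sec_02] action permit
[sysname-policy-security-rule-policy_sec_02] quit
[sysname-policy-security] rule name policy_sec_03
[sysname-policy-security-rule-policy_sec_03] description Block_and_reset_admin_ports_from_guest
[sysname-policy-security-rule-policy_sec_03] source-zone guest
[sysname-policy-security-rule-policy_sec_03] destination-zone dmz
[sysname-policy-security-rule-policy_sec_03] service protocol tcp destination-port 22 3389
[sysname-policy-security-rule-policy_sec_03] action deny
[sysname-policy-security-rule-policy_sec_03] send-deny-packet reset to-client
[sysname-policy-security-rule-policy_sec_03] quit
[sysname-policy-security] quit
[sysname] engine configuration commit
```

The final engine configuration commit is the step 7 requirement for a profile created or modified in this session; the IPS profile only inspects traffic because policy_sec_02 permits it. Rules are matched in the order in which they appear in the security policy, so when a deny rule and a broader permit rule could both match the same flow, the deny rule must sit above it. The rate limit for feedback packets (send-deny-packet rate-limit, step 6) is configured in the security policy view rather than in the rule and is not shown here.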
Copyright © Huawei Technologies Co., Ltd.