Identification and Query of Security Policies

This section describes how to configure the tags of security policies and how to query the security policies.

Configuring a Tag

When the device has a large number of policies created, you can identify and categorize the policies with tags. If you attempt to view and process in batches policies of a certain type, you can search for the policies based on their tags.

Configuration on the Web UI

Choose Policy > Security Policy > Security Policy.
Click Add Security Policy or enter the view of an existing security policy rule.
Configure a tag for the security policy.

Under Tag, select an existing tag or create a tag.

For example, an enterprise administrator creates a tag named marketing and adds the tag to the security policies of the marketing department to facilitate the search and management of the control rules of the marketing department.

If the enterprise administrator wants to search for a marketing policy, he can directly search for the marketing tag. In addition, the enterprise administrator can delete, move, enable, and disable policies in batches based on query results.

Configuration on the CLI

Access the security policy view from the system view.

security-policy
Create a security policy rule and access the security policy rule view.

rule name rule-name
Configure a tag for the security policy.

add tag tag-name

Select an existing tag or create a tag.

Querying Security Policies

On the Security Policy List page, you can query security policies by keyword or field or query only matched security policies.

Keyword query

Keyword query is fuzzy query. After you enter a keyword (for example, trust), all security policies will be displayed if any field of the policies contains the specified keyword, as shown in the following figure. You can click on the right side to cancel the query.

Query by field

You can add one or more fields as the filtering conditions. You can enter one or more keywords in each field, and the keywords are logically ORed. If the field of a security policy contains any keyword, the security policy will be displayed. If you add multiple fields, the fields are logically ANDed. For example, if you add the source security zone and destination address/area fields, enter "trust" and "local" as the keywords in the source security zone field, and enter "333" as the keyword in the destination address/area field, the displayed result page resembles the following figure. You can click on the right side to cancel the query.

Matched policies query

Matched policies are queried based on the 5-tuple (source security zone, destination security zone, protocol, source address, and destination address). You can display the security policies that have been matched based on the 5-tuple so that you can adjust security policies if they do not meet the expectations.

Query on the web UI

Click Match Query. On the page that is displayed, select one or more fields, enter the value of each field, and click Search. You can enter only one value for each field, and the fields are logically ANDed. A security policy will be displayed only when all the specified fields are matched. In addition, when the protocol is set to TCP, UDP, or SCTP, you can also specify the source port and destination port. When the protocol is set to IP, you need to enter the protocol number to be queried. For example, if you display matched security policies whose source security zone is trust, destination security zone is untrust, and protocol is TCP, the result page resembles the following figure. Click Clear Match Query to cancel the query.
Query using the display security-policy rule command