This section provides an example of configuring security policies when the FW functions as a bypass detection device.
Networking Requirements
As shown in Figure 1, a router connects an intranet and the Internet. The FW functions as a bypass detection device to implement content security checks on the traffic that passes through the router.
Figure 1 Networking diagram of bypass detection
Configuration Roadmap
- When the FW functions as a bypass detection device, set detection interface GE0/0/1 to a Layer-2 interface and connect this interface to a switch. The switch mirrors traffic to the FW for detection.
- Configure bypass detection on the detection interface so that the FW only detects traffic.
- Configure a security policy and reference an applicable security profile to implement content security checks on the traffic.
When the FW has only one interface that receives mirrored traffic, or has multiple such interfaces but applies the same security policy to all of them, you can add the interface or interfaces to any security zone and set both the source and destination security zones of the policy to any.
When the FW has multiple interfaces that receive mirrored traffic and applies a different security policy to each interface, you must add the interfaces to different security zones and set the source and destination security zones of each security policy to the zone where the corresponding interface resides.
Procedure
- Configure the interface and assign it to a security zone.
- Choose .
- Click the edit icon of GE0/0/1 and set the following parameters:

| Parameter | Value |
| --- | --- |
| Mode | Bypass |
| Connection Type | Trunk |
| Trunk VLAN ID | 2-4094 |
- Click OK.
- Set the security zone of GE0/0/1 to the Untrust zone.
- Click OK.
- Configure a security policy for bypass detection.
- Choose .
- Click Add Security Policy.
- Set the parameters of the security policy for bypass detection.

| Parameter | Value |
| --- | --- |
| Name | policy_sec_bypass_detection |
| Source Zone | untrust |
| Destination Zone | untrust |
| Action | Permit |
| Content Security: Antivirus | default |
| Content Security: Intrusion Prevention | default |
| Record Policy Matching Log | Enable |
The antivirus and intrusion prevention profiles are used as examples. You can select other types of profiles as required.
- Click OK.
Verification
- Choose to check whether the traffic from the router matches the security policy.
- Choose to view and analyze whether the traffic contains any virus or threat.
Configuration Script

```
#
vlan batch 2 to 4094
#
interface GigabitEthernet0/0/1
 portswitch
 undo shutdown
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2 to 4094
 detect-mode tap
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
security-policy
 rule name policy_sec_bypass_detection
  policy logging
  source-zone untrust
  destination-zone untrust
  profile av default
  profile ips default
  action permit
```
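The zone rule given in the Configuration Roadmap (every mirroring interface must sit in a zone that the policy names as both source and destination, or the policy must use any) is easy to get wrong when more interfaces are added later, and a mismatch fails silently: the tap interface keeps receiving traffic but no rule with a content-security profile matches it, so nothing is inspected. The following Python script, added here as an illustration and not part of Huawei's documentation or tooling, parses the configuration script above and checks those conditions. It also handles the multi-interface case from the roadmap (several tap interfaces in different zones, or rules that use `any`), which goes beyond the single-interface example on this page. The parser understands only the commands that appear on this page; the sample configuration embedded in it is the page's own script.

```python
"""Audit a bypass-detection (tap mode) configuration script.

Added example, not Huawei's own tooling. It checks what the
Configuration Roadmap requires: each 'detect-mode tap' interface is in
a security zone, that zone is covered by a permit rule whose source and
destination zones match it (or are 'any'), and the rule references at
least one content-security profile and logs matches.
"""

# Constructed sample: the configuration script from this page.
SAMPLE_CONFIG = """\
#
vlan batch 2 to 4094
#
interface GigabitEthernet0/0/1
 portswitch
 undo shutdown
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2 to 4094
 detect-mode tap
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
security-policy
 rule name policy_sec_bypass_detection
  policy logging
  source-zone untrust
  destination-zone untrust
  profile av default
  profile ips default
  action permit
"""


def parse_config(text):
    """Return (tap interfaces, interface->zone map, list of rule dicts)."""
    tap_ifaces, zone_of, rules = set(), {}, []
    section, rule = None, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words == ["#"]:
            section, rule = None, None        # '#' ends a block in VRP
            continue
        if words[0] == "interface" and len(words) == 2:
            section = ("interface", words[1])
        elif words[:2] == ["firewall", "zone"] and len(words) == 3:
            section = ("zone", words[2])
        elif words == ["security-policy"]:
            section = ("policy",)
        elif section is None:
            continue
        elif section[0] == "interface" and words == ["detect-mode", "tap"]:
            tap_ifaces.add(section[1])
        elif section[0] == "zone" and words[:2] == ["add", "interface"] and len(words) == 3:
            zone_of[words[2]] = section[1]
        elif section[0] == "policy" and words[:2] == ["rule", "name"] and len(words) == 3:
            rule = {"name": words[2], "src": set(), "dst": set(),
                    "action": None, "profiles": {}, "logging": False}
            rules.append(rule)
        elif section[0] == "policy" and rule is not None:
            if words[0] == "source-zone":
                rule["src"].update(words[1:])
            elif words[0] == "destination-zone":
                rule["dst"].update(words[1:])
            elif words[0] == "action" and len(words) == 2:
                rule["action"] = words[1]
            elif words[0] == "profile" and len(words) == 3:
                rule["profiles"][words[1]] = words[2]   # e.g. av -> default
            elif words == ["policy", "logging"]:
                rule["logging"] = True
    return tap_ifaces, zone_of, rules


def zone_matches(rule_zones, zone):
    """An omitted zone list or the keyword 'any' matches every zone."""
    return not rule_zones or "any" in rule_zones or zone in rule_zones


def audit(text):
    """Return a list of findings; an empty list means the checks pass."""
    tap_ifaces, zone_of, rules = parse_config(text)
    findings = []
    if not tap_ifaces:
        findings.append("no interface is configured with 'detect-mode tap'")
    for iface in sorted(tap_ifaces):
        zone = zone_of.get(iface)
        if zone is None:
            findings.append(f"{iface}: tap interface is not in any security zone")
            continue
        covering = [r for r in rules if r["action"] == "permit"
                    and zone_matches(r["src"], zone) and zone_matches(r["dst"], zone)]
        if not covering:
            findings.append(f"{iface}: no permit rule matches zone '{zone}' as source and destination")
            continue
        for r in covering:
            if not r["profiles"]:
                findings.append(f"{r['name']}: no content-security profile, traffic would not be inspected")
            if not r["logging"]:
                findings.append(f"{r['name']}: policy logging is off, matches will not be logged")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["OK: bypass detection policy is consistent"]:
        print(line)
```

Run against the page's script, `audit` returns no findings. Deleting the `add interface` line from the zone, or changing a rule's source zone so that it no longer matches the zone of GE0/0/1, produces a finding, which is the kind of drift that otherwise only shows up as an empty policy-matching log during verification.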