action (data filtering rule view)

Function

The action command configures the action for a data filtering rule.

The undo action command restores the default action for a data filtering rule. The default action is alert.

Format

action { alert | block | by-threshold { alert-value alert-value | block-value block-value } * }

undo action [ by-threshold { alert-value | block-value } * ]

Parameters

Parameter Description Value
alert Allows the data transfer and generates an event log. -
block Blocks the data transfer and generates an event log. -
by-threshold Performs an action based on the weight and threshold.

Each keyword (including predefined and user-defined keywords) in the group has a weight. The device calculates the sum of all keyword weights based on the number of times the keywords appear in the data to be detected.

  • If the sum of all keyword weights is smaller than the alert threshold, the device allows the data transfer.

  • If the sum of all keyword weights is greater than or equal to the alert threshold and smaller than the block threshold, the device generates an alarm. The alarm is sent only once.

  • If the sum of all keyword weights is greater than or equal to the block threshold, the device blocks the traffic.

alert-value alert-value Specifies the alert threshold for a data filtering rule. -
block-value block-value Specifies the block threshold for a data filtering rule. -

Views

Data filtering rule view

Default Level

2: Configuration level

Usage Guidelines

The default action for a data filtering rule is alert.

  • The device does not support blocking NFS. Therefore, in a scenario where the application is NFS, and the action is block or the weight is no smaller than the block threshold, the device takes the alert action.

  • In a scenario where the application is IMAP or POP3, and the action is block or the weight is no smaller than the block threshold:

    • If the email attachment matches the keyword, the device deletes the body and attachment of the email.

    • If the email body matches the keyword, the device deletes the body and attachment of the email.

    • If the email subject matches the keyword, the device deletes the subject, body and attachment of the email.

Example

# Set the action for data filtering rule def to block.

<sysname> system-view
[sysname] profile type data-filter name abc
[sysname-profile-data-filter-abc] rule name def
[sysname-profile-data-filter-abc-rule-def] action block

# Configure a threshold-based action for data filtering rule def: set the alert threshold to 100 and the block threshold to 200.

<sysname> system-view
[sysname] profile type data-filter name abc
[sysname-profile-data-filter-abc] rule name def
[sysname-profile-data-filter-abc-rule-def] action by-threshold alert-value 100 block-value 200
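
The by-threshold decision described under Parameters, together with the NFS exception from Usage Guidelines, modelled in Python for checking which action sample data would trigger before thresholds are committed. This is an added example, not Huawei code: the keyword weights, sample payloads and function names are constructed, and case-insensitive literal matching is an assumption, since the page does not state how the device counts occurrences. The thresholds 100 and 200 are those of the example above.

```python
import re

# Constructed sample keyword group: keyword -> weight (not from the page).
WEIGHTS = {"confidential": 50, "salary": 30, "project-x": 100}

def weighted_sum(data, weights):
    """Sum weight x occurrence count over all keywords in the group.
    Assumption: case-insensitive literal matching; the page does not say
    how the device matches or counts occurrences."""
    return sum(
        weight * len(re.findall(re.escape(keyword), data, flags=re.IGNORECASE))
        for keyword, weight in weights.items()
    )

def decide(data, weights, alert_value, block_value, application="HTTP"):
    """Return (action, score) following the by-threshold rules on this page."""
    if alert_value > block_value:
        # Assumption of this model only: the page does not define this case.
        raise ValueError("model expects alert_value <= block_value")
    score = weighted_sum(data, weights)
    if score >= block_value:
        # Usage Guidelines: NFS cannot be blocked, so the device alerts instead.
        action = "alert" if application.upper() == "NFS" else "block"
    elif score >= alert_value:
        action = "alert"
    else:
        action = "permit"
    return action, score

# Constructed sample payloads: (application, data to be detected).
SAMPLES = [
    ("HTTP", "Lunch menu for Friday"),
    ("HTTP", "Confidential: salary review attached. Salary bands unchanged."),
    ("HTTP", "CONFIDENTIAL project-x salary data, confidential"),
    ("NFS", "CONFIDENTIAL project-x salary data, confidential"),
]

if __name__ == "__main__":
    for app, text in SAMPLES:
        print(app, decide(text, WEIGHTS, 100, 200, app))
```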
Copyright © Huawei Technologies Co., Ltd.