Application behavior control manages the HTTP and FTP behavior of intranet users.
Networking Requirements
As shown in Figure 1, the FW is deployed at the intranet egress as the enterprise egress gateway.
Employees of the enterprise are classified into R&D personnel and marketing personnel. User groups research and marketing have been created, and the related authentication configuration is complete. Application behavior control is to be configured on the FW to control the HTTP and FTP Internet access behavior of R&D personnel and marketing personnel.
All HTTP and FTP behavior of R&D personnel is denied during working hours (09:00:00 to 17:00:00 on workdays) so that working efficiency is not degraded.
R&D personnel can browse web pages and download files through HTTP during non-working hours (weekends and the non-working hours on workdays), but all other HTTP and FTP behavior is denied.
To balance information security with the need to communicate with customers, marketing personnel can upload files no larger than 100M through HTTP or FTP, and the size of each piece of content posted to the Internet is limited to 2000 bytes.
Figure 1 Networking diagram of application behavior control
Data Planning

Item | Data | Description
--- | --- | ---
Application behavior control profile | Name: profile_app_research_work. Control option: All HTTP and FTP behavior is denied. | Controls the HTTP and FTP behavior of R&D personnel during working hours.
Application behavior control profile | Name: profile_app_research_rest. Control option: Only HTTP web browsing, HTTP proxy and HTTP file download are permitted. | Controls the HTTP and FTP behavior of R&D personnel during non-working hours.
Application behavior control profile | Name: profile_app_marketing. Control option: All HTTP and FTP behavior is permitted, the block threshold for HTTP POST operations is set to 2000 bytes, and the block threshold for HTTP and FTP file upload is set to 102400 KB (100M). | Controls the HTTP and FTP behavior of the marketing personnel.
Security policy | Name: policy_sec_research_work. Source zone: trust. Destination zone: untrust. User: research (R&D user group). Schedule: working_hours (09:00:00 to 17:00:00 on workdays). Action: permit. Application behavior control profile: profile_app_research_work. | R&D personnel are allowed to access the Internet. Schedule working_hours and application behavior control profile profile_app_research_work are referenced to control the application behavior of R&D personnel during working hours.
Security policy | Name: policy_sec_research_rest. Source zone: trust. Destination zone: untrust. User: research (R&D user group). Schedule: off_hours (weekends, and 00:00:00 to 08:59:59 and 17:01:00 to 23:59:59 on workdays). Action: permit. Application behavior control profile: profile_app_research_rest. | R&D personnel are allowed to access the Internet. Schedule off_hours and application behavior control profile profile_app_research_rest are referenced to control the application behavior of R&D personnel during non-working hours.
Security policy | Name: policy_sec_marketing. Source zone: trust. Destination zone: untrust. User: marketing (marketing user group). Action: permit. Application behavior control profile: profile_app_marketing. | Marketing personnel are allowed to access the Internet. Application behavior control profile profile_app_marketing is referenced to control the application behavior of the marketing personnel.
Procedure
- Configure the IP addresses and security zones of the interfaces.
- Set an IP address for interface GigabitEthernet 0/0/1 and add the interface
to the untrust zone.
<FW> system-view
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet0/0/1] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/1
[FW-zone-untrust] quit
- Set an IP address for interface GigabitEthernet 0/0/3 and add the interface
to the trust zone.
[FW] interface GigabitEthernet 0/0/3
[FW-GigabitEthernet0/0/3] ip address 10.3.1.1 24
[FW-GigabitEthernet0/0/3] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 0/0/3
[FW-zone-trust] quit
- Create three application behavior control profiles: profile_app_research_work for R&D personnel during working
hours, profile_app_research_rest for R&D personnel during
non-working hours, and profile_app_marketing for marketing
personnel.
- Create application behavior control profile profile_app_research_work for R&D personnel in working hours.
[FW] profile type app-control name profile_app_research_work
[FW-profile-app-control-profile_app_research_work] http-control post action deny
[FW-profile-app-control-profile_app_research_work] http-control web-browse action deny
[FW-profile-app-control-profile_app_research_work] http-control proxy action deny
[FW-profile-app-control-profile_app_research_work] http-control file direction upload action deny
[FW-profile-app-control-profile_app_research_work] http-control file direction download action deny
[FW-profile-app-control-profile_app_research_work] ftp-control file direction upload action deny
[FW-profile-app-control-profile_app_research_work] ftp-control file direction download action deny
[FW-profile-app-control-profile_app_research_work] ftp-control file delete action deny
[FW-profile-app-control-profile_app_research_work] quit
- Create application behavior control profile profile_app_research_rest for R&D personnel in non-working hours.
[FW] profile type app-control name profile_app_research_rest
[FW-profile-app-control-profile_app_research_rest] http-control post action deny
[FW-profile-app-control-profile_app_research_rest] http-control web-browse action permit
[FW-profile-app-control-profile_app_research_rest] http-control proxy action permit
[FW-profile-app-control-profile_app_research_rest] http-control file direction upload action deny
[FW-profile-app-control-profile_app_research_rest] http-control file direction download action permit
[FW-profile-app-control-profile_app_research_rest] ftp-control file direction upload action deny
[FW-profile-app-control-profile_app_research_rest] ftp-control file direction download action deny
[FW-profile-app-control-profile_app_research_rest] ftp-control file delete action deny
[FW-profile-app-control-profile_app_research_rest] quit
- Create application behavior control profile profile_app_marketing for marketing personnel.
[FW] profile type app-control name profile_app_marketing
[FW-profile-app-control-profile_app_marketing] http-control post action permit
[FW-profile-app-control-profile_app_marketing] http-control post block-size 2000
[FW-profile-app-control-profile_app_marketing] http-control web-browse action permit
[FW-profile-app-control-profile_app_marketing] http-control proxy action permit
[FW-profile-app-control-profile_app_marketing] http-control file direction upload action permit
[FW-profile-app-control-profile_app_marketing] http-control file direction upload block-size 102400
[FW-profile-app-control-profile_app_marketing] http-control file direction download action permit
[FW-profile-app-control-profile_app_marketing] ftp-control file direction upload action permit
[FW-profile-app-control-profile_app_marketing] ftp-control file direction upload block-size 102400
[FW-profile-app-control-profile_app_marketing] ftp-control file direction download action permit
[FW-profile-app-control-profile_app_marketing] ftp-control file delete action permit
[FW-profile-app-control-profile_app_marketing] quit
- Create schedule working_hours covering 09:00:00
to 17:00:00 on workdays.
[FW] time-range working_hours
[FW-time-range-working_hours] period-range 09:00:00 to 17:00:00 mon tue wed thu fri
[FW-time-range-working_hours] quit
- Create schedule off_hours, covering weekends and
00:00:00 to 08:59:59 and 17:01:00 to 23:59:59 on workdays.
[FW] time-range off_hours
[FW-time-range-off_hours] period-range 00:00:00 to 23:59:59 sat sun
[FW-time-range-off_hours] period-range 00:00:00 to 08:59:59 mon tue wed thu fri
[FW-time-range-off_hours] period-range 17:01:00 to 23:59:59 mon tue wed thu fri
[FW-time-range-off_hours] quit
- Create the security policies.
- Create security policy policy_sec_research_work and reference the user, schedule, and application behavior control
profile to control the application behavior of R&D personnel during
working hours.
[FW] security-policy
[FW-policy-security] rule name policy_sec_research_work
[FW-policy-security-rule-policy_sec_research_work] source-zone trust
[FW-policy-security-rule-policy_sec_research_work] destination-zone untrust
[FW-policy-security-rule-policy_sec_research_work] user user-group /default/research
[FW-policy-security-rule-policy_sec_research_work] time-range working_hours
[FW-policy-security-rule-policy_sec_research_work] profile app-control profile_app_research_work
[FW-policy-security-rule-policy_sec_research_work] action permit
[FW-policy-security-rule-policy_sec_research_work] quit
- Repeat the preceding steps to create security policy policy_sec_research_rest and reference the user, schedule, and
application behavior control profile to control the application behavior
of R&D personnel during non-working hours.
[FW-policy-security] rule name policy_sec_research_rest
[FW-policy-security-rule-policy_sec_research_rest] source-zone trust
[FW-policy-security-rule-policy_sec_research_rest] destination-zone untrust
[FW-policy-security-rule-policy_sec_research_rest] user user-group /default/research
[FW-policy-security-rule-policy_sec_research_rest] time-range off_hours
[FW-policy-security-rule-policy_sec_research_rest] profile app-control profile_app_research_rest
[FW-policy-security-rule-policy_sec_research_rest] action permit
[FW-policy-security-rule-policy_sec_research_rest] quit
- Repeat the preceding steps to create security policy policy_sec_marketing and reference the user and application behavior
control profile to control the application behavior of marketing personnel.
[FW-policy-security] rule name policy_sec_marketing
[FW-policy-security-rule-policy_sec_marketing] source-zone trust
[FW-policy-security-rule-policy_sec_marketing] destination-zone untrust
[FW-policy-security-rule-policy_sec_marketing] user user-group /default/marketing
[FW-policy-security-rule-policy_sec_marketing] profile app-control profile_app_marketing
[FW-policy-security-rule-policy_sec_marketing] action permit
[FW-policy-security-rule-policy_sec_marketing] quit
- Commit the content security profiles.
[FW] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: App-control submitted configurations successfully.
Info: Finish committing engine compiling.
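The procedure above spreads one access policy across three objects (schedules, application behavior control profiles and security policy rules), which makes it easy to lose track of what a given request will actually get. The following Python model is an added example, not code from the original guide or from the FW product: it encodes the schedules, profiles and rules exactly as configured above and predicts the verdict for a request. Two behaviours are assumptions of the model rather than something the page states: the first matching rule wins, and a request matching no rule is denied by the default policy. The sample request times are constructed (2024-01-08 is a Monday, 2024-01-06 a Saturday). The `uncovered_seconds` check also makes visible that, because working_hours ends at 17:00:00 and off_hours resumes at 17:01:00, 59 seconds of every workday match neither schedule, so R&D traffic in that window matches no rule at all.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta

WORKDAYS = {0, 1, 2, 3, 4}   # Monday..Friday (datetime.weekday numbering)
WEEKEND = {5, 6}

# Schedules exactly as configured above: name -> [(start, end, days)]
TIME_RANGES = {
    "working_hours": [(time(9, 0, 0), time(17, 0, 0), WORKDAYS)],
    "off_hours": [
        (time(0, 0, 0), time(23, 59, 59), WEEKEND),
        (time(0, 0, 0), time(8, 59, 59), WORKDAYS),
        (time(17, 1, 0), time(23, 59, 59), WORKDAYS),
    ],
}

def in_time_range(name, when):
    """True if `when` falls inside any period of time-range `name` (bounds inclusive)."""
    return any(when.weekday() in days and start <= when.time() <= end
               for start, end, days in TIME_RANGES[name])

@dataclass
class AppControlProfile:
    """One application behavior control profile: behaviour -> permit/deny, plus
    block-size thresholds (HTTP POST in bytes, file upload in KB, as on the page)."""
    actions: dict
    block_size: dict = field(default_factory=dict)

    def check(self, behaviour, size=0):
        if self.actions.get(behaviour, "deny") == "deny":
            return "deny"
        limit = self.block_size.get(behaviour)
        return "deny" if limit is not None and size > limit else "permit"

BEHAVIOURS = ("http-post", "http-web-browse", "http-proxy", "http-upload",
              "http-download", "ftp-upload", "ftp-download", "ftp-delete")
DENY_ALL = {b: "deny" for b in BEHAVIOURS}

PROFILES = {
    "profile_app_research_work": AppControlProfile(dict(DENY_ALL)),
    "profile_app_research_rest": AppControlProfile({**DENY_ALL, "http-web-browse": "permit",
                                                    "http-proxy": "permit", "http-download": "permit"}),
    "profile_app_marketing": AppControlProfile({b: "permit" for b in BEHAVIOURS},
                                               {"http-post": 2000, "http-upload": 102400,
                                                "ftp-upload": 102400}),
}

@dataclass
class Rule:
    name: str
    user_group: str
    profile: str
    time_range: str = ""   # empty = no schedule, the rule always applies

RULES = [  # same order as the security-policy block above; first match wins (assumption)
    Rule("policy_sec_research_work", "research", "profile_app_research_work", "working_hours"),
    Rule("policy_sec_research_rest", "research", "profile_app_research_rest", "off_hours"),
    Rule("policy_sec_marketing", "marketing", "profile_app_marketing"),
]

def evaluate(user_group, behaviour, when, size=0):
    """Predict (matching rule, verdict) for a trust->untrust request.
    `when` is a datetime or an ISO string; `size` is in the unit of the relevant threshold."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    for rule in RULES:
        if rule.user_group != user_group:
            continue
        if rule.time_range and not in_time_range(rule.time_range, when):
            continue
        return rule.name, PROFILES[rule.profile].check(behaviour, size)
    return None, "deny"   # no rule matched: the FW's default policy denies (assumption)

def uncovered_seconds(day):
    """Seconds of `day` covered by neither schedule, i.e. where no R&D rule matches."""
    day = date.fromisoformat(day) if isinstance(day, str) else day
    base = datetime.combine(day, time(0, 0, 0))
    return sum(1 for s in range(86400)
               if not any(in_time_range(n, base + timedelta(seconds=s)) for n in TIME_RANGES))

if __name__ == "__main__":
    # Constructed sample requests; 2024-01-08 is a Monday, 2024-01-06 a Saturday.
    for args in [("research", "http-download", "2024-01-08T10:00:00"),
                 ("research", "http-download", "2024-01-08T20:00:00"),
                 ("research", "ftp-download", "2024-01-06T12:00:00"),
                 ("marketing", "http-post", "2024-01-08T10:00:00", 2500),
                 ("marketing", "ftp-upload", "2024-01-08T10:00:00", 102401),
                 ("research", "http-web-browse", "2024-01-08T17:00:30")]:
        print(args, "->", evaluate(*args))
    print("seconds of a workday matched by neither schedule:", uncovered_seconds("2024-01-08"))
```

Run it as a script to see one verdict per sample request. Whether the FW treats the period-range end bound as inclusive and how it handles a request that matches no rule should be confirmed on the device; the model only makes those assumptions explicit so that the expected outcome of each verification test is written down before the test is run.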
Configuration Verification
After the configuration is complete, verify the HTTP and FTP permissions on the PCs of the R&D personnel and marketing personnel. If the results meet the requirements, the application behavior control profiles and security policies have been applied successfully. Otherwise, check and correct the configuration of the application behavior control profiles and security policies.
Configuration Scripts
The following lists the scripts related to this configuration example.
#
sysname FW
#
time-range off_hours
period-range 00:00:00 to 23:59:59 off-day
period-range 00:00:00 to 08:59:59 working-day
period-range 17:01:00 to 23:59:59 working-day
time-range working_hours
period-range 09:00:00 to 17:00:00 working-day
#
interface GigabitEthernet0/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
undo shutdown
ip address 10.3.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
profile type app-control name profile_app_research_work
http-control web-browse action deny
http-control proxy action deny
http-control post action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
profile type app-control name profile_app_research_rest
http-control post action deny
http-control file direction upload action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
profile type app-control name profile_app_marketing
http-control post block-size 2000
http-control file direction upload block-size 102400
ftp-control file direction upload block-size 102400
#
security-policy
rule name policy_sec_research_work
source-zone trust
destination-zone untrust
user user-group /default/research
time-range working_hours
profile app-control profile_app_research_work
action permit
rule name policy_sec_research_rest
source-zone trust
destination-zone untrust
user user-group /default/research
time-range off_hours
profile app-control profile_app_research_rest
action permit
rule name policy_sec_marketing
source-zone trust
destination-zone untrust
user user-group /default/marketing
profile app-control profile_app_marketing
action permit
#
return
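The verification section says to check and correct the configuration when a test fails; two errors that are easy to make in a script of this shape are a rule that references a profile or time-range that was never defined, and a rule for an intranet user group written with the zones the wrong way round, which then matches no egress traffic at all. The following Python lint is an added example, not part of the original guide or of the FW product. It parses the time-range, profile and security-policy blocks of a script in the format listed above and reports both problems. The sample script is constructed for this example: it deliberately omits the definition of profile_app_marketing and inverts the zones of the marketing rule, so the lint has two findings to report. The set of intranet user groups to check is passed in as a parameter (an assumption of the example, not a FW concept).

```python
import re

# Constructed sample in the format of the configuration script above. It is
# intentionally incomplete and carries an inverted zone pair in its last rule.
SAMPLE_SCRIPT = """\
#
time-range working_hours
 period-range 09:00:00 to 17:00:00 working-day
#
profile type app-control name profile_app_research_work
 http-control post action deny
#
security-policy
 rule name policy_sec_research_work
  source-zone trust
  destination-zone untrust
  user user-group /default/research
  time-range working_hours
  profile app-control profile_app_research_work
  action permit
 rule name policy_sec_marketing
  source-zone untrust
  destination-zone trust
  user user-group /default/marketing
  profile app-control profile_app_marketing
  action permit
#
"""

def parse_script(text):
    """Collect defined time-ranges and app-control profiles, and the security-policy rules."""
    defined = {"time-range": set(), "profile": set()}
    rules = []
    current = None              # the rule whose lines we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":         # block separator: we are no longer inside a rule
            current = None
            continue
        if line.startswith("rule name "):
            current = {"name": line.split(None, 2)[2]}
            rules.append(current)
            continue
        if current is not None:
            m = re.match(r"(source-zone|destination-zone|time-range|user|action) (.+)", line)
            if m:
                current[m.group(1)] = m.group(2)
                continue
            m = re.match(r"profile app-control (\S+)", line)
            if m:
                current["profile"] = m.group(1)
                continue
        m = re.match(r"time-range (\S+)$", line)
        if m and current is None:
            defined["time-range"].add(m.group(1))
        m = re.match(r"profile type app-control name (\S+)", line)
        if m:
            defined["profile"].add(m.group(1))
    return defined, rules

def lint(text, intranet_groups=("/default/research", "/default/marketing")):
    """Return a list of findings: dangling references and inverted zones on intranet rules."""
    defined, rules = parse_script(text)
    findings = []
    for r in rules:
        if "time-range" in r and r["time-range"] not in defined["time-range"]:
            findings.append(f"{r['name']}: time-range {r['time-range']} is not defined")
        if "profile" in r and r["profile"] not in defined["profile"]:
            findings.append(f"{r['name']}: app-control profile {r['profile']} is not defined")
        group = r.get("user", "").replace("user-group ", "")
        zones = (r.get("source-zone"), r.get("destination-zone"))
        if group in intranet_groups and zones != ("trust", "untrust"):
            findings.append(f"{r['name']}: intranet user rule should be trust -> untrust, "
                            f"found {zones[0]} -> {zones[1]}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_SCRIPT):
        print(finding)
```

Paste the output of a display of the current configuration into `SAMPLE_SCRIPT` (or read it from a file) to run the same checks against a real script. The parser only knows the keywords used in this example, so a rule with other match conditions still parses but those conditions are not inspected.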