
CLI: Configuring the Google Account Control Function

Networking Requirements

As shown in Figure 1, the FW is deployed as a gateway at the network edge of an enterprise. The enterprise wants employees to log in to Google services only with specified enterprise accounts, not with their personal accounts. To achieve this, configure the Google account control function on the FW. Because Google services run over HTTPS, the FW must also decrypt the traffic before it can act on the login requests.

Figure 1 Configuring the Google Account Control Function

Configuration Roadmap

  1. Set IP addresses for interfaces and assign the interfaces to security zones.
  2. Create the URL filtering profile google_account and configure the Google account control function.
  3. Configure the security policy and reference the URL filtering profile google_account.
  4. Configure SSL-encrypted traffic detection to decrypt HTTPS traffic.
    • Configure the SSL decryption certificate, export it, and install it as a trusted certificate on the intranet PCs.
    • Optional: Import the CA certificate of the certificate authority trusted by the enterprise and specify the imported CA certificate as the server CA certificate. The FW checks whether the server certificate is trusted based on the server CA certificate.

      Note that over 100 common server CA certificates have been preset on the FW by default, which can be used to verify most server certificates. Generally, these default CA certificates are enough and you do not need to import other CA certificates. In some cases, however, if the preset CA certificates cannot verify the peer server certificates, you need to import other CA certificates. This section describes how to import a CA certificate as a configuration step.

    • Configure the detection profile and SSL-encrypted traffic detection policy.

Procedure

  1. Configure IP addresses for interfaces and assign interfaces to security zones.

    1. Set an IP address for GE0/0/1 and assign the interface to the Untrust zone.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW-GigabitEthernet0/0/1] quit
      [FW] firewall zone untrust
      [FW-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW-zone-untrust] quit
    2. Set an IP address for GE0/0/2 and assign the interface to the Trust zone.

      [FW] interface GigabitEthernet 0/0/2
      [FW-GigabitEthernet0/0/2] ip address 10.3.0.1 24
      [FW-GigabitEthernet0/0/2] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/2
      [FW-zone-trust] quit

  2. Create the URL filtering profile google_account and configure the Google account control function. The domain added with add header content is the enterprise domain whose accounts are allowed to log in.

    [FW] web-apps-control type restrict-google-account name google
    [FW-restrict-google-account-google] add header content huawei.com 
    [FW-restrict-google-account-google] quit 
    [FW] profile type url-filter name google_account
    [FW-profile-url-filter-google_account] restrict-google-account name google
    [FW-profile-url-filter-google_account] quit

  3. Configure the security policy and reference the URL filtering profile google_account.

    [FW] security-policy
    [FW-policy-security] rule name secpolicy-trust2untrust
    [FW-policy-security-rule-secpolicy-trust2untrust] source-zone trust
    [FW-policy-security-rule-secpolicy-trust2untrust] destination-zone untrust
    [FW-policy-security-rule-secpolicy-trust2untrust] source-address 10.3.0.1 mask 255.255.255.0
    [FW-policy-security-rule-secpolicy-trust2untrust] service https
    [FW-policy-security-rule-secpolicy-trust2untrust] profile url-filter google_account
    [FW-policy-security-rule-secpolicy-trust2untrust] action permit
    [FW-policy-security-rule-secpolicy-trust2untrust] quit
    [FW-policy-security] quit

  4. Configure an SSL decryption certificate and import and install the SSL decryption certificates on an intranet PC.
    1. Configure an RSA key pair for the SSL decryption certificate.

      [FW] pki rsa built-in-ca ssl-server-ca create exportable
       Info: The name of the new key-pair will be: ssl-server-ca
       The size of the public key ranges from 2048 to 4096.
       Input the bits in the modules:2048
       Generating key-pairs...
      ............................................+++
      ...................................................+++

    2. Create a PKI entity.

      [FW] pki entity ssl-server-ca
      [FW-pki-entity-ssl-server-ca] common-name ssl-server-ca
      [FW-pki-entity-ssl-server-ca] fqdn www.example.com
      [FW-pki-entity-ssl-server-ca] locality trust-Network
      [FW-pki-entity-ssl-server-ca] country CN
      [FW-pki-entity-ssl-server-ca] quit

    3. Generate an SSL decryption certificate and mark it as trusted.

      [FW] pki generate built-in-ca certificate rsa-key-pair ssl-server-ca entity ssl-server-ca
       Please enter the file name for built in CA certificate <length 1-64>: ssl-server-ca.cer
       Info: Generate built in CA certificate successfully.
      [FW] pki import-certificate built-in-ca filename ssl-server-ca.cer
       Info: Succeeded in importing the built in CA certificate. 
      [FW] app-proxy built-in-ca trust filename ssl-server-ca.cer

    4. Export the trusted certificate and key pair.

      [FW] pki export built-in-ca rsa-key-pair ssl-server-ca and-certificate ssl-server-ca.cer pem ssl-server-ca.pem password Mypassword@123
      [FW] quit

      The password specified here protects the private key in the exported file, and you must enter it when installing the certificate later. Note that the exported PEM file contains the private key of the decryption CA, not only the certificate: anyone who obtains it can issue certificates that every PC trusting this CA will accept. Distribute the file over a trusted channel, delete it from shared locations after installation, and keep the password out of scripts and chat logs.

    5. Use FTP to download the exported certificate file, send it to intranet users, and require the users to install it on their PCs as a trusted certificate. For how to install the trusted certificate, see Installing an SSL Decryption Certificate on a Client. If the certificate is not installed, browsers on the PCs will not trust the certificates the FW presents for decrypted sites, and normal access may be blocked.
  5. Optional: Import the CA certificates of the certificate authorities that the enterprise trusts and specify them for server certificate verification.
    1. Download the CA certificate to the FW. In this example, the FW acts as an FTP client. FTP transfers the file in plaintext; the file is a public CA certificate, so confidentiality is not a concern, but the FW will trust this CA for server verification, so confirm the certificate fingerprint with the issuing authority after the transfer.

      <FW> ftp 10.3.0.100
      Trying 10.3.0.100...
      Press CTRL+K to abort
      Connected to 10.3.0.100.
      220 FTP service ready.
      User(10.3.0.100:(none)):ftpuser
      331 Password required for ftpuser
      Enter password:
      230 User logged in.
      [ftp] get server_ca.cer
      200 Port command okay.
      150 Opening ASCII mode data connection for server_ca.cer.
      226 Transfer complete.
      FTP: 393 byte(s) received in 8.190 second(s) .48byte(s)/sec.
      [ftp] bye

    2. Import the CA certificate to the memory.

      <FW> system-view
      [FW] pki import-certificate ca der filename server_ca.cer

    3. Specify the CA certificate used by the FW to verify the server certificate.

      [FW] app-proxy ca trust filename server_ca.cer

  6. Configure an SSL-encrypted traffic detection profile.

    [FW] profile type decryption name proxy
    [FW-profile-decryption-profile-proxy] detect type outbound
    [FW-profile-decryption-profile-proxy] quit

  7. Configure an SSL-encrypted traffic detection policy.

    [FW] decryption-policy
    [FW-policy-decryption] rule name proxy
    [FW-policy-decryption-rule-proxy] source-zone trust
    [FW-policy-decryption-rule-proxy] destination-zone untrust
    [FW-policy-decryption-rule-proxy] source-address 10.3.0.1 mask 255.255.255.0
    [FW-policy-decryption-rule-proxy] service https
    [FW-policy-decryption-rule-proxy] action decrypt profile proxy
    [FW-policy-decryption-rule-proxy] quit
    [FW-policy-decryption] quit

  8. Commit the configuration.

    [FW] engine configuration commit
    Info: The operation may last for several minutes, please wait.
    Info: URL submitted configurations successfully.
    Info: Finish committing engine compiling.
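
The configuration above works by having the FW decrypt HTTPS requests from 10.3.0.0/24 to Google and insert an allowed-domains request header carrying the value set with add header content. The following Python script is an added illustration of that behaviour, not Huawei code and not taken from this page: it mirrors the decryption policy match (trust to untrust, 10.3.0.0/24, https) and the header insertion on a constructed request. The page does not name the header; the name X-GoogApps-Allowed-Domains is Google's documented mechanism for restricting consumer accounts and is used here as an assumption, as is the list of Google host suffixes.

```python
# Added illustration (not Huawei code) of what the FW does to a decrypted
# Google request after "add header content huawei.com".
# Assumptions: the header name is Google's documented
# X-GoogApps-Allowed-Domains (the page itself does not name it), and the
# host suffixes below approximate the Google services covered.
import ipaddress

ALLOWED_DOMAINS = ["huawei.com"]              # value from "add header content huawei.com"
HEADER = "X-GoogApps-Allowed-Domains"         # assumed header name (see above)
GOOGLE_HOSTS = ("google.com", "googleapis.com", "gmail.com", "youtube.com")  # assumed
DECRYPT_SRC = ipaddress.ip_network("10.3.0.0/24")  # source-address 10.3.0.1 mask 255.255.255.0


def matches_policy(src_ip: str, src_zone: str, dst_zone: str, dst_port: int) -> bool:
    """Mirror rule 'proxy' / 'secpolicy-trust2untrust': trust -> untrust, 10.3.0.0/24, https."""
    return (src_zone == "trust" and dst_zone == "untrust"
            and ipaddress.ip_address(src_ip) in DECRYPT_SRC and dst_port == 443)


def is_google_host(host: str) -> bool:
    """Exact or subdomain match only; 'google.com.evil.com' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GOOGLE_HOSTS)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into request line, (name, value) headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def serialize(request_line, headers, body) -> bytes:
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def restrict_google_account(raw: bytes) -> bytes:
    """Insert (or overwrite) the allowed-domains header on requests to Google hosts."""
    request_line, headers, body = parse_request(raw)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    if not is_google_host(host):
        return raw
    # Drop any client-supplied copy so a user cannot pre-empt the FW's value.
    headers = [(n, v) for n, v in headers if n.lower() != HEADER.lower()]
    headers.append((HEADER, ",".join(ALLOWED_DOMAINS)))
    return serialize(request_line, headers, body)


def header_value(raw: bytes, name: str):
    """Return the value of header `name` in a raw request, or None."""
    _, headers, _ = parse_request(raw)
    return next((v for n, v in headers if n.lower() == name.lower()), None)


# Constructed sample requests (not captured traffic). The first one carries a
# header value the user set herself, which the FW must replace.
GOOGLE_REQ = (b"GET /ServiceLogin HTTP/1.1\r\nHost: accounts.google.com\r\n"
              b"X-GoogApps-Allowed-Domains: gmail.com\r\n\r\n")
OTHER_REQ = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    if matches_policy("10.3.0.50", "trust", "untrust", 443):
        print(restrict_google_account(GOOGLE_REQ).decode())
    print(restrict_google_account(OTHER_REQ).decode())
```

The overwrite step is the security-relevant detail: the FW's value must win over anything the client sends, otherwise a user could pre-set the header to allow her own domain. Requests to non-Google hosts pass through untouched, which is why the decryption policy can stay scoped to service https without breaking other sites.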

Verification

  1. When enterprise users log in to Google services with their personal accounts, a message is displayed indicating that the service is inaccessible. When they log in with accounts ending in huawei.com, the login succeeds.

  2. Check the URL logs (URL/4/FILTER). Blocked logins appear as logs whose type field is Restrict google account.

Configuration Scripts

#
sysname FW
#
 app-proxy built-in-ca trust filename ssl-server-ca.cer
 app-proxy ca trust filename server_ca.cer
#
pki entity ssl-server-ca
 common-name ssl-server-ca
 fqdn www.example.com
 locality trust-Network
 country CN
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
web-apps-control type restrict-google-account name google
 add header content huawei.com
#
profile type url-filter name google_account
 restrict-google-account name google
#
security-policy
 rule name secpolicy-trust2untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.1 mask 255.255.255.0
  service https
  profile url-filter google_account
  action permit
#
profile type decryption name proxy
  detect type outbound
#
decryption-policy
 rule name proxy
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.1 mask 255.255.255.0
  service https
  action decrypt profile proxy
#
return
Copyright © Huawei Technologies Co., Ltd.