This section describes how to configure application behavior control.
The FW has a default profile named default for application behavior control, which defines the default action for each application behavior, as shown in the following table. You cannot modify or delete the default profile.
You can run the display profile type app-control name default command on the CLI to view the configuration information about the default profile. If you use the CLI to reference the default profile in a security policy, you must enter the complete profile name (such as default). Otherwise, the profile fails to be referenced. To view the configuration result, run the display current-configuration command. The output shows that the security policy references the default profile, but the configuration information about the default profile is not displayed.

| Name | Protocol | Application Behavior | Default Action |
|---|---|---|---|
| default | HTTP | POST | Permit |
| default | HTTP | Web Browsing | Permit |
| default | HTTP | Proxy | Permit |
| default | HTTP | File Upload | Deny |
| default | HTTP | File Download | Permit |
| default | FTP | File Upload | Permit |
| default | FTP | File Download | Permit |
| default | FTP | File Deletion | Permit |
| default | IM | Login to QQ | Permit |

The FW supports user-defined profiles. You can specify the action for each protocol. To implement differentiated management of application behavior, you need to configure multiple application behavior control profiles. Set the parameters in each profile according to your requirements on application behavior control.
description description

| Controlled Item | Command |
|---|---|
| Control HTTP POST operations. | http-control post action { permit \| deny } |
| Control the content size of HTTP POST operations. | http-control post { alert-size alert-size \| block-size block-size } * |
| Control HTTP web page browsing behavior. | http-control web-browse action { permit \| deny } |
| Control HTTP proxy-based Internet access behavior. | http-control proxy action { permit \| deny } |
| Control HTTP-based file upload and download behavior. | http-control file direction { upload \| download } action { permit \| deny } |
| Control the size of files uploaded or downloaded through HTTP. | http-control file direction { upload \| download } { alert-size alert-size \| block-size block-size } * |

| Controlled Item | Command |
|---|---|
| Control FTP-based file upload and download behavior. | ftp-control file direction { upload \| download } action { permit \| deny } |
| Control the size of files uploaded or downloaded through FTP. | ftp-control file direction { upload \| download } { alert-size alert-size \| block-size block-size } * |
| Control FTP-based file deletion behavior. | ftp-control file delete action { permit \| deny } |

| Controlled Item | Command |
|---|---|
| Control QQ login behavior. | im-control qq action { permit \| deny } |
| Configure QQ account blacklists or whitelists. | im-control qq account { blacklist \| whitelist } account |

For details on how to configure the security policy, see Configuring a Security Policy.
The new or modified security profile does not take effect until you run the engine configuration commit command to commit the configuration. To save time, you can submit the configuration after all operations on the profile are complete.
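The following Python check is an added example, not part of the original page and not Huawei tooling. It parses the command lines of a user-defined profile using the syntax from the command tables above and reports where the explicit actions are looser or stricter than the default profile, which size limits are set, and which lines do not match any listed command. The sample profile, its size values, the QQ account and all function and variable names are constructed for illustration.

```python
import re

# Default actions from this page's default-profile table, keyed by command prefix.
DEFAULT = {
    "http-control post": "permit",
    "http-control web-browse": "permit",
    "http-control proxy": "permit",
    "http-control file direction upload": "deny",
    "http-control file direction download": "permit",
    "ftp-control file direction upload": "permit",
    "ftp-control file direction download": "permit",
    "ftp-control file delete": "permit",
    "im-control qq": "permit",
}
# Per the command tables, only POST and file upload/download take size limits.
SIZED = {k for k in DEFAULT if k.endswith("post") or "direction" in k}
SIZE = r"(?:alert|block)-size \d+"
CMD = re.compile(rf"^(\S+-control .+?) (action (?:permit|deny)|{SIZE}(?: {SIZE})?)$")
ACCOUNT = re.compile(r"^im-control qq account (?:blacklist|whitelist) \S+$")

def audit(profile_text):
    """Compare a profile's explicit settings with the default profile."""
    report = {"looser": [], "stricter": [], "limits": {}, "unknown": []}
    for raw in profile_text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("description ") or ACCOUNT.match(line):
            continue  # descriptions and account lists carry no permit/deny action
        m = CMD.match(line)
        item, setting = (m[1], m[2].split()) if m else (None, [])
        if item not in DEFAULT or (setting[0] != "action" and item not in SIZED):
            report["unknown"].append(line)  # not in the page's command tables
        elif setting[0] == "action":
            if setting[1] != DEFAULT[item]:
                key = "looser" if setting[1] == "permit" else "stricter"
                report[key].append(item)
        else:
            report["limits"][item] = dict(zip(setting[::2], map(int, setting[1::2])))
    return report

# Constructed sample; size values are arbitrary (unit not stated on this page), last line is a typo.
SAMPLE = """\
description constructed sample profile
http-control proxy action deny
http-control file direction upload action permit
http-control file direction upload alert-size 1024 block-size 4096
ftp-control file delete action deny
im-control qq account blacklist 10001
http-control upload action deny
"""
```

Calling audit(SAMPLE) flags the HTTP upload permit as looser than the default, the proxy and FTP deletion denials as stricter, and the mistyped last line as unknown.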
After configuring the application behavior control profile, adjust it as follows: