
Configuring the Audit Profile

This section describes how an audit profile logs the Internet access of intranet users by enabling the audit of HTTP, FTP, mail sending and receiving, and IM activities.

Context

When you configure the audit profile, select the traffic attributes that match your actual situation.

  • To log and audit non-work-related behavior, you can choose to record URL access, titles of the accessed web pages, BBS posts and microblogs, HTTP search keywords, HTTP status codes, file uploads through HTTP and FTP, and QQ accounts with their login and logout times.
  • To log and audit behavior that leads to data leaks, select the attributes that instruct the device to log BBS posts, microblogs, file uploads through HTTP and FTP, and QQ accounts with their login and logout times.

By default, the FW does not audit any HTTP, FTP, mail sending and receiving or IM activities.

Procedure

  1. Create an audit profile in the system view and access the audit profile view.

    profile type audit name name

  2. Optional: Configure a description for the audit profile.

    description description

    The description must be clearly specified, so that an administrator can easily find and maintain the profile.

  3. Set audit parameters.

    Function and command, grouped by audit type:

    HTTP behavior audit

      • Audit HTTP access URLs.

        http-audit url { pre-defined sub-category-id sub-category-id | user-defined category-name category-name | all }

        NOTE: After specifying the URL category to be audited by using the http-audit url { pre-defined sub-category-id sub-category-id | user-defined category-name category-name } command, you can use the http-audit url category-exclude-mode command to enable the excluded audit mode. The FW then audits all URLs except those in the specified URL category.

      • Record web page titles for audited URLs.

        http-audit url recorded-title

      • Audit the content of BBS posts.

        http-audit bbs-content [ accurate-identify ]

      • Audit the content of micro-blog posts.

        http-audit micro-blog

      • Audit search keywords.

        http-audit search-keyword

      • Audit HTTP-based file upload or download behavior.

        http-audit file direction { upload | download | both }

      • Audit the HTTP status code.

        http-audit status-code

    FTP behavior audit

      • Audit the commands executed through FTP.

        ftp-audit command

      • Audit FTP-based file upload or download behavior.

        ftp-audit file direction { upload | download | both }

    Mail behavior audit

      • Audit mail sending and receiving behavior.

        mail-audit { send | receive }

    IM behavior audit

      • Audit QQ login or logout behavior.

        im-audit qq { online | offline | both }

      • Audit IM file transfer behavior.

        im-audit file-transfer

    Bank reminder system audit

      • Audit behavior in the bank reminder system.

        brd-audit operate

    Virtual identity information audit

      • Audit the accounts for logging in to websites, mailboxes, or applications.

        virtual-identity-audit record

  4. Optional: In the system view, configure the audit of a specific HTTP status code.

    In the default mode, HTTP status code audit covers only common HTTP status codes.

    To audit a specific HTTP status code, run the audit status-code custom-mode command to set the HTTP status code audit mode to the user-defined mode and then run the audit status-code status-code command to configure the audit of the specific HTTP status code.

  5. Optional: In the system view, enable the function of generating audit logs when sessions are blocked.

    audit session-block log enable

  6. In the system view, commit the configuration.

    engine configuration commit

    The new or modified audit profile does not take effect until you run the engine configuration commit command to commit the configuration. To save time, you can commit the configuration once, after all operations on the profile are complete.
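
A complete command sequence for the data-leak case described under Context, as an added example that is not taken from the original documentation. The profile name audit_data_leak and the description text are assumed values, the quit command used to return to the system view is an assumption not shown on this page, and lines starting with # are annotations rather than commands.

```text
# Start in the system view. Create the profile and enter the audit profile view.
profile type audit name audit_data_leak

# Optional description so that the profile's purpose is obvious later (assumed text).
description data-leak-audit

# Outbound content channels named in the data-leak bullet under Context:
# BBS posts and microblogs.
http-audit bbs-content
http-audit micro-blog

# File uploads through HTTP and FTP. Only the upload direction is audited,
# because the concern is data leaving the intranet.
http-audit file direction upload
ftp-audit file direction upload

# QQ account with login and logout time: audit both online and offline events.
im-audit qq both

# Return to the system view (assumed navigation command, not from this page).
quit

# Nothing above takes effect until the configuration is committed.
engine configuration commit
```

URL auditing, search keywords, and status codes are left out on purpose: the Context section lists them only for the non-work-related behavior case, so omitting them keeps the log volume tied to the data-leak objective.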

Follow-up Procedure

After configuring the audit profile, adjust it as follows:

  • Run the rename new-name command in the audit profile view to rename the profile.
  • In the system view, run the profile type audit copy old-name [ new-name ] command to create a profile by copying an existing one.
Copyright © Huawei Technologies Co., Ltd.