
Configuring an Audit Policy

The audit profile must be referenced in an audit policy for the profile to take effect. This section describes how to configure an audit policy.

Prerequisites

The audit profile configuration has been completed.

Context

Before configuring an audit policy, plan the policy as follows:

  • Determine the traffic that must be audited according to the matching conditions in the policy.
  • Determine the audit profile to be referenced in the policy for the audit function.

Procedure

  1. Access the audit policy view from the system view.

    audit-policy

  2. Create an audit policy rule and access the audit policy rule view.

    In the command line, an audit policy is expressed as a rule; in this topic, "audit policy rule" and "audit policy" therefore refer to the same object.

    rule name rule-name

  3. Optional: Configure a description for the audit policy rule.

    description description

    The description must be clearly specified, so that an administrator can easily find and maintain the policy.

  4. Optional: Configure a tag for the policy.

    add tag tag-name

    After policies reference tags, you can query policies based on tags and delete, move, enable, or disable policies in batches based on query results. For the tag description and configuration, see Tag.

  5. Define the match conditions of the audit policy.

    • Audit policies are processed from top to bottom. If the traffic matches a policy, the remaining policies are ignored. Therefore, policies must be configured in order from the most specific to the least specific.

    • Each policy contains multiple matching conditions, such as security zones and interfaces. The traffic matches a policy only if the attributes of the traffic meet all the conditions defined in the policy. By default, every condition is set to any, in which case all traffic matches the policy.

    • Each condition in a policy can have multiple values. If the traffic matches any one of the values in a condition, it meets that condition.

    The following table lists each match condition (Function) and the command that sets it (Command).

    Function: Set the source security zone.
    Command: source-zone { zone-name &<1-6> | any }

    Function: Set the destination security zone.
    Command: destination-zone { zone-name &<1-6> | any }

    Function: Set the source IP address and region.
    Commands:
    • source-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | ipv6-address ipv6-prefix-length [ description description ] | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } [ description description ] | geo-location geo-location-name &<1-6> | geo-location-set geo-location-set-name &<1-6> | mac-address &<1-6> | domain-set domain-set-name &<1-6> | any }
    • source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]

    Function: Set the destination IP address and region.
    Commands:
    • destination-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | ipv6-address ipv6-prefix-length [ description description ] | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } [ description description ] | geo-location geo-location-name &<1-6> | geo-location-set geo-location-set-name &<1-6> | mac-address &<1-6> | domain-set domain-set-name &<1-6> | any }
    • destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]

    Function: Set a user, user group, or security group.
    Command: user { username user-name &<1-6> | user-group user-group-name &<1-6> | security-group security-group-name &<1-6> | any }

    Users and user groups reflect the horizontal organizational structure. Users and security groups reflect the vertical organizational structure. You can configure users and user groups based on company departments, or add users from different departments to one security group for management.

    Function: Configure a service (by referencing a service or service group).

    Function: Configure a service (by referencing a TCP/UDP port or IP-layer protocol).
    Commands:
    • service protocol { { 132 | sctp } | { 6 | tcp } | { 17 | udp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *
    • service protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]
    • service protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]
    • service protocol protocol-number
    • service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *
    • service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]
    • service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]
    • service-exclude protocol protocol-number

    Function: Specify the validity period of the policy.
    Command: time-range time-range-name

  6. Configure an action in the audit policy.

    action { audit profile audit-profile | no-audit }

  7. Optional: Commit the audit profile.

    engine configuration commit

    After creating, modifying, or deleting an audit profile, commit the configuration so that the audit profile, and any audit policy that references it, takes effect.
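    The matching semantics from step 5 (first match wins from top to bottom, every condition must hold, a condition holds when any one of its values matches, and an exclude list removes matches) are easy to get wrong when ordering rules. The following Python model is an added example, not Huawei code; the rule names, zones, addresses, profile names and the "tcp/port" service notation are constructed for illustration.

```python
# Added example (not Huawei's code): a model of the audit policy matching
# semantics from step 5. Rules are evaluated top to bottom and the first rule
# whose conditions ALL hold decides the action. A condition holds when ANY of
# its values matches, "any" matches everything, and an exclude list removes
# addresses that would otherwise match.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str  # "audit profile <name>" or "no-audit", as in step 6
    source_zone: set = field(default_factory=lambda: {"any"})
    destination_zone: set = field(default_factory=lambda: {"any"})
    source_address: set = field(default_factory=lambda: {"any"})
    source_address_exclude: set = field(default_factory=set)
    service: set = field(default_factory=lambda: {"any"})  # constructed "tcp/80" style


def _addr_in(addr, nets):
    return any(ip_address(addr) in ip_network(n, strict=False) for n in nets)


def condition_holds(values, excludes, value, is_addr=False):
    """Any-of match over the condition's values; excludes take precedence."""
    if is_addr:
        if _addr_in(value, excludes):
            return False
        return "any" in values or _addr_in(value, values)
    return "any" in values or value in values


def match(rules, flow):
    """Return (rule name, action) of the first matching rule, or None."""
    for r in rules:
        if (condition_holds(r.source_zone, set(), flow["src_zone"])
                and condition_holds(r.destination_zone, set(), flow["dst_zone"])
                and condition_holds(r.source_address, r.source_address_exclude,
                                    flow["src_ip"], is_addr=True)
                and condition_holds(r.service, set(), flow["service"])):
            return r.name, r.action
    return None


# Constructed sample policy: most specific rule first, catch-all last.
RULES = [
    Rule("audit_web_from_trust", "audit profile audit_web",
         source_zone={"trust"}, destination_zone={"untrust"},
         source_address={"10.1.0.0/16"}, source_address_exclude={"10.1.99.0/24"},
         service={"tcp/80", "tcp/443"}),
    Rule("no_audit_servers", "no-audit", source_zone={"dmz"}),
    Rule("default_audit", "audit profile audit_all"),
]
```

    Moving the catch-all rule to the top (as rule move ... top would) makes every flow hit it, which is why the ordering rule in step 5 matters.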

Follow-up Procedure

After configuring audit policy rules, you can perform the following operations to modify them:

  • Run the rule move rule-name1 { { after | before } rule-name2 | up | down | top | bottom } command in the audit policy view to move an audit policy rule.
  • Run the rule copy rule-name new-rule-name command in the audit policy view to copy an audit policy rule.
  • Run the rule rename old-name new-name command in the audit policy view to rename an audit policy rule.
  • Run the enable or disable command in the audit policy rule view to enable or disable the current audit policy rule.
Copyright © Huawei Technologies Co., Ltd.