
CLI: Example for Configuring the Audit Function

This section provides the networking requirements and a step-by-step procedure for configuring the audit function. After the audit function is enabled, Internet access activities are logged for future audits and analysis.

Networking Requirements

As shown in Figure 1, the FW serves as the gateway at the border of an enterprise network. Log the Internet access behavior of employees by configuring the audit function.

The employees of the enterprise are either R&D personnel or marketing personnel. The requirements are as follows:

  • Log non-work-related Internet access behavior of R&D personnel during working hours (09:00:00 to 17:00:00). This behavior includes URL access, BBS posting, microblogging, and file upload and download over HTTP and FTP.
  • Log email transmission and file upload activities, as well as HTTP and FTP upload and download activities, of marketing personnel.

Figure 1 Networking for configuring the audit function

Configuration Roadmap

  1. Set the interface IP address and add the interface to a security zone.
  2. Configure one audit profile specific to R&D personnel and another specific to marketing personnel. Audit HTTP, FTP, and mail behavior.
  3. Configure two audit policies, reference the preceding profiles in the policies, and apply the policies to the trust -> untrust interzone.

Procedure

  1. Set the interface IP address and add the interface to a security zone.
    1. Set an IP address for interface GigabitEthernet 0/0/1 and assign the interface to the untrust zone.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW-GigabitEthernet0/0/1] quit
      [FW] firewall zone untrust
      [FW-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW-zone-untrust] quit

    2. Set an IP address for interface GigabitEthernet 0/0/3 and add the interface to the trust zone.

      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
      [FW-GigabitEthernet0/0/3] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/3
      [FW-zone-trust] quit

  2. Configure the schedule.

    [FW] time-range time_range
    [FW-time-range-time_range] period-range 09:00:00 to 17:00:00 daily
    [FW-time-range-time_range] quit

  3. Configure an audit profile for R&D personnel.

    After you have specified the interface IP addresses, security zones, and schedule, log in to the FW with the audit administrator account and complete the configuration related to the audit function.

    [FW] profile type audit name profile_audit_1
    [FW-profile-audit-profile_audit_1] description Profile of auditing for research. 
    [FW-profile-audit-profile_audit_1] http-audit url all
    [FW-profile-audit-profile_audit_1] http-audit url recorded-title
    [FW-profile-audit-profile_audit_1] http-audit file direction download
    [FW-profile-audit-profile_audit_1] ftp-audit file direction download
    [FW-profile-audit-profile_audit_1] http-audit bbs-content
    [FW-profile-audit-profile_audit_1] http-audit micro-blog
    [FW-profile-audit-profile_audit_1] quit

  4. Configure an audit profile for marketing personnel.

    [FW] profile type audit name profile_audit_2
    [FW-profile-audit-profile_audit_2] description Profile of auditing for marketing.
    [FW-profile-audit-profile_audit_2] http-audit url all
    [FW-profile-audit-profile_audit_2] http-audit file direction both
    [FW-profile-audit-profile_audit_2] ftp-audit file direction both
    [FW-profile-audit-profile_audit_2] mail-audit send
    [FW-profile-audit-profile_audit_2] mail-audit receive
    [FW-profile-audit-profile_audit_2] quit

  5. Configure an audit policy for R&D personnel and reference the corresponding audit profile.

    In this example, the user group for research (R&D personnel) that the policy references has already been created.

    [FW] audit-policy
    [FW-policy-audit] rule name policy_audit_1
    [FW-policy-audit-rule-policy_audit_1] description Policy of auditing for research.
    [FW-policy-audit-rule-policy_audit_1] source-zone trust
    [FW-policy-audit-rule-policy_audit_1] destination-zone untrust
    [FW-policy-audit-rule-policy_audit_1] user user-group /default/research
    [FW-policy-audit-rule-policy_audit_1] time-range time_range
    [FW-policy-audit-rule-policy_audit_1] action audit profile profile_audit_1
    [FW-policy-audit-rule-policy_audit_1] quit

  6. Configure an audit policy for marketing personnel and reference the corresponding audit profile.

    In this example, the user group for marketing (marketing personnel) that the policy references has already been created.

    [FW-policy-audit] rule name policy_audit_2
    [FW-policy-audit-rule-policy_audit_2] description Policy of auditing for marketing.
    [FW-policy-audit-rule-policy_audit_2] source-zone trust
    [FW-policy-audit-rule-policy_audit_2] destination-zone untrust
    [FW-policy-audit-rule-policy_audit_2] user user-group /default/marketing
    [FW-policy-audit-rule-policy_audit_2] action audit profile profile_audit_2
    [FW-policy-audit-rule-policy_audit_2] quit
    [FW-policy-audit] quit

  7. Commit the audit profile.

    [FW] engine configuration commit
    Info: The operation may last for several minutes, please wait.
    Info: Audit submitted configurations successfully.
    Info: Finish committing engine compiling.

Follow-up Procedure

After the configuration is complete, you can view the reports, audit logs, and user activity logs to identify the users and the behavior that lead to low productivity. You can also use this information to fine-tune security policies later.

Configuration Scripts

This section provides only the script related to the example.

#
sysname FW
#
 time-range time_range
  period-range 09:00:00 to 17:00:00 daily
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
profile type audit name profile_audit_1
 description Profile of auditing for research.
 http-audit url all
 http-audit url recorded-title
 http-audit bbs-content
 http-audit micro-blog
 http-audit file direction download
 ftp-audit file direction download
#
profile type audit name profile_audit_2
 description Profile of auditing for marketing.
 http-audit url all
 http-audit file direction upload
 http-audit file direction download
 ftp-audit file direction upload
 ftp-audit file direction download
 mail-audit send
 mail-audit receive
#
audit-policy
 rule name policy_audit_1
  description Policy of auditing for research.
  source-zone trust
  destination-zone untrust
  user user-group /default/research
  time-range time_range
  action audit profile profile_audit_1
 rule name policy_audit_2
  description Policy of auditing for marketing.
  source-zone trust
  destination-zone untrust
  user user-group /default/marketing
  action audit profile profile_audit_2
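As an added example that is not Huawei's code and not part of this page, the following Python script parses a saved configuration script in the format shown above and checks that each audit-policy rule references a defined audit profile, that any referenced time-range exists, and that the profile carries the audit commands required for that user group. The embedded script is a constructed extract of the one above, trimmed to the commands the check inspects; the required-command lists are derived from the two requirements under Networking Requirements, and the rule that an R&D policy without a time-range is a finding follows from the working-hours requirement there.

```python
"""Added consistency check (not Huawei's code): parse a saved configuration script
and verify each audit-policy rule references a profile covering its group's requirements."""
import re

# Constructed extract of the page's configuration script, trimmed to the commands
# the check inspects (schedule, profiles, policy rules) so it runs offline.
SAMPLE_CONFIG = """\
 time-range time_range
  period-range 09:00:00 to 17:00:00 daily
#
profile type audit name profile_audit_1
 http-audit url all
 http-audit url recorded-title
 http-audit bbs-content
 http-audit micro-blog
 http-audit file direction download
 ftp-audit file direction download
#
profile type audit name profile_audit_2
 http-audit url all
 http-audit file direction upload
 http-audit file direction download
 ftp-audit file direction upload
 ftp-audit file direction download
 mail-audit send
 mail-audit receive
#
audit-policy
 rule name policy_audit_1
  user user-group /default/research
  time-range time_range
  action audit profile profile_audit_1
 rule name policy_audit_2
  user user-group /default/marketing
  action audit profile profile_audit_2
"""

# Audit commands each group's profile must carry, from the page's two requirements;
# the CLI keyword "both" is saved as separate upload and download lines.
REQUIRED_BY_GROUP = {
    "/default/research": ("http-audit url all", "http-audit bbs-content", "http-audit micro-blog",
                          "http-audit file direction download", "ftp-audit file direction download"),
    "/default/marketing": ("mail-audit send", "mail-audit receive",
                           "http-audit file direction upload", "http-audit file direction download",
                           "ftp-audit file direction upload", "ftp-audit file direction download"),
}

def parse_config(text):
    """Parse an indentation-nested script into [(command, children)]; a '#' line ends a block."""
    root, stack = [], []  # stack entries: (indent, children list of the open node)
    for raw in text.splitlines():
        cmd = raw.strip()
        if cmd == "#" or not cmd:  # separator or blank line closes the open block
            stack.clear()
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = (cmd, [])
        while stack and stack[-1][0] >= indent:  # close sibling or deeper nodes
            stack.pop()
        (stack[-1][1] if stack else root).append(node)
        stack.append((indent, node[1]))
    return root

def audit_profiles(tree):
    """Map audit profile name -> set of audit commands configured in it."""
    return {cmd.split()[-1]: {c for c, _ in ch if not c.startswith("description ")}
            for cmd, ch in tree if cmd.startswith("profile type audit name ")}

def audit_rules(tree):
    """Map rule name -> {keyword: rest of line} for every rule under audit-policy."""
    rules = {}
    for cmd, children in tree:
        if cmd == "audit-policy":
            for rcmd, settings in children:
                if rcmd.startswith("rule name "):
                    rules[rcmd.split()[-1]] = dict(s.split(" ", 1) for s, _ in settings if " " in s)
    return rules

def check_audit_config(text):
    """Return a list of findings; an empty list means the script meets both requirements."""
    tree = parse_config(text)
    profiles, rules = audit_profiles(tree), audit_rules(tree)
    ranges = {cmd.split()[1] for cmd, _ in tree if cmd.startswith("time-range ")}
    findings = []
    for name, rule in rules.items():
        m = re.fullmatch(r"audit profile (\S+)", rule.get("action", ""))
        if not m or m.group(1) not in profiles:
            findings.append(f"{name}: action does not reference a defined audit profile")
            continue
        tr, group = rule.get("time-range"), rule.get("user", "").replace("user-group ", "")
        if tr is not None and tr not in ranges:
            findings.append(f"{name}: time-range {tr} is not defined")
        if group == "/default/research" and tr is None:  # requirement 1: working hours only
            findings.append(f"{name}: R&D rule has no time-range, so auditing is not limited to working hours")
        for needed in REQUIRED_BY_GROUP.get(group, ()):
            if needed not in profiles[m.group(1)]:
                findings.append(f"{name}: profile {m.group(1)} lacks '{needed}'")
    return findings

if __name__ == "__main__":
    print("\n".join(check_audit_config(SAMPLE_CONFIG) or ["OK: script satisfies both requirements"]))
```

Run it against the output of a display current-configuration export in place of SAMPLE_CONFIG to confirm, after the engine configuration commit, that the rules still reference the profiles and schedule you intended; a missing time-range on the R&D rule silently widens auditing to all hours, and a rule whose profile name was mistyped audits nothing.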
Copyright © Huawei Technologies Co., Ltd.