< Home

Configuring Data Filtering

The data filtering profile determines the types of applications and files to be filtered. You must reference keyword groups in the data filtering profile.

Prerequisites

Configuring a Keyword Group

Context

Data filtering falls into file data filtering and application data filtering.

File data filtering filters the uploaded and downloaded files by keyword. Application data filtering filters application content by keyword.

The FW has a default data filtering profile named default. It references the default keyword group and alert is the action for the transfer of all types of files in the upload direction. You cannot modify or delete the default profile.

You can run the display profile type data-filter name default command on the CLI to view the configuration information about the default profile. IF you use the CLI to reference the default profile in a security policy, you must enter the complete profile name (such as default). Otherwise, the profile fails to be referenced. To view the configuration result, run the display current-configuration command. Then you can view that the security policy references the default profile, but the configuration information about the default profile is not displayed.

The FW supports user-defined profiles. You can create keyword groups to specify different actions for the upload and download directions of each application or file type.

Procedure

  1. Access the system view.

    system-view

  2. Create a data filtering profile and display the data filtering profile view.

    profile type data-filter name name

  3. Configure the description of a data filtering profile.

    description description

  4. Create a data filtering rule and display the data filtering view.

    rule name name

  5. Configure a keyword group for data filtering rules.

    keyword-group name name

    The value must be the name of an existing keyword group.

  6. Configure the application type for a data filtering rule.

    application { type type &<1-10> | all }

    By default, the FW checks all types of applications.

  7. Configure the type of files on which data filtering is implemented.

    file-type { name name &<1-10> | all }

    name specifies the type of files on which data filtering is implemented. If the name value is set to TEXT/HTML, the device implements data filtering on application contents.

  8. Enable search engine keyword-based exact match.

    word-boundary enable

    If the function is disabled, the device performs the fuzzy match between the search keyword in the search engine and the keyword specified in the data filtering rule. For example, the search keyword mytest matches keyword test in the data filtering rule, and the action (such as alert and block) of the rule will be taken.

    After the function is enabled, the device performs the exact match between the search keyword in the search engine and the keyword specified in the data filtering rule. The action (such as alert and block) of the rule will be taken only when the search keyword exactly matches the keyword specified in the rule.

    The function can be configured successfully only when the Search Engine Keywords option is selected in File Type.

  9. Configure the transfer direction of the data to be filtered.

    direction { both | download | upload }

    The default direction for data filtering is upload.

    upload indicates that a user uploads data to a security zone. download indicates that a user downloads data from a security zone.

  10. Configure the action for a data filtering rule.

    action { alert | block | by-threshold { alert-value alert-value | block-value block-value } * }

    Each keyword in a keyword group has a weight. The device calculates the sum of all keyword weights based on the times the keywords appear in the data to be detected.

    • If the sum of all keyword weights is smaller than the alarm threshold, the device allows the data transfer.

    • If the sum of all keyword weights is greater than or equal to the alarm threshold and smaller than the blocking threshold, the device generates an alarm. The alarm is sent only once.

    • If the sum of all keyword weights is greater than or equal to the blocking threshold, the device blocks the traffic.

      • The device does not support blocking NFS. Therefore, in a scenario where the application is NFS, and the action is block or the weight is no smaller than the block threshold, the device takes the alert action.

      • In a scenario where the application is IMAP or POP3, and the action is block or the weight is no smaller than block threshold:

        • If the email attachment matches the keyword, the device deletes the body and attachment of the email.

        • If the email body matches the keyword, the device deletes the body and attachment of the email.

        • If the email subject matches the keyword, the device deletes the subject, body and attachment of the email.

  11. Return to the system view, commit the profile.

    engine configuration commit

    The new or modified security profile does not take effect until you run the engine configuration commit command to commit the configuration. To save time, you can commit changes after all changes are made.

Follow-up Procedure

  • In the data filtering profile view, rename the existing data filtering profile and enter the new data filtering profile view.

    rename new-name

  • In the system view, clone the existing data filtering profile and access the new data filtering profile view.

    profile type data-filter copy old-name [ new-name ]

  • In the data filtering rule view, rename the existing data filtering rule and enter the new data filtering rule view.

    rename new-name

Parent Topic: Configuring Data Filtering Using the CLI
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >