
Security Policies

Overview

A security policy is one of the basic security functions of the device. It permits or denies packets based on configured conditions. Packet filtering conditions include source/destination IP addresses, source/destination ports, services, time ranges, users, and applications, so packets can be rapidly filtered by user and application. The device integrates packet filtering and content security into security policy configuration, so both can be configured and managed through the same set of policies, simplifying administration and improving network security. You can configure security policies to enable the device to identify traffic with attack features and permit or deny that traffic as required. You can also configure IPS, antivirus, file blocking, and mail filtering to defend against viruses, worms, Trojan horses, and illegitimate files.

If general security policies are used, unauthorized users can freely access the network and launch attacks. As such, you are advised to carefully analyze a network's traffic model and configure refined security policies to permit all required traffic and block all unauthorized traffic.

By default, BGP, LDP, BFD, DHCP unicast, DHCPv6 unicast, and OSPF unicast packets are controlled by security policies and default security policies. To enable the device to access the network quickly, run the undo firewall packet-filter basic-protocol enable command to exempt these packets from security policies and default security policies.

For details, see section Configuration Guide > Security Policy.

Impact on the System

By default, traffic that does not match any security policy is blocked.

Procedure

  • The following provides an example for configuring a security policy for traffic passing through a device.

    # A client at 1.1.1.1 in the trust zone needs to access the FTP service on a server at 10.0.0.10 in the DMZ.

    <HUAWEI> system-view
    [HUAWEI] security-policy
    [HUAWEI-policy-security] rule name policy_sec_permit
    [HUAWEI-policy-security-rule-policy_sec_permit] source-zone trust
    [HUAWEI-policy-security-rule-policy_sec_permit] destination-zone dmz
    [HUAWEI-policy-security-rule-policy_sec_permit] source-address 1.1.1.1 32
    [HUAWEI-policy-security-rule-policy_sec_permit] destination-address 10.0.0.10 32
    [HUAWEI-policy-security-rule-policy_sec_permit] service ftp
    [HUAWEI-policy-security-rule-policy_sec_permit] action permit
    [HUAWEI-policy-security-rule-policy_sec_permit] quit
    [HUAWEI-policy-security] quit

  • The following provides an example for configuring a security policy for communication between devices.

    # A device needs to exchange OSPF packets with other devices in the trust zone. The network segment of the interconnection interfaces is 10.10.10.0/24.

    <HUAWEI> system-view
    [HUAWEI] security-policy
    [HUAWEI-policy-security] rule name policy_ospf
    [HUAWEI-policy-security-rule-policy_ospf] source-zone trust local
    [HUAWEI-policy-security-rule-policy_ospf] destination-zone trust local
    [HUAWEI-policy-security-rule-policy_ospf] source-address 10.10.10.0 24
    [HUAWEI-policy-security-rule-policy_ospf] destination-address 10.10.10.0 24
    [HUAWEI-policy-security-rule-policy_ospf] service ospf
    [HUAWEI-policy-security-rule-policy_ospf] action permit
    [HUAWEI-policy-security-rule-policy_ospf] quit
    [HUAWEI-policy-security] quit
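As an added illustration, not Huawei's implementation, the following Python model applies the first-match, default-deny semantics described on this page to the two rules from the procedure; the tuple packet format, the "any" service keyword and the zone names it accepts are assumptions of this model. Its shadowed() check flags a refined rule that an earlier, more general rule makes unreachable, which is the problem the Overview warns about.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

def _net(cli_addr):
    """Parse the CLI form "10.0.0.10 32" into an ip_network."""
    addr, plen = cli_addr.split()
    return ip_network(f"{addr}/{plen}", strict=False)

@dataclass
class Rule:
    name: str
    source_zones: frozenset     # several zones may be listed, as in "trust local"
    destination_zones: frozenset
    source_address: str         # written as in the CLI, e.g. "1.1.1.1 32"
    destination_address: str
    service: str                # "any" stands for every service (model assumption)
    action: str                 # "permit" or "deny"

    def matches(self, pkt):
        src_zone, dst_zone, src_ip, dst_ip, service = pkt   # constructed packet tuple
        return (src_zone in self.source_zones and dst_zone in self.destination_zones
                and ip_address(src_ip) in _net(self.source_address)
                and ip_address(dst_ip) in _net(self.destination_address)
                and self.service in ("any", service))

    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        return (other.source_zones <= self.source_zones
                and other.destination_zones <= self.destination_zones
                and _net(other.source_address).subnet_of(_net(self.source_address))
                and _net(other.destination_address).subnet_of(_net(self.destination_address))
                and self.service in ("any", other.service))

# The two rules configured in the procedure above.
RULES = [
    Rule("policy_sec_permit", frozenset({"trust"}), frozenset({"dmz"}),
         "1.1.1.1 32", "10.0.0.10 32", "ftp", "permit"),
    Rule("policy_ospf", frozenset({"trust", "local"}), frozenset({"trust", "local"}),
         "10.10.10.0 24", "10.10.10.0 24", "ospf", "permit"),
]

def evaluate(rules, pkt):
    """First match top-down decides; no match falls to the default policy, which denies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "default", "deny"

def shadowed(rules):
    """Rules that can never match because an earlier, more general rule covers them."""
    return [r.name for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]
```

Placing a constructed permit-any rule ahead of RULES makes shadowed() report policy_sec_permit, and evaluate() then permits non-FTP traffic to the DMZ server that the refined rule alone would have left to the default deny.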

Checking the Security Hardening Result

Run the display security-policy rule all command in any view to check the security policy configuration and matching status.

Copyright © Huawei Technologies Co., Ltd.