- Table of Contents
-
- 08-Configuration Examples
- 01-Web Login Configuration Examples
- 02-Internet Access Through a Static IP Address Configuration Examples
- 03-Internet access through PPPoE configuration examples
- 04-Signature Library Upgrade Configuration Examples
- 04-Software Upgrade Examples(only for F50X0-D and F5000-AK5X5 firewalls)
- 05-Software Upgrade Examples
- 06-Static routing configuration examples
- 07-OSPF configuration examples
- 08-BGP configuration examples
- 09-RIP configuration examples
- 10-DHCP configuration examples
- 11-DNS configuration examples
- 12-Object Group Configuration Examples
- 13-Public key management configuration examples
- 14-Security Policy Configuration Examples
- 15-Attack defense configuration examples
- 16-Connection Limit Configuration Examples
- 17-IPS Configuration Examples
- 18-URL Filtering Configuration Examples
- 19-Anti-Virus Configuration Examples
- 20-Data Filtering Configuration Examples
- 21-File Filtering Configuration Examples
- 22-APR-Based Security Policy Configuration Examples
- 23-Bandwidth Management Configuration Examples
- 24-NAT configuration examples
- 25-NAT hairpin configuration examples
- 26-IPsec configuration examples
- 27-SSL VPN configuration examples
- 28-Server Load Balancing Configuration Examples
- 29-Outbound Link Load Balancing Configuration Examples
- 30-Inbound Link Load Balancing Configuration Examples
- 31-Transparent DNS Proxy Configuration Examples
- 32-Context Configuration Examples
- 32-Context Configuration Examples(only for F50X0-D and F5000-AK5X5 firewalls)
- 33-IRF configuration examples
- 34-High Availability Group Configuration Examples
- 35-NAT Flow Logging Configuration Examples
- 36-User identification configuration examples
- 37-Server Connection Detection Configuration Examples
- 38-IP Reputation Configuration Examples
- 39-NPTv6 Configuration Examples
- 40-SSL Decryption Configuration Examples
- 41-MAC Address Learning Through a Layer 3 Device Configuration Examples
- 42-WAF Configuration Examples
- 43-NetShare Control Configuration Examples
- 44-4G Configuration Examples
- 45-WLAN Configuration Examples
- Related Documents
-
Title | Size | Download |
---|---|---|
20-Data Filtering Configuration Examples | 173.40 KB |
Data filtering configuration examples
The following information provides data filtering configuration examples.
Data filtering filters packets based on application layer information. You can use data filtering to effectively prevent leakage of internal information, distribution of illegal information, and unauthorized access to the Internet.
This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of the data filtering feature.
Restrictions and guidelines
Data filtering supports filtering packets of the following protocols:
· HTTP.
· FTP.
· SMTP.
· IMAP.
· NFS.
· POP3.
· RTMP.
· SMB.
For data filtering to inspect HTTPS protocol packets, you must also configure the application proxy feature. To configure the application proxy feature, access the Policies > Application Proxy page.
Example: Configuring data filtering
Network configuration
As shown in Figure 1, a security gateway device is deployed at the border of the enterprise network. Configure data filtering on the device to block and log the following Internet access behaviors of internal users:
· Browsing, publishing, or downloading information containing the illegal keyword on the Internet.
· Transferring files marked as for internal use only on the Internet.
Software versions used
This configuration example was created and verified on F9345 of the F1060 device.
Procedure
1. Assign IP addresses to interfaces and add the interfaces to security zones:
# On the top navigation bar, click Network.
# From the navigation pane, select Interface Configuration > Interfaces.
# Click the Edit icon for GE 1/0/1.
# In the dialog box that opens, configure the interface:
a. Select the Trust security zone.
b. Click the IPv4 Address tab, and then enter the IP address and mask of the interface. In this example, enter 10.1.1.1/24.
c. Click OK.
# Add GE 1/0/2 to the Untrust security zone and set its IP address to 20.1.1.1./24 in the same way you configure GE 1/0/1.
2. Configure a route:
This example configures a static route. If dynamic routes are required, configure a dynamic routing protocol.
# On the top navigation bar, click Network.
# From the navigation pane, select Routing > Static Routing.
# On the IPv4 Static Routing tab, click Create.
# In the dialog box that opens, create an IPv4 static route:
¡ Enter destination address 0.0.0.0.
¡ Enter mask length 0.
¡ Enter next hop address 20.1.1.2.
# Click OK.
3. Configure keyword groups.
# Create keyword group keywordgroup1.
a. On the top navigation bar, click Objects.
b. From the navigation pane, select APPSecurity > Data Filtering > Keyword Groups.
c. Click Create.
d. In the dialog box that opens, configure the keyword group:
- Enter keywordgroup1 in the Name field.
- In the User defined keyword list area, click Create.
- In the Create Keyword dialog box, enter keyword1 in the Name field, select the Text type, and enter for internal use only in the Match pattern field.
- Click OK.
Figure 2 Creating a keyword
The newly created keyword keyword1 is displayed in the Create Keyword Group dialog box.
Figure 3 Creating keyword group keywordgroup1
e. Click OK.
# Create keyword group keywordgroup2.
a. On the Keyword Group page, click Create.
b. In the dialog box that opens, configure the keyword group:
- Enter keywordgroup2 in the Name field.
- In the User defined keyword list area, click Create.
- In the Create Keyword dialog box, enter keyword2 in the Name field, select the Text type, and enter illegal in the Match pattern field.
¡ Click OK.
Figure 4 Creating a keyword
The newly created keyword keyword2 is displayed in the Create Keyword Group dialog box.
Figure 5 Creating keyword group keywordgroup2
c. Click OK.
4. Configure a data filtering profile.
# On the top navigation bar, click Objects.
# From the navigation pane, select APPSecurity > Data Filtering > Profiles.
# Click Create.
# In the dialog box that opens, configure a data filtering profile.
a. Enter the name datafilter.
b. In the Data filtering rules area, click Create.
c. In the dialog box that opens, create data filtering rule rule1 as shown in Figure 6, and then click OK.
Figure 6 Creating data filtering rule rule1
d. Create data filtering rule rule2 (as shown in Figure 7) in the same way you configure data filtering rule rule1.
Figure 7 Creating data filtering rule rule2
The data filtering rules are displayed in the Create Data Filtering Profile dialog box, as shown in Figure 8.
e. Click OK.
Figure 8 Creating a data filtering profile
5. Create a security policy:
# On the top navigation bar, click Policies.
# From the navigation pane, select Security Policies > Security Policies.
# Click Create.
# In the dialog box that opens, configure a security policy:
¡ Enter policy name datafilter.
¡ Select source zone Trust.
¡ Select destination zone Untrust.
¡ Select type IPv4.
¡ Select action Permit.
¡ Select source IP address 10.1.1.0/24.
¡ Select data filtering profile datafilter in the Content security area.
# Cilck OK.
6. On the Data Filtering Profiles page, click Submit to make the data filtering profile take effect.
Verifying the configuration
Verify that data filtering can log and block the following Internet access behaviors of internal users:
· Browsing, publishing, or downloading information containing the illegal keyword on the Internet.
· Transferring files marked as for internal use only on the Internet.
To view the logs generated for these behaviors, perform either of the following tasks:
· At the CLI, execute the display logbuffer module dfilter command to view the data filtering logs.
· On the Web interface, click System on the top navigation bar, and then select Log Settings > Basic Settings from the navigation pane. On the Syslog Settings tab, create a log host to receive the logs. You can access the log host to view data filtering logs.