Security Command Reference
Security zone commands
Non-default vSystems do not support some of the security zone commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.
display security-zone
Use display security-zone to display security zone information.
Syntax
display security-zone [ name zone-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
name zone-name: Specifies the security zone name, a case-insensitive string of 1 to 31 characters. If you do not specify this option, the command displays all security zones, including system-defined and user-defined security zones.
Usage guidelines
When displaying all security zones, the command uses the following order:
1. System-defined security zones.
2. User-defined security zones in alphabetical order of security zone names.
Examples
# Display information about security zone myZone.
<Sysname> display security-zone name myZone
Name: myZone
Members:
Service path 2 reversed
GigabitEthernet1/0/1
GigabitEthernet1/0/2 in VLAN 3
192.168.1.0 255.255.255.0
192.168.0.0 255.255.0.0 vpn-instance abc
1001:1002::0 32
Table 1 Command output
Field | Description |
---|---|
Name | Security zone name. |
Members | Members in the security zone: · Type and number of a Layer 3 interface. · Type and number of a Layer 2 Ethernet interface, and IDs of the VLANs to which the interface belongs. · Address and mask (or mask length) of an IPv4 subnet on the public network. · Address and prefix length of an IPv6 subnet on the public network. · Address, mask (or mask length), and VPN instance name of an IPv4 subnet on a VPN. · Address, prefix length, and VPN instance name of an IPv6 subnet on a VPN. · Service chain ID. · Service chain ID with the reversed flag. If a security zone does not have members, this field displays None. |
display zone-pair security
Use display zone-pair security to display all zone pairs.
Syntax
display zone-pair security
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Display all zone pairs.
<Sysname> display zone-pair security
Source zone Destination zone
DMZ Local
Trust Local
import interface
Use import interface to add Layer 3 interfaces to a security zone.
Use undo import interface to remove Layer 3 interfaces from a security zone.
Syntax
import interface layer3-interface-type layer3-interface-number
undo import interface layer3-interface-type layer3-interface-number
Default
A security zone does not have Layer 3 interface members.
Views
Security zone view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
interface layer3-interface-type layer3-interface-number: Specifies a Layer 3 interface by its type and number. Layer 3 interfaces include Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, and other types of Layer 3 logical interfaces.
Usage guidelines
You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.
To add multiple Layer 3 interfaces to a security zone, execute this command multiple times.
A Layer 3 interface can belong to only one security zone. To move a Layer 3 interface from one security zone to another security zone, perform the following tasks:
1. Use the undo import interface command to remove the interface from the current security zone.
2. Use the import interface command to add the interface to the new security zone.
Examples
# Add Layer 3 Ethernet interface GigabitEthernet 1/0/1 to security zone Trust.
<Sysname> system-view
[Sysname] security-zone name trust
[Sysname-security-zone-Trust] import interface gigabitethernet 1/0/1
import interface vlan
Use import interface vlan to add Layer 2 interface-VLAN combinations to a security zone.
Use undo import interface vlan to remove Layer 2 interface-VLAN combinations from a security zone.
Syntax
import interface layer2-interface-type layer2-interface-number vlan vlan-list
undo import interface layer2-interface-type layer2-interface-number vlan vlan-list
Default
A security zone does not have Layer 2 interface-VLAN combination members.
Views
Security zone view
Predefined user roles
network-admin
context-admin
Parameters
interface layer2-interface-type layer2-interface-number: Specifies a Layer 2 interface by its type and number.
vlan vlan-list: Specifies a list of VLANs. The vlan-list argument must be a space-separated list of up to 10 VLAN items that meet the following requirements:
· Each item specifies a VLAN by its ID or a range of VLANs in the form of start-VLAN-ID to end-VLAN-ID. The end-VLAN-ID is greater than the start-VLAN-ID.
· The VLAN IDs are in the range of 1 to 4094.
· The VLANs already exist.
Usage guidelines
Non-default vSystems do not support this command.
You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.
To add multiple Layer 2 Ethernet interface-VLAN combinations to a security zone, execute this command multiple times.
A Layer 2 interface-VLAN combination can belong to only one security zone. To move a Layer 2 interface-VLAN combination from one security zone to another security zone, perform the following tasks:
1. Use the undo import interface vlan command to remove the combination from the current security zone.
2. Use the import interface vlan command to add the combination to the new security zone.
Examples
# Add the combination of Layer 2 Ethernet interface GigabitEthernet 1/0/1 and VLAN 10 to security zone Untrust.
<Sysname> system-view
[Sysname] security-zone name untrust
[Sysname-security-zone-Untrust] import interface gigabitethernet 1/0/1 vlan 10
import ip
Use import ip to add an IPv4 subnet to a security zone.
Use undo import ip to remove an IPv4 subnet from a security zone.
Syntax
import ip ip-address { mask-length | mask } [ vpn-instance vpn-instance-name ]
undo import ip ip-address { mask-length | mask } [ vpn-instance vpn-instance-name ]
Default
A security zone does not have IPv4 subnet members.
Views
Security zone view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address: Specifies an IPv4 subnet by its subnet address or a host address on the subnet.
mask-length: Specifies the mask length in the range of 0 to 32.
mask: Specifies the subnet mask in dotted decimal notation.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the subnet belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the subnet resides on the public network, do not specify this option. As a best practice, specify an existing VPN instance. If you specify a non-existent VPN instance, this command will be successfully executed but will not take effect. Additionally, this command will get lost after the device restarts.
Usage guidelines
You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.
To add multiple IPv4 subnets to a security zone, execute this command multiple times.
A subnet can be added to only one security zone.
If one subnet includes another subnet, the system identifies them as different subnets. You can add them to the same security zone or different security zones. If you add them to different security zones, packets that match both subnets are identified as packets of the security zone to which the smaller subnet belongs. For example, you can assign 1.1.1.1/24 and 1.1.2.2/16 to different security zones. A packet with the IP address 1.1.1.3 is identified as a packet of the security zone to which 1.1.1.1/24 belongs.
For a dynamic routing protocol to operate correctly, add the multicast and broadcast addresses used by the protocol to security zones as needed.
Examples
# Add the 192.168.1.0/24 subnet to security zone a.
<Sysname> system-view
[Sysname] security-zone name a
[Sysname-security-zone-a] import ip 192.168.1.0 24
# Add the subnet that is identified by the address 192.168.2.1 and mask 255.255.255.0 to security zone a.
<Sysname> system-view
[Sysname] security-zone name a
[Sysname-security-zone-a] import ip 192.168.2.1 255.255.255.0
# Add the subnet that is identified by the address 192.168.2.1 and mask 255.255.255.0 on VPN abc to the security zone a.
<Sysname> system-view
[Sysname] security-zone name a
[Sysname-security-zone-a] import ip 192.168.2.1 255.255.255.0 vpn-instance abc
import ipv6
Use import ipv6 to add an IPv6 subnet to a security zone.
Use undo import ipv6 to remove an IPv6 subnet from a security zone.
Syntax
import ipv6 ipv6-address prefix-length [ vpn-instance vpn-instance-name ]
undo import ipv6 ipv6-address prefix-length [ vpn-instance vpn-instance-name ]
Default
A security zone does not have IPv6 subnet members.
Views
Security zone view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-address: Specifies an IPv6 subnet by its subnet address or a host address on the subnet.
prefix-length: Specifies the prefix length in the range of 1 to 128.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the subnet belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the subnet resides on the public network, do not specify this option. As a best practice, specify an existing VPN instance. If you specify a non-existent VPN instance, this command will be successfully executed but will not take effect. Additionally, this command will get lost after the device restarts.
Usage guidelines
You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.
To add multiple IPv6 subnets to a security zone, execute this command multiple times.
A subnet can be added to only one security zone.
If one subnet includes another subnet, the system identifies them as different subnets. You can add them to the same security zone or different security zones. If you add them to different security zones, packets that match both subnets are identified as packets of the security zone to which the smaller subnet belongs. For example, you can assign 1:1:1::0/48 and 1:1:1::0/32 to different security zones. A packet with the address 1:1:1::2 is identified as a packet of the security zone to which 1:1:1::0/48 belongs.
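The nested-subnet rule above (for both import ip and import ipv6) is a longest-prefix match: the zone of the most specific member that contains the address wins, and matching is per VPN instance. The following is an added example, not code from the command reference; the zone table is constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed zone table (not from the reference): each member is
# (subnet-or-host/len, vpn_instance), with vpn_instance None for the public network.
ZONE_MEMBERS = {
    "Trust":   [("1.1.1.1/24", None), ("1:1:1::0/48", None), ("192.168.2.1/24", "abc")],
    "Untrust": [("1.1.2.2/16", None), ("1:1:1::0/32", None)],
    "DMZ":     [("192.168.2.1/24", None)],
}


def build_members(table):
    """Normalise entries the way import ip / import ipv6 accept them: a host
    address on the subnet is allowed and reduced to the network address."""
    members = []
    for zone, entries in table.items():
        for prefix, vpn in entries:
            net = ipaddress.ip_network(prefix, strict=False)
            members.append((net, vpn, zone))
    return members


def zone_of(address, members, vpn=None):
    """Return the zone whose most specific member contains the address in the
    given VPN instance (longest prefix wins), or None when nothing matches."""
    addr = ipaddress.ip_address(address)
    best_net, best_zone = None, None
    for net, member_vpn, zone in members:
        if member_vpn != vpn or net.version != addr.version:
            continue
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_zone = net, zone
    return best_zone


def find_duplicate_members(members):
    """A subnet (with its VPN instance) may be added to only one zone; report
    members that appear in more than one zone so a config review catches them."""
    seen, dups = {}, []
    for net, vpn, zone in members:
        key = (net, vpn)
        if key in seen and seen[key] != zone:
            dups.append((str(net), vpn, seen[key], zone))
        seen.setdefault(key, zone)
    return dups


MEMBERS = build_members(ZONE_MEMBERS)
```

With the table above, 1.1.1.3 resolves to Trust (via 1.1.1.0/24) even though 1.1.0.0/16 in Untrust also contains it, and 192.168.2.50 resolves to Trust in VPN abc but to DMZ on the public network.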
Examples
# Add IPv6 subnet 1001:1002::0/32 (on the public network) to security zone a.
<Sysname> system-view
[Sysname] security-zone name a
[Sysname-security-zone-a] import ipv6 1001:1002::1 32
# Add IPv6 subnet 1001:1002::0/32 (on VPN abc) to security zone a.
<Sysname> system-view
[Sysname] security-zone name a
[Sysname-security-zone-a] import ipv6 1001:1002::1 32 vpn-instance abc
import service-chain path
Use import service-chain path to add a service chain to a security zone.
Use undo import service-chain path to remove a service chain from a security zone.
Syntax
import service-chain path path-id [ reversed ]
undo import service-chain path path-id [ reversed ]
Default
A security zone does not have service chain members.
Views
Security zone view
Predefined user roles
network-admin
context-admin
Parameters
path-id: Specifies a service chain by its ID. The value range is 1 to 8388606.
reversed: Matches the backward traffic. If you do not specify this keyword, the service chain matches the forward traffic.
Usage guidelines
Non-default vSystems do not support this command.
You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.
To add multiple service chains to a security zone, execute this command multiple times.
A service chain can be added to only one security zone.
For more information about service chains, see Service Chain Configuration Guide.
Examples
# Add service chain 100 to security zone zonetest.
<Sysname> system
[Sysname] security-zone name zonetest
[Sysname-security-zone-zonetest] import service-chain path 100
Related commands
display service-chain path (Service Chain Command Reference)
service-chain path (Service Chain Command Reference)
manage
Use manage to specify a permitted protocol on an interface.
Use undo manage to remove a permitted protocol.
Syntax
manage { { http | https | ping | ssh | telnet } { inbound | outbound } | { netconf-http | netconf-https | netconf-ssh | snmp } inbound }
undo manage { { http | https | ping | ssh | telnet } { inbound | outbound } | { netconf-http | netconf-https | netconf-ssh | snmp } inbound }
Default
The device permits packets only from other devices that are connected through interfaces in security zone Management.
Views
Interface view
Predefined user roles
network-admin
context-admin
Parameters
http: Specifies the HTTP protocol.
https: Specifies the HTTPS protocol.
netconf-http: Specifies the NETCONF over SOAP over HTTP protocol.
netconf-https: Specifies the NETCONF over SOAP over HTTPS protocol.
netconf-ssh: Specifies the NETCONF over SSH protocol.
ping: Specifies the Ping protocol.
snmp: Specifies the SNMP protocol.
ssh: Specifies the SSH protocol.
telnet: Specifies the Telnet protocol.
inbound: Permits incoming packets of the specified protocol.
outbound: Permits outgoing packets of the specified protocol.
Usage guidelines
After you specify a permitted protocol on an interface, the device will permit packets of the specified protocol from the device that is connected to the interface. The packets will not be limited based on security policies or traffic policies.
You can configure this command multiple times to specify multiple permitted protocols.
Examples
# Specify HTTP and HTTPS as permitted protocols on GigabitEthernet1/0/1.
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] manage http inbound
[Sysname-GigabitEthernet1/0/1] manage https inbound
security-zone
Use security-zone to create a security zone and enter its view, or enter the view of an existing security zone.
Use undo security-zone to delete a security zone.
Syntax
security-zone name zone-name
undo security-zone name zone-name
Default
The device has the following security zones: Local, Trust, DMZ, Management, and Untrust.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
name zone-name: Specifies the security zone name, a case-insensitive string of 1 to 31 characters. The name any is not allowed (any is a keyword in the zone-pair security command). To include a backslash (\) or quotation mark (") in the security zone name, you must precede it with the escape character (\).
Usage guidelines
The device provides the following system-defined security zones: Local, Trust, DMZ, Management, and Untrust. The system creates these security zones automatically when one of the following events occurs:
· The first command for creating a security zone is executed.
· The first command related to creating an interzone policy is executed.
System-defined security zones cannot be deleted.
You can use this command multiple times to create multiple security zones.
Deleting a security zone also deletes the following items:
· All zone pairs that use the security zone as the source or destination security zone.
· All interzone policy applications on the zone pairs.
Examples
# Create a security zone named zonetest and enter security zone view.
<Sysname> system-view
[Sysname] security-zone name zonetest
[Sysname-security-zone-zonetest]
Related commands
display security-zone
security-zone intra-zone default permit
Use security-zone intra-zone default permit to set the default action to permit for packets exchanged between interfaces in the same security zone.
Use undo security-zone intra-zone default permit to set the default action to deny for packets exchanged between interfaces in the same security zone.
Syntax
security-zone intra-zone default permit
undo security-zone intra-zone default permit
Default
The default action is deny for packets exchanged between interfaces in the same security zone.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
The system uses the default action for packets that are exchanged between interfaces in the same security zone in the following situations:
· A zone pair from the security zone to the security zone itself is not configured.
· A zone pair from the security zone to the security zone itself is configured, but no interzone policy is applied to the zone pair.
Examples
# Set the default action to permit for packets exchanged between interfaces in the same security zone.
<Sysname> system-view
[Sysname] security-zone intra-zone default permit
security-zone no-zone default
Use security-zone no-zone default to set the default action for packets exchanged between interfaces that are not in any security zone.
Use undo security-zone no-zone default to restore the default.
Syntax
security-zone no-zone default { deny | permit }
undo security-zone no-zone default
Default
The default action is deny.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
deny: Sets the default action to deny for packets exchanged between interfaces that are not in any security zone.
permit: Sets the default action to permit for packets exchanged between interfaces that are not in any security zone.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Set the default action to permit for packets exchanged between interfaces that are not in any security zone.
<Sysname> system-view
[Sysname] security-zone no-zone default permit
zone-pair security
Use zone-pair security to create a zone pair and enter its view, or enter the view of an existing zone pair.
Use undo zone-pair security to delete a zone pair.
Syntax
zone-pair security source { source-zone-name | any } destination { destination-zone-name | any }
undo zone-pair security source { source-zone-name | any } destination { destination-zone-name | any }
Default
No zone pair exists.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
source source-zone-name: Specifies the name of the source security zone, a case-insensitive string of 1 to 31 characters. This security zone must already exist.
destination destination-zone-name: Specifies the name of the destination security zone, a case-insensitive string of 1 to 31 characters. This security zone must already exist.
any: Specifies any security zone.
Usage guidelines
Non-default vSystems do not support this command.
A zone pair has a source security zone and a destination security zone. The device examines the first packet of each received data flow and uses zone pairs to identify the flow. You can apply interzone policies to zone pairs so the device processes data flows based on interzone policies.
You can use the zone-pair security source any destination any command to define the any-to-any zone pair. This zone pair matches all packets from one security zone to another security zone.
A zone pair between specific security zones has a higher priority than the any-to-any zone pair.
A packet between the Management and Local zones matches only zone pairs of the two zones. It does not match the any-to-any zone pair.
Deleting a zone pair deletes all interzone policy applications on the zone pair.
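The lookup rules in this section, together with the intra-zone and no-zone default actions and the zone-deletion rules described earlier, can be checked against a small model. The following is an added example, not device code; the configuration it builds is constructed, and the class and method names are hypothetical. Where the reference states no action (a pair that matches but has no policy applied between different zones, or only one of the two interfaces in a zone), the model reports no-policy rather than guessing.

```python
from dataclasses import dataclass, field

# Constructed model of the zone-pair lookup rules (added example, not device code).
# Zone names are case-insensitive, so keys are stored in lower case.
SYSTEM_ZONES = {"local", "trust", "dmz", "management", "untrust"}


@dataclass
class ZonePairTable:
    # (source, destination) -> name of the applied interzone policy, or None
    # when the zone pair exists but no policy has been applied to it.
    pairs: dict = field(default_factory=dict)
    intra_zone_default: str = "deny"   # security-zone intra-zone default permit
    no_zone_default: str = "deny"      # security-zone no-zone default { deny | permit }

    def add_pair(self, source, destination, policy=None):
        self.pairs[(source.lower(), destination.lower())] = policy

    def delete_zone(self, zone):
        """undo security-zone: refuse system-defined zones, otherwise remove
        every zone pair that uses the zone as source or destination."""
        zone = zone.lower()
        if zone in SYSTEM_ZONES:
            raise ValueError(f"system-defined zone {zone} cannot be deleted")
        self.pairs = {k: v for k, v in self.pairs.items() if zone not in k}

    def match_pair(self, src, dst):
        """Return the zone-pair key the flow matches, or None. A pair between
        specific zones beats any-to-any; same-zone flows and flows between
        Management and Local never match the any-to-any pair."""
        if (src, dst) in self.pairs:
            return (src, dst)
        if src == dst or {src, dst} == {"management", "local"}:
            return None
        return ("any", "any") if ("any", "any") in self.pairs else None

    def resolve(self, src_zone, dst_zone):
        """Decide how a first packet is handled: ('policy', name) when an
        interzone policy applies, ('default', action) when a configured
        default action applies, ('no-policy', None) otherwise."""
        if src_zone is None and dst_zone is None:
            return ("default", self.no_zone_default)   # neither interface zoned
        if src_zone is None or dst_zone is None:
            return ("no-policy", None)   # one side zoned: not covered by the reference
        src, dst = src_zone.lower(), dst_zone.lower()
        key = self.match_pair(src, dst)
        policy = self.pairs[key] if key is not None else None
        if policy is not None:
            return ("policy", policy)
        if src == dst:   # no pair, or a pair with no policy: intra-zone default
            return ("default", self.intra_zone_default)
        return ("no-policy", None)


def build_example_table():
    """Constructed configuration: Trust->Untrust with a policy, an any-to-any
    catch-all, a Trust->Trust pair with nothing applied, and a user zone."""
    t = ZonePairTable()
    t.add_pair("Trust", "Untrust", policy="pol-trust-untrust")
    t.add_pair("any", "any", policy="pol-catch-all")
    t.add_pair("Trust", "Trust")
    t.add_pair("zonetest", "DMZ", policy="pol-zonetest-dmz")
    return t
```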
Examples
# Create a zone pair with the source security zone Trust and destination zone Untrust.
<Sysname> system-view
[Sysname] zone-pair security source trust destination untrust
[Sysname-zone-pair-security-Trust-Untrust]
Related commands
display zone-pair security
zone-pair vsip-filter enable
Use zone-pair vsip-filter enable to enable filtering based on virtual service IP address for zone pairs.
Use undo zone-pair vsip-filter enable to restore the default.
Syntax
zone-pair vsip-filter enable
undo zone-pair vsip-filter enable
Default
Filtering based on virtual service IP address is disabled for zone pairs.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
In scenarios where server load balancing is deployed, configure this command to enable the device to filter packets from external networks to internal servers by virtual service IP address. By default, filtering based on virtual service IP address is disabled. Before matching each of the packets against ACLs, the device translates the destination IP address (the virtual service IP address) to the real server IP address. For more information about packet filtering, see ACL configuration in ACL and QoS Configuration Guide.
Examples
# Configure an IPv4 advanced ACL to permit packets destined for virtual server IP address 10.10.10.10. Configure a zone pair from Untrust to DMZ, apply the ACL to the zone pair, and enable filtering based on virtual service IP address.
<Sysname> system-view
[Sysname] acl advanced 3000
[Sysname-acl-ipv4-adv-3000] rule permit ip source any destination 10.10.10.10 0
[Sysname-acl-ipv4-adv-3000] quit
[Sysname] zone-pair security source untrust destination dmz
[Sysname-zone-pair-security-Untrust-DMZ] packet-filter 3000
[Sysname-zone-pair-security-Untrust-DMZ] quit
[Sysname] zone-pair vsip-filter enable