- 03-Security Command Reference
02-Security policy commands
Security policy commands
Non-default vSystems do not support some of the security policy commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.
accelerate enhanced enable
Use accelerate enhanced enable to manually activate rule matching acceleration.
Syntax
accelerate enhanced enable
Views
IPv4 security policy view
IPv6 security policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
Rule matching acceleration enhances connection establishment and packet forwarding performance, especially for a device using multiple rules to match packets from multiple users.
Rule matching acceleration does not take effect on newly added, modified, and moved rules unless the feature is activated for the rules. By default, the system automatically activates rule matching acceleration for such rules at dynamically calculated intervals.
To activate rule matching acceleration immediately after a rule change, you can execute this command.
If no rule change is detected, the system does not perform an activation operation.
Insufficient memory can cause rule matching acceleration to fail. A rule that fails to be accelerated does not take effect; rules that have already been accelerated are not affected. After a rule change on a memory-constrained device, confirm that the change has actually taken effect before relying on it, especially for a drop rule.
Examples
# Activate rule matching acceleration.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] accelerate enhanced enable
action
Use action to set the action for a security policy rule.
Syntax
action { drop | pass }
Default
The action for a security policy rule is drop.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
drop: Discards matched packets.
pass: Allows matched packets to pass.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the action for security policy rule rule1 to drop.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] action drop
Related commands
display security-policy
app-group
Use app-group to specify an application group as a filtering criterion of a security policy rule.
Use undo app-group to remove the specified application group filtering criterion from a security policy rule.
Syntax
app-group app-group-name
undo app-group [ app-group-name ]
Default
No application group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
app-group-name: Specifies the name of an application group, a case-insensitive string of 1 to 63 characters. The name cannot be invalid or other. If you do not specify this argument when executing the undo app-group command, the command removes all application groups from the rule. For more information about application groups, see APR in Security Configuration Guide.
Usage guidelines
Non-default vSystems do not support this command.
You can execute the command multiple times to specify multiple application groups as the filtering criteria.
Examples
# Specify application groups app1 and app2 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] app-group app1
[Sysname-security-policy-ip-0-rule1] app-group app2
Related commands
app-group (APR commands)
display security-policy
application
Use application to specify an application as a filtering criterion of a security policy rule.
Use undo application to remove the specified application filtering criterion from a security policy rule.
Syntax
application application-name
undo application [ application-name ]
Default
No application is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
application-name: Specifies the name of an application, a case-insensitive string of 1 to 63 characters. The name cannot be invalid or other. If you do not specify this argument when executing the undo application command, the command removes all applications from the rule. For more information about applications, see APR in Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple applications as the filtering criteria.
For an application filtering criterion to take effect, the device must first be able to identify the application. Make sure the packets of the protocols on which the application depends are permitted. If port-based packet filtering is configured and a dependent protocol uses a non-default port, you must also permit the packets on that port; otherwise the application is never identified and the rule never matches.
Examples
# Specify applications 139Mail and 51job as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] application 139Mail
[Sysname-security-policy-ip-0-rule1] application 51job
Related commands
display security-policy
nbar application
port-mapping
counting enable
Use counting enable to enable statistics collection for matched packets.
Use undo counting enable to disable statistics collection for matched packets.
Syntax
counting enable [ period value ]
undo counting enable
Default
Statistics collection for matched packets is disabled.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
period value: Specifies the period during which the statistics collection feature is enabled, in the range of 1 to 4294967295 minutes. If you do not specify this option, the command enables statistics collection permanently.
Usage guidelines
This feature enables the device to collect statistics about matched packets. The collected statistics can be viewed by executing the display security-policy statistics command.
If an enabling period is specified, the system disables the statistics collection feature and removes the configuration at period expiration. If no enabling period is specified, you must execute the undo counting enable command to disable the statistics collection feature.
Examples
# Enable matched packet statistics collection for security policy rule rule1 and set the enabling period to 20 minutes.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] counting enable period 20
Related commands
display security-policy
display security-policy statistics
description (security policy rule view)
Use description to configure a description for a security policy rule.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure the description as This rule is used for source-ip ip1 for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] description This rule is used for source-ip ip1
Related commands
display security-policy
description (security policy view)
Use description to configure a description for the IPv4 or IPv6 security policy.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for the IPv4 or IPv6 security policy.
Views
IPv4 security policy view
IPv6 security policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure the description as zone-pair security office to library for the IPv4 security policy.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] description zone-pair security office to library
Related commands
display security-policy
destination-ip
Use destination-ip to specify a destination IP address object group as a filtering criterion of a security policy rule.
Use undo destination-ip to remove the specified destination IP address object group from a security policy rule.
Syntax
destination-ip object-group-name
undo destination-ip [ object-group-name ]
Default
No destination IP address object group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
object-group-name: Specifies the name of a destination IP address object group, a case-insensitive string of 1 to 63 characters. The name cannot be any. If you do not specify this argument when executing the undo destination-ip command, the command removes all destination IP address object groups from the rule. For more information about object groups, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple destination IP address object groups as the filtering criteria.
If you specify a nonexistent object group, the device does not report an error. It automatically creates an object group with that name and empty configuration, and a rule that contains an object group with empty configuration does not match any packets. Check the object group name carefully: a mistyped name in a drop rule means the rule silently blocks nothing.
For a security policy rule, the number of configured destination IP address object groups cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
Examples
# Specify destination IP address object groups client1 and client2 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] destination-ip client1
[Sysname-security-policy-ip-0-rule1] destination-ip client2
Related commands
display security-policy
object-group
destination-ip-host (IPv4 security policy view)
Use destination-ip-host to specify a destination IPv4 host address as a filtering criterion of a security policy rule.
Use undo destination-ip-host to remove the specified destination IPv4 host address from a security policy rule.
Syntax
destination-ip-host ip-address
undo destination-ip-host [ ip-address ]
Default
No destination IPv4 host address is specified as a filtering criterion for a security policy rule.
Views
IPv4 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address: Specifies the IPv4 address of a host. If you do not specify this argument when executing the undo destination-ip-host command, the command removes all destination IPv4 host addresses from the rule.
Usage guidelines
You can execute the command multiple times to specify multiple destination IPv4 host addresses as the filtering criteria.
If you specify an IP address that has been configured as a destination host filtering criterion, the command execution fails and the system prompts an error.
For a security policy rule, the sum of configured destination host addresses, destination subnets, and destination address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
Examples
# Specify destination IPv4 host address 192.167.0.1 as a filtering criterion of IPv4 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] destination-ip-host 192.167.0.1
Related commands
display security-policy
destination-ip-host (IPv6 security policy view)
Use destination-ip-host to specify a destination IPv6 host address as a filtering criterion of a security policy rule.
Use undo destination-ip-host to remove the specified destination IPv6 host address from a security policy rule.
Syntax
destination-ip-host ipv6-address
undo destination-ip-host [ ipv6-address ]
Default
No destination IPv6 host address is specified as a filtering criterion for a security policy rule.
Views
IPv6 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-address: Specifies the IPv6 address of a host. If you do not specify this argument when executing the undo destination-ip-host command, the command removes all destination IPv6 host addresses from the rule.
Usage guidelines
You can execute the command multiple times to specify multiple destination IPv6 host addresses as the filtering criteria.
If you specify an IP address that has been configured as a destination host filtering criterion, the command execution fails and the system prompts an error.
For a security policy rule, the sum of configured destination host addresses, destination subnets, and destination address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
Examples
# Specify destination IPv6 host address 192::167:1 as a filtering criterion of IPv6 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ipv6
[Sysname-security-policy-ipv6] rule 0 name rule1
[Sysname-security-policy-ipv6-0-rule1] destination-ip-host 192::167:1
Related commands
display security-policy
destination-ip-range (IPv4 security policy view)
Use destination-ip-range to specify a destination IPv4 address range as a filtering criterion of a security policy rule.
Use undo destination-ip-range to remove the specified destination IPv4 address range from a security policy rule.
Syntax
destination-ip-range ip-address1 ip-address2
undo destination-ip-range [ ip-address1 ip-address2 ]
Default
No destination IPv4 address range is specified as a filtering criterion for a security policy rule.
Views
IPv4 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address1 ip-address2: Specifies an IPv4 address range. The ip-address1 argument represents the start IP address and the ip-address2 argument represents the end IP address. If you do not specify the arguments when executing the undo destination-ip-range command, the command removes all destination IPv4 address ranges from the rule.
Usage guidelines
You can execute the command multiple times to specify multiple destination IPv4 address ranges as the filtering criteria.
If you specify an IP address range that has been configured as a destination IP range filtering criterion, the command execution fails and the system prompts an error.
For a security policy rule, the sum of configured destination host addresses, destination subnets, and destination address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
When you specify an IP address range, follow these restrictions and guidelines:
· If the start IP address is the same as the end IP address, the command creates a host address filtering criterion.
· If the start IP address and the end IP address define a subnet, the command creates a subnet filtering criterion.
· If ip-address1 is greater than ip-address2, the system automatically adjusts the range to [ ip-address2, ip-address1 ].
Examples
# Specify destination IPv4 address range 192.165.0.100 to 192.165.0.200 as a filtering criterion of IPv4 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] destination-ip-range 192.165.0.100 192.165.0.200
Related commands
display security-policy
destination-ip-range (IPv6 security policy view)
Use destination-ip-range to specify a destination IPv6 address range as a filtering criterion of a security policy rule.
Use undo destination-ip-range to remove the specified destination IPv6 address range from a security policy rule.
Syntax
destination-ip-range ipv6-address1 ipv6-address2
undo destination-ip-range [ ipv6-address1 ipv6-address2 ]
Default
No destination IPv6 address range is specified as a filtering criterion for a security policy rule.
Views
IPv6 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-address1 ipv6-address2: Specifies an IPv6 address range. The ipv6-address1 argument represents the start IP address and the ipv6-address2 argument represents the end IP address. If you do not specify the arguments when executing the undo destination-ip-range command, the command removes all destination IPv6 address ranges from the rule.
Usage guidelines
You can execute the command multiple times to specify multiple destination IPv6 address ranges as the filtering criteria.
If you specify an IP address range that has been configured as a destination IP range filtering criterion, the command execution fails and the system prompts an error.
For a security policy rule, the sum of configured destination host addresses, destination subnets, and destination address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
When you specify an IP address range, follow these restrictions and guidelines:
· If the start IP address is the same as the end IP address, the command creates a host address filtering criterion.
· If the start IP address and the end IP address define a subnet, the command creates a subnet filtering criterion.
· If ipv6-address1 is greater than ipv6-address2, the system automatically adjusts the range to [ ipv6-address2, ipv6-address1 ].
Examples
# Specify destination IPv6 address range 192:165::100 to 192:165::200 as a filtering criterion of IPv6 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ipv6
[Sysname-security-policy-ipv6] rule 0 name rule1
[Sysname-security-policy-ipv6-0-rule1] destination-ip-range 192:165::100 192:165::200
Related commands
display security-policy
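The range guidelines for destination-ip-range (and the identical rules for source-ip-range) mean that what you type is not always what the device stores: equal endpoints become a host criterion, a range that is exactly a subnet becomes a subnet criterion, and reversed endpoints are swapped. The following Python is an added example, not part of the command reference and not device code; it reproduces those documented rules, the duplicate-criterion error, and the per-rule limit of 1024 host, subnet and range criteria so you can predict what display security-policy will show before you configure a rule. The class and function names are this example's own. The command reference does not say how the device treats a subnet address with host bits set; this code clears them (strict=False), which is an assumption.

```python
"""Predict how an address range or subnet criterion is stored on the device.

Added example; it does not talk to a device and is not the vendor's code.
"""
import ipaddress
from typing import Set, Tuple

Criterion = Tuple[str, str]            # ("host" | "subnet" | "range", value)
MAX_ADDRESS_CRITERIA = 1024            # documented per-rule limit


def normalize_ip_range(start: str, end: str) -> Criterion:
    """Return the criterion the device would create for `start end`."""
    a = ipaddress.ip_address(start)
    b = ipaddress.ip_address(end)
    if a.version != b.version:
        # IPv4 and IPv6 rules live in different policy views.
        raise ValueError("start and end must be the same IP version")
    if a > b:                          # ip-address1 > ip-address2: swap
        a, b = b, a
    if a == b:                         # same address: host criterion
        return ("host", str(a))
    nets = list(ipaddress.summarize_address_range(a, b))
    if len(nets) == 1:                 # exactly one CIDR block: subnet criterion
        net = nets[0]
        return ("subnet", f"{net.network_address}/{net.prefixlen}")
    return ("range", f"{a} {b}")


def normalize_ip_subnet(address: str, mask_or_prefix: str) -> Criterion:
    """Return the criterion for `address { mask-length | mask }` or `address prefix-length`."""
    # strict=False clears host bits; device behaviour here is an assumption.
    net = ipaddress.ip_network(f"{address}/{mask_or_prefix}", strict=False)
    if net.prefixlen == net.max_prefixlen:   # /32 or /128: host criterion
        return ("host", str(net.network_address))
    return ("subnet", f"{net.network_address}/{net.prefixlen}")


class AddressCriteria:
    """Host, subnet and range criteria of one rule for one direction."""

    def __init__(self, limit: int = MAX_ADDRESS_CRITERIA) -> None:
        self.limit = limit
        self.entries: Set[Criterion] = set()

    def add(self, entry: Criterion) -> Criterion:
        # The device rejects a criterion that already exists on the rule.
        if entry in self.entries:
            raise ValueError(f"duplicate {entry[0]} criterion {entry[1]}")
        # The sum of hosts, subnets and ranges cannot exceed the limit.
        if len(self.entries) >= self.limit:
            raise ValueError(f"limit of {self.limit} address criteria reached")
        self.entries.add(entry)
        return entry

    def add_host(self, address: str) -> Criterion:
        return self.add(("host", str(ipaddress.ip_address(address))))

    def add_range(self, start: str, end: str) -> Criterion:
        return self.add(normalize_ip_range(start, end))

    def add_subnet(self, address: str, mask_or_prefix: str) -> Criterion:
        return self.add(normalize_ip_subnet(address, mask_or_prefix))


if __name__ == "__main__":
    dst = AddressCriteria()
    for args in (("192.165.0.100", "192.165.0.200"),   # stays a range
                 ("192.167.0.0", "192.167.0.255"),     # becomes 192.167.0.0/24
                 ("10.0.0.9", "10.0.0.1")):            # endpoints swapped
        print("destination-ip-range", *args, "->", dst.add_range(*args))
    print("destination-ip-subnet 1.1.1.4 255.255.255.255 ->",
          dst.add_subnet("1.1.1.4", "255.255.255.255"))
```

The practical point is the duplicate check: a host entered with destination-ip-host, a /32 subnet entered with destination-ip-subnet, and a one-address range entered with destination-ip-range all collapse to the same host criterion, so the second form is rejected as a duplicate rather than added.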
destination-ip-subnet (IPv4 security policy view)
Use destination-ip-subnet to specify a destination IPv4 subnet as a filtering criterion of a security policy rule.
Use undo destination-ip-subnet to remove the specified destination IPv4 subnet from a security policy rule.
Syntax
destination-ip-subnet ip-address { mask-length | mask }
undo destination-ip-subnet [ ip-address { mask-length | mask } ]
Default
No destination IPv4 subnet is specified as a filtering criterion for a security policy rule.
Views
IPv4 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address { mask-length | mask }: Specifies an IPv4 subnet. You can specify the mask length or the mask in dotted decimal notation. The mask length is in the range of 0 to 32. If you set the mask length to 32 or the mask to 255.255.255.255, the command creates a host address filtering criterion. If you do not specify the arguments when executing the undo destination-ip-subnet command, the command removes all destination IPv4 subnets from the rule.
Usage guidelines
You can execute the command multiple times to specify multiple destination IPv4 subnets as the filtering criteria.
If you specify a subnet that has been configured as a destination subnet filtering criterion, the command execution fails and the system prompts an error.
For a security policy rule, the sum of configured destination host addresses, destination subnets, and destination address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
Examples
# Specify the destination subnet with IP address 192.167.0.0 and mask length 24 as a filtering criterion of IPv4 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] destination-ip-subnet 192.167.0.0 24
# Specify the destination subnet with IP address 192.166.0.0 and mask 255.255.0.0 as a filtering criterion of IPv4 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] destination-ip-subnet 192.166.0.0 255.255.0.0
Related commands
display security-policy
destination-ip-subnet (IPv6 security policy view)
Use destination-ip-subnet to specify a destination IPv6 subnet as a filtering criterion of a security policy rule.
Use undo destination-ip-subnet to remove the specified destination IPv6 subnet from a security policy rule.
Syntax
destination-ip-subnet ipv6-address prefix-length
undo destination-ip-subnet [ ipv6-address prefix-length ]
Default
No destination IPv6 subnet is specified as a filtering criterion for a security policy rule.
Views
IPv6 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-address prefix-length: Specifies an IPv6 subnet. The prefix length is in the range of 1 to 128. If you set the prefix length to 128, the command creates a host address filtering criterion. If you do not specify the arguments when executing the undo destination-ip-subnet command, the command removes all destination IPv6 subnets from the rule.
Usage guidelines
You can execute the command multiple times to specify multiple destination IPv6 subnets as the filtering criteria.
If you specify a subnet that has been configured as a destination subnet filtering criterion, the command execution fails and the system prompts an error.
For a security policy rule, the sum of configured destination host addresses, destination subnets, and destination address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
Examples
# Specify the destination subnet with IP address 192::167:0 and prefix length 64 as a filtering criterion of IPv6 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ipv6
[Sysname-security-policy-ipv6] rule 0 name rule1
[Sysname-security-policy-ipv6-0-rule1] destination-ip-subnet 192::167:0 64
Related commands
display security-policy
destination-location
Use destination-location to specify a destination location as a filtering criterion of a security policy rule.
Use undo destination-location to remove the specified destination location from a security policy rule.
Syntax
destination-location location-name
undo destination-location [ location-name ]
Default
No destination location is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
location-name: Specifies the name of a destination location, a case-insensitive string of 1 to 63 characters. The name cannot contain hyphens (-). If you do not specify this argument when executing the undo destination-location command, the command removes all destination locations from the rule.
Usage guidelines
Non-default vSystems do not support this command.
You can execute the command multiple times to specify multiple destination locations as the filtering criteria.
Examples
# Specify destination location location1 as a filtering criterion of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] destination-location location1
Related commands
display security-policy
destination-location-group
Use destination-location-group to specify a destination location group as a filtering criterion of a security policy rule.
Use undo destination-location-group to remove the specified destination location group from a security policy rule.
Syntax
destination-location-group location-group-name
undo destination-location-group [ location-group-name ]
Default
No destination location group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
location-group-name: Specifies the name of a destination location group, a case-insensitive string of 1 to 63 characters. The name cannot contain hyphens (-). If you do not specify this argument when executing the undo destination-location-group command, the command removes all destination location groups from the rule.
Usage guidelines
Non-default vSystems do not support this command.
You can execute the command multiple times to specify multiple destination location groups as the filtering criteria.
Examples
# Specify destination location group location-group1 as a filtering criterion of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] destination-location-group location-group1
Related commands
display security-policy
destination-zone
Use destination-zone to specify a destination security zone as a filtering criterion of a security policy rule.
Use undo destination-zone to remove the specified destination security zone from a security policy rule.
Syntax
destination-zone destination-zone-name
undo destination-zone [ destination-zone-name ]
Default
No destination security zone is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
destination-zone-name: Specifies the name of a destination security zone, a case-insensitive string of 1 to 31 characters. If you do not specify this argument when executing the undo destination-zone command, the command removes all destination security zones from the rule. For more information about security zones, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple destination security zones as the filtering criteria.
If you specify a destination security zone that does not exist, the command still succeeds, but the filtering criterion does not match any packets. Check the zone name against the configured security zones before relying on the rule; a drop rule with a mistyped zone name silently blocks nothing.
Examples
# Specify destination security zones trust and server as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] destination-zone trust
[Sysname-security-policy-ip-0-rule1] destination-zone server
Related commands
display security-policy
security-zone
disable
Use disable to disable a security policy rule.
Use undo disable to enable a security policy rule.
Syntax
disable
undo disable
Default
A security policy rule is enabled.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Examples
# Disable security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] disable
Related commands
display security-policy
display security-policy
Use display security-policy to display information about the specified security policy.
Syntax
display security-policy { ip | ipv6 } [ brief | rule name rule-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
ip: Specifies the IPv4 security policy.
ipv6: Specifies the IPv6 security policy.
brief: Displays brief information. If you do not specify this keyword, the command displays all security policy rule configurations.
rule name rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters.
Examples
# Display information about the IPv4 security policy.
<Sysname> display security-policy ip
Security-policy ip
rule 0 name der (Inactive)
action pass
profile er
vrf re
logging enable
counting enable period 20
counting enable TTL 1200
time-range dere
track positive 23
session aging-time 5000
session persistent aging-time 2400
source-zone trust
destination-zone trust
source-ip erer
source-ip-host 1.1.1.4
source-ip-subnet 1.1.1.0 255.255.255.0
source-ip-range 2.2.1.1 3.3.3.3
source-location location1
source-location-group location-group1
destination-ip client1
destination-ip-host 5.5.1.2
destination-ip-subnet 5.5.1.0 255.255.255.0
destination-ip-range 2.2.1.1 3.3.3.3
destination-location location2
destination-location-group location-group2
service ftp
service-port tcp
service-port tcp source lt 100 destination eq 104
service-port tcp source eq 100 destination range 104 2000
service-port udp
service-port udp source gt 100 destination eq 104
service-port udp destination eq 100
service-port icmp 100 122
service-port icmp
service-port sctp
service-port sctp source lt 100 destination eq 104
service-port sctp destination range 104 2000
app-group ere
application 110Wang
terminal-group group1
terminal terminal1
user der
user-group ere
# Display information about IPv4 security policy rule der.
<Sysname> display security-policy ip rule name der
rule 0 name der (Inactive)
action pass
profile er
vrf re
logging enable
counting enable period 20
counting enable TTL 1200
time-range dere
track positive 23
session aging-time 5000
session persistent aging-time 2400
source-zone trust
destination-zone trust
source-ip erer
source-ip-host 1.1.1.4
source-ip-subnet 1.1.1.0 255.255.255.0
source-ip-range 2.2.1.1 3.3.3.3
source-location location1
source-location-group location-group1
destination-ip client1
destination-ip-host 5.5.1.2
destination-ip-subnet 5.5.1.0 255.255.255.0
destination-ip-range 2.2.1.1 3.3.3.3
destination-location location2
destination-location-group location-group2
service ftp
service-port tcp
service-port tcp source lt 100 destination eq 104
service-port tcp source eq 100 destination range 104 2000
service-port udp
service-port udp source gt 100 destination eq 104
service-port udp destination eq 100
service-port icmp 100 122
service-port icmp
app-group ere
application 110Wang
terminal-group group1
terminal terminal1
user der
user-group ere
# Display brief information about all IPv4 security policy rules.
<Sysname> display security-policy ip brief
ID Name State Action Hits
------------------------------------------------------------------------------------
0 default_any active pass 11221440
1 test active drop 0
------------------------------------------------------------------------------------
Table 1 Command output
Field | Description |
---|---|
rule id name rule-name (Inactive) | Rule ID, rule name, and state of the rule. The state is displayed only when the rule is associated with a Track entry. · Active—The rule is enabled. · Inactive—The rule is disabled. |
action pass | Rule action: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
profile app-profile-name | DPI application profile applied to the rule. |
vrf vrf-name | MPLS L3VPN instance whose packets can be filtered by the rule. |
logging enable | Indicates that logging for matched packets is enabled. |
counting enable period value | Indicates that statistics collection for matched packets is enabled. The value argument represents the enabling period in minutes. |
counting enable TTL time-value | Indicates that statistics collection for matched packets is enabled. The time-value argument represents the remaining enabling period in seconds. |
time-range time-range-name | Time range during which the rule is in effect. |
track negative 1 | Track entry and track entry state associated with the security policy rule. |
session aging-time time-value | Session aging time. |
session persistent aging-time time-value | Persistent session aging time. |
source-zone zone-name | Source security zone that acts as a filtering criterion. |
destination-zone zone-name | Destination security zone that acts as a filtering criterion. |
source-ip object-group-name | Source IP address object group that acts as a filtering criterion. |
source-ip-host ip-address | Source IP host address that acts as a filtering criterion. |
source-ip-subnet ip-address | Source IP subnet that acts as a filtering criterion. |
source-ip-range ip-address1 ip-address2 | Source IP address range that acts as a filtering criterion. |
destination-ip object-group-name | Destination IP address object group that acts as a filtering criterion. |
destination-ip-host ip-address | Destination IP host address that acts as a filtering criterion. |
destination-ip-subnet ip-address | Destination IP subnet that acts as a filtering criterion. |
destination-ip-range ip-address1 ip-address2 | Destination IP address range that acts as a filtering criterion. |
source-location location-name | Source location that acts as a filtering criterion. |
source-location-group location-group-name | Source location group that acts as a filtering criterion. |
destination-location location-name | Destination location that acts as a filtering criterion. |
destination-location-group location-group-name | Destination location group that acts as a filtering criterion. |
service object-group-name | Service object group that acts as a filtering criterion. |
service-port protocol | Service port that acts as a filtering criterion. |
app-group app-group-name | Application group that acts as a filtering criterion. |
application application-name | Application that acts as a filtering criterion. |
terminal terminal-name | Terminal that acts as a filtering criterion. |
terminal-group terminal-group-name | Terminal group that acts as a filtering criterion. |
user user-name | User that acts as a filtering criterion. |
user-group user-group-name | User group that acts as a filtering criterion. |
ID | Rule ID. |
Name | Rule name. |
State | State of the rule. The state is associated with a Track entry. · active. · inactive. |
Action | Action of the rule. · pass. · drop. |
Hits | Number of times the rule has been hit. |
Related commands
security-policy ip
security-policy ipv6
display security-policy ip query
Use display security-policy ip query to display configuration information about IPv4 security policy rules using the specified filtering criteria.
Syntax
display security-policy ip query { destination-ip { destination-ip-address | any } | destination-zone { name destination-zone-name | any } | protocol { protocol-number | any | { tcp | udp | sctp } [ source-port source-port | destination-port destination-port ] * | icmp [ icmp-type icmp-type [ icmp-code icmp-code ] ] } | source-ip { source-ip-address | any } | source-zone { name source-zone-name | any } } * [ brief ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
destination-ip destination-ip-address: Specifies a destination IPv4 address.
destination-ip any: Specifies rules not configured with destination IP addresses.
destination-zone name destination-zone-name: Specifies a destination security zone by its name, a case-insensitive string of 1 to 31 characters.
destination-zone any: Specifies rules not configured with destination security zones.
protocol protocol-number: Specifies a protocol by its number in the range of 0 to 57 or 59 to 255.
protocol any: Specifies rules not configured with protocols.
tcp: Specifies the TCP protocol.
udp: Specifies the UDP protocol.
sctp: Specifies the SCTP protocol.
source-port source-port: Specifies the source port number in the range of 0 to 65535.
destination-port destination-port: Specifies the destination port number in the range of 0 to 65535.
icmp: Specifies the ICMP protocol.
icmp-type icmp-type: Specifies the ICMP type in the range of 0 to 255.
icmp-code icmp-code: Specifies the ICMP code in the range of 0 to 255.
source-ip source-ip-address: Specifies a source IPv4 address.
source-ip any: Specifies rules not configured with source IPv4 addresses.
source-zone name source-zone-name: Specifies a source security zone by its name, a case-insensitive string of 1 to 31 characters.
source-zone any: Specifies rules not configured with source security zones.
brief: Displays summary information. If you do not specify this option, this command displays detailed information.
Usage guidelines
If a specified filtering criterion does not exist, the command displays information about policy rules that are not configured with this criterion.
Examples
# Display detailed information about IPv4 security policy rules that use source IP address 1.2.3.4 as a filtering criterion.
<Sysname> display security-policy ip query source-ip 1.2.3.4
rule 1 name test
action drop
source-zone aa
destination-zone bb
source-ip-host 1.2.3.4
destination-ip-host 2.3.4.5
service udp-s1110-d80
service icmp-3-3
# Display summary information about IPv4 security policy rules that use source IP address 1.2.3.4 as a filtering criterion.
<Sysname> display security-policy ip query source-ip 1.2.3.4 brief
ID Name State Action Hits
------------------------------------------------------------------------------------
1 test active drop 0
------------------------------------------------------------------------------------
Table 2 Command output
Field | Description |
---|---|
rule id name rule-name (Inactive) | Rule ID, name, and state. Rule state: · Active—The rule is enabled. · Inactive—The rule is disabled. This field is displayed only when the rule state is associated with a Track entry. |
action pass | Rule action: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
profile app-profile-name | DPI application profile applied to the rule. |
vrf vrf-name | MPLS L3VPN instance whose packets can be filtered by the rule. |
logging enable | Indicates that logging for matched packets is enabled. |
counting enable period value | Indicates that statistics collection for matched packets is enabled. The value argument represents the enabling period in minutes. |
counting enable TTL time-value | Indicates that statistics collection for matched packets is enabled. The time-value argument represents the remaining enabling period in seconds. |
time-range time-range-name | Time range during which the rule is in effect. |
track negative 1 | Indicates the rule state is associated with the Negative state of the Track entry. |
track positive 1 | Indicates the rule state is associated with the Positive or NotReady state of the Track entry. |
session aging-time time-value | Session aging time in seconds. |
session persistent aging-time time-value | Persistent session aging time in hours. |
source-zone zone-name | Source security zone that acts as a filtering criterion. |
destination-zone zone-name | Destination security zone that acts as a filtering criterion. |
source-ip object-group-name | Source IP address object group that acts as a filtering criterion. |
source-ip-host ip-address | Source IP host address that acts as a filtering criterion. |
source-ip-subnet ip-address | Source IP subnet that acts as a filtering criterion. |
source-ip-range ip-address1 ip-address2 | Source IP address range that acts as a filtering criterion. |
destination-ip object-group-name | Destination IP address object group that acts as a filtering criterion. |
destination-ip-host ip-address | Destination IP host address that acts as a filtering criterion. |
destination-ip-subnet ip-address | Destination IP subnet that acts as a filtering criterion. |
destination-ip-range ip-address1 ip-address2 | Destination IP address range that acts as a filtering criterion. |
source-location location-name | Source location that acts as a filtering criterion. |
source-location-group location-group-name | Source location group that acts as a filtering criterion. |
destination-location location-name | Destination location that acts as a filtering criterion. |
destination-location-group location-group-name | Destination location group that acts as a filtering criterion. |
service object-group-name | Service object group that acts as a filtering criterion. |
service-port protocol | Service port that acts as a filtering criterion. |
app-group app-group-name | Application group that acts as a filtering criterion. |
application application-name | Application that acts as a filtering criterion. |
terminal terminal-name | Terminal that acts as a filtering criterion. |
terminal-group terminal-group-name | Terminal group that acts as a filtering criterion. |
user user-name | User that acts as a filtering criterion. |
user-group user-group-name | User group that acts as a filtering criterion. |
ID | Security policy rule ID. |
Name | Name of a security policy rule. |
State | Rule state. The state of a rule is associated with a Track entry. Options: · Active—The rule is enabled. · Inactive—The rule is disabled. |
Action | Rule actions: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
Hits | Number of times that the security policy rule matches a packet. |
display security-policy ipv6 query
Use display security-policy ipv6 query to display configuration information about IPv6 security policy rules using the specified querying criteria.
Syntax
display security-policy ipv6 query { destination-ip { destination-ipv6-address | any } | destination-zone { name destination-zone-name | any } | protocol { protocol-number | any | { tcp | udp | sctp } [ source-port source-port | destination-port destination-port ] * | icmpv6 [ icmpv6-type icmpv6-type [ icmpv6-code icmpv6-code ] ] } | source-ip { source-ipv6-address | any } | source-zone { name source-zone-name | any } } * [ brief ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
destination-ip destination-ipv6-address: Specifies a destination IPv6 address.
destination-ip any: Specifies rules not configured with destination IPv6 addresses.
destination-zone name destination-zone-name: Specifies a destination security zone by its name, a case-insensitive string of 1 to 31 characters.
destination-zone any: Specifies rules not configured with destination security zones.
protocol protocol-number: Specifies a protocol by its number, which is 0 or in the range of 2 to 255.
protocol any: Specifies rules not configured with protocols.
tcp: Specifies the TCP protocol.
udp: Specifies the UDP protocol.
sctp: Specifies the SCTP protocol.
source-port source-port: Specifies the source port number in the range of 0 to 65535.
destination-port destination-port: Specifies the destination port number in the range of 0 to 65535.
icmpv6: Specifies the ICMPv6 protocol.
icmpv6-type icmpv6-type: Specifies the ICMPv6 type in the range of 0 to 255.
icmpv6-code icmpv6-code: Specifies the ICMPv6 code in the range of 0 to 255.
source-ip source-ipv6-address: Specifies a source IPv6 address.
source-ip any: Specifies rules not configured with source IPv6 addresses.
source-zone name source-zone-name: Specifies a source security zone by its name, a case-insensitive string of 1 to 31 characters.
source-zone any: Specifies rules not configured with source security zones.
brief: Displays summary information. If you do not specify this option, this command displays detailed information.
Usage guidelines
If a specified querying criterion does not exist, the command displays information about policy rules that are not configured with this criterion.
Examples
# Display detailed information about IPv6 security policy rules that use source IPv6 address 1:2:3:4:5:6:7:8 as a filtering criterion.
<Sysname> display security-policy ipv6 query source-ip 1:2:3:4:5:6:7:8
rule 0 name test
action drop
source-zone aa
destination-zone bb
source-ip-host 1:2:3:4:5:6:7:8
destination-ip-host 2:3:4:5:6:7:8:9
service sctp-s1110-d80
service-port icmpv6 3 3
# Display summary information about IPv6 security policy rules that use source IPv6 address 1:2:3:4:5:6:7:8 as a filtering criterion.
<Sysname> display security-policy ipv6 query source-ip 1:2:3:4:5:6:7:8 brief
ID Name State Action Hits
------------------------------------------------------------------------------------
0 test active drop 0
------------------------------------------------------------------------------------
Table 3 Command output
Field | Description |
---|---|
rule id name rule-name | Rule ID, name, and state. Rule state: · Active—The rule is enabled. · Inactive—The rule is disabled. This field is displayed only when the rule state is associated with a Track entry. |
action pass | Rule action: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
profile app-profile-name | DPI application profile applied to the rule. |
vrf vrf-name | MPLS L3VPN instance whose packets can be filtered by the rule. |
logging enable | Indicates that logging for matched packets is enabled. |
counting enable period value | Indicates that statistics collection for matched packets is enabled. The value argument represents the enabling period in minutes. |
counting enable TTL time-value | Indicates that statistics collection for matched packets is enabled. The time-value argument represents the remaining enabling period in seconds. |
time-range time-range-name | Time range during which the rule is in effect. |
track negative 1 | Indicates the rule state is associated with the Negative state of the Track entry. |
track positive 1 | Indicates the rule state is associated with the Positive or NotReady state of the Track entry. |
session aging-time time-value | Session aging time in seconds. |
session persistent aging-time time-value | Persistent session aging time in hours. |
source-zone zone-name | Source security zone that acts as a filtering criterion. |
destination-zone zone-name | Destination security zone that acts as a filtering criterion. |
source-ip object-group-name | Source IP address object group that acts as a filtering criterion. |
source-ip-host ip-address | Source IP host address that acts as a filtering criterion. |
source-ip-subnet ip-address | Source IP subnet that acts as a filtering criterion. |
source-ip-range ip-address1 ip-address2 | Source IP address range that acts as a filtering criterion. |
destination-ip object-group-name | Destination IP address object group that acts as a filtering criterion. |
destination-ip-host ip-address | Destination IP host address that acts as a filtering criterion. |
destination-ip-subnet ip-address | Destination IP subnet that acts as a filtering criterion. |
destination-ip-range ip-address1 ip-address2 | Destination IP address range that acts as a filtering criterion. |
source-location location-name | Source location that acts as a filtering criterion. |
source-location-group location-group-name | Source location group that acts as a filtering criterion. |
destination-location location-name | Destination location that acts as a filtering criterion. |
destination-location-group location-group-name | Destination location group that acts as a filtering criterion. |
service object-group-name | Service object group that acts as a filtering criterion. |
service-port protocol | Service port that acts as a filtering criterion. |
app-group app-group-name | Application group that acts as a filtering criterion. |
application application-name | Application that acts as a filtering criterion. |
terminal terminal-name | Terminal that acts as a filtering criterion. |
terminal-group terminal-group-name | Terminal group that acts as a filtering criterion. |
user user-name | User that acts as a filtering criterion. |
user-group user-group-name | User group that acts as a filtering criterion. |
ID | Security policy rule ID. |
Name | Name of a security policy rule. |
State | Rule state. The state of a rule is associated with a Track entry. Options: · Active—The rule is enabled. · Inactive—The rule is disabled. |
Action | Rule actions: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
Hits | Number of times that the security policy rule matches a packet. |
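As an added example (not from this reference or the vendor), the query semantics of the two commands above modelled offline in Python: it parses the detailed rule listing format shown in the display security-policy ip and ipv6 examples and answers query source-ip { address | any } for a constructed listing, reporting rules without any source-IP criterion as matches, as the usage guidelines describe. Object-group membership (source-ip object-group-name) is not visible in the listing, so such rules are reported separately; that handling is an assumption of this model.

```python
"""Offline model of `display security-policy ip query source-ip <addr>` (and the
`ipv6` counterpart) over the detailed rule listing format shown in this reference.
Constructed listing; IPv4 and IPv6 policies are separate listings on a device and
are merged here only to exercise both address families."""
import ipaddress
import re
from dataclasses import dataclass, field

SAMPLE_LISTING = """\
rule 0 name default_any
 action pass
rule 1 name test
 action drop
 source-ip-host 1.2.3.4
 destination-ip-host 2.3.4.5
rule 2 name branch
 action pass
 source-ip-subnet 10.1.0.0 255.255.0.0
 source-ip-range 192.168.5.10 192.168.5.20
rule 3 name partners
 action pass
 source-ip erer
rule 4 name v6test
 action drop
 source-ip-host 1:2:3:4:5:6:7:8
"""
RULE_HEADER = re.compile(r"^rule (\d+) name (\S+)")


@dataclass
class Rule:
    rule_id: int
    name: str
    action: str = ""
    hosts: list = field(default_factory=list)    # source-ip-host addresses
    subnets: list = field(default_factory=list)  # source-ip-subnet networks
    ranges: list = field(default_factory=list)   # source-ip-range (low, high)
    groups: list = field(default_factory=list)   # source-ip object-group names

    def has_source_criterion(self):
        return bool(self.hosts or self.subnets or self.ranges or self.groups)

    def covers_source(self, addr):
        """True if a host/subnet/range criterion includes addr (object groups
        cannot be expanded from the listing, so they never match here)."""
        if any(addr == h for h in self.hosts) or any(addr in n for n in self.subnets):
            return True
        return any(lo.version == addr.version and lo <= addr <= hi
                   for lo, hi in self.ranges)


def parse_rule_listing(text):
    """Parse `rule <id> name <name>` blocks, keeping the fields the query needs."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_HEADER.match(line)
        if m:
            rules.append(Rule(int(m.group(1)), m.group(2)))
            continue
        if not line or not rules:
            continue
        cur, parts = rules[-1], line.split()
        if parts[0] == "action":
            cur.action = parts[1]
        elif parts[0] == "source-ip-host":
            cur.hosts.append(ipaddress.ip_address(parts[1]))
        elif parts[0] == "source-ip-subnet":
            # IPv4 prints a dotted mask; a prefix length is accepted the same way.
            cur.subnets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "source-ip-range":
            cur.ranges.append((ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])))
        elif parts[0] == "source-ip":
            cur.groups.append(parts[1])
    return rules


def query_source_ip(rules, address):
    """Model of `query source-ip { address | any }`. Returns (matched, unresolved):
    matched = rules whose criteria cover the address plus rules with no source-IP
    criterion at all (the usage guidelines report those too, since they match any
    source); unresolved = rules whose only source criterion is an object group,
    which an offline check cannot expand. "any" returns the rules with no criterion."""
    if address == "any":
        return [r for r in rules if not r.has_source_criterion()], []
    addr = ipaddress.ip_address(address)
    matched, unresolved = [], []
    for r in rules:
        if not r.has_source_criterion() or r.covers_source(addr):
            matched.append(r)
        elif r.groups:
            unresolved.append(r)
    return matched, unresolved


if __name__ == "__main__":
    policy = parse_rule_listing(SAMPLE_LISTING)
    for a in ("1.2.3.4", "10.1.200.7", "1:2:3:4:5:6:7:8", "any"):
        hit, unknown = query_source_ip(policy, a)
        print(a, [(r.rule_id, r.name, r.action) for r in hit], [r.name for r in unknown])
```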
display security-policy statistics
Use display security-policy statistics to display security policy statistics.
Syntax
display security-policy statistics { ip | ipv6 } [ rule rule-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
ip: Specifies the IPv4 security policy.
ipv6: Specifies the IPv6 security policy.
rule rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters. If you do not specify this option, the command displays statistics about all security policy rules of the specified IP version.
Examples
# Display statistics about IPv4 security policy rule abc.
<Sysname> display security-policy statistics ip rule abc
rule 0 name abc
action: pass (5 packets, 1000 bytes)
Table 4 Command output
Field | Description |
---|---|
rule id name rule-name | Rule ID and rule name. |
action | Rule action: · pass—Allows matched packets to pass. · drop—Drops matched packets. |
x packets, y bytes | The rule has matched x packets, a total of y bytes. This field is displayed only if the counting enable or the logging enable command has been executed for the rule. |
Related commands
reset security-policy statistics
display security-policy switch-result
Use display security-policy switch-result to display the security policy switching result.
Syntax
display security-policy switch-result
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Usage guidelines
Non-default vSystems do not support this command.
If the security-policy switch-from object-policy command has not been executed, nothing is displayed. Otherwise, the switching result is displayed even if the switching operation failed.
Examples
# Display the result of a successful security policy switching.
<Sysname> display security-policy switch-result
Time: 2017-03-13 18-11-17
Result: Successful
Object policy file: flash:/chenlu_concon.cfg
Security policy file: flash:/chenlu_concon_secp.cfg
# Display the result of a failed security policy switching.
<Sysname> display security-policy switch-result
Time: 2017-03-13 18-11-15
Result: Failed
Object policy file: flash:/chenlu_convert.cfg
Security policy file: flash:/chenlu_convert_secp.cfg
Failure reason: The switching operation fails because the source or destination security zone is set to any for the zone pair and the action of an object policy rule is set to drop.
Table 5 Command output
Field | Description |
---|---|
Time | Switching time in the format of year-month-day hour-minute-second. |
Result | Switching result: · Successful. · Failed. |
Failure reason | This field is displayed only for a failed switching operation. |
Related commands
security-policy switch-from object-policy
group move
Use group move to move a security policy rule group to change the match order of security policy rules.
Syntax
group move group-name1 { after | before } { group group-name2 | rule rule-name }
Views
Security policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
group-name1: Specifies the name of the security policy rule group to be moved, a case-insensitive string of 1 to 63 characters.
after: Moves the security policy rule group to the place after the target security policy rule group or the target security policy rule.
before: Moves the security policy rule group to the place before the target security policy rule group or the target security policy rule.
group group-name2: Specifies the name of the target security policy rule group, a case-insensitive string of 1 to 63 characters.
rule rule-name: Specifies the name of the target security policy rule, a case-insensitive string of 1 to 127 characters.
Usage guidelines
If you specify a target security policy rule that belongs to a security policy rule group, follow these restrictions and guidelines:
· If the target rule is neither the start nor end rule of the group, you cannot move a security policy rule group to the place before or after the rule.
· If the target rule is the start rule of the group, you can only move a security policy rule group to the place before the rule.
· If the target rule is the end rule of the group, you can only move a security policy rule group to the place after the rule.
Examples
# Move security policy rule group group1 to the place before security policy rule group group2.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] group move group1 before group group2
group name
Use group name to create a security policy rule group and add security policy rules to the group, or add security policy rules to an existing security policy rule group.
Use undo group name to delete a security policy rule group.
Syntax
group name group-name [ from rule-name1 to rule-name2 ] [ disable | enable ] [ description description-text ]
undo group name group-name [ description | include-member ]
Default
No security policy rule group exists.
Views
Security policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
group-name: Specifies a security policy rule group name, a case-insensitive string of 1 to 63 characters.
from rule-name1: Specifies the start rule of a rule list. The rule-name1 argument represents the security policy rule name, a case-insensitive string of 1 to 127 characters.
to rule-name2: Specifies the end rule of the rule list. The rule-name2 argument represents the security policy rule name, a case-insensitive string of 1 to 127 characters.
disable: Disables the security policy rule group.
enable: Enables the security policy rule group. By default, a security policy rule group is enabled.
description description-text: Specifies the security policy description, a case-sensitive string of 1 to 127 characters. By default, no description is specified for a security policy rule group.
include-member: Specifies security policy rules in the security policy rule group.
Usage guidelines
Security policy rule grouping allows users to enable, disable, delete, and move security policy rules in batches.
A security policy rule in a security policy rule group takes effect only when both the rule and the group are enabled.
To add a list of security policy rules, make sure the end rule is listed after the start rule and that none of the specified rules belongs to another security policy rule group.
When you execute the undo group name command, follow these restrictions and guidelines:
· The undo group name group-name command deletes only the specified security policy rule group.
· The undo group name group-name description command deletes only the description for the specified security policy rule group.
· The undo group name group-name include-member command deletes both the specified security policy rule group and all the security policy rules in the group.
Examples
# Create security policy rule group group1, add security policy rules rule-name1 through rule-name10 to the group, and specify the group description as marketing.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] group name group1 from rule-name1 to rule-name10 enable description marketing
group rename
Use group rename to rename a security policy rule group.
Syntax
group rename old-name new-name
Views
Security policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
old-name: Specifies the name of a security policy rule group, a case-insensitive string of 1 to 63 characters.
new-name: Specifies a new name for the security policy rule group, a case-insensitive string of 1 to 63 characters.
Examples
# Rename security policy rule group group1 to group2.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] group rename group1 group2
logging enable
Use logging enable to enable logging for matched packets.
Use undo logging enable to disable logging for matched packets.
Syntax
logging enable
undo logging enable
Default
Logging for matched packets is disabled.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This feature enables the security policy module to send log messages to the information center or to fast log output when packets match a security policy rule.
With the information center or fast log output, you can set log message filtering and output rules, including output destinations.
The information center can output packet matching logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view packet matching logs stored on the device, use the display logbuffer command or open the security policy log page from the Web interface of the device. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable matched packet logging for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] logging enable
Related commands
display security-policy
move rule
Use move rule to move a security policy rule by rule ID.
Syntax
move rule rule-id1 { { after | before } rule-id2 | bottom | down | top | up }
Views
IPv4 security policy view
IPv6 security policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
rule-id1: Specifies the ID of a rule to be moved, in the range of 0 to 4294967290.
after: Moves the rule to the position after the target rule.
before: Moves the rule to the position before the target rule.
rule-id2: Specifies the ID of the target rule. The target rule ID is in the range of 0 to 4294967290 or 4294967295. If you specify 4294967295, the command moves the rule to the end of the list.
bottom: Moves the rule to the end of the list.
down: Moves the rule one position down.
top: Moves the rule to the beginning of the list.
up: Moves the rule one position up.
Usage guidelines
The system does not execute the command in the following situations:
· You specify the same value for the rule-id1 and rule-id2 arguments.
· You specify a nonexistent rule.
Examples
# Insert rule 5 to the position before rule 2 for the IPv4 security policy.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] move rule 5 before 2
Related commands
rule
security-policy ip
security-policy ipv6
move rule name
Use move rule name to move a security policy rule by rule name.
Syntax
move rule name rule-name1 { { after | before } name rule-name2 | bottom | down | top | up }
Views
Security policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
rule-name1: Specifies the name of the rule to move, a case-insensitive string of 1 to 127 characters.
after: Moves the rule to the place after the destination rule.
before: Moves the rule to the place before the destination rule.
name rule-name2: Specifies the name of the destination rule, a case-insensitive string of 1 to 127 characters.
bottom: Moves the rule to the end of the security policy.
down: Moves the rule down one place.
top: Moves the rule to the beginning of the security policy.
up: Moves the rule up one place.
Usage guidelines
You can move a rule to change its packet matching priority.
Examples
# Move rule rule1 to the place before rule rule2.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] move rule name rule1 before name rule2
Related commands
rule
security-policy ip
security-policy ipv6
parent-group
Use parent-group to specify a security policy rule group for a security policy rule.
Use undo parent-group to restore the default.
Syntax
parent-group group-name
undo parent-group
Default
A security policy rule does not belong to any security policy rule group.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
group-name: Specifies the name of a security policy rule group, a case-insensitive string of 1 to 63 characters.
Examples
# Assign security policy rule rule1 to security policy rule group group1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 1 name rule1
[Sysname-security-policy-ip-1-rule1] parent-group group1
profile
Use profile to apply a DPI application profile to a security policy rule.
Use undo profile to remove the DPI application profile applied to a security policy rule.
Syntax
profile app-profile-name
undo profile
Default
No DPI application profile is applied to a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
app-profile-name: Specifies the name of a DPI application profile, a case-insensitive string of 1 to 63 characters. For more information about DPI application profiles, see DPI engine in DPI Configuration Guide.
Usage guidelines
This feature enables the device to perform DPI on packets matching the specified rule. For more information about DPI, see DPI Configuration Guide.
This feature takes effect only when the rule action is pass.
Examples
# Apply DPI application profile p1 to IPv4 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] action pass
[Sysname-security-policy-ip-0-rule1] profile p1
Related commands
action pass
app-profile (DPI Command Reference)
display security-policy ip
reset security-policy statistics
Use reset security-policy statistics to clear security policy statistics.
Syntax
reset security-policy statistics [ ip | ipv6 ] [ rule rule-name ]
Views
Any view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip: Specifies the IPv4 security policy.
ipv6: Specifies the IPv6 security policy.
rule rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters.
Usage guidelines
If you do not specify any keyword or option, the command clears all security policy statistics.
Examples
# Clear the security policy statistics about IPv4 security policy rule abc.
<Sysname> reset security-policy statistics ip rule abc
Related commands
display security-policy statistics
rule
Use rule to create a security policy rule and enter its view, or enter the view of an existing security policy rule.
Use undo rule to delete the specified security policy rule.
Syntax
rule { rule-id | [ rule-id ] name rule-name }
undo rule { rule-id | name rule-name } *
Default
No security policy rules exist.
Views
IPv4 security policy view
IPv6 security policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify an ID for the rule, the system automatically assigns the rule the integer following the greatest ID in use. If the greatest ID is 65534, the system assigns the rule the smallest unused number in the range.
rule-name: Specifies a globally unique rule name, a case-insensitive string of 1 to 127 characters. The name cannot be default. You must specify a rule name when creating a rule.
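The two ID-assignment cases above (next after the greatest ID, then fall back to the smallest free ID once 65534 is taken) and the rule-name constraints can be modelled to check a planned rule set before it is pushed. The following Python is an added example written for this page, not code from the command reference or the vendor; the behaviour with no rules yet (first rule gets ID 0) is an assumption, since the page only describes the case where some ID is already in use.

```python
MAX_RULE_ID = 65534        # rule-id range is 0 to 65534 (from the command reference)
MAX_NAME_LEN = 127         # rule-name is 1 to 127 characters


def next_rule_id(used_ids):
    """Pick the ID the device assigns when 'rule name ...' omits rule-id.

    Normal case: the integer following the greatest ID in use.
    Wrap case: once 65534 is in use, the smallest unused ID in the range.
    """
    used = set(used_ids)
    if any(not 0 <= i <= MAX_RULE_ID for i in used):
        raise ValueError("rule IDs must be in the range 0 to 65534")
    if not used:
        # Assumption: with no rules yet the first rule gets ID 0.
        # The page only describes the case where an ID is already in use.
        return 0
    greatest = max(used)
    if greatest < MAX_RULE_ID:
        return greatest + 1
    # 65534 is already in use: reuse the smallest free ID instead.
    for candidate in range(MAX_RULE_ID + 1):
        if candidate not in used:
            return candidate
    raise ValueError("all 65535 rule IDs are in use")


def rule_name_problems(name, existing_names):
    """Return the list of rule-name constraints the page states that 'name' violates.

    An empty list means the name is acceptable. Names are case-insensitive,
    1 to 127 characters, globally unique, and 'default' is reserved.
    """
    problems = []
    if not 1 <= len(name) <= MAX_NAME_LEN:
        problems.append("rule name must be 1 to 127 characters")
    if name.lower() == "default":
        problems.append("'default' is a reserved rule name")
    if name.lower() in {n.lower() for n in existing_names}:
        problems.append("rule name already exists (names are case-insensitive)")
    return problems


if __name__ == "__main__":
    # Constructed sample: three rules exist, one of them at the top of the range.
    print(next_rule_id([0, 5, 65534]))          # 1: smallest unused after wrap
    print(rule_name_problems("Default", ["rule1"]))
```

Because IDs are reused once the range wraps, an ID does not identify a rule over the life of a configuration; when reviewing security-policy change logs, correlate on the rule name (and watch for rule rename) rather than on the numeric ID.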
Examples
# Create an IPv4 security policy rule with rule ID 0 and rule name rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1]
Related commands
display security-policy ip
display security-policy ipv6
rule rename
Use rule rename to rename a security policy rule.
Syntax
rule rename old-name new-name
Views
Security policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
old-name: Specifies the current name, a case-insensitive string of 1 to 127 characters.
new-name: Specifies the new name, a case-insensitive string of 1 to 127 characters. The name must be globally unique and cannot be default.
Examples
# Change the name of security policy rule rule1 to rule2.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule rename rule1 rule2
Related commands
rule
security-policy ip
security-policy ipv6
security-policy
Use security-policy to enter security policy view.
Use undo security-policy to delete all configurations in security policy view.
Syntax
security-policy { ip | ipv6 }
undo security-policy { ip | ipv6 }
Default
No configurations exist in security policy view.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip: Specifies the IPv4 security policy.
ipv6: Specifies the IPv6 security policy.
Usage guidelines
CAUTION: If the security policy feature is enabled, object policy settings lose effect the first time you enter security policy view. Make sure object policy settings have been switched to security policy settings before you enter security policy view.
Examples
# Enter IPv4 security policy view.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip]
Related commands
display security-policy
security-policy config-changelog enable
Use security-policy config-changelog enable to enable logging for security policy configuration changes.
Use undo security-policy config-changelog enable to disable logging for security policy configuration changes.
Syntax
security-policy config-changelog enable
undo security-policy config-changelog enable
Default
Logging is enabled for security policy configuration changes.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This feature logs security policy configuration changes. With this feature disabled, the system generates no log when security policy configuration is changed.
Examples
# Disable logging for security policy configuration changes.
<Sysname> system-view
[Sysname] undo security-policy config-changelog enable
security-policy config-logging send-time
Use security-policy config-logging send-time to set the time at which the device fast outputs security policy settings as logs every day.
Use undo security-policy config-logging send-time to restore the default.
Syntax
security-policy config-logging send-time time
undo security-policy config-logging send-time
Default
The device fast outputs security policy settings as logs every day at 00:00.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
time: Specifies the time at which the device fast outputs security policy settings as logs, in the format hh:mm. The value range for the hh argument is 00 to 23 and the value range for the mm argument is 00 to 59.
Usage guidelines
Non-default vSystems do not support this command.
After the customlog format security-policy sgcc command is executed, the device fast outputs settings of enabled security policies as logs in SGCC format every day at the specified time. For more information about fast log output, see Network Management and Monitoring Configuration Guide.
Examples
# Configure the device to fast output security policy settings as logs every day at 13:15.
<Sysname> system-view
[Sysname] security-policy config-logging send-time 13:15
Related commands
customlog format security-policy sgcc (Network Management and Monitoring Command Reference)
customlog host export security-policy (Network Management and Monitoring Command Reference)
security-policy disable
Use security-policy disable to disable the security policy feature.
Use undo security-policy disable to enable the security policy feature.
Syntax
security-policy disable
undo security-policy disable
Default
The security policy feature is enabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
CAUTION: This command disables the security policy feature and might cause traffic interruption.
Non-default vSystems do not support this command.
Security policy settings take effect only when the security policy feature is enabled.
After the device starts up, the device automatically executes the security-policy disable command to disable the security policy feature if object policy settings exist in the configuration file. If object policy settings do not exist in the configuration file, the device enables the security policy feature.
Security policies and object policies cannot take effect at the same time on a device. If the security policy feature is enabled, object policies lose effect the first time security policy view is entered. If you plan to manually configure security policies one by one based on object policy settings, keep the security policy feature disabled until you finish the configuration.
After a configuration rollback from security policies to object policies, disable the security policy feature for the object policies to take effect.
Examples
# Disable the security policy feature.
<Sysname> system-view
[Sysname] security-policy disable
security-policy switch-from object-policy
Use security-policy switch-from object-policy to switch object policy settings to security policy settings.
Syntax
security-policy switch-from object-policy object-filename security-filename
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
object-filename: Specifies the configuration file to be switched by its name, a case-sensitive string of 1 to 255 characters. The name must end with .cfg and cannot contain forward slashes (/). Make sure the specified configuration file exists in the root directory of the storage medium.
security-filename: Specifies the name of the configuration file to be created, a case-sensitive string of 1 to 255 characters. The name must end with .cfg and cannot contain forward slashes (/). The created configuration file will be saved in the root directory of the storage medium.
Usage guidelines
Non-default vSystems do not support this command.
This feature enables fast switching from object policy settings to security policy settings.
For the switched security policy settings to take effect, reboot the device after the switching process completes.
Examples
# Switch object policy settings in configuration file startup.cfg to security policy settings.
<Sysname> system-view
[Sysname] security-policy switch-from object-policy startup.cfg startup_secp.cfg
Configuration switching begins...
Object policies in the specified configuration file have been switched to security policies.
This command will reboot the device. Continue? [Y/N]:
service
Use service to specify a service object group as a filtering criterion of a security policy rule.
Use undo service to remove the specified service object group from a security policy rule.
Syntax
service { object-group-name | any }
undo service [ object-group-name | any ]
Default
No service object group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
object-group-name: Specifies the name of a service object group, a case-insensitive string of 1 to 63 characters.
any: Specifies all service object groups.
Usage guidelines
You can execute the command multiple times to specify multiple service object groups as the filtering criteria.
If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.
If you specify neither an object group nor the any keyword when executing the undo service command, the command removes all service object groups from the security policy rule.
For a security policy rule, the number of configured service object groups cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
Examples
# Specify service object groups http and ftp as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] service http
[Sysname-security-policy-ip-0-rule1] service ftp
Related commands
display security-policy
object-group
service-port
Use service-port to specify a service port as a filtering criterion of a security policy rule.
Use undo service-port to remove the specified service port range from a security policy rule.
Syntax
service-port protocol [ { destination { { eq | lt | gt } port | range port1 port2 } | source { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ]
undo service-port [ protocol [ { destination { { eq | lt | gt } port | range port1 port2 } | source { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ] ]
Default
No service port is specified as a filtering criterion for a security policy rule.
Views
IPv4 security policy rule view
IPv6 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
protocol: Specifies the number or name of a protocol. The protocol number value range and available protocol names vary by command execution view.
· In IPv4 security policy view, the value range of protocol numbers is 0 to 57 and 59 to 255. Available protocol names include tcp, udp, sctp, and icmp, whose protocol numbers are 6, 17, 132, and 1, respectively.
· In IPv6 security policy view, the value range of protocol numbers is 0 and 2 to 255. Available protocol names include tcp, udp, sctp, and icmpv6, whose protocol numbers are 6, 17, 132, and 58, respectively.
destination: Specifies the destination port. This configuration takes effect only when the protocol is TCP, UDP, or SCTP.
source: Specifies the source port. This configuration takes effect only when the protocol is TCP, UDP, or SCTP.
eq: Specifies the port equal to the specified port number.
lt: Specifies all ports whose port numbers are smaller than the specified port. If you specify this keyword, the specified port number cannot be 0.
gt: Specifies all ports whose port numbers are larger than the specified port. If you specify this keyword, the specified port number cannot be 65535.
port: Specifies a port number in the range of 0 to 65535.
range port1 port2: Specifies a range of port numbers. The port1 argument represents the start port and the port2 argument represents the end port. Each port number is in the range of 0 to 65535.
icmp-type: Specifies an ICMP message type in the range of 0 to 255. This configuration takes effect only when the protocol is ICMP.
icmp-code: Specifies the ICMP message code in the range of 0 to 255.
icmpv6-type: Specifies an ICMPv6 message type in the range of 0 to 255. This configuration takes effect only when the protocol is ICMPv6.
icmpv6-code: Specifies the ICMPv6 message code in the range of 0 to 255.
Usage guidelines
You can execute this command multiple times to specify multiple service ports as the filtering criteria.
If you specify a service port that has been configured as a service port filtering criterion, the command execution fails.
For a security policy rule, the number of configured service ports cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
When you specify the range keyword, follow these restrictions and guidelines:
· If port1 is the same as port2, the command takes effect as if you specified the eq keyword.
· If port1 is 0, the command takes effect as if you specified the lt keyword with port2 as the specified port.
· If port2 is 65535, the command takes effect as if you specified the gt keyword with port1 as the specified port.
· If port1 is larger than port2, the system automatically changes the port range to [port2, port1].
If you do not specify any keyword or argument when executing the undo command, the command removes all service ports from the security policy rule.
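The four range rewrites above (same endpoints become eq, a start of 0 becomes lt, an end of 65535 becomes gt, reversed endpoints are swapped), together with the lt/gt port restrictions, the duplicate-criterion failure and the 1024 cap, are easy to get wrong when generating rules from a script. The following Python is an added example written for this page, not code from the command reference or the vendor; it models only the TCP/UDP/SCTP port part of service-port, and the handling of a full 0 to 65535 range (left as a range, since the page does not say which rewrite wins when both apply) is an assumption.

```python
MAX_PORT = 65535
MAX_SERVICE_PORTS = 1024   # per-rule cap on service-port criteria


def canonicalize_port_range(port1, port2):
    """Collapse 'range port1 port2' the way the usage guidelines describe.

    Returns ("eq", p), ("lt", p), ("gt", p) or ("range", lo, hi).
    """
    for p in (port1, port2):
        if not 0 <= p <= MAX_PORT:
            raise ValueError(f"port {p} outside 0 to 65535")
    lo, hi = sorted((port1, port2))          # reversed endpoints become [port2, port1]
    if lo == hi:
        return ("eq", lo)                    # same start and end: treated as eq
    if lo == 0 and hi == MAX_PORT:
        # Assumption: the page does not say which rewrite wins when both apply,
        # so a full 0-65535 range is kept as an explicit range here.
        return ("range", lo, hi)
    if lo == 0:
        return ("lt", hi)                    # start 0: treated as lt port2
    if hi == MAX_PORT:
        return ("gt", lo)                    # end 65535: treated as gt port1
    return ("range", lo, hi)


def check_operator(op, port):
    """Reject the operator/port pairs the parameter descriptions forbid."""
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"port {port} outside 0 to 65535")
    if op == "lt" and port == 0:
        raise ValueError("lt cannot be used with port 0")
    if op == "gt" and port == MAX_PORT:
        raise ValueError("gt cannot be used with port 65535")
    return (op, port)


def port_matches(spec, port):
    """Evaluate a canonical spec against a packet port using the page's
    definitions: lt is strictly smaller, gt is strictly larger, range is inclusive."""
    kind = spec[0]
    if kind == "eq":
        return port == spec[1]
    if kind == "lt":
        return port < spec[1]
    if kind == "gt":
        return port > spec[1]
    if kind == "range":
        return spec[1] <= port <= spec[2]
    raise ValueError(f"unknown spec kind {kind!r}")


def build_criteria(specs):
    """Add specs to one rule in order. Returns (accepted, rejected):
    a duplicate is rejected (the command fails on the device), and the
    1024th criterion is the last one accepted."""
    accepted, rejected = [], []
    for spec in specs:
        if spec in accepted or len(accepted) >= MAX_SERVICE_PORTS:
            rejected.append(spec)
        else:
            accepted.append(spec)
    return accepted, rejected


def rule_matches_port(specs, port):
    """A rule matches when any of its accepted service-port criteria matches."""
    accepted, _ = build_criteria(specs)
    return any(port_matches(s, port) for s in accepted)


if __name__ == "__main__":
    # Constructed sample mirroring the page's example: range 100 200 plus eq 100.
    print(canonicalize_port_range(100, 200), check_operator("eq", 100))
    print(canonicalize_port_range(0, 500))    # ("lt", 500)
```

Note the boundary this exposes: by the page's rewrite, range 0 500 becomes lt 500, and by the page's definition lt matches only ports strictly smaller than 500, so the model reports that port 500 no longer matches. Whether the device keeps the inclusive boundary is not stated here; confirm the effective criterion with display security-policy after configuring such a range.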
Examples
# Specify TCP destination and source ports as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] service-port tcp destination range 100 200 source eq 100
# Specify ICMP message type 100 and message code 150 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] service-port icmp 100 150
Related commands
display security-policy
session aging-time
Use session aging-time to set the session aging time for a security policy rule.
Use undo session aging-time to restore the default.
Syntax
session aging-time time-value
undo session aging-time
Default
The session aging time is not configured for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
time-value: Specifies the aging time in the range of 1 to 2000000 seconds.
Usage guidelines
This command sets the aging time for stable sessions created for packets matching the specified security policy rule, and takes effect on both existing sessions and newly created sessions.
If the aging time is not configured for a rule, the stable sessions use the aging time set by using the session aging-time application or the session aging-time state command. For more information about session management, see Security Configuration Guide.
Unstable sessions age based on the default session aging time.
Examples
# Set the session aging time to 5000 seconds for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] action pass
[Sysname-security-policy-ip-0-rule1] session aging-time 5000
Related commands
session aging-time application
session aging-time state
session persistent acl
session persistent aging-time
Use session persistent aging-time to set the aging time for persistent sessions.
Use undo session persistent aging-time to restore the default.
Syntax
session persistent aging-time time-value
undo session persistent aging-time
Default
The persistent session aging time is not configured for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
time-value: Specifies the aging time in the range of 0 to 24000 hours. If you set the aging time to 0, persistent sessions do not age out.
Usage guidelines
CAUTION: Setting too long an aging time might cause persistent sessions to increase rapidly and therefore cause the CPU usage to be high.
This command is effective only on TCP sessions in ESTABLISHED state.
It sets the aging time for persistent sessions created for packets matching the specified security policy rule, and takes effect on both existing sessions and newly created sessions.
The aging time configured by using this command takes precedence over the aging times configured by using the session aging-time and session persistent acl commands.
Examples
# Set the persistent session aging time to one hour for security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] action pass
[Sysname-security-policy-ip-0-rule1] session persistent aging-time 1
Related commands
display security-policy
session persistent acl
source-ip
Use source-ip to specify a source IP address object group as a filtering criterion of a security policy rule.
Use undo source-ip to remove the specified source IP address object group from a security policy rule.
Syntax
source-ip object-group-name
undo source-ip [ object-group-name ]
Default
No source IP address object group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
object-group-name: Specifies the name of a source IP address object group, a case-insensitive string of 1 to 63 characters. The name cannot be any. If you do not specify this argument when executing the undo source-ip command, the command removes all source IP address object groups from the rule. For more information about object groups, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple source IP address object groups as the filtering criteria.
If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.
For a security policy rule, the number of configured source IP address object groups cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
Examples
# Specify source IP address object groups server1 and server2 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-ip server1
[Sysname-security-policy-ip-0-rule1] source-ip server2
Related commands
display security-policy
object-group
source-ip-host (IPv4 security policy view)
Use source-ip-host to specify a source IPv4 host address as a filtering criterion of a security policy rule.
Use undo source-ip-host to remove the specified source IPv4 host address from a security policy rule.
Syntax
source-ip-host ip-address
undo source-ip-host [ ip-address ]
Default
No source IPv4 host address is specified as a filtering criterion for a security policy rule.
Views
IPv4 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address: Specifies the IPv4 address of a host. If you do not specify this argument when executing the undo command, the command removes all source IPv4 host addresses from the security policy rule.
Usage guidelines
You can execute the command multiple times to specify multiple source IPv4 host addresses as the filtering criteria.
If you specify an IP address that has been configured as a source host filtering criterion, the command execution fails and the system prompts an error.
For a security policy rule, the sum of configured source host addresses, source subnets, and source address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
Examples
# Specify source IPv4 host address 192.167.0.1 as the filtering criterion of IPv4 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-ip-host 192.167.0.1
Related commands
display security-policy
source-ip-host (IPv6 security policy view)
Use source-ip-host to specify a source IPv6 host address as a filtering criterion of a security policy rule.
Use undo source-ip-host to remove the specified source IPv6 host address from a security policy rule.
Syntax
source-ip-host ipv6-address
undo source-ip-host [ ipv6-address ]
Default
No source IPv6 host address is specified as a filtering criterion for a security policy rule.
Views
IPv6 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-address: Specifies the IPv6 address of a host. If you do not specify this argument when executing the undo command, the command removes all source IPv6 host addresses from the security policy rule.
Usage guidelines
You can execute the command multiple times to specify multiple source IPv6 host addresses as the filtering criteria.
If you specify an IP address that has been configured as a source host filtering criterion, the command execution fails and the system prompts an error.
For a security policy rule, the sum of configured source host addresses, source subnets, and source address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
Examples
# Specify source IPv6 host address 192::167:1 as the filtering criterion of IPv6 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ipv6
[Sysname-security-policy-ipv6] rule 0 name rule1
[Sysname-security-policy-ipv6-0-rule1] source-ip-host 192::167:1
Related commands
display security-policy
source-ip-range (IPv4 security policy view)
Use source-ip-range to specify a source IPv4 address range as a filtering criterion of a security policy rule.
Use undo source-ip-range to remove the specified source IPv4 address range from a security policy rule.
Syntax
source-ip-range ip-address1 ip-address2
undo source-ip-range [ ip-address1 ip-address2 ]
Default
No source IPv4 address range is specified as a filtering criterion for a security policy rule.
Views
IPv4 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address1 ip-address2: Specifies an IPv4 address range. The ip-address1 argument represents the start IP address and the ip-address2 argument represents the end IP address. If you do not specify the arguments when executing the undo command, the command removes all source IPv4 address ranges from the security policy rule.
Usage guidelines
You can execute the command multiple times to specify multiple source IPv4 address ranges as the filtering criteria.
If you specify an IP address range that has been configured as a source IP range filtering criterion, the command execution fails and the system prompts an error.
For a security policy rule, the sum of configured source host addresses, source subnets, and source address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
When you specify an IP address range, follow these restrictions and guidelines:
· If the start IP address is the same as the end IP address, the command creates a host address filtering criterion.
· If the start IP address and the end IP address define a subnet, the command creates a subnet filtering criterion.
· If ip-address1 is greater than ip-address2, the system automatically adjusts the range to [ ip-address2, ip-address1 ].
Examples
# Specify source IPv4 address range 192.165.0.100 to 192.165.0.200 as the filtering criterion of IPv4 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-ip-range 192.165.0.100 192.165.0.200
Related commands
display security-policy
source-ip-range (IPv6 security policy view)
Use source-ip-range to specify a source IPv6 address range as a filtering criterion of a security policy rule.
Use undo source-ip-range to remove the specified source IPv6 address range from a security policy rule.
Syntax
source-ip-range ipv6-address1 ipv6-address2
undo source-ip-range [ ipv6-address1 ipv6-address2 ]
Default
No source IPv6 address range is specified as a filtering criterion for a security policy rule.
Views
IPv6 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-address1 ipv6-address2: Specifies an IPv6 address range. The ipv6-address1 argument represents the start IP address and the ipv6-address2 argument represents the end IP address. If you do not specify the arguments when executing the undo command, the command removes all source IPv6 address ranges from the security policy rule.
Usage guidelines
You can execute the command multiple times to specify multiple source IPv6 address ranges as the filtering criteria.
If you specify an IP address range that has been configured as a source IP range filtering criterion, the command execution fails and the system prompts an error.
For a security policy rule, the sum of configured source host addresses, source subnets, and source address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
When you specify an IP address range, follow these restrictions and guidelines:
· If the start IP address is the same as the end IP address, the command creates a host address filtering criterion.
· If the start IP address and the end IP address define a subnet, the command creates a subnet filtering criterion.
· If ipv6-address1 is greater than ipv6-address2, the system automatically adjusts the range to [ ipv6-address2, ipv6-address1 ].
Examples
# Specify source IPv6 address range 192::165:100 to 192::165:200 as the filtering criterion of IPv6 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ipv6
[Sysname-security-policy-ipv6] rule 0 name rule1
[Sysname-security-policy-ipv6-0-rule1] source-ip-range 192::165:100 192::165:200
Related commands
display security-policy
source-ip-subnet (IPv4 security policy view)
Use source-ip-subnet to specify a source IPv4 subnet as a filtering criterion of a security policy rule.
Use undo source-ip-subnet to remove the specified source IPv4 subnet from a security policy rule.
Syntax
source-ip-subnet ip-address { mask-length | mask }
undo source-ip-subnet [ ip-address { mask-length | mask } ]
Default
No source IPv4 subnet is specified as a filtering criterion for a security policy rule.
Views
IPv4 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address { mask-length | mask }: Specifies an IPv4 subnet. You can specify the mask length or the mask in dotted decimal notation. The mask length is in the range of 0 to 32. If you set the mask length to 32 or the mask to 255.255.255.255, the command creates a host address filtering criterion. If you do not specify the arguments when executing the undo command, the command removes all source IPv4 subnets from the security policy rule.
Usage guidelines
You can execute the command multiple times to specify multiple source IPv4 subnets as the filtering criteria.
If you specify a subnet that has been configured as a source subnet filtering criterion, the command execution fails and the system prompts an error.
For a security policy rule, the sum of configured source host addresses, source subnets, and source address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
Examples
# Specify the source subnet with IP address 192.167.0.0 and mask length 24 as a filtering criterion of IPv4 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-ip-subnet 192.167.0.0 24
# Specify the source subnet with IP address 192.166.0.0 and mask 255.255.0.0 as a filtering criterion of IPv4 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-ip-subnet 192.166.0.0 255.255.0.0
Related commands
display security-policy
source-ip-subnet (IPv6 security policy view)
Use source-ip-subnet to specify a source IPv6 subnet as a filtering criterion of a security policy rule.
Use undo source-ip-subnet to remove the specified source IPv6 subnet from a security policy rule.
Syntax
source-ip-subnet ipv6-address prefix-length
undo source-ip-subnet [ ipv6-address prefix-length ]
Default
No source IPv6 subnet is specified as a filtering criterion for a security policy rule.
Views
IPv6 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-address prefix-length: Specifies an IPv6 subnet. The prefix length is in the range of 1 to 128. If you set the prefix length to 128, the command creates a host address filtering criterion. If you do not specify the arguments when executing the undo command, the command removes all source IPv6 subnets from the security policy rule.
Usage guidelines
You can execute the command multiple times to specify multiple source IPv6 subnets as the filtering criteria.
If you specify a subnet that has been configured as a source subnet filtering criterion, the command execution fails and the system prompts an error.
For a security policy rule, the sum of configured source host addresses, source subnets, and source address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.
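The source-ip-range and source-ip-subnet commands above (both the IPv4 and the IPv6 variants) share one normalization story: a range whose endpoints coincide becomes a host criterion, a range that exactly covers an aligned subnet becomes a subnet criterion, reversed endpoints are swapped, and a /32 or /128 subnet is also a host criterion; hosts, subnets and ranges then share a per-rule cap of 1024 and duplicates are rejected. The following Python is an added example written for this page, not code from the command reference or the vendor, that applies those rules with the standard ipaddress module and evaluates a packet address against the resulting criteria. Clearing host bits in a subnet given with a non-zero host part is an assumption; the page does not say how the device treats them.

```python
import ipaddress

MAX_SOURCE_ADDRESS_CRITERIA = 1024   # combined cap on hosts, subnets and ranges per rule


def classify_range(addr1, addr2):
    """Return the criterion a 'source-ip-range addr1 addr2' collapses to.

    ("host", ip), ("subnet", cidr) or ("range", start, end); IPv4 and IPv6 alike.
    """
    start, end = ipaddress.ip_address(addr1), ipaddress.ip_address(addr2)
    if start.version != end.version:
        raise ValueError("range endpoints must share an IP version")
    if start > end:                          # reversed endpoints are swapped
        start, end = end, start
    if start == end:                         # same start and end: host criterion
        return ("host", str(start))
    nets = list(ipaddress.summarize_address_range(start, end))
    if len(nets) == 1:                       # the range is exactly one aligned subnet
        return ("subnet", str(nets[0]))
    return ("range", str(start), str(end))


def classify_subnet(addr, mask_or_len):
    """Return the criterion a 'source-ip-subnet' collapses to.

    mask_or_len may be a prefix length (IPv4 or IPv6) or, for IPv4, a dotted mask.
    A /32 or /128 subnet is a host criterion, as the parameter descriptions state.
    """
    # Assumption: host bits in addr are cleared (strict=False); the page does not
    # say whether the device accepts or rejects such input.
    net = ipaddress.ip_network(f"{addr}/{mask_or_len}", strict=False)
    if net.prefixlen == net.max_prefixlen:
        return ("host", str(net.network_address))
    return ("subnet", str(net))


class SourceAddressCriteria:
    """Source host/subnet/range criteria of one rule, with the shared 1024 cap."""

    def __init__(self):
        self.entries = []

    @classmethod
    def from_specs(cls, specs):
        obj = cls()
        for spec in specs:
            obj.add(spec)
        return obj

    def add(self, spec):
        """Return True if added, False if the same criterion already exists
        (the device rejects the command); raise when the cap is reached."""
        if spec in self.entries:
            return False
        if len(self.entries) >= MAX_SOURCE_ADDRESS_CRITERIA:
            raise ValueError("limit of 1024 source address criteria reached")
        self.entries.append(spec)
        return True

    def matches(self, addr):
        """True when the packet source address hits any configured criterion."""
        ip = ipaddress.ip_address(addr)
        for kind, *args in self.entries:
            if kind == "host" and ip == ipaddress.ip_address(args[0]):
                return True
            if kind == "subnet" and ip in ipaddress.ip_network(args[0]):
                return True
            if kind == "range":
                lo, hi = (ipaddress.ip_address(a) for a in args)
                if lo.version == ip.version and lo <= ip <= hi:
                    return True
        return False


if __name__ == "__main__":
    # Constructed sample using the page's own example values.
    rule = SourceAddressCriteria.from_specs([
        classify_range("192.165.0.100", "192.165.0.200"),   # stays a range
        classify_subnet("192.167.0.0", 24),                 # /24 subnet
        classify_subnet("192.166.0.0", "255.255.0.0"),      # dotted mask, /16
        classify_subnet("192:167::0", 64),                  # IPv6 /64
    ])
    print(rule.entries, rule.matches("192.165.0.150"), rule.matches("10.0.0.1"))
```

The classification matters for review as well as for configuration: a range such as 10.0.0.0 to 10.0.0.255 is stored as the subnet 10.0.0.0/24, so a later attempt to add that subnet explicitly is a duplicate and fails, and the displayed rule will not contain a range line even though one was typed.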
Examples
# Specify the source subnet with IPv6 address 192:167::0 and prefix length 64 as a filtering criterion of IPv6 security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ipv6
[Sysname-security-policy-ipv6] rule 0 name rule1
[Sysname-security-policy-ipv6-0-rule1] source-ip-subnet 192:167::0 64
Related commands
display security-policy
source-location
Use source-location to specify a source location as a filtering criterion of a security policy rule.
Use undo source-location to remove the specified source location from a security policy rule.
Syntax
source-location location-name
undo source-location [ location-name ]
Default
No source location is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
location-name: Specifies the name of a source location, a case-insensitive string of 1 to 63 characters. The name cannot contain hyphens (-). If you do not specify this argument when executing the undo source-location command, the command removes all source locations from the rule.
Usage guidelines
Non-default vSystems do not support this command.
You can execute the command multiple times to specify multiple source locations as the filtering criteria.
Examples
# Specify source location location1 as the filtering criterion of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-location location1
Related commands
display security-policy
source-location-group
Use source-location-group to specify a source location group as a filtering criterion of a security policy rule.
Use undo source-location-group to remove the specified source location group from a security policy rule.
Syntax
source-location-group location-group-name
undo source-location-group [ location-group-name ]
Default
No source location group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
location-group-name: Specifies the name of a source location group, a case-insensitive string of 1 to 63 characters. The name cannot contain hyphens (-). If you do not specify this argument when executing the undo source-location-group command, the command removes all source location groups from the rule.
Usage guidelines
Non-default vSystems do not support this command.
You can execute the command multiple times to specify multiple source location groups as the filtering criteria.
Examples
# Specify source location group location-group1 as a filtering criterion of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-location-group location-group1
Related commands
display security-policy
source-mac
Use source-mac to specify a source MAC address object group as a filtering criterion of a security policy rule.
Use undo source-mac to remove the specified source MAC address object group from a security policy rule.
Syntax
source-mac object-group-name
undo source-mac [ object-group-name ]
Default
No source MAC address object group is specified as a filtering criterion for a security policy rule.
Views
IPv4 security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
object-group-name: Specifies the name of a source MAC address object group, a case-insensitive string of 1 to 63 characters. The name cannot be any. If you do not specify this argument when executing the undo source-mac command, the command removes all source MAC address object groups from the rule. For more information about MAC address object groups, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple source MAC address object groups as the filtering criteria.
If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.
Examples
# Specify source MAC address object groups mac1 and mac2 as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-mac mac1
[Sysname-security-policy-ip-0-rule1] source-mac mac2
Related commands
display security-policy
object-group
source-zone
Use source-zone to specify a source security zone as a filtering criterion of a security policy rule.
Use undo source-zone to remove the specified source security zone from a security policy rule.
Syntax
source-zone source-zone-name
undo source-zone [ source-zone-name ]
Default
No source security zone is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
source-zone-name: Specifies the name of a source security zone, a case-insensitive string of 1 to 63 characters. If you do not specify this argument when executing the undo source-zone command, the command removes all source security zones from the rule. For more information about security zones, see Security Configuration Guide.
Usage guidelines
You can execute the command multiple times to specify multiple source security zones as the filtering criteria.
When you configure a source security zone as a filtering criterion, the configuration succeeds even if the security zone does not exist. However, such a criterion does not match any packets until the zone is created.
Examples
# Specify source security zones trust and dmz as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] source-zone trust
[Sysname-security-policy-ip-0-rule1] source-zone dmz
Related commands
display security-policy
security-zone
terminal
Use terminal to specify a terminal as a filtering criterion of a security policy rule.
Use undo terminal to remove the specified terminal from a security policy rule.
Syntax
terminal terminal-name
undo terminal [ terminal-name ]
Default
No terminal is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
terminal-name: Specifies the name of a terminal, a case-insensitive string of 1 to 63 characters. The name cannot be invalid or other. If you do not specify this argument when executing the undo terminal command, the command removes all terminals from the rule.
Usage guidelines
Non-default vSystems do not support this command.
A terminal represents a network camera. You can execute the command multiple times to specify multiple terminals as the filtering criteria.
For the terminal filtering criteria to be identified, you must permit the packets of protocols on which the terminals depend to pass through. If port-based packet filtering is configured and a dependent protocol uses a non-default port, you must permit the packets from the port to pass.
Examples
# Specify terminal terminal1 as a filtering criterion of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] terminal terminal1
Related commands
display security-policy
terminal-group
Use terminal-group to specify a terminal group as a filtering criterion of a security policy rule.
Use undo terminal-group to remove the specified terminal group from a security policy rule.
Syntax
terminal-group terminal-group-name
undo terminal-group [ terminal-group-name ]
Default
No terminal group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
terminal-group-name: Specifies the name of a terminal group, a case-insensitive string of 1 to 63 characters. The name cannot be invalid or other. If you do not specify this argument when executing the undo terminal-group command, the command removes all terminal groups from the rule.
Usage guidelines
Non-default vSystems do not support this command.
You can execute the command multiple times to specify multiple terminal groups as the filtering criteria.
For the terminal filtering criteria to be identified, you must permit the packets of protocols on which the terminals in the terminal group depend to pass through. If port-based packet filtering is configured and a dependent protocol uses a non-default port, you must permit the packets from the port to pass.
Examples
# Specify terminal group group1 as a filtering criterion of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] terminal-group group1
Related commands
display security-policy
time-range
Use time-range to specify the time range during which a security policy rule is in effect.
Use undo time-range to restore the default.
Syntax
time-range time-range-name
undo time-range [ time-range-name ]
Default
A security policy rule is in effect at any time.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
time-range-name: Specifies the name of a time range, a case-insensitive string of 1 to 63 characters. If you use the undo command without specifying this argument, this command deletes the time range during which the rule takes effect. For more information about time ranges, see ACL and QoS Configuration Guide.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable security policy rule rule1 to be in effect during time range work.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] time-range work
Related commands
display security-policy
time-range (ACL and QoS Command Reference)
track
Use track to associate a security policy rule with a track entry.
Use undo track to disassociate a security policy rule from the track entry.
Syntax
track { negative | positive } track-entry-number
undo track
Default
No track entry is associated with a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
negative: Specifies the Negative state of a track entry.
positive: Specifies the Positive state of a track entry.
track-entry-number: Specifies the number of a track entry, in the range of 1 to 1024. For more information about Track, see Network Management and Monitoring Configuration Guide.
Usage guidelines
Non-default vSystems do not support this command.
Use this command to enable the collaboration between the track module and a security policy rule. The collaboration operates as follows:
· If a rule is associated with the Negative state of a track entry, the device:
¡ Sets the rule state to Active if the track entry is in Negative state.
¡ Sets the rule state to Inactive if the track entry is in Positive state.
· If a rule is associated with the Positive state of a track entry, the device:
¡ Sets the rule state to Active if the track entry is in Positive state.
¡ Sets the rule state to Inactive if the track entry is in Negative state.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Associate security policy rule rule1 with the Positive state of track entry 10.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] track positive 10
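To see what the Active and Inactive rule states mean for traffic, here is an added Python simulation of the collaboration described above; it is not device code and does not come from this reference. It assumes that an Inactive rule is skipped during first-match evaluation, that a rule bound to a track entry that does not exist or is in neither the Positive nor the Negative state is Inactive, and an invented link-backup scenario: track entry 10 watches the uplink (for instance via track nqa), Internet access is permitted only while the uplink is up, a fallback server in dmz is reachable only while it is down, and a final deny-all rule catches everything else. The rule names and zones are invented.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "pass" or "drop"
    src_zones: frozenset
    dst_zones: frozenset
    # None, or (state the rule is bound to, track entry number), as in `track positive 10`
    track: Optional[Tuple[str, int]] = None


def rule_is_active(rule, track_states):
    """Documented collaboration: a rule bound to Positive is Active only while the
    entry is Positive; a rule bound to Negative, only while the entry is Negative.
    Assumption: a missing entry (or any other state) leaves the rule Inactive."""
    if rule.track is None:
        return True
    wanted_state, entry = rule.track
    return track_states.get(entry) == wanted_state


def zone_matches(allowed, zone):
    return "any" in allowed or zone in allowed


def first_match(rules, track_states, src_zone, dst_zone):
    """First-match evaluation that skips Inactive rules (assumed semantics).
    Returns (rule name, action); the rule list is expected to end with a catch-all."""
    for rule in rules:
        if not rule_is_active(rule, track_states):
            continue
        if zone_matches(rule.src_zones, src_zone) and zone_matches(rule.dst_zones, dst_zone):
            return rule.name, rule.action
    raise LookupError("no rule matched; add a catch-all rule")


def example_rules():
    """Invented link-backup scenario: track entry 10 gates Internet access,
    the fallback server in dmz is reachable only while the uplink is down,
    and everything else is dropped."""
    return [
        Rule("to-internet", "pass", frozenset({"trust"}), frozenset({"untrust"}), ("positive", 10)),
        Rule("to-fallback", "pass", frozenset({"trust"}), frozenset({"dmz"}), ("negative", 10)),
        Rule("deny-all", "drop", frozenset({"any"}), frozenset({"any"})),
    ]


if __name__ == "__main__":
    rules = example_rules()
    # Constructed track states: uplink up, uplink down, and entry 10 absent.
    for states in ({10: "positive"}, {10: "negative"}, {}):
        for dst in ("untrust", "dmz"):
            print(states, "trust ->", dst, "=>", first_match(rules, states, "trust", dst))
```

The point to take from the simulation is that a tracked pass rule fails closed: when its track entry leaves the bound state, or the entry is removed, matching falls through to whatever rule comes next, so the rule that follows it decides the outcome during an outage.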
Related commands
display security-policy
track bfd (Network Management and Monitoring Command Reference)
track interface (Network Management and Monitoring Command Reference)
track ip route reachability (Network Management and Monitoring Command Reference)
track nqa (Network Management and Monitoring Command Reference)
url-category
Use url-category to specify a URL category as a filtering criterion of a security policy rule.
Use undo url-category to remove the specified URL category filtering criterion from a security policy rule.
Syntax
url-category url-category-name
undo url-category [ url-category-name ]
Default
No URL category is specified as a filtering criterion of a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
url-category-name: Specifies the name of a URL category, a case-insensitive string of 1 to 63 characters. If you do not specify this argument when executing the undo url-category command, the command removes all URL categories from the rule. For more information about URL categories, see DPI Configuration Guide.
Usage guidelines
Non-default vSystems do not support this command.
You can execute this command multiple times to specify multiple URL categories as the filtering criteria.
Examples
# Specify URL category category1 as a filtering criterion of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] url-category category1
Related commands
display security-policy
url-filter category (DPI Command Reference)
user
Use user to specify a user as a filtering criterion of a security policy rule.
Use undo user to remove the specified user filtering criterion from a security policy rule.
Syntax
user username [ domain domain-name ]
undo user [ username [ domain domain-name ] ]
Default
No user is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
username: Specifies a username, a case-sensitive string of 1 to 55 characters. The name cannot be a, al, or all and cannot contain at signs (@). If you do not specify this argument when executing the undo user command, the command removes all users from the rule. For more information about users and identity domains, see user identification in Security Configuration Guide.
domain domain-name: Matches the user in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The string cannot contain forward slashes (/), backslashes (\), vertical bars (|), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@). If you do not specify this option, the command matches the user among users that do not belong to any identity domain.
Usage guidelines
You can execute the command multiple times to specify multiple users as the filtering criteria.
Examples
# Specify users usera and userb in identity domain test as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] user usera domain test
[Sysname-security-policy-ip-0-rule1] user userb domain test
Related commands
display security-policy
user-identity enable
user-identity static-user
user-group
Use user-group to specify a user group as a filtering criterion of a security policy rule.
Use undo user-group to remove the specified user group filtering criterion from a security policy rule.
Syntax
user-group user-group-name [ domain domain-name ]
undo user-group [ user-group-name [ domain domain-name ] ]
Default
No user group is specified as a filtering criterion for a security policy rule.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
user-group-name: Specifies the name of a user group, a case-insensitive string of 1 to 200 characters. If you do not specify this argument when executing the undo user-group command, the command removes all user groups from the rule. For more information about user groups and identity domains, see user identification in Security Configuration Guide.
domain domain-name: Matches the user group in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The string cannot contain forward slashes (/), backslashes (\), vertical bars (|), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@). If you do not specify this option, the command matches the user group among user groups that do not belong to any identity domain.
Usage guidelines
You can execute the command multiple times to specify multiple user groups as the filtering criteria.
Examples
# Specify user groups groupa and groupb in identity domain test as the filtering criteria of security policy rule rule1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] user-group groupa domain test
[Sysname-security-policy-ip-0-rule1] user-group groupb domain test
Related commands
display security-policy
user-group
vrf
Use vrf to configure a security policy rule to take effect on received packets of the specified MPLS L3VPN instance.
Use undo vrf to restore the default.
Syntax
vrf vrf-name
undo vrf
Default
A security policy rule takes effect on received packets of the public network.
Views
Security policy rule view
Predefined user roles
network-admin
context-admin
Parameters
vrf-name: Specifies the name of an MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters.
Usage guidelines
Non-default vSystems do not support this command.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure security policy rule rule1 to take effect on received packets of MPLS L3VPN instance vpn1.
<Sysname> system-view
[Sysname] security-policy ip
[Sysname-security-policy-ip] rule 0 name rule1
[Sysname-security-policy-ip-0-rule1] vrf vpn1
Related commands
display security-policy