Networking Requirements
As shown in Figure 5-5, DeviceA is deployed as the enterprise gateway at the network border and applies URL filtering to users' requests for external web sites. The company has two groups of employees, the R&D department and the marketing department, with the following requirements:
Figure 5-5 Controlling the websites users may access through a blacklist and a whitelist. In this example, interface1 and interface2 represent 10GE0/0/1 and 10GE0/0/2 respectively.
Configuration Roadmap
- Configure interface IP addresses and security zones to complete the basic network parameters.
- For R&D employees, create the URL filtering profile profile_url_research, add a whitelist URL rule (www.example.com/working/*) and a whitelist HOST rule (www.example.org), set the action for all predefined categories to block, and set the default action to block. The device applies the default action when a URL matches neither the whitelist nor any predefined category, so this controls access to every URL outside the whitelist.
- For marketing employees, create the URL filtering profile profile_url_marketing, add a blacklist URL rule (www.example.net*), set the action for all predefined categories to allow, and set the default action to allow. The device applies the default action when a URL matches neither the blacklist nor any predefined category, so this controls access to every URL outside the blacklist.
- Configure two security policies that each reference one of the URL filtering profiles, so that URL access is controlled separately for employees of the two departments.
Procedure
Configure interface IP addresses and security zones to complete the basic network parameters.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] interface 10ge 0/0/1
[DeviceA-10GE0/0/1] ip address 1.1.1.1 24
[DeviceA-10GE0/0/1] quit
[DeviceA] interface 10ge 0/0/2
[DeviceA-10GE0/0/2] ip address 10.1.1.1 255.255.255.0
[DeviceA-10GE0/0/2] ip address 10.1.2.1 255.255.255.0 sub
[DeviceA-10GE0/0/2] quit
[DeviceA] firewall zone untrust
[DeviceA-zone-untrust] add interface 10ge 0/0/1
[DeviceA-zone-untrust] quit
[DeviceA] firewall zone trust
[DeviceA-zone-trust] add interface 10ge 0/0/2
[DeviceA-zone-trust] quit
Configure the URL filtering profiles.
Configure the URL filtering profile for the R&D department.
[DeviceA] profile type url-filter name profile_url_research
[DeviceA-profile-url-filter-profile_url_research] default action block
[DeviceA-profile-url-filter-profile_url_research] category pre-defined action block
[DeviceA-profile-url-filter-profile_url_research] add whitelist url www.example.com/working/*
[DeviceA-profile-url-filter-profile_url_research] add whitelist host www.example.org
[DeviceA-profile-url-filter-profile_url_research] quit
Configure the URL filtering profile for the marketing department.
[DeviceA] profile type url-filter name profile_url_marketing
[DeviceA-profile-url-filter-profile_url_marketing] default action allow
[DeviceA-profile-url-filter-profile_url_marketing] category pre-defined action allow
[DeviceA-profile-url-filter-profile_url_marketing] add blacklist url www.example.net*
[DeviceA-profile-url-filter-profile_url_marketing] quit
Apply the URL filtering profiles in security policies.
Configure the security policy for the R&D department.
[DeviceA] security-policy
[DeviceA-policy-security] rule name policy_sec_research
[DeviceA-policy-security-rule-policy_sec_research] description Security policy of web access protect for research.
[DeviceA-policy-security-rule-policy_sec_research] source-zone trust
[DeviceA-policy-security-rule-policy_sec_research] destination-zone untrust
[DeviceA-policy-security-rule-policy_sec_research] source-address 10.1.2.0 mask 255.255.255.0
[DeviceA-policy-security-rule-policy_sec_research] action permit
[DeviceA-policy-security-rule-policy_sec_research] profile url-filter profile_url_research
[DeviceA-policy-security-rule-policy_sec_research] quit
Configure the security policy for the marketing department.
[DeviceA-policy-security] rule name policy_sec_marketing
[DeviceA-policy-security-rule-policy_sec_marketing] description Security policy of web access protect for marketing.
[DeviceA-policy-security-rule-policy_sec_marketing] source-zone trust
[DeviceA-policy-security-rule-policy_sec_marketing] destination-zone untrust
[DeviceA-policy-security-rule-policy_sec_marketing] source-address 10.1.1.0 mask 255.255.255.0
[DeviceA-policy-security-rule-policy_sec_marketing] action permit
[DeviceA-policy-security-rule-policy_sec_marketing] profile url-filter profile_url_marketing
[DeviceA-policy-security-rule-policy_sec_marketing] quit
[DeviceA-policy-security] quit
Commit the content security profiles.
[DeviceA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: URL submitted configurations successfully.
Info: Finish committing engine compiling.
Verifying the Configuration
Any R&D employee can access only work-related URLs (URLs beginning with www.example.com/working) and URLs whose hostname is www.example.org; everything else is blocked. Examples of accessible URLs:
www.example.com/working/index.htm
www.example.com/working/todo
www.example.org
www.example.org/network
When an R&D employee accesses any other website, the administrator sees URL log messages (URL/4/FILTER) whose Type (filter type) is "Timeout or default action" or "Pre-defined" and whose Action is "Block".
Any marketing employee is blocked from URLs beginning with www.example.net; all other websites remain accessible. Examples of inaccessible URLs:
www.example.net
www.example.net/index.html
www.example.net/game
When a marketing employee accesses a URL beginning with www.example.net, the administrator sees URL log messages (URL/4/FILTER) whose Type (filter type) is "Blacklist" and whose Action is "Block".
Configuration Scripts
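The decision path behind the two profiles (security policy selected by source address, then whitelist, blacklist, predefined category and finally the default action) is easy to get wrong when the two departments use opposite defaults. The following Python model is an added example, not code from the Huawei page or product; it replays the verification URLs above against the two profiles and reports the action together with the Type value the URL/4/FILTER log would carry. Assumptions it makes that the page does not state: the lookup order whitelist > blacklist > predefined category > default action, glob-style handling of "*" in URL rules, exact hostname matching for host rules, a constructed two-entry stand-in for the device's predefined category database, and a default security policy that denies unmatched traffic.

```python
import fnmatch
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


@dataclass
class UrlFilterProfile:
    """Mirror of the fields set under 'profile type url-filter' on the page."""
    name: str
    default_action: str                 # 'default action block|allow'
    predefined_action: str              # 'category pre-defined action block|allow'
    whitelist_urls: list = field(default_factory=list)   # 'add whitelist url ...'
    whitelist_hosts: list = field(default_factory=list)  # 'add whitelist host ...'
    blacklist_urls: list = field(default_factory=list)   # 'add blacklist url ...'


# Constructed stand-in for the device's predefined URL category database
# (assumption: the real database is not on the page; these hosts are invented).
PREDEFINED_CATEGORIES = {
    "www.example-news.test": "News",
    "www.example-video.test": "Streaming media",
}

RESEARCH = UrlFilterProfile(
    name="profile_url_research", default_action="block", predefined_action="block",
    whitelist_urls=["www.example.com/working/*"], whitelist_hosts=["www.example.org"])

MARKETING = UrlFilterProfile(
    name="profile_url_marketing", default_action="allow", predefined_action="allow",
    blacklist_urls=["www.example.net*"])

# Security policies from the page: source subnet -> profile applied.
POLICIES = [
    ("policy_sec_research", ip_network("10.1.2.0/24"), RESEARCH),
    ("policy_sec_marketing", ip_network("10.1.1.0/24"), MARKETING),
]


def _host_and_path(url):
    """Return (hostname, 'host/path'): host rules match the first form, URL rules
    the second. Scheme and port are ignored, as the page's rules carry neither."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    return host, host + (parts.path or "/")


def _matches(hostpath, patterns):
    # Assumption: '*' in a URL rule behaves as a glob wildcard, matched over host/path.
    return any(fnmatch.fnmatchcase(hostpath, p) for p in patterns)


def evaluate(profile, url):
    """Return (action, log_type); log_type is the Type field the URL/4/FILTER
    log would show for this decision. Order is an assumption (see lead-in)."""
    host, hostpath = _host_and_path(url)
    if host in profile.whitelist_hosts or _matches(hostpath, profile.whitelist_urls):
        return "allow", "Whitelist"
    if _matches(hostpath, profile.blacklist_urls):
        return "block", "Blacklist"
    if host in PREDEFINED_CATEGORIES:
        return profile.predefined_action, "Pre-defined"
    return profile.default_action, "Timeout or default action"


def select_policy(src_ip):
    """Pick the security policy (and so the profile) by source address, as the
    two rules on the page do with 'source-address ... mask ...'."""
    for name, net, profile in POLICIES:
        if ip_address(src_ip) in net:
            return name, profile
    return "default-policy", None   # assumption: default policy left at deny


def decide(src_ip, url):
    """End-to-end: policy lookup, then profile evaluation."""
    name, profile = select_policy(src_ip)
    if profile is None:
        return name, ("block", "No security policy matched")
    return name, evaluate(profile, url)


def check_page_examples():
    """True if the model reproduces every outcome the verification section states."""
    research_ok = all(evaluate(RESEARCH, u)[0] == "allow" for u in [
        "www.example.com/working/index.htm", "www.example.com/working/todo",
        "www.example.org", "www.example.org/network"])
    research_blocked = (evaluate(RESEARCH, "www.example-news.test")[0] == "block"
                        and evaluate(RESEARCH, "www.unlisted.test/page")[0] == "block")
    marketing_blocked = all(evaluate(MARKETING, u) == ("block", "Blacklist") for u in [
        "www.example.net", "www.example.net/index.html", "www.example.net/game"])
    marketing_ok = (evaluate(MARKETING, "www.example-news.test")[0] == "allow"
                    and evaluate(MARKETING, "www.unlisted.test/page")[0] == "allow")
    return research_ok and research_blocked and marketing_blocked and marketing_ok


if __name__ == "__main__":
    for ip, url in [("10.1.2.10", "www.example.com/working/todo"),
                    ("10.1.2.10", "www.example-news.test"),
                    ("10.1.1.10", "www.example.net/game"),
                    ("10.1.1.10", "www.example-news.test")]:
        rule, (action, log_type) = decide(ip, url)
        print(f"{ip:<10} {url:<34} {rule:<22} {action:<6} {log_type}")
    print("page examples reproduced:", check_page_examples())
```

The useful check is the pair of opposite defaults: with the R&D profile an unknown site is blocked and logged as "Timeout or default action", while a categorised site is blocked and logged as "Pre-defined", which is why the verification section lists both Type values; for marketing only the blacklist ever produces a block. If a real deployment shows "Pre-defined" blocks for the marketing subnet, a predefined category action has been changed from allow, not the default action.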
#
sysname DeviceA
#
interface 10GE0/0/1
ip address 1.1.1.1 255.255.255.0
#
interface 10GE0/0/2
ip address 10.1.1.1 255.255.255.0
ip address 10.1.2.1 255.255.255.0 sub
#
firewall zone trust
set priority 85
add interface 10GE0/0/2
#
firewall zone untrust
set priority 5
add interface 10GE0/0/1
#
profile type url-filter name profile_url_research
add whitelist url www.example.com/working/*
add whitelist host www.example.org
category pre-defined subcategory-id 101 action block
category pre-defined subcategory-id 102 action block
category pre-defined subcategory-id 162 action block
category pre-defined subcategory-id 163 action block
category pre-defined subcategory-id 164 action block
category pre-defined subcategory-id 165 action block
category pre-defined subcategory-id 103 action block
category pre-defined subcategory-id 166 action block
category pre-defined subcategory-id 167 action block
category pre-defined subcategory-id 168 action block
category pre-defined subcategory-id 104 action block
category pre-defined subcategory-id 169 action block
category pre-defined subcategory-id 170 action block
category pre-defined subcategory-id 105 action block
category pre-defined subcategory-id 171 action block
category pre-defined subcategory-id 172 action block
category pre-defined subcategory-id 173 action block
category pre-defined subcategory-id 174 action block
category pre-defined subcategory-id 106 action block
category pre-defined subcategory-id 108 action block
category pre-defined subcategory-id 251 action block
category pre-defined subcategory-id 177 action block
category pre-defined subcategory-id 109 action block
category pre-defined subcategory-id 110 action block
category pre-defined subcategory-id 248 action block
category pre-defined subcategory-id 178 action block
category pre-defined subcategory-id 111 action block
category pre-defined subcategory-id 112 action block
category pre-defined subcategory-id 179 action block
category pre-defined subcategory-id 114 action block
category pre-defined subcategory-id 115 action block
category pre-defined subcategory-id 180 action block
category pre-defined subcategory-id 181 action block
category pre-defined subcategory-id 117 action block
category pre-defined subcategory-id 118 action block
category pre-defined subcategory-id 119 action block
category pre-defined subcategory-id 122 action block
category pre-defined subcategory-id 182 action block
category pre-defined subcategory-id 183 action block
category pre-defined subcategory-id 184 action block
category pre-defined subcategory-id 123 action block
category pre-defined subcategory-id 186 action block
category pre-defined subcategory-id 187 action block
category pre-defined subcategory-id 188 action block
category pre-defined subcategory-id 189 action block
category pre-defined subcategory-id 124 action block
category pre-defined subcategory-id 125 action block
category pre-defined subcategory-id 126 action block
category pre-defined subcategory-id 190 action block
category pre-defined subcategory-id 127 action block
category pre-defined subcategory-id 128 action block
category pre-defined subcategory-id 191 action block
category pre-defined subcategory-id 192 action block
category pre-defined subcategory-id 193 action block
category pre-defined subcategory-id 194 action block
category pre-defined subcategory-id 195 action block
category pre-defined subcategory-id 196 action block
category pre-defined subcategory-id 129 action block
category pre-defined subcategory-id 130 action block
category pre-defined subcategory-id 131 action block
category pre-defined subcategory-id 197 action block
category pre-defined subcategory-id 198 action block
category pre-defined subcategory-id 199 action block
category pre-defined subcategory-id 132 action block
category pre-defined subcategory-id 227 action block
category pre-defined subcategory-id 228 action block
category pre-defined subcategory-id 200 action block
category pre-defined subcategory-id 133 action block
category pre-defined subcategory-id 201 action block
category pre-defined subcategory-id 202 action block
category pre-defined subcategory-id 204 action block
category pre-defined subcategory-id 205 action block
category pre-defined subcategory-id 134 action block
category pre-defined subcategory-id 135 action block
category pre-defined subcategory-id 136 action block
category pre-defined subcategory-id 206 action block
category pre-defined subcategory-id 207 action block
category pre-defined subcategory-id 208 action block
category pre-defined subcategory-id 137 action block
category pre-defined subcategory-id 209 action block
category pre-defined subcategory-id 210 action block
category pre-defined subcategory-id 138 action block
category pre-defined subcategory-id 139 action block
category pre-defined subcategory-id 229 action block
category pre-defined subcategory-id 140 action block
category pre-defined subcategory-id 141 action block
category pre-defined subcategory-id 142 action block
category pre-defined subcategory-id 211 action block
category pre-defined subcategory-id 212 action block
category pre-defined subcategory-id 143 action block
category pre-defined subcategory-id 144 action block
category pre-defined subcategory-id 145 action block
category pre-defined subcategory-id 240 action block
category pre-defined subcategory-id 146 action block
category pre-defined subcategory-id 213 action block
category pre-defined subcategory-id 147 action block
category pre-defined subcategory-id 253 action block
category pre-defined subcategory-id 149 action block
category pre-defined subcategory-id 150 action block
category pre-defined subcategory-id 214 action block
category pre-defined subcategory-id 215 action block
category pre-defined subcategory-id 216 action block
category pre-defined subcategory-id 217 action block
category pre-defined subcategory-id 218 action block
category pre-defined subcategory-id 219 action block
category pre-defined subcategory-id 220 action block
category pre-defined subcategory-id 221 action block
category pre-defined subcategory-id 222 action block
category pre-defined subcategory-id 223 action block
category pre-defined subcategory-id 252 action block
category pre-defined subcategory-id 151 action block
category pre-defined subcategory-id 230 action block
category pre-defined subcategory-id 152 action block
category pre-defined subcategory-id 238 action block
category pre-defined subcategory-id 153 action block
category pre-defined subcategory-id 154 action block
category pre-defined subcategory-id 155 action block
category pre-defined subcategory-id 224 action block
category pre-defined subcategory-id 225 action block
category pre-defined subcategory-id 156 action block
category pre-defined subcategory-id 157 action block
category pre-defined subcategory-id 158 action block
category pre-defined subcategory-id 231 action block
category pre-defined subcategory-id 232 action block
category pre-defined subcategory-id 159 action block
category pre-defined subcategory-id 254 action block
category pre-defined subcategory-id 160 action block
category pre-defined subcategory-id 161 action block
category pre-defined subcategory-id 176 action block
category pre-defined subcategory-id 226 action block
category pre-defined subcategory-id 234 action block
category pre-defined subcategory-id 235 action block
category pre-defined subcategory-id 236 action block
category pre-defined subcategory-id 237 action block
category pre-defined subcategory-id 239 action block
category pre-defined subcategory-id 241 action block
category pre-defined subcategory-id 233 action block
default action block
profile type url-filter name profile_url_marketing
add blacklist url www.example.net*
#
security-policy
rule name policy_sec_research
description Security policy of web access protect for research.
source-zone trust
destination-zone untrust
source-address 10.1.2.0 mask 255.255.255.0
profile url-filter profile_url_research
action permit
rule name policy_sec_marketing
description Security policy of web access protect for marketing.
source-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
profile url-filter profile_url_marketing
action permit
#
return