[Documentation] Controlling the Websites Users Can Access by Using URL Categories, Blacklists, and Whitelists

Posted on 2024-11-1 15:02:30
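Networking Requirements
As shown in Figure 5-7, DeviceA is deployed at the network border as the enterprise gateway and performs URL filtering on users' URL requests to external networks. The enterprise allows employees to access only education/science websites, search engine/portal websites, and social networks; all other websites are inaccessible. In addition, the enterprise wants to control the following websites individually:
Figure 5-7 Controlling the websites users can access by using URL categories, blacklists, and whitelists

In this example, interface1 and interface2 represent 10GE0/0/1 and 10GE0/0/2, respectively.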




                               



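Configuration Roadmap
  • Configure interface IP addresses and security zones to complete the basic network settings.
  • Create the URL filtering profile "url_profile_01", then add www.example1.com and www.example2.com to the blacklist and www.example3.com and www.example4.com to the whitelist. Using the pre-defined URL categories, set the control action for education/science websites, search engine/portal websites, and social networks to allow, and set the action for all other websites to block.
  • Configure a security policy that references the URL filtering profile url_profile_01 to implement URL access control.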


Procedure
Configure interface IP addresses and security zones to complete the basic network settings.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] interface 10ge 0/0/1
[DeviceA-10GE0/0/1] ip address 1.1.1.1 24
[DeviceA-10GE0/0/1] quit
[DeviceA] interface 10ge 0/0/2
[DeviceA-10GE0/0/2] ip address 10.1.1.1 255.255.255.0
[DeviceA-10GE0/0/2] quit
[DeviceA] firewall zone untrust
[DeviceA-zone-untrust] add interface 10ge 0/0/1
[DeviceA-zone-untrust] quit
[DeviceA] firewall zone trust
[DeviceA-zone-trust] add interface 10ge 0/0/2
[DeviceA-zone-trust] quit
Configure the URL filtering profile.

Run the display url-filter category pre-defined command to look up the following mapping between pre-defined categories and IDs.

17: Education/Science
15: Search Engines/Portals
7: Social Network
[DeviceA] profile type url-filter name url_profile_01
[DeviceA-profile-url-filter-url_profile_01] add blacklist url www.example1.com
[DeviceA-profile-url-filter-url_profile_01] add blacklist url www.example2.com
[DeviceA-profile-url-filter-url_profile_01] add whitelist url www.example3.com
[DeviceA-profile-url-filter-url_profile_01] add whitelist url www.example4.com
[DeviceA-profile-url-filter-url_profile_01] category pre-defined action block
[DeviceA-profile-url-filter-url_profile_01] category pre-defined category-id 15 action allow
[DeviceA-profile-url-filter-url_profile_01] category pre-defined category-id 17 action allow
[DeviceA-profile-url-filter-url_profile_01] category pre-defined category-id 7 action allow
[DeviceA-profile-url-filter-url_profile_01] quit


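To block URLs that are not on the whitelist, set the default action to block. When the remote query service is unavailable, DeviceA takes the default action and therefore blocks URLs that are not on the whitelist.

To allow URLs that are not on the blacklist, set the default action to allow. When the remote query service is unavailable, DeviceA takes the default action and therefore permits URLs that are not on the blacklist.

Apply the URL filtering profile in the security policy.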
[DeviceA] security-policy
[DeviceA-policy-security] rule name policy_sec_01
[DeviceA-policy-security-rule-policy_sec_01] source-zone trust
[DeviceA-policy-security-rule-policy_sec_01] destination-zone untrust
[DeviceA-policy-security-rule-policy_sec_01] source-address 10.1.1.0 mask 255.255.255.0
[DeviceA-policy-security-rule-policy_sec_01] action permit
[DeviceA-policy-security-rule-policy_sec_01] profile url-filter url_profile_01
[DeviceA-policy-security-rule-policy_sec_01] quit
[DeviceA-policy-security] quit
Commit the content security profile.
[DeviceA] engine configuration commit
Info: The operation may last for several minutes, please wait.
Info: URL submitted configurations successfully.
Info: Finish committing engine compiling.
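Verifying the Configuration
Employees can access "education/science", "search engine/portal", and "social network" websites; other websites cannot be accessed.

When an employee accesses any other website, the administrator can see a URL log (URL/4/FILTER) whose Type (filtering type) is "Pre-defined" and whose Action is "Block".

Employees can access www.example3.com and www.example4.com, but cannot access www.example1.com or www.example2.com.

When an employee accesses www.example3.com or www.example4.com, the administrator can see a URL log (URL/4/FILTER) whose Type (filtering type) is "Whitelist" and whose Action is "Allow".

When an employee accesses www.example1.com or www.example2.com, the administrator can see a URL log (URL/4/FILTER) whose Type (filtering type) is "Blacklist" and whose Action is "Block".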
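
The expected Type/Action pairs above can be reasoned about with a small model of the profile. This is an added example, not device code or part of the original post. Assumptions: exact host matching, the whitelist being checked before the blacklist, the host-to-category table, category ID 99, and the "Default" label are all constructed for illustration.

```python
# Model of url_profile_01: lists and allowed category IDs come from the procedure above.
ALLOWED_CATEGORY_IDS = {7, 15, 17}  # Social Network, Search Engines/Portals, Education/Science
BLACKLIST = {"www.example1.com", "www.example2.com"}
WHITELIST = {"www.example3.com", "www.example4.com"}

# Constructed stand-in for the pre-defined category lookup (hosts and ID 99 are made up).
SAMPLE_CATEGORIES = {
    "search.example.test": 15,
    "campus.example.test": 17,
    "social.example.test": 7,
    "games.example.test": 99,  # a category that is not in the allowed set
}

def decide(host, lookup=SAMPLE_CATEGORIES.get, default_action="Block"):
    """Return (Type, Action) for a host; lookup returning None means no category answer."""
    host = host.lower().rstrip(".")
    if host in WHITELIST:  # assumption: whitelist is evaluated first
        return ("Whitelist", "Allow")
    if host in BLACKLIST:
        return ("Blacklist", "Block")
    category = lookup(host)
    if category is None:
        # Remote query unavailable or host unknown: fall back to the default action.
        return ("Default", default_action)  # "Default" is this model's own label
    action = "Allow" if category in ALLOWED_CATEGORY_IDS else "Block"
    return ("Pre-defined", action)

def exposed_when_lookup_fails(hosts):
    """Hosts whose outcome flips between default block and default allow when lookup is down."""
    down = lambda host: None
    return [h for h in hosts
            if decide(h, down, "Block")[1] != decide(h, down, "Allow")[1]]
```

Hosts on the blacklist or whitelist keep the same outcome when the category lookup is down; only hosts that depend on the category answer are affected by the choice of default action.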


Configuration Script
#
sysname DeviceA
#
interface 10GE0/0/1
ip address 1.1.1.1 255.255.255.0
#
interface 10GE0/0/2
ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface 10GE0/0/2
#
firewall zone untrust
set priority 5
add interface 10GE0/0/1
#
profile type url-filter name url_profile_01
add blacklist url www.example1.com
add blacklist url www.example2.com
add whitelist url www.example3.com
add whitelist url www.example4.com
category pre-defined subcategory-id 101 action block
category pre-defined subcategory-id 102 action block
category pre-defined subcategory-id 162 action block
category pre-defined subcategory-id 163 action block
category pre-defined subcategory-id 164 action block
category pre-defined subcategory-id 165 action block
category pre-defined subcategory-id 103 action block
category pre-defined subcategory-id 166 action block
category pre-defined subcategory-id 167 action block
category pre-defined subcategory-id 168 action block
category pre-defined subcategory-id 104 action block
category pre-defined subcategory-id 169 action block
category pre-defined subcategory-id 170 action block
category pre-defined subcategory-id 105 action block
category pre-defined subcategory-id 171 action block
category pre-defined subcategory-id 172 action block
category pre-defined subcategory-id 173 action block
category pre-defined subcategory-id 174 action block
category pre-defined subcategory-id 106 action block
category pre-defined subcategory-id 109 action block
category pre-defined subcategory-id 110 action block
category pre-defined subcategory-id 111 action block
category pre-defined subcategory-id 112 action block
category pre-defined subcategory-id 114 action block
category pre-defined subcategory-id 115 action block
category pre-defined subcategory-id 117 action block
category pre-defined subcategory-id 178 action block
category pre-defined subcategory-id 179 action block
category pre-defined subcategory-id 180 action block
category pre-defined subcategory-id 181 action block
category pre-defined subcategory-id 248 action block
category pre-defined subcategory-id 118 action block
category pre-defined subcategory-id 119 action block
category pre-defined subcategory-id 122 action block
category pre-defined subcategory-id 182 action block
category pre-defined subcategory-id 183 action block
category pre-defined subcategory-id 184 action block
category pre-defined subcategory-id 123 action block
category pre-defined subcategory-id 124 action block
category pre-defined subcategory-id 186 action block
category pre-defined subcategory-id 187 action block
category pre-defined subcategory-id 188 action block
category pre-defined subcategory-id 189 action block
category pre-defined subcategory-id 125 action block
category pre-defined subcategory-id 127 action block
category pre-defined subcategory-id 128 action block
category pre-defined subcategory-id 130 action block
category pre-defined subcategory-id 131 action block
category pre-defined subcategory-id 132 action block
category pre-defined subcategory-id 197 action block
category pre-defined subcategory-id 198 action block
category pre-defined subcategory-id 199 action block
category pre-defined subcategory-id 200 action block
category pre-defined subcategory-id 227 action block
category pre-defined subcategory-id 228 action block
category pre-defined subcategory-id 133 action block
category pre-defined subcategory-id 201 action block
category pre-defined subcategory-id 202 action block
category pre-defined subcategory-id 204 action block
category pre-defined subcategory-id 205 action block
category pre-defined subcategory-id 134 action block
category pre-defined subcategory-id 135 action block
category pre-defined subcategory-id 136 action block
category pre-defined subcategory-id 137 action block
category pre-defined subcategory-id 138 action block
category pre-defined subcategory-id 139 action block
category pre-defined subcategory-id 140 action block
category pre-defined subcategory-id 141 action block
category pre-defined subcategory-id 206 action block
category pre-defined subcategory-id 207 action block
category pre-defined subcategory-id 208 action block
category pre-defined subcategory-id 209 action block
category pre-defined subcategory-id 210 action block
category pre-defined subcategory-id 229 action block
category pre-defined subcategory-id 142 action block
category pre-defined subcategory-id 143 action block
category pre-defined subcategory-id 144 action block
category pre-defined subcategory-id 145 action block
category pre-defined subcategory-id 146 action block
category pre-defined subcategory-id 147 action block
category pre-defined subcategory-id 211 action block
category pre-defined subcategory-id 212 action block
category pre-defined subcategory-id 213 action block
category pre-defined subcategory-id 240 action block
category pre-defined subcategory-id 253 action block
category pre-defined subcategory-id 149 action block
category pre-defined subcategory-id 150 action block
category pre-defined subcategory-id 214 action block
category pre-defined subcategory-id 215 action block
category pre-defined subcategory-id 216 action block
category pre-defined subcategory-id 217 action block
category pre-defined subcategory-id 151 action block
category pre-defined subcategory-id 218 action block
category pre-defined subcategory-id 219 action block
category pre-defined subcategory-id 220 action block
category pre-defined subcategory-id 221 action block
category pre-defined subcategory-id 222 action block
category pre-defined subcategory-id 223 action block
category pre-defined subcategory-id 230 action block
category pre-defined subcategory-id 252 action block
category pre-defined subcategory-id 152 action block
category pre-defined subcategory-id 153 action block
category pre-defined subcategory-id 238 action block
category pre-defined subcategory-id 154 action block
category pre-defined subcategory-id 155 action block
category pre-defined subcategory-id 224 action block
category pre-defined subcategory-id 225 action block
category pre-defined subcategory-id 156 action block
category pre-defined subcategory-id 157 action block
category pre-defined subcategory-id 158 action block
category pre-defined subcategory-id 231 action block
category pre-defined subcategory-id 232 action block
category pre-defined subcategory-id 159 action block
category pre-defined subcategory-id 254 action block
category pre-defined subcategory-id 160 action block
category pre-defined subcategory-id 161 action block
category pre-defined subcategory-id 176 action block
category pre-defined subcategory-id 226 action block
category pre-defined subcategory-id 234 action block
category pre-defined subcategory-id 235 action block
category pre-defined subcategory-id 236 action block
category pre-defined subcategory-id 237 action block
category pre-defined subcategory-id 239 action block
category pre-defined subcategory-id 241 action block
category pre-defined subcategory-id 233 action block
#
security-policy
rule name policy_sec_01
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  profile url-filter url_profile_01
  action permit        
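
A saved configuration like the one above can be checked offline for gaps that would let traffic bypass the URL filter. This is an added example, not part of the original post or any vendor tooling; the function names are hypothetical and SAMPLE_CONFIG is a constructed, shortened excerpt of the script above. The parser ignores indentation, so it also accepts the script as posted.

```python
import re

# Constructed excerpt of the configuration script above (lists shortened).
SAMPLE_CONFIG = """\
profile type url-filter name url_profile_01
 add blacklist url www.example1.com
 add whitelist url www.example3.com
 category pre-defined subcategory-id 101 action block
#
security-policy
 rule name policy_sec_01
  profile url-filter url_profile_01
  action permit
"""

def parse(config):
    profiles, rules, prof, rule = {}, {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"profile type url-filter name (\S+)", line):
            prof, rule = profiles.setdefault(m[1], {"blacklist": set(), "whitelist": set()}), None
        elif m := re.fullmatch(r"rule name (\S+)", line):
            prof, rule = None, rules.setdefault(m[1], {"action": None, "url_filter": None})
        elif line == "#":  # section separator ends the current context
            prof = rule = None
        elif prof is not None and (m := re.fullmatch(r"add (blacklist|whitelist) url (\S+)", line)):
            prof[m[1]].add(m[2].lower())
        elif rule is not None and (m := re.fullmatch(r"profile url-filter (\S+)", line)):
            rule["url_filter"] = m[1]
        elif rule is not None and (m := re.fullmatch(r"action (permit|deny)", line)):
            rule["action"] = m[1]
    return profiles, rules

def audit(config):
    """Return findings that would bypass or contradict the URL filtering profile."""
    profiles, rules = parse(config)
    used = {r["url_filter"] for r in rules.values()}
    findings = []
    for name, p in profiles.items():
        findings += [f"{name}: {u} is both blacklisted and whitelisted"
                     for u in sorted(p["blacklist"] & p["whitelist"])]
        if name not in used:
            findings.append(f"{name}: not referenced by any security-policy rule")
    for name, r in rules.items():
        if r["action"] == "permit" and r["url_filter"] is None:
            findings.append(f"rule {name}: permits traffic without a url-filter profile")
        elif r["url_filter"] is not None and r["url_filter"] not in profiles:
            findings.append(f"rule {name}: references undefined profile {r['url_filter']}")
    return findings
```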


