R3303-HP HSR6800 Routers Security Configuration Guide

ActiveX blocking
ActiveX blocking protects networks from being attacked by malicious ActiveX plugins.
After the ActiveX blocking function is enabled, requests for ActiveX plugins to all webpages will be
filtered. If the ActiveX plugins in some webpages are expected, you can configure ACL rules to permit
requests to the ActiveX plugins of these webpages.
Processing procedure
If the ActiveX blocking function is enabled but no ACL is configured for it, the device replaces the
suffix .ocx with .block in all Web requests before forwarding the requests.
If the ActiveX blocking function is enabled and an ACL is configured for it, the device determines
whether to replace the suffix .ocx with .block in Web requests according to the ACL rules. If the
destination server in a Web request is a server permitted by the ACL, no replacement occurs and
the request is forwarded. Otherwise, the suffix is replaced with .block and then the request is
forwarded.
In addition to the default suffix .ocx, you can add ActiveX blocking suffixes (that is, the filename
suffixes to be replaced in Web requests) through command lines.
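The following Python model of the processing procedure above is an added example, not device code or code from the guide. It assumes the ACL can be represented as a list of permitted destination networks and that the suffix is matched at the end of the URL path; the function names and sample addresses are constructed for illustration.

```python
# Added illustration of the ActiveX blocking decision described in the guide.
# Assumptions: ACL = list of permitted destination networks; suffix is matched
# at the end of the URL path. Addresses below are constructed samples.
import ipaddress
from urllib.parse import urlsplit, urlunsplit

DEFAULT_SUFFIXES = (".ocx",)  # default blocking suffix named in the guide


def acl_permits(dst_ip, permitted_nets):
    """Return True if the destination server falls in a permitted network."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(net) for net in permitted_nets)


def process_request(url, dst_ip, enabled=True, permitted_nets=None,
                    suffixes=DEFAULT_SUFFIXES):
    """Return the URL that is forwarded under this model.

    permitted_nets=None means no ACL is configured for ActiveX blocking.
    """
    if not enabled:
        return url
    # ACL configured and destination server permitted: forward unchanged.
    if permitted_nets is not None and acl_permits(dst_ip, permitted_nets):
        return url
    parts = urlsplit(url)
    for suffix in suffixes:
        if parts.path.endswith(suffix):
            new_path = parts.path[: -len(suffix)] + ".block"
            return urlunsplit(parts._replace(path=new_path))
    return url  # no blocking suffix present, nothing to replace


if __name__ == "__main__":
    acl = ["192.0.2.0/24"]  # constructed: trusted intranet servers
    samples = [
        ("http://198.51.100.7/ctl/viewer.ocx", "198.51.100.7", None),
        ("http://192.0.2.10/ctl/viewer.ocx", "192.0.2.10", acl),
        ("http://198.51.100.7/ctl/viewer.ocx", "198.51.100.7", acl),
    ]
    for url, dst, nets in samples:
        print(url, "->", process_request(url, dst, permitted_nets=nets))
```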
Configuring Web filtering
IP address-supported URL filtering takes effect only after URL address filtering is enabled, while
URL parameter filtering, Java blocking, and ActiveX blocking can be enabled independently.
Configuring URL address filtering
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enable the URL address filtering function.
    Command: firewall http url-filter host enable
    Remarks: Disabled by default.
3. Specify the default filtering action.
    Command: firewall http url-filter host default { deny | permit }
    Remarks: Optional. The default is deny.
4. Add a URL address filtering entry.
    Command: firewall http url-filter host url-address { deny | permit } url-address
    Remarks: N/A
5. Display information about URL address filtering.
    Command: display firewall http url-filter host [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Optional.
Configuring IP address-supported URL address filtering
1. Enter system view.
    Command: system-view
    Remarks: N/A