R3303-HP HSR6800 Routers Security Configuration Guide

[Router-acl-basic-2200] rule 0 permit source 192.168.1.0 0.0.0.255
[Router-acl-basic-2200] rule 1 deny source any
[Router-acl-basic-2200] quit
[Router] nat address-group 1 2.2.2.10 2.2.2.11
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] nat outbound 2200 address-group 1
[Router-GigabitEthernet3/0/1] quit
# Configure an ACL numbered 2100 for Java blocking.
[Router] acl number 2100
[Router-acl-basic-2100] rule 0 permit source 5.5.5.5 0.0.0.0
[Router-acl-basic-2100] rule 1 deny source any
[Router-acl-basic-2100] quit
# Enable the Java blocking function, add blocking suffix keyword .js, and specify ACL 2100 for Java blocking.
[Router] firewall http java-blocking enable
[Router] firewall http java-blocking suffix .js
[Router] firewall http java-blocking acl 2100
Use the display firewall http java-blocking verbose command to display detailed Java blocking
information.
[Router] display firewall http java-blocking verbose
Java blocking is enabled.
The configured ACL group is 2100.
There are 0 packet(s) being filtered.
There are 1 packet(s) being passed.
Use the display firewall http java-blocking all command to display Java blocking information about all
blocking suffix keywords.
[Router] display firewall http java-blocking all
SN  Match-Times  Keywords
------------------------------------
1   0            .CLASS
2   0            .JAR
3   1            .js
The output shows three Java blocking suffix keywords: .CLASS and .JAR are the default keywords, and .js is
user-defined and has been matched once.
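ACLs 2200 and 2100 above depend on wildcard masks and on rule order, so it helps to check which sources each one permits before applying it. The following Python sketch is an added example, not part of the HP guide; the names parse_acl and evaluate are illustrative, and it assumes rules are checked in ascending rule ID with the first match deciding the result.

```python
import ipaddress
import re

# Rule lines copied from the ACLs configured above.
ACL_2200 = """\
rule 0 permit source 192.168.1.0 0.0.0.255
rule 1 deny source any
"""
ACL_2100 = """\
rule 0 permit source 5.5.5.5 0.0.0.0
rule 1 deny source any
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+source\s+(?:any|(\S+)\s+(\S+))\s*$")


def parse_acl(text):
    """Parse basic-ACL rule lines into (rule_id, action, base, wildcard)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        if m.group(3) is None:  # "source any": every bit is a don't-care
            base, wildcard = 0, 0xFFFFFFFF
        else:
            base = int(ipaddress.IPv4Address(m.group(3)))
            wildcard = int(ipaddress.IPv4Address(m.group(4)))
        rules.append((int(m.group(1)), m.group(2), base, wildcard))
    # Assumption: rules are checked in ascending rule ID, first match wins.
    return sorted(rules)


def evaluate(rules, source):
    """Return (action, rule_id) of the first matching rule, or (None, None)."""
    addr = int(ipaddress.IPv4Address(source))
    for rule_id, action, base, wildcard in rules:
        care = ~wildcard & 0xFFFFFFFF  # wildcard bit 0 = bit must match
        if (addr & care) == (base & care):
            return action, rule_id
    return None, None  # no rule matched


if __name__ == "__main__":
    for acl, ip in ((ACL_2200, "192.168.1.77"), (ACL_2100, "5.5.5.6")):
        print(ip, evaluate(parse_acl(acl), ip))
```

The wildcard 0.0.0.255 in ACL 2200 ignores the last octet, while 0.0.0.0 in ACL 2100 matches the single host 5.5.5.5.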
Troubleshooting Web filtering
Failed to add filtering entry or suffix keyword due to upper limit
Symptom
When you try to add a URL address filtering entry or URL parameter filtering entry, the system
reports that no more entries can be added.
When you add a Java blocking or ActiveX blocking suffix keyword, the system reports that no
more keywords can be added.