R3166-R3206-HP High-End Firewalls Attack Protection Configuration Guide-6PW101

[Firewall] nat address-group 1 2.2.2.10 2.2.2.11
[Firewall] interface gigabitethernet 0/0
[Firewall-GigabitEthernet0/0] nat outbound 2200 address-group 1
[Firewall-GigabitEthernet0/0] quit
# Configure an ACL numbered 2100 for Java blocking.
[Firewall] acl number 2100
[Firewall-acl-basic-2100] rule 0 permit source 5.5.5.5 0.0.0.0
[Firewall-acl-basic-2100] rule 1 deny source any
[Firewall-acl-basic-2100] quit
# Enable the Java blocking function, add the blocking suffix keyword .js, and specify ACL 2100 for Java blocking.
[Firewall] firewall http java-blocking enable
[Firewall] firewall http java-blocking suffix .js
[Firewall] firewall http java-blocking acl 2100
Use the display firewall http java-blocking verbose command to display detailed Java blocking information.
[Firewall] display firewall http java-blocking verbose
Java blocking is enabled.
The configured ACL group is 2100.
There are 0 packet(s) being filtered.
There are 1 packet(s) being passed.
Use the display firewall http java-blocking all command to display Java blocking information about all blocking suffix keywords.
[Firewall] display firewall http java-blocking all
SN  Match-Times  Keywords
------------------------------------
1   0            .CLASS
2   0            .JAR
3   1            .js
The above output shows that there are three Java blocking suffix keywords: .CLASS and .JAR are the default ones, and .js is a user-defined one that has been matched once.
Configuration guidelines
Note the following when configuring web filtering:
1. When configuring a URL address filtering keyword, follow these wildcard rules:
^ matches website addresses starting with the keyword and can be present once, only at the beginning of a filtering keyword.
$ matches website addresses ending with the keyword and can be present once, only at the end of a filtering keyword.
& stands for one valid character other than dot (.) and can be present multiple times at any position of a filtering keyword, consecutively or non-consecutively, but cannot be used next to *.
* stands for any number of valid characters and spaces excluding dot (.) and can be present once, at the beginning or in the middle of a filtering keyword. It cannot be at the end and cannot be used next to ^ or $.
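The wildcard rules above, as an added Python example that is not part of the HP guide: it checks a URL filtering keyword against the placement rules for ^, $, & and *, translates a well-formed keyword into a regular expression, and reports which configured keyword a URL matches. Reading "valid character" as any character other than dot, and matching case-insensitively, are assumptions of this example rather than statements from the guide; the keywords and URLs are constructed samples.

```python
import re

# Assumed model of a "valid character": anything other than a dot, as the guide
# states for both & and *. Case-insensitive matching is also an assumption here.
ONE_VALID_CHAR = r"[^.]"      # &  : exactly one character other than dot
ANY_VALID_CHARS = r"[^.]*"    # *  : any number of characters (spaces included) other than dot


def validate_keyword(keyword: str) -> list:
    """Return the wildcard-placement rules the keyword violates (empty list if it is well formed)."""
    errors = []
    if not keyword or keyword in ("^", "$", "^$"):
        errors.append("keyword must contain at least one literal or wildcard character")
    if "^" in keyword and (keyword.count("^") > 1 or not keyword.startswith("^")):
        errors.append("^ may appear once, only at the beginning")
    if "$" in keyword and (keyword.count("$") > 1 or not keyword.endswith("$")):
        errors.append("$ may appear once, only at the end")
    if keyword.count("*") > 1:
        errors.append("* may appear at most once")
    if keyword.endswith("*"):
        errors.append("* cannot be at the end")
    if any(pair in keyword for pair in ("^*", "*^", "*$", "$*")):
        errors.append("* cannot be next to ^ or $")
    if "&*" in keyword or "*&" in keyword:
        errors.append("& cannot be next to *")
    return errors


def keyword_to_regex(keyword: str):
    """Translate a validated filtering keyword into a compiled regular expression."""
    errors = validate_keyword(keyword)
    if errors:
        raise ValueError("; ".join(errors))
    anchor_start = keyword.startswith("^")
    anchor_end = keyword.endswith("$")
    core = keyword[(1 if anchor_start else 0):len(keyword) - (1 if anchor_end else 0)]
    parts = []
    for ch in core:
        if ch == "&":
            parts.append(ONE_VALID_CHAR)
        elif ch == "*":
            parts.append(ANY_VALID_CHARS)
        else:
            parts.append(re.escape(ch))   # literals, dots included, match themselves
    pattern = "".join(parts)
    if anchor_start:
        pattern = "^" + pattern           # keyword must match from the start of the address
    if anchor_end:
        pattern = pattern + "$"           # keyword must match up to the end of the address
    return re.compile(pattern, re.IGNORECASE)


def matching_keyword(url: str, keywords: list):
    """Return the first configured keyword that matches the URL, or None if no keyword matches."""
    for keyword in keywords:
        if keyword_to_regex(keyword).search(url):
            return keyword
    return None


if __name__ == "__main__":
    # Constructed sample keywords and URLs, not taken from the guide.
    keywords = ["^intranet", "*.example.com", "^www.example&.com$"]
    for url in ["news.example.com/index.html", "www.example1.com", "www.safe-site.org"]:
        print(url, "->", matching_keyword(url, keywords))
    for bad in ["example*", "^*example", "ex&*ample", "a*b*c", "ab^c"]:
        print(repr(bad), "rejected:", validate_keyword(bad))
```

Each rejected keyword in the demo corresponds to one rule in the list above, so the validator doubles as a check that a keyword will be accepted before it is typed into the firewall configuration.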