Content Security Filtering Technologies

Foreword

⚫ As society has entered the mobile Internet era, security threats have gradually extended to the application layer. More and more enterprises are paying attention to the security of internal information, such as the leakage of core confidential information. Therefore, the administrator needs to identify risks in service scenarios based on service security requirements and take corresponding risk control measures. The content security filtering technology of Huawei firewalls helps enterprises manage and control content security.
⚫ This course describes the concepts and implementation of content security filtering
technologies on firewalls.

1 Huawei Confidential
Objectives
⚫ On completion of this course, you will be able to:
▫ Describe the technical background of the content security filtering technologies.
▫ Describe basic principles of content security filtering technologies.
▫ Master the configuration of content security filtering technologies.

Contents

1. Overview of Content Security Filtering Technologies

2. Principles of Content Security Filtering Technologies

3. Examples for Configuring Content Security Filtering Technologies

Technical Background of Content Security Filtering Technologies
⚫ With the development of communications, security threats are evolving from simple cyber threats to application
and data security threats. In addition, the requirements for internal service security of enterprises are increasing. It
is a great challenge for enterprises to identify confidential information or illegitimate and low-quality information
in service scenarios, generate alarms, and block such information.
⚫ User behavior management and control is a powerful measure to solve the security problems enterprises are facing.
Deploying content security filtering technologies on Huawei firewalls can help implement refined management and
control on user behaviors.

[Figure: enterprise users are exposed to viruses and Trojan horses, hacker attacks, phishing mail, and illegitimate websites.]
Introduction to Content Security Filtering Technologies
• Content security filtering technologies deployed on Huawei firewalls can be applied to different security protection solutions based
on scenario requirements. These technologies help enterprises manage and control content security while preventing core
information leakage and adverse impacts caused by improper user behaviors.
• The content security filtering technology helps enterprises manage content security and prevent core information leakage.

[Figure: the firewall sits between the Trust zone (R&D department, sales department, intranet mail server and file server), the DMZ (web server, file server) and the Untrust zone (Internet). The numbered functions in the figure are:]
1 URL filtering
2 DNS filtering
3 File blocking
4 Data filtering
5 Mail filtering
6 Application behavior control
[The figure pairs these with example scenarios: game and violence websites, viruses, information leakage, access to a website with a valid domain name, control of confidential mail sending and receiving behavior, restriction of the attachment size, and HTTP and FTP behavior control.]

• Content security filtering technologies can be used to control enterprise user behaviors. For example, users can be prevented from accessing illegitimate websites, which protects the enterprise from adverse impacts, and from accessing entertainment websites during working hours, which improves work efficiency.
• Content security filtering:
▫ URL filtering regulates online behaviors by controlling URLs that users can
access, thereby permitting or rejecting users' access to specified web page
resources.
▫ DNS filtering is implemented in the domain name resolution phase to
prevent employees from accessing illegitimate content or malicious
websites, which may cause threats such as viruses, Trojan horses, and
worms.
▫ File blocking blocks the transmission of certain types of files, which reduces
risks of executing malicious codes and viruses on the internal network and
prevents employees from transmitting enterprises' confidential files to the
Internet.
▫ Data filtering falls into two types: file data filtering and application data
filtering. File data filtering filters the uploaded and downloaded files by
keyword. You can specify the protocols for file transfer or the types of files
to be filtered. Application data filtering filters application content by
keyword. The device filters different data for different applications.
▫ Mail filtering: filters mails by checking the email addresses of the sender
and recipient, attachment size, and number of attachments.
▫ The application behavior control function is used to accurately control
users' HTTP and FTP behaviors (such as upload and download).
Contents

1. Overview of Content Security Filtering Technologies

2. Principles of Content Security Filtering Technologies


◼ URL Filtering

▫ DNS Filtering

▫ File Blocking

▫ Data Filtering

▫ Mail Filtering

▫ Application Behavior Control

3. Examples for Configuring Content Security Filtering Technologies

Overview of URL Filtering
⚫ The URL filtering function regulates online behaviors by controlling URLs that users can access, thereby permitting or rejecting users' access to specified web page resources. This function allows enterprises to allocate Internet bandwidth resources in a refined manner and accurately control employees' Internet access permissions.

⚫ Prohibiting access to irrelevant websites: the URL category and blacklist/whitelist functions allow users to access only specified URLs, improving office efficiency.
⚫ Blocking low-reputation and malicious URLs: identifying low-reputation and malicious URLs can effectively block network attacks from malicious websites and enhance network security protection.
⚫ Controlling URL access by schedules: defining URL access policies for different schedules implements schedule-based URL access control, thus effectively utilizing enterprise network bandwidth resources.
URL Structure
⚫ Each web page on the Internet has a unique identifier, that is, the URL. A URL is a specific address
assigned to each available resource on the network so that the resource can be located or identified.
Therefore, each resource (page, site, document, file, folder) on the Internet has a URL.
⚫ A URL consists of fields such as Protocol, Host, Path, and Parameter.

http://www.example.com:8080/news/education.aspx?name=tom&age=20

Protocol: http | Host: www.example.com | Port: 8080 | Path: /news/education.aspx | Parameter: name=tom&age=20


• The field meanings are as follows:

▫ Protocol: scheme/protocol. It tells the browser how to handle the file to be opened. HTTP is most commonly used. Generally, this parameter is optional for HTTP.

▫ Host: indicates the domain name or IP address of the web server. If the web server uses a non-standard port (not port 80, for example, 8080), the Host field also needs to contain the port number, for example, www.example.com:8080.

▫ Path: indicates the directory or file name on the web server, separated by slashes (/).

▫ Parameter: indicates the parameter transferred to the web page. This parameter is generally used for dynamic data query from the database.
Principles of URL Filtering
⚫ The basic principles of URL filtering are as follows:
▫ A user uses a browser to initiate a website access request. The request packet reaches the firewall through the enterprise intranet.
▫ The firewall parses the received HTTP/HTTPS request packet, obtains the URL information, and analyzes the URL information.
▫ If the URL is legitimate, the HTTP request is passed and the user can browse the website.
▫ If the URL is illegitimate, the HTTP request is blocked and an alarm page is pushed.

[Figure: the firewall between the office area and the Internet allows data flows from legitimate websites and blocks data flows from illegitimate websites.]
Process of URL Filtering
⚫ If the URL filtering function is enabled on the firewall, the firewall performs URL filtering when a user
accesses a network resource using HTTP or HTTPS through the firewall. The process is as follows:
1. The firewall receives an HTTP/HTTPS packet and extracts the URL information from the packet.
2. If the HTTP/HTTPS packet is abnormal, it is directly blocked.
3. If the URL matches the whitelist, the URL is permitted. If the URL matches the blacklist, the URL is blocked.
4. If the referer field matches the whitelist, the URL is permitted.
5. If the URL matches a user-defined URL category, the corresponding control action is performed.
6. If the URL is identified as a malicious or low-reputation URL, it is blocked.
7. If the URL matches a predefined URL category in the local cache, the corresponding control action is performed.
8. If no URL category is found in the local cache, the firewall starts remote query and performs corresponding processing.
URL Filtering Mode
⚫ When a user's URL access request matches a URL rule, the firewall processes the URL access request
based on the URL filtering mode. URL filtering can be implemented in the following modes:
⚫ Blacklist and whitelist: The blacklist is a list of URLs inaccessible to users. The whitelist is a list of URLs accessible to users. The processing priority of the whitelist is higher than that of the blacklist.
⚫ URL categories: A large number of URLs are classified into different URL categories to control a certain type of websites. URL categories are classified into predefined categories and user-defined categories. User-defined URL categories take precedence over predefined URL categories.
⚫ Low-reputation or malicious URL: URL reputation reflects the reliability of the URL that a user accesses. After URL reputation detection is enabled, low-reputation URLs can be blocked. Malicious URLs refer to URLs containing malicious information. After malicious URL detection is enabled, malicious URLs can be blocked.
⚫ External dynamic malicious URL: The external dynamic malicious URL list is a text file of some malicious URLs released by external official websites. You can load the external dynamic malicious URL list to identify and block the latest malicious URLs, preventing users from new attacks.

URL Blacklist and Whitelist


⚫ The blacklist is a list of URLs inaccessible to users, and the whitelist is a list of URLs accessible to users. The blacklist
and whitelist are generally used to filter simple and fixed websites.
⚫ When a user requests to access a URL, the device matches the extracted URL information with the blacklist and
whitelist. If the URL matches the whitelist, the URL is permitted. If the URL matches the blacklist, the URL is
blocked.
⚫ The blacklist and whitelist identify URLs at a finer granularity. Therefore, in URL filtering, the priority of the
blacklist/whitelist-based filtering mode is higher than that of user-defined and predefined URL categories. The
priority of the whitelist is higher than that of the blacklist.
[Figure: a user in the office area requests URLs through the firewall to a web server. If the URL matches the whitelist, the firewall permits the URL; if the URL matches the blacklist, the firewall blocks the URL.]

• The blacklist and whitelist are generally used to filter simple and fixed websites.
Compared with URL categories, the blacklist and whitelist have finer category
granularities. When a user requests to access a URL, the device matches the
extracted URL information with the blacklist and whitelist.

▫ If the URL matches the whitelist, the URL request is permitted. For example,
an enterprise allows employees to access only some work-related websites.
To achieve this requirement, you can add some work-related websites to
the whitelist.

▫ If the URL matches the blacklist, the URL request is blocked. For example,
to improve work efficiency of employees and fully utilize network
bandwidth, enterprises need to control online behaviors of employees and
prevent them from accessing entertainment, game, and video websites. To
achieve this requirement, you can add entertainment, game, and video
websites to the blacklist.

Whitelist for Embedded Links


⚫ Generally, large web pages are embedded with links to other web pages. If only the main web page is added to the
whitelist, the embedded links to other web pages in the main web page cannot be accessed. To access the
embedded links, all of them need to be whitelisted, which, however, involves complex configurations.
⚫ To solve this problem, whitelist for embedded links is added. The system matches the referer field in a user's HTTP
request with the whitelist for embedded links. If they are matched, the user can access the web page. Therefore, if a
web page is added to the whitelist for embedded links, users can access all embedded web pages in the web page,
simplifying the configuration.

[Figure: a user in the office area accesses a web page through the firewall. The URL matches the whitelist, and the firewall permits the URL; for an embedded link, the referer field matches the whitelist for embedded links, and the firewall permits the access.]

• The whitelist for embedded links can be implemented in either of the following
ways:

▫ Use the manually configured referer-host to match the referer field in the
HTTP request. If a match is found, the URL request is permitted. If no
match is found, you can choose whether to match the referer field with all
configured whitelist rules. After matching the referer field against the
whitelist is enabled, the URL request is permitted if the referer field
matches a whitelist rule.

▫ After matching the referer field against the whitelist is enabled, the
configured whitelist is directly used to match the referer field in the HTTP
request. If a match is found, the URL request is permitted.

• The function of matching the referer field against the whitelist is enabled by
default. You can disable this function as required.
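The two referer modes described above, written out as an added example that is not part of the course material. The whitelist, blacklist and referer-host lists, the host-rule form (an exact host or *.domain for a subdomain tree) and the function names are assumptions of this example; the blacklist stage is included because, in the URL filtering process, it runs before the referer check. A result of "continue" means the later stages (categories, reputation) would still apply.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Host name of a URL or of a Referer value (lower-cased, port dropped)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def host_matches(rule: str, host: str) -> bool:
    """Host rule (assumed form): exact host, or '*.example.com' for
    example.com and every name under it."""
    rule = rule.lower()
    if rule.startswith("*."):
        return host == rule[2:] or host.endswith(rule[1:])
    return host == rule


def whitelist_check(url, referer, whitelist, blacklist, referer_hosts,
                    match_referer_against_whitelist=True):
    """Apply the whitelist, blacklist and embedded-link whitelist stages in
    the order of the URL filtering process. Returns (decision, reason) where
    decision is 'permit', 'block' or 'continue'."""
    host = host_of(url)
    if any(host_matches(r, host) for r in whitelist):
        return "permit", "url host matches whitelist"
    if any(host_matches(r, host) for r in blacklist):
        return "block", "url host matches blacklist"
    if not referer:
        return "continue", "no referer field"
    ref = host_of(referer)
    # Mode 1: the manually configured referer-host list.
    if any(host_matches(r, ref) for r in referer_hosts):
        return "permit", "referer matches referer-host"
    # Mode 2 (enabled by default): match the referer against the whitelist rules.
    if match_referer_against_whitelist and any(host_matches(r, ref) for r in whitelist):
        return "permit", "referer matches whitelist"
    return "continue", "no whitelist match"


if __name__ == "__main__":
    # Constructed sample configuration and requests.
    wl, bl, rh = ["www.example.com"], ["*.games.test"], ["portal.example.com"]
    print(whitelist_check("http://www.example.com/index.html", None, wl, bl, rh))
    print(whitelist_check("http://cdn.other.test/app.js",
                          "http://www.example.com/index.html", wl, bl, rh))
    print(whitelist_check("http://cdn.other.test/app.js",
                          "http://www.example.com/index.html", wl, bl, rh,
                          match_referer_against_whitelist=False))
```

The referer field is supplied by the client, so this whitelist widens what is permitted rather than tightening it; keep referer-host entries to the specific portals that actually embed external content.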

URL Categories
⚫ A large number of URLs can be classified into different categories. A URL category can contain multiple URLs. URL
categories can be used to control a type of websites. URL categories are classified into predefined categories and
user-defined categories. User-defined URL categories take precedence over predefined URL categories.
▫ Predefined URL categories: Huawei maintains a large number of mainstream websites and classifies these websites. These websites are embedded in the firewall system and are called predefined URL categories, which are used to control access to common websites. Predefined URL categories cannot be created, deleted, or renamed.
▫ User-defined URL categories are URL categories manually configured by the administrator. They are used to cover new websites and meet special filtering requirements.

⚫ You can configure a user-defined URL category in either of the following ways:
▫ Create a user-defined URL category and add a URL to the user-defined URL category.
▫ Add a URL to a predefined URL category. The URL then belongs to a user-defined URL category.

Actions for URL Categories


⚫ The firewall can perform different actions based on the URL category information.
▫ Allow: allows user access to such websites.
▫ Alert: allows user access and records logs.
▫ Block: denies user access.

⚫ To simplify operations, Huawei firewalls provide three default URL filtering levels and define the actions for each URL category.
▫ High: restricts access to websites related to pornography, illegitimate activities, social networking, and video sharing.
▫ Medium: restricts access to websites related to pornography and illegitimate activities.
▫ Low: restricts access to websites related to pornography.


• After the administrator uses the filtering level, the actions of all URL categories
are automatically generated based on the filtering level.

• A predefined category also contains subcategories. However, in a security policy, the processing action is always applied based on the subcategory. An enterprise administrator can set an action for a category so that all subcategories inherit the action. An enterprise administrator can also adjust the action for a subcategory to meet differentiated management and control requirements. As shown in the figure, the IT-related category contains subcategories which inherit the processing action of the category. You can also set processing actions for subcategories separately.

Process of Querying Predefined URL Categories


⚫ Predefined URL categories can be queried in two modes: predefined URL category cache and remote query server. The process is as follows:
1. After the firewall is powered on, the predefined URL category database is automatically loaded to the predefined URL category cache. The predefined URL category database is preset before delivery and does not need to be manually loaded.
2. A user requests to access a URL resource. After receiving the request, the firewall extracts the URL information from the request packet.
3. The firewall queries the category to which the URL belongs in the predefined URL category cache. If the category is found, the firewall takes the action configured for the URL category.
4. If the category is not found, the firewall continues to query the category on the remote query server, processes the URL based on the query result, and saves the queried URL and its category information to the predefined URL category cache for quick query next time.

[Figure: the predefined URL category database is loaded into the predefined URL category cache on the firewall (step 1); the user's HTTP traffic reaches the firewall (step 2); the firewall queries the cache (step 3) and, on a miss, the remote query server (step 4) before the request goes on to the web server.]


URL Reputation and Malicious URLs


⚫ URL reputation reflects the reliability of the URL that a user accesses. URL reputation values can be queried in two modes: URL reputation hotspot database and remote query server.
▫ URL reputation hotspot database: The URL reputation hotspot database is released by sec.huawei.com. It is used to quickly obtain the latest URL reputation from the cloud to block untrusted URLs in a timely manner.
▫ Remote query server: used when the URL reputation hotspot database update is disabled on the firewall and no URL reputation value is found in the predefined URL category cache. In this case, you can use the URL remote query function to obtain the latest URL reputation value.

⚫ A malicious URL is a URL that contains malicious information. The sources of malicious URLs are as follows (the figure groups them under user-defined URL categories):
▫ Malicious URLs reported by the antivirus function.
▫ Malicious URLs reported by the sandbox that works with the firewall.
▫ Malicious URLs contained in the local reputation, which is obtained from HiSec Insight.

• A sandbox is a virtual system program that allows you to run browsers or other
programs in a sandbox environment. Therefore, changes generated during the
running can be deleted later. It creates a sandbox-like independent operating
environment where programs running inside do not have a permanent impact on
the hard drive. It is an independent virtual environment that can be used to test
untrusted applications or online behaviors.

• Huawei's HiSec Insight is a big data-based advanced persistent threat (APT) defense product that helps with advanced threat analysis. It can effectively collect massive basic network data, such as traffic on the network, and network and security logs of various devices, and perform real-time and offline big data analysis. Combined with machine learning technologies, expert reputation, and intelligence-driven technologies, HiSec Insight can effectively detect potential and advanced threats on the network to implement network-wide security situation awareness. In addition, HiSec Insight can work with the Huawei HiSec solution to efficiently handle threats and prevent potential risks.

External Dynamic Malicious URL List


⚫ The external dynamic malicious URL list is a text file of some malicious URLs released by external official websites.
By updating the external malicious URL signature database, the firewall downloads the latest external dynamic
malicious URL list from external official websites and loads it to its cache.
⚫ After external dynamic malicious URL filtering is enabled, when a user requests to access a URL, the firewall
matches the URL information with the external dynamic malicious URL list in the cache. If a match is found, the
firewall directly blocks the URL request.
⚫ The external malicious URL signature database supports only online update. Online update is classified into
scheduled update and immediate update.

[Figure: the firewall between the internal network users and the Internet updates the external malicious URL signature database from the external update server.]

• Scheduled update: Periodically connects to the external update server to check whether a new version of the external malicious URL signature database is available. If a new version is available, the firewall automatically downloads and updates the local external malicious URL signature database at the specified time.

• Immediate update: This update mode applies when a new external malicious URL signature database is detected on the network but the scheduled update time of the firewall is not reached or the scheduled update function is not enabled on the firewall. The download address for immediate update is the same as that for scheduled update, and the update processes in both modes are the same. The difference between the two update modes is the update time: an immediate update can be performed at any time.
URL Matching Rules (1/3)
⚫ When filtering URLs based on the whitelist, blacklist, user-defined categories, and predefined categories, the firewall
must comply with URL matching rules. There are four URL matching modes:

⚫ Prefix matching: matches all URLs starting with a specified character string, such as www.example*. Example: to control access to all websites starting with www.example, configure the URL filtering rule www.example*.
⚫ Suffix matching: matches all URLs ending with a specified character string, such as *aspx. Example: to control access to all image web pages at www.example.com, configure the URL filtering rules *.jpg, *.jpeg, *.gif, *.png, and *.bmp.
⚫ Keyword matching: matches all URLs containing a specified character string, such as *sport*. Example: to control access to all websites containing the word sport, configure the URL filtering rule *sport*.
⚫ Exact matching: the system checks whether the URL matches the specified string. If not, the system removes the last directory from the URL and compares it with the specified string again. The process repeats until the URL contains only the domain name, for example, www.example.com. Example: to control access to all websites at www.example.com, configure the URL filtering rule www.example.com.


• You can configure URL and host rules in the whitelist, blacklist, user-defined categories, and predefined categories. A URL rule matches all parts of a URL, whereas a host rule matches only a domain name (or IP address). The two types of rules apply to the following scenarios:

▫ If the URLs to be permitted or blocked are domain names, both URL rules and host rules apply in most cases, and the two types of rules have the same filtering effect. For example, permit or block the access to domain name www.example.com.

▫ If the permitted or blocked URLs are in the second-level domain name format and a small number of URLs need to be configured, either URL rules or host rules can be configured. If a large number of URLs need to be configured, configuring host rules is simpler. For example, permit or block the access to domain name news.example.com.

▫ If the permitted or blocked URLs carry directory and parameter information, only URL rules can be configured, and no host rule is suitable. For example, permit or block the access to URL www.example.com/news.
URL Matching Rules (2/3)
⚫ URL matching modes are listed as follows in descending order of priority:
▫ Exact matching > suffix matching > prefix matching > keyword matching

⚫ For example, the URL www.example.com/news can match the following three modes at the same time. Based on the priority, the URL category corresponding to the exact matching condition www.example.com/news is used.
▫ Exact matching: www.example.com/news
▫ Prefix matching: www.example.com/*
▫ Keyword matching: *example*

⚫ In the same matching mode, a longer matching rule has a higher priority. For example, URL www.example.com/news/index.html first matches www.example.com/news/* in the following prefix matching rules:
▫ www.example.com/news/*
▫ www.example.com/*

URL Matching Rules (3/3)
⚫ If the matching rules in the same mode have the same length, the configured action mode is used to determine the rule that a URL matches.
▫ If the action mode is Strict, the URL category with the strictest action is used.
▫ If the action mode is Loose, the URL category with the loosest action is used.

⚫ As described in the following table, the two URL rules are in keyword matching mode and have the same length. For URL www.example.com, if two categories can be matched at the same time but the control actions are different:
▫ If the action mode is Strict, the URL will match the category with a stricter action. In this example, the URL matches category B whose action is Block.
▫ If the action mode is Loose, the URL will match the category with a looser action. In this example, the URL matches category A whose action is Allow.

Category Action
www.example.com/A Allow
www.example.com/B Block
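
A worked implementation of the four matching modes, the mode priority, the longest-rule rule and the Strict/Loose tie-break, added here as an example rather than Huawei's code. It assumes that the asterisks in a rule mark its mode (www.example* prefix, *aspx suffix, *sport* keyword, none exact), that rules are compared against the host and path with the scheme and query string dropped, and that Block is stricter than Alert, which is stricter than Allow.

```python
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Mode priority from the slides: exact > suffix > prefix > keyword.
MODE_PRIORITY = {"exact": 3, "suffix": 2, "prefix": 1, "keyword": 0}
# Strictness of the category actions (assumed ordering: Block > Alert > Allow).
ACTION_RANK = {"allow": 0, "alert": 1, "block": 2}


@dataclass(frozen=True)
class Rule:
    pattern: str    # e.g. "www.example*", "*aspx", "*sport*", "www.example.com/news"
    category: str   # URL category the rule belongs to
    action: str     # "allow", "alert" or "block" configured for that category

    @property
    def mode(self) -> str:
        # Assumption: the asterisks decide the mode (*x* keyword, *x suffix, x* prefix).
        starts, ends = self.pattern.startswith("*"), self.pattern.endswith("*")
        if starts and ends:
            return "keyword"
        if starts:
            return "suffix"
        if ends:
            return "prefix"
        return "exact"


def normalize(url: str) -> str:
    """Reduce a URL to lower-case host[:port] plus path. The scheme and the
    query string are dropped before matching (assumption of this example)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.netloc + parts.path.rstrip("/")).lower()


def matches(rule: Rule, url: str) -> bool:
    target, pat = normalize(url), rule.pattern.lower()
    mode = rule.mode
    if mode == "keyword":
        return pat[1:-1] in target
    if mode == "suffix":
        return target.endswith(pat[1:])
    if mode == "prefix":
        return target.startswith(pat[:-1])
    # Exact matching: compare the whole URL, then drop the last directory and
    # compare again, until only the domain name (host part) is left.
    candidate = target
    while True:
        if candidate == pat:
            return True
        if "/" not in candidate:
            return False
        candidate = candidate.rsplit("/", 1)[0]


def select_rule(rules: Iterable[Rule], url: str, action_mode: str = "strict") -> Optional[Rule]:
    """Pick the rule that decides the URL: highest-priority mode first, then
    the longest pattern within that mode. Equal-length rules in the same mode
    are resolved by the action mode: Strict takes the strictest action, Loose
    the loosest. Returns None when no rule matches."""
    hits = [r for r in rules if matches(r, url)]
    if not hits:
        return None

    def key(r: Rule):
        return (MODE_PRIORITY[r.mode], len(r.pattern))

    best = max(key(r) for r in hits)
    tied = [r for r in hits if key(r) == best]
    pick = max if action_mode.lower() == "strict" else min
    return pick(tied, key=lambda r: ACTION_RANK[r.action])


if __name__ == "__main__":
    # Constructed rule set mirroring the slide examples.
    rules = [
        Rule("www.example.com/news", "news (exact)", "allow"),
        Rule("www.example.com/*", "site (prefix)", "block"),
        Rule("*example*", "A (keyword)", "allow"),
        Rule("*.com/ne*", "B (keyword)", "block"),
    ]
    for url in ("www.example.com/news", "www.example.com/news/index.html", "www.other.org"):
        for mode in ("strict", "loose"):
            hit = select_rule(rules, url, mode)
            print(url, mode, "->", (hit.category, hit.action) if hit else "no match")
```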

Application Scenarios of DNS Filtering
⚫ DNS filtering filters domain names in DNS request packets to allow or prohibit users' access to certain websites,
regulating online behaviors.
⚫ The firewall is deployed at the network border as the enterprise's gateway. When enterprise users initiate web
requests, the firewall can allow, alert, or block users' requests by filtering domain names in the request packets.
⚫ As shown in the following figure, DNS filtering is applied to:
▫ Users' access requests to websites with legitimate domain names are permitted.
▫ Users' access requests to websites with illegitimate domain names are blocked.

[Figure: a user in the office area sends a DNS request packet through the firewall towards the DNS server. The firewall extracts the domain name from the DNS request packet: a legitimate domain name is permitted and the user reaches the web server, an illegitimate domain name is blocked.]

• DNS filtering can allow or block requests based on schedules, users, or user groups by referencing these configuration items, controlling users' Internet access permissions in a more refined and accurate manner.
Process of DNS Filtering
⚫ If traffic matches a security policy that has a DNS filtering profile configured, the device extracts the domain name
from the DNS request packet and sends the domain name for DNS filtering. The following figure shows the DNS
filtering process:
1. Extract the domain name from the DNS request packet in the traffic.
2. Does the domain name match the blacklist or whitelist? If yes, permit the traffic when it matches the whitelist and block the traffic when it matches the blacklist.
3. If not, does the domain name match a user-defined category? If yes, perform the corresponding control action to process the traffic.
4. If not, does the domain name match a predefined category? If yes, perform the corresponding control action to process the traffic.
5. If not, is the remote query server available? If yes, start remote query and perform the corresponding operations. If not, apply the default control action.

• Similar to URLs, DNS categories may be user-defined or predefined. You can either create user-defined categories or use predefined categories to filter domain names.

• Predefined categories

▫ A large number of common domain names are already added to predefined categories. You can easily manage the accessible and inaccessible domain name categories.

▫ Predefined DNS categories are embedded in the system and are the same as predefined URL categories. You cannot create, delete, or rename predefined DNS categories, or add user-defined domain name rules to predefined DNS categories.

• User-defined categories

▫ Although predefined categories cover mainstream websites, some new websites may not be covered. In this case, you can create user-defined categories to meet special filtering requirements or enhance predefined DNS categories.
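
The DNS filtering cascade from the process figure, as an added example that is not Huawei's code: a minimal wire-format parser extracts the question name, then the stages are applied in the order shown (whitelist/blacklist, user-defined category, predefined category, remote query, default action). The profile layout, the *.domain rule form, the remote_query callback and the sample domains are assumptions of this example.

```python
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query in wire format (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def extract_domain(packet: bytes) -> str:
    """Return the question name of a DNS request, as the firewall's first step.
    Only uncompressed labels are accepted; anything else is treated as malformed."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def domain_matches(rule: str, name: str) -> bool:
    """Domain rule (assumed form): exact name, or '*.example.com' for
    example.com and every name under it."""
    rule = rule.lower()
    if rule.startswith("*."):
        return name == rule[2:] or name.endswith(rule[1:])
    return name == rule


def remote_server_down(name: str):
    """Stand-in for an unreachable remote query server."""
    raise ConnectionError("remote query server unavailable")


def dns_filter(packet: bytes, profile: dict, remote_query=None):
    """Apply the DNS filtering stages in order; returns (action, name, stage)."""
    name = extract_domain(packet)
    if any(domain_matches(r, name) for r in profile["whitelist"]):
        return "permit", name, "whitelist"
    if any(domain_matches(r, name) for r in profile["blacklist"]):
        return "block", name, "blacklist"
    # User-defined categories take precedence over predefined ones.
    for kind in ("user_defined", "predefined"):
        for category, (domains, action) in profile[kind].items():
            if any(domain_matches(r, name) for r in domains):
                return action, name, f"{kind}:{category}"
    if remote_query is not None:
        try:
            category, action = remote_query(name)
            return action, name, f"remote:{category}"
        except ConnectionError:
            pass  # server unavailable: fall through to the default action
    return profile["default_action"], name, "default"


# Constructed DNS filtering profile: category -> (domain rules, action).
PROFILE = {
    "whitelist": ["intranet.example.com"],
    "blacklist": ["*.games.test"],
    "user_defined": {"partners": (["*.partner.test"], "allow")},
    "predefined": {"video": (["video.test", "*.video.test"], "alert")},
    "default_action": "permit",
}

if __name__ == "__main__":
    for host in ("intranet.example.com", "play.games.test", "cdn.video.test", "shop.test"):
        print(dns_filter(build_query(host), PROFILE, remote_server_down))
```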
Comparison Between URL Filtering and DNS Filtering
⚫ The DNS filtering function filters domain names in DNS request packets to allow or prohibit users' access to certain
websites, regulating their online behaviors. Compared with URL filtering, DNS filtering performs access control
earlier, which effectively reduces the traffic of HTTP packets on the entire network.
⚫ Compared with DNS filtering, URL filtering controls users' access to network resources in a more refined manner.

⚫ Access control phase: URL filtering performs the control when an HTTP/HTTPS URL request is initiated; DNS filtering performs the control in the domain name resolution phase.
⚫ Control granularity: URL filtering is fine-grained, and the control can be performed at the directory and file levels; DNS filtering is coarse-grained, and the control can be performed only at the domain name level.
⚫ Impact on performance: URL filtering has a big impact; DNS filtering has a small impact.
⚫ Control scope: URL filtering controls only the HTTP/HTTPS access; DNS filtering controls all services corresponding to the domain name.
Overview of File Blocking
⚫ File blocking is a security mechanism used to filter files based on the file type. The firewall can block or
generate alarms for specific types of files by identifying the file types.
⚫ File blocking blocks the transmission of certain types of files, which reduces the risk of malicious code and viruses being executed on the internal network and prevents employees from transmitting the enterprise's confidential files to the Internet.
[Figure: the firewall sits between the Trust zone (intranet, enterprise employees), the DMZ (internal server) and the Untrust zone, blocking virus-infected files and confidential documents in both directions.]

• The firewall identifies the types of files transferred through itself, and blocks or
generates alarms for files of the specified type.

• If the file (traffic) that passes through the firewall matches a security policy rule,
the action in the rule is permit, and the rule references the file blocking profile,
file blocking detection is required.

• The administrator configures the file blocking function on the firewall to implement security protection as follows:

▫ Reducing the risks of confidential information disclosure

▪ Generally, confidential information is stored in a document that can be compressed. If employees upload confidential documents to the Internet or hackers steal confidential documents from intranet servers, the enterprise's confidential information or user information will be leaked. File blocking blocks the upload of documents and compressed files to the Internet and prevents Internet users from downloading documents and compressed files from the intranet server. Therefore, the risks of information leaks are greatly reduced.

▫ Reducing the risk of virus-infected files entering the internal enterprise network

▪ Viruses often attach to executable files to evade detection and penetrate firewalls. File blocking prevents intranet users from downloading executable files from the Internet and blocks Internet users from uploading executable files to the intranet server. Therefore, the risks of virus infection are greatly reduced.

▫ Preventing file transfers that occupy bandwidth and affect employees' work efficiency

▪ Downloading a large number of non-work-related video or image files not only occupies network bandwidth but also reduces employees' work efficiency. Therefore, preventing intranet users from downloading video, image, and compressed files from the Internet ensures normal service bandwidth and employees' work efficiency.
Process of File Blocking
⚫ After file blocking is configured on the enterprise gateway, files uploaded or downloaded by employees
match the configured file blocking rules and the corresponding action is performed based on the
identification result.

[Figure: file blocking process on the firewall between Trust (intranet, enterprise employees) and Untrust: 1 file identification, 2 control item analysis, 3 action execution, applied to confidential files, virus-infected files, etc.]

• Control items refer to the user-defined file type, file name extension, and file
transfer direction. File analysis is performed based on these settings.
Principles of File Blocking Technologies (1/2)
⚫ The firewall can identify received files as follows:
 File application protocol: Files are transmitted over an application protocol, such as HTTP, FTP, SMTP, POP3, or IMAP.
 File transfer direction: The value can be upload or download.
 File type: The firewall can identify the actual file type. For example, the file name of file.doc can be changed to file.exe, but the
file type is still .doc.
 File name extension: It indicates the suffix of the file name (including the compressed file). For example, the file name extensions
of file.doc and file.exe are .doc and .exe, respectively.

⚫ If the file identification result is abnormal, the firewall performs the action configured for that exception. Generally, the default value is used. The abnormal file type identification results are as follows:
 Mismatched file name extension: The file type is inconsistent with the file name extension.
 Unidentified file type: The file type cannot be identified and no file name extension is available.
 File damage: The file type cannot be identified because the file is damaged.
Principles of File Blocking Technologies (2/2)
⚫ The firewall determines whether to match files with filtering rules as well as matching conditions based on file identification results
and the action for file identification exceptions.

 The file type and file name extension are consistent.
  ▫ Action for file identification exceptions: none.
  ▫ Rule matching: if the device matches the file with file blocking rules by type, the matching conditions are Application, Pre-defined file type, and Direction.
 The file type and file name extension are inconsistent.
  ▫ Action for file identification exceptions: the device implements the action for the mismatched file name extension.
   − Allow: allows file transfer and matches the file with the file blocking rules.
   − Alert: allows file transfer, records logs, and matches the file with the file blocking rules.
   − Block: blocks file transfer and records logs.
  ▫ Rule matching: if the firewall matches the file with file blocking rules by type, the matching conditions are Application, File Type, and Direction.
 The file type cannot be identified, but the file name extension exists.
  ▫ Action for file identification exceptions: none.
  ▫ Rule matching: if the device matches the file with file blocking rules by name extension, the matching conditions are Application, User-defined File Name Extension, and Direction.
 The file type cannot be identified and no file name extension exists.
  ▫ Action for file identification exceptions: the device implements the action for the unidentified file type.
   − Allow: allows file transfer.
   − Alert: allows file transfer and records logs.
   − Block: blocks file transfer and records logs.
  ▫ Rule matching: none.
 The file is damaged.
  ▫ Action for file identification exceptions: the firewall implements the action for the damaged file.
   − Allow: allows file transfer.
   − Alert: allows file transfer and records logs.
   − Block: blocks file transfer and records logs.
  ▫ Rule matching: none.

• The firewall sets an action for file identification exceptions and determines the
next step based on the action.

• To match file blocking rules, the firewall matches file attributes (application,
direction, file type, and file name extension) with the rules in the file blocking
profile defined by the administrator.

▫ If the attributes of a file meet all conditions in a file blocking rule, the file
matches the rule successfully. Otherwise, the next rule is matched. If the file
does not match any rule, the firewall allows the file transfer.

▫ If the file matches a rule, the firewall implements the action defined in the
rule. If the action is Block, the firewall blocks the file transfer. If the action
is Alert, the firewall allows the file transfer and records a log.

• Note: If the file type cannot be identified, the system checks whether the file
name extension exists. If the file name extension exists, the system matches the
file against file blocking rules. If the file name extension does not exist, the
system performs the action defined for files without file name extensions.
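The identification and rule-matching logic described above, as an added example (not Huawei code): the actual type is taken from the leading bytes and compared with the name extension, the configured exception action is applied, and the rules are then matched on application, direction and type or extension. The magic-byte table, rule fields, action names and sample files are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed magic-byte table (a real signature library is far larger). The type
# identified here depends only on the content, never on the file name.
MAGIC = {
    b"MZ": "exe",                # Windows PE executable
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "doc",  # legacy OLE compound document
    b"PK\x03\x04": "zip",
}

def identify_type(data: bytes) -> Optional[str]:
    """Return the actual file type from the leading bytes, or None if unknown."""
    for magic, ftype in MAGIC.items():
        if data.startswith(magic):
            return ftype
    return None

def extension_of(name: str) -> Optional[str]:
    """Lower-case file name extension without the dot, or None when there is none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else None

@dataclass
class Rule:
    application: str                  # e.g. "http", "ftp", "smtp"
    direction: str                    # "upload" or "download"
    action: str                       # "block" or "alert"
    file_type: Optional[str] = None   # match on the identified type ...
    extension: Optional[str] = None   # ... or on a user-defined name extension

@dataclass
class Profile:
    rules: list = field(default_factory=list)
    # Actions for the three identification exceptions: "allow", "alert" or "block"
    on_mismatch: str = "alert"
    on_unidentified: str = "allow"
    on_damaged: str = "allow"

def _exception_action(action: str, what: str, log: list) -> str:
    """Apply an exception action: 'alert' logs and allows, 'block' blocks."""
    if action == "alert":
        log.append(f"alert: {what}")
    return "block" if action == "block" else "allow"

def match_rules(profile, application, direction, file_type, extension, log):
    """Walk the rules in order; the first rule whose conditions all hold decides.
    A file that matches no rule is allowed."""
    for r in profile.rules:
        if r.application != application or r.direction != direction:
            continue
        if r.file_type is not None and r.file_type != file_type:
            continue
        if r.extension is not None and r.extension != extension:
            continue
        if r.action == "alert":
            log.append(f"alert: rule hit ({application} {direction} {extension or file_type})")
            return "allow"
        return "block"
    return "allow"

def file_blocking(profile, application, direction, name, data, damaged=False):
    """Decide 'allow' or 'block' for one transferred file; also returns log lines."""
    log = []
    ext = extension_of(name)
    if damaged:
        # Type cannot be identified because the file is damaged: exception action only.
        return _exception_action(profile.on_damaged, f"damaged file {name}", log), log
    ftype = identify_type(data)
    if ftype is None and ext is None:
        # Neither type nor extension available: unidentified-type action only.
        return _exception_action(profile.on_unidentified, f"unidentified {name}", log), log
    if ftype is None:
        # Type unknown but extension present: match rules by user-defined extension.
        return match_rules(profile, application, direction, None, ext, log), log
    if ext is not None and ext != ftype:
        # Renamed file: apply the mismatch action, then still match rules by real type,
        # so an executable renamed to .txt is still treated as an executable.
        log.append(f"extension mismatch: {name} is actually {ftype}")
        if _exception_action(profile.on_mismatch, f"mismatch {name}", log) == "block":
            return "block", log
    return match_rules(profile, application, direction, ftype, ext, log), log
```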
Introduction to Data Filtering
⚫ Data filtering is a security mechanism that filters the content of a file or an application. The firewall implements in-
depth identification of traffic content and performs the block or alert action on traffic containing specified
keywords.
⚫ Content filtering prevents disclosure of confidential information and transmission of violation information.

[Figure: the firewall sits between the Trust zone (intranet, enterprise employees), the DMZ (internal server) and the Untrust zone, blocking confidential content and unpermitted content leaving the intranet and content unrelated to work entering it.]

• The administrator configures the data filtering function on the firewall to implement security protection as follows:

▫ Reduce the risks of enterprise confidential information disclosure.

▫ Reduce the legal risks incurred when employees browse, release, or spread violation information.

▫ Prevent employees from browsing and searching for content unrelated to work, improving working efficiency.
Process of Data Filtering
⚫ If the traffic that passes through the device matches a security policy, the action in the security policy
rule is permit, and the rule references the data filtering profile, data filtering detection is required for
the traffic. The procedure is as follows:

[Flowchart: traffic that matches a security policy whose action is permit → identify the content attributes of the traffic → is a data filtering rule matched? (No: permit) → is any keyword detected? (No: permit) → Yes: execute the action.]

• The data filtering process is as follows:

▫ The device detects the traffic content and identifies the traffic content
attribute.

▪ For an application, the identified content includes the application type and transmission direction.

▪ For a file, the identified content includes the protocol used for transmitting the file, the file type, and the transmission direction.

▫ The device compares the traffic features with the conditions in the data
filtering rule. If all conditions are matched, the traffic matches the data
filtering rule. Otherwise, the next rule is compared. If no data filtering rule
is matched, the device permits the traffic.

▫ If the traffic matches a data filtering rule, the device checks whether any
keyword defined in the data filtering rule exists in the traffic content. If a
keyword is identified, the device performs the response action. If no
keyword is identified, the device permits the traffic.
Traffic Identification for Data Filtering
⚫ The data filtering technology implements in-depth identification of traffic content and the device
performs the block or alert action on traffic containing specified keywords. Data filtering falls into two
types: file data filtering and application data filtering.
 File data filtering filters the uploaded and downloaded files by keyword. You can specify the protocols for file
transfer or the types of files to be filtered.
 Application data filtering filters application content by keyword. The content filtered varies according to different
applications.
 Identify the content attributes of traffic: for file data, the application type, file type, and file transfer direction are identified; for application data, the application type and application content transmission direction are identified.
Filtering Content Supported by Common Protocols

 HTTP
  ▫ Upload direction: content of microblogs posted by users, content of posts posted by users, content entered by users for search, content of information submitted by users, and names of uploaded files
  ▫ Download direction: content of browsed web pages, and names of files downloaded using HTTP
 FTP: names and content of uploaded and downloaded files
 SMTP: title, body, and attachment name of the sent mail
 POP3: title, body, and attachment name of the received mail
 IMAP: title, body, and attachment name of the received mail
 NFS: content of the uploaded or downloaded file
 SMB: content of the uploaded or downloaded file
Keyword Detection for Data Filtering
⚫ A keyword refers to the content to be identified by the device in data filtering. The device performs the
specified action for the files or applications containing a specified keyword. Generally, the keyword is
confidential or illegitimate information.
⚫ The keyword includes pre-defined keywords and user-defined keywords.
 Pre-defined keywords include bank card numbers, credit card numbers, social security numbers, ID card numbers,
and confidentiality (including confidential, secret, and top secret information).
 User-defined keywords can be texts or regular expressions.

 Text mode: the keyword to be identified is given as plain text. For example, to identify the keyword "confidential document", you only need to define the keyword "confidential document" in text mode.
 Regular expression mode: the keywords to be identified are defined as regular expressions. For example, the period (.) in the regular expression abc.de can match any single character.

• The following are common characters:

▫ "." indicates that any non-line feed character is matched.

▫ "()" indicates the start and end positions of a subexpression.

▫ "*" indicates that the preceding character or expression is matched for zero
or multiple times.

▫ "\d" indicates that a digit is matched, ranging from 1 to 9.

▫ "\w" indicates that digits, letters, and underscores (_) are matched.
Actions for Data Filtering
⚫ When the device identifies keywords during data filtering detection, it performs a response action.

 Alert: the device generates logs but does not block the content.
 Block: the device blocks the content and generates logs. For users, the web pages cannot be displayed, files cannot be uploaded or downloaded, and mails cannot be sent or received.
 Weight-based operations: each keyword has a weight. The device adds the weights of identified keywords by matching count. If the sum of weights is less than the block threshold and greater than or equal to the alert threshold, the device generates an alarm. If the sum of weights is greater than or equal to the block threshold, the device blocks the traffic.

• The following is an example of weight-based operations:

▫ Two keywords are defined on the device. The weight of keyword a is 1, and
that of keyword b is 2. The alert threshold for data filtering is 1, and the
block threshold is 5. Assuming that keyword a appears once on the web
page browsed by a user, the sum of weights is 1, which is equal to the alert
threshold. The device generates a log, but the user can continue browsing
the web page. If keyword a appears three times and keyword b appears
twice on the web page browsed by a user, the sum of weights is 7 (3 x 1 +
2 x 2 = 7), which is greater than block threshold 5. The device blocks the
web page and generates a log, and the web page cannot be displayed for
the user.
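The weight-based operation above, as an added example (not Huawei code): text-mode and regular-expression keywords each carry a weight, and the summed score is compared with the alert and block thresholds. Keyword names, patterns, the card-number regular expression and the sample page text are constructed; the weights and thresholds reproduce the worked example (a = 1, b = 2, alert threshold 1, block threshold 5).

```python
import re
from dataclasses import dataclass

@dataclass
class Keyword:
    name: str
    pattern: str
    weight: int
    is_regex: bool = False   # text mode by default; regular-expression mode when True

@dataclass
class KeywordGroup:
    keywords: list
    alert_threshold: int
    block_threshold: int

def count_matches(kw: Keyword, content: str) -> int:
    """Number of occurrences of one keyword in the inspected content."""
    if kw.is_regex:
        return len(re.findall(kw.pattern, content))
    # Text mode: literal, case-insensitive match of the keyword string.
    return content.lower().count(kw.pattern.lower())

def weighted_score(group: KeywordGroup, content: str):
    """Sum of weight x matching count over all keywords, plus the per-keyword counts."""
    counts = {kw.name: count_matches(kw, content) for kw in group.keywords}
    score = sum(kw.weight * counts[kw.name] for kw in group.keywords)
    return score, counts

def decide(group: KeywordGroup, content: str) -> str:
    """'block' when score >= block threshold, 'alert' when alert <= score < block,
    otherwise 'permit' (the traffic passes untouched)."""
    score, _ = weighted_score(group, content)
    if score >= group.block_threshold:
        return "block"
    if score >= group.alert_threshold:
        return "alert"
    return "permit"

# Constructed keyword group mirroring the example: a weighs 1, b weighs 2.
GROUP = KeywordGroup(
    keywords=[
        Keyword("a", "confidential", 1),
        Keyword("b", "top secret", 2),
        # Regular-expression mode: a constructed 16-digit card-number shape with
        # weight 5, so a single hit already reaches the block threshold.
        Keyword("card", r"\b[0-9]{4}(?:[ -]?[0-9]{4}){3}\b", 5, is_regex=True),
    ],
    alert_threshold=1,
    block_threshold=5,
)

# Constructed sample page contents (not real traffic).
PAGE_ONE_HIT = "Quarterly update. Confidential: do not forward."
PAGE_MANY_HITS = ("confidential draft, confidential review, confidential final; "
                  "marked top secret and top secret again")
PAGE_CARD = "Please charge 4111 1111 1111 1111 for the order."
PAGE_CLEAN = "Lunch menu for Friday."
```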
Process of Mail Transfer
⚫ The following figure shows the mechanism for sending and receiving mails.
 The user encapsulates the mail content into an SMTP message and sends it to the sender's SMTP server.
 The sender's SMTP server encapsulates the mail into an SMTP message and sends it to the recipient's SMTP server for storage.
 After receiving the request from the user, the POP3/IMAP server obtains the mail stored on the SMTP server.
 The POP3/IMAP server encapsulates the mail into a POP3/IMAP message and sends it to the receiver.

[Figure: sender → sender's SMTP server (1 send a mail: SMTP message) → receiver's SMTP server (2 encapsulate the mail into an SMTP message and send it to the receiver's SMTP server) → receiver's POP3/IMAP server (3 read the stored mail) → receiver (4 receive a mail: POP3/IMAP message).]

• The network administrator needs to deploy the SMTP and POP3 (or IMAP)
services on the mail server, and mail client software (such as Microsoft Outlook
or Foxmail) is installed on an end user's PC.

• Mail transfer protocols:

▫ SMTP defines how PCs send mails to an SMTP server and how mails are
transferred between SMTP servers.

▫ Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP) specify how PCs manage and download mails on the mail server through client software.

▫ The differences between IMAP and POP3 are as follows: When POP3 is
used, after the client software downloads unread mails to the PC, the mail
server deletes the mails. If IMAP is used, users can directly manage mails on
the server without downloading all mails to the local PC.
Overview of Mail Filtering
⚫ Mail filtering manages and controls the mail receiving and sending behavior, including preventing flooding of spam
and anonymous mails and controlling unauthorized mail receiving and sending.
⚫ Mail filtering checks IP addresses and filters mail content to enhance mail system security for LAN users.
 The IP address check prevents flood of spam on the intranet.
 Mail content filtering filters out anonymous mails and checks mail content to control permission of intranet users for sending or
receiving mails.
[Figure: the firewall connects the DMZ (mail server), the Trust zone (R&D: mails can only be received, mails cannot be sent; Sales: mails can be sent but the attachment size is limited) and the Untrust zone (external mail server sending anonymous mail and spam).]

• As shown in the figure, the firewall functions as the security gateway of an office
network and the mail server is deployed on the intranet. Intranet users send and
receive mails through the intranet mail server.

• After mail filtering is configured on the firewall, the following mail security
protection can be implemented:

▫ Enable the anti-spam function to prevent the intranet SMTP server from
receiving a large amount of spam.

▫ Enable the anonymous mail check function to prevent illegitimate information from being transmitted over the entire network in anonymous mails.

▫ Enable the mailbox address check function. In this way, only the specified
mail address can be used to send or receive mails. With the mail sending
and receiving permissions being controlled, important information
disclosure by intranet users can be prevented.

▫ Enable the mail attachment control function to control the size and number
of attachments, preventing a large amount of information from being
leaked through attachments.
IP Address-based Filtering (1/2)
⚫ According to the mail working mechanism, no authentication is performed between the PC and the mail server or
between the mail servers. Attackers can send mails through any SMTP server on the Internet.
⚫ To prevent spam flooding, you can check the validity of the source IP address of the sender's SMTP server.
 Query the local blacklist and whitelist
 Query the Real-time Blackhole List (RBL)

[Figure: external SMTP servers (an authorized user sending normal mail, a hacker sending spam) → firewall in front of the DMZ SMTP server: 1 receive an SMTP message, 2 obtain the source IP address and perform the validity check, 3 permit legitimate connections (normal mail, permit) and block spam (spam, block).]

• The RBL is a large online database jointly collected by anti-spam organizations that lists the IP addresses of SMTP servers that frequently forward spam.
• Spam refers to a mail that is sent to a user's mailbox without permission. The
spam usually contains advertisements, publicity materials, or even virus
programs. A large amount of spam not only consumes network bandwidth,
occupies mailbox space, but also brings security risks.
• In IP address check, the firewall checks the source IP address of the sender's
SMTP server. The implementation process is as follows:
▫ The firewall receives SMTP messages from other SMTP servers, including
normal mails and spam.
▫ The firewall checks the IP address.
▪ Parses the SMTP message and obtains the source IP address of the
sender's SMTP server from the SMTP message.
▪ Checks the validity of the source IP address. The firewall compares the
IP address with the blacklist and whitelist to determine the validity of
the IP address:
− If the source IP address matches the local whitelist, the mail is
legitimate. Otherwise, the mail is searched against the local
blacklist.
− If the mail matches the local blacklist, the mail is considered as
spam. Otherwise, the mail is searched against the RBL.
− If the mail matches the RBL, the mail is spam. Otherwise, the
mail is legitimate.
▫ Allows legitimate mails and blocks spam.
IP Address-based Filtering (2/2)
⚫ RBL query mechanism:
 The firewall obtains the IP address of the sender's SMTP server and sends a query request to the RBL server.
 The RBL server maintains a real-time blacklist. All SMTP servers in the blacklist have sent spam.
 The firewall determines whether the IP address belongs to the spam server based on the result returned by the RBL server and
takes the corresponding actions.
[Figure: sender's SMTP server → firewall (1 extract the source IP address of the SMTP server) → DNS server (2 send a DNS parsing request) → RBL server (3 send an RBL query request, 4 reply the RBL response code) → DNS server (5 forward the response code) → firewall (6 block mails); the protected SMTP server is in the DMZ.]

• The query process is as follows:


1. After receiving an SMTP message, the firewall extracts the IP address of
the sender's SMTP server.
2. The firewall adds the IP address parsed in the preceding step and the RBL
service name specified by the third-party RBL server to a message and
sends a parsing request to the DNS server. For example, if the source IP
address of the SMTP server is 1.2.3.4 and the RBL service name is
sbl.spamhaus.org, the firewall sends 4.3.2.1.sbl.spamhaus.org to the DNS
server.
3. The DNS server reads the RBL service name in the received message,
parses the IP address of the RBL server, and forwards the query request to
the RBL server.
4. After receiving the query request, the RBL server returns an IP address as a
response code to the DNS server. The response code indicates whether an
IP address is found for this RBL query.
5. The DNS server forwards the response code obtained from the RBL server
to the firewall.
6. The firewall determines whether the mail sent by the SMTP server is spam
based on the response code.
▪ If the response code obtained from the RBL server is the same as that
configured on the firewall, the SMTP mail is regarded as spam.
▪ If the response code obtained from the RBL server is different from
that configured on the firewall, the SMTP mail will be allowed to pass
through.
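The whitelist, blacklist and RBL order from the two IP address-based filtering slides, as an added example (not Huawei code): the RBL query name is built by reversing the octets and appending the RBL service name, and the answer is compared with the response code configured on the firewall. The local lists, the expected response code and the stubbed DNS resolver are constructed assumptions; only the RBL service name comes from the text.

```python
import ipaddress
from typing import Callable, Optional

def rbl_query_name(ip: str, rbl_zone: str) -> str:
    """Reverse the IPv4 octets and append the RBL service name:
    1.2.3.4 with sbl.spamhaus.org -> 4.3.2.1.sbl.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + rbl_zone

def rbl_listed(ip: str, rbl_zone: str, expected_code: str,
               resolve: Callable[[str], Optional[str]]) -> bool:
    """Spam only when the RBL answer equals the response code configured on the
    firewall; NXDOMAIN (None) or a different code lets the mail pass."""
    answer = resolve(rbl_query_name(ip, rbl_zone))
    return answer is not None and answer == expected_code

def check_sender_ip(ip, whitelist, blacklist, rbl_zone, expected_code, resolve) -> str:
    """Validity check in the order given in the text: whitelist, blacklist, RBL."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.IPv4Network(n) for n in whitelist):
        return "legitimate"      # whitelisted: no further lookups
    if any(addr in ipaddress.IPv4Network(n) for n in blacklist):
        return "spam"            # local blacklist hit: blocked without an RBL query
    return "spam" if rbl_listed(ip, rbl_zone, expected_code, resolve) else "legitimate"

# Constructed configuration and a stand-in for the DNS server (no network access).
RBL_ZONE = "sbl.spamhaus.org"     # RBL service name used in the text above
EXPECTED_CODE = "127.0.0.2"       # constructed: response code configured on the firewall
WHITELIST = ["198.51.100.0/24"]   # constructed local whitelist
BLACKLIST = ["192.0.2.0/24"]      # constructed local blacklist
_RBL_ANSWERS = {                  # constructed RBL zone content: query name -> A record
    rbl_query_name("203.0.113.7", RBL_ZONE): "127.0.0.2",   # listed, matching code
    rbl_query_name("203.0.113.9", RBL_ZONE): "127.0.0.3",   # listed with another code
    rbl_query_name("198.51.100.5", RBL_ZONE): "127.0.0.2",  # listed but whitelisted
}

def fake_resolve(name: str) -> Optional[str]:
    """Stubbed DNS resolver: A record for listed names, None for NXDOMAIN."""
    return _RBL_ANSWERS.get(name)

def check(ip: str) -> str:
    """Convenience wrapper using the constructed configuration above."""
    return check_sender_ip(ip, WHITELIST, BLACKLIST, RBL_ZONE, EXPECTED_CODE, fake_resolve)
```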
Mail Content-based Filtering
⚫ When the firewall functions as the security gateway, all data must be forwarded by the firewall. Before forwarding the data, the firewall checks it and filters out the messages that contain illegitimate mails. The implementation process is as follows:
1. The data reaches the firewall.
2. The firewall performs mail content filtering.
◼ Traffic identification: The firewall identifies the mail content to be filtered based on the matching conditions, such as the source security zone, destination security zone, source IP address, and destination IP address.
◼ Mail filtering: The firewall analyzes which traffic contains mail content, checks the mail address and attachment size, and identifies illegitimate mails.
3. Discard the messages containing illegitimate mails.

[Figure: mail server → firewall (Trust): 1 receive messages, 2 mail content filtering (traffic identification, mail filtering), 3 discard illegitimate mails.]

• Anonymous mail check, mail address check, and mail attachment control filter
out illegitimate mails based on their content. They check the mail addresses of
the sender and receiver, the attachment size, and the number of attachments.

• The mail content filtering detection is classified into the sending direction and
receiving direction.

▫ If the mail content is encapsulated in an SMTP message, the firewall performs detection in the sending direction.

▫ If the mail content is encapsulated in a POP3 or an IMAP message, the firewall determines that the mail is in the receiving direction and performs detection in that direction.
Application Scenarios of Application Behavior Control
⚫ Enterprises need to manage HTTP and FTP behaviors of intranet users, and grant different permissions for different users to access
network resources through HTTP and FTP and also for one user to access network resources at different schedules.

⚫ The application behavior control function of the firewall can accurately control users' HTTP, FTP, and IM behaviors to meet the
preceding requirements.

[Figure: intranet users A and B (Trust) → switch → firewall → web server and FTP server (Untrust).]

• The firewall functions as the egress gateway of the enterprise and is deployed at the intranet egress. The application behavior control function is deployed on the firewall to effectively manage the HTTP, FTP and IM behaviors of intranet users when they access the Internet.

• Multiple application behavior control profiles are created on the firewall. Each
profile is used to grant different HTTP, FTP and IM permissions to intranet users.
Then objects such as the profiles, users, and schedules (working hours and non-
working hours) are referenced in security policies to deliver differentiated and
fine-grained control on HTTP, FTP and IM behaviors of intranet users.
Process of Application Behavior Control
⚫ Traditional devices control HTTP and FTP behaviors by protocol or port. However, the firewall can implement more
refined control over HTTP and FTP behaviors.
⚫ As shown in the figure, the firewall analyzes the behavior type, performs the action corresponding to the
application behavior control item, and even performs control based on different users and schedules.

[Figure: enterprise employees (Trust, intranet) → firewall → Untrust, for web browsing and file download; the firewall performs 1 behavior type analysis, 2 control item analysis, 3 action execution.]

• The firewall performs the following steps to control application behaviors:

▫ Analyze the behavior type to determine the behavior type (such as HTTP
and FTP).

▫ Analyze control items based on the behavior type, such as file upload and
download.

▫ Perform the corresponding action (Permit, Deny, Alert, or Block).


HTTP-based Behavior Control Technologies
HTTP behavior
 POST: The POST method of HTTP is commonly used to send information to the server through web pages. For example, you are using this method when you post on a BBS, submit forms, or use your user name and password to log in to a specific system. Action: Permit/Deny
 Web browsing: You can use a web browser to browse web pages. Action: Permit/Deny
 Internet access using a proxy: You can use a proxy server to access specified websites. To implement this function, you must deploy the firewall between the intranet and the proxy server. Action: Permit/Deny
 File upload/download: Uploads or downloads files. Action: Permit/Deny
 Size of the posted content in HTTP POST operations (Alert/Block threshold): When HTTP POST is permitted, you can configure an alert threshold and a block threshold to control the POST operation content size. Action: Alert/Block
 Upload/Download file size (Alert/Block threshold): When file upload is allowed, you can configure an alert threshold and a block threshold to control the file size. Action: Alert/Block

• Alert threshold: When the size of the file to be uploaded or downloaded (or the size of the POST operation content) reaches the alert threshold, the system generates a log and displays it to the administrator.

• Block threshold: When the size of the uploaded or downloaded file or the size of
the POST operation content reaches the block threshold, the system blocks the
uploaded or downloaded file or POST operation and generates a log to notify the
device administrator.

• When you create security policies, you can combine the application behavior
control profile and objects such as the user and schedule to implement
differentiated management of users in different schedules.
FTP-based Behavior Control Technologies

FTP behavior
 File upload: You can set an alarm threshold and a block threshold to limit the size of the uploaded file if file upload is allowed. Action: Permit/Deny
 File download: You can set an alarm threshold and a block threshold to limit the size of the downloaded file if file download is allowed. Action: Permit/Deny
 File deletion: You can delete a file from the FTP server. Action: Permit/Deny

• By default, no alarm threshold or block threshold is configured, and the system does not control the size of the uploaded or downloaded file or the content size of the POST operation.

• The alarm threshold and block threshold can be configured separately or together. If both thresholds are configured, ensure that the alarm threshold is lower than the block threshold.
Example for Configuring Content Security - Requirement Description
⚫ An enterprise has deployed a firewall as a security gateway at the intranet egress. In addition to normal network running, the enterprise requires:
 Prohibit employees from uploading executable files to the intranet server to reduce the risk of viruses entering the intranet.
 Prevent internal employees from disclosing confidential information while ensuring normal network usage.
 The website www.example.com is suspected to have security risks. Intranet employees cannot access this website or social network websites.

[Figure: Internet users and an external web server on the Internet side; the firewall at the egress; behind it a core switch, access switches, an FTP server, an HTTP server and the intranet users.]
Example for Configuring Content Security - Configuration Roadmap
⚫ Configuration roadmap:
 Configure IP addresses and routes for devices to ensure interconnection.
 Configure file blocking to prevent employees from uploading suspicious files.
 Configure data filtering to prevent employees from disclosing confidential information.
 Configure URL filtering to prevent employees from accessing unpermitted websites.
 Configure URL remote query to expand the local predefined URL category database for quick query.
 Configure a security policy and invoke the content security profile.

[Flowchart: Start → Configure basic network → Configure content security filtering (file blocking, data filtering, URL filtering) → Configure a security policy and invoke a content security profile → End.]
Configuring File Blocking
⚫ Choose Object > Security Profile > File Blocking and set the parameters as follows:
 Create the file blocking profile profile_file_1.
 Create file blocking rule rule1 and configure a policy to block the upload of executable files.

Configuring Data Filtering
⚫ Choose Object > Security Profile > Data Filtering and set the parameters as follows:
 Create data filtering profile profile_data_1 and data filtering rule rule.
 Create keyword group key1 and keyword Enterprise Secret to match the text Secret.

Configuring URL Filtering (1/2)
⚫ Choose Object > Security Profiles > URL Filtering, create a URL filtering profile, and set the filtering
level to User-defined.
Configuring URL Filtering (2/2)
⚫ Set the action (Allow, Alert, or Block) for the URL category as required, create the URL category
untrust, match URL www.example.com, and set the action to Block.

Configuring URL Remote Query (1/2)
⚫ To ensure that the local firewall can communicate with the remote server, you need to configure security policies to
allow the traffic of the services to pass through the firewall:
 Choose Object > Service > Service to create a user-defined service.
 Choose Policy > Security Policy > Add Security Policy and reference the user-defined service.


• To use the URL remote query service, ensure that the following conditions are met:
▫ The license has been activated and is within its validity period.
▫ The firewall can reach sec.huawei.com.
▫ A DNS server address is configured, and the DNS server can correctly resolve the domain name sec.huawei.com.
• Note: sec.huawei.com is the website of the Huawei security center platform.

Configuring URL Remote Query (2/2)
⚫ Set the parameters of the URL remote query server.
 Choose Object > Security Profiles > Global Configuration.

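The URL filtering slides and the remote query slides together describe a lookup chain: a user-defined category (untrust, containing www.example.com, action Block), the local predefined category database, and a remote query to the security center for hosts the local database does not know. The following Python script is an added example for this page, not Huawei code: it implements that chain with host normalization, a simple entry syntax, a result cache, and an explicit action for uncategorized hosts. The lookup order (user-defined before predefined before remote), the entry syntax (exact host or "*.apex"), the cache lifetime and the behaviour when the remote server is unreachable are assumptions made for illustration, and REMOTE_DB is a constructed stand-in for the remote server rather than a real query.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Category:
    name: str
    entries: List[str]   # host entries: exact ("www.example.com") or "*.apex"
    action: str          # "allow", "alert" or "block"


@dataclass
class Verdict:
    host: str
    category: Optional[str]
    action: str
    source: str          # stage that decided: user-defined/predefined/remote/uncategorized


def normalize_host(url: str) -> str:
    """Host as the filter sees it: scheme optional, lowercase, port and
    trailing dot removed. For HTTPS that is not decrypted, only this host
    (from the SNI) is visible; the path is not."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def entry_matches(entry: str, host: str) -> bool:
    """Assumed entry syntax: an exact host, or '*.apex' covering the apex and
    every subdomain. 'www.example.com' therefore does not cover 'example.com'."""
    entry = entry.lower()
    if entry.startswith("*."):
        apex = entry[2:]
        return host == apex or host.endswith("." + apex)
    return host == entry


class UrlFilter:
    def __init__(self, user_defined: List[Category], predefined: List[Category],
                 remote_query: Optional[Callable[[str], Optional[str]]] = None,
                 other_action: str = "allow", cache_ttl: int = 3600):
        self.user_defined = user_defined
        self.predefined = predefined
        self.remote_query = remote_query
        self.other_action = other_action      # action for uncategorized hosts
        self.cache_ttl = cache_ttl
        self.category_actions = {c.name: c.action for c in predefined}
        self._cache: Dict[str, Tuple[Optional[str], float]] = {}

    @staticmethod
    def _match(host, categories, source):
        for cat in categories:
            if any(entry_matches(e, host) for e in cat.entries):
                return Verdict(host, cat.name, cat.action, source)
        return None

    def lookup(self, url: str, now: Optional[float] = None) -> Verdict:
        host = normalize_host(url)
        now = time.time() if now is None else now
        # 1. User-defined categories first: an administrator entry overrides
        #    whatever the vendor database says about the host.
        v = self._match(host, self.user_defined, "user-defined")
        if v:
            return v
        # 2. Local predefined URL category database.
        v = self._match(host, self.predefined, "predefined")
        if v:
            return v
        # 3. Remote query (sec.huawei.com on the real firewall) for hosts the
        #    local database does not know; results are cached for cache_ttl.
        cached = self._cache.get(host)
        if cached and cached[1] > now:
            cat = cached[0]
        elif self.remote_query is None:
            cat = None
        else:
            try:
                cat = self.remote_query(host)
                self._cache[host] = (cat, now + self.cache_ttl)
            except Exception:
                cat = None   # server unreachable: nothing cached, host stays uncategorized
        if cat is not None:
            return Verdict(host, cat, self.category_actions.get(cat, self.other_action), "remote")
        return Verdict(host, None, self.other_action, "uncategorized")


# Constructed configuration mirroring the slides: user-defined category
# "untrust" blocks www.example.com; the predefined database knows a few hosts.
USER_DEFINED = [Category("untrust", ["www.example.com"], "block")]
PREDEFINED = [
    Category("entertainment", ["*.example.net"], "block"),
    Category("business", ["example.org"], "allow"),
    Category("webmail", [], "allow"),   # action known locally, hosts supplied by remote query
]
REMOTE_DB = {"mail.example.edu": "webmail"}   # constructed stand-in for the remote server
REMOTE_CALLS: List[str] = []


def fake_remote_query(host: str) -> Optional[str]:
    REMOTE_CALLS.append(host)
    return REMOTE_DB.get(host)


def build_filter() -> UrlFilter:
    return UrlFilter(USER_DEFINED, PREDEFINED, remote_query=fake_remote_query,
                     other_action="alert")


if __name__ == "__main__":
    f = build_filter()
    for u in ("https://WWW.EXAMPLE.COM:8443/login", "example.com",
              "video.example.net", "mail.example.edu"):
        print(u, "->", f.lookup(u))
```

Two behaviours are worth checking against the real profile before relying on it: whether an exact entry such as www.example.com is meant to cover example.com and other subdomains (here it does not, so a user who types the apex host is not blocked), and what action applies to hosts that neither the local database nor the remote server can categorize. The example exposes the second as other_action; choosing block there is fail-closed and choosing allow is fail-open, and the same choice silently applies whenever the remote server is unreachable.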
Referencing a Content Security Profile
⚫ Choose Policy > Security Policy > Security Policy > Add Security Policy.
 Set the security policy name to to_Internet, configure the source and destination security zones, and reference the content
security profiles (file blocking, data filtering, and URL filtering) created in the preceding steps.

Quiz

1. (True or false) When the HTTP file download action is set to Deny, you can set the block threshold. ( )
A. True
B. False

2. (Multiple-answer question) Which of the following are content security filtering technologies? ( )
A. File blocking
B. Data filtering
C. Mail filtering
D. Application behavior control

Answers: 1. B  2. ABCD
Summary
⚫ This course describes the functions related to content security filtering. By deploying content
security filtering on the firewall, you can implement refined management and control of enterprise
users' network access. For example, access to illegitimate websites is denied to prevent adverse
impacts on the enterprise, access to entertainment websites during working hours is denied to
improve work efficiency, and leakage of core confidential information is prevented.
⚫ Upon completion of this course, you should understand the implementation of content security
filtering technologies and be able to independently configure URL filtering, file blocking, and
data filtering on Huawei firewalls.

Recommendations
⚫ Huawei official websites:
 Enterprise service: https://e.huawei.com/en/
 Technical support: https://support.huawei.com/enterprise/en/index.html
 Online learning: https://learning.huawei.com/en/

Acronyms and Abbreviations

Acronym/Abbreviation   Full Name
DNS                    Domain Name System
FTP                    File Transfer Protocol
HTTP                   Hypertext Transfer Protocol
HTTPS                  Hypertext Transfer Protocol Secure
IM                     Instant Messaging
IMAP                   Internet Message Access Protocol
NFS                    Network File System
POP3                   Post Office Protocol version 3
RBL                    Real-time Blackhole List
SMB                    Server Message Block
SMTP                   Simple Mail Transfer Protocol
URL                    Uniform Resource Locator
Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright © 2022 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
