
Hillstone StoneOS User Manual

Hillstone Networks Inc.

StoneOS CLI User Guide


Network Behavior Control
Version 5.5R4

Copyright 2017 Hillstone Networks Inc. All rights reserved.

Information in this document is subject to change without notice. The software described in this
document is furnished under a license agreement or nondisclosure agreement. The software may
be used or copied only in accordance with the terms of those agreements. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted in any form or any
means electronic or mechanical, including photocopying and recording for any purpose other
than the purchaser's personal use without the written permission of Hillstone Networks Inc.

Hillstone Networks Inc

Contact Information:

US Headquarters:

Hillstone Networks

292 Gibraltar Drive, Suite 105

Sunnyvale, CA 94089

Phone: 1-408-508-6750

http://www.hillstonenet.com/about-us/contact/

About this Guide:

This guide gives you comprehensive configuration instructions of Hillstone Networks StoneOS.

For more information, refer to the documentation site: http://docs.hillstonenet.com.

To provide feedback on the documentation, please write to us at:

[email protected]

TWNO: TW-CUG-UNI-NBC-5.5R4-EN-V1.0-Y17M01

Table of Contents
Table of Contents ........................................................................................................ 1
About This Guide ......................................................................................................... 1
Content ................................................................................................................ 1
CLI....................................................................................................................... 1
WebUI .................................................................................................................. 1
Command Line Interface ......................................................................................... 2
Network Behavior Control ............................................................................................. 8
Overview .............................................................................................................. 8
Introduction to NBC ............................................................................................... 8
Configuring an Object ............................................................................................. 9
URL Filter ............................................................................................................ 19
Web Content ....................................................................................................... 23
Web Posting ........................................................................................................ 26
Email Filter.......................................................................................................... 29
IM Control ........................................................................................................... 34
HTTP/FTP Control ................................................................................................. 36
Log Management ................................................................................................. 39
Typical Configuration Examples ............................................................................. 42
File Filter .................................................................................................................. 52
Configuring File Filtering ....................................................................................... 52
Viewing File Filter Profile ....................................................................................... 55
SSL Proxy ................................................................................................................. 56
Overview ............................................................................................................ 56
Work Mode .......................................................................................................... 56
Working as Gateway of Web Clients ....................................................................... 57
Working as Gateway of Web Servers ...................................................................... 64
Binding the SSL Proxy Profile to a Policy Rule .......................................................... 66
Viewing SSL Proxy Information .............................................................................. 67
About This Guide
This document follows the conventions below:

Content
• Tip: provides a reference.

• Note: indicates important instructions for your better understanding, or cautions
for possible system failure.

• Bold font: indicates links, tags, buttons, checkboxes, text boxes, or options. For
example, “Click Login to log into the homepage of the Hillstone device”, or
“Select Objects > Address Book from the menu bar”.

CLI
• Braces ({ }): indicate a required element.

• Square brackets ([ ]): indicate an optional element.

• Vertical bar (|): separates multiple mutually exclusive options.

• Bold: indicates an essential keyword in the command. You must enter this part
correctly.

• Italic: indicates a user-specified parameter.

• The command examples may vary between platforms.

• In the command examples, the hostname in the prompt is referred to as hostname.

WebUI
When clicking objects (menu, sub-menu, button, link, etc.) on WebUI, the objects are
separated by an angled bracket (>).

Command Line Interface
Overview
A command line interface (CLI) is a mechanism for you to interact with the operating
system by typing commands which instruct the device to perform specific tasks. This
chapter describes how to use StoneOS command line interface.

Note: Command keywords are not case sensitive, but user-specified parameter
values are case sensitive.

CLI Modes and Prompts


StoneOS CLI commands and statements are organized under various hierarchical
modes. Some of the CLI commands can work only under a particular mode, which can
prevent accidental misoperations. For example, configuration commands can only be
used in configuration modes. StoneOS uses different prompts to indicate modes.

Execution Mode
When you log in StoneOS CLI, you are in the execution mode. Execution mode
prompt is a pound sign (#):

hostname#

Global Configuration Mode


Commands in the global configuration mode are used to change device settings. To
enter the global configuration mode, in the execution mode, use the command
configure. The global configuration mode prompt is shown as follows:

hostname(config)#

Sub-module Configuration Mode


StoneOS has various functional modules. Some CLI commands only work in their
corresponding sub-module configuration modes. To enter a sub-module configuration
mode, in the global configuration mode, type the corresponding command. For example,
to enter the interface ethernet0/0 configuration mode, type interface ethernet0/0,
and its command prompt is shown as follows:

hostname(config-if-eth0/0)#

Switching between CLI Modes


When you log into StoneOS CLI, you are in the execution mode. To switch to other
CLI mode, type the commands in the table below.

Table 1: CLI Mode Switching Commands

Mode                                                   Command
From execution mode to global configuration mode       configure
From global configuration mode to sub-module           The command varies depending on the sub-module
configuration mode                                     configuration mode you want to enter
Return to a higher hierarchy                           exit
From any mode to execution mode                        end

CLI Error Message


StoneOS CLI checks the command syntax, and only a syntactically correct command is
executed. StoneOS shows an error message for incorrect syntax. The following table
lists the messages for common command errors:

Table 2: Error Messages and Description

Message                    Description
Unrecognized command       StoneOS is unable to find the command or keyword
Incorrect parameter type   Input value exceeds its defined value range
Incomplete command         User input is incomplete
Ambiguous command          User input is not clear

Command Input
To simplify input operation, you can use the short form of CLI commands. In addition,
StoneOS CLI can automatically list available command keywords and fill incomplete
commands.

Command Short Form


You can type only the leading characters of each keyword to shorten your typing. Most
commands have a short form. For example, you can type sho int to check the
interface information instead of typing show interface, and type conf to enter the
configuration mode instead of the complete command configure.

Listing Available Commands


When you type a question mark (?), the system completes the unfinished command
or gives a list of available commands.

• If you type a question mark (?) directly after an incomplete keyword, the system
lists the available commands (with a short description) that start with the
letters typed so far.

• If you type a question mark (?) at any level, the system displays a list of the
available commands along with a short description of each command.

Completing Partial Commands
Command completion for command keywords is available at each level of the
hierarchy. To complete a command that you have partially typed, press the Tab key.
If the partially typed letters begin a string that uniquely identifies a command,
pressing the Tab key completes the command; otherwise, it gives a list of command
suggestions. For example, type conf in the execution mode and press TAB, the
command configure appears.

Using CLI
This topic describes how to view previously typed commands and how to use CLI
shortcut keys.

Previous Commands
StoneOS CLI can record the latest 64 commands. To scroll the list of the recently
executed commands, press the up arrow key or use Ctrl-P; to scroll forward the list,
press the down arrow key or use Ctrl-N. You can execute or edit the command texts
displayed in the prompt.

Shortcut Keys
StoneOS CLI supports shortcut keys to save time when entering commands and
statements. The following table gives the supported shortcut keys and their functions.

Table 3: Shortcut Key List

Shortcut Key Action


Ctrl-A Moves cursor to the beginning of the command line.
Ctrl-B Moves cursor back one letter.
Ctrl-D Deletes the letter at the cursor.
Ctrl-E Moves cursor to the end of the command line.
Ctrl-F Moves cursor forward one letter.
Ctrl-H Deletes the letter before the cursor.
Ctrl-K Deletes all characters from the cursor to the end of the command
line.
Ctrl-N Scrolls forward the list of recently executed commands.
Ctrl-P Scrolls backward the list of recently executed commands.
Ctrl-T Switches the character at the cursor and the one before it.
Ctrl-U Deletes all characters on the command line.
Ctrl-W Deletes all characters before the cursor.
META-B Moves cursor to the beginning of the word.
META-D Deletes the word after the cursor.
META-F Moves cursor to the end of the word.
META-Backspace Deletes the word before the cursor.
META-Ctrl-H Deletes the word before the cursor.

Note: For the computer without the META key, press ESC first and then press the
letter. For example, to use shortcut key META-B, press ESC and then press B.

Filtering Output of Show Commands


In StoneOS CLI, the show commands display device configuration information. You
can filter command output according to filter conditions separated by the pipe symbol
(|). The filter conditions include:

• include {filter-condition}: shows only the results that match the filter condition.
The filter condition is case sensitive.

• exclude {filter-condition}: shows the results that do not match the filter condition.
The filter condition is case sensitive.

• begin {filter-condition}: shows the results starting from the first one that matches
the filter condition. The filter condition is case sensitive.

CLI output filter syntax is shown as follows:

hostname# show command | {include | exclude | begin} {filter-condition}

In this syntax, the first pipe symbol (|) is part of the command, while the other pipe
symbols just separate keywords and should not appear on the command line.

The filter conditions comply with the format of regular expression. The table below
shows some common regular expressions and their meanings.

Table 4: Regular Expression and Meaning

Regular Expression Meaning


. (period) Represents any character.
* (star) Indicates that there is zero or more of the preceding
element.
+ (plus) Indicates that there is one or more of the preceding
element.
^ (caret) Used at the beginning of an expression, denotes where a
match should begin.
$ (dollar) Used at the end of an expression, denotes that a term must
be matched exactly up to the point of the $ character.
_(underscore) Represents “,”, “{”, “}”, “(”, “)”, beginning of a line, end of
a line or space.
[] (square bracket) Matches a single character that is contained within the
brackets.
- (hyphen) Separates the start and the end of a range.
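The three filter modes and the “_” shorthand from Table 4, emulated in Python as an added example. This is not StoneOS code; the sample output is constructed, and it assumes the device applies the condition to each output line as a case-sensitive regular-expression search (how “_” behaves inside a bracket expression or after a backslash is this example's own assumption).

```python
import re

# Constructed sample output standing in for what a show command prints; it is
# not real StoneOS output.
SAMPLE_OUTPUT = """\
Interface        IP address        Status
ethernet0/0      192.168.1.1/24    up
ethernet0/1      10.0.0.1/24       down
ethernet0/2      unassigned        down
loopback1        127.0.0.1/32      up
"""

# What Table 4 says "_" stands for: "," "{" "}" "(" ")" space, or a line boundary.
UNDERSCORE_CLASS = r"(?:[,{}() ]|^|$)"


def translate_condition(condition: str) -> str:
    """Rewrite the manual's '_' into a Python regex alternative.

    A '_' inside a bracket expression or preceded by a backslash is left alone
    (assumption: the device treats it literally there).
    """
    out, in_class, i = [], False, 0
    while i < len(condition):
        c = condition[i]
        if c == "\\" and i + 1 < len(condition):
            out.append(condition[i:i + 2])   # keep escapes untouched
            i += 2
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        out.append(UNDERSCORE_CLASS if (c == "_" and not in_class) else c)
        i += 1
    return "".join(out)


def filter_output(text: str, mode: str, condition: str) -> list:
    """Apply include / exclude / begin with a case-sensitive regex, line by line."""
    regex = re.compile(translate_condition(condition))
    lines = text.splitlines()
    if mode == "include":
        return [ln for ln in lines if regex.search(ln)]
    if mode == "exclude":
        return [ln for ln in lines if not regex.search(ln)]
    if mode == "begin":
        # Everything from the first matching line to the end of the output.
        for idx, ln in enumerate(lines):
            if regex.search(ln):
                return lines[idx:]
        return []
    raise ValueError(f"unknown filter mode: {mode}")


if __name__ == "__main__":
    for mode, cond in (("include", "down"), ("exclude", "^ethernet"),
                       ("begin", "ethernet0/1"), ("include", "_up$")):
        print(f"show interface | {mode} {cond}")
        for ln in filter_output(SAMPLE_OUTPUT, mode, cond):
            print("   ", ln)
```

The `_up$` case shows why the underscore matters: it matches the status column “up” only when a separator precedes it, so a hostname or address that merely ends in “up” would not be selected.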

CLI Page Display
The output messages of a command may be more than one page. When the output
texts exceed one page, the CLI shows -- More -- at the end of a page to indicate
that there are more messages. In such a situation, you can make the following
operations:

• To view the next line: press Enter.

• To terminate the output display: press the Q key.

• To view the next page: press any key other than Enter and Q.

Specifying Screen Size


You can specify the width and length of the CLI output screen which determines the
extent of the output displayed before -- More -- appears. The default screen length
is 25 lines and the width is 80 characters.

To change the size of output screen, use the following commands:

Width: terminal width character-number

• character-number - Specifies the number of characters. The value range is 64
to 512.

Length: terminal length line-number

• line-number - Specifies the number of lines. The CLI displays one line less than
the value specified here, except that a value of 1 shows one line. The value range
is 0 to 256. Setting the length to 0 disables the page display option, so all
messages are displayed without page splits.

These settings are only available for the current connection and won’t be saved to the
configuration file of the device. If you close the terminal and login again, the screen
width and length are restored to their default values.

Specifying Connection Timeout


Specifying connection timeout value is to set the maximum time that a session (over
Console, SSH or Telnet) can be idle before the user is forced to log out.

To set the timeout value, in the global configuration mode, use the following
commands:

console timeout timeout-value

• timeout-value - Specifies the timeout value for Console sessions. The range is 0
to 60 minutes. 0 means the session will never time out, so an unattended console
session stays logged in indefinitely. The default value is 10.

To restore the default value, in the global configuration mode, use the command
no console timeout.

ssh timeout timeout-value

• timeout-value - Specifies the timeout value for SSH sessions. The range is 1 to
60 minutes. The default value is 10.

To restore the default value, in the global configuration mode, use the command
no ssh timeout.

telnet timeout timeout-value

• timeout-value - Specifies the timeout value for Telnet sessions. The range is 1
to 60 minutes. The default value is 10.

To restore the default value, in the global configuration mode, use the command
no telnet timeout.

Redirecting the Output of Show Commands


StoneOS allows you to redirect the output messages of show commands to other
destinations including FTP server and TFTP server.

To redirect the output of show commands, use the following command:

show command | redirect dst-address

The destination address (dst-address) can be in one of the following formats:

• FTP - ftp://[username:password@]x.x.x.x[:port]/filename

• TFTP - tftp://x.x.x.x/filename

Note that FTP credentials embedded in the URL are transmitted in cleartext and
remain in the CLI command history, so use a dedicated account with the minimum
rights needed to write the destination file.

Diagnostic Commands
You can use ping to determine if a remote network is reachable, or use traceroute
to trace the route to a network device.

Network Behavior Control
Overview
The boom and popularization of the Internet bring significant convenience to people’s
work and life. However, problems caused by Internet access, such as bandwidth
misuse, low efficiency, information leakage, legal risks and security threats, are
also becoming increasingly prominent. For example, in some enterprises employees
chat online and browse Internet forums during office hours, or disclose confidential
information to outsiders in emails; in public places such as Internet cafés, users
visit illegal websites, post irresponsible content, or even get involved in illegal
online activities.

To solve the above problems, StoneOS provides the Network Behavior Control (NBC)
function to control and audit network behaviors, effectively optimizing the utilization
of Internet resources.

Introduction to NBC
The NBC function of StoneOS allows you to flexibly configure control rules for different
users, network behaviors and schedules, in order to perform comprehensive control
and audit (by behavior logs) of users’ network behavior. Combined with Hillstone
HSM, you can query and analyze the audit logs, which provides network administrators
with the data they need to make correct decisions.

StoneOS NBC includes the following features. The main functions are described in
the table below.

• Objects

• URL filter

• Keyword filter

• Web posting

• Email filter

• IM control

• HTTP/FTP control

• Log management

Table 5: Main Functions of StoneOS NBC

Objects
  Predefined URL database    Provides URL categories for the functions of URL filter, web
                             content, and web posting. The predefined URL database is divided
                             into 39 categories, with a total number of URLs up to 20 million.
  User-defined URL database  Provides URL categories for the functions of URL filter, web
                             content, and web posting.
  URL lookup                 Inquires URL information from the URL database.
  Keyword category           Customized keyword categories which can be referenced by the
                             functions of URL filter, web content, web posting and email filter.
  Warning page               Block warning: when your network access is blocked, a warning
                             page is shown in the Web browser.
                             Audit warning: when your network access is audited, a warning
                             page is shown in the Web browser.
  Bypass domain              Domains that are not controlled by the NBC rules.
  User exception             Users that are not controlled by the NBC rules.

Network behavior control
  URL filter                 Controls access to certain websites (e.g., forbids access to
                             entertainment websites) and logs the access behaviors.
  URL keyword                Controls the visiting of webpages (including webpages encrypted
                             by HTTPS) that contain certain keywords, and logs the actions.
  Web posting                Controls posting on websites (including webpages encrypted by
                             HTTPS) and the posting of specific keywords, and logs the posting.
  Email filter               Controls and audits SMTP mails and web mails (including encrypted
                             Gmail mails): controls and audits all email sending; controls
                             and audits the sending of emails that contain a specific sender,
                             recipient, keyword or attachment.
  IM control                 Controls and audits MSN, QQ and Yahoo! Messenger chatting.
  HTTP/FTP control           Controls and audits the actions of HTTP and FTP applications: FTP
                             methods, including Login, Get and Put; HTTP methods, including
                             Connect, Get, Put, Head, Options, Post and Trace; blocks the
                             downloading of HTTP binary files (such as .bat, .com), ActiveX
                             and Java Applets.

Log
  -                          Rich NBC log export and storage solution; combined with HSM,
                             allows in-depth log statistics and audit analysis.

Configuring an Object
Objects are the collection of public NBC configurations that are used when
configuring NBC rules, including:

• Predefined URL database

• User-defined URL database

• URL lookup

• Keyword category

• Warning page

• Bypass domain

• User exception

Predefined URL Database


StoneOS ships with a license controlled predefined URL database. The predefined URL
database will not take effect on the supported platforms until a URL license is installed.

Predefined URL database provides URL categories for the configurations of URL filter,
web content, and web posting. The predefined URL database is divided into 39
categories, with a total number of URLs up to 20 million.

Updating the Predefined URL Database


By default, the system updates the predefined URL database every day. You can
change the update parameters according to your own requirements. Hillstone
provides two default URL database update servers: update1.hillstonenet.com and
update2.hillstonenet.com. You can update your URL database online or manually. For
more information about how to configure the predefined URL database, see the
following table:

Table 6: Predefined URL Database Update Configuration

To specify the update mode
  In the global configuration mode, use the following command:
  url-db update mode {auto | manual}

To configure the update server
  In the global configuration mode, use the following command:
  url-db update {server1 | server2 | server3} {ip-address | domain-name} [vrouter vr-name]

To specify the update schedule
  In the global configuration mode, use the following command:
  url-db update schedule {daily | weekly {mon | tue | wed | thu | fri | sat | sun}} [HH:MM]

To update now
  In the execution mode, use the following command:
  exec url-db update

To update manually
  In the execution mode, use the following command:
  import url-db from {ftp server ip-address [vrouter vrouter-name] [user user-name password password] | tftp server ip-address | usb0 | usb1} file-name
  Note: Non-root VSYS does not support this command.

To view URL DB info
  show url-db info

To view URL DB update configuration
  show url-db update

To view URL statistics
  show statistics-set name [{current | history | history-max} [sort-by {up | down | item}]]

Specifying a HTTP Proxy Server


When the device accesses the Internet through an HTTP proxy server, you need to
specify the IP address and the port number of the HTTP proxy server. With the HTTP
proxy server specified, the various signature databases can update automatically
and normally.

To specify the HTTP proxy server for updating the URL category signature database,
use the following command in the global configuration mode:

url-db update proxy-server {main | backup} ip-address port-number

• main | backup - Use the main parameter to specify the main proxy server
and the backup parameter to specify the backup proxy server.

• ip-address port-number - Specify the IP address and the port number of
the proxy server.

To cancel the proxy server configuration, use the no url-db update proxy-server
{main | backup} command.

User-defined URL Database


Besides categories in predefined URL database, you can also customize user-defined
URL categories. User-defined URL database provides URL categories for the
configurations of URL filter, web content, and web posting.

The system provides three predefined user-defined URL categories: custom1, custom2
and custom3. You can import your own URL lists into one of these categories.

For more information about user-defined URL database, see the table below:

Table 7: User-defined URL Database

To create a URL category
  In the global configuration mode, use the following command:
  url-category category-name

To add a URL entry
  In the global configuration mode, use the following command:
  url url url-category category-name

To enable/disable support for HTTPS domain names in the user-defined URL database
  To enable this function, use the following command in the global configuration mode:
  url-db-https-enable
  To disable this function, use the following command in the global configuration mode:
  no url-db-https-enable
  To view the status of this function, use the following command in any mode:
  show url-db-https

To import user-defined URLs
  import url-file {custom1 | custom2 | custom3} from ftp server IP [vrouter vrouter-name] [user username password password] file-name
  import url-file {custom1 | custom2 | custom3} from tftp server IP [vrouter vrouter-name] file-name
  Note: The URL file directory is /flash/urldb/url_file. The file must be smaller than
  1 M and contain at most 1000 URLs. A wildcard is supported, used at most once and
  only at the start of an address. Non-root VSYS does not support this function.

To clear user-defined URLs
  exec url-file {custom1 | custom2 | custom3} clear

To view URL category info
  show url-category

To view all the user-defined URLs
  show url
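Before importing a URL file, it is worth checking it against the limits stated in the note above, because a rejected import leaves the category unchanged and gives little detail on why. The following validator is an added example, not StoneOS code or a Hillstone tool. It takes the size limit as 1 MiB, the wildcard rule as “at most one per address, at the start”, and the shape of a single entry (optional leading “*”, a host name, an optional path) as its own assumptions; the sample files are constructed.

```python
import re

MAX_FILE_BYTES = 1024 * 1024   # the manual's "less than 1 M", read as 1 MiB (assumption)
MAX_URLS = 1000                # hard limit stated in the manual
CUSTOM_CATEGORIES = ("custom1", "custom2", "custom3")

# Hypothetical shape of one entry: optional leading "*", a host made of letters,
# digits, "." and "-", and an optional path. The manual does not define the entry
# grammar; this is the validator's own assumption.
ENTRY_RE = re.compile(r"^\*?[A-Za-z0-9.\-]+(?:/\S*)?$")


def validate_url_file(content: bytes, category: str) -> list:
    """Return a list of problems found; an empty list means the file looks importable."""
    problems = []
    if category not in CUSTOM_CATEGORIES:
        problems.append(f"category {category!r} is not one of {CUSTOM_CATEGORIES}")
    if len(content) >= MAX_FILE_BYTES:
        problems.append(f"file is {len(content)} bytes; must be smaller than {MAX_FILE_BYTES}")
    try:
        text = content.decode("ascii")
    except UnicodeDecodeError:
        return problems + ["file contains non-ASCII bytes (assumption: entries must be ASCII)"]

    # One address per non-blank line.
    entries = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(entries) > MAX_URLS:
        problems.append(f"{len(entries)} URLs; at most {MAX_URLS} are allowed")

    seen = set()
    for n, entry in enumerate(entries, start=1):
        if entry.count("*") > 1:
            problems.append(f"entry {n}: more than one wildcard in {entry!r}")
        elif "*" in entry and not entry.startswith("*"):
            problems.append(f"entry {n}: wildcard must be at the start of {entry!r}")
        elif not ENTRY_RE.match(entry):
            problems.append(f"entry {n}: {entry!r} does not look like a URL entry")
        if entry in seen:
            problems.append(f"entry {n}: duplicate entry {entry!r}")
        seen.add(entry)
    return problems


# Constructed sample files (not from the manual).
GOOD_FILE = b"*.example.com\nwww.example.net/downloads\nintranet-wiki\n"
BAD_FILE = b"*.example.com\nwww.*example.com\n*.*.example.net\nhttp://bad entry\n"


if __name__ == "__main__":
    for name, data in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        found = validate_url_file(data, "custom1")
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("   ", p)
```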

URL Lookup
You can inquire a URL to view the details by URL lookup, including the URL category
and the category type. For more information about how to inquire a URL, see the
table below:

Table 8: URL Lookup

To inquire a URL
  show url url-string

Configuring a URL Inquiry Server
A URL inquiry server can classify an uncategorized URL (an uncategorized URL is an
address that is in neither the predefined URL database nor the user-defined URL
database) that you have accessed, and then add it to the URL database during database
updating. Hillstone provides two default URL inquiry servers: url1.hillstonenet.com and
url2.hillstonenet.com. By default, the URL inquiry servers are enabled. Note that this
means uncategorized URLs visited through the device are sent to the inquiry servers;
disable them if that is not acceptable in your environment. For more information about
how to configure the URL inquiry server, see the table below:

Table 9: URL Inquiry Server Configurations

To enable/disable a URL inquiry server
  Enable: in the global configuration mode, use the following command:
  url-db-query {server1 | server2} enable
  Disable: in the global configuration mode, use the following command:
  no url-db-query {server1 | server2} enable

To configure a URL inquiry server
  In the global configuration mode, use the following command:
  url-db-query {server1 | server2} {ip-address | domain-name} [vrouter vr-name] [port port] [encrypt-type BCAP]

To view the URL inquiry server info
  show url-db-query [server1 | server2]

Keyword Category
Keyword categories referenced by URL filter, web content, web posting, and email
filter can be customized. For more information about how to customize a keyword
category, see the table below:

Table 10: Customizing a Keyword Category

To create a keyword category
  In the content filter configuration mode, use the following command:
  category category-name
  Tip: To enter the content filter configuration mode, in the global configuration
  mode, use the command contentfilter.

To add a keyword entry
  In the content filter configuration mode, use the following command:
  keyword keyword {regexp | simple} [category category-name] [confidence value]

To commit changes to keywords (number increase/decrease, content changes)
  In the execution mode, use the following command:
  exec contentfilter apply

Keyword Matching Rules


The system scans traffic for the configured keywords and calculates a trust value for
each category that has keyword hits. The calculation is: for each keyword belonging to
the category, multiply the number of occurrences by the keyword's trust (confidence)
value, then add up the results. The system then acts on the sum as follows:

• If the sum is larger than or equal to the category threshold (100), the
configured category action is triggered;

• If more than one category action can be triggered and one of them is block,
the final action is block;

• If more than one category action can be triggered and all the configured actions
are permit, the final action is permit.

For example, a web content rule contains two keyword categories: C1 with action
block and C2 with action permit. Both C1 and C2 contain the same keywords K1 and
K2. The trust values of K1 and K2 in C1 are 20 and 40; the trust values of K1 and
K2 in C2 are 30 and 80.

If the system detects one occurrence each of K1 and K2 on a web page, then the C1
trust value is 20*1+40*1=60<100 and the C2 trust value is 30*1+80*1=110>100. As a
result, only the C2 action is triggered and the web page access is permitted.

If the system detects three occurrences of K1 and one occurrence of K2 on a web page,
then the C1 trust value is 20*3+40*1=100 and the C2 trust value is
30*3+80*1=170>100. The conditions for both C1 and C2 are satisfied, and because C1
is configured with block, the block action takes precedence and the web page access
is denied.

Notes:
• The keyword category threshold is 100.
• To implement network behavior control accurately and effectively, you are
recommended to configure multiple keywords. For example, if only “web game” is
configured in order to block access to web game websites, many other websites
will be blocked as well. If instead you configure “web game”, “experience
value” and “equipment” as keywords and give each a proper trust value, the
control accuracy improves. And if you collect all the game-related terms and
assign a proper trust value to each, the control is implemented completely and
precisely.
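The scoring and precedence rules above, worked through in Python as an added example. This is not StoneOS code: the category, keyword and action names are the manual's C1/C2/K1/K2, the two keyword types follow the `keyword` command's `simple` and `regexp` modes, and the page bodies are constructed. Counting hits with a plain substring count for simple keywords and `re.findall` for regexp keywords is this example's assumption about how the device counts occurrences.

```python
import re
from dataclasses import dataclass

CATEGORY_THRESHOLD = 100  # fixed threshold stated in the manual


@dataclass(frozen=True)
class Keyword:
    pattern: str
    mode: str          # "simple" (literal) or "regexp", as in the keyword command
    confidence: int    # trust value, multiplied by the number of hits


@dataclass(frozen=True)
class Category:
    name: str
    action: str        # "block" or "permit"
    keywords: tuple    # tuple of Keyword


def count_hits(kw: Keyword, text: str) -> int:
    """Occurrences of one keyword in the scanned text (assumption: non-overlapping,
    case-sensitive matching)."""
    if kw.mode == "simple":
        return text.count(kw.pattern)
    if kw.mode == "regexp":
        return len(re.findall(kw.pattern, text))
    raise ValueError(f"unknown keyword mode: {kw.mode}")


def category_score(cat: Category, text: str) -> int:
    """Sum over the category's keywords of occurrences * confidence."""
    return sum(count_hits(kw, text) * kw.confidence for kw in cat.keywords)


def decide(categories, text):
    """Apply the manual's precedence rules.

    Returns (final_action, scores): final_action is "block", "permit", or None
    when no category reaches the threshold (the rule does not fire).
    """
    scores = {cat.name: category_score(cat, text) for cat in categories}
    triggered = [cat for cat in categories if scores[cat.name] >= CATEGORY_THRESHOLD]
    if not triggered:
        return None, scores
    # Any triggered block category wins over any number of triggered permits.
    if any(cat.action == "block" for cat in triggered):
        return "block", scores
    return "permit", scores


# The manual's worked example: the same keywords in both categories with
# different trust values; C1 blocks and C2 permits.
C1 = Category("C1", "block", (Keyword("K1", "simple", 20), Keyword("K2", "simple", 40)))
C2 = Category("C2", "permit", (Keyword("K1", "simple", 30), Keyword("K2", "simple", 80)))
RULE = (C1, C2)

# Constructed page bodies standing in for scanned HTTP content.
PAGE_ONE_EACH = "intro K1 ... body K2 ... end"
PAGE_THREE_K1 = "K1 K1 K1 and K2"
PAGE_NO_HITS = "nothing relevant here"

# A category built the way the manual's note recommends: several related terms,
# one of them a regexp so that "experience value" hits regardless of spacing.
WEB_GAME = Category("web-game", "block", (
    Keyword("web game", "simple", 40),
    Keyword(r"experience\s+value", "regexp", 40),
    Keyword("equipment", "simple", 30),
))


if __name__ == "__main__":
    for label, page in (("one of each", PAGE_ONE_EACH), ("three K1", PAGE_THREE_K1),
                        ("no hits", PAGE_NO_HITS)):
        action, scores = decide(RULE, page)
        print(f"{label}: scores={scores} -> {action}")
```

The `WEB_GAME` category illustrates the note's point: “equipment” alone scores 30 and does not fire, so a page about camping gear passes, while a page that also mentions “web game” and “experience value” crosses the threshold.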

Warning Page
The warning page shows the user block information and user audit information.

Configuring Block Warning


If a network behavior is blocked by an NBC function (URL filter, web content, web
posting, email filter, HTTP/FTP control), access to the Internet is denied. An Access
Denied message is displayed in your browser, and some web surfing rules are shown on
the warning page at the same time. You can also define the displayed information
yourself. Depending on the network behavior, the default block warning page covers
the following situations:

• Visiting a certain type of URL.

• Visiting a URL that contains a certain type of keyword category.

• Posting information to a certain type of website, or posting a certain type of
keyword.

• HTTP actions of Connect, Get, Put, Head, Options, Post and Trace; downloading HTTP
binary files, such as .bat and .com; downloading ActiveX and Java Applets.

By default the block warning function is enabled. For more information about the
configuration of the function, see the table below:

Table 11: Block Warning Configurations

To enable/disable block warning
  Enable: In the global configuration mode, use the following command:
  block-notification
  Disable: In the global configuration mode, use the following command:
  no block-notification

To customize the block warning information or restore it to the default
  To customize the block warning information, use the following command in the
  global configuration mode:
  customize-block-notification title title-name body string
  To restore the block warning information to the default one, use the following
  command in the global configuration mode:
  no customize-block-notification

To view the status of block warning
  show block-notification

To view the user-defined block warning information
  show customize-block-notification
  If you have customized your own block warning information, the customized
  information is displayed; otherwise, the default block information is displayed.

Configuring Audit Warning


After enabling the audit warning function, when your network behavior matches the
configured NBC rule, your HTTP request will be redirected to a warning page, on
which the audit and privacy protection information is displayed. For example, if a
keyword rule is configured to monitor HTTPS access to websites that contain the
specified keyword, then after enabling the audit warning function, when you’re
accessing a website that contains the keyword over HTTPS, a warning page will be
displayed in your Web browser, as shown in the figure below:

Figure 1: SSL Proxy Audit Warning Page

Audit warning is disabled by default. For more information about the configurations of
the function, see the table below:

Table 12: Audit Warning Configurations

Configuration: To enable/disable audit warning
CLI: Enable: In the global configuration mode, use the following command:

nbc-user-notification

Disable: In the global configuration mode, use the following command:

no nbc-user-notification

Configuration: Customize the audit warning information or restore the audit
warning information to default
CLI: To customize the audit warning information, use the following command in
the global configuration mode:

customize-audit-notification title title-name body string

To restore the audit warning information to default, use the following command
in the global configuration mode:

no customize-audit-notification

Configuration: To view the user-defined audit warning information
CLI: show customize-audit-notification

 If you have customized your own audit warning information, the customized
information will be displayed.

 If you do not use the customized information, the default audit information
will be displayed.

After enabling audit warning, if your network behavior originating from one single
source IP is matched to any configured network behavior control rule, you will be
prompted with the audit warning page every 24 hours when visiting the web page.

Bypass Domain
Regardless of the NBC configurations (URL filter, keyword filter, web posting control,
email filter, and HTTP/FTP control), requests to the specified bypass domains will be
allowed unconditionally. To add a bypass domain via WebUI, take the following steps:

1. Select Policy > Internet Behavior Control > Web Content/Web
Posting/Email Filter/HTTP/FTP Control.

2. At the top-right corner, select Configuration > Bypass Domain. The Bypass
Domain dialog appears.

3. Click Add. The domain name will be added to the system and displayed in the
bypass domain list. Repeat Step 3 to add more bypass domains.

4. Click OK to save your settings.

Notes:
 Bypass domains must be matched exactly.
 Bypass domains are effective for the entire system.

User Exception
The user exception function is used to specify the users who will not be controlled by
NBC, including URL filter, Web content, Web posting control, email filter, IM control,
and HTTP/FTP control. The system supports the following types of user exception: IP,
IP range, role, user, user group, and address entry.

To configure user exception via WebUI, take the following steps:

1. Select Policy > Internet Behavior Control > Web Content/Web
Posting/Email Filter/HTTP/FTP Control.

2. At the top-right corner, select Configuration > User Exception. The User
Exception dialog appears.

3. Select the type of the user from the Type drop-down list.

4. Configure the corresponding options.

5. Click Add. The user will be added to the system and displayed in the user
exception list.

6. Click OK to save the settings.

Note: User exceptions are effective for the entire system.

URL Filter
URL filter is designed to control the access to some websites and record log messages
for the access actions. This function helps you control the network behaviors in the
following aspects:

 Access control to a certain category of websites, such as gambling and
pornographic websites;

 Access control to a certain category of websites during a specified period. For
example, forbidding access to IM websites during office hours;

 Access control to websites whose URL contains specified keywords. For
example, forbidding access to URLs that contain the keyword "game".

Configuring URL Filter via CLI


The URL filter configurations are based on security zones or policies.

To configure URL filter via CLI, take the following steps:

1. Create a URL filter profile, and specify the URL category, URL keyword category
and action in the profile.

2. Bind the URL filter profile to a security zone or policy rule.

Creating a URL Filter Profile


You need to specify the control type of the URL filter profile. The control types are
URL category, URL keyword category, and Web surfing record. URL category controls
access to a certain category of website; URL keyword category controls access to
websites whose URL contains specific keywords; Web surfing record logs the GET and
POST methods of HTTP, and the posted content. You can select only one control type
for each URL filter profile. There is a default URL filter profile named no-url. It
cannot be edited or deleted. After you bind it to a policy, URL filter is disabled. To
create a URL filter profile, in the global configuration mode, use the following
command:

url-profile profile-name

 profile-name - Specifies the name of the URL filter profile, and enters the
configuration mode of the URL filter profile. If the specified name exists, the
system will directly enter the URL filter profile configuration mode. You can
configure the same URL profile name in different VSYSs.

To delete the specified URL filter profile, in the global configuration mode, use the
command no url-profile profile-name.

Specifying the URL Category and Action

To specify the URL category that will be filtered and the corresponding action, in the
URL filter profile configuration mode, use the following command:

url-category {all | url-category-name} [block] [log]

 all | url-category-name - Specifies the URL category that will be filtered. It
can be all the URL categories (all) or a specific URL category (url-category-name).
You cannot specify a URL category of another VSYS. For more information about how
to create a URL category, see Specifying a HTTP Proxy Server.

 block - Blocks access to the corresponding URL category.

 log - Logs access to the corresponding URL category.

Repeat the command to specify more URL categories and the corresponding actions.

To cancel the specified URL category and action, in the URL filter profile configuration
mode, use the command no url-category {all | url-category-name}.

Inspecting SSL Negotiation Packets


For HTTPS traffic, once this feature is configured, the system acquires the domain
name of the site you want to access from the SSL negotiation packets and then
performs URL filtering based on that domain name. This feature is only applicable
to a URL filter profile whose control type is URL category. If SSL proxy is
configured at the same time, the SSL negotiation packet inspection method is
preferred for URL filtering. To configure SSL negotiation packet inspection, in the
URL filter profile configuration mode, use the following command:

url-category ssl-inspection

To cancel SSL negotiation packet inspection, in the URL filter profile
configuration mode, use the command no url-category ssl-inspection.

Specifying the URL Keyword and Action

To specify the URL keyword that will be filtered and the corresponding action, in the
URL filter profile configuration mode, use the following command:

keyword-category {keyword-category-name | other} [block] [log]

 keyword-category-name | other - Specifies the URL keyword that will be filtered.
The URL keyword can be a specific keyword category (keyword-category-name)
or all the other URL keyword categories that are not listed (other). For more
information about how to create a keyword category, see Keyword Category.

 block - Blocks the access to the website whose URL contains the specified
keyword.

 log - Logs the access to the website whose URL contains the specified keyword.

Repeat the command to specify more URL keywords and the corresponding actions.

To cancel the specified URL keyword and action, in the URL filter profile configuration
mode, use the command no keyword-category {keyword-category-name | other}.

Recording Web Surfing Log


In the URL filter profile configuration mode, use the following command to
enable the system to record the web surfing log:

web-surfing-record method [get | get-post [post-content] | post [post-content]]

 get – Records the web surfing log using the GET method.

 get-post – Records the web surfing log using the GET and POST methods.

 post – Records the web surfing log using the POST method.

 post-content – Also records the POST content.

To stop recording the web surfing log, in the URL filter profile configuration
mode, use the following command:

no web-surfing-record

Note: The web surfing log is a type of traffic log. By default, the system disables
traffic logs. To make the system record web surfing logs, you must enable traffic
logs as well.

Binding the URL Filter Profile to a Security Zone


If a URL filter profile is bound to a security zone, the system inspects the traffic
destined to that security zone according to the profile configuration. If a policy
rule is bound with a URL filter profile and the destination zone of the policy rule is
also bound with a URL filter profile, the URL filter profile bound to the policy rule
takes effect.

To bind the URL filter profile to a security zone, in the security zone configuration
mode, use the following command:

url enable url-profile-name

 url-profile-name - Specifies the name of the URL filter profile that will be
bound to the security zone. One security zone can only be bound with one URL
filter profile.

To cancel the binding settings, in the security zone configuration mode, use the
following command:

no url enable

Binding the URL Filter Profile to a Policy Rule


After binding the URL filter profile to a policy rule, the system will process the traffic
that is matched to the rule according to the profile configuration. To bind the URL
filter profile to a policy rule, enter the policy rule configuration mode in two steps.

First, in the global configuration mode, use the following command to enter the policy
configuration mode:

policy-global

Then, in the policy configuration mode, use the following command to enter the policy
rule configuration mode:

rule [id id-number]

To bind the URL filter profile to a policy rule, in the policy rule configuration mode,
use the following command:

url profile-name

 profile-name - Specifies the name of URL filter profile that will be bound.

Note: Only after cancelling the binding can you delete the URL filter profile.

After the binding, you need to modify the priority of the policy rule to ensure that
traffic matching this rule is prioritized. Then, you need to specify the user,
destination zone and schedule of the rule. You can also enable or disable the rule.

To perform the URL filter function on the HTTPS traffic, you need to enable the SSL
proxy function for the above specified security policy rule. The system will decrypt the
HTTPS traffic according to the SSL proxy profile and then perform the URL filter
function on the decrypted traffic. According to the various configurations of the
security policy rule, the system will perform the following actions:

Policy rule configuration: SSL proxy enabled, URL filter disabled
Action: The system decrypts the HTTPS traffic according to the SSL proxy profile
but does not perform the URL filter function on the decrypted traffic.

Policy rule configuration: SSL proxy enabled, URL filter enabled
Action: The system decrypts the HTTPS traffic according to the SSL proxy profile
and performs the URL filter function on the decrypted traffic.

Policy rule configuration: SSL proxy disabled, URL filter enabled
Action: The system performs the URL filter function on the HTTP traffic according
to the URL filter profile. The HTTPS traffic will not be decrypted and the system
will forward it.

If the SSL proxy and URL filter functions are enabled on a security policy rule but the
control type of the selected URL filter profile is the Web surfing record, the system will
not record the GET and POST methods and the posted contents via HTTPS.

If the zone which the security policy rule binds with is also configured with URL filter,
the system will perform the following actions:

Policy rule configuration: SSL proxy enabled, URL filter disabled
Zone configuration: URL filter enabled
Action: The system decrypts the HTTPS traffic according to the SSL proxy profile
and performs the URL filter function on the decrypted traffic according to the URL
filter rule of the zone.

Policy rule configuration: SSL proxy enabled, URL filter enabled
Zone configuration: URL filter enabled
Action: The system decrypts the HTTPS traffic according to the SSL proxy profile
and performs the URL filter function on the decrypted traffic according to the URL
filter rule of the policy rule.

Policy rule configuration: SSL proxy disabled, URL filter enabled
Zone configuration: URL filter enabled
Action: The system performs the URL filter function on the HTTP traffic according
to the URL filter rule of the policy rule. The HTTPS traffic will not be decrypted
and the system will forward it.

For more information about SSL proxy, see the SSL Proxy chapter in
StoneOS_CLI_User_Guide_Network_Behavior_Control.
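A decision routine that encodes the two tables above together with the SSL negotiation packet inspection rule and the Web surfing record note, added here as an illustration (not StoneOS code). The UrlProfile/Decision structures, their field names and the profile names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UrlProfile:
    """A URL filter profile (assumed structure). control_type is one of
    "url-category", "keyword-category" or "web-surfing-record"; ssl_inspection
    models `url-category ssl-inspection`, which only URL category profiles accept."""
    name: str
    control_type: str
    ssl_inspection: bool = False

    def __post_init__(self):
        if self.control_type not in ("url-category", "keyword-category", "web-surfing-record"):
            raise ValueError(f"unknown control type: {self.control_type}")
        if self.ssl_inspection and self.control_type != "url-category":
            raise ValueError("ssl-inspection is only valid for URL category profiles")


@dataclass(frozen=True)
class Decision:
    decrypted: bool          # whether the SSL proxy decrypted the HTTPS session
    source: str              # where the effective profile came from: "policy", "zone" or "none"
    applied: Optional[str]   # profile actually applied to the HTTPS traffic, or None
    method: str              # "decrypted-content", "ssl-negotiation", "forwarded", "no-record" or "none"


def resolve_https(ssl_proxy: bool,
                  policy_profile: Optional[UrlProfile],
                  zone_profile: Optional[UrlProfile]) -> Decision:
    """Work out how an HTTPS session is handled for one security policy rule."""
    # Precedence: a profile bound to the policy rule overrides the zone's profile.
    if policy_profile is not None:
        profile, source = policy_profile, "policy"
    elif zone_profile is not None:
        profile, source = zone_profile, "zone"
    else:
        profile, source = None, "none"

    if profile is None:
        # SSL proxy alone decrypts but applies no URL filter.
        return Decision(ssl_proxy, source, None, "none")

    if profile.ssl_inspection:
        # Domain name taken from the SSL negotiation; preferred even when the
        # SSL proxy also decrypts the session.
        return Decision(ssl_proxy, source, profile.name, "ssl-negotiation")

    if not ssl_proxy:
        # Without SSL proxy, HTTPS is forwarded untouched; only HTTP is filtered.
        return Decision(False, source, None, "forwarded")

    if profile.control_type == "web-surfing-record":
        # Decrypted, but GET/POST methods and posted content over HTTPS are not recorded.
        return Decision(True, source, None, "no-record")

    return Decision(True, source, profile.name, "decrypted-content")


if __name__ == "__main__":
    # Constructed profiles: one bound to the policy rule, one to the destination zone.
    policy = UrlProfile("p-url", "url-category")
    zone = UrlProfile("z-url", "url-category")
    print(resolve_https(True, None, zone))    # zone profile applied on decrypted traffic
    print(resolve_https(False, policy, zone))  # HTTPS forwarded without filtering
```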

Viewing URL Filter Profile Information


To view the URL filter profile information, in any mode, use the following command:

show url-profile [profile-name]

 profile-name - Shows the specified URL filter profile information. If this
parameter is not specified, the command will show the information of all the
URL filter profiles.

Web Content
The web content function is designed to control the network behavior of visiting the
webpages that contain certain keywords, and log the actions. For example, you can
configure to block the access to webpage that contains the keyword "gamble", and
record the access action and content in the log.

With the combination of web content and SSL proxy, the encrypted HTTPS access can
be controlled.

Configuring Web Content via CLI


The Web content function is mainly implemented by binding a profile to a policy rule.
Once the Web content profile is bound to a policy rule, the system will process the
traffic that is matched to the rule according to the profile configuration.

To configure Web content via CLI, take the following steps:

1. Create a Web content profile, and specify the keyword category, action and
control range in the profile. You can also configure to exclude HTML tags from
the Web content.

2. Bind the Web content profile to an appropriate policy rule.

Creating a Web Content Profile


You need to specify the keyword category, action and control range in the Web
content profile. To create a Web content profile, in the global configuration mode, use
the following command:

contentfilter-profile profile-name

 profile-name - Specifies the name of the Web content profile, and enters the
configuration mode of the Web content profile. If the specified name exists, the
system will directly enter the Web content profile configuration mode.

To delete the specified Web content profile, in the global configuration mode, use the
command no contentfilter-profile profile-name.

Specifying the Keyword Category and Action

To specify the keyword category that will be filtered and the corresponding action, in
the Web content profile configuration mode, use the following command:

keyword-category keyword-category-name [block] [log]

 keyword-category-name - Specifies the keyword category that will be filtered.
For more information about how to create a keyword category, see Keyword
Category.

 block - Blocks access to the website that contains the specified keyword.

 log - Logs access to the website that contains the specified keyword.

Repeat the command to add more keyword categories and actions.

To cancel the specified keyword category and action, in the Web content profile
configuration mode, use the command no keyword-category keyword-category-name.

Specifying the Control Range

The system will only control the keyword within the specified websites. To specify the
control range, in the Web content profile configuration mode, use the following
command:

url-category {all | url-category-name}

 all | url-category-name - Specifies the URL category that will be controlled.
It can be all the URL categories (all) or a specific URL category
(url-category-name). For more information about how to create a URL category,
see User-defined URL.

Repeat the command to add more URL categories.

To cancel the specified URL category, in the Web content profile configuration
mode, use the command no url-category {all | url-category-name}.

Specifying a HTTP Proxy Server

When the device accesses the Internet through an HTTP proxy server, you need to
specify the IP address and the port number of the HTTP proxy server. With the HTTP
proxy server specified, the various signature databases can update automatically and
normally.

To specify the HTTP proxy server for the URL category signature database updating,
use the following command in the global configuration mode:

url-db update proxy-server {main | backup} ip-address port-number

 main | backup – Use the main parameter to specify the main proxy server
and use the backup parameter to specify the backup proxy server.

 ip-address port-number – Specify the IP address and the port number of
the proxy server.

To cancel the proxy server configurations, use the no url-db update proxy-server
{main | backup} command.

Excluding HTML Tags

By default, the system with Web content enabled not only filters the content
displayed on the webpage, but also filters the code inside HTML tags. To exclude
the HTML tags from filtering, in the Web content profile configuration mode, use the
following command:

exclude-html-tag

To restore to the default value, in the Web content profile configuration mode, use the
following command:

no exclude-html-tag

Note: This function only takes effect when the HTML content type is set to text/html,
i.e., content="text/html".

Binding the Web Content Profile to a Policy Rule
After binding the Web content profile to a policy rule, the system will process the
traffic that is matched to the rule according to the profile configuration. To bind the
Web content profile to a policy rule, enter the policy rule configuration mode in two
steps. First, in the global configuration mode, use the following command to enter the
policy configuration mode:

policy-global

Then, in the policy configuration mode, use the following command to enter the policy
rule configuration mode:

rule [id id-number]

To bind the Web content profile to a policy rule, in the policy rule configuration mode,
use the following command:

contentfilter profile-name

 profile-name - Specifies the name of Web content profile that will be bound.

After the binding, you need to modify the priority of the policy rule to ensure that
traffic matching this rule is prioritized. Then, you need to specify the user,
destination zone and schedule of the rule. You can also enable or disable the rule. For
more information, see "Policy".

Viewing Web Content Profile Information


To view the Web content profile information, in any mode, use the following command:

show contentfilter-profile [profile-name]

 profile-name - Shows the specified Web content profile information. If this
parameter is not specified, the command will show the information of all the
Web content profiles.

Web Posting
The web posting function is designed to control the network behavior of posting on
websites and posting specific keywords, and can log the posting action and posted
content. For example, forbid the users to post information containing the keyword X,
and record the action log.

With the combination of web posting and SSL proxy, posting action on the encrypted
HTTPS websites can be controlled.

Configuring Web Posting via CLI
The Web posting can be configured via CLI by binding a profile to a policy rule. Once
the Web posting profile is bound to a policy rule, the system will process the matching
traffic according to the profile configuration.

To configure Web posting via CLI, take the following steps:

1. Create a Web posting profile, and specify the control type, action and control
range in the profile.

2. Bind the Web posting profile to an appropriate policy rule.

Creating a Web Posting Profile


You need to specify control type, action and control range in the Web posting profile.
To create a Web posting profile, in the global configuration mode, use the following
command:

webpost-profile profile-name

 profile-name - Specifies the name of the Web posting profile, and enters the
configuration mode of the Web posting profile. If the specified name exists, the
system will directly enter the Web posting profile configuration mode.

To delete the specified Web posting profile, in the global configuration mode, use the
command no webpost-profile profile-name.

Specifying the Control Type and Action of Web Posting

You can control all the posting information, or only control the posting information
with specific keyword.

To control all the posting information and specify the action, in the Web posting
profile configuration mode, use the following command:

webpost all [block] [log]

 block - Blocks all the posting actions.

 log - Logs all the posting actions.

To cancel the specified control type, in the Web posting profile configuration mode,
use the command no webpost all .

To control the posting information with specific keyword and specify the action, in the
Web posting profile configuration mode, use the following command:

keyword-category keyword-category-name [block] [log]

 keyword-category-name - Specifies the keyword category that will be filtered.
For more information about how to create a keyword category, see Keyword
Category.

 block - Blocks postings that contain the specified keywords.

 log - Logs postings that contain the specified keywords.

Repeat the command to specify more keyword categories and actions.

To cancel the specified keyword category and action, in the Web posting profile
configuration mode, use the command no keyword-category keyword-category-
name .

Specifying the Control Range

The system will only control the postings within the specified websites. To specify the
control range, in the Web posting profile configuration mode, use the following
command:

url-category {all | url-category-name}

 all | url-category-name - Specifies the URL category that will be controlled.
It can be all the URL categories (all) or a specific URL category
(url-category-name). For more information about how to create a URL category,
see User-defined URL.

Repeat the command to add more URL categories.

To cancel the specified URL category, in the Web posting profile configuration mode,
use the command no url-category {all | url-category-name}.

Binding the Web Posting Profile to a Policy Rule

After binding the Web posting profile to a policy rule, the system will process the
traffic that is matched to the rule according to the profile configuration. To bind the
Web posting profile to a policy rule, enter the policy rule configuration mode in two
steps. First, in the global configuration mode, use the following command to enter the
policy configuration mode:

policy-global

Then, in the policy configuration mode, use the following command to enter the policy
rule configuration mode:

rule [id id-number]

To bind the Web posting profile to a policy rule, in the policy rule configuration mode,
use the following command:

webpost profile-name

 profile-name - Specifies the name of Web posting profile that will be bound.

After the binding, you need to modify the priority of the policy rule to ensure that
traffic matching this rule is prioritized. Then, you need to specify the user,
destination zone and schedule of the rule. You can also enable or disable the rule. For
more information, see "Policy".

Viewing Web Posting Profile Information


To view the Web posting profile information, in any mode, use the following command:

show webpost-profile [profile-name]

 profile-name - Shows the specified Web posting profile information. If this
parameter is not specified, the command will show the information of all the
Web posting profiles.

Email Filter
The email filter function is designed to control the email sending actions according to
the sender, receiver, email content and attachment, and record the sending log
messages and content. Both the SMTP emails and the web mails (including the
encrypted Gmail) can be controlled.

With the combination of email filter and SSL proxy, the encrypted Gmail can be
controlled.

Configuring Email Filter via CLI
The email filter can be configured via CLI by binding a profile to a policy rule. Once
the email filter profile is bound to a policy rule, the system will process the traffic that
is matched to the rule according to the profile configuration.

To configure email filter via CLI, take the following steps:

1. Create an email filter profile, and specify the control type, action, controlled
mailbox and mailbox exception in the profile.

2. Bind the email filter profile to an appropriate policy rule.

Creating a Mail Filter Profile


You need to specify control type, action, controlled mailbox and mailbox exception in
the email filter profile. To create an email filter profile, in the global configuration
mode, use the following command:

mail-profile profile-name

 profile-name - Specifies the name of the email filter profile, and enters the
configuration mode of the email filter profile. If the specified name exists, the
system will directly enter the email filter profile configuration mode.

To delete the specified email filter profile, in the global configuration mode, use the
command no mail-profile profile-name.

Specifying the Control Type

By default the email filter rule is applied to all the supported mailboxes. To specify the
control type, in the email filter profile configuration mode, use the following command:

mail control {all | webmail | smtp | 126 | 139 | 163 | 188 | 21cn | eyou |
gmail | hotmail | qq | sina | sogou | sohu | tom | yahoo | yeah}

 all | webmail | smtp | 126 | 139 | 163 | 188 | 21cn | eyou | gmail |
hotmail | qq | sina | sogou | sohu | tom | yahoo | yeah - Specifies the
email type that will be controlled. It can be all the emails (all), Web mails
(webmail), SMTP mails (smtp), or specific Web mails (126 | 139 | 163 | 188 |
21cn | eyou | gmail | hotmail | qq | sina | sogou | sohu | tom | yahoo | yeah).

To cancel the specified control type, in the email filter profile configuration mode, use
the command no mail control {all | webmail | smtp | 126 | 139 | 163 | 188 |
21cn | eyou | gmail | hotmail | qq | sina | sogou | sohu | tom | yahoo | yeah}.

Controlling All the Emails and Specifying the Action

To control all the emails and specify the action, in the email filter profile configuration
mode, use the following command:

mail any [log]

 log - Logs all the behaviors of sending emails.

To cancel the specified action, in the email filter profile configuration mode, use the
command no mail any .

Specifying the Sender/Recipient and Action

To specify the sender/recipient that will be controlled and the corresponding action, in
the email filter profile configuration mode, use the following command:

mail {sender | recipient} email-address [block] [log]

 sender | recipient - Specifies to control the sender or recipient.

 email-address - Specifies the email address of the sender or recipient.

 block - Blocks the emails that contain the specified sender or recipient.

 log - Logs the behaviors of sending emails that contain the specified sender or
recipient.

Repeat the command to specify more senders/recipients and the corresponding
actions.

To cancel the specified sender/recipient and action, in the email filter profile
configuration mode, use the command no {sender | recipient} email-address .

Specifying the Attachment and Action

To specify the attachment that will be controlled and the corresponding action, in the
email filter profile configuration mode, use the following command:

mail attach [attach-name] [block] [log]

 attach-name - Specifies the name of the attachment that will be controlled. If
the parameter is not specified, the system will control all the attachments.

 block - Blocks the emails that contain the specified attachment (with attach-
name set), or contain any attachment (with no attach-name set).

 log - Logs the behaviors of sending emails that contain the specified
attachment.

Repeat the command to specify more attachments and the corresponding actions.

To cancel the specified attachment and action, in the email filter profile configuration
mode, use the command no mail attach [attach-name] .

To specify the maximum attachment size and the corresponding action, in the email
filter profile configuration mode, use the following command:

mail max-attach-size attach-size [log]

 attach-size - Specifies the maximum attachment size. Any email that
contains an attachment exceeding this size will be blocked.

 log - Logs the behavior of sending emails that contain attachments exceeding
the size.

To cancel the maximum attachment size and the corresponding action, in the email
filter profile configuration mode, use the command no max-attach-size .

Note: In one email filter rule, if both the attachment name and maximum attachment
size are configured, the block action has a higher priority when both conditions are
matched.

Specifying the Keyword Category and Action

To control the email that contains the specified keyword category and the
corresponding action, in the email filter profile configuration mode, use the following
command:

keyword-category keyword-category-name [block] [log]

 keyword-category-name - Specifies the keyword category that will be filtered.
For more information about how to create a keyword category, see Keyword
Category.

 block - Blocks the emails that contain the specified keyword(s).

 log - Logs the behaviors of sending emails that contain the specified
keyword(s).

Repeat the command to specify more keyword categories and actions.

To cancel the specified keyword category and the corresponding action, in the email
filter profile configuration mode, use the command no keyword-category keyword-category-name .

Specifying the Control Type

To specify the control type, in the email filter profile configuration mode, use the
following command:

mail enable {sender | recipient | attach | keyword-category}

 sender | recipient | attach | keyword-category - Specifies to control
the sender, recipient, attachment or keyword category.

To disable the specified control type, in the email filter profile configuration mode, use
the command no mail enable {sender | recipient | attach | keyword-category} .

Specifying the Action for other emails

Other emails refer to the emails that do not match any of the specified conditions
(including sender, recipient, keyword category and attachment). To specify the action
for other emails, in the email filter profile configuration mode, use the following
command:

mail others [block] [log]

 block - Blocks other emails.

 log - Logs the behaviors of sending other emails.

To cancel the specified action for other emails, in the email filter profile configuration
mode, use the command no mail others .

Specifying the Account Exception

The account exception, either a sender or a recipient account, is not controlled by the
email filter rule. To specify an account exception, in the email filter profile
configuration mode, use the following command:

mail whitelist mail-address

 mail-address - Specifies the email address of the exception account.

Repeat the command to specify more account exceptions.

To remove the specified account from the whitelist, in the email filter profile
configuration mode, use the command no mail whitelist mail-address .

Binding the Email Filter Profile to a Policy Rule


After binding the email filter profile to a policy rule, the system will process the traffic
that is matched to the rule according to the profile configuration. To bind the email
filter profile to a policy rule, enter the policy rule configuration mode in two steps.
First, in the global configuration mode, use the following command to enter the policy
configuration mode:

policy-global

Then, in the policy configuration mode, use the following command to enter the policy
rule configuration mode:

rule [id id-number]

To bind the email filter profile to a policy rule, in the policy rule configuration mode,
use the following command:

mail profile-name

 profile-name - Specifies the name of email filter profile that will be bound.

After the binding, adjust the priority of the policy rule so that the traffic to be
controlled is matched by this rule before any other. Then specify the user,
destination zone and schedule of the rule. You can also enable or disable the rule. For
more information, see "Policy".
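The following added example (illustrative Python, not StoneOS code or output) models how the conditions configured in an email filter profile combine on one message. The evaluation order it implements is an assumption drawn from the behaviour described above: a whitelisted account is exempt, any matched condition carrying block wins over log or permit, an oversized attachment is always blocked, and mail others applies only when no condition matched. The profile, addresses and messages it uses are constructed.

```python
# Added example, not StoneOS code: a model of how the conditions of an email
# filter profile combine on one message. Evaluation order is an assumption
# drawn from the documented behaviour; profile and messages are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple

Action = Tuple[bool, bool]  # (block, log) flags of one 'mail ...' line


@dataclass
class Attachment:
    name: str
    size: int  # bytes


@dataclass
class Email:
    sender: str
    recipients: List[str]
    body: str
    attachments: List[Attachment] = field(default_factory=list)


@dataclass
class MailProfile:
    senders: Dict[str, Action] = field(default_factory=dict)        # 'mail sender PATTERN [block] [log]'
    recipients: Dict[str, Action] = field(default_factory=dict)     # 'mail recipient PATTERN [block] [log]'
    attachments: Dict[Optional[str], Action] = field(default_factory=dict)  # None = any attachment
    max_attach_size: Optional[Tuple[int, bool]] = None              # (bytes, log)
    keyword_categories: Dict[str, Tuple[Set[str], bool, bool]] = field(default_factory=dict)
    others: Action = (False, False)                                 # 'mail others [block] [log]'
    whitelist: Set[str] = field(default_factory=set)                # 'mail whitelist ADDRESS'
    enabled: Set[str] = field(default_factory=set)                  # 'mail enable {sender|recipient|attach|keyword-category}'


def _match(addr: str, pattern: str) -> bool:
    """Case-insensitive glob match, so '*@qq.com' also covers Bob@QQ.com."""
    return fnmatchcase(addr.lower(), pattern.lower())


def evaluate(profile: MailProfile, mail: Email) -> Tuple[str, bool, List[str]]:
    """Return (verdict, log, matched_conditions); verdict is 'block' or 'permit'."""
    exempt = {w.lower() for w in profile.whitelist}
    if any(a.lower() in exempt for a in [mail.sender] + mail.recipients):
        return "permit", False, ["whitelist"]  # account exception: not controlled at all

    block = log = False
    matched: List[str] = []

    def hit(reason: str, action: Action) -> None:
        nonlocal block, log
        block, log = block or action[0], log or action[1]  # any block wins; any log logs
        matched.append(reason)

    if "sender" in profile.enabled:
        for pat, act in profile.senders.items():
            if _match(mail.sender, pat):
                hit(f"sender {pat}", act)
    if "recipient" in profile.enabled:
        for pat, act in profile.recipients.items():
            if any(_match(r, pat) for r in mail.recipients):
                hit(f"recipient {pat}", act)
    if "attach" in profile.enabled:
        for att in mail.attachments:
            for pat, act in profile.attachments.items():
                if pat is None or _match(att.name, pat):
                    hit(f"attach {pat or '*'}", act)
            if profile.max_attach_size and att.size > profile.max_attach_size[0]:
                # An oversized attachment is always blocked; only the log flag is optional.
                hit("max-attach-size", (True, profile.max_attach_size[1]))
    if "keyword-category" in profile.enabled:
        text = mail.body.lower()
        for cat, (words, b, l) in profile.keyword_categories.items():
            if any(w.lower() in text for w in words):
                hit(f"keyword-category {cat}", (b, l))

    if not matched:  # nothing matched: 'mail others' decides
        return ("block" if profile.others[0] else "permit"), profile.others[1], ["others"]
    return ("block" if block else "permit"), log, matched


def example4_profile() -> MailProfile:
    """The profile of Example 4 later in this chapter: block *@qq.com senders, log all others."""
    return MailProfile(senders={"*@qq.com": (True, False)}, others=(False, True), enabled={"sender"})


if __name__ == "__main__":
    p = example4_profile()
    print(evaluate(p, Email("bob@qq.com", ["alice@corp.example"], "hello")))
    print(evaluate(p, Email("bob@corp.example", ["alice@corp.example"], "hello")))
```

evaluate returns the verdict, whether a log entry is written, and which profile lines matched, which is what you would want to confirm for a few representative messages before binding the profile to a policy rule.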

Viewing Email Filter Profile Information


To view the email filter profile information, in any mode, use the following command:

show mail-profile [profile-name]

 profile-name - Shows the specified email filter profile information. If this
parameter is not specified, the command will show the information of all the
email filter profiles.

To view the control type information, in any mode, use the following command:

show mail-object [mail-profile profile-name]

 profile-name - Shows the control type information of the specified email filter
profile. If this parameter is not specified, the command will show all the control
type information.

IM Control
The IM control function is designed to control and audit the IM chatting. By creating
IM control rules, you can control MSN, QQ, and Yahoo! Messenger, and record the
login/logout messages.

Configuring an IM Control Rule via CLI


The IM control function is mainly implemented by binding a profile to a policy rule.
Once the IM control profile is bound to a policy rule, the system will process the traffic
that is matched to the rule according to the profile configuration.

To configure IM control via CLI, take the following steps:

1. Create an IM control profile, and specify the IM tool and action in the profile.

2. Bind the IM control profile to an appropriate policy rule.

Creating an IM Control Profile


You need to specify the IM tool that will be controlled and action in the IM control
profile. To create an IM control profile, in the global configuration mode, use the
following command:

im-profile profile-name

 profile-name - Specifies the name of the IM control profile, and enter the
configuration mode of the IM control profile. If the specified name exists, the
system will directly enter the IM control profile configuration mode.

To delete the specified IM control profile, in the global configuration mode, use the
command no im-profile profile-name .

To specify the IM account that will be controlled and the corresponding action, in the
IM control profile configuration mode, use the following command:

{msn | ymsg | qq} {others | im-account} [block] [log]

 msn | ymsg | qq - Control MSN (msn ), Yahoo! Messenger (ymsg ) or QQ (qq ).

 others | im-account - Specifies the account of the controlled Yahoo!
Messenger, MSN or QQ (im-account ), or other IM accounts (others ).

 block - Blocks the corresponding MSN, Yahoo! Messenger or QQ account.

 log - Records the login/logout log messages of the corresponding MSN, Yahoo!
Messenger or QQ account.

Repeat the command to specify more IM tools and corresponding actions.

To cancel the specified IM account and the corresponding action, in the IM control
profile configuration mode, use the command no {msn | ymsg | qq} {others |
im-account} .

Binding the IM Control Profile to a Policy Rule


After binding the IM control profile to a policy rule, the system will process the traffic
that is matched to the rule according to the profile configuration. To bind the IM
control profile to a policy rule, enter the policy rule configuration mode in two steps.
First, in the global configuration mode, use the following command to enter the policy
configuration mode:

policy-global

Then, in the policy configuration mode, use the following command to enter the policy
rule configuration mode:

rule [id id-number]

To bind the IM control profile to a policy rule, in the policy rule configuration mode,
use the following command:

im profile-name

 profile-name - Specifies the name of IM control profile that will be bound.

After the binding, adjust the priority of the policy rule so that the traffic to be
controlled is matched by this rule before any other. Then specify the user,
destination zone and schedule of the rule. You can also enable or disable the rule. For
more information, see "Policy".

Viewing IM Control Profile Information


To view the IM control profile information, in any mode, use the following command:

show im-profile [profile-name]

 profile-name - Shows the specified IM control profile information. If this
parameter is not specified, the command will show the information of all the IM
control profiles.

To view the controlled IM account information, in any mode, use the following
command:

show im-object [im-profile profile-name]

 im-profile profile-name - Shows the IM account information in the specified
IM control profile. If this parameter is not specified, the command will show the
information of all the controlled IM accounts in the system.

HTTP/FTP Control
The HTTP/FTP control function is designed to control and audit (record log messages)
the actions of HTTP and FTP applications, including:

 Control and audit the FTP methods, including Login, Get, and Put;

 Control and audit the HTTP methods, including Connect, Get, Put, Head, Options,
Post, and Trace;

 Block downloading of HTTP binary files (such as .bat, .com), ActiveX and Java
Applets.

Configuring HTTP/FTP Control via CLI


The HTTP/FTP control function is mainly implemented by binding a profile to a policy
rule. Once the HTTP/FTP control profile is bound to a policy rule, the system will
process the traffic that is matched to the rule according to the profile configuration.

To configure HTTP/FTP control via CLI, take the following steps:

1. Create an HTTP/FTP control profile, and specify the FTP method, HTTP method
or HTTP download that will be controlled and action in the profile.

2. Bind the HTTP/FTP control profile to an appropriate policy rule.

Creating an HTTP/FTP Control Profile
You need to specify the FTP method, HTTP method or HTTP download that will be
controlled and action in the HTTP/FTP control profile. To create an HTTP/FTP control
profile, in the global configuration mode, use the following command:

behavior-profile profile-name

 profile-name - Specifies the name of the HTTP/FTP control profile, and enter
the configuration mode of the HTTP/FTP control profile. If the specified name
exists, the system will directly enter the HTTP/FTP control profile configuration
mode.

To delete the specified HTTP/FTP control profile, in the global configuration mode, use
the command no behavior-profile profile-name .

Controlling FTP Methods

To configure the action for the FTP method, in the HTTP/FTP control profile
configuration mode, use the following command:

ftp {login [user-name] | get [file-name] | put [file-name]} {block | permit} [log]

 login [user-name] - Controls FTP login method. To control the login method
of the specified user, use parameter user-name .

 get [file-name] -Controls FTP Get method. To control the Get method to the
specified file, use parameter file-name .

 put [file-name] - Controls FTP Put method. To control the Put method to the
specified file, use parameter file-name .

 block | permit - Specifies the action. It can be block or permit.

 log - Logs the FTP method.

To cancel the specified action for the FTP method, in the HTTP/FTP control profile
configuration mode, use the following command:

no ftp {login [user-name] | get [file-name] | put [file-name]}

Controlling HTTP Methods

To configure the action for the HTTP method, in the HTTP/FTP control profile
configuration mode, use the following command:

http {connect | delete [host] | get [host] | head [host] | options [host] | post [host] | put [host] | trace [host]} {block | permit} [log]

 connect | delete [host] | get [host] | head [host] | options [host] |
post [host] | put [host] | trace [host] - Controls the specified HTTP
method. To control the HTTP method to the specified host, use parameter host.

 block | permit - Specifies the action. It can be block or permit.

 log - Logs the HTTP method.

To cancel the specified action for the HTTP method, in the HTTP/FTP control profile
configuration mode, use the following command:

no http {connect | delete [host] | get [host] | head [host] | options [host] | post [host] | put [host] | trace [host]}

Blocking HTTP Downloads

The HTTP/FTP control function can control the downloading of ActiveX and Java
Applets, as well as binary files of .bat, .com, .exe, .msi, .pif and .scr types.

To configure the action for ActiveX or Java Applet, in the HTTP/FTP control profile
configuration mode, use the following command:

object {active-x | java-applet} {deny | permit}

 active-x | java-applet - Specifies the HTTP object.

 deny | permit - Denies or permits to download the specified HTTP object.

To cancel the specified action, in the HTTP/FTP control profile configuration mode, use
the command no object {active-x | java-applet} .

To configure the action for binary files, in the HTTP/FTP control profile configuration
mode, use the following command:

bin-type {bat | com | exe | msi | pif | scr} {deny | permit}

 bat | com | exe | msi | pif | scr - Specifies the type of binary files.

 deny | permit - Denies or permits to download the specified binary files.

To cancel the specified action, in the HTTP/FTP control profile configuration mode, use
the command no bin-type {bat | com | exe | msi | pif | scr} .

Binding the HTTP/FTP Control Profile to a Policy Rule


After binding the HTTP/FTP control profile to a policy rule, the system will process the
traffic that is matched to the rule according to the profile configuration. To bind the
HTTP/FTP control profile to a policy rule, enter the policy rule configuration mode in
two steps. First, in the global configuration mode, use the following command to enter
the policy configuration mode:

policy-global

Then, in the policy configuration mode, use the following command to enter the policy
rule configuration mode:

rule [id id-number]

To bind the HTTP/FTP control profile to a policy rule, in the policy rule configuration
mode, use the following command:

behavior profile-name

 profile-name - Specifies the name of HTTP/FTP control profile that will be
bound.

After the binding, adjust the priority of the policy rule so that the traffic to be
controlled is matched by this rule before any other. Then specify the user,
destination zone and schedule of the rule. You can also enable or disable the rule. For
more information, see "Policy".
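The following added example (illustrative Python, not StoneOS code or output) shows which fields of a raw HTTP request or FTP command line an HTTP/FTP control profile is keyed on (the HTTP method and host, the FTP method and user or file name, the file type of a download), and applies a profile to them. The profile model, the rule that a line naming a specific host, user or file takes precedence over the bare method line, the default of permit when no line matches, and the decision to derive the bin-type from the requested file name are all assumptions made for the illustration; the sample requests are constructed.

```python
# Added example, not StoneOS code: extract the fields an HTTP/FTP control
# profile matches on from raw protocol messages and apply a profile to them.
# Profile model, precedence and default-permit behaviour are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

BIN_TYPES = {"bat", "com", "exe", "msi", "pif", "scr"}        # the types 'bin-type' can control
FTP_METHODS = {"USER": "login", "RETR": "get", "STOR": "put"}  # FTP commands -> the page's method names

Rule = Tuple[str, bool]  # ("block" | "permit", log)


@dataclass
class BehaviorProfile:
    http: Dict[Tuple[str, Optional[str]], Rule] = field(default_factory=dict)  # (METHOD, host or None)
    ftp: Dict[Tuple[str, Optional[str]], Rule] = field(default_factory=dict)   # (method, user/file or None)
    bin_type: Dict[str, str] = field(default_factory=dict)                    # "exe" -> "deny" | "permit"


def parse_http_request(raw: bytes) -> Tuple[str, str, str]:
    """Return (method, host, path) from an HTTP request head. The host comes
    from the Host header, from an absolute-form target (proxy style), or from
    the request-target of CONNECT; a port suffix is dropped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    method, target = parts[0].upper(), parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if method == "CONNECT":
        return method, target.rsplit(":", 1)[0].lower(), ""
    if target.startswith(("http://", "https://")):
        url = urlsplit(target)
        return method, (url.hostname or "").lower(), url.path
    host = headers.get("host", "").rsplit(":", 1)[0].lower()
    return method, host, target.split("?", 1)[0]


def parse_ftp_command(line: str) -> Optional[Tuple[str, str]]:
    """Map an FTP control-channel line to (method, argument), or None if not a controlled method."""
    verb, _, arg = line.strip().partition(" ")
    method = FTP_METHODS.get(verb.upper())
    return (method, arg) if method else None


def _lookup(table: Dict[Tuple[str, Optional[str]], Rule], method: str, name: str) -> Rule:
    """A line naming the host/user/file is more specific than the bare method line."""
    return table.get((method, name)) or table.get((method, None)) or ("permit", False)


def check_http(profile: BehaviorProfile, raw: bytes) -> Tuple[str, bool, str]:
    """Return (action, log, file_extension) for one HTTP request."""
    method, host, path = parse_http_request(raw)
    action, log = _lookup(profile.http, method, host)
    last_segment = path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
    if action == "permit" and method == "GET" and ext in BIN_TYPES and profile.bin_type.get(ext) == "deny":
        action = "block"  # the method is allowed, but downloading this binary type is not
    return action, log, ext


def check_ftp(profile: BehaviorProfile, line: str) -> Rule:
    """Return (action, log) for one FTP command line."""
    parsed = parse_ftp_command(line)
    if parsed is None:
        return "permit", False
    return _lookup(profile.ftp, *parsed)


def sample_profile() -> BehaviorProfile:
    """Constructed equivalent of: http trace block log / http put block /
    bin-type exe deny / bin-type msi permit / ftp put block log / ftp login anonymous block."""
    return BehaviorProfile(
        http={("TRACE", None): ("block", True), ("PUT", None): ("block", False)},
        ftp={("put", None): ("block", True), ("login", "anonymous"): ("block", False)},
        bin_type={"exe": "deny", "msi": "permit"},
    )


if __name__ == "__main__":
    p = sample_profile()
    print(check_http(p, b"GET /dl/setup.exe HTTP/1.1\r\nHost: files.example\r\n\r\n"))
    print(check_ftp(p, "STOR report.docx"))
```

The file type here is taken from the name in the request path; the page does not state whether the device classifies a binary by its name or by its content, so treat that part of the model as an assumption when you compare it with what the device actually does.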

Viewing HTTP/FTP Control Profile Information


To view the HTTP/FTP control profile information, in any mode, use the following
command:

show behavior-profile [profile-name]

 profile-name - Shows the specified HTTP/FTP control profile information. If this
parameter is not specified, the command will show the information of all the
HTTP/FTP control profiles.

To view the object information in the HTTP/FTP control profile, in any mode, use the
following command:

show behavior-object [behavior-profile profile-name]

 behavior-profile profile-name - Shows the object information of the
specified HTTP/FTP control profile. If this parameter is not specified, the
command will show the object information of all the HTTP/FTP control profiles.

Log Management
The NBC logs of StoneOS provide comprehensive records of users’ network
behaviours, including visiting URLs, sending emails, content of the emails and the
attachments, Web postings, IM and chatting content, and FTP/HTTP methods, etc.
These records are the data source for HSM (Hillstone Security Management TM) to
provide log query, statistics, audit, analysis and other services. For more information,
see Hillstone Security Management help document.

Log Severity and Format


NBC logs are written at the Information severity level.

To facilitate the access and analysis of the system logs, StoneOS logs follow a fixed
pattern of information layout, i.e. date/time, severity level@module:
descriptions. See the example below.

2009-08-17 11:34:27, NBC INFO@FLOW: IM: IP 100.100.10.55 ( -) vrouter trust-vr, MSN, user1 -> user2, title user1, time 1250480067

Output Destinations
Log files can be sent to the following destinations. You can specify one of them at
your own choice:

 Console - Console port of the device.

 Buffer - Memory buffer.

 File - Saves the logs as a file on the specified USB disk or CF card.

 Remote - Remote terminals connected through Telnet or SSH.

 Syslog Server - Sends logs to a UNIX or Windows Syslog Server.

 Email - Sends logs to a specified email account.

 Localdb - Sends logs to the local database of the device. The local database
locates at the storage media, including SD card, USB disk or the storage
expansion module provided by Hillstone.

When logs are sent to Localdb, the system generates a database file named
year_month_date-nbc.db. For example, the NBC logs generated on August 1st, 2009
are saved in 2009_8_1-nbc.db. When no space is left on the storage media, the system
deletes the earliest database file automatically. For example, suppose the NBC logs
generated from June 1st, 2009 to August 1st, 2009 are stored on the media; when no
space is left, the system deletes 2009_6_1-nbc.db automatically to make room for
new NBC logs.
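The following added example (illustrative Python, not StoneOS code or output) parses NBC log lines in the layout shown under "Log Severity and Format" and works with the Localdb file naming described above. The header and IM description layouts are taken from the sample line on this page; the regular expressions, the time-offset check and the retention helper are assumptions made for the illustration, and the file names fed to it are constructed.

```python
# Added example, not StoneOS code: parse NBC log lines in the layout shown
# on this page (date/time, severity@module: description) and handle the
# year_month_date-nbc.db naming of Localdb files. Regexes, the offset check
# and the retention helper are assumptions; sample data is constructed.
import re
from datetime import date, datetime, timezone
from typing import Any, Dict, Iterable, Optional

# Constructed sample: the example line from "Log Severity and Format".
SAMPLE_LINE = ("2009-08-17 11:34:27, NBC INFO@FLOW: IM: IP 100.100.10.55 ( -) "
               "vrouter trust-vr, MSN, user1 -> user2, title user1, time 1250480067")

HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), "
    r"(?P<module>\S+) (?P<severity>[A-Z]+)@(?P<unit>\w+): (?P<desc>.*)$")
IM_RE = re.compile(
    r"^IM: IP (?P<ip>[\d.]+) \((?P<mac>[^)]*)\) vrouter (?P<vr>\S+), "
    r"(?P<app>[^,]+), (?P<src>\S+) -> (?P<dst>\S+), title (?P<title>.*), time (?P<epoch>\d+)$")
DB_RE = re.compile(r"^(\d{4})_(\d{1,2})_(\d{1,2})-nbc\.db$")


def parse_nbc_line(line: str) -> Optional[Dict[str, Any]]:
    """Split one NBC log line into fields; IM records get their own sub-fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, Any] = m.groupdict()
    rec["ts"] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")  # device-local wall clock
    im = IM_RE.match(m["desc"])
    if im:
        rec.update(im.groupdict())
        rec["mac"] = im["mac"].strip() or "-"   # "( -)" in the sample means no MAC known
        rec["epoch"] = int(im["epoch"])         # seconds since the UNIX epoch (UTC)
    return rec


def utc_offset_hours(rec: Dict[str, Any]) -> float:
    """Device-local timestamp minus the UTC time carried in the 'time' field.
    Handy when correlating NBC logs with sources that stamp in UTC."""
    utc = datetime.fromtimestamp(rec["epoch"], tz=timezone.utc).replace(tzinfo=None)
    return (rec["ts"] - utc).total_seconds() / 3600


def localdb_filename(d: date) -> str:
    """year_month_date-nbc.db with no zero padding, e.g. 2009_8_1-nbc.db."""
    return f"{d.year}_{d.month}_{d.day}-nbc.db"


def oldest_localdb(filenames: Iterable[str]) -> Optional[str]:
    """The file the device removes first when the media is full: the earliest by
    date. The names are not zero padded, so a plain string sort gets this wrong
    (2009_10_1 sorts before 2009_8_1); parse the date fields instead."""
    dated = []
    for name in filenames:
        m = DB_RE.match(name)
        if m:
            dated.append((date(int(m[1]), int(m[2]), int(m[3])), name))
    return min(dated)[1] if dated else None


if __name__ == "__main__":
    rec = parse_nbc_line(SAMPLE_LINE)
    print(rec["app"], rec["src"], "->", rec["dst"], "local offset (h):", utc_offset_hours(rec))
    print(oldest_localdb(["2009_10_1-nbc.db", "2009_6_1-nbc.db", "2009_8_1-nbc.db"]))
```

For the sample line the epoch value 1250480067 is 03:34:27 UTC on the same day, so the local timestamp runs eight hours ahead of UTC; knowing that offset matters when NBC logs are lined up with syslog or SIEM data stamped in UTC.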

Configuring Log
The configurations of NBC logs include enabling/disabling NBC log, specifying the
output destination, exporting and clearing logs, clearing local database log
information, and viewing local database information. For more information about the
configurations, see the table below.

Table 13: NBC Log Configurations

Configuration: To enable/disable the log function
CLI: In the global configuration mode, use the following command:
 Enable: logging nbc on
 Disable: no logging nbc on

Configuration: To record the login/logout log messages of IM
CLI: In the global configuration mode, use the following command:
 To record the login/logout log messages of QQ, MSN, Fetion, and 9158: im {qq | msn | fetion | 9158} log enable
 To disable the recording of the login/logout log messages of QQ, MSN, Fetion, and 9158: no im {qq | msn | fetion | 9158} log enable

Configuration: To specify the output destination
CLI: In the global configuration mode, use the following command:
 To Console, remote terminal or syslog server, or to enable the email notification function: logging nbc to {console | remote | syslog [binary-format [distributed [src-ip-hash | round-robin]] | custom-format] | email}
 To buffer: logging nbc to buffer [size buffer-size]
 To a file: logging nbc to file [size file-size] [name {usb0 | usb1 | compactflash} file-name]
 To local DB: logging nbc to localdb [size storage-percentage] [location sd0 | usb0 | usb1 | storageX]

Configuration: To export NBC logs
CLI: In the execution mode, use the following command:
export log nbc to {ftp server ip-address user user-name password password | tftp server ip-address | {usb0 | usb1}} [file-name]

Configuration: To clear NBC logs
CLI: clear logging nbc

Configuration: To clear local DB log information
CLI: In any mode, use the following command:
remove database {active | all | date}

Configuration: To view local DB information
CLI: In any mode, use the following command:
show database

Identifying UID from WeChat Traffic and Recording Logs

The system can identify the UID (unique identification) from WeChat traffic, together
with the related IP address, MAC address and time of occurrence, and records them in
the IM logs.

To enable this function, in the global configuration mode, use the following command:

im wechat log enable

To disable the identification and log recording, in the global configuration mode, use
the no im wechat log enable command.

Configuring Timeout Value
During the timeout period, WeChat traffic of the same UID does not trigger new logs;
once the timeout expires, the next traffic of that UID triggers a new log. To configure
the timeout value, in the global configuration mode, use the command below:

im wechat timeout value

 value - Specifies the timeout value in minutes. The default value is 20.

In the global configuration mode, use the no im wechat timeout command to restore
the default value.
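The following added example (illustrative Python, not StoneOS code or output) models the per-UID suppression window described above, so that the expected log volume for a given timeout can be reasoned about before the logs are shipped to HSM or a syslog server. It assumes the window is measured from the last sighting that produced a log, that the timeout is in minutes with a default of 20 as stated on this page, and that suppression is keyed on the UID alone; the events it replays are constructed.

```python
# Added example, not StoneOS code: the per-UID log suppression window for
# WeChat sightings. Window measured from the last logged sighting, keyed on
# UID only, default 20 minutes: assumptions for the illustration.
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, str, int]  # (uid, ip, mac, epoch seconds)


class UidLogSuppressor:
    def __init__(self, timeout_minutes: int = 20) -> None:
        self.timeout = timeout_minutes * 60
        self.last_logged: Dict[str, int] = {}  # uid -> time of the last emitted log

    def observe(self, uid: str, ip: str, mac: str, ts: int) -> Optional[Dict[str, object]]:
        """Return a log record for this sighting, or None while the UID is inside its window."""
        last = self.last_logged.get(uid)
        if last is not None and ts - last < self.timeout:
            return None
        self.last_logged[uid] = ts
        return {"uid": uid, "ip": ip, "mac": mac, "time": ts}


def replay(events: List[Event], timeout_minutes: int = 20) -> List[Dict[str, object]]:
    """Run sightings through a fresh suppressor and return the logs it would emit."""
    s = UidLogSuppressor(timeout_minutes)
    return [r for r in (s.observe(*e) for e in events) if r is not None]


# Constructed sample: one UID seen every five minutes for an hour, once from a
# second IP inside the window, plus another UID seen a single time.
SAMPLE_EVENTS: List[Event] = [("wxid_a", "10.1.1.5", "00:11:22:33:44:55", t) for t in range(0, 3600, 300)]
SAMPLE_EVENTS[3] = ("wxid_a", "10.1.1.9", "00:11:22:33:44:55", 900)  # new IP, same UID, inside the window
SAMPLE_EVENTS.append(("wxid_b", "10.1.1.6", "66:77:88:99:aa:bb", 0))


if __name__ == "__main__":
    for record in replay(SAMPLE_EVENTS):
        print(record)
```

With the default window the hour of sightings for wxid_a collapses to three log entries (at 0, 20 and 40 minutes) and the appearance of the same UID from 10.1.1.9 at minute 15 is not logged at all, because suppression is keyed on the UID rather than on the UID and address pair; shortening the timeout to the sighting interval restores one entry per sighting.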

Viewing Logs
Use the show logging nbc command to view the information of UID, IP address,
MAC address, and online time.

Typical Configuration Examples


This section describes five NBC configuration examples, including:

 Example 1: URL filter

 Example 2: Web content

 Example 3: Web posting

 Example 4: Mail filter

 Example 5: IM control

The network topology is shown in the figure below. Hillstone device works as the
gateway of an enterprise. Ethernet0/0 connects to Internet and belongs to the untrust
zone; ethernet0/1 connects to the Intranet of R&D Department and belongs to the
trust zone; ethernet0/3 connects to the Intranet of Marketing Department and
belongs to the trust1 zone.

Figure 2: NBC Configuration Network Topology

Notes:
 Do not use CLI and WebUI to configure NBC at the same time. Choose only
one method.
 For more information about how to configure the interface, security zone and
log, see other related chapters. This section only describes NBC
configuration.

Example1: URL Filter Configuration


The goal is to configure a URL filter rule that forbids the members of the R&D
department (network segment 10.100.0.0/16) to access news websites (except for
www.abc.com) and the entertainment website www.bcd.com during office hours (09:00 to
18:00, Monday to Friday), forbids searching for the keyword ef, and logs the access
and search attempts.

Preparations
Before configuring the URL filter function, finish the following preparations first:

1. Install the URL service license and reboot the device.

2. Update the predefined URL database.

Configuration Steps on CLI


Step 1: Configure a schedule:
hostname(config)# schedule workday

hostname(config-schedule)# periodic weekdays 09:00 to 18:00
hostname(config-schedule)# exit
hostname(config)#

Step 2: Configure the user-defined URL category named bcd that contains
www.bcd.com:
hostname(config)# url-category bcd
hostname(config)# url www.bcd.com url-category bcd

Step 3: Configure the keyword category named url-keyword:


hostname(config)# contentfilter
hostname(config-contentfilter)# category url-keyword
hostname(config-contentfilter)# keyword ef simple category url-keyword
hostname(config-contentfilter)# exit
hostname(config)#

Step 4: Configure the URL filter profile named urlcontrol:


hostname(config)# url-profile urlcontrol
hostname(config-url-profile)# url-category News block log
hostname(config-url-profile)# keyword-category url-keyword block
log
hostname(config-url-profile)# exit
hostname(config)#

Step 5: Bind the URL filter profile to a policy rule:


hostname(config)# policy-global
hostname(config-policy)# rule id 1
hostname(config-policy-rule)# url urlcontrol
hostname(config-policy-rule)# src-ip 10.100.0.0/16
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# schedule workday
hostname(config-policy-rule)# exit
hostname(config)#

Step 6: Configure a bypass domain that excludes www.abc.com from control:


hostname(config)# address abc
hostname(config-addr)# host www.abc.com
hostname(config-addr)# exit
hostname(config)# policy-global
hostname(config-policy)# rule from any to abc service any permit
hostname(config-policy)# exit
hostname(config)#

After the configuration, adjust the priority of the policy rule so that the R&D traffic is
matched by the configured rule before any other. When the rule takes effect, during
office hours the members of the R&D department cannot access news websites (except
for www.abc.com) or www.bcd.com, and cannot search for the keyword ef. The system
logs the access and search attempts.

Example 2: Web Content Configuration


The goal of Example 2 is to configure a Web content rule that forbids the members of
the R&D department (network segment 10.100.0.0/16), except for the member a, to
access web pages containing the keywords X and Y, and logs the access attempts.

Preparations
Before configuring the Web content function, finish the following preparations first:

1. Install the URL service license and reboot the device.

2. Update the predefined URL database.

Configuration Steps on CLI


Step 1: Configure the keyword category named web-keyword:
hostname(config)# contentfilter
hostname(config-contentfilter)# category web-keyword
hostname(config-contentfilter)# keyword X simple category web-keyword
hostname(config-contentfilter)# keyword Y simple category web-keyword
hostname(config-contentfilter)# exit
hostname(config)#

Step 2: Configure the Web content profile named webkeyword-control:


hostname(config)# contentfilter-profile webkeyword-control
hostname(config-contentfilter-profile)# keyword-category web-keyword block log
hostname(config-contentfilter-profile)# exit
hostname(config)#

Step 3: Bind the Web content profile to a policy rule:


hostname(config)# policy-global
hostname(config-policy)# rule id 2
hostname(config-policy-rule)# contentfilter webkeyword-control
hostname(config-policy-rule)# src-ip 10.100.0.0/16
hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit
hostname(config)#

Step 4: Set the user exception that excludes member a from control:
hostname(config)# aaa-server local
hostname(config-aaa-server)# user a
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)# policy-global
hostname(config-policy)# rule from trust to untrust service any
permit
Rule id 3 is created
hostname(config-policy)# rule id 3
hostname(config-policy-rule)# user local a
hostname(config-policy-rule)# exit
hostname(config)#

After the configuration, adjust the priority of the policy rules so that the exception
rule for member a is matched before the control rule. When the rules take effect, the
members of the R&D department (except member a) cannot access web pages
containing the keyword X or Y, and the system logs the access attempts.

Example 3: Web Posting Configuration


The goal is to configure a Web posting rule that logs the actions of posting
information with keyword X on the website www.abc.com.

Preparations
Before configuring the Web posting function, finish the following preparations first:

1. Install the URL service license and reboot the device.

2. Update the predefined URL database.

Configuration Steps on CLI


Step 1: Configure the keyword category named reactionary-keyword:
hostname(config)# contentfilter
hostname(config-contentfilter)# category reactionary-keyword
hostname(config-contentfilter)# keyword X simple category
reactionary-keyword
hostname(config-contentfilter)# exit
hostname(config)#

Step 2: Configure the user-defined URL category named abc that contains
www.abc.com:

hostname(config)# url-category abc
hostname(config)# url www.abc.com url-category abc

Step 3: Configure the Web posting profile named webpost-control:


hostname(config)# webpost-profile webpost-control
hostname(config-webpost-profile)# keyword-category reactionary-keyword log
hostname(config-webpost-profile)# url-category abc
hostname(config-webpost-profile)# exit
hostname(config)#

Step 4: Bind the Web posting profile to a policy rule:


hostname(config)# policy-global
hostname(config-policy)# rule id 3
hostname(config-policy-rule)# webpost webpost-control
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# exit
hostname(config)#

After the configuration, adjust the priority of the policy rule so that the traffic to
www.abc.com is matched by the configured rule before any other. When the rule
takes effect, the system records a log message whenever someone posts information
containing the keyword X on the website www.abc.com.

Example 4: Email Filter Configuration


The goal is to forbid employees to send emails through QQ mailboxes, and to log the
sending of emails through any other mailbox.

Configuration Steps on CLI


Step 1: Configure the Email filter profile named mailfilter:
hostname(config)# mail-profile mailfilter
hostname(config-mail-profile)# mail sender *@qq.com block
hostname(config-mail-profile)# mail others log
hostname(config-mail-profile)# mail enable sender
hostname(config-mail-profile)# exit
hostname(config)#

Step 2: Bind the Email filter profile to a policy rule:


hostname(config)# policy-global
hostname(config-policy)# rule id 4
hostname(config-policy-rule)# mail mailfilter
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# exit

hostname(config-policy)# exit
hostname(config)#

After the configuration, adjust the priority of the policy rule so that outbound email
traffic is matched by the configured rule before any other. When the rule takes effect,
employees cannot send emails through QQ mailboxes, and every email sent through
another mailbox is logged.

Example 5: IM Control Configuration


The goal is to configure an IM control rule that records the MSN login/logout log
messages of the Marketing department members (the role is marketing).

Configuration Steps on CLI


Step 1: Configure the user, role, and role mapping rule (take user1 as the example):
hostname(config)# aaa-server local
hostname(config-aaa-server)# user-group usergroup1
hostname(config-user-group)# exit
hostname(config-aaa-server)# user user1
hostname(config-user)# password 123456
hostname(config-user)# group usergroup1
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)# role marketing
hostname(config)# role-mapping-rule role-mapping1
hostname(config-role-mapping)# match user-group usergroup1 role
marketing
hostname(config-role-mapping)# exit
hostname(config)#

Step 2: Configure the role mapping rule for the local AAA server:
hostname(config)# aaa-server local
hostname(config-aaa-server)# role-mapping-rule role-mapping1
hostname(config-aaa-server)# exit
hostname(config)#

Step 3: Configure interfaces and zones:


hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# zone trust1
hostname(config-if-eth0/3)# ip address 192.168.1.1/16
hostname(config-if-eth0/3)# exit
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone untrust

hostname(config-if-eth0/0)# ip address 66.1.200.1/16
hostname(config-if-eth0/0)# exit
hostname(config)#

Step 4: Configure WebAuth and DNS policy:


hostname(config)# webauth http
set enabled service to HTTP
hostname(config)# policy-global
hostname(config-policy)# rule from any to any service any
webauth local
Rule id 1 is created
hostname(config-policy)# rule id 1
hostname(config-policy-rule)# src-ip 192.168.1.1/16
hostname(config-policy-rule)# src-zone trust1
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# role unknown
hostname(config-policy-rule)# exit
hostname(config-policy)# rule from any to any service dns permit
Rule id 2 is created
hostname(config-policy)# rule id 2
hostname(config-policy-rule)# src-zone trust1
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# exit
hostname(config-policy)#

Step 5: Configure the policy rule:


hostname(config-policy)# rule from any to any service any permit
Rule id 3 is created
hostname(config-policy)# rule id 3
hostname(config-policy-rule)# src-zone trust1
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# role marketing
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Step 6: Configure the IM control profile named marketim:


hostname(config)# im-profile marketim
hostname(config-im-profile)# msn others log
hostname(config-im-profile)# exit
hostname(config)#

Step 7: Bind the IM control profile marketim to a policy rule:


hostname(config)# policy-global

hostname(config-policy)# rule id 4
hostname(config-policy-rule)# im marketim
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# role marketing
hostname(config-policy-rule)# exit
hostname(config)#

After the configuration, adjust the priority of the policy rule so that the Marketing
traffic is matched by the configured rule before any other. When the rule takes effect,
the system logs the MSN login/logout actions of the Marketing department members.

File Filter
The file filter function checks the files transported through the HTTP, FTP, SMTP and
POP3 protocols and controls them according to the file filter rules:

 Checks and controls files transported through the GET and POST methods of
HTTP, and through FTP, SMTP and POP3.

 Supports file size, file type and file name as filter conditions. The file size
condition is not supported for FTP.

 Supports the block, log and permit actions.

The filter conditions supported by each protocol are shown below:

Condition    HTTP GET   HTTP POST   FTP   SMTP   POP3
File size    √          √           ×     √      √
File type    √          √           √     √      √
File name    √          √           √     √      √

Configuring File Filtering


After the file filter profile is bound to a policy rule, the system processes the traffic
that matches the rule according to the profile.

To configure file filter via CLI, take the following steps:

1. Create a file filter profile, and configure the file filter rule.

2. Specify the protocol to be checked, the filter condition, and the actions in the
file filter rule.

3. Bind the file filter profile to an appropriate policy rule.

Creating a File Filter Profile


To create a file filter profile, in the global configuration mode, use the following
command:

dlp-profile profile-name

 profile-name - Specifies the name of the file filter profile, and enter the
configuration mode of the file filter profile. If the specified name exists, the
system will directly enter the file filter profile configuration mode.

To delete the file filter profile, use the no dlp-profile profile-name command.

Creating a File Filter Rule
Use the file filter rule to specify the protocol that you want to check, the filter
conditions, and the actions. To create a filter rule, in the file filter profile configuration
mode, use the following command:

filter id id-number
 id-number - Specifies the ID of the created file filter rule, and enter the
configuration mode of the file filter rule. If the specified ID exists, the system
will directly enter the file filter rule configuration mode. The ID value ranges
from 1 to 3.

If a filter rule is configured with the block action and a file matches this rule, the
system blocks the uploading/downloading of the file. If none of the filter rules that the
file matches has the block action configured, the system permits the file and logs it.

Use the no filter id id-number command to delete the specified filter rule.

Specifying the Protocol


The file filter function will check the files transported through the protocols you
specify. To specify the protocol, in the file filter rule configuration mode, use the following command:

protocol-type { all | http-get | http-post | ftp | smtp | pop3 }


 all | http-get | http-post | ftp | smtp | pop3 - Specifies the
protocols. all represents to check the files transported through the GET and
POST methods of HTTP, FTP, SMTP and POP3. http-get represents to check
the files transported through the GET method of HTTP. http-post represents
to check the files transported through the POST method of HTTP. ftp
represents to check the files transported through FTP. smtp represents to check
the files transported through SMTP. pop3 represents to check the files
transported through POP3.

To cancel the settings, use the no protocol-type command.

Specifying the File Size


When the size of the transported file reaches the specified file size, the system will
trigger the actions. Note that the file filter function does not support the file size filter
condition for FTP. To specify the file size, in the file filter rule configuration mode, use
the following command:

file-size-threshold size-value
 size-value – Specify the file size. The value ranges from 1 to 512,000. The
unit is KB.

To cancel the file size settings, use the no file-size-threshold command.

Specifying the File Name
When the name of the transported file matches the specified file name, the system
will trigger the actions. To specify the file name, in the file filter rule configuration
mode, use the following command:

file-name name
 name – Specify the file name. The value ranges from 1 to 255 characters. You
can specify up to 32 file names. If there is no wildcard in the specified name,
then a transported file whose name is the same as the specified name will
trigger the actions. If the asterisk (*) appears in the specified name, then a
transported file whose name contains the part that follows the asterisk will
trigger the actions.

Use the no file-name name command to cancel the settings.

Specifying the File Type


When the transmitted file is a particular type, the system will trigger the actions. The
file filter function can identify the following file types:

7Z, AI, APK, ASF, AVI, BAT, BMP, CAB, CATPART, CDR, CIN, CLASS, CMD, CPL, DLL,
DOC, DOCX, DPX, DSN, DWF, DWG, DXF, EDIT, EMF, EPS, EPUB, EXE, EXR, FLA, FLV,
GDS, GIF, GZ, HLP, HTA, HTML, IFF, ISO, JAR, JPG, KEY, LNK, LZH, MA, MB, MDB,
MDI, MIF, MKV, MOV, MP3, MP4, MPEG, MPKG, MSI, NUMBERS, OCX, PAGES, PBM,
PCL, PDF, PGP, PIF, PL, PNG, PPT, PPTX, PSD, RAR, REG, RLA, RMVB, RPF, RTF, SGI,
SH, SHK, STP, SVG, SWF, TAR, TDB, TIF, TORRENT, TXT, VBE, WAV, WEBM, WMA,
WMF, WMV, WRI, WSF, XLS, XLSX, XML, XPM, ZIP, UNKNOWN

To specify the file type, in the file filter rule configuration mode, use the following
command:

file-type type

 type – Specify the file type. The type names are described above. You can
specify one type at a time and repeat this command to specify multiple types. To
control file types that are not supported, use the UNKNOWN type.

Use the no file-type type command to cancel the settings.

Specifying the Action


Specify the action to control the files that match the filter conditions. To specify the
action, in the file filter rule configuration mode, use the following command:

action { log | block [log] }

 block [log] – block represents blocking the uploading or downloading of the
file that matches the filter conditions without logs. To log the blocking, use
block log.

 log – Permit the transporting of the file that matches the filter conditions with
logs.

Use the no action command to cancel the settings.

Binding the File Filter Profile to a Policy Rule
After binding the file filter profile to a policy rule, the system will process the traffic
that matches the rule according to the profile. To bind the file filter profile to a policy
rule, enter the policy rule configuration mode in two steps.

In the global configuration mode, use the following command to enter the policy
configuration mode:

policy-global

Then, in the policy configuration mode, use the following command to enter the policy
rule configuration mode:

rule [id id-number]

To bind the file filter profile to a policy rule, in the policy rule configuration mode, use
the following command:

dlp-profile profile-name

 profile-name - Specifies the name of file filter profile that will be bound.

To cancel the binding, use the no dlp-profile command.
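The following transcript puts the file filter commands above together in one configuration. It is an added example, not a sample from the Hillstone manual: the profile name ff-uploads, the zone names, the rule ID in the "Rule id 5 is created" output, and the prompts hostname(config-dlp-profile)# and hostname(config-dlp-profile-filter)# are assumed, since the manual does not show the prompt text of these modes. Rule 1 blocks and logs executables (and files the device cannot classify) uploaded through HTTP POST; rule 2 only logs ZIP attachments larger than 20 MB sent over SMTP.

```text
hostname(config)# dlp-profile ff-uploads
hostname(config-dlp-profile)# filter id 1
hostname(config-dlp-profile-filter)# protocol-type http-post
hostname(config-dlp-profile-filter)# file-type EXE
hostname(config-dlp-profile-filter)# file-type UNKNOWN
hostname(config-dlp-profile-filter)# action block log
hostname(config-dlp-profile-filter)# exit
hostname(config-dlp-profile)# filter id 2
hostname(config-dlp-profile-filter)# protocol-type smtp
hostname(config-dlp-profile-filter)# file-name *.zip
hostname(config-dlp-profile-filter)# file-size-threshold 20480
hostname(config-dlp-profile-filter)# action log
hostname(config-dlp-profile-filter)# exit
hostname(config-dlp-profile)# exit
hostname(config)# policy-global
hostname(config-policy)# rule from any to any service any permit
Rule id 5 is created
hostname(config-policy)# rule id 5
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# dlp-profile ff-uploads
hostname(config-policy-rule)# exit
hostname(config)# show dlp-profile ff-uploads
```

Two points worth checking in your own configuration. Rule 2 is limited to smtp rather than all because the file size condition is not supported for FTP, so a rule combining protocol-type all with file-size-threshold would silently not apply to FTP transfers. Also, because a name with an asterisk matches any file whose name contains the part after the asterisk, *.zip matches report.zip.exe as well as report.zip; if that matters, add a separate file-type rule instead of relying on the name alone. As described above, when a file matches several rules the block action wins, so the block log action in rule 1 takes effect regardless of rule 2.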

Viewing File Filter Profile


To view the file filter profile, in any mode, use the following command:

show dlp-profile profile-name

 profile-name - Shows the specified file filter profile.

SSL Proxy
Overview
To assure the security of sensitive data while it is transmitted over networks, more and
more websites adopt SSL encryption to protect their information. The device provides the
SSL proxy function to decrypt HTTPS traffic. The SSL proxy function works in the following
two scenarios:

In the first scenario, the device works as the gateway of Web clients. The SSL proxy function
replaces the certificates of encrypted websites with the SSL proxy certificate to get the
encrypted information and sends the SSL proxy certificate to the client's Web browser.
During the process, the device acts as an SSL client and an SSL server to establish connections
to the Web server and the Web browser respectively. The SSL proxy certificate is generated by
using the device's local certificate to re-sign the website certificate. The process is
described below:

Figure 3: SSL Proxy Process

In the second scenario, the device works as the gateway of Web servers. The device with SSL
proxy enabled can work as the SSL server, use the certificate of the Web server to
establish the SSL connection with Web clients (Web browsers), and send the decrypted
traffic to the internal Web server.

Work Mode
There are three work modes. For the first scenario, the SSL proxy function can work in the
Require mode and the Exempt mode; for the second scenario, the SSL proxy function can
work in the Offload mode.

When the SSL proxy function works in the Require mode and the Exempt mode, it can
perform the SSL proxy on specified websites.

For the websites that do not need SSL proxy, it dynamically adds the IP address and port
of the websites to a bypass list, and the HTTPS traffic will be bypassed.

For the websites proxied by the SSL proxy function, the device will check the parameters of
the SSL negotiation. When a parameter matches an item in the checklist, the
corresponding HTTPS traffic can be blocked or bypassed according to the action you
specified.

 If the action is Block, the HTTPS traffic will be blocked by the device.

 If the action is Bypass, the HTTPS traffic will not be decrypted. Meanwhile, the
device will dynamically add the IP address and port number of the Website to
the bypass list, and the HTTPS traffic will be bypassed.

The device will decrypt the HTTPS traffic that is neither blocked nor bypassed.

When the SSL proxy function works in the Offload mode, it will proxy the SSL connections
initiated by Web clients, decrypt the HTTPS traffic, and send the HTTPS traffic as plaintext
to the Web server. You can integrate the SSL proxy function with the following functions:

 Integrate with the application identification function. Devices can decrypt the
HTTPS traffic that applications encrypt using SSL and identify the
application. After the application identification, you can configure the policy rule,
QoS, session limit, and policy-based route.

 Integrate with the Web content function, Web post function, and email filter
function. Devices can audit the actions that access the HTTPS website.

 Integrate with AV, IPS, and URL. Devices can perform the AV protection, IPS
protection, and URL filter on the decrypted HTTPS traffic.

Working as Gateway of Web Clients


To implement SSL proxy, you need to bind an SSL proxy profile to the policy rule. After
binding the SSL proxy profile to a policy rule, the system will use the SSL proxy profile to
deal with the traffic that matches the policy rule. To implement SSL proxy, take the
following steps:

1. Configure the corresponding parameters of SSL negotiation, including the following
items: specify the PKI trust domain of the device certificates, obtain the CN value
of the subject field from the website certificate, configure the trusted SSL certificate
list, and import a device certificate to the Web browser.
2. Configure an SSL proxy profile, including the following items: choose the work mode,
set the website list (use the CN value of the Subject field of the website certificate),
configure the actions for the HTTPS traffic when its SSL negotiation matches an
item in the checklist, enable the audit warning page, and so on.
3. Bind an SSL proxy profile to a proper policy rule. The device will decrypt the HTTPS
traffic that matches the policy rule and is not blocked or bypassed by the device.

Configuring SSL Proxy Parameters


Configuring SSL proxy parameters includes the following items:

 Specify the PKI trust domain of the device certificate

 Obtain the CN value of the website certificate

 Configure a trusted SSL certificate list

 Import a device certificate to a Web browser

Specifying the PKI Trust Domain of Device Certificate
By default, the device uses the PKI trust domain trust_domain_ssl_proxy_2048 to
re-sign the Web server certificate, i.e., to generate the SSL proxy certificate. You can change the PKI trust
domain by using the following command in the global configuration mode:

sslproxy trust-domain trust-domain-name

 trust-domain-name – Select a trust domain. You can select
trust_domain_ssl_proxy or trust_domain_ssl_proxy_2048. The trust
domain trust_domain_ssl_proxy uses RSA with a 1024-bit modulus; the trust
domain trust_domain_ssl_proxy_2048 uses RSA with a 2048-bit modulus.

To restore the trust domain settings to the default one, use the no sslproxy trust-domain
command.

Specifying Key Pair Modulus Size


Specify the key pair modulus size of the private/public keys that are associated with the
SSL proxy certificate. The generated private key is stored by the device and the public key
is stored in the SSL proxy certificate. By default, the system uses key modulus size of 2048
bits. You can change it to 1024 bits by using the following command in the SSL proxy
profile configuration mode:

cert-key-modulus 1024

To use the modulus size of 2048 bits, use the no cert-key-modulus command in the
SSL proxy profile configuration mode.

Obtaining the CN Value


To get the CN value in the Subject field of the website certificate, take the following steps
(taking www.gmail.com as the example):

1. Open the IE Web browser, and visit https://www.gmail.com.
2. Click the Security Report button next to the URL.
3. In the pop-up dialog, click View certificates.
4. In the Details tab, click Subject. You can view the CN value in the text box.

Configuring a Trusted SSL Certificate List


The trusted SSL certificate list contains the well-known CA certificates in the industry,
which are used to verify the validity of site certificates. For valid certificates, the
system will send an SSL proxy certificate to the client browser; for invalid
certificates, the system will send an internal certificate to the browser to inform you that
the certificate of the website is invalid. You can import one or multiple trusted SSL
certificates, or delete a specified trusted SSL certificate.

To import one or multiple trusted SSL certificates, in the execution mode, use the following
command:

import sslproxy {trustca-single | trustca-package} from {ftp server
ip-address [user user-name password password] | tftp server
ip-address | usb0 | usb1} file-name

 trustca-single | trustca-package - Imports one (trustca-single) or
multiple (trustca-package) trusted SSL certificates.

 ftp server ip-address [user user-name password password] - Specifies
the IP address of the FTP server, and the username and password of the server.
If the username and password are not specified, you will log into the server
anonymously.

 tftp server ip-address - Specifies the IP address of the TFTP server.

 usb0 | usb1 - Imports the trusted SSL certificate from the root directory of
the USB disk inserted into the usb0 or usb1 port.

 file-name - Specifies the file name of the trusted SSL certificate that will be
imported.

To delete the specified trusted SSL certificate, in the global configuration mode, use the
following command:

sslproxy trustca-delete file-name

 file-name - Specifies the file name of the trusted SSL certificate that will be
deleted.

Importing a Device Certificate to a Web Browser


In the proxy process, the SSL proxy certificate will be used to replace the website
certificate. However, the client browser does not have the root certificate of the SSL proxy certificate,
so the client cannot visit the proxied website properly. To address this problem, you have
to import the root certificate (the certificate of the device) into the browser. To import a device
certificate into the client browser, take the following steps:

1. Export the device certificate to your local PC. Use the following CLI command:

export pki trust-domain-name {cacert | cert | pkcs12 password |
pkcs12-der password} to {ftp server ip-address [user user-name
password password] | tftp server ip-address | usb0 | usb1} [file-name]

Example:
hostname# export pki trust_domain_ssl_proxy cacert to tftp server
10.10.10.1
Export ok,target filename 1252639478
hostname#

2. Import the certificate (before importing the certificate, change the extension
of the certificate file to .crt) into the web browser (taking Internet Explorer as the
example). Start IE, and from the toolbar select Tools > Internet Options. On the
Content tab, click Certificates. In the Certificates dialog, click the Trusted
Root Certification Authorities tab, and then click Import, as shown in the
figure below. Import the certificate as prompted by the Certificate Import
Wizard.

Figure 4: Importing the Certificate

If the encryption standard you select in step 1 is pkcs12 or pkcs12-der, you
need to enter the certificate password in the pop-up window when importing the
certificate into the web browser. The password is the one that you specified in the
pkcs12 password | pkcs12-der password command.

Configuring an SSL Proxy Profile


Configuring an SSL proxy profile includes the following items: choose the work mode, set
the website list (use the CN value of the Subject field of the website certificate), configure
the actions for the HTTPS traffic when its SSL negotiation matches an item in the checklist,
enable the audit warning page, and so on. The system supports up to 32 SSL proxy
profiles, and each profile supports up to 10,000 website entries. To create an SSL
proxy profile, use the following command in the global configuration mode:

sslproxy-profile profile-name

 profile-name – Specify the name of the SSL proxy profile and enter the SSL
proxy profile configuration mode. If the name already exists, the system will
enter the SSL proxy profile configuration mode directly.

To delete an SSL proxy profile, use the no sslproxy-profile profile-name command.

Choosing a Work Mode
When the device works as the gateway of Web clients, the SSL proxy function can work in
the Require mode or the Exempt mode.

 In the Require mode, the device performs the SSL proxy function on the
communication encrypted by the specified website certificates. The
communication encrypted by other website certificates will be bypassed.

 In the Exempt mode, the device does not perform the SSL proxy function on the
communication encrypted by the specified website certificate. The
communication encrypted by other website certificates will be proxied by SSL
proxy function.

In the SSL proxy profile configuration mode, use the following command to choose the work
mode:

mode {require | exempt}

 require | exempt – Choose the work mode.

To cancel the work mode setting, use the no form of this command.

Setting the Website List


Set the website list based on the work mode. When the SSL proxy is in the Require mode,
set the websites that will be proxied by the SSL proxy function. When the SSL proxy is in
the Exempt mode, set the websites that will not be proxied by the SSL proxy function and
the device will perform the SSL proxy on other websites.

To set the website list, specify the CN value of the subject field of the website certificate.
In the SSL proxy profile configuration mode, use the following command to add the CN
value to the website list:

cert-subject-name value

 value – Enter the CN value of the Subject field of the website certificate.

To delete a certain CN value from the list, use the no cert-subject-name value
command.

Configuring the Actions to the HTTPS Traffic


Before performing the SSL proxy process, the device will check the parameters of the SSL
negotiation. When a parameter matches an item in the checklist, the corresponding HTTPS
traffic can be blocked or bypassed according to the action you specified.

 If the action is Block, the HTTPS traffic will be blocked and cannot display in the
Web browser.

 If the action is Bypass, the HTTPS traffic will not be decrypted. Meanwhile, the
device will dynamically add the IP address and port number of the website to
the bypass list. When connecting to a website that has been dynamically added to
the bypass list, the first connection will be disconnected. Users need to
reconnect to the website, after which the content will be displayed.

The device will decrypt the HTTPS traffic that is neither blocked nor bypassed.

Notice the following items during the configurations:

 When the parameters match multiple items in the checklist and you have configured
different actions for different items, the Block action takes effect. The
corresponding HTTPS traffic will be blocked.

 If the HTTPS traffic is not bypassed or blocked after the SSL negotiation check,
the system will decrypt the HTTPS traffic.

Checking Whether the SSL Server Verifies the Client Certificate


Check whether the SSL server verifies the client certificate. When the server verifies the
client certificate, the system can block or bypass the HTTPS traffic. By default, the system
bypasses the HTTPS traffic, and the traffic will not be decrypted. To bypass the traffic, use
the following command in the SSL proxy profile configuration mode:

verify-client bypass

To restore the setting to the default one, use the no verify-client command.

Checking Whether the SSL Server Certificate is Overdue


Check whether the SSL server certificate is overdue. When the SSL server certificate is
overdue, the system can block or bypass the HTTPS traffic. Use the following command in
the SSL proxy profile configuration mode to specify the action:

expired-cert {block | bypass}

 block | bypass – Use the block parameter to block the HTTPS traffic. Use
the bypass parameter to bypass the HTTPS traffic; the system will not
decrypt bypassed HTTPS traffic. By default, the system decrypts the traffic
regardless of whether the SSL server certificate is overdue.

To restore the value to the default one, use no expired-cert command.

Checking the SSL Protocol Version


Check the SSL protocol version used by the server. When the SSL server uses the specified
version of SSL protocol, the system can block its HTTPS traffic. Use the following command
in the SSL proxy profile mode to check the SSL protocol version and specify the Block
action:

ssl-version {sslv3 | tlsv1.0 | tlsv1.1} block

 sslv3 | tlsv1.0 | tlsv1.1 – Specify an SSL protocol version whose HTTPS
traffic you want to block.

 block – When the SSL server uses the specified version of SSL protocol, use the
block parameter to block its HTTPS traffic. By default, the system will not block
the HTTPS traffic based on any SSL protocol version.

To restore the setting to the default one, use the no ssl-version command.

When the system does not support the SSL protocol version used by the SSL server, the
system can block or bypass the HTTPS traffic. By default, the system blocks the HTTPS
traffic. To bypass the HTTPS traffic instead, in the SSL proxy profile configuration mode, use the
following command. When the HTTPS traffic is bypassed, it will not be decrypted:

unsupported-ssl-version bypass

To restore the setting to the default value, use the no unsupported-ssl-version
command.

Checking the Encryption Algorithm


Check the encryption algorithm used by the SSL server. When the SSL server uses the
specified encryption algorithm, the system can block its HTTPS traffic. In the SSL proxy
profile configuration mode, use the following command to check the encryption algorithm
and specify the Block action:

cipher {des | 3des | rc2 | rc4} block

 des | 3des | rc2 | rc4 – Specify the encryption algorithm used by the SSL
server.

 block - When the SSL server uses the specified encryption algorithm, use the
block parameter to block its HTTPS traffic. By default, the system will not block
the HTTPS traffic based on any encryption algorithm.

To restore the setting to the default one, use the no cipher command.

When the system does not support the encryption algorithm used by the SSL server, the
system can block or bypass the HTTPS traffic. By default, the system blocks the HTTPS
traffic. To bypass the HTTPS traffic instead, in the SSL proxy profile configuration mode, use the
following command. When the HTTPS traffic is bypassed, it will not be decrypted:

unsupported-cipher bypass

To restore the setting to the default one, use the no unsupported-cipher command.

Verifying the Web Server Certificate


The network becomes unsafe when users access an untrusted web server. To
block the traffic that accesses an untrusted server, the system can use the root
certificate list to verify the server certificate. In the SSL proxy profile configuration mode,
use the following command:

untrusted-server-cert block

By default, the system performs the proxy when users access an untrusted server. To restore
the default, in the SSL proxy profile configuration mode, use the no untrusted-server-cert
command.

Enable Warning Page
When the HTTPS traffic is decrypted by the SSL proxy function, the request to an HTTPS
website will be redirected to a warning page of the SSL proxy. On this page, the system notifies
the users that their access to HTTPS websites is being monitored and asks the users to
protect their privacy.

In the SSL proxy profile configuration mode, use the following command to enable/disable
the warning page:

Enable the warning page: no ssl-notification-disable

Disable the warning page: ssl-notification-disable

After enabling the warning page, if your HTTPS access behavior originating from one single
source IP is matched to any configured policy rule and SSL proxy profile, you will be
prompted with the warning page every 30 minutes when visiting the website over HTTPS.

You can clear the SSL proxy warning history. After that, even if you have received the
warning page before, you will be prompted immediately when you visit the website over
HTTPS again. To clear the SSL proxy audit warning history, in any mode, use the following
command:

clear sslproxy notification

Configuring the Description


To add the description to a SSL proxy profile, in the SSL proxy profile configuration mode,
use the following command:

description description

 description – Enters the description.

Use no description to delete the description.

Working as Gateway of Web Servers


To implement SSL proxy, you need to bind an SSL proxy profile to the policy rule. After
binding the SSL proxy profile to a policy rule, the system will use the SSL proxy profile to
deal with the traffic that matches the policy rule. To implement SSL proxy, take the
following steps:

1. Configure an SSL proxy profile, including the following items: choose the work mode,
specify the trust domain of the Web server certificate and the HTTP port number of
the Web server.
2. Bind an SSL proxy profile to a proper policy rule. The device will decrypt the HTTPS
traffic that matches the policy rule.

Configuring an SSL Proxy Profile
Configuring an SSL proxy profile includes the following items: choose the work mode,
specify the trust domain of the Web server certificate and the HTTP port number of the
Web server.

To create an SSL proxy profile, use the following command in the global configuration mode:

sslproxy-profile profile-name

 profile-name – Specify the name of the SSL proxy profile and enter the SSL
proxy profile configuration mode. If the name already exists, the system will
enter the SSL proxy profile configuration mode directly.

To delete an SSL proxy profile, use the no sslproxy-profile profile-name command.

Choosing a Work Mode


When the device works as the gateway of Web servers, the SSL proxy function can work
in the Offload mode. In the SSL proxy profile configuration mode, use the following command
to specify the work mode:

mode offload

To cancel the work mode setting, use the no form of this command.

Specifying Trust Domain


Since the device will work as the SSL server and use the certificate of the Web server
to establish the SSL connection with Web clients (Web browsers), you need to import
the certificate and the key pair into a trust domain in the device. For more
information about importing the certificate and the key pair, see the PKI chapter in
StoneOS_CLI_User_Guide_User_Authentication.

After you complete the importing, specify the trust domain used by this SSL Profile.
In the SSL Profile configuration mode, use the following command to specify the trust
domain:

ssl-offload server-trust-domain trust-domain-name

 trust-domain-name - Specifies the trust domain name that will be used by
this SSL proxy profile.

To cancel the setting, use the no ssl-offload server-trust-domain command.

Specifying HTTP Port Number


To specify the HTTP port number of the Web server, in the SSL Profile configuration
mode, use the following command:

ssl-offload server-port port

 port - Specifies the port number.

Use the no ssl-offload server-port command to cancel the setting.

Enable Warning Page


When the HTTPS traffic is decrypted by the SSL proxy function, the request to an HTTPS
website will be redirected to a warning page of the SSL proxy. On this page, the system notifies
the users that their access to HTTPS websites is being monitored and asks the users to
protect their privacy.

In the SSL proxy profile configuration mode, use the following command to enable/disable
the warning page:

Enable the warning page: no ssl-notification-disable

Disable the warning page: ssl-notification-disable

After enabling the warning page, if your HTTPS access behavior originating from one single
source IP is matched to any configured policy rule and SSL proxy profile, you will be
prompted with the warning page every 30 minutes when visiting the website over HTTPS.

You can clear the SSL proxy warning history. After that, even if you have received the
warning page before, you will be prompted immediately when you visit the website over
HTTPS again. To clear the SSL proxy audit warning history, in any mode, use the following
command:

clear sslproxy notification

Configuring the Description


To add the description to a SSL proxy profile, in the SSL proxy profile configuration mode,
use the following command:

description description

 description – Enters the description.

Use no description to delete the description.

Binding the SSL Proxy Profile to a Policy Rule


After binding the SSL proxy profile to a policy rule, the system will process the traffic that
is matched to the rule according to the profile configuration. To bind the SSL proxy profile
to a policy rule, enter the policy rule configuration mode in two steps. First, in the global
configuration mode, use the following command to enter the policy configuration mode:

policy-global

Then, in the policy configuration mode, use the following command to enter the policy rule
configuration mode:

rule [id id-number]

To bind the SSL proxy profile to a policy rule, in the policy rule configuration mode, use the
following command:

sslproxy profile-name

 profile-name - Specifies the name of the SSL proxy profile that will be bound to the rule.

After the binding, you need to modify the priority of the policy rule to ensure that traffic
matching this rule is evaluated first. Then specify the user, destination
zone, and schedule of the rule. You can also enable or disable the rule. For more
information, see "Policy".
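The following transcript combines the SSL proxy commands from both scenarios into one configuration: a Require-mode profile for the Web-client gateway case and an Offload-mode profile for the Web-server gateway case, each bound to its own policy rule. It is an added example, not a sample from the Hillstone manual. The profile names decrypt-webmail and offload-intranet, the CN value mail.example.com, the trust domain td_intranet_web (which must already hold the Web server's certificate and key pair, imported as described in the PKI chapter), the zone names, the rule IDs in the "Rule id ... is created" output, and the prompt hostname(config-sslproxy-profile)# are all assumed; the manual does not show the prompt text of this mode.

```text
hostname(config)# sslproxy trust-domain trust_domain_ssl_proxy_2048
hostname(config)# sslproxy-profile decrypt-webmail
hostname(config-sslproxy-profile)# mode require
hostname(config-sslproxy-profile)# cert-subject-name mail.example.com
hostname(config-sslproxy-profile)# expired-cert block
hostname(config-sslproxy-profile)# untrusted-server-cert block
hostname(config-sslproxy-profile)# ssl-version sslv3 block
hostname(config-sslproxy-profile)# cipher rc4 block
hostname(config-sslproxy-profile)# verify-client bypass
hostname(config-sslproxy-profile)# no ssl-notification-disable
hostname(config-sslproxy-profile)# description webmail-decrypt
hostname(config-sslproxy-profile)# exit
hostname(config)# sslproxy-profile offload-intranet
hostname(config-sslproxy-profile)# mode offload
hostname(config-sslproxy-profile)# ssl-offload server-trust-domain td_intranet_web
hostname(config-sslproxy-profile)# ssl-offload server-port 80
hostname(config-sslproxy-profile)# exit
hostname(config)# policy-global
hostname(config-policy)# rule from any to any service any permit
Rule id 6 is created
hostname(config-policy)# rule id 6
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# sslproxy decrypt-webmail
hostname(config-policy-rule)# exit
hostname(config)# policy-global
hostname(config-policy)# rule from any to any service any permit
Rule id 7 is created
hostname(config-policy)# rule id 7
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone dmz
hostname(config-policy-rule)# sslproxy offload-intranet
hostname(config-policy-rule)# exit
hostname(config)# show sslproxy-profile decrypt-webmail
hostname(config)# show sslproxy state
hostname(config)# show tcproxy exempt
```

A few design notes. In the Require-mode profile only the listed CN is decrypted; everything else is bypassed, which keeps the decryption scope narrow and auditable. The checklist entries favour Block for weak or untrustworthy server-side parameters (expired certificate, untrusted root, SSLv3, RC4), and since Block wins when several checklist items match, a site that is both expired and untrusted is blocked rather than bypassed. verify-client bypass is left explicit so that sites requiring client certificates, which the proxy cannot satisfy on the client's behalf, keep working undecrypted and appear in show tcproxy exempt. The warning page is enabled so users of the Require-mode rule are told their HTTPS traffic is being inspected. The Offload-mode profile relies on the device terminating TLS with the server's own certificate, so nothing needs to be imported into client browsers for rule 7; rule 6, by contrast, only works after the device certificate has been imported into the clients' trusted root store as described in the import section above. After both rules exist, adjust their priority so that they are matched before any broader permit rule.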

Viewing SSL Proxy Information


To view the SSL proxy information, use the following commands:

 View the trusted SSL certificates: show sslproxy trustca [file-name]

 View the certificates in the dynamic bypass list: show tcproxy exempt

 View the SSL proxy state, including the SSL proxy work mode, statistics, and
the PKI domain of the SSL proxy certificate: show sslproxy state

 View the SSL proxy profile information: show sslproxy-profile [profile-name]
