You configure content filtering rules at the security-policy content-filtering level. For more details on the command structure, see Configuring Rules Using UPL.
To create a content filtering rule, use the following command:
Admin@nodename# create security-policy content-filtering <position> upl-rule
Content filtering rule parameters:
Parameter |
Description |
---|---|
PASS DENY WARNING |
Rule action:
|
enabled |
Enable/disable a rule:
|
name |
Rule name. Example: name("Content filtering rule example"). |
desc |
A description of the rule. Example: desc("Content filtering rule example set via CLI"). |
rule_log |
Log traffic information if the rule is triggered. The available options are:
|
scenario |
Scenario that needs to be active for the rule to trigger. To specify a scenario: scenario = "Example of a scenario". For more details on configuring scenarios, see Configuring scenarios. |
virus_usergate |
UserGate stream virus check. Required if the selected action is Deny. Enumerated options:
|
Blocking page |
Select a block page. If no page is specified, a default page template is used. Specify the block page in parentheses after the action, e.g. DENY("Blockpage (AE)"). For more details on configuring block pages, see Configuring Response Pages. To specify an external page, provide an external URL: redirect(302, "http://www.example.com"). |
src.zone |
Traffic source zone. To specify a source zone, such as Trusted: src.zone = Trusted. For more details about how to configure zones using CLI, see the Zones section. |
src.ip |
Add source IP address or domain lists. To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section. To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section. |
src.geoip |
Source GeoIP. Specify a country code (for example, src.geoip = AE). Click here for the list of ISO 3166-1 country codes. Important! The maximum number of GeoIPs that can be specified is limited to 15. |
user |
Users and user groups for which the content filtering rule applies (local or LDAP). To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section). Examples of adding users to a rule: user = known user = "user" user = "testd.local\\user1" user = ("user", "testd.local\\user1") |
dst.zone |
Traffic destination zone, for example, dst.zone = Untrusted. For more details about how to configure zones using CLI, see the Zones section. |
dst.ip |
Add lists of destination IP addresses or domains. To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section. To specify a destination domain list: dst.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section. |
dst.geoip |
To specify a destination GeoIP, it is necessary to specify a country code (for example, dst.geoip = AE). Click here for the list of ISO 3166-1 country codes. Important! The maximum number of GeoIPs that can be specified is limited to 15. |
service |
Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring services groups). To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...). To specify a service group: service = lib.service(). Provide the services group name in parentheses. |
category |
Lists of categories and URL filtering categories for which the rule will be applied. You need to have the appropriate license for URL filtering. To specify a URL category list: category = lib.category(). Specify the URL category list name in parentheses. For more details about how to create and configure URL categories using CLI, see Configuring URL Categories. To specify a URL category: category = "URL category name". |
url |
The URL lists to which the rule will be applied. To specify a URL list: url = lib.url(). Specify a URL list name in parentheses. For more details about creating and configuring URL lists, see Configuring URL Lists. |
response.header.Content-Type |
Lists of content types to which the rules will be applied. To specify a content type list: response.header.Content-Type = lib.mime(). Provide the name for the content type list in parentheses. For more details about how to create and configure lists using CLI, see Configuring Content Types. |
morphology |
The list of morphological dictionary databases that will be used to check webpages. To specify the list of morphology databases: morphology = lib.morphology(). Provide the list name in parentheses. For more details about how to create and configure your own lists using CLI, see Configuring Morphology. |
request.header.User-Agent |
The user browser useragents for which this rule will be applied. To specify a useragent: request.header.User-Agent = lib.useragent(). Provide the useragent browser category in parentheses. For more details about how to create and configure your own lists using CLI, see Configuring Useragents. |
http.method |
Method used in HTTP requests. To specify an HTTP method, for example: http.method = GET. |
request.header.Referer |
A list of URLs of referrers for the current page, or the URL category to which the referrer belongs. To specify a URL list or a URL category: request.header.Referer = lib.url() (specify the name of the list in parentheses) or request.header.Referer = "URL category". For more details on configuring URL lists using CLI, see Configuring URL Lists. For more details on configuring URL categories using CLI, see Configuring URL Categories. |
time |
Set a schedule for a rule. To set a schedule: time = lib.time(). Specify a time set group name in parentheses. For more details on configuring time sets, see Configuring time sets. |
To edit a content filtering rule, use the following command:
Admin@nodename# set security-policy content-filtering <position> upl-rule
To view all content filtering rules that were created, use the following command:
Admin@nodename# show security-policy content-filtering
To view a specific content filtering rule, use the following command:
Admin@nodename# show security-policy content-filtering <position>
Example of creating a content filtering rule using UPL:
Admin@nodename# create security-policy content-filtering 1 upl-rule PASS \ ...src.zone = Trusted \ ...url = lib.url("Test URL list") \ ...user = known \ ...rule_log(yes) \ ...name("Test content-filtering rule") \ ...desc("Test content-filtering rule description") \ ...enabled(true) ... Admin@nodename# show security-policy content-filtering 1 % ----------------- 1 --- "Content Rules" -------------- PASS \ user = known \ url = lib.url("Test URL list") \ src.zone = Trusted \ desc("Test content-filtering rule description") \ rule_log(yes) \ enabled(true) \ id("96b2ee34-528a-4b06-8726-69711ba639ba") \ name("Test content-filtering rule")
To remove an existing content filtering rule, use the following command:
Admin@nodename# delete security-policy content-filtering <position>