Configuring the Security Policies Section


Configuring Content Filtering

You configure content filtering rules at the security-policy content-filtering level. For more details on the command structure, see Configuring Rules Using UPL.

To create a content filtering rule, use the following command:

Admin@nodename# create security-policy content-filtering <position> upl-rule

Content filtering rule parameters:

Parameter

Description

PASS

DENY

WARNING

Rule action:

  • PASS: allow the web page to be visited

  • DENY: block the web page

  • WARNING: warn the user that it is not advisable to visit the page. It is up to the user to decide whether to visit the page or not. If they do proceed to the page, the visit is logged.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

Rule name.

Example: name("Content filtering rule example").

desc

A description of the rule.

Example: desc("Content filtering rule example set via CLI").

rule_log

Log traffic information if the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. If rule_log is not specified, logging is disabled.

  • rule_log(yes) or rule_log(true): enable logging.

scenario

Scenario that needs to be active for the rule to trigger.

To specify a scenario: scenario = "Example of a scenario".

For more details on configuring scenarios, see Configuring scenarios.

virus_usergate

UserGate stream virus check. Required if the selected action is Deny. Enumerated options:

  • virus_usergate = yes or virus_usergate = true: use UserGate stream virus check.

  • virus_usergate = no or virus_usergate = false: do not use UserGate stream virus check.

Blocking page

Select a block page. If no page is specified, a default page template is used. Specify the block page in parentheses after the action, e.g. DENY("Blockpage (AE)").

For more details on configuring block pages, see Configuring Response Pages.

To specify an external page, provide an external URL: redirect(302, "http://www.example.com").

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add source IP address or domain lists.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

Click here for the list of ISO 3166-1 country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

user

Users and user groups for which the content filtering rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section).

Examples of adding users to a rule:

user = known
user = "user"
user = "testd.local\\user1"
user = ("user", "testd.local\\user1")

dst.zone

Traffic destination zone, for example, dst.zone = Untrusted.

For more details about how to configure zones using CLI, see the Zones section.

dst.ip

Add lists of destination IP addresses or domains.

To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a destination domain list: dst.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

dst.geoip

To specify a destination GeoIP, it is necessary to specify a country code (for example, dst.geoip = AE).

Click here for the list of ISO 3166-1 country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

service

Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring services groups).

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To specify a service group: service = lib.service(). Provide the services group name in parentheses.

category

Lists of categories and URL filtering categories for which the rule will be applied. You need to have the appropriate license for URL filtering.

To specify a URL category list: category = lib.category(). Specify the URL category list name in parentheses.

For more details about how to create and configure URL categories using CLI, see Configuring URL Categories.

To specify a URL category: category = "URL category name".

url

The URL lists to which the rule will be applied.

To specify a URL list: url = lib.url(). Specify a URL list name in parentheses.

For more details about creating and configuring URL lists, see Configuring URL Lists.

response.header.Content-Type

Lists of content types to which the rules will be applied.

To specify a content type list:

response.header.Content-Type = lib.mime(). Provide the name for the content type list in parentheses.

For more details about how to create and configure lists using CLI, see Configuring Content Types.

morphology

The list of morphological dictionary databases that will be used to check webpages.

To specify the list of morphology databases: morphology = lib.morphology(). Provide the list name in parentheses.

For more details about how to create and configure your own lists using CLI, see Configuring Morphology.

request.header.User-Agent

The browser user agents for which this rule is applied.

To specify a user agent: request.header.User-Agent = lib.useragent(). Provide the user agent browser category in parentheses.

For more details about how to create and configure your own lists using CLI, see Configuring Useragents.

http.method

Method used in HTTP requests.

To specify an HTTP method, for example: http.method = GET.

request.header.Referer

A list of URLs of referrers for the current page, or the URL category to which the referrer belongs.

To specify a URL list or a URL category: request.header.Referer = lib.url() (specify the name of the list in parentheses) or request.header.Referer = "URL category".

For more details on configuring URL lists using CLI, see Configuring URL Lists. For more details on configuring URL categories using CLI, see Configuring URL Categories.

time

Set a schedule for a rule.

To set a schedule: time = lib.time(). Specify a time set group name in parentheses.

For more details on configuring time sets, see Configuring time sets.

To edit a content filtering rule, use the following command:

Admin@nodename# set security-policy content-filtering <position> upl-rule

To view all content filtering rules that were created, use the following command:

Admin@nodename# show security-policy content-filtering

To view a specific content filtering rule, use the following command:

Admin@nodename# show security-policy content-filtering <position>

Example of creating a content filtering rule using UPL:

Admin@nodename# create security-policy content-filtering 1 upl-rule PASS \
...src.zone = Trusted \
...url = lib.url("Test URL list") \
...user = known \
...rule_log(yes) \
...name("Test content-filtering rule") \
...desc("Test content-filtering rule description") \
...enabled(true)
...
Admin@nodename# show security-policy content-filtering 1
% ----------------- 1 --- "Content Rules" --------------
PASS \
user = known \
url = lib.url("Test URL list") \
src.zone = Trusted \
desc("Test content-filtering rule description") \
rule_log(yes) \
enabled(true) \
id("96b2ee34-528a-4b06-8726-69711ba639ba") \
name("Test content-filtering rule")

To remove an existing content filtering rule, use the following command:

Admin@nodename# delete security-policy content-filtering <position>


Configuring Safe Browsing

You configure safe browsing at the security-policy safe-browsing level. For more details on the command structure, see Configuring Rules Using UPL.

To create a safe browsing rule, use the following command:

Admin@nodename# create security-policy safe-browsing <position> upl-rule

Safe browsing rule parameters:

Parameter

Description

PASS

OK

Action to create a rule using UPL.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

Safe browsing rule name.

Example: name("Safe browsing rule example").

desc

Rule description, for example, desc("Safe browsing rule example set via CLI").

rule_log

Log traffic information if the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. If rule_log is not specified, logging is disabled.

  • rule_log(yes) or rule_log(true): enable logging.

enable_adblock

Block advertising (AdBlock).

  • enable_adblock(yes) or enable_adblock(true)

  • enable_adblock(no) or enable_adblock(false)

url_list_exclusions

List of websites for which advertisements should not be blocked: url_list_exclusions("URL list name").

For more details about how to create and configure URL lists using CLI, see Configuring URL Lists.

enable_injector

Inject code into web pages:

  • enable_injector(yes) or enable_injector(true)

  • enable_injector(no) or enable_injector(false)

custom_injector

Injector code.

safe_search

Use the safe search feature:

  • safe_search(yes) or safe_search(true)

  • safe_search(no) or safe_search(false)

search_history_logging

Log user search requests:

  • search_history_logging(no) or search_history_logging(false): disable logging of user search requests. If search_history_logging is not specified, logging is disabled.

  • search_history_logging(yes) or search_history_logging(true): enable logging user search requests.

cocial_sites_block

Block social network apps:

  • cocial_sites_block(yes) or cocial_sites_block(true)

  • cocial_sites_block(no) or cocial_sites_block(false)

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add source IP address or domain lists.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

Click here for the list of ISO 3166-1 country codes.

user

Users and groups for which the safe browsing rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section).

Examples of adding users to a rule:

user = known
user = "user"
user = "testd.local\\user1"
user = ("user", "testd.local\\user1")

time

Set a schedule for a rule.

To set a schedule: time = lib.time(). Specify a time set group name in parentheses. For more details on configuring time sets, see Configuring time sets.

To edit a safe browsing rule, use the following command:

Admin@nodename# set security-policy safe-browsing <position> upl-rule

To view all safe browsing rules that were created, use the following command:

Admin@nodename# show security-policy safe-browsing

To view a specific safe browsing rule, use the following command:

Admin@nodename# show security-policy safe-browsing <position>

Example of creating a safe browsing rule using UPL:

Admin@nodename# create security-policy safe-browsing 1 upl-rule PASS \
...user = known \
...src.zone = Trusted \
...enable_adblock(yes) \
...safe_search(yes) \
...rule_log(yes) \
...name("Test safe browsing rule") \
...desc("Test safe browsing rule description") \
...enabled(true)
...
Admin@nodename# show security-policy safe-browsing 1
% ----------------- 1 -----------------
OK \
user = known \
src.zone = Trusted \
rule_log(yes) \
enable_adblock(yes) \
safe_search(yes) \
desc("Test safe browsing rule description") \
enabled(true) \
id("406a2753-750e-4830-82a8-583043e72359") \
name("Test safe browsing rule")

To remove a safe browsing rule, use the following command:

Admin@nodename# delete security-policy safe-browsing <position>


Configuring Tunnel Inspection Rules

You configure tunnel inspection rules on the security-policy tunnel-inspection level. For more details on the command structure, see Configuring Rules Using UPL.

To create a tunnel inspection rule, use the following command:

Admin@nodename# create security-policy tunnel-inspection <position> upl-rule

Tunnel inspection rule parameters:

Parameter

Description

OK

PASS

Tunnel inspection rule action:

  • OK: inspect

  • PASS: bypass

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

Tunnel inspection rule name.

Example: name("Tunnel inspection rule example").

desc

A description of the rule.

Example: desc("Tunnel inspection rule example configured via CLI").

service

Tunnel type:

  • service = gre: GRE tunnel inspection.

  • service = gtpu: GTP-U tunnel inspection.

  • service = ipsec_null: non-encrypted IPsec tunnel inspection.

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add source IP address or domain lists.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

Click here for the list of ISO 3166-1 country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

dst.zone

Traffic destination zone, for example, dst.zone = "Tunnel inspection zone".

For more details about how to configure zones using CLI, see the Zones section.

dst.ip

Add lists of destination IP addresses or domains.

To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a destination domain list: dst.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

dst.geoip

To specify a destination GeoIP, it is necessary to specify a country code (for example, dst.geoip = AE).

Click here for the list of ISO 3166-1 country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

To edit a tunnel inspection rule, use the following command:

Admin@nodename# set security-policy tunnel-inspection <position> upl-rule

To view all tunnel inspection rules that were created, use the following command:

Admin@nodename# show security-policy tunnel-inspection


Configuring SSL Inspection

You configure SSL inspection rules at the security-policy ssl-inspection level. For more details on the command structure, see Configuring Rules Using UPL.

To create an SSL inspection rule, use the following command:

Admin@nodename# create security-policy ssl-inspection <position> upl-rule

SSL inspection rule parameters:

Parameter

Description

OK

PASS

SSL inspection rule action:

  • OK: decrypt

  • PASS: bypass

  • OK ... forward: decrypt and forward. Specify forward in the rule properties. If you configure a rule with the "Decrypt and forward" action, specify the SSL forwarding profile. For more details on how to create and configure forward profiles using the CLI, see Configuring SSL Forward Profiles.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

SSL inspection rule name.

Example: name("SSL inspection rule example").

desc

A description of the rule.

Example: desc("SSL inspection rule example configured in CLI").

ssl_forward_profile

SSL forwarding profile. Required if you configure an SSL inspection rule with the "Decrypt and forward" action. Use the following format: ssl_forward_profile("SSL forward profile example").

ssl_profile

SSL profile, specified as ssl_profile("Default SSL profile").

For more details about working with SSL profiles using the CLI, see Configuring SSL Profiles.

rule_log

Log traffic information if the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. If rule_log is not specified, logging is disabled.

  • rule_log(yes) or rule_log(true): enable logging.

block_invalid_cert

Block access to servers that present an invalid HTTPS certificate, for example one that is revoked, expired, issued for another domain name, or issued by an untrusted CA. Available for rules with the Decrypt action:

  • block_invalid_cert(yes) or block_invalid_cert(true): enable blocking

  • block_invalid_cert(no) or block_invalid_cert(false): disable blocking.

check_revoc_cert

Check whether the site certificate appears in a certificate revocation list (CRL) and, if it does, block access. Available for rules with the Decrypt action:

  • check_revoc_cert(yes) or check_revoc_cert(true): enable certificate checking

  • check_revoc_cert(no) or check_revoc_cert(false): disable certificate checking.

block_expired_cert

Block expired certificates. Available for rules with the Decrypt action:

  • block_expired_cert(yes) or block_expired_cert(true): enable blocking of expired certificates

  • block_expired_cert(no) or block_expired_cert(false): disable blocking of expired certificates.

block_self_signed_cert

Block self-signed certificates. Available for rules with the Decrypt action:

  • block_self_signed_cert(yes) or block_self_signed_cert(true): enable blocking of self-signed certificates

  • block_self_signed_cert(no) or block_self_signed_cert(false): disable blocking of self-signed certificates.

user

Users and user groups for which the SSL inspection rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section).

Examples of adding users to a rule:

user = known
user = "user"
user = "testd.local\\user1"
user = ("user", "testd.local\\user1")

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add source IP address or domain lists.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

Click here for the list of ISO 3166-1 country codes.

dst.ip

Add lists of destination IP addresses or domains.

To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a destination domain list: dst.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

dst.geoip

To specify a destination GeoIP, it is necessary to specify a country code (for example, dst.geoip = AE).

Click here for the list of ISO 3166-1 country codes.

service

Service type: HTTPS, SMTPS, or POP3S.

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

category

Lists of categories and URL filtering categories for which the rule will be applied. You need to have the appropriate license for URL filtering.

To specify a URL category list: category = lib.category(). Specify the URL category list name in parentheses.

For more details about how to create and configure URL category lists using the CLI, see Configuring URL Categories.

To specify a URL category: category = "URL category name".

url

Lists of domain names for which the SSL inspection rule is applied. You create domain names just like URL lists except that only domain names like www.example.com can be used for HTTPS inspection, not http://www.example.com/home/.

To specify a domain list: url = lib.url(). Specify a URL list name in parentheses.

For more details about how to create and configure URL lists using the CLI, see Configuring URL Lists.

time

Set a schedule for a rule.

To set a schedule: time = lib.time(). Specify a time set group name in parentheses.

For more details on configuring time sets, see Configuring time sets.

To edit an SSL inspection rule, use the following command:

Admin@nodename# set security-policy ssl-inspection <position> upl-rule

To view parameters for all SSL inspection rules that were created, use the following command:

Admin@nodename# show security-policy ssl-inspection

To view parameters for a specific SSL inspection rule, use the following command:

Admin@nodename# show security-policy ssl-inspection <position>

Example of creating an SSL inspection rule:

Admin@nodename# create security-policy ssl-inspection 1 upl-rule OK \
...user = unknown \
...ssl_profile("Default SSL profile") \
...rule_log(yes) \
...name("Decrypt all test rule") \
...desc("Description for decrypt all rest rule") \
...enabled(true)
...
Admin@nodename# show security-policy ssl-inspection 1
% ----------------- 1 -----------------
OK \
user = unknown \
desc("Description for decrypt all rest rule") \
rule_log(yes) \
ssl_profile("Default SSL profile") \
enabled(true) \
id("134b7274-01ee-47db-9fc1-a2f06b340b94") \
name("Decrypt all test rule")

To remove an SSL inspection rule, use the following command:

Admin@nodename# delete security-policy ssl-inspection <position>
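The rule text printed by show security-policy content-filtering <position> and show security-policy ssl-inspection <position> (the backslash-continued UPL form in the examples above) is simple enough to parse, which makes it practical to audit an exported policy against the constraints this reference states: the 15-country GeoIP limit, logging being off when rule_log is absent, virus_usergate being required for the Deny action, the certificate checks applying only to Decrypt rules, and SSL inspection URL lists holding bare domain names only. The Python script below is an added example, not UserGate code and not part of this reference: it parses such rule text into the action, its match conditions (key = value items) and its properties (name(...) items), then lints content-filtering and SSL inspection rules against those constraints. The first sample follows the page's own show output; the other two samples, the wording of the findings and the list-entry check are constructed for this example and are not product features.

```python
import re

GEOIP_MAX = 15  # the reference limits src.geoip / dst.geoip to 15 country codes
# certificate checks the reference marks "Available for rules with the Decrypt action"
CERT_CHECKS = ("block_invalid_cert", "check_revoc_cert",
               "block_expired_cert", "block_self_signed_cert")


def _unquote(s):
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'" else s


def _split_top_level(s):
    """Split on commas that sit outside quotes and parentheses."""
    parts, cur, depth, quote = [], "", 0, None
    for ch in s:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "()":
            depth += 1 if ch == "(" else -1
        elif ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
            continue
        cur += ch
    return parts + [cur.strip()] if cur.strip() else parts


def _atom(s):
    """lib.url("X") -> ("lib.url", "X"); anything else -> the unquoted string."""
    m = re.fullmatch(r"(lib\.\w+)\((.*)\)", s.strip())
    return (m.group(1), _unquote(m.group(2))) if m else _unquote(s)


def parse_upl_rule(text):
    """Parse a rule body as printed by `show security-policy <policy> <position>`.
    '...' prompts, trailing backslashes and '%' header lines are skipped."""
    items = [ln.strip().lstrip(".").strip().rstrip("\\").strip() for ln in text.splitlines()]
    items = [i for i in items if i and not i.startswith("%")]
    action, _, arg = items[0].partition("(")          # e.g. DENY("Blockpage (AE)")
    rule = {"action": action.strip(), "action_arg": _unquote(arg.rstrip(")")),
            "match": {}, "props": {}}
    for item in items[1:]:
        m = re.fullmatch(r"([\w.\-]+)\s*=\s*(.+)", item)  # e.g. src.zone = Trusted
        if m:
            v = m.group(2).strip()
            inner = _split_top_level(v[1:-1]) if v[0] == "(" and v[-1] == ")" else [v]
            rule["match"][m.group(1)] = [_atom(p) for p in inner]
            continue
        m = re.fullmatch(r"(\w+)\((.*)\)", item)  # e.g. rule_log(yes)
        if not m:
            raise ValueError(f"unrecognised UPL item: {item!r}")
        rule["props"][m.group(1)] = _unquote(m.group(2))
    return rule


def lint_rule(rule, policy):
    """Findings for the constraints this reference states, as plain strings."""
    findings = []
    if str(rule["props"].get("rule_log", "no")).lower() not in ("yes", "true"):
        findings.append("rule_log absent or off: hits on this rule are not logged")
    for key in ("src.geoip", "dst.geoip"):
        n = len(rule["match"].get(key, []))
        if n > GEOIP_MAX:
            findings.append(f"{key} lists {n} country codes; the limit is {GEOIP_MAX}")
    if policy == "content-filtering" and rule["action"] == "DENY" \
            and "virus_usergate" not in rule["match"]:
        findings.append("DENY rule without virus_usergate, which the reference requires for Deny")
    if policy == "ssl-inspection" and rule["action"] != "OK":
        present = [c for c in CERT_CHECKS if c in rule["props"]]
        if present:
            findings.append(f"{', '.join(present)} on a {rule['action']} rule: "
                            "certificate checks apply to Decrypt (OK) rules only")
    return findings


def invalid_https_domains(entries):
    """URL list entries an SSL inspection rule cannot use: bare domain names only."""
    return [e for e in entries if "://" in e or "/" in e]


# Constructed samples: the first follows the page's own show output, the other two
# are hypothetical rules written to trip the checks above.
CONTENT_RULE_OK = r'''PASS \
user = known \
url = lib.url("Test URL list") \
src.zone = Trusted \
rule_log(yes) \
enabled(true) \
name("Test content-filtering rule")'''
CONTENT_RULE_BAD = r'''DENY("Blockpage (AE)") \
src.geoip = (AE, AF, AL, AM, AO, AR, AT, AU, AZ, BA, BB, BD, BE, BF, BG, BH) \
url = lib.url("Hypothetical blocked URL list") \
name("Hypothetical deny rule")'''
SSL_RULE_BYPASS = r'''PASS \
url = lib.url("Hypothetical bypass domains") \
block_expired_cert(yes) \
rule_log(yes) \
name("Hypothetical bypass rule")'''
```

Running lint_rule(parse_upl_rule(CONTENT_RULE_BAD), "content-filtering") yields three findings (no rule_log, 16 GeoIP codes, DENY without virus_usergate), while the rule modelled on the page's own example is clean; the same parser handles the safe-browsing, tunnel-inspection and SSH-inspection outputs, since they share the UPL item forms.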


Configuring SSH Inspection

You configure SSH inspection rules at the security-policy ssh-inspection level. For more details on the command structure, see Configuring Rules Using UPL.

To create an SSH inspection rule, use the following command:

Admin@nodename# create security-policy ssh-inspection <position> upl-rule

SSH inspection rule parameters:

Parameter

Description

OK

PASS

SSH inspection rule action:

  • OK: decrypt

  • PASS: bypass

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

SSH inspection rule name.

Example: name("SSH inspection rule example").

desc

A description of the rule.

Example: desc("SSH inspection rule example configured in CLI").

rule_log

Log traffic information if the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. If rule_log is not specified, logging is disabled.

  • rule_log(yes) or rule_log(true): enable logging.

block_ssh_shell

Block SSH remote shell (command line interpreter). Available for rules with the Decrypt action:

  • block_ssh_shell(yes) or block_ssh_shell(true): enable blocking

  • block_ssh_shell(no) or block_ssh_shell(false): disable blocking.

block_ssh_exec

Block SSH remote execution. Available for rules with the Decrypt action:

  • block_ssh_exec(yes) or block_ssh_exec(true): enable blocking

  • block_ssh_exec(no) or block_ssh_exec(false): disable blocking.

ssh_command

The Linux command to transmit in the format

ssh user@host 'command'

Example: ssh_command("ssh root@192.168.1.1 reboot").

You can edit SSH commands for rules with the Decrypt action.

block_sftp

Block SFTP (Secure File Transfer Protocol) connection. Available for rules with the Decrypt action:

  • block_sftp(yes) or block_sftp(true): enable connection blocking

  • block_sftp(no) or block_sftp(false): disable connection blocking.

user

Users and user groups for which the SSH inspection rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section).

Examples of adding users to a rule:

user = known
user = "user"
user = "testd.local\\user1"
user = ("user", "testd.local\\user1")

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add source IP address or domain lists.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

Click here for the list of ISO 3166-1 country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

dst.ip

Add lists of destination IP addresses or domains.

To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a destination domain list: dst.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

dst.geoip

To specify a destination GeoIP, it is necessary to specify a country code (for example, dst.geoip = AE).

Click here for the list of ISO 3166-1 country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

service

Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring services groups).

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To specify a service group: service = lib.service(). Provide the services group name in parentheses.

time

Set a schedule for a rule.

To set a schedule: time = lib.time(). Specify a time set group name in parentheses.

To edit an SSH inspection rule, use the following command:

Admin@nodename# set security-policy ssh-inspection <position> upl-rule

To view all SSH inspection rules that were created, use the following command:

Admin@nodename# show security-policy ssh-inspection

To view a specific SSH inspection rule, use the following command:

Admin@nodename# show security-policy ssh-inspection <position>

Example of creating an SSH inspection rule using UPL:

Admin@nodename# create security-policy ssh-inspection 1 upl-rule OK \
...service = ("Any TCP") \
...block_ssh_shell(yes) \
...block_sftp(yes) \
...rule_log(yes) \
...name("Test SSH inspection rule") \
...desc("Test SSH inspection rule description") \
...enabled(true)
...
Admin@nodename# show security-policy ssh-inspection 1
% ----------------- 1 -----------------
OK \
service = "Any TCP" \
block_ssh_shell(yes) \
block_sftp(yes) \
desc("Test SSH inspection rule description") \
rule_log(yes) \
enabled(true) \
id(d703f390-896f-47c2-91bd-69c6d37aa6d2) \
name("Test SSH inspection rule")

To remove an SSH inspection rule, use the following command:

Admin@nodename# delete security-policy ssh-inspection <position>


Configuring IDPS

You configure the intrusion detection and prevention system at the security-policy intrusion-prevention level.

Admin@nodename# set security-policy intrusion-prevention <parameter>

Available parameters:

Parameter

Description

mode

Enable/disable smart scan mode (in smart scan mode, only the first bytes of each session are scanned):

  • on

  • off

limit

Number of the first kilobytes of each session that the IPS system will scan. Available values: 50 to 200 kB.

To view the current state, use the following command:

Admin@nodename# show security-policy intrusion-prevention

By default, Smart scan is enabled. It checks the first 200 kB of each session.

IDPS profiles are created in the item library and added to the firewall rules to activate the IDPS system.


Configuring Scenarios

General Rules for Creating Scenarios

Scenarios are configured at the security-policy scenarios level using UPL (for more details about UserGate Policy Language, see Configuring Rules Using UPL).

To set and combine conditions for scenarios, definitions are used. Each definition is assigned a unique custom name by which it can be referred to. Scenario conditions can be written on a single line or split across multiple lines using a backslash (as with multiline input).

To create or change scenario conditions, the def scenario_cond function is used, which has the following general structure:

def scenario_cond <scenario_condition_name> <scenario_conditions> end

Parameters which are used to set different condition types will be detailed in the following sections.

Conditions are followed by general properties of the scenario, which are described in the table below:

Name

Description

OK

Action used to create the scenario.

scenario_cond

Custom name of the definition containing the list of conditions of the scenario: scenario_cond = condition_example.

enabled

Enable/disable the scenario:

  • enabled(true)

  • enabled(false)

name

Set the name of the scenario: name("Example scenario name").

desc

Set the description of the scenario: desc("Description for scenario created as an example").

trigger

Application:

  • trigger(one_user): when the scenario is triggered, the rule which uses the scenario will be applied only to the user for which the scenario was triggered.

  • trigger(all_users): when the scenario is triggered, the rule which uses the scenario will be applied to all users mentioned in the properties of the scenario.

duration

Set the duration time for the scenario in minutes.

operation_mode

Set the triggering mode for the scenario:

  • operation_mode(all): the scenario will be triggered if all conditions are true

  • operation_mode(any): the scenario will be triggered if any condition is true.

Note: When a scenario is updated, all conditions must be specified again, because the existing conditions are replaced by the conditions given in the update.

For example, the configuration of a scenario with a Traffic volume condition is shown below. The scenario applies to all users, with a duration of one minute and a traffic volume limit of 1 GB per day:

Admin@nodename# create security-policy scenarios 1 upl-rule \
... def scenario_cond scenario_cond_test
... traffic_limit(1GB) \
... period(day) \
... scond_type(traffic)
... end
... OK \
... scenario_cond = scenario_cond_test
... name(test) \
... trigger(all_users) \
... duration (1)
...

If you later need to change the traffic volume, for example, use the following command:

Admin@nodename# set security-policy scenarios 3 upl-rule \
...def scenario_cond scenario_cond_test
...traffic_limit(2GB) \
...period(day) \
...scond_type(traffic)
...end
...OK \
...scenario_cond = scenario_cond_test

Types of Conditions Used When Creating Scenarios

URL category conditions

To create or update a condition of URL category type, specify the following parameters:

Name

Description

scond_type

Condition type: scond_type(url_category).

category

Site categories or site group categories:

category = (lib.category(URL_CATEGORY_GROUP), URL_CATEGORY_NAME)

count_interval

Time interval during which a specified number of triggered events should occur (specified in minutes): count_interval().

max_event_count

Number of triggered events: max_event_count().

Virus detected conditions

To configure a condition of Virus detected type, specify the following parameters:

Name

Description

scond_type

Condition type: scond_type(virus_detection).

Application conditions

To create or edit a condition of Application type, use the parameters provided in the table below:

Name

Description

scond_type

Condition type: scond_type(app).

application

Application categories or application groups:

  • application = lib.applicationgroup(APP_GROUP) or application = lib.applicationgroup(all)

  • application = lib.category(APPS_CATEGORY_NAME)

count_interval

Time interval during which a specified number of triggered events should occur (specified in minutes): count_interval().

max_event_count

Number of triggered events: max_event_count().

IPS conditions

Parameters of a condition of IDPS type:

Name

Description

scond_type

Condition type: scond_type(ips).

ips_tl

Threat level:

  • ips_tl(very_low)

  • ips_tl(low)

  • ips_tl(medium)

  • ips_tl(high)

  • ips_tl(very_high)

Content type conditions

Parameters of a condition of Content type type:

Name

Description

scond_type

Condition type: scond_type(mime_type).

response.header.Content-Type

Content type: response.header.Content-Type = lib.mime(MIME_CATEGORIES_LIST).

count_interval

Time interval during which a specified number of triggered events should occur (specified in minutes): count_interval().

max_event_count

Number of triggered events: max_event_count().

Packet size conditions

To create or configure a condition of Packet size type, use the following parameters:

Name

Description

scond_type

Condition type: scond_type(net_packet_size).

packet_size

The condition is met when the packet size exceeds the specified value:

  • packet_size(1): packet size is 1 byte

  • packet_size(1KB): packet size is 1 KB

  • packet_size(1MB): packet size is 1 MB

  • packet_size(1GB): packet size is 1 GB

Sessions per IP address conditions

To configure a condition of Session per IP type, use the following parameters:

Name

Description

scond_type

Condition type: scond_type(sessions_per_ip).

sessions_limit

Maximum number of sessions allowed from one IP address: sessions_limit().

Traffic limit conditions

To create or configure a condition of Traffic volume type, use the following parameters:

Name

Description

scond_type

Condition type: scond_type(traffic).

traffic_limit

Traffic limit:

  • traffic_limit(1): 1 byte

  • traffic_limit(1KB): 1 KB

  • traffic_limit(1MB): 1 MB

  • traffic_limit(1GB): 1 GB

period

Period:

  • period(minute): minute

  • period(hour): hour

  • period(day): day

  • period(week): week

  • period(month): month

Health check conditions

To configure a condition of Health check type, use the following parameters:

Name

Description

scond_type

Condition type: scond_type(health_check).

health_check_method

Checking method:

  • health_check_method(ping): ping

  • health_check_method(dns): DNS request

  • health_check_method(get): GET HTTP method

url.address

Address for ping and DNS requests: url.address = "1.1.1.1".

url.domain

FQDN for health checking using DNS request or URL for HTTP GET method: url.domain = "example.ru".

gateway

Name of the gateway used: gateway().

Important! The gateway should be created in advance.

health_result

Check result:

  • health_result(positive): positive

  • health_result(negative): negative

health_request_timeout

Connection timeout (in seconds): health_request_timeout().

health_answer_timeout

HTTP GET request answer timeout (in seconds): health_answer_timeout().

health_type_request

DNS query type:

  • health_type_request(a)

  • health_type_request(aaaa)

  • health_type_request(cname)

  • health_type_request(ns)

  • health_type_request(ptr)

count_interval

Time interval during which a specified number of triggered events should occur (specified in minutes): count_interval().

max_event_count

Number of triggered events: max_event_count().
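
The following is an added example, not taken from the UserGate documentation, that combines the Health check parameters above into a single scenario: the A record of example.com is requested from the resolver 1.1.1.1 through the gateway named ISP1, and the scenario becomes active for all users for 15 minutes once three negative results occur within a 5-minute interval. The scenario position, the condition name, the gateway name, the domain and all timing values are assumptions chosen for illustration; the line structure follows the traffic scenario example earlier in this section.

```upl
Admin@nodename# create security-policy scenarios 2 upl-rule \
...def scenario_cond dns_health_cond
...scond_type(health_check) \
...health_check_method(dns) \
...url.address = "1.1.1.1" \
...url.domain = "example.com" \
...health_type_request(a) \
...gateway("ISP1") \
...health_result(negative) \
...health_request_timeout(5) \
...count_interval(5) \
...max_event_count(3)
...end
...OK \
...scenario_cond = dns_health_cond
...name("DNS health check failed") \
...desc("Resolution of example.com via gateway ISP1 failed 3 times within 5 minutes") \
...trigger(all_users) \
...duration(15) \
...operation_mode(all) \
...enabled(true)
...
```

Because an update replaces all conditions of a scenario, changing a single value later (for example max_event_count) requires re-entering the whole def ... end block in the set command, as shown for the traffic scenario above. The gateway named in gateway() must exist before the scenario is created.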


Configuring Mail Security

Configuring Mail Security Rules

You configure mail security rules at the security-policy mail-security level. For more details on the command structure, see Configuring Rules Using UPL.

To create a mail security rule, use the following command:

Admin@nodename# create security-policy mail-security <position> upl-rule

Mail security rule parameters:

Parameter

Description

PASS

WARNING

DENY("with error")

DENY

Action for the mail security rule:

  • PASS: pass the traffic unchanged.

  • WARNING: mark email messages with a special tag in the subject line or additional field.

  • DENY("with error"): block the email and report an error in mail delivery to the SMTP server (for SMTP(S) traffic) or the client (for POP3(S) traffic).

  • DENY: drop without error: block the mail without reporting that it has been blocked.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

Name for the mail security rule.

Example: name("Mail security rule example").

desc

A description of the rule.

Example: desc("Mail security rule example configured in CLI").

rule_log

Logging information on mail security rule triggering. The available options are:

  • rule_log(no) or rule_log(false): disable logging. If rule_log is not specified, logging is disabled.

  • rule_log(yes) or rule_log(true): enable logging.

antispam_usergate

Checking email traffic with UserGate antispam check (configured for rules with Mark, Block with error or Block without error actions):

  • antispam_usergate(yes) or antispam_usergate(true): enable check.

  • antispam_usergate(no) or antispam_usergate(false): disable checking.

dnsbl

Antispam check using the DNSBL technology. Can be applied only to SMTP traffic in rules with Mark, Block with error or Block without error actions:

  • dnsbl(yes) or dnsbl(true): enable antispam checking.

  • dnsbl(no) or dnsbl(false): disable antispam checking.

When email traffic is checked using DNSBL, the IP address of the spam sender's SMTP server is blocked when the SMTP connection is created, thus helping to substantially decrease the load on other methods of checking email for spam and viruses.

mark_hdr

Header field into which the mark tag is inserted. Specify it for rules with the Mark action, e.g. mark_hdr(Subject).

mark

Text of the tag to mark the email; specified for rules with the Mark action, e.g. mark("Text for marking emails").

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add source IP address or domain lists.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

See the ISO 3166-1 list of country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

user

Users and user groups for which the mail security rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section).

Examples of adding users to a rule:

user = known
user = "user"
user = "testd.local\\user1"
user = ("user", "testd.local\\user1")

dst.zone

Traffic destination zone, for example, dst.zone = Untrusted.

For more details about how to configure zones using CLI, see the Zones section.

dst.ip

Add lists of destination IP addresses or domains.

To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a destination domain list: dst.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

dst.geoip

To specify a destination GeoIP, it is necessary to specify a country code (for example, dst.geoip = AE).

See the ISO 3166-1 list of country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

service

The email protocol (POP3 or SMTP) to which this rule will be applied.

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

envelope_from

Sender's email address (SMTP only). Specify an email group in the following format: envelope_from = "Sender email group".

For more details about creating and configuring email groups, see Configuring Email Addresses.

envelope_to

Recipient's email address (SMTP only). Specify an email group in the following format: envelope_to = "Receiver email group".

For more details about creating and configuring email groups, see Configuring Email Addresses.

To edit a mail security rule, use the following command:

Admin@nodename# set security-policy mail-security <position> upl-rule

To view parameters for all mail security rules that were created, use the following command:

Admin@nodename# show security-policy mail-security

To view parameters for a specific mail security rule, use the following command:

Admin@nodename# show security-policy mail-security <position>

Example of creating a mail security rule:

Admin@nodename# create security-policy mail-security 1 upl-rule WARNING \
...src.zone = Untrusted \
...service = (SMTP, POP3, SMTPS, POP3S) \
...mark_hdr(Subject) \
...mark("[SPAM]") \
...antispam_usergate(yes) \
...rule_log(yes) \
...name("Test SMTP and POP3 filtering") \
...desc("Test SMTP and POP3 filtering description") \
...enabled(true)
...
Admin@nodename# show security-policy mail-security 1
% ----------------- 1 -----------------
WARNING \
src.zone = Untrusted \
service = (SMTP, POP3, SMTPS, POP3S) \
rule_log(yes) \
desc("Test SMTP and POP3 filtering description") \
mark_hdr(Subject) \
mark("[SPAM]") \
antispam_usergate(yes) \
enabled(true) \
id("7d86d348-9619-4097-94d1-bad4f3e85554") \
name("Test SMTP and POP3 filtering")
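
As an added example that is not part of the original documentation, the rule below shows the DENY("with error") action together with the DNSBL check, which the table above restricts to SMTP traffic: SMTP connections from DNSBL-listed senders addressed to a recipient group are rejected with a delivery error reported to the sending server, so listed senders are turned away at connection time before the UserGate antispam check is spent on them. The rule position, the source zone and the "Internal mailboxes" email group are assumptions; the group must already exist (see Configuring Email Addresses).

```upl
Admin@nodename# create security-policy mail-security 2 upl-rule DENY("with error") \
...src.zone = Untrusted \
...service = "SMTP" \
...envelope_to = "Internal mailboxes" \
...dnsbl(yes) \
...antispam_usergate(yes) \
...rule_log(yes) \
...name("Reject inbound spam via DNSBL") \
...desc("Rejects SMTP mail from DNSBL-listed senders to internal mailboxes with a delivery error") \
...enabled(true)
...
```

The DNSBL servers consulted by dnsbl(yes) are configured separately at the security-policy mail-security-antispam level (see Setting up Antispam below); without a configured server list the check has nothing to query.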

To remove a mail security rule, use the following command:

Admin@nodename# delete security-policy mail-security <position>

Setting up Antispam

Antispam settings are configured at the security-policy mail-security-antispam level.

To configure antispam settings, use the following command:

Admin@nodename# set security-policy mail-security-antispam <parameters>

Antispam settings:

Parameter

Description

batv-enabled

on/off. Enable/disable BATV (Bounce Address Tag Validation) protection, which prevents spam messages from being sent as bounce messages.

dnsbl-servers

A list of DNSBL servers used to check SMTP traffic.

dnsbl-black-list

A list of prohibited servers in addition to those listed in DNSBLs. You can add a list by GeoIP, or a list of IP addresses.

dnsbl-white-list

A list of servers excluded from DNSBL check. You can add a list by GeoIP, or a list of IP addresses.

To view antispam settings, use the following command:

Admin@nodename# show security-policy mail-security-antispam <parameters>

You can view all antispam settings (by pressing Enter), or separately the DNSBL white/black lists by specifying the parameters dnsbl-white-list or dnsbl-black-list.

To delete antispam settings, use the following command:

Admin@nodename# delete security-policy mail-security-antispam <parameters>

You can delete DNSBL servers and DNSBL white/black lists.


Configuring ICAP Rules

You create and configure ICAP rules at the security-policy icap-rules level. For more details on the command structure, see Configuring Rules Using UPL.

To create an ICAP rule, use the following command:

Admin@nodename# create security-policy icap-rules <position> upl-rule

ICAP rule parameters:

Parameter

Description

PASS

OK

ICAP rule action:

  • PASS: Pass: do not send data to the ICAP server. By creating a rule with this action, the administrator can explicitly exclude certain types of traffic from being forwarded to ICAP servers.

  • OK: Redirect: redirect data to the ICAP server and wait for response from the ICAP server (this is the standard working mode for most ICAP servers).

  • OK ... ignore: Redirect and ignore: redirect data to the ICAP server and ignore the server's response (regardless of the response, the data goes to the user unmodified, but the ICAP server receives a full copy of user traffic). Specify ignore in the rule properties.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

ICAP rule name.

Example: name("ICAP rule example").

desc

A description of the rule.

Example: desc("ICAP rule example set via CLI").

profile

ICAP servers to which UserGate will redirect requests. Format: profile("Example ICAP server").

For more information about how to configure ICAP servers using the CLI, see Configuring ICAP Servers.

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add source IP address or domain lists.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

See the ISO 3166-1 list of country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

user

Users and user groups for which the ICAP rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section).

Examples of adding users to a rule:

user = known
user = "user"
user = "testd.local\\user1"
user = ("user", "testd.local\\user1")

dst.ip

Add lists of destination IP addresses or domains.

To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a destination domain list: dst.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

dst.geoip

To specify a destination GeoIP, it is necessary to specify a country code (for example, dst.geoip = AE).

See the ISO 3166-1 list of country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

response.header.Content-Type

Lists of content types to which the rules will be applied.

To specify a list:

response.header.Content-Type = lib.mime(). Provide the name for the content type list in parentheses.

For more details about how to create and configure lists using CLI, see Configuring Content Types.

category

URL categories or URL category lists to which the rule will be applied. A URL filtering license is required.

To specify a URL category list: category = lib.category(). Specify the URL category list name in parentheses.

For more details about how to create and configure URL categories using CLI, see Configuring URL Categories.

To specify a URL category: category = "URL category name".

url

The URL lists to which the rule will be applied.

To specify a URL list: url = lib.url(). Specify a URL list name in parentheses.

For more details about creating and configuring URL lists, see Configuring URL Lists.

http.method

Method used in HTTP requests.

To specify an HTTP method, for example: http.method = GET.

service

Service type: HTTP, SMTP, or POP3.

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To edit an ICAP rule, use the following command:

Admin@nodename# set security-policy icap-rules <position> upl-rule

To view parameters for all ICAP rules that were created, use the following command:

Admin@nodename# show security-policy icap-rules

To view parameters of a specific ICAP rule, use the following command:

Admin@nodename# show security-policy icap-rules <position>

Example of creating an ICAP inspection rule:

Admin@nodename# create security-policy icap-rules 1 upl-rule PASS \
...src.zone = Trusted \
...http.method = (GET, POST) \
...profile("ICAP server1") \
...name("Test ICAP rule") \
...desc("Test ICAP rule description") \
...enabled(true)
...
Admin@nodename# show security-policy icap-rules 1
% ----------------- 1 -----------------
PASS \
src.zone = Trusted \
http.method = (GET, POST) \
desc("Test ICAP rule description") \
profile("ICAP server1") \
enabled(true) \
id("80a7dca6-96f7-42c8-baad-8716be8d3b93") \
name("Test ICAP rule")

To remove an ICAP rule, use the following command:

Admin@nodename# delete security-policy icap-rules <position>


Configuring ICAP Servers

You configure ICAP servers at the security-policy icap-server level.

To create an ICAP server, use the following command:

Admin@nodename# create security-policy icap-server <parameter>

Available parameters:

Parameter

Description

name

ICAP server name.

description

ICAP server description.

ip

ICAP server IP address.

port

TCP port of the ICAP server. Default value: 1344.

max-msg-size

Maximum message size sent to the ICAP server (in kilobytes). By default: 0 (the request body will not be transmitted to the ICAP server).

check-icap

Interval at which ICAP server availability is checked.

bypass

If enabled, UserGate will not send data to the ICAP server when the server is unavailable.

reqmod-path

Use Reqmod:

  • <text>: set the directory path on the ICAP server.

  • off: disable Reqmod mode.

respmod-path

Use Respmod:

  • <text>: set the directory path on the ICAP server.

  • off: disable Respmod mode.

user-header

Set sending of the user name to the ICAP server:

  • <text>: specify the header name in which the username will be sent to the ICAP server.

  • off: do not send the username to the ICAP server.

user-encode

Specify if the username is in Base64 encoding:

  • on

  • off

ip-header

Specify whether the user's IP address should be sent to the ICAP server:

  • <text>: specify the header name in which the user's IP address will be sent to the ICAP server.

  • off: do not send the user's IP address to the ICAP server.

mac-header

Specify whether the user's MAC address should be sent to the ICAP server:

  • <text>: specify the header name in which the user's MAC address will be sent to the ICAP server.

  • off: do not send the user's MAC address to the ICAP server.

To update an existing ICAP server, use the following command:

Admin@nodename# set security-policy icap-server <server-name> <parameter>

The parameters available to update are the same as those used to create an ICAP server.

To display information about an ICAP server, use the following command:

Admin@nodename# show security-policy icap-server <server-name>

To delete an ICAP server, use the following command:

Admin@nodename# delete security-policy icap-server <server-name>


Configuring DoS Profiles

You configure DoS profiles at the security-policy dos-profile level.

To create a DoS profile, use the following command:

Admin@nodename# create security-policy dos-profile <parameter>

Available parameters:

Parameter

Description

name

Set profile name.

description

Set profile description.

aggregate

Aggregate the number of packets transmitted per second for all IP addresses or count them individually for each IP address.

syn

Protect against network flooding for TCP protocol.

  • enabled: set network flooding protection for selected protocol

  • alert-threshold: set alert threshold

  • drop-threshold: set drop threshold.

udp

Protect against network flooding for UDP protocol.

  • enabled: set network flooding protection for selected protocol

  • alert-threshold: set alert threshold

  • drop-threshold: set drop threshold.

icmp

Protect against network flooding for ICMP protocol.

  • enabled: set network flooding protection for selected protocol

  • alert-threshold: set alert threshold

  • drop-threshold: set drop threshold.

max-sessions

Set a limit for the number of sessions:

  • <num>: specify the number of sessions

  • off: do not limit the number of sessions.

To edit an existing DoS profile, use the following command:

Admin@nodename# set security-policy dos-profile <profile-name> <parameter>

The parameters available to update are the same as those used to create a new DoS profile.

To delete a profile, use the following command:

Admin@nodename# delete security-policy dos-profile <profile-name>

To display information about a DoS profile, use the following command:

Admin@nodename# show security-policy dos-profile <profile-name>


Configuring DoS Rules

You configure DoS rules at the security-policy dos-rules level. For more details on the command structure, see Configuring Rules Using UPL.

To create a DoS protection rule, use the following command:

Admin@nodename# create security-policy dos-rules <position> upl-rule <parameters>

DoS protection rule parameters:

Parameter

Description

PASS

WARNING

DENY

DoS rule action:

  • PASS: allow traffic. DoS protection is not applied.

  • WARNING: apply DoS protection profile.

  • DENY: block traffic unconditionally.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

Name of the DoS rule.

Example: name("DoS rule example").

desc

A description of the rule.

Example: desc("DoS rule example configured in CLI").

profile

DoS protection profile. You can only select a profile for rules with the Protect action (WARNING). To specify a profile: profile("DoS profile example").

For more details about how to create and configure protection profiles, see Configuring DoS Profiles.

scenario

Scenario that needs to be active for the rule to trigger.

To specify a scenario: scenario = "Example of a scenario".

For more details on configuring scenarios, see Configuring scenarios.

rule_log

Log traffic information if the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. If rule_log is not specified, logging is disabled.

  • rule_log(yes) or rule_log(true): log all network packets without setting any limits. To set a limit, you need to specify the number of events to be logged per time unit (s for second, min for minute, h for hour, and d for day; the minimum log limit is 5 packets per day) and the maximum number of packets logged per event. For example, rule_log(yes, "3/h", 5) enables logging with the following limits: 3 events per hour with a maximum number of packets per event of 5.

  • rule_log(session): log the session start.

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add source IP address or domain lists.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

See the ISO 3166-1 list of country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

user

Users and user groups for which the DoS protection rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section).

Examples of adding users to a rule:

user = known
user = "user"
user = "testd.local\\user1"
user = ("user", "testd.local\\user1")

dst.zone

Traffic destination zone.

To specify a destination zone, such as Untrusted: dst.zone = Untrusted.

For more details about how to configure zones using CLI, see the Zones section.

dst.ip

Add lists of destination IP addresses or domains.

To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a destination domain list: dst.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

dst.geoip

To specify a destination GeoIP, it is necessary to specify a country code (for example, dst.geoip = AE).

See the ISO 3166-1 list of country codes.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

service

Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring services groups).

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To specify a service group: service = lib.service(). Provide the services group name in parentheses.

time

Set a schedule for a rule.

To set a schedule: time = lib.time(). Specify a time set group name in parentheses. For more details on configuring time sets, see Configuring time sets.

To edit a DoS protection rule, use the following command:

Admin@nodename# set security-policy dos-rules <position> upl-rule <parameters>

To view a DoS protection rule, use the following command:

Admin@nodename# show security-policy dos-rules
Admin@nodename# show security-policy dos-rules <position>

Example of creating a DoS protection rule using UPL:

Admin@nodename# create security-policy dos-rules 1 upl-rule WARNING \
...src.zone = Untrusted \
...dst.zone = DMZ \
...service = (HTTP, HTTPS) \
...profile("Test DoS profile") \
...rule_log(session) \
...name("Test DoS rule") \
...desc("Test DoS rule description") \
...enabled(true)
...
Admin@nodename# show security-policy dos-rules 1
% ----------------- 1 -----------------
WARNING \
src.zone = Untrusted \
dst.zone = DMZ \
service = (HTTP, HTTPS) \
desc("Test DoS rule description") \
rule_log(session) \
profile("Test DoS profile") \
enabled(true) \
id("68da2f83-59ae-4a7d-b595-f6ff31bf34c6") \
name("Test DoS rule")
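
As an added example, not from the original documentation, the two commands below tie a scenario to a DoS rule. The scenario's Sessions per IP condition becomes active for 10 minutes when a user opens more than 500 sessions from one IP address, and because trigger(one_user) is set, the DENY rule that references it applies only to the user for which the scenario was triggered. rule_log(yes, "3/h", 5) limits logging to 3 events per hour with at most 5 packets per event, as described in the rule_log row. The scenario and rule positions, the names, the session limit, the zones and the services are assumptions chosen for illustration; the scenario syntax follows the scenario examples in Configuring scenarios.

```upl
Admin@nodename# create security-policy scenarios 3 upl-rule \
...def scenario_cond too_many_sessions_cond
...scond_type(sessions_per_ip) \
...sessions_limit(500)
...end
...OK \
...scenario_cond = too_many_sessions_cond
...name("Sessions per IP exceeded") \
...desc("More than 500 sessions from a single IP address") \
...trigger(one_user) \
...duration(10) \
...enabled(true)
...
Admin@nodename# create security-policy dos-rules 2 upl-rule DENY \
...scenario = "Sessions per IP exceeded" \
...src.zone = Untrusted \
...dst.zone = DMZ \
...service = (HTTP, HTTPS) \
...rule_log(yes, "3/h", 5) \
...name("Block session flood sources") \
...desc("Blocks a source for 10 minutes after it exceeds 500 sessions") \
...enabled(true)
...
```

Compared with the WARNING rule above, which applies a DoS profile with alert and drop thresholds, this rule blocks matching traffic outright, but only while the scenario is active; once the 10-minute duration expires the source is no longer matched until the condition is met again.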

To remove a DoS protection rule, use the following command:

Admin@nodename# delete security-policy dos-rules <position>