V7防火墙文件txt 文件过滤典型配置

客户在上网过程中，不想通过FTP或者http方式进行对TXT文件内容的上传和下载，在阻断的同时还要记录相关的阻断日志。

配置接口IP地址

#

interface GigabitEthernet4/0/5

port link-mode route

ip address 192.168.1.1 255.255.255.0

application statistics enable inbound

application statistics enable outbound

#

interface GigabitEthernet4/0/9

port link-mode route

ip address 192.168.207.11 255.255.254.0

nat outbound 2000

application statistics enable inbound

application statistics enable outbound

#

将接口加入安全域

 #

security-zone name Trust

import interface GigabitEthernet4/0/5

#

security-zone name Untrust

import interface GigabitEthernet4/0/9

acl advanced 3000

rule 0 permit ip

#

配置文件过滤组，匹配文本txt

#

file-filter filetype-group fg

pattern fg1 text txt

#

配置文件过滤策略，配置两条过滤规则，其中一个匹配http类型，另外一个匹配ftp类型

#

file-filter policy fp

rule r1

  filetype-group fg

  application type http

  direction both

  action drop logging

rule r2

  filetype-group fg

  application type ftp

  direction both

  action drop logging

#

配置app-profile且绑定文件过滤策略

#

app-profile fp_profile

file-filter apply policy fp

#

配置对象组策略，且深度检测

#             

object-policy ip Trust-Untrust

rule 1 inspect fp_profile

#

配置域间策略，

#

zone-pair security source Trust destination Untrust

object-policy apply ip Trust-Untrust

#

zone-pair security source Untrust destination Trust

object-policy apply ip Untrust-Trust

#

激活配置

#

[H3C]inspect activate

在域间策略里调用并在全局激活。