The customer does not want TXT file content to be uploaded or downloaded over FTP or HTTP during web access; such transfers must be blocked, and each block must be logged.
Configure the interface IP addresses
#
interface GigabitEthernet4/0/5
port link-mode route
ip address 192.168.1.1 255.255.255.0
application statistics enable inbound
application statistics enable outbound
#
interface GigabitEthernet4/0/9
port link-mode route
ip address 192.168.207.11 255.255.254.0
nat outbound 2000
application statistics enable inbound
application statistics enable outbound
#
Add the interfaces to security zones
#
security-zone name Trust
import interface GigabitEthernet4/0/5
#
security-zone name Untrust
import interface GigabitEthernet4/0/9
acl advanced 3000
rule 0 permit ip
#
Configure a file type group that matches text files with the txt extension
#
file-filter filetype-group fg
pattern fg1 text txt
#
Configure a file filter policy with two filter rules, one matching the HTTP application type and the other the FTP application type
#
file-filter policy fp
rule r1
filetype-group fg
application type http
direction both
action drop logging
rule r2
filetype-group fg
application type ftp
direction both
action drop logging
#
Configure an app-profile and bind the file filter policy to it
#
app-profile fp_profile
file-filter apply policy fp
#
Configure an object policy whose rule performs deep inspection
#
object-policy ip Trust-Untrust
rule 1 inspect fp_profile
#
Configure the inter-zone policies
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
#
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
#
Activate the configuration
#
[H3C]inspect activate
The object policy is applied in the inter-zone policy and then activated globally.
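The configuration above works only if every object in the binding chain is defined and referenced consistently: filetype-group -> file-filter policy -> app-profile -> object-policy -> zone-pair, and every rule in the file-filter policy must end in `action drop logging` for the block-and-log requirement to hold. The following script is an added example, not part of the original case or of any H3C tool; it parses the `#`-separated blocks in the style shown on this page (the sample configuration is copied from the page, the parser and checks are the example's own) and reports dangling references and rules that do not both drop and log. Run against the page's excerpt, it reports that the Untrust-to-Trust zone-pair applies `Untrust-Trust`, which the excerpt never defines.

```python
"""Reference-chain and action check for an H3C-style file-filter configuration.

Added example, not code from the original case. Parses '#'-separated config
blocks and verifies that objects referenced by one block are defined by
another, and that every file-filter rule both drops and logs.
"""
import re

# Sample configuration copied from the page (no interface or zone blocks needed).
SAMPLE_CONFIG = """
#
file-filter filetype-group fg
pattern fg1 text txt
#
file-filter policy fp
rule r1
filetype-group fg
application type http
direction both
action drop logging
rule r2
filetype-group fg
application type ftp
direction both
action drop logging
#
app-profile fp_profile
file-filter apply policy fp
#
object-policy ip Trust-Untrust
rule 1 inspect fp_profile
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
#
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
#
"""

# Lines that DEFINE an object, with the kind of object they define.
DEFINITIONS = [
    (re.compile(r"^file-filter filetype-group (\S+)$"), "filetype-group"),
    (re.compile(r"^file-filter policy (\S+)$"), "file-filter-policy"),
    (re.compile(r"^app-profile (\S+)$"), "app-profile"),
    (re.compile(r"^object-policy ip (\S+)$"), "object-policy"),
]

# Lines that REFERENCE an object defined elsewhere, with the kind expected.
REFERENCES = [
    (re.compile(r"^filetype-group (\S+)$"), "filetype-group"),
    (re.compile(r"^file-filter apply policy (\S+)$"), "file-filter-policy"),
    (re.compile(r"^rule \d+ inspect (\S+)$"), "app-profile"),
    (re.compile(r"^object-policy apply ip (\S+)$"), "object-policy"),
]


def parse_blocks(text):
    """Split the configuration on '#' separator lines into lists of stripped lines."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def collect(text):
    """Return (defined, referenced) as dicts of kind -> set of object names."""
    defined, referenced = {}, {}
    for block in parse_blocks(text):
        for line in block:
            for pattern, kind in DEFINITIONS:
                m = pattern.match(line)
                if m:
                    defined.setdefault(kind, set()).add(m.group(1))
            for pattern, kind in REFERENCES:
                m = pattern.match(line)
                if m:
                    referenced.setdefault(kind, set()).add(m.group(1))
    return defined, referenced


def dangling_references(text):
    """Return sorted (kind, name) pairs that are referenced but never defined."""
    defined, referenced = collect(text)
    missing = []
    for kind, names in referenced.items():
        for name in names - defined.get(kind, set()):
            missing.append((kind, name))
    return sorted(missing)


def rules_without_drop_logging(text):
    """Return (policy, rule) pairs whose action is not exactly 'drop logging'."""
    flagged = []
    for block in parse_blocks(text):
        m = re.match(r"^file-filter policy (\S+)$", block[0])
        if not m:
            continue
        policy, rule, action = m.group(1), None, None
        for line in block[1:]:
            if line.startswith("rule "):
                if rule is not None and action != "drop logging":
                    flagged.append((policy, rule))
                rule, action = line.split()[1], None
            elif line.startswith("action "):
                action = line[len("action "):].strip()
        if rule is not None and action != "drop logging":  # last rule of the block
            flagged.append((policy, rule))
    return flagged


if __name__ == "__main__":
    for kind, name in dangling_references(SAMPLE_CONFIG):
        print(f"dangling reference: {kind} '{name}' is applied but never defined")
    for policy, rule in rules_without_drop_logging(SAMPLE_CONFIG):
        print(f"policy {policy} rule {rule} does not both drop and log")
```

The check is deliberately strict about `drop logging`: a rule that only drops would satisfy the blocking requirement but leave no audit trail, and a rule that only logs would let the transfer through, so either is reported for review.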