Configuring security rules on the command line

You can configure and view security rules on the command line using the pf and mf families of commands. For a description of command families and a link to the complete list of Kaspersky NGFW configuration commands, see the Managing Kaspersky NGFW using the command line document.

Filtering by MAC addresses

Kaspersky NGFW supports pre-filtering of network frames based on the source and destination MAC addresses. Configuration is performed on the command line using the mf family of commands without using the PF filtering module.

Depending on the settings, the following special considerations are involved in filtering by MAC addresses:

Each rule can contain a value:

In one rule, you can specify only one source MAC address and only one destination MAC address. Ranges and lists are not supported.

There are no additional fields or descriptions, and the rules cannot be moved.

Example of creating a rule:

    mac-filter <rule name> src-mac <source MAC address> dst-mac <destination MAC address> action block
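Because a rule holds exactly one source and one destination MAC address, blocking several hosts takes one rule per source/destination pair. The following Python example is added here and is not part of the Kaspersky documentation; it validates the addresses and expands them into mac-filter commands in the syntax shown above. The colon-separated MAC notation in the output and the rule naming scheme (blk-NNN) are assumptions.

```python
import itertools
import re

# One address only: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff.
_SINGLE_MAC = re.compile(
    r"^(?:[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$"
)


def normalize_mac(text):
    """Return the address as aa:bb:cc:dd:ee:ff or raise ValueError.

    Ranges, lists and masks are rejected, because a rule accepts a single
    source and a single destination address.
    """
    value = text.strip().lower()
    if not _SINGLE_MAC.match(value):
        raise ValueError(f"not a single MAC address: {text!r}")
    digits = re.sub(r"[:.\-]", "", value)
    # Assumption: the CLI accepts colon-separated notation.
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_filter_rules(sources, destinations, prefix="blk"):
    """Expand sources x destinations into one block rule per pair.

    Duplicates written in different notations collapse to one address.
    Output order is sorted and stable, which matters because rules have
    no description field and cannot be moved afterwards.
    """
    srcs = sorted({normalize_mac(s) for s in sources})
    dsts = sorted({normalize_mac(d) for d in destinations})
    rules = []
    for n, (src, dst) in enumerate(itertools.product(srcs, dsts), start=1):
        name = f"{prefix}-{n:03d}"  # hypothetical naming scheme
        rules.append(
            f"mac-filter {name} src-mac {src} dst-mac {dst} action block"
        )
    return rules


if __name__ == "__main__":
    # Constructed sample addresses (locally administered / documentation use).
    sample_src = ["00-11-22-33-44-55", "0011.2233.4455", "02:00:00:00:00:01"]
    sample_dst = ["02:00:00:00:00:FE"]
    for line in mac_filter_rules(sample_src, sample_dst):
        print(line)
```

Keep the generated list under version control: the rule name is the only place the rule's purpose can be recorded.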

Filtering HTTP methods

Kaspersky NGFW supports filtering HTTP methods in traffic passing through a security rule with an enabled Anti-Virus profile.

Filtering is supported:

By default, HTTP method filtering is disabled.

To enable HTTP method filtering:

  1. Enable the global HTTP filter by running the following command on the command line:

    http-methods-filter> enable

  2. Specify the list of HTTP methods that you want to block by running the following command on the command line:

    block-http-methods <list of HTTP methods>

The specified list is included in the filtering.

The standard HTTP methods are supported: get, head, post, put, delete, connect, options, trace. Non-standard HTTP methods are not filtered and not blocked.

Sending custom events when filtering HTTP methods

When HTTP method filtering is triggered, a custom event is generated. Events are logged in the Stream and Object Anti-Virus logs only when filtering is enabled and blocking is triggered. Whether an event is logged is determined by the settings of the Anti-Virus profile that is applied to the HTTP method security rule.

The following table describes the custom event parameters.

Custom events

Field    Value
msg      HTTP method name
cs4      Low
cat      Unknown
fsize
cs1
cs3
