====== Filtering rules management interface ======
{{indexmenu_n>6}}

====== Universal Locking Rules UI ======

===== Introduction =====

The Universal Locking Rules (ULR) UI is designed to manage filtering rules on multiple DPIs simultaneously through a graphical interface.

===== Installation =====

Equipment or virtual machines with the following characteristics are suitable for the subsystem:

  - CPU 2.5 GHz, 2-4 cores
  - RAM from 8 GB (mainly for Sphinx)
  - Hard drive (HDD) 50 GB - 250 GB
  - CentOS 7+ operating system (do not use the minimal edition, because most of the dependencies would have to be installed manually)
  - Network card (NIC) from 10 Mbps

We recommend the CentOS 7+ operating system. **Do not use the minimal edition, because most of the dependencies will have to be installed manually.**

If you need to install the software on CentOS 6, make sure that supervisor 3+ is installed. If you do not have the package, please contact technical support.

The locking rules management interface is a special section of [[en:dpi:dpi_components:dpiui:start|The VAS Experts DPI Graphical User Management Interface ver.2]]. The installation follows the same procedure as for [[en:dpi:dpi_components:dpiui:install_and_update:install:start|The VAS Experts DPI Graphical User Management Interface ver.2]].

===== Configuration =====

==== .env Configuration ====

The subsystem configuration is handled with the .env file:

  /var/www/html/dpiui2/backend/.env

The file contents:

<code>
#Redirect URL for the "White list" service
ULR_WHITE_LIST_REDIRECT_URL=https://google.com

#The period after which ULR task data is deleted (days)
ULR_QUEUE_DELETE_TASKS_DAYS_INTERVAL=1

#ASN for IP-exception rules
ULR_IP_EXCLUDE_ASN=64401

#The host for blocked resources list deployment (used to connect to the blocked resources server).
ULR_BLACK_LIST_DEPLOY_HOST=

#The port for blocked resources list deployment (used to connect to the blocked resources server).
ULR_BLACK_LIST_DEPLOY_PORT=22

#Username for blocked resources list deployment (used to connect to the blocked resources server).
ULR_BLACK_LIST_DEPLOY_USER=default

#Password for blocked resources list deployment (used to connect to the blocked resources server).
ULR_BLACK_LIST_DEPLOY_PASS=

#Use sudo for blocked resources list deployment (0 - do not use, 1 - use).
ULR_BLACK_LIST_DEPLOY_SUDO=1

#Black lists saving path.
ULR_BLACK_LIST_DEPLOY_PATH=/var/www/html/blacklists/

#Log detail level (0 - info, 1 - debug, 2 - tracing).
ULR_LOAD_LOG_LEVEL=0
</code>

After changing the .env file, you need to run the command:

<code>
php /var/www/html/dpiui2/backend/artisan queue:restart
</code>

These settings can also be edited in the Administrator → DPIUI2 Server Configuration section of The VAS Experts DPI Graphical User Interface ver.2.

==== Key Installation ====

To use the Universal Locking Rules UI, you need to activate the ULR license in DPIUI2 with the command:

<code>
dpiui2 ulr_lic --make=1
</code>

Next:

  - Enter the license level: standard
  - Enter the license expiry date in the Y-m-d format (e.g. 2099-12-31)
  - Enter the license password.

If the data is correct, a success message will be displayed:

<code>
dpiui2 ulr_lic --make=1
Enter level:
> standard
Enter expire date in Y-m-d format:
> 2099-12-31
Enter password:
>
stdClass Object
(
    [success] => 1
)
</code>

==== Roles Management ====

In the DPIUI2 interface go to the Administrator → Roles section. Create a new role and set read and write permissions in the ulr_admin section:

{{ :en:dpi:dpi_components:dpiui:dpiui2:role.png?direct&600 |}}

Next, go to the Administrator → Users section. Create a new user and assign the role that you created earlier.

{{ :en:dpi:dpi_components:dpiui:dpiui2:user.png?direct&300 |}}

After the user logs in, they are taken to the locking rules management section.

{{ :en:dpi:dpi_components:dpiui:dpiui2:ulr.png?direct&600 |}}

==== Dictionaries Configuration ====

  * Category Dictionary
  * Regulators Dictionary

These dictionaries are used for creating/editing locking rules.
=== Category Dictionary ===

In the Locking Rules management interface go to the Dictionaries → Categories section.

{{ :en:dpi:dpi_components:dpiui:dpiui2:cat.png?direct&600 |}}

== Creating ==

Fill in the form with the category name and description and click the "Add" button.

{{ :en:dpi:dpi_components:dpiui:dpiui2:add_cat.png?direct&600 |}}

== Editing ==

Click on the category editing button in the categories table. In the form, change the name and/or description of the category, then click the "Save" button.

{{ :en:dpi:dpi_components:dpiui:dpiui2:cat_edit.png?direct&600 |}}

== Deleting ==

Click on the delete category button in the categories table. In the pop-up window confirm or cancel the action.

{{ :en:dpi:dpi_components:dpiui:dpiui2:cat_delete.png?direct&600 |}}

**Attention:** Before deleting a category, make sure there are no rules referring to this category!

=== Regulators Dictionary ===

In the Locking Rules management interface go to the Dictionaries → Regulators section.

{{ :en:dpi:dpi_components:dpiui:dpiui2:reg.png?direct&600 |}}

== Creating ==

Fill in the form with the regulator name and description and click the "Add" button.

{{ :en:dpi:dpi_components:dpiui:dpiui2:add_reg.png?direct&600 |}}

== Editing ==

Click on the regulator editing button in the regulators table. In the form, change the name and/or description of the regulator, then click the "Save" button.

{{ :en:dpi:dpi_components:dpiui:dpiui2:reg_edit.png?direct&600 |}}

== Deleting ==

Click on the delete regulator button in the regulators table. In the pop-up window confirm or cancel the action.

{{ :en:dpi:dpi_components:dpiui:dpiui2:reg_delete.png?direct&600 |}}

**Attention:** Before deleting a regulator, make sure there are no rules referring to this regulator!

==== IGW Profiles Management ====

Change to the "ISPS & IGWS Profiles" -> "IGWs List" section.
{{ :en:dpi:dpi_components:dpiui:dpiui2:igw.png?direct&600 |}}

=== Creating ===

To create a new IGW profile change to the "ISPS & IGWS Profiles" -> "Add new IGW profile" section. In the form specify:

  * Profile name;
  * Operation mode (Standalone/Cluster);
  * Nodes for the profile (node name, DPI from the list of available equipment and number of bridges).

{{ :en:dpi:dpi_components:dpiui:dpiui2:add_igw.png?direct&600 |}}

Before creating an IGW profile, add the FastDPI server in the main section of DPIUI 2: [[en:dpi:dpi_components:dpiui:user_guide:admin_section:equipment_management:start|Administrator -> Devices]].

=== Editing ===

In the "ISPS & IGWS Profiles" -> "IGWs List" section click the "Edit profile" button.

{{ :en:dpi:dpi_components:dpiui:dpiui2:igw_edit.png?direct&600 |}}

The IGW profile creation/editing form will open. Make the changes you need and click "Save Changes".

=== Deleting ===

In the "ISPS & IGWS Profiles" -> "IGWs List" section click the "Delete" button and confirm/cancel the operation.

{{ :en:dpi:dpi_components:dpiui:dpiui2:igw_delete.png?direct&600 |}}

**Attention**: Before deleting a profile, make sure there are no ISP profiles referring to this IGW profile!

===== Web Server for Global Lists Configuration =====

==== Web-server ====

1. Prepare a machine with CentOS 7+ installed.

2. Create a sudo user without password as described in the [[en:dpi:dpi_components:dpiui:dpiui2#dpi_connection_details|Dpiui2: DPI connection details]] section.

3. Run the script:

<code bash>
rpm --import http://vasexperts.ru/centos/RPM-GPG-KEY-vasexperts.ru
rpm -Uvh http://vasexperts.ru/centos/6/x86_64/vasexperts-repo-1-0.noarch.rpm
yum install dpiutils -y
yum install httpd -y
yum install unzip -y
mkdir /var/www/html/blacklists
chmod -R 777 /var/www/html/blacklists
echo "
DocumentRoot \"/var/www/html/blacklists\"
Order deny,allow
Allow from all
" > /etc/httpd/conf.d/bl_lists.conf
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
systemctl enable httpd.service
systemctl restart httpd.service
</code>

4. In the dpiui2 configuration [[en:dpi:dpi_components:dpiui:ulr_ui:start#env_configuration|specify the web-server access parameters in ULR settings section]].

5. Specify the path to the custom lock lists in the settings of all connected FastDPI servers (the host part of each URL is the address of the web server prepared in step 1):

<code>
# URL dictionary for blocking by HTTP (custom_url_black_list)
custom_url_black_list=http:///blacklist.dict

# Names dictionary for blocking HTTPS protocol by certificate (custom_cname_black_list)
custom_cname_black_list=http:///blacklistcn.dict

# IP addresses dictionary for blocking HTTPS by IP (custom_ip_black_list)
custom_ip_black_list=http:///blacklistip.dict

# Host names dictionary for blocking HTTPS by SNI (custom_sni_black_list)
custom_sni_black_list=http:///blacklistsni.dict
</code>

===== DSCP Rules =====

Change to the "Applications and policings" section -> "DSCP Rules".

{{ :en:dpi:dpi_components:dpiui:dpiui2:dscp_rules.png?direct&600 |}}

=== Creating ===

In the rule creation form:

  * Enter the name of the application protocol and choose one from the list;
  * Choose the priority from the list.

Save the rule by clicking on the "Set DSCP" button.

=== Editing ===

In the list of DSCP rules click on the "Edit rule" button. In the popup editing form set the necessary priority and save the changes by clicking on the "Set DSCP" button.

{{ :en:dpi:dpi_components:dpiui:dpiui2:dscp_edit.png?direct&600 |}}

=== Deleting ===

In the DSCP rules list click the "Delete rule" button and confirm/cancel the operation.

{{ :en:dpi:dpi_components:dpiui:dpiui2:dscp_delete.png?direct&600 |}}

===== ASN Filter =====

Change to the "ASN Filter" section.

{{ :en:dpi:dpi_components:dpiui:dpiui2:asn.png?direct&600 |}}

=== Creating ===

In the rule creation form:

  * Specify the AS number;
  * Choose the priority from the list;
  * Enter the rule name;
  * Enter the rule description.

Save the rule by clicking on the "Set DSCP" button.

=== Editing ===

In the list of DSCP in ASN direction rules click on the "Edit rule" button. If necessary, in the popup editing form:

  * Choose the priority from the list;
  * Enter the rule name;
  * Enter the rule description.

{{ :en:dpi:dpi_components:dpiui:dpiui2:asn_edit.png?direct&600 |}}

Save the changes by clicking on the "Set DSCP" button.

=== Deleting ===

In the list of DSCP in ASN direction rules click the "Delete rule" button and confirm/cancel the operation.

{{ :en:dpi:dpi_components:dpiui:dpiui2:asn_delete.png?direct&600 |}}

===== IP & ASN Excludes =====

Change to the "IP & ASN Excludes" section.

{{ :en:dpi:dpi_components:dpiui:dpiui2:as_exclude.png?direct&600 |}}

==== IP Excludes ====

Change to the "IP & ASN Excludes" section -> "IP Excludes".

{{ :en:dpi:dpi_components:dpiui:dpiui2:ip_exclude.png?direct&600 |}}

=== Creating ===

In the rule creation form:

  * Specify IP/CIDR;
  * Enter the rule name;
  * Enter the rule description.

Save the rule by clicking on the "Set exclusion" button.

=== Editing ===

Click on the "Edit exclusion" button. In the rule editing form you can change:

  * the name of the rule;
  * its description.

{{ :en:dpi:dpi_components:dpiui:dpiui2:ip_exclude_edit.png?direct&400 |}}

Save the changes by clicking on the "Set DSCP" button.

=== Deleting ===

In the list of exclusions click the "Delete exclusion" button and confirm/cancel the operation.

{{ :en:dpi:dpi_components:dpiui:dpiui2:ip_exclude_delete.png?direct&600 |}}

==== ASN Excludes ====

Change to the "IP & ASN Excludes" section -> "ASN Excludes".

{{ :en:dpi:dpi_components:dpiui:dpiui2:as_exclude.png?direct&600 |}}

=== Creating ===

In the rule creation form:

  * Specify the AS number;
  * Enter the rule name;
  * Enter the rule description.

Save the changes by clicking on the "Set Exclusion" button.

=== Editing ===

Click on the "Edit exclusion" button. In the rule editing form you can change:

  * the name of the rule;
  * its description.

{{ :en:dpi:dpi_components:dpiui:dpiui2:as_exclude_edit.png?direct&400 |}}

Save the changes by clicking on the "Set DSCP" button.

=== Deleting ===

In the list of exclusions click the "Delete exclusion" button and confirm/cancel the operation.

{{ :en:dpi:dpi_components:dpiui:dpiui2:as_exclude_delete.png?direct&600 |}}

==== VIP Subscriber Management ====

== VIP Subscribers and their privileges ==

A **VIP Subscriber** is a special subscriber whose traffic is passed with a dedicated priority (cs0 by default) regardless of the priority settings for application protocols. The dedicated priority is set by the special_dscp configuration parameter; see the [[en:dpi:dpi_components:dpiui:user_guide:ssg_control_section:dpi_configuration:start|Configuration]] section. The subscriber is connected by installing service 15 on the DPI.

Privilege:

  * Unlimited access to applications and resources that are subject to usage restrictions.

== Purpose of section ==

This section is used to manage VIP Subscribers.

=== Getting started with section ===

Open the "IP & AC Exclusion" -> "VIP Subscribers" section.

{{ :en:dpi:dpi_components:dpiui:ulr_ui:en_section_vip_subscriber.png?600 |}}

== Creation ==

In the VIP Subscriber creation form:

  * Select the type from the drop-down list (IP/Login);
  * Enter the IP or Login in the Subscriber field, depending on the type chosen in the drop-down list;
  * You can apply the rule to an ISP from the list and select multiple ISPs, or click on the "Select All" button. If you clicked "Select All" by mistake, click on the "Uncheck All" button;
  * If the "apply to specific ISPs" slider is disabled, the new rule is set globally for all ISPs.

{{ :en:dpi:dpi_components:dpiui:ulr_ui:en_form_vip_subcribers.png?600 |}}

Save the VIP Subscriber by clicking the "Add" button.

== Editing ==

Click on the "Edit VIP Subscriber" button. In the rule editing form, you can change:

  * Application to certain ISPs from the list;
  * Remove or add an ISP.

{{ :en:dpi:dpi_components:dpiui:ulr_ui:en_edit_vip_subscribers.png?400 |}}

Save your changes by clicking the "Save" button.
== Deleting ==

In the VIP Subscribers list, click on the "Delete VIP Subscriber" button and, in the window that appears, confirm or cancel the deletion.

{{ :en:dpi:dpi_components:dpiui:ulr_ui:en_delete_vip_subscribers.png?600 |}}

===== ISP Configuration =====

Change to the "ISPS & IGWS Profiles" -> "ISPs List" section.

{{ :en:dpi:dpi_components:dpiui:dpiui2:isp_list.png?direct&600 |}}

==== Creating an ISP Profile ====

To create a new ISP profile go to the "ISPS & IGWS Profiles" section -> "Add new ISP Profile". In the form specify:

  * Name of the ISP profile;
  * Choose the border from the list;
  * Login to be used on the DPI node;
  * Prefix for lists on the DPI node (it will be used as the name of the service profile on the node);
  * Choose the bridges of the border;
  * Choose Network training to get the addresses of this profile;
  * Specify the addresses/networks of the ISP (if necessary).

{{ :en:dpi:dpi_components:dpiui:dpiui2:isp_add.png?direct&600 |}}

Click on the "Save changes" or "Save and Disable/Enable" button. After creation the ISP profile is enabled by default. Only enabled profiles are uploaded to DPI nodes.

==== Editing ISP Profile ====

In the "ISPS & IGWS Profiles" section -> "ISPs list" click on the "Edit Profile" button. A modal form for creating/editing the ISP profile will pop up; make the changes you need and click on the "Save changes" or "Save and Disable/Enable" button.

==== Deleting ISP Profile ====

In the "ISPS & IGWS Profiles" section -> "ISPs List" click on the "Delete" button and confirm/cancel the action.

{{ :en:dpi:dpi_components:dpiui:dpiui2:isp_delete.png?direct&600 |}}

**Attention:** Before deleting the profile, make sure there are no rules referring to this profile!

==== Policing Profile ====

Change to the "Applications and Policings" section -> "Policings Profiles".

{{ :en:dpi:dpi_components:dpiui:dpiui2:policing.png?direct&600 |}}

=== Editing Policing Profile ===

Click on the "Edit policing" button.
{{ :en:dpi:dpi_components:dpiui:dpiui2:policing_edit.png?direct&600 |}}

In the popup editing form:

  * Enter the policing description;
  * Choose the policing type TBF/HTB (the form with class values will look different depending on the type selected).

You can use configuration autocomplete:

  * For the HTB type: rate=8Bps, ceil=the value that was specified in the autocomplete form;
  * For the TBF type: rate=the value that was specified in the autocomplete form.

To save the changes click on the "Save profile" or "Save and disable/enable" button. The policing profile is disabled by default.

=== Deleting Policing Profile ===

There are two ways to delete the profile: by clicking the "Delete profile" button in the list of policing profiles, or the same button on the Editing Profile page.

===== WEB and IP Filter =====

==== Locking Rules List ====

Change to the "WEB and IP Filter" section.

{{ :en:dpi:dpi_components:dpiui:dpiui2:blocked_resources.png?direct&600 |}}

==== Creating/Editing Locking Rules ====

  * To create a new locking rule for a resource, change to the "WEB and IP Filter" section -> "Add new rule";
  * To edit an existing rule, change to the "WEB and IP Filter" section and click on the "Edit rule" button.

In the popup form:

  * Choose the regulator;
  * Choose the category;
  * Enter the rule public description;
  * Enter the rule hidden description.

{{ :en:dpi:dpi_components:dpiui:dpiui2:create_edit_web_rule.png?direct&600 |}}

In the resource validation form, enter the resource and choose its type:

  * If it is not necessary to validate the resource, just click on the "Add to the list" button;
  * Otherwise click on the "Check" button. Information about the resource will be displayed, and it can be added to the rule locking list by clicking the "Add to List" button.

{{ :en:dpi:dpi_components:dpiui:dpiui2:create_edit_web_rule2.png?direct&600 |}}

In the subsection for binding rules to ISP profiles:

  * If the option "Apply the rule to ISP from the list" is **disabled**, the rule is global. Resources from this rule are included in the global lists of blocked resources.
  * If the option "Apply the rule to ISP from the list" is **enabled**, the rule is applied only to those ISP profiles which are selected in the rule. Resources from this rule are included in the locking lists for these ISP profiles.

==== Deleting the Locking Rule ====

Change to the "WEB and IP Filter" section and click on the "Edit the rule" button.

{{ :en:dpi:dpi_components:dpiui:dpiui2:delete_web_rule.png?direct&600 |}}

**Attention**: Before deleting a rule, make sure it does not refer to any ISP profile.

==== Domain Check ====

Change to the "WEB and IP Filter" section -> "Check domain".

{{ :en:dpi:dpi_components:dpiui:dpiui2:check_domain.png?direct&600 |}}

In the "Resource Check" field type in the URL of the resource to be checked, then click on the "Check" button. Information about the specified resource will be displayed below the form:

  * SSL/TLS, locking type;
  * Certificate information;
  * DNS list;
  * Recommendations about the values to use to lock this resource.

{{ :en:dpi:dpi_components:dpiui:dpiui2:check_domain_result1.png?direct&600 |}}

{{ :en:dpi:dpi_components:dpiui:dpiui2:check_domain_result2.png?direct&600 |}}

==== Search the Database (among the blocking rules) ====

Change to the "WEB and IP Filter" section -> "Search Database". In the "IP, CIDR, Domain, Notes" field enter the value in accordance with the prompts at the top of the page. Then choose the type of search: Full Text, By Resources or By Description, and click on the "Search" button. All blocking rules that match the selected search parameters will be displayed.

{{ :en:dpi:dpi_components:dpiui:dpiui2:web_rules_search.png?600 |}}

===== Whitelist =====

==== Whitelist rule list ====

Change to the "Whitelist" section.
{{ :en:dpi:dpi_components:dpiui:dpiui2:white_lists.png?direct&600 |}}

==== Creating/Editing the white list ====

  * To create a new white list rule, change to the "Whitelist" section -> "Add new rule";
  * To edit an existing rule, change to the "White list" section and click on the "Edit rule" button.

In the popup form:

  * Choose the regulator;
  * Choose the category;
  * Enter the rule public description;
  * Enter the rule hidden description.

{{ :en:dpi:dpi_components:dpiui:dpiui2:white_list_edit1.png?direct&600 |}}

In the resource validation form, enter the resource and choose its type:

  * If it is not necessary to validate the resource, just click on the "Add to the list" button;
  * Otherwise click on the "Check" button. Information about the resource will be displayed, and it can be added to the rule locking list by clicking the "Add to List" button.

{{ :en:dpi:dpi_components:dpiui:dpiui2:white_list_edit2.png?direct&600 |}}

In the subsection for binding rules to ISP profiles:

  * If the option "Apply the rule to ISP from the list" is **disabled**, the rule is global. Resources from this rule are included in the global lists of blocked resources.
  * If the option "Apply the rule to ISP from the list" is **enabled**, the rule is applied only to those ISP profiles which are selected in the rule. Resources from this rule are included in the locking lists for these ISP profiles.

==== Deleting a white list rule ====

Change to the "Whitelist" section and click on the "Edit the rule" button.

{{ :en:dpi:dpi_components:dpiui:dpiui2:white_list_delete.png?direct&600 |}}

**Attention:** Before deleting a rule, make sure it does not refer to any ISP profile.

==== Whitelist operating mode management ====

Change to the "Whitelist" section -> "Mode".
{{ :en:dpi:dpi_components:dpiui:dpiui2:white_list_mode.png?direct&600 |}}

  * With the global whitelist mode enabled, the whitelist service is applied to all ISP profiles and the resource lists are formed only from global whitelist rules;
  * When the whitelist mode is enabled for a separate ISP profile, the service is applied only to the ISP which has it enabled. The lists are formed only from white list rules which refer to this ISP profile;
  * If both modes are enabled, the global and separate ISP rule lists are concatenated. For other ISPs, the whitelist service is used with only the global whitelist rules.

===== Database search (global) =====

Change to the "Database search" section. In the "IP, CIDR, Domain, Comment" field enter the value in accordance with the prompts at the top of the page and choose the search type: Full Text, By Resources or By Description. Click on the "Search" button. All blocking rules (of the specified type) that match the selected search parameters will be displayed.

{{ :en:dpi:dpi_components:dpiui:dpiui2:db_search.png?direct&600 |}}

===== Task monitoring =====

Change to the "State of the system" section.

{{ :en:dpi:dpi_components:dpiui:dpiui2:ulr_queue.png?direct&600 |}}

This section displays the task queue, with the status and time of each task. To see the details of a task, click on "Task Details".

===== Logs =====

The logs for this section are stored in the files:

  /var/www/html/dpiui2/backend/storage/logs/ulr*.log

The log detail level is specified with the [[en:dpi:dpi_components:dpiui:ulr_ui:start#env_configuration|ULR_LOAD_LOG_LEVEL option in the .env configuration file]].
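As an added check for the web server set up in the "Web Server for Global Lists Configuration" section (an example script written for this page, not part of the VAS Experts product), the script below verifies that the four dictionaries the FastDPI servers fetch (blacklist.dict, blacklistcn.dict, blacklistip.dict, blacklistsni.dict) are present and non-empty in the deployment directory (ULR_BLACK_LIST_DEPLOY_PATH, /var/www/html/blacklists by default) and, optionally, that each one is served over HTTP from the address the FastDPI custom_*_black_list settings point at. The HTTP check assumes curl is installed on the machine running the script.

```shell
#!/bin/sh
# Added example (not from the VAS Experts page): sanity-check the blocked
# resources web server after ULR has deployed the global lists.
# Assumptions: the four dictionary names from the FastDPI custom_*_black_list
# settings and the default deploy path from ULR_BLACK_LIST_DEPLOY_PATH.

ULR_DICTS="blacklist.dict blacklistcn.dict blacklistip.dict blacklistsni.dict"

# count_entries FILE: number of non-blank lines; 0 if the file is missing.
count_entries() {
    n=$(grep -c '[^[:space:]]' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# check_deploy_dir DIR: every dictionary must exist and hold at least one
# entry. Prints one status line per file; returns 1 if any check fails.
check_deploy_dir() {
    dir="${1:-/var/www/html/blacklists}"
    rc=0
    for f in $ULR_DICTS; do
        path="$dir/$f"
        if [ ! -r "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        n=$(count_entries "$path")
        if [ "$n" -eq 0 ]; then
            echo "EMPTY   $path"; rc=1
        else
            echo "OK      $path ($n entries)"
        fi
    done
    return $rc
}

# check_deploy_url BASE_URL: fetch each dictionary the way a FastDPI node
# does (plain HTTP GET) and require a 2xx reply with a non-empty body.
# Needs network access and curl; not exercised offline.
check_deploy_url() {
    base="${1%/}"
    rc=0
    for f in $ULR_DICTS; do
        if ! body=$(curl -sf --max-time 10 "$base/$f"); then
            echo "FAIL    $base/$f"; rc=1; continue
        fi
        if [ -z "$body" ]; then
            echo "EMPTY   $base/$f"; rc=1
        else
            echo "OK      $base/$f"
        fi
    done
    return $rc
}

# Usage: ./check_blacklists.sh [DEPLOY_DIR] [BASE_URL]
if [ "$#" -gt 0 ]; then
    check_deploy_dir "$1" || exit 1
    if [ -n "$2" ]; then
        check_deploy_url "$2" || exit 1
    fi
fi
```

Run it on the web server itself with the deploy directory as the first argument, and from a FastDPI node with the base URL as the second argument to confirm the node can reach the lists.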