IM Control Configuration Example

This section describes an IM control configuration example.

Security Appliance works as the gateway of an enterprise. Ethernet0/0 connects to Internet and belongs to untrust zone; ethernet0/1 connects to the Intranet of R&D department and belongs to trust zone; ethernet0/3 connects to the Intranet of Marketing department and belongs to the trust1 zone.

It is required to record the MSN login/logout log messages of the marketing department.

See the topology below:

This section describes the IM control and role configurations in detail. For the configurations about interface, zone, and log, see the related chapters.

Configurations

Take the following steps:

Step 1: Configure user, role, and role mapping rule (take user1 as the example).

1. Select Object > Local User from the menu bar.
2. In the Local User dialog, select local from the Local server drop-down list, and click New > User. In the User Configuration dialog, configure the options as below:
   • Name: user1
   • Password: 123456
   • Confirm password: 123456
3. Click OK to save the changes and return to the Local User dialog.
4. Click New > User Group. In the User Group Configuration dialog, configure the options as below:
   • Name: usergroup1
   • Select the check box of user1 in the Available list
5. Click OK to save the changes and return to the Local User dialog.
6. Click OK in the Local User dialog.

Step 2: Configure the role mapping rule.

1. Click Object > Role from the menu bar.
2. In the Role dialog, click New > Role.
3. In the Role Configuration dialog, type marketing into the Role name box.
4. Click OK to save the changes and return to the Role dialog.
5. Click New > Role Mapping. In the Role Mapping Configuration dialog, configure the options as below:
   • Name: role-mapping1
   • Member: Select marketing, User group, and usergroup1 in turn, and then click Add.
6. Click OK to save the changes and return to the Role Mapping Configuration dialog.
7. Click OK in the Role Mapping Configuration dialog.
8. Click Object > AAA Server from the menu bar.
9. In the AAA Server dialog, select local from the list, and then click Edit.
10. Select role-mapping1 from the Role mapping rule drop-down list.
11. Click OK to save the changes and close the dialog.

Step 3: Configure interfaces and zones.

1. On the Navigation pane, click Configure > Network > Network to visit the Network page.
2. Select ethernet0/1 from the interface list, and click Edit. In the Interface Configuration dialog, configure the options as below:
   • Binding zone: Layer 3 zone
   • Zone: trust1
   • Type: Static IP
   • IP address: 192.168.1.1
   • Netmask: 16
3. Click OK to save the changes and return to the Network page.
4. Select ethernet0/0 from the interface list,, and click Edit. In the Interface Configuration dialog, configure the options as below:
   • Binding zone: Layer 3 zone
   • Zone: untrust
   • Type: Static IP
   • IP address: 66.1.200.1
   • Netmask: 16
5. Click OK to save the changes and return to the Network page.

Step 4: Enable WebAuth.

1. On the Navigation pane, click Configure > Network > WebAuth to visit the WebAuth page.
2. On the Task tab of the right pane, click WebAuth Wizard.
3. In the Parameter page of the WebAuth Configuration Wizard dialog, select HTTP for the Authentication mode option, and specify the HTTP port as 8181 in the HTTP port box.
4. Click Next.
5. In the Auth User page, select local from the AAA server drop-down list.
6. Click Next to go to the Policy page. Do the options as below:
   • Src zone: trust1
   • Dst zone: untrust
   • DNS zone: untrust
7. Click OK to save the changes and return to the WebAuth page.
8. On the Navigation pane, click Configure > Security > Policy to visit the Policy page.
9. Select the policy rule whose action is WebAuth, and click Edit. In the Policy Configuration dialog, select New addressbook from the Src address drop-down list.
10. In the Address Entry Configuration dialog, configure the options as below:
    • Name: addressentry1
    • Member: Select IP/netmask, and type 192.168.1.1 and 16 into the boxes. Click Add.
11. Click OK to save the changes and return to the Policy Configuration dialog.
12. Click OK to save the changes and close the Policy Configuration dialog.

Step 5: Configure the IM control rule named imcontrol.

1. On the Navigation pane, click Configure > Content > IM Control to visit the IM Control page.
2. Click New.
3. In the IM Control Rule Configuration dialog, type imcontrol into the Name box.
4. Under Match Conditions, finish the options as below to specify the conditions for the rule.
   • Dst zone: untrust
   • User: marketing
   • Schedule: Do not configure
5. Select the Record log check box of the Other MSN accounts option.
6. Click OK to save the changes and return to the IM Control page.

After finishing the above configurations, the MSN login/logout action of the marketing department will be recorded by log messages.