![](https://scientia-potentia-est.com/wp-content/uploads/2023/07/PAPolicy.png)
Any Policy
Go to the POLICIES page.
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/PolicyPage.jpg)
At the bottom there is an Add option for creating a new policy. General holds the description of the policy.
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/NewPolicy.jpg)
Under Source you choose which zone is the source. The address can be a single IP or a group, and within a group you can also restrict which users it applies to.
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/NewPolicySource.jpg)
Destination works much like Source: choose which destination zone traffic from the source zone is going to.
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/NewPolicyDestination.jpg)
The action then controls which types of HTTP or DNS requests between these zones are allowed through, or which types of request are denied.
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/NewPolicyAction.jpg)
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/CheckYoutube.jpg)
Blocking URL Types
DNS Policy
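Before anything is blocked, clients must be able to reach DNS to resolve IP addresses; only then does the block apply. Add a policy that lets DNS out. Because everything I block is web functionality, once the blocked site categories are matched, other sites still need DNS to resolve and get out.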
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/DNSPolicy.jpg)
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/PolicyRuleApplication.jpg)
Block URL Category Policy
To block a URL category, go to the Service/URL Category page. As a test, I block web pages in the games and news categories.
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/PolicyService.jpg)
Because the goal is to block, choose Drop or Deny under Actions.
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/BlockActions.jpg)
To test, I tried connecting to BBC News and Bahamut (巴哈姆特).
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/BlockNews.jpg)
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/BlockGames.jpg)
The action is also set to record logs, so the logs should show hits on this policy. If the news and games requests are all dropped, the block worked.
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/BlockLogs.jpg)
Blocking Application Services
To simply block a layer 7 service, set it directly under Application.
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/BlockApplicationLayer.jpg)
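Blocking web services requires ssl, telnet, web-browsing and so on; set these services to drop.
Application and URL Category are usually configured separately so that services or websites can be blocked more precisely.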
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/BlockWeb.jpg)
You can also check the logs to see whether the rule was hit.
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/BlockHit.jpg)
You can also see that SSL is dropped as well.
![](https://scientia-potentia-est.com/wp-content/uploads/PAPolicySetup/SSLDrop.jpg)
That means the block succeeded.
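The three rules built in the GUI above, written as PAN-OS configuration-mode commands. This is an added example, not from the original post: the zone names `trust` and `untrust` and the rule names are assumptions, and lines starting with `#` are annotations for the reader, not CLI input.

```panos
# Annotation lines ("#") are not PAN-OS syntax; do not paste them.
# Assumed names: zones trust/untrust; rules Allow-DNS, Block-URL-Category, Block-Web-Apps.
configure

# 1. DNS Policy: let name resolution out so non-blocked sites still resolve.
set rulebase security rules Allow-DNS from trust to untrust
set rulebase security rules Allow-DNS source any destination any
set rulebase security rules Allow-DNS application dns service application-default
set rulebase security rules Allow-DNS action allow

# 2. Block URL Category Policy: games and news, logged so hits show in the traffic log.
set rulebase security rules Block-URL-Category from trust to untrust
set rulebase security rules Block-URL-Category source any destination any
set rulebase security rules Block-URL-Category application any service any
set rulebase security rules Block-URL-Category category [ games news ]
set rulebase security rules Block-URL-Category action deny log-end yes

# 3. Application block: the layer 7 applications named in the post, set to drop.
set rulebase security rules Block-Web-Apps from trust to untrust
set rulebase security rules Block-Web-Apps source any destination any
set rulebase security rules Block-Web-Apps application [ ssl web-browsing telnet ] service any
set rulebase security rules Block-Web-Apps action drop log-end yes

# Rules are evaluated top-down and the first match wins, so keep the DNS allow rule first.
move rulebase security rules Allow-DNS top

commit
```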