Processing procedure, Java blocking, Overview – H3C Technologies H3C SecPath F1000-E User Manual

2

Processing procedure

After receiving an HTTP request containing URL parameters, the device obtains the parameters
according to the parameter transmission method:

•

If the parameters are transmitted by a method other than GET, POST and PUT, the device directly
forwards the request.

•

If the parameters are transmitted by the method of GET, POST or PUT, the device compares the URL
parameters against the configured filtering entries. If a match is found, the device denies the request;
otherwise, the device forwards the request.

Java Blocking

Overview

Java blocking can protect networks from being attacked by malicious Java applets.

After the Java blocking function is enabled, all requests for Java applets of webpages will be filtered. If
Java applets in some webpages are expected, you can configure ACL rules to permit requests to Java
applets of these webpages.

Processing procedure

•

If the Java blocking function is enabled but no ACL is configured for it, the device replaces suffixes
“.class” and “.jar” with “.block” in all HTTP requests and then forwards the requests.

•

If the Java blocking function is enabled and an ACL is configured for it, the device determines
whether to replaces suffixes “.class” and “.jar” with “.block” in HTTP requests according to the ACL
rules. If the destination server in an HTTP request is a server permitted by the ACL, no replacement
occurs and the request is forwarded; otherwise, the suffix in the request is replaced with “.block”
and then the request is forwarded.

•

In addition to the default suffixes “.class” and “.jar”, you can add Java blocking suffixes (that is, the
filename suffixes to be replaced in HTTP requests) through command lines.

ActiveX Blocking

Overview

ActiveX blocking can protect networks from being attacked by malicious ActiveX plugins.

After the ActiveX blocking function is enabled, requests for ActiveX plugins to all webpages will be
filtered. If the ActiveX plugins in some webpages are expected, you can configure ACL rules to permit
requests to the ActiveX plugins of these webpages.

Processing procedure

•

If the ActiveX blocking function is enabled but no ACL is configured for it, the device replaces suffix
“.ocx” with “.block” in all HTTP requests and then forwards the requests.

•

If the ActiveX blocking function is enabled and an ACL is configured for it, the device determines
whether to replaces suffix “.ocx” with “.block” in HTTP requests according to the ACL rules. If the
destination server in an HTTP request is a server permitted by the ACL, no replacement occurs and