CN113422778B - Firewall policy configuration method and device and electronic equipment - Google Patents

Publication number: CN113422778B
Authority: CN (China)
Prior art keywords: code, policy, policy configuration, firewall, value
Legal status: Active
Application number: CN202110746396.4A
Other languages: Chinese (zh)
Other versions: CN113422778A (en)
Inventor: 李东杲, 计弘融
Current Assignee: Industrial and Commercial Bank of China Ltd ICBC
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The disclosure provides a firewall policy configuration method, a firewall policy configuration device, and electronic equipment, applicable to fields such as information security and finance. The method comprises: obtaining values of at least some of the objects in a policy table, wherein the policy table comprises at least two objects and each object has a corresponding object instruction code; and, for each of those objects, assembling the value of the object with the object instruction code corresponding to the object to generate a policy configuration code, so that firewall policy configuration is carried out based on the policy configuration code; wherein each object corresponds to at least one entity in the firewall, and the object instruction code conforms to the firewall's requirements for configuring the corresponding entity.

Description

Firewall policy configuration method and device and electronic equipment
Technical Field
The present disclosure relates to the field of information security and financial technology, and in particular, to a firewall policy configuration method and apparatus, and an electronic device.
Background
With the continuous expansion of the online services of organizations, the number of firewall policies that need to be matched and opened on the network is also increasing.
In carrying out the disclosed concept, the applicant found at least the following problem in the related art: it cannot meet users' requirements for convenience when opening firewall policies.
Disclosure of Invention
In view of this, the present disclosure provides a firewall policy configuration method and apparatus for improving the convenience of opening a firewall policy, and an electronic device.
One aspect of the present disclosure provides a firewall policy configuration method performed by a first electronic device, including: obtaining values of at least some of the objects in a policy table, wherein the policy table comprises at least two objects and each object has a corresponding object instruction code; and, for each of those objects, assembling the value of the object with the object instruction code corresponding to the object to generate a policy configuration code, so that firewall policy configuration is carried out based on the policy configuration code; wherein each object corresponds to at least one entity in the firewall, and the object instruction code conforms to the firewall's requirements for configuring the corresponding entity.
According to an embodiment of the present disclosure, assembling the value of an object with the object instruction code corresponding to the object to generate a policy configuration code includes: determining the type of the value of the object, wherein the type of the value of the object comprises a parameter type and a specific value type; if the type of the value of the object comprises the parameter type, determining a first designated code corresponding to the object based on a first mapping relation, and assembling the value of the parameter with the first designated code to generate the policy configuration code; and if the type of the value of the object comprises the specific value type, determining a second designated code corresponding to the object based on a second mapping relation, and assembling the specific value with the second designated code to generate the policy configuration code.
According to an embodiment of the present disclosure, an object includes a service; a first corresponding relation exists between the value of the service and a port associated entity of the firewall, and a second corresponding relation exists between the port associated entity and a port range; assembling the value of the parameter and the first designated code, and generating a policy configuration code comprises: determining a port range corresponding to the value of the parameter based on the first corresponding relation and the second corresponding relation; and assembling the port range and the first designated code to generate a policy configuration code.
According to an embodiment of the present disclosure, assembling the port range and the first designated code, generating the policy configuration code comprises: assembling a port range and a first designated code, and generating a command line; and adding a command line in the policy configuration code.
According to an embodiment of the present disclosure, assembling a value of an object and an object instruction code corresponding to the object, and generating a policy configuration code includes: assembling the value of the object and an object instruction code corresponding to the object to generate a command line; and adding a command line in the policy configuration code.
According to an embodiment of the present disclosure, the method further includes: after the command line is generated, matching the command line against the already generated policy configuration code to obtain a matching result; if the matching result is null, adding the command line to the generated policy configuration code; and if the matching result is not null, prohibiting the command line from being added to the generated policy configuration code and adding annotation information to the generated policy configuration code.
According to an embodiment of the present disclosure, the at least two objects include: at least one of a source address, a destination address, a service, a translated source address, or a translated destination address.
According to an embodiment of the present disclosure, a policy table includes at least one of a source address translation policy part, a destination address translation policy part, or an interface part; the source address translation policy part comprises: a source name, a first source address, a first destination address, and a translated source address; the destination address translation policy part comprises: a destination name, a second source address, a second destination address, a destination service port, a translated destination address, and a translated port.
According to an embodiment of the present disclosure, the policy table further includes a policy identification; the method further comprises the following steps: receiving a policy identification; and determining a target policy table from a plurality of policy tables in response to the policy identification, wherein each of the plurality of policy tables corresponds to a type of firewall.
According to an embodiment of the present disclosure, the method further includes: after generating the policy configuration code, the policy configuration code is transmitted to the second electronic device for firewall policy configuration by the second electronic device based on the policy configuration code.
One aspect of the present disclosure provides a firewall policy configuration apparatus, provided in a first electronic device, including an object value acquisition module and a code generation module. The object value acquisition module is used for obtaining values of at least some of the objects in a policy table, wherein the policy table comprises at least two objects, each object has a corresponding object instruction code, each object corresponds to at least one entity in a firewall, and the object instruction code conforms to the firewall's requirements for configuring the corresponding entity. The code generation module is used for assembling, for each of those objects, the value of the object with the object instruction code corresponding to the object to generate a policy configuration code, so that firewall policy configuration is carried out based on the policy configuration code.
Another aspect of the present disclosure provides an electronic device comprising one or more processors and a storage device, wherein the storage device is configured to store executable instructions, which when executed by the processors, implement the method as above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the above method when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as above when executed.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
Fig. 1 schematically illustrates an exemplary system architecture to which a firewall policy configuration method, apparatus, and electronic device may be applied, according to an embodiment of the disclosure;
Fig. 2 schematically illustrates a flow chart of a firewall policy configuration method according to an embodiment of the present disclosure;
Fig. 3 schematically illustrates a logic diagram of a firewall policy configuration method according to an embodiment of the disclosure;
Fig. 4 schematically illustrates a flow diagram for generating policy configuration code according to an embodiment of the disclosure;
Fig. 5 schematically shows a schematic diagram of a correspondence between values of services and port ranges according to an embodiment of the present disclosure;
Fig. 6 schematically shows a flow diagram of redundant code detection according to an embodiment of the present disclosure;
Fig. 7 schematically illustrates a schematic diagram of redundancy labeling in accordance with an embodiment of the present disclosure;
Fig. 8 schematically illustrates a flow chart of a firewall policy configuration method according to another embodiment of the present disclosure;
Fig. 9 schematically illustrates a block diagram of a firewall policy configuration apparatus according to an embodiment of the present disclosure; and
Fig. 10 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction should be interpreted in the sense one having ordinary skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B, C, etc.). The terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or as implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more features.
In recent years, with the online business expansion of financial institutions, the number of firewall policies to be matched and opened on a network is increasing. However, in the course of the firewall policy being opened, the applicant has found that the following problems exist.
For example, opening a firewall policy through a web interface takes a long time and is inefficient. In addition, some functions on the web page are poorly arranged, which increases the workload of opening firewall policies.
Opening a firewall policy from the command line, by contrast, takes little time and allows automated batch operation. However, when command lines are written manually, they must be written and checked one by one, so the writing workload is large. In addition, improper configuration can cause conflicts that are difficult to find by manual inspection, so there is an urgent need for a complete program, built around review and judgment logic, that generates the command lines automatically.
To at least partially address the above pain points, embodiments of the present disclosure provide a firewall policy configuration method, device and electronic device. The firewall policy configuration method comprises an object value acquisition process and a configuration code generation process. In the object value acquisition process, the values of at least some of the objects in a policy table are obtained; the policy table comprises at least two objects, and each object has a corresponding object instruction code. After the object value acquisition process is finished, the configuration code generation process begins: for each of those objects, the value of the object is assembled with the object instruction code corresponding to the object to generate a policy configuration code, so that firewall policy configuration is carried out based on the policy configuration code. Each object corresponds to at least one entity in the firewall, and the object instruction code conforms to the firewall's requirements for configuring the corresponding entity.
According to the embodiment of the disclosure, an automatic firewall configuration program can generate the configuration commands from the firewall policy table (the policy table for short), which greatly reduces the workload of writing commands by hand and improves working efficiency. In addition, the program has redundant-code and conflict detection functions, which reduce the risk of overwriting the original configuration.
The firewall policy configuration method and device and the electronic device provided by the embodiments of the present disclosure may be applied to the information security field in the aspects related to firewall policy configuration, and may also be applied to various fields other than the information security field, such as the financial field.
Fig. 1 schematically illustrates an exemplary system architecture to which the firewall policy configuration method, apparatus, and electronic device may be applied, according to an embodiment of the disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the system architecture 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104, and servers 105, 106, 107. The network 104 may include a plurality of gateways, routers, hubs, network wires, etc. to provide a medium of communication links between the terminal devices 101, 102, 103 and the servers 105, 106, 107. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with other terminal devices and servers 105, 106, 107 via the network 104 to receive or send information, etc., such as policy configuration codes, firewall policy tables, etc. The terminal devices 101, 102, 103 may be installed with various communication client applications, such as firewall-like applications, software development-like applications, bank-like applications, government-affairs-like applications, monitoring-like applications, web browser applications, search-like applications, office-like applications, instant messaging tools, mailbox clients, social platform software, and the like (for example only). For example, the user may use terminal device 101 to populate a value for an object in the firewall policy table. For example, a user may receive a firewall policy table using terminal device 102 and generate a policy configuration code. For example, the user may receive a policy configuration code or the like using the terminal 103.
The terminal devices 101, 102, 103 include, but are not limited to, smart phones, virtual reality devices, augmented reality devices, tablets, laptop portable computers, desktop computers, etc. that are capable of using office software (e.g., excel, database, etc.).
The servers 105, 106, and 107 may receive the request and process the request, and may specifically be a storage server, a background management server, a server cluster, and the like. For example, server 105 may store the correspondence between applications and ports, server 106 may store firewall policies, policy configuration code, and the like, and server 107 may store object instruction code. Of course, at least one of the firewall policies, policy configuration codes or object instruction codes, etc. may also be stored on the terminal devices 101, 102, 103. The terminal devices 101, 102, and 103 may also transmit information in a manner other than a network, for example, the information may be stored in a computer-readable storage medium (e.g., a hard disk, a usb disk), and the like, which is not limited herein.
It should be noted that the firewall policy configuration method provided by the embodiment of the present disclosure may be generally executed by the terminal devices 101, 102, and 103. Accordingly, the firewall policy configuration apparatus provided by the embodiment of the present disclosure may be generally disposed in the terminal devices 101, 102, and 103. The firewall policy configuration method provided by the embodiment of the present disclosure may also be executed by a server or a server cluster that is different from the terminal devices 101, 102, and 103 and capable of communicating with the terminal devices 101, 102, and 103 and/or the servers 105, 106, and 107.
It should be understood that the number of terminal devices, networks, and servers are merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Fig. 2 schematically shows a flowchart of a firewall policy configuration method according to an embodiment of the present disclosure. The firewall policy configuration method is executed by a server side.
As shown in fig. 2, the firewall policy configuration method may include operations S210 to S220.
In operation S210, values of at least some of the objects in a policy table are obtained, where the policy table includes at least two objects, and each object has an object instruction code corresponding to the object.
Wherein, there is a corresponding relation between each object and at least one entity in the firewall, and the object instruction code accords with the requirement of the firewall for configuring the corresponding entity.
In some embodiments, the firewall policy table may refer to a collection of data having a particular data structure. For example, the firewall policy table may be an Excel table, a database table, a document embedded table, and the like, which is not limited herein.
Each object in the firewall policy table may be determined according to the entities in the firewall that need to be configured. For example, if entities in the firewall such as the source address and the destination address need to be configured when performing firewall policy configuration, the objects in the firewall policy table may include the source address, the destination address, and so on.
In certain embodiments, the at least two objects include: at least one of a source address, a destination address, a service, a translated source address, or a translated destination address.
The object instruction code corresponding to each object may be a preset code template. For example, the value of a variable in the code template may be determined by the value of the object in the firewall policy table.
The value of the object may be manually filled in by the user based on expert experience. For example, a user may manually enter a value into the firewall policy table on a personal terminal device (such as a personal notebook) or an office terminal device.
In addition, the value of the object may be generated based on a preset rule, or looked up in a database based on a preset rule; the disclosure is not limited in this respect.
For example, the user 1 sets each object in the firewall policy table in the terminal apparatus 1, and develops an object instruction code corresponding to the object. When the user 2 needs to perform the firewall policy configuration, the firewall policy table may be obtained from the user 1. The user 2 then performs the filling in of the value of the object. The firewall policy table filled by the user 2 may be audited by the user 1, and after the audit is passed, the user 1 or an auditor automatically generates a policy configuration code for a value of each object in the firewall policy table by running a program or a script, so as to transmit the policy configuration code to the user 2.
It should be noted that, in the technical solution of the present disclosure, the acquisition, storage, and application of the values of the related objects all comply with the relevant laws and regulations, necessary security measures are taken, and public order and good customs are not violated.
In operation S220, for each object in at least some of the objects, a value of the object and an object instruction code corresponding to the object are assembled, and a policy configuration code is generated, so as to perform firewall policy configuration based on the policy configuration code.
For example, the object instruction code has a variable, and the assembling process can be completed by using the value of the object as the value of the variable in the object instruction code.
In some embodiments, assembling the value of the object and an object instruction code corresponding to the object, and generating the policy configuration code includes: firstly, assembling the value of an object and an object instruction code corresponding to the object to generate a command line. Then, add a command line in the policy configuration code.
Compared with configuring firewall policies through a web interface, configuring them automatically with the command lines in the automatically generated policy configuration code effectively avoids the extra workload caused by poorly arranged functions on the web page. It also removes the need to write and check command lines one by one by hand, which is a large workload.
Fig. 3 schematically illustrates a logic diagram of a firewall policy configuration method according to an embodiment of the present disclosure.
As shown in fig. 3, the firewall policy requirements are first filled into the policy table under objects such as the source address, the destination address, the service, the translated source address, and the translated destination address. These objects allow the firewall to filter packets according to the security policy.
The policy configuration process first generates the object instruction codes according to the policy table definition, and finally generates the policy configuration instruction code from the objects.
For example, the program, the firewall configuration (which needs to be renamed to a specified name, such as firewall.conf), and the firewall policy table can be placed in the same directory and the program run there; after the run completes, a code document is generated, for example, the name of the code document is firewall code.
In some embodiments, the policy table includes at least one of a source address translation policy part (source NAT), a destination address translation policy part (destination NAT), a Service (Service), or an interface part.
For example, the policy table may be as shown in table 1.
TABLE 1 Firewall policy table
Source interface | Source NAT | Destination interface | Destination NAT | Service
Wherein, the source address translation policy part may include: a source name, a first source address, a first destination address, and a translated source address.
For example, the source address translation policy part (source NAT) may be as shown in table 2.
TABLE 2 Source address translation policy part
Source name | Source address s | Destination address s | Translated source address
FIG. 4 schematically shows a flow diagram for generating policy configuration code according to an embodiment of the disclosure.
As shown in fig. 4, assembling the value of the object and the object instruction code corresponding to the object, and generating the policy configuration code may include operations S401 to S403.
In operation S401, a value type of an object is determined, where the value type of the object includes a parameter type and a specific value type.
In operation S402, if the type of the value of the object includes a parameter type, a first designated code corresponding to the object is determined based on the first mapping relationship, and the value of the parameter and the first designated code are assembled to generate a policy configuration code.
In operation S403, if the type of the value of the object includes a specific value type, a second designated code corresponding to the object is determined based on the second mapping relationship, and the specific value and the second designated code are assembled to generate a policy configuration code.
Regarding the source address s in Table 2, the supported parameter "-n" sets the address object name.
Supported formats:
    ip address
    ip address [ -n ] [ object name ]
Example 1:
Source address s: 192.168.1.1
Command line:
    address 192.168.1.1|32
    ip address 192.168.1.1
Note: |32 denotes wildcards.
Example 2:
Source address s: 192.168.1.0/24
Command line:
    address 192.168.1.0|24
    ip subnet 192.168.1.0/24
Example 3:
Source address s: 192.168.1.0/24 -n AAA
Command line:
    address AAA
    ip subnet 192.168.1.0/24
Regarding the destination address s in Table 2, the supported parameter "-n" sets the address object name.
Supported formats:
    any
    ip address
    ip address [ -n ] [ object name ]
Example 1:
Destination address s: 172.16.XX.1
Command line:
    address 172.16.XX.1|32
    ip address 172.16.XX.1
Example 2:
Destination address s: 172.16.XX.0/24
Command line:
    address 172.16.XX.0|24
    ip subnet 172.16.XX.0/24
Example 3:
Destination address s: 172.16.XX.0/24 -n CCC
Command line:
    address CCC
    ip subnet 172.16.XX.0/24
Regarding the translated source address in Table 2, the supported parameter "-n" sets the address object name.
Supported formats:
    ip address
    ip address [ -n ] [ object name ]
    no_trans
Example 1:
Translated source address: 172.16.XX.1
Command line:
    ip nat pool 172.16.XX.1|32
    ip address 172.16.XX.1 172.16.XX.1
Example 2:
Translated source address: 172.16.XX.1-172.16.XX.5 -n BBB
Command line:
    ip nat pool BBB
    ip address 172.16.XX.1 172.16.XX.5
Note: if the "translated source address" is filled in as a network segment and has no "-n" parameter, the default address pool name is AutoAddrPollName.
Example 3:
Translated source address: no_trans
In the source NAT, the "source address s" is not translated.
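The "source address s" and "translated source address" formats above, together with the redundancy check described earlier (a generated command line that already exists in the policy configuration code is annotated instead of being added again), as a Python example added here; it is not code from the patent. The `#` annotation prefix, the object-name character rule, treating a redefined object name as a conflict, applying the default pool name to an unnamed address range, and the sample rows are assumptions.

```python
import ipaddress
import re

DEFAULT_POOL = "AutoAddrPollName"              # default pool name from the page's note
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,31}")  # assumed naming rule, not from the page
FIELD_RE = re.compile(r"\s*(\S+?)\s*(?:-n\s+(\S+))?\s*")


def _split(value):
    """Split 'VALUE [-n NAME]' into (value, name or None).

    Anything else in the cell (extra words, embedded newlines) is rejected,
    so a table cell cannot smuggle additional lines into the generated code.
    """
    m = FIELD_RE.fullmatch(value)
    if not m:
        raise ValueError(f"unsupported field format: {value!r}")
    body, name = m.groups()
    if name is not None and not NAME_RE.fullmatch(name):
        raise ValueError(f"illegal object name: {name!r}")
    return body, name


def source_address(value):
    """Command block for a 'source address s' cell (forms of Examples 1 to 3)."""
    body, name = _split(value)
    # strict=True also rejects a subnet written with host bits set.
    net = ipaddress.IPv4Network(body, strict=True)
    label = name or f"{net.network_address}|{net.prefixlen}"
    if net.prefixlen == 32:
        return (f"address {label}", f"ip address {net.network_address}")
    return (f"address {label}", f"ip subnet {net.with_prefixlen}")


def translated_source(value):
    """Command block for a 'translated source address' cell; () for no_trans."""
    if value.strip() == "no_trans":
        return ()
    body, name = _split(value)
    first, sep, last = body.partition("-")
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last) if sep else lo
    if hi < lo:
        raise ValueError(f"descending address range: {body!r}")
    if name is None:
        # Single address: 'ADDR|32' as in Example 1. Unnamed range: default
        # pool name (assumed reading of the page's note).
        name = f"{lo}|32" if hi == lo else DEFAULT_POOL
    return (f"ip nat pool {name}", f"ip address {lo} {hi}")


def assemble(blocks):
    """Add each block once; annotate repeats and redefinitions instead of adding."""
    config, seen = [], {}
    for block in blocks:
        if not block:
            continue
        header, body = block[0], block[1:]
        if header not in seen:            # matching result is null: add
            seen[header] = body
            config.extend(block)
        elif seen[header] == body:        # identical block already generated
            config.append(f"# redundant, skipped: {header}")
        else:                             # same object, different content
            config.append(f"# CONFLICT, skipped: {header} is already defined differently")
    return config


# Constructed policy-table cells: (source address s, translated source address).
ROWS = [
    ("192.168.1.1", "172.16.0.1"),
    ("192.168.1.0/24 -n AAA", "172.16.0.1-172.16.0.5 -n BBB"),
    ("192.168.1.0/24 -n AAA", "no_trans"),            # AAA repeated unchanged
    ("10.0.0.0/8 -n AAA", "172.16.0.9-172.16.0.12"),  # AAA redefined; unnamed range
]


def build(rows):
    """Generate the policy configuration code for all rows."""
    blocks = []
    for src, trans in rows:
        blocks.append(source_address(src))
        blocks.append(translated_source(trans))
    return assemble(blocks)


if __name__ == "__main__":
    print("\n".join(build(ROWS)))
```

Validating every cell before it is substituted into a command template matters because the generated code is later applied to the firewall as-is; an unchecked cell would let whoever fills in the table write arbitrary configuration lines.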
In some embodiments, the destination address translation policy part may include: a destination name, a second source address, a second destination address, a destination service port, a translated destination address, and a translated port.
For example, the destination address translation policy part (destination NAT) may be as shown in table 3.
TABLE 3 Destination address translation policy part
[Table 3 is reproduced as an image in the original publication: Figure BDA0003143034450000121.]
Regarding the source address d, the supported format is detailed in "destination address s".
Regarding the destination address d, the supported parameter is -n, which sets the address object name.
Supported formats:
ip address
ip address [ -n ] [ object name ]
Example 1:
Destination address d: 192.168.XX.1.
Command line:
ip nat pool 192.168.XX.1|32
ip address 192.168.XX.1 192.168.34.1
Example 2:
Destination address d: 192.168.XX.1-192.168.XX.5 -n DDD.
Command line:
ip nat pool DDD
ip address 192.168.XX.1 192.168.XX.5
Note: if the "translated source address" is filled in with a network segment and has no "-n" parameter, the default address pool name is AutoAddrPollName.
Regarding the destination service port: if the destination service port is any, the "destination NAT" is destination address translation; if the destination service port is a "service name", the "destination NAT" is port mapping.
Supported formats:
any
TCP port number
[ -n ] [ service name ] [ -t ] TCP port number (undefined port)
[ -p ] [ service name ] (defined port)
Note: if the destination service port is any, the destination NAT is destination address translation; if the destination service port is a service name, the destination NAT is port mapping.
Example 1:
Destination service port: -n TestSrv1 -t 500XX.
Command line:
service TestSrv1
tcp dst-port 500XX 500XX src-port 1024 655XX
Example 2:
Destination service port: 500XX.
Command line:
service TCP_500XX
tcp dst-port 500XX 500XX src-port 10XX 655XX
Example 3:
Destination service port: -p tcp_500XX.
The service is assumed by default to be already opened, and no additional command line is generated.
Regarding the translated destination address, the supported parameter is -n, which sets the address object name.
Supported formats:
ip address
ip address [ -n ] [ object name ]
no_trans
Example 1:
Translated destination address: 172.16.XX.1.
Command line:
address 172.16.XX.1|32
ip address 172.16.XX.1
Example 2:
Translated destination address: 172.16.XX.1 -n CCC.
Command line:
address CCC
ip address 172.16.XX.1
Example 3:
Translated destination address: no_trans.
In the "destination NAT", the "destination address d" does not perform address translation.
Regarding the translated port: if the destination service port is any, the translated port is left empty; if the destination service port is a service name, the TCP port number is filled in.
In some embodiments, the object comprises a service. A first corresponding relation exists between the value of the service and a port associated entity of the firewall, and a second corresponding relation exists between the port associated entity and a port range.
Accordingly, assembling the values of the parameters and the first designated code, and generating the policy configuration code may include the following operations.
First, a port range corresponding to a value of a parameter is determined based on the first corresponding relationship and the second corresponding relationship.
Fig. 5 schematically shows a schematic diagram of a correspondence between a value of a service and a port range according to an embodiment of the present disclosure.
As shown in Fig. 5, there is a first correspondence between -t 50001 and the TCP port number 50001. There is a second correspondence between the TCP port number 500XX and tcp dst-port 500XX src-port 1024 655XX, so that tcp dst-port 500XX src-port 1024 655XX can be determined based on -t 500XX.
The port scope and the first specified code are then assembled to generate policy configuration code.
For port service names, the supported parameters are: -n service name, -t TCP port number, -u UDP port number.
Supported formats:
TCP port number
preset service (services preset in the firewall, such as FTP and TFTP)
[ -t ] TCP port number (undefined TCP port; the name defaults to TCP_ + port number)
[ -u ] UDP port number (undefined UDP port; the name defaults to UDP_ + port number)
[ -n ] [ service name ] [ -t ] TCP port number (undefined TCP port)
[ -u ] UDP port number (undefined UDP port)
[ -p ] [ service name ] (preset service or defined port)
Example 1:
Port service name: 500XX.
Command line:
service TCP_500XX
tcp dst-port 500XX 500XX src-port 1024 655XX
Example 2:
Port service name: -n testport1 -t 500XX-500XX 500XX -u 500XX.
Command line:
service testport1
tcp dst-port 500XX 500XX src-port 10XX 655XX
tcp dst-port 500XX 500XX src-port 10XX 655XX
udp dst-port 500XX 500XX src-port 10XX 655XX
Note: consecutive ports may be joined with a "-".
Example 3:
Port service name: -p TCP_500XX.
When the -p parameter is given, the port is treated by default as a preset or already defined port, and no additional command line is generated.
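The port service name formats above, as an added example (not the patent's code): a parser for one service cell that resolves -n, -t, -u and -p into the `service` object and its `dst-port` lines. The source-port range 1024 to 65535, the name character set and the rule that an unnamed cell defines exactly one port are assumptions of this example; port 50001 is the value from Fig. 5 and the other ports are constructed.

```python
import re

# Assumed legal characters for a service name; it must not start with "-".
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,30}")
# Assumed source-port range: the page's value is partly redacted ("1024 655XX").
SRC_LOW, SRC_HIGH = 1024, 65535


def _port_range(text):
    """Parse "8086" or "8086-8089" into an inclusive (low, high) pair."""
    match = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", text)
    if not match:
        raise ValueError(f"bad port entry: {text!r}")
    low = int(match.group(1))
    high = int(match.group(2) or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port out of range: {text!r}")
    return low, high


def service_commands(cell):
    """Return (service name, command lines) for one service cell."""
    tokens = cell.split()
    if tokens[:1] == ["-p"]:
        # -p: preset or already defined service, so nothing is generated.
        if len(tokens) != 2 or not NAME_RE.fullmatch(tokens[1]):
            raise ValueError(f"bad -p cell: {cell!r}")
        return tokens[1], []

    name, proto, entries = None, "tcp", []  # a bare port number means TCP
    stream = iter(tokens)
    for token in stream:
        if token == "-n":
            name = next(stream, "")
            if not NAME_RE.fullmatch(name):
                raise ValueError(f"bad service name: {name!r}")
        elif token == "-t":
            proto = "tcp"
        elif token == "-u":
            proto = "udp"
        else:
            entries.append((proto, *_port_range(token)))

    if not entries:
        raise ValueError(f"no ports in cell: {cell!r}")
    if name is None:
        # Restriction of this example: an unnamed cell defines one single port,
        # named TCP_<port> or UDP_<port> as the format list describes.
        if len(entries) != 1 or entries[0][1] != entries[0][2]:
            raise ValueError(f"several ports need -n <name>: {cell!r}")
        name = f"{entries[0][0].upper()}_{entries[0][1]}"
    lines = [f"service {name}"]
    lines += [f"{p} dst-port {lo} {hi} src-port {SRC_LOW} {SRC_HIGH}"
              for p, lo, hi in entries]
    return name, lines


if __name__ == "__main__":
    for sample in ("50001", "-n testport1 -t 8086-8089 9000 -u 5000", "-p TCP_50001"):
        print(sample, "->", service_commands(sample))
```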
In some embodiments, assembling the port range and the first specified code, generating the policy configuration code comprises: assembling a port range and a first designated code, and generating a command line; and adding a command line in the policy configuration code.
The following is an exemplary description of policy configuration.
Each object in the policy table generates a command line according to the following template:
the converted source address s of the policy 'source interface' destination interface 'source address s' is the destination address 'port service name' any and always permit 'policy number'.
description 'policy name'
log enable
ips-profile event-set IXXC-IPS log on
If a security policy has multiple source addresses, destination addresses or ports, the corresponding elements can be filled in on the next row with the "policy number" left blank, as in the examples shown in Tables 4 to 6:
TABLE 4
| Source interface | Source name | Source address s | Destination address s | Translated source address |
| --- | --- | --- | --- | --- |
| bond1 | Aggregated payments | 84.36.XX.140 | any | 16.65.XX.140 |
| bond1 | Aggregated payments | 84.36.XX.141 | any | 16.65.XX.141 |
| bond1 | Aggregated payments | 76.36.XX.40 | any | 16.65.XX.40 |
| bond1 | Aggregated payments | 76.36.XX.41 | any | 16.65.XX.41 |
TABLE 5
[Table 5 is reproduced as an image in the original publication: Figure BDA0003143034450000171.]
TABLE 6
| Service | Policy name |
| --- | --- |
| -t XX84 | test-1 |
| -n testport1 -t XX86-XX89 | |
As shown in Tables 4 to 6, in addition to 84.36.XX.140, the source addresses 84.36.XX.141, 76.36.XX.40 and 76.36.XX.41 also need to access ports XX84, XX86 and XX89 of the destination address 192.168.XX.1. The generated security policy command lines are as follows:
[Command lines reproduced as an image in the original publication: Figure BDA0003143034450000181.]
If multiple ports do not need to be merged into a single "service", the port information can be filled in separately in the corresponding cell of each row. If the above example requires access to ports XX84 and XX86-XX89, ports XX86-XX89 can be merged into a single "service" while port XX84 is defined separately, and the associated command lines are as follows:
[Command lines reproduced as an image in the original publication: Figure BDA0003143034450000182.]
The program automatically detects an available "policy number" and uses it.
Regarding source address translation:
Each object in the policy table generates a command line according to the following template:
the source address ' source NAT serial number ' description ' source name ' of the ip NAT source ' destination interface ' source address s ' destination address s ' any ' after conversion.
The program automatically detects an available "source NAT number" and uses it.
Regarding destination address translation:
Destination address translation is divided into "address translation" and "port mapping" according to actual requirements, where "address translation" generates a command line according to the following template:
the destination address ' destination NAT number ' description ' destination name ' after the ' source address d ' destination address d ' any ' translation of the ' source interface ' source address d ' destination address ' source address ' is ip NAT destination.
The "port mapping" generates a command line according to the following template:
the destination address ' service ' converted port ' destination NAT number ' destination name ' after the ip NAT destination ' source interface ' source address d ' destination service port ' is converted.
In some embodiments, redundancy detection may also be performed on the command line to be added.
Specifically, during generation of the policy instruction code, the code is compared with the policy table of the firewall to perform conflict and redundancy detection: conflicts are avoided, redundant code is ignored (a prompt is given in the code), and the required code is retained.
FIG. 6 schematically shows a flow diagram of redundant code detection according to an embodiment of the present disclosure.
As shown in fig. 6, the method may further include operations S601 to S603 after generating the command line.
In operation S601, the command line is matched against the generated policy configuration code to obtain a matching result.
In operation S602, if the matching result is null, the command line is added to the generated policy configuration code.
In operation S603, if the matching result is non-null, adding the command line to the generated policy configuration code is prohibited, and annotation information is added to the generated policy configuration code.
FIG. 7 schematically illustrates a schematic diagram of redundancy labeling according to an embodiment of the present disclosure.
As shown in fig. 7, the generated policy configuration code includes:
[Generated policy configuration code reproduced as an image in the original publication: Figure BDA0003143034450000191.]
The following code is generated for the value of a new object:
service TCP_500XX
tcp dst-port 500XX 500XX src-port 10XX 655XX
Since the command line is already present in the generated policy configuration code, it is a redundant command line and does not need to be added to the generated policy configuration code. In addition, to make it easier to search for redundant command lines later, hint information such as the following may be set in the policy configuration code.
Redundant deletion of # # # ## - #: service TCP_500XX
Redundant deletion of # # # # # -: tcp dst-port 500XX 500XX src-port 10XX 655XX
It should be noted that the above-mentioned indications are merely exemplary and should not be construed as limiting the present disclosure.
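Operations S601 to S603 as an added example (not the patent's code). It matches a whole object (header line plus body) rather than single lines, an assumption of this example, so that an identical `tcp dst-port` line under a different service name is not taken for a duplicate. The annotation strings, the header and body prefixes, and the separate "conflict" outcome are also this example's own choices.

```python
# Annotation prefixes are this example's own; the page's hints are exemplary.
REDUNDANT = "# redundant, not added: "
CONFLICT = "# conflict, not added: "

# Line prefixes that open an object and that belong to an object's body,
# taken from the command lines shown on the page.
HEADERS = ("service ", "address ", "ip nat pool ")
BODIES = ("tcp ", "udp ", "ip address ", "ip subnet ")


def parse_objects(lines):
    """Group configuration lines into {header line: [body lines]}."""
    objects, current = {}, None
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and earlier annotations never match
        if line.startswith(HEADERS):
            current = objects.setdefault(line, [])
        elif line.startswith(BODIES) and current is not None:
            current.append(line)
        else:
            current = None  # policy lines and the like end the object
    return objects


def add_object(config, block):
    """Add block = [header, *body] to config (a list of lines, modified in place).

    Returns "added", "redundant" or "conflict".
    """
    header, body = block[0], block[1:]
    existing = parse_objects(config).get(header)  # S601: match
    if existing is None:
        config.extend(block)  # S602: no match, so add
        return "added"
    if sorted(existing) == sorted(body):
        # S603: already present, so annotate instead of adding
        config.extend(REDUNDANT + line for line in block)
        return "redundant"
    # Same object name with a different definition: adding it would change
    # what existing policies refer to, so it is flagged rather than merged.
    config.extend(CONFLICT + line for line in block)
    return "conflict"


if __name__ == "__main__":
    tcp = "tcp dst-port 50001 50001 src-port 1024 65535"  # constructed sample
    cfg = ["service TCP_50001", tcp]
    print(add_object(cfg, ["service TCP_50001", tcp]))
    print(add_object(cfg, ["service testport1", tcp]))
    print("\n".join(cfg))
```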
In some embodiments, since different users may use firewalls from different vendors or firewalls of different versions, a corresponding policy table may be set for each type of firewall to help users determine the policy table for their type of firewall. Each policy table has a policy identification to facilitate finding the desired policy table.
In particular, the policy table further includes a policy identification.
Correspondingly, the method further comprises the following steps: receiving a policy identification; and determining a target policy table from a plurality of policy tables in response to the policy identification, wherein the plurality of policy tables each correspond to a type of firewall.
Fig. 8 schematically shows a flowchart of a firewall policy configuration method according to another embodiment of the present disclosure.
As shown in fig. 8, the method may further include an operation S830 after performing the operation S220 to generate the policy configuration code.
In operation S830, the policy configuration code is transmitted to the second electronic device, so that the second electronic device performs firewall policy configuration based on the policy configuration code.
In the embodiments of the present disclosure, a user can use this method to generate the policy configuration code for the firewall that the user operates. The user can also generate firewall policy configuration code for other users, so that the other users can conveniently perform firewall policy configuration based on that code. On the one hand, this addresses the problems that opening firewall policies through the Web interface is time-consuming and that some functions on the Web page are unreasonably set. On the other hand, the user does not need to write and check command lines one by one, which effectively reduces the writing workload and the risk of overwriting the original configuration.
The following description takes a dragon-horse guard firewall as an example.
For example, for a dragon-horse guard firewall of model WLM9000B-3100S, the correspondence between the objects in the policy table and the entities in the firewall is shown in Table 7.
TABLE 7
[Table 7 is reproduced as an image in the original publication: Figure BDA0003143034450000211.]
It should be noted that in table cells in the WPS Office software, an entry whose first character is "-" may be mistaken for a formula; this can be resolved by adding a space before the "-" or by setting the cell type to text.
In the embodiments of the present disclosure, the policy table is sent to the user who is to perform the firewall configuration, that user edits the values of the objects in the policy table, and the policy configuration code is then generated based on the values of the objects and the object instruction codes for the objects. The user can thus perform firewall policy configuration locally based on the policy configuration code, which effectively reduces the difficulty of firewall policy configuration for the user and alleviates the inconvenience of remote configuration over the Web.
Another aspect of the present disclosure provides a firewall policy configuration apparatus.
Fig. 9 schematically shows a block diagram of a firewall policy configuration apparatus according to an embodiment of the present disclosure. The firewall policy configuration means may be provided in the first electronic device.
As shown in fig. 9, the firewall policy configuring apparatus 900 may include: an object value obtaining module 910 and a code generating module 920.
The object value obtaining module 910 is configured to obtain values of at least some objects in a policy table, where the policy table includes at least two objects, and each object has an object instruction code corresponding to the object, where a corresponding relationship exists between each object and at least one entity in a firewall, and the object instruction code meets a requirement of the firewall for configuring the corresponding entity.
The code generating module 920 is configured to, for each object in at least some of the objects, assemble a value of the object and an object instruction code corresponding to the object, and generate a policy configuration code, so as to perform firewall policy configuration based on the policy configuration code.
It should be noted that the implementation, solved technical problems, implemented functions, and achieved technical effects of each module/unit and the like in the apparatus part embodiment are respectively the same as or similar to the implementation, solved technical problems, implemented functions, and achieved technical effects of each corresponding step in the method part embodiment, and are not described in detail herein.
Any of the modules and units according to embodiments of the present disclosure, or at least part of the functionality of any of them, may be implemented in one module. Any one or more of the modules and units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules and units according to the embodiments of the present disclosure may be implemented at least partly as a hardware circuit, e.g. a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or by any other reasonable way of integrating or packaging a circuit in hardware or firmware, or in any one of the three implementation manners of software, hardware and firmware, or in a suitable combination of any of them. Alternatively, one or more of the modules and units according to embodiments of the present disclosure may be implemented at least partly as computer program modules, which, when executed, may perform the respective functions.
For example, any multiple of the object value obtaining module 910 and the code generating module 920 may be combined and implemented in one module, or any one of the modules may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the object value obtaining module 910 and the code generating module 920 may be implemented at least partially as a hardware circuit, for example, a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementation manners of software, hardware, and firmware, or an appropriate combination of any several of them. Alternatively, at least one of the object value obtaining module 910 and the code generating module 920 may be at least partially implemented as a computer program module, and when the computer program module is executed, the corresponding functions may be executed.
FIG. 10 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure. The electronic device shown in fig. 10 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 10, an electronic device 1000 according to an embodiment of the present disclosure includes a processor 1001 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1002 or a program loaded from a storage section 1008 into a Random Access Memory (RAM) 1003. Processor 1001 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 1001 may also include onboard memory for caching purposes. The processor 1001 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the present disclosure.
In the RAM 1003, various programs and data necessary for the operation of the electronic apparatus 1000 are stored. The processor 1001, the ROM 1002, and the RAM 1003 are communicatively connected to each other by a bus 1004. The processor 1001 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1002 and/or the RAM 1003. Note that the program may also be stored in one or more memories other than the ROM 1002 and the RAM 1003. The processor 1001 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in one or more memories.
Electronic device 1000 may also include an input/output (I/O) interface 1005, the input/output (I/O) interface 1005 also being connected to bus 1004, according to an embodiment of the present disclosure. Electronic device 1000 may also include one or more of the following components connected to I/O interface 1005: an input section 1006 including a keyboard, a mouse, and the like; an output section 1007 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 1008 including a hard disk and the like; and a communication section 1009 including a network interface card such as a LAN card, a modem, or the like. The communication section 1009 performs communication processing via a network such as the internet. The driver 1010 is also connected to the I/O interface 1005 as necessary. A removable medium 1011 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1010 as necessary, so that a computer program read out therefrom is mounted into the storage section 1008 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer-readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication part 1009 and/or installed from the removable medium 1011. The computer program performs the above-described functions defined in the system of the embodiment of the present disclosure when executed by the processor 1001. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 1002 and/or the RAM 1003 described above and/or one or more memories other than the ROM 1002 and the RAM 1003.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method provided by the embodiments of the present disclosure, when the computer program product is run on an electronic device, the program code being configured to cause the electronic device to implement the image model training method or the image processing method provided by the embodiments of the present disclosure.
The computer program, when executed by the processor 1001, performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted in the form of a signal on a network medium, distributed, downloaded and installed via the communication part 1009, and/or installed from the removable medium 1011. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, programming languages such as Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. These examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (11)

1. A firewall policy configuration method performed by a first electronic device, comprising:
obtaining values of at least part of objects in a policy table, wherein the policy table comprises at least two objects, each object has an object instruction code corresponding to the object, the object instruction code corresponding to each object is a preset code template, and the values of variables in the code template are determined by the obtained values of the objects in the policy table; and
for each object in at least part of the objects, assembling the value of the object and an object instruction code corresponding to the object, and generating a policy configuration code so as to perform firewall policy configuration based on the policy configuration code;
wherein, there is a corresponding relation between each object and at least one entity in the firewall, the object instruction code accords with the requirement of the firewall to configure the corresponding entity,
wherein the assembling the value of the object and the object instruction code corresponding to the object, and the generating the policy configuration code includes:
assembling the value of the object and an object instruction code corresponding to the object to generate a command line; and
adding the command line in policy configuration code;
after the generating of the command line,
matching the command line in the generated policy configuration code to obtain a matching result;
if the matching result is null, adding the command line in the generated policy configuration code; and
if the matching result is not null, prohibiting adding the command line in the generated policy configuration code, and adding marking information in the generated policy configuration code.
2. The method of claim 1, wherein the assembling the value of the object and an object instruction code corresponding to the object, and generating a policy configuration code comprises:
determining the value type of the object, wherein the value type of the object comprises a parameter type and a specific value type;
if the type of the value of the object comprises a parameter type, determining a first designated code corresponding to the object based on a first mapping relation, assembling the value of the parameter and the first designated code, and generating a policy configuration code; and
if the type of the value of the object comprises a specific value type, determining a second specified code corresponding to the object based on a second mapping relation, assembling the specific value and the second specified code, and generating a policy configuration code.
3. The method of claim 2, wherein the object comprises a service;
a first corresponding relation exists between the value of the service and a port associated entity of the firewall, and a second corresponding relation exists between the port associated entity and a port range;
the assembling the value of the parameter and the first designated code, and the generating a policy configuration code includes:
determining a port range corresponding to the value of the parameter based on the first corresponding relation and the second corresponding relation; and
assembling the port range and the first specified code to generate the policy configuration code.
4. The method of claim 3, wherein the assembling the port range and the first specified code, generating the policy configuration code comprises:
assembling the port range and the first designated code to generate a command line; and
adding the command line in policy configuration code.
5. The method of claim 1, wherein the at least two objects comprise: at least one of a source address, a destination address, a service, a translated source address, or a translated destination address.
6. The method of claim 5, wherein the policy table includes at least one of a source address translation policy portion, a destination address translation policy portion, a service or an interface portion;
the source address translation policy part comprises: a source name, a first source address, a first destination address and a translated source address;
the target address translation policy section includes: a destination name, a second source address, a second destination address, a destination service port, a translated destination address, and a translated port.
7. The method of any of claims 1 to 6, wherein said policy table further comprises a policy identification;
the method further comprises the following steps:
receiving a policy identification; and
determining a target policy table from a plurality of policy tables in response to the policy identification, wherein the plurality of policy tables each correspond to a type of firewall.
8. The method of any of claims 1 to 6, further comprising: after the generating of the policy configuration code,
transmitting the policy configuration code to a second electronic device so that the second electronic device performs firewall policy configuration based on the policy configuration code.
9. A firewall policy configuration apparatus, provided in a first electronic device, the apparatus comprising:
an object value obtaining module, configured to obtain values of at least some objects in a policy table, where the policy table includes at least two objects, and each object has an object instruction code corresponding to the object, where the object instruction code corresponding to each object is a preset code template, and a value of a variable in the code template is determined by the obtained value of the object in the policy table, where a corresponding relationship exists between each object and at least one entity in a firewall, and the object instruction code meets a requirement of the firewall for configuring the corresponding entity; and
a code generating module, configured to assemble, for each object in the at least part of objects, a value of the object and an object instruction code corresponding to the object, and generate a policy configuration code, so as to perform firewall policy configuration based on the policy configuration code,
wherein the assembling the value of the object and the object instruction code corresponding to the object, and the generating the policy configuration code includes:
assembling the value of the object and an object instruction code corresponding to the object to generate a command line; and
adding the command line to the policy configuration code; and
after generating the command line,
matching the command line against the generated policy configuration code to obtain a matching result;
if the matching result is null, adding the command line to the generated policy configuration code; and
if the matching result is not null, prohibiting the addition of the command line to the generated policy configuration code, and adding marking information to the generated policy configuration code.
10. An electronic device, comprising:
one or more processors;
storage means for storing executable instructions which, when executed by the processor, implement the method of any one of claims 1 to 8.
11. A computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the method of any one of claims 1 to 8.
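The assembly and duplicate check recited in claim 9, sketched as an added example that is not code from the patent. The template syntax, the object names, the sample rows and the value validation step are assumptions made for illustration; the patent does not specify any of them.

```python
import ipaddress

# Hypothetical object instruction codes (code templates), one per policy-table
# object. The CLI syntax is invented for illustration, not any vendor's.
TEMPLATES = {
    "source_address": "set address src {value}",
    "destination_address": "set address dst {value}",
    "service_port": "set service tcp {value}",
}

# Constructed policy table: two rows that share a destination and a port.
SAMPLE_ROWS = [
    {"name": "web1", "source_address": "192.0.2.0/24",
     "destination_address": "10.0.0.5", "service_port": "443"},
    {"name": "web2", "source_address": "198.51.100.7",
     "destination_address": "10.0.0.5", "service_port": "443"},
]


def validated(obj, value):
    """Normalise a table value; raise ValueError if it is not a plain
    address or port (assumed check, so a cell cannot carry extra commands)."""
    if obj == "service_port":
        port = int(value)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {value!r}")
        return str(port)
    return str(ipaddress.ip_network(value, strict=False))


def generate(rows):
    """Assemble one command line per filled-in object, adding each only once."""
    code = []  # the policy configuration code being generated
    for row in rows:
        if not row["name"].isidentifier():   # name is echoed into markers
            raise ValueError(f"bad policy name: {row['name']!r}")
        for obj, template in TEMPLATES.items():
            if obj not in row:               # only some objects may be set
                continue
            line = template.format(value=validated(obj, row[obj]))
            if line in code:                 # matching result is not null
                code.append(f"# DUPLICATE ({row['name']}): {line}")
            else:                            # matching result is null
                code.append(line)
    return code
```

The marking line keeps a record of which policy row produced the suppressed command, so a reviewer can see that two rows rely on the same firewall entity before the code is sent to the device.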
CN202110746396.4A 2021-07-01 2021-07-01 Firewall policy configuration method and device and electronic equipment Active CN113422778B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110746396.4A CN113422778B (en) 2021-07-01 2021-07-01 Firewall policy configuration method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110746396.4A CN113422778B (en) 2021-07-01 2021-07-01 Firewall policy configuration method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN113422778A CN113422778A (en) 2021-09-21
CN113422778B CN113422778B (en) 2022-11-11

Family

ID=77719986

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110746396.4A Active CN113422778B (en) 2021-07-01 2021-07-01 Firewall policy configuration method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN113422778B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771669A (en) * 2008-12-30 2010-07-07 北京天融信网络安全技术有限公司 Method for setting firewall policy and device therefor
CN110348201A (en) * 2019-05-22 2019-10-18 中国科学院信息工程研究所 A kind of configuration method and device of device security policy
CN110430206A (en) * 2019-08-13 2019-11-08 上海新炬网络技术有限公司 Based on script template metaplasia at the method for configuration firewall security policy
CN110650037A (en) * 2019-09-06 2020-01-03 中盈优创资讯科技有限公司 Heterogeneous network device configuration method and device
CN112015429A (en) * 2020-08-21 2020-12-01 杭州指令集智能科技有限公司 Code generation method, device and equipment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9391955B2 (en) * 2014-06-04 2016-07-12 Bank Of America Corporation Firewall policy converter
CN112367211B (en) * 2021-01-13 2021-04-13 武汉思普崚技术有限公司 Method, device and storage medium for generating configuration template by device command line

Also Published As

Publication number Publication date
CN113422778A (en) 2021-09-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant