A quick note; if anything is wrong, corrections in the comments are welcome.
eNSP version: 1.3.00.100
5500
Commands
- [1/0/0] service-manage service permit: in interface view, enable the corresponding service on the interface
- [SRG] firewall zone (name) trust / dmz / untrust / xxxx: in system view, enter the corresponding security zone view; firewall zone name xxxx: define a zone with a custom name
- [trust / dmz / untrust / xxxx] add int g1/0/0: in zone view, add the interface to the corresponding security zone
- [SRG] **policy interzone trust untrust outbound**: in system view, select the source zone, destination zone and direction to configure
- [SRG-policy-interzone-trust-untrust-outbound] policy 1: custom rule number (the firewall matches rules from top to bottom, in ascending order of rule number)
- [SRG-policy-interzone-trust-untrust-outbound-1] **policy source 192.168.1.0 0.0.0.255** (wildcard mask): add the source address
- [SRG-policy-interzone-trust-untrust-outbound-1] **policy destination 192.168.2.0 0.0.0.255** (wildcard mask): add the destination address
- [SRG-policy-interzone-trust-untrust-outbound-1] action permit / deny: set the action to permit / deny
- [SRG] **dis firewall session table (verbose)**: show the session table five-tuple (protocol, source address, source port, destination address, destination port); add "verbose" to see the details
Worked example
Requirements:
- trust (PC1) ——> untrust (Server1) √
- trust (PC1) ——> untrust (PC2) ×
<SRG>sy
[SRG] undo info-center enable #disable the information center
Info: Information center is disabled
#configure the interface IP addresses and add the interfaces to the corresponding security zones
[SRG] int g0/0/1
[SRG-GigabitEthernet0/0/1] ip add 192.168.1.254 24
[SRG-GigabitEthernet0/0/1] service-manage ping permit #enable the ping service
[SRG-GigabitEthernet0/0/1] interface GigabitEthernet0/0/2
[SRG-GigabitEthernet0/0/2] ip address 192.168.2.254 24
[SRG-GigabitEthernet0/0/2] service-manage ping permit
[SRG-GigabitEthernet0/0/2] interface GigabitEthernet0/0/3
[SRG-GigabitEthernet0/0/3] ip add 192.168.3.254 24
[SRG-GigabitEthernet0/0/3] service-manage ping permit
[SRG-GigabitEthernet0/0/3] q
[SRG] firewall zone trust #enter the trust security zone
[SRG-zone-trust] add int g0/0/1 #add the interface to the security zone
[SRG-zone-trust] q
[SRG] firewall zone untrust
[SRG-zone-untrust] add int g0/0/2
[SRG-zone-untrust] q
[SRG] firewall zone untrust
[SRG-zone-untrust] add int g0/0/3
[SRG-zone-untrust] q
#configure the security policy: permit packets whose source address is in the 192.168.1.0 network, deny packets whose destination address is in the 192.168.3.0 network
[SRG] policy interzone trust untrust outbound #add rules for the outbound direction from trust to untrust
[SRG-policy-interzone-trust-untrust-outbound] policy 1 #add rule 1 (rules are evaluated in ascending order of rule number)
[SRG-policy-interzone-trust-untrust-outbound-1] policy destination 192.168.3.0 0.0.0.255 #add the destination address
[SRG-policy-interzone-trust-untrust-outbound-1] action deny #set the action to deny
[SRG-policy-interzone-trust-untrust-outbound] policy 2 #add rule 2 (rules are evaluated in ascending order of rule number)
[SRG-policy-interzone-trust-untrust-outbound-2] policy source 192.168.1.0 0.0.0.255 #add the source address
[SRG-policy-interzone-trust-untrust-outbound-2] policy destination 192.168.2.0 0.0.0.255 #add the destination address
[SRG-policy-interzone-trust-untrust-outbound-2] action permit #set the action to permit
[SRG-policy-interzone-trust-untrust-outbound-2] q
#check the configuration
[SRG-policy-interzone-trust-untrust-outbound] dis this
#
policy interzone trust untrust outbound
policy 1
action deny
policy destination 192.168.3.0 0.0.0.255
policy 2
action permit
policy source 192.168.1.0 0.0.0.255
policy destination 192.168.2.0 0.0.0.255
#
return
#verify with ping
<PC1>ping 192.168.2.1
Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
From 192.168.2.1: bytes=32 seq=1 ttl=254 time=62 ms
From 192.168.2.1: bytes=32 seq=2 ttl=254 time=32 ms
From 192.168.2.1: bytes=32 seq=3 ttl=254 time=32 ms
From 192.168.2.1: bytes=32 seq=4 ttl=254 time=31 ms
From 192.168.2.1: bytes=32 seq=5 ttl=254 time=15 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/34/62 ms
<PC1>ping 192.168.3.1
Ping 192.168.3.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.3.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Note: on the Huawei 5500 firewall, security policy matching is ordered. The firewall searches the interzone security policies one by one from top to bottom; if a packet hits a policy, the firewall executes that policy's action and does not keep searching the overlapping policies below it, otherwise it continues searching. So when configuring policies, follow the principle of "specific first, general later": configure the policies with a narrower match range and more precise conditions first, and the policies with a wide match range and loose conditions after them (the same as the ACL matching mechanism).
6000V
Commands
- [1/0/0] service-manage service permit: in interface view, enable the corresponding service on the interface
- [USG6000V] firewall zone (name) trust / dmz / untrust / xxxx: in system view, enter the corresponding security zone view; firewall zone name xxxx: define a zone with a custom name
- [trust / dmz / untrust / xxxx] add int g1/0/0: in zone view, add the interface to the corresponding security zone
- [USG6000V] security-policy: enter the security policy view
- [USG6000V-policy-security] rule name xxxx: create and name a rule
- [USG6000V-policy-security-rule-xxxx] source-zone trust / dmz / untrust / xxxx: set the source zone
- [USG6000V-policy-security-rule-xxxx] destination-zone trust / dmz / untrust / xxxx: set the destination zone
- [USG6000V-policy-security-rule-xxxx] **source-address 192.168.1.0 0.0.0.255** (wildcard mask): set the source address
- [USG6000V-policy-security-rule-xxxx] **destination-address 192.168.2.0 0.0.0.255** (wildcard mask): set the destination address
- [USG6000V-policy-security-rule-xxxx] action permit / deny: set the action to permit / deny
- [USG6000V-policy-security] **dis firewall session table (verbose)**: show the session table five-tuple (protocol, source address, source port, destination address, destination port); add "verbose" to see the details
Worked example
Requirements:
- trust (PC1) ——> dmz √
- trust (PC1) ——> untrust √
- trust (PC2) ——> dmz ×
- trust (PC2) ——> untrust ×
- dmz ——> untrust ×
<USG6000V1> sy
Enter system view,return user view with Ctrl+Z.
[USG6000V1] sy FW #rename the firewall
[FW] undo info-center enable #disable the information center
Info: Saving log files...
Info: Information center is disabled.
#configure the gateway address on each interface and enable the ping service on it
[FW] int g1/0/1
[FW-GigabitEthernet1/0/1] ip add 192.168.1.254 24
[FW-GigabitEthernet1/0/1] service-manage ping permit #enable the ping service
[FW-GigabitEthernet1/0/1] int g1/0/2
[FW-GigabitEthernet1/0/2] ip add 192.168.2.254 24
[FW-GigabitEthernet1/0/2] service-manage p p
[FW-GigabitEthernet1/0/2] int g1/0/3
[FW-GigabitEthernet1/0/3] ip add 192.168.3.254 24
[FW-GigabitEthernet1/0/3] service-manage p p
[FW-GigabitEthernet1/0/3] int g1/0/4
[FW-GigabitEthernet1/0/4] ip add 192.168.4.254 24
[FW-GigabitEthernet1/0/4] service-manage p p
[FW-GigabitEthernet1/0/4] q
#add the interfaces to their zones
[FW] firewall zone trust #enter the trust zone to add interfaces
[FW-zone-trust] add int g1/0/1 #add the interface to the zone
[FW-zone-trust] add int g1/0/2
[FW-zone-trust] q
[FW] firewall zone dmz
[FW-zone-dmz] add int g1/0/3
[FW] firewall zone untrust
[FW-zone-untrust] add int g1/0/4
[FW-zone-untrust] q
#configure the security policy
[FW] security-policy #enter the security policy view
[FW-policy-security] rule name T-U #create a rule with a custom name: Trust_to_Untrust
[FW-policy-security-rule-T-U] source-zone trust #set the source zone to trust
[FW-policy-security-rule-T-U] destination-zone untrust #set the destination zone to untrust
[FW-policy-security-rule-T-U] source-address 192.168.1.0 0.0.0.255 #set the source IP address
[FW-policy-security-rule-T-U] destination-address 192.168.4.0 0.0.0.255 #set the destination IP address
[FW-policy-security-rule-T-U] action p #action permit
[FW-policy-security-rule-T-U] q
[FW-policy-security] rule name T-D
[FW-policy-security-rule-T-D] source-zone trust
[FW-policy-security-rule-T-D] destination-zone dmz
[FW-policy-security-rule-T-D] source-address 192.168.1.0 0.0.0.255
[FW-policy-security-rule-T-D] destination-address 192.168.3.0 0.0.0.255
[FW-policy-security-rule-T-D] action p
[FW-policy-security-rule-T-D] q
[FW-policy-security] rule name D-U
[FW-policy-security-rule-D-U] source-zone dmz
[FW-policy-security-rule-D-U] destination-zone untrust
[FW-policy-security-rule-D-U] source-address 192.168.3.0 0.0.0.255
[FW-policy-security-rule-D-U] destination-address 192.168.4.0 0.0.0.255
[FW-policy-security-rule-D-U] action deny #action deny
[FW-policy-security-rule-D-U] q
#check the configuration
[FW-policy-security] dis this #show the current configuration in the security policy view
2023-03-19 00:48:48.270
#
security-policy
rule name T-U
source-zone trust
destination-zone untrust
source-address 192.168.1.0 0.0.0.255
destination-address 192.168.4.0 0.0.0.255
action permit
rule name T-D
source-zone trust
destination-zone dmz
source-address 192.168.1.0 0.0.0.255
destination-address 192.168.3.0 0.0.0.255
action permit
rule name D-U
source-zone dmz
destination-zone untrust
source-address 192.168.3.0 0.0.0.255
destination-address 192.168.4.0 0.0.0.255
action deny
#
return
#ping check
<PC1> ping 192.168.3.1
Ping 192.168.3.1:32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.3.1: bytes=32 seq=2 ttl=127 time<1 ms
From 192.168.3.1: bytes=32 seq=3 ttl=127 time=16 ms
From 192.168.3.1: bytes=32 seq=4 ttl=127 time<1 ms
--- 192.168.3.1 ping statistics ---
4 packet(s) transmitted
3 packet(s) received
25.00% packet loss
round-trip min/avg/max = 0/5/16 ms
<PC2> ping 192.168.3.1
Ping 192.168.3.1:32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.3.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<PC3>ping 192.168.4.1
Ping 192.168.4.1:32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.4.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
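To make the matching rule concrete for both the USG5500 policy list and the USG6000V rule set above, here is an added Python model (my own code, not from the page or from Huawei) of interzone first-match evaluation with wildcard masks, plus a check for rules that an earlier, broader rule makes unreachable. The rule dicts, net24 and shadowed are my own constructions; the zone pairs, addresses and the default deny for unmatched traffic follow the page.

```python
import ipaddress

def _i(a):
    return int(ipaddress.IPv4Address(a))

def net24(n):
    return (n, "0.0.0.255")  # a /24 written the Huawei way: network plus wildcard (inverse) mask

def wildcard_match(addr, net, wc):
    """Huawei-style wildcard mask: a 0 bit must match the network, a 1 bit is ignored."""
    return (_i(addr) & ~_i(wc)) == (_i(net) & ~_i(wc))

def covers(outer, inner):
    """True if the (net, wildcard) range `outer` contains all of `inner`; None means any address."""
    if outer is None or inner is None:
        return outer is None
    no, wo, ni, wi = map(_i, outer + inner)
    return (wi & ~wo) == 0 and (no & ~wo) == (ni & ~wo)

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """First match wins, walking the list top-down; a flow that matches no rule hits the default deny."""
    for r in rules:
        if ((r["src_zone"], r["dst_zone"]) == (src_zone, dst_zone)
                and (r.get("src") is None or wildcard_match(src_ip, *r["src"]))
                and (r.get("dst") is None or wildcard_match(dst_ip, *r["dst"]))):
            return r["name"], r["action"]
    return "default", "deny"

def shadowed(rules):
    """Names of rules that can never be reached because an earlier rule on the same zone pair fully covers them."""
    return [later["name"] for i, later in enumerate(rules) if any(
        (e["src_zone"], e["dst_zone"]) == (later["src_zone"], later["dst_zone"])
        and covers(e.get("src"), later.get("src")) and covers(e.get("dst"), later.get("dst"))
        for e in rules[:i])]

# policy interzone trust untrust outbound, transcribed from the USG5500 section above
USG5500 = [
    dict(name="policy 1", src_zone="trust", dst_zone="untrust", dst=net24("192.168.3.0"), action="deny"),
    dict(name="policy 2", src_zone="trust", dst_zone="untrust", src=net24("192.168.1.0"), dst=net24("192.168.2.0"), action="permit"),
]
# rules T-U, T-D and D-U, transcribed from the USG6000V section above
USG6000V = [
    dict(name="T-U", src_zone="trust", dst_zone="untrust", src=net24("192.168.1.0"), dst=net24("192.168.4.0"), action="permit"),
    dict(name="T-D", src_zone="trust", dst_zone="dmz", src=net24("192.168.1.0"), dst=net24("192.168.3.0"), action="permit"),
    dict(name="D-U", src_zone="dmz", dst_zone="untrust", src=net24("192.168.3.0"), dst=net24("192.168.4.0"), action="deny"),
]
# the ordering mistake the note warns about (constructed): a permit-any placed above the narrow deny of policy 1
SHADOWED = [dict(name="permit any", src_zone="trust", dst_zone="untrust", action="permit")] + USG5500
```

evaluate(USG5500, "trust", "untrust", "192.168.1.1", "192.168.3.1") reproduces the PC1 timeout above, while the same flow against SHADOWED is permitted and shadowed(SHADOWED) reports both original policies as unreachable.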
Copyright belongs to the original author PiB; if there is any infringement, please contact us to have it removed.