
FIREWALL Configuration

Time: 2023-11-03 22:34:46  Views: 32
Tags: policy FIREWALL configuration undo admin authentication user interface

[Image: FIREWALL 配置_sed]

Configuration procedure

1) Assign IP addresses to the interfaces (GE1/0/0 faces the 20.1.1.0/24 network that will be placed in untrust, GE1/0/1 the 10.1.1.0/24 network that will be placed in trust, as in the running configuration below)

interface g1/0/0
 ip address 20.1.1.1 24
interface g1/0/1
 ip address 10.1.1.1 24

2) Configure the trust zone

firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1

3) Configure the untrust zone

firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0

4) Configure the security policy

security-policy
 rule name trust-to-untrust
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 20.1.1.0 mask 255.255.255.0
  service ftp
  action permit
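The four steps above produce the policy the firewall actually enforces: FTP from 10.1.1.0/24 in trust to 20.1.1.0/24 in untrust is permitted, and any flow that matches no rule falls to the interzone default deny (no default action is configured under security-policy in the running configuration). As an added example, not code from the original post and not Huawei tooling, the following Python script parses the interface, zone and rule sections of such a configuration and evaluates sample flows against them, including the reverse direction and a non-FTP service. It models zone membership through interface subnets and top-down first-match rule ordering, where an omitted condition means "any"; it does not model ASPF (the firewall detect ftp line in the running configuration, which tracks the FTP data channel) or address and service objects. The configuration text and the test flows are constructed from the values on this page.

```python
"""Offline evaluation of a Huawei USG-style security policy (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed from the configuration on this page; not a live device dump.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
security-policy
 rule name trust-to-untrust
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 20.1.1.0 mask 255.255.255.0
  service ftp
  action permit
#
"""


@dataclass
class Rule:
    name: str
    src_zones: set = field(default_factory=set)   # empty set means "any"
    dst_zones: set = field(default_factory=set)
    src_nets: list = field(default_factory=list)  # empty list means "any"
    dst_nets: list = field(default_factory=list)
    services: set = field(default_factory=set)
    action: str = "deny"


@dataclass
class Policy:
    iface_net: dict = field(default_factory=dict)   # interface -> IPv4Network
    iface_zone: dict = field(default_factory=dict)  # interface -> zone name
    rules: list = field(default_factory=list)       # in configured order


def parse_config(text):
    """Walk the dump, tracking which interface / zone / rule block we are in."""
    pol = Policy()
    iface = zone = rule = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":            # '#' closes a configuration block
            iface = zone = rule = None
            continue
        if m := re.fullmatch(r"interface (\S+)", line):
            iface, zone, rule = m.group(1), None, None
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and iface:
            pol.iface_net[iface] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.fullmatch(r"firewall zone (\S+)", line):
            zone, iface, rule = m.group(1), None, None
        elif (m := re.fullmatch(r"add interface (\S+)", line)) and zone:
            pol.iface_zone[m.group(1)] = zone
        elif m := re.fullmatch(r"rule name (\S+)", line):
            rule = Rule(m.group(1))
            pol.rules.append(rule)
        elif rule is None:
            continue                            # outside the sections we model
        elif m := re.fullmatch(r"(source|destination)-zone (\S+)", line):
            (rule.src_zones if m.group(1) == "source" else rule.dst_zones).add(m.group(2))
        elif m := re.fullmatch(r"(source|destination)-address (\S+) mask (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            (rule.src_nets if m.group(1) == "source" else rule.dst_nets).append(net)
        elif m := re.fullmatch(r"service (\S+)", line):
            rule.services.add(m.group(1))
        elif m := re.fullmatch(r"action (\S+)", line):
            rule.action = m.group(1)
    return pol


def zone_of(pol, ip):
    """Zone of an address: the zone of the interface whose subnet contains it."""
    ip = ipaddress.ip_address(ip)
    for iface, net in pol.iface_net.items():
        if ip in net:
            return pol.iface_zone.get(iface)
    return None


def evaluate(pol, src, dst, service):
    """Return (action, rule_name); unmatched traffic hits the interzone default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = zone_of(pol, src), zone_of(pol, dst)
    for r in pol.rules:                         # first match wins, top-down
        if r.src_zones and src_zone not in r.src_zones:
            continue
        if r.dst_zones and dst_zone not in r.dst_zones:
            continue
        if r.src_nets and not any(src_ip in n for n in r.src_nets):
            continue
        if r.dst_nets and not any(dst_ip in n for n in r.dst_nets):
            continue
        if r.services and service not in r.services:
            continue
        return r.action, r.name
    return "deny", "default"


POLICY = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    for flow in [("10.1.1.5", "20.1.1.8", "ftp"),    # intended flow: permitted
                 ("10.1.1.5", "20.1.1.8", "http"),   # other service: default deny
                 ("20.1.1.8", "10.1.1.5", "ftp")]:   # reverse direction: default deny
        print(flow, "->", evaluate(POLICY, *flow))
```

Running it shows the intended FTP flow hitting trust-to-untrust while both the HTTP flow and the untrust-to-trust flow fall to the default deny, which is the behaviour to confirm before relying on a single permit rule.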

Result

[Image: FIREWALL 配置_sed_02]

Full configuration

[fw01]display current-configuration
2023-11-03 13:44:27.040
!Software Version V500R005C10SPC300
#
sysname fw01
#
l2tp domain suffix-separator @
#
ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
clock timezone UTC add 00:00:00
#
update schedule location-sdb weekly Sun 00:30
#
firewall defend action discard
#
banner enable
#
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
undo ips log merge enable
#
decoding uri-cache disable
#
update schedule ips-sdb daily 23:01
update schedule av-sdb daily 23:01
update schedule sa-sdb daily 23:01
update schedule cnc daily 23:01
update schedule file-reputation daily 23:01
#
ip vpn-instance default
 ipv4-family
#
time-range worktime
 period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher @%@%U\<A/-kP~5nr<NF6mIU>+Hl~M<H&7;hSu2M[KkFLrq8BHlB+@%@%
  service-type web terminal
  level 15
 manager-user api-admin
  password cipher @%@%Qj!Q&(9Kl$q0s%~mW&[W;3X5NUx#AKc/#TuWH}I{f-lP3X8;@%@%
  level 15
 manager-user admin
  password cipher @%@%/{tJ0Qk>:YXy_d(Qf1\+S&xFwB.R:*|AI7SEQHYra6,~&xIS@%@%
  service-type web terminal
  level 15
 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 alias GE0/METH
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
 idle-timeout 0 0
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 rule name trust-to-untrust
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 20.1.1.0 mask 255.255.255.0
  service ftp
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
[fw01]
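The management-plane lines in this dump deserve as much attention as the policy itself. Telnet and SSH 1.x compatibility are disabled, the VTY lines authenticate through AAA and accept only SSH, and the password policy is set to high; on the other hand both SSH HMAC lists still offer sha1, the web manager and the user-manage portal still accept TLS 1.1, and idle-timeout 0 0 on the console disables the idle timeout altogether. As an added example, not code from the original post and not Huawei tooling, the following Python script groups a display current-configuration dump into top-level commands and their indented sub-commands, runs those checks and returns finding codes. WEAK_CONFIG is a constructed excerpt of the dump above; HARDENED_CONFIG is a constructed variant in which the flagged lines are corrected (the corrected lines are assumed to follow the same syntax as the originals) so the checks can be seen passing.

```python
"""Hardening audit of Huawei USG management-plane settings (added example)."""
import re

# Constructed excerpt of the running configuration shown on this page.
WEAK_CONFIG = """\
#
undo telnet server enable
undo telnet ipv6 server enable
#
user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
user-interface con 0
 authentication-mode aaa
 idle-timeout 0 0
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
"""

# Constructed variant with the weak settings corrected (assumed syntax).
HARDENED_CONFIG = """\
#
undo telnet server enable
undo telnet ipv6 server enable
#
user-manage security version tlsv1.2
password-policy
 level high
#
web-manager security version tlsv1.2
web-manager enable
web-manager security enable
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256
#
user-interface con 0
 authentication-mode aaa
 idle-timeout 5 0
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
"""


def contexts(cfg):
    """Map each unindented command to the indented lines beneath it ('#' ends a block)."""
    groups, current = {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None
        elif raw.startswith(" "):
            if current is not None:
                groups[current].append(raw.strip())
        else:
            current = raw.strip()
            groups.setdefault(current, [])
    return groups


def audit(cfg):
    """Return sorted finding codes; an empty list means every check passed."""
    g = contexts(cfg)
    findings = []
    # Clear-text and legacy management protocols must be switched off.
    if "undo telnet server enable" not in g:
        findings.append("telnet-server-enabled")
    if "undo ssh server compatible-ssh1x enable" not in g:
        findings.append("ssh1-compat-enabled")
    for line in g:
        # SHA-1 HMACs and TLS 1.1 are deprecated; flag any list still offering them.
        if m := re.fullmatch(r"ssh (server|client) hmac (.+)", line):
            if any(t.startswith("sha1") for t in m.group(2).split()):
                findings.append(f"weak-ssh-{m.group(1)}-hmac-sha1")
        if m := re.fullmatch(r"(web-manager|user-manage) security version (.+)", line):
            if "tlsv1.1" in m.group(2).split():
                findings.append(f"{m.group(1)}-allows-tls1.1")
    # Console line: 'idle-timeout 0 0' disables the idle timeout entirely.
    if "idle-timeout 0 0" in g.get("user-interface con 0", []):
        findings.append("console-idle-timeout-disabled")
    # VTY lines: AAA authentication and SSH as the only inbound protocol.
    vty = g.get("user-interface vty 0 4", [])
    if "authentication-mode aaa" not in vty:
        findings.append("vty-no-aaa")
    if "protocol inbound ssh" not in vty:
        findings.append("vty-not-ssh-only")
    if "level high" not in g.get("password-policy", []):
        findings.append("password-policy-not-high")
    return sorted(findings)


if __name__ == "__main__":
    print("weak    :", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

The grouping step is what makes the line checks reliable: idle-timeout 0 0 is only a finding on the console line, and protocol inbound ssh is only meaningful under the VTY lines it belongs to, so each check looks inside the right block instead of grepping the whole dump.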


From: https://blog.51cto.com/u_13560030/8174893

    路由重分发从一个AS学习路由,然后向另一个AS广播的路由器上进行配置。路由重分发的考虑①度量值②管理距离重分发到OSPF域中路由的路径类型①类型1的外部路径(E1)②类型2的外部路径(E2)NSSANSSA:非纯末梢区域NSSA非纯末梢区域配置命令配置命令:Router(config-router)#area  area-id  n......