FIREWALL 配置

配置流程

1）接口配置IP地址

interface g1/0/0

ip address 10.1.1.1 24

interface g1/0/1

ip address 20.1.1.1 24

2）配置trust

firewall zone trust

set priority 85

add interface GigabitEthernet1/0/1

3）配置untrust

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

4）配置安全策略

 security-policy

rule name trust-to-untrust

 source-zone trust

 destination-zone untrust

 source-address 10.1.1.0 mask 255.255.255.0

 destination-address 20.1.1.0 mask 255.255.255.0

 service ftp

 action permit

结果展示

完整配置

[fw01]display current-configuration  

2023-11-03 13:44:27.040  

!Software Version V500R005C10SPC300

#

sysname fw01

#

l2tp domain suffix-separator @

#

ipsec sha2 compatible enable

#

undo telnet server enable

undo telnet ipv6 server enable

#

clock timezone UTC add 00:00:00

#

update schedule location-sdb weekly Sun 00:30

#

firewall defend action discard

#

banner enable

#

user-manage web-authentication security port 8887

undo privacy-statement english

undo privacy-statement chinese

page-setting

user-manage security version tlsv1.1 tlsv1.2

password-policy

level high

user-manage single-sign-on ad

user-manage single-sign-on tsm

user-manage single-sign-on radius

user-manage auto-sync online-user

#

web-manager security version tlsv1.1 tlsv1.2

web-manager enable

web-manager security enable

#

firewall dataplane to manageplane application-apperceive default-action drop

#

undo ips log merge enable

#

decoding uri-cache disable

#

update schedule ips-sdb daily 23:01

update schedule av-sdb daily 23:01

update schedule sa-sdb daily 23:01

update schedule cnc daily 23:01

update schedule file-reputation daily 23:01

#

ip vpn-instance default

ipv4-family

#

time-range worktime

 period-range 08:00:00 to 18:00:00 working-day

#

ike proposal default

encryption-algorithm aes-256 aes-192 aes-128

dh group14

authentication-algorithm sha2-512 sha2-384 sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

#

aaa

authentication-scheme default

authentication-scheme admin_local

authentication-scheme admin_radius_local

authentication-scheme admin_hwtacacs_local

authentication-scheme admin_ad_local

authentication-scheme admin_ldap_local

authentication-scheme admin_radius

authentication-scheme admin_hwtacacs

authentication-scheme admin_ad

authorization-scheme default

accounting-scheme default

domain default

 service-type internetaccess ssl-vpn l2tp ike

 internet-access mode password

 reference user current-domain

manager-user audit-admin

 password cipher @%@%U\<A/-kP~5nr<NF6mIU>+Hl~M<H&7;hSu2M[KkFLrq8BHlB+@%@%

 service-type web terminal

 level 15

manager-user api-admin

 password cipher @%@%Qj!Q&(9Kl$q0s%~mW&[W;3X5NUx#AKc/#TuWH}I{f-lP3X8;@%@%

 level 15

manager-user admin

 password cipher @%@%/{tJ0Qk>:YXy_d(Qf1\+S&xFwB.R:*|AI7SEQHYra6,~&xIS@%@%

 service-type web terminal

 level 15

role system-admin

role device-admin

role device-admin(monitor)

role audit-admin

bind manager-user audit-admin role audit-admin

bind manager-user admin role system-admin

#

l2tp-group default-lns

#

interface GigabitEthernet0/0/0

undo shutdown

ip binding vpn-instance default

alias GE0/METH

#

interface GigabitEthernet1/0/0

undo shutdown

ip address 20.1.1.1 255.255.255.0

#

interface GigabitEthernet1/0/1

undo shutdown

ip address 10.1.1.1 255.255.255.0

#

interface GigabitEthernet1/0/2

undo shutdown

#

interface GigabitEthernet1/0/3

undo shutdown

#

interface GigabitEthernet1/0/4

undo shutdown

#

interface GigabitEthernet1/0/5

undo shutdown

#

interface GigabitEthernet1/0/6

undo shutdown

#

interface Virtual-if0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

set priority 85

add interface GigabitEthernet1/0/1

#

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

#

firewall zone dmz

set priority 50

#

undo ssh server compatible-ssh1x enable

ssh authentication-type default password

ssh server cipher aes256_ctr aes128_ctr

ssh server hmac sha2_256 sha1

ssh client cipher aes256_ctr aes128_ctr

ssh client hmac sha2_256 sha1

#

firewall detect ftp

#

user-interface con 0

authentication-mode aaa

idle-timeout 0 0

user-interface vty 0 4

authentication-mode aaa

protocol inbound ssh

user-interface vty 16 20

#

pki realm default

#

sa

#

location

#

multi-linkif

mode proportion-of-weight

#

right-manager server-group

#

device-classification

device-group pc

device-group mobile-terminal

device-group undefined-group

#

user-manage server-sync tsm

#

security-policy

rule name trust-to-untrust

 source-zone trust

 destination-zone untrust

 source-address 10.1.1.0 mask 255.255.255.0

 destination-address 20.1.1.0 mask 255.255.255.0

 service ftp

 action permit

#

auth-policy

#

traffic-policy

#

policy-based-route

#

nat-policy

#

quota-policy

#

pcp-policy

#

dns-transparent-policy

#

rightm-policy

#

return

[fw01]