This post walks through a security-policy configuration example for Huawei firewalls. Using the Huawei eNSP simulator, it builds a lab with a USG6000-series firewall and completes the configuration according to the stated security requirements.
[WeChat official account: 厦门微思网络]
01 Lab topology and requirements
The lab topology is shown above. Build the topology as shown and configure firewall security policies so that:
1. The Trust zone can reach the Untrust zone.
2. The Trust zone can reach lo0 in the DMZ zone, but no other IP address there.
02 Lab configuration commands
(1) Default security policy on Huawei firewalls
On Huawei firewalls the default security policy depends on which zones the traffic enters and leaves, as follows:
**1. Intra-zone traffic.** Traffic that flows from a zone back into the same zone; the firewall's default policy is permit.
**2. Inter-zone traffic.** Traffic that flows from one zone into a different zone; the firewall's default policy is deny.
**3. Local (self) traffic.** Traffic originated by the firewall itself or destined to the firewall; the default is deny. Besides being controlled in the security policy, local traffic can also be configured directly on the interface, and the interface-level configuration takes precedence over the security-policy configuration.
(2) Security zone configuration commands
Dividing security zones only requires placing the chosen interfaces into the designated zones. The commands are:
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1
(3) Security policy configuration commands
Configure the rules according to the requirements. Pay particular attention to the order of the rules: they are matched from top to bottom and the first match wins, so the host-specific permit for lo0 (p2) must come before the zone-wide deny (p3). The commands are:
security-policy
 rule name p1
  source-zone trust
  destination-zone trust
  destination-zone untrust
  service icmp
  action permit
 rule name p2
  source-zone trust
  destination-zone dmz
  destination-address 2.2.2.2 mask 255.255.255.255
  action permit
 rule name p3
  source-zone trust
  destination-zone dmz
  action deny
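To make the ordering point concrete, here is an added example that is not part of the original article and not Huawei code: a small first-match simulator for the three rules above. It models the defaults the article describes (intra-zone permit, inter-zone deny, local traffic not modelled), uses the zone names, rule names and addresses from the article, and evaluates constructed sample flows that mirror the four ping tests. It also evaluates the same rules with p2 and p3 swapped, which shows the zone-wide deny shadowing the permit for 2.2.2.2. The `Rule`, `evaluate`, `POLICY`, `MISORDERED` and `SAMPLE_FLOWS` names are this example's own.

```python
# Added example, not code from the original article: a first-match simulator
# for the USG security-policy rules shown above. It follows the article's stated
# defaults (permit inside a zone, deny between zones) and demonstrates why the
# order of p2 and p3 matters. Flow tuples below are constructed sample traffic.
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Set, Tuple


@dataclass
class Rule:
    name: str
    action: str                                                   # "permit" or "deny"
    source_zones: Set[str] = field(default_factory=set)           # empty = any zone
    dest_zones: Set[str] = field(default_factory=set)             # empty = any zone
    dest_addrs: List[IPv4Network] = field(default_factory=list)   # empty = any address
    services: Set[str] = field(default_factory=set)               # empty = any service

    def matches(self, src_zone: str, dst_zone: str, dst_ip: str, service: str) -> bool:
        """Every configured match field must hit; unconfigured fields match anything."""
        if self.source_zones and src_zone not in self.source_zones:
            return False
        if self.dest_zones and dst_zone not in self.dest_zones:
            return False
        if self.dest_addrs and not any(ip_address(dst_ip) in net for net in self.dest_addrs):
            return False
        if self.services and service not in self.services:
            return False
        return True


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             dst_ip: str, service: str) -> Tuple[str, str]:
    """Walk the rule list top to bottom; the first matching rule decides.
    If no rule matches, apply the default policy the article describes:
    permit within a zone, deny between zones."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, dst_ip, service):
            return rule.name, rule.action
    return ("default", "permit") if src_zone == dst_zone else ("default", "deny")


# The three rules exactly as configured in the article, in the article's order.
POLICY = [
    Rule("p1", "permit", {"trust"}, {"trust", "untrust"}, services={"icmp"}),
    Rule("p2", "permit", {"trust"}, {"dmz"}, [ip_network("2.2.2.2/32")]),
    Rule("p3", "deny", {"trust"}, {"dmz"}),
]

# Same rules with p2 and p3 swapped: the zone-wide deny now shadows the host permit.
MISORDERED = [POLICY[0], POLICY[2], POLICY[1]]

# Constructed sample flows (src zone, dst zone, dst IP, service) mirroring the
# four ping tests performed in the article.
SAMPLE_FLOWS = [
    ("trust", "untrust", "150.1.1.3", "icmp"),
    ("untrust", "trust", "192.168.2.1", "icmp"),
    ("trust", "dmz", "2.2.2.2", "icmp"),
    ("trust", "dmz", "192.168.1.2", "icmp"),
]

if __name__ == "__main__":
    for label, rules in (("article order", POLICY), ("p3 before p2", MISORDERED)):
        print(f"== {label} ==")
        for flow in SAMPLE_FLOWS:
            name, action = evaluate(rules, *flow)
            print(f"{flow[0]:>7} -> {flow[1]:<7} {flow[2]:<12} {flow[3]:<5} => {action} ({name})")
```

Running the script prints the decision and the matching rule for each flow under both orders; with p3 placed before p2, the ping to 2.2.2.2 is denied by p3 even though p2 would have permitted it, which is exactly the mistake the ordering note above warns against.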
03 Lab results
(1) Trust to Untrust access works
[Huawei]ping 150.1.1.3
PING 150.1.1.3: 56 data bytes, press CTRL_C to break
Reply from 150.1.1.3: bytes=56 Sequence=1 ttl=254 time=20 ms
Reply from 150.1.1.3: bytes=56 Sequence=2 ttl=254 time=20 ms
Reply from 150.1.1.3: bytes=56 Sequence=3 ttl=254 time=20 ms
Reply from 150.1.1.3: bytes=56 Sequence=4 ttl=254 time=30 ms
--- 150.1.1.3 ping statistics ---
4 packet(s) transmitted
4 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/22/30 ms
(2) Untrust to Trust access is blocked
[Huawei]ping 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[Huawei]
(3) Trust to 2.2.2.2 access works
[Huawei]ping 2.2.2.2
PING 2.2.2.2: 56 data bytes, press CTRL_C to break
Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=254 time=70 ms
Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=254 time=40 ms
Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=254 time=20 ms
Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=254 time=20 ms
--- 2.2.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/36/70 ms
(4) Trust to other DMZ addresses is blocked
[Huawei]ping 192.168.1.2
PING 192.168.1.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.1.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
04 Appendix: full firewall configuration
The complete firewall configuration used in the lab is as follows:
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 150.1.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.2.10 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1
#
ip route-static 2.2.2.2 255.255.255.255 192.168.1.2
#
security-policy
 rule name p1
  source-zone trust
  destination-zone trust
  destination-zone untrust
  service icmp
  action permit
 rule name p2
  source-zone trust
  destination-zone dmz
  destination-address 2.2.2.2 mask 255.255.255.255
  action permit
 rule name p3
  source-zone trust
  destination-zone dmz
  action deny