假设将网点和分公司的业务系统合并成一条策略，则需要：
 

1、 IP地址组的定义（加入组的成员须是 Untrust 区段中已定义的地址对象；若尚未用 set address 定义，需先定义再执行下面的 add）:
set group address "Untrust" "业务系统IP"
set group address "Untrust" "业务系统IP" add "192.168.2.15"
set group address "Untrust" "业务系统IP" add "192.168.2.5"
set group address "Untrust" "业务系统IP" add "192.168.2.6"
set group address "Untrust" "业务系统IP" add "192.168.2.7"
set group address "Untrust" "业务系统IP" add "192.168.2.8"
set group address "Untrust" "业务系统IP" add "192.168.2.86"
2、 定义业务系统的服务组（下文各 set service 须在引用它的 set group service ... add 之前执行；另请先确认设备版本是否允许服务组内再嵌套服务组）
set group service "业务系统服务组"
set group service "业务系统服务组" add "ODS查询服务器"
set group service "业务系统服务组" add "SOA"
set group service "业务系统服务组" add "核心商务"
set group service "业务系统服务组" add "客服平台"
set group service "业务系统服务组" add "论坛"
set group service "业务系统服务组" add "税友通2"
set group service "ODS查询服务器"
set group service "ODS查询服务器" add "TCP_1521"
set group service "ODS查询服务器" add "tcp_7001"
set service "tcp_7001" protocol tcp src-port 0-65535 dst-port 7001-7001
set service "TCP_1521" protocol tcp src-port 0-65535 dst-port 1521-1521
set group service "SOA"
set group service "SOA" add "tcp_6518"
set group service "SOA" add "tcp_7001"
set group service "SOA" add "tcp_8008"
set service "tcp_8008" protocol tcp src-port 0-65535 dst-port 8008-8008
set service "tcp_6518" protocol tcp src-port 0-65535 dst-port 6518-6518
set group service "核心商务"
set group service "核心商务" add "TCP_7002"
set group service "核心商务" add "TCP_8000"
set group service "核心商务" add "tcp_8001"
set group service "核心商务" add "TCP_8080"
set group service "核心商务" add "TCP_8081"
set group service "核心商务" add "tcp_82"
set service "TCP_7002" protocol tcp src-port 0-65535 dst-port 7002-7002
set service "TCP_8000" protocol tcp src-port 0-65535 dst-port 8000-8000
set service "tcp_8001" protocol tcp src-port 0-65535 dst-port 8001-8001
set service "TCP_8080" protocol tcp src-port 0-65535 dst-port 8080-8080
set service "TCP_8081" protocol tcp src-port 0-65535 dst-port 8081-8081
set service "tcp_82" protocol tcp src-port 0-65535 dst-port 82-82
set group service "客服平台"
set group service "客服平台" add "tcp_5678"
set group service "客服平台" add "tcp_7000"
set group service "客服平台" add "tcp_7001"
set group service "客服平台" add "TCP_7002"
set group service "客服平台" add "TCP_8081"
set group service "客服平台" add "tcp_8082"
set service "tcp_5678" protocol tcp src-port 0-65535 dst-port 5678-5678
set service "tcp_7000" protocol tcp src-port 0-65535 dst-port 7000-7000
set service "tcp_8082" protocol tcp src-port 0-65535 dst-port 8082-8082
set group service "论坛"
set group service "论坛" add "HTTP"
set group service "论坛" add "tcp_5678"
set group service "论坛" add "tcp_7777"
set group service "论坛" add "TCP_8000"
set group service "论坛" add "tcp_8888"
set service "tcp_7777" protocol tcp src-port 0-65535 dst-port 7777-7777
set service "tcp_8888" protocol tcp src-port 0-65535 dst-port 8888-8888
3、策略的建立，以河北的一个网点为例（下行 // 之后为说明文字，不属于命令，下发到设备前须去掉）:
set policy id 100 top from "Trust" to "Untrust" "10.5.2.0" "业务系统IP" "业务系统服务组" tunnel vpn-group 1 log //建立ID为100的策略，并通过 top 将其放在该区域的最上面。若不带ID，设备也可自动生成ID，但不利于多条策略的添加和位置摆放
提炼此策略中的变量：
1、策略ID
2、区段
3、源地址(段)
4、目标地址(段)（即上文已定义的地址组"业务系统IP"）
5、服务组（即上文自定义的"业务系统服务组"）
6、通道或者通道组
4、删除无用的策略（删除前先用 get policy id XX 核对该策略内容，确认无误后再执行 unset，避免误删）
unset policy id XX