Huawei USG6000V Firewall Study Notes
程序员文章站
2024-03-20 23:50:46
Lab example:
Lab requirements:
1. Log in to the firewall, change the initial password and save the configuration;
2. Enable the HTTPS service on the corresponding interface, change the interface IP address, and log in to the firewall's web console from a browser;
Format: https://<interface IP address>:8443
3. Enable the ping service on the corresponding interface and ping the interface IP address from the local Windows PowerShell command line;
4. Create security policies so that the interface IP address can be pinged from the local Windows PowerShell command line and the firewall can communicate with the local host.
Lab configuration:
User interface con0 is available
Please Press ENTER.
Login authentication
Username:admin
Password:
*************************************************************************
* Copyright (C) 2014-2018 Huawei Technologies Co., Ltd. *
* All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
*************************************************************************
<USG6000V1>
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]interface GigabitEthernet 0/0/0
[USG6000V1-GigabitEthernet0/0/0]dis thi
2020-09-04 01:01:49.780
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.100.15 255.255.255.0
alias GE0/METH
service-manage https permit
service-manage ping permit
#
return
[USG6000V1-GigabitEthernet0/0/0]
Under the interface, permit the ping service so the interface can communicate with the local host.
Enable the HTTPS service and log in to the firewall management console from a browser.
Create a security policy so that the interface and the local host communicate normally.
Configuration:
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name T2L_ping
Sep 4 2020 01:13:35 USG6000V1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 6, the change loop count is 0, and the maximum number of records is 4095.
[USG6000V1-policy-security-rule-T2L_ping]source-zone trust
[USG6000V1-policy-security-rule-T2L_ping]destination-zone local
[USG6000V1-policy-security-rule-T2L_ping]
Sep 4 2020 01:13:55 USG6000V1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 8, the change loop count is 0, and the maximum number of records is 4095.
[USG6000V1-policy-security-rule-T2L_ping]source-address 192.168.100.1 32
Sep 4 2020 01:14:25 USG6000V1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 9, the change loop count is 0, and the maximum number of records is 4095.
[USG6000V1-policy-security-rule-T2L_ping]service icmp
[USG6000V1-policy-security-rule-T2L_ping]dis thi
2020-09-04 01:15:02.670
#
rule name T2L_ping
source-zone trust
destination-zone local
source-address 192.168.100.1 mask 255.255.255.255
service icmp
(not configure the action)
#
return
[USG6000V1-policy-security-rule-T2L_ping]
Sep 4 2020 01:15:05 USG6000V1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 10, the change loop count is 0, and the maximum number of records is 4095.
[USG6000V1-policy-security-rule-T2L_ping]action permit
[USG6000V1-policy-security-rule-T2L_ping]dis thi
2020-09-04 01:15:34.550
#
rule name T2L_ping
source-zone trust
destination-zone local
source-address 192.168.100.1 mask 255.255.255.255
service icmp
action permit
#
return
Create a security policy for traffic leaving the firewall through the interface.
Configuration:
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name L2T_ping
[USG6000V1-policy-security-rule-L2T_ping]source-zone local
[USG6000V1-policy-security-rule-L2T_ping]destination-zone trust
[USG6000V1-policy-security-rule-L2T_ping]source-address 192.168.100.15 32
[USG6000V1-policy-security-rule-L2T_ping]destination-address 192.168.100.1 32
[USG6000V1-policy-security-rule-L2T_ping]service icmp
[USG6000V1-policy-security-rule-L2T_ping]action permit
[USG6000V1-policy-security-rule-L2T_ping]dis thi
2020-09-04 01:41:04.390
#
rule name L2T_ping
source-zone local
destination-zone trust
source-address 192.168.100.15 mask 255.255.255.255
destination-address 192.168.100.1 mask 255.255.255.255
service icmp
action permit
#
return
[USG6000V1-policy-security-rule-L2T_ping]
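As an added example (not code from the original post), a small Python checker that parses rule blocks in the shape shown by `display this` above and flags an unfinished rule (the "(not configure the action)" state of T2L_ping) or a permit rule broader than the host-to-host ICMP scope used in both rules here. The sample rule text is constructed to mirror the output above; the "broad permit" checks are this example's own review heuristics, not firewall behaviour.

```python
# Constructed samples mirroring the `display this` output above (T2L_ping before `action permit`; finished L2T_ping).
T2L_NO_ACTION = """\
rule name T2L_ping
 source-zone trust
 destination-zone local
 source-address 192.168.100.1 mask 255.255.255.255
 service icmp
 (not configure the action)
"""
L2T_PING = """\
rule name L2T_ping
 source-zone local
 destination-zone trust
 source-address 192.168.100.15 mask 255.255.255.255
 destination-address 192.168.100.1 mask 255.255.255.255
 service icmp
 action permit
"""
LIST_KEYS = ("source-zone", "destination-zone", "source-address",
             "destination-address", "service")

def parse_rule(text):
    """Parse one rule block into a dict; list keys collect every matching line."""
    rule = {"name": None, "action": None, **{k: [] for k in LIST_KEYS}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            continue  # block delimiters from `display this`
        if line.startswith("rule name "):
            rule["name"] = line[len("rule name "):]
        elif line.startswith("action "):
            rule["action"] = line.split()[1]
        else:  # "(not configure the action)" has no known key, so action stays None
            key, _, value = line.partition(" ")
            if key in LIST_KEYS:
                rule[key].append(value)
    return rule

def audit_rule(rule):
    """Reviewer findings: unfinished rule, or a permit broader than host + ICMP."""
    findings = []
    if rule["action"] is None:
        findings.append("action not configured")
    elif rule["action"] == "permit":
        if not rule["source-address"] and not rule["destination-address"]:
            findings.append("permit with no address match")
        if not rule["service"] or "any" in rule["service"]:
            findings.append("permit with no service restriction")
    return findings
```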
Change the ICMP session timeout and query it.