The Huawei firewall is a capable network security product that, beyond basic firewall functions, offers many advanced security policy settings. This article walks through Huawei firewall configuration from several angles to help readers get a better grip on the product.
I. Basic configuration
1. IP address configuration
[USG]sysname USG
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]ip address 192.168.1.1 24
[USG-GigabitEthernet0/0/1]quit
[USG]save
2. Firewall rule configuration
[USG]firewall zone trust
[USG-firewall-zone-trust]add interface GigabitEthernet 0/0/1
[USG-firewall-zone-trust]quit
[USG]firewall zone untrust
[USG-firewall-zone-untrust]add interface GigabitEthernet 0/0/0
[USG-firewall-zone-untrust]quit
[USG]firewall interzone trust untrust
[USG-firewall-interzone-trust-untrust]detect ftp
[USG-firewall-interzone-trust-untrust]policy accept
[USG-firewall-interzone-trust-untrust]quit
[USG]save
II. Advanced configuration
1. Traffic control
1.1 Bandwidth management
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]traffic-shaping cir 20000 cbs 2000000 pir 30000
[USG-GigabitEthernet0/0/1]quit
1.2 QoS
[USG]traffic classifier tcp-port1 operator and
[USG-classifier-tcp-port1]if-match acl 3015
[USG-classifier-tcp-port1]quit
[USG]traffic classifier udp-port2 operator and
[USG-classifier-udp-port2]if-match acl 3016
[USG-classifier-udp-port2]quit
[USG]traffic behavior tcp-priority
[USG-behavior-tcp-priority]car cir 40000 cbs 2000000 green pass yellow discard
[USG-behavior-tcp-priority]queue length 2000
[USG-behavior-tcp-priority]quit
[USG]traffic behavior udp-normal
[USG-behavior-udp-normal]quit
[USG]traffic policy tcp-udp
[USG-trafficpolicy-tcp-udp]classifier tcp-port1 behavior tcp-priority
[USG-trafficpolicy-tcp-udp]classifier udp-port2 behavior udp-normal
[USG-trafficpolicy-tcp-udp]quit
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]traffic-policy tcp-udp inbound
[USG-GigabitEthernet0/0/1]quit
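The cir/cbs/pir keywords in sections 1.1 and 1.2 are parameters of a token-bucket rate meter: shaping queues packets that exceed the rate, while car colours them and applies the listed action. The following is an added example, not code from the article or from Huawei. It implements the two-rate three-colour marker of RFC 2698 (colour-blind mode) with the CLI's units (cir/pir in kbit/s, cbs/pbs in bytes) and applies the "green pass yellow discard" actions from the car line above. The article's car line names no peak burst, so the pbs value here is an assumption, as is treating red as discard.

```python
"""Two-rate three-colour marker (RFC 2698), colour-blind mode.

Added example, not code from the original article or from Huawei: it
models the token-bucket logic behind the cir/cbs/pir keywords used by
``traffic-shaping`` and ``car`` above.  Units follow the CLI: cir and pir
in kbit/s, cbs and pbs in bytes.  The article's ``car`` line names no
peak burst, so pbs is supplied by the caller here (an assumption).
"""


class TrTCM:
    def __init__(self, cir_kbps, cbs_bytes, pir_kbps, pbs_bytes):
        self.cbs = cbs_bytes
        self.pbs = pbs_bytes
        self.cir = cir_kbps * 125  # kbit/s -> byte/s
        self.pir = pir_kbps * 125
        self.tc = float(cbs_bytes)  # committed bucket, starts full
        self.tp = float(pbs_bytes)  # peak bucket, starts full
        self.last = 0.0

    def _refill(self, now):
        # Tokens accrue at CIR into tc and at PIR into tp, capped at the burst sizes.
        elapsed = max(0.0, now - self.last)
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        self.last = now

    def mark(self, size, now):
        """Colour one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tp < size:
            return "red"      # above PIR: no bucket is debited
        if self.tc < size:
            self.tp -= size   # within PIR but above CIR
            return "yellow"
        self.tp -= size
        self.tc -= size
        return "green"


# Actions from the article's line "car ... green pass yellow discard";
# red is not listed there, so treating it as discard is an assumption.
CAR_ACTIONS = {"green": "pass", "yellow": "discard", "red": "discard"}


def apply_car(marker, packets, actions=CAR_ACTIONS):
    """Return [(colour, action)] for a list of (size_bytes, arrival_time) pairs."""
    result = []
    for size, t in packets:
        colour = marker.mark(size, t)
        result.append((colour, actions[colour]))
    return result


# Constructed trace: three bursts at t=0 that drain both buckets, then one
# packet a second later, after both buckets have refilled.
SAMPLE_PACKETS = [(1_500_000, 0.0), (1_000_000, 0.0), (1_000_000, 0.0), (2_000_000, 1.0)]


def demo():
    # cir/cbs match the article's car line; pir/pbs are assumed values.
    marker = TrTCM(cir_kbps=40000, cbs_bytes=2_000_000, pir_kbps=60000, pbs_bytes=3_000_000)
    return apply_car(marker, SAMPLE_PACKETS)


if __name__ == "__main__":
    for colour, action in demo():
        print(colour, action)
```

With cir 40000 kbit/s the committed bucket refills at 5,000,000 bytes per second, so the first 1.5 MB burst is green, the next 1 MB exceeds the remaining committed tokens and is yellow (discarded by the car action), the third exceeds the peak bucket and is red, and the packet at t=1.0 s is green again once both buckets have refilled.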
2. Security threat defense
2.1 DDoS defense
[USG]ddos protect-template tpl1
[USG-ddos-protect-template-tpl1]blacklist duration 60
[USG-ddos-protect-template-tpl1]log enable
[USG-ddos-protect-template-tpl1]quit
[USG]ddos policy policy1
[USG-ddos-policy-policy1]mitigate-time 300
[USG-ddos-policy-policy1]undo enable
[USG-ddos-policy-policy1]template tpl1
[USG-ddos-policy-policy1]quit
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]ddos policy policy1 inbound
2.2 IPS/AV
[USG]object security security1
[USG-object-security-security1]threat-type web-attack
[USG-object-security-security1]detect-mode preventive
[USG-object-security-security1]reset
[USG-object-security-security1]quit
[USG]security-policy policy1
[USG-security-policy-policy1]rule 1 permit source 192.168.1.0 0.0.0.255 target any security-profile security1 action block
[USG-security-policy-policy1]quit
3. VPN
3.1 IPSec VPN
[USG]ipsec proposal prop1
[USG-ipsec-proposal-prop1]esp authentication-algorithm sha1
[USG-ipsec-proposal-prop1]esp encryption-algorithm aes-256
[USG-ipsec-proposal-prop1]ah authentication-algorithm sha1
[USG-ipsec-proposal-prop1]quit
[USG]ipsec policy policy1
[USG-ipsec-policy-policy1]proposal prop1
[USG-ipsec-policy-policy1]quit
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1-tunnel]ipsec policy policy1
[USG-GigabitEthernet0/0/1-tunnel]tunnel source 172.30.1.1
[USG-GigabitEthernet0/0/1-tunnel]tunnel destination 172.30.2.1
[USG-GigabitEthernet0/0/1-tunnel]quit
3.2 SSL VPN
[USG]ssl vpn server openvpn
[USG-ssl-vpn-server-openvpn]port 8443
[USG-ssl-vpn-server-openvpn]ip 192.168.1.1
[USG-ssl-vpn-server-openvpn]quit
[USG]interface Vlanif1
[USG-Vlanif1]ssl vpn gateway-policy policy1
[USG-Vlanif1]quit
[USG]ssl vpn gateway policy1
[USG-ssl-vpn-gateway-policy1]interface GigabitEthernet 0/0/1
[USG-ssl-vpn-gateway-policy1]address 192.168.1.1
[USG-ssl-vpn-gateway-policy1]quit
[USG]ssl vpn auth policy policy1
[USG-ssl-vpn-auth-policy-policy1]user-group huawei
[USG-ssl-vpn-auth-policy-policy1]quit
[USG]ssl vpn acl 1015
[USG-acl-adv-1015]rule 5 permit source 192.168.1.0 0.0.0.255
[USG-acl-adv-1015]quit
[USG]interface Vlanif1
[USG-Vlanif1]ssl vpn acl 1015
[USG-Vlanif1]quit
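The sessions in sections I.2, 2.1, 2.2 and 3.1 are pasted as a single line each, with prompts and commands run together, and a few of them contain settings a reviewer would want to flag before they reach a production box: an interzone policy that accepts everything, a DDoS policy that contains "undo enable" yet is bound to an interface, an IPSec proposal that pairs ESP with AH and uses SHA-1 integrity, and a security-policy rule that says both "permit" and "action block". The following is an added example, not code from the article and not a Huawei tool: it splits such a transcript into (prompt context, command) pairs and runs those review checks over them. The finding codes, the helper names and the constructed sample transcript (assembled from the 2.1 and 3.1 sessions above) are this script's own.

```python
"""Parser and review checks for Huawei USG-style CLI session transcripts.

Added example, not part of the original article and not a Huawei tool.
The sections above paste each session with prompts and commands run
together on one line ("[USG]cmd [USG-ctx]cmd ..."); parse_session() splits
that text into (prompt context, command) pairs, and audit() applies a few
defensive review checks to them.  The finding codes are this script's own.
"""
import re
from typing import List, Tuple

# A prompt in square brackets followed by the command text up to the next prompt.
_PROMPT_RE = re.compile(r"\[([^\]]+)\]\s*([^\[]*)")


def parse_session(text: str) -> List[Tuple[str, str]]:
    pairs = []
    for match in _PROMPT_RE.finditer(text):
        command = match.group(2).strip()
        if command:
            pairs.append((match.group(1), command))
    return pairs


def audit(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (code, context, command) findings a reviewer would raise."""
    findings = []
    for ctx, cmd in pairs:
        words = cmd.split()
        if ctx.startswith("USG-ipsec-proposal") and "sha1" in words:
            findings.append(("WEAK_HASH", ctx, cmd))  # prefer sha2-256 or stronger
        if ctx.startswith("USG-ipsec-proposal") and words[0] == "ah":
            findings.append(("AH_PROPOSAL", ctx, cmd))  # AH adds no confidentiality; ESP alone suffices
        if ctx.startswith("USG-ddos-policy") and cmd == "undo enable":
            findings.append(("DDOS_DISABLED", ctx, cmd))  # policy bound to an interface but switched off
        if ctx.startswith("USG-firewall-interzone") and cmd == "policy accept":
            findings.append(("OPEN_INTERZONE", ctx, cmd))  # no address or service scoping
        if ctx.startswith("USG-security-policy") and "permit" in words and "block" in words:
            findings.append(("CONTRADICTORY_RULE", ctx, cmd))  # permit vs. action block
    if not any(cmd == "save" for _, cmd in pairs):
        findings.append(("NOT_SAVED", "USG", ""))  # running config is lost on reboot
    return findings


# Constructed sample assembled from the DDoS and IPSec sessions above (sections 2.1, 3.1).
SAMPLE_SESSION = (
    "[USG]ddos policy policy1 [USG-ddos-policy-policy1]mitigate-time 300 "
    "[USG-ddos-policy-policy1]undo enable [USG-ddos-policy-policy1]template tpl1 "
    "[USG-ddos-policy-policy1]quit [USG]ipsec proposal prop1 "
    "[USG-ipsec-proposal-prop1]esp authentication-algorithm sha1 "
    "[USG-ipsec-proposal-prop1]esp encryption-algorithm aes-256 "
    "[USG-ipsec-proposal-prop1]ah authentication-algorithm sha1 "
    "[USG-ipsec-proposal-prop1]quit"
)


def review(text: str = SAMPLE_SESSION) -> List[str]:
    """Convenience wrapper: finding codes for a transcript, in order of appearance."""
    return [code for code, _, _ in audit(parse_session(text))]


if __name__ == "__main__":
    for code, ctx, cmd in audit(parse_session(SAMPLE_SESSION)):
        print(f"{code:<18} [{ctx}] {cmd}")
```

The prompt text is the only reliable context marker in a transcript pasted this way, so the checks key on the prompt prefix rather than on command order; a transcript that ends with save and scopes its interzone policy produces no findings.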
III. Summary
The above covers only part of Huawei firewall configuration; other features such as log management, social-application defense, MAC address binding and static NAT can be studied by readers as needed. Overall, the Huawei firewall's security performance is excellent and can meet the needs of most enterprises.
Original article, author: XCJNA. If you repost it, please cite the source: https://www.506064.com/n/370840.html