HUAWEI 防火牆 綜合配置案例
- 防火牆在校園出口安全方案中的應用
-
- 簡介
-
- 方案簡介
- 方案一:基于IP位址的政策控制
-
- 典型組網
-
- 負載分擔
- 位址轉換
- 安全防護
- 帶寬管控
- 溯源審計
- 業務規劃
-
- 網絡基礎及通路控制配置
- 入侵防禦
- DNS透明代理
- 智能選路
- 伺服器負載均衡
- 智能DNS
- NAT
-
- NAT Server
- 源NAT
- NAT ALG
-
- 攻擊防範
- 審計政策
- 帶寬管理
- 日志伺服器裝置
- 配置步驟
-
- 結果驗證
- 配置腳本
防火牆在校園出口安全方案中的應用
簡介
本案例介紹了防火牆在校園出口安全方案中的應用。通過分析校園網安全面臨的主要問題以及校方在網絡通路管理中的常見需求,本案例給出了最典型的2個應用方案,可以解決大多數情況下的校園網安全方案部署。
基于USG6000&USG9500 V500R005C00版本寫作,可供USG6000&USG9500 V500R005C00、USG6000E V600R006C00及後續版本參考。不同版本之間可能存在差異,請以實際版本為準。
方案簡介
随着教育資訊化的加速,高校網絡建設日趨完善,在師生暢享豐富網絡資源的同時,校園網絡的安全問題也逐漸凸顯,并直接影響學校的教學、管理、科研等活動。如何建構一個安全、高速的校園網絡,已成為高校網絡管理者需要迫切解決的問題。
校園網從網絡層到應用層的各個層面都面臨着不同的安全威脅:
網絡邊界防護:校園網一般擁有多個出口,鍊路帶寬高,網絡結構複雜;病毒、蠕蟲的傳播成為最大安全隐患;越來越多的遠端網絡接入,對安全性構成極大挑戰。
内容安全防護:無法及時發現和阻斷網絡入侵行為;需要對使用者通路的URL進行控制,允許或禁止通路某些網頁資源,規範上網行為;需要防範不當的網絡留言和内容釋出,防止造成不良的社會影響。
FW作為高性能的下一代防火牆,可以部署在校園網出口,幫助高校降低安全威脅,實作有效的網絡管理。FW不僅可以提供安全隔離和日常攻擊防範,還具備多種進階應用安全能力,如攻擊防範、IPS、防病毒、上網行為審計等,在實施邊界防護的同時提供應用層防護。
如圖1-1所示,FW作為安全網關部署在校園網出口,提供内、外網互訪的安全隔離和防護。FW不僅可以提供傳統的基于IP位址的安全政策制定和網絡通路控制,還可以提供基于使用者的通路控制和行為溯源。這給予了網絡管理者極大的靈活性,可以依據網絡實際情況選擇最高效的管控政策,并減少安全維護的工作量。
圖1-1 FW在校園網中的應用
方案一:基于IP位址的政策控制
典型組網
如圖1-2所示,FW作為安全網關部署在校園網出口,為校内使用者提供寬帶服務,為校外使用者提供伺服器通路服務。由于校園網絡是逐漸、分期發展起來的,是以出口鍊路的帶寬并不均衡,其中教育網的鍊路帶寬為1G,ISP1的3條鍊路帶寬分别為200M、1G和200M,ISP2的2條鍊路帶寬均為1G。
圖1-2 基于IP位址的政策控制組網圖
由于學校網絡的主要用途是學習和工作,是以在保證内網使用者和伺服器安全的同時,要合理配置設定帶寬資源,并對網絡流量進行負載分擔,提升内外部使用者的通路體驗。校園網的主要需求如下:
負載分擔
為了保證内網使用者的上網體驗,充分利用多條ISP鍊路,學校希望通路特定ISP網絡的流量優先從該ISP對應的出接口轉發出去,例如通路教育網的流量優先從GE1/0/1轉發,通路ISP2的流量優先從GE1/0/5或GE1/0/6轉發。同時,對屬于同一ISP的多條鍊路,可以按照鍊路帶寬或權重的比例進行流量負載分擔。為提高轉發的可靠性,防止單條鍊路流量過大導緻丢包,各鍊路間還要實作鍊路備份。
各ISP鍊路的傳輸品質實際上是不同的,其中教育網和ISP2的鍊路品質較高,可以用來轉發對時延要求較高的業務流量(例如遠端教學系統的流量),ISP1的鍊路品質較差,可以用來轉發占用帶寬大、業務價值小的業務流量(例如P2P流量)。考慮到費用因素,通路其他高校伺服器的流量、圖書館内使用者的上網流量、所有比對預設路由的流量需要從教育網鍊路轉發出去。
由于校内使用者自動獲得的是同一個DNS伺服器位址,是以流量将從同一條ISP鍊路轉發出去。學校希望充分利用其他鍊路資源,是以要分流部分DNS請求封包到其他ISP鍊路上。如果隻是改變了封包的出接口,還是無法解決後續上網流量集中在一條鍊路上的問題。是以要将封包發送到不同ISP的DNS伺服器上,這樣解析後的位址就屬于不同的ISP,達到了分流的目的。
學校内部署了DNS伺服器提供域名解析服務,不同ISP的使用者通路學校網站時,可以解析到屬于自己ISP的位址,不會解析到其他ISP的位址,提高通路品質。
由于通路圖書館伺服器的流量較大,是以需要部署2台伺服器對流量進行負載分擔。
位址轉換
校内使用者通路Internet時需要使用公網IP位址。
校内伺服器使用公網IP位址同時為内、外網使用者提供服務,例如圖書館伺服器、Portal伺服器、DNS伺服器等。
安全防護
按照網絡裝置所處的位置劃分不同區域,并對各區域間的流量進行安全隔離,控制各區域間的互訪權限。例如,允許校内使用者通路外網資源,隻允許外網使用者通路校内伺服器的指定端口。
能夠防禦常見的DDoS攻擊(例如SYN flood攻擊)和單包攻擊(例如Land攻擊)。
能夠對網絡入侵行為進行阻斷或告警。
帶寬管控
由于帶寬資源有限,是以學校希望限制P2P流量占用的帶寬比例,并限制每個使用者的P2P流量帶寬。常見的P2P流量主要來源于下載下傳軟體(如迅雷、電驢、BT、Ares、Vuze)、音樂軟體(如酷我音樂盒、酷狗、SoulSeek)或視訊網站或軟體(如百度影音、愛奇藝、搜狐影音)。
溯源審計
為了防止個别校内使用者的不當網絡行為對學校聲譽造成傷害,并做到事後能夠回溯和還原事件,需要對校内使用者的網絡行為進行審計,供日後審查和分析。需要審計的行為主要包括URL通路記錄、BBS和微網誌的發帖内容、HTTP上傳和下載下傳行為、FTP上傳和下載下傳行為。
學校部署有日志伺服器,需要在日志伺服器上檢視攻擊防範和入侵檢測的日志,并且能夠檢視NAT轉換前後的IP位址。
業務規劃
FW可以滿足校園網的所有需求,下面給出具體功能的介紹并結合組網進行業務規劃。
網絡基礎及通路控制配置
FW通過設定安全區域将校園網的各個區域安全隔離,并通過安全政策控制各個區域間的互訪權限。
其中,校園網使用者處于Trust區域,安全級别最高,可以主動通路所有安全區域;伺服器也處于Trust區域,但是通過政策控制伺服器僅可以通路外網區域,不可以通路Trust區域内的裝置;分别為各ISP建立安全區域,這是為了友善單獨控制某兩個域間的政策,允許各ISP區域中的裝置通路伺服器區。同時,為了保證安全區域間多通道協定(例如FTP協定)的正常通信,還需要開啟ASPF功能。
表1-1 網絡基礎配置規劃
表1-2 通路控制配置規劃
入侵防禦
為了防止僵屍、木馬、蠕蟲的入侵,需要在FW上部署入侵防禦功能,對入侵行為進行告警或阻斷。為了更好地識别入侵行為,FW還需要定期通過安全中心平台(sec.huawei.com)更新入侵防禦特征庫。
表1-3 入侵防禦配置規劃
DNS透明代理
DNS透明代理功能可以修改DNS請求封包的目的位址,實作DNS伺服器的重定向。本例中結合政策路由智能選路,可以使DNS請求封包按照鍊路帶寬比例進行轉發,由于解析後的伺服器位址也屬于不同的ISP,是以後續的通路流量也會分擔到不同的ISP鍊路上。
表1-4 DNS透明代理配置規劃
智能選路
為了滿足校園網出口的流量轉發需求,可以在FW上部署政策路由智能選路功能,結合ISP位址集即可實作按照營運商轉發流量。此外,對于某些特殊流量的轉發需求,可以利用單出口政策路由指導流量從固定的出接口轉發。最後,對于沒有命中ISP位址集的流量,可以選擇鍊路品質最好的鍊路轉發出去。
表1-5 智能選路配置規劃
伺服器負載均衡
圖書館的2台伺服器對外展現為一台高性能、高可靠性的虛拟伺服器,對于使用者來說通路的就是虛拟伺服器,而并不知道實際處理業務的是其他伺服器。為了提升使用者通路體驗,虛拟伺服器向外釋出多個ISP的公網IP位址。
表1-6 伺服器負載均衡配置規劃
智能DNS
智能DNS是指存在私網DNS伺服器的情況下,FW對于來自不同ISP的DNS請求進行智能回複,使各ISP的使用者能夠獲得最适合的解析位址,即與使用者屬于同一ISP網絡的伺服器位址。
例如,學校内網有一台DNS伺服器,上面存放了Portal伺服器的域名(www.example.com)和教育網配置設定的公網位址1.1.15.15,并在FW的GE1/0/2接口上啟用智能DNS功能,映射後的位址為ISP1配置設定的公網位址2.2.15.15。
當教育網下的使用者通路Portal伺服器位址時,由于接口GE1/0/1沒有配置智能DNS功能,是以最終使用者得到的Portal伺服器位址就是其原本教育網配置設定的公網位址1.1.15.15。當ISP1下的使用者通路Portal伺服器位址時,DNS伺服器傳回給ISP1使用者的DNS響應消息到達FW的GE1/0/2接口時,FW會把響應消息中原始的教育網位址1.1.15.15替換成ISP1配置設定的公網位址2.2.15.15,ISP1下的使用者收到DNS響應消息後,就會和2.2.15.15這個位址進行通信。當然,在FW上還需要配置一條NAT Server映射,将Portal伺服器的私網位址10.1.10.20和2.2.15.15進行綁定,進而實作ISP1下的使用者通過ISP1的位址2.2.15.15和Portal伺服器進行通信。
表1-7 智能DNS配置規劃
NAT
NAT Server
為保證各個ISP的使用者能夠通路内網伺服器,需要在FW上部署NAT Server功能,将伺服器的私網位址轉換成公網位址。
表1-8 NAT Server配置規劃
源NAT
為保證大量内網使用者能夠利用有限的公網IP位址通路外網,需要在FW上部署源NAT功能,将封包的私網IP位址轉換成公網IP位址。
表1-9 源NAT配置規劃
NAT ALG
FW配置NAT功能後,如果需要轉發多通道協定封包(例如FTP協定),則必須開啟該協定對應的NAT ALG功能,保證多通道協定封包可以順利的進行位址轉換。本案例中以FTP、QQ和RTSP協定為例,開啟這些協定對應的NAT ALG功能。
攻擊防範
攻擊防範功能可以檢測出多種類型的網絡攻擊,包括DDoS攻擊和單包攻擊,保護内部網絡免受惡意攻擊。
表1-10 攻擊防範配置規劃
審計政策
FW支援審計功能,通過審計政策定義需要審計的上網行為并進行記錄,管理者後續可以對使用者的上網行為進行審查和分析。
表1-11 審計政策配置規劃
帶寬管理
由于P2P流量非常耗費帶寬資源,是以學校希望限制ISP1各鍊路上的P2P流量帶寬,并針對單個IP的P2P流量帶寬進行限制。帶寬管理功能可以針對特定類型的流量進行整體限流或者限制每IP/每使用者的流量。
表1-12 帶寬管理配置規劃
日志伺服器裝置
日志伺服器可以進行日志的收集、查詢和報表呈現。FW和日志伺服器進行配套使用後,可以在日志伺服器上檢視FW輸出的會話日志,其中也包含NAT轉換前後的會話日志,通過這些日志即可檢視到NAT轉換的位址資訊;也可以在日志伺服器上檢視FW輸出的IPS日志和攻擊防範日志,通過這些日志即可查詢出網絡中的攻擊行為和入侵行為。
表1-13 對接網管裝置配置規劃
注意事項
1、 ISP位址集中的IP位址是否齊全直接影響智能選路、智能DNS功能的實施效果,請定期從安全中心平台(isecurity.huawei.com)更新ISP位址庫。
2、多出口場景下,政策路由智能選路不能和IP欺騙攻擊防範功能或URPF(Unicast Reverse Path Forwarding,單點傳播逆向路徑轉發)功能一起使用。如果開啟IP欺騙攻擊防範功能或URPF功能,可能導緻FW丢棄封包。
3、智能DNS功能需要License授權,并通過動态加載功能加載相應元件包後方可使用。
4、伺服器負載均衡功能的虛拟伺服器的IP位址不能和下列IP位址相同:
(1)NAT Server的公網IP位址(global IP)
(2)NAT位址池中的IP位址
(3)網關的IP位址
(4)FW的接口IP位址
5、伺服器負載均衡功能的實伺服器的IP位址不能和下列IP位址相同:
(1)虛拟伺服器的IP位址
(2)NAT Server的公網IP(global IP)
(3)NAT Server的内網伺服器IP位址(inside IP)
6、配置伺服器負載均衡功能後,在配置安全政策和路由功能時,需針對實伺服器的IP位址進行配置,而不是虛拟伺服器的IP位址。
7、配置NAT位址池和NAT Server後,需要針對位址池中的位址和NAT Server的公網位址配置黑洞路由,防止産生路由環路。
8、隻有審計管理者才能配置審計功能和檢視審計日志。
9、隻有支援安裝硬碟且硬碟在位的裝置才能在Web界面上檢視和導出審計日志。
10、在封包來回路徑不一緻的組網環境中,審計日志記錄的内容可能不完整。
配置步驟
1、配置接口和安全區域,并為參與選路的出接口配置網關位址、帶寬和過載保護門檻值。
<FW> system-view
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] description connect_to_edu
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.252
[FW-GigabitEthernet1/0/1] redirect-reverse next-hop 1.1.1.2
[FW-GigabitEthernet1/0/1] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/1] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] description connect_to_isp1
[FW-GigabitEthernet1/0/2] ip address 2.2.2.1 255.255.255.252
[FW-GigabitEthernet1/0/2] redirect-reverse next-hop 2.2.2.2
[FW-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90
[FW-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90
[FW-GigabitEthernet1/0/2] quit
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] description connect_to_isp1
[FW-GigabitEthernet1/0/3] ip address 2.2.3.1 255.255.255.252
[FW-GigabitEthernet1/0/3] redirect-reverse next-hop 2.2.3.2
[FW-GigabitEthernet1/0/3] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/3] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/3] quit
[FW] interface GigabitEthernet 1/0/4
[FW-GigabitEthernet1/0/4] description connect_to_isp1
[FW-GigabitEthernet1/0/4] ip address 2.2.4.1 255.255.255.252
[FW-GigabitEthernet1/0/4] redirect-reverse next-hop 2.2.4.2
[FW-GigabitEthernet1/0/4] bandwidth ingress 200000 threshold 90
[FW-GigabitEthernet1/0/4] bandwidth egress 200000 threshold 90
[FW-GigabitEthernet1/0/4] quit
[FW] interface GigabitEthernet 1/0/5
[FW-GigabitEthernet1/0/5] description connect_to_isp2
[FW-GigabitEthernet1/0/5] ip address 3.3.3.1 255.255.255.252
[FW-GigabitEthernet1/0/5] redirect-reverse next-hop 3.3.3.2
[FW-GigabitEthernet1/0/5] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/5] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/5] quit
[FW] interface GigabitEthernet 1/0/6
[FW-GigabitEthernet1/0/6] description connect_to_isp2
[FW-GigabitEthernet1/0/6] ip address 3.3.4.1 255.255.255.252
[FW-GigabitEthernet1/0/6] redirect-reverse next-hop 3.3.4.2
[FW-GigabitEthernet1/0/6] bandwidth ingress 1000000 threshold 90
[FW-GigabitEthernet1/0/6] bandwidth egress 1000000 threshold 90
[FW-GigabitEthernet1/0/6] quit
[FW] interface GigabitEthernet 1/0/7
[FW-GigabitEthernet1/0/7] description connect_to_campus
[FW-GigabitEthernet1/0/7] ip address 10.2.0.1 255.255.255.0
[FW-GigabitEthernet1/0/7] quit
2、配置安全政策。
(1)分别為教育網、ISP1、ISP2建立安全區域,并将各接口加入安全區域。
[FW] firewall zone name edu_zone
[FW-zone-edu_zone] set priority 20
[FW-zone-edu_zone] add interface GigabitEthernet 1/0/1
[FW-zone-edu_zone] quit
[FW] firewall zone name isp1_zone1
[FW-zone-isp1_zone1] set priority 30
[FW-zone-isp1_zone1] add interface GigabitEthernet 1/0/2
[FW-zone-isp1_zone1] quit
[FW] firewall zone name isp1_zone2
[FW-zone-isp1_zone2] set priority 40
[FW-zone-isp1_zone2] add interface GigabitEthernet 1/0/3
[FW-zone-isp1_zone2] quit
[FW] firewall zone name isp1_zone3
[FW-zone-isp1_zone3] set priority 50
[FW-zone-isp1_zone3] add interface GigabitEthernet 1/0/4
[FW-zone-isp1_zone3] quit
[FW] firewall zone name isp2_zone1
[FW-zone-isp2_zone1] set priority 60
[FW-zone-isp2_zone1] add interface GigabitEthernet 1/0/5
[FW-zone-isp2_zone1] quit
[FW] firewall zone name isp2_zone2
[FW-zone-isp2_zone2] set priority 70
[FW-zone-isp2_zone2] add interface GigabitEthernet 1/0/6
[FW-zone-isp2_zone2] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/7
[FW-zone-trust] quit
(2)為各域間配置安全政策,控制域間互訪。在安全政策中引用預設的入侵防禦配置檔案,配置入侵防禦功能。
[FW] security-policy
[FW-policy-security] rule name user_inside
[FW-policy-security-rule-user_inside] source-zone trust
[FW-policy-security-rule-user_inside] action permit
[FW-policy-security-rule-user_inside] profile ips default
[FW-policy-security-rule-user_inside] quit
[FW-policy-security] rule name user_outside
[FW-policy-security-rule-user_outside] source-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2
[FW-policy-security-rule-user_outside] destination-address 10.1.10.0 24
[FW-policy-security-rule-user_outside] action permit
[FW-policy-security-rule-user_outside] profile ips default
[FW-policy-security-rule-user_outside] quit
[FW-policy-security] rule name local_to_any
[FW-policy-security-rule-local_to_any] source-zone local
[FW-policy-security-rule-local_to_any] destination-zone any
[FW-policy-security-rule-local_to_any] action permit
[FW-policy-security-rule-local_to_any] quit
[FW-policy-security] quit
配置更新中心。
[FW] update server domain sec.huawei.com
裝置可通路更新伺服器或可通過代理伺服器通路更新伺服器。本例中以可直接通路更新伺服器為例。
[FW] dns resolve
[FW] dns server 10.1.10.30
配置定時更新功能,設定定時更新時間。
[FW] update schedule ips-sdb enable
[FW] update schedule sa-sdb enable
[FW] update schedule ips-sdb daily 02:30
[FW] update schedule sa-sdb daily 02:30
配置IP-Link功能,探測各ISP鍊路狀态是否正常。
3、IP-Link的配置指令在USG6000和USG9500上略有差異,此處使用的是USG6000進行舉例說明。
[FW] ip-link check enable
[FW] ip-link name edu_ip_link
[FW-iplink-edu_ip_link] destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
[FW-iplink-edu_ip_link] quit
[FW] ip-link name isp1_ip_link
[FW-iplink-isp1_ip_link] destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
[FW-iplink-isp1_ip_link] quit
[FW] ip-link name isp2_ip_link
[FW-iplink-isp2_ip_link] destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
[FW-iplink-isp2_ip_link] destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
[FW-iplink-isp2_ip_link] quit
4、配置路由。
除本例必需的路由資訊外,其他路由配置請管理者根據實際組網需要進行配置,本例不給出詳細指導。
#配置靜态路由,目的位址為内網網段,下一跳為内網交換機的位址,保證外網的流量能夠到達内網。
[FW] ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
配置DNS透明代理。
#配置各接口綁定DNS伺服器的IP位址。
[FW] dns-transparent-policy
[FW-policy-dns] dns transparent-proxy enable
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/1 preferred 1.1.22.22 alternate 1.1.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/2 preferred 2.2.22.22 alternate 2.2.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/3 preferred 2.2.24.24 alternate 2.2.25.25
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/4 preferred 2.2.26.26 alternate 2.2.27.27
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/5 preferred 3.3.22.22 alternate 3.3.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/6 preferred 3.3.24.24 alternate 3.3.25.25
#配置排除域名。
[FW-policy-dns] dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25
#配置DNS透明代理政策。
[FW-policy-dns] rule name dns_trans_rule
[FW-policy-dns-rule-dns_trans_rule] action tpdns
[FW-policy-dns-rule-dns_trans_rule] quit
[FW-policy-dns] quit
#為DNS請求封包配置政策路由智能選路,使封包能夠負載分擔到各鍊路上。
[FW] policy-based-route
[FW-policy-pbr] rule name pbr_dns_trans
[FW-policy-pbr-rule-pbr_dns_trans] source-zone trust
[FW-policy-pbr-rule-pbr_dns_trans] service dns dns-tcp
[FW-policy-pbr-rule-pbr_dns_trans] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] quit
[FW-policy-pbr-rule-pbr_dns_trans] quit
[FW-policy-pbr] quit
6、配置智能選路。
#配置ISP位址集。
(1)上傳ISP位址檔案到FW,可以使用SFTP方式進行傳輸,具體步驟略。
*(2)為教育網、ISP1和ISP2分别建立營運商名稱,并關聯對應的ISP位址檔案。
[FW] isp name edu_address set filename edu_address.csv
[FW] isp name isp1_address set filename isp1_address.csv
[FW] isp name isp2_address set filename isp2_address.csv
[FW] isp name other_edu_server_address set filename other_edu_server_address.csv
#建立對應遠端教學系統軟體的應用,并在政策路由中引用,使遠端教學系統軟體的流量從教育網和ISP2鍊路轉發。
注:請確定FW上存在相應的路由配置,使遠端教學流量在沒有政策路由時仍然可以正常傳輸。
[FW] sa
[FW-sa] user-defined-application name UD_dis_edu_sys_app
[FW-sa-user-defined-app-UD_dis_edu_sys_app] category Business_Systems sub-category Enterprise_Application
[FW-sa-user-defined-app-UD_dis_edu_sys_app] data-model client-server
[FW-sa-user-defined-app-UD_dis_edu_sys_app] label Encrypted-Communications Business-Applications
[FW-sa-user-defined-app-UD_dis_edu_sys_app] rule name 1
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] ip-address 2.2.50.50 32
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] port 5000
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] quit
[FW-sa-user-defined-app-UD_dis_edu_sys_app] quit
[FW-sa] quit
[FW] policy-based-route
[FW-policy-pbr] rule name dis_edu_sys
[FW-policy-pbr-rule-dis_edu_sys] source-zone trust
[FW-policy-pbr-rule-dis_edu_sys] application app UD_dis_edu_sys_app
[FW-policy-pbr-rule-dis_edu_sys] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] quit
[FW-policy-pbr-rule-dis_edu_sys] quit
#配置政策路由智能選路,使P2P流量從ISP1鍊路轉發。
注:請確定FW上存在相應的路由配置,使P2P流量在沒有政策路由時仍然可以正常傳輸。
[FW-policy-pbr] rule name p2p_traffic
[FW-policy-pbr-rule-p2p_traffic] source-zone trust
[FW-policy-pbr-rule-p2p_traffic] application category Entertainment sub-category PeerCasting
[FW-policy-pbr-rule-p2p_traffic] application category General_Internet sub-category FileShare_P2P
[FW-policy-pbr-rule-p2p_traffic] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-p2p_traffic-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-p2p_traffic-multi-inter] quit
[FW-policy-pbr-rule-p2p_traffic] quit
#配置單出口政策路由。
(1)通路其他高校伺服器的流量和圖書館内使用者的上網流量從教育網鍊路轉發。
[FW-policy-pbr] rule name other_edu_server
[FW-policy-pbr-rule-other_edu_server] source-zone trust
[FW-policy-pbr-rule-other_edu_server] source-address 10.1.0.0 16
[FW-policy-pbr-rule-other_edu_server] destination-address isp other_edu_server_address
[FW-policy-pbr-rule-other_edu_server] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
[FW-policy-pbr-rule-other_edu_server] quit
[FW-policy-pbr] rule name lib_internet
[FW-policy-pbr-rule-lib_internet] source-zone trust
[FW-policy-pbr-rule-lib_internet] source-address 10.1.50.0 22
[FW-policy-pbr-rule-lib_internet] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2
[FW-policy-pbr-rule-lib_internet] quit
#配置基于目的位址的政策路由智能選路。
(2)流量的目的位址屬于教育網位址集時,優先使用教育網鍊路轉發。
[FW-policy-pbr] rule name pbr_edu
[FW-policy-pbr-rule-pbr_edu] source-zone trust
[FW-policy-pbr-rule-pbr_edu] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_edu] destination-address isp edu_address
[FW-policy-pbr-rule-pbr_edu] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_edu-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/1 priority 8
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/2 priority 5
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/3 priority 5
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/4 priority 5
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
[FW-policy-pbr-rule-pbr_edu-multi-inter] quit
[FW-policy-pbr-rule-pbr_edu] quit
(3)流量的目的位址屬于ISP1位址集時,優先使用ISP1鍊路轉發。
[FW-policy-pbr] rule name pbr_isp1
[FW-policy-pbr-rule-pbr_isp1] source-zone trust
[FW-policy-pbr-rule-pbr_isp1] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_isp1] destination-address isp isp1_address
[FW-policy-pbr-rule-pbr_isp1] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_isp1-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/2 priority 8
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/3 priority 8
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/4 priority 8
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
[FW-policy-pbr-rule-pbr_isp1-multi-inter] quit
[FW-policy-pbr-rule-pbr_isp1] quit
(4)流量的目的位址屬于ISP2位址集時,優先使用ISP2鍊路轉發。
[FW-policy-pbr] rule name pbr_isp2
[FW-policy-pbr-rule-pbr_isp2] source-zone trust
[FW-policy-pbr-rule-pbr_isp2] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_isp2] destination-address isp isp2_address
[FW-policy-pbr-rule-pbr_isp2] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_isp2-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/2 priority 1
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/3 priority 1
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/4 priority 1
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/5 priority 8
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/6 priority 8
[FW-policy-pbr-rule-pbr_isp2-multi-inter] quit
[FW-policy-pbr-rule-pbr_isp2] quit
#沒有比對到任何ISP位址集的流量,通過政策路由pbr_rest選擇鍊路品質最好的鍊路來轉發。
[FW-policy-pbr] rule name pbr_rest
[FW-policy-pbr-rule-pbr_rest] source-zone trust
[FW-policy-pbr-rule-pbr_rest] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_rest] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_rest-multi-inter] mode priority-of-link-quality
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality protocol tcp-simple
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality parameter delay jitter loss
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality interval 3 times 5
[FW-policy-pbr-rule-pbr_rest-multi-inter] quit
[FW-policy-pbr-rule-pbr_rest] quit
[FW-policy-pbr] quit
7、配置伺服器負載均衡。
#開啟伺服器負載均衡功能。
#配置負載均衡算法。
[FW] slb
[FW-slb] group 1 grp1
[FW-slb-group-1] metric roundrobin
#向實伺服器組中添加實伺服器。
[FW-slb-group-1] rserver 1 rip 10.1.10.10
[FW-slb-group-1] rserver 2 rip 10.1.10.11
[FW-slb-group-1] quit
#配置虛拟伺服器的IP位址。
[FW-slb] vserver 1 vs1
[FW-slb-vserver-1] vip 1 1.1.111.111
[FW-slb-vserver-1] vip 2 2.2.112.112
[FW-slb-vserver-1] vip 3 3.3.113.113
#關聯虛拟伺服器和實伺服器組。
[FW-slb-vserver-1] group grp1
[FW-slb-vserver-1] quit
[FW-slb] quit
8、配置智能DNS。
#啟用智能DNS功能。
#建立智能DNS組,并在組中配置智能DNS映射。
[FW] dns-smart group 1 type single
[FW-dns-smart-group-1] real-server-ip 1.1.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/2 map 2.2.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/3 map 2.2.16.16
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/4 map 2.2.17.17
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 3.3.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/6 map 3.3.16.16
[FW-dns-smart-group-1] quit
[FW] dns-smart group 2 type single
[FW-dns-smart-group-2] real-server-ip 1.1.101.101
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/2 map 2.2.102.102
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/3 map 2.2.103.103
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/4 map 2.2.104.104
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/5 map 3.3.102.102
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/6 map 3.3.103.103
[FW-dns-smart-group-2] quit
9、配置基于安全區域的NAT Server,使不同ISP的使用者通過對應的公網IP通路内網伺服器。
#為Portal伺服器配置NAT Server。
[FW] nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
[FW] nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
[FW] nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
[FW] nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse
[FW] nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
[FW] nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse
#為DNS伺服器配置NAT Server。
[FW] nat server dns_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
[FW] nat server dns_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse
[FW] nat server dns_server03 zone isp1_zone2 global 2.2.103.103 inside 10.1.10.30 no-reverse
[FW] nat server dns_server04 zone isp1_zone3 global 2.2.104.104 inside 10.1.10.30 no-reverse
[FW] nat server dns_server05 zone isp2_zone1 global 3.3.102.102 inside 10.1.10.30 no-reverse
[FW] nat server dns_server06 zone isp2_zone2 global 3.3.103.103 inside 10.1.10.30 no-reverse
#為NAT Server的公網位址配置黑洞路由,防止産生路由環路。
[FW] ip route-static 1.1.15.15 32 NULL 0
[FW] ip route-static 2.2.15.15 32 NULL 0
[FW] ip route-static 2.2.16.16 32 NULL 0
[FW] ip route-static 2.2.17.17 32 NULL 0
[FW] ip route-static 3.3.15.15 32 NULL 0
[FW] ip route-static 3.3.16.16 32 NULL 0
[FW] ip route-static 1.1.101.101 32 NULL 0
[FW] ip route-static 2.2.102.102 32 NULL 0
[FW] ip route-static 2.2.103.103 32 NULL 0
[FW] ip route-static 2.2.104.104 32 NULL 0
[FW] ip route-static 3.3.102.102 32 NULL 0
[FW] ip route-static 3.3.103.103 32 NULL 0
10、配置源NAT。
#為通路教育網的流量配置源NAT,位址池中為教育網的公網位址。
[FW] nat address-group edu_nat_address_pool
[FW-address-group-edu_nat_address_pool] mode pat
[FW-address-group-edu_nat_address_pool] section 0 1.1.30.31 1.1.30.33
[FW-address-group-edu_nat_address_pool] quit
[FW] nat-policy
[FW-policy-nat] rule name edu_nat_policy
[FW-policy-nat-rule-edu_nat_policy] source-zone trust
[FW-policy-nat-rule-edu_nat_policy] destination-zone edu_zone
[FW-policy-nat-rule-edu_nat_policy] source-address 10.1.0.0 16
[FW-policy-nat-rule-edu_nat_policy] action source-nat address-group edu_nat_address_pool
[FW-policy-nat-rule-edu_nat_policy] quit
[FW-policy-nat] quit
#配置域内源NAT,使内網使用者可以通過公網位址通路内網伺服器。
[FW] nat-policy
[FW-policy-nat] rule name inner_nat_policy
[FW-policy-nat-rule-inner_nat_policy] source-zone trust
[FW-policy-nat-rule-inner_nat_policy] destination-zone trust
[FW-policy-nat-rule-inner_nat_policy] source-address 10.1.0.0 16
[FW-policy-nat-rule-inner_nat_policy] action source-nat address-group edu_nat_address_pool
[FW-policy-nat-rule-inner_nat_policy] quit
[FW-policy-nat] quit
#為通路ISP1的流量配置源NAT,位址池中為ISP1的公網位址。
[FW] nat address-group isp1_nat_address_pool1
[FW-address-group-isp1_nat_address_pool1] mode pat
[FW-address-group-isp1_nat_address_pool1] section 0 2.2.5.1 2.2.5.3
[FW-address-group-isp1_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy1
[FW-policy-nat-rule-isp1_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy1] destination-zone isp1_zone1
[FW-policy-nat-rule-isp1_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy1] action source-nat address-group isp1_nat_address_pool1
[FW-policy-nat-rule-isp1_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp1_nat_address_pool2
[FW-address-group-isp1_nat_address_pool2] mode pat
[FW-address-group-isp1_nat_address_pool2] section 0 2.2.6.1 2.2.6.3
[FW-address-group-isp1_nat_address_pool2] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy2
[FW-policy-nat-rule-isp1_nat_policy2] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy2] destination-zone isp1_zone2
[FW-policy-nat-rule-isp1_nat_policy2] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy2] action source-nat address-group isp1_nat_address_pool2
[FW-policy-nat-rule-isp1_nat_policy2] quit
[FW-policy-nat] quit
[FW] nat address-group isp1_nat_address_pool3
[FW-address-group-isp1_nat_address_pool3] mode pat
[FW-address-group-isp1_nat_address_pool3] section 0 2.2.7.1 2.2.7.3
[FW-address-group-isp1_nat_address_pool3] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy3
[FW-policy-nat-rule-isp1_nat_policy3] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy3] destination-zone isp1_zone3
[FW-policy-nat-rule-isp1_nat_policy3] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy3] action source-nat address-group isp1_nat_address_pool3
[FW-policy-nat-rule-isp1_nat_policy3] quit
[FW-policy-nat] quit
#為通路ISP2的流量配置源NAT,位址池中為ISP2的公網位址。
[FW] nat address-group isp2_nat_address_pool1
[FW-address-group-isp2_nat_address_pool1] mode pat
[FW-address-group-isp2_nat_address_pool1] section 0 3.3.1.1 3.3.1.3
[FW-address-group-isp2_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp2_nat_policy1
[FW-policy-nat-rule-isp2_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp2_nat_policy1] destination-zone isp2_zone1
[FW-policy-nat-rule-isp2_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp2_nat_policy1] action source-nat address-group isp2_nat_address_pool1
[FW-policy-nat-rule-isp2_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp2_nat_address_pool2
[FW-address-group-isp2_nat_address_pool2] mode pat
[FW-address-group-isp2_nat_address_pool2] section 0 3.3.2.1 3.3.2.3
[FW-address-group-isp2_nat_address_pool2] quit
[FW] nat-policy
[FW-policy-nat] rule name isp2_nat_policy2
[FW-policy-nat-rule-isp2_nat_policy2] source-zone trust
[FW-policy-nat-rule-isp2_nat_policy2] destination-zone isp2_zone2
[FW-policy-nat-rule-isp2_nat_policy2] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp2_nat_policy2] action source-nat address-group isp2_nat_address_pool2
[FW-policy-nat-rule-isp2_nat_policy2] quit
[FW-policy-nat] quit
#為NAT位址池中的公網位址配置黑洞路由,防止産生路由環路。
[FW] ip route-static 1.1.30.31 32 NULL 0
[FW] ip route-static 1.1.30.32 32 NULL 0
[FW] ip route-static 1.1.30.33 32 NULL 0
[FW] ip route-static 2.2.5.1 32 NULL 0
[FW] ip route-static 2.2.5.2 32 NULL 0
[FW] ip route-static 2.2.5.3 32 NULL 0
[FW] ip route-static 2.2.6.1 32 NULL 0
[FW] ip route-static 2.2.6.2 32 NULL 0
[FW] ip route-static 2.2.6.3 32 NULL 0
[FW] ip route-static 2.2.7.1 32 NULL 0
[FW] ip route-static 2.2.7.2 32 NULL 0
[FW] ip route-static 2.2.7.3 32 NULL 0
[FW] ip route-static 3.3.1.1 32 NULL 0
[FW] ip route-static 3.3.1.2 32 NULL 0
[FW] ip route-static 3.3.1.3 32 NULL 0
[FW] ip route-static 3.3.2.1 32 NULL 0
[FW] ip route-static 3.3.2.2 32 NULL 0
[FW] ip route-static 3.3.2.3 32 NULL 0
11、配置Trust和其他安全域間的NAT ALG功能,下面以FTP、QQ和RTSP協定為例。配置NAT ALG功能的同時,也開啟了ASPF功能。
[FW] firewall interzone trust edu_zone
[FW-interzone-trust-edu_zone] detect ftp
[FW-interzone-trust-edu_zone] detect qq
[FW-interzone-trust-edu_zone] detect rtsp
[FW-interzone-trust-edu_zone] quit
[FW] firewall interzone trust isp1_zone1
[FW-interzone-trust-isp1_zone1] detect ftp
[FW-interzone-trust-isp1_zone1] detect qq
[FW-interzone-trust-isp1_zone1] detect rtsp
[FW-interzone-trust-isp1_zone1] quit
[FW] firewall interzone trust isp1_zone2
[FW-interzone-trust-isp1_zone2] detect ftp
[FW-interzone-trust-isp1_zone2] detect qq
[FW-interzone-trust-isp1_zone2] detect rtsp
[FW-interzone-trust-isp1_zone2] quit
[FW] firewall interzone trust isp1_zone3
[FW-interzone-trust-isp1_zone3] detect ftp
[FW-interzone-trust-isp1_zone3] detect qq
[FW-interzone-trust-isp1_zone3] detect rtsp
[FW-interzone-trust-isp1_zone3] quit
[FW] firewall interzone trust isp2_zone1
[FW-interzone-trust-isp2_zone1] detect ftp
[FW-interzone-trust-isp2_zone1] detect qq
[FW-interzone-trust-isp2_zone1] detect rtsp
[FW-interzone-trust-isp2_zone1] quit
[FW] firewall interzone trust isp2_zone2
[FW-interzone-trust-isp2_zone2] detect ftp
[FW-interzone-trust-isp2_zone2] detect qq
[FW-interzone-trust-isp2_zone2] detect rtsp
[FW-interzone-trust-isp2_zone2] quit
12、配置攻擊防範功能。
[FW] firewall defend land enable
[FW] firewall defend smurf enable
[FW] firewall defend fraggle enable
[FW] firewall defend ip-fragment enable
[FW] firewall defend tcp-flag enable
[FW] firewall defend winnuke enable
[FW] firewall defend source-route enable
[FW] firewall defend teardrop enable
[FW] firewall defend route-record enable
[FW] firewall defend time-stamp enable
[FW] firewall defend ping-of-death enable
13、配置審計配置檔案,并在審計政策中引用。
[FW] profile type audit name trust_to_internet_audit
[FW-profile-audit-trust_to_internet_audit] http-audit url all
[FW-profile-audit-trust_to_internet_audit] http-audit bbs-content
[FW-profile-audit-trust_to_internet_audit] http-audit micro-blog
[FW-profile-audit-trust_to_internet_audit] http-audit file direction both
[FW-profile-audit-trust_to_internet_audit] ftp-audit file direction both
[FW-profile-audit-trust_to_internet_audit] quit
[FW] audit-policy
[FW-policy-audit] rule name trust_to_internet_audit_policy
[FW-policy-audit-rule-trust_to_internet_audit_policy] source-zone trust
[FW-policy-audit-rule-trust_to_internet_audit_policy] destination-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2
[FW-policy-audit-rule-trust_to_internet_audit_policy] action audit profile trust_to_internet_audit
[FW-policy-audit-rule-trust_to_internet_audit_policy] quit
[FW-policy-audit] quit
14、配置帶寬管理。
#對GE1/0/2接口鍊路的P2P流量進行限流。
[FW] traffic-policy
[FW-policy-traffic] profile isp1_p2p_profile_01
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth whole both 100000
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth per-ip both 500
[FW-policy-traffic-profile-isp1_p2p_profile_01] quit
[FW-policy-traffic] rule name isp1_p2p_01
[FW-policy-traffic-rule-isp1_p2p_01] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_01] egress-interface GigabitEthernet 1/0/2
[FW-policy-traffic-rule-isp1_p2p_01] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_01] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_01] action qos profile isp1_p2p_profile_01
[FW-policy-traffic-rule-isp1_p2p_01] quit
#對GE1/0/3接口鍊路的P2P流量進行限流。
[FW-policy-traffic] profile isp1_p2p_profile_02
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth whole both 300000
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth per-ip both 1000
[FW-policy-traffic-profile-isp1_p2p_profile_02] quit
[FW-policy-traffic] rule name isp1_p2p_02
[FW-policy-traffic-rule-isp1_p2p_02] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_02] egress-interface GigabitEthernet 1/0/3
[FW-policy-traffic-rule-isp1_p2p_02] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_02] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_02] action qos profile isp1_p2p_profile_02
[FW-policy-traffic-rule-isp1_p2p_02] quit
#對GE1/0/4接口鍊路的P2P流量進行限流。
[FW-policy-traffic] profile isp1_p2p_profile_03
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth whole both 700000
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth per-ip both 2000
[FW-policy-traffic-profile-isp1_p2p_profile_03] quit
[FW-policy-traffic] rule name isp1_p2p_03
[FW-policy-traffic-rule-isp1_p2p_03] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_03] egress-interface GigabitEthernet 1/0/4
[FW-policy-traffic-rule-isp1_p2p_03] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_03] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_03] action qos profile isp1_p2p_profile_03
[FW-policy-traffic-rule-isp1_p2p_03] quit
[FW-policy-traffic] quit
15、配置系統日志和NAT溯源功能,在網管系統eSight上檢視日志。
#配置向日志主機(10.1.10.30)發送系統日志(本案例發送IPS日志和攻擊防範日志)。
[FW] info-center enable
[FW] engine log ips enable
[FW] info-center source IPS channel loghost log level emergencies
[FW] info-center source ANTIATTACK channel loghost
[FW] info-center loghost 10.1.10.30
#配置會話日志功能。
[FW] security-policy
[FW-policy-security] rule name trust_edu_zone
[FW-policy-security-rule-trust_edu_zone] source-zone trust
[FW-policy-security-rule-trust_edu_zone] destination-zone edu_zone
[FW-policy-security-rule-trust_edu_zone] action permit
[FW-policy-security-rule-trust_edu_zone] session logging
[FW-policy-security-rule-trust_edu_zone] quit
[FW-policy-security] rule name trust_isp1_zone
[FW-policy-security-rule-trust_isp1_zone] source-zone trust
[FW-policy-security-rule-trust_isp1_zone] destination-zone isp1_zone1 isp1_zone2 isp1_zone3
[FW-policy-security-rule-trust_isp1_zone] action permit
[FW-policy-security-rule-trust_isp1_zone] session logging
[FW-policy-security-rule-trust_isp1_zone] quit
[FW-policy-security] rule name trust_isp2_zone
[FW-policy-security-rule-trust_isp2_zone] source-zone trust
[FW-policy-security-rule-trust_isp2_zone] destination-zone isp2_zone1 isp2_zone2
[FW-policy-security-rule-trust_isp2_zone] action permit
[FW-policy-security-rule-trust_isp2_zone] session logging
[FW-policy-security-rule-trust_isp2_zone] quit
[FW-policy-security] quit
16、配置SNMP功能,日志伺服器上的SNMP參數需要與FW上保持一緻。
[FW] snmp-agent sys-info version v3
[FW] snmp-agent group v3 inside_snmp privacy
[FW] snmp-agent usm-user v3 snmp_user group inside_snmp
[FW] snmp-agent usm-user v3 snmp_user authentication-mode sha cipher [email protected]
[FW] snmp-agent usm-user v3 user-name privacy-mode aes256 cipher [email protected]
日志伺服器配置完成後,在日志伺服器上選擇“ 日志分析 > 會話分析 > IPv4會話日志”,可以檢視會話日志。
結果驗證
1、校内使用者通路外網時,目的位址屬于教育網的流量從接口GE1/0/1轉發,目的位址屬于ISP1的流量從接口GE1/0/2轉發,目的位址屬于ISP2的流量從接口GE1/0/3轉發。
2、通路其他高校伺服器的流量和圖書館内使用者的上網流量從GE1/0/1轉發。
3、檢視IPS特征庫的配置資訊和更新資訊。
#使用display update configuration指令檢視目前更新特征庫的配置資訊。
[sysname] display update configuration
Update Configuration Information:
------------------------------------------------------------
Update Server : sec.huawei.com
Update Port : 80
Proxy State : disable
Proxy Server : -
Proxy Port : -
Proxy User : -
Proxy Password : -
IPS-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
AV-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
SA-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
IP-REPUTATION:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
CNC:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
------------------------------------------------------------
#使用display version ips-sdb指令檢視IPS特征庫的資訊。
[sysname] display version ips-sdb
IPS SDB Update Information List:
----------------------------------------------------------------
Current Version:
Signature Database Version : 2015041503
Signature Database Size(byte) : 2659606
Update Time : 12:02:10 2015/05/27
Issue Time of the Update File : 16:06:30 2015/04/15
Backup Version:
Signature Database Version :
Signature Database Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
IPS Engine Information List:
----------------------------------------------------------------
Current Version:
IPS Engine Version : V200R002C00SPC060
IPS Engine Size(byte) : 3145728
Update Time : 12:02:10 2015/05/27
Issue Time of the Update File : 10:51:45 2015/05/20
Backup Version:
IPS Engine Version :
IPS Engine Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
使用display firewall server-map指令檢視伺服器負載均衡功能生成的Server-map表項資訊。
[sysname] display firewall server-map slb
Current Total Server-map : 3
Type: SLB, ANY -> 3.3.113.113[grp1/1], Zone:---, protocol:---
Vpn: public -> public
Type: SLB, ANY -> 2.2.112.112[grp1/1], Zone:---, protocol:---
Vpn: public -> public
Type: SLB, ANY -> 1.1.111.111[grp1/1], Zone:---, protocol:---
Vpn: public -> public
使用display firewall server-map指令檢視NAT Server功能生成的Server-map表項資訊。
[sysname] display firewall server-map nat-server
Current Total Server-map : 12
Type: Nat Server, ANY -> 1.1.15.15[10.1.10.20], Zone: edu_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.15.15[10.1.10.20], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.16.16[10.1.10.20], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.17.17[10.1.10.20], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.15.15[10.1.10.20], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.16.16[10.1.10.20], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 1.1.101.101[10.1.10.30], Zone: edu_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.102.102[10.1.10.30], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.103.103[10.1.10.30], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.104.104[10.1.10.30], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.102.102[10.1.10.30], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.103.103[10.1.10.30], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server Reverse, 10.1.10.20[3.3.16.16] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[3.3.15.15] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[2.2.17.17] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[2.2.16.16] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[2.2.15.15] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[1.1.15.15] -> ANY, Zone: edu_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[3.3.103.103] -> ANY, Zone: isp2_zone , protocol:--- Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[3.3.102.102] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[2.2.104.104] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[2.2.103.103] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[2.2.102.102] -> ANY, Zone: isp1_zone , protocol:--- Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[1.1.101.101] -> ANY, Zone: edu_zone , protocol:---
Vpn: public -> public, counter: 1
在eSight上可以檢視到會話日志。
配置腳本
#
sysname FW
#
info-center loghost 10.1.10.30 514
#
nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse
nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse
nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse
nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse
nat server dns_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30
nat server dns_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse
nat server dns_server03 zone isp1_zone2 global 2.2.103.103 inside 10.1.10.30 no-reverse
nat server dns_server04 zone isp1_zone3 global 2.2.104.104 inside 10.1.10.30 no-reverse
nat server dns_server05 zone isp2_zone1 global 3.3.102.102 inside 10.1.10.30 no-reverse
nat server dns_server06 zone isp2_zone2 global 3.3.103.103 inside 10.1.10.30 no-reverse
#
dns resolve
dns server 10.1.10.30
dns transparent-proxy server 10.1.0.50
#
dns-transparent-policy
dns transparent-proxy enable
dns server bind interface GigabitEthernet1/0/1 preferred 1.1.22.22 alternate 1.1.23.23
dns server bind interface GigabitEthernet1/0/2 preferred 2.2.22.22 alternate 2.2.23.23
dns server bind interface GigabitEthernet1/0/3 preferred 2.2.24.24 alternate 2.2.25.25
dns server bind interface GigabitEthernet1/0/4 preferred 2.2.26.26 alternate 2.2.27.27
dns server bind interface GigabitEthernet1/0/5 preferred 3.3.22.22 alternate 3.3.23.23
dns server bind interface GigabitEthernet1/0/6 preferred 3.3.24.24 alternate 3.3.25.25
dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
ip-link name edu_ip_link
destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
ip-link name isp1_ip_link
destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
ip-link name isp2_ip_link
destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
#
dns-smart enable
#
update schedule ips-sdb daily 02:30
update schedule sa-sdb daily 02:30
#
interface GigabitEthernet1/0/1
description connect_to_edu
ip address 1.1.1.1 255.255.255.252
reverse-route nexthop 1.1.1.2
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
#
interface GigabitEthernet1/0/2
description connect_to_isp1
ip address 2.2.2.1 255.255.255.252
reverse-route nexthop 2.2.2.2
bandwidth ingress 200000 threshold 90
bandwidth egress 200000 threshold 90
#
interface GigabitEthernet1/0/3
description connect_to_isp1
ip address 2.2.3.1 255.255.255.252
reverse-route nexthop 2.2.3.2
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
#
interface GigabitEthernet1/0/4
description connect_to_isp1
ip address 2.2.4.1 255.255.255.252
reverse-route nexthop 2.2.4.2
bandwidth ingress 200000 threshold 90
bandwidth egress 200000 threshold 90
#
interface GigabitEthernet1/0/5
description connect_to_isp2
ip address 3.3.3.1 255.255.255.252
reverse-route nexthop 3.3.3.2
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
#
interface GigabitEthernet1/0/6
description connect_to_isp2
ip address 3.3.4.1 255.255.255.252
reverse-route nexthop 3.3.4.2
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
#
interface GigabitEthernet1/0/7
description connect_to_campus
ip address 10.2.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/7
#
firewall zone name edu_zone
set priority 20
add interface GigabitEthernet1/0/1
#
firewall zone name isp1_zone1
set priority 30
add interface GigabitEthernet1/0/2
#
firewall zone name isp1_zone2
set priority 40
add interface GigabitEthernet1/0/3
#
firewall zone name isp1_zone3
set priority 50
add interface GigabitEthernet1/0/4
#
firewall zone name isp2_zone1
set priority 60
add interface GigabitEthernet1/0/5
#
firewall zone name isp2_zone2
set priority 70
add interface GigabitEthernet1/0/6
#
firewall interzone trust edu_zone
detect ftp
detect rtsp
detect qq
#
firewall interzone trust isp1_zone1
detect ftp
detect rtsp
detect qq
#
firewall interzone trust isp1_zone2
detect ftp
detect rtsp
detect qq
#
firewall interzone trust isp1_zone3
detect ftp
detect rtsp
detect qq
#
firewall interzone trust isp2_zone1
detect ftp
detect rtsp
detect qq
#
firewall interzone trust isp2_zone2
detect ftp
detect rtsp
detect qq
#
ip route-static 1.1.15.15 255.255.255.255 NULL0
ip route-static 1.1.30.31 255.255.255.255 NULL0
ip route-static 1.1.30.32 255.255.255.255 NULL0
ip route-static 1.1.30.33 255.255.255.255 NULL0
ip route-static 1.1.101.101 255.255.255.255 NULL0
ip route-static 2.2.5.1 255.255.255.255 NULL0
ip route-static 2.2.5.2 255.255.255.255 NULL0
ip route-static 2.2.5.3 255.255.255.255 NULL0
ip route-static 2.2.6.1 255.255.255.255 NULL0
ip route-static 2.2.6.2 255.255.255.255 NULL0
ip route-static 2.2.6.3 255.255.255.255 NULL0
ip route-static 2.2.7.1 255.255.255.255 NULL0
ip route-static 2.2.7.2 255.255.255.255 NULL0
ip route-static 2.2.7.3 255.255.255.255 NULL0
ip route-static 2.2.15.15 255.255.255.255 NULL0
ip route-static 2.2.16.16 255.255.255.255 NULL0
ip route-static 2.2.17.17 255.255.255.255 NULL0
ip route-static 2.2.102.102 255.255.255.255 NULL0
ip route-static 2.2.103.103 255.255.255.255 NULL0
ip route-static 2.2.104.104 255.255.255.255 NULL0
ip route-static 3.3.1.1 255.255.255.255 NULL0
ip route-static 3.3.1.2 255.255.255.255 NULL0
ip route-static 3.3.1.3 255.255.255.255 NULL0
ip route-static 3.3.2.1 255.255.255.255 NULL0
ip route-static 3.3.2.2 255.255.255.255 NULL0
ip route-static 3.3.2.3 255.255.255.255 NULL0
ip route-static 3.3.15.15 255.255.255.255 NULL0
ip route-static 3.3.16.16 255.255.255.255 NULL0
ip route-static 3.3.102.102 255.255.255.255 NULL0
ip route-static 3.3.103.103 255.255.255.255 NULL0
ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
#
snmp-agent sys-info version v3
snmp-agent group v3 inside_snmp privacy
snmp-agent usm-user v3 snmp_user group inside_snmp
snmp-agent usm-user v3 snmp_user authentication-mode sha cipher %$%$jQlL6J6-$X05<;Csj**]uVn>IEUb,
9<3.%$%$
snmp-agent usm-user v3 user-name privacy-mode aes256 cipher %$%$jQlL6J6-$X05<;Csj**]uVn>IEUb,
9<3.%$%$
#
isp name edu_address
isp name edu_address set filename edu_address.csv
isp name isp1_address
isp name isp1_address set filename isp1_address.csv
isp name isp2_address
isp name isp2_address set filename isp2_address.csv
isp name other_edu_server_address
isp name other_edu_server_address set filename other_edu_server_address.csv
#
slb
rserver 1 rip 10.1.10.10 weight 32 healthchk
rserver 2 rip 10.1.10.11 weight 32 healthchk
group grp1
metric roundrobin
addrserver 1
addrserver 2
vserver vs1 vip 1.1.111.111 group grp1
#
sa
#
sa
user-defined-application name UD_dis_edu_sys_app
category Business_Systems sub-category Enterprise_Application
data-model client-server
rule name 1
ip-address 2.2.50.50 32
port 5000
#
nat address-group edu_nat_address_pool
section 0 1.1.30.31 1.1.30.33
nat address-group isp1_nat_address_pool1
section 0 2.2.5.1 2.2.5.3
nat address-group isp1_nat_address_pool2
section 0 2.2.6.1 2.2.6.3
nat address-group isp1_nat_address_pool3
section 0 2.2.7.1 2.2.7.3
nat address-group isp2_nat_address_pool1
section 0 3.3.1.1 3.3.1.3
nat address-group isp2_nat_address_pool2
section 0 3.3.2.1 3.3.2.3
#
dns-smart group 1 type single
real-server-ip 1.1.15.15
out-interface GigabitEthernet1/0/2 map 2.2.15.15
out-interface GigabitEthernet1/0/3 map 2.2.16.16
out-interface GigabitEthernet1/0/4 map 2.2.17.17
out-interface GigabitEthernet1/0/5 map 3.3.15.15
out-interface GigabitEthernet1/0/6 map 3.3.16.16
#
dns-smart group 2 type single
real-server-ip 1.1.101.101
out-interface GigabitEthernet1/0/2 map 2.2.102.102
out-interface GigabitEthernet1/0/3 map 2.2.103.103
out-interface GigabitEthernet1/0/4 map 2.2.104.104
out-interface GigabitEthernet1/0/5 map 3.3.102.102
out-interface GigabitEthernet1/0/6 map 3.3.103.103
#
security-policy
rule name user_inside
source-zone trust
profile ips default
action permit
rule name user_outside
source-zone edu_zone
source-zone isp1_zone1
source-zone isp1_zone2
source-zone isp1_zone3
source-zone isp2_zone1
source-zone isp2_zone2
destination-address 10.1.10.0 mask 255.255.255.0
profile ips default
action permit
rule name local_to_any
source-zone local
destination-zone any
action permit
#
traffic-policy
profile isp1_p2p_profile_01
bandwidth total maximum-bandwidth 100000
bandwidth ip-car total maximum-bandwidth per-ip 500
profile isp1_p2p_profile_02
bandwidth total maximum-bandwidth 300000
bandwidth ip-car total maximum-bandwidth per-ip 1000
profile isp1_p2p_profile_03
bandwidth total maximum-bandwidth 700000
bandwidth ip-car total maximum-bandwidth per-ip 2000
rule name isp1_p2p_01
ingress-interface GigabitEthernet1/0/7
egress-interface GigabitEthernet1/0/2
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action qos profile isp1_p2p_profile_01
rule name isp1_p2p_02
ingress-interface GigabitEthernet1/0/7
egress-interface GigabitEthernet1/0/3
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action qos profile isp1_p2p_profile_02
rule name isp1_p2p_03
ingress-interface GigabitEthernet1/0/7
egress-interface GigabitEthernet1/0/4
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action qos profile isp1_p2p_profile_03
#
policy-based-route
rule name pbr_dns_trans
source-zone trust
service dns
service dns-tcp
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
add interface GigabitEthernet1/0/5
add interface GigabitEthernet1/0/6
mode proportion-of-bandwidth
rule name dis_edu_sys
source-zone trust
application app UD_dis_edu_sys_app
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/5
add interface GigabitEthernet1/0/6
mode proportion-of-bandwidth
rule name p2p_traffic
source-zone trust
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
mode proportion-of-bandwidth
rule name other_edu_server
source-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address isp other_edu_server_address
action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.2
rule name lib_internet
source-zone trust
source-address 10.1.48.0 mask 255.255.252.0
action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.2
rule name pbr_edu
source-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address isp edu_address
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/1 priority 8
add interface GigabitEthernet1/0/2 priority 5
add interface GigabitEthernet1/0/3 priority 5
add interface GigabitEthernet1/0/4 priority 5
add interface GigabitEthernet1/0/5
add interface GigabitEthernet1/0/6
mode priority-of-userdefine
rule name pbr_isp1
source-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address isp isp1_address
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/1 priority 5
add interface GigabitEthernet1/0/2 priority 8
add interface GigabitEthernet1/0/3 priority 8
add interface GigabitEthernet1/0/4 priority 8
add interface GigabitEthernet1/0/5
add interface GigabitEthernet1/0/6
mode priority-of-userdefine
rule name pbr_isp2
source-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address isp isp2_address
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/1 priority 5
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
add interface GigabitEthernet1/0/5 priority 8
add interface GigabitEthernet1/0/6 priority 8
mode priority-of-userdefine
rule name pbr_rest
source-zone trust
source-address 10.1.0.0 mask 255.255.0.0
action pbr egress-interface multi-interface
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
add interface GigabitEthernet1/0/5
add interface GigabitEthernet1/0/6
mode priority-of-link-quality
priority-of-link-quality parameter delay jitter loss
#
nat-policy
rule name inner_nat_policy
source-zone trust
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group edu_nat_address_pool
rule name edu_nat_policy
source-zone trust
destination-zone edu_zone
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group edu_nat_address_pool
rule name isp1_nat_policy1
source-zone trust
destination-zone isp1_zone1
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group isp1_nat_address_pool1
rule name isp1_nat_policy2
source-zone trust
destination-zone isp1_zone2
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group isp1_nat_address_pool2
rule name isp1_nat_policy3
source-zone trust
destination-zone isp1_zone3
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group isp1_nat_address_pool3
rule name isp2_nat_policy1
source-zone trust
destination-zone isp2_zone1
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group isp2_nat_address_pool1
rule name isp2_nat_policy2
source-zone trust
destination-zone isp2_zone2
source-address 10.1.0.0 mask 255.255.0.0
action source-nat address-group isp2_nat_address_pool2
#
return
注:文章轉自華為防火牆技術支援中心