0101(2019-06- 典型組 業(yè)務規(guī) 配置接口和安全區(qū) 配置智能選路及路 配置雙機熱 配置源 配置NATServer和智能 配置安全策略及安全防 配置用戶溯 查看流量統(tǒng) 結(jié)果驗 配置腳 110101(2019-06-基于USG6000&USG9500V500R005C00版本寫作，可供V500R005C00、USG6000EV600R006C00及后續(xù)版本參考。不同版本之間可能存在差220101(2019-06-2-1NAT：提供源NAT功能將寬帶用戶私網(wǎng)IP轉(zhuǎn)換為公網(wǎng)IP，提供NATServer功能將330101(2019-06-3-1通過防火墻的源NAT功能保證城域網(wǎng)的海量用戶能夠同時訪問Internet屬于同一個ISP引導P2P流量由資費較低、帶寬較大的ISP2

廣電網(wǎng)絡出口可能用到的設(shè)備如表3-所示，0和0如有差異將補充說明。3-1由于一個接入點無法與兩臺防火墻直接相連，因此需要在防火墻與匯聚交換機。出口匯聚交換機可以將的一條鏈路變?yōu)閮蓷l鏈路，然后分別將兩條鏈路與兩臺防火墻的上行接口相連。而防火墻與下行路由器之間運行F，所以這就組成了“兩臺防火墻上行連接交換機，下行連接路由器”的典型雙機熱備組網(wǎng)。該種組網(wǎng)方式防火墻上行配置P備份組，下行配置P組監(jiān)控業(yè)務口。3-2通過透明代理分擔內(nèi)網(wǎng)用戶上網(wǎng)的請求，從而達到在多個間分擔流量的目的。內(nèi)網(wǎng)用戶上網(wǎng)的第一步是用戶訪問某個域名，服務器將域名解析為地址。這一步存在一個問題，內(nèi)網(wǎng)C往往都配置了同一個的用戶只能解析到一個的地址，后續(xù)的選路也就無從談起了。防火墻提供透明代理功能解決這一問題，防火墻通過一定的規(guī)則將內(nèi)網(wǎng)用戶的請求分擔至不同的服務器，從而解析到不同的地址。本例采取指定鏈路權(quán)重的方式分擔請求。通過基于多出口的策略路由實現(xiàn)ISP防火墻的策略路由可以同時指定多個出接口，并配置多個出接口的流量分擔方式。例如指定目的地址為地址的流量從1的兩個出接口發(fā)送，同時指定兩個出接口間按權(quán)重進行負載分擔。通過基于應用的策略路由將P2P流量引導至ISP2NAT在FW配置源NAT使內(nèi)網(wǎng)用戶可以通過有限的公網(wǎng)IP地址訪問Internet根據(jù)向ISP申請的公網(wǎng)IP地址，配置兩個對應不同ISPVRRP備份組的公網(wǎng)IP、服務器對外發(fā)布的公網(wǎng)IP??NATServer

NAPT（NetworkAddressandPortNATALG：當防火墻既開啟NAT功能，又需要轉(zhuǎn)發(fā)多通道協(xié)議報文（例如等）時，必須開啟相應的NATALG功能。例如FTP、SIP、H323、RTSP和QQ等多要在防火墻上部署NATserver功能，將服務器的私網(wǎng)地址轉(zhuǎn)換成公網(wǎng)地址，而且需要如果服務器在內(nèi)網(wǎng)，則需要配置智能S析地址，即與用戶屬于同一網(wǎng)絡地址避免跨網(wǎng)絡訪問。

IP地址追蹤到其私網(wǎng)IP與ISP口和VRRP無法指定gatewayIPIPVRRP備份組VRRP備份組VGMPVGMPIPIPVRRP備份組VRRP備份組VGMPVGMPIPIPVRRP備份組VRRP備份組VGMPVGMPIPIPVRRP備份組VRRP備份組VGMPVGMPIPIPIPIPIPIPIPSIPS允許ISPWebIPSIPSIPS允許ISPDNSV500R001C80源ISP2_2NATWebISP2_2公網(wǎng)IPISP2_2公網(wǎng)IPDNSISP2_2公網(wǎng)IP主用DNS備用DNS主用DNS備用DNS440101(2019-06-功能和智能功能需要Lie支持，另外智能功能需要加載內(nèi)容安全組件包才能使用。對于USG9500，IPS、基于應用的策略路由、智能DNS（SPC-APPSEC-FW）使用IPS功能前，建議將IPS為了避免心跳接口故障導致雙機通信異常，心跳接口建議使用Eth-trun接口。對于支持擴展多個接口卡的設(shè)備（具體支持情況，請查閱硬件指南），必須使用跨板run接口，即一個runk的成員接口來自于不同的接口板，這樣既提高了可靠性，又增加了備份通道的帶寬。對于無接口擴展能力無法使用跨板run的設(shè)備，可能存在一塊接口卡故障導致所有P備份通道不可用、業(yè)務受損。策略路由智能選路不能和IP欺騙攻擊防范功能或URPF（UnicastReversePathForwarding，單播逆向路徑轉(zhuǎn)發(fā)）功能一起使用。如果開啟IP欺騙攻擊OSPF等動態(tài)路由協(xié)議中發(fā)布出去。對于NATServer來說，如果指定了協(xié)議和端550101(2019-06-5-1IP[FW_A]interfaceEth-Trunk[FW_A]interfaceEth-Trunk[FW_A-Eth-Trunk1]undoservice-manage[FW_A-Eth-Trunk1]descriptionTo-[FW_A-Eth-Trunk1]quit[FW_A]interfaceEth-Trunk[FW_A-Eth-Trunk2]undoservice-manage[FW_A-Eth-Trunk2]descriptionTo-[FW_A-Eth-Trunk2]quit[FW_A]interfaceEth-Trunk[FW_A-Eth-Trunk1.1]descriptionTo-isp1-1[FW_A-Eth-Trunk1.1]vlan-typedot1q11[FW_A-Eth-Trunk1.1]ipaddress29[FW_A-Eth-Trunk1.1]quit[FW_A]interfaceEth-Trunk[FW_A-Eth-Trunk2.1]descriptionTo-isp2-1[FW_A-Eth-Trunk2.1]vlan-typedot1q21[FW_A-Eth-Trunk2.1]ipaddress29[FW_A-Eth-Trunk2.1]quit[FW_A]interfaceEth-Trunk[FW_A-Eth-Trunk1.2]descriptionTo-isp1-2[FW_A-Eth-Trunk1.2]vlan-typedot1q12[FW_A-Eth-Trunk1.2]ipaddress29[FW_A-Eth-Trunk1.2]quit[FW_A]interfaceEth-Trunk[FW_A-Eth-Trunk2.2]descriptionTo-isp2-2[FW_A-Eth-Trunk2.2]vlan-typedot1q22[FW_A-Eth-Trunk2.2]ipaddress29[FW_A-Eth-Trunk2.2]quit[FW_A]interfaceGigabitEthernet[FW_A-GigabitEthernet1/0/3]undoservice-manage[FW_A-GigabitEthernet1/0/3]descriptionTo-router[FW_A-GigabitEthernet1/0/3]ipaddress24[FW_A-GigabitEthernet1/0/3]quit[FW_A]interfaceGigabitEthernet[FW_A-GigabitEthernet1/0/4]undoservice-manage[FW_A-GigabitEthernet1/0/4]descriptionTo-server[FW_A-GigabitEthernet1/0/4]ipaddress24[FW_A-GigabitEthernet1/0/4]quit[FW_A]interfaceEth-Trunk[FW_A-Eth-Trunk0]undoservice-manageenable[FW_A-Eth-Trunk0]descriptionHrp-interface[FW_A-Eth-Trunk0]ipaddress24[FW_A-Eth-Trunk0][FW_A]interfaceGigabitEthernet[FW_A-GigabitEthernet2/0/0]undoservice-manage[FW_A-GigabitEthernet2/0/0]eth-trunk0[FW_A-GigabitEthernet2/0/0]quit[FW_A]interfaceGigabitEthernet1/0/5[FW_A-GigabitEthernet1/0/5]undoservice-manage[FW_A-GigabitEthernet1/0/5]eth-trunk[FW_A-GigabitEthernet1/0/5]步驟2將FW_A[FW_A][FW_A]firewallzonename[FW_A-zone-isp1_1]setpriority[FW_A-zone-isp1_1]addinterfaceEth-Trunk[FW_A-zone-isp1_1][FW_A]firewallzonename[FW_A-zone-isp1_2]setpriority[FW_A-zone-isp1_2]addinterfaceEth-Trunk[FW_A-zone-isp1_2][FW_A]firewallzonename[FW_A-zone-isp2_1]setpriority[FW_A-zone-isp2_1]addinterfaceEth-Trunk[FW_A-zone-isp2][FW_A]firewallzonename[FW_A-zone-isp2_2][FW_A-zone-isp2_2]setpriority[FW_A-zone-isp1_2]addinterfaceEth-Trunk[FW_A-zone-isp2][FW_A]firewallzone[FW_A-zone-trust]addinterfaceGigabitEthernet[FW_A-zone-trust][FW_A]firewallzone[FW_A-zone-dmz]addinterfaceGigabitEthernet[FW_A]firewallzonename[FW_A-zone-hrp]setpriority[FW_A-zone-hrp]addinterfaceEth-Trunk[FW_A-zone-hrp]步驟3參考上述步驟配置FW_B的接口IP和安全區(qū)域，不同之處是接口IP----步驟1配置FW_A的健康檢查功能，分別為ISP1和ISP2其中目的地址是Internet真實存在的IP地址，本例以ISP網(wǎng)關(guān)地址、DNS[FW_A][FW_A]healthcheck[FW_A]healthcheckname[FW_A-healthcheck-isp1_health1]destinationinterfaceEth-Trunk1.1protocolicmp[FW_A-healthcheck-isp1_health1]destination22interfaceEth-Trunk1.1protocoldns[FW_A-healthcheck-isp1_health1]quit[FW_A]healthcheckname[FW_A-healthcheck-isp1_health2]destinationinterfaceEth-Trunk1.2protocolicmp[FW_A-healthcheck-isp1_health2]destination22interfaceEth-Trunk1.2protocoldns[FW_A-healthcheck-isp1_health2]quit[FW_A]healthcheckname[FW_A-healthcheck-isp2_health1]destinationinterfaceEth-Trunk2.1protocolicmp[FW_A-healthcheck-isp2_health1]destination22interfaceEth-Trunk2.1protocoldns[FW_A-healthcheck-isp2_health1]quit[FW_A]healthcheckname[FW_A-healthcheck-isp2_health2]destinationinterfaceEth-Trunk2.2protocolicmp[FW_A-healthcheck-isp2_health2]destination22interfaceEth-Trunk2.2protocoldns[FW_A-healthcheck-isp2_health2]quitFW_B與FW_A步驟2[FW_A][FW_A]interfaceEth-Trunk[FW_A-Eth-Trunk1.1]gateway[FW_A-Eth-Trunk1.1]bandwidthingress800000[FW_A-Eth-Trunk1.1]bandwidthegress800000[FW_A-Eth-Trunk1.1]healthcheckisp1_health1[FW_A-Eth-Trunk1.1]quit[FW_A]interfaceEth-[FW_A-Eth-Trunk1.2]gateway[FW_A-Eth-Trunk1.2]bandwidthingress400000[FW_A-Eth-Trunk1.2]bandwidthegress400000[FW_A-Eth-Trunk1.2]healthcheckisp1_health2[FW_A-Eth-Trunk1.2]quit[FW_A]interfaceEth-[FW_A-Eth-Trunk2.1]gateway[FW_A-Eth-Trunk2.1]bandwidthingress[FW_A-Eth-Trunk2.1]bandwidthegress[FW_A-Eth-Trunk2.1][FW_A-Eth-Trunk2.1]healthcheck[FW_A-Eth-Trunk2.1][FW_A]interfaceEth-[FW_A-Eth-Trunk2.2]gateway[FW_A-Eth-Trunk2.2]bandwidthingress600000[FW_A-Eth-Trunk2.2]bandwidthegress600000[FW_A-Eth-Trunk2.2]healthcheckisp2_health2[FW_A-Eth-Trunk2.2]quit步驟3配置DNS透明代理。配置DNS[FW_A][FW_A]dns-transparent-[FW_A-policy-dns]dnstransparent-proxy[FW_A-policy-dns]dnsserverbindinterfaceEth-Trunk1.1preferred22alternate23[FW_A-policy-dns]dnsserverbindinterfaceEth-Trunk1.2preferred22alternate23[FW_A-policy-dns]dnsserverbindinterfaceEth-Trunk2.1preferred22alternate23[FW_A-policy-dns]dnsserverbindinterfaceEth-Trunk2.2preferred22alternate23[FW_A-policy-dns]dnstransparent-proxyexcludedomainserverpreferred[FW_A-policy-dns]rulename[FW_A-policy-dns-rule-dns_proxy]action[FW_A-policy-dns-rule-dns_proxy]source-address[FW_A-policy-dns-rule-dns_proxy][FW_A-policy-dns]FW_B與FW_Adnstransparent-proxyexcludedomain命令用來配置不需要DNS透明代理的域配置基于DNS服務的策略路由使DNS[FW_A][FW_A]policy-based-[FW_A-policy-pbr]rulename[FW_A-policy-pbr-rule-dns_pbr]ingress-interface[FW_A-policy-pbr-rule-dns_pbr]service[FW_A-policy-pbr-rule-dns_pbr]actionpbregress-interfacemulti-interface[FW_A-policy-pbr-rule-dns_pbr-multi-inter]addinterfaceEth-Trunk1.1weight2[FW_A-policy-pbr-rule-dns_pbr-multi-inter]addinterfaceEth-Trunk1.2weight1[FW_A-policy-pbr-rule-dns_pbr-multi-inter]addinterfaceEth-Trunk2.1weight3[FW_A-policy-pbr-rule-dns_pbr-multi-inter]addinterfaceEth-Trunk2.2weight2[FW_A-policy-pbr-rule-dns_pbr-multi-inter]modeproportion-of-weight[FW_A-policy-pbr-rule-dns_pbr-multi-inter][FW_A-policy-pbr-rule-dns_pbr]步驟4配置策略路由智能選路。上傳ISP地址文件到FW_A為ISP1和ISP2分別創(chuàng)建運營商名稱isp1和isp2，并關(guān)聯(lián)對應的ISP[FW_A][FW_A]ispnameisp1setfilename[FW_A]ispnameisp2setfilename完成此配置后，防火墻自動生成以P名稱命名的地址集，地址集中包含對應的地址。該地址集中的內(nèi)容不能直接修改，只能通過重新導入P接修改。P地址集可以被策略路由引用，作為源地址或目的地址。FW_B與FW_A配置基于應用的策略路由，引導P2P流量從ISP2[FW_A][FW_A]policy-based-[FW_A-policy-pbr]rulename[FW_A-policy-pbr-rule-p2p_pbr]ingress-interfaceGigabitEthernet1/0/3[FW_A-policy-pbr-rule-p2p_pbr]applicationappBTThundereDonkey_eMule[FW_A-policy-pbr-rule-p2p_pbr]actionpbregress-interfacemulti-interface[FW_A-policy-pbr-rule-p2p_pbr-multi-inter]addinterfaceEth-Trunk2.1weight3[FW_A-policy-pbr-rule-p2p_pbr-multi-inter]addinterfaceEth-Trunk2.2weight2[FW_A-policy-pbr-rule-p2p_pbr-multi-inter]modeproportion-of-weight[FW_A-policy-pbr-rule-p2p_pbr-multi-inter][FW_A-policy-pbr-rule-p2p_pbr]說明配置基于服務和P應用的策略路由，再配置基于目的地址的策略路由，否則將先匹配基于目的地址的策略路由，基于服務和P應用的策略路由就不生效了。FW_B與FW_A[FW_A-policy-pbr][FW_A-policy-pbr]rulename[FW_A-policy-pbr-rule-isp1_pbr]ingress-interface[FW_A-policy-pbr-rule-isp1_pbr]destination-addressisp[FW_A-policy-pbr-rule-isp1_pbr]actionpbregress-interfacemulti-interface[FW_A-policy-pbr-rule-isp1_pbr-multi-inter]addinterfaceEth-Trunk1.1weight2[FW_A-policy-pbr-rule-isp1_pbr-multi-inter]addinterfaceEth-Trunk1.2weight1[FW_A-policy-pbr-rule-isp1_pbr-multi-inter]modeproportion-of-weight[FW_A-policy-pbr-rule-isp1_pbr-multi-inter][FW_A-policy-pbr-rule-isp1_pbr]FW_B與FW_A[FW_A-policy-pbr][FW_A-policy-pbr]rulename[FW_A-policy-pbr-rule-isp2_pbr]ingress-interface[FW_A-policy-pbr-rule-isp2_pbr]destination-addressisp[FW_A-policy-pbr-rule-isp2_pbr]actionpbregress-interfacemulti-interface[FW_A-policy-pbr-rule-isp2_pbr-multi-inter]addinterfaceEth-Trunk2.1weight3[FW_A-policy-pbr-rule-isp2_pbr-multi-inter]addinterfaceEth-Trunk2.2weight2[FW_A-policy-pbr-rule-isp2_pbr-multi-inter]modeproportion-of-weight[FW_A-policy-pbr-rule-isp2_pbr-multi-inter][FW_A-policy-pbr-rule-isp2_pbr]步驟5配置OSPF。在FW_A上配置OSPF[FW_A][FW_A]ospf[FW_A-ospf-1]area[FW_A-ospf-1-area-][FW_A-ospf-1]在FW_B上配置OSPF[FW_B][FW_B]ospf[FW_B-ospf-1]area[FW_B-ospf-1-area-][FW_B-ospf-1]----5-2[FW_A]interfaceEth-Trunk[FW_A-Eth-Trunk1.1][FW_A]interfaceEth-Trunk[FW_A-Eth-Trunk1.1]vrrpvrid1virtual-ip29[FW_A-Eth-Trunk1.1][FW_A]interfaceEth-Trunk[FW_A-Eth-Trunk2.1]vrrpvrid2virtual-ip29[FW_A-Eth-Trunk2.1][FW_A]interfaceEth-Trunk[FW_A-Eth-Trunk1.2]vrrpvrid3virtual-ip29[FW_A-Eth-Trunk1.2][FW_A]interfaceEth-Trunk[FW_A-Eth-Trunk2.2]vrrpvrid4virtual-ip29[FW_A-Eth-Trunk2.2]步驟2在FW_A上配置VGMP[FW_A][FW_A]hrptrackinterfaceGigabitEthernet[FW_A]hrptrackinterfaceGigabitEthernet步驟3在FW_A配置根據(jù)VGMP狀態(tài)調(diào)整OSPFCost[FW_A]hrpadjustospf-cost 步驟4在FW_A上開啟搶占功能，并配置搶占延遲時間為300s[FW_A]hrppreemptdelay [FW_A]hrpinterfaceEth-Trunk0[FW_A]hrpinterfaceEth-Trunk0remote[FW_A]hrp步驟6參考上述步驟配置FW_B的雙機熱備功能，不同之處是VRRP步驟7在路由器上配置OSPF----

HRP_M[FW_A]nataddress-groupHRP_M[FW_A-address-group-pool_isp1_1]modeHRP_M[FW_A]nataddress-groupHRP_M[FW_A-address-group-pool_isp1_1]modeHRP_M[FW_A-address-group-pool_isp1_1]section02HRP_M[FW_A-address-group-pool_isp1_1]routeenableHRP_M[FW_A-address-group-pool_isp1_1]quit說明routeenable命令將會為NAT地址池中的地址生成UNR（UserNetworkRoute）路由，該步驟2配置Trust與isp1_1區(qū)域之間的NAT策略，將來自Trust區(qū)域用戶報文的源地址轉(zhuǎn)換成地HRP_M[FW_A]HRP_M[FW_A]nat-HRP_M[FW_A-policy-nat]rulenameHRP_M[FW_A-policy-nat-rule-policy_nat1]source-zoneHRP_M[FW_A-policy-nat-rule-policy_nat1]destination-zoneHRP_M[FW_A-policy-nat-rule-policy_nat1]actionsource-nataddress-groupHRP_M[FW_A-policy-nat-rule-policy_nat1]HRP_M[FW_A-policy-nat]步驟3配置NAT地址池pool_isp1_2，并指定地址池類型為NAPTHRP_M[FW_A]HRP_M[FW_A]nataddress-groupHRP_M[FW_A-address-group-pool_isp1_2]modeHRP_M[FW_A-address-group-pool_isp1_2]section02HRP_M[FW_A-address-group-pool_isp1_2]routeenableHRP_M[FW_A-address-group-pool_isp1_2]quit步驟4配置Trust與isp1_2區(qū)域之間的NAT策略，將來自Trust區(qū)域用戶報文的源地址轉(zhuǎn)換成地HRP_M[FW_A]HRP_M[FW_A]nat-HRP_M[FW_A-policy-nat]rulenameHRP_M[FW_A-policy-nat-rule-policy_nat2]source-zoneHRP_M[FW_A-policy-nat-rule-policy_nat2]destination-zoneHRP_M[FW_A-policy-nat-rule-policy_nat2]actionsource-nataddress-groupHRP_M[FW_A-policy-nat-rule-policy_nat2]HRP_M[FW_A-policy-nat]步驟5配置NAT地址池pool_isp2_1，并指定地址池類型為NAPTHRP_M[FW_A]HRP_M[FW_A]nataddress-groupHRP_M[FW_A-address-group-pool_isp2_1]modeHRP_M[FW_A-address-group-pool_isp2_1]section0HRP_M[FW_A-address-group-pool_isp2_1]HRP_M[FW_A-address-group-pool_isp2_1]routeHRP_M[FW_A-address-group-pool_isp2_1]步驟6配置Trust與isp2_1區(qū)域之間的NAT策略，將來自Trust區(qū)域用戶報文的源地址轉(zhuǎn)換成地HRP_M[FW_A]HRP_M[FW_A]nat-HRP_M[FW_A-policy-nat]rulenameHRP_M[FW_A-policy-nat-rule-policy_nat3]source-zoneHRP_M[FW_A-policy-nat-rule-policy_nat3]destination-zoneHRP_M[FW_A-policy-nat-rule-policy_nat3]actionsource-nataddress-groupHRP_M[FW_A-policy-nat-rule-policy_nat3]HRP_M[FW_A-policy-nat]步驟7配置NAT地址池pool_isp2_2，并指定地址池類型為NAPTHRP_M[FW_A]HRP_M[FW_A]nataddress-groupHRP_M[FW_A-address-group-pool_isp2_2]modeHRP_M[FW_A-address-group-pool_isp2_2]section02HRP_M[FW_A-address-group-pool_isp2_2]routeenableHRP_M[FW_A-address-group-pool_isp2_2]quit步驟8配置Trust與isp2_2區(qū)域之間的NAT策略，將來自Trust區(qū)域用戶報文的源地址轉(zhuǎn)換成地HRP_M[FW_A]HRP_M[FW_A]nat-HRP_M[FW_A-policy-nat]rulenameHRP_M[FW_A-policy-nat-rule-policy_nat4]source-zoneHRP_M[FW_A-policy-nat-rule-policy_nat4]destination-zoneHRP_M[FW_A-policy-nat-rule-policy_nat4]actionsource-nataddress-groupHRP_M[FW_A-policy-nat-rule-policy_nat4]HRP_M[FW_A-policy-nat]步驟9配置NATALG功能。HRP_M[FW_A]detectftpHRP_M[FW_A]detectsipHRP_M[FW_A]detecth323HRP_M[FW_A]detectrtspHRP_M[FW_A]detectqq----NATServer說明智能DNS受內(nèi)容安全組合License對于0，智能需要應用安全業(yè)務處理子卡（W）在位，否則功能不可用。步驟1配置NATServer配置NATServer功能，將Web服務器的私網(wǎng)地址分別映射成供ISP1和ISP2用戶訪HRP_M[FW_A]HRP_M[FW_A]natserverpolicy_web1zoneisp1_1protocoltcpglobal580800HRP_M[FW_A]natserverpolicy_web2zoneisp1_2protocoltcpglobal580800HRP_M[FW_A]natserverpolicy_web3zoneisp2_1protocoltcpglobal580800HRP_M[FW_A]natserverpolicy_web4zoneisp2_2protocoltcpglobal580800配置NATServer功能，將FTP服務器的私網(wǎng)地址分別映射成供ISP1和ISP2用戶訪問HRP_M[FW_A]HRP_M[FW_A]natserverpolicy_ftp1zoneisp1_1protocoltcpglobal6ftp1HRP_M[FW_A]natserverpolicy_ftp2zoneisp1_2protocoltcpglobal6ftp1HRP_M[FW_A]natserverpolicy_ftp3zoneisp2_1protocoltcpglobal6ftp1HRP_M[FW_A]natserverpolicy_ftp4zoneisp2_2protocoltcpglobal6ftp1配置NATServer功能，將DNS服務器的私網(wǎng)地址分別映射成供ISP1和ISP2用戶訪HRP_M[FW_A]HRP_M[FW_A]natserverpolicy_dns1zoneisp1_1protocoltcpglobal7domain0HRP_M[FW_A]natserverpolicy_dns2zoneisp1_2protocoltcpglobal7domain0HRP_M[FW_A]natserverpolicy_dns3zoneisp2_1protocoltcpglobal7domain0HRP_M[FW_A]natserverpolicy_dns4zoneisp2_2protocoltcpglobal7domain0步驟2說明接口和安全區(qū)域和5.2配置智能選路及路由中配置完成。接口下配置不支持備份，因此需要同時在FW_A和FW_BHRP_M[FW_A]HRP_M[FW_A]interfaceEth-TrunkHRP_M[FW_A-Eth-Trunk1.1]redirect-reversenext-hopHRP_M[FW_A-Eth-Trunk1.1]HRP_M[FW_A]interfaceEth-TrunkHRP_M[FW_A-Eth-Trunk2.1]redirect-reversenext-hopHRP_M[FW_A-Eth-Trunk2.1]HRP_M[FW_A]interfaceEth-TrunkHRP_M[FW_A-Eth-Trunk1.2]redirect-reversenext-hopHRP_M[FW_A-Eth-Trunk1.2]HRP_M[FW_A]interfaceEth-TrunkHRP_M[FW_A-Eth-Trunk2.2]redirect-reversenext-hopHRP_M[FW_A-Eth-Trunk2.2]HRP_S[FW_B]interfaceEth-TrunkHRP_S[FW_B-Eth-Trunk1.1]redirect-reversenext-hopHRP_S[FW_B-Eth-Trunk1.1]HRP_S[FW_B]interfaceEth-TrunkHRP_S[FW_B-Eth-Trunk2.1]redirect-reversenext-hopHRP_S[FW_B-Eth-Trunk2.1]HRP_S[FW_B]interfaceEth-TrunkHRP_S[FW_B-Eth-Trunk1.2]redirect-reversenext-hopHRP_S[FW_B-Eth-Trunk1.2]HRP_S[FW_B]interfaceEth-TrunkHRP_S[FW_B-Eth-Trunk2.2]redirect-reversenext-hopHRP_S[FW_B-Eth-Trunk2.2]步驟3配置智能DNS服務器部署在內(nèi)網(wǎng)且記錄了eb和P服務器域名與公網(wǎng)地址的對應關(guān)系，此時配置智能功能，確保各個的用戶訪問內(nèi)網(wǎng)服務器時，都能夠解析到自己為服務器分配的地址，從而提高訪問速度。例如使的用戶訪問內(nèi)網(wǎng)的eb服務器HRP_M[FW_A]HRP_M[FW_A]dns-smartHRP_M[FW_A]dns-smartgroup1typeHRP_M[FW_A-dns-smart-group-1]out-interfaceEth-Trunk1.1mapHRP_M[FW_A-dns-smart-group-1]out-interfaceEth-Trunk2.1mapHRP_M[FW_A-dns-smart-group-1]out-interfaceEth-Trunk1.2mapHRP_M[FW_A-dns-smart-group-1]out-interfaceEth-Trunk2.2mapHRP_M[FW_A-dns-smart-group-1]HRP_M[FW_A]dns-smartgroup2typeHRP_M[FW_A-dns-smart-group-2]out-interfaceEth-Trunk1.1mapHRP_M[FW_A-dns-smart-group-2]out-interfaceEth-Trunk2.1mapHRP_M[FW_A-dns-smart-group-2]out-interfaceEth-Trunk1.2mapHRP_M[FW_A-dns-smart-group-2]out-interfaceEth-Trunk2.2mapHRP_M[FW_A-dns-smart-group-2]步驟4配置NATServer公網(wǎng)地址的黑洞路由，避免防火墻與ISP路由器之間產(chǎn)生路由環(huán)路。HRP_M[FW_A]HRP_M[FW_A]iproute-static532NULLHRP_M[FW_A]iproute-static632NULLHRP_M[FW_A]iproute-static732NULLHRP_M[FW_A]iproute-static532NULLHRP_M[FW_A]iproute-static632NULLHRP_M[FW_A]iproute-static732NULLHRP_M[FW_A]iproute-static532NULLHRP_M[FW_A]iproute-static632NULLHRP_M[FW_A]iproute-static732NULLHRP_M[FW_A]iproute-static532NULLHRP_M[FW_A]iproute-static632NULLHRP_M[FW_A]iproute-static732NULLHRP_S[FW_B]iproute-static532NULLHRP_S[FW_B]iproute-static632NULLHRP_S[FW_B]iproute-static732NULLHRP_S[FW_B]iproute-static532NULLHRP_S[FW_B]iproute-static632NULLHRP_S[FW_B]iproute-static732NULLHRP_S[FW_B]iproute-static532NULLHRP_S[FW_B]iproute-static632NULLHRP_S[FW_B]iproute-static732NULLHRP_S[FW_B]iproute-static532NULLHRP_S[FW_B]iproute-static632NULLHRP_S[FW_B]iproute-static732NULL----步驟1配置Trust區(qū)域到isp1_1、isp1_2區(qū)域的安全策略，允許內(nèi)網(wǎng)用戶通過ISP1HRP_M[FW_A]security-HRP_M[FW_A]security-HRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-trust_to_isp1]source-zonetrustHRP_M[FW_A-policy-security-rule-trust_to_isp1]destination-zoneisp1_1isp1_2HRP_M[FW_A-policy-security-rule-trust_to_isp1]profileipsdefaultHRP_M[FW_A-policy-security-rule-trust_to_isp1]actionpermitHRP_M[FW_A-policy-security-rule-trust_to_isp1]步驟2配置Trust區(qū)域到isp2_1、isp2_2區(qū)域的安全策略，允許內(nèi)網(wǎng)用戶通過ISP2HRP_M[FW_A-policy-security]HRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-trust_to_isp2]source-zonetrustHRP_M[FW_A-policy-security-rule-trust_to_isp2]destination-zoneisp2_1isp2_2HRP_M[FW_A-policy-security-rule-trust_to_isp2]profileipsdefaultHRP_M[FW_A-policy-security-rule-trust_to_isp2]actionpermitHRP_M[FW_A-policy-security-rule-trust_to_isp2]步驟3配置isp1_1、isp1_2區(qū)域到DMZ區(qū)域的安全策略，允許外網(wǎng)用戶通過ISP1HRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-isp1_to_http]source-zoneisp1_1isp1_2HRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-isp1_to_http]source-zoneisp1_1isp1_2HRP_M[FW_A-policy-security-rule-isp1_to_http]destination-zonedmzHRP_M[FW_A-policy-security-rule-isp1_to_http]destination-address024HRP_M[FW_A-policy-security-rule-isp1_to_http]servicehttpHRP_M[FW_A-policy-security-rule-isp1_to_http]profileipsdefaultHRP_M[FW_A-policy-security-rule-isp1_to_http]actionpermitHRP_M[FW_A-policy-security-rule-isp1_to_http]quitHRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-isp1_to_ftp]source-zoneisp1_1isp1_2HRP_M[FW_A-policy-security-rule-isp1_to_ftp]destination-zonedmzHRP_M[FW_A-policy-security-rule-isp1_to_ftp]destination-address124HRP_M[FW_A-policy-security-rule-isp1_to_ftp]serviceftpHRP_M[FW_A-policy-security-rule-isp1_to_ftp]profileipsdefaultHRP_M[FW_A-policy-security-rule-isp1_to_ftp]actionpermitHRP_M[FW_A-policy-security-rule-isp1_to_ftp]quitHRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-isp1_to_dns]source-zoneisp1_1isp1_2HRP_M[FW_A-policy-security-rule-isp1_to_dns]destination-zonedmzHRP_M[FW_A-policy-security-rule-isp1_to_dns]destination-address024HRP_M[FW_A-policy-security-rule-isp1_to_dns]servicednsHRP_M[FW_A-policy-security-rule-isp1_to_dns]profileipsdefaultHRP_M[FW_A-policy-security-rule-isp1_to_dns]actionpermitHRP_M[FW_A-policy-security-rule-isp1_to_dns]quit步驟4配置isp2_1、isp2_2區(qū)域到DMZ區(qū)域的安全策略，允許外網(wǎng)用戶通過ISP2HRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-isp2_to_http]source-zoneisp2_1isp2_2HRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-isp2_to_http]source-zoneisp2_1isp2_2HRP_M[FW_A-policy-security-rule-isp2_to_http]destination-zonedmzHRP_M[FW_A-policy-security-rule-isp2_to_http]destination-address024HRP_M[FW_A-policy-security-rule-isp2_to_http]servicehttpHRP_M[FW_A-policy-security-rule-isp2_to_http]profileipsdefaultHRP_M[FW_A-policy-security-rule-isp2_to_http]actionpermitHRP_M[FW_A-policy-security-rule-isp2_to_http]quitHRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-isp2_to_ftp]source-zoneisp2_1isp2_2HRP_M[FW_A-policy-security-rule-isp2_to_ftp]destination-zonedmzHRP_M[FW_A-policy-security-rule-isp2_to_ftp]destination-address124HRP_M[FW_A-policy-security-rule-isp2_to_ftp]serviceftpHRP_M[FW_A-policy-security-rule-isp2_to_ftp]profileipsdefaultHRP_M[FW_A-policy-security-rule-isp2_to_ftp]actionpermitHRP_M[FW_A-policy-security-rule-isp2_to_ftp]quitHRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-isp2_to_dns]source-zoneisp2_1isp2_2HRP_M[FW_A-policy-security-rule-isp2_to_dns]destination-zonedmzHRP_M[FW_A-policy-security-rule-isp2_to_dns]destination-address024HRP_M[FW_A-policy-security-rule-isp2_to_dns]servicednsHRP_M[FW_A-policy-security-rule-isp2_to_dns]profileipsdefaultHRP_M[FW_A-policy-security-rule-isp2_to_dns]actionpermitHRP_M[FW_A-policy-security-rule-isp2_to_dns]quit步驟5配置Trust區(qū)域到DMZ區(qū)域的安全策略，允許內(nèi)網(wǎng)用戶訪問DMZ區(qū)域的WebHRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-trust_to_http]source-zoneHRP_M[FW_A-policy-security-rule-trust_to_http]destination-zonedmzHRP_M[FW_A-policy-security-rule-trust_to_http]destination-address024HRP_M[FW_A-policy-security-rule-trust_to_http]servicehttpHRP_M[FW_A-policy-security-rule-trust_to_http]HRP_M[FW_A-policy-security-rule-trust_to_http]profileipsdefaultHRP_M[FW_A-policy-security-rule-trust_to_http]actionpermitHRP_M[FW_A-policy-security-rule-trust_to_http]quitHRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-trust_to_ftp]source-zoneHRP_M[FW_A-policy-security-rule-trust_to_ftp]destination-zonedmzHRP_M[FW_A-policy-security-rule-trust_to_ftp]destination-address124HRP_M[FW_A-policy-security-rule-trust_to_ftp]serviceftpHRP_M[FW_A-policy-security-rule-trust_to_ftp]profileipsdefaultHRP_M[FW_A-policy-security-rule-trust_to_ftp]actionpermitHRP_M[FW_A-policy-security-rule-trust_to_ftp]quitHRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-trust_to_dns]source-zoneHRP_M[FW_A-policy-security-rule-trust_to_dns]destination-zonedmzHRP_M[FW_A-policy-security-rule-trust_to_dns]destination-address024HRP_M[FW_A-policy-security-rule-trust_to_dns]servicednsHRP_M[FW_A-policy-security-rule-trust_to_dns]profileipsdefaultHRP_M[FW_A-policy-security-rule-trust_to_dns]actionpermitHRP_M[FW_A-policy-security-rule-trust_to_dns]quitHRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-local_to_logcenter]HRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-local_to_logcenter]source-zoneHRP_M[FW_A-policy-security-rule-local_to_logcenter]destination-zonedmzHRP_M[FW_A-policy-security-rule-local_to_logcenter]destination-address024HRP_M[FW_A-policy-security-rule-local_to_logcenter]actionpermitHRP_M[FW_A-policy-security-rule-local_to_logcenter]步驟7配置Local到isp1和isp2區(qū)域的安全策略，允許FW連接安全中心升級特征庫、發(fā)送健康HRP_M[FW_A-policy-security]HRP_M[FW_A-policy-security]rulenameHRP_M[FW_A-policy-security-rule-local_to_isp]source-zoneHRP_M[FW_A-policy-security-rule-local_to_isp]destination-zoneisp1_1isp1_2isp2_1HRP_M[FW_A-policy-security-rule-local_to_isp]actionpermitHRP_M[FW_A-policy-security-rule-local_to_isp]quitHRP_M[FW_A-policy-security]quit說明對于00之前的版本，需要在上配置對應的安全策略，允許向目的設(shè)備發(fā)送健康檢查探測報文。對于0及之后的版本，健康檢查的探測報文不受安全策略控制，默認放行，無需配置相應安全策略。步驟8HRP_M[FW_A]HRP_M[FW_A]display :Enabled;serviceexpiretime:配置DNSHRP_M[FW_A]HRP_M[FW_A]dnsHRP_M[FW_A]dnsserverHRP_M[FW_A]HRP_M[FW_A]updatescheduleips-sdbenableHRP_M[FW_A]updateschedulesa-sdbenableHRP_M[FW_A]updatescheduleips-sdbdaily03:00HRP_M[FW_A]updateschedulesa-sdbweeklyMon03:00HRP_M[FW_A]firewalldefendlandenableHRP_M[FW_A]firewalldefendsmurfenableHRP_M[FW_A]HRP_M[FW_A]firewalldefendlandenableHRP_M[FW_A]firewalldefendsmurfenableHRP_M[FW_A]firewalldefendfraggleenableHRP_M[FW_A]firewalldefendip-fragmentenableHRP_M[FW_A]firewalldefendtcp-flagenableHRP_M[FW_A]firewalldefendwinnukeenableHRP_M[FW_A]firewalldefendteardropenableHRP_M[FW_A]HRP_M[FW_A]firewalldefendroute-recordenableHRP_M[FW_A]firewalldefendtime-stampenableHRP_M[FW_A]firewalldefendping-of-deathenable----

步驟1在FW_AHRP_M[FW_A]HRP_M[FW_A]firewallloghost10HRP_M[FW_A]firewalllogsource步驟2在FW_AHRP_M[FW_A]HRP_M[FW_A]security-HRP_M[FW_A-policy-security]rulenametrust_to_isp1HRP_M[FW_A-policy-security-rule-trust_to_isp1]sessionloggingHRP_M[FW_A-policy-security-rule-trust_to_isp1]quitHRP_M[FW_A-policy-security]rulenametrust_to_isp2HRP_M[FW_A-policy-security-rule-trust_to_isp2]sessionloggingHRP_M[FW_A-policy-security-rule-trust_to_isp2]quitHRP_M[FW_A-policy-security]quit步驟3在FW_A上開啟IMHRP_M[FW_A]firewalllogim 步驟4在FW_B上配置向日志主機發(fā)送日志的源IPHRP_S[FW_B]firewalllogsource 步驟5在FW_A上配置SNMPV3HRP_M[FW_A]HRP_M[FW_A]snmp-agentsys-infoversionHRP_M[FW_A]snmp-agentgroupv3NMS1HRP_M[FW_A]snmp-agentusm-userv3admin1groupHRP_M[FW_A]snmp-agentusm-userv3admin1authentication-modemd5cipherHRP_M[FW_A]snmp-agentusm-userv3admin1privacy-modeaes256cipher步驟6在FW_B上配置SNMPV3HRP_S[FW_B]snmp-agentgroupv3NMS1HRP_S[FW_B]snmp-agentusm-userv3admin1groupHRP_S[FW_B]snmp-agentusm-userv3admin1authentication-modemd5cipherHRP_S[FW_B]snmp-agentusm-userv3admin1privacy-modeaes256cipher步驟7eLog配置完成后，在eLog>>IPv4會話日志”，可以查看會話日志。選擇“日志分析>網(wǎng)絡安全分析>即時通信”，可以查看IM日志。----步驟1登錄Web步驟2步驟3對于USG6000>>流量報表”查看流量報----外網(wǎng)用戶可以通過公網(wǎng)IPeLog在主防火墻的接口GigabitEthernet1/0/1上執(zhí)行shutdown命令，模擬鏈路故障，sysnameFW_Ahrppreemptdelay300hrpenablehrptrackinterfaceGigabitEthernet1/0/3hrptrackinterfaceGigabitEthernet1/0/4hrpadjustospf-costenablefirewalllogimfirewallloghost0firewalllogsource6000firewalldefendsmurfenablefirewalldefendlandenablefirewalldefendfraggleenablefirewalldefendping-of-deathenablefirewalldefendwinnukeenablefirewalldefendroute-recordenablefirewalldefendsource-routeenablefirewalldefendtime-stampenableispnameisp1setfilenameisp1.csvispnameisp2setfilenameisp2.csvupdatescheduleips-sdbweeklyMon03:00updateschedulesa-sdbdaily03:00dnshealthcheckenablehealthchecknameisp1_health1protocoldnshealthchecknameprotocoldnshealthchecknameprotocoldnshealthchecknameprotocoldnsinterfaceEth-Trunk0descriptionHrp-interfaceundoservice-manageenabledescriptionTo-isp1sysnameFW_Bhrppreemptdelay300hrpenablehrptrackinterfaceGigabitEthernet1/0/3hrptrackinterfaceGigabitEthernet1/0/4hrpadjustospf-costenablefirewalllogimfirewallloghost0firewalllogsource6000firewalldefendsmurfenablefirewalldefendlandenablefirewalldefendfraggleenablefirewalldefendping-of-deathenablefirewalldefendwinnukeenablefirewalldefendroute-reco