Application of Firewalls in the Core Network PS Domain (2019-06)

Document summary

Contents: Typical networking; Service planning; Configuration steps; Result verification; Configuration script; VRRP+OSPF (active/standby backup); OSPF (load balancing).

This document is written for version X0 and can be used as a reference for X0, --G0 and later versions. There may be differences between versions; refer to the version actually in use.

A 2G/3G mobile core network is divided into the CS domain (Circuit Switch) and the PS domain (Packet Switch). LTE (Long Term Evolution) is the evolution of 3G, and mainstream operators use LTE as their 4G network, with the EPC (Evolved Packet Core) as its core. As shown in Figure 2-1, the FW is deployed at the Internet egress of the mobile core network (in 2G/3G the egress is called the Gi interface, in 4G the SGi interface). Its main function is NAT; in addition it provides isolation between domains and protection of the network border.

Besides Gi/SGi traffic, Gn traffic sometimes also passes through the firewall. Gn traffic is the traffic between the local SGSN (S-GW) and the GGSN (P-GW). Packets from mobile terminals traverse the access/aggregation network and the core network to reach the Gi/SGi interface, and reach the Internet after NAT translation; in this case the FW processes the original packets sent by the mobile terminals.

Figure 3-1 shows the typical networking of the two FWs.

When the volume of backup data is large, deploy several heartbeat links. Usually one interface used as the HRP backup channel can carry a given number of new connections per second, a given number of concurrent sessions, or 5G of service traffic (the exact figures are missing from the extracted text). Estimate the number of interfaces the backup channel needs from the actual traffic on the live network, and bundle interfaces to add redundancy. For example, if the service traffic amounts to the stated number of concurrent sessions, at least that many GE interfaces are needed as the backup channel, and when planning, more interfaces are bundled to add redundancy.

Configure the hrp adjust ospf-cost command to enable adjusting the OSPF cost according to the active/standby state, so that HRP and OSPF work together. Normally, when the standby firewall advertises OSPF routes, their cost is increased by a fixed value so that routes prefer the path through the active firewall. When an interface or the whole FW fails, an active/standby switchover is triggered and the cost values are adjusted: the OSPF routes of the original active link have their cost increased, the original standby firewall's cost is adjusted accordingly, and service is not interrupted.

Configure hrp track on the FW's upstream and downstream interfaces. Where there are transmission devices between the FW and the upstream/downstream devices, configure the hrp track bfd function to monitor the links: use bfd cfg-name bind peer-ip peer-ip [interface interface-type interface-number] to create a BFD session binding and specify the link to be detected.

When the active firewall FW_A fails as a whole, failover takes place as shown in Figure 3-2 (Figures 3-2 and 3-3 are not reproduced in the extracted text). The interface and security zone planning on the FW is shown in Table 3-1 (only its column headings, HRP interface and IP address, were recovered).

Table 3-2 Security policy planning (partially recovered):
Local – Trust: permit OSPF.
Local – Untrust: the policy that lets the FW itself reach the Internet zone can be configured to permit all packets; if a more fine-grained policy is configured, OSPF packets must still be permitted.
Trust – Untrust: permit the GRE tunnel traffic between the WAP gateway and the GGSN.

Route planning: the firewall learns the default route from the Internet-side device and advertises it to the core-network-side devices through OSPF in non-forced mode (default-route-advertise). A route policy is also needed so that, when the firewall imports static routes on the Internet side, only the address-pool routes are advertised and other private addresses are not. The firewall learns the routes to the internal servers and to the terminal user addresses from the core-network-side devices and advertises the server routes to the Internet-side device. A filter policy is configured between the firewall and the core-network-side devices so that no default route is learned from below. The route planning on the FW is shown in Table 3-3 (only fragments were recovered: a route learned via OSPF (Router C's address) and routes learned via OSPF toward the GGSN (Router A's IP address)).

The FW normally uses NAT in PAT mode; as a rule of thumb one NAT address can serve about 5000 to 10000 private addresses. The NAT address pool planning is shown in Table 3-4 and the NAT policy planning (source NAT rules) in Table 3-5; neither table was recovered.

The multi-channel service traffic of mobile terminals going to the Internet (FTP, PPTP and RTSP) is NAT-translated by the FW, so the ASPF function must be configured between the zone containing the Gi/SGi interface and the Untrust zone to keep these applications working.

The following attack defense functions are enabled on the FW:
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable

The Simple Network Management Protocol (SNMP) is currently the most widely used network management protocol in TCP/IP networks; SNMP is configured on the FW.

Configuration notes:
The preempt delay of the VGMP management group is recommended to be 300 seconds.
Hot standby supports route cost adjustment only for OSPF and BGP; other routing protocols are not supported. If OSPF or BGP route adjustment is configured, the inter-zone security policy must permit OSPF or BGP packets.
The BGP route preference must be changed to a value greater than 10 and less than 150.
Configure route filtering so that no default route is learned from downstream OSPF neighbours.
HRP linkage with the routing protocols adjusts the COST value; the routes supported are listed in Table 4-1. Only the row labels of Table 4-1 (HRP support for BGP/OSPF) were recovered: BGP IPv4, BGP VPNv4, BGP IPv6, routes from IBGP and from EBGP; OSPF networks by LSA type: Type 1 (router), Type 3 (summary), Type 5 (AS-external), Type 7 (NSSA external).

When planning the NAT address pool, use a ratio of public to private addresses of 1:5,000. If servers inside the core network are to be reachable from outside, it is recommended to configure NAT Server based on port. In load-balancing hot standby mode both devices carry service traffic; when NAT is configured on them, the port resources each device may use must be configured separately to avoid the resulting conflicts: configure the hrp nat resource primary-group command on the active device, and the hrp nat resource secondary-group command is generated automatically on the standby device. (A further recommendation concerning NAT is cut off in the source text.)

When all traffic passes through one or only a few GRE tunnels and the number of sessions on the CPU that a single GRE tunnel lands on exceeds 100... (figure truncated in the source), run the firewall gre inner hash enable command so that the CPU is selected by hashing the inner GRE packet information; the load should stay within 70% of the processing capacity of the CPU board. Use the display interface command to check interface bandwidth utilization, and display ... (command truncated in the source).

Configuration steps
(IP addresses and a number of parameter values were lost when the document was extracted and are left blank in the commands below.)

Step 1 Configure FW_A
# Create Eth-Trunk 0 and configure its IP address
[FW_A] interface Eth-Trunk 0
[FW_A-Eth-Trunk0] description
[FW_A-Eth-Trunk0] ip address 24
[FW_A-Eth-Trunk0] quit
# Create Eth-Trunk 1 and configure its IP address
[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] description
[FW_A-Eth-Trunk1] ip address
[FW_A-Eth-Trunk1] undo service-manage
[FW_A-Eth-Trunk1]
# Create Eth-Trunk 2 and configure its IP address
[FW_A] interface Eth-Trunk 2
[FW_A-Eth-Trunk2] description
[FW_A-Eth-Trunk2] ip address 24
[FW_A-Eth-Trunk2] undo service-manage enable
[FW_A-Eth-Trunk2] quit
# Add member interfaces to Eth-Trunk 0
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet2/0/0] Eth-Trunk 0
[FW_A-GigabitEthernet2/0/0] quit
[FW_A] interface GigabitEthernet 2/0/1
[FW_A-GigabitEthernet2/0/1] Eth-Trunk 0
[FW_A-GigabitEthernet2/0/1] quit
# Add member interfaces to Eth-Trunk 1
[FW_A] interface GigabitEthernet 2/0/2
[FW_A-GigabitEthernet2/0/2] Eth-Trunk 1
[FW_A-GigabitEthernet2/0/2] quit
[FW_A] interface GigabitEthernet 2/0/3
[FW_A-GigabitEthernet2/0/3] Eth-Trunk 1
[FW_A-GigabitEthernet2/0/3] quit
# Add member interfaces to Eth-Trunk 2
[FW_A] interface GigabitEthernet 2/0/4
[FW_A-GigabitEthernet2/0/4] Eth-Trunk 2
[FW_A-GigabitEthernet2/0/4] quit
[FW_A] interface GigabitEthernet 2/0/5
[FW_A-GigabitEthernet2/0/5] Eth-Trunk 2
[FW_A-GigabitEthernet2/0/5] quit
# Add Eth-Trunk 0 to hrpzone
[FW_A] firewall zone name hrpzone
[FW_A-zone-hrpzone] set priority
[FW_A-zone-hrpzone] add interface Eth-Trunk 0
[FW_A-zone-hrpzone]
# Add Eth-Trunk 1 to untrust
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface Eth-Trunk 1
[FW_A-zone-untrust]
# Add Eth-Trunk 2 to trust
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface Eth-Trunk 2
[FW_A-zone-trust]

Configure FW_B
# Create Eth-Trunk 0 and configure its IP address
[FW_B] interface Eth-Trunk 0
[FW_B-Eth-Trunk0] description
[FW_B-Eth-Trunk0] ip address 24
[FW_B-Eth-Trunk0] undo service-manage enable
[FW_B-Eth-Trunk0] quit
# Create Eth-Trunk 1 and configure its IP address
[FW_B] interface Eth-Trunk 1
[FW_B-Eth-Trunk1] description
[FW_B-Eth-Trunk1] ip address
[FW_B-Eth-Trunk1] undo service-manage
[FW_B-Eth-Trunk1]
# Create Eth-Trunk 2 and configure its IP address
[FW_B] interface Eth-Trunk 2
[FW_B-Eth-Trunk2] description
[FW_B-Eth-Trunk2] ip address 24
[FW_B-Eth-Trunk2] undo service-manage enable
[FW_B-Eth-Trunk2] quit
# Add member interfaces to Eth-Trunk 0
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet2/0/0] Eth-Trunk 0
[FW_B-GigabitEthernet2/0/0] quit
[FW_B] interface GigabitEthernet 2/0/1
[FW_B-GigabitEthernet2/0/1] Eth-Trunk 0
[FW_B-GigabitEthernet2/0/1] quit
# Add member interfaces to Eth-Trunk 1
[FW_B] interface GigabitEthernet 2/0/2
[FW_B-GigabitEthernet2/0/2] Eth-Trunk 1
[FW_B-GigabitEthernet2/0/2] quit
[FW_B] interface GigabitEthernet 2/0/3
[FW_B-GigabitEthernet2/0/3] Eth-Trunk 1
[FW_B-GigabitEthernet2/0/3] quit
# Add member interfaces to Eth-Trunk 2
[FW_B] interface GigabitEthernet 2/0/4
[FW_B-GigabitEthernet2/0/4] Eth-Trunk 2
[FW_B-GigabitEthernet2/0/4] quit
[FW_B] interface GigabitEthernet 2/0/5
[FW_B-GigabitEthernet2/0/5] Eth-Trunk 2
[FW_B-GigabitEthernet2/0/5]
# Add Eth-Trunk 0 to hrpzone
[FW_B] firewall zone name hrpzone
[FW_B-zone-hrpzone] set priority
[FW_B-zone-hrpzone] add interface Eth-Trunk 0
[FW_B-zone-hrpzone]
# Add Eth-Trunk 1 to untrust
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface Eth-Trunk 1
[FW_B-zone-untrust]
# Add Eth-Trunk 2 to trust
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface Eth-Trunk 2
[FW_B-zone-trust]

Step 2 Configure security policies
Configure FW_A
# Security policies between Local and Trust
[FW_A] security-policy
[FW_A-policy-security] rule name local_trust_outbound
[FW_A-policy-security-rule-local_trust_outbound] source-zone local
[FW_A-policy-security-rule-local_trust_outbound] destination-zone trust
[FW_A-policy-security-rule-local_trust_outbound] source-address 24
[FW_A-policy-security-rule-local_trust_outbound] action permit
[FW_A-policy-security-rule-local_trust_outbound]
[FW_A-policy-security] rule name local_trust_inbound
[FW_A-policy-security-rule-local_trust_inbound] source-zone trust
[FW_A-policy-security-rule-local_trust_inbound] destination-zone local
[FW_A-policy-security-rule-local_trust_inbound] destination-address
[FW_A-policy-security-rule-local_trust_inbound] action permit
[FW_A-policy-security-rule-local_trust_inbound]
# Security policies between Local and Untrust
[FW_A-policy-security] rule name local_untrust_outbound
[FW_A-policy-security-rule-local_untrust_outbound] source-zone local
[FW_A-policy-security-rule-local_untrust_outbound] destination-zone untrust
[FW_A-policy-security-rule-local_untrust_outbound] source-address 24
[FW_A-policy-security-rule-local_untrust_outbound] action permit
[FW_A-policy-security-rule-local_untrust_outbound]
[FW_A-policy-security] rule name local_untrust_inbound
[FW_A-policy-security-rule-local_untrust_inbound] source-zone untrust
[FW_A-policy-security-rule-local_untrust_inbound] destination-zone local
[FW_A-policy-security-rule-local_untrust_inbound] destination-address
[FW_A-policy-security-rule-local_untrust_inbound] action permit
[FW_A-policy-security-rule-local_untrust_inbound]
# Security policies between Local and hrpzone
[FW_A-policy-security] rule name local_hrpzone_outbound
[FW_A-policy-security-rule-local_hrpzone_outbound] source-zone local
[FW_A-policy-security-rule-local_hrpzone_outbound] destination-zone hrpzone
[FW_A-policy-security-rule-local_hrpzone_outbound] source-address 24
[FW_A-policy-security-rule-local_hrpzone_outbound] action permit
[FW_A-policy-security-rule-local_hrpzone_outbound]
[FW_A-policy-security] rule name local_hrpzone_inbound
[FW_A-policy-security-rule-local_hrpzone_inbound] source-zone hrpzone
[FW_A-policy-security-rule-local_hrpzone_inbound] destination-zone local
[FW_A-policy-security-rule-local_untrust_inbound] destination-address
[FW_A-policy-security-rule-local_untrust_inbound] action permit
# Security policies between Trust and Untrust permitting the tunnel packets from mobile terminals to the WAP gateway
[FW_A-policy-security] rule name trust_untrust_outbound1
[FW_A-policy-interzone-trust_untrust_outbound1] source-zone trust
[FW_A-policy-interzone-trust_untrust_outbound1] destination-zone untrust
[FW_A-policy-interzone-trust_untrust_outbound1] action permit
[FW_A-policy-interzone-trust_untrust_outbound1]
[FW_A-policy-security] rule name trust_untrust_inbound1
[FW_A-policy-interzone-trust_untrust_inbound1] source-zone untrust
[FW_A-policy-interzone-trust_untrust_inbound1] destination-zone trust
[FW_A-policy-interzone-trust_untrust_inbound1] action permit
[FW_A-policy-interzone-trust_untrust_inbound1]
# Security policy between Trust and Untrust permitting the packets from mobile terminals to the Internet
[FW_A-policy-security] rule name trust_untrust_outbound2
[FW_A-policy-security-rule-trust_untrust_outbound2] source-zone trust
[FW_A-policy-security-rule-trust_untrust_outbound2] destination-zone untrust
[FW_A-policy-security-rule-trust_untrust_outbound2] source-address 16
[FW_A-policy-security-rule-trust_untrust_outbound2] action permit
[FW_A-policy-security-rule-trust_untrust_outbound2]

Configure FW_B
# Security policies between Local and Trust
[FW_B] security-policy
[FW_B-policy-security] rule name local_trust_outbound
[FW_B-policy-security-rule-local_trust_outbound] source-zone local
[FW_B-policy-security-rule-local_trust_outbound] destination-zone trust
[FW_B-policy-security-rule-local_trust_outbound] source-address 24
[FW_B-policy-security-rule-local_trust_outbound] action permit
[FW_B-policy-security-rule-local_trust_outbound]
[FW_B-policy-security] rule name local_trust_inbound
[FW_B-policy-security-rule-local_trust_inbound] source-zone trust
[FW_B-policy-security-rule-local_trust_inbound] destination-zone local
[FW_B-policy-security-rule-local_trust_inbound] destination-address
[FW_B-policy-security-rule-local_trust_inbound] action permit
[FW_B-policy-security-rule-local_trust_inbound]
# Security policies between Local and Untrust
[FW_B-policy-security] rule name local_untrust_outbound
[FW_B-policy-security-rule-local_untrust_outbound] source-zone local
[FW_B-policy-security-rule-local_untrust_outbound] destination-zone untrust
[FW_B-policy-security-rule-local_untrust_outbound] source-address 24
[FW_B-policy-security-rule-local_untrust_outbound] action permit
[FW_B-policy-security-rule-local_untrust_outbound]
[FW_B-policy-security] rule name local_untrust_inbound
[FW_B-policy-security-rule-local_untrust_inbound] source-zone untrust
[FW_B-policy-security-rule-local_untrust_inbound] destination-zone local
[FW_B-policy-security-rule-local_untrust_inbound] destination-address
[FW_B-policy-security-rule-local_untrust_inbound] action permit
[FW_B-policy-security-rule-local_untrust_inbound]
# Security policies between Local and hrpzone
[FW_B-policy-security] rule name local_hrpzone_outbound
[FW_B-policy-security-rule-local_hrpzone_outbound] source-zone local
[FW_B-policy-security-rule-local_hrpzone_outbound] destination-zone hrpzone
[FW_B-policy-security-rule-local_hrpzone_outbound] source-address 24
[FW_B-policy-security-rule-local_hrpzone_outbound] action permit
[FW_B-policy-security-rule-local_hrpzone_outbound]
[FW_B-policy-security] rule name local_hrpzone_inbound
[FW_B-policy-security-rule-local_hrpzone_inbound] source-zone hrpzone
[FW_B-policy-security-rule-local_hrpzone_inbound] destination-zone local
[FW_B-policy-security-rule-local_untrust_inbound] destination-address
[FW_B-policy-security-rule-local_untrust_inbound] action permit
# Security policies between trust and untrust permitting the tunnel packets from mobile terminals to the WAP gateway
[FW_B-policy-security] rule name trust_untrust_outbound1
[FW_B-policy-interzone-trust_untrust_outbound1] source-zone trust
[FW_B-policy-interzone-trust_untrust_outbound1] destination-zone untrust
[FW_B-policy-interzone-trust_untrust_outbound1] action permit
[FW_B-policy-interzone-trust_untrust_outbound1]
[FW_B-policy-security] rule name trust_untrust_inbound1
[FW_B-policy-interzone-trust_untrust_inbound1] source-zone untrust
[FW_B-policy-interzone-trust_untrust_inbound1] destination-zone trust
[FW_B-policy-interzone-trust_untrust_inbound1] action permit
[FW_B-policy-interzone-trust_untrust_inbound1]
# Security policy between trust and untrust permitting the packets from mobile terminals to the Internet
[FW_B-policy-security] rule name trust_untrust_outbound2
[FW_B-policy-security-rule-trust_untrust_outbound2] source-zone trust
[FW_B-policy-security-rule-trust_untrust_outbound2] destination-zone untrust
[FW_B-policy-security-rule-trust_untrust_outbound2] source-address 16
[FW_B-policy-security-rule-trust_untrust_outbound2] action permit
[FW_B-policy-security-rule-trust_untrust_outbound2]

Step 3 Configure OSPF
Note: the active and standby firewalls must be given different router-ids for the OSPF process, to prevent an OSPF router-id conflict.

Configure OSPF on FW_A
# Route policy: when static routes are imported on the side connected to the backbone network, import only the NAT address pool addresses
# (only the last octet of each pool address and the /32 mask length survived extraction)
[FW_A] ip ip-prefix natAddress permit 0 32
[FW_A] ip ip-prefix natAddress permit 1 32
[FW_A] ip ip-prefix natAddress permit 2 32
[FW_A] ip ip-prefix natAddress permit 3 32
[FW_A] ip ip-prefix natAddress permit 4 32
[FW_A] ip ip-prefix natAddress permit 5 32
[FW_A] route-policy PS_NAT permit node 10
[FW_A-route-policy] if-match ip-prefix natAddress
[FW_A-route-policy] quit
[FW_A] ospf 1 router-id
[FW_A-ospf-1] import-route static route-policy PS_NAT
[FW_A-ospf-1] area
[FW_A-ospf-1-area-] network
[FW_A-ospf-1-area-]
[FW_A-ospf-1]
# OSPF process 2 toward the core network: filter out any default route learned from the core side and advertise the default route
[FW_A] ip ip-prefix no-default deny
[FW_A] ip ip-prefix no-default permit 0 less-equal
[FW_A] ospf 2 router-id
[FW_A-ospf-2] filter-policy ip-prefix no-default
[FW_A-ospf-2] default-route-advertise
[FW_A-ospf-2] area
[FW_A-ospf-2-area-]
[FW_A-ospf-2]
# Static routes for the NAT address pool addresses, pointing to the NULL interface
[FW_A] ip route-static 0 32 NULL
[FW_A] ip route-static 1 32 NULL
[FW_A] ip route-static 2 32 NULL
[FW_A] ip route-static 3 32 NULL
[FW_A] ip route-static 4 32 NULL
[FW_A] ip route-static 5 32 NULL

Configure OSPF on FW_B
# Route policy: when static routes are imported on the side connected to the backbone network, import only the NAT address pool addresses
[FW_B] ip ip-prefix natAddress permit 0 32
[FW_B] ip ip-prefix natAddress permit 1 32
[FW_B] ip ip-prefix natAddress permit 2 32
[FW_B] ip ip-prefix natAddress permit 3 32
[FW_B] ip ip-prefix natAddress permit 4 32
[FW_B] ip ip-prefix natAddress permit 5 32
[FW_B] route-policy PS_NAT permit node 10
[FW_B-route-policy] if-match ip-prefix natAddress
[FW_B-route-policy] quit
[FW_B] ospf 1 router-id
[FW_B-ospf-1] import-route static route-policy PS_NAT
[FW_B-ospf-1] area
[FW_B-ospf-1-area-] network
[FW_B-ospf-1-area-]
[FW_B-ospf-1]
# OSPF process 2 toward the core network: filter out any default route learned from the core side and advertise the default route
[FW_B] ip ip-prefix no-default deny
[FW_B] ip ip-prefix no-default permit 0 less-equal
[FW_B] ospf 2 router-id
[FW_B-ospf-2] filter-policy ip-prefix no-default
[FW_B-ospf-2] default-route-advertise
[FW_B-ospf-2] area
[FW_B-ospf-2-area-]
[FW_B-ospf-2]
# Static routes for the NAT address pool addresses, pointing to the NULL interface
[FW_B] ip route-static 0 32 NULL
[FW_B] ip route-static 1 32 NULL
[FW_B] ip route-static 2 32 NULL
[FW_B] ip route-static 3 32 NULL
[FW_B] ip route-static 4 32 NULL
[FW_B] ip route-static 5 32 NULL

Step 4 Configure hot standby (HRP)
Configure FW_A
# Configure HRP to track the upstream and downstream interfaces
[FW_A] hrp track interface Eth-Trunk 1
[FW_A] hrp track interface Eth-Trunk 2
# Adjust the OSPF cost according to the HRP state
[FW_A] hrp adjust ospf-cost enable
# Specify the heartbeat interface and the peer address
[FW_A] hrp interface Eth-Trunk 0 remote
# Enable HRP
[FW_A] hrp enable
# Set the preempt delay of the VGMP management group to 300 seconds
[FW_A] hrp preempt delay 300

Configure FW_B
# Configure HRP to track the upstream and downstream interfaces
[FW_B] hrp track interface Eth-Trunk 1
[FW_B] hrp track interface Eth-Trunk 2
# Adjust the OSPF cost according to the HRP state
[FW_B] hrp adjust ospf-cost enable
# Specify the heartbeat interface and the peer address
[FW_B] hrp interface Eth-Trunk 0 remote
# Enable HRP and make FW_B the standby device
[FW_B] hrp enable
[FW_B] hrp standby-device
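The two prefix lists in Step 3 (natAddress on the Internet-facing OSPF process 1, no-default on the core-facing process 2) are what keep the firewall from advertising private core routes outward and from installing a default route learned from below, as the route planning section requires. The following Python model is added here and is not part of the original document: it applies Huawei ip-prefix matching rules to constructed sample routes; the pool addresses 203.0.113.0 to 203.0.113.2 and the `0.0.0.0 0 less-equal 32` form of the no-default list are assumptions, since those values are missing from the extracted text.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixEntry:
    """One 'ip ip-prefix <name> permit|deny <ip> <mask-len> [less-equal <n>]' line."""
    action: str                       # "permit" or "deny"
    network: ipaddress.IPv4Network    # <ip>/<mask-len>
    less_equal: Optional[int] = None  # upper bound on the route's mask length


def prefix_entry(action: str, ip: str, mask_len: int,
                 less_equal: Optional[int] = None) -> PrefixEntry:
    return PrefixEntry(action, ipaddress.IPv4Network((ip, mask_len), strict=False), less_equal)


def prefix_list_permits(entries: List[PrefixEntry], route: str) -> bool:
    """Huawei ip-prefix semantics: a route matches an entry when its first
    <mask-len> bits equal <ip> and its own mask length lies within
    [<mask-len>, <less-equal>] (less-equal defaults to mask-len). The first
    matching entry decides; a route that matches no entry is denied."""
    r = ipaddress.IPv4Network(route, strict=False)
    for e in entries:
        upper = e.less_equal if e.less_equal is not None else e.network.prefixlen
        if r.network_address in e.network and e.network.prefixlen <= r.prefixlen <= upper:
            return e.action == "permit"
    return False


# Assumed form of the document's no-default list:
#   ip ip-prefix no-default deny 0.0.0.0 0                 (only the default route)
#   ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32 (everything else)
NO_DEFAULT = [
    prefix_entry("deny", "0.0.0.0", 0),
    prefix_entry("permit", "0.0.0.0", 0, less_equal=32),
]

# ip ip-prefix natAddress permit <pool-address> 32, one line per pool address.
# 203.0.113.0 to 203.0.113.2 are constructed documentation addresses.
NAT_ADDRESS = [prefix_entry("permit", f"203.0.113.{i}", 32) for i in range(3)]


def ospf2_filter_import(routes_from_core: List[str]) -> List[str]:
    """ospf 2 / filter-policy ip-prefix no-default: the routes learned from the
    core-network side that the FW will actually install (no default route)."""
    return [r for r in routes_from_core if prefix_list_permits(NO_DEFAULT, r)]


def ospf1_import_static(static_routes: List[str]) -> List[str]:
    """ospf 1 / import-route static route-policy PS_NAT, whose node 10 does
    if-match ip-prefix natAddress: the static routes redistributed toward the
    Internet side. Only the exact pool /32s pass; a covering /24 or any
    private network is dropped."""
    return [r for r in static_routes if prefix_list_permits(NAT_ADDRESS, r)]
```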
Step 5 Configure NAT and ASPF
Note: once the hot standby relationship is established, the NAT and ASPF configuration on FW_A is backed up to FW_B automatically and does not need to be configured separately on FW_B.

# Create the NAT address pool on FW_A
HRP_M[FW_A] nat address-group addressgroup1
HRP_M[FW_A-address-group-addressgroup1] section 0
# Configure the NAT policy; as an example, the source addresses of all packets from the /16 segment are translated
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name trust_untrust_outbound
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-zone trust
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-address 55
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] action source-nat address-group addressgroup1
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound]
HRP_M[FW_A-policy-nat]
# Configure ASPF on FW_A
HRP_M[FW_A] firewall interzone trust untrust
HRP_M[FW_A-interzone-trust-untrust] detect ftp
HRP_M[FW_A-interzone-trust-untrust] detect pptp
HRP_M[FW_A-interzone-trust-untrust] quit

Step 6 Configure attack defense
Configure FW_A
HRP_M[FW_A] firewall defend land enable
HRP_M[FW_A] firewall defend smurf enable
HRP_M[FW_A] firewall defend fraggle enable
HRP_M[FW_A] firewall defend ip-fragment enable
HRP_M[FW_A] firewall defend tcp-flag enable
HRP_M[FW_A] firewall defend winnuke enable
HRP_M[FW_A] firewall defend source-route enable
HRP_M[FW_A] firewall defend teardrop enable
HRP_M[FW_A] firewall defend route-record enable
HRP_M[FW_A] firewall defend time-stamp enable
HRP_M[FW_A] firewall defend ping-of-death enable

Step 7 Configure network management
Configure network management on FW_A
# Configure the SNMP version on the FW. This step is optional: by default SNMPv3 is used. If the version is not SNMPv3, set it:
HRP_M[FW_A] snmp-agent sys-info version
# Configure an SNMPv3 group
HRP_M[FW_A] snmp-agent group v3 NMS1
# Configure an SNMPv3 user
HRP_M[FW_A] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 privacy-mode aes256 Admin@456
# Configure the contact information
HRP_M[FW_A] snmp-agent sys-info contact
# Configure the location information
HRP_M[FW_A] snmp-agent sys-info location
# Configure the SNMP trap target host on the FW
HRP_M[FW_A] snmp-agent target-host trap address udp-domain params securityname Admin123 v3 privacy private-netmanager
HRP_M[FW_A] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue?

Configure network management on FW_B
# Configure the SNMP version on the FW. This step is optional: by default SNMPv3 is used. If the version is not SNMPv3, set it.
# Configure an SNMPv3 group
HRP_S[FW_B] snmp-agent group v3 NMS1
# Configure an SNMPv3 user
HRP_S[FW_B] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 privacy-mode aes256 Admin@456
# Configure the contact information
HRP_S[FW_B] snmp-agent sys-info contact
# Configure the location information
HRP_S[FW_B] snmp-agent sys-info location
# Configure the SNMP trap target host on the FW
HRP_S[FW_B] snmp-agent target-host trap address udp-domain params securityname Admin123 v3 privacy private-netmanager
HRP_M[FW_B] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue?

Step 8 Configure session logging
Note: for the configuration of the LogCenter log server, see the LogCenter product manual; only the configuration on the FW is described here.

Configure FW_A
HRP_M[FW_A] firewall loghost 1
# Enable session logging in the security policy
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_untrust
HRP_M[FW_A-policy-security-rule-trust_untrust] session logging
HRP_M[FW_A-policy-security-rule-trust_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_untrust] quit
HRP_M[FW_A-policy-security] quit
# Set the session log format and the log source
HRP_M[FW_A] firewall log session log-type syslog
HRP_M[FW_A] firewall log session multi-host-mode concurrent
HRP_M[FW_A] firewall log source 6000

Configure FW_B
HRP_S[FW_B] firewall log source
Result verification
Run the display hrp state command on FW_A and check the current HRP state:
HRP_M[FW_A] display hrp state
Role: active, peer:
Running priority: 46002, peer: 46002
Backup channel usage: 7%
Stable time: 0 days, 0 hours, 12

Users can browse the Web normally from their mobile phones.

Configuration script
(Addresses and several values are missing from the extracted script, as in the steps above.)

FW_A:
sysname FW_A
info-center source default channel 2 log level
info-center loghost 0
firewall log session log-type
firewall log session multi-host-mode concurrent
firewall log source 6000
firewall loghost 514
mode pat
status
hrp
hrp interface Eth-Trunk 0 remote
hrp adjust ospf-cost enable
hrp preempt delay
hrp track interface Eth-Trunk 1
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
interface Eth-Trunk 0
 ip address
 undo service-manage enable
interface Eth-Trunk 1
 description To_Backbone
 undo service-manage enable
 description To_GI
 undo service-manage enable
eth-trunk 0
eth-trunk 0
eth-trunk 1

FW_B:
sysname FW_B
info-center source default channel 2 log level
info-center loghost 0
firewall log session log-type
firewall log session multi-host-mode concurrent
firewall log source 6000
firewall loghost 514
mode pat
status
hrp
hrp standby-device
hrp interface Eth-Trunk 0 remote
hrp adjust ospf-cost enable
hrp track interface Eth-Trunk 1
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
interface Eth-Trunk 0
 description To_FW_A
 ip address
 undo service-manage enable
interface Eth-Trunk 1
 description To_Backbone
 undo service-manage enable
 description To_GI
 undo service-manage enable
eth-trunk 0
eth-trunk 0
eth-trunk 1
eth-trunk 2
eth-trunk 2
firewall zone trust
 set priority 85
 add interface Eth-Trunk 2
firewall zone untrust
 set priority 5
 add interface Eth-Trunk 1
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk 0
firewall interzone trust untrust
 detect rtsp
 detect ftp
 detect pptp
rule name local_trust_outbound
 source-zone local
 destination-zone trust
 source-address 24
 action permit
rule name local_trust_inbound
 source-zone trust
 destination-zone local
 destination-address 24
 action permit
rule name local_untrust_outbound
 source-zone local
 destination-zone untrust
 source-address 24
 action permit
rule name local_untrust_inbound
 source-zone untrust
 destination-zone local
 destination-address 24
 action permit
rule name local_hrpzone_outbound
 source-zone local
 destination-zone hrpzone
 source-address 24
 action permit
rule name local_hrpzone_inbound
 source-zone hrpzone
 destination-zone
 destination-address 24
 action permit
rule name trust_untrust_outbound1
 source-zone trust
 destination-zone untrust
 action permit
rule name trust_untrust_inbound1
 source-zone untrust
 destination-zone trust
 action permit
rule name trust_untrust_outbound2
 source-zone trust

The following fragment also belongs to one of the two scripts; which device it comes from cannot be determined from the extracted text:
eth-trunk 2
eth-trunk 2
firewall zone trust
 set priority 85
 add interface Eth-Trunk 2
firewall zone untrust
 set priority 5
 add interface Eth-Trunk 1
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk 0
firewall interzone trust untrust
 detect rtsp
 detect ftp
 detect pptp
rule name local_trust_outbound
 source-zone local
 destination-zone trust
 source-address 24
 action permit
rule name local_trust_inbound
 source-zone trust
 destination-zone local
 destination-address 24
 action permit
rule name local_untrust_outbound
 source-zone local
 destination-zone untrust
 source-address 24
 action permit
rule name local_untrust_inbound
 source-zone Untrust
 destination-zone local
 destination-address 24
 action permit
rule name local_hrpzone_outbound
 source-zone local
 destination-zone hrpzone
 source-address 24
 action permit
rule name local_hrpzone_inbound
 source-zone hrpzone
 destination-zone
 destination-address 24
 action permit
rule name trust_untrust_outbound1
 source-zone trust
 destination-zone untrust
 action permit
rule name trust_untrust_inbound1
 source-zone Untrust
 destination-zone trust
 action permit
rule name trust_untrust_outbound2
 source-zone trust
 destination-zone untrust
 source-address 16
 action permit
rule name trust_untrust
 session logging
 action permit
rule name trust_untrust_outbound
