Huawei USG6000V firewall study notes
Lab example:
Lab requirements:
1. Log in to the firewall, change the initial password and save the settings;
2. Enable the HTTPS service on the corresponding interface, change the interface IP address, and log in to the firewall's web console from a browser;
Format: https://<interface IP address>:8443
3. Enable the ping service on the corresponding interface, and ping the interface IP address successfully from the local Windows PowerShell command line;
4. Create a firewall security policy so that the local Windows PowerShell command line can ping the interface IP address and the firewall can communicate with the local host.
Lab configuration:
User interface con0 is available

Please Press ENTER.

Login authentication

Username:admin
Password:
*************************************************************************
*          Copyright (C) 2014-2018 Huawei Technologies Co., Ltd.        *
*                          All rights reserved.                         *
*               Without the owner's prior written consent,              *
*        no decompiling or reverse-engineering shall be allowed.        *
*************************************************************************
<USG6000V1>
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]interface GigabitEthernet 0/0/0
[USG6000V1-GigabitEthernet0/0/0]dis thi
2020-09-04 01:01:49.780
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.100.15 255.255.255.0
 alias GE0/METH
 service-manage https permit
 service-manage ping permit
#
return
[USG6000V1-GigabitEthernet0/0/0]
On the interface, enable the ping service so that the interface can communicate with the local host.
Enable the HTTPS service and log in to the firewall's management console from a browser.
Create a firewall security policy so that the interface and the local host can communicate normally.
The configuration is as follows:
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name T2L_ping
Sep 4 2020 01:13:35 USG6000V1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 6, the change loop count is 0, and the maximum number of records is 4095.
[USG6000V1-policy-security-rule-T2L_ping]source-zone trust
[USG6000V1-policy-security-rule-T2L_ping]destination-zone local
[USG6000V1-policy-security-rule-T2L_ping]
Sep 4 2020 01:13:55 USG6000V1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 8, the change loop count is 0, and the maximum number of records is 4095.
[USG6000V1-policy-security-rule-T2L_ping]source-address 192.168.100.1 32
Sep 4 2020 01:14:25 USG6000V1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 9, the change loop count is 0, and the maximum number of records is 4095.
[USG6000V1-policy-security-rule-T2L_ping]service icmp
[USG6000V1-policy-security-rule-T2L_ping]dis thi
2020-09-04 01:15:02.670
#
rule name T2L_ping
 source-zone trust
 destination-zone local
 source-address 192.168.100.1 mask 255.255.255.255
 service icmp
 (not configure the action)
#
return
[USG6000V1-policy-security-rule-T2L_ping]
Sep 4 2020 01:15:05 USG6000V1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 10, the change loop count is 0, and the maximum number of records is 4095.
[USG6000V1-policy-security-rule-T2L_ping]action permit
[USG6000V1-policy-security-rule-T2L_ping]dis thi
2020-09-04 01:15:34.550
#
rule name T2L_ping
 source-zone trust
 destination-zone local
 source-address 192.168.100.1 mask 255.255.255.255
 service icmp
 action permit
#
return
Create the firewall security policy for outbound traffic (from the local zone out through the interface).
The configuration is as follows:
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name L2T_ping
[USG6000V1-policy-security-rule-L2T_ping]source-zone local
[USG6000V1-policy-security-rule-L2T_ping]destination-zone trust
[USG6000V1-policy-security-rule-L2T_ping]source-address 192.168.100.15 32
[USG6000V1-policy-security-rule-L2T_ping]destination-address 192.168.100.1 32
[USG6000V1-policy-security-rule-L2T_ping]service icmp
[USG6000V1-policy-security-rule-L2T_ping]action permit
[USG6000V1-policy-security-rule-L2T_ping]dis thi
2020-09-04 01:41:04.390
#
rule name L2T_ping
 source-zone local
 destination-zone trust
 source-address 192.168.100.15 mask 255.255.255.255
 destination-address 192.168.100.1 mask 255.255.255.255
 service icmp
 action permit
#
return
[USG6000V1-policy-security-rule-L2T_ping]
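A rule is only effective once it carries an explicit action; the first "dis thi" above shows T2L_ping matching ICMP from 192.168.100.1 while still reporting "(not configure the action)". The following Python script, added here as an example and not part of the original lab or of any Huawei tooling, parses "display this" output of the security-policy view into rules, flags rules with no action, and resolves which rule a flow hits first in configured order; the sample policy is constructed to mirror the two rules of this lab at that intermediate stage.

```python
import ipaddress, re

# Constructed sample (not from a live device): the lab's two rules as "display this" prints them,
# with T2L_ping still lacking its action, as in the intermediate step above.
SAMPLE_POLICY = """
rule name T2L_ping
 source-zone trust
 destination-zone local
 source-address 192.168.100.1 mask 255.255.255.255
 service icmp
#
rule name L2T_ping
 source-zone local
 destination-zone trust
 source-address 192.168.100.15 mask 255.255.255.255
 destination-address 192.168.100.1 mask 255.255.255.255
 service icmp
 action permit"""
LIST_KEYS = ("source-zone", "destination-zone", "source-address", "destination-address", "service")

def parse_rules(text):
    """Turn 'display this' output of the security-policy view into ordered rule dicts."""
    rules, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"rule name (\S+)$", line)
        if m:
            cur = {"name": m.group(1), "action": None, **{k: [] for k in LIST_KEYS}}
            rules.append(cur)
        elif cur and line and line != "#":
            key, _, value = line.partition(" ")
            if key == "action":
                cur["action"] = value
            elif key in LIST_KEYS:
                cur[key].append(value)
    return rules

def addr_matches(entries, ip):
    """Entries look like 'A.B.C.D mask M.M.M.M'; an empty list means 'any'."""
    return not entries or any(ipaddress.ip_address(ip) in
        ipaddress.ip_network(e.replace(" mask ", "/"), strict=False) for e in entries)

def audit_rules(rules):
    """Findings to fix before saving: a rule that matches traffic but has no action."""
    return [f"{r['name']}: no action configured" for r in rules if r["action"] is None]

def first_match(rules, src_zone, dst_zone, src_ip, dst_ip, service):
    """First-match lookup in configured order; returns the hit rule dict, or None."""
    hits = [r for r in rules
            if src_zone in r["source-zone"] and dst_zone in r["destination-zone"]
            and addr_matches(r["source-address"], src_ip)
            and addr_matches(r["destination-address"], dst_ip)
            and (not r["service"] or service in r["service"])]
    return hits[0] if hits else None
```

Run it against the real output of "display this" pasted into a file to confirm both directions of the ping (trust to local and local to trust) hit a rule whose action is "permit" before saving the configuration.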
Modify the ICMP session aging time and query it.