Huawei Campus Switch and Firewall Hot-Standby Egress Deployment Configuration Example
Customer requirements
The two switches at the core layer of the customer's campus form a cluster that serves as the core of the whole campus network and as the user gateway that assigns IP addresses to users. At the egress, two firewalls form a hot-standby pair that serves as the egress gateway for the whole campus network and applies security filtering to the traffic entering and leaving the campus.
Requirements: service traffic at the network egress automatically selects an egress link and is distributed across the different carrier networks so that no link capacity is wasted.
Internal users can access Internet resources normally, but must not be able to play online games or watch online video during working hours.
External users can access the HTTP server in the internal network.
Network topology
Egress devices: USG6300E, version V600R007C00
Core-layer devices: S12700E, version V200R019C10
Deployment and configuration approach
1. Configure the core switches as a cluster/stack with multi-active detection (MAD) to improve device-level reliability.
2. Configure Eth-Trunk on the core switches and the egress firewalls to improve link reliability.
3. Configure interfaces, IP addresses and routes on the core switches and the egress firewalls so that the network is reachable end to end.
4. Enable intelligent uplink selection on the egress firewalls so that the outbound interface is chosen dynamically according to link bandwidth, making better use of link capacity and improving the user experience.
5. Configure hot standby on the egress firewalls to improve device-level reliability.
6. Configure security policies on the egress firewalls so that service traffic can pass through them.
7. Configure NAT policies on the egress firewalls so that internal users can access the external network.
8. Configure NAT Server on the egress firewalls so that external users can access the internal HTTP server.
9. Configure smart DNS so that users of different carriers receive the most suitable resolved address for their requests.
10. Configure attack defense and application behavior control on the egress firewalls to keep the network secure and to prevent internal users from playing online games or watching online video during working hours.
Deployment steps
1. Configure the cluster and multi-active detection (MAD) on the core switches.
2. Configure Eth-Trunk on the egress firewalls and the core switch:
# On FWA, create Eth-Trunk30 for the connection to CORE and add its member interfaces.
<sysname> system-view
[sysname] sysname FWA
[FWA] interface eth-trunk 30
[FWA-Eth-Trunk30] mode lacp-static
[FWA-Eth-Trunk30] quit
[FWA] interface gigabitethernet 1/0/3
[FWA-GigabitEthernet1/0/3] eth-trunk 30
[FWA-GigabitEthernet1/0/3] quit
[FWA] interface gigabitethernet 1/0/4
[FWA-GigabitEthernet1/0/4] eth-trunk 30
[FWA-GigabitEthernet1/0/4] quit
# On FWB, create Eth-Trunk40 for the connection to CORE and add its member interfaces.
<sysname> system-view
[sysname] sysname FWB
[FWB] interface eth-trunk 40
[FWB-Eth-Trunk40] mode lacp-static
[FWB-Eth-Trunk40] quit
[FWB] interface gigabitethernet 1/0/3
[FWB-GigabitEthernet1/0/3] eth-trunk 40
[FWB-GigabitEthernet1/0/3] quit
[FWB] interface gigabitethernet 1/0/4
[FWB-GigabitEthernet1/0/4] eth-trunk 40
[FWB-GigabitEthernet1/0/4] quit
# On core switch CORE, create Eth-Trunk30 and Eth-Trunk40 for the connections to FWA and FWB respectively, and add their member interfaces.
[CORE] interface eth-trunk 30
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] quit
[CORE] interface gigabitethernet 1/3/0/0
[CORE-GigabitEthernet1/3/0/0] eth-trunk 30
[CORE-GigabitEthernet1/3/0/0] quit
[CORE] interface gigabitethernet 2/3/0/0
[CORE-GigabitEthernet2/3/0/0] eth-trunk 30
[CORE-GigabitEthernet2/3/0/0] quit
[CORE] interface eth-trunk 40
[CORE-Eth-Trunk40] mode lacp
[CORE-Eth-Trunk40] quit
[CORE] interface gigabitethernet 1/3/0/1
[CORE-GigabitEthernet1/3/0/1] eth-trunk 40
[CORE-GigabitEthernet1/3/0/1] quit
[CORE] interface gigabitethernet 2/3/0/1
[CORE-GigabitEthernet2/3/0/1] eth-trunk 40
[CORE-GigabitEthernet2/3/0/1] quit
Configure interfaces and IP addresses on the egress firewalls and the core switch.
On FWA, configure the interface IP addresses and add the interfaces to the corresponding security zones.
[FWA] interface loopback 0
[FWA-LoopBack0] ip address 1.1.1.1 32 //used as the router ID
[FWA-LoopBack0] quit
[FWA] interface gigabitethernet 1/0/1
[FWA-GigabitEthernet1/0/1] ip address 192.0.2.1 24 //IP address of the interface connected to ISPA
[FWA-GigabitEthernet1/0/1] gateway 192.0.2.254
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface gigabitethernet 1/0/5
[FWA-GigabitEthernet1/0/5] ip address 198.51.100.2 24 //IP address of the interface connected to ISPB
[FWA-GigabitEthernet1/0/5] gateway 198.51.100.254
[FWA-GigabitEthernet1/0/5] quit
[FWA] interface gigabitethernet 1/0/2
[FWA-GigabitEthernet1/0/2] ip address 172.16.111.1 24 //IP address of the hot-standby heartbeat interface
[FWA-GigabitEthernet1/0/2] quit
[FWA] interface eth-trunk 30
[FWA-Eth-Trunk30] ip address 172.16.10.1 24 //IP address of the Eth-Trunk interface connected to CORE
[FWA-Eth-Trunk30] quit
[FWA] firewall zone trust
[FWA-zone-trust] set priority 85
[FWA-zone-trust] add interface eth-trunk 30 //add Eth-Trunk30, which connects to the internal network, to the trust zone
[FWA-zone-trust] quit
[FWA] firewall zone name isp1 //add the interface connected to ISPA to security zone isp1
[FWA-zone-isp1] set priority 10
[FWA-zone-isp1] add interface gigabitethernet 1/0/1
[FWA-zone-isp1] quit
[FWA] firewall zone name isp2 //add the interface connected to ISPB to security zone isp2
[FWA-zone-isp2] set priority 15
[FWA-zone-isp2] add interface gigabitethernet 1/0/5
[FWA-zone-isp2] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] set priority 50
[FWA-zone-dmz] add interface gigabitethernet 1/0/2 //add the heartbeat interface to the DMZ zone
[FWA-zone-dmz] quit
On FWB, configure the interface IP addresses and add the interfaces to the corresponding security zones.
[FWB] interface loopback 0
[FWB-LoopBack0] ip address 2.2.2.2 32 //used as the router ID
[FWB-LoopBack0] quit
[FWB] interface gigabitethernet 1/0/1
[FWB-GigabitEthernet1/0/1] ip address 192.0.2.2 24 //IP address of the interface connected to ISPA
[FWB-GigabitEthernet1/0/1] gateway 192.0.2.254
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface gigabitethernet 1/0/5
[FWB-GigabitEthernet1/0/5] ip address 198.51.100.1 24 //IP address of the interface connected to ISPB
[FWB-GigabitEthernet1/0/5] gateway 198.51.100.254
[FWB-GigabitEthernet1/0/5] quit
[FWB] interface gigabitethernet 1/0/2
[FWB-GigabitEthernet1/0/2] ip address 172.16.111.2 24 //IP address of the hot-standby heartbeat interface
[FWB-GigabitEthernet1/0/2] quit
[FWB] interface eth-trunk 40
[FWB-Eth-Trunk40] ip address 172.16.10.2 24 //IP address of the Eth-Trunk interface connected to CORE
[FWB-Eth-Trunk40] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 40 //add Eth-Trunk40, which connects to the internal network, to the trust zone
[FWB-zone-trust] quit
[FWB] firewall zone name isp1 //add the interface connected to ISPA to security zone isp1
[FWB-zone-isp1] set priority 10
[FWB-zone-isp1] add interface gigabitethernet 1/0/1
[FWB-zone-isp1] quit
[FWB] firewall zone name isp2 //add the interface connected to ISPB to security zone isp2
[FWB-zone-isp2] set priority 15
[FWB-zone-isp2] add interface gigabitethernet 1/0/5
[FWB-zone-isp2] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/2 //add the heartbeat interface to the DMZ zone
[FWB-zone-dmz] quit
Configure interfaces and IP addresses on core switch CORE.
[CORE] interface loopback 0
[CORE-LoopBack0] ip address 3.3.3.3 32 //used as the router ID
[CORE-LoopBack0] quit
[CORE] vlan batch 10 50
[CORE] interface eth-trunk 30
[CORE-Eth-Trunk30] port link-type access
[CORE-Eth-Trunk30] port default vlan 10
[CORE-Eth-Trunk30] quit
[CORE] interface eth-trunk 40
[CORE-Eth-Trunk40] port link-type access
[CORE-Eth-Trunk40] port default vlan 10
[CORE-Eth-Trunk40] quit
[CORE] interface vlanif 10
[CORE-Vlanif10] ip address 172.16.10.3 24 //IP address of the VLANIF interface connected to the FWs
[CORE-Vlanif10] quit
[CORE] interface xgigabitethernet 1/2/0/20
[CORE-XGigabitEthernet1/2/0/20] port link-type access
[CORE-XGigabitEthernet1/2/0/20] port default vlan 50
[CORE-XGigabitEthernet1/2/0/20] quit
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 24
[CORE-Vlanif50] quit
Configure routes on the egress firewalls and the core switch.
On FWA, configure OSPF to advertise the network segment of the downlink interface.
[FWA] ospf 1 router-id 1.1.1.1
[FWA-ospf-1] area 0.0.0.0
[FWA-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] quit
[FWA-ospf-1] quit
On FWB, configure OSPF to advertise the network segment of the downlink interface.
[FWB] ospf 1 router-id 2.2.2.2
[FWB-ospf-1] area 0.0.0.0
[FWB-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255
[FWB-ospf-1-area-0.0.0.0] quit
[FWB-ospf-1] quit
On core switch CORE, configure OSPF to advertise the network segments of the uplink interfaces.
[CORE] router id 3.3.3.3
[CORE] ospf 1
[CORE-ospf-1] area 0.0.0.0
[CORE-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255 //advertise the segment connected to the FWs
[CORE-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255 //advertise the segment connected to the HTTP server
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
On core switch CORE, configure default routes whose next hops are the FW IP addresses.
[CORE] ip route-static 0.0.0.0 0.0.0.0 172.16.10.1
[CORE] ip route-static 0.0.0.0 0.0.0.0 172.16.10.2
Configure intelligent uplink selection on the egress firewalls.
# On FWA, configure IP-Link to probe whether the link provided by each ISP is working.
[FWA] ip-link check enable
[FWA] ip-link name ip_link_1
[FWA-iplink-ip_link_1] destination 192.0.2.254 interface gigabitethernet 1/0/1
[FWA-iplink-ip_link_1] quit
[FWA] ip-link name ip_link_2
[FWA-iplink-ip_link_2] destination 198.51.100.254 interface gigabitethernet 1/0/5
[FWA-iplink-ip_link_2] quit
# On FWB, configure IP-Link to probe whether the link provided by each ISP is working.
[FWB] ip-link check enable
[FWB] ip-link name ip_link_1
[FWB-iplink-ip_link_1] destination 192.0.2.254 interface gigabitethernet 1/0/1
[FWB-iplink-ip_link_1] quit
[FWB] ip-link name ip_link_2
[FWB-iplink-ip_link_2] destination 198.51.100.254 interface gigabitethernet 1/0/5
[FWB-iplink-ip_link_2] quit
# On FWA, configure default routes whose next hops point to the two ISP access points.
[FWA] ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_1
[FWA] ip route-static 0.0.0.0 0.0.0.0 198.51.100.254 track ip-link ip_link_2
# On FWB, configure default routes whose next hops point to the two ISP access points.
[FWB] ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_1
[FWB] ip route-static 0.0.0.0 0.0.0.0 198.51.100.254 track ip-link ip_link_2
# On FWA, configure intelligent uplink selection with load balancing in proportion to link bandwidth.
[FWA] multi-interface
[FWA-multi-inter] mode proportion-of-bandwidth
[FWA-multi-inter] add interface GigabitEthernet1/0/1
[FWA-multi-inter] add interface GigabitEthernet1/0/5
[FWA-multi-inter] quit
[FWA] interface GigabitEthernet 1/0/1
[FWA-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95
[FWA-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface GigabitEthernet 1/0/5
[FWA-GigabitEthernet1/0/5] bandwidth ingress 200000 threshold 90
[FWA-GigabitEthernet1/0/5] bandwidth egress 200000 threshold 90
[FWA-GigabitEthernet1/0/5] quit
# On FWB, configure intelligent uplink selection with load balancing in proportion to link bandwidth.
[FWB] multi-interface
[FWB-multi-inter] mode proportion-of-bandwidth
[FWB-multi-inter] add interface GigabitEthernet1/0/1
[FWB-multi-inter] add interface GigabitEthernet1/0/5
[FWB-multi-inter] quit
[FWB] interface GigabitEthernet 1/0/1
[FWB-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95
[FWB-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface GigabitEthernet 1/0/5
[FWB-GigabitEthernet1/0/5] bandwidth ingress 200000 threshold 90
[FWB-GigabitEthernet1/0/5] bandwidth egress 200000 threshold 90
[FWB-GigabitEthernet1/0/5] quit
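To make the uplink-selection behaviour above concrete, here is an added Python model (not Huawei code and not part of the original page) of proportion-of-bandwidth selection with the page's two links: new sessions are shared 800000:200000 between GigabitEthernet1/0/1 and GigabitEthernet1/0/5, and a link is left out while its IP-Link probe is down or its egress load is at or above the configured threshold percentage. The threshold and load semantics are the model's assumptions, and the load figures are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Uplink:
    """One member of the multi-interface group (values taken from the page's config)."""
    name: str
    bandwidth_kbps: int        # "bandwidth egress <kbps>" on the interface
    threshold_pct: int         # "... threshold <pct>": load at or above this = congested (assumed)
    ip_link_up: bool = True    # state of the IP-Link probe tracked by the default route
    egress_kbps: float = 0.0   # current egress load; constructed values in the demo

    def usable(self) -> bool:
        """A link takes new sessions only if its probe is up and it is under threshold."""
        if not self.ip_link_up:
            return False
        return self.egress_kbps < self.bandwidth_kbps * self.threshold_pct / 100


def page_uplinks() -> List[Uplink]:
    """The two ISP links exactly as configured on FWA/FWB."""
    return [Uplink("GigabitEthernet1/0/1", 800000, 95),   # ISPA
            Uplink("GigabitEthernet1/0/5", 200000, 90)]   # ISPB


def share_table(links: List[Uplink]) -> Dict[str, float]:
    """Fraction of new sessions each usable link receives (proportion-of-bandwidth).
    Returns an empty table when no link is usable, i.e. nothing can be forwarded."""
    usable = [l for l in links if l.usable()]
    total = sum(l.bandwidth_kbps for l in usable)
    if total == 0:
        return {}
    return {l.name: l.bandwidth_kbps / total for l in usable}


def pick_link(links: List[Uplink], session_id: int) -> Optional[str]:
    """Deterministic weighted choice: spread session ids evenly over [0, 1) and map
    that position onto the cumulative shares, so every 1000 sessions split exactly."""
    shares = share_table(links)
    if not shares:
        return None
    pos = (session_id % 1000) / 1000.0
    acc = 0.0
    for name, share in shares.items():
        acc += share
        if pos < acc:
            return name
    return list(shares)[-1]   # guard against floating-point rounding at the top end


def distribute(links: List[Uplink], n_sessions: int) -> Dict[str, int]:
    """Count how many of n_sessions new sessions land on each link."""
    counts: Dict[str, int] = {}
    for i in range(n_sessions):
        name = pick_link(links, i)
        if name is not None:
            counts[name] = counts.get(name, 0) + 1
    return counts


def congest(links: List[Uplink], name: str, load_pct: float) -> List[Uplink]:
    """Load one link to load_pct of its bandwidth (constructed load) and return the list."""
    for l in links:
        if l.name == name:
            l.egress_kbps = l.bandwidth_kbps * load_pct / 100
    return links


if __name__ == "__main__":
    links = page_uplinks()
    print("normal:", distribute(links, 1000))
    print("ISPA at 96% load:", distribute(congest(links, "GigabitEthernet1/0/1", 96), 1000))
```

With ISPA loaded past its 95% threshold the table collapses to ISPB alone, which is the "switch to the ISPB link when ISPA is congested" behaviour the verification section describes.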
Configure hot standby on the egress firewalls.
# On FWA, configure VRRP group 1 on the downlink service interface and set its state to Active. Note that the virtual IP address 172.16.10.3 used here is the same address configured on Vlanif10 of CORE above; the virtual IP must be an unused address in 172.16.10.0/24, so one of the two must be changed before deployment.
[FWA] interface Eth-Trunk 30
[FWA-Eth-Trunk30] vrrp vrid 1 virtual-ip 172.16.10.3 24 active
[FWA-Eth-Trunk30] quit
# On FWA, configure the VGMP group to monitor the downlink service interface.
[FWA] hrp track interface eth-trunk 30
# On FWB, configure VRRP group 1 on the downlink service interface and set its state to Standby.
[FWB] interface Eth-Trunk 40
[FWB-Eth-Trunk40] vrrp vrid 1 virtual-ip 172.16.10.3 24 standby
[FWB-Eth-Trunk40] quit
# On FWB, configure the VGMP group to monitor the downlink service interface.
[FWB] hrp track interface eth-trunk 40
# On FWA, enable quick session backup, specify the heartbeat interface, and enable hot standby.
[FWA] hrp mirror session enable
[FWA] hrp interface GigabitEthernet 1/0/2 remote 172.16.111.2
[FWA] hrp enable
# On FWB, enable quick session backup, specify the heartbeat interface, and enable hot standby.
[FWB] hrp mirror session enable
[FWB] hrp interface GigabitEthernet 1/0/2 remote 172.16.111.1
[FWB] hrp enable
Configure security policies on the egress firewalls.
# Configure security policies on FWA. Once the hot-standby relationship has been established, the security-policy configuration on FWA is automatically backed up to FWB.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_dmz //allow traffic between the local and DMZ zones
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] action permit
HRP_M[FWA-policy-security-rule-policy_dmz] quit
HRP_M[FWA-policy-security] rule name trust_to_untrust //allow internal users to access the external network
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone isp1
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone isp2
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-address 172.16.40.0 24
HRP_M[FWA-policy-security-rule-trust_to_untrust] action permit
HRP_M[FWA-policy-security-rule-trust_to_untrust] quit
HRP_M[FWA-policy-security] rule name untrust_to_trust //allow external users to access the HTTP server
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone isp1
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone isp2
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-address 172.16.50.0 24
HRP_M[FWA-policy-security-rule-untrust_to_trust] action permit
HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit
Configure NAT policies on the egress firewalls.
# On FWA, create address pools addressgroup1 (4.4.4.1 to 4.4.4.5) and addressgroup2 (5.5.5.1 to 5.5.5.5). Address pools configured on FWA are automatically synchronized to FWB.
HRP_M[FWA] nat address-group addressgroup1
HRP_M[FWA-nat-address-group-addressgroup1] section 0 4.4.4.1 4.4.4.5
HRP_M[FWA-nat-address-group-addressgroup1] mode pat
HRP_M[FWA-nat-address-group-addressgroup1] route enable
HRP_M[FWA-nat-address-group-addressgroup1] quit
HRP_M[FWA] nat address-group addressgroup2
HRP_M[FWA-nat-address-group-addressgroup2] section 1 5.5.5.1 5.5.5.5
HRP_M[FWA-nat-address-group-addressgroup2] mode pat
HRP_M[FWA-nat-address-group-addressgroup2] route enable
HRP_M[FWA-nat-address-group-addressgroup2] quit
# Configure source NAT policies so that internal users access the Internet through translated public IP addresses.
HRP_M[FWA] nat-policy
HRP_M[FWA-policy-nat] rule name policy_nat_1
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-address range 172.16.40.1 172.16.40.127
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-zone isp1
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-zone isp2
HRP_M[FWA-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1
HRP_M[FWA-policy-nat-rule-policy_nat_1] quit
HRP_M[FWA-policy-nat] rule name policy_nat_2
HRP_M[FWA-policy-nat-rule-policy_nat_2] source-address range 172.16.40.128 172.16.40.254
HRP_M[FWA-policy-nat-rule-policy_nat_2] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_2] destination-zone isp1
HRP_M[FWA-policy-nat-rule-policy_nat_2] destination-zone isp2
HRP_M[FWA-policy-nat-rule-policy_nat_2] action source-nat address-group addressgroup2
HRP_M[FWA-policy-nat-rule-policy_nat_2] quit
HRP_M[FWA-policy-nat] quit
# Ask the ISP network administrators to configure routes to address pools addressgroup1 and addressgroup2 with the corresponding FW interface addresses as next hops.
Configure NAT Server on the egress firewalls.
# Configure static server mappings. Assume that the internal HTTP server has been allocated public IP addresses by ISPA and ISPB (4.4.4.10 and 5.5.5.10) to provide services externally; ISPA users and ISPB users reach the HTTP server through their respective public addresses.
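An added audit (example code, not the firewall's own tooling) that parses the flattened configuration-file format shown later on this page and checks the source-NAT policy: the two source-address ranges must neither overlap nor leave out any host of the 172.16.40.0/24 segment that trust_to_untrust permits, and every destination-zone must be a zone that actually has an interface (a rule pointing at the empty default untrust zone would never match). The configuration text below is constructed from the page's values.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed from the FWA configuration file on the page: the ISP zone blocks and the
# nat-policy block, in the '#'-separated flattened format the file uses.
SAMPLE_CONFIG = """\
#
firewall zone name isp1
add interface GigabitEthernet1/0/1
#
firewall zone name isp2
add interface GigabitEthernet1/0/5
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.1 172.16.40.127
action source-nat address-group addressgroup1
rule name policy_nat_2
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.128 172.16.40.254
action source-nat address-group addressgroup2
#
"""


def split_blocks(text: str) -> List[List[str]]:
    """Split the configuration into blocks delimited by lines that are just '#'."""
    blocks: List[List[str]] = [[]]
    for line in (l.strip() for l in text.splitlines()):
        if line == "#":
            blocks.append([])
        elif line:
            blocks[-1].append(line)
    return [b for b in blocks if b]


def zones_with_interfaces(blocks: List[List[str]]) -> Set[str]:
    """Names of security zones that have at least one 'add interface' line."""
    zones: Set[str] = set()
    for block in blocks:
        head = block[0].split()
        if head[:2] == ["firewall", "zone"] and any(l.startswith("add interface ") for l in block):
            zones.add(head[3] if head[2] == "name" else head[2])   # named vs built-in zone
    return zones


def nat_rules(blocks: List[List[str]]) -> List[Dict]:
    """Collect rule name, destination zones and source range of each source-NAT rule."""
    rules: List[Dict] = []
    for line in (l for b in blocks if b[0] == "nat-policy" for l in b[1:]):
        p = line.split()
        if p[:2] == ["rule", "name"]:
            rules.append({"name": p[2], "dst_zones": [], "range": None})
        elif p[0] == "destination-zone" and rules:
            rules[-1]["dst_zones"].append(p[1])
        elif p[:2] == ["source-address", "range"] and rules:
            rules[-1]["range"] = (int(ipaddress.IPv4Address(p[2])), int(ipaddress.IPv4Address(p[3])))
    return rules


def audit(text: str, permitted: str = "172.16.40.0/24") -> List[str]:
    """Findings for the NAT policy: dangling zones, overlapping ranges, uncovered hosts.
    `permitted` is the user segment that the trust_to_untrust security policy allows."""
    blocks = split_blocks(text)
    zones = zones_with_interfaces(blocks)
    findings: List[str] = []
    ranged = []
    for r in nat_rules(blocks):
        for z in r["dst_zones"]:
            if z not in zones:
                findings.append(f"{r['name']}: destination-zone {z} has no interface, rule never matches")
        if r["range"]:
            ranged.append(r)
    ranged.sort(key=lambda r: r["range"][0])
    for a, b in zip(ranged, ranged[1:]):
        if b["range"][0] <= a["range"][1]:
            findings.append(f"{a['name']}/{b['name']}: source ranges overlap at "
                            f"{ipaddress.IPv4Address(b['range'][0])}")
    covered: Set[int] = set()
    for r in ranged:
        covered.update(range(r["range"][0], r["range"][1] + 1))
    missing = [h for h in ipaddress.IPv4Network(permitted).hosts() if int(h) not in covered]
    if missing:
        findings.append(f"{len(missing)} hosts of {permitted} have no source-NAT rule, e.g. {missing[0]}")
    return findings
```

Running audit(SAMPLE_CONFIG) on the page's values returns no findings; retyping the second range as 172.16.40.127 or pointing a rule at untrust produces one finding per defect.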
HRP_M[FWA] nat server web_for_isp1 zone isp1 protocol tcp global 4.4.4.10 8080 inside 172.16.50.10 80 no-reverse
HRP_M[FWA] nat server web_for_isp2 zone isp2 protocol tcp global 5.5.5.10 8080 inside 172.16.50.10 80 no-reverse
# Ask the ISP network administrators to configure routes to the public IP addresses mapped to the HTTP server, with the corresponding FW interface addresses as next hops.
# On FWA, configure black-hole routes. External users can reach the HTTP server only through port 8080; all other traffic to the mapped addresses is discarded by the black-hole routes, which prevents routing loops.
HRP_M[FWA] ip route-static 4.4.4.10 32 NULL 0
HRP_M[FWA] ip route-static 5.5.5.10 32 NULL 0
# On FWB, configure black-hole routes.
HRP_S[FWB] ip route-static 4.4.4.10 32 NULL 0
HRP_S[FWB] ip route-static 5.5.5.10 32 NULL 0
# On FWA, enable return packets to be sent out through the interface on which the flow arrived.
HRP_M[FWA] interface GigabitEthernet 1/0/1
HRP_M[FWA-GigabitEthernet1/0/1] redirect-reverse next-hop 192.0.2.254
HRP_M[FWA-GigabitEthernet1/0/1] quit
HRP_M[FWA] interface GigabitEthernet 1/0/5
HRP_M[FWA-GigabitEthernet1/0/5] redirect-reverse next-hop 198.51.100.254
HRP_M[FWA-GigabitEthernet1/0/5] quit
# On FWB, enable return packets to be sent out through the interface on which the flow arrived.
HRP_S[FWB] interface GigabitEthernet 1/0/1
HRP_S[FWB-GigabitEthernet1/0/1] redirect-reverse next-hop 192.0.2.254
HRP_S[FWB-GigabitEthernet1/0/1] quit
HRP_S[FWB] interface GigabitEthernet 1/0/5
HRP_S[FWB-GigabitEthernet1/0/5] redirect-reverse next-hop 198.51.100.254
HRP_S[FWB-GigabitEthernet1/0/5] quit
Configure smart DNS on the egress firewalls.
This feature requires a license and can be used only after the corresponding component package has been loaded through dynamic loading.
HRP_M[FWA] dns-smart enable
HRP_M[FWA] dns-smart group 1 type multi
HRP_M[FWA-dns-smart-group-1] out-interface GigabitEthernet 1/0/1 map 4.4.4.10
HRP_M[FWA-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 5.5.5.10
HRP_M[FWA-dns-smart-group-1] quit
Configure attack defense and application behavior control on the egress firewalls.
# Configure attack defense.
HRP_M[FWA] firewall defend land enable
HRP_M[FWA] firewall defend smurf enable
HRP_M[FWA] firewall defend fraggle enable
HRP_M[FWA] firewall defend winnuke enable
HRP_M[FWA] firewall defend source-route enable
HRP_M[FWA] firewall defend route-record enable
HRP_M[FWA] firewall defend time-stamp enable
HRP_M[FWA] firewall defend ping-of-death enable
HRP_M[FWA] interface GigabitEthernet 1/0/1
HRP_M[FWA-GigabitEthernet1/0/1] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/1] quit
HRP_M[FWA] interface GigabitEthernet 1/0/5
HRP_M[FWA-GigabitEthernet1/0/5] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/5] quit
HRP_M[FWA] anti-ddos baseline-learn start
HRP_M[FWA] anti-ddos baseline-learn tolerance-value 100
HRP_M[FWA] anti-ddos baseline-learn apply
HRP_M[FWA] anti-ddos syn-flood source-detect
HRP_M[FWA] anti-ddos udp-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos udp-frag-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos http-flood defend alert-rate 2000
HRP_M[FWA] anti-ddos http-flood source-detect mode basic
# Configure application behavior control.
This feature requires a license and can be used only after the corresponding component package has been loaded through dynamic loading.
Create an application behavior control profile that blocks HTTP and FTP operations during working hours.
HRP_M[FWA] profile type app-control name profile_app_work
HRP_M[FWA-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] quit
Create an application behavior control profile that, outside working hours, allows only HTTP web browsing, HTTP proxy access and HTTP file download.
HRP_M[FWA] profile type app-control name profile_app_rest
HRP_M[FWA-profile-app-control-profile_app_rest] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_rest] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_rest] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_rest] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_rest] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_rest] quit
Create a time range named working_hours that covers working hours.
HRP_M[FWA] time-range working_hours
HRP_M[FWA-time-range-working_hours] period-range 09:00:00 to 17:30:00 working-day
HRP_M[FWA-time-range-working_hours] quit
Create a time range named off_hours that covers non-working hours.
HRP_M[FWA] time-range off_hours
HRP_M[FWA-time-range-off_hours] period-range 00:00:00 to 23:59:59 off-day
HRP_M[FWA-time-range-off_hours] period-range 00:00:00 to 08:59:59 working-day
HRP_M[FWA-time-range-off_hours] period-range 17:30:01 to 23:59:59 working-day
HRP_M[FWA-time-range-off_hours] quit
Configure security policy policy_sec_work, which references time range working_hours and application behavior control profile profile_app_work to control users' application behavior during working hours. Security policies are matched from top to bottom, so this rule and policy_sec_rest must be placed above trust_to_untrust, which already permits trust-to-isp1/isp2 traffic from 172.16.40.0/24 without a profile; otherwise the profiles are never applied.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_work
HRP_M[FWA-policy-security-rule-policy_sec_work] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp2
HRP_M[FWA-policy-security-rule-policy_sec_work] user any
HRP_M[FWA-policy-security-rule-policy_sec_work] time-range working_hours
HRP_M[FWA-policy-security-rule-policy_sec_work] profile app-control profile_app_work
HRP_M[FWA-policy-security-rule-policy_sec_work] action permit
HRP_M[FWA-policy-security-rule-policy_sec_work] quit
Configure security policy policy_sec_rest, which references time range off_hours and application behavior control profile profile_app_rest to control users' application behavior outside working hours.
HRP_M[FWA-policy-security] rule name policy_sec_rest
HRP_M[FWA-policy-security-rule-policy_sec_rest] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_rest] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_rest] destination-zone isp2
HRP_M[FWA-policy-security-rule-policy_sec_rest] user any
HRP_M[FWA-policy-security-rule-policy_sec_rest] time-range off_hours
HRP_M[FWA-policy-security-rule-policy_sec_rest] profile app-control profile_app_rest
HRP_M[FWA-policy-security-rule-policy_sec_rest] action permit
HRP_M[FWA-policy-security-rule-policy_sec_rest] quit
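As an added check (example code, not part of the original configuration), the following Python verifies that working_hours and off_hours together cover every second of the week exactly once, with no gap or overlap at the 17:30:00/17:30:01 boundary, and resolves which of the two rules applies at a given moment. It assumes that working-day means Monday to Friday, that off-day means Saturday and Sunday, and that period-range bounds are inclusive.

```python
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumed day-type semantics: working-day = Monday..Friday, off-day = Saturday, Sunday
# (datetime.weekday() numbering); period-range bounds are inclusive, to the second.
WORKING_DAYS = {0, 1, 2, 3, 4}
OFF_DAYS = {5, 6}

# The "period-range <start> to <end> <day-type>" lines of the two time ranges on the page
TIME_RANGES: Dict[str, List[Tuple[str, str, str]]] = {
    "working_hours": [("09:00:00", "17:30:00", "working-day")],
    "off_hours": [
        ("00:00:00", "23:59:59", "off-day"),
        ("00:00:00", "08:59:59", "working-day"),
        ("17:30:01", "23:59:59", "working-day"),
    ],
}

# The two app-control security-policy rules in creation order: (rule, time-range, profile)
POLICIES = [
    ("policy_sec_work", "working_hours", "profile_app_work"),
    ("policy_sec_rest", "off_hours", "profile_app_rest"),
]


def to_sec(hms: str) -> int:
    """'HH:MM:SS' -> seconds since midnight."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def in_time_range(name: str, weekday: int, sec: int) -> bool:
    """True if the given weekday/second falls inside any period of time range `name`."""
    for start, end, kind in TIME_RANGES[name]:
        days = WORKING_DAYS if kind == "working-day" else OFF_DAYS
        if weekday in days and to_sec(start) <= sec <= to_sec(end):
            return True
    return False


def match_policy(when: datetime) -> Optional[Tuple[str, str]]:
    """First app-control rule whose time range matches `when`: (rule, profile), or None."""
    sec = when.hour * 3600 + when.minute * 60 + when.second
    for rule, trange, profile in POLICIES:
        if in_time_range(trange, when.weekday(), sec):
            return rule, profile
    return None


def policy_at(stamp: str) -> Optional[str]:
    """Rule name that applies at an ISO 'YYYY-MM-DD HH:MM:SS' timestamp, or None."""
    hit = match_policy(datetime.fromisoformat(stamp))
    return hit[0] if hit else None


def coverage_report() -> Dict[str, int]:
    """Seconds of the week matched by no time range, exactly one, or more than one.
    A correct pair of complementary ranges gives uncovered == overlap == 0."""
    report = {"uncovered": 0, "once": 0, "overlap": 0}
    for kind, ndays in (("working-day", 5), ("off-day", 2)):
        cov = [0] * 86400                       # hit count per second of one day
        for periods in TIME_RANGES.values():
            for start, end, k in periods:
                if k == kind:
                    for s in range(to_sec(start), to_sec(end) + 1):
                        cov[s] += 1
        report["uncovered"] += ndays * cov.count(0)
        report["once"] += ndays * cov.count(1)
        report["overlap"] += ndays * sum(1 for c in cov if c > 1)
    return report


if __name__ == "__main__":
    print(coverage_report())
    for stamp in ("2024-01-01 08:59:59", "2024-01-01 09:00:00", "2024-01-01 17:30:00",
                  "2024-01-01 17:30:01", "2024-01-06 12:00:00"):
        print(stamp, policy_at(stamp))
```

If a later edit widens one range (for example moving the end of working_hours to 18:00:00 without moving the start of the evening period), coverage_report() reports the overlapping seconds, and the first rule in creation order silently wins for them.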
Verification
# Using ping, you can verify that internal users can access Internet resources normally and that external users can access the HTTP server in the internal network, while internal users cannot play online games or watch online video during working hours.
# When the ISPA link is congested, services automatically switch to the ISPB link.
Configuration files
FWA configuration file
#
sysname FWA
#
hrp enable
hrp interface GigabitEthernet 1/0/2 remote 172.16.111.2
hrp track interface Eth-Trunk 30
hrp mirror session enable
#
interface Eth-Trunk 30
ip address 172.16.10.1 255.255.255.0
mode lacp-static
vrrp vrid 1 virtual-ip 172.16.10.3 24 active
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.0.2.1 255.255.255.0
anti-ddos flow-statistic enable
gateway 192.0.2.254
bandwidth ingress 800000 threshold 95
bandwidth egress 800000 threshold 95
redirect-reverse next-hop 192.0.2.254
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 172.16.111.1 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 30
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 30
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 198.51.100.2 255.255.255.0
anti-ddos flow-statistic enable
gateway 198.51.100.254
bandwidth egress 200000 threshold 90
bandwidth ingress 200000 threshold 90
redirect-reverse next-hop 198.51.100.254
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk30
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2
set priority 15
add interface GigabitEthernet1/0/5
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.10.0 0.0.0.255
#
ip-link check enable
ip-link name ip_link_1
destination 192.0.2.254 interface GigabitEthernet1/0/1
#
ip-link name ip_link_2
destination 198.51.100.254 interface GigabitEthernet1/0/5
#
ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 198.51.100.254 track ip-link ip_link_2
ip route-static 4.4.4.10 255.255.255.255 NULL 0
ip route-static 5.5.5.10 255.255.255.255 NULL 0
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/5
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
destination-zone isp2
source-address 172.16.40.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone isp1
source-zone isp2
destination-zone trust
destination-address 172.16.50.0 mask 255.255.255.0
action permit
rule name policy_sec_work
source-zone trust
destination-zone isp1
destination-zone isp2
time-range working_hours
profile app-control profile_app_work
action permit
rule name policy_sec_rest
source-zone trust
destination-zone isp1
destination-zone isp2
time-range off_hours
profile app-control profile_app_rest
action permit
#
nat address-group addressgroup1
mode pat
route enable
section 0 4.4.4.1 4.4.4.5
#
nat address-group addressgroup2
mode pat
route enable
section 1 5.5.5.1 5.5.5.5
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.1 172.16.40.127
action source-nat address-group addressgroup1
rule name policy_nat_2
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.128 172.16.40.254
action source-nat address-group addressgroup2
#
nat server web_for_isp1 zone isp1 protocol tcp global 4.4.4.10 8080 inside 172.16.50.10 80 no-reverse
nat server web_for_isp2 zone isp2 protocol tcp global 5.5.5.10 8080 inside 172.16.50.10 80 no-reverse
#
dns-smart enable
dns-smart group 1 type multi
out-interface GigabitEthernet 1/0/1 map 4.4.4.10
out-interface GigabitEthernet 1/0/5 map 5.5.5.10
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
http-control post action deny
http-control file direction upload action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range 09:00:00 to 17:30:00 working-day
#
time-range off_hours
period-range 00:00:00 to 23:59:59 off-day
period-range 00:00:00 to 08:59:59 working-day
period-range 17:30:01 to 23:59:59 working-day
#
return
FWB configuration file
#
sysname FWB
#
hrp enable
hrp interface GigabitEthernet 1/0/2 remote 172.16.111.1
hrp track interface Eth-Trunk 40
hrp mirror session enable
#
interface Eth-Trunk 40
ip address 172.16.10.2 255.255.255.0
mode lacp-static
vrrp vrid 1 virtual-ip 172.16.10.3 24 standby
#
interface GigabitEthernet1/0/1
ip address 192.0.2.2 255.255.255.0
anti-ddos flow-statistic enable
gateway 192.0.2.254
bandwidth ingress 800000 threshold 95
bandwidth egress 800000 threshold 95
redirect-reverse next-hop 192.0.2.254
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 172.16.111.2 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 40
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 40
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 198.51.100.1 255.255.255.0
anti-ddos flow-statistic enable
gateway 198.51.100.254
bandwidth egress 200000 threshold 90
bandwidth ingress 200000 threshold 90
redirect-reverse next-hop 198.51.100.254
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk40
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2
set priority 15
add interface GigabitEthernet1/0/5
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.10.0 0.0.0.255
#
ip-link check enable
ip-link name ip_link_1
destination 192.0.2.254 interface GigabitEthernet1/0/1
#
ip-link name ip_link_2
destination 198.51.100.254 interface GigabitEthernet1/0/5
#
ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 198.51.100.254 track ip-link ip_link_2
ip route-static 4.4.4.10 255.255.255.255 NULL 0
ip route-static 5.5.5.10 255.255.255.255 NULL 0
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/5
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
destination-zone isp2
source-address 172.16.40.0 mask 255.255.255.0
action permit
rule name untrust_to_trust
source-zone isp1
source-zone isp2
destination-zone trust
destination-address 172.16.50.0 mask 255.255.255.0
action permit
rule name policy_sec_work
source-zone trust
destination-zone isp1
destination-zone isp2
time-range working_hours
profile app-control profile_app_work
action permit
rule name policy_sec_rest
source-zone trust
destination-zone isp1
destination-zone isp2
time-range off_hours
profile app-control profile_app_rest
action permit
#
nat address-group addressgroup1
mode pat
route enable
section 0 4.4.4.1 4.4.4.5
#
nat address-group addressgroup2
mode pat
route enable
section 1 5.5.5.1 5.5.5.5
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.1 172.16.40.127
action source-nat address-group addressgroup1
rule name policy_nat_2
source-zone trust
destination-zone isp1
destination-zone isp2
source-address range 172.16.40.128 172.16.40.254
action source-nat address-group addressgroup2
#
nat server web_for_isp1 zone isp1 protocol tcp global 4.4.4.10 8080 inside 172.16.50.10 80 no-reverse
nat server web_for_isp2 zone isp2 protocol tcp global 5.5.5.10 8080 inside 172.16.50.10 80 no-reverse
#
dns-smart enable
dns-smart group 1 type multi
out-interface GigabitEthernet 1/0/1 map 4.4.4.10
out-interface GigabitEthernet 1/0/5 map 5.5.5.10
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
http-control post action deny
http-control file direction upload action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range 09:00:00 to 17:30:00 working-day
#
time-range off_hours
period-range 00:00:00 to 23:59:59 off-day
period-range 00:00:00 to 08:59:59 working-day
period-range 17:30:01 to 23:59:59 working-day
#
return
CORE configuration file
#
sysname CORE
#
router id 3.3.3.3
#
vlan batch 10 50
#
interface Vlanif10
ip address 172.16.10.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
#
interface Eth-Trunk30
port link-type access
port default vlan 10
mode lacp
#
interface Eth-Trunk40
port link-type access
port default vlan 10
mode lacp
#
interface GigabitEthernet1/3/0/0
eth-trunk 30
#
interface GigabitEthernet1/3/0/1
eth-trunk 40
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/20
port link-type access
port default vlan 50
#
interface GigabitEthernet2/3/0/0
eth-trunk 30
#
interface GigabitEthernet2/3/0/1
eth-trunk 40
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.16.10.0 0.0.0.255
network 172.16.50.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 172.16.10.1
ip route-static 0.0.0.0 0.0.0.0 172.16.10.2
#
return