ENSP firewall basic policy (web, ssh login)


Learning Content:

1. WEB login: the USG6000V already ships with the web management files, so there is no need to obtain them from the manufacturer.

Purpose of the experiment: log in to the virtual firewall's web interface from a browser on the host machine.

1. Start the device and enter the configuration interface. The firewall's default administrator account and password are admin/Admin@123; the configuration is as follows:

Username:
Username:admin  #enter the username
Password:Admin@123  #enter the password
The password needs to be changed. Change now? [Y/N]: y  #confirm the change
Please enter old password: Admin@123  #old password
Please enter new password: admin@123  #new password
Please confirm new password:admin@123  #confirm the new password again
Info: Your password has been changed. Save the change to survive a reboot. 
*************************************************************************
*         Copyright (C) 2014-2018 Huawei Technologies Co., Ltd.         *
*                           All rights reserved.                        *
*               Without the owner's prior written consent,              *
*        no decompiling or reverse-engineering shall be allowed.        *
*************************************************************************

language-mode Chinese   #switch the CLI prompt language to Chinese
Change language mode, confirm? [Y/N] y  #confirm
提示:改变语言模式成功。 
sy  #system-view (abbreviated)
sys FW1  #sysname FW1 (abbreviated)
[FW1]int g0/0/0
[FW1-GigabitEthernet0/0/0]ip add 10.1.1.3 24  #change the interface address; the management port's default address is 192.168.0.1 24
[FW1-GigabitEthernet0/0/0]service-manage all permit  #permit all management services on the management port
[FW1-GigabitEthernet0/0/0]dis th  #show the interface's current configuration
2022年08月09日 00:40:18.300 
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 10.1.1.3 255.255.255.0
 alias GE0/METH
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
The output shows that all management services are now permitted on this interface.

Configure the security policy:
[FW1]security-policy  #enter the security-policy view
[FW1-policy-security]rule name WEB  #name the rule WEB
[FW1-policy-security-rule-WEB]source-zone trust  #source zone
[FW1-policy-security-rule-WEB]destination-zone local  #destination zone (the firewall itself)
[FW1-policy-security-rule-WEB]source-address 10.1.1.1 mask 255.255.255.255  #source address
[FW1-policy-security-rule-WEB]action permit  #permit

Host test: ping the firewall management port address 10.1.1.3 from the host machine; the test passes!

Web login: open 10.1.1.3 in a browser and the firewall's web login page appears. Enter the configured account and password (admin/admin@123) to reach the firewall configuration page. Security policies can also be configured from the web page, as shown in the picture:


2. SSH configuration:

Experiment purpose: use the CRT tool on the host machine to access the firewall FW1 over SSH.

Introduction to SSH: SSH is a network protocol that provides encrypted communication between two computers. It uses the server-client model: the client is the side that sends requests to the server, and the server is the side that receives and services those requests.

The configuration is as follows:

[FW1]rsa local-key-pair create  #create the RSA key pair
The key name will be: FW1_Host
The range of public key size is (2048 ~ 2048). 
NOTES: If the key modulus is greater than 512, 
       it will take a few minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
..+++++
........................++
....++++
...........++
[FW1]user-interface vty 0 4  #enter the VTY 0-4 user interface view
[FW1-ui-vty0-4]authentication-mode aaa  #authenticate through AAA
[FW1-ui-vty0-4]protocol inbound ssh  #only allow SSH inbound

[FW1]ssh user ssh  #designate ssh as an SSH user
[FW1]ssh user ssh authentication-type password  #authentication method: password
[FW1]ssh user ssh service-type stelnet  #service type: stelnet
[FW1]aaa  #enter the AAA view
[FW1-aaa]manager-user ssh  #create the local administrator user ssh
[FW1-aaa-manager-user-ssh]password cipher admin@123  #set the password
[FW1-aaa-manager-user-ssh]service-type ssh  #service type: ssh
[FW1-aaa-manager-user-ssh]level 15  #administrator privilege level 15

[FW1]stelnet server enable  #enable the SSH (stelnet) server

Host test: use CRT to check whether it can connect to FW1:

As shown in the picture: CRT connects to FW1 successfully.

Summary

  • By default, the USG6000 series firewall has no security policy and all inter-zone traffic is denied. In other words, any access between zones, whatever the service, requires a security policy; only traffic within a single zone is forwarded without one.
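As an added example that is not part of the original post, the following Python script audits the kind of configuration shown above: it parses a constructed copy of the GE0/0/0 "display this" output and the WEB security-policy rule, flags the cleartext management services (HTTP, Telnet, SNMP) that "service-manage all permit" turned on alongside SSH and HTTPS, and checks that every rule permitting traffic to the local zone is restricted by source address.

```python
import re

# Constructed sample mirroring this post's GE0/0/0 'display this' output and WEB rule.
CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 10.1.1.3 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
security-policy
 rule name WEB
  source-zone trust
  destination-zone local
  source-address 10.1.1.1 mask 255.255.255.255
  action permit
"""

# Management services that send credentials or data unencrypted.
CLEARTEXT = {"http", "telnet", "snmp"}

def permitted_services(config):
    """Services permitted by 'service-manage <svc> permit' lines."""
    return set(re.findall(r"^\s*service-manage (\S+) permit\b", config, re.M))

def cleartext_services(config):
    """Permitted services that should be replaced by ssh/https or disabled."""
    return permitted_services(config) & CLEARTEXT

def local_rules(config):
    """Parse security-policy rules whose destination-zone is local (the firewall itself)."""
    rules = []
    for block in re.split(r"^\s*rule name ", config, flags=re.M)[1:]:
        name, *body = block.splitlines()
        fields = {}
        for line in body:
            parts = line.strip().split(" ", 1)
            if len(parts) == 2:  # skip '#' separators and bare keywords
                fields[parts[0]] = parts[1]
        if fields.get("destination-zone") == "local":
            rules.append({"name": name.strip(), **fields})
    return rules

def unrestricted_local_rules(config):
    """Names of permit-to-local rules that lack a source-address restriction."""
    return [r["name"] for r in local_rules(config)
            if r.get("action") == "permit" and "source-address" not in r]
```

On the post's configuration the audit reports http, snmp and telnet as cleartext services and no unrestricted permit-to-local rule, since WEB is pinned to 10.1.1.1.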

Origin blog.csdn.net/m0_63775189/article/details/126239914