eNSP firewall task configuration

web page login configuration

Topology

Cloud1 configuration: bind the cloud device to a host network adapter (I chose the WLAN adapter) so the host can reach the firewall.

<USG6000V1>sys   # enter the system view
[USG6000V1]sys NGFW   # set the device name
[NGFW]dis ip int brief   # show each interface's IP address and status
[NGFW]int g0/0/0    # enter interface GE0/0/0
[NGFW-GigabitEthernet0/0/0]ip add 172.89.209.137 24  # configure the IP address on the interface
[NGFW-GigabitEthernet0/0/0]service-manage all permit  # permit all management services (HTTPS, ping, SSH, ...) on this interface; required for web login
[NGFW-GigabitEthernet0/0/0]dis ip int brief

Use the PING command on the host (ping 172.89.209.137) to verify reachability.

Log in to the web UI; the requirement is met.

IP address-based forwarding strategy

Expansion diagram:

Step 1: Configure the IP addresses of each interface of the firewall

[USG6000V1-GigabitEthernet1/0/1]int  g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address   192.168.5.1 24
[USG6000V1-GigabitEthernet1/0/0]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address  1.1.1.1  24
[USG6000V1-GigabitEthernet1/0/1]q

Step 2: Add the GE 1/0/0 interface of the firewall to the Trust zone

[USG6000V1]firewall zone trust    # enter the trust zone
[USG6000V1-zone-trust]add int g1/0/0
[USG6000V1-zone-trust]q

Step 3: Add the GE 1/0/1 interface of the firewall to the Untrust zone 

[USG6000V1]firewall zone untrust    # enter the untrust zone
[USG6000V1-zone-untrust]add int g1/0/1
[USG6000V1-zone-untrust]q

Configure the address set of ip_deny

[USG6000V1]ip address-set ip_deny type object

Add IP addresses that are not allowed to pass through the firewall to the ip_deny address set

[USG6000V1-object-address-set-ip_deny]address 192.168.5.2  0
[USG6000V1-object-address-set-ip_deny]address 192.168.5.3  0
[USG6000V1-object-address-set-ip_deny]address 192.168.5.6  0
[USG6000V1-object-address-set-ip_deny]q

Create a policy that does not allow IP forwarding through the firewall

[USG6000V1]security-policy  // enter the security policy view
[USG6000V1-policy-security]rule   name   policy_deny
[USG6000V1-policy-security-rule-policy_deny]source-address  address-set   ip_deny
[USG6000V1-policy-security-rule-policy_deny]action   deny
[USG6000V1-policy-security-rule-policy_deny]q

Create a forwarding policy that allows the remaining IP addresses in the network segment 192.168.5.0/24 to pass through the firewall. Security policy rules are matched top-down, so this permit rule must come after policy_deny.

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy_permit
[USG6000V1-policy-security-rule-policy_permit]source-address 192.168.5.0 24
[USG6000V1-policy-security-rule-policy_permit]action permit
[USG6000V1-policy-security-rule-policy_permit]q
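As an added illustration (not part of the original post), a small Python model of how the USG evaluates these two rules: the security policy is walked top-down and the first matching rule wins, so policy_deny must sit before policy_permit or it never fires. The rule names, address set and networks come from the configuration above; the matching logic is a deliberate simplification (source address only, no zone, destination or service matching) and the implicit default action is assumed to be deny.

```python
import ipaddress

# Address set ip_deny from the lab (the "0" wildcard in the CLI means a single host).
IP_DENY = ["192.168.5.2/32", "192.168.5.3/32", "192.168.5.6/32"]

# Rules in the order they were configured on the firewall.
POLICY = [
    {"name": "policy_deny", "source": IP_DENY, "action": "deny"},
    {"name": "policy_permit", "source": ["192.168.5.0/24"], "action": "permit"},
]


def match(policy, src_ip, default="deny"):
    """Return (rule_name, action) for the first rule whose source matches src_ip.

    Falls back to the firewall's implicit default action (assumed deny) when nothing matches.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        if any(ip in ipaddress.ip_network(net) for net in rule["source"]):
            return rule["name"], rule["action"]
    return "default", default


def shadowed_rules(policy):
    """Names of rules that can never match because every network they cover is
    already fully covered by an earlier rule (the 'permit before deny' mistake)."""
    shadowed = []
    for i, rule in enumerate(policy):
        earlier = [ipaddress.ip_network(n) for r in policy[:i] for n in r["source"]]
        covered = all(
            any(ipaddress.ip_network(n).subnet_of(e) for e in earlier) for n in rule["source"]
        )
        if earlier and covered:
            shadowed.append(rule["name"])
    return shadowed
```

Running `shadowed_rules` on the rules in reversed order reports policy_deny as unreachable, which is the misconfiguration to check for when the permit rule is created first.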

Dual-machine hot standby technology experiment

Firewall 1

Configuration steps -CLI

① Complete the configuration of the uplink and downlink service interfaces of USG6330-1: configure the IP address of each interface and add it to the corresponding security zone.

<USG6000V1>sys
[USG6000V1]int G1/0/1
[USG6000V1-GigabitEthernet1/0/1] ip add 10.1.2.1 255.255.255.0
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]int G1/0/4
[USG6000V1-GigabitEthernet1/0/4] ip add 40.1.1.1 255.255.255.0 
[USG6000V1-GigabitEthernet1/0/4]q
[USG6000V1] firewall zone trust
[USG6000V1-zone-trust]add interface G1/0/1
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface G1/0/4
[USG6000V1-zone-untrust]q

② Configure backup group 1 of interface G1/0/4 and add it to the VGMP management group with active status

[USG6000V1]int G1/0/4
[USG6000V1-GigabitEthernet1/0/4]vrrp vrid 1 virtual-ip 2.2.2.1 255.255.255.0 active
[USG6000V1-GigabitEthernet1/0/4]q

③ Configure VRRP backup group 2 for interface GigabitEthernet 1/0/1 and add it to the VGMP management group with Active status.

[USG6000V1]int G1/0/1
[USG6000V1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.1.2.3 24 active
[USG6000V1-GigabitEthernet1/0/1]q

④ Complete the heartbeat link configuration of USG6330-1 and configure the IP address of GigabitEthernet1/0/3.

[USG6000V1]int G1/0/3
[USG6000V1-GigabitEthernet1/0/3]ip address 30.1.1.1 255.255.255.0
[USG6000V1-GigabitEthernet1/0/3]q

⑤ Configure GigabitEthernet1/0/3 to join the DMZ zone.

[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface G1/0/3
[USG6000V1-zone-dmz]q

Specify G1/0/3 as the heartbeat port, with the peer's heartbeat address as the remote end:

[USG6000V1]hrp interface G1/0/3  remote 30.1.1.2

⑥ Configure the inter-zone forwarding policy for the Trust zone and the Untrust zone

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy_sec
[USG6000V1-policy-security-rule-policy_sec]source-zone trust
[USG6000V1-policy-security-rule-policy_sec]action permit
[USG6000V1-policy-security-rule-policy_sec]q
[USG6000V1-policy-security]q

⑦ Enable the HRP backup function

[USG6000V1]hrp enable

Firewall 2 is configured with the same steps, changing the corresponding interface addresses and the heartbeat remote address accordingly.

Firewall Layer 2 and Layer 3 Communication

Experimental requirements:

1. 6 PCs communicate with each other

  1. The firewall utilizes the three-layer vlanif communication function
  2. PC5 and PC6 realize intercommunication through single-arm routing technology
  3. The firewall divides 6 new zones and applies them

Experimental configuration:

On the firewall:

Step 1: Implement Layer 2 communication (interface communication from 1/0/0 to 1/0/4)

Firewall configuration

1. Create vlan

vlan batch 10 20 30 40

2. The interfaces allow VLAN communication

interface GigabitEthernet1/0/1
 portswitch
 undo shutdown
 port link-type access
 port default vlan 40
#
interface GigabitEthernet1/0/2
 portswitch
 undo shutdown
 port link-type access
 port default vlan 30
#
interface GigabitEthernet1/0/3
 portswitch
 undo shutdown
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/4
 portswitch
 undo shutdown
 port link-type access
 port default vlan 20

interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
#
interface Vlanif40
 ip address 192.168.40.1 255.255.255.0
#

Step 2. Implement three-layer communication (single-arm routing)

1. Create sub-interface

interface GigabitEthernet1/0/0.1
 vlan-type dot1q 60
 ip address 192.168.60.1 255.255.255.0
#
interface GigabitEthernet1/0/0.2
 vlan-type dot1q 55
 ip address 192.168.55.1 255.255.255.0
#

Step 3. Add the interfaces to a zone (note that only the Layer 3 interfaces, the Vlanif interfaces and the sub-interfaces, are added to the zone, not the Layer 2 switch ports)

firewall zone trust
 add interface Vlanif10
 add interface Vlanif20
 add interface Vlanif30
 add interface Vlanif40
 add interface GigabitEthernet1/0/0.1
 add interface GigabitEthernet1/0/0.2
#

Switch configuration

1. Create vlan

vlan batch 55 60
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 55 60
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 55
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 60
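As an added example (not part of the original post), a Python checker for the two consistency points this step depends on: the VLAN IDs tagged by the firewall's dot1q sub-interfaces must all be allowed on the switch trunk, and every Layer 3 interface must be added to a firewall zone. The config excerpts are constructed from the lab configs above, with GigabitEthernet1/0/0.2 deliberately left out of the zone so the check has something to report; the parser handles only the plain VRP block layout shown here.

```python
import re
# Constructed excerpt of the firewall and switch configs; 1/0/0.2 is left out of the zone on purpose.
FW_CFG = """
interface GigabitEthernet1/0/0.1
 vlan-type dot1q 60
 ip address 192.168.60.1 255.255.255.0
#
interface GigabitEthernet1/0/0.2
 vlan-type dot1q 55
 ip address 192.168.55.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet1/0/0.1
#
"""
SW_CFG = """
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 55 60
#
"""
def blocks(cfg):
    """Split a VRP-style config into {header: [stripped body lines]}; '#' closes a block."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("#") or not line.strip():
            cur = None
        elif not line.startswith(" "):
            cur = line.strip()
            out[cur] = []
        elif cur is not None:
            out[cur].append(line.strip())
    return out
def dot1q_vlans(fw_cfg):
    """VLAN IDs tagged by the firewall's dot1q sub-interfaces."""
    return {int(m.group(1)) for body in blocks(fw_cfg).values()
            for l in body if (m := re.match(r"vlan-type dot1q (\d+)", l))}
def trunk_vlans(sw_cfg):
    """VLAN IDs allowed on the switch trunk ports (plain lists only, no 'x to y' ranges)."""
    return {int(v) for body in blocks(sw_cfg).values() if "port link-type trunk" in body
            for l in body if l.startswith("port trunk allow-pass vlan") for v in l.split()[4:]}
def l3_without_zone(fw_cfg):
    """Layer 3 interfaces (ones carrying an ip address) not added to any firewall zone."""
    b = blocks(fw_cfg)
    l3 = {h.split(" ", 1)[1] for h, body in b.items()
          if h.startswith("interface ") and any(l.startswith("ip address") for l in body)}
    zoned = {l.split(" ", 2)[2] for h, body in b.items()
             if h.startswith("firewall zone") for l in body if l.startswith("add interface")}
    return sorted(l3 - zoned)
```

`dot1q_vlans(FW_CFG) - trunk_vlans(SW_CFG)` being empty confirms the trunk carries VLANs 55 and 60; an interface reported by `l3_without_zone` will have its traffic dropped by the firewall until it is added to a zone.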

Test Results

Origin blog.csdn.net/m0_64118193/article/details/127369443