华为防火墙USG6320
-
初始配置
-
安全策略配置
-
防火墙功能配置
-
高可用性配置
-
维护和管理
-
附加配置
1. 初始配置
-
登录防火墙
telnet 192.168.1.1
-
配置防火墙 IP 地址、子网掩码和网关
system-interface eth1ip address 192.168.1.1 255.255.255.0gateway 192.168.1.254system-interface eth2ip address 192.168.2.1 255.255.255.0gateway 192.168.2.254
-
配置管理口 IP 地址和访问策略
system-management interface eth0 ip address 192.168.0.1 255.255.255.0security-policy rule management-access source-zone trust destination-zone untrust service http action permit-
配置时间同步
system-ntp server 0.us.pool.ntp.org
-
配置用户和授权
user adminpassword Admin123role administratoruser user1password User123role user
2. 安全策略配置
-
配置安全区域
security-zone trust interface eth1security-zone untrust interface eth2-
配置安全策略
rule inter-vlan-access source-zone trust destination-zone untrust service any action permitsecurity-policy rule deny-all source-zone untrust destination-zone trust service any action deny-
配置 NAT 策略
nat-policy rule outbound-natsource-zone trustdestination-zone untrustservice anyoutbound-interface eth2translation-type source-nat
3. 防火墙功能配置
-
配置入侵防御 (IPS)
security-ips enable
-
配置防病毒 (AV)
security-av enable
-
配置内容过滤
security-content-filtering enable
-
配置应用控制
security-application-control enable-
配置 VPN
vpn ipsec site-to-site tunnel my-tunnellocal-gateway 192.168.1.1local-interface eth1remote-gateway 192.168.2.1remote-interface eth2pre-shared-key my-secret-key
4. 高可用性配置
-
配置主备互联
ha-cluster enable
-
配置负载均衡
ha-load-balance enable5. 维护和管理
-
配置日志记录和审计
system-log local-log level information-
配置固件升级
system-upgrade firmware image-url http://192.168.1.10/firmware.bin-
配置备份和恢复
system-backup configurationfilename backup.cfg
6. 附加配置
-
配置防火墙模式 -
单臂防火墙:
trust interface eth1 interface eth2security-policy rule inter-vlan-access source-zone trust destination-zone trust service any action permitsecurity-policy rule deny-all source-zone untrust destination-zone trust service any action deny-
双臂防火墙:
trust interface eth1security-zone untrust interface eth2security-policy rule inter-vlan-access source-zone trust destination-zone untrust service any action permitsecurity-policy rule deny-all source-zone untrust destination-zone trust service-
配置 DoS 攻击防护
security-dos enable
-
配置端口转发
nat-policy rule port-forwardingsource-zone trustdestination-zone untrustservice tcpdestination-port 80translated-port 8080outbound-interface eth2translation-type destination-nat
IDS/IPS
-
配置攻击检测策略
security-ips policy default action drop log enable-
配置异常行为检测
security-ips anomaly-detection enable
-
配置 URL 过滤
url-filtering enable category social-networking action deny-
配置关键字过滤
security-content-filtering keyword-filtering enablekeyword gamblingaction deny
应用控制
-
配置应用识别
security-application-control application-identification enable
-
配置应用策略
security-application-control policy defaultaction permitlog enable
VPN
-
配置 L2TP VPN
vpn l2tp tunnel my-tunnel local-gateway 192.168.1.1 local-interface eth1 remote-gateway 192.168.2.1 remote-interface eth2 pre-shared-key my-secret-key-
配置 SSL VPN
vpn ssl tunnel my-tunnellocal-gateway 192.168.1.1local-interface eth1remote-gateway 192.168.2.1remote-interface eth2pre-shared-key my-secret-key
高可用性
-
配置主备互联模式
ha-cluster mode active-active
-
配置负载均衡模式
ha-load-balance mode round-robin维护和管理
-
配置 SNMP
system-snmp enable community public-
配置 TACACS+
system-tacacs-plus enableserver 192.168.1.10secret my-secret-key
原文始发于微信公众号(技术修道场):华为防火墙配置指引(包含安全配置部分)以USG6320为例
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论