Firewall Security Policy

Published: 2025-02-10 ⋅ Reads: 109 ⋅ Likes: 0


I. Topology and requirements

II. Requirements analysis

1. VLAN 2 is the office area; VLAN 3 is the production area.

VLAN 2: contains PC1 and PC2, with IP addresses 192.168.1.1 and 192.168.1.129 respectively.

VLAN 3: production area, contains PC3, with IP address 192.168.1.130.

The remaining points are completed step by step by defining address sets, then time ranges, and finally creating the security policies:

2. Office-area PCs can access the OA Server during working hours (Monday to Friday, 08:00 to 18:00); access is not allowed at other times.
3. Office-area PCs can access the Web Server at any time.
4. Production-area PCs can access the OA Server at any time, but cannot access the Web Server.
5. Exception: production-area PC3 can access the Web Server every Monday from 10:00 to 11:00 to update the company's latest product information.

(To make policy 5 effective, it must be placed before policy 4, since the firewall matches rules top-down and stops at the first hit.)

III. Configuration details

Firewall:

g1/0/0:

[FW1-GigabitEthernet1/0/0]ip address 10.0.0.254 24

Sub-interfaces (g1/0/1.1, g1/0/1.2):

1.
[FW1-GigabitEthernet1/0/0]interface g1/0/1.1
[FW1-GigabitEthernet1/0/1.1]ip address 192.168.1.126 25

# belongs to VLAN 2 (office area)
[FW1-GigabitEthernet1/0/1.1]vlan-type dot1q 2
2.
[FW1-GigabitEthernet1/0/1.1]interface g1/0/1.2
[FW1-GigabitEthernet1/0/1.2]ip address 192.168.1.254 25

# belongs to VLAN 3 (production area)
[FW1-GigabitEthernet1/0/1.2]vlan-type dot1q 3

FW1 routing table:

OA server:

Web Server:

PC1:

PC2:

PC3:

Configuring security zones:

# dmz zone:
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface g1/0/0

# trust zone:
[FW1-zone-dmz]firewall zone trust
[FW1-zone-trust]add interface g1/0/1.1
[FW1-zone-trust]add interface g1/0/1.2

Viewing the security zones:

Switch:

[Huawei]vlan batch 2 3
[Huawei]interface g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 2

[Huawei]interface g0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 3

[Huawei-GigabitEthernet0/0/3]interface g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 3

# uplink to the firewall carries both VLANs
[Huawei-GigabitEthernet0/0/4]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3

IV. Implementing and testing the requirements:

1. Office-area PCs can access the OA Server during working hours (Monday to Friday, 08:00 to 18:00); access is not allowed at other times.

# Addresses:
[FW1]ip address-set BG type object
[FW1-object-address-set-BG]address 192.168.1.0 mask 25

[FW1-object-address-set-BG]ip address-set OA type object
[FW1-object-address-set-OA]address 10.0.0.1 mask 32

# Time range:
[FW1]time-range working-time
[FW1-time-range-working-time]period-range 08:00:00 to 18:00:00 working-day

# Create the security policy (the time-range binds the rule to working hours):
[FW1]security-policy
[FW1-policy-security]rule name policy_1
[FW1-policy-security-rule-policy_1]description BG_to_OA
[FW1-policy-security-rule-policy_1]source-zone trust
[FW1-policy-security-rule-policy_1]destination-zone dmz
[FW1-policy-security-rule-policy_1]source-address address-set BG
[FW1-policy-security-rule-policy_1]destination-address address-set OA
[FW1-policy-security-rule-policy_1]time-range working-time
[FW1-policy-security-rule-policy_1]action permit

Test:

Working day:

Non-working day:

2. Office-area PCs can access the Web Server at any time.

[FW1]ip address-set web_server type object
[FW1-object-address-set-web_server]address 10.0.0.2 mask 32

# No time-range is bound, so the rule applies at any time by default.

[FW1]security-policy
[FW1-policy-security]rule name policy_2
[FW1-policy-security-rule-policy_2]description BG_to_Web
[FW1-policy-security-rule-policy_2]source-zone trust
[FW1-policy-security-rule-policy_2]destination-zone dmz
[FW1-policy-security-rule-policy_2]source-address address-set BG
[FW1-policy-security-rule-policy_2]destination-address address-set web_server
[FW1-policy-security-rule-policy_2]action permit

Test:

3. Production-area PCs can access the OA Server at any time, but cannot access the Web Server.

[FW1]ip address-set SC type object
[FW1-object-address-set-SC]address 192.168.1.128 mask 25

# Production area may access OA at any time
[FW1]security-policy
[FW1-policy-security]rule name policy_3
[FW1-policy-security-rule-policy_3]description SC_to_OA
[FW1-policy-security-rule-policy_3]source-zone trust
[FW1-policy-security-rule-policy_3]destination-zone dmz
[FW1-policy-security-rule-policy_3]source-address address-set SC
[FW1-policy-security-rule-policy_3]destination-address address-set OA
[FW1-policy-security-rule-policy_3]action permit

# Production area must not access Web
[FW1]security-policy
[FW1-policy-security]rule name policy_4
[FW1-policy-security-rule-policy_4]description SC_notvisit_Web
[FW1-policy-security-rule-policy_4]source-zone trust
[FW1-policy-security-rule-policy_4]destination-zone dmz
[FW1-policy-security-rule-policy_4]source-address address-set SC
[FW1-policy-security-rule-policy_4]destination-address address-set web_server
[FW1-policy-security-rule-policy_4]action deny

Test:

Can access the OA Server:

Cannot access the Web Server:

4. Exception: production-area PC3 can access the Web Server every Monday from 10:00 to 11:00 to update the company's latest product information.

[FW1]ip address-set SC3 type object
[FW1-object-address-set-SC3]address 192.168.1.130 mask 32
[FW1]time-range visit
[FW1-time-range-visit]period-range 10:00:00 to 11:00:00 Mon

[FW1]security-policy
[FW1-policy-security]rule name policy_5
[FW1-policy-security-rule-policy_5]description SC3_visit_Web
[FW1-policy-security-rule-policy_5]source-zone trust
[FW1-policy-security-rule-policy_5]destination-zone dmz
[FW1-policy-security-rule-policy_5]source-address address-set SC3
[FW1-policy-security-rule-policy_5]destination-address address-set web_server
[FW1-policy-security-rule-policy_5]time-range visit
[FW1-policy-security-rule-policy_5]action permit

To make policy 5 effective, it must be placed before policy 4; otherwise the broader deny in policy_4 matches PC3's traffic first and policy_5 is never reached:

[FW1-policy-security]rule move policy_5 before policy_4
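As an added illustration (not part of the original post), the following Python model evaluates the five rules above with first-match semantics, including both time-ranges, and shows why policy_5 must be moved before policy_4. The `move_before` helper, the `lookup` function and the simplified matching logic are my own and only approximate the firewall's behaviour; zones are omitted because every rule here is trust -> dmz.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network
# Address sets exactly as defined in the post. All five rules are trust -> dmz,
# so zones are left out of this simplified model.
ADDRESS_SETS = {
    "BG": ip_network("192.168.1.0/25"),      # office area, VLAN 2
    "SC": ip_network("192.168.1.128/25"),    # production area, VLAN 3
    "SC3": ip_network("192.168.1.130/32"),   # PC3 only
    "OA": ip_network("10.0.0.1/32"),
    "web_server": ip_network("10.0.0.2/32"),
}
# time-range name -> (weekdays, start, end); Monday == 0
TIME_RANGES = {
    "working-time": ({0, 1, 2, 3, 4}, time(8), time(18)),  # working-day 08:00-18:00
    "visit": ({0}, time(10), time(11)),                   # Mon 10:00-11:00
}

def in_time_range(name, when):
    if name is None:  # rule has no time-range bound: always active
        return True
    days, start, end = TIME_RANGES[name]
    return when.weekday() in days and start <= when.time() <= end

def rule(name, src, dst, action, time_range=None):
    return {"name": name, "src": src, "dst": dst, "action": action, "time": time_range}
# Rules in the order the post creates them, i.e. before the "rule move".
CONFIGURED = [
    rule("policy_1", "BG", "OA", "permit", "working-time"),
    rule("policy_2", "BG", "web_server", "permit"),
    rule("policy_3", "SC", "OA", "permit"),
    rule("policy_4", "SC", "web_server", "deny"),
    rule("policy_5", "SC3", "web_server", "permit", "visit"),
]

def move_before(policy, name, before):
    """Mirror of 'rule move <name> before <before>': returns the reordered list."""
    moved = next(r for r in policy if r["name"] == name)
    rest = [r for r in policy if r["name"] != name]
    idx = next(i for i, r in enumerate(rest) if r["name"] == before)
    return rest[:idx] + [moved] + rest[idx:]
POLICY = move_before(CONFIGURED, "policy_5", "policy_4")

def lookup(policy, src_ip, dst_ip, when_iso):
    """First-match evaluation: (rule name, action), else the implicit default deny."""
    src, dst, when = ip_address(src_ip), ip_address(dst_ip), datetime.fromisoformat(when_iso)
    for r in policy:
        if (src in ADDRESS_SETS[r["src"]] and dst in ADDRESS_SETS[r["dst"]]
                and in_time_range(r["time"], when)):
            return r["name"], r["action"]
    return "default", "deny"
```

Evaluating PC3 -> Web Server on a Monday at 10:30 against CONFIGURED returns policy_4/deny, while the same lookup against POLICY returns policy_5/permit, which is exactly what the "rule move" fixes.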

Test (Monday, 10:00):

Session table:

server-map table:

V. Web interface (all interfaces and security policies can also be configured through the web interface)

Network interfaces:

(e.g. g0/0/0)

Security policy table:

(e.g. policy_1)
