ensp安全策略实验

一、拓扑图和要求

二、接口设置

g1/0/0

新增子接口

g1/0/1.1

g1/0/1.2

命令行

[USG6000V1]int g 1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 10.0.0.254 255.255.255.0
[USG6000V1-GigabitEthernet1/0/0]firewall zone dmz
[USG6000V1-zone-dmz]add interface GigabitEthernet 1/0/0

[USG6000V1]int gi 1/0/1.1
[USG6000V1-GigabitEthernet1/0/1.1]vlan-type dot1q 2
[USG6000V1-GigabitEthernet1/0/1.1]ip address 192.168.1.126 255.255.255.128
[USG6000V1-GigabitEthernet1/0/1.1]alias g1/0/1.1
[USG6000V1-GigabitEthernet1/0/1.1]service-manage ping permit 

[USG6000V1]int  gi1/0/1.2
[USG6000V1-GigabitEthernet1/0/1.2]vlan-type dot1q 3
[USG6000V1-GigabitEthernet1/0/1.2]alias gi1/0/1.2
[USG6000V1-GigabitEthernet1/0/1.2]service-manage ping permit 

[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface gi1/0/1.1
[USG6000V1-zone-trust]add interface gi1/0/1.2

测试

安全策略

2、办公区pc在工作日时间(周一至周五，早8到晚6)可以正常访问OA Server,其他时间不允许

建立新安全策略并添加源/目的地址

命令行

[USG6000V1]ip address-set BG type object     
[USG6000V1-object-address-set-BG]address 192.168.1.0 mask 25    
[USG6000V1]ip address-set OA type object
[USG6000V1-object-address-set-OA]address 10.0.0.1 mask 32
 
[USG6000V1]time-range working-time     
[USG6000V1-time-range-working-time]period-range 08:00:00 to 18:00:00 working-day 
 
创建安全策略
[USG6000V1]security-policy  
[USG6000V1-policy-security]rule name policy_1   
[USG6000V1-policy-security-rule-policy_1]description BG to OA  
[USG6000V1-policy-security-rule-policy_1]source-zone trust
[USG6000V1-policy-security-rule-policy_1]destination-zone dmz 
[USG6000V1-policy-security-rule-policy_1]source-address address-set BG 
[USG6000V1-policy-security-rule-policy_1]destination-address address-set OA 
[USG6000V1-policy-security-rule-policy_1]time-range working-time
[USG6000V1-policy-security-rule-policy_1]action permit 

测试

• 时间为2025/7/31 15：30（周四）
  

• 时间为2025/7/31 20：30（周四）
  

3、办公区pc可以在任意时刻访问Web Server

安全策略

命令行

[USG6000V1]ip address-set Web type object 
[USG6000V1-object-address-set-Web]address 10.0.0.2 mask 32
 
[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name policy_2
[USG6000V1-policy-security-rule-policy_2]description BG to Web
[USG6000V1-policy-security-rule-policy_2]source-zone trust 
[USG6000V1-policy-security-rule-policy_2]destination-zone dmz 
[USG6000V1-policy-security-rule-policy_2]source-address address-set BG 
[USG6000V1-policy-security-rule-policy_2]destination-address address-set Web 
[USG6000V1-policy-security-rule-policy_2]action permit 

测试

• 时间为2025/7/31 15：30（周四）
  

• 时间为2025/7/31 20：30（周四）
  

4、生产区pc 可以在任意时刻访问OA Server,但是不能访问Web Server

安全策略

命令行

[USG6000V1]ip address-set SC type object 
[USG6000V1-object-address-set-Web]address 192.168.1.128 mask 25
 
[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name policy_3
[USG6000V1-policy-security-rule-policy_2]description SC to OA
[USG6000V1-policy-security-rule-policy_2]source-zone trust 
[USG6000V1-policy-security-rule-policy_2]destination-zone dmz 
[USG6000V1-policy-security-rule-policy_2]source-address address-set SC 
[USG6000V1-policy-security-rule-policy_2]destination-address address-set OA 
[USG6000V1-policy-security-rule-policy_2]action permit 

测试

• ping OA
  

• ping Web
  

5、特例：生产区pc3可以在每周一早10到早11访问Web Server,用来更新企业最新产品信息

安全策略

命令行

[USG6000V1]time-range update_time
[USG6000V1-time-range-update_time]period-range 10:00:00 to 11:00:00 Mon 
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy_4
[USG6000V1-policy-security-rule-policy_4]description SC_update
[USG6000V1-policy-security-rule-policy_4]source-zone trust 
[USG6000V1-policy-security-rule-policy_4]destination-zone dmz 
[USG6000V1-policy-security-rule-policy_4]source-address 192.168.1.130  32
[USG6000V1-policy-security-rule-policy_4]destination-address address-set Web 
[USG6000V1-policy-security-rule-policy_4]time-range update_time
[USG6000V1-policy-security-rule-policy_4]action permit 

测试

• 时间为2025/7/31 15：30（周四）
  

• 时间为2025/8/4 10:15 （周一）