Firewall Security Policy Configuration: Classroom Lab

I. Lab Topology

II. Lab Requirements

1. VLAN 2 is the office area; VLAN 3 is the production area
2. Office-area PCs may access the OA Server during working hours (Monday to Friday, 08:00 to 18:00) and are denied at all other times
3. Office-area PCs may access the Web Server at any time
4. Production-area PCs may access the OA Server at any time but must not access the Web Server
5. Exception: production-area PC3 may access the Web Server every Monday from 10:00 to 11:00 to update the company's latest product information

III. Requirements Analysis

1. From the topology and the lab requirements, the DMZ zone contains two modules, the OA Server and the Web Server. The Trust zone contains VLAN 2 (office area) and VLAN 3 (production area), using the address range 192.168.1.0/24. The office area has PC1; the production area has PC2 and PC3.

2. The second requirement restricts access to the OA Server by time: only Monday to Friday, 08:00 to 18:00. This is an access-control requirement based on both time and zone, implemented by configuring a time range and a security policy on the firewall.

3. Office-area PCs may access the Web Server at any time.

4. Production-area PCs may access the OA Server at any time but not the Web Server. This is VLAN 3's access requirement toward the OA Server and the Web Server: configure security policies on the firewall that permit the production area to reach the OA Server and deny it access to the Web Server.

5. Exception: production-area PC3 (192.168.1.130) may access the Web Server every Monday from 10:00 to 11:00 to update the company's latest product information. This is a special access requirement for PC3 alone; it needs a security policy on the firewall matched on both time (a specific period every Monday) and a specific source IP (PC3's address).

IV. Configuration Details

1. Server and PC IP configuration

2. Firewall interface IPs

(1) Web UI configuration

(2) Command-line configuration

① Firewall   g1/0/0
<FW1>sys	
<FW1>system-view 
Enter system view, return user view with Ctrl+Z.
[FW1]interface GigabitEthernet1/0/0
[FW1-GigabitEthernet1/0/0]ip address 10.0.0.254 255.255.255.0
Error: The address already exists.
[FW1-GigabitEthernet1/0/0]
② Subinterface  g1/0/1.1
[FW1-GigabitEthernet1/0/0]interface GigabitEthernet1/0/1.1
[FW1-GigabitEthernet1/0/1.1]vlan-type dot1q 2    # belongs to VLAN 2 (office area)
Error: Failed to add the VLAN ID because the VLAN ID 2 has already been configur
ed on GigabitEthernet1/0/1.1.
[FW1-GigabitEthernet1/0/1.1]ip address 192.168.1.126 255.255.255.128
Error: The address already exists.
[FW1-GigabitEthernet1/0/1.1]alias GE1/0/1.1
[FW1-GigabitEthernet1/0/1.1]
Feb  5 2025 14:10:46 FW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3
.1 configurations have been changed. The current change number is 4, the change 
loop count is 0, and the maximum number of records is 4095.
[FW1-GigabitEthernet1/0/1.1]service-manage ping permit     # allow ping to the interface
[FW1-GigabitEthernet1/0/1.1]
③ Subinterface  g1/0/1.2
[FW1-GigabitEthernet1/0/1.1]interface GigabitEthernet1/0/1.2
[FW1-GigabitEthernet1/0/1.2]vlan-type dot1q 3    # belongs to VLAN 3 (production area)
Error: Failed to add the VLAN ID because the VLAN ID 3 has already been configur
ed on GigabitEthernet1/0/1.2.
[FW1-GigabitEthernet1/0/1.2]ip address 192.168.1.254 255.255.255.128
Error: The address already exists.
[FW1-GigabitEthernet1/0/1.2]alias GE1/0/1.2
[FW1-GigabitEthernet1/0/1.2]
Feb  5 2025 14:16:06 FW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3
.1 configurations have been changed. The current change number is 6, the change 
loop count is 0, and the maximum number of records is 4095.
[FW1-GigabitEthernet1/0/1.2]service-manage ping permit   # allow ping to the interface
[FW1-GigabitEthernet1/0/1.2]
④ Enter the security zone and assign the interfaces
[FW1-GigabitEthernet1/0/1.2]firewall zone trust
[FW1-zone-trust] add interface GigabitEthernet 1/0/1.1
 Error: The interface has been added to trust security zone. 
[FW1-zone-trust] add interface GigabitEthernet 1/0/1.2
 Error: The interface has been added to trust security zone. 
[FW1-zone-trust]
⑤ Check the security zones

⑥ Switch
<Huawei>
<Huawei>sys	
<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]vlan batch 2 3
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]interface g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 2
[Huawei-GigabitEthernet0/0/2]interface g0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 3
[Huawei-GigabitEthernet0/0/3]interface g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 3
[Huawei-GigabitEthernet0/0/4]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3

3. Testing

PC1

PC2

V. Configure Security Policies

1. Office-area PCs may access the OA Server during working hours (Monday to Friday, 08:00 to 18:00) and are denied at all other times

(1) Web UI configuration

① Create a security policy

② Create an address object

③ Confirm creation

④ View the policy list

(2) Command-line configuration

① Create the address object BG
<FW1>sys	
<FW1>system-view 
Enter system view, return user view with Ctrl+Z.
[FW1]ip address-set BG type object
[FW1-object-address-set-BG]address 192.168.1.0 mask 25
 Error: Address item conflicts!
[FW1-object-address-set-BG]ip address-set OA type object
[FW1-object-address-set-OA]address 10.0.0.1 mask 32
[FW1-object-address-set-OA]
② Set the time range
[FW1-object-address-set-OA]time-range working-time
[FW1-time-range-working-time]period-range 08:00:00 to 18:00:00 working-day
[FW1-time-range-working-time]
③ Create the security policy
[FW1-time-range-working-time]security-policy
[FW1-policy-security]rule name policy_1
[FW1-policy-security-rule-policy_1]description BG to OA
[FW1-policy-security-rule-policy_1]source-zone trust
[FW1-policy-security-rule-policy_1]destination-zone dmz
[FW1-policy-security-rule-policy_1]source-address address-set BG
[FW1-policy-security-rule-policy_1]destination-address address-set OA
[FW1-policy-security-rule-policy_1]time-range working-time
[FW1-policy-security-rule-policy_1]action permit
[FW1-policy-security-rule-policy_1]
④ Test (PC1 --> OA Server)

(Now 2025/2/6, Thursday, 02:00) Outside the permitted time window, so the ping fails

(Now 2025/2/5, Wednesday, 14:25)

Session table

Server-map table

2. Office-area PCs may access the Web Server at any time

(1) Web UI configuration

① Create

② View

(2) Command-line configuration

<FW1>sys	
<FW1>system-view 
Enter system view, return user view with Ctrl+Z.
[FW1]ip address-set Web type object
[FW1-object-address-set-Web]address 10.0.0.2 mask 32
[FW1-object-address-set-Web]

No time range is set, so the rule applies at any time by default

[FW1-object-address-set-Web]security-policy
[FW1-policy-security]rule name policy_2
[FW1-policy-security-rule-policy_2]description BG to Web
[FW1-policy-security-rule-policy_2]source-zone trust
[FW1-policy-security-rule-policy_2]destination-zone dmz
[FW1-policy-security-rule-policy_2]source-address address-set BG
[FW1-policy-security-rule-policy_2]destination-address address-set Web
[FW1-policy-security-rule-policy_2]action permit
[FW1-policy-security-rule-policy_2]
Test (PC1 --> Web Server)

Session table

Server-map table

3. Production-area PCs may access the OA Server at any time but must not access the Web Server

(1) Web UI configuration

① Create

② View

(2) Command-line configuration

① Address
<FW1>sys	
<FW1>system-view 
Enter system view, return user view with Ctrl+Z.
[FW1]ip address-set SC type object
[FW1-object-address-set-SC]address 192.168.1.128 mask 25
[FW1-object-address-set-SC]
② Production area may access the OA Server at any time
[FW1]security-policy
[FW1-policy-security]rule name policy_3
[FW1-policy-security-rule-policy_3]description SC_to_OA
[FW1-policy-security-rule-policy_3]source-zone trust
[FW1-policy-security-rule-policy_3]destination-zone dmz
[FW1-policy-security-rule-policy_3]source-address address-set SC
[FW1-policy-security-rule-policy_3]destination-address address-set OA
[FW1-policy-security-rule-policy_3]action permit
[FW1-policy-security-rule-policy_3]
③ Production area must not access the Web Server
[FW1-policy-security-rule-policy_3]rule name policy_4
[FW1-policy-security-rule-policy_4]description SC_notvisit_Web
[FW1-policy-security-rule-policy_4]source-zone trust
[FW1-policy-security-rule-policy_4]destination-zone dmz
[FW1-policy-security-rule-policy_4]source-address address-set SC
[FW1-policy-security-rule-policy_4]destination-address address-set web_server
 Error: The specified object web_server does not exist.
[FW1-policy-security-rule-policy_4]action deny
[FW1-policy-security-rule-policy_4]
④ Test (PC2 --> OA  ||  PC2 --> Web)

ping OA

ping Web

Session table

Server-map table

4. Exception: production-area PC3 may access the Web Server every Monday from 10:00 to 11:00 to update the company's latest product information

(1) Web UI configuration

① Create the time range

② Create the security policy

③ View the policy list

(2) Command-line configuration

<FW1>sys	
<FW1>system-view 
Enter system view, return user view with Ctrl+Z.
[FW1]ip address-set SC3 type object
[FW1-object-address-set-SC3]address 192.168.1.130 mask 32
[FW1-object-address-set-SC3]time-range visit
[FW1-time-range-visit]period-range 10:00:00 to 11:00:00 Mon
[FW1-time-range-visit]
[FW1-time-range-visit]security-policy
[FW1-policy-security]rule name policy_5
[FW1-policy-security-rule-policy_5]description SC3_visit_Web
[FW1-policy-security-rule-policy_5]source-zone trust
[FW1-policy-security-rule-policy_5]destination-zone dmz
[FW1-policy-security-rule-policy_5]source-address address-set SC3
[FW1-policy-security-rule-policy_5]destination-address address-set web_server
 Error: The specified object web_server does not exist.
[FW1-policy-security-rule-policy_5]time-range visit
[FW1-policy-security-rule-policy_5]action permit
[FW1-policy-security-rule-policy_5]
① For policy_5 to take effect it must be placed before policy_4: rules are matched in order, and policy_4 (source SC, which also contains PC3) would otherwise match first and deny the traffic
[FW1-policy-security-rule-policy_5]q
[FW1-policy-security]rule move policy_5 before policy_4
[FW1-policy-security]
② Test (PC3 --> Web)

Change the system time to Monday 10:00

PC3 --> Web

Session table

Server-map table
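As an added example (not part of the original lab), the following Python simulator models the lab's address objects, time ranges and rule base with first-match evaluation, and shows why policy_5 must sit before policy_4. It assumes the end of a period-range is exclusive and that the destination of policy_4 and policy_5 is the Web object created above (the CLI transcript referenced a non-existent web_server name); PC2's address is a constructed value inside the 192.168.1.128/25 range.

```python
# Added example: a first-match simulator of the lab's security-policy rule base.
from datetime import datetime
import ipaddress

# Address objects exactly as created in the lab
ADDR = {
    "BG":  ipaddress.ip_network("192.168.1.0/25"),    # office area (VLAN 2)
    "SC":  ipaddress.ip_network("192.168.1.128/25"),  # production area (VLAN 3)
    "SC3": ipaddress.ip_network("192.168.1.130/32"),  # production PC3
    "OA":  ipaddress.ip_network("10.0.0.1/32"),
    "Web": ipaddress.ip_network("10.0.0.2/32"),
}

# Time ranges: (weekday numbers with Monday = 0, start, end); None = always.
# Assumption: the end time is treated as exclusive.
TIME = {
    "working-time": ({0, 1, 2, 3, 4}, "08:00", "18:00"),  # working-day 08:00-18:00
    "visit": ({0}, "10:00", "11:00"),                     # Mon 10:00-11:00
}

# Rule base in the order the lab leaves it after "rule move policy_5 before policy_4".
# Fields: name, source set, destination set, time range, action.
RULES = [
    ("policy_1", "BG",  "OA",  "working-time", "permit"),
    ("policy_2", "BG",  "Web", None,           "permit"),
    ("policy_3", "SC",  "OA",  None,           "permit"),
    ("policy_5", "SC3", "Web", "visit",        "permit"),
    ("policy_4", "SC",  "Web", None,           "deny"),
]
# Same rules in creation order (before the move): policy_4 shadows policy_5.
RULES_BEFORE_MOVE = [r for r in RULES if r[0] != "policy_5"] + [RULES[3]]

def in_time_range(name, when):
    if name is None:
        return True
    days, start, end = TIME[name]
    return when.weekday() in days and start <= when.strftime("%H:%M") < end

def evaluate(rules, src, dst, when_iso):
    """Return (rule name, action) of the first matching rule; default deny.
    when_iso is an ISO timestamp such as "2025-02-05T14:25"."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    when = datetime.fromisoformat(when_iso)
    for name, sa, da, tr, action in rules:
        if s in ADDR[sa] and d in ADDR[da] and in_time_range(tr, when):
            return name, action
    return "default", "deny"

if __name__ == "__main__":
    # PC3 -> Web Server on Monday 10:30: permitted only with policy_5 ahead of policy_4
    print(evaluate(RULES, "192.168.1.130", "10.0.0.2", "2025-02-10T10:30"))
    print(evaluate(RULES_BEFORE_MOVE, "192.168.1.130", "10.0.0.2", "2025-02-10T10:30"))
```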
