I. Basic configuration
1. Enable the virtual system feature, check how much of the whole device's resources remain, then create a resource class and plan the number of sessions, users, user groups and policies plus the overall bandwidth limit according to requirements.
[USG6000V1]vsys enable
[USG6000V1]display resource global-resource
2024-02-28 12:52:36.050
Global resource table:
------------------------------------------------------------
                    Global-Number  Remained-Number
session                      5000             5000
session-rate                 6000             6000
ipv6 session                  128              128
ipv6 session-rate           10000            10000
bandwidth                      10               10
policy                       1000             1000
traffic-policy                 16               16
ssl-vpn-concurrent            100              100
online-user                   500              500
user                          500              500
user-group                    128              128
security-group                500              500
l2tp-tunnel                   200              200
ipsec-tunnel                   10               10
------------------------------------------------------------
[USG6000V1]resou
[USG6000V1]resource-class r1
[USG6000V1-resource-class-r1]resource-item-limit session reserved-number 1000 maximum 2000
[USG6000V1-resource-class-r1]resource-item-limit user reserved-number 100
[USG6000V1-resource-class-r1]resource-item-limit user-group reserved-number 10
[USG6000V1-resource-class-r1]resource-item-limit policy reserved-number 200
[USG6000V1-resource-class-r1]resource-item-limit bandwidth 5 entire
2. Check that the resource class created above contains no errors, then create the virtual system and allocate resources to it.
[USG6000V1-resource-class-r1]display this
2024-02-28 12:55:44.180
#
resource-class r1
resource-item-limit session reserved-number 1000 maximum 2000
resource-item-limit bandwidth 5 entire
resource-item-limit policy reserved-number 200
resource-item-limit user reserved-number 100
resource-item-limit user-group reserved-number 10
#
[USG6000V1]vsys name vsysa
[USG6000V1-vsys-vsysa]assign resource-class r1
[USG6000V1-vsys-vsysa]assign interface GigabitEthernet 1/0/0
Info: All related configurations on this interface are removed.
[USG6000V1-vsys-vsysa]assign interface GigabitEthernet 1/0/1
Info: All related configurations on this interface are removed.
[USG6000V1-vsys-vsysa]display this
2024-02-28 12:57:19.010
#
vsys name vsysa 1
assign interface GigabitEthernet1/0/0
assign interface GigabitEthernet1/0/1
assign resource-class r1
#
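The planning step above (reserve quotas in a resource class, then assign the class to one or more virtual systems) is easy to over-commit by hand. The following script is an added example, not part of the original notes: it parses the `display resource global-resource` table and the `resource-class r1` block exactly as shown above and checks that the reserved quotas of every virtual system using the class still fit into the device's global pool. The function names and the scenario that assigns r1 to a constructed third virtual system (vsysc) are assumptions made for illustration; the page itself only ever assigns r1 to vsysa and vsysb.

```python
"""Added example, not part of the original notes: sanity-check resource-class
planning against the 'display resource global-resource' output above.

The global table and the resource-class r1 block are copied from the page.
The function names and the scenario that assigns r1 to a third virtual
system (vsysc) are constructed here to show the over-commit check firing."""
import re

GLOBAL_RESOURCE_OUTPUT = """\
Global resource table:
------------------------------------------------------------
Global-Number Remained-Number
session 5000 5000
session-rate 6000 6000
ipv6 session 128 128
ipv6 session-rate 10000 10000
bandwidth 10 10
policy 1000 1000
traffic-policy 16 16
ssl-vpn-concurrent 100 100
online-user 500 500
user 500 500
user-group 128 128
security-group 500 500
l2tp-tunnel 200 200
ipsec-tunnel 10 10
------------------------------------------------------------
"""

RESOURCE_CLASS_R1 = """\
resource-class r1
 resource-item-limit session reserved-number 1000 maximum 2000
 resource-item-limit bandwidth 5 entire
 resource-item-limit policy reserved-number 200
 resource-item-limit user reserved-number 100
 resource-item-limit user-group reserved-number 10
"""


def parse_global_resources(text):
    """Return {item: (global_number, remained_number)} from the table.

    Item names can contain spaces ('ipv6 session'), so the two trailing
    integers are split off first and whatever precedes them is the item.
    """
    table = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(\d+)$", line.strip())
        if m:
            table[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return table


def parse_resource_class(text):
    """Return {item: reserved_amount} for one resource-class block.

    'reserved-number N' is a guaranteed quota taken from the global pool;
    'maximum N' is only a ceiling and reserves nothing. 'bandwidth N entire'
    reserves N Mbit/s of the device's total bandwidth.
    """
    reserved = {}
    for line in text.splitlines():
        m = re.match(r"\s*resource-item-limit (\S+) reserved-number (\d+)", line)
        if m:
            reserved[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"\s*resource-item-limit bandwidth (\d+)", line)
        if m:
            reserved["bandwidth"] = int(m.group(1))
    return reserved


def check_assignments(global_res, classes, assignments):
    """Sum the reserved quotas of every vsys's class and compare with the
    global pool. assignments maps vsys name -> class name. Returns a list of
    violation messages; an empty list means the plan fits."""
    totals = {}
    for cls in assignments.values():
        for item, amount in classes[cls].items():
            totals[item] = totals.get(item, 0) + amount
    problems = []
    for item, total in totals.items():
        if item not in global_res:
            problems.append(f"{item}: not present in the global resource table")
        elif total > global_res[item][0]:
            problems.append(f"{item}: reserved {total} exceeds global {global_res[item][0]}")
    return problems


if __name__ == "__main__":
    glob = parse_global_resources(GLOBAL_RESOURCE_OUTPUT)
    classes = {"r1": parse_resource_class(RESOURCE_CLASS_R1)}
    print("vsysa+vsysb:", check_assignments(glob, classes, {"vsysa": "r1", "vsysb": "r1"}))
    # Constructed: a third vsys on r1 would over-commit the 10 Mbit/s bandwidth.
    print("with vsysc:", check_assignments(glob, classes, {"vsysa": "r1", "vsysb": "r1", "vsysc": "r1"}))
```

With the page's two virtual systems the plan fits (2 x 5 Mbit/s of the 10 available); a third virtual system on the same class would reserve 15 Mbit/s and the check reports the bandwidth over-commit. Only `reserved-number` values are summed, because the `maximum` value on the session item is a per-vsys ceiling rather than a guarantee drawn from the pool.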
3. Switch into the virtual system and perform the basic configuration.
[USG6000V1]switch vsys vsysa
<USG6000V1-vsysa>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1-vsysa]interface g1/0/0
[USG6000V1-vsysa-GigabitEthernet1/0/0]ip add 10.0.1.254 24
[USG6000V1-vsysa-GigabitEthernet1/0/0]interface g1/0/1
[USG6000V1-vsysa-GigabitEthernet1/0/1]ip add 10.0.2.254 24
[USG6000V1-vsysa-GigabitEthernet1/0/1]q
[USG6000V1-vsysa]firewall zone trust
[USG6000V1-vsysa-zone-trust]add interface g1/0/0
[USG6000V1-vsysa-zone-trust]firewall zone untrust
[USG6000V1-vsysa-zone-untrust]add interface g1/0/1
4. Configure the security policy for the virtual system.
[USG6000V1-vsysa]firewall zone trust
[USG6000V1-vsysa-zone-trust]add interface g1/0/0
[USG6000V1-vsysa-zone-trust]firewall zone untrust
[USG6000V1-vsysa-zone-untrust]add interface g1/0/1
[USG6000V1-vsysa-zone-untrust]q
[USG6000V1-vsysa]se
[USG6000V1-vsysa]security-policy
[USG6000V1-vsysa-policy-security]rule name policy1
[USG6000V1-vsysa-policy-security-rule-policy1]source-zone trust
[USG6000V1-vsysa-policy-security-rule-policy1]destination-zone untrust
[USG6000V1-vsysa-policy-security-rule-policy1]source-address 10.0.1.0 24
[USG6000V1-vsysa-policy-security-rule-policy1]service icmp
[USG6000V1-vsysa-policy-security-rule-policy1]action permit
5. Test.
II. Mutual access between virtual systems
1. Basic configuration
[USG6000V1]vsys enable
[USG6000V1]display resource global-resource
2024-02-28 12:52:36.050
Global resource table:
------------------------------------------------------------
                    Global-Number  Remained-Number
session                      5000             5000
session-rate                 6000             6000
ipv6 session                  128              128
ipv6 session-rate           10000            10000
bandwidth                      10               10
policy                       1000             1000
traffic-policy                 16               16
ssl-vpn-concurrent            100              100
online-user                   500              500
user                          500              500
user-group                    128              128
security-group                500              500
l2tp-tunnel                   200              200
ipsec-tunnel                   10               10
------------------------------------------------------------
[USG6000V1]resou
[USG6000V1]resource-class r1
[USG6000V1-resource-class-r1]resource-item-limit session reserved-number 1000 maximum 2000
[USG6000V1-resource-class-r1]resource-item-limit user reserved-number 100
[USG6000V1-resource-class-r1]resource-item-limit user-group reserved-number 10
[USG6000V1-resource-class-r1]resource-item-limit policy reserved-number 200
[USG6000V1-resource-class-r1]resource-item-limit bandwidth 5 entire
[USG6000V1-resource-class-r1]display this
2024-02-28 12:55:44.180
#
resource-class r1
resource-item-limit session reserved-number 1000 maximum 2000
resource-item-limit bandwidth 5 entire
resource-item-limit policy reserved-number 200
resource-item-limit user reserved-number 100
resource-item-limit user-group reserved-number 10
#
[USG6000V1]vsys name vsysa
[USG6000V1-vsys-vsysa]assign resource-class r1
[USG6000V1-vsys-vsysa]assign interface GigabitEthernet 1/0/0
Info: All related configurations on this interface are removed.
[USG6000V1-vsys-vsysa]display this
2024-02-28 13:51:45.290
#
vsys name vsysa 1
assign interface GigabitEthernet1/0/0
assign resource-class r1
#
return
[USG6000V1]vsys name vsysb
[USG6000V1-vsys-vsysb]assign resource-class r1
[USG6000V1-vsys-vsysb]assign interface GigabitEthernet 1/0/1
Info: All related configurations on this interface are removed.
[USG6000V1-vsys-vsysb]display this
2024-02-28 13:53:14.100
#
vsys name vsysb 2
assign interface GigabitEthernet1/0/1
assign resource-class r1
#
return
2. View the interfaces
[USG6000V1-vsysa]display interface brief
2024-02-28 13:54:44.020
PHY: Physical
*down: administratively down
(l): loopback
(s): spoofing
(b): BFD down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface                 PHY   Protocol  InUti  OutUti  inErrors  outErrors
GigabitEthernet1/0/0      up    up        0%     0%      0         0
Virtual-if1               up    up(s)     --     --      0         0
3. IP address configuration
[USG6000V1-vsysa-GigabitEthernet1/0/0]ip add 10.0.1.254 24
4. Assign interfaces to zones, in particular Virtual-if1
[USG6000V1-vsysa]firewall zone trust
[USG6000V1-vsysa-zone-trust]add interface g1/0/0
[USG6000V1-vsysa]firewall zone dmz
[USG6000V1-vsysa-zone-dmz]add interface Virtual-if 1
5. Security policy configuration
[USG6000V1-vsysa]security-policy
[USG6000V1-vsysa-policy-security]rule name vsysa_to_vsysb
[USG6000V1-vsysa-policy-security-rule-vsysa_to_vsysb]source-zone trust
[USG6000V1-vsysa-policy-security-rule-vsysa_to_vsysb]destination-zone dmz
[USG6000V1-vsysa-policy-security-rule-vsysa_to_vsysb]source-address 10.0.1.0 24
[USG6000V1-vsysa-policy-security-rule-vsysa_to_vsysb]destination-address 10.0.2.0 24
[USG6000V1-vsysa-policy-security-rule-vsysa_to_vsysb]service icmp
[USG6000V1-vsysa-policy-security-rule-vsysa_to_vsysb]action permit
[USG6000V1-vsysa-policy-security-rule-vsysa_to_vsysb]q
[USG6000V1-vsysa-policy-security]q
6. Static route configuration, pointing to public
[USG6000V1-vsysa]ip route-static 10.0.2.0 24 public
7. Configure the root system (acting as a router)
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface Virtual-if 0
[USG6000V1]ip route-static 10.0.2.0 24 vpn-instance vsysb
[USG6000V1]ip route-static 10.0.1.0 24 vpn-instance vsysa
8. Configure vsysb
[USG6000V1-vsysb]display interface brief
2024-02-28 14:14:00.870
PHY: Physical
*down: administratively down
(l): loopback
(s): spoofing
(b): BFD down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface                 PHY   Protocol  InUti  OutUti  inErrors  outErrors
GigabitEthernet1/0/1      up    up        0%     0%      0         0
Virtual-if2               up    up(s)     --     --      0         0
[USG6000V1-vsysb]interface g1/0/1
[USG6000V1-vsysb-GigabitEthernet1/0/1]ip add 10.0.2.254 24
[USG6000V1-vsysb-GigabitEthernet1/0/1]q
[USG6000V1-vsysb]firewall zone trust
[USG6000V1-vsysb-zone-trust]add interface g1/0/1
[USG6000V1-vsysb-zone-trust]q
[USG6000V1-vsysb]firewall zone dmz
[USG6000V1-vsysb-zone-dmz]add interface Virtual-if 2
[USG6000V1-vsysb-zone-dmz]q
[USG6000V1-vsysb]security-policy
[USG6000V1-vsysb-policy-security]rule name vsysa_to_vsysb
[USG6000V1-vsysb-policy-security-rule-vsysa_to_vsysb]source-zone dmz
[USG6000V1-vsysb-policy-security-rule-vsysa_to_vsysb]destination-zone trust
[USG6000V1-vsysb-policy-security-rule-vsysa_to_vsysb]source-address 10.0.1.0 24
[USG6000V1-vsysb-policy-security-rule-vsysa_to_vsysb]destination-address 10.0.2.0 24
[USG6000V1-vsysb-policy-security-rule-vsysa_to_vsysb]service icmp
[USG6000V1-vsysb-policy-security-rule-vsysa_to_vsysb]action permit
[USG6000V1-vsysb-policy-security-rule-vsysa_to_vsysb]quit
[USG6000V1-vsysb-policy-security]quit
[USG6000V1-vsysb]ip route-static 10.0.1.0 24 public
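Steps 2 to 8 above build one forwarding path out of three independent pieces: the zones and policy inside vsysa, the static routes in the root system, and the zones and policy inside vsysb. Each virtual system enforces only its own security policy at its own zone boundary, which is why a rule has to exist on both sides (trust to dmz in vsysa, dmz to trust in vsysb). The script below is an added example, not code from the original notes: it encodes the configuration from the steps above as data and walks one flow through vsysa, the root system and vsysb, reporting which policy would deny it and where. The table layout, the names `INSTANCES`, `trace`, `lookup_route` and `policy_permits`, the pairing of each Virtual-if with the root's Virtual-if0, and treating the root system as a pure router with no policy check (as the notes describe it) are assumptions of the model, not the USG's actual implementation.

```python
"""Added example, not part of the original notes: a small model of the
section II forwarding path, used to check that zones, routes and security
policies in vsysa, the root system and vsysb line up for one flow.

Addresses, zones, routes and rules are those configured above. The data
layout, function names, the Virtual-if peering and the choice to model the
root system as a pure router (no policy) are assumptions for illustration."""
from ipaddress import ip_address, ip_network

# Per instance: its Virtual-if, interface -> zone, static/connected routes and
# security rules. A route's next hop is ("connected", interface) or
# ("instance", name); the latter leaves through the instance's Virtual-if.
INSTANCES = {
    "vsysa": {
        "virtual_if": "Virtual-if1",
        "zones": {"GigabitEthernet1/0/0": "trust", "Virtual-if1": "dmz"},
        "routes": [("10.0.1.0/24", ("connected", "GigabitEthernet1/0/0")),
                   ("10.0.2.0/24", ("instance", "public"))],
        "policies": [("trust", "dmz", "10.0.1.0/24", "10.0.2.0/24", "icmp")],
    },
    "public": {  # root system, acting as a router per the notes (assumption: no policy)
        "virtual_if": "Virtual-if0",
        "zones": {"Virtual-if0": "dmz"},
        "routes": [("10.0.2.0/24", ("instance", "vsysb")),
                   ("10.0.1.0/24", ("instance", "vsysa"))],
        "policies": None,
    },
    "vsysb": {
        "virtual_if": "Virtual-if2",
        "zones": {"GigabitEthernet1/0/1": "trust", "Virtual-if2": "dmz"},
        "routes": [("10.0.2.0/24", ("connected", "GigabitEthernet1/0/1")),
                   ("10.0.1.0/24", ("instance", "public"))],
        "policies": [("dmz", "trust", "10.0.1.0/24", "10.0.2.0/24", "icmp")],
    },
}


def lookup_route(inst, dst):
    """Longest-prefix match over the instance's routes; None when no route."""
    best = None
    for prefix, nexthop in INSTANCES[inst]["routes"]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def policy_permits(inst, src_zone, dst_zone, src, dst, service):
    """First matching rule wins; no matching rule means deny."""
    for sz, dz, snet, dnet, svc in INSTANCES[inst]["policies"]:
        if (sz == src_zone and dz == dst_zone and svc == service
                and ip_address(src) in ip_network(snet)
                and ip_address(dst) in ip_network(dnet)):
            return True
    return False


def trace(src, dst, service, start_inst, ingress_if, max_hops=5):
    """Walk the first packet of a flow from instance to instance.
    Returns (verdict, hops) where verdict is permit, deny, drop or loop."""
    hops = []
    inst, in_if = start_inst, ingress_if
    for _ in range(max_hops):
        cfg = INSTANCES[inst]
        nexthop = lookup_route(inst, dst)
        if nexthop is None:
            hops.append((inst, "no route"))
            return "drop", hops
        kind, target = nexthop
        out_if = target if kind == "connected" else cfg["virtual_if"]
        src_zone, dst_zone = cfg["zones"][in_if], cfg["zones"][out_if]
        if cfg["policies"] is not None and not policy_permits(
                inst, src_zone, dst_zone, src, dst, service):
            hops.append((inst, f"denied {src_zone}->{dst_zone}"))
            return "deny", hops
        hops.append((inst, f"{src_zone}->{dst_zone} via {out_if}"))
        if kind == "connected":
            return "permit", hops
        inst, in_if = target, INSTANCES[target]["virtual_if"]
    return "loop", hops


if __name__ == "__main__":
    print(trace("10.0.1.1", "10.0.2.1", "icmp", "vsysa", "GigabitEthernet1/0/0"))
    print(trace("10.0.1.1", "10.0.2.1", "tcp", "vsysa", "GigabitEthernet1/0/0"))
```

The ICMP flow from 10.0.1.1 to 10.0.2.1 is permitted at all three hops; the same flow with a different service is stopped already inside vsysa, because the rule `vsysa_to_vsysb` only permits icmp and an unmatched flow falls to deny. The model is stateless and only covers the initiating direction: on the real device the reply packets are matched against the session table rather than the rules, so no reverse rule is needed.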
9. Test
III. Virtual systems accessing the Internet through the root system
1. The basic configuration is similar to section II and is omitted here.
[USG6000V1-vsysa]firewall zone untrust
[USG6000V1-vsysa-zone-untrust]add interface Virtual-if 1
[USG6000V1-vsysa]security-policy
[USG6000V1-vsysa-policy-security]rule name vsysa_to_untrust
[USG6000V1-vsysa-policy-security-rule-vsysa_to_untrust]source-zone trust
[USG6000V1-vsysa-policy-security-rule-vsysa_to_untrust]destination-zone untrust
[USG6000V1-vsysa-policy-security-rule-vsysa_to_untrust]source-address 10.0.1.0 24
[USG6000V1-vsysa-policy-security-rule-vsysa_to_untrust]service icmp
[USG6000V1-vsysa-policy-security-rule-vsysa_to_untrust]action permit
[USG6000V1-vsysa]ip route-static 0.0.0.0 0 public
[USG6000V1-vsysb]firewall zone untrust
[USG6000V1-vsysb-zone-untrust]add interface Virtual-if 2
[USG6000V1-vsysb]security-policy
[USG6000V1-vsysb-policy-security]rule name vsysa_to_untrust
[USG6000V1-vsysb-policy-security-rule-vsysa_to_untrust]source-zone trust
[USG6000V1-vsysb-policy-security-rule-vsysa_to_untrust]destination-zone untrust
[USG6000V1-vsysb-policy-security-rule-vsysa_to_untrust]source-address 10.0.2.0 24
[USG6000V1-vsysb-policy-security-rule-vsysa_to_untrust]service icmp
[USG6000V1-vsysb-policy-security-rule-vsysa_to_untrust]action permit
[USG6000V1-vsysb]ip route-static 0.0.0.0 0 public
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name vsys_to_untrust
[USG6000V1-policy-security-rule-vsys_to_untrust]source-zone trust
[USG6000V1-policy-security-rule-vsys_to_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-vsys_to_untrust]source-address 10.0.1.0 24
[USG6000V1-policy-security-rule-vsys_to_untrust]source-address 10.0.2.0 24
[USG6000V1-policy-security-rule-vsys_to_untrust]service icmp
[USG6000V1-policy-security-rule-vsys_to_untrust]action permit
[USG6000V1]ip route-static 0.0.0.0 0 2.2.2.254
2. Test
3. View the session table (the first screenshot is vsysa, the second is the root system)
The root system can read the virtual systems' session tables and state information, but when traffic volume is large this adds resource overhead and configuration complexity; for that reason an import-flow table is configured instead.
[USG6000V1]firewall import-flow public 10.0.1.1 10.0.1.1 vpn-instance vsysa
Warning: The destination of this IP range should be in this vsys network, otherwise it may cause flow loop! Continue?[Y/N]:y
[USG6000V1]display firewall import-flow public 10.0.1.1
2024-02-29 13:41:37.530
ImportFlow Tables:
Source Instance Destination Address Destination Instance
------------------------------------------------------------------------------
public 10.0.1.1 vsysa
------------------------------------------------------------------------------
Total:1
[USG6000V1]
This shows that the root system no longer keeps a session table for vsysa; it hands the traffic to the virtual system according to the import-flow table. The root system can now be regarded as a plain router, and after deleting the root security policy the test still passes.
[USG6000V1]firewall import-flow public 10.0.2.1 10.0.2.1 vpn-instance vsysb
Warning: The destination of this IP range should be in this vsys network, otherwise it may cause flow loop! Continue?[Y/N]:y
[USG6000V1-policy-security-rule-vsys_to_untrust]undo source-address 10.0.2.0 24
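The device's own warning above states the one rule that matters for an import-flow entry: the destination range diverted to a virtual system must lie inside that virtual system's network, otherwise traffic can loop between the root system and the vsys. The script below is an added example, not code from the original notes: it parses `firewall import-flow` commands, checks each one against the networks known to belong to vsysa and vsysb (from sections II and III), and also parses the `display firewall import-flow` output shown above. The two page entries are real; the third, mis-scoped entry (a vsysa host diverted into vsysb), the `VSYS_NETWORKS` table and all function names are constructed for illustration.

```python
"""Added example, not part of the original notes: check import-flow entries
before committing them, using the rule the USG itself warns about above:
the destination range diverted to a virtual system should lie inside that
virtual system's own network, otherwise traffic can loop between the root
system and the vsys.

The two page entries and the per-vsys networks come from sections II/III;
the third, mis-scoped entry and all function names are constructed here."""
from ipaddress import ip_address, ip_network, summarize_address_range

# Networks directly connected inside each virtual system (from the page).
VSYS_NETWORKS = {
    "vsysa": [ip_network("10.0.1.0/24")],
    "vsysb": [ip_network("10.0.2.0/24")],
}

IMPORT_FLOW_COMMANDS = [
    "firewall import-flow public 10.0.1.1 10.0.1.1 vpn-instance vsysa",
    "firewall import-flow public 10.0.2.1 10.0.2.1 vpn-instance vsysb",
    # Constructed mistake: a vsysa host diverted into vsysb.
    "firewall import-flow public 10.0.1.1 10.0.1.1 vpn-instance vsysb",
]

# 'display firewall import-flow public 10.0.1.1' output as shown on the page.
DISPLAY_OUTPUT = """\
ImportFlow Tables:
Source Instance Destination Address Destination Instance
------------------------------------------------------------------------------
public 10.0.1.1 vsysa
------------------------------------------------------------------------------
Total:1
"""


def parse_import_flow_cmd(cmd):
    """'firewall import-flow <src-inst> <start> <end> vpn-instance <vsys>'
    -> (src_inst, start, end, vsys)."""
    parts = cmd.split()
    if len(parts) != 7 or parts[:2] != ["firewall", "import-flow"] or parts[5] != "vpn-instance":
        raise ValueError(f"unrecognised import-flow command: {cmd}")
    return parts[2], parts[3], parts[4], parts[6]


def range_inside_vsys(start, end, vsys):
    """True when every address in start..end belongs to one of vsys's networks."""
    nets = VSYS_NETWORKS.get(vsys, [])
    for block in summarize_address_range(ip_address(start), ip_address(end)):
        if not any(block.subnet_of(net) for net in nets):
            return False
    return True


def validate(commands):
    """Map each command to None (acceptable) or a description of the problem."""
    verdicts = {}
    for cmd in commands:
        src_inst, start, end, vsys = parse_import_flow_cmd(cmd)
        if vsys not in VSYS_NETWORKS:
            verdicts[cmd] = f"unknown virtual system {vsys}"
        elif ip_address(start) > ip_address(end):
            verdicts[cmd] = "start address is after end address"
        elif not range_inside_vsys(start, end, vsys):
            verdicts[cmd] = f"{start}-{end} is not inside {vsys}'s networks: flow loop risk"
        else:
            verdicts[cmd] = None
    return verdicts


def parse_import_flow_table(text):
    """Rows of 'display firewall import-flow' as (src_inst, dst_addr, dst_inst)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # title, column header, separators and 'Total:1'
        try:
            ip_address(parts[1])
        except ValueError:
            continue
        rows.append((parts[0], parts[1], parts[2]))
    return rows


if __name__ == "__main__":
    for cmd, verdict in validate(IMPORT_FLOW_COMMANDS).items():
        print("OK " if verdict is None else "BAD", cmd, "" if verdict is None else f"({verdict})")
    print(parse_import_flow_table(DISPLAY_OUTPUT))
```

The two entries from the page pass; the constructed entry that hands 10.0.1.1 to vsysb is flagged, because no network of vsysb contains it. Running a check like this from the change pipeline before the command reaches the device is cheaper than answering the device's Y/N prompt by habit.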
IV. Import-flow table
Reference: 防火墙和VPN技术与实践 (Firewall and VPN Technology and Practice), by 李学昭 (Li Xuezhao)