Context technology (dividing one physical firewall into multiple virtual firewalls)
Creating a Context is equivalent to building a new device: each Context gets its own interfaces, configuration and resource limits.
1 Create the context
2 Place the Context in the default security engine group
Context view commands:
allocate Assign resources to the context
capability Configure capability limits
context Manage a context
description Configure a description for the context
diagnostic-logfile Diagnostic log file configuration
dialer Specify Dial-on-Demand Routing(DDR) configuration information
display Display current system information
end Alias for 'return'
exit Alias for 'quit'
limit-resource Configure resource limits
loadbalance Load Balancing module
lock Lock the current line
logfile Log file configuration
monitor System monitor
no Alias for 'undo'
ping Ping function
quit Exit from current command view
repeat Repeat executing history commands
reset Reset operation
return Exit to User View
save Save current configuration
security-logfile Security log file configuration
show Alias for 'display'
tracert Tracert function
undo Cancel current setting
write Alias for 'save'
allocate: assign resources (interfaces, VLANs) to the context.
capability: configure service capability limits for the context (throughput, sessions, security policy rules, SSL VPN users); these are capacity caps, not privilege settings.
context: manage the context itself (for example start or stop it).
description: configure a description for the context.
diagnostic-logfile: configure the diagnostic log file used to record system diagnostic information.
dialer: configure Dial-on-Demand Routing (DDR).
display: display current system information, i.e. the current state or configuration.
end: alias for 'return'; exits to user view.
exit: alias for 'quit'; exits the current command view.
limit-resource: configure resource limits (CPU weight, memory, disk) for the context.
loadbalance: the load-balancing module, for configuring and managing load-balancing settings.
lock: lock the current user line so nobody can use the session until it is unlocked.
logfile: log file configuration (path, format, and so on).
monitor: system monitoring of status and performance.
no: alias for 'undo'.
ping: Ping function, tests network reachability.
quit: exit from the current command view.
repeat: re-execute commands from the history buffer.
reset: clear operations (statistics, sessions, counters); this is not a restore to factory settings.
return: exit to user view from any command view.
save: save the current configuration to the device.
security-logfile: configuration of the log file used to record security events.
show: alias for 'display'.
tracert: Tracert function, traces the path packets take from source to destination.
undo: cancel or restore the default of the setting named after it; it does not simply revert the most recent change.
write: alias for 'save'.
3 Allocate interfaces to the Context
3.1 Allocate a contiguous range of interfaces
3.2 Allocate non-contiguous interfaces / VLANs
[Context-FW-context-3-admin001]allocate interface GigabitEthernet 1/0/5 ?
GigabitEthernet GigabitEthernet interface
share Share the interfaces with other contexts
to Specify the end interface
<cr>
GigabitEthernet: a Gigabit Ethernet interface; the prompt expects the interface number next.
share: allocate the interface in sharing mode so that other contexts can use it as well.
to: specify the end interface of a contiguous range.
<cr>: press Enter to run the command as typed.
[Context-FW]context he
[Context-FW-context-5-he]dis
[Context-FW-context-5-he]display th
[Context-FW-context-5-he]display this
#
context he id 5
#
return
[Context-FW-context-5-he]de
[Context-FW-context-5-he]description he
[Context-FW-context-5-he]al
[Context-FW-context-5-he]allocate int
[Context-FW-context-5-he]allocate interface g
[Context-FW-context-5-he]allocate interface GigabitEthernet 1/0/1 to g
[Context-FW-context-5-he]allocate interface GigabitEthernet 1/0/1 to GigabitEthernet int
[Context-FW-context-5-he]allocate interface GigabitEthernet 1/0/1 to GigabitEthernet 1/0/7
Configuration of the interfaces will be lost. Continue? [Y/N]:y
GigabitEthernet1/0/4 has been allocated in sharing mode. Please cancel the allocation in sharing mode first.
GigabitEthernet1/0/5 has been allocated in sharing mode. Please cancel the allocation in sharing mode first.
Group error: all interfaces of one group must be allocated to the same mdc.
GigabitEthernet1/0/1 GigabitEthernet1/0/2
GigabitEthernet1/0/3 GigabitEthernet1/0/6
GigabitEthernet1/0/7
Port list of group 1:
GigabitEthernet1/0/0 GigabitEthernet1/0/1
GigabitEthernet1/0/2 GigabitEthernet1/0/3
GigabitEthernet1/0/4 GigabitEthernet1/0/5
GigabitEthernet1/0/6 GigabitEthernet1/0/7
GigabitEthernet1/0/8 GigabitEthernet1/0/9
GigabitEthernet1/0/10 GigabitEthernet1/0/11
[Context-FW-context-5-he]
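The two failures in the transcript above need two different fixes. An interface already allocated in sharing mode (1/0/4 and 1/0/5) must be released from the context that holds it before it can be allocated exclusively, and a port group is an all-or-nothing unit (the message says "mdc", the underlying Comware term for a context), so the allocation should cover the whole of port group 1 (1/0/0 to 1/0/11) rather than 1/0/1 to 1/0/7. The sequence below is an added example of that recovery, not part of the original transcript: that context addm001 is the holder of the shared interfaces, and the exact undo allocate interface syntax, are assumptions to confirm with ? on the device. Lines starting with # are annotations, not CLI input.

```text
# Assumption: the sharing-mode allocations of GE1/0/4 and GE1/0/5 belong to context addm001.
[Context-FW] context addm001
[Context-FW-context-2-addm001] undo allocate interface GigabitEthernet 1/0/4 to GigabitEthernet 1/0/5
[Context-FW-context-2-addm001] quit
# "Port list of group 1" in the error output is GE1/0/0 to GE1/0/11, so allocate the
# whole group to one context instead of a subset of it.
[Context-FW] context he
[Context-FW-context-5-he] allocate interface GigabitEthernet 1/0/0 to GigabitEthernet 1/0/11
Configuration of the interfaces will be lost. Continue? [Y/N]:y
# Confirm that all twelve interfaces now belong to context he.
[Context-FW-context-5-he] display context name he interface
```

The Continue? [Y/N] prompt is a real warning: any configuration on the interfaces being moved (IP addresses, security zone membership) is discarded, so record it before answering y.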
4 Limit the Context's throughput
[Context-fw-1090-context-2-addm001]capability throughput ?
gbps Maximum throughput in gbps
kbps Maximum throughput in kbps
mbps Maximum throughput in mbps
pps Maximum throughput in pps
[Context-fw-1090-context-2-addm001]capability throughput
gbps: maximum throughput in gigabits per second (Gbps).
kbps: maximum throughput in kilobits per second (kbps).
mbps: maximum throughput in megabits per second (Mbps).
pps: maximum throughput in packets per second.
5 Limit the number of concurrent sessions in the Context
[Context-fw-1090-context-2-addm001]capability session maximum ?
INTEGER<1-4294967295> Maximum number
threshold Configure the alarm recovery threshold in percentage
[Context-fw-1090-context-2-addm001]capability ?
security-policy-rule Security policy rule capability
session Sessions capability
sslvpn-user SSL VPN user limit
throughput Throughput capacity
[Context-fw-1090-context-2-addm001]capability session maximum ?
INTEGER<1-4294967295>: the maximum number of sessions, an integer from 1 to 4294967295.
threshold: the alarm recovery threshold as a percentage of the maximum; the alarm raised when the session count reaches the maximum clears once usage drops below this percentage.
capability ?
security-policy-rule: limit on the number of security policy rules the context may configure.
session: session capability, i.e. the maximum number of concurrent sessions and its alarm threshold.
sslvpn-user: limit on the number of users that may connect through SSL VPN in the context.
throughput: throughput capacity, i.e. the bandwidth or packet-rate cap for the context.
6 Assign a CPU weight to the Context
The CPU weight is a relative scheduling share, not a CPU count or a percentage: when several contexts on the same security engine compete for CPU, a context with a higher weight receives proportionally more CPU time, and the weight has no effect while the CPU is not contended. It is set with limit-resource in context view; check the current value with display context resource cpu.
7 Set an upper limit on the Context's memory usage
Memory, like disk space, is capped per context with limit-resource in context view. Display the Context's usage of CPU, disk and memory resources: display context resource
8 Accessing and inspecting a Context
[Context-fw-1090-context-2-addm001]
[Context-fw-1090]display context ?
> Redirect it to a file
>> Redirect it to a file in append mode
capability Display the service capabilities of contexts
configuration Display context configuration
interface Display interfaces of the specified context
name Specify a context by its name
online-users Online user information
resource Display the resource configuration and usage information
statistics Display context statistics
vlan VLAN information
| Matching output
<cr>
[Context-fw-1090]display context ca
[Context-fw-1090]display context capability
Session usage and establishment rate:
Slot 1 CPU 0:
ID Name Maximum Used Free Total(/s) Rate(/s) Usage(%)
1 Admin NA 0 NA NA 0 NA
2 addm001 NA 0 NA NA 0 NA
[Context-fw-1090]display context int
[Context-fw-1090]display context interface
Context addm001's interfaces:
[Context-fw-1090]display context addm001
^
% Too many parameters found at '^' position.
[Context-fw-1090]display context na
[Context-fw-1090]display context name ?
STRING<1-15> Context name
[Context-fw-1090]display context name Admin
ID Name Status Description
1 Admin active DefaultContext
[Context-fw-1090]display context name addm001
ID Name Status Description
2 addm001 inactive admin001
[Context-fw-1090]swi
[Context-fw-1090]switchto cont
[Context-fw-1090]switchto context addm001
This context is not started.
[Context-fw-1090]
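The following pulls steps 1 to 8 together into one provisioning sequence for a new context, ending with the verification that the transcript above shows failing for a context that was never started. It is an added example, not output captured from the page's device: the context name, ID, interfaces and limit values are illustrative, and the location blade-controller-team, limit-resource and context start syntax is quoted from memory of the Comware 7 context feature and must be confirmed with ? on the target platform before use. Lines starting with # are annotations, not CLI input.

```text
<Context-FW> system-view
# 1 Create the context (the id is optional; the system assigns one if it is omitted)
[Context-FW] context vfw-dmz id 6
[Context-FW-context-6-vfw-dmz] description DMZ tenant firewall
# 2 Place it in the default security engine group (command and group name assumed)
[Context-FW-context-6-vfw-dmz] location blade-controller-team default
# 3 Give it exclusive use of a whole port group (GE1/0/8 to GE1/0/11, assumed unallocated);
#   interfaces of one port group can only belong to one context
[Context-FW-context-6-vfw-dmz] allocate interface GigabitEthernet 1/0/8 to GigabitEthernet 1/0/11
Configuration of the interfaces will be lost. Continue? [Y/N]:y
# 4 and 5 Service capability caps: 500 Mbps and 200000 concurrent sessions
#   (an alarm recovery percentage can be added with the threshold keyword from section 5)
[Context-FW-context-6-vfw-dmz] capability throughput mbps 500
[Context-FW-context-6-vfw-dmz] capability session maximum 200000
# 6 and 7 Relative CPU share and a memory ceiling of 20% of the engine's memory (syntax assumed)
[Context-FW-context-6-vfw-dmz] limit-resource cpu weight 5
[Context-FW-context-6-vfw-dmz] limit-resource memory slot 1 cpu 0 ratio 20
# Start the context; until this is done switchto fails with "This context is not started."
[Context-FW-context-6-vfw-dmz] context start
[Context-FW-context-6-vfw-dmz] quit
# 8 Verify status, interfaces and resource usage, then enter the context
[Context-FW] display context name vfw-dmz
[Context-FW] display context name vfw-dmz interface
[Context-FW] display context name vfw-dmz resource
[Context-FW] switchto context vfw-dmz
<vfw-dmz>
```

Apply the capability and limit-resource lines before context start and before any tenant traffic is allowed: a context created without caps can consume the whole engine's sessions, bandwidth and memory and starve the other contexts, which defeats the isolation that is the point of virtualising the firewall.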
9 Collect logs
10 Maintenance manual: Context
Task | Command |
Display information about security engine groups | display blade-controller-team [ blade-controller-team-name | id blade-controller-team-id ] |
Display information about Contexts | display context [ name context-name ] [ verbose ] |
Display usage of the allocatable service resources in a Context | display context [ name context-name ] capability [ security-policy | session [ chassis chassis-number slot slot-number ] | sslvpn-user ] |
Display the configuration of each Context | display context [ name context-name ] configuration [ file filename ] |
Display the interface list of a Context | display context [ name context-name ] interface |
Display a Context's usage of CPU/disk/memory resources | display context [ name context-name ] resource [ cpu | disk | memory ] [ chassis chassis-number slot slot-number cpu cpu-number ] |
Display resource statistics for a Context | display context [ name context-name ] statistics [ file filename ] |
Display the VLAN list of a Context | display context [ name context-name ] vlan |
Clear the data of security engines that are absent from the specified security engine group | reset blade-controller-team team-id member slot slot-number cpu cpu-number |