802.1x
SW3
dot1x enable
undo dot1x handshake
dot1x authentication-method eap
dot1x free-ip 10.1.5.107 32
radius-server template radius
radius-server shared-key cipher Huawei@123
radius-server authentication 10.1.5.107 1812
radius-server accounting 10.1.5.107 1813
quit
radius-server authorization 10.1.5.107 shared-key cipher Huawei@123
aaa
authentication-scheme radius
authentication-mode radius
accounting-scheme radius
accounting-mode radius
domain default
authentication-scheme radius
accounting-scheme radius
radius-server radius
interface GigabitEthernet0/0/10
dot1x enable
FW1/FW2
security-policy
rule name sw3_AC
source-zone dmz
source-zone trust
destination-zone dmz
destination-zone trust
source-address 10.1.3.3 32
source-address 10.1.5.107 32
destination-address 10.1.3.3 32
destination-address 10.1.5.107 32
action permit
portal
SW3
web-auth-server portal
server-ip 10.1.5.107
port 50200
shared-key cipher Huawei@123
url http://10.1.5.107:8080/portal
portal free-rule 1 destination ip 10.1.5.107 mask 255.255.255.255
interface Vlanif2
web-auth-server portal layer3
DDOS
r1
interface e1/0/0.1
arp broadcast enable
interface e1/0/0.2
arp broadcast enable
ip route-static 10.1.5.110 32 10.1.11.61
acl number 3000
rule 5 permit ip destination 10.1.5.110 0
traffic classifier ddos operator or
if-match acl 3000
traffic behavior ddos
redirect ip-nexthop 10.1.9.21
traffic policy ddos
classifier ddos behavior ddos
interface e1/0/0.2
traffic-policy ddos inbound
r2
interface e1/0/0.1
arp broadcast enable
interface e1/0/0.2
arp broadcast enable
ip route-static 10.1.5.110 32 10.1.11.61
acl number 3000
rule 5 permit ip destination 10.1.5.110 0
traffic classifier ddos operator or
if-match acl 3000
traffic behavior ddos
redirect ip-nexthop 10.1.10.21
traffic policy ddos
classifier ddos behavior ddos
interface e1/0/0.2
traffic-policy ddos inbound
antiddos
int g1/0/0.1
anti-ddos clean enable
anti-ddos flow-statistic enable
security-policy
rule name ddos_tr_un
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
action permit
ip route-static 0.0.0.0 0.0.0.0 g1/0/0.1 10.1.11.11
ip route-static 0.0.0.0 0.0.0.0 g1/0/0.1 10.1.11.12 preference 100
ip route-static 10.1.5.110 255.255.255.255 10.1.13.11
ip route-static 10.1.5.110 255.255.255.255 10.1.13.12 preference 100
firewall ddos bgp-next-hop 10.1.11.11
atic
security-policy
rule name atic
source-zone local
source-zone trust
destination-zone local
destination-zone trust
source-address 10.1.12.105 32
source-address 10.1.12.61 32
destination-address 10.1.12.105 32
destination-address 10.1.12.61 32
action permit
telnet server enable
aaa
manager-user admin
service-type telnet terminal
user-interface vty 0 4
protocol inbound all
snmp-agent
snmp-agent sys-info version v2c
snmp-agent community read Huawei@123
snmp-agent community write Huawei@123
interface g0/0/0
service-manage telnet permit
service-manage snmp permit
ipsec
FW1
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike peer fw3
pre-shared-key Huawei@123
ike-proposal 1
remote-address 10.1.70.23
nat traversal
dpd type periodic
ipsec proposal 2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
acl number 3000
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.23.0 0.0.0.255
rule 10 permit ip source 10.1.5.0 0.0.0.255 destination 10.1.23.0 0.0.0.255
ipsec policy ipsec_isp1 5 isakmp
security acl 3000
ike-peer fw3
proposal 2
tunnel local applied-interface
interface g1/0/3
ipsec policy ipsec_isp1
int g1/0/4
ipsec policy ipsec_isp2
ip service-set ipsec_nat_t type object
service protocol udp source-port 500 destination-port 500
service protocol udp source-port 4500 destination-port 4500
security-policy
rule name ipsec_isp1
source-zone isp1
source-zone local
destination-zone isp1
destination-zone local
source-address 10.1.70.23 32
source-address 10.1.9.0 24
destination-address 10.1.70.23 32
destination-address 10.1.9.0 24
service icmp
service ipsec_nat_t
action permit
rule name ipsec_isp1_office
source-zone isp1
source-zone trust
destination-zone isp1
destination-zone trust
source-address 10.1.2.0 24
source-address 10.1.23.0 24
destination-address 10.1.2.0 24
destination-address 10.1.23.0 24
action permit
rule name ipsec_isp1_server
source-zone dmz
source-zone isp1
destination-zone dmz
destination-zone isp1
source-address 10.1.23.0 24
source-address 10.1.5.0 24
destination-address 10.1.23.0 24
destination-address 10.1.5.0 24
action permit
rule name ipsec_isp2_office
source-zone isp2
source-zone trust
destination-zone trust
destination-zone isp2
source-address 10.1.2.0 24
source-address 10.1.23.0 24
destination-address 10.1.2.0 24
destination-address 10.1.23.0 24
action permit
rule name ipsec_isp2_server
source-zone dmz
source-zone isp2
destination-zone dmz
destination-zone isp2
source-address 10.1.23.0 24
source-address 10.1.5.0 24
destination-address 10.1.23.0 24
destination-address 10.1.5.0 24
action permit
FW3
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike peer fw1_fw2
pre-shared-key Huawei@123
ike-proposal 1
nat traversal
dpd type periodic
ipsec proposal 2
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
acl number 3000
rule 5 permit ip source 10.1.23.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
rule 10 permit ip source 10.1.23.0 0.0.0.255 destination 10.1.5.0 0.0.0.255
ipsec policy-template tem 5
ike-peer fw1_fw2
proposal 2
security acl 3000
tunnel local 10.1.70.23
ipsec policy ipsec 5 isakmp template tem
interface g1/0/0
ipsec policy ipsec
ip service-set ipsec_nat_t type object
service protocol udp destination-port 500
service protocol udp destination-port 4500
security-policy
rule name ipsec_isp1
source-zone untrust
source-zone local
destination-zone untrust
destination-zone local
source-address 10.1.70.23 32
source-address 10.1.40.11 32
destination-address 10.1.70.23 32
destination-address 10.1.40.11 32
service icmp
service ipsec_nat_t
action permit
rule name ipsec_isp2
source-zone untrust
source-zone local
destination-zone untrust
destination-zone local
source-address 10.1.70.23 32
source-address 10.1.50.12 32
destination-address 10.1.70.23 32
destination-address 10.1.50.12 32
service icmp
service ipsec_nat_t
action permit
rule name ipsec_data
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 10.1.2.0 24
source-address 10.1.23.0 24
source-address 10.1.5.0 24
destination-address 10.1.2.0 24
destination-address 10.1.23.0 24
destination-address 10.1.5.0 24
action permit
nat-policy
rule name no_nat
source-zone trust
destination-zone untrust
source-address 10.1.23.0 24
destination-address 10.1.2.0 24
destination-address 10.1.5.0 24
action no-nat
rule name pc3_internet
source-zone trust
destination-zone untrust
source-address 10.1.23.0 24
action source-nat easy-ip
switch vsys vfw1
sys
security-policy
rule name inbound_pc3
source-zone untrust
destination-zone trust
destination-address 10.1.23.0 24
action permit
R1 R2
acl 2001
rule 5 permit source 10.1.9.0 0.0.0.255
int e1/0/1
nat outbound 2001
acl 2001
rule 5 permit source 10.1.10.0 0.0.0.255
int e1/0/1
nat outbound 2001
FW3
security-policy
rule name vgw_ssl
source-zone untrust
destination-zone local
destination-address 10.1.70.23 32
service https
action permit
rule name ssl_web_file
source-zone dmz
source-zone local
source-address 10.1.22.104 32
source-address 10.1.22.23 32
destination-address 10.1.22.104 32
destination-address 10.1.22.23 32
action permit
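The dump above mixes settings that are weak (Telnet and SNMPv2c with a writable community on the ATIC management path, a VTY that accepts every inbound protocol) with hand-typing errors that VRP would reject (loacal, pre-shared, dh group114) and, on FW3, a security-policy rule that never reaches an action line. The linter below is an added example, not part of the original notes and not a Huawei tool: it walks a flattened VRP dump, re-infers security-policy rule scope from keywords because the dump has lost its indentation, and reports those classes of problems with line numbers. The SAMPLE text is constructed from lines of this page; the set of DH groups and the typo table are assumptions written for this example.

```python
import re

# Keywords that sit inside a security-policy rule body. The dump has lost its
# indentation, so rule scope is inferred from keywords instead of leading spaces.
RULE_ATTRS = {"source-zone", "destination-zone", "source-address",
              "destination-address", "service", "action"}
# IKE DH groups VRP accepts (assumed list); anything below 14 is too weak
# next to the AES-256 / SHA2-256 suites used on this page.
VALID_DH = {1, 2, 5, 14, 15, 16, 19, 20, 21}
# Tokens that are not VRP keywords at all (typos seen in hand-typed dumps).
TYPOS = {"loacal": "local", "pre-shared": "pre-share",
         "destination-policy": "destination-port"}

# Constructed sample: a few lines taken from the configs above, typos included.
SAMPLE = """\
telnet server enable
user-interface vty 0 4
protocol inbound all
snmp-agent sys-info version v2c
snmp-agent community write Huawei@123
ike proposal 1
dh group114
authentication-method pre-shared
security-policy
rule name ipsec_isp2
source-zone untrust
source-zone loacal
destination-address 10.1.70.23 32
rule name ipsec_data
source-zone trust
action permit
"""


def lint(config: str) -> list[tuple[int, str]]:
    """Return (line_number, finding) pairs for weak or malformed settings."""
    findings = []
    rule = None  # {"name", "line", "action"} while inside a security-policy rule

    def close_rule():
        # A rule with no action line never permits anything, whatever the
        # platform default is; that is almost always an omission.
        if rule and not rule["action"]:
            findings.append((rule["line"],
                             f"rule {rule['name']} has no action line, so it permits nothing"))

    for n, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        head = words[0]
        text = raw.strip()

        # --- security-policy rule scoping (ACL rules look like "rule 5 permit ...") ---
        if head == "rule" and len(words) > 2 and words[1] == "name":
            close_rule()
            rule = {"name": words[2], "line": n, "action": False}
            continue
        if rule is not None:
            if head == "action":
                rule["action"] = True
            elif head == "destination":
                findings.append((n, "'destination' is not a rule keyword; use destination-address"))
            elif head not in RULE_ATTRS:
                close_rule()  # first non-rule keyword ends the rule body
                rule = None

        # --- management plane ---
        if text == "telnet server enable":
            findings.append((n, "Telnet server enabled: cleartext logins, prefer stelnet (SSH)"))
        elif text == "protocol inbound all":
            findings.append((n, "VTY accepts all inbound protocols; restrict to ssh"))
        elif head == "snmp-agent":
            if "version" in words and "v3" not in words:
                findings.append((n, "SNMP v1/v2c: community strings cross the wire in cleartext"))
            elif words[1:3] == ["community", "write"]:
                findings.append((n, "writable SNMP community: config access behind one shared secret"))

        # --- IKE proposal strength ---
        m = re.fullmatch(r"dh group(\d+)", text)
        if m:
            g = int(m.group(1))
            if g not in VALID_DH:
                findings.append((n, f"dh group{g} is not a valid DH group (typo for group14?)"))
            elif g < 14:
                findings.append((n, f"dh group{g} is weaker than 2048-bit; use group14 or higher"))

        # --- typos that VRP would reject at paste time ---
        for w in words:
            if w in TYPOS:
                findings.append((n, f"'{w}' is not a VRP keyword, did you mean '{TYPOS[w]}'"))

    close_rule()
    return findings


if __name__ == "__main__":
    for line_no, msg in lint(SAMPLE):
        print(f"line {line_no}: {msg}")
```

Run it against the full dump before pasting into the device: the rule-scope check is the one that matters most, because VRP accepts a rule with no action without complaint and the result is a silently dead policy rather than a syntax error.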