山石防火墙的内核配置参考

该配置文件是一台 Hillstone SG-6000(StoneOS 5.5R4)的运行配置导出,包含虚拟路由器(vrouter)、VLAN、接口、安全域、地址簿、管理员账户与口令有效期、IKE/IPsec 提议以及源 NAT(snatrule)规则,另外还启用了 QoS 引擎和流量统计集(statistics-set)。

安全审阅提示(仅依据下文可见的配置行,作为参考配置使用前请先处理):
- 帖子正文以明文给出了 admin / adminbak 等管理员账号的口令,且配置里内置的 hillstone 账号仍然存在并拥有 console/telnet/ssh/http/https 全部访问方式。凡使用过这些口令的设备都应视为已泄露,应立即轮换口令并禁用或改名内置账号;带口令的配置不要原样粘贴到公开页面。
- `admin host any any` 与 `admin ipv6-host ::/0 any` 允许任意源地址访问管理平面;ethernet0/1、ethernet0/2(位于 untrust 域)、ethernet0/3 和 aggregate20 上同时开启了 `manage telnet` 和 `manage http`。建议把管理源收紧为运维网段,只保留 https/ssh,删除各接口下的 telnet/http 两行,并在 untrust 接口上关闭除必要项以外的 manage 选项。
- 安全策略只有一条 `rule id 1`:Any→Any、Any→Any、service Any、permit,相当于关闭了域间访问控制,只适合临时调试,不应作为基线。
- IKE/IPsec 提议中存在 md5、3des 以及 DH group 2(1024 位 MODP)的组合,带 `-g0` 后缀的 IPsec 提议没有 group 行即未启用 PFS。新建 VPN 时应只引用 sha256/aes 的提议,并选择带 group(g2 或更高)的 IPsec 提议;这些提议是否为系统预置无法从本文判断,但不被引用的弱提议最好删除。
- 文件开头写的是 `hostname "SG-6000"`,而配置正文里又执行了 `hostname "JXCX_HLW_FW01"`;按命令顺序执行时应以后者为准,引用设备名时请注意。

hostname "SG-6000"
admin:hillstone
pass:hillstone   (出厂默认管理员账号/口令;下文配置中该账号仍然存在且拥有全部管理访问方式,设备上线前必须修改口令或禁用该账号)

默认IP:192.168.1.1/24

admin
bjjxcxsbgl@2023
adminbak
cisco@123

!
Version 5.5R4

ip vrouter "mgt-vr"
exit
ip vrouter "twin-mode-vr"
exit
ip vrouter "trust-vr"
exit
vswitch "vswitch1"
exit
zone "mgt"
exit
zone "trust"
exit
zone "untrust"
exit
zone "dmz"
exit
zone "l2-trust" l2
exit
zone "l2-untrust" l2
exit
zone "l2-dmz" l2
exit
zone "VPNHub"
exit
zone "HA"
exit
zone "twin-mode"
exit
vlan 619
exit
interface vswitchif1
exit
interface ethernet0/0
exit
interface ethernet0/1
exit
interface ethernet0/2 local
exit
interface ethernet0/3
exit
interface xethernet1/0
exit
interface xethernet1/1
exit
interface xethernet1/2
exit
interface xethernet1/3
exit
interface xethernet1/4
exit
interface xethernet1/5
exit
interface xethernet1/6
exit
interface xethernet1/7
exit
interface xethernet3/0 local
exit
interface xethernet3/1
exit
interface xethernet3/2
exit
interface xethernet3/3
exit
interface xethernet3/4
exit
interface xethernet3/5
exit
interface xethernet3/6
exit
interface xethernet3/7
exit
interface aggregate20
exit
address "旧内网资源"
exit
address "新内网资源"
exit
address "公有云标准区"
exit
address "公有云测试地址池(10.209)"
exit
address "VPN数据进入内网地址段"
exit
address "VPN真实地址池"
exit
aaa-server "local" type local
exit
url-profile "no-url"
exit
admin user "hillstone"
  password ZXu+x55Yj3XRYDgfSUEkNt0gQs
    password-expiration 12345678
  role "admin"
  access console
  access telnet
  access ssh
  access http
  access https
exit
admin user "admin"
  password qc8iIvhAOG6+gptg5sQ2ODpQyR
    password-expiration 1686901279
  role "admin"
  access console
  access telnet
  access ssh
  access http
  access https
exit
admin user "adminbak"
  password H3zpjfaWrIU2CsFuXJsezdGwMd
    password-expiration 1686901388
  role "admin"
  access console
  access telnet
  access ssh
  access http
  access https
  description "管理备份" 
exit
pki trust-domain "trust_domain_default"
  keypair "Default-Key"
  enrollment self
  subject commonName "SG-6000"
  subject organization "Hillstone Networks"
exit
pki trust-domain "trust_domain_ssl_proxy"
  keypair "Default-Key"
  enrollment self
  subject commonName "SG-6000"
  subject organization "Hillstone Networks"
exit
pki trust-domain "trust_domain_ssl_proxy_2048"
  keypair "Default-Key-2048"
  enrollment self
  subject commonName "SG-6000"
  subject organization "Hillstone Networks"
exit
pki trust-domain "network_manager_ca"
  enrollment terminal
exit
address "旧内网资源"
  ip 172.35.0.0/16
  ip 172.36.0.0/16
  ip 172.48.0.0/16
  ip 172.50.0.0/16
  ip 172.60.0.0/16
  ip 172.64.0.0/16
exit
address "新内网资源"
  ip 12.251.160.0/20
exit
address "公有云标准区"
  ip 10.209.61.64/26
  ip 10.199.64.0/24
  ip 10.241.0.0/16
  range 11.168.194.198 11.168.194.200
exit
address "公有云测试地址池(10.209)"
  ip 10.209.69.64/27
exit
address "VPN数据进入内网地址段"
  range 192.36.224.18 192.36.224.20
exit
address "VPN真实地址池"
  ip 12.251.169.0/24
exit
zone "mgt"
  vrouter "mgt-vr"
exit
zone "untrust"
  type wan
  ad tear-drop
  ad ip-spoofing
  ad land-attack
  ad ip-option
  ad ip-fragment
  ad ip-directed-broadcast
  ad winnuke
  ad port-scan
  ad syn-flood
  ad icmp-flood
  ad ip-sweep
  ad ping-of-death
  ad udp-flood
exit
zone "l2-untrust" l2
  type wan
exit
zone "twin-mode"
  vrouter "twin-mode-vr"
exit
hostname "JXCX_HLW_FW01"
admin host any any
admin ipv6-host ::/0 any
isakmp proposal "psk-sha256-aes128-g2"
  hash sha256
  encryption aes
exit

isakmp proposal "psk-sha256-aes256-g2"
  hash sha256
  encryption aes-256
exit

isakmp proposal "psk-sha256-3des-g2"
  hash sha256
exit

isakmp proposal "psk-md5-aes128-g2"
  hash md5
  encryption aes
exit

isakmp proposal "psk-md5-aes256-g2"
  hash md5
  encryption aes-256
exit

isakmp proposal "psk-md5-3des-g2"
  hash md5
exit

isakmp proposal "rsa-sha256-aes128-g2"
  authentication rsa-sig
  hash sha256
  encryption aes
exit

isakmp proposal "rsa-sha256-aes256-g2"
  authentication rsa-sig
  hash sha256
  encryption aes-256
exit

isakmp proposal "rsa-sha256-3des-g2"
  authentication rsa-sig
  hash sha256
exit

isakmp proposal "rsa-md5-aes128-g2"
  authentication rsa-sig
  hash md5
  encryption aes
exit

isakmp proposal "rsa-md5-aes256-g2"
  authentication rsa-sig
  hash md5
  encryption aes-256
exit

isakmp proposal "rsa-md5-3des-g2"
  authentication rsa-sig
  hash md5
exit

isakmp proposal "dsa-sha-aes128-g2"
  authentication dsa-sig
  encryption aes
exit

isakmp proposal "dsa-sha-aes256-g2"
  authentication dsa-sig
  encryption aes-256
exit

isakmp proposal "dsa-sha-3des-g2"
  authentication dsa-sig
exit

ipsec proposal "esp-sha256-aes128-g2"
  hash sha256
  encryption aes
  group 2
exit

ipsec proposal "esp-sha256-aes128-g0"
  hash sha256
  encryption aes
exit

ipsec proposal "esp-sha256-aes256-g2"
  hash sha256
  encryption aes-256
  group 2
exit

ipsec proposal "esp-sha256-aes256-g0"
  hash sha256
  encryption aes-256
exit

ipsec proposal "esp-sha256-3des-g2"
  hash sha256
  encryption 3des
  group 2
exit

ipsec proposal "esp-sha256-3des-g0"
  hash sha256
  encryption 3des
exit

ipsec proposal "esp-md5-aes128-g2"
  hash md5
  encryption aes
  group 2
exit

ipsec proposal "esp-md5-aes128-g0"
  hash md5
  encryption aes
exit

ipsec proposal "esp-md5-aes256-g2"
  hash md5
  encryption aes-256
  group 2
exit

ipsec proposal "esp-md5-aes256-g0"
  hash md5
  encryption aes-256
exit

ipsec proposal "esp-md5-3des-g2"
  hash md5
  encryption 3des
  group 2
exit

ipsec proposal "esp-md5-3des-g0"
  hash md5
  encryption 3des
exit

interface ethernet0/0
  zone  "l2-trust"
  bandwidth downstream 1000000000
  bandwidth upstream 1000000000
exit
interface ethernet0/1
  zone  "mgt"
  ip address 192.36.8.10 255.255.255.0
  manage http
  manage https
  manage ping
  manage ssh
  manage telnet
  manage traceroute
exit
interface ethernet0/2 local
  zone  "untrust"
  ip address 192.36.224.5 255.255.255.248
  bandwidth downstream 1000000000
  bandwidth upstream 1000000000
  combo fiber-forced
  description "to-网康_EHT1接口"
  manage telnet
  manage ssh
  manage ping
  manage http
  manage https
exit
interface ethernet0/3
  zone  "trust"
  ip address 172.36.224.34 255.255.255.248
  bandwidth downstream 1000000000
  bandwidth upstream 1000000000
  combo fiber-forced
  description "to=生产核心交换机"
  manage telnet
  manage ssh
  manage ping
  manage http
  manage https
  manage snmp
exit
interface xethernet1/0
  aggregate aggregate20
  bandwidth downstream 10000000000
  bandwidth upstream 10000000000
exit
interface xethernet1/1
  aggregate aggregate20
exit
interface xethernet1/2
  aggregate aggregate20
exit
interface xethernet1/3
  aggregate aggregate20
exit
interface xethernet3/0 local
  bandwidth downstream 10000000000
  bandwidth upstream 10000000000
  switchmode trunk vlan 619
  switchmode trunk native-vlan 619
exit
interface aggregate20
  zone  "trust"
  ip address 192.36.255.2 255.255.255.252 local
  bandwidth downstream 40000000000
  bandwidth upstream 40000000000
  description "test"
  manage telnet
  manage ssh
  manage ping
  manage http
  manage https
exit
ip vrouter "trust-vr"
  snatrule id 6 from address-book "VPN真实地址池" to address-book "Any" service "Any" trans-to ip 172.36.224.35 mode dynamicport sticky log 
  snatrule id 1 ingress-interface "ethernet0/2" from address-book "VPN数据进入内网地址段" to address-book "公有云标准区" service "Any" eif ethernet0/3 trans-to ip 172.36.224.35 mode dynamicport sticky log 
  snatrule id 2 ingress-interface "ethernet0/2" from address-book "VPN数据进入内网地址段" to address-book "旧内网资源" service "Any" eif ethernet0/3 trans-to ip 172.36.224.36 mode dynamicport sticky log 
  snatrule id 3 from address-book "VPN数据进入内网地址段" to address-book "新内网资源" service "Any" trans-to ip 172.36.224.36 mode dynamicport sticky log 
  snatrule id 4 from address-book "VPN数据进入内网地址段" to ip 10.0.1.1/24 service "Any" trans-to ip 172.36.224.35 mode dynamicport sticky log 
  snatrule id 5 ingress-interface "ethernet0/2" from address-book "VPN数据进入内网地址段" to address-book "公有云测试地址池(10.209)" service "Any" eif ethernet0/3 trans-to ip 172.36.224.37 mode dynamicport sticky log 
  ip route 12.251.160.0/24 ethernet0/3 172.36.224.33
  ip route 12.251.161.0/24 ethernet0/3 172.36.224.33
  ip route 12.251.165.0/24 ethernet0/3 172.36.224.33
  ip route 12.251.174.0/24 ethernet0/3 172.36.224.33
  ip route 12.251.175.0/24 ethernet0/3 172.36.224.33
  ip route 172.36.0.0/16 ethernet0/3 172.36.224.33
  ip route 10.0.0.0/8 ethernet0/3 172.36.224.33 description "总行路由"
  ip route 11.0.0.0/8 ethernet0/3 172.36.224.33 description "总行路由"
  ip route 0.0.0.0/0 192.36.224.2 description "互联网出口路由"
  ip route 192.36.0.0/16 aggregate20 192.36.255.1 description "互联网聚合链路"
exit
qos-engine first
  root-pipe "default" id 1
    qos-mode "stat"
  exit
exit
qos-engine second
  disable
  root-pipe "default" id 2
    qos-mode "stat"
  exit
exit
rule id 1
  action permit
  src-zone "Any"
  dst-zone "Any"
  src-addr "Any"
  dst-addr "Any"
  service "Any"
exit
l2-nonip-action drop
tcp-mss all 1448
tcp-mss tunnel 1380
ecmp-route-select by-src-and-dst
  url-db-query server1 "url1.hillstonenet.com" port 8866 vrouter trust-vr
  url-db-query server1 enable
  url-db-query server2 "url2.hillstonenet.com" port 8866 vrouter trust-vr
  url-db-query server2 enable
flow
  icmp-unreachable-session-keep
exit
strict-tunnel-check
statistics-set "predef_if_bw"
  target-data bandwidth id 0 record-history
  group-by interface directional vsys
exit
statistics-set "predef_user_bw"
  target-data bandwidth id 1 record-history
  group-by user directional vsys
exit
statistics-set "predef_app_bw"
  target-data bandwidth id 2 record-history
  group-by application vsys
exit
statistics-set "predef_user_app_bw"
  target-data bandwidth id 3
  group-by user directional interface zone application vsys
exit
statistics-set "predef_zone_if_app_bw"
  target-data bandwidth id 4
  group-by interface zone directional application vsys
exit
longlife-sess-percent 10
no sms disable

End
