Zones: by default there are several system-defined zones (local, trust, untrust, dmz), and each zone has its own priority.
Interzone security policy
outbound denotes the packet's outgoing direction, i.e. the direction in which traffic leaves the device through one of its interfaces
inbound denotes the packet's incoming direction, i.e. the direction in which traffic enters the device through one of its interfaces
Configuring an interface IP address and VRRP virtual IP:
interface GigabitEthernet0/0/6
combo enable fiber
description TO_6505_F5
ip address 10.10.18.2 255.255.255.128
vrrp vrid 3 virtual-ip 10.10.18.1 master
Configuring a zone's interfaces and priority:
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/6
Custom zone:
firewall zone name dmz2
set priority 55
detect ftp
detect rtsp
detect pptp
The firewall interzone command creates a security interzone and enters the interzone view.
firewall interzone zone-name1 zone-name2
firewall zone dmz
set priority 50
add interface GigabitEthernet0/0/2
firewall interzone ha untrust2
detect ftp
detect pptp
detect rtsp
ip route-static 0.0.0.0 0.0.0.0 18.23.3.201
ip address-set report type group
description all report
ip address-set _10.0.14.0 type object
address 0 10.0.14.0 mask 24
description hh_service
service 0 service-set ftp
service 1 service-set telnet
ip service-set new_tcp type object
service 0 protocol tcp source-port 0 to 65535 destination-port 9090
service 1 protocol tcp source-port 0 to 65535 destination-port 8008
policy interzone trust untrust inbound
policy 12
action permit
policy logging
policy service service-set dns服务器端口
policy source address-set dns服务器1
policy source address-set dns服务器2
policy source address-set dns服务器3
policy destination address-set mip(28.3.63.16)
policy interzone trust untrust outbound
policy 3
action permit
policy logging
policy service service-set dsmp
policy source address-set inter_mmsc
policy destination address-set dsmp
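As an added example (not part of these notes or of any Huawei tooling), a small Python checker that parses zone and interzone-policy blocks in the style shown above, resolves which policies govern a flow between two interfaces, and flags permit policies that lack `policy logging`. The sample config is constructed; the direction rule (inbound = lower-priority zone to higher-priority zone, outbound = the reverse) is assumed to follow Huawei's convention.

```python
import re
# Constructed sample in the style of the notes above, not a real device dump.
SAMPLE = """\
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
policy interzone trust untrust inbound
 policy 12
  action permit
  policy logging
 policy 13
  action permit
"""

def parse(text):
    """Return (zones, policies): zone -> [priority, ifaces]; policies as dicts."""
    zones, pols, zone, ctx, cur = {}, [], None, None, None
    for s in (l.strip() for l in text.splitlines()):
        if m := re.match(r"firewall zone (?:name )?(\S+)$", s):
            zone, ctx = m.group(1), None
            zones[zone] = [None, []]
        elif m := re.match(r"policy interzone (\S+) (\S+) (inbound|outbound)$", s):
            ctx, zone, cur = m.groups(), None, None
        elif zone and s.startswith("set priority "):
            zones[zone][0] = int(s.split()[-1])
        elif zone and s.startswith("add interface "):
            zones[zone][1].append(s.split()[-1])
        elif ctx and (m := re.match(r"policy (\d+)$", s)):
            cur = {"zones": set(ctx[:2]), "dir": ctx[2], "id": int(m.group(1)), "action": None, "logging": False}
            pols.append(cur)
        elif cur and s.startswith("action "):
            cur["action"] = s.split()[1]
        elif cur and s == "policy logging":
            cur["logging"] = True
    return zones, pols

def policies_for(text, src_if, dst_if):
    """Ids of policies governing src_if -> dst_if. Assumes the Huawei convention
    that inbound = low-priority zone to high-priority zone, outbound = reverse."""
    zones, pols = parse(text)
    by_if = {i: z for z, (_, ifs) in zones.items() for i in ifs}
    src, dst = by_if[src_if], by_if[dst_if]
    direction = "inbound" if zones[src][0] < zones[dst][0] else "outbound"
    return [p["id"] for p in pols if p["zones"] == {src, dst} and p["dir"] == direction]

def unlogged_permits(text):
    """Audit helper: permit policies that lack 'policy logging' leave no trace in logs."""
    return [p["id"] for p in parse(text)[1] if p["action"] == "permit" and not p["logging"]]
```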