本篇文章为“H3C防火墙开局基础配置”,主要涵盖配置管理地址、聚合端口、安全区域、安全策略、静态路由、ACL,WEB和SSH远程管理、Console、SNMP、NTP时钟、日志主机等内容,对比交换机配置开局,增加两处配置,安全区域和安全策略。方便调试人员远程管理、调试。
目录
#Step-1_设备名称配置:
system-view
sysname SecPath_F1000
#Step-2_邻居发现协议:
lldp global enable
#Step-3_VLAN配置:
vlan 100
#
vlan 100
description For_Device_Manage
#Step-4_管理IP配置:
interface Vlan-interface100
description For_DevManage_Vlanif
ip address 172.28.115.253 255.255.255.0
quit
interface GigabitEthernet 1/0/1
port link-mode bridge
port link-type access
port access vlan 100
#华三防火墙端口默认为路由口
#Step-5_链路聚接口配置:
interface Bridge-Aggregation 2
Quit
#
interface Ten-GigabitEthernet 1/0/20
port link-mode bridge
description To_Core_S7503X_XG5/0/47
port link-aggregation group 2
interface Ten-GigabitEthernet 1/0/21
port link-mode bridge
description To_Core_S7503X_XG5/0/48
port link-aggregation group 2
Quit
#
interface Bridge-Aggregation2
description To_Core_S7503X_BAGG1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100
link-aggregation mode dynamic
#Step-6_安全区域配置:
security-zone name Management
import interface Vlan-interface100
security-zone name Trust
import interface Bridge-Aggregation2 VLAN XXXX
#Step-7_安全策略配置:
security-policy ip
rule 1 name Any_To_Any_Permit
action pass
#Step-8_静态路由配置:
ip route-static 0.0.0.0 0 X.X.X.X description To_DefaultRoute
#Step-9_ACL配置:
acl advanced name 3000
rule 5 permit ip source X.X.X.X 0
rule 5 comment For_Device_Manage_Server
acl advanced name 3001
rule 5 permit ip source X.X.X.X 0
rule 5 comment For_eSight_Server
#Step-10_本地账号配置:
local-user admin
password simple Admin@123
service-type ssh http https
authorization-attribute user-role network-admin
quit
#Step-11_SSH配置:
ssh server enable
ssh server acl 3000
public-key local create rsa
y
2048
#
ssh user admin service-type all authentication-type password
#Step-12_终端登录,Console配置:
line console 0
authentication-mode password
set authentication password simple Admin@123
screen-length 0
#指定下一屏所显示的行数,取值范围为0~512,0表示一次性显示全部信息,即不进行分屏显示。
idle-timeout 10 0
#Step-13_终端登录,VTY配置:
line vty 0 4
authentication-mode scheme
protocol inbound ssh
screen-length 0
idle-timeout 10 0
#Step-14_网络管理协议SNMP配置:
snmp-agent
snmp-agent community read simple SNMP@Read mib-view view_all acl 3001
snmp-agent community write simple SNMP@Write mib-view view_all acl 3001
snmp-agent sys-info location XXXX
snmp-agent sys-info version v2c
snmp-agent mib-view included view_all iso
snmp-agent trap enable
snmp-agent target-host trap address udp-domain X.X.X.X params securityname Trap@Auth v2c
#Step-15_NTP时钟配置:
clock timezone BeiJing add 08:00:00
ntp-service unicast-server X.X.X.X source Vlan-interface100
#因北京处于+8时区,时间偏移量增加了8;所以在配置时,就需要在系统默认的UTC时区的基础上,加上偏移量8,才能得到预期的BJ时区。
#Step-16_日志主机配置:
info-center enable
info-center loghost source Vlan-interface100
info-center loghost X.X.X.X facility local6
#Step-17_保存配置:
Return
#
Save force
补充:
1、开启设备的ICMP超时报文的发送功能
ip ttl-expires enable
【缺省情况】ICMP超时报文发送功能处于关闭状态。
开启设备的ICMP目的不可达报文的发送功能——H3C
ip unreachables enable
【缺省情况】ICMP目的不可达报文发送功能处于关闭状态。
Huawei设备默认开启;
2、H3C防火墙默认用户名是admin,密码是admin
3、开启WEB服务
ip http enable
ip https enable
#缺省情况下,HTTP和HTTPS服务处于开启状态