本篇文章为“HUAWEI防火墙开局基础配置”,主要涵盖配置管理地址、聚合端口、安全区域、安全策略、静态路由、ACL,WEB和SSH远程管理、Console、SNMP、NTP时钟、日志主机等内容,对比交换机配置开局,增加两处配置,安全区域和安全策略。方便调试人员远程管理、调试。
区别于“H3C交换机开局基础配置”只是厂商间命令形式的差别,功能实现上一致;
目录
2、HUAWEI防火墙默认用户名admin,密码Admin@123
#Step-1_设备名称配置:
system-view
sysname FW
#Step-2_邻居发现协议:
lldp enable
#Step-3_VLAN配置:
vlan 100
#
vlan 100
description For_Device_Manage
#Step-4_管理IP配置:
interface Vlanif100
description For_DevManage_Vlanif
ip address 172.28.115.253 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
quit
interface GigabitEthernet 1/0/1
undo shutdown
portswitch
port link-type access
port access vlan 100
#华为防火墙端口默认为路由口,默认手动关闭状态;
#Step-5_链路聚接口配置:
interface range G0/0/47 G0/0/48 G0/0/1 G0/0/2
undo shutdown
portswitch
Quit
#华为防火墙端口默认为路由口,默认手动关闭状态;
#
interface Eth-Trunk1
Quit
interface Eth-Trunk11
Quit
#
interface Eth-Trunk1
mode lacp
trunkport GigabitEthernet 0/0/47 to 0/0/48
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface Eth-Trunk11
mode lacp
trunkport GigabitEthernet 0/0/1 to 0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
Quit
#Step-6_安全区域配置:
firewall zone trust
add interface Eth-Trunk1
add interface Vlanif100
quit
firewall zone untrust
add interface Eth-Trunk11
quit
#Step-7_安全策略配置:
security-policy
default action permit
或
firewall packet-filter default permit all
#Step-8_静态路由配置:
ip route-static 0.0.0.0 0 X.X.X.X description To_DefaultRoute
#Step-9_ACL配置:(可选)
acl 3000
rule 5 permit ip source X.X.X.X 0 destination For_Device_Manage_Server
acl 3001
rule 5 permit ip source X.X.X.X 0 destination For_eSight_Server
#Step-10_本地账号配置:
aaa
manager-user admin
password cipher Admin@123
service-type web ssh
level 15
#Step-11_SSH配置:
stelnet server enable
或者
ssh server-source -i Vlanif100
rsa local-key-pair create
2048
#
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
#Step-12_终端登录,Console配置:
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
screen-length 0
#Step-13_终端登录,VTY配置:
line vty 0 4
authentication-mode scheme
protocol inbound ssh
screen-length 0
#指定下一屏所显示的行数,取值范围为0~512,0表示一次性显示全部信息,即不进行分屏显示。
#Step-14_网络管理协议SNMP配置:
snmp-agent
snmp-agent acl 3001
snmp-agent community read simple SNMP@Read mib-view view_all
snmp-agent community write simple SNMP@Write mib-view view_all
snmp-agent sys-info location XXXX
snmp-agent sys-info version v2c
snmp-agent mib-view included view_all iso
snmp-agent trap enable
snmp-agent target-host trap address udp-domain X.X.X.X params securityname Trap@Auth v2c
#Step-15_NTP时钟配置:
clock timezone BeiJing add 08:00:00
ntp-service unicast-server X.X.X.X source-interface Vlanif100
#因北京处于+8时区,时间偏移量增加了8;所以在配置时,就需要在系统默认的UTC时区的基础上,加上偏移量8,才能得到预期的BJ时区。
#Step-16_日志主机配置:
info-center enable
info-center loghost source Vlan-interface100
info-center loghost X.X.X.X facility local6
#Step-17_保存配置:
Return
#
Save
补充:
1、开启设备的ICMP超时报文的发送功能
icmp ttl-exceeded send
#允许对tracert路探测回显
2、HUAWEI防火墙默认用户名admin,密码Admin@123
3、开启Web服务
web-manager enable //缺省情况下,设备的HTTP IPv4服务功能已开启,HTTP IPv6服务功能为关闭状态
web-manager security enable //缺省情况下,设备的HTTPS IPv4服务功能已开启,HTTPS IPv6服务功能为关闭状态