上来就几十条policy,随缘命名:rule 1、test、allow_any,半年后自己都看不懂。
一句话:把策略想成“从精确到模糊”的过滤漏斗。上面放关键、下面收尾拒绝。
今日文章阅读福利:《网络工程师手册》
扫添加小助理微信,备注【网工】,即可获取。
一、基础区划(示例接口)
trust:内网接口 GigabitEthernet0/0/1
dmz:服务器区接口 GigabitEthernet0/0/2
untrust:外网接口 GigabitEthernet0/0/3
配置示例(分配接口到zone):
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet0/0/1
[FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet0/0/2
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet0/0/3
二、对象与服务(规范化)
地址组:
[FW] object-group ip address-group OFFICE
[FW-obj-grp-address-OFFICE] 192.168.10.0 24
[FW] object-group ip address-group WEB-SRV
[FW-obj-grp-address-WEB-SRV] 172.16.20.10 32
服务组:
[FW] object-group service service-group WEB
[FW-obj-grp-service-WEB] service http
[FW-obj-grp-service-WEB] service https
三、NAT(出口简易源 NAT:easy-ip)
[FW] nat-policy
[FW-nat-policy] rule name OUT-NAT
[FW-nat-rule-OUT-NAT] source-zone trust
[FW-nat-rule-OUT-NAT] destination-zone untrust
[FW-nat-rule-OUT-NAT] source-address OFFICE
[FW-nat-rule-OUT-NAT] action source-nat easy-ip
[FW-nat-rule-OUT-NAT] quit
四、策略骨架(按顺序:管理→服务器→用户→隔离→缺省拒绝)
[FW] security-policy
[FW-policy] rule name MGMT-SSH
[FW-policy-rule-MGMT-SSH] source-zone trust
[FW-policy-rule-MGMT-SSH] destination-zone dmz
[FW-policy-rule-MGMT-SSH] source-address 192.168.10.0 24
[FW-policy-rule-MGMT-SSH] destination-address WEB-SRV
[FW-policy-rule-MGMT-SSH] service ssh
[FW-policy-rule-MGMT-SSH] action permit
[FW-policy-rule-MGMT-SSH] logging enable
[FW-policy-rule-MGMT-SSH] quit
[FW-policy] rule name USER-WEB
[FW-policy-rule-USER-WEB] source-zone trust
[FW-policy-rule-USER-WEB] destination-zone untrust
[FW-policy-rule-USER-WEB] source-address OFFICE
[FW-policy-rule-USER-WEB] destination-address any
[FW-policy-rule-USER-WEB] service WEB
[FW-policy-rule-USER-WEB] action permit
[FW-policy-rule-USER-WEB] logging enable
[FW-policy-rule-USER-WEB] quit
[FW-policy] rule name DMZ-OUT-STRICT
[FW-policy-rule-DMZ-OUT-STRICT] source-zone dmz
[FW-policy-rule-DMZ-OUT-STRICT] destination-zone untrust
[FW-policy-rule-DMZ-OUT-STRICT] source-address WEB-SRV
[FW-policy-rule-DMZ-OUT-STRICT] destination-address any
[FW-policy-rule-DMZ-OUT-STRICT] service WEB
[FW-policy-rule-DMZ-OUT-STRICT] action permit
[FW-policy-rule-DMZ-OUT-STRICT] logging enable
[FW-policy-rule-DMZ-OUT-STRICT] quit
[FW-policy] rule name GUEST-BLOCK
[FW-policy-rule-GUEST-BLOCK] source-zone trust
[FW-policy-rule-GUEST-BLOCK] destination-zone dmz
[FW-policy-rule-GUEST-BLOCK] source-address 172.16.40.0 24
[FW-policy-rule-GUEST-BLOCK] destination-address WEB-SRV
[FW-policy-rule-GUEST-BLOCK] service any
[FW-policy-rule-GUEST-BLOCK] action deny
[FW-policy-rule-GUEST-BLOCK] logging enable
[FW-policy-rule-GUEST-BLOCK] quit
[FW-policy] rule name CLEAN-UP
[FW-policy-rule-CLEAN-UP] source-zone any
[FW-policy-rule-CLEAN-UP] destination-zone any
[FW-policy-rule-CLEAN-UP] service any
[FW-policy-rule-CLEAN-UP] action deny
[FW-policy-rule-CLEAN-UP] logging enable
[FW-policy-rule-CLEAN-UP] quit
五、验证
display security-policy all
display firewall session table source 192.168.10.5
display logbuffer | include policy
六、常见错误
· 缺省拒绝未启日志 → 排障困难
· 业务端口忘记放行导致“能ping不能访问”
· 访客与办公未区分zone→ 策略无法精准控制
· NAT在策略前还是后?(华为流程:先策略匹配再NAT转换)
七、优化建议
· 命名格式:类型-对象-服务(例:USER-INET-WEB)
· 变更记录:时间 + 责任人 + 影响范围
· 定期清理 HitCount=0 超90天策略
我们今天就分享到这,下次再见啦!
