

Hello everyone!
The easiest trap to fall into when you first pick up a Huawei firewall is writing security policy carelessly: permits, denies and any/any rules all mixed together, so business traffic breaks, the attack surface grows, and troubleshooting becomes painful.
In fact, security policy on Huawei USG series firewalls comes down to a five-step workflow and one set of commands that covers the common enterprise scenarios.
I. What is a security policy? A one-sentence explanation
A security policy is a set of rules built from source, destination, service, action and logging that precisely controls who may reach whom, which services are allowed through, and which traffic must be denied and recorded.
II. Typical application scenarios
1. Internal users browsing the web: allow only HTTP/HTTPS
2. Operations management segment: allow only SSH/RDP for remote administration
3. Servers exposed to the Internet: open only the web ports, deny everything else
4. Guest network: no access to internal servers, Internet only
III. Standard five-step security policy configuration on Huawei USG firewalls (complete command walkthrough)
Assumed scenario:
· Office segment: 192.168.10.0/24 (zone trust)
· Server segment: 172.16.20.0/24 (zone dmz)
· Guest segment: 172.16.30.0/24 (zone trust, behind the same internal interface as the office)
· External interface: GigabitEthernet0/0/1 (zone untrust)
· Internal interface: GigabitEthernet0/0/2 (zone trust)
· Server interface: GigabitEthernet0/0/3 (zone dmz; the original scenario listed only two interfaces, so this one is an assumption, otherwise the dmz zone that the server and guest rules reference would contain no interface)
Step 1: Define zones and address sets
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet0/0/2
[FW-zone-trust] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet0/0/1
[FW-zone-untrust] quit
[FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet0/0/3
[FW-zone-dmz] quit
[FW] ip address-set OFFICE type object
[FW-object-address-set-OFFICE] address 0 192.168.10.0 mask 24
[FW-object-address-set-OFFICE] quit
[FW] ip address-set SERVER type object
[FW-object-address-set-SERVER] address 0 172.16.20.0 mask 24
[FW-object-address-set-SERVER] quit
[FW] ip address-set GUEST type object
[FW-object-address-set-GUEST] address 0 172.16.30.0 mask 24
[FW-object-address-set-GUEST] quit
Note: trust, untrust and dmz are built-in zones on the USG, so these commands only enter the zone views and add interfaces. Be careful not to mix in H3C/Comware object-group syntax: on USG6000 (V500) address objects are ip address-set and service objects are ip service-set.
Step 2: Define service sets
[FW] ip service-set WEB type object
[FW-object-service-set-WEB] service 0 protocol tcp destination-port 80
[FW-object-service-set-WEB] service 1 protocol tcp destination-port 443
[FW-object-service-set-WEB] quit
[FW] ip service-set MGMT type object
[FW-object-service-set-MGMT] service 0 protocol tcp destination-port 22
[FW-object-service-set-MGMT] service 1 protocol tcp destination-port 3389
[FW-object-service-set-MGMT] quit
Note: predefined service sets such as http, https and ssh can also be referenced directly in a rule; defining your own sets keeps the policy readable and makes the ports explicit. MGMT is the set that the management-segment rule from scenario 2 would reference.
Step 3: Write the security policy (use a naming convention, layer the permits)
1. Office to Internet (HTTP/HTTPS)
[FW] security-policy
[FW-policy-security] rule name OFFICE-INET-WEB
[FW-policy-security-rule-OFFICE-INET-WEB] source-zone trust
[FW-policy-security-rule-OFFICE-INET-WEB] destination-zone untrust
[FW-policy-security-rule-OFFICE-INET-WEB] source-address address-set OFFICE
[FW-policy-security-rule-OFFICE-INET-WEB] service WEB
[FW-policy-security-rule-OFFICE-INET-WEB] action permit
[FW-policy-security-rule-OFFICE-INET-WEB] policy logging
[FW-policy-security-rule-OFFICE-INET-WEB] quit
A field left unspecified in a rule (destination-address here) matches any.
2. Servers open WEB to the Internet, everything else denied
[FW-policy-security] rule name SERVER-INET-WEB
[FW-policy-security-rule-SERVER-INET-WEB] source-zone dmz
[FW-policy-security-rule-SERVER-INET-WEB] destination-zone untrust
[FW-policy-security-rule-SERVER-INET-WEB] source-address address-set SERVER
[FW-policy-security-rule-SERVER-INET-WEB] service WEB
[FW-policy-security-rule-SERVER-INET-WEB] action permit
[FW-policy-security-rule-SERVER-INET-WEB] policy logging
[FW-policy-security-rule-SERVER-INET-WEB] quit
[FW-policy-security] rule name SERVER-INET-DENY
[FW-policy-security-rule-SERVER-INET-DENY] source-zone dmz
[FW-policy-security-rule-SERVER-INET-DENY] destination-zone untrust
[FW-policy-security-rule-SERVER-INET-DENY] source-address address-set SERVER
[FW-policy-security-rule-SERVER-INET-DENY] action deny
[FW-policy-security-rule-SERVER-INET-DENY] policy logging
[FW-policy-security-rule-SERVER-INET-DENY] quit
SERVER-INET-DENY is narrower than the final catch-all, so a compromised server trying to call out on any other port shows up under its own rule name and hit counter rather than being buried in the CLEAN-UP log.
3. Guests may not reach internal servers, Internet only
[FW-policy-security] rule name GUEST-LAN-DENY
[FW-policy-security-rule-GUEST-LAN-DENY] source-zone trust
[FW-policy-security-rule-GUEST-LAN-DENY] destination-zone dmz
[FW-policy-security-rule-GUEST-LAN-DENY] source-address address-set GUEST
[FW-policy-security-rule-GUEST-LAN-DENY] destination-address address-set SERVER
[FW-policy-security-rule-GUEST-LAN-DENY] action deny
[FW-policy-security-rule-GUEST-LAN-DENY] policy logging
[FW-policy-security-rule-GUEST-LAN-DENY] quit
[FW-policy-security] rule name GUEST-INET-PERMIT
[FW-policy-security-rule-GUEST-INET-PERMIT] source-zone trust
[FW-policy-security-rule-GUEST-INET-PERMIT] destination-zone untrust
[FW-policy-security-rule-GUEST-INET-PERMIT] source-address address-set GUEST
[FW-policy-security-rule-GUEST-INET-PERMIT] service WEB
[FW-policy-security-rule-GUEST-INET-PERMIT] action permit
[FW-policy-security-rule-GUEST-INET-PERMIT] policy logging
[FW-policy-security-rule-GUEST-INET-PERMIT] quit
Because guests share the trust zone with the office in this scenario, the GUEST rules rely entirely on the address set to separate the two; if the guest segment can get its own interface, put it in a dedicated zone so that the zone pair alone keeps it away from trust.
4. Default deny as the final catch-all
[FW-policy-security] default action deny
[FW-policy-security] rule name CLEAN-UP
[FW-policy-security-rule-CLEAN-UP] action deny
[FW-policy-security-rule-CLEAN-UP] policy logging
[FW-policy-security-rule-CLEAN-UP] quit
[FW-policy-security] quit
A rule with no zone, address or service specified matches everything. The USG already drops inter-zone traffic that hits no rule (default action deny makes that explicit); the CLEAN-UP rule exists so that the dropped traffic is logged and counted.
Step 4: Rule order and naming
· The USG scans the rule list from the top and stops at the first match, so order rules from most specific to most general.
· Put a narrow permit above the broad deny that should catch everything else (SERVER-INET-WEB before SERVER-INET-DENY). Never put a broad permit (for example trust to untrust with no address or service restriction) above narrower rules: it shadows them, they are never hit, and traffic you meant to block is allowed.
· The catch-all deny is always the last rule.
· Naming: zone or group, direction, service (for example OFFICE-INET-WEB).
Step 5: Logging and verification
· Enable logging on every rule; it makes troubleshooting far easier. policy logging records which rule a flow hit, session logging additionally records the sessions themselves.
· Verification commands:
[FW] display security-policy rule all
[FW] display security-policy rule name OFFICE-INET-WEB
[FW] display firewall session table verbose
[FW] display logbuffer | include policy
The first command lists every rule with its hit count, which is the quickest way to see whether a flow is landing on the rule you expect or on a broader rule above it.
IV. Troubleshooting tips and hardening suggestions
Q1: The rule is written but does not take effect?
· Check the source/destination zones (is the interface really in the zone you think? display zone) and the address sets
· Check that the service actually matches (HTTP on 80 and HTTPS on 443 are separate entries; a set containing only port 80 will never match a TLS connection)
· Check the order: a broader rule above may be matching first and hiding the precise rule, and the hit counts in display security-policy rule all show which rule really fired
· Check whether a session was built (display firewall session table)
Q2: Policy optimization suggestions
· Group rules by business function and name them consistently so they are easy to maintain later
· Periodically clean up rules that never match (hit count 0 for more than 90 days)
· Combine with time-range policies, rate limiting and IPS for further hardening
· Record the configuration before and after every change so that rollback is easy
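Step 4 and Q1 both come down to the same mechanism: the USG takes the first rule that matches, so a broad rule placed above narrower ones silently decides the outcome. The following added example (not Huawei code, and not part of the original article) models the five-step rule set above as a first-match table, evaluates a few constructed flows against it, and flags rules that an earlier rule makes unreachable. Rule fields, zone names and the test flows are all constructed here to mirror the walkthrough; the TRUST-INET-ANY rule is the deliberate mistake.

```python
"""Added example: first-match simulator and shadow checker for a
zone-based policy table shaped like the USG rule set in this article.
All rules and flows below are constructed for the demonstration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"
WEB = frozenset({"tcp/80", "tcp/443"})    # mirrors the WEB service set
ANY_SVC = frozenset({ANY})


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str        # zone name or "any"
    dst_zone: str
    src: str             # CIDR or "any"
    dst: str
    service: frozenset   # {"proto/port", ...} or {"any"}
    action: str          # "permit" or "deny"


def _net(cidr):
    return ip_network("0.0.0.0/0" if cidr == ANY else cidr, strict=False)


def _zone_covers(rule_zone, zone):
    return rule_zone == ANY or rule_zone == zone


def matches(rule, src_zone, dst_zone, src_ip, dst_ip, svc):
    """True if one flow (zone pair, addresses, service) hits this rule."""
    return (_zone_covers(rule.src_zone, src_zone)
            and _zone_covers(rule.dst_zone, dst_zone)
            and ip_address(src_ip) in _net(rule.src)
            and ip_address(dst_ip) in _net(rule.dst)
            and (ANY in rule.service or svc in rule.service))


def first_match(rules, flow):
    """USG semantics: scan top-down, first hit wins; a flow that hits
    nothing gets the policy's default action, deny."""
    for rule in rules:
        if matches(rule, *flow):
            return rule.name, rule.action
    return "default", "deny"


def covers(broad, narrow):
    """True if every flow that matches `narrow` also matches `broad`."""
    return (_zone_covers(broad.src_zone, narrow.src_zone)
            and _zone_covers(broad.dst_zone, narrow.dst_zone)
            and _net(narrow.src).subnet_of(_net(broad.src))
            and _net(narrow.dst).subnet_of(_net(broad.dst))
            and (ANY in broad.service
                 or (ANY not in narrow.service
                     and narrow.service <= broad.service)))


def shadowed(rules):
    """Names of rules that can never be hit because an earlier rule
    already covers all of their traffic (the ordering mistake in Q1)."""
    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


# The article's rule set, in the order it was written (constructed).
POLICY = [
    Rule("OFFICE-INET-WEB", "trust", "untrust", "192.168.10.0/24", ANY, WEB, "permit"),
    Rule("SERVER-INET-WEB", "dmz", "untrust", "172.16.20.0/24", ANY, WEB, "permit"),
    Rule("SERVER-INET-DENY", "dmz", "untrust", "172.16.20.0/24", ANY, ANY_SVC, "deny"),
    Rule("GUEST-LAN-DENY", "trust", "dmz", "172.16.30.0/24", "172.16.20.0/24", ANY_SVC, "deny"),
    Rule("GUEST-INET-PERMIT", "trust", "untrust", "172.16.30.0/24", ANY, WEB, "permit"),
    Rule("CLEAN-UP", ANY, ANY, ANY, ANY, ANY_SVC, "deny"),
]

# The classic mistake: a broad trust->untrust permit inserted at the top.
BROAD_PERMIT = Rule("TRUST-INET-ANY", "trust", "untrust", ANY, ANY, ANY_SVC, "permit")
BAD_POLICY = [BROAD_PERMIT] + POLICY

# Constructed test flows: (src_zone, dst_zone, src_ip, dst_ip, service)
OFFICE_HTTPS = ("trust", "untrust", "192.168.10.5", "203.0.113.10", "tcp/443")
GUEST_TO_SERVER = ("trust", "dmz", "172.16.30.7", "172.16.20.10", "tcp/80")
SERVER_SSH_OUT = ("dmz", "untrust", "172.16.20.10", "203.0.113.10", "tcp/22")
GUEST_SSH_OUT = ("trust", "untrust", "172.16.30.7", "203.0.113.10", "tcp/22")

if __name__ == "__main__":
    for flow in (OFFICE_HTTPS, GUEST_TO_SERVER, SERVER_SSH_OUT, GUEST_SSH_OUT):
        print(flow, "->", first_match(POLICY, flow),
              "| with broad permit on top:", first_match(BAD_POLICY, flow))
    print("unreachable rules in BAD_POLICY:", shadowed(BAD_POLICY))
```

With the rule set as written, guest SSH to the Internet falls through to CLEAN-UP and is denied; with TRUST-INET-ANY on top it is permitted, and shadowed() reports OFFICE-INET-WEB and GUEST-INET-PERMIT as rules that will show a hit count of zero forever. Running the same check against a rule list exported from the firewall is a cheap pre-change review for the "broad rule above a precise one" mistake.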
V. Three self-test questions (worth bookmarking)
1. What is the rule-matching order of firewall security policy?
2. Why must there be a catch-all deny rule at the end?
3. What key information can you see with display logbuffer?
That is all for today, see you next time!