Published: 2025-09-07 07:26


As education informatization accelerates, university campus networks are becoming increasingly complete. While faculty and students enjoy rich network resources, campus network security problems are surfacing and directly affect teaching, administration and research. How to build a secure, high-speed campus network has become an urgent problem for campus network administrators.

A campus network faces different security threats at every layer, from the network layer up to the application layer:

Network perimeter protection: a campus network usually has several egress links with high bandwidth and a complex topology; the spread of viruses and worms is the biggest hidden danger; and the growing number of remote network connections poses a serious challenge to security.

Content security protection: intrusions cannot be discovered and blocked in time; the URLs that users access need to be controlled, allowing or denying access to certain web resources and regulating online behaviour; and improper forum posts and published content need to be prevented to avoid adverse social impact.

The FW, a high-performance next-generation firewall, can be deployed at the campus network egress to help universities reduce security threats and manage the network effectively. Besides security isolation and basic attack defense, the FW offers advanced application-security capabilities such as attack defense, IPS, antivirus and online-behaviour auditing, providing application-layer protection while enforcing the perimeter.

As shown in Figure 1-1, the FW is deployed as the security gateway at the campus network egress, isolating and protecting traffic between the internal and external networks. Besides traditional IP-address-based security policies and access control, the FW provides user-based access control and behaviour tracing. This gives network administrators great flexibility to choose the most efficient control policy for the actual situation, and reduces the security maintenance workload.

Figure 1-1 Application of the FW in a campus network

Solution 1: IP-address-based policy control

Typical networking

As shown in Figure 1-2, the FW is deployed as the security gateway at the campus network egress, providing broadband service for on-campus users and server access for off-campus users. Because the campus network grew gradually and in phases, the egress link bandwidths are uneven: the education-network link is 1G, the three ISP1 links are 200M, 1G and 200M, and the two ISP2 links are both 1G.

Figure 1-2 Networking for IP-address-based policy control

Since the campus network is used mainly for study and work, bandwidth must be allocated sensibly and traffic load-balanced across the links to improve the access experience of internal and external users, while keeping internal users and servers secure. The main requirements of the campus network are as follows:

Load balancing

To give internal users a good Internet experience and make full use of the multiple ISP links, the school wants traffic destined for a given ISP's network to be forwarded preferentially out of the interface connected to that ISP: for example, traffic to the education network out of GE1/0/1, and traffic to ISP2 out of GE1/0/5 or GE1/0/6. Among multiple links belonging to the same ISP, traffic can be load-balanced in proportion to link bandwidth or weight. To improve forwarding reliability and prevent packet loss when a single link is overloaded, the links must also back each other up.

The transmission quality of the ISP links actually differs: the education-network and ISP2 links are of higher quality and can carry latency-sensitive traffic (such as the remote teaching system), while the lower-quality ISP1 links can carry bandwidth-hungry, low-value traffic (such as P2P). For cost reasons, traffic to other universities' servers, Internet traffic from users in the library, and all traffic matching the default route must be forwarded over the education-network link.

Because on-campus users automatically obtain the same DNS server address, their traffic would all leave over the same ISP link. The school wants to make full use of the other links, so part of the DNS requests must be diverted to the other ISP links. Merely changing the outbound interface of the request would not solve the problem of the subsequent Internet traffic concentrating on one link; the requests must be sent to the DNS servers of different ISPs, so that the resolved addresses belong to different ISPs and the traffic is genuinely split.

The school has deployed an internal DNS server for domain-name resolution. When users from different ISPs access the school website, they should resolve to an address belonging to their own ISP rather than another ISP's address, which improves access quality.

Because traffic to the library server is heavy, two servers need to be deployed with the load shared between them.

Address translation

On-campus users need public IP addresses to access the Internet.

On-campus servers, such as the library server, Portal server and DNS server, use public IP addresses to serve internal and external users at the same time.

Security protection

Divide the network into zones according to where devices sit, isolate traffic between zones, and control which zones may access which. For example, allow on-campus users to access external resources, but allow external users to access only specified ports on the on-campus servers.

Defend against common DDoS attacks (such as SYN flood) and single-packet attacks (such as Land).

Block or alert on network intrusions.

Bandwidth control

Because bandwidth is limited, the school wants to cap the share of bandwidth consumed by P2P traffic and limit the P2P bandwidth of each user. Common P2P traffic comes mainly from download clients (such as Xunlei/Thunder, eMule, BitTorrent, Ares, Vuze), music clients (such as Kuwo Music, Kugou, SoulSeek) and video sites or clients (such as Baidu Player, iQIYI, Sohu Video).

Tracing and auditing

To prevent the improper online behaviour of individual on-campus users from damaging the school's reputation, and to be able to trace and reconstruct incidents afterwards, the online behaviour of on-campus users must be audited for later review and analysis. The behaviour to audit mainly comprises URL access records, BBS and microblog post content, HTTP uploads and downloads, and FTP uploads and downloads.

The school has a log server. Attack-defense and intrusion-detection logs must be viewable on it, together with the IP addresses before and after NAT translation.

Service planning

The FW can meet all of the campus network's requirements. The relevant functions are introduced below and planned against the networking.

Network basics and access-control configuration

The FW isolates the areas of the campus network by placing them in security zones, and controls access between zones with security policies.

Campus users are in the Trust zone, which has the highest security level and can initiate access to every other zone. The servers are also in the Trust zone, but policy restricts them to accessing only the external zones, not devices inside Trust. A separate security zone is created for each ISP link so that the policy between any two zones can be controlled individually; devices in each ISP zone are allowed to access the server segment. ASPF must also be enabled so that multi-channel protocols (such as FTP) work normally across zones.

Intrusion prevention

To keep out bots, trojans and worms, intrusion prevention must be deployed on the FW to alert on or block intrusions. To recognise intrusions better, the FW also needs to update its intrusion-prevention signature database regularly from the security center (sec.huawei.com).

DNS transparent proxy

DNS transparent proxy rewrites the destination address of DNS request packets, redirecting them to a different DNS server. Combined with policy-based smart routing in this example, DNS requests are forwarded in proportion to link bandwidth; because the resolved server addresses then belong to different ISPs, the subsequent access traffic is also spread across the ISP links.

Smart routing

To meet the forwarding requirements at the campus egress, policy-based smart routing can be deployed on the FW; combined with ISP address sets, traffic is forwarded according to carrier. For particular kinds of traffic, single-egress policy-based routing can pin the traffic to a fixed outbound interface. Finally, traffic that matches no ISP address set can be sent over the link with the best measured quality.

Server load balancing

The two library servers appear externally as one high-performance, highly available virtual server; users access the virtual server without knowing which server actually handles the request. To improve the access experience, the virtual server is published with a public IP address from each ISP.

Smart DNS

Smart DNS means that, when a private DNS server exists, the FW answers DNS requests from different ISPs intelligently so that users of each ISP obtain the most suitable resolved address, namely the address of the server on the same ISP's network as the user.

For example, the school's internal DNS server holds the Portal server's domain name (www.example.com) with the public address 1.1.15.15 assigned by the education network. Smart DNS is enabled on the FW's GE1/0/2 interface, with the mapped address 2.2.15.15 assigned by ISP1.

When a user on the education network looks up the Portal server, interface GE1/0/1 has no smart DNS configured, so the user receives the Portal server's original education-network address, 1.1.15.15. When a user on ISP1 looks it up, the DNS response from the DNS server reaches the FW's GE1/0/2 interface, where the FW replaces the original education-network address 1.1.15.15 in the response with ISP1's public address 2.2.15.15; the ISP1 user then communicates with 2.2.15.15. Of course, the FW also needs a NAT Server mapping that binds the Portal server's private address 10.1.10.20 to 2.2.15.15, so that ISP1 users reach the Portal server through ISP1's address 2.2.15.15.
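The rewrite described above, worked through on real DNS wire format. This is an added example, not part of the original page and not Huawei code: the group table mirrors the `dns-smart group` mappings configured later on this page, while the packet builder, the parser and the function names are ours and the DNS messages are constructed test data.

```python
"""Model of the smart-DNS response rewrite: A records carrying a real-server
address are replaced with the address mapped for the egress interface."""
import ipaddress
import struct

# Smart-DNS groups from the page: real server address -> {egress interface: mapped address}.
# GE1/0/1 (education network) has no mapping, so responses leaving there are untouched.
SMART_DNS_GROUPS = {
    "1.1.15.15": {                       # Portal server (group 1)
        "GigabitEthernet1/0/2": "2.2.15.15",
        "GigabitEthernet1/0/3": "2.2.16.16",
        "GigabitEthernet1/0/4": "2.2.17.17",
        "GigabitEthernet1/0/5": "3.3.15.15",
        "GigabitEthernet1/0/6": "3.3.16.16",
    },
    "1.1.101.101": {                     # DNS server (group 2)
        "GigabitEthernet1/0/2": "2.2.102.102",
        "GigabitEthernet1/0/3": "2.2.103.103",
        "GigabitEthernet1/0/4": "2.2.104.104",
        "GigabitEthernet1/0/5": "3.3.102.102",
        "GigabitEthernet1/0/6": "3.3.103.103",
    },
}


def _encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(txid: int, name: str, addrs, flags: int = 0x8180,
                     ttl: int = 60, compress: bool = False) -> bytes:
    """Constructed DNS message: one A question, one A answer per address.
    With compress=True the answer owner names are a pointer (0xC00C) back to
    the question name, as real resolvers emit them."""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    owner = b"\xc0\x0c" if compress else _encode_name(name)
    answers = b"".join(owner + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + answers


def _skip_name(pkt, off: int) -> int:
    """Offset just past a domain name, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def _a_record_offsets(pkt):
    """Yield the RDATA offset of every IN A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4   # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_addresses(pkt: bytes):
    """List the A-record addresses in the answer section."""
    return [str(ipaddress.IPv4Address(bytes(pkt[o:o + 4]))) for o in _a_record_offsets(pkt)]


def smart_dns_rewrite(pkt: bytes, out_interface: str) -> bytes:
    """Rewrite A records that carry a real-server address with the address
    mapped for the interface the response leaves on. Queries (QR=0) and
    interfaces without a mapping pass through unchanged."""
    if not struct.unpack("!H", pkt[2:4])[0] & 0x8000:
        return pkt
    buf = bytearray(pkt)
    for off in list(_a_record_offsets(buf)):
        real = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        mapped = SMART_DNS_GROUPS.get(real, {}).get(out_interface)
        if mapped:
            buf[off:off + 4] = ipaddress.IPv4Address(mapped).packed
    return bytes(buf)


if __name__ == "__main__":
    resp = build_a_response(0x1234, "www.example.com", ["1.1.15.15"], compress=True)
    for ifname in ("GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "GigabitEthernet1/0/5"):
        print(ifname, answer_addresses(smart_dns_rewrite(resp, ifname)))
```

Only the RDATA bytes change, so the message length, transaction ID and question section stay intact and the client cannot tell the answer was rewritten; the NAT Server mapping described above is what makes the rewritten address actually reachable.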

NAT

NAT Server

So that users of every ISP can reach the internal servers, NAT Server must be deployed on the FW to translate the servers' private addresses into public addresses.

Source NAT

So that a large number of internal users can access the external network with a limited number of public IP addresses, source NAT must be deployed on the FW to translate the private source IP addresses of packets into public addresses.

NAT ALG

Once NAT is configured on the FW, forwarding multi-channel protocols (such as FTP) requires enabling the NAT ALG for that protocol, so that their packets are translated correctly. This example enables NAT ALG for FTP, QQ and RTSP.

Attack defense

Attack defense detects many kinds of network attacks, including DDoS and single-packet attacks, protecting the internal network from malicious attacks.

Audit policy

The FW supports auditing: an audit policy defines which online behaviour is audited and recorded, so that administrators can later review and analyse user behaviour.

Bandwidth management

Because P2P traffic consumes a great deal of bandwidth, the school wants to limit the P2P bandwidth on each ISP1 link and limit the P2P bandwidth of each IP address. Bandwidth management can rate-limit a given type of traffic as a whole, or per IP address/per user.

Log server

The log server collects, queries and reports on logs. Used together with the FW, it shows the session logs the FW outputs, including the sessions before and after NAT translation, from which the NAT address mappings can be read; it also shows the FW's IPS and attack-defense logs, from which attacks and intrusions in the network can be queried.

Notes

Whether the IP addresses in the ISP address sets are complete directly affects how well smart routing and smart DNS work; update the ISP address library regularly from the security center (isecurity.huawei.com).

In a multi-egress scenario, policy-based smart routing cannot be used together with IP-spoofing attack defense or URPF (Unicast Reverse Path Forwarding). If IP-spoofing defense or URPF is enabled, the FW may drop packets.

Smart DNS requires a license and can be used only after the corresponding component package has been loaded through dynamic loading.

The virtual server IP address used by server load balancing must not be the same as any of the following:

a NAT Server public IP address (global IP)

an IP address in a NAT address pool

the gateway IP address

an FW interface IP address

The real server IP addresses used by server load balancing must not be the same as any of the following:

the virtual server IP address

a NAT Server public IP address (global IP)

a NAT Server internal server IP address (inside IP)

After server load balancing is configured, security policies and routes must be configured against the real servers' IP addresses, not the virtual server's IP address.

After configuring NAT address pools and NAT Server, configure blackhole routes for the addresses in the pools and for the NAT Server public addresses, to prevent routing loops.

Only the audit administrator can configure auditing and view audit logs.

Audit logs can be viewed and exported in the web UI only on devices that support a hard disk and have one installed.

In networks where the forward and return paths of a flow differ, the content recorded in audit logs may be incomplete.

Configuration procedure
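A small checker for the address constraints and the blackhole-route requirement in the notes above. This is an added example, not part of the page and not Huawei code: it parses a constructed excerpt of the CLI lines used on this page (the `[FW...]` prompts are stripped), flags virtual/real server addresses that collide with the addresses the notes forbid, and lists NAT Server global addresses and NAT pool addresses that still lack an `ip route-static ... 32 NULL 0` blackhole route. The regular expressions, function names and the deliberately broken sample lines are ours.

```python
"""Check the server-load-balancing address rules and blackhole-route coverage
from a Huawei-style CLI excerpt."""
import ipaddress
import re

PROMPT = re.compile(r"^\[[^\]]*\]\s*")
PATTERNS = {
    "nat_server": re.compile(r"^nat server \S+ (?:zone \S+ )?global (\S+) inside (\S+)"),
    "pool_section": re.compile(r"^section \d+ (\S+) (\S+)"),
    "vip": re.compile(r"^vip \d+ (\S+)"),
    "rip": re.compile(r"^rserver \d+ rip (\S+)"),
    "interface_ip": re.compile(r"^ip address (\S+) \S+"),
    "gateway": re.compile(r"^redirect-reverse next-hop (\S+)"),
    "blackhole": re.compile(r"^ip route-static (\S+) 32 NULL 0"),
}


def expand_range(first: str, last: str):
    """All addresses from first to last inclusive (a NAT pool `section`)."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


def parse_config(text: str) -> dict:
    """Collect the address sets the notes talk about from CLI lines."""
    facts = {k: set() for k in ("nat_global", "nat_inside", "pool", "vip", "rip",
                                "interface_ip", "gateway", "blackhole")}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := PATTERNS["nat_server"].match(line):
            facts["nat_global"].add(m.group(1))
            facts["nat_inside"].add(m.group(2))
        elif m := PATTERNS["pool_section"].match(line):
            facts["pool"].update(expand_range(m.group(1), m.group(2)))
        else:
            for key in ("vip", "rip", "interface_ip", "gateway", "blackhole"):
                if m := PATTERNS[key].match(line):
                    facts[key].add(m.group(1))
                    break
    return facts


def find_conflicts(facts: dict):
    """(address, reason) pairs that violate the virtual/real server rules."""
    conflicts = []
    for vip in sorted(facts["vip"]):
        for other in ("nat_global", "pool", "gateway", "interface_ip"):
            if vip in facts[other]:
                conflicts.append((vip, f"virtual server IP equals {other}"))
    for rip in sorted(facts["rip"]):
        for other in ("vip", "nat_global", "nat_inside"):
            if rip in facts[other]:
                conflicts.append((rip, f"real server IP equals {other}"))
    return conflicts


def missing_blackholes(facts: dict):
    """NAT Server global and NAT pool addresses without a host blackhole route."""
    needed = facts["nat_global"] | facts["pool"]
    return sorted(needed - facts["blackhole"], key=ipaddress.IPv4Address)


# Constructed excerpt: lines taken from this page, plus `vip 3 2.2.15.15`
# (deliberately colliding with the Portal server's NAT Server global address;
# the page itself uses 3.3.113.113) and with the 2.2.5.3 blackhole route left out.
SAMPLE_CONFIG = """
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.252
[FW-GigabitEthernet1/0/1] redirect-reverse next-hop 1.1.1.2
[FW-GigabitEthernet1/0/2] ip address 2.2.2.1 255.255.255.252
[FW-GigabitEthernet1/0/2] redirect-reverse next-hop 2.2.2.2
[FW-slb-group-1] rserver 1 rip 10.1.10.10
[FW-slb-group-1] rserver 2 rip 10.1.10.11
[FW-slb-vserver-1] vip 1 1.1.111.111
[FW-slb-vserver-1] vip 2 2.2.112.112
[FW-slb-vserver-1] vip 3 2.2.15.15
[FW] nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20
[FW] nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse
[FW-address-group-isp1_nat_address_pool1] section 0 2.2.5.1 2.2.5.3
[FW] ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
[FW] ip route-static 1.1.15.15 32 NULL 0
[FW] ip route-static 2.2.15.15 32 NULL 0
[FW] ip route-static 2.2.5.1 32 NULL 0
[FW] ip route-static 2.2.5.2 32 NULL 0
"""

if __name__ == "__main__":
    facts = parse_config(SAMPLE_CONFIG)
    print("conflicts:", find_conflicts(facts))
    print("missing blackhole routes:", missing_blackholes(facts))
```

Run it over a `display current-configuration` dump before committing the change set: a missing blackhole route for a pool address is exactly the kind of omission that only shows up later as a routing loop between the FW and the upstream router.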

1. Configure the interfaces and security zones, and configure the gateway address, bandwidth and overload-protection threshold on each outbound interface that takes part in link selection.

<FW> system-view

[FW] interface GigabitEthernet 1/0/1

[FW-GigabitEthernet1/0/1] description connect_to_edu

[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.252

[FW-GigabitEthernet1/0/1] redirect-reverse next-hop 1.1.1.2

[FW-GigabitEthernet1/0/1] bandwidth ingress 1000000 threshold 90

[FW-GigabitEthernet1/0/1] bandwidth egress 1000000 threshold 90

[FW-GigabitEthernet1/0/1] quit

[FW] interface GigabitEthernet 1/0/2

[FW-GigabitEthernet1/0/2] description connect_to_isp1

[FW-GigabitEthernet1/0/2] ip address 2.2.2.1 255.255.255.252

[FW-GigabitEthernet1/0/2] redirect-reverse next-hop 2.2.2.2

[FW-GigabitEthernet1/0/2] bandwidth ingress 200000 threshold 90

[FW-GigabitEthernet1/0/2] bandwidth egress 200000 threshold 90

[FW-GigabitEthernet1/0/2] quit

[FW] interface GigabitEthernet 1/0/3

[FW-GigabitEthernet1/0/3] description connect_to_isp1

[FW-GigabitEthernet1/0/3] ip address 2.2.3.1 255.255.255.252

[FW-GigabitEthernet1/0/3] redirect-reverse next-hop 2.2.3.2

[FW-GigabitEthernet1/0/3] bandwidth ingress 1000000 threshold 90

[FW-GigabitEthernet1/0/3] bandwidth egress 1000000 threshold 90

[FW-GigabitEthernet1/0/3] quit

[FW] interface GigabitEthernet 1/0/4

[FW-GigabitEthernet1/0/4] description connect_to_isp1

[FW-GigabitEthernet1/0/4] ip address 2.2.4.1 255.255.255.252

[FW-GigabitEthernet1/0/4] redirect-reverse next-hop 2.2.4.2

[FW-GigabitEthernet1/0/4] bandwidth ingress 200000 threshold 90

[FW-GigabitEthernet1/0/4] bandwidth egress 200000 threshold 90

[FW-GigabitEthernet1/0/4] quit

[FW] interface GigabitEthernet 1/0/5

[FW-GigabitEthernet1/0/5] description connect_to_isp2

[FW-GigabitEthernet1/0/5] ip address 3.3.3.1 255.255.255.252

[FW-GigabitEthernet1/0/5] redirect-reverse next-hop 3.3.3.2

[FW-GigabitEthernet1/0/5] bandwidth ingress 1000000 threshold 90

[FW-GigabitEthernet1/0/5] bandwidth egress 1000000 threshold 90

[FW-GigabitEthernet1/0/5] quit

[FW] interface GigabitEthernet 1/0/6

[FW-GigabitEthernet1/0/6] description connect_to_isp2

[FW-GigabitEthernet1/0/6] ip address 3.3.4.1 255.255.255.252

[FW-GigabitEthernet1/0/6] redirect-reverse next-hop 3.3.4.2

[FW-GigabitEthernet1/0/6] bandwidth ingress 1000000 threshold 90

[FW-GigabitEthernet1/0/6] bandwidth egress 1000000 threshold 90

[FW-GigabitEthernet1/0/6] quit

[FW] interface GigabitEthernet 1/0/7

[FW-GigabitEthernet1/0/7] description connect_to_campus

[FW-GigabitEthernet1/0/7] ip address 10.2.0.1 255.255.255.0

[FW-GigabitEthernet1/0/7] quit

2. Configure security policies.

a. Create security zones for the education network, ISP1 and ISP2, and add the interfaces to them.

[FW] firewall zone name edu_zone

[FW-zone-edu_zone] set priority 20

[FW-zone-edu_zone] add interface GigabitEthernet 1/0/1

[FW-zone-edu_zone] quit

[FW] firewall zone name isp1_zone1

[FW-zone-isp1_zone1] set priority 30

[FW-zone-isp1_zone1] add interface GigabitEthernet 1/0/2

[FW-zone-isp1_zone1] quit

[FW] firewall zone name isp1_zone2

[FW-zone-isp1_zone2] set priority 40

[FW-zone-isp1_zone2] add interface GigabitEthernet 1/0/3

[FW-zone-isp1_zone2] quit

[FW] firewall zone name isp1_zone3

[FW-zone-isp1_zone3] set priority 50

[FW-zone-isp1_zone3] add interface GigabitEthernet 1/0/4

[FW-zone-isp1_zone3] quit

[FW] firewall zone name isp2_zone1

[FW-zone-isp2_zone1] set priority 60

[FW-zone-isp2_zone1] add interface GigabitEthernet 1/0/5

[FW-zone-isp2_zone1] quit

[FW] firewall zone name isp2_zone2

[FW-zone-isp2_zone2] set priority 70

[FW-zone-isp2_zone2] add interface GigabitEthernet 1/0/6

[FW-zone-isp2_zone2] quit

[FW] firewall zone trust

[FW-zone-trust] add interface GigabitEthernet 1/0/7

[FW-zone-trust] quit

b. Configure security policies between the zones to control inter-zone access, and reference the default intrusion-prevention profile in the policies to enable intrusion prevention. Note that, as written, user_inside lets the Trust zone reach any destination and user_outside lets every ISP zone reach 10.1.10.0/24 on any service; the requirement above is that external users reach only specified server ports, so in production add a service condition (and the specific server addresses) to user_outside instead of opening the whole segment. local_to_any lets the FW itself originate traffic (IP-Link probes, signature updates, DNS).

[FW] security-policy

[FW-policy-security] rule name user_inside

[FW-policy-security-rule-user_inside] source-zone trust

[FW-policy-security-rule-user_inside] action permit

[FW-policy-security-rule-user_inside] profile ips default

[FW-policy-security-rule-user_inside] quit

[FW-policy-security] rule name user_outside

[FW-policy-security-rule-user_outside] source-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2

[FW-policy-security-rule-user_outside] destination-address 10.1.10.0 24

[FW-policy-security-rule-user_outside] action permit

[FW-policy-security-rule-user_outside] profile ips default

[FW-policy-security-rule-user_outside] quit

[FW-policy-security] rule name local_to_any

[FW-policy-security-rule-local_to_any] source-zone local

[FW-policy-security-rule-local_to_any] destination-zone any

[FW-policy-security-rule-local_to_any] action permit

[FW-policy-security-rule-local_to_any] quit

[FW-policy-security] quit

c. Configure scheduled upgrades of the intrusion-prevention signature database.

Make sure the license for the signature-database upgrade service has been purchased and activated on the device.

a. Configure the update center.

[FW] update server domain sec.huawei.com

b. The device must be able to reach the update server, either directly or through a proxy server. This example assumes direct access.

[FW] dns resolve

[FW] dns server 10.1.10.30

c. Enable scheduled upgrades and set the upgrade time.

[FW] update schedule ips-sdb enable

[FW] update schedule sa-sdb enable

[FW] update schedule ips-sdb daily 02:30

[FW] update schedule sa-sdb daily 02:30

3. Configure IP-Link to probe whether each ISP link is up.

The IP-Link commands differ slightly between the USG6000 and the USG9500; the USG6000 is used in this example.

[FW] ip-link check enable

[FW] ip-link name edu_ip_link

[FW-iplink-edu_ip_link] destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp

[FW-iplink-edu_ip_link] quit

[FW] ip-link name isp1_ip_link

[FW-iplink-isp1_ip_link] destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp

[FW-iplink-isp1_ip_link] destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp

[FW-iplink-isp1_ip_link] destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp

[FW-iplink-isp1_ip_link] quit

[FW] ip-link name isp2_ip_link

[FW-iplink-isp2_ip_link] destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp

[FW-iplink-isp2_ip_link] destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp

[FW-iplink-isp2_ip_link] quit

4. Configure routes.

Apart from the routes this example requires, administrators should configure the remaining routes according to their actual network; no detailed guidance is given here.

# Configure a static route to the internal network segment with the internal switch as next hop, so that traffic from the external network can reach the internal network.

[FW] ip route-static 10.1.0.0 255.255.0.0 10.2.0.2

5. Configure DNS transparent proxy.

# Bind the DNS server IP addresses to each interface.

[FW] dns-transparent-policy

[FW-policy-dns] dns transparent-proxy enable

[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/1 preferred 1.1.22.22 alternate 1.1.23.23

[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/2 preferred 2.2.22.22 alternate 2.2.23.23

[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/3 preferred 2.2.24.24 alternate 2.2.25.25

[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/4 preferred 2.2.26.26 alternate 2.2.27.27

[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/5 preferred 3.3.22.22 alternate 3.3.23.23

[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/6 preferred 3.3.24.24 alternate 3.3.25.25

# Configure the excluded domain name.

[FW-policy-dns] dns transparent-proxy exclude domain www.example.com server preferred 1.1.25.25

# Configure the DNS transparent proxy policy.

[FW-policy-dns] rule name dns_trans_rule

[FW-policy-dns-rule-dns_trans_rule] action tpdns

[FW-policy-dns-rule-dns_trans_rule] quit

[FW-policy-dns] quit

# Configure policy-based smart routing for DNS request packets so that they are load-balanced across the links.

[FW] policy-based-route

[FW-policy-pbr] rule name pbr_dns_trans

[FW-policy-pbr-rule-pbr_dns_trans] source-zone trust

[FW-policy-pbr-rule-pbr_dns_trans] service dns dns-tcp

[FW-policy-pbr-rule-pbr_dns_trans] action pbr egress-interface multi-interface

[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] mode proportion-of-bandwidth

[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/1

[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/2

[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/3

[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/4

[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/5

[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/6

[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] quit

[FW-policy-pbr-rule-pbr_dns_trans] quit

[FW-policy-pbr] quit

6. Configure smart routing.

# Configure the ISP address sets.

Upload the ISP address files to the FW, for example over SFTP; the detailed steps are omitted.

Create a carrier name for the education network, ISP1 and ISP2 respectively, and associate each with its ISP address file.

[FW] isp name edu_address set filename edu_address.csv

[FW] isp name isp1_address set filename isp1_address.csv

[FW] isp name isp2_address set filename isp2_address.csv

[FW] isp name other_edu_server_address set filename other_edu_server_address.csv

# Create a user-defined application for the remote teaching system and reference it in policy-based routing, so that the remote teaching traffic is forwarded over the education-network and ISP2 links.

Make sure the FW has the corresponding routes so that remote-teaching traffic is still forwarded normally when no policy-based route applies.

[FW] sa

[FW-sa] user-defined-application name UD_dis_edu_sys_app

[FW-sa-user-defined-app-UD_dis_edu_sys_app] category Business_Systems sub-category Enterprise_Application

[FW-sa-user-defined-app-UD_dis_edu_sys_app] model client-server

[FW-sa-user-defined-app-UD_dis_edu_sys_app] label Encrypted-Communications Business-Applications

[FW-sa-user-defined-app-UD_dis_edu_sys_app] rule name 1

[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] ip-address 2.2.50.50 32

[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] port 5000

[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] quit

[FW-sa-user-defined-app-UD_dis_edu_sys_app] quit

[FW-sa] quit

[FW] policy-based-route

[FW-policy-pbr] rule name dis_edu_sys

[FW-policy-pbr-rule-dis_edu_sys] source-zone trust

[FW-policy-pbr-rule-dis_edu_sys] application app UD_dis_edu_sys_app

[FW-policy-pbr-rule-dis_edu_sys] action pbr egress-interface multi-interface

[FW-policy-pbr-rule-dis_edu_sys-multi-inter] mode proportion-of-bandwidth

[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/1

[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/5

[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/6

[FW-policy-pbr-rule-dis_edu_sys-multi-inter] quit

[FW-policy-pbr-rule-dis_edu_sys] quit

# Configure policy-based smart routing so that P2P traffic is forwarded over the ISP1 links.

Make sure the FW has the corresponding routes so that P2P traffic is still forwarded normally when no policy-based route applies.

[FW-policy-pbr] rule name p2p_traffic

[FW-policy-pbr-rule-p2p_traffic] source-zone trust

[FW-policy-pbr-rule-p2p_traffic] application category Entertainment sub-category PeerCasting

[FW-policy-pbr-rule-p2p_traffic] application category General_Internet sub-category FileShare_P2P

[FW-policy-pbr-rule-p2p_traffic] action pbr egress-interface multi-interface

[FW-policy-pbr-rule-p2p_traffic-multi-inter] mode proportion-of-bandwidth

[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/2

[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/3

[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/4

[FW-policy-pbr-rule-p2p_traffic-multi-inter] quit

[FW-policy-pbr-rule-p2p_traffic] quit

# Configure single-egress policy-based routes.

a. Traffic to other universities' servers, and Internet traffic from users in the library, is forwarded over the education-network link.

[FW-policy-pbr] rule name other_edu_server

[FW-policy-pbr-rule-other_edu_server] source-zone trust

[FW-policy-pbr-rule-other_edu_server] source-address 10.1.0.0 16

[FW-policy-pbr-rule-other_edu_server] destination-address isp other_edu_server_address

[FW-policy-pbr-rule-other_edu_server] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2

[FW-policy-pbr-rule-other_edu_server] quit

[FW-policy-pbr] rule name lib_internet

[FW-policy-pbr-rule-lib_internet] source-zone trust

[FW-policy-pbr-rule-lib_internet] source-address 10.1.50.0 22

[FW-policy-pbr-rule-lib_internet] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.2

[FW-policy-pbr-rule-lib_internet] quit

# Configure destination-address-based policy smart routing.

a. When the destination address belongs to the education-network address set, prefer the education-network link.

[FW-policy-pbr] rule name pbr_edu

[FW-policy-pbr-rule-pbr_edu] source-zone trust

[FW-policy-pbr-rule-pbr_edu] source-address 10.1.0.0 16

[FW-policy-pbr-rule-pbr_edu] destination-address isp edu_address

[FW-policy-pbr-rule-pbr_edu] action pbr egress-interface multi-interface

[FW-policy-pbr-rule-pbr_edu-multi-inter] mode priority-of-userdefine

[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/1 priority 8

[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/2 priority 5

[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/3 priority 5

[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/4 priority 5

[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/5 priority 1

[FW-policy-pbr-rule-pbr_edu-multi-inter] add interface GigabitEthernet 1/0/6 priority 1

[FW-policy-pbr-rule-pbr_edu-multi-inter] quit

[FW-policy-pbr-rule-pbr_edu] quit

b. When the destination address belongs to the ISP1 address set, prefer the ISP1 links.

[FW-policy-pbr] rule name pbr_isp1

[FW-policy-pbr-rule-pbr_isp1] source-zone trust

[FW-policy-pbr-rule-pbr_isp1] source-address 10.1.0.0 16

[FW-policy-pbr-rule-pbr_isp1] destination-address isp isp1_address

[FW-policy-pbr-rule-pbr_isp1] action pbr egress-interface multi-interface

[FW-policy-pbr-rule-pbr_isp1-multi-inter] mode priority-of-userdefine

[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/1 priority 5

[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/2 priority 8

[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/3 priority 8

[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/4 priority 8

[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/5 priority 1

[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/6 priority 1

[FW-policy-pbr-rule-pbr_isp1-multi-inter] quit

[FW-policy-pbr-rule-pbr_isp1] quit

c. When the destination address belongs to the ISP2 address set, prefer the ISP2 links.

[FW-policy-pbr] rule name pbr_isp2

[FW-policy-pbr-rule-pbr_isp2] source-zone trust

[FW-policy-pbr-rule-pbr_isp2] source-address 10.1.0.0 16

[FW-policy-pbr-rule-pbr_isp2] destination-address isp isp2_address

[FW-policy-pbr-rule-pbr_isp2] action pbr egress-interface multi-interface

[FW-policy-pbr-rule-pbr_isp2-multi-inter] mode priority-of-userdefine

[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/1 priority 5

[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/2 priority 1

[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/3 priority 1

[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/4 priority 1

[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/5 priority 8

[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/6 priority 8

[FW-policy-pbr-rule-pbr_isp2-multi-inter] quit

[FW-policy-pbr-rule-pbr_isp2] quit

# Traffic that matches no ISP address set is forwarded by policy-based route pbr_rest over the link with the best measured quality.

[FW-policy-pbr] rule name pbr_rest

[FW-policy-pbr-rule-pbr_rest] source-zone trust

[FW-policy-pbr-rule-pbr_rest] source-address 10.1.0.0 16

[FW-policy-pbr-rule-pbr_rest] action pbr egress-interface multi-interface

[FW-policy-pbr-rule-pbr_rest-multi-inter] mode priority-of-link-quality

[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/1

[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/2

[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/3

[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/4

[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/5

[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/6

[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality protocol tcp-simple

[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality parameter delay jitter loss

[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality interval 3 times 5

[FW-policy-pbr-rule-pbr_rest-multi-inter] quit

[FW-policy-pbr-rule-pbr_rest] quit

[FW-policy-pbr] quit
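A model of the selection logic configured in steps 5 and 6, so the effect of rule order, the priority tables and link failure can be checked before traffic is cut over. This is an added example, not part of the page and not Huawei code. Rules are matched top-down and the first match decides, as on the FW; three details are our assumptions rather than documented behaviour: links that fail IP-Link or exceed their `bandwidth ... threshold` are skipped, ties between equal-priority links are split by a bandwidth-weighted hash of the flow, and link quality is modelled as a single delay figure. The ISP address sets are constructed stand-ins for the CSV files the page loads.

```python
"""Policy-based smart routing model: ISP address sets, multi-interface modes
and overload/IP-Link checks, with the rules of this page in page order."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Link:
    name: str
    bandwidth_kbps: int       # `bandwidth egress` value on the page
    threshold_pct: int = 90   # overload-protection threshold
    load_kbps: int = 0        # current egress load (constructed)
    ip_link_up: bool = True   # IP-Link probe result
    delay_ms: float = 50.0    # assumed link-quality metric

    def usable(self) -> bool:   # assumption: overloaded or failed links are skipped
        return self.ip_link_up and self.load_kbps < self.bandwidth_kbps * self.threshold_pct / 100


@dataclass
class Rule:
    name: str
    mode: str                 # single | proportion-of-bandwidth | priority-of-userdefine | priority-of-link-quality
    egress: Dict[str, int]    # interface -> priority (ignored by non-priority modes)
    src: str = "10.1.0.0/16"
    dst_isp: Optional[str] = None
    application: Optional[str] = None


ISP_SETS = {   # constructed; the page loads these from edu_address.csv etc.
    "edu_address": ["1.1.0.0/16"],
    "isp1_address": ["2.2.0.0/16"],
    "isp2_address": ["3.3.0.0/16"],
    "other_edu_server_address": ["1.1.200.0/24"],
}
EDU, ISP1, ISP2 = ["GE1/0/1"], ["GE1/0/2", "GE1/0/3", "GE1/0/4"], ["GE1/0/5", "GE1/0/6"]


def page_links() -> Dict[str, Link]:
    bw = {"GE1/0/1": 1000000, "GE1/0/2": 200000, "GE1/0/3": 1000000,
          "GE1/0/4": 200000, "GE1/0/5": 1000000, "GE1/0/6": 1000000}
    return {n: Link(n, b) for n, b in bw.items()}


def _prio(high, mid):
    """Priority table as on the page: 8 preferred, 5 backup, 1 for the rest."""
    return {i: 8 if i in high else 5 if i in mid else 1 for i in EDU + ISP1 + ISP2}


def page_rules():
    """The PBR rules of steps 5 and 6, in the order the page configures them."""
    return [
        Rule("pbr_dns_trans", "proportion-of-bandwidth", dict.fromkeys(EDU + ISP1 + ISP2, 0), application="dns"),
        Rule("dis_edu_sys", "proportion-of-bandwidth", dict.fromkeys(EDU + ISP2, 0), application="UD_dis_edu_sys_app"),
        Rule("p2p_traffic", "proportion-of-bandwidth", dict.fromkeys(ISP1, 0), application="p2p"),
        Rule("other_edu_server", "single", {"GE1/0/1": 0}, dst_isp="other_edu_server_address"),
        Rule("lib_internet", "single", {"GE1/0/1": 0}, src="10.1.50.0/22"),
        Rule("pbr_edu", "priority-of-userdefine", _prio(EDU, ISP1), dst_isp="edu_address"),
        Rule("pbr_isp1", "priority-of-userdefine", _prio(ISP1, EDU), dst_isp="isp1_address"),
        Rule("pbr_isp2", "priority-of-userdefine", _prio(ISP2, EDU), dst_isp="isp2_address"),
        Rule("pbr_rest", "priority-of-link-quality", dict.fromkeys(EDU + ISP1 + ISP2, 0)),
    ]


def _matches(rule: Rule, src: str, dst: str, app: Optional[str]) -> bool:
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if rule.application is not None and rule.application != app:
        return False
    if rule.dst_isp is not None:
        return any(ipaddress.ip_address(dst) in ipaddress.ip_network(n, strict=False)
                   for n in ISP_SETS[rule.dst_isp])
    return True


def _weighted_pick(links, flow_key: str) -> str:
    """Bandwidth-proportional choice that is stable per flow (assumed tie-break)."""
    total = sum(l.bandwidth_kbps for l in links)
    point = int(hashlib.sha256(flow_key.encode()).hexdigest(), 16) % total
    for link in links:
        if point < link.bandwidth_kbps:
            return link.name
        point -= link.bandwidth_kbps
    return links[-1].name


def select_egress(src: str, dst: str, app: Optional[str] = None, links=None, rules=None):
    """(rule name, egress). (None, None): no rule matched, routing table decides.
    (rule, None): rule matched but none of its links is usable, so the packet
    also falls back to the routing table (assumption)."""
    links = links if links is not None else page_links()
    rules = rules if rules is not None else page_rules()
    flow_key = f"{src}>{dst}/{app}"
    for rule in rules:
        if not _matches(rule, src, dst, app):
            continue
        cands = [links[n] for n in rule.egress if links[n].usable()]
        if not cands:
            return rule.name, None
        if rule.mode == "single":
            return rule.name, cands[0].name
        if rule.mode == "proportion-of-bandwidth":
            return rule.name, _weighted_pick(cands, flow_key)
        if rule.mode == "priority-of-userdefine":
            best = max(rule.egress[c.name] for c in cands)
            return rule.name, _weighted_pick([c for c in cands if rule.egress[c.name] == best], flow_key)
        if rule.mode == "priority-of-link-quality":
            return rule.name, min(cands, key=lambda c: c.delay_ms).name
        raise ValueError(f"unknown mode {rule.mode}")
    return None, None


if __name__ == "__main__":
    print(select_egress("10.1.3.4", "1.1.200.9"))          # other universities' servers -> GE1/0/1
    print(select_egress("10.1.49.7", "8.8.8.8"))           # library user -> GE1/0/1
    print(select_egress("10.1.3.4", "2.2.9.9"))            # ISP1 destination -> an ISP1 link
```

Two things worth checking with the model: a destination in other_edu_server_address also lies inside edu_address, and the page relies on rule order (other_edu_server above pbr_edu) to pin it to GE1/0/1; and when both ISP2 links fail, pbr_isp2 falls to GE1/0/1 (priority 5) rather than to ISP1 (priority 1), which is what the priority tables intend.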

7. Configure server load balancing.

# Enable server load balancing.

[FW] slb enable

# Configure the load-balancing algorithm.

[FW] slb

[FW-slb] group 1 grp1

[FW-slb-group-1] metric roundrobin

# Add the real servers to the real server group.

[FW-slb-group-1] rserver 1 rip 10.1.10.10

[FW-slb-group-1] rserver 2 rip 10.1.10.11

[FW-slb-group-1] quit

# Configure the virtual server's IP addresses.

[FW-slb] vserver 1 vs1

[FW-slb-vserver-1] vip 1 1.1.111.111

[FW-slb-vserver-1] vip 2 2.2.112.112

[FW-slb-vserver-1] vip 3 3.3.113.113

# Associate the virtual server with the real server group.

[FW-slb-vserver-1] group grp1

[FW-slb-vserver-1] quit

[FW-slb] quit

8. Configure smart DNS.

# Enable smart DNS.

[FW] dns-smart enable

# Create the smart DNS groups and configure the smart DNS mappings in each group.

[FW] dns-smart group 1 type single

[FW-dns-smart-group-1] real-server-ip 1.1.15.15

[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/2 map 2.2.15.15

[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/3 map 2.2.16.16

[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/4 map 2.2.17.17

[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 3.3.15.15

[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/6 map 3.3.16.16

[FW-dns-smart-group-1] quit

[FW] dns-smart group 2 type single

[FW-dns-smart-group-2] real-server-ip 1.1.101.101

[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/2 map 2.2.102.102

[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/3 map 2.2.103.103

[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/4 map 2.2.104.104

[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/5 map 3.3.102.102

[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/6 map 3.3.103.103

[FW-dns-smart-group-2] quit

9. Configure zone-based NAT Server so that users of different ISPs access the internal servers through the corresponding public IP address.

# Configure NAT Server for the Portal server.

[FW] nat server portal_server01 zone edu_zone global 1.1.15.15 inside 10.1.10.20

[FW] nat server portal_server02 zone isp1_zone1 global 2.2.15.15 inside 10.1.10.20 no-reverse

[FW] nat server portal_server03 zone isp1_zone2 global 2.2.16.16 inside 10.1.10.20 no-reverse

[FW] nat server portal_server04 zone isp1_zone3 global 2.2.17.17 inside 10.1.10.20 no-reverse

[FW] nat server portal_server05 zone isp2_zone1 global 3.3.15.15 inside 10.1.10.20 no-reverse

[FW] nat server portal_server06 zone isp2_zone2 global 3.3.16.16 inside 10.1.10.20 no-reverse

# Configure NAT Server for the DNS server.

[FW] nat server dns_server01 zone edu_zone global 1.1.101.101 inside 10.1.10.30

[FW] nat server dns_server02 zone isp1_zone1 global 2.2.102.102 inside 10.1.10.30 no-reverse

[FW] nat server dns_server03 zone isp1_zone2 global 2.2.103.103 inside 10.1.10.30 no-reverse

[FW] nat server dns_server04 zone isp1_zone3 global 2.2.104.104 inside 10.1.10.30 no-reverse

[FW] nat server dns_server05 zone isp2_zone1 global 3.3.102.102 inside 10.1.10.30 no-reverse

[FW] nat server dns_server06 zone isp2_zone2 global 3.3.103.103 inside 10.1.10.30 no-reverse

# Configure blackhole routes for the NAT Server public addresses to prevent routing loops.

[FW] ip route-static 1.1.15.15 32 NULL 0

[FW] ip route-static 2.2.15.15 32 NULL 0

[FW] ip route-static 2.2.16.16 32 NULL 0

[FW] ip route-static 2.2.17.17 32 NULL 0

[FW] ip route-static 3.3.15.15 32 NULL 0

[FW] ip route-static 3.3.16.16 32 NULL 0

[FW] ip route-static 1.1.101.101 32 NULL 0

[FW] ip route-static 2.2.102.102 32 NULL 0

[FW] ip route-static 2.2.103.103 32 NULL 0

[FW] ip route-static 2.2.104.104 32 NULL 0

[FW] ip route-static 3.3.102.102 32 NULL 0

[FW] ip route-static 3.3.103.103 32 NULL 0

10. Configure source NAT.

# Configure source NAT for traffic to the education network; the address pool holds the education network's public addresses.

[FW] nat address-group edu_nat_address_pool

[FW-address-group-edu_nat_address_pool] mode pat

[FW-address-group-edu_nat_address_pool] section 0 1.1.30.31 1.1.30.33

[FW-address-group-edu_nat_address_pool] quit

[FW] nat-policy

[FW-policy-nat] rule name edu_nat_policy

[FW-policy-nat-rule-edu_nat_policy] source-zone trust

[FW-policy-nat-rule-edu_nat_policy] destination-zone edu_zone

[FW-policy-nat-rule-edu_nat_policy] source-address 10.1.0.0 16

[FW-policy-nat-rule-edu_nat_policy] action source-nat address-group edu_nat_address_pool

[FW-policy-nat-rule-edu_nat_policy] quit

[FW-policy-nat] quit

# Configure intra-zone source NAT so that internal users can access the internal servers through their public addresses.

[FW] nat-policy

[FW-policy-nat] rule name inner_nat_policy

[FW-policy-nat-rule-inner_nat_policy] source-zone trust

[FW-policy-nat-rule-inner_nat_policy] destination-zone trust

[FW-policy-nat-rule-inner_nat_policy] source-address 10.1.0.0 16

[FW-policy-nat-rule-inner_nat_policy] action source-nat address-group edu_nat_address_pool

[FW-policy-nat-rule-inner_nat_policy] quit

[FW-policy-nat] quit

# Configure source NAT for traffic to ISP1; the address pools hold ISP1's public addresses.

[FW] nat address-group isp1_nat_address_pool1

[FW-address-group-isp1_nat_address_pool1] mode pat

[FW-address-group-isp1_nat_address_pool1] section 0 2.2.5.1 2.2.5.3

[FW-address-group-isp1_nat_address_pool1] quit

[FW] nat-policy

[FW-policy-nat] rule name isp1_nat_policy1

[FW-policy-nat-rule-isp1_nat_policy1] source-zone trust

[FW-policy-nat-rule-isp1_nat_policy1] destination-zone isp1_zone1

[FW-policy-nat-rule-isp1_nat_policy1] source-address 10.1.0.0 16

[FW-policy-nat-rule-isp1_nat_policy1] action source-nat address-group isp1_nat_address_pool1

[FW-policy-nat-rule-isp1_nat_policy1] quit

[FW-policy-nat] quit

[FW] nat address-group isp1_nat_address_pool2

[FW-address-group-isp1_nat_address_pool2] mode pat

[FW-address-group-isp1_nat_address_pool2] section 0 2.2.6.1 2.2.6.3

[FW-address-group-isp1_nat_address_pool2] quit

[FW] nat-policy

[FW-policy-nat] rule name isp1_nat_policy2

[FW-policy-nat-rule-isp1_nat_policy2] source-zone trust

[FW-policy-nat-rule-isp1_nat_policy2] destination-zone isp1_zone2

[FW-policy-nat-rule-isp1_nat_policy2] source-address 10.1.0.0 16

[FW-policy-nat-rule-isp1_nat_policy2] action source-nat address-group isp1_nat_address_pool2

[FW-policy-nat-rule-isp1_nat_policy2] quit

[FW-policy-nat] quit

[FW] nat address-group isp1_nat_address_pool3

[FW-address-group-isp1_nat_address_pool3] mode pat

[FW-address-group-isp1_nat_address_pool3] section 0 2.2.7.1 2.2.7.3

[FW-address-group-isp1_nat_address_pool3] quit

[FW] nat-policy

[FW-policy-nat] rule name isp1_nat_policy3

[FW-policy-nat-rule-isp1_nat_policy3] source-zone trust

[FW-policy-nat-rule-isp1_nat_policy3] destination-zone isp1_zone3

[FW-policy-nat-rule-isp1_nat_policy3] source-address 10.1.0.0 16

[FW-policy-nat-rule-isp1_nat_policy3] action source-nat address-group isp1_nat_address_pool3

[FW-policy-nat-rule-isp1_nat_policy3] quit

[FW-policy-nat] quit

# Configure source NAT for traffic to ISP2; the address pools hold ISP2's public addresses.

[FW] nat address-group isp2_nat_address_pool1

[FW-address-group-isp2_nat_address_pool1] mode pat

[FW-address-group-isp2_nat_address_pool1] section 0 3.3.1.1 3.3.1.3

[FW-address-group-isp2_nat_address_pool1] quit

[FW] nat-policy

[FW-policy-nat] rule name isp2_nat_policy1

[FW-policy-nat-rule-isp2_nat_policy1] source-zone trust

[FW-policy-nat-rule-isp2_nat_policy1] destination-zone isp2_zone1

[FW-policy-nat-rule-isp2_nat_policy1] source-address 10.1.0.0 16

[FW-policy-nat-rule-isp2_nat_policy1] action source-nat address-group isp2_nat_address_pool1

[FW-policy-nat-rule-isp2_nat_policy1] quit

[FW-policy-nat] quit

[FW] nat address-group isp2_nat_address_pool2

[FW-address-group-isp2_nat_address_pool2] mode pat

[FW-address-group-isp2_nat_address_pool2] section 0 3.3.2.1 3.3.2.3

[FW-address-group-isp2_nat_address_pool2] quit

[FW] nat-policy

[FW-policy-nat] rule name isp2_nat_policy2

[FW-policy-nat-rule-isp2_nat_policy2] source-zone trust

[FW-policy-nat-rule-isp2_nat_policy2] destination-zone isp2_zone2

[FW-policy-nat-rule-isp2_nat_policy2] source-address 10.1.0.0 16

[FW-policy-nat-rule-isp2_nat_policy2] action source-nat address-group isp2_nat_address_pool2

[FW-policy-nat-rule-isp2_nat_policy2] quit

[FW-policy-nat] quit

# Configure blackhole routes for the public addresses in the NAT address pools to prevent routing loops.

[FW] ip route-static 1.1.30.31 32 NULL 0

[FW] ip route-static 1.1.30.32 32 NULL 0

[FW] ip route-static 1.1.30.33 32 NULL 0

[FW] ip route-static 2.2.5.1 32 NULL 0

[FW] ip route-static 2.2.5.2 32 NULL 0

[FW] ip route-static 2.2.5.3 32 NULL 0

[FW] ip route-static 2.2.6.1 32 NULL 0

[FW] ip route-static 2.2.6.2 32 NULL 0

[FW] ip route-static 2.2.6.3 32 NULL 0

[FW] ip route-static 2.2.7.1 32 NULL 0

[FW] ip route-static 2.2.7.2 32 NULL 0

[FW] ip route-static 2.2.7.3 32 NULL 0

[FW] ip route-static 3.3.1.1 32 NULL 0

[FW] ip route-static 3.3.1.2 32 NULL 0

[FW] ip route-static 3.3.1.3 32 NULL 0

[FW] ip route-static 3.3.2.1 32 NULL 0

[FW] ip route-static 3.3.2.2 32 NULL 0

[FW] ip route-static 3.3.2.3 32 NULL 0

11. Configure NAT ALG between Trust and the other security zones, using FTP, QQ and RTSP as examples. Configuring NAT ALG with these commands also enables ASPF.

[FW] firewall interzone trust edu_zone

[FW-interzone-trust-edu_zone] detect ftp

[FW-interzone-trust-edu_zone] detect qq

[FW-interzone-trust-edu_zone] detect rtsp

[FW-interzone-trust-edu_zone] quit

[FW] firewall interzone trust isp1_zone1

[FW-interzone-trust-isp1_zone1] detect ftp

[FW-interzone-trust-isp1_zone1] detect qq

[FW-interzone-trust-isp1_zone1] detect rtsp

[FW-interzone-trust-isp1_zone1] quit

[FW] firewall interzone trust isp1_zone2

[FW-interzone-trust-isp1_zone2] detect ftp

[FW-interzone-trust-isp1_zone2] detect qq

[FW-interzone-trust-isp1_zone2] detect rtsp

[FW-interzone-trust-isp1_zone2] quit

[FW] firewall interzone trust isp1_zone3

[FW-interzone-trust-isp1_zone3] detect ftp

[FW-interzone-trust-isp1_zone3] detect qq

[FW-interzone-trust-isp1_zone3] detect rtsp

[FW-interzone-trust-isp1_zone3] quit

[FW] firewall interzone trust isp2_zone1

[FW-interzone-trust-isp2_zone1] detect ftp

[FW-interzone-trust-isp2_zone1] detect qq

[FW-interzone-trust-isp2_zone1] detect rtsp

[FW-interzone-trust-isp2_zone1] quit

[FW] firewall interzone trust isp2_zone2

[FW-interzone-trust-isp2_zone2] detect ftp

[FW-interzone-trust-isp2_zone2] detect qq

[FW-interzone-trust-isp2_zone2] detect rtsp

[FW-interzone-trust-isp2_zone2] quit

12. Configure attack defense. The commands below enable the single-packet defenses; flood defenses such as the SYN flood protection listed in the requirements are not shown here and must be configured separately.

[FW] firewall defend land enable

[FW] firewall defend smurf enable

[FW] firewall defend fraggle enable

[FW] firewall defend ip-fragment enable

[FW] firewall defend tcp-flag enable

[FW] firewall defend winnuke enable

[FW] firewall defend source-route enable

[FW] firewall defend teardrop enable

[FW] firewall defend route-record enable

[FW] firewall defend time-stamp enable

[FW] firewall defend ping-of-death enable
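What each of the single-packet defenses above actually looks for, expressed as detection logic over constructed packet summaries. This is an added example, not part of the page and not Huawei code: the page only names the attacks, so the packet fields, the set of illegal TCP flag combinations and the fragment limits below are our assumptions about what each defense checks.

```python
"""Detectors for the single-packet attacks enabled by `firewall defend`."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Pkt:
    """Constructed summary of one IP packet."""
    src: str
    dst: str
    proto: str                                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()         # TCP flags that are set
    icmp_type: Optional[int] = None
    total_len: int = 64                         # length of the (reassembled) IP datagram
    ip_options: FrozenSet[str] = frozenset()    # "lsrr", "ssrr", "rr", "ts"
    dst_is_broadcast: bool = False


def land(p: Pkt) -> bool:            # spoofed source equal to destination
    return p.proto == "tcp" and p.src == p.dst

def smurf(p: Pkt) -> bool:           # ICMP echo request to a broadcast address
    return p.proto == "icmp" and p.icmp_type == 8 and p.dst_is_broadcast

def fraggle(p: Pkt) -> bool:         # UDP echo/chargen to a broadcast address
    return p.proto == "udp" and p.dst_is_broadcast and p.dport in (7, 19)

def tcp_flag(p: Pkt) -> bool:
    """Illegal flag combinations (assumed set): none, SYN+FIN, SYN+RST, FIN without ACK."""
    if p.proto != "tcp":
        return False
    f = p.flags
    return (not f) or {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f or ("FIN" in f and "ACK" not in f)

def winnuke(p: Pkt) -> bool:         # out-of-band data to NetBIOS session port
    return p.proto == "tcp" and p.dport == 139 and "URG" in p.flags

def source_route(p: Pkt) -> bool:    # loose/strict source routing options
    return bool(p.ip_options & {"lsrr", "ssrr"})

def route_record(p: Pkt) -> bool:
    return "rr" in p.ip_options

def time_stamp(p: Pkt) -> bool:
    return "ts" in p.ip_options

def ping_of_death(p: Pkt) -> bool:   # reassembled ICMP datagram above the IP maximum
    return p.proto == "icmp" and p.total_len > 65535


CHECKS = {
    "land": land, "smurf": smurf, "fraggle": fraggle, "tcp-flag": tcp_flag,
    "winnuke": winnuke, "source-route": source_route, "route-record": route_record,
    "time-stamp": time_stamp, "ping-of-death": ping_of_death,
}


def classify(p: Pkt) -> List[str]:
    """Names of every defense the packet would trigger, in CHECKS order."""
    return [name for name, check in CHECKS.items() if check(p)]


@dataclass(frozen=True)
class Fragment:
    offset: int      # in 8-byte units, as carried in the IP header
    length: int      # payload bytes in this fragment
    more: bool       # MF bit


def fragment_attack(frags) -> Optional[str]:
    """'teardrop' for overlapping fragments; 'ip-fragment' (assumed rules) for a
    non-final fragment whose length is not a multiple of 8 or a fragment that
    would extend past 65535 bytes. None when the set reassembles cleanly."""
    end = 0
    for fr in sorted(frags, key=lambda f: f.offset):
        start = fr.offset * 8
        if fr.more and fr.length % 8:
            return "ip-fragment"
        if start + fr.length > 65535:
            return "ip-fragment"
        if start < end:
            return "teardrop"
        end = start + fr.length
    return None


if __name__ == "__main__":
    print(classify(Pkt("1.1.1.1", "1.1.1.1", "tcp", sport=80, dport=80, flags=frozenset({"SYN"}))))
    print(fragment_attack([Fragment(0, 24, True), Fragment(2, 24, False)]))
```

The per-packet checks are stateless and cheap, which is why they can run on every packet at the egress; only teardrop needs the fragments of one datagram collected first, and in a multi-egress design that is exactly where asymmetric paths (see the audit note above) can leave the FW with an incomplete set.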

13. Configure an audit profile and reference it in an audit policy.

[FW] profile type audit name trust_to_internet_audit

[FW-profile-audit-trust_to_internet_audit] http-audit url all

[FW-profile-audit-trust_to_internet_audit] http-audit bbs-content

[FW-profile-audit-trust_to_internet_audit] http-audit micro-blog

[FW-profile-audit-trust_to_internet_audit] http-audit file direction both

[FW-profile-audit-trust_to_internet_audit] ftp-audit file direction both

[FW-profile-audit-trust_to_internet_audit] quit

[FW] audit-policy

[FW-policy-audit] rule name trust_to_internet_audit_policy

[FW-policy-audit-rule-trust_to_internet_audit_policy] source-zone trust

[FW-policy-audit-rule-trust_to_internet_audit_policy] destination-zone edu_zone isp1_zone1 isp1_zone2 isp1_zone3 isp2_zone1 isp2_zone2

[FW-policy-audit-rule-trust_to_internet_audit_policy] action audit profile trust_to_internet_audit

[FW-policy-audit-rule-trust_to_internet_audit_policy] quit

[FW-policy-audit] quit

14. Configure bandwidth management.

# Rate-limit P2P traffic on the GE1/0/2 link.

[FW] traffic-policy

[FW-policy-traffic] profile isp1_p2p_profile_01

[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth whole both 100000

[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth per-ip both 500

[FW-policy-traffic-profile-isp1_p2p_profile_01] quit

[FW-policy-traffic] rule name isp1_p2p_01

[FW-policy-traffic-rule-isp1_p2p_01] ingress-interface GigabitEthernet 1/0/7

[FW-policy-traffic-rule-isp1_p2p_01] egress-interface GigabitEthernet 1/0/2

[FW-policy-traffic-rule-isp1_p2p_01] application category Entertainment sub-category PeerCasting

[FW-policy-traffic-rule-isp1_p2p_01] application category General_Internet sub-category FileShare_P2P

[FW-policy-traffic-rule-isp1_p2p_01] action qos profile isp1_p2p_profile_01

[FW-policy-traffic-rule-isp1_p2p_01] quit

# Rate-limit P2P traffic on the GE1/0/3 link.

[FW-policy-traffic] profile isp1_p2p_profile_02

[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth whole both 300000

[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth per-ip both 1000

[FW-policy-traffic-profile-isp1_p2p_profile_02] quit

[FW-policy-traffic] rule name isp1_p2p_02

[FW-policy-traffic-rule-isp1_p2p_02] ingress-interface GigabitEthernet 1/0/7

[FW-policy-traffic-rule-isp1_p2p_02] egress-interface GigabitEthernet 1/0/3

[FW-policy-traffic-rule-isp1_p2p_02] application category Entertainment sub-category PeerCasting

[FW-policy-traffic-rule-isp1_p2p_02] application category General_Internet sub-category FileShare_P2P

[FW-policy-traffic-rule-isp1_p2p_02] action qos profile isp1_p2p_profile_02

[FW-policy-traffic-rule-isp1_p2p_02] quit

# Rate-limit P2P traffic on the GE1/0/4 link.

[FW-policy-traffic] profile isp1_p2p_profile_03

[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth whole both 700000

[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth per-ip both 2000

[FW-policy-traffic-profile-isp1_p2p_profile_03] quit

[FW-policy-traffic] rule name isp1_p2p_03

[FW-policy-traffic-rule-isp1_p2p_03] ingress-interface GigabitEthernet 1/0/7

[FW-policy-traffic-rule-isp1_p2p_03] egress-interface GigabitEthernet 1/0/4

[FW-policy-traffic-rule-isp1_p2p_03] application category Entertainment sub-category PeerCasting

[FW-policy-traffic-rule-isp1_p2p_03] application category General_Internet sub-category FileShare_P2P

[FW-policy-traffic-rule-isp1_p2p_03] action qos profile isp1_p2p_profile_03

[FW-policy-traffic-rule-isp1_p2p_03] quit

[FW-policy-traffic] quit
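Added example (not part of the original configuration guide): a small Python lint over the `traffic-policy` commands of step 14, assuming the CLI prompts have been stripped from the configuration text and that per-interface link capacities are supplied by the operator (the guide does not state which capacity belongs to which interface). It checks that every rule's `action qos profile` points at a defined profile, that the per-IP cap never exceeds the whole cap, and that the whole P2P cap fits within the link.

```python
import re
BW_RE = re.compile(r"bandwidth maximum-bandwidth (whole|per-ip) both (\d+)")

# Constructed sample: step 14 commands with CLI prompts stripped, plus one
# deliberately wrong rule (isp1_p2p_bad) that references an undefined profile.
SAMPLE = """
 profile isp1_p2p_profile_01
  bandwidth maximum-bandwidth whole both 100000
  bandwidth maximum-bandwidth per-ip both 500
 rule name isp1_p2p_01
  egress-interface GigabitEthernet 1/0/2
  action qos profile isp1_p2p_profile_01
 rule name isp1_p2p_bad
  egress-interface GigabitEthernet 1/0/3
  action qos profile isp1_p2p_profile_99
"""

def parse_traffic_policy(text):
    """profiles: name -> {'whole': kbps, 'per-ip': kbps}; rules: name -> {'egress', 'profile'}."""
    profiles, rules, cur_p, cur_r = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BW_RE.match(line)
        if line.startswith("profile "):          # start of a QoS profile block
            cur_p, cur_r = line.split()[1], None
            profiles[cur_p] = {}
        elif line.startswith("rule name "):      # start of a traffic-policy rule
            cur_r, cur_p = line.split()[2], None
            rules[cur_r] = {}
        elif m and cur_p:
            profiles[cur_p][m.group(1)] = int(m.group(2))
        elif line.startswith("egress-interface ") and cur_r:
            rules[cur_r]["egress"] = line.split(" ", 1)[1]
        elif line.startswith("action qos profile ") and cur_r:
            rules[cur_r]["profile"] = line.split()[-1]
    return profiles, rules

def lint(profiles, rules, link_kbps):
    """Flag inconsistencies; link_kbps maps egress interface -> capacity in kbps (operator-supplied assumption)."""
    issues = []
    for name, p in profiles.items():
        if p.get("per-ip", 0) > p.get("whole", 0):
            issues.append(f"profile {name}: per-ip limit exceeds whole limit")
    for name, r in rules.items():
        prof = r.get("profile")
        if prof not in profiles:
            issues.append(f"rule {name}: undefined profile {prof}")
        elif profiles[prof].get("whole", 0) > link_kbps.get(r.get("egress"), float("inf")):
            issues.append(f"rule {name}: P2P cap exceeds link capacity on {r['egress']}")
    return issues
```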

15. Configure system logging and NAT traceability, and view the logs on the eSight network management system.

# Configure the FW to send system logs (in this example, IPS logs and attack defense logs) to the log host (10.1.10.30).

[FW] info-center enable

[FW] engine log ips enable

[FW] info-center source IPS channel loghost log level emergencies

[FW] info-center source ANTIATTACK channel loghost

[FW] info-center loghost 10.1.10.30

# Configure session logging.

[FW] security-policy

[FW-policy-security] rule name trust_edu_zone

[FW-policy-security-rule-trust_edu_zone] source-zone trust

[FW-policy-security-rule-trust_edu_zone] destination-zone edu_zone

[FW-policy-security-rule-trust_edu_zone] action permit

[FW-policy-security-rule-trust_edu_zone] session logging

[FW-policy-security-rule-trust_edu_zone] quit

[FW-policy-security] rule name trust_isp1_zone

[FW-policy-security-rule-trust_isp1_zone] source-zone trust

[FW-policy-security-rule-trust_isp1_zone] destination-zone isp1_zone1 isp1_zone2 isp1_zone3

[FW-policy-security-rule-trust_isp1_zone] action permit

[FW-policy-security-rule-trust_isp1_zone] session logging

[FW-policy-security-rule-trust_isp1_zone] quit

[FW-policy-security] rule name trust_isp2_zone

[FW-policy-security-rule-trust_isp2_zone] source-zone trust

[FW-policy-security-rule-trust_isp2_zone] destination-zone isp2_zone1 isp2_zone2

[FW-policy-security-rule-trust_isp2_zone] action permit

[FW-policy-security-rule-trust_isp2_zone] session logging

[FW-policy-security-rule-trust_isp2_zone] quit

[FW-policy-security] quit

16. Configure SNMP. The SNMP parameters on the log server must be consistent with those configured on the FW.

[FW] snmp-agent sys-info version v3

[FW] snmp-agent group v3 inside_snmp privacy

[FW] snmp-agent usm-user v3 snmp_user group inside_snmp

[FW] snmp-agent usm-user v3 snmp_user authentication-mode sha cipher Test@123

[FW] snmp-agent usm-user v3 snmp_user privacy-mode aes256 cipher Test@123

After the log server configuration is complete, choose "Log Analysis > Session Analysis > IPv4 Session Logs" on the log server to view the session logs.