2025-04-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I. Configure the security policy
Configure the network (ensure network connectivity)
Step 1: configure in the system view
display version # abbreviated as dis ver; shows the software version and uptime
2018-05-26 1214 340 56.580
Huawei Versatile Routing Platform Software
VRP (R) Software, Version 5.170 (USG6500 V500R001C60SPC300)
Copyright (C) 2014-2017 Huawei Technologies Co., Ltd.
USG6530 uptime is 0 week, 0 day, 0 hour, 10 minutes
license active # activate the specified license file
display license # view license information
system-view
info-center enable # enable the log center
info-center loghost 192.168.1.10 # configure the log server IP address
info-center loghost source GE0/0/1 # configure the source interface used for sending log information
Step 2: configure the interface address
interface g0/0/1 # enter the G0/0/1 interface view
ip address 192.168.10.1 24 # configure the interface address
service-manage enable # enable the management function on the interface
service-manage https permit # allow HTTPS management access (the management-protocol control policy on the interface takes priority)
undo shutdown # activate the interface
portswitch # switch to layer-2 Ethernet interface mode
quit # exit the interface view
web-manager security enable port 2000 # enable web management on port 2000 (security mode supports HTTPS only, not HTTP)
aaa
 manager-user admin # configure the web user
  password cipher admin@123
  service-type web
  level 3
 manager-user ftptest # configure the FTP user
  service-type ftp
  password cipher ftp@1234
  level 3
  ftp-directory hda1:/
User (192.168.40.1:(none)): ftptest
331 Password required for ftptest.
Password: ftp@1234
230 User logged in.
ftp> get vrpcfg.zip
200 Port command okay.
150 Opening ASCII mode data connection for directory list.
226 Transfer complete.
ftp: received 5966 bytes, using 0.05s 112.57 kilobytes per second.
ftp> lcd
Current local directory: C:\Users\Administrator.
Step 3: add the interface to a security zone
firewall zone office # create a security zone
 set priority 80 # set the security level of the zone
 add interface g0/0/1 # add the interface to the security zone
display zone # view security zones
display firewall packet-filter default all # view the default forwarding policies between zones
Step 4: modify the default policy
ip route-static 0.0.0.0 0.0.0.0 123.121.1.1 # default route
Step 5: use security policies for precise control
firewall packet-filter default permit interzone trust dmz direction outbound # permit all traffic from the trust zone to the dmz zone
Security policy rules that appear higher in the list have higher priority.
firewall interzone trust dmz
 detect ftp # for multi-channel services such as FTP, enable application-layer detection so that the service's data traffic is permitted
policy interzone trust dmz outbound # define a precise traffic policy from the trust zone to the dmz zone; the default is to deny all
security-policy # enter the security policy view
 rule name 1 # create a security rule named 1
  source-zone office # configure the source security zone
  destination-zone local # configure the destination security zone
  source-address 192.168.1.0 mask 255.255.255.0 # configure the source address of the security policy rule
  action permit # configure the action
Note on reverse masks: a reverse mask of 0.255.0.255 means that the first and third octets (A and C) must match, while the second and fourth octets (B and D) are ignored.
 rule move 3 before rule 1 # adjust the rule order
quit
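The reverse-mask semantics described above, as an added Python example that is not part of the original article: a reverse (wildcard) mask is applied bit by bit, 0 bits must match and 1 bits are ignored, so 0.255.0.255 compares only octets A and C. Function names and the sample addresses are constructed for this illustration.

```python
import ipaddress


def matches_reverse_mask(addr: str, base: str, reverse_mask: str) -> bool:
    """Return True if addr matches base under a reverse (wildcard) mask.

    A 0 bit in the reverse mask means the bit must equal the base address;
    a 1 bit is ignored. 0.255.0.255 therefore compares octets 1 and 3 only.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    ignore = int(ipaddress.IPv4Address(reverse_mask))
    care = 0xFFFFFFFF ^ ignore  # bits that must agree
    return (a & care) == (b & care)


def compared_octets(reverse_mask: str) -> list:
    """Return the 1-based octet positions an octet-aligned reverse mask compares."""
    return [i + 1 for i, octet in enumerate(reverse_mask.split(".")) if octet == "0"]


def subnet_to_reverse(mask: str) -> str:
    """Convert a normal subnet mask (255.255.255.0) to reverse form (0.0.0.255)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


if __name__ == "__main__":
    # Constructed sample: the rule's 192.168.1.0 base with the reverse mask from the text.
    for candidate in ("192.200.1.77", "10.168.1.0", "192.168.2.5"):
        print(candidate, matches_reverse_mask(candidate, "192.168.1.0", "0.255.0.255"))
```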
time-range week
 absolute-range 8:00:00 2018-05-07 to 8:00:00 2019-05-07 # set an absolute time period
 period-range 8:00:00 to 17:30:00 daily # set a periodic time period
Time-range parameters:
 hh:mm:ss # from one time of day to another
 YYYY/MM/DD # from one date to another
 daily # every day of the week
 off-day # rest days (Saturday and Sunday)
 working-day # weekdays (Monday to Friday)
display policy interzone trust dmz outbound # view the policy
firewall defend syn-flood enable # enable SYN flood attack defense
firewall defend tcp-illegal-session enable
firewall defend port-scan-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
firewall defend arp-flood enable
snmp-agent sys-info version v2c # set the SNMP version to v2c
snmp-agent community read cipher public # set the SNMP read-only community string to public
snmp-agent community write cipher admin # set the SNMP read-write community string to admin
snmp-agent trap enable # enable the SNMP trap function
snmp-agent target-host trap address udp-domain 192.168.1.1 params securityname cipher hello@123 v2c # configure the SNMP trap server
With traps configured, the managed device actively sends alarms to the network management server. If SNMP traps are not configured, the network management service only periodically sends query messages to the managed device, and the device returns the queried data.
user-interface console 0
 idle-timeout 0 10 # idle timeout (minutes seconds)
user-interface vty 0 4
 set authentication password cipher admin@123 # password authentication (password only)
 authentication-mode aaa # AAA authentication (username and password)
 protocol inbound all # allow connections over all protocols
The default policy blocks all traffic (including traffic to and from the local zone), but the management-protocol control policy under the interface takes precedence.
Logging in through the console port is the safest way, and it is also the only way to log in to the device for troubleshooting when the device cannot start (when it cannot be reached over the network).
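As an added example that is not part of the original article, a Python audit over a VRP-style configuration text for the weak settings the management section above touches on: SNMPv2c with guessable community strings, missing flood defenses, no remote log server, and VTY lines without AAA or with every inbound protocol open. The sample configuration, the finding wording and the list of weak community strings are constructed assumptions.

```python
import re
from itertools import takewhile

# Constructed sample mirroring the commands on this page (not a real device dump).
SAMPLE_CONFIG = """\
info-center enable
info-center loghost 192.168.1.10
snmp-agent sys-info version v2c
snmp-agent community read cipher public
snmp-agent community write cipher admin
firewall defend syn-flood enable
firewall defend udp-flood enable
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
"""
WEAK_COMMUNITIES = {"public", "private", "admin"}
FLOOD_DEFENDS = {"syn-flood", "udp-flood", "icmp-flood", "port-scan-flood",
                 "arp-flood", "tcp-illegal-session"}

def audit_vrp_config(text):
    """Flag weak settings in a VRP-style config text; one finding string per issue."""
    raw = [l.rstrip() for l in text.splitlines() if l.strip()]
    top = [l.strip() for l in raw if not l.startswith(" ")]
    findings = []
    # Logging: without a loghost, logs live only in memory and vanish on restart.
    if not any(l.startswith("info-center loghost ") for l in top):
        findings.append("logging: no info-center loghost configured")
    # SNMP: v2c sends community strings in clear; default-looking strings are guessable.
    if any(l.startswith("snmp-agent sys-info version v2c") for l in top):
        findings.append("snmp: version v2c (no authentication or encryption), prefer v3")
    for l in top:
        m = re.match(r"snmp-agent community (read|write) cipher (\S+)", l)
        if m and m.group(2).lower() in WEAK_COMMUNITIES:
            findings.append(f"snmp: weak {m.group(1)} community string '{m.group(2)}'")
    # Flood defenses: report any of the page's defend switches that are missing.
    enabled = {m.group(1) for l in top if (m := re.match(r"firewall defend (\S+) enable", l))}
    for d in sorted(FLOOD_DEFENDS - enabled):
        findings.append(f"defend: firewall defend {d} not enabled")
    # VTY lines: require AAA and do not open every inbound protocol.
    for i, l in enumerate(raw):
        if l.startswith("user-interface vty"):
            block = [s.strip() for s in takewhile(lambda s: s.startswith(" "), raw[i + 1:])]
            if "authentication-mode aaa" not in block:
                findings.append("vty: authentication-mode aaa not set")
            if "protocol inbound all" in block:
                findings.append("vty: protocol inbound all (restrict to ssh)")
    return findings
```

Running `audit_vrp_config(SAMPLE_CONFIG)` returns eight findings for the constructed sample; a configuration with a loghost, all six defend switches, AAA on the VTY lines and `protocol inbound ssh` returns none.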
One-click upgrade of system software
1. Check that the storage space on the device is sufficient.
2. The system software file must have the ".bin" suffix and must not contain Chinese characters.
3. Set it as the system software for the next startup, then restart the system.
display firewall esn # show the ESN, the serial number that uniquely identifies the device; the ESN is required when applying for license files
display firewall session table # view session table information
display firewall session table verbose # view session table details
display firewall statistic system discard # view system discard statistics
reset firewall session table # clear the current session table entries
Configuration file types
current-configuration: the configuration currently in effect, stored in memory; it is lost on restart.
saved-configuration: the configuration file used for the next power-on startup, stored in Flash or on the CF card; it is not lost on restart.
Clear the configuration file
1. Command mode: reset saved-configuration, then restart.
2. Web mode: System -> Configuration file management -> Restore factory configuration -> click.
3. Hardware reset button: press and hold the reset button -> turn on the power switch of the device -> when the LED flashes twice per second -> release the reset button.
4. When the device has already started normally: press and hold reset for more than 10 s, then release.