Shulou(Shulou.com)06/01 Report--

I. configure security policy

Configure the network (ensure network connectivity)

The first step is to configure under the system view

Dis ver

2018-05-26 1214 340 56.580

Huawei Versatile Routing Platform Software

VRP (R) Software, Version 5.170 (USG6500 V500R001C60SPC300)

Copyright (C) 2014-2017 Huawei Technologies Co., Ltd.

USG6530 uptime is 0 week, 0 day, 0 hour, 10 minutes

License active activates the specified license file

Display license views license's information

System-view

Info-center enable # Open Log Center

Info-center loghost 192.168.1.10 # configure the log server IP address and the source interface for sending log information

Info-center loghost source GE0/0/1

Step 2, configure the interface address

Interface g0swap 1 # enters the G0UniUniq1 interface.

Ip add 192.168.10.1 24 # configure interface address

Service-manage enable # enable management function

Service-manage https permit # allows https management functions (policies that control management protocols take priority)

Undo shutdown # activate the interface

Portswitch # switches to layer 2 Ethernet interface mode

Quit # exits the interface view

Web-manager security enable port 2000 # enables web management (https is supported by security, but http is not supported)

Aaa

Manager-user admin # configuring web users

Password cipher admin@123

Service-type web

Level 3

Manager-user ftptest

Service-type ftp

Password cipher ftp@1234

Level 3

Ftp-directory hda1:/

User (192.168.40.1: (none)): ftptest

331 Password required for ftptest.

Password: ftp@1234

230 User logged in.

Ftp > get vrpcfg.zip

200 Port command okay.

150 Opening ASCII mode data connection for directory list.

226 Transfer complete.

Ftp: received 5966 bytes, using 0.05s 112.57 kilobytes per second.

Ftp > lcd

The current local directory C:\ Users\ Administrator.

Step 3: add the interface to the area

Firewall zone office # create a security zone

Set priority 80 # set the security level

Add interface g0swap 1 # add the interface to the security zone

Display zone viewing area

Display firewall packet-filter default all views forwarding policies between default areas

Step 4, modify the default policy

Ip route-static 0.0.0.0 0.0.0.0 123.121.1.1

Fifth step, use strategy, precise control

Firewall packet-filter default permit interzone trust dmz direction outbound releases all traffic from trust to DMZ area

The higher the security policy rules, the higher the priority.

Firewall interzone trust dmz

For multi-channel services, detect ftp needs to enable application layer detection to release the traffic of the service.

Policy interzone trust dmz outbound formulates a precise traffic policy from trust trigger to dmz. The default is to reject all.

Security-policy # enters the security view

Rule name 1 # create security rule name

Source-zone office # configure source security zone

Destination-zone local # destination security zone

Source-address 192.168.1.0 mask 255.255.255.0 # configure the source address of the security policy rule

Action permit action

0.255.0.255 reverse mask # indicates that segments An and C are masked, while segments B and D are ignored

Rule move 3 before rule 1 # Adjustment Policy

Quit

Time-range week

Absolute-range 8:00:00 2018-05-07 to 8:00:00 2019-05-07 set absolute time period

Period-range 8:00:00 to 17:30:00 daily set cycle time period

Hh:mm:ss # from some time to some time

YYYY/MM/DD # from a date to a date

Daily # every day of the week

Off-day # rest days (Saturday, Sunday)

Working-day # weekdays (Monday to Friday)

Display policy interzone trust dmz outbound

Firewall defend syn-flood enable enables syn-flood*** prevention function.

Firewall defend tcp-illegal-session enable

Firewall defend port-scan-flood enable

Firewall defend udp-flood enable

Firewall defend icmp-flood enable

Firewall defend arp-flood enable

Firewall defend syn-flood enable

Snmp-agent sys-info version V2C # sets SNMP version number V2C

Snmp-agent community read cipher public # sets SNMP read-only community word public

Snmp-agent community write cipher admin # set SNMP to read and write community words admin

Snmp-agent trap enable # enable SNMP trap function

Snmp-agent target-host trap address udp-domain 192.168.1.1 params securityname cipher hello@123 v2c # set up SNMP trap server

The configuration management device actively sends an alarm to the network management server. If the SNMP trap,SNMP network management service is not configured, it will only periodically send various query messages to the managed device, and the device will return the query data.

User-interface console 0

Ide-outtime 0 10 timeout

User-interface vty 0 4

Set authentication password cipher admin@123 # password authentication, using password authentication only

Authentication-mode aaa # AAA authentication, using username and password authentication

Protocol inbound all # allows all protocol connections

The default policy blocks all traffic (including those initiated by local and local), but the policy of the control management protocol under the interface takes precedence.

Logging in through the Console port is the safest way, and it is also the only way to log in to the device for troubleshooting when the device cannot start (when it cannot connect to the network).

One-click upgrade of system software

1. Check whether the storage space of the system device is satisfied.

2. The system software must be suffixed with ".bin" and does not support Chinese.

3. Set to start the system software next time, and restart the system

Display firewall esn # uniquely identifies the digital serial number of the device. You need to provide the device esn information when applying for license files.

Display firewall session table view session table information

Display firewall session table verbose view session table details

Display firewall statistic system discard

Reset firewall session table # clears the system's current session list entry

Profile Typ

Current-configuration: the configuration is currently in effect and is stored in memory. Restart is lost.

Saved-configuration: the configuration file used for the next power-on startup will be stored in Flash or CF card, and the restart will not be lost.

Clear the configuration file

1. Command mode: reset saved-configuration # restart

2. Web mode: system-> profile management-- > restore factory configuration-- > Click

3. Hardware reset button: press and hold the reset button first-- > turn on the power switch on the device-- > the LED flashes at a frequency of 2 times per second-- > release the reset.

4. The device has been started normally: press and hold reset for more than 10s and release

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.