SLTechnology News&Howtos > Network Security, updated 2025-01-19
Shulou(Shulou.com)06/01 Report--
Huawei Firewall Security Policy configuration
I. Configuration requirements and topology
Requirements:
1. Users in the Trust zone can access users in the Untrust zone and the DMZ zone.
2. Users in the Untrust zone can only reach ICMP and Telnet services in the DMZ zone.
3. Users in the DMZ zone cannot access the Untrust zone or the Trust zone.
4. Within the Trust zone, only traffic from the source network 192.168.1.0 is allowed.
II. Basic configuration
Firewall huaweiFW:
system-view
sysname huaweiFW
interface GigabitEthernet0/0/0
ip address 202.100.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/1
ip address 172.16.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/2
ip address 192.168.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/3
ip address 192.168.10.10 255.255.255.0
quit
firewall zone trust
add interface GigabitEthernet0/0/2
add interface GigabitEthernet0/0/3
quit
firewall zone untrust
add interface GigabitEthernet0/0/0
quit
firewall zone dmz
add interface GigabitEthernet0/0/1
quit
AR1:
system-view
sysname AR1
interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 192.168.10.10
(The default route must point at the firewall's GigabitEthernet0/0/3 address, 192.168.10.10, not at the router's own interface address.)
AR2:
system-view
sysname DMZ
interface GigabitEthernet 0/0/0
ip address 172.16.1.1 24
quit
ip route-static 0.0.0.0 0 172.16.1.10
AR3:
system-view
sysname trust
interface GigabitEthernet 0/0/0
ip address 192.168.1.1 24
quit
interface LoopBack0
ip address 2.2.2.2 32
quit
ip route-static 0.0.0.0 0 192.168.1.10
quit
III. Firewall policy configuration
The default firewall policy is:
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
firewall session link-state check (enables session link-state checking)
firewall packet-filter default deny all (denies all other interzone traffic)
Security policy that satisfies the requirements:
1. Users in the Trust zone can access the Untrust zone and the DMZ zone:
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction outbound
2. Users in the Untrust zone can only reach ICMP and Telnet services in the DMZ zone (Untrust has the lower zone priority, so this traffic is the inbound direction of the dmz-untrust interzone):
policy interzone dmz untrust inbound
policy 1
action permit
policy service service-set icmp
policy destination 172.16.1.1 0
policy 2
action permit
policy service service-set telnet
policy destination 172.16.1.1 0
Verify the policy (the match counters confirm that ICMP and Telnet traffic has hit both rules):
[huaweiFW] display policy interzone untrust dmz inbound
15:17:51 2015-02-02
policy interzone dmz untrust inbound
 firewall default packet-filter is deny
 policy 1 (2 times matched)
  action permit
  policy service service-set icmp (predefined)
  policy source any
  policy destination 172.16.1.1 0
 policy 2 (4 times matched)
  action permit
  policy service service-set telnet (predefined)
  policy source any
  policy destination 172.16.1.1 0
[huaweiFW]
3. Users in the DMZ zone cannot access the Untrust zone or the Trust zone (no configuration is needed: the default packet-filter already denies this traffic).
4. Within the Trust zone, only the source network 192.168.1.0 is allowed (intra-zone policy):
policy zone trust
policy 1
action permit
policy service service-set icmp
policy source 192.168.1.0 mask 255.255.255.0
policy 2
action deny
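The following script is an added example, not code from the article or from Huawei. It parses the policy lines above into rules and evaluates constructed sample flows against them, so each of the four requirements can be checked offline before the configuration is pushed. It assumes the USG default zone priorities (local 100, trust 85, dmz 50, untrust 5), treats "inbound" as the direction from the lower-priority zone to the higher one, models "firewall packet-filter default deny all" as the fallback for interzones with no explicit default, and assumes intra-zone traffic is permitted unless a rule denies it. The sample addresses 202.100.1.1, 172.16.1.2 and the "ssh" service are constructed test inputs.

```python
"""Offline model of the Huawei USG security policy configured in this article.

Added example, not Huawei code. Assumptions: USG default zone priorities,
'inbound' = lower-priority zone to higher-priority zone, 'default deny all' is
the fallback for interzones without an explicit default, intra-zone traffic is
permitted unless a rule denies it.
"""
import ipaddress

ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Constructed input: the policy lines from section III of the article.
POLICY_CONFIG = """
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default deny all
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction outbound
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set icmp
  policy destination 172.16.1.1 0
 policy 2
  action permit
  policy service service-set telnet
  policy destination 172.16.1.1 0
policy zone trust
 policy 1
  action permit
  policy service service-set icmp
  policy source 192.168.1.0 mask 255.255.255.0
 policy 2
  action deny
"""


class Rule:
    """One numbered rule inside a policy set; an empty field matches anything."""

    def __init__(self, number):
        self.number, self.action = number, None
        self.services, self.source, self.destination = set(), None, None

    def matches(self, src_ip, dst_ip, service):
        return ((not self.services or service in self.services)
                and (self.source is None or src_ip in self.source)
                and (self.destination is None or dst_ip in self.destination))


def to_network(addr, kind, mask=None):
    """Translate 'A <wildcard>' or 'A mask M' into an ipaddress network."""
    if kind == "mask":
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    wildcard = "0.0.0.0" if kind == "0" else kind        # USG accepts "0" for one host
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)


def parse_policy(text):
    """Return (defaults, fallback, policy_sets) parsed from USG-style CLI lines."""
    defaults, fallback, policy_sets = {}, "permit", {}
    current_set = current_rule = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["firewall", "packet-filter", "default"]:
            if t[3:5] == ["deny", "all"]:
                fallback = "deny"        # assumption: fallback for unlisted interzones
            else:                        # ... default <act> interzone <z1> <z2> direction <dir>
                defaults[(frozenset(t[5:7]), t[8])] = t[3]
        elif t[:2] == ["policy", "interzone"]:
            current_set = policy_sets.setdefault((frozenset(t[2:4]), t[4]), [])
        elif t[:2] == ["policy", "zone"]:
            current_set = policy_sets.setdefault((frozenset(t[2:3]), "intrazone"), [])
        elif t[0] == "policy" and t[1].isdigit():
            current_rule = Rule(int(t[1]))
            current_set.append(current_rule)
        elif t[0] == "action":
            current_rule.action = t[1]
        elif t[:3] == ["policy", "service", "service-set"]:
            current_rule.services.add(t[3])
        elif t[:2] == ["policy", "source"]:
            current_rule.source = to_network(*t[2:5])
        elif t[:2] == ["policy", "destination"]:
            current_rule.destination = to_network(*t[2:5])
    return defaults, fallback, policy_sets


def evaluate(cfg, src_zone, dst_zone, src_ip, dst_ip, service):
    """Return (action, reason) for the first packet of a flow."""
    defaults, fallback, policy_sets = cfg
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src_zone == dst_zone:          # assumption: intra-zone default is permit
        key, default = (frozenset([src_zone]), "intrazone"), "permit"
    else:
        direction = "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"
        key = (frozenset([src_zone, dst_zone]), direction)
        default = defaults.get(key, fallback)
    for rule in policy_sets.get(key, []):
        if rule.matches(src_ip, dst_ip, service):
            return rule.action, f"policy {rule.number}"
    return default, "default packet-filter"


# Constructed sample flows: (description, src_zone, dst_zone, src, dst, service, expected)
SAMPLE_FLOWS = [
    ("req 1: trust -> untrust telnet", "trust", "untrust", "192.168.1.1", "202.100.1.1", "telnet", "permit"),
    ("req 1: trust -> dmz ssh", "trust", "dmz", "192.168.1.1", "172.16.1.1", "ssh", "permit"),
    ("req 2: untrust -> dmz telnet", "untrust", "dmz", "202.100.1.1", "172.16.1.1", "telnet", "permit"),
    ("req 2: untrust -> dmz icmp", "untrust", "dmz", "202.100.1.1", "172.16.1.1", "icmp", "permit"),
    ("req 2: untrust -> dmz ssh", "untrust", "dmz", "202.100.1.1", "172.16.1.1", "ssh", "deny"),
    ("req 2: telnet to other dmz host", "untrust", "dmz", "202.100.1.1", "172.16.1.2", "telnet", "deny"),
    ("req 3: dmz -> trust", "dmz", "trust", "172.16.1.1", "192.168.1.1", "icmp", "deny"),
    ("req 3: dmz -> untrust", "dmz", "untrust", "172.16.1.1", "202.100.1.1", "icmp", "deny"),
    ("req 4: 192.168.1.0/24 icmp inside trust", "trust", "trust", "192.168.1.1", "192.168.10.1", "icmp", "permit"),
    ("req 4: other source inside trust", "trust", "trust", "192.168.10.1", "192.168.1.1", "icmp", "deny"),
]


def check_requirements(cfg=None):
    """Evaluate every sample flow; return the descriptions whose result is not the expected one."""
    if cfg is None:
        cfg = parse_policy(POLICY_CONFIG)
    failures = []
    for desc, sz, dz, s, d, svc, expected in SAMPLE_FLOWS:
        action, reason = evaluate(cfg, sz, dz, s, d, svc)
        print(f"{desc:42s} {action:6s} ({reason})")
        if action != expected:
            failures.append(desc)
    return failures


if __name__ == "__main__":
    print("failed checks:", check_requirements())
```

Run it as a script to print one line per sample flow with the rule or default that decided it; an empty "failed checks" list means every requirement holds. Adding a flow that should be blocked (for example a new service toward 172.16.1.1 from Untrust) and re-running is a quick way to confirm that the dmz-untrust interzone still falls through to the deny default after the policy is edited.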
© 2024 shulou.com SLNews company. All rights reserved.