




Huawei Firewall Policy Test Plan

Test objective

Some customers we meet at work need Huawei firewall devices set up. This lab is mainly practice in configuring a Huawei firewall from the command line: configuring firewall policies and learning how firewall security zones are configured.

Topology overview

1. FW6, the firewall, is the egress device.
2. AR6 is the untrust-zone device.
3. AR7 is the trust-zone device.
4. AR8 is the DMZ device.

Test topology

[Figure: test topology diagram; not recoverable from the extracted text]

Test report

Test item: Huawei firewall security-zone policy configuration
Test purpose: Huawei firewall security-zone policy configuration
Test environment, preconditions:
1) Build the test environment according to the networking above.
Test steps:
1) Configure AR4, the router on the metropolitan-area-network side.
2) Configure AR6 as the untrust-zone device.
3) Configure AR7 as the trust-zone device.
4) Configure AR8 as the DMZ device.
Expected result:
1) The AR6 site and AR8's internal network can be seen to ping and telnet; other traffic does not pass.
Actual result:
[Screenshots: interface status listing; ping -a 10.0.1.1 10.0.3.3 receiving replies from 10.0.3.3; telnet session connecting to 10.0.3.3]
Remarks: The experiment succeeded.

Device configuration:

R6

```
dis cur
V200R003C00
#
 sysname R6
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZe#08bmE3Uw%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
 ip address
#
ip route-static 54
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
```

R7

```
dis cur
V200R003C00
#
 sysname R7
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZe#08bmE3Uw%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
 ip address
#
ip route-static 0.0.0.0 54
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
```

R8

```
dis cur
V200R003C00
#
 sysname R8
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user test password cipher %$%$aH$oPQzuh3o*CU/2=)%6Yo%$%$
 local-user test service-type telnet
 local-user admin password cipher %$%$K8m.Nt84DZe#08bmE3Uw%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 10.0.30.1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
 ip address 10.0.3.3
#
ip route-static 0.0.0.0 54
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
 authentication-mode aaa
user-interface vty 16 20
#
wlan ac
#
return
```

FW

```
dis cur
2019-10-15 06:53:54.890
!Software Version V500R005C10SPC300
#
sysname FW
#
 l2tp domain suffix-separator
#
 ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
clock timezone UTC add 00:00:00
#
 update schedule location-sdb weekly Sun 02:42
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
page-setting
 user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 update schedule ips-sdb daily 02:44
 update schedule av-sdb daily 02:44
 update schedule sa-sdb daily 02:44
 update schedule cnc daily 02:44
 update schedule file-reputation daily 02:44
#
ip vpn-instance default
 ipv4-family
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher%i2%ds5o896Zat;|=/=Kn1)3Yjt!aQ73.lm8Ybq.Gn1,K%
  service-type web terminal
  level 15
 manager-user api-admin
  password cipher%5,F$3$mr;6,&j!B|N0Tq-2bB&B:H%|DNA*hoeE)-5q%
  level 15
 manager-user admin
  password cipher%&l;O#EYG6RH#1Tk51HeKrvU!AC5p1JazWsp:IKrye%
  service-type web terminal
  level 15
 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address
 alias GE0/METH
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 54
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 54
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 54
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
#
ip route-static
ip route-static
ip route-static
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_25
```
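A check over the zone stanzas of a dump like the FW configuration above, as an added example that is not part of the original document: it maps each `firewall zone` to its priority and member interfaces and lists interfaces that no zone adds, which on a Huawei firewall do not forward traffic until they are added to a zone. The sample text and the function names `parse_zones` and `unassigned` are constructed for illustration, and the parser assumes sub-commands are indented as in a real `display current-configuration` output.

```python
import re

# Constructed sample in the layout of a firewall configuration dump:
# three interfaces, two zones (zone names and priorities as in the FW dump).
SAMPLE = """\
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
#
"""

def parse_zones(config):
    """Return (zones, interfaces): zone name -> priority and members, plus all GE ports."""
    zones, interfaces, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # unindented line: a new stanza (or "#") begins
            m = re.match(r"firewall zone (?:name )?(\S+)", line)
            current = zones.setdefault(m.group(1), {"priority": None, "interfaces": []}) if m else None
            if line.startswith("interface GigabitEthernet"):
                interfaces.append(line.split()[1])
        elif current is not None and line.startswith("set priority "):
            current["priority"] = int(line.split()[-1])
        elif current is not None and line.startswith("add interface "):
            current["interfaces"].append(line.split()[-1])
    return zones, interfaces

def unassigned(config):
    """GE interfaces that no 'firewall zone' stanza adds."""
    zones, interfaces = parse_zones(config)
    bound = {i for z in zones.values() for i in z["interfaces"]}
    return [i for i in interfaces if i not in bound]

if __name__ == "__main__":
    print(parse_zones(SAMPLE)[0])
    print("not in any zone:", unassigned(SAMPLE))
```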