H3CSecPathF100系列防火墙配置教程
H3C防火墙配置详解
H3C SecPath F100—A-G2 防火墙的透明模式和访问控制。
注意:安全域要在安全策略中执行.URL和其他访问控制的策略都需要在安全策略中去执行。
安全策略逐条检索,匹配执行,不匹配执行下一条,直到匹配到最后,还没有的则丢弃。
配置的步骤如下:一、首先连接防火墙开启WEB命令为:yssecurity-zone name Trustimport interface GigabitEthernet1/0/0import interface GigabitEthernet1/0/1interface GigabitEthernet1/0/0port link—mode routeip address 100。
0。
0。
1 255.255。
255。
0acl advanced 3333rule 0 permit ipzone-pair security source Trust destination localpacket-filter 3333zone-pair security source local destination Trustpacket—filter 3333local—user admin class managepassword hash adminservice—type telnet terminal http httpsauthorization-attribute user-role level-3authorization-attribute user-role network—adminip http enableip https enable二、进入WEB ,将接口改为二层模式,在将二层模式的接口划到Trust安全域中。
管理口在管理域中。
配置安全策略,安全策略配置完如图详情:将接口划入到域中,例如将G1/0/2、G1/0/3口变成二层口,并加入到trust域中域间策略控制配置其他网段只能访问其中的服务器DHCP 要启用 DHCP中继dhcp—relay。
H3C SecPath F100系列防火墙配置教程
H3C SecPath F100系列防火墙配置教程初始化配置〈H3C〉system-view开启防火墙功能[H3C]firewall packet-filter enable[H3C]firewall packet-filter default permit分配端口区域[H3C] firewall zone untrust[H3C-zone-trust] add interface GigabitEthernet0/0[H3C] firewall zone trust[H3C-zone-trust] add interface GigabitEthernet0/1工作模式firewall mode transparent 透明传输firewall mode route 路由模式http 服务器使能HTTP 服务器 undo ip http shutdown关闭HTTP 服务器 ip http shutdown添加WEB用户[H3C] local-user admin[H3C-luser-admin] password simple admin[H3C-luser-admin] service-type telnet[H3C-luser-admin] level 3开启防范功能firewall defend all 打开所有防范切换为中文模式 language-mode chinese设置防火墙的名称 sysname sysname配置防火墙系统IP 地址 firewall system-ip system-ip-address [ address-mask ] 设置标准时间 clock datetime time date设置所在的时区 clock timezone time-zone-name { add | minus } time取消时区设置 undo clock timezone配置切换用户级别的口令 super password [ level user-level ] { simple | cipher } password取消配置的口令 undo super password [ level user-level ]缺缺省情况下,若不指定级别,则设置的为切换到3 级的密码。
H3CSecPathF100系列防火墙配置教程
H3CSecPathF100系列防火墙配置教程H3C SecPath F100 系列防火墙配置教程初始化配置切换为中文模式language-mode chinese 设置防火墙的名称sysname sysname 配置防火墙系统IP 地址firewall system-ip system-ip-address [ address-ma sk ] 设置标准时刻clock datetime time date 设置所在的时区clock timezone time-zone-name { add | minus } time 取消时区设置undo clock timezone 配置切换用户级别的口令super password [ level user-level ] { simple | c ipher } password 取消配置的口令undo super password [ level user-level ] 缺缺省情形下,若不指定级别,则设置的为切换到3 级的密码。
切换用户级别super [ level ] 直截了当重新启动防火墙reboot 开启信息中心info-center enable 关闭信息中心undo info-center enable ftp server enable显示下次启动时加载的配置文件display saved-configuration [ by-linenum] 显示系统此次启动及下次启动使用的配置文件display startup 显示当前视图的配置display this 显示防火墙的当前的运行配置display current-configuration[ interface interface-type [ interface-number ] | configuration[ isp | zone | interzone | radius-template | system |user-interf ace ] ] [ by-linenum ] [ | { begin | include|exclude } string ] 储存当前配置save [ file-name | safely ]删除Flash 中储存的下次启动时加载的配置文件配置防火墙工作在透亮模式 H3C SecPath 系列安全产品令配置防火墙工作在路由模式复原防火墙的工作模式为缺省模式undo firewall mode 缺省情形下,防火墙工作在路由模式(route )下。
设置H3C SecPath F100 系列防火墙的web访问
设置H3C SecPath F100 系列防火墙的web访问最近集团下属酒店退回一台H3C SecPath F100-S防火墙,自我学习巩固的同时,给大家带来几篇教程,欢迎大家的拍砖。
今天给大家带来的是如何实现通过Web方式访问和配置路由器。
和H3C之前的产品不同,H3C在SecPath F100系列防火墙产品中增加了更加人性化的WEB方式配置界面,用户可以通过WEB方式来访问防火墙并通过图形化界面来配置各种参数,这点改进大大降低了防火墙设置的门槛,让用户可以更快的上手。
下面我们就来看看如何通过WEB方式配置SecPath F100-S防火墙,当然默认情况下WEB方式是关闭的。
第一步:建立与防火墙之间的连接,我们采用console方式进行配置,将防火墙自带console线的RJ45端插入防火墙“console”端口,另一头连接到电脑串口。
在电脑上启动“超级终端”,我们选用默认值:9600/8/无/1/无,然后点击确定。
第一步:建立与防火墙之间的连接,我们采用console方式进行配置,将防火墙自带console 线的RJ45端插入防火墙“console”端口,另一头连接到电脑串口。
在电脑上启动“超级终端”,我们选用默认值:9600/8/无/1/无,然后点击确定。
第二步:插电启动防火墙,我们就会在超级终端界面上清楚的看到防火墙的全部启动过程。
按回车键,进入防火墙命令行配置模式第三步:输入“system-view”命令,进入高级管理模式,我们首先查看一下防火墙默认的配置信息第四步:下面开始配置:启动防火墙的HTTP服务,默认情况下是开启的,我们不用操作。
命令:undo ip http shutdown在防火墙中新建相应的用户,授于用户telnet的权限,管理权限设为最高的3级。
local-user admin (新建用户admin)password simple admin (设置密码为明文的admin)service-type telnet (仅当登录用户具有telnet的服务类型时,才允许登录http服务器,且不同级别的用户在web界面中的可配置选项不同)level3 (权限级别设为最高的3级)给允许提供web访问的接口设置IP地址,我们将eth0/0端口的IP地址配置为192.168.1.1 255.255.255.0,这个IP地址就是web方式登录时键入到浏览器地址栏里面的地址将接口添加到信任区域,同时配置防火墙的默认策略为允许数据通过Zone trustAdd interface Ethernet 0/0QuitPacket-filter default permit第五步:设置计算机的IP地址与要登录防火墙的IP地址在同一网段,在浏览器中输入http://192.168.1.1就看到了防火墙web管理的登录界面。
H3C SecPath F100-C-SI防火墙 Web配置指导-5PW100-安全配置
目录1访问控制 ············································································································································ 1-11.1 概述 ··················································································································································· 1-11.2 配置访问控制····································································································································· 1-11.3 访问控制典型配置举例 ······················································································································ 1-3 2网站过滤 ············································································································································ 2-12.1 概述 ··················································································································································· 2-12.2 网站过滤典型配置举例 ······················································································································ 2-23 MAC地址过滤 ···································································································································· 3-13.1 概述 ··················································································································································· 3-13.2 配置MAC地址过滤····························································································································· 3-13.2.1 配置MAC地址过滤类型··········································································································· 3-13.2.2 配置要过滤的MAC地址··········································································································· 3-23.3 MAC地址过滤典型配置举例 ·············································································································· 3-3 4攻击防范 ············································································································································ 4-14.1 概述 ··················································································································································· 4-14.1.1 黑名单功能······························································································································ 4-14.1.2 入侵检测功能 ·························································································································· 4-14.2 配置黑名单 ········································································································································ 4-34.2.1 配置概述 ································································································································· 4-34.2.2 启用黑名单过滤功能 ··············································································································· 4-44.2.3 手动新建黑名单表项 ··············································································································· 4-44.2.4 查看黑名单······························································································································ 4-54.3 配置入侵检测····································································································································· 4-54.4 攻击防范典型配置举例 ······················································································································ 4-64.4.1 攻击防范典型配置举例 ··········································································································· 4-6 5应用控制 ············································································································································ 5-15.1 概述 ··················································································································································· 5-15.2 配置应用控制····································································································································· 5-15.2.1 配置概述 ································································································································· 5-15.2.2 加载应用程序 ·························································································································· 5-15.2.3 配置自定义应用程序 ··············································································································· 5-25.2.4 使能应用控制 ·························································································································· 5-35.3 应用控制典型配置举例 ······················································································································ 5-41 访问控制1.1 概述访问控制是指通过设置时间段、局域网内计算机的IP地址、端口范围和数据包协议类型,禁止符合指定条件的数据包通过,来限制局域网内的计算机对Internet的访问。
H3C SecPath F100系列防火墙配置教程
H3C SecPath F100系列防火墙配置教程初始化配置〈H3C〉system-view开启防火墙功能[H3C]firewall packet-filter enable[H3C]firewall packet-filter default permit分配端口区域[H3C] firewall zone untrust[H3C-zone-trust] add interface GigabitEthernet0/0[H3C] firewall zone trust[H3C-zone-trust] add interface GigabitEthernet0/1工作模式firewall mode transparent 透明传输firewall mode route 路由模式http 服务器使能HTTP 服务器 undo ip http shutdown关闭HTTP 服务器 ip http shutdown添加WEB用户[H3C] local-user admin[H3C-luser-admin] password simple admin[H3C-luser-admin] service-type telnet[H3C-luser-admin] level 3开启防范功能firewall defend all 打开所有防范切换为中文模式 language-mode chinese设置防火墙的名称 sysname sysname配置防火墙系统IP 地址 firewall system-ip system-ip-address [ address-mask ] 设置标准时间 clock datetime time date设置所在的时区 clock timezone time-zone-name { add | minus } time取消时区设置 undo clock timezone配置切换用户级别的口令 super password [ level user-level ] { simple | cipher } password取消配置的口令 undo super password [ level user-level ]缺缺省情况下,若不指定级别,则设置的为切换到3 级的密码。
H3C SecPath F100系列防火墙配置教程
H3C SecPath F100系列防火墙配置教程初始化配置〈H3C〉system-view开启防火墙功能[H3C]firewall packet-filter enable[H3C]firewall packet-filter default permit分配端口区域[H3C] firewall zone untrust[H3C-zone-trust] add interface GigabitEthernet0/0[H3C] firewall zone trust[H3C-zone-trust] add interface GigabitEthernet0/1工作模式firewall mode transparent 透明传输firewall mode route 路由模式http 服务器使能HTTP 服务器 undo ip http shutdown关闭HTTP 服务器 ip http shutdown添加WEB用户[H3C] local-user admin[H3C-luser-admin] password simple admin[H3C-luser-admin] service-type telnet[H3C-luser-admin] level 3开启防范功能firewall defend all 打开所有防范切换为中文模式 language-mode chinese设置防火墙的名称 sysname sysname配置防火墙系统IP 地址 firewall system-ip system-ip-address [ address-mask ] 设置标准时间 clock datetime time date设置所在的时区 clock timezone time-zone-name { add | minus } time取消时区设置 undo clock timezone配置切换用户级别的口令 super password [ level user-level ] { simple | cipher } password取消配置的口令 undo super password [ level user-level ]缺缺省情况下,若不指定级别,则设置的为切换到3 级的密码。
H3C SecPath F100系列防火墙01-入门配置指导-基本配置
• 配置 NAT 静态转换
nat static local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]
• 使配置在接口上生效
nat outbound static
nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] [ no-pat ] ] [ track vrrp virtual-router-id ]
目录
1 基本配置 ············································································································································ 1-1 1.1 概述 ···················································································································································1-1 1.2 通过Web方式进行设备基本配置 ·······································································································1-1 1.3 通过命令行方式进行设备基本配置 ····································································································1-8 1.4 业务配置说明·····································································································································1-9
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
H3CSecPathF100系列防火墙配置教程初始化配置〈H3C〉system-view开启防火墙功能[H3C]firewall packet-filter enable[H3C]firewall packet-filter default permit分配端口区域[H3C] firewall zone untrust[H3C-zone-trust] add interface GigabitEthernet0/0[H3C] firewall zone trust[H3C-zone-trust] add interface GigabitEthernet0/1工作模式firewall mode transparent 透亮传输firewall mode route 路由模式服务器使能服务器 undo ip shutdown关闭服务器 ip shutdown添加WEB用户[H3C] local-user admin[H3C-luser-admin] password simple admin[H3C-luser-admin] service-type telnet[H3C-luser-admin] level 3开启防范功能firewall defend all 打开所有防范切换为中文模式 language-mode chinese设置防火墙的名称 sysname sysname配置防火墙系统IP 地址 firewall system-ip system-ip-address [ address-mask ] 设置标准时刻 clock datetime time date设置所在的时区 clock timezone time-zone-name { add | minus } time取消时区设置 undo clock timezone配置切换用户级别的口令 super password [ level user-level ] { simple | cipher } password取消配置的口令 undo super password [ level user-level ]缺缺省情形下,若不指定级别,则设置的为切换到3 级的密码。
切换用户级别 super [ level ]直截了当重新启动防火墙 reboot开启信息中心 info-center enable关闭信息中心 undo info-center enableftp server enable显示下次启动时加载的配置文件 display saved-configuration [ by-linenum ]显示系统本次启动及下次启动使用的配置文件 display startup显示当前视图的配置 display this显示防火墙的当前的运行配置display current-configuration[ interface interface-type [ interface-number ] | configuration[ isp | zone | interzone | radius-template | system |user-interface ] ] [ by-linenum ] [ | { begin | include |exclude } string ]储存当前配置 save [ file-name | safely ]删除Flash 中储存的下次启动时加载的配置文件 reset saved-configuration配置防火墙工作在透亮模式 firewall mode transparentH3C SecPath 系列安全产品操作手册(安全)第8 章透亮防火墙操作命令配置防火墙工作在路由模式 firewall mode route复原防火墙的工作模式为缺省模式 undo firewall mode缺省情形下,防火墙工作在路由模式(route)下。
启动ARP 表项自动学习功能 firewall arp-learning enable禁止ARP 表项自动学习功能 undo firewall arp-learning enable缺省情形下,当防火墙工作在透亮模式下时,防火墙启动ARP 表项自动学习功能。
配置VLAN ID 透传操作命令使能接口的VLAN ID 透传功能 bridge vlanid-transparent-transmit enable禁止接口的VLAN ID 透传功能 undo bridge vlanid-transparent-transmit enable缺省情形下,禁止接口的VLAN ID 透传功能。
使能ARP Flood 攻击防范功能 firewall defend arp-flood [ max-rate rate-number ]关闭ARP Flood 攻击防范功能 undo firewall defend arp-flood [ max-rate ] 缺省为关闭ARP Flood 攻击防范功能。
ARP 报文的最大连接速率范畴为1~1,000,000,缺省为100。
SecPath 系列安全产品支持以方式登录到系统中,并通过Web 治理界面对系统进行配置和治理。
在使用Web 界面登录到系统前,必须先使能服务器功能。
请在系统视图下进行下列配置。
H3C SecPath 系列安全产品操作手册(基础配置)第4 章系统爱护治理开启/关闭服务器开启服务器 undo ip shutdown关闭服务器 ip shutdown缺省情形下,系统开启服务器。
仅当登录用户具有Telnet 的服务类型时(service-type telnet),才承诺登录服务器,且不同等级的用户在Web 界面中的可配置项也会不同。
配置服务器的访问限制能够配置服务器,使仅具有特定IP 地址的用户才能够登录服务器,对设备进行配置和治理。
请在系统视图下进行下列配置。
表4-18 配置服务器的访问限制操作命令配置服务器的访问限制 ip acl acl-number取消对服务器的访问限制 undo ip acl缺省情形下,未配置服务器的访问限制。
仅ACL 中承诺的IP 地址才能够访问服务器。
表3-10 显示系统状态信息操作命令显示系统版本信息 display version显示详细的软件版本信息 vrbd显示系统时钟 display clock显示终端用户 display users [ all ]显示起始配置信息 display saved-configuration显示当前配置信息 display current-configuration显示调试开关状态 display debugging [ interface interface-typeinterface-number ] [ module-name ]显示当前视图的运行配置 display this显示技术支持信息 display diagnostic-information显示剪贴板的内容 display clipboardH3C SecPath 系列安全产品操作手册(基础配置)第3 章 Comware 的差不多配置操作命令显示当前系统内存使用情形 display memory [ limit ]显示CPU 占用率的统计信息 display cpu-usage [ configuration | number[ offset ] [ verbose ] [ from-device ] ]设置CPU 占用率统计的周期 cpu-usage cycle { 5sec | 1min | 5min | 72min }以图形方式显示CPU 占用率统计历史信息 display cpu-usage history [ task task-id ]对插槽中的插卡进行拔出预处理 remove slot slot-id取消拔出预处理操作 undo remove slot slot-id显示设备和插卡的信息(任意视图) display device [ slot-id ]配置防火墙网页登陆1. 配置防火墙缺省承诺报文通过。
<H3C> system-view[H3C] firewall packet-filter default permit2. 为防火墙的以太网接口(以GigabitEthernet0/0为例)配置IP地址,并将接口加入到安全区域。
[H3C] interface GigabitEthernet0/0[H3C-GigabitEthernet0/0] ip address 192.168.0.1 255.255.255.0[H3C-GigabitEthernet0/0] quit[H3C] firewall zone trust[H3C-zone-trust] add interface GigabitEthernet0/03. 为PC配置IP地址。
假设PC的IP地址为192.168.0.2。
4. 使用Ping命令验证网络连接性。
<H3C> ping 192.168.0.2Ping命令成功!5.添加登录用户为使用户能够通过Web登录,同时有权限对防火墙进行治理,必须为用户添加登录帐户同时给予其权限。
例如:建立一个帐户名和密码都为admin,帐户类型为telnet,权限等级为3的治理员用户。
[H3C] local-user admin[H3C-luser-admin] password simple admin[H3C-luser-admin] service-type telnet[H3C-luser-admin] level 3在 PC上启动扫瞄器(建议使用IE5.0及以上版本),在地址栏中输入IP地址“192.168.0.1”后回车,即可进入防火墙Web登录页面,使用之前创建的 admin帐户登录防火墙,单击<Login>按钮即可登录。
用户能够通过“Language”下拉框选择界面语言内部主机通过域名区分并访问对应的内部服务器组网应用1)配置easy ip(不用配地址池,直截了当通过接口地址做转换)nat outbound acl-number2)DNS MAPnat dns-map domain-name global-addrglobal-port [ tcp | udp ]实例:# 在Ethernet0/0/0 接口上配置FTP 及WWW内部服务器。
[H3C] interface ethernet0/0/0[H3C-Ethernet0/0/0] ip address 1.1.1.1 255.0.0.0[H3C-Ethernet0/0/0] nat outbound 2000[H3C-Ethernet0/0/0] nat server protocol tcp global 1.1.1.1 www inside 10.0.0.2www[H3C-Ethernet0/0/0] nat server protocol tcp global 1.1.1.1 ftp inside 10.0.0.3ftp[H3C-Ethernet0/0/0] quit# 配置访问操纵列表,承诺10.0.0.0/8 网段访问Internet。