华为USG防火墙长连接官方配置案例.doc
7页
华为USG防火墙长连接官方配置案例 - 配置会话表老化时间和长连接 会话表是状态检测防火墙进展转发的根底本例通过调整会话老化时间和配置长连接,为特殊应用保证长时间的数据连接需要注意的是,保持数据连接需要消耗一定的系统性能 组网需求 NGFW部署在某企业的出口该企业对外提供FTP效劳,对内提供FTP效劳和数据库效劳 ? 由于FTP效劳器上存放有较多大体积文件,用户下载时间可能会比拟长,所以需要将设备的FTP老化时间调长 根据文件大小和网络传输速度,将FTP控制通道老化时间定为3600秒,将FTP数据通道老化时间定为300秒 ? 在提供数据库效劳的过程中,可能存在用户很长时间才查询一次的情况,所以为数据库效劳配置一个长连接,使其会话表项长时间不被老化 根据用户查询数据库的最大间隔时间,将长连接时间定为24小时 组网图如图1所示 图1 配置会话表老化时间和长连接组网图 操作步骤 1. 配置各个接口的IP,并划入相应的平安区域 2. system-view 3. [NGFW] interface GigabitEther 1/0/3 4. [NGFW-GigabitEther1/0/3] ip address 10.3.1.1 24 5. [NGFW-GigabitEther1/0/3] quit 6. [NGFW] interface GigabitEther 1/0/2 7. [NGFW-GigabitEther1/0/2] ip address 10.2.1.1 24 8. [NGFW-GigabitEther1/0/2] quit 9. [NGFW] interface GigabitEther 1/0/1 10. [NGFW-GigabitEther1/0/1] ip address 1.1.1.1 24 11. [NGFW-GigabitEther1/0/1] quit 12. [NGFW] firewall zone trust 13. [NGFW-zone-trust] add interface GigabitEther 1/0/3 14. [NGFW-zone-trust] quit 15. [NGFW] firewall zone dmz 16. [NGFW-zone-dmz] add interface GigabitEther 1/0/2 17. [NGFW-zone-dmz] quit 18. [NGFW] firewall zone untrust 19. [NGFW-zone-untrust] add interface GigabitEther 1/0/1 20. [NGFW-zone-untrust] quit 21. 创立一条ACL用于定义内网用户访问数据库效劳器的流量。
22. [NGFW] acl 3001 23. [NGFW-acl-adv-3001] rule permit ip source 10.3.1.0 0.0.0.255 destination 10.2.1.3 0 [NGFW-acl-adv-3001] quit 24. 配置平安策略,以保证网络根本通信正常 25. [NGFW] security-policy 26. [NGFW-policy-security] rule name policy_sec_1 27. [NGFW-policy-security-rule-policy_sec_1] source-zone trust 28. [NGFW-policy-security-rule-policy_sec_1] destination-zone dmz 29. [NGFW-policy-security-rule-policy_sec_1] source-address 10.3.1.0 24 30. [NGFW-policy-security-rule-policy_sec_1] destination-address range 10.2.1.2 10.2.1.3 31. [NGFW-policy-security-rule-policy_sec_1] action permit 32. [NGFW-policy-security-rule-policy_sec_1] quit 33. [NGFW-policy-security] rule name policy_sec_2 34. [NGFW-policy-security-rule-policy_sec_2] source-zone untrust 35. [NGFW-policy-security-rule-policy_sec_2] destination-zone dmz 36. [NGFW-policy-security-rule-policy_sec_2] destination-address 10.2.1.2 32 37. [NGFW-policy-security-rule-policy_sec_2] action permit 38. [NGFW-policy-security-rule-policy_sec_2] quit [NGFW-policy-security] quit 39. 在trust区域与dmz区域的域间引用ACL3001进展长连接的配置。
40. [NGFW] firewall interzone trust dmz 41. [NGFW-interzone-trust-dmz] detect ftp 42. [NGFW-interzone-trust-dmz] long-link 3001 outbound 43. WARNING: Too large range of ACL maybe affect the performance of firewall, please use this mand carefully! 44. Are you sure?[Y/N]Y 45. [NGFW-interzone-trust-dmz] quit 46. [NGFW] firewall interzoneuntrustdmz 47. [NGFW-interzone-dmz-untrust] detect ftp 48. [NGFW-interzone-dmz-untrust] quit 49. 配置长连接功能老化时间,使ACL3001中定义的流量按照该时间进展老化然后调整FTP的控制通道与数据通道的老化时间该配置对所有流量生效,所以不需要匹配ACL。
其中ftp表示FTP控制通道,ftp-data表示FTP数据通道 50. [NGFW] firewall long-link aging-time 24 51. [NGFW] firewall session aging-time service-set ftp 3600 [NGFW] firewall session aging-time service-set ftp-data 300 配置脚本 以下仅给出与本案例有关的脚本 # sysname NGFW # firewall long-link aging-time 24 firewall session aging-time service-set ftp 3600 firewall session aging-time service-set ftp-data 300 # acl number 3001 rule 5 permit ip source 10.3.1.0 0.0.0.255 destination 10.2.1.3 0 # interface GigabitEther1/0/3 ip address 10.3.1.1 255.255.255.0 # interface GigabitEther1/0/2 ip address 10.2.1.1 255.255.255.0 # interface GigabitEther1/0/1 ip address 1.1.1.1 255.255.255.0 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface GigabitEther1/0/3 # firewall zone untrust set priority 5 add interface GigabitEther1/0/1 # firewall zone dmz set priority 50 add interface GigabitEther1/0/2 # firewallinterzone trust dmz detect ftp long-link 3001 outbound # firewallinterzoneuntrustdmz detect ftp # security-policy rule name policy_sec_1 source-zone trust destination-zonedmz source-address 10.3.1.0 24 destination-address range 10.2.1.2 10.2.1.3 action permit rule name policy_sec_2 source-zoneuntrust destination-zonedmz destination-address 10.2.1.2 32 action permit # return 第 页 共 页。
