2022.2.8 Pretty things should be enjoyed -- 美玉不该蒙尘 (beautiful jade should not gather dust)
1. Configure IP addresses on the interfaces and add each interface to a security zone
2. Routing (policy-based routing / ordinary routing)
[FW]policy-based-route
[FW-policy-pbr]dis this
2022-02-08 11:48:45.540
#
policy-based-route
rule name vpc1-r3
source-zone trust
source-address 192.168.1.0 mask 255.255.255.0
track ip-link r3   --bound to IP-link r3 (the rule is bypassed while r3 is down)
action pbr next-hop 100.1.1.1
rule name vpc2-r4
source-zone dmz
source-address 10.1.1.0 mask 255.255.255.0
track ip-link r4   --bound to IP-link r4 (the rule is bypassed while r4 is down)
action pbr next-hop 200.1.1.1
3. NAT (source NAT with easy-ip for both internal networks toward untrust)
[FW]nat-policy
[FW-policy-nat]dis this
2022-02-08 11:50:22.150
#
nat-policy
rule name permit-interint
source-zone dmz
source-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 192.168.1.0 mask 255.255.255.0
action source-nat easy-ip
4. Security policy (permits dmz and trust to untrust for the same two source networks; everything else is denied by default)
[FW]security-policy
[FW-policy-security]dis this
2022-02-08 11:51:33.100
#
security-policy
rule name permit-interint
source-zone dmz
source-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 192.168.1.0 mask 255.255.255.0
action permit
IP-link (only the IP-link r3 is shown; rule vpc2-r4 above tracks an IP-link named r4, which has to be defined the same way and is not shown here)
[FW]ip-link check enable
[FW]ip-link name r3
[FW-iplink-r3]destination 100.1.1.1
Fallback (default) route, also bound to the IP-link:
[FW]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1 track ip-link r3
Summary
Huawei firewall:
All management traffic destined to the USG firewall itself (Ping, Telnet, SSH, SNMP, HTTP, HTTPS, NETCONF) is not controlled by the security policy; to allow it, it has to be permitted on the interface with service-manage. For ping, the two alternatives are:
[FW-GigabitEthernet0/0/0]service-manage ping permit
[FW-GigabitEthernet0/0/0]service-manage ping deny
Enable only the services an interface actually needs; an interface facing untrust should keep them denied.
Policy-based routing cannot match traffic by destination port or destination security zone; the destination zone in particular is derived from the egress interface, which is exactly what PBR is choosing.
Policy-based routing takes precedence over the ordinary routing table: a packet that matches an active PBR rule is sent to that rule's next hop, and the routing table (here, the tracked default route) is consulted only when no PBR rule matches or the matching rule's IP-link is down.
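As an added illustration (not part of the original notes and not Huawei code), the following Python model encodes the PBR rules, the tracked default route and the security-policy rule from this page and plays them against IP-link states. The function names (select_next_hop, policy_permits), the link_up dictionary standing in for "display ip-link", and the sample source/destination addresses fed in at the bottom are this example's own assumptions, as is the reading that a PBR rule whose IP-link is down is skipped and the packet falls to the routing table. It makes one thing visible that the configuration alone does not: because the default route tracks r3 as well, trust traffic has no route at all when r3 is down, while dmz traffic still falls back to 100.1.1.1 when r4 is down.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class PbrRule:
    name: str
    source_zone: str
    source_net: IPv4Net
    track: Optional[str]       # IP-link the rule tracks; None means always active
    next_hop: str


@dataclass(frozen=True)
class StaticRoute:
    prefix: IPv4Net
    next_hop: str
    track: Optional[str]       # the route is withdrawn while this IP-link is down


@dataclass(frozen=True)
class SecurityRule:
    name: str
    source_zones: frozenset
    destination_zones: frozenset
    source_nets: Tuple[IPv4Net, ...]
    action: str                # "permit" or "deny"


# policy-based-route rules from the page, in configuration order (first match wins)
PBR_RULES: List[PbrRule] = [
    PbrRule("vpc1-r3", "trust", IPv4Net("192.168.1.0/24"), "r3", "100.1.1.1"),
    PbrRule("vpc2-r4", "dmz", IPv4Net("10.1.1.0/24"), "r4", "200.1.1.1"),
]

# the only static route the page shows: a default route that also tracks r3
STATIC_ROUTES: List[StaticRoute] = [
    StaticRoute(IPv4Net("0.0.0.0/0"), "100.1.1.1", "r3"),
]

# security-policy rule permit-interint; anything it does not match is denied
SECURITY_RULES: List[SecurityRule] = [
    SecurityRule(
        "permit-interint",
        frozenset({"dmz", "trust"}),
        frozenset({"untrust"}),
        (IPv4Net("10.1.1.0/24"), IPv4Net("192.168.1.0/24")),
        "permit",
    ),
]


def select_next_hop(src_zone: str, src_ip: str, dst_ip: str,
                    link_up: Dict[str, bool]) -> Optional[Tuple[str, str]]:
    """Return (how, next_hop), or None when the packet has no usable route.

    link_up maps IP-link name -> True/False; it is constructed input standing in
    for the state that 'display ip-link' would report on the firewall.
    """
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)

    # 1. Policy-based routing is consulted before the routing table.
    for rule in PBR_RULES:
        if rule.source_zone != src_zone or src not in rule.source_net:
            continue
        if rule.track is None or link_up.get(rule.track, False):
            return ("pbr:" + rule.name, rule.next_hop)
        # Tracked IP-link is down: the rule is inactive, so keep looking.
        # (The page's two rules do not overlap, so it makes no difference here
        # whether later PBR rules are still tried or the routing table is used.)

    # 2. Routing table: longest prefix match over routes whose IP-link is up.
    active = [r for r in STATIC_ROUTES
              if dst in r.prefix and (r.track is None or link_up.get(r.track, False))]
    if not active:
        return None
    best = max(active, key=lambda r: r.prefix.prefixlen)
    return ("static", best.next_hop)


def policy_permits(src_zone: str, dst_zone: str, src_ip: str) -> bool:
    """Security-policy lookup: the first matching rule decides, default deny."""
    src = ipaddress.IPv4Address(src_ip)
    for rule in SECURITY_RULES:
        if (src_zone in rule.source_zones
                and dst_zone in rule.destination_zones
                and any(src in net for net in rule.source_nets)):
            return rule.action == "permit"
    return False


if __name__ == "__main__":
    # Constructed link states and addresses; 8.8.8.8 is just a placeholder destination.
    for links in ({"r3": True, "r4": True}, {"r3": True, "r4": False},
                  {"r3": False, "r4": True}):
        print(links,
              "trust ->", select_next_hop("trust", "192.168.1.10", "8.8.8.8", links),
              "dmz ->", select_next_hop("dmz", "10.1.1.10", "8.8.8.8", links))
```

Running it prints one line per link state; the third line (r3 down) shows None for trust and the r4 next hop for dmz, which is the asymmetry to keep in mind if the default route is meant to be a real fallback for the trust network.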