Hillstone Firewall CLI Configuration Examples
There is one Hillstone SG6000 firewall in the production network, and all of its configuration can be done through the GUI.
Some configuration, however, is faster on the command line, for example adding one host or one port to an existing policy.
The double quotes in the commands below are optional.
1 Creating services
1.1 Single port
service "tcp-901"
tcp dst-port 901
1.2 Port range
service "tcp-10000-65535"
tcp dst-port 10000 65535
1.3 Service group (contains several services; the equivalent of object-group service on a Cisco ASA)
servgroup "Management"
service "SSH"
service "xdmcp_UDP_177"
service "HTTPS"
service "tcp-901"
2 Creating address objects
2.1 Single IP
address "RDM-WaiGua-System-10.248.68.114"
ip 10.248.68.114/32
2.2 IP range
address "10.248.68.5-40"
range 10.248.68.5 10.248.68.40
2.3 IP subnet
address 10.248.1.0/24
ip 10.248.1.0/24
2.4 An address object can of course hold several entries, for example
address "Logistics"
ip 10.248.33.89/32
ip 10.248.33.88/32
2.5 Viewing an address object
show address xxx
Hillstone # show address 10.248.1.0/24
Name: 10.248.1.0/24
Address family: IPv4
Member count: 1
Address members:
10.248.1.0/24
Excluded members:
Total IP count: 256
IP subnet in this entry: 1
10.248.1.0/24
3 Schedule (time range)
This corresponds to time-range on a Cisco ASA.
A schedule can specify only an end time,
or both a start and an end time.
schedule "2025.1.17"
absolute end 01/18/2025 00:00:00
schedule "2021/7/1"
absolute start 01/01/1970 00:00:00 end 07/01/2021 23:59:00
exit
4 Rule (this is the actual ACL)
A rule contains an ID, an action, zones, source and destination addresses, services (ports), a name, and a schedule (time range).
The following rule permits traffic from the production zone (SC) to the CR zone, with source address Data-1, destination address wan-1, and destination ports 80 and 443; the name Colasoft at the end is optional and can be omitted.
rule id 401
action permit
src-zone "SC"
dst-zone "CR"
src-addr "Data-1"
dst-addr "wan-1"
service http
service https
name Colasoft
rule id 3019
action permit
src-zone "INSIDE"
dst-zone "OUTSIDE"
src-ip 10.248.1.1/32
dst-addr "AI-10.248.1.1-10"
service "tcp-1521"
schedule "2025.1.17"
To view a rule you cannot use show rule; use show policy instead.
Example:
hillstone # show policy id 3019
Rule id: 3019
Rule sequence: 12
Status: E
From zone "CS" to zone "SC"
Type: 0
Fragment: N/A
Source addresses:
10.248.1.1/32
Destination addresses:
Oracle-10.248.200.1
Services:
tcp-1521
Application:
Schedules:
2025.1.17
Action: PERMIT
Roles:
Users:
User-groups:
assistant: disable
Hit 1353 times
Create a rule at the top of the policy
rule top
action permit
src-ip 1.1.1.1/32
dst-ip 2.1.1.1/32
service any
Delete a rule
no rule 3029
Disable a rule (it stops matching but is not deleted)
rule id 3029
disable
Enable a rule (it takes effect again)
rule id 3029
enable
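The object and rule syntax from sections 1, 2 and 4 lends itself to scripting, which is where the CLI pays off. The following is an added example, not part of the original post or of Hillstone's own tooling: it builds address, service and rule blocks in exactly the syntax shown above and validates the IPs, CIDRs and ports before they are pasted into a session. Function names and the quoting of all object names are the example's own choices.

```python
import ipaddress

# Added example: emit Hillstone CLI blocks in the syntax used in this post.
# Every block is returned as a list of lines, one CLI command per line.

def service_block(name, proto, dst_port, dst_port_end=None):
    """tcp/udp service object; a range is written as 'dst-port START END'."""
    if proto not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    ports = [dst_port] + ([dst_port_end] if dst_port_end is not None else [])
    if any(not 1 <= p <= 65535 for p in ports) or ports != sorted(ports):
        raise ValueError("bad port or port range")
    return [f'service "{name}"', f"{proto} dst-port " + " ".join(map(str, ports))]

def address_block(name, members):
    """Address object: 'a.b.c.d/m' members become 'ip ...', (start, end) tuples 'range ...'."""
    lines = [f'address "{name}"']
    for member in members:
        if isinstance(member, tuple):
            start, end = ipaddress.ip_address(member[0]), ipaddress.ip_address(member[1])
            if start > end:
                raise ValueError("range start is after range end")
            lines.append(f"range {start} {end}")
        else:
            # strict=True rejects host bits set outside the mask (e.g. 10.248.1.1/24)
            lines.append(f"ip {ipaddress.ip_network(member, strict=True).with_prefixlen}")
    return lines

def rule_block(rule_id, src_zone, dst_zone, src, dst, services,
               action="permit", schedule=None, name=None):
    """Policy rule; src/dst are CIDRs (src-ip/dst-ip) or object names (src-addr/dst-addr)."""
    def side(kw, value):
        try:
            return f"{kw}-ip {ipaddress.ip_network(value, strict=True).with_prefixlen}"
        except ValueError:
            return f'{kw}-addr "{value}"'
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    lines = [f"rule id {rule_id}", f"action {action}",
             f'src-zone "{src_zone}"', f'dst-zone "{dst_zone}"',
             side("src", src), side("dst", dst)]
    lines += [f'service "{svc}"' for svc in services]
    if schedule:
        lines.append(f'schedule "{schedule}"')
    if name:
        lines.append(f"name {name}")
    return lines

if __name__ == "__main__":
    print("\n".join(rule_block(3019, "INSIDE", "OUTSIDE", "10.248.1.1/32",
                               "AI-10.248.1.1-10", ["tcp-1521"], schedule="2025.1.17")))
```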
5 Routing configuration
5.1 Out-of-band management interface
interface MGT0
zone "mgt"
ip address 10.19.254.84 255.255.255.0
manage ip 10.19.254.85
manage ssh
manage ping
manage snmp
manage https
exit
5.2 Static route
ip vrouter "mgt-vr"
ip route 0.0.0.0/0 10.19.254.254
6 Interface configuration
6.1 Aggregate interface
interface xethernet1/0
aggregate aggregate1
mirror enable both
description "To_Core"
exit
interface xethernet1/1
aggregate aggregate1
mirror enable both
description "To_Core"
exit
interface xethernet1/2
aggregate aggregate1
mirror enable both
description "To_Core"
exit
interface xethernet1/3
aggregate aggregate1
mirror enable both
description "To_Core"
exit
6.2 Subinterface configuration
Below is the subinterface configuration of two Hillstone units. Because they run as an HA pair,
each unit has its own real IP and a single virtual IP (VIP) is shared between them.
Unit 1
interface aggregate1.1101
zone "SC"
ip address 10.19.255.161 255.255.255.248 // 10.19.255.161 is the VIP
manage ip 10.19.255.162 // 10.19.255.162 is this unit's real IP
manage ping
description "ShengChan"
Unit 2
interface aggregate1.1101
zone "SC"
ip address 10.19.255.161 255.255.255.248 // 10.19.255.161 is the VIP
manage ip 10.19.255.163 // 10.19.255.163 is this unit's real IP
manage ping
description "ShengChan"
7 DNS and time zone
clock zone china
ip name-server 223.5.5.5 vrouter "mgt-vr"
8 Creating an admin user
admin user "hillstone"
password 123123123
password-expiration 1673230455
role "admin"
access console
access telnet
access ssh
access http
access https
exit
9 NTP configuration
ntp enable
ntp query-interval 1
ntp server "100.64.1.1" vrouter "mgt-vr" source MGT0
(GUI screenshot of the same settings; image not included)
10 Restricting management login source IPs
This is the equivalent of access-class under line vty on a Cisco switch.
telnet timeout 20
ssh timeout 60
admin host 10.248.1.0/24 ssh
admin host 10.248.1.0/24 https