#
# H3C Comware 7 firewall running configuration (software version/release as
# printed by the device).
version 7.1.064, Release 9524P22
#
sysname kerren firewall
#
# Fixed timezone, no clock protocol: timestamps in logs rely on the manually
# set local clock. NOTE(review): consider whether NTP is wanted for log
# correlation with other devices.
clock timezone Beijing add 08:00:00
clock protocol none
#
context Admin id 1
#
telnet server enable
#
# IRF (stacking) defaults for a single member.
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
dialer-group 1 rule ip permit
#
# NAT address pool 192.168.3.1-192.168.4.1. The range includes the address of
# GigabitEthernet1/0/3 itself (192.168.3.1/23), and none of the 'nat outbound'
# statements below refers to address-group 1 (they translate to the interface
# address) — verify whether this pool is still intended to be used.
nat address-group 1 name 非信任外网
address 192.168.3.1 192.168.4.1
#
nat log enable
#
dhcp enable
#
# The firewall proxies DNS for clients and forwards to two public resolvers.
dns proxy enable
dns server 114.114.114.114
dns server 202.96.64.68
#
password-recovery enable
#
# VLAN definitions. Only VLAN 20 and VLAN 200 have Vlan-interfaces and DHCP
# pools below. VLAN 10 is defined but no port in this configuration permits it
# (GigabitEthernet1/0/5's description lists it while its trunk only permits
# VLAN 20) — confirm whether VLAN 10 is still needed. VLAN 984 is carried by
# GigabitEthernet1/0/7 into the Mirror zone.
vlan 1
#
vlan 10
description 办公
#
vlan 20
description 办公网络
#
vlan 200
description 公寓网络
#
vlan 984
description He-xin-jing-xiang
#
# Address and service object-groups. Only "vlan 20" is referenced by the
# security-policy below (rule 20 source-ip); no other group is referenced
# anywhere in this configuration.
object-group ip address 10.0.11.1主楼电视盒
0 network subnet 10.0.11.0 255.255.255.0
#
object-group ip address 10.100.120.8
0 network host address 10.100.120.8
#
# 192.168.2.0/23 in Untrust — the segment on GigabitEthernet1/0/3 and the
# range served by DHCP pool 不信任外网. This is the natural source-ip for a
# narrowed Untrust -> Local rule (see security-policy rule 19).
object-group ip address ewr
security-zone Untrust
0 network subnet 192.168.2.0 255.255.254.0
#
object-group ip address "vlan 20"
security-zone Trust
0 network subnet 10.11.20.0 255.255.255.0
#
# VLAN20和200 and 办公网 contain the same two subnets (duplicates).
object-group ip address VLAN20和200
security-zone Trust
0 network subnet 10.11.20.0 255.255.255.0
10 network subnet 10.11.200.0 255.255.255.0
#
object-group ip address 办公网
security-zone Trust
0 network subnet 10.11.20.0 255.255.255.0
10 network subnet 10.11.200.0 255.255.255.0
#
object-group ip address 保障10.0.32.0
0 network subnet 10.0.32.0 255.255.255.0
#
# Empty group — presumably matches nothing until a member is added.
object-group ip address 出口192.168.10.22
#
# 172.16.15.0/24 lies outside the 172.16.10.0/23 configured on
# GigabitEthernet1/0/2 (172.16.10.0-172.16.11.255). Verify it is reached via a
# downstream router, or whether 172.16.10.0 was intended.
object-group ip address 内网
0 network subnet 172.16.15.0 255.255.255.0
#
object-group ip address 内网1
security-zone Trust
0 network subnet 172.16.15.0 255.255.255.0
#
# 0.0.0.0/0 — any address.
object-group ip address 限制全部P2P
0 network subnet 0.0.0.0 0.0.0.0
#
object-group ip address 信锐无线AP
0 network subnet 192.168.100.0 255.255.255.0
#
# Service object: TCP destination port 443.
object-group service 111
description 111
0 service tcp destination eq 443
#
# DHCP pools. All pools hand out 114.114.114.114 directly rather than the
# firewall's DNS proxy address.
dhcp server ip-pool 办公网VLAN20
gateway-list 10.11.20.1
network 10.11.20.0 mask 255.255.255.0
dns-list 114.114.114.114
#
dhcp server ip-pool 办公网VLAN200
gateway-list 10.11.200.1
network 10.11.200.0 mask 255.255.255.0
dns-list 114.114.114.114
#
# Served into the Untrust segment on GigabitEthernet1/0/3 (192.168.3.1/23).
# NOTE(review): DHCP requests from that segment arrive as Untrust -> Local
# traffic, which is presumably why security-policy rule 19 passes that
# direction; confirm before narrowing rule 19.
dhcp server ip-pool 不信任外网
gateway-list 192.168.3.1
network 192.168.2.0 mask 255.255.254.0
dns-list 114.114.114.114
#
# Pool mask is /24 while GigabitEthernet1/0/2 (172.16.10.1) is configured
# /23 — the two masks disagree; confirm which one is intended.
dhcp server ip-pool 内网
gateway-list 172.16.10.1
network 172.16.10.0 mask 255.255.255.0
dns-list 114.114.114.114
#
#
controller Cellular1/0/0
#
interface NULL0
#
# SVI for VLAN 20 (DHCP pool 办公网VLAN20), in zone Trust. 'nat outbound' and
# 'gateway' are configured on this inward-facing interface as well as on the
# WAN interface. NOTE(review): if 'gateway' installs a default route toward
# 10.11.20.254 on this platform, internet-bound traffic could be shared between
# the WAN next hop and this internal address — confirm with the routing table.
interface Vlan-interface20
ip address 10.11.20.1 255.255.255.0
nat outbound
gateway 10.11.20.254
#
# SVI for VLAN 200 (DHCP pool 办公网VLAN200); same nat outbound/gateway pattern
# and the same question as for Vlan-interface20.
interface Vlan-interface200
ip address 10.11.200.1 255.255.255.0
nat outbound
gateway 10.11.200.254
#
#
# Management port (zone Management, 192.168.0.1/24). No security-policy rule
# below names the Management zone; NOTE(review): if the platform's default
# inter-zone action is deny, management access through this port depends on
# something not visible here — confirm.
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
# Internet uplink (zone Untrust): 192.168.10.23/24, upstream gateway
# 192.168.10.1, source NAT to the interface address. Note that the static route
# further down ('ip route-static 0.0.0.0 24 192.168.10.23') points at this
# interface's own address with a /24 prefix; the default route should be
# 0.0.0.0/0 via 192.168.10.1.
interface GigabitEthernet1/0/1
port link-mode route
description GuideWan Interface
bandwidth 100000000
ip address 192.168.10.23 255.255.255.0
nat outbound description GuideNat
gateway 192.168.10.1
#
# Inside routed port (zone Trust), 172.16.10.1/23. DHCP pool 内网 uses a /24
# for the same network and object-groups 内网/内网1 use 172.16.15.0/24, which is
# not within this /23 — the three should be reconciled.
interface GigabitEthernet1/0/2
port link-mode route
duplex full
ip address 172.16.10.1 255.255.254.0
ip last-hop hold
#
# Second Untrust port: 192.168.3.1/23, the gateway of DHCP pool 不信任外网.
# Because it shares the Untrust zone with the internet uplink, every rule
# written for source-zone Untrust applies to the internet as well as to this
# segment. The address also falls inside nat address-group 1's range.
interface GigabitEthernet1/0/3
port link-mode route
description kereen
bandwidth 400000
ip address 192.168.3.1 255.255.254.0
ip last-hop hold
#
# Bridged trunk in zone Trust (imported with vlan 1 to 4094). Only VLAN 20 is
# permitted and it is also the PVID, so the port effectively carries VLAN 20
# untagged only.
interface GigabitEthernet1/0/4
port link-mode bridge
bandwidth 400000000
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20
port trunk pvid vlan 20
duplex full
#
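# Trunk toward the access switch, zone Trust. Review: the description lists
# VLANs 10, 20 and 200 but only VLAN 20 was permitted, which left
# Vlan-interface200 (and DHCP pool 办公网VLAN200) with no port carrying VLAN 200.
# VLAN 200 is added here. VLAN 10 is left out because nothing else in this
# configuration (no SVI, pool or other port) uses it — add it if the switch
# side really trunks VLAN 10.
interface GigabitEthernet1/0/5
port link-mode bridge
description VLAN10,20,200
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20 200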
#
# Bridged port with no VLAN settings; it is not imported into any security
# zone below. NOTE(review): if unused, keep it shut down.
interface GigabitEthernet1/0/6
port link-mode bridge
#
# Access port for VLAN 984, imported into the Mirror zone.
interface GigabitEthernet1/0/7
port link-mode bridge
port access vlan 984
#
# Security zones. Local is the firewall itself.
security-zone name Local
#
# Trust: the inside routed port, both SVIs and the two bridged trunks (all
# VLANs).
security-zone name Trust
import interface GigabitEthernet1/0/2
import interface Vlan-interface20
import interface Vlan-interface200
import interface GigabitEthernet1/0/4 vlan 1 to 4094
import interface GigabitEthernet1/0/5 vlan 1 to 4094
#
# DMZ has no members but is still named in policy rules below.
security-zone name DMZ
#
# Untrust mixes the internet uplink (GigabitEthernet1/0/1) with the
# 192.168.2.0/23 client segment (GigabitEthernet1/0/3); rules for this zone
# therefore apply to both. See security-policy rule 19.
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/3
#
# Management zone: no security-policy rule below references it.
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name Mirror
import interface GigabitEthernet1/0/7 vlan 984
#
#
scheduler logfile size 16
#
# User lines. Console and VTY use 'authentication-mode scheme' (AAA / local
# user). The aux class and aux 0 set no authentication-mode, so the AUX port
# uses the platform default — NOTE(review): confirm that default is not
# 'none'. The per-line user-role on vty 0 63 (network-admin) is presumably what
# applies, overriding the network-operator role set on the vty class.
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class usb
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
#
ip route-static 0.0.0.0 24 192.168.10.23
#
# SNMP. Community strings are credentials: the read community is the word
# 'admin' and a write community is configured, and neither is bound to an ACL
# (the 'acl' option of 'snmp-agent community') — with security-policy rule 19
# passing Untrust -> Local, the agent appears reachable from the WAN side.
# 'sys-info version v3' enables SNMPv3 only; NOTE(review): if v1/v2c is not
# enabled, these communities are dead configuration and should be removed; if
# v2c is actually needed, drop the write community and restrict both with an
# ACL (ACL 2000 below is not usable as written).
snmp-agent
snmp-agent local-engineid 800063A28080E455686E0500000001
snmp-agent community read admin
snmp-agent community write keree
snmp-agent sys-info location 机房
snmp-agent sys-info version v3
#
# SSH is the encrypted CLI path; keep it and prefer it over Telnet.
ssh server enable
#
# Basic ACL 2000. 'rule 0 permit' matches every source, so rules 5 and 10 can
# never be reached. Their source/wildcard pairs (0.0.2.1 255.255.25.252 and
# 0.0.0.22 255.255.255.0) also do not look like valid host or subnet
# specifications — '25' is presumably a mistyped '255' and the address/wildcard
# roles look swapped. Nothing in this configuration references ACL 2000.
acl basic 2000
rule 0 permit
rule 5 permit source 0.0.2.1 255.255.25.252
rule 10 permit source 0.0.0.22 255.255.255.0
#
# AAA: the default ISP domain 'system'; the level-0..level-14 roles are
# platform-predefined entries echoed into the running configuration.
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
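# Management account (password stored as a hash). Review: 'telnet' and 'http'
# were removed from service-type — both carry credentials in cleartext, and SSH
# and HTTPS are enabled in this configuration. The account also holds level-3
# and network-operator in addition to network-admin; network-admin already
# grants full configuration rights — NOTE(review): trim the extra roles if they
# are not required.
local-user admin class manage
password hash $h$6$0JITFBDTcVpmgIaC$uwt/xUo/+vIFB1QNP3yfU3ZCG22k3CrgHLC4izH28/LdNKQ44jqImmNnvs+hjv+nxgsjZpLxhpUNtasj+1bFjg==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator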
#
ipsec logging negotiation enable
#
# Application groups (for DPI / bandwidth policies). None of them is referenced
# by the traffic-policy or security-policy in this configuration, so they
# appear unused as shown; app-group 保障信锐 has no members.
app-group 保障10.0.12.20,10.0.12.28,10.0.12.38
description 保障所有
include application BaoFeng
include application BitTorrent
include application eMule
include application iQiYiPPS
include application KingsoftAntivirus
include application Letv
include application MangGuoTV
include application NetworkVideo
include application QQXuanFeng
include application TencentVideo
include application Thunder
include application XunLeiKanKan
include application ZhangYuTV
#
app-group 保障10.0.32.0
description 保障http,视频流应用
include application 56Video
include application Bilibili
include application CTCCMusicMenHu
include application http
include application KGeDaRen
include application MeiLeFM
include application MiGuMusic
include application NetEaseVideo
include application PPTV
include application QQMusic
include application SinaVideo
include application SoHuVideo
include application SouGouMusic
include application TencentVideo
include application TuDou
include application XiaMi
include application YinYueTai
include application YouKu
#
app-group 保障信锐
description 10.100.120.8
#
app-group 限制P2P
description 限制全部
include application 360General
include application 360Website
include application AndroidMarket
include application AnZhiMarket
include application AppChina
include application AppStore
include application BaiduResource
include application BaiDuSoftwareDownload
include application BaiduWenKu
include application BaoFeng
include application BitTorrent
include application DiGuaGameCenter
include application DuoTeSoftware
include application eMule
include application FeiFanRuanJianZhan
include application FileDownload
include application GeneralDownload
include application iQiYiPPS
include application JiFengMarket
include application JinShanShouJiZhuShou
include application KingsoftAntivirus
include application KuAn
include application Letv
include application LieBaoWebsite
include application MangGuoTV
include application MIAppStore
include application MobileMarket
include application MuMaYiMarket
include application NetworkAudio
include application NetworkVideo
include application OnlineDown
include application PC6
include application PictureBrowse
include application PPZhuShou
include application QQWebsite
include application QQXuanFeng
include application ShouJiBaiDu
include application SkyCN
include application TencentResource
include application TencentVideo
include application Thunder
include application TianJiDownload
include application UCLandingPage
include application UCWebsite
include application WanDouJia
include application WindowsUpdate
include application WoStore
include application XiaZaiBa
include application XiXiSoftwareStore
include application XunLeiKanKan
include application YingYongBao
include application ZhangYuTV
include application ZhiHuiYun
include application ZuiMeiYingYong
#
ike logging negotiation enable
#
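# Web management. Review: plain HTTP was disabled ('undo ip http enable'); the
# web UI remains reachable over HTTPS. This matters because security-policy
# rule 19 below passes Untrust -> Local, so cleartext logins would otherwise
# be accepted from the WAN-side zone.
undo ip http enable
ip https enable
webui log enable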
#
# Default parameter profiles for IPS / anti-virus / URL filtering (block,
# capture, logging, redirect). No DPI or inspection policy that applies them is
# present in this configuration.
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect capture parameter-profile ips_capture_default_parameter
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect redirect parameter-profile av_redirect_default_parameter
#
inspect redirect parameter-profile ips_redirect_default_parameter
#
inspect redirect parameter-profile url_redirect_default_parameter
#
#
# Bandwidth policy: Trust -> DMZ/Untrust traffic gets profile guideavcprofile1,
# whose guaranteed and maximum downstream values are identical (90000; units
# per platform). No application group is attached.
traffic-policy
rule 1 name GuideAVCPolicy
action qos profile guideavcprofile1
source-zone Trust
destination-zone DMZ
destination-zone Untrust
profile name guideavcprofile1
bandwidth downstream guaranteed 90000
bandwidth downstream maximum 90000
#
#
# Inter-zone security policy (NOTE(review): rules are presumably evaluated
# top-down, first match wins — confirm for this platform).
# Rule 18 passes everything from Trust and Local to every zone, including back
# into Trust and into Local, with no address or service restriction.
security-policy ip
rule 18 name GuideSecPolicy
action pass
source-zone Trust
source-zone Local
destination-zone Untrust
destination-zone DMZ
destination-zone Local
destination-zone Trust
# Review: rule 19 passes Untrust -> Local. Untrust holds the internet uplink
# GigabitEthernet1/0/1 as well as the 192.168.2.0/23 segment on
# GigabitEthernet1/0/3, so every service the firewall itself offers (SSH,
# Telnet, HTTP/HTTPS, SNMP as configured above) appears reachable from the
# WAN. If the purpose is to let the 192.168.2.0/23 clients reach the
# firewall's DHCP/DNS, split this rule: keep Local -> Untrust for the
# firewall's own outbound traffic, and limit the Untrust -> Local rule with
# 'source-ip ewr' (the object-group already defined for that subnet) and/or to
# the DHCP and DNS services.
rule 19 name 非安全域外网
description 非安全域策略
action pass
source-zone Untrust
source-zone Local
destination-zone Untrust
destination-zone Local
# Rule 20 (Trust -> Untrust/Local, source "vlan 20") is already fully covered
# by rule 18, so it never matches anything rule 18 does not.
rule 20 name "vlan 20"
action pass
source-zone Trust
source-zone Local
destination-zone Untrust
destination-zone Local
source-ip "vlan 20"
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
# Vendor cloud-management registration (outbound from Local to the domain
# shown); Local-sourced traffic is passed by rules 18 and 19 above.
cloud-management server domain opstunnel.seccloud.h3c.com
#
return
您好,请知悉:
配置防火墙上网,以下是部署要点,请参考:
1、配置与核心交换机的三层互联和路由指向。
2、配置防火墙的上网接入。
3、配置防火墙的默认路由指向到外网。
4、配置防火墙的NAT地址转换。
5、防火墙上涉及到的物理端口需加入安全域并放通安全策略或域间策略。