F1000-AI-25怎么防止同一个安全域互访?

我的配置：

#

 version 7.1.064, Release 8860P18

#

 sysname Gateway

#

 clock timezone CST add 08:00:00

 clock protocol ntp context 1

#

context Admin id 1

#

 irf mac-address persistent timer

 irf auto-update enable

 undo irf link-delay

 irf member 1 priority 1

#

 dialer-group 1 rule ip permit

#

 dhcp enable

#

 dns proxy enable

#

 password-recovery enable

#

vlan 1

 description Internal

#

vlan 10

 description LAN

#

vlan 20

 description Guest

#

vlan 100

 description IPTV

#

object-group ip address Guest

 security-zone Guest

 0 network subnet 10.0.6.0 255.255.254.0

#

object-group ip address Internal

 security-zone Trust

 0 network subnet 172.16.0.0 255.255.255.0

#

object-group ip address LAN

 security-zone Trust

 0 network subnet 10.0.0.0 255.255.252.0

#

object-group service dhcpv6-client

 0 service udp destination eq 547

#

object-group service dhcpv6-server

 0 service udp destination eq 546

#

dhcp server ip-pool Guest

 gateway-list 10.0.6.1

 network 10.0.6.0 mask 255.255.254.0

 dns-list 10.0.6.1

 expired day 0 hour 2

#

dhcp server ip-pool Internal

 gateway-list 172.16.0.1

 network 172.16.0.0 mask 255.255.255.0

 dns-list 172.16.0.1

 option 43 ascii TP-LINK

#

dhcp server ip-pool LAN

 gateway-list 10.0.0.1

 network 10.0.0.0 mask 255.255.252.0

 dns-list 10.0.0.1

 expired day 0 hour 12

 static-bind ip-address 10.0.0.5 mask 255.255.252.0 client-identifier <>

#

interface NULL0

#

interface Vlan-interface1

 description Internal

 ip address 172.16.0.1 255.255.255.0

 gateway 172.16.0.1

#

interface Vlan-interface10

 description LAN

 ip address 10.0.0.1 255.255.252.0

 ipv6 address auto

 ipv6 address auto link-local

 ipv6 address 1 ::1/64

 ipv6 nd autoconfig managed-address-flag

 ipv6 nd autoconfig other-flag

 undo ipv6 nd ra halt

 ipv6 nd ra dns server <> infinite sequence 0

 gateway 10.0.0.1

#

interface Vlan-interface20

 description Guest

 ip address 10.0.6.1 255.255.254.0

 gateway 10.0.6.1

#

interface Vlan-interface100

 description IPTV

#

interface GigabitEthernet1/0/1

 port link-mode route

 description WAN

 pppoe-client dial-bundle-number 0

#

interface GigabitEthernet1/0/0

 port link-mode bridge

 description Internal

 port link-type hybrid

 port hybrid vlan 10 20 100 tagged

 port hybrid vlan 1 untagged

#

interface GigabitEthernet1/0/14

 port link-mode bridge

 port access vlan 100

#

interface M-GigabitEthernet1/0/0

 ip address 192.168.0.1 255.255.255.0

#

interface Ten-GigabitEthernet1/0/26

 port link-mode route

#

interface Ten-GigabitEthernet1/0/27

 port link-mode route

#

 ipv6 temporary-address

 ipv6 prefer temporary-address

#

security-zone name Local

#

security-zone name Trust

 import interface Vlan-interface1

 import interface GigabitEthernet1/0/0 vlan 1

 import vlan 1

#

security-zone name DMZ

#

security-zone name Untrust

 import interface Dialer0

 import interface GigabitEthernet1/0/1

#

security-zone name Management

 import interface M-GigabitEthernet1/0/0

#

security-zone name Guest

 import interface Vlan-interface20

 import vlan 20

#

security-zone name IPTV

 import interface Vlan-interface100

 import interface GigabitEthernet1/0/14 vlan 100

 import vlan 100

#

security-zone name LAN

 import interface Vlan-interface10

 import vlan 10

#

 scheduler logfile size 16

#

line class console

 authentication-mode scheme

 user-role network-admin

#

line class vty

 user-role network-operator

#

line con 0

 user-role network-admin

#

line vty 0 63

 authentication-mode scheme

 user-role network-admin

#

 ip route-static 0.0.0.0 0 Dialer0

#

 info-center loghost 127.0.0.1 port 3301 format default

 info-center source CFGLOG loghost level informational

#

 customlog format session

 customlog format attack-defense

 customlog format aft

 customlog format dpi audit

 customlog format dpi url-filter

 customlog format dpi netshare

 customlog format dpi ips

 customlog format dpi anti-virus

 customlog format dpi reputation

 customlog format dpi terminal

 customlog timestamp localtime

#

 userlog flow export version 5

#

performance-management

#

 arp static 10.0.0.5 <> 10 GigabitEthernet1/0/0

#

domain system

#

 domain default enable system

#

role name level-0

 description Predefined level-0 role

#

role name level-1

 description Predefined level-1 role

#

role name level-2

 description Predefined level-2 role

#

role name level-3

 description Predefined level-3 role

#

role name level-4

 description Predefined level-4 role

#

role name level-5

 description Predefined level-5 role

#

role name level-6

 description Predefined level-6 role

#

role name level-7

 description Predefined level-7 role

#

role name level-8

 description Predefined level-8 role

#

role name level-9

 description Predefined level-9 role

#

role name level-10

 description Predefined level-10 role

#

role name level-11

 description Predefined level-11 role

#

role name level-12

 description Predefined level-12 role

#

role name level-13

 description Predefined level-13 role

#

role name level-14

 description Predefined level-14 role

#

user-group system

#

local-user admin class manage

 password hash <>

 service-type ssh terminal http https

 authorization-attribute user-role level-3

 authorization-attribute user-role network-admin

 authorization-attribute user-role network-operator

#

 session statistics enable

 session log flow-begin

 session log flow-end

#

 aft log flow-begin

 aft log flow-end

#

apr signature auto-update

 update schedule daily start-time 02:00:00 tingle 120

#

 ip http enable

 ip https enable

#

 blacklist destination-ip 114.114.114.114

 blacklist global enable

 whitelist global enable

 blacklist logging enable

#

 inspect real-ip enable

#

inspect block-source parameter-profile ips_block_default_parameter

#

inspect block-source parameter-profile url_block_default_parameter

#

inspect block-source parameter-profile waf_block_default_parameter

#

inspect logging parameter-profile av_logging_default_parameter

 undo log syslog

#

inspect logging parameter-profile ips_logging_default_parameter

 undo log syslog

#

inspect logging parameter-profile url_logging_default_parameter

#

inspect email parameter-profile mailsetting_default_parameter

 undo authentication enable

 username fwalerts-nxmznf@***.***

 password cipher $c$3$Ps4iZqtmO2sitWC3h/DlnBMxUHD9i93WjzvwmpfEFQl0y8Q=

#

 loadbalance isp file flash:/lbispinfo_v1.5.tp

#

uapp-control

 policy name ApplicationCheck audit

  source-zone Guest

  source-zone LAN

  destination-zone Untrust

  rule 1 any behavior any bhcontent any keyword include any action permit audit-logging

#

security-policy ip

 rule 8 name ApplicationControl

  app-group default

 rule 7 name IPC

  terminal-group IPC

 rule 0 name WAN

  action pass

  source-zone Local

  source-zone Trust

  source-zone Guest

  source-zone LAN

  destination-zone Untrust

 rule 2 name Internal(DHCP)

  action pass

  source-zone Local

  source-zone Trust

  destination-zone Local

  destination-zone Trust

  service dhcp-client

  service dhcp-server

  service dns-tcp

  service dns-udp

 rule 1 name LAN(DHCP)

  action pass

  source-zone Local

  source-zone LAN

  destination-zone Local

  destination-zone LAN

  service dhcp-client

  service dhcp-server

  service dns-tcp

  service dns-udp

 rule 3 name Guest(DHCP)

  action pass

  source-zone Local

  source-zone Guest

  destination-zone Local

  destination-zone Guest

  service dhcp-client

  service dhcp-server

  service dns-tcp

  service dns-udp

 rule 4 name Internal-Internal

  action pass

  source-zone Trust

  destination-zone Trust

#

security-policy ipv6

 rule 6 name ApplicationControl6

  app-group default

 rule 5 name IPC6

  terminal-group IPC

 rule 0 name WAN6

  action pass

  source-zone LAN

  destination-zone Untrust

 rule 1 name LAN6(dhcpv6)

  action pass

  source-zone Local

  source-zone Untrust

  source-zone LAN

  destination-zone Local

  destination-zone Untrust

  destination-zone LAN

  service dhcpv6-client

  service dhcpv6-server

  service dns-tcp

  service dns-udp

#

dac log-collect service attack-defense blacklist enable

dac log-collect service attack-defense flood enable

dac log-collect service attack-defense ipcar_alarm enable

dac log-collect service attack-defense scan enable

dac log-collect service attack-defense signature enable

dac log-collect service dpi audit enable

dac log-collect service dpi terminal enable

dac log-collect service dpi threat enable

dac log-collect service dpi traffic enable

dac log-collect service dpi url-filter enable

dac log-collect service packet-filter security_policy enable

dac log-collect service security-policy counting enable

#

ips logging parameter-profile ips_logging_default_parameter

ips email parameter-profile mailsetting_default_parameter

#

anti-virus logging parameter-profile av_logging_default_parameter

anti-virus email parameter-profile mailsetting_default_parameter

#

 cloud-management server domain opstunnel-seccloud.h3c.com

#

return