Now no matter how I deny ports 80 and 443 from the LAN security zone to the LAN security zone in the policy, it has no effect.
Port 1/0/1 is set to Trust; the LAN passes through as VLAN 10 tagged and its security zone is set to LAN.
Best answer
My configuration:
#
 version 7.1.064, Release 8860P18
#
 sysname Gateway
#
 clock timezone CST add 08:00:00
 clock protocol ntp context 1
#
context Admin id 1
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 dialer-group 1 rule ip permit
#
 dhcp enable
#
 dns proxy enable
#
 password-recovery enable
#
vlan 1
 description Internal
#
vlan 10
 description LAN
#
vlan 20
 description Guest
#
vlan 100
 description IPTV
#
object-group ip address Guest
 security-zone Guest
 0 network subnet 10.0.6.0 255.255.254.0
#
object-group ip address Internal
 security-zone Trust
 0 network subnet 172.16.0.0 255.255.255.0
#
object-group ip address LAN
 security-zone Trust
 0 network subnet 10.0.0.0 255.255.252.0
#
object-group service dhcpv6-client
 0 service udp destination eq 547
#
object-group service dhcpv6-server
 0 service udp destination eq 546
#
dhcp server ip-pool Guest
 gateway-list 10.0.6.1
 network 10.0.6.0 mask 255.255.254.0
 dns-list 10.0.6.1
 expired day 0 hour 2
#
dhcp server ip-pool Internal
 gateway-list 172.16.0.1
 network 172.16.0.0 mask 255.255.255.0
 dns-list 172.16.0.1
 option 43 ascii TP-LINK
#
dhcp server ip-pool LAN
 gateway-list 10.0.0.1
 network 10.0.0.0 mask 255.255.252.0
 dns-list 10.0.0.1
 expired day 0 hour 12
 static-bind ip-address 10.0.0.5 mask 255.255.252.0 client-identifier <>
#
interface NULL0
#
interface Vlan-interface1
 description Internal
 ip address 172.16.0.1 255.255.255.0
 gateway 172.16.0.1
#
interface Vlan-interface10
 description LAN
 ip address 10.0.0.1 255.255.252.0
 ipv6 address auto
 ipv6 address auto link-local
 ipv6 address 1 ::1/64
 ipv6 nd autoconfig managed-address-flag
 ipv6 nd autoconfig other-flag
 undo ipv6 nd ra halt
 ipv6 nd ra dns server <> infinite sequence 0
 gateway 10.0.0.1
#
interface Vlan-interface20
 description Guest
 ip address 10.0.6.1 255.255.254.0
 gateway 10.0.6.1
#
interface Vlan-interface100
 description IPTV
#
interface GigabitEthernet1/0/1
 port link-mode route
 description WAN
 pppoe-client dial-bundle-number 0
#
interface GigabitEthernet1/0/0
 port link-mode bridge
 description Internal
 port link-type hybrid
 port hybrid vlan 10 20 100 tagged
 port hybrid vlan 1 untagged
#
interface GigabitEthernet1/0/14
 port link-mode bridge
 port access vlan 100
#
interface M-GigabitEthernet1/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/26
 port link-mode route
#
interface Ten-GigabitEthernet1/0/27
 port link-mode route
#
 ipv6 temporary-address
 ipv6 prefer temporary-address
#
security-zone name Local
#
security-zone name Trust
 import interface Vlan-interface1
 import interface GigabitEthernet1/0/0 vlan 1
 import vlan 1
#
security-zone name DMZ
#
security-zone name Untrust
 import interface Dialer0
 import interface GigabitEthernet1/0/1
#
security-zone name Management
 import interface M-GigabitEthernet1/0/0
#
security-zone name Guest
 import interface Vlan-interface20
 import vlan 20
#
security-zone name IPTV
 import interface Vlan-interface100
 import interface GigabitEthernet1/0/14 vlan 100
 import vlan 100
#
security-zone name LAN
 import interface Vlan-interface10
 import vlan 10
#
 scheduler logfile size 16
#
line class console
 authentication-mode scheme
 user-role network-admin
#
line class vty
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
#
 ip route-static 0.0.0.0 0 Dialer0
#
 info-center loghost 127.0.0.1 port 3301 format default
 info-center source CFGLOG loghost level informational
#
 customlog format session
 customlog format attack-defense
 customlog format aft
 customlog format dpi audit
 customlog format dpi url-filter
 customlog format dpi netshare
 customlog format dpi ips
 customlog format dpi anti-virus
 customlog format dpi reputation
 customlog format dpi terminal
 customlog timestamp localtime
#
 userlog flow export version 5
#
performance-management
#
 arp static 10.0.0.5 <> 10 GigabitEthernet1/0/0
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash <>
 service-type ssh terminal http https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
 session statistics enable
 session log flow-begin
 session log flow-end
#
 aft log flow-begin
 aft log flow-end
#
apr signature auto-update
 update schedule daily start-time 02:00:00 tingle 120
#
 ip http enable
 ip https enable
#
 blacklist destination-ip 114.114.114.114
 blacklist global enable
 whitelist global enable
 blacklist logging enable
#
 inspect real-ip enable
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect block-source parameter-profile waf_block_default_parameter
#
inspect logging parameter-profile av_logging_default_parameter
 undo log syslog
#
inspect logging parameter-profile ips_logging_default_parameter
 undo log syslog
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect email parameter-profile mailsetting_default_parameter
 undo authentication enable
 username fwalerts-nxmznf@***.***
 password cipher $c$3$Ps4iZqtmO2sitWC3h/DlnBMxUHD9i93WjzvwmpfEFQl0y8Q=
#
 loadbalance isp file flash:/lbispinfo_v1.5.tp
#
uapp-control
 policy name ApplicationCheck audit
  source-zone Guest
  source-zone LAN
  destination-zone Untrust
  rule 1 any behavior any bhcontent any keyword include any action permit audit-logging
#
security-policy ip
 rule 8 name ApplicationControl
  app-group default
 rule 7 name IPC
  terminal-group IPC
 rule 0 name WAN
  action pass
  source-zone Local
  source-zone Trust
  source-zone Guest
  source-zone LAN
  destination-zone Untrust
 rule 2 name Internal(DHCP)
  action pass
  source-zone Local
  source-zone Trust
  destination-zone Local
  destination-zone Trust
  service dhcp-client
  service dhcp-server
  service dns-tcp
  service dns-udp
 rule 1 name LAN(DHCP)
  action pass
  source-zone Local
  source-zone LAN
  destination-zone Local
  destination-zone LAN
  service dhcp-client
  service dhcp-server
  service dns-tcp
  service dns-udp
 rule 3 name Guest(DHCP)
  action pass
  source-zone Local
  source-zone Guest
  destination-zone Local
  destination-zone Guest
  service dhcp-client
  service dhcp-server
  service dns-tcp
  service dns-udp
 rule 4 name Internal-Internal
  action pass
  source-zone Trust
  destination-zone Trust
#
security-policy ipv6
 rule 6 name ApplicationControl6
  app-group default
 rule 5 name IPC6
  terminal-group IPC
 rule 0 name WAN6
  action pass
  source-zone LAN
  destination-zone Untrust
 rule 1 name LAN6(dhcpv6)
  action pass
  source-zone Local
  source-zone Untrust
  source-zone LAN
  destination-zone Local
  destination-zone Untrust
  destination-zone LAN
  service dhcpv6-client
  service dhcpv6-server
  service dns-tcp
  service dns-udp
#
 dac log-collect service attack-defense blacklist enable
 dac log-collect service attack-defense flood enable
 dac log-collect service attack-defense ipcar_alarm enable
 dac log-collect service attack-defense scan enable
 dac log-collect service attack-defense signature enable
 dac log-collect service dpi audit enable
 dac log-collect service dpi terminal enable
 dac log-collect service dpi threat enable
 dac log-collect service dpi traffic enable
 dac log-collect service dpi url-filter enable
 dac log-collect service packet-filter security_policy enable
 dac log-collect service security-policy counting enable
#
 ips logging parameter-profile ips_logging_default_parameter
 ips email parameter-profile mailsetting_default_parameter
#
 anti-virus logging parameter-profile av_logging_default_parameter
 anti-virus email parameter-profile mailsetting_default_parameter
#
 cloud-management server domain opstunnel-seccloud.h3c.com
#
return
That suggests the traffic may never reach the firewall and is being forwarded directly from source to destination.
I'd suggest first confirming the actual network topology and then taking another look.
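The forwarding check the reply above points to, as an added example that is not part of the original thread: it parses Vlan-interface subnets and zone imports in the same '#'-separated shape as the posted config and reports whether a host-to-host flow even crosses a zone boundary on the firewall. The subnets and zone names are the posted values; the two LAN hosts are constructed, and the check assumes the hosts hang off the downstream switch behind GigabitEthernet1/0/0, so frames between two hosts in VLAN 10 are switched there and are never presented to the LAN-to-LAN security policy.

```python
import ipaddress
import re

# Constructed excerpt in the posted config's shape; subnets and zone imports are the posted values.
CONFIG = """#
interface Vlan-interface10
 ip address 10.0.0.1 255.255.252.0
#
interface Vlan-interface20
 ip address 10.0.6.1 255.255.254.0
#
security-zone name LAN
 import interface Vlan-interface10
#
security-zone name Guest
 import interface Vlan-interface20
#"""

def parse(cfg):
    """Return ({vlan-if: IPv4Network}, {vlan-if: zone name}) from an H3C-style config."""
    subnets, zones, cur = {}, {}, None
    for line in cfg.splitlines():
        if line.strip() == "#":                       # section separator
            cur = None
        elif m := re.match(r"interface (Vlan-interface\d+)", line):
            cur = ("if", m[1])
        elif m := re.match(r"security-zone name (\S+)", line):
            cur = ("zone", m[1])
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and cur and cur[0] == "if":
            subnets[cur[1]] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif (m := re.match(r"\s+import interface (Vlan-interface\d+)", line)) and cur and cur[0] == "zone":
            zones[m[1]] = cur[1]
    return subnets, zones

def classify(src, dst, cfg=CONFIG):
    """Routed between zones (policy evaluated) or intra-VLAN (switched downstream, policy never consulted)."""
    subnets, zones = parse(cfg)
    def vlan_if(ip):
        a = ipaddress.ip_address(ip)
        return next((i for i, n in subnets.items() if a in n), None)
    s, d = vlan_if(src), vlan_if(dst)
    if s is None or d is None:
        return "unknown subnet"
    if s == d:
        return f"intra-VLAN ({s}): switched locally, {zones.get(s)}->{zones.get(s)} policy not consulted"
    return f"routed: zone {zones.get(s)} -> {zones.get(d)}; security-policy applies"
```

Run classify("10.0.0.20", "10.0.0.30") against the posted subnets to see the LAN-to-LAN case that the question's deny rule can never catch, and classify("10.0.0.20", "10.0.6.5") for a flow that does pass the zone policy.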