hCount(1069)=2;Event(1048)=Permit; %Mar 27 21:59:36:785 2022 H3C FILTER/6/FILTER_ZONE_EXECUTION_ICMP: -Context=1; SrcZoneName(1025)=Untrust;DstZoneName(1035)=Trust;Type(1067)=ACL;SecurityPolicy(1072)=Untrust_Local;RuleID(1078)=2;Protocol(1001)=ICMP;SrcIPAddr(1003)=192.168.31.10;SrcMacAddr(1021)=7cfb-3d36-0802;DstIPAddr(1007)=192.168.200.1;IcmpType(1062)=ECHO(8);IcmpCode(1063)=0;MatchCount(1069)=2;Event(1048)=Permit;
Can someone confirm: this was not blocked by the policy, right? But the traffic still does not get through.
Best answer
This only means the policy permitted the packet. First run dis session table xxx verbose to check the session state. If you also want to use debugging to determine whether the firewall is dropping the traffic, troubleshoot along these lines:
<H3C>debugging ip info acl 3500
<H3C>debugging packet-filter packet ip acl 3500
<H3C>debugging object-policy packet ip acl 3500
<H3C>debugging security-policy packet ip acl 3500
<H3C>debug aspf packet acl 3500
<H3C>terminal debugging
<H3C>terminal monitor
[H3C]info-center enable
After enabling debugging, run ping from the client and look at the information the firewall prints to see which modules filtered the packet. Details:
(1) IP forwarding debug:
<H3C>debugging ip info acl 3500
<H3C>*Nov 2 14:49:51:678 2019 H3C IPFW/7/IPFW_INFO: -Context=1;
MBUF was intercepted! Phase Num is 1(pre routing), Service ID is 24(lb), Bitmap is 9000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is GigabitEthernet1/0/3,
s= 192.168.1.2, d= 192.168.10.2, protocol= 1, pktid = 9028.
From this output you can tell that the packet matched the load-balancing policy and was dropped, so check the load-balancing configuration.
(2) Inter-zone policy debug:
<H3C>debugging packet-filter packet ip acl 3500
*Mar 22 10:12:25:381 2011 Sysname pflt/7/Event: -MDC=1; The packet is permitted. Interface=Ten-GigabitEthernet7/0/18, Direction=OUTBOUND; Packet Info: Src-IP=1.1.1.1, Dst-IP=2.2.2.2, VPN-Instance=vpn1, Src-Port=1024, Dst-Port=1025, Protocol=icmp(1), ACL=3500, Rule-ID=0.
(3) Object policy debug:
<H3C>debugging object-policy packet ip acl 3500
*Mar 22 10:12:25:381 2011 Sysname pflt/7/Event: -MDC=1; The packet is permitted. Src-Zone=DMZ, Dst-Zone=TRUST; Match Info: Src-IP=1.1.1.1, Dst-IP=2.2.2.2, VPN-Instance=vpn1, Src-Port=1024, Dst-Port=1025, Protocol=icmp(1), ObjectPolicy=policy1.
(4) Security policy debug:
<H3C>debugging security-policy packet ip acl 3500
*Nov 2 14:54:50:184 2019 H3C FILTER/7/PACKET: -Context=1; The packet is permitted. Src-Zone=Trust, Dst-Zone=Untrust;If-In=GigabitEthernet1/0/3(4), If-Out=GigabitEthernet1/0/1(2); Packet Info:Src-IP=192.168.1.2, Dst-IP=192.168.10.2, VPN-Instance=, Src-MacAddr=3417-eb7d-3176,Src-Port=8, Dst-Port=0, Protocol=ICMP(1), Application=ICMP(22742), SecurityPolicy=1, Rule-ID=0.
Of the inter-zone policy, object policy and security policy, only one of the three applies; check whether the action is permit or denied. If it is denied, see which policy was hit and troubleshoot in the corresponding configuration. If no policy was hit at all, the firewall has not permitted this traffic (default deny), and a policy permitting it must be added manually.
Note: VPN-instance and IPv6 traffic need their own policies; they cannot share the ordinary IPv4 policy.
VPN-instance policy:
[H3C]security-policy ip
[H3C-security-policy-ip]rule name 1
[H3C-security-policy-ip-0-cs]vrf cs
IPv6 policy:
[H3C]security-policy ipv6
(5) ASPF debug:
<H3C>debug aspf packet acl 3500
<H3C>debugging aspf packet
*Aug 28 12:09:44:309 2011 Sysname ASPF/7/PACKET: -MDC=1; The packet of no session was dropped by ASPF, because the TCP SYN checking failed. Interface=GigabitEthernet1/0/2, Direction=INBOUND; Packet Info: Src-IP=1.1.1.1, Dst-IP=1.1.1.2, VPN-Instance=none, Src-Port=12345, Dst-Port=21, Protocol=tcp(6).
Check whether the traffic is being blocked by ASPF.
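The answer above boils down to reading a debug capture for the first module that returned a drop. The script below is an added example, not from the original post or from H3C: it joins the multi-line records the five debugging commands emit, identifies the reporting module (IPFW, pflt, FILTER, ASPF) and its verdict, and normalises the source and destination so a capture can be scanned automatically. The regular expressions are derived only from the line formats quoted on this page, and the sample capture is constructed from those quoted lines (the questioner's FILTER_ZONE_EXECUTION_ICMP log plus the three debug outputs); addresses, interfaces and timestamps are illustrative, not a real device.

```python
# Added example: triage H3C Comware firewall debug records for the first dropping module.
import re
from dataclasses import dataclass, field

# Constructed sample capture modelled on the lines quoted in the question and answer.
SAMPLE_CAPTURE = """\
%Mar 27 21:59:36:785 2022 H3C FILTER/6/FILTER_ZONE_EXECUTION_ICMP: -Context=1; SrcZoneName(1025)=Untrust;DstZoneName(1035)=Trust;Type(1067)=ACL;SecurityPolicy(1072)=Untrust_Local;RuleID(1078)=2;Protocol(1001)=ICMP;SrcIPAddr(1003)=192.168.31.10;DstIPAddr(1007)=192.168.200.1;IcmpType(1062)=ECHO(8);IcmpCode(1063)=0;MatchCount(1069)=2;Event(1048)=Permit;
*Nov 2 14:54:50:184 2019 H3C FILTER/7/PACKET: -Context=1; The packet is permitted. Src-Zone=Trust, Dst-Zone=Untrust;If-In=GigabitEthernet1/0/3(4), If-Out=GigabitEthernet1/0/1(2); Packet Info:Src-IP=192.168.1.2, Dst-IP=192.168.10.2, VPN-Instance=, Src-Port=8, Dst-Port=0, Protocol=ICMP(1), SecurityPolicy=1, Rule-ID=0.
*Nov 2 14:54:50:185 2019 H3C IPFW/7/IPFW_INFO: -Context=1;
MBUF was intercepted! Phase Num is 1(pre routing), Service ID is 24(lb), Bitmap is 9000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is GigabitEthernet1/0/3,
s= 192.168.1.2, d= 192.168.10.2, protocol= 1, pktid = 9028.
*Aug 28 12:09:44:309 2011 Sysname ASPF/7/PACKET: -MDC=1; The packet of no session was dropped by ASPF, because the TCP SYN checking failed. Interface=GigabitEthernet1/0/2, Direction=INBOUND; Packet Info: Src-IP=1.1.1.1, Dst-IP=1.1.1.2, VPN-Instance=none, Src-Port=12345, Dst-Port=21, Protocol=tcp(6).
"""

# Legend that IPFW prints inline after "return N(...)".
IPFW_RETURN = {"0": "continue", "1": "dropped", "2": "consumed", "3": "enqueued", "4": "relay"}

MODULE_RE = re.compile(r"\b([A-Za-z]+)/(\d)/(\w+):")             # e.g. FILTER/7/PACKET:
KV_RE = re.compile(r"([A-Za-z][\w-]*)(?:\(\d+\))?\s*=\s*(.*)$")  # Key=Value or Key(id)=Value
SRC_KEYS = ("Src-IP", "SrcIPAddr", "s")  # the spellings the different modules use
DST_KEYS = ("Dst-IP", "DstIPAddr", "d")


@dataclass
class Record:
    module: str   # IPFW, pflt, FILTER, ASPF, ...
    action: str   # "permit", "drop" or "unknown"
    detail: str   # service, policy/rule or reason behind the verdict
    src: str = ""
    dst: str = ""
    fields: dict = field(default_factory=dict)


def split_records(text):
    """Join continuation lines: a new record starts at a '%' or '*' timestamp prefix."""
    records = []
    for line in text.splitlines():
        if line.startswith(("%", "*")) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return [r for r in records if r.strip()]


def parse_fields(record):
    """Extract Key=Value pairs separated by ',' or ';', dropping the numeric field ids."""
    fields = {}
    for token in re.split(r"[;,]", record):
        m = KV_RE.search(token)
        if m:
            fields[m.group(1)] = m.group(2).strip().rstrip(".")
    return fields


def describe_policy(fields):
    """Name the policy object and rule that produced a permit/deny verdict."""
    for key in ("SecurityPolicy", "ObjectPolicy", "ACL"):
        if key in fields:
            rule = fields.get("Rule-ID", fields.get("RuleID"))
            return f"{key} {fields[key]}" + (f" rule {rule}" if rule is not None else "")
    return "no policy named"


def classify(record):
    """Turn one joined debug record into a Record with module, verdict and endpoints."""
    m = MODULE_RE.search(record)
    module = m.group(1) if m else "?"
    fields = parse_fields(record)
    action, detail = "unknown", ""
    if module == "IPFW":
        # Forwarding-plane trace: which service intercepted the MBUF and what it returned.
        svc = re.search(r"Service ID is \d+\((\w+)\)", record)
        phase = re.search(r"Phase Num is \d+\(([^)]*)\)", record)
        ret = re.search(r"return (\d)\(", record)
        code = IPFW_RETURN.get(ret.group(1), "?") if ret else "?"
        action = {"dropped": "drop", "continue": "permit"}.get(code, "unknown")
        detail = f"service {svc.group(1) if svc else '?'} at {phase.group(1) if phase else '?'}: {code}"
    elif fields.get("Event") in ("Permit", "Deny"):
        # Info-level FILTER_ZONE_EXECUTION_* log, the format shown in the question.
        action = "permit" if fields["Event"] == "Permit" else "drop"
        detail = describe_policy(fields)
    elif "is permitted" in record:
        action, detail = "permit", describe_policy(fields)
    elif "is denied" in record or "was dropped" in record:
        why = re.search(r"because (.*?)\.", record)
        action, detail = "drop", (why.group(1) if why else describe_policy(fields))
    src = next((fields[k] for k in SRC_KEYS if k in fields), "")
    dst = next((fields[k] for k in DST_KEYS if k in fields), "")
    return Record(module, action, detail, src, dst, fields)


def triage(text):
    return [classify(r) for r in split_records(text)]


def first_drop(text):
    """First module that dropped the packet, or None when every module permitted it;
    in that case the policy is not the problem and the session table is the next stop."""
    return next((r for r in triage(text) if r.action == "drop"), None)


if __name__ == "__main__":
    for r in triage(SAMPLE_CAPTURE):
        print(f"{r.module:7} {r.action:7} {r.src} -> {r.dst}  {r.detail}")
    d = first_drop(SAMPLE_CAPTURE)
    print("first drop:", d.module if d else "none (check display session table ... verbose)")
```

Run against a pasted terminal capture, the questioner's situation shows up as a FILTER permit followed by no drop from any policy module, which is exactly why the answer sends them to the session table first; a permit from FILTER only says the packet passed the security policy, not that IPFW or ASPF let it through afterwards.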