
Firewall


Problem description:

Why does the network become extremely slow as soon as I enable the rule 4 security policy?
 version 7.1.064, Release 8860P41
#
 sysname YSGYY-FW-main
#
 clock timezone Lisbon add 00:00:00
 clock protocol ntp context 1
#
context Admin id 1
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 10
#
 dns server 8.8.8.8
 dns server 114.114.114.114
#
 lldp global enable
#
 password-recovery enable
#
vlan 1
#
vlan 29
#
vlan 33
#
vlan 123
#
vlan 1076 to 1078
#
vlan 1192
 description QiLuYiYuan-DianXin-ZhuanXian
#
vlan 2000
#
object-group ip address 白名单
 security-zone Trust
 10 network range 172.30.120.191 172.30.120.254
 20 network host address 172.30.123.9
 object 20 description 杨玉霞
 30 network host address 172.30.123.27
 object 30 description 宋俊贤
 40 network host address 172.30.123.13
 object 40 description 宋惠娟
 50 network host address 172.30.123.6
 object 50 description 王梅林
 60 network host address 172.30.123.17
 object 60 description 护理部陈文倩
 70 network host address 172.30.123.3
 object 70 description 隋春晓
 80 network host address 172.30.123.7
 object 80 description 田崇林
 90 network host address 172.30.123.28
 object 90 description 李世杰
 100 network host address 172.30.125.7
 object 100 description 鞠佳良
 110 network host address 172.30.125.6
 object 110 description 贾善菲
 120 network host address 172.30.145.252
 object 120 description 宋日旭
 130 network host address 172.30.125.8
 object 130 description 医务部赵娟
 140 network host address 172.30.125.50
 object 140 description 医务部张立福
 150 network subnet 172.30.142.0 255.255.255.0
 object 150 description 查体中心
 160 network host address 172.30.125.86
 object 160 description 医养中心
 170 network host address 172.30.123.20
 object 170 description 经管科王文娟
 180 network host address 172.30.125.40
 object 180 description 医养中心
 190 network host address 172.30.125.155
 object 190 description 设备科1
 200 network host address 172.30.125.98
 object 200 description 设备科2
 210 network host address 172.30.125.95
 object 210 description 设备科3
 220 network host address 172.30.125.20
 object 220 description 设备科4
 230 network host address 172.30.125.157
 object 230 description 设备科5
 240 network host address 172.30.123.201
 object 240 description 护理部
 250 network host address 172.30.125.2
 object 250 description 康文楼检验科1
 260 network host address 172.30.125.3
 object 260 description 康文楼检验科2
 270 network host address 172.30.122.89
 object 270 description 病房楼检验科
 280 network host address 172.30.125.19
 object 280 description 检验科陈静
 290 network host address 172.30.121.4
 object 290 description 便民药房
 300 network host address 172.30.123.5
 object 300 description 临床药学
 310 network host address 172.30.130.2
#
object-group ip address 财务共享中心服务器
 security-zone Untrust
 0 network subnet 172.20.128.0 255.255.192.0
 10 network host address 182.40.34.73
#
object-group ip address 集团南山服务器组
 security-zone Untrust
 0 network subnet 172.15.248.0 255.255.255.0
 10 network range 172.15.253.0 172.15.254.255
 20 network subnet 172.20.231.0 255.255.255.0
 30 network range 172.20.238.0 172.20.244.255
 40 network range 172.20.248.0 172.20.249.255
 50 network subnet 172.20.254.0 255.255.255.0
 60 network host address 10.0.0.251
 object 60 description 上网认证
 70 network host address 192.168.188.195
#
object-group ip address 其他必要公网服务
 description 其他必要公网服务
 security-zone Untrust
 0 network host name www.baidu.com
#
object-group ip address 齐鲁医院服务器网段
 security-zone Untrust
 0 network subnet 172.20.231.0 255.255.255.0
#
object-group ip address 网络监管
 security-zone Untrust
 0 network subnet 172.16.102.0 255.255.255.0
 10 network subnet 172.15.1.0 255.255.255.0
 20 network subnet 172.15.3.0 255.255.255.0
 30 network subnet 172.16.69.0 255.255.255.0
 40 network subnet 172.16.207.0 255.255.255.0
#
object-group ip address 医院到南山互联
 10 network subnet 10.2.0.0 255.255.255.0
#
object-group ip address 医院内网网段
 security-zone Trust
 0 network subnet 172.30.112.0 255.255.252.0
 10 network subnet 172.30.102.0 255.255.255.0
 20 network subnet 172.30.119.0 255.255.255.0
 30 network range 172.30.120.0 172.30.123.254
 40 network range 172.30.125.1 172.30.127.254
 50 network range 172.30.129.1 172.30.153.254
 60 network range 172.30.176.1 172.30.178.254
#
object-group ip address 允许访问域名
 security-zone Untrust
 10 network host name ***.***
 20 network range 27.221.34.176 27.221.34.177
 30 network host address 106.11.35.100
 40 network host address 106.11.40.32
 50 network host address 106.11.43.136
 60 network host address 106.11.43.160
 70 network host address 119.249.58.142
 80 network host name ***.***
 90 network host name ***.***
 100 network host name *.***.***
 110 network host name ***.***
 object 110 description 钉钉
 120 network host name ***.***
 object 120 description 钉钉
 130 network host name space.***.***
 object 130 description 钉钉
 140 network host name ***.***
 150 network host name ***.***
 object 150 description 钉钉
 160 network host address 119.188.223.101
 object 160 description 钉钉
 170 network host name ***.***
 object 170 description 钉钉
 180 network range 119.188.223.101 119.188.223.108
 object 180 description 钉钉
 190 network host name oa.***.***
#
interface NULL0
#
interface GigabitEthernet1/0/4
 port link-mode route
#
interface GigabitEthernet1/0/5
 port link-mode route
#
interface GigabitEthernet1/0/6
 port link-mode route
#
interface GigabitEthernet1/0/7
 port link-mode route
#
interface GigabitEthernet1/0/8
 port link-mode route
#
interface GigabitEthernet1/0/9
 port link-mode route
#
interface GigabitEthernet1/0/10
 port link-mode route
#
interface GigabitEthernet1/0/11
 port link-mode route
#
interface GigabitEthernet1/0/12
 port link-mode route
#
interface GigabitEthernet1/0/13
 port link-mode route
#
interface GigabitEthernet1/0/14
 port link-mode route
#
interface GigabitEthernet1/0/15
 port link-mode route
#
interface GigabitEthernet1/0/16
 port link-mode route
 combo enable fiber
#
interface GigabitEthernet1/0/17
 port link-mode route
 combo enable fiber
#
interface GigabitEthernet1/0/18
 port link-mode route
 combo enable fiber
#
interface GigabitEthernet1/0/19
 port link-mode route
 combo enable fiber
#
interface GigabitEthernet1/0/0
 port link-mode bridge
 description QiLuYiYuan-CMCC-ZhuanXian-To-core
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 1076 to 1078
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 description QiLuYiYuan-CMCC-ZhuanXian
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 1076 to 1078
#
interface GigabitEthernet1/0/2
 port link-mode bridge
#
interface GigabitEthernet1/0/3
 port link-mode bridge
#
interface GigabitEthernet1/0/20
 port link-mode bridge
 description dianshijifang-To-CORE
 port access vlan 33
#
interface GigabitEthernet1/0/21
 port link-mode bridge
 description Dianshijifang
 port access vlan 33
 speed 1000
 duplex full
#
interface GigabitEthernet1/0/22
 port link-mode bridge
 description ToCSHY-5800-g1/0/10_To_core
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 29 123 2000
#
interface GigabitEthernet1/0/23
 port link-mode bridge
 description ToCSHY-5800-g1/0/10
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 29 123 2000
#
interface M-GigabitEthernet1/0/0
 ip address 172.30.120.253 255.255.255.0
#
interface Ten-GigabitEthernet1/0/27
 port link-mode route
#
interface Ten-GigabitEthernet1/0/28
 port link-mode route
#
interface Ten-GigabitEthernet1/0/29
 port link-mode route
#
interface Ten-GigabitEthernet1/0/24
 port link-mode bridge
 description QiLuYiYuan-DianXin-LuoGuangLan-10G-To_CORE
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 1192
#
interface Ten-GigabitEthernet1/0/25
 port link-mode bridge
 description QiLuYiYuan-DianXin-LuoGuangLan-10G
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 1192
#
interface Ten-GigabitEthernet1/0/26
 port link-mode bridge
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/0 vlan 1 to 4094
 import interface GigabitEthernet1/0/20 vlan 1 to 4094
 import interface GigabitEthernet1/0/22 vlan 1 to 4094
 import interface Ten-GigabitEthernet1/0/24 vlan 1 to 4094
#
security-zone name DMZ
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1 vlan 1 to 4094
 import interface GigabitEthernet1/0/21 vlan 1 to 4094
 import interface GigabitEthernet1/0/23 vlan 1 to 4094
 import interface Ten-GigabitEthernet1/0/25 vlan 1 to 4094
#
security-zone name Management
 import interface M-GigabitEthernet1/0/0
#
 scheduler logfile size 16
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line con 0
 authentication-mode scheme
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
#
 ip route-static 0.0.0.0 0 172.30.120.254
#
performance-management
#
 ssh server enable
#
 ntp-service enable
 ntp-service source M-GigabitEthernet1/0/0
 ntp-service authentication-keyid 1 authentication-mode md5 cipher $c$3$Hw4nybF19dUiJstp/3hcAwjcEvM=
 ntp-service reliable authentication-keyid 1
 ntp-service unicast-server 172.30.120.188 authentication-keyid 1 version 1
#
 undo password-control blacklist all-line
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$3/PiKkFy0WESWZlm$8O95aQLuBnGv+SjwFrISXfm5hfa99jZhnE4/Q5kN1GPgD3tTzdYJK1BveHdibb7TqHF8eL5/7E+IonYVc2H/GA==
 service-type ssh terminal https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
 session synchronization enable
 session synchronization dns http
#
 ipsec logging negotiation enable
#
 ike logging negotiation enable
#
 ip https enable
#
 blacklist global enable
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect logging parameter-profile waf_logging_default_parameter
#
inspect email parameter-profile mailsetting_default_parameter
 undo authentication enable
#
 loadbalance isp file flash:/lbispinfo_v1.5.tp
#
waf logging parameter-profile waf_logging_default_parameter
#
security-policy ip
 rule 7 name LAN-WAN-白名单允许内网访问
  action pass
  logging enable
  counting enable
  source-ip 白名单
 rule 3 name 允许内网网段访问服务器网段
  action pass
  logging enable
  counting enable
  source-zone Trust
  destination-zone Untrust
  source-ip 医院内网网段
  destination-ip 齐鲁医院服务器网段
  destination-ip 集团南山服务器组
  destination-ip 网络监管
  destination-ip 医院到南山互联
  destination-ip 财务共享中心服务器
 rule 8 name 允许访问域名
  action pass
  logging enable
  counting enable
  source-zone Trust
  destination-zone Untrust
  source-ip 医院内网网段
  destination-ip 允许访问域名
 rule 9 name WAN-LAN允许外网部分服务访问内网
  action pass
  logging enable
  counting enable
  source-zone Untrust
  destination-zone Trust
  source-ip 允许访问域名
  destination-ip 医院内网网段
 rule 4 name 拒绝齐鲁医院内网网段trust-untrust
  disable
  source-zone Trust
  destination-zone Untrust
  source-ip 医院内网网段
 rule 5 name WAN-LAN允许外网网段访问内网
  action pass
  logging enable
  counting enable
  source-zone Untrust
  destination-zone Trust
  source-ip 集团南山服务器组
  source-ip 网络监管
  source-ip 医院到南山互联
  source-ip 财务共享中心服务器
  destination-ip 医院内网网段
 rule 6 name WAN-LAN拒绝外到内访问
  source-zone Untrust
  destination-zone Trust
  destination-ip 医院内网网段
 rule 2 name any
  action pass
  logging enable
  counting enable
  source-zone Local
  source-zone Trust
  source-zone DMZ
  source-zone Untrust
  source-zone Management
  destination-zone Local
  destination-zone Trust
  destination-zone DMZ
  destination-zone Untrust
  destination-zone Management
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
 cloud-management server domain opstunnel-seccloud.h3c.com
#
return

2 answers

That shouldn't happen. Is there no problem once it is disabled?


Hello, please note:

Looking at the rule 4 configuration alone, no problem is apparent.

It is recommended to check, together with the live network's traffic patterns, whether there is a conflict with other security policies.

Also, when rule 4 is enabled, check whether the firewall's CPU and memory usage are high.
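
As an added example (not part of the post or of H3C's tooling), the following Python script replays the posted security-policy block as a first-match evaluation, so the same Trust to Untrust flow can be checked with rule 4 disabled and enabled, which is the policy-conflict check the answer above recommends. It assumes rules match in the displayed order, that a rule with no action line drops, and that unmatched traffic drops; host-name objects are left out and the address groups are abridged to the entries the sample flows need.

```python
# Added example (not from the post): first-match simulation of the posted security-policy block.
# Assumed: rules match in displayed order, a rule without an "action" line drops, unmatched traffic
# drops. Host-name objects are omitted (not resolvable offline); address groups are abridged.
import ipaddress

GROUPS = {  # entries transcribed from the posted object-groups, abridged
    "白名单": ["172.30.120.191-172.30.120.254", "172.30.123.9", "172.30.125.7", "172.30.142.0/24"],
    "医院内网网段": ["172.30.112.0/22", "172.30.102.0/24", "172.30.119.0/24", "172.30.120.0-172.30.123.254",
                   "172.30.125.1-172.30.127.254", "172.30.129.1-172.30.153.254", "172.30.176.1-172.30.178.254"],
    "齐鲁医院服务器网段": ["172.20.231.0/24"],
    "集团南山服务器组": ["172.15.248.0/24", "10.0.0.251"],
    "网络监管": ["172.16.102.0/24"],
    "医院到南山互联": ["10.2.0.0/24"],
    "财务共享中心服务器": ["172.20.128.0/18", "182.40.34.73"],
    "允许访问域名": ["27.221.34.176-27.221.34.177", "106.11.35.100"],
}
SERVERS = ["齐鲁医院服务器网段", "集团南山服务器组", "网络监管", "医院到南山互联", "财务共享中心服务器"]

# (rule, enabled, action, src zones, dst zones, src groups, dst groups); None means unrestricted.
RULES = [
    ("7", True, "pass", None, None, ["白名单"], None),
    ("3", True, "pass", {"Trust"}, {"Untrust"}, ["医院内网网段"], SERVERS),
    ("8", True, "pass", {"Trust"}, {"Untrust"}, ["医院内网网段"], ["允许访问域名"]),
    ("9", True, "pass", {"Untrust"}, {"Trust"}, ["允许访问域名"], ["医院内网网段"]),
    ("4", False, "drop", {"Trust"}, {"Untrust"}, ["医院内网网段"], None),  # "disable" in the config
    ("5", True, "pass", {"Untrust"}, {"Trust"}, SERVERS[1:], ["医院内网网段"]),
    ("6", True, "drop", {"Untrust"}, {"Trust"}, None, ["医院内网网段"]),
    ("2", True, "pass", None, None, None, None),  # lists every zone in the config, i.e. unrestricted
]

def in_group(ip, group):
    """True if ip is inside any range, subnet or host entry of the named object-group."""
    addr = ipaddress.ip_address(ip)
    def hit(entry):  # "network range lo hi" vs "network subnet" / "network host address"
        if "-" in entry:
            lo, hi = map(ipaddress.ip_address, entry.split("-"))
            return lo <= addr <= hi
        return addr in ipaddress.ip_network(entry, strict=False)
    return any(hit(e) for e in GROUPS[group])

def evaluate(src_zone, dst_zone, src_ip, dst_ip, rule4_enabled=False):
    """Return (rule number, action) of the first matching rule; (None, 'drop') if none matches."""
    for name, enabled, action, szones, dzones, sgroups, dgroups in RULES:
        if (not (rule4_enabled if name == "4" else enabled)
                or (szones and src_zone not in szones) or (dzones and dst_zone not in dzones)
                or (sgroups and not any(in_group(src_ip, g) for g in sgroups))
                or (dgroups and not any(in_group(dst_ip, g) for g in dgroups))):
            continue
        return name, action
    return None, "drop"  # implicit default action when no rule matches
```

With rule 4 disabled, a non-whitelisted internal host reaching an address outside the allowed groups falls through to rule 2 (pass); with rule 4 enabled, the same flow is caught by rule 4 and dropped, while whitelisted hosts (rule 7) and traffic to the server groups (rule 3) are unaffected.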

