为什么我把 rule 4 的安全策略打开（enable）之后，网络就特别卡？
version 7.1.064, Release 8860P41
#
sysname YSGYY-FW-main
#
clock timezone Lisbon add 00:00:00
clock protocol ntp context 1
#
context Admin id 1
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 10
#
dns server 8.8.8.8
dns server 114.114.114.114
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
vlan 29
#
vlan 33
#
vlan 123
#
vlan 1076 to 1078
#
vlan 1192
description QiLuYiYuan-DianXin-ZhuanXian
#
vlan 2000
#
object-group ip address 白名单
security-zone Trust
10 network range 172.30.120.191 172.30.120.254
20 network host address 172.30.123.9
object 20 description 杨玉霞
30 network host address 172.30.123.27
object 30 description 宋俊贤
40 network host address 172.30.123.13
object 40 description 宋惠娟
50 network host address 172.30.123.6
object 50 description 王梅林
60 network host address 172.30.123.17
object 60 description 护理部陈文倩
70 network host address 172.30.123.3
object 70 description 隋春晓
80 network host address 172.30.123.7
object 80 description 田崇林
90 network host address 172.30.123.28
object 90 description 李世杰
100 network host address 172.30.125.7
object 100 description 鞠佳良
110 network host address 172.30.125.6
object 110 description 贾善菲
120 network host address 172.30.145.252
object 120 description 宋日旭
130 network host address 172.30.125.8
object 130 description 医务部赵娟
140 network host address 172.30.125.50
object 140 description 医务部张立福
150 network subnet 172.30.142.0 255.255.255.0
object 150 description 查体中心
160 network host address 172.30.125.86
object 160 description 医养中心
170 network host address 172.30.123.20
object 170 description 经管科王文娟
180 network host address 172.30.125.40
object 180 description 医养中心
190 network host address 172.30.125.155
object 190 description 设备科1
200 network host address 172.30.125.98
object 200 description 设备科2
210 network host address 172.30.125.95
object 210 description 设备科3
220 network host address 172.30.125.20
object 220 description 设备科4
230 network host address 172.30.125.157
object 230 description 设备科5
240 network host address 172.30.123.201
object 240 description 护理部
250 network host address 172.30.125.2
object 250 description 康文楼检验科1
260 network host address 172.30.125.3
object 260 description 康文楼检验科2
270 network host address 172.30.122.89
object 270 description 病房楼检验科
280 network host address 172.30.125.19
object 280 description 检验科陈静
290 network host address 172.30.121.4
object 290 description 便民药房
300 network host address 172.30.123.5
object 300 description 临床药学
310 network host address 172.30.130.2
#
object-group ip address 财务共享中心服务器
security-zone Untrust
0 network subnet 172.20.128.0 255.255.192.0
10 network host address 182.40.34.73
#
object-group ip address 集团南山服务器组
security-zone Untrust
0 network subnet 172.15.248.0 255.255.255.0
10 network range 172.15.253.0 172.15.254.255
20 network subnet 172.20.231.0 255.255.255.0
30 network range 172.20.238.0 172.20.244.255
40 network range 172.20.248.0 172.20.249.255
50 network subnet 172.20.254.0 255.255.255.0
60 network host address 10.0.0.251
object 60 description 上网认证
70 network host address 192.168.188.195
#
object-group ip address 其他必要公网服务
description 其他必要公网服务
security-zone Untrust
0 network host name www.baidu.com
#
object-group ip address 齐鲁医院服务器网段
security-zone Untrust
0 network subnet 172.20.231.0 255.255.255.0
#
object-group ip address 网络监管
security-zone Untrust
0 network subnet 172.16.102.0 255.255.255.0
10 network subnet 172.15.1.0 255.255.255.0
20 network subnet 172.15.3.0 255.255.255.0
30 network subnet 172.16.69.0 255.255.255.0
40 network subnet 172.16.207.0 255.255.255.0
#
object-group ip address 医院到南山互联
10 network subnet 10.2.0.0 255.255.255.0
#
object-group ip address 医院内网网段
security-zone Trust
0 network subnet 172.30.112.0 255.255.252.0
10 network subnet 172.30.102.0 255.255.255.0
20 network subnet 172.30.119.0 255.255.255.0
30 network range 172.30.120.0 172.30.123.254
40 network range 172.30.125.1 172.30.127.254
50 network range 172.30.129.1 172.30.153.254
60 network range 172.30.176.1 172.30.178.254
#
object-group ip address 允许访问域名
security-zone Untrust
10 network host name ***.***
20 network range 27.221.34.176 27.221.34.177
30 network host address 106.11.35.100
40 network host address 106.11.40.32
50 network host address 106.11.43.136
60 network host address 106.11.43.160
70 network host address 119.249.58.142
80 network host name ***.***
90 network host name ***.***
100 network host name *.***.***
110 network host name ***.***
object 110 description 钉钉
120 network host name ***.***
object 120 description 钉钉
130 network host name space.***.***
object 130 description 钉钉
140 network host name ***.***
150 network host name ***.***
object 150 description 钉钉
160 network host address 119.188.223.101
object 160 description 钉钉
170 network host name ***.***
object 170 description 钉钉
180 network range 119.188.223.101 119.188.223.108
object 180 description 钉钉
190 network host name oa.***.***
#
interface NULL0
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
#
interface GigabitEthernet1/0/15
port link-mode route
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/0
port link-mode bridge
description QiLuYiYuan-CMCC-ZhuanXian-To-core
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 1076 to 1078
#
interface GigabitEthernet1/0/1
port link-mode bridge
description QiLuYiYuan-CMCC-ZhuanXian
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 1076 to 1078
#
interface GigabitEthernet1/0/2
port link-mode bridge
#
interface GigabitEthernet1/0/3
port link-mode bridge
#
interface GigabitEthernet1/0/20
port link-mode bridge
description dianshijifang-To-CORE
port access vlan 33
#
interface GigabitEthernet1/0/21
port link-mode bridge
description Dianshijifang
port access vlan 33
speed 1000
duplex full
#
interface GigabitEthernet1/0/22
port link-mode bridge
description ToCSHY-5800-g1/0/10_To_core
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 29 123 2000
#
interface GigabitEthernet1/0/23
port link-mode bridge
description ToCSHY-5800-g1/0/10
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 29 123 2000
#
interface M-GigabitEthernet1/0/0
ip address 172.30.120.253 255.255.255.0
#
interface Ten-GigabitEthernet1/0/27
port link-mode route
#
interface Ten-GigabitEthernet1/0/28
port link-mode route
#
interface Ten-GigabitEthernet1/0/29
port link-mode route
#
interface Ten-GigabitEthernet1/0/24
port link-mode bridge
description QiLuYiYuan-DianXin-LuoGuangLan-10G-To_CORE
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 1192
#
interface Ten-GigabitEthernet1/0/25
port link-mode bridge
description QiLuYiYuan-DianXin-LuoGuangLan-10G
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 1192
#
interface Ten-GigabitEthernet1/0/26
port link-mode bridge
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/0 vlan 1 to 4094
import interface GigabitEthernet1/0/20 vlan 1 to 4094
import interface GigabitEthernet1/0/22 vlan 1 to 4094
import interface Ten-GigabitEthernet1/0/24 vlan 1 to 4094
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1 vlan 1 to 4094
import interface GigabitEthernet1/0/21 vlan 1 to 4094
import interface GigabitEthernet1/0/23 vlan 1 to 4094
import interface Ten-GigabitEthernet1/0/25 vlan 1 to 4094
#
security-zone name Management
import interface M-GigabitEthernet1/0/0
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 172.30.120.254
#
performance-management
#
ssh server enable
#
ntp-service enable
ntp-service source M-GigabitEthernet1/0/0
ntp-service authentication-keyid 1 authentication-mode md5 cipher $c$3$Hw4nybF19dUiJstp/3hcAwjcEvM=
ntp-service reliable authentication-keyid 1
ntp-service unicast-server 172.30.120.188 authentication-keyid 1 version 1
#
undo password-control blacklist all-line
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$3/PiKkFy0WESWZlm$8O95aQLuBnGv+SjwFrISXfm5hfa99jZhnE4/Q5kN1GPgD3tTzdYJK1BveHdibb7TqHF8eL5/7E+IonYVc2H/GA==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
session synchronization enable
session synchronization dns http
#
ipsec logging negotiation enable
#
ike logging negotiation enable
#
ip https enable
#
blacklist global enable
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect logging parameter-profile waf_logging_default_parameter
#
inspect email parameter-profile mailsetting_default_parameter
undo authentication enable
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
waf logging parameter-profile waf_logging_default_parameter
#
security-policy ip
rule 7 name LAN-WAN-白名单允许内网访问
action pass
logging enable
counting enable
source-ip 白名单
rule 3 name 允许内网网段访问服务器网段
action pass
logging enable
counting enable
source-zone Trust
destination-zone Untrust
source-ip 医院内网网段
destination-ip 齐鲁医院服务器网段
destination-ip 集团南山服务器组
destination-ip 网络监管
destination-ip 医院到南山互联
destination-ip 财务共享中心服务器
rule 8 name 允许访问域名
action pass
logging enable
counting enable
source-zone Trust
destination-zone Untrust
source-ip 医院内网网段
destination-ip 允许访问域名
rule 9 name WAN-LAN允许外网部分服务访问内网
action pass
logging enable
counting enable
source-zone Untrust
destination-zone Trust
source-ip 允许访问域名
destination-ip 医院内网网段
rule 4 name 拒绝齐鲁医院内网网段trust-untrust
disable
source-zone Trust
destination-zone Untrust
source-ip 医院内网网段
rule 5 name WAN-LAN允许外网网段访问内网
action pass
logging enable
counting enable
source-zone Untrust
destination-zone Trust
source-ip 集团南山服务器组
source-ip 网络监管
source-ip 医院到南山互联
source-ip 财务共享中心服务器
destination-ip 医院内网网段
rule 6 name WAN-LAN拒绝外到内访问
source-zone Untrust
destination-zone Trust
destination-ip 医院内网网段
rule 2 name any
action pass
logging enable
counting enable
source-zone Local
source-zone Trust
source-zone DMZ
source-zone Untrust
source-zone Management
destination-zone Local
destination-zone Trust
destination-zone DMZ
destination-zone Untrust
destination-zone Management
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
cloud-management server domain opstunnel-seccloud.h3c.com
#
return