#
version 7.1.064, Release 9560P41
#
sysname H3C
#
clock protocol none
#
context Admin id 1
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
mac-authentication access-user log enable failed-login successful-login
#
nat log enable
nat log flow-begin
nat log flow-end
#
dhcp enable
#
dns proxy enable
dns server 223.5.5.5
dns server 223.6.6.6
#
ip subscriber access-user log enable successful-login failed-login logout abnormal
#
password-recovery enable
#
vlan 1
#
object-group service blue_443
0 service tcp destination eq 443
#
object-group service blue_80
0 service tcp destination eq 80
#
object-group service blue_81
0 service tcp destination eq 81
#
traffic classifier PBR_CLASS operator or
if-match acl 3000
#
traffic behavior PBR_BEHAVIOR
#
dhcp server ip-pool blue-dhcp-pool-1
gateway-list 10.0.0.1
network 10.0.0.0 mask 255.255.254.0
dns-list 223.5.5.5 223.6.6.6
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
description GuideWan Interface
bandwidth 100000
ip address 220.192.4.2 255.255.255.252
gateway 220.192.4.1
#
interface GigabitEthernet1/0/5
port link-mode route
description GuideLan Interface
ip address 10.0.0.1 255.255.254.0
manage ping inbound
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
ip address 192.168.3.2 255.255.255.0
nat outbound
manage ping inbound
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface SSLVPN-AC0
ip address 192.168.8.1 255.255.255.0
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/5
import interface GigabitEthernet1/0/7
import interface SSLVPN-AC0
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/4
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 GigabitEthernet1/0/4 220.192.4.1
ip route-static 192.168.1.0 24 192.168.3.1
#
customlog format dpi ips
customlog format dpi sandbox
customlog format dpi traffic-policy
customlog format lb
customlog format trusted-access authorization
customlog format trusted-access notification
#
performance-management
#
ssh server enable
#
arp ip-conflict log prompt
#
undo password-control blacklist all-line
#
domain blue_isp_sslvpn_admin
authentication sslvpn local
authorization sslvpn local
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group blue_user_group_sslvpn_admin
identity-member user user1
#
user-group system
#
local-user admin class manage
password hash $hxxx
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
password-control login-attempt 3 exceed lock-time 60
#
local-user user1 class network
password cipher $c$3xxx
service-type sslvpn
group blue_user_group_sslvpn_admin
authorization-attribute user-role network-operator
identity-group blue_user_group_sslvpn_admin
validity-datetime from 2025/08/08 22:08:06 to 2026/08/09 22:08:08
#
session statistics enable
session log flow-begin
session log flow-end
#
ipsec logging negotiation enable
#
nat global-policy
rule name blue_81
service blue_81
source-zone Untrust
destination-ip host 220.192.4.2
action dnat ip-address 10.0.0.20 local-port 80
counting enable
rule name blue_80
service blue_80
source-zone Untrust
destination-ip host 220.192.4.2
action dnat ip-address 10.0.0.20 local-port 80
counting enable
rule name blue_443
service blue_443
source-zone Untrust
destination-ip host 220.192.4.2
action dnat ip-address 10.0.0.20 local-port 443
counting enable
rule name GlobalPolicyRule_1
description GuideNat
source-zone Trust
destination-zone Untrust
action snat easy-ip
counting enable
#
ike logging negotiation enable
#
ip https port 8443
ip https enable
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
undo log syslog
log language chinese
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect email parameter-profile mailsetting_default_parameter
undo authentication enable
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
loadbalance log enable link-flow
#
traffic-policy
rule 1 name GuideAVCPolicy
action qos profile guideavcprofile1
profile name guideavcprofile1
bandwidth downstream guaranteed 100000
bandwidth downstream maximum 100000
#
sslvpn ip address-pool blue_ip_pool_sslvpn 192.168.8.10 192.168.8.254
#
sslvpn gateway blue_gateway_sslvpn
ip address 0.0.0.0 port 2000
service enable
#
sslvpn context blue_context_sslvpn
gateway blue_gateway_sslvpn
undo password-changing enable
ip-tunnel interface SSLVPN-AC0
ip-tunnel address-pool blue_ip_pool_sslvpn mask 255.255.255.0
ip-tunnel dns-server primary 10.0.0.1
ip-route-list blue_allow_sslvpn_all
include 10.0.0.0 255.255.254.0
include 192.168.1.0 255.255.255.0
include 192.168.2.0 255.255.255.0
include 192.168.3.0 255.255.255.0
policy-group blue_r_group_sslvpn_10_0_0
ip-tunnel access-route ip-route-list blue_allow_sslvpn_all
ip-tunnel address-pool blue_ip_pool_sslvpn mask 255.255.255.0
default-policy-group blue_r_group_sslvpn_10_0_0
aaa domain blue_isp_sslvpn_admin
log user-login enable
force-logout max-onlines enable
service enable
#
security-policy ip
rule 0 name GuideSecPolicy
action pass
source-zone Trust
destination-zone Untrust
destination-zone DMZ
rule 2 name blue
action pass
logging enable
#
dac log-collect service dpi traffic enable
dac log-collect service dpi waf enable
dac log-collect service nat flow_log enable
dac log-collect service security-policy counting enable
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
cloud-management server domain opstunnel-seccloud.h3c.com
#
return