问

防火墙F100-m 自动断网问题

持续性

2018-10-31提问

0关注
1收藏，1065浏览

大侠

大侠零段

粉丝：0人关注：0人

问题描述：

现公司在台F100-m防火墙，已使用近10年，最近出现此问题：每隔24小时或更短时间内，公司上网缓慢或无法上网，防火墙必须重启后，上网恢复正常。求助

配置如下：以下配置中的Ip有更改。

组网及组网描述：

# sysname beijing # ike local-name beijing # firewall packet-filter enable firewall packet-filter default permit # firewall url-filter host enable firewall url-filter host default deny firewall webdata-filter enable # firewall statistic system enable # qos carl 1 source-ip-address range 192.168.2.50 to 192.168.2.254 qos carl 2 destination-ip-address range 192.168.2.50 to 192.168.2.254 # firewall blacklist enable # firewall mac-binding enable firewall mac-binding 192.168.2.3 5254-4cfc-847c firewall mac-binding 192.168.2.4 0015-17b6-51b5 firewall mac-binding 192.168.2.5 000e-0cdd-68ab firewall mac-binding 192.168.2.6 0022-6489-414c firewall mac-binding 192.168.2.7 5254-4cfc-7f12 firewall mac-binding 192.168.2.8 5254-4cfc-7e0a firewall mac-binding 192.168.2.9 5254-4cf2-5756 firewall mac-binding 192.168.2.10 001e-c9f3-2907 firewall mac-binding 192.168.2.11 001e-c9f3-2270 firewall mac-binding 192.168.2.12 3c52-8261-55a3 firewall mac-binding 192.168.2.13 001e-c9f3-228e firewall mac-binding 192.168.2.14 001e-c9f3-44fa firewall mac-binding 192.168.2.15 001e-c9f3-2718 firewall mac-binding 192.168.2.16 001e-c9f3-202c firewall mac-binding 192.168.2.17 5254-4ce0-a146 firewall mac-binding 192.168.2.18 30e1-716a-f834 firewall mac-binding 192.168.2.19 0023-ae5f-63c3 firewall mac-binding 192.168.2.20 9002-a974-85c2 firewall mac-binding 192.168.2.21 5254-4cf2-e876 firewall mac-binding 192.168.2.22 9002-a971-1321 firewall mac-binding 192.168.2.23 8c89-a514-381c firewall mac-binding 192.168.2.24 0022-19d5-e4ac firewall mac-binding 192.168.2.25 0c4b-54ae-4895 firewall mac-binding 192.168.2.26 2cb0-5d3f-117c firewall mac-binding 192.168.2.28 d43d-7e9d-93bb firewall mac-binding 192.168.2.29 0024-2155-4eaa firewall mac-binding 192.168.2.30 000e-0cdd-6ac5 firewall mac-binding 192.168.2.31 841b-5e7a-7363 firewall mac-binding 192.168.2.32 0021-2c29-2c66 firewall mac-binding 192.168.2.33 28c6-8eb3-7b90 firewall mac-binding 192.168.2.34 90b1-1c09-b987 firewall mac-binding 192.168.2.35 000f-e257-eb1b firewall mac-binding 192.168.2.36 848f-69df-cd3a firewall mac-binding 192.168.2.37 0c4b-5407-16eb firewall mac-binding 192.168.2.38 a4ba-db48-e462 firewall mac-binding 192.168.2.39 d815-0d11-950b firewall mac-binding 192.168.2.40 0018-8b90-ac9b firewall mac-binding 192.168.2.41 0026-9e14-fbd5 firewall mac-binding 192.168.2.42 a4ba-db48-d89f firewall mac-binding 192.168.2.43 0026-9e43-c55b firewall mac-binding 192.168.2.44 b8ac-6f27-cb0f firewall mac-binding 192.168.2.45 d4be-d9b7-caef firewall mac-binding 192.168.2.46 d815-0d11-8531 firewall mac-binding 192.168.2.47 0014-2a36-1b70 firewall mac-binding 192.168.2.48 0021-9b14-d81b firewall mac-binding 192.168.2.49 0026-9e1b-2a2b # p2p block-emule enable # pki entity svpndefent common-name svpn-gw organization-unit security organization h3c locality beijing state beijing country cn # pki domain svpndefdom ca identifier svpn certificate request from ra certificate request entity svpndefent crl check disable # ssl server-policy svpndefssp pki-domain svpndefdom client-verify weakenable use ssl-card 1/0 # web-server-policy svpndefwsp ssl-server-policy svpndefssp # radius scheme system server-type extended # domain system # local-user kadmin password simple ********- service-type telnet level 3 local-user admin password simple ********* service-type telnet level 3 service-type ftp ftp-directory flash:/ # ike peer ningbo exchange-mode aggressive pre-shared-key 123456 remote-name ningbo remote-address 1.1.2.2 # ike peer shenyang exchange-mode aggressive pre-shared-key 123456 remote-name shenyang remote-address 1.1.1.2 # ipsec proposal 1 # ipsec policy beijing 1 isakmp security acl 3001 ike-peer shenyang proposal 1 # ipsec policy beijing1 1 isakmp security acl 3001 ike-peer ningbo proposal 1 # ftp-detector alizmi # acl number 2000 rule 0 deny source 59.36.103.237 0 rule 1 permit acl number 2001 rule 0 permit source 192.168.0.0 0.0.0.255 rule 1 permit source 192.168.1.0 0.0.0.255 rule 2 permit source 192.168.2.0 0.0.0.255 rule 3 permit source 192.168.3.0 0.0.0.255 rule 4 permit source 192.168.4.0 0.0.0.255 rule 5 permit source 192.168.5.0 0.0.0.255 rule 6 permit source 192.168.6.0 0.0.0.255 rule 7 permit source 192.168.7.0 0.0.0.255 rule 8 permit source 192.168.8.0 0.0.0.255 rule 9 permit source 192.168.9.0 0.0.0.255 rule 10 permit source 192.168.10.0 0.0.0.255 rule 11 deny acl number 2999 rule 0 permit source 10.10.10.0 0.0.0.255 # acl number 3001 rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255 rule 1 deny ip acl number 3002 acl number 3003 rule 0 permit ip source 192.168.2.4 0 acl number 3004 rule 0 permit ip destination 192.168.2.4 0 acl number 3007 rule 0 permit ip source 192.168.2.24 0 acl number 3008 rule 0 permit ip destination 192.168.2.24 0 acl number 3009 rule 0 permit ip source 192.168.0.0 0.0.0.255 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 221.6.203.24 0 rule 2 permit ip source 192.168.2.0 0.0.0.255 rule 3 permit ip source 192.168.3.0 0.0.0.255 destination 221.6.203.24 0 rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 221.6.203.24 0 rule 5 permit ip source 192.168.5.0 0.0.0.255 rule 6 permit ip source 192.168.6.0 0.0.0.255 rule 7 permit ip source 192.168.7.0 0.0.0.255 rule 8 permit ip source 192.168.8.0 0.0.0.255 rule 9 permit ip source 192.168.9.0 0.0.0.255 rule 10 permit ip source 192.168.10.0 0.0.0.255 rule 11 permit ip source 192.168.1.0 0.0.0.255 destination 114.114.114.114 0 rule 12 permit ip source 192.168.3.0 0.0.0.255 destination 114.114.114.114 0 rule 13 permit ip source 192.168.4.0 0.0.0.255 destination 114.114.114.114 0 # interface Aux0 async mode flow # interface Ethernet0/0 flow-control description WCN_INTERFACE_WAN ip address 220.249.248.34 255.255.255.224 arp send-gratuitous-arp 60 nat outbound 3009 nat outbound 2001 nat server protocol tcp global 220.249.248.35 any inside 192.168.2.21 any nat server protocol tcp global 220.249.248.136 any inside 192.168.2.22 any nat server protocol tcp global 220.249.248.137 any inside 192.168.2.36 any nat server protocol tcp global 220.249.48.38 any inside 192.168.2.38 any nat server protocol tcp global 220.249.148.139 any inside 192.168.2.42 any nat server protocol tcp global 220.249.148.142 any inside 192.168.2.24 any nat server protocol tcp global 220.249.1481.43 any inside 192.168.2.9 any nat server protocol tcp global 220.249.148.145 any inside 192.168.2.8 any nat server protocol tcp global 220.249.148.146 any inside 192.168.2.5 any nat server protocol tcp global 220.249.148.147 any inside 192.168.2.3 any nat server protocol tcp global 220.249.148.148 any inside 192.168.2.7 any nat server protocol tcp global 220.249.48.50 any inside 192.168.2.12 any nat server protocol tcp global 220.249.148.151 any inside 192.168.2.39 any nat server protocol tcp global 220.249.248.44 any inside 192.168.2.34 any nat server protocol tcp global 220.249.148.249 any inside 192.168.2.28 any nat server protocol tcp global 220.249.248.140 any inside 192.168.2.40 any nat server protocol tcp global 220.249.148.141 any inside 192.168.2.18 any # interface Ethernet0/1 description WCN_INTERFACE_LAN ip address 192.168.2.1 255.255.255.0 arp send-gratuitous-arp 1 nat outbound 2999 qos car inbound carl 1 cir 6000000 cbs 6000000 ebs 6000000 green pass red discard qos car inbound acl 3003 cir 6000000 cbs 6000000 ebs 6000000 green pass red discard qos car inbound acl 3007 cir 6000000 cbs 6000000 ebs 6000000 green pass red discard qos car outbound carl 2 cir 4000000 cbs 4000000 ebs 4000000 green pass red discard qos car outbound acl 3004 cir 3000000 cbs 3000000 ebs 3000000 green pass red discard qos car outbound acl 3008 cir 6000000 cbs 6000000 ebs 6000000 green pass red discard # interface Ethernet0/2 description WCN_INTERFACE_LAN qos car inbound carl 1 cir 6000000 cbs 6000000 ebs 6000000 green pass red discard qos car inbound acl 3003 cir 6000000 cbs 6000000 ebs 6000000 green pass red discard qos car inbound acl 3007 cir 6000000 cbs 6000000 ebs 6000000 green pass red discard qos car outbound carl 2 cir 4000000 cbs 4000000 ebs 4000000 green pass red discard qos car outbound acl 3004 cir 3000000 cbs 3000000 ebs 3000000 green pass red discard qos car outbound acl 3008 cir 6000000 cbs 6000000 ebs 6000000 green pass red discard # interface Ssl-Card1/0 # interface Tunnel1 description beijing-to-shenyang ip address 1.1.1.1 255.255.255.224 source 220.249.148.234 destination 61.189.56.50 ipsec policy beijing # interface Tunnel2 description beijing-to-ningbo shutdown ip address 1.1.2.1 255.255.255.224 source 220.249.148.234 destination 61.164.92.186 ipsec policy beijing1 # interface NULL0 # interface LoopBack1 ip address 192.168.10.1 255.255.255.0 # firewall zone local set priority 100 # firewall zone trust add interface Ethernet0/1 add interface Tunnel1 add interface Tunnel2 set priority 85 # firewall zone untrust add interface Ethernet0/0 set priority 5 # firewall zone DMZ add interface Ethernet0/2 set priority 50 # firewall interzone local trust # firewall interzone local untrust # firewall interzone local DMZ # firewall interzone trust untrust # firewall interzone trust DMZ # firewall interzone DMZ untrust # undo info-center enable # FTP server enable FTP update normal ftp-server source-ip 192.168.2.1 # ftp source-ip 192.168.2.1 # telnet source-interface Ethernet0/0 # naturemask-arp enable # ip route-static 0.0.0.0 0.0.0.0 220.249.148.233 preference 60 ip route-static 192.168.1.0 255.255.255.0 192.168.2.2 preference 60 ip route-static 192.168.3.0 255.255.255.0 192.168.2.2 preference 60 ip route-static 192.168.4.0 255.255.255.0 192.168.2.2 preference 60 ip route-static 192.168.5.0 255.255.255.0 192.168.2.2 preference 60 ip route-static 192.168.11.0 255.255.255.0 1.1.1.2 preference 60 ip route-static 192.168.12.0 255.255.255.0 1.1.1.2 preference 60 ip route-static 192.168.13.0 255.255.255.0 1.1.1.2 preference 60 ip route-static 192.168.14.0 255.255.255.0 1.1.1.2 preference 60 ip route-static 192.168.15.0 255.255.255.0 1.1.1.2 preference 60 ip route-static 192.168.16.0 255.255.255.0 1.1.1.2 preference 60 ip route-static 192.168.17.0 255.255.255.0 1.1.1.2 preference 60 ip route-static 192.168.18.0 255.255.255.0 1.1.1.2 preference 60 ip route-static 192.168.19.0 255.255.255.0 1.1.1.2 preference 60 ip route-static 192.168.20.0 255.255.255.0 1.1.1.2 preference 60 ip route-static 192.168.21.0 255.255.255.0 1.1.2.2 preference 60 ip route-static 192.168.22.0 255.255.255.0 1.1.2.2 preference 60 ip route-static 192.168.23.0 255.255.255.0 1.1.2.2 preference 60 ip route-static 192.168.24.0 255.255.255.0 1.1.2.2 preference 60 ip route-static 192.168.25.0 255.255.255.0 1.1.2.2 preference 60 ip route-static 192.168.26.0 255.255.255.0 1.1.2.2 preference 60 ip route-static 192.168.27.0 255.255.255.0 1.1.2.2 preference 60 ip route-static 192.168.28.0 255.255.255.0 1.1.2.2 preference 60 ip route-static 192.168.29.0 255.255.255.0 1.1.2.2 preference 60 ip route-static 192.168.30.0 255.255.255.0 1.1.2.2 preference 60 ip route-static 192.168.41.0 255.255.255.0 1.1.3.3 preference 60 ip route-static 192.168.50.0 255.255.255.0 1.1.3.3 preference 60 # firewall defend ip-spoofing firewall defend land firewall defend smurf firewall defend fraggle firewall defend winnuke firewall defend icmp-redirect firewall defend icmp-unreachable firewall defend source-route firewall defend route-record firewall defend tracert firewall defend ping-of-death firewall defend tcp-flag firewall defend ip-fragment firewall defend large-icmp 1000 firewall defend teardrop firewall defend ip-sweep max-rate 20 blacklist-timeout 1000 firewall defend port-scan max-rate 50 blacklist-timeout 12 firewall defend arp-spoofing firewall defend arp-flood firewall defend frag-flood firewall defend syn-flood enable firewall defend udp-flood enable firewall defend icmp-flood enable # user-interface con 0 user-interface aux 0 user-interface vty 0 4 authentication-mode scheme user privilege level 3 # return