Topology: Router -- F1080 -- Server
On site, the permit-all policy was deleted and only the policy for the business IPs was kept; after that, OSPF could not be established.
Configuration:
[FW-security-policy-ip]dis this
security-policy ip
rule 5 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 10 name any-local
action pass
destination-zone local
service telnet
service ssh
service https
service http
rule 15 name local-any
action pass
source-zone local
rule 20 name trust-trust
action pass
source-zone trust
destination-zone trust
rule 100 name 业务访问
action pass
counting enable
source-zone Untrust
destination-zone Trust
source-ip test
source-ip 外部单位
destination-ip EAS应用
destination-ip EAS数据
service 6888
service 11034
rule 1 name any
action pass
#
#
object-group ip address test
30 network host address 172.xx.xx.253
#
object-group ip address EAS应用
0 network host address 172.xx.xx.210
#
object-group service 6888
0 service tcp destination eq 6888
#
With the configuration above, on-site access worked and OSPF came up normally:
*Aug 21 16:21:09:309 2019 ZL_BGW_FIREWALL FILTER/7/PACKET: -COntext=1; The packet is permitted. Src-ZOne=Untrust, Dst-ZOne=Trust;If-In=GigabitEthernet1/0/15(16), If-Out=GigabitEthernet1/0/14(15), VLAN-In=255, VLAN-Out=255; Packet Info:Src-IP=172.16.255.253, Dst-IP=172.19.51.210, VPN-Instance=, Src-MacAddr=5cc9-99ba-88f1,Src-Port=62702, Dst-Port=6888, Protocol=TCP(6), Application=general_tcp(2086), SecurityPolicy=业务访问, Rule-ID=100.
Since a permit-all "any" policy was not wanted, rule 1 was disabled:
[FW-security-policy-ip-1-any]disable
After that, the business access produced no sessions at all.
The source and destination addresses were then removed (undo) from rule 100:
[FW-security-policy-ip-100-业务访问]dis this
#
rule 100 name 业务访问
action pass
counting enable
source-zone Untrust
destination-zone Trust
#
Business traffic recovered:
*Aug 21 16:27:43:590 2019 ZL_BGW_FIREWALL FILTER/7/PACKET: -COntext=1; The packet is permitted. Src-ZOne=Untrust, Dst-ZOne=Trust;If-In=GigabitEthernet1/0/15(16), If-Out=GigabitEthernet1/0/14(15), VLAN-In=255, VLAN-Out=255; Packet Info:Src-IP=172.16.255.253, Dst-IP=172.19.51.210, VPN-Instance=, Src-MacAddr=5cc9-99ba-88f1,Src-Port=62706, Dst-Port=6888, Protocol=TCP(6), Application=general_tcp(2086), SecurityPolicy=业务访问, Rule-ID=100.
The site runs OSPF, so the security policy must permit the OSPF multicast addresses and the peer's router ID address.
The initial on-site configuration had an explicit policy permitting the business IPs together with a permit-all policy. Debugging showed that the business traffic matched the explicit policy. Once the permit-all policy was removed, however, the OSPF packets exchanged between the two ends matched neither the source nor the destination addresses of the explicit business-IP policy, so OSPF could not be established and business traffic failed. After the source and destination addresses were removed from rule 100, the OSPF packets matched it and business traffic was restored.
When the firewall runs OSPF, it needs a policy that allows OSPF to be established; configuring only a security policy for the business IPs is not enough.
In this case the firewall had not permitted the OSPF multicast addresses or the peer's router ID; once they were permitted, the problem was resolved.
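The following is an added illustration, not part of the original post: a first-match model of the policy above, written in Python, that reproduces the three states the post walks through and then adds a dedicated OSPF rule as the fix instead of stripping the business rule. The peer router address 172.16.255.254, the zone assignment of the OSPF hello, the omission of the two object groups the post does not show, and the simplified matching semantics are all assumptions.

```python
import ipaddress

def rule(rid, name, src_zone=None, dst_zone=None, src_ips=(), dst_ips=(),
         services=(), enabled=True):
    """One security-policy rule; an empty field means 'any', as on the firewall."""
    return {"id": rid, "name": name, "src_zone": src_zone, "dst_zone": dst_zone,
            "src_ips": [ipaddress.ip_network(i) for i in src_ips],
            "dst_ips": [ipaddress.ip_network(i) for i in dst_ips],
            "services": set(services), "enabled": enabled}

def _ip_ok(nets, ip):
    return not nets or any(ipaddress.ip_address(ip) in n for n in nets)

def matches(r, pkt):
    return (r["enabled"] and r["src_zone"] in (None, pkt["src_zone"])
            and r["dst_zone"] in (None, pkt["dst_zone"])
            and _ip_ok(r["src_ips"], pkt["src_ip"]) and _ip_ok(r["dst_ips"], pkt["dst_ip"])
            and (not r["services"] or pkt["service"] in r["services"]))

def lookup(rules, pkt):
    """Id of the first matching rule in display order, or None when the packet is dropped."""
    return next((r["id"] for r in rules if matches(r, pkt)), None)

# Rules as displayed in the post (IPs taken from its debugging log; object groups not shown are omitted).
BASE = [rule(5, "trust-untrust", "Trust", "Untrust"),
        rule(10, "any-local", None, "Local", services=("tcp/23", "tcp/22", "tcp/443", "tcp/80")),
        rule(15, "local-any", "Local"),
        rule(20, "trust-trust", "Trust", "Trust")]
BUSINESS = rule(100, "业务访问", "Untrust", "Trust", ("172.16.255.253/32",),
                ("172.19.51.210/32",), ("tcp/6888", "tcp/11034"))
BUSINESS_NO_IPS = rule(100, "业务访问", "Untrust", "Trust")  # after undoing source-ip/destination-ip
ANY_ON, ANY_OFF = rule(1, "any"), rule(1, "any", enabled=False)
# Constructed fix: OSPF (IP protocol 89) from the peer's router-id address (assumed to be
# 172.16.255.254) to the AllSPFRouters/AllDRouters groups, with destination zone left as any.
OSPF_RULE = rule(30, "ospf", "Untrust", None, ("172.16.255.254/32",),
                 ("224.0.0.5/32", "224.0.0.6/32"), ("proto/89",))

# Constructed packets: the business flow from the log, and an OSPF hello from the peer.
BIZ = {"src_zone": "Untrust", "dst_zone": "Trust", "src_ip": "172.16.255.253",
       "dst_ip": "172.19.51.210", "service": "tcp/6888"}
HELLO = {"src_zone": "Untrust", "dst_zone": "Trust", "src_ip": "172.16.255.254",
         "dst_ip": "224.0.0.5", "service": "proto/89"}

def hits(rules):
    """(rule id hit by the business flow, rule id hit by the OSPF hello)."""
    return lookup(rules, BIZ), lookup(rules, HELLO)

def scenarios():
    """The post's three states plus the fix with a dedicated OSPF rule."""
    return {"with any":     hits(BASE + [BUSINESS, ANY_ON]),              # (100, 1)
            "any disabled": hits(BASE + [BUSINESS, ANY_OFF]),             # (100, None)
            "ips undone":   hits(BASE + [BUSINESS_NO_IPS, ANY_OFF]),      # (100, 100)
            "ospf rule":    hits(BASE + [OSPF_RULE, BUSINESS, ANY_OFF])}  # (100, 30)
```

The "ips undone" row shows why the workaround is unsafe: once rule 100 loses its addresses, every Untrust-to-Trust packet hits it, not only OSPF.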