Looking for a case study of our company's log audit system being connected to a firewall for NAT logs!!! NAT logs, not system logs!!
Best answer
Add the device to the log audit system as usual.
Firewall:
As shown in the figure below, the Flow log function is configured on the device (Device) so that the Internet activity of the user (User) can be monitored on the log host (Log Host).
Figure 1 Flow log configuration network diagram
Configure interface IP addresses
# Configure the IP address of each interface according to the plan in the network diagram. The configuration steps are as follows.
<Device> system-view
[Device] interface loopback 0
[Device-LoopBack0] ip address 2.2.2.2 255.255.255.0
[Device-LoopBack0] quit
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 169.1.1.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
Refer to the steps above to configure the IP addresses of the other interfaces; those steps are omitted here.
Configure static routes
This example configures routing information using static routes only. In an actual network, choose the routing configuration method that fits your situation.
# Configure static routes according to the plan in the network diagram. This example assumes the next-hop IP addresses toward the log host and toward the Internet are 1.1.1.2 and 3.3.3.1 respectively; in actual use, adjust them to your specific network. The configuration steps are as follows.
[Device] ip route-static 1.2.3.0 24 1.1.1.2
[Device] ip route-static 0.0.0.0 0 3.3.3.1
Configure interfaces to join security zones.
# Add the interfaces to their corresponding security zones according to the plan in the network diagram. The configuration steps are as follows.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name dmz
[Device-security-zone-DMZ] import interface gigabitethernet 1/0/2
[Device-security-zone-DMZ] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/3
[Device-security-zone-Untrust] quit
Configure security policies
# Configure a security policy rule named loglocalout so that the Device can send log packets to the log host. The configuration steps are as follows.
[Device] security-policy ip
[Device-security-policy-ip] rule name loglocalout
[Device-security-policy-ip-1-loglocalout] source-zone local
[Device-security-policy-ip-1-loglocalout] destination-zone dmz
[Device-security-policy-ip-1-loglocalout] source-ip-host 2.2.2.2
[Device-security-policy-ip-1-loglocalout] destination-ip-host 1.2.3.6
[Device-security-policy-ip-1-loglocalout] action pass
[Device-security-policy-ip-1-loglocalout] quit
# Configure a security policy rule named trust-untrust so that the user User can access the Internet normally. The configuration steps are as follows.
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-2-trust-untrust] source-zone trust
[Device-security-policy-ip-2-trust-untrust] destination-zone untrust
[Device-security-policy-ip-2-trust-untrust] source-ip-subnet 169.1.1.0 24
[Device-security-policy-ip-2-trust-untrust] action pass
[Device-security-policy-ip-2-trust-untrust] quit
[Device-security-policy-ip] quit
Configure Flow logs
# Enable logging of NAT session creation, session deletion and active flows. The configuration steps are as follows.
[Device] nat log enable
[Device] nat log flow-begin
[Device] nat log flow-end
[Device] nat log flow-active 10
[Device] userlog flow export version 3
# Configure the Device to send Flow log information to the Flow log host, and configure 2.2.2.2 as the source IP address of the UDP packets carrying the Flow logs. The configuration steps are as follows.
[Device] userlog flow export host 1.2.3.6 port 2000
[Device] userlog flow export source-ip 2.2.2.2
# Display the Flow log configuration and statistics.
[Device] display userlog export
Flow:
Export flow log as UDP Packet.
Version: 3.0
Source ipv4 address: 2.2.2.2
Log load balance function: Disabled
Local time stamp: Disabled
Number of log hosts: 1
Log host 1:
Host/Port: 1.2.3.6/2000
Total logs/UDP packets exported: 112/87
#
nat log enable
nat log flow-active 10
nat log flow-begin
nat log flow-end
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 169.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 3.3.3.3 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/1
#
security-zone name DMZ
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/3
#
ip route-static 0.0.0.0 0 3.3.3.1
ip route-static 1.2.3.0 24 1.1.1.2
#
userlog flow export version 3
userlog flow export source-ip 2.2.2.2
userlog flow export host 1.2.3.6 port 2000
#
security-policy ip
rule 1 name loglocalout
action pass
source-zone local
destination-zone dmz
source-ip-host 2.2.2.2
destination-ip-host 1.2.3.6
rule 2 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 169.1.1.0 255.255.255.0
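The answer above wires together several independent pieces: the NAT log switches, the userlog export host and source IP, an interface that actually owns that source IP, and a security-policy rule from zone local that lets the log packets out. If any one of them is missing, the log audit system simply sees nothing. The following Python script is an added example (not part of the original answer and not an H3C tool) that reads a configuration in the config-file form shown above and checks every link of that chain. The sample configuration inside it is constructed from the answer's own configuration file; the function names and finding messages are this example's own choices.

```python
import ipaddress
import re

# Constructed sample: the relevant parts of the configuration file shown in the answer.
SAMPLE_CONFIG = """\
#
nat log enable
nat log flow-begin
nat log flow-end
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.0
#
userlog flow export source-ip 2.2.2.2
userlog flow export host 1.2.3.6 port 2000
#
security-policy ip
rule 1 name loglocalout
action pass
source-zone local
destination-zone dmz
source-ip-host 2.2.2.2
destination-ip-host 1.2.3.6
rule 2 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 169.1.1.0 255.255.255.0
"""


def parse_config(text):
    """Split the config into global lines, interface addresses and policy rules."""
    cfg = {"global": set(), "interfaces": {}, "rules": []}
    section = rule = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":  # '#' separates sections in the config file
            section = rule = None
            continue
        if line.startswith("interface "):
            section = ("interface", line.split()[1])
        elif line == "security-policy ip":
            section = ("policy",)
        elif section and section[0] == "interface":
            if line.startswith("ip address "):
                cfg["interfaces"][section[1]] = line.split()[2]
        elif section and section[0] == "policy":
            m = re.match(r"rule \d+ name (\S+)$", line)
            if m:
                rule = {"name": m.group(1), "attrs": []}
                cfg["rules"].append(rule)
            elif rule is not None:
                rule["attrs"].append(line)
        else:
            cfg["global"].add(line)
    return cfg


def _admits(attrs, prefix, ip):
    """True if the rule's <prefix>-ip-host/-subnet lines admit ip (no such line means any)."""
    constraints = [a.split() for a in attrs if a.startswith(prefix + "-ip-")]
    if not constraints:
        return True
    addr = ipaddress.ip_address(ip)
    for parts in constraints:
        if parts[0] == prefix + "-ip-host" and ipaddress.ip_address(parts[1]) == addr:
            return True
        if parts[0] == prefix + "-ip-subnet":
            if addr in ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False):
                return True
    return False


def rule_permits_log_traffic(rules, src, host):
    """Is there a pass rule from zone local that covers src -> host?"""
    for r in rules:
        a = r["attrs"]
        if "source-zone local" in a and "action pass" in a \
                and (src is None or _admits(a, "source", src)) and _admits(a, "destination", host):
            return True
    return False


def audit_flow_log_export(text):
    """Return a list of findings; an empty list means every link of the chain is present."""
    cfg = parse_config(text)
    g = cfg["global"]
    findings = [f"missing '{n}'" for n in ("nat log enable", "nat log flow-begin", "nat log flow-end") if n not in g]
    host = src = None
    for line in g:
        m = re.match(r"userlog flow export host (\S+) port \d+$", line)
        if m:
            host = m.group(1)
        m = re.match(r"userlog flow export source-ip (\S+)$", line)
        if m:
            src = m.group(1)
    if host is None:
        findings.append("no 'userlog flow export host' configured")
    if src is None:
        findings.append("no 'userlog flow export source-ip' configured")
    elif src not in cfg["interfaces"].values():
        findings.append(f"export source-ip {src} is not configured on any interface")
    if host is not None and not rule_permits_log_traffic(cfg["rules"], src, host):
        findings.append(f"no pass rule from zone local covers traffic to log host {host}")
    return findings
```

Run `audit_flow_log_export(SAMPLE_CONFIG)` against the answer's configuration and it returns an empty list; change the loglocalout rule's source zone, point the export source IP at an address no interface owns, or drop `nat log flow-begin`, and the corresponding finding appears. The policy check is deliberately strict about the source: it only accepts a rule whose source-ip constraints (if any) admit the configured export source IP, because the log packets are sent from that address, not from whichever interface faces the log host.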