在H3C防火牆上,要針對某個網段進行URL訪問白名單,具體應該怎麼操作了?在ds上問了很多次,都沒法操作成功
防火牆的型號是SecPath F1000-AI-35,軟件版本是version 7.1.064, Release 8860P12。
1. 創建 URL 分類和策略
url-filter category whitelist
rule 1 host text "***.***"
rule 2 host text "***.***"
rule 3 host text "h3c.com"
url-filter policy whitelist_policy
category whitelist action permit
default-action block
log enable
2. 創建 URL 過濾配置文件
url-filter profile whitelist_profile
policy whitelist_policy
3. 在接口上應用 URL 過濾
interface GigabitEthernet1/0/14 # 內網接口
url-filter apply profile whitelist_profile
4. 創建安全策略控製訪問
security-policy ip
# 放行白名單網段的互聯網訪問
rule 10 name allow_whitelist_out
action pass
source-ip-group whitelist_group # 10.41.24.0/23
destination-zone untrust
logging enable
counting enable
# 阻止白名單網段的其他互聯網訪問
rule 11 name block_whitelist_out
action deny
source-ip-group whitelist_group
destination-zone untrust
logging enable
counting enable
<xtlzx_OUT_f1000>dis cu
#
version 7.1.064, Release 8860P12
#
sysname xtlzx_OUT_f1000
#
clock protocol none
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
dns server 8.8.8.8
dns server 114.114.114.114
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
object-group ip address school_wuxian
security-zone Trust
0 network subnet 10.32.0.0 255.255.0.0
#
object-group ip address teacher_wuxian
security-zone Trust
0 network subnet 10.31.0.0 255.255.0.0
#
object-group ip address youxian
security-zone Trust
0 network subnet 10.41.0.0 255.255.0.0
10 network subnet 172.16.100.0 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
#
interface GigabitEthernet1/0/1
port link-mode route
#
interface GigabitEthernet1/0/2
port link-mode route
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
description downto routeMSR5660
ip address 10.10.1.1 255.255.255.252
nat hairpin enable
manage https inbound
manage https outbound
#
interface GigabitEthernet1/0/15
port link-mode route
description upto lt_dianguanzhan2/2
ip address 124.165.196.45 255.255.255.0
packet-filter 3010 inbound
nat outbound 2000
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
interface GigabitEthernet1/0/24
port link-mode route
#
interface GigabitEthernet1/0/25
port link-mode route
#
interface M-GigabitEthernet1/0/0
ip address 192.168.0.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/26
port link-mode route
#
interface Ten-GigabitEthernet1/0/27
port link-mode route
#
interface SSLVPN-AC0
ip address 10.61.0.254 255.255.255.0
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/14
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/15
import interface SSLVPN-AC0
#
security-zone name Management
import interface M-GigabitEthernet1/0/0
#
scheduler logfile size 16
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 124.165.196.1
ip route-static 10.10.1.4 30 10.10.1.2
ip route-static 10.20.0.0 16 10.10.1.2
ip route-static 10.31.0.0 16 10.10.1.2
ip route-static 10.32.0.0 16 10.10.1.2
ip route-static 10.33.0.0 16 10.10.1.2
ip route-static 10.41.0.0 16 10.10.1.2
ip route-static 10.51.0.0 16 10.10.1.2
ip route-static 172.16.100.0 24 10.10.1.2
#
info-center source CFGLOG loghost level informational
#
ssh server enable
#
acl basic 2000
rule 0 deny source 10.51.0.0 0.0.255.255
rule 5 permit
#
acl advanced 3000
rule 0 permit ip
#
acl advanced 3010
rule 0 deny tcp source-port eq 135 destination-port eq 135
rule 5 deny tcp source-port eq 137 destination-port eq 137
rule 10 deny tcp source-port eq 138 destination-port eq 138
rule 15 deny tcp source-port eq 139 destination-port eq 139
rule 20 deny tcp source-port eq 445 destination-port eq 445
rule 1000 permit ip
#
undo password-control composition enable
password-control length 8
password-control composition type-number 3 type-length 1
undo password-control complexity user-name check
#
domain system
#
domain xtl
authentication sslvpn local
authorization sslvpn local
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
user-group usergroup1
authorization-attribute sslvpn-policy-group pgroup
#
local-user admin class manage
password hash $h$6$x1sfhGJcTTGDfsQY$YSknQ9Zu9tWQPW/Bj6W4pDK8LRhA5sRRgfGrrdrV12S/TRQBQjROybYZ2XKS42yno3Fdb++H0pCSLJxi7yx+rA==
service-type ssh telnet terminal http https
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user baby class network
password cipher $c$3$JYlMpg6ncb5ebdj0HN46GtEhwetFKfY=
service-type sslvpn
group usergroup1
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
pki domain sslvpn
public-key rsa general name sslvpn
undo crl check enable
#
ftp server enable
#
session statistics enable
#
ike logging negotiation enable
#
ip https port 64400
ip http enable
ip https enable
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
sslvpn ip address-pool ippool 10.61.0.1 10.61.0.100
#
sslvpn gateway gw
ip address 124.165.233.210 port 65500
service enable
#
sslvpn context ctx1
gateway gw
ip-tunnel interface SSLVPN-AC0
ip-tunnel address-pool ippool mask 255.255.255.0
ip-route-list iplist
include 10.20.0.15 255.255.255.255
include 10.20.3.254 255.255.255.255
policy-group pgroup
filter ip-tunnel acl 3000
ip-tunnel access-route ip-route-list iplist
default-policy-group pgroup
service enable
#
uapp-control
policy name 應用審計 audit
rule 1 any behavior any bhcontent any keyword include any action permit audit-logging
#
security-policy ip
rule 1 name trust-Local
action pass
counting enable
source-zone trust
destination-zone Local
service pingv6
service ping
service telnet
service ssh
service https
rule 4 name block-10.51-out
logging enable
counting enable
source-zone trust
destination-zone untrust
source-ip-subnet 10.51.0.0 255.255.0.0
rule 10 name 1111
action pass
logging enable
counting enable
source-zone Trust
destination-zone Trust
rule 9 name Local-untrust-2
action pass
counting enable
source-zone Local
destination-zone untrust
rule 8 name Local-trust-2
action pass
counting enable
source-zone Local
destination-zone trust
rule 7 name trust-untrust-2
action pass
counting enable
source-zone trust
destination-zone untrust
rule 2 name block-untrust-to-10.51
logging enable
counting enable
source-zone untrust
destination-zone trust
destination-ip-subnet 10.51.0.0 255.255.0.0
rule 3 name untrust-trust
logging enable
counting enable
source-zone untrust
destination-zone trust
#
dac log-collect service dpi traffic enable
dac traffic-statistic application enable
#
cloud-management server domain opstunnel-seccloud.h3c.com
#
return
<xtlzx_OUT_f1000>
不需要在url裏做,安全策略裏限製主機名就可以
本舉例是在F5000-AI-55-G的E9900版本上進行配置和驗證的。
如下圖所示,某公司內的各部門之間通過Device實現互連,公司內網中部署了域名為***.***的Web服務器用於公司財務管理,該域名已在內網DNS服務器中注冊。通過配置安全策略,實現如下需求:
允許財務部通過HTTP協議訪問財務管理Web服務器。
禁止市場部在任何時間通過HTTP協議訪問財務管理Web服務器。
圖-1 基於域名的安全策略配置組網圖
配置接口IP地址
# 根據組網圖中規劃的信息,配置各接口的IP地址,具體配置步驟如下。
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 10.0.13.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
請參考以上步驟配置其他接口的IP地址,具體配置步驟略。
配置接口加入安全域
# 請根據組網圖中規劃的信息,創建安全域,並將接口加入對應的安全域,具體配置步驟如下。
[Device] security-zone name web
[Device-security-zone-web] import interface gigabitethernet 1/0/1
[Device-security-zone-web] quit
[Device] security-zone name market
[Device-security-zone-market] import interface gigabitethernet 1/0/2
[Device-security-zone-market] quit
[Device] security-zone name finance
[Device-security-zone-finance] import interface gigabitethernet 1/0/3
[Device-security-zone-finance] quit
[Device] security-zone name dns
[Device-security-zone-dns] import interface gigabitethernet 1/0/4
[Device-security-zone-dns] quit
配置對象
# 創建名為web的IP地址對象組,並定義其主機名稱為***.***,具體配置步驟如下。
[Device] object-group ip address web
[Device-obj-grp-ip-web] network host name ***.***
[Device-obj-grp-ip-web] quit
配置DNS服務器地址
# 指定DNS服務器的IP地址為10.10.10.10,確保Device可以獲取到主機名對應的IP地址,具體配置步驟如下。
[Device] dns server 10.10.10.10
配置安全策略
# 配置名稱為dnslocalout的安全策略規則,允許Device訪問DNS服務器,具體配置步驟如下。
[Device] security-policy ip
[Device-security-policy-ip] rule name dnslocalout
[Device-security-policy-ip-0-dnslocalout] source-zone local
[Device-security-policy-ip-0-dnslocalout] destination-zone dns
[Device-security-policy-ip-0-dnslocalout] destination-ip-host 10.10.10.10
[Device-security-policy-ip-0-dnslocalout] action pass
[Device-security-policy-ip-0-dnslocalout] quit
# 配置名稱為host-dns的安全策略規則,允許內網主機訪問DNS服務器,具體配置步驟如下。
[Device-security-policy-ip] rule name host-dns
[Device-security-policy-ip-1-host-dns] source-zone finance
[Device-security-policy-ip-1-host-dns] source-zone market
[Device-security-policy-ip-1-host-dns] destination-zone dns
[Device-security-policy-ip-1-host-dns] source-ip-subnet 10.0.11.0 24
[Device-security-policy-ip-1-host-dns] source-ip-subnet 10.0.12.0 24
[Device-security-policy-ip-1-host-dns] destination-ip-host 10.10.10.10
[Device-security-policy-ip-1-host-dns] service dns-udp
[Device-security-policy-ip-1-host-dns] action pass
[Device-security-policy-ip-1-host-dns] quit
# 配置名稱為finance-web的安全策略規則,允許財務部通過HTTP協議訪問財務管理Web服務器,具體配置步驟如下。
[Device-security-policy-ip] rule name finance-web
[Device-security-policy-ip-2-finance-web] source-zone finance
[Device-security-policy-ip-2-finance-web] destination-zone web
[Device-security-policy-ip-2-finance-web] source-ip-subnet 10.0.11.0 24
[Device-security-policy-ip-2-finance-web] destination-ip web
[Device-security-policy-ip-2-finance-web] service http
[Device-security-policy-ip-2-finance-web] action pass
[Device-security-policy-ip-2-finance-web] quit
# 配置名稱為market-web的安全策略規則,禁止市場部在任何時間通過HTTP協議訪問財務管理Web服務器,具體配置步驟如下。
[Device-security-policy-ip] rule name market-web
[Device-security-policy-ip-3-market-web] source-zone market
[Device-security-policy-ip-3-market-web] destination-zone web
[Device-security-policy-ip-3-market-web] source-ip-subnet 10.0.12.0 24
[Device-security-policy-ip-3-market-web] destination-ip web
[Device-security-policy-ip-3-market-web] service http
[Device-security-policy-ip-3-market-web] action drop
[Device-security-policy-ip-3-market-web] quit
# 激活安全策略規則的加速功能,具體配置步驟如下。
[Device-security-policy-ip] accelerate enhanced enable
[Device-security-policy-ip] quit
配置完成後,財務部可以訪問財務管理服務器的Web服務,市場部任何時間均不可以訪問財務管理服務器的Web服務。
防火牆通過安全策略實現過濾HTTPS網站配置方法(命令行)
1 目錄
本案例適用於軟件平台為Comware V7係列防火牆:F100-X-G2、F1000-X-G2、F100-WiNet、F1000-AK、F10X0等
注:本案例是在F100-C-G2的Version 7.1.064, Release 9510P08版本上進行配置和驗證的。
防火牆部署在互聯網出口,需要實現通過安全策略限製訪問www.baidu.com的目的。
上網配置略,請參考《輕輕鬆鬆配安全》2.1章節防火牆連接互聯網上網配置方法案例。
4.2 開啟本地DNS代理
#開啟設備本地DNS代理功能,用於解析域名。
<H3C>system-view //進入係統視圖
System View: return to User View with Ctrl+Z.
[H3C]dns proxy enable //開啟設備本地DNS代理功能
[H3C]dns server 114.114.114.114 //配置dns服務器
4.3 修改DHCP服務器DNS為設備接口地址
#如果防火牆作為DNS服務器則需要保證下發給終端地址時,客戶端DNS為防火牆接口地址;
[H3C]dhcp server ip-pool 2 //創建dhcp服務器 地址池名稱2
[H3C-dhcp-pool-2]gateway-list 192.168.2.1 //客戶端網關
[H3C-dhcp-pool-2]network 192.168.2.0 mask 255.255.255.0 //配置客戶端網段192.168.2.0 掩碼 255.255.255.0
[H3C-dhcp-pool-2]dns-list 192.168.2.1 //客戶端dns
[H3C-dhcp-pool-2]quit //退出當前視圖
防火牆開啟DNS代理後,如果終端將DNS請求發向防火牆則防火牆會替代向外網發起DNS解析請求,DNS回應報文返回防火牆後再由防火牆轉發至終端,這樣做的目的是保證終端和防火牆解析的地址相同。
#創建地址對象組,地址對象組名稱為baidu.使用基於主機的形式關聯域名:www.baidu.com.
[H3C]object-group ip address baidu //創建地址對象組,地址對象組名稱為baidu
[H3C-obj-grp-ip-baidu]0 network host name www.baidu.com //使用基於主機的形式關聯域名:www.baidu.com
[H3C-obj-grp-ip-baidu]quit //退出當前視圖
#創建安全策略規則1名稱為“baidu-deny”源安全域為“trust”、目的IP為名稱為“baidu”的地址對象,安全策略默認策略為拒絕;創建安全策略規則2名稱為“passany”源安全域為“trust”、目的安全域為“untrust”,動作配置為“pass”放通所有數據。
[H3C]security-policy ip //創建安全策略
[H3C-security-policy-ip]rule 1 name baidu-deny //創建規則1名稱為“baidu-deny”
[H3C-security-policy-ip-1-denybaidu]source-zone trust //源安全域為“trust”
[H3C-security-policy-ip-1-denybaidu]destination-ip baidu //目的IP為名稱為“baidu”的地址對象
[H3C-security-policy-ip-1-denybaidu]quit //退出當前視圖
[H3C-security-policy-ip]rule 2 name passany //創建安全策略規則2名稱為“passany”
[H3C-security-policy-ip-2-passany]action pass //動作配置為“pass”放通所有數據
[H3C-security-policy-ip-2-passany]source-zone trust //源安全域為“trust”
[H3C-security-policy-ip-2-passany]destination-zone untrust //目的安全域為“untrust”
[H3C-security-policy-ip-2-passany]quit //退出當前視圖
[H3C]save force
使用瀏覽器打開www.baidu.com,不能正常訪問:
使用瀏覽器打開***.***,可以正常訪問:
查看pc針對百度解析的地址為39.156.66.18:
查看設備的安全策略日誌,可以看到針對改目的ip已成功拒絕(第三條):
能根據我的配置提供步驟不?
親~登錄後才可以操作哦!
確定你的郵箱還未認證,請認證郵箱或綁定手機後進行當前操作
舉報
×
侵犯我的權益
×
侵犯了我企業的權益
×
抄襲了我的內容
×
原文鏈接或出處
誹謗我
×
對根叔社區有害的內容
×
不規範轉載
×
舉報說明