记录第一次配置华为防火墙（FW）时导出的完整运行配置，供后续审阅和复用。
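#
# Huawei USG firewall running configuration (VRP). Lines starting with "#" are
# section separators / comments and are ignored when the file is pasted into
# the CLI. Review hardening applied (no new traffic flows are opened):
#   - TLS 1.1 removed from the web-manager and user-manage HTTPS servers
#   - SHA-1 removed from the SSH server/client MAC lists
#   - cleartext HTTP management removed from the MGMT port (GE0/0/0)
#   - untrust->trust HTTPS rule scoped to the two NAT-server inside addresses
# Everything else is byte-identical to the exported configuration.
#
sysname FW-QTZYQ-XHX-6307E
#
l2tp domain suffix-separator @
#
# Syslog is exported in cleartext from the Vlanif5 address (an untrust-zone
# interface, see "firewall zone untrust" below). Only the syslog/policy log
# types are enabled further down.
info-center loghost source Vlanif5
info-center loghost 10.99.216.199
#
vlan batch 2 5
#
authentication-profile name portal_authen_default
#
# NOTE(review): restoring factory configuration is NOT prohibited, so anyone
# with physical access to the device can wipe the running config - confirm
# this is intended for this site.
undo factory-configuration prohibit
#
# Telnet (cleartext) is disabled for IPv4 and IPv6; SSH (stelnet) is the only
# remote CLI path.
undo telnet server enable
undo telnet ipv6 server enable
#
clock timezone Beijing add 08:00:00
#
firewall packet-filter basic-protocol enable
#
update schedule location-sdb weekly Sun 04:58
#
# Attack-defense action: matched packets are discarded, not merely logged.
firewall defend action discard
#
# Only syslog and policy logs are kept. Traffic and threat logs are disabled,
# so per-session forensics after an incident will have to come from elsewhere;
# re-enable "log type traffic" if the syslog collector can absorb the volume.
undo log type traffic enable
log type syslog enable
log type policy enable
undo log type threat enable
undo log type url enable
undo log type um enable
undo log type mail-filter enable
undo log type content enable
#
undo dataflow enable
#
undo sa force-detection enable
#
banner enable
#
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
# TLS 1.1 dropped (deprecated by RFC 8996); TLS 1.2 was already allowed.
user-manage security version tlsv1.2
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
firewall ids authentication type aes256
#
# Web management: TLS 1.2 only (TLS 1.1 removed), HTTPS enforced, config guide off.
web-manager security version tlsv1.2
web-manager enable
web-manager security enable
undo web-manager config-guide enable
#
# Control-plane protection: unrecognised dataplane->manageplane traffic is dropped.
firewall dataplane to manageplane application-apperceive default-action drop
#
feedback type threat-log enable
#
update schedule ips-sdb daily 23:21
update schedule av-sdb daily 23:21
update schedule sa-sdb daily 23:21
update schedule cnc daily 23:21
update schedule ext-url-sdb daily 23:21
#
ip vpn-instance default
ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
# Default IKE proposal: AES-only encryption, DH group 14, SHA-2 for
# authentication/integrity/PRF, pre-shared-key authentication. No IPsec
# policy references it in this export.
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
web-auth-server default
port 50100
#
portal-access-profile name default
#
aaa
authentication-scheme admin_ad
authentication-scheme admin_ad_local
authentication-scheme admin_hwtacacs
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ldap
authentication-scheme admin_ldap_local
authentication-scheme admin_local
authentication-scheme admin_radius
authentication-scheme admin_radius_local
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike dot1x
internet-access mode password
reference user current-domain
# Administrator accounts. Per Huawei's documentation the "$1a$...$" format is
# the irreversible (hashed) cipher, unlike the reversible "%^%#" format used
# for the SNMP community below. Both admins are level 15; only "admin" may
# use SSH, "audit-admin" is web/console only.
manager-user audit-admin
password cipher $1a$X[vi)6Y@OJ$z[IfMZ4/l=fPE5M1+!M6B;9=Gxm@[GoA83"tq4YK$
service-type web terminal
level 15
manager-user admin
password cipher $1a$1U)3&$}1B'$^{8&BUg+6JE5CgRlR=@X>x`P;"IVl~HEiL!4)9R<$
service-type web terminal ssh
level 15
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
# NTP client only (server mode disabled). The upstream server is used without
# NTP authentication; if the time source can be spoofed, log timestamps and
# certificate validity checks are affected - consider "ntp-service authentication".
ntp-service server disable
ntp-service ipv6 server disable
ntp-service unicast-server 10.88.253.30
#
# Vlanif2: inside (trust) gateway. Only ping is accepted on the interface itself.
interface Vlanif2
ip address 192.168.14.1 255.255.255.0
service-manage ping permit
#
# Vlanif5: outside (untrust) address. HTTPS and SSH management are accepted
# here, i.e. on the untrust-facing interface; together with the "sanji-local"
# security-policy rule this exposes device management to the whole untrust
# zone. Prefer managing via GE0/0/0 and removing https/ssh here if possible.
interface Vlanif5
ip address 10.98.5.21 255.255.255.0
service-manage https permit
service-manage ping permit
service-manage ssh permit
#
l2tp-group default-lns
#
# Out-of-band MGMT port. Cleartext HTTP management removed; HTTPS and ping
# remain (the web-manager is HTTPS-only above anyway).
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
service-manage https permit
service-manage ping permit
#
interface GigabitEthernet0/0/1
undo shutdown
#
interface GigabitEthernet0/0/2
undo shutdown
#
interface GigabitEthernet0/0/3
undo shutdown
#
interface GigabitEthernet0/0/4
undo shutdown
#
interface GigabitEthernet0/0/5
undo shutdown
#
# GE0/0/6-7: L2 access ports in VLAN 2 (trust). GE0/0/8-9: L2 access ports in
# VLAN 5 (untrust); GE0/0/8 is administratively down.
interface GigabitEthernet0/0/6
portswitch
undo shutdown
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/7
portswitch
undo shutdown
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/8
portswitch
shutdown
port link-type access
port default vlan 5
#
interface GigabitEthernet0/0/9
portswitch
undo shutdown
port link-type access
port default vlan 5
#
interface GigabitEthernet0/0/10
undo shutdown
#
interface GigabitEthernet0/0/11
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
# Zones: trust = MGMT port + VLAN 2, untrust = VLAN 5. The physical L2 ports
# are also members, which is required for L2 traffic to be policy-checked.
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/6
add interface GigabitEthernet0/0/7
add interface Vlanif2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/8
add interface GigabitEthernet0/0/9
add interface Vlanif5
#
firewall zone dmz
set priority 50
#
api
#
# ICMP timestamp request/reply (types 13/14 by name, 17/18 address-mask) are
# not answered - removes a clock/netmask fingerprinting vector.
undo icmp name timestamp-request receive
undo icmp name timestamp-reply receive
undo icmp type 17 code 0 receive
undo icmp type 18 code 0 receive
#
# Two default routes to the same next hop. GE0/0/9 is a switched (portswitch)
# port in VLAN 5, so the first route is presumably a leftover; the Vlanif5
# route is the one that carries traffic - TODO confirm and remove the stale one.
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/9 10.98.5.1
ip route-static 0.0.0.0 0.0.0.0 Vlanif5 10.98.5.1
#
# SNMP: "version all" enables v1/v2c, whose community string travels in
# cleartext and is stored below in the reversible "%^%#" cipher. Because this
# configuration has been published, treat the community as compromised and
# rotate it; moving the poller to SNMPv3 (authPriv) and restricting the
# community with an ACL would close the exposure.
snmp-agent
snmp-agent local-engineid 800007DB03B008755CC8C8
snmp-agent community read cipher %^%#=t1n~+f6Q1t~C<CPHtd$J>k-66tx}*Dx=}G"91EMN)eZ<OQ^-Wln/@VQ0]#Dj`ZoF*jkjP$51uD^BbgU%^%#
snmp-agent sys-info version all
#
# SSH: v1 disabled, CTR-mode AES only, SHA-2 MACs only (SHA-1 removed from the
# server and client lists), DH group exchange >= 2048 bits. Authentication is
# password-only; the admin SSH user has every service type and an SFTP root
# of the whole flash (hda1:), so an SFTP session can read/replace the saved
# configuration - narrow this to a sub-directory if SFTP is needed at all.
undo ssh server compatible-ssh1x enable
stelnet server enable
ssh authentication-type default password
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type all
ssh user admin sftp-directory hda1:
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256
ssh server dh-exchange min-len 2048
#
firewall detect ftp
#
v-gateway ssl-renegotiation-attack defend enable
#
# Static destination NAT: two inside hosts published on outside addresses.
# Security policy below is evaluated against the INSIDE (post-NAT) addresses.
nat server 0 global 10.98.5.22 inside 192.168.14.2
nat server 1 global 10.98.5.23 inside 192.168.14.3
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
# NOTE(review): vty 16-20 carry no authentication-mode. On USG these VTYs are
# normally reserved for NETCONF; verify they are unreachable or add
# "authentication-mode aaa" to them as well.
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-interface
mode proportion-of-weight
#
right-manager server-group
#
IoT
#
network-scan
network-scan timeout per-asset 0
network-scan timeout entire-scan 0
conflict-resolve override
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
# Security policy. The implicit default action on USG is deny; nothing here
# changes that. Rules are matched top-down.
security-policy
# erji-server -> PI servers, TCP/5450, pinned to single source and destinations.
rule name erji-sanji
description erji-server TO PI
source-zone trust
destination-zone untrust
source-address 192.168.14.2 mask 255.255.255.255
destination-address 10.188.52.22 mask 255.255.255.255
destination-address 10.188.52.33 mask 255.255.255.255
service protocol tcp source-port 0 to 65535 destination-port 5450
action permit
# Inbound HTTPS to the published servers. Previously matched ANY trust
# destination; now limited to the two NAT-server inside addresses. Widen only
# if another trust host is meant to be reachable on 443 from untrust.
rule name sanji-erji
source-zone untrust
destination-zone trust
destination-address 192.168.14.2 mask 255.255.255.255
destination-address 192.168.14.3 mask 255.255.255.255
service https
action permit
# SSH from the ENTIRE untrust zone to the firewall itself (local zone), with
# no source-address restriction. Add "source-address <mgmt-subnet> mask <mask>"
# for the jump host / management network once it is known.
rule name sanji-local
source-zone untrust
destination-zone local
service ssh
action permit
# ICMP any<->any between trust and untrust (all ICMP types, not just echo).
# Convenient for troubleshooting; consider narrowing to echo/echo-reply.
rule name icmp
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
service icmp
action permit
# erji-server -> tieqiansanji, TCP/28020, pinned to single source and destination.
rule name erji-sanji1
description erji-server TO tieqiansanji
source-zone trust
destination-zone untrust
source-address 192.168.14.3 mask 255.255.255.255
destination-address 10.188.18.111 mask 255.255.255.255
service protocol tcp source-port 0 to 65535 destination-port 28020
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
# Source NAT (easy-ip on Vlanif5) is present but disabled; outbound flows from
# trust therefore leave with their private source address.
nat-policy
rule name nat1
disable
egress-interface Vlanif5
action source-nat easy-ip
#
quota-policy
#
dns-transparent-policy
mode based-on-multi-interface
#
rightm-policy
#
decryption-policy
#
mac-access-profile name mac_access_profile
#
return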