「HUAWEI-ENSP」- Lab Study: Firewall

Lab Requirements

Lab Procedure

Access the firewall via Web / CLI

Configuration steps:

# Add a Cloud device and configure its interface, connecting it to the FW GE0/0/0 interface
# Configure the Loopback interface bound to the Cloud, using the address 192.168.0.100/24

# Power on the firewall and log in to the device: admin / Admin@123
# Change the password as prompted: admin / Huawei@123

[USG6000V1]interface GigabitEthernet 0/0/0
[USG6000V1-GigabitEthernet0/0/0]service-manage all permit

Test method:

Q: In the emulator, the running firewall cannot be accessed via Web?
A: Check the emulator configuration or the bridge configuration:

# Or, the emulator's default configuration differs, so the device cannot be reached
# Or, you need to enter the GigabitEthernet0/0/0 interface and enable the service-manage configuration
# Or, the NIC bridged to the Cloud is configured incorrectly
# Or, you need to check the address configuration of the NIC bridged to the Cloud

Client1 can ping its gateway 10.0.12.254

Configuration steps:

[USG6000V1-GigabitEthernet1/0/1]ip address 10.0.12.254 24
[USG6000V1-GigabitEthernet1/0/1]service-manage ping permit

[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1

Test method:

  • [Client1] ping FW1 10.0.12.254 succeeds;

Allow Client1 to access the HTTP service on Server1

[USG6000V1]interface GigabitEthernet 1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip address 10.0.23.254 24

[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/2

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name permin_trust_untrust_http
[USG6000V1-policy-security-rule-permin_trust_untrust_http]source-zone trust
[USG6000V1-policy-security-rule-permin_trust_untrust_http]destination-zone untrust
[USG6000V1-policy-security-rule-permin_trust_untrust_http]service http
[USG6000V1-policy-security-rule-permin_trust_untrust_http]action permit

Test method:

  • Client1 can successfully access the HTTP service on Server1
  • and Client1 ping Server1 fails;

View the firewall session table;

[USG6000V1]display firewall session table
2025-03-19 08:08:28.110
 Current Total Sessions : 1
 http  VPN: public --> public  10.0.12.1:2053 --> 10.0.23.1:80
[USG6000V1]display firewall session table verbose
2025-03-19 08:08:29.230
 Current Total Sessions : 1
 http  VPN: public --> public  ID: c487f6d1808b8c0285967da7b79
 Zone: trust --> untrust  TTL: 00:00:10  Left: 00:00:09
 Recv Interface: GigabitEthernet1/0/1
 Interface: GigabitEthernet1/0/2  NextHop: 10.0.23.1  MAC: 5489-98f7-4e2a
 <--packets: 4 bytes: 471 --> packets: 6 bytes: 399
 10.0.12.1:2053 --> 10.0.23.1:80 PolicyName: permin_trust_untrust_http
 TCP State: close

Additional Notes

Client ==(ping)==> FW Interface

If Client-1 needs to ping the addresses bound to the firewall interfaces (.12.254 / .23.254), the [GE 1/0/1] service-manage ping permit command must be executed;
once this command has been executed, both interfaces can be pinged;

Service Manage vs. Security Policy

By default, the firewall interface has the Service Manage feature enabled, so the interface's handling of traffic is first governed by Service Manage;

If the Service Manage feature is disabled ([Interface] undo service-manage), traffic is then governed by the Security Policy;
to allow communication in that case, a security policy must be configured: create a rule that permits traffic with destination-zone local;

View security zones: display zone

<USG6000V1>display zone
2022-02-08 07:34:08.780
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (1):
    GigabitEthernet0/0/0
#
untrust
 priority is 5
 interface of the zone is (0):
#
dmz
 priority is 50
 interface of the zone is (0):
#

View session entries: display firewall session table

[USG6000V1]display firewall session table
2022-02-08 07:43:32.540
 Current Total Sessions : 2
 tcp  VPN: default --> default  192.168.0.100:5688 --> 192.168.0.1:8443
 http  VPN: public --> public  10.0.12.1:2051 --> 10.0.23.100:80

[USG6000V1]display firewall session table verbose
2022-02-08 07:44:18.670
 Current Total Sessions : 4
 http  VPN: public --> public  ID: c387f3fc68ff48846f62021f50
 Zone: trust --> untrust  TTL: 00:00:10  Left: 00:00:09
 Recv Interface: GigabitEthernet1/0/1
 Interface: GigabitEthernet1/0/2  NextHop: 10.0.23.100  MAC: 5489-98e6-027a
 <--packets: 4 bytes: 471 --> packets: 6 bytes: 401
 10.0.12.1:2052 --> 10.0.23.100:80 PolicyName: permit_trust2untrust_http
 TCP State: close

 tcp  VPN: default --> default  ID: c387f3fc6900dd0a4b62021f3f
 Zone: trust --> local  TTL: 00:20:00  Left: 00:19:42
 Recv Interface: GigabitEthernet0/0/0
 Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 0000-0000-0000
 <--packets: 416 bytes: 591,837 --> packets: 256 bytes: 20,833
 192.168.0.100:10557 --> 192.168.0.1:8443 PolicyName: ---
 TCP State: established

# Additional note:
# A PolicyName of --- means the session is not controlled by a security policy but is admitted by another mechanism (for example, Service Manage);
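When auditing a firewall, the sessions whose PolicyName is --- are the ones worth reviewing, since they bypass the security policy. The following is an added example (not code from the page or from Huawei) that parses the verbose session-table format shown above and lists those sessions; the SAMPLE input is constructed from the output above, with the interface and packet-counter lines omitted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the "display firewall session table verbose"
# output shown above (interface/packet lines omitted; the parser ignores them).
SAMPLE = """\
 Current Total Sessions : 2
 http  VPN: public --> public  ID: c387f3fc68ff48846f62021f50
 Zone: trust --> untrust  TTL: 00:00:10  Left: 00:00:09
 10.0.12.1:2052 --> 10.0.23.100:80 PolicyName: permit_trust2untrust_http
 TCP State: close

 tcp  VPN: default --> default  ID: c387f3fc6900dd0a4b62021f3f
 Zone: trust --> local  TTL: 00:20:00  Left: 00:19:42
 192.168.0.100:10557 --> 192.168.0.1:8443 PolicyName: ---
 TCP State: established
"""

@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    policy: Optional[str]  # None when the device prints "---"
    state: str = ""        # only TCP sessions carry a "TCP State:" line

ZONE = re.compile(r"Zone: (\S+) --> (\S+)")
FLOW = re.compile(r"^\s*(\S+) --> (\S+) PolicyName: (\S+)")
STATE = re.compile(r"TCP State: (\S+)")

def parse_sessions(text: str) -> List[Session]:
    """Turn verbose session-table output into Session records."""
    sessions: List[Session] = []
    zones = ("", "")
    for line in text.splitlines():
        if m := ZONE.search(line):
            zones = m.group(1), m.group(2)       # precedes the flow line
        elif m := FLOW.match(line):
            policy = None if m.group(3) == "---" else m.group(3)
            sessions.append(Session(*zones, m.group(1), m.group(2), policy))
        elif (m := STATE.search(line)) and sessions:
            sessions[-1].state = m.group(1)      # follows the flow line
    return sessions

def sessions_without_policy(sessions: List[Session]) -> List[Session]:
    """Sessions not matched by any security-policy rule (PolicyName ---)."""
    return [s for s in sessions if s.policy is None]
```

Feed it the output of display firewall session table verbose and check that every session reaching the local zone is one you expect service-manage to admit.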

View session aging time: display firewall session aging-time

display firewall session aging-time