
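Yangpu District Education System Firewall Project: Completion Document

Shanghai Youwei Information Technology Co., Ltd. (上海有为信息技术有限公司)
December 30, 2009

Project Completion Acceptance Report

Project name: Yangpu District Education System Firewall Project
Completion date: December 30, 2009
Project manager: Chen Huan (陈欢)
Implementation period: 12/22-30

Summary of work performed: the Hillstone firewall was installed and racked, and basic settings such as IP addresses and routing were configured; NAT, SSL VPN, AV (antivirus), attack-defense and other policies were configured on the Hillstone firewall; the above configuration was tested and met the user's requirements.

Technical documents submitted:

No.   File name/number       Pages   Copies   Form
1     Completion document    35      2        Printed text

Contents

I. Completion Report
II. Goods List
III. Equipment Deployment
IV. Function Configuration
V. Detailed Configuration
VI. After-Sales Service Commitment for This Project

I. Completion Report

Project description

Project name: Yangpu District Education System Firewall Project
Client: Yangpu District Education Bureau Information Center
Contractor: Shanghai Youwei Information Technology Co., Ltd.

System operation overview

No.   System name   Operating status   Remarks
1     Firewall      Normal             All required functions have been implemented and passed testing; operation is stable.

II. Goods List

Model: SG-6000-G5150-CN12
Description: SG-6000-G5150 hardware and software platform, including one year of hardware warranty and software upgrade and maintenance service. Specifications: 2U chassis, 4 GE + 8 SFP ports, 4 general-purpose expansion slots, hot-swappable dual power supplies, China power cord, hot-swappable fans. Performance: throughput 8G, concurrent connections 3 million/4 million (standard/maximum).
Quantity: 1

Model: AV-SGG5150-012-00
Description: SG-6000-G5150 yearly antivirus service
Quantity: 1

Model: SG-SSL-0025
Description: License for 25 concurrent SSL VPN users
Quantity: 1

Model: TRAN-LX10
Description: LX gigabit single-mode optical module (10 km)
Quantity: 2

Model: TRAN-SX
Description: SX gigabit multimode optical module
Quantity: 2

Model: SGSV-G5150-024-00
Description: SG-6000-G5150 two-year hardware warranty and software upgrade and maintenance service
Quantity: 1

III. Equipment Deployment

[Figure: network deployment diagram]

As shown in the figure above, the Hillstone SG-6000 firewall is deployed at the Internet egress of the Yangpu District education network. It connects to the China Telecom (e0/2), Municipal Education Commission (e0/3) and cable broadband (有线通) (e0/4) links, and interface e0/6 connects to the AceNet traffic-control device.

IV. Function Configuration

In this project, the Hillstone SG-6000 firewall mainly provides the following functions:

Load balancing across the three links
NAT (including static NAT for server IP addresses)
ACLs and attack protection
AV (antivirus)
SSL VPN

V. Detailed Configuration

SG-6000# show configuration
  |        Output modifiers
  saved    Saved configuration
SG-6000# show configuration
Building configuration.
Running configuration:
!
Version 3.5
ip vrouter trust-vr
exit
role jxxyzx
role jyj
role kjzx
role ypgj
role tjyfz
role local
role-mapping-rule localrole
  match user-group jxxyzx role jxxyzx
  match user-group jyj role jyj
  match user-group kjzx role kjzx
  match user-group ypgj role ypgj
  match user-group tjyfz role tjyfz
exit
aaa-server local type local
  role-mapping-rule localrole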


  user-group jxxyzx
    member user jxxyzx01
    member user jxxyzx02
    member user jxxyzx03
    member user jxxyzx04
    member user jxxyzx05
    member user jxxyzx06
    member user jxxyzx07
    member user jxxyzx08
    member user jxxyzx09
    member user jxxyzx10
  exit
  user-group jyj
    member user jyj01
    member user jyj02
    member user jyj03
    member user jyj04
    member user jyj05
    member user jyj06
    member user jyj07
    member user jyj08
    member user jyj09
    member user jyj10
  exit
  user-group kjzx
    member user kjzx01
    member user kjzx02
    member user kjzx03
    member user kjzx04
    member user kjzx05
    member user kjzx06
    member user kjzx07
    member user kjzx08
    member user kjzx09
    member user kjzx10
  exit
  user-group tjyfz
    member user tjyfz01
    member user tjyfz02
    member user tjyfz03
    member user tjyfz04
    member user tjyfz05
    member user tjyfz06
    member user tjyfz07
    member user tjyfz08
    member user tjyfz09
    member user tjyfz10
  exit
  user-group ypgj
    member user ypgj01
    member user ypgj02
    member user ypgj03
    member user ypgj04
    member user ypgj05
    member user ypgj06
    member user ypgj07
    member user ypgj08
    member user ypgj09
    member user ypgj10
  exit
exit
admin user hillstone
  password 3bAjTIiZuZ9N9fAQRnzbZIGA0A
  privilege RXW
  access console
  access telnet
  access ssh
  access http
  access https
exit
admin user jbxiang
  password M5er/4xNsovtIc3mWXwp023AAf
  privilege RXW
  access https
exit
hostname SG-6000
admin host any any
logging traffic on
interface vswitchif1
exit
interface ethernet0/0
exit
interface ethernet0/1
exit
interface ethernet0/2
exit
interface ethernet0/3
exit
interface ethernet0/4
exit
interface ethernet0/5
exit
interface ethernet0/6
exit
interface ethernet0/7
exit
interface ethernet0/8
exit
interface ethernet0/9
exit
interface ethernet0/10
exit
interface ethernet0/11
exit
interface tunnel1
exit
vswitch vswitch1
exit
zone trust
  ad port-scan
  ad port-scan threshold 4000
  ad ip-sweep
  ad ip-sweep threshold 4000
exit
zone untrust
  type wan
  ad tear-drop
  ad ip-spoofing
  ad land-attack
  ad ip-option
  ad ip-option action alarm
  ad ip-fragment
  ad winnuke
  ad port-scan
  ad syn-flood
  ad icmp-flood
  ad ip-sweep
  ad ping-of-death
  ad udp-flood
  ad ip-directed-broadcast
exit
zone dmz
exit
zone l2-trust l2
exit
zone l2-untrust l2
  type wan
exit
zone l2-dmz l2
exit
zone VPNHub
exit
zone HA
exit
zone SJW
  vrouter trust-vr
  type wan
  ad ip-fragment
  ad port-scan
  ad port-scan threshold 3000
  ad syn-flood
  ad icmp-flood
  ad ip-sweep
  ad ip-sweep threshold 3000
  ad ping-of-death
  ad udp-flood
  ad ip-directed-broadcast
exit
zone CTC
  vrouter trust-vr
  type wan
  ad ip-fragment
  ad port-scan
  ad port-scan threshold 3000
  ad icmp-flood
  ad ip-sweep
  ad ip-sweep threshold 3000
  ad ping-of-death
  ad udp-flood
  ad ip-directed-broadcast
exit
zone YXT
  vrouter trust-vr
  type wan
  ad tear-drop
  ad ip-fragment
  ad port-scan
  ad port-scan threshold 3000
  ad syn-flood
  ad icmp-flood
  ad ip-sweep
  ad ip-sweep threshold 3000
  ad ping-of-death
  ad udp-flood
  ad ip-directed-broadcast
exit
zone SSLZONE
  vrouter trust-vr
exit


pki trust-domain trust_domain_default
  keypair Default-Key
  enrollment self
  subject commonName SG-6000
  subject organization Hillstone Networks
exit
pki trust-domain network_manager_ca
  enrollment terminal
exit
isakmp proposal psk-md5-des-g2
  hash md5
  encryption des
exit
isakmp proposal psk-md5-3des-g2
  hash md5
exit
isakmp proposal psk-md5-aes128-g2
  hash md5
  encryption aes
exit
isakmp proposal psk-md5-aes256-g2
  hash md5
  encryption aes-256
exit
isakmp proposal psk-sha-des-g2
  encryption des
exit
isakmp proposal psk-sha-3des-g2
exit
isakmp proposal psk-sha-aes128-g2
  encryption aes
exit
isakmp proposal psk-sha-aes256-g2
  encryption aes-256
exit
isakmp proposal rsa-md5-des-g2
  authentication rsa-sig
  hash md5
  encryption des
exit
isakmp proposal rsa-md5-3des-g2
  authentication rsa-sig
  hash md5
exit
isakmp proposal rsa-md5-aes128-g2
  authentication rsa-sig
  hash md5
  encryption aes
exit
isakmp proposal rsa-md5-aes256-g2
  authentication rsa-sig
  hash md5
  encryption aes-256
exit
isakmp proposal rsa-sha-des-g2
  authentication rsa-sig
  encryption des
exit
isakmp proposal rsa-sha-3des-g2
  authentication rsa-sig
exit
isakmp proposal rsa-sha-aes128-g2
  authentication rsa-sig
  encryption aes
exit
isakmp proposal rsa-sha-aes256-g2
  authentication rsa-sig
  encryption aes-256
exit
isakmp proposal dsa-sha-des-g2
  authentication dsa-sig
  encryption des
exit
isakmp proposal dsa-sha-3des-g2
  authentication dsa-sig
exit
isakmp proposal dsa-sha-aes128-g2
  authentication dsa-sig
  encryption aes
exit
isakmp proposal dsa-sha-aes256-g2
  authentication dsa-sig
  encryption aes-256
exit
ipsec proposal esp-md5-des-g2
  hash md5
  encryption des
  group 2
exit
ipsec proposal esp-md5-des-g0
  hash md5
  encryption des
exit
ipsec proposal esp-md5-3des-g2
  hash md5
  encryption 3des
  group 2
exit
ipsec proposal esp-md5-3des-g0
  hash md5
  encryption 3des
exit
ipsec proposal esp-md5-aes128-g2
  hash md5
  encryption aes
  group 2
exit
ipsec proposal esp-md5-aes128-g0
  hash md5
  encryption aes
exit
ipsec proposal esp-md5-aes256-g2
  hash md5
  encryption aes-256
  group 2
exit
ipsec proposal esp-md5-aes256-g0
  hash md5
  encryption aes-256
exit
ipsec proposal esp-sha-des-g2
  hash sha
  encryption des
  group 2
exit
ipsec proposal esp-sha-des-g0
  hash sha
  encryption des
exit
ipsec proposal esp-sha-3des-g2
  hash sha
  encryption 3des
  group 2
exit
ipsec proposal esp-sha-3des-g0
  hash sha
  encryption 3des
exit
ipsec proposal esp-sha-aes128-g2
  hash sha
  encryption aes
  group 2
exit
ipsec proposal esp-sha-aes128-g0
  hash sha
  encryption aes
exit
ipsec proposal esp-sha-aes256-g2
  hash sha
  encryption aes-256
  group 2
exit
ipsec proposal esp-sha-aes256-g0
  hash sha
  encryption aes-256
exit
scvpn pool ippool1
  address 0 00
  netmask
exit
tunnel scvpn SSLVPN
  pool ippool1
  anti-replay 32
  allow-multi-logon number 1
  split-tunnel-route /13 metric 35
  aaa-server local
  interface ethernet0/2
exit
interface ethernet0/0
  zone trust
  ip address
  manage ssh
  manage telnet
  manage ping
  manage snmp
  manage http
  manage https
exit
interface ethernet0/1
  manage ping
exit
interface ethernet0/2
  zone CTC
  ip address 02 52
  manage ping
  manage https
  manage ssh
  no reverse-route
exit
interface ethernet0/3
  zone SJW
  ip address 0 52
  manage ping
exit
interface ethernet0/4
  zone YXT
  ip address
  manage ping
  manage https
  no reverse-route
exit
interface ethernet0/6
  zone trust
  ip address 48
  manage telnet
  manage ssh
  manage ping
  manage http
  manage https
exit
interface tunnel1
  zone SSLZONE
  ip address
  manage ping
  tunnel scvpn SSLVPN
exit
ip vrouter trust-vr
  snatrule id 3 from /32 to Any eif ethernet0/2 trans-to address-book /32 mode static
  snatrule id 4 from 7/32 to Any eif ethernet0/2 trans-to address-book 7/32 mode static
  snatrule id 5 from /32 to Any eif ethernet0/4 trans-to address-book /32 mode static
  snatrule id 6 from /32 to Any eif ethernet0/4 trans-to address-book 3/32 mode static
  snatrule id 7 from /32 to Any eif ethernet0/4 trans-to address-book /32 mode static
  snatrule id 8 from /32 to Any eif ethernet0/4 trans-to address-book /32 mode static
  snatrule id 9 from /32 to Any eif ethernet0/4 trans-to address-book 8/32 mode static
  snatrule id 10 from /32 to Any eif ethernet0/4 trans-to address-book /32 mode static
  snatrule id 11 from 1/32 to Any eif ethernet0/4 trans-to address-book 1/32 mode static
  snatrule id 12 from to Any eif ethernet0/4 trans-to 85 mode static
  snatrule id 13 from 0 to Any eif ethernet0/4 trans-to 20 mode static
  snatrule id 14 from 00 to Any eif ethernet0/4 trans-to 00 mode static
  snatrule id 15 from to Any eif ethernet0/4 trans-to 48 mode static
  snatrule id 16 from to Any eif ethernet0/4 trans-to 24 mode static
  snatrule id 17 from 35 to Any eif ethernet0/4 trans-to 35 mode static
  snatrule id 18 from to Any eif ethernet0/4 trans-to 218.242.170.102 mode static
  snatrule id 19 from 00 to Any eif ethernet0/4 trans-to 218.242.170.100 mode static
  snatrule id 20 from 8 to Any eif ethernet0/4 trans-to 218.242.170.88 mode static
  snatrule id 21 from 10.28.232.3 to Any eif ethernet0/4 trans-to 218.242.170.103 mode static
  snatrule id 22 from to Any eif ethernet0/4 trans-to 218.242.170.29 mode static
  snatrule id 23 from 99 to Any eif ethernet0/4 trans-to 218.242.170.199 mode static
  snatrule id 24 from 83 to Any eif ethernet0/4 trans-to 218.242.170.183 mode static
  snatrule id 25 from to Any eif ethernet0/4 trans-to 218.242.170.192 mode static
  snatrule id 26 from 17 to Any eif ethernet0/4 trans-to 218.242.170.217 mode static
  snatrule id 27 from 17 to Any eif ethernet0/4 trans-to 218.242.170.117 mode static
  snatrule id 28 from 8 to Any eif ethernet0/4 trans-to 218.242.170.38 mode static
  snatrule id 29 from 01 to Any eif ethernet0/4 trans-to 218.242.170.10 mode static
  snatrule id 30 from to Any
