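No.:
Classification:

Guangdong Mobile Jieyang Branch OA Core Firewall Replacement Plan
V1.0

Document revision record

Document number:
Project name: Guangdong Mobile Jieyang Branch OA core firewall replacement
File name: Guangdong Mobile Jieyang Branch OA Core Firewall Replacement Plan
Document description: Juniper firewall replacement plan
Current version: 1.0
Creation date: 2010
Document author:
Department:

| Revision | Date | Modified by | Reviewed by | Summary |
|---|---|---|---|---|
| V1.0 | 20 | 吴文轩 | | Document written |

Contents

Chapter 1 Document Overview
  1.1 Document purpose
  1.2 Product overview
  1.3 Product description
  1.4 Product advantages
    Device performance
    Hardware architecture
    Software architecture
    Software features
Chapter 2 Network Topology
  2.1 Existing network topology
  2.2 Target network topology
  2.3 Network traffic
    Traffic in the existing topology
    Traffic after the replacement
Chapter 3 Network Implementation
  3.1 Configuration information
    Device hardware
  3.2 Configuration information
    Device hardware
    Device software
    Interface configuration
    Address allocation
    Routing configuration
    Policy configuration
    HA settings
    3.2.8 UAC configuration
  3.3 Cut-over preparation
    Rack space
    Network cables
    Power
  3.4 Cut-over steps
  3.5 Rollback plan
Chapter 4 Configuration Summary

Chapter 1 Document Overview

1.1 Document purpose

Based on the current state of the core firewall at the Guangdong Mobile Jieyang branch, this plan replaces the existing Juniper ISG series firewalls with SRX series firewalls. The goal is to raise the core firewall's processing performance for the whole network and to remove some of the performance bottlenecks in the existing network. The plan sets out the overall advantages of the SRX devices, the configuration required on the live network, and the detailed steps of the network cut-over, so that the firewall replacement project at the Guangdong Mobile Jieyang branch can be carried out smoothly.

1.2 Product overview

The Juniper Networks SRX3000 line of services gateways is a next-generation solution for meeting the growing network infrastructure and application security requirements of both large enterprises and service providers. The SRX3000 line was designed from the start to provide flexible processing scalability, I/O scalability and advanced integration, and it meets network and security requirements in areas such as large-scale data center consolidation, rapid managed-service deployment and the convergence of security solutions. The SRX3000 is built on Juniper Networks Junos software. It combines Juniper's rich routing features and carrier-class reliability with the security of ScreenOS, supports the integration of advanced features and services, and protects modern network infrastructure and applications.

1.3 Product description

The Juniper Networks® SRX3400 Services Gateway and the Juniper Networks SRX3600 Services Gateway are next-generation services gateways that provide market-leading scalability and service integration in a mid-sized chassis. These products are an ideal choice for medium and large enterprise, public sector and service provider networks, including:

- Server farms and data centers of large enterprises
- Aggregation environments for departmental or standalone security solutions
- Cloud and hosting provider data centers
- Managed service deployments

The SRX3000 line is based on an innovative "mid-plane" design and Juniper's dynamic services architecture, and offers the best price/performance for large enterprise and service provider environments. Each services gateway scales almost linearly as services processing cards (SPCs) are added, and the SRX3600 supports up to 30 Gbps of firewall throughput. The SPC is designed to support a wide range of services and can support new features in the future without service-specific hardware. Because the SPCs are used for all services, no resources sit idle in one particular service area of the running environment, which maximizes hardware utilization.

The SRX3000 line uses a modular architecture that provides market-leading flexibility and price/performance. The gateway is based on Juniper's dynamic services architecture and supports flexible configuration of I/O cards (IOCs), network processing cards (NPCs) and services processing cards (SPCs). Users can configure the system to strike the desired balance between performance and port density, and can tailor an SRX deployment to specific network requirements. This flexibility lets you configure an SRX3600 with more than 100 Gbps of interfaces (any combination of Gigabit Ethernet and 10-Gigabit Ethernet ports), with 10 to 30 Gbps of network processing performance, and with the appropriate amount of services processing for specific business needs.

The services gateway contains a switch fabric that supports expansion with SPCs, NPCs and IOCs. The fabric supports data transfer rates of up to 320 Gbps and, in any given configuration, provides the most reasonable combination of maximum processing capacity and I/O capacity. This level of scalability and flexibility lets users expand and grow network infrastructure capacity without interrupting business operations and without being constrained by the security solution.

The flexibility of the SRX3000 line is not limited to the innovations and recognized strengths of the dynamic services architecture. With the "midplane" design, users can install SPCs at both the front and the rear of the chassis, which gives market-leading flexibility and scalability. The SRX3000 line supports twice as many SPCs in half the rack space, so it offers an innovative physical design in addition to its basic architectural innovation.

SRX series services gateways support feature integration through Juniper Networks Junos® software. By combining the routing features of Junos software with the security strengths of ScreenOS® software, the SRX series provides a powerful set of functions, including firewall, IPsec VPN, intrusion prevention (IPS), denial-of-service (DoS) protection, network address translation (NAT) and quality of service (QoS). Combining all of these functions in a single OS framework also substantially optimizes how traffic is processed inside the gateway. Running Junos software gives SRX series products the same advantages as Juniper's carrier-class routers and switches: a single-source OS, a consistent release train and a consistent architecture.

1.4 Product advantages

The new-generation SRX firewalls use a hardware and software architecture different from that of ScreenOS devices, and are better suited to network environments that demand high stability and high performance.

Device performance

The SRX3400 Services Gateway uses the same SPCs, IOCs and NPCs as the SRX3600. It supports up to 20 Gbps of firewall throughput, 6 Gbps of firewall plus IPS throughput, or 6 Gbps of IPsec VPN throughput, and up to 175,000 new connections per second, as shown in the table below:

| Parameter | SRX3600 | SRX3400 | ISG2000 | ISG1000 |
|---|---|---|---|---|
| Throughput | 10/20/30 Gbps | 10/20 Gbps | 4 Gbps | 2 Gbps |
| New sessions per second | 175,000 | 175,000 | 23,000 | 20,000 |
| Concurrent sessions | 2,250,000 | 2,250,000 | 1,000,000 | 500,000 |
| 3DES performance | 10 Gbps | 6 Gbps | 2 Gbps | 1 Gbps |

Hardware architecture

- Carrier-class chassis design and high-density slots
- High-density slots and performance expansion
- I-chip and Stinger fabric ASIC
- DPC card technology and NP chips
- Separation of forwarding and control (the routing engine, SPC and NPC are handled by independent hardware and can be configured as needed)
- Switch fabric: internal data exchange no longer goes over a bus as in the existing firewalls; a high-performance fabric provides truly non-blocking switching (the SRX3000 line uses the SF16 fabric)
- Large total number of interfaces

Software architecture

- Modular software system; new features deploy and run stably; a proven carrier-class Internet operating system
- Ability to integrate new functions (such as EX switching and MX Ethernet aggregation PE)
- Combination of the carrier-class routing operating system JUNOS and the security operating system ScreenOS
- Advanced features from JUNOS such as MPLS/NSF/NSR
- Hierarchical CLI configuration style from JUNOS
- Security features from ScreenOS: security zones/NAT/IPsec VPN/Screen/deep inspection/UTM
- Advanced management features such as commit and JUNOS Scripts

Software features

- The advantages of JUNOS
- Routing (1,000,000 OSPF/BGP entries)
- QoS
- Configuration rollback
- Full IDP functionality (processed on independent hardware, on a dedicated core of the multi-core processor)
- Hardware-based DoS attack protection (Screen function)
- Per-policy traffic statistics, per-policy new-session statistics, and so on

Chapter 2 Network Topology

2.1 Existing network topology

The existing network topology in Jieyang is shown below. The ISG1000 firewalls are connected to the core switch in active/standby mode.

2.2 Target network topology

After the change the network topology stays essentially the same. The ISG1000 is replaced by SRX3000 series firewalls, which run in active/standby mode and connect to the switch over two interfaces.

2.3 Network traffic

Traffic in the existing topology

In the existing topology the firewall is connected to the switch by a single link. Traffic between the user access VLANs and the uplink MDCN VLAN is carried over one 1G copper cable, which easily becomes a traffic bottleneck on the link. The traffic flow is shown in the figure below:

Traffic after the replacement

After the replacement, traffic between user VLANs and traffic from users to the MDCN backbone are separated onto different physical interfaces. The existing single 1G cable is replaced by two 1G fiber links, which increases network bandwidth and reduces the link bandwidth bottleneck.

Traffic between user VLANs

Traffic between user VLANs is carried on a separate physical interface.

Chapter 3 Network Implementation

3.1 Configuration information

Device hardware

| Model | Description | Quantity |
|---|---|---|
| SRX3400-A | SRX3400 Chassis, Midplane, Fan, RE, SFB-12GE, AC PEM - no power cord - 1 SPC - no NPC | 1 |
| SRX3K-NPC | NPC card, installed in FPC7 | 1 |
| SRX3K-SPC-1-10-40 | SPC card, installed in FPC5 | 1 |
| SFP-1GE-SX | 1G optical module, installed in SFB-12GE Control0 | 1 |
| SFP-1GE-SX | 1G optical module, installed in SFB-12GE Ge-0/0/9 | 1 |
| SFP-1GE-SX | 1G optical module, installed in SFB-12GE Ge-0/0/10 | 1 |
| SFP-1GE-SX | 1G optical module, installed in SFB-12GE Ge-0/0/11 | 1 |
| SRX3K-PWR-AC | Power supply | 1 |
| CBL-PWR-C19S-162-CH | 16A power cord | 2 |
| SRX3400-B | SRX3400 Chassis, Midplane, Fan, RE, SFB-12GE, AC PEM - no power cord - 1 SPC - no NPC | 1 |
| SRX3K-NPC | NPC card, installed in FPC7 | 1 |
| SRX3K-SPC-1-10-40 | SPC card, installed in FPC5 | 1 |
| SFP-1GE-SX | 1G optical module, installed in SFB-12GE Control0 | 1 |
| SFP-1GE-SX | 1G optical module, installed in SFB-12GE Ge-0/0/9 | 1 |
| SFP-1GE-SX | 1G optical module, installed in SFB-12GE Ge-0/0/10 | 1 |
| SFP-1GE-SX | 1G optical module, installed in SFB-12GE Ge-0/0/11 | 1 |
| SRX3K-PWR-AC | Power supply | 1 |
| CBL-PWR-C19S-162-CH | 16A power cord | 2 |

3.2 Configuration information

Device hardware

| Model | Description | Quantity |
|---|---|---|
| SRX3400-A | JY-SRX3400-A | 1 |
| SRX3400-B | JY-SRX3400-B | 1 |

Device software

| Device name | Device model | Software version | Software name |
|---|---|---|---|
| SRX3000 | SRX | 10.2R2.11 | junos-srx3000-10.2R2.11-domestic.tgz |
| IC4000 | IC4000 | 4.0R2 | |

Interface configuration

| Local device | Interface | Peer device | Interface | Cable type |
|---|---|---|---|---|
| SRX3000-1 | ge-0/0/10 | Core switch | | Fiber LC-LC |
| | control0 | SRX3000-2 | control0 | Fiber LC-LC |
| | ge-0/0/11 | | ge-8/0/11 | Fiber LC-LC |
| SRX3000-2 | ge-8/0/10 | Core switch | | Fiber LC-LC |
| | control0 | SRX3000-1 | control0 | Fiber LC-LC |
| | ge-8/0/11 | | ge-0/0/11 | Fiber LC-LC |

Address allocation

| Local device | Interface | IP address | Remarks |
|---|---|---|---|
| SRX3000-1 | ge-0/0/10.2 | | |
| | ge-0/0/10.11 | | |
| | ge-0/0/10.12 | | |
| | ge-0/0/10.13 | | |
| | ge-0/0/10.14 | | |
| | ge-0/0/10.15 | 10.2 | |
| | ge-0/0/10.16 | | |
| | ge-0/0/10.17 | | |
| | ge-0/0/10.18 | | |
| | ge-0/0/10.19 | | |
| | ge-0/0/10.21 | | |
| | ge-0/0/10.22 | | |
| | ge-0/0/10.23 | | |
| | ge-0/0/10.24 | | |
| | ge-0/0/10.25 | | |
| | ge-0/0/10.26 | | |
| | ge-0/0/10.27 | | |
| | ge-0/0/10.29 | | |
| | ge-0/0/10.103 | | |
| | ge-0/0/10.105 | | |
| | ge-0/0/10.205 | 10. | |
| | ge-0/0/10.500 | | |
| SRX3000-2 | Same as the primary firewall | | |

Routing configuration

The firewall runs the dynamic routing protocol OSPF. Details are in the following table:

| Firewall | Area ID | Interface | Mode | Cost |
|---|---|---|---|---|
| SRX3000-1 | .21 | reth0.2 | passive | 1 |
| | | reth0.11 | passive | 1 |
| | | reth0.12 | passive | 1 |
| | | reth0.13 | passive | 1 |
| | | reth0.14 | passive | 1 |
| | | reth0.15 | passive | 1 |
| | | reth0.16 | passive | 1 |
| | | reth0.17 | passive | 1 |
| | | reth0.18 | passive | 1 |
| | | reth0.19 | passive | 1 |
| | | reth0.21 | passive | 1 |
| | | reth0.22 | passive | 1 |
| | | reth0.23 | passive | 1 |
| | | reth0.24 | passive | 1 |
| | | reth0.25 | passive | 1 |
| | | reth0.26 | passive | 1 |
| | | reth0.27 | passive | 1 |
| | | reth0.29 | passive | 1 |
| | | reth0.103 | | 1 |
| | | reth0.105 | | 1 |
| | | reth0.205 | | 1 |
| | | reth0.500 | | 1 |

The firewall also uses static routes. Details are in the following table:

| Destination address | Next hop |
|---|---|

Policy configuration

The policies are written to follow the policies of the original ISG1000 firewall, with some changes required by the SRX platform, such as name length, naming language (Chinese changed to Latin letters) and adjusted policy LOG options. The access control enforced by the policies is not changed.

HA settings

SRX firewall HA is deployed using JSRP. Interfaces are organized as redundant (reth) interfaces, a dedicated Control interface carries control traffic, and a Data interface is defined to carry RTO information.

Cluster settings

| Functional area | Cluster ID |
|---|---|
| External network access area | 1 |

Redundant Group settings

| Redundancy group | Group ID | Node | Priority | Member interface |
|---|---|---|---|---|
| RG1 | RETH0 | Node0 | 200 | ge-0/0/10 |
| | | Node1 | 50 | ge-8/0/10 |

Monitoring settings

| Monitor Interface |
|---|
| Interface ge-0/0/10 |
| Interface ge-8/0/10 |

3.2.8 UAC configuration

Firewall side

| Name | IP | Port | Interface | Password | Timeout action |
|---|---|---|---|---|---|
| IC4000 | | 11123 | Reth0.2 | jySRX!@# | no-change |

IC side

| Name | Platform | Password | Serial number |
|---|---|---|---|
| SRX3000 | JunOS | jySRX!@# | |

The configuration is shown in the figure below:

3.3 Cut-over preparation

Rack space

| Model | Size | Remarks |
|---|---|---|
| SRX3400 | WxHxD (44.5 x 13.3 x 64.8 cm) | 3U |
| SRX3600 | WxHxD (44.5 x 22.2 x 64.8 cm) | 5U |

Network cables

| Type | Quantity | Length | Remarks |
|---|---|---|---|
| Fiber | 1 | Confirm interconnect length according to device location | SRX device interconnect (Control) |
| Fiber | 1 | Confirm interconnect length according to device location | SRX device interconnect (DATA) |
| Fiber | 2 | Confirm interconnect length according to device location | SRX to switch interconnect |

Power

| Model | Power | Remarks |
|---|---|---|
| SRX3400 | 1,200 W (AC power), 1,020 W (DC power) | Requires 16 |
| SRX3600 | 1,800 W (AC power), 1,800 W (DC power) | Requires 16 |

3.4 Cut-over steps

2010/10

Step 1: Configuration backup. Back up the configuration of the related network devices, such as the switches, the ISG1000 firewall, the IC4000 and the SSG520.

Step 2: Disconnect the ports that connect the ISG2000 to the 6509.

Step 3: Connect the ports that connect the SRX3400 to the 6509.

Step 4: Network testing

| Check item | Command | Result | Remarks |
|---|---|---|---|
| Network connectivity | pi | | Ping test from intranet hosts |
| IC integration check | show services unified-access-control status | | Check the integration status between the firewall and the IC |
| IC authentication test | Log in with the IE browser and verify the authentication information | | Check IC integration and user authentication |
| IC authentication client | Test using the client | | Test whether client authentication and Host Check work properly |
| Failover test | Unplug the cable of a monitored firewall interface; show security flow session; show services unified-access-control authentication-table | | Test firewall failover and check session and authenticated-user information |

Step 5: Test the information collected by the provincial company over SNMP, and test whether the provincial company's syslog can collect information. (2010-10

3.5 Rollback plan

The rollback plan does not require any change to the switch configuration. The steps are:

Step 1: Disconnect the interfaces that connect the SRX to the 6509.
Step 2: Connect the interfaces that connect the ISG2000 to the 6509.
Step 3: Switch the gateway back to the original firewall.

Chapter 4 Configuration Summary

// Node0 (primary firewall): enable chassis cluster and use ge-0/0/11 as the fabric interface
set chassis cluster cluster-id 1 node 0 reboot
set interfaces fab0 fabric-options member-interfaces ge-0/0/11
// Node1 (backup firewall): enable chassis cluster and use ge-8/0/11 as the fabric (data) interface
set chassis cluster cluster-id 1 node 1 reboot
set interfaces fab1 fabric-options member-interfaces ge-8/0/11
// Configure automatic recovery of the cluster control link
set chassis cluster control-link-recovery
// Configure the chassis redundancy groups
set chassis cluster reth-count 2
// Configure redundancy-group priorities (the higher value has the higher priority) and the JSRP monitored interfaces
set chassis cluster redundancy-group 0 node 1 priority 50
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 50
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/10 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-8/0/10 weight 255
// Device host name and management interface IP configuration
set groups node0 system host-name JY-SRX3400-A
set groups node0 system backup-router
set groups node0 system backup-router destination .0/0
.1/24
set groups node1 system host-name JY-SRX3400-B
set groups node1 system backup-router
set groups node1 system backup-router destination .0/0
// Apply only the local node's group on each cluster member
set apply-groups "${node}"
// Set the system time zone
set system time-zone Asia/Shanghai
// Enable SSH, Telnet and FTP management services
set system services ssh
set system services telnet
set system services ftp
// Bind the redundant interfaces
set interfaces ge-0/0/10 gigether-options redundant-parent reth0
set interfaces ge-8/0/10 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
// Enable VLAN tagging on reth0 and assign the VLAN ID and IP address of each unit
set interfaces reth0 unit 2 vlan-id 2 family inet address 10.
set interfaces reth0 unit 205 vlan-id 205 family inet addre
// Configure DHCP relay and enable it on the relevant interfaces
set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp server
set forwarding-options helpers bootp interface reth0.12 server
set forwarding-options helpers bootp interface reth0.22 server
// SNMP network management configuration
set snmp name JY_SRX3400-A
set snmp community zjpublic authorization read-only
// Configure dynamic OSPF routing
set policy-options policy-statement Static-to-Ospf term 1 from protocol static
set policy-options policy-statement Static-to-Ospf term 1 then accept
set protocols ospf export Static-to-Ospf
set protocols ospf area .21 interface reth0.2 metric 1
set protocols ospf area .21 interface reth0.2 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.2 passive
set protocols ospf area .21 interface reth0.11 passive
set protocols ospf area .21 interface reth0.11 metric 1
set protocols ospf area .21 interface reth0.11 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.12 passive
set protocols ospf area .21 interface reth0.12 metric 1
set protocols ospf area .21 interface reth0.12 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.13 passive
set protocols ospf area .21 interface reth0.13 metric 1
set protocols ospf area .21 interface reth0.13 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.14 passive
set protocols ospf area .21 interface reth0.14 metric 1
set protocols ospf area .21 interface reth0.14 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.15 passive
set protocols ospf area .21 interface reth0.15 metric 1
set protocols ospf area .21 interface reth0.15 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.16 passive
set protocols ospf area .21 interface reth0.16 metric 1
set protocols ospf area .21 interface reth0.16 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.17 passive
set protocols ospf area .21 interface reth0.17 metric 1
set protocols ospf area .21 interface reth0.17 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.18 passive
set protocols ospf area .21 interface reth0.18 metric 1
set protocols ospf area .21 interface reth0.18 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.19 passive
set protocols ospf area .21 interface reth0.19 metric 1
set protocols ospf area .21 interface reth0.19 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.21 passive
set protocols ospf area .21 interface reth0.21 metric 1
set protocols ospf area .21 interface reth0.21 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.22 passive
set protocols ospf area .21 interface reth0.22 metric 1
set protocols ospf area .21 interface reth0.22 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.23 passive
set protocols ospf area .21 interface reth0.23 metric 1
set protocols ospf area .21 interface reth0.23 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.24 passive
set protocols ospf area .21 interface reth0.24 metric 1
set protocols ospf area .21 interface reth0.24 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.25 passive
set protocols ospf area .21 interface reth0.25 metric 1
set protocols ospf area .21 interface reth0.25 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.26 passive
set protocols ospf area .21 interface reth0.26 metric 1
set protocols ospf area .21 interface reth0.26 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.27 passive
set protocols ospf area .21 interface reth0.27 metric 1
set protocols ospf area .21 interface reth0.27 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.29 passive
set protocols ospf area .21 interface reth0.29 metric 1
set protocols ospf area .21 interface reth0.29 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.103 metric 1
set protocols ospf area .21 interface reth0.103 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.105 metric 1
set protocols ospf area .21 interface reth0.105 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.205 metric 1
set protocols ospf area .21 interface reth0.205 authentication md5 1 key JYgmcc
set protocols ospf area .21 interface reth0.500 metric 1
set protocols ospf area .21 interface reth0.500 authentication md5 1 key JYgmcc
// Configure static routes
set routing-options static rout
// Configure the syslog server
set security log mode stream
set security log format sd-syslog
set security log source-address 10.24
set security log stream syslog severity warning
set security log stream syslog format syslog
set security log stream syslog category all
// Define address books and address sets
set security zones security-zone Trust address
set security zones security-zone Trust address-book address All_Trust .0/8-5F
set security zones security-zone Trust address-book address-set All_Trust_ZONE address All_Trust
set security zones security-zone Trust address-book address-set GD_ORACAL address GD-ORACAL-3
set security zones security-zone Trust address-book address-set GD_ORACAL address GD_ORACAL_1
set security zones security-zone Trust address-book address-set GD_ORACAL address GD_ORACAL_2
set security zones security-zone DMZ address-book address-set DMZ_ORACAL_GROUP_1 address DKH_ORACAL_65
set security zones security-zone DMZ address-book address-set DMZ_ORACAL_GROUP_1 address JJFWZC_ORACAL_69-5F
set security zones security-zone DMZ interfaces reth0.2 host-inbound-traffic system-services telnet
set security zones security-zone DMZ interfaces reth0.2 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.11 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.11 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.11 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.12 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.12 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.12 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.13 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.13 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.13 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.14 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.14 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.14 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.15 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.15 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.15 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.16 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.16 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.16 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.17 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.17 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.17 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.18 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.18 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.18 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.19 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.19 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.19 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.21 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.21 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.21 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.22 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.22 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.22 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.23 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.23 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.23 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.24 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.24 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.24 host-inbound-traffic system-services bootp
set security zones security-zone DMZ interfaces reth0.25 host-inbound-traffic system-services ping
set security zones security-zone DMZ interfaces reth0.25 host-inbound-traffic system-services telnet
set security zones security-zone DMZ interfaces reth0.25 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.26 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.26 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.26 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.27 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.27 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.27 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.29 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.29 host-inbound-traffic system-services telnet
set security zones security-zone LouCeng_ZONE interfaces reth0.29 host-inbound-traffic system-services bootp
set security zones security-zone BOSS_ZONE interfaces reth0.103 host-inbound-traffic system-services ping
set security zones security-zone BOSS_ZONE interfaces reth0.103 host-inbound-traffic system-services telnet
set security zones security-zone BOSS_ZONE interfaces reth0.103 host-inbound-traffic system-services bootp
set security zones security-zone xianggongsi_test interfaces reth0.105 host-inbound-traffic system-services ping
set security zones security-zone xianggongsi_test interfaces reth0.105 host-inbound-traffic system-services telnet
set security zones security-zone xianggongsi_test interfaces reth0.105 host-inbound-traffic system-services bootp
set security zones security-zone Trust interfaces reth0.205 host-inbound-traffic system-services ping
set security zones security-zone Trust interfaces reth0.205 host-inbound-traffic system-services telnet
set security zones security-zone Trust interfaces reth0.205 host-inbound-traffic system-services bootp
set security zones security-zone xianggongsi_test interfaces reth0.500 host-inbound-traffic system-services ping
set security zones security-zone xianggongsi_test interfaces reth0.500 host-inbound-traffic system-services telnet
set security zones security-zone xianggongsi_test interfaces reth0.500 host-inbound-traffic system-services bootp
// Configure the firewall policies
set security policies from-zone BOSS_ZONE to-zone Trust policy id_294 match source-address All_BOSS_ZONE uWuQi
set security policies from-zone BOSS_ZONE to-zone Trust policy id_294 match application junos-
set security policies from-zone BOSS_ZONE to-zone Trust policy id_294 then permit
set security policies from-zone xianggongsi_test to-zone Trust policy id_293 match source-address All_XianGongSi_ZONE
set security policies from-zone xianggongsi_test to-zone Trust policy id_293 match application junos-
set security policies from-zone xianggongsi_test to-zone Trust policy id_293 then permit
set security policies from-zone LouCeng_ZONE to-zone Trust policy id_292 match source-address All_LouCeng_ZONE
set security policies from-zone LouCeng_ZONE to-zone Trust policy id_292 match application junos-
set security policies from-zone LouCeng_ZONE to-zone Trust policy id_292 then permit
set security policies from-zone LouCeng_ZONE to-zone Trust policy id_279 match application any
set security policies from-zone LouCeng_ZONE to-zone Trust policy id_279 then permit
set security policies from-zone Trust to-zone DMZ policy id_276 match source-address All_Trust_ZONE
set security policies from-zone Trust to-zone DMZ policy id_276 match application any
set security policies from-zone Trust to-zone DMZ policy id_276 then permit
set security policies from-zone xianggongsi_test to-zone BOSS_ZONE policy id_275 match source-address All_XianGongSi_ZONE
set security policies from-zone xianggongsi_test to-zone BOSS_ZONE policy id_275 match destination-address BOSS_Audited_Server
set security policies from-zone xianggongsi_test to-zone BOSS_ZONE policy id_275 match application YuanChengZhuoMian
set security policies from-zone xianggongsi_test to-zone BOSS_ZONE policy id_275 then deny
set security policies from-zone LouCeng_ZONE to-zone BOSS_ZONE policy id_274 match source-address All_LouCeng_ZONE
set security policies from-zone LouCeng_ZONE to-zone BOSS_ZONE policy id_274 match destination-address BOSS_Audited_Server
set security policies from-zone LouCeng_ZONE to-zone BOSS_ZONE policy id_274 match application YuanChengZhuoMian
set security policies from-zone LouCeng_ZONE to-zone BOSS_ZONE policy id_274 then deny
deactivate security policies from-zone LouCeng_ZONE to-zone BOSS_ZONE policy id_274
set security policies from-zone DMZ to-zone BOSS_ZONE policy id_272 match source-address Audit_Server_Group
set security policies from-zone DMZ to-zone BOSS_ZONE policy id_272 match destination-address BOSS_Audited_Server
set security policies from-zone DMZ to-zone BOSS_ZONE policy id_272 match application YuanChengZhuoMian
set security policies from-zone DMZ to-zone BOSS_ZONE policy id_272 then permit
set security policies from-zone DMZ to-zone BOSS_ZONE policy id_273 match source-address All_DMZ_ZONE
set security policies from-zone DMZ to-zone BOSS_ZONE policy id_273 match destination-address BOSS_Audited_Server
set security policies from-zone DMZ to-zone BOSS_ZONE policy id_273 match application YuanChengZhuoMian
set security policies from-zone DMZ to-zone BOSS_ZONE policy id_273 then deny
set security policies from-zone Trust to-zone BOSS_ZONE policy id_271 match source-address All_Trust_ZONE
set security policies from-zone Trust to-zone BOSS_ZONE policy id_271 match destination-address BOSS_Audited_Server
set security policies from-zone Trust to-zone BOSS_ZONE policy id_271 match application YuanChengZhuoMian
set security policies from-zone Trust to-zone BOSS_ZONE policy id_271 then deny
set security policies from-zone xianggongsi_test to-zone LouCeng_ZONE policy id_311 match source-address Deny-Clent-OA-xgs-tiyanji
set security policies from-zone xianggongsi_test to-zone LouCeng_ZONE policy id_311 match destination-address All_LouCeng_ZONE
set security policies from-zone xianggongsi_test to-zone LouCeng_ZONE policy id_311 match application any
set security policies from-zone xianggongsi_test to-zone LouCeng_ZONE policy id_311 then deny
set security policies from-zone xianggongsi_test to-zone LouCeng_ZONE policy id_270 match source-address All_XianGongSi_ZONE
set security policies from-zone xianggongsi_test to-zone LouCeng_ZONE policy id_270 match destination-address MDCN_Audited_Server
set security policies from-zone xianggongsi_test to-zone LouCeng_ZONE policy id_270 match application YuanChengZhuoMian
set security policies from-zone xianggongsi_test to-zone LouCeng_ZONE policy id_270 then deny
set security policies from-zone BOSS_ZONE to-zone LouCeng_ZONE policy id_297 match source-address Deny-Clent-BOSS-tiyanji
set security policies from-zone BOSS_ZONE to-zone LouCeng_ZONE policy id_297 match destination-address All_LouCeng_ZONE
set security policies from-zone BOSS_ZONE to-zone LouCeng_ZONE policy id_297 match application any
set security policies from-zone BOSS_ZONE to-zone LouCeng_ZONE policy id_297 then deny
set security policies from-zone BOSS_ZONE to-zone LouCeng_ZONE policy id_269 match source-address All_BOSS_ZONE
set security policies from-zone BOSS_ZONE to-zone LouCeng_ZONE policy id_269 match destination-address MDCN_Audited_Server
set security policies from-zone BOSS_ZONE to-zone LouCeng_ZONE policy id_269 match application YuanChengZhuoMian
set security policies from-zone BOSS_ZONE to-zone LouCeng_ZONE policy id_269 then deny
set security policies from-zone LouCeng_ZONE to-zone LouCeng_ZONE policy id_268 match source-address All_LouCeng_ZONE
set security policies from-zone LouCeng_ZONE to-zone LouCeng_ZONE policy id_268 match destination-address MDCN_Audited_Server
set security policies from-zone LouCeng_ZONE to-zone LouCeng_ZONE policy id_268 match application YuanChengZhuoMian
set security policies from-zone LouCeng_ZONE to-zone LouCeng_ZONE policy id_268 then deny
set security policies from-zone DMZ to-zone LouCeng_ZONE policy id_267 match source-address Audit_Server_Group
set security policies from-z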
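An added example, not part of the original plan: a Python check that reads Junos `set`-format statements like those in the configuration summary and lists the management-plane settings worth reviewing before cut-over (Telnet/FTP services, Telnet allowed as host-inbound traffic, an SNMP community with no client list, active permit policies that match application any). The sample input is a constructed excerpt; the rule names, the community name `EXAMPLE` and the policy `example_1` are assumptions.

```python
CLEARTEXT = {"telnet", "ftp"}  # services that carry credentials unencrypted

# Constructed excerpt in the style of the configuration summary.
# The community EXAMPLE and the policy example_1 are placeholders.
SAMPLE = """\
set system services ssh
set system services telnet
set system services ftp
set snmp community EXAMPLE authorization read-only
set security zones security-zone DMZ interfaces reth0.2 host-inbound-traffic system-services telnet
set security zones security-zone DMZ interfaces reth0.2 host-inbound-traffic system-services bootp
set security zones security-zone LouCeng_ZONE interfaces reth0.11 host-inbound-traffic system-services ping
set security zones security-zone LouCeng_ZONE interfaces reth0.11 host-inbound-traffic system-services telnet
set security policies from-zone Trust to-zone DMZ policy id_276 match source-address All_Trust_ZONE
set security policies from-zone Trust to-zone DMZ policy id_276 match application any
set security policies from-zone Trust to-zone DMZ policy id_276 then permit
set security policies from-zone DMZ to-zone BOSS_ZONE policy id_273 match application YuanChengZhuoMian
set security policies from-zone DMZ to-zone BOSS_ZONE policy id_273 then deny
set security policies from-zone LouCeng_ZONE to-zone BOSS_ZONE policy example_1 match application any
set security policies from-zone LouCeng_ZONE to-zone BOSS_ZONE policy example_1 then permit
deactivate security policies from-zone LouCeng_ZONE to-zone BOSS_ZONE policy example_1
"""


def audit(config):
    """Return (rule, detail) findings for Junos set-format statements."""
    findings, policies, inactive = [], {}, set()
    communities, restricted = [], set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("set", "deactivate"):
            continue  # truncated or unrelated line: nothing to judge
        verb, p = tok[0], tok[1:]
        if p[:3] == ["security", "policies", "from-zone"] and len(p) >= 8:
            key = (p[3], p[5], p[7])  # (from-zone, to-zone, policy name)
            if verb == "deactivate":
                inactive.add(key)
                continue
            pol = policies.setdefault(key, {"apps": set(), "action": None})
            if p[8:10] == ["match", "application"] and len(p) > 10:
                pol["apps"].add(p[10])
            elif p[8:9] == ["then"] and len(p) > 9:
                pol["action"] = p[9]
        elif verb != "set":
            continue
        elif p[:2] == ["system", "services"] and p[2] in CLEARTEXT:
            findings.append(("MGMT-CLEARTEXT", "system services " + p[2]))
        elif p[:2] == ["snmp", "community"]:
            if p[2] not in communities:
                communities.append(p[2])
            if p[3:4] == ["clients"]:  # community limited to listed sources
                restricted.add(p[2])
        elif (p[:3] == ["security", "zones", "security-zone"] and len(p) >= 7
              and "host-inbound-traffic" in p and p[-1] in CLEARTEXT):
            iface = p[5] if p[4] == "interfaces" else "(zone-wide)"
            findings.append(("HOST-INBOUND-CLEARTEXT",
                             f"{p[3]} {iface} {p[-1]}"))
    for name in communities:
        if name not in restricted:
            findings.append(("SNMP-NO-CLIENT-LIST", name))
    for key, pol in policies.items():
        # Deactivated policies are not evaluated by the firewall, so skip them.
        if (key not in inactive and pol["action"] == "permit"
                and "any" in pol["apps"]):
            findings.append(("POLICY-PERMIT-ANY", "%s -> %s %s" % key))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE):
        print(f"{rule:24} {detail}")
```

Each finding is a review item rather than a verdict: SSH can replace Telnet and FTP for management, and a `clients` list on the SNMP community limits which hosts may poll the device.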