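Huawei USG Firewall Basic Configuration

Published: 2020-07-25 03:07:31 Source: Internet Views: 8116 Author: zhuxtqw Category: Security Technology

USG Firewall Basic Configuration

Learning objectives

  • Learn how to log in to the USG firewall

  • Learn how to change the firewall's device name

  • Learn how to change the firewall's time and time zone

  • Learn how to change the firewall's login banner

  • Learn how to change the firewall's login password

  • Learn how to view, save and delete the firewall configuration

  • Learn how to configure VLANs and interface addresses on the firewall and test basic connectivity

Topology diagram

[Figure: Huawei USG firewall basic configuration topology]

Tasks

Step 1. Log in to the firewall with its default configuration and change the firewall name

Like a router, the firewall has a Console port. Connect the Console port to the computer's COM port with a console cable. The HyperTerminal program that ships with Windows can then be used to connect to the firewall.

The firewall's default configuration includes a username and password: the username is admin and the password is Admin@123. Both must be entered at login, and they are case-sensitive.

The firewall name is changed the same way as a router's name.

Note also that because the firewall and the router both run the VRP platform operating system, command levels, command help and so on work the same as on a router.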

<SRG>sys

13:47:28 2014/07/04

Enter system view, return user view with Ctrl+Z.

[SRG]sysname FW

13:47:32 2014/07/04

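Step 2. Change the firewall's time and time zone

By default the firewall has no time zone defined, so the time stored by the system may not match the actual time. Set the time and time zone to match the real environment. In this lab we set the time zone to UTC+8 and set the standard time.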

<FW>clock timezone 1 add 08:00:00

13:50:57 2014/07/04

<FW>dis clock

21:51:15 2014/07/03

2014-07-03 21:51:15

Thursday

Time Zone : 1 add 08:00:00

<FW>clock datetime 13:53:44 2014/07/04

21:53:29 2014/07/03

<FW>dis clock

13:54:04 2014/07/04

2014-07-04 13:54:04

Friday

Time Zone : 1 add 08:00:00

Step 3. Change the firewall login banners

By default, the following banner is shown after a successful login to the firewall.

Please Press ENTER.

 

Login authentication

 

 

Username:admin

Password:*********

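NOTICE:This is a private communication system.

      Unauthorized access or use may lead to prosecution.

The firewall uses this message to warn against unauthorized access.

In practice the administrator can change the default login banners as needed. There are two kinds: the message shown before login and the message shown after a successful login.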

[FW]header login information ^

14:01:21 2014/07/04

Info: The banner text supports 220 characters max, including the start and the end character. If you want to enter more than this, use banner file instead.

Input banner text, and quit with the character '^':

Welcome to USG5500^   

[FW]header shell information ^

14:02:54 2014/07/04

Info: The banner text supports 220 characters max, including the start and the end character. If you want to enter more than this, use banner file instead.

Input banner text, and quit with the character '^':

Welcome to USG5500

You are logining in system Please do not delete system config files^

After configuration, log out of the system and log in again to check whether the banners have taken effect.

Please Press ENTER.

 

Welcome to USG5500

 

Login authentication

 

 

Username:admin

Password:*********

Welcome to USG5500

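You are logining in system Please do not delete system config files

NOTICE:This is a private communication system.

      Unauthorized access or use may lead to prosecution.

Note that the default NOTICE message is generally always present; it does not disappear and is not replaced.

Step 4. Change the username and password used to log in to the firewall

The firewall's default username is admin and the default password is Admin@123; both can be changed as required. In this lab we create a new user at level 3 with username user1 and password huawei@123. Note that by default, console login is allowed only for admin, so the console interface's authentication mode must be set to aaa for the new user to take effect. The configuration must also specify where the username may be used; this lab selects terminal, meaning the credentials are used for authentication on logins through the console port.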

[FW]aaa

14:15:43 2014/07/04

[FW-aaa]local-user user1 pass        

[FW-aaa]local-user user1 password cipher huawei@123

14:16:08 2014/07/04

[FW-aaa]local-user user1 service-type terminal

14:16:28 2014/07/04

[FW-aaa]local-user user1 level 3

14:16:38 2014/07/04

[FW-aaa]q

14:16:43 2014/07/04

[FW]user-interface console 0

14:16:57 2014/07/04

[FW-ui-console0]authentication-mode aaa

Log out and test whether the new username and password work.

Please Press ENTER.

 

Welcome to USG5500

 

Login authentication

 

 

Username:user1

Password:**********

Welcome to USG5500

You are logining in system Please do not delete system config files

NOTICE:This is a private communication system.

      Unauthorized access or use may lead to prosecution.

<FW>

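Step 5. View, save and delete the configuration

Use commands on the firewall to view the running configuration and the saved configuration: display current-configuration shows the running configuration, and display saved-configuration shows the saved configuration.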

<FW>dis current-configuration

14:27:01 2014/07/04

#

stp region-configuration

 region-name f0a7e2157008

 active region-configuration

#

interface GigabitEthernet0/0/0

 alias GE0/MGMT

 ip address 192.168.0.1 255.255.255.0

 dhcp select interface

 dhcp server gateway-list 192.168.0.1

#

interface GigabitEthernet0/0/1

#

interface GigabitEthernet0/0/2

#

interface GigabitEthernet0/0/3

#

interface GigabitEthernet0/0/4

#

interface GigabitEthernet0/0/5

#

interface GigabitEthernet0/0/6

#

interface GigabitEthernet0/0/7

#

interface GigabitEthernet0/0/8

#

interface NULL0

 alias NULL0

#

firewall zone local

 set priority 100

#

firewall zone trust

 set priority 85

 add interface GigabitEthernet0/0/0

#

firewall zone untrust

 set priority 5

#

firewall zone dmz

 set priority 50

#

aaa

 local-user admin password cipher %$%$s$]c%^XV6(/|BaQ$[T;X"G>5%$%$

 local-user admin service-type web terminal telnet

 local-user admin level 15

 local-user user1 password cipher %$%$tY4Z:`xG0/G!1^C)2[48"%yp%$%$

 local-user user1 service-type terminal

 local-user user1 level 3

 authentication-scheme default

 #

 authorization-scheme default

 #

 accounting-scheme default

 #

 domain default

 #

#

nqa-jitter tag-version 1

 

#

 header shell information "Welcome to USG5500

You are logining in system Please do not delete system config files"

 header login information "Welcome to USG5500"

 banner enable

#

user-interface con 0

 authentication-mode aaa

user-interface vty 0 4

 authentication-mode none

 protocol inbound all

#

 slb

#

right-manager server-group

#

 sysname FW

#

 l2tp domain suffix-separator @

#

 firewall packet-filter default permit interzone local trust direction inbound

 firewall packet-filter default permit interzone local trust direction outbound

 firewall packet-filter default permit interzone local untrust direction outbound

 firewall packet-filter default permit interzone local dmz direction outbound

#

 ip df-unreachables enable

#

 firewall ipv6 session link-state check

 firewall ipv6 statistic system enable

#

 dns resolve

#

 firewall statistic system enable

#

 pki ocsp response cache refresh interval 0

 pki ocsp response cache number 0

#

 undo dns proxy

#

 license-server domain lic.huawei.com

#

 web-manager enable

#

return
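
The running configuration above leaves user-interface vty 0 4 at authentication-mode none with protocol inbound all, and the admin account's service types include telnet. The following is an added example, not part of the original article: a Python check that flags those three management-access settings in a display current-configuration dump. The function name and the sample text are constructed for illustration.

```python
import re

# Constructed sample: management-plane lines in the shape of the dump above
# (password ciphers omitted; they are not needed for these checks).
SAMPLE_CONFIG = """\
aaa
 local-user admin service-type web terminal telnet
 local-user admin level 15
 local-user user1 service-type terminal
 local-user user1 level 3
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
"""

def audit_vrp_config(text):
    """Return (section, finding) tuples for weak management-access settings."""
    findings = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the extracted dump is double-spaced; ignore blank lines
        # A line starting in column 0 opens a view (aaa, user-interface ...);
        # a bare "#" in column 0 closes it.
        if not raw[0].isspace():
            section = "" if line == "#" else line
            continue
        if section.startswith("user-interface"):
            if line == "authentication-mode none":
                findings.append((section, "no login authentication"))
            elif line == "protocol inbound all":
                findings.append((section, "Telnet accepted alongside SSH"))
        elif section == "aaa":
            m = re.match(r"local-user (\S+) service-type (.+)", line)
            if m and "telnet" in m.group(2).split():
                findings.append(
                    ("aaa", f"local-user {m.group(1)} may log in over Telnet"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_vrp_config(SAMPLE_CONFIG):
        print(f"{section}: {finding}")
```

The console line produces no finding because this lab already set it to authentication-mode aaa; the VTY lines are the ones still open.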

Save the configuration and view the saved configuration.

<FW> sa

14:29:29 2014/07/04

The current configuration will be written to the device.

Are you sure to continue?[Y/N]y

2014-07-04 14:29:31 FW %%01CFM/4/SAVE(l):When deciding whether to save configuration to the device, the user chose Y.

Do you want to synchronically save the configuration to the startup saved-configuration file on peer device?[Y/N]:y

Now saving the current configuration to the device...

Info:The current configuration was saved to the device successfully.

 

 

<FW>dis saved-configuration

14:27:48 2014/07/04

# CLI_VERSION=V300R001

 

# Last configuration was changed at 2014/07/04 13:56:09 from console0

#*****BEGIN****public****#

#

interface GigabitEthernet0/0/0

 alias GE0/MGMT

 ip address 192.168.0.1 255.255.255.0

 dhcp select interface

 dhcp server gateway-list 192.168.0.1

#

interface GigabitEthernet0/0/1

#

interface GigabitEthernet0/0/2

#

interface GigabitEthernet0/0/3

#

interface GigabitEthernet0/0/4

#

interface GigabitEthernet0/0/5

#

interface GigabitEthernet0/0/6

#

interface GigabitEthernet0/0/7

#

interface GigabitEthernet0/0/8

#

interface NULL0

 alias NULL0

#

firewall zone local

 set priority 100

#

firewall zone trust

 set priority 85

 add interface GigabitEthernet0/0/0

#

firewall zone untrust

 set priority 5

#

firewall zone dmz

 set priority 50

#

aaa

 local-user admin password cipher %$%$s$]c%^XV6(/|BaQ$[T;X"G>5%$%$

 local-user admin service-type web terminal telnet

 local-user admin level 15

 authentication-scheme default

 #

 authorization-scheme default

 #

 accounting-scheme default

 #

 domain default

 #

#

nqa-jitter tag-version 1

 

#

 banner enable

#

user-interface con 0

 authentication-mode none

user-interface vty 0 4

 authentication-mode none

 protocol inbound all

#

 slb

#

right-manager server-group

#

 sysname FW

#

 l2tp domain suffix-separator @

#

 firewall packet-filter default permit interzone local trust direction inbound

 firewall packet-filter default permit interzone local trust direction outbound

 firewall packet-filter default permit interzone local untrust direction outbound

 firewall packet-filter default permit interzone local dmz direction outbound

#

 ip df-unreachables enable

#

 firewall ipv6 session link-state check

 firewall ipv6 statistic system enable

#

 dns resolve

#

 firewall statistic system enable

#

 pki ocsp response cache refresh interval 0

 pki ocsp response cache number 0

#

 undo dns proxy

#

 license-server domain lic.huawei.com

#

 web-manager enable

#

return

#-----END----#

Use the delete Flash/vrpcfg.zip command to delete the saved configuration (in the session below, the saved file is flash:/vrpcfg.cfg).

 

<FW>delete flash:/vrpcfg.cfg

14:31:42 2014/07/04

Be Careful! Deleting the next startup config file will lose your configuration.

 

Delete flash:/vrpcfg.cfg?[Y/N]:y

%Deleting file flash:/vrpcfg.cfg...Done!

Step 6. Configure interface addresses

Configure G0/0/1: 10.0.2.1/24; G0/0/0: 10.0.1.1/24; G0/0/2: 10.0.3.1/24.

[FW] interface g0/0/2

16:12:58 2014/07/04

[FW-GigabitEthernet0/0/2]ip add 10.0.3.1 24

16:13:21 2014/07/04

[FW-GigabitEthernet0/0/2]interface g0/0/0

16:13:32 2014/07/04

[FW-GigabitEthernet0/0/0]undo ip add

16:14:02 2014/07/04

[FW-GigabitEthernet0/0/0]ip add 10.0.1.1 24

16:14:14 2014/07/04

[FW-GigabitEthernet0/0/0]interface g0/0/1

16:14:36 2014/07/04

[FW-GigabitEthernet0/0/1]ip add 10.0.2.1 24

16:14:50 2014/07/04

[FW-GigabitEthernet0/0/1]q

16:14:52 2014/07/04

[FW]

On switch S1, assign interface G0/0/21 to VLAN 1, G0/0/22 to VLAN 2 and G0/0/23 to VLAN 3. Configure Vlanif1 with IP address 10.0.1.2/24, Vlanif2 with IP address 10.0.2.2/24 and Vlanif3 with IP address 10.0.3.2/24.

[Huawei]sysname S1

[S1]vlan batch 2 3

[S1]interface g0/0/21

[S1-GigabitEthernet0/0/21]port link-type access

[S1-GigabitEthernet0/0/21]port default vlan 1

[S1-GigabitEthernet0/0/21]interface g0/0/22

[S1-GigabitEthernet0/0/22]port link-type access

[S1-GigabitEthernet0/0/22]port default vlan 2

[S1-GigabitEthernet0/0/22]interface g0/0/23

[S1-GigabitEthernet0/0/23]port link-type access

[S1-GigabitEthernet0/0/23]port default vlan 3

[S1-GigabitEthernet0/0/23]interface vlanif1

[S1-Vlanif1]ip add 10.0.1.2 24

[S1-Vlanif1]interface vlanif 2

[S1-Vlanif2]ip add 10.0.2.2 24

[S1-Vlanif2]interface vlanif 3

[S1-Vlanif3]ip add 10.0.3.2 24

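Add G0/0/0, G0/0/1 and G0/0/2 to the trust zone, then test connectivity on the three ports (before adding them to the trust zone, first confirm that these ports are not in the untrust zone).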

 

[FW]firewall zone trust

16:39:40 2014/07/04

[FW-zone-trust]add interface g0/0/2

16:40:05 2014/07/04

[FW-zone-trust]add interface g0/0/3

16:41:59 2014/07/04

[FW-zone-trust]add interface g0/0/1

[FW-zone-trust]q

 

[S1]ping -c 1 10.0.1.1

  PING 10.0.1.1: 56  data bytes, press CTRL_C to break

    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=50 ms

 

  --- 10.0.1.1 ping statistics ---

    1 packet(s) transmitted

    1 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 50/50/50 ms

 

[S1]ping -c 1 10.0.2.1

  PING 10.0.2.1: 56  data bytes, press CTRL_C to break

    Reply from 10.0.2.1: bytes=56 Sequence=1 ttl=255 time=50 ms

 

  --- 10.0.2.1 ping statistics ---

    1 packet(s) transmitted

    1 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 50/50/50 ms

 

[S1]ping -c 1 10.0.3.1

  PING 10.0.3.1: 56  data bytes, press CTRL_C to break

    Reply from 10.0.3.1: bytes=56 Sequence=1 ttl=255 time=60 ms

 

  --- 10.0.3.1 ping statistics ---

    1 packet(s) transmitted

    1 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 60/60/60 ms

 

 

 


Attachment: http://down.51cto.com/data/2364616