山石防火墙命令行配置示例
现网1台山石SG6000防火墙,配置都可以通过GUI实现。
但有一些配置在命令行下配置效率更高,比如在1个已有策略中添加1个host或端口。
下面的双引号可以不加
1 创建服务
1.1 单个端口
service "tcp-901"tcp dst-port 901
1.2 端口范围
service "tcp-10000-65535"tcp dst-port 10000 65535
1.3 group (包含多个service, 就是思科ASA的object-group service)
servgroup "Management"service "SSH"service "xdmcp_UDP_177"service "HTTPS"service "tcp-901"
2 创建Ip
2.1 single ip
address "RDM-WaiGua-System-10.248.68.114"ip 10.248.68.114/32
2.2 ip range
address "10.248.68.5-40"range 10.248.68.5 10.248.68.40
2.3 ip subnet
address 10.248.1.0/2410.248.1.0/24
2.4 当然下面可以接多个条目 ,比如
address "Logistics"ip 10.248.33.89/32ip 10.248.33.88/32
2.5 查看方法
show address xxx
Hillstone # show address 10.248.1.0/24
Name: 10.248.1.0/24
Address family: IPv4
Member count: 1
Address members:10.248.1.0/24
Excluded members:
Total IP count: 256
IP subnet in this entry: 110.248.1.0/24
3 schedule (时间范围)
可以指定只有结束,
也可以包含开始+结束
schedule "2025.1.17"absolute end 01/18/2025 00:00:00schedule "2021/7/1"absolute start 01/01/1970 00:00:00 end 07/01/2021 23:59:00
exit
4 rule
包含ID,行为,zone,源目IP, 端口,名称 ,时间范围
rule id 401action permitsrc-zone "SC"dst-zone "CR"src-addr "Data-1"dst-addr "wan-1"service httpservice httpsname Colasoft
rule id 3019action permitsrc-zone "INSIDE"dst-zone "OUTSIDE"src-ip 10.248.1.1/32dst-addr "AI-10.248.1.1-10"service "tcp-1521"schedule "2025.1.17"
怎样查看rule, 不能show rule, 而是show policy,
** 示例 :**
hillstone # show policy id 3019
Rule id: 3019
Rule sequence: 12
Status: E
From zone "CS" to zone "SC"
Type: 0
Fragment: N/A
Source addresses:10.248.1.1/32
Destination addresses:Oracle-10.248.200.1
Services:tcp-1521
Application:
Schedules:2025.1.17
Action: PERMIT
Roles:
Users:
User-groups:
assistant: disable
Hit 1353 times
创建1条rule在最前面
rule top
action permit
src-ip 1.1.1.1/32
dst-ip 2.1.1.1/32
service any
删除1条rule
no rule 3029
disable一条rule(失效,而不是删除)
rule id 3029
disable
Enable一条rule(重新生效)
rule id 3029
enable
5 路由配置
5.1带外接口配置
interface MGT0zone "mgt"ip address 10.19.254.84 255.255.255.0manage ip 10.19.254.85manage sshmanage pingmanage snmpmanage https
exit
5.1 静态路由
ip vrouter "mgt-vr"ip route 0.0.0.0/0 10.19.254.254
6 接口配置
6.1 聚合接口
interface xethernet1/0aggregate aggregate1mirror enable bothdescription "To_Core"
exit
interface xethernet1/1aggregate aggregate1mirror enable bothdescription "To_Core"
exit
interface xethernet1/2aggregate aggregate1mirror enable bothdescription "To_Core"
exit
interface xethernet1/3aggregate aggregate1mirror enable bothdescription "To_Core"
exit
6.2子接口配置
下面是2台山石的子接口配置,因为做了双机,
所以是每1台有独立的IP,虚拟出来1个VIP
** 第1台**
interface aggregate1.1101zone "SC"ip address 10.19.255.161 255.255.255.248 // 10.19.255.16 是VIPmanage ip 10.19.255.162 // 10.19.255.162 是本机的实IPmanage pingdescription "ShengChan"
** 第2台**
interface aggregate1.1101zone "SC"ip address 10.19.255.161 255.255.255.248 // 10.19.255.16 是VIPmanage ip 10.19.255.163 // 10.19.255.163 是本机的实IPmanage pingdescription "ShengChan"
7 DNS timezone
clock zone china
ip name-server 223.5.5.5 vrouter "mgt-vr"
8 创建用户名
admin user "hillstone"password 123123123password-expiration 1673230455role "admin"access consoleaccess telnetaccess sshaccess httpaccess https
exit