NetScreen Transparent Mode Configuration Example
During a business reorganisation the company freed up a NetScreen firewall. Rather than leave the device idle, we decided to place it in front of our key business systems, using transparent mode to strengthen the protection of those key business applications.
I. In transparent mode the firewall's inside and outside interfaces carry no Layer 3 IP addresses; the device performs no routing or address translation, and only a management IP is configured.
This mode is usually chosen when a firewall is added to an existing, complex network. With its interfaces in transparent mode, the NetScreen device filters the packets that pass through it without modifying any source or destination information in the IP header. All interfaces behave as parts of the same network, and the NetScreen device acts much like a Layer 2 switch or bridge. In transparent mode the interface IP addresses are set to 0.0.0.0, which makes the NetScreen device invisible, or "transparent", to users.
II. Example
ethernet1: V1-Trust zone, IP 0.0.0.0/0
ethernet3: V1-Untrust zone, IP 0.0.0.0/0
Gateway: 192.168.1.1
LAN: 192.168.1.0/24
Web servers: 192.168.1.2, 192.168.1.3, 192.168.1.4
SQL Server hosts: 192.168.1.10, 192.168.1.11, 192.168.1.12
VLAN1 IP: 192.168.1.100/24, management port 8080
This is the basic configuration for a NetScreen device in transparent mode protecting a single LAN. The policies permit outbound traffic from all hosts in the V1-Trust zone, inbound web service to the web servers, and inbound database access to the SQL Server hosts. To improve the security of management traffic, the HTTP port used for WebUI management is changed from 80 to 8080. The VLAN1 IP address 192.168.1.100/24 is used to manage the device from the V1-Trust security zone. A default route to the external router (at 192.168.1.1) is also configured so that the NetScreen device can send outbound VPN traffic to it. The default gateway for all devices in the V1-Trust zone is likewise 192.168.1.1.
WebUI
Management settings and interfaces
1. Network > Interfaces > Edit (for the VLAN1 interface): enter the following, then click OK:
IP Address/Netmask: 192.168.1.100/24
Management Services: WebUI, Telnet (select)
Other Services: Ping (select)
2. Configuration > Admin > Management: in the "HTTP Port" field, type 8080, then click Apply
3. Network > Interfaces > Edit (for ethernet1): enter the following, then click OK:
Zone Name: V1-Trust
IP Address/Netmask: 0.0.0.0/0
4. Network > Interfaces > Edit (for ethernet3): enter the following, then click OK:
Zone Name: V1-Untrust
IP Address/Netmask: 0.0.0.0/0
5. Network > Interfaces > Edit (for v1-trust): select the following, then click OK:
Management Services: WebUI, Telnet
Other Services: Ping
Routing
6. Network > Routing > Routing Table > trust-vr New: enter the following, then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: vlan1(trust-vr)
Gateway IP Address: 192.168.1.1
Metric: 1
Addresses
7. Objects > Addresses > List > New: enter the following, then click OK (repeat once for each web server):
Address Name: webserver1
IP Address/Domain Name: IP/Netmask: 192.168.1.2/32
Zone: v1-Trust
Address Name: webserver2
IP Address/Domain Name: IP/Netmask: 192.168.1.3/32
Zone: v1-Trust
Address Name: webserver3
IP Address/Domain Name: IP/Netmask: 192.168.1.4/32
Zone: v1-Trust
8. Objects > Addresses > List > New: enter the following, then click OK (repeat once for each SQL Server host):
Address Name: sqlserver1
IP Address/Domain Name: IP/Netmask: 192.168.1.10/32
Zone: v1-Trust
Address Name: sqlserver2
IP Address/Domain Name: IP/Netmask: 192.168.1.11/32
Zone: v1-Trust
Address Name: sqlserver3
IP Address/Domain Name: IP/Netmask: 192.168.1.12/32
Zone: v1-Trust
Policies
9. Policies > (From: v1-Trust, To: v1-Untrust) > New: enter the following, then click OK:
Source Address:
Address Book: (select), Any
Destination Address:
Address Book: (select), Any
Service: Any
Action: Permit
10. Policies > (From: v1-Untrust, To: v1-Trust) > New: enter the following, then click OK:
Source Address:
Address Book: (select), Any
Destination Address:
Address Book: (select) Multiple: webserver1, webserver2, webserver3
Service: HTTP, PCAnywhere
Action: Permit
11. Policies > (From: v1-Untrust, To: v1-Trust) > New: enter the following, then click OK:
Source Address:
Address Book: (select), Any
Destination Address:
Address Book: (select) Multiple: sqlserver1, sqlserver2, sqlserver3
Service: MS-SQL, PCAnywhere
Action: Permit
CLI:
set interface vlan1 ip 192.168.1.100/24
set interface vlan1 manage web
set interface vlan1 manage telnet
set interface vlan1 manage ping
set admin port 8080
set interface ethernet1 ip 0.0.0.0/0
set interface ethernet1 zone v1-trust
set interface ethernet3 ip 0.0.0.0/0
set interface ethernet3 zone v1-untrust
set interface v1-trust manage web
set interface v1-trust manage telnet
set interface v1-trust manage ping
set route 0.0.0.0/0 interface vlan1 gateway 192.168.1.1 metric 1
set address v1-trust webserver1 192.168.1.2/32
set address v1-trust webserver2 192.168.1.3/32
set address v1-trust webserver3 192.168.1.4/32
set address v1-trust sqlserver1 192.168.1.10/32
set address v1-trust sqlserver2 192.168.1.11/32
set address v1-trust sqlserver3 192.168.1.12/32
set policy from v1-trust to v1-untrust any any any permit
set policy from v1-untrust to v1-trust any webserver1 http permit
set policy from v1-untrust to v1-trust any webserver2 http permit
set policy from v1-untrust to v1-trust any webserver3 http permit
set policy from v1-untrust to v1-trust any sqlserver1 ms-sql permit
set policy from v1-untrust to v1-trust any sqlserver2 ms-sql permit
set policy from v1-untrust to v1-trust any sqlserver3 ms-sql permit
save
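As an added example (not part of the original article and not ScreenOS code), the following Python script models the rulebase described in section II and written out in the CLI section: it renders the ScreenOS address and policy lines from one table, so each host gets its own address object instead of a copy-pasted name, and it evaluates constructed sample flows against the policies in order, with the ScreenOS default of denying interzone traffic that matches no policy, to check that the rulebase matches the stated intent (outbound anything, inbound HTTP only to the web servers, inbound MS-SQL only to the SQL Server hosts). The service-to-port table, the outside address 203.0.113.5, the flow tuple layout and the function names are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service names used in the article, mapped to (protocol, port) for the
# simulation. This table is a constructed assumption of the example, not the
# device's own service definitions.
SERVICES = {
    "http": ("tcp", 80),
    "ms-sql": ("tcp", 1433),
    "any": None,  # matches every protocol/port
}


@dataclass(frozen=True)
class Address:
    zone: str
    name: str
    prefix: str  # e.g. "192.168.1.2/32"


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    src: str  # address object name, or "any"
    dst: str
    service: str
    action: str  # "permit" or "deny"


# One object per host, generated from the address table so that names and
# prefixes cannot drift apart the way a hand-copied list can.
ADDRESSES = [
    Address("v1-trust", f"webserver{i}", f"192.168.1.{last}/32")
    for i, last in enumerate((2, 3, 4), start=1)
] + [
    Address("v1-trust", f"sqlserver{i}", f"192.168.1.{last}/32")
    for i, last in enumerate((10, 11, 12), start=1)
]

POLICIES = (
    [Policy("v1-trust", "v1-untrust", "any", "any", "any", "permit")]
    + [Policy("v1-untrust", "v1-trust", "any", f"webserver{i}", "http", "permit") for i in (1, 2, 3)]
    + [Policy("v1-untrust", "v1-trust", "any", f"sqlserver{i}", "ms-sql", "permit") for i in (1, 2, 3)]
)


def render_cli(addresses=ADDRESSES, policies=POLICIES):
    """Render the 'set address' and 'set policy' lines in ScreenOS syntax."""
    lines = [f"set address {a.zone} {a.name} {a.prefix}" for a in addresses]
    lines += [
        f"set policy from {p.src_zone} to {p.dst_zone} {p.src} {p.dst} {p.service} {p.action}"
        for p in policies
    ]
    return lines


def _address_matches(name, zone, ip, addresses):
    if name == "any":
        return True
    return any(
        a.name == name and a.zone == zone and ip_address(ip) in ip_network(a.prefix)
        for a in addresses
    )


def _service_matches(service, proto, port):
    spec = SERVICES[service]
    return spec is None or spec == (proto, port)


def evaluate(flow, addresses=ADDRESSES, policies=POLICIES):
    """First-match lookup in policy order for a flow passing through the
    firewall, given as (src_zone, dst_zone, src_ip, dst_ip, proto, port).
    Interzone traffic that matches no policy is denied (the ScreenOS default)."""
    src_zone, dst_zone, src_ip, dst_ip, proto, port = flow
    for p in policies:
        if (p.src_zone, p.dst_zone) != (src_zone, dst_zone):
            continue
        if not _address_matches(p.src, src_zone, src_ip, addresses):
            continue
        if not _address_matches(p.dst, dst_zone, dst_ip, addresses):
            continue
        if not _service_matches(p.service, proto, port):
            continue
        return p.action
    return "deny"


# Constructed sample flows; 203.0.113.5 is a documentation-range outside host.
SAMPLE_FLOWS = {
    "outbound from a LAN client": ("v1-trust", "v1-untrust", "192.168.1.50", "203.0.113.5", "tcp", 443),
    "inbound HTTP to webserver2": ("v1-untrust", "v1-trust", "203.0.113.5", "192.168.1.3", "tcp", 80),
    "inbound MS-SQL to a web server": ("v1-untrust", "v1-trust", "203.0.113.5", "192.168.1.3", "tcp", 1433),
    "inbound MS-SQL to sqlserver2": ("v1-untrust", "v1-trust", "203.0.113.5", "192.168.1.11", "tcp", 1433),
    "inbound HTTP to an unlisted LAN host": ("v1-untrust", "v1-trust", "203.0.113.5", "192.168.1.50", "tcp", 80),
}

if __name__ == "__main__":
    print("\n".join(render_cli()))
    for label, flow in SAMPLE_FLOWS.items():
        print(f"{label}: {evaluate(flow)}")
```

The model covers only traffic that passes through the device; sessions that terminate on the VLAN1 management address are governed by the interface manage options set above, not by policies. It also mirrors the CLI section (HTTP and MS-SQL only); the PCAnywhere service added in WebUI steps 10 and 11 would be a further entry in the service table and in each inbound policy.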