网络安全-防火墙双机热备-ensp练习
拓扑
步骤
开启hrp
接口remote对方地址
创建备份组
将对应接口加入安全区域
安全策略trust-untrust
代码:
[USG6000V1]hrp en
HRP_M[USG6000V1]hrp interface GigabitEthernet 1/0/1 remote 192.168.12.2
HRP_M[USG6000V1-GigabitEthernet1/0/1]ip a 192.168.12.1 24
HRP_M[USG6000V1-GigabitEthernet1/0/0]ip a 192.168.1.2 24
HRP_M[USG6000V1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 192.168.1.254 24 act
ive
HRP_M[USG6000V1-GigabitEthernet1/0/2]ip a 192.168.2.2 24
HRP_M[USG6000V1-GigabitEthernet1/0/2]vrrp vrid 2 virtual-ip 192.168.2.254 24 act
ive
HRP_M[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/2
HRP_M[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/0
HRP_M[USG6000V1-zone-dmz]add interface GigabitEthernet 1/0/1
HRP_M[USG6000V1-policy-security]rule name t_un
同理配置fw2
HRP_M[USG6000V1-policy-security]rule name t_un (+B)
HRP_M[USG6000V1-policy-security-rule-t_un]source-zone trust (+B)
HRP_M[USG6000V1-policy-security-rule-t_un] destination-zone untrust (+B)
HRP_M[USG6000V1-policy-security-rule-t_un]action permit (+B)
fw1
与fw2进行hrp同步成功
HRP_M[USG6000V1]security-policy (+B)
HRP_M[USG6000V1-policy-security]dis th
#
security-policy
rule name t_un
source-zone trust
destination-zone untrust
action permit
#
return
HRP_M[USG6000V1-policy-security]dis cu
!Software Version V500R001C10
#
sysname USG6000V1
#
undo l2tp sendaccm enable
l2tp domain suffix-separator @
#
undo telnet server enable
undo telnet ipv6 server enable
#
hrp enable
hrp interface GigabitEthernet1/0/1 remote 192.168.12.2
#
firewall packet-filter basic-protocol enable
#
firewall detect ftp
#
log type traffic enable
log type syslog enable
log type policy enable
#
undo dataflow enable
#
isp name "china mobile"
isp name "china mobile" set filename china-mobile.csv
isp name "china unicom"
isp name "china unicom" set filename china-unicom.csv
isp name "china telecom"
isp name "china telecom" set filename china-telecom.csv
isp name "china educationnet"
isp name "china educationnet" set filename china-educationnet.csv
#
snmp-agent session history-max-number enable
snmp-agent session trap threshold 4000
snmp-agent session-rate trap threshold 24000
#
web-manager security version tlsv1 tlsv1.1
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
update schedule ips-sdb daily 03:11
update schedule av-sdb daily 03:11
update schedule sa-sdb daily 03:11
update schedule cnc daily 03:11
#
ip vpn-instance default
ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authentication-scheme admin_ldap
authorization-scheme default
accounting-scheme default
domain default
service-type l2tp ike
reference user current-domain
manager-user password-modify enable
manager-user audit-admin
password cipher @%@%"Snm%p2oiQ;k/J#ekcKT56^t78-p59f!^;lc4'%urC356^w5@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%uw956wrVt>L$CK*M~ccM7dX%hZXf)EXxNK'ob)D%.EgGdX(7@%@%
service-type api
level 15
manager-user admin
password cipher @%@%mzq<@2|MG~xL/,E:i:oM3z0NqhvN1S]O_Yw]/w;[YOW/z0Q3@%@%
service-type web terminal
level 15
role system-admin
dashboard read-write
monitor read-write
policy read-write
object read-write
network read-write
system read-write
role device-admin
dashboard read-only
monitor read-only log log-traffic log-threat log-policy-matching report traffi
c-map threat-map session statistic statistic-acl
monitor none diagnose
policy read-write
object read-write
network read-write
system read-write high-reliability
system none configuration vsys license update-center mail-send feedback
role device-admin(monitor)
dashboard read-only
monitor read-only log log-traffic log-threat log-policy-matching report traffi
c-map threat-map session statistic statistic-acl
monitor none diagnose
policy read-only
object read-only
network read-only
system read-only high-reliability
system none configuration vsys license update-center mail-send feedback
role audit-admin
dashboard read-only
monitor read-write log-audit
monitor read-only log log-traffic log-threat log-syslog log-policy-matching re
port traffic-map threat-map
monitor none session statistic statistic-acl diagnose
policy none
object none
network none
system none
bind manager-user audit-admin role audit-admin
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.1.254 active
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.12.1 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.2.2 255.255.255.0
vrrp vrid 2 virtual-ip 192.168.2.254 active
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
Sep 14 2018 06:31:58 USG6000V1 %%01POLICY/4/POLICYACCFAIL(l)[7]:Policy accelerat
ion failed, the device doesn't have enough memory. set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#
l2tp-group default-lns
#
undo ssh server compatible-ssh1x enable
#
user-interface con 0
authentication-mode password
set authentication password cipher $1a$D#IOQiBeqC$a,nt/[Rv^@ucZs7zkX~6L4L`7SEV5
5%[q=FB3MQN$
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
sa
#
location
#
multi-interface
mode proportion-of-weight
#
security-policy
rule name t_un
source-zone trust
destination-zone untrust
action permit
#
traffic-policy
#
policy-based-route
#
nat-policy
#
pcp-policy
#
dns-transparent-policy
#
return
fw2
同步成功后不可操作
HRP_S[USG6000V1]service-quality
^
Error:Incomplete command found at '^' position.
HRP_S[USG6000V1]
Sep 14 2018 06:31:58 USG6000V1 %%01POLICY/4/POLICYACCFAIL(l)[7]:Policy accelerat
ion failed, the device doesn't have enough memory.
HRP_S[USG6000V1]
网络安全-防火墙双机热备-ensp练习相关推荐
- 华为eNSP下防火墙双机热备的实现以及在HRP配置错误时的现象
华为防火墙双机热备基础教程 [华为官方视频] https://ilearningx.huawei.com/courses/course-v1:HuaweiX+EBGTC00000189+2018.9/ ...
- 防火墙双机热备配置实例(三)
今天继续给大家介绍HCIE安全系列相关内容.本文以华为eNSP模拟器为例,实现了配置防火墙双击热备技术配置实例,采用的是上下行交换机配置VRRP的主备模式. 阅读本文,您需要有一定的防火墙配置基础和防 ...
- 防火墙双机热备配置实例(一)
今天继续给大家介绍HCIE安全.本文以华为eNSP模拟器为例,实现了配置防火墙双击热备技术配置实例,采用的是上下行交换机配置VRRP的主备模式. 阅读本文,您需要有一定的防火墙配置基础和防火墙双机热备 ...
- 防火墙双机热备,DHCP服务器,核心交换机负载分担及冗余设计
文章目录 目录: 一.防火墙双机热备技术概念 二.配合使用的相关技术指导 三.设计要求及拓扑图 四:配置过程及相应命令 总结 一.防火墙热备概述: 一般而言,防火墙部署于公司网络的出口 ...
- 防火墙双机热备三大协议(VRRP-VGMP-HRP)原理
防火墙双机热备技术 双机热备概述: 为什么需要要双机热备? 解决单点故障,实现业务的平滑过渡(会话表需要同步的) 双机热备的两种部署方式: 主备方式 负载分担分时. 防火墙双机热备产生的原因,详细内容 ...
- 防火墙双机热备+负载分担
防火墙双机热备+负载分担实验步骤 防火墙双机热备+负载分担实验以及两者之间的区别,通过实验.配置思路加深理解 负载分担: 防火墙双击热备和负载分担的区别就在于在双机热备模式下,fw1既是pc1的网关, ...
- 配置华为防火墙双机热备
Web配置防火墙双机热备: 命令行配置防火墙双机热备: FW1 [FW1]int g1/0/1 //进入接口 [FW1-GigabitEthernet1/0/1]vrrp vrid 1 virtual ...
- Eudemon防火墙双机热备配置及实现
Eudemon防火墙双机热备配置及实现,上下联为两台二层交换机#上联地址 int g 0/0/1ip addr 192.168.10.253 24 vrrp vrid 10 virtual-ip 19 ...
- 华为防火墙双机热备技术:HRP、VGMP、VRRP,三大技术值得一学!
防火墙双机热备,主要是提供冗余备份的功能,在网络发生故障的时候避免业务出现中断.防火墙双机热备组网根据防火墙的模式, 分路由模式下的双机热备组网和透明模式下的双机热备组网,下面分别根据防火墙的不同模式 ...
最新文章
- 一些关于找工作的书籍
- golang range 遍历 索引和值
- C. Anton and Making Potions 贪心 + 二分
- 征文通知 | 第十八届中国计算语言学大会(CCL 2019)论文提交截止时间推迟
- IOS基础之绘图函数的使用
- 2017.12.1T19_B2_2zuoye
- scala char_Scala中的Char数据类型
- 使用Enterprise Architecture绘制10种UML画画
- php属性未定义,PHP-警告-未定义的属性:stdClass-修复?
- pythonの鉴黄之路(五)——强行解析json串
- .NET下数据访问层+webform前台 技术大比拼
- 百度回应百科外链遭篡改:严厉打击 已报案
- 最小距离分类器,交互式选取图像样本分类数据,进行最小距离分类(实现欧式距离,马氏距离,计程距离)
- 最新PS2022下载含安装操作步骤
- 视频剪辑必备,5个音效素材网
- lotus notes 闪退_win10系统Lotus notes邮箱闪退的恢复办法
- FB15K-237知识图谱数据集的介绍与分析,Freebase
- 金山WPS C++ 客户端 实习面试面经
- excel多条件筛选公式
- 1块钱整个域名,这波不错