防火墙基础配置

#step1：增加GE1/0/0到zone trust，具体说应该是增加接口GE1/0/0连接的网络到Trust区域。
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#

#Zone说明
[FW3]dis zone 
2022-09-04 06:37:07.030 
local   ///信任等级，越高越信任，100，所有接口默认都在Local区域。但不能代表该接口接的网络
 priority is 100
 interface of the zone is (0):
#
trust   /// 一般将内网的接口划分到trust区域。
 priority is 85
 interface of the zone is (1):
    GigabitEthernet0/0/0
#
untrust   ///一般将外网的接口划分到untrust区域。
 priority is 5
 interface of the zone is (0):
#
dmz     ///  介于信任和非信任之间，一般将服务器所在的网络划入该区域。
 priority is 50
 interface of the zone is (0):
#

//step2：开启接口禁ping功能。
[FW3-GigabitEthernet1/0/0]service-manage ping permit 
//测试可以ping通。
PC>ping 172.16.1.2
From 172.16.1.2: bytes=32 seq=1 ttl=255 time<1 ms

#增加GE1/0/1到zone DMZ
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1
#设置GE1/0/1 的ping功能为允许
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 172.16.2.2 255.255.255.0
 service-manage ping permit
#

// 此时先ping测试一下，ping测抓包，主要看Packet default filter packets，丢弃了5个ping报文，目前ping测还是不通，接下继续配置安全策略。
[FW3]dis firewall statistics system discard 
 Discard statistic information:
                                     Fib miss packets discarded: 3
                     IPv4 service-manage deny packets discarded: 17
                        Packet default filter packets discarded: 67
                                     ARP miss packets discarded: 136
                         Invalid receive zone packets discarded: 1
                           Invalid send zone  packets discarded: 1
                                Dispatch drop packets discarded: 569
[FW3]dis firewall statistics system discard 
 Discard statistic information:
                                     Fib miss packets discarded: 3
                     IPv4 service-manage deny packets discarded: 17
                        Packet default filter packets discarded: 72
                                     ARP miss packets discarded: 136
                         Invalid receive zone packets discarded: 1
                           Invalid send zone  packets discarded: 1
                                Dispatch drop packets discarded: 569

# 安全策略配置：（默认策略拒绝）
规则1；流量自上而下匹配，如果匹配执行对应动作，这里只有一个，多个rule要注意顺序。
规则2：如果策略关联了一体化检查配置文件，可以对更高层载荷执行深度内容检查。
<FW3>dis security-policy rul all      #查看当前默认规则
Total:1 
RULE ID  RULE NAME                         STATE      ACTION       HITS        
-------------------------------------------------------------------------------
0        default                           enable     deny         77          
-------------------------------------------------------------------------------

#step3：配置安全策略。
 rule name Trust_DMZ    #自定义名称
  source-zone trust
  destination-zone dmz
  source-address 172.16.1.1 mask 255.255.255.255
  source-address address-set add_s  #增加地址集，也可以增加service集。
  destination-address 172.16.2.1 mask 255.255.255.255
  service icmp
  action permit
#

#
ip address-set add_s type object
 address 0 172.1.1.1mask 32
 address 1 172.16.6.0 mask 24
 address 2 172.16.7.0 mask 24
#
[FW3-policy-security-rule-Trust_DMZ]disp security-policy  rule  all
2022-09-04 09:35:03.320  
Total:2 
RULE ID  RULE NAME                         STATE      ACTION       HITS        
------------------------------------------------------------------------------- 
1        Trust_DMZ                         enable     permit       0           
0        default                           enable     deny         82          
-------------------------------------------------------------------------------
//PC1 ping PC2 10次，都通了。
[FW3-policy-security-rule-Trust_DMZ]disp security-policy  rule  all
2022-09-04 09:37:55.150  
Total:2 
RULE ID  RULE NAME                         STATE      ACTION       HITS        
------------------------------------------------------------------------------- 
1        Trust_DMZ                         enable     permit       10          
0        default                           enable     deny         82          
-------------------------------------------------------------------------------

//PC1 ping PC2 10次，都通了。
[[FW3-policy-security-rule-Trust_DMZ]disp security-policy  rule  all
-policy-security-rule-Trust_DMZ]disp security-policy  rule  all
2022-09-04 09:37:55.150  
Total:2 
RULE ID  RULE NAME                         STATE      ACTION       HITS        
------------------------------------------------------------------------------- 
1        Trust_DMZ                         enable     permit       10          
0        default                           enable     deny         82          
-------------------------------------------------------------------------------

// 安全策略会话查询，状态化查询。
<FW1>dis firewall session table verbose 
 Current Total Sessions : 19
 icmp  VPN: public --> public  ID: c387f131b97a4886736315980f  //public表示没有虚拟防火墙。
 Zone: trust --> dmz  TTL: 00:00:20  Left: 00:00:12  
 Recv Interface: GigabitEthernet1/0/0      //ping报文接收接口。
 Interface: GigabitEthernet1/0/1  NextHop: 172.16.2.1  MAC: 5489-98df-6a11   //ping报文发送接口，下一跳及mac地址，mac是pc2的mac。
 <--packets: 1 bytes: 60 --> packets: 1 bytes: 60     //收发报文的数量
 172.16.1.1:5016 --> 172.16.2.1:2048 PolicyName: Trust_DMZ   //匹配的安全策略。

 icmp  VPN: public --> public  ID: c387f131b97bb48bc063159806
 Zone: trust --> dmz  TTL: 00:00:20  Left: 00:00:03
 Recv Interface: GigabitEthernet1/0/0
 Interface: GigabitEthernet1/0/1  NextHop: 172.16.2.1  MAC: 5489-98df-6a11
 <--packets: 1 bytes: 60 --> packets: 1 bytes: 60
 172.16.1.1:2712 --> 172.16.2.1:2048 PolicyName: Trust_DMZ

 icmp  VPN: public --> public  ID: c387f131b97a560c9663159810