Firewall Virtual Systems

稚 · Published 2024-08-26 · 44 views


Advanced firewall features

Hot standby (dual-device)

Configure VRRP and VGMP, using the heartbeat link so that when the network goes down the two firewalls fail over in sync.

Virtual systems

Traffic involving virtual systems falls into two cases: access between virtual systems, and access between a virtual system and the root system. The configuration below covers the first case.

Access between virtual systems

AR1

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysn ar1
[ar1]int g 0/0/0
[ar1-GigabitEthernet0/0/0]ip add 10.0.11.1 24
[ar1-GigabitEthernet0/0/0]q
[ar1]ip route-static 0.0.0.0 0 10.0.11.254

AR2

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysn Ar2
[Ar2]int g 0/0/0
[Ar2-GigabitEthernet0/0/0]ip add 100.1.1.2 24
Aug 14 2024 20:31:24-08:00 Ar2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
 on the interface GigabitEthernet0/0/0 has entered the UP state. 
[Ar2-GigabitEthernet0/0/0]q
[Ar2]ip route-static 0.0.0.0 0 100.1.1.1 

FW

admin
Admin@123

<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]sysn FW1
[FW1]vsys enable    enable the vsys feature
[FW1]vsys name ar1    create virtual system ar1
[FW1-vsys-ar1]assign interface GigabitEthernet 1/0/1    assign the physical interface to the vsys
[FW1]vsys name ar2
[FW1-vsys-ar2]assign interface GigabitEthernet 1/0/0
[FW1-vsys-ar2]q
[FW1]switch vsys ar1    enter virtual system ar1
<FW1-ar1>sys
[FW1-ar1]firewall zone trust 
[FW1-ar1-zone-trust]add interface g1/0/1
[FW1-ar1]firewall zone untrust 
[FW1-ar1-zone-untrust]add interface Virtual-if 1
[FW1-ar1-zone-untrust]q
[FW1-ar1]int g 1/0/1
[FW1-ar1-GigabitEthernet1/0/1]ip add 10.0.11.254 24
[FW1-ar1-GigabitEthernet1/0/1]q
[FW1-ar1]interface Virtual-if 1
[FW1-ar1-Virtual-if1]ip add 172.16.1.1 32
[FW1-ar1]se    configure the security policy
[FW1-ar1-policy-security]rule name ar1_to_ar2
[FW1-ar1-policy-security-rule-ar1_to_ar2]source-zone trust 
[FW1-ar1-policy-security-rule-ar1_to_ar2]destination-zone untrust 
[FW1-ar1-policy-security-rule-ar1_to_ar2]service icmp
[FW1-ar1-policy-security-rule-ar1_to_ar2]action permit 
<FW1>sys
Enter system view, return user view with Ctrl+Z.
[FW1]sw vs ar2
<FW1-ar2>sys
Enter system view, return user view with Ctrl+Z.
[FW1-ar2]firewall zone untrust 
[FW1-ar2-zone-untrust]add interface g 1/0/0
[FW1-ar2-zone-untrust]firewall zone trust
[FW1-ar2-zone-trust]add interface Virtual-if 2
[FW1-ar2-zone-trust]q
[FW1-ar2]int g 1/0/0
[FW1-ar2-GigabitEthernet1/0/0]ip add 100.1.1.1 24
[FW1-ar2-GigabitEthernet1/0/0]q 
[FW1-ar2]interface Virtual-if 2    set the virtual interface address
[FW1-ar2-Virtual-if2]ip add 172.16.1.2 32
[FW1-ar2-Virtual-if2]q
[FW1-ar2]se    configure the security policy
[FW1-ar2-policy-security]rule name ar1_to_ar2
[FW1-ar2-policy-security-rule-ar1_to_ar2]source-zone trust 
[FW1-ar2-policy-security-rule-ar1_to_ar2]destination-zone untrust
[FW1-ar2-policy-security-rule-ar1_to_ar2]service icmp
[FW1-ar2-policy-security-rule-ar1_to_ar2]action permit 
[FW1-ar2-policy-security-rule-ar1_to_ar2]q
[FW1-ar2-policy-security]q
[FW1-ar2]
<FW1>
<FW1>sys
[FW1]ip route-static vpn-instance ar1 100.1.1.2 24 vpn-instance ar2    configure a route so that traffic in vsys ar1 destined for 100.1.1.2 has vsys ar2 as its next hop


Summary

1. First enable the virtual system feature
2. Then create the virtual systems
3. Assign the corresponding physical interfaces to each virtual system
4. Enter the virtual system
5. Inside the virtual system, configure zones and add the physical interface and the virtual interface to them
6. In each virtual system, configure the addresses of the physical interface and the virtual interface
7. Configure the security policy to permit the traffic
8. Configure routes so that the virtual systems can reach each other
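To see why steps 5 to 8 all have to be in place, here is an added Python model of the forwarding path a packet takes through the two virtual systems (this is example code written for this page, not Huawei's implementation). It loads the FW1 configuration above as data (the same interface names, zones, addresses, route and policy) and walks a packet from AR1 through ar1 into ar2. The evaluation order it assumes, ingress zone, route lookup, egress zone, then security policy with a default deny, is a simplification of the real forwarding engine, and the session table is not modelled, so it only answers what happens to the first packet of a flow. It also goes slightly beyond the page by showing two drop cases: a service the policy does not permit, and a destination for which a vsys has no route.

```python
"""Simplified model of inter-vsys forwarding on the page's FW1 (added example).

Assumptions: packets are evaluated as ingress zone -> route lookup ->
egress zone -> security policy (first match wins, default deny); a static
route whose next hop is another vsys leaves through this vsys's Virtual-if
and arrives on the other vsys's Virtual-if. No session table is modelled.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    source_zone: str
    destination_zone: str
    service: str
    action: str  # "permit" or "deny"


@dataclass
class Vsys:
    name: str
    virtual_if: str                               # this vsys's Virtual-if
    zones: dict = field(default_factory=dict)     # interface -> zone
    addresses: dict = field(default_factory=dict) # interface -> IPv4Interface
    routes: list = field(default_factory=list)    # (IPv4Network, ("vsys", name))
    policy: list = field(default_factory=list)    # ordered list of Rule

    def lookup_route(self, dst):
        """Longest-prefix match over connected and static routes.

        Returns ("iface", name) for a connected route, ("vsys", name) for a
        static route pointing at another vsys, or None when nothing matches.
        """
        best = None
        for iface, addr in self.addresses.items():
            net = addr.network
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ("iface", iface))
        for net, target in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None

    def check_policy(self, src_zone, dst_zone, service):
        """First matching rule decides; no match falls to the default deny."""
        for rule in self.policy:
            if (rule.source_zone == src_zone and rule.destination_zone == dst_zone
                    and rule.service == service):
                return rule.action == "permit", rule.name
        return False, "default"


def forward(fw, vsys_name, ingress_iface, dst, service, max_hops=8):
    """Walk one packet through the vsys chain. Returns (verdict, detail)."""
    dst = ipaddress.IPv4Address(dst)
    for _ in range(max_hops):
        vsys = fw[vsys_name]
        src_zone = vsys.zones[ingress_iface]
        target = vsys.lookup_route(dst)
        if target is None:
            return ("drop", f"{vsys.name}: no route to {dst}")
        kind, name = target
        egress_iface = vsys.virtual_if if kind == "vsys" else name
        dst_zone = vsys.zones[egress_iface]
        permitted, rule = vsys.check_policy(src_zone, dst_zone, service)
        if not permitted:
            return ("drop", f"{vsys.name}: {src_zone}->{dst_zone} {service} denied by {rule}")
        if kind == "iface":
            return ("forward", f"{vsys.name}: out {egress_iface}")
        # Hand off to the next vsys; the packet arrives on its Virtual-if.
        vsys_name = name
        ingress_iface = fw[name].virtual_if
    return ("drop", "vsys loop")


def build_firewall():
    """The page's FW1 configuration expressed as data (same names and addresses)."""
    ar1 = Vsys(
        name="ar1", virtual_if="Virtual-if1",
        zones={"GigabitEthernet1/0/1": "trust", "Virtual-if1": "untrust"},
        addresses={"GigabitEthernet1/0/1": ipaddress.IPv4Interface("10.0.11.254/24"),
                   "Virtual-if1": ipaddress.IPv4Interface("172.16.1.1/32")},
        # ip route-static vpn-instance ar1 100.1.1.2 24 vpn-instance ar2
        routes=[(ipaddress.IPv4Network("100.1.1.0/24"), ("vsys", "ar2"))],
        policy=[Rule("ar1_to_ar2", "trust", "untrust", "icmp", "permit")],
    )
    ar2 = Vsys(
        name="ar2", virtual_if="Virtual-if2",
        zones={"GigabitEthernet1/0/0": "untrust", "Virtual-if2": "trust"},
        addresses={"GigabitEthernet1/0/0": ipaddress.IPv4Interface("100.1.1.1/24"),
                   "Virtual-if2": ipaddress.IPv4Interface("172.16.1.2/32")},
        policy=[Rule("ar1_to_ar2", "trust", "untrust", "icmp", "permit")],
    )
    return {"ar1": ar1, "ar2": ar2}


if __name__ == "__main__":
    fw = build_firewall()
    # AR1 (10.0.11.1) pings AR2 (100.1.1.2): the packet enters ar1 on g1/0/1.
    print(forward(fw, "ar1", "GigabitEthernet1/0/1", "100.1.1.2", "icmp"))
    # Same path with TCP: neither policy permits it, so it never leaves ar1.
    print(forward(fw, "ar1", "GigabitEthernet1/0/1", "100.1.1.2", "tcp"))
    # A packet entering ar2 for 10.0.11.0/24: the page configures no such route in ar2.
    print(forward(fw, "ar2", "GigabitEthernet1/0/0", "10.0.11.1", "icmp"))
```

The ICMP packet is permitted twice, once by ar1's trust-to-untrust rule on its way out of Virtual-if 1 and once by ar2's trust-to-untrust rule after it arrives on Virtual-if 2, which is why the zone assignment of the virtual interfaces in step 5 matters as much as the physical ones. The last call shows that a route only exists in the direction the page configured; how replies are handled depends on the session table, which this model leaves out.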