2022.2.14 What we should sober up is , Regret and failure are the normal state of life . It's no use trying , It's no use trying , It's useless to like it , I like it even if it's useless . This is also the greatest heroism ！！！

Suggestions on security policy configuration

During business debugging , How to specify matching conditions accurately is the difficulty of configuring security policies . The matching condition is set too wide extensive , There are security risks ; The matching conditions are set too strictly , It may cause the message to fail to hit the strategy , Affect the business The normal operation . The general configuration idea is as follows ：

1. The action of configuring the default security policy is to allow , Debug the business , Ensure the normal operation of the business .

2. Look at the conversation table , Configure the security policy with the information recorded in the session table as the matching condition .

3. Restore the configuration of the default security policy , Debug the business again , Verify the correctness of the security policy .

The action configuration of the default security policy is permit after , The firewall allows all messages to pass , There may be security risks , because After this commissioning , Be sure to restore the default security policy action to deny.

[USG6000V2]ip address-set deny8888 type object// The configuration name is deny8888 Address set for
[USG6000V2-object-address-set-deny8888]dis this
2022-02-14 20:28:44.810
#
ip address-set deny8888 type object
 address 0 10.1.1.2 mask 32
 address 1 10.2.1.2 mask 32
#
return

[USG6000V2]ip service-set server-deny type object// by Server Configure custom service set server-deny
[USG6000V2-object-service-set-server-deny]dis this
2022-02-14 20:33:05.760
#
ip service-set server-deny type object 131
 service 0 protocol tcp destination-port 8888
#
return

[USG6000V2]time-range time-deny// The configuration name is time_deny Time period                   
[USG6000V2-time-range-time-deny]dis this
2022-02-14 20:35:03.750
#
 time-range time-deny
  period-range 08:00:00 to 17:00:00 daily
#
return

[USG6000V2]security-policy
[USG6000V2-policy-security]dis this
2022-02-14 20:36:06.500
#
security-policy
 rule name deny8888
  source-zone untrust
  destination-zone dmz
  source-address address-set deny8888
  destination-address 10.2.0.10 mask 255.255.255.255
  service server-deny
  time-range time-deny 
  action deny
 rule name deny6666
  source-zone untrust
  destination-zone dmz
  source-address address-set deny8888
  destination-address 10.2.0.11 mask 255.255.255.255
  service server-deny
  time-range time-deny 
  action deny
 rule name permit-6666
  source-zone untrust
  destination-zone dmz
  destination-address 10.2.0.11 mask 255.255.255.255
  service server-deny
  action permit
#                                         
return  

summary

Huawei USG Next generation firewall security policy ：

By default ：

Layer 2 multicast message 、 Broadcast message Not controlled by security policy --USG Second floor wall

OSPF、BGP、IP-link、BFD、DHCP、LDP etc. Unicast data Not controlled by security policy

Traffic between different security domains is rejected by default

By default , The traffic between interfaces within a security domain is directly connected , By default, the switch that controls the flow in the domain is not on

[USG6000V1]security-policy

[USG6000V1-policy-security]default packet-filter intrazone enable 

 // Control the switch of interface flow interworking in the domain , After turning on the switch , Intra domain interface traffic is controlled by security policy

firewall l2-multicast packet-filter enable command Configure layer 2 multicast messages Controlled by security policy

firewall packet-filter basic-protocol enable Command configuration is right BGP、OSPF、DHCP、LDP、BFD Unicast message is controlled by security policy

MA：Multi Access  Multiple access

NBMA:Non-Broadcast MA Non broadcast multiple access

If the actual environment ,USG Firewall blocked .

1、 Let the strategy go first , All in

2、 There are other problems besides strategy , Strategic issues

Cisco router acts as HTTP The server ：

HTTPServer1(config)#ip http server

HTTPServer1(config)#ip http port 8888