1.1 对象策略简介
对象策略基于全局进行配置,基于安全域间实例进行应用。在安全域间实例上应用对象策略可实现对报文流的检查,并根据检查结果允许或拒绝其通过。对象策略通过配置对象策略规则实现。有关安全域间实例的详细介绍和配置,请参见“安全配置指导”中的“安全域”。
1.1.1 对象策略规则的报文匹配条件
一个对象策略中可以包含多条对象策略规则。对象策略规则通过指定对象组来描述报文匹配条件的判断语句,匹配条件可以是报文的源IP地址、目的IP地址、服务类型、应用和应用组等。设备依照这些规则匹配出特定的报文,并根据规则预先设定的动作对其进行处理。创建规则时可以不指定任何可选条件,则规则对任意报文生效。
1. 对象策略规则的编号
一个对象策略中可包含多条规则,每条规则都拥有唯一的编号进行标示,此编号在创建规则时由用户手工指定或由系统自动分配。在自动分配编号时,系统会将对应对象策略中已使用的最大编号加一作为新的编号,若新编号超出了编号上限(65534),则选择当前未使用的最小编号作为新的编号。
2. 对象策略规则的匹配顺序
当一个对象策略中包含多条规则时,报文会按照配置顺序与这些规则进行匹配,
一旦匹配上某条规则便结束匹配过程。对象策略规则的配置顺序可在对象策略视图下通过display this命令查看,配置顺序与规则的创建顺序有关,先创建的规则优先进行匹配。同时,也可以通过移动规则的位置来调整规则的配置顺序。根据对象策略规则的匹配原理,为使设备上部署的对象策略对流经设备的报文达到更好、更精准的控制效果,需要在配置对象策略规则时遵循“深度优先”的原则,即控制对象精细的先配置,控制对象范围大的后配置。创建规则时可以不指定任何可选条件,则规则对任意报文生效。
1.1.2 对象策略加速功能
在对基于会话的业务报文(如ASPF等)进行规则匹配时,通常只对首个报文进行匹配以加快报文的处理速度,但这有时并不足以解决报文匹配的效率问题。譬如,当有大量用户同时与设备新建连接时,需要对每个新建连接都进行规则匹配,如果对象策略内包含有大量规则,那么这个匹配过程将很长,这会导致用户建立连接时间超长,从而影响设备新建连接的性能。对象策略加速功能则可以解决上述问题,当对包含大量规则的对象策略使能了加速功能之后,其规则匹配速度将大大提高,从而提高了设备的转发性能以及新建连接的性能。
1.2 对象策略配置限制和指导
- · 如果配置对象策略规则时指定引用对象组,若该对象组不存在,则该规则将不匹配任何报文。如果配置对象策略规则时不指定引用的对象组,则该规则将匹配任意报文。有关对象组的详细介绍请参见“安全配置指导”中的“对象组”。
- · 在对象策略规则中引用应用和应用组时,请只引用PBAR(Port Based Application Recognition,基于端口的应用层协议识别)类型的应用。若引用NBAR(Network Based Application Recognition,基于内容特征的应用层协议识别)类型的应用,则此规则不会与任何报文匹配成功。有关PBAR和NBAR的详细介绍请参见“安全配置指导”中的“APR”。
- · 安全域间实例上同种类型的对象策略只能应用一个,即只能同时应用一个IPv4对象策略和一个IPv6对象策略。如果安全域间实例已应用同种类型的其他对象策略,则会配置失败。若要应用新的对象策略,需要先将已经应用的对象策略删掉。
- · 在安全域间实例应用对象策略前需配置zone-pair security命令创建安全域,关于安全域的详细介绍,请参见“安全命令参考”中的“安全域”。
- · 为使一条对象策略规则生效,必须保证所有引用对象的内容不能为空。
- · 对象策略的加速功能相比安全策略会占用更多设备内存,建议将对象策略转换为安全策略。有关将对象策略转换为安全策略的详细介绍,请参见“安全配置指导”中的“安全策略”。
实现需求
全网互通
网络结构
① 配置终端的IP地址
② 进入防火墙的页面输入用户名/密码
华三防火墙的用户名/密码默认==>admin/admin
Login: admin //输入用户的名字
Password:admin //输入用户名的密码
<H3C>%Sep 18 13:50:45:034 2024 H3C SHELL/5/SHELL_LOGIN: -Context=1; admin logged in from con0.
[H3C]sysname Object-fw //改防火墙的名字
[Object-fw]
[Object-fw]time-range work 08:00 to 18:00 working-day //设置防火墙的工作时间早上8点到晚上18点
[Object-fw]
③ 安全域的配置
[Object-fw]display history-command //查看配置命令的历史记录
security-zone name database //创建的安全区域是 database区域
import interface GigabitEthernet 1/0/3 //将interface GigabitEthernet 1/0/3 接口导入到该区域
quit //退出
security-zone name Management //创建的安全区域是管理区区
import interface GigabitEthernet 1/0/1 //将nterface GigabitEthernet 1/0/1导入到管理区域
安全区域配置的脚本
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
import interface GigabitEthernet1/0/1
#
security-zone name database
import interface GigabitEthernet1/0/3
#
security-zone name finance
import interface GigabitEthernet1/0/5
#
security-zone name market
import interface GigabitEthernet1/0/6
#
security-zone name president
import interface GigabitEthernet1/0/4
#
④ 配置接口的IP
[Object-fw-GigabitEthernet1/0/3]ip address 192.168.0.254 24
This subnet overlaps with another interface!
解释:在网络配置中,当你看到这样的错误消息 "This subnet overlaps with another interface!",这意味着你尝试配置的子网地址与网络中的另一个接口的子网地址有重叠。这通常发生在两个或多个网络接口被分配了具有相同网络部分(网络地址和子网掩码)的IP地址,但是它们的主机部分(即IP地址的最后一部分)却不同。
IP脚本
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 192.168.11.254 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
ip address 192.168.2.254 255.255.255.0
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
ip address 192.168.3.254 255.255.255.0
#⑤ 创建对象组(核心)
[Object-fw]object-group ?
ip IP object group
ipv6 IPv6 object group
port Port object group
rename Change the name
service Service object group
[Object-fw]object-group 注意:
ip: 用于定义一个IP地址组。ipv6: 用于定义一个IPv6地址组。port: 用于定义一个端口号组。service: 用于定义一组服务,如HTTP、FTP等。
[Object-fw]object-group ip address ?
STRING<1-63> Object group name
[Object-fw]object-group ip address 例如,创建一个名为 "Office_Servers" 的对象组,包含 IP 地址从 192.168.1.10 到 192.168.1.20 的范围,可以使用如下命令:
object-group ip address Office_Servers network range 192.168.1.10 192.168.1.20
[Object-fw-obj-grp-ip-president]network ?
group-object Specify an object group
host Specify a host address
range Specify an IP address range
subnet Specify a subnet address
[Object-fw-obj-grp-ip-president]network
host: 用于定义单个主机的IP地址。
address <ip-address>: 直接指定一个IP地址。name <host-name>: 通过主机名指定地址,这要求设备已配置DNS解析。vpn-instance <vpn-instance-name>: 指定VPN实例中的主机。subnet: 用于定义一个子网。
subnet <ip-address> <mask-length>: 指定子网和掩码长度。subnet <ip-address> <mask>: 指定子网和子网掩码。range: 用于定义一个IP地址范围。
range <ip-address1> <ip-address2>: 指定一个IP地址的起始和结束范围。group-object: 用于引用另一个对象组。
group-object <object-group-name>: 引用另一个已定义的对象组。exclude: 用于从对象中排除特定的IP地址或子网。
[Object-fw]object-group ip add
[Object-fw]object-group ip address ?
STRING<1-63> Object group name
[Object-fw]object-group ip address president
[Object-fw-obj-grp-ip-president]net
[Object-fw-obj-grp-ip-president]network ?
group-object Specify an object group
host Specify a host address
range Specify an IP address range
subnet Specify a subnet address
[Object-fw-obj-grp-ip-president]network su
[Object-fw-obj-grp-ip-president]network subnet ?
X.X.X.X IP address
[Object-fw-obj-grp-ip-president]network subnet 192.168.1.0 24
[Object-fw-obj-grp-ip-president]quit
[Object-fw]object-group ip address finance
[Object-fw-obj-grp-ip-finance]network subnet 192.168.2.0 24
[Object-fw]object-group ip address market
[Object-fw-obj-grp-ip-market]network subnet 192.168.3.0 24
[Object-fw-obj-grp-ip-market]quit
[Object-fw]object-group ip address da
[Object-fw]object-group ip address database
[Object-fw-obj-grp-ip-database]ne
[Object-fw-obj-grp-ip-database]network su
[Object-fw-obj-grp-ip-database]network subnet 192.168.11.0 24
[Object-fw]object-group service web
[Object-fw-obj-grp-service-web]service 6 destination eq 80
[Object-fw-obj-grp-service-web]quit
[Object-fw][Object-fw]display history-command
- object-group ip address market
- network subnet 192.168.3.0 24
- quit
- object-group ip address database
- network subnet 192.168.11.0 24
- quit
- object-group service web
- service 6 destination eq 80
- quit
创建对象组的脚本
#
object-group ip address database
0 network subnet 192.168.11.0 255.255.255.0
#
object-group ip address finance
0 network subnet 192.168.2.0 255.255.255.0
#
object-group ip address market
0 network subnet 192.168.3.0 255.255.255.0
#
object-group ip address president
0 network subnet 192.168.1.0 255.255.255.0
#
object-group service web
0 service tcp destination eq 80
#WEB 配置页面
接口最新脚本
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 192.168.11.254 255.255.255.0
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
ip address 192.168.1.254 255.255.255.0
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
ip address 192.168.2.254 255.255.255.0
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
ip address 192.168.3.254 255.255.255.0
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
#
⑥ 配置安全域间实例并应用对象策略
策略脚本
#
security-policy ip
rule 0 name president-database
description president-database Դַ
action pass
logging enable
source-zone president
destination-zone database
source-ip president
destination-ip database
rule 1 name finance-database
description ԴnanceĿdatabase
action pass
logging enable
source-zone finance
destination-zone database
source-ip finance
destination-ip database
rule 2 name market-database
description ԴmarketȥĿtabase
action pass
source-zone market
destination-zone database
source-ip market
destination-ip database
#
<H3C>ping 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=254 time=5.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=254 time=6.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=254 time=6.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=254 time=1.000 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/3.800/6.000/2.315 ms
<H3C>%Sep 18 15:05:01:971 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/3.800/6.000/2.315 ms.
ping 192.168.3.1
Ping 192.168.3.1 (192.168.3.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.3.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 192.168.3.1: icmp_seq=1 ttl=254 time=2.000 ms
56 bytes from 192.168.3.1: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 192.168.3.1: icmp_seq=3 ttl=254 time=2.000 ms
56 bytes from 192.168.3.1: icmp_seq=4 ttl=254 time=1.000 ms
--- Ping statistics for 192.168.3.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms
<H3C>%Sep 18 15:05:05:858 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.3.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms.
ping 192.168.1.1
Ping 192.168.1.1 (192.168.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.168.1.1: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 192.168.1.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms
<H3C>%Sep 18 15:05:10:285 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms.
