admin
2025-12-03 04:11:13
华为防火墙
在win7上可以通过浏览器监控及配置防火墙
在win7上可以通过CRT软件SSH连接防火墙,通过命令配置防火墙
1、 配置防火墙IP地址,接口加入Trust区域
2、 配置SSH和web管理
3、 验证远程管理
4、 配置AAA及本地用户
一、华为防火墙配置IP地址
[FW1]interface GigabitEthernet0/0/0
[FW1-GigabitEthernet0/0/0]ip address 192.168.100.10 24
[FW1-GigabitEthernet0/0/0]undo shutdown
二、配置SSH
(1)接口加入Trust区域,默认防火墙就在Trust区域
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 0/0/0
(2)配置防火墙允许远程管理
[FW1-GigabitEthernet0/0/0]service-manage enable
[FW1-GigabitEthernet0/0/0]service-manage ssh permit
[FW1-GigabitEthernet0/0/0]quit
(3)SSH的安全策略
[FW1]security-policy
[FW1-policy-security]rule name allow_ssh
[FW1-policy-security-rule-allow_ssh]source-zone trust
[FW1-policy-security-rule-allow_ssh]destination-zone local
[FW1-policy-security-rule-allow_ssh]action permit
[FW1-policy-security-rule-allow_ssh]quit
[FW1-policy-security]quit
(4)配置认证模式及本地用户信息和开启SSH
[FW1]user-interface vty 0 4
[FW1-ui-vty0-4]authentication-mode aaa
[FW1-ui-vty0-4]protocol inbound ssh
[FW1-ui-vty0-4]quit
[FW1]ssh user test
[FW1]ssh user test authentication-type password
[FW1]ssh user test service-type stelnet
[FW1]aaa
[FW1-aaa]manager-user test
[FW1-aaa-manager-user-ssh]password cipher pwd@1234
[FW1-aaa-manager-user-ssh]service-type ssh
[FW1-aaa-manager-user-ssh]level 15
[FW1-aaa-manager-user-ssh]quit
[FW1-aaa]quit
[FW1]stelnet server enable
三、配置WEB
(1)打开接口的http和https管理
[FW1]interface GigabitEthernet 0/0/0
[FW1-GigabitEthernet0/0/0]service-manage http permit
[FW1-GigabitEthernet0/0/0]service-manage https permit
[FW1-GigabitEthernet0/0/0]quit
(2)配置安全策略
[FW1]security-policy
[FW1-policy-security]rule name allow_web
[FW1-policy-security-rule-allow_web]source-zone trust
[FW1-policy-security-rule-allow_web]destination-zone local
[FW1-policy-security-rule-allow_web]action permit
[FW1-policy-security-rule-allow_web]quit
[FW1-policy-security]quit
(3)开启https功能、配置aaa以及本地用户
[FW1]web-manager security enable
[FW1]aaa
[FW1-aaa]manager-user web
[FW1-aaa-manager-user-web]service-type web
[FW1-aaa-manager-user-web]level 15
四、配置AAA及本地用户
(1)打开防火墙的Telnet功能
[FW1]telnet server enable
(2)配置防火墙允许远程管理
[FW1]interface GigabitEthernet 0/0/0
[FW1-GigabitEthernet0/0/0]service-manage enable
[FW1-GigabitEthernet0/0/0]service-manage telnet permit
(3)配置安全策略
[FW1]security-policy
[FW1-policy-security]rule name allow_telnet
[FW1-policy-security-rule-allow_telnet]source-zone trust
[FW1-policy-security-rule-allow_telnet]destination-zone local
[FW1-policy-security-rule-allow_telnet]action permit
(4)配置认证模式及本地用户信息
[FW1]user-interface vty 0 4
[FW1-ui-vty0-4]authentication-mode aaa
[FW1-ui-vty0-4]protocol inbound telnet
[FW1-ui-vty0-4]quit
[FW1]aaa
[FW1-aaa]manager-user telnet
[FW1-aaa-manager-user-telnet]password cipher pwd@1234
[FW1-aaa-manager-user-telnet]service-type telnet
[FW1-aaa-manager-user-telnet]level 15