Next Generation Frewall (NGFW)

Next Generation Firewall (NGFW) üzerinden geçen trafiği, Application identification, User identification ve Content identification temellerine dayalı inceleyip, gerçek bilgi ve kontrolu sağlayan yeni nesil güvenlik duvarıdır.

Genel cihaz yapılandırması.

Cihazlara isimlerini ve IP addressleri yapılandıralım.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]sysname R1

[R1]int GigabitEthernet0/0/0

[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24

[R1-GigabitEthernet0/0/0]quit

<Huawei>system-view

Enter system view, return user view with Ctrl+Z.

[Huawei]sysname S1

2. Cihazın kullanılan interfacelerini access olarak yapılandıralım.

[SRG]interface GigabitEthernet 0/0/1

[SRG-GigabitEthernet0/0/1]portswitch

[SRG-GigabitEthernet0/0/1]port link-type access

[SRG]interface GigabitEthernet 0/0/0

[SRG-GigabitEthernet0/0/0]portswitch

[SRG-GigabitEthernet0/0/0]port link-type access

[SRG]pair-interface 1 GigabitEthernet1/0/1 GigabitEthernet1/0/2

Ethernet switch’inden gelen kabloyu trusted network’e yani ilk interface’e takmalısınız.

İkinci interface untrusted network’üdür.

[SRG-zone-untrust]firewall zone trust

[SRG-zone-trust]set priority 85

[SRG-zone-trust]add interface GigabitEthernet1/0/1
[SRG]firewall zone untrust

[SRG-zone-untrust]set priority 5

[SRG-zone-untrust]add interface GigabitEthernet1/0/2

Cihazın security ayarlarını oluşturalım.

<SRG>security-policy

<SRG>rule name PERMIT_ANY

<SRG>source-zone any

<SRG>destination-zone any

<SRG>action permit

Final….

interface GigabitEthernet1/0/1

portswitch

port link-type access

#

interface GigabitEthernet1/0/2

portswitch

port link-type access

#

pair-interface 1 GigabitEthernet1/0/1 GigabitEthernet1/0/2

#

firewall zone trust

set priority 85

add interface GigabitEthernet1/0/1

#

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/2

#

security-policy

rule name PERMIT_ANY

source-zone any

destination-zone any

action permit

#

return

Next Generation Frewall (NGFW)

Next Generation Firewall (NGFW) üzerinden geçen trafiği, Application identification, User identification ve Content identification temellerine dayalı inceleyip, gerçek bilgi ve kontrolu sağlayan yeni nesil güvenlik duvarıdır.

Genel cihaz yapılandırması.

Cihazlara isimlerini ve IP addressleri yapılandıralım.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]sysname R1

[R1]int GigabitEthernet0/0/0

[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24

[R1-GigabitEthernet0/0/0]quit

<Huawei>system-view

Enter system view, return user view with Ctrl+Z.

[Huawei]sysname S1

2. Cihazın kullanılan interfacelerini access olarak yapılandıralım.

[SRG]interface GigabitEthernet 0/0/1

[SRG-GigabitEthernet0/0/1]portswitch

[SRG-GigabitEthernet0/0/1]port link-type access

[SRG]interface GigabitEthernet 0/0/0

[SRG-GigabitEthernet0/0/0]portswitch

[SRG-GigabitEthernet0/0/0]port link-type access

[SRG]pair-interface 1 GigabitEthernet1/0/1 GigabitEthernet1/0/2

Ethernet switch’inden gelen kabloyu trusted network’e yani ilk interface’e takmalısınız.

İkinci interface untrusted network’üdür.

[SRG-zone-untrust]firewall zone trust

[SRG-zone-trust]set priority 85

[SRG-zone-trust]add interface GigabitEthernet1/0/1 [SRG]firewall zone untrust

[SRG-zone-untrust]set priority 5

[SRG-zone-untrust]add interface GigabitEthernet1/0/2

Cihazın security ayarlarını oluşturalım.

<SRG>security-policy

<SRG>rule name PERMIT_ANY

<SRG>source-zone any

<SRG>destination-zone any

<SRG>action permit

Final….

interface GigabitEthernet1/0/1

portswitch

port link-type access

#

interface GigabitEthernet1/0/2

portswitch

port link-type access

#

pair-interface 1 GigabitEthernet1/0/1 GigabitEthernet1/0/2

#

firewall zone trust

set priority 85

add interface GigabitEthernet1/0/1

#

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/2

#

security-policy

rule name PERMIT_ANY

source-zone any

destination-zone any

action permit

#

return

[SRG-zone-trust]add interface GigabitEthernet1/0/1
[SRG]firewall zone untrust