1. Product overview
Huawei USG series next-generation firewalls are high-performance security gateways designed for large and medium-sized enterprises, data centers and cloud environments. This manual uses the USG6300E/6500E/6600E series as examples and describes how to configure security policies in detail.
Applicable models: USG6305E/6310E/6320E/6330E/6350E/6360E/6380E/6390E/6500E/6600E series
2. Initial configuration
2.1 Device login
USG firewalls support several management methods:
- Console port: baud rate 9600, used for initial configuration
- Web management: https://192.168.0.1 (default)
- SSH/Telnet: command-line management
USG> system-view
Enter system view, return user view with Ctrl+Z.
[USG]
2.2 Default account
- Username: admin
- Default password: Admin@123 (a change is forced at first login)
Security note: change the default password immediately after the first login. Password complexity requirements: 8 to 32 characters, containing uppercase and lowercase letters, digits and special characters.
3. Basic network configuration
3.1 Interface configuration
Step 1: Configure the IP address of the management interface
[USG] interface GigabitEthernet 0/0/0
[USG-GigabitEthernet0/0/0] ip address 192.168.1.1 24
[USG-GigabitEthernet0/0/0] quit
Step 2: Configure the WAN interface (connected to the Internet)
[USG] interface GigabitEthernet 1/0/0
[USG-GigabitEthernet1/0/0] description WAN_Interface
[USG-GigabitEthernet1/0/0] ip address 203.0.113.1 30
[USG-GigabitEthernet1/0/0] quit
Step 3: Configure the LAN interface (connected to the internal network)
[USG] interface GigabitEthernet 1/0/1
[USG-GigabitEthernet1/0/1] description LAN_Interface
[USG-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[USG-GigabitEthernet1/0/1] quit
3.2 Security zone configuration
Huawei firewalls use security zones to manage network boundaries:
[USG] firewall zone trust
[USG-zone-trust] add interface GigabitEthernet 1/0/1
[USG-zone-trust] quit
[USG] firewall zone untrust
[USG-zone-untrust] add interface GigabitEthernet 1/0/0
[USG-zone-untrust] quit
[USG] firewall zone dmz
[USG-zone-dmz] add interface GigabitEthernet 1/0/2
[USG-zone-dmz] quit
Security zone description:
• Trust: internal network zone, security level 85
• Untrust: external network zone, security level 5
• DMZ: server zone, security level 50
• Local: the firewall itself, security level 100
4. Security policy configuration
4.1 Basic policy concepts
A Huawei USG firewall security policy consists of the following elements:
- Match conditions: source/destination security zone, source/destination IP address, service/application, user, time range
- Action: permit or deny
- Profiles: intrusion prevention, antivirus, URL filtering, data filtering, file filtering, application behavior control
4.2 Allowing the internal network to access the Internet
[USG] security-policy
[USG-policy-security] rule name trust_to_untrust
[USG-policy-security-rule-trust_to_untrust] source-zone trust
[USG-policy-security-rule-trust_to_untrust] destination-zone untrust
[USG-policy-security-rule-trust_to_untrust] source-address 10.1.1.0 24
[USG-policy-security-rule-trust_to_untrust] action permit
[USG-policy-security-rule-trust_to_untrust] quit
4.3 Configuring a NAT policy
Configure source NAT so that internal users can access the Internet:
[USG] nat-policy
[USG-policy-nat] rule name source_nat
[USG-policy-nat-rule-source_nat] source-zone trust
[USG-policy-nat-rule-source_nat] destination-zone untrust
[USG-policy-nat-rule-source_nat] source-address 10.1.1.0 24
[USG-policy-nat-rule-source_nat] action source-nat easy-ip
[USG-policy-nat-rule-source_nat] quit
4.4 Configuring server mapping (DNAT)
Map external access to a server in the DMZ:
[USG] nat server name web_server
[USG-nat-server-web_server] zone untrust
[USG-nat-server-web_server] global 203.0.113.10
[USG-nat-server-web_server] inside 192.168.10.10
[USG-nat-server-web_server] quit
4.5 Fine-grained policy configuration
Allow access to specific services only:
[USG] security-policy
[USG-policy-security] rule name allow_web
[USG-policy-security-rule-allow_web] source-zone trust
[USG-policy-security-rule-allow_web] destination-zone untrust
[USG-policy-security-rule-allow_web] service http
[USG-policy-security-rule-allow_web] service https
[USG-policy-security-rule-allow_web] action permit
[USG-policy-security-rule-allow_web] quit
5. Security profiles
5.1 Intrusion prevention (IPS)
[USG] profile type ips name ips_profile
[USG-profile-ips-ips_profile] signature-set name default
[USG-profile-ips-ips_profile-signature-set-default] severity high
[USG-profile-ips-ips_profile-signature-set-default] severity medium
[USG-profile-ips-ips_profile-signature-set-default] action block
[USG-profile-ips-ips_profile-signature-set-default] quit
[USG-profile-ips-ips_profile] quit
Apply the IPS profile to the security policy:
[USG] security-policy
[USG-policy-security] rule name trust_to_untrust
[USG-policy-security-rule-trust_to_untrust] profile ips ips_profile
[USG-policy-security-rule-trust_to_untrust] quit
5.2 Antivirus (AV)
[USG] profile type av name av_profile
[USG-profile-av-av_profile] http-detect direction both
[USG-profile-av-av_profile] ftp-detect direction both
[USG-profile-av-av_profile] smtp-detect direction both
[USG-profile-av-av_profile] pop3-detect direction both
[USG-profile-av-av_profile] action block
[USG-profile-av-av_profile] quit
5.3 URL filtering
[USG] url-filter profile name url_profile
[USG-url-filter-profile-url_profile] category-action category gambling block
[USG-url-filter-profile-url_profile] category-action category adult block
[USG-url-filter-profile-url_profile] default-action permit
[USG-url-filter-profile-url_profile] quit
6. VPN configuration
6.1 IPsec VPN configuration
Configure an IPsec VPN tunnel to a branch office:
[USG] ipsec proposal prop1
[USG-ipsec-proposal-prop1] esp authentication-algorithm sha2-256
[USG-ipsec-proposal-prop1] esp encryption-algorithm aes-256
[USG-ipsec-proposal-prop1] quit
[USG] ike proposal prop1
[USG-ike-proposal-prop1] authentication-method pre-share
[USG-ike-proposal-prop1] authentication-algorithm sha2-256
[USG-ike-proposal-prop1] encryption-algorithm aes-256
[USG-ike-proposal-prop1] dh group14
[USG-ike-proposal-prop1] quit
[USG] ike peer peer1
[USG-ike-peer-peer1] ike-proposal prop1
[USG-ike-peer-peer1] pre-shared-key cipher Huawei@123
[USG-ike-peer-peer1] remote-address 198.51.100.1
[USG-ike-peer-peer1] quit
6.2 SSL VPN configuration
Configure SSL VPN for remote access:
[USG] sslvpn gateway gateway1
[USG-sslvpn-gateway-gateway1] ip address 203.0.113.1 port 443
[USG-sslvpn-gateway-gateway1] service enable
[USG-sslvpn-gateway-gateway1] quit
[USG] sslvpn context context1
[USG-sslvpn-context-context1] gateway gateway1
[USG-sslvpn-context-context1] ip-pool pool1 10.2.1.1 10.2.1.100
[USG-sslvpn-context-context1] service enable
[USG-sslvpn-context-context1] quit
7. High availability configuration
7.1 Hot standby (HA)
Configure active/standby hot standby:
[USG] hrp enable
[USG] hrp interface GigabitEthernet 0/0/1
[USG] hrp mirror session enable
[USG] hrp track interface GigabitEthernet 1/0/0
[USG] hrp track interface GigabitEthernet 1/0/1
HRP note: after HRP is enabled, the configuration of the active device is automatically synchronized to the standby device, and session information is synchronized in real time as well.
8. Monitoring and maintenance
8.1 Common display commands
[USG] display firewall session table # view the session table
[USG] display security-policy all # view security policies
[USG] display nat-policy # view NAT policies
[USG] display interface brief # view interface status
[USG] display cpu-usage # view CPU usage
[USG] display memory-usage # view memory usage
[USG] display logbuffer # view logs
8.2 Configuration backup
[USG] save
The current configuration will be written to the device. Are you sure? [Y/N]: y
[USG] display saved-configuration # view the saved configuration
<USG> save configuration.txt # export the configuration to a file
9. Troubleshooting common problems
9.1 Policy does not take effect
- Check the policy match order (rules are matched from top to bottom)
- Confirm that the source/destination zones are configured correctly
- Check whether the address object contains the target IP
- View the session table to confirm whether the traffic reaches the firewall:
display firewall session table
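An added example, not part of this manual, that ties the rule elements of section 4 to the first check in 9.1: it parses the page's two security-policy rules (as the page enters them, `trust_to_untrust` before `allow_web`) and evaluates a flow top to bottom with first match wins. The input is constructed from the page, and the example assumes the default policy denies. Because the broad `trust_to_untrust` rule comes first, any service from 10.1.1.0/24 is permitted before the service-restricted `allow_web` rule is ever consulted.

```python
import ipaddress

# Constructed sample in the page's security-policy syntax (prompts removed): sections 4.2 and 4.5, in page order.
SAMPLE_POLICY = """
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  action permit
 rule name allow_web
  source-zone trust
  destination-zone untrust
  service http
  service https
  action permit
"""

def parse_policy(text):
    """Return the rules in configuration order, one dict per rule."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["rule", "name"]:
            rules.append({"name": tok[2], "action": "deny", "source-zone": set(), "destination-zone": set(),
                          "source-address": [], "destination-address": [], "service": set()})
        elif tok and tok[0] in ("source-zone", "destination-zone", "service"):
            rules[-1][tok[0]].update(tok[1:])
        elif tok and tok[0] in ("source-address", "destination-address"):
            rules[-1][tok[0]].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok and tok[0] == "action":
            rules[-1]["action"] = tok[1]
    return rules

def rule_matches(rule, src_zone, dst_zone, src_ip, dst_ip, service):
    # A condition the rule does not configure means "any".
    return ((not rule["source-zone"] or src_zone in rule["source-zone"])
            and (not rule["destination-zone"] or dst_zone in rule["destination-zone"])
            and (not rule["source-address"] or any(src_ip in n for n in rule["source-address"]))
            and (not rule["destination-address"] or any(dst_ip in n for n in rule["destination-address"]))
            and (not rule["service"] or service in rule["service"]))

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip, service):
    """First match wins, top to bottom; unmatched traffic hits the default policy, assumed deny here."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule_matches(rule, src_zone, dst_zone, src, dst, service):
            return rule["name"], rule["action"]
    return "default", "deny"
```

Evaluating SSH from 10.1.1.5 returns `("trust_to_untrust", "permit")`, while the same SSH flow from an address outside 10.1.1.0/24 falls through `allow_web` to the default deny.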
9.2 NAT does not take effect
- Confirm that the NAT policy match conditions are correct
- Check the IP configuration of the outbound interface
- Confirm that the route is reachable
- View the NAT translation table:
display firewall nat-policy
9.3 VPN tunnel is down
- Check the IKE negotiation status:
display ike sa
- Check IPsec SA establishment:
display ipsec sa
- Confirm that the configuration on both ends is consistent (encryption algorithm, authentication method, pre-shared key)
- Check that the route points to the tunnel interface
Technical support: for complex problems, contact the 世纪云峰科技 technical support team
Phone: 156-2522-0012 | Email: Roy.zhou@cloud-peak.com.cn
10. Related documents
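An added example, not from this manual, for the "both ends consistent" check in 9.3: it parses the `ike proposal` and `ipsec proposal` blocks from each end's configuration (the head-office end is the page's section 6.1; the branch end is constructed with two deliberate mismatches) and lists every parameter that differs, which is the list to reconcile before looking at routing.

```python
# Constructed head-office end, copied from the page's section 6.1 (prompts removed).
HQ = """
ipsec proposal prop1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike proposal prop1
 authentication-method pre-share
 authentication-algorithm sha2-256
 encryption-algorithm aes-256
 dh group14
"""
# Constructed branch end with two deliberate mismatches (ESP cipher, DH group).
BRANCH = """
ipsec proposal prop1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal prop1
 authentication-method pre-share
 authentication-algorithm sha2-256
 encryption-algorithm aes-256
 dh group2
"""

def parse_proposals(text):
    """Return {"ike": {param: value}, "ipsec": {param: value}} from CLI text."""
    result, block = {"ike": {}, "ipsec": {}}, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):
            # Top-level line: enters an ike/ipsec proposal block, or leaves one.
            block = words[0] if words[:2] in (["ike", "proposal"], ["ipsec", "proposal"]) else None
        elif block:
            # Indented parameter line: everything before the last word is the key.
            result[block][" ".join(words[:-1])] = words[-1]
    return result

def compare_ends(local_text, remote_text):
    """List (block, parameter, local, remote) for every parameter that differs or
    exists on only one end; an empty list means the two ends agree."""
    local, remote = parse_proposals(local_text), parse_proposals(remote_text)
    mismatches = []
    for block in ("ike", "ipsec"):
        for param in sorted(set(local[block]) | set(remote[block])):
            lv, rv = local[block].get(param), remote[block].get(param)
            if lv != rv:
                mismatches.append((block, param, lv, rv))
    return mismatches
```

The pre-shared key is stored in cipher form in the running configuration, so it cannot be compared this way and must be re-entered on both ends if in doubt.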