华为防火墙配置命令大全 超级详细

防火墙（Firewall）也称防护墙，是由Check Point创立者Gil Shwed于1993年发明并引入国际互联网（US5606668（A）1993-12-15）防火墙是位于内部网和外部网之间的屏障，它按照系统管理员预先定义好的规则来控制数据包的进出。防火墙是系统的第一道防线，其作用是防止非法用户的进入。

初始化防火墙

初始化防火墙:默认用户名为admin,默认的密码Admin@123,这里修改密码为along@163

Username:adminPassword:*****Thepasswordneedstobechanged.Changenow?[Y/N]:yPleaseenteroldpassword:Admin@123Pleaseenternewpassword:Along@163Pleaseconfirmnewpassword:Along@163<FW1>system-view//进入系统视图[FW1]sysnameFW1//给防火墙命名[FW1]undoinfo-centerenable//关闭日志弹出功能[FW1]quit<FW1>language-modeChinese//将提示修改为中文Changelanguagemode,confirm?[Y/N]y提示：改变语言模式成功.

开启Web管理界面:默认防火墙console接口IP地址是192.168.0.1

<FW1>system-view[FW1]web-managerenable//开启图形管理界面[FW1]interfaceGigabitEthernet0/0/0[FW1-GigabitEthernet0/0/0]ipaddress192.168.0.124//给接口配置IP地址[FW1-GigabitEthernet0/0/0]service-manageallpermit//放行该端口的请求[FW1-GigabitEthernet0/0/0]displaythis

配置Console口登陆:

<FW1>system-view//进入系统视图[FW1]user-interfaceconsole0//进入console0的用户配置接口[FW1-ui-console0]authentication-modepassword//使用密码验证模式[FW1-ui-console0]setauthenticationpasswordcipherAdmin1234//设置密码为Admin1234[FW1-ui-console0]quit//退出用户配置接口

配置telnet密码认证:配置密码认证模式,此处配置密码为Admin@123

FW1>system-view[FW1]telnetserverenable//开启Telnet支持[FW1]interfaceGigabitEthernet0/0/0//选择配置接口[FW1-GigabitEthernet0/0/0]service-managetelnetpermit//允许telnet[FW1-GigabitEthernet0/0/0]quit[FW1]user-interfacevty04//开启虚拟终端[FW1-ui-vty0-4]protocolinboundtelnet//允许telnet[FW1-ui-vty0-4]authentication-modepassword//设置为密码认证模式[FW1-ui-vty0-4]setauthenticationpasswordcipherAdmin@123//设置用户密码[USG6000V1]firewallzonetrust//选择安全区域[USG6000V1-zone-trust]addinterfaceGE0/0/0//添加到安全区域

配置telnet用户名密码认证:

<FW1>system-view//进入系统视图[FW1]interfaceGigabitEthernet0/0/0//进入接口配置[FW1-GigabitEthernet0/0/0]ipaddress192.168.0.124//配置接口IP[FW1-GigabitEthernet0/0/0]service-managetelnetpermit//允许telnet[FW1-GigabitEthernet0/0/0]service-managepingpermit//允许ping[FW1-GigabitEthernet0/0/0]quit//退出[FW1]firewallzonetrust//进入trust安全域配置[FW1-zone-trust]addinterfaceGigabitEthernet0/0/0//把GE0/0/0加入到trust安全域[FW1-zone-trust]quit[FW1]telnetserverenable//启用telnet服务[FW1]user-interfacevty04//进入vty0-4的用户配置接口[FW1-ui-vty0-4]authentication-modeaaa//使用AAA验证模式[FW1-ui-vty0-4]userprivilegelevel3//配置用户访问的命令级别为3[FW1-ui-vty0-4]protocolinboundtelnet//配置telnet[FW1-ui-vty0-4]quit//退出用户配置接口[FW1]aaa//进入AAA配置视图[FW1-aaa]manager-userlyshark//创建用户vtyadmin[FW1-aaa-manager-user-lyshark]passwordcipheradmin@123//配置用户密码[FW1-aaa-manager-user-lyshark]service-typetelnet//配置服务类型[FW1-aaa-manager-user-lyshark]quit//退出[FW1-aaa]bindmanager-userlysharkrolesystem-admin//绑定管理员角色[FW1-aaa]quit//退出AAA视图

常用查询命令:查询防火墙的其他配置,常用的几个命令如下

[FW1]displayipinterfacebrief//查默认接口信息[FW1]displayiprouting-table//显示路由表[FW1]displayzone//显示防火墙区域[FW1]displayfirewallsessiontable//显示当前会话[FW1]displaysecurity-policyruleall//显示安全策略

配置到这里,我们就可以在浏览器中访问了,其访问地址是http://192.168.0.1

防火墙基本配置

初始化防火墙:初始化配置,并设置好防火墙密码,此处用户名admin密码是along@123

Username:adminPassword:*****Thepasswordneedstobechanged.Changenow?[Y/N]:yPleaseenteroldpassword:Admin@123Pleaseenternewpassword:Along@163Pleaseconfirmnewpassword:Along@163<USG6000V1>system-view//进入系统视图[USG6000V1]sysnameFW1//给防火墙命名[FW1]undoinfo-centerenable//关闭日志弹出功能[FW1]quit<FW1>language-modeChinese//将提示修改为中文[FW1]web-managerenable//开启图形管理界面[FW1]interfaceGigabitEthernet0/0/0[FW1-GigabitEthernet0/0/0]service-manageallpermit//放行该端口的请求

配置内网接口:配置内网的接口信息,这里包括个GE 1/0/0 and GE 1/0/1这两个内网地址

<FW1>system-view[FW1]interfaceGigabitEthernet1/0/0[FW1-GigabitEthernet1/0/0]ipaddress192.168.1.1255.255.255.0[FW1-GigabitEthernet1/0/0]undoshutdown[FW1-GigabitEthernet1/0/0]quit[FW1]interfaceGigabitEthernet1/0/1[FW1-GigabitEthernet1/0/1]ipaddress192.168.2.1255.255.255.0[FW1-GigabitEthernet1/0/1]undoshutdown[FW1-GigabitEthernet1/0/1]quit#-------------------------------------------------------[FW1]firewallzonetrust//将前两个接口加入trust区域[FW1-zone-trust]addinterfaceGigabitEthernet1/0/0[FW1-zone-trust]addinterfaceGigabitEthernet1/0/1

配置外网接口:配置外网接口GE 1/0/2接口的IP地址,并将其加入到untrust区域中

[FW1]interfaceGigabitEthernet1/0/2//选择外网接口[FW1-GigabitEthernet1/0/2]undoshutdown//开启外网接口[FW1-GigabitEthernet1/0/2]ipaddress10.10.10.10255.255.255.0//配置IP地址[FW1-GigabitEthernet1/0/2]gateway10.10.10.20//配置网关[FW1-GigabitEthernet1/0/2]undoservice-manageenable[FW1-GigabitEthernet1/0/2]quit#-------------------------------------------------------[FW1]firewallzoneuntrust//选择外网区域[FW1-zone-untrust]addinterfaceGigabitEthernet1/0/2//将接口加入到此区域

配置安全策略: 配置防火墙安全策略,放行trust(内网)-->untrust(外网)的数据包

[FW1]security-policy//配置安全策略[FW1-policy-security]rulenamelyshark//规则名称[FW1-policy-security-rule-lyshark]source-zonetrust//原安全区域(内部)[FW1-policy-security-rule-lyshark]destination-zoneuntrust//目标安全区域(外部)[FW1-policy-security-rule-lyshark]source-addressany//原地址区域[FW1-policy-security-rule-lyshark]destination-addressany//目标地址区域[FW1-policy-security-rule-lyshark]serviceany//放行所有服务[FW1-policy-security-rule-lyshark]actionpermit//放行配置[FW1-policy-security-rule-lyshark]quit

配置源NAT:配置原NAT地址转换,仅配置源地址访问内网 --> 公网的转换

[FW1]nat-policy//配置NAT地址转换[FW1-policy-nat]rulenamelyshark//指定策略名称[FW1-policy-nat-rule-lyshark]egress-interfaceGigabitEthernet1/0/2//外网接口IP[FW1-policy-nat-rule-lyshark]actionsource-nateasy-ip//源地址转换[FW1-policy-nat-rule-lyshark]displaythis

配置目标NAT:外网访问10.10.10.10自动映射到内网的192.168.2.1这台主机上

[FW1]firewallzoneuntrust//选择外网区域[FW1-zone-untrust]addinterfaceGigabitEthernet1/0/2//将接口加入到此区域#----NAT规则---------------------------------------------------#外网主机访问10.10.10.10主机自动映射到内部的192.168.2.2[FW1]firewalldetectftp[FW1]natserverlysharkglobal10.10.10.10inside192.168.2.2no-reverse#----放行规则---------------------------------------------------[FW1]security-policy//配置安全策略[FW1-policy-security]rulenameuntrs-trs//规则名称[FW1-policy-security-rule-lyshark]source-zoneuntrust//原安全区域(外部)[FW1-policy-security-rule-lyshark]destination-zonetrust//目标安全区域(内部)[FW1-policy-security-rule-lyshark]actionpermit//放行配置[FW1-policy-security-rule-lyshark]quit

NAT地址转换

配置内网区域:分别配置防火墙内网接口GE1/0/0 and GE1/0/1设置IP地址,并加入指定区域内。

<FW1>system-view[FW1]undoinfo-centerenable#----配置IP地址-----------------------------------------------[FW1]interfaceGigabitEthernet1/0/0[FW1-GigabitEthernet1/0/0]ipaddress192.168.1.124[FW1-GigabitEthernet1/0/0]quit[FW1]interfaceGigabitEthernet1/0/1[FW1-GigabitEthernet1/0/1]ipaddress192.168.2.124[FW1-GigabitEthernet1/0/1]quit#----加入到指定区域--------------------------------------------[FW1]firewallzonetrust[FW1-zone-trust]addinterfaceGigabitEthernet1/0/0[FW1]firewallzonedmz[FW1-zone-dmz]addinterfaceGigabitEthernet1/0/1

配置外网区域:然后配置外网地址,将Gig 1/0/2加入到untrust区域内

[FW1]interfaceGigabitEthernet1/0/2[FW1-GigabitEthernet1/0/2]ipaddress10.10.10.108[FW1]firewallzoneuntrust[FW1-zone-dmz]addinterfaceGigabitEthernet1/0/2

配置源NAT:配置原NAT地址转换,仅配置源地址访问内网 --> 公网的转换

#----配置源NAT转换---------------------------------------------[FW1]nat-policy//配置NAT地址转换[FW1-policy-nat]rulenamelyshark//指定策略名称[FW1-policy-nat-rule-lyshark]egress-interfaceGigabitEthernet1/0/2//外网接口IP[FW1-policy-nat-rule-lyshark]actionsource-nateasy-ip//源地址转换[FW1-policy-nat-rule-lyshark]displaythis#----放行相关安全策略------------------------------------------[FW1]security-policy[FW1-policy-security]rulenametrust_untrust[FW1-policy-security-rule]source-zonetrust[FW1-policy-security-rule]destination-zoneuntrust[FW1-policy-security-rule]actionpermit

配置目标NAT:外网访问10.10.10.10自动映射到内网的192.168.2.2这台主机上

#----NAT规则---------------------------------------------------#外网主机访问10.10.10.10主机自动映射到内部的192.168.2.2[FW1]firewalldetectftp[FW1]natserverlysharkglobal10.10.10.10inside192.168.2.2no-reverse#----放行规则---------------------------------------------------[FW1]security-policy//配置安全策略[FW1-policy-security]rulenameuntrs-DMZ//规则名称[FW1-policy-security-rule-untrs-DMZ]source-zoneuntrust//原安全区域(外部)[FW1-policy-security-rule-untrs-DMZ]destination-zonetrust//目标安全区域(内部)[FW1-policy-security-rule-untrs-DMZ]destination-address192.168.2.224[FW1-policy-security-rule-untrs-DMZ]serviceany[FW1-policy-security-rule-untrs-DMZ]actionpermit//放行配置[FW1-policy-security-rule-untrs-DMZ]quit

配成交换机（透明模式）

配置两台交换机:分别配置两台交换机,并划分到相应的VLAN区域内

#----配置LSW1交换机--------------------------------------------<Huawei>system-view[LSW1]vlan10//创建VLAN10[LSW1]quit[LSW1]interfaceEthernet0/0/1//将该接口配置为trunk[LSW1-Ethernet0/0/1]portlink-typetrunk[LSW1-Ethernet0/0/1]porttrunkallow-passvlan10//加入到vlan10[LSW1-Ethernet0/0/1]quit[LSW1]port-groupgroup-memberEth0/0/2toEth0/0/3[LSW1-port-group]portlink-typeaccess[LSW1-port-group]portdefaultvlan10[LSW1-port-group]quit#----配置LSW2交换机--------------------------------------------<Huawei>system-view[LSW2]vlan20[LSW1]quit[LSW2]interfaceEthernet0/0/1[LSW2-Ethernet0/0/1]portlink-typetrunk[LSW2-Ethernet0/0/1]porttrunkallow-passvlan20[LSW2-Ethernet0/0/1]quit[LSW2]port-groupgroup-memberEth0/0/2toEth0/0/3[LSW2-port-group]portlink-typeaccess[LSW2-port-group]portdefaultvlan20[LSW2-port-group]quit

配置防火墙:配置Gig1/0/0和Gig1/0/1接口为trunk模式,并分别配置好网关地址

[FW1]vlan10[FW1-vlan10]quit[FW1]vlan20[FW1-vlan20]quit#----配置防火墙接口地址-----------------------------------------[FW1]interfaceGigabitEthernet1/0/0[FW1-GigabitEthernet1/0/0]portswitch[FW1-GigabitEthernet1/0/0]portlink-typetrunk[FW1-GigabitEthernet1/0/0]porttrunkallow-passvlan10[FW1]interfaceGigabitEthernet1/0/1[FW1-GigabitEthernet1/0/1]portswitch[FW1-GigabitEthernet1/0/1]portlink-typetrunk[FW1-GigabitEthernet1/0/1]porttrunkallow-passvlan20#----分别给VLAN配置IP地址---------------------------------------[FW1]interfaceVlanif10[FW1-Vlanif10][FW1-Vlanif10]ipaddress192.168.10.1255.255.255.0[FW1-Vlanif10]aliasvlan10[FW1-Vlanif10]service-managepingpermit[FW1]interfaceVlanif20[FW1-Vlanif20][FW1-Vlanif20]ipaddress192.168.20.1255.255.255.0[FW1-Vlanif20]aliasvlan20[FW1-Vlanif20]service-managepingpermit

添加防火墙区域:将vlan10和vlan20添加到trust区域内

[FW1]firewallzonetrust[FW1-zone-trust]addinterfaceVlanif10[FW1-zone-trust]addinterfaceVlanif20

主备双机热备

放行所有数据包(两台墙):为了演示实验,需要手动放行数据包

#------------------------------------------------------------#将默认防火墙规则,设置为允许所有[FW1]security-policy[FW1-policy-security]rulenameanyall//指定规则名称[FW1-policy-security-rule-anyall]source-zoneany//源地址允许所有[FW1-policy-security-rule-anyall]destination-zoneany//目标地址允许所有[FW1-policy-security-rule-anyall]actionpermit//放行[FW1-policy-security-rule-anyall]quit[FW1-policy-security]quit#------------------------------------------------------------#将指定的接口加入到指定的区域内[FW1]firewallzonetrust//选择trust区域[FW1-zone-trust]addinterfaceGigabitEthernet1/0/0//添加内部的端口[FW1-zone-trust]quit[FW1]firewallzoneuntrust//添加untru区域[FW1-zone-untrust]addinterfaceGigabitEthernet1/0/1//添加外部接口[FW1-zone-trust]quit

配置IP地址(两台) ：给防火墙的两个接口配置好IP地址

#------------------------------------------------------------#配置防火墙FW1[FW1]interfaceGigabitEthernet1/0/0//选择内部接口[FW1-GigabitEthernet1/0/0]ipaddress192.168.1.25324//配置防火墙IP[FW1-GigabitEthernet1/0/0]service-managepingpermit//开启接口ping[FW1-GigabitEthernet1/0/0]quit[FW1]interfaceGigabitEthernet1/0/1[FW1-GigabitEthernet1/0/1]ipaddress10.10.10.208[FW1-GigabitEthernet1/0/1]service-managepingpermit[FW1-GigabitEthernet1/0/1]quit#------------------------------------------------------------#配置防火墙FW2[FW2]interfaceGigabitEthernet1/0/0//选择内部接口[FW2-GigabitEthernet1/0/0]ipaddress192.168.1.25424//配置防火墙IP[FW2-GigabitEthernet1/0/0]service-managepingpermit//开启接口ping[FW2-GigabitEthernet1/0/0]quit[FW2-GigabitEthernet1/0/0]quit[FW2]interfaceGigabitEthernet1/0/1[FW2-GigabitEthernet1/0/1]ipaddress10.10.10.308[FW2-GigabitEthernet1/0/1]service-managepingpermit[FW2-GigabitEthernet1/0/1]quit

开启源NAT地址:将内网数据映射到外网

#------------------------------------------------------------#配置防火墙FW1[FW1]nat-policy//配置NAT地址转换[FW1-policy-nat]rulenametru_untr//指定策略名称[FW1-policy-nat-rule-tru_untr]egress-interfaceGigabitEthernet1/0/1//外网接口IP[FW1-policy-nat-rule-tru_untr]actionsource-nateasy-ip//源地址转换[FW1-policy-nat-rule-tru_untr]displaythis#------------------------------------------------------------#配置防火墙FW2[FW2]nat-policy//配置NAT地址转换[FW2-policy-nat]rulenametru_untr//指定策略名称[FW2-policy-nat-rule-tru_untr]egress-interfaceGigabitEthernet1/0/1//外网接口IP[FW2-policy-nat-rule-tru_untr]actionsource-nateasy-ip//源地址转换[FW2-policy-nat-rule-tru_untr]displaythis

开启VRRP支持(两台)

#------------------------------------------------------------#配置防火墙FW1[FW1]interfaceGigabitEthernet1/0/0//选择内部接口[FW1-GigabitEthernet1/0/0]vrrpvrid1virtual-ip192.168.1.1active//配置虚拟接口为主[FW1-GigabitEthernet1/0/0]quit[FW1]interfaceGigabitEthernet1/0/1//选择外部接口[FW1-GigabitEthernet1/0/1]vrrpvrid2virtual-ip10.10.10.10active[FW1-GigabitEthernet1/0/1]quit#------------------------------------------------------------#配置防火墙FW12[FW2]interfaceGigabitEthernet1/0/0//选择内部接口[FW2-GigabitEthernet1/0/0]vrrpvrid1virtual-ip192.168.1.1standby//配置虚拟接口为备[FW2-GigabitEthernet1/0/0]quit[FW2]interfaceGigabitEthernet1/0/1[FW2-GigabitEthernet1/0/1]vrrpvrid2virtual-ip10.10.10.10standby[FW2-GigabitEthernet1/0/1]quit

HRP配置(两台):

#------------------------------------------------------------#配置防火墙FW1[FW1]hrpenableHRP_S[FW1]hrpinterfaceGigabitEthernet0/0/0remote172.16.1.2//指定接口和对端IPHRP_M[FW1]interfaceGigabitEthernet0/0/0//选择虚拟接口HRP_M[FW1-GigabitEthernet0/0/0]ipaddress172.16.1.124//配置本端IP地址#------------------------------------------------------------#配置防火墙FW2[FW2]hrpenableHRP_S[FW2]hrpstandby-deviceHRP_S[FW2]hrpinterfaceGigabitEthernet0/0/0remote172.16.1.1HRP_S[FW2]interfaceGigabitEthernet0/0/0HRP_S[FW2-GigabitEthernet0/0/0]ipaddress172.16.1.224

检查配置：

注意1：默认处于 standby 状态的设备不允许配置安全策略，只允许在主设

备配置安全策略，且安全策略会自动同步到备设备上面。

开启命令：hrp standby config enableHRP_M[FW1]displayhrpstateRole:active,peer:standbyRunningpriority:45000,peer:45000Corestate:normal,peer:normalBackupchannelusage:0.00%Stabletime:0days,0hours,0minutesLaststatechangeinformation:-05-061:37:41HRPcorestatechanged,old_state=abnormal(active),new_state=normal,local_priority=45000,peer_priority=45000.HRP_S[FW2]displayhrpstateRole:standby,peer:activeRunningpriority:45000,peer:45000Corestate:normal,peer:normalBackupchannelusage:0.00%Stabletime:0days,0hours,1minutesLaststatechangeinformation:-05-061:37:42HRPlinkchangestoup.

配置负载均衡

配置防火墙接口:

[FW1]interfaceGigabitEthernet1/0/0[FW1-GigabitEthernet1/0/0]ipaddress192.168.1.124[FW1-GigabitEthernet1/0/0]service-managepingpermit[FW1-GigabitEthernet1/0/0]service-managehttppermit[FW1-GigabitEthernet1/0/0]quit[FW1]interfaceGigabitEthernet1/0/1[FW1-GigabitEthernet1/0/1]ipaddress10.10.10.108[FW1-GigabitEthernet1/0/1]service-managepingpermit[FW1-GigabitEthernet1/0/1]service-managehttppermit[FW1-GigabitEthernet1/0/1]quit

加入相应的区域内:

[FW1]firewallzonetrust[FW1-zone-trust]addinterfaceGigabitEthernet1/0/0[FW1-zone-trust]quit[FW1]firewallzoneuntrust[FW1-zone-untrust]addinterfaceGigabitEthernet1/0/1[FW1-zone-untrust]quit

放行数据包:

[FW1]security-policy[FW1-policy-security]rulenameany_trust[FW1-policy-security-rule-any_trust]source-zoneany[FW1-policy-security-rule-any_trust]destination-zonetrust[FW1-policy-security-rule-any_trust]servicehttp[FW1-policy-security-rule-any_trust]serviceicmp[FW1-policy-security-rule-any_trust]actionpermit

配置负载均衡:

[FW1]slbenable//启用SLB服务[FW1]slb//进入SLB配置视图[FW1-slb]group1WebServer//创建服务器组webServer[FW1-slb-group-1]metricweight-least-connection//使用加权轮询算法#-------------------------------------------------------//以下为真实服务设置IP地址端口权重值别名//[FW1-slb-group-1]rserver1rip192.168.1.2port80weight1descriptionserver1[FW1-slb-group-1]rserver2rip192.168.1.3port80weight1descriptionserver2[FW1-slb-group-1]rserver3rip192.168.1.3port80weight1descriptionserver3[FW1-slb-group-1][FW1-slb-group-1]health-checktypeicmptx-interval5times3//配置服务健康检查参数[FW1-slb-group-1]persistencetypesource-ipaging-time180//配置会话保持时间[FW1-slb-group-1]quit//返回SLB视图[FW1-slb][FW1-slb]vserver1WebServer//创建虚拟服务器WebServer[FW1-slb-vserver-1]protocoltcp//配置虚拟服务器的协议类型[FW1-slb-vserver-1]vip110.10.10.100//设置虚拟服务器IP地址[FW1-slb-vserver-1]vport80//设置虚拟服务器端[FW1-slb-vserver-1]groupWebServer//关联真实服务器组[FW1-slb-vserver-1]quit//返回SLB视图