Next Generation Firewall (NGFW)

A Next Generation Firewall (NGFW) is a new-generation firewall that inspects the traffic passing through it on the basis of application identification, user identification and content identification, and so provides real visibility and control.
1. General device configuration.
Let's configure the device names and IP addresses.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]int GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[R1-GigabitEthernet0/0/0]quit
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname S1
2. Let's configure the interfaces in use on the device as access ports.
[SRG]interface GigabitEthernet 1/0/1
[SRG-GigabitEthernet1/0/1]portswitch
[SRG-GigabitEthernet1/0/1]port link-type access
[SRG-GigabitEthernet1/0/1]quit
[SRG]interface GigabitEthernet 1/0/2
[SRG-GigabitEthernet1/0/2]portswitch
[SRG-GigabitEthernet1/0/2]port link-type access
[SRG-GigabitEthernet1/0/2]quit
[SRG]pair-interface 1 GigabitEthernet1/0/1 GigabitEthernet1/0/2

Connect the cable coming from the Ethernet switch to the trusted network, that is, to the first interface. The second interface is the untrusted network.
[SRG]firewall zone trust
[SRG-zone-trust]set priority 85
[SRG-zone-trust]add interface GigabitEthernet1/0/1
[SRG-zone-trust]quit
[SRG]firewall zone untrust
[SRG-zone-untrust]set priority 5
[SRG-zone-untrust]add interface GigabitEthernet1/0/2
[SRG-zone-untrust]quit

Let's create the device's security policy.
[SRG]security-policy
[SRG-policy-security]rule name PERMIT_ANY
[SRG-policy-security-rule-PERMIT_ANY]source-zone any
[SRG-policy-security-rule-PERMIT_ANY]destination-zone any
[SRG-policy-security-rule-PERMIT_ANY]action permit

Final configuration:
interface GigabitEthernet1/0/1
portswitch
port link-type access
#
interface GigabitEthernet1/0/2
portswitch
port link-type access
#
pair-interface 1 GigabitEthernet1/0/1 GigabitEthernet1/0/2
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
security-policy
rule name PERMIT_ANY
source-zone any
destination-zone any
action permit
#
return
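A small audit of a configuration in this form, added here as an example and not part of the original post: it splits a VRP-style configuration into its `#`-delimited blocks, extracts the security-policy rules and zone memberships, and reports any rule that permits any zone to any zone (as PERMIT_ANY above does) and any paired interface that belongs to no zone. The sample input is a constructed copy of the final configuration above.

```python
import re

# Constructed sample input: the final configuration from the page, joined into one string.
SAMPLE = "\n".join([
    "interface GigabitEthernet1/0/1", "portswitch", "port link-type access", "#",
    "interface GigabitEthernet1/0/2", "portswitch", "port link-type access", "#",
    "pair-interface 1 GigabitEthernet1/0/1 GigabitEthernet1/0/2", "#",
    "firewall zone trust", "set priority 85", "add interface GigabitEthernet1/0/1", "#",
    "firewall zone untrust", "set priority 5", "add interface GigabitEthernet1/0/2", "#",
    "security-policy", "rule name PERMIT_ANY", "source-zone any",
    "destination-zone any", "action permit", "#", "return",
])

def parse_sections(text):
    """Split a VRP-style config on lines holding only '#'; drop blanks and the trailing 'return'."""
    chunks = re.split(r"^\s*#\s*$", text, flags=re.MULTILINE)
    blocks = [[ln.strip() for ln in chunk.splitlines() if ln.strip()] for chunk in chunks]
    return [b for b in blocks if b and b != ["return"]]

def parse_rules(blocks):
    """Collect security-policy rules as dicts keyed by keyword (source-zone, action, ...)."""
    rules = []
    for block in (b for b in blocks if b[0] == "security-policy"):
        for line in block[1:]:
            if line.startswith("rule name "):
                rules.append({"name": line.split(None, 2)[2]})
            elif rules:
                key, _, value = line.partition(" ")
                rules[-1][key] = value
    return rules

def audit(text):
    """Return findings: any-to-any permit rules and pair-interface members outside every zone."""
    blocks = parse_sections(text)
    findings = []
    for rule in parse_rules(blocks):
        if (rule.get("action") == "permit" and rule.get("source-zone") == "any"
                and rule.get("destination-zone") == "any"):
            findings.append(f"rule {rule['name']}: permits any source zone to any destination zone")
    zoned = {line.split()[-1] for b in blocks if b[0].startswith("firewall zone ")
             for line in b if line.startswith("add interface ")}
    for b in blocks:
        if b[0].startswith("pair-interface "):
            for ifname in b[0].split()[2:]:
                if ifname not in zoned:
                    findings.append(f"{ifname}: in pair-interface but not in any zone")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Restricting the rule to `source-zone trust` / `destination-zone untrust` (or tighter) clears the first finding; the script is a check on the saved configuration, not a replacement for the device's own policy verification.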