Published 24 January 2024 (author not listed)
1. Set the computer's IP address to 10.50.10.44, subnet mask 255.255.255.0, gateway 10.50.10.45, and connect it to port FE1 of the VPN gateway.
2. Open the Admin Cert directory on the CD that ships with the VPN gateway and double-click the certificate file SecGateAdmin.p12; the certificate import window opens.
Follow the prompts to install it: the password is "123456"; accept the defaults for everything else and the installation completes.
3. In Internet Explorer, enter 10.50.10.45:8889; the password is firewall.
4. This opens the VPN gateway management interface.
5. Choose System Configuration > Import/Export.
Click "Browse" and select the configuration file.
It looks like this:
# hardware version: SecGate 3600-F3(SJW79)A
# software version: 3.6.4.26
# hostname: SecGate
# serial number: f6f335072669bb05
defaddr delalladdr
defaddr add DMZ 0.0.0.0/0.0.0.0 comment "DMZ"
defaddr add Trust 0.0.0.0/0.0.0.0 comment "Trust"
defaddr add Untrust 0.0.0.0/0.0.0.0 comment "Untrust"
vpn set default prekey PleaseInputPrekey ikelifetime 28800 ipseclifetime 3600 vpnstatus on vpnbak off
vpn on
vpn add remote static main psk name xian addr 222.91.74.218 prekey PleaseInputPrekey ike 3des-sha1-dh5,aes-sha1-dh5 initiate on obey off nat_t on ikelifetime 28800 dpddelay 0 dpdtimeout 0
vpn add tunnel name xian_qianxian local 61.185.40.23 remote xian auth esp ipsec aes128-md5,3des-sha1 pfs on dh_group 5 ipseclifetime 3600 proxy_localip 0.0.0.0 proxy_localmask 0.0.0.0 proxy_remoteip 0.0.0.0 proxy_remotemask 0.0.0.0
anti synflood fe1 200
anti icmpflood fe1 1000
anti pingofdeath fe1 800
anti udpflood fe1 1000
anti pingsweep fe1 10
anti tcpportscan fe1 10
anti udpportscan fe1 10
anti synflood fe2 200
anti icmpflood fe2 1000
anti pingofdeath fe2 800
anti udpflood fe2 1000
anti pingsweep fe2 10
anti tcpportscan fe2 10
anti udpportscan fe2 10
anti synflood fe3 200
anti icmpflood fe3 1000
anti pingofdeath fe3 800
anti udpflood fe3 1000
anti pingsweep fe3 10
anti tcpportscan fe3 10
anti udpportscan fe3 10
anti synflood fe4 200
anti icmpflood fe4 1000
anti pingofdeath fe4 800
anti udpflood fe4 1000
anti pingsweep fe4 10
anti tcpportscan fe4 10
anti udpportscan fe4 10
sysif set fe1 speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off
sysif set fe2 speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off
sysif set fe3 speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off
sysif set fe4 speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off
sysip add fe1 10.50.10.45 255.255.255.0 ping off admin on adminping on traceroute on
sysip add fe4 61.185.40.23 255.255.255.128 ping on admin on adminping off traceroute off
sysip add fe3 172.24.40.100 255.255.255.0 ping on admin on adminping off traceroute off
vrrpbunch delay 10
route add droute any 61.185.40.1
mngglobal set cpu 80 mem 80 fs 80 rcomm "public" wcomm "private" trapc "public" username "snmpuser" level "AuthnoPriv" authpass "12345678" crypt "MD5"
mngglobal add snmpip 222.91.74.218
mngglobal on
logsrv set 222.91.74.218 514 udp
mngacct set admin password "firewall"
mngacct multi on
mngacct failtime 5 blocktime 30 period 120
dns set sysname SecGate
ipcftcheck off
longconn set 1800
statetable udp 20 icmp 5
statetable overtime establish 1800 syn 120
dnsrelay set auto
rdweb srcaddr any dstaddr any
rdweb dstport 80
vpn set dhcp active off dhcpserver 127.0.0.1 interface lo
timeout set web 600
bandwidth add p2p_band priority 3 minbw 60 maxbw 160 comment "建议仅用于P2P带宽限制"
ftpactive port20 keep off
tcpmss set 1460
defsvc set ftp ftp 21
defsvc set h323 h323 1720
defsvc set sqlnet sqlnet 1521
defsvc set sip sip 5060
defsvc set rtsp rtsp 554
defsvc set mms mms 1755
defsvc set pptp pptp 1723
defsvc set gk gk 1719
defsvc set tftp tftp 69
defsvc set ftp comment "文件传输协议"
defsvc set h323 comment "Netmeeting服务"
defsvc set sqlnet comment "oracle数据库网络连接"
defsvc set sip comment "基于sip协议的动态服务"
defsvc set rtsp comment "RTSP服务"
defsvc set mms comment "MMS服务"
defsvc set pptp comment "点到点隧道协议的动态服务"
defsvc set gk comment "H.323网守服务"
defsvc set tftp comment "TFTP协议"
defsvc set icmp icmp comment "ICMP服务"
defsvc set ping icmp type 8 comment "PING请求"
defsvc set pong icmp type 0 comment "PING回应"
defsvc set tcp proto tcp any any comment "tcp协议的所有服务"
defsvc set udp proto udp any any comment "udp协议的所有服务"
defsvc set gre proto 47 comment "封装协议"
defsvc set esp proto 50 comment "VPN加密认证协议"
defsvc set ah proto 51 comment "加密协议"
defsvc set vrrp proto 112 comment "HA负载均衡协议"
defsvc set ssh proto tcp any 22 comment "远程加密登录"
defsvc set telnet proto tcp any 23 comment "远程登录协议"
defsvc set smtp proto tcp any 25 comment "邮件发送服务"
defsvc set http proto tcp any 80 comment "www服务"
defsvc set pop3 proto tcp any 110 comment "邮件接收服务"
defsvc set ntp proto tcp any 123 comment "时间服务器服务"
defsvc set netbios proto tcp any 137 proto tcp any 139 proto udp any 137 proto udp any 138 comment "windows文件共享"
defsvc set dhcp proto udp any 67:68 proto tcp any 67:68 comment "dhcp & bootp"
defsvc set https proto tcp any 443 comment "https服务"
defsvc set pptp_server proto tcp any 1723 proto 47 comment "点到点隧道协议(用于防火墙作为PPTP服务器)"
defsvc set dns proto tcp any 53 proto udp any 53 comment "域名解析服务"
defsvc set snmp proto udp any 161 comment "简单网络管理协议"
defsvc set snmptrap proto udp any 162 comment "snmp trap发送服务"
defsvc set syslog proto udp any 514 comment "日志传输协议"
defsvc set oicqc proto udp any 4000 comment "QQ客户端打开端口"
defsvc set oicqs proto udp any 8000 comment "QQ服务器打开端口"
defsvc set secgate_auth proto tcp any 9998 proto udp any 9998 comment "SecGate安全网关用户认证"
defsvc set secgate_global proto tcp any 161 proto udp any 161 comment "SecGate安全网关集中管理"
defsvc set secgate_https proto tcp any 8889 proto tcp any 8888 comment "SecGate安全网关WEB管理"
defsvc set secgate_ha_conf proto tcp any 9223 proto udp any 9455 comment "SecGate安全网关HA功能配置同步服务"
defsvc set virus_blaster proto tcp any 135:139 proto udp any 135:139 proto tcp any 4444 proto udp any 69 comment "冲击波影响端口"
defsvc set virus_sasser proto tcp any 445 proto tcp any 1025 proto tcp any 1068 proto tcp any 5554 proto tcp any 9995:9996 proto udp any 9995:9996 comment "震荡波影响端口"
defsvc set virus_sqlworm proto udp any 1434 comment "SQL蠕虫影响端口"
defsvc set pcanywhere proto tcp any 5631:5632 proto udp any 5631:5632 comment "pcanywhere"
defsvc set lotusnote proto tcp any 1352 proto udp any 1352 comment "lotus notes"
defsvc set ike proto udp any 500 proto udp any 4500 comment "Internet密钥交换协议"
defsvc set l2tp proto udp any 1701 comment "第二层隧道协议"
defsvc set thunder proto tcp any 3075:3079 proto tcp 3075:3079 any comment "迅雷端口"
defproxy set http port 80 java permit javascript permit activex permit
defproxy set ftp port 21 get permit put permit multi permit
defproxy set telnet port 23
defproxy set smtp port 25 domain server maildomain mailserver 1.1.1.1 maxlength 5120 maxreceiver 5 sendinterval 10 sendamount 100
defproxy set pop3 port 110 maxlength 5120
ips atkresp onlog
ips backdoor onlog
ips info onlog
ips multimedia onlog
ips p2p onlog
ips porn onlog
ips scan onlog
ips virus onlog
ips webcf onlog
ips webcgi onlog
ips webclient onlog
ips webfp onlog
ips webiis onlog
ips webmisc onlog
ips webphp onlog
limitp2p set apple deny
limitp2p set ares deny
limitp2p set bt deny
limitp2p set dc deny
limitp2p set edonkey deny
limitp2p set gnu deny
limitp2p set kazaa deny
limitp2p set msn deny
limitp2p set qq deny
limitp2p set skype deny
limitp2p set soul deny
limitp2p set winmx deny
defdomain detect off
policy add permit id 1 name p1 in any out any service ike time none log on active on
policy add permit id 2 name 集中管理主机 from 222.91.74.218/255.255.255.255 to 219.145.109.30/255.255.255.255 in any out any service secgate_global time none log on active on
policy add permit id 3 name p2 from 172.24.40.0/255.255.255.0 to 192.168.5.0/255.255.255.0 in any out any time none log on tunnel xian_qianxian active on
policy add permit id 4 name p3 from 192.168.5.0/255.255.255.0 to 172.24.40.0/255.255.255.0 in any out any time none log on tunnel xian_qianxian active on
policy add nat id 5 name p5 from 172.24.40.0/255.255.255.0 sat 61.185.40.23 in any out any time none active on
wormfilter set sobig ignore
wormfilter set ramen ignore
wormfilter set welchia ignore
wormfilter set agobot ignore
wormfilter set opaserv ignore
wormfilter set blaster ignore
wormfilter set sadmind ignore
wormfilter set slapper ignore
wormfilter set novarg ignore
wormfilter set slammer ignore
wormfilter set zafi ignore
wormfilter set bofra ignore
wormfilter set dipnet ignore
wormfilter off
defantivirus set smtp discard on alarm on
defantivirus set smtpfile filenum 500 filesize 10 dirnum 8
defantivirus set pop3file filenum 500 filesize 10 dirnum 8
defantivirus set ftp discard on
defantivirus set ftpfile filenum 500 filesize 10 dirnum 8
defantivirus set http discard on
defantivirus set httpfile filesize 10 check html
defantivirus update off
policy stateless off
mnghost add 10.50.10.44 "出厂默认管理主机"
mnghost add 117.32.132.10
mnghost add 222.91.74.218
mnghost add 172.24.40.10
mnghost limitless on
authsrv local 9998 9998
authsrv radius 1.1.1.1 1812 1813 123456
authsrv on local
syncfg set if none state backup backupif off
stp set priority 32768
stp start
router rip interface fe1 auth off
router rip interface fe2 auth off
router rip interface fe3 auth off
router rip interface fe4 auth off
router rip set version 2 metric 16 update 30 garbage 120 timeout 180
router ospf interface fe1 auth off mode text passwd none cost 10
router ospf interface fe2 auth off mode text passwd none cost 10
router ospf interface fe3 auth off mode text passwd none cost 10
router ospf interface fe4 auth off mode text passwd none cost 10
router ospf set routerid 1 rfc1583 on
Save the above as a TXT text file.
A prompt to "restart the security gateway" then appears; click it.
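Before importing a dump like the one above, an operator would want to check it for placeholder and default credentials. The Python audit below is added here as an example; it is not part of the original article or of the vendor's software. It tokenizes the SecGate command lines and flags the settings a reviewer would change first: the PleaseInputPrekey placeholder, SNMP public/private communities, the admin and RADIUS passwords, unauthenticated RIP/OSPF, and "admin on" on the interface that faces the default gateway. The deny-list and the command layouts are assumptions read off this article's dump, not vendor documentation.

```python
import ipaddress
import shlex
# Constructed sample: a few lines copied from the configuration above, unwrapped.
SAMPLE_CONFIG = """\
# hostname: SecGate
vpn set default prekey PleaseInputPrekey ikelifetime 28800 ipseclifetime 3600 vpnstatus on vpnbak off
mngglobal set cpu 80 mem 80 fs 80 rcomm "public" wcomm "private" trapc "public" username "snmpuser" level "AuthnoPriv" authpass "12345678" crypt "MD5"
mngacct set admin password "firewall"
authsrv radius 1.1.1.1 1812 1813 123456
sysip add fe4 61.185.40.23 255.255.255.128 ping on admin on adminping off traceroute off
route add droute any 61.185.40.1
router ospf interface fe4 auth off mode text passwd none cost 10
"""
# Assumed deny-list of placeholders/defaults seen in the dump, and the keywords whose next token is a secret.
WEAK_SECRETS = {"PleaseInputPrekey", "public", "private", "123456", "12345678", "firewall"}
SECRET_KEYWORDS = ("prekey", "rcomm", "wcomm", "trapc", "authpass", "password")

def _value_after(tokens, keyword):
    """Return the token that follows `keyword`, or None if it is absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == keyword:
            return tokens[i + 1]
    return None

def audit_config(text):
    """Return [(line_no, finding), ...] for weak secrets and exposed management."""
    findings, ifaces, default_gw = [], {}, None
    for no, line in enumerate(text.splitlines(), 1):
        tok = shlex.split(line)  # honours the "quoted" values used in the dump
        if not tok or tok[0].startswith("#"):
            continue
        for kw in SECRET_KEYWORDS:
            if _value_after(tok, kw) in WEAK_SECRETS:
                findings.append((no, f"weak or placeholder value for '{kw}'"))
        # RADIUS secret is positional: authsrv radius <host> <authport> <acctport> <secret>
        if tok[:2] == ["authsrv", "radius"] and len(tok) >= 6 and tok[5] in WEAK_SECRETS:
            findings.append((no, "weak RADIUS shared secret"))
        # Unauthenticated RIP/OSPF accepts forged routing updates from any neighbour.
        if tok[:1] == ["router"] and "interface" in tok and _value_after(tok, "auth") == "off":
            findings.append((no, f"{tok[1]} on {_value_after(tok, 'interface')} has auth off"))
        if tok[:2] == ["sysip", "add"] and len(tok) >= 5:
            net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
            ifaces[tok[2]] = (no, net, _value_after(tok, "admin") == "on")
        if tok[:3] == ["route", "add", "droute"] and len(tok) >= 5:
            default_gw = ipaddress.ip_address(tok[4])
    # 'admin on' on the interface holding the default gateway exposes the 8889 UI externally unless mnghost restricts it.
    for name, (no, net, admin_on) in ifaces.items():
        if admin_on and default_gw is not None and default_gw in net:
            findings.append((no, f"management enabled on gateway-facing interface {name}"))
    return findings
```

Running audit_config(SAMPLE_CONFIG) yields nine findings for the sample; a clean dump returns an empty list.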
Title: 网神安全网关配置方法 (SecGate security gateway configuration method). Source: https://m.elefans.com/dongtai/1706087103a169967.html