
Published 24 January 2024 (author: )

1. Set the computer's IP address to 10.50.10.44, mask 255.255.255.0, gateway 10.50.10.45, and connect it to the FE1 port of the VPN gateway.

2. Open the Admin Cert directory on the CD shipped with the VPN gateway and double-click the certificate file SecGateAdmin.p12; the following window appears.

Follow the prompts to install it; the password is "123456", and leaving everything else at the defaults completes the installation.

3. In Internet Explorer, enter 10.50.10.45:8889 (the password is firewall) to enter the VPN gateway management interface.

4. Enter the VPN gateway management interface.

5. Choose System Configuration -> Import/Export.

Click "Browse" and select the configuration file, which reads as follows:

# hardware version: SecGate 3600-F3(SJW79)A

# software version: 3.6.4.26

# hostname: SecGate

# serial number: f6f335072669bb05

defaddr delalladdr

defaddr add DMZ 0.0.0.0/0.0.0.0 comment "DMZ"

defaddr add Trust 0.0.0.0/0.0.0.0 comment "Trust"

defaddr add Untrust 0.0.0.0/0.0.0.0 comment "Untrust"

vpn set default prekey PleaseInputPrekey ikelifetime 28800 ipseclifetime 3600 vpnstatus on vpnbak off

vpn on

vpn add remote static main psk name xian addr 222.91.74.218 prekey PleaseInputPrekey ike 3des-sha1-dh5,aes-sha1-dh5 initiate on obey off nat_t on ikelifetime 28800 dpddelay 0 dpdtimeout 0

vpn add tunnel name xian_qianxian local 61.185.40.23 remote xian auth esp ipsec aes128-md5,3des-sha1 pfs on dh_group 5 ipseclifetime 3600 proxy_localip 0.0.0.0 proxy_localmask 0.0.0.0 proxy_remoteip 0.0.0.0 proxy_remotemask 0.0.0.0

anti synflood fe1 200

anti icmpflood fe1 1000

anti pingofdeath fe1 800

anti udpflood fe1 1000

anti pingsweep fe1 10

anti tcpportscan fe1 10

anti udpportscan fe1 10

anti synflood fe2 200

anti icmpflood fe2 1000

anti pingofdeath fe2 800

anti udpflood fe2 1000

anti pingsweep fe2 10

anti tcpportscan fe2 10

anti udpportscan fe2 10

anti synflood fe3 200

anti icmpflood fe3 1000

anti pingofdeath fe3 800

anti udpflood fe3 1000

anti pingsweep fe3 10

anti tcpportscan fe3 10

anti udpportscan fe3 10

anti synflood fe4 200

anti icmpflood fe4 1000

anti pingofdeath fe4 800

anti udpflood fe4 1000

anti pingsweep fe4 10

anti tcpportscan fe4 10

anti udpportscan fe4 10

sysif set fe1 speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off

sysif set fe2 speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off

sysif set fe3 speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off

sysif set fe4 speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off

sysip add fe1 10.50.10.45 255.255.255.0 ping off admin on adminping on traceroute on

sysip add fe4 61.185.40.23 255.255.255.128 ping on admin on adminping off traceroute off

sysip add fe3 172.24.40.100 255.255.255.0 ping on admin on adminping off traceroute off

vrrpbunch delay 10

route add droute any 61.185.40.1

mngglobal set cpu 80 mem 80 fs 80 rcomm "public" wcomm "private" trapc "public" username "snmpuser" level "AuthnoPriv" authpass "12345678" crypt "MD5"

mngglobal add snmpip 222.91.74.218

mngglobal on

logsrv set 222.91.74.218 514 udp

mngacct set admin password "firewall"

mngacct multi on

mngacct failtime 5 blocktime 30 period 120

dns set sysname SecGate

ipcftcheck off

longconn set 1800

statetable udp 20 icmp 5

statetable overtime establish 1800 syn 120

dnsrelay set auto

rdweb srcaddr any dstaddr any

rdweb dstport 80

vpn set dhcp active off dhcpserver 127.0.0.1 interface lo

timeout set web 600

bandwidth add p2p_band priority 3 minbw 60 maxbw 160 comment "建议仅用于P2P带宽限制"

ftpactive port20 keep off

tcpmss set 1460

defsvc set ftp ftp 21

defsvc set h323 h323 1720

defsvc set sqlnet sqlnet 1521

defsvc set sip sip 5060

defsvc set rtsp rtsp 554

defsvc set mms mms 1755

defsvc set pptp pptp 1723

defsvc set gk gk 1719

defsvc set tftp tftp 69

defsvc set ftp comment "文件传输协议"

defsvc set h323 comment "Netmeeting服务"

defsvc set sqlnet comment "oracle数据库网络连接"

defsvc set sip comment "基于sip协议的动态服务"

defsvc set rtsp comment "RTSP服务"

defsvc set mms comment "MMS服务"

defsvc set pptp comment "点到点隧道协议的动态服务"

defsvc set gk comment "H.323网守服务"

defsvc set tftp comment "TFTP协议"

defsvc set icmp icmp comment "ICMP服务"

defsvc set ping icmp type 8 comment "PING请求"

defsvc set pong icmp type 0 comment "PING回应"

defsvc set tcp proto tcp any any comment "tcp协议的所有服务"

defsvc set udp proto udp any any comment "udp协议的所有服务"

defsvc set gre proto 47 comment "封装协议"

defsvc set esp proto 50 comment "VPN加密认证协议"

defsvc set ah proto 51 comment "加密协议"

defsvc set vrrp proto 112 comment "HA负载均衡协议"

defsvc set ssh proto tcp any 22 comment "远程加密登录"

defsvc set telnet proto tcp any 23 comment "远程登录协议"

defsvc set smtp proto tcp any 25 comment "邮件发送服务"

defsvc set http proto tcp any 80 comment "www服务"

defsvc set pop3 proto tcp any 110 comment "邮件接收服务"

defsvc set ntp proto tcp any 123 comment "时间服务器服务"

defsvc set netbios proto tcp any 137 proto tcp any 139 proto udp any 137 proto udp any 138 comment "windows文件共享"

defsvc set dhcp proto udp any 67:68 proto tcp any 67:68 comment "dhcp & bootp"

defsvc set https proto tcp any 443 comment "https服务"

defsvc set pptp_server proto tcp any 1723 proto 47 comment "点到点隧道协议(用于防火墙作为PPTP服务器)"

defsvc set dns proto tcp any 53 proto udp any 53 comment "域名解析服务"

defsvc set snmp proto udp any 161 comment "简单网络管理协议"

defsvc set snmptrap proto udp any 162 comment "snmp trap发送服务"

defsvc set syslog proto udp any 514 comment "日志传输协议"

defsvc set oicqc proto udp any 4000 comment "QQ客户端打开端口"

defsvc set oicqs proto udp any 8000 comment "QQ服务器打开端口"

defsvc set secgate_auth proto tcp any 9998 proto udp any 9998 comment "SecGate安全网关用户认证"

defsvc set secgate_global proto tcp any 161 proto udp any 161 comment "SecGate安全网关集中管理"

defsvc set secgate_https proto tcp any 8889 proto tcp any 8888 comment "SecGate安全网关WEB管理"

defsvc set secgate_ha_conf proto tcp any 9223 proto udp any 9455 comment "SecGate安全网关HA功能配置同步服务"

defsvc set virus_blaster proto tcp any 135:139 proto udp any 135:139 proto tcp any 4444 proto udp any 69 comment "冲击波影响端口"

defsvc set virus_sasser proto tcp any 445 proto tcp any 1025 proto tcp any 1068 proto tcp any 5554 proto tcp any 9995:9996 proto udp any 9995:9996 comment "震荡波影响端口"

defsvc set virus_sqlworm proto udp any 1434 comment "SQL蠕虫影响端口"

defsvc set pcanywhere proto tcp any 5631:5632 proto udp any 5631:5632 comment "pcanywhere"

defsvc set lotusnote proto tcp any 1352 proto udp any 1352 comment "lotus notes"

defsvc set ike proto udp any 500 proto udp any 4500 comment "Internet密钥交换协议"

defsvc set l2tp proto udp any 1701 comment "第二层隧道协议"

defsvc set thunder proto tcp any 3075:3079 proto tcp 3075:3079 any comment "迅雷端口"

defproxy set http port 80 java permit javascript permit activex permit

defproxy set ftp port 21 get permit put permit multi permit

defproxy set telnet port 23

defproxy set smtp port 25 domain server maildomain mailserver 1.1.1.1 maxlength 5120 maxreceiver 5 sendinterval 10 sendamount 100

defproxy set pop3 port 110 maxlength 5120

ips atkresp onlog

ips backdoor onlog

ips info onlog

ips multimedia onlog

ips p2p onlog

ips porn onlog

ips scan onlog

ips virus onlog

ips webcf onlog

ips webcgi onlog

ips webclient onlog

ips webfp onlog

ips webiis onlog

ips webmisc onlog

ips webphp onlog

limitp2p set apple deny

limitp2p set ares deny

limitp2p set bt deny

limitp2p set dc deny

limitp2p set edonkey deny

limitp2p set gnu deny

limitp2p set kazaa deny

limitp2p set msn deny

limitp2p set qq deny

limitp2p set skype deny

limitp2p set soul deny

limitp2p set winmx deny

defdomain detect off

policy add permit id 1 name p1 in any out any service ike time none log on active on

policy add permit id 2 name 集中管理主机 from 222.91.74.218/255.255.255.255 to 219.145.109.30/255.255.255.255 in any out any service secgate_global time none log on active on

policy add permit id 3 name p2 from 172.24.40.0/255.255.255.0 to 192.168.5.0/255.255.255.0 in any out any time none log on tunnel xian_qianxian active on

policy add permit id 4 name p3 from 192.168.5.0/255.255.255.0 to 172.24.40.0/255.255.255.0 in any out any time none log on tunnel xian_qianxian active on

policy add nat id 5 name p5 from 172.24.40.0/255.255.255.0 sat 61.185.40.23 in any out any time none active on

wormfilter set sobig ignore

wormfilter set ramen ignore

wormfilter set welchia ignore

wormfilter set agobot ignore

wormfilter set opaserv ignore

wormfilter set blaster ignore

wormfilter set sadmind ignore

wormfilter set slapper ignore

wormfilter set novarg ignore

wormfilter set slammer ignore

wormfilter set zafi ignore

wormfilter set bofra ignore

wormfilter set dipnet ignore

wormfilter off

defantivirus set smtp discard on alarm on

defantivirus set smtpfile filenum 500 filesize 10 dirnum 8

defantivirus set pop3file filenum 500 filesize 10 dirnum 8

defantivirus set ftp discard on

defantivirus set ftpfile filenum 500 filesize 10 dirnum 8

defantivirus set http discard on

defantivirus set httpfile filesize 10 check html

defantivirus update off

policy stateless off

mnghost add 10.50.10.44 "出厂默认管理主机"

mnghost add 117.32.132.10

mnghost add 222.91.74.218

mnghost add 172.24.40.10

mnghost limitless on

authsrv local 9998 9998

authsrv radius 1.1.1.1 1812 1813 123456

authsrv on local

syncfg set if none state backup backupif off

stp set priority 32768

stp start

router rip interface fe1 auth off

router rip interface fe2 auth off

router rip interface fe3 auth off

router rip interface fe4 auth off

router rip set version 2 metric 16 update 30 garbage 120 timeout 180

router ospf interface fe1 auth off mode text passwd none cost 10

router ospf interface fe2 auth off mode text passwd none cost 10

router ospf interface fe3 auth off mode text passwd none cost 10

router ospf interface fe4 auth off mode text passwd none cost 10

router ospf set routerid 1 rfc1583 on

Save the above as a TXT text file.

A prompt reading "Restart the security gateway" then appears; click it.
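Before importing a configuration like the one above, a defender would want to flag the default and weak settings it carries (the admin password firewall, the PleaseInputPrekey placeholder, the public/private SNMP communities, 3DES and MD5 transforms, RIP and OSPF with authentication off, a six-digit RADIUS secret). The check below is an added example, not part of the original page or of the SecGate product; the finding ids and the 16-character RADIUS secret threshold are my own choices, and it runs over an excerpt of the exported configuration shown above.

```python
import re

# Excerpt of the exported SecGate configuration shown above, embedded here as the
# sample input for the check (a real run would read the full saved TXT file).
SAMPLE_CONFIG = """\
# hostname: SecGate
vpn set default prekey PleaseInputPrekey ikelifetime 28800 ipseclifetime 3600 vpnstatus on vpnbak off
vpn add remote static main psk name xian addr 222.91.74.218 prekey PleaseInputPrekey ike 3des-sha1-dh5,aes-sha1-dh5 initiate on obey off nat_t on ikelifetime 28800 dpddelay 0 dpdtimeout 0
vpn add tunnel name xian_qianxian local 61.185.40.23 remote xian auth esp ipsec aes128-md5,3des-sha1 pfs on dh_group 5 ipseclifetime 3600
mngglobal set cpu 80 mem 80 fs 80 rcomm "public" wcomm "private" trapc "public" username "snmpuser" level "AuthnoPriv" authpass "12345678" crypt "MD5"
mngacct set admin password "firewall"
authsrv radius 1.1.1.1 1812 1813 123456
router rip interface fe1 auth off
router ospf interface fe1 auth off mode text passwd none cost 10
"""

# Finding ids are labels chosen for this example; each regex targets one command
# form that appears in the exported file.
RULES = [
    ("default-admin-password", re.compile(r'^mngacct set admin password "firewall"$')),
    ("placeholder-psk", re.compile(r"\bprekey PleaseInputPrekey\b")),
    ("default-snmp-community", re.compile(r'\b(rcomm|wcomm|trapc) "(public|private)"')),
    ("snmpv3-no-privacy", re.compile(r'level "AuthnoPriv"')),
    ("legacy-ike-transform", re.compile(r"\bike \S*(3des|md5)")),
    ("legacy-ipsec-transform", re.compile(r"\bipsec \S*(3des|md5)")),
    ("unauthenticated-routing", re.compile(r"^router (rip|ospf) interface \S+ auth off")),
]
RADIUS = re.compile(r"^authsrv radius \S+ \d+ \d+ (\S+)$")


def audit(config_text):
    """Return [(finding_id, line)] for every config line that trips a rule."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the '# hardware version' style header
        for finding_id, pattern in RULES:
            if pattern.search(line):
                findings.append((finding_id, line))
        m = RADIUS.match(line)
        # RADIUS shared secret: flag short or all-numeric values (threshold is my choice)
        if m and (len(m.group(1)) < 16 or m.group(1).isdigit()):
            findings.append(("weak-radius-secret", line))
    return findings


if __name__ == "__main__":
    for finding_id, line in audit(SAMPLE_CONFIG):
        print(f"{finding_id:24s} {line[:70]}")
```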
