




1. Set the computer's IP address to 4, mask, gateway 5, and connect it to the FE1 port of the VPN gateway.
2. Open the Admin Cert directory on the CD supplied with the VPN gateway and double-click the certificate file SecGateAdmin.p12; a window pops up. Follow the prompts to install it. The password is "123456"; leave everything else at the defaults and the installation will succeed.
3. In the IE browser, enter: 5:8889 and use the password firewall to enter the VPN gateway management interface.
4. Enter the VPN gateway management interface.
5. Select System Configuration, then Import/Export. Click "Browse" and select the configuration file fwconfig.txt.

fwconfig.txt is as follows:

```
# hardware version: SecGate 3600-F3(SJW79)A
# software version: 6
# hostname: SecGate
# serial number: f6f335072669bb05
defaddr delalladdr
defaddr add DMZ / comment DMZ
defaddr add Trust / comment Trust
defaddr add Untrust / comment Untrust
vpn set default prekey PleaseInputPrekey ikelifetime 28800 ipseclifetime 3600 vpnstatus on vpnbak off
vpn on
vpn add remote static main psk name xian addr 18 prekey PleaseInputPrekey ike 3des-sha1-dh5,aes-sha1-dh5 initiate on obey off nat_t on ikelifetime 28800 dpddelay 0 dpdtimeout 0
vpn add tunnel name xian_qianxian local 3 remote xian auth esp ipsec aes128-md5,3des-sha1 pfs on dh_group 5 ipseclifetime 3600 proxy_localip proxy_localmask proxy_remoteip proxy_remotemask
anti synflood fe1 200
anti icmpflood fe1 1000
anti pingofdeath fe1 800
anti udpflood fe1 1000
anti pingsweep fe1 10
anti tcpportscan fe1 10
anti udpportscan fe1 10
anti synflood fe2 200
anti icmpflood fe2 1000
anti pingofdeath fe2 800
anti udpflood fe2 1000
anti pingsweep fe2 10
anti tcpportscan fe2 10
anti udpportscan fe2 10
anti synflood fe3 200
anti icmpflood fe3 1000
anti pingofdeath fe3 800
anti udpflood fe3 1000
anti pingsweep fe3 10
anti tcpportscan fe3 10
anti udpportscan fe3 10
anti synflood fe4 200
anti icmpflood fe4 1000
anti pingofdeath fe4 800
anti udpflood fe4 1000
anti pingsweep fe4 10
anti tcpportscan fe4 10
anti udpportscan fe4 10
sysif set fe1 speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off
sysif set fe2 speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off
sysif set fe3 speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off
sysif set fe4 speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off
sysip add fe1 5 ping off admin on adminping on traceroute on
sysip add fe4 3 28 ping on admin on adminping off traceroute off
sysip add fe3 00 ping on admin on adminping off traceroute off
vrrpbunch delay 10
route add droute any
mngglobal set cpu 80 mem 80 fs 80 rcomm public wcomm private trapc public username snmpuser level AuthnoPriv authpass 12345678 crypt MD5
mngglobal add snmpip 18
mngglobal on
logsrv set 18 514 udp
mngacct set admin password firewall
mngacct multi on
mngacct failtime 5 blocktime 30 period 120
dns set
sysname SecGate
ipcftcheck off
longconn set 1800
statetable udp 20 icmp 5
statetable overtime establish 1800 syn 120
dnsrelay set auto
rdweb srcaddr any dstaddr any
rdweb dstport 80
vpn set dhcp active off dhcpserver interface lo
timeout set web 600
bandwidth add p2p_band priority 3 minbw 60 maxbw 160 comment recommended for P2P bandwidth limiting only
ftpactive port20 keep off
tcpmss set 1460
defsvc set ftp ftp 21
defsvc set h323 h323 1720
defsvc set sqlnet sqlnet 1521
defsvc set sip sip 5060
defsvc set rtsp rtsp 554
defsvc set mms mms 1755
defsvc set pptp pptp 1723
defsvc set gk gk 1719
defsvc set tftp tftp 69
defsvc set ftp comment File Transfer Protocol
defsvc set h323 comment Netmeeting service
defsvc set sqlnet comment Oracle database network connection
defsvc set sip comment dynamic service based on the SIP protocol
defsvc set rtsp comment RTSP service
defsvc set mms comment MMS service
defsvc set pptp comment dynamic service for the Point-to-Point Tunneling Protocol
defsvc set gk comment H.323 gatekeeper service
defsvc set tftp comment TFTP protocol
defsvc set icmp icmp comment ICMP service
defsvc set ping icmp type 8 comment PING request
defsvc set pong icmp type 0 comment PING reply
defsvc set tcp proto tcp any any comment all services of the tcp protocol
defsvc set udp proto udp any any comment all services of the udp protocol
defsvc set gre proto 47 comment encapsulation protocol
defsvc set esp proto 50 comment VPN encryption and authentication protocol
defsvc set ah proto 51 comment encryption protocol
defsvc set vrrp proto 112 comment HA load-balancing protocol
defsvc set ssh proto tcp any 22 comment encrypted remote login
defsvc set telnet proto tcp any 23 comment remote login protocol
defsvc set smtp proto tcp any 25 comment mail sending service
defsvc set http proto tcp any 80 comment www service
defsvc set pop3 proto tcp any 110 comment mail receiving service
defsvc set ntp proto tcp any 123 comment time server service
defsvc set netbios proto tcp any 137 proto tcp any 139 proto udp any 137 proto udp any 138 comment windows file sharing
defsvc set dhcp proto udp any 67:68 proto tcp any 67:68 comment dhcp & bootp
defsvc set https proto tcp any 443 comment https service
defsvc set pptp_server proto tcp any 1723 proto 47 comment Point-to-Point Tunneling Protocol (used when the firewall acts as a PPTP server)
defsvc set dns proto tcp any 53 proto udp any 53 comment domain name resolution service
defsvc set snmp proto udp any 161 comment Simple Network Management Protocol
defsvc set snmptrap proto udp any 162 comment snmp trap sending service
defsvc set syslog proto udp any 514 comment log transport protocol
defsvc set oicqc proto udp any 4000 comment port opened by the QQ client
defsvc set oicqs proto udp any 8000 comment port opened by the QQ server
defsvc set secgate_auth proto tcp any 9998 proto udp any 9998 comment SecGate security gateway user authentication
defsvc set secgate_global proto tcp any 161 proto udp any 161 comment SecGate security gateway centralized management
defsvc set secgate_https proto tcp any 8889 proto tcp any 8888 comment SecGate security gateway web management
defsvc set secgate_ha_conf proto tcp any 9223 proto udp any 9455 comment SecGate security gateway HA configuration synchronization service
defsvc set virus_blaster proto tcp any 135:139 proto udp any 135:139 proto tcp any 4444 proto udp any 69 comment ports affected by the Blaster worm
defsvc set virus_sasser proto tcp any 445 proto tcp any 1025 proto tcp any 1068 proto tcp any 5554 proto tcp any 9995:9996 proto udp any 9995:9996 comment ports affected by the Sasser worm
defsvc set virus_sqlworm proto udp any 1434 comment port affected by the SQL worm
defsvc set pcanywhere proto tcp any 5631:5632 proto udp any 5631:5632 comment pcanywhere
defsvc set lotusnote proto tcp any 1352 proto udp any 1352 comment lotus notes
defsvc set ike proto udp any 500 proto udp any 4500 comment Internet Key Exchange protocol
defsvc set l2tp proto udp any 1701 comment Layer 2 Tunneling Protocol
defsvc set thunder proto tcp any 3075:3079 proto tcp 3075:3079 any comment Thunder (Xunlei) ports
defproxy set http port 80 java permit javascript permit activex permit
defproxy set ftp port 21 get permit put permit multi permit
defproxy set telnet port 23
defproxy set smtp port 25 domain server maildomain mailserver maxlength 5120 maxreceiver 5 sendinterval 10 sendamount 100
defproxy set pop3 port 110 maxlength 5120
ips atkresp onlog
ips backdoor onlog
ips info onlog
ips multimedia onlog
ips p2p onlog
ips porn onlog
ips scan onlog
ips virus onlog
ips webcf onlog
ips webcgi onlog
ips webclient onlog
ips webfp onlog
ips webiis onlog
ips webmisc onlog
ips webphp onlog
limitp2p set apple deny
limitp2p set ares deny
limitp2p set bt deny
limitp2p set dc deny
limitp2p set edonkey deny
limitp2p set gnu deny
limitp2p set kazaa deny
limitp2p set msn deny
limitp2p set qq deny
limitp2p set skype deny
limitp2p set soul deny
limitp2p set winmx deny
defdomain detect off
policy add permit id 1 name p1 in any out any service ike time none log on active on
policy add permit id 2 name 集中管理主机 from 18/55 to 0/55 in any out any service secgate_global time none log on active on
policy add permit id 3 name p2 from / to / in any out any time none log on tunnel xian_qianxian active on
policy add permit id 4 name p3 from / to / in any out any time none log on tunnel xian_qianxian active on
policy add nat id 5 name p5 from / sat 3 in any out any time none active on
wormfilter set sobig ignore
wormfilter set ramen ignore
wormfilter set welchia ignore
wormfilter set agobot ignore
wormfilter set opaserv ignore
wormfilter set blaster ignore
wormfilter set sadmind ignore
wormfilter set slapper ignore
wormfilter set novarg ignore
wormfilter set slammer ignore
wormfilter set zafi ignore
wormfilter set bofra ignore
wormfilter set dipnet ignore
wormfilter off
defantivirus set smtp discard on alarm on
defantivirus set smtpfile filenum 500 filesize 10 dirnum 8
defantivirus set pop3file filenum 500 filesize 10 dirnum 8
defantivirus set ftp discard on
defantivirus set ftpfile filenum 500 filesize 10 dirnum 8
defantiv
```
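A defensive check for the configuration above, as an added example that is not part of the original document: it scans a fwconfig.txt-style dump for secrets that this walkthrough prints in clear text, for MD5 or 3DES proposals, and for default SNMP settings. The one-command-per-line layout and the names `audit`, `value`, `PUBLISHED` and `SAMPLE` are assumptions of the example.

```python
import re

# Constructed sample: five commands copied from the fwconfig.txt on this page,
# one per line (assumed layout of the real file; addresses are elided there).
SAMPLE = """\
vpn set default prekey PleaseInputPrekey ikelifetime 28800 ipseclifetime 3600 vpnstatus on vpnbak off
vpn add remote static main psk name xian addr 18 prekey PleaseInputPrekey ike 3des-sha1-dh5,aes-sha1-dh5 initiate on
vpn add tunnel name xian_qianxian local 3 remote xian auth esp ipsec aes128-md5,3des-sha1 pfs on dh_group 5
mngglobal set cpu 80 mem 80 fs 80 rcomm public wcomm private trapc public username snmpuser level AuthnoPriv authpass 12345678 crypt MD5
mngacct set admin password firewall
"""

# Secrets printed in this walkthrough; every reader of the page knows them.
PUBLISHED = {"PleaseInputPrekey", "firewall", "123456", "12345678"}
LEGACY = re.compile(r"md5|3des", re.I)  # deprecated hash / cipher names

def value(tokens, key):
    """Return the token that follows keyword `key`, or None if absent."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else None

def audit(text):
    """Return (line_no, finding) pairs, in file order, for risky settings."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        t = line.split()
        if not t or t[0].startswith("#"):
            continue  # skip blank lines and the header comments
        for key in ("prekey", "password", "authpass"):
            if value(t, key) in PUBLISHED:
                out.append((no, f"{key} value is printed in the walkthrough"))
        for key in ("ike", "ipsec"):
            for prop in (value(t, key) or "").split(","):
                if LEGACY.search(prop):
                    out.append((no, f"legacy {key} proposal {prop}"))
        if t[0] == "mngglobal":
            for key in ("rcomm", "wcomm", "trapc"):
                if value(t, key) in ("public", "private"):
                    out.append((no, f"SNMP {key} uses a default community"))
            if (value(t, "level") or "").lower() == "authnopriv":
                out.append((no, "SNMPv3 level has no privacy (encryption)"))
    return out

if __name__ == "__main__":
    for no, finding in audit(SAMPLE):
        print(f"line {no}: {finding}")
```

Run it against the exported file before importing it on a production gateway, and replace every flagged secret with a unique value.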