SonicWALL防火墻標(biāo)準(zhǔn)版配置

SonicWall標(biāo)準(zhǔn)版網(wǎng)絡(luò)向?qū)渲?...................................................1

SonicWall標(biāo)準(zhǔn)版規(guī)則向?qū)渲?...................................................7

SonicWall標(biāo)準(zhǔn)版一般規(guī)則向?qū)渲?...........................................7

SonicWall標(biāo)準(zhǔn)版服務(wù)器規(guī)則向?qū)渲?........................................12

SonicWall標(biāo)準(zhǔn)版一般規(guī)則干脆配置...............................................15

SonicWall標(biāo)準(zhǔn)版服務(wù)器1對(duì)1NAT配置...........................................18

SonicWall標(biāo)準(zhǔn)版透亮模式配置...................................................19

SonicWall標(biāo)準(zhǔn)版網(wǎng)絡(luò)向?qū)渲?/p>

首次接觸SonicWALL防火墻設(shè)備,我們將電源接上,并開(kāi)啟電源開(kāi)關(guān),將X0口和你

的電腦相連(注:請(qǐng)用交叉線),SonicWALL防火墻默認(rèn)的IP地址為68,我

們也可以通過(guò)setuptool.exe這個(gè)小工具探知SonicWALL防火墻的IP地址。如圖所示:

當(dāng)網(wǎng)線和電源等都連接好之后,我們?cè)O(shè)置一下本機(jī)的IP地址,以便和SonicWALL防火

墻處于同一個(gè)網(wǎng)段。如圖所示:

[Screenshot: Windows "Local Area Connection Properties" dialog, used to set the PC's IP address]

設(shè)置好IP地址后,我們?cè)贗E閱讀器的地址欄輸入SonicWALL防火墻的IP地址,

后退,。?國(guó)圖匕/技索☆收《陜S

點(diǎn)next,提示我們是否修改管理員密碼,

http://192.168.168.168 - SonicWALL - Setup Wizard - Microsoft Internet Explorer

Step 1: Change Password

You must change the administrator password for your SonicWALL.
Please select a strong password. A strong password should be a combination of numbers and letters up to 32 characters long.
The password you select will be case-sensitive. It should not be a word that appears in the dictionary, and it should not contain personal information such as birth dates, names of relatives, or license plate numbers. It should be something easy to remember, but difficult to guess, such as "111k3ch33s3".
To continue, click Next.

< Back | Next > | Cancel

The walkthrough leaves the password unchanged for now and clicks Next. Do not do this on a unit that is about to be connected to the ISP: the factory admin password is public knowledge, which is why the wizard insists on a change. The next step asks for the firewall's time zone; select the time zone for China.

Step 2: Change Time Zone

Select the Time Zone for your SonicWALL.
SonicWALL's internal clock will be automatically configured by accessing a Network Time server on the Internet.
Please select your Time Zone from the pull-down menu.

Time Zone: China, Indonesia, Philippines, Australia (GMT+8)
[ ] Automatically adjust clock for daylight saving time

To continue, click Next.

Click Next; the wizard asks how the WAN port obtains its address. Contact your ISP and choose the matching type; a static address is used as the example here.

Click Next and enter the details: IP address, subnet mask, gateway, DNS servers and so on. If you do not know what to enter here, contact your ISP.

Step 4: WAN Network Mode: NAT Enabled

Fill in the following network settings to get to the Internet.
You will need to fill in the following fields to connect to the Internet.
All these values must be entered as numerical IP addresses.
If you do not have the information, please contact your ISP.

SonicWALL WAN IP Address:          192.168.121.10
WAN Subnet Mask:                   255.255.255.0
Gateway (Router) Address:          (left blank in the screenshot)
DNS Server Address:                61.139.2.69
DNS Server Address #2 (optional):

To continue, click Next.

< Back | Next > | Cancel

Click Next; the wizard asks for the LAN port's IP address and subnet mask. Set these according to your own addressing plan and the actual network; nothing is changed in this example.

Click Next; the firewall asks whether to enable the DHCP server on the LAN port and whether to keep the default address range. Adjust as needed: enable or disable the server and set the address range, as shown below:

http://192.168.168.168 - SonicWALL - Setup Wizard - Microsoft Internet Explorer

Step 6: LAN DHCP Settings

You can enable and configure your SonicWALL's DHCP Server on the LAN.
If you wish to use SonicWALL's DHCP server on the LAN, check the "Enable DHCP Server on LAN" checkbox below and enter a range of IP addresses to assign to the network devices.
The address range must be in the same subnet as the SonicWALL Web Management address, currently 192.168.168.168.
The range below already exists. You may change it here if you wish.

[ ] Enable DHCP Server on LAN
LAN Address Range: 192.168.168.1 to 192.168.168.167

To continue, click Next.

< Back | Next > | Cancel

Click Next; the firewall shows a summary of the settings made so far so that they can be checked once more. If anything does not match reality, click Back to correct it. With the settings made above, the firewall runs in NAT mode: when a PC on the LAN reaches the Internet beyond the WAN port, its source IP address is translated to the WAN port's address.

Click Apply to put the settings into effect. The firewall then has to be restarted; click Restart.

Setup Wizard Complete

Your SonicWALL was successfully configured.

Congratulations!
You have successfully completed the SonicWALL Setup Wizard.
Additional and advanced configuration options can be found in the SonicWALL Web Management Interface.

Remember, from now on you will contact the Web Management Interface at:
URL: http://192.168.168.168
User Name: admin
Password: <set as previously>

After you complete this wizard, you should register your SonicWALL at SonicWALL's website. This will be necessary before you can take advantage of firmware updates and other optional features.

It is now necessary to restart the unit.
To restart the SonicWALL, click Restart.

[Restart]

Once the configuration is done, connect the firewall's X1 port to the cable coming in from the ISP and the X0 port to the internal switch. Then pick a machine on the internal network and test whether it can reach the Internet:

C:\>ping

Pinging www.cache.split.netease.com [220.181.28.52] with 32 bytes of data:

Reply from 220.181.28.52: bytes=32 time=52ms TTL=52
Reply from 220.181.28.52: bytes=32 time=51ms TTL=52
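The wizard only checks that each field is a numeric address; whether the values fit together (gateway inside the WAN subnet, DHCP range inside the LAN subnet and clear of the management address, WAN and LAN subnets not overlapping) is left to the person typing, and a mistake there is only discovered by the ping test. The following Python script, added here as an example and not part of the original manual or of SonicWALL's tooling, runs those checks over the values from the wizard screens above. The gateway was blank in the screenshot, so 192.168.121.1 is an assumed value; the LAN address and DHCP range are taken from the Step 6 screen.

```python
import ipaddress

# Values as entered in the wizard screens above. The gateway field was blank
# in the screenshot, so 192.168.121.1 is an assumed placeholder value.
WAN = {
    "ip": "192.168.121.10",
    "mask": "255.255.255.0",
    "gateway": "192.168.121.1",    # assumed, not from the page
    "dns": ["61.139.2.69"],
}
LAN = {
    "ip": "192.168.168.168",       # web management address
    "mask": "255.255.255.0",
    "dhcp_enabled": True,
    "dhcp_begin": "192.168.168.1",
    "dhcp_end": "192.168.168.167",
}


def subnet_of(ip, mask):
    """Subnet that an address/netmask pair belongs to."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def check_wan(wan):
    """Problems with the static WAN settings; an empty list means they are consistent."""
    problems = []
    net = subnet_of(wan["ip"], wan["mask"])
    ip = ipaddress.ip_address(wan["ip"])
    if ip in (net.network_address, net.broadcast_address):
        problems.append(f"WAN IP {ip} is the network or broadcast address of {net}")
    if not wan["gateway"]:
        problems.append("gateway (router) address is not set")
    else:
        gw = ipaddress.ip_address(wan["gateway"])
        if gw not in net:
            problems.append(f"gateway {gw} is not inside WAN subnet {net}")
        elif gw == ip:
            problems.append("gateway must not equal the WAN IP")
    if not wan["dns"]:
        problems.append("at least one DNS server is required")
    for entry in wan["dns"]:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"DNS server {entry!r} is not a numeric IP address")
    return problems


def check_lan(lan, wan):
    """Problems with the LAN / DHCP settings, checked against the WAN side too."""
    problems = []
    lan_net = subnet_of(lan["ip"], lan["mask"])
    wan_net = subnet_of(wan["ip"], wan["mask"])
    # An ISP that hands out private addresses can collide with the default LAN
    # subnet; NAT cannot route between two identical subnets.
    if lan_net.overlaps(wan_net):
        problems.append(f"LAN subnet {lan_net} overlaps WAN subnet {wan_net}")
    if lan["dhcp_enabled"]:
        begin = ipaddress.ip_address(lan["dhcp_begin"])
        end = ipaddress.ip_address(lan["dhcp_end"])
        mgmt = ipaddress.ip_address(lan["ip"])
        if begin > end:
            problems.append("DHCP range begins after it ends")
        if begin not in lan_net or end not in lan_net:
            problems.append(f"DHCP range is not within the management subnet {lan_net}")
        if begin <= mgmt <= end:
            problems.append(f"DHCP range includes the management address {mgmt}")
        if begin == lan_net.network_address or end == lan_net.broadcast_address:
            problems.append("DHCP range includes the network or broadcast address")
    return problems


def validate(wan, lan):
    """All findings, keyed by the wizard step they belong to."""
    return {"wan": check_wan(wan), "lan": check_lan(lan, wan)}


if __name__ == "__main__":
    for step, found in validate(WAN, LAN).items():
        print(step, "OK" if not found else found)
```

Run it before clicking Apply; every message names the field to go back to with the Back button.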

SonicWall標(biāo)準(zhǔn)版規(guī)則向?qū)渲?/p>

SonicWall標(biāo)準(zhǔn)版一般規(guī)則向?qū)渲?/p>

當(dāng)我們做如上的配置后,此時(shí)的策略是默認(rèn)允許內(nèi)網(wǎng)的全部機(jī)器可以隨意的訪問(wèn)外網(wǎng),

為了符合公司的平安策略,我們假如要相關(guān)的平安策略,限制一些訪問(wèn)的協(xié)議。通常有兩種

做法:一種是先限制全部的協(xié)議,在逐步開(kāi)放須要訪問(wèn)的協(xié)議;另一種是先開(kāi)放全部的協(xié)議,

在逐步禁止不能訪問(wèn)的協(xié)議。

我們以其次種方式為例。選擇firewall,

Firewall > Access Rules                                         [Rule Wizard...]
Items 1 to 8 (of 8)

Note: Use the Rule Wizard to help you create a rule that allows access to a web server, mail server, or other server from the Internet.

Default rule list (rows as they appear in the more legible rule lists further below):

Priority  Source   Destination               Service            Action
1         LAN      192.168.168.168 (LAN)     HTTPS Management   Allow
2         LAN      192.168.168.168 (LAN)     HTTP Management    Allow
3         DMZ      LAN                       NetBIOS            Allow
4         DMZ      LAN                       Kerberos           Allow
5         DMZ      WAN                       Any                Allow
6         WAN      DMZ                       Any                Deny
7         LAN      *                         Any                Allow
8         *        LAN                       Any                Deny

Click Rule Wizard at the top right, or click Add directly; here the rule wizard is used as the example:

Welcome to the SonicWALL Network Access Rule Wizard

This Wizard will help you create a new Network Access Rule.
Please see the User's Guide for more details.
To continue, click Next.

Next > | Cancel

Click Next and choose the rule type. A Public Server Rule is for a server in the DMZ or on the LAN that must be published externally, that is, a port mapping that lets PCs on the WAN side reach our server. A General Rule is the kind stressed earlier: restricting what the LAN or DMZ may reach on the outside. That is our case, so select General Rule.

Step 1: Access Rule Type

What type of network access rule do you wish to create?
The Public Server option will help you create a rule that allows access to a web server, mail server, or other server from the Internet.
Select the General option if you would like to specify other types of network access rules.

Select the type of network access rule to create:
( ) Public Server Rule
(o) General Rule

You have the option of adding a comment to help you distinguish between different rules:
Comment:

To continue, click Next.

< Back | Next > | Cancel

Click Next and choose the protocol or service to restrict; here Web (HTTP) is selected:

Step 2: Access Rule Service

Which service do you wish to allow or deny?
Network access rules are used to allow or deny access to services running on your network. The service may be a well-known service such as HTTP, or it may be a custom service that you create.

Select the service to use by this rule:  Web (HTTP)

To continue, click Next.

< Back | Next > | Cancel

Click Next and choose the action for web traffic. Because a default rule already lets the LAN reach anything on the outside, select Deny to restrict it. The same screen sets the TCP connection inactivity timeout, 15 minutes by default; change it if needed, otherwise keep the default.

Step 3: Access Rule Action

Do you want to allow or deny access with this rule?
You can choose to allow or deny all traffic for this service.
The Inactivity timeout will close an inactive established TCP connection for this rule after the time specified below.

Select the action for this rule:  ( ) Allow  (o) Deny
TCP Connection Inactivity Timeout (minutes):

To continue, click Next.

< Back | Next > | Cancel

Click Next and set the rule's source interface and source IP address as required. Here the LAN host 192.168.168.2 is the one being restricted:

Step 4: Access Rule Source Interface and Address

Choose the source interface and IP address for this rule.
This rule will be applied to traffic originating from the IP address or address range connected to the specified interface(s).
Specify the source interface(s) as well as the source address or address range for this rule.
Enter '*' if you wish to specify all possible addresses.

Interface:         LAN
IP Address Begin:  192.168.168.2
IP Address End:    192.168.168.2

To continue, click Next.

< Back | Next > | Cancel

Click Next and choose the destination interface and destination IP address; '*' means any address.

Step 5: Access Rule Destination Interface and Address

Choose the destination interface and IP address for this rule.
This rule will be applied to traffic destined for the IP address or address range connected to the specified interface(s).
Specify the destination interface(s) as well as the destination address or address range for this rule.
Enter '*' if you do not wish to specify an address.

Interface:         WAN
IP Address Begin:  *
IP Address End:    *

To continue, click Next.

< Back | Next > | Cancel

Click Next; this screen sets when the rule is in force. The default is always; change the schedule if needed.

Step 6: Access Rule Time

When do you want to apply this rule?

Click Next; all options for the rule are now set.

Congratulations!
You have successfully completed the access rule wizard.
Click Apply to create the new rule and store the new configuration.
To add the new rule, click Apply.

< Back | Apply | Cancel

Click Apply and the rule takes effect. It appears as the topmost entry in the rule list: that is the rule just created through the wizard. Its position matters, because rules are matched from the top down and the first match decides; a Deny placed below the default LAN → * Allow would never be reached.

SonicWall標(biāo)準(zhǔn)版服務(wù)器規(guī)則向?qū)渲?/p>

假如我們?cè)贒MZ區(qū)或者LAN區(qū)還有一些服務(wù)器須要對(duì)外發(fā)布,那么,我們也須要添加

相關(guān)的規(guī)則,以允許來(lái)自外網(wǎng)的訪問(wèn)。以web服務(wù)為例,通過(guò)規(guī)則向?qū)?lái)配置,如下:

點(diǎn)rulewizard,

點(diǎn)next,選擇publicserverrule

Step 1: Access Rule Type

What type of network access rule do you wish to create?
The Public Server option will help you create a rule that allows access to a web server, mail server, or other server from the Internet.
Select the General option if you would like to specify other types of network access rules.

Select the type of network access rule to create:
(o) Public Server Rule
( ) General Rule

You have the option of adding a comment to help you distinguish between different rules:
Comment:

To continue, click Next.

< Back | Next > | Cancel

Click Next, choose the type of service to publish (Web here), enter the server's IP address and select the interface it sits on, LAN in this case.

Click Next,

Congratulations!
You have successfully completed the access rule wizard.
Click Apply to create the new rule and store the new configuration.
To add the new rule, click Apply.

< Back | Apply | Cancel

Click Apply and the rule takes effect:

Access Rules                                    Items 1 to 10 (of 10)

Note: Use the Rule Wizard to help you create a rule that allows access to a web server, mail server, or other server from the Internet.

Priority  Source                 Destination               Service            Action
1         192.168.168.2 (LAN)    WAN                       Web (HTTP)         Deny
2         LAN                    192.168.168.168 (LAN)     HTTPS Management   Allow
3         LAN                    192.168.168.168 (LAN)     HTTP Management    Allow
4         *                      192.168.168.3 (LAN)       Web (HTTP)         Allow
5         DMZ                    LAN                       NetBIOS            Allow
6         DMZ                    LAN                       Kerberos           Allow
7         DMZ                    WAN                       Any                Allow
8         WAN                    DMZ                       Any                Deny
9         LAN                    *                         Any                Allow
10        *                      LAN                       Any                Deny

[Defaults]

Defaults

Rule 4 in the list is the rule just added. Behind the scenes, the server's IP address has been mapped to the WAN port's address and the matching NAT configuration was added automatically. Note that the rule's source is '*': the web server is now reachable from every address on the Internet on its HTTP port, so make sure it is patched before publishing it and keep such rules as narrow as the service allows.

SonicWall標(biāo)準(zhǔn)版一般規(guī)則干脆配置

通過(guò)前面的向?qū)渲?,我們可以發(fā)覺(jué),添加一般規(guī)則時(shí),其配置過(guò)程相對(duì)困難,因?yàn)?,我?/p>

可以干脆添加策略,而不用通過(guò)向?qū)渲?。如下?/p>

在firewall界面,的accessrules干脆點(diǎn)add:

我們以禁止內(nèi)網(wǎng)IP為2的PC不允許訪問(wèn)外網(wǎng)的flp服務(wù)為例,在action處,

選擇deny,在service處選擇ftp,source處選擇LAN口的,在地址段處添寫(xiě)IP,2,

在destination處選擇WAN口,地址保留*號(hào),表示隨意地址。

General | Advanced | Bandwidth

Rule Settings
Action:   ( ) Allow  (o) Deny
Service:  File Transfer (FTP)

              Ethernet   Address Range Begin   Address Range End
Source:       LAN        192.168.168.2         192.168.168.2
Destination:  WAN        *                     *

Comment
Comment:

If no further settings are needed, such as a schedule or bandwidth limits, click OK and the rule takes effect. For further settings, choose Advanced and change the values required:

Advanced Settings

[ ] Allow Fragmented Packets
TCP Connection Inactivity Timeout (minutes):

For bandwidth management, select Bandwidth, tick Enable and enter the required limits. (Note: since this rule is a Deny, bandwidth limiting does not apply to it.)

Click OK and the rule takes effect.

Note: Use the Rule Wizard to help you create a rule that allows access to a web server, mail server, or other server from the Internet.

Priority  Source                 Destination               Service              Action
1         192.168.168.2 (LAN)    WAN                       Web (HTTP)           Deny
2         192.168.168.2 (LAN)    WAN                       File Transfer (FTP)  Deny
3         LAN                    192.168.168.168 (LAN)     HTTPS Management     Allow
4         LAN                    192.168.168.168 (LAN)     HTTP Management      Allow
5         *                      192.168.168.3 (LAN)       Web (HTTP)           Allow
6         DMZ                    LAN                       NetBIOS              Allow
7         DMZ                    LAN                       Kerberos             Allow
8         DMZ                    WAN                       Any                  Allow
9         WAN                    DMZ                       Any                  Deny
10        LAN                    *                         Any                  Allow
11        *                      LAN                       Any                  Deny

Rule 2 in the list is the rule just added.
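Both the wizard-created web Deny and the FTP Deny added directly end up above the default LAN → * Allow, and the public server rule sits above the default * → LAN Deny. The following Python model, added here as an example and not code from the manual or from SonicWALL, evaluates sample packets against that final rule list in the same first-match order, and then shows two things the text describes but the screenshots cannot: what happens when a Deny rule sits below the catch-all Allow, and what the "deny everything first, then open what is needed" strategy from the rule-wizard section looks like as a rule list. Zone names, the restricted PC 192.168.168.2 and the web server 192.168.168.3 come from the rule lists above; the packet addresses 203.0.113.10 and 198.51.100.7 are constructed test values. Public server rules are modelled as matching the private (post-NAT) destination address.

```python
from dataclasses import dataclass, replace

ANY = "*"


@dataclass(frozen=True)
class Rule:
    src_zone: str   # LAN, WAN, DMZ or "*"
    src: str        # one address or "*"
    dst_zone: str
    dst: str
    service: str    # HTTP, HTTPS, FTP, NetBIOS, Kerberos or "Any"
    action: str     # Allow or Deny


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src: str
    dst_zone: str
    dst: str        # for inbound traffic: the address after NAT
    service: str


# The access-rule list as it stands at the end of the direct-rule section
# (position 1 is the top of the list and is evaluated first).
RULES = [
    Rule("LAN", "192.168.168.2", "WAN", ANY, "HTTP", "Deny"),      # 1  wizard-created
    Rule("LAN", "192.168.168.2", "WAN", ANY, "FTP", "Deny"),       # 2  added directly
    Rule("LAN", ANY, "LAN", "192.168.168.168", "HTTPS", "Allow"),   # 3  HTTPS management
    Rule("LAN", ANY, "LAN", "192.168.168.168", "HTTP", "Allow"),    # 4  HTTP management
    Rule(ANY, ANY, "LAN", "192.168.168.3", "HTTP", "Allow"),        # 5  public server rule
    Rule("DMZ", ANY, "LAN", ANY, "NetBIOS", "Allow"),               # 6
    Rule("DMZ", ANY, "LAN", ANY, "Kerberos", "Allow"),              # 7
    Rule("DMZ", ANY, "WAN", ANY, "Any", "Allow"),                   # 8
    Rule("WAN", ANY, "DMZ", ANY, "Any", "Deny"),                    # 9
    Rule("LAN", ANY, ANY, ANY, "Any", "Allow"),                     # 10 default: LAN may reach anything
    Rule(ANY, ANY, "LAN", ANY, "Any", "Deny"),                      # 11 default: nothing else reaches LAN
]


def matches(rule, pkt):
    """A rule field of '*' (or service 'Any') matches everything; anything else must be equal."""
    return (rule.src_zone in (ANY, pkt.src_zone)
            and rule.src in (ANY, pkt.src)
            and rule.dst_zone in (ANY, pkt.dst_zone)
            and rule.dst in (ANY, pkt.dst)
            and rule.service in ("Any", pkt.service))


def evaluate(rules, pkt):
    """Walk the list top down; the first matching rule decides. Returns (action, position)."""
    for position, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, position
    return "Deny", 0          # no rule matched: treated as denied


def move_to_bottom(rules, position):
    """The same rule list with one rule moved to the end, to show why order matters."""
    rules = list(rules)
    rule = rules.pop(position - 1)
    return rules + [rule]


def is_lan_catch_all(rule):
    return rule == Rule("LAN", ANY, ANY, ANY, "Any", "Allow")


def deny_all_then_open(rules, allowed_services):
    """The first strategy from the text: flip the LAN -> * catch-all to Deny and
    put explicit LAN -> WAN Allow rules for the wanted services directly above it."""
    out = []
    for rule in rules:
        if is_lan_catch_all(rule):
            out.extend(Rule("LAN", ANY, "WAN", ANY, svc, "Allow") for svc in allowed_services)
            out.append(replace(rule, action="Deny"))
        else:
            out.append(rule)
    return out


if __name__ == "__main__":
    samples = {
        "restricted PC, HTTP out":   Packet("LAN", "192.168.168.2", "WAN", "203.0.113.10", "HTTP"),
        "other PC, HTTP out":        Packet("LAN", "192.168.168.5", "WAN", "203.0.113.10", "HTTP"),
        "Internet -> web server":    Packet("WAN", "198.51.100.7", "LAN", "192.168.168.3", "HTTP"),
        "Internet -> web server SSH": Packet("WAN", "198.51.100.7", "LAN", "192.168.168.3", "SSH"),
        "Internet -> management":    Packet("WAN", "198.51.100.7", "LAN", "192.168.168.168", "HTTPS"),
    }
    for label, pkt in samples.items():
        print(f"{label:28} {evaluate(RULES, pkt)}")
    pkt = samples["restricted PC, HTTP out"]
    print("deny rule moved below catch-all:", evaluate(move_to_bottom(RULES, 1), pkt))
    strict = deny_all_then_open(RULES, ["HTTP", "HTTPS"])
    print("strict list, FTP out:", evaluate(strict, Packet("LAN", "192.168.168.5", "WAN", "203.0.113.10", "FTP")))
```

The model reproduces the behaviour the rule lists imply: the restricted PC is stopped by rule 1 while every other LAN host falls through to rule 10, the web server is reachable only on HTTP because rule 11 catches everything else, and management from the WAN side is denied because rules 3 and 4 only match a LAN source. Moving the Deny below the catch-all silently re-enables web access for 192.168.168.2, which is why the wizard places new rules at the top.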

SonicWall標(biāo)準(zhǔn)版服務(wù)器1對(duì)1NAT配置

假如我們有多余的公網(wǎng)IP地址,并且希望服務(wù)器可以單獨(dú)擁有一個(gè)公網(wǎng)IP地址,即我們須

要對(duì)服務(wù)器做1對(duì)1的NAT時(shí),我們須要通過(guò)如下的配置來(lái)實(shí)現(xiàn):

點(diǎn)network,選擇one-to-oneNAT,我們勾選enableone-to-oneNAT

點(diǎn)add,

在彈出的界面中,我們輸入相關(guān)的服務(wù)器IP和公網(wǎng)IP,在rangelength處,我們可以添入相

關(guān)的數(shù)字,假如只有1個(gè)服務(wù)器,添1,假如添入的數(shù)字為其他數(shù)字如5,則,私網(wǎng)地址處,

將從我們添入的地址起先,公網(wǎng)地址處,也將從我們添入的公網(wǎng)地址起先,一一對(duì)應(yīng),并遞

增直到段的長(zhǎng)度結(jié)束。

點(diǎn)OK后,NAT生效。如下圖。

One-to-One Network Address Translation (NAT) Ranges

[x] Enable One-to-One NAT

Private Begin      Public Begin       Length   Configure
192.168.168.4      192.168.121.101    1

[Add...]

After the one-to-one NAT is in place, go to the Firewall page and select Access Rules to add the matching rule: one-to-one NAT only translates addresses and by itself permits no inbound traffic. The rule can again be created through the Rule Wizard, with the same screens as before.
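The range semantics described above (private begin, public begin, length, matched address by address) are easy to get wrong when the length is larger than one, and the page's own screens give only the single-server case. The following Python class, added here as an example and not SonicWALL's code, models a one-to-one NAT range in both directions, lets hosts outside the range fall back to the WAN interface address as in NAT Enabled mode, and runs the two checks worth doing before clicking OK: that the private range stays inside the LAN subnet and that the public range does not swallow the WAN interface address. The private address 192.168.168.4 and public address 192.168.121.101 are from the table above; the WAN address 192.168.121.10 is from the setup wizard; the length of 5 and the LAN subnet 192.168.168.0/24 are assumed for the illustration.

```python
import ipaddress


class OneToOneNat:
    """One-to-one NAT range as on the Network > One-to-One NAT page: `length`
    consecutive private addresses from private_begin map, one for one, to
    `length` consecutive public addresses from public_begin. Hosts outside
    every range still reach the Internet through ordinary many-to-one NAT
    behind the WAN interface address."""

    def __init__(self, private_begin, public_begin, length, wan_ip, lan_subnet):
        self.private_begin = ipaddress.ip_address(private_begin)
        self.public_begin = ipaddress.ip_address(public_begin)
        self.length = int(length)
        self.wan_ip = ipaddress.ip_address(wan_ip)
        self.lan_subnet = ipaddress.ip_network(lan_subnet)

    def pairs(self):
        """Every (private, public) pair the range creates."""
        return [(self.private_begin + i, self.public_begin + i) for i in range(self.length)]

    def problems(self):
        """Checks worth running before clicking OK; an empty list means the range is sane."""
        found = []
        if self.length < 1:
            return ["range length must be at least 1"]
        last_private = self.private_begin + (self.length - 1)
        last_public = self.public_begin + (self.length - 1)
        if self.private_begin not in self.lan_subnet or last_private not in self.lan_subnet:
            found.append(f"private range {self.private_begin}-{last_private} "
                         f"leaves LAN subnet {self.lan_subnet}")
        if self.public_begin <= self.wan_ip <= last_public:
            found.append(f"public range {self.public_begin}-{last_public} "
                         f"contains the WAN interface address {self.wan_ip}")
        return found

    def to_public(self, private_ip):
        """Source address seen on the WAN for an outbound packet from private_ip."""
        offset = int(ipaddress.ip_address(private_ip)) - int(self.private_begin)
        if 0 <= offset < self.length:
            return self.public_begin + offset
        return self.wan_ip          # not in a 1:1 range: hidden behind the WAN address

    def to_private(self, public_ip):
        """Destination after translation for an inbound packet sent to public_ip,
        or None when no 1:1 mapping exists (a public-server rule on the WAN
        address would be needed instead)."""
        offset = int(ipaddress.ip_address(public_ip)) - int(self.public_begin)
        if 0 <= offset < self.length:
            return self.private_begin + offset
        return None


if __name__ == "__main__":
    nat = OneToOneNat("192.168.168.4", "192.168.121.101", 5,
                      wan_ip="192.168.121.10", lan_subnet="192.168.168.0/24")
    print("problems:", nat.problems())
    for private, public in nat.pairs():
        print(f"{private}  <->  {public}")
    print("192.168.168.50 leaves as", nat.to_public("192.168.168.50"))
    print("192.168.121.120 arrives at", nat.to_private("192.168.121.120"))
```

Even with a valid mapping, an inbound packet to 192.168.121.103 is translated to 192.168.168.6 and then still hits the access-rule list; without an Allow for that server it stops at the default * → LAN Deny.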

SonicWall標(biāo)準(zhǔn)版透亮模式配置

假如須要將防火墻部署成透亮模式,在我們登陸防火墻時(shí),在彈出的向?qū)гO(shè)置頁(yè)面選擇

cancel,

Cancel

輸入默認(rèn)的帳號(hào)密碼

點(diǎn)login,然后選擇networks
