Professional Documents
Culture Documents
Firewall Security Policies Lab
Firewall Security Policies Lab
Firewall Security Policies Lab
Experiment Overview
About This Experiment
Security policies can be deployed on a firewall to ensure that the Trust zone can
proactively access the Untrust zone.
Objectives
Understand the security policy mechanism.
Understand the relationships between security zones.
Configure firewall security policies on the CLI and web UI.
Experiment Networking
Topology for configuring firewall security policies
Experiment Planning
A security device USG is deployed on a service node. The upstream and downstream
devices of the USG are both switches, and the downstream service interface of the USG
works at Layer 3.
Port addresses and zones
Device Port IP Address Zone
Name
Experiment Tasks
No. Task Subtask Description
Configure a security policy to permit packets from the Trust zone to the Untrust zone.
[USG_A] security-policy
[USG_A-policy-security] rule name policy_sec
[USG_A-policy-security-rule-policy_sec] source-zone trust
[USG_A-policy-security-rule-policy_sec] destination-zone untrust
[USG_A-policy-security-rule-policy_sec] action permit
[USG_A-policy-security-rule-policy_sec] quit
Choose Network > Interface. Click next to the interface to be configured. Set
parameters, and then click OK. The following figure shows the configuration of
GigabitEthernet1/0/1.
Verification
Checking the Ping Result and Firewall Session Table
Run the ping 40.1.1.100 command on PC1 to check whether PC1 can ping through PC2.
PC> ping 40.1.1.100
Run the display firewall session table command to view the session table of the firewall.
[USG_A] display firewall session table
Current Total Sessions : 5
icmp VPN: public --> public 10.1.2.100:49569 --> 40.1.1.100:2048
icmp VPN: public --> public 10.1.2.100:50081 --> 40.1.1.100:2048
icmp VPN: public --> public 10.1.2.100:49057 --> 40.1.1.100:2048
icmp VPN: public --> public 10.1.2.100:49313 --> 40.1.1.100:2048
icmp VPN: public --> public 10.1.2.100:49825 --> 40.1.1.100:2048