企业官网建设流程全解析

system-view sysname HRZ # 宿主机接口（GE_0/0） interface GigabitEthernet 1/0/0 ip address 192.168.56.47 255.255.255.0 quit # 内网接口（GE_0/1） interface GigabitEthernet 1/0/1 ip address 192.47.1.1 255.255.255.0 quit # DMZ接口（GE_0/2） interface GigabitEthernet 1/0/2 ip address 192.47.2.1 255.255.255.0 quit # 外网接口（GE_0/3） interface GigabitEthernet 1/0/3 ip address 20.47.0.1 255.0.0.0 quit #安全域 security-zone name host import interface GigabitEthernet 1/0/0 quit security-zone name Trust import interface GigabitEthernet 1/0/1 quit security-zone name DMZ import interface GigabitEthernet 1/0/2 quit security-zone name Untrust import interface GigabitEthernet 1/0/3 attack-defense policy al quit #定义ACL，管理流量通过 acl advanced 3000 rule permit ip quit #创建域间策略(host<>Local) zone-pair security source host destination local packet-filter 3000 quit zone-pair security source local destination host packet-filter 3000 quit #本地管理员账号 local-user admin class manage service-type http https # 开启HTTP服务（或HTTPS，这里用HTTP） ip http enable ip https enable # 创建WEB登录用户 local-user Boss class manage password simple 2026 service-type http authorization-attribute user-role network-admin # 管理员权限 quit #定义ACL，内部流量允许通过访问外网 acl advanced 3500 rule permit ip rule permit icmp quit #配置ASPF策略 aspf policy 1 detect ftp action drop detect http action drop quit #放行内部IP访问外网 zone-pair security source trust destination untrust packet-filter 3500 aspf apply policy 1 #在安全域间实例上应用ASPF策略 quit #放行内部IP访问dmz zone-pair security source trust destination dmz packet-filter 3500 quit #放行外网访问dmz zone-pair security source untrust destination dmz packet-filter 3500 quit ip route-static 0.0.0.0 0 0 20.47.0.2 acl basic 2030 rule 1 permit source 192.168.56.47 0 quit #在全局上开启黑名单过滤功能 blacklist global enable #创建攻击防范策略 attack-defense policy al signature detect smurf action logging scan detect level low action logging block-source timeout 10 syn-flood detect ip 192.47.2.2 threshold 5000 action logging drop quit security-zone name Untrust attack-defense apply policy al quit