电信WAP网关SSG550配置手册
4.10 版本升级步骤
升级前请备份原有配置文件,确认升级文件来自官方渠道且完整无误,并保证电源供应正常;建议升级过程中使用超级终端连接到防火墙的 Console 端口,以便全程观察升级过程。
选择 Configuration > Update > ScreenOS/KEY > Firmware Update (ScreenOS),点击“浏览”,选择 FLASH 文件的存放位置,点击“打开”,然后点击 Apply。
4.11 常用排错步骤及命令汇总
- Get config:全局查看当前设备运行配置
- Get interface:查看接口配置及状态
- Get config | inc nsrp:检查安全设备 NSRP 配置
- Exec policy verify:检查策略是否有重复
- Ping x.x.x.x from ethx/x:从指定源接口 ping 目的地址,检查路由是否可达
- Get system:查看当前设备系统运行的参数
5 附录:防火墙配置文件
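5.1 SSG-550M-1防火墙配置
说明:以下配置清单在文档转换过程中疑似丢失了引号内的参数(区域名、地址名、服务名等,仅剩“\”),且多条命令被合并到同一行,仅供对照参考,不能直接导入设备。清单在 ethernet0/1、ethernet0/2 上同时开启了 telnet、web 等明文管理方式以及 snmp,其中 ethernet0/2 配置的是公网地址 211.136.136.4/28;若该接口面向外部网络,实际部署时建议只保留 ssh、ssl 等加密管理方式,并用 set admin manager-ip 限制可登录的管理主机。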
set clock timezone 0
set vrouter trust-vr sharable set vrouter \exit
set vrouter %unset auto-route-export exit
set service \ set service \ set alg appleichat enable
unset alg appleichat re-assembly enable set alg sctp enable
set auth-server \
set auth-server \set auth default auth server \set auth radius accounting port 1646 set admin name \
set admin password \set admin auth web timeout 10 set admin auth server \set admin format dos
set zone \set zone \set zone \set zone \
set zone \set zone \ set zone \ unset zone \ set zone \ set zone \ set zone \ unset zone \
set zone \set zone \set zone \set zone \set zone \
set zone \set zone \set zone \set zone \set zone \
set interface \set interface \set interface \set interface bgroup0/0 port ethernet0/3 set interface bgroup0/0 port ethernet0/4 set interface bgroup0/0 port ethernet0/5 set interface bgroup0/1 port ethernet0/6 set interface bgroup0/1 port ethernet0/7 set interface bgroup0/1 port ethernet0/8 set interface ethernet0/0 ip 192.168.0.1/24 set interface ethernet0/0 route unset interface vlan1 ip
set interface ethernet0/1 ip 10.0.0.167/28 set interface ethernet0/1 nat
set interface ethernet0/2 ip 211.136.136.4/28 set interface ethernet0/2 route
unset interface vlan1 bypass-others-ipsec unset interface vlan1 bypass-non-ip set interface ethernet0/0 ip manageable set interface ethernet0/1 ip manageable set interface ethernet0/2 ip manageable set interface ethernet0/1 manage ssh set interface ethernet0/1 manage telnet set interface ethernet0/1 manage snmp set interface ethernet0/1 manage ssl set interface ethernet0/1 manage web set interface ethernet0/1 manage mtrace set interface ethernet0/2 manage ping set interface ethernet0/2 manage ssh set interface ethernet0/2 manage telnet set interface ethernet0/2 manage snmp set interface ethernet0/2 manage ssl set interface ethernet0/2 manage web set interface ethernet0/2 manage mtrace
set interface ethernet0/1 dip 4 10.0.0.165 10.0.0.165 set interface ethernet0/1 dip 9 10.0.0.164 10.0.0.164
set interface ethernet0/2 ext ip 172.16.1.99 255.255.255.252 dip 6 172.16.1.99 172.16.1.99 set interface ethernet0/2 ext ip 172.16.1.100 255.255.255.252 dip 5 172.16.1.100 172.16.1.100
set interface ethernet0/2 ext ip 192.168.200.100 255.255.255.252 dip 7 192.168.200.100 192.168.200.100
set interface ethernet0/2 ext ip 192.168.200.99 255.255.255.252 dip 8 192.168.200.99 192.168.200.99 set interface \mip 211.136.136.2 host 192.168.0.133 netmask 255.255.255.255 vr \
unset flow no-tcp-seq-check set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer set flow reverse-route tunnel always
set pki authority default scep mode \set pki x509 default cert-path partial
set address \set address \
set address \set address \set address \set address \set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60 unset ike ikeid-enumeration unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000 set ipsec access-session upper-threshold 0 set ipsec access-session lower-threshold 0 set ipsec access-session dead-p2-sa-timeout 0 unset ipsec access-session log-error
unset ipsec access-session info-exch-connected unset ipsec access-session use-error-log set vrouter \exit
set vrouter \exit
set url protocol websense exit
set policy id 1 from \ \ set policy id 1 exit
set policy id 2 from \ \permit log set policy id 2 exit
set policy id 10 from \to \ \\\nat src dip-id 7 permit log