CLI: Example for Configuring Security Policies Based on IP Addresses and Ports

This section describes how to configure security policies on the CLI to implement access control based on IP addresses, time ranges, and services (ports).

Networking Requirements

As shown in Figure 1, two servers are deployed on the intranet: Server1 provides services through TCP port 8888, and Server2 provides services through UDP port 6666. Access control policies need to be configured on the FW to prohibit PCs at 10.1.1.2 and 10.2.1.2 from accessing the two servers during working hours (8:00-17:00), but allow other PCs to access these two servers at any time.

Figure 1 Networking diagram for configuring security policies based on IP addresses and ports

Data Planning

Item                    Data                          Description
GigabitEthernet 0/0/1   IP address: 10.2.0.1/24       -
                        Security zone: dmz
GigabitEthernet 0/0/2   IP address: 10.1.1.1/24       -
                        Security zone: trust
GigabitEthernet 0/0/3   IP address: 10.2.1.1/24       -
                        Security zone: trust
Server 1                IP address: 10.2.0.10/24      Provides services using an ephemeral port.
                        Port: TCP 8888
Server 2                IP address: 10.2.0.11/24      Provides services using an ephemeral port.
                        Port: UDP 6666

Configuration Roadmap

Configure the address set, service sets, and time range first, and then reference these objects as match conditions in the security policies.

  1. Configure a source IP address set and add the IP addresses prohibited from accessing the servers to it.

    When configuring a security policy, you can specify multiple IP addresses or address sets. You are advised to configure scattered and non-contiguous IP addresses as an address set for centralized management and for other policies to reuse.

    Each policy matches a single server address as its destination. Therefore, you do not need to configure a destination IP address set.

  2. Configure two user-defined service sets and add the ephemeral port of one server into one service set and that of the other server into the other service set.

    In this example, servers use ephemeral ports to provide services. Therefore, add the ephemeral ports to user-defined service sets and reference these service sets in security policies.

    If a server uses a well-known port (for example, HTTP port 80) to provide services, a predefined service set (such as HTTP or FTP) can be used.

  3. Set a working time range (8:00-17:00).
  4. Configure two security policies to separately restrict the access of PCs at 10.1.1.2 and 10.2.1.2 to the two servers.

  5. Configure a security policy to allow the access from the trust zone to the dmz.

    In this example, only two PCs are prohibited from accessing the servers during working hours. Therefore, you need to first configure security policies to restrict the access of the two PCs and then enable the access from the trust zone to the dmz.

    The system has a default security policy (all conditions are any, and all actions are deny). To allow only the PCs at specified IP addresses to access servers, keep the default security policy and configure security policies to allow the access from these IP addresses.

    Security policies are matched based on the order of configuration. Therefore, configure specific policies before general policies. For example, to implement access control on subnet 10.1.1.0/24, configure a security policy to deny the access from specific IP addresses and then a security policy to allow the access from the entire subnet.

Procedure

  1. Complete interface settings, such as IP addresses and security zones.
    1. Set the IP address of interface GigabitEthernet 0/0/1 and add it to the dmz.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet0/0/1] ip address 10.2.0.1 24
      [FW-GigabitEthernet0/0/1] quit
      [FW] firewall zone dmz
      [FW-zone-dmz] add interface GigabitEthernet 0/0/1
      [FW-zone-dmz] quit

    2. Set the IP address of interface GigabitEthernet 0/0/2 and add it to the trust zone.

      [FW] interface GigabitEthernet 0/0/2
      [FW-GigabitEthernet0/0/2] ip address 10.1.1.1 24
      [FW-GigabitEthernet0/0/2] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/2
      [FW-zone-trust] quit

    3. Set the IP address of interface GigabitEthernet 0/0/3 and add it to the trust zone.

      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.2.1.1 24
      [FW-GigabitEthernet0/0/3] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/3
      [FW-zone-trust] quit

  2. Configure source IP address set server_deny and add the IP addresses prohibited from accessing the servers to it.

    [FW] ip address-set server_deny type object
    [FW-object-address-set-server_deny] address 10.1.1.2 mask 32
    [FW-object-address-set-server_deny] address 10.2.1.2 mask 32
    [FW-object-address-set-server_deny] quit

  3. Configure time range time_deny in which specific PCs are not allowed to access the servers.

    [FW] time-range time_deny
    [FW-time-range-time_deny] period-range 08:00:00 to 17:00:00 mon tue wed thu fri sat sun
    [FW-time-range-time_deny] quit

  4. Configure user-defined service sets server1_port and server2_port for Server1 and Server2 respectively and add the ephemeral ports of the servers to the service sets.

    [FW] ip service-set server1_port type object
    [FW-object-service-set-server1_port] service protocol TCP source-port 0 to 65535 destination-port 8888
    [FW-object-service-set-server1_port] quit
    [FW] ip service-set server2_port type object
    [FW-object-service-set-server2_port] service protocol UDP source-port 0 to 65535 destination-port 6666
    [FW-object-service-set-server2_port] quit

  5. Configure security policies to reference the configured address sets, time ranges, and service sets.

    Any condition that is not explicitly configured in a rule takes the default value any.

    # Security policy that restricts the access from PCs to Server1:

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_deny1
    [FW-policy-security-rule-policy_sec_deny1] source-zone trust
    [FW-policy-security-rule-policy_sec_deny1] destination-zone dmz
    [FW-policy-security-rule-policy_sec_deny1] source-address address-set server_deny
    [FW-policy-security-rule-policy_sec_deny1] destination-address 10.2.0.10 32
    [FW-policy-security-rule-policy_sec_deny1] service server1_port
    [FW-policy-security-rule-policy_sec_deny1] time-range time_deny
    [FW-policy-security-rule-policy_sec_deny1] action deny
    [FW-policy-security-rule-policy_sec_deny1] quit

    # Security policy that restricts the access from PCs to Server2:

    [FW-policy-security] rule name policy_sec_deny2
    [FW-policy-security-rule-policy_sec_deny2] source-zone trust
    [FW-policy-security-rule-policy_sec_deny2] destination-zone dmz
    [FW-policy-security-rule-policy_sec_deny2] source-address address-set server_deny
    [FW-policy-security-rule-policy_sec_deny2] destination-address 10.2.0.11 32
    [FW-policy-security-rule-policy_sec_deny2] service server2_port
    [FW-policy-security-rule-policy_sec_deny2] time-range time_deny
    [FW-policy-security-rule-policy_sec_deny2] action deny
    [FW-policy-security-rule-policy_sec_deny2] quit

    # Security policy that allows the access from PCs to Server1:

    [FW-policy-security] rule name policy_sec_permit3
    [FW-policy-security-rule-policy_sec_permit3] source-zone trust
    [FW-policy-security-rule-policy_sec_permit3] destination-zone dmz
    [FW-policy-security-rule-policy_sec_permit3] destination-address 10.2.0.10 32
    [FW-policy-security-rule-policy_sec_permit3] service server1_port
    [FW-policy-security-rule-policy_sec_permit3] action permit
    [FW-policy-security-rule-policy_sec_permit3] quit

    # Security policy that allows the access from PCs to Server2:

    [FW-policy-security] rule name policy_sec_permit4
    [FW-policy-security-rule-policy_sec_permit4] source-zone trust
    [FW-policy-security-rule-policy_sec_permit4] destination-zone dmz
    [FW-policy-security-rule-policy_sec_permit4] destination-address 10.2.0.11 32
    [FW-policy-security-rule-policy_sec_permit4] service server2_port
    [FW-policy-security-rule-policy_sec_permit4] action permit
    [FW-policy-security-rule-policy_sec_permit4] quit
    [FW-policy-security] quit

Verification

PCs at 10.1.1.2 and 10.2.1.2 can access the two servers any time except from 8:00 to 17:00. Other PCs can access these two servers at any time.
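The roadmap states that security policies are matched in configuration order, so the deny rules must come before the permit rules, and the Verification section states the verdicts the finished configuration should give. The following Python model is an added example, not Huawei code and not something the FW runs: it expresses the four rules, the address set, the service sets and the time range from this page as data, evaluates constructed traffic against them with first-match semantics and a default deny, and flags deny rules that an earlier, broader permit rule would shadow. It assumes that both ends of the 08:00:00 to 17:00:00 period are inclusive and that a service set matches on protocol and destination port only; the timestamps are constructed for the test traffic.

```python
# Added example, not Huawei code: an offline model of first-match security-policy
# evaluation, used to check the rule ordering and the Verification verdicts from this page.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Objects from the page's configuration script, expressed as Python data.
ADDRESS_SETS = {"server_deny": [ip_network("10.1.1.2/32"), ip_network("10.2.1.2/32")]}
SERVICE_SETS = {"server1_port": ("tcp", 8888), "server2_port": ("udp", 6666)}
# time_deny = period-range 08:00:00 to 17:00:00 daily (assumption: both ends inclusive)
TIME_RANGES = {"time_deny": ((8, 0, 0), (17, 0, 0))}


@dataclass
class Rule:
    """One 'rule name ...' block; None means the condition is not configured (any)."""
    name: str
    action: str
    source_zone: Optional[str] = None
    destination_zone: Optional[str] = None
    source_address_set: Optional[str] = None
    destination_address: Optional[str] = None  # e.g. "10.2.0.10/32"
    service: Optional[str] = None
    time_range: Optional[str] = None


@dataclass
class Flow:
    """Constructed test traffic: the first packet of a session."""
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    when: datetime


def in_time_range(name: str, when: datetime) -> bool:
    start, end = TIME_RANGES[name]
    return start <= (when.hour, when.minute, when.second) <= end


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every configured condition must match; unconfigured conditions match anything."""
    if rule.source_zone and rule.source_zone != flow.src_zone:
        return False
    if rule.destination_zone and rule.destination_zone != flow.dst_zone:
        return False
    if rule.source_address_set and not any(
            ip_address(flow.src_ip) in net for net in ADDRESS_SETS[rule.source_address_set]):
        return False
    if rule.destination_address and ip_address(flow.dst_ip) not in ip_network(rule.destination_address):
        return False
    if rule.service and SERVICE_SETS[rule.service] != (flow.proto, flow.dst_port):
        return False
    if rule.time_range and not in_time_range(rule.time_range, flow.when):
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; the default policy (all conditions any) denies."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default"


def shadowed_deny_rules(rules: List[Rule]) -> List[str]:
    """Deny rules an earlier permit rule makes unreachable (conservative: every condition
    of the earlier rule is either any or identical to the later rule's condition)."""
    fields = ("source_zone", "destination_zone", "source_address_set",
              "destination_address", "service", "time_range")
    shadowed = []
    for i, later in enumerate(rules):
        if later.action != "deny":
            continue
        if any(earlier.action == "permit" and
               all(getattr(earlier, f) in (None, getattr(later, f)) for f in fields)
               for earlier in rules[:i]):
            shadowed.append(later.name)
    return shadowed


# The four rules from the Procedure, in the order the page configures them.
PAGE_RULES = [
    Rule("policy_sec_deny1", "deny", "trust", "dmz", "server_deny", "10.2.0.10/32", "server1_port", "time_deny"),
    Rule("policy_sec_deny2", "deny", "trust", "dmz", "server_deny", "10.2.0.11/32", "server2_port", "time_deny"),
    Rule("policy_sec_permit3", "permit", "trust", "dmz", None, "10.2.0.10/32", "server1_port"),
    Rule("policy_sec_permit4", "permit", "trust", "dmz", None, "10.2.0.11/32", "server2_port"),
]
# Same rules with the permit rules configured first: the ordering mistake the roadmap warns about.
WRONG_ORDER = PAGE_RULES[2:] + PAGE_RULES[:2]


def verification_cases(rules: List[Rule] = PAGE_RULES) -> Dict[str, Tuple[str, str]]:
    """Verdicts for the traffic described in the Verification section (timestamps constructed)."""
    work = datetime(2024, 1, 2, 10, 0, 0)     # 10:00, inside time_deny
    evening = datetime(2024, 1, 2, 18, 0, 0)  # 18:00, outside time_deny
    cases = {
        "blocked PC -> Server1 at work": Flow("trust", "dmz", "10.1.1.2", "10.2.0.10", "tcp", 8888, work),
        "blocked PC -> Server1 evening": Flow("trust", "dmz", "10.1.1.2", "10.2.0.10", "tcp", 8888, evening),
        "other PC -> Server2 at work": Flow("trust", "dmz", "10.1.1.3", "10.2.0.11", "udp", 6666, work),
        "blocked PC -> Server1 port 22": Flow("trust", "dmz", "10.2.1.2", "10.2.0.10", "tcp", 22, work),
    }
    return {label: evaluate(rules, flow) for label, flow in cases.items()}
```

Running `verification_cases()` against PAGE_RULES reproduces the Verification section: the blocked PC is denied by policy_sec_deny1 at 10:00 and permitted by policy_sec_permit3 at 18:00, another PC is permitted at any time, and a service that no rule covers falls through to the default deny. Evaluating the same traffic against WRONG_ORDER shows the blocked PC permitted during working hours, and `shadowed_deny_rules(WRONG_ORDER)` names both deny rules as unreachable, which is the condition the roadmap's "specific policies before general policies" note exists to prevent.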

Configuration Scripts

The script related to this configuration example is listed as follows:

#
ip address-set server_deny type object
 address 0 10.1.1.2 mask 32
 address 1 10.2.1.2 mask 32
#
ip service-set server1_port type object
 service 0 protocol tcp source-port 0 to 65535 destination-port 8888
#
ip service-set server2_port type object
 service 0 protocol udp source-port 0 to 65535 destination-port 6666
#
time-range time_deny
 period-range 08:00:00 to 17:00:00 daily
#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 undo shutdown
 ip address 10.2.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
 add interface GigabitEthernet 0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/1
#
security-policy
 rule name policy_sec_deny1
  source-zone trust
  destination-zone dmz
  source-address address-set server_deny
  destination-address 10.2.0.10 32
  service server1_port
  time-range time_deny
  action deny
 rule name policy_sec_deny2
  source-zone trust
  destination-zone dmz
  source-address address-set server_deny
  destination-address 10.2.0.11 32
  service server2_port
  time-range time_deny
  action deny
 rule name policy_sec_permit3
  source-zone trust
  destination-zone dmz
  destination-address 10.2.0.10 32
  service server1_port
  action permit
 rule name policy_sec_permit4
  source-zone trust
  destination-zone dmz
  destination-address 10.2.0.11 32
  service server2_port
  action permit
#
return
Copyright © Huawei Technologies Co., Ltd.