H3C Firewall Configuration Walkthrough

Background:

# Check the device model and version
<H3C>display version
H3C Comware Software, Version 7.1.064, Release 9510P05
Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.
H3C SecPath F100-M-G2 uptime is 0 weeks, 0 days, 4 hours, 19 minutes
Last reboot reason: User reboot

Boot image: flash:/f1010fw-cmw710-boot-R9510P05.bin
Boot image version: 7.1.064, Release 9510P05
Compiled Jun 16 2017 16:00:00
System image: flash:/f1010fw-cmw710-system-R9510P05.bin
System image version: 7.1.064, Release 9510P05
Compiled Jun 16 2017 16:00:00

SLOT 1
CPU type: Multi-core CPU
DDR3 SDRAM Memory     2032M bytes
Board PCB       Version:Ver.A
Basic BootWare Version: 1.06
Extend BootWare Version: 1.06
[SubSlot 0]12GE (Hardware)Ver.A, (Driver)1.0
<H3C>
  1. Console port: a serial port similar to an old-style COM port. It is used for initial configuration, for example to perform the most basic setup from the command line when the device has no IP address yet or you have forgotten the management address. Connecting to it requires a dedicated console cable.
  2. The other end of the console cable is a DB9 serial connector; here a USB-to-serial adapter is plugged onto the DB9 connector so the PC's USB port can be used.

I. Connect the console cable to the PC

1. Connect the console port to the PC with the cable

2. Install the console cable driver (download 驱动人生)


3. Check the serial port shown in Device Manager (COM + number)


4. Open PuTTY and connect using the COM port number seen in Device Manager


II. Enter the system and reset the password

With PuTTY connected, unplug and reconnect the firewall's power. During startup a prompt appears on the console; press Ctrl+B to enter the BootWare menu:


Press 8 (clear password) and Enter, then press 0 (reboot) and Enter; after the reboot the device boots straight into the system:

# Enter system view
<A-F100M-FW>system-view
# Disable the password recovery feature
[A-F100M-FW]undo password-recovery enable
# Reset the password
[A-F100M-FW]super password
# Enter / confirm
Password:
confirm :
# Save the configuration
[A-F100M-FW]save force
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.

# Exit system view
[A-F100M-FW]quit
# Reboot to test
<A-F100M-FW>reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
This command will reboot the device. Continue? [Y/N]:y
Now rebooting, please wait...
%Nov 28 06:46:17:000 2025 A-F100M-FW DEV/5/SYSTEM_REBOOT: System is rebooting now.

After this reboot it turned out that the password set a moment ago had not been saved. Since password recovery was already disabled in the previous step, the device can now be restored to factory defaults: reboot, press Ctrl+B, press 5 and Enter, then press 0 and Enter.

Log in to the firewall command line and begin configuration

After a successful login, configure:

# Enter system view (from user view)
<H3C> system-view
# List the available interfaces
[H3C] display interface brief

Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface           Link Protocol Primary IP     Description
GE1/0/0             DOWN DOWN     192.168.0.1
GE1/0/1             DOWN DOWN     --
GE1/0/2             DOWN DOWN     192.168.1.1
GE1/0/3             DOWN DOWN     --
GE1/0/4             DOWN DOWN     --
GE1/0/5             DOWN DOWN     --
GE1/0/6             DOWN DOWN     --
GE1/0/7             DOWN DOWN     --
GE1/0/8             DOWN DOWN     --
GE1/0/9             DOWN DOWN     --
GE1/0/10             DOWN DOWN     --
GE1/0/11             DOWN DOWN     --
InLoop0             UP   UP(s)    --
NULL0               UP   UP(s)    --
REG0                 UP   --       --
# Configure the IP address of port 1/0/4
[H3C]interface g 1/0/4
[H3C-GigabitEthernet1/0/4]ip address 192.168.240.1 24
[H3C-GigabitEthernet1/0/4]undo shutdown
[H3C-GigabitEthernet1/0/4]save force
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
# After configuring, connect the switch and the PC with a network cable; the interface coming up in the log below means it started successfully
[H3C-GigabitEthernet1/0/4]%Nov 28 07:10:09:934 2025 H3C IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/4 changed to up.
%Nov 28 07:10:09:934 2025 H3C IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/4 changed to up.
%Nov 28 07:10:29:267 2025 H3C IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/4 changed to down.
%Nov 28 07:10:29:268 2025 H3C IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/4 changed to down.
%Nov 28 07:12:02:822 2025 H3C IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/4 changed to up.
%Nov 28 07:12:02:823 2025 H3C IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/4 changed to up.
# Check the current interfaces:
<H3C>display interface brief
Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface           Link Protocol Primary IP     Description                
GE1/0/0             DOWN DOWN     192.168.0.1    
GE1/0/1             DOWN DOWN     --              
GE1/0/2             DOWN DOWN     192.168.1.1    
GE1/0/3             DOWN DOWN     --              
GE1/0/4             UP   UP       192.168.240.1  
GE1/0/5             DOWN DOWN     --              
GE1/0/6             DOWN DOWN     --              
GE1/0/7             DOWN DOWN     --              
GE1/0/8             DOWN DOWN     --              
GE1/0/9             DOWN DOWN     --              
GE1/0/10             DOWN DOWN     --              
GE1/0/11             DOWN DOWN     --              
InLoop0             UP   UP(s)    --              
NULL0               UP   UP(s)    --              
REG0                 UP   --       --  

PC-side configuration

Because the firewall IP is set to 192.168.240.1, the PC's Ethernet adapter must also be placed in the 192.168.240.0 subnet:

# Set the IP in a Windows cmd window (temporary)
netsh interface ip set address "以太网" static 192.168.240.2 255.255.255.0 192.168.240.1

Ping still fails and the management web page does not open, so the firewall needs to be configured

# Create an ACL that permits all traffic and apply it directly
[H3C] acl advanced 3000
[H3C-acl-ipv4-adv-3000] rule 0 permit ip
[H3C-acl-ipv4-adv-3000] quit

[H3C] interface GigabitEthernet 1/0/4
[H3C-GigabitEthernet1/0/4] packet-filter 3000 inbound
[H3C-GigabitEthernet1/0/4] packet-filter 3000 outbound
[H3C-GigabitEthernet1/0/4] quit

[H3C] save force
# Add interface GigabitEthernet1/0/4 to the Trust zone
[H3C] security-zone name Trust
[H3C-security-zone-Trust] import interface GigabitEthernet1/0/4
[H3C-security-zone-Trust] quit
# Create the Trust -> Local inter-zone policy (permit management traffic)
[H3C] zone-pair security source Trust destination Local
[H3C-zone-pair-security-Trust-Local] packet-filter 3000
[H3C-zone-pair-security-Trust-Local] quit

# Create the Trust -> Untrust inter-zone policy (permit Internet traffic)
[H3C] zone-pair security source Trust destination Untrust
[H3C-zone-pair-security-Trust-Untrust] packet-filter 3000
[H3C-zone-pair-security-Trust-Untrust] quit

# Create the Local -> Trust inter-zone policy (permit the reverse management direction)
[H3C] zone-pair security source Local destination Trust
[H3C-zone-pair-security-Local-Trust] packet-filter 3000
[H3C-zone-pair-security-Local-Trust] quit
# Check the current ACL configuration
[H3C] display acl all

# If ACL 3000 does not exist, create it again
[H3C] acl advanced 3000
[H3C-acl-ipv4-adv-3000] rule 0 permit ip
[H3C-acl-ipv4-adv-3000] quit

Enable the web management service

# Enable the HTTP service
[H3C] ip http enable

# Enable the HTTPS service (recommended)
[H3C] ip https enable

# Confirm the admin user configuration
[H3C] local-user admin
[H3C-luser-manage-admin] password simple admin123
[H3C-luser-manage-admin] service-type http https telnet terminal
[H3C-luser-manage-admin] authorization-attribute user-role network-admin
[H3C-luser-manage-admin] quit
[H3C] save force

Reset the web management password from the command line

# Enter the admin user configuration
[H3C] local-user admin

# Reset the password (use a new, strong password)
[H3C-luser-manage-admin] password simple H3C@admin123
# Confirm the service types include http and https
[H3C-luser-manage-admin] service-type http https telnet terminal
# Confirm the user role
[H3C-luser-manage-admin] authorization-attribute user-role network-admin
# Save and exit
[H3C-luser-manage-admin] quit
[H3C] save force

# Or method B: delete and recreate (if method A above does not work)
[H3C] undo local-user admin
[H3C] local-user admin class manage
[H3C-luser-manage-admin] password simple H3C@admin123
[H3C-luser-manage-admin] service-type http https telnet terminal
[H3C-luser-manage-admin] authorization-attribute user-role network-admin
[H3C-luser-manage-admin] quit
[H3C] save force
Open in a browser: https://192.168.240.1
Username: admin
Password: H3C@admin123
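ACL 3000 (`rule 0 permit ip`) permits every protocol in both directions, so the Trust -> Local pair also exposes every service the firewall itself listens on. Once the web login above works, the following added example (not part of the original post) narrows that pair to HTTPS and ping from the 192.168.240.0/24 management segment configured earlier; ACL number 3001 and the rule IDs are my choice.

```text
# Management-only ACL: HTTPS and ICMP from the PC subnet, everything else denied
[H3C] acl advanced 3001
[H3C-acl-ipv4-adv-3001] rule 0 permit tcp source 192.168.240.0 0.0.0.255 destination-port eq 443
[H3C-acl-ipv4-adv-3001] rule 5 permit icmp source 192.168.240.0 0.0.0.255
[H3C-acl-ipv4-adv-3001] rule 100 deny ip
[H3C-acl-ipv4-adv-3001] quit

# Swap the permit-all filter on the Trust -> Local pair for the restricted one
[H3C] zone-pair security source Trust destination Local
[H3C-zone-pair-security-Trust-Local] undo packet-filter 3000
[H3C-zone-pair-security-Trust-Local] packet-filter 3001
[H3C-zone-pair-security-Trust-Local] quit

# Plain HTTP is no longer needed once HTTPS management is confirmed working
[H3C] undo ip http enable
[H3C] save force
```

The Trust -> Untrust pair is left as the post configured it; only the firewall's own management plane is restricted here.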
