FAQ - How USG5120HSR application control lets intranet users access public web sites by domain name

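Published: 2015-03-14
Problem description

How can the application control feature of the USG5120HSR be configured so that intranet users can access public web sites by domain name?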

Device model: USG5120HSR

Software version: V300R001C10SPC500

Solution

1. Configure the service-set
ip service-set inter_web type group     
  service 0 service-set http              
  service 1 service-set https             
  service 2 service-set tcp               
  service 3 service-set dns                    
  service 4 service-set dns-tcp           
  service 5 service-set icmp 


2. Configure the app-set
app-set inter_web                     
  category Web_Browsing application HTTP 
  category Web_Browsing application HTTPS
  category Web_Browsing application HTTP_Download
  category Web_Browsing application HTTP_Text
  category Web_Browsing application HTTP_Image
  category Network_Administration application DNS //Note: even though the service-set already permits DNS, DNS is still blocked by the sa-policy unless the sa-policy is also configured to permit it.


3. Configure the sa-policy
sa-policy inter_web                     
 policy default action deny              
  rule 0                                  
   rule enable                            
   action permit                          
   rule app-set inter_web  //references the app-set


4. Configure the interzone policy
policy interzone untrust trust outbound
 policy 1                                
  action permit                          
  policy logging                         
  policy session traffic statistic logging enable
  policy service service-set inter_web  //references the service-set
  policy source 192.168.10.0 mask 24
  policy sa inter_web    //references the sa-policy
  policy ips inter                       
  policy av inter   
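
The step 2 note (DNS permitted by the service-set but still blocked by a default-deny sa-policy) can be checked offline against a saved configuration. The script below is an added example, not part of the original FAQ or of any Huawei tool. The SERVICE_TO_APP mapping, the function names and the abbreviated sample configuration are assumptions made for illustration.

```python
import re

SAMPLE_CONFIG = """\
ip service-set inter_web type group
  service 0 service-set http
  service 3 service-set dns
app-set inter_web
  category Web_Browsing application HTTP
  category Network_Administration application DNS
sa-policy inter_web
 policy default action deny
  rule 0
   action permit
   rule app-set inter_web
"""  # constructed sample: abbreviated copy of the step 1-3 configuration

# Assumption: which application each service-set member needs in the app-set.
SERVICE_TO_APP = {"http": "HTTP", "https": "HTTPS", "dns": "DNS", "dns-tcp": "DNS"}

def parse_blocks(config):
    """Group indented lines under their service-set/app-set/sa-policy header."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.split("//")[0].rstrip()  # drop trailing // comments
        if not line:
            continue
        if line[0].isspace():
            if current:
                blocks[current].append(line.strip())
            continue
        words = line.replace("ip service-set", "service-set").split()
        known = len(words) > 1 and words[0] in ("service-set", "app-set", "sa-policy")
        current = (words[0], words[1]) if known else None
        if current:
            blocks[current] = []
    return blocks

def blocked_services(config, service_set, sa_policy):
    """Return service-set members a default-deny sa-policy would still block.

    Simplification: every app-set referenced by a rule counts as permitted,
    which matches the single permit rule used in step 3.
    """
    blocks = parse_blocks(config)
    sa = blocks[("sa-policy", sa_policy)]
    if "policy default action deny" not in sa:
        return []
    app_sets = [m.group(1) for m in (re.match(r"rule app-set (\S+)", l) for l in sa) if m]
    apps = {a.split()[-1] for s in app_sets for a in blocks.get(("app-set", s), [])}
    services = [l.split()[-1] for l in blocks[("service-set", service_set)]]
    return [s for s in services if s in SERVICE_TO_APP and SERVICE_TO_APP[s] not in apps]
```

Service-set members without an entry in SERVICE_TO_APP (for example tcp and icmp) are skipped rather than reported.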
 
