|
|
本帖最后由 iseeyou0918 于 2021-2-7 14:44 编辑
如下图所示,EVE版本3.1,抓包FW1 G1/0/0的时候始终能抓到多余的报文,不停的刷屏,这是怎么回事?VMnet1桥接的是物理网卡。
<Fw-1>dis current-configuration
2021-02-02 13:46:25.240
!Software Version V500R005C00SPC100
#
sysname Fw-1
#
l2tp domain suffix-separator @
#
info-center source default channel 0 trap state off
#
ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
clock timezone UTC add 00:00:00
#
update schedule location-sdb weekly Sun 00:08
#
firewall defend action discard
#
log type traffic enable
log type syslog enable
log type policy enable
#
undo dataflow enable
#
sa force-detection enable
#
banner enable
#
password-policy
level high
user-manage single-sign-on radius
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
update schedule ips-sdb daily 00:22
update schedule av-sdb daily 00:22
update schedule sa-sdb daily 00:22
update schedule cnc daily 00:22
update schedule file-reputation daily 00:22
#
ip vpn-instance default
ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
acl number 3000
rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal 10
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer to-fw2
pre-shared-key %^%#ZC298t=Nq.#"v7&}jeyQc6)wIqK8"-9X_~$D`G"V%^%#
ike-proposal 10
remote-address 202.100.1.11
#
ipsec policy ipsec 10 isakmp
security acl 3000
ike-peer to-fw2
proposal 10
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authentication-scheme admin_ldap
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode auto-online
reference user current-domain
manager-user password valid-days 0
manager-user audit-admin
password cipher @%@%~azhA]irw/F1PxB"-AzX$/*kSD+QK*N{[2TefrAREF6>/*n$@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%{Q"0.F*m"J<io9"@!yz3dK]XpNZV-9$DP@^ujm>J2\=UK][d@%@%
service-type api
level 15
manager-user admin
password cipher @%@%XrQ8#yo!)YQIMR>g;4OS2-dbTYk2$n]hc81Bt0ZCCT<U-de2@%@%
service-type web terminal
level 15
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
shutdown
ip binding vpn-instance default
service-manage http permit
service-manage https permit
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 202.100.1.10 255.255.255.0
service-manage ping permit
ipsec policy ipsec
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.254 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
#
api
#
ip route-static 0.0.0.0 0.0.0.0 202.100.1.11
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
#
user-interface password complexity-check disable
#
firewall detect ftp
#
user-interface con 0
authentication-mode password
set authentication password cipher $1c$uMM_BG!%M Q+N<0jBRb0!o)C)'@Hj6ASlG%9-a7&9Q"cK!~ig&$
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
right-manager server-group
#
security-policy
default action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
proxy-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
|
|
