现网1台山石SG6000防火墙，配置都可以通过GUI实现。
但有一些配置在命令行下配置效率更高，比如在1个已有策略中添加1个host或端口。

下面的双引号可以不加

1 创建服务

1.1 单个端口

service "tcp-901"tcp dst-port 901 

1.2 端口范围

service "tcp-10000-65535"tcp dst-port 10000 65535 

1.3 group （包含多个service， 就是思科ASA的object-group service)

servgroup "Management"service "SSH"service "xdmcp_UDP_177"service "HTTPS"service "tcp-901"

2 创建Ip

2.1 single ip

address "RDM-WaiGua-System-10.248.68.114"ip 10.248.68.114/32

2.2 ip range

address "10.248.68.5-40"range 10.248.68.5 10.248.68.40

2.3 ip subnet

address 10.248.1.0/2410.248.1.0/24

2.4 当然下面可以接多个条目 ，比如

address "Logistics"ip 10.248.33.89/32ip 10.248.33.88/32

2.5 查看方法

show address xxx

Hillstone # show address   10.248.1.0/24
Name:           10.248.1.0/24
Address family: IPv4
Member count:   1
Address members:10.248.1.0/24
Excluded members:
Total IP count: 256
IP subnet in this entry: 110.248.1.0/24

3 schedule (时间范围）

可以指定只有结束，
也可以包含开始+结束

schedule "2025.1.17"absolute  end 01/18/2025 00:00:00schedule "2021/7/1"absolute start 01/01/1970 00:00:00 end 07/01/2021 23:59:00
exit

4 rule

包含ID，行为，zone，源目IP， 端口，名称 ，时间范围

rule id 401action permitsrc-zone "SC"dst-zone "CR"src-addr "Data-1"dst-addr "wan-1"service httpservice httpsname Colasoft

rule id 3019action permitsrc-zone "INSIDE"dst-zone "OUTSIDE"src-ip 10.248.1.1/32dst-addr "AI-10.248.1.1-10"service "tcp-1521"schedule "2025.1.17"

怎样查看rule， 不能show rule, 而是show policy,
** 示例 ：**

hillstone  #    show policy id 3019
Rule id: 3019
Rule sequence: 12
Status: E
From zone "CS" to zone "SC"
Type: 0
Fragment: N/A
Source addresses:10.248.1.1/32
Destination addresses:Oracle-10.248.200.1
Services:tcp-1521
Application:
Schedules:2025.1.17
Action: PERMIT 
Roles:
Users:
User-groups:
assistant: disable
Hit 1353 times

创建1条rule在最前面

rule top
action permit
src-ip 1.1.1.1/32
dst-ip 2.1.1.1/32
service any

删除1条rule

no rule 3029

disable一条rule（失效，而不是删除）

rule id 3029
disable

Enable一条rule（重新生效）

rule id 3029
enable

5 路由配置

5.1带外接口配置

interface MGT0zone  "mgt"ip address 10.19.254.84 255.255.255.0manage ip 10.19.254.85manage sshmanage pingmanage snmpmanage https
exit

5.1 静态路由

ip vrouter "mgt-vr"ip route 0.0.0.0/0 10.19.254.254

6 接口配置

6.1 聚合接口

interface xethernet1/0aggregate aggregate1mirror enable bothdescription "To_Core"
exit
interface xethernet1/1aggregate aggregate1mirror enable bothdescription "To_Core"
exit
interface xethernet1/2aggregate aggregate1mirror enable bothdescription "To_Core"
exit
interface xethernet1/3aggregate aggregate1mirror enable bothdescription "To_Core"
exit

6.2子接口配置

下面是2台山石的子接口配置，因为做了双机，
所以是每1台有独立的IP，虚拟出来1个VIP

** 第1台**

interface aggregate1.1101zone  "SC"ip address 10.19.255.161 255.255.255.248    		// 10.19.255.16 是VIPmanage ip 10.19.255.162									// 10.19.255.162 是本机的实IPmanage pingdescription "ShengChan"

** 第2台**

interface aggregate1.1101zone  "SC"ip address 10.19.255.161 255.255.255.248    		// 10.19.255.16 是VIPmanage ip 10.19.255.163									// 10.19.255.163 是本机的实IPmanage pingdescription "ShengChan"

7 DNS timezone

clock zone china
ip name-server 223.5.5.5 vrouter "mgt-vr"

8 创建用户名

admin user "hillstone"password 123123123password-expiration 1673230455role "admin"access consoleaccess telnetaccess sshaccess httpaccess https
exit