CN109547502A - Firewall ACL management method and device - Google Patents
- Publication number
- CN109547502A (application number CN201910058925.4A)
- Authority
- CN
- China
- Prior art keywords
- acl
- firewall
- information
- address
- configuration
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
Embodiments of the present invention provide a firewall ACL management method and device, relating to the field of information security technology, to solve the problem that, because the ACL syntax differs between firewalls, manual firewall management has a high misoperation rate and low management efficiency. The invention includes: a firewall ACL management method, in which an ACL standard configuration object and its corresponding ACL standard configuration object feature code are generated according to the information type of at least one item of collected ACL configuration information of the target managed firewall, and the generated information is saved to a preset ACL standard configuration information bank; and a firewall ACL configuration management method, in which the target firewall is determined from the work order information carried by a received network work order, it is determined whether the ACL standard configuration object corresponding to the work order information can be obtained from the preset ACL standard configuration information bank, an ACL standard operation object is obtained from the work order command information and the ACL standard configuration object, and this is converted into an ACL configuration instruction and issued to the target firewall. The invention is used for firewall management.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a firewall ACL management method and device.
Background technique
With the popularization and development of network technology, network attacks are becoming more and more frequent. At present, to protect the security of intranet information, an enterprise generally installs firewalls and manages them by managing the firewall ACL (Access Control List).
In practice, processes such as configuring and issuing firewall ACLs are carried out manually. For the purpose of policy optimization, an enterprise generally uses firewalls of different models, and because the ACL syntax differs between firewall models, administrators need to be familiar with several firewall models and the ACL syntax corresponding to each model in order to manage each firewall accurately according to its model and syntax. When there are many firewall models, the number of models and ACL syntax types involved makes manual firewall management excessively cumbersome and complicated; the misoperation rate is high and management efficiency is low.
Summary of the invention
Embodiments of the present invention provide a firewall ACL management method and device, to solve the technical problem in the prior art that, because the ACL syntax differs between firewalls, manual firewall management has a high misoperation rate and low management efficiency. The invention can effectively reduce the difficulty of firewall management operations and improve firewall management efficiency.
In order to achieve the above object, the present invention adopts the following technical scheme:
In a first aspect, a firewall ACL management method is provided, comprising:
collecting at least one item of firewall access control list (ACL) configuration information of the target managed firewall;
determining the information type of each item of firewall ACL configuration information, where the information type includes: domain, address class, service class, timeliness class, ACL rule or ACL rule group;
generating, according to the information type, the ACL standard configuration object corresponding to each item of firewall ACL configuration information;
saving the ACL standard configuration object to a preset firewall ACL standard configuration object library.
In the firewall ACL management method provided by an embodiment of the present invention, at least one item of firewall ACL configuration information is collected from the target managed firewall, and the ACL standard configuration object corresponding to each item is generated according to the information type of the collected information. This converts firewall ACL configuration information written under different ACL syntax definitions into ACL standard configuration objects with a unified format and a unified ACL syntax definition, eliminating the differences in format and in ACL syntax definition that exist between the firewall ACL configuration information of different firewall models. The ACL standard configuration objects are then saved to the preset firewall ACL standard configuration information bank, so that firewall ACLs can be managed uniformly on the basis of the unified-format ACL standard configuration objects stored there, reducing the misoperation rate and improving management efficiency.
Optionally, collecting the firewall access control list ACL configuration information of the target managed firewall specifically comprises:
collecting the firewall access control list ACL configuration information of the target managed firewall every predetermined period;
and saving the ACL standard configuration object to the preset firewall ACL standard configuration object library comprises:
comparing the ACL standard configuration object with the ACL standard configuration objects already stored in the firewall ACL standard configuration object library, and determining the ACL standard configuration objects to be updated, namely those that differ from the stored ACL standard configuration objects;
saving each ACL standard configuration object to be updated, together with its ACL standard configuration object feature code, to the firewall ACL standard configuration object library.
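The first aspect describes normalizing ACL configuration collected from firewalls with different syntaxes into standard objects, deriving a feature code per object, and updating the library with only the objects whose feature codes are new. The following is an added example of that pipeline; it is not code from the patent. The two syntaxes "vendor_a" and "vendor_b", the parsers, the use of SHA-256 over canonical JSON as the feature code, and the sample configuration lines are all constructed for illustration.

```python
import hashlib
import json
import re

ANY = "0.0.0.0/0"  # canonical form of the "any" keyword so equal rules compare equal

def _norm_addr(token):
    return ANY if token == "any" else token

def parse_vendor_a(line):
    """Parse one line of the hypothetical 'vendor_a' positional syntax into a standard object."""
    m = re.match(r"rule \d+ (permit|deny) (\w+) src (\S+) dst (\S+)(?: dport (\d+))?$", line)
    if m:
        action, proto, src, dst, dport = m.groups()
        return {"type": "acl_rule", "action": action, "protocol": proto,
                "src": _norm_addr(src), "dst": _norm_addr(dst),
                "dport": int(dport) if dport else None}
    m = re.match(r"address-set (\S+) (\S+)$", line)
    if m:  # address class information
        return {"type": "address", "name": m.group(1), "cidr": m.group(2)}
    raise ValueError("unrecognised vendor_a line: " + line)

def parse_vendor_b(line):
    """Parse one line of the hypothetical 'vendor_b' key=value syntax into a standard object."""
    head, _, rest = line.partition(" ")
    kv = dict(item.split("=", 1) for item in rest.split())
    if head == "acl":
        return {"type": "acl_rule", "action": kv["action"], "protocol": kv["proto"],
                "src": _norm_addr(kv["from"]), "dst": _norm_addr(kv["to"]),
                "dport": int(kv["port"]) if "port" in kv else None}
    if head == "object":
        return {"type": "address", "name": kv["name"], "cidr": kv["cidr"]}
    raise ValueError("unrecognised vendor_b line: " + line)

PARSERS = {"vendor_a": parse_vendor_a, "vendor_b": parse_vendor_b}

def feature_code(obj):
    """Feature code: SHA-256 over the canonical JSON form of the standard object, so the
    same rule written in either vendor syntax yields the same code (assumed design)."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def collect(vendor, lines):
    """Convert one firewall's raw configuration into standard objects keyed by feature code."""
    parse = PARSERS[vendor]
    return {feature_code(o): o for o in (parse(l) for l in lines if l.strip())}

def sync_library(library, collected):
    """Compare a fresh collection with the stored library; store and return only the
    objects whose feature codes are not yet present (the 'to be updated' set)."""
    updated = {code: obj for code, obj in collected.items() if code not in library}
    library.update(updated)
    return updated

# Constructed sample configurations (not real device output).
SAMPLE_A = [
    "address-set WEB 10.2.0.5/32",
    "rule 10 permit tcp src 10.1.0.0/16 dst 10.2.0.5/32 dport 443",
    "rule 20 deny ip src any dst any",
]
SAMPLE_B = [
    "object name=WEB cidr=10.2.0.5/32",
    "acl seq=10 action=permit proto=tcp from=10.1.0.0/16 to=10.2.0.5/32 port=443",
    "acl seq=20 action=deny proto=ip from=any to=any",
    "acl seq=30 action=permit proto=udp from=10.1.0.0/16 to=10.2.0.9/32 port=53",
]

if __name__ == "__main__":
    library = {}
    first = sync_library(library, collect("vendor_a", SAMPLE_A))
    second = sync_library(library, collect("vendor_b", SAMPLE_B))
    print(len(first), "new from vendor_a;", len(second), "new from vendor_b;",
          len(library), "objects in library")
```

Because sequence numbers are deliberately left out of the standard object, the feature code depends only on what the rule does, so the three rules shared by both firewalls are stored once and only the extra UDP rule from the second collection is treated as an update.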
In a second aspect, a firewall ACL configuration management method is provided, comprising:
receiving a network work order carrying work order information; the work order information includes address information, command information and service information;
determining the target firewall according to the address information; the address information includes a source IP address and a destination IP address;
generating, according to the work order information, at least one work order ACL standard configuration object corresponding to the target firewall and the work order ACL standard configuration object feature code of each work order ACL standard configuration object;
judging whether a synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code exists in a preset firewall ACL standard configuration information bank; the preset firewall ACL standard configuration information bank includes at least one ACL standard configuration object, each generated from the firewall ACL standard configuration information of any firewall among the target managed firewalls according to the information type of that information; the information type includes: domain, address class, service class, timeliness class, ACL rule or ACL rule group;
if the judgment result is yes, obtaining the synonymous ACL standard configuration object corresponding to the synonymous ACL standard configuration object feature code in the preset bank as the target ACL standard configuration object; if the judgment result is no, taking the work order ACL standard configuration object as the target ACL standard configuration object;
generating the ACL configuration instruction corresponding to the target firewall according to the command information and the target ACL standard configuration object;
issuing the ACL configuration instruction to the target firewall so that the target firewall executes the ACL configuration instruction.
In the firewall ACL configuration management method provided by an embodiment of the present invention, the target firewall can be determined automatically from the address information carried in the received network work order, and the target ACL standard configuration object corresponding to that target firewall can be obtained from a firewall ACL standard configuration information bank containing a plurality of ACL standard configuration objects. The preset firewall ACL standard configuration information bank includes at least one ACL standard configuration object, each generated from the firewall ACL standard configuration information of any of the target managed firewalls according to its information type (domain, address class, service class, timeliness class, ACL rule or ACL rule group); that is, the preset bank holds the ACL standard configuration objects into which the firewall ACL configuration information under different ACL syntax definitions has been converted into a unified format. Finally, the embodiment can automatically generate an ACL standard operation object from the command information carried in the network work order and the target ACL standard configuration object, convert the ACL standard operation object into an ACL configuration instruction that the target firewall can recognize, and issue it to the target firewall. It can be seen that, on the basis of the network work order and the firewall ACL standard configuration information bank, the embodiment automates a series of processes: determining the target firewall and its corresponding ACL configuration instruction, matching the ACL standard configuration object, converting the ACL standard configuration object into the ACL configuration instruction of the target firewall, and issuing it. Firewall ACL management is thereby automated to a certain extent, administrators no longer need to confirm and convert manually between multiple firewall models and firewall ACL syntaxes, the operational complexity for administrators is reduced, and firewall management efficiency is effectively improved.
Optionally, determining the target firewall according to the address information comprises:
obtaining the configuration information of a firewall to be detected among the pre-configured firewalls; the pre-configured firewalls include at least one firewall, and the firewall to be detected is any firewall among the pre-configured firewalls;
determining whether the address information matches the configuration information of the firewall to be detected; the address information includes a source IP address and a destination IP address;
if the address information matches the configuration information of the firewall to be detected, determining that the firewall to be detected is the target firewall.
Optionally, the configuration information includes domain range information, and determining whether the address information matches the configuration information of the firewall to be detected comprises:
determining, according to the domain range information of the firewall to be detected, the first source IP address matching domain that matches the source IP address and the first destination IP address matching domain that matches the destination IP address; the domain range information of the firewall to be detected includes the domains of the firewall to be detected and the address information within the range of each domain;
judging whether the first source IP address matching domain and the first destination IP address matching domain are identical;
if the judgment result is that they are not identical, determining that the address information matches the configuration information of the firewall to be detected.
Optionally, the configuration information includes routing table information, and determining whether the address information matches the configuration information of the firewall to be detected comprises:
determining, according to the routing table information of the firewall to be detected, the first interface corresponding to the source IP address and the second interface corresponding to the destination IP address; the routing table information of the firewall to be detected includes the firewall routing address information of the firewall to be detected and the interface corresponding to each item of firewall routing address information;
judging whether the first interface and the second interface are identical;
if the judgment result is that they are not identical, determining, according to a preset correspondence between domains and interfaces, the second source IP address matching domain corresponding to the first interface and the second destination IP address matching domain corresponding to the second interface;
judging whether the second source IP address matching domain and the second destination IP address matching domain are identical;
if the judgment result is that they are not identical, determining that the address information matches the configuration information of the firewall to be detected.
Optionally, the configuration information further includes exclusive domain information;
before determining that the address information matches the configuration information of the firewall to be detected, the firewall ACL configuration management method further comprises: determining whether the address information matches the exclusive domain information, and if the judgment result is that the address information matches the exclusive domain information, determining that the address information matches the configuration information of the firewall to be detected.
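The three optional matching strategies above (domain range information, routing table information, and exclusive domain information) decide whether a candidate firewall sits between the source and destination of a work order. The following is an added example of those checks over a small set of constructed firewall descriptions; it is not code from the patent. The `Firewall` structure, the longest-prefix route lookup, the interface-to-domain mapping and all addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Firewall:
    """Hypothetical pre-configured firewall description."""
    name: str
    domains: dict = field(default_factory=dict)           # domain name -> list of CIDR ranges
    routes: list = field(default_factory=list)            # (prefix, outgoing interface)
    interface_domain: dict = field(default_factory=dict)  # preset interface -> domain mapping
    exclusive: list = field(default_factory=list)         # exclusive domain ranges

def _in_ranges(ip, ranges):
    return any(ip in ipaddress.ip_network(r) for r in ranges)

def domain_of(fw, ip):
    """Domain range matching: the domain whose range contains ip, or None."""
    for name, ranges in fw.domains.items():
        if _in_ranges(ip, ranges):
            return name
    return None

def interface_of(fw, ip):
    """Routing table lookup: the interface of the longest matching prefix, or None."""
    best = None
    for prefix, iface in fw.routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def matches_by_domain_range(fw, src, dst):
    """First matching domains differ: the firewall separates source from destination."""
    s, d = domain_of(fw, src), domain_of(fw, dst)
    return s is not None and d is not None and s != d

def matches_by_routing_table(fw, src, dst):
    """First and second interfaces differ, and the domains they map to differ as well."""
    si, di = interface_of(fw, src), interface_of(fw, dst)
    if si is None or di is None or si == di:
        return False
    sd, dd = fw.interface_domain.get(si), fw.interface_domain.get(di)
    return sd is not None and dd is not None and sd != dd

def is_target(fw, src, dst):
    """Exclusive domain information is checked first, as the method describes; an address
    inside an exclusive domain makes this firewall a target without further checks."""
    if _in_ranges(src, fw.exclusive) or _in_ranges(dst, fw.exclusive):
        return True
    return matches_by_domain_range(fw, src, dst) or matches_by_routing_table(fw, src, dst)

def select_targets(firewalls, src_ip, dst_ip):
    """Names of every pre-configured firewall that matches the work order's address information."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [fw.name for fw in firewalls if is_target(fw, src, dst)]

# Constructed sample firewalls (hypothetical topology).
FIREWALLS = [
    Firewall("fw-edge", domains={"trust": ["10.1.0.0/16"], "dmz": ["10.2.0.0/24"]}),
    Firewall("fw-core", routes=[("10.1.0.0/16", "ge0"), ("10.3.0.0/16", "ge1")],
             interface_domain={"ge0": "office", "ge1": "datacenter"}),
    Firewall("fw-partner", exclusive=["192.168.100.0/24"]),
]

if __name__ == "__main__":
    for src, dst in [("10.1.5.5", "10.2.0.7"), ("10.1.5.5", "10.3.9.9"),
                     ("10.1.5.5", "10.1.200.1"), ("10.1.5.5", "192.168.100.9")]:
        print(src, "->", dst, select_targets(FIREWALLS, src, dst))
```

Traffic that stays inside one domain (or leaves through the same interface) matches no firewall, so no instruction is generated for it; that is the intended outcome of both the domain range and routing table strategies rather than an error.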
Optionally, before issuing the ACL configuration instruction to the target firewall, the firewall ACL configuration management method further comprises: obtaining the first ACL configuration information of the target firewall, and determining, according to the first ACL configuration information, whether to issue the ACL configuration instruction.
Optionally, after issuing the ACL configuration instruction to the target firewall, the firewall ACL configuration management method further comprises:
obtaining the second ACL configuration information of the target firewall;
determining, according to the second ACL configuration information and the operation type of the ACL standard configuration object, whether the ACL configuration instruction was issued successfully.
Optionally, the operation type of the ACL standard configuration object includes: add operation, modify operation and delete operation.
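The second aspect and the optional steps above form one procedure: generate the work order's standard objects and feature codes, reuse a synonymous object from the bank when one exists, convert the target object and command into a vendor instruction, check the first ACL configuration before issuing, and verify the second ACL configuration afterwards according to the operation type. The following is an added example of that whole flow; it is not code from the patent. The work order fields, the "vendor_a" instruction syntax with an `undo` prefix for deletion, and the before/after configuration snapshots are assumptions constructed for illustration.

```python
import hashlib
import json

def feature_code(obj):
    """Feature code of a standard object: SHA-256 over its canonical JSON form (assumed design)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def work_order_objects(order):
    """Generate the work order ACL standard configuration objects (address class,
    service class and ACL rule) from the order's address and service information."""
    src = {"type": "address", "cidr": order["src"]}
    dst = {"type": "address", "cidr": order["dst"]}
    svc = {"type": "service", "protocol": order["proto"], "port": order["port"]}
    rule = {"type": "acl_rule", "action": order["action"], "src": order["src"],
            "dst": order["dst"], "protocol": order["proto"], "port": order["port"]}
    return [src, dst, svc, rule]

def resolve_targets(library, objs):
    """Target object selection: when the bank holds a synonymous object (same feature
    code) use the bank's copy, otherwise the work order object itself is the target."""
    return [library.get(feature_code(o), o) for o in objs]

def render(vendor, rule, op):
    """Convert the target ACL rule and the command (operation type) into a configuration
    instruction in the hypothetical 'vendor_a' syntax; 'undo' marks a deletion."""
    if vendor != "vendor_a":
        raise ValueError("unknown vendor: " + vendor)
    line = (f"rule {rule['action']} {rule['protocol']} src {rule['src']} "
            f"dst {rule['dst']} dport {rule['port']}")
    return "undo " + line if op == "delete" else line

def _rule_body(instruction):
    return instruction[5:] if instruction.startswith("undo ") else instruction

def should_issue(first_config, instruction, op):
    """Pre-issue check against the first ACL configuration: skip an add whose rule is
    already present and a delete whose rule is already absent; always issue a modify."""
    present = _rule_body(instruction) in first_config
    if op == "add":
        return not present
    if op == "delete":
        return present
    return True

def verify_issued(second_config, instruction, op):
    """Post-issue check against the second ACL configuration, by operation type:
    add and modify must now be present, delete must now be absent."""
    present = _rule_body(instruction) in second_config
    return not present if op == "delete" else present

def process_work_order(order, library, first_config, second_config, vendor="vendor_a"):
    """Run the whole flow and return the instruction with its outcome."""
    targets = resolve_targets(library, work_order_objects(order))
    rule = next(o for o in targets if o["type"] == "acl_rule")
    instruction = render(vendor, rule, order["command"])
    if not should_issue(first_config, instruction, order["command"]):
        return instruction, "skipped"
    ok = verify_issued(second_config, instruction, order["command"])
    return instruction, "ok" if ok else "failed"

# Constructed sample data (not from any real device and not the patent's own examples).
KNOWN_ADDRESS = {"type": "address", "cidr": "10.2.0.5/32"}
LIBRARY = {feature_code(KNOWN_ADDRESS): KNOWN_ADDRESS}  # bank holding one stored object
ORDER = {"src": "10.1.0.0/16", "dst": "10.2.0.5/32", "proto": "tcp", "port": 443,
         "action": "permit", "command": "add"}
BEFORE = ["rule deny ip src 0.0.0.0/0 dst 0.0.0.0/0 dport any"]
AFTER = BEFORE + ["rule permit tcp src 10.1.0.0/16 dst 10.2.0.5/32 dport 443"]

if __name__ == "__main__":
    print(process_work_order(ORDER, LIBRARY, BEFORE, AFTER))
```

In practice `first_config` and `second_config` would be the configuration collected from the target firewall immediately before and after issuing; here they are in-memory lists so the example runs offline. The pre-check is what stops a repeated work order from creating duplicate rules, and the post-check is what turns a silent device-side failure into a reported one.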
In a third aspect, a firewall ACL management device is provided, comprising:
a collection module, for collecting at least one item of firewall access control list (ACL) configuration information of the target managed firewall;
a determining module, for determining the information type of each item of firewall ACL configuration information; the information type includes: domain, address class, service class, timeliness class, ACL rule or ACL rule group;
a processing module, for generating, according to the information type, the ACL standard configuration object corresponding to each item of firewall ACL configuration information and the ACL standard configuration object feature code of that ACL standard configuration object;
a storage processing module, for saving the ACL standard configuration object to the preset firewall ACL standard configuration object library.
Optionally, the collection module is specifically used for:
collecting the firewall access control list ACL configuration information of the target managed firewall every predetermined period;
and the storage processing module is specifically used for:
comparing the ACL standard configuration object with the ACL standard configuration objects already stored in the firewall ACL standard configuration object library, and determining the ACL standard configuration objects to be updated, namely those that differ from the stored ACL standard configuration objects;
saving each ACL standard configuration object to be updated, together with its ACL standard configuration object feature code, to the firewall ACL standard configuration object library.
It should be understood that the firewall ACL management device provided above is used to execute the method corresponding to the first aspect presented above; the beneficial effects it can achieve therefore correspond to those of the method of the first aspect and of the corresponding schemes in the detailed embodiments below, and are not described again here.
In a fourth aspect, a firewall ACL configuration management device is provided, comprising:
a receiving module, for receiving a network work order carrying work order information; the work order information includes address information, command information and service information;
a target determination module, for determining the target firewall according to the address information; the address information includes a source IP address and a destination IP address;
a first generation module, for generating, according to the work order information, at least one work order ACL standard configuration object corresponding to the target firewall and the work order ACL standard configuration object feature code of each work order ACL standard configuration object;
a judgment module, for judging whether a synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code exists in the preset firewall ACL standard configuration information bank; the preset firewall ACL standard configuration information bank includes at least one ACL standard configuration object, each generated from the firewall ACL standard configuration information of any firewall among the target managed firewalls according to the information type of that information; the information type includes: domain, address class, service class, timeliness class, ACL rule or ACL rule group;
a processing module, for obtaining, if the judgment result is yes, the synonymous ACL standard configuration object corresponding to the synonymous ACL standard configuration object feature code in the preset bank as the target ACL standard configuration object, and, if the judgment result is no, taking the work order ACL standard configuration object as the target ACL standard configuration object;
a second generation module, for generating the ACL configuration instruction corresponding to the target firewall according to the command information and the target ACL standard configuration object;
an issuing module, for issuing the ACL configuration instruction to the target firewall so that the target firewall executes the ACL configuration instruction.
Optionally, the target determination module is specifically used for:
obtaining the configuration information of a firewall to be detected among the pre-configured firewalls; the pre-configured firewalls include at least one firewall, and the firewall to be detected is any firewall among the pre-configured firewalls;
determining whether the address information matches the configuration information of the firewall to be detected;
if the address information matches the configuration information of the firewall to be detected, determining that the firewall to be detected is the target firewall.
Optionally, the configuration information includes domain range information, and the target determination module is specifically used for:
determining, according to the domain range information of the firewall to be detected, the first source IP address matching domain that matches the source IP address and the first destination IP address matching domain that matches the destination IP address; the domain range information of the firewall to be detected includes the domains of the firewall to be detected and the address information within the range of each domain;
judging whether the first source IP address matching domain and the first destination IP address matching domain are identical;
if the judgment result is that they are not identical, determining that the address information matches the configuration information of the firewall to be detected.
Optionally, the configuration information includes routing table information, and the target determination module is specifically used for:
determining, according to the routing table information of the firewall to be detected, the first interface corresponding to the source IP address and the second interface corresponding to the destination IP address; the routing table information of the firewall to be detected includes the firewall routing address information of the firewall to be detected and the interface corresponding to each item of firewall routing address information;
judging whether the first interface and the second interface are identical;
if the judgment result is that they are not identical, determining, according to a preset correspondence between domains and interfaces, the second source IP address matching domain corresponding to the first interface and the second destination IP address matching domain corresponding to the second interface;
judging whether the second source IP address matching domain and the second destination IP address matching domain are identical;
if the judgment result is that they are not identical, determining that the address information matches the configuration information of the firewall to be detected.
Optionally, the configuration information further includes exclusive domain information, and the firewall ACL configuration management device further comprises:
an exclusive domain information determining module, for determining whether the address information matches the exclusive domain information and, if the judgment result is that the address information matches the exclusive domain information, determining that the address information matches the configuration information of the firewall to be detected.
Optionally, the firewall ACL configuration management device further comprises an issue determining module, for obtaining the first ACL configuration information of the target firewall and determining, according to the first ACL configuration information, whether to issue the ACL configuration instruction.
Optionally, the firewall ACL configuration management device further comprises a verification module, for:
obtaining the second ACL configuration information of the target firewall;
determining, according to the second ACL configuration information and the operation type of the ACL standard configuration object, whether the ACL configuration instruction was issued successfully.
Optionally, the operation type of the ACL standard configuration object includes: add operation, modify operation and delete operation.
It should be understood that the firewall ACL configuration management device provided above is used to execute the method corresponding to the second aspect presented above; the beneficial effects it can achieve therefore correspond to those of the method of the second aspect and of the corresponding schemes in the detailed embodiments below, and are not described again here.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; they are provided to illustrate a preferred embodiment and are not to be construed as limiting the invention.
Fig. 1 is a kind of method flow diagram of firewall ACL management method provided in an embodiment of the present invention;
Fig. 2 is the method flow diagram of another firewall ACL management method provided in an embodiment of the present invention;
Fig. 3 is a kind of method flow diagram of firewall ACL configuring management method provided in an embodiment of the present invention;
Fig. 4 is the method flow diagram for another firewall ACL configuring management method that one embodiment of the invention provides;
Fig. 5 is the method flow diagram for another firewall ACL configuring management method that one embodiment of the invention provides;
Fig. 6 is the method flow diagram for another firewall ACL configuring management method that one embodiment of the invention provides;
Fig. 7 is a kind of structural block diagram for firewall ACL managing device that one embodiment of the invention provides;
Fig. 8 is the structural block diagram for another firewall ACL managing device that one embodiment of the invention provides;
Fig. 9 is a kind of structural block diagram for firewall ACL configuration management device that one embodiment of the invention provides;
Figure 10 is the structural block diagram for another firewall ACL configuration management device that one embodiment of the invention provides.
Specific embodiment
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present application without creative effort fall within the protection scope of the present application. The terms "first" and "second" do not indicate any order and may be construed as names of the objects described. In the embodiments of the present application, the words "illustrative" or "for example" are used to present an example, illustration or explanation; any embodiment or design scheme described as "illustrative" or "for example" is not to be construed as preferable to or more advantageous than other embodiments or design schemes, and these words are intended to present a related concept in a specific way. In addition, in the description of the embodiments of the present application, unless otherwise noted, "plurality" means two or more.
Before introducing the embodiments of the present invention, the current way of generating and managing firewall ACLs is briefly introduced. At present, to protect the security of resource information in the enterprise intranet, an enterprise sets up multiple firewalls to isolate different trusted areas (that is, the regions of the enterprise private network that each firewall isolates), and controls the access of external devices to the resources in a trusted area by managing the firewall ACL (Access Control List), so as to protect the resource information in the trusted areas and hence in the intranet. In practice, for the purpose of policy optimization, enterprises generally use firewalls of different models to manage access to the trusted areas. Because the firewall ACL syntax differs between firewall models, administrators managing the firewalls usually have to confirm the firewall ACL syntax of each firewall manually: first, the administrator confirms the model of the firewall; then, from the model, the administrator confirms the firewall ACL syntax corresponding to that model; finally, the administrator manages the firewall manually according to that firewall ACL syntax. In this process, administrators not only have to confirm the model and firewall ACL syntax of a firewall repeatedly, but also have to be familiar with each firewall model and its corresponding firewall ACL syntax in order to manage the firewalls. When there are many firewall models, administrators have to confirm and switch between multiple firewall models and firewall ACL syntaxes, which makes manual firewall management excessively cumbersome and complicated, with a high misoperation rate and low management efficiency.
To solve the above problems, an embodiment of the present invention provides a firewall ACL management method that effectively reduces the complexity and tedious steps of manual firewall management, reduces the misoperation rate and improves management efficiency.
Fig. 1 shows a firewall ACL management method provided by an embodiment of the present invention. Referring to Fig. 1, the method includes the following steps:
Step S110: collecting at least one item of firewall ACL configuration information of the target managed firewall.
Specifically, the target managed firewalls are the one or more firewalls that the user selects according to actual needs and wants to manage. The target managed firewalls can be determined in many ways: for example, by default all the firewalls in one or more networks selected by the user (such as an intranet, i.e. the enterprise private network) may be taken as the target managed firewalls; or one or more firewalls that the user selects among all the firewalls of one or more networks may be taken as the target managed firewalls. In a specific implementation, the target managed firewall is first connected automatically through a preset interface, and at least one item of firewall ACL configuration information (that is, firewall access control list ACL configuration information) is collected from it. The preset interface can take many forms, such as an API interface; the embodiment of the present invention does not limit the form of the preset interface.
Specifically, the firewall ACL configuration information can be acquired in many ways. For example, it can be collected automatically upon an acquisition instruction received from the user; alternatively, it can be collected automatically from the target managed firewall every predetermined period; or the version of the target managed firewall's ACL configuration information can be monitored automatically, the configuration information being collected only when the version has changed. In a specific implementation, the predetermined period and the acquisition mode can be configured by those skilled in the art according to actual conditions; the invention does not limit them.
Specifically, there are also many ways of collecting the firewall ACL configuration information. For example, a configuration acquisition command corresponding to the model of the target managed firewall can be sent to it, the currently running configuration returned by the firewall is received, and the firewall ACL configuration information is extracted from that configuration according to the ACL configuration information identifier that corresponds to the firewall model; the ACL configuration information identifier is information that can uniquely identify ACL configuration information. Alternatively, a backup command can be sent to the target managed firewall so that it backs up its running configuration to a TFTP (Trivial File Transfer Protocol) server or an FTP (File Transfer Protocol) server; since the running configuration is then held on the TFTP or FTP server, it can be fetched from that server and the firewall ACL configuration information extracted from it according to the ACL configuration information identifier for the firewall model. It is understood that the collection methods listed above are only exemplary; in a specific implementation, the collection methods include but are not limited to those listed. The firewall model may include the brand, the brand's model number and other information that indicates the firewall's business capabilities.
Step S120: determine the information type of the firewall ACL configuration information.
Specifically, the information type may be: domain, address class, service class, time-validity class, ACL rule or ACL rule group. ACL configuration information of the domain type may include interface information, such as the source interface and the destination interface. ACL configuration information of the address class is address-related information, such as an IP address or an address group (which contains multiple IP addresses). ACL configuration information of the service class is service-related information, such as the network protocol (for example TCP, Transmission Control Protocol) and the service destination port (for example TCP port 22). ACL configuration information of the time-validity class is validity information related to the ACL, such as the time at which the ACL configuration information takes effect and its repetition period. ACL configuration information of the ACL rule type is the enforcement policy formulated from the domain, address class, service class and time-validity class information; an ACL rule may reference the source domain (or source interface), destination domain (or destination interface), source address (or source address group), destination address (or destination address group), destination service (or destination service group), validity information and action (i.e. the reference relationship between information of the different types). In a specific implementation, an ACL rule can cover an access request for a complete network five-tuple (source IP address, source port, destination IP address, destination port and transport layer protocol). An ACL rule group contains multiple ACL rules; in practice, each ACL rule belongs to an ACL rule group.
The information type of firewall ACL configuration information can be determined in many ways, for example from identification information contained in the configuration information (such as keywords or other information that identifies the information type of the firewall ACL configuration information). The identification information that identifies the information type differs between firewall models; it can be configured by those skilled in the art according to actual conditions and is not limited by the invention.
Step S130: according to the information type, generate the ACL standard configuration object corresponding to each item of firewall ACL configuration information and the ACL standard configuration object feature code of that object.
Specifically, the content of each item of firewall ACL configuration information is extracted and filled into the preset ACL standard configuration object corresponding to its information type, generating the ACL standard configuration object for that information type. In a specific implementation, the types of preset ACL standard configuration object are: preset domain object, preset address object, preset service object, preset time-validity object, preset ACL rule object and preset ACL rule group object. The preset object for the domain type is the preset domain object, and filling it with firewall ACL configuration information of the domain type yields a domain object; the preset object for the address class is the preset address object, and filling it with address class information yields an address object; the preset object for the service class is the preset service object, and filling it with service class information yields a service object; the preset object for the time-validity class is the preset time-validity object, and filling it with time-validity information yields a time-validity object; the preset object for an ACL rule is the preset ACL rule object, and filling it with ACL rule information yields an ACL rule object; the preset object for an ACL rule group is the preset ACL rule group object, and filling it with ACL rule group information yields an ACL rule group object. The preset ACL standard configuration objects are defined with a unified format and a unified ACL standard syntax. When firewall ACL configuration information comes from firewalls of different models, this step converts the configuration information, defined in the differing ACL syntaxes of those models, into ACL standard configuration objects defined in one unified format and one unified ACL standard syntax, thereby eliminating the format and ACL syntax differences between the configuration information of different firewall models and allowing the firewall ACL configuration information of different models to be managed uniformly.
The ACL standard configuration object feature code is generated from the content of the ACL standard configuration object and is information that uniquely identifies that content: when two ACL standard configuration objects have identical content, the generated feature codes are identical; when their content differs, the generated feature codes differ. In a specific implementation, the feature code can be generated in many ways, for example with the MD5 (Message Digest Algorithm 5) digest algorithm or another hash algorithm, as long as a feature code that uniquely represents the content of the ACL standard configuration object is produced.
For example, suppose there are address object 1 with content 135.191.35.53 and address object 2 with content 10.251.33.107, and the ACL standard configuration object feature codes are obtained from the objects with the MD5 digest algorithm: the feature code of address object 1 is 9de2e8f49aaeb914 and that of address object 2 is 8d82f1f63cf6c1a2. The content of the two objects differs, so their feature codes differ as well. Suppose further that address group GA is composed of 4 IP address objects, 135.191.35.53, 135.191.20.21, 135.191.20.20 and 135.191.20.19 (for convenience of description the address objects are assumed to be ordered here; in practice a firewall device does not distinguish the order of the address objects in an address group). The feature code generated for GA with the MD5 digest algorithm is 4e550ab33885a6cf. Reordering the address objects in GA gives address group GA', and the feature code generated for GA' with the MD5 digest algorithm is still 4e550ab33885a6cf. That is, as long as the content of two ACL standard configuration objects is identical, their feature codes are identical.
Step S140: save the ACL standard configuration objects to the preset firewall ACL standard configuration object library.
Specifically, the ACL standard configuration objects generated in step S130 are saved to form the preset firewall ACL standard configuration information library, so that the firewall ACLs can be managed uniformly on the basis of the unified-format ACL standard configuration objects held in that library.
Optionally, since the firewall ACL configuration information of the target managed firewall may be updated at any time as actual conditions change, step S110 may preferably acquire the configuration information of the target managed firewall every predetermined period, so that the ACL standard configuration objects in the preset library can be updated promptly from the newly acquired information and the timeliness of the library's contents is ensured. In that case step S140 can be implemented as shown in Fig. 2:
Step S210: compare the ACL standard configuration objects with the ACL standard configuration objects already stored in the firewall ACL standard configuration object library, and determine the ACL standard configuration objects to be updated, i.e. those that differ from the stored objects.
In practice a firewall usually has tens of thousands of ACL configuration items, so the number of ACL standard configuration objects generated in step S130 is very large. To improve the update efficiency of the preset library, this step compares the objects generated in S130 with the objects already stored in the library and determines the objects to be updated, namely those that differ from the stored objects.
The method of comparing the ACL standard configuration objects with the stored objects can be configured by those skilled in the art according to actual conditions, for example comparison by snapshot; the invention does not limit it.
Step S220: save the ACL standard configuration objects to be updated and their feature codes to the preset firewall ACL standard configuration object library.
In this step, objects that are identical to already stored objects are not saved again; only the objects to be updated, which differ from the stored objects, are saved to the preset library. This greatly reduces the number of objects for which a save operation must be performed and effectively improves the update efficiency of the ACL standard configuration objects in the preset library.
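The feature code of step S130 and the incremental update of steps S210 and S220, as an added Python example that is not code from the patent: group members are sorted before hashing so that GA and GA' get the same code, and the library update writes only objects whose code is new or changed. Object names, addresses and rule fields are constructed, and SHA-256 is used as the hash algorithm rather than MD5.

```python
import hashlib
import json

# Added example, not the patent's implementation: ACL standard configuration
# objects with a content-derived feature code (step S130) and the incremental
# library update of steps S210/S220. Names, addresses and rule fields are constructed.

UNORDERED_KINDS = {"address_group", "rule_group"}  # member order is not significant


def canonical_content(kind, content):
    """Serialise an object's content canonically.

    Address groups and rule groups are unordered in practice (the firewall does
    not distinguish member order), so their members are sorted first; all other
    kinds keep their order. Dict keys are sorted by json.dumps.
    """
    if kind in UNORDERED_KINDS:
        content = sorted(content)
    return json.dumps({"kind": kind, "content": content},
                      sort_keys=True, separators=(",", ":"))


def feature_code(kind, content):
    """Content-only feature code: identical content gives an identical code.

    The description lists MD5 among the options; SHA-256 is used here because
    MD5 is not collision resistant, which matters if the code ever doubles as
    an integrity check rather than a change detector.
    """
    data = canonical_content(kind, content).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def standard_objects(raw_items):
    """Step S130: build standard objects keyed by name from (name, kind, content)."""
    return {name: {"kind": kind, "content": content,
                   "code": feature_code(kind, content)}
            for name, kind, content in raw_items}


def update_library(library, new_objects):
    """Steps S210/S220: write only objects whose feature code is new or changed.

    `library` is the preset standard configuration library (dict keyed by object
    name) and is updated in place; the names written are returned in order.
    """
    to_update = [name for name, obj in new_objects.items()
                 if name not in library or library[name]["code"] != obj["code"]]
    for name in to_update:
        library[name] = new_objects[name]
    return to_update


# Constructed sample: the two address objects and the address group GA from the
# description, plus one ACL rule that references the group.
ACQUISITION_1 = [
    ("addr1", "address", "135.191.35.53"),
    ("addr2", "address", "10.251.33.107"),
    ("GA", "address_group",
     ["135.191.35.53", "135.191.20.21", "135.191.20.20", "135.191.20.19"]),
    ("rule1", "rule", {"src_domain": "dmz", "dst_domain": "untrust",
                       "src_addr": "GA", "service": "tcp/22", "action": "permit"}),
]
# Second periodic acquisition: GA is the same set in a different order (GA'),
# and rule1 now denies instead of permits.
ACQUISITION_2 = [
    ("addr1", "address", "135.191.35.53"),
    ("addr2", "address", "10.251.33.107"),
    ("GA", "address_group",
     ["135.191.20.19", "135.191.20.20", "135.191.20.21", "135.191.35.53"]),
    ("rule1", "rule", {"src_domain": "dmz", "dst_domain": "untrust",
                       "src_addr": "GA", "service": "tcp/22", "action": "deny"}),
]


def demo():
    """Run two acquisitions against an empty library and return what was written."""
    library = {}
    first = update_library(library, standard_objects(ACQUISITION_1))
    second = update_library(library, standard_objects(ACQUISITION_2))
    return first, second


if __name__ == "__main__":
    print(demo())  # (['addr1', 'addr2', 'GA', 'rule1'], ['rule1'])
```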
An embodiment of the present invention also provides a firewall ACL configuration management method. Referring to Fig. 3, the method includes the following steps:
Step S301: receive a network work order carrying work order information.
The work order information includes address information, command information and service information. The address information may include a source IP address and a destination IP address. The command information may include any processing instruction for data, such as an add instruction that performs an add operation on data, a modify instruction that performs a modify operation on data, or a delete instruction that performs a delete operation on data. The service information may include an interface and a network protocol. In a specific implementation, a preset external system interface may first connect to the external system and receive the network work order sent by it; the preset external system interface can be configured by those skilled in the art according to actual conditions, for example as an API (Application Program Interface), and is not limited by the invention. The external system is a system that the user selects or specifies according to actual needs. Before connecting to the external system through the preset external system interface, login information entered by the user (such as a login name and password) may be obtained and used to log in; when login succeeds, the external system is connected automatically.
Step S302: determine the target firewall according to the address information.
Specifically, according to the source IP address and the destination IP address in the address information, the firewalls on the path from the source IP address to the destination IP address are determined as target firewalls. In a specific implementation there may be one or more target firewalls. The determination can rely on the preconfigured configuration information of the pre-configured firewalls; the pre-configured firewalls comprise at least one firewall and can be configured by those skilled in the art according to actual conditions. In a specific implementation, this step may be carried out as shown in Fig. 4, comprising:
Step S401: obtain the configuration information of the firewall to be detected among the pre-configured firewalls; the firewall to be detected is any firewall among the pre-configured firewalls.
The firewall to be detected is any firewall among the pre-configured firewalls, and its configuration information may include domain range information or routing table information. Domain range information comprises the domains of a firewall and the address information within the range of each domain; in this step it comprises the domains of the firewall to be detected and the address information within the range of each of its domains. Routing table information comprises the firewall routing address information of a firewall and the interface corresponding to each routing address; in this step it comprises the firewall routing address information of the firewall to be detected and the interface corresponding to each of its routing addresses.
Step S402: judge whether the address information matches the configuration information of the firewall to be detected; if the result is yes, execute step S403; otherwise end the process.
Specifically, depending on the configuration information obtained in step S401, this step can be implemented with either of the following two schemes:
Scheme one:
Referring to Fig. 5, the scheme includes:
Step S501: according to the domain range information of the firewall to be detected, determine the first source IP address matching domain that matches the source IP address and the first destination IP address matching domain that matches the destination IP address.
Specifically, the address information within the range of each domain of the firewall to be detected is traversed. If the address information within a domain's range contains an address identical to the source IP address, i.e. the domain range contains the source IP address, that domain is taken as the first source IP address matching domain; similarly, if the address information within a domain's range contains the destination IP address, that domain is taken as the first destination IP address matching domain.
For example, suppose the firewall to be detected has domain 1, domain 2, domain 3, domain 4 and domain 5; the address information within the range of domain 2 is address A, address B and address C, and the address information within the range of domain 3 is address E, address F and address H. If the source IP address is address A and the destination IP address is address F, the range of domain 2 contains the source IP address, so domain 2 is the first source IP address matching domain, and the range of domain 3 contains the destination IP address, so domain 3 is the first destination IP address matching domain.
In a specific implementation, when the address information within the domain ranges of the firewall to be detected contains both the source IP address and the destination IP address, the domains of that firewall include a first source IP address matching domain and a first destination IP address matching domain; when the address information within its domain ranges does not contain the source IP address or the destination IP address, there is no first source IP address matching domain or first destination IP address matching domain among the domains of the firewall to be detected.
Step S502: judge whether the first source IP address matching domain and the first destination IP address matching domain of the firewall to be detected are identical.
Specifically, if the judgment result is yes, the process ends; if it is no, the address information is determined to match the configuration information of the firewall to be detected and step S403 is executed. Alternatively, optionally, in order to determine the target firewall more accurately and avoid a wrong determination (i.e. the currently determined target firewall should not be a target firewall), exclusive domain information can be pre-configured for the pre-configured firewalls. For example, if the first source IP address matching domain is the DMZ (demilitarized zone) domain and the first destination IP address matching domain is the untrust domain, traffic from the DMZ domain to the untrust domain has to pass through the external network firewall; there may then be 2 firewalls to be detected whose domains match this first source IP address matching domain and first destination IP address matching domain, one being the intranet firewall and the other the external network (non-internal network) firewall, and the intranet firewall should not be a target firewall. For such situations, when the judgment result in this step is no, it may further be determined whether the address information matches the exclusive domain information. The exclusive domain information may include the domains of each firewall to be detected and the exclusive domain corresponding to each of those domains; it is configured by those skilled in the art according to actual conditions and is not limited by the invention. Determining whether the address information matches the exclusive domain information may be done as follows: look up the first source IP address matching domain among the domains of the firewall to be detected, determine its corresponding exclusive domain according to the exclusive domain configured for each domain of the firewall, and check whether that exclusive domain contains the first destination IP address matching domain. If not, the address information matches the exclusive domain information, the address information is determined to match the configuration information of the firewall to be detected, and step S403 is executed; if so, the address information does not match the exclusive domain information, the address information is determined not to match the configuration information of the firewall to be detected, and the process ends.
In this scheme, the pre-configured firewalls may be taken as the firewall to be detected one after another by traversal, executing steps S501 to S502 for only one firewall to be detected at a time; alternatively, multiple pre-configured firewalls may be taken as firewalls to be detected simultaneously and steps S501 to S502 executed for them in parallel, which effectively improves the execution efficiency of the determination process.
Scheme two:
Referring to Fig. 6, the scheme includes:
Step S601: according to the routing table information of the firewall to be detected, determine the first interface corresponding to the source IP address and the second interface corresponding to the destination IP address.
The routing table information of the firewall to be detected comprises its firewall routing address information and the interface corresponding to each routing address. Specifically, in this step the firewall routing address information of the firewall to be detected is traversed to determine whether it contains the source IP address and the destination IP address. If it contains both, the routing address information corresponding to the source IP address (i.e. the routing address information of the firewall to be detected that is identical with the source IP address) is determined, and the interface corresponding to that routing address information is taken as the first interface matching the source IP address; likewise, the routing address information corresponding to the destination IP address (i.e. the routing address information identical with the destination IP address) is determined, and the interface corresponding to it is taken as the second interface matching the destination IP address.
If the firewall routing address information of the firewall to be detected does not contain the source IP address or the destination IP address, further processing of that firewall is cancelled.
Step S602: judge whether the first interface is identical with the second interface; if the result is no, execute step S603; if yes, end the process.
Step S603: according to the correspondence between domains and interfaces, determine the second source IP address matching domain corresponding to the first interface and the second destination IP address matching domain corresponding to the second interface.
In the correspondence between domains and interfaces, the interfaces corresponding to a domain are the interfaces that the domain includes. In a specific implementation, this correspondence can be configured by those skilled in the art according to actual conditions; in it, each domain corresponds to a source IP address interface and a destination IP address interface that the domain includes. In this step, according to the correspondence, the source IP address interface identical with the first interface is determined and the domain corresponding to it is taken as the second source IP address matching domain; and the destination IP address interface identical with the second interface is determined and the domain corresponding to it is taken as the second destination IP address matching domain.
Step S604: judge whether the second source IP address matching domain and the second destination IP address matching domain are identical.
Specifically, if the judgment result is yes, the process ends; if it is no, the address information is determined to match the configuration information of the firewall to be detected and step S403 is executed. Alternatively, optionally, to avoid a wrong determination of the target firewall, exclusive domain information can be pre-configured for the pre-configured firewalls, and when the judgment result in this step is no, it may further be determined whether the address information matches the exclusive domain information; the exclusive domain information is as introduced under step S502 and is not described again here. In this scheme, determining whether the address information matches the exclusive domain information may be done as follows: look up the second source IP address matching domain among the domains of the firewall to be detected, determine its corresponding exclusive domain according to the exclusive domain configured for each domain of the firewall, and check whether that exclusive domain contains the second destination IP address matching domain. If not, the address information matches the exclusive domain information, the address information is determined to match the configuration information of the firewall to be detected, and step S403 is executed; if so, the address information does not match the exclusive domain information, the address information is determined not to match the configuration information of the firewall to be detected, and the process ends.
In a specific implementation of this scheme, the pre-configured firewalls may be taken as the firewall to be detected one after another by traversal, executing steps S601 to S604 for only one firewall to be detected at a time; alternatively, multiple pre-configured firewalls may be taken as firewalls to be detected simultaneously and steps S601 to S604 executed for them in parallel, which effectively improves the efficiency of obtaining the source IP address matching domain and the destination IP address matching domain.
It is, of course, understood that the two schemes introduced above are only exemplary; in specific implementation, the manner of determining the target firewall may include, but is not limited to, the manners listed above.
Step S403: determine that the firewall to be detected is the target firewall.
Step S303: generate, according to the work order information, at least one work order ACL standard configuration object corresponding to the target firewall, together with the work order ACL standard configuration object feature code of each work order ACL standard configuration object.
Specifically, in this step, the information type of the work order information is determined, and the work order ACL standard configuration object and the work order ACL standard configuration object feature code of each such object are generated according to that information type. The information type of the work order information may specifically include: domain, address class, service class, timeliness class, ACL rule or ACL rule group. The detailed process of generating a work order ACL standard configuration object according to the information type of the work order information is identical to the process in step S130 of generating the ACL standard configuration object corresponding to each firewall ACL configuration information according to the information type of that configuration information; see the corresponding description in step S130, which is not repeated here. The process of generating the work order ACL standard configuration object feature code is likewise identical to the process in step S130 of generating the ACL standard configuration object feature code; see the corresponding description in step S130, which is not repeated here.
In this step, the naming rule of the ACL configuration information on the target firewall may also be obtained, and after the work order ACL standard configuration object has been generated, it is named with that naming rule in a predetermined manner. In specific implementation, naming the work order ACL standard configuration object with the naming rule in the predetermined manner may specifically be as follows:
If the work order ACL standard configuration object is an address object, it may be named as follows. Address objects are divided into single IP addresses and address ranges comprising multiple IP addresses. If the address object is a single IP address, it is named $IP1.$IP2.$IP3.$IP4/$netmask-$n, where IP1, IP2, IP3 and IP4 are the dotted-decimal components of the IP address, netmask is the IP mask, and $n distinguishes same-named IP address objects (that is, objects whose names are otherwise identical). For example, IP address 1 is named 10.172.16.83/32; if "10.172.16.83/32" already exists in the preset ACL standard configuration information base, so that the names would coincide, IP address 1 is instead named "10.172.16.83/32-1". An address range is named $IP1.$IP2.$IP3.$IP4-$rg-$n, where IP1, IP2, IP3 and IP4 are the dotted-decimal components of the IP address and rg is the last IP address of the range.
If the work order ACL standard configuration object is a service object, it may be named $protocol$port-$port2-$n, where protocol is the network protocol, for example TCP, port is the start port and port2 is the end port; $n distinguishes same-named service objects.
If the work order ACL standard configuration object is a timeliness object, it may be named $yyyymmdd-$n, where yyyymmdd is the closing date; $n distinguishes same-named objects, as for service objects. A timeliness object may be used to define the period at which closing begins.
If the work order ACL standard configuration object is an ACL rule object, it may be named as follows: the ACL rule number is designated by a natural number that increases by a preset step. The preset step may be configured by those skilled in the art according to the actual situation, and the present invention does not limit it.
The address objects, service objects and timeliness objects referenced in an ACL object follow the same naming rules as the address objects, service objects and timeliness objects described above.
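The naming rules above, implemented as an added example that is not code from the patent: each name is built from the object's content, and the $n suffix is appended only when the name already exists in the constructed set standing in for the ACL standard configuration information base. The rule-number helper assumes the next rule number is the largest existing number plus the preset step, which the text leaves to the implementer.

```python
import ipaddress
from datetime import date

# Added example of the naming rules for work order ACL standard configuration objects.
# `existing` stands in for the names already held in the ACL standard configuration
# information base; it is a constructed set, not the patent's storage format.


def _with_suffix(base, existing):
    """Return `base` if unused; otherwise append the $n suffix (-1, -2, ...) with the
    first value that does not collide with a same-named object."""
    if base not in existing:
        return base
    n = 1
    while f"{base}-{n}" in existing:
        n += 1
    return f"{base}-{n}"


def name_ip_address(ip_with_mask, existing):
    """Single IP address: $IP1.$IP2.$IP3.$IP4/$netmask-$n, e.g. 10.172.16.83/32."""
    iface = ipaddress.ip_interface(ip_with_mask)  # keeps the host bits as given
    return _with_suffix(f"{iface.ip}/{iface.network.prefixlen}", existing)


def name_address_range(first_ip, last_ip, existing):
    """Address range: $IP1.$IP2.$IP3.$IP4-$rg-$n, rg being the last IP of the range."""
    first = ipaddress.ip_address(first_ip)
    last = ipaddress.ip_address(last_ip)
    if last < first:
        raise ValueError("range end precedes range start")
    return _with_suffix(f"{first}-{last}", existing)


def name_service(protocol, port, port2, existing):
    """Service object: $protocol$port-$port2-$n, e.g. TCP22-22 for a single port."""
    if not (0 <= port <= port2 <= 65535):
        raise ValueError("invalid port range")
    return _with_suffix(f"{protocol.upper()}{port}-{port2}", existing)


def name_timeliness(close_date, existing):
    """Timeliness object: $yyyymmdd-$n, yyyymmdd being the closing date.
    Accepts a date or an ISO date string such as "2019-01-31"."""
    if isinstance(close_date, str):
        close_date = date.fromisoformat(close_date)
    return _with_suffix(close_date.strftime("%Y%m%d"), existing)


def next_rule_number(existing_numbers, step=10):
    """ACL rule object: a natural number advanced by a preset step. Assumption of this
    example: the next number is the largest existing number plus the step."""
    return max(existing_numbers, default=0) + step


def register(name, existing):
    """Record a chosen name so a later object with the same content gets the next $n."""
    existing.add(name)
    return name
```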
Further, in this step, the network work order number of the network work order may also be obtained and used as the description information of the work order ACL standard configuration object, so that in the subsequent steps (corresponding to steps S304 to S308) the description information is issued to the target firewall together with the work order ACL standard configuration object. Administrators can then obtain the network work order number from the description information read back from the target firewall, which facilitates managing the ACL configuration instructions issued to the target firewall.
Step S304: judge whether a synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code exists in the preset firewall ACL standard configuration information base; if the judgment result is yes, execute step S305; if the judgment result is no, execute step S306.
Specifically, the preset firewall ACL standard configuration information base includes at least one ACL standard configuration object; each ACL standard configuration object is generated from the firewall ACL configuration information of any firewall among the target-managed firewalls according to the information type of that configuration information, the information type including: domain, address class, service class, timeliness class, ACL rule or ACL rule group. The target-managed firewalls are the one or more firewalls that the user selects, according to actual needs, as requiring management. They may be determined in many ways: for example, by default all firewalls in one or more networks selected by the user (such as an intranet, i.e. an enterprise private network) may be the target-managed firewalls; or one or more firewalls selected by the user from all the firewalls of one or more networks may be the target-managed firewalls. In specific implementation, a preset interface may first connect automatically to the target-managed firewalls so that at least one firewall ACL configuration information is collected from them in advance. The preset interface may take many forms, such as an API interface; the embodiment of the present invention does not limit its form.
Among the information types, ACL configuration information of type domain may specifically include interface information, such as a source interface or a destination interface; ACL configuration information of type address class may specifically include address-related ACL configuration information, such as an IP address or an address group (containing multiple IP addresses); ACL configuration information of type service class may include service-related ACL configuration information such as the network protocol (for example TCP (Transmission Control Protocol)) and the service destination port (for example TCP port 22); ACL configuration information of type timeliness class may include timeliness information related to the ACL, such as the effective time of the ACL configuration information and its time repetition period; and ACL configuration information of type ACL rule may specifically be the execution policy defined over information of the above types (domain, address class, service class, timeliness class). An ACL rule may reference the following information: source domain (or source interface), destination domain (or destination interface), source address (or source address group), destination address (or destination address group), destination service (or destination service group), timeliness information and action (that is, the reference relationships between information of different information types). In specific implementation, an ACL rule may cover an access request for a complete network five-tuple (source IP address, source port, destination IP address, destination port and transport layer protocol). An ACL rule group contains a plurality of ACL rules; in practice, an ACL rule is subordinate to the ACL rule group to which it belongs.
Step S305: obtain, from the preset firewall ACL standard configuration information base, the synonymous ACL standard configuration object corresponding to the synonymous ACL standard configuration object feature code, as the target ACL standard configuration object.
Step S306: take the work order ACL standard configuration object as the target ACL standard configuration object.
When no synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code exists in the preset firewall ACL standard configuration information base, this indicates that the base contains no ACL standard configuration object identical to the work order ACL standard configuration object, and the work order ACL standard configuration object is therefore taken as the target ACL standard configuration object.
Further, after taking the work order ACL standard configuration object as the target ACL standard configuration object, the target ACL standard configuration object may also be stored in the preset firewall ACL standard configuration information base, so that it can be managed automatically through that base next time.
Step S307: generate the ACL configuration instruction corresponding to the target firewall according to the command information and the target ACL standard configuration object.
Specifically, in this step, the ACL standard operation object corresponding to the target ACL standard configuration object is first generated according to the command information carried by the network work order. The ACL standard operation object includes the target ACL standard configuration object and the operation type of the target ACL standard configuration object. In specific implementation, the operation type is determined according to the command information of the network work order: for example, if the command information instructs that the ACL standard configuration object is to be added, its operation type is the add type; if the command information instructs that the target ACL standard configuration object is to be deleted, its operation type is the delete type; and so on.
After the ACL standard operation object has been obtained, it is converted into the ACL configuration instruction corresponding to the target firewall. The ACL configuration instruction uses the ACL syntax definition of the target firewall and can be recognised by it. In specific implementation, the firewall ACL information template corresponding to the firewall model of the target firewall is obtained from the preset firewall ACL information templates according to that model; the content of the target ACL standard configuration object in the ACL standard operation object is extracted and filled into the firewall ACL information template corresponding to the type of the target ACL standard configuration object. The types of firewall ACL information template include: domain, address class, service class, timeliness class, ACL rule and ACL rule group. The types of target ACL standard configuration object include: domain object, address object, service object, timeliness object, ACL rule object and ACL rule group object. The template type corresponding to a domain object is domain; to an address object, address class; to a service object, service class; to a timeliness object, timeliness class; to an ACL rule object, ACL rule; and to an ACL rule group object, ACL rule group.
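An added example (not the patent's code) of the template conversion in step S307: a standard operation object is rendered into firewall-specific text by a template chosen by firewall model, object type and operation type. The two models MODEL-A and MODEL-B and their command syntax are constructed placeholders, and expanding a modify into delete plus add is this example's assumption.

```python
from dataclasses import dataclass

# Added example: converting an ACL standard operation object into a firewall-specific
# ACL configuration instruction by filling a template selected by (firewall model,
# object type, operation type). The models and their command syntax are constructed
# placeholders for this example, not the grammar of any real firewall.


@dataclass(frozen=True)
class StandardObject:
    kind: str        # "address", "service", "rule", ...
    name: str        # built by the naming rules of step S303
    content: dict    # type-specific fields, e.g. {"ip": "10.172.16.83", "prefix": 32}


@dataclass(frozen=True)
class StandardOperation:
    op: str          # "add", "delete" or "modify"
    obj: StandardObject


# Firewall ACL information templates, keyed by firewall model, then by (object type,
# operation type). Placeholders in braces are filled from the object's name and content.
TEMPLATES = {
    "MODEL-A": {
        ("address", "add"):    "address-set {name} ip {ip}/{prefix}",
        ("address", "delete"): "no address-set {name}",
        ("service", "add"):    "service-set {name} protocol {protocol} port {port}-{port2}",
        ("service", "delete"): "no service-set {name}",
        ("rule", "add"):       "rule {number} {action} source {src} destination {dst} service {svc}",
        ("rule", "delete"):    "no rule {number}",
    },
    "MODEL-B": {
        ("address", "add"):    "set address {name} {ip}/{prefix}",
        ("address", "delete"): "delete address {name}",
        ("service", "add"):    "set service {name} {protocol} {port} {port2}",
        ("service", "delete"): "delete service {name}",
        ("rule", "add"):       "set policy {number} from {src} to {dst} {svc} {action}",
        ("rule", "delete"):    "delete policy {number}",
    },
}


def render(model, operation):
    """Return the instruction lines for one operation on the given firewall model.
    A modify operation is expanded to delete followed by add (an assumption of this
    example; the text only lists modify as an operation type)."""
    if operation.op == "modify":
        return (render(model, StandardOperation("delete", operation.obj))
                + render(model, StandardOperation("add", operation.obj)))
    try:
        template = TEMPLATES[model][(operation.obj.kind, operation.op)]
    except KeyError:
        raise ValueError(f"no template for model={model!r} "
                         f"type={operation.obj.kind!r} op={operation.op!r}") from None
    # Missing content fields surface as KeyError from format(), which is the right
    # failure: an incomplete standard object must not become a partial instruction.
    return [template.format(name=operation.obj.name, **operation.obj.content)]


def render_all(model, operations):
    """Convert a whole work order (a sequence of standard operation objects)."""
    lines = []
    for operation in operations:
        lines.extend(render(model, operation))
    return lines
```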
Step S308: issue the ACL configuration instruction to the target firewall so that the target firewall executes the ACL configuration instruction.
Step S309: obtain the first ACL configuration information of the target firewall and determine, according to the first ACL configuration information, whether to issue the ACL configuration instruction.
This step is optional. The first ACL configuration information is the ACL configuration information on the target firewall before the ACL configuration instruction is issued. In specific implementation, the first ACL configuration information may contain configuration information with the same name as the ACL configuration instruction, that is, configuration information whose name is identical to the name of the ACL configuration instruction. If the ACL configuration instruction were issued directly to the target firewall while such same-named configuration information exists, the ACL configuration instruction would overwrite it and the same-named configuration information would be lost. To avoid this, before issuing the ACL configuration instruction, the first ACL configuration information of the target firewall is obtained and its names are compared with the name of the ACL configuration instruction; when the first ACL configuration information contains configuration information with the same name as the ACL configuration instruction, the ACL configuration instruction bearing that name is not issued. The comparison method may be configured by those skilled in the art according to the actual situation, for example by comparing against a captured snapshot; the present invention does not limit it.
Further, in order to verify the ACL configuration instruction issued to the target firewall, the following step may also be performed after step S309:
Step S310: obtain the second ACL configuration information of the target firewall and determine, according to the second ACL configuration information and the operation type of the ACL standard configuration object, whether the ACL configuration instruction was issued successfully.
The second ACL configuration information is the ACL configuration information of the target firewall after the ACL configuration instruction has been issued to it.
Specifically, in this step, the ACL standard configuration object corresponding to each second ACL configuration information may first be generated, and then the ACL standard configuration object feature code corresponding to the second ACL configuration information is generated from the content of that object. Generating the ACL standard configuration object corresponding to the second ACL configuration information is identical to the process in step S130 of generating the ACL standard configuration object corresponding to each firewall ACL configuration information, and generating its feature code is identical to the process in step S130 of generating the ACL standard configuration object feature code from the content of each ACL standard configuration object; see the corresponding description in step S130, which is not repeated here.
The ACL configuration instruction is determined to have been issued successfully when the ACL standard configuration information of the firewall has successfully executed the ACL configuration instruction. Therefore, whether the ACL configuration instruction was issued successfully can be determined from whether the ACL standard configuration information of the firewall has successfully executed it: if it has, the ACL configuration instruction was issued successfully; otherwise, issuing failed. Whether the ACL standard configuration information of the firewall has successfully executed the ACL configuration instruction is in turn determined by whether the ACL standard configuration object corresponding to that information has successfully executed the operation type of the ACL standard configuration object. In specific implementation, the operation type of the ACL standard configuration object may include: a delete operation, an add operation or a modify operation.
When the operation type of the ACL standard configuration object is a delete operation, it may be judged whether the ACL standard configuration object exists among the at least one ACL configuration object; if it does not exist, the ACL configuration instruction was issued successfully; if it exists, issuing failed.
When the operation type of the ACL standard configuration object is an add operation or a modify operation, it is judged whether the ACL standard configuration object exists among the at least one ACL configuration object; if it does not exist, issuing failed; if it exists, the target ACL configuration object corresponding to the ACL standard configuration object is determined among the at least one ACL configuration object, and it is further judged whether the feature code of the target ACL configuration object is consistent with the feature code of the ACL standard configuration object; if consistent, the ACL configuration instruction was issued successfully; if inconsistent, issuing failed. Through the above process, whether the ACL configuration instruction was issued successfully can be verified accurately, achieving automatic verification of the result of issuing the ACL configuration instruction and raising the level of firewall automation.
Further, after the above verification has been completed, the ACL configuration instruction may be written into the mirror configuration, so as to effectively ensure that the issued ACL configuration instruction remains effective after a restart.
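Steps S309 and S310 together, as an added example that is not the patent's code: the same-name check before issuing, then verification after issuing by operation type. The feature code is assumed to be a SHA-256 over the object's type and content (the patent's own derivation is in step S130), the check is applied only to add operations, and the two configuration snapshots are constructed.

```python
import hashlib
import json

# Added example: the pre-issue same-name check (step S309) and the post-issue
# verification by operation type (step S310). Configuration objects and operations
# are plain dicts: {"kind": ..., "name": ..., "content": {...}} and
# {"op": "add" | "delete" | "modify", "obj": <object>}.


def feature_code(obj):
    """Feature code over the object's type and content. The patent derives the code in
    step S130 (not shown here); a SHA-256 of the canonical JSON is an assumption."""
    canonical = json.dumps({"kind": obj["kind"], "content": obj["content"]},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def plan_issue(operations, first_acl_config):
    """Step S309: compare the names in the first ACL configuration information (before
    issuing) with each instruction's name; an add whose name already exists on the
    firewall is held back so the existing object is not overwritten. Applying the
    check only to adds is an assumption of this example: a delete or modify
    necessarily names an object that already exists."""
    existing_names = {o["name"] for o in first_acl_config}
    to_issue, held = [], []
    for operation in operations:
        if operation["op"] == "add" and operation["obj"]["name"] in existing_names:
            held.append(operation)
        else:
            to_issue.append(operation)
    return to_issue, held


def verify_issue(operation, second_acl_config):
    """Step S310: decide from the second ACL configuration information (after issuing)
    whether the instruction took effect, according to its operation type."""
    name = operation["obj"]["name"]
    by_name = {o["name"]: o for o in second_acl_config}
    if operation["op"] == "delete":
        # success iff the object is gone
        return name not in by_name
    if operation["op"] in ("add", "modify"):
        # success iff the object exists and its feature code matches the standard object
        target = by_name.get(name)
        return target is not None and feature_code(target) == feature_code(operation["obj"])
    raise ValueError(f"unknown operation type {operation['op']!r}")


def verify_all(operations, second_acl_config):
    """Map each issued instruction name to its verification result."""
    return {op["obj"]["name"]: verify_issue(op, second_acl_config) for op in operations}


# Constructed sample data: before issuing, the firewall holds one address object and
# one stale rule; the work order adds the same address (held back), adds a service
# and deletes the stale rule.
FIRST_CONFIG = [
    {"kind": "address", "name": "10.172.16.83/32",
     "content": {"ip": "10.172.16.83", "prefix": 32}},
    {"kind": "rule", "name": "30",
     "content": {"action": "permit", "src": "any", "dst": "any"}},
]
OPERATIONS = [
    {"op": "add", "obj": {"kind": "address", "name": "10.172.16.83/32",
                          "content": {"ip": "10.172.16.83", "prefix": 32}}},
    {"op": "add", "obj": {"kind": "service", "name": "TCP22-22",
                          "content": {"protocol": "tcp", "port": 22, "port2": 22}}},
    {"op": "delete", "obj": {"kind": "rule", "name": "30",
                             "content": {"action": "permit", "src": "any", "dst": "any"}}},
]
# Constructed read-back after issuing: the rule is gone, but the service came back
# with port2 = 23, so its feature code will not match and the add is flagged as failed.
SECOND_CONFIG = [
    {"kind": "address", "name": "10.172.16.83/32",
     "content": {"ip": "10.172.16.83", "prefix": 32}},
    {"kind": "service", "name": "TCP22-22",
     "content": {"protocol": "tcp", "port": 22, "port2": 23}},
]
```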
In the firewall ACL configuration management method provided by the embodiment of the present invention, the target firewall can be determined automatically according to the address information carried in the received network work order, and the ACL standard configuration object corresponding to the target firewall is obtained from the firewall ACL standard configuration information base, which contains a plurality of ACL standard configuration objects. The preset firewall ACL standard configuration information base includes at least one ACL standard configuration object; each ACL standard configuration object is generated from the firewall ACL standard configuration information of any firewall among the target-managed firewalls according to the information type of that information, the information type including: domain, address class, service class, timeliness class, ACL rule or ACL rule group. That is, the preset firewall ACL standard configuration information base holds ACL standard configuration objects into which firewall ACL configuration information written under different ACL syntax definitions has been converted in a unified format. Finally, the embodiment of the present invention can automatically generate the ACL standard operation object according to the command information carried in the network work order and the ACL standard configuration object, convert the ACL standard operation object into an ACL configuration instruction that the target firewall can recognise, and issue it to the target firewall. It can be seen that the embodiment of the present invention, based on the network work order and the firewall ACL standard configuration information base, automates the determination of the target firewall and of its ACL configuration instruction, and realises a series of processes such as the automatic matching of target firewall and ACL standard configuration object, the automatic conversion of ACL standard configuration object into ACL configuration instruction, and automatic issuing. This achieves automatic management of firewall ACLs to a certain extent: administrators no longer need to confirm and convert manually between multiple firewall models and firewall ACL grammars, which reduces their operational complexity and effectively improves the efficiency of firewall management.
The embodiment of the present invention also provides a firewall ACL management device; as shown in Figure 7, the firewall ACL management device includes:
an acquisition module 71, for collecting at least one firewall access control list (ACL) configuration information of the target-managed firewalls;
a determining module 72, for determining the information type of each firewall ACL configuration information collected by the acquisition module 71, the information type including: domain, address class, service class, timeliness class, ACL rule or ACL rule group;
a processing module 73, for generating, according to the information type determined by the determining module 72, the ACL standard configuration object corresponding to each firewall ACL configuration information and the ACL standard configuration object feature code of that object; and
a storage processing module 74, for saving the ACL standard configuration object obtained by the processing module 73 and its ACL standard configuration object feature code to the preset firewall ACL standard configuration object base.
Optionally, the acquisition module 71 may specifically be used for: collecting the firewall access control list (ACL) configuration information of the target-managed firewalls every predetermined period;
and the storage processing module 74 may specifically be used for: comparing the ACL standard configuration object with the ACL standard configuration objects already stored in the firewall ACL standard configuration object base, and determining the ACL standard configuration object to be updated that differs from the stored ACL standard configuration objects; and saving the ACL standard configuration object to be updated and its ACL standard configuration object feature code to the firewall ACL standard configuration object base.
For all related content of each step involved in the above method embodiment, reference may be made to the functional description of the corresponding functional module; this is not repeated here.
Where integrated modules are used, the firewall ACL management device includes a storage unit, a processing unit and an interface unit. The processing unit controls and manages the actions of the firewall ACL management device; for example, it supports the firewall ACL management device in executing each step of Figures 1 to 6. The interface unit supports interaction between the firewall ACL management device and other devices, and the storage unit stores the program code and data of the firewall ACL management device.
The processing unit may be a processor, the storage unit a memory, and the interface unit a communication interface. Referring to Figure 8, the firewall ACL management device includes a communication interface 801, a processor 802, a memory 803 and a bus 804; the communication interface 801 and the processor 802 are connected to the memory 803 through the bus 804.
The processor 802 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the present solution.
The memory 803 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory may exist independently and be connected to the processor through the bus, or it may be integrated with the processor.
The memory 803 is used to store the application program code for executing the present solution, and its execution is controlled by the processor 802. The communication interface 801 supports interaction between the firewall ACL management device and other devices. The processor 802 executes the application program code stored in the memory 803 so as to realise the firewall ACL management method of the embodiment of the present application.
The embodiment of the present invention also provides a firewall ACL configuration management device; as shown in Figure 9, the firewall ACL configuration management device includes:
a receiving module 901, for receiving a network work order carrying work order information, the work order information including: address information, command information and service information;
a target determination module 902, for determining the target firewall according to the address information received by the receiving module 901, the address information including: a source IP address and a destination IP address;
a first generation module 903, for generating, according to the work order information received by the receiving module 901, at least one work order ACL standard configuration object corresponding to the target firewall determined by the target determination module 902 and the work order ACL standard configuration object feature code of each work order ACL standard configuration object;
a judgment module 904, for judging whether a synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code exists in the preset firewall ACL standard configuration information base; the preset firewall ACL standard configuration information base includes at least one ACL standard configuration object, each generated from the firewall ACL standard configuration information of any firewall among the target-managed firewalls according to the information type of that information, the information type including: domain, address class, service class, timeliness class, ACL rule or ACL rule group;
a processing module 905, for obtaining, when the judgment result of the judgment module 904 is yes, the synonymous ACL standard configuration object corresponding to the synonymous ACL standard configuration object feature code from the preset firewall ACL standard configuration information base as the target ACL standard configuration object, and, when the judgment result of the judgment module 904 is no, taking the work order ACL standard configuration object as the target ACL standard configuration object;
a second generation module 906, for generating the ACL configuration instruction corresponding to the target firewall according to the command information received by the receiving module 901 and the target ACL standard configuration object obtained by the processing module 905; and
an issuing module 907, for issuing the ACL configuration instruction generated by the second generation module 906 to the target firewall so that the target firewall executes the ACL configuration instruction.
Optionally, the target determination module 902 is specifically used for: obtaining the configuration information of a firewall to be detected among the pre-configured firewalls, the pre-configured firewalls including at least one firewall and the firewall to be detected being any firewall among them; determining whether the address information matches the configuration information of the firewall to be detected; and, if the address information matches the configuration information of the firewall to be detected, determining that the firewall to be detected is the target firewall.
Optionally, the configuration information includes domain range information, and the target determination module 902 is specifically used for: determining, according to the domain range information of the firewall to be detected, the first source IP address matching domain matched by the source IP address and the first destination IP address matching domain matched by the destination IP address, the domain range information of the firewall to be detected including the domains of the firewall to be detected and the address information within the domain range of each domain; judging whether the first source IP address matching domain and the first destination IP address matching domain are identical; and, if the judgment result is that they are not identical, determining that the address information matches the configuration information of the firewall to be detected.
Optionally, the configuration information includes routing table information, and the target determination module 902 is specifically used for: determining, according to the routing table information of the firewall to be detected, the first interface corresponding to the source IP address and the second interface corresponding to the destination IP address, the routing table information of the firewall to be detected including the firewall routing address information of the firewall to be detected and the interface corresponding to each firewall routing address information; judging whether the first interface is identical to the second interface; if the judgment result is that they are not identical, determining, according to the preset correspondence between domains and interfaces, the second source IP address matching domain corresponding to the first interface and the second destination IP address matching domain corresponding to the second interface; judging whether the second source IP address matching domain and the second destination IP address matching domain are identical; and, if the judgment result is that they are not identical, determining that the address information matches the configuration information of the firewall to be detected.
Optionally, the configuration information further comprises exclusive domain information, and the ACL configuration management device further comprises an exclusive domain information determining module 908, configured to determine whether the address information matches the exclusive domain information and, if so, to determine that the address information matches the configuration information of the firewall to be checked.
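As an added example (not code from the patent), the following Python program implements the target-firewall selection described for modules 902 and 908 above and in claims 4 to 7 below: the domain (security zone) range check, the routing-table check with longest-prefix matching and the preset interface-to-domain mapping, and the exclusive-domain override that is evaluated first. The `Firewall` class, all function names, the sample inventory and the choice to treat an address that falls in none of a firewall's domains (or routes) as "not matched" are assumptions.

```python
"""Target-firewall selection for a work order (added example, not the patent's code).

Three checks decide whether a firewall lies on the path between the work order's
source and destination:
  * domain ranges: source and destination fall in different domains of the firewall;
  * routing table: longest-prefix match gives each address's egress interface; if
    the interfaces differ, they are mapped to domains and the domains compared;
  * exclusive domain: an address in an exclusive range always selects the firewall.
Names, the inventory and the "unknown domain means no match" rule are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Firewall:
    name: str
    # domain (security zone) -> address ranges belonging to that domain
    zones: Dict[str, List[IPv4Network]] = field(default_factory=dict)
    # routing table: prefix -> egress interface
    routes: Dict[IPv4Network, str] = field(default_factory=dict)
    # preset interface -> domain correspondence used by the routing-table check
    iface_zone: Dict[str, str] = field(default_factory=dict)
    # exclusive domain: ranges that always select this firewall
    exclusive: List[IPv4Network] = field(default_factory=list)


def _longest_match(table, addr: IPv4Address) -> Optional[str]:
    """Value of the most specific prefix containing addr, or None if no prefix matches."""
    best_len, best_val = -1, None
    for net, val in table:
        if addr in net and net.prefixlen > best_len:
            best_len, best_val = net.prefixlen, val
    return best_val


def zone_of(fw: Firewall, addr: IPv4Address) -> Optional[str]:
    """Domain-range check: the domain whose most specific range contains addr."""
    return _longest_match([(n, z) for z, nets in fw.zones.items() for n in nets], addr)


def egress_interface(fw: Firewall, addr: IPv4Address) -> Optional[str]:
    """Routing-table check: longest-prefix match, as the firewall itself would route."""
    return _longest_match(fw.routes.items(), addr)


def matches_by_zone(fw: Firewall, src: IPv4Address, dst: IPv4Address) -> bool:
    zs, zd = zone_of(fw, src), zone_of(fw, dst)
    return zs is not None and zd is not None and zs != zd


def matches_by_route(fw: Firewall, src: IPv4Address, dst: IPv4Address) -> bool:
    i_src, i_dst = egress_interface(fw, src), egress_interface(fw, dst)
    if i_src is None or i_dst is None or i_src == i_dst:
        return False  # same interface: the traffic never crosses this firewall
    zs, zd = fw.iface_zone.get(i_src), fw.iface_zone.get(i_dst)
    return zs is not None and zd is not None and zs != zd


def is_target(fw: Firewall, src: IPv4Address, dst: IPv4Address) -> bool:
    """Exclusive domain first (claim 7), then domain ranges if configured, else routes."""
    if any(src in net or dst in net for net in fw.exclusive):
        return True
    if fw.zones:
        return matches_by_zone(fw, src, dst)
    return matches_by_route(fw, src, dst)


def select_targets(fws: List[Firewall], src: str, dst: str) -> List[str]:
    """Names of the pre-configured firewalls that the work order must be issued to."""
    s, d = ip_address(src), ip_address(dst)
    return [fw.name for fw in fws if is_target(fw, s, d)]


# Constructed inventory (not from the patent): a DC edge firewall described by domain
# ranges plus an exclusive range, a core firewall described only by its routing
# table, and a branch firewall whose "wan" domain is a catch-all default.
INVENTORY = [
    Firewall("dc-edge",
             zones={"trust": [ip_network("10.1.0.0/16")],
                    "dmz": [ip_network("10.2.0.0/16")],
                    "untrust": [ip_network("0.0.0.0/0")]},
             exclusive=[ip_network("203.0.113.0/24")]),
    Firewall("core",
             routes={ip_network("10.1.0.0/16"): "ge0",
                     ip_network("10.3.0.0/16"): "ge3",  # second interface, same domain
                     ip_network("10.2.0.0/16"): "ge1",
                     ip_network("0.0.0.0/0"): "ge2"},
             iface_zone={"ge0": "trust", "ge3": "trust", "ge1": "dmz", "ge2": "untrust"}),
    Firewall("branch",
             zones={"lan": [ip_network("192.168.1.0/24")],
                    "wan": [ip_network("0.0.0.0/0")]}),
]

if __name__ == "__main__":
    for src, dst in [("10.1.5.5", "10.2.7.7"), ("10.1.5.5", "10.3.1.1"),
                     ("192.168.1.10", "10.1.5.5"), ("203.0.113.5", "203.0.113.9")]:
        print(f"{src} -> {dst}: {select_targets(INVENTORY, src, dst)}")
```

Note the `core` case for 10.1.5.5 to 10.3.1.1: the two addresses leave through different interfaces (ge0 and ge3), but both interfaces map to the `trust` domain, so the routing-table check reports that the firewall is not a target. Comparing interfaces alone would have pushed a rule to a device that the traffic never crosses, which is exactly the mistake the second domain comparison in claim 6 prevents.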
Optionally, the ACL configuration management device further comprises an issuing determination module 909, configured to obtain first ACL configuration information of the target firewall (its configuration as it stands before the change) and to determine, according to the first ACL configuration information, whether to issue the ACL configuration instruction.
Optionally, the ACL configuration management device further comprises a verification module 910, configured to:
obtain second ACL configuration information of the target firewall (its configuration as collected after the instruction has been issued);
and determine, according to the second ACL configuration information and the operation type of the ACL standard configuration object, whether the ACL configuration instruction was issued successfully.
Optionally, the operation type of the ACL standard configuration object is one of: an add operation, a modify operation, or a delete operation.
For the details of each step of the method embodiments above, reference may be made to the functional description of the corresponding functional module; they are not repeated here.
When integrated modules are used, the firewall ACL configuration management device comprises a storage unit, a processing unit and an interface unit. The processing unit controls and manages the actions of the device; for example, it supports the device in executing each step of Fig. 1 to Fig. 6. The interface unit supports interaction between the device and other devices. The storage unit stores the program code and data of the device.
The processing unit may be a processor, the storage unit a memory, and the interface unit a communication interface. Referring to Fig. 10, the firewall ACL configuration management device comprises a communication interface 1001, a processor 1002, a memory 1003 and a bus 1004; the communication interface 1001 and the processor 1002 are connected to the memory 1003 through the bus 1004.
The processor 1002 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits that control execution of the programs of the present application.
The memory 1003 may be a read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, a random access memory (RAM) or another type of dynamic storage device capable of storing information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited to these. The memory may exist separately and be connected to the processor through the bus, or it may be integrated with the processor.
The memory 1003 stores the application program code for executing the solution of the present application, and the processor 1002 controls its execution. The communication interface 1001 supports interaction between the firewall ACL configuration management device and other devices. The processor 1002 executes the application program code stored in the memory 1003 to implement the firewall ACL configuration management method of the embodiments of the present application.
It should be noted that in this document the terms "include", "comprise" or any other variant are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the preferred implementation. Based on this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and comprising instructions that cause a terminal (which may be a mobile phone, a computer, a server, an air conditioner, a network device, etc.) to execute the methods described in the embodiments of the present application.
An embodiment of the present invention further provides a computer program that can be loaded directly into a memory and contains software code; when loaded and executed by a computer, the program implements the above firewall ACL management method and firewall ACL configuration management method.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the application is not limited to the specific embodiments described, which are illustrative rather than restrictive. Under the teaching of the application, and without departing from its purpose and the scope of protection claimed, those skilled in the art can also devise many other forms, all of which fall within the protection of the application.
Claims (20)
1. A firewall ACL management method, comprising:
collecting at least one item of firewall access control list (ACL) configuration information of a managed firewall;
determining the information type of each item of firewall ACL configuration information, the information type being one of: domain, address class, service class, time class, ACL rule, or ACL rule group;
generating, according to the information type, the ACL standard configuration object corresponding to each item of firewall ACL configuration information and the ACL standard configuration object feature code of that ACL standard configuration object; and
saving the ACL standard configuration object and its ACL standard configuration object feature code to a preset firewall ACL standard configuration object library.
2. The firewall ACL management method according to claim 1, wherein collecting the firewall access control list (ACL) configuration information of the managed firewall specifically comprises:
collecting the firewall ACL configuration information of the managed firewall at every preset period;
and saving the ACL standard configuration object to the preset firewall ACL standard configuration object library comprises:
comparing the ACL standard configuration objects with the ACL standard configuration objects already stored in the firewall ACL standard configuration object library, and determining, from among the ACL standard configuration objects, the ACL standard configuration objects to be updated, namely those that differ from the stored ACL standard configuration objects; and
saving the ACL standard configuration objects to be updated and their ACL standard configuration object feature codes to be updated to the firewall ACL standard configuration object library.
3. A firewall ACL configuration management method, comprising:
receiving a network work order carrying work order information, the work order information comprising address information, instruction information and service information;
determining a target firewall according to the address information, the address information comprising a source IP address and a destination IP address;
generating, according to the work order information, at least one work order ACL standard configuration object corresponding to the target firewall and the work order ACL standard configuration object feature code of each work order ACL standard configuration object;
judging whether a preset firewall ACL standard configuration information library contains a synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code; wherein the preset firewall ACL standard configuration information library comprises at least one ACL standard configuration object, each ACL standard configuration object being generated from the firewall ACL standard configuration information of any firewall among the managed firewalls according to the information type of that firewall ACL standard configuration information, the information type being one of: domain, address class, service class, time class, ACL rule, or ACL rule group;
if the judgement result is yes, obtaining from the preset firewall ACL standard configuration information library the synonymous ACL standard configuration object corresponding to the synonymous ACL standard configuration object feature code as the target ACL standard configuration object; if the judgement result is no, using the work order ACL standard configuration object as the target ACL standard configuration object;
generating the ACL configuration instruction corresponding to the target firewall according to the instruction information and the target ACL standard configuration object; and
issuing the ACL configuration instruction to the target firewall, so that the target firewall executes the ACL configuration instruction.
4. The firewall ACL configuration management method according to claim 3, wherein determining the target firewall according to the address information comprises:
obtaining the configuration information of a firewall to be checked from among pre-configured firewalls, where the pre-configured firewalls comprise at least one firewall and the firewall to be checked is any firewall among the pre-configured firewalls;
determining whether the address information matches the configuration information of the firewall to be checked; and
if the address information matches the configuration information of the firewall to be checked, determining that the firewall to be checked is the target firewall.
5. The firewall ACL configuration management method according to claim 4, wherein the configuration information comprises domain range information, and determining whether the address information matches the configuration information of the firewall to be checked comprises:
determining, from the domain range information of the firewall to be checked, a first source IP address matching domain that contains the source IP address and a first destination IP address matching domain that contains the destination IP address, where the domain range information of the firewall to be checked comprises the domains of the firewall to be checked and the address information within the range of each domain;
judging whether the first source IP address matching domain and the first destination IP address matching domain are the same; and
if the judgement result is that the first source IP address matching domain and the first destination IP address matching domain are not the same, determining that the address information matches the configuration information of the firewall to be checked.
6. The firewall ACL configuration management method according to claim 4, wherein the configuration information comprises routing table information, and determining whether the address information matches the configuration information of the firewall to be checked comprises:
determining, from the routing table information of the firewall to be checked, a first interface corresponding to the source IP address and a second interface corresponding to the destination IP address, where the routing table information of the firewall to be checked comprises the firewall route address information of the firewall to be checked and the interface corresponding to each item of firewall route address information;
judging whether the first interface and the second interface are the same;
if the judgement result is that the first interface and the second interface are not the same, determining, from a preset correspondence between domains and interfaces, a second source IP address matching domain corresponding to the first interface and a second destination IP address matching domain corresponding to the second interface;
judging whether the second source IP address matching domain and the second destination IP address matching domain are the same; and
if the judgement result is that the second source IP address matching domain and the second destination IP address matching domain are not the same, determining that the address information matches the configuration information of the firewall to be checked.
7. The firewall ACL configuration management method according to claim 5 or 6, wherein the configuration information further comprises exclusive domain information, and before determining whether the address information matches the configuration information of the firewall to be checked, the method further comprises:
determining whether the address information matches the exclusive domain information, and, if the judgement result is that the address information matches the exclusive domain information, determining that the address information matches the configuration information of the firewall to be checked.
8. The firewall ACL configuration management method according to claim 3, wherein before issuing the ACL configuration instruction to the target firewall, the method further comprises:
obtaining first ACL configuration information of the target firewall, and determining, according to the first ACL configuration information, whether to issue the ACL configuration instruction.
9. The firewall ACL configuration management method according to claim 3, wherein after issuing the ACL configuration instruction to the target firewall, the method further comprises:
obtaining second ACL configuration information of the target firewall; and
determining, according to the second ACL configuration information and the operation type of the ACL standard configuration object, whether the ACL configuration instruction was issued successfully.
10. The firewall ACL configuration management method according to claim 9, wherein the operation type of the ACL standard configuration object is one of: an add operation, a modify operation, or a delete operation.
11. A firewall ACL management device, comprising:
a collection module, configured to collect at least one item of firewall access control list (ACL) configuration information of a managed firewall;
a determining module, configured to determine the information type of each item of firewall ACL configuration information, the information type being one of: domain, address class, service class, time class, ACL rule, or ACL rule group;
a processing module, configured to generate, according to the information type, the ACL standard configuration object corresponding to each item of firewall ACL configuration information and the ACL standard configuration object feature code of that ACL standard configuration object; and
a storage processing module, configured to save the ACL standard configuration object and its ACL standard configuration object feature code to a preset firewall ACL standard configuration object library.
12. The firewall ACL management device according to claim 11, wherein the collection module is specifically configured to:
collect the firewall access control list (ACL) configuration information of the managed firewall at every preset period;
and the storage processing module is specifically configured to:
compare the ACL standard configuration objects with the ACL standard configuration objects already stored in the firewall ACL standard configuration object library, and determine, from among the ACL standard configuration objects, the ACL standard configuration objects to be updated, namely those that differ from the stored ACL standard configuration objects; and
save the ACL standard configuration objects to be updated and their ACL standard configuration object feature codes to be updated to the firewall ACL standard configuration object library.
13. A firewall ACL configuration management device, comprising:
a receiving module, configured to receive a network work order carrying work order information, the work order information comprising address information, instruction information and service information;
a target determination module, configured to determine a target firewall according to the address information, the address information comprising a source IP address and a destination IP address;
a first generation module, configured to generate, according to the work order information, at least one work order ACL standard configuration object corresponding to the target firewall and the work order ACL standard configuration object feature code of each work order ACL standard configuration object;
a judgement module, configured to judge whether a preset firewall ACL standard configuration information library contains a synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code; wherein the preset firewall ACL standard configuration information library comprises at least one ACL standard configuration object, each ACL standard configuration object being generated from the firewall ACL standard configuration information of any firewall among the managed firewalls according to the information type of that firewall ACL standard configuration information, the information type being one of: domain, address class, service class, time class, ACL rule, or ACL rule group;
a processing module, configured to obtain, if the judgement result is yes, the synonymous ACL standard configuration object corresponding to the synonymous ACL standard configuration object feature code from the preset firewall ACL standard configuration information library as the target ACL standard configuration object, and, if the judgement result is no, to use the work order ACL standard configuration object as the target ACL standard configuration object;
a second generation module, configured to generate the ACL configuration instruction corresponding to the target firewall according to the instruction information and the target ACL standard configuration object; and
an issuing module, configured to issue the ACL configuration instruction to the target firewall, so that the target firewall executes the ACL configuration instruction.
14. The firewall ACL configuration management device according to claim 13, wherein the target determination module is specifically configured to: obtain the configuration information of a firewall to be checked from among pre-configured firewalls, where the pre-configured firewalls comprise at least one firewall and the firewall to be checked is any firewall among the pre-configured firewalls; determine whether the address information matches the configuration information of the firewall to be checked; and, if the address information matches the configuration information of the firewall to be checked, determine that the firewall to be checked is the target firewall.
15. The firewall ACL configuration management device according to claim 14, wherein the configuration information comprises domain range information, and the target determination module is specifically configured to:
determine, from the domain range information of the firewall to be checked, a first source IP address matching domain that contains the source IP address and a first destination IP address matching domain that contains the destination IP address, where the domain range information of the firewall to be checked comprises the domains of the firewall to be checked and the address information within the range of each domain;
judge whether the first source IP address matching domain and the first destination IP address matching domain are the same; and
if the judgement result is that the first source IP address matching domain and the first destination IP address matching domain are not the same, determine that the address information matches the configuration information of the firewall to be checked.
16. The firewall ACL configuration management device according to claim 14, wherein the configuration information comprises routing table information, and the target determination module is specifically configured to:
determine, from the routing table information of the firewall to be checked, a first interface corresponding to the source IP address and a second interface corresponding to the destination IP address, where the routing table information of the firewall to be checked comprises the firewall route address information of the firewall to be checked and the interface corresponding to each item of firewall route address information;
judge whether the first interface and the second interface are the same;
if the judgement result is that the first interface and the second interface are not the same, determine, from a preset correspondence between domains and interfaces, a second source IP address matching domain corresponding to the first interface and a second destination IP address matching domain corresponding to the second interface;
judge whether the second source IP address matching domain and the second destination IP address matching domain are the same; and
if the judgement result is that the second source IP address matching domain and the second destination IP address matching domain are not the same, determine that the address information matches the configuration information of the firewall to be checked.
17. The firewall ACL configuration management device according to claim 15 or 16, wherein the configuration information further comprises exclusive domain information, and the device further comprises:
an exclusive domain information determining module, configured to determine whether the address information matches the exclusive domain information and, if the judgement result is that the address information matches the exclusive domain information, to determine that the address information matches the configuration information of the firewall to be checked.
18. The firewall ACL configuration management device according to claim 13, wherein the device further comprises an issuing determination module, configured to:
obtain first ACL configuration information of the target firewall, and determine, according to the first ACL configuration information, whether to issue the ACL configuration instruction.
19. The firewall ACL configuration management device according to claim 13, wherein the device further comprises a verification module, configured to:
obtain second ACL configuration information of the target firewall; and
determine, according to the second ACL configuration information and the operation type of the ACL standard configuration object, whether the ACL configuration instruction was issued successfully.
20. The firewall ACL configuration management device according to claim 19, wherein the operation type of the ACL standard configuration object is one of: an add operation, a modify operation, or a delete operation.
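As an added example (not code from the patent) covering claims 1 to 3 and 8 to 10 above, and the issuing determination module 909 and verification module 910 in the description, the following Python program builds vendor-independent ACL standard configuration objects, derives each object's feature code as the SHA-256 of its canonical form, keeps a library keyed by feature code so that a periodic collection stores only objects that differ (claim 2) and a work-order object resolves to a stored synonymous object when one exists (claim 3), checks the device's current configuration before issuing (claim 8), and verifies an add, modify or delete by re-collecting the device's configuration (claims 9 and 10). The class and function names, the wildcard-mask parser and the sample objects are assumptions; the patent does not specify how a feature code is computed, and the device-local object name is deliberately left out of the hash so that differently named but equivalent objects collapse to one code.

```python
"""ACL standard configuration objects, feature codes, library dedup and post-issue
verification (added example, not the patent's code; names and samples are assumptions).
"""
import hashlib
import json
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List

# Information types named in claim 1.
INFO_TYPES = {"domain", "address", "service", "time", "rule", "rule_group"}


def canonical_address(member: str) -> str:
    """Normalise one address member to CIDR: accepts "10.1.10.0/24", a bare host
    "10.1.20.5", or the "address wildcard" inverse-mask syntax "10.1.10.0 0.0.0.255"."""
    parts = member.split()
    if len(parts) == 2:
        wildcard = int(ip_network(parts[1]).network_address)
        if wildcard & (wildcard + 1):          # wildcard must be contiguous low-order ones
            raise ValueError(f"non-contiguous wildcard mask: {parts[1]}")
        return str(ip_network(f"{parts[0]}/{32 - wildcard.bit_length()}", strict=False))
    return str(ip_network(member, strict=False))


def _port_range(p: str) -> List[int]:
    lo, _, hi = str(p).partition("-")       # "443" and "443-443" mean the same range
    return [int(lo), int(hi or lo)]


@dataclass(frozen=True)
class StandardObject:
    info_type: str
    name: str          # device-local name; NOT part of the feature code
    canonical: str     # vendor-independent canonical form
    feature_code: str  # SHA-256 over info_type and canonical form


def make_object(info_type: str, name: str, raw: Dict) -> StandardObject:
    """Build the standard object for one item of collected configuration."""
    if info_type not in INFO_TYPES:
        raise ValueError(f"unknown information type: {info_type}")
    body = dict(raw)
    if info_type == "address":
        body["members"] = sorted(canonical_address(m) for m in raw["members"])
    elif info_type == "service":
        body["proto"] = raw["proto"].lower()
        body["ports"] = sorted(_port_range(p) for p in raw["ports"])
    elif info_type == "rule":
        body["action"] = raw["action"].lower()
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    code = hashlib.sha256(f"{info_type}|{canonical}".encode()).hexdigest()
    return StandardObject(info_type, name, canonical, code)


class Library:
    """Preset firewall ACL standard configuration object library keyed by feature code."""

    def __init__(self) -> None:
        self.objects: Dict[str, StandardObject] = {}

    def ingest(self, collected: List[StandardObject]) -> List[StandardObject]:
        """Claim 2: store only collected objects whose feature code is new; return them."""
        updated = [o for o in collected if o.feature_code not in self.objects]
        for o in updated:
            self.objects[o.feature_code] = o
        return updated

    def resolve(self, work_order_obj: StandardObject) -> StandardObject:
        """Claim 3: a stored synonymous object wins; otherwise the work-order object."""
        return self.objects.get(work_order_obj.feature_code, work_order_obj)


def _present(obj: StandardObject, config: List[StandardObject]) -> bool:
    return any(o.feature_code == obj.feature_code for o in config)


def should_issue(op: str, obj: StandardObject, current: List[StandardObject]) -> bool:
    """Module 909 / claim 8: skip an add of something already present or a delete of
    something absent; a modify is always pushed and checked afterwards."""
    if op == "add":
        return not _present(obj, current)
    if op == "delete":
        return _present(obj, current)
    return True


def verify_issue(op: str, obj: StandardObject, recollected: List[StandardObject]) -> bool:
    """Module 910 / claims 9-10: after issuing, add/modify must be present, delete absent."""
    if op in ("add", "modify"):
        return _present(obj, recollected)
    if op == "delete":
        return not _present(obj, recollected)
    raise ValueError(f"unknown operation type: {op}")


# Constructed sample (not from the patent): the same two objects as collected from two
# devices that use different names and address syntax.
FW_A = [make_object("address", "WEB_SRV", {"members": ["10.1.10.0/24", "10.1.20.5/32"]}),
        make_object("service", "HTTPS", {"proto": "TCP", "ports": ["443"]})]
FW_B = [make_object("address", "web-servers", {"members": ["10.1.20.5", "10.1.10.0 0.0.0.255"]}),
        make_object("service", "https", {"proto": "tcp", "ports": ["443-443"]})]

LIB = Library()
NEW_FROM_A = LIB.ingest(FW_A)   # both objects are new
NEW_FROM_B = LIB.ingest(FW_B)   # nothing: synonymous with what FW_A already contributed

# A work order names the same server group a third way; it resolves to the stored object.
WO_OBJ = make_object("address", "wo-web", {"members": ["10.1.10.0/24", "10.1.20.5"]})
TARGET_OBJ = LIB.resolve(WO_OBJ)

if __name__ == "__main__":
    print("new from A:", [o.name for o in NEW_FROM_A], "new from B:", [o.name for o in NEW_FROM_B])
    print("work order resolves to:", TARGET_OBJ.name)
    print("add needed on A:", should_issue("add", WO_OBJ, FW_A))
```

The important property is that the feature code is computed over the canonical form only: `WEB_SRV` on one device and `web-servers` on another, one written in CIDR and one with an inverse mask, hash to the same code, which is what makes the "synonymous" lookup in claim 3 work across vendors. A verification step that compared vendor CLI text instead would report a successful add as a failure whenever the device re-formats what it was given.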
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910058925.4A CN109547502A (en) | 2019-01-22 | 2019-01-22 | Firewall ACL management method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109547502A true CN109547502A (en) | 2019-03-29 |
Family
ID=65838139
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910058925.4A Pending CN109547502A (en) | 2019-01-22 | 2019-01-22 | Firewall ACL management method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109547502A (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110213256A (en) * | 2019-05-28 | 2019-09-06 | 哈尔滨工程大学 | A kind of firewall control method based on producer consumer mode |
CN114338225A (en) * | 2021-03-29 | 2022-04-12 | 井芯微电子技术(天津)有限公司 | Strategy distributor, mimic switch and network system |
US20220210128A1 (en) * | 2020-12-31 | 2022-06-30 | Cerner Innovation, Inc. | Generating network infastructure firewalls |
US11483246B2 (en) | 2020-01-13 | 2022-10-25 | Vmware, Inc. | Tenant-specific quality of service |
US11539633B2 (en) * | 2020-08-31 | 2022-12-27 | Vmware, Inc. | Determining whether to rate limit traffic |
US11599395B2 (en) | 2020-02-19 | 2023-03-07 | Vmware, Inc. | Dynamic core allocation |
US11799784B2 (en) | 2021-06-08 | 2023-10-24 | Vmware, Inc. | Virtualized QoS support in software defined networks |
CN114338225B (en) * | 2021-03-29 | 2024-04-12 | 井芯微电子技术(天津)有限公司 | Policy distributor, mimicry switch and network system |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1863142A (en) * | 2005-08-19 | 2006-11-15 | 华为技术有限公司 | Method for providing different service quality tactics to data stream |
CN101345694A (en) * | 2007-07-11 | 2009-01-14 | 上海未来宽带技术及应用工程研究中心有限公司 | Method for fast searching, positioning and matching access control list |
CN102612694A (en) * | 2009-11-25 | 2012-07-25 | 国际商业机器公司 | Extensible access control list framework |
CN103457824A (en) * | 2012-05-31 | 2013-12-18 | 中兴通讯股份有限公司 | Message processing method and device |
CN104253754A (en) * | 2014-09-11 | 2014-12-31 | 杭州华三通信技术有限公司 | ACL (access control list) fast matching method and equipment |
US8984011B1 (en) * | 2009-02-09 | 2015-03-17 | American Megatrends, Inc. | Page object caching for variably sized access control lists in data storage systems |
CN105812326A (en) * | 2014-12-29 | 2016-07-27 | 北京网御星云信息技术有限公司 | Heterogeneous firewall strategy centralized control method and heterogeneous firewall strategy centralized control system |
CN106027459A (en) * | 2015-12-28 | 2016-10-12 | 深圳市恒扬数据股份有限公司 | ACL (access control list) query method and device |
CN106131086A (en) * | 2016-08-31 | 2016-11-16 | 迈普通信技术股份有限公司 | A kind of matching process accessing control list and device |
CN107948205A (en) * | 2017-12-31 | 2018-04-20 | 中国移动通信集团江苏有限公司 | Firewall strategy-generating method, device, equipment and medium |
CN108429774A (en) * | 2018-06-21 | 2018-08-21 | 蔡梦臣 | A kind of firewall policy centralized optimization management method and its system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109547502A (en) | | Firewall ACL management method and device |
AU757668B2 (en) | | Method and system for enforcing a communication security policy |
US6816897B2 (en) | | Console mapping tool for automated deployment and management of network devices |
US7539769B2 (en) | | Automated deployment and management of network devices |
US8438625B2 (en) | | Management apparatus, control method, and storage medium |
US7844563B2 (en) | | System and method for applying rule sets and rule interactions |
US20020147974A1 (en) | | Networked installation system for deploying systems management platforms |
CN113014427B (en) | | Network management method and device and storage medium |
US20020194497A1 (en) | | Firewall configuration tool for automated deployment and management of network devices |
AU2013204798A1 (en) | | Cloud based virtual environment validation |
CN110324338B (en) | | Data interaction method, device, bastion host and computer readable storage medium |
CN108881308A (en) | | User terminal and authentication method, system and medium therefor |
US8359377B2 (en) | | Interface for automated deployment and management of network devices |
US20020161888A1 (en) | | Template-based system for automated deployment and management of network devices |
CN106844489A (en) | | File operation method, device and system |
US20080028034A1 (en) | | Method for mapping an iSCSI target name to a storage resource based on an initiator hardware class identifier |
US20060117100A1 (en) | | Communication device and communication system capable of facilitating operations |
CN113341798A (en) | | Method, system, device, equipment and storage medium for remotely accessing an application |
CN107294924A (en) | | Vulnerability detection method, device and system |
CN114257413A (en) | | Application container engine-based anti-braking blocking method and device and computer equipment |
KR100714681B1 (en) | | Network managing device and method thereof |
CN113194099B (en) | | Data proxy method and proxy server |
CN110290153A (en) | | Automatic delivery method and device for firewall port management policies |
KR102292579B1 (en) | | Method of checking vulnerability based on hybrid use of verification code and script, and apparatus using the same |
CN103138961B (en) | | Server control method, controlled server and central control server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
Application publication date: 2019-03-29