CN109547502A - Firewall ACL management method and device - Google Patents

Firewall ACL management method and device

Publication number: CN109547502A
Authority: CN (China)
Prior art keywords: acl, firewall, information, address, configuration
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201910058925.4A
Other languages: Chinese (zh)
Inventors: 孙欣, 陆海军, 唐秀才, 肖龙, 康缪建
Current assignee: Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd
Application filed by Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd; priority to CN201910058925.4A; publication of CN109547502A.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
        • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
            • H04L63/101 Access control lists [ACL]
        • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

Embodiments of the present invention provide a firewall ACL management method and device in the field of information security technology, to solve the problem that differences in ACL syntax between firewalls give manual firewall management a high misoperation rate and low management efficiency. The invention comprises: a firewall ACL management method, in which ACL standard configuration objects and their corresponding ACL standard configuration object feature codes are generated according to the information type of at least one piece of ACL configuration information collected from the managed target firewalls, and the generated information is saved to a preset ACL standard configuration information library; and a firewall ACL configuration management method, in which the target firewall is determined from the work order information carried by a received network work order, it is determined whether the ACL standard configuration object corresponding to the work order information can be obtained from the preset ACL standard configuration information library, and an ACL standard operation object obtained from the work order command information and the ACL standard configuration object is converted into an ACL configuration instruction and issued to the target firewall. The invention is used for the management of firewalls.

Description

Firewall ACL management method and device
Technical field
The present invention relates to the field of information security technology, and in particular to a firewall ACL management method and device.
Background art
With the spread and development of network technology, attacks have become more and more frequent. At present, enterprises generally install firewalls to protect the information on their intranets, and manage those firewalls through the firewall ACL (Access Control List).
In practice, management processes such as configuring and issuing firewall ACLs are carried out manually. For policy optimization purposes, enterprises generally use firewalls of different models, and because the firewall ACL syntax differs between models, administrators must be familiar with multiple firewall models and the ACL syntax corresponding to each of them in order to manage the firewalls accurately according to model and syntax. When many firewall models are in use, the number of models and ACL syntaxes involved makes manual firewall management excessively cumbersome and complex, the misoperation rate is high, and management efficiency is low.
Summary of the invention
Embodiments of the present invention provide a firewall ACL management method and device, to solve the technical problem in the prior art that differences in ACL syntax between firewalls give manual firewall management a high misoperation rate and low management efficiency. The present invention can effectively reduce the difficulty of firewall management operations and improve firewall management efficiency.
To achieve the above object, the present invention adopts the following technical scheme:
In a first aspect, a firewall ACL management method is provided, comprising:
collecting at least one piece of firewall access control list (ACL) configuration information from the managed target firewalls;
determining the information type of each piece of firewall ACL configuration information, the information type being one of: domain, address class, service class, time-validity class, ACL rule, or ACL rule group;
generating, according to the information type, the ACL standard configuration object corresponding to each piece of firewall ACL configuration information; and
saving the ACL standard configuration objects to a preset firewall ACL standard configuration object library.
In the firewall ACL management method provided by this embodiment, at least one piece of firewall ACL configuration information is collected from the managed target firewalls, and the ACL standard configuration object corresponding to each piece is generated according to its information type. This converts firewall ACL configuration information written under different ACL syntax definitions into ACL standard configuration objects of a unified format and a unified ACL syntax definition, thereby eliminating the differences in format and in ACL syntax between the firewall ACL configuration information of different firewall models. The ACL standard configuration objects are then saved to the preset firewall ACL standard configuration information library, so that the firewall ACLs can be managed uniformly on the basis of the uniformly formatted objects stored there, which reduces the misoperation rate and improves management efficiency.
Optionally, collecting the firewall access control list (ACL) configuration information of the managed target firewalls specifically comprises:
collecting the firewall ACL configuration information of the managed target firewalls once every predetermined period;
and saving the ACL standard configuration objects to the preset firewall ACL standard configuration object library comprises:
comparing the ACL standard configuration objects with the ACL standard configuration objects already stored in the firewall ACL standard configuration object library, and determining the ACL standard configuration objects to be updated, namely those that differ from the stored objects; and
saving the ACL standard configuration objects to be updated, together with their ACL standard configuration object feature codes, to the firewall ACL standard configuration object library.
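The first aspect and the optional periodic-collection step describe a pipeline: read vendor-specific ACL configuration, convert each line into a vendor-neutral standard object tagged with its information type, derive a feature code for the object, and diff the result against the stored library so that only changed objects are written back. The following Python is an added example of that pipeline; it is not code from the patent or from the assignee. The two configuration grammars ("alpha" and "beta"), the sample configurations and the choice of SHA-256 over canonical JSON as the feature code are all constructed here for illustration and do not correspond to any real vendor.

```python
import hashlib
import json
import re

# Two toy configuration grammars, constructed for this example only; they
# do not correspond to any real firewall vendor's syntax.
#   alpha:  address <name> <cidr>
#           rule <name> <permit|deny> <proto> <src> <dst> <port>
#   beta:   object net <name> <cidr>
#           acl <name> from <src> to <dst> <proto>/<port> action=<allow|drop>
GRAMMARS = {
    "alpha": [
        (re.compile(r"^address\s+(?P<name>\S+)\s+(?P<cidr>\S+)$"), "address"),
        (re.compile(r"^rule\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
                    r"\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\S+)$"), "acl_rule"),
    ],
    "beta": [
        (re.compile(r"^object\s+net\s+(?P<name>\S+)\s+(?P<cidr>\S+)$"), "address"),
        (re.compile(r"^acl\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
                    r"\s+(?P<proto>\S+)/(?P<port>\S+)\s+action=(?P<action>allow|drop)$"), "acl_rule"),
    ],
}
# Vendor action keywords mapped onto one unified vocabulary.
ACTION_MAP = {"permit": "permit", "allow": "permit", "deny": "deny", "drop": "deny"}


def normalize(vendor, line):
    """Map one configuration line to a standard configuration object (a dict
    whose 'info_type' is the patent's information type), or None when the
    line is not an ACL object this example recognises."""
    for pattern, info_type in GRAMMARS[vendor]:
        m = pattern.match(line.strip())
        if m:
            obj = {"info_type": info_type, **m.groupdict()}
            if "action" in obj:
                obj["action"] = ACTION_MAP[obj["action"]]
            if "proto" in obj:
                obj["proto"] = obj["proto"].lower()
            return obj
    return None


def feature_code(obj):
    """Feature code of a standard object: SHA-256 over its canonical JSON form,
    excluding the device-local 'name', so that the same rule written in two
    vendor syntaxes yields the same code (constructed choice of hash)."""
    semantic = {k: v for k, v in obj.items() if k != "name"}
    blob = json.dumps(semantic, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()


def collect(vendor, config_text):
    """Normalise every recognised line of a configuration read from a firewall."""
    objs = (normalize(vendor, ln) for ln in config_text.splitlines())
    return [o for o in objs if o is not None]


def objects_to_update(collected, library):
    """Compare freshly collected objects with the library (keyed by feature
    code) and return the (feature_code, object) pairs not yet stored."""
    pending = []
    for obj in collected:
        fc = feature_code(obj)
        if fc not in library:
            pending.append((fc, obj))
    return pending


def save(library, pending):
    """Store the objects to be updated together with their feature codes."""
    for fc, obj in pending:
        library[fc] = obj
    return library


# Constructed sample configurations, one per toy grammar.  The 'interface'
# line in the alpha sample is deliberately not an ACL object and is skipped.
ALPHA_SAMPLE = """address WEB 10.1.0.0/24
rule r1 permit tcp ANY WEB 443
interface eth0 mtu 1500
"""
BETA_SAMPLE = """object net WEB 10.1.0.0/24
acl web_in from ANY to WEB tcp/443 action=allow
"""

if __name__ == "__main__":
    lib = {}
    save(lib, objects_to_update(collect("alpha", ALPHA_SAMPLE), lib))
    print(len(lib), "objects stored;",
          len(objects_to_update(collect("beta", BETA_SAMPLE), lib)), "pending after beta")
```

The point of excluding the device-local rule name from the feature code is that the same semantic rule collected from two different firewall models (or later generated from a work order, which carries no rule name) resolves to one library entry; changing any semantic field, such as the port, produces a new object that the periodic diff reports as pending.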
In a second aspect, a firewall ACL configuration management method is provided, comprising:
receiving a network work order carrying work order information, the work order information comprising address information, command information and service information;
determining the target firewall according to the address information, the address information comprising a source IP address and a destination IP address;
generating, according to the work order information, at least one work order ACL standard configuration object corresponding to the target firewall, and the work order ACL standard configuration object feature code of each work order ACL standard configuration object;
judging whether a synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code exists in a preset firewall ACL standard configuration information library; wherein the preset firewall ACL standard configuration information library comprises at least one ACL standard configuration object, each generated from the firewall ACL standard configuration information of any of the managed target firewalls according to the information type of that information, the information type being one of: domain, address class, service class, time-validity class, ACL rule, or ACL rule group;
if the judgment result is yes, obtaining the synonymous ACL standard configuration object corresponding to the synonymous feature code from the preset firewall ACL standard configuration information library as the target ACL standard configuration object; if the judgment result is no, taking the work order ACL standard configuration object as the target ACL standard configuration object;
generating the ACL configuration instruction corresponding to the target firewall according to the command information and the target ACL standard configuration object; and
issuing the ACL configuration instruction to the target firewall, so that the target firewall executes the ACL configuration instruction.
In the firewall ACL configuration management method provided by this embodiment, the target firewall can be determined automatically from the address information carried in the received network work order, and the target ACL standard configuration object corresponding to that firewall can be obtained from the firewall ACL standard configuration information library, which contains a plurality of ACL standard configuration objects. The preset library comprises at least one ACL standard configuration object, each generated from the firewall ACL standard configuration information of any managed target firewall according to its information type (domain, address class, service class, time-validity class, ACL rule, or ACL rule group); that is, the library holds firewall ACL configuration information from different ACL syntax definitions converted into ACL standard configuration objects of a unified format. Finally, the embodiment can automatically generate an ACL standard operation object from the command information carried in the network work order and the target ACL standard configuration object, convert it into an ACL configuration instruction that the target firewall can recognise, and issue it to the target firewall. The embodiment therefore performs, on the basis of the network work order and the firewall ACL standard configuration information library, a series of automated processes: determining the target firewall, matching the ACL standard configuration object, converting the ACL standard configuration object into the target firewall's ACL configuration instruction, and issuing it. To a certain extent this realises automatic management of firewall ACLs, so that administrators no longer have to confirm and convert between a variety of firewall models and ACL syntaxes manually, which reduces the operational complexity for administrators and effectively improves firewall management efficiency.
Optionally, determining the target firewall according to the address information comprises:
obtaining the configuration information of a firewall to be detected among the pre-configured firewalls, wherein the pre-configured firewalls comprise at least one firewall and the firewall to be detected is any one of them;
determining whether the address information matches the configuration information of the firewall to be detected, the address information comprising the source IP address and the destination IP address; and
if the address information matches the configuration information of the firewall to be detected, determining that the firewall to be detected is the target firewall.
Optionally, the configuration information comprises domain range information, and determining whether the address information matches the configuration information of the firewall to be detected comprises:
determining, according to the domain range information of the firewall to be detected, the first source IP address matching domain that matches the source IP address and the first destination IP address matching domain that matches the destination IP address, wherein the domain range information comprises the domains of the firewall to be detected and the address information within the range of each domain;
judging whether the first source IP address matching domain and the first destination IP address matching domain are identical; and
if they are not identical, determining that the address information matches the configuration information of the firewall to be detected.
Optionally, the configuration information comprises routing table information, and determining whether the address information matches the configuration information of the firewall to be detected comprises:
determining, according to the routing table information of the firewall to be detected, the first interface corresponding to the source IP address and the second interface corresponding to the destination IP address, wherein the routing table information comprises the firewall routing address information of the firewall to be detected and the interface corresponding to each routing address;
judging whether the first interface and the second interface are identical;
if they are not identical, determining, according to a preset correspondence between domains and interfaces, the second source IP address matching domain corresponding to the first interface and the second destination IP address matching domain corresponding to the second interface;
judging whether the second source IP address matching domain and the second destination IP address matching domain are identical; and
if they are not identical, determining that the address information matches the configuration information of the firewall to be detected.
Optionally, the configuration information further comprises exclusive domain information, and before determining that the address information matches the configuration information of the firewall to be detected, the firewall ACL configuration management method further comprises: determining whether the address information matches the exclusive domain information, and if it does, determining that the address information matches the configuration information of the firewall to be detected.
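The three optional checks above (exclusive domain, domain range, routing table) together decide whether a given firewall sits on the path between the work order's source and destination, which is what makes it a target firewall. The following Python is an added example that applies all three checks to a constructed inventory of firewalls; it is not the patent's code. The data model (a dict per firewall with `domains`, `routes`, `iface_domain` and `exclusive` keys), the longest-prefix-match routing lookup and the reading of "matches the exclusive domain information" as "either endpoint lies in an exclusive range" are assumptions made for this example.

```python
import ipaddress


def _in_prefixes(ip, prefixes):
    """True when ip lies inside any of the CIDR prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def domain_of(fw, ip):
    """Domain range check helper: name of the firewall domain whose address
    range contains ip, or None if the address is in none of its domains."""
    for domain, prefixes in fw["domains"].items():
        if _in_prefixes(ip, prefixes):
            return domain
    return None


def match_by_domain(fw, src, dst):
    """Domain range information: the firewall matches when source and
    destination fall into two different domains of that firewall."""
    s, d = domain_of(fw, src), domain_of(fw, dst)
    return s is not None and d is not None and s != d


def egress_interface(fw, ip):
    """Routing table lookup, longest prefix wins (assumed routing semantics)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in fw["routes"]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def match_by_routing(fw, src, dst):
    """Routing table information: source and destination must leave via
    different interfaces, and those interfaces must map to different domains."""
    i_src, i_dst = egress_interface(fw, src), egress_interface(fw, dst)
    if i_src is None or i_dst is None or i_src == i_dst:
        return False
    d_src, d_dst = fw["iface_domain"].get(i_src), fw["iface_domain"].get(i_dst)
    return d_src is not None and d_dst is not None and d_src != d_dst


def match_exclusive(fw, src, dst):
    """Exclusive domain information (assumption: either endpoint inside the
    exclusive ranges counts as a match)."""
    ranges = fw.get("exclusive", [])
    return _in_prefixes(src, ranges) or _in_prefixes(dst, ranges)


def is_target_firewall(fw, src, dst):
    """Exclusive-domain check first, then whichever of the two address
    matching methods this firewall's configuration information supports."""
    if match_exclusive(fw, src, dst):
        return True
    if "domains" in fw and match_by_domain(fw, src, dst):
        return True
    if "routes" in fw and match_by_routing(fw, src, dst):
        return True
    return False


def find_target_firewalls(firewalls, src, dst):
    """Names of the pre-configured firewalls that are targets for src -> dst."""
    return [fw["name"] for fw in firewalls if is_target_firewall(fw, src, dst)]


# Constructed inventory: one firewall described by domain ranges, one by its
# routing table plus an interface-to-domain mapping, one with an exclusive domain.
FIREWALLS = [
    {"name": "fw-dmz",
     "domains": {"trust": ["10.1.0.0/16"], "dmz": ["192.0.2.0/24"]}},
    {"name": "fw-core",
     "routes": [("0.0.0.0/0", "eth0"), ("10.1.0.0/16", "eth1"), ("10.2.0.0/16", "eth2")],
     "iface_domain": {"eth0": "untrust", "eth1": "trust", "eth2": "trust"}},
    {"name": "fw-pci",
     "domains": {"pci": ["10.9.0.0/24"], "trust": ["10.1.0.0/16"]},
     "exclusive": ["10.9.0.0/24"]},
]

if __name__ == "__main__":
    print(find_target_firewalls(FIREWALLS, "10.1.5.5", "192.0.2.10"))
```

Note the negative cases the checks are designed for: traffic between two addresses in the same domain (or leaving by the same interface, or by two interfaces that map to the same domain) does not cross the firewall, so no instruction should be issued to it even though both addresses are "known" to that firewall.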
Optionally, before issuing the ACL configuration instruction to the target firewall, the firewall ACL configuration management method further comprises: obtaining first ACL configuration information from the target firewall, and determining, according to the first ACL configuration information, whether to issue the ACL configuration instruction.
Optionally, after issuing the ACL configuration instruction to the target firewall, the firewall ACL configuration management method further comprises:
obtaining second ACL configuration information from the target firewall; and
determining, according to the second ACL configuration information and the operation type of the ACL standard configuration object, whether the ACL configuration instruction was issued successfully.
Optionally, the operation type of the ACL standard configuration object is one of: add operation, modify operation, and delete operation.
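The second aspect and its last optional steps form one procedure: build the work-order standard object and its feature code, reuse the synonymous library object if one exists, render the instruction in the target firewall's syntax, check the firewall's current configuration before issuing, and verify the re-read configuration afterwards according to the operation type. The following Python is an added example of that procedure end to end; it is not the patent's or the assignee's code. The two toy firewall syntaxes, the `simulated_device` stand-in for a real firewall, the feature-code rule (SHA-256 over canonical JSON without the rule name), the `wo-<code prefix>` naming of new rules and the reading of the work order's service information as `proto/port` are all assumptions made for this example.

```python
import hashlib
import json


def feature_code(obj):
    """Feature code: SHA-256 over the canonical JSON of the object without its
    device-local name, so a work-order object (which has no name) matches the
    library object collected from a firewall (constructed choice of hash)."""
    semantic = {k: v for k, v in obj.items() if k != "name"}
    blob = json.dumps(semantic, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()


def work_order_object(order):
    """Build the work-order ACL standard object from the work order's address
    information and service information (assumed format 'proto/port')."""
    proto, port = order["service"].split("/")
    return {"info_type": "acl_rule", "action": "permit", "proto": proto.lower(),
            "src": order["src"], "dst": order["dst"], "port": port}


def resolve_target_object(order, library):
    """Look the work-order object up by feature code; reuse the synonymous
    stored object if present, otherwise use the work-order object itself."""
    obj = work_order_object(order)
    fc = feature_code(obj)
    if fc in library:
        return dict(library[fc]), True
    obj["name"] = "wo-" + fc[:8]          # assumed naming scheme for new rules
    return obj, False


def render(vendor, command, o):
    """Convert the standard object into an instruction in the target firewall's
    (toy, constructed) syntax for the given operation type."""
    if vendor == "alpha":
        add = f"rule {o['name']} {o['action']} {o['proto']} {o['src']} {o['dst']} {o['port']}"
        delete = f"no rule {o['name']}"
    elif vendor == "beta":
        act = "allow" if o["action"] == "permit" else "drop"
        add = f"acl {o['name']} from {o['src']} to {o['dst']} {o['proto']}/{o['port']} action={act}"
        delete = f"no acl {o['name']}"
    else:
        raise ValueError(f"unknown vendor {vendor}")
    return {"add": add, "modify": add, "delete": delete}[command]


def should_issue(vendor, command, obj, config_before):
    """Pre-issue check on the first ACL configuration read-back: do not add a
    rule that already exists, nor modify or delete one that does not."""
    present = render(vendor, "add", obj) in config_before
    return not present if command == "add" else present


def verify_issued(vendor, command, obj, config_after):
    """Post-issue check on the second read-back, decided by operation type."""
    present = render(vendor, "add", obj) in config_after
    return not present if command == "delete" else present


def simulated_device(config_lines, instruction):
    """Constructed stand-in for a firewall applying one instruction: 'no <kw>
    <name>' removes that rule, otherwise the rule named in the instruction
    is replaced (or appended)."""
    if instruction.startswith("no "):
        target = instruction[3:]
        return [ln for ln in config_lines if not ln.startswith(target + " ")]
    keyword, name = instruction.split()[:2]
    kept = [ln for ln in config_lines if not ln.startswith(f"{keyword} {name} ")]
    return kept + [instruction]


def process_work_order(order, vendor, library, config_before):
    """Full flow for one work order against one target firewall."""
    obj, reused = resolve_target_object(order, library)
    cmd = order["command"]
    if not should_issue(vendor, cmd, obj, config_before):
        return {"issued": False, "reused": reused, "object": obj,
                "verified": None, "config": config_before}
    instruction = render(vendor, cmd, obj)
    config_after = simulated_device(config_before, instruction)
    return {"issued": True, "reused": reused, "object": obj, "instruction": instruction,
            "verified": verify_issued(vendor, cmd, obj, config_after), "config": config_after}


# Constructed library entry (as collected from an "alpha" firewall) and work orders.
STORED_RULE = {"info_type": "acl_rule", "name": "r1", "action": "permit",
               "proto": "tcp", "src": "10.1.0.0/24", "dst": "192.0.2.10", "port": "443"}
LIBRARY = {feature_code(STORED_RULE): STORED_RULE}
ORDER_ADD = {"src": "10.1.0.0/24", "dst": "192.0.2.10", "service": "tcp/443", "command": "add"}
ORDER_DELETE = dict(ORDER_ADD, command="delete")
ORDER_NEW = {"src": "10.1.0.5", "dst": "192.0.2.53", "service": "udp/53", "command": "add"}

if __name__ == "__main__":
    result = process_work_order(ORDER_ADD, "alpha", LIBRARY, ["address WEB 10.1.0.0/24"])
    print(result["instruction"], "verified:", result["verified"])
```

The pre-issue check is what keeps a repeated work order from duplicating a rule, and the post-issue check is deliberately asymmetric: an add or modify succeeds only if the rendered rule is present in the second read-back, a delete only if it is absent.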
In a third aspect, a firewall ACL management device is provided, comprising:
a collection module, for collecting at least one piece of firewall access control list (ACL) configuration information from the managed target firewalls;
a determination module, for determining the information type of each piece of firewall ACL configuration information, the information type being one of: domain, address class, service class, time-validity class, ACL rule, or ACL rule group;
a processing module, for generating, according to the information type, the ACL standard configuration object corresponding to each piece of firewall ACL configuration information and the ACL standard configuration object feature code of that object; and
a storage processing module, for saving the ACL standard configuration objects to a preset firewall ACL standard configuration object library.
Optionally, the collection module is specifically configured to collect the firewall access control list (ACL) configuration information of the managed target firewalls once every predetermined period, and the storage processing module is specifically configured to:
compare the ACL standard configuration objects with the ACL standard configuration objects already stored in the firewall ACL standard configuration object library, and determine the ACL standard configuration objects to be updated, namely those that differ from the stored objects; and
save the ACL standard configuration objects to be updated, together with their ACL standard configuration object feature codes, to the firewall ACL standard configuration object library.
It will be appreciated that the firewall ACL management device provided above is for executing the method of the first aspect presented above; the beneficial effects it can achieve therefore correspond to those of the method of the first aspect and of the corresponding schemes in the detailed embodiments below, and are not repeated here.
In a fourth aspect, a firewall ACL configuration management device is provided, comprising:
a receiving module, for receiving a network work order carrying work order information, the work order information comprising address information, command information and service information;
a target determination module, for determining the target firewall according to the address information, the address information comprising a source IP address and a destination IP address;
a first generation module, for generating, according to the work order information, at least one work order ACL standard configuration object corresponding to the target firewall and the work order ACL standard configuration object feature code of each work order ACL standard configuration object;
a judgment module, for judging whether a synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code exists in a preset firewall ACL standard configuration information library; wherein the preset firewall ACL standard configuration information library comprises at least one ACL standard configuration object, each generated from the firewall ACL standard configuration information of any of the managed target firewalls according to the information type of that information, the information type being one of: domain, address class, service class, time-validity class, ACL rule, or ACL rule group;
a processing module, for obtaining, if the judgment result is yes, the synonymous ACL standard configuration object corresponding to the synonymous feature code from the preset firewall ACL standard configuration information library as the target ACL standard configuration object, and, if the judgment result is no, taking the work order ACL standard configuration object as the target ACL standard configuration object;
a second generation module, for generating the ACL configuration instruction corresponding to the target firewall according to the command information and the target ACL standard configuration object; and
an issuing module, for issuing the ACL configuration instruction to the target firewall, so that the target firewall executes the ACL configuration instruction.
Optionally, the target determination module is specifically configured to:
obtain the configuration information of a firewall to be detected among the pre-configured firewalls, wherein the pre-configured firewalls comprise at least one firewall and the firewall to be detected is any one of them;
determine whether the address information matches the configuration information of the firewall to be detected; and
if the address information matches the configuration information of the firewall to be detected, determine that the firewall to be detected is the target firewall.
Optionally, the configuration information comprises domain range information, and the target determination module is specifically configured to:
determine, according to the domain range information of the firewall to be detected, the first source IP address matching domain that matches the source IP address and the first destination IP address matching domain that matches the destination IP address, wherein the domain range information comprises the domains of the firewall to be detected and the address information within the range of each domain;
judge whether the first source IP address matching domain and the first destination IP address matching domain are identical; and
if they are not identical, determine that the address information matches the configuration information of the firewall to be detected.
Optionally, the configuration information comprises routing table information, and the target determination module is specifically configured to:
determine, according to the routing table information of the firewall to be detected, the first interface corresponding to the source IP address and the second interface corresponding to the destination IP address, wherein the routing table information comprises the firewall routing address information of the firewall to be detected and the interface corresponding to each routing address;
judge whether the first interface and the second interface are identical;
if they are not identical, determine, according to a preset correspondence between domains and interfaces, the second source IP address matching domain corresponding to the first interface and the second destination IP address matching domain corresponding to the second interface;
judge whether the second source IP address matching domain and the second destination IP address matching domain are identical; and
if they are not identical, determine that the address information matches the configuration information of the firewall to be detected.
Optionally, the configuration information further comprises exclusive domain information, and the firewall ACL configuration management device further comprises an exclusive domain information determination module, for determining whether the address information matches the exclusive domain information and, if it does, determining that the address information matches the configuration information of the firewall to be detected.
Optionally, the firewall ACL configuration management device further comprises an issue determination module, for obtaining first ACL configuration information from the target firewall and determining, according to the first ACL configuration information, whether to issue the ACL configuration instruction.
Optionally, the firewall ACL configuration management device further comprises a verification module, for obtaining second ACL configuration information from the target firewall and determining, according to the second ACL configuration information and the operation type of the ACL standard configuration object, whether the ACL configuration instruction was issued successfully.
Optionally, the operation type of the ACL standard configuration object is one of: add operation, modify operation, and delete operation.
It will be appreciated that the firewall ACL configuration management device provided above is for executing the method of the second aspect presented above; the beneficial effects it can achieve therefore correspond to those of the method of the second aspect and of the corresponding schemes in the detailed embodiments below, and are not repeated here.
Description of the drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; they are intended to illustrate a preferred embodiment and are not to be construed as limiting the invention.
Fig. 1 is a flow diagram of a firewall ACL management method provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of another firewall ACL management method provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of a firewall ACL configuration management method provided by an embodiment of the present invention;
Fig. 4 is a flow diagram of another firewall ACL configuration management method provided by an embodiment of the present invention;
Fig. 5 is a flow diagram of another firewall ACL configuration management method provided by an embodiment of the present invention;
Fig. 6 is a flow diagram of another firewall ACL configuration management method provided by an embodiment of the present invention;
Fig. 7 is a structural block diagram of a firewall ACL management device provided by an embodiment of the present invention;
Fig. 8 is a structural block diagram of another firewall ACL management device provided by an embodiment of the present invention;
Fig. 9 is a structural block diagram of a firewall ACL configuration management device provided by an embodiment of the present invention;
Fig. 10 is a structural block diagram of another firewall ACL configuration management device provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described below clearly and completely with reference to the drawings in those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application; all other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present application. The terms "first", "second" and the like do not indicate any order and may be construed as names of the objects described. In the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation; any embodiment or design described as "exemplary" or "for example" is not to be construed as preferable to, or more advantageous than, other embodiments or designs. Rather, these words are intended to present the related concept in a concrete manner. In addition, in the description of the embodiments of the present application, unless otherwise noted, "plurality" means two or more.
Before introducing the embodiments of the present invention, the way firewall ACLs are currently generated and managed is briefly introduced. At present, to protect the resource information on the enterprise intranet, an enterprise deploys multiple firewalls to isolate different trusted areas (that is, the regions of the enterprise's private network that are each isolated by a firewall), and controls access by external devices to the resources of a trusted area by managing the firewall ACL (Access Control List), thereby protecting the resource information within each trusted area and on the intranet as a whole. In practice, for policy optimization purposes, enterprises generally use firewalls of different models to manage access to the trusted areas. Because the firewall ACL syntax differs between models, an administrator managing the firewalls usually has to confirm the ACL syntax of each firewall manually: first the administrator confirms the model of the firewall; then the administrator confirms the firewall ACL syntax corresponding to that model; finally the administrator manages the firewall manually according to that syntax. In this process the administrator not only has to confirm firewall models and ACL syntaxes repeatedly, but must also be familiar with every firewall model and the ACL syntax corresponding to each in order to manage it. When many models are in use, the administrator has to confirm and switch between multiple firewall models and ACL syntaxes, which makes manual firewall management excessively cumbersome and complex, with a high misoperation rate and low management efficiency.
To solve the above problems, the embodiments of the present invention provide a firewall ACL management method that effectively reduces the complexity and tedious steps of manual firewall management, reduces the rate of operator error and improves management efficiency.
Fig. 1 shows a firewall ACL management method provided by one embodiment of the invention. As shown in Fig. 1, the method includes the following steps:
Step S110: acquire at least one firewall ACL configuration information item of the target management firewall.
Specifically, the target management firewalls are the one or more firewalls that the user selects for management according to actual needs. The target management firewalls can be determined in many ways; for example, all firewalls in one or more networks selected by the user (such as the intranet, i.e. the enterprise's private network) can be taken as the target management firewalls by default; alternatively, one or more firewalls chosen by the user from among all firewalls of one or more networks can be taken as the target management firewalls. In a specific implementation, the target management firewall can first be connected automatically through a preset interface, and at least one firewall ACL configuration information item (that is, firewall access control list configuration information) is acquired from it. The preset interface can take many forms, such as an API; the embodiments of the present invention do not limit the form of the preset interface.
Specifically, the firewall ACL configuration information can be acquired in many ways. For example, it can be collected automatically according to an acquisition instruction received from the user; alternatively, it can be collected automatically from the target management firewall every predetermined period; or it can be monitored automatically whether the version of the target management firewall's ACL configuration information has been updated, and if so the firewall ACL configuration information is collected automatically, otherwise it is not collected; and so on. In a specific implementation, the predetermined period can be configured by those skilled in the art according to the actual situation, and the present invention does not limit it. The acquisition mode of the ACL configuration information can likewise be configured by those skilled in the art according to the actual situation, and the present invention does not limit it.
Specifically, during the acquisition of firewall ACL configuration information, the acquisition method can also take several forms. For example, a configuration acquisition request corresponding to the model of the target management firewall can be sent to it; the running configuration information returned by the target management firewall is then obtained, and the firewall ACL configuration information of the target management firewall is extracted from that configuration information according to the ACL configuration information marker corresponding to its firewall model. The ACL configuration information marker can be any information that uniquely identifies ACL configuration information within the configuration. Alternatively, a backup instruction can be sent to the target management firewall so that it backs up its running configuration information to a TFTP (Trivial File Transfer Protocol) server or an FTP (File Transfer Protocol) server; since the backup of the running configuration of the target management firewall is then held on the TFTP or FTP server, the running configuration information can be obtained from that server, and the firewall ACL configuration information of the target management firewall is extracted from it according to the ACL configuration information marker for the firewall model; and so on. It is understood that the listed acquisition methods are only exemplary; in a specific implementation, the acquisition methods for ACL configuration information include but are not limited to those listed. The firewall model may include information such as the brand of the firewall and the brand's type number, which can indicate the commercial attributes of the firewall.
Step S120: determine the information type of the firewall ACL configuration information.
Specifically, the information type may be: domain, address class, service class, time class, ACL rule or ACL rule group. ACL configuration information of the domain type can include interface information such as a source interface or destination interface; ACL configuration information of the address class can include address-related information such as an IP address or an address group (containing multiple IP addresses). ACL configuration information of the service class may include service-related information such as a network protocol (for example TCP, Transmission Control Protocol) and a service destination port (for example TCP port 22). ACL configuration information of the time class may include time-related information of the ACL, such as the effective time of an ACL configuration item and the repetition period of an ACL configuration item. ACL configuration information of the ACL rule type is the implementation policy formulated for information of the types above (domain, address class, service class, time class); an ACL rule can reference a source domain (or source interface), destination domain (or destination interface), source address (or source address group), destination address (or destination address group), destination service (or destination service group), time information and an action (that is, the reference relationships between information of the different types). In a specific implementation, an ACL rule can cover an access request for a complete network five-tuple (source IP address, source port, destination IP address, destination port and transport layer protocol). An ACL rule group contains multiple ACL rules; in practice, an ACL rule belongs to the ACL rule group that contains it.
The information type of firewall ACL configuration information can be determined in many ways; for example, it can be determined according to identification information contained in the firewall ACL configuration information (such as keywords or other information from which the information type of the firewall ACL configuration information can be identified). The identification information used to identify the information type differs between the firewall ACL configuration information of different firewall models, and it can be configured by those skilled in the art according to the actual situation; the present invention does not limit it.
Step S130: according to the information type, generate the ACL standard configuration object corresponding to each firewall ACL configuration information item, and the ACL standard configuration object feature code of that ACL standard configuration object.
Specifically, the content of each firewall ACL configuration information item is extracted and filled into the preset ACL standard configuration object corresponding to the information type of that item, generating the ACL standard configuration object for that information type. In a specific implementation, the types of preset ACL standard configuration object include: preset domain object, preset address object, preset service object, preset time object, preset ACL rule object and preset ACL rule group object. The preset ACL standard configuration object corresponding to the domain type is the preset domain object, so filling firewall ACL configuration information of the domain type into the preset domain object generates a domain object; the preset ACL standard configuration object corresponding to the address class is the preset address object, so filling firewall ACL configuration information of the address class into the preset address object generates an address object; the preset ACL standard configuration object corresponding to the service class is the preset service object, so filling firewall ACL configuration information of the service class into the preset service object generates a service object; the preset ACL standard configuration object corresponding to the time class is the preset time object, so filling firewall ACL configuration information of the time class into the preset time object generates a time object; the preset ACL standard configuration object corresponding to an ACL rule is the preset ACL rule object, so filling firewall ACL configuration information of the ACL rule type into the preset ACL rule object generates an ACL rule object; and the preset ACL standard configuration object corresponding to an ACL rule group is the preset ACL rule group object, so filling firewall ACL configuration information of the ACL rule group type into the preset ACL rule group object generates an ACL rule group object. The preset ACL standard configuration objects are defined using a unified format and a standard ACL syntax. When the firewall ACL configuration information comes from firewalls of different models, this step converts the firewall ACL configuration information defined in the differing ACL syntaxes of the different firewall models into ACL standard configuration objects defined in a unified format and a unified standard ACL syntax, thereby eliminating the differences in format and ACL syntax definition between the firewall ACL configuration information of different firewall models, so that the firewall ACL configuration information of different firewall models can be managed uniformly.
The ACL standard configuration object feature code is generated from the content of the ACL standard configuration object and may be any information that can uniquely identify that content. That is, when the content of two ACL standard configuration objects is identical, the feature codes generated are identical; when the content of two ACL standard configuration objects differs, the feature codes generated differ. In a specific implementation, the feature code can be generated in many ways, for example with the MD5 (Message Digest Algorithm 5) digest algorithm, a hash algorithm, etc., as long as a feature code that represents only the content of the ACL standard configuration object is generated.
For example, suppose there are address object 1, whose content is 135.191.35.53, and address object 2, whose content is 10.251.33.107, and the ACL standard configuration object feature codes are derived from the ACL standard configuration objects with the MD5 digest algorithm. The feature code of address object 1 is then 9de2e8f49aaeb914 and that of address object 2 is 8d82f1f63cf6c1a2; since the content of address object 1 and address object 2 differs, their feature codes also differ. Suppose further that address group GA consists of four IP address objects, 135.191.35.53, 135.191.20.21, 135.191.20.20 and 135.191.20.19 (the address objects are assumed to be ordered here for convenience of description; in reality a firewall device does not distinguish the order of the address objects in an address group). Generating the feature code of GA with the MD5 digest algorithm gives 4e550ab33885a6cf. If the address objects in GA are rearranged to obtain address group GA', generating the feature code of GA' with the MD5 digest algorithm still gives 4e550ab33885a6cf. That is, as long as the content of an ACL standard configuration object is the same, the corresponding ACL standard configuration object feature code is the same.
Step S140: save the ACL standard configuration object to the preset firewall ACL standard configuration object library.
Specifically, the ACL standard configuration objects generated in step S130 are saved to form the preset firewall ACL standard configuration information library, so that firewall ACLs can be managed uniformly on the basis of the uniformly formatted ACL standard configuration objects saved in the preset firewall ACL standard configuration information library.
Optionally, since the firewall ACL configuration information of a target management firewall may be updated at any time as conditions change, step S110 may preferably acquire the firewall ACL configuration information of the target management firewall every predetermined period, so that the ACL standard configuration objects in the preset firewall ACL standard configuration information library can be updated in time according to the currently acquired firewall ACL configuration information and the timeliness of the information in the library is effectively ensured. In that case, as shown in Fig. 2, step S140 can be implemented as follows:
Step S210: compare the ACL standard configuration objects with the ACL standard configuration objects already stored in the firewall ACL standard configuration object library, and determine the ACL standard configuration objects to be updated, i.e. those that differ from the stored ACL standard configuration objects.
In practice, a firewall usually has tens of thousands of ACL configuration information items, so the number of corresponding ACL standard configuration objects generated in step S130 is enormous. To improve the efficiency of updating the ACL standard configuration objects in the preset firewall ACL standard configuration information library, this step compares the ACL standard configuration objects generated in S130 with the ACL standard configuration objects already stored in the firewall ACL standard configuration object library, and determines, among the generated ACL standard configuration objects, the objects to be updated, i.e. those that differ from the stored ACL standard configuration objects.
The comparison method used to compare the ACL standard configuration objects with the ACL standard configuration objects stored in the firewall ACL standard configuration object library can be configured by those skilled in the art according to the actual situation, for example comparison by means of snapshots; the present invention does not limit it.
Step S220: save the ACL standard configuration objects to be updated and the feature codes of the ACL standard configuration objects to be updated to the preset firewall ACL standard configuration object library.
In this step, no repeated save operation is performed for ACL standard configuration objects that are identical to ACL standard configuration objects already stored; only the ACL standard configuration objects to be updated, which differ from the stored ACL standard configuration objects, are saved to the preset firewall ACL standard configuration object library. This greatly reduces the number of ACL standard configuration objects on which a save operation must be performed and effectively improves the efficiency of updating the ACL standard configuration objects in the preset firewall ACL standard configuration information library.
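The following is an added example, not code from the patent, of steps S120 to S220: it recognises the information type by a keyword marker, fills a unified standard object, derives a content-only feature code (order-insensitive for address groups, as in the GA/GA' example) and saves only changed objects to the library. The configuration lines, keywords, class names and field names are constructed assumptions; SHA-256 is used in place of the MD5 digest named in the text.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed, vendor-neutral lines standing in for extracted firewall ACL
# configuration information.  The first token is the marker that identifies
# the information type (step S120).
SAMPLE_CONFIG = """\
address host-a 135.191.35.53
address host-b 10.251.33.107
address-group GA 135.191.35.53 135.191.20.21 135.191.20.20 135.191.20.19
service ssh tcp 22
rule r1 from dmz to untrust src GA dst host-b svc ssh action permit
"""

# The same constructed configuration with the members of GA rearranged (GA' in
# the text).  The firewall does not distinguish member order, so the standard
# object and its feature code must not either.
SAMPLE_CONFIG_REORDERED = SAMPLE_CONFIG.replace(
    "135.191.35.53 135.191.20.21 135.191.20.20 135.191.20.19",
    "135.191.20.19 135.191.20.20 135.191.35.53 135.191.20.21")

# Assumed keyword -> information type mapping for this sample syntax.
TYPE_BY_KEYWORD = {"address": "address", "address-group": "address",
                   "service": "service", "rule": "acl_rule"}


@dataclass(frozen=True)
class StdObject:
    """ACL standard configuration object: one unified format for every vendor."""
    info_type: str
    name: str
    content: str  # canonical JSON of the object's content

    @property
    def key(self) -> str:
        return f"{self.info_type}:{self.name}"

    def feature_code(self) -> str:
        """Content-only digest: equal content gives an equal code (step S130).
        The patent's example uses MD5; SHA-256 is used here instead."""
        return hashlib.sha256(self.content.encode()).hexdigest()


def canonical(content: dict) -> str:
    """Deterministic serialisation so the digest depends on content only."""
    return json.dumps(content, sort_keys=True, separators=(",", ":"))


def parse_standard_objects(config_text: str) -> List[StdObject]:
    """Steps S120/S130: classify each line and fill the preset standard object."""
    objects = []
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in TYPE_BY_KEYWORD:
            continue
        keyword, name, rest = tokens[0], tokens[1], tokens[2:]
        if keyword == "address":
            content = {"ip": rest[0]}
        elif keyword == "address-group":
            content = {"members": sorted(rest)}  # order-insensitive membership
        elif keyword == "service":
            content = {"protocol": rest[0], "dst_port": int(rest[1])}
        else:  # rule: "from X to Y src A dst B svc S action P" -> field pairs
            content = dict(zip(rest[0::2], rest[1::2]))
        objects.append(StdObject(TYPE_BY_KEYWORD[keyword], name, canonical(content)))
    return objects


def update_library(library: Dict[str, Tuple[str, str]],
                   objects: List[StdObject]) -> List[str]:
    """Steps S210/S220: compare feature codes against the stored library and
    save only objects whose content changed.  Returns the keys (re)saved."""
    saved = []
    for obj in objects:
        code = obj.feature_code()
        stored = library.get(obj.key)
        if stored is not None and stored[0] == code:
            continue  # identical content already stored: skip the save
        library[obj.key] = (code, obj.content)
        saved.append(obj.key)
    return saved
```

A second acquisition that only reorders GA's members saves nothing, while a changed service port saves exactly that one object.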
The embodiments of the present invention also provide a firewall ACL configuration management method. As shown in Fig. 3, the method includes the following steps:
Step S301: receive a network work order carrying work order information.
The work order information includes address information, command information and service information. The address information may include a source IP address and a destination IP address. The command information may include any processing instruction for data, such as an add instruction that performs an add operation on data, a modify instruction that performs a modify operation on data, or a delete instruction that performs a delete operation on data. The service information can include an interface and a network protocol. In a specific implementation, a connection to the external system can first be established through a preset external system interface, and the network work order sent by the external system is received over it. The preset external system interface can be configured by those skilled in the art according to the actual situation, for example an API (Application Program Interface); the present invention does not limit it. The external system is a system selected or specified by the user according to actual needs. Before connecting to the external system through the preset external system interface, the login information entered by the user (such as a login name and login password) can be obtained and used to log in; when the login succeeds, the external system is connected automatically.
Step S302: determine the target firewall according to the address information.
Specifically, according to the source IP address and destination IP address in the address information, the firewalls located on the path from the source IP address to the destination IP address are determined as target firewalls. In a specific implementation, the number of target firewalls may be one or more. The determination of the target firewall can rely on the preconfigured configuration information of the pre-configured firewalls. The pre-configured firewalls include at least one firewall and can be configured by those skilled in the art according to the actual situation.
In a specific implementation, this step can be carried out as shown in Fig. 4, comprising:
Step S401: obtain the configuration information of the firewall to be detected among the pre-configured firewalls; the firewall to be detected is any firewall among the pre-configured firewalls.
The firewall to be detected is any firewall among the pre-configured firewalls, and its configuration information may include domain range information or routing table information. The domain range information of a firewall may include the domains of the firewall and the address information within the range of each domain; in this step, the domain range information of the firewall to be detected may include its domains and the address information within the range of each of its domains. The routing table information of a firewall may include its firewall routing address information and the interface corresponding to each firewall routing address; in this step, the routing table information of the firewall to be detected may include its firewall routing address information and the interface corresponding to each of its firewall routing addresses.
Step S402: judge whether the address information matches the configuration information of the firewall to be detected; if the result is yes, perform step S403; otherwise end the process.
Specifically, depending on the configuration information obtained in step S401, this step can be implemented with either of the following two schemes:
Scheme one:
As shown in Fig. 5, the scheme includes:
Step S501: according to the domain range information of the firewall to be detected, determine the first source IP address matching domain, which matches the source IP address, and the first destination IP address matching domain, which matches the destination IP address.
Specifically, the address information within the range of each domain of the firewall to be detected is traversed. If address information identical to the source IP address exists within a domain's range, i.e. the address information within the domain range includes the source IP address, the domain that includes the source IP address is taken as the first source IP address matching domain; similarly, if address information identical to the destination IP address exists within a domain's range, i.e. the address information within the domain range includes the destination IP address, the domain that includes the destination IP address is taken as the first destination IP address matching domain.
For example, suppose the domains of the firewall to be detected are domain 1, domain 2, domain 3, domain 4 and domain 5; the address information within the range of domain 2 includes address A, address B and address C, and the address information within the range of domain 3 includes address E, address F and address H; the source IP address is address A and the destination IP address is address F. Since the address information within the range of domain 2 includes the source IP address, domain 2 is the first source IP address matching domain; since the address information within the range of domain 3 includes the destination IP address, domain 3 is the first destination IP address matching domain.
In a specific implementation, when the address information within the domain ranges of the firewall to be detected includes both the source IP address and the destination IP address, a first source IP address matching domain and a first destination IP address matching domain exist among the domains of the firewall to be detected; when the address information within the domain ranges of the firewall to be detected does not include the source IP address or the destination IP address, no first source IP address matching domain and first destination IP address matching domain exist among the domains of the firewall to be detected.
Step S502: judge whether the first source IP address matching domain of the firewall to be detected and the first destination IP address matching domain of the firewall to be detected are identical.
Specifically, if the result is yes, the process ends; if the result is no, the address information is determined to match the configuration information of the firewall to be detected, and step S403 is performed. Alternatively and optionally, in order to determine the target firewall more accurately and avoid a wrong determination (i.e. a currently determined target firewall that should not be a target firewall), consider the following case: the first source IP address matching domain is a DMZ (demilitarized zone) domain, the first destination IP address matching domain is an untrust domain, and traffic from the DMZ domain to the untrust domain must pass through the external-network firewall. Two firewalls to be detected then have domains matching the first source IP address matching domain and the first destination IP address matching domain, one being the firewall of the intranet (internal network) and the other the firewall of the external network (non-internal network), yet the intranet firewall should not be a target firewall. For such situations, exclusive domain information of the pre-configured firewalls can be configured in advance, and when the result of this step is no, it can further be determined whether the address information matches the exclusive domain information. The exclusive domain information may include the domains of the firewall to be detected and the exclusive domain corresponding to each domain of the firewall to be detected; it is configured by those skilled in the art according to the actual situation, and the present invention does not limit it. Determining whether the address information matches the exclusive domain information may specifically be: look up the first source IP address matching domain among the domains of the firewall to be detected, determine the exclusive domain corresponding to the first source IP address matching domain from the exclusive domain corresponding to each domain of the firewall to be detected, and check whether that exclusive domain contains the first destination IP address matching domain. If not, the address information matches the exclusive domain information, the address information is determined to match the configuration information of the firewall to be detected, and step S403 is performed; if so, the address information does not match the exclusive domain information, the address information is determined not to match the configuration information of the firewall to be detected, and the process ends.
In this scheme, the pre-configured firewalls can be taken in turn as the firewall to be detected by traversal, executing steps S501 to S502 on only one firewall to be detected at a time; alternatively, multiple pre-configured firewalls can be taken as firewalls to be detected at the same time and steps S501 to S502 executed on them in parallel, effectively improving the execution efficiency of the determination process.
Scheme two:
As shown in Fig. 6, the scheme includes:
Step S601: according to the routing table information of the firewall to be detected, determine the first interface corresponding to the source IP address and the second interface corresponding to the destination IP address.
The routing table information of the firewall to be detected includes its firewall routing address information and the interface corresponding to each firewall routing address. Specifically, in this step the firewall routing address information of the firewall to be detected can be traversed to determine whether it includes the source IP address and the destination IP address. If it does, the firewall routing address information corresponding to the source IP address (i.e. the firewall routing address information of the firewall to be detected that is identical to the source IP address) is determined, and the interface corresponding to that firewall routing address information is taken as the first interface matching the source IP address; and the firewall routing address information corresponding to the destination IP address (i.e. the firewall routing address information of the firewall to be detected that is identical to the destination IP address) is determined, and the interface corresponding to that firewall routing address information is taken as the second interface matching the destination IP address.
If the firewall routing address information of the firewall to be detected does not include the source IP address or the destination IP address, further processing of that firewall to be detected is cancelled.
Step S602: judge whether the first interface is identical to the second interface; if the result is no, perform step S603; if the result is yes, end the process.
Step S603: according to the correspondence between domains and interfaces, determine the second source IP address matching domain corresponding to the first interface and the second destination IP address matching domain corresponding to the second interface.
In the correspondence between domains and interfaces, the interface corresponding to each domain is an interface that the domain contains. In a specific implementation, the correspondence between domains and interfaces can be configured by those skilled in the art according to the actual situation; in the correspondence, each domain corresponds to a source IP address interface and a destination IP address interface that the domain contains. In this step, according to the correspondence between domains and interfaces, the source IP address interface identical to the first interface is determined and the domain corresponding to that source IP address interface is taken as the second source IP address matching domain; the destination IP address interface identical to the second interface is determined and the domain corresponding to that destination IP address interface is taken as the second destination IP address matching domain.
Step S604: judge whether the second source IP address matching domain and the second destination IP address matching domain are identical.
Specifically, if the result is yes, the process ends; if the result is no, the address information is determined to match the configuration information of the firewall to be detected, and step S403 is performed. Alternatively and optionally, to avoid a wrong determination of the target firewall, exclusive domain information of the pre-configured firewalls can be configured in advance, and when the result of this step is no, it can further be determined whether the address information matches the exclusive domain information; the exclusive domain information is as described in step S502 and is not repeated here. In this scheme, determining whether the address information matches the exclusive domain information may specifically be: look up the second source IP address matching domain among the domains of the firewall to be detected, determine the exclusive domain corresponding to the second source IP address matching domain from the exclusive domain corresponding to each domain of the firewall to be detected, and check whether that exclusive domain contains the second destination IP address matching domain. If not, the address information matches the exclusive domain information, the address information is determined to match the configuration information of the firewall to be detected, and step S403 is performed; if so, the address information does not match the exclusive domain information, the address information is determined not to match the configuration information of the firewall to be detected, and the process ends.
In specific implementation, in the present solution, the firewall in firewall can will be pre-configured successively by the way of traversal As firewall to be detected, step S601- step S604 only is executed to a firewall to be detected every time;Alternatively, can also adopt Use the mode of parallel processing that will be pre-configured multiple firewalls in firewall simultaneously as firewall to be detected, every time simultaneously to more A firewall to be detected executes step S601- step S604, to effectively improve with obtaining source IP address matching domain and destination IP The efficiency of location matching domain.
It is, of course, understood that the two schemes of above-mentioned introduction are only exemplary, in specific implementation, mesh is determined The mode of mark firewall may include but be not limited to above-mentioned cited mode.
Step S403: determine that the firewall to be detected is the target firewall.
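The routing-table variant of steps S601 to S604 above, together with the optional exclusive-domain check, as an added example that is not part of the patent's own text or any product: the routing table, interface names, domain names and exclusive-domain sets are constructed sample data, and the firewall traversal is the sequential (non-parallel) scheme.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class FirewallConfig:
    """Configuration collected from one pre-configured firewall (constructed for this example)."""
    name: str
    routes: dict            # routing table information: destination prefix -> egress interface
    iface_domain: dict      # domain/interface correspondence: interface -> domain
    exclusive: dict = field(default_factory=dict)   # source domain -> destination domains it must not reach


def lookup_interface(routes, ip):
    """Longest-prefix match of ip against the routing table; returns the interface or None."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def address_matches(fw, src_ip, dst_ip):
    """Steps S601-S604 for one firewall to be detected.

    Returns True when the source and destination IPs leave through different
    interfaces AND those interfaces belong to different domains, i.e. the
    traffic actually crosses this firewall, so it is a target firewall.
    """
    first_iface = lookup_interface(fw.routes, src_ip)      # S601: interface for the source IP
    second_iface = lookup_interface(fw.routes, dst_ip)     # S601: interface for the destination IP
    if first_iface is None or second_iface is None:
        return False                                       # no route: this firewall is not on the path
    if first_iface == second_iface:
        return False                                       # S602: same interface, traffic never crosses it
    src_domain = fw.iface_domain.get(first_iface)          # S603: interface -> domain
    dst_domain = fw.iface_domain.get(second_iface)
    if src_domain is None or dst_domain is None or src_domain == dst_domain:
        return False                                       # S604: same domain (or interface not mapped)
    # Optional exclusive-domain check: when the source domain's exclusive domains
    # contain the destination domain, the address information does not match.
    if dst_domain in fw.exclusive.get(src_domain, set()):
        return False
    return True


def find_target_firewalls(firewalls, src_ip, dst_ip):
    """Traverse the pre-configured firewalls one by one and return the names of all target firewalls."""
    return [fw.name for fw in firewalls if address_matches(fw, src_ip, dst_ip)]


# Constructed sample data; interface names, domains, prefixes and addresses are invented for the example.
SAMPLE_FIREWALLS = [
    FirewallConfig(
        name="fw-a",
        routes={"10.1.0.0/16": "ge0/0", "10.2.0.0/16": "ge0/1", "0.0.0.0/0": "ge0/2"},
        iface_domain={"ge0/0": "trust", "ge0/1": "dmz", "ge0/2": "untrust"},
        exclusive={"untrust": {"trust"}},      # untrust may never reach trust directly
    ),
    FirewallConfig(
        name="fw-b",
        routes={"10.1.0.0/16": "eth0", "10.1.5.0/24": "eth1"},
        iface_domain={"eth0": "core", "eth1": "core"},   # two interfaces, one domain
    ),
]


if __name__ == "__main__":
    print(find_target_firewalls(SAMPLE_FIREWALLS, "10.1.5.10", "10.2.0.7"))   # ['fw-a']
```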
Step S303: generate, according to the work order information, at least one work order ACL standard configuration object corresponding to the target firewall and the work order ACL standard configuration object feature code of each work order ACL standard configuration object.
Specifically, in this step, the information type of the work order information is determined, and the work order ACL standard configuration object and the work order ACL standard configuration object feature code of each work order ACL standard configuration object are generated according to that information type. The information type of the work order information may specifically include: domain, address class, service class, timeliness class, ACL rule or ACL rule group. The specific process of generating the work order ACL standard configuration object according to the information type of the work order information is the same as the process in step S130 of generating the ACL standard configuration object corresponding to each firewall ACL configuration information according to the information type of the firewall ACL configuration information; see the corresponding description in step S130, which is not repeated here. The process of generating the work order ACL standard configuration object feature code of the work order ACL standard configuration object is the same as the process in step S130 of generating the ACL standard configuration object feature code of the ACL standard configuration object; see the corresponding description in step S130, which is not repeated here.
In this step, the naming rule of the ACL configuration information on the target firewall can be obtained, and after the work order ACL standard configuration object is generated, it is named using that naming rule in a predetermined manner. In a specific implementation, naming the work order ACL standard configuration object using the naming rule in the predetermined manner may specifically be as follows:
If the work order ACL standard configuration object is an address object, the naming of the work order ACL standard configuration object can follow the manner below:
Address objects are divided into single IP addresses and address ranges containing multiple IP addresses. If the address object is an IP address, the IP address is named $IP1.$IP2.$IP3.$IP4/$netmask-$n, where IP1, IP2, IP3 and IP4 are the dotted-decimal numbers that make up the IP, netmask is the IP mask, and $n is used to distinguish objects of the same name (that is, objects whose names are identical). For example, IP address 1 is named 10.172.16.83/32; if "10.172.16.83/32" already exists in the preset ACL standard configuration information bank, so that a naming conflict occurs, IP address 1 is named "10.172.16.83/32-1" instead.
An address range is named $IP1.$IP2.$IP3.$IP4-$rg-$n, where IP1, IP2, IP3 and IP4 are the dotted-decimal numbers that make up the IP and rg is the last IP of the IP range.
If the work order ACL standard configuration object is a service object, the naming of the work order ACL standard configuration object can follow the manner below: $protocol$port-$port2-$n, where protocol is the network protocol, such as TCP, port is the start port and port2 is the end port. $n is used to distinguish service objects of the same name.
If the work order ACL standard configuration object is a timeliness object, the naming of the work order ACL standard configuration object can follow the manner below: $yyyymmdd-$n, where yyyymmdd is the closing date and $n is used to distinguish objects of the same name. A timeliness object can be used to define the start and end of the period during which the object is in effect.
If the work order ACL standard configuration object is an ACL rule object, the naming of the work order ACL standard configuration object can follow the manner below: a natural number that increases by a preset step is used as the ACL rule number. The preset step can be configured by those skilled in the art according to the actual situation, and the present invention does not limit it.
For the address objects, service objects and timeliness objects referenced in the ACL object, the naming rules are the same as the naming rules for the address object, service object and timeliness object described above.
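The naming rules above, including the -$n suffix for objects of the same name and the stepped ACL rule number, as an added example that is not part of the patent's own text: the NameRegistry class stands in for the preset ACL standard configuration information bank (only its set of used names is modelled), and the assumption that a single-port service repeats its port as port2 is the example's own.

```python
import ipaddress
from datetime import date


class NameRegistry:
    """Stands in for the preset ACL standard configuration information bank:
    it only remembers which object names are already in use."""

    def __init__(self, existing=()):
        self.used = set(existing)

    def reserve(self, base):
        """Return base if unused, else base-$n with the smallest free n (1, 2, ...), and record it."""
        name, n = base, 0
        while name in self.used:
            n += 1
            name = f"{base}-{n}"
        self.used.add(name)
        return name


def address_name(reg, ip, netmask=32):
    """$IP1.$IP2.$IP3.$IP4/$netmask-$n for a single IP address."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input early
    if not 0 <= netmask <= 32:
        raise ValueError("netmask must be 0..32")
    return reg.reserve(f"{addr}/{netmask}")


def range_name(reg, first_ip, last_ip):
    """$IP1.$IP2.$IP3.$IP4-$rg-$n for an address range; rg is the last IP of the range."""
    first, last = ipaddress.IPv4Address(first_ip), ipaddress.IPv4Address(last_ip)
    if last < first:
        raise ValueError("range end precedes range start")
    return reg.reserve(f"{first}-{last}")


def service_name(reg, protocol, port, port2=None):
    """$protocol$port-$port2-$n; assumption: a single-port service repeats the port as port2."""
    port2 = port if port2 is None else port2
    if not (0 <= port <= 65535 and port <= port2 <= 65535):
        raise ValueError("invalid port range")
    return reg.reserve(f"{protocol.lower()}{port}-{port2}")


def time_name(reg, end_date):
    """$yyyymmdd-$n, where yyyymmdd is the closing date of the timeliness object."""
    return reg.reserve(end_date.strftime("%Y%m%d"))


def next_rule_number(existing_numbers, step=10):
    """ACL rule number: the next natural number on the preset step grid above all existing numbers."""
    if step <= 0:
        raise ValueError("step must be positive")
    highest = max(existing_numbers, default=0)
    return (highest // step + 1) * step


if __name__ == "__main__":
    reg = NameRegistry({"10.172.16.83/32"})       # the bank already holds this name
    print(address_name(reg, "10.172.16.83"))      # 10.172.16.83/32-1
    print(service_name(reg, "TCP", 22))           # tcp22-22
    print(time_name(reg, date(2019, 12, 31)))     # 20191231
```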
Further, in this step, the network work order number of the network work order can also be obtained and used as the description information of the work order ACL standard configuration object, so that in the subsequent steps (corresponding to steps S304 to S308) the description information is issued to the target firewall together with the work order ACL standard configuration object. Administrative staff can then obtain the network work order number from the description information retrieved from the target firewall, which makes it easier to manage the ACL configuration instructions issued to the target firewall.
Step S304: judge whether a synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code exists in the preset firewall ACL standard configuration information bank; if the judgment result is yes, execute step S305; if the judgment result is no, execute step S306.
Specifically, the preset firewall ACL standard configuration information bank includes at least one ACL standard configuration object, and each ACL standard configuration object is generated from the firewall ACL configuration information of any firewall among the target management firewalls according to the information type of the firewall ACL configuration information; the information types include: domain, address class, service class, timeliness class, ACL rule or ACL rule group. The target management firewalls are the one or more firewalls that the user selects according to actual needs and that the user needs to manage. The target management firewalls can be determined in many ways: for example, by default all firewalls in one or more networks selected by the user (such as an intranet, i.e. an enterprise private network) can be taken as the target management firewalls; or one or more firewalls selected by the user from all firewalls of one or more networks can be taken as the target management firewalls. In a specific implementation, the target management firewalls can first be connected automatically through a preset interface, and at least one firewall ACL configuration information is collected in advance from the target management firewalls. The preset interface can take many forms, such as an API interface; the embodiment of the present invention does not limit the form of the preset interface.
The ACL configuration information whose information type is domain may specifically include interface information, such as source interfaces and destination interfaces; the ACL configuration information whose information type is address class may specifically include address-related ACL configuration information, such as IP addresses and address groups (each containing multiple IP addresses). The ACL configuration information whose information type is service class may include service-related ACL configuration information such as the network protocol (for example TCP, Transmission Control Protocol) and the service destination port (for example TCP port 22). The ACL configuration information whose information type is timeliness class may include ACL-related timeliness information, such as the effective time of the ACL configuration information and the time repetition period of the ACL configuration information. The ACL configuration information whose information type is ACL rule is specifically the enforcement policy formulated for the information of the above information types (domain, address class, service class and timeliness class); an ACL rule can reference the following information: source domain (or source interface), destination domain (or destination interface), source address (or source address group), destination address (or destination address group), destination service (or destination service group), timeliness information and action (i.e. the reference relationship between the information of the different information types), and so on. In a specific implementation, an ACL rule can cover the access request of one complete network five-tuple (i.e. source IP address, source port, destination IP address, destination port and transport layer protocol). An ACL rule group includes multiple ACL rules; in practice, an ACL rule is subordinate to the ACL rule group to which it belongs.
Step S305: obtain, from the preset firewall ACL standard configuration information bank, the synonymous ACL standard configuration object corresponding to the synonymous ACL standard configuration object feature code as the target ACL standard configuration object.
Step S306: take the work order ACL standard configuration object as the target ACL standard configuration object.
When no synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code exists in the preset firewall ACL standard configuration information bank, this indicates that no ACL standard configuration object identical to the work order ACL standard configuration object exists in the firewall ACL standard configuration information bank, so the work order ACL standard configuration object is taken as the target ACL standard configuration object.
Further, after the work order ACL standard configuration object is taken as the target ACL standard configuration object, the target ACL standard configuration object can also be stored in the preset firewall ACL standard configuration information bank, so that next time the target ACL standard configuration object can be managed automatically through the preset firewall ACL standard configuration information bank.
Step S307: generate the ACL configuration instruction corresponding to the target firewall according to the instruction information and the target ACL standard configuration object.
Specifically, in this step, the ACL standard operation object corresponding to the target ACL standard configuration object is first generated according to the instruction information carried by the network work order. The ACL standard operation object includes the target ACL standard configuration object and the operation type of the target ACL standard configuration object. In a specific implementation, the operation type of the target ACL standard configuration object is determined according to the instruction information of the network work order. For example, if the instruction information instructs that the ACL standard configuration object is to be added, the operation type of the ACL standard configuration object corresponds to the add type; if the instruction information instructs that the target ACL standard configuration object is to be deleted, the operation type of the ACL standard configuration object corresponds to the delete type, and so on.
After the ACL standard operation object is obtained, it is converted into the ACL configuration instruction corresponding to the target firewall. The ACL configuration instruction uses the ACL syntax definition of the target firewall and can be recognized by the target firewall. In a specific implementation, the firewall ACL information template corresponding to the firewall model of the target firewall is obtained from the preset firewall ACL information templates according to that firewall model, the content of the target ACL standard configuration object in the ACL standard operation object is extracted, and that content is filled into the firewall ACL information template corresponding to the type of the target ACL standard configuration object. The types of firewall ACL information template include: domain, address class, service class, timeliness class, ACL rule or ACL rule group. The types of target ACL standard configuration object include: domain object, address object, service object, timeliness object, ACL rule object and ACL rule group object. The type of firewall ACL information template corresponding to a domain object is domain; that corresponding to an address object is address class; that corresponding to a service object is service class; that corresponding to a timeliness object is timeliness class; that corresponding to an ACL rule object is ACL rule; and that corresponding to an ACL rule group object is ACL rule group.
Step S308: issue the ACL configuration instruction to the target firewall, so that the target firewall executes the ACL configuration instruction.
Step S309: obtain the first ACL configuration information of the target firewall, and determine according to the first ACL configuration information whether to issue the ACL configuration instruction.
This step is optional. The first ACL configuration information is the ACL configuration information on the target firewall before the ACL configuration instruction is issued. In a specific implementation, the first ACL configuration information may contain configuration information of the same name as the ACL configuration instruction, that is, configuration information whose name is identical to the name of the ACL configuration instruction. If the ACL configuration instruction is issued directly to the target firewall while configuration information of the same name exists, the ACL configuration instruction overwrites that configuration information of the same name, causing it to be lost. To avoid this, before the ACL configuration instruction is issued, the first ACL configuration information of the target firewall is obtained and the names in the first ACL configuration information are compared with the name of the ACL configuration instruction; when configuration information of the same name as the ACL configuration instruction exists in the first ACL configuration information, the ACL configuration instruction whose name is identical to that configuration information is not issued. The comparison method can be configured by those skilled in the art according to the actual situation, for example by comparing snapshots; the present invention does not limit this.
Further, in order to verify the ACL configuration instruction issued to the target firewall, the following step can also be performed after step S309 is executed:
Step S310: obtain the second ACL configuration information of the target firewall, and determine according to the second ACL configuration information and the operation type of the ACL standard configuration object whether the ACL configuration instruction was issued successfully.
The second ACL configuration information is the ACL configuration information of the target firewall after the ACL configuration instruction has been issued to the target firewall.
Specifically, in this step, the ACL standard configuration object corresponding to each second ACL configuration information can first be generated, and then the feature code of that ACL standard configuration object is generated according to its content. The process of generating the ACL standard configuration object corresponding to the second ACL configuration information is the same as the process in step S130 of generating the ACL standard configuration object corresponding to each firewall ACL configuration information, and the process of generating the feature code of the ACL standard configuration object corresponding to the second ACL configuration information is the same as the process in step S130 of generating the ACL standard configuration object feature code from the content of each ACL standard configuration object; see the corresponding description in step S130, which is not repeated here.
When the ACL standard configuration information of the firewall has successfully executed the ACL configuration instruction, the ACL configuration instruction is determined to have been issued successfully. Therefore, whether the ACL configuration instruction was issued successfully can be determined according to whether the ACL standard configuration information of the firewall has successfully executed the ACL configuration instruction: if it has, the ACL configuration instruction is determined to have been issued successfully; otherwise, the ACL configuration instruction is determined to have failed. Whether the ACL standard configuration information of the firewall has successfully executed the ACL configuration instruction is determined according to whether the ACL standard configuration object corresponding to the firewall's ACL standard configuration information has successfully executed the operation type of the corresponding ACL standard configuration object. In a specific implementation, the operation type of the ACL standard configuration object may include: a delete operation, an add operation or a modify operation.
When the operation type of the ACL standard configuration object is a delete operation, it can be judged whether the ACL standard configuration object exists among the at least one ACL configuration object; if it does not exist, the ACL configuration instruction is determined to have been issued successfully; if it exists, the ACL configuration instruction is determined to have failed.
When the operation type of the ACL standard configuration object is an add operation or a modify operation, it is judged whether the ACL standard configuration object exists among the at least one first ACL configuration object; if it does not exist, the ACL configuration instruction is determined to have failed; if it exists, the target ACL configuration object corresponding to the ACL standard configuration object is determined among the at least one ACL configuration object, and it is further judged whether the feature code of the target ACL configuration object is consistent with the feature code of the ACL standard configuration object; if consistent, the ACL configuration instruction is determined to have been issued successfully; if inconsistent, the ACL configuration instruction is determined to have failed. Through the above process, whether the ACL configuration instruction was issued successfully can be verified accurately, automatic verification of the result of issuing the ACL configuration instruction is achieved, and the degree of firewall automation is raised.
Further, after the above verification process is completed, the ACL configuration instruction can be written into the mirror configuration, so as to effectively ensure that the issued ACL configuration instruction remains in effect after a restart.
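The same-name pre-check of step S309 and the per-operation-type verification of step S310, as one added example that is not part of the patent's own text: the feature code is modelled as a SHA-256 over the object's canonical JSON content (the patent defines it in step S130, which is not reproduced here), and the before/after ACL objects are constructed sample data.

```python
import hashlib
import json


def feature_code(obj):
    """Feature code of an ACL standard configuration object.

    Assumption: the patent defines the feature code in step S130 (not shown);
    here it is the SHA-256 of the object's canonical JSON content, so two
    objects with the same content get the same code regardless of key order.
    """
    canonical = json.dumps(obj["content"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def instructions_to_issue(instructions, first_acl_objects):
    """Step S309: hold back any instruction whose name already exists on the firewall,
    so an issued instruction never silently overwrites existing configuration.
    Returns (to_issue, held_back)."""
    existing = {o["name"] for o in first_acl_objects}
    to_issue = [i for i in instructions if i["name"] not in existing]
    held_back = [i for i in instructions if i["name"] in existing]
    return to_issue, held_back


def verify_issued(op_type, std_obj, second_acl_objects):
    """Step S310: check the post-issue ACL objects against the operation type.

    delete      -> success iff the object is absent afterwards
    add/modify  -> success iff the object is present AND its feature code
                   equals the feature code of the standard object
    """
    by_name = {o["name"]: o for o in second_acl_objects}
    target = by_name.get(std_obj["name"])          # the "target ACL configuration object"
    if op_type == "delete":
        return target is None
    if op_type in ("add", "modify"):
        if target is None:
            return False
        return feature_code(target) == feature_code(std_obj)
    raise ValueError(f"unknown operation type: {op_type!r}")


# Constructed sample data standing in for configuration collected from a firewall.
BEFORE = [   # first ACL configuration information (collected before issuing)
    {"name": "10.172.16.83/32", "type": "address", "content": {"ip": "10.172.16.83", "mask": 32}},
]
AFTER = [    # second ACL configuration information (collected after issuing)
    {"name": "10.172.16.83/32", "type": "address", "content": {"ip": "10.172.16.83", "mask": 32}},
    {"name": "tcp22-22", "type": "service", "content": {"protocol": "tcp", "port": 22, "port2": 22}},
]
NEW_SERVICE = {"name": "tcp22-22", "type": "service",
               "content": {"protocol": "tcp", "port": 22, "port2": 22}}


if __name__ == "__main__":
    to_issue, held_back = instructions_to_issue([NEW_SERVICE, BEFORE[0]], BEFORE)
    print([i["name"] for i in to_issue], [i["name"] for i in held_back])   # ['tcp22-22'] ['10.172.16.83/32']
    print(verify_issued("add", NEW_SERVICE, AFTER))                          # True
```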
In the firewall ACL configuration management method provided by the embodiment of the present invention, the target firewall can be determined automatically according to the address information carried in the received network work order, and the ACL standard configuration object corresponding to the target firewall is obtained from the firewall ACL standard configuration information bank containing multiple ACL standard configuration objects, where the preset firewall ACL standard configuration information bank includes at least one ACL standard configuration object; each ACL standard configuration object is generated from the firewall ACL standard configuration information of any firewall among the target management firewalls according to the information type of the firewall ACL standard configuration information; the information types include: domain, address class, service class, timeliness class, ACL rule or ACL rule group. That is, the preset firewall ACL standard configuration information bank stores ACL standard configuration objects obtained by converting firewall ACL configuration information under different ACL syntax definitions into a unified format. Finally, the embodiment of the present invention can automatically generate an ACL standard operation object according to the instruction information carried in the network work order and the above ACL standard configuration object, convert the ACL standard operation object into an ACL configuration instruction that the target firewall can recognize, and issue it to the target firewall. It can be seen that the embodiment of the present invention can, automatically and based on the network work order and the firewall ACL standard configuration information bank, determine the target firewall and the ACL configuration instruction corresponding to the target firewall, achieving a series of automated processes such as the automatic matching of the target firewall with the ACL standard configuration object, the automatic conversion from ACL standard configuration object to ACL configuration instruction, and automatic issuing. This realizes automatic management of firewall ACLs to a certain extent: administrative staff no longer need to confirm and convert between multiple firewall models and firewall ACL syntaxes by manual management, which reduces the operational complexity for administrative staff and effectively improves the efficiency of firewall management.
The embodiment of the present invention also provides a firewall ACL management device; referring to Fig. 7, the firewall ACL management device includes:
an acquisition module 71, for acquiring at least one firewall access control list (ACL) configuration information of the target management firewalls;
a determining module 72, for determining the information type of each firewall ACL configuration information acquired by the acquisition module 71; the information types include: domain, address class, service class, timeliness class, ACL rule or ACL rule group;
a processing module 73, for generating, according to the information type determined by the determining module 72, the ACL standard configuration object corresponding to each firewall ACL configuration information and the ACL standard configuration object feature code of that ACL standard configuration object;
a storage processing module 74, for saving the ACL standard configuration object obtained by the processing module 73 and the ACL standard configuration object feature code of that ACL standard configuration object into the preset firewall ACL standard configuration object library.
Optionally, the acquisition module 71 can specifically be used for:
acquiring the firewall access control list (ACL) configuration information of the target management firewalls at every predetermined period;
and the storage processing module 74 can specifically be used for:
comparing the ACL standard configuration object with the ACL standard configuration objects already stored in the firewall ACL standard configuration object library, and determining the ACL standard configuration object to be updated that differs from the stored ACL standard configuration objects;
saving the ACL standard configuration object to be updated and the ACL standard configuration object feature code to be updated of that object into the firewall ACL standard configuration object library.
For all related content of each step involved in the above method embodiment, reference may be made to the functional description of the corresponding functional module, which is not repeated here.
In the case of an integrated module, the firewall ACL management device includes: a storage unit, a processing unit and an interface unit. The processing unit is used for controlling and managing the actions of the firewall ACL management device; for example, the processing unit is used to support the firewall ACL management device in executing each step in Fig. 1 to Fig. 6. The interface unit is used to support the interaction of the firewall ACL management device with other devices, and the storage unit is used to store the program code and data of the firewall ACL management device.
The processing unit may be a processor, the storage unit a memory, and the interface unit a communication interface. Referring to Fig. 8, the firewall ACL management device includes a communication interface 801, a processor 802, a memory 803 and a bus 804; the communication interface 801, the processor 802 and the memory 803 are connected through the bus 804.
The processor 802 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the solution of the present application.
The memory 803 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory may exist independently and be connected to the processor through the bus, or the memory may be integrated with the processor.
The memory 803 is used to store the application program code for executing the solution of the present application, and its execution is controlled by the processor 802. The communication interface 801 is used to support the interaction of the firewall ACL management device with other devices. The processor 802 is used to execute the application program code stored in the memory 803, so as to implement the firewall ACL management method in the embodiment of the present application.
The embodiment of the present invention also provides a firewall ACL configuration management device; referring to Fig. 9, the firewall ACL configuration management device includes:
a receiving module 901, for receiving a network work order carrying work order information; the work order information includes: address information, instruction information and service information;
a target determination module 902, for determining the target firewall according to the address information received by the receiving module 901; the address information includes: a source IP address and a destination IP address;
a first generation module 903, for generating, according to the work order information received by the receiving module 901, at least one work order ACL standard configuration object corresponding to the target firewall determined by the target determination module 902 and the work order ACL standard configuration object feature code of each work order ACL standard configuration object;
a judgment module 904, for judging whether a synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code exists in the preset firewall ACL standard configuration information bank; the preset firewall ACL standard configuration information bank includes at least one ACL standard configuration object; each ACL standard configuration object is generated from the firewall ACL standard configuration information of any firewall among the target management firewalls according to the information type of the firewall ACL standard configuration information; the information types include: domain, address class, service class, timeliness class, ACL rule or ACL rule group;
a processing module 905, for obtaining, if the judgment result of the judgment module 904 is yes, the synonymous ACL standard configuration object corresponding to the synonymous ACL standard configuration object feature code from the preset firewall ACL standard configuration information bank as the target ACL standard configuration object, and, if the judgment result of the judgment module 904 is no, taking the work order ACL standard configuration object as the target ACL standard configuration object;
a second generation module 906, for generating the ACL configuration instruction corresponding to the target firewall according to the instruction information received by the receiving module 901 and the target ACL standard configuration object obtained by the processing module 905;
an issuing module 907, for issuing the ACL configuration instruction generated by the second generation module 906 to the target firewall, so that the target firewall executes the ACL configuration instruction.
Optionally, target determination module 902 is specifically used for:
Obtain the configuration information for being pre-configured firewall to be detected in firewall;Wherein being pre-configured firewall includes at least one Firewall;Firewall to be detected is to be pre-configured any firewall in firewall;
Determine whether address information matches with the configuration information of firewall to be detected;
If address information is matched with the configuration information of firewall to be detected, it is determined that firewall to be detected is target fire prevention Wall.
Optionally, configuration information includes: domain range information;Then target determination module 902 is specifically used for:
According to the domain range information of firewall to be detected determine the matched first source IP address matching domain of source IP address and The matched first purpose IP address matching domain of purpose IP address;Wherein the domain range information of firewall to be detected includes to be detected anti- Address information within the scope of the domain in the domain of wall with flues and the domain of firewall to be detected;
Judge whether the first source IP address matching domain and the first purpose IP address matching domain are identical;
If judging result is that the first source IP address matching domain and the first purpose IP address matching domain be not identical, it is determined that address Information is matched with the configuration information of firewall to be detected.
Optionally, the configuration information includes routing table information, and target determination module 902 is specifically configured to:
Determine, from the routing table information of the firewall to be detected, the first interface corresponding to the source IP address and the second interface corresponding to the destination IP address; the routing table information of the firewall to be detected includes the firewall routing address information of the firewall to be detected and the interface corresponding to each routing address entry;
Judge whether the first interface is identical to the second interface;
If the judgment result is that the first interface and the second interface are not identical, determine, from the preset correspondence between domains and interfaces, the second source IP address matching domain corresponding to the first interface and the second destination IP address matching domain corresponding to the second interface;
Judge whether the second source IP address matching domain and the second destination IP address matching domain are identical;
If the judgment result is that the second source IP address matching domain and the second destination IP address matching domain are not identical, determine that the address information matches the configuration information of the firewall to be detected.
Optionally, the configuration information further includes exclusive domain information, and the ACL configuration management device further includes:
Exclusive domain information determining module 908, configured to determine whether the address information matches the exclusive domain information and, if so, determine that the address information matches the configuration information of the firewall to be detected.
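As an added illustration, not code from the patent, the following Python example implements the target firewall determination described above for modules 902 and 908: the exclusive-domain check is applied first, then the domain-range check, then the routing-table check with the preset interface-to-domain correspondence. The FirewallConfig layout, the sample firewalls and addresses, and the rule that the address information matches the exclusive domain when either the source or the destination address lies within an exclusive prefix are assumptions constructed for the example; the patent does not specify them.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class FirewallConfig:
    """Constructed configuration record for one pre-configured firewall (assumed layout)."""
    name: str
    # domain range information: domain name -> prefixes inside that domain
    domains: dict[str, list[str]] = field(default_factory=dict)
    # routing table information: (prefix, interface) entries
    routes: list[tuple[str, str]] = field(default_factory=list)
    # preset correspondence between interfaces and domains
    iface_domain: dict[str, str] = field(default_factory=dict)
    # exclusive domain information: prefixes this firewall always handles
    exclusive: list[str] = field(default_factory=list)


def _domain_of(fw: FirewallConfig, ip) -> str | None:
    """Domain whose address range contains ip, or None if no domain covers it."""
    for domain, prefixes in fw.domains.items():
        if any(ip in ipaddress.ip_network(p) for p in prefixes):
            return domain
    return None


def _iface_of(fw: FirewallConfig, ip) -> str | None:
    """Longest-prefix match over the routing table information."""
    best_net, best_iface = None, None
    for prefix, iface in fw.routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def address_matches(fw: FirewallConfig, src: str, dst: str) -> bool:
    """Does the (source, destination) address pair match this firewall's configuration?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Exclusive domain check first (module 908). Assumption: either address in an
    # exclusive prefix counts as a match.
    if any(s in ipaddress.ip_network(p) or d in ipaddress.ip_network(p) for p in fw.exclusive):
        return True
    # Domain range check: the two addresses fall in two different domains of this firewall.
    src_dom, dst_dom = _domain_of(fw, s), _domain_of(fw, d)
    if src_dom and dst_dom and src_dom != dst_dom:
        return True
    # Routing table check: different interfaces, mapped to different domains.
    src_if, dst_if = _iface_of(fw, s), _iface_of(fw, d)
    if src_if and dst_if and src_if != dst_if:
        src_dom2, dst_dom2 = fw.iface_domain.get(src_if), fw.iface_domain.get(dst_if)
        if src_dom2 and dst_dom2 and src_dom2 != dst_dom2:
            return True
    return False


def determine_target_firewalls(firewalls: list[FirewallConfig], src: str, dst: str) -> list[str]:
    """Names of every pre-configured firewall whose configuration matches the address pair."""
    return [fw.name for fw in firewalls if address_matches(fw, src, dst)]


# Constructed sample: a data-centre firewall with two internal domains and a branch
# firewall that exclusively owns 172.16.5.0/24.
SAMPLE_FIREWALLS = [
    FirewallConfig(
        name="fw-dc1",
        domains={"trust": ["10.1.0.0/16"], "dmz": ["10.2.0.0/16"]},
        routes=[("10.1.0.0/16", "eth1"), ("10.2.0.0/16", "eth2"), ("0.0.0.0/0", "eth0")],
        iface_domain={"eth1": "trust", "eth2": "dmz", "eth0": "untrust"},
    ),
    FirewallConfig(
        name="fw-branch",
        domains={"trust": ["192.168.0.0/16"]},
        routes=[("192.168.0.0/16", "eth1"), ("0.0.0.0/0", "eth0")],
        iface_domain={"eth1": "trust", "eth0": "untrust"},
        exclusive=["172.16.5.0/24"],
    ),
]

if __name__ == "__main__":
    print(determine_target_firewalls(SAMPLE_FIREWALLS, "10.1.1.10", "8.8.8.8"))
```

The three checks are ordered so that the cheapest and most decisive one (the exclusive domain) short-circuits first; traffic between two addresses in the same domain of the same interface is not assigned to that firewall, which is the behaviour the "not identical" conditions above describe.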
Optionally, the ACL configuration management device further includes an issue determining module 909, configured to:
Obtain the first ACL configuration information of the target firewall and determine, from the first ACL configuration information, whether to issue the ACL configuration instruction.
Optionally, the ACL configuration management device further includes a verification module 910, configured to:
Obtain the second ACL configuration information of the target firewall;
Determine, from the second ACL configuration information and the operation type of the ACL standard configuration object, whether the ACL configuration instruction was issued successfully.
Optionally, the operation type of the ACL standard configuration object includes an add operation, a modify operation and a delete operation.
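As an added example, not taken from the patent, the following Python code shows the issue determining module 909 and the verification module 910 working with the three operation types above: should_issue compares the first (pre-issue) ACL configuration of the target firewall against the operation type, verify_issued compares the second (post-issue) configuration, and simulated_apply stands in for the target firewall executing the instruction. The AclRule fields, the vendor-neutral instruction syntax produced by render_instruction and the sample rules are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    """Constructed ACL rule representation; field names are assumptions for the example."""
    name: str
    src: str
    dst: str
    service: str
    action: str  # "permit" or "deny"


@dataclass(frozen=True)
class StandardObject:
    """ACL standard configuration object of information type ACL rule, with its operation type."""
    op_type: str  # "add", "modify" or "delete"
    rule: AclRule


def render_instruction(obj: StandardObject) -> str:
    """ACL configuration instruction in a constructed vendor-neutral syntax (not a real CLI)."""
    r = obj.rule
    if obj.op_type == "delete":
        return f"acl rule delete name={r.name}"
    verb = "add" if obj.op_type == "add" else "set"
    return f"acl rule {verb} name={r.name} src={r.src} dst={r.dst} service={r.service} action={r.action}"


def should_issue(first_config: dict[str, AclRule], obj: StandardObject) -> bool:
    """Issue determining module: decide from the first (pre-issue) ACL configuration."""
    existing = first_config.get(obj.rule.name)
    if obj.op_type == "add":
        return existing is None  # already present: nothing to add
    if obj.op_type == "modify":
        return existing is not None and existing != obj.rule  # only if it actually changes
    if obj.op_type == "delete":
        return existing is not None  # nothing to delete otherwise
    raise ValueError(f"unknown operation type: {obj.op_type}")


def verify_issued(second_config: dict[str, AclRule], obj: StandardObject) -> bool:
    """Verification module: check the second (post-issue) configuration against the operation type."""
    existing = second_config.get(obj.rule.name)
    if obj.op_type in ("add", "modify"):
        return existing == obj.rule
    if obj.op_type == "delete":
        return existing is None
    raise ValueError(f"unknown operation type: {obj.op_type}")


def simulated_apply(config: dict[str, AclRule], instruction: str) -> dict[str, AclRule]:
    """Constructed stand-in for the target firewall executing one instruction; returns the new config."""
    parts = instruction.split()
    verb = parts[2]
    kv = dict(p.split("=", 1) for p in parts[3:])
    new_config = dict(config)
    if verb == "delete":
        new_config.pop(kv["name"], None)
    else:
        new_config[kv["name"]] = AclRule(**kv)
    return new_config


# Constructed first ACL configuration of the target firewall.
FIRST_CONFIG = {"web-in": AclRule("web-in", "any", "SRV_WEB", "tcp/443", "permit")}

if __name__ == "__main__":
    obj = StandardObject("add", AclRule("db-in", "SRV_WEB", "SRV_DB", "tcp/5432", "permit"))
    if should_issue(FIRST_CONFIG, obj):
        second = simulated_apply(FIRST_CONFIG, render_instruction(obj))
        print("issued successfully:", verify_issued(second, obj))
```

The pre-issue check prevents redundant or contradictory pushes (adding a rule that already exists, deleting one that is absent), and the post-issue check reads the configuration back instead of trusting the transport's return code, so a silently rejected instruction is detected.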
For the details of each step of the above method embodiments, reference may be made to the functional description of the corresponding functional module; they are not repeated here.
When integrated units are used, the firewall ACL configuration management device includes a storage unit, a processing unit and an interface unit. The processing unit controls and manages the actions of the firewall ACL configuration management device; for example, it supports the device in executing each step in Fig. 1 to Fig. 6. The interface unit supports interaction between the firewall ACL configuration management device and other devices. The storage unit stores the program code and data of the firewall ACL configuration management device.
The processing unit may be a processor, the storage unit a memory, and the interface unit a communication interface. Referring to Fig. 10, the firewall ACL configuration management device includes a communication interface 1001, a processor 1002, a memory 1003 and a bus 1004; the communication interface 1001 and the processor 1002 are connected to the memory 1003 through the bus 1004.
The processor 1002 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits that control execution of the program of the present application.
The memory 1003 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory may exist separately and be connected to the processor through the bus, or it may be integrated with the processor.
The memory 1003 stores the application program code that executes the scheme of the present application, and the processor 1002 controls its execution. The communication interface 1001 supports interaction between the firewall ACL configuration management device and other devices. The processor 1002 executes the application program code stored in the memory 1003 to implement the firewall ACL configuration management method of the embodiments of the present application.
It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, can essentially be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including instructions that cause a terminal (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to execute the method described in each embodiment of the present application.
The embodiment of the present invention also provides a computer program that can be loaded directly into memory and contains software code; once loaded into and executed by a computer, the program implements the above firewall ACL management method and firewall ACL configuration management method.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the application is not limited to the specific embodiments described above; those embodiments are merely illustrative and not restrictive. Under the inspiration of this application, those skilled in the art can also make many further forms without departing from the purpose of the application and the scope of protection claimed, all of which fall within the protection of the application.

Claims (20)

1. A firewall ACL management method, characterized by comprising:
Acquiring at least one item of firewall access control list (ACL) configuration information of the target managed firewalls;
Determining the information type of each item of firewall ACL configuration information; the information type includes: domain, address class, service class, timeliness class, ACL rule or ACL rule group;
Generating, according to the information type, the ACL standard configuration object corresponding to each item of firewall ACL configuration information and the ACL standard configuration object feature code of the ACL standard configuration object;
Saving the ACL standard configuration object and the ACL standard configuration object feature code of the ACL standard configuration object to a preset firewall ACL standard configuration object library.
2. The firewall ACL management method according to claim 1, characterized in that acquiring the firewall access control list ACL configuration information of the target managed firewalls specifically comprises:
Acquiring the firewall access control list ACL configuration information of the target managed firewalls every predetermined period;
And saving the ACL standard configuration object to the preset firewall ACL standard configuration object library comprises:
Comparing the ACL standard configuration object with the ACL standard configuration objects stored in the firewall ACL standard configuration object library, and determining, from among the ACL standard configuration objects, the ACL standard configuration objects to be updated that differ from the stored ACL standard configuration objects;
Saving the ACL standard configuration objects to be updated and the ACL standard configuration object feature codes to be updated of the ACL standard configuration objects to be updated to the firewall ACL standard configuration object library.
3. A firewall ACL configuration management method, characterized by comprising:
Receiving a network work order carrying work order information; the work order information includes: address information, instruction information and service information;
Determining a target firewall according to the address information; the address information includes: a source IP address and a destination IP address;
Generating, according to the work order information, at least one work order ACL standard configuration object corresponding to the target firewall and the work order ACL standard configuration object feature code of each work order ACL standard configuration object;
Judging whether a synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code exists in a preset firewall ACL standard configuration information library; wherein the preset firewall ACL standard configuration information library includes at least one ACL standard configuration object, and each ACL standard configuration object is generated from the firewall ACL standard configuration information of any firewall among the target managed firewalls according to the information type of that firewall ACL standard configuration information; the information type includes: domain, address class, service class, timeliness class, ACL rule or ACL rule group;
If the judgment result is yes, obtaining the synonymous ACL standard configuration object corresponding to the synonymous ACL standard configuration object feature code in the preset firewall ACL standard configuration information library as the target ACL standard configuration object; if the judgment result is no, using the work order ACL standard configuration object as the target ACL standard configuration object;
Generating the ACL configuration instruction corresponding to the target firewall according to the instruction information and the target ACL standard configuration object;
Issuing the ACL configuration instruction to the target firewall, so that the target firewall executes the ACL configuration instruction.
4. The firewall ACL configuration management method according to claim 3, characterized in that determining the target firewall according to the address information comprises:
Obtaining the configuration information of a firewall to be detected among the pre-configured firewalls; wherein the pre-configured firewalls include at least one firewall, and the firewall to be detected is any firewall among the pre-configured firewalls;
Determining whether the address information matches the configuration information of the firewall to be detected;
If the address information matches the configuration information of the firewall to be detected, determining that the firewall to be detected is the target firewall.
5. The firewall ACL configuration management method according to claim 4, wherein the configuration information includes domain range information, and determining whether the address information matches the configuration information of the firewall to be detected comprises:
Determining, according to the domain range information of the firewall to be detected, the first source IP address matching domain matched by the source IP address and the first destination IP address matching domain matched by the destination IP address; wherein the domain range information of the firewall to be detected includes the domains of the firewall to be detected and the address information within the range of each domain of the firewall to be detected;
Judging whether the first source IP address matching domain and the first destination IP address matching domain are identical;
If the judgment result is that the first source IP address matching domain and the first destination IP address matching domain are not identical, determining that the address information matches the configuration information of the firewall to be detected.
6. The firewall ACL configuration management method according to claim 4, characterized in that the configuration information includes routing table information, and determining whether the address information matches the configuration information of the firewall to be detected comprises:
Determining, according to the routing table information of the firewall to be detected, the first interface corresponding to the source IP address and the second interface corresponding to the destination IP address; wherein the routing table information of the firewall to be detected includes the firewall routing address information of the firewall to be detected and the interface corresponding to the firewall routing address information;
Judging whether the first interface is identical to the second interface;
If the judgment result is that the first interface and the second interface are not identical, determining, according to the preset correspondence between domains and interfaces, the second source IP address matching domain corresponding to the first interface and the second destination IP address matching domain corresponding to the second interface;
Judging whether the second source IP address matching domain and the second destination IP address matching domain are identical;
If the judgment result is that the second source IP address matching domain and the second destination IP address matching domain are not identical, determining that the address information matches the configuration information of the firewall to be detected.
7. The firewall ACL configuration management method according to claim 5 or 6, characterized in that the configuration information further includes exclusive domain information;
Before determining that the address information matches the configuration information of the firewall to be detected, the method further comprises: determining whether the address information matches the exclusive domain information, and if the judgment result is that the address information matches the exclusive domain information, determining that the address information matches the configuration information of the firewall to be detected.
8. The firewall ACL configuration management method according to claim 3, characterized in that, before issuing the ACL configuration instruction to the target firewall, the method further comprises:
Obtaining the first ACL configuration information of the target firewall, and determining, according to the first ACL configuration information, whether to issue the ACL configuration instruction.
9. The firewall ACL configuration management method according to claim 3, characterized in that, after issuing the ACL configuration instruction to the target firewall, the method further comprises:
Obtaining the second ACL configuration information of the target firewall;
Determining, according to the second ACL configuration information and the operation type of the ACL standard configuration object, whether the ACL configuration instruction was issued successfully.
10. The firewall ACL configuration management method according to claim 9, characterized in that the operation type of the ACL standard configuration object includes: an add operation, a modify operation and a delete operation.
11. A firewall ACL management device, characterized by comprising:
An acquisition module, configured to acquire at least one item of firewall access control list ACL configuration information of the target managed firewalls;
A determining module, configured to determine the information type of each item of firewall ACL configuration information; the information type includes: domain, address class, service class, timeliness class, ACL rule or ACL rule group;
A processing module, configured to generate, according to the information type, the ACL standard configuration object corresponding to each item of firewall ACL configuration information and the ACL standard configuration object feature code of the ACL standard configuration object;
A storage processing module, configured to save the ACL standard configuration object and the ACL standard configuration object feature code of the ACL standard configuration object to a preset firewall ACL standard configuration object library.
12. The firewall ACL management device according to claim 11, characterized in that the acquisition module is specifically configured to:
Acquire the firewall access control list ACL configuration information of the target managed firewalls every predetermined period;
And the storage processing module is specifically configured to:
Compare the ACL standard configuration object with the ACL standard configuration objects stored in the firewall ACL standard configuration object library, and determine, from among the ACL standard configuration objects, the ACL standard configuration objects to be updated that differ from the stored ACL standard configuration objects;
Save the ACL standard configuration objects to be updated and the ACL standard configuration object feature codes to be updated of the ACL standard configuration objects to be updated to the firewall ACL standard configuration object library.
13. A firewall ACL configuration management device, characterized by comprising:
A receiving module, configured to receive a network work order carrying work order information; the work order information includes: address information, instruction information and service information;
A target determination module, configured to determine a target firewall according to the address information; the address information includes: a source IP address and a destination IP address;
A first generation module, configured to generate, according to the work order information, at least one work order ACL standard configuration object corresponding to the target firewall and the work order ACL standard configuration object feature code of each work order ACL standard configuration object;
A judgment module, configured to judge whether a synonymous ACL standard configuration object feature code identical to the work order ACL standard configuration object feature code exists in a preset firewall ACL standard configuration information library; wherein the preset firewall ACL standard configuration information library includes at least one ACL standard configuration object, and each ACL standard configuration object is generated from the firewall ACL standard configuration information of any firewall among the target managed firewalls according to the information type of that firewall ACL standard configuration information; the information type includes: domain, address class, service class, timeliness class, ACL rule or ACL rule group;
A processing module, configured to, if the judgment result is yes, obtain the synonymous ACL standard configuration object corresponding to the synonymous ACL standard configuration object feature code in the preset firewall ACL standard configuration information library as the target ACL standard configuration object, and, if the judgment result is no, use the work order ACL standard configuration object as the target ACL standard configuration object;
A second generation module, configured to generate the ACL configuration instruction corresponding to the target firewall according to the instruction information and the target ACL standard configuration object;
An issuing module, configured to issue the ACL configuration instruction to the target firewall, so that the target firewall executes the ACL configuration instruction.
14. The firewall ACL configuration management device according to claim 13, characterized in that the target determination module is specifically configured to: obtain the configuration information of a firewall to be detected among the pre-configured firewalls, wherein the pre-configured firewalls include at least one firewall and the firewall to be detected is any firewall among the pre-configured firewalls; determine whether the address information matches the configuration information of the firewall to be detected; and, if the address information matches the configuration information of the firewall to be detected, determine that the firewall to be detected is the target firewall.
15. The firewall ACL configuration management device according to claim 14, wherein the configuration information includes domain range information, and the target determination module is specifically configured to:
Determine, according to the domain range information of the firewall to be detected, the first source IP address matching domain matched by the source IP address and the first destination IP address matching domain matched by the destination IP address; wherein the domain range information of the firewall to be detected includes the domains of the firewall to be detected and the address information within the range of each domain of the firewall to be detected;
Judge whether the first source IP address matching domain and the first destination IP address matching domain are identical;
If the judgment result is that the first source IP address matching domain and the first destination IP address matching domain are not identical, determine that the address information matches the configuration information of the firewall to be detected.
16. The firewall ACL configuration management device according to claim 14, characterized in that the configuration information includes routing table information, and the target determination module is specifically configured to:
Determine, according to the routing table information of the firewall to be detected, the first interface corresponding to the source IP address and the second interface corresponding to the destination IP address; wherein the routing table information of the firewall to be detected includes the firewall routing address information of the firewall to be detected and the interface corresponding to the firewall routing address information;
Judge whether the first interface is identical to the second interface;
If the judgment result is that the first interface and the second interface are not identical, determine, according to the preset correspondence between domains and interfaces, the second source IP address matching domain corresponding to the first interface and the second destination IP address matching domain corresponding to the second interface;
Judge whether the second source IP address matching domain and the second destination IP address matching domain are identical;
If the judgment result is that the second source IP address matching domain and the second destination IP address matching domain are not identical, determine that the address information matches the configuration information of the firewall to be detected.
17. The firewall ACL configuration management device according to claim 15 or 16, characterized in that the configuration information further includes exclusive domain information, and the device further comprises:
An exclusive domain information determining module, configured to determine whether the address information matches the exclusive domain information and, if the judgment result is that the address information matches the exclusive domain information, determine that the address information matches the configuration information of the firewall to be detected.
18. The firewall ACL configuration management device according to claim 13, characterized in that the device further comprises an issue determining module, configured to:
Obtain the first ACL configuration information of the target firewall, and determine, according to the first ACL configuration information, whether to issue the ACL configuration instruction.
19. The firewall ACL configuration management device according to claim 13, characterized in that the device further comprises a verification module, configured to:
Obtain the second ACL configuration information of the target firewall;
Determine, according to the second ACL configuration information and the operation type of the ACL standard configuration object, whether the ACL configuration instruction was issued successfully.
20. The firewall ACL configuration management device according to claim 19, characterized in that the operation type of the ACL standard configuration object includes: an add operation, a modify operation and a delete operation.
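The feature-code mechanism of claims 1 to 3 (and its device counterparts in claims 11 to 13) can be demonstrated with the following Python example, which is added here and is not the patent's own code: standardize turns a collected configuration item into a vendor-neutral ACL standard configuration object according to its information type, feature_code hashes the object's content with the object name excluded so that objects that differ only in name, member ordering or address notation yield the same code (the "synonymous" case), update_library stores only objects whose code is not already present, and resolve_work_order returns the library object when a matching code exists and otherwise keeps the work order object as the target. The raw record layout, the canonicalization rules and the choice of SHA-256 for the feature code are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import ipaddress
import json

# The six information types named in claim 1 (labels are assumptions).
INFO_TYPES = ("domain", "address", "service", "time", "acl_rule", "acl_rule_group")


def standardize(info_type: str, raw: dict) -> dict:
    """Build an ACL standard configuration object: vendor-neutral, canonically ordered fields.

    The raw record layout (keys "name", "addresses", "ports", "members", ...) is constructed
    for this example; a real collector would map each vendor's format onto it.
    """
    if info_type not in INFO_TYPES:
        raise ValueError(f"unknown information type: {info_type}")
    obj = {"type": info_type, "name": raw.get("name", "")}
    if info_type == "address":
        # Accept bare hosts and CIDRs, then collapse adjacent/overlapping prefixes so that
        # "10.1.1.10" + "10.1.1.11" and "10.1.1.10/31" produce the same member list.
        nets = [ipaddress.ip_network(a, strict=False) for a in raw["addresses"]]
        obj["members"] = sorted(str(n) for n in ipaddress.collapse_addresses(nets))
    elif info_type == "service":
        obj["members"] = sorted(f"{proto.lower()}/{port}" for proto, port in raw["ports"])
    elif info_type == "acl_rule":
        obj.update(src=raw["src"], dst=raw["dst"], service=raw["service"], action=raw["action"].lower())
    else:  # domain, time and acl_rule_group are treated as plain member lists here
        obj["members"] = sorted(raw.get("members", []))
    return obj


def feature_code(obj: dict) -> str:
    """ACL standard configuration object feature code: SHA-256 over the canonical content.

    The name is deliberately excluded so that two firewalls' differently named but
    identical objects are recognised as synonymous.
    """
    content = {k: v for k, v in obj.items() if k != "name"}
    return hashlib.sha256(json.dumps(content, sort_keys=True).encode()).hexdigest()


def update_library(library: dict[str, dict], objects: list[dict]) -> list[str]:
    """Claim 2: compare newly collected objects with the stored ones; store only the new ones."""
    stored = []
    for obj in objects:
        code = feature_code(obj)
        if code not in library:
            library[code] = obj
            stored.append(code)
    return stored


def resolve_work_order(library: dict[str, dict], work_order_obj: dict) -> tuple[dict, bool]:
    """Claim 3: reuse the synonymous library object if its feature code exists, else the work order's."""
    code = feature_code(work_order_obj)
    if code in library:
        return library[code], True
    return work_order_obj, False


# Constructed sample: the same web-server group collected from two firewalls under
# different names and notations, then a work order referring to the same hosts.
COLLECTED = [
    standardize("address", {"name": "SRV_WEB", "addresses": ["10.1.1.10/32", "10.1.1.11/32"]}),
    standardize("address", {"name": "web_servers", "addresses": ["10.1.1.11", "10.1.1.10"]}),
    standardize("service", {"name": "HTTPS", "ports": [("TCP", 443)]}),
]

if __name__ == "__main__":
    library: dict[str, dict] = {}
    print("stored:", len(update_library(library, COLLECTED)), "of", len(COLLECTED))
    wo = standardize("address", {"name": "wo-123", "addresses": ["10.1.1.10", "10.1.1.11"]})
    print(resolve_work_order(library, wo))
```

Because the feature code covers only canonical content, a periodic re-collection that finds unchanged objects stores nothing, and a work order that names hosts already grouped on the firewall reuses the existing group instead of creating a duplicate object; a work order for hosts not yet in the library falls through to its own object.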
CN201910058925.4A 2019-01-22 2019-01-22 Firewall ACL management method and device Pending CN109547502A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910058925.4A CN109547502A (en) 2019-01-22 2019-01-22 Firewall ACL management method and device


Publications (1)

Publication Number Publication Date
CN109547502A true CN109547502A (en) 2019-03-29

Family

ID=65838139

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910058925.4A Pending CN109547502A (en) 2019-01-22 2019-01-22 Firewall ACL management method and device

Country Status (1)

Country Link
CN (1) CN109547502A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110213256A (en) * 2019-05-28 2019-09-06 哈尔滨工程大学 A kind of firewall control method based on producer consumer mode
CN114338225A (en) * 2021-03-29 2022-04-12 井芯微电子技术(天津)有限公司 Strategy distributor, mimic switch and network system
US20220210128A1 (en) * 2020-12-31 2022-06-30 Cerner Innovation, Inc. Generating network infastructure firewalls
US11483246B2 (en) 2020-01-13 2022-10-25 Vmware, Inc. Tenant-specific quality of service
US11539633B2 (en) * 2020-08-31 2022-12-27 Vmware, Inc. Determining whether to rate limit traffic
US11599395B2 (en) 2020-02-19 2023-03-07 Vmware, Inc. Dynamic core allocation
US11799784B2 (en) 2021-06-08 2023-10-24 Vmware, Inc. Virtualized QoS support in software defined networks
CN114338225B (en) * 2021-03-29 2024-04-12 井芯微电子技术(天津)有限公司 Policy distributor, mimicry switch and network system

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1863142A (en) * 2005-08-19 2006-11-15 华为技术有限公司 Method for providing different service quality tactics to data stream
CN101345694A (en) * 2007-07-11 2009-01-14 上海未来宽带技术及应用工程研究中心有限公司 Method for fast searching, positioning and matching access control list
CN102612694A (en) * 2009-11-25 2012-07-25 国际商业机器公司 Extensible access control list framework
CN103457824A (en) * 2012-05-31 2013-12-18 中兴通讯股份有限公司 Message processing method and device
CN104253754A (en) * 2014-09-11 2014-12-31 杭州华三通信技术有限公司 ACL (access control list) fast matching method and equipment
US8984011B1 (en) * 2009-02-09 2015-03-17 American Megatrends, Inc. Page object caching for variably sized access control lists in data storage systems
CN105812326A (en) * 2014-12-29 2016-07-27 北京网御星云信息技术有限公司 Heterogeneous firewall strategy centralized control method and heterogeneous firewall strategy centralized control system
CN106027459A (en) * 2015-12-28 2016-10-12 深圳市恒扬数据股份有限公司 ACL (access control list) query method and device
CN106131086A (en) * 2016-08-31 2016-11-16 迈普通信技术股份有限公司 A kind of matching process accessing control list and device
CN107948205A (en) * 2017-12-31 2018-04-20 中国移动通信集团江苏有限公司 Firewall strategy-generating method, device, equipment and medium
CN108429774A (en) * 2018-06-21 2018-08-21 蔡梦臣 A kind of firewall policy centralized optimization management method and its system


Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110213256A (en) * 2019-05-28 2019-09-06 哈尔滨工程大学 A kind of firewall control method based on producer consumer mode
CN110213256B (en) * 2019-05-28 2021-09-28 哈尔滨工程大学 Firewall control method based on producer consumer mode
US11483246B2 (en) 2020-01-13 2022-10-25 Vmware, Inc. Tenant-specific quality of service
US11599395B2 (en) 2020-02-19 2023-03-07 Vmware, Inc. Dynamic core allocation
US11539633B2 (en) * 2020-08-31 2022-12-27 Vmware, Inc. Determining whether to rate limit traffic
US20220210128A1 (en) * 2020-12-31 2022-06-30 Cerner Innovation, Inc. Generating network infastructure firewalls
US11811736B2 (en) * 2020-12-31 2023-11-07 Cerner Innovation, Inc. Generating network infastructure firewalls
CN114338225A (en) * 2021-03-29 2022-04-12 井芯微电子技术(天津)有限公司 Strategy distributor, mimic switch and network system
CN114338225B (en) * 2021-03-29 2024-04-12 井芯微电子技术(天津)有限公司 Policy distributor, mimicry switch and network system
US11799784B2 (en) 2021-06-08 2023-10-24 Vmware, Inc. Virtualized QoS support in software defined networks

Similar Documents

Publication Publication Date Title
CN109547502A (en) Firewall ACL management method and device
AU757668B2 (en) Method and system for enforcing a communication security policy
US6816897B2 (en) Console mapping tool for automated deployment and management of network devices
US7539769B2 (en) Automated deployment and management of network devices
US8438625B2 (en) Management apparatus, control method, and storage medium
US7844563B2 (en) System and method for applying rule sets and rule interactions
US20020147974A1 (en) Networked installation system for deploying systems management platforms
CN113014427B (en) Network management method and device and storage medium
US20020194497A1 (en) Firewall configuration tool for automated deployment and management of network devices
AU2013204798A1 (en) Cloud based virtual environment validation
CN110324338B (en) Data interaction method, device, bastion host and computer readable storage medium
CN108881308A (en) User terminal and authentication method, system and medium therefor
US8359377B2 (en) Interface for automated deployment and management of network devices
US20020161888A1 (en) Template-based system for automated deployment and management of network devices
CN106844489A (en) File operation method, device and system
US20080028034A1 (en) Method for mapping an iscsi target name to a storage resource based on an initiator hardware class identifier
US20060117100A1 (en) Communication device and communication system capable of facilitating operations
CN113341798A (en) Method, system, device, equipment and storage medium for remotely accessing application
CN107294924A (en) Vulnerability detection method, device and system
CN114257413A (en) Application container engine-based anti-braking blocking method and device and computer equipment
KR100714681B1 (en) Network managing device and method thereof
CN113194099B (en) Data proxy method and proxy server
CN110290153A (en) Automatic delivery method and device for firewall port management policies
KR102292579B1 (en) Method of checking vulnerability based on hybrid using verification code and script and apparatus using the same
CN103138961B (en) Server control method, controlled server and central control server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190329