CN115766278B - Firewall policy generation method, device, equipment and storage medium - Google Patents


Info

Publication number
CN115766278B
Authority
CN (China)
Prior art keywords
firewall policy; policy; logic; creation request; firewall
Legal status
Active
Application number
CN202211553203.4A
Other languages
Chinese (zh)
Other versions
CN115766278A (en)
Inventor
金景秀
陈锌奇
邓育平
Current Assignee
Shenzhen Yijia Technology Co ltd
Original Assignee
Shenzhen Yijia Technology Co ltd
Events
Application filed by Shenzhen Yijia Technology Co ltd
Priority to CN202211553203.4A
Publication of CN115766278A
Application granted
Publication of CN115766278B
Legal status: Active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention relates to the technical field of computers and discloses a firewall policy generation method, device, equipment and storage medium for improving the accuracy of firewall policy generation. The method comprises the following steps: monitoring a directory change event of a preset first policy directory according to a firewall policy creation request; determining configuration data and a first firewall policy according to the directory change event, and judging whether a character string identifier exists according to the configuration data and the first firewall policy to obtain a judgment result; generating a logic operation according to the judgment result, and determining a corresponding first logic call relation according to the logic operation; writing the logic operation and the first logic call relation into the request header of the firewall policy creation request to obtain a target policy creation request, and sending the target policy creation request to a second policy directory for directory analysis to generate a second logic call relation; and creating a second firewall policy according to the second policy directory and the second logic call relation.

Description

Firewall policy generation method, device, equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a storage medium for generating a firewall policy.
Background
With the rapid development of computer technology, the field of computer operation and maintenance has also gradually matured. At present, intelligent and automated solutions are provided for different policy operation and maintenance scenarios, assisting operation and maintenance personnel in policy opening and batch policy issuing, so that operation and maintenance efficiency can be improved.
In existing schemes, writing the generation steps depends on manual operation and maintenance experience and on human participation and judgment, so the accuracy of existing schemes is low.
Disclosure of Invention
The invention provides a firewall policy generation method, device, equipment and storage medium, which are used for improving the accuracy of firewall policy generation.
The first aspect of the present invention provides a firewall policy generating method, where the firewall policy generating method includes: receiving a firewall policy creation request, and monitoring a directory change event of a preset first policy directory according to the firewall policy creation request; determining configuration data and a first firewall policy corresponding to the firewall policy creation request according to the directory change event, and judging whether a character string identifier exists according to the configuration data and the first firewall policy to obtain a judgment result; generating a logic operation corresponding to the first firewall policy according to the judgment result, and determining a corresponding first logic call relation according to the logic operation; writing the logic operation and the first logic call relation into the request header of the firewall policy creation request to obtain a target policy creation request, and sending the target policy creation request to a preset second policy directory for directory analysis to generate a second logic call relation; and creating a second firewall policy corresponding to the target policy creation request according to the second policy directory and the second logic call relation.
Optionally, in a first implementation manner of the first aspect of the present invention, the receiving a firewall policy creation request and monitoring a directory change event of a preset first policy directory according to the firewall policy creation request includes: receiving a firewall policy creation request, and acquiring a request type corresponding to the firewall policy creation request; identifying the firewall policy creation request according to the request type to obtain a request identifier corresponding to the firewall policy creation request; and performing change monitoring on a preset first policy directory according to the request identifier to obtain a directory change event.
Optionally, in a second implementation manner of the first aspect of the present invention, the determining, according to the directory change event, configuration data and a first firewall policy corresponding to the firewall policy creation request, and judging whether a character string identifier exists according to the configuration data and the first firewall policy to obtain a judgment result includes: acquiring a change field corresponding to the directory change event, and querying a first firewall policy corresponding to the firewall policy creation request according to the change field; extracting configuration data corresponding to the firewall policy creation request based on the request identifier; performing configuration operation analysis on the configuration data according to the first firewall policy to obtain a configuration analysis result; and judging whether the character string identifier exists according to the configuration analysis result to obtain a judgment result, where the judgment result is one of presence and absence.
Optionally, in a third implementation manner of the first aspect of the present invention, the generating, according to the judgment result, a logic operation corresponding to the first firewall policy, and determining, according to the logic operation, a corresponding first logic call relation includes: if the judgment result is that the character string identifier exists, calling preset address data in the first firewall policy according to the character string identifier, and acquiring through the address data the logic operation corresponding to the first firewall policy and the first logic call relation corresponding to the logic operation; if the judgment result is that the character string identifier does not exist, creating the logic operation corresponding to the first firewall policy according to the first firewall policy, building a parent-child relationship of the logic operation, and generating the first logic call relation corresponding to the logic operation according to the parent-child relationship.
Optionally, in a fourth implementation manner of the first aspect of the present invention, the writing the logic operation and the first logic call relation into the request header of the firewall policy creation request to obtain a target policy creation request, and sending the target policy creation request to a preset second policy directory for directory analysis to generate a second logic call relation includes: invoking a preset access filter according to the first firewall policy, and acquiring the request header corresponding to the firewall policy creation request through the access filter; performing interface interaction mode analysis on the second policy directory to obtain a corresponding interface interaction type; transmitting the logic operation and the first logic call relation corresponding to the logic operation into the request header based on the interface interaction type to obtain the target policy creation request; and sending the target policy creation request to the second policy directory for analysis to obtain the second logic call relation.
Optionally, in a fifth implementation manner of the first aspect of the present invention, the creating, according to the second policy directory and the second logic call relation, a second firewall policy corresponding to the target policy creation request includes: generating first creation data through the first firewall policy according to the logic operation and the first logic call relation corresponding to the logic operation; generating second creation data through the second policy directory according to the logic operation and the first logic call relation corresponding to the logic operation; and creating the second firewall policy corresponding to the target policy creation request according to the first creation data, the second creation data and the second logic call relation.
Optionally, in a sixth implementation manner of the first aspect of the present invention, the firewall policy generating method further includes: performing policy defect analysis on the first firewall policy to generate a policy defect analysis result; determining whether the firewall policy creation request is abnormal according to the policy defect analysis result; if the firewall policy creation request is abnormal, acquiring abnormality information corresponding to the firewall policy creation request, and querying a third policy directory corresponding to the abnormality information; and performing policy derivation on the abnormality information and the third policy directory to generate a third firewall policy.
A second aspect of the present invention provides a firewall policy generating apparatus, including: a receiving module, configured to receive a firewall policy creation request and monitor a directory change event of a preset first policy directory according to the firewall policy creation request; a judging module, configured to determine configuration data and a first firewall policy corresponding to the firewall policy creation request according to the directory change event, and judge whether a character string identifier exists according to the configuration data and the first firewall policy to obtain a judgment result; a generating module, configured to generate a logic operation corresponding to the first firewall policy according to the judgment result, and determine a corresponding first logic call relation according to the logic operation; a parsing module, configured to write the logic operation and the first logic call relation into the request header of the firewall policy creation request to obtain a target policy creation request, and send the target policy creation request to a preset second policy directory for directory analysis to generate a second logic call relation; and a creating module, configured to create a second firewall policy corresponding to the target policy creation request according to the second policy directory and the second logic call relation.
Optionally, in a first implementation manner of the second aspect of the present invention, the receiving module is specifically configured to: receive a firewall policy creation request, and acquire a request type corresponding to the firewall policy creation request; identify the firewall policy creation request according to the request type to obtain a request identifier corresponding to the firewall policy creation request; and perform change monitoring on a preset first policy directory according to the request identifier to obtain a directory change event.
Optionally, in a second implementation manner of the second aspect of the present invention, the judging module is specifically configured to: acquire a change field corresponding to the directory change event, and query a first firewall policy corresponding to the firewall policy creation request according to the change field; extract configuration data corresponding to the firewall policy creation request based on the request identifier; perform configuration operation analysis on the configuration data according to the first firewall policy to obtain a configuration analysis result; and judge whether the character string identifier exists according to the configuration analysis result to obtain a judgment result, where the judgment result is one of presence and absence.
Optionally, in a third implementation manner of the second aspect of the present invention, the generating module is specifically configured to: if the judgment result is that the character string identifier exists, call preset address data in the first firewall policy according to the character string identifier, and acquire through the address data the logic operation corresponding to the first firewall policy and the first logic call relation corresponding to the logic operation; if the judgment result is that the character string identifier does not exist, create the logic operation corresponding to the first firewall policy according to the first firewall policy, build a parent-child relationship of the logic operation, and generate the first logic call relation corresponding to the logic operation according to the parent-child relationship.
Optionally, in a fourth implementation manner of the second aspect of the present invention, the parsing module is specifically configured to: invoke a preset access filter according to the first firewall policy, and acquire the request header corresponding to the firewall policy creation request through the access filter; perform interface interaction mode analysis on the second policy directory to obtain a corresponding interface interaction type; transmit the logic operation and the first logic call relation corresponding to the logic operation into the request header based on the interface interaction type to obtain the target policy creation request; and send the target policy creation request to the second policy directory for analysis to obtain the second logic call relation.
Optionally, in a fifth implementation manner of the second aspect of the present invention, the creating module is specifically configured to: generate first creation data through the first firewall policy according to the logic operation and the first logic call relation corresponding to the logic operation; generate second creation data through the second policy directory according to the logic operation and the first logic call relation corresponding to the logic operation; and create the second firewall policy corresponding to the target policy creation request according to the first creation data, the second creation data and the second logic call relation.
Optionally, in a sixth implementation manner of the second aspect of the present invention, the firewall policy generating apparatus further includes an analysis module, configured to: perform policy defect analysis on the first firewall policy to generate a policy defect analysis result; determine whether the firewall policy creation request is abnormal according to the policy defect analysis result; if the firewall policy creation request is abnormal, acquire abnormality information corresponding to the firewall policy creation request, and query a third policy directory corresponding to the abnormality information; and perform policy derivation on the abnormality information and the third policy directory to generate a third firewall policy.
A third aspect of the present invention provides a firewall policy generating apparatus, including: a memory and at least one processor, the memory having instructions stored therein; the at least one processor invokes the instructions in the memory to cause the firewall policy generation device to perform the firewall policy generation method described above.
A fourth aspect of the present invention provides a computer readable storage medium having instructions stored therein which, when run on a computer, cause the computer to perform the firewall policy generation method described above.
According to the technical scheme provided by the invention, a directory change event of a preset first policy directory is monitored according to a firewall policy creation request; configuration data and a first firewall policy are determined according to the directory change event, and whether a character string identifier exists is judged according to the configuration data and the first firewall policy to obtain a judgment result; a logic operation is generated according to the judgment result, and a corresponding first logic call relation is determined according to the logic operation; the logic operation and the first logic call relation are written into the request header of the firewall policy creation request to obtain a target policy creation request, which is sent to a second policy directory for directory analysis to generate a second logic call relation; and the second firewall policy is created according to the second policy directory and the second logic call relation. The policy creation request is thus analyzed against the policy directory, and the second firewall policy corresponding to the first firewall policy is then generated according to the logic call relation, so that automatic maintenance processing of firewall policies is realized and the accuracy of firewall policy generation is improved.
Drawings
FIG. 1 is a schematic diagram of an embodiment of a method for generating firewall policies according to an embodiment of the invention;
FIG. 2 is a schematic diagram of another embodiment of a method for generating firewall policies according to an embodiment of the invention;
FIG. 3 is a schematic diagram of an embodiment of a firewall policy generating apparatus according to an embodiment of the invention;
FIG. 4 is a schematic diagram of another embodiment of a firewall policy generating apparatus according to an embodiment of the invention;
FIG. 5 is a schematic diagram of an embodiment of a firewall policy generating apparatus according to an embodiment of the invention.
Detailed Description
The embodiment of the invention provides a firewall policy generation method, device, equipment and storage medium, which are used for improving the accuracy of firewall policy generation. The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.
For easy understanding, the following describes a specific flow of an embodiment of the present invention, referring to fig. 1, and one embodiment of a firewall policy generating method in the embodiment of the present invention includes:
101. receiving a firewall policy creation request, and monitoring a directory change event of a preset first policy directory according to the firewall policy creation request;
It may be understood that the execution subject of the present invention may be a firewall policy generating device, or may also be a terminal or a server, which is not limited herein. The embodiment of the invention is described by taking a server as the execution subject as an example.
Specifically, when the server receives the firewall policy creation request, it queries whether the built-in mapping table of directory change events to preset directory change events contains the directory change event of the firewall policy creation request. If it does, that directory change event is acquired; if it does not, a directory change event corresponding to the firewall policy creation request is generated. That is, when the server detects the firewall policy creation request sent by the client, it first traverses the directory change event mapping table and determines whether the table contains the directory change event of the request. If so, this indicates that the client's firewall policy creation request is not being received for the first time; if not, the server generates and records the directory change event corresponding to the firewall policy creation request.
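The step above describes two pieces of state: a directory change event derived from the preset policy directory, and a mapping table that tells the server whether a given creation request has been seen before. The following is an added example (not the patent's code) of one way to realise both: the policy directory is snapshotted as a map from file path to content hash, the difference between two snapshots is the change event, and a request-id keyed table caches events so a repeated request reuses its event instead of rescanning. The directory layout, rule file contents and request identifiers are all constructed for the example.

```python
import hashlib
import os
import tempfile

# Added example, not the patent's code. The policy directory layout, the
# request identifiers and the rule file contents below are all constructed.


def snapshot_policy_dir(path):
    """Map each file under the policy directory to the SHA-256 of its contents."""
    state = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                state[os.path.relpath(full, path)] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_snapshots(before, after):
    """The directory change event: which policy files were added, removed or modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


class ChangeEventMonitor:
    """Watches one policy directory and keeps the request-id -> change-event mapping table."""

    def __init__(self, policy_dir):
        self.policy_dir = policy_dir
        self.last = snapshot_policy_dir(policy_dir)
        self.event_table = {}

    def event_for_request(self, request_id):
        """Return (event, first_seen).

        A mapping-table hit means this request was seen before, so its stored
        event is reused; otherwise the directory is rescanned, a fresh event is
        derived from the difference to the last snapshot, and it is recorded.
        """
        if request_id in self.event_table:
            return self.event_table[request_id], False
        current = snapshot_policy_dir(self.policy_dir)
        event = diff_snapshots(self.last, current)
        self.last = current
        self.event_table[request_id] = event
        return event, True


def run_demo():
    """Constructed scenario: one rule file is modified and one added between two requests."""
    with tempfile.TemporaryDirectory() as policy_dir:
        with open(os.path.join(policy_dir, "web.rules"), "w") as fh:
            fh.write("allow tcp any -> 10.0.0.5 443\n")
        monitor = ChangeEventMonitor(policy_dir)
        with open(os.path.join(policy_dir, "web.rules"), "a") as fh:
            fh.write("allow tcp any -> 10.0.0.5 80\n")
        with open(os.path.join(policy_dir, "db.rules"), "w") as fh:
            fh.write("deny tcp any -> 10.0.0.9 3306\n")
        first, seen_first = monitor.event_for_request("req-1")
        again, seen_again = monitor.event_for_request("req-1")
        return {"first": first, "seen_first": seen_first, "again": again, "seen_again": seen_again}


if __name__ == "__main__":
    print(run_demo())
```

Hashing file contents rather than comparing modification times means a rule file rewritten with identical contents produces no event, while an edit that preserves the timestamp still does; for a policy directory that is itself a security boundary, that is the property a change monitor should have.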
102. Determining configuration data and a first firewall policy corresponding to a firewall policy creation request according to the directory change event, and judging whether character string identifiers exist according to the configuration data and the first firewall policy to obtain a judging result;
It should be noted that, after the server determines the above directory change event, it determines whether an HTML in-line tag is present. An in-line tag is used to combine in-line elements in a document and has no fixed formatting of its own: applying a style to it produces a visual change. When no HTML in-line tag is present, a corresponding character string identifier is created. Specifically, the server determines, according to the directory change event, the log information and the firewall policy corresponding to the firewall policy creation request, and determines whether a character string identifier exists according to the log information and the firewall policy, so as to obtain the judgment result.
103. Generating a logic operation corresponding to the first firewall policy according to the judgment result, and determining a corresponding first logic call relation according to the logic operation;
When a logic call relation is generated, call chain matching needs to be performed according to the character string identifier. A call chain is the execution process of a transaction or request in a distributed system; in the tracing standard of a distributed tracing system, the call chain is a logic call relation formed by several in-line labels corresponding to the character string labels, where each in-line label represents a named and timed contiguous execution segment in the call chain. For example, when a client initiates a request, the request first reaches a load balancer, then passes through the authentication service and the billing service, and then requests the resource. Finally, the corresponding first logic call relation is determined according to the logic operation: specifically, the server generates the logic operation corresponding to the first firewall policy according to the judgment result, and then generates the corresponding logic call relation according to the logic operation.
104. Writing the logic operation and the first logic calling relation into a request head of a firewall policy creation request to obtain a target policy creation request, and sending the target policy creation request to a preset second policy directory to perform directory analysis to generate a second logic calling relation;
It should be noted that, to write the logic operation and the first logic call relation into the request header of the firewall policy creation request, after obtaining the request header the server first determines whether the request is a web page request. If it is, the server generates a unique call chain ID from the request header; specifically, it generates the unique call chain ID from the request header, obtains the corresponding parent service name, and determines whether the request header parameter is empty. If the parameter is empty, a unique call chain ID is generated from the request header and the parent service name takes a default value; if it is not empty, the logic operation and its corresponding logic call relation are written into the request header of the firewall policy creation request. The request is then sent to the preset second policy directory for analysis to obtain a target logic call relation; that is, the target policy creation request is sent to the preset second policy directory for directory analysis, so as to generate the second logic call relation.
105. And creating a second firewall policy corresponding to the target policy creation request according to the second policy directory and the second logic call relationship.
It should be noted that the server obtains the firewall policy and the second logic call relation according to the target logic call relation and stores the relation in the context of the current thread, so as to determine information such as the target function and the timing to be tracked. At the same time, it initializes the function information containing the tracking logic, that is, it confirms the objects that can be tracked, and by loading the target policy creation request in the context of the current thread it records the relevant parameters of the target function in the function information containing the tracking logic. The target policy creation request is thereby generated, which avoids developers repeatedly writing large amounts of code, improves development efficiency and reduces unnecessary redundant data, and the second firewall policy corresponding to the request is created.
In the embodiment of the invention, a directory change event of a preset first policy directory is monitored according to a firewall policy creation request; configuration data and a first firewall policy are determined according to the directory change event, and whether a character string identifier exists is judged according to the configuration data and the first firewall policy to obtain a judgment result; a logic operation is generated according to the judgment result, and a corresponding first logic call relation is determined according to the logic operation; the logic operation and the first logic call relation are written into the request header of the firewall policy creation request to obtain a target policy creation request, which is sent to a second policy directory for directory analysis to generate a second logic call relation; and the second firewall policy is created according to the second policy directory and the second logic call relation. The policy creation request is thus analyzed against the policy directory, and the second firewall policy corresponding to the first firewall policy is then generated according to the logic call relation, so that automatic maintenance processing of firewall policies is realized and the accuracy of firewall policy generation is improved.
Referring to fig. 2, another embodiment of a firewall policy generating method in an embodiment of the invention includes:
201. receiving a firewall policy creation request, and monitoring a directory change event of a preset first policy directory according to the firewall policy creation request;
Specifically, a firewall policy creation request is received, and the request type corresponding to the firewall policy creation request is obtained; the firewall policy creation request is identified according to the request type to obtain a request identifier corresponding to the firewall policy creation request; and change monitoring is performed on the preset first policy directory according to the request identifier to obtain a directory change event.
The server receives the firewall policy creation request, determines the corresponding request type, determines the corresponding request interface according to the request type, and monitors that interface for firewall policy creation requests sent by the client. It should be noted that, after receiving the firewall policy creation request, the server judges whether it is a web page request; if so, it generates a unique call chain ID from the request header and identifies the firewall policy creation request according to the request type, so as to obtain the directory change event corresponding to the request. Specifically, the server judges whether the request header parameter is empty. If it is empty, the request is treated as a first access: a unique call chain ID is generated from the request header and the parent service name takes a default value. If it is not empty, the request is treated as a service call, and the firewall policy creation request is identified according to the request type to obtain the directory change event corresponding to the firewall policy creation request.
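Step 104 above and this step both describe the same header handling: an empty call chain parameter marks a first access, for which a unique call chain ID is generated and the parent service name takes a default value, while a non-empty parameter marks a service call whose ID is carried forward; the logic operation and its call relation are then written into the request header and parsed again on the second policy directory side. The following is an added example (not the patent's code) covering both passages. The header names, the default parent service name and the hex format of the call chain ID are assumptions made for the example; one check goes beyond the text, in that a malformed incoming ID is treated like an empty one, so only a well-formed ID ever reaches the call chain or the logs.

```python
import json
import re
import secrets

# Added example, not the patent's code. Header names, the default parent
# service name and the ID format below are assumptions chosen for illustration.
CHAIN_ID_HEADER = "X-Call-Chain-Id"
PARENT_HEADER = "X-Parent-Service"
LOGIC_HEADER = "X-Policy-Logic"
DEFAULT_PARENT_SERVICE = "client"
CHAIN_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def new_call_chain_id():
    """Unique call chain ID: 128 random bits, hex encoded."""
    return secrets.token_hex(16)


def classify_request(headers):
    """Decide whether a creation request is a first access or a service call.

    Returns (kind, chain_id, parent_service). An empty chain ID header means a
    first access: a fresh ID is generated and the parent service name takes its
    default value. A malformed ID is treated the same way (added check), so an
    arbitrary client-supplied string never becomes part of the call chain.
    A well-formed ID means a service call and is carried forward unchanged.
    """
    incoming = (headers.get(CHAIN_ID_HEADER) or "").strip()
    if not CHAIN_ID_RE.match(incoming):
        return "first_access", new_call_chain_id(), DEFAULT_PARENT_SERVICE
    parent = (headers.get(PARENT_HEADER) or "").strip() or DEFAULT_PARENT_SERVICE
    return "service_call", incoming, parent


def write_logic_into_header(headers, logic_operation, call_relation):
    """Build the target policy creation request.

    Copies the headers, fills in the chain ID and parent service name, and
    serialises the logic operation together with its ordered call relation
    into a single header value. Returns (kind, target_headers).
    """
    kind, chain_id, parent = classify_request(headers)
    target = dict(headers)
    target[CHAIN_ID_HEADER] = chain_id
    target[PARENT_HEADER] = parent
    target[LOGIC_HEADER] = json.dumps({"operation": logic_operation, "calls": list(call_relation)})
    return kind, target


def read_logic_from_header(target_headers):
    """Second policy directory side: parse the header back into the call chain.

    Returns (logic_operation, calls) where calls is the parent-to-child list of
    service names; anything that is not a list of strings is rejected.
    """
    payload = json.loads(target_headers[LOGIC_HEADER])
    calls = payload.get("calls")
    if not isinstance(calls, list) or not all(isinstance(c, str) for c in calls):
        raise ValueError("malformed call relation in " + LOGIC_HEADER)
    return payload["operation"], calls


if __name__ == "__main__":
    # Constructed service-call request carrying a valid chain ID.
    incoming = {CHAIN_ID_HEADER: "ab" * 16, PARENT_HEADER: "gateway"}
    kind, target = write_logic_into_header(
        incoming, "allow", ["load_balancer", "auth_service", "billing_service", "resource"]
    )
    print(kind, read_logic_from_header(target))
```

The call relation in the usage line mirrors the example chain given in step 103 (load balancer, authentication service, billing service, resource). Generating the ID with `secrets` rather than a counter or timestamp keeps chain IDs unguessable, which matters once they are used to look up traffic logs across services as step 202 describes.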
202. Determining configuration data and a first firewall policy corresponding to a firewall policy creation request according to the directory change event, and judging whether character string identifiers exist according to the configuration data and the first firewall policy to obtain a judging result;
Specifically, a change field corresponding to the directory change event is obtained, and the first firewall policy corresponding to the firewall policy creation request is queried according to the change field; configuration data corresponding to the firewall policy creation request is extracted based on the request identifier; configuration operation analysis is performed on the configuration data according to the first firewall policy to obtain a configuration analysis result; and whether the character string identifier exists is judged according to the configuration analysis result to obtain a judgment result, where the judgment result is one of presence and absence.
It should be noted that analyzing the change field corresponding to the directory change event yields the complete service call link of the service request, so the server can determine whether the character string identifier exists according to the configuration analysis result; specifically, the values of the call chain ID and the parent service name are obtained through a preset log diagnostic tool. In a specific embodiment, querying all traffic logs on the link according to the tracking ID in the service request specifically includes: collecting the traffic logs with a preset log collection tool based on the tracking ID in the service request. In a specific embodiment, the server extracts the configuration data corresponding to the firewall policy creation request based on the request identifier, performs configuration operation analysis on the configuration data according to the firewall policy to obtain a configuration analysis result, and judges whether the character string identifier exists according to the configuration analysis result to obtain the judgment result.
203. Generating a logic operation corresponding to the first firewall policy according to the judgment result, and determining a corresponding first logic call relation according to the logic operation;
Specifically, if the judgment result is that the character string identifier is present, the preset address data in the first firewall policy is called according to the character string identifier, and the logic operation corresponding to the first firewall policy and the first logic call relation corresponding to that logic operation are acquired through the address data. If the judgment result is that the identifier is absent, the logic operation corresponding to the first firewall policy is created according to the first firewall policy, a parent-child relationship of the logic operation is established, and the first logic call relation corresponding to the logic operation is generated according to that parent-child relationship.
It should be noted that, in the process of generating the logic operation corresponding to the first firewall policy according to the judgment result, the server intercepts and acquires the preset address data in the first firewall policy, generates a unique call chain ID according to that address data, acquires the corresponding parent service name, and stores the call chain ID and the parent service name. When the server processes a request, it selects the configuration mode that corresponds to the way other services are called and at the same time adds the call chain ID and the parent service name to the preset address data. It then generates the logic operation corresponding to the firewall policy and the logic call relation corresponding to the logic operation according to the judgment result: the preset component in the firewall policy is invoked according to the character string identifier, and the logic operation corresponding to the firewall policy and its logic call relation are acquired through that component. If the judgment result is that the identifier is absent, the logic operation corresponding to the firewall policy is created according to the firewall policy, a parent-child relationship of the logic operation is established, and the first logic call relation corresponding to the logic operation is generated according to the parent-child relationship.
204. Writing the logic operation and the first logic call relation into the request header of the firewall policy creation request to obtain a target policy creation request, and sending the target policy creation request to a preset second policy directory for directory analysis to generate a second logic call relation;
Specifically, a preset access filter is called according to the first firewall policy, and the request header corresponding to the firewall policy creation request is obtained through the access filter; interface interaction mode analysis is performed on the second policy directory to obtain the corresponding interface interaction type; the logic operation and the first logic call relation corresponding to the logic operation are transmitted into the request header based on that interface interaction type to obtain the target policy creation request; and the target policy creation request is sent to the second policy directory for analysis to obtain the second logic call relation.
It should be noted that the preset access filter is invoked according to the first firewall policy, and the interface interaction mode refers to the data interaction mode between the current server and the next server. For example, the interface interaction mode may be a hypertext transfer protocol (HTTP) mode or a remote procedure call (RPC) mode; different interface interaction modes follow different transfer protocols, which is why the logic operation is written into the request in the form the selected interaction type can carry. After the server obtains the corresponding interface interaction type, it calls the preset access filter according to the first firewall policy, obtains the request header corresponding to the firewall policy creation request through the access filter, transmits the logic operation and the first logic call relation corresponding to the logic operation into the request header based on the interface interaction type to obtain the target policy creation request, and sends the target policy creation request to the second policy directory for analysis to obtain the second logic call relation.
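The call chain handling described in steps 201, 203 and 204 above, as an added example in Python; it is not code from the patent or its applicant. The header names (X-Call-Chain-Id, X-Parent-Service, X-Policy-Logic), the 32-hex-digit chain ID format, the default parent service name "client", the dict-shaped request objects and the gRPC-style metadata list are all assumptions of this example, which the patent does not name. It also adds a check the patent does not mention but a practitioner would want: the incoming chain ID and parent service name are client-controlled input, so they are validated before being reused rather than propagated verbatim into every downstream log line.

```python
"""Call chain context for a firewall policy creation request (steps 201-204).

Added example, not code from the patent. Header names, ID format, default
parent name and request shapes are assumptions of this example.
"""
from __future__ import annotations

import json
import re
import uuid
from dataclasses import dataclass

CHAIN_ID_HEADER = "X-Call-Chain-Id"          # assumed header name
PARENT_SERVICE_HEADER = "X-Parent-Service"   # assumed header name
LOGIC_HEADER = "X-Policy-Logic"              # assumed header name
DEFAULT_PARENT_SERVICE = "client"            # assumed default on first access

_CHAIN_ID_RE = re.compile(r"[0-9a-f]{32}")
_SERVICE_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


@dataclass(frozen=True)
class ChainContext:
    chain_id: str
    parent_service: str
    first_access: bool


def resolve_chain_context(headers: dict) -> ChainContext:
    """Step 201: an absent or empty chain-ID header marks a first access, so a
    new chain ID is minted and the parent service takes the default; a present
    header marks a service call and the caller's ID is reused.

    Caveat: both headers are attacker-controlled. A value that fails the format
    check is treated as a first access instead of being propagated, so a client
    cannot push newlines or oversized strings into every log line keyed by it.
    """
    chain_id = (headers.get(CHAIN_ID_HEADER) or "").strip().lower()
    parent = (headers.get(PARENT_SERVICE_HEADER) or "").strip()
    if not _CHAIN_ID_RE.fullmatch(chain_id):
        return ChainContext(uuid.uuid4().hex, DEFAULT_PARENT_SERVICE, True)
    if not _SERVICE_RE.fullmatch(parent):
        parent = DEFAULT_PARENT_SERVICE
    return ChainContext(chain_id, parent, False)


def build_call_relation(operations: list[tuple[str, str | None]]) -> dict[str, list[str]]:
    """Step 203: turn (operation, parent) pairs into the first logic call
    relation, a parent -> children map; the root operation has parent None."""
    relation: dict[str, list[str]] = {name: [] for name, _ in operations}
    for name, parent in operations:
        if parent is not None:
            if parent not in relation:
                raise ValueError(f"operation {name!r} names unknown parent {parent!r}")
            relation[parent].append(name)
    return relation


def write_logic_to_request(ctx: ChainContext, logic_op: str, relation: dict,
                           interaction_type: str, current_service: str,
                           request: dict) -> dict:
    """Step 204: carry the logic operation and its call relation to the next
    server. The current server becomes the parent service of the outgoing
    call. HTTP mode writes request headers; RPC mode writes metadata pairs
    (assumed gRPC-style list of lower-case (key, value) tuples)."""
    fields = {
        CHAIN_ID_HEADER: ctx.chain_id,
        PARENT_SERVICE_HEADER: current_service,
        LOGIC_HEADER: json.dumps({"op": logic_op, "relation": relation},
                                 separators=(",", ":")),
    }
    if interaction_type == "http":
        request.setdefault("headers", {}).update(fields)
    elif interaction_type == "rpc":
        request.setdefault("metadata", []).extend(
            (k.lower(), v) for k, v in fields.items())
    else:
        raise ValueError(f"unsupported interface interaction type {interaction_type!r}")
    return request


def read_logic_from_request(request: dict, interaction_type: str) -> tuple[str, dict]:
    """Receiving side (the second policy directory): recover the logic
    operation and relation written by write_logic_to_request."""
    if interaction_type == "http":
        raw = request["headers"][LOGIC_HEADER]
    elif interaction_type == "rpc":
        raw = dict(request["metadata"])[LOGIC_HEADER.lower()]
    else:
        raise ValueError(f"unsupported interface interaction type {interaction_type!r}")
    data = json.loads(raw)
    return data["op"], data["relation"]


if __name__ == "__main__":
    # Constructed inbound headers: a forged chain ID is rejected as first access.
    ctx = resolve_chain_context({"X-Call-Chain-Id": "abc\nforged"})
    rel = build_call_relation([("create_policy", None),
                               ("resolve_address", "create_policy"),
                               ("apply_rule", "create_policy")])
    out = write_logic_to_request(ctx, "create_policy", rel, "http", "policy-service", {})
    print(ctx, out["headers"], read_logic_from_request(out, "http"), sep="\n")
```

resolve_chain_context is the first-access versus service-call decision of step 201; build_call_relation is the parent-child relationship of step 203; write_logic_to_request and read_logic_from_request are the sending and receiving sides of step 204 for the HTTP and RPC interaction types.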
205. Generating first creation data through a first firewall policy according to the logic operation and a first logic call relation corresponding to the logic operation;
Specifically, the server acquires the remote procedure call request data packet, extracts the main chain information corresponding to the logic operation, and generates a call chain context cache corresponding to the request data packet and the logic operation. It supplements the main chain information according to the logic call relation corresponding to the logic operation, generates main chain tracking information from the supplemented main chain information, writes the main chain tracking information back into the request data packet and into the call chain context cache, and then generates the first creation data through the first firewall policy according to the logic operation and the first logic call relation corresponding to the logic operation.
206. Generating second creation data through the second policy directory according to the logic operation and the first logic call relation corresponding to the logic operation;
Specifically, the process by which the server generates the second creation data through the second policy directory according to the logic operation and its logic call relation is similar to the step of generating the first creation data through the first firewall policy. Optionally, in the embodiment of the present invention, while responding to the tracking information generation request, the current server may detect whether data held by other servers is needed. If so, the server where the needed data is located is taken as the next server, a data request carrying the request identifier is generated based on the needed data and the interface interaction mode, and the tracking information generation request is sent to the next server so that the next server can acquire the request identifier. The server then generates the second creation data through the second policy directory according to the logic operation and the logic call relation corresponding to the logic operation.
207. And creating a second firewall policy corresponding to the target policy creation request according to the first creation data, the second creation data and the second logic call relation.
Optionally, policy defect analysis is performed on the first firewall policy to generate a policy defect analysis result; whether the firewall policy creation request is abnormal is determined according to the policy defect analysis result; if the firewall policy creation request is abnormal, the abnormal information corresponding to the request is obtained and the third policy directory corresponding to that abnormal information is queried; and policy derivation is carried out on the abnormal information and the third policy directory to generate a third firewall policy.
In this step the server first performs policy defect analysis on the logic call relation and determines the resulting policy defect analysis result, then determines from that result whether the firewall policy creation request is abnormal, and further performs configuration information matching according to the tracking target data, the first tracking information and the second creation data. After the server obtains the tracking configuration information, it organizes the tracking logic for the function information according to that configuration, marks the function information in the code and stores it in the context of the current thread, so as to determine the target function to be tracked and the moment at which to track it; at the same time it initializes the function information that contains the tracking logic, that is, it confirms the objects that can be tracked. If the firewall policy creation request is abnormal, the server obtains the abnormal information corresponding to the request, queries the third policy directory corresponding to the abnormal information, performs policy derivation on the abnormal information and the third policy directory, and generates the third firewall policy.
In the embodiment of the invention, a directory change event of a preset first policy directory is monitored according to a firewall policy creation request; configuration data and a first firewall policy are determined according to the directory change event, and whether a character string identifier exists is judged according to the configuration data and the first firewall policy to obtain a judgment result; a logic operation is generated according to the judgment result, and the corresponding first logic call relation is determined according to the logic operation; the logic operation and the first logic call relation are written into the request header of the firewall policy creation request to obtain a target policy creation request, and the target policy creation request is sent to a second policy directory for directory analysis to generate a second logic call relation; and the second firewall policy is created according to the second policy directory and the second logic call relation. The policy generation request is thus analyzed against the policy directory, and the second firewall policy corresponding to the first firewall policy is then generated according to the logic call relation, which realizes automatic maintenance of firewall policies and improves the accuracy of firewall policy generation.
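The optional policy defect analysis and third-policy derivation of step 207, as an added example in Python; it is not code from the patent or its applicant. The patent does not say what a policy defect is, what the abnormal information contains, or how the third policy is derived, so everything here is an assumption of the example: a policy is an ordered first-match rule list; the defects checked are a later rule fully covered by an earlier one (shadowed when their actions differ, redundant when they agree), an allow-everything rule, and a malformed address or port range; the third policy directory is a list of baseline rules; and derivation hoists a shadowed rule in front of the rule hiding it, drops the other defective rules and appends the baseline. The sample policy is constructed for the example.

```python
"""Policy defect analysis and policy derivation (optional part of step 207).

Added example, not code from the patent. Rule model, defect kinds, severity
threshold and derivation strategy are all assumptions of this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    dport: tuple[int, int]   # inclusive destination port range


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by inner is also matched by outer,
    i.e. inner can never be reached if outer precedes it (first match wins)."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    o_src, o_dst = ipaddress.ip_network(outer.src), ipaddress.ip_network(outer.dst)
    i_src, i_dst = ipaddress.ip_network(inner.src), ipaddress.ip_network(inner.dst)
    if o_src.version != i_src.version or o_dst.version != i_dst.version:
        return False
    return (i_src.subnet_of(o_src) and i_dst.subnet_of(o_dst)
            and outer.dport[0] <= inner.dport[0] <= inner.dport[1] <= outer.dport[1])


def analyze_policy(rules: list[Rule]) -> list[dict]:
    """Return one defect record per problem found; an empty list means clean."""
    defects: list[dict] = []
    valid: list[Rule] = []          # well-formed earlier rules, in policy order
    for rule in rules:
        lo, hi = rule.dport
        try:
            src_net, dst_net = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range {rule.dport}")
        except ValueError as exc:
            defects.append({"rule": rule.name, "kind": "malformed",
                            "severity": "high", "detail": str(exc)})
            continue                # a malformed rule cannot be compared with the others
        if (rule.action == "allow" and rule.proto == "any"
                and src_net.prefixlen == 0 and dst_net.prefixlen == 0
                and (lo, hi) == (1, 65535)):
            defects.append({"rule": rule.name, "kind": "permissive",
                            "severity": "high", "detail": "allows all traffic"})
        for earlier in valid:
            if _covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                defects.append({"rule": rule.name, "kind": kind, "by": earlier.name,
                                "severity": "low" if kind == "redundant" else "high",
                                "detail": f"never reached, covered by {earlier.name}"})
                break
        valid.append(rule)
    return defects


def is_request_abnormal(defects: list[dict]) -> bool:
    """Assumed threshold: any high-severity defect makes the request abnormal."""
    return any(d["severity"] == "high" for d in defects)


def derive_policy(rules: list[Rule], defects: list[dict], baseline: list[Rule]) -> list[Rule]:
    """Derive the third policy: hoist each shadowed rule directly in front of the
    rule hiding it, drop redundant, malformed and allow-everything rules, then
    append the baseline rules of the (assumed) third policy directory."""
    by_name = {r.name: r for r in rules}
    drop = {d["rule"] for d in defects if d["kind"] in ("redundant", "malformed", "permissive")}
    hoist = {d["rule"]: d["by"] for d in defects
             if d["kind"] == "shadowed" and d["rule"] not in drop and d["by"] not in drop}
    ordered: list[Rule] = []
    for rule in rules:
        if rule.name in drop or rule.name in hoist:
            continue
        ordered.extend(by_name[s] for s, by in hoist.items() if by == rule.name)
        ordered.append(rule)
    return ordered + list(baseline)


# Constructed sample policy for the example; not taken from the patent.
SAMPLE_POLICY = [
    Rule("allow-web", "allow", "tcp", "0.0.0.0/0", "10.0.0.0/24", (443, 443)),
    Rule("deny-admin-host", "deny", "tcp", "0.0.0.0/0", "10.0.0.10/32", (443, 443)),  # hidden by allow-web
    Rule("allow-ssh-mgmt", "allow", "tcp", "10.0.1.0/24", "10.0.0.0/24", (22, 22)),
    Rule("allow-ssh-dup", "allow", "tcp", "10.0.1.0/25", "10.0.0.0/24", (22, 22)),     # redundant
    Rule("allow-all", "allow", "any", "0.0.0.0/0", "0.0.0.0/0", (1, 65535)),            # too permissive
    Rule("bad-cidr", "deny", "tcp", "10.0.0.0/33", "0.0.0.0/0", (1, 65535)),            # malformed
]
BASELINE = [Rule("default-deny", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", (1, 65535))]

if __name__ == "__main__":
    found = analyze_policy(SAMPLE_POLICY)
    for defect in found:
        print(defect)
    print("abnormal:", is_request_abnormal(found))
    print([r.name for r in derive_policy(SAMPLE_POLICY, found, BASELINE)])
```

Running analyze_policy over the derived policy again returns no defects, which is the check worth keeping in a pipeline that writes policies automatically: a derivation that still contains a shadowed deny has not fixed anything.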
The firewall policy generating method in the embodiment of the present invention is described above, and the firewall policy generating device in the embodiment of the present invention is described below, referring to fig. 3, where one embodiment of the firewall policy generating device in the embodiment of the present invention includes:
A receiving module 301, configured to receive a firewall policy creation request, and monitor a directory change event of a preset first policy directory according to the firewall policy creation request;
a judging module 302, configured to determine, according to the directory change event, configuration data and a first firewall policy corresponding to the firewall policy creation request, and judge whether a character string identifier exists according to the configuration data and the first firewall policy, so as to obtain a judging result;
the generating module 303 is configured to generate a logic operation corresponding to the first firewall policy according to the determination result, and determine a corresponding first logic call relationship according to the logic operation;
the parsing module 304 is configured to write the logic operation and the first logic call relationship into a request header of the firewall policy creation request, obtain a target policy creation request, and send the target policy creation request to a preset second policy directory for directory parsing, so as to generate a second logic call relationship;
and a creating module 305, configured to create a second firewall policy corresponding to the target policy creation request according to the second policy directory and the second logic call relationship.
Referring to fig. 4, another embodiment of a firewall policy generating apparatus in an embodiment of the invention includes:
A receiving module 301, configured to receive a firewall policy creation request, and monitor a directory change event of a preset first policy directory according to the firewall policy creation request;
a judging module 302, configured to determine, according to the directory change event, configuration data and a first firewall policy corresponding to the firewall policy creation request, and judge whether a character string identifier exists according to the configuration data and the first firewall policy, so as to obtain a judging result;
the generating module 303 is configured to generate a logic operation corresponding to the first firewall policy according to the determination result, and determine a corresponding first logic call relationship according to the logic operation;
the parsing module 304 is configured to write the logic operation and the first logic call relationship into a request header of the firewall policy creation request, obtain a target policy creation request, and send the target policy creation request to a preset second policy directory for directory parsing, so as to generate a second logic call relationship;
and a creating module 305, configured to create a second firewall policy corresponding to the target policy creation request according to the second policy directory and the second logic call relationship.
Optionally, the receiving module 301 is specifically configured to: receive a firewall policy creation request and acquire the request type corresponding to the firewall policy creation request; identify the firewall policy creation request according to the request type to obtain the request identifier corresponding to the firewall policy creation request; and perform change monitoring on a preset first policy directory according to the request identifier to obtain a directory change event.
Optionally, the determining module 302 is specifically configured to: acquiring a change field corresponding to the directory change event, and inquiring a first firewall policy corresponding to the firewall policy creation request according to the change field; extracting configuration data corresponding to the firewall policy creation request based on the request identification; performing configuration operation analysis on the configuration data according to the first firewall policy to obtain a configuration analysis result; judging whether the character string identifier exists or not according to the configuration analysis result to obtain a judgment result, wherein the judgment result comprises presence and absence.
Optionally, the generating module 303 is specifically configured to: if the judgment result is that the character string identifier is present, call the preset address data in the first firewall policy according to the character string identifier, and acquire the logic operation corresponding to the first firewall policy and the first logic call relation corresponding to the logic operation through the address data; if the judgment result is that the character string identifier is absent, create the logic operation corresponding to the first firewall policy according to the first firewall policy, build a parent-child relationship of the logic operation, and generate the first logic call relation corresponding to the logic operation according to the parent-child relationship.
Optionally, the parsing module 304 is specifically configured to: invoke a preset access filter according to the first firewall policy, and acquire the request header corresponding to the firewall policy creation request through the access filter; perform interface interaction mode analysis on the second policy directory to obtain the corresponding interface interaction type; transmit the logic operation and the first logic call relation corresponding to the logic operation into the request header based on the interface interaction type to obtain a target policy creation request; and send the target policy creation request to the second policy directory for analysis to obtain a second logic call relation.
Optionally, the creating module 305 is specifically configured to: generate first creation data through the first firewall policy according to the logic operation and the first logic call relation corresponding to the logic operation; generate second creation data through the second policy directory according to the logic operation and the first logic call relation corresponding to the logic operation; and create a second firewall policy corresponding to the target policy creation request according to the first creation data, the second creation data and the second logic call relation.
Optionally, the firewall policy generating device further includes:
the analysis module 306 is configured to perform policy defect analysis on the first firewall policy and generate a policy defect analysis result; determine whether the firewall policy creation request is abnormal according to the policy defect analysis result; if the firewall policy creation request is abnormal, acquire the abnormal information corresponding to the firewall policy creation request and query the third policy directory corresponding to the abnormal information; and carry out policy derivation on the abnormal information and the third policy directory to generate a third firewall policy.
The firewall policy generating apparatus in the embodiment of the present invention is described in detail above in fig. 3 and fig. 4 from the point of view of modularized functional entities, and the firewall policy generating device in the embodiment of the present invention is described in detail below from the point of view of hardware processing.
Fig. 5 is a schematic structural diagram of a firewall policy generating device according to an embodiment of the invention, where the firewall policy generating device 500 may have a relatively large difference due to different configurations or performances, and may include one or more processors (central processing units, CPU) 510 (e.g., one or more processors) and a memory 520, and one or more storage media 530 (e.g., one or more mass storage devices) storing application programs 533 or data 532. Wherein memory 520 and storage medium 530 may be transitory or persistent storage. The program stored in the storage medium 530 may include one or more modules (not shown), each of which may include a series of instruction operations on the firewall policy generation apparatus 500. Still further, the processor 510 may be configured to communicate with the storage medium 530 and execute a series of instruction operations in the storage medium 530 on the firewall policy generation device 500.
The firewall policy generation device 500 can also include one or more power supplies 540, one or more wired or wireless network interfaces 550, one or more input/output interfaces 560, and/or one or more operating systems 531, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, and the like. It will be appreciated by those skilled in the art that the firewall policy generation device structure shown in fig. 5 does not constitute a limitation of the firewall policy generation device, which may include more or fewer components than shown, may combine certain components, or may arrange the components differently.
The present invention also provides a firewall policy generating device, where the firewall policy generating device includes a memory and a processor, where the memory stores computer readable instructions that, when executed by the processor, cause the processor to execute the steps of the firewall policy generating method in the foregoing embodiments.
The present invention also provides a computer readable storage medium, which may be a non-volatile computer readable storage medium, and may also be a volatile computer readable storage medium, where instructions are stored in the computer readable storage medium, which when executed on a computer, cause the computer to perform the steps of the firewall policy generation method.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or in whole or in part, may be embodied in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A firewall policy generation method, wherein the firewall policy generation method comprises:
receiving a firewall policy creation request, and monitoring a directory change event of a preset first policy directory according to the firewall policy creation request;
determining configuration data and a first firewall policy corresponding to the firewall policy creation request according to the directory change event, and judging whether a character string identifier exists according to the configuration data and the first firewall policy to obtain a judgment result;
generating a logic operation corresponding to the first firewall policy according to the judging result, and determining a corresponding first logic call relation according to the logic operation;
writing the logic operation and the first logic call relation into a request header of the firewall policy creation request to obtain a target policy creation request, and sending the target policy creation request to a preset second policy directory for directory analysis to generate a second logic call relation;
and creating a second firewall policy corresponding to the target policy creation request according to the second policy directory and the second logic call relationship.
2. The method for generating a firewall policy according to claim 1, wherein said receiving a request for creating a firewall policy and monitoring a directory change event of a preset first policy directory according to the request for creating a firewall policy comprises:
receiving a firewall policy creation request, and acquiring a request type corresponding to the firewall policy creation request;
identifying the firewall policy creation request according to the request type to obtain a request identifier corresponding to the firewall policy creation request;
and performing change monitoring on a preset first policy directory according to the request identifier to obtain a directory change event.
3. The method of generating a firewall policy according to claim 1, wherein determining configuration data and a first firewall policy corresponding to the firewall policy creation request according to the directory change event, and determining whether a character string identifier exists according to the configuration data and the first firewall policy, to obtain a determination result, includes:
acquiring a change field corresponding to the directory change event, and querying a first firewall policy corresponding to the firewall policy creation request according to the change field;
extracting configuration data corresponding to the firewall policy creation request based on the request identification;
performing configuration operation analysis on the configuration data according to the first firewall policy to obtain a configuration analysis result;
judging whether the character string identifier exists or not according to the configuration analysis result to obtain a judgment result, wherein the judgment result comprises presence and absence.
4. The method for generating a firewall policy according to claim 1, wherein said generating a logical operation corresponding to the first firewall policy according to the determination result, and determining a corresponding first logical call relationship according to the logical operation, comprises:
if the judgment result is that the character string identifier is present, calling preset address data in the first firewall policy according to the character string identifier, and acquiring a logic operation corresponding to the first firewall policy and a first logic call relation corresponding to the logic operation through the address data;
if the judgment result is that the character string identifier is absent, creating a logic operation corresponding to the first firewall policy according to the first firewall policy, building a parent-child relationship of the logic operation, and generating a first logic call relation corresponding to the logic operation according to the parent-child relationship.
5. The firewall policy generating method according to claim 1, wherein writing the logical operation and the first logical call relationship into a request header of the firewall policy creation request to obtain a target policy creation request, and sending the target policy creation request to a preset second policy directory for directory resolution, generating a second logical call relationship, includes:
invoking a preset access filter according to the first firewall policy, and acquiring a request header corresponding to the firewall policy creation request through the access filter;
performing interface interaction mode analysis on the second policy directory to obtain a corresponding interface interaction type;
transmitting the logic operation and a first logic call relation corresponding to the logic operation into the request header based on the interface interaction type to obtain a target policy creation request;
and sending the target policy creation request to the second policy directory for analysis to obtain a second logic call relation.
6. The firewall policy generating method according to any one of claims 1 to 5, wherein said creating a second firewall policy corresponding to the target policy creation request according to the second policy directory and the second logical call relationship comprises:
generating first creation data through the first firewall policy according to the logic operation and a first logic call relation corresponding to the logic operation;
generating second creation data through the second policy directory according to the logic operation and a first logic call relation corresponding to the logic operation;
and creating a second firewall policy corresponding to the target policy creation request according to the first creation data, the second creation data and the second logic call relation.
7. The firewall policy generating method according to claim 6, further comprising:
performing policy defect analysis on the first firewall policy to generate a policy defect analysis result;
determining, according to the policy defect analysis result, whether the firewall policy creation request is abnormal;
if the firewall policy creation request is abnormal, acquiring abnormality information corresponding to the firewall policy creation request, and querying a third policy directory corresponding to the abnormality information;
and performing policy derivation on the abnormality information and the third policy directory to generate a third firewall policy.
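Claim 7 describes the defect analysis only at the level of "generate a result, then decide whether the request is abnormal". The following Python is an added illustration of that step and is not code from the patent or its assignee. It assumes a first-match policy, defines a defect as a shadowed rule (fully covered by an earlier rule with the opposite action) or a redundant rule (fully covered by an earlier rule with the same action), and treats a creation request as abnormal when inserting the requested rule would introduce a defect involving it. The rule fields, rule names and sample policy are all constructed for the example; the querying of a "third policy directory" from the abnormality information is left as the returned defect list.

```python
"""Firewall policy defect analysis (constructed example, not the patent's code).

Assumptions: an ordered, first-match policy; each rule matches a source CIDR,
a destination CIDR, a protocol and an inclusive port range.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source CIDR
    dst: str          # destination CIDR
    proto: str        # "tcp", "udp" or "any"
    ports: tuple      # (low, high), inclusive
    action: str       # "allow" or "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    o_src, i_src = ipaddress.ip_network(outer.src), ipaddress.ip_network(inner.src)
    o_dst, i_dst = ipaddress.ip_network(outer.dst), ipaddress.ip_network(inner.dst)
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return i_src.subnet_of(o_src) and i_dst.subnet_of(o_dst) and proto_ok and ports_ok


def analyze_policy(rules):
    """Policy defect analysis: return (rule, defect_kind, earlier_rule) tuples.

    Under first-match semantics a rule fully covered by an earlier rule never
    fires: with the opposite action it is 'shadowed', with the same action it
    is 'redundant'. Only the first covering rule is reported per defect.
    """
    defects = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                defects.append((rule.name, kind, earlier.name))
                break
    return defects


def check_request(rules, requested: Rule, position=None):
    """Decide whether a creation request is abnormal.

    The requested rule is inserted at `position` (end of policy by default) and
    the candidate policy is analysed; the request is abnormal if any defect
    involves the requested rule, either as the rule that is masked or as the
    rule that masks an existing one (e.g. a broad allow placed above a deny).
    Returns (is_abnormal, abnormality_info).
    """
    candidate = list(rules)
    candidate.insert(len(candidate) if position is None else position, requested)
    info = [d for d in analyze_policy(candidate) if requested.name in (d[0], d[2])]
    return bool(info), info


# Constructed sample policy: one redundant rule and one shadowed rule on purpose.
SAMPLE_POLICY = [
    Rule("deny-db-from-dmz", "10.1.0.0/16", "10.2.0.10/32", "tcp", (5432, 5432), "deny"),
    Rule("allow-web", "0.0.0.0/0", "10.2.0.0/24", "tcp", (443, 443), "allow"),
    Rule("allow-db-app", "10.3.0.0/24", "10.2.0.10/32", "tcp", (5432, 5432), "allow"),
    Rule("allow-web-dup", "192.0.2.0/24", "10.2.0.0/24", "tcp", (443, 443), "allow"),
    Rule("allow-db-dmz-host", "10.1.5.7/32", "10.2.0.10/32", "tcp", (5432, 5432), "allow"),
]

if __name__ == "__main__":
    for defect in analyze_policy(SAMPLE_POLICY):
        print("defect:", defect)
    req = Rule("req-allow-db-dmz", "10.1.0.0/24", "10.2.0.10/32", "tcp", (5432, 5432), "allow")
    print("abnormal:", check_request(SAMPLE_POLICY, req))
```

Running the block reports `allow-web-dup` as redundant with `allow-web` and `allow-db-dmz-host` as shadowed by `deny-db-from-dmz`; the appended request is flagged abnormal because the existing deny would shadow it. Passing `position=0` shows the other direction: a broad allow inserted at the top shadows the existing deny, which is the case a reviewer most wants caught before the policy is generated.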
8. A firewall policy generating apparatus, characterized in that the firewall policy generating apparatus comprises:
a receiving module, configured to receive a firewall policy creation request and to monitor a directory change event of a preset first policy directory according to the firewall policy creation request;
a judging module, configured to determine configuration data and a first firewall policy corresponding to the firewall policy creation request according to the directory change event, and to judge, according to the configuration data and the first firewall policy, whether a character string identifier exists, obtaining a judging result;
a generating module, configured to generate a logical operation corresponding to the first firewall policy according to the judging result, and to determine a corresponding first logical call relationship according to the logical operation;
an analysis module, configured to write the logical operation and the first logical call relationship into a request header of the firewall policy creation request to obtain a target policy creation request, and to send the target policy creation request to a preset second policy directory for directory resolution, generating a second logical call relationship;
and a creating module, configured to create a second firewall policy corresponding to the target policy creation request according to the second policy directory and the second logical call relationship.
9. A firewall policy generating apparatus, characterized by comprising a memory and at least one processor, the memory having instructions stored therein;
the at least one processor invokes the instructions in the memory to cause the firewall policy generating apparatus to perform the firewall policy generating method of any one of claims 1 to 7.
10. A computer readable storage medium having instructions stored thereon which, when executed by a processor, implement the firewall policy generating method of any one of claims 1 to 7.
CN202211553203.4A 2022-12-06 2022-12-06 Firewall policy generation method, device, equipment and storage medium Active CN115766278B (en)

Publications (2)

Publication Number Publication Date
CN115766278A CN115766278A (en) 2023-03-07
CN115766278B true CN115766278B (en) 2023-08-15

Family

ID=85343516

Country Status (1)

Country Link
CN (1) CN115766278B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109768962A (en) * 2018-12-13 2019-05-17 平安科技(深圳)有限公司 Firewall strategy-generating method, device, computer equipment and storage medium
CN110336834A (en) * 2019-07-31 2019-10-15 中国工商银行股份有限公司 Treating method and apparatus for firewall policy
CN111835794A (en) * 2020-09-17 2020-10-27 腾讯科技(深圳)有限公司 Firewall policy control method and device, electronic equipment and storage medium
CN112039868A (en) * 2020-08-27 2020-12-04 中国平安财产保险股份有限公司 Firewall policy verification method, device, equipment and storage medium
CN112383507A (en) * 2020-10-16 2021-02-19 深圳力维智联技术有限公司 Firewall policy management method, device and system and computer readable storage medium
CN112995169A (en) * 2021-02-22 2021-06-18 中国工商银行股份有限公司 Method and device for deploying firewall
CN114764325A (en) * 2021-01-12 2022-07-19 腾讯科技(深圳)有限公司 Service logic generation method, device and terminal

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7159125B2 (en) * 2001-08-14 2007-01-02 Endforce, Inc. Policy engine for modular generation of policy for a flat, per-device database

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design of firewall logical policy configuration based on security zones and objects; He Guoxiong; Computer Security (《计算机安全》) *

Also Published As

Publication number Publication date
CN115766278A (en) 2023-03-07

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230724

Address after: 518000, A-2511, Golden Coast Building, No. 9 Chuangye Road, Chuangye Road Community, Yuehai Street, Nanshan District, Shenzhen, Guangdong Province

Applicant after: Shenzhen Yijia Technology Co.,Ltd.

Address before: 518000 19A-3, Jinrun Building, 6019 Shennan Avenue, Tian'an Community, Shatou Street, Futian District, Shenzhen, Guangdong Province

Applicant before: Shenzhen Tianyuan Jingyun Technology Co.,Ltd.

GR01 Patent grant